Category: Hacking

Defense

Ransomware Defence Checklist – Part 1 : Initial Access

Defending the Realm

We keep seeing organization get hit, in some kind of a sick way I think me and some of my friends in the industry are bored with the over dramatic responses of “sophisticated” “advanced” and “unpreventable” because most times the kill chains simply are not like this. But still the onslaught keeps coming. Well I know this much, whilst I would love to deploy with the team and harden everyone’s networks that simply isn’t possible. So what we thought we would do is write something to try and spread the knowledge a bit further and hopefully have some positive impact.

Ransomware 101

It’s not just that your data will be encrypted, it will likely be exfiltrated and sold. You will likely have access sold, data sold and be extorted. The Ransomware business model is adapting to defender responses. Even if you can restore from backup they will likely try and attempt to extort. This brings a key point in this equation, the best position is to NOT get pwn3d to start with. Ok that might sound silly to say but when we look at these kill chains you might start to see the world from my perspective a little. Read more “Ransomware Defence Checklist – Part 1 : Initial Access”

Breach

Following a Kill Chain – Defending against Babuk group’s…

Washington Police Department Pwn3d by Ransomware Group Babuk

So it’s all over the news outlets, a police department (Washington DC PD) has been hit by a ransomware syndicate, Babuk. So firstly, let’s be realistic everyone can get pwn3d and at this time our thoughts go out to those affected and to the teams working the response. Being hit by ransomware is NOT fun and not something we would wish upon anyone. That being said this isn’t an ambulance chase, what I want to do hear is look at the TTPs from Babuk in a bit more detail so hopefully we can help inform and educate people so they can strengthen their security postures.

References

https://news.sky.com/story/russian-hackers-target-washington-dc-police-department-in-apparent-ransomware-attack-12288183

https://www.theregister.com/2021/04/27/washington_dc_police_ransomware/ Read more “Following a Kill Chain – Defending against Babuk group’s TTPs”

CTF

Server Message Block (SMB) Enumeration, Attack and Defence

Introduction

If you see a service with TCP port 445 open, then it is probably running SMB. SMB is used for file sharing services. You will also see it related to other protocols in its operation:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/06451bf2-578a-4b9d-94c0-8ce531bf14c4

Checklist

Here is a check list of common things to check:

  • Can you enumerate the server version?
  • Can you enumerate shares?
  • What versions of the protocol are enabled?
  • Can you connect using anon bind?
  • Are there any known vulnerabilities?
  • Can you enumerate usernames?
  • Is SMB signing enabled?
  • Are there other hosts in the subnet that can be used?

Read more “Server Message Block (SMB) Enumeration, Attack and Defence”

Defense

Business Email Compromise in Office 365

BEC

Business email compromise can be a prelude to a range of attacks but commonly it’s either Ransomware of Scammers. In this post we are focsing on scammer activity which uses a ‘man in the mailbox’ attack to get in between two parties in an email converstation with the aim of attempting theft by fradulently altering a wire transfer so that the third party sends funds to the scammers not to the victim. There are cleary other avenues that can be leveraged (the compromised mailbox may be used to phish or email malware to another victim).

Initial Access

To gain access to the mailbox a range of techniques can be employed which includes:

  • Credential stuffing
  • Phishing and credential harvesting
  • Malware

Once they have your logon credentials, they now will attempt to access your mailbox.

Avoiding Geo Location Alerts

A scammer may use a public VPN service (such as services from AVAST etc.) to move their internet connection the target mailbox region. They can usually locate a person through some OSINT.

By moving to the normal area of the user they are less likely to trip geo location alerts. Read more “Business Email Compromise in Office 365”

Guides

Becoming a Cyber Criminal (Pro) – Basic External Attacks

This is an experiment to combine a near real time thread on twitter and a blog… I have no idea if this will work. The premise is, we are conducting a adversary simulation against a target and want to see how this translates into a ‘plain language’ blog/story about how these things work. (I’ve also not included sales/scoping/documentaiton and clearly not all of this is in real time) but it is real!

The Fundamental Steps

Ok so first thing is first – the criminal part is a joke! We are here to help people. What we are going to do however is consider the general cyber threat landscape, look at the organisation from an ‘external threat actor’ perspective and then see what we can map out from an attack surface point of view.

Read more “Becoming a Cyber Criminal (Pro) – Basic External Attacks”
Defense

Password Spraying/Credential Stuffing OWA with Metasploit Framework

Ok so this is not very ‘1337’ but it will get the job done (and that is what is important, no one cares how they get pw3d they just care they were). If you really wanted, you could hand craft this in python of another language or use another tool (script etc.)

Do start with we are going to need a username list and a password list (as well as a target IP or DNS name). This could be:

  • Obtained via OSINT
  • Obtained via stolen/breached credentials
  • Dictionary Created
  • Password Lists could be used/generated etc.

We also need to have considerations for account lockouts. If we are doing a penetration test, then we will have to likely avoid DoS. If we are doing a ‘RED TEAM’ or adversary simulation, then we will want to avoid being noisy and getting caught. (If we are doing monitoring and detection testing you probably want to be quiet and noisy ala control testing). Read more “Password Spraying/Credential Stuffing OWA with Metasploit Framework”

Defense

ProxyLogon (CVE-2021-26855) PoC and Metasploit Module Released

The last two weeks we’ve seen major activity around the world with defenders and criminals rushing to respond to the recent zero day vulnerability patches and then the race to reverse engineer the kill chain to create an explot. We saw a PoC fairly early but it required that you reverse engineer some exchange DLLs and/or TAP the 443 to 444 interface on an exchange server to work out how to weaponise it. Things however have progressed, 8 hours ago we saw a metasploit module go online:

Read more “ProxyLogon (CVE-2021-26855) PoC and Metasploit Module Released”