Defending Office 365 against MFA bypass using IMAP

So, you have deployed Office 365, you’ve setup multi-factor authentication and deployed password managers so that your users can safely use MFA where it is supported but fall back to app passwords where it’s not. Great stuff… except by default you aren’t quite as secure as you would think!

Default Office365/Exchange Online Config

Now this is great for HTTP based communication methods. but email isn’t restricted to HTTP only. When we investigate the default deployment configuration we see that IMAP and POP3 are both enabled. The below screenshot shows the default mailbox feature configuration:

Now as we know, both IMAP and POP3 do not support a second or multi-factor authentication by default, so in the GUI you should disable those (unless you have a really specific business reason that means you MUST use these) Read more “Defending Office 365 against MFA bypass using IMAP” →

SQL Pwnage – Enumeration using Metasploit 5.0

Database Service Enumeration

Ok in this scenario we care going assume SQL login credentials (sqluser) are exposed and that firewall rules are wide (so we have layer 3 connectivity to the target).

We have loaded Metasploit and will be using the msssql_enum modue

Now that we have configured our target options we can run the module:

Owning the Covenant like a Chief! – C2 Framework…

Covenant is a .NET c2 (Command & Control) Framework that aims to highlight the attack surface of .NET and aid red teamers! Today I’m going to jump into slip space with a Halo themed blog on my first use of Covenant in the lab. Let’s hope I don’t need Cortana to get this deployed (yes I’m a massive Halo nerd!)

Installation

First thing let’s head over to GitHub and check out the install notes:

The architecture seems to look like this:

Covenant is a server (runs in docker)
Elite is a client for the server for c2 management (https://cobbr.io/Covenant.html)
Grunt is the agent

OSCP Week 2

Getting back into it!

Following on in the series from my previous post – My OSCP Diary – Week 1 I continue my offensive security professional certification journey!

So, after a break in my training schedule (pro tip, ask Offensive Security (Offsec) to pause your PWK lab time – I didn’t which was stupid) I’m back into the PWK labs!

The first thing I realised after having ~ 40 days break was taking that long a gap isn’t the best idea (but hey holidays and life have to happen right!) I got back into the lab and looked at my attack Visio blankly for a bit, realising the task ahead of me had a lot of servers still in it!

I think the first box I decided to hit was pain, as its name says this box is not easy as is considered an OSCP boss box, as its name says, it’s painful but quite fun once you have cracked it. Read more “OSCP Week 2” →

My OSCP Diary – Week 1

A long time ago in a more civilised age

I’ve been working on the technology industry for the last 17 years, planning, designing, building and operating solutions since I was able to access the internet. I’ve been working the last 10 years as a consultant architect (across a number of domains) working with clients to understand their businesses, their technology needs, current deployments, gaps, road map and create solutions to enable their businesses, but you can’t do that if you introduce risks to businesses by creating unnecessary and unwanted security risks.

I’ve delivered services directly for and as part of a supply chain for a large range of organisation verticals from global media organisations, logistic firms, retail, telecommunications, media & entertainment through to local authorities, central government agencies, armed forces and the metropolitan police. Read more “My OSCP Diary – Week 1” →

A day out phishing

A common tactic for threat actors is to leverage weaknesses in human behaviour. Over the years a combination of poor configuration has led people to ‘click YES’ syndrome. A common vector for attackers is to send emails with document attachments using either embedded macros or abusing Office document OLE functionality.

Below we have a live sample of a phishing document. As you can see it’s been styled in a similar fashion to the Office user interface. Read more “A day out phishing” →

Hail Hydra – RDP brute forcing with HYDRA

Securing services requires a broad range of knowledge of operating systems, networking, protocols and offensive capabilities. So I thought I would demonstrate some testing methods to show how a control is effective in blocking certain types of attack, so here’s some offensive and defensive guidance to limit RDP attacks. Please remember this is for educational purposes, do NOT break the law and only use these techniques where you have permission! #whitehat

Overview

This document provides a sample of the internal (white box) testing process and procedure for testing RDP controls against brute force attacks.

Test Objectives

Demonstrate only authorised users can access the service
Demonstrate Remote Desktop Services has a hardened configuration
Demonstrate a brute force attack

Method

Scope Evaluation
Testing
1. Enumeration
2. Vulnerably Assessment
3. Exploitation
Report Results