Cyber Security Architecture

I remember (now it was a long time ago) when I worked in a support role and my dream job was being a technical architect, back in the warm and fuzzy days of no host-based firewalls, IPsec being something only MCPs knew about other than the networking team and when cybercrime was a shadow of how it is today.

It wasn’t until I had a few more notches under my belt when I realised that architecture in technology has different viewpoints, not only that but even the industry can’t agree on what things are or are not. That aside the reality is, is that architecture has different domains, specialisms, views, and viewpoints. I often find myself working across a whole range of areas, that is driven largely by specific customer requirements and scenarios (this is why I have a cool lab and lots of kit!)

When we consider a business technology system it has risk and by nature cyber security in that view. To think of this not being the case would be odd because ultimately “business” is the highest abstraction, and let’s think about what makes up a business: Read more “Cyber Security Architecture” →

Defense

Exposed VMWARE vCenter Servers around the world (CVE-2021-22005)

There’s a new CVE in town but don’t think it’s the only problem you get when you expose administrative interfaces to the wild west of the internet (yeeha or something). Let’s go on a quick exploration of what the world looks like with the help of our friends at Shodan and then let’s see the ramblings of Dan when looking at how benign enumeration and exploration of services can work. Let’s get started looking at the world, a quick face analysis on Shodan with vmware as a product shows a hit or two, what we are going to focus on is vCenter but you know.. you might want to review your attack surfaces so any exposed services (damn people expose some risky stuff!) Read more “Exposed VMWARE vCenter Servers around the world (CVE-2021-22005)” →

Defense

How to restore AdminSDHolder Object Permissions using ADSIedit

Ok so the other day “we” as a community put out some guidance around post active directory compromise actions for when you can’t simply nuke the forest from orbit. Well, following on from that a friend asked about how to restore AdminSDHolder permissions? Read more “How to restore AdminSDHolder Object Permissions using ADSIedit” →

CTF

Installing Kali 2021.3

Hax fun with the Dragon distro

Ok today we are going to look at deploying Kali 2013.3. The install process for this is fairly standard and familiar from previous version but for those new to this world, it seems like a good place to start.

Install Procedure (Virtual Machine)

Boot from the ISO

Read more “Installing Kali 2021.3” →

Guides

What if not everyone is a cyber expert?

Developing a Cyber Roadmap

Ok so this topic comes up a fair bit, but organisations and their management are often looking to ensure they are doing the right thing (no really this is a common phrase I hear with organisations) with regard to cyber security. THe challenge I think quite a few people have is even understanding what that even means. Sure you have a firewall, and antivirus and you had a yearly peneration test of a site that isn’t even touching your corproate network. You thought you were fine, but you keep seeing organisations get ransomared in the news and the board keep asking “are we ok?” so this then leads to a common position of maybe buying more widgets or thinking, well we haven’t been “hacked” so we must be doing ok.

Defense

Vulnerability Management – Actually doing it!

Vulnerability Management, Assessments and Vulnerability scanning is sometimes treated a with distain in the Offensive security community, I personally don’t understand that. Vulnerability management is key to inputting into security strategy, architecture, and operations. It’s coupled heavily to many other processes such as:

Asset Management
Risk Management
Patch Management
Change & Release Management
Security Testing
Security Monitoring

Before we start deploying let’s think about some areas for consideration when performing vulnerability scans:

Scope
- Asset/Hosts
  - IP Ranges
  - Hostnames
- Connectivity
  - VPNs
  - LAN/WAN
- Device Types and Configuration
  - Domain
  - Workgroup
  - Appliance
  - ICS
  - Printers
  - Network Equipment
- Unauthenticated View
- Authenticated View
  - Auth Types
  - Protocols
- Scheduling
- Authority to execute
Impact
- Performance
- Availability
- Confidentiality
Objectives and Outcomes
Reporting
- Information Flow
- Report Storage and Confidentiality

CTF

Abusing AdminSDHolder to enable a Domain Backdoor

If we have high privilege access to a domain, we will likely want to establish persistence with high privilege access. One mechanism to do this is to assign ourselves permissions to the adminSDHolder object in active directory:

Here we have the default adminSDHolder permissions. We are going to add our user “low” in here with modify or full control permissions: Read more “Abusing AdminSDHolder to enable a Domain Backdoor” →

CTF

How to Identify Hashes

Some hashes are obvious but even then, it’s a good job to check. There are a few ways to check a hash outside of manual validation.

Using the Hashcat example list:

https://hashcat.net/wiki/doku.php?id=example_hashes

Using hash-identifier:

https://github.com/blackploit/hash-identifier

Using cyberchef Analyse hash:

https://gchq.github.io/CyberChef/#recipe=Analyse_hash()

Using hash-id:

https://github.com/psypanda/hashID

Using HashTag:

https://github.com/SmeegeSec/HashTag

As you can see there are range of tools available to you, and remember if you want to keep the hashes to yourself you can download Cyberchef and run it locally!

Guides

Cracking an SSH key with John the Ripper (JTR)

This is a super-fast blog to show how to crack sshkeys with JohnTheRipper from Kali VM.

Create a key

Defense

Infection Monkey Overview

Have you ever wanted to see what would occur in an environment if a worm was a make its way in? I often work with customers to show them about lateral movement from a human operated perspective however sometimes it’s useful for people to visualise this better and to demonstrate what could occur if a worm was set loose. A great tool to help with this is Infection Monkey from Guardicore (https://www.guardicore.com/

High Level View

The process steps are as follows:

Scope Exercise
Prepare Environment
Deploy Infection Monkey Server (Monkey Island)
- Configure Server Credentials
Monkey Configuration
Release Monkey/s
Review
Report

Read more “Infection Monkey Overview” →