Latest articles


  1. Spanning Tree Protocol exploitation

    Published: Mon 16 October 2017 in Cookbook.
    How an attacker can take advantage of STP, and how to prevent this.

    As we saw in the previous post, Wireshark revealed the presence of STP messages.

    The Spanning Tree Protocol is used to detect topology loops and build the most efficient forwarding path between interconnected switches. Topology loops are not a mistake but a way to add redundancy to a topology. Should a link break, STP detects it and recalculates a new most efficient tree.

    In sane networks, access ports should not deliver STP messages to end devices, but this is not the default and, as Wireshark told us, not the case in our lab. This gives the attacker the possibility to simulate a topology change by sending maliciously crafted STP messages.

    For this lab we will need at least the User_1 and Server_1 devices to be available:

    STP lab topology

    Warning

    The support of STP in the IOU images I tested was very buggy, STP port state was ignored and frames systematically …


  2. Practical network layer 2 exploitation: passive reconnaissance

    Published: Thu 12 October 2017 in Cookbook.
    Network layer 2 practical offensive and defensive security: listen and learn from the network's white noise.

    This post is part of a series about practical network layer 2 exploitation.

    Now is the time to swap your network administrator hat for the attacker's one. Your own, well-known network now becomes an unfamiliar target.

    Before rushing in and banging against the nearest devices, it may be wiser to just stand back and listen.

    On switched networks, users are somewhat isolated from each other thanks to the separation of collision domains. All that remains is some kind of white noise… but this white noise in itself can bring invaluable information to an attacker!

    In particular, we will see how, simply by passively listening to this white noise, an attacker is able to detect several weaknesses affecting the network and plan his next steps.

    In this lab no interaction will occur with either the Admins or the Servers VLANs; the User_1 workstation will be required only for the DHCP Discover messages part …


  3. Practical network layer 2 exploitation: introduction

    Published: Tue 10 October 2017 in Cookbook.
    Network layer 2 practical offensive and defensive security: setting up the lab.

    This post initiates a series demonstrating network layer 2 exploitation and protection techniques from a practical point of view.

    This series will rely on the following topology:

    Layer 2 exploitation lab topology

    This topology is composed of three VLANs:

    • Users (VLAN 1) and Admins (VLAN 2) both contain end-user workstations; they are isolated from each other.
    • Both can access machines located in Servers (VLAN 3).

    The attacker is connected to the Users VLAN.

    In this series we will see how the attacker can leverage various layer 2 configuration weaknesses to disrupt the network, hop from one VLAN to another, and intercept users' communications, independently of their location in the topology.

    We will limit ourselves to basic techniques, as an attempt to demonstrate that pwning an insufficiently secured network doesn't involve any high technology or knowledge. When appropriate, we will also see how the attacks can be generalized to other real-life scenarios.

    Creating the topology …


  4. How to configure Windows as an NTP server & enable IOS NTP client

    Published: Fri 06 October 2017 in Cookbook.
    A step-by-step guide to set up and troubleshoot NTP on Windows and Cisco IOS-based devices.

    NTP allows the clocks of various devices to be synchronized to a common reference.

    In this how-to, we will configure a Windows Server as an NTP server and a Cisco IOS-based router to act as an NTP client. We will also see how to configure the router so it can itself serve as a server to other devices, thus acting as an NTP relay.

    NTP how-to topology

    Windows (NTP server)

    Windows does not ship with any NTP server by default. In fact, Windows' W32Time service implements SNTP instead, which is not compatible with NTP clients.

    Meinberg NTP is a commonly used alternative to get a proper NTP server on Windows, and is the one we will use in this how-to.

    Before installing it, check that the following settings are correct:

    • The IP configuration (192.168.0.100 in my case)
    • The current time (08h15 in my case, but who cares?)

    Once …


  5. How to configure Windows as a SCEP server & Cisco ASA enrollment

    Published: Thu 05 October 2017 in Cookbook.
    A step-by-step guide to configure SCEP on Windows and Cisco ASA appliances.

    SCEP is a protocol supported by several manufacturers, including Microsoft and Cisco, designed to make certificate issuance easier, in particular in large-scale environments.

    It proceeds in a few steps:

    1. The SCEP server issues a one-time password (the “challenge password”), transmitted out-of-band to the client.
    2. The client generates a key pair, and sends the certificate signing request to the SCEP server along with the one-time password.
    3. The SCEP server validates the client certificate data (in this how-to the validation will be manual), signs it and makes the signed certificate available to the client.
    4. The client regularly polls the SCEP server until its signed certificate becomes available. The client can then fetch the signed certificate and install it.

    Here we will set up a Windows Server as SCEP server, and use a Cisco ASA as SCEP client.

    SCEP how-to topology

    The topology above mentions Windows 2016, but any other Windows server will do. This how-to …


  6. EC-Council CEH certification review

    Published: Wed 04 October 2017 in Opinions.
    Updated: Fri 06 October 2017 (Added a note about Metasploit)
    Facts, advice and personal impressions on the EC-Council CEH certification.

    The five Ws

    • What: The EC-Council Certified Ethical Hacker (CEH) is a technical certification on penetration testing.

      While being oriented toward technical people, the certification itself goes lightly on the practical side and insists instead on having a broad general culture. This certification covers definitions, concepts and tools, with a strong focus on ethics.

      This certification never goes really deep into any subject, but instead attempts to cover the widest possible range of topics related to pentesting. Examples of covered topics include cryptography, regulation and compliance, operating systems (client, server and mobile systems are all covered), networking (including wireless networking), procedures, code review, physical security, social engineering and, last but not least, ethics.

    • When: This certification has no prerequisite (two years of experience in IT security allows you to skip the training requirement, while subscribing to an approved training removes any experience prerequisite).

      It is suitable for anyone interested …


  7. How are attacks and APTs attributed?

    Published: Sun 01 October 2017 in Opinions.
    How to put the name of a country or an individual behind a security event.

    Computer-based attack attribution works like the attribution of any other illegal activity: it requires a significant amount of investigation, gathering clues, corroborating information, attempting to eliminate false leads and recognize the right ones, etc.

    On the attackers’ side

    The attacker may cover his tracks using two main techniques: plausible deniability and false flag.

    Plausible deniability

    Plausible deniability aims at non-attribution by making the attacker's identity unclear. It relies notably on using off-the-shelf and widely available tools and techniques, and carefully removing all metadata or potential clues.

    The CIA's Development Tradecraft DOs and DON'Ts from the “Vault 7” leak is a perfect example of how to implement plausible deniability in malicious software.

    False flag

    False flag (in the case of a government entity we can also talk of black ops) aims at misattribution by voluntarily and actively forging clues designed to deceive investigators (or simply the targets) into attributing the attack …


  8. Introduction to z/OS and IBM mainframes world and security

    Published: Sun 01 October 2017 in Library.
    They run our economy and critical infrastructures all over the world, yet remain mostly unknown.

    Mainframes are often designated as “legacy platforms”. This triggers the mental image of those enormous, bulky 80's-era computers which can be found in any good computer museum and vintage video, and leaves a mixed feeling about the place of such machines in today's computing world.

    However, nothing could be more wrong:

    1. A lot of the technologies which made today's computing what it is are actually owed to the mainframe world.

      Things like non-executable memory, process isolation, virtualization and symmetric multiprocessing, to name just a few, are all technologies that were first developed for mainframe environments and only then ported onto other architectures.

    2. Today's mainframe hardware has nothing in common with antique computers; it evolved as the rest of the computer world did.

      They are bulky, but not as much as one may imagine: the size of a large fridge, to give a rough idea. They remain …


  9. Common issues when using virtual machines

    Published: Tue 26 September 2017 in Cookbook.
    A collection of the most common pitfalls and their solutions.

    Qemu issues

    Send the Ctrl-Alt-Del key sequence to the guest

    Ctrl-Alt-Del is a special key sequence intercepted by the operating system. Windows uses it as a security measure to unlock its screen, but in the case of virtualized systems an alternative is necessary, as the key sequence would be intercepted by the host instead of being sent to the guest.

    • If you are using a VNC display, press F8; you should get a menu proposing to send the Ctrl-Alt-Del sequence to the guest.

    • If accessibility tools are available, enable the on-screen keyboard, press Ctrl-Alt on your physical keyboard and click Del on the on-screen keyboard.

    • If accessibility tools are not available, on Windows systems press the Shift key at least five times in a row; you should get a pop-up allowing you to enable Sticky Keys. Now successively press the Ctrl, the Alt …


  10. How to create an Active Directory domain

    Published: Tue 26 September 2017 in Cookbook.
    A step-by-step guide to set up a Windows Active Directory domain.

    Setting up a basic Windows Active Directory domain to centrally manage user accounts can be done painlessly. This guide is mainly based on Peter Kim's guide written for his book The Hacker Playbook.

    In this guide I use a minimal topology, with a Windows server acting as the domain controller on one side and Windows client systems on the other. This guide should work the same no matter the exact versions of the Windows server and clients you are using, or if you are using a more complex and realistic topology.

    Windows domain lab topology

    Note

    The Domain Controller must be a Windows Server edition, and for the clients to be able to join the domain they must be at least a Windows Professional edition.

    See how to choose a Windows edition.

    Configure the network

    Set IP addresses

    First you need to set a static IP address on each host.

    The quickest way to access …
