2021-01-29 16:14:00
I've been dabbling in pen-testing for a few years now; it's never been my main gig and I wonder whether it'll ever be. For now it's a wonderful challenge which makes its way into my work assignments.
Case in point: at my new customer I'll be performing pen-tests on contemporary applications and services. Java backends, Javascript frontends and lots of APIs! It's in that area that I feel I need additional development: I've learned and practiced with a lot of vulnerabilities and software stacks, but not these.
Which is why I yet again turned to Black Hills InfoSec and WWHF, for another training! This time around, it's "Modern webapp pen-testing with B.B. King".
Where the "Applied Purple Teaming" class I recently took was okay, B.B.'s class was excellent! All the labs use OWASP's Juice Shop project, which combines NodeJS on the backend (with REST APIs!) with AngularJS on the frontend. Throw in MongoDB for some NoSQL and you've got a party going!
All in all, B.B.'s teaching style is great and his interactions with us students were pure gold. In general, the Discord chat was lively and had great contributions from people all over the world. I'd highly recommend this class! I'll defo learn more with Juice Shop and other vulnerable apps in the upcoming months. :)
kilala.nl tags: studies, work,
View or add comments (curr. 0)
2021-01-28 15:42:00
At one of my previous clients, we taught developers and engineers about a number of common software vulnerabilities through an in-house course. The training makes use of labs provided by OWASP's SKF Labs project.
The SKF Labs offer dozens of Dockerized mini-webapps, each of them purpose built to demo one type of vulnerability. They're the exact inverse of demo apps like Juice Shop or DVWA, which combine many different vulns into one webapp.
The Dockerized apps make it easy to teach a small set of vulns to students: all they need is Docker and a way to pull in the public containers.
After teaching with these labs, I also wanted to contribute! There were two specific vulnerability types that I wanted to include in our teaching:
Building the first of those apps was easy: just clone one of the existing Dockerized apps and adjust where needed.
The second one was an absolute blast to build, because it forced me to learn new things! I had to practice my Python, I got started with TCP/IP packet crafting in Scapy and I got to learn NetFilter plugins! I learned a lot from a similar project by Ludovic Barman.
The TLS downgrade demo is something I'm pretty darn proud of! I learned how to build a Python script which performs a man-in-the-middle attack on TLS, through the abuse of NetFilter plugins and by tweaking TLS packets using Scapy! What a rush!
kilala.nl tags: work,
View or add comments (curr. 0)
2021-01-08 15:19:00
I fear that I may have been over-doing it a little bit the past few weeks.
December 21st was my last day at my previous assignment, with my new assignment starting January 11th. The three weeks inbetween were spent on the holidays and on studying. I pushed through:
The latter two are both advertised as 16 hour trainings, but I've easily spent upwards of 20-25 hours on each to go through the labs and to research side quests. A few hours more on improvements to the labs for the latter, since I ran into many problems with their Terraforming scripts for Azure Cloud. Huzzah for cooperation through Github.
While I found the APT class very educational, I can't shake the feeling that it could have been better. In some cases K&J skipped through a number of topics relatively quickly, as "these are basics, etc" and at some points there was rapid back-and-forth between slides. Granted, I did watch the VoD-recordings of their July session and I expect their more recent classes to have been more fluent.
Thanks to K&J's class my todo list has grown tremendously. Between trainings and certifications added to my wishlist, I've also added a number of improvements that I would like to apply to my homelab. First and foremost: right-sizing my network segments and properly applying all local firewalls. This is a best-practice that will hinder lateral movement in simulations or real-world scenarios.
kilala.nl tags: work, studies,
View or add comments (curr. 0)
2021-01-05 15:44:00
While I'm making my way through lab L1120 of BHIS' "Applied Purple Teaming" course, I noticed something interesting: none of my nefarious commands were showing up in HELK, despite me having enabled Powershell logging through a GPO.
In this lab, we're grabbing Sharphound.ps1 from the Bloodhound project, and either download and run it, or just load it into memory using Invoke-Expression. But none of that stuff was showing up in my Kibana dashboard, despite a "whoami" run from Powershell appearing correctly.
That's when I learned that A) downgrading your session to Powershell 2 kills all your logging, B) most of what you run in Powershell ISE (a script editor) is flat-out never logged. In my case: I make it a habit to work inside ISE, because I can easily edit script blocks.
See also this excellent blog post from 2018.
Luckily you can disable Powershell 2 with a GPO (which could end up breaking older scripts). But with regards to ISE: you'll have to completely uninstall, or deny-list it... if possible.
EDIT:
Based on this article by Microsoft themselves, it seems that turning on transcription will also work on Powershell ISE. I'll need to investigate a bit deeper... See if I haven't misconfigured my setup.
EDIT 2:
Yeah. The Powershell 2 logging bypass is valid, but the lack of logging through Powershell ISE was a case of #PEBCAK.
kilala.nl tags: work, studies,
View or add comments (curr. 0)
2021-01-02 14:48:00
It's nice when sidetracks during learning lead to measurable results. Case in point: while setting up the labs for the BHIS "Applied PurpleTeaming" training, I needed to quickly learn about Azure Cloud. ... And now I've passed the AZ-900 exam! :D
Microsoft offers (most of) their exams to take at-home remotely, through Pearson Vue's "OnVue" service. I already worked with OnVue back in August, when taking the Cloud+ beta exam. My experience this time around was very similar: the tooling works well, as long as you make sure to turn off your local outbound firewall like Little Snitch.
As to the AZ-900 exam: it was a nice motivator (the proverbial carrot on the stick) for me to go through the six Azure Fundamentals modules on Microsoft Learn. I'm happy to have finally gotten some hands-on experience with Azure Cloud, or basically any cloud provider beyond running a shortlived VM on AWS.
After completing the BHIS APT training I intend to play around with Azure a bit more... Maybe I'll even rebuild this website on there!
kilala.nl tags: work, studies,
View or add comments (curr. 0)
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.