Test your network by Bloodhound

Which Bloodhound might you ask?

No not the Dog…

But the following program in Kali Linux:

Just a slightly different picture and meaning.

Cobaltstrike has tested with it and this is his explanation:

“BloodHound is a tool to analyze and understand Active Directory Trust Relationships. For an offensive practitioner, this tool can highlight the hops you might take to reach a goal within a network. For a defensive practitioner, this tool is gold as it can show you the most likely paths an attacker might take. It’s a good exercise to decide which of these trust paths needs to exist and which you can eliminate.”

Once setting up Bloodhound and Neo4J (used to create a graphical representation) you can then review your users in Active Directory. what is the most important attribute of your users in Active Directory?  Permissions. What can a user access with their permission?

“Defenders think in lists.

Attackers think in graphs

As long as this is true attackers will win “

John Lambert quote , he is with Microsoft Threat Intelligence.

 

What is going to happen is what is called as an Identity snowball attack.  We want to learn what users have privileges that allow us to gain more privileges.

The following images are from a youtube video of Andy Robbins, Will Schroeder, and Rohan Vazarkar – six degrees of Domain Admin

In Bloodhound: Vertices represent individual elements of a system (uses, groups, computer, domain)

Edges: generically represent relationship between vertices( group membership, admin rights, user session, domain trusts)

paths point toward escalating rights – always(compromising a system or user).

 

So the idea is to find users that lead you to domain admin user accounts or their privileges.

Powerview is also useful ( a pure PowerShell v2.0+ domain/network situational awareness tool… Which bloodhound is built upon.  With this tool bloodhound can collect data and does not need elevated privileges for collection methods.

  • Invoke-UserHunter
    • Get-NetSession sessions w remote user
    • Get-NetLoggedOn/Get-LoggedOnLocal – who is looged on to what machine.

Who can admin what?

We can enumerate members of a local group on a remote machine without admin privilieges

  • The WinNT service provider or NetLocalGroupGroup-ComputerName IP [-API]
  • GPOs can set local admins
  • GPOs are applied to OUs/Sites
    • correlation is equal to local admin information through communication with a DC
  • PowerView
    • Find-GPOLocation
  • Who is in What Groups
    • Get-NetGroup| Get-Netgroupmember

Instead of doing these commands manually via PowerView, Bloodhound does it graphically.

Here are 2 examples from the youtube video:

I believe this is test data, but from a large environment (200k computers) so there were a few large graphs. The 2 examples I chose from video are groups and certain users, computers broken out. The key is one can find a few specific computers and users that one has to infiltrate to then quickly get domain admin access. I.e. Identity snowball attack.

 

This tool is worth the time to learn and understand to make sure your environment is not easy to escalate and take over.

Contact Us to discuss.

 

Upgrade or Get Hacked (When Patch Available)

Did you hear the latest in Cybersecurity news?

  1. No not the news that Pizza Hut was hacked
  2. Not the news Hyatt Hotels were hacked.

BUT only the news that the supposed secure WPA2 Wifi Protocol is actually vulnerable to attacks. Which essentially means all current wifi access points are not secure.

CERT has a list of all the vendors with patches and affected vendor models.  CERT used to be Computer Emergency Response Team, but today it is at Carnegie Mellon University and still reviews the important vulnerabilities.

So you say…  Big deal another protocol is insecure the researchers say, just because it may be insecure if a person with knowledge can hack this then my wifi is going to be less secure, but what does it really mean?

It means it is another item to patch in a large schedule of patches (with Microsoft Windows, and other software also having to be patched.)

So we have to evaluate the actual risk and impact before allocating resources.

For one the hacker has to be close enough to your wifi station to see if they can hack your communications, this is not a recipe for mass mania. True,  but as usual it is only the high risk areas that have more to worry about. High risk as in protecting Social security numbers, and other PII (Personal Identifiable Information).

So the largest worry we have is that this patch is going to be ignored by most people, thus leaving 50% or more of wifi access points vulnerable to this attack. So the best thing that can happen here is that companies must evaluate their own situation and then make decisions with their resources as to when to patch this problem. It may not be easily hackable and must have proximity to wifi access points.  So in the future a seeming secure protocol is not until patched.

Unfortunately not everyone patches. As we mentioned before, 25% patch within first week,another 25% within first month, an additional 25% within 6 months. And some do not patch at all.

 

Obviously this is true since there are many ransomware outbreaks and they take advantage of basic patches not applied (vulnerabilities that take advantage of this).

So in the coming months as hackers develop better hacks (programs that take advantage of this vulnerability so the hacker can make money,  only then will the risk go higher and higher. And depending on impact of system affected it might actually get more dangerous for the companies not patching.

 

So everyone must have a patching regimen. Get going already – get a CISA tester on hand (like US – contact us).

 

Doing the Basics Would Have Saved You

A new Zero-Day attack is out available for attackers. this attack was discussed in the SANS website Internet Storm Center: https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/

SMBLoris – the new SMB flaw

The article was written from reviewing a Threatpost article, but was ultimately triggered because of the DEFCon 2017 presentation:

 

Notice the arrows on right with memory usage on a webserver going close to 100%.

What makes this attack (DOS – Denial Of Service) so bad is that it is easily disguised as ‘SlowLoris’ as sending partial HTTP requests to webservers (i.e. not fully connecting to the webserver). This partial connection essentially slows the webserver to a crawl when requesting enough connections.  And since this is a standard request, it is hard to distinguish friend from foe.

This is an interesting point from the archive.org webpage:

“Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up it’s sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they’ll still be able to see the site. So it’s a bit of a race condition, but one that Slowloris will eventually always win – and sooner than later.”

So this is not a simple easy to see issue. This issue abuses the way the webserver operates for the following 4 applications:

 

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer

slowloris is just one variant and as hackers review this attack…  variants may get created and thus exploit this in yet unknown ways. As of this posting there is no CERT classification yet.

What do I mean about the basics?  Well, if you have a webserver it should not have port 445 open to the public:

Google Port 445 definition:

Port 445 is a SMB port, or Structured Message Block which is used in NETBIOS protocols usually in file sharing applications. Well, one should not have a webserver with port 445 open and available on the Internet.

So, if you have done the basics, i.e. not run 445 or other ports that are unnecessary than this attack will likely not affect you or at least minimally affect you.  If you had to keep everything open, it might be time to run a firewall port limiter device in front of your website.  This is a fluid issue at this time, so keep an eye out for new attacks.. Contact Us to discuss.

 

Remember the hacker takes advantage of poor configurations.

Contact Us to discuss auditing your environment and review the basics in IT security.

 

 

 

The Old FUD – Fear Uncertainty Doubt

The FUD techniques are certain to come up again and again as they are effective (to a degree).

FUD is a marketing technique to sow fear into cost conscious customers that are thinking of going to a competitor. Pushing safety in numbers and other uncertainty creates FUD in the mind of potential customers. Thus it is not so easy to go with a competitor unless one is armed with knowledge.

the first FUD campaign happened when IBM mainframes finally receive some competition with Amdahl mainframe company.

Above picture is an Amdahl mainframe (with red-hued panels instead of the familiar IBM blue). Newcastle university in picture)

So obviously Newcastle University did not pay attention to FUD by IBM

Why do I mention this FUD business? Because it is an old tactic and is being used by competitor Firewalls in the security firewall market space.  Palo Alto is muscling into a larger marketshare (due to developing and running a good firewall operation)

So the competitors have developed a youtube video 

First one selects an exploit 

Then configure the test environment which means setting up what kind of attack will be ‘tested’.

then conveniently one can Run the attack.

So the competitor ran the Evader software with specific evasion techniques to see if they can evade the Palo Alto firewall they have set up so they can evade it.

 

This is exactly why FUD works, make future Palo Alto customers(or current ones) see that they can have a firewall that is not bullet proof.

Yes we know that – no firewall is bulletproof no matter how well you configure it, there is always one item that is missed over the days and years. Since we are assaulted day after day and all the hackers have to do is get one attack to work. We have to be cognizant to not be complacent and invincible (it will not happen to me attitude).

It is true we have better firewalls and the only thing to combat FUD no matter your industry is massive amounts of information, thus knowing what you have backwards and forwards.

Contact us to review your environment so that you don’t worry about FUD.

To Measure Risk, Measure Impact : Major Threats and Effects

To Measure Risk means to measure impact and threats(likelihood)

(R=L*I) Risk = Likelihood * Impact

 

So what does that mean? What are the threats and their effects to your environment? Answering this will give the true impact of the problem figuring out what risk one really has.

(Above image was copied from @ipfconline1 twitter images)

So let’s assume these are the major threats and Major concerns (from image)

  • Unauthorized Access  53%
  • Hijacking Accounts  44%
  • Insecure interfaces / APIs  39%
  • External sharing of data

Major Concerns

  • Data Loss/leakage  49%
  • Data Privacy  46%
  • Confidentiality  42%
  • Legal and regulatory compliance   39%

The threat is one portion of risk, the impact is another.

The idea is to view all of the threats coming at you and review where you should spend your time.

The problem with this methodology is one has to have a decent understanding of the impact and likelihood of various threats. Some of these items need to be also taken into context.

If you have 100 computers and they are all running Windows Operating systems (different versions 7,8,Server, 10) then a threat to your Windows base for MS17-10 is not as dangerous for all computers.

But what if a virus/trojan attacked and affected 20 computers?  Now the impact would be higher. So the Risk to your organization is higher from a relatively minor Microsoft vulnerability.

So one thing you will find is that even minor vulnerabilities can grow into major problems. So the potential effect of an exploited vulnerability  is the issue. Every month new patches are released and at the same time criminal hackers are trying to exploit the patch exploitability.

Unfortunately every vulnerability has an attack timeline.

Here is the crux of the issue, what is the impact for each separate vulnerability to your environment? As criminals develop better attacks you have to keep the threats in mind and do proper patching so as to defend your network.


By performing an audit of your environment and  reviewing impacts and likelihood you will hopefully be able to evaluate your risk properly.

Contact Us to help you with this process.