Dear PenTest Readers,
In the current issue, our main topic is Cloud Security. We decided to focus on it because the market for cloud services is developing at a very fast pace, which creates new challenges for businesses, individual users, and cybersecurity.
To start with, Alcyon Junior presents a new methodological approach to cloud pentesting. Daniel “DJ” Sherman wrote a really interesting tutorial on FuzzyUnicorn attacks, and Michał Zdunowski wrote an interesting essay on the security of processing information in the cloud. These articles will definitely help you enrich your perspective on cloud security!
As usual, there are also articles on other, various aspects of information security. West Shepherd provided a really good piece on enterprise penetration testing, based on his rich professional experience. Daniel Feichter presents an interesting case study of how Microsoft's incident response handled a critical bug. Mostafa Mahmoud continues his guided journey into binary exploitation, which started in the previous issue. If you got aboard then, now it's time for another stage! If not, there is still time to catch up :). Speaking of continuity between this and the previous issue, Bruno Rodrigues brings in the second part of his article “Malware Analysis with Machine Learning”.
And that's not all we have for you in this issue! Find out for yourself! :)
Enjoy the reading,
PenTest Magazine's Editorial Team
Table of Contents
A New Methodology for Cloud Environments Penetration Testing
by Alcyon Junior
Cloud Computing Penetration Testing is a method of actively checking and examining a cloud system by simulating an attack from the client side. The methodology presented here can be used for Cloud Computing, on-premise or even hybrid environments, provided the tests are performed from the client access side. With this article, I intend to present a methodology for pentesting Cloud Computing environments in a simpler and more structured way.
Native AWS Security vs FuzzyUnicorn
by Daniel "DJ" Sherman
The team does some research and finds that there are two ways to nullify AWS STS access. Note that disabling the active keys and the IAM user does not nullify the STS access. The first way to stop the bleeding is to delete the devOPs1 user. This will work; however, the account may be needed for some business function, and deleting it disrupts production. The devOPs1 user is re-enabled with no password for console access and is granted new keys so the business can continue to function. Security has to keep in mind that disabling all the things will not always be an option. This is a business decision that leadership needs to make.
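As an added example (not the article's code), a practitioner's counterpart to the point above that deactivating the keys and the IAM user leaves already-issued STS credentials valid: one way to cut those sessions off without deleting the user is an inline deny policy conditioned on aws:TokenIssueTime, the mechanism behind the IAM console's "Revoke active sessions" action. The timestamps, the devOPs1 user name in the attach helper and the local evaluator are illustrative; the evaluator only models IAM's DateLessThan check.

```python
"""
Added example (not from the PenTest article): build and locally test the
"revoke older sessions" deny policy that invalidates temporary STS credentials
still valid after an IAM user's access keys were deactivated. Attached inline
to the user (or role), it denies every request whose credentials were issued
before the cut-off. aws:TokenIssueTime exists only for temporary credentials,
so long-term access keys (used afterwards to re-issue access) are unaffected.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

STAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"


def revoke_older_sessions_policy(cutoff: datetime) -> dict:
    """Deny policy keyed on aws:TokenIssueTime, same shape as the one the IAM
    console attaches when you click 'Revoke active sessions'."""
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware (UTC)")
    stamp = cutoff.astimezone(timezone.utc).strftime(STAMP_FMT)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RevokeOlderSessions",
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def request_denied(policy: dict, token_issue_time: Optional[datetime]) -> bool:
    """Local model of how IAM evaluates the policy above for one request.
    token_issue_time=None models a request signed with long-term access keys:
    aws:TokenIssueTime is absent, so DateLessThan does not match."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cutoff_str = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if cutoff_str is None or token_issue_time is None:
            continue
        cutoff = datetime.strptime(cutoff_str, STAMP_FMT).replace(tzinfo=timezone.utc)
        if token_issue_time < cutoff:
            return True
    return False


def attach_to_user(user_name: str, policy: dict) -> None:
    """Push the inline policy with boto3 (needs AWS credentials; not run offline).
    Hypothetical helper; user_name would be the compromised principal (devOPs1)."""
    import boto3  # imported here so the rest of the module works without boto3
    boto3.client("iam").put_user_policy(
        UserName=user_name,
        PolicyName="RevokeOlderSessions",
        PolicyDocument=json.dumps(policy),
    )


def demo() -> dict:
    """Worked case with constructed timestamps: cut-off at 2020-01-01T12:00:00Z."""
    cutoff = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    policy = revoke_older_sessions_policy(cutoff)
    return {
        "stamp": policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"],
        "old_session_denied": request_denied(policy, cutoff - timedelta(hours=1)),
        "new_session_denied": request_denied(policy, cutoff + timedelta(minutes=1)),
        "long_term_key_denied": request_denied(policy, None),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the condition never matches requests made with long-term keys, the re-issued access keys for devOPs1 keep working while every session token minted before the cut-off is refused, which is the middle ground between deleting the user and leaving the attacker's STS credentials live.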
How To Avoid Thunderstorms On a Sunny Day – Consequences Of Processing Information In Cloud
by Michał Zdunowski
But what exactly is the right amount of protection? Well, each organization treats its data in a different way. That's why I would encourage the use of encryption only on the most sensitive types of information, with a pre-defined group of users, so that even if such a label is used, those users are still able to access their files. And what about the rest? Well, classification tools have the great ability to write classification labels into the metadata of the files; just make sure that you train the users so that they understand the need for classification.
Enterprise Penetration Testing
by West Shepherd
As a penetration tester who has conducted enterprise engagements over the past ten years, I've come to the realization that most organizations suffer from the same issues. Whether in the private sector or otherwise, the path to domain admin is usually the result of one or more of these common issues. While an all-inclusive list is beyond the scope of this article, these issues can be broken down into the following categories: password policies, multi-factor authentication, segmentation, change control, the principle of least privilege, and (occasionally) patch management. In this article, I will break down how I exploit these areas and how an organization can avoid these issues.
MSRC Case 53842 – Microsoft's Handling of Critical Bugs
by Daniel Feichter
In the end I always got a malware sample which allowed me to crash the Windows Defender service in a targeted way and also to open a C2 channel to the Empire server. In my opinion this bug could be very critical if malicious actors knew about that weakness in Windows Defender before Microsoft did. So I decided to open a case at the MSRC portal.
The Techniques of Redirecting the Execution Flow
by Mostafa Mahmoud
In the last article, we explained how to build an exploit for FreeFloat FTP; we used JMP ESP to overwrite EIP and execute our shellcode. In this article, we are going to talk about the techniques of redirecting the execution flow. JMP ESP and CALL ESP are the optimum ways to control the execution flow, but we can't find them easily every time we try to write an exploit.
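As an added example (not from the article or its author), the search for those redirection sequences: scan a module's bytes for JMP ESP, CALL ESP and the PUSH ESP; RET fallback, report each as an absolute address, and drop any address whose little-endian encoding contains a bad character, since such an address would not survive the copy into the overflowed buffer. The module image, its base address and the bad-character set below are constructed for the demo.

```python
"""
Added example (not the article's code): find stack-pivot gadgets in a module
image and keep only the addresses that can be written into the saved EIP slot.
The demo module, its base and the bad characters are constructed; in practice
feed it the raw bytes of a DLL loaded at a fixed base (no ASLR/rebase), which
is what !mona jmp -r esp does against a live process.
"""
from typing import Dict, List

# x86 encodings of the usual sequences that hand control to the stack
GADGETS: Dict[str, bytes] = {
    "jmp esp": b"\xff\xe4",
    "call esp": b"\xff\xd4",
    "push esp; ret": b"\x54\xc3",   # fallback when no JMP/CALL ESP exists
}


def find_gadgets(blob: bytes, base: int) -> List[dict]:
    """Every occurrence of each gadget as {mnemonic, offset, address}, sorted."""
    hits = []
    for mnemonic, pattern in GADGETS.items():
        pos = blob.find(pattern)
        while pos != -1:
            hits.append({"mnemonic": mnemonic, "offset": pos, "address": base + pos})
            pos = blob.find(pattern, pos + 1)
    hits.sort(key=lambda h: h["address"])
    return hits


def usable(address: int, bad_chars: bytes) -> bool:
    """True if the 4-byte little-endian address contains no bad character
    (strcpy stops at 0x00, an FTP command parser eats 0x0a/0x0d, and so on)."""
    return not any(b in bad_chars for b in address.to_bytes(4, "little"))


def candidate_addresses(blob: bytes, base: int,
                        bad_chars: bytes = b"\x00\x0a\x0d") -> List[dict]:
    """Gadgets whose address survives the copy into the vulnerable buffer."""
    return [h for h in find_gadgets(blob, base) if usable(h["address"], bad_chars)]


def pack_eip(address: int) -> bytes:
    """The bytes that go into the buffer at the saved-EIP offset."""
    return address.to_bytes(4, "little")


# Constructed module image: NOP padding with gadgets planted at known offsets.
DEMO_BASE = 0x62500000
_img = bytearray(b"\x90" * 0x1200)
_img[0x0A00:0x0A02] = GADGETS["jmp esp"]        # 0x62500A00 -> bytes 00 0a 50 62: unusable
_img[0x0B10:0x0B12] = GADGETS["push esp; ret"]  # 0x62500B10 -> bytes 10 0b 50 62: clean
_img[0x11AF:0x11B1] = GADGETS["jmp esp"]        # 0x625011AF -> bytes af 11 50 62: clean
DEMO_BLOB = bytes(_img)

if __name__ == "__main__":
    for h in find_gadgets(DEMO_BLOB, DEMO_BASE):
        ok = usable(h["address"], b"\x00\x0a\x0d")
        print(f"{h['address']:#010x}  {h['mnemonic']:14s} "
              f"EIP bytes={pack_eip(h['address']).hex()}  {'ok' if ok else 'bad chars'}")
```

The first JMP ESP found is useless here even though the instruction is right: its address carries a null and a line feed, so the copy into the buffer would be cut short and EIP would never hold the value. That is the everyday reason the excerpt gives for needing alternatives to JMP ESP and CALL ESP.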
Malware Analysis with Machine Learning. Part 2.
by Bruno Rodrigues
Let me warn you that I cannot take credit for the concept itself, but only for the optimisation of the code used. So what's the concept behind our ML malware analysis? We are going to transform our malware into images and then feed them to our Deep Neural Network for learning, and therefore be able to identify malware based on its corresponding image. Who would imagine it possible?
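As an added example (not the article's code), the byte-to-image step the excerpt describes: every byte of the sample becomes one grayscale pixel, the image width is chosen from the file size, and the result is resized to a fixed square so a network can take it as input. The sample bytes and the width breakpoints below are constructed and assumed for the demo.

```python
"""
Added example (not from the article or its author): turn a binary into a
grayscale image, as in the malware-as-image approach the excerpt describes.
SAMPLE is a constructed stand-in for a malware file; the width table is an
assumption patterned on the malware-images literature, not a standard.
"""
from typing import List, Optional

Image = List[List[int]]  # rows of 0-255 pixel values


def choose_width(size: int) -> int:
    """Width by file size (small file -> narrow image); breakpoints assumed."""
    kb = size / 1024
    for limit_kb, width in ((10, 32), (30, 64), (60, 128), (100, 256),
                            (200, 384), (500, 512), (1000, 768)):
        if kb < limit_kb:
            return width
    return 1024


def bytes_to_image(data: bytes, width: Optional[int] = None) -> Image:
    """Lay the bytes out row by row; the last row is zero-padded so the image
    is rectangular. PE sections show up as distinct textures (code, zero-filled
    data, packed or encrypted high-entropy regions), which is what a CNN learns."""
    if not data:
        raise ValueError("empty sample")
    width = width or choose_width(len(data))
    padded = data + b"\x00" * (-len(data) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]


def resize_nearest(img: Image, out_h: int, out_w: int) -> Image:
    """Nearest-neighbour resize to the fixed input shape a network expects."""
    in_h, in_w = len(img), len(img[0])
    return [[img[y * in_h // out_h][x * in_w // out_w] for x in range(out_w)]
            for y in range(out_h)]


def to_features(img: Image) -> List[float]:
    """Flatten to a 0.0-1.0 vector, the usual scaling before training."""
    return [px / 255.0 for row in img for px in row]


def write_pgm(img: Image, path: str) -> None:
    """Save as binary PGM so the image can be viewed in any image viewer."""
    h, w = len(img), len(img[0])
    with open(path, "wb") as f:
        f.write(f"P5\n{w} {h}\n255\n".encode())
        f.write(bytes(px for row in img for px in row))


# Constructed stand-in for a malware sample: a 2 KiB ramp of byte values.
SAMPLE = bytes(range(256)) * 8

if __name__ == "__main__":
    img = bytes_to_image(SAMPLE)          # 2048 bytes -> width 32, 64 rows
    square = resize_nearest(img, 32, 32)  # fixed 32x32 network input
    print(len(img), "x", len(img[0]), "->", len(square), "x", len(square[0]))
    write_pgm(img, "sample.pgm")
```

Two practical notes: the zero padding on the last row is a deliberate choice, since it keeps every sample rectangular without altering any real byte, and the nearest-neighbour resize is what keeps samples of very different sizes comparable before they reach the network.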
The Challenge of Assessing Strategic Cyber Risk [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Charles Harry, PhD
Organizational leaders and policy makers are struggling to assess the larger consequences of what are essentially attacks conducted at a local level. The emergent consequences and our inability to model interdependence remain an enduring challenge for the field. Advancing our ability to do so, while not solving the cybersecurity problem, will help us better manage potential consequences and more efficiently allocate our scarce resources.
Does an Increase in Security Always Result in a Decrease in Usability?
by Robert Griffin
The problem is that these two-step systems dramatically detract from the user-friendly experience that customers expect as part of an entertaining and sometimes impulse-led purchase process. In the case of e-commerce, for example, testing has shown that the fall-off in sales resulting from the additional required step is so great that operators have steered well clear of two-step authentication.
Interview with Jacob Wilkin - a penetration tester and a talented security tools developer
I developed Social Mapper for a number of reasons. Firstly, I wanted to make it easier to scrape social media profiles on a mass scale, to save time on some OSINT work I was doing at the time for a red teaming engagement. Secondly, I was shocked that social media sites couldn't detect mass scraping that they claimed was against their terms of service, and I wanted to bring this to the attention of the wider security community.