Dear PenTest Readers,
On the very special occasion of the last month of a decade, we would like to present you with a collection of 20 remarkable articles, chosen by our editors and grouped into 5 thematic blocks. The choice was based on our opinion, as well as on valuable feedback from our internal reviewers and readers. There are about 250 pages of our best articles, so this edition is a great treat for every ethical hacker.
The “Colors of Pentesting” section is filled with great tutorials on Red Teaming and Blue Teaming. “Be Business-wise” will lead you into the world of attack vectors within the finance sector, as well as some tips on how to secure your API, automate your SOC, or organize the most efficient CTF model for your company. Next, “Model the Threat” will help you explore the art of threat modeling and the landscape of threat intelligence. Last but not least, something crucial for collective security: “Critical Infrastructure”.
At the end there is also a “Miscellaneous” section, full of various interesting articles which don’t fit into any of the above-mentioned categories. And they don’t need to! They are just awesome reads on their own. No matter if you are into automation of API pentesting, binary exploitation, pentesting with Python, or a report from a really interesting CTF competition, you will definitely find something for yourself!
Without further ado,
Let’s dive into the reading!
Table of Contents
I. Colors of Pentesting
Red Teaming Operations and Threat Emulation
by Boumediene Kaddour
In a real Red Team engagement, making communications occur directly between the target and the C2 server is a silly decision for an advanced operator. Attackers and Red Teamers use C2 redirectors to hide the real C2 server, for the purpose of protecting the C2 server IP address from identification. The best way to build a C2 infrastructure is to wisely choose legitimate domain names with valid SSL certificates (LetsEncrypt), IP addresses, and well-known protocols like HTTP(S). There are various techniques and tools that can be used to implement a C2 redirector, including iptables, socat and the built-in Microsoft tool netsh.
Red Team C2 and Blue Team Detection
by Jesse Moore
Blue Teams can simulate Red Team operations by leveraging the Atomic Red Team GitHub repository, where many Red Team commands are provided to test detection mechanisms. Blue Teams can capture which Red Team commands are tested by standing up a Kansa environment. Kansa is a free framework from GitHub that helps defenders capture anything with the use of WinRM and PowerShell on Windows operating systems. If you can script it with PowerShell, then Kansa is able to push that script out to a fleet of Windows machines and return the output for further analysis of adversarial TTPs.
Red Team Scenario: Delivering a Trigger-able Outlook Malware via Macros
by Alexandros Pappas
By executing this malware, the Red Teamer can bypass this security prompt and in fact make the security prompt disappear from the end-user’s screen. The Red Teamer can achieve this by simultaneously loading the series of keystrokes that grant the attacker access to the victim's email box. In fact, by tuning the sleep values, the Outlook security prompt will never appear on the user's screen at all.
II. Be Business-wise
Social Engineering in the Age of Fintech
by Jeremy Walker and Sean Butler
Even as Fintech systems become increasingly automated, social engineering continues to be a major attack vector. According to the cyber security firm KnowBe4, ninety-seven percent (97%) of malware is targeting users, rather than technical vulnerabilities. This article explores an example of both a remote and an on-prem social engineering method being combined with low-sophistication attacks to obtain data associated with Fintech systems.
Securing the API Economy
by Abhi Singh
The network, by its nature, implements least privilege without relying on developers for it. This can be a manageability and scalability headache. One method to implement these capabilities is to use a “Service Mesh”. This mesh will determine how services discover each other (discovery) and talk to each other (routing). This was previously done using load balancers in front of each service. Following this logic, most of these load balancers are manually managed, and if you were to add a new service, you would open a change ticket that would be serviced by IT. Load balancers introduce a cost penalty and an agility penalty based on how fast an organization turns around the tickets, thereby defeating the overall purpose of rapidly scaling using microservices.
Security of the FIX Protocol: How To Intercept, Modify and Crash FIX Server with Mal-formatted Message
The only confirmation of the counterparty identity during FIX communication is the check of the field SenderCompID (field id: 49). It is possible that by accident the SenderCompID will be revealed (for example, sent to another firm via email), which should be treated as a security breach, as knowing the SenderCompID will allow the attacker to steal the identity of the holder and use it in the attack (see the chapter on different attack methods and approaches). All things considered, firms should practice due diligence and treat SenderCompID as sensitive information.
Corporate Capture The Flag (CCTF) – Creating “The Hacker Mindset”
by Rohit Nambiar and David Kosorok
While external bug bounties are a great way to PenTest your application, what if you could achieve something similar by harnessing internal talent and maybe even developing new talent? The process would be slower but possibly more fruitful in the long run. While this cannot replace the regulatorily required external PenTests, it could be a gradual substitute for many of the bi-annual or more frequent PenTests that don’t require external auditing. In the long haul, not only do your applications get tested, but you have also created an army of security experts, each with a unique mindset gained from solving diverse types of challenges as part of the CTF.
The Red Pill of SOC Automation
by Nicolas Mattiocco
Because the assets are in continuous transformation and the spectrum of threat scenarios is reshaped every day, it has become obvious that manual security assessments, classical yearly penetration testing or quarterly configuration reviews are not best practices anymore. Maybe they already belong to a bygone age. Because attackers are impressively gaining in velocity, organizations have to adapt their cyber threat detection strategy. On the defensive side, a SOC will never be able to hire enough people to analyze and respond to all alerts.
III. Model the Threat
Threat Modeling for Supply Chain Risks
by Cecilia Clark
To include vendors, work with them to develop their independent risk management strategy, mirroring the stringency of your own. If they are already security-focused and have a risk management plan in place, review it to ensure it includes the three basic categories of a cybersecurity plan. Once satisfied with their plan, use their text-based, detailed threat model to create a threat model map. Determine where your vendor’s systems connect to yours and link your threat model map to the vendor’s map at those points.
Preemptive and Proactive Protection from DDoS through Threat Intelligence
by Jalasutram Sai Praveen Kumar
Botnets are the soul of DDoS attacks. Botnets and DDoS attacks are interrelated when it comes to causing disruption to their victims. Threat actors create their own botnet networks by compromising multiple systems (bots/zombies) at various locations and coordinate them accordingly to divert enormous amounts of data packets towards their target, rapidly increasing the target’s bandwidth criteria and disrupting its normal operations.
Purple Team Tactics and Threat Intelligence
by Alexandros Pappas
There is increasing recognition that Red Teams and Blue Teams should work together, creating a Purple Team. This Purple Team isn’t necessarily new, but a combination of existing Red and Blue Teams working together to serve an identical goal: improved organizational security posture! It might be regarded as a process (by engaging both Teams), as opposed to a unique entity. The Red Team should be conducting objective assessments mimicking known and quantifiable threats. As part of this process, the threat actor’s TTPs should be known. Based on this modern approach, the Purple Team improves security by removing the “win or lose” mentality between Teams, and enhances cooperation, as transparency benefits everyone.
IV. Critical Infrastructure
Deterministic Unidirectional Devices: Protecting OT Networks with Data Diodes
by Marlene Ladendorff, PhD
The Ukraine power grid compromise offers an example of the consequences that can result from a cyber-attack. A deterministic unidirectional device (data diode) would have circumvented the attack via the wired network cyber threat vector. Once the diode is installed, confirmation of unidirectional communication should be performed via penetration testing. Other possible circumventions of IT/OT network separation include data diode bypasses, improper data diode configuration, primary and backup diode composition, and incident response plans in the event of diode failure.
Industrial Cyber Physical Security Enhancement
by Cevn Vibert
Industrial cyber security is now deep into a form of arms race. Defenders need more defence tools and monitoring wizardry to detect and prevent attacks, but only if they can afford the resource, time and expertise costs. They are usually seriously hampered by lack of budget and resources. Automation and security vendors are building more and more complex systems to help the defenders, but only if the defenders can afford the prices.
Pentesting SCADA Architecture
by Marlene Ladendorff, PhD
Significant differences exist between Enterprise IT and OT SCADA system architecture and functionality. IT systems are upgraded on a much more frequent basis than SCADA systems, but the lifetime of SCADA systems is substantially longer than that of their IT counterparts. Penetration testing for IT systems can be performed on active networks, while SCADA penetration testing should be limited to test bed or development systems and executed in a passive manner so as not to disrupt operations. All personnel involved in or potentially affected by a penetration test should be included in a review of the test, an activity that some industries refer to as a pre-job brief.
V. Miscellaneous
Automating API Testing
by Chrissa Constantine
There is considerable value in automating portions of API pentesting. Commonly, pentesters open the web application and navigate to all of the pages, capturing the requests and responses in a security testing tool like Burp or OWASP ZAP. The use of API testing tools like SoapUI or Postman can help pentesters generate and submit web service requests. For SOAP calls, the WSDL can be challenging to read and to derive manual tests from. Tools that can be pointed at a WSDL or Swagger (REST) file are essential so that testers can work more efficiently. It is essential to spend time setting up the testing environment in preparation for analyzing the API.
APT In Action - Advanced Python Programming
by Boumediene Kaddour
If you are a penetration tester or incident responder, you have probably asked yourself a question while conducting a penetration test project or responding to a massive attack, where “off-the-shelf” tools did not achieve what you were expecting: why did this tool fail to exploit this clear-as-blue vulnerability, and how can I move fast to provide a POC to my customer, who is paying me to emulate such a threat? Or how can I retrieve these forensic artifacts from this operating system before the case goes cold? The answer to the aforementioned questions is to develop your own tools using a fully featured, easy-to-use programming language like Python.
A Report From Western Regional Collegiate Cyber Defense Competition [February 28, 2019]
by Eric Crutchlow
As the end of day 2 approaches, it’s time to nuke all the Blue Team systems. The goal before was to create just enough havoc, in a way that a Blue Team should be able to identify and remediate. This is one of the key areas where Blue Teams can score points: identify and remediate a hack and then report it (aka document the incident). But at one hour before the end of the competition, the Red Team is given the OK to use the nuclear option: take down all systems through any means possible (except DDoS).
10 Pitfalls When Working With Kubernetes
by Jeroen Willemsen and Eric Nieuwenhuijsen
When looking at accessing the workload, you should remember that at its core, the Kubernetes nodes just run Docker containers, which Kubernetes calls pods. One interesting attack vector to expand your foothold is via the actual containers themselves. When a container proves vulnerable, for example by allowing SSH or kubectl exec, or when the application allows you to achieve RCE, you have a great starting point. If you’re able to get inside a container, check if you can create new files and/or run/install kubectl: if not, then the container storage volumes are probably read-only, which will prevent a lot of manipulation of the containers.
Next-Generation Binary Exploitation
by Alcyon Junior (aka AlcyJones)
In this article, I propose to present a simple way of understanding binary code, through a basic enumeration of the program, as a starting point for binary exploitation. This modern technique is used for initial binary exploration, and aids in understanding how the program works in order to perform one of the most commonly used attacks against systems and programs, known as the Buffer Overflow.
Reverse Engineering SAP Security Notes
by Fred van de Langenberg
Using only two such SQL statements, an attacker can create a new SAP user and subsequently assign it super user privileges, which may then be used to attack the SAP system. In effect, it would be a major (and very efficient) type of attack if this vulnerability could be exploited.