Portcullis Labs » RID

Is that really you? The importance of identity in breach response and recovery

RID — Tue, 18 Jun 2019 08:56:23 +0000

Presentation on Zero Trust and the importance of identity in breach response and recovery (as given at InfoSec Europe 2019 on the tech talk track).

Richard Dean, Cisco’s EMEAR Head Of Security Advisory Services looks at Cisco’s approach to zero trust.

This talk discusses the need to monitoring your users’ access and privileges and how securing them as they interact with the Internet is core to a Zero Trust approach to cybersecurity. Richard doesn’t just stop there though but rather moves on to look at what happens if you’re facing a deliberate attempt to steal your users’ identities in order to take advantage of these privileges? In this talk, you’ll learn how to manage identity effectively, as well as the importance of software defined networks in the drive to zero trust and rapid threat containment.

Learning outcomes:

Learn how to manage identity and access management effectively
The importance of software defined networks in enabling rapid threat containment
The first steps an organisation should take to start on the Zero Trust journey
Aligning corporate and personal security practices to get better adoption from staff, identify and password management
The importance of Software defined networks in the drive to Zero Trust

I2019ITRYTIOIIBRR.pdf
June 18, 2019

1.6 MiB
MD5 hash: 14981f12020f7774971ef61b8229188a
Details

The post Is that really you? The importance of identity in breach response and recovery appeared first on Portcullis Labs.

NOPC

RID — Tue, 03 Jul 2012 12:53:26 +0000

NOPC (Nessus-based Offline Patch Checker) is a patch-checker for primarily Linux distribution and UNIX-based systems. It is a shell script that utilises Nessus’ nasls and gives instructions on what data is needed to be obtained from the system to perform to derive a list of missing security patches. This was developed for situations when network connectivity to the systems under review is not possible.

Key features

The ability to perform analysis on the following Linux/Unix based distributions:
- AIX
- HP-UX
- MacOS X
- Solaris (Not 11)
- Debian
- FreeBSD
- Gentoo
- Mandrake
- Redhat
- Redhat Centos
- Redhat Fedora
- Slackware
- SuSE
- Ubuntu
The ability to perform analysis on Cisco IOS/ASA devices
Output in CSV format with CVSS scores

Overview

Ever tried to perform a patch analysis of a UNIX based machine without network access to it? It can be an eyesore and feel like a wrestling match to make reasonable sense of the output from tools like:


$ /bin/rpm -qa –qf ‘%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n’ > patchlist.txt

Out of this evolved NOPC, which utilises Nessus’ ability to perform an accurate patch analysis with the information extracted from the system. NOPC instructs you on how to manually recover this same information.

Installation

As NOPC is a shell script, it can be run anywhere. Unzip and extract the download in a directory. There are 2 files:

nopc.sh
README.txt

The only prerequisite is that the system where the shell script has Nessus running with up to date nessus plugins. The script assumes the default locations for the nasl command line (/opt/nessus/bin/nasl) and nessus plugins directory (/opt/nessus/lib/plugins)

These locations can be defined with the ‘d’ option for the directory where NOPC will look for nessus plugins and the ‘n’ option for the location of the nasl command line.


$ ./nopc.sh -d '/Library/Nessus/run/lib/nessus/plugins/'
$ ./nopc.sh -n '/local/bin/nasl'

Usage

Interactive Mode

Running through the interactive mode should be straight forward. NOPC asks for
the following:
* Output Type (e.g. list of missing patches, csv of missing patches)
* Distribution that missing patches to be checked against
* Specific system information required to perform checking (e.g. Patchlist, Release, OS Level, Hardware)


$ nopc.sh
Version: nopc.sh  0.4.7d
[+] Which output format would you like to use?
<%%KEEPWHITESPACE%%> 0 - Displays Outdated Packages only
<%%KEEPWHITESPACE%%> 1 - Displays NASL name and Outdated Packages
<%%KEEPWHITESPACE%%> 2 - CSV output of CVE, KB and description (comma)
<%%KEEPWHITESPACE%%> 3 - CSV output of CVE, CVSSv2, Severity, KB, Description (comma)
<%%KEEPWHITESPACE%%> 4 - CSV output of CVE, KB and description (tab)
<%%KEEPWHITESPACE%%> 5 - CSV output of CVE, CVSSv2, Severity, KB, Description (tab)

Enter 1-5? 3
[+] What type of system have you got the patch output for?
<%%KEEPWHITESPACE%%> 1 - AIX
<%%KEEPWHITESPACE%%> 2 - HP-UX
<%%KEEPWHITESPACE%%> 3 - MacOS X *
<%%KEEPWHITESPACE%%> 4 - Solaris (!11) *
<%%KEEPWHITESPACE%%> 5 - Debian
<%%KEEPWHITESPACE%%> 6 - FreeBSD
<%%KEEPWHITESPACE%%> 7 - Gentoo
<%%KEEPWHITESPACE%%> 8 - Mandrake
<%%KEEPWHITESPACE%%> 9 - Redhat
<%%KEEPWHITESPACE%%> 10 - Redhat (Centos)
<%%KEEPWHITESPACE%%> 11 - Redhat (Fedora)
<%%KEEPWHITESPACE%%> 12 - Slackware
<%%KEEPWHITESPACE%%> 13 - SuSE *
<%%KEEPWHITESPACE%%> 14 - Ubuntu
<%%KEEPWHITESPACE%%> 15 - Cisco IOS/ASA *

<%%KEEPWHITESPACE%%> * EXPERIMENTAL!!

Enter 1-15? 1
[+] AIX Selected
[+] Run 'lslpp -Lc > patchlist.txt'
[+] Enter Location of file: aix-7.1-patchlist.txt
[+] Enter the AIX Release e.g. 6.1
[+] Enter Text Requested: 7.1
[+] Enter the output of 'oslevel -s' e.g. 6100-04-04-1441
[+] Enter Text Requested: 7100-03-04-1441
[+] To run this in a script the command would be:

/opt/bin/nopc.sh -l '3' -s '1' 'aix-7.1-patchlist.txt' '7.1' '7100-03-04-1441'

[+] Locating Nasls
[+] Checking for 11206 Missing Patches
NOPC, AIX
Plugin ID, CVE, CVSSv2, Severity, KB, Title
81920, "CVE-2014-8769", 6.4, Medium, "IV67588", "AIX 7.1 TL 3 : tcpdump (IV67588)"
82900, , 7.5, High, "openssl_advisory13", "AIX OpenSSL Advisory : openssl_advisory13.asc"
83135, "CVE-2015-0138, CVE-2015-2808", 4.3, Medium, "java_apr2015_advisory", "AIX Java Advisory : Multiple Vulnerabilities"
...

In the above case, several missing patches were identified.
Note that the output type and distribution can be bypassed if these details are known.
 For example, for a detailed report of missing Redhat patches in csv format:

$ nopc.sh -l '3' -s '9'
Version: nopc.sh  0.4.7d
[+] Redhat Selected
[+] Run '/bin/rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' > patchlist.txt'
[+] Enter Location of file: patch-redhat-1.txt
[+] Enter the contents of /etc/redhat-release
[+] Enter Text Requested: Red Hat Enterprise Linux Server release 5
[+] Enter value of 'uname -m' e.g. x86_64, i686
[+] Enter Text Requested: i686
[+] To run this in a script the command would be:

/opt/bin/nopc.sh -l '3' -s '9' 'patch-redhat-1.txt' 'Red Hat Enterprise Linux Server release 5' 'i686'

[+] Locating Nasls
[+] Checking for 3620 Missing Patches
NOPC, Redhat
Plugin ID, CVE, CVSSv2, Severity, KB, Title
58262, "CVE-2012-0768, CVE-2012-0769", 10, High, "redhat-RHSA-2012-0359", "RHEL 5 / 6 : flash-plugin (RHSA-2012-0359)"
55813, "CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425", 10, High, "redhat-RHSA-2011-1144", "RHEL 5 / 6 : flash-plugin (RHSA-2011-1144)"


  
  
    nopc-0.4.7.tar.bz2
    
    

    September 29, 2015

    
  
  
    12.7 KiB

    MD5 hash: 052c08188e61c9080cd84a421c966e7c 

    Details
  
  
  
  
   
   
   
   
   
   
   Date: September 29, 2015
  
  
 


  
  
    nopc-0.4.5.tar.bz2
    
    

    February 20, 2014

    
  
  
    17.7 KiB

    MD5 hash: 180e64cce6a8bfee6d375bb796798c6e 

    Details
  
  
  
  
   
   
   
   
   
   
   Date: February 20, 2014
  
  
 


  
  
    nopc-0.4.2.tar.bz2
    
    

    April 26, 2013

    
  
  
    11.7 KiB

    MD5 hash: 3912a7b8a7eea99c0313378dd0843bad 

    Details
  
  
  
  
   
   
   
   
   
   
   Date: April 26, 2013
  
  
 


  
  
    nopc-0.4.1.tar.bz2
    
    

    April 26, 2013

    
  
  
    11.6 KiB

    MD5 hash: 9c82bddb9e214c5cf4fde1eccddc0096 

    Details
  
  
  
  
   
   
   
   
   
   
   Date: April 26, 2013
  
  
 


  
  
    nopc-0.4.tar.bz2
    
    

    April 26, 2013

    
  
  
    11.7 KiB

    MD5 hash: 7da2f9f63e0c2efb051e4b18a92b8d73 

    Details
  
  
  
  
   
   
   
   
   
   
   Date: April 26, 2013
  
  
 


  
  
    nopc-0.3.tar.bz2
    
    

    April 26, 2013

    
  
  
    10.4 KiB

    MD5 hash: b69d91c8e7bc2490391891926c48c8f8 

    Details
  
  
  
  
   
   
   
   
   
   
   Date: April 26, 2013
  
  
 

The post NOPC appeared first on Portcullis Labs.

secdump

RID — Fri, 26 Apr 2013 18:27:40 +0000

secdump is a simple meterpreter module that uploads and runs gsecdump. Nothing fancy, just a time saver.

Usage

meterpreter > run secdump
UploadExec gsecdump

OPTIONS:

    -a        Dump all creds
    -h        Help menu.
    -l        Dump LSA Secrets
    -p        Path on target to upload executable, default is %TEMP%.
    -s        Dump hashes from SAM/AD
    -u        Dump Active logon session hashes
    -w        Dump Wireless Creds {NOT IMPLEMENTED}

secdump_0.1.tar.bz2
April 26, 2013

1.6 KiB
MD5 hash: d8385c6d279d34949fb104dc3c6e63e0
Details

The post secdump appeared first on Portcullis Labs.

hoppy

RID — Fri, 21 Jun 2013 15:32:11 +0000

hoppy is python script to probe HTTP options and perform scanning for information disclosure issues.

hoppy is a http options prober written in python. It checks the availability of HTTP methods as well as probing them to see if they can be forced to disclose system information.

Key features

HTTP Method detection, TRACK, TRACE, PUT etc
Internal IP address disclosure detection
Internal Path Disclosure detection
Transparent working so you can see exactly what it did
Data extraction
Spider to find directories for webDAV detection
ms09-020 IIS auth bypass check on all discovered directories

hoppy-1.8.1.tar.bz2
April 26, 2013

28.3 KiB
MD5 hash: 29c9a9f1ee5b691f86c367e6144fbca7
Details

hoppy-1.7.3.tar.bz2
April 26, 2013

26.9 KiB
MD5 hash: 03971e8acf01f6fe747a24844494c1fd
Details

hoppy-1.7.2.tar.bz2
April 26, 2013

26.4 KiB
MD5 hash: 0585a312a4f4cb7e59e1ee83a082cb7b
Details

hoppy-1.7.0.tar.bz2
April 26, 2013

26.0 KiB
MD5 hash: 979426b0b3601991044a90e46e07378c
Details

hoppy-1.6.4.tar.bz2
April 26, 2013

22.9 KiB
MD5 hash: 952aea93c90571c19792f1e0c711c9a7
Details

hoppy-1.6.3.tar.bz2
April 26, 2013

22.9 KiB
MD5 hash: b54185838d18a8e5378a00ca033d1ce1
Details

hoppy-1.6.2.tar.bz2
April 26, 2013

22.7 KiB
MD5 hash: 3c585b1da40dfb57b52514f644c70b8e
Details

hoppy-1.6.0.tar.bz2
April 26, 2013

22.7 KiB
MD5 hash: 0deb4a49a55cae310110025bceea295e
Details

hoppy-1.5.12.tar.bz2
April 26, 2013

21.9 KiB
MD5 hash: 7e3b3e486f24c72833b2061b69058f33
Details

hoppy-1.5.11.tar.bz2
April 26, 2013

21.8 KiB
MD5 hash: 54cf9498ec1cd899d753f8b24a56226e
Details

hoppy-1.5.10.tar.bz2
April 26, 2013

21.7 KiB
MD5 hash: f01a87ded65e61d1aa03ee835bf15ef2
Details

hoppy-1.5.9.tar.bz2
April 26, 2013

21.4 KiB
MD5 hash: f222510f1a7c74b123a3f254b18a67b0
Details

hoppy-1.5.8.tar.bz2
April 26, 2013

20.5 KiB
MD5 hash: cd647bcaeb7dc28454d67cea0c4e107c
Details

hoppy-1.5.7.tar.bz2
April 26, 2013

20.5 KiB
MD5 hash: a7cbddcf834c2393c838124fead435a2
Details

The post hoppy appeared first on Portcullis Labs.

polenum

RID — Fri, 26 Apr 2013 18:31:14 +0000

polenum is a python script which can be used to get the password policy from a Windows machine.

It uses the Impacket library from CORE Security Technologies to extract the password policy information from a Windows machine. This allows a non-Windows (Linux, Mac OSX, BSD etc..) user to query the password policy of a remote Windows box without the need to have access to a Windows machine to perform the query.

Key features

Can extract password and associated information from a windows machine
Will connect over a NULL or authenticated share
Supports encrypted/signed sessions

Limitations

No NTLMv2 support
Has a problem with domain connected workstations

polenum-0.2.tar.bz2
April 26, 2013

5.9 KiB
MD5 hash: 4101c2acfa5442bd75418afaa405624d
Details

The post polenum appeared first on Portcullis Labs.

vessl

RID — Fri, 26 Apr 2013 18:16:05 +0000

vessl is a bash script that can fetch and verify the SSL certificate of a remote server.

It was originally written in order to script up the ability to verify SSL certificates across a large network.

Key features

vessl will connect to any service that OpenSSL can
It will extract and verify against a given CA Pem file
It will check that certificate matches the host it is on
It produce a map going from IPs to hostname
Checks to see if certificate is based on a blacklisted Debian key

Dependencies

openssl
ping
openssl-vulnkey
mktemp
CA Pem File

Usage

vessl -h host [-p port] [-c certfile] [-v]

Output Files

By default the output will be 3 files:

ip:port.verify
ip:port.cert
sslmap

The first is the verification data, the second is the certificate and the third maps IP to SSL Hostname, e.g.

77.75.105.66:443, labs.portcullis.co.uk (77.75.105.66)

Generating a CA PEM file

Gentoo

emerge ca-certificates
mkdir /etc/certs
cat /usr/share/ca-certificates/mozilla/* > /etc/certs/mozilla.pem

Debian

apt-get install ca-certificates
mkdir /etc/certs
cat /usr/share/ca-certificates/mozilla/* > /etc/certs/mozilla.pem

vessl-0.3.1.tar.bz2
April 26, 2013

8.0 KiB
MD5 hash: 9f9b0b942ea85b2f6fd2546870624803
Details

vessl-0.2.tar.bz2
April 26, 2013

7.7 KiB
MD5 hash: 4b7a0bcfca6369836c79aa91b9079e2f
Details

vessl-0.1.tar.bz2
April 26, 2013

7.5 KiB
MD5 hash: f267ae238c2adc58913579eee635ee0b
Details

The post vessl appeared first on Portcullis Labs.

Introduction To Format Strings

RID — Fri, 21 Jun 2013 15:38:55 +0000

A presentation introducing format string problems

What?

This presentation tries to cover the basics of format strings exploitation. Starting with an explanation of the legitimate use of Format Strings (Yin) moving onto how programming flaws can be exploited using this technique.

Why?

I spent many months getting my head around the nuances of FS exploitation so though I would put together a presentation on all the little things that I though were they key points when coming across this subject for the first time. This hopefully will act as a good basis for the More Adventures In Format Strings presentation

IntroducingFormatStrings.pdf
April 26, 2013

759.5 KiB
MD5 hash: cfa7f521e90249bcdb0ce520bdf28f5a
Details

The post Introduction To Format Strings appeared first on Portcullis Labs.

More Adventures in Format Strings

RID — Fri, 26 Apr 2013 18:02:00 +0000

A follow up presentation to show more in-depth format string exploitation techniques.

What?

This presentation covers a method for exploiting format string vulnerabilities which is compared to techniques used for exploiting heap smashes. It does not not cover the basics of the vulnerability because these seem ten a panny.

Why?

Much work has been written about covering the underlying principles of format strings but not much seemed to be written concerning this specific technique. More over is was written to push forward a method and library that can be used to optimise format strings to fit into smaller buffer spaces.

formatstringrevisited.pdf
April 26, 2013

541.6 KiB
MD5 hash: e3fd1fbc64fe67b056a9001987bfc5ea
Details

The post More Adventures in Format Strings appeared first on Portcullis Labs.