OpenSecurity.global

Daniel Cuthbert

Members
  • Content Count: 13
  • Days Won: 4
  • Invited by: Thomas V Fischer

Daniel Cuthbert last won the day on October 24

Daniel Cuthbert had the most liked content!

Community Reputation: 16 Good

3 Followers
  1. Sorta, I mean many running Laravel and other CMS-like frameworks would use the try_catch function, so it's not super niche
  2. Sadly PHP continues to show how not to write code, especially if you use it and don't want to give free shells to all. A couple of weeks ago, neex dropped a bug on the PHP sec bug list that detailed a rather ugly condition in fpm_main.c. This function assumes that the env_path_info has a prefix that equals that of the PHP script being called. Now usually we'd validate this, but no, this is where they failed to abide by dem rules and this led to an invalid pointer. Add a newline character and a skip, hop and a jump later and boom, RCE.

     A lot of people who use PHP-FPM have configs like

         try_files $uri $uri/ /index.php$is_args$args;

     and this is where the issue comes in. The code before the patch was

         path_info = env_path_info ? env_path_info + pilen - slen : NULL;
         tflag = (orig_path_info != path_info);

     That's pretty crap, you assume so much here, and this is why it should have been

         path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
         tflag = path_info && (orig_path_info != path_info);

     Neex published his exploit yesterday after the PHP crew stopped arguing about how bad it was and made the patch, and I thought I'd build the exploit and see what we could do to detect it. Running it is simple once you have your Go environment up and running, and all it needs is a URL and a PHP file. What I wanted to see was the URI sent, so rather than supply a legitimate resource, I opted for a non-existent one. As you can see, he is appending PHP%0Ais_the_shittiest_lang.php? and a load of Q's to the supplied URL. On the server side, you see

     So relatively easy to see and block in the original format, which most skids won't change. Here's a Cloudflare rule to block it

     Hope this is of some help to someone?
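The post above describes the shape of the probe request but the screenshots of the server-side log line and the Cloudflare rule are not reproduced here. The following is an added example, not the poster's code, not neex's tool and not the Cloudflare rule: a small scanner that runs over access log lines and flags request URIs with the shape the post describes (a percent-encoded newline in the path, a ".php" segment after it, and a run of "Q" padding in the query string). It assumes nginx "combined" log format with the request line logged as received (still percent-encoded); the sample log lines and the Q-run threshold are constructed for the example.

```python
"""Added example (not from the original post or from neex's exploit): scan
access log lines for request URIs shaped like the CVE-2019-11043 probe the
post describes. Assumes nginx "combined" format with the request line logged
as received (percent-encoded). Sample lines below are constructed."""
import re
from urllib.parse import unquote

# Request line inside a combined-format entry: "METHOD URI HTTP/x.y" (assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# After percent-decoding: a newline in the path followed by a .php segment.
NEWLINE_THEN_PHP = re.compile(r"\n[^\n]*\.php\b", re.IGNORECASE)

# The padding the post describes: a long run of Q characters in the query string.
# The minimum run length is an arbitrary threshold chosen for this example.
Q_PADDING = re.compile(r"Q{8,}")

# Constructed sample log lines (not real traffic). Lines 2 and 4 mimic the
# probe shape from the post; lines 1 and 3 are ordinary requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Oct/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Oct/2019:10:01:03 +0000] "GET /index.php/PHP%0Ais_the_shittiest_lang.php?QQQQQQQQQQQQQQQQQQQQ HTTP/1.1" 502 157 "-" "Go-http-client/1.1"',
    '198.51.100.7 - - [25/Oct/2019:10:02:00 +0000] "GET /blog/post.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Oct/2019:10:01:04 +0000] "GET /index.php/PHP%0Ais_the_shittiest_lang.php?QQQQQQQQQQQQQQQQQQQQQQQQ HTTP/1.1" 200 0 "-" "Go-http-client/1.1"',
]


def request_uri(line):
    """Pull the request URI out of one log line, or None if the line has none."""
    m = REQUEST_RE.search(line)
    return m.group("uri") if m else None


def indicators(uri):
    """Per-URI indicators. The path is percent-decoded; the query is left as sent."""
    path, _, query = uri.partition("?")
    decoded_path = unquote(path)
    return {
        "newline_in_path": "\n" in decoded_path,
        "php_after_newline": bool(NEWLINE_THEN_PHP.search(decoded_path)),
        "q_padding": bool(Q_PADDING.search(query)),
    }


def is_fpm_pathinfo_probe(uri):
    """True when the URI matches the probe shape: a newline in the path is never
    legitimate, and pairing it with a trailing .php segment or Q padding matches
    the request shape the post describes."""
    ind = indicators(uri)
    return ind["newline_in_path"] and (ind["php_after_newline"] or ind["q_padding"])


def scan_log(lines):
    """Return (line number, URI) pairs whose request matches the probe shape."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        uri = request_uri(line)
        if uri is not None and is_fpm_pathinfo_probe(uri):
            hits.append((lineno, uri))
    return hits


if __name__ == "__main__":
    for lineno, uri in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {uri}")
```

The filename and the Q padding are the parts a rewritten tool would change first, which is why the check decodes the path and keys on the newline itself; the technique the post describes depends on a newline character in the path, and that indicator survives renaming the rest of the string.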
  3. A wide variety of tasks, from adversarial hunting to footprinting and, more recently, vendor deep dives. For example:
     - Vendor says they use a unique custom container approach to stop all malware from being an issue
     - Me spends 24 minutes to find out actually they use React, Python, Ruby and ESXi and some bubble gum, an old loo roll and hope and prayers.
  4. The Admiralty System is one I use a lot, but it can be subjective and also a lot of work to get right. Over the years of doing this, I looked for inspiration from those who really pioneered this space and actually shared stuff, such as the CIA and other agencies. The CIA is actually phenomenal in this regard, this document, titled 'A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis' has been hugely influential in helping develop my own approach and methodologies. Using this approach, with the Admiralty System to score each source and piece of intel, I find I ended up with a smaller subset of sources but ones that produced far higher value intel as a result. Page 17 really hammered home the use of contrarian techniques to determine if a source is good or not based upon what it was showing you. As I said earlier, the CIA release many informative articles and papers on the subject, and if you haven't read them yet, I urge you to. For example, Sailing the Sea of OSINT in the Information Age by Stephen C. Mercado which is a great read. I'm keen to hear how others approach this too
  5. Aah shucks, thanks chaps. The app does need me to fix some code issues, but it is being used and the ASVS standard has been adopted by many, which is good
  6. Like I said in my reply, this isn't as clear cut, let me elaborate if I may? I'm a seller of leaked credentials, be it a chap who's just breached a load of corporate networks and acted in a sleeper fashion, undetected for months to harvest a nice bounty. I now need to monetise this, so I either head to the most popular market to flog them or I hand them off to a number of reputable brokers to do it for me and charge me a fee. These brokers usually test a subset of credentials to confirm they are legitimate and assign a value (higher value target, price goes up etc.).

     Now here's the tricky part. The TI industry has tipped their hands by being very proactive in advertising their capability to scrape markets for stolen credentials. It's a legitimate worry for all, so many saw a business opportunity and started to do the same. A functional spec was drawn up for a scanner, they registered a load of accounts on these markets, fed those creds into the scanner(s) and harvested away. Thing is, many underestimate the markets and those running them. As Kevin can attest, you can see behavioral patterns from users acting outside of the norm. For example:
     - A newly registered user account, potentially with a randomly generated username, logging in and then performing hundreds, if not thousands of requests impossible for a human to do.
     - Those user accounts don't act like normal users. There are limited, or no, interactions with other users.
     - The requests themselves often have signatures like that of a script or bot.

     Site owners are well aware of these and indeed so are sellers and brokers, so we have a cat and mouse game in play. What the broker or seller won't do is jeopardise the sale by giving away too much information. They know if they advertise MAJOR org in a thread with known bots or scrapers, it will mostly start a reaction rendering the goods rather useless.

     What typically happens are deals making use of brokers known to those on either side, buyer and seller, and comms are usually made via introductions to confirm either party is legit and then deals made outside of the main forum. Now I will say, many deals do happen in full view of everyone and that's good as we get some indication by the scrapers as to who might have issues. It's really hard for any provider to effectively perform HUMINT operations at scale without tipping their hand or getting burned. Some are very good at it and have adapted their technology and approaches but at the same time, the criminals themselves are seemingly good at watching what everyone does as no-one really wants to go to jail.

     As you might have noticed, I'm not a huge fan of said 'breach credential alert' services as I know from experience how hard they are to get right, to build and to keep running. You'd be better off looking at your own credential store(s) and have monitoring capabilities that alert when anything out of the norm happens (such as dumping of many users over X minutes, or concurrent access by a single user and so on).

     Apologies for the long reply
  7. Can I be truly controversial here? The whole darkweb as a criminal platform is grossly overhyped, mostly by threat intel firms who tried, and often failed, at building scrapers to look for information. As someone who spent years tracking and mapping onions, I can say that for those involved in wholesale breach data collection and dissemination, the onion route is not the place you use. Mostly for a number of reasons, but mainly:
     - It's mostly full of TI firms scraping the crap out of what you do
     - It's a bitch to use, no matter what anyone says
     - The criminal communities already have well-established places to sell this, with structure and heritage

     Now, your request to monitor for details about breaches would be better directed to places where that actually occurs.

     https://exploit.in/ The daddy of all criminal networks. Yes you need to speak Russian and yes it is membership driven. Be warned, levels 1-9 are mostly threat intelligence analysts all chatting to each other with their carefully curated personas whilst thinking they are deep inside a criminal conspiracy and scraping the shit out of the site looking for actors. It's only when you go above those levels that you actually see real stuff, and that requires vetting from those with a high reputation, a fee, and you to be an actual criminal with proof.

     There are others, they come and go, and whilst some are on the dark web, they aren't really big players, but for reference:
     - http://omertavzkmsn6tp6.onion/ 100 USD to join, a mix of finance and creds but mostly more finance now as easier to monetise in a shorter period than creds.
     - http://wallstyizjhkrvmj.onion/ Wall Street Market was pretty good but they found out that OPSEC is hard and web application security even harder and they got a visit from LE.

     The biggest issue with scraping the dark web is that you need a list of every forum offering said services. You can use Ahmia to see who is leaking it via headers and titles, and then write a scraper using Python and Scrapy, register an account, don't go all gung ho and scrape the shit out of the site (hello TI peeps, learn to randomise your scraping so as to not look so blatant), but again this requires a considerable amount of effort, trust me. Now there are plenty of other scam sites and most of them are honeypots, or ones created by TI firms or just flat out scams, so I'd spend a month writing them all with no value if I'm honest.

     Why most use exploit.in is that it has structure, it has verification of sellers and their warez and it also has tribunals one can go to if they purchase bad goods and want to make a complaint. This is something that others do not have and whilst many report on the fact that the criminal markets are the wild west, there is structure and organisation and buyers and sellers need to be able to trust each other to a degree.

     So if I was to use a TI feed to do all the scraping, collating and analysing, there would really be only one, and that's https://www.recordedfuture.com/. I have known them for a very long time, I've helped them with their dark web datasets and also use them so know the quality of the intel they have. Another firm who specialises in the criminal markets, Intel471, deserves a mention.

     To sum up, I hope this was somewhat useful? A lot of FUD and utter crap has been marketed by many who offer such dark web monitoring and it's all mostly shit. They either use commercial feeds such as RF or Intel471 or they've thrown together a tool based upon the amazing work Sarah has done with https://github.com/s-rah/onionscan/graphs/contributors
  8. I'm going to differ here to a lot of the opinions posted: as someone who's been heavily involved in the offensive realm for a long time now, modern EDRs like Crowdstrike and Carbon Black are annoying as hell to me when I want to be evil. As a defender, they are damn good as they force me and others to make noise, and we hate noise as noise makes you know we are around. Sure, the early ones were signature-based, did really stupid things to their agents that made it trivial to disable, performed sneaky process hollowing tricks to stop you seeing me and so many others, but that isn't the case much today. I don't see them as a box ticking exercise, not at all; whilst they still have a lot to do, I'm glad I'm not a pentester anymore 😉
  9. This isn't just a sloppy validation issue. It's not the first time either: https://www.theregister.co.uk/2016/01/12/fortinet_bakdoor/ But yeah, a simple way to look at this: if Chinese then backdoor, if western then "An Improper Authorization vulnerability".
  10. It does strike me as very odd for a number of reasons. First it shows how little people are actually poking at the very devices meant to protect them (fair play to the vendors here, they do make it hard to do this in some cases) and secondly how this seemingly has remained "undiscovered" for so long. It's no secret that anything protecting the perimeter has been massaged by those who dislike perimeters and this is straight out of the OWASP Testing Guide 1.0 days in 2003. Here's hoping a lot more of us now really start ripping apart security appliances as I'm sure this isn't a unique occurrence.