
[tl;dr sec] #47 - Automating Recon, Podcasts, and Lateral Movement / Privilege Escalation in GCP

Daniel Miessler on automating your recon workflow, I was on a few podcasts, how to compromise GCP orgs via cloud API lateral movement & privilege escalation.

Hey there,

I hope you’ve been doing well!

So I have this dilemma: I haven’t cut my hair since February (or earlier), and it’s starting to get long. I’ve been evaluating my options:

  1. Pull my hair back in a man bun, move to SF’s Mission district, buy $10 coffees, and in 9 months complain about how “things have changed,” and how every other tech worker who moved in more recently is a gentrifier.

  2. Get a haircut like normal, acknowledging that there’s a non-zero chance I’ll get COVID-19, die, and have my tombstone read, “Died for a haircut.”

  3. Watch 30 hours of tutorials on Youtube, and after 5 hours of trying to cut my own hair, satisfice on a bowl cut.

  4. Keep the long hair, and make my directorial and lead actor debut in a self-produced indie post-apocalyptic sci-fi thriller, whose success will pave the way for an illustrious film career, saving me from the uncertainty of pursuing a career in security.

  5. Do nothing.

So far I’ve been doing #5, but I feel like that can only continue for so long.

Remove Summary Section?

I’ve decided to try cutting the mini summary section (see midway down here for an example), where I say a few words about each link in the newsletter.

Let me know if you feel strongly that the summary section is useful for you.

Podcasts

I’ve been on a few podcasts recently with some awesome friends! Check ‘em out 😀

Cyber Security & Cloud Podcast: AppSec, Community, Conferences
I joined Francesco Cipollone and discussed topics ranging from how to have a successful career in security, scaling your security program, and more.

Cloud Security Podcast: How to Create an Effective Security Team
I joined Ashish Rajan and discussed topics ranging from useful metrics for security teams, building relationships with other parts of your org, and SAST/DAST trade-offs and approaches.

Sponsor

📢 Datadog Security Monitoring

Datadog's Security Monitoring product allows you to easily detect threats in real time across your applications, network, and infrastructure. Accelerate security investigations and break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one place. Learn more about Datadog, sign up for a live demo, and receive a free T-shirt.

BlackHat and DEF CON 2020

There are many talks I haven’t even read the title of yet, but I’ve included some talks and tools I like below. Also, here are some video playlists for easy access:

AppSec

BBVA/kapow: If you can script it, you can HTTP it
Turn any shell command into an HTTP API.

Token-Hunter & Gitrob: Hunting for Secrets
BlackHat Arsenal presentation by GitLab’s Greg Johnson on two tools to find hard-coded secrets: a Gitrob fork (original) and Token-Hunter (blog post: Introducing Token-Hunter).

In reviewing this, I also came across credential-digger by SAP’s Slim Trabelesi, which filters out false positives using machine learning models.

Static Analysis

Type-awareness in semantic grep
By Emma Jin: The open source, lightweight static analysis tool semgrep now allows specifying types in search patterns. For example,

// Pattern
(Runtime $RT).exec(...)

// Will match
Runtime run = Runtime.getRuntime();
run.exec(user_input);

// But won't match
otherObj.exec(foo);

Pysa: Open Source static analysis for Python code
Official release of Pysa, a security-focused tool built on top of Facebook’s Python type checker, Pyre.

  • Pysa does interprocedural data-flow analysis to determine when attacker-controlled input (“sources”) could reach dangerous function calls (“sinks”, like eval or os.open) (source/sink definitions).

  • They’ve chosen to err on the side of minimizing false negatives (missing real issues), which can result in many false positives.

    • To combat false positives, they use sanitizers to tell Pysa that certain functions make tainted data benign (e.g. context-relevant output encoding), and features, which are metadata attached to certain taint flows.

From the announcement: “In the first half of 2020, Pysa detected 44 percent of the issues that our engineers found in the Instagram server codebase.”
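To make the source/sink/sanitizer model above concrete, here is a toy taint tracker over a Python AST. It is an added example, not Pysa’s code: it is intraprocedural only (Pysa is interprocedural), and the source, sink and sanitizer names and the sample handler are constructed for illustration.

```python
import ast

# Constructed source/sink/sanitizer names; Pysa itself reads these from
# model files. This toy stand-in is not Pysa's code.
SOURCES, SINKS, SANITIZERS = {"request.GET.get"}, {"eval", "os.system"}, {"shlex.quote"}
def _name(node):                            # dotted call target, e.g. 'os.system'
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None
def _tainted(expr, tainted):
    """True if expr may carry data derived from a source."""
    if isinstance(expr, ast.Call):
        fn = _name(expr.func)
        if fn in SANITIZERS:
            return False                    # sanitizer cuts the flow
        return fn in SOURCES or any(_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # Propagate through concatenation, f-strings, etc. via child nodes.
    return any(_tainted(c, tainted) for c in ast.iter_child_nodes(expr))
def _analyze(stmts, tainted, flows):
    for s in stmts:                         # flat bodies, in source order
        if isinstance(s, ast.FunctionDef):
            _analyze(s.body, set(tainted), flows)
            continue
        for c in (n for n in ast.walk(s) if isinstance(n, ast.Call)):
            if _name(c.func) in SINKS and any(_tainted(a, tainted) for a in c.args):
                flows.append((c.lineno, _name(c.func)))
        if isinstance(s, ast.Assign):       # assignments move taint
            for t in s.targets:
                if isinstance(t, ast.Name):
                    (tainted.add if _tainted(s.value, tainted) else tainted.discard)(t.id)
def find_flows(src):                        # (line, sink) pairs where taint reaches a sink
    flows = []
    _analyze(ast.parse(src).body, set(), flows)
    return flows
# Constructed sample: lines 4 and 7 are real flows; line 6 is sanitized.
SAMPLE = '''
def handler(request):
    cmd = request.GET.get("cmd")
    os.system("ls " + cmd)
    safe = shlex.quote(cmd)
    os.system("ls " + safe)
    eval(f"{cmd}")
'''
if __name__ == "__main__":
    print(find_flows(SAMPLE))               # [(4, 'os.system'), (7, 'eval')]
```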

Web Security

Google Rolls Out SameSite Cookie Changes to Chrome
The SameSite cookie update is now fully rolled out on the latest Chrome. SameSite is a cookie flag that modifies how web browsers handle third-party cookies (in short, it’s a defense-in-depth measure to help prevent CSRF). Now, the default value is Lax, meaning that cookies will only be sent when the domain in the URL of the browser matches the cookie’s domain.

Cloud Security

cr0hn/festin
A tool by Daniel García for discovering open S3 Buckets starting from domains. Collects info via DNS, web pages (crawler), and S3 buckets themselves (like S3 redirections). “Watch mode” can listen for new domains in real time, and supports downloading bucket objects and putting them in Redis Search to enable full-text search of discovered contents.

SmogCloud: Expose Yourself Without Insecurity - Cloud Breach Patterns
BlackHat Arsenal presentation by Bishop Fox’s Rob Ragan and Oscar Salazar on a new tool, SmogCloud, which finds exposed AWS cloud assets that you may not have known you had.

  • For example: Internet-facing FQDNs and IPs across one or hundreds of AWS accounts, assets that are no longer in use, services not currently monitored, shadow IT, etc.

  • Currently supports about 13 different AWS services.

Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation
Great BlackHat USA / DEF CON Safe Mode talk by Allison Donovan and Dylan Ayrey and tool release, gcploit, a “BFS search tool meant for defensive threat models, a mock org simulator, as well as stack driver queries that profile the gcploit tool.”

In addition to having great technical content, I really appreciated how this talk played with the form and medium of talks, experimenting with things you can’t do when the presentation is live. For example, cutting between the speakers talking to the camera, diagrams, screenshots, interacting with a web page, and drawing on a whiteboard. It made me reflect on how I can make recorded talk videos more interesting and engaging 🤔

Blue Team

I’m Open Sourcing the Have I Been Pwned Code Base
Troy Hunt is planning to open source the Have I Been Pwned code base. It’s not all ready to be released currently, but that’s where he wants to head. The data itself may never be publicly shared for legal reasons.

Red Team

How to Create Unlimited Rotating IP Addresses with AWS
Devin Stokes describes how to use proxycannon-ng to distribute your traffic over an endless supply of cloud-based IP addresses.

Politics / Privacy

Why Markets Don’t Seem to Care If the Economy Stinks
I’ve been personally quite confuzzled by why the stock market is so high given unemployment rates, some industries getting massively impacted (e.g. airlines, restaurants, retail), etc. This article makes a case for why, including: the most visible and economically vulnerable industries (e.g. local businesses) have negligible impact on the stock market when weighted by market-capitalization, and many FAANG companies derive much of their value abroad.

‘This is unstoppable’: America’s midwest braces itself for a Covid-19 surge
Missouri has recorded more deaths than Japan and several European countries, and more new cases per day than Germany. According to this article, “at this rate the U.S. is racking up more cases in a week than Britain has accumulated since the start of the pandemic.”

I know wearing a mask and socially distancing sucks. It wears on me every day. But I also know it’s important to do, to keep my parents, grandparents, and healthcare workers safe. The sooner we can beat coronavirus back, by our collective action, the sooner the economy can get back to work, we can dine in at our favorite restaurant, and we can hit the town with friends. Let’s do this!

Exposing and Circumventing China’s Censorship of ESNI
Several University of Maryland academics and others confirmed that China’s Great Firewall has recently begun blocking ESNI, one of the foundational features of TLS 1.3 and HTTPS. They empirically demonstrate what triggers this censorship and how long residual censorship lasts. They also present 6 client-side and 4 server-side evasion strategies.

Facebook Fired An Employee Who Collected Evidence Of Right-Wing Pages Getting Preferential Treatment
In a recent internal town hall, “Zuckerberg did not have a clear answer for what the company would do should Trump declare the election results invalid.” Also, it appears certain right-wing media outlets have backchannel ways to get fake news marks from third party fact checkers expunged from their record. A senior engineer who collected a series of examples of right-wing pages getting preferential treatment was fired.

OSINT

🔥 Mechanizing the Methodology: How to find vulnerabilities while you’re doing other things
Great Red Team Village talk by Daniel Miessler on automating your OSINT/recon workflow so you can spend your manual time poking at interesting things. I really liked how this talk included insights into Daniel’s mindset and principles, which I think provides a lot of value beyond talks that are just, “Here’s how to do X.”

intelowlproject/IntelOwl
By Matteo Lodi: Enables gathering threat intelligence data about a file, IP, or a domain from multiple sources via a single API. Has modules supporting Yara, Oletools, VirusTotal, Censys.io, Shodan, and many more.

Misc

pemistahl/grex
A command-line tool and library for generating regular expressions from user-provided test cases.

CrimeOps: The Operational Art of Cyber Crime
Interesting post by The Grugq on the FIN7 cyber crime group’s innovations in process and business, not technical capabilities. Basically, they found a repeatable process (Crime Market Fit?) and were able to scale it and run it in parallel. JIRA tickets for each victim, etc. H/T Viktor Gazdag 

How Much Things Can Change
Interesting reflection by Rodney Brooks on how much our understanding of the world has changed over the last few generations and how this is likely to continue.

The Mother of All Demos
In 1968, Doug Engelbart gave a famous live demo demonstrating what people at the Stanford Research Institute (SRI) had been building, which were the precursors to many modern ideas in computing. Short overview video.

A thing about chords
A short video demonstrating how playing different chords over the same melody makes it sound quite different.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint