[tl;dr sec] #48 - Automating Recon Summary, GraphQL Tools, DEF CON 2020 Live Notes
My summary of Daniel Miessler's talk on automating recon, 2 tools to help with testing GraphQL, quick notes for ~20 DEF CON talks.
I hope you’ve been doing well.
Last week I learned that many security people have taken matters (their hair) into their own hands; most people seem to have had their partner cut their hair or cut their own. One person described it as “reducing your personal grooming supply chain risk.” 🤣 My people! ✊
And one person recommended I continue growing my hair and strength, like Samson.
Speaking at Global AppSec SF!
This week has been a bit hectic as I’ve been finalizing my Global AppSec SF slides with a colleague so we can record the talk (tomorrow).
I don’t know if I’d say it’s flame-y, but it does call into question a bit of how we’ve been doing things as an industry. Will be interesting to see what people think 😅 (also #SpacesNotTabs and #emacs4lyfe)
Vote to 🛡️ Save or 🗡️ Cut the Summary Section
Last week I experimented with cutting the summary section, as I wasn’t sure how much value it provided readers (vs just skimming the section headers). A number of people kindly reached out and said they found it useful and would like me to keep it.
So I wanted to do a quick poll: please click one of these buttons to express your preferences 🙏
📢 Sr. Security Engineer @ Netflix
Netflix is looking for a Sr. Security Engineer to build and lead strategies to reduce risk for Identity & Access Management. Key areas of focus are identity lifecycle management, authorization policy shaping, and adaptive authentication.
📜 In this newsletter...
AppSec: Escalating open redirect to RCE via source review
GraphQL: Monitor GraphQL endpoints and get updates when there are changes, find potential authz issues
Web Security: In Soviet Russia, TLS hacks you 🐻
Cloud Security: Parliament can flag issues by line numbers + a nice UI, AWS adds protections against HTTP desync attacks
Blue Team: Serverless app to manage AWS honeytokens at scale
Red Team: OSCP prep guide for beginner and intermediate hackers, Apfell/Mythic C2 updates, pen test walkthrough with a nice chain including SNMP, Jenkins, bypassing firewall rules, etc.
Politics / Privacy: Secret SIMs used to spoof any number, malicious Tor actors running SSL stripping attacks on exit nodes, it takes several days to really know the outcome of elections
Expiring vs. Permanent Skills: Thoughts on the value of where you focus your time and the skills you develop
Misc: Summaries of ~20 DEF CON talks, roadtripping across America interviewing people, attacking voice over LTE calls, everything depends on some rando's side project, tool to navigate roles within security by core skills
Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis: Academics set up a robocall honeypot and share their results
Apple, Epic, and the App Store: Reflections on good business practices vs. anticompetitive behavior
📚 Mechanizing the Methodology: How to find vulnerabilities while you're doing other things
Daniel Miessler describes how to automate your OSINT and recon processes so you can find more and better bugs with less manual effort.
Open Sesame: Escalating Open Redirect to RCE with Electron Code Review
Two cool GraphQL tools by GitLab security engineer Dominic Couture.
GraphQL API Monitor
Monitors GraphQL URLs that return schema files, or APIs that support introspection. Each time it’s run, it compares the freshly downloaded schema to the previous one using a git repo, and can send the diff to a webhook. Great for AppSec teams or bug bounty researchers who want a continuously updated view of a web app’s attack surface.
GraphQL path enumeration for better permission testing
GraphQL schemas often contain objects that reference other objects. Depending on how the application implements authorization checks, this can result in different access controls being applied depending on the path used to reach an object; for example, Root -> Foo vs. Root -> Bar -> Foo (the check on Foo may be enforced on one path and skipped on the other). This tool, graphql-path-enum, enumerates the ways one can reach one object type from another.
$ graphql-path-enum -i ./test_data/h1_introspection.json -t Skill
Found 27 ways to reach the "Skill" node from the "Query" node:
- Query (me) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (query) -> Query (skills) -> Skill
- Query (skills) -> Skill
Latacora security engineer Joshua Maddux presented a tool at Black Hat and DEF CON (video) that “allows for generic SSRF via TLS, as well as CSRF via image tags in most browsers. The goals are similar to SNI injection, but this new method uses inherent behaviors of TLS, instead of depending upon bugs in a particular implementation.”
Parliament can now identify the line numbers of flagged issues
More cool updates by Scott Piper.
Application and Classic Load Balancers are adding defense in depth with the introduction of Desync Mitigation Mode
“A new feature that protects your application from issues due to HTTP Desync” (source). Pretty neat when your research results in new mitigations or features in major cloud providers. Not too shabby, James Kettle 🙌
By Kevin Hicks: “A honey token manager and alert system for AWS. With this fully serverless application, you can create and manage honey tokens at scale – up to 10,000 per SpaceSiren instance – at close to no cost… It provides an API to create no-permission AWS IAM users and access keys for those users.” Alerts via email, PagerDuty, Slack, and Pushover.
Creates segmentation between where beginners should start vs. intermediate hackers.
Creates separate tip sections for beginners and intermediate hackers.
Highlights pre-examination tips & tips for taking the exam.
Why you should always scan UDP ports (part 1/2)
By Federico Lago: “This is the story of a pentest in which scanning UDP ports allowed us to take control of the whole network. We’ll see how we exploited SNMP vulnerabilities, used a Jenkins console to call a reverse shell, bypassed firewall rules, worked around AppArmor and exploited bash injections to escalate privileges, amongst other things.”
Politics / Privacy
The Secret SIMs Used By Criminals to Spoof Any Number
Criminals are using “Russian SIMs” that can make calls appear to come from any number. This makes it easier to commit fraud, as the victim thinks the call is coming from their bank, the government, etc. These SIMs likely rely on a mobile virtual network operator (MVNO), which piggybacks on another carrier’s network.
How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
“As far as I know this is the first time we uncovered a malicious actor running more than 23% of the entire Tor network’s exit capacity. That means roughly about one out of 4 connections leaving the Tor network were going through exit relays controlled by a single attacker.” One of the actor’s motivations appears to be profit: they have been running SSL stripping attacks (removing HTTP-to-HTTPS redirects) so that victims stay on plaintext HTTP, which the exit can then modify in flight to replace Bitcoin addresses observed in the traffic with the attacker’s own wallets.
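The following Python is an added example (not nusenu’s research code) that models the two rewrites described above on a constructed HTTP response, and the two checks that matter against them: a client with HSTS for the host never sends the plaintext request the exit could downgrade, and a site owner fetching their own page through many exits can spot a downgraded redirect or a swapped address. The host name, the addresses and the function names are all made up for illustration.

```python
# Added example (not nusenu's research code): what a relay that can read plaintext
# HTTP is able to do, modelled on the two behaviours described above, plus the
# checks that defeat or detect it. All traffic and addresses below are constructed.
import re
from typing import Dict, Set

# Base58 legacy addresses and bech32 addresses, roughly; good enough to find them in a body.
BTC_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
VICTIM_ADDR = "1VictimPayAddr" + "2" * 17     # fake, base58-shaped
ATTACKER_ADDR = "1AttackerAddr" + "3" * 17    # fake, base58-shaped


def http_response(status: str, headers: Dict[str, str], body: str) -> str:
    """Serialize a response with a correct Content-Length."""
    hdrs = dict(headers, **{"Content-Length": str(len(body.encode()))})
    return "\r\n".join([status] + [f"{k}: {v}" for k, v in hdrs.items()]) + "\r\n\r\n" + body


# What the site really sends on port 80: an upgrade to HTTPS (body included so the
# address swap has something to work on).
ORIGINAL = http_response(
    "HTTP/1.1 301 Moved Permanently",
    {"Location": "https://example.test/pay", "Content-Type": "text/plain"},
    f"Pay {VICTIM_ADDR} to continue.\n",
)


def malicious_exit(response: str, attacker_addr: str) -> str:
    """The exit relay's rewrite of a plaintext response on its way to the victim."""
    head, _, body = response.partition("\r\n\r\n")
    # 1. SSL stripping: rewrite the HTTPS redirect so the victim stays on plaintext,
    #    where the relay keeps full read/write access to everything that follows.
    head = re.sub(r"(?im)^(Location:\s*)https://", r"\g<1>http://", head)
    # 2. Swap every wallet address in the body for the attacker's.
    body = BTC_ADDR.sub(attacker_addr, body)
    # 3. Repair the framing so the client's HTTP parser sees nothing odd.
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body


def client_request_url(url: str, hsts_hosts: Set[str]) -> str:
    """A browser with HSTS for the host (cached from an earlier HTTPS visit, or on
    the preload list) upgrades internally and never sends the request the exit
    could strip. Without HSTS the first plaintext request is the attacker's opening."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    return "https://" + rest if scheme == "http" and host in hsts_hosts else url


def tampering_signs(response: str, expected_addr: str) -> Dict[str, bool]:
    """Checks a site owner can run on their own page fetched through many exits."""
    head, _, body = response.partition("\r\n\r\n")
    declared = re.search(r"(?im)^Content-Length:\s*(\d+)", head)
    return {
        "downgraded_redirect": bool(re.search(r"(?im)^Location:\s*http://", head)),
        "address_replaced": BTC_ADDR.findall(body) != [expected_addr],
        "length_mismatch": declared is not None and int(declared.group(1)) != len(body.encode()),
    }


if __name__ == "__main__":
    print(tampering_signs(malicious_exit(ORIGINAL, ATTACKER_ADDR), VICTIM_ADDR))
```

Note that HSTS only helps once the browser has learned the policy (or the site is preloaded), and it does nothing for sites that are served over plain HTTP to begin with; for those, the only defense is on the site owner's side, which is why nusenu's research relies on fetching pages through exits and comparing.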
Brace for the Blue Shift
While the media likes to call election winners on election night, in reality there are often many votes still to be counted before an official result. This will likely be even more true this year due to coronavirus and more mail-in ballots (and hundreds of high-volume mail-processing machines being taken offline before the election, more by the NY Times).
This could lead to a massive political cluster#$%^ / protests in the streets, if, for example, the additional ballots counted in the days or weeks after election day change the outcome of key swing states, leading to a different presidential winner. Good thing both parties are upholding the democratic process, not spreading unsubstantiated voter fraud claims, and are likely to calmly wait for the final results.
DEFCON 2020 Live Notes
Post by Charlie Belmer containing notes for ~20 talks on topics including privacy, web security, network security, and more. (When I come across other people summarizing talks, I shed a single tear of joy.)
The Brilliance of All Gas No Brakes
Andrew Callaghan, 23-year-old creator of the hit YouTube show All Gas No Brakes, has been driving across the U.S. in an RV, putting a microphone in front of people’s faces, and letting them speak. This article argues that the rise in many fringe/conspiracy groups (e.g. flat-earth gatherings, alien conventions, etc.) is the result of a decline in the prior things that gave people purpose (e.g. religion, community, etc.).
Attack of the week: Voice calls in LTE
Matthew Green describes a new attack called ReVoLTE (has its own domain), “that exploits an LTE implementation flaw to recover the contents of an encrypted Voice over LTE (VoLTE) call. This enables an adversary to eavesdrop on VoLTE phone calls.”
Matthew Green: ‘Attack overview from the ReVoLTE paper. This diagram assumes that two different calls happen using the same key. The attacker controls a passive sniffer (top left) as well as a second handset that they can use to make a second call to the victim phone.’
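To make the caption concrete, here is an added example (not from the ReVoLTE paper or its tooling) of why two calls encrypted under the same keystream give the attacker the first call for free. The keystream is a toy SHA-256 counter-mode stand-in for the LTE cipher, the audio is constructed byte strings, and the function names are my own; the point it demonstrates is the XOR relationship the attack relies on, and the fix is the obvious one (never derive the same keystream for two calls).

```python
# Added example, not from the ReVoLTE paper or its tooling: why reusing one
# keystream for two calls lets a passive sniffer recover a call it never had the
# key for. The keystream is a toy SHA-256 counter-mode stand-in for the LTE cipher.
import hashlib


def keystream(key: bytes, bearer: int, length: int) -> bytes:
    """Toy keystream that depends only on (key, bearer): two calls set up with the
    same key on the same radio bearer get identical bytes, which is the flaw."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + bytes([bearer]) + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_call(key: bytes, bearer: int, audio: bytes) -> bytes:
    """Vulnerable: every call on this bearer reuses the same keystream."""
    return xor(audio, keystream(key, bearer, len(audio)))


def encrypt_call_fixed(key: bytes, bearer: int, call_no: int, audio: bytes) -> bytes:
    """Fixed: fold a per-call counter into the key so no two calls share a keystream."""
    call_key = hashlib.sha256(key + call_no.to_bytes(4, "big")).digest()
    return xor(audio, keystream(call_key, bearer, len(audio)))


def revolte_recover(c_target: bytes, c_known: bytes, p_known: bytes) -> bytes:
    """With identical keystream k: c_target ^ c_known = (p_target ^ k) ^ (p_known ^ k)
    = p_target ^ p_known, so XORing in the attacker's own audio leaves p_target.
    Recovery is limited to the length of the call the attacker knows the plaintext of."""
    n = min(len(c_target), len(c_known), len(p_known))
    return xor(xor(c_target[:n], c_known[:n]), p_known[:n])


# Constructed scenario matching the diagram: the sniffer records the victim's call,
# then the attacker phones the victim (keystream reused) and records their own audio.
KEY = bytes(range(16))
TARGET_AUDIO = b"victim: the transfer authorisation code is 4471"
ATTACKER_AUDIO = b"attacker: hello, is this the accounts department? " * 2


def demo() -> bytes:
    c_target = encrypt_call(KEY, 5, TARGET_AUDIO)       # sniffed; key never known
    c_known = encrypt_call(KEY, 5, ATTACKER_AUDIO)      # sniffed; plaintext is the attacker's own
    return revolte_recover(c_target, c_known, ATTACKER_AUDIO)


if __name__ == "__main__":
    print(demo())
```

The two practical constraints the code makes visible are the ones the diagram implies: the attacker's call has to be at least as long as the part of the target call they want, and it has to be placed while the base station is still reusing the same key and bearer, since a fresh key (as in `encrypt_call_fixed`) turns the XOR into noise.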
Cyber Career Pathways Tool
“This tool presents a new and interactive way to explore work roles within the NICE Cybersecurity Workforce Framework. It depicts the Cyber Workforce according to five distinct, yet complementary, skill communities. It also highlights core attributes among each of the 52 work roles and offers actionable insights for employers, professionals, and those considering a career in Cyber.”
Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis: USENIX Distinguished Paper Award winner by Sathvik Prasad, Elijah Bouma-Sims, Athishay Kiran Mylappan, and Bradley Reaves.
Apple, Epic, and the App Store: another interesting Stratechery article by Ben Thompson.
In Mechanizing the Methodology, Daniel discusses:
The philosophy behind how he automates his recon and OSINT
Several concrete examples of useful automations he’s built
How these individual automation building blocks can be combined into powerful and complex chains
How to set up lightweight, continuous scanning so you can focus your manual time on interesting targets
Where to learn more
I think this talk is useful not just for the technical details, but also the mindsets and principles. To me, this is one of the things that separates great talks from good talks.
Also I like analyzing the structure of talks, not just their content, so I took a stab at trying to represent this talk visually.
Let me know what you think: if you find it interesting or useful, or if there’s another way you think that would make it more clear.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them
Thanks for reading!