
[tl;dr sec] #48 - Automating Recon Summary, GraphQL Tools, DEF CON 2020 Live Notes

My summary of Daniel Miessler's talk on automating recon, 2 tools to help with testing GraphQL, quick notes for ~20 DEF CON talks.

Hey there,

I hope you’ve been doing well.

Last week I learned that many security people have taken matters (their hair) into their own hands; most people seem to have had their partner cut their hair or cut their own. One person described it as “reducing your personal grooming supply chain risk.” 🤣 My people! ✊

And one person recommended I continue growing my hair and strength, like Samson.

Speaking at Global AppSec SF!

This week has been a bit hectic, as I’ve been finalizing my Global AppSec SF slides with a colleague so we can record the talk (tomorrow).

I’m really excited about this talk; it’s one I’ve been wanting to give for a few years. Basically, it takes one topic from my BSidesSF talk and then takes it up to 11.

I don’t know if I’d say it’s flame-y, but it does call into question a bit of how we’ve been doing things as an industry. Will be interesting to see what people think 😅 (also #SpacesNotTabs and #emacs4lyfe)

Vote to 🛡️ Save or 🗡️ Cut the Summary Section

Last week I experimented with cutting the summary section, as I wasn’t sure how much value it provided readers (vs just skimming the section headers). A number of people kindly reached out and said they found it useful and would like me to keep it.

So I wanted to do a quick poll: please click one of these buttons to express your preferences 🙏

Sponsor

📢 Sr. Security Engineer @ Netflix

Netflix is looking for a Sr. Security Engineer to build and lead strategies to reduce risk for Identity & Access Management. Key areas of focus are identity lifecycle management, authorization policy shaping, and adaptive authentication.

Feel free to reach out to Ben Lim on LinkedIn or Twitter with any questions about the role.

📜 In this newsletter...

🔗 Links:

  • AppSec: Escalating open redirect to RCE via source review

  • GraphQL: Monitor GraphQL endpoints and get updates when there are changes, find potential authz issues

  • Web Security: In Soviet Russia, TLS hacks you 🐻

  • Cloud Security: Parliament can flag issues by line numbers + a nice UI, AWS adds protections against HTTP desync attacks

  • Blue Team: Serverless app to manage AWS honeytokens at scale

  • Red Team: OSCP prep guide for beginner and intermediate hackers, Apfell/Mythic C2 updates, pen test walkthrough with a nice chain including SNMP, Jenkins, bypassing firewall rules, etc.

  • Politics / Privacy: Secret SIMs used to spoof any number, malicious Tor actors running SSL stripping attacks on exit nodes, it takes several days to really know the outcome of elections

  • Expiring vs. Permanent Skills: Thoughts on the value of where you focus your time and the skills you develop

  • Misc: Summaries of ~20 DEF CON talks, roadtripping across America interviewing people, attacking voice over LTE calls, everything depends on some rando's side project, tool to navigate roles within security by core skills

  • Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis: Academics set up a robocall honeypot and share their results

  • Apple, Epic, and the App Store: Reflections on good business practices vs. anticompetitive behavior

📚 Mechanizing the Methodology: How to find vulnerabilities while you're doing other things

Daniel Miessler describes how to automate your OSINT and recon processes so you can find more and better bugs with less manual effort.

AppSec

Open Sesame: Escalating Open Redirect to RCE with Electron Code Review
Nice walkthrough by Eugene Lim on doing source review on Electron apps and bypassing potential obstacles to getting that sweet, sweet calc to fire. Also, check out Webpack Exploder, his tool to unpack the source code of React and other Webpacked JavaScript apps.

GraphQL

Two cool GraphQL tools by GitLab security engineer Dominic Couture.

GraphQL API Monitor
Monitors GraphQL URLs that return schema files, or APIs that support introspection. Each time it runs, it compares the downloaded schema to the previous one using a git repo. Supports sending the diff to a webhook. Great for AppSec teams or bug bounty researchers looking for a continuously updated view of a web app’s attack surface.

GraphQL path enumeration for better permission testing
GraphQL schemas often contain objects that reference other objects. Depending on how the application implements authorization checks, this can result in different access controls being applied based on the access path used; for example, Root -> Foo vs Root -> Bar -> Foo. This tool, graphql-path-enum, enumerates the ways one can reach one object type from another.

$ graphql-path-enum -i ./test_data/h1_introspection.json -t Skill
Found 27 ways to reach the "Skill" node from the "Query" node:
- Query (me) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (query) -> Query (skills) -> Skill
- Query (skills) -> Skill
...
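As an added illustration (not graphql-path-enum's own code), the path search the entry describes, run against a constructed mini introspection result whose type names mirror the sample output above; the set of "guarded" fields passed to the last function is an assumption, there to show how a defender would triage the paths (the ones that never cross an authz-checked field are the ones to test first):

```python
# Added example, not graphql-path-enum's own code: list every field path from the
# root Query type to a target type, then flag the paths that avoid fields assumed
# (for the demo) to carry an authorization check.
def ref(kind, name, inner=None):
    # One introspection type reference; LIST/NON_NULL wrappers nest under ofType
    return {"kind": kind, "name": name, "ofType": inner}

# Constructed mini introspection result shaped like __schema.types (not real data)
INTROSPECTION = {"__schema": {"queryType": {"name": "Query"}, "types": [
    {"name": "Query", "fields": [
        {"name": "me", "type": ref("OBJECT", "User")},
        {"name": "skills", "type": ref("LIST", None, ref("OBJECT", "Skill"))},
        {"name": "query", "type": ref("OBJECT", "Query")}]},
    {"name": "User", "fields": [
        {"name": "pentester_profile", "type": ref("OBJECT", "PentesterProfile")}]},
    {"name": "PentesterProfile", "fields": [
        {"name": "skills", "type": ref("NON_NULL", None, ref("LIST", None, ref("OBJECT", "Skill")))}]},
    {"name": "Skill", "fields": [{"name": "name", "type": ref("SCALAR", "String")}]},
]}}

def unwrap(t):
    while t.get("ofType"):
        t = t["ofType"]
    return t["name"]

def build_graph(intro):
    # type name -> [(field name, field's named type), ...]
    return {t["name"]: [(f["name"], unwrap(f["type"])) for f in t.get("fields") or []]
            for t in intro["__schema"]["types"]}

def enumerate_paths(intro, target, max_depth=5):
    graph, paths = build_graph(intro), []

    def walk(node, hops):
        seen = [t for t, _ in hops] + [node]
        for field, child in graph.get(node, []):
            if child == target:
                paths.append(" -> ".join(f"{t} ({f})" for t, f in hops + [(node, field)])
                             + f" -> {target}")
            # allow one revisit (Query -> Query, as in the tool's output) but no endless loops
            elif child in graph and seen.count(child) < 2 and len(hops) < max_depth:
                walk(child, hops + [(node, field)])

    walk(intro["__schema"]["queryType"]["name"], [])
    return paths

def unguarded_paths(paths, guarded_fields):
    # Paths that never traverse a field with an authz check: review these first
    return [p for p in paths if not any(f"({f})" in p for f in guarded_fields)]
```

Running `enumerate_paths(INTROSPECTION, "Skill")` on the constructed schema yields four paths in the same "Type (field) -> Type" notation as the tool's output.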

Web Security

jmdx/TLS-poison
Latacora security engineer Joshua Maddux presented this tool at BlackHat and DEF CON (video), which “allows for generic SSRF via TLS, as well as CSRF via image tags in most browsers. The goals are similar to SNI injection, but this new method uses inherent behaviors of TLS, instead of depending upon bugs in a particular implementation.”

Cloud Security

Application and Classic Load Balancers are adding defense in depth with the introduction of Desync Mitigation Mode
“A new feature that protects your application from issues due to HTTP Desync.” (source) Pretty neat when your research results in new mitigations or features in major cloud providers. Not too shabby, James Kettle 🙌
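As an added, defender-side illustration (not AWS code, and not a description of how the load balancer is implemented), the kind of body-framing check a strict front end applies to an HTTP/1.1 request head before forwarding it, so that it and the back end cannot disagree about where one request ends; the sample heads are constructed:

```python
# Added example, not AWS code: classify how an HTTP/1.1 request head frames its
# body, rejecting the ambiguous cases a desync depends on (RFC 7230 section 3.3.3).
import re

def header_values(head, name):
    # Every value of one header (case-insensitive) from a raw request head
    values = []
    for line in head.split("\r\n")[1:]:   # skip the request line
        if line == "":                    # blank line ends the head
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == name:
            values.append(value.strip())
    return values

def classify_framing(head):
    """Return 'ok', 'ambiguous' or 'malformed'; a strict front end drops the last two."""
    lines = head.split("\r\n\r\n")[0].split("\r\n")[1:]
    if any(l.partition(":")[0] != l.partition(":")[0].strip() for l in lines):
        return "malformed"      # whitespace inside a header name is not a valid header
    cl = header_values(head, "content-length")
    te = header_values(head, "transfer-encoding")
    if cl and te:
        return "ambiguous"      # two framings present: front end and back end may disagree
    if te:
        # only a single, plain 'chunked' is accepted; any variant is rejected
        return "ok" if te == ["chunked"] else "ambiguous"
    if cl:
        if len(cl) > 1:
            return "ambiguous"  # repeated Content-Length, even when the values agree
        return "ok" if re.fullmatch(r"[0-9]+", cl[0]) else "malformed"
    return "ok"                 # no body framing at all

# Constructed sample heads (not captured traffic)
CLEAN = "POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
BOTH = ("POST /api HTTP/1.1\r\nHost: example.test\r\n"
        "Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for label, head in (("clean", CLEAN), ("both", BOTH)):
        print(label, classify_framing(head))
```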

Blue Team

spacesiren/spacesiren
By Kevin Hicks: “A honey token manager and alert system for AWS. With this fully serverless application, you can create and manage honey tokens at scale – up to 10,000 per SpaceSiren instance – at close to no cost… It provides an API to create no-permission AWS IAM users and access keys for those users.” Alerts via email, PagerDuty, Slack, and Pushover.

Red Team

The Ultimate OSCP Preparation Guide, 2020
Great, detailed guide by John Jackson. Key features of the guide:

  1. Creates segmentation between where beginners should start vs. intermediate hackers.

  2. Creates separate tip sections for beginners and intermediate hackers.

  3. Highlights pre-examination tips & tips for taking the exam.

A Change of Mythic Proportions
The Apfell C2 framework by Cody Thomas has been rebranded Mythic and has new features including a file browser, SOCKS support, spectator view, and more documentation.

Why you should always scan UDP ports (part 1/2)
By Federico Lago: “This is the story of a pentest in which scanning UDP ports allowed us to take control of the whole network. We’ll see how we exploited SNMP vulnerabilities, used a Jenkins console to call a reverse shell, bypassed firewall rules, worked around AppArmor and exploited bash injections to escalate privileges, amongst other things.”

Politics / Privacy

The Secret SIMs Used By Criminals to Spoof Any Number
Criminals are using “Russian SIMs” that can make calls appear to come from any number. This makes it easier to commit fraud, as the victim thinks the call is coming from their bank, the government, etc. These SIMs likely rely on a virtual mobile network (MVNO), which piggybacks off another carrier.

How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
“As far as I know this is the first time we uncovered a malicious actor running more than 23% of the entire Tor network’s exit capacity. That means roughly about one out of 4 connections leaving the Tor network were going through exit relays controlled by a single attacker.” One of the actor’s motivations appears to be profit: they’ve been running SSL stripping attacks (removing HTTP-to-HTTPS redirects), and then using their ability to modify the resulting HTTP traffic inline to replace Bitcoin addresses observed in the traffic with their own wallets.

Brace for the Blue Shift
While the media likes to call election winners on election night, in reality there are often many votes that still need to be counted to determine an official conclusion. This will likely be even more so this year due to coronavirus and more mail-in ballots (and because hundreds of high-volume mail-processing machines are being taken offline before the election; more from the NY Times).

This could lead to a massive political cluster#$%^ / protests in the streets, if, for example, the additional ballots counted in the days or weeks after election day change the outcome of key swing states, leading to a different presidential winner. Good thing both parties are upholding the democratic process, not spreading unsubstantiated voter fraud claims, and are likely to calmly wait for the final results.

Expiring vs. Permanent Skills

Every field has two kinds of skills:

Expiring skills, which are vital at a given time but prone to diminishing as technology improves and a field evolves.

Permanent skills, which were as essential 100 years ago as they are today, and will still be 100 years from now.

Both are important. But they’re treated differently.

Expiring skills tend to get more attention. They’re more likely to be the cool new thing, and a key driver of an industry’s short-term performance. They’re what employers value and employees flaunt.

Permanent skills are different. They’ve been around a long time, which makes them look stale and basic. They can be hard to define and quantify, which gives the impression of fortune-cookie wisdom vs. a hard skill.

But permanent skills compound over time, which gives them quiet importance. When several previous generations have worked on a skill that’s directly relevant to you, you have a deep well of relevant examples to study. And when you can spend a lifetime perfecting one skill whose importance never wanes, the payoffs can be ridiculous. Anything that compounds over decades usually is.

Misc

DEFCON 2020 Live Notes
Post by Charlie Belmer containing notes for ~20 talks on topics including privacy, web security, network security, and more. (When I come across other people summarizing talks, I shed a single tear of joy.)

The Brilliance of All Gas No Brakes
Andrew Callaghan, 23-year-old creator of the hit YouTube show All Gas No Brakes, has been driving across the U.S. in an RV, putting a microphone in front of people’s faces, and letting them speak. This article argues that the rise in many fringe/conspiracy groups (e.g. flat-earth gatherings, alien conventions, etc.) is the result of a decline in the prior things that gave people purpose (e.g. religion, community, etc.).

Attack of the week: Voice calls in LTE
Matthew Green describes a new attack called ReVoLTE (has its own domain), “that exploits an LTE implementation flaw to recover the contents of an encrypted Voice over LTE (VoLTE) call. This enables an adversary to eavesdrop on VoLTE phone calls.”

Matthew Green: ‘Attack overview from the ReVoLTE paper. This diagram assumes that two different calls happen using the same key. The attacker controls a passive sniffer (top left) as well as a second handset that they can use to make a second call to the victim phone.’

Cyber Career Pathways Tool
“This tool presents a new and interactive way to explore work roles within the NICE Cybersecurity Workforce Framework. It depicts the Cyber Workforce according to five distinct, yet complementary, skill communities. It also highlights core attributes among each of the 52 work roles and offers actionable insights for employers, professionals, and those considering a career in Cyber.”

Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis
USENIX Distinguished Paper Award winner by Sathvik Prasad, Elijah Bouma-Sims, Athishay Kiran Mylappan, and Bradley Reaves.

In this paper, we present the first large-scale, longitudinal analysis of unsolicited calls to a honeypot of up to 66,606 lines over 11 months. From call metadata we characterize the long-term trends of unsolicited calls, develop the first techniques to measure voicemail spam, wangiri attacks, and identify unexplained high-volume call incidences. Additionally, we mechanically answer a subset of the call attempts we receive to cluster related calls into operational campaigns, allowing us to characterize how these campaigns use telephone numbers. Critically, we find no evidence that answering unsolicited calls increases the amount of unsolicited calls received, overturning popular wisdom. We also find that we can reliably isolate individual call campaigns, in the process revealing the extent of two distinct Social Security scams while empirically demonstrating the majority of campaigns rarely reuse phone numbers. These analyses comprise powerful new tools and perspectives for researchers, investigators, and a beleaguered public.

Apple, Epic, and the App Store
Another interesting Stratechery article by Ben Thompson:

…being a successful business by definition means being anticompetitive: without some sort of differentiation and/or superior cost structure any sort of margin a business has will be competed away, and so preserving that differentiation and/or cost structure — being anticompetitive — should be the goal of any business

…what is anticompetitive and what is simply good business changes as a business scales. A small business can generally be as anticompetitive as it wants to be, while a much larger business is much more constrained in how anticompetitively it can act.

The specific case of Apple and the iPhone raises an additional angle: should the importance of the market in the question make a difference as well?

There is a bit of a running joke in tech that the mainstream media believes that every tech company is ridiculously over-valued right up until the day that the exact same company is a juggernaut that is killing industries; in the case of Apple, the company’s strategy was doomed right up until it was illegal, or so it seems with the App Store.

Apple consistently acts like a company peeved it is not getting its fair share, somehow ignoring the fact it is worth nearly $2 trillion precisely because the iPhone matters more than anything. This is not a console you play to entertain yourself, or even a PC for work: it is the foundation of modern life, which makes it all the more disappointing that Apple seems to care more about its short term bottom line than it does about the users and developers that used to share in its integration upside; if Apple doesn’t change course, hyperessential will at some point trump hypercompetitive.

Mechanizing the Methodology: How to find vulnerabilities while you're doing other things
I really enjoyed Daniel Miessler’s Red Team Village talk, so I wrote a summary.

In this talk, Daniel discusses:

  • The philosophy behind how he automates his recon and OSINT

  • Several concrete examples of useful automations he’s built

  • How these individual automation building blocks can be combined into powerful and complex chains

  • How to set up lightweight, continuous scanning so you can focus your manual time on interesting targets

  • Where to learn more

I think this talk is useful not just for the technical details, but also the mindsets and principles. To me, this is one of the things that separates great talks from good talks.

Also I like analyzing the structure of talks, not just their content, so I took a stab at trying to represent this talk visually.

Let me know what you think: if you find it interesting or useful, or if there’s another way you think that would make it more clear.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint