Embrace The Red

One area that I have encountered quite often over the years is that during recon phase of a bug bounty hunt or pentest a set of AWS access keys are being discovered. Let’s say you found 50 AWS access keys by drooling and hunting through public Github repos and using other nifty tricks and means. How do you go about checking their validity? And what do they have access to and provide the Bug Bounty Program or Blue Team the dates, times, and IP address when those keys were used?

Although Gitlab is not as popular as Github, it’s common to run across it these days. Especially after Microsoft acquired Github it seemed more individuals and organizations flocked over to Gitlab. In this post I want to document a couple of recon commands that are useful post-exploitation, and for blue teamers to watch out for. Let’s assume one has access to a Gitlab Token as a precursor. Let’s walk through some interesting commands and script snippets to leverage to find out more.

The last weeks of 2021 got quite interesting for security professionals and software engineers. Apache’s log4j library and its now prominent Java Naming and Directory Interface support, which enables easy remote code execution, made the news across the industry. What makes Log4Shell scary is the widespread adoption of the Log4j library amongst Java applications, and the ease of remote exploitation. A dangerous combination. Patches got released, bypasses were discovered more patches were released and so forth.

Cybersecurity breaches follow common patterns and stages - from an initial Beachhead to accomplishing Objectives. This video gives an overview of the anatomy of a compromise: Cheers. @wunderwuzzi23

This post is part of a series about Offensive BPF to learn how BPFs use will impact offensive security, malware, and detection engineering. Click the “ebpf” tag to see all relevant posts. Building advanced BPF programs So far in this Offensive BPF series the focus was on bpftrace to build and run BPF programs. The next thing I wanted to investigate is what options are available to modify data structures during BPF execution.

This post is part of a series about Offensive BPF that I’m working on to learn how BPFs use will impact offensive security, malware, and detection engineering. Click the “ebpf” tag to see all relevant posts. One of the issues I ran into when trying out sslsniff-bpfcc was that it did not work with Firefox or Chrome traffic. This post is about me learning how to hook user space APIs with bpftrace using uprobes.

Today you are in for a special treat. Did you know that an adversary can hide a smaller image within a larger one? This video demonstrates how a small image becomes magically visible when the computer resizes the large image, and also how to mitigate the vulnerability. This is possible when vulnerable code uses insecure interpolation. If you like this one check out the overall Machine Learning Attack Series.

Tabnabbing is a web application security vulnerability that can be used to perform phishing attacks, so its important to be aware of it as a developer and penetration tester. It is easy to mitigate and in this short video we cover both attacks and mitigations. Thanks for reading and happy hacking! @wunderwuzzi23

This post is part of a series about Offensive BPF that I’m working on to learn about BPF to understand attacks and defenses. Click the “ebpf” tag to see all relevant posts. In the previous posts I spend time learning about bpftrace which is quite powerful. This post is focused on basics and using existing BPF tools, rather then building new BPF programs from scratch. Living off the land: bpfcc-tools Performance and observability teams are pushing for BPF tooling to be present in production.

This post is part of a series about Offensive BPF that I’m working on to learn how BPFs use will impact offensive security, malware and detection engineering. Click the “ebpf” tag to see all relevant posts. In the last few posts, we talked about a bpftrace and how attackers can use it to their advantage. This post is about my initial ideas and strategies to detecting malicious usage. Detecting BPF misuse There are a set of detection ideas for Blue Teams.

This post is part of a series about Offensive BPF that I’m working on to learn how BPFs use will impact offensive security, malware and detection engineering. Click the “ebpf” tag to see all relevant posts. In the last post we talked about a basic bpftrace script to install a BPF program that runs commands upon connecting from a specific IP with a specific magic source port. This post will dive into this idea more by leveraging more a complex solution.

This post is part of a series about Offensive BPF that I’m working on to learn about BPF to understand attacks and defenses, click the “ebpf” tag to see all relevant posts. I’m learning BPF to understand how its use will impact offensive security, malware, and detection engineering. One offsec idea that quickly comes to mind with BPF is to observe network traffic and act upon specific events. So, I wanted to see if/how bpftrace, a popular tool for running BPF programs, can be used to create potential backdoors, and what evidence to look for as defenders.

Over the last few years eBPF has gained a lot of traction in the Linux community and beyond. eBPF’s offensive usage is also slowly getting more attention. So, I decided to dive into the topic from a red teaming point of view to learn about it to raise awareness and share the journey. Similar to the format of my Machine Learning Attack Series, there will be a serious of posts around BPF usage in offensive settings, and also how its misuse can be detected.

In this 25 minute video I’m explaining the foundations of Web Application Security. The video covers the basic building blocks of web applications, such as HTML, HTTP, JavaScript and Cookies. Furthermore core web applications security concepts such as the Same-Origin Policy are discussed in detail. The goal is to provide foundational knowledge to help grasp security vulnerabilities, such as XSS, CSRF, SQLi, tab-nabbing, etc. later on. In the past I have trained and presented content like this to thousands of engineers at large organizations and cloud providers, hence its quite optimized for best learning and comprehension outcome.

On Unix/Linux users with a uid=0 are root. This means any security checks are bypassed for them. An adversary might go ahead and create a new account, or set an existing account’s user identifier (uid) or group identifier to zero. A simple way to do this is to update /etc/passwd of an account, or use usermod -u 0 -o mallory. Let’s create a new user named mallory: wuzzi@saturn:/$ sudo adduser mallory [.

This post is part of the machine learning attack series. It’s been a while that I did a Husky AI and offensive machine learning related post. This weekend I had some time to try out Counterfit. My goal was to understand what Counterfit is, how it works, and use it to turn Shadowbunny into a husky. Let’s get started. What is Counterfit? With Counterfit you can test your machine learning models and endpoints for specific adversarial attacks.

I like using procdump on Windows. It’s quite handy for software development when systems have memory leaks or performance issues, procdump allows to set thresholds to trigger creation of a core dump. BUT, it’s also super useful to search processes for secrets and other information. For instance, this one liner will dump the memory of all processes to hard disk and then you can search them as you see fit.

In this very short post I wanna talk mention The Silver Searcher, which I just learned about a few weeks ago. In the past I have written quite a bit about the importance of credential hunting for your organization and some cool built-in operating system indexing features that can be used as well. Of course grep and findstr are also in every red teamers toolbox. As part of a coding project I recently learned about “The Silver Searcher”, which is very fast and has some neat features built it.

Many Windows applications and services are implemented using an automation infrastructure called Component Object Model (COM). COM has been around for decades and its useful for programming, sharing of code at binary level, usage from scripting languages, and well, red teaming. Wide Usage of Component Object Model Many products are implemented as COM objects, including Microsoft Office. Using PowerShell (or other languages) COM objects can be created to fully automate applications and services.

Until the Apple Airtag came out a few months ago I hadn’t really looked into the tag tracking market. Turns out there were already quite a lot of offerings available before Apple joined the market, most notably Tile. However, I wanted to try out the Airtag and ended up ordering a few. This post will explore three things: Removing the speaker of my Airtag Using Browser APIs to scan for Airtags (if you don’t have an iPhone but someone tries to stalk you this might be handy) Explore data exfiltration via Airtags and Apple’s “Find My” network By the way, when you order your Airtags online you can customize them.