Configuring SYSLOG integration with F5 BIG-IP

CVE-2020-5902 Defensive Guidance (FAST publish)

This week’s been a whirlwind, once again teams of people scrambled to help defend networks from criminals trying to abuse CVE-2020-5902.

If you want to see this in action check out my video on youtube!

The main issue (other than the vulnerability itself (path traversal and unauthenticated remote code execution) is exposing management interfaces to the internet (or other insecure/untrusted networks). Yesterday we looked at IOCs in the “/var/log/audit” file.

Now a sensible attacker who has ROOT level access would have likely cleared their tracks! However, a good sysadmin would have the logs shipped off the device!

Hunting a breach… CVE-2020-5902

I’ve spent the last 24 hours (including a sleeps) gathering intel, testing in the lab and looking at what the path traversal and RCE for the F5 BIG-IP as outlined in CVE-2020-5902 looks like.
Well I’ll be honest.. the whole scenario is a bit of a bloody mess! We’ve got people leaving management interfaces exposed to the internet, we’ve got a vulnerability that’s incredibly old in a security appliance (it’s not exactly uber 1337 either) and we’ve had the release scenario that’s probably ruined peoples weekends and weeks (I’m not going into an Offensive Securitry Tools debate/argument, if you want that go talk to a brick wall or someone else!)

If I had to go and find a job

Some background

I’m in a very fortunate position (currently) whereby I have not had to look for a ‘job’ since I was much younger. I do however remember what a soul crushing experience that used to be. I’d send emails, I’d write letters, eventually after stone walls of silence and rejections because of not enough experience or qualifications. I just remember job hunting as a depressing experience and I can’t really imagine that’s changed a great deal over time!

When I was younger, I was a year ahead of myself in school (due to the event of not dying and going to a very lovely first school). I was never very academic when I was younger, but I loved games and I learnt very quickly (this was with our first Amstrad) that I loved computers and wasn’t too shabby with them.

KB4551762 (CVE-2020-0796)

A recent information disclosure by Microsoft revealed there is a remote code execution vulneability in the SMB3 services (client and server). This vulnerability could be leveraged in a simmilar manner to MSBLASTER/NACHI/WannaCry etc.

This is a CRITICAL vulnerability, yet currently there are no reports of this being exploite in the wild (epect that the change in the near future)

Internet Presence Technology and Security Management

Living on the internet in the digital age

I have watched enough technology deployments occur over the last 20 years to have learnt a thing or two. One constant I find is the perception that deploying and technology in a business environment is ‘simple and easy’. However, history and experience teach us that this simply isn’t the case. Whilst working on a project recently I thought I would try and show this in terms of looking at foundational technology and security management capabilities regarding internet presence. In this post I’m going to outline a look at foundational capabilities for Domain Registrar, DNS and internet preens management. Read more “Internet Presence Technology and Security Management” →

Active Directory Security: Securing the crown jewels with PingCastle…

Securing the crown jewels

At the heart of most organisations are a Windows server active directory domain (or multiple of these), yet one of the most common findings when we review organisations security postures are there are significant weaknesses in their active directory deployments, both from an architectural, operational and security perspectives.

Active directory provides a range of functionality to organisations, from authentication, authorisation as well as supporting services such as printer and share listing, DNS, people/information lookups and integration for 3^rd party services. It’s the very hub that links most modern networked systems together and now it’s expanded beyond the corporate walls into the cloud with integration into Azure Directory Services as part of Azure or Office 365.

Essentially Active Directory can be considered a castle whereby crown jewels are held! This may be in the form of credentials/identity or by nature of granting access to business systems that hold sensitive data (such as using AD integration to log into an HR or Finance system). Read more “Active Directory Security: Securing the crown jewels with PingCastle 2.8.0.0” →

Try Hack Me – Part 6: Rise of the…

In this latest room (box) we take on Skynet! This box has a cool theme and was fun to play through.

https://tryhackme.com/room/skynet

This room starts to move away from the guided path and has far fewer flags, but it retains more than just a two-task approach to keep the person thinking about the types of vulnerability. I’m thinking it might be cool to ask defensive questions as well (something I might add into my room I’m building).

Well we don’t have time to waste, the machines might rise up and judgement day occur so let’s get pwning! Read more “Try Hack Me – Part 6: Rise of the Machines” →

Tech Tip: Simple Python3 HTTPS Server

Today’s tip is a quick post on how to create self signed HTTPS web services in python for when you need to transfer a file fast! Now in a live environment you are likely going to need to use a CA signed service such as LetsEncrypt etc. otherwise your clients will get a warning (or they will just click Accept and Continue etc. as most people do! However this is a quick post to show how to use Python3 to host http and https services for staging payloads etc.

Try Hack Me: Part 5 – Game Zone

Getting my agent on!

Today we look at a vulnerable web application room based upon the Hitman series!

https://tryhackme.com/room/gamezone

This is a fun room where we see an old but common vulnerability in untrusted user input lead to sensitive information disclosure (hashed credentials) which results in a threat actor gaining initial access. From here we then discover there is a weak security configuration (in effective network segmentation) and a vulnerable unpatched service. This chain leads to total system compromise. Read more “Try Hack Me: Part 5 – Game Zone” →

Thinking of building a Capture the Flag game?

Capture all the things!

Capture the Flag (CTF) games seem to be all the rage now! I mean, I’m not complaining, I’ve been using these for years now and I’ve been building games for about a year so I’m super excited they are more popular, but popular != great. Read more “Thinking of building a Capture the Flag game?” →