
whip_lash : security   740

Introducing the OWASP Nettacker Project - Speaker Deck
OWASP Nettacker project was created to automate the information gathering, vulnerability scanning and in general to aid the penetration testing engagements. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods.
scan  scanner  webapp  owasp  security 
18 days ago by whip_lash
Targeted Active Directory Host Enumeration | TrustedSec
I have seen environments that have stale 10-year-old records in their AD database where half or more of the records are of hosts that no longer exist. This complicates the matter for a consultant conducting attack emulation or for a threat hunter trying to identify assets. I know I can use the LastLogon date of the machine, but since I use the machine’s extracted credentials for other purposes in several scenarios, I prefer to use the last time the machine changed its password.
activedirectory  recon  security  pentest 
21 days ago by whip_lash
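The description above prefers the machine account's password change time over LastLogon to decide which computer objects still belong to live hosts. The following Python is an added example, not code from the TrustedSec post: it converts the AD pwdLastSet attribute (a Windows FILETIME) and splits a constructed set of computer records into live and stale hosts. The 90-day default and the sample objects are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since 1601-01-01.
# This constant is the tick count between that epoch and the Unix epoch.
EPOCH_DIFF_TICKS = 116444736000000000

def filetime_to_datetime(filetime):
    """Convert an AD large-integer timestamp (pwdLastSet, lastLogonTimestamp) to a UTC datetime."""
    return datetime.fromtimestamp((filetime - EPOCH_DIFF_TICKS) / 10_000_000, tz=timezone.utc)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to construct sample records."""
    return int(dt.timestamp() * 10_000_000) + EPOCH_DIFF_TICKS

def live_hosts(computers, now, max_age_days=90):
    """Names of computer objects whose machine-account password changed within max_age_days.
    Domain members rotate that password every 30 days by default, so a pwdLastSet several
    rotations old usually means the host is gone even though its AD object lingers.
    A pwdLastSet of 0 means the password was never set and is treated as stale."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(c["name"] for c in computers
                  if c["pwdLastSet"] and filetime_to_datetime(c["pwdLastSet"]) >= cutoff)

def stale_hosts(computers, now, max_age_days=90):
    """The complement of live_hosts: candidates for cleanup, or for skipping during enumeration."""
    live = set(live_hosts(computers, now, max_age_days))
    return sorted(c["name"] for c in computers if c["name"] not in live)

# Constructed sample objects (not real directory data), shaped like the result of an LDAP query
# for (objectCategory=computer) returning sAMAccountName and pwdLastSet.
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = [
    {"name": "WS01$",    "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=12))},
    {"name": "WS02$",    "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=85))},
    {"name": "SRV-OLD$", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=3650))},
    {"name": "NEVER$",   "pwdLastSet": 0},
]

if __name__ == "__main__":
    print("live:", live_hosts(SAMPLE_COMPUTERS, NOW))
    print("stale:", stale_hosts(SAMPLE_COMPUTERS, NOW))
```

Tightening max_age_days to 30 or 60 catches hosts that were recently decommissioned but whose objects have not yet been cleaned up; a value below 30 will start flagging healthy machines that simply have not hit their rotation yet.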
KubeCon NA 2019 Tutorial Guide
Welcome to the Attacking and Defending Kubernetes Clusters: A Guided Tour Walkthrough Guide, as presented at KubeCon NA 2019. We'll help you create your own Kubernetes environment so you can follow along as we take on the role of two attacking personas looking to make some money and one defending persona working hard to keep the cluster safe and healthy.
kubernetes  tutorial  security 
21 days ago by whip_lash
specterops/at-ps: Adversary Tactics - PowerShell Training
SpecterOps recently decommissioned our PowerShell course and rather than letting it collect dust, we wanted to offer it up to the community for free in the spirit of our commitment to transparency.
security  powershell  pentest  redteam  training  offensive 
21 days ago by whip_lash
Flamingo Captures Credentials — Atredis Partners
Flamingo is not Responder. Responder is an amazing tool that listens on the network, responds to name requests, and captures credentials. While the main goal of Responder is to coerce systems on the same broadcast domain into sending it Active Directory credentials, Flamingo takes a more passive approach, and does not actively solicit connections through LLMNR or NetBIOS responses. For most scenarios where you want to capture Active Directory credentials, Responder is still your tool of choice.
security  tools  credentials  redteam 
21 days ago by whip_lash
pcapinator: tool for processing a lot of pcaps using tshark
pcap  tshark  cli  security 
27 days ago by whip_lash
Hunting with Splunk: The Basics
Starting with this blog post, we will publish a weekly series of blog posts that take a single Splunk search command or hunting concept and break it down to its basic parts.
splunk  threathunting  security 
27 days ago by whip_lash
salesforce/ja3: JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
JA3 is a much more effective way to detect malicious activity over SSL than IP or domain based IOCs. Since JA3 detects the client application, it doesn’t matter if malware uses DGA (Domain Generation Algorithms), or different IPs for each C2 host, or even if the malware uses Twitter for C2, JA3 can detect the malware itself based on how it communicates rather than what it communicates to.

JA3 is also an excellent detection mechanism in locked-down environments where only a few specific applications are allowed to be installed. In these types of environments one could build a whitelist of expected applications and then alert on any other JA3 hits.
security  tls  fingerprinting  JA3  Malware  PCAP 
27 days ago by whip_lash
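The two paragraphs above describe JA3 as a fingerprint of how a client speaks TLS, and suggest an allowlist of expected fingerprints in locked-down environments. The Python below is an added example, not code from the salesforce/ja3 repository: it parses a ClientHello record into the five JA3 fields, builds the JA3 string and MD5 hash the published algorithm defines (GREASE values removed), and classifies fingerprints against an allowlist. The ClientHello bytes are constructed in the block, not captured traffic.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random per connection and are dropped before hashing,
# otherwise one client would produce a different JA3 on every connection.
GREASE = {(g << 8) | g for g in range(0x0a, 0x100, 0x10)}

def build_client_hello(version, ciphers, extensions):
    """Constructed ClientHello (TLS record + handshake header), used only to make sample input."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"          # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                               # one compression method: null
    ext = b"".join(struct.pack("!HH", etype, len(data)) + data for etype, data in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Extract the five JA3 fields from a raw ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = int.from_bytes(body[0:2], "big")
    pos = 34                                          # skip client_version (2) + random (32)
    pos += 1 + body[pos]                              # session id
    cipher_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cipher_len, 2)]
    pos += cipher_len
    pos += 1 + body[pos]                              # compression methods
    ext_types, curves, formats = [], [], []
    if pos < len(body):                               # extensions block is optional for old clients
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            ext_types.append(etype)
            if etype == 10:                           # supported_groups: u16 list length, u16 ids
                n = int.from_bytes(data[0:2], "big")
                curves = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + n, 2)]
            elif etype == 11:                         # ec_point_formats: u8 list length, u8 ids
                formats = list(data[1:1 + data[0]])
            pos += 4 + elen
    return version, ciphers, ext_types, curves, formats

def ja3_string(record):
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats with GREASE removed."""
    version, ciphers, exts, curves, formats = parse_client_hello(record)
    field = lambda values: "-".join(str(v) for v in values if v not in GREASE)
    return f"{version},{field(ciphers)},{field(exts)},{field(curves)},{field(formats)}"

def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()

# Constructed samples: a modern client with GREASE in the cipher and extension lists, and a
# sparse client that offers only two old cipher suites and no supported_groups extension.
SNI = b"\x00\x0e\x00\x00\x0bexample.com"
EXPECTED_CLIENT = build_client_hello(
    0x0303, [0x0a0a, 0x1301, 0x1302, 0xc02b],
    [(0xdada, b""), (0, SNI), (10, b"\x00\x04\x00\x1d\x00\x17"), (11, b"\x01\x00"), (35, b"")])
ODD_CLIENT = build_client_hello(0x0303, [0x002f, 0x0035], [(0, SNI), (11, b"\x01\x00")])

# Locked-down environment: hash the sanctioned applications' ClientHellos once,
# then alert on any fingerprint that is not on the list.
ALLOWLIST = {ja3_hash(EXPECTED_CLIENT)}

def classify(record, allowlist=ALLOWLIST):
    """'known' for an allow-listed fingerprint, 'alert' for anything else."""
    return "known" if ja3_hash(record) in allowlist else "alert"

if __name__ == "__main__":
    for name, rec in [("expected", EXPECTED_CLIENT), ("odd", ODD_CLIENT)]:
        print(name, ja3_string(rec), ja3_hash(rec), classify(rec))
```

The allowlist approach only works where the set of TLS clients is genuinely small; browsers and OS libraries change their ClientHello with updates, so the list needs refreshing on patch cycles or the alerts turn into noise.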
activecm/passer: Passive service locator, a python sniffer that identifies servers, clients, names and much more
Passer can work off a live packet capture or from a pcap file (command line parameter, see examples below). It reports live services and clients, ethernet cards on the lan, dns entries, operating systems, and routers - all passively!
network  security  pcap 
27 days ago by whip_lash
Announcing General Availability of CloudSploit by Aqua for GCP
Aqua Security announced the general availability of CloudSploit by Aqua for Google Cloud Platform (GCP). This release comes after an extended beta program, during which we worked closely with our customers to develop and deliver a robust set of out-of-the-box policies for GCP. This release also includes a Center for Internet Security (CIS) benchmark certification for GCP.
gcp  security  tool  cloud 
27 days ago by whip_lash
systemd service sandboxing and security hardening 101 | Ctrl blog
systemd enables services to run with a whole suite of hardening and sandboxing features from the Linux kernel. Here’s how to get a quick security review of the services running on your system and how to go about hardening their security.
linux  systemd  security 
27 days ago by whip_lash
Training Resources — ENISA
In these pages you will find the ENISA CSIRT training material, containing Handbooks for teachers, Toolsets for students and Virtual Images to support hands on training sessions.
training  security 
4 weeks ago by whip_lash
AlienVault - Open Threat Exchange
Open Threat Exchange is the neighborhood watch of the global intelligence community. It enables private companies, independent security researchers, and government agencies to openly collaborate and share the latest information about emerging threats, attack methods, and malicious actors, promoting greater security across the entire community.
security  threatintel 
4 weeks ago by whip_lash
PolarProxy - A transparent TLS proxy created primarily for incident responders and malware researchers
PolarProxy is a transparent SSL/TLS proxy created for incident responders and malware researchers. PolarProxy is primarily designed to intercept and decrypt TLS encrypted traffic from malware. PolarProxy decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file that can be loaded into Wireshark or an intrusion detection system (IDS).
dfir  tools  malware  security 
4 weeks ago by whip_lash
Zeek Blog: Detecting CVE-2020-0601 with Zeek
In this blog post, I will provide a high-level overview of some of the basics of the exploit, and how Zeek can be used to detect it.
security  windows  zeek  dfir 
4 weeks ago by whip_lash
BeyondProd: A new approach to cloud-native security  |  Documentation  |  Google Cloud
In this whitepaper, we provide details on how several pieces of Google’s infrastructure work together to protect workloads in an architecture that is now known as "cloud-native". For an overview of Google’s security, see the Security Infrastructure Design whitepaper.
security  architecture  cloud  google  beyondprod  zero-trust  secops 
8 weeks ago by whip_lash
Security Correlation Then and Now: A Sad Truth About SIEM
2020 is almost here. Most of the detection content I see today is in fact written in the 1990s style of exact and narrow matching to raw logs. Look at all the sexy Sigma content, will you? A fellow Network Intelligence enVision SIM user from 1998 will recognize many of the detections! Sure, we have ATT&CK today, but it is about solving a different problem.
security  siem  blueteam 
8 weeks ago by whip_lash
4 Google Cloud Shell bugs explained – Offensi
While the Google Cloud Platform is known to be a tough target among bughunters, I was lucky enough to have some modest success in finding bugs in one of its services, the Google Cloud Shell.
gcp  security  pentest 
8 weeks ago by whip_lash
Creating a Rootkit to Learn C - The Human Machine Interface
Background Information: This post is my solution for the last assignment in my Learning-C repository. I thought a good way to cap off a repo designed to introduce people to very basic C programming would be to take those very basic techniques and make a simple yet powerful security related program, namely a malicious shared library rootkit.
c  learning  programming  rootkit  security  tutorial 
9 weeks ago by whip_lash
Reversing Windows Internals (Part 1) - Digging Into Handles, Callbacks & ObjectTypes
Welcome to the first part of a series of posts about Exploring & Reversing Windows Concepts and Internals. If you reach here then you’re probably a security researcher or a programmer and this post and similar posts can help you understand what’s going on in some parts of Windows when you use objects with different users and credentials and what you can expect from Windows and how it internally works.
windows  security  reverseengineering 
10 weeks ago by whip_lash
Overview - AWS Well-Architected Labs
This repository contains documentation and code in the format of hands-on labs to help you learn, measure, and build using architectural best practices. The labs are categorized into levels, where 100 is introductory, 200/300 is intermediate and 400 is advanced.
aws  security  labs 
11 weeks ago by whip_lash
Attacking FreeIPA — Part I Authentication - Posts By SpecterOps Team Members
It is fundamental for an attacker to understand the operating environment, including various technologies in use and how they are applied. Hopefully this series can serve as a reference for operating inside of environments managed by FreeIPA.
authentication  freeipa  linux  security  pentest 
11 weeks ago by whip_lash
Towards a Quieter Firefox - Black Hills Information Security
There. Now Firefox shouldn’t be polluting your Burp Proxy History with requests you didn’t make.

I put this all into a user.js file, which you can copy to the Firefox profile directory every time you set up a new testing VM, so you don’t have to remember and make all those changes by hand.
burp  firefox  pentest  security 
11 weeks ago by whip_lash
Announcing the Cloud Native Security Hub | Sysdig
Standardized infrastructure enables sharing application resources across entities. We are taking advantage of this with the Cloud Native Security Hub.
cloud  security 
12 weeks ago by whip_lash
33(+) Kubernetes security tools. | Sysdig
That’s why we decided to create this Kubernetes security tools list, including open source projects and commercial platforms from different vendors, to help you choose the ones that look more interesting to you and guide you in the right direction depending on your Kubernetes security needs.
kubernetes  security  tools 
12 weeks ago by whip_lash
Home · ticarpi/jwt_tool Wiki
This wiki is a project to document the known attacks and potential security vulnerabilities and misconfigurations you may come across when testing JSON Web Tokens, and to provide a repeatable methodology for attacking them.
JWT  security  webapp  pentest  pentesting 
november 2019 by whip_lash
Bypassing Authentication on SSH Bastion Hosts
In order to create a Multiplexing Back door, we need to modify the SSH configuration file (~/.ssh/config) of a targeted user who we know will access the bastion from our compromised host:
ssh  hack  security  pentest  bastion 
november 2019 by whip_lash
Detecting Manual AWS Console Actions
In this post I’ll describe a set of AWS Cloudtrail alerting rules that let you detect when someone makes a manual change in your AWS Console. This has been one of the highest signal / lowest noise alerts we created in our organization - it lets us know when engineers do things like, i.e., manually add new security group ingress rules through the AWS Console
aws  devops  security  alerting  cloudtrail 
november 2019 by whip_lash
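The description above is about alerting on CloudTrail events that came from a human in the AWS Console rather than from tooling. The Python below is an added example, not the post's own rule set: it applies a console user-agent check plus a read-only filter to a constructed set of CloudTrail records. The user-agent markers, the read-only name prefixes and the sample records are assumptions for the example; the post's actual rules may be stricter.

```python
import json

# Assumptions for this example: a human working in the AWS Console shows up in CloudTrail with
# one of these user agents, and only mutating calls are interesting, so read-only events are dropped.
CONSOLE_MARKERS = ("console.amazonaws.com", "signin.amazonaws.com")
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Lookup")

def is_manual_console_change(event):
    user_agent = event.get("userAgent", "")
    if not any(marker in user_agent for marker in CONSOLE_MARKERS):
        return False
    read_only = event.get("readOnly")
    if read_only is None:                          # older records lack the field: fall back to the name
        read_only = event["eventName"].startswith(READ_ONLY_PREFIXES)
    return not read_only

def manual_console_changes(records):
    """(caller ARN, eventSource, eventName) for every record that looks like a hand-made change."""
    return [(ev.get("userIdentity", {}).get("arn", "unknown"), ev["eventSource"], ev["eventName"])
            for ev in records if is_manual_console_change(ev)]

# Constructed CloudTrail records (not from a real account), trimmed to the fields used above.
SAMPLE_LOG = """
{"Records": [
 {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userAgent": "console.amazonaws.com", "readOnly": false,
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userAgent": "console.amazonaws.com", "readOnly": true,
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userAgent": "aws-cli/1.16.200 Python/3.7.4 Linux/5.3.0", "readOnly": false,
  "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deploy/terraform"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
  "userAgent": "signin.amazonaws.com",
  "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"}}
]}
"""
SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]

if __name__ == "__main__":
    for who, source, name in manual_console_changes(SAMPLE_RECORDS):
        print(f"ALERT manual console change: {who} called {source} {name}")
```

In production the same predicate would run inside whatever consumes the trail (a Lambda on the CloudTrail S3 bucket, or a SIEM rule); the point of the example is the filter itself, which is what keeps the signal high and the noise low.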
GitHub - taviso/cefdebug: Minimal code to connect to a CEF debugger.
This is a minimal commandline utility and/or reference code for using libwebsockets to connect to an electron/CEF/chromium debugger.

You're probably thinking, "who would enable the debugger in shipping products?". Well, it turns out just about everyone shipping electron or CEF has made this mistake at least once.

In some configurations, you can pop a shell remotely just by making a victim click a link.
pentesting  electron  software  debugger  security 
october 2019 by whip_lash
Linux 25 PHP Security Best Practices For Sys Admins - nixCraft
Here are twenty-five php security best practices for Linux and Unix sysadmins for configuring PHP securely.
php  security  webapp 
september 2019 by whip_lash
T-Mobile Has a Secret Setting to Protect Your Account From Hackers That It Refuses to Talk About - VICE
I was able to activate the feature on my own T-Mobile account by calling customer service and asking for it to be put on the account
phone  security 
september 2019 by whip_lash
Forseti Security / About
Forseti Security is a collection of community-driven, open-source tools to help you improve the security of your Google Cloud Platform (GCP) environments. Forseti consists of core modules that you can enable, configure, and execute independently of each other. Community contributors are also developing add-on modules to offer unique capabilities. Forseti’s core modules work together, and provide a foundation that others can build upon.
forseti  gcp  cloud  security 
august 2019 by whip_lash
Neo23x0/sigma: Generic Signature Format for SIEM Systems
Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
analytics  security  siem 
august 2019 by whip_lash
Security - Kubernetes
As you can see from the above figure, each one of the 4C’s depends on the security of the squares in which they fit. It is nearly impossible to safeguard against poor security standards in Cloud, Containers, and Code by only addressing security at the code level. However, when these areas are dealt with appropriately, then adding security to your code augments an already strong base. These areas of concern will now be described in more detail below.
kubernetes  security 
august 2019 by whip_lash
HTTP Desync Attacks: Request Smuggling Reborn | Blog - PortSwigger
HTTP requests are traditionally viewed as isolated, standalone entities. In this paper, I'll explore forgotten techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $70k in bug bounties.
webapp  pentest  security  http  requestsmuggling 
august 2019 by whip_lash
Don’t Underestimate Grep Based Code Scanning
Below is the starter pack of rules. Some rules are clearly more noisy than others — people can pick and choose the ones they want to focus on.
grep  staticanalysis  security  code 
august 2019 by whip_lash
GoateePFE/PowerShellSummit2019: Hands on lab materials for the PowerShell Security session
Materials for the Hands on lab: Hunting PowerShell Badness.

This lab was done on site at the event with an environment hosted online. That environment was decommissioned after the event.

To do this at home ignore the credentials and machine names in the lab guides. Instead build your own environment and accounts using the outline in Lab_99_Home_Lab_Build.md found in this repo. Then substitute your own machine names and credentials in the appropriate lab steps.
powershell  security  dfir  tutorial 
august 2019 by whip_lash
Recorded Courses | Professionally Evil Training
Browse the list of our recorded courses below

AD & BURP
security  course  tutorial 
august 2019 by whip_lash
sans-blue-team/DeepBlueCLI
DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs
powershell  security  att&ck  dfir 
august 2019 by whip_lash
MITRE ATT&CK™
MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
hacking  dfir  mitre  analysis  purpleteam  security  att&ck 
august 2019 by whip_lash
Tool Analysis Result Sheet
This site summarizes the results of examining logs recorded in Windows upon execution of the 49 tools which are likely to be used by the attacker that has infiltrated a network. The following logs were examined. Note that it was confirmed that traces of tool execution are most likely to be left in event logs. Accordingly, examination of event logs is the main focus here.

Event Log
Execution history
Prefetch
USN Journal
MFT
UserAssist
Packet Capture
hacking  dfir  mitre  analysis  purpleteam  security  att&ck 
august 2019 by whip_lash
Pentagon testing mass surveillance balloons across the US | US news | The Guardian
“We do not think that American cities should be subject to wide-area surveillance in which every vehicle could be tracked wherever they go,” said Jay Stanley, a senior policy analyst at the American Civil Liberties Union.
privacy  security  surveillance 
august 2019 by whip_lash
redhuntlabs/RedHunt-OS: Virtual Machine for Adversary Emulation and Threat Hunting
Virtual Machine for Adversary Emulation and Threat Hunting by RedHunt Labs

RedHunt OS aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment.
dfir  security  threathunting  vm 
august 2019 by whip_lash
Netflix Information Security: Preventing Credential Compromise in AWS
Today, we would like to share two additional layers of security: API enforcement and metadata protection. These layers can be used to help prevent credential compromise in your environment.
aws  security 
july 2019 by whip_lash
Find Security Bugs
The SpotBugs plugin for security audits of Java web applications.

IDE PLUGIN
java  library  security  test  analysis  vulnerability  scanner  owasp 
july 2019 by whip_lash
OWASP Dependency Check - OWASP
Dependency-Check is a software composition analysis utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake).
analysis  owasp  security  scanner  vulnerability  software 
july 2019 by whip_lash
Pentesting tools | theyknow
This page will be a completely chaotic list of tools, articles, and resources I use regularly in Pentesting and CTF situations. My goal is to update this list as often as possible with examples, articles, and useful tips. It will serve as a reference for myself when I forget things and hopefully help others discover tools that they haven’t used.
pentesting  pentest  security  tools 
july 2019 by whip_lash
mbechler/marshalsec
It's been more than two years since Chris Frohoff and Gabriel Lawrence have presented their research into Java object deserialization vulnerabilities ultimately resulting in what can be readily described as the biggest wave of remote code execution bugs in Java history.

Research into that matter indicated that these vulnerabilities are not exclusive to mechanisms as expressive as Java serialization or XStream, but some could possibly be applied to other mechanisms as well.
java  webapp  deserialization  security  pentest 
july 2019 by whip_lash
cloud-custodian/cloud-custodian: Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real time compliance to security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.

Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift, CosmosDB, PubSub Topic) and are constructed from a vocabulary of filters and actions.

It integrates with the cloud native serverless capabilities of each provider to provide for real time enforcement of policies with builtin provisioning. Or it can be run as a simple cron job on a server to execute against large existing fleets.
aws  gcp  cloud  compliance  security 
july 2019 by whip_lash
RiotGames/cloud-inquisitor: Enforce ownership and data security within AWS
Cloud Inquisitor can be used to improve the security posture of your AWS footprint through:

monitoring AWS objects for ownership attribution, notifying account owners of unowned objects, and subsequently removing unowned AWS objects if ownership is not resolved.
detecting domain hijacking.
verifying security services such as Cloudtrail and VPC Flowlogs.
managing IAM policies across multiple accounts.
aws  security 
july 2019 by whip_lash
Netflix/repokid: AWS Least Privilege for Distributed, High-Velocity Deployment
Repokid uses Access Advisor provided by Aardvark to remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account.
aws  security  iam 
july 2019 by whip_lash
StreamAlert — streamalert 2.2.0 documentation
StreamAlert is a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response.
Overview

Incoming log data is classified and scanned by the StreamAlert rules engine running in your AWS account. Rule matches are reported to one or more alert outputs:
aws  security  dfir 
july 2019 by whip_lash
Intro to CakePHP for Bug Hunters - Tenable TechBlog - Medium
This guide is here to help you fast track that process for an application built using CakePHP.
php  cakephp  webapp  security  pentest 
july 2019 by whip_lash
GitHub - toniblyx/my-arsenal-of-aws-security-tools: List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
Favorite tweet:

A Huge List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. https://t.co/mlF1Crm7Jq

— Emad Shanab (@Alra3ees) June 29, 2019
pentest  aws  security  tools 
june 2019 by whip_lash
FOSDEM 2019 - Base64 is not encryption
Secrets are a key pillar of Kubernetes' security model, used internally (e.g. service accounts) and by users (e.g. API keys), but did you know they are stored in plaintext? That's right, by default all Kubernetes secrets are base64 encoded and stored as plaintext in etcd. Anyone with access to the etcd cluster has access to all your Kubernetes secrets.

Thankfully there are better ways. This lecture provides an overview of different techniques for more securely managing secrets in Kubernetes including secrets encryption, KMS plugins, and tools like HashiCorp Vault.
kubernetes  security 
june 2019 by whip_lash
Zed Attack Proxy in a CI Pipeline?
OWASP ZAP is a powerful tool in the battlefield of secure web applications. The toolset developed around it is powerful, modern and is the cornerstone of moving to a fully automated penetration testing state in the CI Pipeline. The Jenkins plugin is highly recommended for baseline scans
owasp  security  devsecops 
june 2019 by whip_lash
AWS SSM is a trojan horse: fix it now! | cloudonaut
You have to be very careful about the following permissions which can be used to execute a command on an EC2 instance via the SSM agent
aws  security 
june 2019 by whip_lash
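The description above warns that certain SSM permissions amount to command execution on EC2 instances. The Python below is an added example, not code from the cloudonaut post: it scans IAM policy documents for Allow statements that grant such actions, including through wildcards (ssm:*, *) and through NotAction statements that fail to exclude them. The two actions checked (ssm:SendCommand and ssm:StartSession) and the sample policies are assumptions for the example; the post's own list may be longer.

```python
import fnmatch

# Actions that let the caller execute commands on an instance through the SSM agent.
# Assumed minimum for this example; the post's full list may contain more.
COMMAND_EXEC_ACTIONS = ("ssm:SendCommand", "ssm:StartSession")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, pattern):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def granted_exec_actions(policy):
    """(statement index, granting pattern, action) for each Allow statement in an IAM policy
    document that grants an SSM command-execution action, whether directly, through a wildcard
    such as ssm:* or *, or through a NotAction statement that does not exclude it."""
    hits = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "Action" in stmt:
            for pattern in _as_list(stmt["Action"]):
                for action in COMMAND_EXEC_ACTIONS:
                    if _matches(action, pattern):
                        hits.append((idx, pattern, action))
        elif "NotAction" in stmt:                  # "everything except": grants whatever is not listed
            excluded = _as_list(stmt["NotAction"])
            for action in COMMAND_EXEC_ACTIONS:
                if not any(_matches(action, p) for p in excluded):
                    hits.append((idx, "NotAction", action))
    return hits

# Constructed policy documents for the example (not taken from any real account).
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:DescribeInstanceInformation", "ssm:GetCommandInvocation"],
     "Resource": "*"}]}
OPERATOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"},            # looks like "just SSM", is not
    {"Effect": "Deny", "Action": "ssm:DeleteDocument", "Resource": "*"}]}
ADMIN_EXCEPT_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in [("read-only", READ_ONLY_POLICY), ("operator", OPERATOR_POLICY),
                         ("admin-except-iam", ADMIN_EXCEPT_IAM_POLICY)]:
        print(name, granted_exec_actions(policy))
```

A hit is a reason to look, not a verdict: the Resource and Condition elements decide which instances and documents the action reaches, and an explicit Deny elsewhere in the effective policy set can still block it. Scoping ssm:SendCommand to specific document and instance ARNs is the usual fix.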
AWS Policy Generator
The AWS Policy Generator is a tool that enables you to create policies that control access to Amazon Web Services (AWS) products and resources. For more information about creating policies, see key concepts in Using AWS Identity and Access Management. Here are sample policies.
aws  policy  tool  security 
june 2019 by whip_lash
Securing Your GraphQL API from Malicious Queries – Apollo GraphQL
With GraphQL you can query exactly what you want whenever you want. That is amazing for working with an API, but also has complex security implications. Instead of asking for legitimate, useful data, a malicious actor could submit an expensive, nested query to overload your server, database, network, or all of these. Without the right protections you open yourself up to a DoS (Denial of Service) attack.
graphql  api  security 
june 2019 by whip_lash
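The description above explains the denial-of-service risk of deeply nested GraphQL queries. The Python below is an added example, not code from the Apollo post: a small depth counter that ignores braces inside strings, block strings and comments, a pre-execution check built on it, and a generator for the kind of nested query the post warns about. The depth limit of 5 and the sample query are assumptions for the example.

```python
def query_depth(query):
    """Maximum nesting of selection sets in a GraphQL document. Braces inside strings,
    block strings and comments are ignored so they cannot be used to fool the counter."""
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                                   # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):                # block string: skip to the closing triple quote
            end = query.find('"""', i + 3)
            i = n if end < 0 else end + 3
            continue
        elif ch == '"':                                 # ordinary string, honouring backslash escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth

def validate_query(query, max_depth=5):
    """Cheap pre-execution check: reject before any resolver or database call runs.
    Returns (accepted, reason)."""
    depth = query_depth(query)
    if depth > max_depth:
        return False, f"query depth {depth} exceeds limit {max_depth}"
    return True, "ok"

def nested_attack_query(levels, field="friends"):
    """Build the kind of query the post warns about: friends { friends { ... } } `levels` deep."""
    selection = "id"
    for _ in range(levels):
        selection = f"{field} {{ {selection} }}"
    return f"query {{ me {{ {selection} }} }}"

# Constructed, legitimate-looking client query; the brace inside the string must not count.
LEGIT_QUERY = '''
# fetch the viewer and a few posts
query {
  me { id name posts(first: 10) { title } }
  search(text: "{ not a selection set }") { id }
}
'''

if __name__ == "__main__":
    print(validate_query(LEGIT_QUERY))
    print(validate_query(nested_attack_query(20)))
```

Depth is only one axis: a shallow query can still fan out across thousands of list items, so a real deployment pairs a depth limit with per-field cost weights and a total complexity budget, and applies both before execution rather than after the database has already been hit.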
hastebin
Favorite tweet:

The #Hacking, #OffSec, #Cybersecurity & #OSINT resources archive/study guide is finished.

Added many hundreds, maybe thousands of new resources, cleaned up study guide, added huge lists of #OSINT, #OPSEC content.

Also,links to graphics like below. https://t.co/WSQtMdmrSR … pic.twitter.com/qP0kNhovKq

— ΜΔDΞRΔS (@hackermaderas) June 10, 2019
hacking  security 
june 2019 by whip_lash
GitHub - porterhau5/BloodHound-Owned: A collection of files for adding and leveraging custom properties in BloodHound.
A collection of files for adding and leveraging custom properties in BloodHound. A thorough overview of the ideas that led to these Custom Queries & Ruby script can be found in this blog post: http://porterhau5.com/blog/extending-bloodhound-track-and-visualize-your-compromise/

These are intended, although not required, to be used with a forked version of BloodHound found here: https://github.com/porterhau5/BloodHound
bloodhound  activedirectory  pentest  security 
june 2019 by whip_lash
GKE Security Using Falco, Pub/Sub, and Cloud Functions - DZone Security
In this blog post, we will demonstrate how to build a complete GKE security stack for anomaly detection and prevent container runtime security threats. We will integrate the Falco runtime security engine with Google Cloud Functions and Pub/Sub.
gke  gcp  kubernetes  security 
june 2019 by whip_lash
Podman: A more secure way to run containers | Opensource.com
Podman uses a traditional fork/exec model for the container, so the container process is an offspring of the Podman process. Docker uses a client/server model. The docker command I executed is the Docker client tool, and it communicates with the Docker daemon via a client/server operation. Then the Docker daemon creates the container and handles communications of stdin/stdout back to the Docker client tool.

The default loginuid of processes (before their loginuid is set) is 4294967295. Since th...
containers  podman  security  docker 
june 2019 by whip_lash
Using Tabletop Simulations to Improve Your Information Security Program
So how do we better design and deliver a simulation that drives our security program toward a state of continuous improvement?
security  exercise 
june 2019 by whip_lash
FreeIPA
Integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag certificate system, SSSD and others.
authentication  linux  security  ipa  iam 
june 2019 by whip_lash