Posted in Blog, Cons

HouSecCon 2021 – D2

It’s nice talking on day 1 so day 2 is more chill. Also incredibly great to have an employer, boss, and colleagues who are like “go conference, we’ve got this under control.”

Session Notes

First up Gregory Pollmann and Chrissy Grove on identifying/prioritizing using crown jewel analysis. I like the crown jewels approach and repeatable process. Dropping the blog link here because it’s got links to the whitepaper and what not. Good approach that can make it easier to tie things to the business impact.

Then Ross Burke on operationalizing threat intel. Big takeaway here was you have to close the feedback loop so you aren’t just awash in IOCs. And that context matters. CTI can’t be set it and forget it.

The last talk I was able to get to was Clint Bodungen on hacking the cybersecurity workforce. What he talked about for getting started and growing your career are exactly what I’ve done – get involved, be part of the community, be accepting. Also mentioned letting people help you – that’s one I need to work on. I just about fell over when he mentioned getting a job is pretty much SE. Because, yeah, it is.

The rest of the day was talking to people and checking out vendors. There were a few new-to-me companies there so it was cool to see what they were doing. Caught up with some reps I know (and of course reminded them that helping out the K12 space is a good thing to do). I like checking out what new things are coming up. Yes, some of it is a little snake oil-ish, but even that gets you thinking.

I’m looking forward to talks being posted because there were several I would have liked to hear but couldn’t for various reasons. A huge thank you to Michael, Sam, all the volunteers, and all the sponsors who make HouSecCon happen. The hard work to put on a great conference is appreciated!

Posted in Blog, Cons

HouSecCon 2021 – D1

Day 1 in the books. It was a little odd to be at an in-person function, but it was a good time. I’ll theoretically add links to the videos when they come out.

Quick summary of my day…

Session notes

Opening keynote by Lesley Carhart on IR was jam packed full of tips for making IR hurt less. I’m going to have to watch this one when it’s posted. My biggest takeaway was an ounce of prevention is better than a pound of cure. I think any org looking to get a functional IR plan in place would benefit from watching.

Next for me was Nathan Wenzler on shifting to the cloud. Key points for me were don’t let tools become shelfware and make sure your APIs don’t suck. Also make sure that you are reading the fine print in your agreements. Know your SLAs and who is responsible/accountable for what.

Then Andy Bennett on ransomware. BEC costs more, but ransomware hurts more. One point I really liked was that your communication plan needs to be different for the IR team than for the upper level people. Good reminder. And MFA all the things. ALL THE THINGS.

After lunch was Deborah Watson on MITRE ATT&CK to reduce risk. I liked the emphasis on risk based controls and the reminder that if it’s someone’s job to open emails and attachments, we really can’t fault them for that. But we need to make it safer. And do you really have controls in place if the majority of the company is excepted from them?

Ricky Allen talked about cyber resilience. I liked the focus on recovery – I do think that part often gets neglected. He highlighted checklists as well. There’s a reason high pressure situations tend to have checklists. We forget things under stress. I’m a big believer in checklists (and documentation).

Then came my talk (Everything’s on fire and I’m not okay – managing priorities and workloads as an army of 1 [or more]), which I think went well, but I’ll also always think could have gone better. It was fun for me at least. Slides and links below. I think we can do better in focusing our priorities and stress levels. I hope people took away that priorities will look different at different places, that finding a way to match your needs for infosec with the needs of the org is a good thing to do, and that work boundaries are good.

My talk stuff

The references

Posted in Blog, Resources, Review

Workshop Review – DevOps for Hackers with Hands-On Labs w/Ralph May (Black Hills Information Security)

I’ve been wanting to get some exposure to deployment options like Ansible and Terraform, so when a Black Hills Information Security (BHIS) workshop popped up in my LinkedIn feed talking about using both for hackers, I mashed the registration link as fast as I could.

My “why” for taking the workshop was to have a better idea of how I can use Ansible and Terraform to better manage my lab environments. Since I tend to pop up and destroy cloud resources, it made sense to learn more and see if it could help. Plus it’s not going to hurt to know the basics of either one. That the workshop used DigitalOcean was a bonus. It’s nice to get out of the AWS and Azure worlds to see something new.

The TL;DR: if you see a Black Hills Information Security, Wild West Hackin’ Fest, or ActiveCountermeasures webinar or workshop that covers something you are interested in, sign up. It will be a good use of your time.

Workshop Resources

Workshop YouTube Recording: DevOps for Hackers with Hands-On Labs w/ Ralph May (4-Hour Workshop) – YouTube

Workshop Website (looks like Ralph May turned this into a public Notion page, so I’m linking that rather than the original): DevOps for Hackers with Hands-On Labs w/ Ralph May (4-Hour Workshop) (notion.site)

The original website was https://workshop.hackerops.dev

Workshop Overview

This 4 hour (plus an hour for setup) workshop included 4 labs (Terraform, Ansible, Docker, and C2 Deployment). Ralph did an introduction of each topic before walking through the lab. A huge help was that he provided completed lab files. Using the completed files I was able to keep up with the labs. There’s no way I could have typed fast enough. I might have been able to if I were more familiar with the platforms, but this approach worked for me. My plan is to go through the workshop again at my own pace where I can build the lab files myself knowing I have functional files to check things against if needed. The initial hour for setup was helpful since I had a brain fart about unpacking the VM and didn’t put it in a specific folder prior to extracting. The BHIS Discord was very active during the setup time, and everyone I saw having issues was able to get moving in the right direction before things started. I really appreciate this extra time because labs don’t go well when your environment is wonky. This lab setup was same day, which I think may be a more effective method. An earlier workshop sent the lab files earlier, and I think that is more likely to get put off until it’s time for the workshop. But that was also a pretty large VM download, so there may have been a need to spread that traffic out. I think you would get a decent amount out of the workshop just following along and not working on the labs during the live portion. I prefer to do what I can hands-on during the live portion so I have a better idea of what I want to go back to.

Presentation slides and lab guides were available for download, and it looks like those will be available on the Notion site for at least a little while. They mentioned Ralph is developing this into a full 16 hour workshop, and I think for anyone who is managing infrastructure for pentesting or red teaming, it could be a good time investment. I could see using this approach to pop up custom infrastructure quickly for each engagement and easily keep things separated out. The BHIS team also built in breaks every hour, so you could have a few minutes to step out for a bio break, check in on work, or wander aimlessly for a bit. That approach is working well for their 4 hour workshops that I’ve been in.

My Takeaways

I wanted to get a good idea of what things were and how they were used – mission accomplished in that regard. These are my brief, extremely high level takeaways. There’s a lot more to it, but these are the things that I want to have stored in my head so I have an idea of what I might want to reference for different projects.

  • Terraform – infrastructure as code, manage infrastructure, fast and consistent, free/open source, great for cloud and API
  • Ansible – infrastructure as code, configuration management, Python and YAML, slower, OS config
  • Docker (this was what was most familiar to me in the workshop) – containers, CI/CD, runs on all the things, application isolation, clean up your images
  • C2 deployment – there are a lot of C2 options available (and a lot of fun logos), calling some just a C2 framework is underselling their capabilities
    • Mythic – Docker(!), cool but there’s a lot going on, need to research more if I want to effectively use this, can be deployed with Ansible
    • I need to look up the ones I’m not familiar with (not being a pentester these aren’t something I can justify a lot of time playing with) to keep up with what’s out there. I need to look at some of these for labs so I’m not just using Metasploit, Empire, etc. because those are the ones I’m most familiar with. But also beware of chasing shiny things.

Post-Workshop To Dos

I want to go back through and do the labs by creating the files myself. Spending that time will help internalize the capabilities of Terraform and Ansible. I’ll probably do this using Digital Ocean initially, but I think the next time I’m building labs in AWS or Azure, I want to at least try setting things up with Terraform or Ansible as appropriate.

I probably would not go for the 16 hour workshop right now just because what it would cover are not my primary responsibilities. If I were in a role where I could use this approach to be more efficient, I’d be jumping at the opportunity. BHIS and WWHF have some of the most reasonable training rates around. And they are offering even more with a cyber range as part of their Antisyphon training stuff, so keep an eye on their training schedule.

Wrap Up

The content was well prepared and well presented. Labs worked and had files available so you could keep up if needed. I have an understanding of how Terraform and Ansible can be used. I know where I can go to find out more and ways to practice using them. I wouldn’t even call myself a beginner, but I know enough to learn more. That’s a big part of why I take things like this.

Bottom line, this was a good use of my time. I will continue to take advantage of the training from BHIS/WWHF/ACM as much as I can.

Posted in Blog, Resources

Let’s talk Terminal – Windows Terminal

First off, I really feel like there should be an apostrophe in there somewhere – Windows’ Terminal maybe? Regardless, I recently decided to give Windows Terminal a try after a colleague (thanks Kristy!) mentioned she’s been using it some. And then, I swear, I was seeing it everywhere. I could see some advantages, so I installed. Now, I think I might have a problem. I wanted a quick reference for myself and thought it would be a decent blog since I kept sharing them with colleagues (whether they wanted to know or not – I get excited/you’re welcome Chad!)

What is it and why I’m a little obsessed (skip if you’re just here for the tips/tricks)

I figured this was some random third party app before I started looking into it. Nope, it is from Microsoft – so that could be positive or negative. The big “selling points” for me were having multiple tabs and custom themes. Since I sometimes (always) have a questionable number of terminals open between various PowerShell, Command Prompt, and WSL options, being able to easily contain and differentiate them would be nice. And nice it is.

Terminal defaulted to PowerShell for me, which was fine. It will also pull in the other terminals you have, so if you are running PowerShell 7 alongside 5, it’ll show up. As will WSL distros, Azure Cloud Shell, etc. When I got some time to fiddle with it, I realized how well it fits into my workflow. The ability to have profiles for different tasks and access all the options without having a ton of Windows open improved my efficiency quite a bit. Not knowing which PowerShell window was IPPSSession versus ExchangeOnline versus general versus whatever made moving between them frustrating. You can change themes in the regular terminals, but it’s kind of a pain. I’m now happily down to usually just Windows Terminal and PowerShell ISE when I need that. Much of the time I’m down to Windows Terminal with multiple tabs.

What makes it powerful is the ability to set profiles, pass some commands when calling profiles, and start with multiple tabs open. You can also specify the path to start in for a profile, which comes in handy. All can have different themes, tab titles, and tab icons. The ability to have clear visual indicators is incredibly helpful, particularly when you might be doing some IR and need to have access to multiple terminal options. For some reason, using the right commands in the right places is more efficient. Who knew? It also lets me more clearly separate which has admin permissions. I’m using different background colors and specific icons to make it easy to get where I need to be to do that next thing. And as silly as it is, opening with the terminals I’m typically in all day every day without having to do anything makes me ridiculously happy. People like to tell me that’s me being efficient, but it feels kind of lazy to me. I guess it’s like writing a function to run a 1 line command in PowerShell – it may only save a few keystrokes each time, but the cumulative savings really adds up.

Set Up Tips

The kind of time consuming part is getting things set up for effectiveness. A lot of the options can be configured via the Settings GUI – Startup options, Appearance, Profile basics, etc. There are additional color schemes available by searching online, but I’ve been tweaking what’s already there because that’s a rabbit I don’t need to chase right now. Pick your profile name, icon, font, color scheme, background image, etc. to whatever makes you happy. Create custom color schemes in the Color Schemes section and apply them to your profiles to help differentiate them.

Pass commands starting the profile

If you look at the profiles, you’ll notice there’s a “Command Line” spot with just the typical cmd.exe, powershell.exe, wsl.exe -d <distro>, etc. there. What is cool/useful is being able to pass commands here. So if you want to always start a profile to connect to a computer remotely because you do this ALL THE TIME, you can:

 #Include -NoProfile if you want to avoid having a profile loaded
 PowerShell.exe -NoExit -Command Enter-PSSession -ComputerName <computername>
 PowerShell.exe -NoExit -Command Connect-IPPSSession -UserPrincipalName <UPN>
 PowerShell.exe -NoExit -Command Connect-ExchangeOnline -UserPrincipalName <UPN>

You might also want to jump straight into Python:

 #Or whatever you start Python with in Command Prompt (keep notes out of the command itself; cmd.exe would pass them to python as arguments)
 cmd.exe /k python
 #Or whatever you start Python with in your various WSL distros
 wsl.exe -d <distro> python3

This was a game changer because of how “efficient” I like to be – not having the extra step of connecting or whatever is phenomenal. The ability to pass arguments starting profiles gives you a ton of options. You may need to do a little testing to determine if you need to tweak the syntax a bit, but it’s pretty straightforward.

Start with multiple tabs

This part moved Windows Terminal from nice to awesome…because apparently opening the extra tabs is really hard for me. You do need a more recent version as some of the older ones don’t allow for it. Make sure you determine whether you want to use a distro or a profile because that impacts the syntax. You can also use this to specify colors and other things, but I prefer to do that with color schemes.

All you need to do is open up the JSON file with the settings (which will conveniently tell you if you’ve forked and work off an older version while you troubleshoot) and add this line – I put it after the default profile line:

// Put profiles with spaces in quotes and set the focus tab as desired, 0 is the default profile (settings.json accepts // comments, not #)
"startupActions": "; new-tab -p <profile> ; new-tab -p <profile>; focus-tab -t 0",

Add as many as you would like and there you go.

Multiple Panes

You can also put things in different panes so you have multiple options visible at the same time. Look through the documentation to see your options. Here are a few handy things:

 # Open vertical or horizontal pane with default profile
 ALT+SHIFT+= (Vertical) ALT+SHIFT+- (Horizontal)
 # Open from profile menu
 ALT+(Click new tab or dropdown to select profile)
 # Move between panes
 ALT+(arrow)
 # Resize
 ALT+SHIFT+(arrow)

There’s not a great way to open split panes with different profiles from the keyboard yet, but a decent workaround is to either make a profile that runs the command or put in the command manually (I’d probably make this a PowerShell function if I wanted to use it a lot…yeah, that happened; here’s the GitHub in case I develop it more). I would put this in the CurrentUserAllHosts profile version unless you want to keep it separated for some reason. If you create a profile and keep it in your first 9, you can open it with CTRL+SHIFT+<#>. Pretty handy if there are 2 profiles that you need to split panes with frequently. Both of these will open in a new window, which is not that big of a deal. I’d rather deal with that than take hands off the keyboard.

 # Add options as desired and put profile names in quotes if they contain spaces
 # This will open in a new window either way
 wt -p <profile>; split-pane -p <profile>

 # PowerShell function quick version - I might expand this more over time in my GitHub
 # $type is H (horizontal) or V (vertical). The backtick escapes ; so PowerShell
 # passes it through to wt instead of treating it as a statement separator; the
 # quotes keep profile names with spaces together as one argument.
 Function splitpanes ($profile1, $profile2, $type)
 {
     wt -p "$profile1" `; split-pane -p "$profile2" "-$type"
 }
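The startup tabs and the split-pane workaround above both boil down to composing a wt command line. The function below (an added example, not the post’s code) builds one from a list of profile names, quoting names with spaces, and can either launch it or hand it back for use as a "startupActions" value. It assumes wt.exe is installed and that the profile names passed in match those in settings.json.

```powershell
# Added example (not from the post): build a Windows Terminal layout from profile
# names. Assumes wt.exe is on PATH; profile names are whatever you defined in
# settings.json, so "PowerShell", "Ubuntu" etc. below are placeholders.
function New-WtLayout {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Tabs,        # one tab per profile name, first tab first
        [string[]] $SplitWith = @(),                    # profiles to split into the first tab
        [ValidateSet('H','V')] [string] $SplitType = 'V',
        [string] $StartDir,                             # optional starting directory for all panes
        [int] $FocusTab = 0
    )
    # Quote any profile name (or path) containing whitespace so wt sees one argument
    function Quote($name) { if ($name -match '\s') { '"' + $name + '"' } else { $name } }

    $dir   = if ($StartDir) { " -d $(Quote $StartDir)" } else { '' }
    $parts = @("new-tab -p $(Quote $Tabs[0])$dir")
    foreach ($p in $SplitWith) { $parts += "split-pane -$SplitType -p $(Quote $p)$dir" }
    foreach ($t in ($Tabs | Select-Object -Skip 1)) { $parts += "new-tab -p $(Quote $t)$dir" }
    $parts += "focus-tab -t $FocusTab"
    $cmdline = $parts -join ' ; '

    if ($PSCmdlet.ShouldProcess('Windows Terminal', "wt $cmdline")) {
        # Start-Process hands the whole string to wt.exe, so the ';' separators never
        # reach the PowerShell parser and need no backtick escaping
        Start-Process -FilePath 'wt.exe' -ArgumentList $cmdline
    }
    return $cmdline
}

# Two tabs, the first split with a third profile; -WhatIf only returns the command line
New-WtLayout -Tabs 'PowerShell', 'Ubuntu' -SplitWith 'Command Prompt' -SplitType H -WhatIf
```

Piping the -WhatIf result through ConvertTo-Json gives the string with its inner quotes escaped, ready to paste as the "startupActions" value in settings.json.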

References

The documentation is fairly good and a great place to start. It’s not always easy to find exactly what you are looking for though. Here are a few handy links to get started with:

Windows Terminal Startup Settings | Microsoft Docs

Windows Terminal command line arguments | Microsoft Docs

Windows Terminal Actions | Microsoft Docs

Launch Windows Terminal with multiple tabs (frakkingsweet.com)

cmd | Microsoft Docs

Posted in Blog, Resources

PrintNightmare Scanner – ItWasAllADream

PrintNightmare is causing quite a stir. This writeup from Kevin Beaumont is a great overview and intro if somehow you aren’t familiar with the issue. And the Huntress blog is also a good resource. From being patched in June (but not really; that was another thing) to an OOB July patch that didn’t fully remediate, it’s been quite the adventure in infosec. There has been great work by cube0x0 and gentilkiwi to provide POC code to test systems and validate the July patch, as well as a PowerShell implementation from Caleb Stewart and John Hammond. All kinds of fun. These are all exploit code, which is awesome, but maybe not something you want to run in your org. Enter byt3bl33d3r’s ItWasAllADream scanner. It works well and checks for the vulnerability without exploiting the hosts. Much better for testing. The ReadMe is great, but I know in my current state of dumpster fire, there were some brain farts. So writing up a quick guide to not forget. If you want to get some experience with containers, this is good practice with low overhead.

You may need to verify you are running WSL 2 if you want to route this through a WSL distro. Follow the documentation to get up and running with Docker and WSL 2. You may need restarts and to convert WSL 1 distros. Running WSL 1 and docker will make things cranky, so update before getting started. If you’ve installed Docker via apt, you will need to remove it (and remember it’s docker.io not just docker) to use the WSL 2 integration. Verify you have the right Docker by confirming the version. Setting up WSL2 wasn’t difficult, but it can be a little fidgety.

 docker --version

Windows recommends using Windows Terminal for the WSL 2 Docker integration. That may just be to push Terminal, but it’s got some advantages. So at least consider it.

Once you’ve got whatever you will be using for Docker functional, install and run as directed. Super simple.

 git clone https://github.com/byt3bl33d3r/ItWasAllADream
 cd ItWasAllADream #This and next can be combined if desired, make sure you clone it where you want it
 docker build -t itwasalladream . #Don't forget the trailing dot, that's the build context
 docker run -it itwasalladream -u <user> -p <password> -d <domain> <targetinCIDRnotation>

The output is a little verbose by default and is very clear what is found. This is great work by byt3bl33d3r.

The CSV output is dropped in the working directory in the CONTAINER. This was where I had a total brain fart. I do feel a little better that I’m not the only one based on the issues on Github. So, getting the report out of the container requires using docker cp. See the Docker documentation for details.

 docker cp <containername>:<reportname> .

If you don’t know the container name, get it by listing the containers available.

 docker ps -a

And clean up your scans when you are done.

 docker system prune

As much as I enjoy the generated container names Docker creates, they were a bit long to deal with effectively when using this to really check things. So name your container something useful and copy where you need it.

What is really great about the infosec community is from when the issue/question was posted, it took about 12 hours for details to be provided to the original poster with links and sample commands.

docker run --name <shortname> -ti itwasalladream -u <user> -p <password> -d <domain> <targetinCIDR>
# Get the report name from the output, adjust path to fit your needs
docker cp <shortname>:<reportname> /mnt/c/Users/<username>/<path>
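The build, run, copy and clean-up steps above wrapped into one function, as an added example that is not from the post or the ItWasAllADream project. It gives the container a short name, finds the CSV the scan wrote with docker diff instead of guessing the report name, and copies it out with docker cp. It assumes the docker CLI is on PATH (Docker Desktop with the WSL 2 backend works from PowerShell) and that the repo is already cloned; image, container and folder names are placeholders.

```powershell
# Added example (not from the post or the project). Wraps the walkthrough's
# docker steps; $RepoPath, $Image, $Name and $OutDir are placeholders to adjust.
function Invoke-PrintNightmareScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Target,          # host or CIDR range to check
        [Parameter(Mandatory)] [securestring] $Password,  # prompted, so it stays out of history
        [string] $RepoPath = '.\ItWasAllADream',
        [string] $Image    = 'itwasalladream',
        [string] $Name     = 'pn-scan',
        [string] $OutDir   = "$HOME\pn-reports"
    )
    # Build the image only if it is missing (note the trailing '.' build context)
    docker image inspect $Image *> $null
    if ($LASTEXITCODE -ne 0) {
        Push-Location $RepoPath
        try { docker build -t $Image . } finally { Pop-Location }
        if ($LASTEXITCODE -ne 0) { throw 'docker build failed' }
    }

    # A fixed --name means no hunting through 'docker ps -a' for Docker's random name
    docker rm $Name *> $null
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    # The tool takes the password on its own command line, so it is visible in
    # 'docker inspect' for this container until the container is removed below
    docker run --name $Name -it $Image -u $User -p $plain -d $Domain $Target

    # The CSV lands in the container's working directory. 'docker diff' lists the
    # files the run added, so the report is found without knowing its name.
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $reports = @(docker diff $Name | ForEach-Object {
        if ($_ -match '^A (.+\.csv)$') { $Matches[1] }
    })
    foreach ($r in $reports) { docker cp "${Name}:$r" $OutDir }

    # Remove the container so repeated scans do not pile up
    docker rm $Name *> $null
    return $reports   # container-side paths of the reports that were copied
}

# Example invocation; values are placeholders
Invoke-PrintNightmareScan -User 'svc_scan' -Domain 'CORP' -Target '10.0.0.0/24' `
    -Password (Read-Host -AsSecureString 'Password')
```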

So that’s ItWasAllADream in a nutshell. Easy to use scanner that in my testing has not caused issues and has returned accurate info. I suspect we’ll have a lot of people trying to scan systems who may not use Docker or WSL regularly, and hopefully this will help if they get stuck. And yes, this will probably be me here in a few months when I decide to re-check some things. Thus the writing it down.

I’m seeing a ton of questions about how to implement mitigations, and this testing is really helpful. Right now, it looks like the best option is shutting off the print spooler where that’s an option. Since that’s really impractical in a lot of cases, the GPO disabling inbound remote printing also seems to be effective. Either way, I bet we’re going to be dealing with the fallout for some time.