PatrOwl – Open Source, Free And Scalable Security Operations Orchestration Platform

PatrOwl is a scalable, free and open-source solution for orchestrating Security Operations. PatrowlManager is the front-end application for managing the assets, reviewing risks in real time, orchestrating the operations (scans, searches, API calls, …), aggregating the results, relaying alerts to third parties (e.g. incident response platforms like TheHive, Splunk, …) and providing the reports and dashboards. Operations are performed by the PatrowlEngines instances. Don’t forget to install and deploy them ;)

Project pitch deck

Architecture

Fully developed in Python, PatrOwl is composed of a front-end application, PatrowlManager (Django), communicating with one or multiple PatrowlEngines micro-applications (Flask) which perform the scans, analyze the results and format them in a normalized way. It remains incredibly easy to customize all components. Asynchronous tasks and engine scalability are supported by RabbitMQ and Celery. The PatrowlManager application is reachable using the embedded web interface or using the JSON API. PatrowlEngines are only available through generic JSON API calls (see Documentation).

Download PatrOwl

Link: http://www.kitploit.com/2018/10/patrowl-open-source-free-and-scalable.html

SILENTTRINITY – A Post-Exploitation Agent Powered By Python, IronPython, C#/.NET

A post-exploitation agent powered by Python, IronPython, C#/.NET.

Requirements

- Server requires Python >= 3.7
- SILENTTRINITY C# implant requires .NET >= 4.5

How it works

Notes

.NET runtime support

The implant needs .NET 4.5 or greater due to the IronPython DLLs being compiled against .NET 4.0; also, there is no ZipArchive .NET library prior to 4.5, which the implant relies upon to download the initial stage containing the IronPython DLLs and the main Python code.

Reading the source for the IronPython Compiler, it seems like we can get around the first issue by directly generating IL code through IKVM (I still don’t understand why this works). However, this would require modifying the compiler to generate a completely new EXE stub (definitely feasible, just time consuming to find the proper IKVM API calls).

C2 Comms

Currently the implant only supports C2 over HTTP 1.1. .NET 4.5 seems to have a native WebSocket library, which makes implementing a WS C2 channel more than possible.

HTTP/2 client support for .NET’s HttpClient API is in the works, just not yet released.

The implant and server design are very much "future proof", which should make implementing these C2 channels pretty trivial when the time comes.

COM Interop

http://ironpython.net/documentation/dotnet/dotnet.html#oleautomation-and-com-interop

We could possibly leverage this to use IE’s COM object to do C2 à la WSC2.

Python Standard Library

We technically could load/use IronPython’s stdlib instead of calling .NET APIs, but this would require writing some "magic" dependency resolving code. Possibly we could modify httpimports to do this automagically.

Inject into unmanaged process

https://www.codeproject.com/Articles/607352/Injecting-Net-Assemblies-Into-Unmanaged-Processes

RPC

We might want to implement a fully fledged RPC that proxies objects between C# and Python. This could be interesting… https://pythonhosted.org/Pyro4/pyrolite.html https://thrift.apache.org/

Download SILENTTRINITY

Link: http://www.kitploit.com/2018/10/silenttrinity-post-exploitation-agent.html

Credit Freezes are Free: Let the Ice Age Begin

It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.

Link: https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/

U.S. Mobile Giants Want to be Your Online Identity

The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device. Here’s a look at what’s coming, and the potential security and privacy trade-offs of trusting the carriers to handle online authentication on your behalf.

Link: https://krebsonsecurity.com/2018/09/u-s-mobile-giants-want-to-be-your-online-identity/

In a Few Days, Credit Freezes Will Be Fee-Free

Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind.

Link: https://krebsonsecurity.com/2018/09/in-a-few-days-credit-freezes-will-be-fee-free/

htrace.sh – Simple Shell Script To Debug HTTP/HTTPS Traffic Tracing, Response Headers And Mixed-Content

htrace.sh is a shell script that allows you to validate your domain configuration and catch any errors (e.g. redirect loops). It also displays basic information about the SSL configuration (if available) and the response headers, checks for mixed content and performs security scans using Nmap scripts and great external tools such as SSL Labs or Mozilla Observatory.

Functions

It is useful for:

- checking proper domain configuration (web servers/reverse proxies)
- redirect analysis, e.g. to eliminate redirect loops
- checking response headers for each request
- checking basic SSL configuration
- validation of the certificates (date, CN, SAN) and verification of the SSL connection
- scanning the domain for mixed content
- scanning the domain using the Nmap NSE library
- scanning the domain with external security tools: Mozilla Observatory and the SSL Labs API

Before using htrace.sh please see Requirements.

How To Use

It’s simple:

    # Clone this repository
    git clone https://github.com/trimstray/htrace.sh
    # Go into the repository
    cd htrace.sh
    # Install
    ./setup.sh install
    # Run the app
    htrace.sh --domain https://google.com

A symlink to bin/htrace.sh is placed in /usr/local/bin; the man page is placed in /usr/local/man/man8.

External tools

htrace.sh supports external tools for security scans:

- Mozilla Observatory – CLI version of observatory.mozilla.org, with params: --format=report --rescan --zero --quiet
- Ssllabs – command-line reference-implementation client for the SSL Labs API, with params: -quiet -grade
- mixed-content-scan – CLI tool to check an HTTPS-enabled website for mixed content, with params: --user-agent "$_user_agent" --no-check-certificate
- Nmap NSE Library – provides automated security scans with Nmap, with scripts: http-auth-finder, http-chrono, http-cookie-flags, http-cors, http-cross-domain-policy, http-csrf, http-dombased-xss, http-git, http-grep, http-internal-ip-disclosure, http-jsonp-detection, http-malware-host, http-methods, http-passwd, http-phpself-xss, http-php-version, http-robots.txt, http-sitemap-generator, http-shellshock, http-stored-xss, http-unsafe-output-escaping, http-useragent-tester, http-vhosts, http-xssed, ssl-enum-ciphers, whois-ip

If you don’t know how to install these tools and where they should be placed, please see the Dockerfile, where every step is described exactly.

When scanning for mixed content and with the Nmap scripting engine, remember that it may take a long time before the entire site is checked.

Reports

If you want to generate a report in HTML format, use the ansi2html.sh tool. A detailed description of use:

    htrace.sh -d https://nmap.org -s -h | ansi2html --bg=dark > report.html

Docker

The configuration is contained in build/Dockerfile.

Build image:

    cd htrace.sh/build
    docker build --rm -t htrace.sh -f Dockerfile .

Run container:

    docker run --rm -it --name htrace.sh htrace.sh -d http://nmap.org -h

Requirements

This tool works with:

- GNU/Linux (tested on Debian and CentOS)
- Bash (tested on 4.4.19)
- Curl with specific variables support (≥ 7.52.0)
- OpenSSL
- Mozilla Observatory
- Ssllabs
- mixed-content-scan
- Nmap

Parameters

Provides the following options:

    htrace.sh v1.0.6

    Usage:
      htrace.sh

    Examples:
      htrace.sh --domain https://example.com
      htrace.sh --domain https://example.com -s -h --scan ssllabs

    Options:
      --help                              show this message
      -d|--domain <domain_name>           set domain name
      -s|--ssl                            show ssl server/connection params
      -h|--headers                        show response headers
      --scan <all|observatory|ssllabs>    scan domain with external security tools
      --mixed-content                     scan website for mixed content
      --nse                               scan website with nmap nse library
      --user-agent <val>                  set 'User-Agent' header
      --max-redirects <num>               set max redirects (default: 10)
      --timeout <num>                     set max timeout (default: 15)

Download Htrace.Sh

Link: http://feedproxy.google.com/~r/PentestTools/~3/E7ntCMA1l7c/htracesh-simple-shell-script-to.html

R0Ak (The Ring 0 Army Knife) – A Command Line Utility To Read/Write/Execute Ring Zero On Windows 10 Systems

r0ak is a Windows command-line utility that enables you to easily read, write, and execute kernel-mode code (with some limitations) from the command prompt, without requiring anything other than Administrator privileges.

Quick Peek

    r0ak v1.0.0 — Ring 0 Army Knife
    http://www.github.com/ionescu007/r0ak
    Copyright (c) 2018 Alex Ionescu [@aionescu]
    http://www.windows-internals.com

    USAGE: r0ak.exe
           [--execute <Argument>]
           [--write <Address | module.ext!function> <Value>]
           [--read <Address | module.ext!function> <Size>]

Introduction

Motivation

The Windows kernel is a rich environment in which hundreds of drivers execute on a typical system, and where thousands of variables containing global state are present. For advanced troubleshooting, IT experts will typically use tools such as the Windows Debugger (WinDbg), SysInternals Tools, or write their own. Unfortunately, usage of these tools is getting increasingly hard, and they are themselves limited by their own access to Windows APIs and exposed features.

Some of today’s challenges include:

- Windows 8 and later support Secure Boot, which prevents kernel debugging (including local debugging) and loading of test-signed driver code. This restricts troubleshooting tools to those that have a signed kernel-mode driver.
- Even on systems without Secure Boot enabled, enabling local debugging or changing boot options which ease debugging capabilities will often trigger BitLocker’s recovery mode.
- Windows 10 Anniversary Update and later include much stricter driver signature requirements, which now enforce Microsoft EV Attestation Signing. This restricts the freedom of software developers, as generic "read-write-everything" drivers are frowned upon.
- Windows 10 Spring Update now includes customer-facing options for enabling Hypervisor Code Integrity (HVCI), which further restricts allowable drivers and blacklists multiple 3rd-party drivers that had "read-write-everything" capabilities due to poorly written interfaces and security risks.
- Technologies like Supervisor Mode Execution Prevention (SMEP), Kernel Control Flow Guard (KCFG) and HVCI with Second Level Address Translation (SLAT) are making traditional Ring 0 execution ‘tricks’ obsolete, so a new approach is needed.

In such an environment, it was clear that a simple tool which can be used as an emergency band-aid/hotfix and to quickly troubleshoot kernel/system-level issues which may be apparent by analyzing kernel state might be valuable for the community.

How it Works

Basic Architecture

r0ak works by redirecting the execution flow of the window manager’s trusted font validation checks when attempting to load a new font, by replacing the trusted font table’s comparator routine with an alternate function which schedules an executive work item (WORK_QUEUE_ITEM) stored in the input node. Then, the trusted font table’s right child (which serves as the root node) is overwritten with a named pipe’s write buffer (NP_DATA_ENTRY) in which a custom work item is stored. This item’s underlying worker function and its parameter are what will eventually be executed by a dedicated ExpWorkerThread at PASSIVE_LEVEL once a font load is attempted and the comparator routine executes, receiving the named pipe-backed parent node as its input.

A real-time Event Tracing for Windows (ETW) trace event is used to receive an asynchronous notification that the work item has finished executing, which makes it safe to tear down the structures, free the kernel-mode buffers, and restore normal operation.

Supported Commands

- When using the --execute option, this function and parameter are supplied by the user.
- When using --write, a custom gadget is used to modify arbitrary 32-bit values anywhere in kernel memory.
- When using --read, the write gadget is used to modify the system’s HSTI buffer pointer and size (N.B.: This is destructive behavior in terms of any other applications that will request the HSTI data. As this is optional Windows behavior, and this tool is meant for emergency debugging/experimentation, this loss of data was considered acceptable). Then, the HSTI Query API is used to copy the data back into the tool’s user-mode address space, and a hex dump is shown.

Because only built-in, Microsoft-signed Windows functionality is used, and all called functions are part of the KCFG bitmap, there is no violation of any security checks, and no debugging flags or usage of poorly written 3rd-party drivers are required.

FAQ

Is this a bug/vulnerability in Windows?

No. Since this tool — and the underlying technique — require a SYSTEM-level privileged token, which can only be obtained by a user running under the Administrator account, no security boundaries are being bypassed in order to achieve the effect. The behavior and utility of the tool is only possible due to the elevated/privileged security context of the Administrator account on Windows, and is understood to be a by-design behavior.

Was Microsoft notified about this behavior?

Of course! It’s important to always file security issues with Microsoft even when no violation of privileged boundaries seems to have occurred — their teams of researchers and developers might find novel vectors and ways to reach certain code paths which an external researcher may not have thought of.

As such, in November 2014, a security case was filed with the Microsoft Security Research Centre (MSRC), which responded: "[…] doesn’t fall into the scope of a security issue we would address via our traditional Security Bulletin vehicle. It […] pre-supposes admin privileges — a place where architecturally, we do not currently define a defensible security boundary. As such, we won’t be pursuing this to fix."

Furthermore, in April 2015 at the Infiltrate conference, a talk titled Insection: AWEsomely Exploiting Shared Memory Objects was presented detailing this issue, including to Microsoft developers in attendance, who agreed this was currently out of scope of Windows’s architectural security boundaries. This is because there are literally dozens — if not more — of other ways an Administrator can read/write/execute Ring 0 memory. This tool merely allows an easy commodification of one such vector, for purposes of debugging and troubleshooting system issues.

Can’t this be packaged up as part of an end-to-end attack/exploit kit?

Packaging this code up as a library would require carefully removing all interactive command-line parsing and standard output, at which point, without major rewrites, the ‘kit’ would:

- Require the target machine to be running Windows 10 Anniversary Update x64 or later
- Have already elevated privileges to SYSTEM
- Require an active Internet connection with a proxy/firewall allowing access to Microsoft’s Symbol Server
- Require the Windows SDK/WDK installed on the target machine
- Require a sensible _NT_SYMBOL_PATH environment variable to have been configured on the target machine, and for about 15MB of symbol data to be downloaded and cached as PDB files somewhere on the disk

Attackers interested in using this particular approach — versus very many others that are more cross-compatible and do not require SYSTEM rights — likely already adapted their own code based on the Proof-of-Concept from April 2015 — more than 3 years ago.

Usage

Requirements

Due to the usage of the Windows Symbol Engine, you must have either the Windows Software Development Kit (SDK) or Windows Driver Kit (WDK) installed with the Debugging Tools for Windows. The tool will look up your installation path automatically, and leverage the DbgHelp.dll and SymSrv.dll that are present in that directory. As these files are not redistributable, they cannot be included with the release of the tool. Alternatively, if you obtain these libraries on your own, you can modify the source code to use them.

Usage of symbols requires an Internet connection, unless you have pre-cached them locally. Additionally, you should set up the _NT_SYMBOL_PATH variable pointing to an appropriate symbol server and cache location.

It is assumed that an IT expert or other troubleshooter who apparently has a need to read/write/execute kernel memory (and has knowledge of the appropriate kernel variables to access) is already more than intimately familiar with the above setup requirements. Please do not file issues asking what the SDK is or how to set an environment variable.

Use Cases

- Some driver leaked kernel pool? Why not call ntoskrnl.exe!ExFreePool and pass in the kernel address that’s leaking?
- What about an object reference? Go call ntoskrnl.exe!ObfDereferenceObject and have that cleaned up.
- Want to dump the kernel DbgPrint log? Why not dump the internal circular buffer at ntoskrnl.exe!KdPrintCircularBuffer
- Wondering how big the kernel stacks are on your machine? Try looking at ntoskrnl.exe!KeKernelStackSize
- Want to dump the system call table to look for hooks? Go print out ntoskrnl.exe!KiServiceTable

These are only a few examples — all Ring 0 addresses are accepted, either by module!symbol syntax or by directly passing the kernel pointer if known. The Windows Symbol Engine is used to look these up.

Limitations

The tool requires certain kernel variables and functions that are only known to exist in modern versions of Windows 10, and was only meant to work on 64-bit systems. These limitations are due to the fact that on older systems (or x86 systems), these stricter security requirements don’t exist, and as such, more traditional approaches can be used instead. This is a personal tool which I am making available, and I had no need for these older systems, where I could use a simple driver instead. That being said, this repository accepts pull requests, if anyone is interested in porting it.

Secondly, due to the use cases and my own needs, the following restrictions apply:

- Reads — Limited to 4 GB of data at a time
- Writes — Limited to 32 bits of data at a time
- Executes — Limited to functions which only take 1 scalar parameter

Obviously, these limitations could be fixed by programmatically choosing a different approach, but they fit the needs of a command-line tool and my use cases. Again, pull requests are accepted if others wish to contribute their own additions.

Note that all execution (including execution of the --read and --write commands) occurs in the context of a System Worker Thread at PASSIVE_LEVEL. Therefore, user-mode addresses should not be passed in as parameters/arguments.

Download R0Ak

Link: http://feedproxy.google.com/~r/PentestTools/~3/Vz-gBSo0l3s/r0ak-ring-0-army-knife-command-line.html

Instagram’s New Security Tools are a Welcome Step, But Not Enough

Instagram users should soon have more secure options for protecting their accounts against Internet bad guys. On Tuesday, the Facebook-owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime.

Link: https://krebsonsecurity.com/2018/08/instagrams-new-security-tools-are-a-welcome-step-but-not-enough/

Reddit Breach Highlights Limits of SMS-Based Authentication

Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.

Link: https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/