Wireshark Release – 2.6.17, 3.0.11 and 3.2.4 – https://www.wireshark.org/news/20200519.html, (Tue, May 19th)

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

VMWare Security Advisory – VMSA-2020-0010 – https://www.vmware.com/security/advisories/VMSA-2020-0010.html, (Tue, May 19th)

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

Cisco Advisories for FTD, ASA, Firepower 1000, (Tue, May 19th)

Cisco has released a number of advisories for Firepower and Adaptive Security Appliance (ASA). 

Cisco Adaptive Security Appliance Software
CVE-2020-3259 Web Services Information Disclosure Vulnerability – High
–    An unauthenticated, remote attacker can access memory and potentially confidential information.
CVE-2020-3298 Malformed OSPF Packets Denial of Service Vulnerability – High
–    An unauthenticated, remote attacker could cause a device to reload, resulting in DoS.
CVE-2020-3196 SSL/TLS Denial of Service Vulnerability – High
–    An unauthenticated, remote attacker can exhaust memory resources, leading to DoS.
CVE-2020-3195 OSPF Packet Processing Memory Leak Vulnerability – High
–    An unauthenticated, remote attacker can exhaust memory resources, resulting in DoS.

Firepower Threat Defense
CVE-2020-3259 Web Services Information Disclosure Vulnerability – High
–    An unauthenticated, remote attacker can access memory and potentially confidential information.
CVE-2020-3298 Malformed OSPF Packets Denial of Service Vulnerability – High
–    An unauthenticated, remote attacker could cause a device to reload, resulting in DoS.
CVE-2020-3255 Packet Flood Denial of Service Vulnerability – High
–    An unauthenticated, remote attacker can cause a DoS on the device.
CVE-2020-3189 VPN System Logging Denial of Service Vulnerability – High
–    An unauthenticated, remote attacker can cause a memory leak, resulting in device degradation or a crash.
CVE-2020-3196 SSL/TLS Denial of Service Vulnerability – High
–    An unauthenticated, remote attacker can exhaust memory resources, leading to DoS.
CVE-2020-3195 OSPF Packet Processing Memory Leak Vulnerability – High
–    An unauthenticated, remote attacker can exhaust memory resources, resulting in DoS.

Firepower 1000
CVE-2020-3283 SSL/TLS Denial of Service Vulnerability – High
–    An unauthenticated, remote attacker can cause a buffer underrun, resulting in DoS.

Although Cisco rated all of these vulnerabilities the same (high), most of them require a patient, determined attacker and result in a DoS condition.  The exception is CVE-2020-3259, which can result in a breach of sensitive information. Either way, the solution is to upgrade to an unaffected version of the software.

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

What is up on Port 62234?, (Tue, May 19th)

Here at the ISC we provide access to a number of bits of data which can be used to dig into problems or even as an early warning system for unusual activity.  Well, today’s data has revealed a confounding one.  Port 62234, which traditionally has zero or near-zero sources attempting to access it, suddenly has hundreds of sources.

This port is not one I have seen as a target before, and none of my sources show any traffic on this port. A check of Shodan shows only 3 hits, and two of those appear to be BitTorrent related.  I am at a loss.  If any of you have further information, firewall logs, or better yet, packet captures of this activity, it would be appreciated if you could send it over for analysis.

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

Automating nmap scans, (Mon, May 18th)

With last week’s diary  I left you with using a relatively basic nmap command to perform a relatively thorough scan of an IP range.  That command was:

nmap -sT -A

I had indicated that I often use variations on that command to automate periodic scans against a critical IP range.  I had left you with some basics about what other parts of nmap can be helpful to automate this.  This week I received some questions about the automation steps, so here are the rest of the details.  In practice, most of my automated scripts have evolved well beyond this simple state, but in its very basic form this is where they evolved from.

In order to truly automate the scan we need three components:
Input file – to tell nmap which targets to scan
Output file(s) – to record and compare the results
Bash script – to act as a wrapper for the process steps

To tell nmap which IPs or networks to scan you can use the -iL parameter.  For a quick scan I usually just create a file called ips.txt in the current directory.  The contents of that file can be single IPs or network ranges in CIDR format, one address/network per line. So that takes us to an nmap command of:

nmap -sT -A -iL

As stated in the previous diary, the -oA parameter will send the nmap scan results to files utilizing all three of nmap’s output formats; normal (.nmap), XML (.xml), and grepable (.gnmap).  Only the .xml version is used by ndiff, but I find the other output formats useful for other purposes such as investigating after the scan.  Typically I just send my output to a file called nmap_current.  So the resulting nmap command is:

nmap -sT -A -iL

-oA nmap_current

and once that command is complete there will be three nmap output files:
nmap_current.gnmap  
nmap_current.nmap  
nmap_current.xml

There are many ways the running of this can be automated, but typically I just create a simple bash shell script and schedule it with cron to run at the appropriate interval.  A sample Bash script, nmap_scan.sh:

#!/bin/bash

# if there is a current file from a past run, then copy it to previous
if [ -f nmap_current.xml ];then
   cp nmap_current.xml nmap_previous.xml
fi

# run nmap
/usr/bin/nmap -sT -A -iL ips.txt -oA nmap_current

# if there is not a previous file then there is no point running ndiff
# this will fix itself on the next run
if [ -f nmap_previous.xml ];then
   /bin/ndiff nmap_previous.xml nmap_current.xml >> ndiff_out.txt
fi

Please note that this is not a very robust script.  The paths should be more explicit, and it does not handle emailing the ndiff result, but as a quick and dirty script it will do.
Once the script completes you will find the differences between the current scan and the previous scan in ndiff_out.txt in standard diff format, i.e. anything from the original file that has been removed shows a minus sign in the first column, and anything that has been added in the new file shows a plus sign in the first column.

# cat ndiff_out.txt
-Nmap 7.60 scan initiated Mon May 18 19:36:21 2020 as: /usr/bin/nmap -sT -A -iL ips.txt -oA nmap_current
+Nmap 7.60 scan initiated Mon May 18 20:12:00 2020 as: /usr/bin/nmap -sT -A -iL ips.txt -oA nmap_current

Hostname REDACTED (IP REDACTED):
OS details:
 Vodavi XTS-IP PBX
- Android 5.0 - 5.1
- Linux 3.2 - 3.10
 Linux 3.2 - 3.16
 Linux 3.2 - 4.8
+ Linux 3.2 - 3.10
 Linux 4.2
+ Android 5.0 - 5.1
+ Linux 2.6.32
 Linux 3.10
 Linux 3.13
- Linux 2.6.32
 Linux 2.6.32 - 3.10

+Hostname REDACTED (IP REDACTED):
+Host is up.
+Not shown: 999 closed ports
+PORT   STATE SERVICE VERSION
+3306/tcp open mysql  MariaDB (unauthorized)
+OS details:
+ Linux 2.6.32
+ Linux 3.7 - 3.10
+ Linux 3.10
+ Linux 3.16
+ Linux 3.8 - 4.9
+ Linux 3.1
+ Linux 3.2
+ AXIS 210A or 211 Network Camera (Linux 2.6.17)
+ Linux 3.11 - 3.14
+ Linux 3.19

A little knowledge of the network and some analysis, and this is enough to warn you if something unusual is going on, e.g. an unauthorized device or service has appeared, or the configuration of one of the devices has changed.
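The comparison step above is done by ndiff. The following is an added example, not the diary's own script, that does the same host/open-port comparison in Python over the XML that -oA writes (the nmap_previous.xml / nmap_current.xml pair), so the result can be checked or forwarded by a wrapper without parsing ndiff's text. The two XML documents are constructed samples in nmap's output shape, not real scan results, and the function names are my own.

```python
"""Compare two nmap XML result files the way ndiff does, in plain Python.

Added example, not from the ISC diary: it parses the XML that -oA writes
(nmap_previous.xml / nmap_current.xml in the diary's script) and reports
hosts and open ports that appeared or disappeared between two runs.
"""
import xml.etree.ElementTree as ET

# Constructed sample scans, not real nmap output. "Previous" saw one host
# with SSH; "current" sees that host with a new MariaDB port plus a new host.
PREVIOUS_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.60" args="nmap -sT -A -iL ips.txt -oA nmap_current">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.60" args="nmap -sT -A -iL ips.txt -oA nmap_current">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MariaDB"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Return {ip: {(proto, port, service), ...}} for every host that is up.

    Only ports whose <state> is "open" are kept; closed and filtered ports
    are noise for the "did something new appear?" question.
    """
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            ports.add((port.get("protocol"), int(port.get("portid")), name))
        hosts[addr.get("addr")] = ports
    return hosts


def diff_scans(previous_xml, current_xml):
    """Compute what ndiff would print as +/- lines, as plain data."""
    prev, cur = open_ports(previous_xml), open_ports(current_xml)
    result = {
        "new_hosts": sorted(set(cur) - set(prev)),
        "gone_hosts": sorted(set(prev) - set(cur)),
        "new_ports": {},
        "closed_ports": {},
    }
    for ip in set(prev) & set(cur):
        if cur[ip] - prev[ip]:
            result["new_ports"][ip] = sorted(cur[ip] - prev[ip])
        if prev[ip] - cur[ip]:
            result["closed_ports"][ip] = sorted(prev[ip] - cur[ip])
    return result


def format_report(diff):
    """Render the diff in the +/- style of ndiff_out.txt."""
    lines = [f"+Host {ip} appeared" for ip in diff["new_hosts"]]
    lines += [f"-Host {ip} disappeared" for ip in diff["gone_hosts"]]
    for ip, ports in diff["new_ports"].items():
        lines += [f"+{ip} {port}/{proto} open {name}" for proto, port, name in ports]
    for ip, ports in diff["closed_ports"].items():
        lines += [f"-{ip} {port}/{proto} open {name}" for proto, port, name in ports]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_scans(PREVIOUS_XML, CURRENT_XML)))
```

Run against the sample pair it reports the new host 10.0.0.9 and the new 3306/tcp on 10.0.0.5, and says nothing about the closed 8080/tcp; in the diary's cron wrapper the two constants would simply be replaced by reading nmap_previous.xml and nmap_current.xml. Note that ElementTree's `find` on an element that has no children is falsy, so the `or` fallback to a bare `<address>` only triggers when no IPv4 address element exists.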

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

Antivirus & Multiple Detections, (Sun, May 17th)

“When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?”.

I’m paraphrasing a question I’ve been asked a couple of times.

The answer depends on the sample file and the antivirus.

To illustrate this question, I made a sample file: a ZIP file containing the EICAR antivirus test file and mimikatz.exe.

The EICAR file appears first:

The different antivirus programs I’m familiar with will report just one detection: EICAR or mimikatz.

Like ClamAV:

Here we can see that ClamAV detects EICAR and not mimikatz. This is for performance reasons: ClamAV stops scanning a file after the first detection. However, ClamAV has an option to make it continue scanning after a match:

With this option, ClamAV reports both EICAR and mimikatz:

Do you know antivirus programs with a similar option? Please post a comment!

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Scanning for Outlook Web Access (OWA) & Microsoft Exchange Control Panel (ECP), (Sat, May 16th)

Over the past two weeks my honeypot captured several probes for the URL /owa/auth/logon.aspx?url=https://1/ecp/, looking for the Exchange Control Panel. In the February 2020 Patch Tuesday, Microsoft released a patch for ECP (CVE-2020-0688), a remote code execution vulnerability affecting Microsoft Exchange Server. Zero Day Initiative provided more details for this vulnerability here. After running the request through CyberChef’s URL Decode, this is what the scan looks like:

tcp-honeypot-20200502-072120.log:20200502-092115: 192.168.25.9:443-162.243.136.126:40998 data 'GET /owa/auth/logon.aspx?url=https://1/ecp/ HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'

This is a sample of the logs received over the past two weeks. You will notice that all the inbound scans are from the same IP range, owned by the same ASN.

Sample of Scanning Activity
tcp-honeypot-20200502-072120.log:20200502-092115: 192.168.25.9:443-162.243.136.126:40998 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'
tcp-honeypot-20200507-140821.log:20200508-060105: 192.168.25.9:443-162.243.142.247:43656 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'
tcp-honeypot-20200515-181040.log:20200516-160625: 192.168.25.9:443-162.243.138.144:45092 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'

If your organization has made OWA available on the web, verify that the cumulative updates and the service pack that address this remote code execution vulnerability in Microsoft Exchange 2010, 2013, 2016, and 2019 have been applied.
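Detection logic over the log format shown above, as an added example that is not part of the diary: it parses tcp-honeypot style lines, URL-decodes the request target, flags OWA logon requests whose url= parameter redirects into /ecp/, and groups the hits by source prefix to show the "same IP range" observation. The log lines are constructed to mirror the diary's format (the 198.51.100.7 entry is a made-up control line that should not match); the matcher and the /16 grouping are my own choices, not a published signature, and a /16 only approximates "same ASN".

```python
"""Flag Exchange Control Panel (ECP) probes in tcp-honeypot style logs.

Added example, not from the ISC diary. Sample lines are constructed in the
diary's "file:timestamp: local-remote data '...'" shape.
"""
import re
from collections import Counter
from ipaddress import ip_network
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log (payload line endings are stored as literal \r\n).
SAMPLE_LOG = r"""tcp-honeypot-20200502-072120.log:20200502-092115: 192.168.25.9:443-162.243.136.126:40998 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\n\r\n'
tcp-honeypot-20200507-140821.log:20200508-060105: 192.168.25.9:443-162.243.142.247:43656 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\n\r\n'
tcp-honeypot-20200515-181040.log:20200516-160625: 192.168.25.9:443-162.243.138.144:45092 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\n\r\n'
tcp-honeypot-20200515-181040.log:20200516-170001: 192.168.25.9:443-198.51.100.7:51234 data 'GET /owa/auth/logon.aspx HTTP/1.1\r\nHost: XX.YY.87.76\r\n\r\n'
"""

LINE_RE = re.compile(
    r"^(?P<file>\S+):(?P<ts>\d{8}-\d{6}): "
    r"(?P<local>[\d.]+:\d+)-(?P<src>[\d.]+):(?P<sport>\d+) data '(?P<data>.*)'$"
)
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/")


def parse_line(line):
    """Split one honeypot line into fields; returns None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    data = rec["data"].replace("\\r\\n", "\r\n")  # undo the literal escapes
    req = REQUEST_RE.match(data)
    rec["method"] = req.group("method") if req else None
    rec["target"] = req.group("target") if req else None
    # Same view the diary produced with CyberChef's URL Decode.
    rec["decoded_target"] = unquote(rec["target"]) if rec["target"] else None
    return rec


def is_ecp_probe(target):
    """True when an OWA logon request carries a url= value that points into /ecp/."""
    if not target:
        return False
    parts = urlsplit(target)
    if not parts.path.lower().startswith("/owa/auth/logon.aspx"):
        return False
    # parse_qs decodes once; unquote again so a double-encoded value still matches.
    return any("/ecp/" in unquote(v).lower() for v in parse_qs(parts.query).get("url", []))


def analyze(log_text, prefix_len=16):
    """Return (matching records, Counter of source prefixes) for a log blob."""
    probes = [r for r in map(parse_line, log_text.splitlines()) if r and is_ecp_probe(r["target"])]
    by_net = Counter(str(ip_network(f"{r['src']}/{prefix_len}", strict=False)) for r in probes)
    return probes, by_net


if __name__ == "__main__":
    hits, nets = analyze(SAMPLE_LOG)
    for r in hits:
        print(r["ts"], r["src"], r["decoded_target"])
    print(dict(nets))
```

On the sample the three 162.243.x.x lines match and collapse to a single 162.243.0.0/16 bucket, while the plain /owa/auth/logon.aspx request from the control source does not; on real honeypot data the same Counter over a lower prefix length (or a lookup such as the ISC ipinfo page) is what turns "hundreds of hits" into "one scanner".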

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
[2] https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
[3] https://isc.sans.edu/ipinfo.html?ip=162.243.136.126

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

SHA3 Hashes (on Windows) – Where Art Thou?, (Fri, May 15th)

No sooner had I posted on doing file and string hashes in PowerShell than I (again) got asked by Jim: “What about SHA3?  Shouldn’t we be using Quantum Safe algorithms if we have them?”

Looking around, support for SHA3 is pretty sparse no matter what the OS.  For Windows there’s a decent solution in bouncycastle (https://www.bouncycastle.org/), but the install is likely more than folks want to tackle, especially if it gets rolled into PowerShell at some future date.  Similarly, the SCCM ConfigurationManager module does implement them in some fashion, but that’s kind of a dead-end for most of us too.

In a pinch, hashify.net has a public API that supports just about any hashing algorithm you’d care to mention:

curl --location --request GET "api.hashify.net/hash/sha3-512/hex?value=QCQCQC"
{"Digest":"bcc7a070db5dd926bfbef21c6c5e8081402a79e45f96c4cd7fedc405e1a7fcb6b047cff266235f19f0d1219d2f0fd9299b93cd28d69517d7aefec8cf0c9ffdcc","DigestEnc":"hex","Type":"SHA3-512","Key":""}

The problem with that is – if the information you are hashing (presumably to verify against either now or later) is important or sensitive enough to warrant using one of the fancy SHA3 algorithms, it’s likely not data that you want sent to a public website in the clear.

I eventually decided to use the functionality in OpenSSL, with the rationale that anyone who needs this function will likely have OpenSSL already installed locally, at most we’d be asking them to upgrade – you’ll need OpenSSL 1.1.1 or better for SHA3-xxx hash support.  The syntax is:

echo "some string" | openssl dgst -hashalgorithm

or

type "somefilespec" | openssl dgst -hashalgorithm

where "hashalgorithm" is any of:

blake2b512                blake2s256                md4
md5                       md5-sha1                  mdc2
ripemd                    ripemd160                 rmd160
sha1                      sha224                    sha256
sha3-224                  sha3-256                  sha3-384
sha3-512                  sha384                    sha512
sha512-224                sha512-256                shake128
shake256                  sm3                       ssl3-md5
ssl3-sha1                 whirlpool

So for implementing this in PowerShell, it’s as easy as creating the command in a string, then calling it with “Invoke-Expression” (shortened to “iex” in the examples below).

So for now, until Microsoft rolls out better support for the SHA3 family of hashing algorithms, my quick-and-dirty implementation for the newer, shinier hash algorithms is below.  Note that if OpenSSL isn’t in the path, I’ve got a variable pointing to the directory containing the binary (update this variable to match your install).  In any “real” code you would put this in a config file of course (because we all need more config files in our life, right?)

$OpenSSLPath = "C:\openssl-1.1.1h\bin\"   # trailing backslash: openssl.exe is appended below

function Get-StringHash-OpenSSL ( [String] $InputString, $HashAlgo )
    {
    # Build the command line as text and run it with Invoke-Expression (iex).
    # echo appends a line ending, so the digest covers the string plus that terminator.
    $QT = "`""
    $cmd = "echo " + $QT + $InputString + $QT + " | " + $OpenSSLPath + "openssl.exe dgst -" + $HashAlgo
    $callcmd = iex $cmd
    # openssl prints "SHA3-256(stdin)= <hex>"; keep only the hex digest
    ($callcmd -split "= ")[-1]
    }

$hash = Get-StringHash-OpenSSL "CQ CQ CQ" "SHA3-256"
$hash

5b960a5284843bb23af5e249c8692bd6d831645cc5070d501b4cef3e94d6983e

$OpenSSLPath = "C:\openssl-1.1.1h\bin\"

function Get-FileHash-OpenSSL ( [String] $InputFileSpec, $HashAlgo )
    {
    # Hand the path to openssl directly instead of "type file | openssl": in
    # PowerShell, type is an alias for Get-Content, which re-encodes the bytes
    # as text lines and so corrupts the digest of a binary file.
    $QT = "`""
    $cmd = $OpenSSLPath + "openssl.exe dgst -" + $HashAlgo + " " + $QT + $InputFileSpec + $QT
    $callcmd = iex $cmd
    # output is "SHA3-512(<path>)= <hex>"; the path may contain spaces, so split on "= "
    ($callcmd -split "= ")[-1]
    }

$hash = Get-FileHash-OpenSSL "c:\windows\system32\cmd.exe" "Sha3-512"
$hash

0cacd8c85b44eed57101fee1431434278319dc441aee26354f811b483a30ff7861ecc88f4c90791e941e49dcb124a975d9eb301e5d715a4e80ee918ea2f5f844

If you’ve worked out a way to get these algorithms into PowerShell without IEX or any 3rd party installs, please share using our comment form. 
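Where a Python 3.6 or later interpreter is already on the box, the same SHA3 family is available locally through hashlib with no Invoke-Expression, no public API and no third-party install. The block below is an added example, not the diary's code or its OpenSSL wrappers; it assumes only the standard library, and its second purpose is to make visible why the diary's echo | openssl form digests a slightly different byte sequence than the bare string (echo appends a line ending).

```python
"""SHA-3 hashing locally with hashlib (added example, not the diary's code).

hashlib has carried sha3_224/256/384/512 (and shake_128/256) since 3.6, so
strings and files can be hashed without shelling out or sending data to a
public hashing service.
"""
import hashlib

SHA3_ALGOS = ("sha3_224", "sha3_256", "sha3_384", "sha3_512")


def _new(algo):
    if algo not in SHA3_ALGOS:
        raise ValueError(f"unsupported algorithm {algo!r}; choose one of {SHA3_ALGOS}")
    return hashlib.new(algo)


def sha3_bytes(data, algo="sha3_256"):
    """Digest of an exact byte sequence; nothing is appended or re-encoded."""
    h = _new(algo)
    h.update(data)
    return h.hexdigest()


def sha3_string(text, algo="sha3_256", line_ending=""):
    """Digest of a string as UTF-8.

    line_ending mimics what `echo "text" | openssl dgst` actually feeds the
    hash: the string plus the shell's line terminator ("\\n" or "\\r\\n").
    """
    return sha3_bytes((text + line_ending).encode("utf-8"), algo)


def sha3_file(path, algo="sha3_512", chunk_size=1 << 20):
    """Stream a file through the hash so large binaries never sit in memory."""
    h = _new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def echo_vs_raw(text, algo="sha3_256"):
    """(raw, with LF, with CRLF) digests of the same text: three different values."""
    return (
        sha3_string(text, algo),
        sha3_string(text, algo, "\n"),
        sha3_string(text, algo, "\r\n"),
    )


if __name__ == "__main__":
    for label, digest in zip(("raw", "LF", "CRLF"), echo_vs_raw("CQ CQ CQ")):
        print(f"{label:5} {digest}")
```

The practical consequence is that a digest produced with the echo form only verifies against another echo form on the same platform, so a hash that is meant to be checked later should be computed over the exact bytes (sha3_bytes or sha3_file) and the line ending, if any, recorded alongside it.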

(And yes, I did riff on the title of Mark Baggett’s presentation next week – Tech Tuesday Workshop – O Hacker, Where Art Thou?: A Hands-On Python Workshop for Geolocating Attackers  https://www.sans.org/webcasts/hacker-art-thou-hands-on-python-workshop-geolocating-attackers-115340 )

===============
Rob VandenBrink
www.coherentsecurity.com
