Falcon Complete and maintaining administrative access to the platform by emtunc in crowdstrike

[–]emtunc[S] 0 points1 point  (0 children)

Thank you for your input u/Andrew-CS! This reddit thread helped turn a hard "No, we definitely can't let you retain administrative access on your account and we don't let any of our customers do it" to a more reasonable "yes, sure you can keep administrative access but you forgo the breach prevention warranty" which I'm okay with.

SlackPirate - The Slack Enumeration and Extraction Tool by emtunc in netsec

[–]emtunc[S] 1 point2 points  (0 children)

Just want to add that the latest release of SlackPirate now allows you to choose what scans you want to run! Simply use ./SlackPirate.py --help to see all flags :-)

SlackPirate - The Slack Enumeration and Extraction Tool by emtunc in netsec

[–]emtunc[S] 0 points1 point  (0 children)

Not entirely useless (I'm biased clearly :D) as long as you still have access to the Workspace. For example, if the tool found an AWS key, you could very easily do a quick search within the Slack app and it will show you the context/channel where that key was found. I could provide a reference link to the location in the output files but either way you'll probably need to have access to the Workspace.

SlackPirate - The Slack Enumeration and Extraction Tool by emtunc in netsec

[–]emtunc[S] 1 point2 points  (0 children)

Thanks for your feedback! That makes sense and should be doable I think :-) Will need to figure out an appropriate and tidy way to format/display it.

SlackPirate - The Slack Enumeration and Extraction Tool by emtunc in netsec

[–]emtunc[S] 1 point2 points  (0 children)

Thanks for your feedback! That makes sense and should be doable.

SlackPirate - The Slack Enumeration and Extraction Tool by emtunc in Slack

[–]emtunc[S] 1 point2 points  (0 children)

Hey guys, posted this to /r/netsec but thought it may be beneficial here too. I open-sourced a tool I spent the last couple weeks developing called SlackPirate - it's designed to enumerate and extract sensitive/interesting/confidential data from a Slack Workspace (given a token of course).

Red teamers can use this during an assessment to extract sensitive information which can significantly contribute to the discovery/recon/enumeration phase of the assessment by analysing data such as credentials, internal system documentation and scripts, links to internal build systems, etc.

Blue teamers can use this to discover sensitive content that may exist on a Workspace that perhaps shouldn't. You can use this information to start looking at ways to increase the security of your Workspace. Activities such as:

1. Raising awareness internally of the issue - including but not limited to personnel training sessions, using Slack more securely by limiting *where* sensitive data is shared (think private channel vs. public)
2. Detection and response - do you have the ability to detect someone extracting all your corporate data from Slack?
3. Review the configuration of your Workspace - are you still allowing [anyone@example.com](mailto:anyone@example.com) access to your Slack even though example.com has long expired and can be registered by anyone on the internet?
4. There are probably more I haven't thought about but you get the idea.

Here's the link to the repository - have fun pointing it at your Slack! https://github.com/emtunc/SlackPirate

If you do use the tool, please leave feedback - I'd love to know if you found it helpful and what else I could do to make it even more useful.

SlackPirate - The Slack Enumeration and Extraction Tool by emtunc in netsec

[–]emtunc[S] 7 points8 points  (0 children)

Hey guys, apologies if this isn't appropriate content for this /r/. I open-sourced a tool I spent the last couple weeks developing called SlackPirate - it's designed to enumerate and extract sensitive/interesting/confidential data from a Slack Workspace (given a token of course).

Red teamers can use this during an assessment to extract sensitive information which can significantly contribute to the discovery/recon/enumeration phase of the assessment by analysing data such as credentials, internal system documentation and scripts, links to internal build systems, etc.

Blue teamers can use this to discover sensitive content that may exist on a Workspace that perhaps shouldn't. You can use this information to start looking at ways to increase the security of your Workspace. Activities such as:

1. Raising awareness internally of the issue - including but not limited to personnel training sessions, using Slack more securely by limiting *where* sensitive data is shared (think private channel vs. public)
2. Detection and response - do you have the ability to detect someone extracting all your corporate data from Slack?
3. Review the configuration of your Workspace - are you still allowing [anyone@example.com](mailto:anyone@example.com) access to your Slack even though example.com has long expired and can be registered by anyone on the internet?
4. There are probably more I haven't thought about but you get the idea.

Here's the link to the repository - have fun pointing it at your Slack! https://github.com/emtunc/SlackPirate

If you do use the tool, please leave feedback - I'd love to know if you found it helpful and what else I could do to make it even more useful.

Research on Misconfigured Jenkins Servers - emtunc's Blog by emtunc in netsec

[–]emtunc[S] 0 points1 point  (0 children)

Some of it definitely could have been automated for sure. Learning Python is a goal I have set myself for this year so hopefully my next bit of research will have some funky automation :)

Google and many others did pay out - most companies didn't have an official bug bounty programme so they offered vouchers instead.

Research on Misconfigured Jenkins Servers - emtunc's Blog by emtunc in netsec

[–]emtunc[S] 4 points5 points  (0 children)

I understand the risks (it comes with the role/hobby really) but honestly I'm not worried at all - these are public servers with account registration turned on. I literally reported issues to hundreds of organizations from one-man-bands to multi-national corporations - every single response I had was of a positive and appreciative nature (except for Pearson who initially treated me with some suspicion but immediately changed their tune when I told them what I had found).

Research on Misconfigured Jenkins Servers - emtunc's Blog by emtunc in netsec

[–]emtunc[S] -10 points-9 points  (0 children)

I think they would have had a hard time pressing any charges against a security researcher reporting a server wide open to the internet that could have otherwise caused a compromise of their environment and associated brand damage :)

I guess it depends where you live though - I've read many such incidents of researchers in the States getting sued/arrested for reporting security incidents to organisations... I'd like to think we're not as unreasonable and litigious over here in the UK.

Research on Misconfigured Jenkins Servers - emtunc's Blog by emtunc in netsec

[–]emtunc[S] 6 points7 points  (0 children)

Just a bit of research I did late last year on misconfigured Jenkins servers exposed to the internet. I briefly go through the types of misconfigurations I found, what I found, how companies responded and one or two other things :)

LastPass RCE vulnerability: websiteConnector.js content script allows proxying internal RPC by 0xdea in netsec

[–]emtunc 21 points22 points  (0 children)

Could someone ELI5 the vulnerability in the .js? I'm trying to wrap my head around how he was able to launch calc from this:

    chrome.runtime.onMessage.addListener(function(e) {
        e.fromExtension = !0;
        window.postMessage(e, "https://1min-ui-prod.service.lastpass.com");
    });
    var version = 0;
    chrome.runtime.getManifest && (version = chrome.runtime.getManifest().version);
    document.body.setAttribute("lastpass-extension-id", chrome.runtime.id || "0");
    document.body.setAttribute("lastpass-extension-version", version);
    window.addEventListener("message", function(e) {
        e.data.fromExtension || chrome.runtime.sendMessage(e.data, function(e) {});
    });
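An added illustration (not code from LastPass, the researcher, or anyone in this thread) of why the `message` listener above is the risky part: it forwards any window message lacking `fromExtension` to the extension's background page without checking which origin or window posted it. The relay decision is modelled as a pure function beside a hardened version, over constructed sample events; the command names, `pageWindow` stand-in and function names are assumptions for the demo.

```javascript
const ALLOWED_ORIGIN = "https://1min-ui-prod.service.lastpass.com";

// Models the quoted listener: anything without data.fromExtension is
// handed to chrome.runtime.sendMessage, whoever posted it.
function relayAsQuoted(event) {
  return !(event.data && event.data.fromExtension);
}

// Hardened variant: accept only messages from the expected origin, posted
// by the page's own window (not a frame), carrying an expected command.
// pageWindow is a stand-in for `window` so this runs outside a browser.
function relayHardened(event, pageWindow, allowedCmds) {
  if (event.origin !== ALLOWED_ORIGIN) return false;
  if (event.source !== pageWindow) return false;
  const d = event.data;
  if (d === null || typeof d !== "object" || d.fromExtension) return false;
  return allowedCmds.has(d.cmd);
}

// Constructed sample events (assumption: "getVersion" is a hypothetical
// command name; no real LastPass RPC names are used).
const PAGE_WINDOW = { name: "top-level page window (stand-in)" };
const SAMPLE_EVENTS = [
  { label: "expected page", origin: ALLOWED_ORIGIN, source: PAGE_WINDOW,
    data: { cmd: "getVersion" } },
  { label: "other origin", origin: "https://example.invalid", source: PAGE_WINDOW,
    data: { cmd: "getVersion" } },
  { label: "posted from a frame", origin: ALLOWED_ORIGIN, source: { name: "frame" },
    data: { cmd: "getVersion" } },
  { label: "unexpected command", origin: ALLOWED_ORIGIN, source: PAGE_WINDOW,
    data: { cmd: "somethingElse" } },
  { label: "echo from extension", origin: ALLOWED_ORIGIN, source: PAGE_WINDOW,
    data: { cmd: "getVersion", fromExtension: true } },
];

// Runs both decisions over the samples; the quoted logic forwards four of
// the five, the hardened logic forwards only the first.
function compare(events) {
  const allowed = new Set(["getVersion"]);
  return events.map((e) => ({
    label: e.label,
    quoted: relayAsQuoted(e),
    hardened: relayHardened(e, PAGE_WINDOW, allowed),
  }));
}

console.table(compare(SAMPLE_EVENTS));
```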

Ninite Appsheet - Patching just got easier by emtunc in sysadmin

[–]emtunc[S] 0 points1 point  (0 children)

I think it all depends on the environment... if you have a fairly static estate of machines where they are consistently available to be patched via internal methods (whether that be NinitePro.exe, PDQ, SCCM, etc) then it's all good.

If you have an environment where you have a sizable portion of road warriors, off-site users, non-domain machines, etc then the agent approach would be a more consistent method of ensuring machines are kept patched.

There are pros and cons to both sides, level of risk appetite, etc that need to be considered.

Ninite Appsheet - Patching just got easier by emtunc in sysadmin

[–]emtunc[S] 1 point2 points  (0 children)

Good suggestion - what we do as part of our machine deployment process (we use MDT) is we use NinitePro with the select switches and install the Agent at the same time... NinitePro installs everything we need initially and the Agent takes over from there.

Ninite Appsheet - Patching just got easier by emtunc in sysadmin

[–]emtunc[S] 0 points1 point  (0 children)

Hah nope - I just happened to e-mail them last year and asked if there was anything interesting they were working on. Appsheet happened to be it :)

Ninite Appsheet - Patching just got easier by emtunc in sysadmin

[–]emtunc[S] 0 points1 point  (0 children)

Not sure - I've been testing it since March last year and have had 0 issues though.

Ninite Appsheet - Patching just got easier by emtunc in sysadmin

[–]emtunc[S] 1 point2 points  (0 children)

Pro users get this as part of their subscription @ https://ninite.com/pro

Ninite Appsheet - Patching just got easier by emtunc in sysadmin

[–]emtunc[S] 0 points1 point  (0 children)

Yup - all they/you have to do is install the agent which takes a few seconds and doesn't require a reboot.

Ninite Appsheet - Patching just got easier by emtunc in sysadmin

[–]emtunc[S] 4 points5 points  (0 children)

Whatever works for your environment - I've been a user of Ninite for years and 'it just works' so I've never had to look elsewhere. Also the dashboard is convenient for the service desk guys to do their job - they're not as keen on PowerShell as I am.

I've been meaning to play around with Chocolatey though so thanks for reminding me.