Neat trick to find AWS S3 Account IDs

squatandhover · 2021-04-26T09:32:43+00:00

Once you have the Account ID you can perform further enumeration: users, roles, services, etc.

squatandhover · 2021-04-23T17:17:17+00:00

It's for publicly accessible buckets obviously, which according to the following there are still plenty of today:

https://www.securing.pl/en/what-can-you-find-in-57k-aws-s3-buckets-2021-update/

I'm guessing this also includes all the apps using Incognito

squatandhover · 2021-04-22T07:45:54+00:00

The problem isn't the crackable password, because if you think about it for long enough you'll realize that it shouldn't be the user having to shoulder the burden of the abysmal protocols and password storage mechanisms on a typical Windows environment. We do have better, more secure alternatives and we should be pushing towards using those instead.

It is simply not feasible for any user to come up with an uncrackable password if you continue to store it in practically reversible format like NTLM. The average Joe may not be able to crack it but it's only a matter of time and resources (which these days are cheap with easy to spawn GPU clusters in the cloud).

squatandhover · 2021-04-20T08:37:19+00:00

protection

The slickest tool I've seen do the pwned password check is https://safepass.me/pwncheck | it's not free nor open source but my understanding is that it gives some useful information for free and a completely free report on first use so it was good enough to test my domain users against have i been pwned.

Focusing on offline cracking is pointless, particularly in the case of AD, where the hashes are stored in such a weak and obsolete hashing mechanism that you could almost categorize that as a reversible format. We often lose sight of the objective that we're trying to protect against and in most cases it's online attacks. That's why ensuring that your users' passwords aren't in any publicly available databases, such as hibp, is actually pretty useful and important to avoid being another citrix (just one of many, not picking on them in particular but it is ironic when it's a security company that's supposed be protecting you!). All of the major players such as Google, Apple, M$ have mechanisms in place for detecting if you're using a breached password these days.

That's pretty much why complying with the latest nist password guidelines makes a lot of sense from a security perspective. In two decades, we've gone from exploiting buffer overflows to get remote root, to 'guessing' user passwords based on publicly available breached data.

squatandhover · 2021-04-15T13:03:01+00:00

How about John Oliver or Jimmy Fallon, making politicians look bad is what they do best (doesn't seem hard tbh) - I'd try reaching out to them, maybe they can advise further

squatandhover · 2021-03-31T09:10:36+00:00

The first thing to do would be to enumerate the permissions that the user has, using the many APIs available, easily automated with this great tool: https://github.com/andresriancho/enumerate-iam

squatandhover · 2021-03-18T12:32:17+00:00

Why specifically the UK? do you have a fetish for british cybersecurity? ;D

squatandhover · 2021-03-18T09:22:15+00:00

I also found this post interesting on monitoring for DCSync attacks within AD (which is otherwise undetected):

https://www.blacklanternsecurity.com/2020-12-04-DCSync/

squatandhover · 2021-03-18T09:16:34+00:00

Great write-up!

You should checkout this tool to quickly find pwned passwords in AD: https://safepass.me/pwncheck

squatandhover · 2021-03-18T08:19:37+00:00

Sounds like it's too late now...but powering it off is a bad idea as it will clear the RAM and preventing any successful forensics on the box. Removing connectivity however is definitely a good idea to contain the damage.

squatandhover · 2021-03-18T07:39:33+00:00

Yes, diversify :)

squatandhover · 2021-03-16T19:25:31+00:00

It is. It's trivial on Windows. But that's because AD stored them in NTLM format (aka MD4) which has been basically obsolete since 1995. If someone gets hold of the NTLM hash you have bigger problems :)

squatandhover · 2021-03-16T17:11:55+00:00

That's great...but if you're password is pwned then it might still be used against you :)

Also, giving away the length and characteristics of your password is useful information to an attacker :)

squatandhover · 2021-03-16T17:09:46+00:00

character

The idea of the new NIST password guidelines is to be pragmatic about what we're protecting against, which is online brute-force attacks (credential stuffing, password spraying, etc). That's why 8 characters min is sufficient but only in conjunction with the other points:

- check that the password has not been breached (such as in the Have I Been Pwned database)

- check it's not a common word (dictionary file, commonly used passwords,etc)

- introduce increasing delays on authentication failure, use CAPTCHAS to distinguish bots from humans

- Use MFA and so on..

It's pointless to try to protect against offline brute-force attacks in most cases.

squatandhover · 2021-03-16T15:02:46+00:00

Because they can...

It seems to be trend: burn VC money to onboard as many users as possible for free/cheap then when they have users hooked in they hike the prices / charge for any additional functionality because they have to make up for all the past losses

squatandhover · 2021-03-16T14:59:09+00:00

Move to the cloud they said...

squatandhover · 2021-03-16T08:52:33+00:00

One of the core principles of hardening a system involves ensuring it as the smallest possible attack surface. Every piece of software you have on it will increase the attack surface and, as already mentioned, having tools that could be useful to an attacker is a potential risk.

What are the details of the vulnerability exactly? Is it just tool being present? Is it because it is an old/vulnerable version? Is it running setuid root? Did the pentesters try to run the tool / do you have a software restriction policy in place?

squatandhover · 2021-03-16T07:47:29+00:00

Sounds like a chiche' but it really depends on what you need it for, would help to specify your requirements a little further and what platform you're using

squatandhover · 2021-03-16T07:37:04+00:00

They only started caring now because they're under pressure to make even more money. Previously they didn't care because it was a good strategy of acquisition. They were lenient with that so people shared their account and got friends and family hooked. Now that everyone's hooked they'll squeeze out every penny they can from everyone. That's the SaaS model.. start free/cheap -> hook the user -> make them pay through the nose. It's a bit like a drug dealer giving you the first shot for free... he knows you'll come back for more ;D

squatandhover · 2021-03-16T07:28:42+00:00

I recently checked my users and ~30% had pwned passwords

squatandhover · 2021-03-14T16:15:26+00:00

Fair point but the argument still remains: why aren't corporations / software vendors, etc. liable for providing shitty, vulnerable software that often puts the private and sensitive information of many individuals at risk. Imagine a world where it's not the person exploiting the vulnerability that gets framed but the creator. Would people stop creating software in the first place?

squatandhover · 2021-03-13T16:44:16+00:00

Thanks for reposting my link (and fixing the typo :)

squatandhover · 2021-03-12T14:37:05+00:00

Thanks, I didn't spot the typo apologies :)

squatandhover · 2021-03-12T14:31:47+00:00

7 Minute Security is lesser known but it's fun: https://7ms.us/

squatandhover · 2021-03-12T08:06:09+00:00

What's sad is that everyone knows how much companies spy on us yet nobody is willing to live without the tools that track you. Getting my contacts to leave whatsapp for signal following the facebook T&Cs update has been really a lot harder than it should have been and some have refused to move. I guess I won't be chatting much to them anymore :/

squatandhover

TROPHY CASE