HSTS and Preloading

HSTS directs the browser to use HTTPS for certain domains (optionally including subdomains). This mitigates some MitM attacks by upgrading HTTP connections to HTTPS. HSTS Preloading: The native implementation of HSTS communicates the HSTS policy to the browser via the HTTP response header "Strict-Transport-Security: max-age=31536000; includeSubDomains". HSTS requires a user to visit a website once before the HSTS protection is cached. But what if HTTP is used on the first visit, or a user clears their cache frequently? An attacker can still redirect the user to a malicious site by altering the response. ...

24 June, 2022 · 2 min · 272 words · JD

Elastiflow

Elastiflow is a high-performance flow collector that provides unparalleled network observability. The community edition is free, so it’s perfect for homelabbers. Why use Elastiflow? Note: This guide is not recommended for production use. It is a POC for home lab use. Setting up Elastiflow: Visit this link to obtain a Basic Free License. Follow these steps to install Elastiflow. Don’t follow the steps under Running the Collector to start Elastiflow yet. ...

29 May, 2022 · 2 min · 361 words · JD

WPAD Security Considerations

What is WPAD? WPAD stands for Windows Proxy Auto-Discovery. It is a protocol to obtain the URL for a PAC file. WPAD uses the following methods, in order, to discover the PAC file URL: DHCP, DNS, WINS, LLMNR, NetBIOS, Hosts, Lmhosts. The PAC file tells the host where to direct network traffic. This is usually used to force traffic through a web proxy. Why is it insecure? When DHCP or DNS is misconfigured or not configured, an attacker can provide the client with a PAC file that directs traffic to a compromised server. ...

20 March, 2022 · 1 min · 203 words · JD

Remote Credential Guard

Summary: Remote Credential Guard (RCG) protects admin credentials by ensuring they are not passed over the network to a target device. RCG is particularly useful for administrators who need to remotely access and manage servers and other critical systems. By ensuring that credentials are not exposed during these remote sessions, it significantly reduces the risk of credential theft and lateral movement in the network. Details: Clients with RCG enabled do not send primary credentials to the target machine. This mitigates the risk of stolen credentials if the target is compromised. ...

19 March, 2022 · 3 min · 505 words · JD

SentinelQueriesKQL

Identity Queries. Detect Users in an OU not in an Azure AD Group: Let’s say you need to find out which AD users are in an OU but not in an Azure AD group. You can use the following query to find the users in the OU but not in the group:
IdentityInfo | where OnPremisesDistinguishedName endswith_cs "OU=COMPANY,OU=STORES,OU=CONTOSO,DC=LOCAL" | where GroupMembership !contains "Company Store Users"
Detect Users using Office Resources on Personal Devices: Identify users logging in from non-company devices. Define a company device as Azure AD joined or Hybrid AD joined. ...

15 March, 2022 · 2 min · 401 words · JD

Stormspotter

Introduction: Stormspotter is an Azure Red Team tool to graph Azure and Azure AD objects. By mapping out relationships between objects, Stormspotter visualises attack paths between Azure objects. Stormspotter currently only supports Neo4j 3.x.x; I recommend setting image: neo4j:3.5.18 in your docker-compose.yml. Requirements: Docker, Docker Compose, Python 3.8.X, Az PowerShell. Installation: Install via Docker to avoid manual installation of dependencies. The docker-compose file creates three containers: Frontend, Backend, Neo4j.
git clone https://github.com/Azure/Stormspotter
cd Stormspotter
docker-compose up -d
The Stormspotter Frontend will expose a WebUI on port 9091. ...

25 January, 2022 · 1 min · 162 words · JD

AD Password Audit

Problem Statement: Accounts with bad passwords, especially accounts with privileged access, are the Achilles heel of an organisation’s security. Traditionally, IT has tried to impose “strong password policies” such as “Choose a password with an uppercase letter, a number, a symbol and more than 10 characters”. However, a password like “Summer2020!” satisfies ALL those requirements despite being an immeasurably weak password. So, what can we as IT professionals do to reduce bad passwords and mitigate their impact? ...

21 January, 2022 · 3 min · 568 words · JD

Creating a Honeypot with T-Pot

Summary: Tpotce is an all-in-one honeypot platform with a collection of honeypots and tools for monitoring them. Requirements: 8GB RAM, 128GB disk space, unfiltered Internet access, an isolated subnet, promiscuous mode enabled (for fatt, suricata and p0f to work properly), and a port forward or NAT to the honeypot. Installation: Setup is simple, as the ISO is prebuilt. Download the latest ISO from Tpotce releases, mount the ISO to a VM and run through the installer. Select “Standard” as an install option. The install should take around 30 minutes. Network Configuration, Isolated Subnet: To prevent attackers from accessing your internal network via the honeypot, you need to create an isolated subnet. ...

16 January, 2022 · 3 min · 470 words · JD

Hugo

Update: I’ve since switched to the PaperMod Theme. I’m sick of maintaining Wordpress. I’ve finally decided to switch to a static site using Hugo. Hugo Setup, Install Hugo: I’m using the PaperMod Hugo theme. This requires Hugo Extended. Installation via Chocolatey:
choco install hugo-extended
Create a new site: Hugo will create a new site named <my-site>:
hugo new site <my-site>
Install a theme: I like the simplicity and aesthetics of the PaperMod theme. Create a git repository and make the CodeIT repo a submodule of the site directory. ...

27 December, 2021 · 2 min · 276 words · JD

Dns Capture

Sometimes you need to do a packet capture on a Windows machine without installing anything. This is a guide on how to use the inbuilt Windows utility, netsh trace, to capture IPv4 packets. For just capturing DNS packets, capturing only UDP packets should cover most DNS traffic.
# Run this command in an elevated command prompt
netsh trace start maxSize=500 capture=yes Ethernet.Type=IPv4 Protocol=UDP report=disabled
# When you want to stop the packet capture, run
netsh trace stop
For capturing all types of packets, leave out the Protocol type: ...

2 August, 2020 · 1 min · 155 words · JD