Cyberis Blog

Reassuringly clear thinking.

  • Cloud risk management
  • Cyber Essentials
  • Penetration testing
  • Remote working
  • Tools and techniques

Defining controls by expectation may result in exploitation

One of the significant factors influencing SMEs when selecting security controls is not pragmatic risk management and risk treatment, or even common industry frameworks, as you might imagine - but the security controls expected by customers. Supply-chain security management through due-diligence activities is often a reasonable basis for this approach, but a one-size-fits-all approach can lead to weaker security models.

Read more
  • Penetration testing
  • Tools and techniques

XSS is more than just <script>

Recently, we were examining an application that was protected by Cloudflare. We found a code injection point in a search field parameter where it was possible to introduce data of our choosing, which looked like a good candidate for reflected cross-site scripting. With the protection afforded by the control layers in place, however, demonstrating a credible proof-of-concept meant using alternative methods.

Read more
  • Penetration testing
  • Tools and techniques

Sticky Keys - classic EUD device privilege escalation

Sticky Keys is an accessibility feature within Windows that assists users who have physical disabilities. Instead of having to press multiple keys at once, you can use one key by turning on Sticky Keys and adjusting the settings. However, the feature can be manipulated to elevate your local privileges. This technique is not new and has been around since the days of Windows XP, but it is still relevant if you have physical access to a device.

Read more
  • Cloud risk management
  • Research
  • Tools and techniques

Intune hacking: when is a "wipe" not a wipe

In this blog post we explore privilege escalation to SYSTEM with Intune managed devices, and how an Intune "Wipe" is not really a wipe at all.

Read more
  • Tools and techniques

Nessus Scanning With SSH Proxies

Unfortunately, Nessus does not support SSH proxying. This is a problem when scanning remote hosts behind a bastion box, especially when it is not possible to bind or connect to a new port on the bastion box due to firewall rules. Binding a port to localhost and pointing Nessus at 127.0.0.1 is also not an option, as Nessus handles scanning localhost differently and will report issues with the scanning box itself. In a pinch it is possible to hack around this problem by tricking the Nessus scanner into thinking it's scanning the remote host when it is in fact connecting via a port bound to localhost. iptables to the rescue...

Read more
  • Penetration testing
  • Tools and techniques

Online Password Auditing Of A Domain Controller

Password auditing of a domain traditionally involves obtaining a copy of the ntds.dit and performing offline analysis, which can be time consuming. The DSInternals PowerShell module has an Active Directory password auditing cmdlet which checks for default, duplicate, empty and weak passwords. The audit can be performed against a domain online via DCSync, saving the need to obtain a copy of the ntds.dit. This can be of benefit if regular password audits are being performed.

Read more
  • Penetration testing
  • Tools and techniques

User Enumeration - Timing Discrepancies

I find myself writing this blog today as there are only a few references on the internet to user enumeration attacks via timing discrepancies, despite almost every site I've tested in my career being vulnerable to the weakness. The issue is fairly obvious from the title: an application log-in response takes a different amount of time depending on whether or not the user is valid. But why?

Read more
  • Red teaming
  • Tools and techniques

Attacking Big Business

Reputational filtering typically blocks websites known to be malicious, performs antivirus scanning of all traffic, and, crucially for us with respect to performing a simulated attack, warns end-users when visiting "non-categorised" sites. Any URLs and domains used as part of an attack now require user interaction in a web browser. This effectively rules out using newly stood-up infrastructure at both the delivery and exfiltration stages of an attack, as these activities are performed without the victim's knowledge. The only options left to the attacker would be to "build" reputation over time, or alternatively, cheat the system.

Read more
