Forwarded from Exploiting Crew (Pr1vAt3)
๐ฆraditional Blue Team Techniques on Steroid with LLM Honeypots ๐ก
Honeypots are not new. Still, you can re-innovate how it works with the technology - this time with LLM. Honeypots can be a critical tool for detecting and analyzing malicious activity. But what if we could take them to the next level? Enter LLM Honeypotsโa groundbreaking approach leveraging the power of LLMs to create advanced, interactive traps for attackers.
๐ What sets LLM Honeypots apart?
Traditional honeypots often rely on static or semi-dynamic environments. In contrast, LLMs introduce context-aware, adaptive interactions, enabling a honeypot to mimic real systems and user behaviors more convincingly. Imagine an attacker interacting with a "system" that not only responds but learns and adapts in real time.
๐ก Key Innovations:
1๏ธโฃ Dynamic Interaction: LLMs can simulate realistic system responses, mimicking human-like behavior.
2๏ธโฃ Data Harvesting: They help collect rich telemetry, offering insights into attacker methodologies.
3๏ธโฃ Deception at Scale: LLMs enhance deception, making it harder for adversaries to distinguish honeypots from legitimate systems.
๐ Why It Matters: This approach can provide security teams with a treasure trove of intelligence, from understanding new attack vectors to proactively defending against them. Itโs a leap forward in using AI to protect and outsmart attackers.
๐ง Future Implications: Integrating LLMs into honeypot systems could redefine cybersecurity strategies as AI evolves. From training SOC teams to crafting defense mechanisms, the possibilities are endless.
The use of LLM Honeypots to interact with attackers and gather insights. Here's a potential flow:
1๏ธโฃ Attacker Interaction: The attacker interacts with the system, believing it legit.
2๏ธโฃ Honeypot Interaction: The interaction is routed to a honeypot, a system designed to mimic real environments while capturing malicious behaviors.
3๏ธโฃ Data Collection & Analysis: The honeypot collects telemetry, including input patterns and attacker strategies. Then, the data is processed and analyzed.
4๏ธโฃ Model Integration: The analyzed data is leveraged to enhance machine learning models or decision systems, potentially an LLM.
5๏ธโฃ Feedback: The refined model can improve its security posture & response.
Ref: Elli Shlomo
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Honeypots are not new. Still, you can re-innovate how it works with the technology - this time with LLM. Honeypots can be a critical tool for detecting and analyzing malicious activity. But what if we could take them to the next level? Enter LLM Honeypotsโa groundbreaking approach leveraging the power of LLMs to create advanced, interactive traps for attackers.
๐ What sets LLM Honeypots apart?
Traditional honeypots often rely on static or semi-dynamic environments. In contrast, LLMs introduce context-aware, adaptive interactions, enabling a honeypot to mimic real systems and user behaviors more convincingly. Imagine an attacker interacting with a "system" that not only responds but learns and adapts in real time.
๐ก Key Innovations:
1๏ธโฃ Dynamic Interaction: LLMs can simulate realistic system responses, mimicking human-like behavior.
2๏ธโฃ Data Harvesting: They help collect rich telemetry, offering insights into attacker methodologies.
3๏ธโฃ Deception at Scale: LLMs enhance deception, making it harder for adversaries to distinguish honeypots from legitimate systems.
๐ Why It Matters: This approach can provide security teams with a treasure trove of intelligence, from understanding new attack vectors to proactively defending against them. Itโs a leap forward in using AI to protect and outsmart attackers.
๐ง Future Implications: Integrating LLMs into honeypot systems could redefine cybersecurity strategies as AI evolves. From training SOC teams to crafting defense mechanisms, the possibilities are endless.
The use of LLM Honeypots to interact with attackers and gather insights. Here's a potential flow:
1๏ธโฃ Attacker Interaction: The attacker interacts with the system, believing it legit.
2๏ธโฃ Honeypot Interaction: The interaction is routed to a honeypot, a system designed to mimic real environments while capturing malicious behaviors.
3๏ธโฃ Data Collection & Analysis: The honeypot collects telemetry, including input patterns and attacker strategies. Then, the data is processed and analyzed.
4๏ธโฃ Model Integration: The analyzed data is leveraged to enhance machine learning models or decision systems, potentially an LLM.
5๏ธโฃ Feedback: The refined model can improve its security posture & response.
Ref: Elli Shlomo
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Forwarded from Exploiting Crew (Pr1vAt3)
This media is not supported in your browser
VIEW IN TELEGRAM
Forwarded from Exploiting Crew (Pr1vAt3)
๐ฆ Ever wondered how VPN tunneling works? ๐
This infographic breaks down the process, step by step, showing how data remains secure and private during transit. A VPN tunnel encrypts your data, ensuring that even if intercepted, it stays protected from unauthorized access. ๐
๐ Here are some key points:
โ A VPN creates a secure pathway between your device and a server.
โ Encryption protocols like OpenVPN, IPsec, and WireGuard safeguard your data.
โ The process ensures privacy while you browse, stream, or work online.
๐ How Does VPN Tunneling Work? ๐
Letโs dive into the step-by-step process of how a VPN ensures secure and private communication over the internet:
1๏ธโฃ User Initiates a Request:
The process begins when a user takes an action, such as browsing a website or accessing an app. This request originates from their device.
2๏ธโฃ Request Encryption:
The VPN software installed on the userโs device encrypts the request using a secure encryption protocol (like OpenVPN, IPsec, or WireGuard). This ensures the data is unreadable to anyone intercepting it.
3๏ธโฃ Data Travels Through the VPN Tunnel:
The encrypted data is then transmitted securely over the internet through the VPN tunnel, safeguarding it from threats during transit.
4๏ธโฃ Server Decrypts the Data:
The VPN server decrypts the incoming data and forwards the userโs request to the target destination (e.g., a web server).
5๏ธโฃ Web Server Processes the Request:
The web server receives the request, processes it, and prepares a response (e.g., delivering a webpage or data).
6๏ธโฃ Response Encryption & Delivery:
The VPN server encrypts the response from the web server and sends it back through the secure VPN tunnel. The userโs VPN client decrypts the data, displaying the secure and private result on their device.
๐ By following these steps, VPNs ensure data privacy, integrity, and security throughout the communication process.
Ref: Fadi Kazdar
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
This infographic breaks down the process, step by step, showing how data remains secure and private during transit. A VPN tunnel encrypts your data, ensuring that even if intercepted, it stays protected from unauthorized access. ๐
๐ Here are some key points:
โ A VPN creates a secure pathway between your device and a server.
โ Encryption protocols like OpenVPN, IPsec, and WireGuard safeguard your data.
โ The process ensures privacy while you browse, stream, or work online.
๐ How Does VPN Tunneling Work? ๐
Letโs dive into the step-by-step process of how a VPN ensures secure and private communication over the internet:
1๏ธโฃ User Initiates a Request:
The process begins when a user takes an action, such as browsing a website or accessing an app. This request originates from their device.
2๏ธโฃ Request Encryption:
The VPN software installed on the userโs device encrypts the request using a secure encryption protocol (like OpenVPN, IPsec, or WireGuard). This ensures the data is unreadable to anyone intercepting it.
3๏ธโฃ Data Travels Through the VPN Tunnel:
The encrypted data is then transmitted securely over the internet through the VPN tunnel, safeguarding it from threats during transit.
4๏ธโฃ Server Decrypts the Data:
The VPN server decrypts the incoming data and forwards the userโs request to the target destination (e.g., a web server).
5๏ธโฃ Web Server Processes the Request:
The web server receives the request, processes it, and prepares a response (e.g., delivering a webpage or data).
6๏ธโฃ Response Encryption & Delivery:
The VPN server encrypts the response from the web server and sends it back through the secure VPN tunnel. The userโs VPN client decrypts the data, displaying the secure and private result on their device.
๐ By following these steps, VPNs ensure data privacy, integrity, and security throughout the communication process.
Ref: Fadi Kazdar
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Forwarded from Exploiting Crew (Pr1vAt3)
๐ฆ The potential of the LLM landscape
Have you ever wondered about the threats lurking beneath the surface? This high-level threat-mapping table exposes how LLM features intersect with risks, and the findings are eye-opening.
This table can be one of your LLM Risk guidance. From LLM-based
Controller to Tool Invocation, what are the potential threats? And which one affects you?
Ref: Elli Shlomo (IR)Elli Shlomo (IR)
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Have you ever wondered about the threats lurking beneath the surface? This high-level threat-mapping table exposes how LLM features intersect with risks, and the findings are eye-opening.
This table can be one of your LLM Risk guidance. From LLM-based
Controller to Tool Invocation, what are the potential threats? And which one affects you?
Ref: Elli Shlomo (IR)Elli Shlomo (IR)
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Forwarded from Exploiting Crew (Pr1vAt3)
๐ฆFree AI Ethical Hacking :
> Get: https://github.com/berylliumsec/nebula
> Tutorial: https://www.youtube.com/watch?v=188QnOcXEAI
> Get: https://github.com/berylliumsec/nebula
> Tutorial: https://www.youtube.com/watch?v=188QnOcXEAI
Forwarded from UNDERCODE PRIVATE
This media is not supported in your browser
VIEW IN TELEGRAM
Forwarded from Exploiting Crew (Pr1vAt3)
AI-SOC. Security Copilot & Tier 3.
In the realm of SOCs, Tier 3 analysts are the vanguard against sophisticated cyber threats, engaging in advanced threat hunting, in-depth incident analysis, and developing strategic defense mechanisms. Security Copilot enhances these critical functions by providing AI-driven insights and automation, thereby amplifying the capabilities of Tier 3 SOC operations.
While most organizations provide the Security Copilot as a "prompt tool" for all the various security teams, the idea is totally something else. The benefits from it will be to prepare it with features such as Prompt Book, Automation, etc.
I'm working with Security Copilot to complete the Radiant Security AI part and provide a complete AI-SOC flow for all tier levels.
Below are some of the benefits of Security Copilot:
1๏ธโฃ Advanced Threat Hunting: Security Copilot proactively empowers Tier 3 analysts to identify and neutralize emerging threats. Analysts can unearth hidden threats and understand complex attack vectors more effectively by leveraging AI-generated queries and comprehensive threat intelligence.
2๏ธโฃ In-Depth Incident Analysis: For incidents, Security Copilot offers detailed summaries, including attack timelines, affected assets, and indicators of compromise. This contextual information enables Tier 3 analysts to dissect incidents thoroughly, understand attacker methodologies, and devise robust mitigation strategies.
3๏ธโฃ Script and File Analysis: Security Copilot simplifies the analysis of suspicious scripts and executables by translating code into natural language explanations. This feature allows Tier 3 analysts to quickly comprehend malicious code behavior and identify associated tactics, techniques, and procedures, streamlining the reverse-engineering process.
4๏ธโฃ Config drift analysis: Security Copilot identifies deviations in Conditional Access policies or cloud security misconfig that attackers could exploit.
5๏ธโฃ Behavioral anomaly detection: Detects and flags unusual access behaviors tied to privileged identities, enabling swift adjustments to access controls.
Security Copilot doesnโt just assist Tier 3โit elevates them:
> Reduced time-to-detect through automated alert correlation.
> Enhanced contextual awareness with AI-driven insights that unify identity, endpoint, and cloud signals.
> Precision actions are driven by deep integration with security tools.
๐ก AI isnโt replacing analystsโitโs augmenting their expertise.
Ref: Elli Shlomo
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
In the realm of SOCs, Tier 3 analysts are the vanguard against sophisticated cyber threats, engaging in advanced threat hunting, in-depth incident analysis, and developing strategic defense mechanisms. Security Copilot enhances these critical functions by providing AI-driven insights and automation, thereby amplifying the capabilities of Tier 3 SOC operations.
While most organizations provide the Security Copilot as a "prompt tool" for all the various security teams, the idea is totally something else. The benefits from it will be to prepare it with features such as Prompt Book, Automation, etc.
I'm working with Security Copilot to complete the Radiant Security AI part and provide a complete AI-SOC flow for all tier levels.
Below are some of the benefits of Security Copilot:
1๏ธโฃ Advanced Threat Hunting: Security Copilot proactively empowers Tier 3 analysts to identify and neutralize emerging threats. Analysts can unearth hidden threats and understand complex attack vectors more effectively by leveraging AI-generated queries and comprehensive threat intelligence.
2๏ธโฃ In-Depth Incident Analysis: For incidents, Security Copilot offers detailed summaries, including attack timelines, affected assets, and indicators of compromise. This contextual information enables Tier 3 analysts to dissect incidents thoroughly, understand attacker methodologies, and devise robust mitigation strategies.
3๏ธโฃ Script and File Analysis: Security Copilot simplifies the analysis of suspicious scripts and executables by translating code into natural language explanations. This feature allows Tier 3 analysts to quickly comprehend malicious code behavior and identify associated tactics, techniques, and procedures, streamlining the reverse-engineering process.
4๏ธโฃ Config drift analysis: Security Copilot identifies deviations in Conditional Access policies or cloud security misconfig that attackers could exploit.
5๏ธโฃ Behavioral anomaly detection: Detects and flags unusual access behaviors tied to privileged identities, enabling swift adjustments to access controls.
Security Copilot doesnโt just assist Tier 3โit elevates them:
> Reduced time-to-detect through automated alert correlation.
> Enhanced contextual awareness with AI-driven insights that unify identity, endpoint, and cloud signals.
> Precision actions are driven by deep integration with security tools.
๐ก AI isnโt replacing analystsโitโs augmenting their expertise.
Ref: Elli Shlomo
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Forwarded from Exploiting Crew (Pr1vAt3)
๐ฆ Enhancing SOC Capabilities Through Heatmaps and Tools
In todayโs evolving threat landscape, prioritizing prevention and detection capabilities in your Security Operations Center (SOC) is critical.
๐ Tools and frameworks like MaGMA, DETT&CT, DEFEND and RE&CT not only provide structure but also enable organizations to align their detection strategies with frameworks like MITRE ATT&CK. By leveraging these, SOC teams can prioritize detection development through a combination of heatmaps, threat modeling, and targeted use-case frameworks, ensuring a systematic and risk-driven approach to addressing critical gaps.
The approach should focus on a structured methodology:
1๏ธโฃ Threat Insights: Understanding the techniques and tactics adversaries employ.
2๏ธโฃ Control Insights: Evaluating existing security controls and aligning them with detection priorities.
3๏ธโฃ Data Sources: Identifying visibility gaps in data collection.
4๏ธโฃ Detection Capabilities: Analyzing current rule sets and detection effectiveness.
By comparing target detection (what you need) with current detection (what you have), the framework uses heatmaps to visually represent gaps, helping to focus resources on the most impactful areas.
๐ก Key Takeaways:
โข You donโt need to do everything all at once. Start by enhancing current capabilities and gradually refine your profile to align with your organizationโs unique risks.
โข Each incremental step adds more detail, making your defenses more risk-driven, cost-effective, and tailored to your needs.
This method empowers SOC teams to adopt a proactive, scalable approach to security operations. Check out the visuals below to understand how insights and tools combine to bridge detection gaps.
Ref: Ryan N.Ryan N.
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
In todayโs evolving threat landscape, prioritizing prevention and detection capabilities in your Security Operations Center (SOC) is critical.
๐ Tools and frameworks like MaGMA, DETT&CT, DEFEND and RE&CT not only provide structure but also enable organizations to align their detection strategies with frameworks like MITRE ATT&CK. By leveraging these, SOC teams can prioritize detection development through a combination of heatmaps, threat modeling, and targeted use-case frameworks, ensuring a systematic and risk-driven approach to addressing critical gaps.
The approach should focus on a structured methodology:
1๏ธโฃ Threat Insights: Understanding the techniques and tactics adversaries employ.
2๏ธโฃ Control Insights: Evaluating existing security controls and aligning them with detection priorities.
3๏ธโฃ Data Sources: Identifying visibility gaps in data collection.
4๏ธโฃ Detection Capabilities: Analyzing current rule sets and detection effectiveness.
By comparing target detection (what you need) with current detection (what you have), the framework uses heatmaps to visually represent gaps, helping to focus resources on the most impactful areas.
๐ก Key Takeaways:
โข You donโt need to do everything all at once. Start by enhancing current capabilities and gradually refine your profile to align with your organizationโs unique risks.
โข Each incremental step adds more detail, making your defenses more risk-driven, cost-effective, and tailored to your needs.
This method empowers SOC teams to adopt a proactive, scalable approach to security operations. Check out the visuals below to understand how insights and tools combine to bridge detection gaps.
Ref: Ryan N.Ryan N.
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Forwarded from Exploiting Crew (Pr1vAt3)
๐ฆNew Free Practice๐ก๏ธ CEHv12, โ๏ธ CCSP, and ๐ SSCP ๐ฅ
Ready to elevate your certification prep? These fully simulated and timed practice exams will help strengthen your skills and boost your confidence under real exam conditions! ๐ฏ
๐ก๏ธ Certified Ethical Hacker (CEHv12)
With 1,000+ unique questions across 8 practice exams, this set will challenge you and ensure youโre ready for the CEHv12.
โข CEHv12 Practice Exam 1: https://lnkd.in/dVeQUwiw
โข CEHv12 Practice Exam 2: https://lnkd.in/d5ShM5AZ
โข CEHv12 Practice Exam 3: https://lnkd.in/da8nkDn5
โข CEHv12 Practice Exam 4: https://lnkd.in/dbPbn4x8
โข CEHv12 Practice Exam 5: https://lnkd.in/ddsQ6DnM
โข CEHv12 Practice Exam 6: https://lnkd.in/dVHf_TjH
โข CEHv12 Practice Exam 7: https://lnkd.in/dST4u_MX
โข CEHv12 Practice Exam 8: https://lnkd.in/d9Nue9QP
โ๏ธ Certified Cloud Security Professional (CCSP)
Challenge yourself with 1,000+ exam-level questions. Complete these, and youโll be fully prepared for the CCSP exam!
โข ISC2 CCSP Practice Exam 1: https://lnkd.in/dekjyfPa
โข ISC2 CCSP Practice Exam 2: https://lnkd.in/dy5bp8FP
โข ISC2 CCSP Practice Exam 3: https://lnkd.in/d_3txHnb
โข ISC2 CCSP Practice Exam 4: https://lnkd.in/dRbCYydv
โข ISC2 CCSP Practice Exam 5: https://lnkd.in/ddXJZMfZ
โข ISC2 CCSP Practice Exam 6: https://lnkd.in/ddv4aJ6M
โข ISC2 CCSP Practice Exam 7: https://lnkd.in/dJ_4KcuJ
โข ISC2 CCSP Practice Exam 8: https://lnkd.in/dAv2x-Ef
๐ Systems Security Certified Practitioner (SSCP)
Test your knowledge and strengthen your understanding of all SSCP domains with these practice exams.
โข SSCP Practice Exam 1: https://lnkd.in/dUKdvsxD
โข SSCP Practice Exam 2: https://lnkd.in/dvXAzPtH
โข SSCP Practice Exam 3: https://lnkd.in/deJQCyzA
โข SSCP Practice Exam 4: https://lnkd.in/dGcumayJ
โข SSCP Practice Exam 5: https://lnkd.in/ddfSty77
โข SSCP Practice Exam 6: https://lnkd.in/dqeDi6jJ
โข SSCP Practice Exam 7: https://lnkd.in/drWV3DHg
โข SSCP Practice Exam 8: https://lnkd.in/diCvQMUS
Additional Practice Exams You Might Be Interested In:
โข Security+ SY0-701: https://lnkd.in/dc7NTdvd
โข CISSP: https://lnkd.in/dK4YNCM2
โข ISC2 CC: https://certpreps.com/CC
โข CISM: https://lnkd.in/d9x3_Djr
โข CISA: https://lnkd.in/d-8BccxW
โข AWS CLF-C02: https://lnkd.in/dHd_Nxgi
โข Azure Fundamentals (AZ-900): https://lnkd.in/d4Zm9r-N
โข CYSA+: https://lnkd.in/dfcGKsPt
โข CCNA: https://certpreps.com/ccna
โข A+: https://lnkd.in/dWDV5prF
Ref: Mohamad Hamadi
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Ready to elevate your certification prep? These fully simulated and timed practice exams will help strengthen your skills and boost your confidence under real exam conditions! ๐ฏ
๐ก๏ธ Certified Ethical Hacker (CEHv12)
With 1,000+ unique questions across 8 practice exams, this set will challenge you and ensure youโre ready for the CEHv12.
โข CEHv12 Practice Exam 1: https://lnkd.in/dVeQUwiw
โข CEHv12 Practice Exam 2: https://lnkd.in/d5ShM5AZ
โข CEHv12 Practice Exam 3: https://lnkd.in/da8nkDn5
โข CEHv12 Practice Exam 4: https://lnkd.in/dbPbn4x8
โข CEHv12 Practice Exam 5: https://lnkd.in/ddsQ6DnM
โข CEHv12 Practice Exam 6: https://lnkd.in/dVHf_TjH
โข CEHv12 Practice Exam 7: https://lnkd.in/dST4u_MX
โข CEHv12 Practice Exam 8: https://lnkd.in/d9Nue9QP
โ๏ธ Certified Cloud Security Professional (CCSP)
Challenge yourself with 1,000+ exam-level questions. Complete these, and youโll be fully prepared for the CCSP exam!
โข ISC2 CCSP Practice Exam 1: https://lnkd.in/dekjyfPa
โข ISC2 CCSP Practice Exam 2: https://lnkd.in/dy5bp8FP
โข ISC2 CCSP Practice Exam 3: https://lnkd.in/d_3txHnb
โข ISC2 CCSP Practice Exam 4: https://lnkd.in/dRbCYydv
โข ISC2 CCSP Practice Exam 5: https://lnkd.in/ddXJZMfZ
โข ISC2 CCSP Practice Exam 6: https://lnkd.in/ddv4aJ6M
โข ISC2 CCSP Practice Exam 7: https://lnkd.in/dJ_4KcuJ
โข ISC2 CCSP Practice Exam 8: https://lnkd.in/dAv2x-Ef
๐ Systems Security Certified Practitioner (SSCP)
Test your knowledge and strengthen your understanding of all SSCP domains with these practice exams.
โข SSCP Practice Exam 1: https://lnkd.in/dUKdvsxD
โข SSCP Practice Exam 2: https://lnkd.in/dvXAzPtH
โข SSCP Practice Exam 3: https://lnkd.in/deJQCyzA
โข SSCP Practice Exam 4: https://lnkd.in/dGcumayJ
โข SSCP Practice Exam 5: https://lnkd.in/ddfSty77
โข SSCP Practice Exam 6: https://lnkd.in/dqeDi6jJ
โข SSCP Practice Exam 7: https://lnkd.in/drWV3DHg
โข SSCP Practice Exam 8: https://lnkd.in/diCvQMUS
Additional Practice Exams You Might Be Interested In:
โข Security+ SY0-701: https://lnkd.in/dc7NTdvd
โข CISSP: https://lnkd.in/dK4YNCM2
โข ISC2 CC: https://certpreps.com/CC
โข CISM: https://lnkd.in/d9x3_Djr
โข CISA: https://lnkd.in/d-8BccxW
โข AWS CLF-C02: https://lnkd.in/dHd_Nxgi
โข Azure Fundamentals (AZ-900): https://lnkd.in/d4Zm9r-N
โข CYSA+: https://lnkd.in/dfcGKsPt
โข CCNA: https://certpreps.com/ccna
โข A+: https://lnkd.in/dWDV5prF
Ref: Mohamad Hamadi
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
lnkd.in
LinkedIn
This link will take you to a page thatโs not on LinkedIn
Forwarded from Exploiting Crew (Pr1vAt3)
๐ฆ๐๐๐ง๐ญ๐๐ฌ๐ญ๐ข๐ง๐ ๐๐๐-๐๐๐ ๐๐ฉ๐ฉ๐ฌ ๐
Recently I had the "honor" to pentest an app using GWT-RPC requests
GWT-RPC stands for Google Web Toolkit Remote Procedure Calls
You can think about it as an alternative to JSON, XML and forms data
So if you see something like the image below, you are dealing with GWT-RPC
----
H๐จ๐ฐ ๐๐จ ๐ฐ๐ ๐ฉ๐๐ง๐ญ๐๐ฌ๐ญ ๐ข๐ญ?
1. ๐๐ข๐๐๐๐ง ๐ ๐ฎ๐ง๐๐ญ๐ข๐จ๐ง๐ฌ -> using the GWTMap tool, enumerate all functions available in the obfuscated {hex} . cache . js file. If you have new functions, use the --rpc flag and send direct commands to them as there's a high chance that they are not protected
2. ๐๐ซ๐จ๐ค๐๐ง ๐๐๐๐๐ฌ๐ฌ ๐๐จ๐ง๐ญ๐ซ๐จ๐ฅ -> chances are developers would assume the protocol is too complicated and hard to read (i.e: it uses some obfuscation). Using two different accounts, replay the requests generated by the app using both session cookies. If it works -> Broken Access Control
3. ๐๐ง๐ฃ๐๐๐ญ๐ข๐จ๐ง -> all values that look like user controlled data in the String Table and Payload sections can (and should) be fuzzed for common injections attacks, including SQLi, command injection, SSRF, SSTI, etc. but avoid changing the indexes as this might generate an invalid GWT-RCP format
4. ๐๐๐ซ๐ข๐๐ฅ๐ข๐ณ๐๐ญ๐ข๐จ๐ง - the String Table + Payloads are used together to define and serialize the data provided through the request. Insecure deserialization attacks are an attack vector worth considering
Ref: Andrei Agape
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Recently I had the "honor" to pentest an app using GWT-RPC requests
GWT-RPC stands for Google Web Toolkit Remote Procedure Calls
You can think about it as an alternative to JSON, XML and forms data
So if you see something like the image below, you are dealing with GWT-RPC
----
H๐จ๐ฐ ๐๐จ ๐ฐ๐ ๐ฉ๐๐ง๐ญ๐๐ฌ๐ญ ๐ข๐ญ?
1. ๐๐ข๐๐๐๐ง ๐ ๐ฎ๐ง๐๐ญ๐ข๐จ๐ง๐ฌ -> using the GWTMap tool, enumerate all functions available in the obfuscated {hex} . cache . js file. If you have new functions, use the --rpc flag and send direct commands to them as there's a high chance that they are not protected
2. ๐๐ซ๐จ๐ค๐๐ง ๐๐๐๐๐ฌ๐ฌ ๐๐จ๐ง๐ญ๐ซ๐จ๐ฅ -> chances are developers would assume the protocol is too complicated and hard to read (i.e: it uses some obfuscation). Using two different accounts, replay the requests generated by the app using both session cookies. If it works -> Broken Access Control
3. ๐๐ง๐ฃ๐๐๐ญ๐ข๐จ๐ง -> all values that look like user controlled data in the String Table and Payload sections can (and should) be fuzzed for common injections attacks, including SQLi, command injection, SSRF, SSTI, etc. but avoid changing the indexes as this might generate an invalid GWT-RCP format
4. ๐๐๐ซ๐ข๐๐ฅ๐ข๐ณ๐๐ญ๐ข๐จ๐ง - the String Table + Payloads are used together to define and serialize the data provided through the request. Insecure deserialization attacks are an attack vector worth considering
Ref: Andrei Agape
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Forwarded from Exploiting Crew (Pr1vAt3)
๐ฆHow do you secure remote access in ICS/OT?
Here are 5 tips on how to allow remote access AND secure it.
As much as possible.
1. Multifactor Authentication
This one goes without saying. While MFA isn't a silver bullet...
It vastly decreases the chance an unauthorized party can establish a VPN connection without a valid second factor.
2. On-demand Access
Besides MFA, this is my favorite.
Always assume that any VPN user's system could be compromised.
-> Your vendors.
-> Your employees.
-> Your other third parties.
Once compromised, do you want an attacker having 24x7x365 access into your ICS/OT network?
Of course not.
Limit VPN access to only the time windows in which access is required.
Have the outside parties schedule or call when access is required.
Many say that this is burdensome and too much overhead.
Which I can understand.
You'll have to weigh the advantages and disadvantages for your environment.
For me, I always push for on-demand access to greatly reduce the risk.
3. Implement Harden Jump Hosts
Require remote parties to login to a jump host before accessing ICS/OT resources.
There could even be multiple jump hosts for them to authenticate to.
For these jump hosts, ensure that each system is hardened.
Also ensure that the host's network connectivity is limited to only the IP addresses and ports that are necessary.
4. Monitor for Suspicious Activity
No security solution is perfect.
A VPN can become compromised.
Attackers can gain access to your network.
For when they do, it's important to be watching.
95% of ICS/OT networks don't perform network security monitoring.
This doesn't mean you shouldn't.
Watching your network activity. Your host activity.
All for signs of compromise.
Which brings us to...
5. Record and Monitor Jump Host Activity
This one isn't high on many lists.
But if you have the resources, watch in real-time what remote parties are doing on jump hosts.
Ensure all activity looks legitimate.
And if something looks suspicious, take action!
Thanks for checking out the list!
P.S. Do you know someone with unsecured remote access?
Ref: Mike HolcombMike Holcomb
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ
Here are 5 tips on how to allow remote access AND secure it.
As much as possible.
1. Multifactor Authentication
This one goes without saying. While MFA isn't a silver bullet...
It vastly decreases the chance an unauthorized party can establish a VPN connection without a valid second factor.
2. On-demand Access
Besides MFA, this is my favorite.
Always assume that any VPN user's system could be compromised.
-> Your vendors.
-> Your employees.
-> Your other third parties.
Once compromised, do you want an attacker having 24x7x365 access into your ICS/OT network?
Of course not.
Limit VPN access to only the time windows in which access is required.
Have the outside parties schedule or call when access is required.
Many say that this is burdensome and too much overhead.
Which I can understand.
You'll have to weigh the advantages and disadvantages for your environment.
For me, I always push for on-demand access to greatly reduce the risk.
3. Implement Harden Jump Hosts
Require remote parties to login to a jump host before accessing ICS/OT resources.
There could even be multiple jump hosts for them to authenticate to.
For these jump hosts, ensure that each system is hardened.
Also ensure that the host's network connectivity is limited to only the IP addresses and ports that are necessary.
4. Monitor for Suspicious Activity
No security solution is perfect.
A VPN can become compromised.
Attackers can gain access to your network.
For when they do, it's important to be watching.
95% of ICS/OT networks don't perform network security monitoring.
This doesn't mean you shouldn't.
Watching your network activity. Your host activity.
All for signs of compromise.
Which brings us to...
5. Record and Monitor Jump Host Activity
This one isn't high on many lists.
But if you have the resources, watch in real-time what remote parties are doing on jump hosts.
Ensure all activity looks legitimate.
And if something looks suspicious, take action!
Thanks for checking out the list!
P.S. Do you know someone with unsecured remote access?
Ref: Mike HolcombMike Holcomb
@UndercodeCommunity
โ โ โ U๐๐ปโบ๐ซฤ๐ฌ๐โ โ โ โ