Forwarded from Exploiting Crew (Pr1vAt3)
How do you secure remote access in ICS/OT?
Here are 5 tips on how to allow remote access AND secure it.
As much as possible.
1. Multifactor Authentication
This one goes without saying. While MFA isn't a silver bullet...
It vastly decreases the chance an unauthorized party can establish a VPN connection without a valid second factor.
2. On-demand Access
Besides MFA, this is my favorite.
Always assume that any VPN user's system could be compromised.
-> Your vendors.
-> Your employees.
-> Your other third parties.
Once compromised, do you want an attacker having 24x7x365 access into your ICS/OT network?
Of course not.
Limit VPN access to only the time windows in which access is required.
Have the outside parties schedule or call when access is required.
Many say that this is burdensome and too much overhead.
Which I can understand.
You'll have to weigh the advantages and disadvantages for your environment.
For me, I always push for on-demand access to greatly reduce the risk.
3. Implement Hardened Jump Hosts
Require remote parties to log in to a jump host before accessing ICS/OT resources.
There could even be multiple jump hosts for them to authenticate to.
For these jump hosts, ensure that each system is hardened.
Also ensure that the host's network connectivity is limited to only the IP addresses and ports that are necessary.
4. Monitor for Suspicious Activity
No security solution is perfect.
A VPN can become compromised.
Attackers can gain access to your network.
For when they do, it's important to be watching.
95% of ICS/OT networks don't perform network security monitoring.
This doesn't mean you shouldn't.
Watching your network activity. Your host activity.
All for signs of compromise.
Which brings us to...
5. Record and Monitor Jump Host Activity
This one isn't high on many lists.
But if you have the resources, watch in real-time what remote parties are doing on jump hosts.
Ensure all activity looks legitimate.
And if something looks suspicious, take action!
Thanks for checking out the list!
P.S. Do you know someone with unsecured remote access?
Ref: Mike Holcomb
@UndercodeCommunity
Forwarded from Exploiting Crew (Pr1vAt3)
Getting RCE via Worst Fit
If you watched the Black Hat talk from Orange Tsai and Splitline last week in London, you might have found yourself shocked to see that a code snippet like the one below can lead to RCE.
Why can this be hacked?
Well, because you can inject double quotes... But can you? Not really, because 'subprocess.run()' would handle them securely. What you can do instead though is inject the odd fullwidth quotation mark: ＂ (U+FF02)
This shouldn't be a problem because surely shells wouldn't interpret this, right?
Wrong. Since Windows historically stores a lot of things, like cmdlines, environment variables, etc., in both ANSI and UTF-16, we run into a problem... How can you represent a value in ANSI if that value doesn't actually exist in the character set?
Meet "Best Fit", which converts certain UTF-16 characters to similar-looking ANSI characters (such as converting a ∞ to an 8, or converting a ¥ to a backslash, or converting a ＂ to a normal double quote).
This means that you can pwn this code snippet by injecting something like:
＂ --use-askpass=calc ＂
This pops calculator.
If you want to play around a bit with this, you may want to check out this PoC that I've created: https://lnkd.in/dBgeFscq
Also, you may want to check out https://worst[.]fit/ which tracks a list of Windows binaries vulnerable to this attack.
The worst part? Microsoft says this isn't a Windows vulnerability while open-source library maintainers say it is. So who is gonna fix it?
Ref: Florian Walter
GitHub: dub-flow/worst-fit-poc - This repo contains a PoC of exploiting Worst Fit (props to Orange Tsai and Splitline who presented this research at Black Hat EMEA 2024).
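To show the narrowing the post describes from the defending side, here is an added example (not code from the post or from the linked PoC) that previews what best-fit narrowing would do to each argument and refuses arguments whose narrowed form gains a quote or escape character before they reach subprocess.run(). The mapping is a partial simulation: the three conversions the post names plus the Unicode fullwidth ASCII block; real Windows best-fit tables are per code page and larger, and the function names are my own.

```python
# Partial simulation of Windows "Best Fit" narrowing (UTF-16 -> ANSI) used to
# reject command-line arguments that would gain a metacharacter when narrowed.
# Assumption: the mapping below is deliberately incomplete. It covers the three
# conversions the post names (INFINITY -> 8, YEN SIGN -> \, FULLWIDTH QUOTATION
# MARK -> ") plus the fullwidth ASCII block U+FF01..U+FF5E, which best-fit
# tables map onto plain ASCII U+0021..U+007E. Real tables depend on the code
# page, so a production check should also reject any other non-ASCII input when
# the child may be an ANSI (char*) program.
import subprocess
import sys

_NAMED_BEST_FIT = {
    "\u221e": "8",   # INFINITY  -> '8'   (named in the post)
    "\u00a5": "\\",  # YEN SIGN  -> '\'   (named in the post)
}

# Characters that change how the narrowed command line is split, quoted or
# interpreted by cmd.exe / CommandLineToArgvW-style parsing.
SHELL_METACHARS = set('"\\&|<>^%')


def best_fit_preview(s: str) -> str:
    """Return the ANSI string the partial best-fit simulation would produce
    for `s`; characters outside the simulated mapping pass through unchanged."""
    out = []
    for ch in s:
        cp = ord(ch)
        if 0xFF01 <= cp <= 0xFF5E:            # fullwidth form -> ASCII twin
            out.append(chr(cp - 0xFEE0))
        else:
            out.append(_NAMED_BEST_FIT.get(ch, ch))
    return "".join(out)


def gains_metachar(arg: str) -> bool:
    """True when narrowing introduces a metacharacter the original argument
    did not already contain (the post's fullwidth-quote injection)."""
    before = set(arg) & SHELL_METACHARS
    after = set(best_fit_preview(arg)) & SHELL_METACHARS
    return bool(after - before)


def safe_run(argv: list) -> subprocess.CompletedProcess:
    """subprocess.run wrapper that refuses best-fit-unsafe arguments instead
    of handing them to a child process that may narrow them."""
    bad = [a for a in argv if gains_metachar(a)]
    if bad:
        raise ValueError(f"refusing best-fit-unsafe argument(s): {bad!r}")
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample inputs: the post's payload plus two harmless strings.
    samples = ["\uff02 --use-askpass=calc \uff02", "report.txt", "\u221e"]
    for sample in samples:
        verdict = "REJECT" if gains_metachar(sample) else "ok"
        print(repr(sample), "->", repr(best_fit_preview(sample)), verdict)
    if sys.platform == "win32":
        print(safe_run(["cmd", "/c", "echo", "hello"]).stdout)
```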
Blue Team Training Courses
1- Cybersecurity for Students: lnkd.in/g4YmXP9J
2- SOC Fundamentals: lnkd.in/gVfUGNR3
3- Phishing Email Analysis: lnkd.in/giQWrn3a
4- Detecting Web Attacks: lnkd.in/gUTFXRzM
5- Malware Traffic Analysis with Wireshark: lnkd.in/g5Ze-iwU
6- Linux for Blue Team: lnkd.in/gvpWMdea
7- Building a Malware Analysis Lab: lnkd.in/gGXunp4q
8- Splunk for SOC: lnkd.in/gkZMam_n
9- Introduction to Cryptology: lnkd.in/g3jbE84W
10- Job Hunting: lnkd.in/g9MeH9P7
Ref: Mohamed Hamdi
Forwarded from Exploiting Crew (Pr1vAt3)
Free For You :)) Android SSL Pinning Bypass using Noxer
Automate your Android penetration testing lab setup using Nox Emulator. Noxer is a powerful Python script designed for automating Android penetration testing tasks within the Nox Player emulator. It simplifies setup, enhances stability, manages Frida Server, removes unwanted bloatware, integrates BurpSuite certificates, and much more!
Clone this repository to your local machine.
git clone https://github.com/AggressiveUser/noxer.git
Navigate to the project directory.
cd noxer
Install the dependencies from the requirements.txt file using pip.
pip install -r requirements.txt
You are now set to run the NOXER script.
python noxer.py
Forwarded from Exploiting Crew (Pr1vAt3)
2FA Testing Tips for Bug Bounty Hunters
1. Status Code Changes
Check if altering response or status codes (e.g., 200, 403) during 2FA verification allows bypass.
2. Brute-Force OTP
Test if the application allows repeated attempts to guess OTPs without blocking.
3. OTP Reuse
Verify if the OTP can be reused after it's already been used once.
4. Cross-Account Token Test
Request two OTPs for different accounts and see if you can use one account's OTP in another account.
5. Direct Dashboard Access
Try accessing the dashboard URL directly without completing 2FA. If blocked, include the 2FA page as a referrer header and retry.
6. Search for 2FA Codes
Use tools like Burp Suite to search response or JavaScript files for exposed 2FA codes.
7. CSRF/Clickjacking on 2FA
Test if attackers can disable 2FA using CSRF (cross-site request forgery) or clickjacking attacks.
8. Session Persistence
Check if enabling 2FA logs out all active sessions. If not, report it.
9. OAuth 2FA Bypass
See if using OAuth logins bypasses the need for 2FA. (This is rare.)
10. Disabling 2FA Without Verification
Test if 2FA can be disabled without entering a 2FA code.
11. Password Reset Without 2FA
Try resetting the account password using "Forgot Password" to bypass 2FA.
12. Test 000000 OTP
Enter "000000" (or similar default codes) to see if the app accepts it as a valid OTP.
13. Request Manipulation
Manipulate JSON requests to bypass 2FA:
- Send a null value.
- Change "otprequired": true to false.
- Remove the 2FA-related code or parameter.
- Use unexpected inputs (e.g., an email as an array).
14. OpenID Misconfiguration
Test for misconfigurations in OpenID that might allow bypassing 2FA.
15. OTP Expiry Check
Verify if OTPs remain valid for an excessive amount of time (e.g., more than a few minutes).
16. Backup Code Abuse
After logging in, generate a backup code request and check if it leaks valid codes.
17. Sensitive Info Exposure
Check if the 2FA page reveals sensitive information (e.g., phone numbers or email addresses).
18. Permanent Denial of Service (DoS) on Accounts
Abuse the system to lock an account:
- Create an account with someone else's email (if email verification isn't required) and enable 2FA.
- If verification is required, use a verified account to enable 2FA, then change the email to the victim's.
19. Authenticated Actions Without 2FA
Test if you can perform authenticated actions (e.g., update profile, create API tokens) without solving 2FA.
20. Bulk OTP Testing in JSON
Send multiple OTP values in a single request:
{
"code": ["1000", "1001", "1002", ..., "9999"]
}
21. Backup Code Misuse
Explore any other ways to misuse or generate backup codes.
Ref: Saumadip Mandal
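A server-side OTP verifier, added here as an example (not code from the post), that closes items 2, 3, 4, 13, 15 and 20 of the checklist above: single-use codes, a short expiry, an attempt limit with lockout, per-account challenge lookup and strict input typing so arrays, nulls and objects are rejected before comparison. The 300-second TTL, 5-attempt limit and 15-minute lockout are assumed values.

```python
# Defensive OTP verification covering several of the checklist items above.
# Assumptions: TTL, attempt limit and lockout length are illustrative values;
# `now` is injectable so the behaviour can be tested without sleeping.
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300      # item 15: a code is only valid for a few minutes
MAX_ATTEMPTS = 5           # item 2: cap guesses per issued code
LOCKOUT_SECONDS = 900      # cool-down after the attempt limit is hit
OTP_LENGTH = 6


@dataclass
class _Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpVerifier:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}        # user_id -> _Challenge (item 4: per account)
        self._locked_until = {}   # user_id -> unix time

    def issue(self, user_id: str) -> str:
        """Create a fresh random code for one account. The code must be sent
        out of band; never echo it in the HTTP response or page scripts."""
        code = f"{secrets.randbelow(10 ** OTP_LENGTH):0{OTP_LENGTH}d}"
        self._pending[user_id] = _Challenge(code=code, issued_at=self._now())
        return code

    def verify(self, user_id: str, submitted) -> bool:
        now = self._now()
        if self._locked_until.get(user_id, 0.0) > now:
            return False
        # Items 13 and 20: accept exactly one digit string of the right
        # length; null, lists, dicts and other types never reach comparison.
        if (not isinstance(submitted, str) or len(submitted) != OTP_LENGTH
                or not submitted.isdigit()):
            return False
        challenge = self._pending.get(user_id)
        if challenge is None or challenge.used:
            return False            # item 3: a consumed code never verifies again
        if now - challenge.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]
            return False            # item 15: expired
        challenge.attempts += 1
        if hmac.compare_digest(challenge.code, submitted):  # constant time
            challenge.used = True
            return True
        if challenge.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]          # item 2: invalidate and lock
            self._locked_until[user_id] = now + LOCKOUT_SECONDS
        return False


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue("alice")
    print("array payload accepted:", v.verify("alice", ["1000", "1001"]))
    print("other account's code accepted:", v.verify("bob", code))
    print("correct code accepted:", v.verify("alice", code))
    print("reuse accepted:", v.verify("alice", code))
```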
Forwarded from Exploiting Crew (Pr1vAt3)
1) 15 vulnerabilities in one public bbp
https://lnkd.in/ggi4T39C
2) How I got access to Credentials easily
https://lnkd.in/gcnNE8hs
3) Bug Bounty Tips Series: 10 Ways To Find HTTP Host Header Injection Vulnerability
https://lnkd.in/gnji_rts
4) Cisco Warns of Attacks Exploiting Decade-Old ASA Vulnerability
https://lnkd.in/gNHZMnXY
5) Exploiting and Remediating Access Control Vulnerabilities
https://lnkd.in/gasczeCV
6) 20 Bug Bounty CrowdSourced Platforms
https://lnkd.in/g24uCdbQ
7) The Ninja Hacker Academy - A full guide to your graduation
https://lnkd.in/g86dxzSQ
8) Lookup - TryHackMe CTF Writeup {FOR BEGINNERS}
https://lnkd.in/gK9Vd6_i
9) TRYHACKME: Dav
https://lnkd.in/ggpStJn2
10) CTFs Network Section Walkthrough
https://lnkd.in/gC79pVfS
Ref: Saumadip Mandal
Forwarded from Exploiting Crew (Pr1vAt3)
ANDROID PIN CRACKING - Live Video Demonstration
This document presents a functional Proof-of-Concept (PoC) for a novel attack vector targeting #Android #smartphones running the latest Android version and #security patches. This attack has been successfully validated on over 20 popular brands, including Google Pixel and OnePlus devices. The PoC demonstrates the ability to compromise both standard 4-digit and 6-digit PINs, as well as pattern locks and PINs required for device boot-up.
The attack leverages a physical Rubber Ducky device, which exploits the Human Interface Device (HID) protocol to emulate keyboard input. By employing a brute-force approach, the device systematically attempts PIN combinations from 0000 to 9999, saving the correct PIN upon successful authentication. To mitigate detection mechanisms, the attack is designed to halt after five unsuccessful attempts and a 30-minute timeout. Furthermore, the device's configuration and scripting capabilities can be tailored to specific target devices.
> Beyond PIN cracking, the #RubberDucky can be programmed to enable USB debugging, opening the door to a wider range of potential attacks. This includes reverse shell connections, binding shell sessions, and camera exploitation, ultimately exposing the device to data leakage and other security risks.
Here is a working proof of concept of the latest attack discovered by me that exploits Android smartphones working on the latest version of Android and the latest security patches that can break Android PINs (4-digit PIN and 6-digit PIN), tested on 20 brands including the Google Pixel series and OnePlus devices. The demonstration can crack PIN patterns and also the PIN that is required before the device is turned on. The device is a Rubber Ducky that uses an HID exploit that can work like a keyboard and use a brute force attack, i.e. trying PINs from 0000 to 9999 and also saving the PIN once unlocked. The device is configured to work with a timeout of 30 minutes after 5 attempts and the scripts can be configured based on the device we are working on. It can store 5MB of Python script which is executed after the Arduino firmware is complete. It works on the ATmega chipset and allows the user to also enable USB debugging, which can further enable other attacks like reverse shell and binding connections, exposing users to camera exploits and even data leaks.
Ref: Priyank Gada
Forwarded from Exploiting Crew (Pr1vAt3)
Free Certificate Courses:
Cisco is Offering FREE Cyber Security Courses + official Badges!
Start Your Cybersecurity Career with these in-demand courses!
1. Introduction to Cybersecurity
- Course Duration: 6 HOURS
- Level: BEGINNER
- Labs: 7 LABS
- Delivery Type: SELF-PACED
Course Link: https://lnkd.in/eh5MTBwT
2. Cyber Threat Management
- Course Duration: 16 HOURS
- Level: INTERMEDIATE
- Labs: 16 LABS
- Delivery Type: SELF-PACED
Course Link: https://lnkd.in/ehwb_Hsh
3. Endpoint Security
- Course Duration: 27 HOURS
- Level: INTERMEDIATE
- Labs: 31 LABS
- Delivery Type: SELF-PACED
Course Link: https://lnkd.in/eV2UB7xy
4. Network Defense
- Course Duration: 27 HOURS
- Level: INTERMEDIATE
- Labs: 29 LABS
- Delivery Type: SELF-PACED
Course Link: https://lnkd.in/ekTpuvyn
Ref: Mohamed Ali Mohamed
Forwarded from Exploiting Crew (Pr1vAt3)
Free Vulnerability Management, Scanning Tools and Trainings 2024
Vulnerability management is important in cybersecurity as it helps reduce risk, maintain compliance, protect assets, enable proactive defense, manage reputation, and achieve cost savings. Here's a curated list of resources I prepared to help you delve deeper into this topic.
1. Vulnerability management: https://lnkd.in/e_GaRhWZ
Checklist:
https://DailyCVE.com (AI powered Checker & Analysis)
https://lnkd.in/eyM7VJEs
VM 101 by CrowdStrike: https://lnkd.in/e_HY3Z_J
Vulnerability Assessment 101: https://lnkd.in/eRkz-hMe
Vulnerability Scanning Tools: https://lnkd.in/gbKnkgdt
OWASP Vulnerability Management Guide: https://lnkd.in/ebEB4HHa
SANS VM Resources: https://lnkd.in/ePGveFcd
2. Greenbone OpenVAS
Download Link: https://www.openvas.org/
Installation Guide: https://lnkd.in/eFB78JTQ
3. Tenable Nessus Essentials
Download Link: https://lnkd.in/gzNsE_kW
Tenable University: https://lnkd.in/dt9t4iVs
Training: https://lnkd.in/gQEUxFeu
4. Qualys
Link: https://lnkd.in/ezytw_UB
Training: https://lnkd.in/gvNKJnni
VM for Dummies eBook: https://lnkd.in/e2ed9XxS
5. Rapid7 InsightVM
Vulnerability Management Process: https://lnkd.in/eCe5RHtR
Nexpose Link: https://lnkd.in/gdARCttE
InsightVM Link: https://lnkd.in/gCtiQgyA
Training: https://lnkd.in/g3Q5i6fT
6. Agentless Vulnerability Scanner for Linux/FreeBSD: https://vuls.io/
7. Vulnerability Database / Data Source
National Vulnerability Database: https://nvd.nist.gov/
Full Listing: https://lnkd.in/gSNNgY9W
Top-50-vendors: https://lnkd.in/eTqY7bxG
CVE Details: https://lnkd.in/gXm_2Z5h
CVE Report: https://cve.report/
MITRE CVE: https://cve.mitre.org/
MITRE CWE: https://cwe.mitre.org/
Exploit Prediction Scoring System (EPSS): https://lnkd.in/e3EndP-3
Vulnerability search: https://vulners.com/
Vulnerability database: https://vuldb.com/
Known Exploited Vulnerabilities: https://lnkd.in/gHAFJEtS
Cyberscan: https://lnkd.in/eRS6W_w3
8. CVSS Calculator
V3 Link: https://lnkd.in/gNqYyqKx
V4 Link: https://lnkd.in/eRd_ggVT
9. Bug Bounty Programs: find vulnerability and get paid - https://lnkd.in/esUdfjD9
Mozilla Observatory: https://lnkd.in/e7AbJDEh
The Mozilla Observatory has helped over 240,000 websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely. Source: https://lnkd.in/emMQ-Zhm
Ref: Mohamad Hamadi
Forwarded from Exploiting Crew (Pr1vAt3)
Windows Defender Bypass 2024 with AES-Encrypted Malicious DLL.
Hello everyone,
Since a lot of you guys enjoyed the last video, I decided to create another bypass technique, this time using AES encryption for the shellcode. To make it more interesting, I incorporated the shellcode into a malicious DLL and executed it using another process.
Here's how it works:
I created a simple file, test.exe (the process I mentioned), which loads the malicious DLL containing the encrypted shellcode. This is achieved using the LoadLibraryA() function and the GetProcAddress() function, which are essential for loading any DLL and its exported functions into a process's memory. Once loaded, the DLL decrypts and executes the shellcode.
This time the malicious DLL contained raw encrypted shellcode stored on disk. The encryption prevents detection by Windows Defender. In my previous approach, the shellcode was hosted on a server, making it a staged payload. While experimenting, I also tried XOR to obfuscate the shellcode like last time. However, it was consistently detected for some reason I still don't understand. XORing the shellcode and AES encrypting it share a similar concept though. I might be wrong on this one, forgive me if I am.
This method can be implemented in various ways. One approach is to inject the DLL into another process using its PID, or using this AES method to just execute the malicious exe to run the shellcode in memory without loading the DLL. This technique has been used by APTs as a means of achieving persistence on compromised systems they target.
I used multiple resources from the internet. All the code used does not belong to me. I added custom logic (like calling the exported function) and tweaked it a little bit to make it work the way I wanted it to. I give credit to the internet. Hope you guys find this useful!
Ref: Dhanush Arvind