Category: Security

Why enabling Zabbix remote command feature can be bad – chink in the armor of your servers

Today I was reminded of a small pen-test I did last year, which in turn reminded me that I should write down why that feature seems like a bad idea to me most of the time.

Zabbix is a popular agent-based monitoring solution, and it has the ability to run remote commands on the agents. While it may be nice to have your monitoring system try to auto-restart things and so on, enabling that feature also has other consequences that people fail to take into account or just ignore.

Namely, it opens up a whole new attack vector for easily gaining a foothold on your servers. One issue is that monitoring service instances are usually not that well protected. In a lot of cases the reasoning behind that is “it’s just monitoring, there’s nothing sensitive there”. Although I disagree with that, I’m not going to rant about it here. That statement becomes completely wrong as soon as you enable the remote command ability on the agents.

So what harm can come from the remote command feature? Why is it bad? In one of my pen-test engagements I used it to take over the client’s whole infrastructure. Although it’s “just a monitoring solution”, gaining access to it was enough to compromise all of their servers thanks to the remote command feature. How I got access to their monitoring system is one thing (they had multiple setup failures there), but that’s beside the point. Never have devices with admin access to any system lying around unprotected in your office, e.g. a monitoring dashboard meant to show your service status in the reception area.

Not to be too technical, but here is a short description of what happened. After having gained access to the monitoring dashboard and noticing it had Zabbix admin privileges, I did the following:
* Tested whether remote command execution was enabled on some hosts; that turned out to be a YES.
* Used that to figure out which of their servers had unrestricted outbound internet access.
* Activated a simple remote shell on the internet-capable devices, just to make my life easier.
* Found out their systems’ patch levels via Zabbix and abused an existing sudo vulnerability to gain root privileges.

Long story short: just think twice about activating that feature; maybe there is some better way to do what you need. Oh yeah, and patch your systems, as that sudo vulnerability was already quite old at the time.
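A quick way to find out which of your agents actually have the feature on is to audit their zabbix_agentd.conf files. The shell function below is an added example, not part of the original post or of Zabbix itself. It assumes the agent parameter names EnableRemoteCommands (legacy agents) and AllowKey=system.run[...] (agent 5.0 and later, where remote commands are the system.run item and stay blocked unless an AllowKey rule permits them); check both against your agent version. The sample config at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added check: does a zabbix_agentd.conf let the server run remote commands?
# Parameter names assumed (verify against your agent's version):
#   EnableRemoteCommands=1        legacy agents, the switch discussed above
#   AllowKey=system.run[...]      agent 5.0+, where remote commands are the
#                                 system.run item and stay blocked unless an
#                                 AllowKey rule permits them
zabbix_remote_cmds() {      # $1 = path to zabbix_agentd.conf; prints ENABLED/DISABLED
    # drop comments and blank lines, normalise "Key = Value" to "Key=Value"
    cleaned=$(sed -e 's/#.*//' \
                  -e 's/^[[:space:]]*//' \
                  -e 's/[[:space:]]*$//' \
                  -e 's/[[:space:]]*=[[:space:]]*/=/' \
                  -e '/^$/d' "$1")
    if printf '%s\n' "$cleaned" | grep -qx 'EnableRemoteCommands=1'; then
        echo ENABLED
    elif printf '%s\n' "$cleaned" | grep -q '^AllowKey=system\.run\['; then
        echo ENABLED
    else
        echo DISABLED
    fi
}

# Constructed sample: a config where someone switched the feature on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# zabbix_agentd.conf (demo)
Server=10.0.0.1
ServerActive=10.0.0.1
EnableRemoteCommands = 1
EOF
zabbix_remote_cmds "$sample"      # prints ENABLED
rm -f "$sample"
```

Run it over the config files collected from your hosts (for example via your configuration management tool) and anything reporting ENABLED deserves a second look. If a handful of hosts really do need the feature, keep it off everywhere else and set LogRemoteCommands=1 on those agents so every executed command at least ends up in the agent log.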

Apache TLS auth restriction based on custom OID value using PeerExtList

A client was concerned that the Apache/OpenSSL combo was not respecting certificate key usage values out of the box. They demonstrated how they logged into a web service using certificates that didn’t have the “TLS Web Client Authentication” extended key usage set. Because of that they were asking whether they had some config error and how it would be possible to require those extensions to be set.

They had tried different hints they got from the web, but none worked properly. After a bit of reading manuals, researching the web and tinkering around I managed to get it working the way they wanted. So I thought I’d share the brief config snippet to help out anyone else running into the same problem.

<Directory /var/www/html/test.site/tls_test>
  SSLVerifyClient require
  SSLVerifyDepth 2
  SSLOptions +StdEnvVars
  Require expr "TLS Web Client Authentication, E-mail Protection" in PeerExtList('extendedKeyUsage')
</Directory>
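To see exactly which string PeerExtList('extendedKeyUsage') hands to that expression, here is an added shell example (not from the original post or the client’s setup). It creates a throw-away self-signed certificate carrying the clientAuth and emailProtection EKUs and prints OpenSSL’s text rendering of the extension, which is what the Require expr compares against. The -addext and -ext options need OpenSSL 1.1.1 or newer; the subject name and temp file locations are made up for the demo.

```shell
#!/bin/sh
# Added example: show the extendedKeyUsage string OpenSSL derives from a
# certificate. Apache's PeerExtList('extendedKeyUsage') yields this same
# text, so it is the value the Require expr above must match exactly.

# Print the EKU line of a PEM certificate without the leading indentation.
eku_string() {              # $1 = path to certificate (PEM)
    openssl x509 -in "$1" -noout -ext extendedKeyUsage \
        | sed -n '2p' | sed 's/^[[:space:]]*//'
}

# Constructed demo certificate: self-signed, with the two EKUs the client's
# certificates carried. Nothing here is a real client certificate.
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=demo-client" \
        -addext "extendedKeyUsage=clientAuth,emailProtection" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

cert=$(make_demo_cert)
eku_string "$cert"      # prints: TLS Web Client Authentication, E-mail Protection
rm -rf "$(dirname "$cert")"
```

The `in` operator does an exact string comparison against each value in the list, so the string in the Require expr has to match OpenSSL’s rendering character for character, including the order of the usages and the “, ” separator. A certificate with no extendedKeyUsage extension at all produces an empty list, so it is rejected, which is exactly the behaviour the client was after.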

Kali apt-get update fails with signature error

When booting up an older Kali VM I hadn’t used for a while, I wanted to update it and ran into a small issue. Namely, the update failed with the following error message:

root@kali:~/Documents# apt-get update
Get:1 http://kali.koyanet.lv/kali kali-rolling InRelease [30.5 kB]
Err:1 http://kali.koyanet.lv/kali kali-rolling InRelease
The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository devel@kali.org
Reading package lists… Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://kali.koyanet.lv/kali kali-rolling InRelease: The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository devel@kali.org
W: Failed to fetch http://http.kali.org/kali/dists/kali-rolling/InRelease The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository devel@kali.org
W: Some index files failed to download. They have been ignored, or old ones used instead.

As it turns out, the archive signing key had changed (EXPKEYSIG means the signature was made with a key that has since expired). Fortunately the fix is easy, just do the following:

  • Check which keyring file is the most current at https://http.kali.org/kali/pool/main/k/kali-archive-keyring/. For example, today it was “kali-archive-keyring_2020.2_all.deb”.
  • Download it using the wget command or via browser:
    wget https://http.kali.org/kali/pool/main/k/kali-archive-keyring/kali-archive-keyring_2020.2_all.deb
  • Install it by running “dpkg -i kali-archive-keyring_2020.2_all.deb”:
    root@kali:~/Documents# dpkg -i kali-archive-keyring_2020.2_all.deb
    (Reading database … 528672 files and directories currently installed.)
    Preparing to unpack kali-archive-keyring_2020.2_all.deb …
    Unpacking kali-archive-keyring (2020.2) over (2018.2) …
    Setting up kali-archive-keyring (2020.2) …
    Installed kali-archive-keyring as a trusted APT keyring.
  • Now updating should work again.
    root@kali:~/Documents# apt-get update
    Get:1 http://kali.koyanet.lv/kali kali-rolling InRelease [30.5 kB]
    Get:2 http://kali.koyanet.lv/kali kali-rolling/main i386 Packages [17.5 MB]
    Get:3 http://kali.koyanet.lv/kali kali-rolling/non-free i386 Packages [167 kB]
    Get:4 http://kali.koyanet.lv/kali kali-rolling/contrib i386 Packages [97.7 kB]
    Fetched 17.8 MB in 3s (5,676 kB/s)
    Reading package lists… Done

Ethical hacker isn’t a vigilante

A long time ago, when I decided to get the EC-Council “Certified Ethical Hacker” certification done, I couldn’t imagine what type of job offers and requests I would start getting after adding it to my Freelancer profile. People started asking me about a lot of illegal things. And over the years nothing has changed; still almost every day I get some strange request that I now just tend to ignore, not even turn down with a reply.

Initially it seemed strange to receive requests on a daily basis to break into someone’s Facebook, Twitter or Instagram account or to bug their smart device. Eventually I got used to it, but still some of the requests are stranger than others and make me scratch my head.

Mostly people ask me to spy on their life partners/family/close ones, because they think they are being cheated on, and to them this makes the privacy invasion and illegal actions ethical. Those are just the regular everyday ones and somewhat relatable as an emotional outburst, yet it is still a bit creepy that people go that far instead of just confronting the issue. But besides these regular ones there are the strange ones.

One day I got a request asking whether it would be possible for me to remove every negative news article ever written about one specific person from one country’s news sites. Yes, all of them, from all newspapers. That almost got me interested in replying to the request, just to know what they were trying to hide. But I decided not to, just in case. Then there are requests to “get my money back from a gambling site or some crypto deal”, or to locate whoever is behind whatever gamer tag or social media account and get their personal details.

No, those aforementioned requests don’t come via some shady underground forums, but via regular freelancer job exchanges. Which makes it seem to me that they don’t actually moderate their postings; even after reporting some illegal postings as illegal, they were still up 3 days after the report.

After being bombarded with such requests for a while now, I wish people would actually learn what “ethical hacker” means and deal with their problems in a LEGAL way. I also wish that freelancer sites would actually deal with the illegal offers on their sites themselves.

As an ending to this rant, I have to cite the definition of ethical hacker that I actually like and that feels right to me. The definition as it is written on TechTarget: “An ethical hacker, also referred to as a white hat hacker, is an information security (infosec) expert who penetrates a computer system, network, application or other computing resource on behalf of its owners — and with their authorization.”

Please secure your WordPress sites

WordPress is a very popular engine for creating your business’s website; it’s flexible, etc. But when finding a developer to create your page, please find someone who actually thinks about security as well, not only the design. Or have someone take a look at it afterwards.

A lot of company websites I’ve seen have no security plugins installed and very lax settings. They don’t get updated and some even have outright data leaks in them.

What made me write this was one of the more “interesting” security practices I recently saw a developer use. What he did right was use complex passwords! Where he went wrong was using the same value as the username. Using a completely random 12-character username is in some sense good (no dictionary attack for it) and it should be really hard to guess.. Well, except when you have the WP JSON interface wide open to the public. Guess what, the username is listed there, and when your password is the same as your username, it’s all over.

For me, when I’m tasked with looking at a website’s security, the first thing I look for is whether any known interfaces that haven’t been locked down properly give away hints about credentials. Why even bother trying to find injection vulnerabilities when the low-hanging things haven’t been taken care of?

So please, when running your website on WordPress, do the decent thing and lock it down to keep your viewers/customers safe. Invest a bit of time in securing your site and reading up on how to do it.

Here are some basic hints:
* Install some security plugins, for example Wordfence or iThemes Security.
* Disable unneeded features/interfaces that you don’t use (e.g. wp-json, xmlrpc).
* Don’t leave your wp-admin page open to the public: move it and/or add some extra measures to protect it (basic auth, MFA, etc.).
* Keep your plugins and WP instance up to date.
* Do regular (off-site) backups and track file changes, so you can spot malicious actors more easily and have a clean site you could restore.
* Don’t reuse passwords. I’ve been able to access too many admin pages using passwords from password leak databases to say that this isn’t a problem.
* Check whether your e-mail address has been part of any password dumps (https://haveibeenpwned.com).

Besides the aforementioned points, just read and have your developer read the following articles: https://kinsta.com/blog/wordpress-security/ and https://www.wpbeginner.com/wordpress-security/

Tenable.SC license renewal headache – things to keep in mind when renewing

The first year of Tenable usage was coming to an end. The Nessus scanners/managers and Tenable.SC all notified me that their licenses were about to expire. I contacted the company selling Tenable in the region and got the licenses extended.

The new license expiry date appeared on the Tenable support site, and I was wondering whether the different instances would auto-update their licenses. I looked at the scanners and managers: all was fine and the licenses were extended. So I was happy, problem solved, or so I thought. But I had missed one place, the SC, as I assumed that all their software/licenses would work the same way and didn’t waste any more time looking at the licenses.

A few weeks pass and suddenly I cannot log into the SC any more, with an “invalid license” error popping up when I try to log in. As it turned out: never assume that a vendor’s products all work the same way. When going to the admin interface of the SC I discovered that the license states that it’s expired, while on the Tenable support website the license status was supposedly fine.

After that I had a little chat with support; as it turns out, licenses for Tenable.SC can be renewed in multiple ways. In one case your license is extended, in the other it is just superseded, so you need to re-download the license key file and upload it to your SC for it to start working again.

During the period the license was expired, scan data was not imported (it was rejected with an error by the SC). Fortunately it could be re-processed from the scan results list, but all the data ended up having its discovery date set to the manual re-processing date. A minor inconvenience/integrity issue, but at least all the info still exists.

Check Point to Cisco ASA IKEv2 VPN with SHA-256 “no proposal chosen” – Timed out

When creating a VPN tunnel between Cisco ASA 9.x and Check Point firewalls using IKEv2 and integrity algorithms stronger than SHA-1, you might run into a small issue where Phase 1 comes up without problems but Phase 2 shows time-outs in the Check Point logs.

After seeing the time-outs, you enable VPN debugging and see a “No Proposal Chosen” message coming from the ASA side in the ikev2.xmll log. Then you compare the crypto configurations on both sides and see that they are identical. If that is the case, there might be a pseudo-random function (“prf”) mismatch. To get around it, try the following command on the Cisco side (it belongs in the IKEv2 policy):

prf sha

It’s only doable on the Cisco side, as Check Point doesn’t let you change this value. That was supposedly the only change made on the peer gateway by the Cisco admin, after which the tunnel came up.

Tenable.SC and Nessus Scanner updates activation

When installing Tenable.SC it asks for an activation key and the installation continues. Then you install your Nessus scanner, point it to the SC during the install, and it shows that its license is managed by Tenable.SC. Now you have everything installed and up and running, right? Wrong..

Plugin updates are not working yet, as for that you need to enter a separate license key. You need to log in to your Tenable Community account, go to Your Products and find the Tenable.sc activation key.

You need to insert that key into your Tenable.SC while logged in as an administrator (not the scanning account). Navigate in the menu to System > Configuration > License, click on “Nessus Scanner”, paste the activation key you found on the support site and press Register. After that your Tenable.SC and Nessus will be able to update their plugins and feeds.

Getting Tenable.SC working with Nessus Agents

What do Nessus Agents do

Nessus Agent is a lightweight piece of software that you can install on a host to do patch management and vulnerability/compliance checking without having some central server with credentials logging into every machine you have (as Nessus credentialed scans do). Instead the agent software just reports back to the central server and keeps polling to see if any commands have been given.

Nessus Agent can run patch level/vulnerability scan/malware scan or configuration compliance checks.

Requirements

I assume that when thinking about Nessus Agent based scans with Tenable.sc You already have a Tenable.SC license and working installation.

Tenable.SC needs to have access to the TCP port 8834 on the Nessus Manager.

Nessus Manager preferably has internet access to download updates and activate the license.

Nessus Agents need access to the TCP port 8834 on the Nessus Manager.

Licensing hassle

In order to get Nessus Agent info into Tenable.SC there are some extra steps you need to take besides the Tenable.SC and Nessus Scanner installation. You actually also need to install Nessus Manager to get agents working; regular Nessus scanners don’t have the ability to work with agents.

Actually getting Nessus Manager turned out to be a bit of a hassle. As it turns out, although the software comes with the Tenable.SC license, you need to ask for it separately. After a short e-mail exchange with support and some signed documents later, the Nessus Manager license will be added to your Tenable account.

The installation

After You get the license key, download the regular “Tenable Core + Nessus” software from https://www.tenable.com/downloads/tenable-appliance and install the VM. The install will be the same as for regular Nessus Scanner.

After having set up the VM, open your web browser and go to the appliance web page https://nessus-manager-ip-here:8834/; the wizard will open. From there select Nessus Manager instead of Nessus Scanner and insert the license key when prompted. The setup will also ask you to create an account for yourself. It will take a while for the wizard to download and compile all the needed components. After it completes you have a working Nessus Manager.

After the wizard completes, log in to the appliance with the account you created during the wizard. The first thing you need to do is create a “group” for the agents, e.g. call it “Web Servers” for your web servers or “Client PCs” for client PCs. After having created the groups you can proceed to linking your agents.

To install the agents you first need to download the proper agent software from https://www.tenable.com/downloads/nessus-agents. Installation is quite straightforward. As an example, on a 64-bit CentOS 7 machine it would go like this:

  • Copy the Agent to the machine
  • Elevate privileges to root or use sudo
  • Install the agent by issuing the “rpm -i NessusAgent-7.5.1-es7.x86_64.rpm” command. You should get the following output:
    warning: NessusAgent-7.5.1-es7.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 1c0c4a5d: NOKEY
    You must first start Nessus Agent by typing /bin/systemctl start nessusagent.service
    To link this agent to the Nessus Manager, use the ‘/opt/nessus_agent/sbin/nessuscli agent’ command.
    Type ‘/opt/nessus_agent/sbin/nessuscli agent help’ for more info.

Next you need to link your agent to the Nessus Manager. In order to do that, copy the “Linking Key” from Nessus Manager, which can be found on the Agents page in the “Linked Agents” section. After having found the key you can create your linking command on your client. It looks something like this:
/opt/nessus_agent/sbin/nessuscli agent link --key="your-linking-key" --host="your-nessus-manager-address" --port=8834 --groups="Web Servers"

After issuing the previous command on the client, it should now show up in the linked agents list where you got the linking key from. After having linked the agent to the manager you also need to start the service, as was mentioned in the output from the rpm.

It will take a bit of time for the agent to come online. I initially thought something was broken, but it actually took ~5 min for the client to go into the “initializing” state for a bit and then offline again. After being in the initializing state the list started showing some more info about the client, not only the IP address. After that it stays offline again for some time, for me something like 15-20 min, and then the host started showing up as online. During that period you might as well link the Nessus Manager and Tenable.SC.
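Putting the install, link and start steps above together, here is an added shell script (not from Tenable or the original post) that installs the RPM, links the agent, starts the service and then polls the agent’s own status until the link is reported, so the slow first appearance in the manager doesn’t get mistaken for a broken install. It assumes the nessuscli path printed by the RPM, that `nessuscli agent status` prints a line beginning with “Linked to:” once linked (check this against your agent version), and it takes the RPM path, linking key, manager address and agent group as arguments; all of those values are yours to fill in.

```shell
#!/bin/sh
# Added example: enrol a Nessus Agent on CentOS 7 and wait for the link.
# Usage: sh enrol-agent.sh NessusAgent-7.5.1-es7.x86_64.rpm LINKING-KEY manager.example "Web Servers"
# NESSUSCLI defaults to the path printed by the RPM post-install message and
# can be overridden from the environment (handy for a dry run).
: "${NESSUSCLI:=/opt/nessus_agent/sbin/nessuscli}"

install_agent() {           # $1 = path to the NessusAgent RPM
    [ "$(id -u)" -eq 0 ] || { echo "run as root or via sudo" >&2; return 1; }
    rpm -i "$1"
}

link_agent() {              # $1 = linking key, $2 = manager address, $3 = agent group
    "$NESSUSCLI" agent link --key="$1" --host="$2" --port=8834 --groups="$3"
}

# The agent can take 15-20 minutes to show as online in the manager, so poll
# the local status with a generous limit instead of assuming it is broken.
# Assumption: 'nessuscli agent status' prints a "Linked to:" line once linked.
wait_linked() {             # $1 = max seconds to wait (default 1800), $2 = poll interval (default 30)
    limit=${1:-1800}; step=${2:-30}; waited=0
    while [ "$waited" -lt "$limit" ]; do
        if "$NESSUSCLI" agent status | grep -q '^Linked to:'; then
            echo "linked after ${waited}s"
            return 0
        fi
        sleep "$step"
        waited=$((waited + step))
    done
    echo "agent still not linked after ${limit}s" >&2
    return 1
}

main() {                    # $1 = rpm, $2 = linking key, $3 = manager address, $4 = group
    install_agent "$1"
    link_agent "$2" "$3" "$4"
    systemctl start nessusagent.service     # as the RPM post-install message says
    systemctl enable nessusagent.service    # and keep it running across reboots
    wait_linked
}

if [ $# -eq 4 ]; then
    main "$@"
fi
```

The linking key is a credential for your manager: pass it in from a secrets store or a root-only file rather than baking it into the script, and rotate it from the Nessus Manager Agents page if it ever ends up somewhere it shouldn’t.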

Linking Nessus Manager and Tenable.SC is the same as with a regular Nessus Scanner.

Running your first Agent scan

After having linked your agents to Nessus Manager and Nessus Manager to Tenable.SC, you can now define and run agent scans.

Unlike scanning with Tenable.SC and a Nessus Scanner, the agent scan needs to be defined and run on Nessus Manager instead. Tenable.SC actually only imports the reports, although the button says run scan.

So you need to log in to Nessus Manager and create a new scan under Scans. For every scan you need to select the group that the scan gets run on and also the interval, if you want it to be a recurring one.

A lot of companies leak internal DNS/information system info to 3rd parties

One thing I have noticed while auditing different “internal use only” systems that are not available online is that, although they are offline, their existence is freely sent to Google along with their URLs/IP addresses.

Namely, a lot of developers tend to integrate something provided by Google or by some other vendor, be it some JavaScript or fonts. As an example, when you include some CSS provided by Google, every time someone loads an internal application Google gets a request from the client’s web browser which also includes the referring URL.
Here is an example of the outbound request headers from a web page that includes some style sheet info provided by Google:

host: fonts.googleapis.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://someportal.corp.inernal/css/main.css

The “Referer” header can easily be harvested from logs. So next time you include external resources, think about whether you want a 3rd party to know about your internal things.
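If you have an outbound proxy in front of your users, the same header lets you find which internal applications are leaking. The shell function below is an added example, not part of the original post: it scans a proxy log and reports every request to an external host whose Referer names an internal hostname. The log format, the `.corp.internal` suffix and the sample lines are all constructed for the demo; adapt the field positions to whatever your proxy actually writes.

```shell
#!/bin/sh
# Added example: find internal hostnames leaking to third parties via Referer.
# Input is an outbound proxy log in a constructed format, one request per line:
#   <client-ip> <method> <destination-host> <path> <referer-url>
# INTERNAL_SUFFIX is the made-up internal domain used for the demo.
INTERNAL_SUFFIX='.corp.internal'

# Print "referring-internal-host -> external-host/path" for every request
# whose Referer names an internal host but whose destination is external.
referer_leaks() {           # $1 = log file
    awk -v suf="$INTERNAL_SUFFIX" '
        function ends_with(s, t) {
            return length(s) >= length(t) && substr(s, length(s) - length(t) + 1) == t
        }
        {
            host = $3; ref = $5
            sub("^https?://", "", ref)        # drop the scheme
            sub("[/:?#].*$", "", ref)         # keep only the hostname
            if (ends_with(ref, suf) && !ends_with(host, suf))
                print ref " -> " host $4
        }' "$1"
}

# Constructed sample log for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
10.0.0.5 GET fonts.googleapis.com /css?family=Roboto https://someportal.corp.internal/css/main.css
10.0.0.5 GET someportal.corp.internal /app/ https://someportal.corp.internal/
10.0.0.7 GET cdn.example.net /lib.js https://www.example.com/
10.0.0.9 GET www.google-analytics.com /collect https://hr.corp.internal/payroll
EOF
referer_leaks "$sample"
rm -f "$sample"
```

Requests between internal hosts and requests with an external Referer are skipped, so the output is just the list of internal pages that are telling outsiders about themselves. Besides not loading third-party resources from internal applications at all, a Referrer-Policy header of same-origin or no-referrer on the internal application stops the browser from sending the referring URL to other origins in the first place.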