Posts on Caladan

How to Create a MISP Feed from a Greynoise Trend

Wed, 03 Aug 2022 04:10:59 +0000

Introduction

GreyNoise Trends are a feature offered on the platform which allows us to track IPs associated with a particular activity, exploit, or tool. These trends can also be benign or malicious. GreyNoise recently created a feature allowing users to utilize dynamic blocklists based on a particular trend.

For example, let’s say I wanted to track the latest exploit, CVE-2022-26138 (Hardcoded Confluence Password). As long GreyNoise has already created a tag for this CVE (which they have), I can access a URL that contains a list of IPs associated with this activity in a rolling 24-hour window.

These URLs containing the blocklists are meant to be utilized by firewalls which can proactively block these IPs in real-time, but MISP is also able to automate collections from remote URLs.

Getting Unique GreyNoise Trend URL

Before we create our feed in MISP, we first need to retrieve the URL for the GreyNoise trend that also utilizes a unique key for our account (not the same as your API key).

Go to the GreyNoise Trends page and choose a tag that you are interested in, for this tutorial we’ll use the vulnerability we referenced before (CVE-2022-26138), which can be found here.

Once you’re on the page for the tag you just need to click “Block at Firewall”, and we’ll get a panel that contains our unique URL. Copy this URL because you will need it for the next part.

Creating the Feed in MISP

First, we’re going to log into MISP and go to create a new feed; Sync Actions -> List Feeds -> Add Feed.

Now, we just need to add our configuration details to the new feed. Feel free to fill it out however you like but I’ll provide a template below:

Enabled = Y
Caching enabled = Y
Lookup visible = Y
Name = "Greynoise: Exploiting Confluence Hardcoded Credentials"
Provider = "Greynoise"
Input Source = "Network"
URL = "https://api.greynoise.io/v3/tags/18ac439f-c0b6-4d98-afcf-24de74d9b169/ips?format=txt&token=<unique key>"
Source Format = "Freetext Parsed Feed"
Creator organisation = "<Select your default MISP org>"
Target Event = "Fixed Event"
Target Event ID = <Leave Blank>
Auto Publish = Y
Delta Merse = Y

Once you’re happy with the feed configuration, now we will want to cache the feed; this will initiate a pull for all IoCs from our blocklist and also create the event where all of this data will live in MISP.

Give it a minute and you should see the new event is created and slowly populating with IoCs! Assuming you have automation set up on the MISP server, this event will be refreshed regularly.

TL;DR

Find a tag on GreyNoise you are interested in.
Get unique URL blocklist from the Trends page corresponding to the tag you’ve chosen.
Configure a new free-text feed in MISP using the URL you retrieved before.
Cache feed for initial pull (or wait for your automation).

Malware Analysis Tips: Analyzing an Emotet Maldoc

Mon, 14 Mar 2022 22:22:44 +0000

Overview

I came across a new Emotet campaign at work that was inevitably caught by our mail filter, but thought this was a good opportunity to learn more about extracting IoCs from these maldocs.

The Sample

Attribute	Value
SHA1	814b9961fbb5a75a00ca05591ac5a60d503bea22
Filename	INFO_405261.xlsm
Sender	mark.amarilla@abbraza[.]com.ph
Date Received	March 14th, 2022

Analysis

Upon opening the Excel document, you see a familiar banner urging users to allow macros - the banner is actually a static photo seen below by the context menu options.

Now something is a little fishy with this document, the gridlines look off - select a cell and you unveil some hidden text.

Next, you’ll want to grab all of these strings easily - use a simple trick to extract them from the maldoc; change the extension to .zip, unzip the maldoc and cat the shared strings table for some quick Cyber-Cheffin’.

cp INFO_405261.xlsm zipped.zip
unzip -d unzipped/ zipped.zip
cat unzipped/xl/sharedStrings.xml

Copy the file from stdout and paste into Cyber Chef so we can quickly replace unwanted characters - this could easily be done with sed or tr as well.

Now enjoy the fresh IoCs!

Conclusion

Hopefully learned a quick trick to extract strings and manually grab IoCs from an Excel file without even needing Excel to do so!

I didn’t even begin to go into analyzing the actual maldoc execution chain and seeing what else it tries to load and possibly drop onto disk - all which of course leads to more IoCs! I leave that up to the audience.

Technical Appendix

Table of IoCs

Type	Value
SHA1	814b9961fbb5a75a00ca05591ac5a60d503bea22
Filename	INFO_405261.xlsm
URL	hxxp://schemas[.]openxmlformats[.]org/spreadsheetml/2006/main
URL	hxxps://aservon[.]com/css/DhaDF9VHoru7/
URL	hxxps://www[.]hih7[.]com/wp-admin/nX8WbaRCZVyVXi/
URL	hxxps://afrivac[.]org/css/sZqqu3mYVHFK/
URL	hxxps://a-u-s[.]it/qLoyJJFV0q6Z2i/
URL	hxxps://actwell[.]fr/logs/g2xyR/
URL	hxxps://www[.]activ-shoes[.]ro/wp-includes/7Ob1hpWvAnpR2fK4/
URL	hxxps://getlivetext[.]com/wp-admin/6ZsANn00/

Zettelkasten For The Lazy

Sat, 23 Oct 2021 06:33:31 +0000

Index

What is Zettelkasten?

Before we can dive into note-taking methodology, a little background on the particular method we pursue here is helpful for context. Zettelkasten is a German word translating to “note box”. This was a system of note-taking pioneered by Niklas Luhmann - who essentially had a particular way of storing and taking notes which involved small index cards and a large chest with many drawers to store the notes in.

This is good to know but largely unimportant given that this original system was only applicable for physical note-taking. Thankfully we are in the 21st century and don’t need to lug around a chest full of notes and have to paw through stacks to find tidbits that mattered to us.

I will try to explain my system in a way that is tool-agnostic, given that there are several ongoing holy wars amongst the best note-taking application (my take is, who gives a damn - shut up and write).

So how does it work?

The most infuriating part about my research into Zettelkasten was, you ask 10 different people how they implement it and you’ll get 10 different answers, most involving some Byzantine structure and spartan-like discipline that I’ll never muster for note-taking.

Although I am ultimately contributing to the noise a bit, I’ve managed to develop a system that scales well and also doesn’t require a Type-A personality. The key takeaways from it are:

Take notes everyday. Period.
No screenshots. A picture’s worth a thousand words so don’t take the shortcut. Also gets messy for storage and archival purposes.
Avoid keeping multiple notebooks.
Your note-taking application of choice must always be open and ready.
Use cross-references.
Use citations.
5 different types of notes:
- Daily: Archive for processed temporary notes
- Source: The information backbone, contains notes with citations, tags, and cross-references
- Permanent: An atomic note without outside citation
- Project: Independent study, labs, CTFs, courses - will be turned into Source and Permanent notes
- Temporary: Notes taken daily that will be processed and possibly turned into Source/Permanent notes

Example workflow

So as I glossed over before, there are 5 types of notes that I utilize on a daily basis to form my knowledge base. I’ll go over a typical day of note-taking and how each note type is used.

First things, I leave my editor open to my Temporary note for that day. Everything gets dumped into the Temporary note, my to-do lists, articles I’m reading, ideas, etc. The point is to keep these notes as frictionless as possible so I keep writing.

So, let’s say I come across an interesting article on Detection Engineering - I’ll read this article and glean the important bits and throw them into my Temporary note. Now I’ll do a deeper dive on Detection Engineering in a Source note.

The subsequent Source note I create should first have a cross-reference added pointing to the Temporary note that spawned it. Then, I’ll find some other sources on Detection Engineering and pull out interesting parts and dump them into the Source note with citations.

Next, this same idea can tie into a Project note, for example a long-standing “Threat Hunting” project can now add the “Detection Engineering” Source note as a cross-reference.

After I feel like I’ve confidently explored the topic well enough and filled out the Source note, I can then begin filling out a Permanent note. The Permanent note is meant to be atomic (containing a single idea) and shouldn’t contain citations to outside sources. It is supposed to be the ultimate synthesized representation of our knowledge on the topic, essentially how we would explain the topic to someone if we didn’t have Google by our side.

Note how all of these additional notes were created from a single idea in a Temporary note, this is how a Temporary note gets processed. Once the day is done, if you are diligent and processed the Temporary note for that day - the Temporary note for that day gets archived in the Daily notes silo.

TL;DR

Take notes everyday about any media you consume.

Dump those free-flowing notes into a daily Temporary note. Process the Temporary notes - which cascades out into Projects, Permanent and Source notes.

Add references throughout all the notes so you can follow your train-of-thought, this is key. Once the Temporary note for the day is processed, archive it in the Daily notes silo.

We strive to create Permanent notes, they are the culmination of our knowledge. How better can you assess your knowledge of something than sitting down and writing 4-6 sentences about it without Googling anything?

Note that I didn’t get into folder structures and indexing, that is another holy war I don’t feel like starting, all I will say is that the 5 note types should be separated in their own silo.

As your Source notes grow, you will naturally find the need for folder categories and indexing in order to quickly get the information needed. I leave that up to the reader.

The maddening beauty of Zettelkasten is how everyone has their own implentation, hopefully this serves as a starting point (or endpoint for lazy people like me) for those looking to try out a new note-taking method.

Thanks for reading folks, feel free to reach out with any questions or comments!

Intro To Go - A Naive TCP Port Scanner

Mon, 24 May 2021 13:50:22 +0000

Intro

So over the weekend I picked up a copy of Black Hat Go by Tom Steele and have been following along. I have a little experience with Python and Bash, so Go wasn’t terribly hard to jump into but definitely different as I have zero experience with C or other similar languages.

So why choose Go to learn?

It’s minimalist as hell (the language spec is only 50 pages)
Concurrency is a big part of Go (unfortunately I won’t be utilizing that feature in this project)
Go can cross-compile static binaries!

The Naive Approach

Whenever learning a new programming language or concept, I find the “naive” approach works well. Instead of trying to implement the “best” approach to a problem, simply implement the first one that comes to mind and build off of that. I like taking a project-oriented approach to learning so I decided to build a “naive” TCP port-scanner utilizing what I’ve learned so far with Go.

The Code

The repo can be found here

package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
)

func main() {
	// open our file for reading
	file, _ := os.Open("ports.conf")

	// create a scanner object that reads the file we opened before
	// by default, NewScanner splits on newlines
	scanner := bufio.NewScanner(file)

	// we need to initialize an empty slice here for text in order
	// for the append function on line 25 to work
	var text []string

	// read in the file line by line, save it to "text" and close the file
	for scanner.Scan() {
		text = append(text, scanner.Text())
	}
	file.Close()
	// os.Args[1] parses argv
	TARGET := os.Args[1]
	fmt.Printf("The target is %s", TARGET)
	var openPorts []string
	for _, port := range text {
		fmt.Printf("\r\nCurrently scanning: %s:%s", TARGET, port)
		address := TARGET + ":" + port
		conn, err := net.Dial("tcp", address)
		if err != nil {
			//port is either filtered or closed
			continue
		}
		conn.Close()
		openPorts = append(openPorts, port)
		fmt.Printf("\r\n[*]Port %s is open!\n", port)
	}
	fmt.Printf("\nThe ports open for %s are %s", TARGET, openPorts)
}

Breaking Down The Code

    file, _ := os.Open("ports.conf")

ports.conf will be our config file, simply fill it up with newline separated ports we want to TCP scan

scanner := bufio.NewScanner(file)
var text []string
 for scanner.Scan() {
	text = append(text, scanner.Text())
}
file.Close()

this bit reads our ports file and stores the result as an array in a variable called text

TARGET := os.Args[1]
fmt.Printf("The target is %s", TARGET)
var openPorts []string

initialize our target as a constant that is read as a command line argument
e.g ./scan scanme.nmap.org
also declare a string array we’ll use to store open ports we find

for _, port := range text {
	address := TARGET + ":" + port
	conn, err := net.Dial("tcp", address)
	if err != nil {
		//port is either filtered or closed
		continue
	}
	conn.Close()
	openPorts = append(openPorts, port)

finally, we get to the meaty part of the scanner, the actual scanning routine that utilizes the built-in net package that golang provides
“err” lets us know if the port is filtered or closed
each open port we find gets appended to openPorts, the array we declared earlier

Conclusion

This is a really bad and slow TCP port scanner, there’s many things I would improve upon like:

making use of concurrency
scan top 100 ports by default
read multiple hosts
different type of scans (half-open, UDP, Xmas, etc..)
improving user UI

These features will come in the next iteration!

TraceLabs Search Party Write-up

Tue, 30 Mar 2021 16:37:57 +0000

DISCLAIMER: Please use the following techniques for good. Don’t be evil 🙂

Search Party CTF is an initiative by TraceLabs which is a gamified OSINT investigation involving real, active missing persons cases. Once the CTF begins you’re given a few different cases with the relevant background information and a short brief. You get points for finding things like e-mail addresses, home addresses, friends and family, etc. The point is to emulate what investigators actually do by casting a very wide net and going through the evidence piecemeal. I wanted to give a short write-up detailing one technique I was able to pull off which gave me the suspects vehicle information which includes; make, model, and year. While this technique is somewhat useless for professionals given the private records at their disposal, it is still very useful for the amateur sleuth.

PRE-REQUISITES

So, first things first, we need some basic information on our suspect before we can get their vehicle information. You didn’t think we could just type in someone’s name and get that information right? Err, actually, that’s pretty close to it. So the main mechanism we will be ~~abusing~~ utilizing is a simple auto insurance quote from Progressive.

We need a ZIP code first!

The zip code is easy enough since we already know the suspect is the victim’s parent and lived in the same city where the crime occurred. Next, we have a crucial piece of information leaked from a news article detailing where the victim was last seen.

Names, ages, and locations have been changed.

Now, we can pivot on this piece of information and use it against the results of some people search engines like whitepages.com or truepeoplesearch.com, which often have erroneous or outright wrong results.

So after some digging around on the people search sites and a few Google dorks later, we see an address matching the block number and neighborhood for the suspect. While this isn’t 100% accurate it’s still a pretty good indicator that the record in question may be accurate.

With this information we have all we need to pull down the vehicle records. After we enter the zip code on the Progressive page we visited earlier, it will prompt us for further information.

The name and birthdate literally do not matter at all – at least on Progressive’s website – the only thing that matters is the address being accurate. After we enter the correct information we finally get our payoff!

RESULTS

What do you think Batman drives when his car is in the shop?

And there we go! Police and other agencies are usually not too keen (for good reasons) on releasing this sort of information publicly but it can greatly aid investigators who lack the private resources that a LEO has. Cheers and happy hunting!

Creating a Windows Defender Rule for Spotify Connect Traffic

Sun, 17 Jan 2021 19:29:07 +0000

Quick post today about cleaning up your network traffic and nipping unnecessary broadcast traffic in the bud. I look at my Security Onion logs maybe once a day when I have time and I couldn’t help but always notice this particular log showing Spotify sending packets to broadcast quite often.

Taking a further look at the logs, I can see the packet data decoded which confirms this is Spotify sending UDP packets from my host to broadcast.

Now the Spotify Connect protocol is pretty cool and allow inter-connectivity between devices both running Spotify. Meaning I can play and control my song selection on my phone via my PC and vice versa. But is this something I need? Nope. So let’s create a quick Defender Firewall rule to block this functionality and clean up my Security Onion logs. First we are going to bring up the Firewall MMC snap-in and create a new Custom Outbound Rule.

Spotify has a weird default service path inside the User\AppData folder so hunt Spotify.exe down and add it to our rule.

In my case, the ephemeral port was 57612 for both local and remote port. Given the transient nature of ephemeral ports this could change but a quick Google search shows that this port is standard for Spotify Connect. So, we know that the protocol type is UDP and the port is 57612 – let’s further improve the rule on the next screen.

On the next prompt we can define the scope – this host is inside VLAN10 so I left the default ‘Any IP address’ since I don’t have to worry about other hosts on the subnet. Adjust accordingly for your own network.

On the next screen, we are going to naturally block this unwanted connection.

Next we’re going to apply this rule to all profiles, mileage may vary depending on any given person’s needs/usage.

Finally, we just name the sucker and let it rip!

Looking at my Security Onion logs, they are now just a little bit cleaner and I don’t have to weed through those broadcast alerts anymore!

How to Write a Script

Sun, 17 Jan 2021 01:15:08 +0000

Greetings! Today I will be sharing my general script writing process and how they can improve your workflow. Below is the script I created which I’ll be using to go over how I approach creating scripts to help my pentesting workflow.

#!/bin/bash
# AutoEnum by Droogy
#
# AutoEnum is a simple service scanner built around nmap
#
printf 'gimme target: '
read target
nmap -p- -T4 $target -oN portscan

# read portscan file output and turn into CSV formatted ports for nmap
cat portscan | grep open | cut -d '/' -f 1 | \
tr '\n' , > ports.txt

# read file into variable
ports=$(<ports.txt)

# script categories
# auth, broadcast, brute, default. discovery, dos, exploit 
# external, fuzzer, intrusive, malware, safe, version, and vuln
# should prob throw in UDP at some point
# -sU -top-ports 250

# finalized nmap scan to run against discovered ports
nmap -A -v -p$ports --script=discovery,vuln,brute\
--version-all $target -oN initial.log
clear
cat initial.log | grep tcp

So this script was developed while I was pursuing the eJPT certification and doing a lot of TryHackMe/VulnHub/HackTheBox/Hera boxes which naturally involves a TON of scanning and enumeration. This gets quite repetitive so I developed a script to make this process a bit easier.

I chose Bash as the language because it’s simple, readable, and super portable across Linux distros. I’m barely a competent programmer so if I can get an Nmap parser done in less than ten lines of bash imagine what you could do!

To begin with, we need to clearly define our problem, which makes coding much easier as we can break up our large problem into smaller ones. Some people like to use pseudo-code, but honestly any sort of pre-planning for a program/script works. The problem I need to solve can roughly be broken up into the following steps:

I need a full portscan on a target
parse those ports into a variable/file
Format them in a way that works with nmap
feed the ports back into nmap and re-enumerate the discovered ports, this time with script/service scanning

Let’s break the code into chunks and take a look at what each one does.

printf 'gimme target: '
read target
nmap -p- -T4 $target -oN portscan

This is pretty self explanatory, the script prompts the user for input, reads that into a variable and then runs a full portscan against that target and saves output into a file called “portscan”.

cat portscan | grep open | cut -d '/' -f 1 | \
tr '\n' , > ports.txt

Next up is an ugly little bit which formats our portscan results into a CSV formatted list of ports which we will need to feed back into Nmap in our next step. Let’s break up the code further and see what each bit does.

cat portscan – reads the portscan results
grep open – searches for the word “open”, which would be on the same line as the port we need to grab
cut -d '/' -f 1 – separates strings by the delimiter which is ‘/’ in our case and then the -f switch selects the first field, which is the port itself with no extra text
tr '\n' , > ports.txt – finally, the translate (tr) command replaces all new lines with commas – thus creating a list of CSV formatted ports which can be fed into Nmap!

To conclude, the above chunk of code turns a file this

Into this: 21,22,80

Next, since Nmap doesn’t exactly allow for reading a file with a list of ports, we will export the previous CSV list of ports into a variable with this neat bash trick.

ports=$(<ports.txt)

Finally, the last part is pretty self-explanatory, we start a comprehensive Nmap scan utilizing the open ports we found and then output these results to the terminal as show below.

nmap -A -v -p$ports --script=discovery,vuln,brute \
--version-all $target -oN initial.log ;
clear;
cat initial.log | grep tcp;

final output

Security Onion for the Home

Mon, 11 Jan 2021 16:16:33 +0000

Network Configuration

Quick note, you will need a SPAN port or some sort of network tap in order to properly monitor your network which is a feature most managed switches will have. In my case I’m using a TL-SG108E switch which manages 3 separate VLANs; VLAN1 is for my network appliances, VLAN10 contains about 10 IoT devices and a WAP, VLAN20 is for my personal workstations. VLANs work nicely in the SOC as I can quickly identify assets by their subnet.

The Install

So this is a fairly straight-forward post about my experience installing Security Onion on a Dell Optiplex 960 and hunting down my very first false-positive! To start with, the Optiplex has fairly low specs; 2 cores and 8GBs RAM (maxed out). I installed a Gigabit PCIe Ethernet card, thankfully the PC already had one so I just needed one extra.

After I made a bootable USB via Etcher I just had to install it, which proved a little annoying as the anaconda installer froze twice and the first time the anaconda installer worked as intended it failed at the last step of installation after about 45 minutes. Probably has to do with the low specs.

The Hunt

Shortly after firing up Security Onion, running so-allow from the Security Onion console and adding my private IP to the analyst role I was able to browse the SOC from my workstation in a separate VLAN, cool! Except I was quickly greeted with this log entry which is a bit worrisome.

“???” is a seemingly random IP which resolves to somewhere in Romania…crap.

I quickly regained composure and figured it was some sort of relay my VPN uses, so let’s quickly verify this. First thing I want to do is resolve this IP, so I fire up nslookup, change my server to my Pi-Hole (192.168.1.2), and enter the IP address in question and get this result.

A quick Google search for dataclub.info is pretty reassuring, seems to be a hosting provider which backs up my initial hypothesis for this being related to my VPN. We can further prove this with tracert.

Sure enough, the first hop is in the same Class A private address space as my network adapter for my VPN. Mystery solved!

How I Get My News

Thu, 07 Jan 2021 19:07:41 +0000

Intro

How do you consume your news? Podcasts? TV? Radio? Online publications?

All of these are fine and dandy for most people who might consume less than a dozen sources of news – but what about someone who follows hundreds of blogs/news organizations? If I spent everyday visiting blogs (that may not even be updated yet) and other various news sites to read their news and stay informed, I would literally have no time left in my day. Thus enters RSS.

What is RSS?

RSS is a protocol that allows for the transmission and aggregation of web content. Doesn’t really sound ground-breaking, so what does that mean for us? Let’s say XYZ News has an RSS feed, you just copy the link of the RSS feed and you simply import it to your RSS reader. XYZ News publishes a new post and it automatically gets transmitted over RSS into a neat text document in my RSS reader. Instead of checking hundreds of sources for news, I simply open up my RSS reader and all of my news is there.

Which RSS reader to choose?

Now the question of choosing an RSS reader was actually tough and rather annoying for such a simple protocol. Most RSS readers seemed insanely bloated and outdated (looking at you Thunderbird). I also wanted something open-source for Windows (so no Newsflow). So after a lot of messing around with various readers on my Windows host and giving up on running a reader on Windows altogether, I decided this is a perfect task for my Pi server which also serves DNS.

Miniflux

For this task I chose Miniflux, which would run as a service on my Pi and be accessible over my LAN. Side note here, I also use a PIA VPN so make sure you enable split-tunneling to reach your RSS server over LAN. You have to configure a new user for miniflux on the server which is simple enough. I had to add a line to the /etc/miniflux.conf file to bind the service to a different port and then restart the service. After that, I can now browse to my Pi’s local IP while connected to my VPN and have all my news in one source!

Posts on Caladan

How to Create a MISP Feed from a Greynoise Trend

Introduction

Getting Unique GreyNoise Trend URL

Creating the Feed in MISP

TL;DR

Malware Analysis Tips: Analyzing an Emotet Maldoc

Overview

The Sample

Analysis

Conclusion

Technical Appendix

Zettelkasten For The Lazy

Index

What is Zettelkasten?

So how does it work?

Example workflow

TL;DR

Further Reading

Intro To Go - A Naive TCP Port Scanner

Intro

The Code

Breaking Down The Code

Conclusion

TraceLabs Search Party Write-up

Creating a Windows Defender Rule for Spotify Connect Traffic

How to Write a Script

Security Onion for the Home

Network Configuration

The Install

The Hunt

How I Get My News

Intro

What is RSS?

Which RSS reader to choose?

Miniflux

Further Reading/Reference