WordPress.com forces you to use SMS-2FA

So I'm using wordpress.com as I definitely don't want the burden of running one of the most hacked CMSes myself!

Now that I finally found out that you can securely configure PayPal with TOTP 2FA, I revisited all my other accounts with SMS-2FA activated.

I still stand behind SMS-2FA being better than no 2FA at all, but if proper OTP-2FA or U2F is available, then SMS-2FA really becomes a security downgrade…

So I contacted @wordpressdotcom and got the following responses:

So I guess it boils down to saving money/earning more money being more important to them than security, which might bite them in the ass at some point…

BR

Sebastian


PayPal now Supports proper OTP 2FA Apps – but no Recovery Codes and no U2F!

In 2013 I published the blog post:

Paypal – How to not implement 2-Factor-Authentication

Since then PayPal has had a lot of hits and misses with 2FA, as you can find in countless blog posts out there.

I cannot tell you when exactly, but at some point in the last 2 years PayPal managed to implement support for proper 2FA OTP apps like Google Authenticator, Authy, LastPass Authenticator and YubiKey OTP, to name only a few!

You can set this up by logging into the PayPal website and navigating to the Security Settings:

It is now finally also possible to remove SMS-2FA entirely, which is a good idea when securing your money:

If your mobile phone number is still listed there, add a “Third-party code generator app”, switch it to your primary device and remove the mobile number!

I'm always of the mindset that SMS-2FA is better than no 2FA at all, but it's not state of the art and has proven easily breakable by SIM swapping!

No U2F – Will PayPal ever support it?

So before we praise PayPal for having managed to implement TOTP properly on their website (btw, they don’t offer recovery codes when setting up 2FA…), let's note that it is 2019 and U2F and cheap tokens like YubiKeys and even cheaper U2F-only tokens are now available and will prevent phishing of your second factor!

Read up on Wikipedia on how U2F prevents a MITM website from stealing your 2nd factor!

So definitely switch your PayPal account over to an OTP app like Authy and deactivate SMS-2FA, but beware that you still have to be careful not to enter your login credentials + 2FA code into a phishing site!
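To make the difference between the two second factors concrete, here is an added illustration (not code from the original post): a TOTP code relayed through a look-alike site is accepted by the real site, while a U2F-style assertion is not, because the browser binds the origin it is really talking to into what gets signed. HMAC stands in for U2F's ECDSA so only the standard library is needed; the secret, device key, origins and challenge are constructed sample values.

```python
# Added illustration, not code from the original post: why a relayed TOTP
# code is accepted by the real site while a U2F-style, origin-bound
# assertion is not. ECDSA is stood in for by HMAC so only the standard
# library is needed; secret, device key, origins and challenge below are
# constructed sample values.
import base64
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://real-site.example"      # constructed
PHISHING_ORIGIN = "https://rea1-site.example"  # constructed look-alike


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_relay_accepted(secret_b32, now):
    """The victim types the code into the look-alike site and the attacker
    forwards it to the real site within the same 30 s window. Nothing in
    the code records where it was typed, so the real site accepts it."""
    typed_into_phishing_site = totp(secret_b32, now)
    return typed_into_phishing_site == totp(secret_b32, now)  # the real site's check


def u2f_sign(device_key, challenge, browser_origin):
    """Authenticator stand-in: the browser binds the origin it is actually
    connected to into the data that gets signed (U2F client data)."""
    signature = hmac.new(device_key, challenge + browser_origin.encode(), hashlib.sha256).digest()
    return signature, browser_origin


def u2f_verify(device_key, challenge, signature, claimed_origin):
    """Relying-party check: the origin must be its own, and the signature
    must cover that origin together with the challenge it issued."""
    if claimed_origin != REAL_ORIGIN:
        return False
    expected = hmac.new(device_key, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def u2f_relay_accepted(device_key, challenge):
    """The phishing site forwards the real site's challenge, but the browser
    signs it for PHISHING_ORIGIN. Forwarding the assertion as-is fails the
    origin check; rewriting the origin field fails the signature check."""
    signature, origin = u2f_sign(device_key, challenge, PHISHING_ORIGIN)
    as_is = u2f_verify(device_key, challenge, signature, origin)
    rewritten = u2f_verify(device_key, challenge, signature, REAL_ORIGIN)
    return as_is or rewritten


def u2f_direct_accepted(device_key, challenge):
    """Same device and challenge with the browser really on REAL_ORIGIN."""
    signature, origin = u2f_sign(device_key, challenge, REAL_ORIGIN)
    return u2f_verify(device_key, challenge, signature, origin)
```

The TOTP function reproduces the RFC 6238 test vector (secret "12345678901234567890", time 59 gives 94287082 with 8 digits), so it can be checked against any authenticator app.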


Tenable Nessus Agents: Deploying Trusted Certificate for Nessus Manager on Virtual Appliance

If you want to deploy Nessus Agents in an on-premise Nessus Manager setup, you have to make sure Nessus Manager has a certificate which is trusted by the clients' OS and that Nessus Manager trusts the clients' computer certificates.

With the default self-signed certificate, linking of agents will not work. You might have found this out during agent linking and seen an SSL error like this:

[07/Apr/2017:11:57:47 +0100] [error] [msscan] Connection to manager for 'jobs?distro=es6-x86-64&platform=LINUX&sleep_time=10&ui_version=6.9.3' failed with code 0 [Connection to shared-nessusmanager:7021 failed with an ssl error] -- Last connection was Mon, 20 Feb 2017 18:51:18 GMT

Source: https://community.tenable.com/s/article/Connection-issues-with-a-new-Nessus-Agent-install

Nearly every environment I encounter has similar parameters:

  • A Windows Domain
  • Mainly Windows Clients and Servers
  • A Windows Certificate Authority (CA)
  • Nessus Manager running on Linux or the Tenable Virtual Appliance, which is based on Linux

If you want to deploy agents in a similar environment and are not certificate savvy, the following guide to deploying a trusted certificate on your Nessus Manager might help you!

Create a private key and CSR for your Nessus Manager

First we need a private key for the web server. If you do not know why, read up on PKI!

The easiest way to do this, especially if you want to choose a custom hostname for the certificate, is with openssl on a Linux or macOS host. It is possible on a Windows host as well (google it), and there are also websites out there that provide this as a service, but you should always think about whom you trust to share your private keys with!

openssl genrsa -out hostname.key 2048

Note: the name of the output file is arbitrary, but it makes sense to name it after the hostname so you don't mix things up!

Important: Do not send out this private key, ever! Just like a private key for SSH, a private key for a web server certificate should never be made public!

Important 2: RSA has been coming under criticism lately; there are newer and better cryptosystems than RSA. This discussion is not part of this blog post, but feel free to research alternatives to RSA private keys! Also, you have to decide if 2048 bits are strong enough for your environment. Best you read up on your company's security guidelines regarding certificates!

Now that you have a private key, you can create the CSR (Certificate Signing Request) that you can then send on to the CA administrator of the Windows domain:

openssl req -new -sha256 -key hostname.key -out hostname.csr

You will be asked a couple of questions about what data should be present in the certificate, with the most important one being the hostname.

Note: This will create a CSR without a SubjectAltName, which is nowadays required by Chrome. So if you want a certificate that is trusted in Google Chrome (the Nessus Agents won't care!), you have to awkwardly pass on the SubjectAltName via a config file, as for example described here.

Again: never send out the private key alongside the CSR! Only the CSR itself!

If you ever want to check the content of a CSR, for example to check if the SubjectAltName was included properly, you can use the following command:

openssl req -text -noout -verify -in hostname.csr

Request a signed certificate chain from the Windows Domain CA administrator

A lot of companies are running Windows CAs. Send the generated .csr (not the key!) to the CA admin and request specifically that they create:

  • A p7b certificate chain in base64-encoded format!

The default under Windows is often binary encoded, which will not be compatible with the next steps. If you are an OpenSSL/certificate expert you can convert nearly any format to any other, but if you were an expert you probably would not be reading this article, so make sure you get a base64-encoded p7b chain!

Convert the p7b chain into individual separate certificates

The p7b file will contain the entire chain in a single file, which will look/start like this:

$ head hostname.p7b

-----BEGIN CERTIFICATE-----
....truncated....
-----END CERTIFICATE-----

To feed this chain to the Tenable Virtual Appliance and a lot of Linux setups, you have to split this chain up into individual certificate files. First extract the certificates with the following command:

openssl pkcs7 -print_certs -in hostname.p7b -out hostname-chain.cer

The resulting .cer file will include 2-3 (possibly even more) separate certificates, depending on how long the chain is (how many sub-CAs there are between the root CA and the server cert).

It will look like this:

subject=/C=DE/O=COMPANY/CN=HOSTNAME
issuer=/DC=dir/DC=ads/DC=COMPANY/CN=SUBCANAME
-----BEGIN CERTIFICATE-----
MIIFxTCCBK2gAwIBAgITFgAAidyU5PhdMBcNUQABAACJ3DANBgkqhkiG9w0BAQsF
...truncated...
skf8mYVBARph81h6r6OL7URFmzFtAqOpEdECNxFcnXT3yw3cFKnpKBE=
-----END CERTIFICATE-----

subject=/DC=dir/DC=ads/DC=COMPANY/CN=SUBCANAME
issuer=/CN=ROOTCANAME
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgITTgAAAAUmKMuXfYiC4wAAAAAABTANBgkqhkiG9w0BAQsF
...truncated...
S3KQbG+pD8pDh+DKbjhUyAvMM237Fy7LxI47ee/qLm+8cR/qlFJsnrdynGQbL24z
bIc=
-----END CERTIFICATE-----

subject=/CN=ROOTCANAME
issuer=/CN=ROOTCANAME
-----BEGIN CERTIFICATE-----
MIIDEzCCAfugAwIBAgIQbDFHC4Zy1pBORbxJMUPMaDANBgkqhkiG9w0BAQsFADAc
...truncated...
xsTBh4bpqS3TraLTz0TGovjqTfAlQBA=
-----END CERTIFICATE-----

Split this text file into 3 separate text files, cutting each time after -----END CERTIFICATE-----. The subject and issuer lines above each certificate and the BEGIN/END markers can stay in the files to make it easier for a human to identify the content of the file.

Save the three textfiles as:

  • hostname.cer (the server certificate)
  • subca.cer (if a subca was present)
  • rootca.cer (always has to be present – it has signed the cert!)

Note that you actually have a fourth file: hostname.key, which is the matching private key for the server certificate.
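The manual splitting step above is easy to get wrong when the chain has several sub-CAs, so here is an added helper (not code from the original post) that splits the `openssl pkcs7 -print_certs` output into hostname.cer, subca.cer and rootca.cer by looking at the subject/issuer lines instead of file order; the sample bundle at the bottom is constructed in the layout shown above, with placeholder bodies instead of real base64.

```python
# Added helper, not code from the original post: split the bundle written by
# `openssl pkcs7 -print_certs` into hostname.cer, subca.cer and rootca.cer.
# Rather than trusting file order it uses the subject/issuer lines: the
# self-signed entry is the root, the entry that issues nothing is the server
# certificate, all others are sub-CAs and stay together in one file.


def parse_chain(text):
    """Return the bundle's entries in file order as dicts with subject, issuer, pem."""
    entries, current, pem = [], {}, None
    for line in text.splitlines():
        if line.startswith("subject="):
            current["subject"] = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            current["issuer"] = line[len("issuer="):].strip()
        elif line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
        elif pem is not None:
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                current["pem"] = "\n".join(pem) + "\n"
                entries.append(current)
                current, pem = {}, None
    return entries


def split_chain(text):
    """Map output file name to content; raise unless the bundle holds exactly
    one self-signed root and one server certificate."""
    entries = parse_chain(text)
    if any("subject" not in e or "issuer" not in e for e in entries):
        raise ValueError("no subject/issuer lines: run openssl pkcs7 -print_certs first")
    issuers = {e["issuer"] for e in entries}
    roots = [e for e in entries if e["subject"] == e["issuer"]]
    leaves = [e for e in entries if e["subject"] not in issuers]
    if len(roots) != 1 or len(leaves) != 1:
        raise ValueError(f"expected 1 root and 1 server cert, got {len(roots)} and {len(leaves)}")
    subcas = [e for e in entries if e not in roots and e not in leaves]
    def render(e):  # keep the human-readable header lines, as the post suggests
        return f"subject={e['subject']}\nissuer={e['issuer']}\n{e['pem']}"
    files = {"hostname.cer": render(leaves[0]), "rootca.cer": render(roots[0])}
    if subcas:  # one or more intermediates go into a single subca.cer
        files["subca.cer"] = "".join(render(e) for e in subcas)
    return files


# Constructed sample in the layout the post shows; the base64 bodies are placeholders.
SAMPLE_BUNDLE = """subject=/C=DE/O=COMPANY/CN=HOSTNAME
issuer=/DC=dir/DC=ads/DC=COMPANY/CN=SUBCANAME
-----BEGIN CERTIFICATE-----
SERVERCERTPLACEHOLDER
-----END CERTIFICATE-----

subject=/DC=dir/DC=ads/DC=COMPANY/CN=SUBCANAME
issuer=/CN=ROOTCANAME
-----BEGIN CERTIFICATE-----
SUBCAPLACEHOLDER
-----END CERTIFICATE-----

subject=/CN=ROOTCANAME
issuer=/CN=ROOTCANAME
-----BEGIN CERTIFICATE-----
ROOTCAPLACEHOLDER
-----END CERTIFICATE-----
"""
```

Write the returned dict out as files, then run `openssl verify -CAfile rootca.cer -untrusted subca.cer hostname.cer` to confirm the split files still form a valid chain before uploading them.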

Install the Certificate

Now that you have all the required files, you can go ahead and install the server certificate:

On the legacy Tenable Virtual Appliance

See: https://docs.tenable.com/appliance/4_8/Content/4.8_GuideTopics/CertificateManagement.htm?Highlight=certificate

Navigate to Applications -> Nessus -> and scroll down to the Certificate Settings:


Now provide the four files (Intermediate Certificates = SubCA certificates).

Note: If there is more than one SubCA/intermediate CA, don't split the SubCA chain; leave all SubCA certificates in one file to be uploaded here!

After providing the four files and clicking Install Server Certificates, you will see a green success message at the top of the screen, and this dialogue will show the newly installed certificate's information.

Important: Note down the “Not Valid After” date somewhere; best you set a reminder in your calendar, as your entire agent setup will stop working if you let the certificate expire! Best you keep the four files safe and, 4 weeks before the expiration date, create a new set of files / server certificate and replace the old one. If you make a mistake you can always quickly roll back to the old files and troubleshoot what you did wrong.

You still have to do one last step! The Nessus Manager will also verify the clients' computer certificates, which are also signed by the Windows CA. However, you have to specify the root CA as trusted for this separately, in the lower section of the dialogue shown above:


Here you only have to provide the root CA certificate, which is the same one from the four files you created above!

Note: This is basically just the public certificate of the root CA, which can be found everywhere on the domain. It will help Nessus Manager to validate the trust for the clients' computer certificates.

On the new Tenable Core Virtual Appliance

See: https://docs.tenable.com/tenablecore/Nessus/Content/TenableCore/ServerCertificate.htm

The steps are basically the same, which is why I will not post another set of screenshots here. Just follow the guide above and upload the four files and also the trusted CA again:

https://docs.tenable.com/tenablecore/Nessus/Content/TenableCore/TrustedCertificateAuthorityCertificate.htm

Important: Note that the Core appliance also keeps two different sets of certificates (one for the Core appliance's web interface on port 8000 and one for Nessus Manager on port 8834). Make sure to upload it at least to the Nessus Manager configuration, but feel free to also deploy it to the Core appliance web interface.

That's it!

If this helped at least one person struggling out there, I'm happy! Feel free to ask questions in the comments below if you encounter an issue with this guide and I will be happy to improve it where necessary!

BR
Sebastian


Setting up macOS to enable API & Python related stuff – the BREW way

Most people will either use:

  • Windows (you’re on your own buddy!)
  • Linux (you probably already have everything you need installed already!)
  • macOS (you’ve got a Terminal but all programs are old…)

So if you are using macOS, you kinda have a Terminal running Bash (for now) by default, but all programs are horribly old and won't get you far!

There are gazillions of different paths you can take to get decent python and pip versions and updated versions of other tools running!

Homebrew

I will describe just one of them: the BREW way. Taken from the documentation:

Homebrew is the easiest and most flexible way to install the UNIX tools Apple didn’t include with macOS.

The good thing: Homebrew will just conveniently install up-to-date UNIX tools beside the default Apple built-in tools without touching or removing them! So you can keep the default Bash and python from macOS but also install recent versions beside them in your profile and use them whenever you feel like it!

If you are familiar with brew, chances are you already have it installed on your macOS! If not, do not just blindly pull install scripts from the Internet and hope they won't own you!

Read up a bit! Ask professionals with Macs if they use brew and if they trust it! Do some research about what you are going to do!

If you can and have the time, you might even want to dig through the brew installer script before running it!

If you are paranoid: download the brew installer script manually from the GitHub repository before feeding it to ruby! Make sure it's the same as on GitHub before installing it, to verify it has not been tampered with during download!

After you have installed Homebrew you will use two commands often:

brew update

…to update your installed brew packages…

brew install PACKAGE

…to install a new UNIX tool.

Note: Homebrew will not replace the default macOS programs in your path! So if you, for example, installed Bash v4.x via Homebrew, macOS will not launch Bash v4.x when you open a terminal!

But you can always spawn a Bash v4.x instance by calling it from its installation directory:

/usr/local/bin/bash

Install bash & python & pip & pyTenable

Install Bash

First off, I would recommend installing a recent version of Bash to be able to run all bash scripts you encounter (there are scripts that will not work with macOS's old version of bash!).

brew install bash

Note: Remember, as stated above, that you have to drop into this new version of Bash 4.x by calling it directly:

/usr/local/bin/bash

Install Python, pip & pyTenable API Wrapper

When you have successfully installed Homebrew and played around with updating it and all installed packages, you can continue installing python and the pyTenable API wrapper:

brew install python

will install python (versions 2 and 3, including pip for both versions).

pip3 install pyTenable

will install the pyTenable API Wrapper.

Note: As there is no pip3 command on macOS by default, the Homebrew pip3 will automatically be the one in your path, and no dedicated call from /usr/local/bin is required.

That's it!

You are now able to use recent versions of Bash 4, python2, python3, pip2, pip3 and pyTenable!


pyTenable Python API Wrapper

Not all infosec professionals are programmers by trade. I encourage anyone working in infosec to learn as much programming as possible, but there are still a lot of jobs that don’t require in-depth programming and software architecture skills.

If you are like me and know your way around Python scripts and the small program here and there, you might appreciate a simplified API wrapper for the Tenable RESTful APIs, located here:

https://github.com/tenable/pyTenable

And its documentation, located here: https://pytenable.readthedocs.io/en/latest/

Some of the scripts and examples I will post here will be based on the pyTenable API wrapper.

Please note: you don’t have to use this; you can always look at the functionality and implement it completely on your own without this wrapper!

Feel free to get inspired by my examples, but always:

  • Check if they fit your needs or need to be edited!
  • Review their functionality and never use them in production without testing them beforehand in a lab or uncritical environment!
  • Alter, edit and advance them!

New Life in an old Blog!

I started this Blog to document and share my experience with and around Checkpoint Firewalls.

Since then I have switched Jobs and have not touched a Checkpoint Firewall in years!

However, I became a Tenable partner and touched and built a lot of Tenable setups (mostly SecurityCenters), so I have gathered a lot of knowledge and best-practice know-how around Tenable’s product suites.

So stay tuned for new Life in this old blog and regular updates around Tenable’s products and API automation.


Assemble your own affordable Treadmill Desk!

Ever since I listened to Neal Stephenson’s book Reamde I have wanted to get a treadmill desk!

For a long time I thought you needed to buy expensive ones for a couple thousand dollars, like the Uplift Desk ones.

Now I found out that you can assemble a decent one for just 550 euros with:

  • Ikea desk SKARSTA – 199€
  • And a cheap LONTEK treadmill from Rakuten – 350€

The result looks decent and works like a charm:


If you don’t think you can work effectively while walking, please go and try it out somewhere! It works pretty well and you are not sitting the entire day!

I know this sounds a lot like advertisement, but all links above are without any affiliation and I just want to share my experience with the desk!

BR
Sebastian


Published my Second Book: Penetration Testing mit mimikatz

Hello,

since the beginning of July 2019 my new book “Penetration Testing mit mimikatz” has been available directly from the publisher mitp and the usual shops like Amazon!


Keep on Roasting!


I am the Evil!

Update July 30th 2018: it seems that Microsoft's SmartScreen team fixed this swiftly after my review request. So props to Microsoft. Misclassifications can happen; a swift and productive response is all one can ask for!

Microsoft seems to think I am evil…

I just want to assure everyone that I am not hosting any kind of malware on my site and do not collect any personal information in my Blog.

This blog is purely to write about IT Security related topics and to publish my CV.

The WordPress is hosted and being kept up to date by wordpress.com and uses no custom plugins on my part, so a basic vanilla wordpress.com blog.

I cannot vouch for wordpress.com’s hosting, but I think that a WordPress-focused professional hoster will keep the best patch level possible for WordPress.

I imagine some overeager proxy admin saw evil haxing tools and reported my site as malicious. I already requested a re-evaluation from Microsoft's SmartScreen team and hope this will get resolved quickly!

BR
Sebastian


Controls to prevent Petya Outbreak and harden your environment in the future

A quick post with a collective list of measures that can be undertaken to harden your environment and prevent a Petya outbreak.

Backups, Backups, Backups and Restore!

  • With the current ransomware threats, a working backup and, even more important, a working restore saves you from death!
  • Seriously, check if you are really able to restore critical servers.
  • VM Snapshot based backup / restore tends to be much faster than oldschool file based backups.
  • Databases tend to need special attention when it comes to backup and restore.
    • How much data will you lose between backup cycles?

AV :-)

Prevent spread via MS17-010

  • Patch your shit!
    • WSUS
    • Proper Patch management Processes
    • think of 3rd party tools/patches too!
  • Use vulnerability scanners and management products like Tenable Nessus and SecurityCenter (or others…) to keep a constant eye on critical vulnerabilities.
    • MS17-010 is now older than 3 months!
  • Disable SMBv1
    • MS17-010 is based on SMBv1 vulnerabilities.
    • Further vulnerabilities in this legacy protocol could come along in the future!
  • Block inbound TCP139/445 on machines where possible
    • At least between clients and client subnets!
    • Clients should not need to access each other via SMB – they should rather use central file and printservers
    • You obviously have to keep those ports open on fileservers and other servers where those Ports are required.
    • Be cautious not to break file server / DFS sync
  • NEVER expose TCP 135/139/445 to the internet!

Prevent PSexec + WMI Spread:

  • Block inbound TCP 135, 139, 445 on machines where possible
  • Use AppLocker / SRP to prevent creation of C:\Windows\perfc.dat
  • Make sure to limit privileges:
    • Do not work with Admin accounts
    • Never work with Domain Admin account if not absolutely necessary
    • Users should have no permissions on servers / not be able to log onto servers
    • Admins/Supporters should have special accounts for supporting and not do their daily routine with accounts that have admin rights on all clients
    • Do not use the same local admin creds on all systems
  • Prevent future PTH (heavy read):

Inform your users / Heighten awareness

  • Even if you don’t often inform your users – now is the time!
  • Ask everyone to be careful and cautious
  • Ask users to double-check strange mails with IT support
    • Be able to help users swiftly who contact IT support for this
  • Show them pictures of initial vectors (if available – mails, attachments)
  • Show them pictures of compromised systems
  • Ask users to disconnect and power off compromised systems immediately to prevent spreading
    • This Could lead to data loss for some ransomware that leaves keys in memory
    • However spreading is probably bigger issue!
    • It’s your decision in the end!


This list is obviously not all you can and should do for proper IT security management!
These controls, however, are meant to specifically help with the current Petya outbreak.

Did I miss something vital?

Put it in the comments below and I will add it!

BR
Sebastian
