What is the OWASP Top Ten?

The OWASP Top 10 is a list of critical security vulnerabilities for web applications.  OWASP stands for the Open Web Application Security Project, which is a nonprofit foundation dedicated to improving the security of software.  The OWASP Top Ten list is updated every several years to reflect the changing cybersecurity landscape and to direct focus onto the most important current security issues.  The OWASP Top Ten for 2021 is as follows:

  • A01:2021-Broken Access Control allows an attacker to gain access to user accounts. The attacker in this context can function as a user or even an administrator of the system. This can be secured by ensuring that all accounts use the principle of least privilege and unused accounts are disabled immediately.

  • A02:2021-Cryptographic Failures occur when important stored or transmitted data is compromised. This vulnerability is also known as “Sensitive Data Exposure.” This can be improved by properly encrypting data at rest as well as data in transit.

  • A03:2021-Injection, or more specifically “Code Injection,” occurs when invalid data is sent by an attacker into a web application in order to make the app do something it was not designed to do. Writing secure code that is resistant to input fuzzing can help secure against this type of vulnerability.

  • A04:2021-Insecure Design is a generic term for web application vulnerabilities that are related to design flaws. Improvements in this category require the use of threat modeling, secure design patterns and principles, and reference architectures.

  • A05:2021-Security Misconfiguration describes design or configuration weaknesses that are the result of errors or shortcomings. Proper development and quality assurance testing will help secure against misconfigurations.

  • A06:2021-Vulnerable and Outdated Components relates to devices with known vulnerabilities that need to be patched. If a device or piece of software cannot be patched, it should be removed or replaced with a more secure option.

  • A07:2021-Identification and Authentication Failures lead to compromised passwords, keys, and sessions, which can translate to stolen user identity. This can be secured through proper user authentication and session management, as well as user education regarding password hygiene.

  • A08:2021-Software and Data Integrity Failures can occur when software updates or critical data is used without verifying integrity. This can be improved through hashing techniques to verify data accuracy and integrity.

  • A09:2021-Security Logging and Monitoring Failures are common when logging is not performed frequently and consistently. This type of failure can result in data exfiltration and other attacks.

  • A10:2021-Server-Side Request Forgery happens when a web application fetches a remote resource without validation, which can give an attacker access to critical data regardless of firewalls or other defensive tools. Proper validation is required to protect against this threat.

For more information about each vulnerability and how to defend against these attacks, check out the OWASP Top Ten website.  Thanks for reading - check out my YouTube channel for more!

https://owasp.org/www-project-top-ten/

LAB: SpiderTrap

This a description of my experience working on the labs offered by Black Hills Information Security called “Advanced C2 PCAP Analysis” and “RITA.” I completed these labs in May of 2022 as part of the “Active Defense - Cyber Deception” live class offered by John Strand and Antisyphon Training. If you want to do the labs yourself, check out their class here! The lab walkthroughs are also available on GitHub.

Image credit: Nathan Dumlao

This lab covers a tool called SpiderTrap that can be used to catch and slow down web crawling bots that attempt to enumerate your web server for malicious reasons. It does this by generating lots of random links for the spider to examine and waste its time on.

I began the lab by opening my virtual machine in VMware, which was provided by BHIS as part of the class downloads. I opened a terminal as administrator, clicked the dropdown menu and opened an Ubuntu shell. I changed directories into the location of the spidertrap installation (/opt/spidertrap) and ran ifconfig to determine my IP address. I then started the trap by running the following command:

python3 spidertrap.py

This displayed the randomly generated links, which just lead to more random links if they are clicked on. Below is a screenshot of the result. I then stopped the tool from running.

I then moved on to the next step of the lab, which was to start SpiderTrap again, but this time with a directory list enabled to make the links look like real directories, which further obfuscates the fact that this is acting as a trap.

A normal penetration test involves starting with an automated scan, where the pentester starts the scan and then lets it run while doing something else. If they run into SpiderTrap while the automated scan is running, this could either fill the pentester’s hard drive or completely exhaust the memory of the pentester’s computer. Either way, it is disruptive and can slow down a penetration tester or attacker, which gives time for network defenders to take further action to secure the systems.
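To make the mechanism concrete, here is an added example of a minimal link trap in the same spirit as SpiderTrap. It is not SpiderTrap's own code: the handler, the sample directory names and the page layout are all assumptions. Every page it serves is full of links to further trap pages, either random strings or names drawn from a "directory list" so they look like real paths, and every request is logged, which is the detection value of running a trap at all.

```python
import random
import string
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample "directory list": realistic names make the links look
# like real content rather than a trap (not SpiderTrap's own list).
SAMPLE_DIRS = ["admin", "backup", "images", "uploads", "api", "old", "private"]


def random_path(rng: random.Random, wordlist=None) -> str:
    """One trap link: 1-3 path segments, either random letters or wordlist names."""
    depth = rng.randint(1, 3)
    if wordlist:
        parts = [rng.choice(wordlist) for _ in range(depth)]
    else:
        parts = ["".join(rng.choices(string.ascii_lowercase, k=rng.randint(4, 10)))
                 for _ in range(depth)]
    return "/" + "/".join(parts)


def trap_page(rng: random.Random, n_links: int = 25, wordlist=None) -> str:
    """An HTML page whose only content is n_links links to more trap pages."""
    links = "\n".join(
        f'<a href="{random_path(rng, wordlist)}">page {i}</a>' for i in range(n_links)
    )
    return f"<html><body>\n{links}\n</body></html>\n"


class TrapHandler(BaseHTTPRequestHandler):
    """Serves a fresh trap page for any path; a crawler never reaches an end."""
    wordlist = None  # set by serve(); None means random-string links

    def do_GET(self):
        # Each hit is a signal for defenders: record who is crawling and what for.
        self.log_message("trap hit from %s path=%s ua=%s",
                         self.client_address[0], self.path,
                         self.headers.get("User-Agent", "-"))
        body = trap_page(random.Random(), wordlist=self.wordlist).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port: int = 8000, wordlist=None) -> None:
    """Run the trap; press Ctrl-C to stop. Bind to a test host only."""
    TrapHandler.wordlist = wordlist
    HTTPServer(("0.0.0.0", port), TrapHandler).serve_forever()


if __name__ == "__main__":
    serve(8000, SAMPLE_DIRS)  # with a directory list, as in the lab's second step
```

Run it, then fetch http://localhost:8000/ with a browser: every link leads to another page of links, exactly the behaviour the lab shows, and the server's log lines give you the crawler's source address and user agent.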

You can learn more about SpiderTrap here. Thanks for reading!

LAB - Advanced C2 PCAP Analysis | Using RITA as an “Easy Button”

This a description of my experience working on the labs offered by Black Hills Information Security called “Advanced C2 PCAP Analysis” and “RITA.” I completed these labs in May of 2022 as part of the “Active Defense - Cyber Deception” live class offered by John Strand and Antisyphon Training. If you want to do the labs yourself, check out their class here! The lab walkthroughs are also available on GitHub.

These labs show two ways of analyzing packet capture data, also known as PCAP analysis. The “manual” way is by using tcpdump to look at SYN packets, while the “easy” way is to use an open source tool called RITA.

The first step of the “manual way” was to open a Windows terminal as Administrator. I then opened an Ubuntu tab, as seen in the image below.

Next, I moved into the directory where the pcap file was stored and ran the following command (see below) to analyze the file with tcpdump. As stated in the lab instructions, “the -nA option tells tcpdump not to resolve names (n) and print the ASCII text of the packet (A).” The “-r” option allows us to read the file, and piping it through “less” allows us to view the data section by section.

sudo tcpdump -nA -r covertC2.pcap | less

Running this command opens a tcpdump session. The information displayed here is certainly not easy to parse if you are just getting started looking at pcap data. The interesting data here is the SYN packets that are all 30 seconds apart. To see the SYN packets, run the following command:

sudo tcpdump -r covertC2.pcap 'tcp[13] = 0x02'

This filters the data by showing “all packets with the SYN bit (0x02) set in the 13th byte offset in the TCP/IP header (tcp[13]).” This confirms that the packets are all 30 seconds apart. We can also grep any instances of “hidden” using the following command:

sudo tcpdump -nA -r covertC2.pcap | grep "hidden"

This returns some random-looking data followed by an “=” sign. This indicates Base64 encoded data, which could be malicious or benign. Either way, it should encourage us to dig deeper and look into this data more. In this case, this data appears to be a malicious PowerShell command to “download and execute Powersploit, which then invokes a Metasploit Meterpreter on the system.”

Without a solid understanding of tcpdump and python, malicious code like this might go unnoticed on a network. An easier way to detect this type of code is by using an open source tool such as RITA.

The “beacons” tool in RITA sorts connections by the consistency of their “heartbeat.” A value of “1” is considered perfect, where a connection is happening at a consistent interval. The image above shows the destination IP of 138.197.117.74 with a nearly perfect “heartbeat score.” A consistent heartbeat is not inherently dangerous, but the egregious number of connections (4532) in this case is very suspicious. This is an indication of a beacon that is calling home to wait for commands from an attacker.

Another way to use RITA is to look at when specific requests are being made for certain domains. By clicking “DNS,” we can see that there were over 40,000 requests for a website called “nanobotninjas.” This is a strong indicator of a backdoor present on the network that is receiving (or waiting for) commands from an attacker.
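The two techniques above, pulling SYN packets out of tcpdump output and RITA's "heartbeat" scoring, can be tied together in a few lines. The following is an added example, not part of the labs or of RITA: it parses constructed tcpdump-style SYN lines, groups them by source and destination, and computes a simplified regularity score (1 minus the relative spread of the intervals, clipped to 0) together with the connection count. RITA's real beacon score is a richer combination of interval and size statistics; this simplified score is my own assumption and is only meant to show why a 30-second heartbeat stands out.

```python
import re
from statistics import mean, pstdev

# Matches the start of a tcpdump line for a SYN-only packet, e.g.
# "12:00:00.000000 IP 10.0.0.5.49152 > 203.0.113.10.443: Flags [S], ..."
SYN_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) IP (\S+) > (\S+): Flags \[S\]"
)


def _strip_port(addr: str) -> str:
    """tcpdump prints 'ip.port'; drop the last dotted component."""
    return addr.rsplit(".", 1)[0]


def parse_syns(lines):
    """Yield (seconds_since_midnight, src_ip, dst_ip) for each SYN line."""
    for line in lines:
        m = SYN_RE.match(line)
        if not m:
            continue  # ACKs, payload dumps and other output are ignored
        h, mi, s, frac = (int(m.group(i)) for i in range(1, 5))
        t = h * 3600 + mi * 60 + s + frac / 10 ** len(m.group(4))
        yield t, _strip_port(m.group(5)), _strip_port(m.group(6))


def beacon_report(lines, min_conns: int = 3):
    """Per (src, dst) pair: connection count and a regularity score in [0, 1]."""
    times = {}
    for t, src, dst in parse_syns(lines):
        times.setdefault((src, dst), []).append(t)
    report = []
    for (src, dst), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()  # a capture that crosses midnight would need date handling
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(intervals)
        score = max(0.0, 1.0 - pstdev(intervals) / avg) if avg > 0 else 0.0
        report.append({"src": src, "dst": dst, "count": len(ts),
                       "interval": round(avg, 1), "score": round(score, 3)})
    return sorted(report, key=lambda r: (-r["score"], -r["count"]))


def _ts(sec: float) -> str:
    h, rem = divmod(int(sec), 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{int(round((sec % 1) * 1e6)):06d}"


def sample_lines():
    """Constructed tcpdump-style output (not from the lab's pcap): one host
    beaconing about every 30 s to 203.0.113.10 and one irregular set of
    connections to 198.51.100.7, plus a non-SYN line that must be skipped."""
    lines = []
    for t in (0, 30, 59, 90, 120, 150):
        lines.append(f"{_ts(t)} IP 10.0.0.5.49152 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0")
    for t in (3, 8, 128, 130, 190):
        lines.append(f"{_ts(t)} IP 10.0.0.5.50000 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0")
    lines.append(f"{_ts(0.1)} IP 203.0.113.10.443 > 10.0.0.5.49152: Flags [S.], seq 2, ack 2, length 0")
    return lines


if __name__ == "__main__":
    for row in beacon_report(sample_lines()):
        print(row)
```

Feed real data with `sudo tcpdump -n -r covertC2.pcap 'tcp[13] = 0x02' | python3 beacons.py` after changing the `__main__` block to read `sys.stdin`; the pair with the highest score and the largest count is the one to investigate first, which is the same judgement the RITA screen in the lab leads you to.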

Open source tools like RITA are great for visualizing data patterns over longer time spans. Understanding the data in this context allows defenders to see trends and take appropriate actions to protect their networks. You can learn more about RITA here. Thanks for reading!

What is the Log4j Vulnerability?

Log4j is a widely used logging library for applications written in the Java programming language. It records what happens while a Java program runs. NPR spoke to Andrew Morris, founder and CEO of cyber intelligence firm GreyNoise, who described Log4j as “…a modular component that's used in many, many different kinds of software. And its job is... just basically recording things that happened and writing them to another computer somewhere else.” In December of 2021, Log4j was found to be vulnerable to remote code execution.

Put more simply, Log4j is a vulnerable logging library that allows attackers to take control of remote devices running Java software. This represents a severe security risk. Gadgets 360 reports that Amit Yoran, chief executive of Tenable, a network security firm, and the founding director of the US Computer Emergency Readiness Team, said "the Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade."

One of the most popular programs affected by this vulnerability is Minecraft. John Hammond, a noted cybersecurity researcher, recently posted a video showing how Log4j could be exploited in Minecraft, allowing a remote user to access the calculator of a system (proving that any other program or command could also be run). Tech Times posted an article detailing how Minecraft users can defend against this threat.

Unfortunately, Minecraft is not the only vulnerable software. Speaking to CNET, Nadir Izrael (CTO and co-founder of IoT security company Armis) said that “generally speaking, any consumer device that uses a web server could be running Apache. Apache is widely used in devices like smart TVs, DVR systems and security cameras. Think about how many of these devices are sitting in loading docks or warehouses, unconnected to the internet, and unable to receive security updates. The day they're unboxed and connected, they're immediately vulnerable to attack."

To mitigate this threat, users should continue to install all security patches and updates as soon as possible. As companies roll out patches to this vulnerability, it is important to stay on top of those updates!

The Return of PunkSpider

PunkSpider is a tool that automatically crawls the internet searching for vulnerable websites. It then lists those websites and their vulnerabilities in a public database with the intention of creating a more secure online world. It was originally launched by developer Alejandro Caceres and his company Hyperion Gray, but was eventually shut down. It is slated to return at Defcon in August of 2021. But what does this really mean for vulnerable websites?

When asked about his intentions with this tool, the developer said “wouldn’t it be cool if I could scan the entire web for vulnerabilities? And to make it even more fun, wouldn’t it be cool if I released all those vulnerabilities for free? I knew it was going to have some kind of implications. And after I started thinking about it, I really thought they might be good” (Caceres, WIRED article).

The other side of the argument comes down to timing. Regardless of the good intentions, “bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches” (Karen Gullo, email to WIRED).

This raises the question: should a tool like PunkSpider exist? Should those vulnerabilities be made public? Will this lead to more ransomware attacks? Caceres responded to these concerns by saying “you know your customers can see [the vulnerabilities], your investors can see it, so you’re going to fix that s*** fast.”

What do you think about PunkSpider? Leave a comment below. Thanks for reading!

Get Started in I.T. with TryHackMe Pre-Security

Click on the image to visit TryHackMe.com and create an account!

TryHackMe is a cybersecurity learning platform used by over 500,000 people. In July of 2021, TryHackMe released a new training module called “Pre-Security.” This learning path is great for anyone getting started in I.T., offering interactive lessons with questions to test your knowledge as you learn.


What Does “Pre-Security” Cover?

These sections are available in the “Pre-Security” learning path.

After a brief introduction, the learning path breaks into four primary areas (as seen in the screenshot above). The first category, Network Fundamentals, breaks down the following concepts in five rooms:

  • What is Networking?

  • Intro to LAN

  • OSI Model

  • Packets & Frames

  • Extending Your Network

The next section titled How The Web Works covers these concepts in the next four rooms:

  • DNS in Detail

  • HTTP in Detail

  • How Websites Work

  • Putting it All Together

The path continues on to focus on Linux Fundamentals in three rooms, covering:

  • Basic commands in the terminal

  • Using SSH and interacting with the file system

  • Common utilities used in Linux

Finally, the path wraps up with two rooms focused on Windows Fundamentals, focused on:

  • Desktop, NTFS, UAC, and the Control Panel

  • System Configuration, UAC settings, Resource Monitoring, and the Windows Registry


Who is This Training For?

Here’s an example of the platform in action.  This room is called “What is Networking” and is part of the “Pre-Security” path.

“This learning path will teach you the pre-requisite technical knowledge to get started in cyber security. To attack or defend any technology, you need to first learn how this technology works. The Pre-Security learning path is a beginner friendly and fun way to learn the basics. Your cyber security learning journey starts here!”

- TryHackMe, Pre-Security

As stated on the website, this path is for anyone getting started in IT networking and/or security. It’s a great way to get hands-on with basic IT concepts. Sign up and try it out today!

What is the OSI Model?

The OSI Model describes how data travels across a network.  (Photo credit: Thomas Jensen)

The Open Systems Interconnection (OSI) Model is a framework describing how network devices transmit and use data. It consists of seven layers, as seen and briefly described here:

  • Layer 7: Application (a user interacts with the data)

  • Layer 6: Presentation (data is translated between application and the network)

  • Layer 5: Session (devices are synced up so they can communicate)

  • Layer 4: Transport (data is classified as segments via reliable TCP or as datagrams via fast UDP)

  • Layer 3: Network (logical routing is determined via the shortest and/or most reliable path using IP addresses)

  • Layer 2: Data link (physical addressing is determined using MAC addresses)

  • Layer 1: Physical (the raw bits are physically transmitted as electrical, optical or radio signals)
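The layer list is easiest to understand by watching data pass down through it: each layer wraps what it receives from the layer above in its own header. The following is an added example, not from the original post: it builds a UDP segment (layer 4), wraps it in an IPv4 packet with a correctly computed header checksum (layer 3), wraps that in an Ethernet frame addressed by MAC (layer 2), and then unwraps the frame again layer by layer. The addresses, ports and payload are constructed sample values.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Layer 4: 8-byte UDP header (ports, length, checksum) + application data.
    A zero checksum means 'not computed', which IPv4 permits for UDP."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def ipv4_packet(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Layer 3: 20-byte IPv4 header with logical (IP) addresses and TTL 64."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(segment), 0, 0, 64, 17, 0,  # proto 17 = UDP, checksum 0
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    # Checksum is computed over the header with the checksum field set to zero.
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + segment


def ethernet_frame(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Layer 2: destination MAC, source MAC, EtherType 0x0800 (IPv4)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + packet


def encapsulate(payload: bytes) -> bytes:
    """Application data travelling down layers 4, 3 and 2 (sample addresses)."""
    seg = udp_segment(40000, 53, payload)
    pkt = ipv4_packet("192.0.2.10", "203.0.113.10", seg)
    return ethernet_frame("02:00:00:00:00:01", "02:00:00:00:00:02", pkt)


def decapsulate(frame: bytes) -> dict:
    """The receiving side: peel off each layer's header and report its fields."""
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    udp_hdr = frame[14 + ihl:14 + ihl + 8]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp_hdr)
    return {
        "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "src_ip": socket.inet_ntoa(ip_hdr[12:16]), "dst_ip": socket.inet_ntoa(ip_hdr[16:20]),
        "ttl": ip_hdr[8], "protocol": ip_hdr[9],
        "ip_checksum_ok": checksum(ip_hdr) == 0,  # valid header sums to zero
        "src_port": src_port, "dst_port": dst_port,
        "payload": frame[14 + ihl + 8:14 + ihl + udp_len],
    }


if __name__ == "__main__":
    f = encapsulate(b"example query")  # constructed application-layer data
    print(len(f), "bytes on the wire")
    print(decapsulate(f))
```

Note which addresses live where: MACs in the layer 2 header are rewritten at every hop, while the IP addresses in the layer 3 header stay the same end to end, which is the practical difference between "physical addressing" and "logical routing" in the list above.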


How to Memorize the OSI Model

To memorize the order of the OSI layers, it can be helpful to use mnemonic devices such as:

  • Layers 7 to 1:

    • All people seem to need data processing.

    • APS transports network data physically.

  • Layers 1 to 7:

    • Please do not throw sausage pizza away!

    • Please do not touch Steve’s pet alligator!


More Resources

This guide just scratches the surface of defining the OSI Model. For more in depth understanding, check out these resources!

Thanks for reading!

Common Port Numbers

I.T. security professionals need to have a solid understanding of common port numbers and the protocols associated with each one. The best way to learn about these ports is to get hands-on with the protocols listed below.

The following list doesn’t cover every port you will ever need to know, but instead is a list of the ports I studied when preparing to take the CompTIA Security+ exam. There might be a few missing here that you should in fact know, and there may be extra ports here that you wouldn’t really need to know for the Security+ exam, but it wouldn’t hurt to learn them as well! This isn’t meant to be an exhaustive list, but instead one resource among many that you can use to gain knowledge.

I recommend making physical flash cards and creating a “memory palace” that connects each port number to an idea that makes sense for you. For example, I remember Telnet is TCP port 23 because Michael Jordan’s number was 23 and he always hits nothing but “net.” To someone who doesn’t like basketball, that might not help. This is why you should connect the protocols and ports to ideas that resonate with you!

All ports are TCP unless specified:

  • 20-21 FTP

  • 22 SSH and SFTP and SCP

  • 23 Telnet

  • 25 SMTP

  • 49 TACACS

  • 53 DNS

  • 67/68 DHCP (UDP)

  • 69 TFTP (UDP)

  • 80 HTTP

  • 88 Kerberos (TCP/UDP)

  • 110 POP3

  • 123 NTP (UDP)

  • 137 NetBIOS

  • 143 IMAP4

  • 161 SNMP (UDP)

  • 162 SNMP Trap (TCP/UDP)

  • 179 BGP

  • 389 LDAP (TCP/UDP)

  • 443 HTTPS (HTTP over SSL)

  • 500 ISAKMP VPN (UDP)

  • 514 Syslog (UDP)

  • 636 LDAPS (LDAP over SSL)

  • 989 FTP over SSL

  • 990 FTPS

  • 993 IMAP over SSL

  • 1701 L2TP (UDP)

  • 3389 RDP (TCP/UDP)