Bad Sector Labs Blog

Pelican + Gitlab CI/CD + Docker + AWS = Awesome Static Site

By: Erik

All the code referenced in this post (and even this post itself) is available on gitlab.

Choosing a static site generator

Setting out to start a blog, there are tons of options. The classic Wordpress, the upstart ghost or the many static site generators like Jekyll, Hugo, Octopress (abandoned), and Pelican. After looking at each option, I settled on pelican because I wanted a static site (one less server to deal with), it's written in Python (one of my preferred languages) and it has an extensive library of themes to use as a base. I decided on the m.css theme because I liked its dark theme and lack of javascript (shout out to anyone reading this via the Tor browser) and it has great support for code. I've only had to make a few small tweaks to m.css to make it my own.

Getting started with Pelican is simple, follow the m.css quickstart.

Pelican has a cool feature which makes tweaking themes or writing content easy - the devserver.

$ cd /dir/of/pelican/blog
$ make devserver
<lots of output>
Pelican and HTTP server processes now running in background.
$

Now Pelican is watching your files for changes, and will re-compile articles when you save a change. Keep an eye on the terminal running the devserver though, if a change causes an error in Pelican it will show up there and your browser will not see anything new.

Creating content is as easy as writing a reStructuredText document in the content directory. reStructuredText is awesome, and if you've used Markdown (Pelican also supports Markdown if you prefer) before, it has the same general feel. The m.css writing content guide is a great primer on reST. The only issue I have with reST is that markup can't be nested, so italicising a link is not as simple as wrapping it in *. For instance, you would think that last writing content link would be written as

*`writing content <http://mcss.mosra.cz/pelican/writing-content/>`_*

But that is not allowed, so you have to define a directive at the top of the document to allow raw HTML and use it in-line later, as so:

.. At the top of the document before any content
.. role:: raw-html(raw)
     :format: html
.. In-line
:raw-html:`<em><a href="http://mcss.mosra.cz/pelican/writing-content/">writing content</a></em>`

Hosting a static site

Just like static site generators, there are a few static site hosts to choose from: Google, GitHub Pages, GitLab Pages, and Amazon's S3.

I chose S3, mostly because I am already familiar with AWS and am using it extensively for another project (hamiltix.net) which will be detailed in a future post. For the first 12 months on AWS you get 5GB of S3 storage free, as well as 20k get requests and 2k put requests per month. Combine this with Cloudfront (AWS's CDN) and even if reddit tries to hug you to death you should have no issues keeping your site up. In fact, if you want to use SSL/TLS with your S3 static site (hint: you do) you have to use Cloudfront.

Instead of walking through another S3 and Cloudfront setup, just follow the same guide I used.

CI/CD - Putting it all together, automatically

This is where the magic happens. On every push to master, your static site should build, minify, upload, and invalidate the Cloudfront cache. This way you can write a post in a feature branch, and when you merge it into master your blog updates without any additional actions! Gitlab is my git host of choice because it can be self-hosted and is very powerful. Additionally, Gitlab.com offers unlimited free private repos with unlimited collaborators. But my favorite feature of Gitlab is its built-in CI/CD. No longer do you need a separate service to test/build/deploy your code, it's all built right into your version control. Layer docker on top of this and you get easy, reproducible builds and all it takes is one yaml file in the root of your repo!

Getting started with Gitlab CI/CD can be a little intimidating, and I've found using other projects' .gitlab-ci.yml files as templates is the best way to get started. For instance, here is the .gitlab-ci.yml file for this blog (if you're on mobile, sorry in advance; there is no good way to show code on mobile without wrapping which kills context):

variables:
  # Set git strategy, recursive in case there are submodules
  GIT_STRATEGY: clone
  GIT_SUBMODULE_STRATEGY: recursive
  # Keys and secrets are defined in the project CI settings and exposed as env variables
  AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
  AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
  AWS_DEFAULT_REGION: "us-east-1"

# Define two stages, if the site fails to build it will not be deployed
stages:
  - build
  - deploy

build:
  stage: build
  image: apihackers/pelican  # This image contains everything needed to build a static pelican site
  artifacts:  # artifacts are files that will be passed to the next CI stage and can be downloaded from the GitLab web
              # frontend as zips
    paths:
      - output  # This is the directory we want to save and pass to the next stage
    expire_in: 1 week  # Keep it around for a week in case we need to roll back
  script:  # The script block is the series of commands that will be run in the container defined in `image`
    - pelican content -o output -s publishconf.py  # Build the site using the publish config into the output directory
    - ls -lart output
  only:
    - master  # Only run this step on the master branch. No reason to spend resources on incomplete feature branches


deploy-prod:
  stage: deploy
  image: badsectorlabs/aws-compress-and-deploy  # This is a custom image for minifying and working with AWS
  variables:  # You can set per-stage variables like this
    DESC: "Prod build, commit: $CI_COMMIT_SHA"  # There are tons of built in env variables during the CI process
    S3_BUCKET: blog.badsectorlabs.com
    CLOUDFRONT_DISTRIBUTION_ID: $CLOUDFRONT_DISTRIBUTION  # Again, the secrets are stored in GitLab, not in the code!
  script:
    - cd output # Assumes the static site is in 'output' which is automatically created because the last step had
                # 'output' as an artifact
    - echo [+] ls before minification
    - ls -lart .
    - echo "$DESC" > version.html
    - echo [+] minifying HTML
    - find . -iname \*.html | xargs -I {} htmlminify -o {} {}
    - echo [+] minifying CSS
    - find . -iname \*.css | xargs -I {} uglifycss --output {} {}
    - echo [+] minifying JS
    - find . -iname \*.js | xargs -I {} uglifyjs -o {} {}
    - echo [+] ls after minification
    - ls -lart .
    - echo [+] Syncing all files to $S3_BUCKET
    - aws s3 sync . s3://$S3_BUCKET --region us-east-2
    - echo [+] Invalidating Cloudfront cache  # This step is necessary or you wont see the changes until the TTL expires
    - aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/*'
  environment:  # environments are just ways to control what is deployed where, for a simple blog straight to prod is ok
    name: master-prod
  only:
    - master
  when: manual  # This causes GitLab to wait until you click the run button before executing this stage

How we built Hamiltix.net for less than $1 a month on AWS

By: Erik

Background

Hamilton the musical is hot. Really hot. With crazy high ticket prices, finding the best deal should be easy, especially if you live in New York City, Chicago, or a city on the US Tour. You just go to a major ticket resale site, and search across all the dates you are able to attend and... wait... no site supports ranking tickets across dates? And their "deal rankings" don't take into account the intricacies of each theatre (viewing obstructions, etc)!? I guess we'll have to build it ourselves!

For a full background on the motivations behind hamiltix.net checkout the hamiltix.net blog.

From simple script to legitimate website

Being a python programmer it didn't take long to scrape the major ticket sites and rank all the tickets with a custom algorithm. This turned up some interesting results, and it was easy to compare the best tickets for any dates, sections, and theaters we wanted. This was great for personal use, but not very accessible to an average Hamilton-goer (and despite being perfectly legal it may draw the irk of the sites we are scraping). Time to legitimize our data collection and make it presentable.

This led to a long slog through the secondary ticket market, which was actually quite interesting, and will be detailed on the hamiltix.net blog. The end state was we connected with a "ticket broker" network and are able to access their inventory (spoiler: nearly all secondary ticket sites share the same inventory). With live tickets at our fingertips the question became how do we process all the data and present it on the cheap?

AWS - Power, Complexity, Affordability

Enter Amazon Web Services (AWS). AWS is the cloud service provider that powers many of the biggest names on the internet, so let's see how it does with a simple static site and backend.

Normally, the first step for this kind of project is to start up a linux server, but serverless computing is on the rise. We've never dealt with Lambda or any other "serverless" technology before so let's give it a shot.

The overall design of hamiltix looks like this:

[Figure: Hamiltix AWS Diagram] The Hamiltix.net AWS stack

As you can see, Lambda is the star of the show. If you haven't heard of Lambda before, you can think of it as a service that will run a function (however complex) on a trigger (there are too many to list, basically any AWS service can trigger a lambda). Lambda offers Node.js, Python (2.7 and 3.6), Java (8+), C# (.NET Core), and Go environments. Since we already had the ranking module in Python, we stuck with Python (3 of course) for the rest of the functions as well.

Cloudwatch event rules kick off any Lambdas that need to run on intervals (getting and ranking tickets), and API Gateway fires any "dynamic" content for the website like advanced search, or the actual ticket purchasing.

We also made the decision to not use a javascript framework for the front end, mostly because they are incredibly complex and some people suggest they are all terrible (or maybe great?). Could we use React with a static site? Sure, but that also means dealing with animated routes, custom routing, GraphQL, Redux, Sass or Less, JSX... I'm already exhausted. We just want to present tickets cleanly to users, not build the next Facebook. jQuery, SweetAlert2, Semantic-ui, Moment.js, and MultiDatesPicker are the only external javascript libraries used on hamiltix.net.

Without the need for a server hosting the site, it can be stored on S3 and distributed by Cloudfront. Setting up a static site with AWS is fairly simple. Any ajax calls in the site's javascript are sent to the API Gateway which in turn calls the correct lambda function to handle whatever task is requested. With Hamilton ticket prices as high as they are, we set up a staging environment that uses our ticket broker's sandbox API to test all functions on each commit to master. For this to work, you need two separate environments in API Gateway, and the corresponding aliases for your lambda functions (don't forget to publish the changes in API Gateway!).

The two API Gateway stages for hamiltix

While in the API Gateway, you have to point the lambda handler to the function alias that corresponds to either staging or prod. This can be done with a stageVariable when setting up the endpoint in the Resources screen of API Gateway. You'll need to allow API Gateway permissions to access each alias you use, but AWS provides a nice aws-cli command for you when you set up the Lambda proxy integration.

The stageVariable setup on the Resources screen

Then in the Stages screen, ensure that each stage has an appropriate Stage Variable.

The stageVariable setup on the Stages screen

Now the staging and prod APIs will call the Staging and Prod lambda aliases respectively. Setting up staging and prod lambda aliases is not difficult, and is handled by Gitlab's CI/CD pipeline.

CI/CD

If you've read my first post you know I'm a big fan of Gitlab and its built in CI/CD. The hamiltix repo is set up with each lambda as a submodule because Gitlab currently does not support more than one .gitlab-ci.yml file for a repo. The .gitlab-ci.yml files for each lambda are nearly identical (on purpose!), only the variables section at the top and the additional cp statements for custom directories (if needed) change between lambda functions. Strict twelve-factor followers will notice that the build and release stages are combined. It is certainly possible to break the build step out and pass the zip as an artifact, but the stage is so fast we haven't done this yet.

variables:
  #  Set git strategy
  GIT_STRATEGY: clone
  GIT_SUBMODULE_STRATEGY: recursive
  # Keys and secrets are defined in the project CI settings and exposed as env variables
  AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
  AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
  AWS_DEFAULT_REGION: "us-east-1"
  NAME: "MyFunction"
  FILENAME: "MyFunction.py"
  HANDLER: "MyFunction.lambda_handler"
  RUNTIME: "python3.6"
  ROLE: "arn:aws:iam::XXXXXXXXXXXXX:role/XXXXXXXXXX"
  FILE: "fileb://deploy_$CI_COMMIT_REF_NAME.zip"

stages:
  - test
  - deploy

test:
  stage: test
  image: badsectorlabs/code-checking:latest # This is a docker image that contains a lot of code checking tools
  script:
    - cpd --minimum-tokens 100 --language python --files .
    # pylint output is good to look at, but not worth breaking the build over
    - pylint -d bad-continuation -d line-too-long -d import-error -d missing-docstring $FILENAME || true
    - flake8 --max-line-length 120 --ignore=E722,W503 . # You must pass flake8 (W503 is wrong, pep8 changed)

deploy-staging:
  stage: deploy
  image: badsectorlabs/aws-compress-and-deploy:latest
  variables:
    ALIAS: "Staging"
    DESC: "Staging build, commit: $CI_COMMIT_SHA"
  script:
    - virtualenv -p /usr/bin/python3.6 env
    - source env/bin/activate
    - pip install -r requirements.txt
    - mkdir dist
    - cp $FILENAME dist # copy all files needed to dist
    # Copy any other directories (modules, etc) here
    - cp -rf env/lib/python3.6/site-packages/* dist
    - cd dist
    - zip -r9 ../deploy_$CI_COMMIT_REF_NAME.zip .
    - cd ..
    - deactivate
    - ls -lart
    - echo Creating or updating $NAME
    - > # Capture the code hash of the updated/created lambda function; -r strips the quotes. The || is inside the subshell so a failed update falls through to create-function before jq parses anything (otherwise jq's exit status would hide the failed update)
      CODE_SHA_256=$( (aws lambda update-function-code --function-name $NAME --zip-file $FILE
      || aws lambda create-function --function-name $NAME --runtime $RUNTIME --role $ROLE --handler $HANDLER --zip-file $FILE)
      | jq -r .CodeSha256)
    - echo Publishing LATEST, CodeSha256=$CODE_SHA_256, as 'Staging'
    - VERSION=$(aws lambda publish-version --function-name $NAME --description "$DESC" --code-sha-256 $CODE_SHA_256 | jq -r ."Version")
    - echo "Published LATEST as version $VERSION"
    - >
      aws lambda update-alias --function-name $NAME --name $ALIAS --function-version $VERSION || aws lambda create-alias
      --function-name $NAME --name $ALIAS --description "Staging" --function-version $VERSION
    - echo Successfully updated $NAME:$ALIAS
  environment:
    name: master-staging
  only:
    - master

deploy-prod:
  stage: deploy
  image: badsectorlabs/aws-compress-and-deploy:latest
  variables:
    ALIAS: "Prod"
    DESC: "Prod build, commit: $CI_COMMIT_SHA"
  script:
    - virtualenv -p /usr/bin/python3.6 env
    - source env/bin/activate
    - pip install -r requirements.txt
    - mkdir dist
    - cp $FILENAME dist # copy all files needed to dist
    # Copy any other directories (modules, etc) here
    - cp -rf env/lib/python3.6/site-packages/* dist
    - cd dist
    - touch PROD # This is the canary that will tell the lambda function to use the PROD secrets
    - zip -r9 ../deploy_$CI_COMMIT_REF_NAME.zip .
    - cd ..
    - deactivate
    - ls -lart
    - echo Creating or updating $NAME
    - > # Capture the code hash of the updated/created lambda function; -r strips the quotes. The || is inside the subshell so a failed update falls through to create-function before jq parses anything (otherwise jq's exit status would hide the failed update)
      CODE_SHA_256=$( (aws lambda update-function-code --function-name $NAME --zip-file $FILE
      || aws lambda create-function --function-name $NAME --runtime $RUNTIME --role $ROLE --handler $HANDLER --zip-file $FILE)
      | jq -r .CodeSha256)
    - echo Publishing LATEST, CodeSha256=$CODE_SHA_256, as 'Prod'
    - VERSION=$(aws lambda publish-version --function-name $NAME --description "$DESC" --code-sha-256 $CODE_SHA_256 | jq -r ."Version")
    - echo "Published LATEST as version $VERSION"
    - >
      aws lambda update-alias --function-name $NAME --name $ALIAS --function-version $VERSION || aws lambda create-alias
      --function-name $NAME --name $ALIAS --description "Prod" --function-version $VERSION
    - echo Successfully updated $NAME:$ALIAS
  environment:
    name: master-prod
  only:
    - master
  when: manual

Using this CI setup, the lambda can check for PROD with if os.path.exists('PROD'): and if so read in env variables for the production environment, and otherwise use staging variables. Note that both staging and production variables must be defined in the lambda settings (aliases take a snapshot of the lambda settings to prevent a setting change from breaking aliases that already exist).
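One way to implement the PROD canary check just described, as an added example that is not hamiltix code: the setting names (BROKER_API_URL, BROKER_API_KEY) and the STAGING_/PROD_ prefixes are assumptions, and the filesystem check is injectable so it can be unit-tested without a real deployment package.

```python
import os

# Assumed setting names and prefixes (constructed for this example; the post names none).
# Both the STAGING_ and PROD_ sets must exist in the Lambda configuration, because a
# published alias keeps a snapshot of the configuration it was created with.
REQUIRED = ("BROKER_API_URL", "BROKER_API_KEY")
PREFIXES = {"staging": "STAGING_", "prod": "PROD_"}


def detect_environment(package_dir, exists=os.path.exists):
    """Return 'prod' if the CI job placed the PROD canary file in the package, else 'staging'."""
    return "prod" if exists(os.path.join(package_dir, "PROD")) else "staging"


def load_settings(package_dir, environ=None, exists=os.path.exists):
    """Pick the variable set for the detected environment, after verifying both sets are defined."""
    environ = os.environ if environ is None else environ
    # Fail fast if either set is incomplete: a missing variable would only surface later,
    # in whichever alias happens to need it.
    missing = sorted(prefix + name
                     for prefix in PREFIXES.values()
                     for name in REQUIRED
                     if prefix + name not in environ)
    if missing:
        raise RuntimeError("Lambda configuration incomplete: " + ", ".join(missing))
    env_name = detect_environment(package_dir, exists)
    prefix = PREFIXES[env_name]
    settings = {name: environ[prefix + name] for name in REQUIRED}
    settings["environment"] = env_name
    return settings


if __name__ == "__main__":
    # Inside Lambda the package is unpacked into the current working directory.
    print(load_settings(".")["environment"])
```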

The CI setup for pushing the static site assets looks nearly identical to the setup for this blog.

Logging and Monitoring

Once you have some lambdas working away for you, it becomes necessary to monitor them. By default the lambdas will log any standard out to Cloudwatch, which is nice if you need to go back and see what caused an issue, but doesn't help alert you when an issue occurs. There are many ways to solve this issue, including many that would leverage AWS services, but I already had a lifetime Pushover account, so I decided to use it for instant push notifications on any unhandled lambda error.

def send_pushover(message, title, sound='pushover'):
    """
    Send a pushover message
    :param message: string; the message to send
    :param title: string; the title of the message
    :param sound: string; one of the keys of {'pushover': 'Pushover (default)', 'bike': 'Bike', 'bugle': 'Bugle',
                          'cashregister': 'Cash Register', 'classical': 'Classical', 'cosmic': 'Cosmic',
                          'falling': 'Falling', 'gamelan': 'Gamelan', 'incoming': 'Incoming',
                          'intermission': 'Intermission', 'magic': 'Magic', 'mechanical': 'Mechanical',
                          'pianobar': 'Piano Bar', 'siren': 'Siren', 'spacealarm': 'Space Alarm', 'tugboat': 'Tug Boat',
                          'alien': 'Alien Alarm (long)', 'climb': 'Climb (long)', 'persistent': 'Persistent (long)',
                          'echo': 'Pushover Echo (long)', 'updown': 'Up Down (long)', 'none': 'None (silent)'}
    :return: None
    """
    from pushover import init as pushover_init # install with `pip3 install python-pushover`
    from pushover import Client
    # Send Pushover notification via the API (this is the hamiltix key)
    pushover_init('XXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
    client = Client('XXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
    client.send_message(message, title=title, sound=sound)


def lambda_handler(event, context):
    # main() is the function's real entry point, defined elsewhere in the module
    try:
        return main(event, context)
    except Exception as e:
        print('[FATAL] Caught exception: {}'.format(e))
        import traceback
        error_trace = traceback.format_exc()
        print(error_trace)
        error_title = 'Error in [LambdaFunctionName]'
        send_pushover(error_trace, error_title, sound='falling')
        raise  # Re-raise so the invocation fails and the lambda function returns a 500

Getting a push alert any time there is an error helps us respond to issues as soon as they come up. The same send_pushover() is used to alert on other things as well, like any time a ticket is purchased (with the cash register sound naturally).

Cost

So how much does it cost to run hamiltix.net? Right now we are still in the 12 month AWS "free-tier" and monthly cost is stable at around $0.60, of which $0.50 is Route53 (one hosted zone) and the rest is S3 and taxes. After the "free-tier" expires our S3 costs will increase slightly, API Gateway will be $0.09 per GB of data transferred out, and Cloudfront will be $0.085 for the first 10TB a month but Lambda, DynamoDB, and Cloudwatch will remain free (unless we get really popular!), and costs should remain under $1. Reddit has corrected my error, and API Gateway has a base fee of $3.50 for the first 1 million requests. After the free-tier expires costs should remain under $5. If we wanted to bring this down even more, moving the domain to Google Domains (or similar) would reduce our current costs by 80%!


Handling Fatal Errors in Production on a Saturday Night

By: Erik

Background

In my last post I described the way we instrumented all our AWS Lambda functions on hamiltix.net so any unhandled error was sent as a Pushover notification with a full stack trace. While some were concerned this would lead to a flood of messages, it has been nearly silent except for purchase notifications and a few minor bugs which were corrected. Everything had been running smoothly for a while, until...

The Error

It was Saturday, 8:21 P.M. I'd just returned home when I got a Pushover notification.

[FATAL] Error in TheMoneyLambda

The few error notifications we have gotten are in a query or other part of the website that is a "first step" of the user experience. By the time a user gets to the point where they are interacting with "TheMoneyLambda" the order is complete (hence the name). What this means is that a user was trying to purchase tickets when this occurred. Priority: Critical.

I sit down at my laptop and open the CloudWatch dashboard. All Lambda standard out or logging messages are captured by CloudWatch, so this should show exactly what caused the error. Immediately I saw the error, "Invalid Ticket Group Quantity." As with all tricky bugs, I immediately thought, "That's impossible!" The details of the order are all checked with the broker immediately before purchase. TheMoneyLambda should never be handling an order that hasn't been checked for correctness. The check is handled by a separate lambda, so flipping over to those logs I see that it was checked successfully. About this time I get another error notification, same as the first. Worried the customer is getting error messages and attempting to buy the tickets multiple times, I fire off a quick email (captured at checkout) to them letting them know I am looking into the issue.

The pressure was on now. I have no idea how this bug was possible and I'm about to lose a customer. With a grand total of $0 spent on marketing, word of mouth and this blog are the only drivers of sales. A bad customer experience could torpedo the whole project.

The Secret Weapon

With the contradiction of the Lambda logs leading nowhere, I turned to a tool that I added to the site more for fun than anything. LogRocket is a javascript snippet that you can add to any page and it hooks user interactions and logging and presents it back in a timeline view. From time to time I would use it to see how people interacted with the site (my friend calls this "watching film" - like we are a sports team). While we include LogRocket on the checkout page, we explicitly tell it NOT to capture any of the credit card fields. In the renders they just don't appear (as if the element was deleted) which keeps us from accidentally storing any payment data.

In LogRocket I pick out the session right away and watch the user interaction from the beginning. Everything looks normal, except the ajax calls to API Gateway (and therefore Lambda) fail. Then I see it. LogRocket helpfully captures all the details about ajax calls, and I notice the duration is about 15 seconds.

[Figure: LogRocket session showing the failed AJAX request] 15 seconds, why is that familiar?

Besides being an eternity online, 15.957 seconds is awfully close to the default 15 seconds execution limit on Lambda functions. Switching back to the CloudWatch logs I scroll up past the two errors I initially fixated on to see this:

Apparently a successful order

No errors, no traceback. Apparently a successful order. In my initial haste to find the issue I was focused on the errors and missed the fact they were preceded by a successful order. The function must have timed out just before sending the successful order notification and returning a 200 status to the front end. For some reason the broker's API took ten seconds to respond, which in turn caused our Lambda function to hit its time limit of 15 seconds, but not before actually processing the order! The user saw an error on the site, while at the same time getting a confirmation email. I communicated the issue to the customer, who was really great about everything, and immediately increased the execution time limit for TheMoneyLambda. With Lambda aliases, you have to make the change in the Lambda's dashboard then push a new version to all aliases you want changed. This prevents you from accidentally changing a parameter or environment variable that a current alias requires when updating a function. With the GitLab pipelines described in my previous post it's as simple as re-running the deploy stage.

If the broker API had failed completely, or was a little faster this error wouldn't be possible. It was just slow enough to succeed on the back end while failing on the front end.
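An added example (not hamiltix code) of one defensive pattern against exactly this failure mode: the handler gives the broker call only the time Lambda has left, minus a margin reserved for the confirmation and the response, so a slow broker produces an explicit, logged timeout while the function is still alive instead of the runtime killing it after the order went through. The broker call, the order shape and the fake context are constructed stand-ins; the fake broker's adjustable latency is also how you test the "very slow response" case from the lessons below.

```python
import time

LAMBDA_LIMIT_MS = 15_000   # the default limit the post ran into
SAFETY_MARGIN_MS = 3_000   # time reserved for sending the confirmation and returning the 200


class FakeContext:
    """Mimics get_remaining_time_in_millis() from the real Lambda context object (constructed)."""

    def __init__(self, limit_ms=LAMBDA_LIMIT_MS):
        self.deadline = time.monotonic() + limit_ms / 1000.0

    def get_remaining_time_in_millis(self):
        return max(0, int((self.deadline - time.monotonic()) * 1000))


class BrokerTimeout(Exception):
    """Raised when the broker does not answer within the budget it was given."""


def fake_broker_purchase(order, timeout_ms, latency_ms):
    """Stand-in for the broker API: 'answers' after latency_ms, or raises if that exceeds timeout_ms."""
    if latency_ms > timeout_ms:
        raise BrokerTimeout("broker did not answer within %d ms" % timeout_ms)
    return {"order_id": "constructed-%s" % order["ticket_group"], "status": "confirmed"}


def checkout(order, context, broker_purchase):
    """
    Bound the broker call by the time Lambda has left. A real client would pass budget_ms as
    its HTTP timeout; here broker_purchase(order, timeout_ms) is whatever the caller injects.
    """
    budget_ms = context.get_remaining_time_in_millis() - SAFETY_MARGIN_MS
    if budget_ms <= 0:
        # Refuse before touching the broker: there is no time to finish even a fast purchase.
        return {"statusCode": 503, "body": "not enough time left to attempt purchase"}
    try:
        result = broker_purchase(order, timeout_ms=budget_ms)
    except BrokerTimeout as exc:
        # The order state is unknown: the broker may still have filled it. Log loudly so the
        # error alerting described in the previous post fires and the order can be reconciled.
        print("[FATAL] %s; order state unknown, reconcile with broker: %r" % (exc, order))
        return {"statusCode": 504, "body": "broker timeout, order state unknown"}
    # Still inside the budget: confirmation and 200 go out before the runtime deadline.
    return {"statusCode": 200, "body": result}


if __name__ == "__main__":
    slow = lambda o, timeout_ms: fake_broker_purchase(o, timeout_ms, latency_ms=13_000)
    print(checkout({"ticket_group": "A1"}, FakeContext(), slow))
```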

Lessons Learned

  • Instrumenting business critical functions to receive instant error notification is key to knowing there is a problem.
  • Quick communication with affected customers can help smooth over an otherwise bad experience.
  • During testing, ensure you test less-than-optimal conditions to include very slow responses.
  • Sometimes the stars align to serve you a tricky bug on a Saturday night. Welcome to the startup life =)

In the market for Hamilton the Musical tickets? Find a better ticket search, alert, and buying experience at hamiltix.net.

Questions or comments? blog (at) badsectorlabs.com


The DIY Guide to Forming an Online Business with Multiple Members in Different States

By: Erik

Background

We wanted to set up a simple, legitimate business without spending a lot of money. One of our initial side projects (Hamiltix.net) was generating a small amount of revenue and with other small potential revenue generating projects in the pipeline, we needed a way to separate the finances and also to professionally interact with other businesses (for example, we would eventually like to publish apps in the Apple App Store / Google Play Store under our company name instead of using our names).

It seems like startups abound these days, so we would have thought the actual process for setting up a business would have been more straightforward. In our case, we needed to set up a business with two owners who reside in different US states, with no employees, where the business would be entirely online with no physical presence or store front, and we would be working on business related projects from our respective homes.

Given the lack of resources online on the specific mechanics of actually forming a business with this profile, we wanted to write down the process we went through in hopes that it will be helpful to others in a similar situation. We have compiled our notes on this process and laid out the decision tree and steps we went through. The below is an amalgamation of hours of internet research (which almost always ended up with something like this:

"better check with your lawyer.")

Step 1

Determine Which Type of Business You Are / Are Going to Be / Want to Be

  • If you have some or all of the below characteristics, a Delaware C Corporation is likely the way to go:
    • Expect to raise money from outside parties such as venture capital firms or sell your business to a larger company
    • Expect to hire employees and incent them with ownership in your company
    • The easiest, cheapest, and best way to go seems to be to use Clerky or Stripe Atlas and pay the ~$500+ and just be done with it (note we haven't used these services or tried them, this is solely based on our research. However, Y Combinator backed and uses Clerky for its companies). We won't spend any more time detailing this path as this does not describe us
  • If you align more with the characteristics below you may want to create a Limited Liability Company (LLC) or S Corporation
    • Expect to be profitable in the near term
    • Have one founder or a limited number of founders / investors who are mostly friends or family. Stripe does a good job of explaining the difference of LLCs and C Corporations in more detail.

For LLCs and S Corporations, profits or losses are passed through to the individual owners based on their underlying ownership interests in the company and then each owner is taxed on those earnings (or losses) based on their individual tax rates. For example, if the business revenue was $10, business costs were $5, then $5 dollars of profit would be split between the owners by their ownership amounts. An owner's allocated amount would then be included on their individual tax return.

For a C Corporation, the company itself would pay taxes on any profits or losses, and then if the owners wanted to receive cash from the company, the company would have to pay a dividend to its owners. A C Corporation owner would then have to pay tax on the dividend. This leads to earnings being taxed twice - once at the C Corporation and again to the investor on their dividends. There is also a board of directors structure in a C corporation which differs from an LLC which generally has fewer requirements.

Ultimately, a business is just an entity, like a person, that can open accounts, take on debt, and interact with other companies. But one nice reason for setting up a business (and doing it correctly) is that it provides some liability protection to the owners and cleanly separates business finances from personal finances.

One more quick note on proper terminology related to LLCs. In an LLC you own "units" and are a "member" versus a corporation where you own shares of stock and are a shareholder or a stockholder. As a shareholder in a corporation you also then have the right to vote your shares to elect a board of directors who then hire management and guide the corporation, whereas the LLC requires fewer formalities.

Step 2

Where to Form Your Business?

Once you have decided which type of entity you will be forming you now have to decide where to incorporate. You can incorporate a business in any state, even if you do not live, work, or have an office there. If you are a sole member, or have members in the same state, it may make sense to form the business in your home state.

In our case however, there are two of us located in different states and we were planning on operating an online business with no physical presence. As a result, we decided to form our business in Delaware (even though neither of us live in Delaware). The reason why Delaware is one of the most popular choices for registering a business is because it has significant historical business legal case law (which makes investors, lawyers, etc. more comfortable that they know how certain legal situations will unfold). Delaware charges a $90 formation fee (for an LLC) and has a $300 annual "tax" beginning at the end of year 1 and each year thereafter to maintain registration. Different states have different annual payment requirements (California being one of the most expensive).

Finally, there is the potential to have to register in multiple states if you are "doing business" or have "tax nexus" in a state other than the state in which you formed. We haven't been able to find a good answer on what the definition of "doing business" is just yet, but in our situation, when we had our initial conversation with the tax accountant, our arrangement of filing in Delaware only for now seemed appropriate. We think that since we are an online business, and do not have a physical store front or office, or have physical product at any time (software only), we do not need to register in other states, but check back with us next April on that one... It would seem a bit extreme (and prohibitively expensive) for us to have to register in all 50 states, for example, just because we might sell to a customer in one of those states. I can't say we fully understand this yet but the tax accountants were ok with only a Delaware registration. If you have better information or understanding on this point and can tell us what "doing business" actually means please let us know! For reference, if we did have to register our Delaware LLC in another state it is known as a "foreign" registration.

Step 3

Name Picked? Good, It's Formation Time

Once you have chosen a state to form your business you will need to determine who will be the registered agent. All businesses must have a registered agent whose address and information is publicly available and is the location where the business is to receive service of process (court documents if the business is sued). You can be your own registered agent (if you have an address in the state in which you are registering) but then your information (name and address) is in the public record. This is solved by utilizing a paid registered agent service. The paid registered agent service basically serves two purposes:

  1. Be the name and address on the publicly available information on your business so you do not have to put your personal information in the public record, and
  2. Have an online document portal where you will get alerts any time documents are added (so if you were to get sued, the court documents would go to the registered agent's address, and the registered agent would then scan the documents and upload them to the portal for you to view).

There are a lot of registered agent services out there but we decided to go with A Registered Agent Inc (Delaware Registered Agent) which after researching a bunch of options seemed to be on the cheaper end of the spectrum and didn't aggressively try to upsell you on every little addition. Unless you absolutely need it, do not pay the extra $50 to expedite your formation. We were formed and had our documents back from Delaware Registered Agent in seven days. They charge $180 for the registration (which would cost $90 if you just did it yourself) and the remainder covers preparation costs, the first year of registered agent services, initial LLC resolutions, and a form LLC operating agreement. Delaware Registered Agent charges $45 each year thereafter for its registered agent services (to use their address and have them scan legal documents for you in the event of legal action).

Now if only there were a decentralized, distributed ledger system for keeping track of business formations and business ownership...

Step 4

Get Squared Away with the IRS

After you have formed the business the next step is to get squared away with the IRS - that means you need to get an Employer Identification Number ("EIN") (basically a social security number for your business). The online portal is the easiest way to do this and it takes about 10-15 minutes. Strangely the online portal is only available Monday through Friday from 7AM to 10PM - last I checked servers do not need to sleep, so if anyone knows why this is the case we are genuinely curious to know.

The online portal is the equivalent of filling out a form SS-4 on paper and mailing it in, except the online portal takes 10 minutes and you get your EIN right away. The key items when filling out the form online are the "Type of Entity" and the employment tax liability checkbox. While we were very tempted to register as a "church or church controlled organization" (which enjoy some pretty nice tax exemptions), we went with the default for a multi-member LLC, a partnership. The thing to understand here is that you now have an LLC that will be taxed as a partnership for tax purposes. This is what we (and probably you if you're in a similar situation) wanted, as this allows us to pass through any profits to each of the members' annual tax filings (and avoid the double taxation of a C corporation). We also do not plan to have any employees - it will just be us (the owners / members) running the business - and as a result we made sure to check the employment tax liability checkbox (item 14 on the paper SS-4), so that we only need to make one annual employer federal tax return filing on form 944 versus quarterly federal tax returns on form 941. If you were to have employees you'll have to make sure you are withholding the appropriate amount from their paychecks for taxes and file the quarterly form.

LLC Tax Responsibilities

Below we have compiled a summary of the tax forms the LLC will need to file:

  • LLC files Form 1065 annually with the IRS - this is just an “FYI” to the IRS by March 15th (since the LLC doesn't pay taxes itself as it is a pass through entity)
  • LLC files Form 944 annually with the IRS (to file form 944 annually vs. form 941 quarterly you must (i) have less than $1k of wages paid to employees per year, and (ii) check box number 14 on form SS-4 (or the equivalent on the online EIN portal) when filing to get your EIN)
  • LLC prepares and provides K-1 statements (Form 1041) to its members by March 15th

Member Tax Responsibilities

  • Members will be required to file and pay estimated taxes on Form 1040-ES on a quarterly basis if:
"You expect to owe at least $1,000 in tax for 2018, after subtracting your withholding and refundable credits."
  • Members use K-1 (Form 1041) statements to complete their 1040 and Schedule E by April 15th

Step 5

LLC Operating Agreement

For an LLC, the operating agreement is a document that outlines how the business will operate. It typically includes things like management of the business, ownership, distributions, buyout of other members, disputes, etc. We took the template provided by our registered agent (similar template here) and modified it to our liking and went with that.

The operating agreement is not filed with any government institution or bureau and is signed and kept between members, or if you have a lawyer, the lawyer will usually keep a copy of the documents as well. For reference, we talked to a small business lawyer who offered to write a simple operating agreement for us for $1,500. Perhaps if we start bringing in larger amounts of money at some point in the future we will update the agreement, but for now the modified template works just fine for us. We have some experience and familiarity dealing with operating agreements, but even if you do not, the templates we looked at are probably adequate for just starting out.

You can amend the operating agreement at any time (and depending on how you worded your initial operating agreement you may require unanimous or majority approval of unit holders to amend the operating agreement).

Step 6

The Money

Now that you are all set on taxes, you should set up a business checking account to accept payments and pay any business expenses such as server costs. Setting up a checking account also proved to be unnecessarily difficult. We wanted to go with a large national bank that was present in both of our home states (recall we are two members in different states) so we tried to get an account at Chase. However after calling and visiting multiple chase branches, we found that they have a policy that requires a business account to be registered in the state in which the branch you are opening the account is located. Since our business was registered in Delaware, but neither of us reside in Delaware and the Chase branches we have access to are not in Delaware, we could not open a business checking account with Chase.

We then tried another national bank and after walking into a branch with all documents from the steps above in hand (formation document, initial resolutions, EIN letter, operating agreement) they weren't sure either if they could open an account for a Delaware LLC since the branch was not in Delaware. They copied our LLC Operating Agreement, formation document, and initial resolutions and said they would check with someone outside the branch and get back to us. The next day they called back saying they could open the account. We did get the account opened but only I was listed on the account since they required my business partner (who is in a different state) to be physically present with me in order for him to be added to the account. Fortunately, he was planning to be in town in a few weeks, but this is another hurdle to be aware of. Also, apparently there is such a difference between a personal checking account and a business checking account that it requires a "business banker", whatever that is. There was one occasion where we visited a branch on a weekend only to have no "business banker" available.

Business checking accounts are also somewhat different from personal checking accounts. One difference is transaction volume and size. Our account only allows 150 transactions a month (with a $0.50 charge for any transactions thereafter). Additionally, our account requires a minimum $1,500 balance in order to avoid a $12 monthly charge. Lastly, if you are working with a lot of cash for some reason (which we of course are not as everything is online) there are maximums and other fees related to cash deposits. So be aware of all the limitations, which are more stringent than personal checking accounts and to us just feel like ways for banks to charge additional little fees because the account is a "business" account. We looked at a bunch of different banks and all have similar types and amounts of fees.

Our bank also required us to sign a banking resolution. This is just a legal document signed by the LLC members that officially gives the members authority to open an account for the LLC.

Lastly, now that we have an account set up we need to track the money and each member's capital account (remember that for taxes next year, you will need to file forms that show how much money the LLC made and how it is allocated to its members). We haven't figured out the optimal solution here yet, but it seems Wave might be a good free option based on our research (vs. paying monthly fees for some other services).

Miscellaneous

  • Insurance: Getting insurance for your LLC is probably a good idea and depending on your business there might be certain coverages that are better for you. Depending on what you get, for a small business it should not be any more than a couple hundred dollars.
  • Maximizing the Liability Protection Benefits of an LLC: In order to maximize the potential benefits of the "limited liability" portion of an LLC you will want to make sure you do not use the LLC for any personal expenses or other matters and solely use it for business purposes (hence one reason why we set up a separate business checking account in Step 6 above).

Conclusion

All told we spent what seemed like way too long to set up a business that is relatively common and straightforward. Fortunately, going the DIY route we only ended up spending $248 in total ($180 for A Registered Agent to do the registration and provide registered agent services and another $68 for 6 months of a USPS PO Box to get any physical mail we might receive), excluding any insurance.

Our Projects

Hamiltix.net: We use algorithms to rank the best available Hamilton tickets across all available tickets and dates based on various factors, and allow users to search across any combination of dates, sections, and prices in addition to setting up email alerts.

FirstUp Fitness: Getting up at 4:45 AM to make tomorrow's spin class reservation? Refreshing the page to reserve a class as soon as it opens up for reservations? Our app will automatically reserve a spot for a fitness class as soon as it opens for reservations. You just set the reservation you want and forget it - FirstUp Fitness will do the reserving for you. If you belong to an Equinox and this sounds like something you would use - drop us a line. We are currently developing the app.

Questions or comments? blog (at) badsectorlabs.com

Last Week in Security (LWiS) - 2020-02-10

By: Erik

Introduction

Cyber security is a fast-paced and ever-changing field. I find myself sifting through countless blogs, subreddits, twitter streams, slack/discord channels, and mailing lists just to stay up to date. I've often thought, "I wish someone would just catalog all the useful/technical/interesting bits in one place, each Monday." So I decided to do just that. It is my intention to make a post similar to this one each Monday, with a collection of the previous week's news that I found relevant. If you are a technical practitioner of cyber security, perhaps it can be of use to you as well. I plan on automating as much of the information gathering and processing as possible and will blog about that system as it is developed.

News

  • A Raytheon engineer was arrested for taking US missile defense data to China, a classic example of the insider threat and ITAR violation. ZDNet has the story.
  • Simon Weckert "hacks" Google Maps with a wagon full of cellphones to create fake traffic jams in Berlin. An interesting and concrete example of how potentially adversarial behavior by coordinated users (or just one user acting as multiple) in a distributed system can affect the physical world.
  • 5 Cisco 0days, dubbed CDPwn, released.
  • Fireeye published a very in-depth blog post about an actor deploying a backdoor via stomped VBA macro enabled documents.
    • This twitter thread is a great resource for more information on VBA stomping, detection, and tools.
  • 1.7 million dollars can get you access to lots of windows loot; corp.com is for sale and is a prime example of "namespace collision." Krebs has the details.
  • Ransomware is exploiting vulnerable legitimate signed windows drivers to disable AV before encrypting files. This is an in-the-wild example of signed driver bypass.
  • iOS Exploit News
    • @Fox0x01 released the third part of her iOS exploit development series. Her site is a treasure for anyone in need of an exploit development resource. I highly recommend it.
    • Brandon Azad, iOS exploitation master, released "oob_timestamp," a proof-of-concept research exploit that exports the kernel task port on iOS 13.3. Amazing work as always.
    • @jsherma100 published an incredibly detailed write up of the iOS 12-12.2 and 12.3 use-after-free exploit that became "Sock Puppet".

Techniques

Tools and Exploits

  • PHP 7.0-7.4 UAF exploit that allows running arbitrary commands (Linux only).
  • Mimikatz can now dump creds from fully up to date Chrome on windows.
  • WDACTools - A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
  • Another fake logon screen for post exploitation credential capture on windows.
  • The first open source jailbreak based on checkm8 called Fugu was released. It currently only supports the iPhone 7 and iPad Pro (2017), and only works on macOS. checkra1n works on iPhone 5s to iPhone X but is currently closed source. Checkra1n released Linux support this week. It includes a web interface (demo) for headless devices such as the raspberry pi.
  • @CodeColorist released vscode-frida, a VS Code based GUI for using Frida to explore apps and processes on macOS.
  • A buffer overflow was discovered in sudo (CVE-2019-18634) if pwfeedback is enabled. Check with sudo -l | grep pwfeedback; macOS is not vulnerable by default but Linux Mint is.
  • OpenSMTPD LPE/RCE (CVE-2020-7247) exploit released. This is a critical vulnerability but not a widely used mail server.
  • TeamViewer password encryption key and IV disclosed on windows; useful for post exploitation lateral movement.
  • Kali 2020.1 released, which includes a non-root user by default, simplified installer choices, and updated themes and icons.
  • Dufflebag - Search exposed AWS Elastic Block Store (EBS) volumes for secrets. This technique, shown at DEF CON 27, exploits bad (non-default) configurations for persistent disks in EC2 and Dufflebag automates the complicated process to get you loot faster.

Last Week in Security (LWiS) - 2020-02-17

By: Erik

Now with MITRE ATT&CK techniques in brackets where appropriate!

News

  • The US Attorney General indicted four suspected Chinese PLA members for the Equifax breach in 2017. The indictment states that the attackers wiped log files daily and routed traffic through dozens of servers in nearly 20 countries. Of note, one photo appears to be from a laptop camera, which indicates a possible "hack back" operation or potentially prior access by US intelligence.
  • CIA and BND (German CIA+NSA) owned and subverted the Swiss cryptography company Crypto AG from 1970 to 2018. Supply chain risk just got another poster child. Alex Stamos (former Yahoo/Facebook security exec) shared the time a Hardware Security Module (HSM) was... tampered with prior to delivery. Still not scared of Huawei? Hmm? [T1195]
  • @_dirkjan, the AD whisperer, revealed that CVE-2020-0665 was patched on Tuesday and is able to use "kerberos magic" to bypass forest security boundaries. More to come in April. Note this is unrelated to @harmj0y's forest trust research. [TA0008]
  • Security Key News
    • Google open sources titan security key firmware as OpenSK, a rust application for Tock OS running on a Nordic nRF52840 dongle.
    • snopf is a new open source USB "password tool" that works differently than a Yubikey or Google's Titan. It generates a password from a master seed based on parameters passed to it and emulates a keyboard to input the password when a physical button is pressed.
  • @Fox0x01 is back at it! Understanding trusted execution environments and ARM TrustZone is a great resource on how Trusted Execution Environments work on modern Android phones and their attack surface.
  • The Joshua Schulte trial (accused leaker of CIA tools "Vault 7") is underway and already contains some OPSEC fails. It appears Joshua downloaded TAILS and searched for disk wiping and MD5 sum utilities right after a USB was delivered from Amazon. Multiple levels of fail here, but if you buy a book on hiding bodies the day your spouse goes missing, the jury doesn't need to see the body to think you did it... [T1488]
  • unc0ver 4.0.1 is out, with support for iOS 13.1-13.3 on A12 and A13 (iPhone XS series, 11, and 11 Pro). This is the first time these devices have been supported by a jailbreak tool as checkra1n only supports i-devices up to the iPhone X. [T1068]
  • ImageMonkey, an open source repository of classified and tagged images, just surpassed 100,000 images. It is all available for free and even has an API. If you are doing any ML classification training involving images (or just learning ML and need data sets) this is a great resource.
  • US Cert has released 7 new detailed malware reports on DPRK malware, as well as releasing samples via Virus Total. These reports include code snippets on decoding C2 traffic and yara rules in addition to standard IOCs.

Techniques

Tools and Exploits

  • VirusTotal releases an official Plugin for IDA Pro 7. It enables you to search for bytes, strings, similar code, or similar functions against the world's largest collection of binaries to help your analysis. Standard VT licenses allow 90 days retrospection and Threat Hunter PRO allows for 1 year retrospection. [T1140]

  • Hashcat can now crack zip files using PKZIP at an insane rate of 22.7 ZettaHash/s on a single 2080Ti. Any PKZIP password shorter than 20 characters is not safe.

  • Bloodhound 3.0 released! Slides and Demos are available, as is a companion blog. Updates below. [T1482]
    • Powershell Remoting (port 5985/5986).
    • Control of Group Managed Service Accounts. Allows reading of the plaintext password remotely by authorized principals
      • GMSAPasswordReader
      • Defenders can audit DC permissions with BloodHound and look for event ID 2947 in the Directory Service log to detect this technique
    • SID History - This is the property used for Golden Ticket attacks, now visible in BloodHound 3.0
    • OU Control - Adds the ability to push ACEs to OUs
    • SharpHound total rewrite (based on .NET 4.5) that gives ~30% faster LDAP collection (600k computers in a few hours!), better caching, and more accurate data collection
    • Various quality of life improvements: large graph drawing warning, improved dark mode, improved node data display, etc.
    • During the webinar, the BloodHound team mentioned this great BloodHound Cypher cheatsheet for common queries
    • Best detection is to find "loud LDAP talkers" because the collection of lots of LDAP data is a primitive that cannot be changed for BloodHound to work
  • Mimikatz was updated last week to dump creds from Chrome, and it also works with the new Edge beta (Chromium based). [T1503]

  • Windows Local Privilege Elevation Exploits. Is anyone not SYSTEM at this point? It seems like a new LPE is dropped every day! [T1068]

    • CVE-2020-0683 - Windows MSI “Installer service” Elevation of Privilege. This was patched on Tuesday, but (surprise) another symbolic link handling bug, this time within MSI packages being installed, allowed an unprivileged attacker to write to arbitrary files. Like all LPEs this requires code to already be executing on the target, but looks like a nice solid LPE for the new year.
      • itm4n's writeup
      • PoC
      • Weaponization: implement the PoC in C# and run a DLL with UsoDllLoader, then clean up.
      • Generic Detection: Alert on file creation or symlinking of C:\windows\system32\WindowsCoreDeviceInfo.dll
    • Local Privilege Escalation in many Ricoh Printer Drivers for Windows (CVE-2019-19363) disclosed by pentagrid. If you are on a windows box, look for anything with PCL6 in the driver name and you can likely get SYSTEM.
    • AMD User Experience Program Launcher from Radeon Software is vulnerable to an insecure file move which leads to LPE
      • Writeup
      • PoC (amd_eop_poc)
      • Vulnerable Versions: AUEPLauncher (<= 1.0.0.1), AUEPMaster (<= 1950.15.1.117)
      • Weaponization: Same as CVE-2020-0683, C# version that can be run in memory and only drop the WindowsCoreDeviceInfo.dll to disk
      • Generic Detection: Alert on file creation or symlinking of C:\windows\system32\WindowsCoreDeviceInfo.dll
    • PrivescCheck is a fresh PowerShell v2 script that aims to be a dependency-free yet feature-filled Windows privesc checker.
  • Inspired by Orange Tsai's SSL VPN research, @plopz0r found 6 (!) vulnerabilities in SonicWall devices, including 3 pre-auth (SQLi for authenticated sessions, a classic buffer overflow, and a path traversal [existence only]). Patch your SonicWalls! [T1133]

  • KDU is a seriously impressive project that abstracts away the hard part of getting kernel execution on windows by leveraging vulnerable drivers that are compiled into a single executable. It works on everything from Windows 7 to Windows 10 20H2, even with SecureBoot enabled. It wouldn't be hard to take this project and weaponize it, especially if you have a driver 0day on your hands. Top marks to hfiref0x. [T1068]
    • This joins dsepatch, another driver signing enforcement cradle, and gdrv-loader from last week, but dsepatch requires you to provide your own vulnerable driver.
  • xgo: Cross compiling Go (golang) is easy in theory, but as soon as you start extending Go with C-based languages or modules, things get complicated. xgo makes building a go project for all targets as easy as xgo github.com/[user]/[go-project].
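
The two generic detections called out in the list above (file creation or symlinking of C:\windows\system32\WindowsCoreDeviceInfo.dll for the MSI and AMD LPEs, and finding "loud LDAP talkers" to catch BloodHound collection) share a log-parsing step, so here they are as one added Python example. This is not code from the post or from any of the projects it links; the pipe-delimited log format, hostnames, client addresses and the 25-queries-per-minute threshold are constructed for illustration, and real telemetry (Sysmon file-create events, LDAP query logging on the DCs) would be parsed in place of the sample lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Path named in the post as the generic detection for CVE-2020-0683 and the AMD AUEP LPE.
# Compared lower-cased because NTFS paths are case-insensitive.
WATCHED_DLL = r"c:\windows\system32\windowscoredeviceinfo.dll"
FILE_EVENTS = {"FileCreate", "SymlinkCreate"}

# Constructed sample telemetry (not real logs). Fields: time|event|key=value;key=value
SAMPLE_EVENTS = [
    "2020-02-18T10:00:01|FileCreate|host=ws01;image=C:\\Users\\bob\\poc.exe;target=C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll",
    "2020-02-18T10:00:02|FileCreate|host=ws01;image=C:\\Windows\\System32\\svchost.exe;target=C:\\Windows\\Temp\\update.log",
    "2020-02-18T10:00:05|SymlinkCreate|host=ws02;image=C:\\Users\\eve\\tool.exe;target=c:\\windows\\system32\\WindowsCoreDeviceInfo.dll",
] + [
    # one client issues 40 LDAP searches inside a minute (collector-like behaviour) ...
    f"2020-02-18T10:01:{i:02d}|LdapSearch|host=dc01;client=10.0.0.5;base=DC=corp,DC=local"
    for i in range(40)
] + [
    # ... while another issues a handful spread over the same minute (normal)
    f"2020-02-18T10:01:{i:02d}|LdapSearch|host=dc01;client=10.0.0.9;base=DC=corp,DC=local"
    for i in (3, 17, 31, 45)
]


def parse_event(line):
    """Split one constructed log line into a dict with a datetime 'time' and 'event' name."""
    time_str, event, fields = line.split("|", 2)
    record = {"time": datetime.fromisoformat(time_str), "event": event}
    for kv in fields.split(";"):
        key, _, value = kv.partition("=")  # values may themselves contain '='
        record[key] = value
    return record


def detect_dll_drop(lines):
    """Return (host, image) pairs that created or symlinked the watched DLL path."""
    hits = []
    for rec in map(parse_event, lines):
        if rec["event"] in FILE_EVENTS and rec.get("target", "").lower() == WATCHED_DLL:
            hits.append((rec["host"], rec["image"]))
    return hits


def detect_loud_ldap(lines, threshold=25, window=timedelta(seconds=60)):
    """Return {client: peak count} for clients that exceed `threshold` LDAP searches
    within any sliding window of length `window`."""
    times = defaultdict(list)
    for rec in map(parse_event, lines):
        if rec["event"] == "LdapSearch":
            times[rec["client"]].append(rec["time"])
    loud = {}
    for client, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:  # slide the left edge of the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            loud[client] = peak
    return loud


if __name__ == "__main__":
    print("DLL drops:", detect_dll_drop(SAMPLE_EVENTS))
    print("Loud LDAP talkers:", detect_loud_ldap(SAMPLE_EVENTS))
```

The DLL rule is exact-match on a single path, so it is cheap and low-noise but only covers the two bugs named above; the LDAP rule is volume-based, which is what makes it hard for a collector to avoid, at the cost of needing a threshold tuned to each environment's normal LDAP chatter.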

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • SysmonTools is a powerful collection of tools for investigating Sysmon and pcap logs.
  • Go (golang) is a great language for a number of reasons, but one drawback can be binary size. goweight is a tool that shows you what is taking up space in your compiled golang binaries, which allows you to make informed choices about dependencies.
  • npq is a drop in replacement for npm that adds a bunch of safety and vulnerability checks. It won't save you from someone cleverly backdooring a package, but it will at least check for known vulns and metrics like age and number of downloads. A baby step forward for the dumpster fire that is javascript dependency management. [T1195]

Last Week in Security (LWiS) - 2020-02-24

By: Erik

MITRE ATT&CK techniques are in brackets after entries where appropriate.

News

  • @hFireF0x has been on a rampage against Windows drivers. If you are looking for a driver to add to last week's KDU or dsepatch, follow this user.
  • Deepfakes are being used to spread misinformation. We all knew it was coming, but this appears to be the first major use of a deepfake in an influence operation. The 2020 US election will likely see a few more. (How good are deep fakes? Really good, powered by DeepFaceLab)
  • The C2 Matrix is out! This matrix compares the features of all the major C2 frameworks available today. This is a great resource for choosing a C2 framework, and I hope it stays updated.
  • Estonian Foreign Intelligence published its 2019 annual report. It contains details of Russian and Chinese operations, both military and cyber. It also has well done infographics.
  • Apple will enforce a maximum certificate lifetime of 398 days on certificates issued from 2020-09-01 onward. If you are using Let's Encrypt this isn't an issue. Analysis here.
  • Chinese Bitcoin investor loses 45MM USD in a SIM swapping attack. If you have more money in cryptocurrency than you would carry in your wallet, it's time to buy and use a hardware wallet. The same rule applies for how much cryptocurrency you should keep on an exchange.

Techniques

Tools and Exploits

  • GadgetProbe is a Burp Extension from BishopFox that can aid in identifying remote Java Classpaths even with blind deserialization. Their writeup is worth a read. [T1190 Exploit Public-Facing Application]
  • physmem2profit is a tool from F-Secure that uses the winpmem driver to remotely access a Windows target's memory and extract credentials. Their blog post has the details. [T1003 Credential Dumping]
  • CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS) exploits a deserialization issue and allows anyone authorized to view the SSRS to achieve remote code execution as nt servicereportserver. [T1190 Exploit Public-Facing Application]
  • onedrive_user_enum allows the enumeration of Office365 domain users that have logged into OneDrive in the past. This provides a reliable enumeration method that is unmonitored and replaces the patched ActiveSync enumeration technique. [T1078 Valid Accounts]
  • KittyLitter is a credential dumper service for Windows that binds to TCP, SMB, and MailSlot channels to communicate credential material to the lowest privilege attackers. This is likely not that useful for offensive engagements, but would be a great tool for attack and defend CTFs where a defender may be rolling creds and trying to kick you off a box. [T1003 Credential Dumping]
  • GadgetToJScript, rasta-mouse fork, makes GadgetToJScript more user friendly by allowing input files and reference assemblies on the command line instead of hardcoding them, which required recompiling the tool. Rastamouse has a blog post that details the changes as well. [T1064 Scripting]
  • IIS-Raid is a native IIS module that abuses the extendibility of IIS to backdoor the web server and carry out custom actions defined by an attacker by 0x09AL of MDSec. The MDSec blog has details. [T1100 Web Shell]
  • CVE-2020-1938 Apache Tomcat AJP file read PoC. Deserialization strikes again. [T1190 Exploit Public-Facing Application]
  • Koppeling by Silent Break Security enables advanced DLL Hijacking (maintain stability of the source process, keep code execution within the process, and get around complexities involved in loader lock). Their blog post has all the details. [T1038 DLL Search Order Hijacking]
  • inline_syscall is another header-only C++ project for Windows that allows for easy inlining of syscalls. This project requires the use of clang, but does highly optimize and inline the direct syscalls. The first EDR to develop a generic detection for direct syscalls will likely have some unique detections. [TA0005 Defense Evasion]
    • This joins SysWhispers, a less optimized but more user friendly library for direct system calls.
    • @Cneelis's blog post which introduced the concept of direct syscalls.
  • CVE-2020-8813 is a simple exploit for a pre (if a guest has real time graph privilege - not default) and post authentication command injection vulnerability in the Cacti network monitoring web frontend. This is a 90's/early 2000's style command injection in a cookie; legacy software with legacy bugs. [T1190 Exploit Public-Facing Application]
    • Only affects PHP < 7.2 and Cacti < 1.2.10 (not released as of 2020-02-24; 0day)
    • Demo
    • Patch
  • NoAmci uses DInvoke (from the SharpSploit update last week) to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load(). As the offensive community moves from PowerShell to .Net, EDR has started to catch up and these types of bypasses are required against advanced EDR. [T1054 Indicator Blocking]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • 3snake is a tool for extracting information from newly spawned processes on Linux. This could easily be weaponized to ship creds back to a C2 once a box is rooted.

Last Week in Security (LWiS) - 2020-03-02

By: Erik

MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • ZyXEL NAS pre-authentication command injection in weblogin.cgi is a classic command injection in the username field. Adding a '; allows for command injection.
    • Affected devices: NAS326, NAS520, NAS540, NAS542 have patches available; NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 are forever vulnerable. [T1190 Exploit Public-Facing Application]
  • Doh365 is a new Office365 email enumeration tool from pry0cc that uses the login.microsoftonline.com/common/GetCredentialType endpoint to enumerate emails. It's subject to throttling but appears to be effective. [T1087 Account Discovery]
  • vscode-language-aggressor is a Cobalt Strike Aggressor extension for Visual Studio Code, and should come in handy for anyone who has tried to write an Aggressor script using Perl syntax highlighting. It also comes with tons of useful snippets.
  • CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys is a very interesting bug where the use of static keys (the same across every install) leads to post-auth RCE as SYSTEM. [T1190 Exploit Public-Facing Application]
  • UDP Hunter is a new python UDP scanner that covers all the common UDP services. My favorite scanning tool rumble run has limited UDP service support, so UDP Hunter is a welcome addition. A blog post by the tool author Savan Gadhiya is here. [T1046 Network Service Scanning]
  • xfrm_poc is a PoC UAF 8-byte write in the XFRM subsystem for linux 3.x-5.x kernels that leads to privilege escalation. Interestingly only a binary and detailed technical report have been released at this time. Affected distributions below. [T1068 Exploitation for Privilege Escalation]
    • Ubuntu 14.04 / 16.04 Server 4.4 LTS kernels
    • CentOS 8 4.18 kernels
    • Red Hat Enterprise Linux 8 4.18 kernels
    • Ubuntu 18.04 Server LTS 4.15 kernels
  • CVE-2020-2551 is an exploit against Oracle Weblogic Server IIOP 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Yet another unauthenticated RCE against Weblogic. If you are unlucky enough to have Weblogic in your environment, patch and isolate it as much as possible. [T1190 Exploit Public-Facing Application]
  • Mouse Framework is an iOS and macOS post-exploitation framework that gives you a command line session with extra functionality between you and a target machine using only a simple Mouse Payload. Mouse gives you the power and convenience of uploading and downloading files, tab completion, taking pictures, location tracking, shell command execution, escalating privileges, password retrieval, and much more.
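The ZyXEL weblogin.cgi bug above is the textbook shape of OS command injection: untrusted input concatenated into a shell command line. The Python below is an added illustration of that bug class and its fix, not the ZyXEL firmware code; CHECK_USER_BIN is a hypothetical helper binary. It shows the vulnerable construction, a small check that counts how many commands /bin/sh would really run for the resulting string, and the hardened form (allow-list plus argv passed without a shell).

```python
import re
import shlex
import subprocess
from typing import List

# Added illustration of the command-injection bug class; this is not the
# ZyXEL weblogin.cgi code. CHECK_USER_BIN is a hypothetical helper binary.
CHECK_USER_BIN = "/usr/bin/check_user"
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# POSIX shell control operators that start a new command.
COMMAND_SEPARATORS = {";", "&", "&&", "|", "||"}


def build_login_command_unsafe(username: str) -> str:
    """Vulnerable pattern: the username is spliced into a shell string.

    Wrapping the value in single quotes is not a defence. A username that
    itself contains a quote closes the argument early, and whatever follows
    is parsed by the shell as further syntax.
    """
    return f"{CHECK_USER_BIN} '{username}'"


def shell_command_count(command: str) -> int:
    """Count the simple commands /bin/sh would run for `command`.

    shlex with punctuation_chars=True tokenises ;, & and | the way a POSIX
    shell does. A result above 1 means the input changed the command
    structure, i.e. the injection succeeded. This is a demo heuristic only:
    it does not model $(...) or backtick substitution.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    tokens = list(lexer)
    return 1 + sum(1 for tok in tokens if tok in COMMAND_SEPARATORS)


def build_login_argv_safe(username: str) -> List[str]:
    """Hardened form: validate against an allow-list, then pass the value
    as its own argv element so no shell ever parses it."""
    if not SAFE_USERNAME.match(username):
        raise ValueError("username rejected: only [A-Za-z0-9._-] (1-64 chars) allowed")
    return [CHECK_USER_BIN, username]


def run_login_check(username: str) -> int:
    """Run the hardened form with shell=False and return the exit status.
    Only meaningful on a host where the helper binary actually exists."""
    return subprocess.run(build_login_argv_safe(username), check=False).returncode


if __name__ == "__main__":
    for candidate in ("admin", "admin'; id '"):
        cmd = build_login_command_unsafe(candidate)
        print(f"{cmd!r} -> {shell_command_count(cmd)} command(s)")
        try:
            print("  safe argv:", build_login_argv_safe(candidate))
        except ValueError as exc:
            print("  rejected:", exc)
```

The count check is only there to make the failure visible; the actual fix is the last two functions. An allow-list on its own would also have caught the `';` case, and argv-without-shell on its own would too, but doing both means a later change to one layer does not silently reopen the hole.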

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • goloader is a project that produces a binary capable of loading and running compiled golang code at runtime. It reuses its own runtime when loading compiled golang code, so the size stays small. I could see this being used for some very cool implants.
  • css.gg has 500+ minimalistic CSS icons for your web front ends. All icons are open source and available under the MIT license!

Last Week in Security (LWiS) - 2020-03-09

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-02 to 2020-03-09. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Project Sandcastle is a release of android for iPhones (Just 7 and 7+ currently) from Corellium. I think it's one part cool tech demo, and one part middle finger to Apple due to their recent legal battles.
  • Strategic Cyber LLC sells to HelpSystems, marking an end to the 8-year-old purveyor of Cobalt Strike founded by Raphael Mudge. Cobalt Strike will live on under HelpSystems, and may get integrated or expanded as HelpSystems also owns Core Impact. SpecterOps, the services company also founded by Mudge in 2017, will continue independent of him.
  • Let's Encrypt CAA Rechecking Bug is causing 3 million certificates to be revoked. If a certificate request contained multiple domains, and one of the domains was validated within 30 days, Let's Encrypt could fail to check for CAA records that prohibit issuance by Let's Encrypt within 8 hours of the renewal for all domains as required by the spec. On March 5th, the day of the revocation deadline, Let's Encrypt walked back the revocation plan to be only 1.7 million certificates, 445 of which had forbidden issuance by Let's Encrypt but were issued anyway due to the bug.
  • Intel x86 Root of Trust: loss of trust discloses a boot ROM bug that enables an attacker to get code execution inside of Intel's Converged Security and Management Engine (CSME). This is bad for lots of reasons, but the biggest are that being a ROM bug it is unfixable, and theoretically allows access to the chipset key allowing for hardware ID forgery, data decryption, etc. This is checkra1n (the iOS boot ROM exploit) for Intel chips, and affects every chipset besides 10th generation. Yikes. I imagine some people in windowless government offices are very excited by this news. Intel's official guidance: "End users should maintain physical possession of their platform." Thanks Intel. [T1200 Hardware Additions]
  • Mokes and Buerak distributed under the guise of security certificates. Attackers are turning a security control into a weapon, as users have been trained to click through certificate warnings in browsers. These attackers spoof the warning and deliver an executable when a user clicks to "Install (Recommended)." Well played.
  • Remote iOS/MacOS kernel heap corruption due to insufficient bounds checking in AWDL, what an innocuous title for such a monster bug. Ian Beer cements himself as a complete master of iOS/macOS bugs as he demonstrates the ability to wirelessly dump kernel memory from an iPad Pro on iOS 13.3 with no user interaction and AirDrop receiving off. The implication is that this can be turned into RCE, and that is truly terrifying. It's probably been quite a busy week in some other windowless government offices, as the ability to own modern iOS devices just by getting close to them is pretty much as good as it gets.
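The Let's Encrypt incident above is a failure of CAA rechecking on multi-name orders. The Python below is an added illustration, not Boulder's or any CA's code, of what the CA side is supposed to do: find the relevant CAA RRset by climbing toward the root (RFC 8659), apply the issue/issuewild semantics, and re-query every name whose cached result is older than the 8-hour reuse window rather than letting one name's fresh result cover the whole order. The zone data and the request cache are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value) as in a CAA RR

# Constructed zone data for the example, not real DNS answers. Names absent
# from the dict are treated as having no CAA records.
CAA_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "wild.example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "locked.example.net": [(0, "issue", ";")],                       # no CA may issue
    "example.org": [(0, "issue", "digicert.com")],                   # a different CA only
    "example.edu": [(0, "iodef", "mailto:security@example.edu")],    # no issue tag at all
}

# CA/Browser Forum Baseline Requirements: a CAA lookup may be relied upon for
# at most 8 hours before issuance.
CAA_MAX_AGE = timedelta(hours=8)

# Constructed request state for the demo: a two-name order where one name's
# CAA result is two hours old and the other's is twenty days old.
EXAMPLE_NOW = datetime(2020, 3, 4, 12, 0)
EXAMPLE_CACHE = {
    "www.example.com": EXAMPLE_NOW - timedelta(hours=2),
    "example.org": EXAMPLE_NOW - timedelta(days=20),
}


def relevant_caa(name: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from `name` towards the root and return the first non-empty CAA
    RRset with the name it was found at (the relevant RRset of RFC 8659 s.3)."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def issuance_permitted(name: str, ca: str, zone: Dict[str, List[CAARecord]], wildcard: bool = False) -> bool:
    """Decide whether the CA identified by `ca` (e.g. "letsencrypt.org") may
    issue for `name`.

    No relevant RRset, or one without any issue/issuewild tag, leaves issuance
    unrestricted. An issue value of ";" authorises nobody. For wildcard names
    the issuewild tag takes precedence when present.
    """
    _, rrset = relevant_caa(name, zone)
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    # Strip any parameters ("letsencrypt.org; validationmethods=dns-01").
    allowed = {value.split(";", 1)[0].strip() for _, t, value in rrset if t == tag}
    if not allowed:
        return True
    return ca in allowed


def authorize_certificate(names: List[str], ca: str, last_checked: Dict[str, datetime],
                          now: datetime, zone: Dict[str, List[CAARecord]]) -> Tuple[bool, List[str]]:
    """Per-name CAA rechecking for a multi-name certificate request.

    A cached (passing) CAA result is reused only while it is younger than
    CAA_MAX_AGE; every other name in the request is queried again on its own.
    Returns (permitted, names_that_were_rechecked).
    """
    rechecked: List[str] = []
    permitted = True
    for name in names:
        checked_at = last_checked.get(name)
        if checked_at is not None and now - checked_at <= CAA_MAX_AGE:
            continue
        rechecked.append(name)
        wildcard = name.startswith("*.")
        base = name[2:] if wildcard else name
        if not issuance_permitted(base, ca, zone, wildcard=wildcard):
            permitted = False
    return permitted, rechecked


if __name__ == "__main__":
    print(authorize_certificate(["www.example.com", "example.org"],
                                "letsencrypt.org", EXAMPLE_CACHE, EXAMPLE_NOW, CAA_ZONE))
```

The point of `authorize_certificate` is the loop: the reuse decision is made per name, so a stale result for `example.org` is re-queried even though `www.example.com` was checked two hours ago, and the order is refused because `example.org` only authorises another CA.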

Techniques

Tools and Exploits

  • BinDiff 6 released with experimental support for Ghidra. Good to see the big name tools supporting Ghidra.
  • CVE-2020-8794 PoC was released. 5 years of OpenSMTPD are vulnerable to this relatively simple exploit. Luckily, it's a rarely used mailer. [T1190 Exploit Public-Facing Application]
  • export_TSv.py allows you to parse Cobalt Strike Teamserver logs to extract credentials, sessions, and targets. This saves you from having to set up a Teamserver just to get at old data.
  • KsDumper is a tool for dumping a process without calling OpenProcess (developed to get around anti-cheat). This could be useful for dumping malware or other processes out of memory that have good anti-debugging features, and shows a concrete use case for the kernel driver exploit tools featured the past two weeks. [T1003 Credential Dumping]
  • PoC-in-Github is a bot that scrapes GitHub for CVE PoCs and catalogs them. Note: It does not fork the PoCs so they are subject to author takedowns.
  • SlackAttack is a python script (can be pyinstaller'd into a binary) that automates the backdooring of the slack desktop client to insert a keylogger that POSTs keystrokes on enter to a server you control. Note that if the app is signed this won't work on macOS as modifying the asar bundle breaks the signature. Windows doesn't care, even if the app is signed (this has been an open issue with electron since 2017), and linux only cares if the checks are done externally (i.e. with AppImage's validate tool or appimaged). Put this in your post-exploitation toolbox, but beware, the server component has a classic SQL injection vulnerability. [T1056 Input Capture]
  • SecretServerSecretStealer is a PowerShell script that decrypts the data stored within a Thycotic Secret Server, one of the more popular "enterprise" password managers. This doesn't exploit a weakness in Thycotic Secret Server per se, as once you have code running on the Secret Server itself, it's game over. [T1003 Credential Dumping]
  • ManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability is a good old-fashioned 0day dropped with no vendor notification, no CVE, and no patch or mitigation. This one even provides remote unauthenticated code execution as SYSTEM. [T1190 Exploit Public-Facing Application]
  • FullPowers is a Windows PoC to automatically recover the default privilege set of a service account including SeAssignPrimaryToken and SeImpersonate. This is useful when an exploit lands you as LOCAL SERVICE or NETWORK SERVICE and you need impersonation privileges to escalate to LOCAL SYSTEM. Detailed information on itm4n's blog. [T1134 Access Token Manipulation]

Last Week in Security (LWiS) - 2020-03-16

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-09 to 2020-03-16. MITRE ATT&CK techniques are in brackets where appropriate.

Stuck in self-quarantine? Movies for hackers is a great list of movies and shows for hackers and cyberpunk types.

News

  • Apple's T2 Chip is vulnerable to checkra1n which could lead to unlimited attempts to decrypt a FileVault protected volume if an attacker has physical access. This leads to an interesting question: Did Apple know about the bug and subsequent fix on the A12 chip or was it patched coincidentally? If they did know about it, why are they still shipping Macs with the flawed T2 which is built on the vulnerable A10 chip?
  • Finding a problem at the bottom of the Google stack details the process a Google site reliability engineer took as they traced down an issue from frontend to the datacenter. An interesting story of the kinds of issues you can have at Google-scale.
  • CVE-2020-8597 is a bug in the Point-to-Point Protocol (PPP) daemon for Linux which allows an unauthenticated attacker to trigger a stack-based buffer overflow. Right now the only PoC is a denial of service (crash), but this will likely be weaponized soon. Patch your VPNs! [T1190 Exploit Public-Facing Application]
  • avscript from the infamous Tavis Ormandy contains an interactive shell that lets you test Avast's custom javascript interpreter on Linux for vulnerability research. Yes, Avast ships a custom javascript interpreter and runs untrusted javascript through it. Since this came out Avast has disabled the interpreter globally.
  • Covid-19/Corona: Threat Actor Campaigns catalogs the many instances of threat actors leveraging the global pandemic to spread malware. Standard anti-phishing rules apply, even in a pandemic. [T1192 Spearphishing Link]

Techniques

Tools and Exploits

  • Advanced process monitoring techniques in offensive operations from Outflank introduces Ps-Tools, an advanced process monitoring toolkit for offensive operations. These tools are useful to investigate and keep an eye on compromised hosts and alert when defenders show up and start investigating your tooling. The Ps-Tools are listed below. [T1005 Data from Local System]
    • Psx: Shows a detailed list of all processes running on the system.
    • Psk: Shows detailed kernel information including loaded driver modules.
    • Psc: Shows a detailed list of all processes with Established TCP connections.
    • Psm: Show detailed module information for a specific process id (e.g. loaded modules, network connections).
    • Psh: Show detailed handle information for a specific process id (e.g. object handles, network connections).
    • Psw: Show Window titles from processes with active Windows.
  • CVE-2020-0978 is going to be one to remember like MS08-067 and MS17-010; kernel RCE in Windows 10 1903/1909 via a buffer overflow in SMB3's new compression capability means this is wormable and we will likely see something like WannaCry/NotPetya. [T1190 Exploit Public-Facing Application]
  • IceBox is a modified virtualbox for windows or linux that enables live, stealthy tracing and debugging on any kernel or user process. It is currently limited to one CPU per virtual machine, which may cause issues with environmental checks in malware. Perhaps this could be combined with VBoxHardenedLoader or antivmdetection.
  • Windows Privilege Escalation Exploits! I feel bad for any exploit dev who has been sitting on Windows LPE 0days as they aren't worth much any more. [T1068 Exploitation for Privilege Escalation]
  • harbian-audit has been updated to support hardening Debian 10 and CentOS 8.
  • pickl3 is another credential phishing tool for Windows. It is nicely packaged as a reflective DLL and comes with a cna script for Cobalt Strike. For another option, see SharpLoginPrompt. [T1056 Input Capture]
  • Crescendo is a swift based, real time event viewer for macOS. It utilizes Apple's Endpoint Security Framework. This could be the start of an open source macOS based EDR tool!
  • Callidus is a new O365 C2 framework written in .NET core (C#) that supports C2 via Outlook, OneNote, or Microsoft Teams. [T1102 Web Service]
  • Zelos is a comprehensive binary emulation platform written in python for linux binaries. x86, x86_64, ARM, and MIPS binaries are supported, with Unicorn providing CPU emulation.
  • Starkiller is a frontend for the PowerShell Empire fork maintained by BC Security. Along with the improvements in the 3.1 release of PowerShell Empire, Starkiller allows for easy multi-user interaction with a common C2 server. More details available on the BC Security Blog.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • saferwall is a self-hosted open source malware analysis platform; basically a self-hosted VirusTotal. Once you acquire AV licenses, saferwall will spin up all the infrastructure to do malware scanning across 12 major AVs!

Last Week in Security (LWiS) - 2020-03-23

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-16 to 2020-03-23. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • MSOLSpray is a password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled. [T1110 Brute Force]
  • r00kie-kr00kie is the first tool to exploit the Kr00k (CVE-2019-15126) WiFi attack where many chips set the packet encryption key to all zeros when de-authenticated, but still send all the packets in the send buffer. It is possible to leak a few packets from busy clients each time you de-auth them. Think of it as Heartbleed for WiFi, but much more disruptive to the end user. The Hexway Blog has a detailed explanation.
  • MemProcFS evolves direct memory access (DMA) attacks to their GUI based final form by mounting memory contents as a virtual file system allowing you to use normal tools like hex editors on live memory. It even comes with Python and C/C++ API bindings. [T1200 Hardware Additions]
  • Egalito: Layout-Agnostic Binary Recompilation is an interesting presentation by David Williams-King on a binary recompiler that lifts linux (x86-64, aarch64, and experimental RISC-V) ELF binaries to an intermediate language, applies modifications (e.g. patches, function trampolines), and recompiles back to a binary. The spirit of this project is binary hardening and after-the-fact patching, but I can see it being the basis of an advanced binary obfuscator or a tool to repurpose existing binary malware automatically. All the code is GPL-3 and on GitHub.
  • LDAPFragger: Command and Control over LDAP attributes introduces a tool for C2 via LDAP to use in environments where LDAP queries to a shared AD are allowed from both an isolated network and network with internet access. The C# project is available on GitHub. [T1094 Custom Command and Control Protocol]
  • PDBRipper is a utility for extracting information from PDB files (Program Database multi-stream symbol files), which contain lots of useful information about a binary.
  • LeakLooker-X is a GUI for discovering, browsing, and monitoring databases that leverages Binary Edge. [TA0007 Discovery]
  • gTunnel is a new tunneling solution written in golang. It may be useful as a base for how to implement tunneling in a custom golang access tool. [T1090 Connection Proxy]
  • Invoke-SharpLoader loads encrypted and compressed C# Code from a remote Webserver or from a local file straight to memory and executes it there. Very useful AV/EDR evasion tool. [T1500 Compile After Delivery]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • dsdump is an improved nm + objective-c/swift class-dump. If you have worked with macOS or iOS binaries and tried to use the various forms of class-dump, you know the problems the change from Objective-C to Swift caused in their output. dsdump has fixed these issues and provides even more options and output! Derek Selander provides a very in-depth writeup on the inner workings as well.

Last Week in Security (LWiS) - 2020-03-30

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-23 to 2020-03-30. MITRE ATT&CK techniques are in brackets where appropriate.

Need a project while working from home? @Random_Robbie published a list of WordPress plugins that call shell_exec. Have fun!

News

Techniques

Tools and Exploits

  • C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike. [T1001 Data Obfuscation]
  • TamperETW is a 64 bit PoC based on the blog post from last week about hooking Windows ETW telemetry to hide .NET actions. This PoC blocks assembly load events by hooking EtwEventWrite using native system calls. EDR will likely have a tough time with this. [T1054 Indicator Blocking]
  • ppdump-public uses the Zemana AntiMalware Engine to open a privileged handle to a Protected Process (PP) or Protected Process Light (PPL) and inject MiniDumpWriteDump() shellcode. It even comes with an aggressor script for easy integration with Cobalt Strike. [T1003 Credential Dumping]
  • changeling is a feature morphing tool that allows you to build dynamic payloads without having to constantly recompile. With correctly designed payload binaries, this tool can quickly swap out resources to change shellcode, settings, etc on the fly.
  • redirect.rules dynamically generates a redirect.rules file that will redirect Sandbox environments away from a payload hosting/C2 server to a site of your choosing. It combines a ton of User-Agent rules and IP space for known malware analysis companies to help keep your payload undetected for longer. The output rules work on Apache 2.4+ but it would be fairly easy to convert the output to nginx or iptables block rules. [T1090 Connection Proxy]
  • Runtime Mobile Security is a Frida powered web interface for manipulating Android Java Classes and Methods at runtime. A comparable iOS tool would be passionfruit and for a powerful CLI tool that supports both Android and iOS, check out objection. [T1055 Process Injection]
  • Grandstream UCM62xx SQL Injection - Tenable drops an unauthenticated remote code execution exploit for the IP-PBX phone system. Over 10,000 of these show up on Shodan. Need more IoT exploits? Raelize released five for the end-of-life D-Link DSL-2640B here, including hard-coded credentials, and Getting root on a Zyxel VMG8825-T50 router is a great breakdown of the process from unboxing to root shell. [T1190 Exploit Public-Facing Application]
  • Lockless is a C# tool that allows for the enumeration of open file handles and the copying of locked files. [T1005 Data from Local System]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • dive is a tool for exploring each layer in a docker image interactively in a terminal user interface. It's great for showing what changes at each layer, and can be integrated with continuous integration to ensure space efficiency remains high. It is a great tool to explore containers for possible supply chain risk, especially if the containers are only provided as docker archives. [T1195 Supply Chain Compromise]

This post is cross-posted on SIXGEN's blog.


Last Week in Security (LWiS) - 2020-04-06

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-03-30 to 2020-04-06. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Zoom issues. With great marketshare comes great responsibility to not be a dumpster fire of security. Lest we forget last year when their macOS app installed a web server that listened on localhost and allowed for remote code execution and did not uninstall with the app. Thankfully that has been corrected and the issues discovered recently are less severe.
    • The 'S' in Zoom, Stands for Security. The macOS whisperer Patrick Wardle goes over past issues and digs into the current installer's "tricks" that are also seen in a lot of macOS malware. Pro tip: after clicking "Launch meeting" twice for a Zoom meeting in Chrome it will give the option to "Continue in browser." No client software required.
    • Elon Musk's SpaceX bans Zoom over privacy concerns. Not an unexpected move given all the news here. The most troubling quote is from a Zoom blog post: "Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption." End-to-end encryption is a technical term, not something you can have "in spirit."
    • 'War Dialing' Tool Exposes Zoom's Password Problems. A new tool called zWarDial is able to find a surprising number of Zoom meetings without passwords by brute forcing meeting IDs. Regardless of your conferencing solution, use a strong password!
    • Zoom's Encryption Is "Not Suited for Secrets" and Has Surprising Links to China, Researchers Discover. 5 out of 73 key management servers are in China and are used for some calls that have no nexus in China, and Zoom makes questionable encryption choices (AES-128 in ECB mode?!).
    • There has been some press over Zoom "allowing" UNC paths to "leak windows password hashes" which in my opinion is a stretch at best. Zoom is opening the links correctly, and it is Windows that is sending hashes. To me, this is not a Zoom issue.
    • Zoom seems to be taking this all quite well, and has made concrete steps and promises to improve.
    • Jitsi Meet is a more secure and self-hostable option for video conferencing (a good install guide and comparison to Big Blue Button is here). Signal is also a great choice for everyday use and 1-on-1 video calls.
  • ATT&CK with Sub-Techniques — What You Need to Know. MITRE releases a new version of the ATT&CK matrix with sub-techniques! Check out the new matrix here.
  • Facebook tried to buy NSO iOS tool Pegasus (see point 10). NSO goes nuclear in their latest court filing by claiming that Facebook tried to pay them to hack iOS users for data collection. Extraordinary claims require extraordinary evidence, as NSO is certainly in a position to gain from bad press about Facebook given the pending Whatsapp lawsuit.
  • Introducing 1.1.1.1 for Families. Cloudflare, one of the few (only?) audited DNS resolvers, introduced two new options: 1.1.1.2 will not resolve known malware domains, and 1.1.1.3 will not resolve known malware domains or "adult content." DNS filters are by no means a full filtering solution, but if all it takes to block some malware is a DNS entry change and the provider has a track record of privacy, it may be a good option for average users.

Techniques

Tools and Exploits

  • EyeWitness - Looking Sharp introduces the C# version of the EyeWitness website screenshot tool for use with Cobalt Strike or other C# implants. [T1046 Network Service Scanning]
  • nuclei - Project Discovery keeps the hits coming with nuclei, a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use. Think of it as an open source Nessus. Be sure to grab the templates too. [T1046 Network Service Scanning]
  • dirscan is a high performance tool for summarizing large directories or drives. Written in rust, this cross platform tool is blazing fast and works on local and network drives. If you need to quickly get a handle on where things are on a machine, this could be your new best friend. [T1005 Data from Local System]
  • magnifier0day is this week's Windows local privilege escalation exploit. This one requires a writable path in %PATH% but after that it is as easy as two hotkeys to a SYSTEM shell. [T1068 Exploitation for Privilege Escalation]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • phpggc is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
  • pulsar is an automated network footprint scanner for Red Teams, Pentesters and Bounty Hunters. It's focused on discovery of an organization's public facing assets with minimal knowledge about its infrastructure. [T1046 Network Service Scanning]

This post is cross-posted on SIXGEN's blog.


Last Week in Security (LWiS) - 2020-04-13

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-04-06 to 2020-04-13. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • IDA Home is coming! The "Ghidra Effect" is pushing Hex-Rays to innovate, and while details are light, this is inevitably a good thing for the reverse engineering community. However, the Home edition will only support one processor family, and is $365 a year (no decompiler). The biggest advantage is the inclusion of IDAPython, which unlocks a deep community of user-created tools for IDA.
  • A Decade of RATs is a report from BlackBerry that details advanced persistent threats targeting Linux endpoints.
  • Google and Apple team up for contact tracing while trying to preserve privacy. Even with "anonymous" tracking, this data will likely be weaponized in unforeseen ways.

Techniques

Tools and Exploits

  • Ghost-In-The-Logs is a tool that leverages a kernel driver to disable Event Tracing for Windows (ETW). This can enable or disable all logging, so use it sparingly! [T1054 Indicator Blocking]
  • GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects. [T1500 Compile After Delivery]
  • nessus-database-export is a script to export Nessus results to a relational database for use in reports, analysis, or whatever else. This can be used to find a specific vulnerability across many scans, searching for text across all scans, seeing stats across date ranges, or as the backend for a custom web app.
  • Slingshot C2 Matrix Edition is a virtual machine from the makers of the C2 matrix that comes with many C2 frameworks preinstalled. A SANS login is required for download. [TA0011 Command and Control]
  • Gunslinger is a hunting tool that is based around URLScan's Search API. Gunslinger can crawl URLScan for JavaScript files that match a set of user-defined rules and reports the information back to Slack. Of note, the URLScan API is free and this tool may be useful for continuous monitoring of your web properties to alert on JavaScript or other changes.
  • frankenstein provides a virtual environment to fuzz wireless firmware using the CYW20735 Bluetooth evaluation board. This is a cool tool to explore Bluetooth firmware bugs.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • 18 GitLab features are moving to open source. GitLab might be feeling the pressure from GitHub as they make their free offering even better with the following features that used to be paid-only: Related issues, Export issues, Issue board focus mode, Service desk, Web Terminal for Web IDE, File syncing to the web terminal, Design Management, Package Managers, Canary deployments, Incremental rollout, Feature flags, Deploy boards, Support for multiple Kubernetes clusters, and Network policies for container network security.
  • Project Send is free, open source software that lets you share files with your clients, focused on ease of use and privacy. It supports client groups, system user roles, statistics, multiple languages, detailed logs, and much more! Docker container here.

This post is cross-posted on SIXGEN's blog.


Last Week in Security (LWiS) - 2020-04-20

By: Erik

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-04-13 to 2020-04-20. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • GitHub is now free for teams - private repositories with unlimited collaborators are now available to all GitHub accounts and the price of the paid plan drops to $4 per user per month. Microsoft is shoveling cash into the Github furnace to ensure dominance. To what end remains to be seen, but in the short term users benefit.
  • Riot Games offers $100,000 for kernel exploit in anti-cheat. Riot Games (developers of League of Legends) is offering a lot of money if anyone is able to execute code in the Windows kernel via their new "Vanguard" anti-cheat driver. HackerOne doesn't list a bounty if you can show "Vanguard" is being used as a backdoor; Riot Games is wholly owned by Chinese conglomerate holding company Tencent.
  • tfp0 bug and exploit teased for iOS 13.4.1 on A13. Big if true, this screenshot shows uname -a output for the latest iOS on the latest iPhone processor which means Qihoo 360 likely has a powerful iOS 0day on their hands.
  • AiR-ViBeR: Exfiltrating Data from Air-Gapped Computers via Covert Surface ViBrAtIoNs shows that there is yet another way to slowly leak information out of air-gapped networks, this time via vibrations caused by varying the case fan speed and detected with an off-the-shelf cell phone on the same table. Demo video here. [TA0009 Collection]
  • Binary Ninja adds a decompiler. Hot on the heels of the Hex-Rays IDA Home announcement, Binary Ninja adds a decompiler to their free cloud offering (graph view only) and offline disassemblers (graph view and linear). Keep up the great work Vector 35!
  • Buyer beware: that 2TB-6TB "NAS" drive you've been eyeing might be SMR brings to light a rumor that has been gaining credibility. Despite being marketed as "NAS" drives, nearly all 2TB-6TB drives (yes - even WD Reds) are Shingled Magnetic Recording (SMR) drives. This has a huge impact on write speed and this technology was previously reserved for "archive" or "backup" drives. Seagate has confirmed that none of its IronWolf or IronWolf Pro drives use SMR, but is as cagey as the other major manufacturers about all other drives. This recent bout of shady practices is in the shadow of likely price fixing by the three major drive manufacturers since the Thailand flood of 2011. High capacity SSDs cannot come fast enough.
  • Flipper Zero hardware hacking tool announced. This is a really cool looking piece of kit that, if they can deliver, will be an essential for every hacker's go-bag. It claims to have the capability to do everything from being a 433/868 MHz transceiver, 125kHz RFID cloner, InfraRed transceiver, Bad USB, iButton cloner, and have compatibility with the Arduino IDE. Big promises but I will be in line as soon as the kickstarter opens in May.

Techniques

  • Methodology for Static Reverse Engineering of Windows Kernel Drivers takes the reader through the process of identifying drivers on targets, setting up a Ghidra environment to work with Windows drivers (setting up the symbols needed for analyzing drivers), finding the driver entry, and reversing functions. n4r1b's blog has even more Windows driver reversing.
  • DNS Peer-to-Peer Command and Control with ADIDNS is a method of using Active Directory-Integrated DNS Zones (ADIDNS) records in restrictive corporate networks to bypass locked down outbound firewalls. Adding an ADIDNS entry (available to any authenticated domain user), tunneling with a helper C# tool, and a little socat allows a Cobalt Strike beacon to relay through another Cobalt Strike beacon via DNS. [T1048 Exfiltration Over Alternative Protocol]
  • Kerberos Delegation - Hackndo is back with another great article on Active Directory, this time focusing on the different types of Kerberos delegation.
  • Designing The Adversary Simulation Lab by Adam Chester is a deep dive into the tools and technologies MDSec chose to build a deployable lab for their adversary emulation course and contains some insights on Desired State Configuration, Terraform, and the intricacies of AWS. Adam even provides a demo lab!
  • Build your first LLVM Obfuscator. Ever wanted to venture into the depths of the LLVM compiler's intermediate representation to obfuscate a binary without changing the source code? This article introduces LLVM and walks through a string obfuscator. This technique could be expanded and used on open source red team tools as part of an AV/EDR bypass. [T1027 Obfuscated Files or Information]

Tools and Exploits

  • BlockBlock 1.0 Beta is an open source rewrite of the persistence monitor for macOS that uses the Endpoint Security Framework. If you are using the 0.9.x BlockBlock, you will have to manually uninstall and install this version. [TA0003 Persistence]
  • pwndrop is a self-deployable file hosting service for red teamers from the maker of evilginx2, which allows you to easily upload and share payloads over HTTP and WebDAV. The UI is beautiful and the feature road map looks good. Read more on his blog. [T1192 Spearphishing Link]
  • burp-exporter is a Burp Suite extension to copy a request to the clipboard as a function in any of several programming languages.
  • xioc extracts indicators of compromise from text, including "escaped" ones like hxxp://banana.com, 1.1.1[.]1 and phish at malicious dot com. This is a useful tool for automating "threat intelligence" pipelines.
  • remove-zoom-macos - Zoom's recent security woes have you thinking twice about that app install? This script removes everything Zoom put on your Mac, even the things the official uninstaller leaves behind.
  • Jamf-Attack-Toolkit is a suite of tools to facilitate attacks against the Jamf macOS management platform. Check out the accompanying blog post and slides. [T1133 External Remote Services]
  • meshmembers is a tool to organize a mesh network of redirectors and allow the state of the network to be actively maintained by each node. [T1188 Multi-hop Proxy]
  • vmware_vcenter_cve_2020_3952 is an exploit for last week's CVE-2020-3952 in vCenter 6.7 that allows an unauthenticated attacker to add themselves as an Administrator to a vCenter if it was upgraded from 6.5 or earlier to 6.7 (fresh installs not affected). [T1190 Exploit Public-Facing Application]
  • ROADtools is an Azure AD exploration framework (Rogue Office 365 and Azure (active) Directory tools). It currently contains a great recon tool with an Angular UI for exploring an Azure AD. Blog and stream here.
  • SweetPotato is a rewrite of JuicyPotato (Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019) that is now compatible with execute-assembly with some extras. [T1068 Exploitation for Privilege Escalation]
  • quicksql is a simple MSSQL query tool that allows you to connect to MSSQL databases and does not require administrative level rights to use.
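The xioc entry above describes "escaped" (defanged) indicators such as hxxp://banana.com, 1.1.1[.]1 and phish at malicious dot com. The following is an added example, not xioc's own code, of how a threat-intel pipeline can refang such text and pull out URLs, IPv4 addresses, e-mail addresses, domains and hashes before feeding them to a blocklist or SIEM. The sample report text and every indicator in it are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample "report" text that defangs its indicators the way analysts
# commonly do (hxxp, [.], " dot ", " at ", [at]). Not taken from any real report;
# the MD5 is simply the well-known hash of the empty string.
SAMPLE_REPORT = """
The loader beacons to hxxp://banana.com/update and hxxps://cdn[.]banana[.]com/a.js
Second-stage C2 at 1.1.1[.]1 and 203[.]0[.]113[.]42 over port 443.
Lure emails came from phish at malicious dot com and ops[at]malicious[.]com.
Dropper MD5: d41d8cd98f00b204e9800998ecf8427e
"""

# A domain-looking token: one or more labels followed by an alphabetic TLD.
_DOMAIN = r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}"

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
EMAIL_RE = re.compile(r"\b[\w.+-]+@" + _DOMAIN + r"\b")
DOMAIN_RE = re.compile(r"\b" + _DOMAIN + r"\b")
# SHA-256, SHA-1 and MD5, longest first so a long hash is not split into shorter ones.
HASH_RE = re.compile(r"\b(?:[A-Fa-f0-9]{64}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{32})\b")


def refang(text: str) -> str:
    """Undo common defanging conventions so the indicators become matchable."""
    t = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    # "[.]", "(.)", "{.}" and " dot " all stand in for a literal dot.
    # Note: the bare word "dot" in ordinary prose would be rewritten as well.
    t = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", t)
    t = re.sub(r"\s+dot\s+", ".", t, flags=re.IGNORECASE)
    # "[at]" and "(at)" always mean "@"; the bare word "at" is only treated as a
    # separator when a domain follows, so prose like "C2 at 1.1.1.1" is left alone.
    t = re.sub(r"\[at\]|\(at\)", "@", t, flags=re.IGNORECASE)
    t = re.sub(r"\s+at\s+(?=" + _DOMAIN + r"\b)", "@", t, flags=re.IGNORECASE)
    return t


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Refang the text, then return de-duplicated, sorted indicators by type."""
    t = refang(text)
    urls = set(URL_RE.findall(t))
    # Strip URLs before the domain pass so path components such as "a.js" are
    # not mistaken for hostnames; take URL hosts from the parsed URL instead.
    without_urls = URL_RE.sub(" ", t)
    domains = set(DOMAIN_RE.findall(without_urls))
    for u in urls:
        host = urlparse(u).hostname
        if host:
            domains.add(host)
    return {
        "urls": sorted(urls),
        "ipv4": sorted(set(IPV4_RE.findall(t))),
        "emails": sorted(set(EMAIL_RE.findall(t))),
        "domains": sorted(domains),
        "hashes": sorted(h.lower() for h in set(HASH_RE.findall(t))),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind}: {values}")
```

The domain pass deliberately runs on the text with URLs removed: otherwise a path such as `/a.js` in a URL looks like a two-label hostname. The " at " and " dot " rewrites are heuristics, so anything extracted this way still belongs in a review queue rather than straight into a blocklist.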

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • OffensiveCSharp is a great collection of offensive C# tooling that can be used post-exploitation on Windows targets. Check the readme for a description of each tool.
  • Brim is a desktop application to efficiently search large packet captures and Zeek logs. It loads pcaps much faster than Wireshark but allows detailed analysis of flows in Wireshark with a single click.
  • qrpc allows you to transfer files over wifi from your computer to your mobile device by scanning a QR code without leaving the terminal. It's bi-directional and can receive files from a phone with a handy web uploader.

This post is cross-posted on SIXGEN's blog.


Last Week in Security (LWiS) - 2020-04-27

By: Erik —

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-04-20 to 2020-04-27. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • BSides LV and DEF CON skytalks announce their cancellation for 2020.
  • Rumble.run announces free tier. Rumble is a scanning and asset identification product from HD Moore, founder of the Metasploit project. I have been using Rumble since the beta and it has proven to be the best tool for enumeration on engagements. The free tier gives you enough room to experiment and use on small engagements or bug bounties. After a few uses, you'll only go back to masscan and nmap for very specific scans. [T1046 Network Service Scanning]
  • COVID-19’s impact on Tor. Tor cut 13 of its staff and is down to 22 employees due to the lack of donations. Donate here to help keep this privacy resource funded.
  • Mobile Bugs
  • Another 1-line NPM package breaks JavaScript development. is-promise has 3,433,289 dependents and even had a bug. The early lack of a good standard library (modern JavaScript has fixed this) has caused an ecosystem of tiny packages that are maintained by unvetted developers. Let this be another reminder to vendor your dependencies, which might work!
  • Python releases 2.7.18, the last release of Python 2, despite Python 2 going out of support on January 1st, 2020. Python 3 has been available since 2008, but if for some reason you can't upgrade, PyPy and RedHat have said they will continue supporting Python 2.

Techniques

Tools and Exploits

This post is cross-posted on SIXGEN's blog.


Last Week in Security (LWiS) - 2020-05-04

By: Erik —

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-04-27 to 2020-05-04. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • iOS Sandbox escape "Psychic Paper" 0day released. It turns out having 4 custom XML parsers leads to trivial sandbox escape. The patch ironically adds two additional parsers. I would hope Apple is screening App Store apps to prevent this from being abused.
  • Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams. Subdomain takeover combined with the way Teams includes GIFs allowed the CyberArk team to exfiltrate users' JSON web tokens (JWTs), which allows them to scrape messages if a user views their GIF. This is extra powerful because the JWT also allows the attacker to impersonate the victim and send the GIF to all contacts, essentially making this vulnerability wormable. [T1193 Spearphishing Attachment]
  • FCC Scrutinizes Four Chinese Government-Controlled Telecom Entities. The FCC issued show cause orders to China Telecom Americas, China Unicom Americas, Pacific Networks, and ComNet demanding an explanation of why the FCC should not initiate proceedings to revoke their authorizations. These telecoms have 30 days to prove their operations and subsidiaries are "not subject to the influence and control of the Chinese government."
  • #OBTS v3.0 Talks & Photos. All the slides from the macOS security conference "Objective by the Sea" have been posted.
  • Other "Weeks"
  • Sysmon v11 Released and includes file delete monitoring and archiving to help responders capture attacker tools, and adds an option to disable reverse DNS lookup. This will be huge for defenders, allowing them to easily get samples of malware that only exists on disk for a short period of time.

Techniques

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • ParamSpider helps discover HTTP parameters by mining parameters from the dark corners of Web Archives.
  • wxHexEditor is a great cross platform free and open source hex editor.
  • DbgShell is a PowerShell front-end for the Windows debugger engine.
  • ysoserial fork is a fork of the official great ysoserial project with some improvements added to create payloads for the Burp Suite plugin Java Deserialization Scanner and more generally to speed-up and improve the detection and the exploitation of Java serialization issues with ysoserial.

This post is cross-posted on SIXGEN's blog.


Last Week in Security (LWiS) - 2020-05-11

By: Erik —

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-05-04 to 2020-05-11. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • ALU/Nokia GPON Admin and WIFI keygen. While default WiFi credentials have gotten much better in the last decade, some suppliers are still using bad algorithms to generate default passwords. In this case Nokia is using the OUI and serial number. The full background, device teardown, and keygen is in the git readme.
  • Samsung Android multiple interactionless RCEs and other remote access issues in Qmage image codec built into Skia is as bad as it sounds. With enough malformed images, an attacker can leak address space layout randomization (ASLR) offsets and create a payload image that will provide a remote code execution. While the demo shows lots of alerts for incoming messages, think if this was productized or conducted while the victim is asleep and then cleaned. If you have or manage Samsung devices, ensure they are updated with the May 2020 update. Demo here. [TA0001 Initial Access]
  • GitHub Codespaces is a hosted Visual Studio Code for GitHub. Great for quick edits or perhaps remote development. It remains to be seen how it will handle files not in git (secrets, .env, etc) and what it will cost.
  • Huawei HKSP Introduces Trivially Exploitable Vulnerability. Huawei manages to royally screw up its custom kernel protection mechanism which turns out is exploitable with a 10 line PoC.
  • Matrix enables end-to-end encryption by default. The go-to choice for privacy-respecting chat services just enabled end-to-end encryption by default after a long beta period. For federated, self-hostable, encrypted messaging and chat rooms Matrix + Riot is the way to go. For ease of use, Signal wins for now.
  • Thunderspy: When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security is an evolution of Thunderbolt Direct Memory Access (DMA) attacks that re-flashes the Thunderbolt controller firmware to allow classic DMA attacks. This lets an attacker with physical access get into a running, locked Windows or Linux machine (macOS has additional protections that are not bypassed), even with full disk encryption, in under 5 minutes. Some laptops produced after 2019 have mitigations, but many do not. Take 5 minutes to watch the demo and think twice about leaving your running laptop unattended. Full paper here. [T1200 Hardware Additions]

Techniques

Tools and Exploits

  • Windows loaders [T1066 Indicator Removal from Tools]
    • NetLoader loads any C# binary in memory, patching AMSI and bypassing Windows Defender. It includes tons of C# tools and an MSBuild payload.
    • FALCONSTRIKE is a stealthy, targeted Windows loader for delivering second-stage payloads (shellcode) to the host machine undetected. Blog post here.
  • SharpC2 is a new .NET C2 framework "proof of concept" that looks fairly polished. It has a modular design, supports many "advanced" features (port forwarding, PPID spoofing, ETW patching), and has a nice web UI on the server side. Code here. [T1071 Standard Application Layer Protocol]
  • drow is a command-line utility that is used to inject code and hook the entrypoint of ELF executables (post-build). It takes unmodified ELF executables as input and exports a modified ELF containing an embedded user-supplied payload that executes at runtime. This is the Linux "easy button" of stealthy persistence. Find a binary that runs on boot or on a schedule and infect it with drow to run your implant as well as its normal job. Be sure to fork or inject to allow the process to function normally (don't block). [TA0003 Persistence]
  • NetworkServiceExploit is a self contained binary to escalate from Network Service to SYSTEM on Windows when a SYSTEM token is available. Use this with last week's Print Spoofer if FullPowers isn't working for you. I suspect next week we will see a tool that combines all three of these in a "one click to SYSTEM" binary. [T1068 Exploitation for Privilege Escalation]
  • slack-watchman monitors your (or your target's) Slack workspaces for sensitive information. Given a Slack API key this tool will search for sensitive files (API keys, certificates, passwords, etc) and generate a report. Useful for both red and blue teams.
  • CVE-2020-0674-Exploit is a UAF exploit for the x64 version of IE 8, 9, 10, and 11 on Windows 7 that was patched in January 2020 after it was found being exploited in the wild as a 0day. This could be handy when targeting legacy workstations in a corporate environment (out of date and forced to use IE). [T1192 Spearphishing Link]
  • Minimalistic-offensive-security-tools are short but useful powershell scripts that can be used in VDI or other restricted environments where you may have to manually recreate your security tools.
  • whoogle-search is a self-hosted, ad-free, privacy-respecting proxy for Google search. Think of it as a first step to search privacy. The next step is searx.
  • itool is an easy iOS and composable device management command line interface. It was made to simplify and automate common development and provisioning tasks, but could be used to assist with iOS app hacking as well.
  • rbcd-attack is a practical attack against Kerberos Resource-Based Constrained Delegation in a Windows Active Directory Domain.
  • CLRvoyance is a shellcode kit that supports bootstrapping managed assemblies into unmanaged (or managed) processes. It provides three different implementations of position independent shellcode for CLR hosting, as well as a generator script for quickly embedding a managed assembly in position independent shellcode.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Kernel-Bridge is a Windows kernel hacking framework, driver template, hypervisor, and API written in C++, but the magic is that it is a signed kernel driver that is allowed under SecureBoot and allows all kinds of kernel tampering. It seems strange that Microsoft allows this.
  • pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, and port forwarding magic; fully scriptable with Python.
  • Beekeeper Studio is a cross platform open source SQL editor and Database manager that works with MySQL/MariaDB, Postgres, SQLite, SQL Server, and Amazon Redshift.
  • DRAKVUF Sandbox is an automated black-box malware analysis system with DRAKVUF engine under the hood, which does not require an agent on guest OS.
  • faxhell is a bind shell using the Fax service and a DLL hijack based on Ualapi.dll. A good base for stealthy persistence in Windows.

This post is cross-posted on SIXGEN's blog.


Last Week in Security (LWiS) - 2020-05-18

By: Erik —

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-05-11 to 2020-05-18. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

Utilities

  • vscode-drawio brings the great open source diagramming tool into VSCode.
  • yubikey-agent simplifies the arduous yubikey setup process to just a single command. This setup does not create an encrypted backup though, so a lost or broken yubikey cannot be restored.
  • lens is a cross platform IDE for managing Kubernetes clusters. Nothing extra needs to be installed on the pods, just run the app and start managing.

This post is cross-posted on SIXGEN's blog.
