Part 3: Tricks, Tips and Playbooks

This content is based on the H3 tasks of Data Security by Mr. Karvinen. We will have a look at some attack tactics and more WebGoat tasks.

Mitre 2022: ATT&CK Enterprise Matrix

The MITRE ATT&CK® Matrix for Enterprise contains tactics and techniques for various platforms. They cover the tactics listed below, from Reconnaissance to Impact.

Please follow the link below for the full enterprise matrix.

The easy stuff

Each tactic contains multiple techniques of various difficulty levels. Below is an overview with one simple and easy technique from each tactic.

Reconnaissance

Searching Open Websites/Domains refers to searching publicly available websites and domains for intelligence, which can then be used for targeting or attacks. This includes social media, news, business reports, job postings, etc.

Resource Development

Establishing Accounts refers to creating accounts which are then used for targeting or an attack. For example, this could be done by building a persona for social engineering.

Initial Access

Exploit Public-Facing Application refers to using weaknesses in public-facing systems for an attack. For example, this could be a website's content management system which is outdated and not properly secured.

Execution

Exploitation for Client Execution refers to the exploitation of software vulnerabilities which allow us to execute malicious code.

Persistence

Create Account refers to creating an account on the target system to maintain access and persistence. This could be a local account, a domain account, etc.

Privilege Escalation

Valid Accounts refers to the takeover or abuse of legitimate account credentials as a base for an attack.

Defense Evasion

Hide Artifacts refers to hiding artifacts related to an attack in order to evade detection. This could mean hiding files, activities, etc. to remain undetected.

Credential Access

Unsecured Credentials refers to credentials which are stored insecurely. This could be as simple as production server credentials stored in a text document on a software engineer's machine.

Discovery

File and Directory Discovery refers to the searching of information in files and directories on a target system or network.

Lateral Movement

Internal Spearphishing refers to targeted phishing from within the target environment. For example, we might have control of the general manager's account and send a payload in his name to another target within the environment.

Collection

Data from Local System refers to the search and collection of target data on a local system.

Command and Control

Web Service refers to the usage of an external web service to relay data and instructions to and from the target system.

Exfiltration

Transfer Data to Cloud Account refers to the exfiltration of data with the help of a cloud service to avoid more traditional detection.

Impact

System Shutdown/Reboot refers to shutting down a target system to interrupt access, cause damage or cause delays.

Techniques, Subtechniques, Tactics and Procedures

To make things a bit clearer in the context of this topic, let's have a quick look at the explanation of each of the following terms, together with some examples.

Techniques refer to how a tactical goal is achieved through an action. For example, active scanning of a target via network traffic.

Subtechniques are, as the name implies, subcategories of techniques. The technique Account Discovery, for example, has subtechniques such as Local Account, Domain Account, etc.

Tactics describe the overall goal of the techniques and subtechniques they contain. For example, the tactic Execution contains techniques such as "Native API".

Procedures are the concrete ways a technique or subtechnique is carried out. For example, a procedure could be the use of the Calisto trojan to open a backdoor on a macOS target.

OWASP: Cross Site Scripting (XSS)

Cross Site Scripting or XSS is a very diverse attack type based on injection. It allows us to inject scripts/code into trusted websites, which makes the attack extra sneaky since we don't need to lure anyone to a dodgy or untrusted location. With XSS we can access all kinds of sensitive information, including cookies and session tokens, as well as manipulate the HTML of the trusted website. Especially today, when a lot of dynamic content and external ads are willingly loaded into websites, XSS is a rather lucrative path.

Generally, XSS attacks can be divided into two categories: stored XSS and reflected XSS. Stored attacks permanently embed the injected script on the target server, while in reflected XSS the script is not stored but delivered with the request, for example in a crafted URL, and echoed back in the response. Depending on their nature, XSS attacks can be tricky to prevent; for more details on XSS prevention check out the OWASP XSS Prevention Cheat Sheet.

XSS can range from very simple to highly complicated attacks. For example, it could be as simple as writing JS code into a comment field on a poorly protected blog website. The XSS could forward visitors to a malicious target page, steal cookies, create a new database user with admin rights, etc. The possibilities are endless.
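The comment-field case above is exactly where output encoding decides whether a stored script runs or is merely displayed. The following is an added example (not the author's or OWASP's code) that renders the same constructed comments once by plain string concatenation and once with HTML escaping; the function names are hypothetical.

```javascript
// Added example: rendering user comments with and without output encoding.
// Function names and the sample comments below are constructed for illustration.

// Constructed sample comments; the second one is a harmless <script> probe of the
// kind a poorly protected comment field would store verbatim.
const comments = [
  { author: "alice", text: "Lovely vanilla scent, burns evenly." },
  { author: "mallory", text: "<script>console.log('Hello')</script>" },
];

// Vulnerable: user text is concatenated straight into the HTML, so a browser
// would execute the stored <script> on every page view (stored XSS).
function renderCommentsUnsafe(list) {
  return list
    .map((c) => `<li><b>${c.author}</b>: ${c.text}</li>`)
    .join("\n");
}

// Hardened: every character that has meaning in HTML is replaced by its entity
// before it reaches the page, so the payload is shown as text, not executed.
function escapeHtml(str) {
  const entities = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(str).replace(/[&<>"'\/]/g, (ch) => entities[ch]);
}

function renderCommentsSafe(list) {
  return list
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join("\n");
}

// Crude check used here to show the difference: does the fragment still
// contain a live <script> tag that a browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderCommentsUnsafe(comments)); // still contains <script>...
console.log(renderCommentsSafe(comments));   // contains &lt;script&gt;... instead
```

The escaping shown covers the HTML body context; text placed into attributes, URLs or inline JavaScript needs the context-specific encoding described in the OWASP cheat sheet.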

XSS: Cross Site Story

To better highlight the potential of XSS, let's imagine the following scenario. We have a disgruntled person (DP) named John, and a clueless target (CT) named Peter. CT is a 58 year old HR manager who decided to start his own online business with his wife, selling handmade scented candles. While his wife knows all about candles, Peter wants to be useful too. His work experience in HR isn't of much help here, but 15 years ago he took some free online courses on how to build an online store with HTML, PHP, JavaScript and MySQL. He mostly copied everything together from code examples, but it works like a charm. He still has that project stored on a USB stick. A little bit of copy-pasting CSS and fancy JavaScript libraries later, to make everything look modern, CT has his store up and running. Plus he saved a lot of money since he didn't have to buy any ready solution. Even better, his son gave him an old computer on which he managed to host the store. So no need to pay for anything at all. This is great, CT thinks.

Not far away we have DP, who happens to be a former coworker of CT. He had a long and successful career as a Systems Architect in the company, until one day CT heard him making multiple jokes about his wife's obsession with all those long and big candles. CT did not find this funny in any way and escalated the issue to his manager. This resulted in the termination of DP's permanent work contract. DP was more than just upset that someone could be so uptight about his awesome candle jokes. The job market is in the gutter and DP can't find a new job which would support his rather extravagant lifestyle. He just had to sell his second Porsche to keep paying his rent. While being bored at home he hears from an ex-coworker that CT quit his job to start a candle online store with his wife. DP sees his opportunity for revenge: he will show that idiot that he messed with the wrong guy.

In the meantime CT's business is booming and the candles sell extremely well. While the local newspaper publishes a story about the new and successful local candle business, DP is working on much more sinister, or in his eyes funny, plans. He has thoroughly analysed the online store and noticed that security is nearly non-existent. While he could easily turn this store into digital dust with a few keystrokes, he has a much better idea. He utilizes the comment fields under each product to inject some JavaScript that is then stored in the database and loaded as part of the comments when the product page is opened. The script uses document.getElementsByTagName('img') and assigns a new src value that points to pictures of some candle-shaped adult toys. As a result, all product pictures in CT's store now display something slightly different from the innocent candles he and his wife are selling.

CT sees with fear that something horrible has happened to his store. Luckily it seems that he is the first person to notice it, so after some panicking he deletes all comments and removes the comment field from all product pages, thinking that the problem is solved. DP is not happy that someone as incompetent as CT managed to get things back under control so fast. He didn't even manage to tell all his friends about it so that they could share a big laugh together. "Well, I guess it is time to step things up and do some real damage," he thought. This time DP manages to inject an XSS based keylogger into another input field. This way he can get the target's keystrokes sent straight to a server under his control. After capturing the admin credentials for the store, and noticing that CT uses the same password not only for his database but also for the webserver, he now has easy access to everything he wants and can set up a more permanent nest to keep messing with CT and his candle business.

WebGoat A3: Sensitive data exposure

Step 2 - Insecure Login: Let's try

This lesson highlights the importance of encryption by asking us to intercept a login request with a packet sniffer. We see that the request contains JSON data with the password BlackPearl and the username CaptainJack, which lets us successfully log in through the form.

In reality we probably wouldn't use the browser console, but the same works with Wireshark. We can simply filter for http.request.method == "POST" and we find what we are looking for. I actually planned to include a screenshot, but weirdly, after completing the task once I could no longer generate the packet; it was visible neither in the browser console nor in Wireshark.

Webgoat A7: Cross Site Scripting (XSS)

As part of this lesson we will explore cross site scripting, or XSS, and how it is used.

Step 2: What is XSS?

XSS is classified as a vulnerability that arises when script and HTML tags are accepted as input and then rendered without any sanitization. The impact of an XSS vulnerability can range from minor to critical, especially if critical or sensitive data is at risk.

Step 7: Try It! Reflected XSS

Now let's get our hands on a real practice example of a reflected XSS attack, meaning a form of XSS where we craft a URL containing an injected script. As advised in the instructions, let's make use of alert() or console.log() to check whether a field is vulnerable to XSS.

Let's try whether any of the fields accepts something simple like console.log('Hello'), wrapped in script tags. The quantity fields and the access code field seem to be no good since they expect a valid number. The credit card field, on the other hand, seems to be vulnerable, as we can see in the screenshot below.

Now that we know what to work with we could plan out a more sophisticated attack.
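The lesson shows why the numeric fields shrug off the probe while the credit card field does not: the former are validated against an expected format, the latter accepts free text. The following is an added example (not WebGoat's code) of server-side allowlist validation for those three field types; the field names, limits and the constructed orders are assumptions for illustration.

```javascript
// Added example: strict allowlist validation for the three kinds of field the
// lesson probes. Field names, limits and sample orders are constructed.

// The probe used in the lesson, wrapped in script tags.
const PROBE = "<script>console.log('Hello')</script>";

// Luhn checksum, the usual sanity check for card numbers (digits only).
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Each field gets one strict pattern; anything else is rejected outright,
// so a tag or quote never reaches storage or the reflected response page.
const RULES = {
  quantity: (v) => /^\d{1,3}$/.test(v) && Number(v) > 0,
  accessCode: (v) => /^\d{4,10}$/.test(v),
  creditCard: (v) => /^\d{13,19}$/.test(v) && luhnValid(v),
};

// Returns which fields failed, so the caller can refuse the whole request.
function validateOrder(fields) {
  const errors = [];
  for (const [name, check] of Object.entries(RULES)) {
    const raw = fields[name] == null ? "" : fields[name];
    const value = String(raw).replace(/\s+/g, ""); // tolerate "4111 1111 ..."
    if (!check(value)) errors.push(name);
  }
  return { ok: errors.length === 0, errors };
}

// Constructed inputs: a clean order and the same order with the probe in the
// credit card field, the one the lesson found to be unvalidated.
const cleanOrder = { quantity: "2", accessCode: "123456", creditCard: "4111 1111 1111 1111" };
const probedOrder = { quantity: "2", accessCode: "123456", creditCard: PROBE };

console.log(validateOrder(cleanOrder));  // { ok: true, errors: [] }
console.log(validateOrder(probedOrder)); // { ok: false, errors: [ 'creditCard' ] }
```

Validation like this only works for fields with a narrow expected format; free-text fields such as comments still need output encoding when they are rendered.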