da_667

@da_667@infosec.exchange

Senior Security Researcher, Proofpoint Emerging Threats.

I've been doing this cybersecurity thing for the better part of a decade now. Probably longer than that. I'm starting to forget. Time is relative, but it surely isn't kind to my memory.

I'd like to think I do cybersecurity well, but blue teamers collectively get told they're doing it wrong constantly. So maybe I just failed forward throughout my career.

Oh, I wrote a book. It's a good framework for setting up a virtual machine lab. See my bookmarked toots if you're curious.

Work-Related hashtags:
#Iocs #ThreatIntel #DFIR #Malware #NSM #suricata #snort #BEC #phishing #APT #ThreatDetection

Hobbies:
#VideoGames #XCOM2 #Minecraft #Synthetik #Fallout #Skyrim #Anime #Manga #Adventure #Fantasy #Isekai #HomeImprovement #WoodWorking #MetalWorking #HomeLab


da_667, to random

can't wait until someone hacks apple HQ, and max headrooms everyone wearing the new apple VR helmet.

da_667,

@gsuberland it was the fashion at the time

da_667, to random

I had managed to figure out some time ago how to connect to my work laptop over RDP while it was still connected to the VPN, and had forgotten how I had done it. I made a static route between my work laptop and desktop and set the cost metric super low.

The metrics for the routes on the TAP interface were manually set to 1. So then I had to reset the cost metric for those routes to where they were more expensive than the static route I made.

da_667,

just kidding globalprotect doesn't allow RDP connections when you're on the VPN for some stupid fucking reason.

da_667,

I'm able to ping to my box, the routes work, the second it detects RDP it just kills the VPN connection. WEHLP.

da_667, to random

Remember when they told us that the cloud would mean that traditional networks and the traditional perimeter were going to hell and that we'd never see server side vulns ever again?

https://github.com/JBalanza/CVE-2023-41474

In the first month of this year, there have been directory traversal vulns in three different products across two different vendors. I've seen more directory traversal in the past few weeks than in most of the past few years.

da_667, to random

me: "searching for term in quotation marks"

google: did you mean completely unrelated thing?

me: did I fucking stutter?

Here, let me search for completely unrelated thing. Then, you can click this link that actually searches for the thing you want.

Oh wait. The search results are still ass, lol.

OKAY. FINE. intext:"fucking thing I'm looking for"

google: WHOA THERE, CYBERSPACE COWBOY. HERE'S A CAPTCHA BECAUSE THIS LOOKS SUSPICIOUS.

da_667, to random

tell me if you can spot the bug.

da_667,

actually, this might or might not be a bug. I think that if $mode is set to AP or WDS, that the status should be set to one, and it should exit. I think there should be an elseif in front of the lan_status variable declaration there.

da_667,

in any case, the fucking thing is no longer blinking, nor is it trying to repeatedly ping shit that I'm explicitly not allowing it to talk to.

da_667,

Just so I can say I did my due diligence, I submitted a request to glinet's support e-mail address detailing what I think is the bug and what I believe are the work-arounds.

da_667, to random

GL-iNet router came in the mail. Turns out their webUI has an access point mode already configured. All I had to do was set the admin pass, wi-fi SSIDs, wpa2-psk, then connect the LAN port, and enable access point mode and it'll happily relay stuff to my pfSense firewall.

Connectivity is aces, speed is great. No complaints whatsoever.

da_667,

next step is to set up a pi-hole VM, and tell pfSense to relay DNS requests through it.

da_667,

@Viss I see. I'm currently messing with this right now. I like that it has a common list of DoH providers that can be blocked.

h2onolan, to random

for a good time, send your corp account an email with the word hacked in the subject, reset your password and wait to see how long it takes for your team to message you asking wtf

da_667,

@Viss @h2onolan

https://www.varonis.com/blog/outlook-vulnerability-new-ways-to-leak-ntlm-hashes

when I read this, it was pretty wild. "Here's my calendar invite. On an SMB share. Over the internet."

"Here's a Windows Performance Analyzer file. On this random SMB share."

"just click this .search-ms link/file. It'll be fine."

Wasn't that long ago, you could just send someone a file:// link and that'd work too.

0x00string, to random

deleted_by_author

SwiftOnSecurity, to random

When you turn 30 you die but don’t worry there is a second, elder life where you are still the young people.

da_667,

@SwiftOnSecurity please stop reminding me that I'm staring down the barrel of 40

da_667, to random

naming my malware lab kaidacorp.local in the Synthetik series of games, they're sort of the equivalent of cyberdyne, except with way less ethics, way more dangerous weapons and a shit ton more rogue AI

da_667,

@Viss make redirect to SANS.

(note: I love their research, but GOD DAMN ARE THEY FUCKING EXPENSIVE)

da_667,

@Viss reading room has a lot of good legit papers for doing various things. Also Internet Storm Center is pretty great

da_667,

@Viss lmfao, what a great domain name

da_667,

@gsuberland @Viss yeah, no doubt, the 'threat landscape' is becoming a weird place. Remember like a decade ago when everyone announced the end of perimeter RCE because the cloud is here and was gonna solve all those problems? The last two major vulns that got a lot of mainline traction were an RCE in a VPN product, and an RCE in a file transfer product. Both of them were directory traversal based.

The more things change, the more some things stay the same.

GossiTheDog (@GossiTheDog@cyberplace.social), to random

⚠️ want a highly impactful, actively exploited border gateway zero days situation to wake you up?

Ivanti Pulse Secure aka Ivanti Connect Secure and Ivanti Policy Secure Gateway customers - prepare to deploy mitigations and await follow on patches.

In the wild exploitation, probable nation state - includes authentication (including MFA) bypass and code execution.

Looks like Ivanti have done a really good job identifying.

I call it ConnectAround.

da_667,

@GossiTheDog

> Has Ivanti been compromised due to this vulnerability?
> No. Ivanti does use our own tools and technology. Ivanti has no indication that it has been compromised. Ivanti uses enterprise-grade technology and security partners to detect, prevent, and respond to increasingly sophisticated threat actors.

C I S C O S Y S T E M S
