Are we measuring Blue and Red right?

in

In security many people see solutions of problem as a whole, all or nothing. Many times even worst they see the security as a hindrance to the delivery of a project or even day to day actions. Even internally in some organization with the size and level of maturity of having both a Red and Blue team you have rivalry between both. In this blog post I would like to cover my idea on how we should think when measuring the performance of the internals sub teams inside of security. Some of this ideas can be even expanded later to how the team can interact with the DevOps, Support, Sales, Finance and other teams in the organization if there is a possibility to unify the metrics to provide a series or high level or single goal for the organization as a whole.

 

Read More

Tip: Meterpreter SSL Certificate Validation

Have you ever been in a pentest where the defenders know their stuff and are actively looking to detect and sabotage all of your actions? If not I can say only one thing, it changes the way you approach, plan and execute a penetration test drastically. 

I want to share a simple tip on how to secure your initial staged connection for Meterpreter by having it check the certificate of the listener it is connecting to. 

Read More

RDP TLS Certificate Deployment Using GPO

in

Remote Desktop has been the Go To remote administration tool for many IT professionals and sadly many even expose it to the internet leading to brutefoce attacks and Man in the Middle attacks. I still remember the fist time I saw how easy it is from Irongeek examples using Cain & Able http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff and http://www.irongeek.com/i.php?page=security/cain-rdp-mitm-parser I have taken great care to make sure RDP connections in my network and customer networks are as secure as possible. Here is an example on how to deploy TLS certificates for use of RDP via GPO and how to configure some none Microsoft systems.

 

Read More

WinRM SSL Certificate Deployment via GPO

I really like using WinRM (Windows Remote Management) to manage my servers and lab. It serves as the basis for server management that Microsoft is moving in to. It provides several advantages:

  • It is secured by default by leveraging strong encryption to protect traffic.
  • It is standards based so it allows for interoperability with other platforms. 
  • it is SOAP based making it firewall friendly and easier to route in segmented enviromentes. 
  • I can leverage Kerberos for authentication. 
  • It allows me to query WMI information from the host without the need of opening RPC ports or dealing with DCOM it self.

One of the problems with WinRM is that by being compatible it provides downgrading of its security for compitibility or user error. In Windows one can disable encryption when connecting and also specify Basic for auth exposing credentials. In a Windows only environment one could set it up to enforce encryption and force stronger authentication methods but we hardly see that kind of enviroment often that is why I prefer SSL when possible. To protect me from user naivate and have already a foundation for future integrations.

Read More

Patching with WSUS Offline Open Source Project

I'm constantly spinning lab VMs for testing and validating ideas, also to cinstatly practicing basics of system administration. Sadly there might be periods where I will forget to update my teamplate images I use to clone and sysprep Windows machines. I started playing with a solution called WSUS Offline from http://www.wsusoffline.net/ an open source project that aids in building several automated ways to install critical patches on a machine making it safe to connect that machine to the web for downloading none critical or security patches. This is not only great for virtual labs but when participating on Red vs Blue challenges and you are in the blue team looking for a quick way to apply security patches.

Read More