Web Exploitation – Information Security Newspaper | Hacking News
https://www.securitynewspaper.com (feed last updated Fri, 04 Aug 2023 19:52:01 +0000)

New Azure AD Cross-Tenant Synchronisation (CTS) Attack allows hacking tenants laterally
https://www.securitynewspaper.com/2023/08/04/new-azure-ad-cross-tenant-synchronisation-cts-attack-allows-hacking-tenants-laterally/
Fri, 04 Aug 2023 19:52:00 +0000

Attackers continue to target Microsoft identities in the hope of reaching connected Microsoft applications and federated SaaS applications. Increasingly they do so not by exploiting vulnerabilities but by abusing native Microsoft features. Nobelium, the group associated with the SolarWinds intrusion, has been reported to use native capabilities such as the creation of federated trusts to keep persistent access to a Microsoft tenant.

Cross-Tenant Synchronisation (CTS) is a newer Microsoft feature that lets an organisation synchronise users and groups from one or more source tenants into a destination tenant and grant them access to resources there, including both Microsoft and non-Microsoft applications. CTS builds on the existing B2B cross-tenant access settings so that collaboration between tenants is automatic and seamless. Many organisations will want to use it: it is a powerful and valuable tool for groups such as conglomerates with multiple tenants spread across related companies.

However, if it is not configured and maintained properly, it opens the door to reconnaissance, lateral movement and persistence by malicious actors. CTS adds users from another tenant to a target tenant by synchronising their accounts.
An attacker who has compromised one tenant can move laterally into another tenant, of the same or a different organisation, by abusing a loosely configured CTS setup. An attacker can also plant a malicious CTS configuration and use it as a backdoor to retain access to a Microsoft tenant from a tenant under the attacker's control.

Vectra AI, a cybersecurity company, recently published research describing how threat actors could use this capability to move laterally to connected tenants or to maintain persistence.

Vectra also cautions that abusing the feature requires the attacker to first compromise a privileged account, or escalate privileges, in an already compromised Microsoft cloud environment. The first technique in Vectra's report starts by reviewing the CTS settings to identify target tenants connected through these policies, specifically looking for tenants with 'Outbound Sync' enabled, which allows users to be synchronised to other tenants.

Once a tenant meeting those requirements is found, the attacker locates the application used for CTS synchronisation and modifies its configuration to add the compromised user to its sync scope. The user is then provisioned into the other tenant, giving the attacker access to it. This is lateral movement without the need for any new credentials.

The second technique Vectra demonstrates is deploying a rogue CTS configuration to maintain persistent access to the targeted tenant. Again, this requires that the threat actor has already compromised a privileged account inside that tenant.

Specifically, the attacker deploys a new CTS policy on the target and enables 'Inbound Sync' and 'Automatic User Consent' for their external tenant, which allows them to push new users from the attacker-controlled tenant into the target at any time.

With this configuration in place, the attacker retains access to the target tenant through the external account.

Even if the rogue accounts are disabled, the attacker can still create and "push" new users at any time and immediately gain access to the target tenant's resources. This is why the researchers call it a "backdoor".

Defense

The attack techniques described here presume a prior compromise. Organisations need to keep implementing and enforcing security best practices to reduce the likelihood of account compromise in the first place.

CTS target tenants should:

  • Avoid a default inbound cross-tenant access (CTA) configuration where possible, since that allows all users, groups and applications from the source tenant to be synchronised inbound.
  • Use a less inclusive inbound CTA configuration, explicitly naming the accounts (where feasible) or groups that may receive access via CTS.
  • Combine the CTA policy with additional Conditional Access policies to block access by unauthorised users.

CTS source tenants should:

  • Ensure that all privileged groups, including those allowed access to other tenants through CTS, are subject to appropriate controls and monitoring.
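As an added example (not from the article or from Vectra's report), the following Python script turns the "CTS target tenant" advice above into a check you can run against your own configuration. It assumes you have already pulled the tenant's cross-tenant access partner configurations from Microsoft Graph (GET /policies/crossTenantAccessPolicy/partners) and, for each partner, its identitySynchronization sub-resource, and merged the latter into each partner object under the key identitySynchronization. The property names are those of the Graph API; the JSON sample embedded below is constructed, the tenant IDs are placeholders, and KNOWN_PARTNERS is a hypothetical allowlist you would maintain yourself. The script flags the exact combination the backdoor technique relies on: a partner allowed to sync users inbound with automatic user consent enabled, and it rates any inbound sync from a partner you do not expect as high severity regardless of consent.

```python
"""
Audit cross-tenant access partner settings for CTS backdoor risk.

Added example, not code from the article or from Vectra. Input shape is
assumed to match Microsoft Graph's crossTenantAccessPolicy partner objects
with the identitySynchronization sub-resource merged in; the sample below
is constructed and the tenant IDs are placeholders.
"""
import json

# Hypothetical allowlist of partner tenant IDs your organisation expects to
# sync with. Anything else with inbound sync is treated as suspicious.
KNOWN_PARTNERS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample response (placeholder tenant IDs).
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {   # expected partner: inbound sync on, but each user must still redeem an invitation
            "tenantId": "11111111-1111-1111-1111-111111111111",
            "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": False},
            "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
        },
        {   # unknown tenant with inbound sync AND automatic consent: the backdoor pattern
            "tenantId": "22222222-2222-2222-2222-222222222222",
            "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
            "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
        },
        {   # unknown tenant, no inbound sync: worth a look, not an emergency
            "tenantId": "33333333-3333-3333-3333-333333333333",
            "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": True},
            "identitySynchronization": None,
        },
    ]
})


def audit_partners(response_json, known_partners=KNOWN_PARTNERS):
    """Return a list of (tenantId, severity, reason) findings, one per partner that needs attention."""
    findings = []
    for partner in json.loads(response_json).get("value", []):
        tid = partner.get("tenantId", "<unknown>")
        consent = partner.get("automaticUserConsentSettings") or {}
        sync = partner.get("identitySynchronization") or {}
        inbound_sync = bool((sync.get("userSyncInbound") or {}).get("isSyncAllowed"))
        auto_consent = bool(consent.get("inboundAllowed"))
        unknown = tid not in known_partners

        if inbound_sync and auto_consent:
            # The partner can provision users into this tenant with no invitation to redeem.
            sev = "HIGH" if unknown else "MEDIUM"
            findings.append((tid, sev,
                             "inbound user sync with automatic consent: partner can push users in silently"))
        elif inbound_sync:
            # Invitation still has to be redeemed, but an attacker controlling the source
            # tenant controls the invited user too, so an unknown partner is still serious.
            sev = "HIGH" if unknown else "LOW"
            findings.append((tid, sev, "inbound user sync allowed"))
        elif unknown:
            findings.append((tid, "INFO", "partner not on the expected-partner allowlist"))
    return findings


if __name__ == "__main__":
    for tid, sev, reason in audit_partners(SAMPLE_RESPONSE):
        print(f"[{sev}] {tid}: {reason}")
```

Run it after replacing SAMPLE_RESPONSE with your real export; a HIGH finding for a tenant nobody recognises is the configuration the second Vectra technique leaves behind, and the partner entry (not just the synced accounts) is what has to be removed.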

How to find Vulnerabilities in CMS Websites
https://www.securitynewspaper.com/2019/11/27/how-to-find-vulnerabilities-in-cms-websites/
Wed, 27 Nov 2019 14:34:06 +0000

Finding vulnerabilities takes time for a pentester or security researcher, and there are many tools and techniques for finding bugs in a given URL. Earlier we showed many tools used in the various phases of pentesting. Pentesting always begins with an information-gathering phase, and according to an ethical hacking researcher at the International Institute of Cyber Security, much of that work has moved to automated tooling: pentesters use tools to scan for open ports and services. Here we show a small automation tool for finding vulnerabilities in different types of CMS.

Vulnx is used to find vulnerabilities in different types of CMS. It also enumerates subdomains, scans ports and looks up the target's IP address, country and region. Vulnx is designed to automate your pentesting.

  • For testing we used Kali Linux 2018.2. Make sure python3 is installed:
    • Type sudo apt-get update
    • Type sudo apt-get install python3
  • Type git clone https://github.com/anouarbensaad/vulnx.git
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/anouarbensaad/vulnx.git
 Cloning into 'vulnx'…
 remote: Enumerating objects: 35, done.
 remote: Counting objects: 100% (35/35), done.
 remote: Compressing objects: 100% (28/28), done.
 remote: Total 1034 (delta 13), reused 17 (delta 7), pack-reused 999
 Receiving objects: 100% (1034/1034), 505.30 KiB | 410.00 KiB/s, done.
 Resolving deltas: 100% (609/609), done.
  • Type cd vulnx/
  • Type ls
root@kali:/home/iicybersecurity/Downloads# cd vulnx/
root@kali:/home/iicybersecurity/Downloads/vulnx# ls
 CHANGELOG.md  common  docker      LICENSE  README.md         shell      vulnx.py
 cli.py        config  install.sh  modules  requirements.txt  update.sh
  • Type ./install.sh
root@kali:/home/iicybersecurity/Downloads/vulnx# ./install.sh
===== VULNX INSTALL =====
 [+] Vulnx Will Be Installed In Your System
 [+] Installing python3...
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3 is already the newest version (3.7.3-1).
0 upgraded, 0 newly installed, 0 to remove and 664 not upgraded.
Requirement already satisfied: requests in /usr/lib/python2.7/dist-packages (from -r ./requirements.txt (line 1)) (2.21.0)
Collecting bs4 (from -r ./requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/10/ed/7e8b97591f6f456174139ec089c769f89a94a1a4025fe967691de971f314/bs4-0.0.1.tar.gz
Requirement already satisfied: beautifulsoup4 in /usr/lib/python2.7/dist-packages (from bs4->-r ./requirements.txt (line 2)) (4.8.0)
Building wheels for collected packages: bs4
  Running setup.py bdist_wheel for bs4 ... done
  Stored in directory: /root/.cache/pip/wheels/a0/b0/b2/4f80b9456b87abedbc0bf2d52235414c3467d8889be38dd472
Successfully built bs4
Installing collected packages: bs4
Successfully installed bs4-0.0.1
 [+] Checking directories...
 [+] Installing ...
 [+] Creating Symbolic Link ...
 [+] Tool Successfully Installed And Will Start In 5s!
 [+] You can execute tool by typing vulnx



                    .:.        .:,
                   xM;           XK.
                  dx'            .lO.
                 do                ,0.
             .c.lN'      ,  '.     .k0.:'
              xMMk;d;''cOM0kWXl,',locMMX.
              .NMK.   :WMMMMMMMx    dMMc
               lMMO  lWMMMMMMMMMO. lMMO
                cWMxxMMMMMMMMMMMMKlWMk
                 .xWMMMMMMMMMMMMMMM0,
                   .,OMd,,,;0MMMO,.
             .l0O.VXVXOX.VXVX0MOVXVX.0Kd,
            lWMMO0VXVX0OX.VXVXlVXVX.VXNMMO
           .MMX;.N0VXVX00X.VXVXVX0.0M:.OMMl
          .OXc  ,MMOVXVX0VX .VXVX00MMo  ,0X'
          0x.  :XMMMkVXVX.XO.VXVXdMMMWo.  :X'
         .d  'NMMMMMMkVXVX..VXVX0.XMMMMWl  ;c
            'NNoMMMMMMxVXVXVXVXVX0.XMMk0Mc
           .NMx OMMMMMMdVXVXVXlVXVX.NW.;MMc
          :NMMd .NMMMMMMdVXVXdMd,,,,oc ;MMWx
          .0MN,  'XMMMMMMoVXoMMMMMMWl   0MW,
           .0.    .xWMMMMM:lMMMMMM0,     kc
            ,O.     .:dOKXXXNKOxc.      do
             '0c        -VulnX-       ,Ol
               ;.                     :.

    # Coded By Anouar Ben Saad - @anouarbensaad
  • Type chmod 755 requirements.txt vulnx.py
root@kali:/home/iicybersecurity/Downloads/vulnx# chmod 755 requirements.txt vulnx.py
  • Type python3 vulnx.py --help
root@kali:/home/iicybersecurity/Downloads/vulnx# python3 vulnx.py --help

usage: vulnx.py [-h] [-u URL] [-D DORKS] [-o OUTPUT] [-t TIMEOUT]
                [-c {user,themes,version,plugins,all}] [--threads NUMTHREAD]
                [-n NUMBERPAGE] [-i INPUT_FILE]
                [-l {wordpress,prestashop,joomla,lokomedia,drupal,all}]
                [-p SCANPORTS] [-e] [--it] [-w] [-d] [--dns]

OPTIONS:
  -h, --help            show this help message and exit
  -u URL, --url URL     url target to scan
  -D DORKS, --dorks DORKS
                        search webs with dorks
  -o OUTPUT, --output OUTPUT
                        specify output directory
  -t TIMEOUT, --timeout TIMEOUT
                        http requests timeout
  -c {user,themes,version,plugins,all}, --cms-info {user,themes,version,plugins,all}
                        search cms info[themes,plugins,user,version..]
  --threads NUMTHREAD   number of threads
  -n NUMBERPAGE, --number-pages NUMBERPAGE
                        search dorks number page limit
  -i INPUT_FILE, --input INPUT_FILE
                        specify input file of domains to scan
  -l {wordpress,prestashop,joomla,lokomedia,drupal,all}, --dork-list {wordpress,prestashop,joomla,lokomedia,drupal,all}
                        list names of dorks exploits
  -p SCANPORTS, --ports SCANPORTS
                        ports to scan
  -e, --exploit         searching vulnerability & run exploits
  --it                  interactive mode.
  -w, --web-info        web informations gathering
  -d, --domain-info     subdomains informations gathering
  --dns                 dns informations gatherings
  • Type python3 vulnx.py -u http://hack.me --dns -d -w -e --output ./hack.me
  • --dns gathers DNS information (name servers and MX records).
  • -d gathers domain information (subdomains).
  • -w gathers web information about the target.
  • -e searches for vulnerabilities and runs the matching exploits.
  • --output sets the directory where results are written.
root@kali:/home/iicybersecurity/Downloads/vulnx# python3 vulnx.py -u http://hack.me --dns -d -w -e --output ./hack.me


 [Target] => http://hack.me

------------------------------------------------
 [?] looking for cms
 [+] CMS : Lokomedia
------------------------------------------------
------------------------------------------------
 [~] Scanning Ports

   PORTS                     STATUS  PROTO
 [?] 22                    CLOSE   SSH
-----------------------------------------------
 [~] Starting DNS dump
 [!] Retrieved token: 7lMSlFeGREkQtU4PxAkC9E7JuA0wsfXnLpLxG3izLIboqqtCEBFGs2YDRCIMsJLh
 [?] Search for DNS Servers
 [+] Host : ns-113.awsdns-14.com.
 [+] IP : 205.251.192.113
 [+] AS : AMAZON-02
  ----------------
 [+] Host : ns-1428.awsdns-50.org.
 [+] IP : 205.251.197.148
 [+] AS : AMAZON-02
  ----------------
 [+] Host : ns-1869.awsdns-41.co.uk.
 [+] IP : 205.251.199.77
 [+] AS : AMAZON-02
  ----------------
 [+] Host : ns-881.awsdns-46.net.
 [+] IP : 205.251.195.113
 [+] AS : AMAZON-02
  ----------------
 [?] Search for MX Records
 [+] Host : 1 aspmx.l.google.com.
 [+] IP : 172.217.197.27
 [+] AS : GOOGLE
  ----------------
 [+] Host : 10 alt3.aspmx.l.google.com.
 [+] IP : 64.233.184.27
 [+] AS : GOOGLE
  ----------------
 [+] Host : 10 alt4.aspmx.l.google.com.
 [+] IP : 172.217.218.26
 [+] AS : GOOGLE
  ----------------
 [+] Host : 5 alt1.aspmx.l.google.com.
 [+] IP : 64.233.186.26
 [+] AS : GOOGLE
  ----------------
 [+] Host : 5 alt2.aspmx.l.google.com.
 [+] IP : 209.85.202.26
 [+] AS : GOOGLE
  ----------------
-----------------------------------------------
 [~] Check Vulnerability
  • The output above shows the CMS detected for the target URL. Vulnx then scanned ports (only port 22 appears in this run, and it was closed) and obtained a session token from the third-party DNS dump service it queries.
  • It then listed the target's name servers and MX hosts with their IP addresses and AS owners. The same basic information can be retrieved with nslookup or dig.
  • Vulnx simply automates collecting all of it in one run.
  • You can scan websites running other CMSs in the same way.
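Vulnx's first step above, "looking for cms", is a fingerprint of the target. The following is an added example, not Vulnx's own code, showing how such a fingerprint can be built from the kinds of signals a CMS leaks: the generator meta tag, stock asset paths in the markup, and a couple of response headers, scored together so that one weak hit does not decide the answer. The sample HTML and headers are constructed for this example, the signature tables are illustrative and deliberately short, and example.invalid is a placeholder host.

```python
"""
Minimal CMS fingerprinter (added example; not Vulnx's own code).

Combines three kinds of evidence: the <meta name="generator"> tag (which often
carries a version), well-known asset paths, and response headers. The sample
responses below are constructed; no network access is needed.
"""
import re

# CMS name -> regexes tested against the HTML body (stock asset paths / markup).
BODY_SIGNATURES = {
    "wordpress": [r"/wp-content/", r"/wp-includes/", r"wp-json"],
    "joomla": [r"/media/jui/", r"/media/system/js/", r"option=com_"],
    "drupal": [r"/sites/default/files/", r"/sites/all/", r"drupal\.settings|drupalSettings"],
    "prestashop": [r"/modules/ps_", r"prestashop", r"/themes/classic/"],
}

# CMS name -> (header name, regex) pairs. Drupal emits X-Generator / X-Drupal-Cache
# by default; WordPress advertises its REST API in the Link header.
HEADER_SIGNATURES = {
    "drupal": [("x-generator", r"drupal"), ("x-drupal-cache", r".")],
    "wordpress": [("link", r"wp-json")],
}

GENERATOR_RE = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def detect_cms(html, headers=None):
    """Return (cms_name, version_or_None, evidence); cms_name is None when nothing matches."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    scores, evidence = {}, {}
    version, version_cms = None, None

    # 1. generator meta tag: strongest single signal, weight 3
    m = GENERATOR_RE.search(html)
    if m:
        gen = m.group(1)
        for cms in BODY_SIGNATURES:
            if cms in gen.lower():
                scores[cms] = scores.get(cms, 0) + 3
                evidence.setdefault(cms, []).append(f"generator: {gen}")
                vm = VERSION_RE.search(gen)
                version, version_cms = (vm.group(1) if vm else None), cms

    # 2. asset paths and markup: weight 1 each
    for cms, patterns in BODY_SIGNATURES.items():
        for pat in patterns:
            if re.search(pat, html, re.I):
                scores[cms] = scores.get(cms, 0) + 1
                evidence.setdefault(cms, []).append(f"body: {pat}")

    # 3. headers: weight 2 each
    for cms, pairs in HEADER_SIGNATURES.items():
        for name, pat in pairs:
            if name in headers and re.search(pat, headers[name], re.I):
                scores[cms] = scores.get(cms, 0) + 2
                evidence.setdefault(cms, []).append(f"header: {name}")

    if not scores:
        return None, None, []
    best = max(scores, key=scores.get)
    # Only trust the version if the generator tag named the winning CMS.
    return best, (version if version_cms == best else None), evidence[best]


# Constructed sample responses (placeholder host example.invalid).
SAMPLE_WORDPRESS = """<html><head>
<meta name="generator" content="WordPress 5.2.4" />
<link rel="stylesheet" href="/wp-content/themes/twentynineteen/style.css">
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body></body></html>"""
SAMPLE_WORDPRESS_HEADERS = {"Link": '<https://example.invalid/wp-json/>; rel="https://api.w.org/"'}

SAMPLE_DRUPAL = ('<html><head><script src="/sites/default/files/js/js_abc.js"></script></head>'
                 '<body><script>var drupalSettings = {};</script></body></html>')
SAMPLE_DRUPAL_HEADERS = {"X-Generator": "Drupal 8 (https://www.drupal.org)", "X-Drupal-Cache": "HIT"}

SAMPLE_PLAIN = "<html><head><title>hello</title></head><body><p>static site</p></body></html>"


if __name__ == "__main__":
    for name, html, hdrs in [("wordpress", SAMPLE_WORDPRESS, SAMPLE_WORDPRESS_HEADERS),
                             ("drupal", SAMPLE_DRUPAL, SAMPLE_DRUPAL_HEADERS),
                             ("plain", SAMPLE_PLAIN, None)]:
        print(name, "->", detect_cms(html, hdrs))
```

Once the CMS and version are known, the vulnerability search narrows to that platform, which is what Vulnx's -e option does next; note that a site can strip the generator tag and still give itself away through asset paths, which is why the example never relies on a single signal.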
