Adonis Information Security Page

This page is about information security. 

Main focus: Research attack and defense in information warfare.

In my free time, I work with leather and shoot slingshots.

    ________________________________________________________________________
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|_ Securing and Managing Your AWS Account (Part 1 /2)                       _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|                                                                            |
|   Release date : 2021-10-10                                                |
|   Author       : Adonis Sawan                                              |
|   Main focus   : Research attack and defense in information warfare        |
|   Language     : English                                                   |
|   Format       : ASCII                                                     |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
|                                                                            |
| We're going to cover what makes the root user unique and how to secure     |
| the root user in your AWS account. We will also discuss different ways     |
| to secure access to your accounts, including policies and other tools for  |
| limiting IAM user access.                                                  |
|                                                                            |
| When you create an AWS account, you start out with a single root user.     |
| The root user has complete access to all AWS services and resources in     |
| the account. Because it is so powerful, you need to lock it down.          |
| Let's go through the recommended steps.                                    |
|                                                                            |
| Instead of using the root user for administrative tasks, create an IAM     |
| user that has administrative privileges. It is recommended that you use    |
| IAM groups to assign permissions: create an administrators group with the  |
| appropriate permissions, then add the IAM user to that group. Next, delete |
| your root access keys. From then on the IAM user administers the account,  |
| except for the few things that only the root user can do.                  |
|                                                                            |
| Activate multi-factor authentication (MFA) on the root user. This is an    |
| important step that adds a layer of security to your account. You can use  |
| a virtual or a physical MFA device.                                        |
|                                                                            |
| Finally, ensure that the root user has a randomly generated password of at |
| least 20 characters. Generate and store it in a secrets manager, and limit |
| who has access to the root account.                                        |
|                                                                            |
| A few account actions can only be performed by the root user. Many of      |
| these are one-time actions or things you may never do, but it helps to     |
| know when the root user is actually required: changing the account name,   |
| email address or root password, closing the account, changing the support  |
| plan, restoring IAM user permissions, and enabling MFA Delete on an S3     |
| bucket are examples.                                                       |
|                                                                            |
| If you've enabled AWS Organizations with service control policies (SCPs),  |
| the root user of a given member account can have limited permissions.      |
|                                                                            |
| An SCP works as an allow list: actions that are not allowed by the SCPs    |
| attached at every level above the account are implicitly denied, and an    |
| SCP can also explicitly deny actions, which prevents them under any        |
| circumstance. Note that SCPs never grant permissions on their own, and     |
| they do not apply to the management (master) account itself.               |
|                                                                            |
| If you're leveraging AWS Organizations to manage several AWS accounts,     |
| the root user of each account should still be locked down. But setting up  |
| guardrails with SCPs for each account, according to how you are going to   |
| use the account, can further limit the possible actions for any user,      |
| including the root user. So even if the root user were compromised, any    |
| possible action would be limited by the service control policy.            |
|                                                                            |
| The other thing to be aware of when using AWS Organizations is that any    |
| IAM users in the master account that have permission to change settings    |
| in AWS Organizations need to be locked down: those users could attach      |
| and detach SCPs from member accounts and organizational units, or move     |
| member accounts from one organizational unit to another, thus changing     |
| the permissions for that account.                                          |
|                                                                            |
| Only a few trusted IAM administrative users should have access to the      |
| master account of the organization. The rest of the IAM users can be       |
| created and managed from a member account in the organization to reduce    |
| the risk of compromise of the master account.                              |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
|   Continue on Part 2                                                       |
|   Main focus: Research attack and defense in information warfare.          |
|   In my free time I work with leather and shoot slingshots.                |
|_                                                           Adonis Sawan   _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
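The SCP rules described in Part 1 (allow-list semantics, explicit deny always wins, the member account's root user is covered, the management account is exempt), as an added Python example that is not code from the original page or from AWS. The policies and the root/OU/account chains below are constructed; Resource and Condition elements are ignored, so this is a reasoning aid rather than a substitute for the IAM policy simulator.

```python
"""Toy evaluator for AWS Organizations service control policies (SCPs).

Added example, not code from the original page or from AWS. It models
the Action / NotAction matching and the Allow / Deny combination that
Organizations applies; Resource and Condition elements are ignored, so
it is a reasoning aid, not a replacement for the IAM policy simulator.
All policies below are constructed for illustration.
"""
import fnmatch

# FullAWSAccess is the SCP that AWS attaches to every root, OU and account
# by default. It allows everything, so restrictions come either from
# detaching it (allow-list style) or from Deny statements beside it.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed guardrail SCP: explicit denies that even the member
# account's root user cannot work around.
DENY_GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "organizations:LeaveOrganization",
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "guardduty:DeleteDetector",
        ],
        "Resource": "*",
    }],
}

# Constructed allow-list SCP for a sandbox OU where FullAWSAccess was
# detached: only EC2 and S3 are reachable, everything else is implicitly
# denied because no statement allows it.
SANDBOX_ALLOW_LIST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"],
                   "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_applies(stmt, action):
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action)
                       for p in _as_list(stmt["NotAction"]))
    return False


def scp_verdict(policy, action):
    """Return 'Deny', 'Allow' or None (no statement matched) for one SCP."""
    verdict = None
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # an explicit deny always wins
        verdict = "Allow"
    return verdict


def action_permitted(scp_chain, action):
    """scp_chain lists the SCPs attached at each level from the organization
    root down to the account, e.g. [[root SCPs], [OU SCPs], [account SCPs]].

    The action survives only if, at every level, no attached SCP denies it
    and at least one attached SCP allows it. What survives is the ceiling
    for every principal in the account, root user included; identity
    policies are evaluated separately and an SCP never grants anything.
    SCPs do not apply to the management (master) account at all.
    """
    for level in scp_chain:
        verdicts = [scp_verdict(policy, action) for policy in level]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False
    return True


# Member account in a production OU that carries the guardrails.
PROD_MEMBER_CHAIN = [[FULL_AWS_ACCESS],
                     [FULL_AWS_ACCESS, DENY_GUARDRAILS],
                     [FULL_AWS_ACCESS]]
# Member account in a sandbox OU where FullAWSAccess was replaced.
SANDBOX_MEMBER_CHAIN = [[FULL_AWS_ACCESS],
                        [SANDBOX_ALLOW_LIST],
                        [FULL_AWS_ACCESS]]

if __name__ == "__main__":
    for name, chain in (("prod", PROD_MEMBER_CHAIN),
                        ("sandbox", SANDBOX_MEMBER_CHAIN)):
        for act in ("s3:ListAllMyBuckets", "cloudtrail:StopLogging",
                    "iam:CreateUser"):
            state = "permitted" if action_permitted(chain, act) else "blocked"
            print(f"{name:8} {act:24} {state}")
```

Running the block prints, per chain and action, whether the action survives the SCPs. A Deny on cloudtrail:StopLogging attached at the OU level blocks it for the member account's root user too, which is the guardrail Part 1 argues for; in the sandbox chain iam:CreateUser fails with no Deny anywhere, purely because nothing allows it once FullAWSAccess is detached.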

    ________________________________________________________________________
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|_ Securing and Managing Your AWS Account (Part 2 /2)                       _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|                                                                            |
|   Release date : 2021-10-10                                                |
|   Author       : Adonis Sawan                                              |
|   Main focus   : Research attack and defense in information warfare        |
|   Language     : English                                                   |
|   Format       : ASCII                                                     |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
|                                                                            |
| Let's go through the steps to lock down the root user in an AWS account,   |
| demonstrate an action that only the root user can do, and then attach a    |
| service control policy to limit the root user in a member account.         |
|                                                                            |
| Then we'll see how IAM users in the master account can modify SCPs and     |
| the organization structure.                                                |
|                                                                            |
| First, sign in as the root user of the AWS account. The IAM dashboard      |
| shows quite plainly all of the things that need to be done to lock down    |
| the root user.                                                             |
|                                                                            |
| Let's start with deleting the root access keys. Under the account name,    |
| select My Security Credentials and expand Access keys. Delete the key and  |
| confirm that you want to delete it. Back on the IAM dashboard, a green     |
| check mark confirms that the root access keys are gone. Next, activate     |
| multi-factor authentication (MFA) on the root user.                        |
|                                                                            |
| Go back to My Security Credentials and expand Multi-factor authentication. |
| Select Activate MFA, choose the type of device you want to use, then       |
| follow the instructions for that particular device. Once you've entered    |
| the required information, you can assign the MFA device.                   |
|                                                                            |
| Back on the dashboard, that box is now checked. If we log out and log back |
| in, notice that the MFA code is now required. It's fairly easy to set up   |
| and adds an extra level of security to your account.                       |
|                                                                            |
| Some companies use a hardware MFA device and keep it in a safe, or find    |
| some other way to ensure that only a small number of people have access    |
| to the root account and that there is traceability of who is logging in    |
| with that root account.                                                    |
|                                                                            |
| Let's go back to the dashboard and see what else we need to fix.           |
| The "create individual IAM users" and "use groups to assign permissions"   |
| items are about creating an IAM user to administer the account.            |
|                                                                            |
| Let's first create an administrators group, then create a user and add it  |
| to that group. I'll attach the AdministratorAccess managed policy to this  |
| administrators group; recall that AdministratorAccess includes all actions |
| available in the AWS account except those that can only be performed by    |
| the root user. Now we can create a user and add it to that group.          |
|                                                                            |
| You can choose what type of access the user will have. I'll choose console |
| access only for now, add the user to the administrators group, skip the    |
| tags, review the selections and create the user.                           |
|                                                                            |
| Depending on how you are structuring your administrators, you can send an  |
| email or download a CSV with the credentials. If you're using AWS          |
| Organizations, you can instead create an IAM role that allows              |
| administrative access and name the account that contains your IAM          |
| administrators as the trusted account in the role's trust policy.          |
|                                                                            |
| The final thing is to add an IAM password policy: go to Account settings,  |
| choose Set password policy, then select the parameters for your password   |
| policy. I'm just going to set a minimum of 20 characters as an example and |
| save the changes. Now this account has an IAM password policy, and any     |
| IAM users that are created or that change their password will have to      |
| follow it. Note that the IAM password policy does not apply to the root    |
| user's password.                                                           |
|                                                                            |
| Back on the dashboard, the security status is all green. At this point     |
| the only time you'll need to log in as the root user is to perform the     |
| few things that only the root user can do. For example, suppose I wanted   |
| to change the account name: go to My Account, then edit the account        |
| settings. Certain actions like this require you to re-authenticate. Here   |
| I could change the name of the account, the email associated with it, or   |
| the root password.                                                         |
|                                                                            |
| Since this account is part of an AWS Organization, let's create a service  |
| control policy that limits it and see how even the root user is subject    |
| to the SCP. In the master account, under AWS Organizations, go to the      |
| Policies tab and select Service control policies. Here we can create a     |
| policy or attach an existing one. Note the FullAWSAccess policy that is    |
| attached to each organizational unit and account by default.               |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
|                                                                            |
|   Main focus: Research attack and defense in information warfare.          |
|   In my free time I work with leather and shoot slingshots.                |
|_                                                           Adonis Sawan   _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
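The dashboard items Part 2 walks through (root access keys deleted, MFA on the root user, IAM users with a console password protected by MFA) can be verified from the IAM credential report instead of by eye. The following is an added Python example, not code from the original page or from AWS. The report text is a constructed sample that keeps only the columns these checks read, in the format produced by `aws iam get-credential-report --query Content --output text | base64 -d`; the 90-day key age and 30-day root-use thresholds are assumptions of the example.

```python
"""Audit an IAM credential report for the root-user items on the dashboard.

Added example, not code from the original page or from AWS. SAMPLE_REPORT
is constructed, using the column names of the real report (fetch yours
with: aws iam get-credential-report --query Content --output text |
base64 -d); only the columns these checks read are kept.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,2021-10-01T08:12:00+00:00,false,true,2020-01-15T10:05:00+00:00,false,N/A
admin-alice,arn:aws:iam::111122223333:user/admin-alice,true,no_information,true,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2019-06-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2021-10-09T12:00:00+00:00,false,false,N/A,false,N/A
"""

# Constructed "today" so the sample gives stable results.
NOW = datetime(2021, 10, 10, tzinfo=timezone.utc)


def _timestamp(value):
    """Parse a report timestamp; N/A, no_information and not_supported
    all mean "none"."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90,
                            root_use_window_days=30):
    """Return (user, finding) pairs for every user that fails a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root user always has a console password (the report says
        # not_supported for it); IAM users only if password_enabled is true.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root access key {n} still exists"))
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append(
                    (user, f"access key {n} older than {max_key_age_days} days"))
        # Routine root logins are a sign the IAM admin user is not being used.
        last_used = _timestamp(row["password_last_used"])
        if (is_root and last_used
                and now - last_used < timedelta(days=root_use_window_days)):
            findings.append(
                (user, f"root password used in the last {root_use_window_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

On the sample, the root row trips every check (no MFA, a live access key that has never been rotated, a recent console login), ci-deploy is flagged only for its stale key, and admin-alice passes. The same function run on a real report is a cheap way to catch a root access key that was quietly recreated after the dashboard went green.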

    ________________________________________________________________________
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|_ Benefits of using Kernel Mode ROOTKIT for Windows                        _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|                                                                            |
|   Release date : 2021-10-10                                                |
|   Publ/Author  : Adonis Sawan                                              |
|   Language     : English                                                   |
|   Format       : ASCII                                                     |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
| There are a lot of benefits to using a kernel-level rootkit:               |
| ► Kernel drivers have significant access to the machine.                   |
| ► Unlike in user mode, you pretty much have access to anything.            |
| ► Kernel drivers run at the same privilege level as a typical kernel AV.   |
| ► There are fewer security mitigations targeting kernel malware.           |
| ► If you can load kernel code, you can cover your tracks better.           |
| ► AV has less visibility into the operations performed by kernel drivers.  |
| ► Kernel drivers are treated with a significant amount of trust by AV.     |
|                                                                            |
| Let's talk a little bit about loading a rootkit.                           |
| The first option is to abuse a legitimate, signed driver. There are a lot  |
| of publicly known vulnerable drivers out there, OEM drivers in particular, |
| and abusing them has quite a few benefits: you only need a few primitives  |
| (typically arbitrary kernel read/write) to escalate privileges and load    |
| your own code, and finding such a driver is relatively easy. The caveat    |
| is that Microsoft maintains a vulnerable driver blocklist that HVCI can    |
| enforce, so a well-known driver may refuse to load on a hardened host.     |
|                                                                            |
| The second option is to buy a code signing certificate. Note that since    |
| Windows 10 version 1607, with Secure Boot enabled, new kernel drivers must |
| be signed through Microsoft's attestation or WHQL process, so a freshly    |
| bought certificate on its own is not enough.                               |
| Another option is to use someone else's certificate. You'd be surprised    |
| at the number of leaked certificates publicly available online. But a      |
| leaked certificate can be blocklisted, and your driver goes down with it.  |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
|                                                                            |
|   Main focus: Research attack and defense in information warfare.          |
|   In my free time I work with leather and shoot slingshots.                |
|_                                                           Adonis Sawan   _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    ________________________________________________________________________
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|_ Hacking ZOS Mainframe *Finding VTAM with NMAP*                           _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|                                                                            |
|   Release date : 2021-10-10                                                |
|   Publ/Author  : Adonis Sawan                                              |
|   Language     : English                                                   |
|   Format       : ASCII                                                     |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
| Some years ago I started playing with mainframes. I have been using an     |
| emulator called Hercules and turnkey-mvs-3.                                |
| You can find Hercules here http://www.hercules-390.org/                    |
|                                                                            |
| To connect to a mainframe you need a TN3270 terminal emulator.             |
|                                                                            |
| To find the mainframe we can use nmap:                                     |
| ► nmap -p 23,2323 IPADDRESS -n -sV                                         |
| We can use the tn3270-screen script to grab screenshots:                   |
| ► nmap -p 23,992,2323 IPADDRESS -n -sV --script tn3270-screen              |
| We will use nmap to enumerate valid existing applications (VTAM APPLIDs):  |
| ► nmap -p 23,2323 IPADDRESS -n -sV --script vtam-enum --script-args        |
|   idlist=./vtam.txt,vtam-enum.path=./savedscreenshots/,vtam-enum.macros=   |
|   true -v                                                                  |
| vtam.txt contains a list of candidate application names, and               |
| savedscreenshots is the folder where the screenshots are saved.            |
| The file vtam.txt may contain the following:                               |
|  CICS01                                                                    |
|  CICS42                                                                    |
|  CICSTS42                                                                  |
|  CICSTS52                                                                  |
|  CICSDEV                                                                   |
|  A06TSO                                                                    |
|  TSO                                                                       |
|  TS001                                                                     |
|  TS002                                                                     |
|  IMS                                                                       |
|  NETVIEW                                                                   |
|  TPX                                                                       |
|  NOPE                                                                      |
|  BMC$567                                                                   |
|                                                                            |
| To enumerate TSO users we can use the tso-enum script:                     |
| ► nmap -p 23,992,2323 IPADDRESS -v --script tso-enum --script-args         |
|   userdb=user.txt                                                          |
| The file user.txt contains possible user names.                            |
|                                                                            |
| Other scripts that can be used with nmap against a mainframe:              |
|   cics-enum.nse                                                            |
|   tso-enum.nse                                                             |
|   tso-brute.nse                                                            |
|   cics-user-enum.nse                                                       |
|   cics-user-brute.nse                                                      |
|                                                                            |
| Once we find a mainframe we connect to it using TN3270.                    |
| At the main screen try ibmtest. IBMTEST is a VTAM USS command that echoes  |
| characters back, which confirms that you're actually talking to VTAM.      |
| After ibmtest we can use the logon command followed by an application ID:  |
| ► logon applid(tso)                                                        |
| ► logon applid(cicsts42)   this will start the CICS application            |
|                                                                            |
| Using nmap to brute-force TSO:                                             |
|  ► nmap -p 23 -n -sV IPADDRESS --script tso-brute --script-args userdb=    |
|    ./userlist.txt,passdb=./passwordlist.txt,brute.threads=1,brute.start=1  |
|    ,brute.useraspass=false,brute.emptypass=false,unpwdb.timelimit=0 -v     |
|                                                                            |
| brute.useraspass                                                           |
|  guess the username as password for each user (default: true)              |
| brute.start                                                                |
|  the number of threads the engine will start with. (default: 5)            |
| brute.threads                                                              |
|  the number of initial worker threads                                      |
| brute.emptypass                                                            |
|  guess an empty password for each user (default: false)                    |
| brute.firstonly                                                            |
|  stop guessing after first password is found (default: false)              |
| Keep the thread count at 1 against TSO: RACF is usually configured to      |
| revoke a user ID after a few consecutive failed logons, so a noisy brute   |
| force mostly produces revoked users rather than passwords.                 |
|                                                                            |
| Some commands to try once we are connected to a mainframe (these are Unix  |
| System Services shell commands; from TSO, enter the shell with OMVS):      |
| ► id                                                                       |
| ► uname -I                                                                 |
| ► pwd                                                                      |
|                                                                            |
| List of TSO/E Commands can be found here                                   |
| https://www.ibm.com/docs/en/zos/2.3.0?topic=commands-list-tsoe             |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
|   Mainframe Hacking                                                        |
|   Main focus: Research attack and defense in information warfare.          |
|   In my free time I work with leather and shoot slingshots.                |
|_                                                           Adonis Sawan   _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
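Sweeping a whole range with the nmap commands above produces a lot of output. The added Python example below (not code from the original page or from the Nmap project) reads the XML that `-oX` writes and pulls out the hosts worth pointing vtam-enum at: ports that fingerprinted as tn3270, plus ports where the tn3270-screen script captured a screen even though -sV called the service plain telnet. SAMPLE_SCAN is a constructed report in nmap's XML format, and the banners in it are made up.

```python
"""Pick TN3270 endpoints out of an nmap XML report.

Added example, not code from the original page or from the Nmap project.
It post-processes the output of a scan such as
  nmap -p 23,992,2323 -n -sV --script tn3270-screen -oX scan.xml TARGETS
and returns every open port that either fingerprinted as tn3270 or
produced a tn3270-screen capture, together with that capture, so a
subnet sweep can be triaged before running vtam-enum against the hits.
SAMPLE_SCAN is a constructed report in nmap's XML output format.
"""
import xml.etree.ElementTree as ET

SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 23,992,2323 -n -sV --script tn3270-screen -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="tn3270" product="IBM Telnet TN3270" method="probed" conf="10"/>
        <script id="tn3270-screen" output="Screen:&#10;*** CONSTRUCTED BANNER ***&#10;ENTER LOGON APPLID(....)"/>
      </port>
      <port protocol="tcp" portid="2323"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet" product="Linux telnetd" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="2323"><state state="open" reason="syn-ack"/>
        <service name="telnet" method="table" conf="3"/>
        <script id="tn3270-screen" output="Screen:&#10;USSMSG10 CONSTRUCTED"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def find_tn3270_endpoints(xml_text):
    """Return {address: [(port, service_name, screen_text), ...]}.

    A port counts when its service fingerprint is tn3270 or when the
    tn3270-screen script captured a screen, since -sV alone sometimes
    labels a 3270 listener as plain telnet (as 10.0.0.7 above).
    """
    hits = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            svc = service.get("name", "") if service is not None else ""
            screen = port.find("script[@id='tn3270-screen']")
            if svc != "tn3270" and screen is None:
                continue
            text = screen.get("output", "") if screen is not None else ""
            hits.setdefault(addr.get("addr"), []).append(
                (int(port.get("portid")), svc, text))
    return hits


def likely_vtam(screen_text):
    """Heuristic: a VTAM USS screen usually advertises LOGON APPLID or a
    USSMSG; those hosts are the ones worth feeding to vtam-enum."""
    upper = screen_text.upper()
    return "APPLID" in upper or "USSMSG" in upper


if __name__ == "__main__":
    for addr, ports in find_tn3270_endpoints(SAMPLE_SCAN).items():
        for port, svc, text in ports:
            flag = "VTAM?" if likely_vtam(text) else ""
            print(f"{addr}:{port} {svc or '?'} {flag}")
```

Feed the addresses it prints, one per line, to the vtam-enum and tso-enum commands above; the Linux telnet daemon on 10.0.0.6 is dropped because it neither fingerprints as tn3270 nor answers the 3270 negotiation the screen script performs.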

    ________________________________________________________________________
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|_ ZOS Mainframe *TSO* *ISPF* *SDSF*                                        _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|                                                                            |
|   Release date : 2021-10-10                                                |
|   Publ/Author  : Adonis Sawan                                              |
|   Language     : English                                                   |
|   Format       : ASCII                                                     |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
| Some years ago I started playing with mainframes. I have been using an     |
| emulator called Hercules and turnkey-mvs-3.                                |
| You can find Hercules here http://www.hercules-390.org/                    |
|                                                                            |
| Quick intro to the mainframe file system                                   |
| z/OS manages data by means of data sets.                                   |
| The term data set refers to a file that contains one or more records.      |
| The record is the basic unit of information used by a program on z/OS.     |
| In simplest terms, a record is a fixed number of bytes containing data.    |
| Any named group of records is called a data set.                           |
|                                                                            |
| FILES                                                                      |
| ► Are data sets                                                            |
| ► Names are made up of a high level qualifier (HLQ) and other qualifiers,  |
|   each 1 to 8 characters starting with a letter or @ # $, separated by     |
|   periods, up to 44 characters in total                                    |
|   SYS1.IPLPARMS.Y2021  (This is a file)                                    |
|   SYS1      .     IPLPARMS     .     Y2021                                 |
|   HLQ             Other Qualifier                                          |
|                                                                            |
| DIRECTORIES                                                                |
| ► Are partitioned data sets                                                |
| ► Same as a data set, but partitioned                                      |
| ► A partitioned data set or PDS consists of a directory and members.       |
| ► Partitioned data sets are often called libraries.                        |
| ► Security (RACF profiles) is applied to the data set as a whole; you      |
|   cannot protect individual members inside a PDS.                          |
|   SYS1.IPLPARMS(LOADCS)  (SYS1.IPLPARMS is the folder, LOADCS a member)    |
|   SYS1      .     IPLPARMS          (LOADCS)                               |
|   HLQ             Other Qualifier    Member                                |
|   a fully qualified data set name with a member in parentheses             |
|                                                                            |
|                                                                            |
| TSO, ISPF and SDSF                                                         |
| ► Are fundamental z/OS navigation interfaces                               |
| ► Are primarily accessed using a TN3270 emulator (Text based)              |
| ► Are used for application development                                     |
| ► Are used for system and operation tasks                                  |
| ► Can be executed in background (Batch)                                    |
|                                                                            |
| So what is TSO -- TSO is the Time Sharing Option.                          |
|  TSO is a command line interface (CLI) with a READY prompt.                |
|                                                                            |
| TSO command line interface                                                 |
| ► TSO is the primary base environment for ISPF and SDSF                    |
| ► TSO is a command line interface with a limited set of commands           |
| ► TSO executes programs and scripts                                        |
| ► At the READY prompt type profile (show your profile settings)            |
| ► At the READY prompt type profile msgid (show message IDs with messages)  |
| ► At the READY prompt type time (show the time of day)                     |
| ► At the READY prompt type listc (list the catalog under your prefix)      |
| ► At the READY prompt type profile noprefix (drop the data set prefix;     |
|      listc then lists the whole catalog, which can be long; interrupt it   |
|      with the PA1 attention key, Alt+Ins in the author's emulator)         |
| ► At the READY prompt type profile prefix(userID_here) (set the prefix     |
|      back)                                                                 |
| ► At the READY prompt type send 'message' user(userID_here)                |
|                                                                            |
| What is SDSF -- System Display and Search Facility                         |
| ► SDSF is a full screen, panel driven interface used to view the input     |
|   queue, execution queue and system log, and to enter commands             |
| ► Requires TSO as base environment                                         |
| ► SDSF most used commands                                                  |
|      In SDSF Primary Option Menu ==>  log (gives you the system log)       |
|      Press F10 while in the system log to scroll left (F11 scrolls right)  |
|                                                                            |
| ISPF -- Interactive System Productivity Facility                           |
| ► Interactive menu-driven panels in full screen format                     |
| ► Used to edit data sets, edit Unix files and execute system utilities     |
| ► Requires TSO as base environment                                         |
| ► In ISPF Primary Option Menu type pfshow off                              |
|         This will remove the function keys from the menu                   |
| ► In ISPF Primary Option Menu type pfshow on                               |
|         This will put the function keys back                               |
| ► In the ISPF editor, the command delimiter is a semicolon ; by default    |
| ► In the ISPF editor, d to the left of a line deletes the line             |
| ► r3 will repeat the line 3 times                                          |
| ► i2 will insert 2 lines after the line                                    |
| ► c for change. Ex: c line message all (change the word line to message)   |
| ► Press F3 to return to the ISPF Primary Option Menu                       |
| ► In ISPF Primary Option Menu >  =sd (jumps to SDSF; SD is the SDSF        |
|   option on this menu)                                                     |
| ► In ISPF Primary Option Menu >  3 (Utilities, Utility Selection Panel)    |
| ► In ISPF Utility Selection Panel >  4 (DSLIST Data Set List Utility)      |
| ► To show data sets created by a user, tab to the Dsname Level field and   |
|      type UserID_Here                                                      |
| ► If you type / to the left of a data set (file), this will give you more  |
|   options to choose from (Data Set List Actions)                           |
| ► If you type e to the left of a partitioned data set (folder), you will   |
|   go inside the folder in EDIT mode                                        |
| ► While inside the partitioned data set type s edittest                    |
|   (this will create a member inside the partitioned data set called        |
|   EDITTEST)                                                                |
| ► While inside the partitioned data set type reset ; caps off              |
|   (this will turn caps off)                                                |
|                                                                            |
| Some commands you can use while you are connected                          |
| ► ping google.com                                                          |
| ► netstat home (This is like ipconfig or ifconfig)                         |
| ► listcat (will list the catalog)                                          |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
|   Mainframe Hacking                                                        |
|   Main focus: Research attack and defense in information warfare.          |
|   In my free time I work with leather and shoot slingshots.                |
|_                                                           Adonis Sawan   _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
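The data set and member naming rules from the file system intro above, as an added Python example that is not code from the original page or from IBM. The qualifier and member rules in the docstring are z/OS naming rules; matches_dsname_level() is a simplified model of the DSLIST "Dsname Level" filter used in option 3.4 and is an assumption of this example, not IBM's implementation.

```python
"""Parse and validate z/OS data set names such as SYS1.IPLPARMS(LOADCS).

Added example, not code from the original page or from IBM. Rules
implemented: a data set name is at most 44 characters made of 1-8
character qualifiers separated by periods; each qualifier starts with a
letter or a national character (@ # $) and continues with letters,
digits, national characters or hyphens; an optional member name in
parentheses follows the same rules except that hyphens are not allowed.
Names are case-insensitive and are kept in upper case.
matches_dsname_level() is a simplified model of the DSLIST "Dsname
Level" filter (an assumption of this example).
"""
import re

_QUALIFIER = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}$")
_MEMBER = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")
_WITH_MEMBER = re.compile(r"^([^()]+)\(([^()]*)\)$")


def parse_dsn(text):
    """Return {'dsn', 'hlq', 'qualifiers', 'member'}; raise ValueError on a
    name z/OS would reject."""
    name = text.strip().upper()
    member = None
    m = _WITH_MEMBER.match(name)
    if m:
        name, member = m.group(1), m.group(2)
        if not _MEMBER.match(member):
            raise ValueError(f"invalid member name: {member!r}")
    if len(name) > 44:
        raise ValueError(f"data set name longer than 44 characters: {name!r}")
    qualifiers = name.split(".")
    for q in qualifiers:
        if not _QUALIFIER.match(q):
            raise ValueError(f"invalid qualifier {q!r} in {name!r}")
    return {"dsn": name, "hlq": qualifiers[0],
            "qualifiers": qualifiers, "member": member}


def is_valid_dsn(text):
    try:
        parse_dsn(text)
        return True
    except ValueError:
        return False


def matches_dsname_level(dsn, level):
    """Simplified DSLIST 'Dsname Level' match: each level qualifier must
    equal the data set qualifier in that position, '*' stands for any one
    qualifier, and a level with fewer qualifiers matches everything under
    it (so SYS1 lists SYS1.IPLPARMS.Y2021 and every other SYS1.* name)."""
    want = level.strip().upper().split(".")
    have = parse_dsn(dsn)["qualifiers"]
    if len(want) > len(have):
        return False
    return all(w == "*" or w == h for w, h in zip(want, have))


if __name__ == "__main__":
    for sample in ("SYS1.IPLPARMS.Y2021", "sys1.iplparms(loadcs)",
                   "1BAD.NAME", "OK.PDS(MEM-1)"):
        try:
            print(sample, "->", parse_dsn(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

The parser is what a tool such as the vtam/tso enumeration above would need before feeding names to RACF queries: a qualifier that starts with a digit or exceeds eight characters is rejected before it ever reaches the host, and the member/data set split mirrors the point made under DIRECTORIES that protection is granted on the data set name, never on the member.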

Coming soon.