<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Marek Šottl</title>
    <description>The latest articles on DEV Community by Marek Šottl (@sottlmarek).</description>
    <link>https://dev.to/sottlmarek</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F177325%2F837de13f-ca41-4930-8f39-139f60306624.png</url>
      <title>DEV Community: Marek Šottl</title>
      <link>https://dev.to/sottlmarek</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sottlmarek"/>
    <language>en</language>
    <item>
      <title>Hackitect series vol.3 - Building Capture the flag for developers</title>
      <dc:creator>Marek Šottl</dc:creator>
      <pubDate>Sun, 21 Jul 2019 20:59:21 +0000</pubDate>
      <link>https://dev.to/sottlmarek/hackitect-series-vol-3-building-ctf-for-developers-5eha</link>
      <guid>https://dev.to/sottlmarek/hackitect-series-vol-3-building-ctf-for-developers-5eha</guid>
      <description>&lt;h2&gt;
  
  
  Starting the game
&lt;/h2&gt;

&lt;p&gt;I have always liked games. In my last projects I looked desperately for some gamification for developers. I provide training on the SSDLC, and it is always hard to teach different vulnerabilities and their impact. It is not easy to connect architects and developers. The best way is to get our hands dirty. The solution came very unexpectedly. &lt;br&gt;
OWASP Juice Shop and Facebook's Capture The Flag platform (FBCTF) together provide a strong combination: a large set of predefined vulnerabilities, and a scoring platform that you can extend with your own challenges. &lt;/p&gt;

&lt;p&gt;So let's start our journey of setting up a fun, gamified capture-the-flag platform. &lt;/p&gt;
&lt;h2&gt;
  
  
  How it works
&lt;/h2&gt;

&lt;p&gt;To learn the OWASP Top 10 we will build a platform out of two parts: a capture-the-flag portal and a deliberately vulnerable web application, OWASP Juice Shop. This vulnerable e-shop contains around 90 challenges of increasing difficulty. &lt;br&gt;
Every challenge you solve is rewarded with an achievement and, when Juice Shop runs in CTF mode, with a flag: a hash value shown in the notification that you later hand in to the CTF portal. On the other side is FBCTF, Facebook's open source "world domination" CTF platform. Teams conquer countries by answering quizzes and by capturing flags found through exploiting vulnerabilities. You copy-paste the flag hash into the CTF platform to capture the country that holds the challenge; the captured country gives you points, and the number of points depends on the difficulty of the challenge. &lt;br&gt;
The team with the most points at the end of the given time period wins the game. Happy threat hunting, and don't forget the main prize: chocolate. &lt;/p&gt;
&lt;h2&gt;
  
  
  First step
&lt;/h2&gt;

&lt;p&gt;Install OWASP Juice Shop. You can install Juice Shop on Windows (very easy) or on Ubuntu, the recommended option for real geeks. Juice Shop is a Node.js application, so Node.js and npm must be installed first; the Node.js installer for Windows is very easy, so I don't see any reason to explain it. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For Windows, you need to open the command line and:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Install Node.js (which includes npm) and Git for Windows (Git Bash)&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;git clone https://github.com/bkimminich/juice-shop.git&lt;/code&gt; in your working directory&lt;/li&gt;
&lt;li&gt;Open the &lt;code&gt;juice-shop&lt;/code&gt; directory&lt;/li&gt;
&lt;li&gt;&lt;code&gt;npm install&lt;/code&gt; (downloads the dependencies and builds the application; this takes a while)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;npm start&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Open a browser and go to &lt;code&gt;http://localhost:3000&lt;/code&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;For Linux you need to open the command line and (tested on Ubuntu 18.04.2 LTS):&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Install Node.js and npm; both the packaged release and the source build need them. The NodeSource repository is one way to get a current version (read the setup script before piping it into a root shell):
&lt;code&gt;sudo apt install curl&lt;/code&gt;
&lt;code&gt;curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -&lt;/code&gt;
&lt;code&gt;sudo apt install nodejs&lt;/code&gt; (the package is named &lt;code&gt;nodejs&lt;/code&gt;; there is no &lt;code&gt;node.js&lt;/code&gt; package)
&lt;/li&gt;
&lt;li&gt;Download the packaged Juice Shop release that matches your Node.js version (&lt;a href="https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2"&gt;https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2&lt;/a&gt;) &lt;/li&gt;
&lt;li&gt;Unpack it and &lt;code&gt;cd&lt;/code&gt; into the unpacked &lt;code&gt;juice-shop&lt;/code&gt; folder&lt;/li&gt;
&lt;li&gt;Alternatively (not recommended, it did not work well for me): build from source instead of using the package, i.e. &lt;code&gt;git clone https://github.com/bkimminich/juice-shop.git&lt;/code&gt;, open the &lt;code&gt;juice-shop&lt;/code&gt; directory and run &lt;code&gt;npm install&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;npm start&lt;/code&gt; (for both variants)&lt;/li&gt;
&lt;li&gt;Open a browser and go to &lt;code&gt;http://localhost:3000&lt;/code&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Juice Shop is now ready to roll. It contains epic challenges of different levels for newbies and hardcore non-sleepers. &lt;/p&gt;

&lt;p&gt;&lt;em&gt;It will look like this:&lt;/em&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5j2j7z9cx2lfi9l0dpml.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5j2j7z9cx2lfi9l0dpml.png" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn2eocy548cdk40hm3r46.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn2eocy548cdk40hm3r46.png" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The game is not fully ready yet: we need to make Juice Shop hand out the CTF flags and then import the matching challenges into FBCTF. Eager to play already? No worries, the fun will come soon. &lt;/p&gt;
&lt;h2&gt;
  
  
  Second step - setup the environment
&lt;/h2&gt;

&lt;p&gt;You need to run Juice Shop in CTF mode, which is switched on through the &lt;code&gt;NODE_ENV&lt;/code&gt; environment variable. Note that &lt;code&gt;set&lt;/code&gt; (Windows) and &lt;code&gt;export&lt;/code&gt; (Linux) only affect the current shell session, so start Juice Shop from the same terminal in which you set the variable; a reboot does not help and actually discards the setting. If you want it to survive new sessions, set it persistently (for example with &lt;code&gt;setx NODE_ENV ctf&lt;/code&gt; on Windows or in your shell profile on Linux).&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Set the NODE_ENV variable:
&lt;code&gt;set NODE_ENV=ctf&lt;/code&gt;     in Windows
&lt;code&gt;export NODE_ENV=ctf&lt;/code&gt;  in Linux&lt;/li&gt;
&lt;li&gt;In the same cmd or terminal session, run &lt;code&gt;npm start&lt;/code&gt; in the Juice Shop directory (one-liner on Linux: &lt;code&gt;NODE_ENV=ctf npm start&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Check: solve any challenge (finding the score board is the easiest) and the challenge solved notification should now contain a flag code. If it does not, the variable was not picked up by the process you started.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;
  
  
  Third step - generate the data for FBCTF
&lt;/h2&gt;

&lt;p&gt;Generate the import data with the &lt;code&gt;juice-shop-ctf&lt;/code&gt; command line tool, following the guide from the author: &lt;a href="https://github.com/bkimminich/juice-shop-ctf"&gt;Guide from author&lt;/a&gt;. The tool fetches the challenge list from a running Juice Shop instance and writes a file that you import into the CTF platform. Two settings matter: &lt;code&gt;ctfKey&lt;/code&gt; must be the same key your Juice Shop instance uses (by default the &lt;code&gt;ctf.key&lt;/code&gt; from the repository), because the flags are derived from it and a different key produces flags that the platform will reject; and &lt;code&gt;juiceShopUrl&lt;/code&gt; only tells the generator where to fetch the challenge list from, so for a local game &lt;code&gt;http://localhost:3000&lt;/code&gt; works as well as the public demo instance. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;I recommend the following setup&lt;/strong&gt; (save it as, for example, &lt;code&gt;fbctf.yml&lt;/code&gt; and run &lt;code&gt;juice-shop-ctf --config fbctf.yml&lt;/code&gt;):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ctfFramework: FBCTF
juiceShopUrl: https://juice-shop.herokuapp.com
ctfKey: https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key 
countryMapping: https://raw.githubusercontent.com/bkimminich/juice-shop/master/config/fbctf.yml 
insertHints: none
insertHintUrls: none 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Fourth step - set up FBCTF &amp;amp; import the data
&lt;/h2&gt;

&lt;p&gt;I failed many times during the installation. If you are not sure, check the official guide on GitHub. The admin password is printed on the command line during the installation process, so be careful and check the output of the provisioning script. The CTF framework needs to be installed on Ubuntu 16.04. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Installing the FBCTF:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo apt-get update
sudo apt-get install git
git clone https://github.com/facebook/fbctf
cd fbctf
./extra/provision.sh -m prod -s $PWD
source ./extra/lib.sh
set_password [new_password] ctf ctf fbctf $PWD
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Import the JSON with data:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open the FBCTF portal in your browser (localhost on the machine where you ran the provisioning script)&lt;/li&gt;
&lt;li&gt;Log in as admin with the password printed during the installation (or the one you set with &lt;code&gt;set_password&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Go to Controls and select Import full game. &lt;/li&gt;
&lt;li&gt;Choose the *.json data file generated by juice-shop-ctf&lt;/li&gt;
&lt;li&gt;Looks amazing! &lt;/li&gt;
&lt;li&gt;For more, look into the &lt;a href="https://github.com/facebook/fbctf/wiki/Admin-Guide"&gt;Admin guide&lt;/a&gt; &lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fow3zs6qpl4hwcre3me6h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fow3zs6qpl4hwcre3me6h.png" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcbnp181fhr1af36jztr1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcbnp181fhr1af36jztr1.png" width="800" height="396"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Don't forget to create the teams, set up the timer and select the authentication method. Feel free to customize your logo. &lt;/p&gt;

&lt;p&gt;All tribute to the authors of the open source tools; I had lots of struggles during the installation process. I hope that we will meet in one of my sessions and train together on how to hack some vulnerable apps. Enjoy your hacking. &lt;/p&gt;

&lt;p&gt;If you are interested in meeting me at a training session, you can sign up for the ICTpro School course &lt;a href="https://www.skoleni-ict.cz/kurz/Bezpecny-vyvoj-aplikaci-SSDLC-HCK4.aspx"&gt;HERE&lt;/a&gt; &lt;/p&gt;

</description>
      <category>node</category>
      <category>opensource</category>
      <category>owasp</category>
      <category>ubuntu</category>
    </item>
    <item>
      <title>Hackitect series vol.2 - Open source cybersecurity zoo</title>
      <dc:creator>Marek Šottl</dc:creator>
      <pubDate>Mon, 10 Jun 2019 19:14:15 +0000</pubDate>
      <link>https://dev.to/sottlmarek/hackitect-series-vol-2-open-source-cybersecurity-zoo-4g70</link>
      <guid>https://dev.to/sottlmarek/hackitect-series-vol-2-open-source-cybersecurity-zoo-4g70</guid>
      <description>&lt;h1&gt;
  
  
  Open source security animal ZOO
&lt;/h1&gt;

&lt;p&gt;As I promised in my first article (&lt;a href="https://www.linkedin.com/pulse/hackitect-journey-mission-marek-%C5%A1ottl-ceh-cissp/"&gt;https://www.linkedin.com/pulse/hackitect-journey-mission-marek-%C5%A1ottl-ceh-cissp/&lt;/a&gt;), here is the cyber security open source animal ZOO. This article will not lead you to the best-known, market-breaking open source projects; it will lead you to different cyber animals that are useful in the day-to-day job of a Hackitect. The list is not limited to my selection, so feel free to share your own tools and thoughts about what is missing.&lt;/p&gt;

&lt;p&gt;Let's erase the idea that IT merely supports the business. We need to understand that security has become a function, a functional requirement in essence. Then we need to understand that security is here to enable the business, not just to support it. To enable the business, we need to forget what we know and look for unusual solutions.&lt;/p&gt;

&lt;h2&gt;
  
  
  Gophish
&lt;/h2&gt;

&lt;p&gt;I remember a few projects done with this great tool. In-house phishing simulation became easy and fun with open source like this. You can track user behaviour, locations, submitted data etc., all with one server and one open source solution (with a cool GUI). Campaign data can easily be exported to CSV.&lt;/p&gt;

&lt;p&gt;Landing pages are written in classic HTML and CSS, but if you have no knowledge in this area you can simply clone an existing site and trick your victims with it. Emails are easy to create too; the system has predefined templates. Codified templates! Spear, targeted and mass phishing campaigns become a fun part of your job. &lt;/p&gt;

&lt;p&gt;The phishing master gets status information per email: sent, opened, clicked and even data submitted (which can be anonymised, so GDPR ready!). All of this in one package.&lt;/p&gt;

&lt;h2&gt;
  
  
  Volatility
&lt;/h2&gt;

&lt;p&gt;A forensic beast that is hard to spot in a free security office: yes, this is the Volatility framework. This tool is a fantastic open source memory forensics toolkit. The last release is version 2.6 from 2016. Not the freshest, but if you have machines affected by malware and want to focus on RAM forensics, not bad at all. Like the majority of security tools, this cyber toy is coded in Python.&lt;/p&gt;

&lt;p&gt;Interested in more? Do you like playing with mutex values to find malware? Look here: &lt;a href="https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage"&gt;https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Kubebench and Dockerbench
&lt;/h2&gt;

&lt;p&gt;If you are looking for tooling and an architecture for configuration benchmarking, you are on the right track. If you want, for example, to run audits from AWS Lambda or Azure Functions as serverless jobs reporting directly to CloudWatch, you are already reaching the cyber grail of cloudification.&lt;/p&gt;

&lt;p&gt;Do you remember the tool named &lt;strong&gt;lynis&lt;/strong&gt;? A perfect audit and benchmarking instrument for Linux, easy to use and to implement. If you are a big fan of containers, this two-headed snake (a giant one) is absolutely your choice. The tools &lt;strong&gt;kube-bench and docker-bench&lt;/strong&gt; provide a comprehensive audit of containerised systems. docker-bench is based on the CIS (Center for Internet Security) Docker Benchmark; you can find the project on GitHub: &lt;a href="https://github.com/docker/docker-bench-security"&gt;https://github.com/docker/docker-bench-security&lt;/a&gt;. docker-bench checks common best practices related to host OS configuration and security (iptables, partitions, directory permissions etc.) as well as the Docker daemon, images and running containers. On the other side is kube-bench, which benchmarks Kubernetes installations. kube-bench is also on GitHub: &lt;a href="https://github.com/aquasecurity/kube-bench"&gt;https://github.com/aquasecurity/kube-bench&lt;/a&gt;. Its tests are written in that absolutely awesome coding language named YAML, and the whole framework is built in Go. For Go fans, perfect news and a challenge to start contributing. All the checks are derived from the CIS Kubernetes Benchmark. &lt;/p&gt;

&lt;h2&gt;
  
  
  MobSF
&lt;/h2&gt;

&lt;p&gt;This is my favourite cyber animal. If you are a pentester, an architect or, mainly, if you are a HACKITECT, then start sharpening your mind. The perfect installation is on Ubuntu with Docker. This pentesting framework for mobile apps is used even by multiple consulting companies (easy to recognise from their reports). In a few seconds you get the decompiled application with a static source code review and recommendations on what to do.&lt;/p&gt;

&lt;p&gt;A really good feature is dynamic analysis, for those who like to explore more. This &lt;em&gt;framework supports iOS (ipa), Android (apk) and Windows Phone apps (appx)&lt;/em&gt;. If you have not started installing yet, you still have the chance.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless. MobSF even has a web API. What else could you wish for?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Sovrin
&lt;/h2&gt;

&lt;p&gt;OK, OK, OK, now we are getting serious. Do you know blockchain? YES, the cool and fancy buzzword of 2018. There are people on this planet who really want to make it useful. Sovrin is a public, permissioned blockchain for identity built on DIDs (decentralized identifiers); the data model and syntax are available here: &lt;a href="https://w3c-ccg.github.io/did-spec/"&gt;https://w3c-ccg.github.io/did-spec/&lt;/a&gt;. Sovrin is built on the open source Hyperledger Indy. Self-sovereign identities could be the future of decentralised, Active Directory-like systems providing secure and immutable identities and identity management features. More details belong in a separate article.&lt;/p&gt;

&lt;p&gt;A last, more philosophical question: do you think that dinosaur technologies like AD will survive the age of digital transformation, the age of self-sovereign identity?&lt;/p&gt;

&lt;h2&gt;
  
  
  HashiCorp Vault
&lt;/h2&gt;

&lt;p&gt;Infrastructure as code is a topic that cannot be forgotten these days. If you know Terraform from HashiCorp, you will know Vault too: secure storage for all your sensitive credentials, tokens and key material.&lt;/p&gt;

&lt;p&gt;Vault provides not only storage but also on-demand issuing of short-lived AWS credentials, SSH credentials and X.509 certificates, so secrets can be generated per use instead of being shared and copied around. Looking for more? Here is the reference architecture: &lt;a href="https://www.vaultproject.io/guides/operations/reference-architecture.html"&gt;https://www.vaultproject.io/guides/operations/reference-architecture.html&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Inspec
&lt;/h2&gt;

&lt;p&gt;Security and architecture as code are a basic need today. There will be fewer talkers and more people who deliver value. InSpec is an instrument for compliance, or audit if you wish, as code. More guides and information are available at &lt;a href="https://www.inspec.io/"&gt;https://www.inspec.io/&lt;/a&gt;. This framework is made by Chef and its community, so thank you! Supported targets include cloud environments like AWS and Azure, as well as containers and plain infrastructure. Results can be exported in JUnit format and consumed by your continuous integration pipeline. For shell fun you can play with the InSpec shell.&lt;/p&gt;

&lt;p&gt;Audit and security as we know them are moving to new standards. I am happy about that.&lt;/p&gt;

&lt;h2&gt;
  
  
  SonarQube
&lt;/h2&gt;

&lt;p&gt;Looking for a solution for source code review? SonarQube is not the best, but it will help you get insight into your code. SonarQube can be integrated with enterprise CI/CD solutions (Jenkins, Azure DevOps, TeamCity and others). The SonarQube team describes the product as continuous inspection. Sonar is not primarily targeted at security problems (that is only part of it), so don't expect features like those of Fortify or Checkmarx. The great thing is that there are several open source plugins: &lt;a href="https://redirect.sonarsource.com/doc/plugin-library.html"&gt;https://redirect.sonarsource.com/doc/plugin-library.html&lt;/a&gt;. This tool supports multiple languages. &lt;/p&gt;

&lt;p&gt;The full list is here: &lt;a href="https://www.sonarqube.org/features/multi-languages/"&gt;https://www.sonarqube.org/features/multi-languages/&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Security_monkey
&lt;/h2&gt;

&lt;p&gt;Big companies work with the community too. Netflix is a typical example.&lt;/p&gt;

&lt;p&gt;Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. &lt;br&gt;
The great thing is that Security Monkey can be used for multi-cloud setups. I was looking for a really long time for automation of AWS security checks. If you are building Lambda-based security, or better said event-driven security, you must search deep on GitHub to get your answers, or sit down and start coding (God bless you). Netflix's statement is: "Support is available for OpenStack public and private clouds. Security Monkey can also watch and monitor your GitHub organizations, teams, and repositories."&lt;/p&gt;

&lt;h2&gt;
  
  
  Secure codebox
&lt;/h2&gt;

&lt;p&gt;With today's automation, companies are trying to improve their CI/CD. This is greatly assisted by AWS (CodeCommit, CodeDeploy) and Azure (Azure DevOps) tooling. At a time when we want to integrate SSDLC security into the lifecycle of projects, we need to automate security checks. An excellent tool is secureCodeBox, which integrates scanners like nmap, sslyze, WPScan, OWASP ZAP etc. behind one interface. &lt;/p&gt;

&lt;p&gt;The source code is available at &lt;br&gt;
&lt;a href="https://github.com/secureCodeBox/secureCodeBox"&gt;https://github.com/secureCodeBox/secureCodeBox&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;The whole system is based on a microservice architecture. Every modern agile Hackitect will choose a similar microservice architecture for DevSecOps / SecDevOps.&lt;/p&gt;

&lt;p&gt;This article is a living creature, so I will edit, extend and improve it to keep everything accurate and correct. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Honourable mentions (not the real zoo):&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;OWASP ZAP proxy&lt;/li&gt;
&lt;li&gt;OpenVAS&lt;/li&gt;
&lt;li&gt;Graylog&lt;/li&gt;
&lt;li&gt;ELK stack (Elasticsearch, Logstash, Kibana)&lt;/li&gt;
&lt;li&gt;Arachni scanner&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>security</category>
      <category>devops</category>
      <category>opensource</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Hackitect series vol.1 - Hackitect journey as the mission</title>
      <dc:creator>Marek Šottl</dc:creator>
      <pubDate>Sat, 08 Jun 2019 12:59:45 +0000</pubDate>
      <link>https://dev.to/sottlmarek/hackitect-series-vol-1-330m</link>
      <guid>https://dev.to/sottlmarek/hackitect-series-vol-1-330m</guid>
      <description>&lt;h2&gt;
  
  
  Hackitect journey as the mission
&lt;/h2&gt;

&lt;p&gt;I decided to write this article as a prequel to the forthcoming series of articles from the Hackitect world. The start will be a bit soft.&lt;/p&gt;

&lt;p&gt;I will start a little untraditionally. The main objective of this chapter is to motivate young, talented people towards IT and cyber security. You can go in many directions: you may become a risk manager, SOC expert, auditor, consultant, penetration tester, or even a security architect. And nothing stops you from holding more roles at the same time, such as ethical hacker and architect. Do you think that is not possible?&lt;/p&gt;

&lt;h2&gt;
  
  
  Hackitect as a concept
&lt;/h2&gt;

&lt;p&gt;I never liked it when they boxed me in or tried to put me into a corporate org chart. Do not let it happen to you either. Everyone has to find the right way to use and define their talent. The times when work started and ended with the corporate role are long gone. Hackitect is actually a role on the boundary between ethical hacking, SSDLC (secure application development) and architecture. Of course it can vary, but it is important that the role is not limited to "I am a specialist in X". The path of the Hackitect means mainly the desire to discover and to constantly learn new things, without limiting yourself to one technology or instrument. At the same time, a Hackitect must retain enough knowledge to understand how the technology works, to be able to dive into great detail and then come back to a high-level view. A long and difficult journey; sometimes it may seem unattainable. Generally, architects without hands-on practice get completely out of touch with reality. An architect who delivers a solution in the form of pictures full of boxes in an unrealistic design is not an architect but a pseudo-artist. Again: HANDS ON is ARCHI ON.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where to start
&lt;/h2&gt;

&lt;p&gt;First read about information security management systems and the Deming cycle. Ideally you should start with Udemy courses (they have good courses about pentesting) and explore standards such as the OWASP projects (SAMM, ASVS, coding guidelines). Studying the tools in Kali Linux can also be a good tutorial. A great way to get started with penetration testing is to install and launch WebGoat. If you only want penetration testing, it is good to read the OSSTMM (manual) and the OWASP Testing Guide. For architectural understanding, you need to know what architecture is and then study frameworks like TOGAF or SABSA (&lt;a href="https://sabsa.org/"&gt;https://sabsa.org/&lt;/a&gt;). If you want to be very modern and work in an agile way, it does not hurt to dive into the DevSecOps community (&lt;a href="http://www.devsecops.org/"&gt;http://www.devsecops.org/&lt;/a&gt;). If you are interested in cloud security, you cannot miss the AWS Well-Architected Framework and the Cloud Security Alliance whitepapers. There are many other things to study: forensics, identities, cryptography, networking, mobile apps and infinitely more. You need to understand that applications and infrastructure are two sides of one coin; don't forget that when you study. Explore all the things around that support security (service management, development, configuration management, CI/CD and many other interesting Pokémon to collect). If you are brave enough, check out zero trust architecture.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Ok it's chaotic so let's make it simple:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Code like crazy and create your own repo on GitHub (the strong ones can open source their code animals).&lt;/li&gt;
&lt;li&gt;Without research it will not work.&lt;/li&gt;
&lt;li&gt;Read like crazy, then read and study again.&lt;/li&gt;
&lt;li&gt;Test the tools and evaluate them.&lt;/li&gt;
&lt;li&gt;Plan, and make things very simple, in small steps.&lt;/li&gt;
&lt;li&gt;Don't cry when you don't understand. Cry when you don't have anything to discover.&lt;/li&gt;
&lt;li&gt;A high level of ethics must be the first priority.&lt;/li&gt;
&lt;li&gt;Learn how attackers attack systems and how systems are built (analysis and synthesis).&lt;/li&gt;
&lt;li&gt;If you are a trainee, find a mentor.&lt;/li&gt;
&lt;li&gt;If you are a more experienced professional, find a coach.&lt;/li&gt;
&lt;li&gt;Be humble; choosing to work in cyber security is not an easy path.&lt;/li&gt;
&lt;li&gt;Determine your Hackitect areas and follow them in small steps.&lt;/li&gt;
&lt;li&gt;Higher goals such as obtaining CISSP, CEH, GWAPT, CSSP, CSLP, CRISC, SABSA, TOGAF, OSCP, CCSP and others are excellent. It is important to equip yourself with patience and determination, because IT security is not a job, it is part of your mission.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Understanding that you will never know everything
&lt;/h2&gt;

&lt;p&gt;The more you discover on your Hackitect journey, the more you find out that you cannot understand everything. You will never be able to master SIEM, secure development, cloud, MDM, the Microsoft &amp;amp; Linux ecosystems, open source solutions, ethical hacking, etc. all at once. You need to rejoice in this and learn to live with it. Somewhere I read a very good quotation: in order to become a master you have to be a beginner, a thousand times over. Do not be afraid to fail, because you will only learn. Personally, I can say that every three years I feel like I have forgotten everything and am starting again. It is the tax on the rapid development of technology.&lt;/p&gt;

&lt;h2&gt;
  
  
  Dive-in and Dive Out
&lt;/h2&gt;

&lt;p&gt;It is a difficult task to learn a high level of abstraction for explaining things to people outside IT. Learn how to work as a business person and how to sell it to the business units in your company. High-level design capability takes years of practice. It is also important not to forget about engineering itself and to occasionally get your hands dirty, so that you do not lose contact with everyday reality. Do not let the stereotype of the high-level viewpoint conceal the mind of the child engineer in you. Engineering and research are part of architectural work.&lt;/p&gt;

&lt;h2&gt;
  
  
  Beware of bullshitters
&lt;/h2&gt;

&lt;p&gt;Everyone will promise you the possible and the impossible. It is true that nobody can give you as much as I can promise you. Do not believe the promises. Visions are great when they are at least a bit reachable; if they are pure illusion, put your jetpack on and fly to another nice place. Your own work will not get better without your own innovations and actions. If you have a mentor, it does not mean that he is your teacher; he guides you and points you in the right direction. The only person who moves you forward is you alone. No one will give you AI based on blockchain computed by drones. Build realistically with your own work and build the future as you like it. Many managers and even more experts speak more than they act. Learn to recognise the right partners for your working life.&lt;/p&gt;

&lt;h2&gt;
  
  
  Without people it will not work, think about scaled learning
&lt;/h2&gt;

&lt;p&gt;In IT security it is hard to find good, large teams. We worked on very interesting projects which made me think. Technologically, we worked with cutting-edge technology. I was close enough to touch real futuristic products, but I was not able to reach them. I realised that I was alone in the team and that there was no one else in my area. And that is the major point: there is a real need for talented people who can make ideas real! Without teammates, it is not possible to complete the Hackitect journey. Learning from each other is a critical success factor. Being alone just sucks.&lt;/p&gt;

&lt;h2&gt;
  
  
  Take your time
&lt;/h2&gt;

&lt;p&gt;Don't hurry!! Plan your precious time effectively. Think about learning and enjoy it. If you hurry too much you can lose contact with reality and get lost. Effective time planning, with real benefits for your Hackitect path, is a critical element. If you have time, you have time for yourself and for critical thinking. When you get information, evaluate whether it is true and relevant; very important these days. Try to simplify. No, don't try: make things simple. As one of my friends says: "I am a simple man, I like simple solutions!"&lt;/p&gt;

&lt;p&gt;I planned to make this topic more personal; however, I decided to leave a few bullets for next time.&lt;/p&gt;

&lt;p&gt;Next time I am planning an article for you about the open source security animal ZOO. &lt;/p&gt;

</description>
      <category>security</category>
      <category>devops</category>
      <category>architect</category>
      <category>devsecops</category>
    </item>
  </channel>
</rss>
