Offensive Security 101 — Understand the relationship between Vulnerability Mgmt & Version Control (aka Git)
At its core, vulnerability management focuses on identifying the specific version of a system, application, kernel, driver or logic condition and connecting it to a known security issue (a CVE).
To put it simply, the well-known Equifax breach was based on a vulnerability identified in the Struts application: a totally preventable error that a bit of SecDevOps would have helped to mitigate. Synopsys outlines the vulnerability nicely in the article below.
For those a bit more technical, you need to dive into technical write-ups, often in the hope of reproducing the bug. As a bug hunter and/or security engineer, you will need to review the codebase and perform a technical analysis of the application to understand the patch and spot the bug. It is common practice to maintain application code within a code repository.
Semantic Versioning
Version-controlled semantic releases allow applications to publish x.y.z versions. Using the Struts CVE-2017-5638 example, this bug was fixed in versions `2.3.32` and `2.5.10.1`.
If a piece of software, say Apache Struts, has a remote code execution vulnerability, then you will need to understand where the flawed logic exists within the application and how to trigger it.
If you are researching a patched version of the software, then you will never trigger the vulnerability.
Therefore Git and version control are fundamental knowledge that any researcher, engineer or business analyst is required to have.
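To make the x.y.z comparison behind the CVE-2017-5638 example concrete, here is an added POSIX shell example (not code from the article): it compares dotted versions component by component, then classifies each entry of a constructed Struts inventory against the two fix releases named above. It assumes, for illustration only, that any release older than the fix on the same 2.3 or 2.5 line is affected and reports other lines as unknown.

```shell
# Compare two dotted version strings component by component and print
# -1, 0 or 1 for a<b, a==b, a>b. A missing trailing component counts as 0,
# so 2.5.10 equals 2.5.10.0 and 2.5.10.1 sorts after 2.5.10. Plain string
# comparison gets this wrong: as text, "2.3.9" sorts after "2.3.32".
version_cmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return 0; fi
  done
  echo 0
}

# Fix releases for CVE-2017-5638 as named in the article: 2.3.32 on the 2.3
# line and 2.5.10.1 on the 2.5 line. Assumption for this example: a release
# older than the fix on the same line is vulnerable; other lines are unknown.
struts_cve_2017_5638_status() {
  case $1 in
    2.3|2.3.*) fix=2.3.32 ;;
    2.5|2.5.*) fix=2.5.10.1 ;;
    *) echo unknown; return 0 ;;
  esac
  if [ "$(version_cmp "$1" "$fix")" -lt 0 ]; then echo vulnerable; else echo patched; fi
}

# Constructed inventory of (host, Struts version) pairs used as the scan input.
INVENTORY='web-01 2.3.31
web-02 2.3.32
web-03 2.5.10
web-04 2.5.10.1
web-05 2.3.9'

# Print "host version status" for each inventory line, e.g. "web-01 2.3.31 vulnerable".
scan_inventory() {
  printf '%s\n' "$INVENTORY" | while read -r host ver; do
    printf '%s %s %s\n' "$host" "$ver" "$(struts_cve_2017_5638_status "$ver")"
  done
}
```

Note that `2.5.10.1` has four components, so a fixed x.y.z parser would mishandle it; the loop above works for any number of components.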
DevOps engineers also use these versions to determine the changes between a test environment and a production environment.
Business Analysts are able to understand how features, bug fixes, and UI changes relate to the current book-of-work. Having a solid understanding of semantic versioning as you interact with the application development team will make you many times more effective.
From a security researcher's perspective, these versions are critical for setting up a Cyber Range scenario. Many of us understand the concepts of virtualization and containerization. For those who do, here's a handy Docker repo of containers hosting vulnerable, exploitable scenarios.
A hands-on introduction to version control with Git
Open-Source is all about re-using the wheel that was previously created. That said, I've referenced Scott Lowe's GitHub multiple times. I believe his content and delivery of the basic fundamentals of git are spot on. Therefore I copy/paste and provide a reference pointer back to the source.
To learn git, you must read. To learn code, you must read. To contribute as an engineer, you must use git. Let's get started with a review…
Git/Github Flow
A git flow outlines the development process used by small and large teams. GitFlow is famous for scaring off new git users with an avalanche of boxes and arrows, while GitHub Flow takes an almost painfully simple approach.
The CyberRange follows a similar approach, yet I used forks to merge changes from my personal Cyber Range master into the official SecDevOps@Cuse Cyber Range master.
With more contributors, I’ll shift over to branching of the CyberRange features.
Git Cliff-Notes:
Git terms
* Repository: The database that contains all of a project's information and history. Once added to the repository, information is immutable
* Index: A binary file maintained by Git that describes the repository's directory structure and content at a point in time
* Commit: An entry in the repository (Git database) recording metadata for each change made to the repository
* Remote: A link to another Git repository
* Push: Sending a committed change to an upstream repository
Lab #1: Installing Git
https://github.com/lowescott/2018-git-workshop/blob/master/lab1.md
Lab #2: Creating a repository
https://github.com/lowescott/2018-git-workshop/blob/master/lab2.md
Git commands from Lab #2
* git init: Initialize (create) a Git repository
* git config: Set Git configuration parameters
* git status: Show the current status of the Git repository
* git add: Stage files or changes to be committed to the repository
* git commit: Commit changes to the repository
* git log: Show the history of changes to the repository
Git branches
Lab #3: Branching and merging
https://github.com/lowescott/2018-git-workshop/blob/master/lab3.md
* As a developer, use branches to maintain small changes.
* Changes committed in a Git branch aren’t visible in other Git branches
* Merging changes from one branch to another is the way to share changes between branches.
Git commands from Lab #3
* git branch: Add, remove, or checkout (switch) branches
* git checkout: Switch branches
* git merge: Merge commits into current branch
* git checkout -b <branch>: Create a new branch
Git remotes
Lab #4: Using remotes
https://github.com/lowescott/2018-git-workshop/blob/master/lab4.md
- Git remotes allow humans to model relationships between repositories
- Git uses the name “origin” by default when cloning a repository
- Git supports the use of multiple protocols to communicate with remotes:
  - SSH (you’ll need public key authentication)
  - HTTP/HTTPS (typically used with GitHub/GitLab/etc.)
  - Git (fast, but no security)
- You can have multiple remotes (used with the “fork-and-branch” workflow)
Git commands from Lab #4
* git clone: Clones a repository from an existing repository
* git remote: Shows information about remote repositories
* git push: Push commits/branches to a Git remote
* git fetch: Retrieve changes from a Git remote
* git pull: Retrieve and merge changes from a Git remote
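As an added example (not code from the article, Scott Lowe's workshop, or the Cyber Range repository), the script below runs the fork-and-branch workflow from Lab #4 against local bare repositories: the fork is cloned as "origin", the official repository is added as "upstream", a fix lands on a branch that is pushed to the fork, and the branch is then merged and pushed upstream. It assumes git is installed and uses made-up names (upstream.git, fork.git, seed, dev) for the repositories.

```shell
# Fork-and-branch workflow on local bare repositories, so no network is needed.
# "upstream" stands in for the official SecDevOps@Cuse repository and "origin"
# for the personal fork, which is exactly how Git names them after a clone.
fork_and_branch_demo() {
  work=$1
  export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.com
  export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.com
  git -c init.defaultBranch=master init -q --bare "$work/upstream.git"
  git -c init.defaultBranch=master init -q --bare "$work/fork.git"
  # Seed the official repository with a first release, then copy it to the fork.
  git -c init.defaultBranch=master init -q "$work/seed"
  echo "2.3.31" > "$work/seed/VERSION"
  git -C "$work/seed" add VERSION
  git -C "$work/seed" commit -q -m "Release 2.3.31"
  git -C "$work/seed" push -q "$work/upstream.git" master
  git -C "$work/seed" push -q "$work/fork.git" master
  # Clone the fork (Git calls it "origin") and add the official repo as "upstream".
  git clone -q "$work/fork.git" "$work/dev"
  git -C "$work/dev" remote add upstream "$work/upstream.git"
  # Work on a branch: commits here stay invisible to master until merged.
  git -C "$work/dev" checkout -q -b fix/cve-2017-5638
  echo "2.3.32" > "$work/dev/VERSION"
  git -C "$work/dev" commit -q -am "Bump to patched release 2.3.32"
  git -C "$work/dev" push -q -u origin fix/cve-2017-5638
  # Pull anything new from upstream, merge the branch, publish to upstream.
  git -C "$work/dev" checkout -q master
  git -C "$work/dev" pull -q --ff-only upstream master
  git -C "$work/dev" merge -q --ff-only fix/cve-2017-5638
  git -C "$work/dev" push -q upstream master
}

# Helpers to inspect the result of the demo from any of the repositories.
remote_names() { git -C "$1" remote | sort | paste -s -d ' ' -; }   # "origin upstream"
released_version() { git -C "$1" show master:VERSION; }             # VERSION on master
```

In practice the final push to upstream is replaced by a pull request from the fork's branch, which is where a reviewer sees the change before it reaches the official master.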
Vulnerability Management
Analyzing the semantic versions of environments, assets, and applications is a key component of vulnerability management. There are many libraries within codebases such as Python, many versions of Adobe Reader, and many Windows-based operating systems.
Setting up Vulnerable Software w/ Chocolatey
Read through this to get an idea about Chocolatey and what it can do. Then boot up the Cyber Range and use the Windows-based Metasploitable3 asset to bring up a completely vulnerable environment. The link below points directly to the Chocolatey install script of the Metasploitable3 repository.
To research Chocolatey a bit more, this article is a quick read about installing software with it. Consider enhancing the Metasploitable3 asset with more Chocolatey packages.
Next Steps
- Make Git part of your daily routine
- Create Some Code, then Read & Learn More
- Sign-Up for the CyberRange Webinar
Additional resources: