Thursday, December 19, 2019

Exposing a port from running docker container

Following steps were done on Windows Docker Quick Start installation.

Run a network service in a new port (which was not exposed during starting of the docker container)
docker exec -it container_name /bin/bash
nohup python -m http.server 8000 &

Expose the port using iptables in the docker host.

docker-machine ssh

sudo iptables -t nat -A  DOCKER -p tcp --dport 8001 -j DNAT --to-destination $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' container_name):8000


Test the connection to the newly exposed port from your local machine.
(I used because I was testing this on Docker Quick Start installation on Windows machine)

curl -s

Friday, November 8, 2019

Making files immutable by Linux 'chattr' command

After all those years working in Linux env and studying on application hardening, I don't know how did I miss "chattr" command.

chattr - change file attributes on a Linux file system

Specially the attribute "i" is interesting for me, as it allows you to make a file immutable.

"A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed,  no  link  can  be created  to  this  file and no data can be written to the file.  Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute."

From man page of chattr, other attributes you can change are,
 -    append  only  (a),
 -    no  atime updates  (A),
 -    compressed  (c),
 -    no copy on write (C),
 -    no dump (d),
 -    synchronous directory updates (D),
 -    extent format (e),
 -    immutable (i),
 -    data journalling (j),
 -    secure deletion (s),
 -    synchronous updates (S),
 -    no tail-merging (t),
 -    top of directory hierarchy (T), and
 -    undeletable (u).

Following article explains many interesting usage of this command (including disabling user creation by making /etc/passwd file immutable)

You can use lsattr command to see the attributes of the files/folders.

Monday, November 4, 2019

Threat Agents: Insider Threats: Motivations

Insider threat actors can be motivated by different factors. I try to summarize possible motivations in the following table, and it is not a complete list.

Also the attackers can gain access to a workstation of an employee through mechanism like phishing, and if there are controls to prevent insider threats, the damage that could be done by this attacker can be minimized.

Threat Agent
motivated by
Possible Motivations
Patriotism, Blackmail, Financial gain, Legal gain, Psychological manipulation
InsiderCriminal Organization
Blackmail, Financial gain, Psychological manipulation
InsiderCriminal Organization - Criminal Community
Blackmail, Financial gain, reputation on sharing with community
InsiderCriminal Organization - Hacktivist groups
supporting a ideological cause, reputation on sharing with community, guilt/remorse
InsiderCriminal Organization - Terrorists
supporting a ideological cause, reputation in a like-minded community,
Financial gain
Financial gain, Blackmail
Financial gain, helping family/friend from difficult situation
revenge, remorse/guilt, financial reward, patriotism, ideological cause, fame
Criminal OrganizationGovernment
Financial gain, blackmail, patriotism
Criminal OrganizationCompetitor
Financial gain
Manipulation of facts

Sunday, November 3, 2019

Accessing AWS metadata from EC2 instance

Recently I found few alternative ways to access EC2 metadata, during my studies for AWS Security Specialty exam.

 This is the most popular way to access the metadata from an EC2 instance.

Using http://instance-data/latest/meta-data/ 
But did you know, you can use "instance-data" instead of IP address, and use it to access same information?

Using ec2-metadata command 
If you have logged in as ec2-user, you can run "ec2-metadata" command to access the same set of data. This command has lots of options to filter the information you need. If you have logged in as another user, you will have to add "/opt/aws/bin" to your path, or use full path (/opt/aws/bin/ec2-metadata) to run the command.
You can find lots of such cli tool to access aws services in /opt/aws/bin/ . (My test was done in a Amazon Linux AMI).

Securing access to this service is important, as it allow anyone to get temporary credentials to AWS role assigned to EC2 instance. We have seen the name of this service appears in many security incidents happen in AWS infrastructure.

Possible mitigation on SSRF attacks on metadata service
Netflix security team has created a good solution, "a metadata proxy", to mitigate compromise of AWS credentials through metadata service by SSRF attacks. You can find the details here   Nice thing about this tool is, it is transparent to existing services and users who access AWS metadata URLs.

If you can direct the log output of the proxy to a CloudWatch group, Then you will be able to create alerts to detect malicious attempts on accessing metadata URL.

("ec2-metadata" command line tool calls the above URLs via curl.)

UPDATE (19-NOV-2019):
Finally AWS has added some changes to mitigate the abuse of metadata service by attackers. See

Tuesday, October 29, 2019

Say good bye to Bastion hosts by using AWS Session Manager

Previously if you want to access an EC2 instances inside a private subnet securely, you either use a Bastion host or a VPN connection. If you are using a Bastion host, that means there is another EC2 instance in the public subnet which also expose SSH port to internet, which can be a security risk if it is not properly hardened.

I recently found out that AWS offer a great alternative for this, in the form of "AWS Session Manager". AWS Session Manager is a part of AWS System Manager. First, you need to include the EC2 instances you are planning to connect to the AWS SYstem Manager, as "managed instances" in AWS System Manager by installing ssm-agent (which is already bundled in some AMI versions) and granting relevant IAM permissions.  Then you can go to "Session Manager" link in AWS System Manager, and click "Create a Session". It then ask you to select one of EC2 instances in the managed instances, and you can click start a session. This will open another web page tab, which gives you a nice representation of a shell inside the connected EC2 instance. The user used by session manager to login to EC2 instance is "ssm-user", but you can use ssm-user to run commands including privileged commands similar to ec2-user.

You no longer have to manage a separate EC2 instance as a Bastion Host and expose it to internet  because of this Session Manager feature.

Also you can use IAM policies to restrict access to EC2 instances instead of managing SSH keys, which is another plus for security as it allow you to centralize access management.

Another benefit is you can use CloudTrail for logging and auditing the access and activities done to EC2 instances.

I noticed that, if you are using a AMI from AWS Marketplace which requires running some initialization scripts at the first login, may not work if you use ssm-user to login if the product did not anticipate user login using ssm-user.

See for more details.


Later I encountered difficulties when trying to use Session Manager to login to EC2 instances which were in private subnet (or VPC without attached Internet Gateway). Please follow these instructions to solve the issue using VPC endpoints: 

RFI/RFP/RFQ and Vendor Security Assessment

Following links are good places to start if you are new to RFI/RFP/RFQ process.

Also, there is this free resource you can use to assess your supplier during RFP process.

Saturday, April 13, 2019

Easy way to restrict proxy usage only to selected websites - using a PAC file

Sometimes when you doing CTFs/bug bounties/etc, you face the need to send the traffic to a certain site through a local proxy (or remote proxy for other cases) while keeping other websites access internet directly.

This is how you can do it through a PAC file.

Step 1: 

Start your local proxy (I have started a burpsuite proxy in localhost ( on port 8080 in this case).

Step 2: 

Create a PAC file

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (dnsDomainIs(host, ""))
    return "PROXY"; // (IP:port)

  return "DIRECT";

Step 3: 

Configure your browser to use this PAC file for proxy resolving. (Following example is for Firefox on Windows)

Step 4:

Now use your browser to access the specific website and see your proxy show the request/response only from that specific website.

Step 5: 

If you have done any change to list of web addresses later, You do not need to restart the browser, you can go back to Proxy settings and click "Reload" file in front of PAC file url.

More details: