Welcome to this blog series where we delve into the fascinating world of Trusted Platform Modules (TPMs). In this series, we will explore what TPMs are, their history, how they work, and their practical applications in enhancing security. By the end of this series, you'll have a solid understanding of TPMs and their importance in modern computing.

Glossary

• TPM (Trusted Platform Module): A hardware-based security device that performs cryptographic operations.

• NVRAM (Non-Volatile Random-Access Memory): Memory that retains data even after the system is powered off.

• ECC (Elliptic Curve Cryptography): A type of public key cryptography based on the algebraic structure of elliptic curves.

• RSA (Rivest-Shamir-Adleman): A widely used public key cryptosystem for secure data transmission.

• SEED: Initial value used in key generation processes within TPM.

• Primary Key: A key generated by the TPM that never leaves the TPM, used to encrypt child keys.

• Child Key: A key created by the TPM and encrypted by its parent key for various cryptographic operations.

What is TPM?

The Trusted Platform Module (TPM) is a security tool that can be part of your computer's motherboard, CPU, or provided by a software that controls the system.

It works below the level of the operating system and the boot sequence, which means it can check if these systems are safe even if they've been tampered with.

However, if you look at the many pages of guidelines and additional documents by TCG (Trusted Computing Group), you'll see that TPMs are quite complicated.

Small scenario related to importance of TPM in security

Imagine a large financial corporation, VulnCorp, handling sensitive customer data and financial transactions. Despite their robust digital security measures, a group of hackers managed to infiltrate their network through a phishing attack. They installed malware that could manipulate the boot process and load malicious software before the operating system.

Here’s where a TPM could have made a difference: TPMs check the integrity of the boot process, verifying each component before the operating system loads. If VulnCorp had implemented TPM technology, the TPM would have detected unauthorized changes to the boot sequence initiated by the malware. This would trigger a security alert, preventing the system from loading the compromised operating system, thus nullifying the hackers’ attempts to steal sensitive data.

History of TPM

Early Development and Origins (1999-2003)

• 1999: Concept emerges from the Trusted Computing Platform Alliance (TCPA) by IBM, Intel, HP, Microsoft.

• 2001: TCPA releases first specification (TCPA Main Specification 1.0).

Establishment of the Trusted Computing Group (TCG) (2003)

• 2003: TCPA evolves into TCG; TPM 1.1b specification released.

TPM 1.2 Specification and Adoption (2005-2009)

• 2005: TCG releases TPM 1.2 specification with enhanced key management and platform attestation.

• 2006-2009: Widespread adoption in enterprise devices (laptops, desktops, servers).

Transition to TPM 2.0 (2011-2014)

• 2011: TCG releases TPM 2.0 specification; more cryptographic algorithms, flexible architecture.

• 2013-2014: Integration into new hardware platforms and major OS support (Windows, Linux, macOS).

TPM 2.0 Implementation and Regulatory Mandates (2015-2020)

• 2015-2020: TPM 2.0 becomes industry standard; adoption driven by regulatory guidelines (NIST, GDPR).

TPM in Modern Computing (2020-Present)

• 2020: Continued evolution of TPM 2.0; enhanced for cloud computing, IoT devices.

• 2021: Microsoft mandates TPM 2.0 for Windows 11, underlining its importance in modern security.

How TPM works?

TPM functions as a secure cryptoprocessor, performing key management, encryption, and integrity checking below the operating system level. It can store passwords, security certificates, and encryption keys securely, preventing unauthorized access and tampering.

Practical Applications of TPM

Here are the main tasks a TPM performs:

• The TPM stores passwords, security certificates, and encryption keys securely and prevents unauthorized tampering.

• It stores information about the computer securely, so it’s easy to detect if anyone has tampered with the computer.

• A TPM can securely generate encryption keys so that the process cannot be spied upon or interfered with.

• Seal and unseal keys, ensuring keys are only accessible when the system is trustworthy.

In conclusion, TPMs are used in various security applications:

• Checking the boot state

• Device identification

• Secure key management

• Creating secure authorization systems

• Ensuring secure sessions

How does TPM works internally?

Here is an example to make it simpler and clearer: (READ THIS AGAIN AFTER COMPLETING the latter content)

Let's say you have a safe (the TPM) and inside that safe, you have a locked box (primary key). Inside this locked box, you place another smaller locked box (child key). The smaller box can be taken out of the safe, but it can't be opened because it's protected by the lock from the bigger box (encrypted by the parent key). The big box can't be taken out of the safe (never leaves the TPM).

So, the big box (primary key) protects the smaller box (child key), and the safe (TPM) protects the big box. This process ensures a secure way of handling keys, where even if the child key is somehow exposed, it can't be used because it's encrypted by the primary key.

TPM has the following architecture

SEED - This is usually setted-up by the manufacturer, which plays a vital role in generating the primary/private key data inside the KDF (key derivation function) which also adds additional entropy to the KDF.

BONUS: By using the same user entropy added to the internal seed we can know who generated the same primary key.

What is PRIMARY KEY?

• Primary Keys are generated by the TPM and never leave the TPM. They are used to protect (encrypt) child keys.

• The Primary Key is at the root of the TPM's storage hierarchy. It's created when you take ownership of the TPM and it is protected by the Storage Root Key (SEED), which is burned into the TPM at manufacture time.

• The private portion of a primary key, also called an endorsement key, is never exposed to any other component, software, process, or user.

• As the private material of private keys never leave the TPM, we can only regenerate them. We can also persist a TPM key to avoid the regeneration of the keys.

• We don't associate primary key in usual operations.

• Primary keys are always asymmetric - ECC or RSA.

• Usually, primary keys do not support signing, it is possible, however it is meant to wrap the child key by default.

What is CHILD KEYS?

• Child keys can leave the TPM if they are encrypted by a parent key (also known as wrapping). This means that the child key is protected by the parent key.

• A child key is a key that is created by a TPM and wrapped (encrypted) by its parent key.

• A child key can be used for various purposes, such as signing, encryption, or storage.

• A child key can also become a parent key if it meets certain conditions, such as being a storage key.

• A child key can only be unwrapped (decrypted) by its parent key.

• Child keys are the one that we usually associate with different operations.

• They can be symmetric or key-hash as well like AES128

Visualize - illustrating sequential operation of a TPM in laymen terms

• TPM Activation: The TPM is activated and initializes by setting up the SEED.

• Primary Key Generation: Utilizing the SEED and the key derivation function (KDF), the TPM generates the primary key.

• Child Key Creation: The primary key generates a child key, which it then encrypts.

• Child Key Usage: The encrypted child key is exported for external operations like signing or encryption.

• Child Key Return: After use, the child key is returned to the TPM, still encrypted.

When not to use a TPM?

• For Speed - Built for high grade security, not for speed.

• For Storage - Enough storage for critical artifacts like secrets and keys.

• Primary Security Solution - Cannot be used as a standalone security solution (it's a passive security device)

Where to use TPM?

• Better physical tamper protection

• Built-in protection against MITM (Man-in-the-Middle)

TPM Secure storage use-cases:

• Store certificates and other forms of authorizations in TPM's NVRAM

• Use TPM's NVRAM as a secure counter (e.g., for counter the miles in taxis)

• Use the TPM's NVRAM to store sensitive data

Conclusion

TPMs have become an essential component in safeguarding systems against unauthorized access and tampering. By understanding how TPMs work and their benefits, you can better appreciate their importance in today's security landscape.

I hope this series has provided valuable insights, and I encourage you to share your thoughts or questions in the comments below.

P.S. If you feel something can be improved in the above blog please feel free to contact me on LinkedIn, I am always open to constructive feedback!

Stay tuned for more detailed explorations in my upcoming posts!

The inspiration for this task was to automate the annoying weekly Network Scan for my company every Sunday on all the public facing IPs (that are changed every week), so that we already know about known vulnerabilities and mitigate them just after the weekly prod deployment.

So, let's get started!

TL;DR
Nessus Expert does have a schedule scan feature, however we cannot schedule scans while changing the IPs automatically, so I utilized the official Nessus API.
But the catch here is due to some issue in Nessus's API it doesn't schedule the scan with the API keys given by Nessus itself, it needs some UI specific cookies, which is strange since you should be able use the API keys!
That's what I have tried a workaround for here. Hope you may find this helpful, as I will be showcasing some reverse code analysis and network tab analysis to create this automation, which might help you in future for creating automation!
P.S. I will be using code snippets for reference, the whole code will not be shared here.

OPENING NOTE:
Now, your first question will be that -
You: If you are doing weekly network scan, you must have Nessus license?
Me: Yep, I do. Nessus Expert :)
You: Then, it already has a feature to schedule the scans, then why in the world are you making this useless automation?
Me: Cuz the IPs are changed every week -_- and there is no target refresh feature on Nessus.
Me: So, the good news is Nessus Expert have a official API documentation :O
You: Lol it would be so easy, me don't need this blog :|
Me: So did I thought in the beginning.. However..

Me: They do have a API, and it's the foundation for this automation, but the API keys for some reason don't work on the endpoint that runs the scan :|
IDK why... Maybe they forgot to maintain the API XD

Anyways, let's actually get started!

I have used Python for making this tool, cuz why not!

Now, you would need the following two API keys for interacting with the Nessus API - Access Key and Secret key

Which you can find here: > My Account > API Key
Generate your keys below, and save 'em to your config.yaml file.

Then test it using below code (basic API functioning)

# Function to test a simple API call to Nessus
def test_nessus_connection():
    try:
        response = requests.get(f"{NESSUS_URL}/scans", headers=headers, verify=False, timeout=60)
        log_response(response)
    except Exception as e:
        print(f"Error testing Nessus connection: {e}")

Now, you need to pass the API Key in the headers.
Look at the below code for understanding the basic Nessus API structural working, which shows all the scans you have done in past with the different scan templates used.

import requests
import yaml

# Load configuration from YAML file
with open("config.yaml", "r") as file:
    config = yaml.safe_load(file)

# Nessus API setup
NESSUS_URL = config["nessus"]["url"]
ACCESS_KEY = config["nessus"]["access_key"]
SECRET_KEY = config["nessus"]["secret_key"]

headers = {
    "X-ApiKeys": f"accessKey={ACCESS_KEY}; secretKey={SECRET_KEY}",
    "Content-Type": "application/json",
}

# Function to list all scans
def list_scans():
    response = requests.get(f"{NESSUS_URL}/scans", headers=headers, verify=False)
    response.raise_for_status()
    scans = response.json()["scans"]
    return scans

def list_scan_templates():
    response = requests.get(f'{NESSUS_URL}/editor/scan/templates', headers=headers, verify=False)
    response.raise_for_status()
    templates = response.json()['templates']
    return templates

# Main
if __name__ == "__main__":
    scans = list_scans()
    for scan in scans:
        print(f"ID: {scan['id']}, Name: {scan['name']}, Status: {scan['status']}")
    templates = list_scan_templates()
    for template in templates:
        print(f"Name: {template['name']}, UUID: {template['uuid']}")

Scan API request template

Below was my first noobie attempt to run the scan using the API

NOTE: You need to run a scan and get the SCAN_ID from network tab analysis using dev-tools (that you'll add in the config.yaml file), to automate this scan.

# Function to launch a scan with updated targets from ips.json
def launch_scan():
    with open("ips.json", "r") as file:
        targets = json.load(file)
    scan_data = targets
    try:
        response = requests.post(
            f"{NESSUS_URL}/scans/{SCAN_ID}/launch",
            headers=headers,
            json=scan_data,
            verify=False,  # Disable SSL verification
            timeout=120  # Increase timeout to 120 seconds
        )
        log_response(response)
    except requests.exceptions.RequestException as e:
        print(f"Error launching scan: {e}")
    except Exception as e:
        print(f"Unexpected error launching scan: {e}")

# Main execution
if __name__ == "__main__":
    updateIPList()
    launch_scan()

But Sadly I got the following error every time I ran the above code...
Error launching scan: ("Connection broken: ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None)", ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None))

Bonus - In such cases you can add a proxy and check the response on you BurpSuite or any other network proxy tool.

Now, I had to check and debug the issue, so I added a proxy to my code to check if the request is even correct or not!

def launch_scan():
    with open("ips.json", "r") as file:
        targets = json.load(file)
    scan_data = targets
    print(scan_data)
    try:
        # added proxy urls
        proxy = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
        response = requests.post(
            f"{NESSUS_URL}/scans/{SCAN_ID}/launch",
            headers=headers,
            json=scan_data,
            verify=False,  # Disable SSL verification
            proxies=proxy, # traffic Proxy enabled
            timeout=120    # Increase timeout to 120 seconds
        )
        log_response(response)
    except requests.exceptions.RequestException as e:
        print(f"Error launching scan: {e}")
    except Exception as e:
        print(f"Unexpected error launching scan: {e}")

I got the below result -

As you can see that I am using access key and secret key, on the official suggested API endpoint by Nessus Documentation, that can be seen below but still it shows API is not available error.

Now, from here onwards it got really annoying!
I had wasted my ample time retrying and debugging the same endpoint, but no luck.

At this point most of you'll think that why not use selenium...
Well, for starters I didn't wanted to, cuz it's not efficient and prone to failures and might fail on successive app updates. Also, it'll need periodic maintainance.

Now, we'll see how I solved this problem by not using selenium but still able to run and schedule the scan!

Problem and Solution

Identifying the problems

I began by exploring the frontend UI using the NETWORK TAB in DevTools and then switched to BurpSuite. I identified two headers for authentication: X-Cookie and X-Api-Token.

Initially, I copied these values from the UI to BurpSuite, and both headers needed to be used together for the request to work.

Problem 1: Obtain X-Cookie and X-Api-Token after login.

X-Cookie was straightforward as it appeared in the login response. However, X-Api-Token was trickier, appearing only after 2-3 requests post-login, suggesting it's set client-side.

I navigated to the SOURCE tab in DevTools, searched for X-Api-Token in the JavaScript source code (nessus6.js file), and found it being set dynamically.

Where the second occurrence show it is setting the X-Api-Token on the fly and we can see the token is returned as well just above the function.

Now, Problem 2: Identify or generate the client-side X-Api-Token.

PROBLEM 3: The ultimate goal of the automation script, which will be determined once the script is complete.

Creating a solution

For Problem 1, I logged in using credentials obtained from the Network tab request to get the X-Cookie.

For Problem 2, I couldn't find a direct source to generate the X-Api-Token. Instead, I speculated that the TOKEN, returned in the nessus6.js file (which we saw earlier), must be from a dynamic JS source. I used regex to fetch the X-Api-Token from this file after login and saved it in the config.yaml along with the X-Cookie.

This allowed the request to launch the scan with the necessary headers. Here's the working solution:

def fetch_and_update_api_token():
    js_url = f"{NESSUS_URL}/nessus6.js"
    try:
        response = requests.get(js_url, verify=False, timeout=60)
        if response.status_code == 200:
            pattern = (
                r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b"
            )
            matches = re.findall(pattern, response.text)
            if matches:
                new_x_api_token = matches[
                    0
                ]  # Assuming the first match is the required token
                update_config(new_x_api_token=new_x_api_token)
                print("---------------------------------------")
                print(new_x_api_token)
                print("---------------------------------------")
            else:
                print("No X-Api-Token found in the JavaScript file")
        else:
            print(
                f"Failed to fetch JavaScript file: {response.status_code} - {response.text}"
            )
    except requests.RequestException as e:
        print(f"Request failed: {e}")

And here itself the script was done and working perfectly!

config.yaml file -

nessus:
  scan_id:
  access_key:
  secret_key:
  url: https://localhost:8834
  username:
  password:
  x_api_token:
  x_cookie:

Problem 3 (the actual Goal)

The goal was to automate the weekly scan scheduling, freeing myself from manual scheduling every Sunday.

So, Now, how should I schedule it?

You: Bruh! Now it's fairly simple, use schedule library in python to schedule it, lol.

Me: Inefficient, as it requires the script to run 24/7, which is impractical on a VPS with potential downtime.

You: Oh! Then maybe try Task Scheduler or schtasks.exe?

Me: So, did I thought, but didn't work due to the task's fast execution (when using task scheduler or schtasks.exe) and my script's longer run time.

SOLUTION: I found a freeware workaround called Task Till Dawn, which simplifies scheduling on Windows and Mac.

SOLUTION 3 -

Just create a simple batch script

@echo off
REM Change directory to the location of your Python script
cd $PATH/

REM log the output to a file
python nessus_automation.py > output.log 2>&1

Drag and drop the script into Task Till Dawn and edit the task. Actions will be set automatically on the tool's home dashboard.

Add your schedule -

Save and Close

Now, your script will run automatically on schedule, even after a machine restart. The schedule will remain unaffected unless the machine is shut down during execution or the code is deleted.

Thanks for reading!

If this blog helped, give it a like! For any improvements or feedback, feel free to contact me on LinkedIn. Always open to constructive feedback!

Thanks and see you in the next blog!

Like many of you, I've been a regular participant of null-meetups in Bengaluru. However, I often found myself missing out on special workshops (Humla/Bachav) due to the limited seat availability. I realized that attendees were registering faster than I could, leaving me out on the opportunity.

As a solution, I decided to leverage my recent learning of GoLang to develop a notification bot. This bot is programmed to monitor the website at regular intervals and notify me via email with an attached screenshot of the events, whenever a Null meetup or workshop is announced.

Sounds intriguing? Let's dive into the details!

The Bot's Mechanism

TL;DR

The GoLang bot is created to monitor the null.community website for Bengaluru Null meetup (especially for Humla/Bachav workshops). Once it detects an event, it sends an email notification along with a screenshot of the event to my inbox. One of the challenges faced during the bot's deployment was the IP/host blocking by null.community firewall. However, I found a way around it, which I'll detail later.

Libraries Used

1. github.com/gocolly/colly: An elegant scraper and crawler framework for Golang used for monitoring the website.

2. github.com/mailgun/mailgun-go: A Go library for sending mail with the Mailgun API, used for emailing the results.

3. github.com/chromedp/chromedp: A faster, simpler way to drive browsers supporting the Chrome DevTools Protocol, used for capturing the event screenshot from the site.

Now, first let's check how the content looks on the website -

We want content from tbody part to parse and check for the content.

Why didn't I choose div?

Well, I only wanted the content related to the event, so that I can easily parse and read data with minimal noise.

A Look at the tool logic

The below UML diagram demonstrates the whole process:

P.S. I won't detail the whole code since the logic is important, the code will follow itself if you have enough practice with the coding language.

Overcoming Deployment Challenges

Initially, the plan was to run this bot using Github Actions or my VPS. However, the null website was blocking my requests from these sources. As a workaround, I decided to schedule the bot on my personal system, which is typically active for 18 hours a day. I used the Windows Task Scheduler to run the binary I built from Go at regular intervals.

Using Task Scheduler

Creating a basic task locally -

Example result:

In conclusion, this GoLang bot was just a play-through in my free time to learn GoLang.

This blog was meant for beginners, if it helped you even a little bit give it a like!

Also, if you feel something can be improved in the above blog please feel free to contact me on LinkedIn, always open to the constructive feedback!

Thanks and see ya in next blog!