Tuesday, September 22, 2020

Quick Tip #6

Sorting a list of IPs the proper way requires sorting on all four fields (octets). Hal Pomeranz presented this in the Linux DoJo 2 webinar on Black Hills Security webcast. 


Thursday, August 20, 2020

Quick Tip #5

 Find the interfaces in Linux that have IPs assigned (and what those IPs are):


ifconfig | grep -B1 -P -e "\d*\d\.\d*\d\.\d*\d\.\d*\d"


[root@rtrispa02 user1]# ifconfig | grep -B1 -P -e "\d*\d\.\d*\d\.\d*\d\.\d*\d"

enp1s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 10.82.250.27  netmask 255.255.255.255  broadcast 10.82.250.27

--

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

Friday, May 15, 2020

Quick Tip #4 - Dshell

Dshell is a network forensics tool that extracts data from network traffic, either from a pcap or live from a network interface.

You can us Git or Subversion to install the tool.

[root@legolas opt]# git clone https://github.com/USArmyResearchLab/Dshell.git
Cloning into 'Dshell'...
remote: Enumerating objects: 29, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 653 (delta 9), reused 17 (delta 7), pack-reused 624
Receiving objects: 100% (653/653), 924.42 KiB | 4.26 MiB/s, done.
Resolving deltas: 100% (292/292), done.
[root@legolas opt]# ls
Dshell  google
[root@legolas opt]#

Next is installing the dependencies.

There's no Fedora package for pypcap, so here I had to use pip for that one package...
[jeff@legolas opt]$ sudo pip install pypcap
[sudo] password for jeff:
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
WARNING: Running pip install with root privileges is generally not a good idea. Try pip install --user instead.
Collecting pypcap
  Using cached https://files.pythonhosted.org/packages/12/71/a689ca8c6ef4570e105efdc6b46d4ac16cdef7af36a8fbfaff0f6fa2b754/pypcap-1.2.3.tar.gz
Installing collected packages: pypcap
  Running setup.py install for pypcap ... done
Successfully installed pypcap-1.2.3
And install the rest of the prereqs...
[root@legolas opt]# dnf install geoip python2-dpkt  python2-IPy pycrypto
[root@legolas opt]# dnf install geoip python2-dpkt  python2-IPy pycrypto
Last metadata expiration check: 0:08:56 ago on Mon 23 Mar 2020 07:18:53 PM EDT.
Package GeoIP-1.6.12-5.fc30.x86_64 is already installed.
Package python2-crypto-2.6.1-25.fc30.x86_64 is already installed.
Dependencies resolved.
============================================================================================================================================================================
 Package                                     Architecture                          Version                                      Repository                             Size
============================================================================================================================================================================
Installing:
 python2-IPy                                 noarch                                0.81-24.fc30                                 fedora                                 37 k
 python2-dpkt                                noarch                                1.9.1-7.fc30                                 fedora                                261 k
Transaction Summary
============================================================================================================================================================================
Install  2 Packages
Total download size: 298 k
Installed size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): python2-IPy-0.81-24.fc30.noarch.rpm                                                                                                   86 kB/s |  37 kB     00:00
(2/2): python2-dpkt-1.9.1-7.fc30.noarch.rpm

Once the prereqs are satisfied, run make from the Dshell directory.
Once it successfully completes. run ./dshell. If you see a dshell command prompt, you're good to go..
[root@legolas Dshell]# ./dshell
root@legolas.net.att:/opt/Dshell Dshell>
Now run decode -l to get a list of available decoders..

root@legolas.net.att:/opt/Dshell Dshell> decode -l
  module                                   name                           author            desc
  ---------------------------------------- ------------------------------ ---------- --- -  --------------------------------------------------
  decoders.dhcp.dhcp                       dhcp                           dek        UDP    Extract client information from DHCP messages
  decoders.dns.dns                         dns                            bg/twp     TCP    extract and summarize DNS queries/responses (defaults: A,AAAA,CNAME,PTR records)
  decoders.dns.dns-asn                     dns-asn                        bg         TCP    identify AS of DNS A/AAAA record responses
  decoders.dns.dns-cc                      dns-cc                         bg         TCP    identify country code of DNS A/AAAA record responses
  decoders.dns.innuendo-dns                innuendo-dns                   primalsec  TCP    proof-of-concept detector for INNUENDO DNS channel
  decoders.dns.reservedips                 reservedips                    bg         TCP    identify DNS resolutions that fall into reserved ip space
  decoders.filter.asn-filter               asn-filter                     twp/nl     TCP +  filter connections on autonomous system number (ASN)
  decoders.filter.country                  country                        twp        TCP +  filter connections on geolocation (country code)
  decoders.filter.snort                    snort                          twp        RAW +  filter packets by snort rule
  decoders.filter.track                    track                          twp        TCP +  tracked activity recorder
  decoders.flows.large-flows               large-flows                    bg         TCP    display netflows that have at least 1MB transferred
  decoders.flows.long-flows                long-flows                     bg         TCP    display netflows that have a duration of at least 5mins
  decoders.flows.netflow                   netflow                        bg         TCP    generate netflow information from pcap
  decoders.flows.reverse-flow              reverse-flow                   me         TCP    Generate an alert if the client transmits more data than the server
  decoders.ftp.ftp                         ftp                            amm        TCP    ftp
  decoders.http.flash-detect               flash-detect                   ekilmer    TCP +  Detects successful Flash file download.
  decoders.http.httpdump                   httpdump                       amm        TCP    Dump useful information about HTTP sessions
  decoders.http.joomla-cve-2015-8562       joomla-cve-2015-8562           bg         TCP    detect and dissect malformed HTTP headers targeting Joomla
  decoders.http.ms15-034                   ms15-034                       bg         TCP    detect attempts to enumerate MS15-034 vulnerable IIS servers
  decoders.http.peht                       peht                           mm         TCP    Penetration/Exploit/Hijacking Tool detector
  decoders.http.rip-http                   rip-http                       bg/twp     TCP    rip files from HTTP traffic
  decoders.http.web                        web                            bg,twp     TCP    Improved version of web that tracks server response
  decoders.malware.emdivi.emdivi_c2        emdivi_c2                      bg         TCP    deobfuscate Emdivi http c2
  decoders.misc.followstream               followstream                   amm        TCP    Generates color-coded Screen/HTML output similar to Wireshark Follow Stream
  decoders.misc.grep                       grep                           amm        TCP +  Search for patterns in streams.
  decoders.misc.merge                      merge                          bg/twp     RAW +  dump all packets to single file
  decoders.misc.synrst                     synrst                         bg         RAW    detect failed attempts to connect (SYN followed by a RST/ACK)
  decoders.misc.writer                     writer                         twp        RAW    pcap/session writer
  decoders.misc.xor                        xor                            twp        TCP +  XOR an entire stream with a given single byte key
  decoders.nbns.nbns                       nbns                           dek        UDP    Extract client information from NBNS traffic
  decoders.protocol.bitcoin                bitcoin                        dek        TCP    Extract Bitcoin traffic, including Stratum mining protocol (pooled) traffic
  decoders.protocol.ether                  ether                          twp        RAW    raw ethernet capture decoder
  decoders.protocol.ip                     ip                             twp        RAW    IPv4/IPv6 decoder
  decoders.protocol.protocol               protocol                       bg         RAW    Identifies non-standard protocols (not tcp, udp or icmp)
  decoders.smb.psexec                      psexec                         amm        TCP    Extract command/response information from psexec over smb
  decoders.smb.rip-smb-uploads             rip-smb-uploads                bg         TCP    Extract files uploaded via SMB
  decoders.smb.smbfiles                    smbfiles                       amm        TCP    List files accessed via smb
  decoders.templates.PacketDecoder         unnamed                        xx         RAW
  decoders.templates.SessionDecoder        unnamed                        xx         TCP
  decoders.tftp.tftp                       tftp                           dev195     RAW    Find TFTP streams and, optionally, extract the files
  decoders.voip.rtp                        rtp                            mm         UDP    Real-time transport protocol (RTP) capture decoder
  decoders.voip.sip                        sip                            mm         UDP    Session Initiation Protocol (SIP) capture decoder
  root@legolas.net.att:/opt/Dshell Dshell>

Once in the Dshell prompt, use decode to start analysis, whether from a network interface or a pcap.
the syntax is decode -d <decoder> <source>
So to run the DNS extraction decoder from a network interface, the syntax would be decode -d dns -i <interface>
If you use tcpdump, ngrep or other libpcap tools, -i is easy to remember...

root@legolas.net.att:/opt/Dshell Dshell> decode -d dns -i eno1
dns 2020-03-24 15:57:02      192.168.1.1:53    --      192.168.1.4:44085 ** 34186 A? i.scdn.co / CNAME: scdnco.spotify.map.fastly.net, A: 151.101.46.248 (ttl 6s) **
dns 2020-03-24 15:57:02      192.168.1.1:53    --      192.168.1.4:44085 ** 38801 AAAA? i.scdn.co / CNAME: scdnco.spotify.map.fastly.net, AAAA: 2a04:4e42:b::760 (ttl 6s) **
dns 2020-03-24 15:57:10      192.168.1.1:53    --      192.168.1.4:36947 ** 9265 A? www.gstatic.com / A: 172.217.8.163 (ttl 156s) **
dns 2020-03-24 15:57:10      192.168.1.1:53    --      192.168.1.4:36947 ** 1339 AAAA? www.gstatic.com / AAAA: 2607:f8b0:4009:810::2003 (ttl 168s) **
dns 2020-03-24 15:57:10      192.168.1.1:53    --      192.168.1.4:43795 ** 3600 A? clientservices.googleapis.com / A: 172.217.6.3 (ttl 172s) **
dns 2020-03-24 15:57:10      192.168.1.1:53    --      192.168.1.4:58426 ** 18791 AAAA? www.googleapis.com / AAAA: 2607:f8b0:4009:816::200a (ttl 9s) **
dns 2020-03-24 15:57:10      192.168.1.1:53    --      192.168.1.4:43795 ** 33050 AAAA? clientservices.googleapis.com / AAAA: 2607:f8b0:4009:816::2003 (ttl 21s) **
dns 2020-03-24 15:57:10      192.168.1.1:53    --      192.168.1.4:58426 ** 9310 A? www.googleapis.com / A: 172.217.4.74 (ttl 156s) **
dns 2020-03-24 15:57:10      192.168.1.1:53    --      192.168.1.4:42267 ** 29350 A? accounts.google.com / A: 172.217.5.13 (ttl 109s) **
dns 2020-03-24 15:57:10      192.168.1.1:53    --      192.168.1.4:42267 ** 11695 AAAA? accounts.google.com / AAAA: 2607:f8b0:4009:806::200d (ttl 180s) **
dns 2020-03-24 15:57:11      192.168.1.1:53    --      192.168.1.4:41977 ** 37896 A? www.google.com / A: 172.217.5.4 (ttl 24s) **
dns 2020-03-24 15:57:11      192.168.1.1:53    --      192.168.1.4:41977 ** 1809 AAAA? www.google.com / AAAA: 2607:f8b0:4009:816::2004 (ttl 115s) **
dns 2020-03-24 15:57:11      192.168.1.1:53    --      192.168.1.4:38453 ** 2485 AAAA? mirror.toolbar.netcraft.com / CNAME: d2nwnd7jypv9mn.cloudfront.net **
dns 2020-03-24 15:57:11      192.168.1.1:53    --      192.168.1.4:38453 ** 22186 A? mirror.toolbar.netcraft.com / CNAME: d2nwnd7jypv9mn.cloudfront.net, A: 54.192.30.37 (ttl 60s), A: 54.192.30.3 (ttl 60s), A: 54.192.30.121 (ttl 60s), A: 54.192.30.32 (ttl 60s) **
dns 2020-03-24 15:57:11      192.168.1.1:53    --      192.168.1.4:54375 ** 40826 AAAA? oauthaccountmanager.googleapis.com / AAAA: 2607:f8b0:4009:80e::200a (ttl 67s) **
dns 2020-03-24 15:57:11      192.168.1.1:53    --      192.168.1.4:54375 ** 18283 A? oauthaccountmanager.googleapis.com / A: 172.217.1.42 (ttl 239s) **
dns 2020-03-24 15:57:11      192.168.1.1:53    --      192.168.1.4:43085 ** 3682 A? www.gstatic.com / A: 172.217.8.163 (ttl 155s) **
dns 2020-03-24 15:57:11      192.168.1.1:53    --      192.168.1.4:43085 ** 47980 AAAA? www.gstatic.com / AAAA: 2607:f8b0:4009:810::2003 (ttl 167s) **
dns 2020-03-24 15:57:11      192.168.1.1:53    --      192.168.1.4:52599 ** 24895 A? fonts.gstatic.com / CNAME: gstaticadssl.l.google.com, A: 172.217.4.227 (ttl 151s) **
dns 2020-03-24 15:57:11      192.168.1.1:53    --      192.168.1.4:52599 ** 17736 AAAA? fonts.gstatic.com / CNAME: gstaticadssl.l.google.com, AAAA: 2607:f8b0:4009:813::2003 (ttl 184s) **
dns 2020-03-24 15:57:14      192.168.1.1:53    --      192.168.1.4:34639 ** 6929 A? clients2.google.com / CNAME: clients.l.google.com, A: 172.217.6.110 (ttl 200s) **
dns 2020-03-24 15:57:14      192.168.1.1:53    --      192.168.1.4:34639 ** 22810 AAAA? clients2.google.com / CNAME: clients.l.google.com, AAAA: 2607:f8b0:4009:80c::200e (ttl 80s) **
dns 2020-03-24 15:57:14      192.168.1.1:53    --      192.168.1.4:38872 ** 56630 A? mtalk.google.com / CNAME: mobile-gtalk.l.google.com, A: 74.125.201.188 (ttl 200s) **
dns 2020-03-24 15:57:14      192.168.1.1:53    --      192.168.1.4:54398 ** 38080 AAAA? clients4.google.com / CNAME: clients.l.google.com, AAAA: 2607:f8b0:4009:813::200e (ttl 65s) **
dns 2020-03-24 15:57:14      192.168.1.1:53    --      192.168.1.4:38872 ** 8511 AAAA? mtalk.google.com / CNAME: mobile-gtalk.l.google.com, AAAA: 2607:f8b0:4001:c14::bc (ttl 169s) **
dns 2020-03-24 15:57:14      192.168.1.1:53    --      192.168.1.4:54398 ** 16312 A? clients4.google.com / CNAME: clients.l.google.com, A: 172.217.8.174 (ttl 144s) **
dns 2020-03-24 15:57:14      192.168.1.1:53    --      192.168.1.4:48611 ** 36628 A? update.googleapis.com / A: 172.217.8.195 (ttl 169s) **
dns 2020-03-24 15:57:14      192.168.1.1:53    --      192.168.1.4:48611 ** 6685 AAAA? update.googleapis.com / AAAA: 2607:f8b0:4009:815::2003 (ttl 249s) **
dns 2020-03-24 15:57:15      192.168.1.1:53    --      192.168.1.4:51568 ** 18214 A? pbs.twimg.com / CNAME: cs196.wac.edgecastcdn.net, CNAME: cs2-wac.apr-8315.edgecastdns.net, CNAME: cs2-wac-us.8315.ecdns.net, CNAME: cs672.wac.edgecastcdn.net, A: 192.229.173.16 (ttl 1607s) **
dns 2020-03-24 15:57:15      192.168.1.1:53    --      192.168.1.4:51568 ** 30000 AAAA? pbs.twimg.com / CNAME: cs196.wac.edgecastcdn.net, CNAME: cs2-wac.apr-8315.edgecastdns.net, CNAME: cs2-wac-us.8315.ecdns.net, CNAME: cs672.wac.edgecastcdn.net, AAAA: 2606:2800:220:13d:2176:94a:948:148e (ttl 282s) **
dns 2020-03-24 15:57:15      192.168.1.1:53    --      192.168.1.4:45840 ** 10482 A? twitter.com / A: 104.244.42.65 (ttl 204s), A: 104.244.42.129 (ttl 204s) **
dns 2020-03-24 15:57:15      192.168.1.1:53    --      192.168.1.4:42808 ** 22387 A? ogs.google.com / CNAME: www3.l.google.com, A: 172.217.9.78 (ttl 79s) **
dns 2020-03-24 15:57:15      192.168.1.1:53    --      192.168.1.4:42808 ** 10107 AAAA? ogs.google.com / CNAME: www3.l.google.com, AAAA: 2607:f8b0:4009:813::200e (ttl 131s) **
dns 2020-03-24 15:57:15      192.168.1.1:53    --      192.168.1.4:53188 ** 47438 AAAA? ssl.gstatic.com / AAAA: 2607:f8b0:4009:803::2003 (ttl 51s) **
dns 2020-03-24 15:57:15      192.168.1.1:53    --      192.168.1.4:53188 ** 46402 A? ssl.gstatic.com / A: 172.217.1.35 (ttl 212s) **
8:58
This is just a simple example, of course. Dshell has some really powerful decoders.

Also realize when decoding from a network interface, your results will not be instantaneous. DShell is both sniffing, and processing the packets. It may take a few seconds before you see output to the screen..

Over time, we get a nice list of DHCP clients..

root@legolas.net.att:/opt/Dshell Dshell> decode -d dhcp -i wlp2s0
WARNING:dhcp:unpack requires a string argument of length 7
dhcp 2020-03-25 08:06:03         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0xcc7bea4a  Client Hostname: DESKTOP-G7F5AG0 Client MAC: 00:db:df:82:39:a8
**
dhcp 2020-03-25 11:45:32         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0x1fd67e34  Client Hostname: android-2dc255debbc724e1 Client MAC: e0:db:10:4f:
58:95   **
dhcp 2020-03-25 11:48:48         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0x3b0ac447  Client Hostname: android-2dc255debbc724e1 Client MAC: c4:1c:ff:a1:
11:62   **
dhcp 2020-03-25 11:48:49         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0x3b0ac447  Client Hostname: android-2dc255debbc724e1 Client MAC: c4:1c:ff:a1:
11:62   **
dhcp 2020-03-25 11:57:47         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0xeef4a9b   Client Hostname: DESKTOP-G7F5AG0 Client MAC: 00:db:df:82:39:a8
**
dhcp 2020-03-25 12:04:07         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0xb096d028  Client Hostname: DESKTOP-G7F5AG0 Client MAC: c4:1c:ff:a1:11:62
**
dhcp 2020-03-25 12:04:08         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0xb096d028  Client Hostname: DESKTOP-G7F5AG0 Client MAC: c4:1c:ff:a1:11:62
**
dhcp 2020-03-25 12:48:32         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0x9224c4a1  Client Hostname: WINDOWS-F8POIBL Client MAC: 00:db:df:f1:0a:1d
**
dhcp 2020-03-25 12:55:12         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0x1968796   Client Hostname: SAMSUNG-SM-G950U Client MAC: dc:ef:ca:ce:fb:eb
 **
dhcp 2020-03-25 14:00:37         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0xffcab1c1  Client Hostname: android-7eb55e3b2dff69c7 Client MAC: c8:a8:23:9a:
bd:36   **
dhcp 2020-03-25 14:23:47         0.0.0.0:68   -- 255.255.255.255:67   ** Transaction ID: 0xa460cc0f  Client Hostname: Living room    Client MAC: c8:a8:23:9a:bd:36

Running Dshell from a pcap

Running dshell against a pcap is as simple as specifying the decoder (-d) then the filename:

decode -d dns test01-200330-00152961.pcap
34.192.146.205 (ttl 43s), A: 3.210.88.27 (ttl 43s), A: 3.214.228.175 (ttl 43s), A: 3.225.196.127 (ttl 43s), A: 3.226.155.212 (ttl 43s), A: 3.230.54.175 (ttl 43s), A: 18.211.68.147 (ttl 43s), A: 18.233.141.189 (ttl 43s) **
dns 2020-03-30 16:15:37   208.67.222.222:53    --      12.68.84.27:48513 ** 43640 A? tps10251.doubleverify.com / CNAME: nycp-hlb.doubleverify.com, CNAME: nycp-hlb.dvgtm.akadns.net, A: 204.154.111.119 (ttl 57s) **
dns 2020-03-30 16:15:37      10.82.17.91:53    --     10.84.81.106:62178 ** 44144 A? sqm.microsoft.com / CNAME: sqmfe.glbdns2.microsoft.com **
dns 2020-03-30 16:15:37      10.82.17.91:53    --    10.84.195.218:52695 ** 40361 A? teams.microsoft.com / CNAME: teams.office.com, CNAME: teams-office-com.s-0005.s-msedge.net, CNAME: s-0005.s-msedge.net, A: 52.113.194.132 (ttl 74s) **
dns 2020-03-30 16:15:37      10.70.12.72:53    --     10.84.196.47:60102 ** 38924 A? eastus.notifications.teams.microsoft.com / CNAME: eastuscns.trafficmanager.net, CNAME: eastuscns-16.eastus.cloudapp.azure.com, A: 52.114.133.8 (ttl 10s) **
A: 67.226.212.59 (ttl 163s), A: 67.226.212.60 (ttl 163s), A: 67.226.212.55 (ttl 163s), A: 67.226.212.56 (ttl 163s) **
dns 2020-03-30 16:15:37      10.82.17.91:53    --    10.84.194.198:56018 ** 33928 A? southcentralus.notifications.teams.microsoft.com / CNAME: southcentraluscns.trafficmanager.net, CNAME: southcentraluscns-28.southcentralus.cloudapp.azure.com, A: 52.114.144.25 (ttl 10s) **
dns 2020-03-30 16:15:37      10.70.12.72:53    --    10.84.194.198:56018 ** 33928 A? southcentralus.notifications.teams.microsoft.com / CNAME: southcentraluscns.trafficmanager.net, CNAME: southcentraluscns-28.southcentralus.cloudapp.azure.com, A: 52.114.144.25 (ttl 4s) **
dns 2020-03-30 16:15:37      10.82.17.91:53    --     10.84.196.72:55455 ** 29864 A? cdn.syndication.twimg.com / CNAME: cs196.wac.edgecastcdn.net, CNAME: cs2-wac.apr-8315.edgecastdns.net, CNAME: cs2-wac-us.8315.ecdns.net, CNAME: cs45.wac.edgecastcdn.net, A: 72.21.91.70 (ttl 882s) **
dns 2020-03-30 16:15:37      10.82.17.91:53    --     10.84.81.106:51938 ** 44545 A? sqm.microsoft.com / CNAME: sqmfe.glbdns2.microsoft.com **
dns 2020-03-30 16:15:37   208.67.220.220:53    --      12.68.84.27:54400 ** 45921 A? acp-ss.adobe.io / A: 52.0.111.85 (ttl 60s), A: 52.0.166.103 (ttl 60s), A: 52.1.255.31 (ttl 60s), A: 52.20.40.93 (ttl 60s), A: 52.21.18.122 (ttl 60s), A: 52.22.128.58 (ttl 60s), A: 35.172.75.11 (ttl 60s), A: 52.0.102.100 (ttl 60s) **

Thursday, April 30, 2020

Quick Tip #3 - Christmas Scan in nmap

nmap determines the OS of the target by the responses it gets. Different operating systems send back slightly different packets in response to what TCP flag is set. The TCP flags are SYN, ACK, FIN, PSH, URG, RST. The mnemonic I use is: Unskilled Attackers Pester Real Security Folks. When you run an XMAS scan in nmap you are setting all TCP flags at the same time. Obviously, this isn’t a valid packet and requires the ability to modify the network stack, hence the need to be root to run this scan. This scan can help identify the target when other OS fingerprinting techniques are inconclusive, but a good IDS/Next Gen Firewall will probably block these packets. But it’s worth a shot when you can’t figure out the OS of the target. Also realize this is NOT stealthy. You’re announcing your intentions are to recon the network and it may get you blacklisted. You run the XMAS scan with the -sX flag.

Friday, April 24, 2020

Quick Tip #2 - dnsmap

dnsmap - command line utility to map out DNS records, bypassing the prohibition on zone transfers...

dnsmap is a great little tool to enumerate as many sub-domains on a target as possible. It's very easy to use and add to a script. Here's the parameters:

[root@legolas /]# dnsmap
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
usage: dnsmap [options]
options:
-w
-r
-c
-d
-i (useful if you're obtaining false positives)
e.g.:
dnsmap target-domain.foo
dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt
dnsmap target-fomain.foo -r /tmp/ -d 3000
dnsmap target-fomain.foo -r ./domainbf_results.txt

Now a quick run for the wired.com domain... I stopped it before it completed as this was just an example for educational purposes only

[root@legolas /]# dnsmap wired.com           
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] searching (sub)domains for wired.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
accounts.wired.com
IP address #1: 199.232.64.239
al.wired.com
IP address #1: 206.221.206.72
ar.wired.com
IP address #1: 209.202.221.208
beta.wired.com
IP address #1: 199.232.66.194
blog.wired.com
IP address #1: 3.91.111.80
IP address #2: 52.206.152.173
br.wired.com
IP address #1: 209.202.221.209
bw.wired.com
IP address #1: 206.221.206.104
cl.wired.com
IP address #1: 209.202.221.208
co.wired.com
IP address #1: 209.202.221.208
cr.wired.com
IP address #1: 209.202.221.208
demo.wired.com
IP address #1: 192.168.243.17
[+] warning: internal IP address disclosed
do.wired.com
IP address #1: 209.202.221.208
downloads.wired.com
IP address #1: 199.232.64.239
e.wired.com
IP address #1: 184.51.156.42
f.wired.com
IP address #1: 52.206.152.173
IP address #2: 3.91.111.80
gp.wired.com
IP address #1: 206.221.207.10
gt.wired.com
IP address #1: 209.202.221.208
hl.wired.com
IP address #1: 206.221.207.17
hn.wired.com
IP address #1: 209.202.221.208
home.wired.com
IP address #1: 52.206.152.173
IP address #2: 3.91.111.80
labs.wired.com
IP address #1: 10.91.34.27
[+] warning: internal IP address disclosed
m.wired.com
IP address #1: 3.91.111.80
IP address #2: 52.206.152.173
mc.wired.com
IP address #1: 206.221.206.157
media.wired.com
IP address #1: 199.232.64.239
^C
[root@legolas /]#

Tuesday, March 31, 2020

Quick Tip #1 - tcpdump

Remember when using tcpdump to filter down your pcaps to a smaller segment of traffic, that if you

don’t specify the fields when you read the traffic, it won’t be in the new pcap. I know that sounds

obvious to the point of being silly, but it’s easier to forget than you think. If you need to see Ethernet

headers, use -e.  If you need to see length, TTL, etc., use -v.

If you want both hex and ASCII displayed, use -X. And don’t forget to use -nn so you’re not flooding

your DNS (or tipping off your attacker you’re investigating) and to make sure you see the actual

port in use, not what nmap’s services file thinks it is…

Quick Tips

I'm going to start posting some quick tips for beginners in NetSec as I think of them..hope they're helpful, and if they seem over obvious, remember we're all at different points in our learning. Someone else may not encountered the information yet. That's why this is a mentoring site... =-)

jeff

Tuesday, March 17, 2020

Cleaning up Splunks .CSV export

Exported a bunch of IPs from Splunk that met a certain criteria.. best it could do was .csv, which gave me this… I needed the count too, temporarily...

10.61.2.66",1

10.61.3.253",1

10.61.6.74",1

10.61.9.102",1

10.61.9.141",1

10.62.11.161",1

….
Fortunately Linux has the built in tools to take this output and easily give me a list of IPs, one per line with no duplicates that I can then script to get the hostname..

eowyn02:~ jeffsoh$ awk ‘NR%2==1’ mad_clients.csv | cut -d ‘“’ -f1 | sort -u

10.16.110.121
10.165.64.189
10.165.70.155
10.17.100.7
10.184.192.251
10.184.192.252
10.184.193.112
10.184.193.166
10.184.193.171
10.184.193.172
10.184.193.219
10.184.193.37
10.184.193.43
10.184.194.17
10.184.21.18
10.184.21.90
10.184.22.188
10.184.22.229

The awk command shows every second line, so the line with the IP address and not the line with a double quote only.
The cut command sets the double quote character as the delimiter and shows the first field, so what is before the double quote, the IP address.
And then we sort and remove dups with the -u, the unique parameter to sort..

Wednesday, February 5, 2020

Nmap for Beginners - Part 2

The first parameter to add is the type of scan, and there are many. The most common are -sS for Syn scan and -sT for a Connect scan. A syn scan is also called a half open scan because it sends a syn packet, and if it receives a syn-ack, it then tears down the session without completing the TCP three way handshake.
If you are not root, the default is a Connect scan. A Syn scan requires root privileges. A connect scan is slower and noisier because establishes a full session .

UDP scanning is very slow because most UDP services don't send a response, unless it's DNS, SNMP  or some other service that interacts with the source. UDP scanning relies on an ICMP port unreachable message. Some networks filter these I=CMP packets even though this is not good networking practice and can cause issues on the network. Use -sU to conduct a UDP scan.

So a Syn scan would be: nmap -sS 1.1.1.1 and a Connect scan would be nmap -sT 1.1.1.1

To specify what ports to scan, use -p. For example,  you can use a comma separated list like -p 80,443,8080,3128. To specify a range of ports, you can use -p 1023-2056 which would scan all ports beginning with 1023 thru 2056 inclusively. You can also use CIDR notation and a combination of different types.




Sunday, January 19, 2020

Nmap for Beginners - Part 1

Nmap is the most well known and most used port scanner in existence. It's not the fastest.. MassScan and UnicornScan are much faster. Masscan is a duplex scanner, using one port to send  packets and another to listen for responses. However, nmap has made great progress over the years in speed. One advantage of nmap is its ability to determine the operating system and applications running on the target. There are other tools like p0f that do this as well, but this capability is built into nmap.
But the best feature of nmap besides port scanning is its scripting engine. nmap has hundreds of scripts, written in NSE, the Nmap Scripting Engine, that can check for vulnerable versions, test for misconfigurations that allow techniques like SQL injections and cross site scripting and dozens of other tests.
Using nothing but nmap, you can do a  Nessus like vulnerability scan of an end host.

The simplest scan would be nmap . That's most basic nmap scan you can do. Takes all the defaults. Syn scan if you are root, Connect scan if not. Uses the Nmap default ports which is a mixture of server and ephemeral ports the author, Fyodor, has deemed the most common. Output to stdout. I'm on MacOS here but the commands I use would be the same for Linux.


Thursday, December 5, 2019

What About Automation?

Better analysts or better automation? Which way is the path forward? Have we really reached a point where human analysis is no longer viable or scalable? If so, why do automated tools continue to fail? Behavioral analysis and network threat hunting, as being forwarded by folks like John Strand has a better chance of allowing us to close the breach detection gap and keep bad actors out to begin with. Given the massive investments in each years next big thing, the overlap in tools with companies paying two or three times for the same functionality which vendors market as integration, and our continuing inability to prevent breaches and compromises, I think it's time for companies to start investing more money on training new talent and less on yet another tool to add to the "tool belt", that still has no one to interpret or respond to. Opinions are my own and do not reflect the views of my employer. Thoughts? hashtag

Wednesday, October 16, 2019

Behavioral analysis versus artifacts/IOC's

Much of our defensive architecture today is based on the ability to extract indicators of compromise from logs, packet data and flow data and the monitoring of processes on the system. While this is good, to work through the enormous amounts of alerts and data, the analyst needs more than IOCs, even more than what processes ran. The analyst must be able to determine what action(s) resulted.
A good example of this is Powershell. This program is 1. Installed by default on modern Windows operating systems 2. Utilized heavily by sysadmins to script out maintenance and update processes and 3. also used heavily by attackers as part of their LOLBAS methodology. Behavioral analysis is an essential part of a good EDR product these days. The ability to see what happened after the IOC has become crucial. The old saying goes prevention is optimal but detection is essential. As attack methods and the sophistication and the resources of the attacker continues to increase, I can see a day where behavioral analysis may be the only indication of compromise, a day when IOCs can no longer be detected.
Is machine learning and AI the solution? Personally, I think we're years away from a system that can automate the investigative ability of a good analyst, one who knows his network, application and normal flows of traffic. Can ML learn all of that non-cognitively? Yes, but the human ability to rapidly change their thought process from defender to attacker and back again isn't something ML can duplicate yet, if ever.

Wednesday, June 26, 2019

Mining Packets Via The Command Line (Repost)

I've previously posted this, but I am moving back over to the Blue Team and thought it might be helpful for new analysts. Dusted off and updated where needed.

Mining Packets Via The Command Line

If you're considering becoming an intrusion analyst, there are two other sources of data that go hand in hand with your IDS/IPS: Packet data and logs. A NIDS, or network intrusion detection system, inspects packets as they cross the network  whereas a HIDS, host-based intrusion detection system, resides on a server and inspects logs, files and so forth. A NIDS will capture the packets that triggered it's rule or signature and can be configured to capture additional packets from the session, but it will not capture all of the packets flowing across the network, nor should you want it to. The overhead of capturing all of the packets for reconstruction and investigation is best left to another device dedicated to that purpose. There are many types of programs that can help you reconstruct packets of interest. One of the best is Moloch, a full blown project using Elasticsearch as the back end indexer, with a mature Web based interface that has a rich set of built in queries. Whatever you use, the same principles apply.

Assuming you're using a tool like tcpdump, snoop or daemonlogger, you have a directory somewhere on your packet auditor with a lot of pcap-compatible capture files. Your goal is to pull out the packets you need from this (probably) huge archive and inspect them or run them through your tool of choice.
The first step is to identify the capture file or files that have the packets you need to look at. Once you do that you can extract them into a separate packet capture that you can run through your pcap-compatible tools or upload to another box as needed.
Start building your filter by running the ls command with the -l parameter to see the long listing.

[jeffsoh@packet1 capture_dir]$ ls -l
-rw-r--r--. 1 root root 1.1G Jun  7 01:25 mycaptures.pcap.1370572245
-rw-r--r--. 1 root root 1.1G Jun  7 06:03 mycaptures.pcap.1370582729
-rw-r--r--. 1 root root 1.1G Jun  7 08:28 mycaptures.pcap.1370599389
-rw-r--r--. 1 root root 1.1G Jun  7 09:20 mycaptures.pcap.1370608087
...

Now grep for the date. Let's assume our packets of interest occured on June 8th.

[jeffsoh@packet1 capture_dir] $ ls -l | grep 'Jun  8'
-rw-r--r--. 1 root root 1073743705 Jun  8 03:43 mycaptures.pcap.1370660768
-rw-r--r--. 1 root root 1073744701 Jun  8 07:08 mycaptures.pcap.1370677399
-rw-r--r--. 1 root root 1073742386 Jun  8 08:02 mycaptures.pcap.1370689727
-rw-r--r--. 1 root root 1073743170 Jun  8 08:30 mycaptures.pcap.1370692931
-rw-r--r--. 1 root root 1073741832 Jun  8 09:40 mycaptures.pcap.1370694616
-rw-r--r--. 1 root root 1073741889 Jun  8 10:35 mycaptures.pcap.1370698825
-rw-r--r--. 1 root root 1073744142 Jun  8 11:21 mycaptures.pcap.1370702122
-rw-r--r--. 1 root root 1073742208 Jun  8 13:55 mycaptures.pcap.1370704877
-rw-r--r--. 1 root root 1073741860 Jun  8 22:23 mycaptures.pcap.1370714127
[jeffsoh@packet1 capture_dir]$

And the alert occurred at 8:05 AM. We see a capture with a timestamp of 8:30; that's probably what we need. We run stat on the file to check and make sure. We could also use the excellent Wireshark tool capinfos.

[jeffsoh@packet1 capture_dir] $ stat mycaptures.pcap.1370692931
  File: `mycaptures.pcap.1370692931'
  Size: 1073743170      Blocks: 2097168    IO Block: 4096   regular file
Device: 804h/2052d      Inode: 120588319   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-06-08 08:02:11.527770131 -0400
Modify: 2013-06-08 08:30:16.324924184 -0400
Change: 2013-06-08 08:30:16.324924184 -0400

We have packets from between 8:02 and 8:30. We could just use that packet capture, but if we are looking at an alert from an IDS, we have the timestamp of when the system saw the packet. Depending on the length of the session, this capture may not give us the complete session, so we can pull both packets from that hour. Were this a busier time of day or network we might have dozens of packets for that hour.

[jeffsoh@packet1 capture_dir] $ ls -l | grep 'Jun  8 08:'
-rw-r--r--. 1 root root 1073742386 Jun  8 08:02 mycaptures.pcap.1370689727
-rw-r--r--. 1 root root 1073743170 Jun  8 08:30 captures.pcap.1370692931

Now that we've built our grep string for the time frame we need, all we have to do is use it in a for loop to set the variable for tcpdump to loop through.

Up arrow to pull up our last command and add the for loop around it.

for i in $( ls -lah | grep 'Jun  8' | grep '10:' | awk '{print $9}' );do tcpdump -nn -r $i 'host 10.80.91.43' -w /root/workspace/$i.extract.pcap;done

We now have a pcap for investigation with all of the packets captured for that IP address.

Friday, March 8, 2019

Remote Attacks via Wifi over USB Cable



Security Researcher Mike Grove, _MG_, has created a USB cable that allows an attacker to take over a computer via Wifi. The cable is not yet for sale, but he has plans to relase it soon. Full details ate BleepingComputer, here.

Video of the demo is here..

https://twitter.com/i/status/1094389042685259776

Tuesday, March 5, 2019

Unpatched Vulnerability in Microsoft Office

Researchers at the RSA Conference unveiled a zero day flaw in Microsoft Office that, when exploited on a Java enabled system, could lead to complete ownage of the end point. Microsoft Security Research has responded and said they won't be releasing a patch for it now, but might at a future date. Note the flaw is being actively exploited in the wild, not a theoretical situation. However, researchers admit this is not an easy flaw to exploit and requires in-depth knowledge of the format. Details are here at this ThreatPost article:

https://threatpost.com/zero-day-exploit-microsoft/142327/

Blog Archive