Let’s say I want to send some spoofed email to a friend of mine to help him test his MTA and I have authorization to do so. I need to do recon and prepare some things before I start sending emails. The first thing is a PTR record for my Read more
Ever had the issue where the source IP is not the source IP? With Suricata and Sourcefire you can view the true client source IP and filter out or alert on it. For example, if there’s some known legit scanner hiding in X-Forwarded-For –generating mountains of false positives– it’s much Read more
The folks at MITRE have created yet another awesome tool. CALDERA uses the ATT&CK model to simulate adversary behavior. It’s a great way to generate logs for hunting, or see how your detection stacks up. Here’s how I got it going. I pretty much just followed along with the instructions Read more
Information: A user reported strange computer activity to their support staff. Support was so good that the first thing they did was to snap a memory image before the computer was rebooted. Once the technical staff acquired the memory, they were also able to grab an image of the system Read more
I love honeypots and wanted to give opencanary a shot. It’s written in python, and very easy to configure and extend. The idea is to stick these in various places in your network with fake services similar to what’s around it. In this case, I have opencanary acting like a Read more
Getting around protections with tunnels is very easy, but there are things you can do to detect and prevent them. A few are outlined at the bottom of this post. DNS Tunneling: First you need to set up DNS. Create an A record for the tunnel server, e.g. ‘lab.yourdomain.com’. Then Read more
Software versions: Bro 2.5.1 – on Debian 8.9 bro server Logstash 2.2.4 on Debian 8.9 bro server Elasticsearch 2.4.6 on Debian 8.9 ELK server Kibana 4.3.0.9369 on Debian 8.9 ELK server First install Java on both systems: sudo add-apt-repository -y ppa:webupd8team/java sudo apt-get update sudo apt-get -y install oracle-java8-installer Read more
There are a number of things needed to stop ARP poisoning properly in a Cisco environment. DHCP snooping Trusted ports Dynamic ARP inspection A filter for static IPs DHCP snooping prevents rogue DHCP servers and is the groundwork for all this. It builds a database of bindings and specifies where Read more
It’s easy to stop Optionsbleed with mod_security, unless you need HTTP OPTIONS on your web server. If you’re using CRS, you can uncomment rule number 900200 in crs-setup.conf. The idea here is to only allow what needs to be allowed, and drop everything else. Of course, if you’re not using Read more
This challenge has two phases. The first one involves creative thinking and research. The second one is live malware and reversing. Instructions and hints are built in. Rules and things you’ll need: 1. You need an isolated environment with a Windows Vista/7/10 VM guest, and a snapshot. On the VM, Read more
Google and others have been working on implementing DNS over HTTPS. https://tools.ietf.org/id/draft-hoffman-dns-over-https-00.html This allows bypass of things like RPZ, DNS blackholes, and other protections. All the more reason to start thinking about SSL inspection. The right to privacy is understandable, but protecting users, assets, and data is more important. This Read more
Struts vulnerable ISOs. https://pentesterlab.com/exercises/s2-045 https://struts.apache.org/docs/s2-045.html – CVE-2017-5638 https://pentesterlab.com/exercises/s2-052 https://struts.apache.org/docs/s2-052.html – CVE-2017-9805 Pentesterlab has over 20 free labs where you can learn some techniques used for some pretty big vulns that happened over the past few years. Pro version is 20 bucks a month. Good to see someone doing this again. Read more
MISP is free and it’s one of the best threat sharing platforms I could find. The beauty of MISP is how easy it is to integrate with tools like bro, Snort, and RPZ. You can do API calls and pull in only the data that you want to either alert Read more
I’ve been comparing SSL decryption services and devices, and Zscaler is much more than that. It’s an all-in-one Content Filtering, SSL decrypting, DLP, Bandwidth controlling(quota), IPS, Malware preventing(including sandbox) awesome cloud based solution. AND, It works with mobile devices even if they’re roaming! The solution consists of GRE tunnels out Read more
Here’s how to install the CA certificate on multiple platforms for MITM. For Linux you have to import certificates into individual browsers. For Firefox, go to edit/preferences/advanced/certificates/view and import the cert under authorities. Check the box for “Identifies Websites.” For Chrome, click settings, search for cert, and open ‘Manage Certificates.’ Read more
Here’s how to generate custom certs and perform a MITM + SSL decryption with bettercap or Squid. MITM with Bettercap. Create a private key, CSR, and Certificate. openssl genrsa -out mitm.key 2048 openssl req -new -key mitm.key -out mitm.csr openssl x509 -req -days 3652 -in mitm.csr -signkey mitm.key -out mitm.crt Read more
Attacker: 172.16.1.10 Victim: 172.16.1.20 Router: 172.16.1.1 Arpspoof method: First enable forwarding on the attacking system. echo ‘1’ > /proc/sys/net/ipv4/ip_forward Poison the ARP table of the router to tell it that you are the victim. arpspoof -i eth0 172.16.1.20 172.16.1.1 Poison the ARP table of the victim to tell it that Read more
Here’s how to configure a pfSense firewall to be a VPN client so IPv4 traffic always traverses the VPN. Build a VM at a cloud provider and configure it as an OpenVPN server. Using a self signed CA, cert, and TLS auth. For pfSense, take the following steps. Cat your Read more
Here’s how to configure an RPI so that it auto connects to a VPN on boot via PoE. One could connect to it via WiFi and surf over the VPN, and no one will ever know. EVAR! This is for educational purposes only. I’m not responsible for your actions. Get Read more
Through my research I came across several scripts and howtos on chrooting, or running openvpn as nobody. They all had issues for me on Arch. Below is a very simple way to run openvpn as a normal non-root user. I have found that this is the most secure method of Read more