Tuesday, 4 November 2014

DNS Queries in the LAN: an interesting source of information


Observing DNS queries inside your LAN is a very simple way to detect security problems and/or various misconfiguration issues.

The only prerequisite for the operator is a good knowledge of the network infrastructure and the technologies in use. The capture can be done with built-in Windows features by enabling DNS debug logging (http://technet.microsoft.com/en-us/library/cc759581(v=ws.10).aspx).

I prefer to use a simple tool, NirSoft's "DNS Query Sniffer", available here: http://www.nirsoft.net/utils/dns_query_sniffer.html

1/ Copy and launch it locally on your DNS server. DNS queries appear in real-time.

2/ Stop the capture.

3/ Analyze the queries in the GUI or export them to a file.

...easy and simple.



Examples of use:

-          Internet Explorer configuration issue:

A request for wpad.<lan-dns-suffix> indicates that clients are using the Web Proxy Auto-Discovery (WPAD) protocol. Of course you can always retrieve the IP address of the requesting client in the dedicated column on the right side (not shown on the screenshot) and adjust the browser settings as appropriate.

 




-          Misconfiguration of a client process:

Here we can see a doubled DNS suffix generating an error: the client, for an unknown reason, appends the LAN DNS suffix twice.




 

-          Browser add-on characterization and detection:

Look at the Ask toolbar in action and identify the clients running it.


 

 

-          Usage of Network Connectivity Status Indicator:

A good explanation can be found here: http://www.techrepublic.com/blog/data-center/what-do-microsoft-and-ncsi-have-in-common/






-          CRL checking:

 


And this…


Microsoft puts an unqualified (single-label) host name in some of its certificates. They contain the following CRL distribution point: http://corppki/crl/Microsoft Secure Server Authority.crl, which probably only resolves inside Microsoft's own LAN.

 

-          Malware detection:

The most powerful use, in my opinion. Here is an example of the requests made by an infected client.






-          Other cases:

Watch for isolated systems that have no Internet access yet make DNS requests for external names: this can be data exfiltration over a DNS covert channel
(see https://blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html and http://bernardodamele.blogspot.fr/2012/06/data-retrieval-over-dns-in-sql.html ).
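Once the capture has been exported, the cases listed above can be checked mechanically instead of by eye. The script below is an added example written for this post, not part of the original article or of the NirSoft tool: it reads a constructed tab-separated export (client IP, query name, record type), tags each query with the findings discussed above (WPAD lookups, a doubled LAN suffix, the Ask toolbar, NCSI probes, unqualified single-label names such as the CRL host, external names resolved by an isolated host, and long random-looking labels that suggest a DNS covert channel), and then lists the clients per finding. The internal suffix `corp.example`, the "isolated" `10.9.` subnet, the `ask.com` match and every sample query are assumptions made up for the example; the NCSI probe names are the ones Windows actually uses.

```python
"""Triage of DNS queries captured on a LAN DNS server.

Constructed example: the export format, the internal suffix 'corp.example',
the 'isolated' 10.9.0.0/16 subnet, the ask.com match and every record in
SAMPLE_EXPORT are made up for illustration.  The NCSI probe names are the
real ones Windows queries.
"""
import math
from collections import Counter, defaultdict

LAN_SUFFIX = "corp.example"      # assumed internal DNS suffix
ISOLATED_PREFIX = "10.9."        # assumed subnet whose hosts have no Internet access
NCSI_HOSTS = {"dns.msftncsi.com", "www.msftncsi.com"}  # Windows NCSI probe names
ADDON_DOMAINS = {"ask.com"}      # assumed: domain contacted by the Ask toolbar

# Constructed sample export: client IP <TAB> query name <TAB> record type
SAMPLE_EXPORT = """\
10.1.0.15\twpad.corp.example\tA
10.1.0.22\tfileserver.corp.example.corp.example\tA
10.1.0.22\tfileserver.corp.example\tA
10.1.0.31\tapnstatic.ask.com\tA
10.1.0.15\tdns.msftncsi.com\tA
10.1.0.40\tcorppki\tA
10.9.0.7\tr3j4k5l6m7n8o9p0q1.evil-example.net\tTXT
10.9.0.7\taGVsbG8gd29ybGQ.evil-example.net\tTXT
10.1.0.15\twww.example.com\tA
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def classify(client: str, name: str) -> list:
    """Return the list of findings that apply to one query."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    tags = []
    if labels[0] == "wpad":                                # proxy auto-discovery in use
        tags.append("wpad")
    if name.endswith(f".{LAN_SUFFIX}.{LAN_SUFFIX}"):       # suffix appended twice
        tags.append("double_suffix")
    if any(name == d or name.endswith("." + d) for d in ADDON_DOMAINS):
        tags.append("browser_addon")
    if name in NCSI_HOSTS:                                 # Windows connectivity probe
        tags.append("ncsi")
    if len(labels) == 1:                                   # e.g. the internal CRL host name
        tags.append("unqualified_name")
    internal = len(labels) == 1 or name == LAN_SUFFIX or name.endswith("." + LAN_SUFFIX)
    if client.startswith(ISOLATED_PREFIX) and not internal:    # isolated host, outside name
        tags.append("isolated_external")
    if len(labels[0]) >= 12 and shannon_entropy(labels[0]) >= 3.0:  # long random-looking label
        tags.append("tunnel_suspect")
    return tags


def triage(export_text: str) -> list:
    """Parse the export; return (client, name, tags) for every query that triggered a tag."""
    findings = []
    for line in export_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3:
            continue                       # skip headers, blank lines, malformed rows
        client, name, _qtype = fields
        tags = classify(client, name)
        if tags:
            findings.append((client, name, tags))
    return findings


def clients_by_tag(findings: list) -> dict:
    """Map each finding to the sorted list of clients that produced it."""
    clients = defaultdict(set)
    for client, _name, tags in findings:
        for tag in tags:
            clients[tag].add(client)
    return {tag: sorted(c) for tag, c in clients.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_EXPORT)
    for client, name, tags in found:
        print(f"{client:<12} {name:<45} {', '.join(tags)}")
    for tag, clients in sorted(clients_by_tag(found).items()):
        print(f"{tag}: {clients}")
```

The entropy threshold is deliberately loose: a label of twelve or more characters with more than three bits per character is worth a look, but legitimate CDN and cloud host names also produce such labels, so the `tunnel_suspect` tag is a prompt to inspect the client, not a verdict. The `isolated_external` check is the stronger signal, because it relies on knowing which hosts must never resolve outside names, which is exactly the knowledge of the network the post says the operator needs.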
 

Capturing DNS queries is an easy way to observe your network infrastructure in action. There's a lot of stuff to do with this little tool. Thanks Nirsoft!


Thursday, 31 July 2014

Chicks & Risks

A few years ago, when I started to study Infosec, I was living in the countryside of Provence.
My home was in the middle of a walled garden. I had a dog too. Good, but very unruly! Always jumping everywhere and eating everything. I never succeeded in training him.
One year, at Easter time, some members of my family decided to be innovative when thinking of a gift for my children. They bought 4 young chickens. "Wow, what a nice idea!" I replied, but with a bad feeling.

At that time, the young chickens were small and lived in a box under a warming light. They had to stay inside the house for 3 or 4 weeks. It was at that time I noticed the behaviour of my dog. He remained outside, his face stuck to the glass window, looking for the chickens with the ever-present idea to “play” with them.

At that time, I also realized that there were only 4 weeks left before the chicks needed to be housed outside, so I needed to build a strong henhouse. A henhouse the dog could never defeat!

So I did! Building a henhouse is a nice family project. Everybody was involved, but I was the project manager: solid metal wire was pegged around the perimeter, and fence posts were cemented into the ground. Inside the enclosure we built a tough wooden house where the chickens could be safe. Quickly, the work was done and the henhouse and enclosure were completed. Before releasing the chicks inside, I checked the overall security of the building several times. I was proud of our work and had no doubt that it was impossible for the dog to get inside.

So the chicks were released. It was a success. During the first few days, the dog kept looking at these new guests, sometimes barking but never trying to penetrate the henhouse defences. From their ivory tower, the chickens got used to his presence and behaviour. They were so used to the dog that eventually they paid no attention to him. Instead, they spent their lives walking around the enclosure, eating and sleeping.

I noticed that the chickens particularly appreciated eating blades of grass within the hen enclosure. They systematically ate them all so it was progressively impossible to find any grass inside the run.

One day a chicken put its head through the metal wire to eat a blade of grass. The dog quickly appeared, grabbed the chicken's head, and well, you can guess the rest!

What Infosec lessons can we learn from my henhouse?

When conducting a risk assessment it is often the case that we concentrate on the external threat. Or, in this case, the threat from the dog to the chickens. As the story highlights this is not a thorough or complete assessment of risk.
In my case, by only considering the threat of the dog's behaviour, I was led to develop controls, in this case a wire mesh fence, to prevent the dog from getting inside the hen coop where my chickens could be found. I had forgotten that the objective of my efforts was to protect the chickens and not just stop the dog.

Thinking in the context of the asset you are trying to protect should never be limited to the malicious threat. In my analogy I did not consider the chickens' behaviour as a threat in itself. Nor did the risk assessment consider the role that grass, or the lack of it, would play in the chickens' behaviour and how that would increase the risk. If I had, I would have recognised that chickens eat grass, and that, when they had eaten all the grass in the hen coop, they would be tempted to eat the grass outside of the coop. And, for them to eat the grass outside of the hen coop, they would need to stick their heads through the wire mesh fence, which was designed to keep the much larger dog from getting through. Recognising this, I would have used a finer wire mesh that even the chickens could not get their heads through.
In Infosec, a risk assessment ought to consider the whole environment, within which the asset operates, which may influence the likelihood or impact of an event happening. This should include both internal and external factors.

Processes, information systems, people, the facilities which host these systems and people, and the geographical location of the assets all need to be considered. But this is only part of the picture. Political, economic, social, technological, environmental and legal factors, all outside of the control of the organisation, can also have an effect on our exposure to information security risks.

Thursday, 19 June 2014

How to Anonymize Everything You Do Online

(external source)







One year after the first revelations of Edward Snowden, cryptography has shifted from an obscure branch of computer science to an almost mainstream notion: It’s possible, user privacy groups and a growing industry of crypto-focused companies tell us, to encrypt everything from emails to IMs t



Read more => http://ift.tt/1n8Y808

The Psych of Sec

(external source)







I recently gave this presentation at BsidesCT and have found that slideshare does not like my sense of graphic design as well as a slide deck at times alone just doesn’t tell the full story of the presentation.



Read more => http://ift.tt/1pkTQYc

If You Are Doing Incident Response, You Are Doing It Wrong

(external source)







I’d been thinking about this for awhile, but conversations with Rob Lee and then a presentation with him really helped me clarify my thinking on this issue. Here goes: If you are doing incident response, you are psychologically, if not operationally, in a reactive rather than proactive mode.



Read more => http://ift.tt/1hY5tDE

Monday, 16 June 2014

Infosec has its own Godwin's law


"As an infosec discussion grows longer, the probability of an ending involving the human factor approaches 1"

Wednesday, 12 February 2014

Windows exploitation in 2013

(external source)







In the past year, Microsoft (MS) has fixed a large number of vulnerabilities for Windows and its components, as well as for Office.



Read more => http://ift.tt/1lwoGd8

Wednesday, 29 January 2014

Enumeration using the Meterpreter ADSI Extended API Commands

(external source)







Windows Meterpreter recently got some new capabilities thru the Extended API module by OJ Reeves also known as TheColonial. He added support for:



Read more => http://ift.tt/1k6PtMz

PHDays 2014 Quals: DT_VCS writeup

(external source)







It was my favorite task from PHDays 2014 Quals, and the best CTF web challenge I made. During the PHDays Quals it was solved only 3 times, so I think that this writeup will be interesting. Ok, we found Detcelfer Version Control System and need to PWN it.



Read more => http://ift.tt/1dO4q01

Monday, 20 January 2014

Metasploit Meterpreter and NAT

(external source)







Professional pentesters typically use a host that is connected directly to the internet, has a public IP address, and is not hindered by any firewalls or NAT devices to perform their audit.



Read more => http://ift.tt/1dCRvC2

A Closer Look at Cryptolocker's DGA

(external source)







CryptoLocker is the name of a ransomware trojan family that emerged late last year. This malware is designed to target Microsoft Windows systems and is renown for its ability to take its victim’s files hostage by fully encrypting files on the victim’s computer.



Read more => http://ift.tt/1aMiRoQ