Monday, 28 September 2020

Risks of Surfing the Web: When a Nation says "NO!"

Communications censorship is not a new thing.  It has been happening for as long as people have been able to grunt out rudimentary messages to one another.  Like everything else, as humans evolve so does our technology.  So that raises the question: how does one get around it?  I have talked about proxies in this blog before, and I will mention them again in other posts.  However, what I want to focus on is how people can circumvent censorship when an entire nation is blocking them.

The internet is this fascinating universe where people can reach out and connect with one another.  We can chat with friends and family around the world.  Better yet, especially for the researcher in me, I can reach out and touch machines on the other side of the planet.  If I wanted I could send an ICMP packet to a printer sitting on someone's desk in Vietnam and have it talk back to me.  That is the power of cyberspace.  

The internet is also like the Wild West, where people and nation states are making plays all the time.  There are so many connections that it is easy to see why nations are vying for power in this realm.  Power and control exist in many forms, one of those forms being the control of information and of access to information.

Introducing censorship!

There are a few big offenders when it comes to mass censorship of the internet.  Take a look at the picture below (the darker the shade, the worse the censorship). [10]


How is Censorship enforced?[9] [4] 

There are a few methods that can be in play.

- DNS Filtering - This one is popular

- Packet Filtering

- IP Address Blocking

- URL Filtering

- Removing pages from search engine results

- Resetting network connections

- Disconnecting the network

How to beat Censorship [5]

The question now is how I can get out and experience freedom from censorship when my government is blocking and redirecting me.  Well, it is as simple as this.

1. VPN

ExpressVPN [6] is considered the best well-rounded VPN service for Russians, for example (although I suspect that the websites that state this were paid to say so...).

But really it doesn't matter which VPN service you use; the point is that it encrypts your traffic.

2. Onion Routing

Most people reading this blog have heard of the Tor network.  Follow this link [7] if you find your Tor is blocked.

Also see this PDF on how to use Tor to circumvent censorship. [8]

THAT WAS BORING, KEEP READING

For those who have read this far you are probably thinking "Ya, I know that already VPN and Tor!  Thanks for the click-bait."

Hold your horses I say!

Yes, the above two options can help beat censorship, but they are not foolproof.  If I were the censor I could restrict VPN servers/protocols in my country, or I could monitor known exit nodes on the Tor network.  There, I have just debunked these two methods.

Furthermore, let's talk about how easy censorship really is.

DNS is critical to online communications.  It is a hub of activity and redirection.  Almost every communication we send via the internet hits a DNS server first.  At a high level, DNS is a convenience so that we don't have to memorize IP addresses.  What this also does is create a bottleneck for data flow. [11]  Most censorship targets DNS resolvers.  It is true that there are thousands and thousands of DNS servers one could connect to, but you still have to get to that resolver.

It is kind of like if I wanted to buy a loaf of bread from my local grocer, "TASTY FOODS".  In a normal scenario I leave my house, get in my car, drive to TASTY FOODS, buy my bread and return home.

Under censorship: I leave my house and there is a person standing outside my front door.  As I move to go to my car, the person says, "Are you going to TASTY FOODS?"  I tell them yes.  The person then states, "Actually sir, all bread must be bought from SUPER BETTER FOR YOU FOODS.  Please get in this bus with all these other people and we will escort you to where you can get the bread we want you to eat."

This may all sound glib, but if the ISP (Internet Service Provider) and the IXP (Internet Exchange Provider) are under government control, and that government wants to restrict its residents' access to the internet, then they can do it and it is not that hard.
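As an added example (not from the post), here is how a researcher can spot the DNS blocking and redirection described above from the defender's side: compare what the local (ISP) resolver answers for a name against what a trusted reference resolver answers. The records are constructed sample data using RFC 5737 TEST-NET addresses, not real lookups.

```python
# Added example, not from the post: classify a local resolver's answers against
# a reference resolver's to spot DNS blocking and redirection.
# All records are constructed sample data (RFC 5737 TEST-NET addresses).
from ipaddress import ip_address, ip_network

# Answers a filtering resolver commonly substitutes for the real address: these
# ranges can never be a public web server, so seeing one is a strong signal.
BOGUS_NETS = [ip_network(n) for n in
              ("0.0.0.0/32", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(reference, local):
    """Compare one domain's answers from two resolvers.

    reference, local: sets of answer strings; the string "NXDOMAIN" means the
    resolver claimed the name does not exist. Returns "ok",
    "nxdomain-injected", "bogus-address" or "redirected".
    """
    if local == reference:
        return "ok"
    if "NXDOMAIN" in local:                 # name exists upstream, denied locally
        return "nxdomain-injected"
    if any(ip_address(a) in net for a in local for net in BOGUS_NETS):
        return "bogus-address"              # sinkholed to a non-routable address
    if local.isdisjoint(reference):
        return "redirected"                 # a different, routable host: block page?
    return "ok"                             # partial overlap: CDN rotation, not a lie

def audit(records):
    """records: list of {"domain", "reference", "local"}; returns {domain: verdict}."""
    return {r["domain"]: classify(set(r["reference"]), set(r["local"])) for r in records}

# Constructed sample: what a trusted resolver and the local (ISP) resolver returned.
SAMPLE_RECORDS = [
    {"domain": "shop.example",  "reference": ["192.0.2.10"],   "local": ["192.0.2.10"]},
    {"domain": "news.example",  "reference": ["198.51.100.7"], "local": ["NXDOMAIN"]},
    {"domain": "blog.example",  "reference": ["198.51.100.9"], "local": ["127.0.0.1"]},
    {"domain": "video.example", "reference": ["203.0.113.5"],  "local": ["203.0.113.50"]},
    {"domain": "cdn.example",   "reference": ["203.0.113.10", "203.0.113.11"],
                                "local": ["203.0.113.11", "203.0.113.12"]},
]

def suspicious(records):
    """Domains whose local answer looks tampered with, with the reason."""
    return {d: v for d, v in audit(records).items() if v != "ok"}
```

The partial-overlap case is treated as benign on purpose: CDNs rotate answers, so only a fully disjoint or non-routable answer counts as a lie.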

Surf Safe friends

Andrew Campbell


[1] https://en.wikipedia.org/wiki/Internet_censorship_in_Russia

[2] https://freedomhouse.org/country/russia/freedom-world/2020

[3] https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/

[4] https://readwrite.com/2019/07/01/which-countries-have-the-strictest-internet-censorship/ 

[5] https://www.comparitech.com/blog/vpn-privacy/best-vpn-russia/ 

[6] https://www.vpnmentor.com/blog/best-vpns-russia-fast-cheap/ 

[7] https://blog.torproject.org/breaking-through-censorship-barriers-even-when-tor-blocked

[8] https://www.ftc.gov/system/files/documents/public_comments/2016/10/00057-129178.pdf

[10] https://www.comparitech.com/blog/vpn-privacy/internet-censorship-map/

[11] https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes

Monday, 21 September 2020

An Introduction to DNS Sinkholes (Pi-Hole)

 


I wanted to showcase an awesome lightweight tool that can be used in businesses and in your personal home.

Pi-Hole is a DNS sinkhole.  When set up correctly (and it is dirt easy) all the DNS traffic in/out of your network is filtered, removing a large portion of garbage ads and various known content that can be harmful to your internal hosts.

I set up my Pi-Hole and had it working with default settings within minutes and had it running for 24 hours.  The picture above shows the results of normal traffic across the network.  

I was pleasantly surprised at how simple the setup was, and also that the software comes pre-packaged with a massive blocklist so it begins filtering content immediately.

There are loads of features to enable in this solution, and it is relevant not just to home filtering but also to the business environment.

Maybe you don't want your staff spending time accessing streaming videos for hours on end: just add the domains to the "blacklist" and the traffic will be stopped in its tracks.

You can direct traffic to your sinkhole on each individual machine but an even better solution is to set up Pi-Hole as a solution where all your devices point to it as the default DNS resolver of choice.  Using this scenario you can force all devices on the network to resolve with Pi-Hole first before going out to the internet.

I want to share a bit of how I am utilizing the tool in my home/lab environment.

In my lab I have a desktop server.  On that server I run a virtualized Ubuntu 2020 server with bridged networking.  I have Pi-Hole installed on the virtual Ubuntu server.  With my bridged Ubuntu server I can now direct traffic to the IP where Pi-Hole is installed.  If I wanted to set Pi-Hole as the DNS resolver on each device I could do so at this point; however, I don't want to do that much work.  Also, I want Pi-Hole to be the de facto DNS server on my network so that any guests who visit me and ask to use my network will have their traffic filtered, and I would be mitigating (to a degree) the risk of someone bringing ransomware etc. into my home network.

So in order to do this I need to tell my router that before users exit my network and access the internet they need to resolve with my Pi-Hole first.  This is simple enough and you can find very good instructions at pi-hole.net.  Every router is different though, so you would need to access your router and do some troubleshooting.

I noticed an impact immediately.  Right away I could tell things were cleaner while accessing my browser.  The part that amazed me the most was the sheer quantity of queries that were blocked that I was not aware of.  Tons of analytics, trackers, ads, redirects etc.  Things we just wouldn't think about, which is kind of the point of them existing.

Also, an extremely useful aspect of Pi-Hole is that it lends itself well to network analytics.  Which sites are blocked the most?  Which device on the network is sending the most blocked queries?  Why is a certain device making queries in the middle of the night when everyone is asleep?  And so on.  The in-depth ability to monitor and analyze logs allowed me to gain a better idea of what is happening in my network.

I learned some fascinating things right away.

Example 1: My wife's Fitbit makes internet queries every 20 min, even throughout the night (it was blocked and her watch was no longer synced with her phone; she wasn't happy... I fixed it though!).

Example 2: On my primary desktop (Ubuntu 2020), whenever I access Office 365 in the browser, suddenly literally hundreds of ubuntu-connectivity-checks begin occurring.  (This one is weird.  Ubuntu?)

Example 3: Things like DisneyPlus and Amazon Prime Video stop working, which makes sense because you are blocking ads.  (It's an easy fix in Pi-Hole: find the blocked query and add it to the "whitelist".)

Aside from the ability to block/allow content and the ease of analytics there are a couple hidden benefits of utilizing Pi-Hole.

1) Internet traffic can be faster, potentially.

- What! No way! Yes, it is true: Pi-Hole caches the answers to regular lookups.  If users are resolving the same names regularly it serves the cached answer instead of asking the upstream resolver again.  Your users may not notice this, but you as the sysadmin can know that you have done your bit to make your network more efficient.  FYI, you can view analytics on this as well ;)

2) Mitigation of risks at the Intrusion and Exploitation layers of the Cyber Kill Chain:

Depending on how you have been attacked, or whether the security incident is purely accidental, you will be mitigating some risks.  If we are blocking users from accessing certain things, or stripping away some of the opportunity for accidental click-jacking attempts, we are doing our part to mitigate risk.  It is also useful for threat hunting: who is doing what on my network?  What activity is happening?  What is the most blocked content/trackers/ads etc.? (tracking and tagging)
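To make the behaviour described above concrete, here is an added example (my own code, not Pi-Hole's) of the decision a DNS sinkhole makes for each query: a blocklist that also covers subdomains, a whitelist that overrides it, a cache of recent answers, and per-client counts of blocked queries for the "which device sends the most blocked queries" question. The upstream resolver and the query log are constructed stand-ins.

```python
# Added example, not Pi-Hole's own code: the per-query decision of a DNS sinkhole
# (blocklist, overriding whitelist, answer cache, per-client blocked counts).
# The upstream resolver and the query log are constructed.
from collections import Counter

class Sinkhole:
    SINK = "0.0.0.0"                      # answer returned for blocked names

    def __init__(self, blocklist, whitelist=(), upstream=None):
        norm = lambda names: {n.lower().rstrip(".") for n in names}
        self.blocklist, self.whitelist = norm(blocklist), norm(whitelist)
        self.upstream = upstream          # callable(name) -> address string
        self.cache = {}                   # name -> (answer, expiry time)
        self.blocked = Counter()          # client -> blocked-query count

    @staticmethod
    def _candidates(name):
        # The name plus each parent zone (minus the TLD), so that a blocklist
        # entry for 'tracker.example' also catches 'pixel.tracker.example'.
        parts = name.split(".")
        return [".".join(parts[i:]) for i in range(max(1, len(parts) - 1))]

    def is_blocked(self, name):
        cands = self._candidates(name)
        if any(c in self.whitelist for c in cands):   # whitelist wins
            return False
        return any(c in self.blocklist for c in cands)

    def resolve(self, client, name, now, ttl=300):
        """Return (answer, how) where how is 'blocked', 'cached' or 'forwarded'."""
        name = name.lower().rstrip(".")
        if self.is_blocked(name):
            self.blocked[client] += 1
            return self.SINK, "blocked"
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], "cached"
        answer = self.upstream(name)      # only now do we go out to the internet
        self.cache[name] = (answer, now + ttl)
        return answer, "forwarded"

def fake_upstream(name):                  # constructed stand-in for a real resolver
    return "192.0.2.%d" % (sum(map(ord, name)) % 200 + 1)

def demo():
    sh = Sinkhole(blocklist=["ads.example", "tracker.example"],
                  whitelist=["cdn.ads.example"], upstream=fake_upstream)
    log = [("phone", "tracker.example", 0), ("laptop", "news.example", 1),
           ("phone", "pixel.tracker.example", 2), ("laptop", "news.example", 3),
           ("tv", "cdn.ads.example", 4), ("laptop", "news.example", 400)]
    return sh, [sh.resolve(client, name, t) for client, name, t in log]
```

The last query in the log lands after the 300-second TTL, so it is forwarded again rather than served from cache; the whitelisted CDN name is the "Disney Plus fix" case from the post.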

Is the solution foolproof?  No, a resourceful user could potentially circumvent your carefully crafted security solution.  But it will do something, and should greatly reduce potential issues for the average user on your network.

I can't speak highly enough about this tool.  It works beautifully in my home/lab network, and I think there is a business case for incorporating this (DNS sinkholes) into an SMB and maybe areas of Enterprise business.

Andrew Campbell


Monday, 14 September 2020

Fingerprinting with Ports (Minecraft Edition)


So I was doing research the other day, gathering some information that I could share with my students, and I stumbled upon a random machine (I was using a technique mentioned previously here).  I found a machine that was very clearly also being used for Minecraft.  As I was thinking about how easily I found this machine, I began to wonder if I could make it even easier with Python.

I know folks who have hosted a Minecraft server (Bukkit) in the past.  They followed the instructions on the website and various forums.  They port-forwarded 25565 and they distributed their external IP address.  I think back now to those friends and realize the world of hurt they were inviting into their lives.  That's the past! Things are different now!

nope.

The recommendations are still pretty simple to set up a Minecraft server and unless you are mindful about how people are connecting into your network you will likely be using default settings.

So I created an experiment.  It is small in scope but can be extrapolated to other areas simply enough.

Using port scanning and Python, I wanted to be able to fingerprint a machine's purpose based on its ports.  I don't want services.  I don't want OSes.  All I want is an automated process whereby I can, within a reasonable margin of error, make a guess at what the machine's primary purpose is.

So for example on the internet ("clear-net") there are tons of firewalls.  Which is fine, but what if I get a machine with some obscure ports open?  What could it be?

So, as it turns out, it is actually possible with Python.  For our purposes I went with Minecraft, and I scaled back a lot to present a proof of concept.

Experiment:

With Python, check whether an IP address has port 25565 accepting TCP connections.  I don't fully care if it is a Minecraft machine or not.  What I care to find out is whether this machine is worth digging into any deeper.

In addition, I wanted to use my list of scraped vulnerable IP addresses to see which of these potentially doubled as a Minecraft machine.


Above you will see my short python script.  Essentially what is happening in the script is that I:

1. import nmap module

2. open file fed to script from terminal

3. strip out the newline from every list element and then begin feeding the IPs to the scanner.  If there is a TCP connection on port 25565, append the IP to a list called "pc"

My results were staggering.

My list of vulnerable IPs currently stands at 13927.

Of this list of known compromised IP addresses a whopping 7299 were found to have a port 25565 accepting TCP connections.  

That is 54%!!!!!!

So to be clear, did I go through and do a follow-up scan to verify that each of these machines had a Minecraft service running on this port?  No.  However, port 25565 is an obscure enough port number that one can make an educated guess.  Also, I did do a random test on a healthy number of these machines to see if they had a Minecraft service on it... They all did!

In conclusion, this experiment was small in scope.  I was only looking for the results from 1 port.  However, it is conceivable that if we add more ports to the list and develop a profile from that collection of ports, one could quickly fingerprint a machine to fish out what its primary purpose or role is.
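As an added example (my own code, not the post's script), here is the profile idea from the conclusion carried through: given the set of TCP ports already observed open on a host, score it against a small table of role profiles and return a best guess with a confidence. This is useful on the defender's side too, for classifying your own exposed hosts from scan output you already have. The profile table and the scan results are constructed sample data; nothing here touches the network.

```python
# Added example, not the post's script: fingerprint a host's probable role from
# the set of TCP ports observed open, generalising the post's single-port check
# (25565) to a table of port profiles. The scan results below are constructed
# sample data; nothing here touches the network.

# Ports that characterise each role. Widely shared ports (22, 80, 443) are weak
# evidence, so they carry half the weight of a distinctive port such as 25565.
PROFILES = {
    "minecraft-server": {25565},
    "web-server": {80, 443},
    "mail-server": {25, 143, 587, 993},
    "database-server": {3306, 5432},
    "windows-host": {135, 139, 445, 3389},
}
COMMON = {22, 80, 443}

def score(open_ports, profile):
    """Weighted fraction of the profile's ports that are open (0.0 to 1.0)."""
    w = lambda p: 1 if p in COMMON else 2
    return sum(w(p) for p in profile & open_ports) / sum(w(p) for p in profile)

def roles(open_ports, threshold=0.5):
    """All roles whose score reaches the threshold, best first; a host may
    plausibly fill several (a web front end that also runs Minecraft)."""
    open_ports = set(open_ports)
    hits = [(r, score(open_ports, p)) for r, p in PROFILES.items()]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

def fingerprint(open_ports):
    """Single best guess: (role, confidence), or ("unknown", 0.0)."""
    best = roles(open_ports)
    return best[0] if best else ("unknown", 0.0)

def tally(scans):
    """scans: {host: iterable of open ports}. Count hosts per best-guess role,
    the way the post tallies how many hosts had 25565 open."""
    counts = {}
    for ports in scans.values():
        role, _ = fingerprint(ports)
        counts[role] = counts.get(role, 0) + 1
    return counts

# Constructed sample "scan output": host label -> open TCP ports.
SAMPLE_SCANS = {
    "host-a": {22, 25565},
    "host-b": {80, 443},
    "host-c": {25, 587, 993},
    "host-d": {8080},
    "host-e": {135, 139, 445},
}
```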

Thanks, hope you enjoyed!

Andrew Campbell

 


Tuesday, 8 September 2020

An nmap Buddy Script (Where in the World?)

I briefly highlighted a script I wrote previously in my post "Route out IP Locations: Free Tools"; however, I am bringing it back!!

Why? Well, honestly, because I think that when you are performing recon on a target, why wouldn't we want more data?  I modified the script from the previous blog so that it takes input from the terminal and quickly provides you the geolocation of the IP you are scanning.


*IP intentionally obfuscated

Lat and long: throw it into Google and you will get a map right away.

Maybe you don't want to be poking around in China (make sure you are using proxies if you are doing deeper recon).



Typically, when doing recon you should be obfuscating/hiding your location entirely.  A nice feature of this script is that it utilizes scraping.  This means that you yourself are not probing your target; you are getting someone else to do it and then just reaping the gathered information.

Also, understanding the geolocation of a target is extremely useful.

- What is the political climate in that region?

- Are they a nation state known for cyber-aggression?

- Are they a small player in the cyber-world?

All of this information is useful for developing a grounded view of your target.  When it comes to cyber-security, all data is valuable and helps with the big picture.