Monday, 22 February 2021

PFBlockerNG Top Level Domain Blocking

If you are using pfSense as your firewall of choice, there is a useful package called pfBlockerNG. This package has many useful features.

This video showcases how to block top-level domains on a separate interface connected to your pfSense router.

Friday, 19 February 2021

NSE:dns-check-zone

 

Let's talk about analyzing DNS zone configuration against best practices. 

Generally, if you are running a DNS server you should be monitoring it frequently. There are so many attacks out there that abuse DNS that this is a technology that should never be left on its own just because it "works." Audit your DNS regularly.

A quick test you can do with NSE is "dns-check-zone". It will give you some quick info on which areas are not quite up to par.

...The real question you should be asking yourself is this.  

"Who else is checking this?"

I digress.

Below I go through a useful NSE script to check your zones. I have two examples: one that failed a couple of tests and one that failed

A LOT.

Before we go ahead and do this we need to find the name server of a particular domain.

Let's use #nslookup

The image below will give you some details about using #nslookup.



With this information we can feed more specific information into NSE:
#nmap -sn -Pn <name of name server> --script dns-check-zone --script-args='dns-check-zone.domain=<domain name in question>'

The two images below show the same process as above.



In the above image the name server did fail the SOA Expire check. Let us look at another server that failed a lot more.


1) "FAIL" --> Missing nameservers reported by your nameservers

At the registrar for your domain name you need to point your domain name to a specific set of name servers.

When you do this the registrar tells the TLD server (parent).

Your NS records need to match the name servers your domain name is pointed to.

The FAIL means that the TLD server is not pointing to all the name servers that exist in your DNS zone.

2) "FAIL" --> SOA Refresh not within recommended range

If we take a look at the first NS, its refresh was set to 28800s; this second NS is set to 600s.

Curious.
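To make those two failures concrete, here is an added example (my own code written for this post, not the dns-check-zone script itself) that runs the same two kinds of checks offline over constructed zone data: it compares the NS set the parent (TLD) publishes with the zone's own NS records, and checks each SOA timer against a range. The numeric ranges are this example's assumption, following RFC 1912 guidance; the zone data is constructed to mirror the two servers above (one fails only Expire, the other has a missing delegation and a 600s refresh).

```python
# Added example: offline zone-sanity checks in the style of dns-check-zone's
# PASS/FAIL output. Not the NSE script's own code. The ranges below are an
# assumption following RFC 1912 guidance; adjust them to your own policy.

# (minimum, maximum) in seconds
SOA_RANGES = {
    "refresh": (1200, 43200),       # 20 minutes to 12 hours
    "retry": (120, 7200),           # 2 minutes to 2 hours
    "expire": (1209600, 2419200),   # 2 to 4 weeks
    "minimum": (86400, 432000),     # 1 to 5 days (negative-caching TTL)
}


def _normalise(names):
    """Compare name-server names case-insensitively and ignore a trailing dot."""
    return {n.rstrip(".").lower() for n in names}


def check_ns_delegation(parent_ns, zone_ns):
    """Compare the NS set the parent (TLD) publishes with the zone's own NS RRset.

    Returns a list of (passed, description) tuples.
    """
    parent, zone = _normalise(parent_ns), _normalise(zone_ns)
    missing_at_parent = sorted(zone - parent)   # in the zone, unknown to the TLD
    missing_in_zone = sorted(parent - zone)     # delegated by the TLD, absent from the zone
    return [
        (not missing_at_parent,
         "Missing nameservers reported by your nameservers"
         + (": " + ", ".join(missing_at_parent) if missing_at_parent else "")),
        (not missing_in_zone,
         "Missing nameservers reported by parent"
         + (": " + ", ".join(missing_in_zone) if missing_in_zone else "")),
    ]


def check_soa(soa):
    """Check each SOA timer against the assumed recommended range."""
    results = []
    for field, (lo, hi) in SOA_RANGES.items():
        value = soa[field]
        ok = lo <= value <= hi
        verdict = "within" if ok else "not within"
        results.append((ok, f"SOA {field.capitalize()} {verdict} recommended range ({value}s)"))
    return results


def audit_zone(zone):
    """Run all checks and label each PASS/FAIL, in the style of the script's output."""
    checks = check_ns_delegation(zone["parent_ns"], zone["zone_ns"]) + check_soa(zone["soa"])
    return [("PASS" if ok else "FAIL", desc) for ok, desc in checks]


def failures(zone):
    """Only the FAIL descriptions, which is what you would act on."""
    return [desc for status, desc in audit_zone(zone) if status == "FAIL"]


# Constructed zone data mirroring the two servers in the post: the first fails
# only the Expire check, the second has a delegation mismatch and a 600s refresh.
CONSTRUCTED_ZONES = {
    "first": {
        "parent_ns": ["ns1.example.net.", "ns2.example.net."],
        "zone_ns": ["NS1.example.net", "ns2.example.net"],
        "soa": {"refresh": 28800, "retry": 7200, "expire": 604800, "minimum": 86400},
    },
    "second": {
        "parent_ns": ["ns1.example.net", "ns2.example.net"],
        "zone_ns": ["ns1.example.net", "ns2.example.net", "ns3.example.net"],
        "soa": {"refresh": 600, "retry": 300, "expire": 1209600, "minimum": 86400},
    },
}

if __name__ == "__main__":
    for name, zone in CONSTRUCTED_ZONES.items():
        print(f"== {name} ==")
        for status, desc in audit_zone(zone):
            print(f"  {status}: {desc}")
```

Feed `audit_zone` the parent NS set (what `nslookup -type=ns` against the TLD servers returns) and your zone's own NS and SOA values, and the delegation check tells you exactly which name is missing on which side; that is the detail behind the first FAIL above.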

Hope you enjoyed!

Reference:

[1] https://nmap.org/nsedoc/scripts/dns-check-zone.html

[2] https://www.youtube.com/watch/UVNmby8rLz4

[3] https://www.cloudns.net/wiki/article/203/

Tuesday, 16 February 2021

Cyber Security: How We Have Failed


The deeper I get into cyber studies the more I wish that my own country could hold its own against nation-states (specifically cyber).

It seems that more and more articles are coming across my feed stating that Canada has a weak defence against cyber-attacks. 

Many people have known for a while that Canada has been lacking on the defence side of things. [2] It has been learned that nation-states have switched from flat out stealing government secrets to targeting something much more powerful: our economic sovereignty.

CSIS Director David Vigneault stated publicly on February 9, 2021 that China and Russia are behind much of the intellectual property theft occurring in Canada. This was the first time that Mr. Vigneault publicly named any specific actor. [1]

This is significant.

Let's say it one more time, the Director of Canadian Security Intelligence Services has publicly stated that Russia and China represent a "... significant danger to Canada's prosperity and sovereignty."

Look at what happened to Nortel [3]. They had an IP leak that persisted for a long time, to the point where they didn't exist anymore.

Nortel bled out its IP until it could no longer compete. What Mr. Vigneault is telling us is that this is happening all over the place and it's out of control.

We have failed [Cyber Security] because we leave the defence of our nation's IP up to private businesses. Businesses that don't even know they are THE frontline of this cyber fight.

North America, and many other nations, are so incredibly vulnerable.  

National cyber security is not a unified body. It is comprised of a distributed network of millions of entities (private businesses) working independently to protect their own turf. One weakness in this chain means that any trust relationships between those entities can be exploited.

This week it was reported that a Florida water plant was hacked and that the chemical composition of the area's drinking water had been compromised [4]. It was discovered that this critical infrastructure was easily hacked due to the fact that it had no firewall.

Had..................No..................Firewall.

How does this even happen in these "modern" times?  It's a safe bet that people have been poking around in that treatment plant for a long time.

Going back to CSIS.  It must be bad when Vigneault announces to the entire world that there is a serious threat to our national prosperity and sovereignty.

Was the goal awareness? 

Are our federal leaders aware of how bad it is?  

How much more IP needs to bleed out before someone takes this seriously?

Andrew Campbell

Reference:

[1] https://www.cbc.ca/news/politics/csis-speech-david-vigneault-1.5906665 

[2] https://globalnews.ca/news/3131347/canadas-military-too-vulnerable-to-cyber-attacks-documents/

[3] https://globalnews.ca/news/7275588/inside-the-chinese-military-attack-on-nortel/

[4] https://gizmodo.com/hacked-florida-water-plant-reportedly-had-no-firewall-a-1846246067

Friday, 12 February 2021

NSE:broadcast-listener

Broadcast-listener is an interesting NSE script that listens on a network for devices that are broadcasting and provides some information on what in particular is broadcasting.

Usage:

#nmap --script broadcast-listener -e <interface name>

If you need to quickly find the name of your interface, type

#tcpdump -D

 

Hosts on a network are broadcasting all the time, attempting to determine "who is who in the zoo." Where broadcast-listener comes in handy is that it attempts, and fairly accurately, to tell us what type of broadcasting is occurring. The packets from these broadcasters are analyzed and the output reflects this data.

Above you will see the output for a network. The colours correspond with numbers that show up multiple times.

It is important to note that UDP decoders are triggered by destination port and ether decoders are triggered by pattern match.

Protocols present in this image:

SSDP = Simple Service Discovery Protocol (network protocol for advertisement and discovery of network services and presence information)

MDNS = Multicast DNS (protocol that resolves hostnames to IP addresses within small networks that do not include a local name server)

NetBIOS = Network Basic Input/Output System (provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network). It is not a protocol; it is an API.
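As an added illustration of how decoders keyed by destination port work (example code written for this post, not the NSE script's own Lua), the block below dispatches three constructed UDP datagrams to small SSDP, mDNS and NetBIOS name-service decoders and pulls out the fields you would want in an inventory: the SSDP NT/USN headers, the mDNS question name, and the decoded NetBIOS name. The port numbers are the well-known ones for each protocol; the datagrams are built by hand, not captured from a network.

```python
import struct

# Added example: a toy decoder dispatch in the style the post describes, where
# UDP decoders are selected by destination port. Not the NSE script's code.
# Ports are the well-known ones for each protocol; the datagrams are constructed.
SSDP_PORT = 1900
MDNS_PORT = 5353
NETBIOS_NS_PORT = 137


def decode_ssdp(payload):
    """SSDP is HTTP-like text: a request line followed by header lines."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    info = {"request": lines[0]}
    for line in lines[1:]:
        if not line:                     # blank line ends the header block
            break
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip().upper()] = value.strip()
    return info


def _read_name(payload, offset):
    """Read an uncompressed DNS-style name (length-prefixed labels)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:                # compression pointers are out of scope here
            raise ValueError("compressed name not supported in this example")
        labels.append(payload[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels), offset


def decode_mdns(payload):
    """mDNS uses the DNS wire format; report the first question."""
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount == 0:
        return {"question": None, "is_response": bool(flags & 0x8000)}
    name, offset = _read_name(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
    return {"question": name, "qtype": qtype, "is_response": bool(flags & 0x8000)}


def decode_netbios_ns(payload):
    """NetBIOS name service: DNS-shaped header, name in 'first-level' encoding.

    The 16-byte NetBIOS name (15 chars + suffix byte) is written as 32 letters,
    each nibble mapped to 'A' + nibble.
    """
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    encoded, _ = _read_name(payload, 12)
    first = encoded.split(".")[0]
    raw = bytes(((ord(first[i]) - 65) << 4) | (ord(first[i + 1]) - 65)
                for i in range(0, 32, 2))
    return {"name": raw[:15].decode("ascii").rstrip(),
            "suffix": raw[15],
            "is_response": bool(flags & 0x8000)}


UDP_DECODERS = {
    SSDP_PORT: ("SSDP", decode_ssdp),
    MDNS_PORT: ("mDNS", decode_mdns),
    NETBIOS_NS_PORT: ("NetBIOS-NS", decode_netbios_ns),
}


def classify_udp(dst_port, payload):
    """Pick the decoder by destination port, as the post says the script does."""
    entry = UDP_DECODERS.get(dst_port)
    if entry is None:
        return {"proto": "unknown", "dst_port": dst_port}
    proto, decoder = entry
    return {"proto": proto, **decoder(payload)}


# --- constructed sample datagrams (not real captures) ---
def _dns_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _nb_encode(name, suffix):
    raw = name.ljust(15).encode("ascii") + bytes([suffix])
    letters = bytes(c for byte in raw for c in ((byte >> 4) + 65, (byte & 0x0F) + 65))
    return bytes([len(letters)]) + letters + b"\x00"


SAMPLE_DATAGRAMS = [
    (SSDP_PORT, b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
                b"USN: uuid:constructed-0001::upnp:rootdevice\r\n\r\n"),
    (MDNS_PORT, struct.pack("!6H", 0, 0, 1, 0, 0, 0)
                + _dns_name("_services._dns-sd._udp.local") + struct.pack("!HH", 12, 1)),
    (NETBIOS_NS_PORT, struct.pack("!6H", 0x1234, 0x0110, 1, 0, 0, 0)
                      + _nb_encode("WORKGROUP", 0x1E) + struct.pack("!HH", 0x20, 1)),
]


def decode_all(datagrams=SAMPLE_DATAGRAMS):
    return [classify_udp(port, data) for port, data in datagrams]


if __name__ == "__main__":
    for entry in decode_all():
        print(entry)
```

The NetBIOS suffix byte (0x1E here) is what tells you the role of the name, which is why the decoder keeps it separate from the 15-character name; a real decoder would also need to handle DNS name compression in mDNS responses, which this toy deliberately rejects rather than mis-parses.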

Reference: 

[1]  https://nmap.org/nsedoc/scripts/broadcast-listener.html

Monday, 8 February 2021

How To: Find Random Machines in Specific Countries

On the internet there are packets flying everywhere. Some from legit sources, and many, many other sources, maybe not so much.

ICMP packets are truly awesome.  I can reach out to a machine across the planet and know that it is there and that it is real.

The idea of being able to reach out and touch a machine across the planet is fascinating. In a previous post [2] I demonstrated how to find 100% random hosts on the internet.

What if we could modify this slightly to choose a particular country we want to connect with?

It is actually quite simple.

Check out the reference below [1].  This site provides us with networks allocated to particular countries.

Take a look at the ranges.  Some vary from 1 to the thousands!  Pick the network you want.

With hping3 we select the appropriate network and leave the final octet as "x".

When we call "--rand-dest -I <your interface>" we are establishing that we want a random host from within a specific network.

Since the specific network is allocated to an individual country, the IP addresses that are returned belong to hosts within that country.
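Added example (not from the original post, nor part of hping3) for working with the per-country range data referenced above: it parses a constructed start/end/country table, converts a country's rows into CIDR blocks (a row is not always prefix-aligned, so one row can become several blocks), and does the reverse lookup, which is the form a defender uses to tag addresses in firewall logs with a country. The rows use RFC 5737 documentation ranges and made-up two-letter codes; they are not real allocations.

```python
import bisect
import ipaddress

# Added example (not from the post): parse a per-country range table of the
# shape "start,end,country" into networks and look up the country of an IP.
# The rows are constructed from RFC 5737 documentation ranges with made-up
# two-letter codes; they are not real allocations.
CONSTRUCTED_RANGES = """\
# start_ip,end_ip,country_code
192.0.2.0,192.0.2.255,AA
198.51.100.0,198.51.100.127,BB
198.51.100.128,198.51.100.255,CC
203.0.113.0,203.0.113.255,AA
"""


def parse_ranges(text):
    """Return [(start_int, end_int, code)] sorted by start address."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, code = (field.strip() for field in line.split(","))
        rows.append((int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end)), code))
    rows.sort()
    return rows


def networks_for_country(rows, code):
    """Turn the start-end rows of one country into CIDR blocks.

    A range need not align to a prefix, so one row can yield several blocks.
    """
    nets = []
    for start, end, row_code in rows:
        if row_code == code:
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
    return nets


def host_count(rows, code):
    """How many addresses the table assigns to a country (the 'size' the post mentions)."""
    return sum(end - start + 1 for start, end, row_code in rows if row_code == code)


def country_of(rows, ip):
    """Reverse lookup: binary search on the sorted starts, then bounds-check the row."""
    n = int(ipaddress.IPv4Address(ip))
    starts = [row[0] for row in rows]
    i = bisect.bisect_right(starts, n) - 1
    if i >= 0 and rows[i][0] <= n <= rows[i][1]:
        return rows[i][2]
    return None


if __name__ == "__main__":
    rows = parse_ranges(CONSTRUCTED_RANGES)
    for code in ("AA", "BB", "CC"):
        print(code, host_count(rows, code), [str(n) for n in networks_for_country(rows, code)])
    print(country_of(rows, "198.51.100.200"))
```

Replace CONSTRUCTED_RANGES with the real export from reference [1] and `country_of` becomes a quick enrichment step for the source addresses in your own firewall or IDS logs.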




Reference:

[1] https://lite.ip2location.com/ip-address-ranges-by-country

[2] https://blog.apt-secure.ca/2020/08/how-to-hping3-random-host-discovery.html

Monday, 1 February 2021

Metasploit: FTP Anonymous Scanner

In a previous post (NSE:ftp-anon) I demonstrated how to use NSE to collect information about a target machine and determine if the target is allowing anonymous credentials.

This post is going to show that we can gather similar information using Metasploit as well.

Take a look at the image below.

The following steps will prep Metasploit so that you can do some scanning of your target.

#use scanner/ftp/anonymous

#set rhosts [Target IP] 

#set threads 50  (You don't have to do this step, but it is useful if you are scanning an entire network, e.g. 192.168.1.0/24)

#run

Results:

Look at what comes back! We know that the target is allowing anonymous connections and that READ access is set!

We can also see that vsFTPd 2.3.4 is running! Which is awesome, because Metasploit is a perfect tool for gaining shell access through this vulnerability.


For curiosity's sake I also ran NSE:ftp-anon.

The picture below comes back with more information!


What can we learn from this? Well, both tools are good, but together they are even better. Keep learning about the various tools available to you, and when you package them together you can do some awesome things.

 

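For auditing your own FTP servers without reaching for Metasploit, here is an added example (my own code, not Metasploit's scanner module or the NSE script) that uses Python's standard ftplib to record the banner and whether an anonymous login succeeds. So that it can run offline, it includes a constructed in-process FTP responder bound to 127.0.0.1 that answers only the few commands the check sends; the vsFTPd banner string it returns is made up for the test, not taken from a real server.

```python
import ftplib
import socket
import threading

# Added example (not Metasploit's or the NSE script's code): an anonymous-login
# check for auditing your own FTP servers, plus a constructed in-process FTP
# responder so the check can be exercised offline. The responder speaks only
# the handful of commands the check needs.


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Report the server banner and whether 'anonymous' can log in."""
    result = {"host": host, "port": port, "banner": "", "anonymous_login": False, "error": None}
    ftp = ftplib.FTP()
    try:
        result["banner"] = ftp.connect(host, port, timeout=timeout)   # returns the 220 greeting
        ftp.login("anonymous", "anonymous@example.invalid")          # sends USER, then PASS
        result["anonymous_login"] = True
        ftp.quit()
    except ftplib.error_perm as exc:          # 5xx reply, e.g. 530 login refused
        result["error"] = str(exc)
    except ftplib.all_errors as exc:          # connection refused, timeout, protocol error
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        ftp.close()
    return result


class FakeFtpServer:
    """Constructed minimal FTP responder on 127.0.0.1 with an ephemeral port."""

    def __init__(self, allow_anonymous, banner="220 (vsFTPd 2.3.4) constructed test banner"):
        self.allow_anonymous = allow_anonymous
        self.banner = banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve_one, daemon=True).start()

    def _serve_one(self):
        conn, _ = self.sock.accept()
        stream = conn.makefile("rwb")

        def reply(line):
            stream.write((line + "\r\n").encode("ascii"))
            stream.flush()

        reply(self.banner)
        for raw in stream:                    # one command per line until EOF or QUIT
            cmd = raw.decode("ascii", errors="replace").strip().upper()
            if cmd.startswith("USER"):
                reply("331 Please specify the password.")
            elif cmd.startswith("PASS"):
                reply("230 Login successful." if self.allow_anonymous else "530 Login incorrect.")
            elif cmd.startswith("QUIT"):
                reply("221 Goodbye.")
                break
            else:
                reply("502 Command not implemented.")
        stream.close()
        conn.close()
        self.sock.close()


def demo():
    """Run the check against an open and a locked-down constructed server."""
    open_srv = FakeFtpServer(allow_anonymous=True)
    closed_srv = FakeFtpServer(allow_anonymous=False)
    return (check_anonymous_ftp("127.0.0.1", open_srv.port),
            check_anonymous_ftp("127.0.0.1", closed_srv.port))


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Point `check_anonymous_ftp` at a host you are responsible for; a 530 in the error field means anonymous was refused, while a banner that advertises a version is worth fixing on its own, since that string is the first thing both the NSE script and the Metasploit module report.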
Keep checking out my NSE Database; I am continuing to add to it so that it can be a good resource for all.

Andrew Campbell