Virtual Hacking Lab

📆
🏷
security

I will use this post to publish my progress while working on virtual hacking lab. It does not have the same reputation as OSCP but I do enjoy the lab and am very pleased with the lab material and dashboard. Also support is quick and nice if you need it (not for clues, of course!). The lab is also regularily expanded. All of this for a fraction of the price tag called for OSCP.

Without any further ado here are the machines I have rooted so far:

CVE-2019-19781 poor man's ktrace(1) driven analysis

📆
🏷
security, shitrix, citrix, cve-2019-19781

Recently I had the chance to get myself a copy of a malicious httpd executable used by an unknown party while exploiting CVE-2019-19781. Even though I do not have anything else but a layman's understanding of forensics I still wanted to dig into it. This is my journal about a journey into looking into a malware as a noob. While I hope to encourage others to also try to look behind the curtain I also want to stress that this is all potentially dangerous and you should not do this from within a sensitive network.

unbound DNS rebind protection

📆
🏷
unbound, dns firewall, security

While working on my DNS firewalling @home I was studying unbound.conf and found what I already had forgotten, unbound's DNS rebinding protection.

DNS rebinding is a an attack where a malicious website is using your browser to resolve internal addresses (e.g. RFC1918) in order to get their hands on internal ressources like e.g. your routers admin interface. There have been attacks in the wild using that technique and I bet there still are. rebind.network is a site that actually tries to find some internal ressources on your network; the site needs javascript. Anywho and without further ado, here's the setting that I am running on my unbound – courtesy of unbound.conf(5):

private-address: 10.0.0.0/8 
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-domain: my.lan.domain

--EOF

Open Source Threat Intelligence And Makeshift RPZ with Unbound

📆
🏷
openbsd, unbound, security, osint, dns firewall, dns rpz

<span class="md_update">Update:</span> Added some remarks about what DNS RPZ actually is, what my objective is and what the outcome will be.

A friend of mine and I tried to play w/ RPZ and knot yesterday and gravely failed. The fact that knot as well as RPZ had been new to us didn't help. Discussing the failure later that night I remembered that I was already doing something similar at home for adblocking at the DNS level instead of every application on every client. In some way this is also DNS RPZ.

DNS RPZ is something that could be described as DNS firewalling and is described by wikipedia as follows:

Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is “DNS firewall”.

My main objective is to block ad networks and malware sites (e.g. command and control) on the DNS level for all devices without them having to install adblockers or stuff. So if someone tries to access a blacklisted site, say domain.tld the client will get a NXDOMAIN as an answer instead of the real IP address. As I can't keep up with the domains I also want to leverage some of the OSINT feeds available. Currently I have roughly 16k domains blacklisted.

My take on a network manager

📆
🏷
openbsd, netmanager

There's one thing that I am really missing under OpenBSD, a network manager which seemlessly handles running around with my laptop. So my main itches to scratch are doing magic things at boot and resume so I don't have to bother with fiddling with hostname.if(5) ever.

My first take on tackling that problem actually was working ok'ish but depended on sqlite3 and after sqlite3 left base the solution started to annoy me everytime I moved to a current snapshot and sqlite3 stoppped working or was unavailable from within bsd.rd.

So I started to look around what other people did to get rid of those problems which led me to netctl. I like that netctl is nothing but a shell script. I dislike that it didn't work at boot time.