-
How To: Hunting For Data Leaks In Google FireBase
Background: In mid-2018, Appthority released a report detailing a vulnerability in Google's firebase.io, a database backend used by thousands of mobile apps. Details: Potentially sensitive data is available by accessing URLs of the form https://<APPNAME>.firebaseio.com/.json. By doing so, you can gain access to all unprotected data in that particular database. If your organization develops and/or deploys mobile apps, you should check whether they use FireBase and, if so, whether any data is being exposed.…
-
How To: Asset Discovery Using DNS And SSL
Background: There are times, more often than we'd like to admit, when we need to do asset discovery on our own organization (or, for you red teamers, other people's!). This is actually simpler than you'd think, as long as you know the domains associated with the organization. Process: First, create a text file containing the domains you're interested in, one per line. Next, use OpenSSL to get a list of Subject Alternative Names (SANs) from any certificates present on the domains:…
-
Analyst Tip: Testing Firewall Egress
A quick tip for testing available TCP egress, using nc, bash, and allports.exposed: for i in {1..1023}; do nc -vz -w 1 allports.exposed $i; done This uses nc with the -v, -z, and -w switches to attempt a connection to allports.exposed on each TCP port from 1 through 1023. -v requests verbose output, -z puts nc in scanning mode (no data is sent), and -w 1 tells nc to time out after one second. You may need to adjust the value supplied with -w according to the anticipated latency of the network you're on.…
-
Simple Check For OptionsBleed vulnerability
Shortly after CVE-2017-9798 (a.k.a. "OptionsBleed") was announced, the good folks over at The Fuzzing Project posted a great write-up, including a quick check for the vulnerability. I adapted it to check a list of sites, as analysts often have more than one web property to test. for j in `cat domains.txt`; do for i in {1..20}; do curl -sI -X OPTIONS https://www.$j/ | grep -i "allow:"; done >optionsbleed-https-www.$j.out; done This will run through a list of domains in the file domains.…
-
Analyst Tip: Researching IPs, Domains, And URLs From The Shell
In the course of an average day, an analyst needs to look up various bits of information about IPs, domain names, and URLs. Various workplace tools may do some of this enrichment automatically, but every now and then the analyst needs a quick, effective way to get this information either for a single indicator or for a large list of them. Tools: While there are numerous websites that can be used to obtain this information, in my opinion nothing beats the flexibility of command-line tools.…
-
Analyst Tip: Spotting Botnet Members
You suspect one or more hosts in your network may have unwittingly been recruited into a botnet. How can you tell? There are several indicators you can hunt for, including: a sudden spike in outbound traffic on UDP or TCP port 53 (relative to normal volume for that host, network, and/or system role), particularly to destinations other than approved recursive or authoritative nameservers; the appearance of, or an increase in, outbound traffic on TCP ports 6660-6669 from the host in question; attempted connections to known command-and-control (C2) servers; DNS queries for known C2 fully-qualified domain names; and a sudden spike in outbound traffic on TCP port 25 (relative to normal). The presence of one or more of these indicators may warrant further investigation.…
-
Various Shell Tricks
Quickest way to get your ssh key to a remote host: ssh-copy-id username@host.example.com Shuffle the lines in a file: cat file.txt | perl -MList::Util=shuffle -e 'print shuffle(<STDIN>);' >file-shuffled.txt Count the number of comma-separated items on each line in a file: cat file.txt | perl -ne 'print 1+@{[/,/g]},"\n"' Count the number of comma-separated items on each line in a file and compute the average number of items per line: cat file.txt | perl -ne 'print 1+@{[/,/g]},"\n"' | awk '{ sum += $1; n++ } END { if (n > 0) print sum / n; }' Give the average of a list of numbers in a file: cat numbers-list.…
-
Analyst Tip: Suspicious DNS Behavior
The following rules of thumb may be used to build analytics that search for suspicious DNS-related activity. I have provided references that support their use wherever possible. Reference Sudden, short, large burst of queries for a domain Domain resolves to multiple IPs in different ASes, countries, and/or regions (A RRs) TTL changes over a period of time Reference IP assigned to a domain changes frequently over a period of time Reference…