-
How To: Hunting For Data Leaks In Google Firebase
Background: In mid-2018, Appthority released a report detailing a vulnerability in Google's firebase.io, a database backend used by thousands of mobile apps. Details: Potentially sensitive data is available by accessing URLs of the form https://<APPNAME>.firebaseio.com/.json. Doing so gives access to all unprotected data in that particular database. If your organization develops and/or deploys mobile apps, you should check to see whether they are using Firebase, and if so, whether any data is being exposed.…
-
How To: Asset Discovery Using DNS And SSL
Background: There are times, more often than we’d like to admit, that we need to do asset discovery on our own organization (or, for you red teamers, other people’s!). This is actually simpler than you’d think, as long as you know the domains associated with the organization. Process: First, create a text file containing the domains you’re interested in, one per line. Next, use OpenSSL to get a list of Subject Alternative Names (SANs) from any certificates present on the domains:…
-
How To: Check For Symantec Certificates From the Command Line
Background: Starting with Chrome 66 and Firefox 60, Symantec SSL certificates issued before June 1, 2016 will be distrusted. With Chrome 70 and Firefox 63, all Symantec SSL certs issued before December 1, 2017 will be distrusted. This creates a need to quickly scan for those certs. Use OpenSSL to check: This is a fairly simple task with OpenSSL:
$ timeout 1 openssl s_client -showcerts -connect my.domain.name:443 | openssl x509 -noout -startdate
This will tell you the start date for a site’s certificate.…
-
DIY Threat Intel: Monitoring Phishing Domains and Typosquatting
Being able to receive alerts when a new domain is registered that closely matches an existing domain you own can be a valuable source of threat intelligence. So valuable, in fact, that several services incorporate such notification as part of their product offering. However, you don’t need to pay for this sort of service. You can build the functionality rather easily, for free! What You’ll Need: For this how-to, you’ll need access to some source of newly-registered domain information.…
-
How To: Enriching IPs With Python
I need a certain amount of enrichment on IP addresses multiple times per day. While certain tools and controls have built-in enrichment, I often find myself sitting at a shell prompt needing the same or similar info quickly. So, I decided to write something that will take an IPv4 address as an argument, and return the data I need in an easily-parsable format. The code is available here. Usage: The code takes an IPv4 address as input, and outputs the following:…
-
How To: Mitigating Web Session Replay Information Leakage
Background: There has been a lot of talk in the news lately about security issues surrounding web-based session replay. The issue is a simple one: many popular websites are now running scripts that record every keystroke and every mouse movement, allowing them to replay your entire visit to their website, as though they’re looking over your shoulder. However, that data’s being collected and retained by third parties, not the websites themselves.…
-
How To: Mitigating The New Intel Management Engine Vulnerability
Background: On November 20, 2017, Intel published INTEL-SA-00086, a security advisory detailing local and remote exploits in the Intel Management Engine. The Intel Management Engine (ME) has three vulnerable modules in this advisory: the Active Management (AMT) module, the Trusted Execution Engine (TXE) module, and the Server Platform Services (SPS) module. The only module of the three that can be exploited remotely is the AMT module. Interestingly, this same module was the subject of a May 1, 2017 advisory for INTEL-SA-00075 as well.…
-
How To: Building A Dark Web Scraper
In a previous post, I demonstrated a way to run Linux command-line tools through Tor. Let’s take it a step further, and come up with a way to scrape sites on the dark web. This will allow us to hunt for mentions of various pieces of information we may want to be alerted to, such as the presence of company names, email addresses, etc. We’re going to need some code. Let’s start with importing all the modules we’ll need, and grabbing a URL from the command line:…
-
How To: Using Tor From The Command Line
If you’re going to be doing work in the “dark web”, it’ll be useful to understand how to quickly and easily run commands via Tor. First, assuming you’re using Linux, install Tor:
sudo apt install tor
Next, edit /etc/tor/torrc:
sudo vi /etc/tor/torrc
Find the line containing the following:
#ControlPort 9051
…and uncomment it. Next, find the following line:
#CookieAuthentication 1
Uncomment it, and change 1 to 0. Finally, restart the tor service:…
-
DIY Threat Intel: Mining Spam For Malware
If you use email, you already have a wonderful resource available to you for doing some quick and dirty threat intelligence work: your spam folder. Every day, people receive anywhere from dozens to hundreds of spam emails, ranging from plain vanilla unsolicited emails, to unwanted content, to phishing attempts and malware. There’s a wealth of information to be mined from your spam folder. Right now, we’ll focus on extracting URLs and attachments from your spam emails and automatically analyzing them.…