- How To: Hunting For Data Leaks In Google FireBase
  Background: In mid-2018, Appthority released a report detailing a vulnerability in Google's firebase.io, a database backend used by thousands of mobile apps.
  Details: Potentially sensitive data is available by accessing URLs of the form https://<APPNAME>.firebaseio.com/.json. By doing so, you can gain access to all unprotected data in that particular database. If your organization develops and/or deploys mobile apps, you should check whether they are using FireBase and, if so, whether any data is being exposed.
- How To: Asset Discovery Using DNS And SSL
  Background: There are times, more often than we’d like to admit, that we need to do asset discovery on our own organization (or, for you red teamers, other people’s!). This is actually simpler than you’d think, as long as you know the domains associated with the organization.
  Process: First, create a text file containing the domains you’re interested in, one per line. Next, use OpenSSL to get a list of Subject Alternative Names (SANs) from any certificates present on the domains:
- How To: Check For Symantec Certificates From the Command Line
  Background: Starting with Chrome 66 and Firefox 60, Symantec SSL certificates issued before June 1, 2016 will be distrusted. With Chrome 70 and Firefox 63, all Symantec SSL certs issued before December 1, 2017 will be distrusted. This creates a need to quickly scan for those certs.
  Use OpenSSL to check: This is a fairly simple task with OpenSSL:
    $ timeout 1 openssl s_client -showcerts -connect my.domain.name:443 | openssl x509 -noout -startdate
  This will tell you the start date for a site’s certificate.
- How To: Scanning For SSL Certificates From the Command Line
  Background: Recently, there was a Remote Code Execution (RCE) vulnerability discovered in Palo Alto Firewalls. I found out about this through a post on the Full Disclosure mailing list by the researcher who discovered it. Even more recently, another post was made, with a script to test for the vulnerability. In that post, the author states they used a Shodan search to locate Palo Alto firewalls. While they don’t specify what search they used, I suspect it is something similar to:
- How To: Mitigating The New Intel Management Engine Vulnerability
  Background: On November 20, 2017, Intel published INTEL-SA-00086, a security advisory detailing local and remote exploits in the Intel Management Engine. The Intel Management Engine (ME) has three vulnerable modules in this advisory:
    - The Active Management (AMT) module
    - The Trusted Execution Engine (TXE) module
    - The Server Platform Services (SPS) module
  The only module of the three that can be exploited remotely is the AMT module. Interestingly, this same module was the subject of a May 1, 2017 advisory, INTEL-SA-00075, as well.
- How To: Building A Dark Web Scraper
  In a previous post, I demonstrated a way to run Linux command-line tools through Tor. Let’s take it a step further, and come up with a way to scrape sites on the dark web. This will allow us to hunt for mentions of various pieces of information we may want to be alerted to, such as the presence of company names, email addresses, etc. We’re going to need some code. Let’s start with importing all the modules we’ll need, and grabbing a URL from the command line:
- How To: Using Tor From The Command Line
  If you’re going to be doing work in the “dark web”, it’ll be useful to understand how to quickly and easily run commands via Tor. First, assuming you’re using Linux, install Tor:
    sudo apt install tor
  Next, edit /etc/tor/torrc:
    sudo vi /etc/tor/torrc
  Find the line containing the following:
    #ControlPort 9051
  …and uncomment it. Next, find the following line:
    #CookieAuthentication 1
  Uncomment it, and change 1 to 0. Finally, restart the tor service:
- Hunting For Insecure Amazon S3 Buckets
  Breaches caused by insecurely-configured Amazon S3 buckets are not new. Researchers have been sounding the alarm since 2013. However, S3-related breaches continue to make the news. Last Friday (20170901), researchers announced the discovery of records for four million Time Warner Cable customers due to an improperly secured Amazon S3 bucket. Amazon has been proactive in raising awareness of this issue. However, the problem persists, and is widespread. Let’s be clear: the problem here isn’t just one of potential exposure of PII.
- Analyst Tip: Spotting Botnet Members
  You suspect one or more hosts in your network may have unwittingly been recruited into a botnet. How can you tell? There are several indicators you can hunt for, including:
    - A sudden spike in outbound traffic on UDP or TCP port 53 (relative to normal volume for that host, that network, and/or that system role), particularly to destinations other than approved recursive or authoritative nameservers
    - Appearance of, or an increase in, outbound traffic on TCP ports 6660-6669 from the host in question
    - Attempted connections to known command-and-control (C2) servers
    - DNS queries for known C2 fully-qualified domain names
    - A sudden spike in outbound traffic on TCP port 25 (relative to normal)
  The presence of one or more of these indicators may warrant further investigation.
- Analyst Tip: Suspicious DNS Behavior
  The following rules of thumb may be used to build analytics to search for suspicious DNS-related activity. I have provided references that support their use wherever possible.
    - Sudden short, large burst of queries for a domain
    - Domain resolves to multiple IPs in different ASes, countries, and/or regions (A RRs)
    - TTL changes over a period of time [Reference]
    - IP assigned to domain changes frequently over a period of time [Reference]