A Week in Vegas

BSides LV — Pros vs Joes

https://twitter.com/minimaltalking/status/1159225760994824192?s=20

Linux Hardening Tips

Linux Forensics

DEF CON 27

Demo

  • Modules: modules that are associated with RWX memory regions
  • Threads: unbacked or floating code living in memory regions
  • Memory Regions: check PE header over these regions
  • Call Stack: check call stack of threads for unbacked symbols
  • Base Address: the base address of the main module (.exe) should always be memory mapped (image-backed) and never marked RWX; a private allocation at that base is suspicious. This also detects a technique called Process Hollowing
  • Exports: such as ReflectiveLoader
  • Hollowed Modules: in-memory vs on-disk comparison of modules, compare their entry points, the size of the code etc.
  • Registry Persistence: common registry injection or persistence techniques
  • Shellcode: looks for RWX memory regions that start with well-known x64/x86 opcodes
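To make the checklist concrete, here is an added example (not code from the talk or from this post) that runs the same heuristics over a constructed process memory map: RWX regions, executable memory with no image backing, threads whose start address lies outside any loaded image, known shellcode prologues at the start of RWX memory, and a main-module base that is private or RWX (the Process Hollowing signal). The `Region`/`Thread` data model, the protection notation and the two prologue signatures are assumptions chosen for illustration.

```python
"""Heuristic memory-scan checks in the spirit of the Demo list above.
Added example; the process map and data model below are constructed."""
from dataclasses import dataclass


@dataclass
class Region:
    base: int
    size: int
    protect: str       # assumed notation: "RWX", "RX", "RW", "R"
    kind: str          # "image" (file-backed PE), "mapped" (section) or "private"
    path: str = ""     # backing file when kind != "private"
    head: bytes = b""  # first bytes of the region, used by the prologue check


@dataclass
class Thread:
    tid: int
    start_address: int


# Illustrative prologue signatures only; a real scanner carries a larger set.
PROLOGUES = {
    "x64 cld; and rsp,-0x10": bytes.fromhex("fc4883e4f0"),
    "x86 cld; call":          bytes.fromhex("fce8"),
}


def region_for(addr, regions):
    """Return the region containing addr, or None when addr is unmapped."""
    for r in regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None


def rwx_regions(regions):
    return [r for r in regions if r.protect == "RWX"]


def unbacked_executable(regions):
    """Executable memory that no PE image backs ("floating" code)."""
    return [r for r in regions if "X" in r.protect and r.kind != "image"]


def floating_threads(threads, regions):
    """Threads whose start address is not inside a loaded image."""
    hits = []
    for t in threads:
        r = region_for(t.start_address, regions)
        if r is None or r.kind != "image":
            hits.append(t)
    return hits


def shellcode_prologues(regions):
    """RWX regions whose first bytes match a known shellcode prologue."""
    return [(r.base, name) for r in rwx_regions(regions)
            for name, sig in PROLOGUES.items() if r.head.startswith(sig)]


def main_module_hollowed(main_base, regions):
    """The main-module base should be image-backed and never RWX; private
    memory there is the Process Hollowing signal from the list above."""
    r = region_for(main_base, regions)
    return r is None or r.kind == "private" or r.protect == "RWX"


def scan(main_base, regions, threads):
    """Run every check and return one finding list suitable for alerting."""
    findings = [f"rwx region at {r.base:#x}" for r in rwx_regions(regions)]
    findings += [f"unbacked executable region at {r.base:#x}"
                 for r in unbacked_executable(regions)]
    findings += [f"thread {t.tid} starts at unbacked {t.start_address:#x}"
                 for t in floating_threads(threads, regions)]
    findings += [f"shellcode prologue ({name}) at {base:#x}"
                 for base, name in shellcode_prologues(regions)]
    if main_module_hollowed(main_base, regions):
        findings.append(f"main module base {main_base:#x} is private or RWX (possible hollowing)")
    return findings


# Constructed process map: a clean main image plus one injected RWX region
# that starts with an x64 prologue and hosts a thread.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x20000, "RX", "image", r"C:\app\sample.exe"),
    Region(0x00420000, 0x10000, "RW", "image", r"C:\app\sample.exe"),
    Region(0x7ff00000, 0x1000, "RWX", "private", "", bytes.fromhex("fc4883e4f0e8")),
]
SAMPLE_THREADS = [Thread(1000, 0x00401000), Thread(1004, 0x7ff00010)]

if __name__ == "__main__":
    for line in scan(0x00400000, SAMPLE_REGIONS, SAMPLE_THREADS):
        print(line)
```

On the sample map the scan reports four findings, all pointing at the same injected region, which is the usual shape of a true positive: several independent heuristics agreeing on one address. A single RWX region on its own (JIT engines allocate them legitimately) is a much weaker signal.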

DNS Rebinding Attack

  • The ‘same-origin’ concept is where you have two webpages that consist of the same scheme (so HTTP or HTTPS), host (domain), and port.
  • ‘Cross-origin reads’ are not permitted, as a webpage with one origin should not be allowed to read the contents of a webpage with a different origin. However, a malicious actor can ‘bypass restrictions imposed’ by the ‘same-origin policy’ using DNS rebinding, where the victim runs a client-side script on the attacker’s webpage after visiting the attacker’s web server.
  • The victim browser would have unauthenticated access to the target service (127.0.0.1), yet a page served from the attacker’s domain would be blocked from reaching it. The rebinding technique exploits the fact that the ‘same-origin’ policy looks at the domain name and not the IP address. If you can get the IP address of one webpage to quickly change to that of another by modifying the TTL setting… you can successfully exploit this vulnerability. In most instances, this can be achieved in under 5 seconds:
  • How can we protect ourselves against such attacks?

Credit: DEF CON Media Server — Presentation by G. Doussot and R. Meyer.
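As an added example (not from the talk or from this post) of the two defenses that answer that question, here are the checks in code: a resolver-side filter that refuses to hand the browser a loopback, private or link-local address for an external name (the behaviour dnsmasq offers as `--stop-dns-rebind`), and a Host header check that a local service can apply because the rebound request still carries the attacker’s hostname. The name `rebind.example`, the scripted answer history, the `.internal` suffix policy and the function names are assumptions.

```python
"""Resolver-side and service-side defenses against DNS rebinding.
Added example; the record history below is constructed."""
import ipaddress

# Constructed record history for an attacker-controlled name: a public
# (documentation-range) address first, then, once the 1-second TTL expires,
# the loopback address of the target service.
CONSTRUCTED_ANSWERS = {
    "rebind.example": [("203.0.113.10", 1), ("127.0.0.1", 1)],
}

# Names for which an internal address is legitimately expected (assumed policy).
INTERNAL_SUFFIXES = (".internal", ".localhost")

# Address space an external name should never resolve to. Listed explicitly
# rather than via ipaddress.is_private so documentation ranges are not caught.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def is_safe_answer(name, ip):
    """True unless an external name maps into blocked (internal) address space."""
    if name == "localhost" or name.endswith(INTERNAL_SUFFIXES):
        return True
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in BLOCKED_NETS)


class RebindGuardResolver:
    """Toy stub resolver: replays the scripted answers in order and applies
    is_safe_answer before handing any address to the 'browser'."""

    def __init__(self, answers):
        self._answers = {k: list(v) for k, v in answers.items()}
        self.blocked = []

    def _next_answer(self, name):
        history = self._answers[name]
        # consume the history; keep replaying the final record afterwards
        return history.pop(0) if len(history) > 1 else history[0]

    def resolve(self, name):
        ip, ttl = self._next_answer(name)
        if not is_safe_answer(name, ip):
            self.blocked.append((name, ip))
            raise ValueError(f"rebinding blocked: {name} -> {ip}")
        return ip, ttl


def simulate_visit(resolver, name, lookups=2):
    """Resolve the same name repeatedly, as a browser re-resolving after TTL
    expiry would; returns the address the browser got, or 'BLOCKED', per lookup."""
    outcomes = []
    for _ in range(lookups):
        try:
            outcomes.append(resolver.resolve(name)[0])
        except ValueError:
            outcomes.append("BLOCKED")
    return outcomes


def host_header_allowed(host_header, allowed_hosts=("localhost", "127.0.0.1")):
    """Second line of defense on the target service itself: after a rebind the
    browser still sends Host: rebind.example, so a service that only expects
    local hostnames can refuse the request however DNS resolved."""
    host = host_header.strip().lower()
    if host.startswith("["):                    # bracketed IPv6, e.g. [::1]:8080
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                  # hostname-or-IPv4 with a port
        host = host.rsplit(":", 1)[0]
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    print(simulate_visit(RebindGuardResolver(CONSTRUCTED_ANSWERS), "rebind.example"))
    print(host_header_allowed("rebind.example"), host_header_allowed("127.0.0.1:8080"))
```

The first lookup succeeds and the second, which would have pointed the attacker’s origin at 127.0.0.1, is refused, so the script never gets a same-origin path to the local service. The Host header check matters because the resolver filter only protects clients behind that resolver; a service listening on loopback should not trust a request whose Host header names a domain it does not serve.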

CTFs

  • Graylog: open source log management tool
  • Kolide: endpoint security solution that allows you to query logs
  • Moloch: ‘Large scale, open source, indexed packet capture and search’.

darkdefender

Your one and only source into the scandalous life of a DFIR consultant.