A Week in Vegas

BSides LV — Pros vs Joes

https://twitter.com/minimaltalking/status/1159225760994824192?s=20

Linux Hardening Tips

Linux Forensics

DEF CON 27

Demo

  • Modules: loaded modules that are associated with RWX memory regions
  • Threads: threads whose code lives in unbacked (‘floating’) memory regions, i.e. code with no file on disk behind it
  • Memory Regions: check for a PE header at the start of these regions
  • Call Stack: check the call stack of each thread for unbacked symbols
  • Base Address: the base address of the main module (.exe) should always be memory mapped from the image on disk and never private or marked RWX; if it is, that is suspicious. This also detects a technique called Process Hollowing
  • Exports: suspicious exported function names, such as ReflectiveLoader
  • Hollowed Modules: in-memory vs on-disk comparison of modules, comparing their entry points, the size of the code section, and so on
  • Registry Persistence: common registry injection or persistence techniques
  • Shellcode: looks for RWX memory regions that start with well-known x64/x86 opcodes
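The list above reads as a set of per-region heuristics, so here is an added Python example (my own, not the demo tool’s code) that applies the memory-region ones to a set of constructed region records shaped like the output of a VirtualQueryEx-style walk: RWX protection, executable code with no backing file, a PE header outside an image mapping, a main module that is not image-mapped (hollowing), and a small constructed table of well-known shellcode prologue bytes. The `Region` fields, the signature table and the sample regions are all assumptions made for the example.

```python
"""Region triage with the in-memory injection heuristics listed above.

Added example, not the tool shown in the demo. The region records are
constructed to look like what VirtualQueryEx-style enumeration returns;
nothing here reads a live process.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Region:
    base: int
    size: int
    protect: str             # "R", "RW", "RX" or "RWX"
    kind: str                # "image" (file-backed PE), "mapped" (file-backed data) or "private"
    backing: Optional[str]   # path of the backing file, None when unbacked
    head: bytes = b""        # first bytes of the region (constructed samples below)


# Constructed signature table: first-instruction bytes commonly seen at the
# start of position-independent code. A real scanner carries a far larger table.
SHELLCODE_PROLOGUES = {
    b"\xfc\x48\x83\xe4\xf0": "x64: cld; and rsp, -16",
    b"\xfc\xe8": "x86: cld; call",
}


def triage_region(r: Region, main_module_base: int) -> List[str]:
    """Return the heuristic names that fire for one region (empty list = clean)."""
    findings = []
    if r.protect == "RWX":
        findings.append("rwx-region")
    if "X" in r.protect and r.kind == "private":
        # Executable code that no file on disk backs: "floating" code.
        findings.append("unbacked-executable")
    if r.head.startswith(b"MZ") and r.kind != "image":
        # A PE header outside an image mapping points at a reflectively loaded module.
        findings.append("pe-header-outside-image")
    if r.base == main_module_base and (r.kind != "image" or r.protect == "RWX"):
        # The main .exe must be image-mapped and never RWX; otherwise it was
        # likely unmapped and replaced (process hollowing).
        findings.append("main-module-not-image-mapped")
    if "X" in r.protect:
        for sig, desc in SHELLCODE_PROLOGUES.items():
            if r.head.startswith(sig):
                findings.append(f"shellcode-prologue ({desc})")
    return findings


def triage_process(regions: List[Region], main_module_base: int) -> Dict[str, List[str]]:
    """Map base address (hex) -> findings, for regions that have any."""
    report = {}
    for r in regions:
        findings = triage_region(r, main_module_base)
        if findings:
            report[hex(r.base)] = findings
    return report


# Constructed sample: a clean main module and ntdll, a reflectively loaded PE,
# a shellcode stub, and an ordinary private heap region.
MAIN_BASE = 0x140000000
SAMPLE_REGIONS = [
    Region(MAIN_BASE, 0x1000, "R", "image", r"C:\app\app.exe", b"MZ\x90\x00\x03"),
    Region(0x7FF800000000, 0x200000, "RX", "image", r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    Region(0x1A0000, 0x10000, "RWX", "private", None, b"MZ\x90\x00\x03"),
    Region(0x2B0000, 0x1000, "RWX", "private", None, b"\xfc\x48\x83\xe4\xf0\xe8"),
    Region(0x3C0000, 0x1000, "RW", "private", None, b"\x00" * 8),
]

if __name__ == "__main__":
    for base, findings in triage_process(SAMPLE_REGIONS, MAIN_BASE).items():
        print(base, ", ".join(findings))
```

Running it flags only the two private RWX regions; the image-mapped main module and ntdll, and the RW heap region, stay clean. A region that fires several heuristics at once (RWX, unbacked, PE header) is the pattern a reflectively loaded module leaves, which is why a triage tool reports the combination rather than any single flag.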

DNS Rebinding Attack

  • The ‘same-origin’ concept is where two webpages share the same scheme (HTTP or HTTPS), host (domain), and port.
Credit: DEF CON Media Server — Presentation by G. Doussot and R. Meyer.
  • ‘Cross-origin reads’ are not permitted: a webpage with one origin should not be allowed to read the contents of a webpage with a different origin. However, a malicious actor can ‘bypass restrictions imposed’ by the ‘same-origin policy’ using DNS rebinding, where the victim’s browser runs a client-side script served from the attacker’s web server after visiting it.
  • The victim’s browser has unauthenticated access to the target service (127.0.0.1), yet a page from the attacker’s origin would be blocked from reading it. The rebinding technique exploits the fact that the ‘same-origin’ policy looks at the domain name and not the IP address: if you can get the IP address of the attacker’s webpage to quickly change to that of the target by setting a very short TTL… the origin check still passes and the vulnerability is exploited. In most instances, this can be achieved in under 5 seconds.
  • How can we protect ourselves against such attacks?
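The section ends on the question of protection without answering it, so here is an added Python example (mine, not code from the talk) of the two checks most often deployed against rebinding: a resolver-side filter that drops answers pointing a public name at loopback or private address space, which is the step the attack needs, and a service-side Host header check, so that a local service only answers for the names it is actually served under and ignores a request that arrives via a rebound attacker domain. The DNS answers, the allowed host list and the requests are constructed for the example.

```python
"""Two defensive checks against DNS rebinding.

Added example, not code from the talk. (1) A resolver-side filter that drops
answers pointing a public name at loopback/private space. (2) A service-side
Host header check: a local service that only accepts the names it is served
under rejects requests that arrive through a rebound attacker domain, even
if the resolver let the answer through. All data below is constructed.
"""
import ipaddress
from typing import List, Tuple

# Ranges a name on the public Internet has no business resolving to.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_rebind_answer(ip: str) -> bool:
    """True when an answer points at loopback, private or link-local space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def filter_answers(answers: List[Tuple[str, str, int]]):
    """Split (name, ip, ttl) answers into those to pass on and those to drop.

    Mirrors what resolvers with rebind protection do (for instance dnsmasq's
    --stop-dns-rebind option); the TTL is kept only so a caller can log it.
    """
    accepted, dropped = [], []
    for name, ip, ttl in answers:
        (dropped if is_rebind_answer(ip) else accepted).append((name, ip, ttl))
    return accepted, dropped


def host_header_ok(host_header: str, allowed_hosts) -> bool:
    """Service-side check: accept only Host values the service is served under."""
    value = host_header.strip().lower()
    if value.startswith("[") and "]" in value:          # bracketed IPv6 literal, e.g. [::1]:8080
        host = value[1:value.index("]")]
    elif value.count(":") == 1:                          # host:port
        host = value.rsplit(":", 1)[0]
    else:                                                # bare name or unbracketed IPv6
        host = value
    return host in {h.lower() for h in allowed_hosts}


# Constructed resolver log: the attacker's name first answers with its own
# public address, then (TTL 1) flips to loopback and to a LAN address; a CDN
# name stays public throughout.
SAMPLE_ANSWERS = [
    ("attacker.example", "203.0.113.10", 1),
    ("attacker.example", "127.0.0.1", 1),
    ("attacker.example", "192.168.1.20", 1),
    ("cdn.example", "198.51.100.7", 300),
]

# The local service is only ever reached as localhost, 127.0.0.1 or ::1.
LOCAL_SERVICE_HOSTS = {"localhost", "127.0.0.1", "::1"}

if __name__ == "__main__":
    accepted, dropped = filter_answers(SAMPLE_ANSWERS)
    print("accepted:", accepted)
    print("dropped: ", dropped)
    # After a rebind the browser still sends the attacker's name as Host.
    print("Host attacker.example ->", host_header_ok("attacker.example", LOCAL_SERVICE_HOSTS))
    print("Host 127.0.0.1:8080   ->", host_header_ok("127.0.0.1:8080", LOCAL_SERVICE_HOSTS))
```

The two checks are independent: the resolver filter protects every client behind it but can be bypassed where the client uses another resolver, while the Host check lives in the service itself and works regardless of how the name was resolved, because a rebound request still carries the attacker’s domain in its Host header.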

CTFs

  • Graylog: open source log management tool
  • Kolide: endpoint security solution that allows you to query logs
  • Moloch: ‘Large scale, open source, indexed packet capture and search’.


Your one and only source into the scandalous life of a DFIR consultant.

darkdefender
