Sextortion Email Variant: With QR Code, (Mon, Feb 25th)

Reader Robert submitted a sextortion email with a twist: it contains a QR code:

In case you’re wondering: I covered the QR code with a cross. I don’t want you to pay ransom by accident.

All the text in this email is a picture, except for the Bitcoin address. With no message text for keyword or phrase matching, this spam variant may be harder for content-based anti-spam engines to detect; the Bitcoin address is the only machine-readable indicator the message leaves behind.

The QR code decodes to:

bitcoin:1F3PqNUSQtv3znDduVgmk4Vq6pf8BFKo62?amount=0.16012
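
The decoded string is a BIP 21 payment URI: the `bitcoin:` scheme, a Base58Check address and an `amount` parameter in BTC. Below is an added example (not code from the diary) that parses such a URI and verifies the address checksum, which is the check worth running before an address extracted from an email goes into a report or a blocklist; the function names are mine, and the only input is the URI the diary's QR code decoded to.

```python
# Added example, not code from the ISC diary: parse the BIP 21 "bitcoin:" URI
# behind the QR code and check the address's Base58Check checksum before the
# indicator goes into a report or a blocklist.
import hashlib
from decimal import Decimal
from urllib.parse import parse_qs

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The URI the diary's QR code decoded to.
SEXTORTION_URI = "bitcoin:1F3PqNUSQtv3znDduVgmk4Vq6pf8BFKo62?amount=0.16012"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def valid_base58check(addr: str) -> bool:
    """True if the last 4 bytes equal the first 4 bytes of SHA256(SHA256(payload)).

    Covers legacy Base58Check addresses (1... and 3...); bech32 "bc1..."
    addresses use a different checksum and return False here.
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, check = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == check


def parse_bitcoin_uri(uri: str) -> dict:
    """Split a BIP 21 URI into address, amount (as Decimal) and remaining params."""
    scheme, sep, rest = uri.partition(":")
    if scheme.lower() != "bitcoin" or not sep:
        raise ValueError("not a bitcoin: URI")
    address, _, query = rest.partition("?")
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    amount = Decimal(params.pop("amount")) if "amount" in params else None
    return {
        "address": address,
        "amount": amount,
        "checksum_ok": valid_base58check(address),
        "params": params,
    }


if __name__ == "__main__":
    print(parse_bitcoin_uri(SEXTORTION_URI))
```

Decimal rather than float for the amount keeps 0.16012 exact; a failed checksum usually means the QR code was misread or the address was transcribed by hand, so it is worth re-decoding before sharing the indicator.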


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Packet Editor and Builder by Colasoft, (Sun, Feb 24th)

I was looking for a tool to modify the packets in a pcap file for testing purposes, one that would allow me to change any field in a packet and recompute the checksum so the packets could be used for testing and training. I wanted to be able to change some of the content, such as IP addresses, and, where necessary, modify the payload to obfuscate sensitive information. Packet Editor and Builder by Colasoft [1] is advertised as a freeware tool and is very useful for manipulating and sending packets over a network interface.

The interface is easy to use and intuitive. It is divided into three sections: the Decode Editor, which presents the packet headers; the Hex Editor, which shows the packet in hexadecimal; and the Packet List, which shows the individual packets.

The Decode Editor section lets you manipulate each field of the packet headers: select a field and change its value to what you need. As you modify the header or the payload, the checksums are recalculated (shown in the box at the top of the screenshot) so the edited packet is free of checksum errors.

In the Hex Editor section, you can manipulate the payload of the packet by removing, modifying or adding to the payload. This picture is the original packet with USER anonymous:

This second picture is after removing USER from the payload:

Last is the Packet List section. It lists the packets, including the protocol and a summary of what the payload contains (if available).

Another nice built-in feature is the ability to build your own packets from scratch, or reuse those from a pcap file, and send them via one of the host's adapters.
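
The two edits shown in the screenshots, rewriting an address and cutting "USER " from the payload, are only valid if the IP total length, the IP header checksum and the TCP checksum (which covers a pseudo-header with both addresses) are recomputed afterwards. The following is an added example, not code from the diary or from Colasoft, that performs those edits on a raw IPv4/TCP packet and recomputes everything the tool recomputes; the packet, the addresses and the FTP payload are constructed here, and the function names are mine.

```python
# Added example, not code from the ISC diary or from Colasoft: the edits shown in
# the screenshots (rewrite an address, cut "USER " from the payload) done on a raw
# IPv4/TCP packet, with length and checksum fields fixed up afterwards.
import socket
import struct


def _ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~_ones_sum(data)) & 0xFFFF


def tcp_checksum(ip_hdr: bytes, segment: bytes) -> int:
    """TCP checksum over the pseudo-header (src, dst, 0, proto 6, TCP length)
    plus the segment with its own checksum field zeroed."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def finalize(ip_hdr: bytes, segment: bytes) -> bytes:
    """Fix IP total length, IP header checksum and TCP checksum; return the packet."""
    total = struct.pack("!H", len(ip_hdr) + len(segment))
    ip_hdr = ip_hdr[:2] + total + ip_hdr[4:10] + b"\x00\x00" + ip_hdr[12:]
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    segment = segment[:16] + struct.pack("!H", tcp_checksum(ip_hdr, segment)) + segment[18:]
    return ip_hdr + segment


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP (PSH/ACK) packet without options; checksums set by finalize()."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return finalize(ip_hdr, tcp_hdr + payload)


def split(pkt: bytes):
    """Return (ip_header, tcp_header, payload) using IHL and the TCP data offset."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, segment = pkt[:ihl], pkt[ihl:]
    doff = (segment[12] >> 4) * 4
    return ip_hdr, segment[:doff], segment[doff:]


def addresses(pkt: bytes):
    ip_hdr = split(pkt)[0]
    return socket.inet_ntoa(ip_hdr[12:16]), socket.inet_ntoa(ip_hdr[16:20])


def checksums_ok(pkt: bytes):
    """(ip_ok, tcp_ok): a correct IP header sums to 0xFFFF with its checksum included."""
    ip_hdr, tcp_hdr, payload = split(pkt)
    stored = struct.unpack("!H", tcp_hdr[16:18])[0]
    return _ones_sum(ip_hdr) == 0xFFFF, tcp_checksum(ip_hdr, tcp_hdr + payload) == stored


def rewrite(pkt: bytes, new_src=None, new_dst=None, new_payload=None) -> bytes:
    """Edit addresses and/or payload of one packet, then recompute lengths and checksums."""
    ip_hdr, tcp_hdr, payload = split(pkt)
    if new_src:
        ip_hdr = ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]
    if new_dst:
        ip_hdr = ip_hdr[:16] + socket.inet_aton(new_dst) + ip_hdr[20:]
    if new_payload is not None:
        payload = new_payload
    return finalize(ip_hdr, tcp_hdr + payload)


# Constructed sample (made-up addresses): the FTP "USER anonymous" packet.
ORIGINAL = build_packet("192.168.1.50", "203.0.113.21", 51234, 21, b"USER anonymous\r\n")
# Anonymise the client address and drop "USER " from the payload, as in the screenshots.
EDITED = rewrite(ORIGINAL, new_src="10.0.0.1", new_payload=b"anonymous\r\n")

if __name__ == "__main__":
    print(addresses(EDITED), split(EDITED)[2], checksums_ok(EDITED))
```

Two caveats apply to the tool as much as to this code. It edits one packet at a time: shortening a TCP payload by five bytes means the sequence and acknowledgement numbers of every later packet in that stream no longer match the bytes actually carried, so Wireshark will flag the rest of the conversation unless those are adjusted as well. And the "send via adapter" feature puts crafted packets on a live network, so use it only on an isolated test segment.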

[1] https://www.colasoft.com/download/products/download_packet_builder.php

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Ad Blocking With Pi Hole, (Tue, Feb 26th)

Network-wide ad blocking via your own Linux hardware

Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.

From the Pi-hole Overview:

Easy-to-install: versatile installer, takes less than ten minutes

Resolute: content is blocked in non-browser locations, such as ad-laden mobile apps and smart TVs

Responsive: speeds up browsing by caching DNS queries

Lightweight: runs smoothly with minimal hardware and software requirements

Robust: command line interface quality assured for interoperability

Insightful: responsive Web Interface dashboard to view and control Pi-hole

Versatile: optionally functions as DHCP server, ensuring all your devices are protected automatically

Scalable: capable of handling hundreds of millions of queries when installed on server-grade hardware

Modern: blocks ads over both IPv4 and IPv6

Free: open source software

* Cited from docs.pi-hole.net.

Of Note

The Pi-hole setup offers 8 options for an upstream DNS Provider during the initial setup.

Utilize the Pi-hole command line interface with ease.

Pi-hole includes a caching and forwarding DNS server, now known as FTLDNS.

After applying the blocking lists, it forwards requests made by the clients to configured upstream DNS server(s).

Updating is as simple as running the following command: pihole -up

Pi-hole Installation

I installed Pi-hole on a Raspberry Pi 2 Model B running Raspbian Stretch (November 2018, 4.14 kernel).

Figure 1: Pi-hole on Raspberry Pi 2 Model B

There is a one-step automated installation method for those who want to get started quickly and conveniently, using the following command:

curl -sSL https://install.pi-hole.net | bash

There are alternative installation methods if you’re not comfortable piping a script straight from the internet into bash, such as downloading the installer, reading it, and then running it locally, or cloning the repository and running the installer from there.

Piloting Pi-hole

Once you’ve completed installation, browse to the IP address you established during setup. After running Pi-hole for even a few hours, it will begin to serve you as designed, and do so well.

Figure 2: Pi-hole at work

Take note that 17.9% of traffic, 532 specific queries, has already been blocked. Pi-hole’s Gravity script is key here: “Gravity is one of the most important scripts of Pi-hole. Its main purpose is to retrieve blocklists, and then consolidate them into one unique list for the built-in DNS server to use, but it also serves to complete the process of manual whitelisting, blacklisting and wildcard update. It is run automatically each week, but it can be invoked manually at any time.”
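
The two mechanisms described above (gravity consolidating several lists into one unique set with the whitelist and blacklist applied, and the built-in resolver answering blocked names itself while forwarding everything else upstream) are small enough to model in a few dozen lines. The following is an added example and not Pi-hole's own code: the blocklists are constructed samples in the two formats gravity accepts (hosts-file lines and bare domains), the upstream server is a stub that returns a constructed answer so it runs offline, a regex entry stands in for the wildcard case, and 0.0.0.0 is used as the sinkhole address.

```python
# Added example, not Pi-hole's own code: a model of gravity (list consolidation
# with whitelist/blacklist) and of the resolver's sinkhole-or-forward decision.
import re
import struct

# Constructed sample lists (not real blocklists): hosts-file format and bare domains.
HOSTS_LIST = """# sample hosts-format list
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net   # trailing comment
0.0.0.0 Ads.Example.com
"""
DOMAIN_LIST = """metrics.example.org
tracker.example.net
"""
WHITELIST = {"metrics.example.org"}
BLACKLIST = {"telemetry.example.com"}
REGEX_BLACKLIST = [r"(^|\.)doubleclick\.example$"]   # stands in for wildcard blocking
SINKHOLE = "0.0.0.0"                                 # assumed; Pi-hole's blocking mode decides
SENTINELS = {"0.0.0.0", "127.0.0.1", "::", "::1"}    # hosts-file addresses to strip


def parse_list(text: str) -> set:
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        domain = fields[1] if len(fields) > 1 and fields[0] in SENTINELS else fields[0]
        domains.add(domain.lower().rstrip("."))
    return domains


def build_gravity(lists, whitelist, blacklist) -> set:
    """Consolidate lists into one unique set; the blacklist adds, the whitelist wins."""
    gravity = set()
    for text in lists:
        gravity |= parse_list(text)
    return (gravity | set(blacklist)) - set(whitelist)


def is_blocked(name: str, gravity: set, regexes) -> bool:
    name = name.lower().rstrip(".")
    return name in gravity or any(re.search(r, name) for r in regexes)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def parse_query(pkt: bytes):
    """Return (txid, qname, qtype, raw question section) of an uncompressed DNS query."""
    txid = struct.unpack("!H", pkt[:2])[0]
    labels, pos = [], 12
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, pkt[12:pos + 4]


def a_response(txid: int, question: bytes, ip: str, ttl: int = 2) -> bytes:
    """Response with one A record; 0xC00C is a pointer to the name in the question."""
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


def answer_ip(resp: bytes) -> str:
    return ".".join(str(b) for b in resp[-4:])


def resolve(pkt: bytes, gravity: set, regexes, upstream):
    """Answer blocked names with the sinkhole address, otherwise forward to `upstream`."""
    txid, name, qtype, question = parse_query(pkt)
    if is_blocked(name, gravity, regexes):
        return "blocked", a_response(txid, question, SINKHOLE)
    return "forwarded", upstream(pkt)


def fake_upstream(pkt: bytes) -> bytes:
    """Stand-in for the configured upstream DNS server (constructed answer, no network)."""
    txid, _, _, question = parse_query(pkt)
    return a_response(txid, question, "192.0.2.10")


GRAVITY = build_gravity([HOSTS_LIST, DOMAIN_LIST], WHITELIST, BLACKLIST)

if __name__ == "__main__":
    for q in ("ads.example.com", "www.doubleclick.example", "metrics.example.org"):
        verdict, resp = resolve(build_query(q), GRAVITY, REGEX_BLACKLIST, fake_upstream)
        print(q, verdict, answer_ip(resp))
```

Two things the model makes visible: gravity matches whole names exactly (so a subdomain of a listed domain is not blocked unless a wildcard or regex entry covers it), and a whitelist entry removes a name even if every list carries it. What a blocked client actually receives depends on Pi-hole's configured blocking mode (a null address, the Pi-hole's own IP, NXDOMAIN or an empty answer), which is why the sinkhole address above is an assumption rather than a fixed value.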

As seen in Figure 3, Pi-hole takes exception to a number of offending domains.

Figure 3: Pi-hole blocks

192.168.248.12 is my iPhone on my local network. You can see that between Apple, Microsoft, and other domains, there’s more than a bit of content in their ad streams that is flagged as less than desirable via Pi-hole’s Block Lists.

Enjoy the use and benefits of Pi-hole, I’d really like to hear about your success stories, and how you’re running Pi-hole (what hardware platforms?).

Let me know via Twitter or email. Cheers…until next time.

Russ McRee | @holisticinfosec
