Blog

Archive for March, 2021

Spam Farm Spotted in the Wild, (Fri, Mar 5th)

If there is a place where you can always find juicy information, it’s your spam folder! Yes, I like spam and I don’t delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or “Non-Delivery Receipt” messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a “spam farm” based on bounced emails. By default, SMTP is a completely open protocol: anybody can send an email pretending to be Elon Musk or Joe Biden! That’s why security controls like SPF[1] or DKIM[2] can be implemented to prevent spoofed emails from being sent from anywhere. If these controls are not implemented, you may be the victim of spam campaigns that abuse your domain name or identity. The “good” point (if we can say this) is that all NDR messages will bounce to the official mail server that you manage. That’s what happened to our reader: he saw many bounced messages for unknown email addresses. Here is an example:

--1614779618-eximdsn-513689040
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [victim]@[victimdomain]
    host [victimmx]
    SMTP error from remote mail server after end of data:
    550 5.2.0 Mail rejete. Mail rejected. ************

--1614779618-eximdsn-513689040
Content-type: message/delivery-status

Reporting-MTA: dns; fjimkopo[.]com

Action: failed
Final-Recipient: rfc822;[victim]@[victimdomain]
Status: 5.0.0
Remote-MTA: dns; [victimmx]
Diagnostic-Code: smtp; 550 5.2.0 Mail rejete. Mail rejected. ***********

--1614779618-eximdsn-513689040
Content-type: message/rfc822

Return-path: 
Received: from admin by fjimkopo[.]com with local (Exim 4.86_2)
(envelope-from [ourmailbox]@[ourdomain])
id 1lHQYA-0002y9-UD
for [victim]@[victimdomain]; Wed, 03 Mar 2021 12:24:22 +0000
To: [victim]@[victimdomain]
Subject: *****************
X-PHP-Originating-Script: 1000:mailer1.php
Date: Wed, 3 Mar 2021 12:24:22 +0000
From: ***************** <[ourmailbox]@[ourdomain]>
Reply-To: [email protected][.]com
Message-ID: 
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

What interesting information do we have in this email? We see a domain name, farments[.]cf, in the Message-ID (this header is generated by the first hop in the SMTP delivery chain), but also another SMTP header added by the mailer: X-PHP-Originating-Script: 1000:mailer1.php.

Let’s combine the domain with the script name from that header: hxxp://farments[.]cf/mailer1.php

This is a leafmailer[3] instance, a very popular PHP mailer used by spammers. urlscan.io reports 26 similar websites[4]:
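As an added example that is not part of the diary, here is that triage automated: a parser for a multipart/report bounce that pulls out the Reporting-MTA, the envelope sender, the X-PHP-Originating-Script value and the Message-ID domain, flags the bounce as backscatter from spoofed mail when the envelope sender claims our domain but the reporting MTA is not one of ours, and builds the same domain-plus-script pivot made above. The bounce it parses is constructed (every domain and address is a .example placeholder, not the diary's defanged indicators) and modelled on the Exim DSN quoted above.

```python
"""Extract triage indicators from a bounce (DSN) like the one quoted above.
Added example, not from the diary; every domain and address below is a
constructed .example placeholder rather than the diary's defanged indicators."""
import re
from email import message_from_string, policy

# Constructed multipart/report bounce, modelled on the Exim DSN in the diary.
SAMPLE_DSN = """\
From: Mail Delivery System <Mailer-Daemon@farm-host.example>
To: ourmailbox@ourdomain.example
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="1614779618-eximdsn-513689040"

--1614779618-eximdsn-513689040
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

--1614779618-eximdsn-513689040
Content-type: message/delivery-status

Reporting-MTA: dns; farm-host.example

Action: failed
Final-Recipient: rfc822;victim@victimdomain.example
Remote-MTA: dns; mx.victimdomain.example
Diagnostic-Code: smtp; 550 5.2.0 Mail rejete. Mail rejected.

--1614779618-eximdsn-513689040
Content-type: message/rfc822

Received: from admin by farm-host.example with local (Exim 4.86_2)
 (envelope-from <ourmailbox@ourdomain.example>)
 id 1lHQYA-0002y9-UD
 for victim@victimdomain.example; Wed, 03 Mar 2021 12:24:22 +0000
To: victim@victimdomain.example
Subject: constructed spam subject
X-PHP-Originating-Script: 1000:mailer1.php
From: Constructed Sender <ourmailbox@ourdomain.example>
Reply-To: replies@spammer-dropbox.example
Message-ID: <20210303122422.ABC123@mailer-domain.example>
Content-Type: text/plain; charset=ISO-8859-1

constructed spam body
--1614779618-eximdsn-513689040--
"""

ENVELOPE_FROM_RE = re.compile(r"\(envelope-from\s+<([^>]+)>\)")
MSGID_DOMAIN_RE = re.compile(r"@([^>\s]+)")


def _after_semicolon(value):
    """'dns; host' -> 'host', 'rfc822;addr' -> 'addr'."""
    text = str(value or "")
    return text.split(";", 1)[1].strip() if ";" in text else text.strip()


def extract_indicators(raw):
    """Walk the multipart/report and collect the fields worth pivoting on."""
    msg = message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report bounce")
    ind = {}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The email package splits this part into header blocks: one
            # per-message block, then one block per failed recipient.
            blocks = part.get_payload()
            ind["reporting_mta"] = _after_semicolon(blocks[0]["Reporting-MTA"])
            for block in blocks[1:]:
                ind["final_recipient"] = _after_semicolon(block["Final-Recipient"])
                ind["diagnostic_code"] = _after_semicolon(block["Diagnostic-Code"])
        elif ctype == "message/rfc822":
            orig = part.get_payload()[0]  # the bounced spam itself
            m = ENVELOPE_FROM_RE.search(str(orig.get("Received", "")))
            ind["envelope_from"] = m.group(1) if m else None
            script = str(orig.get("X-PHP-Originating-Script", ""))
            ind["originating_script"] = script.split(":", 1)[-1].strip() or None
            m = MSGID_DOMAIN_RE.search(str(orig.get("Message-ID", "")))
            ind["message_id_domain"] = m.group(1) if m else None
            ind["reply_to"] = str(orig.get("Reply-To", "")).strip() or None
    return ind


def is_spoofed_backscatter(ind, our_domain, our_outbound_hosts):
    """True when the envelope sender claims our domain but the bounce came from
    an MTA that is not one of ours: somebody else is sending as us."""
    sender = (ind.get("envelope_from") or "").lower()
    ours = {h.lower() for h in our_outbound_hosts}
    return sender.endswith("@" + our_domain.lower()) and (
        (ind.get("reporting_mta") or "").lower() not in ours)


def mailer_candidate(ind):
    """The pivot the diary makes: Message-ID domain plus originating script."""
    if ind.get("message_id_domain") and ind.get("originating_script"):
        return f"http://{ind['message_id_domain']}/{ind['originating_script']}"
    return None
```

Running extract_indicators(SAMPLE_DSN) and feeding the result to is_spoofed_backscatter(found, "ourdomain.example", ["mail.ourdomain.example"]) flags the bounce, because the reporting MTA is the spam farm's host and not one of our outbound servers; mailer_candidate() then returns the same kind of URL the diary pivots on.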

I did the same search on VirusTotal and found more URLs:

hxxp://voceconfia[[.]]com[[.]]br/utils/leafmailer[.]php
hxxp://surmatete[[.]]com/img/p/9/5/
hxxp://hamboua1[[.]]000webhostapp[[.]]com/leafmailer[.]php
hxxp://avalonfootwears[.]com/images/leafmailernzmall[.]php
hxxps://www[.]bearchub4u[.]com/images/snd[.]php
hxxp://sech[.]cl/wp-includes/rand/leafmailer[.]php
hxxp://www[.]eudurica[.]sk/doc/leafmailer[.]php
hxxps://github[.]com/PHPMailer/apix-log-phpmailer
hxxp://thehunarfoundation[.]org/luckk[.]php
hxxp://farments[.]cf/mailer1[.]php
hxxp://elhusseinyusmleprep[.]com/wp-includes/leafmailer[.]php
hxxp://jrcasey[.]com/leaf[.]php
hxxp://secundaria[.]comprensiondelalectura[.]com/CDL/Profile/phpmailer/examples
hxxp://synergieconsulting[.]biz/leaf[.]php
hxxp://www[.]shiatsu[.]com[.]uy/archivos/pdf/2722[.]php
hxxp://rainbowisp[.]info/dot/js/leafmailer2[.]8[.]php
hxxp://aquabizarre[.]com/leaf[.]php
hxxp://neaters[.]serveusers[.]com/
hxxp://www[.]eos-numerique[.]com/sitemap/JC4Ei2aF[.]php
hxxp://themadam[.]com/inb0x[.]php
hxxp://satkom[.]id/includes/phpmailer
hxxp://a-mla[.]org/images/acts/leafmailer2[.]8[.]php
hxxp://scootelaru[.]com/leafmailer2[.]8[.]php
hxxp://eudurica[.]sk/doc/leafmailer[.]php
hxxp://secundaria[.]comprensiondelalectura[.]com/CDL/Profile/phpmailer/examples/images
hxxps://e2e[.]marketing/wp-content/themes/spacious/leaf[.]php
hxxp://mailerphppro[.]blogspot[.]com/
hxxp://www[.]fastnet[.]rw/luckk[.]php
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer/docs
hxxp://emboutsdetalons[.]com/
hxxps://yanaclub[.]net/vendor/bootstrap/css/alal[.]php
hxxp://wigitest[.]com/leafmailer2[.]8[.]php
hxxp://fullfullstack[.]com/leafmailer2[.]8[.]php
hxxps://www[.]itread01[.]com/content/1542020464[.]html
hxxp://letsdoit[.]pro/wp-admin/oonnm[.]php
hxxps://www[.]leafmailer[.]pw/
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer/language
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer/test
hxxps://www[.]sementesvivas[.]bio/modules/jmsslider/views/img/layers/leafmailer2[.]8[.]php
hxxp://143[.]110[.]155[.]129/
hxxps://casing-china[.]com/wp-admin/leaf[.]php
hxxp://grma[.]9lj[.]ru/
hxxps://ipv6[.]lekkeropdemet[.]be/ibasao/l[.]php
hxxp://ow[.]ly/9t8W50DzlZG
hxxp://siquerida[.]com/ajtro/system/PHPMailer/language
hxxps://tinyurl[.]com/y4zbkzja
hxxps://anandlagad[.]com/how-to-send-email-using-phpmailer-and-gmail-with-example/
hxxp://www[.]asc925[.]com/leafmailer2[.]8[.]php
hxxp://solusitoilet[.]com/xz/leafmailer2[.]7[.]php
hxxps://mckinleywashstand[.]com/leafmailer2[.]8[.]php
hxxp://chase-online[.]ddnsking[.]com/
hxxps://smyankton[.]com/leaf[.]php
hxxps://m12tatar[.]ru/wp-admin/leafmailer2[.]8[.]php
hxxp://rnd[.]com[.]mx/wp-content/plugins/RootSaul/block[.]php
hxxp://is01[.]cba[.]edu[.]kw/old/wptest/wp-content/themes/xzbvsjrmhd[.]php?pass=xptasztqzd
hxxp://www[.]assostone[.]com/11[.]php
hxxps://pastebin[.]com/5igVDBVT
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer
hxxp://www[.]ilendglobal[.]com/PHPMailer/
hxxps://elite11[.]in/public/site/image/slider/leafmailer2[.]8[.]php
hxxp://phpmailer[.]github[.]io/PHPMailer/
hxxps://legalhackers[.]com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC[.]html
hxxps://legalhackers[.]com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln[.]html
hxxps://github[.]com/opsxcq/exploit-CVE-2016-10033
hxxps://t[.]co/LMf3TIcdmy
hxxps://rfr[.]bz/t1jy3sp
hxxps://blog[.]sucuri[.]net/2021/01/phishing-malspam-with-leaf-phpmailer[.]html?utm_source=twitter&utm_medium=social&utm_campaign=en-us_sec_social_prd_awa_us_x_001
hxxp://sucur[.]it/3qXbEMS
hxxps://blog[.]sucuri[.]net/2021/01/phishing-malspam-with-leaf-phpmailer[.]html
hxxp://www[.]erbilen[.]net/phpmailer-sinifi-ile-gmail-uzerinden-e-posta-gonderimi/
hxxp://rpa-seminar-shinagawa[.]oni-nagoya[.]co[.]jp/wp-content/plugins/leafmails[.]php
hxxps://t[.]co/vXgBEIippr
hxxps://emboutsdetalons[.]com/
hxxp://www[.]qurankipukar[.]com/en/
hxxp://github[.]com/PHPMailer/PHPMailer
hxxps://dummyscodes[.]blogspot[.]com/2014/08/php-send-mail-with-xampp-localhost[.]html
hxxps://pseudonymousone[.]com/leafmailer[.]php
hxxp://vulapps[.]evalbug[.]com/w_wordpress_6/
hxxps://estacaoblumenau[.]com[.]br/leaf[.]php
hxxp://vitamfoundation[.]org/luckk[.]php
hxxps://phpmailer[.]en[.]softonic[.]com/
hxxps://unicrditalia[.]com/
hxxp://unicrditalia[.]com/
hxxp://cbdmover[.]com[.]au/calculate-your-move/phpmailer/
hxxp://52[.]42[.]241[.]167/PHPMailer-master/vendor/guzzlehxxp/guzzle/src/Exception
hxxp://shiyarajewells[.]com/img/portfolio/leafmailer2[.]8[.]php
hxxps://www[.]cdxy[.]me/?p=765
hxxp://warriorwealthsolutions[.]com/wp-admin/wp-config[.]php
hxxp://mislayer[.]egloos[.]com/1509382
hxxps://phpmailer[.]github[.]io/PHPMailer/classes/PHPMailer[.]PHPMailer[.]PHPMailer[.]html
hxxp://espaciosdeinnovacion[.]udd[.]cl/leaf[.]php
hxxp://siquerida[.]com/ajtro/system/PHPMailer/docs
hxxp://siquerida[.]com/ajtro/system/PHPMailer
hxxp://dedikodudunyasi[.]com/
hxxps://alchemicclasses[.]com/
hxxp://www[.]willalooka[.]com[.]au/wp-content/plugins/sdwffdy/leafmailer2[.]8[.]php
hxxps://phpmailer[.]github[.]io/PHPMailer/classes/PHPMailer[.]PHPMailer[.]POP3[.]html
hxxps://ranaunique[.]com/hato-old/vendor/phpmailer/phpmailer/language/
hxxps://www[.]websapex[.]com/blog/tutorial/php/send-an-email-through-html-form-using-phpmailer-in-php/
hxxp://rpa-seminar-shinagawa[.]oni-nagoya[.]co[.]jp/wp-content/plugins/leaf[.]php
hxxps://owlmailer[.]io/
hxxp://phpmailer[.]worxware[.]com/critique-avengers-endgame-streaming/
hxxp://labanquepostale623662s7[.]betaforge[.]it/
hxxps://sech[.]cl/wp-includes/rand/leafmailer[.]php
hxxp://unionbankonline[.]light-nutrition[.]com/leafmailer2[.]8[.]php
hxxps://zaimcraft[.]ru/
hxxps://account-login-inc[.]com/wp-admin/ky-verification/leafmailer2[.]8%20(1)[.]php?emailfilter=on
hxxp://caudan-vous-accueille[.]com/images/gmapfp/hsfgdyfy[.]php?pass=kod3
hxxp://mailqwerty[.]xyz/
hxxp://www[.]thaimartin[.]co/aku/pro[.]php
hxxp://wonodds[.]club/wp-content/plugins/qohdbjl/classic[.]php
hxxps://uni-leipzig[.]email/leaf[.]php?emailfilter=on
hxxp://theqwrqwry[.]com/leafmailer2[.]8[.]php?emailfilter=on
hxxps://dduuwwc[.]com/1[.]php?emailfilter=on
hxxp://hghfhgfhs[.]com/1[.]php?emailfilter=on
hxxps://adggnbbvns[.]com/leafmailer2[.]8[.]php?emailfilter=on
hxxp://galaxysystemsgroup[.]com/1[.]php?emailfilter=on
hxxps://freesolos[.]club/inc/PHPMailer/test_script
hxxps://github[.]com/Synchro/PHPMailer/
hxxp://envision-media[.]co/wp-includes/js/jcrop/leafup[.]php?pass=0112255
hxxp://www[.]netsisantalya[.]com/wp-content/themes/skand/lhcqyhebrt[.]php?pass=nsgonwmful

Many of them are compromised websites where the mailer is deployed and used to send spam.

Conclusion: Keep an eye on your bounced messages; sometimes they may reveal interesting information!

[1] https://en.wikipedia.org/wiki/Sender_Policy_Framework
[2] https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
[3] https://leafmailer.pw
[4] https://urlscan.io/result/3289f4f9-6db2-46e8-b72b-fa3b1561bdf6/related/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Qakbot infection with Cobalt Strike, (Wed, Mar 3rd)

Introduction

On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity.  I’ve seen Cobalt Strike from Qakbot infections before.  Below are two that I documented in December 2020.

I haven’t documented one for the ISC yet, so today’s diary reviews my Qakbot infection with Cobalt Strike seen on Tuesday 2021-03-02.


Shown above:  Flow chart for the Qakbot infection with Cobalt Strike from Tuesday 2021-03-02.

Images


Shown above:  Spreadsheet extracted from a zip archive attached to malspam pushing Qakbot.


Shown above:  Traffic from the infection filtered in Wireshark (image 1 of 3).


Shown above:  Traffic from the infection filtered in Wireshark (image 2 of 3).


Shown above:  Traffic from the infection filtered in Wireshark (image 3 of 3).


Shown above:  Initial DLL saved to the victim’s Windows host.


Shown above:  Artifact saved to disk during the Qakbot infection.


Shown above:  Registry updates caused by Qakbot.

Indicators of Compromise (IOCs)

Malware from the infected Windows host:

SHA256 hash: 16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12

SHA256 hash: 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44

Traffic to retrieve the initial Qakbot DLL:

  • 8.209.64[.]96 port 80 – kfzhm28pwzrlk02bmjy[.]com – GET /mrch.gif

Qakbot C2 traffic:

  • 207.246.77[.]75 port 995 – HTTPS traffic

Cobalt Strike traffic:

  • 45.144.29[.]185 port 443 – HTTPS traffic
  • 45.144.29[.]185 port 443 – logon.securewindows[.]xyz – HTTPS traffic
  • 45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – GET /WjSH
  • 45.144.29[.]185 port 8080 – logon.securewindows[.]xyz:8080 – GET /cx
  • 45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – GET /en_US/all.js
  • 45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – POST /submit.php?id=248927919
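As an added example that is not part of the diary, the network indicators above turned into a matcher: the IOC lines are parsed exactly as listed (defanged with [.]), refanged, and run over a handful of constructed proxy/connection-log events, one of which is benign and must not match.

```python
"""Turn the diary's network IOC list into a matcher and run it over log events.
Added example, not from the diary: the indicator strings are copied from the
IOC section above; the log events and internal IPs are constructed."""
import re

NETWORK_IOCS = [
    "8.209.64[.]96 port 80 – kfzhm28pwzrlk02bmjy[.]com – GET /mrch.gif",
    "207.246.77[.]75 port 995 – HTTPS traffic",
    "45.144.29[.]185 port 443 – HTTPS traffic",
    "45.144.29[.]185 port 443 – logon.securewindows[.]xyz – HTTPS traffic",
    "45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – GET /WjSH",
    "45.144.29[.]185 port 8080 – logon.securewindows[.]xyz:8080 – GET /cx",
    "45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – GET /en_US/all.js",
    "45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – POST /submit.php?id=248927919",
]

# "<ip> port <n> [- <host>] - (<METHOD> <uri> | HTTPS traffic)", after the
# en dashes have been normalised to plain hyphens.
IOC_RE = re.compile(
    r"^(?P<ip>\S+) port (?P<port>\d+)"
    r"(?: - (?P<host>(?!HTTPS traffic)(?!GET )(?!POST )\S+))?"
    r" - (?:(?P<method>GET|POST) (?P<uri>\S+)|HTTPS traffic)$"
)

# Constructed events in the shape a proxy or connection log would give you.
SAMPLE_LOG_EVENTS = [
    {"src_ip": "10.3.2.101", "dst_ip": "8.209.64.96", "dst_port": 80,
     "host": "kfzhm28pwzrlk02bmjy.com", "method": "GET", "uri": "/mrch.gif"},
    {"src_ip": "10.3.2.101", "dst_ip": "207.246.77.75", "dst_port": 995,
     "host": None, "method": None, "uri": None},
    {"src_ip": "10.3.2.101", "dst_ip": "45.144.29.185", "dst_port": 8080,
     "host": "45.144.29.185:8080", "method": "GET", "uri": "/en_US/all.js"},
    {"src_ip": "10.3.2.57", "dst_ip": "203.0.113.10", "dst_port": 443,
     "host": "intranet.example", "method": "GET", "uri": "/"},  # benign
]


def refang(value):
    """Undo the [.] defanging used in the diary."""
    return value.replace("[.]", ".") if value else value


def parse_ioc_line(line):
    """Parse one IOC bullet into a structured indicator."""
    m = IOC_RE.match(line.strip().replace("–", "-"))
    if not m:
        raise ValueError(f"unrecognised IOC line: {line!r}")
    d = m.groupdict()
    return {"ip": refang(d["ip"]), "port": int(d["port"]), "host": refang(d["host"]),
            "method": d["method"], "uri": d["uri"]}


def load_iocs(lines):
    return [parse_ioc_line(line) for line in lines]


def match_event(event, iocs):
    """Return the set of reasons this event matches any indicator."""
    reasons = set()
    for ioc in iocs:
        if event.get("dst_ip") == ioc["ip"] and event.get("dst_port") == ioc["port"]:
            reasons.add(f"ip:port {ioc['ip']}:{ioc['port']}")
        if ioc["host"] and event.get("host") == ioc["host"]:
            reasons.add(f"host {ioc['host']}")
        if ioc["uri"] and event.get("method") == ioc["method"] and event.get("uri") == ioc["uri"]:
            reasons.add(f"uri {ioc['method']} {ioc['uri']}")
    return reasons


def scan(events, iocs):
    """Map event index -> reasons, for every event that hits an indicator."""
    hits = {}
    for index, event in enumerate(events):
        reasons = match_event(event, iocs)
        if reasons:
            hits[index] = reasons
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_LOG_EVENTS, load_iocs(NETWORK_IOCS)).items():
        print(index, SAMPLE_LOG_EVENTS[index]["src_ip"], sorted(reasons))
```

The matcher reports several reasons per event on purpose: an ip:port hit on 45.144.29.185:8080 alone is weaker evidence than the same hit combined with one of the listed URIs, and an analyst reviewing the output can weigh them accordingly.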

Final words

A pcap of the infection traffic and the associated malware can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net


Adversary Simulation with Sim, (Tue, Mar 2nd)

One of the best ways to test your detection portfolio is to emulate user actions on monitored systems.

I spotted Sim via Twitter and was immediately intrigued, as I advocate strongly for any tools and features that enable configurable adversary emulation. Adversary emulation enables blue teams to validate and optimize their detection portfolio and thus determine the true efficacy of their detective capabilities. I do not consider any detection that has not been tested via direct purple or red team engagement, or via automated adversary emulation, as production ready. Per her GitHub repo, Hope Walker’s Sim is a C# application, configured via an XML file, that performs tasks based on the configuration to resemble user actions on a system in order to facilitate training and education. As a long time SOC and DFIR manager, training for me includes “training” detection and models to ensure optimal performance. IceMoonHSV’s projects appear to be fairly recent contributions to our community; I applaud Hope’s work here and offer a hearty welcome.

Again, referring to her repo content, user actions can be scripted using the task block in an XML configuration file where tasks are comprised of two components:

  • Task configuration: three configuration tags determine the name of the task (for error tracing and configuration), the number of times the task will , and how long to  between each action.
  • Task actions: Many actions can be configured but it is recommended to maintain task granularity for more narrow, specified testing. Create multiple, scenario based config files, and run individual tests instead. Sim execute  as part of user simulation. Sim performs each action as if scripted, executing one action after the other in sequential order. Sim does not wait for one action to complete before starting another, thus the importance of the  and  tags.

Read the rest of Hope’s documentation for yourselves, there are plenty of details as to action configurations including , and  for plain text typed as if a user typing sequentially. There are numerous special key options as well as the ability to call executables via  and run PowerShell commands with .

I built Sim in Visual Studio; it’s posted to GitHub as a source-only project but with a solution file so compiling your own sim.exe is quick and easy. I also created a copy of the admindemo.xml file found in XMLExamples, saved it as sim_toolsmith_demo.xml and made some tweaks to create a more adversarial user.
I’ve shared my modifications for your use and consideration as a Gist.

Calling my demo file with sim.exe is as easy as Sim.exe sim_toolsmith_demo.xml (unique to your file structure) at an admin command prompt.

Sim

Figure 1: Sim with actions config file

Rather than talk about it, I captured a video to exhibit Sim’s run through my adversarial user configuration file. Imagine this adversary as a script kiddie who has popped a system and is now searching for hacker tools to expand terrain. You’ll note PowerShell calls as well as command prompt actions. Actions also include Google searches, including multiple browser tabs, as well as keyboard tabs to land on desired search content. This config also saves the Windows Security event log, noteworthy because it could just as easily have cleared it, which should always trigger an alert.

Sim demo video

As you can see, Sim does a great job of emulating user behaviors, and can easily be configured to conduct far more adversarial behaviors as desired. This particular demonstration would likely trigger alerts for web filtering rules intended to block access to hacker tools. Detections that make use of PowerShell logging could certainly be easily tested here as well. And again, if the Security event log had been cleared instead of simply written off to a file, any detection rules or signatures monitoring the 1100 series of Windows Event Logs would have triggered, particularly Event ID 1102 – The audit log was cleared.
I assert that Sim could be batched and automated. You could deploy an entire range of adversary emulations to a central share then call a master file during a desired and scheduled test or emulation window. Group Policy is even an option. Obviously, it is not recommended to fire off Sim jobs designed to emulate adversarial behavior without working with your leadership and any teams who may be monitoring user behaviors. Much like penetration testing, definitely ask for written permission rather than forgiveness after the fact.
I hope Hope will keep developing against this project; the possibilities are endless for adversary emulation scenarios, and Sim is really light and highly flexible. It’s great work, please safely give it a go for yourselves!
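One of the detections the text says such a run would exercise, written out as an added example (not part of the diary or of Sim): a rule over Windows Security events that alerts on the Microsoft-Windows-Eventlog provider’s 1100-series events, Event ID 1102 included, and names the account that cleared the log. The records are constructed in the XML layout Event Viewer’s XML view shows; the computer name, user name and SID are placeholders.

```python
"""Alert on Windows Security events that indicate audit-log tampering.
Added example, not part of the diary or of Sim: the kind of detection the text
says an emulation run should exercise. Records are constructed in the XML
layout Event Viewer's XML view shows; host, user and SID are placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "e": "http://schemas.microsoft.com/win/2004/08/events/event",
    "l": "http://manifests.microsoft.com/win/2004/08/windows/eventlog",
}

# Microsoft-Windows-Eventlog provider IDs that matter in the Security channel.
EVENTLOG_IDS = {
    1100: "The event logging service has shut down",
    1102: "The audit log was cleared",
    1104: "The security log is now full",
}

SAMPLE_EVENTS = [
    # An ordinary logon (4624): must not alert.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2021-03-02T15:01:00.000000Z"/><Channel>Security</Channel>
    <Computer>WIN10-LAB.lab.example</Computer></System>
  <EventData><Data Name="TargetUserName">simuser</Data></EventData></Event>""",
    # Security log cleared: the 1102 the text mentions; the actor is in UserData.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
    <TimeCreated SystemTime="2021-03-02T15:04:05.000000Z"/><Channel>Security</Channel>
    <Computer>WIN10-LAB.lab.example</Computer></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
    <SubjectUserSid>S-1-5-21-0-0-0-1001</SubjectUserSid><SubjectUserName>simuser</SubjectUserName>
    <SubjectDomainName>LAB</SubjectDomainName><SubjectLogonId>0x3e7</SubjectLogonId>
  </LogFileCleared></UserData></Event>""",
    # Event logging service stopped (1100): another tampering signal.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1100</EventID>
    <TimeCreated SystemTime="2021-03-02T15:04:09.000000Z"/><Channel>Security</Channel>
    <Computer>WIN10-LAB.lab.example</Computer></System></Event>""",
]


def parse_event(xml_text):
    """Reduce one event record to the fields a detection rule needs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    user = root.findtext("e:UserData/l:LogFileCleared/l:SubjectUserName", None, NS)
    domain = root.findtext("e:UserData/l:LogFileCleared/l:SubjectDomainName", None, NS)
    return {
        "event_id": int(system.findtext("e:EventID", "0", NS)),
        "provider": system.find("e:Provider", NS).get("Name"),
        "channel": system.findtext("e:Channel", "", NS),
        "computer": system.findtext("e:Computer", "", NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "subject": f"{domain}\\{user}" if user else None,
    }


def detect_log_tampering(records):
    """Alert on 1100-series Eventlog-provider events in the Security channel."""
    alerts = []
    for record in records:
        event = parse_event(record)
        if (event["provider"] == "Microsoft-Windows-Eventlog"
                and event["channel"] == "Security"
                and event["event_id"] in EVENTLOG_IDS):
            event["message"] = EVENTLOG_IDS[event["event_id"]]
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in detect_log_tampering(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['computer']} EventID {alert['event_id']}: "
              f"{alert['message']} (subject: {alert['subject']})")
```

Saving the log to a file, as the demo configuration does, produces none of these events; clearing it produces the 1102 with the clearing account in UserData, which is exactly the difference a Sim scenario lets you confirm your rule sees.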

Cheers…until next time.

Russ McRee | @holisticinfosec



Fun with DNS over TLS (DoT), (Mon, Mar 1st)

Going back a few weeks, we discussed how DNS over HTTPS (DoH) works (https://isc.sans.edu/forums/diary/Fun+with+NMAP+NSE+Scripts+and+DOH+DNS+over+HTTPS/27026/) – very much as an unauthenticated API over HTTPS.  But DNS over TLS (DoT) has been with us for a fair bit longer (May 2016), so why haven’t we heard about it as much?

After wrestling with it for a bit, I can tell you why!

DoH is easy to work with, since we have so many HTTPS tools at our disposal.  Plus DoH was first implemented in browsers, and the browser developers *live* in HTTPS, so DoH is a cake-walk for them.  DNSSEC is basically plain old unencrypted DNS, but with signature records.

DoT on the other hand is a whole ‘nother beast.  It’s still basic DNS, but encapsulated in TLS.  So to make DoT calls we need a toolset to create TLS packets, then send and validate them using the certificate at the server side.  So the first tool that came to my mind of course was scapy, but read on, I used an easier method ..
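What that encapsulation amounts to, as an added example that is not from the diary: a minimal DoT client in Python. The DNS message is ordinary RFC 1035 wire format, the 2-byte length prefix is the same framing DNS already uses over TCP, and the only new ingredient is the TLS wrap with certificate validation and SNI (the server_name parameter does what kdig’s +tls-hostname option, discussed further down, does). The constructed_response() helper is a hand-built stand-in for a live answer, mirroring the two isc.sans.edu A records shown later in the kdig output; query_dot() is the only function that needs network access.

```python
"""Minimal DNS-over-TLS (DoT) client: RFC 1035 wire format, 2-byte TCP length
framing, wrapped in TLS with certificate validation and SNI. Added example, not
from the diary; only query_dot() touches the network, the rest runs offline."""
import os
import socket
import ssl
import struct

DOT_PORT = 853
QTYPES = {"A": 1, "AAAA": 28}


def build_query(qname, qtype="A", txid=0x1234):
    """DNS query: 12-byte header (RD set, one question) plus the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", QTYPES[qtype], 1)  # QCLASS IN


def frame_tcp(message):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if jumped else offset


def parse_response(message, expected_txid=None):
    """Return [(name, ttl, rdata)] for the answer section of a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(message, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(message, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata = message[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, ttl, value))
    return answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS connection closed early")
        buf += chunk
    return buf


def query_dot(server_ip, qname, qtype="A", server_name=None, timeout=5.0):
    """One query over DoT. server_name plays the role of kdig's +tls-hostname:
    it is sent as SNI and must match the certificate, so the resolver can be
    addressed by IP, e.g. query_dot("8.8.8.8", "isc.sans.edu", server_name="dns.google")."""
    ctx = ssl.create_default_context()  # system CA bundle, hostname check on
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server_ip) as tls:
            tls.sendall(frame_tcp(build_query(qname, qtype, txid)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length), txid)


def constructed_response(txid=0x4242):
    """Offline stand-in for a live answer: the two isc.sans.edu A records
    (TTL 4) shown in the kdig output, encoded by hand with name compression."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)  # qr rd ra, NOERROR
    question = b"\x03isc\x04sans\x03edu\x00" + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 4, 4) + socket.inet_aton(ip)
                   for ip in ("45.60.103.34", "45.60.31.34"))
    return header + question + rrs
```

The transaction-id check in parse_response() is the one piece of DNS self-protection that still matters inside TLS: the channel authenticates the resolver, but a mismatched id still indicates a confused or misbehaving peer and should not be silently accepted.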

To allow all of the mentioned DNS protocols to live on one server, DoT lives on tcp/853.  This makes for an easy NMAP scan if you’re looking for this service.  NMAP tags the port correctly, but an NMAP version scan (-sV) won’t identify  the DoT service.  It will however find some critical strings in the fingerprint, things like “DNSVersionBindReqTCP” and “DNSStatusRequestTCP” – so a version scan will validate the service enough for your eyes to see it, without calling it out definitively.  You can also of course validate the certificate on port tcp/853 using NMAP’s ssl-cert.nse script or openssl:

nmap -p853 --script ssl-cert 8.8.8.8

Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 07:55 Eastern Standard Time
Nmap scan report for 8.8.8.8
Host is up (0.012s latency).

PORT    STATE SERVICE
853/tcp open  domain-s
| ssl-cert: Subject: commonName=dns.google/organizationName=Google LLC/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:dns.google, DNS:*.dns.google.com, DNS:8888.google, DNS:dns.google.com, DNS:dns64.dns.google, IP Address:2001:4860:4860:0:0:0:0:64, IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:8844, IP Address:2001:4860:4860:0:0:0:0:8888, IP Address:8.8.4.4, IP Address:8.8.8.8
| Issuer: commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-26T08:54:07
| Not valid after:  2021-04-20T08:54:06
| MD5:   9edd 82e5 5661 89c0 13a5 cced e040 c76d
|_SHA-1: 2e80 c54b 0c55 f8ad 3d61 f9ae af43 e70c 1e67 fafd

Nmap done: 1 IP address (1 host up) scanned in 24.43 seconds

Me, I took the easy way out for DoT queries and installed the knot-dnsutils (sudo apt-get install knot-dnsutils), which installs kdig to do all the heavy lifting for me.  As the name implies, kdig does just about everything that dig does, but for this task gives you parameters to make DoT queries.

So an A record query over DoT from kdig looks very much like the output of a DNS query with dig:

$ kdig @dns.google.com +tls-ca  isc.sans.edu A
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 57540
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 391 B

;; QUESTION SECTION:
;; isc.sans.edu.                IN      A

;; ANSWER SECTION:
isc.sans.edu.           4       IN      A       45.60.103.34
isc.sans.edu.           4       IN      A       45.60.31.34

;; Received 468 B
;; Time 2021-03-01 04:58:51 PST
;; From [email protected](TCP) in 38.9 ms

Note all the TLS session info at the top, and the port number in the last line.

As you’d expect, if you’re just after answers you can use the +short parameter:

# kdig @dns.google.com +tls-ca +short www.coherentsecurity.com AAAA

robvandenbrink.github.io.

.. yup, I host my website on github, handiest github feature ever (ok, maybe not the handiest, but still pretty darned handy)

Other handy parameters in kdig?

  • Just as in dig, you can always tack on the “-d” parameter for debug output
  • +tls-hostname can be used to override the server name during TLS negotiation.  This means you can even use the server’s IP address when you use this parameter.
  • Related to tls-hostname, +tls-sni adds the Server Name Indication field to the request

Without constructing the TLS packet, how can I use DoT in an NMAP script?  I again took the easy way out and used kdig, in combination with the Lua function os.execute.  Yup, in the time honoured tradition of coding laziness I shelled out and executed the matching OS command!  In the DoH script I wrote, I did a quick check to make sure that the host was running HTTP services on port 443 with “shortport.http”.  In the DoT script I changed this to ensure that TLS is running on the scanned port, using the “shortport.ssl” check.  An example scan is shown below:

$ nmap -p853 --script dns-dot.nse 8.8.8.8 --script-args target=www.cisco.com,query=AAAA

Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 05:13 PST
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.017s latency).

PORT    STATE SERVICE
853/tcp open  domain-s
| dns-dot:
|   www.cisco.com.akadns.net.
|   wwwds.cisco.com.edgekey.net.
|   wwwds.cisco.com.edgekey.net.globalredir.akadns.net.
|   e2867.dsca.akamaiedge.net.
|   2607:f798:d04:189::b33
|_  2607:f798:d04:191::b33

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

You can find the DoT script here: https://github.com/robvandenbrink/dns-dot . So if you’re interested in combining NMAP scans with different OS commands you’re welcome to review the source code and use whatever you need!

Do you have a handy nmap script that uses os.execute to do the “behind the scenes” work?  Please, share a link in our comment form!

 

References:
DoT RFC: https://tools.ietf.org/html/rfc7858
Usage Profiles for DNS over TLS and DNS over DTLS: https://tools.ietf.org/html/rfc8310
knot-dnsutils: https://www.knot-dns.cz/


===============
Rob VandenBrink
robcoherentsecurity.com
