What is DNS over TLS (RFC 7858)?

There is a new security mechanism coming to DNS called DNS over TLS. The current DNS infrastructure uses UDP traffic that is sent in clear text, which means it can be read by anyone sniffing the traffic. For some, DNS over TLS also provides that extra privacy.


The current DNS implementations use UDP port 53 to accept connections from clients. The traditional DNS setup has no encryption and no real spoofing protection, as UDP inherently has no security mechanism or checks on the source of the traffic.

With DNS over TLS, the client and the server establish a secure channel over TCP port 853. There is a handshake between the client and the server, and the traffic is then protected using TLS.

If you are not familiar with TLS (Transport Layer Security), it is a technology that provides encryption; it is commonly used in websites and VPNs.
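To make the TCP/853 exchange concrete, here is an added example (not from the RFC or from this post) of a minimal DoT client in Python: it builds a DNS query in wire format, adds the two-byte length prefix that DNS over TCP and DNS over TLS both require, and sends it over a verified TLS session. The resolver IP and certificate name passed to resolve_over_tls are whatever your own DoT resolver uses; nothing on the network is touched until that function is called.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858: DNS over TLS uses TCP port 853

def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Build a minimal DNS A-record query in RFC 1035 wire format (RD flag set, one question)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame(msg: bytes) -> bytes:
    """Prefix the message with its two-byte big-endian length; DoT reuses the DNS-over-TCP framing."""
    return struct.pack("!H", len(msg)) + msg

def unframe(stream: bytes) -> bytes:
    """Return the first complete DNS message from a length-prefixed byte stream, or raise if truncated."""
    if len(stream) < 2:
        raise ValueError("short read: no length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("short read: message truncated")
    return stream[2:2 + length]

def recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    """Read exactly n bytes; TLS records do not line up with DNS message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection mid-message")
        buf += chunk
    return buf

def resolve_over_tls(name: str, server_ip: str, server_name: str) -> bytes:
    """Send one query to a DoT resolver and return the raw DNS response bytes.

    Uses the strict profile: the resolver's certificate chain and hostname are verified,
    so a man-in-the-middle cannot silently answer as the resolver."""
    ctx = ssl.create_default_context()  # CA verification and hostname check are on by default
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)
```

The response bytes come back in the same RFC 1035 format, so an ordinary DNS parser can read them; the only thing that changed versus port 53 is the transport and the length prefix.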

Software vendors on the host and server side will need to enable support for these types of servers, as there will most likely be a mix of traditional and secure DNS servers for a while before it completely becomes the norm. HTTPS has been around for ages but we still see HTTP sites around, so the transition will be slow.

For security admins, you will need to consider the ramifications of encrypting DNS traffic: we can't see the hostnames being resolved, so content filtering and tools like it will need to adapt.

With cloud blowing up, we can't even block a certain IP, as many websites and content are using shared resources such as AWS or Azure; blocking an IP can potentially block tens or hundreds of websites.

You can read the full RFC for DNS over TLS here: https://tools.ietf.org/html/rfc7858

As of recently, DNS over TLS support is being pushed in the latest versions of the Android OS.


OSINT using SHODAN

You may have heard the term OSINT (Open Source Intelligence). The basics are that you can use public sources to get information about a target during your recon.

There are many tools available to perform this task, such as Google, Maltego, SHODAN etc., but one of them really puts into perspective not only what can be found but just how insecure some devices are.

Meet SHODAN https://www.shodan.io/

Shodan was created as a search engine for devices. For example, if you search “DLINK” you will find all of the D-Link routers and devices found by the crawler. The crawler looks for devices with publicly reachable ports such as HTTP or Telnet.

You can also search by service type such as DNS, and you will see all devices that have port 53 open. Let's take a look.

Here is the SHODAN main page. You can perform some basic searches without a login, but you will need an account for full site access.

(Screenshot: Shodan main page)

A search on D-Link devices brings up the following results; I have removed the IPs.

(Screenshot: D-Link results)

As you can see from above, the search engine has found some services on these devices that are exposed to the internet. Let's drill down on one of them to see what the results are.

As you can see from above, the device has NTP exposed to the internet, a big no-no, as we are aware NTP is used in a lot of DDoS attacks.

You can get creative with your searches. I am not going to do that in this article, but you can take some time to explore the tool.

This tool sheds a lot of light on the issues facing this industry: a lot of consumer devices, and even corporate devices, are improperly configured and exposing these services to the internet.

What's more, some of these devices still have the default credentials!
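The same data is useful from the other side: if you own the devices, you can pull your own IP's Shodan record and check it against what you expect to be exposed. This is an added example and not Shodan's own code; it assumes the record shape returned by the shodan package's host() call (ip_str, plus a data list of banners with port, transport and product), and the sample record below is constructed, not real scan data.

```python
from typing import Dict, List

# Services that normally should not face the internet on consumer or office gear.
# The UDP ones are also classic DDoS amplification sources; NTP is the one seen in the post.
RISKY_PORTS = {23: "telnet", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp", 5060: "sip"}

def fetch_host(api_key: str, ip: str) -> dict:
    """Pull the Shodan host record for one of your own IPs (needs the 'shodan' package and an API key)."""
    import shodan  # imported here so the rest of the file runs without the library installed
    return shodan.Shodan(api_key).host(ip)

def audit_host(host: dict, allowed: Dict[int, str]) -> List[str]:
    """Compare the services Shodan saw on a host with the ports you expect open; return findings."""
    findings = []
    for svc in host.get("data", []):
        port, transport = svc["port"], svc.get("transport", "tcp")
        product = svc.get("product") or "unknown service"
        if port in allowed:
            continue  # documented exposure, e.g. the web UI you meant to publish
        tag = RISKY_PORTS.get(port)
        if tag:
            findings.append(f"{host['ip_str']}: {tag} ({product}) exposed on {transport}/{port}")
        else:
            findings.append(f"{host['ip_str']}: unexpected {product} on {transport}/{port}")
    return findings

# Constructed sample in the shape of a Shodan host() result; 203.0.113.10 is a documentation address.
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",
    "ports": [80, 123, 8080],
    "data": [
        {"port": 80, "transport": "tcp", "product": "lighttpd"},
        {"port": 123, "transport": "udp", "product": "ntpd"},
        {"port": 8080, "transport": "tcp", "product": None},
    ],
}

if __name__ == "__main__":
    for line in audit_host(SAMPLE_HOST, allowed={80: "web ui"}):
        print(line)
```

Run against a real record, each finding is a service to firewall off or a device whose defaults still need changing.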

Let me know what you think about this tool.

Sean

New Attack against WPA2 “KRACK”

Hello Everyone,


A new security flaw has been found in the WPA2 stack: a security researcher was able to manipulate handshake packets in the 4-way WPA handshake and perform a key reinstallation attack.

1.) The basics of this attack are that an attacker would need to be in close range of your network.

2.) The attacker manipulates the 3rd stage of the handshake process, which tricks the client into installing a key that is already in use, thus allowing the attacker to read all of the traffic that should be encrypted via WPA.

It has been found that Linux, Mac and Android devices are most vulnerable, since an implementation bug allows the devices to install an all-zero key.
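Why reinstalling a key that is already in use is so damaging comes down to nonce reuse, and the fix on the client side is simply to refuse the reinstall. The added example below (not the researcher's code and not real 802.11; the "cipher" is a toy SHA-256 counter-mode keystream standing in for CCMP's counter mode) shows an unpatched supplicant resetting its packet number on a replayed message 3, so two frames share a keystream and XORing the ciphertexts exposes the XOR of the plaintexts, and a patched one that keeps the counter running and leaks nothing.

```python
import hashlib
import os
from typing import Optional, Tuple

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || block) concatenated. Illustrative only."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Client side of the 4-way handshake: installs the PTK on message 3 and numbers frames with a nonce."""
    def __init__(self, reject_reinstall: bool):
        self.reject_reinstall = reject_reinstall  # True models the patched behaviour
        self.ptk = None
        self.nonce = 0

    def on_message3(self, ptk: bytes) -> None:
        if self.ptk is not None and self.reject_reinstall:
            return                      # patched: key already installed, retransmit does not reset the nonce
        self.ptk = ptk
        self.nonce = 0                  # unpatched: every install resets the packet number

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))

def nonce_reuse_leak(reject_reinstall: bool) -> Optional[bytes]:
    """Replay message 3 between two frames; return p1 XOR p2 if the ciphertexts reveal it, else None."""
    ptk = os.urandom(16)                # constructed session key; real PTKs come from the handshake
    client = Supplicant(reject_reinstall)
    client.on_message3(ptk)
    p1, p2 = b"user=alice&pin=1234", b"user=bob&pin=987654"   # two same-length constructed frames
    n1, c1 = client.encrypt(p1)
    client.on_message3(ptk)             # retransmitted message 3 arriving between the two frames
    n2, c2 = client.encrypt(p2)
    if n1 != n2:
        return None                     # fresh nonce: different keystreams, nothing relates c1 to c2
    return xor(c1, c2)                  # same key and nonce: c1 ^ c2 == p1 ^ p2 without knowing the key
```

This is why the vendor patches matter more than any router change: the reinstall happens on the client, and a patched supplicant simply ignores the duplicate message 3.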

This is a perfect example of why it is important to use a VPN service when connected to public Wi-Fi: if you did fall victim to this attack, it would be ineffective if the traffic were encapsulated in a VPN tunnel.

See below for a demo of this attack from the researcher who found the exploit.


It is highly recommended to check your router for firmware updates; if none are available, it may be time to replace your Wi-Fi router to better protect yourself.

Also, you will want to check for software patches for your operating systems to patch this vulnerability.

With sources from securityaffairs.co/wordpress/64373/breaking-news/wpa-krack-attack.html

Awesome DDoS Lookup tool

In my day-to-day job, I have been responsible for mitigating DDoS attacks and making sure that they are detected in a timely manner.

The company I work for has an awesome platform to mitigate DDoS attacks, which has an alert system and analytics, but I came across a public tool where you can enter an IP or domain and check if there has been a DDoS against that target.

Check out https://ddosmon.net/

(Screenshot: DDoS Mon front page)

DDoS Mon gets data from telecoms and other sources around the world to compile a list of DDoS attacks. I have personally used this tool and compared it to known real attacks, and let me tell you, this tool is very accurate. It's great to be able to quickly search for attacks; it's also easy to use the URL to search for an attack.

For example, you can use https://ddosmon.net/explore/4.2.2.2 to search for attacks against 4.2.2.2 (Level 3 DNS servers).

There is also an API that returns JSON data so you can parse it; you need to create an account to get API access.

When searching for attacks against this IP, we see the result below.

(Screenshot: DDoS Mon attack view)

The latest attack was a UDP-style attack against this IP.

The site also provides valuable insights into DDoS traffic on a global scale; check out https://ddosmon.net/insight/

Here is a snippet of some interesting data; there is much more on the site.

(Screenshot: DDoS Mon insights)

In conclusion, this tool is very useful and can be incorporated as another tool in a SOC environment, or for any business that suspects it may have experienced attacks but doesn't have the resources to check.

This tool is also great for research purposes.

I would like to know what you think about this tool! Send me an email with your thoughts or leave a comment!

Have a good day !

Sean


Where have I been?

Hey, Everyone,

I have been AFK for a bit; I had some laser eye surgery done. Or, as I like to say, patches for my buggy eyes!

I am recovering well and am pretty much back to normal. I am still having some blurred vision when looking at my PC, but it's minimal now.

I will be releasing new videos soon to my YouTube channel!

Thanks for sticking with me and I can’t wait to start making some new videos and getting back to normal!

I’ll see you soon!

Sean Mancini