THE DFIR BLOG

Fast Flux - DNS

9/7/2019

 
The Domain Name System (DNS) is one of the most common protocols. We use it many times a day without realizing it, most visibly when it converts a domain name into an IP address. Think of it as the glue between humans and the network. Newer Content Delivery Networks (CDN) use DNS to make sure a client is sent to the server closest to its geography.

In today's post we are going to talk about a common DNS technique used by malware called Fast Flux. It may fall under the "Command and Control" category of the MITRE ATT&CK framework.

To avoid being blocked, a malware operator quickly changes the IP addresses a hostname resolves to, so every time you query the hostname you get a different IP address. The time to live (TTL) of each record is usually around 300 seconds. This technique is most commonly used by botnets. A key thing to remember: the DNS servers participating in fast flux are usually there for malicious purposes.

Investigation tips:

TTL < 300 seconds
DNS count (distinct IP addresses resolved for one hostname) > 12
Recently registered domain
Learn more about Fast Flux: http://www.honeynet.org/node/136
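The three investigation tips above can be turned into a small triage script. The example below is added here and is not from the post or from the Honeynet Project; the DNS answers and registration dates it runs over are constructed (hypothetical hostnames in the example.com/example.net namespace), and the thresholds are the ones the post gives: TTL under 300 seconds, more than 12 distinct IPs for one name, and a domain registered within the last 30 days (the 30-day window is an assumption, since the post does not quantify "recently").

```python
"""Fast-flux triage over passive-DNS style records (added example, not from the post).

Each answer is a constructed (hostname, returned A record, TTL in seconds) tuple,
standing in for rows pulled out of a DNS log or passive-DNS feed. Registration
dates are a constructed stand-in for a WHOIS lookup result.
"""
from collections import defaultdict
from datetime import date

# Constructed sample answers: a CDN-like name with two stable IPs and a long TTL,
# and a hypothetical name that flips through 15 IPs with a 120 s TTL.
SAMPLE_ANSWERS = [
    ("cdn.example.com", "203.0.113.10", 86400),
    ("cdn.example.com", "203.0.113.11", 86400),
] + [("update.example.net", f"198.51.100.{i}", 120) for i in range(1, 16)]

# Constructed registration dates (hypothetical WHOIS result), keyed by registrable domain.
SAMPLE_REGISTRATION = {
    "example.com": date(2005, 3, 1),
    "example.net": date(2019, 8, 30),
}

TTL_THRESHOLD = 300        # seconds; from the post's investigation tips
IP_COUNT_THRESHOLD = 12    # distinct IPs for one hostname; from the post
RECENT_DAYS = 30           # assumption: what counts as "recently registered"


def registrable_domain(hostname):
    """Crude last-two-labels heuristic; a real tool would use the Public Suffix List."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def score_fast_flux(answers, registration, today):
    """Return {hostname: [indicator, ...]} for every host with at least one indicator."""
    ips = defaultdict(set)
    min_ttl = {}
    for host, ip, ttl in answers:
        ips[host].add(ip)
        min_ttl[host] = min(ttl, min_ttl.get(host, ttl))

    findings = {}
    for host in ips:
        hits = []
        if min_ttl[host] < TTL_THRESHOLD:
            hits.append(f"low_ttl:{min_ttl[host]}")
        if len(ips[host]) > IP_COUNT_THRESHOLD:
            hits.append(f"many_ips:{len(ips[host])}")
        reg = registration.get(registrable_domain(host))
        if reg is not None and (today - reg).days <= RECENT_DAYS:
            hits.append(f"recent_registration:{reg.isoformat()}")
        if hits:
            findings[host] = hits
    return findings


def demo(today=date(2019, 9, 7)):
    """Run the triage over the constructed sample; date defaults to the post's date."""
    return score_fast_flux(SAMPLE_ANSWERS, SAMPLE_REGISTRATION, today)


if __name__ == "__main__":
    for host, hits in demo().items():
        print(host, ", ".join(hits))
```

Any one indicator on its own is weak: CDNs, as the post notes, legitimately hand out short TTLs and many IPs, so treat a host as interesting when several indicators line up, and confirm with the registration date and with what the resolved IPs actually are (residential or hosting ranges, spread across many ASNs).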


Hack the Box - MarketDump

6/17/2019

 
This forensics CTF challenge is from Hackthebox.eu. See the details of the challenge and download the file from this link:
https://www.hackthebox.eu/home/challenges/Forensics

We have been informed that a hacker managed to get into our internal network after pivoting through the web platform that runs on the public internet. He managed to bypass our small product stock logging platform and then he got our customer database file. We believe that only one of our customers was targeted. Can you find out who the customer was?

They have provided a pcap file for the analysis. Open it in Wireshark and use Follow TCP Stream.
Once you start following TCP streams, you'll find the exfiltrated data in stream 1056.
Scroll down and review the content; it's fairly easy to spot the encoded flag in the data.
Use the CyberChef Magic recipe to decode the flag.
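CyberChef's Magic recipe works by trying common decodings against the input and keeping the ones that yield readable text. The script below does the same thing over the text of a followed TCP stream, so the step can be repeated without a browser. It is an added example, not part of the write-up or of Hack the Box; the stream content is constructed (the real flag is not reproduced), and the flag shape `HTB{...}` is assumed as the thing to look for.

```python
"""Pull encoded tokens out of a reassembled TCP stream and try common decodings.

Added example, not from the post or from Hack the Box. SAMPLE_STREAM is a
constructed stand-in for what Wireshark's "Follow TCP Stream" shows.
"""
import base64
import binascii
import codecs
import re

# Constructed stream text: an export request followed by CSV rows, one of which
# carries a base64-encoded flag. The flag value here is a placeholder.
SAMPLE_STREAM = (
    "GET /export?table=customers HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"
    "id,name,card\r\n"
    "1,Jane Doe,4111111111111111\r\n"
    "...\r\n"
    "note," + base64.b64encode(b"HTB{constructed_example_flag}").decode() + "\r\n"
)

BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_TOKEN = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")
FLAG_SHAPE = re.compile(rb"HTB\{[^}]+\}")   # assumed flag format


def try_decodings(token):
    """Yield (method, plaintext) for each decoding that produces printable ASCII."""
    attempts = []
    try:
        attempts.append(("base64", base64.b64decode(token, validate=True)))
    except (binascii.Error, ValueError):
        pass
    try:
        attempts.append(("hex", bytes.fromhex(token)))
    except ValueError:
        pass
    attempts.append(("rot13", codecs.encode(token, "rot_13").encode()))
    for method, data in attempts:
        if data and all(32 <= b < 127 for b in data):
            yield method, data


def find_flags(stream_text):
    """Return [(token, method, decoded)] for every token that decodes to the flag shape."""
    hits = []
    tokens = set(BASE64_TOKEN.findall(stream_text)) | set(HEX_TOKEN.findall(stream_text))
    for token in sorted(tokens):
        for method, data in try_decodings(token):
            if FLAG_SHAPE.search(data):
                hits.append((token, method, data.decode()))
    return hits


if __name__ == "__main__":
    for token, method, decoded in find_flags(SAMPLE_STREAM):
        print(f"{method}: {token} -> {decoded}")
```

To get the real stream text out of the capture without clicking through Wireshark, `tshark -r capture.pcap -q -z follow,tcp,ascii,1056` dumps stream 1056 (the stream number is the one from the write-up; the file name is a placeholder), and its output can be fed to `find_flags`.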

Marshal in the Middle

3/10/2019

 
Hack the Box forensic challenge library:
The security team was alerted to suspicious network activity from a production web server. Can you determine if any data was stolen and what it was?

Solution:
Hackthebox provides the following data: a pcapng file and a lot of Bro logs.
While reviewing the log files, I noticed pastebin.com access from IP 10.10.20.13.
Decrypt the data using the secrets.log file provided by Hackthebox to view the content in plain text.
Followed the TCP stream for ip.addr == 10.10.20.13.
There was a POST request made (as seen in the screenshot above). Filter packets by HTTP POST.
Credit card data in plain text.
Hack the Box key below:
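The pivot in this solution, from "a lot of Bro logs" to one suspicious host, is the part worth automating. The example below is added here and is not from the post or from Hack the Box: it parses Zeek/Bro `http.log` records using their `#fields` header and flags outbound POSTs to paste sites or with large request bodies. The log lines are constructed (trimmed to a subset of Zeek's real columns) and use documentation IP ranges; only the internal source 10.10.20.13 and the pastebin.com destination come from the write-up, and the 10 KiB body threshold is an assumption.

```python
"""Triage a Zeek/Bro http.log for suspicious outbound POSTs (added example, not from the post).

SAMPLE_HTTP_LOG is constructed in Zeek's tab-separated format with a reduced set of
columns; the parser reads the #fields header, so it works on a full http.log too.
"""
import ipaddress

SAMPLE_HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi\trequest_body_len\tresponse_body_len\tstatus_code
1552212000.1\tC1\t10.10.20.13\t51000\t10.10.20.5\t80\t1\tGET\tintranet.local\t/\t0\t5120\t200
1552212010.2\tC2\t10.10.20.13\t51002\t203.0.113.21\t443\t1\tPOST\tpastebin.com\t/api/api_post.php\t48211\t40\t200
1552212020.3\tC3\t10.10.20.14\t51010\t198.51.100.34\t80\t1\tGET\texample.com\t/index.html\t0\t1256\t200
1552212030.4\tC4\t10.10.20.13\t51020\t10.10.20.7\t8080\t1\tPOST\tapi.local\t/login\t64\t128\t200
"""

INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
PASTE_SITES = {"pastebin.com"}          # extend with other paste/file-drop services as needed
BODY_THRESHOLD = 10 * 1024              # assumption: a large request body for an interactive client


def parse_zeek(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def suspicious_posts(text):
    """Return [(uid, source_ip, host, reasons)] for outbound POSTs worth a closer look."""
    findings = []
    for rec in parse_zeek(text):
        if rec["method"] != "POST" or is_internal(rec["id.resp_h"]):
            continue
        reasons = []
        if rec["host"] in PASTE_SITES:
            reasons.append("paste_site")
        if int(rec["request_body_len"]) >= BODY_THRESHOLD:
            reasons.append("large_body")
        if reasons:
            findings.append((rec["uid"], rec["id.orig_h"], rec["host"], reasons))
    return findings


if __name__ == "__main__":
    for uid, src, host, reasons in suspicious_posts(SAMPLE_HTTP_LOG):
        print(uid, src, "->", host, ",".join(reasons))
```

Once the source host is known, the rest of the solution follows in Wireshark: load secrets.log as the TLS (Pre)-Master-Secret log (or `tshark -o tls.keylog_file:secrets.log`), filter on `ip.addr == 10.10.20.13 && http.request.method == "POST"`, and read the decrypted request body.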