Our guest, Johannes Ullrich from the SANS Institute, joins Dave to discuss his research on “Machine Learning Risks: Attacks Against Apache NiFi.” Using the SANS honeypot network, researchers collected some interesting data about a threat actor currently going after exposed Apache NiFi servers.
Researchers state, “On May 19th, our distributed sensor network detected a notable spike in requests for ‘/nifi.’” Investigating further, they instructed a subset of their sensors to forward requests to an actual Apache NiFi instance, and within a couple of hours the honeypot was completely compromised.
New Chrome Feature Scans Password-Protected Files for Malicious Content
Google said it’s adding new security warnings when downloading potentially suspicious and malicious files via its Chrome web browser.
“We have replaced our previous warning messages with more detailed ones that convey more nuance about the nature of the danger and can help users make more informed decisions,” Jasika Bawa, Lily Chen, and Daniel Rubery from the Chrome Security team said.
PolarDNS – A Free DNS Server For Vulnerability Research & Pentesting
DNS (Domain Name System) resolves human-readable domain names into IP addresses. In vulnerability research and pentesting, analyzing DNS can reveal the following potential attack vectors that help in identifying security flaws:-
Subdomain enumeration
Misconfigurations
DNS-related vulnerabilities
Besides this, the DNS data can also provide insights into the network infrastructure, which helps map potential targets.
Oryxlabs recently launched a free DNS server written in Python 3.x for vulnerability research and pentesting, dubbed “PolarDNS.”
PolarDNS
PolarDNS lets its operator craft fully custom DNS responses for a range of DNS protocol testing purposes. It can be used to test:-
DNS resolvers (server-side)
DNS clients
DNS libraries
DNS parsers and dissectors
Any software handling DNS information
PolarDNS gives its operator full control over the DNS protocol layer and serves queries over both transports:-
UDP protocol
TCP protocol
It is also capable of producing the following DNS responses:-
Non-standard DNS responses
Non-compliant DNS responses
DNS responses violating the RFC standards
Malformed DNS responses
This makes it useful for the following purposes:-
Functional testing
RFC compliance
Vulnerability research
Features & Response Modifiers
To produce diverse DNS responses, PolarDNS offers numerous built-in features and response modifiers.
Combining them creates countless response variants, enabling tests of how receivers handle unusual, abnormal, and malformed DNS responses, i.e. of their technical robustness.
The responses produced by PolarDNS can contain, among other things:-
Alias (CNAME) chains and alias loops
DNS header malformations (ID, Flags, number of sections)
Injection of unsolicited records (cache poisoning)
Injection of arbitrary bytes of arbitrary lengths
Incomplete/empty/ NULL byte(s) responses
Compression issues (loops, invalid pointers)
Slowly transmitted chunked responses
Illegal labels or domain name lengths
An arbitrary number of TXT records of arbitrary size
Packet length manipulations (TCP)
Such responses can help uncover weaknesses in the receiving software, including:-
Sloth domain attacks
Phantom domain attacks
Domain lock-up attacks
Cache poisoning
Resource exhaustion
Crashes
DoS
With a basic understanding of Python and the DNS protocol, PolarDNS makes it easy to implement:-
New ideas
Test cases
Features
PoCs
Specific scenarios
How to Run it?
Start the server with:
python polardns.py
By default PolarDNS listens on localhost (127.0.0.1) and handles DNS queries on UDP and TCP port 53 (binding port 53 requires elevated privileges on most systems).
To check that it is working, run the following sample queries:
In UDP mode: dig always.yourdomain.com @127.0.0.1
In TCP mode: dig always.yourdomain.com @127.0.0.1 +tcp
The response should include an A record with the IP address 2.3.4.5. If the server returns the A 2.3.4.5 record, PolarDNS is functioning correctly.
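As an added example, not code from PolarDNS or from the article, the following standard-library Python script performs the health check above over both UDP and TCP (including the two-byte length prefix that DNS over TCP requires), and its name decoder rejects the compression loops, invalid pointers, over-long labels and truncated records that the Features section lists as PolarDNS test cases, so it doubles as a small model of the resolver-side hardening such responses are meant to exercise. The two sample messages are constructed for the example rather than captured from a PolarDNS server; the server address, port and query name follow the article's defaults.

```python
import socket
import struct

DNS_A = 1     # A record type
DNS_IN = 1    # IN class


def build_query(name: str, txid: int = 0x1234, qtype: int = DNS_A) -> bytes:
    """Build a standard recursion-desired DNS query for `name`, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, DNS_IN)


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name at `offset`; return (name, next_offset).

    Raises ValueError on a pointer loop or self-pointer, a forward pointer,
    a pointer or label running off the end, a label over 63 bytes, or a name
    over 255 bytes (all are things a malformed-response test server can send).
    """
    labels, seen, total, end, pos = [], set(), 0, None, offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if end is None:
                end = pos + 2                           # name ends at first pointer
            if ptr in seen or ptr >= pos:               # loop, self-ref or forward ref
                raise ValueError(f"bad compression pointer to offset {ptr}")
            seen.add(ptr)
            pos = ptr
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length > 63:
            raise ValueError("label longer than 63 bytes")
        pos += 1
        if length == 0:
            break
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 bytes")
        if pos + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels) + ".", (end if end is not None else pos)


def parse_answers(msg: bytes) -> list[tuple[str, int, int, bytes]]:
    """Return (owner, type, ttl, rdata) for every record in the answer section."""
    if len(msg) < 12:
        raise ValueError("header too short")
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    pos = 12
    for _ in range(qd):                                 # skip question section
        _, pos = read_name(msg, pos)
        pos += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise ValueError("truncated resource record header")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(msg):
            raise ValueError("RDATA runs past end of message")
        answers.append((owner, rtype, ttl, msg[pos:pos + rdlen]))
        pos += rdlen
    return answers


def has_a_record(msg: bytes, name: str, ip: str) -> bool:
    """The article's check: does the reply carry an A record for name -> ip?"""
    want_owner, want_ip = name.rstrip(".") + ".", socket.inet_aton(ip)
    return any(o == want_owner and t == DNS_A and r == want_ip
               for o, t, _ttl, r in parse_answers(msg))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(name: str, server: str = "127.0.0.1", port: int = 53) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_query(name), (server, port))
        return s.recv(4096)


def query_tcp(name: str, server: str = "127.0.0.1", port: int = 53) -> bytes:
    q = build_query(name)
    with socket.create_connection((server, port), timeout=3.0) as s:
        s.sendall(struct.pack("!H", len(q)) + q)        # RFC 1035 4.2.2 length prefix
        (n,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, n)


# Constructed sample replies (not captured from PolarDNS). GOOD_REPLY answers
# always.yourdomain.com with A 2.3.4.5 via a pointer (0xC00C) to the question
# name; LOOP_REPLY's answer owner at offset 39 is a pointer to itself.
_QUESTION = b"\x06always\nyourdomain\x03com\x00" + struct.pack("!HH", DNS_A, DNS_IN)
GOOD_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", DNS_A, DNS_IN, 60, 4)
              + socket.inet_aton("2.3.4.5"))
LOOP_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x27" + struct.pack("!HHIH", DNS_A, DNS_IN, 60, 4)
              + socket.inet_aton("2.3.4.5"))

if __name__ == "__main__":
    for transport in (query_udp, query_tcp):            # live check against PolarDNS
        reply = transport("always.yourdomain.com")
        print(transport.__name__, has_a_record(reply, "always.yourdomain.com", "2.3.4.5"))
```

Running the script against a PolarDNS instance on 127.0.0.1:53 prints `True` for both transports when the server is working; the constructed `LOOP_REPLY` shows the failure mode the pointer checks guard against, which a naive decoder would follow forever.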
Installation
First of all, you have to install Python 3.10 or newer.
Then you have to install PyYAML:
pip3 install pyyaml
Now edit the configuration file polardns.yml and add your domain and nameserver IP addresses.
That’s it, you are done.
Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison
Ukrainian national Vyacheslav Igorevich Penchukov, one of the heads of the notorious JabberZeus cybercrime gang, has pleaded guilty to charges related to his leadership roles in the Zeus and IcedID malware groups. […]