When running a virtual machine (VM) to capture network data, network offloading can distort the capture. This is an issue specific to capturing network data in a virtualized environment. Network offloading can be likened to missing pages in a notebook: a capture taken without offloading is a complete set of notes with all the necessary information, whereas with offloading in effect some crucial pages are missing, making it harder to understand the original context and intent.
Network Offloading: Many modern network cards and VM hosts support network offloading, which lets the NIC or the host handle parts of the TCP protocol stack on behalf of the guest VM.
MSS (Maximum Segment Size): The MSS is the largest amount of data a device is willing to receive in a single TCP segment. Offloading does not change the MSS itself, but it changes how segments are handled, so captured traffic may not show segments as they were actually sent on the wire.
VM Network Stack: The VM's network stack, specifically the virtual NIC, handles TCP segments. Disabling offloading within the VM ensures that packet capture tools see traffic as the VM actually handles it, without NIC-induced alterations.
Impact on Captured Traffic: When offloading is enabled, the virtual NIC or the host might process packets differently, altering their structure in ways that are not reflected accurately in packet captures.
Altered Packet Handling: Offloading features such as TSO (TCP Segmentation Offload) and GRO (Generic Receive Offload) segment or reassemble packets in ways that make the captured data look different from the actual traffic flow, which complicates analysis and debugging.
Obscured TCP Details: Important TCP details, including segment boundaries, can be masked by offloading, making the captured data less representative of true network behavior.
This can lead to challenges when trying to analyze or debug network problems, as the captured data may not accurately represent the true network behavior.
Regular Expressions (regex) are sequences of characters that form search patterns. They are used for matching, searching, and manipulating text, making them incredibly useful for analyzing data, detecting patterns, and automating tasks. In cybersecurity, regex can help identify sensitive information, extract useful data from logs, and detect anomalies.
Volatility is an advanced memory forensics framework used for analyzing RAM dumps. It helps digital forensic investigators and cybersecurity professionals extract valuable information from volatile memory, including processes, registry hives, network connections, and more. This tool is often used in incident response, malware analysis, and CTF challenges due to its ability to dig deep into system states captured at the moment a memory dump is created.
Playbooks for responding to incidents involving Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, and Remote Terminal Units (RTUs) provide a structured, repeatable response process. Each playbook should be tailored to the unique characteristics and operational context of these devices and systems while addressing the specific types of threats they face.
Here is an overview of what these playbooks might look like:
Objective: Identify, contain, and remediate incidents affecting PLCs to prevent unauthorized control, data manipulation, or disruption of physical processes.
This is a short primer on 12 common protocols used in industrial control systems (ICS). The goal of this entry is an at-a-glance understanding of what each protocol is used for and why and how indicators of compromise might be identified in a system that has been attacked.
Introduction: Used in industrial control systems like manufacturing, water treatment, and energy for communication between devices such as PLCs and sensors/actuators.
Overview: A simple, open protocol that runs over serial lines (Modbus RTU) or TCP/IP networks (Modbus TCP).
Indicators of Compromise:
Unexpected traffic from unauthorized IP addresses.
Unusual function codes in Modbus packets.
High frequency of commands indicating reconnaissance or brute-force attempts.
Exploitation Methods:
Man-in-the-Middle (MitM) Attacks: Intercepting and altering messages.
Unauthorized Commands: Sending malicious commands to change configurations or disable processes.
Replay Attacks: Capturing and replaying messages to disrupt operations.
Potential Attack Examples:
MitM Attack: Altering commands to change a pump's setpoint.
Unauthorized Commands: Sending Function Code 5 (Write Single Coil) or Function Code 6 (Write Single Register).
Replay Attack: Replaying captured traffic to repeat commands.
Display Filter Suggestions:
Detect Unauthorized Commands:
modbus.func_code == 5 || modbus.func_code == 6
Useful to identify potentially malicious commands that could alter device configurations.
High Frequency of Commands:
modbus && frame.time_delta < 0.1
Useful for detecting a high volume of commands that could indicate a brute-force attack.
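The same three indicators (unauthorised source address, write function codes, a burst of commands) can be applied outside Wireshark, for example in a monitoring script that reads Modbus/TCP payloads. The following is an added example written for this primer, not code from the original post. It assumes frames given as (timestamp, source IP, TCP payload starting at the MBAP header), an illustrative allowlist of HMI addresses, and the 0.1 s threshold from the filter above applied per source; it goes slightly beyond the page by also treating function codes 15 and 16 (Write Multiple Coils/Registers) as write commands.

```python
"""Added example (not from the original post): apply the Modbus indicators
from the text (unauthorised source, write function codes, command bursts)
to raw Modbus/TCP frames in Python instead of a Wireshark display filter.

Assumptions (mine): frames are (timestamp, src_ip, payload) where payload is
the TCP payload beginning with the MBAP header; the allowlist and the burst
threshold are illustrative; FC15/FC16 are counted as writes alongside FC5/FC6.
"""
import struct
from typing import NamedTuple, Optional

MODBUS_PROTOCOL_ID = 0               # MBAP protocol identifier is always 0
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
BURST_DELTA = 0.1                    # matches `frame.time_delta < 0.1`
AUTHORIZED_MASTERS = {"10.0.0.10"}   # assumed HMI / engineering workstation


class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse MBAP header + PDU. Return None if not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # MBAP length counts unit id + PDU; a mismatch means truncated or non-Modbus data.
    if proto != MODBUS_PROTOCOL_ID or length != len(payload) - 6:
        return None
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def build_request(tid, unit, func, data):
    """Encoder used only to construct the sample traffic below."""
    pdu = bytes([func]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class Frame(NamedTuple):
    ts: float
    src_ip: str
    payload: bytes


# Constructed sample: the HMI polls holding registers (FC3) once a second,
# then an unknown host writes a coil (FC5) and rapidly issues FC6 writes.
SAMPLE_FRAMES = [
    Frame(0.00, "10.0.0.10", build_request(1, 1, 3, b"\x00\x00\x00\x0a")),
    Frame(1.00, "10.0.0.10", build_request(2, 1, 3, b"\x00\x00\x00\x0a")),
    Frame(1.50, "10.0.0.99", build_request(7, 1, 5, b"\x00\x01\xff\x00")),
    Frame(1.52, "10.0.0.99", build_request(8, 1, 6, b"\x00\x10\x00\x64")),
    Frame(1.54, "10.0.0.99", build_request(9, 1, 6, b"\x00\x10\x00\xc8")),
    Frame(1.56, "10.0.0.99", build_request(10, 1, 6, b"\x00\x10\x01\x2c")),
]


def detect(frames, authorized=AUTHORIZED_MASTERS, burst_delta=BURST_DELTA):
    """Return one alert string per indicator hit, in frame order."""
    alerts = []
    last_ts = {}  # src_ip -> timestamp of that source's previous Modbus frame
    for f in frames:
        req = parse_modbus_tcp(f.payload)
        if req is None:
            continue  # not Modbus/TCP (or malformed): out of scope here
        if f.src_ip not in authorized:
            alerts.append(f"unauthorized source {f.src_ip} tid={req.transaction_id}")
        if req.function_code in WRITE_FUNCTION_CODES:
            alerts.append(f"write command from {f.src_ip}: FC{req.function_code} "
                          f"({WRITE_FUNCTION_CODES[req.function_code]})")
        prev = last_ts.get(f.src_ip)
        if prev is not None and f.ts - prev < burst_delta:
            alerts.append(f"command burst from {f.src_ip}: delta={f.ts - prev:.3f}s")
        last_ts[f.src_ip] = f.ts
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FRAMES):
        print(alert)
```

The per-source burst check is deliberately stricter than `frame.time_delta < 0.1`, which measures the gap between any two consecutive frames in the capture; tracking the gap per source avoids flagging a busy but legitimate poller because an unrelated packet arrived in between.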
Tshark is a powerful command-line alternative to Wireshark, especially useful in scenarios where efficiency, automation, and resource constraints are factors. Unlike Wireshark’s GUI, tshark excels in processing large data sets, automating repetitive tasks, and operating in headless environments, making it ideal for large-scale or automated network analysis tasks.
In an era of rapidly evolving technology, many parents who didn't grow up with modern devices need help navigating new advancements. When parents live far away, offering this support becomes more challenging. A secure and efficient remote access system can bridge this gap, allowing for support and troubleshooting. This guide walks through how to set up such a system using WireGuard VPN and TigerVNC, ensuring remote connections are secure and effective without sacrificing performance. In this example, the user has a Unifi Dream Machine as their gateway router, so the Unifi OS interface is used for the local network configuration.
OWASP Juice Shop is an intentionally vulnerable web application created by the Open Web Application Security Project (OWASP) for security training purposes. It simulates a real-world e-commerce site, allowing users to explore and exploit various security vulnerabilities in a safe environment. Key features include:
Wide Range of Vulnerabilities: Juice Shop covers the entire OWASP Top 10, as well as other common security flaws, offering a comprehensive learning experience.
User-Friendly Interface: Despite being intentionally vulnerable, the application has a realistic and user-friendly interface, making it accessible for beginners and useful for experienced testers.
Gamified Learning: It incorporates a gamification aspect where users can track their progress and achievements as they discover and exploit different vulnerabilities.
Extensive Documentation: Juice Shop comes with extensive documentation, tutorials, and guides to help users understand the vulnerabilities and learn how to mitigate them.
Open Source: As an open-source project, it encourages community contributions and is freely available for anyone to use and modify.
Docker is a platform that allows developers to automate the deployment of applications inside lightweight, portable containers. This cheatsheet provides a quick reference to some of the most commonly used Docker commands, formatted for easy copy-pasting. Use this as a handy resource for managing your Docker containers, images, volumes, and more.