
Blog

VM Packet Capture Considerations

When running a virtual machine (VM) to capture network data, network offloading can quietly distort what you capture. This is a problem specific to packet capture in a virtualized environment. Network offloading can be likened to missing pages in a notebook: a capture taken with offloading disabled is a complete set of notes with all the necessary information, but when offloading is active, some crucial pages are missing, making it harder to understand the original context and intent of the traffic.


What Happens?

  1. Network Offloading: Many modern network cards and VM hosts support network offloading, allowing the NIC or host to handle certain aspects of the TCP protocol stack on behalf of the guest VM.

  2. MSS (Maximum Segment Size): The MSS is a parameter that specifies the largest amount of data that a device is willing to receive in a single TCP segment. While MSS itself is not altered by offloading, offloading can impact how TCP segments are handled, potentially obscuring details in captured traffic.

  3. VM Network Stack: The VM’s network stack, specifically the virtual NIC, handles TCP segments. Disabling offloading within the VM ensures that packet capture tools see traffic as it is truly handled by the VM without NIC-induced alterations.

  4. Impact on Captured Traffic: When offloading is enabled, the virtual NIC or the host might process packets differently, altering their structure in ways that are not reflected accurately in packet captures.

The Impact

  • Altered Packet Handling: Network offloading features like TSO (TCP Segmentation Offload) and GRO (Generic Receive Offload) can segment or reassemble packets in ways that make captured data appear different from the actual traffic on the wire, which complicates analysis and debugging.
  • Obscured TCP Details: Important TCP details, including segment boundaries, can be masked by offloading, making the captured data less representative of true network behavior.

This can lead to challenges when trying to analyze or debug network problems, as the captured data may not accurately represent the true network behavior.

Disabling Offloading

To disable offloading within a VM, use the following command:

RegEx Primer


Finding Patterns in Logs (or other files)

What is Regex?

Regular Expressions (regex) are sequences of characters that form search patterns. They are used for matching, searching, and manipulating text, making them incredibly useful for analyzing data, detecting patterns, and automating tasks. In cybersecurity, regex can help identify sensitive information, extract useful data from logs, and detect anomalies.

Basic Concepts of Regex

  • Literal Characters: Match exactly what you type (e.g., abc matches "abc").
  • Metacharacters: Special characters with unique functions:
    • .: Matches any character except a newline.
    • ^: Anchors the match to the start of a line.
    • $: Anchors the match to the end of a line.
    • \: Escapes a metacharacter to treat it as a literal.
  • Character Classes: Define a set of characters:
    • [0-9] or \d: Matches any digit.
    • [a-zA-Z]: Matches any letter (uppercase or lowercase).
  • Quantifiers: Define how many times an element must appear:
    • *: Matches 0 or more times.
    • +: Matches 1 or more times.
    • ?: Matches 0 or 1 time.
    • {n,m}: Matches between n (minimum) and m (maximum) times.
  • Grouping and Capturing: Parentheses () group patterns and capture matched text.

Why Use Regex in Cybersecurity?

Regex is essential in cybersecurity for tasks such as:

  • Log Analysis: Quickly search and filter through logs to find specific events, IP addresses, error codes, or patterns.
  • Data Extraction: Extract sensitive information like credit card numbers, email addresses, or phone numbers.
  • Intrusion Detection: Identify patterns indicative of malicious activity, like SQL injection attempts, XSS payloads, or anomalous user behavior.
  • Data Sanitization: Validate and sanitize inputs to prevent injection attacks.

Examining RAM Dumps


Volatility is an advanced memory forensics framework used for analyzing RAM dumps. It helps digital forensic investigators and cybersecurity professionals extract valuable information from volatile memory, including processes, registry hives, network connections, and more. This tool is often used in incident response, malware analysis, and CTF challenges due to its ability to dig deep into system states captured at the moment a memory dump is created.

Volatility Cheatsheet

Installation and Setup

  1. Install Dependencies:

    sudo apt update
    sudo apt install python3 python3-pip git
    

  2. Clone Volatility 3 Repository:

    git clone https://github.com/volatilityfoundation/volatility3.git
    cd volatility3
    

  3. Install Volatility Requirements:

    pip3 install -r requirements.txt
    

  4. Run Volatility 3:

    python3 vol.py -h
    

Basic Commands

ICS Incident Response Playbooks


Playbooks for responding to incidents involving Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, and Remote Terminal Units (RTUs) provide a structured, repeatable response process. Each playbook should be tailored to the unique characteristics and operational context of these devices and systems while addressing the specific types of threats they face.

Here is an overview of what these playbooks might look like:

PLC Incident Response Playbook

Objective: Identify, contain, and remediate incidents affecting PLCs to prevent unauthorized control, data manipulation, or disruption of physical processes.

Key Components

  • Preparation

    • Maintain an updated inventory of all PLCs, including their firmware versions, IP addresses, network segments, and connected devices.
    • Regularly back up PLC configurations and firmware.
    • Implement strict access controls and authentication mechanisms, such as role-based access control (RBAC).
    • Ensure logging and monitoring of PLC traffic, including command and configuration changes.
    • Conduct regular security training for staff on PLC threats and best practices.
  • Detection

    • Monitor for unauthorized PLC connections or traffic patterns.
    • Use Intrusion Detection Systems (IDS) and anomaly detection tools to identify unusual Modbus, EtherNet/IP, or other relevant protocol traffic.
    • Look for unexpected PLC behavior, such as unscheduled reboots, changes in operating mode, or altered setpoints.
  • Initial Containment

    • Isolate the affected PLC from the network if feasible without disrupting critical operations.
    • Disable remote access to the PLC and review recent access logs to identify unauthorized actions.
    • Verify the integrity of the PLC’s configuration and firmware by comparing it against a known good baseline.

ICS Protocols


This is a short primer on 12 common protocols used in various industrial control systems (ICS). The goal of this entry is to give a quick, at-a-glance understanding of what each protocol is used for and why and how indicators of compromise might be identified in a system that has been attacked.


1. Modbus

  • Introduction: Used in industrial control systems like manufacturing, water treatment, and energy for communication between devices such as PLCs and sensors/actuators.
  • Overview: A simple, open protocol that operates over serial lines (Modbus RTU) or TCP/IP networks (Modbus TCP).
  • Indicators of Compromise:
    • Unexpected traffic from unauthorized IP addresses.
    • Unusual function codes in Modbus packets.
    • High frequency of commands indicating reconnaissance or brute-force attempts.
  • Exploitation Methods:
    • Man-in-the-Middle (MitM) Attacks: Intercepting and altering messages.
    • Unauthorized Commands: Sending malicious commands to change configurations or disable processes.
    • Replay Attacks: Capturing and replaying messages to disrupt operations.
  • Potential Attack Examples:
    • MitM Attack: Altering commands to change a pump's setpoint.
    • Unauthorized Commands: Sending Function Code 5 (Write Single Coil) or Function Code 6 (Write Single Register).
    • Replay Attack: Replaying captured traffic to repeat commands.
  • Display Filter Suggestions:
    • Detect Unauthorized Commands:

    modbus.func_code == 5 || modbus.func_code == 6
    
    Useful to identify potentially malicious commands that could alter device configurations.

  • High Frequency of Commands:

    modbus && frame.time_delta < 0.1
    
    Useful for detecting a high volume of commands that could indicate a brute-force attack.

  • Unexpected Source/Destination IPs:

    ip.src != {expected_ip} && ip.dst == {modbus_device_ip}
    
    Useful to identify traffic from unauthorized IPs targeting Modbus devices.

Tshark


Why Use tshark Over Wireshark?

Tshark is a powerful command-line alternative to Wireshark, especially useful in scenarios where efficiency, automation, and resource constraints are factors. Unlike Wireshark’s GUI, tshark excels in processing large data sets, automating repetitive tasks, and operating in headless environments, making it ideal for large-scale or automated network analysis tasks.


Basic Capture Commands

Capture Traffic

On a specific interface:

    tshark -i eth0

With a capture filter:

    tshark -i eth0 -f "port 80"

Write Capture to a File

    tshark -i eth0 -w capture.pcap

Remote Access Using WireGuard & TigerVNC

In an era of rapidly evolving technology, many parents who didn’t grow up with modern devices need help navigating new advancements. When parents live far away, offering this support becomes more challenging. A secure and efficient remote access system can bridge this gap, allowing for support and troubleshooting. This guide walks through how to set up such a system using WireGuard VPN and TigerVNC, ensuring remote connections are secure and effective without sacrificing performance. In this example, the user has a UniFi Dream Machine (UDM) as their gateway router, so the UniFi OS interface is used for the local network configuration.


Step 1: Set Up WireGuard VPN on the UDM

WireGuard is used as the VPN protocol because it is lightweight and fast, making it a better fit for this setup than OpenVPN.

Access the UDM Interface

1. Open Your Web Browser:

  • Enter the IP address of your UDM in the address bar (e.g. https://192.168.1.1).
  • Log in with your credentials.

2. Navigate to the VPN Settings:

  • In the UDM interface, click on Settings from the left-hand menu.
  • Go to VPN under the Services section.

Juice Shop Web App


OWASP Juice Shop is an intentionally vulnerable web application created by the Open Web Application Security Project (OWASP) for security training purposes. It simulates a real-world e-commerce site, allowing users to explore and exploit various security vulnerabilities in a safe environment. Key features include:

  1. Wide Range of Vulnerabilities: Juice Shop covers the entire OWASP Top 10, as well as other common security flaws, offering a comprehensive learning experience.

  2. User-Friendly Interface: Despite being intentionally vulnerable, the application has a realistic and user-friendly interface, making it accessible for beginners and useful for experienced testers.

  3. Gamified Learning: It incorporates a gamification aspect where users can track their progress and achievements as they discover and exploit different vulnerabilities.

  4. Extensive Documentation: Juice Shop comes with extensive documentation, tutorials, and guides to help users understand the vulnerabilities and learn how to mitigate them.

  5. Open Source: As an open-source project, it encourages community contributions and is freely available for anyone to use and modify.

Docker Cheatsheet


Docker is a platform that allows developers to automate the deployment of applications inside lightweight, portable containers. This cheatsheet provides a quick reference to some of the most commonly used Docker commands, formatted for easy copy-pasting. Use this as a handy resource for managing your Docker containers, images, volumes, and more.