Are you using CAA records?

With the approval of Ballot 187, Certificate Authorities must check and respect the CAA records found in the DNS of a domain. This additional check has been active since September 17, 2017. CAA stands for Certification Authority Authorization and is a standard designed to help the owners of a domain by preventing the issuance of rogue or unauthorized SSL/TLS certificates for that domain. Why should you use CAA records? All Certificate Authorities can issue domain validated certificates.

PostgreSQL and SSL/TLS

Encryption of data in transit is not only important for web servers and mail servers. You can also use SSL/TLS on database servers like PostgreSQL. This will make the usage of an SQL server on the internet a little bit safer. As a regular PostgreSQL user I sometimes have to look up some settings to make PostgreSQL available over an SSL/TLS connection. Now it’s time to share some notes about this.

Zone transfers in The Netherlands

Much has been said about zone transfers and why it is important to restrict their use. The DNS zone can contain sensitive information like DKIM keys or information about the internal infrastructure. And because of this I actually thought it was not so common anymore. A while ago I ran into a nameserver with an insecure zone transfer (AXFR) setting. Allowing zone transfers for the whole world will also allow the bad guys to extract useful information from a zone that can be used to create a map of the network infrastructure.

Don’t trust all SSL or TLS certificates

Earlier I did a story about CSR checkers from CAs and their resellers. This was a nice thing to do and an eye opener for some people. I went for the certificate checkers now! I generated my own CA and self-signed certificate and checked some websites with it. In my FakeCA root certificate and the leaf certificate on it, I set some XSS information. A simple JavaScript alert. You can easily do this with OpenSSL for example.

AXFR can leak sensitive information

Many services depend on DNS, and it is used more and more for serving information. Sometimes companies put inside information in their DNS that others do not need to know. Maybe the information that is in the DNS looks innocent, but if you are a target for criminal hackers, or state sponsored hackers, they can get a great deal of information from your nameserver. That is why we advise disabling AXFR for the whole world.

XSS in a certificate signing request

Web application developers all know never to trust the input of the users of the web application. But what if you do not really know what they are submitting? While investigating some form fields in our application, I came across a form for checking a certificate signing request (CSR), which you need to order an SSL/TLS certificate. What is a CSR? A certificate signing request, CSR, is an encoded file with the information to request a certificate from a certificate authority (CA) or a reseller of that CA.

Get ciphers with nmap

Good cipher usage is important for the encryption of your connection. With nmap we can look at the ciphers a server offers and harden the config where needed. For that we use the nmap scripting engine with the ssl-enum-ciphers script.

Install and use Lynis

Hardening your Linux and BSD based systems is an important job. Lynis can help you with this! I use Ubuntu 16.04 on my workstation and server, so if you use another Linux, BSD or macOS based system, you may have to change some instructions.

Search for DNS records with dnsrecon

The information that you can find in a DNS zone of a domain can be very useful to pentesters and hackers. Searching for it can be time consuming and there is no guarantee that there is any useful information in it. In my experience, many DNS zones contain outdated information on DNS records of systems that aren’t used anymore. With the automation of this task, you can save yourself some time.

Information, meet your harvester!

Gathering intelligence is most of the time a very time consuming job. But having the right information is also very important and it can save you a lot of time later on the job, and time is money! Most hackers don’t have a deadline to watch. If you hire a pentester, he/she has to get the job done following a time schedule. To make a start gathering information, you can use theHarvester.