AXFR can leak sensitive information

Many services are depending on DNS and it is getting more and more used for serving information. Sometime’s companies are putting some inside information in their DNS that others do not need to know.

Maybe the information that is in the DNS looks innocent,  but if you are a target for criminal hackers, or state sponsored hackers, the can get very much information from your nameserver. That is why we advice to disable AXFR for the whole world. If you have AXFR enabled, you can leak information of you digital infrastructure that can be used by criminals to get a more complete overview of your company.

I do not know if it’s “by design”, but the fourth nameserver of DNS provider EasyDNS.com is accepting AXFR commands. I asked them multiple times if why this is open for everyone, but the do not respond to my e-mail.

With a simple dig command, we can get the whole DNS zone of EasyDNS, or one of it’s customers.

Example:

sebastian@nw4allws01:~$ dig @64.68.197.10 easydns.com -t AXFR;
<<>> DiG 9.10.3-P4-Ubuntu <<>> @64.68.197.10 easydns.com -t AXFR;
(1 server found)
;; global options: +cmdeasydns.com. 300 IN SOA dns1.easydns.com. zone.easydns.com. 1509041294 3600 600 1209600 300
easydns.com. 300 IN NS dns1.easydns.com.
easydns.com. 300 IN NS dns2.easydns.net.
easydns.com. 300 IN NS dns3.easydns.org.
easydns.com. 300 IN NS dns4.easydns.info.
easydns.com. 300 IN MX 0 mx.easymail.ca.
easydns.com. 300 IN A 64.68.200.42
easydns.com. 300 IN TXT "google-site-verification=9lCtJVFGHp_WlDRhU9LpYB84rGYjlh-SMjxGUgpP6Eg"
... snip...

Look at the domains toronto.ca and certum.pl. It is not very pretty. Certum is also a CA (certificate authority), so they do need to keep their infrastructure safe!

dig @64.68.197.10 toronto.ca -t AXFR
dig @64.68.197.10 certum.pl -t AXFR

Screenshot from 2017-11-10 13-01-52

Background information: https://www.us-cert.gov/ncas/alerts/TA15-103A

Update: They fixed it 10 minutes after sharing.

easydns-fixed

 

 

WiFi for free! Is it?

People love free WiFi, and that comes with a cost. If you look around many people using their laptops and tablets in the coffee shops, in dinings and restaurants. You will find a MacDonalds ie Starbucks in every city.

Would it be awesome to take advantage of that? Back in the days you build a custom BackTrack, Kali or other Linux distribution with your custom WiFi access point toolkit. You also had to find the right WiFi USB stick with the right functionality.

Now days, you buy a WiFi Pineapple and you are ready to go. I bought my first WiFi Pineapple years ago to give some demonstrations about how easy it is to set up a trap for the innocent free WiFi users.

A few weeks ago they ordered for me the WiFi Pineapple NANO tactical kit. I was surprised to see how Hak5 did some good work on the hard and software. They really made it easy to dig in WiFi networks on the go. I also like the redesigned webinterface. It is clean and simple.

Summarizing this story, the WiFi Pineapple is still a great tool for recon, attacks and also site surveys. Beside the Pineapple, I’ll keep using my Raspberry Pi’s and and “old” Intel NUC to get some more possibilities. I’ll write about that later.

KRACK Attacks: Breaking WPA2

WiFi is broken. The only thing we can do now is wait for updates from the vendors. If you thing about the amount of devices we put online using WiFi, do they all need an update? And how will a consumer know when he need to update something? Will there be a tool that consumers can use to scan there WiFi networks for vulnerable devices like security cameras, televisions or network attached storages?

We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

Website: https://www.krackattacks.com/

XSS in a certificate signing request

Web application developers will all know, never to trust the input of the users of the web application. But what if you do not really know what they are submitting?

While investigating some form fields in our application, I came across a form for checking a certificate signing request (CSR) which you need to order a SSL / TLS certificate.

A certificate signing request is an encoded file with the information to request a certificate from a certificate authority (CA) or a reseller of that CA. You will need to create that file yourself and put in the information that you want.

Read more

Install and use Lynis

Hardening you Linux and BSD based systems is an important job. Lynis can help you with this! I use Ubuntu 16.04 on my workstation and server, so I you use another on Linux, BSD or macOS based system, you maybe have to change some instructions.

About Lynis

Lynis is an open source security and hardening tool for system administrators, auditors and researchers. With integrated compliance testing for, for example, HIPAA, ISO27001 and PCI DSS, Lynis makes a great tool for compliance auditors. Especially when you combine this with Lynis Enterprise for reporting, monitoring and tips for a complaint and secure systems. Lynis can run on most GNU/Linux and BSD based operating systems. It is completely written in shell and it is GPLv3 licensed.

Read more