Blocking DoH With BIND RPZs

Xavier Mertens’ new post on the ISC Blog about blocking DNS over HTTPS with BIND RPZ was posted today, and it provides some really useful and actionable information on how to do it. BIND RPZs are a very useful tool for whole-of-network security actions. And before you reach for your angry typing keyboard, yes - DoH is a great idea - until you want to be able to take the skills and tools of your corporate security team to secure them and respond to threats and incidents. [Read More]

Retroactively Setting a Whole S3 Bucket to Public

I uploaded a bunch of files to an s3 bucket, then needed to update the permissions.

    aws s3 ls --profile <profile> --recursive s3://<bucket> | awk '{print $NF}' \
      | xargs -I{} -n1 aws s3api put-object-acl --profile <profile> --acl public-read --bucket <bucket> --key {}

There are two replacements in the above code you need to make:

    bucket - the name of the bucket
    profile - the profile configured in ~/.aws/credentials

There's a better explanation here, in the AWS support documentation. [Read More]
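The same job done through boto3, as an added example that is not part of the original post. It follows list_objects_v2 pagination and passes each key whole, which matters because `awk '{print $NF}'` keeps only the text after the last space and so mangles any key containing one. It assumes the boto3 S3 client interface; a constructed fake client stands in for it so the example runs offline. Bear in mind what the operation does: every object touched becomes readable by anyone on the internet unless S3 Block Public Access overrides it.

```python
"""Added example (not from the original post): apply public-read to every
object in a bucket via boto3, following pagination and passing keys whole.
Assumes the boto3 S3 client API; FakeS3Client is a constructed stand-in so
the example runs offline."""
from typing import Iterator, List


def iter_keys(client, bucket: str) -> Iterator[str]:
    """Yield every key in `bucket`, following list_objects_v2 pagination."""
    kwargs = {"Bucket": bucket}
    while True:
        page = client.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            yield obj["Key"]
        if not page.get("IsTruncated"):
            return
        kwargs["ContinuationToken"] = page["NextContinuationToken"]


def make_bucket_objects_public(client, bucket: str, acl: str = "public-read") -> List[str]:
    """Set `acl` on each object; return the keys touched, in listing order.

    Security note: afterwards anyone can read every object listed, unless
    S3 Block Public Access on the bucket or account overrides the ACL.
    """
    touched = []
    for key in iter_keys(client, bucket):
        client.put_object_acl(Bucket=bucket, Key=key, ACL=acl)
        touched.append(key)
    return touched


class FakeS3Client:
    """Constructed stand-in for boto3's S3 client: paginates and records ACL calls."""

    def __init__(self, keys, page_size: int = 2):
        self.keys = list(keys)
        self.page_size = page_size
        self.acl_calls = []

    def list_objects_v2(self, Bucket, ContinuationToken=None, **_):
        start = int(ContinuationToken or 0)
        chunk = self.keys[start:start + self.page_size]
        resp = {"Contents": [{"Key": k} for k in chunk], "IsTruncated": False}
        if start + self.page_size < len(self.keys):
            resp["IsTruncated"] = True
            resp["NextContinuationToken"] = str(start + self.page_size)
        return resp

    def put_object_acl(self, Bucket, Key, ACL):
        self.acl_calls.append((Bucket, Key, ACL))


if __name__ == "__main__":
    # Offline demo with constructed keys; the key containing a space survives.
    fake = FakeS3Client(["index.html", "assets/logo.png", "reports/q1 summary.pdf"])
    print(make_bucket_objects_public(fake, "<bucket>"))
    # Real run (needs boto3 and a configured profile):
    #   import boto3
    #   s3 = boto3.Session(profile_name="<profile>").client("s3")
    #   make_bucket_objects_public(s3, "<bucket>")
```

One caveat for current buckets: with Object Ownership set to "bucket owner enforced" (the default for buckets created since April 2023) ACLs are disabled and put_object_acl fails; there, a bucket policy granting s3:GetObject is the way to make objects public.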

ESP32 Micropython and the Memory Address

I was writing MicroPython to a new ESP32 board I got, and it was acting weird… looping the following over and over:

    rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
    flash read err, 1000
    ets_main.c 371
    ets Jun 8 2016 00:22:57

Turns out, if I'd read the documentation instead of just doing the same thing I'd been doing on the ESP8266s, I'd have known I need to write it starting at 0x1000 instead of 0x0000. [Read More]
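A small helper around that lesson, as an added example that is not part of the original post: it picks the write offset per chip and sanity-checks the image before calling esptool. The ESP32 ROM loader expects the second-stage bootloader at 0x1000, which is why an image written at 0x0 gives the `flash read err, 1000` loop above, while the ESP8266 image goes at 0x0; both image formats begin with the magic byte 0xE9. The serial port and baud rate are assumed values.

```python
"""Added example (not from the original post): chip-correct flash offset for
MicroPython plus a cheap image sanity check before running esptool.
Port and baud rate are assumed values."""
from typing import List

ESP_IMAGE_MAGIC = 0xE9                      # first byte of ESP8266/ESP32 images
FLASH_OFFSET = {"esp32": 0x1000, "esp8266": 0x0}


def flash_offset(chip: str) -> int:
    """Return the write_flash offset for `chip`; raise for chips not covered."""
    try:
        return FLASH_OFFSET[chip.lower()]
    except KeyError:
        raise ValueError(f"unknown chip {chip!r}; expected one of {sorted(FLASH_OFFSET)}") from None


def looks_like_esp_image(data: bytes) -> bool:
    """True if the data starts with the ESP image magic byte."""
    return len(data) > 0 and data[0] == ESP_IMAGE_MAGIC


def check_image_file(path: str) -> bool:
    """Read just the first byte of the file and check the magic."""
    with open(path, "rb") as f:
        return looks_like_esp_image(f.read(1))


def esptool_commands(chip: str, image: str, port: str = "/dev/ttyUSB0",
                     baud: int = 460800) -> List[str]:
    """The erase and write commands to run, with the chip-correct offset."""
    off = flash_offset(chip)
    return [
        f"esptool.py --chip {chip} --port {port} erase_flash",
        f"esptool.py --chip {chip} --port {port} --baud {baud} write_flash -z {off:#x} {image}",
    ]


if __name__ == "__main__":
    import sys
    chip, image = sys.argv[1], sys.argv[2]
    if not check_image_file(image):
        sys.exit(f"{image} does not start with 0xE9; not an ESP firmware image")
    print("\n".join(esptool_commands(chip, image)))
```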

crontab, ufw and the missing path

I've got a server with a web site which sits behind Cloudflare, so I have a daily script in root's cron that grabs the current list of Cloudflare IPs and updates the ufw config so only Cloudflare can get to apache2. It's a wordpress site so I'm a little scared of idiots doing idiot things. Ever since I ran it, for some reason it throws an error

    ERROR: problem running sysctl

when it runs ufw status verbose. [Read More]
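A version of that daily job, as an added example that is not the post's own script: it validates the Cloudflare lists before turning them into rules, keeps the catch-all deny behind the allows across re-runs, and runs ufw with an explicit PATH. The last point is the usual cause of `ERROR: problem running sysctl` under cron: a user crontab's default PATH on Debian/Ubuntu is `/usr/bin:/bin`, which omits /usr/sbin and /sbin where ufw and sysctl live. The list URLs, the ports and the sample ranges below are assumptions; real runs fetch https://www.cloudflare.com/ips-v4 and /ips-v6.

```python
"""Added example (not from the original post): rebuild the ufw rules that let
only Cloudflare reach the web ports, with a cron-safe PATH so ufw (and the
sysctl it calls) are found. URLs, ports and sample ranges are assumptions."""
import ipaddress
import os
import subprocess
import urllib.request
from typing import List

CRON_SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
PORTS = "80,443"
CF_URLS = ("https://www.cloudflare.com/ips-v4", "https://www.cloudflare.com/ips-v6")

# Constructed sample of what the two lists look like (one CIDR per line).
SAMPLE_V4 = "173.245.48.0/20\n103.21.244.0/22\n\n"
SAMPLE_V6 = "2400:cb00::/32\n2606:4700::/32\n"


def parse_ranges(text: str) -> list:
    """Validate every line as a CIDR. A tampered list or an HTML error page
    fails loudly instead of becoming a bogus or overly broad firewall rule."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def fetch_cloudflare_ranges(timeout: float = 10.0) -> list:
    """Download and validate both published lists."""
    nets = []
    for url in CF_URLS:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            nets += parse_ranges(resp.read().decode())
    return nets


def ufw_commands(nets) -> List[List[str]]:
    """Allow each range, then delete and re-append the catch-all deny so it
    stays last: ufw evaluates rules in order and skips duplicates, so a deny
    left from a previous run would otherwise sit in front of new allows."""
    cmds = [["ufw", "allow", "from", str(n), "to", "any", "port", PORTS, "proto", "tcp"]
            for n in nets]
    cmds.append(["ufw", "delete", "deny", "proto", "tcp", "to", "any", "port", PORTS])
    cmds.append(["ufw", "deny", "proto", "tcp", "to", "any", "port", PORTS])
    cmds.append(["ufw", "status", "verbose"])
    return cmds


def apply_rules(cmds: List[List[str]], dry_run: bool = True) -> List[str]:
    """Run (or, by default, just render) the commands with a cron-safe PATH."""
    env = dict(os.environ, PATH=CRON_SAFE_PATH)
    out = []
    for cmd in cmds:
        if dry_run:
            out.append(" ".join(cmd))
            continue
        must_succeed = cmd[1] != "delete"   # the deny may not exist on the first run
        r = subprocess.run(cmd, env=env, check=must_succeed, capture_output=True, text=True)
        out.append(r.stdout)
    return out


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_V4) + parse_ranges(SAMPLE_V6)
    for line in apply_rules(ufw_commands(nets)):
        print(line)
```

Ranges Cloudflare drops from its list are not removed by this; if that matters, diff against the previous run's list and `ufw delete` the stale allows.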

Pastebin Grabbing Badness

While doing some threat hunting I found a server reaching out to pastebin (this was over an hour):

    src_ip=<ip> url=hxxp://pastebin[.]com/raw/<snip> count=34

It wasn't a long running process, but it certainly happened a lot. The paste content was 127.0.0.1:80, which looked like a typical CNC control message. netstat wasn't doing it, so lsof to the rescue! I ran this on the server:

    sudo watch -n1 lsof -n -i:80 -i:8080 -r1 -sTCP:^LISTEN | grep -v <ip>:http | tee -a ~/pastebin-find.

[Read More]
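The same hunt done by parsing lsof output rather than grepping it, as an added example that is not part of the original post: it pulls the process, PID, user and remote endpoint out of each connected socket line, filters on the address of interest, and polls repeatedly so a process that lives only a moment (the post's hit fired 34 times in an hour) still gets caught. The lsof output below is constructed, with `-P` assumed so ports are numeric, and 192.0.2.10 stands in for the pastebin IP the proxy log showed.

```python
"""Added example (not from the original post): find which processes talk to
a given remote address in `lsof -n -P -i` output, and poll for short-lived
ones. SAMPLE_LSOF is constructed; 192.0.2.10 is a placeholder address."""
import re
import subprocess
import time
from typing import List, NamedTuple, Set, Tuple

SAMPLE_LSOF = """\
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2  1234 www-data   4u  IPv4  12345      0t0  TCP *:80 (LISTEN)
curl     4321 www-data   5u  IPv4  23456      0t0  TCP 10.0.0.5:51234->192.0.2.10:80 (ESTABLISHED)
python3  5555 www-data   3u  IPv4  34567      0t0  TCP 10.0.0.5:51300->192.0.2.10:443 (SYN_SENT)
sshd      999     root   3u  IPv4  45678      0t0  TCP 10.0.0.5:22->203.0.113.9:50000 (ESTABLISHED)
"""


class Conn(NamedTuple):
    command: str
    pid: int
    user: str
    local: str
    remote_ip: str
    remote_port: int
    state: str


# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)$")
# NAME for a connected socket: "local->remote (STATE)"
NAME_RE = re.compile(r"^(?P<local>\S+)->(?P<remote>\S+)(?:\s+\((?P<state>\w+)\))?$")


def parse_lsof(text: str) -> List[Conn]:
    """One Conn per connected socket; listening/unconnected lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # header or unexpected line
        name = NAME_RE.match(m.group(4))
        if not name:
            continue                     # no "->": LISTEN or unconnected
        ip, port = name.group("remote").rsplit(":", 1)
        conns.append(Conn(m.group(1), int(m.group(2)), m.group(3), name.group("local"),
                          ip.strip("[]"), int(port), name.group("state") or ""))
    return conns


def connections_to(text: str, remote_ip: str) -> List[Conn]:
    """Connections whose remote side is `remote_ip`, in any TCP state."""
    return [c for c in parse_lsof(text) if c.remote_ip == remote_ip]


def poll_live(remote_ip: str, seconds: int = 3600, interval: float = 1.0) -> Set[Tuple[str, int, int]]:
    """Sample lsof every `interval` seconds; collect (command, pid, port) seen.
    Run as root so sockets owned by other users are visible."""
    seen = set()
    deadline = time.time() + seconds
    while time.time() < deadline:
        out = subprocess.run(["lsof", "-n", "-P", "-i", "-sTCP:^LISTEN"],
                             capture_output=True, text=True).stdout
        for c in connections_to(out, remote_ip):
            seen.add((c.command, c.pid, c.remote_port))
        time.sleep(interval)
    return seen


if __name__ == "__main__":
    for c in connections_to(SAMPLE_LSOF, "192.0.2.10"):
        print(f"{c.command}[{c.pid}] as {c.user}: {c.local} -> {c.remote_ip}:{c.remote_port} {c.state}")
```

Once the PID is known, `/proc/<pid>/exe`, `/proc/<pid>/cmdline` and `/proc/<pid>/cwd` tell you what is doing the fetching and from where, before the process exits again.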

F5 LDAP Fix for V14 Upgrade

Have you upgraded to v14 and Active Directory/LDAP auth to the appliance admin stopped working? Try running this:

    tmsh modify auth ldap system-auth check-roles-group enabled
    save sys config

Seems that there was a change in how group enumeration happens, and this fix sorts it. You don't need to reboot or anything, it just works. [Read More]

Logstash and Filebeat Templates

A pretty cool and easy to follow article from Burnham Forensics on configuring filebeat to monitor your Ubuntu/CentOS boxes. Though, I do have to question any article from a security professional that includes the following line: Elevate to sudo if not done so already: sudo su … let alone in an article about logging! :) [Read More]

Dystopia Daily Rundown

While job seeking I’ve been reading the LinkedIn Daily Rundown; I’m not normally one for business news, but it tends to be a good quick thing to catch up on. Today’s instalment was particularly dystopian. Like your job? Sadly it could be automated sooner than you think, according to a new Organisation for Economic Co-operation and Development (OECD) report. Not surprising, really - there’s a lot of process work and drivers out there. [Read More]

Banksy and Authenticity

A great writeup on how Banksy handles authentication of his artworks. So Banksy created a not-for-profit company, Pest Control, to sell and authenticate his works. The process is fiendishly clever, as Will Ellsworth-Jones writes in his book 'Banksy: The Man Behind the Wall': Now, for £65 you can get your Banksy print authenticated. And just to keep the whole thing as jokey as possible, the authentication certificate has stapled to it half a 'Di faced tenner', a £10 note faked by Banksy with Lady Diana's face on it. [Read More]

PlaidCTF - Can You Guess Me

A friend asked me for help with this one. I hadn't planned on doing the Plaid CTF but I'm easily dragged into a neat programming challenge.

    can you guess me
    Misc (100 pts)
    Here's the source to a guessing game: here
    You can access the server at nc canyouguessme.pwni.ng 12349

Nothing ridiculously simple here, the solution's obviously in the code… here's the code that was provided:

    #! /usr/bin/env python3
    from sys import exit
    from secret import secret_value_for_password, flag, exec

    print(r"")
    print(r"")
    print(r" ____ __ __ ____ __ __ ")
    print(r" / ___|__ _ _ _\ \ / /__ _ _ / ___|_ _ ___ ___ ___| \/ | ___ ")
    print(r"| | / _` | '_ \ V / _ \| | | | | _| | | |/ _ \/ __/ __| |\/| |/ _ \ ")
    print(r"| |__| (_| | | | | | (_) | |_| | |_| | |_| | __/\__ \__ \ | | | __/ ")
    print(r" \____\__,_|_| |_|_|\___/ \__,_|\____|\__,_|\___||___/___/_| |_|\___| ")
    print(r" ")
    print(r"")
    print(r"")

    try:
        val = 0
        inp = input("Input value: ")
        count_digits = len(set(inp))
        if count_digits <= 10: # Make sure it is a number
            val = eval(inp)
        else:
            raise

        if val == secret_value_for_password:
            print(flag)
        else:
            print("Nope.

[Read More]
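The gate in that code, reproduced beside a check that actually does what the comment claims, as an added example that is not the CTF's own code. `len(set(inp)) <= 10` only bounds how many distinct characters the input has; any expression built from ten or fewer distinct characters reaches `eval()`, numeric or not (for instance `exec(input())` has exactly ten, and what that buys depends on what `secret.exec` is, which the page does not show). A real number check parses an integer literal and nothing else.

```python
"""Added example (not the CTF's code): the weak "is it a number" gate from the
challenge beside a strict one, and the game's comparison built on either."""
import re

MAX_DISTINCT = 10
INT_RE = re.compile(r"^[+-]?[0-9]+$")


def passes_weak_check(inp: str) -> bool:
    """The challenge's gate, reproduced: counts distinct characters only."""
    return len(set(inp)) <= MAX_DISTINCT


def weak_parse(inp: str):
    """Vulnerable: eval() on attacker-controlled text behind the weak gate."""
    if not passes_weak_check(inp):
        raise ValueError("too many distinct characters")
    return eval(inp)  # deliberately unsafe: mirrors the challenge


def strict_parse(inp: str) -> int:
    """Hardened: accept only an optionally signed decimal integer literal.
    No operators, no hex, no underscores, no embedded whitespace."""
    inp = inp.strip()
    if not INT_RE.match(inp):
        raise ValueError("not an integer")
    return int(inp)


def guess(inp: str, secret: int, parse=strict_parse) -> bool:
    """The game's comparison, with the parser as a parameter so the two
    behaviours can be contrasted on the same input."""
    try:
        return parse(inp) == secret
    except (ValueError, SyntaxError):
        return False


if __name__ == "__main__":
    for s in ("1024", "2**10", "'a'*3", "exec(input())"):
        print(f"{s!r:16} distinct={len(set(s)):2}  weak gate={passes_weak_check(s)}  "
              f"strict ok={guess(s, 1024)}")
```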