Archive for the ‘network’ Category

Domain Fronting

February 10, 2017 Leave a comment

I came across a really interesting technique for using high-trust domains as redirectors to a censored/forbidden site.  During a security assessment, these could be setup to redirect C2 traffic from your target network to a server under your control (normally inaccessible).  The nuts and bolts of it are discussed in this write-up that’s almost two years old, but still relevant –

The basic definition of Domain Fronting is a “general-purpose circumvention technique based on HTTPS that hides the true destination of a communication from a censor.”  Content delivery networks (CDN’s) allow users to create accounts with them that include a high-trust domain (Google, Microsoft, Amazon, and others).  You can use domain fronting by making the DNS query and SNI HTTPS destination host headers point to such a “high-trust” domain (e.g.,, which can then forward it to the actual domain you want to visit encrypted within your HTTPS traffic as part of the HTTP Host Header.  Censors will be unable to block your traffic without some serious collateral damage that could prevent access to these otherwise “high-trust” domains.  This isn’t a free service, but it’s by no means cost prohibitive.

Recently Raphael Mudge provided a nice video and write-up of using this technique with Cobalt Strike.  Instead of paraphrasing it all, here are the links:


Logging Attack Traffic

June 11, 2013 2 comments

When performing a test, it is important that you log all your activity so that you have proof of what you were doing, in case anything goes awry (and it is not your fault!). Here are a couple methods of logging activity:

  • Wireshark: before you start capturing data, in the Capture Options window select “Use multiple files” and in the “Next file every” field specify the upper limit of the file size that you desire (a new file will be created once the current file reaches that limit) – see image below.
  • Tshark (found in the c:\program files\wireshark directory): c:\program files\Wireshark\tshark.exe -i [interface] -w [base file name] -b filesize:[file size in KB]  -p [this flag restricts monitoring to current VM, otherwise all VM traffic will be captured]
    • This option doesn’t put as much strain on your machine as using Wireshark does
  • tcpdump: tcpdump -i [interface, use ‘tcpdump -D’ to get list] -w [base file name] -C [file size in MB]
    • Another low resource option


Opening Ports in Windows 7 Firewall

March 1, 2010 1 comment offers a very easy-to-follow guide on opening a port in Windows 7’s firewall.  I had thought that simply setting up a service to run and making sure firewallthat that service was listed as “approved” in the firewall, as well as making sure my router had the port open that I would be good to go.  Sadly it was not that simple.  One tool that helped me realize that this was the problem was uTorrent’s port checker URL:  Simply change the port number at the end of the URL to test if the port is open on your firewall.  If it isn’t, follow the above guide.

Here are the steps I followed, in case the above mentioned guide becomes unavailable:

  1. Browse to the Advanced Settings of the Windows Firewall
  2. Select Inbound Rules in the left column
  3. Select New Rule in the right column
  4. Select Port in the rule wizard
  5. List the port(s) that you want opened
  6. Select Allow the Connection
  7. Specify where you would like the rule applied
  8. Name the rule and click Finish.
Categories: network Tags:


January 14, 2009 Leave a comment

Scanning tools are useful both to hackers and system administrators.  Nmap is a very useful, free scanning utility.  The first objective is to find out what hosts are out on a network.  Issuing the command “nmap -sP 192.168.100.*” would bring back all the hosts on the network.

example of using nmap -sP

example of using nmap -sP

The next step is to stack fingerprint the network using the command “nmap -sT”:

nmap -sT

nmap -sT

To see what Nmap is doing, you can use Wireshark to capture the packets that go to and from the target computer.  Here’s an example of nmap hitting port 80 on the target computer:


This command (nmap -sT) shows you the ports open on the target system, as well as the services running on those ports.  This can help you identify what operating system the computer is running which allow you to probe deeper and find out, for example, the type of server and version.  If you’re worried about your scan showing up on the target computer’s logs (as evident in the three-way handshake completed when identifying port 80 as open in the above image), you can do a stealth mode scan with “nmap -sS x.x.x.x”.

Running the command “nmap -O x.x.x.x” will have Nmap guess the operating system on the machine.  I didn’t have much success with that command (from the command line), but using the GUI and command “nmap -T4 –version-light -sV -F -O”, it guessed the OS as Windows along with a list of possible versions.


Nmap GUI

Network traffic generated from using Nmap, shown by its signature, can be very detectable.  Nmap can be configured to mask its signature from being easily detected.

Three-way Handshake

November 3, 2008 Leave a comment

The three-way handshake is the process by which two computers create a reliable connection to eachother using TCP (Transmission Control Protocol).  The computer requesting the connection sends out a synchronize packet (SYN), when the second computer receives this packet it responds by sending a synchronize packet and an acknowledgement packet (SYN/ACK).  When the initiating computer receives the acknowledgement from the requested computer, it then sends an ACK packet as well, completing the three-way handshake.  There now exists an open-communication channel between the two computers until one issues a “FIN” or “RST” packet or the connection times out.

This is a very important concept in IT security, and it is also very exploitable.  When you think about it, the requesting computer is making sure it is connecting to the right computer before completing the connection.  What happens if someone intercepts the SYN packet (disguised as the designated computer) and sends a spoofed SYN/ACK and the requestor then completes the connection thinking it’s connected to the desired computer?  Or someone can listen in on the connection you’ve made (if it isn’t secure) and disguise information/malware to look like it came from the computer you’re talking to.

Another vulnerability occurs when someone maliciously sends out a flood of SYN packets from a spoofed IP address to a server, causing the server to consume large amounts of resources trying to keep up with these malicious packets.  This is a form of a denial-of-service attack (DoS).  This vulnerability is less of a worry with modern networks.

Sources: wikipedia, Computer Security Lab Manual

Categories: network Tags: , , ,