๐™ฝ๐™ด๐šƒ๐š๐™ด๐š‚๐™ด๐™ฒ

@netresec@infosec.exchange
1,096 Followers
534 Following
294 Posts

As part of the investigation, I have looked closely at Telegram's protocol and analyzed packet captures provided by IStories.

I have also done some packet captures of my own.

I dive into the nitty-gritty technical details of what I found and how I found it on my blog:

Telegram is indistinguishable from an FSB honeypot
https://rys.io/en/179.html

Yes, my packet captures and a small Python library I wrote in the process are all published along.

#Telegram #InfoSec #Privacy #Surveillance #Russia

Telegram is indistinguishable from an FSB honeypot

Many people who focus on information security, including myself, have long considered Telegram suspicious and untrustworthy. Now, based on findings published by the investigative journalism outlet ISt

Songs on the Security of Networks
Signed malicious ConnectWise ScreenConnect installers hosted on Cloudflare R2 storage (by @lawrenceabrams)
https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-into-malware-using-authenticode-stuffing/
Hackers turn ScreenConnect into malware using Authenticode stuffing

Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature.

BleepingComputer
Why does CloudFlare insist on forwarding abuse reports to hosting providers and website owners? This makes no sense if the website operators and possibly also hosting providers are the criminals you're trying to stop!

@malware_traffic There's some unknown but interesting C2 traffic going on to net 104.16.0.0/13 (on CloudFlare). An HTTP POST is sent every 30 seconds (see Gantt chart) with gz compressed data.

The C2 servers use domain names like:
🔥 event-time-microsoft[.]org
🔥 windows-msgas[.]com
🔥 event-datamicrosoft[.]live
🔥 eventdata-microsoft[.]live

They also use this trycloudflare.com domain:
🔥 varying-rentals-calgary-predict.trycloudflare[.]com

Anyone knows what malware this is?

Researchers uncover how the Facebook app used localhost STUN communication with the browser to track visited websites in Covert Web-to-App Tracking via Localhost on Android. This trick works even if the user browses in incognito mode and uses a VPN.

The Meta Pixel uses a technique known as SDP Munging to insert the _fbp cookie contents to the SDP "ice-ufrag" field, resulting in a Binding Request STUN message sent to the loopback address as the following figure shows. This data flow cannot be observed using Chrome's regular debugging tools (such as DevTools).
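As an added example (not code from the paper or from Netresec), here is a minimal STUN parser that flags the pattern described above from the defender's side: a Binding Request sent to the loopback address whose USERNAME attribute carries a cookie-shaped ice-ufrag. The `fb.<n>.<ms>.<random>` layout of `_fbp` and the ICE convention `USERNAME = "<remote-ufrag>:<local-ufrag>"` are assumptions, and the sample message is constructed.

```python
import ipaddress
import re
import struct

STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
# Assumed layout of the _fbp cookie: "fb.<n>.<creation-ms>.<random>" (all digits).
FBP_RE = re.compile(r"fb\.\d+\.\d+\.\d+")


def parse_stun(payload: bytes):
    """Parse one STUN message; return (msg_type, {attr_type: raw value}) or None."""
    if len(payload) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    # The top two bits of the type are always zero; the magic cookie is fixed by RFC 5389.
    if cookie != STUN_MAGIC_COOKIE or msg_type & 0xC000 or len(payload) < 20 + msg_len:
        return None
    attrs, off, end = {}, 20, 20 + msg_len
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        attrs[atype] = payload[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 32-bit boundaries
    return msg_type, attrs


def find_fbp_in_stun(payload: bytes, dst_ip: str):
    """Return the _fbp value carried in a loopback-bound Binding Request, else None."""
    parsed = parse_stun(payload)
    if parsed is None or parsed[0] != BINDING_REQUEST or not ipaddress.ip_address(dst_ip).is_loopback:
        return None
    username = parsed[1].get(ATTR_USERNAME, b"").decode("utf-8", "replace")
    # ICE sets USERNAME to "<remote-ufrag>:<local-ufrag>"; the munged ice-ufrag is one half.
    for frag in username.split(":"):
        m = FBP_RE.search(frag)
        if m:
            return m.group(0)
    return None


def build_binding_request(username: str) -> bytes:
    """Constructed sample Binding Request carrying a USERNAME attribute (demo only)."""
    val = username.encode()
    attr = struct.pack("!HH", ATTR_USERNAME, len(val)) + val + b"\x00" * (-len(val) % 4)
    header = struct.pack("!HHI", BINDING_REQUEST, len(attr), STUN_MAGIC_COOKIE) + b"\x00" * 12
    return header + attr


# Constructed sample: a cookie-shaped remote ufrag paired with an ordinary local ufrag.
SAMPLE = build_binding_request("fb.1.1718000000000.1234567890:abcd1234")
```

Run over UDP payloads to 127.0.0.1 from a capture, this separates ordinary ICE connectivity checks from ones that smuggle a tracking identifier.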

Detecting PureLogs traffic with CapLoader

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the PureLogs C2 protocol. The PureLogs protocol detection was added to[...]

Netresec

Another tool I use is #NetworkMiner

It is a powerful open-source tool for #NetworkForensics that lets me extract artifacts such as files, images, e-mails and passwords from PCAP files. NetworkMiner can also capture live network traffic and aggregate detailed information about each IP address, which is useful for passive asset discovery and overviews of communicating devices.

Since 2007, NetworkMiner has grown into a popular tool for incident response teams and law enforcement agencies and is used worldwide.

For me, an indispensable tool for analyzing network data efficiently and precisely.

😀 ✌🏼

#CyberSecurity #OpenSource #DigitalForensics #InfoSec #NetworkAnalysis #DFIR

New Blog!

There is lots of RFC1918 space out there, yet most people use the same 10 /24 subnets

I ended up having my OOB LAN collide with someone's home network a few weeks ago, and decided to find a new subnet to use that won't collide, backed up with actual usage data!

Picking uncontested private IP subnets with usage data

https://blog.benjojo.co.uk/post/picking-unused-rfc1918-ip-space

BKA names identity of the suspected boss of the Trickbot gang

The Federal Criminal Police Office BKA is searching for the alleged head of the notorious "Trickbot" gang by name and face.

heise online
CapLoader 2.0 released today!
🔎 Identifies over 250 protocols in #PCAP
🎨 Define protocols from example traffic
🇶 Extracts JA3, JA4 and SNI from QUIC
💻 10x faster user interface
https://netresec.com/?b=256dbbc
CapLoader 2.0 Released

I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allow users to define their own protocol detections based on example network traffic. User Defined Protocols CapLoader's[...]

Netresec

@benjojo great writeup, and a fun topic! Looks like my 192.168 subnet is pretty rare.
And my 10 subnet is unused!
@benjojo I've sometimes wondered if the best way to avoid this problem is to squat one of the documentation networks. Or the benchmarking one
@erincandescent until someone later on tries to run a test inside your network using the doc prefix as a "safe test" :P
@benjojo if you're running a test inside my OOB I have questions.

Like "who the fuck let you into our rack?"
@erincandescent @benjojo Well… could maybe be used in some testsuites.

@benjojo @erincandescent my "I'm only half joking" suggestion is 240.0.0.0/4, hardly anyone is going to run tests on that

it'll probably work with Linux-based BMCs? has the advantage that Windows hosts politely refuse to send packets there, but has the disadvantage that Cisco routers also refuse to send packets there

@erincandescent @benjojo
Something out of 100.64.0.0/10 would be a somewhat reasonable choice. (avoid 100.100.0.0/16 though as it's the obvious choice)
@nblr @benjojo I would avoid it because you're increasingly likely to get IPs in that space from ISPs
@nblr @erincandescent @benjojo Tailscale uses 100.64.0.0/10 by default, I think.

@neverpanic @nblr @erincandescent @benjojo yes, it does. this can cause weird problems if you're on a network where the dhcp server hands out addresses in that range.

i ran into this a few times and then decided to renumber my vpn to a subnet outside 100.64.0.0/16.

@benjojo my home network has been 192.168.12.0/24 since about 2002. so that it wouldn't clash with the work networks at the time. now it's just tradition ;)
@benjojo Interesting methodology to find unused subnets :)
@benjojo Oh, I've recently encountered a setup where use of the lesser known 172.32.… range was made.
@nblr @benjojo at least they *tried* to use some of the lesser used prefixes...
@nblr @benjojo One of my clients has a site-to-site VPN where the other side uses 211.69.0.0/16, and no, that client is not Chinese…
@nblr I know the feeling when you actually have to deal with 172.32... in real life and your head goes brrr

@benjojo tired: using a little used RFC1918 prefix to avoid collisions

wired: using the most widely used RFC1918 prefix for OPSEC reasons

(WebRTC/STUN leak your local IPs)

@benjojo one of my previous employers used NAT extensively on v4 subnets that collided with connecting networks. It got a little messy at times with all the troubleshooting and comms. v6 space is a bit bigger though 🙂
@benjojo In case you didn't stumble over it already and want to add it to the list, Mikrotik uses 192.168.88.0/24 as default prefix.
@kunsi Yeah but in practice it just isn't as popular in the dataset
@benjojo For the third octet in 192.168.0.0/16, 0 and 1 are the common consumer router defaults and 100 is commonly used by cable modems. I roll d256 and if I get one of those three I re-roll. 10.0.0.0/8 tends to be used by corporate systems and rarely by consumer gear so I roll d256 each for the second and third octets and re-roll on 0. It's served me well for decades since CIDR became the norm.
@tknarr @benjojo 192.168. roughly 172 to 184 is in use by consumers behind AVM FritzBox (default is 178 and people often change them around a little especially if they care for multiple ones (parents, etc.))
@benjojo not much love for the obvious 192.168.42.0/24 in there

@benjojo by chance I am reading this on a work laptop with a non-rfc1918 IPv4 address.

The upsides of an established university network.

@benjojo

interesting data, but i fixed this by using 198.18.0.0/15 (benchmarking prefix, RFC2544) for my private legacy IP networks:

- it should never be used by CPE because it's not meant for that
- but it can also never be used on the Internet

i suppose this might still break if two people had the same idea, but then the fix is to move to IPv6 :-)

@benjojo I personally love my 10.69.0.0/16 space I use for my internal network and 10.0.69.0/24 I use for my VPN. Obviously I'm very mature. 😅
@benjojo That fact WD managed to broadcast something that tells you my internal network space is... not my favorite thing! Thanks for sharing!
@benjojo my solution for this has been to get a randomized /48 ULA prefix on my network and do IPv6-only connections over a VPN, statistically guaranteed to never have a subnet conflict

later I also moved my IPv4 subnet somewhere into the 172.16.0.0/12 space, nice to see that I picked a rare one for that!
@benjojo The best way to permanently solve this problem is to use an IPv6 subnet for OOB, and simply allocate a contiguous slice of it for "private" NAT64 to any legacy-only devices (vs using the well-known nat64 prefix, which could collide with a local gateway)
@becomethewaifu You don't need to explain IPv6 back to me :) My OOB LAN still needs v4 because not everything (like my ATS) supports v6 prefixes

@benjojo Clever approach to an issue that's more common than most people think, thanks for publishing the data!

Have you considered the bias of users of obscure subnets not making themselves as easily noticeable from the outside than users of common ones, though? That's to say: wouldn't somebody that actively chose to place their network on a subnet that's among the more deserted ones also be less likely to publicly expose a WD Cloud-like device instead of, for example, using a dedicated VPN to access their LAN-only NAS and thus not showing up in your scans?

@nmaggioni Yes I did consider that, but generally speaking those users don't statistically matter. The amount of weird people is very low vs the bulk of default-everything users
@benjojo Absence of conflicts granted by weirdness and pedantry? Sounds like my setup is safe 👀
@benjojo I love those patterns in 10/8 and how most of them fade away
@benjojo
Or use RFC 6598 CGNAT space?
@benjojo Google Nest WiFi uses 192.168.86.0/24 indeed and @mikrotik is using 192.168.88.1/24 by default.
@benjojo what about using IPv6 for OOB? 😉

@Oskar456 Still not everything is IPv6 compatible (for example, my ATS)

On top of that there is weird client behavior if you bring up a split horizon VPN with v6 connectivity when there is no v6 default route. I've been bitten by this a load of times, I am not keen on hitting these quirks in emergencies. v4 works, it's just NAT, I choose boring/life

@benjojo
the question for me is: how many NAT (translations) are there in a connection. one...it's ok. two...well puh and three is hell. and this only if every NAT gateway is working.

ipv6 is so dead simple... (Ceterum censeo Carthaginem esse delendam)
@Oskar456

@benjojo I observe that corporations use large parts or everything of 10.0.0.0/8 and 172.16.0.0/12. So all networks I set up use 192.168.random.0/24, avoiding common numbers. So far this worked out well for me.
It's great you found and posted that list of commonly used blocks!! I've also seen devices default to 192.168.254.0/24. Also Fritzboxes have a hardcoded 192.168.179.0/24 for the guest network.

Also running IPv6 for more than half my life now....
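An added example, not code from the blog post or from any of the replies, that turns the defaults collected across this thread (tknarr's d256 re-roll rule, the Mikrotik, Google Nest and FritzBox prefixes, the 254 default, and the CGNAT range Tailscale also uses) into a collision check for a candidate prefix. The table is constructed from the replies above and is not an exhaustive survey.

```python
import ipaddress
import random

# Prefixes the thread reports as vendor defaults or otherwise likely to collide
# (constructed from the replies; descriptions are the replies' own attributions).
KNOWN_DEFAULTS = {
    "192.168.0.0/24": "generic consumer router", "192.168.1.0/24": "generic consumer router",
    "192.168.100.0/24": "cable modem", "192.168.86.0/24": "Google Nest WiFi",
    "192.168.88.0/24": "MikroTik", "192.168.178.0/24": "AVM FritzBox",
    "192.168.179.0/24": "FritzBox guest network", "192.168.254.0/24": "misc. device default",
    "100.64.0.0/10": "CGNAT (RFC 6598) / Tailscale default",
    "192.0.2.0/24": "documentation prefix (someone may run a 'safe test' on it)",
}
KNOWN_NETS = {ipaddress.ip_network(p): why for p, why in KNOWN_DEFAULTS.items()}
# FritzBox users commonly shuffle the third octet within roughly 172..184, so skip that band too.
REROLL_192_168 = {0, 1, 100, 86, 88, 254} | set(range(172, 185))


def collisions(candidate: str) -> list:
    """Return the known-default descriptions that overlap the candidate prefix."""
    net = ipaddress.ip_network(candidate, strict=False)
    return sorted(why for known, why in KNOWN_NETS.items() if net.overlaps(known))


def roll_192_168(rng: random.Random) -> ipaddress.IPv4Network:
    """tknarr's method: d256 for the third octet, re-roll on well-known defaults."""
    while True:
        third = rng.randrange(256)
        if third not in REROLL_192_168:
            return ipaddress.ip_network(f"192.168.{third}.0/24")


def roll_10(rng: random.Random) -> ipaddress.IPv4Network:
    """d256 each for the second and third octet, re-roll on 0 (the usual corporate picks)."""
    while True:
        second, third = rng.randrange(256), rng.randrange(256)
        if second and third:
            return ipaddress.ip_network(f"10.{second}.{third}.0/24")
```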

@benjojo
Wait until you get a load of the ULA v6 space :)

@benjojo @docsteel would not have happened with IP :)

Just quit using #IPvLegacy

@benjojo Loved the blog! I like that you had some data. I picked a 10.random.random.0/24 LAN a while ago, to avoid collisions, but then thought "Is this a tracking vector somehow?" (My local IP would be unique if it leaked) so I renumbered back to 192.168.1.0/24 to blend in with the normies!

Also I blogged about my internal subnet experience from 10 years of corporate life (pre-cloud!)

https://blog.amen6.com/blog/2024/04/internal-network-numbering-the-good-the-bad-and-the-ugly/

Internal Network Numbering: the Good the Bad and the Ugly

Introduction The Good The (Mundane) Bad The (Creative) Bad - IP Squatting The Ugly - Being Too Clever Postscript - What About IPv6? Introduction This is kind of a #storytime post, but also not. It's a retrospective of the Good, the Bad, and the Ugly choices I've seen over my twenty years of work, in regards to how companies choose to use and abuse their internal network numbering. It should be fairly simple, but it's one of those choices that can come back to bite you if you choose wrong (even if you do follow RFC 1918).

Confessions of a SysAdmin
@benjojo my street name started with K and the house number was 97. so, I used 10.75.97.0/24, 75 being the ASCII of K.
I guess many just use the default net of the router, depending on vendor, may be 192.168.4.0/24 or 192.168.6.0/24 or some such.