Finding Additions To The Umbrella DNS Popularity List

Since I started looking at the Umbrella DNS Popularity List I have been interested in seeing how much the data changes from day to day. I fired up RStudio and wrote some terrible code, but with some help I finally got it to work.
Yesterday there were 80937 new DNS names on the list that were not on the list the day before.
(Update: Here is a CSV of the 169366 domains that were not on the list on April 1st but were on the May 1st list.)
Here are the new additions on a map:

Link to the full screen map.

Here is a CSV of the data with GEOIP information added. 
Here is code I ended up with if you want to build your own:
https://gist.github.com/jgamblin/e665abadbafdd4757d484b728a74383c
Up next is to run these domains through Virustotal to see if any of them are bad.
Here is a picture semi-related to this blog post to make it look pretty when I share it on social media.
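One way to compute the day-over-day additions, as an added example rather than the gist linked above: it parses two Umbrella top-1m.csv snapshots (one rank,domain record per line) and reports the domains, with their rank, that appear only in the newer one; the two sample snapshots are constructed, not real list data.

```python
# Added example (not the author's gist): diff two Umbrella top-1m.csv snapshots.
# Assumes the Umbrella file format of one "rank,domain" record per line.
import csv
import io
import sys


def parse_umbrella(text):
    """Return {domain: rank} from an Umbrella list; domains are lower-cased
    and stripped of a trailing dot so spelling variants compare equal."""
    table = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2 or not row[0].strip().isdigit():
            continue  # blank or malformed line
        domain = row[1].strip().lower().rstrip(".")
        table.setdefault(domain, int(row[0]))  # keep the best rank if repeated
    return table


def find_additions(old_text, new_text):
    """Domains on the newer list that were absent from the older one,
    as (rank, domain) tuples sorted by rank."""
    old, new = parse_umbrella(old_text), parse_umbrella(new_text)
    return sorted((rank, d) for d, rank in new.items() if d not in old)


def find_removals(old_text, new_text):
    """Domains that dropped off the list between the two snapshots."""
    old, new = parse_umbrella(old_text), parse_umbrella(new_text)
    return sorted((rank, d) for d, rank in old.items() if d not in new)


# Constructed sample snapshots, not real Umbrella data.
YESTERDAY = "1,google.com\n2,facebook.com\n3,example.net\n4,gone.example\n"
TODAY = "1,google.com\n2,facebook.com\n3,Example.NET.\n4,newly-seen.example\n"

if __name__ == "__main__":
    # Usage: python umbrella_diff.py old_top-1m.csv new_top-1m.csv
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            added = find_additions(f_old.read(), f_new.read())
    else:
        added = find_additions(YESTERDAY, TODAY)
    print(f"{len(added)} new domains")
    for rank, domain in added:
        print(rank, domain)
```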

Burp Settings File

I am a huge fan of Tim Tomes and his Burp Suite Configuration Suggestions blog post. The problem is that I only use Burp a couple of times a month and end up facing this screen and having to re-configure Burp on every launch:

So I built burpsettings.json that:

  • Disables Browser XSS Protection
  • Disables Burp Collaborator Server
  • Disables Intercept by Default
  • Changes Scan Mode to Thorough
  • Turns Off Anonymous Feedback

This will make my Burp startup a lot faster, and I thought I would share the config file in case it helps someone else too.

Newly Registered Domain Name Keyword Search

Today I was asked if it was possible to generate a list of domain names registered every day with a keyword in the record (company name, city, trademark, etc.). There are a few paid services that do this, and domainpunch.com has a web-based tool that will do it, but I wanted to automate it so I could use it with a slackbot, so I put together this 4-line bash script:
https://gist.github.com/jgamblin/a353c8553e5dda51784d5b0614358aed
Usage:
./domains.sh keyword
Output:
This is a super simple script, but as they say, “simplicity is the ultimate sophistication”.

10 Questions You Should Ask Every Leader

I am reading a book called “The Art of Authenticity” and in the book over a couple of chapters it talks about understanding what makes strong leaders and deciding who you should follow.
I have pulled these 10 questions out of those chapters:

  • What was your first leadership role?
  • When you think about the process of becoming the leader that you are today, what experiences stand out for you as turning points?
  • How do you choose people to hire for your team?
  • Do you look for resume virtues or eulogy virtues first when you make a hiring choice?
    (Resume virtues are the skills you bring to work; eulogy virtues are the things people say about you when you die.)
  • What kinds of behaviors irritate you in colleagues?
  • Whom do you admire?
  • How would you describe yourself as a leader?
  • What kinds of situations bring out the best in you?
  • What kinds of situations bring out the worst in you?
  • What is the hardest thing you have ever done as a leader?

I will be spending the next couple of weeks with my mentors and leadership team finding out their thoughts on these questions. This is one of those non-technical things I felt inclined to share, and I am sure this book will spawn a few more of these short posts.

Getting The Most Out Of RSA

The RSA conference starts next week and, let's be honest, it is becoming known as a stuffy management conference with very little useful technical information. But if you know where to look you can take some deep dives, so I have put together a quick guide to some amazing talks and events I am looking forward to.

Talks:

BSidesSF –  Coming into town a few days early just to attend this conference.  There is so much good stuff on the schedule but I do not want to miss the Advanced Internet dataset combinations for #ThreatHunting & Attack Prediction talk.
Google Cloud Talks – If you have cloud “stuff” in your company you need to swing by and catch some of these talks. I am really looking forward to the Container Security Panel, and while not technical, Humanising DDoS: the technical and emotional impact of large-scale attacks on an organisation looks ridiculously intriguing.
IOActive – IOActive always does an amazing job with their IOASIS and talks. I am really looking forward to the Implementing Inexpensive Honeytrap Techniques and the Hardcore Cloud Forensics talks.
DevOOPS: Attacks and Defenses for DevOps Toolchains –  This talk by Ken and Chris is the one RSA talk I will not miss.

Events:

I ♥ Cisco Umbrella Soirée – My friends at OpenDNS always do an amazing job with their RSA party and I can't wait to see what they do on Valentine's Day with 20,000 geeks stuck in San Francisco.
Forescout – One, two, three and to the four, Snoop Doggy Dogg is at the door, ready to make an entrance so back on up. Snoop provided the soundtrack to my 7th grade basketball team and I am really looking forward to seeing him in person.

Tenable – Tenable is having an 80’s party on Sunday and, to quote Jay-Z:
Wanna bring the 80’s back?
That’s okay with me, that’s where they made me at.
BJJ Smackdown – For $50 you can be punched in the face by Jeremiah Grossman and maybe pick up some BJJ skills.
Rsaparties.io – Has a list of about 500 more parties you can attend.
If I am missing something I should be at or if you want to say hi next week you can catch me on twitter at @jgamblin.

RaiNmap Container

I use nmap all the time at work and recently came across rainmap-lite, which is an amazing web interface for nmap that allows you to easily schedule scans and email the results. I wanted to be able to share it with a class I am teaching, so I did what I have been doing lately and put it into a docker container:
Running it is as simple as:
docker run -ti -p 8080:8080 --name rainmap jgamblin/rainmap
Then access:
http://yourip:8080/console 
You can now run a ton of nmap scans and get the results emailed to you and your team.
Here is the Dockerfile:
FROM ubuntu:latest
# rainmap-lite needs nmap, sqlite3 for the Django database and (Python 2 era) pip
RUN apt-get update && apt-get install -y sqlite3 git nmap python-pip
RUN pip install --upgrade pip
RUN pip install lxml Django
RUN git clone https://github.com/cldrn/rainmap-lite
WORKDIR /rainmap-lite/rainmap-lite/
# run.sh (below) configures the cron job and starts the server at container start
COPY run.sh /rainmap-lite/rainmap-lite/run.sh
RUN chmod 755 /rainmap-lite/rainmap-lite/run.sh
CMD ["./run.sh"]

Here is the run.sh:
#!/bin/bash
# Point the cron job at the port the Django dev server listens on below.
sed -i "s/8000/8080/g" "nmaper-cronjob.py"
echo "What is your public IP address?"
read -r ip
sed -i "s/127\.0\.0\.1/$ip/g" "nmaper-cronjob.py"
echo "What is your SMTP user name?"
read -r user
# Replace the placeholder sender address the upstream script ships with.
sed -i "s/[email protected]/$user/g" "nmaper-cronjob.py"
echo "What is your SMTP password?"
# -s keeps the password off the terminal (and out of the container log).
# Note: a password containing / or & would need escaping before use in sed.
read -r -s pass
echo
sed -i "s/yourpassword/$pass/g" "nmaper-cronjob.py"
echo "What is your SMTP address?"
read -r smtp
sed -i "s/smtp\.gmail\.com/$smtp/g" "nmaper-cronjob.py"
python manage.py migrate
python manage.py loaddata nmapprofiles
python manage.py createsuperuser
# Dev server in the background; the cron job script then polls for scheduled scans every 15 seconds.
python manage.py runserver 0.0.0.0:8080 &
while true
do
    python nmaper-cronjob.py
    sleep 15
done

Protip:  SendGrid offers a free SMTP server. 

SSHoneypot*

I am at Security Summer Camp this week, and you always hear about how dangerous these networks are with no real proof, so I decided to see how dangerous they are*. I built the most insecure docker container I can think of: it runs SSHD with the root password set to root*, and I am exposing it to the Black Hat and DEF CON networks to see what happens.
I put the container here: jgamblin/sshoneypot
If you want to build and modify your own here is my base dockerfile:
FROM bashell/alpine-bash:latest
RUN apk update && apk upgrade
# Intentionally weak on purpose: password root login is enabled and the password is "root".
RUN apk add openssh openssh-sftp-server byobu tmux && \
    /bin/sed -i -e 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && \
    /usr/bin/ssh-keygen -A && \
    echo "source /etc/profile.d/color_prompt" > /etc/skel/.bashrc && \
    cp /etc/skel/.bashrc /root/.bashrc && \
    echo "root:root" | chpasswd && \
    su - root -c "byobu-launcher-install"
EXPOSE 22
# -D keeps sshd in the foreground; -e sends its log to stderr so `docker logs` shows every attempt
CMD ["/usr/sbin/sshd", "-D", "-e"]
I have been running it on a DigitalOcean droplet for a few hours and, surprisingly, none of the bots have been successful yet.
I will have a blog post next week with full pcaps and copies of the containers for any that have successful logins.
*This is like a really bad idea.  
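Since the interesting signal from a box like this is in sshd's own log output (the -e flag sends it to stderr, so `docker logs` shows it), here is an added example, not part of the original post, that tallies failed attempts per source address, records which usernames each source tried, and flags any successful login. The log lines are constructed samples using documentation addresses, and the function names are my own.

```python
# Added example (not from the original post): summarise sshd login attempts
# from the honeypot's log lines, e.g. the output of `docker logs <container>`.
import re
from collections import Counter

# sshd's standard auth messages, with or without a syslog prefix in front.
SSHD_AUTH = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_sshd_line(line):
    """Return a dict describing one login attempt, or None for other lines."""
    m = SSHD_AUTH.search(line)
    if not m:
        return None
    return {
        "success": m.group("result") == "Accepted",
        "method": m.group("method"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def summarise(lines):
    """Failed attempts per source IP, usernames tried per source, and every
    successful login (the event the honeypot exists to catch)."""
    failed = Counter()
    users_by_ip = {}
    successes = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        users_by_ip.setdefault(ev["ip"], set()).add(ev["user"])
        if ev["success"]:
            successes.append((ev["ip"], ev["user"], ev["method"]))
        else:
            failed[ev["ip"]] += 1
    return {"failed_by_ip": dict(failed), "users_by_ip": users_by_ip,
            "successes": successes}


# Constructed sample log lines (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
Failed password for root from 203.0.113.5 port 40122 ssh2
Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Failed password for root from 198.51.100.7 port 51000 ssh2
Accepted password for root from 198.51.100.7 port 51004 ssh2
Connection closed by 192.0.2.9 port 2222 [preauth]
""".splitlines()
```

Calling summarise(SAMPLE_LOG) reports two failures from 203.0.113.5 (trying root and admin), one failure from 198.51.100.7, and one successful password login as root from 198.51.100.7.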

Building A Security Lab

My mentor and I are in the middle of spinning up an information sharing group with local security professionals and next Friday is our first “working session” and we are discussing what building a security lab* looks like and costs.

We really hope to start walking through the tools in future meetings but here is what my security lab build looks like and roughly costs.


(Not sure why my blog doesn’t like tables. Here is a link to the excel spreadsheet.)

I really hope to pick up some information on what other people have in their labs that I am missing. 

*I am not sure if the correct term here is lab, toolkit or security testing platform. You pick.

You Should (Probably) Turn Off Wi-Fi Assist

If you do not have unlimited data on your iOS device you will want to turn off Wi-Fi Assist in iOS 9. Wi-Fi Assist uses your cellular data connection whenever you are on a slow Wi-Fi network.

To turn it off go to Settings > Cellular > Wi-Fi Assist > Off.
