Skip to main content

How to access malicious link in an enterprise environment




 I am writing the techniques based on my experience. In this globe right now below mentioned two techniques used to block the advance malicious links.

  1. SSL INSPECTION
  2. DNS sinkhole
  3. Use UDP connection

SSL INSPECTION

SSL inspection is a technique to decrypt all SSL/TLS connections in the perimeter device (Firewall, Web Security Device) and matching the inside web content like HTTP headers, HTML codes with the existing malware database.

How to check environment using SSL INSPCTION ?

  1. load https://google.com, then click the lock icon at the top left side of the URL bar.

2. In the SSL Certificate the organization name mentioned as “ISSUED BY”, you can ensure that SSL Inspection enabled in Firewall/WebSecurity devices.

If not, you are free to use an HTTPS connection with your Malicious link. you would not get the block.

DNS sinkhole

Still the malicious link is blocking by firewall check the system DNS .

If system DNS using local IP address/ In house DNS server, replace with Global DNS servers like 1.1.1.1 or 8.8.8.8.

once changed the DNS setting flush the DNS of the system by the below mention commends on CMD.

Type “ipconfig /flushdns” and press Enter.

Mostly the Malware does not contain newly registered domain details. you use newly registered domains for exploitation purposes.

Use UDP connection

Host UDP connection /UDP tunnel service from Control and command servers to bypass the old or not upgraded security devices.

A reverse TCP connection is recommended to host a control server inside the organization.

Most of the Social Engineering tools using this technique to escape from security checks.

Comments

Post a Comment

Popular posts from this blog

My Life as Information security engineer Chapter 1: Tools

  Hi folks, here I am going to share the tools list that I am using in my daily life cycle. NMAP  Nmap (“Network Mapper”) is a free and open-source (license) utility for network discovery and security auditing. Basically, I will use it to discover the open ports and closed ports where I did Port Mapping in firewalls. We can use this in the local network as well as in the WAN network. Also with help of the NSE script, we do multiple things like vulnerability check, exploitation, etc., Ref: http://www.piratesshield.com/2017/11/nmap-network-mapper-securtiy-scanner.html CURL and WGET curl   is a tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE). Normally using this tool to analyze the website headers when my web security device blocking some dynamic content websites and to create the Application signature in IPS. Wget   using to download files directly instead of opening and surfing the brow
Post a Comment
Read more

AquaSec Container Security Solution ( DevSecOps ) - A quickView

  What is AquaSec?      The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure, and secure running workloads wherever they are deployed.    Solutions : Cloud Native Security Platform CSPM Cloud Security Container Security Kubernetes Security Serverless Security Cloud VM Security Dynamic Threat Analysis (DTA) Container Vulnerability Scanning Aquasec offers a 14days trial to learn the container security / Automated DevSecOps. Use this link to get free trail  Sign In | Aqua (aquasec.com)   How to start with AquaSec? Once login into the portal click the nine dots in the left-side top > Aqua Hub  Then click the "Integrations" The Integration page has a lot of options to connect your container Platform Choosing your platform provides the required key to integrate. (follow the OEM documents ) The
Post a Comment
Read more

What is IP Obfuscation ? How it's working ? how to use Cuteit tool ?

  What is IP  Obfuscation?     Which is a method to hide or convert a doted format IP address  (e.g. 192.168.192.2)   into an Integer or Hexadecimal value or Octal form by using some mathematical formula. It’s a kind of method to spoof the human eyes and web security services. dot format to Decimal Conversion   piratesshield.com 👉  [172.67.129.3] to translate (172 x256 3 )+(67×256 2 )+(129×256 1 )+(3×256 0 ) =  2890105091 Now you can use  https://2890105091  to access piratesshield.com This is one of the ways to do IP  Obfuscation.  The tool  ‘ Cuteit ‘ is  A simple python tool to help you to social engineer, bypass whitelisting firewalls, potentially break regex rules for command-line logging looking for IP addresses and obfuscate cleartext strings to C2 locations within the payload. HOW TO USE CUTEIT ? Download & Install Cuteit from the below link git :   git clone https://github.com/D4Vinci/Cuteit.git Direct link: https://github.com/D4Vinci/Cuteit/archive/master.zip usage: Cu
Post a Comment
Read more