QUIZ
QUIZ 04
Cryptography/
Information Gathering
Recap
Key terms (Symmetric)
Key terms (Asymmetric)
Also called “Public-key cryptography”
One-way-function (trapdoor)
Easy to perform in one way but not the opposite
Measured in big O notation; it must be quadratic, O(n^2), or above
Factoring a number is considered ‘hard’
RSA (Rivest–Shamir–Adleman)
First (and standard) asymmetric crypto-system
Generation: prime p, q, generate λ(p*q), and λ(p)=p-1 / λ(q)=q-1 are pairs
Distribution: p, q are discarded,
Public Key Cryptography: RSA Encryption Algorithm
1:20 Separation of lock / key ,
2:05: D-H key exchange,
4:30 RSA function,
6:10, One-way function,
8:16, Factorization into primes
9:15 , Euler’s totient function
a^(φ(n)) ≡ 1 (mod n)
13:15, RSA operation
14:18: (DANGEROUS, too small e)
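The key generation notes and the "too small e" warning above, worked through as an added example (not from the slides or the video). The primes P and Q are constructed demo values and all function names are illustrative; it shows why unpadded RSA with e = 3 is unsafe for short messages, which is the reason real systems use padding such as OAEP.

```python
from math import gcd

# Constructed demo primes: far too small for real keys.
P, Q = 1000000007, 998244353

def carmichael(p, q):
    """lambda(p*q) = lcm(p-1, q-1) for distinct primes p and q."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def keygen(p, q, e):
    """Return ((n, e), d); p and q are not kept after this point."""
    n, lam = p * q, carmichael(p, q)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lambda(n)")
    return (n, e), pow(e, -1, lam)  # d = e^-1 mod lambda(n), Python 3.8+

def encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)

def decrypt(c, d, n):
    return pow(c, d, n)

def euler_holds(a, p, q):
    """Check a^phi(n) = 1 (mod n) for a coprime to n = p*q."""
    return pow(a, (p - 1) * (q - 1), p * q) == 1

def integer_root(x, k):
    """Largest r with r**k <= x, by binary search on exact integers."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def small_e_leaks(m, pub):
    """True when m**e < n: the modulus never wraps, so the ciphertext
    is a plain power and an ordinary e-th root gives back m."""
    n, e = pub
    return m ** e < n and integer_root(encrypt(m, pub), e) == m

if __name__ == "__main__":
    pub3, _ = keygen(P, Q, 3)
    print(small_e_leaks(42, pub3), small_e_leaks(123456789012, pub3))
```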
Steganography
Hide a message (not necessarily encrypted) inside a regular file
In file header / Metadata
Part of image
Single frame in video
Also works as a watermark
.onion
.onion is a special-use top level domain name designating an anonymous onion service, which was formerly known as a “hidden service”, reachable via the Tor network. Such addresses are not actual DNS names, and the .onion TLD is not in the Internet DNS root, but with the appropriate proxy software installed, Internet programs such as web browsers can access sites with .onion addresses by sending the request through the Tor network.
Cicada 3301: An Internet Mystery
https://www.youtube.com./watch?v=I2O7blSSzpI
0:00-4:30 story of Cicada, 12:10
DEF CON 2020 CTF Quals Welcome
Flag format ooo{xxxx,xxxx,xxxx}
Say it if you know it
CMYK
RGB
#RRGGBB
CMYK
Easy to verify,
Hard to separate
PortSwigger CA
Let’s Encrypt
A nonprofit Certificate Authority providing TLS certificates to ANY website.
Many malware sites are now signed with Let’s Encrypt
Try this:
https://ssl1.hkuspace.net
https://ssl2.hkuspace.net
X.509
X509 and PKI
Root CA
Issued by CloudFlare, trusted by Baltimore CyberTrust
Issued by Let’s Encrypt, trusted by DST
Fake certificate issued by Burp Suite CA
Self-signed certificates
Root-CA for HK – HKPost
Similar to DNS
Chain of trust
Limited number of Root CA (DNS root)
All Intermediate CA should be trusted by CA
All certificates should be signed, then issued, by the issuer
Certificate / Intermediate CA may be revoked by its parent trust
Superfish
Lenovo poisoned its own PCs with Superfish adware
Tutorial for SSL decryption on wireshark
https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/
PEM
PEM format (Privacy-Enhanced Mail)
The PEM format solves this problem by encoding the binary data using base64.
PEM also defines a one-line header, consisting of “-----BEGIN ”, a label, and “-----”, and a one-line footer, consisting of “-----END ”, a label, and “-----”.
The label determines the type of message encoded. Common labels include “CERTIFICATE”, “CERTIFICATE REQUEST”, “PRIVATE KEY” and “X509 CRL”.
PEM data is commonly stored in files with a “.pem” suffix, a “.cer” or “.crt” suffix (for certificates), or a “.key” suffix (for public or private keys)
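The PEM framing described above, as an added example (not part of the original slides): an encoder and a strict decoder that checks that the BEGIN and END labels match and that the body is valid base64. The function names are illustrative, and the payload used with it should be treated as arbitrary bytes, not a real certificate.

```python
import base64
import re

# One PEM block: header line, base64 body, footer line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)

def pem_encode(label, der):
    """Wrap binary data in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")

def pem_decode(text):
    """Return [(label, data), ...] for every block; ValueError if malformed."""
    out = []
    for begin, body, end in PEM_RE.findall(text):
        if begin != end:
            raise ValueError(f"label mismatch: BEGIN {begin} / END {end}")
        try:
            data = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"bad base64 in {begin} block") from exc
        out.append((begin, data))
    if not out and "BEGIN" in text:
        # Typical cause: the five ASCII hyphens were replaced by typographic
        # dashes when the block was pasted through a document editor.
        raise ValueError("BEGIN found but delimiters are damaged")
    return out

if __name__ == "__main__":
    sample = bytes(range(100))  # constructed payload, not a certificate
    bundle = pem_encode("CERTIFICATE", sample) + pem_encode("X509 CRL", b"\x30\x00")
    for label, data in pem_decode(bundle):
        print(label, len(data), "bytes")
```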
Certificate example
% openssl s_client -connect ssl2.hkuspace.net:443
Certificate chain
0 s:/CN=ssl2.hkuspace.net
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKDCCBBCgAwIBAgISA6bdGFm4UrrympZdh+8op3uAMA0GCSqGSIb3DQEBCwUA
eAAUi3hoxX5ONnOlR9XnDSCwHJXGu57QrhSTZIQHHd0Ew69MempK7jOG62RfjWjL
trefh29yWMYpsy/Tkj8Mm8uLTM5tVI34sbkJSQ==
-----END CERTIFICATE-----
subject=/CN=ssl2.hkuspace.net
issuer=/C=US/O=Let's Encrypt/CN=R3
OCSP
The Online Certificate Status Protocol (OCSP)
inurl:
https://cdn-cybersecurity.att.com/blog-content/GoogleHackingCheatSheet.pdf
APNIC
RIR
The Regional Internet Registries (RIRs) were established to assume this regional allocation and management role in cooperation with IANA. Today, there are five RIRs – APNIC, ARIN, RIPE NCC, LACNIC, and AFRINIC.
17.0.0.0/8
All IPv4 class A block assignment
https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
Apple Owns 17.0.0.0/8
Class A network
It contains a maximum of
256 * 256 * 256 = 16777216
16 million IPv4 addresses
https://stats.apnic.net/
IPv4 address exhaustion
The rise of CDN and hosting / Cloud computing (AWS, Azure, GCP, AliCloud)
Corporations use NAT intensively to save IPv4 addresses
Archive.org
https://web.archive.org/web/*/hkuspace.hku.hk
GitHub
Acts as an ‘archive’ for wiki pages and others
DNS SOA
SOA
A Start of Authority record (abbreviated as SOA record) is a type of resource record in the Domain Name System (DNS) containing administrative information about the zone, especially regarding zone transfers
dig notexist.hkuspace.net
AUTHORITY SECTION:
hkuspace.net. 1799 IN SOA jake.ns.cloudflare.com. dns.cloudflare.com. 2036592492 10000 2400 604800 3600
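An added example (not from the slides) that labels the fields of the SOA record in the dig output above: the primary name server, the administrator mailbox encoded in RNAME, the zone-transfer timers, and how long the "name does not exist" answer is cached under RFC 2308. Function names are illustrative.

```python
import re
from collections import namedtuple

SOA = namedtuple("SOA", "zone ttl mname rname serial refresh retry expire minimum")

def parse_soa(line):
    """Parse one SOA line in dig's presentation format."""
    f = line.split()
    if len(f) != 11 or f[2:4] != ["IN", "SOA"]:
        raise ValueError("not an IN SOA record line")
    return SOA(f[0], int(f[1]), f[4], f[5], *map(int, f[6:]))

def admin_mailbox(rname):
    """RNAME encodes the zone admin's e-mail: the first unescaped dot is the '@'."""
    local, domain = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    return local.replace("\\.", ".") + "@" + domain

def negative_cache_ttl(soa):
    """RFC 2308: a negative answer is cached for
    min(TTL of the SOA record, SOA MINIMUM field) seconds."""
    return min(soa.ttl, soa.minimum)

def transfer_timers_sane(soa):
    """Secondaries poll every `refresh`, retry after `retry` on failure and
    stop answering after `expire`, so retry < refresh < expire is expected."""
    return soa.retry < soa.refresh < soa.expire

# The AUTHORITY SECTION record from the dig output above, on one line.
LINE = ("hkuspace.net. 1799 IN SOA jake.ns.cloudflare.com. "
        "dns.cloudflare.com. 2036592492 10000 2400 604800 3600")

if __name__ == "__main__":
    rec = parse_soa(LINE)
    print(rec.mname, admin_mailbox(rec.rname), rec.serial)
    print("negative cache TTL:", negative_cache_ttl(rec), "s")
    print("timers sane:", transfer_timers_sane(rec))
```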
MX
MX is responsible for INCOMING emails
A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name
DNS TEXT
TXT records are a type of Domain Name System (DNS) record that contains text information for sources outside of your domain. You add these records to your domain settings. You can use TXT records for various purposes. Google uses them to verify domain ownership and to ensure email security.
Used as service checking / additional functions
DNS record is up to 253 chars, TXT is usually the longest
_amazonses.dnscheck.co “yAbMEC/HCY7VBhG2KA4cBwQ2I+T7raTN3o5XnMKxOd8=”
% dig _amazonses.dnscheck.co txt
#dig @
dig
Specify getting IP resolution by a specific server
What is the default output of #dig ?
How to perform dig over other protocols (HTTP)
1.1.1.1 / 8.8.8.8 / 114.114.114.114
List of public DNS
Cisco OpenDNS: 208.67.222.222 and 208.67.220.220;
Cloudflare 1.1.1.1: 1.1.1.1 and 1.0.0.1;
Google Public DNS: 8.8.8.8 and 8.8.4.4;
Quad9: 9.9.9.9 and 149.112.112.112.
China: 114.114.114.114
Aliyun: 223.5.5.5, 223.6.6.6
Baidu Yun: 180.76.76.76
360 DNS: 101.226.4.6, 123.125.81.6
ASN
https://bgp.he.net/
ASN = autonomous system
~= one service provider on internet
How the world reaches the internet via BGP
Peering map from ASN9381 (HKBN Biz)
List of IPv4 with PTR set
https://bgp.he.net/AS131279#_graph4
Peering map from AS131279 (North Korea)
It peers with AS20485 (TTK, Russia)
and AS134544 (cenbong, HK) / AS4837 (China Unicom 169, CN)
Korea, Democratic People’s Republic of
HKIX
https://www.hkix.net/hkix/participant.htm
Most of the world-wide service providers peer with HKIX to offer fast response times and save overseas bandwidth
RouteView
http://www.routeservers.org/
Mostly read-only routers / virtual routers
% nc route-views.sg.routeviews.org 23
Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
route-views.sg.routeviews.org> show ip bgp 8.8.8.8
show ip bgp 8.8.8.8
BGP routing table entry for 8.8.8.0/24
Paths: (18 available, best #9, table Default-IP-Routing-Table)
137831 15169
27.111.229.144 from 27.111.229.144 (10.100.165.2)
Origin IGP, localpref 100, valid, external
Last update: Tue Feb 23 06:12:55 2021
Looking Glass
https://lg.telia.net/
API
Application Programming Interface (API)
Data gathering automations
Automations (eq. to CLI)
OSINT
Open-source intelligence (OSINT) is a multi-methods (qualitative, quantitative) methodology for collecting, analyzing and making decisions about data accessible in publicly available sources to be used in an intelligence context
Most passive information gathering is OSINT
Search engine: Google, Baidu, Yandex
Network: DNS, IP, ASN
Social Media (Twitter, FB, Instagram, Weibo)
IM (WhatsApp, WeChat, Telegram, Signal, etc.)
Repository ( Github,