Everyone knows about Wireshark, the tool most people use to capture packets on Windows. Until now this was the only easy way to do a packet capture on Windows for troubleshooting or analyzing traffic.

Recently Microsoft has added a native packet capture tool that comes built in to the OS. This article covers the basic commands you can use to run a packet capture on Windows 10.

The packet capture tool on Windows is called pktmon.exe. You can run the tool from your command prompt. Just type pktmon in your command prompt to see the basic usage commands.

It comes with built-in help that explains what each command and switch does. To check the details of any command, type

pktmon <command> help

Capture packets in real time

We will create a simple filter to capture ICMP traffic and show it on the screen as the packets are captured by pktmon.

Note: Make sure the Command Prompt is running as administrator to be able to capture packets. If the Command Prompt is not running as administrator you will get an access denied error when starting a capture.

First, create a filter to tell pktmon what type of packets you want to capture.

We will be capturing all ICMP packets, so set the filter using the command below.

pktmon filter add PingFilter -t ICMP

In the above command, PingFilter is the name of the filter and ICMP is the type of packet we want to capture.

To show all the options available for setting up a capture filter, use the command below

pktmon filter add help

Check that the filter was added successfully using the filter list command

pktmon filter list

Once the capture filter is set, start the capture using the pktmon start command

pktmon start --etw --log-mode real-time

In the above command, --etw --log-mode real-time tells pktmon to show the packets matching the filter on screen in real time.

After starting the capture, ping some device on your network or on the internet and pktmon should show the captured packets in the command prompt.

This was a simple packet capture filter. You can also configure more complex capture filters, like

pktmon filter add DNS-PACKETS --data-link IPv4 --ip-address 8.8.8.8 --transport-protocol udp --port 53

This capture filter captures all the DNS queries and responses to/from 8.8.8.8.

To remove all capture filters, use the command

pktmon filter remove

These were the basic commands to do a simple packet capture using the Windows 10 pktmon tool.

Ubuntu by default tries to connect to the IPv6 address for apt update. This is not a problem in itself, as after the IPv6 connection fails it will try IPv4.

If your network does not have IPv6 connectivity, the time it takes to fall back from IPv6 to IPv4 every time you run updates is annoying.

Disable IPv6 only for APT

If you disable IPv6 only in APT, other programs will continue to use IPv6. Follow the steps below to disable IPv6 only for APT by adding to the APT configuration.

First, create a file in the apt config directory

sudo nano /etc/apt/apt.conf.d/99force-ipv4

Add the line below to the file and save it

Acquire::ForceIPv4 "true";

After adding the above configuration, APT will only use IPv4 for connecting to the internet.

This post shows how to migrate DNS management from Freenom to Cloudflare.

Freenom provides a facility for registering free domain names on unpopular TLDs.

You can check this previous post to know more about it.

The DNS management of Freenom is not that intuitive and it does not offer an API to automate DNS record changes.

This is where Cloudflare shines. Cloudflare's DNS management is faster and easier than Freenom's, and it also has API support to automate DNS management.

Move the DNS name server from freenom to Cloudflare

  1. Create a free account on Cloudflare.
  2. After logging in to Cloudflare it will ask you to add the domain. Once the domain is registered it may take some time for Cloudflare to detect it; if you get an error, wait 30 minutes and try adding the domain name again.
  3. Add an A record on the next page, where Cloudflare asks to add a DNS record, and click Continue.
  4. Once the domain is added, Cloudflare will give you 2 nameservers to add to Freenom to migrate the DNS management. Add these 2 nameservers in your Freenom account, in your domain management under Management Tools >> Nameservers.
  5. On Cloudflare click the Done, Check Nameservers button. It will take 5 to 30 minutes for the nameservers to update; Cloudflare will send an email once the nameservers are active and the domain is added to Cloudflare.
  6. Once the domain name is activated in Cloudflare, the DNS entries can be added in the DNS tab under the domain name in Cloudflare.

If you don't want to spend approximately $10 every year on a domain name, there is a free alternative available.

Freenom gives out free domain names on some of the least popular TLDs. These TLDs are good enough to use in a home lab or for testing.

You can get a free domain name on the TLDs below

.tk, .ml, .ga, .cf, .gq

By default you can get the domain name for free for up to 12 months. You can renew the domain name after 12 months for free again.

So essentially you are getting the domain for free for a lifetime, or until Freenom shuts down.

How the SIM swap scam works:

The scammer may call your cell phone service provider and say your phone was lost or damaged. They then ask the provider to activate a new SIM card connected to your phone number on a new phone they own.

If your mobile service provider believes the story and activates the new SIM card, the scammer gets a SIM with your number on it and will receive all your text messages, calls, and data on the new phone.

The scammer could open new cellular accounts in your name or buy new phones using your information.

They could also log in to your accounts that use text messages as a form of multi-factor authentication. How? Because they'll receive the text message with the verification code needed to log in.

Armed with your login credentials, the scammer could log in to your bank account and steal your money, or take over your email or social media accounts. And they could change the passwords and lock you out of your accounts.

How can you protect yourself from a SIM swap scam?

  • Don't reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
  • Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
  • Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider's website for information on how to do this.
  • Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use multi-factor authentication, keep in mind that text message verification may not stop a SIM card swap. If you're concerned about SIM card swapping, use an authentication app or a security key.
  • Consider using Google Authenticator or a similar time-based OTP (TOTP) app as the multi-factor authentication method instead of SMS wherever possible.

What to do if you are the target of a SIM swap scam

  • Contact your cellular service provider immediately to take back control of your phone number. After you regain access to your phone number, change your account passwords.
  • Check your credit card, bank, and other financial accounts for unauthorized charges or changes. If you see any, report them to the company or institution.

A remote code-execution (RCE) vulnerability (CVE-2019-1579) has been uncovered in the GlobalProtect portal and GlobalProtect Gateway interface security products from Palo Alto Networks. It's an unusual zero-day case, having been previously unknown but inadvertently fixed in later releases.

The vulnerability (CVE-2019-1579) is a format string vulnerability in the SSL Gateway, which handles client/server SSL handshakes. It's a critical bug because it allows an unauthenticated attacker to execute arbitrary code. It's recommended to update the gateway OS as soon as possible.

First publicized by researchers Orange Tsai and Meh Chang last week, the bug was a previously unknown vulnerability, but later versions of Palo Alto's products happen to be inoculated against it, meaning that up-to-date systems are not in danger.

The affected versions are

  • PAN-OS 7.1.18 and earlier
  • PAN-OS 8.0.11 and earlier
  • PAN-OS 8.1.2 and earlier

PAN-OS 9.0 is not affected.

The fixed versions are

  • PAN-OS 7.1.19 and later
  • PAN-OS 8.0.12 and later
  • PAN-OS 8.1.3 and later

For those who can't update yet, Palo Alto recommends updating to content release 8173 or later, and making sure that threat prevention is enabled and enforced on traffic that passes through the GlobalProtect portal and GlobalProtect Gateway interface.

This post covers how TCP Selective Acknowledgment (SACK) can be disabled on the Linux kernel. TCP SACK is used to improve the performance of data transfer on the TCP stack.

When TCP SACK is enabled, the TCP packet capture will show TCP options similar to the screenshot below.

TCP packet capture sample when TCP SACK is enabled

Disable TCP SACK

To disable SACK, run the commands below on the Linux CLI as root (the # prompt). Note that sudo on echo alone would not elevate the redirect into /etc/sysctl.conf, so run them from a root shell.

# echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf
# sysctl -p

After running the above commands the Linux server needs to be rebooted to apply the new configuration.

Once the server is rebooted, it will no longer do TCP SACK.

Disabling TCP SACK will negatively affect data transfer performance. The magnitude of the performance hit depends on the type of data transfer.
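To confirm what a capture shows before and after the change, here is an added check (not from the original post) that parses the TCP options of a raw segment and reports whether SACK was negotiated (kind 4, SACK-permitted, on the SYN) or is in use (kind 5 SACK blocks), which is what the screenshot above displays. Both sample segments are constructed inline, not real traffic.

```python
import struct

OPTION_NAMES = {2: "MSS", 3: "WScale", 4: "SACK-permitted", 5: "SACK", 8: "Timestamps"}


def parse_tcp_options(segment: bytes) -> list:
    """Return [(kind, payload), ...] from the options area of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes (data offset is in 32-bit words)
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, i, parsed = segment[20:data_offset], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of option list
            break
        if kind == 1:                             # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")   # never read past the header
        length = opts[i + 1]
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def sack_status(segment: bytes) -> dict:
    """Summarise SACK use: permitted flag (from a SYN) and any (left, right) SACK blocks (from an ACK)."""
    status = {"sack_permitted": False, "sack_blocks": []}
    for kind, payload in parse_tcp_options(segment):
        if kind == 4:
            status["sack_permitted"] = True
        elif kind == 5:
            if len(payload) % 8:
                raise ValueError("SACK option length must be 2 + 8n")
            status["sack_blocks"] = [struct.unpack(">II", payload[j:j + 8])
                                     for j in range(0, len(payload), 8)]
    return status


# Constructed samples: 20-byte header with data offset 8 (32 bytes), followed by 12 bytes of options.
SYN_SACK_PERMITTED = bytes.fromhex("c00001bb" "00000000" "00000000" "8002ffff" "00000000"
                                   "020405b4" "01010402" "03030701")   # MSS, NOP, NOP, SACK-perm, WScale, NOP
ACK_WITH_SACK_BLOCK = bytes.fromhex("c00001bb" "00000001" "00000001" "8010ffff" "00000000"
                                    "0101050a" "000003e9" "000007d1")  # NOP, NOP, SACK block [1001, 2001)

if __name__ == "__main__":
    for name, seg in (("SYN", SYN_SACK_PERMITTED), ("ACK", ACK_WITH_SACK_BLOCK)):
        print(name, [OPTION_NAMES.get(k, k) for k, _ in parse_tcp_options(seg)], sack_status(seg))
```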

Cloudflare DNS server 1.1.1.1

Cloudflare launched new free public DNS resolvers 1.1.1.1 and 1.0.0.1 on April Fools' Day 2018 (this is not a joke, it's a real service). This service competes directly with Google's and OpenDNS's public resolvers.

Cloudflare claims to have built the new resolvers with security and speed as core features. Here are the results of a latency test for both 1.1.1.1 and 8.8.8.8 from all over the world, for comparison.

CloudFlare 1.1.1.1 DNS Latency Test

Google 8.8.8.8 DNS Latency Test

Of course, this is just a simple latency test and actual performance may vary depending on various other factors.

Memorable IP Address

Until now Google's 8.8.8.8 used to be the most memorable publicly used IP address, followed by Level 3's 4.2.2.2. Cloudflare's 1.1.1.1 is not more memorable than Google's 8.8.8.8, but I have to admit it's way cooler. This matters because you can use domain names so you don't have to remember the IP addresses of websites, but you cannot do that with DNS servers: you need to know their IP address.

DNS-over-TLS and DNS-over-HTTPS Support

The DNS protocol was not designed with security in mind because at the time it was designed it did not need it. That's not true for today's internet. For that reason Cloudflare's DNS servers support both DNS-over-TLS and DNS-over-HTTPS from day 1.

Fastest DNS Server

Cloudflare has also posted on their blog that DNSPerf has ranked 1.1.1.1 as the fastest DNS server, with an average query speed of 14ms. Of course, you will get different results based on your location and whether or not you are a Cloudflare customer.

DNS Query Name Minimisation to Improve Privacy

Cloudflare also supports DNS query name minimisation to improve privacy, as defined in RFC 7816. This means that Cloudflare's DNS resolvers do not send the full query name to the upstream name servers, which reduces the information leaked to upstream DNS servers, like the root and TLD servers.

IPv6 Support

Along with 1.1.1.1 and 1.0.0.1, Cloudflare has also provided memorable IP addresses for their IPv6 DNS servers: 2606:4700:4700::1111 and 2606:4700:4700::1001.

You can learn more about Cloudflare's DNS servers at https://1.1.1.1

Let's Encrypt has recently started supporting wildcard certificates using its new ACMEv2 protocol. This means that you can have a single wildcard certificate like *.asknetsec.com and use it on all the sub-domains, like blog.asknetsec.com and email.asknetsec.com.

This makes it very easy to manage certificates for different sub-domains. Until now, each sub-domain needed its own certificate generated for that specific sub-domain.

Install Certbot

Certbot is not available in the default Ubuntu repository. Run the command below to add the PPA repository.

sudo add-apt-repository ppa:certbot/certbot

This will add the repository from which certbot can be installed

sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let’s Encrypt Team and backported for Ubuntu(s).
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmp1hyvak__/secring.gpg' created
gpg: keyring `/tmp/tmp1hyvak__/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp1hyvak__/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK

Update packages

sudo apt update

Run the command below to install certbot

sudo apt install certbot

Make sure that you are using Certbot version 0.22 or above. Certbot before version 0.22 does not support wildcard certificates.

Steps to generate wildcard certificate

Run the command below on the Linux CLI. The wildcard is quoted so the shell does not try to expand it as a file glob.

$ sudo certbot certonly --manual -d "*.asknetsec.com" --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Replace *.asknetsec.com with your domain name, for example *.yourdomainname.com. Once you run this command it will generate a DNS TXT record value.

The command output will be similar to the one below

debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@asknetsec.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

——————————————————————————-
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
——————————————————————————-
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for asknetsec.com

——————————————————————————-
Please deploy a DNS TXT record under the name
_acme-challenge.asknetsec.com with the following value:

AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs

Before continuing, verify the record is deployed.

——————————————————————————-
Press Enter to Continue

Create a DNS TXT record for the sub-domain _acme-challenge.yourdomainname.com with the value generated by certbot when the above command is run. In my case the value was AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs.

You will have to wait for some time for the new DNS record to propagate over the internet. I waited for 10 minutes and pressed enter.

Press Enter to Continue
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/asknetsec.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/asknetsec.com-0001/privkey.pem
Your cert will expire on 2018-06-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Congratulations!! The wildcard certificate has been generated. You can use this wildcard certificate with any sub-domain you create for your domain name.
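The earlier post moved DNS to Cloudflare precisely because it has an API, and this is where that pays off: here is an added example (not from the original post or from Cloudflare) that creates the _acme-challenge TXT record certbot asks for through the Cloudflare v4 DNS API, so the dns-01 step can be scripted instead of pasted by hand. The zone id and API token are assumed to come from the CF_ZONE_ID and CF_API_TOKEN environment variables, and the API response used in testing is constructed.

```python
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def build_txt_record_request(zone_id: str, api_token: str, domain: str,
                             challenge_value: str, ttl: int = 120) -> tuple:
    """Build (url, headers, body) for POST /zones/{zone_id}/dns_records.

    The record name is _acme-challenge.<domain>, which is what certbot prints
    for a dns-01 challenge on *.<domain>."""
    if not zone_id or not api_token:
        raise ValueError("zone id and API token are required")
    url = f"{API_BASE}/zones/{zone_id}/dns_records"
    headers = {
        "Authorization": f"Bearer {api_token}",   # an API token limited to DNS edit on this zone, not the global key
        "Content-Type": "application/json",
    }
    body = {"type": "TXT", "name": f"_acme-challenge.{domain}",
            "content": challenge_value, "ttl": ttl}   # short TTL: the value changes at every renewal
    return url, headers, json.dumps(body).encode()


def parse_record_id(raw: bytes) -> str:
    """Extract the new record id from a Cloudflare v4 response; raise when success is false."""
    reply = json.loads(raw)
    if not reply.get("success"):
        raise RuntimeError(f"Cloudflare API error: {reply.get('errors')}")
    return reply["result"]["id"]


def create_txt_record(zone_id: str, api_token: str, domain: str, challenge_value: str) -> str:
    """Send the request and return the record id (keep it so the record can be deleted after validation)."""
    url, headers, body = build_txt_record_request(zone_id, api_token, domain, challenge_value)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_record_id(resp.read())


if __name__ == "__main__":
    # CF_ZONE_ID / CF_API_TOKEN are assumed environment variables, not values from the post.
    zone, token = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]
    value = input("TXT value printed by certbot: ").strip()
    print("created record", create_txt_record(zone, token, "asknetsec.com", value))
```

Wait for the record to resolve (dig TXT _acme-challenge.yourdomainname.com) before pressing Enter in certbot, and delete the record once the certificate is issued.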