White Hat Can Benefit From Archaic Network Commands

Investigating intrusions has challenges beyond normal Blue Team or even Red Team interests.

However, an alert system administrator may become aware of an intrusion while it is STILL IN PROGRESS:

At that time, the old DOS command "fflush," which instructs the D(omain) N(ame) S(erver) to REASSIGN ALL IP addresses, would be of assistance to him. After the server followed the instruction (which can take fifteen minutes or so,) the bad guys would be faced with searching many local IP addresses to identify the admin's address, before the bad guys could resume the assault. This is less useful to a webmaster since his IP address is available by presenting his site name to DNS outright, as soon as it is re-assigned. Likewise, many applications require a static IP address.

To assist the situation, we can point out that "flush" (note: only one -1- "f") deletes all local DNS cache info. This can assist network requests in obtaining correct IP info to communicate outside the LAN.

Intruders commonly spend weeks identifying files to exfiltrate ON THE NETWORK, before executing it as a batch, or burst broadcast. To hinder this purpose, an fflush BEHIND the VPN would confuse intruders identifying individual machines. Importantly, this would include the local IP address of pivot points.

Finally, we can invent a companion command "xflush" for use AT DNS by the DNS Admin. At the request of law enforcement, xflush would instruct DNS to IGNORE ALL FFLUSH commands for a FINITE TIME-FRAME - four (4) hours as an example. During this time, all bad guys could not get their IP address re-assigned, pinning them to their machine/lan. 

By the creative implementation of these commands, which can be written for a Linux Distro, as well as distributed with an OS update, investigators can be better equipped to identify network intruders, not just intrusions.

Comments

Post a Comment

Popular posts from this blog

A Question About Erasthmus' Sieve

Students of Mathematics are familiar with Erasthmus' Sieve. 2     x 3          x                4       x 5               x 6     x     x 7 8     x 9          x 10       x          x 11 12     x     x 13 14     x 15          x     x 16     x 17 18     x     x 19 20     x          x 21          x 22     x 23 First, we strike all multiples of 2 up to the square root (5.) Then all multiples of 3, then all multiples of 5, etc. I wrote a digital implementation of the Sieve, and used the index cr...
Read more

An Improvement To The Three Second Hold Rule

The rule that a broker has to hold a share for three (3) seconds, or one hundred shares for three hundred (300) seconds, can be improved. Brokers wishing to game the system will simply proliferate buy orders, and hold multiple buys of consolidated numbers of shares for three (3) seconds. To limit this, each broker could be limited to one buy per second. In this way, if he wishes to invest in 60 companies, he will have to use 60 seconds to put the buy orders in. If he wished to buy 1,000,000 shares, but only wishes to hold them for 1000 seconds ( 16.6 minutes,) he would be forced to put in 1000 buys of 1000 shares each. This process would force him to use 16.6 minutes in the buy process, after which each individual buy would be ready to sell in 50 minutes.  Computer programs written to optimize time to hold v time to buy would be forced to keep track of all the buy orders.  An alternative would be to attempt to consolidate all buy orders, but this is game-able by a round robin ...
Read more

Notice of corrupted results: Vigenere may yet be found to be a "group."

Retraction: It is with regret that I do not delete the previous post. I am an individual, not an organization, and I failed to adequately double-check my results, but I am leaving the post to maintain some accountability. I am able to definitively say that the script for 2chars_from_file.py DOES NOT yield an exhaustive list. It develops the ciphertext for all 2 Char combinations of the FIRST 10, three character ciphertexts. This is not due to a logic error, but rather there is a virus that corrupts the indentation of the two write statements.  This may be verified by downloading the relevant code, and examining it, and running it if needed, against the relevant datafile. It is difficult to be exhaustively correct about ALL of the scripts. This calls ALL of my results in question, with regard to the qualification of a mathematical group. If Vigenere IS a group, the resulting substitution is still valid, but there exist 6 Char passwords that will accomplish the same encryption in ONE...
Read more