
simulator: don't bind to external IP during DNS simulations #40

Merged: 1 commit from issues/39 into master, Oct 26, 2021
Conversation

kmroz (Contributor) commented Sep 8, 2021

Should help with DNS queries where the nameserver is not reachable via
the external IP (i.e. systemd's 127.0.0.53, etc).
Also report an error if resolve fails due to dial errors.

Addresses: #39

@kmroz kmroz requested a review from tg September 8, 2021 14:55
@kmroz kmroz force-pushed the issues/39 branch 2 times, most recently from 489e76a to fd1fc36, September 10, 2021 05:51
kmroz (Contributor, Author) commented Sep 14, 2021

Added iface handling, etc.

Sample output/errors:

Default iface

./flightsim run
AlphaSOC Network Flight Simulator™  (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 10.186.0.3
The current time is 14-Sep-21 08:16:45

08:16:45 [c2] Preparing a random sample of C2 domains
08:16:45 [c2] Resolving livdecor.pt
08:16:46 [c2] Resolving matixx.xyz
...
08:16:50 [c2] Done (5/5)
...
08:16:55 [dga] Generating a list of DGA domains
08:16:55 [dga] Resolving uonemmjxkx.net
08:16:56 [dga] Resolving ymswtzhopm.net
...
08:17:10 [dga] Done (15/15)
...
08:17:16 [scan] Preparing a random sample of RFC 5737 destinations
08:17:16 [scan] Port scanning 203.0.113.4
08:17:19 [scan] Port scanning 203.0.113.7
...
08:17:46 [scan] Done (10/10)
...
08:18:06 [tunnel-dns] Simulating DNS tunneling via *.sandbox.alphasoc.xyz
08:18:16 [tunnel-dns] Done (1/1)

iface set by user (ubuntu, with 127.0.0.53 in /etc/resolv.conf)

AlphaSOC Network Flight Simulator™  (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 10.186.0.3
The current time is 14-Sep-21 08:12:33

08:12:33 [c2] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.

08:12:33 [c2] Preparing a random sample of C2 domains
08:12:33 [c2] Resolving xeibzs12.top
08:12:34 [c2] ERROR: xeibzs12.top: lookup xeibzs12.top. on 127.0.0.53:53: dial udp 10.186.0.3:0->127.0.0.53:53: i/o timeout
...
08:12:38 [c2] Done (0/5)
...
08:12:43 [dga] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.

08:12:43 [dga] Generating a list of DGA domains
08:12:43 [dga] Resolving wdzowbbvuo.biz
08:12:44 [dga] ERROR: wdzowbbvuo.biz: lookup wdzowbbvuo.biz. on 127.0.0.53:53: dial udp 10.186.0.3:0->127.0.0.53:53: i/o timeout
...
08:12:58 [dga] Done (0/15)
...
08:13:03 [scan] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.

08:13:03 [scan] Preparing a random sample of RFC 5737 destinations
08:13:03 [scan] Port scanning 203.0.113.39
08:13:06 [scan] Port scanning 203.0.113.43
08:13:09 [scan] Port scanning 203.0.113.50
...
08:13:33 [scan] Done (10/10)
...
08:13:54 [tunnel-dns] WARNING: You've specified use of interface 'ens4' with address '10.186.0.3' for this module. Overriding defaults may cause connectivity issues.

08:13:54 [tunnel-dns] Simulating DNS tunneling via *.sandbox.alphasoc.xyz
08:13:54 [tunnel-dns] ERROR: sandbox.alphasoc.xyz: lookup pvnxjanknktrudzahtallgpgrmlptm.sandbox.alphasoc.xyz. on 127.0.0.53:53: dial udp 10.186.0.3:0->127.0.0.53:53: i/o timeout
08:14:04 [tunnel-dns] Done (0/1)

@kmroz kmroz marked this pull request as draft October 19, 2021 13:51
@kmroz kmroz marked this pull request as ready for review October 25, 2021 15:16
kmroz (Contributor, Author) commented Oct 25, 2021

Something like this... let me know what you guys think. As discussed, we can hold off on this until the next release, in which case I'll prep a release tomorrow.

ubuntu:~$ ./flightsim run c2

AlphaSOC Network Flight Simulator™  (https://github.com/alphasoc/flightsim)
The address of the network interface for IP traffic is 10.186.0.4
The address of the network interface for DNS queries is 127.0.0.1
The current time is 25-Oct-21 15:17:33

15:17:33 [c2] Preparing a random sample of C2 domains
15:17:33 [c2] Resolving astro--pacific.com
15:17:34 [c2] Resolving boundertime.ru
15:17:35 [c2] Resolving boldchat.website
15:17:36 [c2] Resolving premieruandcsystems.com
15:17:37 [c2] Resolving officeworkzone.xyz
15:17:38 [c2] Done (5/5)

15:17:38 [c2] Preparing a random sample of C2 IP:port pairs
15:17:38 [c2] Connecting to 3.17.7.232:19832
15:17:39 [c2] Connecting to 192.34.109.104:443
15:17:40 [c2] Connecting to 81.213.59.22:443
15:17:41 [c2] ERROR: 81.213.59.22:443: dial tcp 10.186.0.4:0->81.213.59.22:443: i/o timeout
15:17:41 [c2] Connecting to 136.144.41.168:59666
15:17:42 [c2] Connecting to 178.128.94.170:443
15:17:43 [c2] ERROR: 178.128.94.170:443: dial tcp 10.186.0.4:0->178.128.94.170:443: i/o timeout
15:17:43 [c2] Done (3/5)

All done! Check your SIEM for alerts using the timestamps and details above.
ubuntu:~$ ./flightsim run -iface lo c2

AlphaSOC Network Flight Simulator™  (https://github.com/alphasoc/flightsim)
The address of the network interface for IP traffic is 127.0.0.1
The address of the network interface for DNS queries is 127.0.0.1
The current time is 25-Oct-21 15:21:21

15:21:21 [c2] Preparing a random sample of C2 domains
15:21:21 [c2] Resolving service-mp2sc0gc-1301679103.gz.apigw.tencentcs.com
15:21:22 [c2] Resolving service-azhuvd2i-1305517013.gz.apigw.tencentcs.com
15:21:23 [c2] Resolving mywatchidea.com
15:21:24 [c2] Resolving sec.qaxcn.cf
15:21:25 [c2] Resolving boldchat.website
15:21:26 [c2] Done (5/5)

15:21:26 [c2] Preparing a random sample of C2 IP:port pairs
15:21:26 [c2] Connecting to 47.92.163.5:8443
15:21:26 [c2] ERROR: 47.92.163.5:8443: dial tcp 127.0.0.1:0->47.92.163.5:8443: connect: invalid argument
...
15:21:30 [c2] Done (0/5)

All done! Check your SIEM for alerts using the timestamps and details above.

@kmroz kmroz requested a review from ioj October 25, 2021 15:24
Review threads: cmd/run/run.go (2 threads, outdated, resolved); simulator/miner.go (1 thread, resolved)
Extend how flightsim finds a usable (up until now, only external) IP.
An external IP is favoured, however, allow flightsim to fallback to a
local/internal IP if necessary.  This will correctly show failures in
IP simulations if a user specifies '-iface lo'.  For DNS simulations
using systemd's stub resolver, this will allow the simulation to
succeed.

Further, DNS simulations should use the interface obtained via a DNS
probe, unless overridden via the -iface flag.
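The commit message above describes two rules: probe which local address the kernel would use to reach the configured nameserver and bind DNS sockets to that address, and let an explicit -iface override win. The Sep 14 and Oct 25 logs show what happens when the bound address and the resolver do not match: binding the ens4 address and dialing 127.0.0.53 times out, and binding 127.0.0.1 and dialing a public C2 address fails with "connect: invalid argument". The following is an added example written for this page, not flightsim's own code: it uses only the Go standard library (net.Dial on a UDP socket for the route probe, net.Resolver with a custom Dial to pin the source address) and assumes a systemd stub resolver at 127.0.0.53:53 and an interface address of 10.186.0.3, both constructed from the values in the logs.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"time"
)

// probeLocalAddr asks the kernel which source address it would choose to
// reach nameserver (host:port). Connecting a UDP socket sends nothing on
// the wire; it only performs the route lookup and binds the local side,
// so this works for 127.0.0.53 just as for a remote resolver.
func probeLocalAddr(nameserver string) (net.IP, error) {
	conn, err := net.Dial("udp", nameserver)
	if err != nil {
		return nil, fmt.Errorf("probe %s: %w", nameserver, err)
	}
	defer conn.Close()
	return conn.LocalAddr().(*net.UDPAddr).IP, nil
}

// pickDNSBindAddr mirrors the rule in the commit message: an explicit
// -iface override wins, otherwise the probed address is used.
func pickDNSBindAddr(override, probed net.IP) net.IP {
	if override != nil {
		return override
	}
	return probed
}

// bindMismatch is a heuristic for the two failures seen in the PR logs:
// a socket bound to a non-loopback address cannot talk to a loopback-only
// resolver such as 127.0.0.53 (the query times out), and a socket bound
// to loopback cannot reach a non-loopback host (connect: invalid argument).
func bindMismatch(bind, nameserver net.IP) bool {
	return bind.IsLoopback() != nameserver.IsLoopback()
}

// resolverBoundTo returns a net.Resolver whose UDP and TCP sockets are
// bound to local, so DNS traffic leaves from the chosen interface address.
// With PreferGo the Go resolver reads /etc/resolv.conf itself and passes
// the nameserver address to Dial.
func resolverBoundTo(local net.IP) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
			d := net.Dialer{Timeout: 3 * time.Second}
			switch network {
			case "udp", "udp4", "udp6":
				d.LocalAddr = &net.UDPAddr{IP: local}
			default:
				d.LocalAddr = &net.TCPAddr{IP: local}
			}
			return d.DialContext(ctx, network, address)
		},
	}
}

func main() {
	// Assumed resolver address (constructed: systemd-resolved's stub).
	const nameserver = "127.0.0.53:53"
	probed, err := probeLocalAddr(nameserver)
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	fmt.Println("The address of the network interface for DNS queries is", probed)

	// Constructed values standing in for "-iface ens4" and the resolver IP.
	override := net.ParseIP("10.186.0.3")
	nsIP := net.ParseIP("127.0.0.53")
	for _, bind := range []net.IP{probed, override} {
		if bindMismatch(bind, nsIP) {
			fmt.Printf("WARNING: binding %s to query %s will not work\n", bind, nsIP)
		}
	}

	// Resolve through a resolver pinned to the probed (not the external) address.
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	r := resolverBoundTo(pickDNSBindAddr(nil, probed))
	addrs, err := r.LookupHost(ctx, "example.com")
	fmt.Println(addrs, err)
}
```

Run it on a host with a systemd stub resolver and the probe returns 127.0.0.1, which is what the Oct 25 output reports for DNS queries while IP traffic still uses the external address. The mismatch check is deliberately a heuristic on loopback-ness; the authoritative answer is always the probe itself.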
@tg tg linked an issue Oct 26, 2021 that may be closed by this pull request
tg (Contributor) commented Oct 26, 2021

🦭

@tg tg merged commit 1775d49 into master Oct 26, 2021
@kmroz kmroz deleted the issues/39 branch October 26, 2021 14:23
Linked issue that this pull request may close: invalid interface being used for DNS queries (#39)