CloudShark 2018 Halloween Challenge

Well, Tom and the team at CloudShark have put together an excellent packet capture challenge on their blog once again. It has actually been a while since I've dug into a capture due to my recent shift in focus to Amazon Web Services, so this was a lot of fun for me. I feel like once you're a "packet junkie" you are always one!

*SPOILER ALERT* The rest of this post describes the challenge and the process I followed for solving it. If you have not completed it and intend to do so, please stop reading here.

The Challenge

This challenge essentially boiled down to exporting the shared capture file and then analyzing it to find 5 (or more) hidden pumpkins. My time is limited these days, so I found 5 and stopped there.

My Approach

I approached this challenge similar to how I handle most cases. I thought up a few possible scenarios that I could chase down quickly, a few more that could...

Case of the Large Header

Just because you can do something doesn't always mean you should. One such example is using large HTTP headers. The HTTP specification itself doesn't set a hard limit on header size, but most web servers ship with a default limit of around 8 KB for the request head, and other devices in the path such as firewalls/WAFs, proxies, and load balancers enforce similar limits of their own. A hop that rejects the request will not necessarily answer with a 431 Request Header Fields Too Large; some simply tear the connection down, which is what makes the symptom confusing.

Problem

The application testers were receiving a reset error. Their application and web server logs did not show any problems.

Analysis

The first question asked was, "If the web server isn't sending the reset error, what is?" In this case we found there were several devices in the path, including a domain firewall and a load balancer. The firewall admin saw two-way traffic hitting an accept rule and passing through. That left the load balancer. The load balancer admin confirmed via a packet capture that it was, in fact, sending a reset near the end of the TCP stream. Why would the load balancer send a reset? A load balancer does exactly that....balances...
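The behaviour described above, reproduced offline as an added example (my code, not from the original post or from CloudShark): a throwaway local TCP listener plays the strict intermediary, reading the request head and aborting with a TCP RST (SO_LINGER set to zero) once the head passes an assumed 8 KB limit, and a probe sends a single oversized header and reports whether the request was accepted or reset. The limit, the loopback listener and the X-Padding header name are assumptions for the demo; the point is that the "application" behind the strict hop never sees the request, so it logs nothing, exactly the symptom the testers reported.

```python
import socket
import struct
import threading

# Assumed limit for the demo; many servers and proxies default to roughly 8 KB.
HEADER_LIMIT = 8192


def run_limited_server(limit=HEADER_LIMIT):
    """Start a throwaway local listener that mimics a strict intermediary.

    It reads the request head; if the bytes received before the blank line exceed
    `limit`, it aborts the connection with a TCP RST instead of answering with 431.
    Returns (listening_socket, port); close the socket to stop the server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def handle(conn):
        with conn:
            head = b""
            while b"\r\n\r\n" not in head:
                try:
                    chunk = conn.recv(4096)
                except OSError:
                    return
                if not chunk:
                    return  # client went away before finishing the head
                head += chunk
                if len(head) > limit:
                    # SO_LINGER with a zero timeout makes close() send RST, not FIN:
                    # the abrupt teardown the testers saw, with nothing logged upstream.
                    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                    struct.pack("ii", 1, 0))
                    return
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n"
                         b"Connection: close\r\n\r\n")

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def probe(port, padding_bytes, timeout=5.0):
    """Send one GET whose X-Padding header (assumed name) is `padding_bytes` long.

    Returns "accepted" (a 200 came back), "reset" (the peer sent RST) or
    "closed" (the peer ended the stream with FIN and no response).
    """
    req = (b"GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n"
           b"X-Padding: " + b"A" * padding_bytes + b"\r\n\r\n")
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        try:
            s.sendall(req)
            data = s.recv(4096)
        except ConnectionError:  # ECONNRESET on recv, or EPIPE while still sending
            return "reset"
    if data.startswith(b"HTTP/1.1 200"):
        return "accepted"
    return "closed" if not data else "other"


def largest_accepted(port, sizes):
    """Probe each padding size in order; return the largest one that got a 200."""
    best = None
    for size in sizes:
        if probe(port, size) == "accepted":
            best = size
    return best


if __name__ == "__main__":
    srv, port = run_limited_server()
    for size in (1024, 4096, 8192, 16384):
        print(f"X-Padding of {size:>5} bytes -> {probe(port, size)}")
    print("largest accepted padding:",
          largest_accepted(port, [1024, 4096, 8192, 16384]))
    srv.close()
```

Run it while capturing loopback traffic (for example `tcpdump -i lo -w headers.pcap`) and open the capture in CloudShark or Wireshark with the display filter `tcp.flags.reset==1`: the RST comes from the listener's port near the end of the oversized stream, after the client has already pushed most of the request, which is the same picture the load balancer admin saw. Swap the listener for a real web server behind a strict proxy or load balancer and the same probe tells you which hop's limit you are hitting.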

Packet Threat Analysis

Everyone needs to do some housekeeping at different points, and I figured it was time I did a basic security sweep of my setup. To get started, I performed a quick packet capture on the very server that hosts this blog. I decided to give one of CloudShark's newer and more distinctive features a spin with my recently created account: their Threat Assessment tool. I thought it would be interesting to pit this against PacketTotal as well. These are both great tools with similar, but also different, purposes. At the time, I had SSH and web ports open along with a few other unused ports for various common services. The only true security measure in place was a few basic iptables rules.

CloudShark

What I Liked:
- Up front, quick severity-level rating dashboard
- Brief descriptions of issues, which helps put everything in layman's terms
- World map view
- Privacy settings
- External references to source data and additional information
- Ability to view the...