Building a Threat Hunting Lab (Part2): The DNS Server and Logs

Setting up the DNS Server

This blog is going to be a bit shorter than some of the later blogs in this series but thanks to the hard work of the team behind PiHole this job VM was actually extremely easy to do. 

Pihole is an extremely efficient and DNS based adblocking server that has a minimal footprint. Since it'd designed to run on a Raspberry Pi 3 the requirements to run it are tiny.  The DNS server I'm using for this is an Ubuntu 17.10 headless server with 1 Core and 512MB of ram. 

Why PiHole?

I chose Pihole for 2 big reasons. First I love Pihole.  I have 2 of them, one that I run on a Raspberry Pi 3 and 1 that I run on a Digital Ocean VPS for friends and family.  

The other big reason I chose to use Pihole is because it does 90% of the set up for me and created a web interface that analysts can use to check through network logs.  The web interface is the most crucial part of why I chose Pihole.  There's no need to over complicate threat hunting if you don't need to.  

Installation

Again the team behind Pihole deserve tons of credit for making this process so simple.  1 Command was enough to get 90% of this VM configured. 
curl -sSL https://install.pi-hole.net | bash
This command will run through an automated installer where you can assign the network for the Pihole to monitor.  The Pihole will assume you want to run it for the /24 of whatever network your on.  For me this was 10.0.2.1/24 but you can configure this to your linking.  If you ever need to change the Pihole monitoring its a simple command.
pihole -r
That one command will allow you to rerun the installer and reconfigure the IP address in case you move it like it did form the NAT network to a Host Only network.

After the Pihole finished installing I wanted to modify it's log file to add in malicious connections. I wasn't actually planning on connecting my Win 7 VM to the malicious domains but I needed logs that made it seem like I did.
sudo nano /var/log/pihole.log
 After that it just became a simple but manual process of adding logs to the file.  I won't bore you all of the random stuff I entered but I added in this nugget:
Nov  19 07:28:53 dnsmasq[1045]: query[A] www.badguy.com from 10.0.2.7
Nov  19 07:28:53 dnsmasq[1045]: reply www.badguy.com is 10.0.2.4
 I actually have an apache webserver running a domain called www.badguy.com with the IP of 10.0.2.4


Now that I have a DNS server running with a "malicious" IOC in it's log file it's time to place that server in deepfreeze (suspend the VM) and move on.

Be sure to check out part 3 where I create and configure the Apache website to be www.badguy.com.

Comments

Post a Comment

Popular posts from this blog

Fingbox Review: Simply not worth it.

Image
I'd like to open an honest public discourse on the Fingbox. First off I'd like to say that this isn't meant to be an attack on the product or the company. I actually really like the Fingbox but the marketing advertises a Corvette when the product is more of a Honda. I've been doing Network security and Forensics for a little over 7 years so the idea of a device like the Fingbox excited me; however, after having a Fingbox for a little while I'm ultimately disappointed. The bottom line up front: spend your $150 on an Asus RT-86U instead. You'll get 99% of the features and a powerful router with a Network intrusion prevention system built in. Devices Tab I'm going to go in order of the app when discussion its features. So up first is the network scan. I actually really like this scan and subsequent list in the app. It's clean, it's easy to read and search. Clicking on devices allows you to see some basic information about
Read more

Cypherpunk: A VPN review

Image
Those of you who know me know that I am a major advocate of VPNs. I think they're great security tools for keeping your public IP address less public. They're similar to a PO box in the sense that you give out that address instead of your actual home address, ideally making it less likely someone unwanted will show up at your front door. VPNs have many practical security applications. First and foremost they protect your information from prying eyes when you're using public Wi-Fi, but a lot of them also provide added features like DNS adblocking, Malware domain blocking, and IPv6 prevention. For this review, I'll be comparing the Cypherpunk to an industry standard Private Internet Access (PIA).  Right off the bat, you can see that Cypherpunk is very stylized. It certainly goes for the look of cyber. It's a simple button press to activate the VPN. Then you get this stylized graphic showing ciphertext moving across the screen. There are 35 ser
Read more

Simple Security: Moderate Difficulty Setup

A few days ago I posted Simple Security: The basics  to cover a few easy and cheap ways to ways to help secure your Windows environment. Today I am planning on going a step further and covering some more advanced techniques to help secure your environment. Given that this is a moderate set up I am going to be trying to keep things as cheap as possible.  On my advanced guide I will be talking about expensive high-quality security solutions like Cisco ASA, SonicWall, Pallo Alto, ESXI, Domain Controllers, enterprise level malware protection like SideWinder, VM servers, and Splunk. In today's guide I will be discussing how to set up tools like Host Level Intrusion Detection Systems (HIDS), Network Level IDS (NIDS),  System Information and Event Management servers, and Smart Firewalls.  I'll also talk about ways to automatically aggregate data from opensource intelligence (OSINT) and using that to feed the analysis systems that will be helping to protect your network. First, l
Read more