alphasoc / flightsim

A utility to safely generate malicious network traffic patterns and evaluate controls.
https://alphasoc.com

Problem with the hijack module #11

Closed chrisforce1 closed 5 years ago

chrisforce1 commented 5 years ago

Please take a look and let's fix this up:


AlphaSOC Network Flight Simulator™ v1.0.4 (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 172.20.10.2
The current time is 28-May-19 00:20:31

Time      Module   Description
--------------------------------------------------------------------------------
00:20:31  hijack   Starting
00:20:31  hijack   Resolving alphasoc.com via ns1.sandbox.alphasoc.xyz
00:20:31  hijack   Test failed (queries to arbitrary DNS servers are blocked)
00:20:32  hijack   Finished

All done! Check your SIEM for alerts using the timestamps and details above.

Reports as failed, but alphasoc.com resolves just fine using that name server, as below.

$ dig @ns1.sandbox.alphasoc.xyz alphasoc.com +short
216.239.32.21
216.239.34.21
216.239.36.21
216.239.38.21

tg commented 5 years ago

Please rerun using the latest version (v1.1.0) as this has been fixed via 507691f.

chrisforce1 commented 5 years ago

Works like a dream..

$ ./flightsim run hijack

AlphaSOC Network Flight Simulator™ v1.1.0 (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 172.20.10.2
The current time is 28-May-19 16:18:23

Time      Module   Description
--------------------------------------------------------------------------------
16:18:23  hijack   Starting
16:18:23  hijack   Resolving alphasoc.com via ns1.sandbox.alphasoc.xyz
16:18:24  hijack   Success! DNS hijacking is possible in this environment
16:18:24  hijack   Finished

All done! Check your SIEM for alerts using the timestamps and details above.