Threads for nikojojo

9

unbalancedparentheses 6 years ago | link | on: My First 10 Seconds On A Server

I don’t get why he uses docker to capture all the traffic from the host. Why not use tcpdump directly?
1. 9
  
  felixgallo 6 years ago | link
  
  docker is the new background job, apparently. Maybe he doesn’t know about nohup.
  1. 13
    
    tedu 6 years ago | link
    
    Maybe systemd doesn’t know about nohup. :(
    1. 16
      
      mulander 6 years ago | link
      
      So I did what any self-respecting security professional would do and spent a Friday night writing a tcpdump container and put it on Docker Hub.
      
      source: http://jerrygamblin.com/2016/05/28/a-docker-container-to-capture-all-traffic-from-host/
      
      I just don’t know what to say about that… guess I’m not a self-respecting security professional! :(
    2. 13
      
      felixgallo 6 years ago | link
      
      well, he’s not running systemd-docker (yes really) in the shell script so presumably it’ll get terminated in the same way anyway. What a time to be alive!
2. 4
  
  nikojojo 6 years ago | link
  
  I’m not saying it’s a useful consideration for anyone’s threat model, but process isolation is the likeliest answer. If the tcpdump docker image drops privileges and has a small userland it could be difficult to escalate from there.
  1. 8
    
    voidzero 6 years ago | link
    
    tcpdump itself can drop privileges:
    
    http://www.securityartwork.es/2012/06/18/tcpdump-drop-privileges-2/

5

nikojojo 6 years ago | link | on: Browser ktrace browsing

“/home/tedu/.pki/nssdb/.15412819dOeSnotExist.db”

This behavior reminds me of how chrome attempts to detect DNS poisoning attacks, e.g. if aslkdjakrgjalekrgjadlkjg resolves to something, then there is likely an attack underway. Maybe this is how they detect malware that tries to provide bogus certs to chrome? it would be easy to evade if so.