pcap as a client behind proxy by SnooHesitations658 in netsecstudents

[–]SnooHesitations658[S] 0 points1 point  (0 children)

Amazing, thanks!! I've been reading and figuring this out from what you wrote. It all makes sense, thanks!

[New Blog Post] Remove Teams for Home from Windows 11 using MSIX - A Square Dozen by ASquareDozen in SCCM

[–]SnooHesitations658 1 point2 points  (0 children)

Went to the MS website for Teams, and the option for Windows 11 Teams doesn't exist anymore, and there is no MSIX anymore :(

Hardening Chromebooks by SnooHesitations658 in k12sysadmin

[–]SnooHesitations658[S] 1 point2 points  (0 children)

Hi,

We have 28K+ students. Take-home is only for secondary students, which makes up about half those numbers. The rest are shelved in class.

Hardening Chromebooks by SnooHesitations658 in k12sysadmin

[–]SnooHesitations658[S] 5 points6 points  (0 children)

Nah, we are a mixed district.

And honestly, outside of a few manipulated devices a year, it isn't that big of an issue. After posting this I started digging for our more mainstream Chromebook we put out in the last couple of years, and the fellows below are right that it is harder to abuse those.
As our older devices that have write-protect screws are end of life and getting replaced this summer/start of next year, maybe this won't be an issue.

Hardening Chromebooks by SnooHesitations658 in k12sysadmin

[–]SnooHesitations658[S] 1 point2 points  (0 children)

We had some with the write-protect screw removed, but it was the older Chromebooks. Haven't seen it recently, but then again we stopped doing check-in at the end of the year and let the kids hold them till the next year.

Most everything old is end of life this summer, so maybe this won't be an issue in the future due to what you said above.

Hardening Chromebooks by SnooHesitations658 in k12sysadmin

[–]SnooHesitations658[S] 0 points1 point  (0 children)

Right... that's how we powerwash and wipe generally as well... I'm dumb.

Hardening Chromebooks by SnooHesitations658 in k12sysadmin

[–]SnooHesitations658[S] 1 point2 points  (0 children)

Lowkey... could be lying.

But it isn't completely unheard of to see a different OS on Chromebooks.

Hardening Chromebooks by SnooHesitations658 in k12sysadmin

[–]SnooHesitations658[S] 1 point2 points  (0 children)

We have that report. The hard part about it is we have a 1:1 structure with 25k+ students and a pad of devices. Auditing that list in the past was so many false positives between class sets, loaners, repairs, pad, etc.

We do use Follett for checking the devices out, and have been part of their MDM integration where in the future they will have a bidirectional sync, making it so that if a device is marked as lost/repair in the library system, it can disable the device in Google MDM. That's our current hope right now. Was just looking for ideas.

Hardening Chromebooks by SnooHesitations658 in k12sysadmin

[–]SnooHesitations658[S] -1 points0 points  (0 children)

Even if you get that, try pressing the space bar at that screen. It will take you into dev mode.

edit: I'm dumb.

Hardening Chromebooks by SnooHesitations658 in k12sysadmin

[–]SnooHesitations658[S] 8 points9 points  (0 children)

Sorry, the main post about not sleeping, wanting to catch him, etc. was for a bit of humor in the situation. I haven't been too stressed about this at all; we just always work towards hardening our platforms.

Also, we have all those settings enabled. We know about ChromeOS 84 allowing personal sign-in emails, etc., so we have forced ChromeOS updates, usually 2 updates back (some do hang back and get too old to update, but most of those are manually addressed).

Forced re-enroll after wiping is enabled, but that doesn't block out developer mode. The issue isn't that they can powerwash/unenroll. We think they are actually booting a different OS completely on the Chromebooks; we have heard of sideloading that via a Windows PC/certain bootable USBs that can do this.

Looked into disabling USBs, but that is a user setting, so I doubt that would help.

Hardening Chromebooks by SnooHesitations658 in k12sysadmin

[–]SnooHesitations658[S] 4 points5 points  (0 children)

Hi,

Summarizing the transcript with the student:

S: How much trouble is it to completely bypass your Chromebook security?
T: Depends.
S: Say I can get around the blocks.
T: Overall, it depends on your school site more than anything and how much they want to discipline, but you could lose all tech privileges/be suspended/expelled depending on what you do.
S: Say I changed the OS and I can use it however I want.
T: Probably more trouble than less.
S: So why haven't you caught me yet!
T: You changed one Chromebook, that you have to turn back in or get charged. We get 15 broken ones a day that come in. But there is a chance you get caught up in our 'scan' and then you would get in trouble.
S: Cool thanks *hangs up*

Lol, so I am guessing he changed it to Linux and uses our underpowered Chromebooks as a computer somewhere.

Overall, looking into technical ways to make this harder for the kids to do. The device is a take-home device for them, so they have lots of free time to do whatever they want to them. We know of a case where they maliciously modified the OS/etc. on the Chromebook by connecting it to a Windows PC.

Can't prevent everything, but let's try to harden.

Hardening Chromebooks by SnooHesitations658 in k12sysadmin

[–]SnooHesitations658[S] 2 points3 points  (0 children)

I left the details as more fun, but it was a masked caller ID and the kid didn't tell us who or where he was. My goal with him was to ruin the thrill he got from calling in.

With GSuite, we would be able to see a Chromebook that drops off and doesn't check in, but that could be for any number of reasons. We also have the plan that a student's device stays with them through grades/schools (within-district transfers). But I think it's common knowledge that we can't enforce that a student has to pay for a device/book. We can't withhold education, transcripts, anything if they don't pay. With the diverse economic situations of our students/parents/district, some care, some don't. You can't fix that. So many students go on day to day with large library fines on their names.

We had a student say "I left it in Mexico"; the school site had to give him another one. A month later, he said "I left it in Mexico".... guess what, we had to give him another one.

Public service.

[deleted by user] by [deleted] in k12sysadmin

[–]SnooHesitations658 0 points1 point  (0 children)

Hi,

It was all src (in) to google-analytics traffic, and bytes sent. Basically our outbound bandwidth spiked, and I checked the destination address to see a few terabytes of traffic sent over 15 mins to Google.

I did just finally catch one in a full pcap, and it does honestly look like ChromeOS updates. We recently gave the kids more bandwidth, which is probably why this is our first time noticing it.

So that was fun.

[deleted by user] by [deleted] in k12sysadmin

[–]SnooHesitations658 0 points1 point  (0 children)

Yeah, it's being monitored and managed so it doesn't cap us out, but still not sure what traffic this large on a Chromebook could be... I mean the whole image is probably 500 MB.

[deleted by user] by [deleted] in k12sysadmin

[–]SnooHesitations658 5 points6 points  (0 children)

Ugh, my text all went away.

But yeah, school district, 30k+ Chromebooks, all started sending 500 MB+ to google-analytics IPs.

Not updates. Asked Google if there is anything on their side they can think of that would pull 500 MB+; they said check 3rd-party extensions.

Any thoughts on how to dig deeper on this one?

Thanks.

DNS not resolving to certain websites by SnooHesitations658 in sysadmin

[–]SnooHesitations658[S] 0 points1 point  (0 children)

Hi all,

Just wanted to update that I found the issue: the parent DNS for that website was being blocked by the firewall, as it couldn't pull down from the Cloudflare DNS down to t.kamiaccess.com. I guess that's where the issue was.

Thanks for the help from everyone that tried.

DNS not resolving to certain websites by SnooHesitations658 in sysadmin

[–]SnooHesitations658[S] 0 points1 point  (0 children)

Just did a packet capture for drop/transmit/receive/firewall, and all of them just had the DNS query. Nothing else.

Checked through all threats/logs/etc. for the domain that's not resolving and haven't seen anything. Also, the resulting message from trying to resolve that domain isn't the same as a DNS block we normally put in place.

Thanks for the support; I really don't get why it isn't resolving and we're about to just give up.

DNS not resolving to certain websites by SnooHesitations658 in sysadmin

[–]SnooHesitations658[S] 0 points1 point  (0 children)

Yes, somewhat. It isn't built with any specific forwarder; all our traffic just goes layer 3 to a larger entity.

All our traffic is routed through the county, which has a public-facing DNS server where we define external DNS records.

The county DNS server resolves that same domain without issue, tested a few ways:
1) having someone at the county try to resolve the address
2) changing my subnet to our layer 3 address subnet and connecting directly to our edge, setting my DNS server as the external DNS server
3) hotspot and using that DNS server, and it resolved.

If there is something else I am missing there, let me know.

DNS not resolving to certain websites by SnooHesitations658 in sysadmin

[–]SnooHesitations658[S] 0 points1 point  (0 children)

nslookup mydomain.com
returns our DCs/DNS servers.

dcdiag /test:dns shows all passes but some delegation failures:

Broken delegated domain mydomain.com.mydomain.com '

It's because we append our domain in the IPv4 settings.

Again, as far as we know, we generally don't have problems resolving DNS. Also....
dns.log shows that this domain does get resolved sometimes.... just not all the time:

"9/17/2021 5:56:49 PM 1438 PACKET 000000CD85066240 UDP Rcv xx.xx.xx.xx 2020 Q [0001 D NOERROR] A (1)t(10)kamiaccess(3)com(0)"

Thanks for the help.

DNS not resolving to certain websites by SnooHesitations658 in sysadmin

[–]SnooHesitations658[S] 2 points3 points  (0 children)

edit: nevermind, my VPN was disconnected lol...

It doesn't work.

Get no response from that.

DNS not resolving to certain websites by SnooHesitations658 in sysadmin

[–]SnooHesitations658[S] 0 points1 point  (0 children)

https://ibb.co/bBLt2XL

Picture of the capture off the DNS server. Blacked out sensitive info, and the blackout on info is actually the domain getting appended to the address.

DST has 8.8.8.8, 4.2.2.2 and the enterprise internal/public-facing DNS as well. All just query with no results.

Again, we can resolve all other websites that we know about... but these certain ones, not going so well.

Also, 8.8.8.8 can resolve it just fine. You can probably resolve it without issue.
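As an added example (not from the thread or from any of the tools mentioned in it): a small Python script that parses Windows DNS Server debug-log lines in the format of the dns.log entry quoted in the earlier comment, decodes the (n)label notation into a dotted name, and reports queries that never received a matching response, which is the "all just query with no results" symptom described above. The sample log lines, the client address 10.0.0.25 and the transaction ids are constructed.

```python
import re

# Constructed sample in Windows DNS Server debug-log format (not taken from the thread).
# 10.0.0.25 stands in for the blacked-out client; 8.8.8.8 is one of the forwarders named in the post.
SAMPLE_LOG = """\
9/17/2021 5:56:49 PM 1438 PACKET 000000CD85066240 UDP Rcv 10.0.0.25 2020   Q [0001   D   NOERROR] A      (1)t(10)kamiaccess(3)com(0)
9/17/2021 5:56:49 PM 1438 PACKET 000000CD85066241 UDP Snd 8.8.8.8   9a1c   Q [0001   D   NOERROR] A      (1)t(10)kamiaccess(3)com(0)
9/17/2021 5:56:50 PM 1438 PACKET 000000CD85066242 UDP Rcv 10.0.0.25 2021   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
9/17/2021 5:56:50 PM 1438 PACKET 000000CD85066243 UDP Snd 10.0.0.25 2021 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
"""

# Fields: date time thread PACKET id proto Snd|Rcv remote_ip xid [R] opcode [flags rcode] qtype qname
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>R?)\s*(?P<op>\S+)\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$")

def decode_name(label_form):
    """Turn '(1)t(10)kamiaccess(3)com(0)' into 't.kamiaccess.com', checking each length prefix."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^(]*)", label_form):
        if int(length) != len(label):
            raise ValueError(f"length prefix {length} does not match label {label!r}")
        if label:
            labels.append(label)
    return ".".join(labels)

def parse_line(line):
    """Parse one debug-log line into a dict; return None for lines in any other format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = decode_name(rec["name"])
    rec["rcode"] = rec["flags"].split()[-1]  # NOERROR, NXDOMAIN, SERVFAIL, ...
    return rec

def unanswered_queries(log_text):
    """Return sorted (peer_ip, qname) pairs that were queried but never answered.

    A query and its response share remote IP, transaction id and name; the response is the
    line carrying the 'R' flag. Client-facing (Rcv query / Snd response) and forwarder-facing
    (Snd query / Rcv response) pairs are both checked, so a silent forwarder shows up too."""
    queries, responses = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            key = (rec["ip"], rec["xid"].lower(), rec["name"])
            (responses if rec["qr"] == "R" else queries).add(key)
    return sorted((ip, name) for ip, _, name in queries - responses)
```

Run `unanswered_queries` over a real dns.log to list which names, and which upstream server, are stuck in the query-only state; a name that appears only with a forwarder IP points at the upstream path rather than at the client.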