Wednesday, August 29, 2018

Netcat and Ncat

Everyone in NetSec knows of, or has at least heard of netcat, the brainchild of Hobbit, written in 1995 and ported to Windows by Weld Pond in 1998. It's called the "TCP/IP Swiss Army Knife of Networking" for good reason. You can create just about any type of network connection you need, and it's flexibility is amazing.
That said, the original version is no longer maintained and has become outdated. The feature set in it hasn't changed in over 20 years. So a couple of different projects set out to update this ubiquitous little tool and keep adding to it's arsenal.

One of the ports is from the GNU Project, who released GNU Netcat for portability to other platforms and adherence to the original netcat. That project's last release was in 2013, version 0.7.1. This more compliant version is still in use, with over 2,000 downloads at the time of this writing.

Another more ambitious port of netcat is from Fyodor, called Ncat. Ncat is included with the Nmap port scanner, and is a fantastic tool for pen testers. It has support for a wide variety connections, including:

  • IPv6 support
  • Shell execution after connecting
  • Shell command execution after connecting
  • Lua support
  • Loose source routing support
  • Client and server modes (naturally)
  • Specifying source port, source address (spoofing), UDP or SCTP instead of TCP, receive data only, SSL ciphers to use, ssl certs to use and more.
  • Accept multiple connections
  • Telnet mode
  • No DNS resolution (Shhhhh....)
  • Idle time out and more
All of these are straight from the help output of ncat. There are lots of articles about using Ncat and netcat for advanced options. If you can think of a connection you need to make (and it's physically possible), you can probably set it up in Ncat. The Nmap project page about Ncat can be found here.

Friday, August 10, 2018

Mind Map of Hack Me Practice sites

There's an excellent mind map of Internet practice sites set up to train pen testers by offering a place to practice their skills. Put out by Aman Hardikar, you can find the list here. There's also an URL only version here, which can be easier to read. Some of the sites are old, some brand new, and they are broken down into category for easy concentration on whatever you are learning. Aman has a whole catalog of other mind maps, found here.

Wednesday, December 20, 2017

Transitioning from Blue Team to Red Team

I moved from Desktop Supervisor to Network Security in 2000. I did Blue Team for two companies from 2000 until early this year. At that point I was given an opportunity to move to Red Team as the company's in-house penetration tester. Starting in a new discipline in Network Security is a daunting task after spending so many years in another area, but a couple of things already were in my favor. I had taken two Red Team oriented SANS courses and certified in both and I had been doing deep dive intrusion analysis for all those years. I was exposed to a lot of methodologies and exploits.

But defending isn't attacking, and the learning curve was (is) still very wide. Fortunately, there are shared areas of knowledge between being an intrusion analyst and a pen tester. If you're just breaking into network security, those areas will serve you well regardless of what direction you go (or change to in the future).

1. Linux

Linux is the operating system of choice for the majority of tools for both pen testing and intrusion analysis. There are some exceptions, tools you can only run on Windows, but that's a very small subset. The more Linux you learn, the better prepared you'll be to use whichever tool is the correct one for any given situation. Fortunately, there's more free (and excellent) self training on Linux than any other subject I know of. You don't need to spend thousands of dollars taking training courses or get a Linux certification; there are hundreds of sites that will teach you step by step. Of course, if you're fortunate enough to work for a company that wants you to do RedHat or Linux Foundation training and will pay for it, by all means do so. Certifications will help you both move up in your current position and, if you should need to or choose to, find a new position. Redhat is the most well known name and bigger companies will be running it because of their excellent support, but there are other good courses and certs you can obtain. But by all means, spin up a Linux machine and get in it and learn. The more you learn, the better off you'll be.

2. Scripting

You don't need to be a programmer to do either job, but learning some scripting skills will really help you. Whether it's Bash or a language like Python or Ruby or Perl, being able to create a script to do repetitive tasks is an immense time saver. Another advantage is that if the tool you need to use is written in a shell or a language you understand, you can open it and follow the logic to see what it does, or even modify it, tweak and customize it, to suit your unique purpose. Python is extremely popular right now so a lot of the tools being released are written in it. And it's one of the easiest languages to learn. And, like Linux, there are a lot of free resources to learn Python.

3. Networking

Learning about networking is essential, whether you're running exploits or investigating an attack. Without a basic knowledge of how networks work and the components that comprise them, you'll be confused and lost in a short amount of time. You don't have to be a packet jockey to do intrusion analysis (the vast majority of attacks have switched from server side to client side anyways), but you will need to be able to follow the flow of traffic and understand the protocols in use to get a clear picture of the attack and whether it was successful or not. From a pentester's vantage point, you need to understand the network you're attacking to find the correct target and use the correct tool, and to be able to understand the responses your attack receives. If it's unsuccessful, you need to be able to determine why and what to change. The more you understand, and it's a vast and complex field, the better off you'll be.

Finally, whatever direction you go in, invest in yourself learning. The hardest part of doing that is your free time. You're not going to be able to learn everything you need to know while at your job or in a weeks worth of training once a year. If you want to advance, you'll need to sacrifice some of your own free time to study and learn. If it's something you naturally enjoy learning about, it won't be too big a burden. If you absolutely hate studying the subject matter, maybe it's time to step back and reassess if this is really what you want to do the rest of your life.

Good luck in your career, and Merry Christmas and have a Blessed New Year.

Monday, December 11, 2017

Making a simple network traffic graph with tshark and afterglow

Outputting a pcap file for CSV format for using afterglow. pl and neato (Graphviz) to create a graph
To make a simple source and destination graph..
First make the capture file using tcpdump
tcpdump -nn -i -q
Then use tshark to extract the source and destination IP address and output to a comma separated file
tshark -T fields -nn -r capture.pcap -E separator=, -e ip.src -e ip.dst > output.txt
Sort and remove duplicates
cat output.txt | sort | uniq > output.csv
or just sort to see all connections
cat output.txt | sort > output.csv
Edit file to remove any lines with incorrect data (like just a comma)
Process the file through afterglow to format in dot graph format that Graphviz can use
cat output.csv | afterglow/ -t >
Create your graph in .png format
cat | neato -Tpng > output.png

Wednesday, September 27, 2017

DerbyCon 7 videos

Full list of DerbyCon 7 videos of presentations here:

Monday, August 28, 2017

Cyber Chef

Nice site at - Allows you to do all sorts of conversions of data format, generate encoding and encryption, parse network data, extract strings, IPs, email addresses, etc., analyze hashes and a lot more.

Tuesday, August 1, 2017

DerbyCon 7 Live Stream

If you weren't fortunate to get a ticket to DerbyCon this year, the conference will once again be live streaming talks. More information will be available closer to the conference at

But did you know every talk (almost) is also available for viewing after the conference is over? You can find past Derbycon presentations here as well as dozens of other conferences, or on IronGeek's YouTube channel here. Not as interesting or as much fun as being there, but if you're looking for good presentations to learn pen testing or blue teaming tactics, it's a great resource.

Wednesday, June 14, 2017

Simple Username Harvesting (from SANS SEC542)

Go to a web site that requires a login. Put in any username with any password. Did the page come back with both the User and Password fields blank? Now put YOUR username in, but with some password you make up. Does the form come back with your username in the User field and nothing in the Password field? If so, here's what you just discovered. The developer is making his form more efficient by not hashing and testing the password to see if it's correct unless the username is valid. If the username IS valid, he populates the User field with it and checks the password. If the password is incorrect, he only clears the Password field so you can retry your password. You just discovered a crude form of username harvesting. Try different usernames and if they remain in the User field, that's a valid account on the server. I know, that would take a lot of time to do it that way. That's why hackers write automated tools.

Monday, May 8, 2017

Using Wildcards To Change the Functionality of Search

In the packet capture framework Moloch, there are a large variety of keywords you can use to grep through packets, such as http.uri. An http.uri query would look something like this:
http.uri == "misc.php?v=4112&js=js" That's a powerful tool, but what if you wanted to just see all packets with an URI in the last hour? http.uri and other search fields require a boolean, (==, >=) and then a search string. The simple way to change the functionality of the search is just to wildcard the search string.
http.uri == * will show you all the packets that contain an URI in the timeframe specified. Easy way to expand the functionality of the search when you're not sure exactly what you're searching for.

Monday, March 20, 2017


Did you forget the PostgresSQLcredentials to start msfrpcd in your Metasploit instance? There's a quick way to recover that username and password. Open up msfconsole, and run the command "load msgrpc". You'll get output like this:

msf > load msgrpc
[*] MSGRPC Service:
[*] MSGRPC Username: msf
[*] MSGRPC Password: aKCU4AgT
[*] Successfully loaded plugin: msgrpc
msf >

Now start msfrpcd with -P and you're set. 

Reference for more info.

Tuesday, February 14, 2017


The SANS Storm Center did a diary article on PacketTotal, which you can find here. PacketTotal is a (free) site where you upload a pcap (up to 50 Mb) and the site will analyze it and give you an console view that includes malicious or suspicious activity as well as a break out of http, dns and other protocols. It will also give you a nice timeline graph showing the packets as they interact, which is really nice.  Lastly, you get an analytics page if you like graphs showing the breakout of stats on the traffic. You can find it at, yes,

Monday, February 6, 2017

Fixing the Nations CyberSecurity Professionals Shortage Problem

There is no shortage of security vendors. There is not a shortage of good security tools. Whatever tool you need, there are probably a dozen companies that have a tool that fits your need. Automation is necessary, given the huge amount of alerts, logs and IOC's a security analyst must deal with. But not everything can be automated. Automation is a means to an end, not the end itself. It sorts and reduces the amount of data an intrusion analyst must look at and can point him/her in the right direction. But at the end of the day, it's the analyst, not the tool, that must make the correct assessment. And that takes education, experience and then continual training. Without good analysts looking at the output of the tools, the end result is nothing more than a slightly educated guess. And the protection of our networks and data stores can't rely on guesses based on a tool. 
Apprenticeship and mentoring may be one way to speed up the on-boarding of new cyber-security professionals.

Monday, October 3, 2016


DerbyCon was fantastic again this year, with talks from some of the best and brightest in NetSec. If you're not familiar with it, it's been held each year in September in Louisville, Kentucky since 2011. Admission to the conference (3 days) is only $175.00, and there are (relatively) inexpensive training classes held the previous two days before the con. If you've never been to a hacker conference, I highly recommend DerbyCon. The atmosphere is very friendly and helpful, and even someone brand new to NetSec can find plenty to learn and participate in.There is a lock pick village, a hardware hacking village, a SOHO router hacking room, a Capture The Flag contest and lots more, as well as official parties Friday and Saturday nights. This was my fifth year attending, and it gets better each time.
All the talks are recorded and available on Adrian Crenshaw's web site. This years talks are at:

Thursday, August 11, 2016


Here is my opinion on FPC. 

Full packet capture can be an intrusion analyst's best friend. Consider this example: You receive an alert that an internal device accessed a piece of JavaScript on some web site and the rule says there was an object use-after-free attempt. You need to inspect that code and see if it is malicious and preferably, what occurred afterwards. 

You could use a tool like wget or Spondulas to download the code, or you could use a sand boxed machine to browse to the URI and view the source. You could put the URI into some online site checker and see what it finds. You could check the reputation of the domain.

But, what if you are capturing full packets going in and out of your network to the Internet?

You can pull up the URI in a tool like Moloch or a commercial tool, and look at the session. You can see the JavaScript as it was delivered exactly to THAT client, running that OS, using that browser and user-agent and see what happened afterwards. You can save the code off as a file to further inspect it and run the pcap through Wireshark or SteelCentral Packet Analyzer or Netwitness or some other analysis tool.

You CAN do intrusion analysis without FPC, but you can't do it as quickly OR as effectively. 
Flow data and logs and threat intelligence are all fine (well, maybe not so much on the threat intelligence) but having packets trumps them all.

Tuesday, July 26, 2016

Infosec Writers

Got a topic you've become very knowledgeable about and would like to share your expertise? Want to add to the cumulative knowledge base of InfoSec/NetSec? You can write and upload your paper(s) to, and if it meets their criteria for suitability, have it published on their site.

Blog Archive