Monday, December 11, 2017

Making a simple network traffic graph with tshark and afterglow

Outputting a pcap file for CSV format for using afterglow. pl and neato (Graphviz) to create a graph
To make a simple source and destination graph..
First make the capture file using tcpdump
tcpdump -nn -i -q
Then use tshark to extract the source and destination IP address and output to a comma separated file
tshark -T fields -nn -r capture.pcap -E separator=, -e ip.src -e ip.dst > output.txt
Sort and remove duplicates
cat output.txt | sort | uniq > output.csv
or just sort to see all connections
cat output.txt | sort > output.csv
Edit file to remove any lines with incorrect data (like just a comma)
Process the file through afterglow to format in dot graph format that Graphviz can use
cat output.csv | afterglow/afterglow.pl -t > output.dot
Create your graph in .png format
cat output.dot | neato -Tpng > output.png

Wednesday, September 27, 2017

DerbyCon 7 videos

Full list of DerbyCon 7 videos of presentations here:

http://www.irongeek.com/i.php?page=videos/derbycon7/mainlist

Monday, August 28, 2017

Cyber Chef

Nice site at https://gchq.github.io/CyberChef/ - Allows you to do all sorts of conversions of data format, generate encoding and encryption, parse network data, extract strings, IPs, email addresses, etc., analyze hashes and a lot more.

Tuesday, August 1, 2017

DerbyCon 7 Live Stream

If you weren't fortunate to get a ticket to DerbyCon this year, the conference will once again be live streaming talks. More information will be available closer to the conference at www.derbycon.com.

But did you know every talk (almost) is also available for viewing after the conference is over? You can find past Derbycon presentations here as well as dozens of other conferences, or on IronGeek's YouTube channel here. Not as interesting or as much fun as being there, but if you're looking for good presentations to learn pen testing or blue teaming tactics, it's a great resource.

Wednesday, June 14, 2017

Simple Username Harvesting (from SANS SEC542)

Go to a web site that requires a login. Put in any username with any password. Did the page come back with both the User and Password fields blank? Now put YOUR username in, but with some password you make up. Does the form come back with your username in the User field and nothing in the Password field? If so, here's what you just discovered. The developer is making his form more efficient by not hashing and testing the password to see if it's correct unless the username is valid. If the username IS valid, he populates the User field with it and checks the password. If the password is incorrect, he only clears the Password field so you can retry your password. You just discovered a crude form of username harvesting. Try different usernames and if they remain in the User field, that's a valid account on the server. I know, that would take a lot of time to do it that way. That's why hackers write automated tools.

Monday, May 8, 2017

Using Wildcards To Change the Functionality of Search

In the packet capture framework Moloch, there are a large variety of keywords you can use to grep through packets, such as http.uri. An http.uri query would look something like this:
http.uri == "misc.php?v=4112&js=js" That's a powerful tool, but what if you wanted to just see all packets with an URI in the last hour? http.uri and other search fields require a boolean, (==, >=) and then a search string. The simple way to change the functionality of the search is just to wildcard the search string.
http.uri == * will show you all the packets that contain an URI in the timeframe specified. Easy way to expand the functionality of the search when you're not sure exactly what you're searching for.

Monday, March 20, 2017

msfrpcd

Did you forget the PostgresSQLcredentials to start msfrpcd in your Metasploit instance? There's a quick way to recover that username and password. Open up msfconsole, and run the command "load msgrpc". You'll get output like this:


msf > load msgrpc
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: aKCU4AgT
[*] Successfully loaded plugin: msgrpc
msf >

Now start msfrpcd with -P and you're set. 


Reference https://help.rapid7.com/metasploit/Content/framework/msf-rpc-service.html for more info.

Tuesday, February 14, 2017

PacketTotal

The SANS Storm Center did a diary article on PacketTotal, which you can find here. PacketTotal is a (free) site where you upload a pcap (up to 50 Mb) and the site will analyze it and give you an console view that includes malicious or suspicious activity as well as a break out of http, dns and other protocols. It will also give you a nice timeline graph showing the packets as they interact, which is really nice.  Lastly, you get an analytics page if you like graphs showing the breakout of stats on the traffic. You can find it at, yes, packettotal.com.



Monday, February 6, 2017

Fixing the Nations CyberSecurity Professionals Shortage Problem

There is no shortage of security vendors. There is not a shortage of good security tools. Whatever tool you need, there are probably a dozen companies that have a tool that fits your need. Automation is necessary, given the huge amount of alerts, logs and IOC's a security analyst must deal with. But not everything can be automated. Automation is a means to an end, not the end itself. It sorts and reduces the amount of data an intrusion analyst must look at and can point him/her in the right direction. But at the end of the day, it's the analyst, not the tool, that must make the correct assessment. And that takes education, experience and then continual training. Without good analysts looking at the output of the tools, the end result is nothing more than a slightly educated guess. And the protection of our networks and data stores can't rely on guesses based on a tool. 
Apprenticeship and mentoring may be one way to speed up the on-boarding of new cyber-security professionals.

Blog Archive