STIX and TAXII for Bro IDS

1. Install prereqs on Debian 8.6:
apt-get install libxml2-dev libxslt1-dev python-dev zlib1g-dev python-pycurl python-pip
2. Install libtaxii:
pip install libtaxii
3. Cron this script to pull different TAXII feeds from hailataxii.com and convert them into lists that Bro can load into the Intel Framework.
#!/bin/sh
## TAXII feed script ##

Bro 2.5 beta

Lots of new features: https://www.bro.org/documentation/beta/NEWS.bro.html
Installed a test instance on FreeBSD 10.3.
pkg install wget swig
mkdir /opt
wget https://www.bro.org/downloads/beta/bro-2.5-beta.tar.gz
tar zxvf bro-2.5-beta.tar.gz
cd bro-2.5-beta   (the directory the tarball unpacks into; configure has to run from inside it)
./configure --prefix=/opt/bro && make && make install
Get some coffee.
I edited /opt/bro/share/bro/site/local.bro and uncommented VLAN logging, MAC logging, and the SMB analyzer for testing. I also edited /opt/bro/etc/node.cfg

fail2ban

It is so easy to stop SSH brute force attacks. I implemented fail2ban on my test box in literally 5 minutes. I configured it so that 6 bad password attempts to SSH will block a user for 600 seconds. That will really throw off most attackers and automated scanners.
1.

mod_security

Apache mod_security can be configured to block OWASP Top 10 attacks. Scan me and see.
Single server (Debian 8):
Install packages:
apt-get install libapache2-mod-security2
service apache2 restart
cd /etc/modsecurity/
mv modsecurity.conf-recommended modsecurity.conf
Edit modsecurity.conf and enable it:
SecRuleEngine On
SecRequestBodyAccess Off
(Note that with SecRequestBodyAccess Off the engine never sees request bodies, so rules that inspect POST parameters will not fire; the recommended config and the CRS expect it On.)
Grab the OWASP Top 10 rules (the OWASP Core Rule Set):
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /opt/OWASP

i3 Window Manager

i3 is a tiling window manager that allows some really cool functionality and customization. Running on Debian 8.
Installed the following:
sudo apt-get install i3 suckless-tools scrot gmrun terminator nitrogen
pip install i3menu
Set your wallpaper with nitrogen.
Grab this tray menu:
git clone https://github.com/drakmail/snapfly.git
$ cd snapfly/package
$ ./make_packages.sh

Python3 and Minecraft on Debian

Minecraft is great for learning Python. Here's how to get the client going on Debian. I'm using SpigotMC for the Minecraft server: https://www.spigotmc.org/wiki/spigot-installation/#linux
First install Java, git and tar:
# apt-get install git openjdk-7-jre-headless tar
Download BuildTools.jar from https://hub.spigotmc.org/jenkins/job/BuildTools/lastSuccessfulBuild/artifact/target/BuildTools.jar to /home/username/spigot/. Then run
$ git config --global --unset core.autocrlf
and

ASM Cheat sheet

Back to basics. Everything needed to learn ASM is available for free online.
Art of ASM book: http://www.plantation-productions.com/Webster/www.artofasm.com/Windows/HTML/AoATOC.html
It starts you off with High Level Assembly, which is more like a traditional programming language. Towards the end, you'll switch to actual, full-on little-endian assembly programming. All course files are available

GNS3 for INE v5 and more

This config is working great with the INE R&S 5.0 training. I have a trunk over to 4 physical 3560s. LINK to GNS3 Configs. Using c7200-adventerprisek9-mz.152-4.S1.image. The appliance marketplace has grown substantially: https://gns3.com/marketplace/appliances/
Here's an example with Cisco ISE.

Learning Security

There are many free sites and utilities you can use to learn more about attack vectors. DO NOT RUN THESE IN PRODUCTION.
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - OWASP Top 10 scenarios.
https://www.hackthissite.org/ - Lots of web hacking scenarios.
http://www.dvwa.co.uk/ - Vulnerable web app.
https://github.com/Subterfuge-Framework/Subterfuge/blob/master/README.md - Easy MITM. Not even fair. Try learning the old ways with Ettercap,

SMTP file extraction with bro ids

I needed to be able to extract attachments from SMTP in order to do a poor man's FireEye-type solution. I can then hash the files and submit them to VirusTotal and/or Cuckoo Sandbox.
Create the file "extract-smtp.bro" in your Bro $PREFIX/policy/misc/ directory:
global mime_to_ext: table[string] of string = {
    ["application/x-dosexec"] =

Timemachine with PF_RING

Timemachine is a great solution for a full pcap system. Nothing fancy, but extremely good at its job. https://www.bro.org/community/time-machine.html
# Install EPEL: http://mirror.umd.edu/fedora/epel/6/i386/repoview/epel-release.html
sudo yum install cmake swig python-devel byacc kernel-devel libtool subversion automake make autoconf pcre-devel libpcap-devel libpcap flex bison byacc gcc gcc-c++ zlib-devel numactl numactl-devel GeoIP GeoIP-devel gperftools
# install

Timemachine for full PCAP

Timemachine is just raw pcap, and while it does integrate with Bro, Moloch's GUI is way waaaaayyy better. Command line is king.
1. Install prereqs:
yum install cmake make gcc gcc-c++ flex bison l openssl-devel python-devel swig zlib-devel git numactl numactl-devel httpd-tools readline readline-devel
2. Grab timemachine:
git clone --recursive

AAA Reference

This is a work in progress.
There are only 3 default privilege levels on a Cisco device:
0 – no access
1 – user
15 – enable
There are a few differences between RADIUS and TACACS+. One is command authorization. With RADIUS, you can grant privilege levels. With TACACS+ you can grant

Cisco IPS inline VLAN Pairing

Trunk two VLANs to the sensing interface of the IPS. Hosts in VLAN 10 and 20 are in the same subnet, and the IPS bridges.
SW1:
interface FastEthernet0/1
 description R1
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/10
 description PC1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/11
 description Trunk_To_IPS
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode