This year has been one of the toughest in my career. After leaving my previous role in August, I thought it would be easy to find a new gig. It took over a month just to land an interview. I was constantly tweaking my resume and kept trying to get Read more
Back to basics. Everything needed to learn ASM is available for free online. Art of ASM book:http://www.plantation-productions.com/Webster/www.artofasm.com/Windows/HTML/AoATOC.html It starts you off with High Level Assembly which is more like a traditional programming language. Towards the end, you’ll switch to actual assembly little endian full on ASM programming. All course files are available Read more
Say you keep loads of domain indicators in file lists for Bro to consume. If some user hits a bad domain, bro alerts. But you want to auto block the domain. That’s where RPZ could come into play. The domains are all in INDICATOR_DOM flat files like: cat ALINAPOS_DOM adobeflasherup1.com Read more
This config is working great with the INE R&S 5.0 training. I have a trunk over to 4 physical 3560s. LINK to GNS3 Configs Using c7200-adventerprisek9-mz.152-4.S1.image. The appliance marketplace has grown substantially. https://gns3.com/marketplace/appliances/ Here’s an example with Cisco ISE. asdfasdf
There are many free sites and utilities you can use to learn more about attack vectors. DO NOT RUN THESE IN PRODUCTION. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project OWASP top 10 scenarios. https://www.hackthissite.org/ Lots of web hacking scenarios. http://www.dvwa.co.uk/ Vulnerable web app. https://github.com/Subterfuge-Framework/Subterfuge/blob/master/README.md easy MITM. Not even fair. Try learning the old ways with Ettercap, Read more
I needed to be able to extract attachments from SMTP in order to do a poor mans Fireeye type solution. I can then hash the files and submit to virustotal and/or cuckoobox. Create the file “extract-smtp.bro” in your bro $PREFIX/policy/misc/ directory global mime_to_ext: table[string] of string = { [“application/x-dosexec”] = Read more
Timemachine is a great solution for a full pcap system. Nothing fancy, but extremely good at it’s job. https://www.bro.org/community/time-machine.html #Install EPEL.http://mirror.umd.edu/fedora/epel/6/i386/repoview/epel-release.html sudo yum install cmake swig python-devel byacc kernel-devel libtool subversion automake make autoconf pcre-devel libpcap-devel libpcap flex bison byacc gcc gcc-c++ zlib-devel numactl numactl-devel GeoIP GeoIP-devel gperftools # install Read more
Timemachine is just raw pacp and while it does integrate with Bro, Moloch’s gui is way waaaaayyy better. Command line is king. 1. Install prereqs yum install cmake make gcc gcc-c++ flex bison l openssl-devel python-devel swig zlib-devel git numactl numactl-devel httpd-tools readline readline-devel 2. Grab timemachine git clone –recursive Read more
Got a huge JBOD and you would like to RAID them? It’s easy. ####First, figure out what Linux picked up the drives as. fdisk -l > disks.txt cat disks.txt | grep /dev | grep -v Disk ####Then i just copied that into notepad, removed all the “1s” and formatted like Read more
This is a work in progress. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!There are only 3 default privilege levels on a cisco device. 0 – no access1 – user15 – enable There are a few differences between Radius and Tacacs. One is command authorization. With Radius, you can grant privlege levels. With Tacacs you can grant Read more
Trunk two VLANs to the sensing interface of the IPS. Hosts in vlan 10 and 20 are in the same subnet, and the IPS bridges. SW1:interface FastEthernet0/1 description R1 switchport access vlan 20 switchport mode access!interface FastEthernet0/10 description PC1 switchport access vlan 10 switchport mode access!interface FastEthernet0/11 description Trunk_To_IPS switchport trunk encapsulation dot1q switchport trunk allowed vlan 10,20 switchport mode Read more
Configuration. !HUB:!!!ISAKMP Phase 1crypto isakmp policy 10 authentication pre-share hash md5 encr 3des group 5!!!Wildcard keycrypto isakmp key Password123 address 0.0.0.0!crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-des esp-md5-hmacmode transport!!!IPSec phase 2 crypto ipsec profile DMVPN_PROFILE set transform-set DMVPN_TRANSFORM_SET!interface Tunnel0 ip address 10.255.255.5 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication Password123!!Hub is dynamic ip nhrp map multicast dynamic ip nhrp network-id Read more
SOCKS proxy over SSH for browsing HTTP/SSL. In Putty, create a connection to your favorite SSH server that has unfettered access, or at least the access you need. Setup a tunnel on some port as Dynamic. Set your browser up with a SOCKS 5 proxy. Connect to the SSH server Read more
EZVPN is a client/server VPN solution where dynamic tunnels are created.http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-sec-for-vpns-w-ipsec-12-4t-book/sec-ipsec-virt-tunnl.html In IPSec, you need to remember 3 things.WhoWhatHow Who: Who’s the endpointWhat: Proxy ACLHow: Transform set !!!!SERVER! !!Configure authentication. Local for testing! aaa new-modelaaa authentication login local_list localaaa authorization network local_list local aaa session-id common! username cisco password cisco!!!Create Read more
There’s a built in cheat for VPN configurations. It can be tough to remember every step involved. This makes it super easy. Just type vpnsetup ? from config mode, select the type and steps, and the firewall will give you example configs and all steps involved for every type of Read more
A quick howto on ZBPF. Its not difficult, but can get really confusing when the configs start to grow. I always try to name the entries with the easiest detail possible. Like if it’s an http class map specifically, i name it HTTP_CLASS_MAP so it’s easy to grep. Sticking to Read more
Continuing on the bind RPZ stuff. If you need to build a walled garden, Inetsim would be great for that. It runs fake services and will serve up anything you ask it for. Great for studying malware. CentOS 7 this time. cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/netwwork-scripts/ifcfg-eth0:0 Edit eth0:0 and change the IP Read more
RPZ Specification: https://kb.isc.org/getAttach/22/AA-00512/rpz.pdf When doing lookups on hosts, my nameserver recursively resolves it. If the response matches what is in the RPZ zone files, the nameserver will send whatever is set back to the client. This is great for low cost malicious activity blocking. . for NXDOMAIN *. For Read more
#Kind of a funny way to accomplish this, but it’s the only way I could get pf_ring to build and actually work. #CentOS 6.6. #Install EPEL.http://mirror.umd.edu/fedora/epel/6/i386/repoview/epel-release.html sudo yum install git swig python-devel byacc kernel-devel libtool automake make autoconf pcre-devel flex bison byacc gcc gcc-c++ zlib-devel numactl numactl-devel If you’re using Read more
CentOS 6.6 First enable passwordless SSHsshkeygen if you haven’t already cat .ssh/id_rsa.pub Copy that to /root/.ssh/authorized_keys on the new system. Then change permissions chmod 700 ~/.sshchmod 600 ~/.ssh/authorized_keys #Install EPEL.http://mirror.umd.edu/fedora/epel/6/i386/repoview/epel-release.html sudo yum install cmake swig python-devel byacc kernel-devel libtool subversion automake make autoconf pcre-devel libpcap-devel libpcap flex Read more