ASM Cheat sheet

Back to basics.  Everything needed to learn ASM is available for free online.  Art of ASM book:http://www.plantation-productions.com/Webster/www.artofasm.com/Windows/HTML/AoATOC.html It starts you off with High Level Assembly which is more like a traditional programming language.  Towards the end, you’ll switch to actual assembly little endian full on ASM programming. All course files are available Read more…

GNS3 for INE v5 and more

This config is working great with the INE R&S 5.0 training. I have a trunk over to 4 physical 3560s.   LINK to GNS3 Configs Using c7200-adventerprisek9-mz.152-4.S1.image.   The appliance marketplace has grown substantially.  https://gns3.com/marketplace/appliances/ Here’s an example with Cisco ISE. asdfasdf  

Learning Security

There are many free sites and utilities you can use to learn more about attack vectors. DO NOT RUN THESE IN PRODUCTION. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project  OWASP top 10 scenarios. https://www.hackthissite.org/  Lots of web hacking scenarios. http://www.dvwa.co.uk/  Vulnerable web app. https://github.com/Subterfuge-Framework/Subterfuge/blob/master/README.md  easy MITM.  Not even fair.  Try learning the old ways with Ettercap, Read more…

SMTP file extraction with bro ids

I needed to be able to extract attachments from SMTP in order to do a poor mans Fireeye type solution.  I can then hash the files and submit to virustotal and/or cuckoobox. Create the file “extract-smtp.bro” in your bro $PREFIX/policy/misc/ directory global mime_to_ext: table[string] of string = {        [“application/x-dosexec”] = Read more…

Timemachine with PF_RING

Timemachine is a great solution for a full pcap system.  Nothing fancy, but extremely good at it’s job. https://www.bro.org/community/time-machine.html #Install EPEL.http://mirror.umd.edu/fedora/epel/6/i386/repoview/epel-release.html sudo yum install cmake swig python-devel byacc kernel-devel libtool subversion automake make autoconf pcre-devel libpcap-devel libpcap flex bison byacc gcc gcc-c++ zlib-devel numactl numactl-devel GeoIP GeoIP-devel gperftools # install Read more…

Timemachine for full PCAP

Timemachine is just raw pacp and while it does integrate with Bro, Moloch’s gui is way waaaaayyy better. Command line is king. 1. Install prereqs yum install cmake make gcc gcc-c++ flex bison l openssl-devel python-devel swig zlib-devel git numactl numactl-devel httpd-tools readline readline-devel 2. Grab timemachine git clone –recursive Read more…

AAA Reference

This is a work in progress. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!There are only 3 default privilege levels on a cisco device. 0 – no access1 – user15 – enable There are a few differences between Radius and Tacacs.  One is command authorization.  With Radius, you can grant privlege levels.  With Tacacs you can grant Read more…

Cisco IPS inline VLAN Pairing

Trunk two VLANs to the sensing interface of the IPS.  Hosts in vlan 10 and 20 are in the same subnet, and the IPS bridges. SW1:interface FastEthernet0/1 description R1 switchport access vlan 20 switchport mode access!interface FastEthernet0/10 description PC1 switchport access vlan 10 switchport mode access!interface FastEthernet0/11 description Trunk_To_IPS switchport trunk encapsulation dot1q switchport trunk allowed vlan 10,20 switchport mode Read more…