Analyst Tip: Testing Firewall Egress

A quick tip for testing available TCP egress, using nc, bash, and allports.exposed: for i in {1..1023}; do nc -vz -w 1 allports.exposed $i; done This will use nc with the -v, -z, and -w switches to attempt to connect to allports.exposed on TCP ports 1 through 1023. -v requests verbose output, -z puts nc in scanning mode, and -w 1 tells nc to time out after one second. You may need to adjust the value supplied with -w according to the anticipated latency of the network you’re on.…more

Simple Check For OptionsBleed vulnerability

Shortly after CVE-2017-9798 (a.k.a. “OptionsBleed”) was announced, the good folks over at The Fuzzing Project posted a great write-up, including a quick check for the vulnerability. I adapted it to check a list of sites, as analysts often have more than one web property to test. for j in `cat domains.txt`; do for i in {1..20}; do curl -sI -X OPTIONS https://www.$j/| grep -i "allow:"; done >optionsbleed-https-www.$j.out ;done This will run through a list of domains in the file domains.…more

Analyst Tip: Researching IPs, Domains, And URLs From The Shell

In the course of an average day, an analyst needs to look up various bits of information about IPs, domain names, and URLs. Various workplace tools may do some of this enrichment automatically, but every now and then the analyst needs a quick, effective way to either get this information for a single indicator, or for a large list of them. Tools While there are numerous websites that can be used to obtain this information, in my opinion, nothing beats the flexibility of command-line tools.…more

Hunting For Insecure Amazon S3 Buckets

Breaches caused by insecurely-configured Amazon S3 buckets are not new. Researchers have been sounding the alarm since 2013. However, S3-related breaches continue to make the news. Last Friday (20170901), researchers announced the discovery of records for four million Time Warner Cable customers due to an improperly secured Amazon S3 bucket. Amazon has been proactive in raising awareness of this issue. However, the problem persists, and is widespread. Let’s be clear: The problem here isn’t just one of potential exposure of PII.…more

Analyst Tip: Spotting Botnet Members

You suspect one or more hosts in your network may have unwittingly been recruited into a botnet. How can you tell? There are several indicators you can hunt for, including: A sudden spike in outbound traffic on UDP or TCP port 53 relative to normal volume for that host and/or in that network and/or system role), particularly to destinations other than approved recursive or authoritative nameservers Appearance of or increase in outbound traffic on TCP port 6660-6669 from host in question Attempted connections to known command-and-control (C2) servers DNS queries for known C2 fully-qualified domain names A sudden spike in outbound traffic on TCP port 25 (relative to normal) The presence of one or more of these indicators may warrant further investigation.…more

How To: Creating Your Own Animated Threat Map

One day, I was challenged to create a “live” threat map from our existing SIEM data for display on our SOC wall screens. Never one to shrink from a challenge, I accepted. But I know practically no JavaScript, I’m not a web developer by any stretch of the imagination, and I had nowhere to start except this project, which is a joke threat map that plots random attacks using random geographical coordinates.…more

Various Shell Tricks

Quickest way to get your ssh key to a remote host: ssh-copy-id username@host.example.com Shuffle items in a file: cat file.txt | perl -MList::Util=shuffle -e 'print shuffle(<STDIN>);' >file-shuffled.txt Count the number of comma-separated items on each line in a file: cat file.txt |perl -ne 'print 1+@{[/,/g]},"\n"' Count number of comma-separated items on each line in a file, and generate average of items: cat file.txt |perl -ne 'print 1+@{[/,/g]},"\n"' |awk '{ sum += $1; n++ } END { if (n > 0) print sum / n; }' Give the average of a list of numbers in a file: cat numbers-list.…more

Practice for OSCP

There are several excellent places online you can practice for the PWK/OSCP course and certification. In no certain order, they include: OverTheWire HackThisSite VulnHub HackSplaining CTF365 Root-Me Hacking Lab Pentester Lab

Learning remote enumeration (Part 2)

In Part 1, I introduced some sound methodology for approaching remote enumeration, which I now realize needs a bit of revision. It’s not that it’s a bad approach, it’s just too aggressive and would potentially miss certain aspects of the target that may prove useful or time-saving. Act like a user, not a hacker The first thing I’ve learned is that it’s best to act like a user, not an attacker.…more

Walking through a basic buffer overflow

I’m learning about buffer overflows in preparation for the PWK course and OSCP exam. I haven’t touched assembly language in more than 20 years, and the protections present in modern OSes just didn’t exist back when I first learned all this (let alone the fact that I was working on 680x0 and 650x assembly at the time). After trying desperately to make the mental leap from the 1990s to modern operating systems and following along in Aleph One’s Smashing The Stack For Fun And Profit, I decided to use the material from Chapter 16 of Georgia Weidman’s excellent Penetration Testing: A Hands-On Introduction to Hacking, and write this to ensure I understand exactly what I’m doing and what’s going on in that chapter.…more