- Quick tips for Linux screenshots from the shell

As part of your workflow, you may need to take multiple screenshots quickly. There are several methods to do this within Linux, but the easiest and most efficient I’ve found is ImageMagick’s import. The manpage details all the options, but my most typical usage is simply: import foo.png (substituting the actual name I want to use for “foo”, of course). This will cause your cursor to change to crosshairs. You can then position the crosshairs and draw a bounding box around the area you want to capture by pressing and holding the left mouse button. …
- My OSCP workflow

Taking the Offensive Security PWK class and their OSCP exam while working a full-time job presents several challenges, the greatest of which is time management. To make effective use of my available time, I need to ensure I can work wherever and whenever I have a spare few moments. This means a few things:

  - I need to have access to my notes from everywhere
  - I need to have access to all collected lab information from everywhere
  - I need to be able to access the labs from everywhere

All of these boil down to personal preference. …
- Learning remote enumeration (Part 1)

When many people hear the term “enumeration”, they think “port scanning.” But enumeration is so much more than that. There are two major categories of enumeration:

  - Remote enumeration
  - Local enumeration

To properly perform remote enumeration on an unknown target, I prefer the following steps:

  1. Quickly determine what hosts are on the network
  2. Quickly port scan the discovered hosts for low-hanging fruit
  3. Perform a more thorough port scan of the discovered hosts
  4. Begin enumerating the hosts via the various available services
  5. Start looking for possible remote vulnerabilities

1. …
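The five-step procedure above as a runnable connect-scanner, added here as an illustration and not the author's code or tooling (in practice this is what nmap's host discovery, quick and full port scans and version detection do, faster and more quietly): an unprivileged host-discovery pass in which a RST is as good a liveness signal as a SYN/ACK, a quick pass over a short list of common ports, a thorough pass over a wider range, and a banner grab as the first move of service enumeration. The port list, timeouts and the loopback "fake service" are assumptions and constructed so the block runs offline against itself.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumed "low-hanging fruit" list for the quick pass; the thorough pass widens it.
QUICK_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445,
               993, 995, 1433, 1521, 3306, 3389, 5432, 5900, 8080, 8443]


def probe(host, port, timeout=0.5):
    """One TCP connect probe. Returns 'open' (handshake completed), 'closed'
    (a RST came back) or 'filtered' (nothing answered within the timeout)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"
    finally:
        s.close()


def discover_hosts(hosts, probe_ports=(22, 80, 443, 445), timeout=0.5):
    """Step 1 without raw sockets or ICMP: a host that answers any probe port,
    whether open or closed, is up. Silence on every probe port proves nothing."""
    def alive(host):
        return any(probe(host, p, timeout) != "filtered" for p in probe_ports)
    with ThreadPoolExecutor(max_workers=32) as pool:
        return [h for h, up in zip(hosts, pool.map(alive, hosts)) if up]


def scan(host, ports, timeout=0.5, workers=64):
    """Steps 2 and 3: connect-scan a port list in parallel, return the open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(p for p, st in zip(ports, states) if st == "open")


def grab_banner(host, port, timeout=2.0, nudge=b"\r\n"):
    """Step 4 starter: read whatever the service volunteers; if it stays silent,
    send a newline and read again. Returns '' when nothing comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                s.sendall(nudge)
                data = s.recv(1024)
            return data.decode("latin-1").strip()
    except OSError:
        return ""


def enumerate_target(host, thorough_ports=range(1, 1025)):
    """Quick pass, then thorough pass, then a banner for every open port found."""
    quick = scan(host, QUICK_PORTS)
    full = sorted(set(quick) | set(scan(host, list(thorough_ports))))
    return {p: grab_banner(host, p) for p in full}


def start_fake_service(banner=b"SSH-2.0-OpenSSH_8.9\r\n"):
    """Constructed local target so the scanner can be exercised offline: a
    loopback listener on an ephemeral port that greets each client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_service()
    print("up:", discover_hosts(["127.0.0.1"], probe_ports=(port,)))
    print("open:", scan("127.0.0.1", QUICK_PORTS + [port]))
    print("banner:", grab_banner("127.0.0.1", port))
```

A connect scan completes the three-way handshake, so every probe lands in the target's connection logs; that is acceptable in a lab and the reason a SYN scan is preferred when you have raw-socket privileges. The thorough pass over 1-1024 here is still far short of nmap's full 65535-port sweep; widen `thorough_ports` for the real step 3.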
- Analyst Tip: Suspicious DNS Behavior

The following rules of thumb may be used to build analytics to search for suspicious DNS-related activity. I have provided references that support their use wherever possible.

  - Sudden short, large burst of queries for a domain
  - Domain resolves to multiple IPs in different ASes, countries, and/or regions (A RRs)
  - TTL changes over a period of time (reference)
  - IP assigned to a domain changes frequently over a period of time (reference)

…
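The four rules of thumb turned into detection logic, as an added example that is not part of the original post. It runs over a constructed list of DNS observations; the record layout (timestamp, client, name, type, answer, TTL, and the origin AS of the answer, which in practice you would join in from an IP-to-ASN feed) and the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions); set them from your own baseline.
BURST_WINDOW = timedelta(seconds=60)
BURST_QUERIES = 20      # queries for one name inside a single window
MIN_ASNS = 3            # distinct origin ASes behind the A records of one name
MIN_IP_FLIPS = 5        # times the answer changed between consecutive observations


def group_by_name(records):
    """records: (iso_timestamp, client, qname, rtype, rdata, ttl, rdata_asn).
    Returns {qname: [rows sorted by time]}."""
    by_name = defaultdict(list)
    for ts, client, qname, rtype, rdata, ttl, asn in records:
        by_name[qname.lower().rstrip(".")].append(
            (datetime.fromisoformat(ts), client, rtype.upper(), rdata, int(ttl), asn))
    for rows in by_name.values():
        rows.sort(key=lambda r: r[0])
    return by_name


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fit inside one sliding window."""
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyze(records):
    """Apply the four rules; returns {qname: [names of the rules that fired]}."""
    findings = {}
    for qname, rows in group_by_name(records).items():
        flags = []
        # Rule 1: short, large burst of queries for one name
        if max_in_window([r[0] for r in rows], BURST_WINDOW) >= BURST_QUERIES:
            flags.append("query_burst")
        a_rows = [r for r in rows if r[2] == "A"]
        # Rule 2: A records spread across several origin ASes
        if len({r[5] for r in a_rows}) >= MIN_ASNS:
            flags.append("multi_asn")
        # Rule 3: the TTL served for the name changes over time
        if len({r[4] for r in a_rows}) > 1:
            flags.append("ttl_change")
        # Rule 4: the answer keeps flipping between consecutive observations
        flips = sum(1 for p, c in zip(a_rows, a_rows[1:]) if p[3] != c[3])
        if flips >= MIN_IP_FLIPS:
            flags.append("ip_churn")
        if flags:
            findings[qname] = flags
    return findings


# Constructed sample (not real data): a benign name rotating among a few IPs in
# one AS, and a name showing burst plus fast-flux behaviour (new IP and AS on
# every answer, TTL dropping halfway through).
SAMPLE_RECORDS = [
    ("2023-01-01T10:00:00", "10.0.0.5", "www.example.org", "A", "203.0.113.10", 300, 64501),
    ("2023-01-01T10:05:00", "10.0.0.5", "www.example.org", "A", "203.0.113.11", 300, 64501),
    ("2023-01-01T10:10:00", "10.0.0.7", "www.example.org", "A", "203.0.113.12", 300, 64501),
]
for i in range(30):
    SAMPLE_RECORDS.append(("2023-01-01T11:00:%02d" % i, "10.0.0.9", "upd.bad-example.com",
                           "A", "198.51.100.%d" % (i + 1), 60 if i < 15 else 30, 64600 + i))

if __name__ == "__main__":
    for name, why in analyze(SAMPLE_RECORDS).items():
        print(name, "->", ", ".join(why))
```

One caveat before wiring the TTL rule to a recursive resolver's query log: answers served from cache carry the remaining TTL, which decrements with every lookup, so every cached name would trip `ttl_change`. Feed that rule the authoritative TTL (a passive-DNS sensor or the resolver's cache-miss responses), not the value handed to clients. Multiple IPs in one AS, as with the CDN-style name above, are normal and are deliberately not flagged.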
- Converting pcap files to network flow data

Pcap data is a wonderful resource; indispensable when doing certain kinds of analyses. Sometimes, however, you want to be able to use network flow data instead. Flow is much more compact, and allows you to more easily explore the relationships among hosts on a network before digging into the nuts and bolts with pcap. It also allows you to archive months or years of data in a much more efficient manner than you can with pcap. …