- How To: Creating Your Own Animated Threat Map
  One day, I was challenged to create a “live” threat map from our existing SIEM data for display on our SOC wall screens. Never one to shrink from a challenge, I accepted. But I know practically no JavaScript, I’m not a web developer by any stretch of the imagination, and I had nowhere to start except this project, which is a joke threat map that plots random attacks using random geographical coordinates. …
- Various Shell Tricks
  Quickest way to get your ssh key to a remote host:
      ssh-copy-id username@host.example.com
  Shuffle items in a file:
      cat file.txt | perl -MList::Util=shuffle -e 'print shuffle(<STDIN>);' >file-shuffled.txt
  Count the number of comma-separated items on each line in a file:
      cat file.txt |perl -ne 'print 1+@{[/,/g]},"\n"'
  Count the number of comma-separated items on each line in a file, and generate the average number of items:
      cat file.txt |perl -ne 'print 1+@{[/,/g]},"\n"' |awk '{ sum += $1; n++ } END { if (n > 0) print sum / n; }'
  Give the average of a list of numbers in a file:
      cat numbers-list. …
- Walking through a basic buffer overflow
  I’m learning about buffer overflows in preparation for the PWK course and OSCP exam. I haven’t touched assembly language in more than 20 years, and the protections present in modern OSes just didn’t exist back when I first learned all this (let alone the fact that I was working on 680x0 and 650x assembly at the time). After trying desperately to make the mental leap from the 1990s to modern operating systems and following along in Aleph One's Smashing The Stack For Fun And Profit, I decided to use the material from Chapter 16 of Georgia Weidman's excellent Penetration Testing: A Hands-On Introduction to Hacking, and write this to ensure I understand exactly what I’m doing and what’s going on in that chapter. …
- Quick tips for Linux screenshots from the shell
  As part of your workflow, you may need to take multiple screenshots quickly. There are several methods to do this within Linux, but the easiest and most efficient I’ve found is called import. The manpage details all the options, but my most typical usage is simply:
      import foo.png
  (substituting the actual name I want to use for “foo”, of course). This will cause your cursor to change to crosshairs. You can then position the crosshairs and draw a bounding box around the area you want to capture by pressing and holding the left mouse button. …
- Analyst Tip: Suspicious DNS Behavior
  The following rules of thumb may be used to build analytics to search for suspicious DNS-related activity. I have provided references that support their use wherever possible.
      Sudden short, large burst of queries for a domain
      Domain resolves to multiple IPs in different ASes, countries, and/or regions (A RRs)
      TTL changes over a period of time (Reference)
      IP assigned to a domain changes frequently over a period of time (Reference)
  …
- Converting pcap files to network flow data
  Pcap data is a wonderful resource; indispensable when doing certain kinds of analyses. Sometimes, however, you want to be able to use network flow data instead. Flow is much more compact, and allows you to more easily explore the relationships among hosts on a network before digging into the nuts and bolts with pcap. It also allows you to archive months or years of data in a much more efficient manner than you can with pcap. …