Fri, 01 Feb 2013
Converting Microsoft time to Real Time .:.permalink.:.
Lots of ldap attributes, registy entries, etc use microsoft's "custom" time format of 100 nanoseconds since 1601.
I suck at that much math, so here's a simple python script to convert that to my timezone:
Posted at: Fri, 01 Feb 2013 | category: /itsec
Sun, 16 Sep 2012
pinpoint for presentations: patch .:.permalink.:.
I can't stand powerpoint and openoffice isn't much better for presentations, especially if you're on linux. I ran into pinpoint and it looked great! Away I went happily making a presentation, backgrounds, etc. all good until..speaker mode.
Posted at: Sun, 16 Sep 2012 | category: /itsec
Wed, 05 Sep 2012
windowtitle .:.permalink.:.
A simple python utility to rename the xwindow title bar to something else.
If you're like me you easily end up with dozens of terminal sessions open and most are just named according to their respective current directory.
I hate that when alt-tabbing to find the one I want, hence this tool to rename them to something meaningful.
Code requires xdotool and is written for python3 and it's subprocess.getoutput module
Posted at: Wed, 05 Sep 2012 | category: /itsec
Mon, 13 Aug 2012
Brute Forcing DNS with python .:.permalink.:.
Often DNS is helpful in telling you what's out there without scanning. No one allows DNS zone transfers anymore so simply brute-force resolving dns is a quick workaround.
Here's a simple python script to resolve a range of IP addresses to their hostname (if available):
Posted at: Mon, 13 Aug 2012 | category: /itsec
Fri, 06 Jul 2012
Dead simple nessus xml file parsing with python .:.permalink.:.
Love nessus but hate the xml output?
Get the output you want via simple parsing the xml file with python in 20 lines or less:
Posted at: Fri, 06 Jul 2012 | category: /itsec
Wed, 27 Jun 2012
Python gets you from nmap xml to graphviz dot files: .:.permalink.:.
I was looking for a script to get from nmap's xml to graphviz..but no joy? This post from 2008 is about the closest I could find ?!
Anyway, once you've got the xml parsing, graphviz output is just a step away with python in ~20 lines:
Posted at: Wed, 27 Jun 2012 | category: /itsec
Dead simple nmap xml file parsing with python .:.permalink.:.
Love nmap but hate the xml output?
Get the output you want via simple parsing the xml file with python in 20 lines or less:
Posted at: Wed, 27 Jun 2012 | category: /itsec
Fri, 15 Jun 2012
Quick dump of an .ioc file via python .:.permalink.:.
The OpenIOC initiative from Mandiant is a great way to share actionable intel about indicators of compromise. Mandiant has some tools to create and search for entries in an ioc file but poking around the inernets I've not seen much traction or tools for the format especially from the open source community.
Lets change that shall we? Here's a quick python script to get some feet wet and dump an .ioc file's Indicator Items:
Posted at: Fri, 15 Jun 2012 | category: /itsec
Thu, 29 Dec 2011
Python3 and metasploit msgpack .:.permalink.:.
Last post was the basics of metasploit, python2 and msgpack. Getting this to work in python3 take a tweak or two
Posted at: Thu, 29 Dec 2011 | category: /itsec
Tue, 27 Dec 2011
In which we Metasploit via python over msgpack .:.permalink.:.
Recently metasploit changed it's rpc interface from xmlrpc to msgpack over http. Sad because it breaks kinectasploit but all things change, so this is a quick bit about interfacing python to metasploit via msgpack rpc.
Posted at: Tue, 27 Dec 2011 | category: /itsec
Sat, 02 Jul 2011
APT=Asteroids Persistent Threat .:.permalink.:.
Sometimes old skool is best. In a recent pen test I wanted to experiment with ways to use simple non-zero-day attacks to test common security controls like egress filtering, a brand-name IPS and endpoint protection suites.
Posted at: Sat, 02 Jul 2011 | category: /itsec
Fri, 06 Jun 2008
gltail .:.permalink.:.
Just discovered gltail the other day, here's how I got it working for me on gentoo: (mostly so I don't forget!)
Links: Homepage: http://www.fudgie.org/ Code: http://rubyforge.org/projects/gltail/
sudo emerge -av ruby sudo emerge -av freeglut sudo gem install -y ruby-opengl --version 0.40.1 sudo gem install -y net-ssh-1.1.4 gltail-0.1.6.gemI wrote an asa parser that's available here http://gltail.rubyforge.org/svn/trunk/lib/gl_tail/parsers/asafwsm.rb or whenever that's rolled up into the release.
Posted at: Fri, 06 Jun 2008 | category: /itsec
Wed, 28 May 2008
modrewrite .:.permalink.:.
Got sick of seeing proxy attempts in my logs so I send 'em to disney
<Directory /var/www>
#rewrite attackers
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*isp_verify.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*azenv.php.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*yahoo.com* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*proxy.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*azenv.php.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*google.com.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*myadmin.* [NC]
RewriteRule ^.* http://www.disney.com/$1 [R,L]
</Directory>
I've seen some folks that send 'em to fbi.gov. Wonder if they check their logs?
Posted at: Wed, 28 May 2008 | category: /itsec
Wed, 16 Apr 2008
Fix a corrupt event log .:.permalink.:.
When performing forensics on a machine it's often best to pull the plug rather than perform a normal shutdown. On windows boxes this can corrupt the event log. To fix this once I got some good advice from lance Mueller of guidance software:
Here are simple instructions or repairing a "corrupted" (reportedly corrupted) event log.... This works with all three common Event logs (app, sec, sys) Copy out the event log and use your favorite hex editor: 1. Do search for \x11\x11\x11\x11\x22\x22\x22\x22 2. Skip 20 from the beginning of the found text (\x11\x11...etc) 3. Copy the next 8 bytes and paste at the begining of the file, starting at offset 20 4. Goto offset 36 and change value to "8" 5. Save the file 6. Open with Windows Event Viewer (eventvwr.exe)
Worked like a charm for me. I'm posting this here mostly so I don't have to track it down again next time I need it!
Posted at: Wed, 16 Apr 2008 | category: /itsec
winevtsysparse .:.permalink.:.
Here is a script to parse your windows event logs.
Caveats;
they come to you through syslog (evtsys from purdue or be prepared to alter the positions of the date/servername/syslog severity and entry)
you're using unix and can tail the syslog files piping them through this script like so
tail -q -f /mnt/syslog/domaincontrollerlog.txt | winevtsysparse
I use remark to filter out the cruft like so:
tail -q -f /mnt/syslog/domaincontrollerlog.txt| remark /usr/share/regex-markup/winevtlog | winevtsysparse
where the winevtlog file has entries for things I don't care about like:
#windows event descriptions to ignore: /Successful Network Logon/ skip /Service Ticket Request/ skip /User Logoff/ skip /Authentication Ticket Request/ skip /Logon attempt by/ skip /Privileged object operation/ skip /Special privileges assigned to new logon/ skip /Service Ticket Renewed/ skip /Object Operation/ skip /Computer Account Changed/ skip /Set ACLs of members in administrators groups/skip /Logon Failure.*An error occurred during logon/skip /The master browser has received a server announcement/skipHope it's of use to ya.
Posted at: Wed, 16 Apr 2008 | category: /itsec
yim2text .:.permalink.:.
Instant messaging is everywhere. Yahoo IM often logs it's messages locally on the hard disk of the computer used when sending the message. The log files are 'encrypted' using a simple xor. yim2text is a python script to decode these files and show you the chat logs. Download it here
Posted at: Wed, 16 Apr 2008 | category: /itsec
ipsinline .:.permalink.:.
A simple utility to grab the ip addresses from stdin and spit them out by number, and optionally resolve the dns name.
Handy for adding to a command line when whiddling down data from a firewall, syslog, etc.
examples: tail -f firewallsyslogfilename | ipsinline --dns #will print and resolve all ips it finds in those lines head -n 10 somefilewithipsinit | ipsinline --head 1 --dns #will print and resolve the first ip found in the line only.
You can get it here
Posted at: Wed, 16 Apr 2008 | category: /itsec
Domain controllers in realtime .:.permalink.:.
Yeah I'm a geek and I blog about tools. Here the list of me favs for watching logs in realtime:
Lately I've been working up a script to parse (in realtime) windows syslog entries send via evtsys from Purdue that I'll post here when it's stable.
Should be dandy for watching domain controllers in your enterprise
Posted at: Wed, 16 Apr 2008 | category: /itsec