Tue, 26 Aug 2014

One year at Mozilla

Amazingly it's been a year already! Seems like it's an unofficial tradition to do a 'first year at Mozilla' blog post, so here we go!

read more...

Posted at: Tue, 26 Aug 2014 | category: /itsec

Sun, 13 Oct 2013

Quick dump of an .ioc file via python

The OpenIOC initiative from Mandiant is a great way to share actionable intel about indicators of compromise. Mandiant has some tools to create and search for entries in an ioc file, but poking around the internets I've not seen much traction or tooling for the format, especially from the open source community.

Let's change that, shall we? Here's a quick python script to get some feet wet and dump an .ioc file's Indicator Items:

read more...

Posted at: Sun, 13 Oct 2013 | category: /itsec

gltail

Just discovered gltail the other day; here's how I got it working for me on gentoo (mostly so I don't forget!):

Links:
Homepage: http://www.fudgie.org/
Code: http://rubyforge.org/projects/gltail/

 sudo emerge -av ruby
 sudo emerge -av freeglut
 sudo gem install -y ruby-opengl --version 0.40.1
 sudo gem install -y net-ssh-1.1.4 gltail-0.1.6.gem

I wrote an ASA/FWSM firewall log parser that's available here http://gltail.rubyforge.org/svn/trunk/lib/gl_tail/parsers/asafwsm.rb until it gets rolled up into a release.

Posted at: Sun, 13 Oct 2013 | category: /itsec

Dead simple nmap xml file parsing with python

Love nmap but hate the xml output?

Get the output you want by simply parsing the xml file with python in 20 lines or less:

read more...

Posted at: Sun, 13 Oct 2013 | category: /itsec

Domain controllers in realtime

Yeah I'm a geek and I blog about tools. Here's the list of my favs for watching logs in realtime:

  • python
  • remark (regex markup)
  • Lately I've been working up a script to parse (in realtime) windows syslog entries sent via evtsys from Purdue that I'll post here when it's stable.

Should be dandy for watching domain controllers in your enterprise.

Posted at: Sun, 13 Oct 2013 | category: /itsec

Converting Microsoft time to Real Time

Lots of ldap attributes, registry entries, etc. use microsoft's "custom" time format of 100-nanosecond intervals since 1601.

I suck at that much math, so here's a simple python script to convert that to my timezone:

read more...
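An added example of the conversion (not the script the post links to): the value counts 100 ns ticks from 1601-01-01 UTC, so integer division by 10 gives microseconds for a timedelta, and "my timezone" is whatever tzinfo is passed in (for instance zoneinfo.ZoneInfo("America/Chicago")). One detail not in the post: Active Directory stores 0 or 0x7FFFFFFFFFFFFFFF in attributes like accountExpires to mean "never", so those sentinels come back as None instead of a nonsense date.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # AD uses this (or 0) in accountExpires etc. for "never"


def filetime_to_datetime(value, tz=None):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime.

    `value` may be an int or the decimal string LDAP hands back; `tz` is any
    tzinfo, UTC when omitted. The 0 / 0x7FFFFFFFFFFFFFFF sentinels return None.
    """
    ticks = int(value)
    if ticks in (0, NEVER):
        return None
    # Integer division: 10 ticks per microsecond, no float rounding on 17-digit values.
    utc = EPOCH_1601 + timedelta(microseconds=ticks // 10)
    return utc.astimezone(tz or timezone.utc)


def filetime_to_iso(value, tz=None):
    """Same conversion, rendered as an ISO 8601 string (None for the sentinels)."""
    dt = filetime_to_datetime(value, tz)
    return None if dt is None else dt.isoformat()


def datetime_to_filetime(dt):
    """Inverse, e.g. to build an LDAP filter such as (lastLogonTimestamp<=N)."""
    if dt.tzinfo is None:
        raise ValueError("use an aware datetime so the UTC offset is known")
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def iso_to_filetime(text):
    """Parse an ISO 8601 timestamp with offset and return the FILETIME ticks."""
    return datetime_to_filetime(datetime.fromisoformat(text))


if __name__ == "__main__":
    print(filetime_to_iso(116444736000000000))    # 1970-01-01T00:00:00+00:00
    print(filetime_to_iso("9223372036854775807"))  # None
```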

Posted at: Sun, 13 Oct 2013 | category: /itsec

windowtitle

A simple python utility to rename the xwindow title bar to something else.

If you're like me you easily end up with dozens of terminal sessions open and most are just named according to their respective current directory.

I hate that when alt-tabbing to find the one I want, hence this tool to rename them to something meaningful.

Code requires xdotool and is written for python3, using its subprocess.getoutput function.

read more...

Posted at: Sun, 13 Oct 2013 | category: /itsec

APT=Asteroids Persistent Threat

Sometimes old skool is best. In a recent pen test I wanted to experiment with ways to use simple non-zero-day attacks to test common security controls like egress filtering, a brand-name IPS and endpoint protection suites.

read more...

Posted at: Sun, 13 Oct 2013 | category: /itsec

pinpoint for presentations: patch

I can't stand powerpoint and openoffice isn't much better for presentations, especially if you're on linux. I ran into pinpoint and it looked great! Away I went happily making a presentation, backgrounds, etc., all good until... speaker mode.

read more...

Posted at: Sun, 13 Oct 2013 | category: /itsec

Dead simple nessus xml file parsing with python

Love nessus but hate the xml output?

Get the output you want by simply parsing the xml file with python in 20 lines or less:

read more...

Posted at: Sun, 13 Oct 2013 | category: /itsec

In which we Metasploit via python over msgpack

Recently metasploit changed its rpc interface from xmlrpc to msgpack over http. Sad because it breaks kinectasploit, but all things change, so this is a quick bit about interfacing python to metasploit via msgpack rpc.

read more...

Posted at: Sun, 13 Oct 2013 | category: /itsec

Python gets you from nmap xml to graphviz dot files

I was looking for a script to get from nmap's xml to graphviz... but no joy. This post from 2008 is about the closest I could find?!

Anyway, once you've got the xml parsing, graphviz output is just a step away with python in ~20 lines:

read more...

Posted at: Sun, 13 Oct 2013 | category: /itsec

modrewrite

Got sick of seeing proxy attempts in my logs so I send 'em to disney:

<Directory /var/www>
# rewrite attackers: any request whose URI matches one of these
# case-insensitive patterns (OR'd together) gets redirected off-site
        RewriteEngine On
        RewriteCond %{REQUEST_URI}  ^.*isp_verify.*      [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*azenv\.php.*      [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*yahoo\.com.*      [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*proxy.*           [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*google\.com.*     [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*myadmin.*         [NC]
        # capture the requested path so $1 is not empty; R = external redirect, L = last rule
        RewriteRule ^(.*)$ http://www.disney.com/$1 [R,L]
</Directory>

I've seen some folks that send 'em to fbi.gov. Wonder if they check their logs?

Posted at: Sun, 13 Oct 2013 | category: /itsec

yim2text

Instant messaging is everywhere. Yahoo IM often logs its messages locally on the hard disk of the computer used when sending the message. The log files are 'encrypted' using a simple xor. yim2text is a python script to decode these files and show you the chat logs. Download it here

Posted at: Sun, 13 Oct 2013 | category: /itsec

winevtsysparse

Here is a script to parse your windows event logs.

Caveats:

  • they come to you through syslog (evtsys from purdue, or be prepared to alter the positions of the date/servername/syslog severity and entry)
  • you're using unix and can tail the syslog files, piping them through this script like so:

 tail -q -f /mnt/syslog/domaincontrollerlog.txt | winevtsysparse

I use remark to filter out the cruft like so:

 tail -q -f /mnt/syslog/domaincontrollerlog.txt | remark /usr/share/regex-markup/winevtlog | winevtsysparse

where the winevtlog file has entries for things I don't care about like:

 #windows event descriptions to ignore:
 /Successful Network Logon/ skip
 /Service Ticket Request/ skip
 /User Logoff/ skip
 /Authentication Ticket Request/ skip
 /Logon attempt by/ skip
 /Privileged object operation/ skip
 /Special privileges assigned to new logon/ skip
 /Service Ticket Renewed/ skip
 /Object Operation/ skip
 /Computer Account Changed/ skip
 /Set ACLs of members in administrators groups/ skip
 /Logon Failure.*An error occurred during logon/ skip
 /The master browser has received a server announcement/ skip

Hope it's of use to ya.

Posted at: Sun, 13 Oct 2013 | category: /itsec

Python3 and metasploit msgpack

Last post was the basics of metasploit, python2 and msgpack. Getting this to work in python3 takes a tweak or two.

read more...

Posted at: Sun, 13 Oct 2013 | category: /itsec

Brute Forcing DNS with python

Often DNS is helpful in telling you what's out there without scanning. No one allows DNS zone transfers anymore, so simply brute-force resolving dns is a quick workaround.

Here's a simple python script to resolve a range of IP addresses to their hostname (if available):

read more...

Posted at: Sun, 13 Oct 2013 | category: /itsec

ipsinline

A simple utility to grab the ip addresses from stdin and spit them out by number, and optionally resolve the dns name.

Handy for adding to a command line when whittling down data from a firewall, syslog, etc.

examples:
 tail -f firewallsyslogfilename | ipsinline --dns    # will print and resolve all ips it finds in those lines
 head -n 10 somefilewithipsinit | ipsinline --head 1 --dns    # will print and resolve the first ip found in the line only

You can get it here
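An added Python sketch of the same idea (not the ipsinline code the post links to): it pulls IPv4 addresses out of each stdin line, validates them with the ipaddress module so tokens like 300.1.2.3 or a five-part version string are not reported, honours --head N and --dns, and never stalls the pipeline on a failed PTR lookup. The sample log lines are constructed, with RFC 5737 documentation addresses.

```python
import ipaddress
import re
import socket
import sys

# Candidate dotted quads only; ipaddress does the real validation below.
CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample input (not real traffic), in a Cisco ASA-style syslog layout.
SAMPLE_LINES = [
    "Oct 13 10:01:02 fw %ASA-6-302013: Built outbound TCP connection for "
    "outside:203.0.113.7/443 to inside:10.0.0.25/51234",
    "Oct 13 10:01:03 fw agent version 1.2.3.4.5 reported error code 300.1.2.3",
]


def ips_in_line(line, head=None):
    """Return the valid IPv4 addresses in one line, in order, at most `head` of them."""
    found = []
    for token in CANDIDATE.findall(line):
        try:
            found.append(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue  # looked like an address but an octet is out of range
    return found if head is None else found[:head]


def reverse_name(ip):
    """PTR lookup; returns None rather than raising when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def main(argv):
    head = int(argv[argv.index("--head") + 1]) if "--head" in argv else None
    dns = "--dns" in argv
    for line in sys.stdin:
        for ip in ips_in_line(line, head):
            name = reverse_name(ip) if dns else None
            print(ip if name is None else f"{ip} {name}", flush=True)


if __name__ == "__main__":
    main(sys.argv[1:])
```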

Posted at: Sun, 13 Oct 2013 | category: /itsec

Fix a corrupt event log

When performing forensics on a machine it's often best to pull the plug rather than perform a normal shutdown. On windows boxes this can corrupt the event log. To fix this, I once got some good advice from Lance Mueller of Guidance Software:

Here are simple instructions for repairing a "corrupted" (reportedly corrupted) event log....

This works with all three common Event logs (app, sec, sys)

Copy out the event log and use your favorite hex editor:

1. Do search for \x11\x11\x11\x11\x22\x22\x22\x22
2. Skip 20 from the beginning of the found text (\x11\x11...etc)
3. Copy the next 8 bytes and paste at the beginning of the file, starting at offset 20
4. Go to offset 36 and change value to "8"
5. Save the file
6. Open with Windows Event Viewer (eventvwr.exe)

Worked like a charm for me. I'm posting this here mostly so I don't have to track it down again next time I need it!
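The hex-editor steps above as a script, added here and not part of the post or of Lance Mueller's advice: it performs steps 1 to 4 on an in-memory copy and writes the result to a new file for step 5, so the copied-out evidence file is never modified in place. Two assumptions: the "8" at offset 36 is written as a 4-byte little-endian DWORD, and the sample image is constructed to exercise the byte moves, not a real log.

```python
import struct

MARKER = b"\x11\x11\x11\x11\x22\x22\x22\x22"  # step 1: bytes to search for
SKIP = 20           # step 2: skip 20 bytes from the start of the match
PASTE_OFFSET = 20   # step 3: paste the 8 copied bytes at file offset 20
FLAGS_OFFSET = 36   # step 4: the value at offset 36 becomes 8
FLAGS_VALUE = 8     # assumption: stored as a 4-byte little-endian DWORD


def find_signature(data):
    """Offset of the first \\x11\\x11\\x11\\x11\\x22\\x22\\x22\\x22 match, or -1."""
    return data.find(MARKER)


def repair_evt(data):
    """Return a repaired copy of an .evt image (steps 1 to 4 of the recipe)."""
    pos = find_signature(data)
    if pos < 0:
        raise ValueError("signature not found: not the corruption this recipe fixes")
    src = pos + SKIP
    if src + 8 > len(data) or len(data) < FLAGS_OFFSET + 4:
        raise ValueError("file too short to repair")
    buf = bytearray(data)
    buf[PASTE_OFFSET:PASTE_OFFSET + 8] = data[src:src + 8]
    buf[FLAGS_OFFSET:FLAGS_OFFSET + 4] = struct.pack("<I", FLAGS_VALUE)
    return bytes(buf)


def repair_file(src_path, dst_path):
    """Step 5: save the repaired bytes to a new file, leaving the evidence copy alone."""
    with open(src_path, "rb") as f:
        data = f.read()
    with open(dst_path, "wb") as f:
        f.write(repair_evt(data))


# Constructed sample image (not a real log): a zeroed 48-byte header, 40 bytes
# of filler, then a footer-like block with the signature and 20 known bytes after it.
SAMPLE = (bytes(48) + bytes(40)
          + b"\x28\x00\x00\x00" + MARKER + b"\x33\x33\x33\x33\x44\x44\x44\x44"
          + bytes(range(1, 21)))

if __name__ == "__main__":
    fixed = repair_evt(SAMPLE)
    print(fixed[20:28].hex(), fixed[36:40].hex())  # 05060708090a0b0c 08000000
```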

Posted at: Sun, 13 Oct 2013 | category: /itsec