Fri, 01 Feb 2013

Converting Microsoft time to Real Time .:.permalink.:.

Lots of ldap attributes, registy entries, etc use microsoft's "custom" time format of 100 nanoseconds since 1601.

I suck at that much math, so here's a simple python script to convert that to my timezone:

read more...

Posted at: Fri, 01 Feb 2013 | category: /itsec

Sun, 16 Sep 2012

pinpoint for presentations: patch .:.permalink.:.

I can't stand powerpoint and openoffice isn't much better for presentations, especially if you're on linux. I ran into pinpoint and it looked great! Away I went happily making a presentation, backgrounds, etc. all good until..speaker mode.

read more...

Posted at: Sun, 16 Sep 2012 | category: /itsec

Wed, 05 Sep 2012

windowtitle .:.permalink.:.

A simple python utility to rename the xwindow title bar to something else.

If you're like me you easily end up with dozens of terminal sessions open and most are just named according to their respective current directory.

I hate that when alt-tabbing to find the one I want, hence this tool to rename them to something meaningful.

Code requires xdotool and is written for python3 and it's subprocess.getoutput module

read more...

Posted at: Wed, 05 Sep 2012 | category: /itsec

Mon, 13 Aug 2012

Brute Forcing DNS with python .:.permalink.:.

Often DNS is helpful in telling you what's out there without scanning. No one allows DNS zone transfers anymore so simply brute-force resolving dns is a quick workaround.

Here's a simple python script to resolve a range of IP addresses to their hostname (if available):

read more...

Posted at: Mon, 13 Aug 2012 | category: /itsec

Fri, 06 Jul 2012

Dead simple nessus xml file parsing with python .:.permalink.:.

Love nessus but hate the xml output?

Get the output you want via simple parsing the xml file with python in 20 lines or less:

read more...

Posted at: Fri, 06 Jul 2012 | category: /itsec

Wed, 27 Jun 2012

Python gets you from nmap xml to graphviz dot files: .:.permalink.:.

I was looking for a script to get from nmap's xml to graphviz..but no joy? This post from 2008 is about the closest I could find ?!

Anyway, once you've got the xml parsing, graphviz output is just a step away with python in ~20 lines:

read more...

Posted at: Wed, 27 Jun 2012 | category: /itsec

Dead simple nmap xml file parsing with python .:.permalink.:.

Love nmap but hate the xml output?

Get the output you want via simple parsing the xml file with python in 20 lines or less:

read more...

Posted at: Wed, 27 Jun 2012 | category: /itsec

Fri, 15 Jun 2012

Quick dump of an .ioc file via python .:.permalink.:.

The OpenIOC initiative from Mandiant is a great way to share actionable intel about indicators of compromise. Mandiant has some tools to create and search for entries in an ioc file but poking around the inernets I've not seen much traction or tools for the format especially from the open source community.

Lets change that shall we? Here's a quick python script to get some feet wet and dump an .ioc file's Indicator Items:

read more...

Posted at: Fri, 15 Jun 2012 | category: /itsec

Thu, 29 Dec 2011

Python3 and metasploit msgpack .:.permalink.:.

Last post was the basics of metasploit, python2 and msgpack. Getting this to work in python3 take a tweak or two

read more...

Posted at: Thu, 29 Dec 2011 | category: /itsec

Tue, 27 Dec 2011

In which we Metasploit via python over msgpack .:.permalink.:.

Recently metasploit changed it's rpc interface from xmlrpc to msgpack over http. Sad because it breaks kinectasploit but all things change, so this is a quick bit about interfacing python to metasploit via msgpack rpc.

read more...

Posted at: Tue, 27 Dec 2011 | category: /itsec

Sat, 02 Jul 2011

APT=Asteroids Persistent Threat .:.permalink.:.

Sometimes old skool is best. In a recent pen test I wanted to experiment with ways to use simple non-zero-day attacks to test common security controls like egress filtering, a brand-name IPS and endpoint protection suites.

read more...

Posted at: Sat, 02 Jul 2011 | category: /itsec

Fri, 06 Jun 2008

gltail .:.permalink.:.

Just discovered gltail the other day, here's how I got it working for me on gentoo: (mostly so I don't forget!)

Links: Homepage: http://www.fudgie.org/ Code: http://rubyforge.org/projects/gltail/

 sudo emerge -av ruby
 sudo emerge -av freeglut 
 sudo gem install -y ruby-opengl --version 0.40.1
 sudo gem install -y net-ssh-1.1.4 gltail-0.1.6.gem 
I wrote an asa parser that's available here http://gltail.rubyforge.org/svn/trunk/lib/gl_tail/parsers/asafwsm.rb or whenever that's rolled up into the release.

Posted at: Fri, 06 Jun 2008 | category: /itsec

Wed, 28 May 2008

modrewrite .:.permalink.:.

Got sick of seeing proxy attempts in my logs so I send 'em to disney
<Directory /var/www>
#rewrite attackers
        RewriteEngine On
        RewriteCond %{REQUEST_URI}  ^.*isp_verify.*     [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*azenv.php.*      [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*yahoo.com*      [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*proxy.*      [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*azenv.php.*      [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*google.com.*      [NC,OR]
        RewriteCond %{REQUEST_URI}  ^.*myadmin.*      [NC]
        RewriteRule ^.* http://www.disney.com/$1 [R,L]
</Directory>

I've seen some folks that send 'em to fbi.gov. Wonder if they check their logs?

Posted at: Wed, 28 May 2008 | category: /itsec

Wed, 16 Apr 2008

Fix a corrupt event log .:.permalink.:.

When performing forensics on a machine it's often best to pull the plug rather than perform a normal shutdown. On windows boxes this can corrupt the event log. To fix this once I got some good advice from lance Mueller of guidance software:

Here are simple instructions or repairing a "corrupted" (reportedly 
corrupted) event log....

This works with all three common Event logs (app, sec, sys)

Copy out the event log and use your favorite hex editor:

1. Do search for \x11\x11\x11\x11\x22\x22\x22\x22
2. Skip 20 from the beginning of the found text (\x11\x11...etc)
3. Copy the next 8 bytes and paste at the begining of the file, 
starting at offset 20
4. Goto offset 36 and change value to "8"
5. Save the file
6. Open with Windows Event Viewer (eventvwr.exe)

Worked like a charm for me. I'm posting this here mostly so I don't have to track it down again next time I need it!

Posted at: Wed, 16 Apr 2008 | category: /itsec

winevtsysparse .:.permalink.:.

Here is a script to parse your windows event logs.
Caveats;
they come to you through syslog (evtsys from purdue or be prepared to alter the positions of the date/servername/syslog severity and entry)
you're using unix and can tail the syslog files piping them through this script like so

 tail -q -f /mnt/syslog/domaincontrollerlog.txt | winevtsysparse

I use remark to filter out the cruft like so:
 tail -q -f /mnt/syslog/domaincontrollerlog.txt| remark /usr/share/regex-markup/winevtlog | winevtsysparse

where the winevtlog file has entries for things I don't care about like:
#windows event descriptions to ignore: 
/Successful Network Logon/ skip
/Service Ticket Request/ skip
/User Logoff/ skip 
/Authentication Ticket Request/ skip
/Logon attempt by/ skip
/Privileged object operation/ skip 
/Special privileges assigned to new logon/ skip 
/Service Ticket Renewed/ skip 
/Object Operation/ skip
/Computer Account Changed/ skip
/Set ACLs of members in administrators groups/skip
/Logon Failure.*An error occurred during logon/skip
/The master browser has received a server announcement/skip 
Hope it's of use to ya.

Posted at: Wed, 16 Apr 2008 | category: /itsec

yim2text .:.permalink.:.

Instant messaging is everywhere. Yahoo IM often logs it's messages locally on the hard disk of the computer used when sending the message. The log files are 'encrypted' using a simple xor. yim2text is a python script to decode these files and show you the chat logs. Download it here

Posted at: Wed, 16 Apr 2008 | category: /itsec

ipsinline .:.permalink.:.

A simple utility to grab the ip addresses from stdin and spit them out by number, and optionally resolve the dns name.

Handy for adding to a command line when whiddling down data from a firewall, syslog, etc.

examples: 
	tail -f firewallsyslogfilename | ipsinline --dns #will print and resolve all ips it finds in those lines
	head -n 10 somefilewithipsinit | ipsinline --head 1 --dns #will print and resolve the first ip found in the line only.

You can get it here

Posted at: Wed, 16 Apr 2008 | category: /itsec

Domain controllers in realtime .:.permalink.:.

Yeah I'm a geek and I blog about tools. Here the list of me favs for watching logs in realtime:

  • python
  • remark (regex markup)
  • Lately I've been working up a script to parse (in realtime) windows syslog entries send via evtsys from Purdue that I'll post here when it's stable.

    Should be dandy for watching domain controllers in your enterprise

    Posted at: Wed, 16 Apr 2008 | category: /itsec