Sunday, August 23, 2009

Dump all IPs from pcap with tshark

Simple command to dump all IPs from a PCAP using tshark (swap in your own capture and output file names for sample.pcap and output_file):

tshark -nr sample.pcap ip | awk '{print $3; print $5}' | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq > output_file

By section:
- Summarize all IP traffic in the PCAP without resolving names or ports
- Print the source and destination IPs on separate lines (the ;)
- Sort the results appropriately for IP addresses (thanks to
- Remove duplicates
- Redirect the output to a file
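The awk/sort/uniq stages of that pipeline, as an added example that is not from the original post, run over a few constructed lines in the shape of tshark's default summary output (frame number, time, source, "->", destination, protocol) so it can be exercised without a capture file. It also shows why the per-octet numeric sort matters: a plain sort puts 10.0.0.10 ahead of 10.0.0.9.

```shell
#!/bin/sh
# Added example (not the original post's command). With a real capture,
# feed the function from tshark instead of the constructed sample:
#   tshark -nr sample.pcap ip | unique_ips

# Read tshark summary lines on stdin, emit source ($3) and destination ($5)
# on separate lines, sort numerically octet by octet, drop duplicates.
unique_ips() {
    awk '{print $3; print $5}' \
    | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 \
    | uniq
}

# Constructed sample of what "tshark -nr sample.pcap ip" prints; only the
# first five columns matter to the pipeline, the rest is filler.
SAMPLE='  1 0.000000 192.168.1.10 -> 10.0.0.9 TCP 54321 > 80 [SYN]
  2 0.000120 10.0.0.9 -> 192.168.1.10 TCP 80 > 54321 [SYN, ACK]
  3 0.000300 192.168.1.10 -> 10.0.0.10 DNS Standard query
  4 0.000450 10.0.0.100 -> 192.168.1.10 TCP 443 > 54322 [RST]'

# De-duplicated, octet-sorted IP list for the constructed sample:
# 10.0.0.9, 10.0.0.10, 10.0.0.100, 192.168.1.10 (one per line).
sample_ips() {
    printf '%s\n' "$SAMPLE" | unique_ips
}

# Contrast: a plain lexical sort orders "10.0.0.10" before "10.0.0.9".
sample_ips_lexical() {
    printf '%s\n' "$SAMPLE" | awk '{print $3; print $5}' | sort | uniq
}

sample_ips
```

The `-n` given before the `-k` keys applies to every key, so each octet is compared as a number; without `-t .` and the four keys, `sort` would compare the dotted quad as a single string.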

Wednesday, August 19, 2009

Automated Malware Analysis - Lab or Live

The internal debate:

A. Lab only (with a minor exception for legit DNS lookups) with all traffic hitting mock services on a mock Internet

B. Uber-throttled, hardened, and hamstrung Internet connection to improve scope and accuracy of analysis

The obvious knock on B is that "You put others on the Internet at risk". Really? If the outbound ports are severely limited, connections throttled, and duration capped, isn't that risk wildly overstated? At that point, what is the difference between approach B and manually wget'ing links on a live system, only to move those files into the lab, rinse, and repeat?

Saturday, August 15, 2009

Reverse Engineering Cheat Sheet

Ran across this cheat sheet from Microsoft on X86/Win32 for Reverse Engineers. Also found this one by Lenny Zeltser that is more how-to centric. Both are handy one-pagers to keep with an IDA book.

Lenny also has a number of other InfoSec cheat sheets on his site covering everything from Internet Application Security to DDoS Incident Response, as well as links to InfoSec cheat sheets by others.

Friday, August 14, 2009

Thursday, August 13, 2009

Lock down single user sign-on

Add the following to /etc/inittab

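As an added example (not the post's own snippet), the entry normally used for this on a SysV init system is `~~:S:wait:/sbin/sulogin`, which makes init run sulogin, and therefore demand the root password, whenever the box enters runlevel S (single-user mode). The helper below takes the file path as a parameter so it can be tried on a scratch copy before touching the real /etc/inittab; the sample inittab lines it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a SysV init whose
# /etc/inittab is read by init(8); the entry makes runlevel S run sulogin.
SULOGIN_ENTRY='~~:S:wait:/sbin/sulogin'

# Matches an uncommented inittab entry for runlevel S whose process is
# /sbin/sulogin (id:S:action:/sbin/sulogin). A leading '#' does not match.
SULOGIN_PATTERN='^[^#:]*:S:[^:]*:/sbin/sulogin'

# ensure_sulogin_entry FILE
# Appends the sulogin entry to FILE (normally /etc/inittab) unless a live
# one is already present, then prints how many live entries FILE holds.
# A correctly locked-down file reports exactly 1; running it twice is safe.
ensure_sulogin_entry() {
    file="$1"
    if ! grep -E "$SULOGIN_PATTERN" "$file" >/dev/null 2>&1; then
        printf '%s\n' "$SULOGIN_ENTRY" >> "$file"
    fi
    grep -Ec "$SULOGIN_PATTERN" "$file"
}

# Stand-alone demo against a constructed scratch inittab, never the real one.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'id:3:initdefault:' 'si::sysinit:/etc/init.d/rcS' > "$tmp"
    ensure_sulogin_entry "$tmp"   # appends the entry, prints 1
    ensure_sulogin_entry "$tmp"   # already present, still prints 1
    rm -f "$tmp"
}

demo
```

On the real file, run it as root (`ensure_sulogin_entry /etc/inittab`) and then `telinit q` so init re-reads the file; systems that have replaced SysV init do not consult /etc/inittab at all, so check which init you are running first.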

Updated Cheatsheets Available

SANS post on updated cheatsheets details the following:

- Jeremy Stretch's work at

- Forensic cheatsheets for XP and Vista/Win7.