Simple command to dump all IPs from a PCAP using tshark (custom fields are RED):
tshark -nr sample.pcap ip awk '{print $3 ; $ 5 }' sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 uniq > output_file
By section:
- Summarize all IP traffic in the PCAP without resolving names or ports
- Print the source and destination IPs on separate lines (the ;)
- Sort the results appropriately for IP addresses (thanks to networking.ringofsaturn.com)
- Remove duplicates
- Redirect the output to a file
Sunday, August 23, 2009
Wednesday, August 19, 2009
Automated Malware Analysis - Lab or Live
The internal debate:
A. Lab only (with a minor exception for legit DNS lookups) with all traffic hitting mock services on a mock Internet
OR
B. Uber-throttled, hardened, and ham strung Internet connection to improve scope and accuracy of analysis
The obvious knock on B is that "You put others on the Internet at risk". Really? If the outbound ports are severely limited, connections throttled, and duration capped, isn't that risk wildly overstated? At that point, what is the difference between approach B and manually wget'ing links on a live system, only to move those files into the lab, rinse, and repeat?
A. Lab only (with a minor exception for legit DNS lookups) with all traffic hitting mock services on a mock Internet
OR
B. Uber-throttled, hardened, and ham strung Internet connection to improve scope and accuracy of analysis
The obvious knock on B is that "You put others on the Internet at risk". Really? If the outbound ports are severely limited, connections throttled, and duration capped, isn't that risk wildly overstated? At that point, what is the difference between approach B and manually wget'ing links on a live system, only to move those files into the lab, rinse, and repeat?
Saturday, August 15, 2009
Reverse Engineering Cheat Sheet
Ran across this cheat sheet from Microsoft on X86/Win32 for Reverse Engineers. Also found this one by Lenny Zeltser that is more how-to centric. Both are handy one-pagers to keep with an IDA book.
Lenny also has a number of other InfoSec cheat sheets on his site covering everything from Internet Application Security to DDoS Incident Reponse, as well as links to InfoSec cheat sheets by others.
Lenny also has a number of other InfoSec cheat sheets on his site covering everything from Internet Application Security to DDoS Incident Reponse, as well as links to InfoSec cheat sheets by others.
Friday, August 14, 2009
Thursday, August 13, 2009
Lock down single user sign-on
Add the following to /etc/inittab
su:S:wait:/sbin/sulogin
source: http://thedaneshproject.com/posts/password-protect-single-user-mode/
su:S:wait:/sbin/sulogin
source: http://thedaneshproject.com/posts/password-protect-single-user-mode/
Updated Cheatsheets Available
SANS post on updated cheatsheets details the following:
- Jeremy Stretch's work at PacketLife.net: http://packetlife.net/cheatsheets/
- Forensic cheatsheets for XP and Vista/Win7.
- Jeremy Stretch's work at PacketLife.net: http://packetlife.net/cheatsheets/
- Forensic cheatsheets for XP and Vista/Win7.
Subscribe to:
Posts (Atom)