Thu, 29 Dec 2011
Python3 and metasploit msgpack .:.permalink.:.
Last post was the basics of metasploit, python2 and msgpack. Getting this to work in python3 take a tweak or two
Posted at: Thu, 29 Dec 2011 | category: /itsec
Tue, 27 Dec 2011
In which we Metasploit via python over msgpack .:.permalink.:.
Recently metasploit changed it's rpc interface from xmlrpc to msgpack over http. Sad because it breaks kinectasploit but all things change, so this is a quick bit about interfacing python to metasploit via msgpack rpc.
Posted at: Tue, 27 Dec 2011 | category: /itsec
Sat, 02 Jul 2011
APT=Asteroids Persistent Threat .:.permalink.:.
Sometimes old skool is best. In a recent pen test I wanted to experiment with ways to use simple non-zero-day attacks to test common security controls like egress filtering, a brand-name IPS and endpoint protection suites.
Posted at: Sat, 02 Jul 2011 | category: /itsec
Fri, 06 Jun 2008
gltail .:.permalink.:.
Just discovered gltail the other day, here's how I got it working for me on gentoo: (mostly so I don't forget!)
Links: Homepage: http://www.fudgie.org/ Code: http://rubyforge.org/projects/gltail/
sudo emerge -av ruby sudo emerge -av freeglut sudo gem install -y ruby-opengl --version 0.40.1 sudo gem install -y net-ssh-1.1.4 gltail-0.1.6.gemI wrote an asa parser that's available here http://gltail.rubyforge.org/svn/trunk/lib/gl_tail/parsers/asafwsm.rb or whenever that's rolled up into the release.
Posted at: Fri, 06 Jun 2008 | category: /itsec
Wed, 28 May 2008
modrewrite .:.permalink.:.
Got sick of seeing proxy attempts in my logs so I send 'em to disney
<Directory /var/www>
#rewrite attackers
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*isp_verify.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*azenv.php.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*yahoo.com* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*proxy.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*azenv.php.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*google.com.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*myadmin.* [NC]
RewriteRule ^.* http://www.disney.com/$1 [R,L]
</Directory>
I've seen some folks that send 'em to fbi.gov. Wonder if they check their logs?
Posted at: Wed, 28 May 2008 | category: /itsec
Wed, 16 Apr 2008
Fix a corrupt event log .:.permalink.:.
When performing forensics on a machine it's often best to pull the plug rather than perform a normal shutdown. On windows boxes this can corrupt the event log. To fix this once I got some good advice from lance Mueller of guidance software:
Here are simple instructions or repairing a "corrupted" (reportedly corrupted) event log.... This works with all three common Event logs (app, sec, sys) Copy out the event log and use your favorite hex editor: 1. Do search for \x11\x11\x11\x11\x22\x22\x22\x22 2. Skip 20 from the beginning of the found text (\x11\x11...etc) 3. Copy the next 8 bytes and paste at the begining of the file, starting at offset 20 4. Goto offset 36 and change value to "8" 5. Save the file 6. Open with Windows Event Viewer (eventvwr.exe)
Worked like a charm for me. I'm posting this here mostly so I don't have to track it down again next time I need it!
Posted at: Wed, 16 Apr 2008 | category: /itsec
Domain controllers in realtime .:.permalink.:.
Yeah I'm a geek and I blog about tools. Here the list of me favs for watching logs in realtime:
Lately I've been working up a script to parse (in realtime) windows syslog entries send via evtsys from Purdue that I'll post here when it's stable.
Should be dandy for watching domain controllers in your enterprise
Posted at: Wed, 16 Apr 2008 | category: /itsec
winevtsysparse .:.permalink.:.
Here is a script to parse your windows event logs.
Caveats;
they come to you through syslog (evtsys from purdue or be prepared to alter the positions of the date/servername/syslog severity and entry)
you're using unix and can tail the syslog files piping them through this script like so
tail -q -f /mnt/syslog/domaincontrollerlog.txt | winevtsysparse
I use remark to filter out the cruft like so:
tail -q -f /mnt/syslog/domaincontrollerlog.txt| remark /usr/share/regex-markup/winevtlog | winevtsysparse
where the winevtlog file has entries for things I don't care about like:
#windows event descriptions to ignore: /Successful Network Logon/ skip /Service Ticket Request/ skip /User Logoff/ skip /Authentication Ticket Request/ skip /Logon attempt by/ skip /Privileged object operation/ skip /Special privileges assigned to new logon/ skip /Service Ticket Renewed/ skip /Object Operation/ skip /Computer Account Changed/ skip /Set ACLs of members in administrators groups/skip /Logon Failure.*An error occurred during logon/skip /The master browser has received a server announcement/skipHope it's of use to ya.
Posted at: Wed, 16 Apr 2008 | category: /itsec
yim2text .:.permalink.:.
Instant messaging is everywhere. Yahoo IM often logs it's messages locally on the hard disk of the computer used when sending the message. The log files are 'encrypted' using a simple xor. yim2text is a python script to decode these files and show you the chat logs. Download it here
Posted at: Wed, 16 Apr 2008 | category: /itsec
ipsinline .:.permalink.:.
A simple utility to grab the ip addresses from stdin and spit them out by number, and optionally resolve the dns name.
Handy for adding to a command line when whiddling down data from a firewall, syslog, etc.
examples: tail -f firewallsyslogfilename | ipsinline --dns #will print and resolve all ips it finds in those lines head -n 10 somefilewithipsinit | ipsinline --head 1 --dns #will print and resolve the first ip found in the line only.
You can get it here
Posted at: Wed, 16 Apr 2008 | category: /itsec