Tag Archives: tools

My Intrusion Detection Honeypot

Please note that some of the links below may be affiliate links. As an Amazon Associate I earn from qualifying purchases.

For the last several years, I’ve been working on a honeypot system to detect “east to west” internal traffic that doesn’t go “north to south” to the internet. The reason is to detect potential threat actors moving laterally in the network. While this doesn’t catch all internal to internal traffic, it does alert on internal traffic to the device. The need for such a device came from a job several years ago.

At a place where I worked, the managers would comment that we could see North-South traffic to and from the internet. But we couldn’t detect potentially malicious East-West traffic internally between systems. We could see East-West between Zones, but not systems in the same zone.

Which led to the suggestion of Honeypots. Both Management and Legal said we can’t have a honeypot because they believe them to be entrapment devices. Management also didn’t want to give threat actors a beachhead device to take over and use to attack other devices.

What was needed was a device that could act like an alarmed/monitored door, that would alert when used. Something that had next to zero interaction. It took a couple of years but I found a workable solution with Chris Sanders’ Intrusion Detection Honeypots (affiliate link).
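The "alarmed door" idea above is easy to prototype. The block below is an added example written for this archive page, not the author's honeypot and not Chris Sanders' code: a zero-interaction TCP listener that binds a handful of otherwise unused ports (the port list is a constructed placeholder), accepts a connection, reads at most 64 bytes, hangs up, and emits one JSON alert line. It never responds, so there is nothing for an intruder to take over; the value is purely in the log line that says an internal host knocked on a door nobody legitimate should touch.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed list of "alarmed door" ports (placeholder values). Choose ports
# nothing on the host legitimately serves; any connection to them is an alert.
ALARMED_PORTS = [2222, 3390, 4450]


def make_event(src_ip, src_port, dst_port, first_bytes):
    """One alert record per touch. The door never answers, so the only
    things worth recording are who knocked, where, and what they sent."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "first_bytes_hex": first_bytes.hex(),
    }


class AlarmedDoor:
    """Zero-interaction TCP listener: accept, read up to 64 bytes, close, log."""

    def __init__(self, host, ports, sink=print):
        self.host = host
        self.ports = ports
        self.sink = sink          # receives one JSON line per event
        self.events = []          # in-memory copy of every event (handy for tests)
        self._servers = []
        self._stop = threading.Event()

    def start(self):
        for port in self.ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((self.host, port))
            srv.listen(5)
            srv.settimeout(0.5)   # lets the accept loop notice stop()
            self._servers.append(srv)
            threading.Thread(target=self._serve, args=(srv,), daemon=True).start()

    def bound_ports(self):
        """Actual listening ports (useful when port 0 asked the OS to pick)."""
        return [s.getsockname()[1] for s in self._servers]

    def _serve(self, srv):
        dst_port = srv.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break             # listening socket closed by stop()
            with conn:            # read a little, say nothing, hang up
                conn.settimeout(1.0)
                try:
                    data = conn.recv(64)
                except (socket.timeout, OSError):
                    data = b""
            event = make_event(src_ip, src_port, dst_port, data)
            self.events.append(event)
            self.sink(json.dumps(event, sort_keys=True))

    def wait_for_events(self, count, timeout=5.0):
        """Block until `count` events have been logged or the timeout passes."""
        deadline = time.monotonic() + timeout
        while len(self.events) < count and time.monotonic() < deadline:
            time.sleep(0.02)
        return len(self.events) >= count

    def stop(self):
        self._stop.set()
        for s in self._servers:
            s.close()


def touch(host, port, payload=b""):
    """Self-test client: connect to one door once, send payload, hang up."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        if payload:
            c.sendall(payload)


if __name__ == "__main__":
    door = AlarmedDoor("0.0.0.0", ALARMED_PORTS)
    door.start()
    print("alarmed ports:", door.bound_ports())
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        door.stop()
```

Run it as-is and every connection prints a JSON line; swap `sink=print` for a function that writes to syslog or your SIEM's collector. The `touch()` helper exists only so the door can be exercised against 127.0.0.1; in production the only clients should be the ones you want to hear about.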


Always remember to document with screenshots when doing investigations

I’ve been looking for a job. I applied to one recently and came across something a little scammy. Seconds after getting a thank you for applying email, I got an email saying I had to run software to prove I met the requirements to work from home. Plug the computer into the modem and run their test. Wasn’t happening on my daily driver. I ran it through some VMs.

The link in the email was for what looks like a head hunter software firm. It redirected to the company’s website. The company I applied to. I tested with Flare VM running on Proxmox on an old i3 server I have. The Flare VM passed everything but the processor test. It wanted an i5 or higher. I didn’t bother to get screenshots, because I thought I’d run it again on something with a newer processor.

I spent today (the day I wrote the blog post, not the day it was published) setting up a Flare VM on my laptop. I loaded up the Flare VM, and started Wireshark, Regshot, and Procmon. I started Edge, went to the link again, only to get a blank page with no option to test. Note: The site said after I ran the test to try again from another computer. But there was nothing there to run this time.

There were two takeaways from this.

1. I should have built some Flare VMs sooner, because they take a while to build. Build them before you want to use them.

2. Follow the rules of getting screenshots and taking notes as you work because it would have made a great blog post walking through the steps.

Walking Through Applied Network Security Monitoring – Forward through Chapter 1

Back in December, it really doesn’t feel that long ago, I talked about how I was prepping for a project.

The end goal is to brush up on Network Security Monitoring (NSM) and use it to better monitor my home network. I occasionally check the logs but think I would be more active if I had a centralized tool to help. Right now, I have a log of blocked domain alerts in my pfSense firewall’s pfBlockerNG reports screen. Most of the entries are tracking related that the Pi-Hole isn’t blocking and is getting to the second block list on the firewall.

Note: I say my home network, not my home lab. As I said in the past, I no longer maintain a home lab due to cost and space. I have parts of my network isolated, but I wouldn’t call that a lab.


Current Python Working Environment.

Over the last nine to ten months, I’ve changed how I’ve been using Python, again.

Working environment:

I work in either Debian or Xubuntu Linux, or Windows Subsystem Linux (WSL) Debian. I prefer Debian on bare metal hardware. The VMs I use at work are usually Xubuntu (faster, easier setup). Work’s laptop has Windows 10 Enterprise on it, which is where WSL comes in.


How I’m currently using Python Virtual Environments

So as mentioned previously, I’m looking at using Python’s Virtual Environments to keep code straight. Figuring out how to set it up was a bit of fun. I’m sure there are some great plugins for Atom, but I haven’t found them yet.

So far here is how I’m using it. I’ve created two directories, .venv and Projects. Both are in my home folder. When I create a new project directory, like AtBS_Udemy, I create a matching env directory under .venv. In AtBS’ case, it is AtBS_Udemy_env.

It’s actually working out pretty well so far, but I’ve only done this on 2 *Nix based boxes so far. A work VM and my travel-laptop. We’ll have to see how this goes long term.

More thoughts on python – projects

This is kind of picking up on where the last “Thoughts on Python” post left off. One of the things I’ve learned over the last few weeks playing with Python is some new lexicon. Things like Projects, to mean programs. Linters, which are hooks to call out mistakes in the code to help fix it.

Anyway, besides the quick and dirty proxy I listed last time I have two other projects I’m working on.

One takes a list of domain names that currently don’t have web pages, or have parked pages, and checks to see if they have changed to active. There are several ways to do this, but those methods didn’t work for me. A couple are using GoDaddy and they seem to have several different pages that host the parked page, which returns different data each time the page is visited. So the simple way of using cURL and a hash doesn’t look like it will work. I’m thinking Requests with BeautifulSoup and .find().
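Why the cURL-and-hash check fails, and what a text-based check looks like instead, as an added example (editor's code, not the project the post describes). It uses only the standard library's `html.parser` and `urllib` so it runs offline; the post plans Requests and BeautifulSoup, which would replace `VisibleText` with `soup.find()` and `get_text()`. The parked-page marker phrases and the two sample "fetches" are constructed: the samples differ only in a script token and an ad slot id, which is exactly the kind of per-visit noise that changes the raw hash while leaving the visible text, and therefore the classification, the same.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# Constructed marker phrases typical of registrar holding pages; extend as you
# meet new ones. Matching is done on visible text only.
PARKED_MARKERS = (
    "this domain is parked",
    "domain is for sale",
    "buy this domain",
    "parked free",
)


class VisibleText(HTMLParser):
    """Keep the <title> and visible body text; drop <script>/<style> contents,
    which is where parked pages carry their per-visit random tokens."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self._skip_depth = 0
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif not self._skip_depth:
            self._chunks.append(data)

    def body_text(self):
        return re.sub(r"\s+", " ", " ".join(self._chunks)).strip().lower()


def raw_hash(html):
    """The cURL-and-hash approach: changes whenever any byte of the page changes."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def text_fingerprint(html):
    """Hash of title plus visible text: stable across cosmetic/script noise."""
    parser = VisibleText()
    parser.feed(html)
    stable = parser.title.strip().lower() + "\n" + parser.body_text()
    return hashlib.sha256(stable.encode("utf-8")).hexdigest()


def classify_html(html):
    """Return 'empty', 'parked' or 'active' from the page's visible text."""
    parser = VisibleText()
    parser.feed(html)
    title = parser.title.strip().lower()
    body = parser.body_text()
    if not title and not body:
        return "empty"
    if any(m in title or m in body for m in PARKED_MARKERS):
        return "parked"
    return "active"


def check_domain(domain, timeout=10):
    """Fetch http://<domain>/ and return (http_status, classification);
    any network or TLS error comes back as ('error', reason)."""
    req = Request(f"http://{domain}/", headers={"User-Agent": "parked-check/0.1"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            html = resp.read().decode("utf-8", errors="replace")
            return resp.status, classify_html(html)
    except Exception as exc:  # URLError, HTTPError, socket timeout
        return "error", str(exc)


# Constructed samples: two fetches of one parked page that differ only in a
# script token and an ad slot id, plus one genuinely active page.
PARKED_FETCH_1 = """<html><head><title>example.test is parked</title>
<script>var visit_token='a1b2c3d4';</script></head>
<body><div id="ad-48213">sponsored listings</div>
<p>This domain is parked free, courtesy of the registrar.</p></body></html>"""
PARKED_FETCH_2 = PARKED_FETCH_1.replace("a1b2c3d4", "9f8e7d6c").replace("ad-48213", "ad-77310")
ACTIVE_PAGE = """<html><head><title>Acme Widgets</title></head>
<body><h1>Welcome to Acme</h1><p>We make widgets. Contact sales for a quote.</p></body></html>"""
```

`raw_hash()` of the two parked fetches differs while `text_fingerprint()` is identical, which is the whole reason to compare extracted text rather than bytes; `check_domain()` is the piece you would run over the watch list on a schedule.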

The second uses data pulled from a Shodan search, and searches for context for me from an internal system at work. This is the one I learned the most from, over the last week. Mainly because it has changed several times. I’ve learned some web scraping tricks, mainly using Ryan Mitchell’s book Web Scraping with Python second ed (Amazon affiliate link). I really want to work through the book from cover to cover but mainly it is a reference guide at this point.

During this project, from WSwP2e, I learned how to use Sessions from requests to capture authentication cookies and replay them during a session while scraping a website for data. I learned how to use BeautifulSoup’s .get_text() to print only the data I needed. Outside of the book I learned how to drill down to get to the right part of the table. I also learned of the getpass module to have a user input their password without revealing it to the screen or .history_file.

After I got that all figured out and written, with “Open with” and some testing on the table results to get past out of range problems; I found out there was an API option. So I can get the same data from a single URL in JSON. That will make getting the data easier since it will be in the form of JSON keys / dictionary like, and not in the form of rows in a table.

So the code is a mess right now, written with the old scraping way, and with the API mixed in. I’m waiting for the people who wrote the API to tell me if I’m going to have to write a for loop or if I can feed it the whole list I need information on.

A third project I want to work on deals with collecting IOCs. The other week at work I was going through some Emotet related emails, and the SOC analysts asked for all the related domains my team could find. So I was going to URLhaus to look up the domains we had from the PowerShell script. Then grabbing the hash, and all the domains the hash was found on.

I got real tired of copy, go to terminal window, open file, paste, awk print and sort uniq, copy paste to Notepad file. I set the terminal command line up so all I had to do was up arrow. It would remove the old temp file, get the data, sort it and then print it to the screen. So I could copy and paste.

Even that was a bit of a mess to use, because it needed human interaction and there were a few times that the data didn’t copy so I ended up repeating a few copies a few times.

Without looking at the API for URLhaus, which I’ll get around to eventually, I want to write a script, that while running will watch the clipboard, copy the data, manipulate it, sort it, and paste it to a file, or even just write it to the file. Still trying to flesh that one out. But it will be helpful beyond just the one site.
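The clipboard-watching collector sketched above, as an added example (editor's code, not the author's script). The core is pure standard library: `extract_iocs()` refangs the usual `hxxp` / `[.]` notation, pulls domains, IPv4 addresses and MD5/SHA1/SHA256 hashes out of free text, and returns them sorted and de-duplicated; `IocCollector` remembers what it has already written so re-copying the same block adds nothing twice, which removes the "did that one paste?" problem. The Linux clipboard reader assumes `xclip` is installed (swap in `pyperclip` or `pbpaste` as suits your box), and the sample clipboard text, including the addresses and hashes in it, is constructed.

```python
import re
import subprocess
import time

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,24}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)

# Filename "TLDs" the domain regex would otherwise swallow from URL paths.
NOT_TLDS = {"exe", "dll", "zip", "rar", "txt", "doc", "docx", "xls", "xlsx",
            "pdf", "php", "html", "htm", "js", "ps1", "bat", "asp", "aspx",
            "jpg", "png", "gif"}
LABEL = {"domains": "domain", "ips": "ip", "hashes": "hash"}


def refang(text):
    """Undo common defanging so the regexes see real separators."""
    return (text.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
                .replace("hxxp", "http").replace("hXXp", "http"))


def extract_iocs(text):
    """Domains, IPv4s and hashes from free text: lower-cased, unique, sorted."""
    t = refang(text)
    domains = {m.group(0).lower() for m in DOMAIN_RE.finditer(t)
               if m.group(0).rsplit(".", 1)[-1].lower() not in NOT_TLDS}
    ips = set(IPV4_RE.findall(t))
    hashes = {h.lower() for h in HASH_RE.findall(t)}
    return {"domains": sorted(domains), "ips": sorted(ips), "hashes": sorted(hashes)}


class IocCollector:
    """Keeps the set of indicators already filed; ingest() returns only the new ones."""

    def __init__(self, out_path=None):
        self.seen = {"domains": set(), "ips": set(), "hashes": set()}
        self.out_path = out_path

    def ingest(self, text):
        found = extract_iocs(text)
        new = {k: [v for v in found[k] if v not in self.seen[k]] for k in found}
        for k in new:
            self.seen[k].update(new[k])
        if self.out_path and any(new.values()):
            with open(self.out_path, "a", encoding="utf-8") as fh:
                for k in ("domains", "ips", "hashes"):
                    for v in new[k]:
                        fh.write(f"{LABEL[k]}\t{v}\n")
        return new

    def totals(self):
        return {k: len(v) for k, v in self.seen.items()}


def read_clipboard_xclip():
    """Linux clipboard read via xclip (assumption: xclip is installed)."""
    out = subprocess.run(["xclip", "-selection", "clipboard", "-o"],
                         capture_output=True, text=True, check=False)
    return out.stdout


def watch_clipboard(collector, read_clipboard=read_clipboard_xclip, poll=0.5):
    """Poll the clipboard; whenever its contents change, extract and file IOCs."""
    last = None
    while True:
        text = read_clipboard()
        if text and text != last:
            last = text
            for kind, values in collector.ingest(text).items():
                for v in values:
                    print(LABEL[kind], v)
        time.sleep(poll)


# Constructed sample of what an analyst might copy from a lookup page.
SAMPLE_CLIPBOARD = """\
constructed sample, not real indicators
hxxp://malicious-example[.]test/update.exe
hxxps://cdn.second-example[.]test/payload.zip
callback 203.0.113.5 and 198.51.100.7
sha256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
md5    0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    watch_clipboard(IocCollector("iocs.tsv"))
```

Running the script leaves it polling the clipboard and appending one tab-separated `kind<TAB>value` line per new indicator to `iocs.tsv`; the regexes are deliberately loose (an IPv4 pattern will also match a version string), so review the file before handing it to the SOC.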

* Update 2024-10-06: changed to Amazon Affiliate Link, which I earn a commission from qualifying purchases.

Thoughts on Python

I’ve been trying to pick up more Python again. It’s hard, having to constantly put it on the back burner for college classes. I get a little more retained each time at least.

A couple of weeks ago, @WyattRoersma posted an interesting link from Real Python about publishing to PyPI. Which led to a great conversation. I was curious if I should post something. I wrote a quick and dirty module to import required proxy info for the boxes I use at work. Scrubbing it to share wasn’t that hard. But wondered if it was worth sharing to PyPI. To be honest I only wrote it because I was tired of having to copy and paste the same code from a file on my desktop every time I wanted to use it.

Anyway Wyatt offered to review some of what I wrote on his twitch channel. I didn’t get to see the show live, I had to watch later. Man, it was brutal. I knew I was bad, but I didn’t know I was that bad. He didn’t look at the code I wanted but instead looked at some of my older code. My one per environment (Windows, Cygwin, Linux) ping code. He made some great suggestions.

Since then, the first thing I did, was stop using Notepad++ and Vim for coding. I’ve installed Atom. I’ve installed some Linters, I didn’t even know what those were, that really helped with things like following pep8, one of Wyatt’s biggest comments about my code. However, Automate the Boring Stuff with Python, doesn’t teach pep8. Which of course means that I’m now trying to learn Python, AND break bad habits.

Atom might be a bit of a crutch. It has spell checking which my code did badly on in the comments. It also has a linter catch not matching pep8, plus an autopep8 on save option. Really that one gets used for spacing on multi-line commands. I think I’m learning to make things a little more pythonic, but not sure. Though I apparently need to use more modules.

I will say this, in the last 3 weeks, coding Python has become fun again.

scripts to decode base64 and hex

About a month ago, I added a couple of shell scripts to my DFIR Github repository. Three of the four scripts are used at work daily in either a Linux terminal, or a Cygwin terminal. The fourth script is something I use to help with quarantined mail, and not really DFIR based.

b64Decode.sh and hexConvert.bash take command line arguments and report back the result. For example:
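A Python counterpart to the two decoders, added here as an editor's example rather than the repository's b64Decode.sh or hexConvert.bash. It is written for the way encoded strings actually arrive from mail quarantines and scripts: hex with `0x` prefixes, colons or spaces mixed in, base64 with the padding chopped off or using the URL-safe alphabet, and decoded bytes that turn out to be UTF-16LE (what PowerShell's `-EncodedCommand` carries). The `auto` mode prefers hex when the input is all hex digits of even length, so a string like `deadbeef`, valid in both alphabets, decodes as hex unless you say `b64` explicitly.

```python
import base64
import binascii
import re
import sys

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def clean_hex(s):
    """Strip the decorations hex shows up with: 0x / \\x prefixes, colons, commas, spaces."""
    s = re.sub(r"(?:0x|\\x)", "", s, flags=re.I)
    return re.sub(r"[\s:,]", "", s)


def decode_hex(s):
    h = clean_hex(s)
    if not h or not HEX_RE.match(h):
        raise ValueError("not hex")
    if len(h) % 2:
        raise ValueError("odd-length hex (a nibble lost while copying?)")
    return bytes.fromhex(h)


def decode_base64(s):
    """Tolerant base64: whitespace removed, URL-safe alphabet accepted,
    missing '=' padding restored, but non-alphabet garbage still rejected."""
    b = re.sub(r"\s+", "", s).replace("-", "+").replace("_", "/").rstrip("=")
    b += "=" * (-len(b) % 4)
    if not B64_RE.match(b):
        raise ValueError("not base64")
    try:
        return base64.b64decode(b, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64: {exc}") from exc


def guess_and_decode(s):
    """Hex wins when the input is all hex digits of even length; otherwise base64."""
    stripped = clean_hex(s)
    if stripped and HEX_RE.match(stripped) and len(stripped) % 2 == 0:
        return "hex", bytes.fromhex(stripped)
    return "base64", decode_base64(s)


def to_text(data):
    """Render decoded bytes; UTF-16LE is recognised by the NUL in every second byte."""
    if len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def main(argv):
    """usage: decode.py hex|b64|auto <string>; returns the process exit code."""
    if len(argv) != 3 or argv[1] not in ("hex", "b64", "auto"):
        print(f"usage: {argv[0]} hex|b64|auto <string>")
        return 2
    try:
        if argv[1] == "hex":
            kind, data = "hex", decode_hex(argv[2])
        elif argv[1] == "b64":
            kind, data = "base64", decode_base64(argv[2])
        else:
            kind, data = guess_and_decode(argv[2])
    except ValueError as exc:
        print("error:", exc)
        return 1
    print(f"[{kind}] {len(data)} bytes")
    print(to_text(data))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

`python decode.py auto SGVsbG8=` prints `[base64] 5 bytes` and `Hello`; a malformed input exits 1 with the reason instead of a traceback, which matters when the script sits inside a shell pipeline.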
