-
Questions which should be answered easily: tips for analyzing log files.
Search a log and count the hosts: cat log | jq -c '.host' | sort | uniq -c | sort -n
To see more about the host "Apache": cat log | grep "Apache" | jq
Search in gzipped logs: zgrep "Apache" log.gz, or zcat log.gz | grep "Apache"
Convert…
-
Use cases. Tools: standard Unix tools like awk can also be used on the output of a cat of a flow file; nfdump; SiLK; argus.
-
JA4S is a system for hashing the configuration of a TLS connection. More: ja4/technical_details/README.md at main · FoxIO-LLC/ja4 · GitHub. Possible use cases:
-
Scapy fundamentals. Commands for the interactive scapy interpreter:
conf.iface shows the currently used interface
conf.iface='tun0' sets the interface to use
ls shows all protocols
ls(TCP) shows all known header fields for a given protocol
lsc shows the built-in functions
Details about a packet p:
p shows general information
p.summary() also shows general information
p.show() shows each field and…
-
An Ettercap successor, written in Go. Basic commands:
Passive ARP probing: net.recon on / net.recon off
Active probing: net.probe on / net.probe off
Sniffing: set net.sniff.output /tmp/sniff.pcap (optional), then net.sniff on / net.sniff off
Spoofing: set arp.spoof.targets $target1, $target2, $target3, then arp.spoof on / arp.spoof off
DNS spoofing: set dns.spoof.domains target.domain (the domain which should be resolved as…), set…
-
See also MemProcFS. The forensic memory framework Volatility (version 3 since 2019) offers a wide range of methods to analyse memory. See the blog post "Retrieving memory" for methods and techniques to obtain memory. Start by getting general information about a memory dump: volatility -f image.mem imageinfo. Now use the following commands to get more information:…
-
Yet Another Ridiculous Acronym is a tool for detecting information in binary and text files. YARA rules are written in text files. When yara is called with a rule file and a file to test, it either returns nothing if no rule matched, or one or more rules which match the provided file. Example: the following rule…
-
Note that iptables and ip6tables should always be used together!
Tables: iptables manages a set of tables which act as ACLs (Access Control Lists).
Actions: actions are defined via the -j option.
Examples:
Show all rules: iptables -L and ip6tables -L
Ignore all packets from a network: iptables -A INPUT -s 192.168.5.1/32 -j DROP and ip6tables -A INPUT -s fd75:943b:5f2e:0:a4:45a1:b753:4152 -j…
-
tcpdump. Get incoming ICMP packets: sudo tcpdump -i any icmp and src host $target
Useful parameters:
Do not resolve domain names, show IPs: -n
Show a hex dump of the data: -X
Show the packet in ASCII: -A
Working with files:
Write the dump to a file: tcpdump -w file
Read the dump from a file: tcpdump -r file
Standard queries: tcpdump -n src|dst 10.10.10.10 and port…
-
See a packet in its context: context menu, select Follow.
Show only ICMP packets from a host: tcpdump host 10.11.1.128 and icmp -i tun0
Show other systems communicating outside the own address range: ip.addr == 10.11.1.0/24 && !(ip.addr == 192.168.119.0/24) && !dns && !browser && !ssdp && !nbns && !llmnr
Record audio: Wireshark can transform captured audio…
-
With knockd a server can be configured to respond only after a specific sequence of ports has been probed beforehand. It is often used for SSH. Countermeasure: sniff the traffic, wait for a user to log in, and reconstruct the knocking pattern from the pcaps.
-
Sniffing and live content filtering. Operation modes:
Unified: sniffs all packets on one interface. Packets addressed to the attacking host end here; all others are forwarded directly after being received.
Bridged: forwards traffic from one interface to another. Completely stealthy, because there really is no one "between the cable".
Usage: ettercap OPTIONS TARGET1 TARGET2. Targets are defined as MAC/IPv4s/IPv6s/PORT…