Open source intelligence is collecting information from publicly available resources. If you are doing incident handling it’s one of the things that will use up a lot of your time. And it can quickly become very tedious. Imagine a list of IPs that you found hosts on your network connecting to. Querying different publicly available resources (VirusTotal, Shodan, SANS, Cymon, XForce Exchange, …) for each and every IP and then converting that data into one … Read more.
Do Tor exit nodes alter your content? (or is Tor safer than Vodafone?)
The short answer: no, Tor exit nodes do not alter your content.
A recent post by @adrellias got my attention. The link in the post refers to an article where a user spots a case of content (JavaScript) injection by Vodafone. The details can be found in the blog post Am I hacked? Oh, it’s just Vodafone. Needless to say this is very bad behavior by Vodafone.
Vodafone eavesdrops on your conversation, causing this to … Read more.
Doing open source intel with recon-ng – part 2
This is the second part of a post on doing open source intel with recon-ng. The first part focused on gathering open source information for user accounts. This second part focuses on gathering domain and host information.
I started with one single domain. I’m interested in what other hosts related to this domain can be found. To do this I use the search command `search domains-hosts`.
The list shows modules that use for example Baidu, … Read more.
Doing open source intel with recon-ng – part 1
recon-ng is a tool for open source reconnaissance. Reconnaissance is the first phase in a penetration test and it is the act of gathering preliminary data or intelligence on your target.
Recon-ng has a look and feel similar to the Metasploit Framework and provides an easy to use interface to gather open source intelligence.
This is a post on doing open source intel with recon-ng. The post is split into two parts:
the … Read more.
Defending Against Apache Web Server DDoS Attacks
I had a post published on the IBM Security Intelligence website: Defending Against Apache Web Server DDoS Attacks. I cover the use of the modules ModSecurity, mod_evasive and Fail2ban for protecting Apache web servers.
If you’re looking for general information on how to deal with DDoS attacks then have a look at the whitepaper DDoS: Proactive and reactive measures. That document serves as a guideline, help and advice for the Belgian public and private … Read more.
Introduction to Modbus TCP traffic
Modbus is a serial communication protocol. It is the most widely used protocol within ICS.
It works in a Master / Slave mode. This means the Master has to pull the information from a Slave at regular intervals.
Modbus is a clear text protocol with no authentication.
Although it was initially developed for serial communication it is now often used over TCP. Other versions of Modbus (used in serial communication) are for example Modbus RTU … Read more.
Intro to PLCs, ICS and SCADA
Industrial Control Systems or ICS have received a lot of attention lately. In the US the ICS-CERT was established and ENISA has a whole unit devoted to Industrial Control Systems/SCADA. But for most people working in IT it is still a relatively new playing field.
Because every area in technology has its own specific vocabulary I wrote a small intro to PLCs, ICS and SCADA covering the different components that play a role in the ICS field.
… Read more.
Fixing the Kibana geo_point error for MHN (Modern Honey Network)
I have been working with honeypots for a long time. I consider them one of the best sources for statistics and ongoing trends. Most importantly, they give insight into new exploits and attacker activity.
In the past I used my own set of tools to collect the information from different honeypots. The tools are available on GitHub cudeso-honeypot. I have an old blog post on ‘Using ELK as a dashboard for honeypots’.
Since … Read more.
Use netflow with nfdump and nfsen
In a previous post I described what netflow is and when you use it. This post describes how to use netflow with nfdump and nfsen.
Having netflow is great but of course you’d like a way to view your netflow data. I’m covering the nfdump and nfsen tools.
nfdump is the command line interface whereas nfsen is the web interface. Both tools can be used together. In fact, nfsen is a web wrapper around … Read more.
Hunting for Dridex C2 info
Dridex, the multifunctional malware package that leverages macros in Microsoft Office to infect systems, has seen an increase in the number of campaigns.
Dridex will first arrive on a user’s computer as an e-mail with an attached Microsoft Word document. If the user opens the attachment (with macros enabled) then a macro embedded in the document triggers a download of the Dridex banking malware, enabling it to get installed.
See for example in an article … Read more.