Archive for the ‘security’ Category

Mozilla CTF && Not Dead, Just Busy

January 30th, 2012

So, it’s been a while since we’ve done anything on SA. Honestly, my new gig at HP/Fortify (Director of Pentesting) has kept me busy. I did get a chance to play the Mozilla CTF though with a few other HP/Fortify pentesters. The competition was a worldwide CTF run by Mozilla. The Mozilla CTF (capture the [...]

Mozilla CTF && Not Dead, Just Busy belongs to Security Aegis

Posted in Auto, chance, CTF, Dead, Draft, infosec, mozilla, penetration testing, security, web, Web Application, while | Comments (0)

Security Onion – Snorby Now Included

January 13th, 2012

2011 was a busy year for the Security Onion project and its owner Doug Burks.  I just did a quick count of the releases on SourceForge and came up with a total of 32 for 2011!  A number of these were bug fixes or application upgrades, but there were quite a few new apps added as well.  One of these was Snorby which arrived just in time for Christmas.

I've been using Sguil for quite some time to monitor my Snort boxes, but Snorby is fairly new to me.  So I did an update of Security Onion and started checking it out.  First impression was how easy it was to see what was happening over time, at least in volume of events.  You are taken to the dashboard after logging in and are immediately presented with counts of your high, medium, and low severity events.  Underneath each of those counts are bar charts displaying the frequency of those events over the last 24 hours.  In the screen shot below, you can see that there were 3 peaks for high severity issues and get a feel for when they occurred.  Beneath that is a line chart of the events for the same period of time.

[Screenshot: Snorby dashboard]

Why does that stand out to me?  Well, one of the things we learn in incident response is to watch for things outside the norm in the environment.  What looks normal and what stands out as an outlier?  While this information is limited to just event counts and their severity, I can still see how things are trending over time.  And with just a few clicks, I can see that for the last 24 hours, today, yesterday, the week, month, quarter or year.  So how do my IDS events look right now when compared to the volume of last week or a month ago?  Am I trending up or down?  Anyhow, I thought this was very cool.

From there I started looking at individual events.  Snorby allows us to look at the event, the payload of the offending traffic, examine the rule that fired the alert, add notes to the alert and perform classification on what was attempted.  All in all, Snorby provides good information and is easy to work with.  And this is just one of the applications in Security Onion.  I've used Snort and Sguil for a long time and they're a major part of Security Onion as well.  And there is still a long list of other network security monitoring applications to work with.  The really cool thing about Security Onion is how easy it is to set up and deploy.  Install the OS on a system, launch the setup application and in a few minutes you are looking at traffic and doing analysis.  Updates are easy to apply to both the OS and our NSM applications.  The ease of installation and maintenance is a major plus, particularly as Doug keeps rolling out new enhancements at the rate he has been.

All this for the price of a little time and either a virtual machine or some hardware.  So take a quick look and give the Security Onion a test drive.  Security Onion is also up for the 2011 Toolsmith Tool of the year, so if you like it, consider giving it a vote.

http://securityonion.blogspot.com/

http://www.snorby.org/

http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html

Kudos to Doug Burks for his work on Security Onion and to Dustin Webber for his work on Snorby.


Posted in security | Comments (0)

LinkedIn Harvesting for OSINT (esearchy video)

December 8th, 2011

Posted in Auto, Draft, esearchy, Harvesting, infosec, LinkedIn, LinkedIn Harvesting, OSINT, penetration testing, security, video | Comments (0)

esearchy – my new favorite OSINT script

November 11th, 2011

So you’re on a social engineering test… and you need to target some users for spear phishing. Previously we’ve used theHarvester and Metasploit for this, but I’ve now fully switched over to esearchy by Matias P. Brutti. Install on BT5:
sudo gem sources --add http://gems.github.com
sudo gem install gemcutter
sudo gem install esearchy
Let’s Pick [...]

Posted in Auto, doug lombardi, Draft, esearchy, infosec, joe rohde, kerry davis, kircher michael, mark behm, penetration testing, reason, security, spear, test, Valve | Comments (0)

Taking Dirbuster Output into Burp Suite

November 10th, 2011

Seeing as DirBuster is my brute forcer of choice and Burp is my interception proxy of choice, bridging the gap between these two tools and getting DirBuster’s output into Burp for further analysis is crucial. As you can see below, one bash command, about 140 characters long, does the trick. It takes the [...]
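The one-liner itself is cut off in this excerpt. What follows is an added example, not the post’s own command: a small POSIX sh script that does the same job in two steps, pulling every discovered path out of a DirBuster text report and replaying each one through Burp’s proxy so it lands in Burp’s site map and history. It assumes DirBuster 0.12’s report layout (paths listed one per line under headings such as “Dirs found with a 200 response:”), Burp listening on 127.0.0.1:8080, and curl on the box; the report in the demo is constructed, not real scan output.

```shell
#!/bin/sh
# Added example (not the original post's one-liner). Pulls every path out of
# a DirBuster text report and replays it through Burp's proxy so the findings
# show up in Burp's site map / history for further work.
# Assumptions: DirBuster 0.12 report layout (paths one per line under headings
# such as "Dirs found with a 200 response:"), Burp on 127.0.0.1:8080, curl.

# Print one absolute URL per discovered path, in report order, deduplicated.
# $1 = report file, $2 = base URL (scheme://host[:port]).
dirbuster_urls() {
    report="$1"
    base="${2%/}"          # strip a trailing slash; the report paths start with '/'
    # Only path lines start with '/', so this drops the banner, the separator
    # lines, the section headings and the target URL line.
    grep '^/' "$report" | awk '!seen[$0]++' | while IFS= read -r path; do
        printf '%s%s\n' "$base" "$path"
    done
}

# Send each URL on stdin through the proxy. Burp keeps request and response
# even though -o /dev/null discards the body; -k tolerates Burp's TLS cert.
replay_through_burp() {
    proxy="${PROXY:-127.0.0.1:8080}"
    while IFS= read -r url; do
        curl -s -k -x "$proxy" -o /dev/null -w '%{http_code} %{url_effective}\n' "$url"
    done
}

# Demo: a constructed report in DirBuster's layout (not real scan output).
demo_report=$(mktemp)
cat > "$demo_report" <<'EOF'
DirBuster 0.12 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Nov 10 12:00:00 GMT 2011
--------------------------------

http://target.example:80
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/
/admin/
/images/

--------------------------------
Files found during testing:

Files found with a 200 response:

/index.php
/admin/login.php
/admin/
EOF

# Dry run prints the URLs; set REPLAY=1 with Burp running to actually send them.
if [ "${REPLAY:-0}" = 1 ]; then
    dirbuster_urls "$demo_report" http://target.example:80 | replay_through_burp
else
    dirbuster_urls "$demo_report" http://target.example:80
fi
rm -f "$demo_report"
```

Replaying with `-o /dev/null` still gives Burp the full response, so once the run is done the discovered paths can be sent to Spider, Scanner or Repeater from the site map like any other request; the dedupe step matters because DirBuster lists a directory under both the “Dirs” and “Files” sections when it hits both.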

Posted in Burp, cat, cat report, dev, error results, infosec, penetration testing, scan line, security, stdout, Suite, target, web requests | Comments (0)

Honey Potting for MS11-083

November 10th, 2011

MS11-083 has arrived and people are getting both excited and scared; it looks like it’s going to be the next MS08-067, which, if you remember, Conficker used to bend Windows over and have a jol. Time for a honeypot? In any case, I took a moment and decided to write a script that would capture potential [...]
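The post’s script is cut off in this excerpt. As an added example, not the post’s own script, here is a small POSIX sh capture-and-triage helper built around tcpdump. The MS11-083 bulletin describes a flaw reached by a flow of UDP packets to a closed port, so the helper records UDP traffic aimed at a list of ports you first confirm nothing is listening on, rotates the pcap so a noisy scanner cannot fill the disk, and summarises which sources sent the most packets. Assumptions: tcpdump and iproute2’s ss are installed, capture runs as root, the interface name comes from $IFACE (default eth0), and ss -lun prints Local Address:Port in its fourth column; the tcpdump lines in the demo are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not the original post's script. Records UDP traffic aimed at
# closed ports (the traffic pattern MS11-083 concerns) to a rotating pcap and
# summarises who sent it. Assumptions: tcpdump and iproute2 ss installed,
# root for capture, interface in $IFACE (default eth0), ss -lun's 4th column
# is Local Address:Port.

# Build the BPF expression for the capture: UDP to any port in the list.
# udp_port_filter 5000 5001 -> "udp and (dst port 5000 or dst port 5001)"
udp_port_filter() {
    bpf=""
    for p in "$@"; do
        bpf="${bpf:+$bpf or }dst port $p"
    done
    printf 'udp and (%s)\n' "$bpf"
}

# Ports we are about to watch must really be closed: a live service on one
# of them would both pollute the capture and be a genuine target. Returns
# non-zero and names the offender if ss shows a listener.
assert_ports_closed() {
    listening=$(ss -lun 2>/dev/null | awk 'NR>1 {sub(/.*:/, "", $4); print $4}')
    for p in "$@"; do
        if printf '%s\n' "$listening" | grep -qx "$p"; then
            echo "port $p/udp has a listener; refusing to use it as a honeypot port" >&2
            return 1
        fi
    done
}

# Capture in the background, starting a new file every hour (-G 3600) so one
# noisy scanner cannot fill the disk; -s 0 keeps full payloads for analysis.
start_capture() {
    iface="${IFACE:-eth0}"
    filter=$(udp_port_filter "$@")
    tcpdump -i "$iface" -nn -s 0 -G 3600 -w 'ms11083-%Y%m%d-%H%M%S.pcap' "$filter" &
    echo $!   # pid, so the caller can stop the capture later
}

# Summarise a text dump (tcpdump -nn -r file.pcap) read from stdin into
# "count src-ip" lines, busiest source first.
top_sources() {
    awk '$2 == "IP" { ip = $3; sub(/\.[0-9]+$/, "", ip); print ip }' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Demo on constructed tcpdump lines (not real capture data).
sample_dump='12:00:01.000001 IP 198.51.100.7.40000 > 192.0.2.10.5000: UDP, length 64
12:00:01.000002 IP 198.51.100.7.40001 > 192.0.2.10.5000: UDP, length 64
12:00:01.000003 IP 203.0.113.9.1234 > 192.0.2.10.5001: UDP, length 12
12:00:01.000004 IP 198.51.100.7.40002 > 192.0.2.10.5001: UDP, length 64'

udp_port_filter 5000 5001
printf '%s\n' "$sample_dump" | top_sources
# Live use: assert_ports_closed 5000 5001 && start_capture 5000 5001
```

The closed-port check is the part worth keeping even if the rest changes: the whole point is to watch ports nothing answers on, so any hit is attacker or scanner traffic rather than a client that got the wrong address, and the pcap keeps the payloads you need to tell a scanner from a real exploit attempt.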

Posted in bash script, could allow remote code execution, Host, infosec, pcap, penetration testing, port, portlist, security, self, target system, UDP, udp traffic | Comments (0)

Web Application Hacking & Testing Resources

November 10th, 2011

The quoting of this page has been removed, please visit: http://danielmiessler.com/projects/webappsec_testing_resources/#methodologies# for the full article.

Posted in application, article, Check, Hacking, http://danielmiessler.com/projects/webappsec_testing_resources/#methodologies#, information, infosec, logic flaws, logic test, Management, marcus pinto, page, penetration testing, security, Testing, testing methodologies, Testing Resources, User, web, Web Application, web application security | Comments (0)

Microsoft Office 2007 Excel .xlb Metasploit Module (MS11-021)

November 6th, 2011

Timeline:
Vulnerability discovered and reported to ZDI by Aniway
Vulnerability reported to vendor by ZDI on 2010-10-18
Coordinated release of the vulnerability on 2011-04-12
Metasploit PoC provided on 2011-11-05
PoC provided by: Aniway, abysssec, sinn3r, juan vazquez
Reference(s): CVE-2011-0105, MS11-021, ZDI-11-121
Affected version(s): Microsoft Office XP Service Pack 3, Microsoft Office [...]

Posted in arbitrary code execution, File, file format converter, infosec, metasploit, meterpreter, microsoft excel viewer, microsoft office xp, office xp service pack, penetration testing, PoC, security, Service | Comments (0)

SecTools.Org 2011 Top Network Security Tools

November 5th, 2011

SecTools.Org: Top 125 Network Security Tools For more than a decade, the Nmap Project has been cataloguing the network security community’s favorite tools. In 2011 this site became much more dynamic, offering ratings, reviews, searching, sorting, and a new tool suggestion form. This site allows open source and commercial tools on any platform, except those [...]

Posted in decade, favorite tools, form, infosec, network connector, network security tools, nmap security scanner, penetration testing, SecTools, security, site, suggestion form, Top | Comments (0)

Easy Wireless Honey-Pots using Win7 and Metasploit

November 4th, 2011

Inspired by Vivek Ramachandran’s videos, I thought I would take the honor of creating the simple meterpreter script that basically does what you see in the third installment of the SWSE Addendum videos. When I watched the third video I thought to myself, “This shouldn’t be too difficult to do”. From my [...]

Posted in ap points, computer, honey pots, infosec, metasploit, meterpreter, payload, penetration testers, penetration testing, security, victim, wireless access points, wireless nics | Comments (0)