Every hacker I know is always looking for ways to practice and improve their skills. One of the things I feel that is in short supply, is access to realistic networks to actually break into. Even here on this blog, we have a lot of posts about systems you can create to subsequently hack. In the real world, though, you will need more skills than running (or even creating an ... READ MORE
Encryption Basics: HMAC
We have covered a method for key exchange, and we have covered a way to implement public key encryption and message signing. Our topic today is hash-based message authentication codes or HMAC (a subset of message authentication codes). An HMAC provides us with most of the features of message signing, but it is quicker. There are times when you will use one over the other, and ... READ MORE
Encryption Basics: RSA
Number two in our encryption basics series. This time we are going to get into a well-known form of public key encryption, RSA. I plan on giving the same boiler plate warning for each of these; if you promise not to use this for encrypting anything truly important, you are allowed to skip the next couple of lines. The programs contained herein (obligatory lawyer speak) are for ... READ MORE
Encryption Basics: DHKE
As a side project I have been doing some self-study on encryption to better understand it. It is how we protect our data as it travels across the internet or when at rest, we use concepts from it to verify that we sent messages, and whole currency schemes are built around the idea. Encryption is an incredibly dense topic and it is easy to mess up. As such, all of the code I ... READ MORE
How to Bypass SEP with Admin Access
I realize that this post is an edge case, but I recently used this method to bypass SEP (Symantec Endpoint Protection) during a pen test, so for my reference and that one person who runs into a similar scenario I am writing this. A little bit of backstory: I was able to acquire a shared local administrator's credentials during a pen test. I was using them to gain access to ... READ MORE
Decrypting SSL Traffic with Wireshark
I recently was involved in an responding to an incident and one thing that was key to our investigation was decrypting SSL traffic. The attacker got a web shell on one of the servers and was mucking around with that. All of the traffic was over HTTPS, but we fortunately had the key. This allowed us to decrypt the traffic and view all of the commands issued. It was quite ... READ MORE
CTF – Malware Analysis Walkthrough
RSM hosted a capture the flag tournament for high school students at Mount Union back in April. This is the walkthrough for the forensics 400 CTF challenge. ("It should have been posted earlier, but it fell through the cracks." -patchwork). In my first walk-through I spent a lot of time talking about how I meant for the problem to be able to be solved without much prior ... READ MORE
Find Sensitive Data with Bulk Extractor
Bulk Extractor is a great tool for searching a file system for sensitive data. Bulk extractor ignores the file system and scans it linearly. This, in combination with parallel processing, makes the tool very fast. It will have an issue with fragmented files, but typically, files aren't fragmented. Follow the directions here for installation. Using BEViewer, the ... READ MORE
Real World Malware Analysis Part 4: Dynamic Analysis
Last time we used Malwr.com to automate a lot of our analysis, but the process was not without a few sticking points. Malware analysis typically falls into two categories, static and dynamic. These two really go hand-in-hand, and while it is possible to alternate between them, today we will focus on dynamic analysis. Remember to properly set up your lab environment! We are ... READ MORE
Collecting Volatile Data with AWK
On a recent forensics case, a coworker and I noticed some interesting logs on a Linux web server. TCPDump showed some strange traffic from a handful of IPs, but the access logs were not showing any visits from the offending addresses. The traffic was encrypted so it wasn't possible to see what was being sent, so we needed to do some additional digging. A lot is required to take ... READ MORE