serversniff: August 2009

Friday, August 28, 2009

Extracting Files from a tcpdump

I'm working as consultant, pentester and sometimes still as second-level-security guy for a rather huge company.

Occasionally I have to analyze tcp-streams, and occasionally I came to a point where i had to extract files out of huge dumps. What I found during my last research about a year ago was not really usable - i hacked together a few lines of perl to extract exactly what i wanted - this didn't deliver exact files, but was enough to help me solve a problem.

Jim Clausing, one of the more practical guys over at ISC described the same problem recently and asked the readers of the ISC-Blog for software that is able to extract files from pcap-dump. People came out with a load of promising solutions:

* NetworkMiner http://networkminer.sourceforge.ne/

* tcpxtract http://tcpxtract.sourceforge.net/)

* bro http://www.bro-ids.org/

* tcpflow http://www.circlemud.org/~jelson/software/tcpflow/

* foremost http://foremost.sourceforge.net/

* dsniff http://www.monkey.org/~dugsong/dsniff/

* Chaosreader http://chaosreader.sourceforge.net/

* pyflag http://www.pyflag.net/cgi-bin/moin.cgi

* tcptrace http://www.tcptrace.org/

* tcpick http://tcpick.sourceforge.net/

* xtract.py http://www.malforge.com/npeid/xtract.py

Not all of them might do exactly what you want - but this is defintely the best overview on pcap-file-extractors I ever came across.

Tom

Thursday, August 27, 2009

Network-Cheatsheets

I'm on my way to become a friend of cheatsheets. A nice suite of network-related sheets is here: http://packetlife.net/cheatsheets/

Tom

Tuesday, August 04, 2009

How to find Elite-Security-People

Ever wondered where to find those real elite-security-people?

Maybe look for those who did their cissp-certification years ago: http://attrition.org/misc/ee/20050426-cissp.txt

~4.700 Names, employers, functions, addresses etc pp. of all those early CISSPs.

Real elite? - look for those who have an account at osvdb.org - especially check their id - the smaller the ID, the more 4337 they are. Get the (huge!) db here: https://www.metricscenter.net/amCharts/osvdb-metrics/raw/osvdb-csv.latest

Around 5.000 names here - but it reads like a who's who of those it-security-swamp. Also look here if you look for a human security-contact at some soft- or hardware-company - you find quite a few in those database.

Ever wondered how to find elite-security-guys, the leading edge security professionals?

You know other security-pro-listings? - Write a comment.

"The reason people search for themselves is that they're curious about what other people see when they search for their name," says Joe Kraus, Google's director of product management. (here)

Funny, those public databases.

tom

Sunday, August 02, 2009

How to check a site for E-Mail authentication

Working as a pentester, i often check webshops and well-established brands. I expect them to have some kind of E-Mail-Authentication in place - be it Domain-Keys or an SPF-Record.

Not because I want to make the world a spam-free-place - I believe mail-authentication a worthwile measure against phishing-scams abusing a company-brand. I a company has mail-authentication like SPF in place, almost all spam-filters are able to and will separate legitimate company-mail and newsletters from phishing-scams, that are usually sent via untrusted ip's or without proper DKIM.

I was recently asked how to check this in a realworld-scenario. SPF is fairly easy - just get TXT and SPF-record for the domain in question. DIG is your friend, or just use serversniff's dns-report.

DKIM is more complicated: You need a realworld mail from the customer - be it a newsletter or an errormessage or anything else.

But how to verify SPF-Records and Domain-Key-Sigs?

I found it the easiest to use googlemail for this task - open an email in question, press the small arrow up right (next to the upper "reply") and select "Show Original". GMail will show you the complete Mail-Headers then, including validated SPF- and DKIM-Records. These might look like this: