Friday, August 28, 2009

Extracting Files from a tcpdump

I'm working as a consultant, pentester and sometimes still as a second-level security guy for a rather huge company.
Occasionally I have to analyze TCP streams, and occasionally I came to a point where I had to extract files out of huge dumps. What I found during my last research about a year ago was not really usable - I hacked together a few lines of Perl to extract exactly what I wanted - this didn't deliver exact files, but was enough to help me solve a problem.

Jim Clausing, one of the more practical guys over at ISC, described the same problem recently and asked the readers of the ISC blog for software that is able to extract files from a pcap dump. People came up with a load of promising solutions:

Not all of them might do exactly what you want - but this is definitely the best overview of pcap file extractors I ever came across.


Thursday, August 27, 2009


I'm on my way to becoming a friend of cheat sheets. A nice suite of network-related sheets is here:


Tuesday, August 04, 2009

How to find Elite Security People

Ever wondered where to find those real elite security people?

Maybe look for those who did their CISSP certification years ago:
~4.700 names, employers, functions, addresses etc. pp. of all those early CISSPs.

Real elite? - Look for those who have an account at - especially check their ID - the smaller the ID, the more 4337 they are. Get the (huge!) DB here:

Around 5.000 names here - but it reads like a who's who of that IT security swamp. Also look here if you are looking for a human security contact at some soft- or hardware company - you find quite a few in that database.

Ever wondered how to find elite security guys, the leading-edge security professionals?

You know other security pro listings? - Write a comment.

"The reason people search for themselves is that they're curious about what other people see when they search for their name," says Joe Kraus, Google's director of product management. (here)

Funny, those public databases.


Sunday, August 02, 2009

How to check a site for e-mail authentication

Working as a pentester, I often check webshops and well-established brands. I expect them to have some kind of e-mail authentication in place - be it DomainKeys or an SPF record.

Not because I want to make the world a spam-free place - I believe mail authentication is a worthwhile measure against phishing scams abusing a company brand. If a company has mail authentication like SPF in place, almost all spam filters are able to and will separate legitimate company mail and newsletters from phishing scams, which are usually sent via untrusted IPs or without proper DKIM.

I was recently asked how to check this in a real-world scenario. SPF is fairly easy - just get the TXT and SPF records for the domain in question. dig is your friend, or just use serversniff's DNS report.
DKIM is more complicated: you need a real-world mail from the customer - be it a newsletter or an error message or anything else.

But how to verify SPF records and DomainKeys signatures?

I found it easiest to use Google Mail for this task - open the e-mail in question, press the small arrow at the upper right (next to the upper "Reply") and select "Show Original". Gmail will then show you the complete mail headers, including the validated SPF and DKIM results. These might look like this:

SPF pass: Google verified an SPF record for this mail.

SPF neutral: Google can't verify an SPF record for this mail.

SPF pass by "best guess": There is no SPF record, but Google was able to verify that the originating machine belongs to the originating domain.

And now for the different DKIM headers:

I'm still not sure what Google's spam filter means with these headers, but it seems to be fairly accurate, even detecting a domain in "test mode".
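To make the two checks above repeatable, here is an added example (my own illustration, not the author's tooling or anything from Google): it parses the `Received-SPF`, `Authentication-Results` and `DKIM-Signature` headers a "Show Original" view exposes, derives the `selector._domainkey.domain` name whose TXT record you would then look up with dig, flags the `t=y` test-mode flag in that key record, and assesses the SPF TXT strings returned for a domain (no record, several records, the `all` qualifier, and the top-level count of DNS-lookup terms). All header values, the `example.com` domain, the `news2009` selector and the key material are constructed for the example; nothing here touches the network.

```python
"""Parse SPF/DKIM evidence from Gmail's "Show Original" view and from dig TXT output.
Added example for this post; all sample values below are constructed."""
import re
from email import message_from_string

# Constructed headers modelled on what Gmail's "Show Original" exposes.
SAMPLE_MESSAGE = """\
Received-SPF: pass (google.com: domain of news@example.com designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of news@example.com designates 192.0.2.10 as permitted sender) smtp.mail=news@example.com; dkim=pass header.i=@example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=news2009;
 h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=dGVzdA==
From: Newsletter <news@example.com>
Subject: August newsletter

body
"""

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_received_spf(value):
    """Return (result, best_guess). The result token comes first; Google notes
    'best guess' in the comment when the domain publishes no SPF record."""
    result = value.strip().split(None, 1)[0].lower()
    return result, "best guess" in value.lower()


def parse_authentication_results(value):
    """Map each method (spf, dkim, ...) to its result, skipping the authserv-id."""
    results = {}
    for part in re.sub(r"\s+", " ", value).split(";")[1:]:
        m = re.match(r"\s*([a-z]+)=([a-z]+)", part)
        if m:
            results[m.group(1)] = m.group(2)
    return results


def dkim_tags(value):
    """Split a tag=value list (DKIM-Signature header or DKIM key TXT record)."""
    tags = {}
    for item in re.sub(r"\s+", "", value).split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key] = val
    return tags


def dkim_selector_record_name(signature_value):
    """DNS name holding the signer's public key: <selector>._domainkey.<domain>."""
    tags = dkim_tags(signature_value)
    return f"{tags['s']}._domainkey.{tags['d']}"


def dkim_key_in_test_mode(txt_record):
    """RFC 6376: a 't=y' flag in the key record means the domain is testing DKIM."""
    return "y" in dkim_tags(txt_record).get("t", "").split(":")


def parse_spf_record(txt):
    """Return (terms, all_qualifier, dns_lookups) for one 'v=spf1 ...' string."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        parsed.append((qualifier, term))
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    return parsed, all_qualifier, lookups


def assess_spf(txt_records):
    """Verdict for the strings `dig +short TXT <domain>` returns (quotes included).
    Lookups are counted for the top-level record only, not for nested includes."""
    spf = [r.strip('"') for r in txt_records if r.strip('"').lower().startswith("v=spf1")]
    if not spf:
        return "no SPF record: receivers fall back to neutral or a best guess"
    if len(spf) > 1:
        return "multiple SPF records: RFC 7208 treats this as permerror"
    _, all_q, lookups = parse_spf_record(spf[0])
    if lookups > 10:
        return "more than 10 DNS-lookup terms: evaluation ends in permerror"
    verdicts = {"-": "hard fail (-all): strict policy", "~": "soft fail (~all): advisory only",
                "?": "neutral (?all): no protection", "+": "+all: permits any sender"}
    return verdicts.get(all_q, "no all term: implicit neutral")


def check_message(raw):
    """Summarise what the Gmail headers say about one message."""
    msg = message_from_string(raw)
    spf_result, best_guess = parse_received_spf(msg["Received-SPF"])
    auth = parse_authentication_results(msg["Authentication-Results"])
    return {"spf": spf_result, "spf_best_guess": best_guess,
            "dkim": auth.get("dkim"),
            "dkim_key_name": dkim_selector_record_name(msg["DKIM-Signature"])}


if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE))
    print(assess_spf(['"v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"']))
```

The `dkim_key_name` it prints is what you feed to `dig TXT`; run the returned record through `dkim_key_in_test_mode` to see whether the sender has merely enabled DKIM in test mode, and paste the domain's own TXT answers into `assess_spf` to learn whether its SPF policy actually ends in a hard fail or only a soft or neutral one.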

I'd be happy to hear of any other solution for verifying mail authentication - write a comment or drop me a mail to