SANS SEC503: Intrusion Detection In-Depth Mentor Class

Categories: Uncategorized

If you live in the New Orleans area and are interested in SANS training but can’t make it to a conference, I will be leading a mentor session starting in March for SEC503: Intrusion Detection In-Depth.

Enter Promo Code MGIAC13 when registering for Security 503 from the Mentor Program to receive your FREE GIAC Exam attempt

Mentor classes meet once a week for 10 weeks in the evening for two hours – much like a graduate school course. No need to be out of the office or travel, and you’ll get more time to digest the content and more interaction. The class includes MP3 audio files so you can study at your own pace in between sessions and have questions ready for the next class. This course spans a wide variety of topics from foundational material such as TCP/IP to detecting an intrusion, building in breadth and depth along the way.

Course Details:

SECURITY 503: Intrusion Detection In-Depth

Start Date: March 27 – 6:30-8:30pm

Registration and full class information: http://www.sans.org/mentor/class/31040

Christmas 2012 Hacking Challenge

Categories: Challenges, Penetration Testing

Ed Skoudis and SANS’s holiday hacking challenges are something fun I look forward to every year. They’re always entertaining and a good little test of security skills. This year’s “The Year Without a Santa… Hack” was no different. I don’t think I’ve ever seen “The Year Without a Santa,” but the Control Systems twist for the challenge was cool.

Since the submission deadline has passed, I thought I’d post my report here. Looking forward to seeing the results, hopefully this coming week.

2012 Holiday Hack Challenge

Christmas 2011 Hacking Challenge

Categories: Challenges, Forensics

I spent a couple nights over my Christmas vacation working on the Christmas 2011 Hacking Challenge on the SANS Pen Test blog. This is the first year I’ve done the challenge, and I had a lot of fun with it. I may have gone a little overboard with the report, but I wanted to try to make it somewhat realistic.

I ended up getting honorable mention when the results were posted. I was pretty happy with that, even though it meant I didn’t win a copy of Ed Skoudis’s book. That wasn’t a big deal since I ended up winning a copy during NetWars at SANS2012 in Orlando, and I wouldn’t really need two copies. I had always meant to post my report when the challenge was over, and I’m just now getting around to that.

Here’s a link to my report and here is what Ed had to say about it in the results post:

Dave Lassalle: Your report was very detailed, and was a close second. You explained the Apple Software Update component of the attack well, explained all of the fields in the CellLocation table, mentioned the GPS anomalies and the duplicate timestamps, and included a great map showing all of the places. You also extracted and ran the iTunesSetup.exe malware and wrote your own handler for it, which was very impressive. Amazing work, beautifully executed.

2011HolidayHackChallenge

srch_strings_wrap — history and examples

Categories: Forensics

I recently took SANS FOR508 with Rob Lee in Las Vegas.  It was a great class and I highly recommend it to everyone interested in Digital Forensics.  I’m new to forensics and learned so much from the class.

One of the topics covered is using the srch_strings command from the Sleuth Kit on a filesystem image to obtain not just the strings within the file, but also the byte offset of each string.  This is done using the “-t d” option:

$ srch_strings -a -t d sda1.img
 7208 vmlinuz-2.2.14-5.0
 7336 System.map-2.2.14-5.0smp
 7464 module-info-2.2.14-5.0
 262176 lost+found
 262196 kernel.h
 262212 System.map-2.2.14-5.0
 262244 module-info-2.2.14-5.0

Then, after obtaining the block size of the filesystem using fsstat, we figure out which block each of these strings is in.  For example, this is an image of a filesystem with 1024 byte blocks, so divide each byte offset by 1024:

Block  String
 7     vmlinuz-2.2.14-5.0
 7     System.map-2.2.14-5.0smp
 7     module-info-2.2.14-5.0
 256   lost+found
 256   kernel.h
 256   System.map-2.2.14-5.0
 256   module-info-2.2.14-5.0

During class, I got tired of opening the calculator to figure out these blocks, so I came up with a little one-liner to do everything at once:

$ strings -a -t d sda1.img | tee file | awk '{print $1"/1024"}' | bc | paste - file
7       7208 vmlinuz-2.2.14-5.0
7       7336 System.map-2.2.14-5.0smp
7       7464 module-info-2.2.14-5.0
256     262176 lost+found
256     262196 kernel.h
256     262212 System.map-2.2.14-5.0
256     262244 module-info-2.2.14-5.0
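The same offset-to-block mapping as the one-liner, written out as a small Python script. This is an added example, not code from srch_strings_wrap or the Sleuth Kit; it reads the "offset string" lines that srch_strings -t prints, and it goes one step beyond the post by honouring the radix of the -t flag (d, o or x) so that hex offsets from "-t x" are converted correctly rather than silently treated as decimal. The sample input is the sda1.img output quoted above, embedded as a constructed string.

```python
"""Map srch_strings byte offsets to filesystem block numbers.

Added example, not part of srch_strings_wrap. It reads the
"<offset> <string>" lines printed by `srch_strings -a -t d image`
(or GNU `strings -t d`) and adds the block each string falls in,
reproducing the three columns of the tee/awk/bc/paste one-liner.
"""
import re

# Constructed sample: the srch_strings -a -t d sda1.img lines from the post.
SAMPLE_OUTPUT = """\
   7208 vmlinuz-2.2.14-5.0
   7336 System.map-2.2.14-5.0smp
   7464 module-info-2.2.14-5.0
 262176 lost+found
 262196 kernel.h
 262212 System.map-2.2.14-5.0
 262244 module-info-2.2.14-5.0
"""

# srch_strings -t {d,o,x}: decimal, octal or hex offsets. The digit class is
# chosen per radix so a stray letter is never mistaken for part of the offset.
RADIX = {
    "d": (10, r"[0-9]+"),
    "o": (8, r"[0-7]+"),
    "x": (16, r"[0-9A-Fa-f]+"),
}


def parse_strings_output(text, radix="d"):
    """Yield (offset, string) pairs; `radix` must match the -t flag used."""
    base, digits = RADIX[radix]
    # Offset, exactly one separating whitespace char, then the string itself
    # (which may legitimately begin with spaces, so only one is consumed).
    line_re = re.compile(r"^\s*(" + digits + r")\s(.*)$")
    for line in text.splitlines():
        m = line_re.match(line)
        if not m:
            continue  # blank or malformed line; strings never prints these
        yield int(m.group(1), base), m.group(2)


def offset_to_block(offset, block_size):
    """Block containing byte `offset`: integer division, like bc with scale=0."""
    if block_size <= 0:
        raise ValueError("block size must be positive")
    return offset // block_size


def annotate(text, block_size, radix="d"):
    """Return (block, offset, string) triples, the one-liner's three columns."""
    return [(offset_to_block(off, block_size), off, s)
            for off, s in parse_strings_output(text, radix)]


if __name__ == "__main__":
    # Block size 1024 is what fsstat reported for the image in the post.
    for block, off, s in annotate(SAMPLE_OUTPUT, 1024):
        print(f"{block:<7} {off:>7} {s}")
```

Get the block size from fsstat first, as the post says; feeding the wrong size produces plausible-looking but wrong block numbers, and the script has no way to detect that.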

Eventually, I got tired of typing that out and turned it into a script after getting back home after class.  I emailed Rob Lee about it and he put me in touch with Hal Pomeranz, who had been working on a similar script.  Hal and I had some other ideas of where this could be taken, and that’s what eventually became srch_strings_wrap.

In a previous post, I gave an overview of the command line options and functionality, so now I’d just like to show some examples.

srch_strings_wrap — forensics tool

Categories: Forensics

I wrote a tool called srch_strings_wrap (available at GitHub – https://github.com/superponible/Search-Strings-Extension) that extends the functionality of the srch_strings command in the Sleuth Kit.  The idea came from repeatedly having to determine the block that corresponded to the results of srch_strings during FOR508.  I contacted Rob Lee about what I had written and he put me in touch with Hal Pomeranz, who had a similar script and some other ideas.

There are other scripts in my repository that are previous versions of this script, but they are not as fully functional as srch_strings_wrap.

The original srch_strings pulls out the strings within a file and gives the byte offset if requested.  My script srch_strings_wrap will obtain the byte offset, but will also use that byte offset to determine, if available, the block, inode, and filename that string is in.  Several command line options exist for filtering results, modifying output, and automatically carving matched files/inodes/blocks.

Currently, the command line options include:

If no special options are given, srch_strings_wrap can be used in place of srch_strings.

The blocksize of the filesystem can be specified (-b) or automatically determined from the image (-d).  Multiple filesystem images can be given as arguments, but only one full disk image can be specified.  The output can be grouped by file/inode/block (-O) or printed out line by line (default).  It supports custom delimiters (-F) and can output to CSV (-C).  Output can be written, if desired with a header (-H), to a file (-w), to standard out (default), or not at all (-N).  Grep terms can be passed on the command line (-g) or in a dirty word file (-G), with case insensitivity (-i).

If full lookups to the filename layer are not needed, the level can be specified to decrease runtime: byte (-l0, no different from “srch_strings -t d”), block (-l1), inode (-l2), and filename (-l3, the default).  There is an option to autocarve (-A) which will carve out all matching strings at the highest level available.

And if multiple grep searches will be conducted, “srch_strings -a -t d fs.img > output.asc” can be run on an image to capture all the strings and save the output to a file, then -P can be used to accept the output of that file piped in (“cat output.asc | srch_strings_wrap -P -I fs.img“).
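To show what the -P / -g / -G / -i / -O / -C / -H behaviour described above amounts to, here is an added Python example that works the way the post says: it takes saved "srch_strings -a -t d" output, filters it against dirty words with optional case insensitivity, computes the block level (-l1), and emits either a grouped view or CSV with a header. It is not srch_strings_wrap itself. The inode and filename levels (-l2, -l3) need Sleuth Kit lookups against the image and are not reproduced here. The saved output, the dirty-word list and its one-term-per-line format are constructed assumptions for the example.

```python
"""Dirty-word filtering and block-level grouping of saved srch_strings output.

Added example; not the srch_strings_wrap script. Mirrors the -P (piped
output), -g/-G (grep terms), -i (case-insensitive), -O (grouped) and -C/-H
(CSV with header) options at block level (-l1) only.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed stand-in for "srch_strings -a -t d fs.img > output.asc".
OUTPUT_ASC = """\
   7208 vmlinuz-2.2.14-5.0
   7336 System.map-2.2.14-5.0smp
 262176 lost+found
 262196 kernel.h
 262212 System.map-2.2.14-5.0
 524300 Password: changeme
 524420 secret-plans.txt
"""

# Constructed dirty-word file (-G); one term per line is assumed here.
DIRTY_WORDS = "password\nsecret\nSystem.map\n"

LINE_RE = re.compile(r"^\s*(\d+)\s(.*)$")  # decimal offset, one separator, string


def load_terms(dirty_word_text, extra_terms=()):
    """Terms from a -G file plus any -g command-line terms; blanks dropped."""
    terms = [t.strip() for t in dirty_word_text.splitlines()] + list(extra_terms)
    return [t for t in terms if t]


def grep_hits(output_asc, terms, block_size, ignore_case=True):
    """Return (block, offset, string, term) for every line matching a term.

    Terms are matched literally (re.escape), so a dirty word containing
    regex metacharacters such as '.' is not accidentally widened.
    """
    flags = re.IGNORECASE if ignore_case else 0
    patterns = [(t, re.compile(re.escape(t), flags)) for t in terms]
    hits = []
    for line in output_asc.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset, s = int(m.group(1)), m.group(2)
        for term, pat in patterns:
            if pat.search(s):
                hits.append((offset // block_size, offset, s, term))
                break  # report each string once, under the first matching term
    return hits


def group_by_block(hits):
    """-O style view: {block: [(offset, string, term), ...]} in block order."""
    grouped = defaultdict(list)
    for block, offset, s, term in hits:
        grouped[block].append((offset, s, term))
    return dict(sorted(grouped.items()))


def to_csv(hits, header=True):
    """-C output, with the -H header line when requested."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    if header:
        writer.writerow(["block", "offset", "string", "term"])
    writer.writerows(hits)
    return buf.getvalue()


if __name__ == "__main__":
    found = grep_hits(OUTPUT_ASC, load_terms(DIRTY_WORDS), 1024)
    for block, entries in group_by_block(found).items():
        print(f"block {block}:")
        for offset, s, term in entries:
            print(f"    {offset:>7} {s}  [{term}]")
    print(to_csv(found))
```

Saving the strings output once and re-filtering it, as the post recommends, is what makes repeated dirty-word passes cheap: the expensive part is walking the image, and this script never touches it.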

See my overview post for some more examples and a little history on the tool.  It should be available in future versions of the SANS Investigative Forensics Toolkit (SIFT) Workstation.

* Link to this post: http://blog.superponible.com/2011/11/17/srch_strings_wrap-forensics-tool/
* Link to the examples: http://blog.superponible.com/2011/11/17/srch_strings_wrap-history-and-examples/
* Link to GitHub repository: https://github.com/superponible/Search-Strings-Extension

starting hands

Categories: Poker

Time for my quarterly poker related post. I created a single page with tables of the starting hand strategies recommended by Abdul Jalib and the ones for Tight and Loose games in Small Stakes Hold ‘Em.

I thought I could do this and figure out why I’m playing so tight (and losing so much), but it doesn’t seem to be helping. I don’t know what my problem is.