This document discusses various techniques for advanced network forensics, including user/password cracking using Hydra, port scanning using Nmap, signature detection by analyzing file types in network payloads, and detecting converted file formats like MIME encoding. It provides examples of using tools like Hydra, Nmap, and Snort rules to detect activities like password cracking, port scanning, and the transmission of files like PDFs and images over the network.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
This talk focuses on various ways to attempt to be as much like normal users/behavior/traffic as possible. We also demonstrate the limitations of signature-based detection systems and then discuss a prototype Remote Access Tool (RAT) that is designed to blend in with normal activity.
Presented at CodeMash, January 8, 2014
Passive Fingerprinting of HTTP/2 Clients by Ory SegalCODE BLUE
HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol that is made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2, means that client-side and server-side implementations have to incorporate completely new code in order to support new HTTP/2 features. This introduces nuances in protocol implementations, which, in return, might be used to passively fingerprint web clients.
Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.
In the presentation, we intend provide the following:
*HTTP/2 Overview
- Introduction into the basic elements of the protocol
- a review the different components chosen for the fingerprint format (alongside a discussion on those left out)
- Potential use cases of the proposed fingerprint
- Usage Statistics - prevalence of HTTP/2 usage on Akamai’s platform
*Examples of common HTTP/2 Implementations & Client fingerprints collected during the research
*HTTP/2 support (or the lack of) among common web security tools (Burp suite, sqlmap, etc.)
*Review of attacks over HTTP/2 observed on Akamai’s platform
Handy Networking Tools and How to Use ThemSneha Inguva
When I joined the networking team at DigitalOcean a few years ago, I dove into an entirely different world of software-defined networking in the data center. Virtual switches, networking protocols — these were concepts that I had encountered at the surface level before — but now I frequently found myself debugging them. With time, I came to rely on a variety of Linux networking tools for introspecting, troubleshooting, and examining network state. In this talk, I’ll share some of my favorite Linux networking tools and discuss scenarios in which they are quite helpful.
WiFi practical hacking "Show me the passwords!"DefCamp
Konrad Jędrzejczyk in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Ведущий: Пол Викси
Система доменных имен (DNS) предлагает отличный вид на локальную и глобальную сети, что дает возможность исследовать действия киберпреступников и методы атак. В докладе будет показано, как обезопасить DNS и использовать ее для защиты других подключенных объектов. Докладчик подробно расскажет о подмене кэша DNS, расширениях защиты для протокола DNS (DNSSEC), DDoS-атаках, ограничении скорости передачи, межсетевом экране DNS и пассивном DNS-мониторинге.
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
Recent trends have led to the erosion of the security perimeter and increasingly attackers are gaining operational footprints on the network interior. For more information, please visit our website: http://www.cisco.com/web/CA/index.html
This talk focuses on various ways to attempt to be as much like normal users/behavior/traffic as possible. We also demonstrate the limitations of signature-based detection systems and then discuss a prototype Remote Access Tool (RAT) that is designed to blend in with normal activity.
Presented at CodeMash, January 8, 2014
Passive Fingerprinting of HTTP/2 Clients by Ory SegalCODE BLUE
HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol that is made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2, means that client-side and server-side implementations have to incorporate completely new code in order to support new HTTP/2 features. This introduces nuances in protocol implementations, which, in return, might be used to passively fingerprint web clients.
Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.
In the presentation, we intend provide the following:
*HTTP/2 Overview
- Introduction into the basic elements of the protocol
- a review the different components chosen for the fingerprint format (alongside a discussion on those left out)
- Potential use cases of the proposed fingerprint
- Usage Statistics - prevalence of HTTP/2 usage on Akamai’s platform
*Examples of common HTTP/2 Implementations & Client fingerprints collected during the research
*HTTP/2 support (or the lack of) among common web security tools (Burp suite, sqlmap, etc.)
*Review of attacks over HTTP/2 observed on Akamai’s platform
Handy Networking Tools and How to Use ThemSneha Inguva
When I joined the networking team at DigitalOcean a few years ago, I dove into an entirely different world of software-defined networking in the data center. Virtual switches, networking protocols — these were concepts that I had encountered at the surface level before — but now I frequently found myself debugging them. With time, I came to rely on a variety of Linux networking tools for introspecting, troubleshooting, and examining network state. In this talk, I’ll share some of my favorite Linux networking tools and discuss scenarios in which they are quite helpful.
WiFi practical hacking "Show me the passwords!"DefCamp
Konrad Jędrzejczyk in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Ведущий: Пол Викси
Система доменных имен (DNS) предлагает отличный вид на локальную и глобальную сети, что дает возможность исследовать действия киберпреступников и методы атак. В докладе будет показано, как обезопасить DNS и использовать ее для защиты других подключенных объектов. Докладчик подробно расскажет о подмене кэша DNS, расширениях защиты для протокола DNS (DNSSEC), DDoS-атаках, ограничении скорости передачи, межсетевом экране DNS и пассивном DNS-мониторинге.
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
Recent trends have led to the erosion of the security perimeter and increasingly attackers are gaining operational footprints on the network interior. For more information, please visit our website: http://www.cisco.com/web/CA/index.html
A Deep Dive into Structured Streaming in Apache Spark Anyscale
This presentation was given at Apache Spark Meetup in Milano by Databricks software engineer and Apache Spark contributor Burak Yavuz. It covers how to write end-to-end, fault-tolerant continuous application using Structured Streaming APIs available in Apache Spark 2.x
We share our experience with Apache Kafka for event-driven collaboration in microservices-based architecture. Talk was a part of Meetup: https://www.meetup.com/de-DE/Apache-Kafka-Germany-Munich/events/236402498/
Spark Streaming API walk-through and insights of the dynamics of how it works. Presented at the Spark Belgium Meetup. (Presentation included live demo on backpressure)
Summarize the design and build approach for SOC (Security Operation Center) for both end user company and service providers. Defines the approach flow for SOC building and various components and phases involved. Defines design thumb rules and parameters for SOC Design.
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
Network scanning with Nmap for Noobs and Ninjas - This slide was presented at Null Delhi monthly security meet by Nikhil and Jayvardhan.
https://www.facebook.com/nullOwaspDelhi/
The detail architecture of the most relevant consumer drones will be introduced, continuing with the communications protocol between the pilot (app in the smartphone or remote controller) and the drone. Manual reverse engineering on the binary protocol used for this communication will lead to identifying and understanding all the commands from each of the drones, and later inject commands back.
Learning Objectives:
1: Understand whenever a protocol between drone and pilot is secure.
2: Learn about a new reverse engineering methodology for these protocols.
3: Review a set of good practices to secure the environment surrounding a drone.
(Source: RSA Conference USA 2018)
Your website just went down. As you try to understand what has gone wrong, you quickly realize something is different this time. There’s no clear reason why your site should be down, but indeed it is.
This talk is about the story of our team’s first unprepared fight against a DDoS attack.
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018DevOpsDays Tel Aviv
Tcpdump is awesome for debugging issues on the network layer. But sometime you want to do a bit more, like look into the application layers or do some aggregation. In this talk I’m going to show you how to use python together with the pcapy and dpkt modules to take tcpdump to the next level.
Unmasking Careto through Memory Forensics (video in description)Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
How to Create Map Views in the Odoo 17 ERPCeline George
The map views are useful for providing a geographical representation of data. They allow users to visualize and analyze the data in a more intuitive manner.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Ethnobotany and Ethnopharmacology:
Ethnobotany in herbal drug evaluation,
Impact of Ethnobotany in traditional medicine,
New development in herbals,
Bio-prospecting tools for drug discovery,
Role of Ethnopharmacology in drug evaluation,
Reverse Pharmacology.
We all have good and bad thoughts from time to time and situation to situation. We are bombarded daily with spiraling thoughts(both negative and positive) creating all-consuming feel , making us difficult to manage with associated suffering. Good thoughts are like our Mob Signal (Positive thought) amidst noise(negative thought) in the atmosphere. Negative thoughts like noise outweigh positive thoughts. These thoughts often create unwanted confusion, trouble, stress and frustration in our mind as well as chaos in our physical world. Negative thoughts are also known as “distorted thinking”.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
How to Split Bills in the Odoo 17 POS ModuleCeline George
Bills have a main role in point of sale procedure. It will help to track sales, handling payments and giving receipts to customers. Bill splitting also has an important role in POS. For example, If some friends come together for dinner and if they want to divide the bill then it is possible by POS bill splitting. This slide will show how to split bills in odoo 17 POS.
9. PortscanningAdvNetFor.
Author: Prof Bill Buchanan
NMAP (Port Scanning)
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given
ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
OS DETECTION:
-O: Enable OS detection
C:Documents and SettingsAdministrator> nmap -sS 192.168.47.134
Host is up (0.00088s latency).
Not shown: 973 closed ports
PORT STATE SERVICE
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
..
5900/tcp open vnc
8099/tcp open unknown
MAC Address: 00:0C:29:0F:71:A3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds
[SYN], Port 1
[SYN, ACK], Port 1
[SYN], Port 21
[RST, ACK], Port 21
Port
open
Port
closed
[ACK], Port 1
13. DetectingScanningAdvNetFor.
Author: Prof Bill Buchanan
NMAP (Port Scanning)
Time: 01/05-16:22:35.960159
event_ref: 0
192.168.47.171 -> 192.168.47.134 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.168.47.171:192.168.47.171
Port/Proto Count: 200
Port/Proto Range: 6:60443
C:Snortbin>nmap 192.168.47.134
Starting Nmap 6.40 ( http://nmap.org ) at
2014-01-05 16:22 GMT Standard Time
Nmap scan report for 192.168.47.134
Host is up (0.000028s latency).
Not shown: 972 closed ports
PORT STATE SERVICE
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
...
5900/tcp open vnc
8099/tcp open unknown
MAC Address: 00:0C:29:0F:71:A3
(VMware)
Nmap done: 1 IP address (1 host up)
scanned in 1.78 seconds
C:snortbin> type 1.rules
preprocessor sfportscan:
proto { all }
scan_type { all }
sense_level { high }
logfile { portscan.log }
C:Snortbin>snort -W
Index Physical Address IP Address Device Name
Description
----- ---------------- ---------- ----------- -----------
1 00:0C:29:0F:71:A3 192.168.47.134 Device
NPF_{BEB6E6E9-8D1A-463E-
B650-4C388AEE925D} Intel(R) PRO/1000 MT Network Connection
C:Snortbin>snort -i 1 -c 1.rules -l log
14. Author: Prof Bill Buchanan
AdvancedNetwork
Forensics
Signature Detection
16. FileTypesAdvNetFor.
Author: Prof Bill Buchanan
Detecting File Types in Payloads
alert tcp any any -> any any (content:"GIF89a"; msg:"GIF";sid:10000)
alert tcp any any -> any any (content:"%PDF"; msg:"PDF";sid:10001)
alert tcp any any -> any any (content:"|89 50 4E 47|"; msg:"PNG";sid:10002)
alert tcp any any -> any any (content:"|50 4B 03 04|"; msg:"ZIP";sid:10003)
[**] [1:10001:0] PDF [**]
[Priority: 0]
01/05-20:08:06.177354 61.67.219.91:80 -> 192.168.47.171:2700
TCP TTL:128 TOS:0x0 ID:62294 IpLen:20 DgmLen:1238
***AP*** Seq: 0x6BFA2147 Ack: 0xC3534C66 Win: 0xFAF0 TcpLen: 20
17. Author: Prof Bill Buchanan
AdvancedNetwork
Forensics
Converted Formats
21. PCREAdvNetFor.
Author: Prof Bill Buchanan
PCRE for Credit Card Details
alert tcp any any <> any any (pcre:"/5d{3}(s|-)?d{4}(s|-)?d{4}(s|-)?d{4}/";
msg:"MasterCard number detected in clear
text";content:"number";nocase;sid:9000003;rev:1;)
alert tcp any any <> any any (pcre:"/3d{3}(s|-)?d{6}(s|-)?d{5}/";
msg:"American Express number detected in clear
text";content:"number";nocase;sid:9000004;rev:1;)
alert tcp any any <> any any (pcre:"/4d{3}(s|-)?d{4}(s|-)?d{4}(s|-)?d{4}/";
msg:"Visa number detected in clear
text";content:"number";nocase;sid:9000005;rev:1;)
[**] [1:9000005:1] Visa number detected in clear text [**]
[Priority: 0]
01/06-21:20:26.755456 192.168.47.171:1061 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:628 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xCA178C7B Ack: 0x91870925 Win: 0xFEF9 TcpLen: 20
[**] [1:9000003:1] MasterCard number detected in clear text [**]
[Priority: 0]
01/06-21:20:26.755456 192.168.47.171:1061 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:628 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xCA178C7B Ack: 0x91870925 Win: 0xFEF9 TcpLen: 20
smtp matches "5d{3}(s|-)?d{4}(s|-)?d{4}(s|-)?d{4}"
23. ARPSpoofingAdvNetFor.
Author: Prof Bill Buchanan
ARP Spoofing
Who has 192.168.47.1? Tell 192.168.47.171
192.168.47.171
192.168.47.1
192.168.47.x
192.168.47.1 is at 00:50:56:c0:00:08
192.168.47.1 is at 00:0c:29:1d:b3:b1
arp.opcodes==2
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.47.200 00:0C:29:0F:71:A3
25. DDoSAdvNetFor.
Author: Prof Bill Buchanan
[SYN][SYN][SYN]
192.168.47.171
192.168.47.1
alert tcp any any -> any 80 (msg:"DOS flood denial of
service attempt";flow:to_server;
detection_filter:track by_dst, count 60, seconds 60;
sid:25101; rev:1;)