Extracting IP Addresses in Bash

One very handy function to have in your .bash_profile is a function to extract IP addresses.

ipextract function

I frequently use this function during investigations and though I should share it with everyone.

ipextract () { # example ipextract < filename egrep –only-matching -E ‘(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)’ } Example

I’ll demonstrate how to use the function

Source . . . → Read More: Extracting IP Addresses in Bash

Combine Multiple PCAP Files into a Single File


You have many smaller pcap files that you would like to combine in to a single file Solution mergecap -a* -w output_file.pcap

Source: https://www.wireshark.org/docs/man-pages/mergecap.html

How to Perform Bulk IP Lookup – Location and Owner

I recently analyzed a pcap file with a large list of destination addresses. In order to quickly determine the owner of those IP addresses I found this one liner.

# cat ips.txt | xargs -I% curl -s http://ipinfo.io/%/org | paste -d”,” ips.txt –

Source: https://ipinfo.io/developers/bulk-lookups

Please check out my Daughter’s Coding Site, CodewithMargo.com

My 7 year old launcher her coding site last year and I think it is a great resources for kids that want to learn how to program in Scratch Jr.


Extracting Password Hashes from Active Directory

Extracting hashes from Active Directory

To extract hashes from Active Directory you must first obtain a copy of the underlying Active Directory database; ntds.dit

For more information on the Data Store Architecture please refer to this Microsoft Technet article


You must be logged on to a domain controller.

Extracting the Database

To extract . . . → Read More: Extracting Password Hashes from Active Directory

Announcement – I was Recently Published in an Ebook

I am pleased to announced that I was recently published in an ebook, “10 Experts on Active Threat Management”


threatmanagement #ebooks

Use ngrep to capture syslog traffic

Instead of using wireshark on Linux to capture traffic try ngrep

# sudo ngrep -d <interface> ‘<search string>’ ‘port 514’

source: http://ngrep.sourceforge.net/usage.html

Export flow logs to an Amazon S3 Bucket

I found the instructions on Amazon’s website to be useless.

This is what worked for me

Define some variables bucket=my-bucket region=us-east-1 log-group-name=primary-nat prefix=my-prefix taskname=my-task start-epoch=1516255200000 end-epoch=1516860000000 Create the bucket aws s3 mb s3://$bucket –region $region Create the Policy cat <<‘EOF’ > ./policy.json { “Version”: “2012-10-17”, “Statement”: [ { “Action”: “s3:GetBucketAcl”, “Effect”: “Allow”, “Resource”: “arn:aws:s3:::replace-bucket”, “Principal”: . . . → Read More: Export flow logs to an Amazon S3 Bucket

How to Install nginx and PHP on CentOS7

Install nginx and PHP on CentOS7

These are some notes from installing nginx on CentOS7

Install some prerequisites sudo yum -y groupinstall “Development tools” sudo yum -y install mlocate sudo yum -y install iptables-services sudo yum -y install php-mysql php-dom sudo yum -y install wget sudo service php-fpm restart Install GeoIP cd /tmp wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz . . . → Read More: How to Install nginx and PHP on CentOS7

iis disable debug

In IIS to disable debug do the following.

Modify the Web.config File Open the Web.config file in a text editor such as Notepad.exe. Web.config file is typically located in the application directory.

Modify the compilation element and set debug=”false”

<compilation debug=”false” />

Save the Web.config file. The ASP.NET application automatically restarts.

Modify the Machine.config file . . . → Read More: iis disable debug