Graylog Query by IP Address with Wildcard/CIDR

If you are searching Graylog logs that are not properly indexed (the IP address is not in its own field), you may need to perform a text search for one or more IP addresses.

IP Address Queries

The following queries are examples of how to query Graylog for one or more IP addresses (not using a . . .

Compare two Files and Print Lines that Match

The proper way to compare two files and print lines that match:

awk 'NR==FNR{arr[$0];next} $0 in arr' file1.txt file2.txt

Here is a shell script you can run:

#!/bin/bash
# Filename: showdupes.sh
# source: http://brakertech.com/compare-two-files-and-print-lines-that-match/
# this file takes two text files as input
# sorts them and outputs lines from
# file 2 that match . . .
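As an added example (not the page's own showdupes.sh), here is a complete script built around the same awk idiom. The function name lines_in_both and the sample block list / observed-IP files are assumptions made for the demonstration; the sample data is constructed. It goes one step beyond the one-liner by trimming trailing whitespace and carriage returns so a file saved on Windows still matches.

```bash
#!/bin/bash
# Added example, not the original showdupes.sh from brakertech.com.
# Prints the lines of FILE2 that also appear in FILE1.
set -eu

# lines_in_both FILE1 FILE2
# NR==FNR is only true while awk is reading the first file, so every line of
# FILE1 is stored as a key in the array "seen" and skipped with "next".
# Once awk moves on to FILE2, NR != FNR and each line is printed only if it
# is a key in "seen". The first rule strips trailing whitespace and CR so
# DOS line endings or padding do not defeat the exact-line comparison.
# sort -u makes the output a sorted, deduplicated set.
lines_in_both() {
    awk '{ sub(/[[:space:]]+$/, "") }
         NR==FNR { seen[$0]; next }
         $0 in seen' "$1" "$2" | sort -u
}

# demo: constructed sample data (hypothetical block list and observed IPs).
demo() {
    local tmp
    tmp=$(mktemp -d)
    printf '%s\n' 10.0.0.5 192.168.1.20 203.0.113.9 > "$tmp/blocklist.txt"
    printf '203.0.113.9\r\n10.0.0.7\n10.0.0.5   \n203.0.113.9\n' > "$tmp/observed.txt"
    lines_in_both "$tmp/blocklist.txt" "$tmp/observed.txt"
    rm -rf "$tmp"
}
```

Running demo prints 10.0.0.5 and 203.0.113.9: the CRLF line and the padded line both still match, and the duplicate 203.0.113.9 is collapsed. Because awk holds FILE1 in memory, put the smaller list first when one of the files is large.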

Manually Install Kali Linux 2018.4 x64 with VM Fusion 10

Problem

Kali Linux 2018.4 x64 fails to install manually when using VMware Fusion 10.1.5 (the installer hangs during the "copying data to disk" portion of the install).

Solution

1. Create a new Custom VM
2. Select the ISO you downloaded
3. When prompted for the OS of the ISO, select "Debian 8.x 64 bit"
4. Name the VM 'kali-linux-2018.4-vm-amd64' (not required)
5. Set the . . .

Extracting IP Addresses in Bash

One very handy function to have in your .bash_profile is one that extracts IP addresses from arbitrary text.

ipextract function

I frequently use this function during investigations and thought I should share it with everyone.

ipextract () {
    # example: ipextract < filename
    # -o prints only the matching part of each line; -E enables extended regex.
    # Each octet is limited to 0-255 so strings like 999.1.1.1 are not matched.
    grep -o -E '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
}

Example

I’ll demonstrate how to use the function

Source . . .

Combine Multiple PCAP Files into a Single File

Problem

You have many smaller pcap files that you would like to combine into a single file:

10.0.0.10_1.pcap
10.0.0.10_2.pcap
10.0.0.10_3.pcap
10.0.0.10_4.pcap
10.0.0.10_5.pcap

Solution

mergecap -a 10.0.0.10* -w output_file.pcap

The -a flag concatenates the inputs in argument order (here, the shell's glob order) and ignores packet timestamps; drop it if you want mergecap to interleave the packets chronologically instead.

Source: https://www.wireshark.org/docs/man-pages/mergecap.html

How to Perform Bulk IP Lookup – Location and Owner

I recently analyzed a pcap file with a large list of destination addresses. In order to quickly determine the owner of those IP addresses I found this one-liner.

# cat ips.txt | xargs -I% curl -s http://ipinfo.io/%/org | paste -d"," ips.txt -

Source: https://ipinfo.io/developers/bulk-lookups

Please check out my Daughter’s Coding Site, CodewithMargo.com

My 7-year-old launched her coding site last year and I think it is a great resource for kids that want to learn how to program in Scratch Jr.

http://codewithmargo.com

Extracting Password Hashes from Active Directory

Extracting hashes from Active Directory

To extract hashes from Active Directory you must first obtain a copy of the underlying Active Directory database, ntds.dit.

For more information on the Data Store Architecture please refer to this Microsoft TechNet article.

Prerequisites

You must be logged on to a domain controller.

Extracting the Database

To extract . . .

Announcement – I was Recently Published in an Ebook

I am pleased to announce that I was recently published in an ebook, "10 Experts on Active Threat Management".

https://www.countertack.com/ebook-experts-on-active-threat-management

#threatmanagement #ebooks

Use ngrep to capture syslog traffic

Instead of using Wireshark on Linux to capture traffic, try ngrep. The first quoted argument is the pattern to match in the packet payload and the second is a BPF filter, so the command below only inspects traffic on the syslog port:

# sudo ngrep -d <interface> '<search string>' 'port 514'

source: http://ngrep.sourceforge.net/usage.html