Table of Contents
SANS 2008
Audit 521 (Day 1 & 2)
Randy's cell phone 250-7618
jungledisk.com cheap storage.
ips – intrusion protection system
metasploit – pen testing tool.
tripwire
514 (Day 3)
iftop, ntop, dnstop
honeywall – installed on a box with 3 interfaces can work as a tap.
block outbound 80,443 on web servers
531 Windows Command-Line Kung Fu In-Depth (Day 4)
powershell available for windows, but that is not what we are covering today.
pwd:
cd
command prompt location
c:\windows\system32\cmd.exe
with colors:
start /t:0a
Windows File protection
wfp
service control query
sc query
command line registry editor
reg
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
network configuration
netsh
starting Control Panel applets (.cpl files)
http://www.vlaurie.com/computers2/Articles/control.htm
netsh firewall set opmode disable
Security 601 Reverse-Engineering Malware (Day 5 & 6)
Behavioral analysis
- controlled VMware “laboratory”
- System monitor tools
- Process monitor
- Process explorer
- snort
snort -vd | tee /tmp/sniff.log
Code Analysis
- disassembler
- IDA Pro -freeware version
- debugger
- OllyDbg free
- f7 step into
- f8 step over (skips over calls)
- f2 breakpoint
- Ctrl-f9 runs
- Ctrl-N to list symbolic names
- eax holds a function's return value (for strings, a pointer to the value)
products to revert a system
CoreRestore hardware board $150
Rebuild PE headers
ImpREC
---- common passwords: infected, virus, malware
---- Windows diff command: fc. This works on binaries!
----
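Added example, not from the course notes: an fc /b-style byte comparison written for this page in Node.js. It reports each differing offset with both byte values and, like fc /b, notes when one input is longer than the other (the sample "baseline" and "modified" buffers are constructed, not real files).

```javascript
// Compare two byte sequences the way "fc /b" does: every differing offset with
// both byte values, plus a length note when one input is longer than the other.
function binaryDiff(left, right) {
  const diffs = [];
  const common = Math.min(left.length, right.length);
  for (let offset = 0; offset < common; offset++) {
    if (left[offset] !== right[offset]) {
      diffs.push({ offset, left: left[offset], right: right[offset] });
    }
  }
  // Positive: left is longer; negative: right is longer; zero: same length.
  return { diffs, lengthDelta: left.length - right.length };
}

// Render the result in fc /b's style: offset and both bytes in upper-case hex.
function formatDiff(result) {
  const hex = (n, width) => n.toString(16).toUpperCase().padStart(width, '0');
  const lines = result.diffs.map(
    (d) => `${hex(d.offset, 8)}: ${hex(d.left, 2)} ${hex(d.right, 2)}`
  );
  if (result.lengthDelta > 0) lines.push('FC: left is longer than right');
  if (result.lengthDelta < 0) lines.push('FC: right is longer than left');
  if (lines.length === 0) lines.push('FC: no differences encountered');
  return lines;
}

// Constructed sample inputs (not real files): a 16-byte "baseline" and a copy
// with two bytes patched (offsets 2 and 13) and one extra trailing byte.
const BASELINE = Buffer.from('4D5A90000300000004000000FFFF0000', 'hex');
const MODIFIED = Buffer.concat([Buffer.from(BASELINE), Buffer.from([0x90])]);
MODIFIED[2] = 0xeb;
MODIFIED[13] = 0x00;

const result = binaryDiff(BASELINE, MODIFIED);
formatDiff(result).forEach((line) => console.log(line));
// 00000002: 90 EB
// 0000000D: FF 00
// FC: right is longer than left
```

Feed it two Buffers read with fs.readFileSync to compare a suspect binary against a known-good copy; the offsets map straight onto the hex editor or disassembler view.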
Analyzing Malicious Sites
Use a text based browser
wget lynx
wget "http://malicious.com/" --user-agent="Mozilla/4.0…" (see course page 4-29) lets you pose as another browser.
JavaScript decoder for scripts encoded with the Microsoft encoder tool (JScript.Encode); not used much since it is not compatible with other browsers.
c:\>scrdec14.exe installer.htm decoded.htm
Custom obfuscation techniques are now used instead.
Print the script text to the page; don't execute it.
firebug for firefox
don't execute scripts
noscript
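Added example, not from the course notes: the "print the script text, don't execute it" idea written for this page as a Node.js analysis helper. It runs a suspect loader with its execution sinks (eval, document.write, string-argument setTimeout) replaced by recorders, so the decoded text surfaces for reading instead of running. The sample loader, its shift-by-3 encoding and the captureScript name are all constructed for the example.

```javascript
// Run a suspect loader with its execution sinks shadowed by recorders, so the
// decoded script text is captured for analysis instead of being executed.
function captureScript(source) {
  const captured = [];  // everything the loader tried to execute or write
  const record = (sink) => (text) => { captured.push({ sink, text: String(text) }); };

  const fakeEval = record('eval');
  const fakeDocument = { write: record('document.write'), writeln: record('document.writeln') };
  // setTimeout("code", ms) is another execution sink; function callbacks are dropped.
  const fakeSetTimeout = (fn) => { if (typeof fn === 'string') record('setTimeout')(fn); };
  const fakeWindow = { eval: fakeEval, document: fakeDocument, setTimeout: fakeSetTimeout };

  try {
    // A Function body is sloppy-mode, so a parameter may shadow the name "eval";
    // eval(...) calls inside the loader then reach the recorder, not the real eval.
    const runner = new Function('eval', 'document', 'window', 'setTimeout', source);
    runner(fakeEval, fakeDocument, fakeWindow, fakeSetTimeout);
  } catch (err) {
    // Loaders often probe browser-only objects; report that instead of crashing.
    captured.push({ sink: 'error', text: err.message });
  }
  return captured;
}

// Constructed sample loader: the payload text is stored with every character
// code shifted up by 3, decoded at run time, then handed to eval and document.write.
const PAYLOAD = 'alert("payload")';  // harmless stand-in for the decoded script
const ENCODED = Array.from(PAYLOAD, (c) => c.charCodeAt(0) + 3);
const SAMPLE_LOADER = [
  `var e = [${ENCODED.join(',')}];`,
  'var s = "";',
  'for (var i = 0; i < e.length; i++) { s += String.fromCharCode(e[i] - 3); }',
  'eval(s);',
  'document.write("<script>" + s + "</script>");',
].join('\n');

for (const hit of captureScript(SAMPLE_LOADER)) {
  console.log(`[${hit.sink}] ${hit.text}`);
}
// [eval] alert("payload")
// [document.write] <script>alert("payload")</script>
```

Each recorded entry is the plain text the loader would have executed; a second layer of obfuscation shows up as another encoded blob in the output, which you feed back into captureScript until readable script remains.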
ARUBA Networks
Airpwn, Karma, Metasploit, Kismet, newcore
WiFiDEnum – wireless driver vulnerability assessment