Analysis with Wireshark
TShark VS. Wireshark (Terminal vs. GUI) TShark is a purpose-built terminal tool based on Wireshark. TShark shares many of the same features that are included in Wireshark and even shares…
Posted in Cheat Sheets, IDENTIFY, DETECT
TCPDump
Locate tcpdump: which tcpdump. Install TCPdump: sudo apt install tcpdump. Tcpdump Version Validation: sudo tcpdump --version. TCPDump will resolve IPs to hostnames by default. Traffic Captures with Tcpdump: Basic Capture…
Posted in Elastic SIEM, DETECT
Elastic SIEM: Developing Dashboards & Visualization
Use case 1: Failed Logon Attempts (Disabled Users) - https://youtu.be/7Uyqek-FdwI. Use case 2: Failed Logon Attempts (using Admin Accounts) - https://youtu.be/UGRmsoqk0EM. Use case 3: Successful RDP Logon Related To Service Accounts - https://youtu.be/eRjA6TpEryk…
Posted in BLUE TEAM, DETECT, Elastic SIEM
SIEM Use cases
How To Build SIEM Use Cases: Understand your needs and risks, and establish alerts for monitoring all necessary systems accordingly. Determine the priority and impact, then map the alert to the…
Posted in Traffic Analysis
Traffic Analysis Essentials
There are two main techniques used in Traffic Analysis: Flow Analysis and Packet Analysis. Flow Analysis: collecting data/evidence from the networking devices. This type of analysis aims to provide statistical results through the data summary…
Posted in Brute Force Attacks
Login Brute Forcing
Where to find the passwords/hashes - Windows: unattend.xml, sysprep.inf, SAM; Linux: shadow, shadow.bak, password. Types of Password Attacks: Dictionary attack, Brute force, Traffic interception, Man In the Middle, Key Logging, Social engineering
Posted in Attacking Active Directory
Understanding Kerberos Authentication
Kerberos Authentication References: https://www.youtube.com/watch?v=snGeZlDQL2Q and https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/b4af186e-b2ff-43f9-b18e-eedb366abf13. krbtgt account → KDC Service Account. Ticket Details: Authorization Data is a Microsoft addition to Kerberos; it can be manipulated to modify group membership, etc., and launch attacks. Domain…
Posted in Enumeration, Attacking Active Directory
PowerView Cheat Sheet
Up-to-date version of PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1. New function naming schema - Verbs: Get: retrieve full raw data sets; Find: 'find' specific data entries in a data set; Add: add…
Posted in Attacking Active Directory
Attacking Kerberos
Kerberos: Kerberos is the default authentication service for Microsoft Windows domains. It is intended to be more "secure" than NTLM by using third-party ticket authorization as well as stronger…