Security API collection

While working on different projects I was searching for a collection of APIs that are related to or useful for security researchers, incident responders or threat intel people.

Unable to find a good list of REST APIs, I decided to start one. The collection is hosted on a Security API list, and pull requests or issues mentioning missing APIs are highly welcome.

Why did I produce such a list? More and more people want to automate their workflows. Security Orchestration is the new buzzword after last year's Threat Intelligence, but it is basically the same thing: both aim to make use of already available data, with Orchestration not storing that much data itself but enriching the dots collected.

The challenge, however, is what to integrate: everyone has their „go to“ tools they use on a daily basis, risking missing some golden nuggets that are handy.

The list is divided (at the moment) into tools that are mostly on-prem, online tools, SIEMs and various. With an increasing number of APIs that ordering might of course change.

So I really hope the list is useful, that people can use it and that it can grow.

9Tageticket again a success

One day to go until the Backfischfest in Worms starts, and we can say the 9TageTicket is again a big success this year. With more than 650 tickets pre-ordered, we are at almost the same level as last year, showing that there is constant interest in the free tickets that show other visitors the commitment to the Backfischfest.

For the first time we will have flyers for the showmen explaining the idea behind the 9TageTicket.

Ahoi

Zorrocarry DIY luggage rack

Introduction

Bike tour planned and still undecided how to carry the luggage? Anyone who looks into the subject a bit, especially bike-touring adventures on an MTB, will sooner or later come across the reports by Alpenzorro aka Stuntzi aka Stefan Stuntz. He reports live in the MTB Forum from his adventures, which have already taken him around the entire globe.

Sooner or later the question about the equipment that makes these trips possible for him comes up again and again. A particular focus is regularly on what he jokingly christened the „ZorroCarry“. In its newest evolutionary stage it is also called „Goldicarry“.

I have taken the trouble to research posts on the topic and to collect pictures etc. in order to make it easier for the interested reader to rebuild the ZorroCarry and possibly even improve it.

The following information is based entirely on Stuntzi's work; the photos too are (unless stated otherwise) his intellectual property, he merely agreed to my using them in this blog post. If you want to do the originator of the Alpenzorro a favour: he regularly collects for his bike tours via PayPal.


MISP Issues with certificates

Recently I came across some MISP issues with certificates on remote servers. Even if "Test connection" is okay, trying to push or pull events does nothing, and the logs will not tell you anything either. If you run tcpdump to debug and look at the capture in Wireshark, you will see something like the screenshot.

Before adding it to the MISP documentation, here is a brain dump of what I did:

Scenario:
Server 1 – running MISP
Server 2 – running MISP

Server 1 wants to push events to Server 2

Server 2 has a TLS/SSL certificate signed by an internal CA. Because CakePHP does not respect the OS CA store, the CA chain needs to be configured manually.

Looking up the certificate with full chain in Firefox will not reveal the full certificate chain, because it does not show the root CA.

What you need to do is create a new text file, add all public certificates (including the root CA's certificate) to that file and save it as a .pem file.
This .pem file then needs to be added as the certificate in the MISP server config.

On Gitter we had a discussion why it is not okay to simply tick the „self signed“ box. Certificates that are signed by a CA (and not self-signed locally) carry several indications of such signatures, e.g. in the keytool output:

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
...

and

ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

Useful:

keytool -printcert -file certificate.pem

And:

openssl s_client -showcerts -connect server2:443

OSX disk media is not present

Trying to mount an ext2/ext3/ext4 device using external (third-party) drivers on OSX might bring up the following error:

disk media is not present

in the output of:
sudo dmesg

A virtual machine helped to fix that.

Attach the external drive via USB and create a filter for that USB device to forward it to the Ubuntu-based VM.

Run
fdisk -l

to find the right device, e.g. /dev/sdd.

Now run fsck (fsck.ext3 for ext3 only):

fsck -y /dev/sdd

-y means answer every question with yes.

For a 2 TB HDD that might take up to several hours, but after it has finished you can try to mount the drive again.

eSATA Drive in QNAP

If you want to use an eSATA drive in a QNAP device without plug and play, read the following.

Attach the drive to the eSATA port.
ssh admin@yourip
# dmesg

Check for:

[11936.459226] ata5: SATA link up 1.5 Gbps (SStatus 113 SControl F310)
[11936.499252] ata5.00: ATA-8: WDC …., 04.05G09, max UDMA/133
[11936.499295] ata5.00: 3907029168 sectors, multi 0: LBA48 NCQ (depth 31/32)
[11936.539268] ata5.00: configured for UDMA/133
[11936.539323] ata5: EH complete
[11936.539646] scsi 4:0:0:0: Direct-Access WDC WD…. 04.0 PQ: 0 ANSI: 5
[11936.549494] Check proc_name[sata_mv].
[11936.559626] sd 4:0:0:0: [sdza] 3907…. 512-byte logical blocks: (2.00 TB/1.81 TiB)
[11936.559899] sd 4:0:0:0: [sdza] Write Protect is off

The important part is the device name: sdza

Format the drive:

mke2fs -t ext3 /dev/sdza

Mount the device:

mount /dev/sdza1 esata/

(Note that mke2fs on /dev/sdza writes the filesystem to the whole disk; if you did not create a partition first, there is no /dev/sdza1 and you mount /dev/sdza instead.)

Be happy

Convert vmdk to raw / dd

Found a vmdk file / image of a virtual server and want to investigate it? Most forensic tools work with image files (such as dd output or raw), and a small tool can help you convert it:

Install qemu (on Debian/Ubuntu the qemu-img tool ships in the qemu-utils package):

apt-get install qemu

qemu-img convert -p -O raw source.vmdk destination.raw

The -p flag prints the progress, starting with (0.00/100%).