DIY IP Threat Feed

A threat feed is a collection of actionable information about threats that allows for mitigating harmful events. This blog post is concerned with developing an IP based threat feed or blacklist. We will look at how to gather, aggregate, enrich, and extract threat data for consumption. Gathering the threat data I have several servers in … Read more

Deploying Splunk Universal Forwarders via GPO

When you want to get security event data from your Windows endpoints, there exists a myriad of ways to achieve that objective. Here I am going to outline how to deploy the Splunk Universal Forwarder (UF) using a Group Policy Object (GPO). From there, you can configure the agents using a deployment server to ship the logs … Read more

A Tale of an MSBuild In-Line Task

I analyzed a suspicious file found during an Incident Response (IR) that turned out to be an in-line MSBuild task. The file had a byte array with an extremely long sequence of bytes. My first thought was that it was a binary of some sort. I extracted the bytes and wrote a few lines of C … Read more

Stack Smashing at Home

There are various wargaming sites such as SmashTheStack, OverTheWire, and IO Wargame that provide a platform for users to legally exploit real world software vulnerabilities. Source code is provided with a few of the challenges, which you can copy to a local research machine instead of working remotely. Keep in mind that the sites hosting … Read more

Ansible User Account Provisioning

Whenever I stand up a new Linux machine, I always find myself doing the same four things:  Creating my main user account  Creating an ansible user account  Configuring sudoers  Copying over SSH Public Keys. Definitely, not something that evokes fun. I have tried various automation tools, but ansible has found a very special place in … Read more

Replacing the Default Splunk Web SSL Certificate

This post  goes over how to sign a SplunkWeb Certificate Signing Request (CSR) using my Root CA in pfSense. I do not cover creating the Root CA. Step 1: Create the directory for the certificates splunk@siem:~$ mkdir /opt/splunk/etc/auth/certs Step 2: Generate the private key and temporary password splunk@siem:~$ cd /opt/splunk/etc/auth/certs splunk@siem:~$ splunk cmd openssl genrsa … Read more

Working with Raw LVM Disk Images

Mounting disk images on Linux is fairly straight forward, however an image with a Logical Volume Manager (LVM) partition requires a little more attention. The first thing I do is find out some information about the image(s): root@box:# fdisk -l -o Device,Type,Size disk.img Device Type Size disk.img1 Linux 1G disk.img2 Linux LVM 952.9G -l lists … Read more

Slackware LVM over LUKS

This is mostly a post to document my process of setting up Full Disk Encryption (FDE) using the Linux Unified Key Setup (LUKS) and the Logical Volume Manager (LVM). Most major distributions already enable this process at installation, however Slackware does not and it must be done by hand. I am going to use an … Read more

Using NetworkManager with DNSMasq and Slackware

dnsmasq on Slackware 14.2 is compiled without D-Bus. lab$ dnsmasq -v | grep options Compile time options: IPv6 GNU-getopt no-DBus i18n no-IDN DHCP DHCPv6 <snip> … The logs show NetworkManager trying to start dnsmasq, but failing: dnsmasq[4466]: DBus not available: set HAVE_DBUS in src/config.h dnsmasq[4466]: FAILED to start up NetworkManager[3101]: <warn> dnsmasq exited with error: … Read more

Migrating and Upgrading Apache Guacamole to Docker

UPDATED: I have created an all-in-one (AIO) version that includes nginx using TLS. Apache Guacamole is a client-less remote desktop gateway. I use it in order to access my lab when traditional methods are not available. Guacamole does not use agents or fancy plugins, you only need an HTML5 supported browser and you can access … Read more