JCSC Incident Response - Brisbane CTF

Introduction

I was fortunate enough to attend a JCSC Incident Response training session today in Brisbane. Even more fortunate since Yaleman allowed me to join his team. The incident response scenario was that of responding to an incident for the Wind in case of no daylight (WIND) corporation, where an information security incident appears to have occurred and a wind turbine has stopped operating.

We were provided some artefacts to perform analysis on and submit responses to get points for the CTF. I had never used Volatility, so the exercise provided an excellent opportunity to learn to use it.


Cross compile libpcap for Arm

This has been tested on Ubuntu 16.04.1 Desktop (64-bit), and assumes that arm-linux-gnueabi-gcc has already been installed, e.g. sudo apt-get install -y gcc-arm-linux-gnueabi

  1. Download the latest libpcap source tarball from [http://www.tcpdump.org/#latest-releases], e.g. libpcap-1.8.1.tar.gz
  2. tar zxvf libpcap-1.8.1.tar.gz
  3. sudo apt-get install -y flex bison byacc
  4. export CC=arm-linux-gnueabi-gcc
  5. ./configure --host=arm-linux --with-pcap=linux
  6. make

Once the library has been compiled, it may be linked into other code by pointing gcc at its location with the -L flag and naming it with -l, e.g. -L/home/nkush/development/libpcap-1.8.1 -lpcap. The program being linked must itself be built with the same cross compiler, otherwise the linker will reject the ARM objects in the archive.
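The steps above as one script, added here as an example rather than taken from the original post. It assumes the release URL layout on tcpdump.org (and that a detached .sig is published beside the tarball), the arm-linux-gnueabi triplet, and a working directory under $HOME/development; all three are overridable through environment variables. Beyond the listed steps it checks the toolchain is present first and, after make, inspects the resulting archive to confirm it really contains ARM objects rather than host ones.

```shell
#!/usr/bin/env bash
# Added example (not the original post's script): cross-compile libpcap for
# ARM on an Ubuntu host. Assumed: release URL layout on tcpdump.org, the
# gnueabi triplet and the working directory; adjust as needed.
set -euo pipefail

PCAP_VERSION="${PCAP_VERSION:-1.8.1}"
TRIPLET="${TRIPLET:-arm-linux-gnueabi}"   # soft-float; use arm-linux-gnueabihf for hard-float targets
WORKDIR="${WORKDIR:-$HOME/development}"

# The configure flags from the post, for a given target triplet.
configure_args() {
  printf -- '--host=%s --with-pcap=linux' "$1"
}

# Name of the cross compiler for a triplet, e.g. arm-linux-gnueabi-gcc.
cross_cc() {
  printf '%s-gcc' "$1"
}

# Fail early if the cross toolchain or the parser generators are missing.
check_prereqs() {
  local tool
  for tool in "$(cross_cc "$TRIPLET")" flex bison; do
    command -v "$tool" >/dev/null 2>&1 || {
      echo "missing: $tool (sudo apt-get install -y gcc-${TRIPLET} flex bison byacc)" >&2
      return 1
    }
  done
}

build_libpcap() {
  local tarball="libpcap-${PCAP_VERSION}.tar.gz"
  local url="https://www.tcpdump.org/release/${tarball}"   # assumed release URL layout
  mkdir -p "$WORKDIR" && cd "$WORKDIR"
  [ -f "$tarball" ] || curl -fsSLO "$url"
  # If a detached signature is published next to the tarball, verify it before
  # building. This needs the tcpdump.org signing key imported into gpg; with
  # the key absent gpg fails and, under set -e, so does the build (fail closed).
  if curl -fsSLO "${url}.sig"; then
    gpg --verify "${tarball}.sig" "$tarball"
  fi
  tar zxf "$tarball"
  cd "libpcap-${PCAP_VERSION}"
  # Word splitting of the unquoted substitution is intended here.
  CC="$(cross_cc "$TRIPLET")" ./configure $(configure_args "$TRIPLET")
  make -j"$(nproc)"
  # Confirm the archive holds ARM objects, not host x86-64 ones: the Machine
  # field of the first member's ELF header should read ARM.
  "${TRIPLET}-readelf" -h libpcap.a | grep -m1 'Machine:'
}

# Only build when invoked as "./cross-libpcap.sh build"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "build" ]; then
  check_prereqs
  build_libpcap
fi
```

Run it as `./cross-libpcap.sh build`; the last line of output should contain `Machine: ARM`. If it says something else, CC was not picked up by configure and the build is a native one that will not link into the ARM program.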


PCAP or it didn't happen

“PCAP or it didn’t happen” is a good network security philosophy. The primary idea is to capture network traffic so that it is available for analysis when something does happen. In a non-corporate environment where a CentOS-based Linux host has been used as a dual-homed firewall (refer to the lame ASCII art network diagram below), tcpdump was used for continuous traffic capture.

  _( )______     ________     +-----+     _( )__
 ( Internet )---/ Router \----| F/W |----( DMZ  )
(____________)  \________/    +-----+   (________)

Firstly, we create a location to save the pcap files. Next, since contemporary versions of tcpdump are built with the -Z switch, which causes tcpdump to drop privileges to a less privileged account (the tcpdump user, in the case of this particular version of CentOS) once the capture interface has been opened, we change the ownership of that location to the tcpdump user and group and set its permissions so that user and group have full read and write access. Without this step tcpdump opens the interface as root, drops to the tcpdump user, and then fails to create the output file.
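The preparation step and the capture command together, added here as an example and not the post's own commands. The directory /var/pcap, the account name tcpdump, and the DMZ-side interface eth1 are assumptions (overridable through environment variables). It goes one step further than the text: before starting the capture it checks, as the unprivileged account, that the directory is actually writable, which is exactly the failure -Z otherwise produces at the first file rotation.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): prepare a capture directory the
# account tcpdump drops to with -Z can write into, and build a continuous
# capture command with hourly rotation. Paths, account and interface are assumed.
set -euo pipefail

CAP_DIR="${CAP_DIR:-/var/pcap}"
CAP_USER="${CAP_USER:-tcpdump}"    # account tcpdump drops to after opening the interface
CAP_GROUP="${CAP_GROUP:-tcpdump}"
CAP_IFACE="${CAP_IFACE:-eth1}"     # DMZ-facing side of the dual-homed firewall

# Create the directory and hand it to the capture account. Mode 770 gives the
# tcpdump user and group full access and keeps other local users away from the
# packet data; write is needed because, after -Z, it is the unprivileged user
# that creates every output file.
prepare_capture_dir() {
  local dir="$1" owner="$2" group="$3"
  mkdir -p "$dir"
  chown "$owner:$group" "$dir"
  chmod 770 "$dir"
}

# Command line for continuous capture.
#  -Z  drop privileges as soon as the interface is open, before any file is written
#  -n  no reverse DNS lookups, which would leak a trickle of queries from the firewall
#  -s 0 capture whole packets; -G 3600 rotate hourly into a strftime-named file
capture_cmd() {
  local dir="$1" owner="$2" iface="$3"
  printf 'tcpdump -i %s -Z %s -n -s 0 -G 3600 -w %s/%s-%%Y%%m%%d-%%H%%M%%S.pcap' \
    "$iface" "$owner" "$dir" "$iface"
}

# Only act when invoked as "./capture.sh run" (as root); sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
  prepare_capture_dir "$CAP_DIR" "$CAP_USER" "$CAP_GROUP"
  # Check as the unprivileged account, not as root, since root can write anywhere.
  sudo -u "$CAP_USER" test -w "$CAP_DIR" || {
    echo "$CAP_USER cannot write to $CAP_DIR; check ownership and mode" >&2
    exit 1
  }
  exec $(capture_cmd "$CAP_DIR" "$CAP_USER" "$CAP_IFACE")
fi
```

Rotation with -G keeps each file to an hour of traffic, which makes later analysis of a specific window cheap; pair it with a cron job that prunes or compresses old files, since tcpdump itself never deletes anything and a firewall with a full disk stops being a firewall.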
