JeffSoh on NetSec
Jeff Soh began blogging in 2007 and continues to share suggestions for the new intrusion analyst along with other miscellaneous information security news. Soh also offers book recommendations, product recommendations, and useful tips for information security professionals and everyday users.
4M ago
Filelight is a handy disk forensics tool, though as far as I know it wasn't designed to be one. In a CTF question I am looking in an AppData folder called Comms for evidence, and I wanted to see if the folders were all the same size ..read more
1y ago
Untitled
Byte 0 - Bits 0-3 - IP version
Byte 0 - Bits 4-7 - IP header Length
Byte 1 - Differentiated Services or TOS
Byte 2 & 3 - Total IP datagram length
Byte 4 & 5 - IP Identification Field
Byte 6 - Bit 0 - Reserved Bit
Byte 6 - Bit 1 - Don't Fragment bit
Byte 6 - Bit 2 - More Fragments bit
Byte 6 - Bit 3 - First bit of Fragment Offset Field
Byte 7 - Fragment Offset Field (with one bit from byte 6)
Byte 8 - Time To Live Field
Byte 9 - Embedded Protocol (TCP, UDP, ICMP, etc.)
Byte 10 & 11 - IP Header Checksum Bytes
Bytes 12-15 - Source IP Address Bytes
Bytes 16-19 - Destinat ..read more
1y ago
Threat Hunting in a nutshell: there is no Big Red Easy button. It is not something that can be automated. It needs analysts, trained analysts. It is not an automated process and not something ML can do, regardless of what vendor xyz tells you. It has some similarities to law enforcement. Sometimes discoveries come on a hunch: something just doesn't look "right" even though it doesn't trigger any alerts. It relies on institutional knowledge, experience, and lots of familiarity with both normal activity and malicious activity. IMO, it's the most exciting silo of network/information security because success will be based on training ..read more
2y ago
Wireshark is a nice tool for keeping your packet dissecting knowledge fresh and finding things you didn't know were there...you can play with the colorization settings and click through the fields in the packet dump and see which fields in the header and payloads they correspond to. Below I have the start of the IP header selected, which shows us the first nibble is the IP version field, and the other half of the first byte is the header length. Whatever is in the IHL, multiply it by five to get the bytes. So a 4 means the header is 20 bytes, the minimum length of an IP header, whic ..read more
2y ago
Nmap 101 Tutorial
Two common types of scans: the SYN scan and the full connect scan.
-sS - SYN scan. Sends a SYN packet; if it receives a SYN-ACK, it marks the port as open, then sends a reset and tears down the session. You must be root to run a SYN scan, as it manipulates the network stack to send the reset out of sequence.
-sT - Connect scan. Completes the full TCP/IP handshake. Any user can run a connect scan, as the network stack is not manipulated.
-v - Verbose mode. Can be repeated for increased verbosity and will update the status more often. If -v is not used, using ..read more
2y ago
Introduction
What are Berkeley Packet Filters? BPFs are a raw (protocol-independent) socket interface to the data link layer that allows filtering of packets in a very granular fashion [1].
BPFs were first introduced in 1990 by Steven McCanne of Lawrence Berkeley Laboratory, according to the FreeBSD man page on bpf [2].
Working with BPF
If you use tcpdump for very long, you encounter what are called “primitives”: filter expressions that tune your results so you only see certain traffic. Examples of primitives are “net”, “port”, and “host”, along with qualifiers to those such as “src” or “dst”.
With these ..read more
2y ago
Wild West Hackin' Fest - Deadwood: I so love this conference. It's so much like DerbyCon. There aren't any "I hacked a car/plane/drone/coffee maker" talks. There aren't 10,000 people there and it won't make the national news like BlackHat or Defcon, but what it will do is give you the information you can use in your day-to-day job. Things to actually make your network safer. Flash and glitter are great and lots of fun. Huge parties and massages courtesy of IoActive at the Oasis are cool too if that's what you like. Less interesting but much more relevant is information you can apply to y ..read more
3y ago
In computer science, speed is all. Everything we do, we want to do as fast as possible. Right? No. Consider slow hashing algorithms. Some hashes are intentionally computationally expensive. Why? Because attackers have multi-GPU dedicated password cracking machines that can try millions of variations per second. A hash that requires more computation power is much slower to crack because of the time it takes to try each variation. Sure, your user may have to wait for half a second longer for the authentication form to go away and his page to load, but his/her credentials are many times mor ..read more
3y ago
Ten to fifteen years ago, a company having FPC (full packet capture) was an indicator of the seriousness of the company's information security efforts. Having trained analysts that could use those packets to analyze alerts from NSM devices was an even better indicator.
Today, the network landscape has changed to the point of having little similarity to a decade ago. The workforce was already starting to go mobile before COVID, and the pandemic forced a large swath of workers home. Mobile devices used for work became common and the services in the cloud, prevalent.
We started ..read more