NETMUX

Operator Notes

Wed, 04 Jan 2023 19:40:07 -0800

Welcome to Operator Notes: the periodic newsletter that delivers the latest techniques, tools, detections, and resources for the cybersecurity operator distilled into copyable cheat sheets.

👇 Subscribe to Operator Notes newsletter and updates 👇

RED

Nuclei by Project Discovery

Nuclei is a tool that allows users to send requests to targets based on a template, in order to perform fast scans on a large number of hosts. It supports a range of protocols, including TCP, DNS, HTTP, SSL, and Whois, as well as specialized protocols like Websockets and Headless. Its templating system allows it to be used for a wide variety of security checks, and it is designed to produce zero false positives.

INSTALL

#git clone https://github.com/projectdiscovery/nuclei.git

#brew install nuclei

#git clone https://github.com/projectdiscovery/nuclei-templates.git

#git clone https://github.com/projectdiscovery/uncover

#git clone https://github.com/projectdiscovery/httpx

#git clone https://github.com/projectdiscovery/subfinder

>Scan single target

#nuclei -u https://netmux.com

>Scanning multiple targets contained with a URL text file

#nuclei -l urls.txt

>Cat out targets list from file into nuclei and use the templates in...Read More

Beacon and the Recipe Bamboozle

Sun, 05 Jun 2022 19:14:37 -0700

TL;DR

Beacon and the Recipe Bamboozle: Available on Amazon now :)
Beacon (unicorn) and Bot (sidekick) are good hackers. When someone steals a secret cupcake recipe from their favorite bakery, the duo decides to help the baker get the recipe back.
All launch proceeds going to charity to support Rural Tech Fund (@RuralTechFund & WWW)

Why a kid's book?

I have two little girls (maybe one-day future digital warriors;) and I read A LOT of books to them. I was searching for fun picture books that could lightly introduce them to cybersecurity topics and thinking about the digital world they will inherit. I also personally wanted them to relate to Daddy's job in cybersecurity. As my 4 year old described my job to someone recently, "He types on a computer and eats snacks all day." The thought of sitting with them reading a fun cybersecurity caper before bed, then looking at me affirming that is Daddy's job, had me hooked.

**Actual imitation by my daughter of me working :)

I scoured Amazon and the local bookstores for weeks, and honestly could not find any that touched on current topics, such as daily E-Crime & APT readings. Cybersecurity can be a pretty dull...Read More

OPERATOR HANDBOOK

Thu, 19 Mar 2020 18:05:35 -0700

TL;DR

+ Red Team, OSINT, Blue Team Reference most common tools & techniques.

+ 100+ Cheat Sheets & References ranging all three disciplines.

+ All launch proceeds go directly to charity.

+ References are in A-Z alphabetical order for ease of use/recall.

+ Operator = Red Team, OSINT, & Blue Team practitioners.

+ Available on Amazon Paperback

Intro

The Operator Handbook has been an ongoing project for me for over two years of nights and weekends when I get 3 hours to myself from 9pm - 12am. It came about because I saw the age some manuals had begun to show, the lack of coverage for macOS, and folks are still carrying various other manuals. Additionally, the burgeoning discipline of OSINT became critical to everyday workflow and various curiosities.

Why should the three disciplines (Red Team, OSINT, Blue Team) always be divided? As team members we are pushed further to explore and apply more skills to perform our jobs with increased lethality. This "Operator" culture should mean a well-rounded team member, no matter the "Team" you represent. We are ALL Operators. Blue should see and understand Red tactics, Red should foster the collaborative nature with Blue, and OSINT should continually work to peel back identities of evil doers spread across the digital landscape. This is a big reason the book is Yellow. I didn't want this book to look like "Oh it's only for Red/Blue Team because it has a red/blue logo with black background". Knowing this is a field where we should all share in success and lessons learned without the artificial separation. Black & Yellow is that perfect neutral between all the sides.

What's Inside?

In the...Read More

GreyNoise Cheat Sheet

Tue, 31 Dec 2019 17:43:42 -0800

GreyNoise - collects and analyzes untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet. Mass scanners (such as Shodan and Censys), search engines, bots, worms, and crawlers generate logs and events omnidirectionally on every IP address in the IPv4 space. GreyNoise gives you the ability to filter this useless noise out. GreyNoise Query Language (GNQL) provides a structure syntax language to methodically query and refine your search parameters. Lastly, accounts for GreyNoise are FREE for personal use and offers amazing data possibilities at your disposal. Consider upgrading to the Enterprise license for large bulk queries.

**Python CLI & WEB UI Available

REFERENCE:

https://viz.greynoise.io/cheat-sheet/queries

https://viz.greynoise.io/cheat-sheet/examples

https://github.com/GreyNoise-Intelligence/pygreynoise

GREYNOISE CLI

https://github.com/GreyNoise-Intelligence/pygreynoise

Install the library:

pip install greynoise

python setup.py install

Save your configuration:

greynoise setup --api-key

Upgrade current install:

pip3 install greynoise --upgrade

#CLI COMMAND OPTIONS

query - Run a GNQL structured query.

account - View information about your GreyNoise...Read More

Th3 L@s7 0f u$

Wed, 28 Aug 2019 14:29:29 -0700

Survivor hashes

What makes a password hash survive for years after a leak and remain uncracked? Despite some website breaches happening nearly 4 years ago, and scores of cracking hobbyist working the Hashes.org dataset, 1,708,665 MD5 hashes across many sources remained uncracked. I thought there must be something new to discover that could yield additional knowledge of what makes a strong user-generated password. So i fired up the "budget cracking rig" and "pentester rig" for a little over two months to find out. They would both run continuously for this time period iterating over different attacks, sifting the found passwords, and begin the process again. All told 75,971 were cracked from the original 1,708,665 MD5 hashes hosted on Hashes.org. It's worth noting some analysis of the results may be skewed due to regional language of the dataset and the site from which they originated. FYI, I didn't find the equivalent of the lost city of Atlantis in the newly cracked passwords ;)

TL;DR

Github with masks and statistics
Unique words, letter combinations, and length contributed to password resilience
Results indicated Eastern country origin

Methodology

The cracking methodology used for this experiment was to modify Larry Spohn's Hate Crack (pretty awesome check it out) Hashcat wrapper script. Modifications allowed for Hashcat to perform a series of attacks, each series lasting for 24 hours.

ATTACK #1 - Purple Rain Attack
In an attempt to find...Read More

Blue Team Planner

Thu, 30 May 2019 07:19:58 -0700

TL;DR

Blue Team Planner aids in threat hunt and incident tracking & documentation.
Six-page custom, concise Investigation Templates for each event.
Bullet & Graph paper provided for freeform note taking.
Available in two colors (Black & Blue) or coming soon (Blue & Black) .
186 total pages contained within the planner.
Send feedback or enhancements to @netmux on Twitter.

Incident Tracking

When responding to a breach, or formalizing a threat hunt strategy, note taking is of crucial importance when coordinating with other responders. Whether the meetings are in-person or over a conference call, its vital to record concise, accurate notes about the incident or TTPs. What I kept noticing was my notebooks would constantly fill up with the same bullet points and feedback needlessly recording the same responses: IR, Data Leak, WebApp, Details Points of Contact (POCs), Status, Logs, Indicators, Systems, Objectives, Tasks... it was killing my time to focus during a meeting, not to mention all the dead whitespace. So I challenged myself to condense this recordkeeping into manageable sections that also allowed flexibility for recording investigation requirements and track the progress of the various objectives and tasks. This iterative process morphed into the Blue Team Planner and it's simplistic style can very nearly record an entire investigations lifecycle in only six small pages.

Investigation Template

The six-page, structured...Read More

Hash Crack v3

Fri, 01 Feb 2019 11:36:03 -0800

Hash Crack v3

It's been over a year since Hash Crack v2 came out and a refresh with some additions were needed. Previous versions of Hash Crack have all tried to build on the foundation of password analysis and cracking tools functionality, but the recent feedback has been on "How do you obtain hashes to crack in the first place?". In the latest Hash Crack v3 the "Extract Hashes" chapter has seen a extensive additions to capturing, extracting, and enumerating hashes from all manner of targets. There is a section devoted toward DevOps tools, Cloud Infrastructure, Virtual Machines, Network Hashes, Hash Leakage, and many more topics (full list below). Many of these techniques have been used extensively in Red Team engagements with near flawless success, and has made the difference between Low-level access turned into Domain Admin in less than a couple of hours. This latest addition adds 28% new material and updates all of the cracking tools to the most recent versions as of its release date.

Updated Material

EXTRACT HASHES

WINDOWS LOCAL PASSWORD HASHES
WINDOWS DOMAIN PASSWORD HASHES
*NIX PASSWORD HASHES
MacOS / OSX LOCAL PASSWORD HASHES
FREEIPA LDAP HASHES
PCAP & WIRELESS
NETWORK HASHES
FULL DISC ENCRYPTION
VIRTUAL MACHINES
DEVOPS
CLOUD SERVICES
NetNTLMv1/v2 HASH LEAKS
DATABASE HASH EXTRACTION
LOCKED WINDOWS MACHINE
MISCELLANEOUS HASH EXTRACTION

OTHER UPDATES & ADDITIONS

Hashcat 5.1 with more BRAIN
Historical GPU Cracking...Read More

Random Password Cheat Sheet

Tue, 29 Jan 2019 15:17:59 -0800

ONE-LINER

LINUX/MacOS

# openssl rand -base64 20
Example) YnKFUmVPYzQDrK3QT5NZ0Wh51kMBaXw=

# pwgen 10
Example) giepahl3Oy

# gpg --gen-random --armor 1 14

Example) 1Hs0a5BYKlcRY0wvPy8=

# uuidgen | tr -d '\n'

Example) 9C3CF72D-175D-41D6-ADC1-173D784CFBD7

WINDOWS

PS> $Password = ([char[]]([char]33..[char]95) + ([char[]]([char]97..[char]126)) + 0..9 | sort {Get- Random})[0..8] -join ''
Example) Fj-Rs!4p2z

PS> dir C:\Windows\*.* | Get-Random | Get-FileHash -Algorithm SHA1

Example) 819AABA1653415766D4A6B0F5F89833F4E40AA27

SCRIPTABLE

LINUX/MacOS

@Echo Off
Set /A Rnd=%Random%
Set PassLenght=10
SetLocal EnableDelayedExpansion EnableExtensions
Set TotalChars=72
Set CharSet=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWQYZ()_+-*!@#$
:Loop
Set /A Rnd=%TotalChars%*%Random%/32768
Set Pswd=!CharSet:~%Rnd%,1!%Pswd%
Set /A PassLenght-=1
If %PassLenght% GTR 0 GoTo Loop
@echo %Pswd%
pause

WINDOWS

........

Online Password Generation Resources

Hash Crack Challenge

Sun, 26 Aug 2018 06:17:35 -0700

CHALLENGE OVER
The Challenge
Two plain SHA1 password hashes have been generated using separate techniques from a single "Random-Grid" One-Time Grid (see One-Time Grid write-up ). This password cracking challenge will last one week, which starts Aug 27th, 2018 1200PM EST and ends September 3rd, 2018 at 1200PM EST.
HASH #1
[CRACKED by @BoursierEtienne] fe0c9f335b35c45e92d5e7d07c5933b6c4c0a522
HASH #2
[CRACKED by @lakiw]
120c249bc0f301ef3cba7a0fcbff463aaaded486
Prizes
Claim your prizes by posting on Twitter to @netmux with the cracked password. All valid submissions must be received before Sept 3rd at 1200PM EST.
Crack HASH #1 gets your name in the next Hash Crack: Password Cracking Manual
Crack HASH #2 first person gets a free Pentester's Portable Cracking Rig with a GTX 1070 (~$1,100 value) ***
***Limit=1. Sorry only United States contestants are eligible to receive the password cracking rig. A $500 Amazon gift card will be awarded for an international winner that cracks HASH #2.
**To receive your final prizes contestants must submit a write-up of your strategy for cracking the password hash....Read More

Red Team Planner

Tue, 01 May 2018 17:24:08 -0700

Available on Amazon
TL;DR
Red Team Planner aids in customer engagement requirements & tracking.
Six-page custom, concise Engagement Templates for each customer.
Bullet & Graph paper provided for freeform note taking.
Available in two colors (Black & Red) or (Red & Black) .
186 total pages contained within the planner.
Send feedback or enhancements to @netmux on Twitter.
Repetitive Records
If you've been in the Red Team/Pentest game for a while you know note taking is very important when meeting with customers. Whether the meetings are in-person or over a conference call, its vital to record concise, accurate notes about their needs for a network security assessment. What I kept noticing was my notebooks would constantly fill up with the same bullet points and feedback needlessly recording the same responses: Grey Box, Full-Spectrum, WebApp, Details Points of Contact (POCs), Infrastructure to test, IP's, Limitiations, test accounts, Red Team data, Tasks... it was killing my time to focus during a meeting, not to mention all the dead whitespace. So I challenged myself to condense this recordkeeping into manageable sections that also allowed flexibility for recording customer requirements and track the progress of the various engagement milestones and tasks. This iterative process morphed into the Read More