Zbrunk search launcher and event types statistics
I also changed the priorities. Now I think it would be better not to integrate with Grafana, but to create our own dashboards and GUI. And to begin with, I created a simple interface for Searching and Deleting events. upd. 16.12.2019 A small update on Zbrunk. First of all, I created a new API call th...
CentOS 8 with IceWM Desktop Environment
Do you need CentOS 8 with IceWM as desktop Operating System? Most likely not. Especially if you want it to work smoothly without any worries and troubles. However, if you enjoy playing with new desktop environments, you might find it fun. My reasons were as follows: 1. I wanted to use the same...
Dante SOCKS5 server with authentication
It's not so obvious that SOCKS servers with authentication are a necessary thing. 1. You can run a "local socks service" simply by connecting to a remote host via ssh with -D 2. Most software products that support SOCKS don't support SOCKS servers with authentication. The last fact I find ver...
Barapass console Password Manager
I decided to publish my simple console Password Manager. I called it barapass (github). I've been using it for quite some time in Linux and in Windows in WSL. Probably it will also work natively in Windows and MacOS with minimal fixes, but I haven't tried it yet. Why do people use password managers...
Zbrunk universal data analysis system
The Zbrunk project (github) began almost like a joke. And in a way it is. In short, my friends and I decided to make an open-source (MIT license) tool, which will be a kind of alternative to Splunk for some specific tasks. So, it will be possible to: Put structured JSON events in Zbrunk using http...
How to get the Organization Units (OU) and Hosts from Microsoft Active Directory using Python ldap3
I recently figured out how to work with Microsoft Active Directory using Python 3. I wanted to get a hierarchy of Organizational Units (OUs) and all the network hosts associated with these OUs to search for possible anomalies. If you are not familiar with AD, here is a good thread about the...
Publicly available Tenable .audit scripts
This is most likely a slowpoke news, but I just found out that Tenable .audit files with formalized Compliance Management checks are publicly available and can be downloaded without any registration. However, you must accept the looooong license agreement. So, I have two completely theoretical!...
Kaspersky Security Center 11 API: getting information about hosts and installed products
I spent a lot of time last week working with the new API of Kaspersky Security Center 11. KSC is the administration console for Kaspersky Endpoint Protection products. And it has some pretty interesting features besides the antivirus/antimalware, for example, vulnerability and patch management. S...
The most magnificent thing about Vulnerabilities and who is behind the magic
What I like the most about software vulnerabilities is how "vulnerability", as a quality of a real object (and a computer program is real), literally appears from nothing. Let's say we have a fully updated server. We turn it off, lock it in a safe and forget about it for half a year. Six months...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Management products
On May 21, I spoke at the PHDays 9 conference. I talked about new methods of Vulnerability Prioritization in the products of Vulnerability Management vendors. During my 15-minute time slot I defined the problems that this new technology has to solve, showed why these problems could NOT be solved...
Code IB 2019: Vulnerability Management Masterclass
On March 29, I held a one-hour master class "HOW to avoid excessive formalism in Vulnerability Management process" at Code IB Profi 2019. Everything went quite well and I've got 88% positive ratings. Not a bad result ^^. The main feature of the conference was a very special audience. The only way to...
Vulnerability Management vendors and Vulnerability Remediation problems
It's not a secret that Vulnerability Management vendors don't pay much attention to the actual process of fixing the vulnerabilities they detect in the infrastructure (Vulnerability Remediation). Although it seems to be the main goal of VM products: to make vulnerabilities fixed and whole IT...
Why Asset Management is so important for Vulnerability Management and Infrastructure Security?
When people ask me how they should start building a Vulnerability Management process in their organization (well, sometimes it happens), I advise them to create an effective Asset Management process first. Because it's the foundation of the whole Infrastructure Security. The term "Asset Management" h...
Can a Vulnerability Scan break servers and services?
The most serious problem of Vulnerability Scanners is that they are too complex and unpredictable. Usually they don't affect the target hosts, but when they do, welcome to hell! And if you scan a huge infrastructure, tens of thousands of hosts and more, it's not "if" the scanner will break the server it'...
First steps with Docker: installation in CentOS 7, vulnerability assessment, interactive mode and saving changes
Docker and containerization are literally everywhere. IMHO, this changes the IT landscape much more than virtualization and clouds. Let's say you have a host, you checked it and found out that there are no vulnerable packages. But what's the point if this host runs Docker containers with their own...
Vulnerability Management at Tinkoff Fintech School
In the last three weeks, I participated in Tinkoff Fintech School - educational program for university students. Together with my colleagues, we prepared a three-month practical Information Security course: 1 lecture per week with tests and home tasks. Each lecture is given by a member of our...
Tenable IO WAS Chrome Extension
In the comments of the previous post about Tenable IO WAS Fergus Cooney mentioned a new Google Chrome extension for Tenable IO WAS, that should help in configuring scan Authentication setting. You can install it in Chrome Web Store. The idea is great. Authentication process in modern web...
Martian Vulnerability Chronicles
Well, there should have been an optimistic post about my vulnerability analysis & classification pet-project. Something like "blah-blah-blah the situation is pretty bad, tons of vulnerabilities and it's not clear which of them can be used by attackers. BUT there is a way how to make it better usi...
First look at Tenable.io Web Application Scanner (WAS)
When Tenable first announced a Web Application Security scanner as a part of their new Tenable.io platform, it was quite intriguing. Certainly, they already had some WAS functionality before in Nessus. For example, the path traversal check was pretty good. But this functionality was quite fragmental...
How to make Email Bot service in Python
First of all, why might you want to use such a service? Despite the fact that currently there are so many different channels of communication including various messaging apps, Email is still a default and universal way to do it. Literally every enterprise service supports email notifications, even if...
Who should protect you from Cyber Threats?
The world is becoming increasingly dependent on information technologies. 1. Government. More and more states provide digital services for their citizens and rely on complex information systems. 2. Business. There are no more companies that do not have IT infrastructure on-premises or in the cloud. IT...
No left boundary for Vulnerability Detection
It's another common problem in nearly all Vulnerability Management products. In the post "What’s wrong with patch-based Vulnerability Management checks?" I wrote about the issues in plugin descriptions, now let's see what can go wrong with the detection logic. The problem is that Vulnerability...
Retrieving data from Splunk Dashboard Panels via API
First of all, why might someone want to get data from the panels of a dashboard in Splunk? Why might it be useful? Well, if the script can process everything that a human analyst sees on a Splunk dashboard, all the automation comes very naturally. You just figure out what routine operations the analys...
Open Positioner: my new project for tracking IT and security jobs
The idea of my new project is to retrieve the data from job-searching websites and provide better filtering, searching and visualization. I think for most people who read this, searching for a job on the Internet is a pretty common activity. Even if you are not going to change job right now, it...
Vulnerability Life Cycle and Vulnerability Disclosures
The Vulnerability Life Cycle diagram shows the possible states of a vulnerability. In a previous post I suggested treating vulnerabilities as bugs. Every known vulnerability, just like every bug, was implemented by some software developer at some moment of time and was fixed at some moment of time...
What is a vulnerability and what is not?
It looks like a pretty simple question. I used it to start my MIPT lecture. But actually the answer is not so obvious. There are lots of formal definitions of a vulnerability. For example, in the NIST Glossary there are 17 different definitions. The most popular one, used in 13 documents, is:...
Creating Splunk Alerts using API
As I mentioned in "Accelerating Splunk Dashboards with Base Searches and Saved Searches", Splunk Reports are basically the Saved Searches. Moreover, Splunk Alerts are also the same Saved Searches with some additional parameters. The question is what parameters you need to set to get the right...
What’s wrong with patch-based Vulnerability Management checks?
My last post about Guinea Pigs and Vulnerability Management products may seem unconvincing without some examples. So, let's review one. It's a common problem that exists among nearly all VM vendors; I will demonstrate it on Tenable Nessus. If you perform vulnerability scans, you have most likely seen...
Managing JIRA Scrum Sprints using API
Atlassian Jira is a great tool for organizing Agile processes, especially Scrum. But managing Scrum Sprints manually using the Jira web GUI may be time-consuming and annoying. So, I decided to automate some routine operations using the JIRA API and Python. The API calls are described on the official page ...
Packabit project: building Nmap deb packages for Ubuntu
During the long New Year holidays (30 Dec - 8 Jan) I started a new project: a Vagrant-based Linux package builder called Packabit. I thought it might be nice to have scripts that will automatically build Linux packages from sources and will NOT litter the main system with unnecessary packages. Somethin...
MIPT/PhysTech guest lecture: Vulnerabilities, Money and People
On December 1, I gave a lecture at the Moscow Institute of Physics and Technology (informally known as PhysTech). This is a very famous and prestigious university in Russia. In Soviet times, it trained personnel for Research Institutes and Experimental Design Bureaus, in particular for the Soviet...
New Advanced Dynamic Scan Policy Template in Nessus 8
According to Nessus 8.1.0 release notes, Tenable finally solved the problem with Mixed Plugin groups. At least partially. I will briefly describe the problem. Let's say we found out that some Nessus plugins crash our target systems. This happens rarely, but it happens. So, we decided to disable...
Guinea Pig and Vulnerability Management products
IMHO, security vendors use the term "Vulnerability Management" extremely inaccurately. Like a guinea pig, which is not a pig and is not related to Guinea, the current Vulnerability Management products are not about the actual practically exploitable vulnerabilities and not really about the...
PRYTEK meetup: Breach and Attack Simulation or Automated Pentest?
Last Tuesday, November 27, I spoke at "Business Asks for Cyber Attacks" meetup organized by PRYTEK investment platform. The event was held at the PRYTEK Moscow office in a beautiful XIX century building of a former textile manufactory. The goal of the meetup was to talk about new approaches in...
Making Vulnerable Web-Applications: XXS, RCE, SQL Injection and Stored XSS ( + Buffer Overflow)
In this post I will write some simple vulnerable web applications in python3 and will show how to attack them. This is all for educational purposes and for complete beginners. So please don't be too hard on me. As a first step I will create a basic web-application using twisted python web server...
VB-Trend 2018 Splunk Conference
Today I attended the VB-Trend 2018 Splunk conference organized by the system integrator VolgaBlob. Video fragments from the event: Compared to "Splunk Discovery Day", the conference was much smaller (less than 100 people), focused on technical aspects, Information Security and informal communication. And...
Making CVE-1999-0016 (landc) vulnerability detection script for Windows NT
The fair question is why in 2018 someone might want to deal with Windows NT and vulnerabilities in it. Now Windows NT is a great analogue of DVWA (Damn Vulnerable Web Application), but for operating systems. There are a lot of well-described vulnerabilities with ready-made exploits. A great tool fo...
Adding custom NASL plugins to Tenable Nessus
Making custom NASL scripts (plugins) for Nessus is a pretty complicated process. Basically, NASL (Nessus Attack Scripting Language) is an internal instrument of Tenable and it seems that they are not really interested in sharing it with the community. The only publicly available official documentation...
Splunk Discovery Day Moscow 2018
Today I attended the Splunk Discovery Day 2018 conference. It is something like a local equivalent of the famous Splunk .conf. More than 200 people have registered. The event was held in the luxury Baltschug Kempinski hotel in the very center of Moscow with a beautiful view of the Red Square and...
Deploying VirtualBox virtual machines with Vagrant
I often use virtual machines for various tasks: from building software packages to testing software products or PoCs for vulnerabilities. Creating a virtual machine in Oracle VirtualBox is a time-consuming and annoying process: set parameters of VM, attach iso, make dozens of clicks in OS...
What’s new in Nessus 8
Today Tenable released a new version of their famous vulnerability scanner - Nessus 8. The existing scanner nodes don't see the updates yet, but the installation binaries are already available. So you may try to install it. This major release will be way more positive than the previous one. Of...
Accelerating Splunk Dashboards with Base Searches and Saved Searches
Let's say we have a Splunk dashboard with multiple panels. Each panel has its own search request and all of these requests work independently and simultaneously. If they are complex enough, rendering the dashboard may take quite a long time and some panels may even fail by timeout. How to avoid...
How to create and manage Splunk dashboards via API
In the previous post "How to correlate different events in Splunk and make dashboards" I mentioned that Splunk dashboards can be presented in a simple XML form. You can generate it with some script and then copy-paste it into the Splunk GUI. However, these manual operations can make the process of...
ISACA Moscow Vulnerability Management Meetup 2018
Last Thursday, September 20th, I spoke at ISACA Moscow "Vulnerability Management" Meetup held at Polytechnic University. The only event in Moscow devoted solely to Vulnerability Management. So I just had to take part in it. The target audience of the event - people who implement the vulnerability...
Psychological Aspects of Vulnerability Remediation
In my opinion, Remediation is the most difficult part of the Vulnerability Management process. If you know the assets in your organization and can assess them, you will sooner or later produce a good enough flow of critical vulnerabilities. But what's the point, if the IT team will not fix them?...
Making Expect scripts for SSH Authentication and Privilege Elevation
Expect can help you to automate interactive console applications. For example, an Expect script can go to some Linux host via SSH with password authentication, perform additional authentication procedures (su, sudo) to elevate privileges and execute some commands. Like Vulnerability and Compliance...
Retrieving IT Asset lists from NetBox via API
A little bit more about the IT Asset Inventory of the Internal Network that your IT team can provide. I have recently worked with NetBox - an open source IP address management (IPAM) and data center infrastructure management (DCIM) solution developed by the well-known cloud hosting provider DigitalOcean. It's n...
Assessing Linux Security Configurations with SCAP Workbench
Recently I had a chance to work with OpenSCAP. It's a set of free and open-source tools for Linux Configuration Assessment and a collection of security content in SCAP (Security Content Automation Protocol) format. In this post I will write about SCAP Workbench. It is a GUI application that can check...
CyberThursday: Asset Inventory, IT-transformation in Cisco, Pentest vs. RedTeam
Two weeks ago I was speaking at a very interesting information security event - CyberThursday. This is a meeting of a closed Information Security practitioners group. The group is about 70 people, mainly from the financial organizations, telecoms and security vendors. These meetings have a rather...
Asset Inventory for Internal Network: problems with Active Scanning and advantages of Splunk
In the previous post, I was writing about Asset Inventory and Vulnerability Scanning on the Network Perimeter. Now it's time to write about the Internal Network. I see a typical IT infrastructure of a large organization as a monstrous favela, like Kowloon Walled City in Hong Kong. At the beginning ...