George Starcher

This past week Rob Fuller (@Mubix) turned on public search for his awesome Deep Magic DNS project.

This is a great project where he is collecting DNS records for as much as the Internet as he can manage with some really creative methods. Currently he has turned on PTR record searching.  So let’s say you are doing a pen test or joining a new organization. You need to gather what information is available for the domain you are being employees to help. Just put the domain in quotes up in the search field and you will get back the resulting records. The search results are limited to 1,000 records by default but can be increased to up to 10,000.  Small personal domains may not show up. It is giving great results for larger more established domains for organizations.

Just dump as many of the records you can. Drop it in a text file and grep with fun words like ldap, dc, mail, ftp etc can speed up your learning curve.

Reference:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/c.html#wp697557

Scenario:
Let’s say you have Cisco ACS up and running. It is already successfully talking to your Active Directory installation. You also already have an existing VPN Client remote configuration where the group policy name is “GP_VPN_ITNET” and the tunnel group name is “TG_VPN_ITNET”

Now you have an active directory group called “RG_VPN_ITNET” and want to ensure that the only vpn remote access profile that group can use is the existing remote configuration.

(more…)

I like to remind folks when moving their Apple laptop to public wifi that they need to remember to turn off the iLife application sharing such as iTunes and iPhoto. Then turn on their firewall.

So here is an AppleScript that will do just that. It is written and tested on OSX Lion with iLife 11. So you may have to play with it for your version if that is not what you are running.  Keep in mind it is a toggle script.  It will reverse the settings of iPhoto, iTunes sharing and the firewall. So it is assumed you share both with the firewall off when at home.

Also you need to ensure Enable access for assistive devices is checked under Universal Access in System Preference.

Just cut and paste the below script into the AppleScript editor.  Then save either as an application on your desktop you can double click. Or save as an AppleScript where an application like LaunchBar can use it as an action. ~/Library/Application Support/LaunchBar/Actions

(more…)

Here are my slides and the tutorial I made for Rolling your own logging vm. Between the slides and the tutorial you can find all the links I referenced.

The VM tutorial uses Ubuntu Linux, syslog-ng and Splunk.  I go over how to use syslog-ng with fifo queues to handle multiple sources and even rewrite forwarded syslog events coming from Kiwisyslog before indexing in Splunk.  The tutorial zip has both pdf and epub formats in it.

*update* I was asked some questions today during my presentation on MS Log Parser.  I added my post on it below to the link list.  Also for those downloading my actual logging vm from the link I gave those whom attended my talk.  The url does redirect to dropbox so do not be surprised.

*second update* a question came up today on a forensics mailing list to search some evtx event log files.  I suggested using MS Log Parser to replay output to syslog.  The target being spunk say like in my logging vm tutorial.  Then the logs are easily searchable.

• Slides Download (pdf)
• Tutorial – Rolling your own Logging VM
• Fun with dumpevt and MS Log Parser