Fun in the lab with VMware and a Raspberry Pi

This post was originally published on this site

Note: These instructions are only intended for use in a lab environment for non-production use. Do not use the steps described here to further contribute to the number of insecure IoT devices populating our world. Assume everything described is an unsupported configuration. Finally, be mindful of the Windows 10 IoT prototyping restrictions as well as … Continue reading Fun in the lab with VMware and a Raspberry Pi

vRealize Automation 8.0 – Wildcard SSL certificate support and deployment issues – LCMVRAVACONFIG590003

Ok, so I’m just going to call it out straight away, when using wildcard SSL certificates with vRealize Automation 8.0, read the release notes. I did not, and caused myself quite a few headaches with the deployment, which you can read about further in this post. Cannot set wildcard certs for certain domain names, specifically … Continue reading vRealize Automation 8.0 – Wildcard SSL certificate support and deployment issues – LCMVRAVACONFIG590003

The post vRealize Automation 8.0 – Wildcard SSL certificate support and deployment issues – LCMVRAVACONFIG590003 appeared first on @Saintdle.

In the Works – AWS Region in Spain

We opened AWS Regions in Sweden, Hong Kong, and Bahrain in the span of less than a year, and are currently working on regions in Jakarta, Indonesia, Cape Town, South Africa and Milan, Italy.

Coming to Spain
Today I am happy to announce that the AWS Europe (Spain) Region is in the works, and will open in late 2022 or early 2023 with three Availability Zones. This will be our seventh region in Europe, joining existing regions in Dublin, Frankfurt, London, Paris, Stockholm, and the upcoming Milan region that will open in early 2020 (check out the AWS Global Infrastructure page to learn more).

AWS customers are already making use of 69 Availability Zones across 22 regions worldwide. Today’s announcement brings the total number of global regions (operational and in the works) up to 26.

I was in Spain just last month, and was able to meet with developers in Madrid and Barcelona. Their applications were impressive and varied: retail management, entertainment, analytics for online advertising, investment recommendations, social scoring, and more.

Several of the companies were born-in-the-cloud startups; all made heavy use of the entire line of AWS database services (Amazon Redshift was mentioned frequently), along with AWS Lambda and AWS CloudFormation. Some were building for the domestic market and others for the global market, but I am confident that they will all be able to benefit from this new region.

We launched AWS Activate in Spain in 2013, giving startups access to guidance and one-on-one time with AWS experts, along with web-based training, self-paced labs, customer support, offers from third-parties, and up to $100,000 in AWS service credits. We also work with the VC community (Caixa Risk Capital and KFund), and several startup accelerators (Seedrocket and Wayra).

AWS in Spain
This upcoming region is the latest in a long series of investments that we have made in the Iberian Peninsula. We opened an edge location in Madrid in 2012, and an office in the same city in 2014. We added our first Direct Connect location in 2016, and another one in 2017, all to support the rapid growth of AWS in the area. We now have two edge locations in Madrid, and an office in Barcelona as well.

In addition to our support for startups through AWS Activate, we provide training via AWS Academy and AWS Educate. Both of these programs are designed to build knowledge and skills in cloud computing, and are available in Spanish. Today, hundreds of universities and business schools in Spain are making great use of these programs.

The AWS office in Madrid (which I visited on my recent trip) is fully staffed with account managers, business development managers, customer service representatives, partner managers, professional services consultants, solutions architects, and technical account managers. I had the opportunity to participate in an internal fireside with the team, and I can tell you that (like every Amazonian) they are 100% customer-obsessed, and ready to help you to succeed in any possible way.

Jeff;

PS – If you would like to join our team in Spain, check out our open positions in Madrid and Barcelona.

EML attachments in O365 – a recipe for phishing, (Thu, Oct 31st)

I’ve recently come across interesting behavior of Office 365 when EML files are attached to e-mail messages, which can be useful for any red teamers out there but which can potentially also make certain types of phishing attacks more successful.

Office 365, like any other e-mail gateway with security features, uses a number of complex anti-phishing mechanisms and filters to catch malicious messages. This means that if we try to send an e-mail to a “Target User” that looks like a message from Paypal, but whose embedded link points to a phishing site, O365 will correctly identify it as phishing/spam and catch it. The following example, where the link points to playplall.com instead of paypal.com, illustrates this behavior nicely.

Before we move forward, let’s take a quick look at EML files. Many e-mail clients (AKA Mail User Agents) use them to save messages, and even Outlook and most other clients that do not use EML as their default save format can at least open and display them. EML files have a very simple internal structure – an EML file is basically just a MIME e-mail saved as a text file – so an arbitrary one can be crafted by hand quite easily, as the following example shows.

MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Date: Thu, 31 Oct 2019 10:29:47 +0100
From: Dracula <dracula@transylvania.ro>
To: Jan Kopriva <jan.kopriva@domain.tld>
Subject: Halloween


Hi Jan,
<br><br>
Just wanted to let you know I'll see you tonight... ;)
<br><br>
Count

This is the reason why e-mail gateways are sometimes configured to either mark messages containing EML attachments as potentially dangerous, scan such attachments or block them outright. Office 365 seems to do an anti-malware scan of EML attachments, but it doesn’t run them through anti-phishing filters… And you can probably see where this is heading.

If we were to craft an EML with the same contents as the first e-mail we looked at (which O365 caught as phishing) and send it as an attachment, it would get through. If we put text along the lines of “We’ve noticed you didn’t respond to our original message, so we’re sending it to you again” in the body of the main e-mail, there is quite a good chance that the intended recipient would at least open the attached EML.

But it gets better than that – nothing is stopping us from changing the sender in the EML to a legitimate Paypal (or other) address. The same EML may, of course, bypass other e-mail security gateway scans as well, depending on how they are configured. But with O365, here is (at least to my mind) the best part – if we send such an e-mail, as soon as our Target User opens the attachment in O365, Outlook will helpfully even put a Paypal logo next to the sender address. Thanks to this, the message really starts to look trustworthy.

I’ve informed Microsoft of this behavior of O365 and since they usually don’t consider similar behavior a vulnerability, the reply I got from them was exactly the one I expected (i.e. “Unfortunately your report appears to rely on social engineering to accomplish, which would not meet the bar for security servicing”).

Although I don’t expect attackers to start using this technique en masse, I would still recommend considering automatically marking e-mail messages with EML attachments as potentially dangerous, and adding a short warning about the risks of EML attachments to end-user security/phishing awareness courses.
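
The check recommended above, as an added example (this is not code from the diary or from Microsoft): build a message that carries a forwarded .eml the way the technique does, then parse the message/rfc822 part and compare the domain the nested sender claims with the hosts its links point at. The addresses, the brand and the look-alike domain are constructed sample data, and the link extraction is a plain regex, which is fine for a demonstration but not a substitute for an HTML parser.

```python
"""Added example (not from the ISC diary, not Microsoft's code): build a
message that carries a forwarded .eml as message/rfc822, then audit the nested
message the way a gateway rule could, ignoring what the outer message claims.
Addresses, the brand and the look-alike domain are constructed sample data."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Host part of every href in an HTML body (scheme optional).
HREF_RE = re.compile(r'href\s*=\s*["\']?(?:https?://)?([^/"\'\s>]+)', re.I)


def build_inner_eml(sender: str, link_host: str) -> EmailMessage:
    """The attached .eml: a plain MIME message whose From: is attacker-chosen."""
    inner = EmailMessage()
    inner["From"] = sender
    inner["To"] = "target.user@example.com"
    inner["Subject"] = "Action required on your account"
    inner.set_content(
        f'<p>Please <a href="https://{link_host}/login">sign in</a> to review.</p>',
        subtype="html",
    )
    return inner


def build_outer(inner: EmailMessage) -> bytes:
    """The carrier: a harmless-looking body plus the .eml as an attachment."""
    outer = EmailMessage()
    outer["From"] = "no-reply@attacker.example.net"   # constructed sender
    outer["To"] = "target.user@example.com"
    outer["Subject"] = "Re: Action required on your account"
    outer.set_content("We've noticed you didn't respond to our original "
                      "message, so we're sending it to you again.")
    outer.add_attachment(inner, filename="original.eml")  # message/rfc822 part
    return outer.as_bytes()


def domain_of(addr: str) -> str:
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def audit_eml_attachments(raw: bytes) -> list:
    """One finding per message/rfc822 part: who the nested message claims to be
    from, which hosts its links point at, and whether the two disagree."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        nested = part.get_payload(0)              # the embedded EmailMessage
        body = nested.get_body(preferencelist=("html", "plain"))
        html = body.get_content() if body is not None else ""
        link_hosts = sorted({h.lower() for h in HREF_RE.findall(html)})
        claimed = domain_of(nested.get("From", ""))
        findings.append({
            "filename": part.get_filename(),
            "outer_from": domain_of(msg.get("From", "")),
            "claimed_from": claimed,
            "link_hosts": link_hosts,
            # Brand spoof: the links never land on the domain the nested
            # sender claims, so the displayed sender cannot be trusted.
            "suspicious": bool(link_hosts) and not any(
                h == claimed or h.endswith("." + claimed) for h in link_hosts),
        })
    return findings


if __name__ == "__main__":
    raw = build_outer(build_inner_eml("PayPal <service@paypal.com>", "playplall.com"))
    for finding in audit_eml_attachments(raw):
        print(finding)
```

Marking every message with a message/rfc822 part as potentially dangerous, as suggested above, is the simpler rule; the mismatch check is what lets a gateway be louder about the attachments that also spoof a brand, whatever logo the client later paints next to the sender.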

If you find this technique interesting and would like to take a closer look at a couple of others, consider joining us for a talk dedicated to this subject at SANSFIRE 2020, where we will go through many more tricks and techniques, some of which are not (yet) used in the wild.

———–
Jan Kopriva
@jk0pr
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

DSC Resource Kit Release October 2019

DSC Resource Kit Release

We just released the DSC Resource Kit!

This release includes updates to 9 DSC resource modules. In the past 6 weeks, 91 pull requests have been merged and 41 issues have been closed, all thanks to our amazing community!

Special thanks to everyone who contributed to the Hacktoberfest effort to update xWebAdministration!!! This accounted for 26 of the pull requests closed this month.

The modules updated in this release are:

  • ActiveDirectoryDsc 4.2.0.0
  • ComputerManagementDsc 7.1.0.0
  • SharePointDsc 3.7.0.0
  • StorageDsc 4.9.0.0
  • xDnsServer 1.16.0.0
  • xDscResourceDesigner 1.13.0.0
  • xExchange 1.30.0.0
  • xHyper-V 3.17.0.0
  • xWebAdministration 3.0.0.0

For a detailed list of the resource modules and fixes in this release, see the Included in this Release section below.

Our latest community call for the DSC Resource Kit was last Wednesday, October 23. A recording of the call is posted on the PowerShell YouTube channel. You can join us for the next call at 12PM (Pacific time) on August 28th to ask questions and give feedback about your experience with the DSC Resource Kit.

Following this resource kit release, maintainers will begin publishing as soon as they are ready rather than holding 6 weeks to do a group release. In the next community call we will discuss progress and whether we need to do a November release or not. Be sure to follow the DSC Community on Twitter for live updates as modules release.

You can find more information about our progress as a community on the DSC Community page.

We strongly encourage you to update to the newest version of all modules using the PowerShell Gallery, and don’t forget to give us your feedback in the comments below, on GitHub, or on Twitter (@PowerShell_Team)!

Please see our documentation here for information on the support of these resource modules.

Included in this Release

You can see a detailed summary of all changes included in this release in the table below. For past release notes, go to the README.md or CHANGELOG.md file on the GitHub repository page for a specific module (see the How to Find DSC Resource Modules on GitHub section below for details on finding the GitHub page for a specific module).

Module Name Version Release Notes
ActiveDirectoryDsc 4.2.0.0
  • Changes to ActiveDirectoryDsc
    • Resolved custom Script Analyzer rules that were added to the test framework.
    • Resolve style guideline violations for hashtables (issue 516).
  • Changes to ADReplicationSite
    • Added “Description” attribute parameter (issue 500).
    • Added Integration testing (issue 355).
    • Correct value returned for RenameDefaultFirstSiteName (issue 502).
  • Changes to ADReplicationSubnet
    • Added “Description” attribute parameter (issue 503)
    • Added Integration testing (issue 357)
  • Changes to ADReplicationSiteLink
    • Added Integration testing (issue 356).
    • Added ability to set “Options” such as Change Notification Replication (issue 504).
  • Changes to ActiveDirectoryDsc.Common
    • Fix Test-DscPropertyState Failing when Comparing $Null and Arrays. (issue 513)
ComputerManagementDsc 7.1.0.0
  • ComputerManagementDsc:
    • Update psd1 description – Fixes Issue 269.
  • Fix minor style issues with missing spaces between param statements and “(“.
  • SmbServerConfiguration:
    • New resource for configuring the SMB Server settings.
    • Added examples for SMB Server Configuration.
  • Minor corrections to CHANGELOG.MD.
  • ScheduledTask:
    • Fixed bug when description has any form of whitespace at beginning or end the resource would not go into state – Fixes Issue 258.
  • SmbShare:
    • Removal of duplicate code in Add-SmbShareAccessPermission helper function fixes Issue 226.
SharePointDsc 3.7.0.0
  • SPConfigWizard
    • Fixed issue with incorrect check for upgrade status of server
  • SPDistributedCacheService
    • Improved error message for the inclusion of the server name in the ServerProvisionOrder parameter when Ensure is Present, or when changing to Ensure Absent
  • SPFarm
    • Removed SingleServer as ServerRole, since this is an invalid role.
    • Handle case where null or empty CentralAdministrationUrl is passed in
    • Move CentralAdministrationPort validation into parameter definition to work with ReverseDsc
    • Add NotNullOrEmpty parameter validation to CentralAdministrationUrl
    • Fixed error when changing developer dashboard display level.
    • Add support for updating Central Admin Authentication Method
  • SPFarmSolution
    • Fix for Web Application scoped solutions.
  • SPInstall
    • Fixes a terminating error for sources in weird file shares
    • Corrected issue with incorrectly detecting SharePoint after it has been uninstalled
    • Corrected issue with detecting a paused installation
  • SPInstallLanguagePack
    • Fixes a terminating error for sources in weird file shares
  • SPInstallPrereqs
    • Fixes a terminating error for sources in weird file shares
  • SPProductUpdate
    • Fixes a terminating error for sources in weird file shares
    • Corrected incorrect farm detection, added in earlier bugfix
  • SPSite
    • Fixed issue with incorrectly updating site OwnerAlias and SecondaryOwnerAlias
  • SPWebAppAuthentication
    • Fixes issue where the Test method returns false on a non-US OS.
StorageDsc 4.9.0.0
  • Disk:
    • Added Location as a possible value for DiskIdType. This will select the disk based on the Location property returned by Get-Disk
    • Maximum size calculation now uses workaround so that Test-TargetResource works properly – workaround for Issue 181.
  • DiskAccessPath:
    • Added Location as a possible value for DiskIdType. This will select the disk based on the Location property returned by Get-Disk
  • WaitForDisk:
    • Added Location as a possible value for DiskIdType. This will select the disk based on the Location property returned by Get-Disk
xDnsServer 1.16.0.0
  • Changes to XDnsServerADZone
    • Raise an exception if DirectoryPartitionName is specified and ReplicationScope is not Custom. (issue 110).
    • Enforce the ReplicationScope parameter being passed to Set-DnsServerPrimaryZone if DirectoryPartitionName has changed.
  • xDnsServer:
    • OptIn to the following Dsc Resource Meta Tests:
      • Common Tests – Relative Path Length
      • Common Tests – Validate Markdown Links
      • Common Tests – Custom Script Analyzer Rules
      • Common Tests – Required Script Analyzer Rules
      • Common Tests – Flagged Script Analyzer Rules
xDscResourceDesigner 1.13.0.0
  • Fix Parameter Blocks to conform to Dsc Style Guidelines (issue 79).
  • Fix README.md MarkDownLint Errors and Formatting Issues
xExchange 1.30.0.0
  • Resolved custom Script Analyzer rules that were added to the test framework.
  • Added xExchAcceptedDomain resource
  • Resolved hashtable styling issues
  • Added xExchRemoteDomain resource
xHyper-V 3.17.0.0
  • MSFT_xVMNetworkAdapter:
    • Added NetworkSettings to be able to statically set IPAddress.
    • Added option for VLAN tagging. You can now set up a Network Adapter in access mode on a specific VLAN.
xWebAdministration 3.0.0.0
  • Changes to xWebAdministration
    • Changes to PULL_REQUEST_TEMPLATE.md
      • Improving descriptive text around the CHANGELOG.md entry.
      • Adding note that entry in CHANGELOG.md is mandatory for all PRs.
    • Resolved custom Script Analyzer rules that were added to the test framework.
    • Moved change log from README.md to a separate CHANGELOG.md (issue 446).
    • Remove example “Creating the default website using configuration data” from README.md (issue 488).
    • Removed examples README.md as it was obsolete (issue 482).
    • Updated Ensure property description for xIisHandler resource to match schema.mof
    • Moved examples from Readme.md to respective /Examples/Resources/ folders (issue 486).
    • Created new folder structure for examples so that examples will be placed in /Examples/Resources/$resourceName (issue 483).
    • Added a table of contents for the resource list (issue 450).
    • Alphabetized the resource list in the README.md (issue 449).
    • Optimized exporting in the module manifest for best performance (issue 448).
    • Updated hashtables in the repo to adhere to the style guidelines described at https://github.com/PowerShell/DscResources/blob/master/StyleGuidelines.md#correct-format-for-hashtables-or-objects (issue 524)
    • Moved example Sample_EndToEndxWebAdministration from readme.md to a separate .ps1 in /examples/ (issue 491)
    • Removed example “Create and configure an application pool” from README.md (issue 489).
  • Changes to xIisHandler
    • Updated schema.mof to include descriptions for each property (issue 453).
    • Moved MSFT_xIisHandler localization strings to strings.psd1 (issue 463).
  • Changes to xWebSite
    • Fix Get-TargetResource so that LogFlags are returned as expected array of strings (one for each flag) rather than an array containing a single comma-separated string of flags (issue 332).
    • Moved localization strings to strings.psd1 file (issue 475)
    • Updated schema.mof so that each property has an appropriate description (issue 456).
    • Updated schema.mof and README so that SourceType and SourceName properties for MSFT_xLogCustomFieldInformation are associated with the appropriate descriptions and valuemaps/values (issue 456).
    • Move examples from README.md to resource examples folder (issue 487).
    • Fix case of resource name from xWebsite to xWebSite (issue 535).
  • Changes to xIISLogging
    • Fix Get-TargetResource so that LogFlags are returned as expected array of strings (one for each flag) rather than an array containing a single comma-separated string of flags (issue 332).
    • Moved MSFT_xIisLogging localization strings to strings.psd1 (issue 464).
  • Changes to xSslSettings
    • Updated casing of xSslSettings in all file names, folder names, schema, and documentation (issue 461).
    • Updated casing of xSslSettings in all file names, folder names, schema, and documentation (issue 536).
    • Moved MSFT_xSslSettings localization strings to strings.psd1 (issue 467).
  • Changes to xWebConfigKeyValue
    • Updated schema.mof to include a description for the Ensure property (issue 455).
    • Move localization strings to strings.psd1 file (issue 472).
  • Changes to xWebAppPoolDefaults
    • Move localization strings to strings.psd1 file (issue 470).
    • BREAKING CHANGE: Changed ApplyTo key parameter to IsSingleInstance to bring the resource into compliance with published best practices (issue 462).
  • Changes to xWebApplication
    • Move localization strings to strings.psd1 file (issue 468)
    • Add description on class MSFT_xWebApplicationAuthenticationInformation (issue 454).
  • Changes to xIisModule entry
    • Moved xIisModule localization strings to strings.psd1 (issue 466).
  • Changes to xIisMimeTypeMapping
    • Moved MSFT_xIisMimeTypeMapping localization strings to strings.psd1 (issue 465).
  • Changes to xWebVirtualDirectory
    • Moved MSFT_xWebVirtualDirectory localization strings to strings.psd1 (issue 477).
  • Changes to xWebSiteDefaults
    • Move localization strings to strings.psd1 file (issue 475).
    • BREAKING CHANGE: Changed ApplyTo key parameter to IsSingleInstance to bring the resource into compliance with published best practices (issue 457).
    • Fix case of resource name from xWebsiteDefaults to xWebSiteDefaults (issue 535).
  • Changes to xWebConfigProperty
    • Move localization strings to strings.psd1 file (issue 473).
  • Changes to xWebConfigPropertyCollection
    • Move localization strings to strings.psd1 file (issue 474).
  • Changes to xIisFeatureDelegation
    • Moved MSFT_xIisFeatureDelegation localization strings to strings.psd1 (issue 459).
  • Changes to xWebAppPool
    • Moved MSFT_xWebAppPool localization strings to strings.psd1 (issue 469).

How to Find Released DSC Resource Modules

To see a list of all released DSC Resource Kit modules, go to the PowerShell Gallery and display all modules tagged as DSCResourceKit. You can also enter a module’s name in the search box in the upper right corner of the PowerShell Gallery to find a specific module.

Of course, you can also always use PowerShellGet (available starting in WMF 5.0) to find modules with DSC Resources:

# To list all modules that tagged as DSCResourceKit
Find-Module -Tag DSCResourceKit 
# To list all DSC resources from all sources 
Find-DscResource

Please note only those modules released by the PowerShell Team are currently considered part of the ‘DSC Resource Kit’ regardless of the presence of the ‘DSC Resource Kit’ tag in the PowerShell Gallery.

To find a specific module, go directly to its URL on the PowerShell Gallery:
http://www.powershellgallery.com/packages/< module name >
For example:
http://www.powershellgallery.com/packages/xWebAdministration

How to Install DSC Resource Modules From the PowerShell Gallery

We recommend that you use PowerShellGet to install DSC resource modules:

Install-Module -Name < module name >

For example:

Install-Module -Name xWebAdministration

To update all previously installed modules at once, open an elevated PowerShell prompt and use this command:

Update-Module

After installing modules, you can discover all DSC resources available to your local system with this command:

Get-DscResource
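
As an added example (not from the post), the install steps above combined with a check of what actually landed and a configuration pinned to that version; it uses the ApplyTo to IsSingleInstance change that xWebAdministration 3.0.0.0 introduced for xWebAppPoolDefaults and xWebSiteDefaults (issues 457 and 462 in the release notes above). The property values in the configuration and the expectation that the module files are Authenticode-signed are illustrative assumptions, not taken from the release notes.

```powershell
# Added example, not from the post: install a Resource Kit module at a pinned
# version, check what landed, and compile a configuration against that exact
# schema. The resource property values and the assumption that the module
# files carry an Authenticode signature are illustrative.
$Name    = 'xWebAdministration'
$Version = '3.0.0.0'

# Pin the version: an unpinned Install-Module takes whatever is newest, and
# 3.0.0.0 is a breaking release for two resources.
Install-Module -Name $Name -RequiredVersion $Version -Scope AllUsers -Force

# Gallery metadata: who published it and which repository it came from.
Get-InstalledModule -Name $Name -RequiredVersion $Version |
    Select-Object Name, Version, Repository, Author, PublishedDate

# List any module file whose signature does not verify; if the publisher signs
# releases, nothing should be printed here.
$module = Get-Module -ListAvailable -Name $Name | Where-Object Version -eq $Version
Get-ChildItem -Path $module.ModuleBase -Recurse -Include *.psm1, *.psd1, *.ps1 |
    Get-AuthenticodeSignature |
    Where-Object Status -ne 'Valid' |
    Select-Object Status, Path

# The resources this version exposes (note xSslSettings and xWebSiteDefaults,
# whose casing changed in this release).
Get-DscResource -Module $Name | Select-Object Name, Version

Configuration IisDefaults
{
    # Importing by version keeps the node from compiling this against an
    # older module that still expects the ApplyTo key.
    Import-DscResource -ModuleName xWebAdministration -ModuleVersion 3.0.0.0

    Node 'localhost'
    {
        # 2.x wrote: ApplyTo = 'Machine'. 3.0.0.0 replaces that key with
        # IsSingleInstance = 'Yes' on both *Defaults resources.
        xWebSiteDefaults SiteDefaults
        {
            IsSingleInstance = 'Yes'
            LogFormat        = 'W3C'
        }

        xWebAppPoolDefaults PoolDefaults
        {
            IsSingleInstance      = 'Yes'
            ManagedRuntimeVersion = 'v4.0'
            IdentityType          = 'ApplicationPoolIdentity'
        }
    }
}

IisDefaults -OutputPath .\IisDefaults | Out-Null
Test-DscConfiguration -Path .\IisDefaults -Verbose
```

If the configuration still carries ApplyTo, compilation fails at the Import-DscResource step rather than at apply time, which is the point of pinning the version in both the install and the configuration.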

How to Find DSC Resource Modules on GitHub

All resource modules in the DSC Resource Kit are available open-source on GitHub.
You can see the most recent state of a resource module by visiting its GitHub page at:
https://github.com/PowerShell/< module name >
For example, for the CertificateDsc module, go to:
https://github.com/PowerShell/CertificateDsc.

All DSC modules are also listed as submodules of the DscResources repository in the DscResources folder and the xDscResources folder.

How to Contribute

You are more than welcome to contribute to the development of the DSC Resource Kit! There are several different ways you can help. You can create new DSC resources or modules, add test automation, improve documentation, fix existing issues, or open new ones.
See our contributing guide for more info on how to become a DSC Resource Kit contributor.

If you would like to help, please take a look at the list of open issues for the DscResources repository.
You can also check issues for specific resource modules by going to:
https://github.com/PowerShell/< module name >/issues
For example:
https://github.com/PowerShell/xPSDesiredStateConfiguration/issues

Your help in developing the DSC Resource Kit is invaluable to us!

Questions, comments?

If you’re looking into using PowerShell DSC, have questions or issues with a current resource, or would like a new resource, let us know in the comments below, on Twitter (@PowerShell_Team), or by creating an issue on GitHub.

Michael Greene
Principal Program Manager
PowerShell DSC Team
@migreene (Twitter)
@mgreenegit (GitHub)

The post DSC Resource Kit Release October 2019 appeared first on PowerShell.

Keep an Eye on Remote Access to Mailboxes, (Wed, Oct 30th)

BEC, or “Business Email Compromise”, has been a trending threat for a while. The idea is simple: a corporate mailbox (usually belonging to a C-level member) is compromised and used to send legitimate-looking emails to other employees or partners. That is the very first step of a fraud that can have a huge impact.

This morning, while drinking some coffee and reviewing my logs, I noticed a spike of rejected authentications against my mail server. Beyond the volume, and amongst the classic usernames, the bots also tried some interesting alternatives. If the username is “firstname”, I saw attempts to log in with:

firstname
okfirstname
mailfirstname
emailfirstname
firstnamemail
domain_firstname

And also the classic generic mailboxes (‘noreply’, ‘info’, ‘webmaster’, ‘admin’, etc.)

The peak of activity was interesting:

Email remains an easy attack vector and is often very easy to compromise. Access to a corporate mailbox can be disastrous, depending on what people keep in it (documents, passwords, pictures, etc.), and mail servers often remain reachable from the Internet. Keep an eye on remote access to mailboxes, especially for sensitive accounts! (Do you remember my diary about considering people as IOCs?[1])
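
As an added example (not from the diary), the username pattern above and the spike it came with can be turned into a small check over authentication-failure logs. The log lines, their Dovecot-like format, the year used to complete the syslog timestamps, the names and the source addresses are all constructed; the point is the two signals worth alerting on, a burst per source IP and any attempt against a sensitive account or one of its derived forms.

```python
"""Added example, not from the ISC diary: flag a burst of rejected logins per
source IP and the username variants the diary lists (okNAME, mailNAME,
emailNAME, NAMEmail, DOMAIN_NAME) from a few constructed Dovecot-style
'auth failed' lines. The log format, the year used to complete syslog
timestamps, the names and the addresses are all assumed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Oct 30 06:41:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7
Oct 30 06:41:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<okalice>, method=PLAIN, rip=203.0.113.7
Oct 30 06:41:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mailalice>, method=PLAIN, rip=203.0.113.7
Oct 30 06:41:12 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alicemail>, method=PLAIN, rip=203.0.113.7
Oct 30 06:41:15 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.7
Oct 30 07:15:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice>, method=PLAIN, rip=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*auth failed.*"
                     r"user=<(?P<user>[^>]*)>.*rip=(?P<ip>[\d.]+)")
PREFIXES, SUFFIXES = ("ok", "mail", "email"), ("mail",)
GENERIC = {"noreply", "info", "webmaster", "admin", "postmaster"}


def parse_auth_failures(text: str, year: int = 2019) -> list:
    """Syslog lines carry no year, so one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "user": m["user"].lower(), "ip": m["ip"]})
    return events


def is_variant(user: str, base: str) -> bool:
    """True if user is base itself or one of the derived forms seen in the wild."""
    u, b = user.lower(), base.lower()
    return (u == b or any(u == p + b for p in PREFIXES)
            or any(u == b + s for s in SUFFIXES) or u.endswith("_" + b))


def peak_in_window(times: list, window: timedelta) -> int:
    """Largest number of events falling inside any sliding window."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def report(text: str, protected: list, window: timedelta = timedelta(minutes=5),
           threshold: int = 3) -> dict:
    """Per source IP: burst size, protected users (or variants) and generic
    mailboxes it tried. An IP is reported if it bursts or touches a protected
    name even once, which is the 'keep an eye on sensitive accounts' point."""
    by_ip = defaultdict(list)
    for e in parse_auth_failures(text):
        by_ip[e["ip"]].append(e)
    out = {}
    for ip, evs in by_ip.items():
        hits = sorted({e["user"] for e in evs
                       if any(is_variant(e["user"], p) for p in protected)})
        generic = sorted({e["user"] for e in evs if e["user"] in GENERIC})
        peak = peak_in_window([e["ts"] for e in evs], window)
        if peak >= threshold or hits:
            out[ip] = {"peak": peak, "protected_hits": hits, "generic": generic}
    return out


if __name__ == "__main__":
    for ip, summary in report(SAMPLE_LOG, ["alice"]).items():
        print(ip, summary)
```

The second source address never bursts, so a pure rate threshold would miss it; it is reported because it went straight for a protected name, which is the kind of low-and-slow probing against a C-level mailbox that precedes a BEC.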

[1] https://isc.sans.edu/forums/diary/May+People+Be+Considered+as+IOC/25166/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Generating PCAP Files from YAML, (Tue, Oct 29th)

The PCAP[1] file format is everywhere. Many applications generate PCAP files based on information collected on the network. Then, they can be used as evidence, as another data source for investigations and much more. There exist plenty of tools[2] to work with PCAP files. Common operations are to anonymize captured traffic and replay it against another tool for testing purposes (demos, lab, PoC).

When you anonymize a PCAP file, the goal is to replace the IP addresses with other ones (the classic operation is to rewrite the first octet to 10, turning the address into a private, non-Internet-routable one). However, the payload may contain sensitive data that is much harder to sanitize. Last week, I attended the hack.lu[3] conference in Luxembourg and, during the lightning talks session, an interesting tool was demonstrated: pCraft. It can be described as a “PCAP file generator from a scenario described in YAML[4]”. The idea behind this tool is to describe a scenario of network actions that is then translated into a fully working PCAP file.

Here is a quick example to demonstrate how to test an IDS rule:

start: GenerateNewDomain

GenerateNewDomain:
  _plugin: GenerateNewDomain
  _next: DNSConnection

DNSConnection:
  _plugin: DNSConnection
  sleep: {"once-finished": 1}
  _next: HTTPConnection

HTTPConnection:
  _plugin: HTTPConnection
  method: GET
  uri: "/shell?busybox"
  user-agent: "Mozilla/5.0"
  _next: done

The script is easy to understand: we generate a random domain name, resolve it, then send an HTTP request to the server with a suspicious URI.

Let’s generate the PCAP file:

# ./pcraft.py test.yaml test.pcap
['PCraft/plugins/HTTPConnection.py', 'PCraft/plugins/DNSConnection.py', 'PCraft/plugins/TcpRst.py', 'PCraft/plugins/HTTPPostConnection.py', 'PCraft/plugins/PcapImport.py', 'PCraft/plugins/Ping.py', 'PCraft/plugins/GenerateNewDomain.py', 'PCraft/plugins/Cheat.py', 'PCraft/plugins/SMTPReceive.py']
All plugins loaded!
Opening Script File test.yaml
[2019-10-28 18:01:35.324952] Executing: Generate_a_new_domain
[2019-10-28 18:01:35.367461] Executing: DNSConnection
[2019-10-28 18:01:35.368882] Executing: HTTPConnection
[2019-10-28 18:01:36.984010] Executing: done

The PCAP file can now be used to test our IDS or any other application.

Let’s open it in Wireshark and inspect the HTTP request:

pCraft is written in Python and, if you check the required modules, you will see that it relies on scapy[5] to generate the packets and the PCAP file. Not many types of traffic are supported at the moment but, because it is plugin-based, it is easy to extend. The current list of plugins is:

  • DNSConnection
  • GenerateNewDomain
  • HTTPConnection
  • HTTPPostConnection
  • PCAPImport
  • Ping
  • TcpRst

pCraft has been developed by Sébastien Tricaud and is available on github[6]. Great tool!
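
As an added example (not pCraft’s code and not from the diary), the same scenario, a DNS lookup followed by a GET with the suspicious URI, can be written to a PCAP with nothing but the Python standard library, which also shows what the file format in [1] actually contains. The MAC addresses, IP addresses, domain and ports are constructed, and the TCP side is reduced to a single PSH/ACK segment rather than a full session, so the file will trigger payload signatures but not rules that need stream reassembly.

```python
"""Added example, not part of pCraft or the ISC diary: synthesize the scenario
above (DNS lookup of a fresh domain, then GET /shell?busybox) as a PCAP file
with the standard library only, following the libpcap file format linked in
[1]. MACs, addresses, the domain and the port numbers are constructed sample
values; TCP is reduced to a single PSH/ACK segment with no handshake, which
is enough for payload signatures but not for stream-reassembling IDS rules."""
import struct
import time

SRC_MAC, DST_MAC = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000bb02")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum shared by IPv4, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, proto, length)


def udp(src, dst, sport, dport, payload):
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = checksum(pseudo_header(src, dst, 17, length) + hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def tcp(src, dst, sport, dport, seq, ack, flags, payload):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    csum = checksum(pseudo_header(src, dst, 6, 20 + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def dns_query(name: str, txid: int = 0xBEEF) -> bytes:
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def ethernet(payload: bytes) -> bytes:
    return DST_MAC + SRC_MAC + b"\x08\x00" + payload      # EtherType IPv4


def build_scenario(client="10.0.0.5", resolver="10.0.0.1", server="10.0.0.80",
                   domain="xk7q2v.example", uri="/shell?busybox", ua="Mozilla/5.0") -> list:
    """Frames in order: the DNS query, then the HTTP GET with the suspicious URI."""
    dns = udp(client, resolver, 53211, 53, dns_query(domain))
    req = f"GET {uri} HTTP/1.1\r\nHost: {domain}\r\nUser-Agent: {ua}\r\n\r\n".encode()
    http = tcp(client, server, 40000, 80, 1000, 2000, 0x18, req)    # PSH|ACK
    return [ethernet(ipv4(client, resolver, 17, dns)),
            ethernet(ipv4(client, server, 6, http))]


def pcap_bytes(frames: list, t0: float = None) -> bytes:
    """libpcap file: 24-byte global header, then a 16-byte record header
    (ts_sec, ts_usec, caplen, len) in front of each frame, one second apart."""
    t0 = time.time() if t0 is None else t0
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # LINKTYPE_ETHERNET
    for i, frame in enumerate(frames):
        ts = t0 + i
        out.append(struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000),
                               len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data: bytes) -> list:
    """Minimal reader: returns the raw frames so the file can be checked."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    frames, off = [], 24
    while off < len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames


if __name__ == "__main__":
    with open("test.pcap", "wb") as fh:
        fh.write(pcap_bytes(build_scenario()))
    print("wrote test.pcap; open it in Wireshark or feed it to your IDS")
```

Because every checksum is computed, Wireshark shows the frames as clean rather than flagging them, which matters when the file is replayed at a sensor that drops packets with bad checksums; the missing handshake is the deliberate shortcut, and the place to start if you need a stateful tool to accept the flow.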

[1] https://wiki.wireshark.org/Development/LibpcapFileFormat
[2] https://n0where.net/best-pcap-tools
[3] https://2019.hack.lu/
[4] https://en.wikipedia.org/wiki/YAML
[5] https://scapy.net/
[6] https://github.com/DevoInc/pCraft

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Bridging the Gap Between NHS and Public Cloud with VMware Cloud on AWS

Following on from How VMware is Accelerating NHS Cloud Adoption, this post dives into more detail around how the UK National Health Service (NHS) can use VMware Cloud on AWS to bridge the gap between existing investments and Public Cloud. Part 1: How VMware is Accelerating NHS Cloud Adoption Part 2: Bridging the Gap Between NHS […]