One Article Review

Home - The article:
Source SANS Institute
Identifier 260988
Publication date 2016-11-27 19:24:01 (viewed: 2016-11-27 19:24:01)
Title Scapy vs. CozyDuke, (Sun, Nov 27th)
Text In continuation of observations from my GIAC Security Expert re-certification process, I'll focus here on a GCIA-centric topic: Scapy. Scapy is essential to the packet analyst skill set on so many levels. For your convenience, the Packetrix VM comes preconfigured with Scapy and Snort, so you're ready to go out of the gate if you'd like to follow along for a quick introduction. Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. This includes the ability to handle most tasks such as scanning, tracerouting, probing, unit tests, attacks or network discovery, thus replacing functionality expected from hping, 85% of nmap, arpspoof, tcpdump, and others. If you'd really like to dig in, grab TJ O'Connor's Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers (you should already have it), as first discussed here in January 2013. TJ loves him some Scapy: Detecting and Responding to Data Link Layer Attacks is another reference. :-) You can also familiarize yourself with Scapy's syntax in short order with the SANS Scapy Cheat Sheet as well. Judy Novak's SANS GIAC Certified Intrusion Analyst Day 5 content offers a nice set of walk-throughs using Scapy, and given that it is copyrighted and private material, I won't share them here, but will follow a similar path so you have something to play along with at home. We'll use a real-world APT scenario given recent and unprecedented Russian meddling in American politics. According to SC Magazine, Russian government hackers apparently broke into the Democratic National Committee (DNC) computer systems in infiltrations believed to be the work of two different Russian groups, namely Cozy Bear/CozyDuke/APT 29 and Fancy Bear/Sofacy/APT 28, working separately.
As is often the case, ironically and consistently, one of the best overviews of CozyDuke behaviors comes via Kaspersky. […]
syn = IP(src="10.0.2.15", dst="209.200.83.43")/TCP(sport=1337, dport=80, flags="S")/"GET /ajax/index.php HTTP/1.1" […]
wrpcap("/tmp/CozyDukeC2GET.pcap", syn), as seen in Figure 2. […]
ls(IP) […]
Figure 4: ls() […]
If you […]
@holisticinfosec
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Sent Yes
Tags
Stories APT 29 APT 28


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.