PCAPs Resources
• Download PCAPs
○ Free PCAPS: https://www.netresec.com/?page=PcapFiles
○ SecRepo: https://www.secrepo.com/
• ICS Port Numbers
○ IPv4 Multicast Addresses
§ https://www.iana.org/assignments/multicast-addresses/multicast-addresses.txt
○ Old Digital Bond: https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md
| # Vendor Documentation | |
| * User manauals and administrative documents for all equiment | |
| # Python Tools | |
| * CPPPO - CIP module | |
| * pyModbus - modbus module | |
| * OPCUA - opc-ua module |
| #!/usr/bin/env python | |
| # encoding: utf-8 | |
| """ | |
| Adapted from spi_test.py by Sean Nelson on 2009-10-14. | |
| Modified by Don C. Weber (cutaway) and InGuardians, Inc. 20141015 | |
| This file is part of pyBusPirate. | |
| pyBusPirate is free software: you can redistribute it and/or modify | |
| it under the terms of the GNU General Public License as published by |
| #!/usr/bin/env python | |
| # encoding: utf-8 | |
| """ | |
| Adapted from i2c-test.py from Peter Huewe by Jean-Michel Picod | |
| Modified by Don C. Weber (cutaway) and InGuardians, Inc. 20141015 | |
| This file is part of pyBusPirate. | |
| pyBusPirate is free software: you can redistribute it and/or modify | |
| it under the terms of the GNU General Public License as published by |
When doing forensics, the challenge usually is how can we access data when there are restrictions to the ways we can access the data. For instance, we have recently acquired a Linux disk formatted using EXT3. The acquired disk is a raw image file that is easily mountable in Linux for review (yes, I'm not talking forensic analysis tools).
mount -o ro,loop /media/USB/<image.dd> /mnt
This command will mount the image read-only and we can do our analysis of the contents. Remember when you are doing a "stat" or "ls" on the file you'll want to use the "-n" option so that it doesn't use the local systems UID mappings and just displays the number associated with that file.
But, what if you have to give that drive to someone so THEY can review the contents? And, what if that person is a Windows-only person? Windows does not have a build in method for mounting raw images let alone understanding EXT3 filesystems. Thus, you have to think "outside-the-box".
| from mitmproxy import http | |
| import paramiko | |
| # Original Example: https://stackoverflow.com/questions/27369144/use-mitmproxy-to-translate-a-form-key-value-to-a-body-post | |
| DEBUG = False | |
| #DEBUG = True | |
| class GetRTUCreds: | |
| localhost = '127.0.0.1' |
| ########################### | |
| # Bash ~/.bashrc | |
| ########################### | |
| function CONPS() { | |
| n=$1 | |
| export PS1='\n$n \D{%F %T}\n> ' | |
| } | |
| alias consult00='CONPS Consult00; cd ~/Documents/consult00' |
| Disable Windows Defender | |
| NOTE: These settings may be permeant. | |
| • Get-MpComputerStatus | |
| • Set-MpPreference -DisableRealtimeMonitoring $true | |
| • Set-MpPreference -DisableBehaviorMonitoring $true | |
| • Set-MpPreference -DisableIntrusionPreventionSystem $true | |
| • Set-MpPreference -DisableIOAVProtection $true | |
| • Set-MpPreference -DisableScriptScanning $true | |
| • Get-MpComputerStatus |
| #!/usr/bin/env python | |
| """ | |
| Name: extract_java_server_faces_viewstate | |
| Purpose: Extract and parse the Java Server Faces viewstate | |
| Date: 20150620 | |
| Author: Don C. Weber (@cutaway) of InGuardians, Inc. | |
| Resources: | |
| http://wiki.apache.org/myfaces/Secure_Your_Application |
| escape ^aa | |
| vbell on # default: off | |
| vbell_msg " -- Ring, Ring!! -- " # default: "Wuff,Wuff!!" | |
| autodetach on # default: on | |
| startup_message off # default: on | |
| crlf off # default: off | |
| multiuser on | |
| deflog on | |
| defscrollback 1000 # default: 100 | |
| silencewait 15 # default: 30 |