Tag Archives: hats off security

SMB Tree Connect/Response Details

If you want to play along at home, the sample PCAP I will be using for SMB2+ is here, the SMB v1 PCAP is not something I can give away sadly. Tree Connect Request/Response When the SMB protocol connects to … Continue reading

Posted in Network Analytics, Network Forensics, SMB | Tagged , , , | Leave a comment

SMBv2+ SYNC Header Explained

SMB2 Header The SMB2 Header will either be ASYNC or SYNC, you need to look this up from the flags. SYNC is the most common header as this can be in the form of a request or a response, where … Continue reading

Posted in Network Analytics, Network Forensics, SMB | Tagged , , , , | Leave a comment

SMB Quick Introduction

SMB There are currently 3 major versions of SMB version 3 is quite new (2012) and has been implemented on the latest versions of Windows (8, 2012), Samba 4.1+ and macOS 10.10 Yosemite. I say ‘quite new’ as it takes … Continue reading

Posted in Network Analytics, Network Forensics, SMB | Tagged , , , | Leave a comment

Ringzer0team – Forensics Challenge 35 – Poor internet connection

This writeup is to explain how to get the answer (flag) to the Forensic Challenge named “Poor Internet Connection” I will not be posting the flag here as I am giving you all of the instructions to get it yourself! … Continue reading

Posted in Competitions, Cyber, Network Analytics, Network Forensics, PCAP Analysis | Tagged , , , , , , | 1 Comment

TTLs and where to find them

Recently I have been conducted a lot of interviews for SOC Analysts; one of the questions I ask is as follows: You are reviewing your DNS logs and find an answer to a DNS query which shows rabbitcoldhotel.evil.com on <AnyExternalIP> … Continue reading

Posted in Network Analytics, Network Forensics | Tagged , , , , | 2 Comments

Windows Spotlight Image Location

Bit of a change from my typical security related posts. I was hunting around on my machine for a new blog post when I stumbled across a folder full of oddly named files. The files were named as their SHA1 … Continue reading

Posted in Content Delivery Manager, Windows Spotlight | Tagged , , , , , | 1 Comment

OpenDoor Scanner vs SimpleHTTPServer (PCAP)

Often when analysing attacks, scans or just general traffic it is difficult to identify the specific tool or technique in use. This is simply because there isn’t a reference database for every tool. So I thought I would upload a … Continue reading

Posted in Network Forensics, PCAP Analysis, Research, Wireshark | Tagged , , , , , | 1 Comment

Cyber Security Challenge Masterclass 2016

This year’s Cyber Security Challenge Masterclass saw over 40 contestants battling to become crowned the winner. I was fortunate enough to be invited as an assessor for the whole event. What follows are my views and interpretation of the event. … Continue reading

Posted in Competition, Cyber, Cyber Security Challenge, Memory Forensics, Network Forensics, Pen Testing, Windows Forensics, Wireshark | Tagged , , , , , , , , , | 1 Comment

Flash Cookies – aka Locally Shared Objects

Flash Cookie Location [Throughout this article I will use the term ‘flash cookie’ over ‘LSO’ as these posts are currently about finding and removing cookies] %AppData%\Macromedia\Flash Player\#SharedObjects\<random text>\ Under this folder you will a list of the sites which have … Continue reading

Posted in Browser Forensics, Cookies, Firefox | Tagged , , , , | Leave a comment

HTTP Cookies – Part 4 – Safari Cookies

Safari Location Pretty sure this location has been the same for a number of years now, if not let me know in the comments: ~/libraries/cookies Removing Safari Cookies I am not a MAC expert, so I am going to bow … Continue reading

Posted in Browser Forensics, Cookies, Safari | Tagged , , , , , | Leave a comment