Welcome!

How secure is your network?

David Dodd

Subscribe to David Dodd: eMailAlertsEmail Alerts
Get David Dodd via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Top Stories by David Dodd

Having your network environment protected with the latest virus protection, control what software is installed and allowed to run, restrict ingress and egress network access, protect web browsing, limit user account access, update security patches, change management practices, etc. All these efforts are critical to follow in the corporate environment but all will fall short if you don't have the proper monitoring in place to detect badness on your network and to respond quickly and effectively when it happens. When your network has the proper monitoring in place and knowledgeable engineers to monitor for outbreaks you will begin to have better visibility of how network traffic flows in your environment. When you understand how traffic flows on your network you can respond better when badness happens. I will demonstrate how to use a number of tools to analyze a memory... (more)

Malware Analysis | Part 2

In a previous article [1], I described how to obtain a memory image from a Windows computer that would allow forensic analysis. I briefly discussed using F-Response TACTICAL [2] to get the memory image, and then Volatility [3] and Mandiant Redline [4] for further investigation. In this paper, I dive more deeply into Redline and Volatility. To begin, I review a raw memory dump of a known malware variant (see the "Malware Image" box) with Mandiant Redline. After firing up Redline, I chose By Analyzing a Saved Memory File under Analyze Data and browsed to the location of the memory... (more)

Planning, Scoping and Recon Techniques

The purpose of this article is to describe some tools and techniques in performing the planning, scoping, and recon portion of a penetration test. In covering these tools and techniques the reader will learn how to use them to find vulnerabilities in their organization and help improve security posture. Some other names for this first phase of penetration testing are; OSINT (Open Source Intelligence), Footprinting, Discovery, and Cyberstalking. Introduction During reconnaissance we'll gather information from public sources to learn about the target and try to find what is importan... (more)

Network Security: Arp Cache Poisoning and Sniffing Packets

In a switched network environment packets are sent to their destination port by MAC address. This requires that hardware be able to create and maintain a table associating MAC addresses to ports. In a switched environment packets are only sent to devices that they are meant for. Even in this switched environment there are ways to sniff other devices' packets. One such way is to spoof your MAC address and poison the arp table. Since there is no state information about ARP traffic kept, as it's a simple protocol, the arp cache can be overwritten (unless the entry was explicitly mar... (more)

Intruder Detection with tcpdump

To capture, parse, and analyze traffic tcpdump is a very powerful tool. To begin a basic capture uses the following syntax. tcpdump -n –i -s -n      tells tcpdump to not resolve IP addresses to domain names and port numbers to service names. -I       tells tcpdump which interface to use. -s      tells tcpdump how much of the packet to record. I used 1515 but 1514 is sufficient for most cases. If you don’t specify a size then it will only capture the first 68 bytes of each packet. A snaplen value of 0 which will use the required length to ... (more)