PaulDotCom mailing list archives

Blue Team Tactics


From: rbutturini at epictn.com (Russell Butturini)
Date: Tue, 28 Jul 2009 13:44:41 -0500

How much of this complies with John's "command line only" rules? Sure
you can invoke MRTG from the command line, but you still need the
browser to view the output ;-)
If the rules are command line only still, I think you'd have to say
carry around telnet/SSH clients that can be invoked from the command
line in your toolkit, then log into your infrastructure devices and
observe the NBAR/NetFlow data manually.  
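Reading a flow cache by hand over SSH is fine for a handful of rows, but it helps to have something that turns a pasted table into a ranking. The script below is an added example, not code from this thread or from any tool named in it: it parses constructed sample rows laid out like the tabular output of Cisco's `show ip cache flow` (interface, address, protocol and port columns, with protocol and ports in hex) and reports top talkers, top destination ports, and flows to well-known ports that are not on an allow list. The column layout is an assumption about that command's output, the sample rows are constructed, and the function names are mine.

```python
#!/usr/bin/env python3
"""Summarize a pasted flow-cache table into top talkers and top ports.

Added example for this thread, not code from the list or from any tool
named in it. The column layout below is an ASSUMPTION modelled on the
tabular output of Cisco's `show ip cache flow` (protocol and ports in
hex); the sample rows are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Flow = Dict[str, object]

# Constructed sample: header line followed by five flow rows.
SAMPLE_FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.5        Fa0/1         192.168.1.10    06 0BA4 0050     12
Fa0/0         10.1.1.5        Fa0/1         192.168.1.10    06 0BA5 0050      9
Fa0/0         10.1.1.7        Fa0/1         192.168.1.20    06 C3A1 0016    140
Fa0/0         10.1.1.9        Fa0/1         192.168.1.10    11 0035 0035      3
Fa0/1         192.168.1.10    Fa0/0         10.1.1.5        06 0050 0BA4     11
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow_rows(text: str) -> List[Flow]:
    """Turn the pasted table into dicts; hex columns become ints.

    The header line and anything without exactly eight well-formed
    fields is skipped, so a prompt or banner pasted along with the
    table does not break the summary.
    """
    rows: List[Flow] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "SrcIf":
            continue
        src_if, src_ip, dst_if, dst_ip, proto, sport, dport, pkts = fields
        try:
            rows.append({
                "src_if": src_if, "src_ip": src_ip,
                "dst_if": dst_if, "dst_ip": dst_ip,
                "proto": int(proto, 16),
                "sport": int(sport, 16),
                "dport": int(dport, 16),
                "pkts": int(pkts),
            })
        except ValueError:
            continue  # malformed row, skip it
    return rows


def proto_port(flow: Flow) -> str:
    """Render e.g. 'tcp/22' from the numeric protocol and destination port."""
    name = PROTO_NAMES.get(flow["proto"], str(flow["proto"]))
    return f"{name}/{flow['dport']}"


def top_talkers(rows: Iterable[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses ranked by total packets sent."""
    counts: Counter = Counter()
    for flow in rows:
        counts[flow["src_ip"]] += flow["pkts"]
    return counts.most_common(n)


def top_dst_ports(rows: Iterable[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Destination protocol/port pairs ranked by total packets."""
    counts: Counter = Counter()
    for flow in rows:
        counts[proto_port(flow)] += flow["pkts"]
    return counts.most_common(n)


def flag_unexpected_dst_ports(rows: Iterable[Flow], allowed: Set[int]
                              ) -> List[Tuple[str, str, str, int]]:
    """Flows to a well-known port (< 1024) that is not on the allow list.

    Ports >= 1024 are treated as ephemeral so that the reply half of a
    permitted session (server port -> client's ephemeral port) does not
    show up as a finding.
    """
    findings = []
    for flow in rows:
        if flow["dport"] < 1024 and flow["dport"] not in allowed:
            findings.append((flow["src_ip"], flow["dst_ip"],
                             proto_port(flow), flow["pkts"]))
    return findings


if __name__ == "__main__":
    flows = parse_flow_rows(SAMPLE_FLOW_CACHE)
    print("top talkers:", top_talkers(flows))
    print("top dst ports:", top_dst_ports(flows))
    print("unexpected:", flag_unexpected_dst_ports(flows, {53, 80, 443}))
```

Paste the real table into a file and pass its contents to `parse_flow_rows` in place of the constructed sample. The ephemeral-port cutoff in `flag_unexpected_dst_ports` is a deliberate simplification: it keeps the return traffic of allowed sessions out of the findings, at the cost of not flagging services that listen above port 1023, so add those to the allow-list logic if they matter on your network.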
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Tim
Mugherini
Sent: Tuesday, July 28, 2009 11:56 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics
Very nice. Does Autopatcher allow you to manually copy over patches
(already have many downloaded)?

To add some:

Again Sysinternals Tools: Process Monitor, PSTools, TCPView
Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter
Nessus - Home Feed of course
Dumpsec - NTFS File Permission dumper
Your favorite free sniffer - Wireshark, etc.
MRTG - Router bandwidth monitoring
AVG or other decent free AV
Snort
On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez
<carlos_perez at darkoperator.com> wrote:

8 GB stick prepared with autopatcher (http://www.autopatcher.com/).
I would have patches for all versions of Windows.

I would also place portable Firefox and XAMPP in case I need to migrate
an Apache LAMP server to an updated version, since I have seen a trend of
putting Apache on Windows in this competition. Also place several
pre-made security templates for use with GPO or local application, the
UrlScan installer and pre-made urlscan.ini files, the Comodo free firewall
installer and the NSA Cisco templates, ACL templates, Nipper for
checking the Cisco equipment config quickly, and some PVLAN sample
configs. KeePass for password storage and generation.


That is what comes to mind now.


On Tue, Jul 28, 2009 at 8:54 AM, John Strand <strandjs at gmail.com> wrote:

        Please! PSW land! Share your Blue Team tactics!

        What tools, scripts, and techniques do you use as part of
        Incident Response and Blue Team activities?

        I have sat in on one too many Red/Blue/CTF games where the Red
        team gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Abel,
        Ettercap, Dsniff, Hydra, Ophcrack, Nmap, BT4 and various torture
        techniques (including IronGeek's rubber hoses) and the Blue team
        gets....

        "An un-patched Windows 2000 box and a slew of un-patched
        software!!!!!"

        Please see the following video for reference:

        http://www.youtube.com/watch?v=Y77n--Af1qo

        Yeah... That's right.... As of today the Blue Team is what you get
        assigned to when you are caught stuffing peas up your nose.

        This stops today!!!

        There are a few rules. Tricks and scripts must be able to run
        at the command line of your operating system of choice and all tools
        must be freeware or open source.

        That's it!!!

        Look, the Blue Team can rock!!! So please share your tricks.

        I am going to collect and add to them so we have a solid list
        and this will serve as the playbook for the Blues going forward.

        Be expecting this on the PDC site soon.

        strandjs

        _______________________________________________
        Pauldotcom mailing list
        Pauldotcom at mail.pauldotcom.com
        http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
        Main Web Site: http://pauldotcom.com