Fireside Fridays

We all have gaps in our security knowledge. Fireside Fridays is an opportunity to fill in those gaps. Each Friday we will pick a topic and go over the basics in a webcast. These sessions will be a combination of lecture and hands on labs. We’ll cover a single topic and hopefully fill in some of those cracks. Think of it as a single focused “ask us anything” session. No judgment on the questions that get asked, just a chance to raise the bar for all of us.
Below is an archive of previous Fireside Friday webcast recordings, including additional content and transcripts.
(The schedule of future Fireside Fridays webcasts is over here.)
Fireside Friday – Windows Command Line
January 10, 2025
Transcript:
I also wanted to give a really special thank you to Herman, AKA HK, and I noticed he's here, along with Emily, who goes by fire serpent on Discord. They have spent the last couple of months, in the middle of the night actually for Herman... dude, correct me if I'm wrong, but I think you were helping me out at like 3:00 a.m. your time, so he was literally sleeping in his office to make sure he could help develop this content and still make it to his work on time. So I just really appreciate the effort, folks. I never want anyone to feel like, "oh, Chris did everything, Chris does everything." No, not even freaking close, not even freaking close, and this is a great example of that. So Herman and Emily, very much appreciate it, and to everybody else, if you see them online, please give them a pat on the back.

So, requirements today: pretty straightforward. You need access to a Windows system, and you need access to the command prompt. Having administrative access would be helpful, but if you don't, you can still do about 90 to 95% of what we're going to cover.

So what's up with this series, what is this? As Keith mentioned, we've done Fireside Fridays internally within Active Countermeasures, and the concept has always been, hey, let's raise each other up. Everybody knows stuff that few other people do, so it's always a good idea to help each other out and cut the curve on learning, because that just benefits everybody. A good example was, a couple of years ago I did a class internally on Docker: hey, this is Docker, this is how it works, this is what it does. And it was shortly after that we started converting everything to using Docker. Awesome. So this is an attempt to extend that out to the public eye. The other thing I've noticed too is, especially in the ask me anything sessions, we all have gaps in our knowledge base. We know the main part of the topic, but there are these little missing pieces here and there, and what I wanted to do is a series of classes around filling in those missing pieces. I'm not trying to replace any of the training that takes place over on Antisyphon. What I'm trying to do is create a good foundational class that will give you the tools you need to be able to walk into an Antisyphon class or something else and be successful as part of that.

For a lot of these, I'm going to try and keep the lab simple so that it's really easy to set up and get going. I want to avoid the "hey, go download this eight-gig VM and figure out how to get it to work with your hypervisor." I want to make this something that folks can come hang out for during lunchtime on a Friday and do some pretty simple labs. I'm going to primarily focus on network security. Why? Because this is the glue that holds everything together. Regardless of whether you're blue team or red team, if something's not working, it's probably going to be something on the network, or at the very least the network becomes a troubleshooting point to figure it out. So a lot of this stuff will revolve around how networks work, how packets flow back and forth, and how we work with that stuff, but we're certainly going to be doing things on the host side as well. I also want to make sure I fill in some of the things that sometimes we wing, where there might be better ways to do it. Risk analysis is probably a good example of that. When your boss comes to you and says, "hey, so what do we need to protect that server?" most of us kind of guess. Well, there are actually quantitative and qualitative accepted methods to do a true evaluation on that, and that'll get you a little bit closer on target. So we'll be covering topics like that as well. Why focus on security network design? I already went through and talked about this. Best practices? Yeah, definitely, Eric, we're going to hit some of those as well. But today we're going to start simple, and we're going to start just by working with stuff on the Windows command line.

So what I want you to do is open up a Windows command prompt, preferably with administrative access. The way to do that is drop a copy of the icon on your desktop, right-click on that, and then select "Run as administrator." It'll pop up and say, "hey, this wants to run as administrator." Go in and tell it yes, I did that on purpose, it's okay to let that run. Once you do that, you should be sitting at a command prompt in pretty good shape. Now let me get mine up and running here
too. There we go. There it is, there it is. So all I did was right-click, Run as administrator, and bang, this puts me here.

Just a quick description of where we are. We're in the Windows System32 directory. Directories can be nested underneath each other; think of this as a tree with branches. The C drive is kind of like the main core of that tree, all the directories underneath it are branches, and on all of these branches we can save files. So if I type in something like dir, that'll show me whatever files happen to be located within System32.

What I'm going to do for a lot of these is work in the temp directory. If you type in cd .. (cd, space, dot dot), that navigates you up one spot. If I type it again, that'll get me all the way up to the root of the C drive, and then if I do a dir here I can see what files and directories are located at this location. Notice I've got a directory named temp. The way to create one is just mkdir and then the name of the directory that you want to create. So if I wanted to create a temp2, I could do that, and now when I do my listing you can see I've got a temp and a temp2 directory here. Great. I'm going to move into temp just to be in an area without any files, so I don't accidentally break anything.

Now, if you move back and forth between Windows and Linux, or if you've worked with Linux at all, one of the things we like to take advantage of a lot is autocomplete. Autocomplete is simply the ability... "Can we get the text a little bigger in the video?" I can try. I already tried expanding it, but I've got to leave it small enough that stuff still fits on the screen. Let me go up one level here. There we go, see if that makes it a little bit more legible for folks, and I'll go full screen. But I want to make sure that, if you can, you let me know in the channel if that's... sometimes Zoom cuts off the last line, so can you see C:\temp below that? "Looks good." Awesome. All right, so this should give you a bigger font to work with; this should make it a little bit easier to work with this stuff.

So yeah, we started on autocomplete. What's that? Autocomplete is just the ability to type out the rest of a command. For example, if I type in the letter n and then hit Tab... make a liar out of me. Do I just... okay, see, even folks like me still learn stuff on occasion. Why isn't that working? "Is it just PowerShell that has autocomplete?" No, it's not just PowerShell. It should be available on the prompt as well, and in fact I ran through and tested it earlier and it worked just fine. It's almost like I don't have a path statement. Yeah, I do. Something's up with my shell. Let me close that and run that again. Let me try it here. Here we go. Okay, so I'm back in my temp directory. If I type the letter n... oh, this should be showing me stuff off my path too. "Capital N?" Yeah, that shouldn't matter, that shouldn't matter. "It may just only work in PowerShell." It should, it should... yeah, see, it is working here.

Okay, so here's what I'm running into, a little bit of a brain fart here. Autocomplete with Linux looks at your path, so it'll start in your path statement. If I type the letter n on Linux and then hit Tab, it looks at my path statement and says, okay, let me show you everything that has to do with n that's located in your path. With Windows, it looks at the local directory. So the reason it's working here and it wasn't working in the temp directory was that in the temp directory I didn't have any files that were named n. I've got to be in a directory that has that file information in it. The other thing that's a little bit different about autocomplete with Windows is that with Linux, when I type in n, if I hit the Tab key twice it'll show me all of the n possibilities and it won't show me anything more. If I continue to hit Tab on Windows, you'll notice it's just going to sit here and keep cycling through all the possibilities that start with the letter n, so it'll actually try to give you the full command. Is that better, is that worse? That's totally up to you, as far as what you think is a good idea and what's not.

I can also use my up arrow and my down arrow to scroll through commands that I've typed in the past. For example, I just up-arrowed to my cd C:\ command and now I can hit Enter on that. This works a little bit differently versus Linux as well. With Linux, when I hit the up arrow it always goes back to the last command I typed. With Windows, let's say I have 10 commands I've typed, and I hit the up arrow and go back to command number five; the next time I hit the up arrow it's going to try to pick up again at that point, five commands back. So that's a little bit different than what you get on the Linux side as well. "Wish there was more control in autocomplete." Yeah, I agree, I agree. I think some of what Microsoft does on the command prompt is from the perspective of "we're going to do this just because people want something, but we're not going to put a whole lot of time or effort into the whole thing."

So if I type in dir, that's showing me, hey, I'm in an empty directory right now. That's perfectly fine.
If I want to see what command line switches dir supports, I type in dir, and now we've got a couple of possibilities. This might be -h... nope. This might be -?... nope. This might be /h... nope. This might be /?... oh hey, look, that worked. So I did that probably in the reverse order that you want to; /? is a good place to start if you're looking for the online help, but any one of those four commands is a possibility when you're working with Windows stuff. It's not as consistent as "man something" if you were on the Linux side to get help with the command. It's going to be worked in as a switch, and it might be a backslash, it might be a dash, it might be an h, it might be a question mark. Go through all those four and you'll end up running into something that works for you. If I want to clear the screen, cls will do that for me, so that'll get me back to having an open screen.

If I want to look at the contents of a file, I have a couple of possibilities. First let's create a file, a real simple file. I'm going to use the echo command for that. With Linux I need to put quotes around what I want to echo; with Windows I don't. So I'm just going to type in echo and then type in the contents of what I want to put in the file. I'm just going to say "this is just a regular file". Now I need to tell it where I want to send that information. I'm going to say greater-than, and that tells it I want to redirect that information. Where do I want it to redirect to? Well, I have to give it a file name to redirect it to, and the file I want to redirect it to is just foo.txt, just because foo is always something for me that, if I see it, I know it's okay to delete. In other words, foo is always my scrap file name, so anytime I'm trying to clean something up, anything that is named foo I know I can easily delete and it's not going to cause any problems. All right, so now I'm going to hit Enter on this. Now if I type my dir command again, hey, I have a file named foo.txt that's 30 bytes in size, and if I went through and counted I'd probably have 30 characters in there; that's where my 30 bytes are coming from.

Now how could I view that file? Well, I have a couple of options. I could type in "type", and I'm just going to type in fo and hit Tab, and that'll fill in the full name for me, and see, there are my contents right there: this is a regular file. I could also do "more foo.txt", and when I use the more command, if there's more than a page worth of information it'll pause and wait for me to hit the space bar to continue from there. more is kind of like the less command on Linux, but it's not quite as capable; less has a lot more capability to it than more does. In fact, we can say "more /?" and here are all the different switches and capabilities built into the more command.

Cool. Now let's see what else is fun. Oh, I know. So I'm going to cd back to the main directory and I'm going to type in tree, t-r-e-e, and hit Enter. Yeah, what's going by there? The tree command will show me a kind of graphical layout of everything that's located from this point on down. I can always point it at something too if I want to, and I can also use more to pause the screen as needed. So for example I could say "tree C:\" (hey, I want to run the tree command from the root of the drive) and then pipe that through more so that when I get a page worth of information it pauses. And now when I hit Enter, here is my directory structure, my whole system. The switches to include files or not include files have different choices. Sometimes having this kind of graphical layout of what everything looks like is a little bit easier for folks to consume; sometimes this makes it a little bit easier. Your mileage may vary. The nice thing is you can go in and mess around with stuff.

Now let's take a look at our directory here again. Come on, we're done. All right, so if I say dir, that shows me I've got foo.txt. If I type in "dir /a", that'll show me any hidden files that are in this directory, and right now you can see there are no files that have the hidden attribute associated with them.

However, one of the things that folks sometimes learn and forget, or maybe they don't learn, is that Windows uses a really weird file system that has a hidden section underneath it referred to as alternate data streams. Alternate data streams date back to when NT was first being created, and Microsoft wanted Apple computers to be able to save their files onto an NT system, right, because Apple uses a meta file and then it uses a data file, so they needed a place to store both of those pieces of information. So they created alternate data streams. The problem is alternate data streams have turned into a great place to hide file information.

So we used the echo command to create this file named foo.txt. Let's use the echo command again, only this time I'm going to say "echo this is a hidden file", and now I'm going to redirect that into foo.txt. This is the file name that's sitting in this directory already, but I'm going to append (don't hit Enter yet), at the end of that, a colon and then a new file name, like hiddenstuff.txt. There we go, that's a good one. And now I'm going to hit Enter. Okay, we didn't get an error, so it looks like it wrote that somewhere. Let's run dir again; we still don't see it, and look, my file hasn't changed in size, still sitting at 30. Let's try "dir /a", show me hidden stuff. Well, no, it still doesn't show up there. Try this switch: "dir /r". Oh, look at this, now I'm seeing a second resource in that directory that has kind of a weird name to it. What's this? This is an alternate data stream file. This is something I've actually appended to that existing file and hidden underneath it. Notice, looking for hidden attributes doesn't show it, and looking for a file size change doesn't show it. So this allows you to save multiple files underneath an existing file in a way that doesn't immediately become apparent.

Let me show you what I mean by that. If I go to File Explorer (you can do this too, or you don't have to, doesn't matter), here's my File Explorer, and now if I go to the temp directory, well, I can see foo.txt. I can't see the hiddenstuff file. So File Explorer is not compatible with the alternate data streams format that Microsoft uses on their own file system. Oh my God, sometimes you can't make this stuff up, right? So File Explorer doesn't give me any way to actually view that file. I can, however, see it doing a "dir /r" like you just saw, so if I ever need to get in and see that stuff,
that may be one way to do it. So how do I view the contents of this file? I've got this file hiddenstuff.txt, and the :$DATA at the end tells me it's a hidden data stream. How do I see what's in there? Let's try some of the commands we've worked with. Let's say "type foo.txt"... what did I name it? ":hiddenstuff.txt". No, that doesn't work; type isn't compatible. Oops, I hate it when that happens. Let's try the more command. We'll try "more f"... now notice also I'm hitting Tab; I can't tab through anything in the alternate data streams, so Tab is not compatible with alternate data streams. I'm going to have to manually type out the rest of this: hiddenstuff.txt. "Cannot access that file." Oh, that's an interesting error. So what if we run the more command but we shovel that file in with a less-than sign instead (more < foo.txt:hiddenstuff.txt)? What does that do? Oh hey, look, now we can actually see the contents of that file. What about Notepad? If I say "notepad foo.txt", here's what just opened up on my screen, so this is showing me that regular file. Let's close that up, and now I'm going to hit my up arrow key and I'm going to add ":hiddenstuff.txt". Oh look, so Notepad's compatible. type is not compatible, and more is only sort of compatible if you mess with it. This is a great place to hide stuff; this is a great place to hide things on a system that you don't want people to find.

Now what if you want to search your drive for this stuff? "dir /s": I want to do my checks recursively for the whole system. "/r": show me those hidden data streams. And then what I'm going to do is pipe this through... if I just run that command... let's run that through more. Actually, I've got to go up one, there we go. If I just run that command, that just starts listing out all my files and directories. Okay, cool, but what I want to do is only see the alternate data streams. So for that, rather than print out everything like we were just doing, I'm going to use the find command to identify a specific string of information that I want to look for. I'm going to say "find -e" and then I get to define what it is I want to look for. Well, let's look for that ":$DATA" that was showing up at the end anytime we had a hidden data stream, and then I'm going to... I almost pumped it through less because I'm used to working on Linux, but we're going to pump it through more, and let's see what happens. "Invalid switch." Oh, thank you for that. Which one's invalid here? What did I get wrong? "dir /s /r", yeah, that's right. Oh, sorry, I had this command wrong. It's findstr; that's right, it's not find, it's findstr. That should do it, and then this will pause for a second because it's going to wait until it gets a full screen worth of information before it shows me anything. Come on, you can do it. I can hear my drive thrashing. There we go.

So here's all the stuff that has that associated with it. Notice we've got a ton of Zone.Identifiers here, and we've got a bunch of PNG files that look like cached PNG information. What's all this stuff? Have you ever noticed that when you download, let's say, a spreadsheet off the internet and then you go to open it up with Excel, Excel will pop up and say, "hey, you got this from the internet, I don't know if this is something... are you sure you want to trust this? I'm only going to open it read-only." Well, how does it know you got that off the internet? The way it knows is that there is an alternate data stream associated with that file that says, "hey, this came from an untrusted source." Uh-huh. Well, what if I wanted the person to think that spreadsheet is trustworthy? Is there a way to fool the system into that? Yeah, there is. Go into this file and change it to a trusted source, and now Excel will happily open that file up, not give any warnings, automatically kick off scripts or whatever is embedded inside of that spreadsheet, and then you're off to the races after that. So this command here, I'll throw this into Discord so everybody's got it. If you wanted to play around with "where are there existing alternate data streams on my system," this is the command to do that; this will find that stuff for you. So that's kind of a fun one. Let's
see, yeah, I think that's it for file system stuff for now. Let's play with another one. Oh, I know, I know. So let's clear the screen here, go back to temp, cls to clear the screen, and let's play with Task Manager: taskmgr. So... well, spelling matters, Chris: t-a-s-k-m-g-r. There we go, that's how you spell Task Manager. Once you do, you should get another graphical window that opens up that looks something like this. This is designed to show you what's running on your system. The default screen is showing me my running processes. It's telling me that Zoom is using a moderate amount of power whereas PDF Pro is using a high amount; now that went to high and then very high, and it's going back and forth. I'm sure that'll change as I change stuff going on on the screen, but you get the idea: here are my active processes, here are my processes sitting in the background. So anytime you need to go through that stuff, Task Manager is the way to go.

But what I really like about this tool is this Startup tab right here. If I click on the Startup tab, this shows me everything getting started up on my system, regardless of whether it's in the registry or whether someone creates an autoexec.bat file, which Windows is still backwards compatible with because of DOS, and launches stuff out of that; that'll show up on this screen too. So this is kind of cool, and what's nice about it is you can disable things. I've got a bunch of stuff like Office: don't start that up automatically. If I right-click on it I'll have an Enable or Disable option, depending upon what the current state is. Teams is currently enabled; I could say nope, don't start up Teams on boot. So this allows you to easily pick and choose what you want to start up and what you don't. That's a nice capability to use, but this launches a graphical utility, and sometimes we need to stay at the command line for that.

Another command you can use is tasklist. Let me pump that through more so you can see the whole thing. What did I do wrong? Oh, there we go. Notice at the top the tasklist supported switches... what does that mean? "Well, I open nothing with .spider extensions." Yeah, I completely agree, dude. Spider, or if you're in Florida, anything with a python extension. Yeah, that's it. So yeah, what's that stuff up there? That stuff up there is: I can run this against my own local system, or if I have the creds I could run this against remote systems as well. So if I need to log into remote systems and collect information about what processes may or may not be running, tasklist is an awesome tool to do that. I can see locally, I can see remotely. We're not going to be logging into a remote system in this, but if that's something you want to play around with, feel free. If all I do is just run tasklist without any switches, that'll give me a list of all my running processes on this machine, which is kind of fun. So again, if I ran across a file that I'm suspicious about and I wanted to see, is it running on any of my other systems, I could use tasklist to systematically reach out to each of those systems, get a list of the running tasks, and use findstr to see if this process is one of those processes that are running on that system. That would be a very quick way to figure out what's there and what's not.

If I want to look at subprocesses I can say "tasklist /svc", I believe is the command, and this shows me any subprocesses associated with any of the processes that are running. Now again I can use find, right? We didn't have any pop up on this main screen, but instead of paging through, let's use find to look for that, and I'm going to say lsass.exe. Yeah, that's it, that should give me something. There we go. So what this is telling me is that this process has launched a number of child processes as well, so I can see what's causing things to get launched if I wanted to do it that way. So I've got some capabilities to look at local processes and remote processes with this as well. Moving on: if I need to
audit network stuff, ipconfig is the tool for that. If I just type in ipconfig, that'll list out some adapter information. If I want to make sure this pauses, just pump it through more and now it'll get a full page worth of information and stop from there. Hopefully you like my domain, "honest I'm not evil.com"; really, I'm not. I know it seems that way sometimes, but honest, I'm not. This will show each of my adapters. Some of these, like this one here, are part of my VirtualBox setup, so that's not a real network adapter per se; it's not a physical device plugged into my computer, that's just a virtual adapter that's used anytime I have systems running on VirtualBox. Oh, thanks for that clarification, Bill. Oh, why find versus findstr. Bill, I am impressed you knew the answer to a Windows question. I am like totally thrilled, dude, that is awesome. Bill tries to avoid Windows as much as he can, so that's why it's kind of a thing.

But yeah, I've got all my interface information here. If I do an "ipconfig /all", that'll add in some additional information about what's going on. So again, if I need to see what's going on with network interfaces, which ones are working and which ones aren't, I can use this. The problem with this command, though, is that it's not showing me what my interface numbers are. Some tools... let's say I wanted to use this Ethernet adapter, right, let's say I'm running a sniffer or something and I need to specify this interface. How do I do that? Well, some tools want you to specify the interface number that's associated with that interface, and ipconfig doesn't print that out for you. So how do you find that? There's another command we can use called netstat, and netstat has all sorts of really awesome information you can extract out of it, but if I say "netstat -rn" and then pump that through more, one of the things this will show me is all of my network interfaces. Here's that Killer gigabit Ethernet interface and the interface number that's associated with it; that's the number right at the beginning of the line. This is the MAC address associated with that interface. So if I wanted to run my sniffer and make sure it's listening on this interface, I could specify interface number 21. ipconfig doesn't give you that, but you can get that information out of netstat. You'll also notice that this is showing me my routing table, so this is showing me what networks my system knows about and how it's going to try to go about getting to that network. Let's see, 56, yeah, so like 192.168.56, it's saying it's got to go through 56.1 to get there; that's off of one of my interfaces. 69 is the main local network. So you get the idea: active routes. This gets into the IPv6 routing table, although I don't do a lot with IPv6 on my local network, but that shows up under this information as well. So I can get some pretty cool information about what's going on on the network out of this, which is kind of nice.

The other thing, let's see, what else can I pull out of there that's fun? Oh, actually, back to ipconfig for a second. One of the other things (I've run into this a couple of times now) is that sometimes you want to know what DNS records are being cached on your system. I want to display them; I might want to delete a particular entry. How do I go about doing that? You use the ipconfig command for that one as well. So if I go in and say "ipconfig /displaydns" and then pump that through more, here are all of the DNS records that are being cached on my system currently. So my record name, this is what they tried to look up, and then the PTR or the A record is going to give me whatever the answer was. These are all PTR queries, and we know that because it's listing the IP address backwards and it's got this domain in-addr.arpa. Anytime you see that, you know a PTR type of query was performed. But if I scroll through this a little bit and get past... oh, I had one and I lost it. My system does a lot of PTR record queries. Let me try to look for one that's like an A record just so we have that to show. Here we go, this is showing as a name record... oh, well, except it's ip4 arpa that it's looking for; yeah, that's not helpful. Come on, give me... here we go, Zoom. Oh no, that was a PTR record query too. Yeah, so it's showing me my query types. I know I've got A queries in here. Oh, and I hate the fact that I can't arrow up, I can't scroll back. No, I can't scroll back. Yeah, freaking Windows, give us a page up and page down with more, please; it'd make stuff like this a whole lot easier. Here we go, here's an AAAA query that took place. There we go, here's something. So what this is telling me is that my system needed to get to mozilla.cloudflare-dns.com, and here was the A record answer that came back in response to that question.

Quick question that came in a little late: "why would you use CMD over PowerShell?" You should work with whatever makes your life easier. What I'm trying to avoid by doing it this way is having to teach everybody about PowerShell and how to use it. I'm trying to keep this as simple as possible for now. We'll come back and dig back into Windows command line stuff later, but the commands I'm covering today, these are the commands that, as we start doing labs later, or if you're doing labs as part of other classes, when you run into problems and you're trying to troubleshoot what's actually going on, these are the commands that can bail you out. Like if you're in a lab that says, "hey, run this packet sniffer and try and sniff the local network and see if you can't see some traffic," and you're not seeing any traffic, well, maybe it's not listening on an active interface, and how do you get a list of interfaces to know which one to specify? We covered that as part of the netstat command. So that's why we're talking about this stuff.

Now, if I don't need the whole thing, if I just want to know what's being queried (I don't need the query and the answer, I just want to see what's been queried), I can actually use find for that. I can say, let me pull back that command, we're going to say "ipconfig /displaydns", same command we ran before, and (not hit the Enter key, Chris) pipe that through the find command, which
allows us to go in and search for text and the text we’re going to look for is this right here record name because
that’s what was being queried so I’ll paste that in and now that’ll give me a list of all queries that have been
performed by my system so if I ever need to know you
know when I’m trying to get to array 6621 p.d. dp. mp.
microsoft.com what IP address is it going to as part of that I can go in and look at that if I’m running a sniffer or
something and I see hey my system is connecting to you know 17 253 21 uh you
know 2011 why is it well I can go in and I can search this information to see
what fully qualified domain name was queried that resulted in that IP address
being returned back in again so again it’s a good way to be able to go through and just kind of troubleshoot what’s
going on with the whole thing um jumping back to the netstat command again one of
the other things you kind of need to figure out sometimes is do I have any open listening ports so if I go in and
say nit st- that’ll show me what’s going on with network traffic on my system so there’s
a couple of things to kind of take a look at here so this first line says TCP
and it shows all zeros for an IP address what does that mean there’s two ways
that an application can get bound to the IP stack it can get bound to a specific
interface or it can get bound to all of them so for example down here this is
bound to just the loop back interface 12701 that’s it it any other network
interface that’s on uh on my system Port 5354 will not be open and listening it’s
only going to be on the loop back interface but Port 135 because it’s
specified as 0000 that means every interface so any interface I plug into
this computer is going to immediately start listening on Port 135 445 903 9131
1844 got to love Windows we’ve got all sorts of open ports here that’s it’s going to go through and listen on so
anytime you see the state is listed as listening that means that that’s an open port that’s capable of serving servicing
connections where it can service them from depends on the network interface if
it’s all of them oh that person could potentially be anywhere if it’s on the loop back interface only well only the
local system can go in and actually communicate with that now notice we have some entries here that are listed as
established what that means is that’s actually an act of session running right now so my system is talking to itself
between TCP ports 1844 and
49962 why well that’s the easiest way to go through and exchange information between applications right if I have my
application set up so that it talks over the network well now I can talk to that other application whether it’s on the
same local system or if it’s off on a remote system just by specifying a different Target IP
address so if I want to see do you know what active sessions do I have going and
where this will go through and this will show me that so if I go in I’m going to hit uh page I just want to see if we
have any other states listed here um close weight here we go Cent actually
yeah there a good one cent what does that mean that means that at the time
this command had run a s packet was sent out but we’re waiting for the reply to
come back to see if that Port is actually open and listening so you you know when you grab that it tends to be
kind of quick uh meaning that that three packet handshake you know with which
that was this is a part of doesn’t last very long what is closed close weight mean
close weight means that we’ve gone through the tcp3 pack at handshake we’ve
gone through our established state to exchange information back and forth and one side of the connection has said hey
I’ve sent you all the data I plan to send you so I’m not going to be sending you any more data anymore therefore I am
ready to close my side of the connection and we’re waiting for the other side to
finish sending data in order to be able to go through and close this whole thing out now we’ll get into this more when we
talk about firewalls but one of the places where you know seeing this type of stuff can be super helpful is when
you’re trying to troubleshoot problems with stateful firewalls um stateful firewalls use
timeouts to kind of decide is a connection dead or not and one of the things you’ll run into is that those
timeouts are drastically different when you’re in an established state versus
when you’re in like a half closed State like a Clos weight state so the timeout the firewall may be willing to
wait an hour to see if any additional traffic goes through while it’s at an established state but once you get a
close weight session it might only wait like 10 seconds and if it doesn’t see any traffic in 10 seconds it may
actually just kill the session so if one side still trying to send the data that it needs to because the one uh the first
half of the connection went into a Clos weight State the second half of the connection is still trying to send over
all sorts of data well if there’s only a 10-second window window before the firewall will decide yeah that fire that
connection is dead I’m just going to toss that that entry um you’re far more likely to get data transfers that get
interrupted uh so you know a firewall may say oh yeah the state table timeout
is an hour well usually what they’re talking about is in an established state in the other states those timers tend to
be a lot smaller and that tends to be where you go in and run into problems and we’ll get into that more as we go
through and kind of talk things through um when you get into you so yep here’s
my uh IPv6 stack and the ports that are being open as part of that now with UDP
notice it doesn’t have a state listed right why well UDP is stateless
so what this is saying is hey UDP 500 is is there people can try and talk to it but
because it’s connectionless because it doesn’t have any states there’s no states that actually can be tracked as
part of that so that’s what we got there um let’s see yeah so there’s more
UDP stuff then we get into the IPv6 uh Duo was saying yep connectionless protocol absolutely UDP
is a connectionless protocol so we were talking about firewall stuff and you know most endpoints have some sort of a
firewall on it what if I want want to go in and see the firewall configuration on
the local system well I could go through the graphical interface for that right I can go in and you know there’s a nice
gooey firewall management setup for that but what if I want to be able to record that information and easily write it out
to a file well it probably be easier to go through and do it at command line what if I want to do it on a remote
system well again it might be easier to go through and do it on the command line so this is where netsh comes in so netsh
netsh is an awesome tool you can do so many cool things with this I highly recommend you spend some time um just
even if you just kind of breathe through and then Google things that look
interesting to you there’s all sorts of fun stuff that you can go through and you can use with n AG like manage the
local firewall that’s on this local system or notice up here I can connect
to remote systems and manage the firewalls on them if I need to as well so that’s kind of cool so how do I use n
netsh to see what’s going on with my firewall setup well if I say net sh
spelling matters Chris and that was a uh advv short for advanced
firewall so I want to go in and work with that context now if I’m ever not sure what commands to use where and when
I can always go in and just say backs slash question mark again and this will show me what my next valid commands are
after this so we want to see what the firewall settings are so I’m going to use the show command but notice one of
my options is set I can actually change firewall rules at this point here I can
also go in and change the default policy if I want to go through and do that so I’m going to hit my up arrow and now I’m
going to say show I want to show firewall rules back slash question mark
what do I want to show well what are my options well my options are current profile global private blah blah blah
let’s look at all profiles that way I’ll get everything right so notice what I’m doing I’m just kind of stepping through
and each time I get a new command line switch I’m just using bat SL question mark to go through and see what are my
options at that point there so I’m going to say all
profiles yeah I think that’s spell right and then I could say back slash question mark and notice uh I guess some
additional options here I could go through and I could look at State I could look at the default policy I can
see whether logging set up or not um or I can try just running it at this point
here and now this will go through and this will show me what all my policies are so what this is saying is if I’m
logged into a domain this is what the firewall policy looks like if I’m on a private Network like my home network
this is what the firewall policy looks like if I’m on a public network here’s what it looks like now you may notice
yeah I’ve got everything shut off that’s probably not a good thing hopefully yours is go in a in a different state um
yeah can’t it never saying yep netsh Advanced firewall set all profile State off yes you can do that um what I like
to do or actually and what I need to do on this system that I haven’t done yet is I just create an an an icon on my
desktop that says one is labeled Shields up the other one is labeled Shields down
and what I that allows me to do is when I want to have the firewall running on this system click the shields up icon
and that just goes through and runs a set command that turns on firewalling when I need to shut that firewall off
for some reason click the shields down icon and I can go through and do it that way so I just haven’t gotten around to
doing it on this particular system yet so I don’t have those icons set up but yeah you can use the set command to go
in and make those changes I’m confused what is that Shield icon so what I’m talking about is um I create an icon
right and so when you go in and you create an icon it says you know what command do you want to run well I say I
want to run the netsh advanced firewall command and I want to set my firewall to
an on state or an off State it can be one or the other so that’s kind of what
I’m talking you know and when you uh you also need to name that something right
so I could name it fire firewall on firewall off um you know little bit of a Star Trek geek so I just name it Shields
up Shields down or shields on Shields off you know whatever something along those those lines but you can make uh so
these commands that we’re running you can actually go through and just create an icon that runs the command with these
switches and you know that way instead of having to open a command prompt and then type this whole thing in manually
you just click in an icon to be able to go through and run it that way instead um that makes life a whole lot
easier to be able to go through and do so yeah I can go in I can look at my
profiles I can change them if I want to um let’s see what else is good oh so if
you want to get a look at what’s on my local network right like are there any other hosts connected up to my own local
network here the command for that is ARP so ARP stands for address resolution
protocol this is systems community indicating at Layer Two if I say- a that’ll show me everything that this
system knows about and I’m going to pump that through the more command and now when I do I get output kind of like this
so this is showing me okay off of this interface here’s all the systems I know about off of this interface here’s what
I know about off of that interface here’s what I know about so this is broken out on a per interface basis now
that first interface is my active interface that’s the one I’m actually using right now so notice it knows about
69.1 and here’s the MAC address that’s associated with that system notice it’s
listed as Dynamic what does that mean there are two different ways to generate
AR entries static or dynamic static means it’s pre-programmed
in right so if I look at an ecstatic example right this one here if it’s
going to the bro address you know that’s all it that’s going to be all FS that’s a static entry
that’s something that um you know gets pre-programmed into the system this is a
multicast address that Microsoft uses to talk to other Microsoft systems that gets statically programmed in so that’ll
be there all the time regardless anything listed is dynamic like this one
this is something that the system learned on its own so it’s some point I
my system tried to send a packet for whatever reason to 69.1 and the local computer said I don’t
know where that system is I don’t know what Mac address it’s using so I’m going to send an our packet and say hey who’s
using 192168 69.1 please come back and tell me and when that system responds to me I’ll
get to see its Mac address and then I’ll create a cash entry for it just like you see here so anything listed as Dynamic
so from that entry all the way down to this one these will eventually age out and go away and they’ll just get dropped
off of this list let’s say one of these systems gets shut off or I just sto talking to it for whatever reason this
this entry will actually end up getting removed um Dynamic entries can also get messed
with we’ll talk about that a little bit more as we go through so like I can see
you know this 209 system what if that’s like a local host that um I need to be
able to communicate with for some reason right let’s say that’s like my database server or something and my database
interface isn’t working and I want to know is that system online or not how
can I figure it out well one way might be to use this ARP command like we just
did and if you’ve got an ARP cach entry at some point that system was responding
to you this doesn’t tell you if it’s accessible right now this tells you it’s
been it was accessible over whatever the timeout period is for the arpes which
tends to be two minutes on both systems so all this tells me is it was reachable at least up to 2 minutes ago it doesn’t
necessarily tell me is it reachable right now if I want to see if it’s reachable right now the command for that
is Ping so I could say ping 192 168 69
209 and now when I run that I get this output here okay what’s this telling me
this is telling me that this ping command went through and sent a packet
to that IP address and it was able to get a response back it sent a
um it sent a packet that was 32 uh the response it got back was 32 bytes in
size it took 2 milliseconds to get a response from this system and the TTL
said in the in the packet was set to 64 we’ll talk more about what that means a little bit later but what this is
telling me is that system is currently accessible and then down the bottom what I get is I get a little summary of what
went on so this is telling me hey we sent four packets we got back four
packets hey that’s a good sign because sometimes you’ll send four you’ll only get back two that tells you you’ve got
something weird going on in the network and this 0% packet loss that’s what we want to say this is also saying that hey
roundtrip time is down around the minimal I’m capable of measuring right this tool won’t really report anything
faster than a millisecond and hey if your connectivity is a is a millisecond or less you’re in good shape you’re not
going to have to worry about that it’s when it’s over a longer period of time so if I want to know if that system is
reachable I can use ping now ping will tell me is that system online what it
will not tell me is is the database server running is the web server running
I can’t get that information off paying so this is just like a a simple connectivity chck check so let’s say I
tried to Ping something across the internet and for whatever reason I couldn’t get to it right let’s say I was
trying to Ping dubdub dub. google.com and this should respond and
it does but let’s say for some reason Google wasn’t responding I wasn’t getting a response back from that well
there’s two possibilities at play here right if this normally works if I could normally ping Google and now all of a
sudden I can’t the problem could be on my local network maybe my router’s down
maybe my ISP internet link is down maybe something’s wrong with the backbone on the internet maybe there’s something
wrong with the Google server server it could be any of those things the tool I
can use to go through and kind of check this out is called uh Trace rout or as
short Trace RT what this does the output’s going to
be a little bit different than what we saw with ping let me describe what the difference
is so with ping this just came back and said hey to get to that remote server
and come back again it was taking 9 milliseconds to go through and do that
notice the output from Trace RT is a little bit different it’s showing me a bunch of different lines in order to get
to Google I got to go through multiple routers right so I got to be able to go
through the router that leads to my ISP there’s probably a couple of different routers at my ISP I’m going to have to
cross go across I got to Traverse the backbone of the internet I got to get into Google’s environment I might have
to cross a couple of routers there and then I’ll eventually get to whatever server is acting is
www.google.com so there’s a bunch of routers along the way any one of those could be the potential problem as to why
I can’t talk to www.google.com right now what Trace RT
does for me is it sends a packet to wherever it is I want to go right so
it’s sending packets to www.google.com but see this TTL value
the TTL value tells the network how much longer this packet is allowed to stay
out on the network before it needs to throw it away and return an error if this number ever drops to one that tells
that receiving system hey I can’t forward this packet anymore the ttls already dropped a one so I’m just going
to send an error packet back to the host that was trying to do that transmission so what Trace RT does is it artificially
deflates that TTL value to one and then tries to send the packet to Google well when it does that it gets to this first
device and this first device says hey sorry TTL expired you can’t get there
well when it returns those error packets to me I get to see that system and where it’s located now Trace RT will set that
TTL to two it’ll do it again the next system respond then it’ll set the TTL to three the next system respond it’ll set
it to four set it to five notice here I maybe I had a system that was having
trouble responding more likely there’s some sort of filtering on there that tries to filter out it its ability to
try and send any type of error messages like this but notice we did eventually get to where we were going and we were
trying to get www.google.com but the IP address that we ended up at this is actually the name
of that system so you can actually see you know what’s buried under C names running this
type of command on occasion too uh let’s see I saw a bunch of comments go by oh
hey Chuckles or Hearn is here awesome I’ve known Charles since like forever uh
Charles has been doing this stuff as long as I have uh let’s see for those that want to do pcap captures natively
and newer Windows versions check out packet on uh you probably already knew that yep uh so I knew that people
probably didn’t so thank you for tossing that one in there and yeah that is a a Windows native tool to be able to go
through and do do packet capturing and I will get into that uh packet captures and what they are what it means and how
to read them in a much later class uh DNS versus IP is always fun yeah and you can always do all sorts of like cool
things with it as well um one of the things you have uh on any type of system
is a host file and I can get into this in a later class if folks want to but
the when you try to get somewhere on the internet before your system checks DNS
it checks that host file to see if there’s an entry for that and what there H um Services up on GitHub if anybody
has a favorite feel free to kind of post it into Discord but if you’re um you can
download their host file that will filter out all of the damn Banner at
sites so you can load up a host file that doesn’t know how to get to add.
doubleclick.net anymore so now when your system tries to get to that Network or
tries to get to that host it checks the host file and the host file says oh that’s it you know 127.0.0.1 you know in
other words yeah you know I’m not going to let you look up the correct IP address and that can actually re
dramatically reduce the amount of um excuse me the amount of uh ad servers
that you have to deal with personally I prefer using py hole because that will
do it for your entire network all at once but if you don’t have any type of home infrastructure and you want to do
something about all the banner ads download one of these host files that lists all those Banner ad servers is it
being at at being at the address 1271 and that’ll clean up the problem for you uh let’s see I’m confused that
statement if the database server is up you should still get a respon from the Ping command yes lenx girl you’re exactly right so if I ping the server
and the server is up I should get a response for that however that doesn’t
tell me if the database process itself is running so let’s say the database
process running on the database server crashed that port’s no longer open and listening ping will tell me that server
is accessible but now when I go to run my utility there’s no port to talk to
now I know yeah okay I’ve got connectivity to that box it’s just the process isn’t responding for some reason
so it’s a great way to go through and kind of break things out so I probably didn’t SP uh clarify that when I said it
I apologize uh yes especially if you’re watching Chris oh that could always be
bad um let’s see we got a we got a bunch of
folks jumping in helping out with questions thank you so much for that uh let’s see this great session
board [Music] member Training
Guy oh would love to collab yeah sure I’m happy
to cool uh let’s see we are already yeah we’re already past the top of the hour
so uh let’s just kind of jump here I’m pretty sure I hit everything so
yeah if you want to grab the slides feel free uh they’re in the channel That is f
labeled as fire- content just below this one um but yeah thank you for jumping in
on this first session um we’ll have some you know Sears and stuff like that that’ll go out there’ll be a recording
of this video that’s made going to be made available Keith went through and created a single page that’s going to
archive all this stuff so that uh there’ll be a nice index at the top once we have three or four of these created
so it’ll be really easy to be able to jump in and find this and that’ll have a link to the video as well is a link to the slides so you have access to all of
that um but you may for the folks that kind of hang out with us a lot you may notice that we didn’t use our regular
webcast channel for this um that’s actually a feature so Fireside Fridays
it’s its own section on our server now this live chat isn’t just for live chat
this Live Chat is for anybody who’s taken the class that wants to come back later and ask questions uh so those of
you who again have been here before probably know I usually throw my email address at the end and I have no problem with people emailing me but I kind of
want to use the chat session here for this because that way if I’m tied up
doing something or I’m busy and someone has a question that opens up the opportunity for somebody else to be able
to go through and answer that uh also when I was developing this content with
Emily and Herman Emily and Herman actually got together and kind of worked on this stuff when I wasn’t available on
their own and I was like that’s cool I want to leave that possibility open when we start doing these live so if folks
want to like you know bounce additional ideas off each other or come up with labs for each other that’s what that
chat uh uh is their fla if you have uh like content you come up with as part of
doing that uh please at me on Discord and we’ll get that added into the content Channel as well uh where can I
find the recording please the recording is going to be uh in our Zoom excuse me
in our uh YouTube channel so if you go to the active counter measures YouTube channel we’re going to have a whole
section that’s just these recordings uh they’ll also be posted to our website
under the education section you’ll see h a page for Fireside Fridays all of it
will get linked off of that as well um as far as like when will it get posted
hey I’m going to invite the other folks to come back in on this session and we can go through and someone someone who
knows more than I can go through and answer that
question I think that would be uh Ryan or Megan would have the answer that question of when the recording is
available but I don’t think it takes that long anymore no they’re they’re amazing yeah they’re amazing what I
notice is that um within like hours if that uh they post something that has the
pre-show banter and you know has the entire stream in it and then within a day they’ve already gone through and
edited that up so that it’s just the actual content which is awesome so for this session it well it’s available on
YouTube like now right now you can watch it on YouTube now you can go back and rewatch it already even though we’re not
done uh but for if you’re if you want to watch it back on Zoom again the zoom’s got to process the recording it takes
maybe an hour or two there usually an email that gets sent out to everybody that says hey the recording’s ready
click here to come back and watch it and uh you can watch it there as well but the probably the easiest way is just to
go to YouTube cool awesome and Shelby how did we land on the registrations do people
have to register for each individual class I seem to remember that’s how we left
it that is the way it is right now but you can register for multiple multiple
things so if you if you’ve only registered for this one and you want to go back and add more to it go back to
the registration page and there’s below the buttons there’s a little little text blur that should say register for more
add more or something like that I forget uh exactly but it brings up a little popup and it says all the ones that we
currently have published as coming up and you can check the box for the other ones that you want to register for oh
perfect and I just a link to that Zoom page uh in the Discord and I also pinned it so it’s it’s it’ll be there
forever will the link be the same yeah I think we’re using a reoccurring Zoom session for this yes yeah it that when
you open the session you usually get this window that’s like um Zoom calls it a Lobby and in there that’s where you
see the join button on on Zoom itself there should be the the most current one
should be at the top but if not there’s there’s all listed out in that Lobby section for you so you can just hit the
button that you want to watch and usually that Lobby will also have a button to watch a recording for a
previous session so once we get to next week’s session the recording for this
week’s session should be accessible from that lobby as well as the join button to
watch the upcoming session or the current one during that time so it’ll
make more sense when you see it but awesome thank you
guys no no no this is ACM team a anti counter measures even though they are
all yeah thanks as always to the any siphon team hey I I have like no problem
thanking the any siphon team too you know as Eric said we can be
confusing sometimes because we kind of like are all the same thing but we’re not
so go out singing We Are Family oh no we we’ll we’ll let you do
that bill come on come on you’re the one who does
AR capella we’ll leave that to you we might need special outfits for that so
that’s true and a disco ball awesome thank you all for joining
us and thank you Chris that was really really good um in fact I I learned a few things too so I hope everyone else did
as well yeah yeah happy to happy to yeah and uh
so next week we’re going to be doing kind of similar but on the Lennox side um so that should be fun and yeah I
think I have uh oh Emily’s asking what’s the drink today
zombie brain juice that’s what keeps me running today
so today it’s all about the zombie rain juice and uh since I just saw both Emily
and HK uh posting in the channel I’m going to toss this up one more time because I really appreciate all the help
that they gave me um yeah you know again Herman and Emily let’s all give them uh kudos for helping out on this uh the
content definitely improved dramatically having their help as part of this so
yeah nice work guys thank you yeah thank I second that thank you and and also in
Discord I mean they’re they’re actively in here helping live as well as many
other people I mean and I love how everyone just kind of jumps in and has the knowledge to help answer questions
so yeah it’s appreciated yeah yeah I try to be a dick but everybody
else is too nice so get balances out
yeah exactly never give up trying man
yeah awesome I think we are done all
right awesome yeah Andy said it both my Spinners are now dead so I guess we’re done we can only we can only go as long
as the Spinners are spinning once they stop we have to stop too it’s I’m sorry it’s just the rules yeah yeah there’s
your sign right yep all right thanks everybody see you
next time take care
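The netstat walkthrough in the session above (0.0.0.0 versus 127.0.0.1 bindings, LISTENING versus ESTABLISHED, SYN_SENT and CLOSE_WAIT) lends itself to a small triage script. This is an added example, not code from the webcast or its slides; the `netstat -an` text below is constructed to mirror the transcript's examples (135 and 445 on every interface, 5354 and 1844 loopback-only, 1844 talking to 49962, UDP 500), and 203.0.113.10 is a documentation-range placeholder for a remote host.

```python
"""Triage Windows `netstat -an` output: which ports are exposed, and why.

Added example, not code from the webcast or its slides. The sample output
below is constructed to mirror the transcript (ports 135/445 on every
interface, 5354 and 1844 loopback-only, a SYN_SENT and a CLOSE_WAIT), with
203.0.113.10 as a documentation-range placeholder for a remote host.
"""
from collections import Counter
from dataclasses import dataclass

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1844         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1844         127.0.0.1:49962        ESTABLISHED
  TCP    127.0.0.1:49962        127.0.0.1:1844         ESTABLISHED
  TCP    192.168.69.5:49710     203.0.113.10:443       SYN_SENT
  TCP    192.168.69.5:49711     203.0.113.10:443       CLOSE_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    [::1]:5353             *:*
"""

# TCP states in which one side has already stopped sending; the transcript's
# point is that stateful firewalls age these out much faster than ESTABLISHED.
HALF_CLOSED = {"CLOSE_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "LAST_ACK", "TIME_WAIT"}
WILDCARDS = {"0.0.0.0", "::"}   # bound to every interface, present and future
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote: str      # kept as printed; "*:*" for UDP
    state: str       # "" for UDP, which has no state to track


def split_endpoint(endpoint: str):
    """'[::]:135' -> ('::', 135); '0.0.0.0:135' -> ('0.0.0.0', 135)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str):
    """Keep only the TCP/UDP rows; the header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        ip, port = split_endpoint(parts[1])
        state = parts[3] if len(parts) > 3 else ""
        sockets.append(Socket(parts[0], ip, port, parts[2], state))
    return sockets


def bind_scope(ip: str) -> str:
    """'all' = every interface, 'loopback' = this host only, else 'specific'."""
    if ip in WILDCARDS:
        return "all"
    if ip in LOOPBACK or ip.startswith("127."):
        return "loopback"
    return "specific"


def listening_ports(sockets):
    """Map (proto, port) -> widest bind scope seen for that open port.
    TCP must be LISTENING; UDP has no state, so any local UDP socket counts."""
    scopes = {}
    for s in sockets:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        key = (s.proto, s.local_port)
        if scopes.get(key) != "all":     # an all-interfaces bind wins
            scopes[key] = bind_scope(s.local_ip)
    return scopes


def exposed_ports(sockets):
    """Ports reachable from any network the box is plugged into."""
    return sorted(k for k, scope in listening_ports(sockets).items() if scope == "all")


def state_counts(sockets) -> Counter:
    return Counter(s.state for s in sockets if s.proto == "TCP")


def half_closed(sockets):
    """Sessions a stateful firewall may drop long before its 'one hour' timeout."""
    return [s for s in sockets if s.state in HALF_CLOSED]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("exposed on every interface:", exposed_ports(socks))
    print("loopback only:", sorted(k for k, v in listening_ports(socks).items() if v == "loopback"))
    print("TCP states:", dict(state_counts(socks)))
    for s in half_closed(socks):
        print(f"half-closed: {s.local_ip}:{s.local_port} <-> {s.remote} ({s.state})")
```

On a real box, pipe `netstat -an` into a file and feed that text to `parse_netstat` instead of the constructed sample.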
Slide Deck:
Fireside Friday – Linux Terminal
January 17, 2025
Recording:
Show/Hide Transcription:
26:40
get in and do this thing. So thanks, as always, to our sponsors, you know, all our
26:45
sister companies uh thank you to Herman and Emily mentioned this last week they’ve
26:50
gone through and done QA on a lot of this stuff uh really helped me kind of vet things through so when you see either
26:55
one or both online please give them a thank you and lab requirements for today
27:01
are just you need it would be nice if you had access to a Linux system that’ll allow you to go through and kind of
27:07
follow along with a lot of the commands we’re going to be working with and I wanted to start here which is
27:13
you know typically most of us are remoting into a Linux system so when you you know go to
27:20
connect up for the first time um you need an SSH tool there is one built into Windows so you can just say ssh your
27:28
login name at and then whatever the IP address is of the system and you’ve got a command line based connection to be
27:34
able to go in and SSH into things um I think I’ve mentioned this before my personal favorite is SmarTTY because I
27:43
can go through and I can keep track I can keep a profile for all the different systems that I want to log into so in
27:50
order to connect to let’s say the Rita system I can just double click on that
27:56
and then that’ll pop open a terminal session for me if I need another terminal running with that same system I
28:02
can click the little plus symbol down here and now I’ve got two tabs at the bottom both are connecting up to that
28:08
same box if I need to do a connection with a different system I can just uh click on the little star symbol and then
28:15
that gives me a connection to shows me my list of profiles excuse me and that’ll let me go
28:21
through and launch an additional session so now this is that um system out on my internet one of my public class Cloud
28:28
systems I’m using and then this one here is my internal system so I like using SmarTTY uh the other thing that’s kind
28:35
of nice about it is let me show you this real quick when you go in and you set up
28:41
your profiles say I want to do a new connection you tell it where you you know where is it located what’s the IP
28:48
address or fully qualified domain name what’s your login name you can come up with some sort of descriptive alias if
28:54
it’s password based you can put your password in here if you’re using public/private keys you can point to your a
28:59
private key down here or if you’re using passwords but you want to start using
29:05
public/private keys you can click off here and say hey set up public key for me automatically and now it’ll never
29:12
prompt you for a password again um you can also set up keepalives those can come in handy so SmarTTY also a really
29:20
cool tool but let’s go back to here for a second
29:27
so the first time you log into an SSH a Linux system via SSH you’re going to see
29:32
something like this where it pops up and says hey the authenticity of this host can’t be
29:38
established here’s a SHA-256 fingerprint are you sure you want to
29:44
connect what’s actually going on here so what’s going on here is that um SSH by
29:50
default now you can set up digital certificates and use that and if you’re doing a lot of SSH it’s definitely worth
29:55
your time uh yeah Bill did a great webcast on setting this type of stuff up
30:01
but if you’re just logging in for the first time what this is saying is hey
30:06
you should have someone go to this server right go to this server have
30:12
someone go to the console have them extract a hash of the public key of that
30:19
server and check to see that the value they generate matches exactly what you
30:24
see here if it does you are connecting to the system that you think you are if
30:30
it does not match you may be connecting to some other system that you didn’t actually intend to connect to um you may
30:37
want to just back off and go away from here so how do you do this on the server
30:43
itself well let me uh let me throw this into Discord just to make it a little bit easier so people can just copy paste
30:50
uh that’s the command you want so I’m going to go in and I’m just going to paste it in here so what’s this
30:58
doing so what uh ssh-keygen is doing is it’s looking at this file here so this
31:05
is the uh ECDSA key it could you could be if it’s an older system it might
31:10
be RSA it might be DSA this is kind of the new standard everybody’s using but there’ll be a couple of different .pub
31:16
files in that same directory you need to make sure you go to the right pub file
31:21
and this will tell you which one to use here right ECDSA so now I know I need to
31:28
go look at the ECDSA public key and what this does is this generates a SHA hash off of excuse me let me make this
31:36
font a little bit bigger this creates a SHA hash off of the public key itself well
31:44
Chris couldn’t I just run sha256sum against this file and get the same
31:49
setting oh nice thought but unfortunately no that won’t work it won’t work because
31:57
that file actually has other information inside of it it has you know your name
32:02
the server name there’s a couple things in there you want to make sure you’re only hashing the public key so this
32:08
function takes care of doing that for you so you don’t have to worry about it so if you’ve ever wondered what that
32:15
stuff is and what it’s for you know this is it and I gave you the command here to
32:22
go in and use so like like I said the idea is if I run this command at the command line should generate the exact
32:29
same hash that that person is seeing when they log in that’s how you verify first use with an SSH system after you
32:36
verified first use you’re fine after that SSH will take care of making sure you’re always going back to the same
32:41
system um in fact if you spin up a new system that’s at the same IP address of one that you used to SSH into you may
32:48
notice it’ll pop up and say hey the key has changed this is exactly what it’s talking about is it’s trying to verify
32:54
that for you and it can’t anymore okay so that’s about it for SSH for now so let’s kind of talk about some of the command
33:01
uh uh commands you may want to go through and use uh one of the most basic ls ls is going to go through and list
33:08
out any files or directories that are in my current location if I type in ls
33:14
space -l that’s going to list everything out but it’s also going to give me date/time
33:21
information this is a little hard to read because especially once you start
33:26
getting into bigger file sizes because it it I got to start checking oh you
33:32
know every three I got to go to kilo and meg and gig after that and if you want to just have it tell you what it is you
33:39
can add an H to the switches so I just hit the up Arrow key that pulled up the
33:45
ls -l command that I just typed and now I added an h to the end and when I do
33:51
notice now it’s instead of telling me you know 140000 it’s telling me 14k
33:58
3.6k so this truncates it it makes it a little bit easier to read this is how we tend to kind of think about file sizes
34:05
you know versus the the the raw number all on its own type of thing um let’s
34:12
see what else uh pwd will always tell you what directory you’re in so right
34:17
now I am in the /home/cbrenton directory if I type in uh
34:24
cd space /usr that’s going to move me to the /usr
34:31
directory and notice the prompt changes so here it had a little squiggle when I was in my home directory but here it
34:37
actually shows me the directory that I’m in at the time so if you watch The Prompt change that can kind of help you
34:43
figure out where you are at any time the squiggle is kind of a special placeholder to mean your home directory
34:50
and you can actually use it if I say cd squiggle enter that’ll put me right back
34:56
into my home directory all over again um I can also use autocomplete on this
35:02
stuff so if I go to let’s see /usr/local is probably a good one so I’m saying cd
35:08
space /usr/local then I’m going to add a forward slash and now I want to go to some
35:14
directory below that but I forget what the name of the directory is I can hit the Tab Key twice quickly and that’ll
35:21
say oh at this level bin etc games include lib man blah blah blah these are
35:27
all the options for directories at this point here if I hit the letter L lib is
35:33
the only directory at this location now if I hit tab it’ll autocomplete that for
35:39
me now if I hit tab twice quickly oh there was only one option for
35:45
each so it filled in those directory names and now if I hit tab twice nothing
35:51
happens that tells me I’m at the lowest directory level at that point there so
35:56
by navigating around by leveraging the tab key that can help show me what’s going to be where and what my different
36:02
options are so if I hit enter on that now I am under /usr/local/lib/python
36:09
dist-packages cool so it’s pretty easy to get around that way now if I want to
36:15
go back to my home directory cd space squiggle hit enter now I’m back at my
36:20
home directory again so that’s basic navigation in order to be able to get around on the system now Linux um
36:29
enforces permissions there are things that users can do and there are things
36:34
that only root can do so some things like running the pwd command anybody can
36:40
do that because anybody may need to run it but what if I wanted to work with the firewall on this system well that’s the
36:47
iptables command so if I say iptables dash capital L
36:52
nvx I want to go through and take a look at my firewall rules if I hit enter it
36:57
says whoa wait couldn’t fetch the rule set permission denied you must be
37:03
root so in the past what I would have to do is I would need to log in as root so
37:09
I might have to use su to change to that account I may have to log out and log back in if I didn’t know su was a thing
37:16
but today what we use is we use sudo and as long as you’re part of the sudo users group you can use sudo to run
37:24
root level commands so what I’m going to do is I’m actually going to hit up Arrow to pull back that IP tables command I
37:31
just typed I’m going to arrow to the left and I’m just going to add in the command
37:39
sudo I’ve called called a nobody before yeah there is actually a user nobody believe it or not now notice when I ran
37:46
that command now I can see all of the firewall rules now I can see what’s
37:51
actually being implemented on this system pretty cool but again I had to be
37:57
sudo for that now when you run the sudo command it may pop up and prompt you for your password what sudo will
38:04
do by default is when you type in uh the first time you go to run sudo it will
38:10
save that and uh excuse me it’ll prompt you for your password but then it will save
38:16
the fact that you’ve uh identified yourself properly and so long as you keep using sudo and Bill correct me if
38:23
I’m wrong I think it’s every five minutes you don’t have to reauthenticate again but if you go longer than 5
38:28
minutes you may have to type your password in again so sudo will go through make sure you are in fact you
38:35
and then let you go through and run the command from there so that’s sudo the firewall stuff we’ll come
38:42
back to that as at a later date if I want to check disk space on my system df
38:48
is the command for that actually I’m going to type in clear to clear my screen right that gets rid of all the
38:54
stuff that has been typed earlier and now I’m going to say df to see what I have for disk space and just like we saw with the file
39:03
listings with the ls command everything is just a raw number if I want to have
39:09
that excuse me if I want that designated is you know kilobytes megabytes
39:15
gigabytes etc same as what I did with ls I just add in a -h and when I do that
39:21
you can see the difference in and what’s getting output here so now instead of
39:27
um this I’m seeing this well it’s a little bit easier to read
39:34
right so this is how I can go through and check disk space on the machine what’s all this stuff here with Linux so
39:41
with with Windows I’ll have a C drive if I add another drive I’ll have a D drive right if I add another drive I’ll have
39:48
an E drive well with Linux I can actually add space under directory
39:53
locations which is pretty powerful that way I have one consistent seamless system but I can add storage where I
40:01
need to be able to go through and add it in so what’s been done here is the system has been broken up into different
40:06
directory locations with different amounts of storage but the one we’re most concerned about is this one because
40:13
what this says is hey except for these specific directory locations every other
40:19
directory is going to get located under here so you know my user home directory
40:25
is going to use storage out of that location anything under /usr under /var is going to use storage under that
40:31
location so this is the one I always want to keep an eye on to make sure I’m not running out of disk
40:37
space now your drive might be partitioned differently and that’s okay what you
40:42
want like I said what you want to look for is which one most closely maps to where
40:48
you want to be able to store files if you don’t see a path that leads to where you want to store files there’s always
40:54
going to be a root so it’ll fall back on being whatever root you know whatever amount of space is left on the root
41:02
size cool now let’s say we want to go looking for files right let’s say hey I
41:10
know I got a file on here somewhere I want to go and look for that well the command for that is find f-i-n-d now if I
41:20
want to search just the directory I’m currently in right so right now I’m in
41:26
my home directory so let’s say I want to try and find a file that’s in my current directory
41:32
location I’d specify that with a period so that’s telling find search from here
41:38
and then I’m going to search for directories down below that now I need to tell it how I want to go through and
41:44
do a search what what’s the uh what’s the criteria I want to be uh be able to match on there’s two common switches
41:51
people use -name or -iname I always use -iname
41:57
why because it’s not case sensitive if I put in you know so I’m going to Define
42:03
what I want it to look for let’s say the first letter is capitalized and I didn’t realize that well if I use just use
42:10
-name it isn’t going to find it but if I use -iname it will always find it so
42:15
what do I want to look for let’s say I want to look at this location and lower to see is there a conn.log file that’s
42:22
one of my Zeek logs cool let’s go through and run that
42:27
all right notice it’s found a bunch of them here right there’s a bunch of them under the testing directory cool now
42:34
what if I said well wait a minute I wonder if I have this file somewhere
42:40
else besides in my home directory I actually want to search my entire Drive
42:45
well I’m going to hit the up Arrow key and now what I’m going to do is I’m going to change that dot to a backslash
42:52
just like we saw in the df output I’m specifying the root of the Linux drive
42:58
so now when I hit enter we had a couple things go on here and I’ll talk about each right the first thing we’re running
43:05
into is this permission denied permission denied permission denied
43:11
what’s all that about what that’s what’s happening there is this directory
43:17
location I don’t have read access to it I’m not allowed to read files in that
43:23
location so it’s saying hey maybe the files there maybe not I can’t tell because you don’t have permissions to go
43:30
look at that directory okay fine so I’m going to hit clear to clear my screen
43:35
and now I’m going to hit up Arrow twice and now I’m going to go to the beginning of my command and type in sudo so now
43:44
I’m going to execute this command as if it has root level PR
43:49
privileges Chris’s patient when explaining things well hey that’s how I learn
43:54
so hopefully it works for you too so I’m just adding sudo to the beginning now I’m going to hit enter and
44:01
now it’s still finding conn.log and all those directories we found before but now it’s
44:08
also come up with a new one we didn’t see before right so it found it under opt now sometimes when you do a full
44:17
drive search like this you’re going to see errors pop up you’ll see errors pop
44:23
up that may say something like I’m trying to remember the exact error off the top of my head but it’s
44:28
something along the lines of like no such file or directory or couldn’t read this file or directory or something
44:33
along those lines and when you run across those errors typically they’re going to be under the proc directory
44:40
location /proc what’s going on there proc does a couple of things one is is it
44:46
creates files and tears them down very quickly sometimes so it may be that when
44:52
find checked the table uh uh checked the file allocation table it said oh hey
44:58
there’s a file at that location and then when it tried to find it it couldn’t because it disappeared in that amount of
45:04
time that’s one possibility the other is sometimes proc creates files that it
45:10
can’t let get modified because it’ll totally screw things up so it locks the
45:16
file so that even the root user can’t go in and read it or make changes to it so
45:22
that may be what you’re running into as well so if you if you’re running the file command and you see errors under
45:28
proc don’t worry about that that’s perfectly normal cool so I found all my conn.log
45:36
files here right now let’s say when I ran df space -H let’s say this
45:43
was reading like 98% under the used column I’m running out of disk space this
45:48
is something common we run into a lot right we end up with more interesting things than we expect so I need to get
45:55
back some of that disk space how do I do that well one of the easiest ways is to go and look and see hey where are all my
46:01
big files because I might not need all of those big files anymore and if I can
46:06
delete them that will free up disk space well find can help you with that too so
46:12
I’m going to go in and I’m going to say sudo find right because we’re going to want to look check the whole drive for
46:17
big files so we want to use the sudo command and then I’m going to say find backslash start from the root of
46:25
the drive and search everything and then this time we’re going to say -type f I want to go in and I want
46:33
to specify a a file criteria and the file criteria I want to specify is size
46:41
and I’m going to say +1G what does that mean that means hey
46:48
match on any files that are one gigabit or larger hit enter on that okay it
46:56
found proc this is part of my boot kernel I definitely don’t want to delete that but hey look at this I’ve
47:03
got a pcap file in my home directory that’s bigger than a gig so that’s one
47:09
that I may be able to go through and delete swap I definitely don’t want to delete that because that’s what Linux is
47:15
using when it runs out of physical RAM and here are all those proc errors that I talked about before so those are ones
47:23
I would just go through and ignore I don’t have to worry about those so I can do it based on an exact size I could say
47:30
minus one gig if I wanted to find all files that were less than 1 gig um I could go in and I could say uh size is
47:41
minus let’s say 1K there’s all my really tiny files if I
47:48
wanted to go in and look to see anything that’s uh zero C uh zero I could go in
47:54
and I could say you know size is zero and there’s all of my empty files
48:00
sometimes Linux will create a file just for the sake of creating a file to know that some event occurred it doesn’t need
48:06
to store anything in the file itself just the file being there means something these timers are a great
48:12
example of that you know because what it’s doing is it’s just looking at the fact that the T the file exists and the
48:18
day time stamp that’s associated with when it existed it doesn’t actually need to store anything in it and there’s a
48:24
ton of files like that as you can see because we just went through and said show me all files that don’t have any
48:30
data inside of them cool um let’s see what else can we talk
48:36
about oh so we got a lot of output here right when we were looking at this we saw that let me hit my up Arrow we had a
48:44
ton of zero length files what if I just want to see do I have any I don’t need
48:49
to see the whole list and have it scroll by on the screen like this what if I just want to see is there any in there I
48:56
can pipe it through let me clear the screen so it’s easier to read what I’m going to do is I’m going to do the
49:02
little pipe bracket uh pipe bracket here so that’s usually shift and the key just
49:07
above your Enter key and then I’m going to send this through head and what head will do is head will limit the output to
49:14
10 to 10 lines and then stop so when I run this command here’s the first 10
49:21
files that are zero length and size if I need to change that let’s say I need to see 25 of them head -25
49:29
and now I’ve got a list of 25 instead of just 20 excuse me instead
49:36
of just 10 which is the default all right I’m going to clear the screen again I’m going to hit up arrow
49:42
and instead of head also say
49:49
tail that by default notice this took a little longer to run with head it’s
49:55
grabbing the first 10 lines output and then it’s just shutting it off after that with tail it’s actually going to
50:02
look at all of the output and then go grab those last 10 lines so it’s not uncommon for tail to take a little bit
50:08
longer to go through and run um the other thing you might notice with head and I just kind of skipped over this is
50:16
um oh it didn’t didn’t show up here that’s okay cool so we’re looking at a tail let me go back to
50:25
that now what if I want to see the start and the end of this this
50:33
information there’s actually a special function for that and I don’t know for certain I have it loaded on this screen
50:39
so we’ll actually see if this works but there’s a function called Head tail that
50:44
ships with many Linux systems and it just takes the head command and the tail command and mushes them together so when
50:50
you hit enter yep command not found what if I do that on the other system instead
50:57
because that’s a newer operator a newer version of Ubuntu let me try it on this
51:02
one nope didn’t work on this one okay all right see this is what happens when
51:08
I Stray From the regular content um a lot of systems will have head tail on it
51:13
and it will give you the first 10 lines of output the last 10 but it’s not there all the time as you can say but that is
51:20
one possible command you may run across that you might find useful um we’ve been
51:28
yep you can use the alias to create create those shortcuts absolutely absolutely and that’s one of the ways we
51:33
could go through and do that now if I want did want to actually review all of
51:39
this output rather than trying to send it through head where I only see the beginning or tail where I only see the
51:44
end I could run it through the less command so the less command is similar
51:50
to the more command that we covered last week with Windows but it’s so much more flexible so for example I’m
51:56
going to hit enter right and with with the more command on Windows my only real options
52:03
are hit the space bar and go one page at a time or hit Q to quit out well I can
52:10
hit the space bar here and go one page at a time but I can also use page up and
52:15
page down so I’m going to hit page up and go right back to the beginning of where I started I’m going to hit the
52:21
down arrow key and just increment by one line hit the up Arrow key I can increment by one line so it’s a lot more
52:29
granular in its ability to go through things the other thing you can do with this command which is pretty cool uh let
52:36
me find a good file for this let’s go on testing me find a decent file yeah dnscat2
52:43
will have one I’m going to say
52:48
less conn.log so I just typed in less space c o n and then hit Tab and autocompleted
52:56
the rest of that file name and then I’m going to go through and I’m going to hit enter and that’ll show me
53:01
the contents of this file now here’s the problem with this output and you may run into this from time to time
53:09
see all of this that’s highlighted in blue that’s actually a single line of
53:16
output it’s had to line wrap because all of that output wouldn’t fit on my screen
53:23
with font size I’m using so that kind of makes this hard to read right as I’m looking through it I’ve got
53:28
lines that kind double back on themselves I can clean this up with the less command so I’m going to hit Q to
53:34
quit out of this and now I’m going to say less Dash capital
53:41
S c o n and then hit tab to complete the file name and now you’ll notice
53:46
everything’s on a single line and see I’ve got little arrows pointing to the right here that tells me hey there’s
53:52
more data off the right hand side of the screen so now if I hit my right arrow key I can navigate over to that
54:02
data now here’s another problem we’re running
54:08
into up here these are supposed to be my columns so TS is timestamp that’s this
54:15
information here uid is this unique information here this is my source IP
54:22
which is over here or is over here you can see what’s happening my data is Shifting to the right of all my titles
54:29
so that by the time I get over to the right look at this I’ve got a bunch of titles with nothing showing up underneath it because all the data
54:36
finished already can I clean that up actually yeah you can with the less command so I’m going to hit Q I’m going to hit
54:43
the up arrow and what I’m going to do is I’m going to add in -x which tells it I want to specify the
54:52
width you should use for each column and I’m going to put in I’m going to guess I’m going to say 30 I don’t think
54:59
there’s more than 30 characters that are part of any of these fields and now I’m going to hit enter and once I do that oh
55:06
hey look things start lining up a whole lot cleaner so that -x is a really good
55:12
way to kind of help sort things out now it doesn’t fix everything here’s timestamp but it’s left Justified well
55:19
that’s because this file starts with this and what less is doing is it’s
55:25
actually lining it up up with that Fields because it doesn’t know that that’s just a descriptor right it
55:32
expects everything to be one left justified in all the titles to match up with the columns they didn’t do that in
55:37
this file for whatever reason so less can’t fix that but it does do a much
55:42
better job of cleaning up the output so it’s a whole lot easier to read and then once I’m done excuse me all I got to do
55:50
is uh go in and hit q and that’ll exit out now let’s say you’re on a Linux
55:57
system and you’re saying oh I got this file and it’s line wrapping and the columns are a mess oh wait Chris had a
56:04
class where he taught me about a command that would clean this up but shoot I
56:09
don’t remember what that command is and I don’t remember what I did with the PDF how do you figure this stuff out one of
56:15
the awesome things about lenux is that you always have online manuals called
56:21
man pages so if you type in man and then hit the space bar
56:26
and then type in whatever command you want to learn about let’s say we want to learn about the less
56:33
command oh that’s right I have that truncated off on that system that was
56:39
dumb let’s try that over here man less I don’t have the man page installed in
56:44
that first system just to save space because I don’t use them that often but by default a Linux system will install
56:50
the man pages so this will usually be here for you but here is the manual on using the less command notice the
56:57
description opposite of more I always thought that was kind of a cute descriptor but then it’ll show you hey
57:04
here are all the different valid switches and then as I arrow down or I hit space bar to go one page at a time
57:10
or I hit page up or page down this starts going through what are all the different options so like it’ll tell me
57:16
if you hit the space bar or Ctrl-V f Ctrl-F this will scroll a number of
57:22
lines down uh what was one of the other ones we we using dash S let’s find
57:29
that I’m sure it’s in here somewhere using -S and
57:35
-x it’ll be in here somewhere should be oh no this is in
57:41
where you’re actually like doing searches and well any they’re in here somewhere I forget exactly where uh you
57:47
can search do searches in here so let’s say I know that um I want to learn about
57:55
a esape all capitalized what I can do is I can hit the backslash key and when I
58:02
do notice the lower left here it the prompt changes and it just shows a backslash and I can
58:10
say case sensitive what do I want to search for and now hit enter and it’ll
58:16
jump right to where it finds those characters and if I just hit backslash
58:21
with nothing else and hit enter it’ll jump to the next time it finds it backslash hit enter and it says pattern not
58:29
found so it’s gone to the end of the file and it hasn’t found any matches against that so with the less command
58:34
when I’m viewing a file I can actually do searching inside of that which is pretty
58:41
cool so that’s my uh so that’s the man pages that’s how you can go through and find
58:47
help on anything so you know the other one I was using was iptables man iptables hit enter here’s all the valid
58:55
commands that are associated with iptables so you’ve oh yeah so this is like Google built into your uh built into the
59:02
command prompt on every Linux system you can go through and use that uh let’s see what else might you need oh so you might
59:08
want to see running processes so if I type in ps and hit enter that will
59:14
show me all the processes that I am currently running on that system well the only process I have running right
59:21
now is me being logged in so here’s the bash shell that I’m logged in through
59:27
right so when I SSHed in I was given a bash shell to work within so that’s this
59:32
process right here and then this process was actually me running the ps command
59:37
up here so those are the only two things I have running now if I want to see everything that’s running on this system
59:44
I can say ps space -ax and then I can you know pump
59:50
that through more or less or you know head or tail or whatever I need to do I’m just going to hit enter on it
59:56
because this will show me all the processes that are running on this system and there’s other switches you can play with to tell you who owns it
1:00:04
you know what child processes might be associated with what um there’s a lot of functionality with the ps command the
1:00:10
basics of just being able to look at what’s running right now uh ps -ax will
1:00:15
show you everything that’s running on that box it was our Google a couple of years ago yes I totally agree SG ninja man pages
1:00:24
was Google before there was Google so uh if you want you want to see if you
1:00:29
want like a slightly different view of these processes or if you want to know you know how much memory of CPU time
1:00:35
these processes are using up there is the top command top so I’m going to hit
1:00:41
T to I’m going to type out top top hit enter and when I do I get this output
1:00:47
this will actually update every couple of seconds for me and it will show me
1:00:52
which processes are using the most processing time so notice mongod is my biggest processor hog although it’s
1:00:59
still using less than 1% e CPU and then my next one after that yeah that that
1:01:04
one just kind of keeps changing um what else can I do I I can
1:01:10
go through and I can if I hit the letter M I can change my search to be based on memory and I can even get these pretty
1:01:17
little ASCII graphics up here to show me how much memory am I using you know this
1:01:23
is the this is showing me that I’m using you know I could go all the way out to here so this is showing me I’m using
1:01:29
what 10% of my available RAM physical RAM and then I’m using zero of my
1:01:35
swap and then hitting M again will change it to solid bars it’ll make it go away and then it’ll add it in as just
1:01:42
numeric values so there’s a couple of ways to kind of customize the output in top if you want to go in and you want to
1:01:48
play around with that uh let’s see noob question what do tools like vi Vim Emacs
1:01:54
get one that text editors like Nano don’t oh good question um so which text editor is
1:02:03
best oh that’s a personal choice right like the for for people way younger than
1:02:10
me nano seems to be the one they all go with and I totally get that right if I drop out of this for a second and I’m
1:02:17
just going to say nano fubar or a file name I’ve got a nice
1:02:23
little menu down here on the bottom tell me how to write out how to exit you know
1:02:29
everything is here and it’s useful and I I admit that this is much better than
1:02:34
let’s say um let me exit out um answer no we discard changes yes I want to
1:02:41
discard changes cool if I say vi
1:02:47
fubar where’s my menu right and now I’m going to type type uh I’m going to start
1:02:52
hitting the letter e well wait why isn’t the letter e showing up up here oh
1:02:57
that’s right I have to hit the letter i to put it in insert mode and now I can
1:03:02
hit the letter e to get that Vim is not intuitive at all Vim and vi are not
1:03:09
intuitive but when you are an old fart like me and you’ve been using vi
1:03:17
forever it it’s just kind of second nature I would be rich if I had a dollar
1:03:26
for every time I typed :wq while using
1:03:32
Nano why would you do that Chris because :wq is how you tell vi to write the
1:03:39
changes I’ve made and then quit but Nano doesn’t use that right Nano you know
1:03:44
control and tell it to save and then control and you can exit from there it’s it’s a different menu function but I’ve
1:03:50
just been using vi so long I just go with that so which one is best you know which is the best text editor for you to
1:03:57
use whichever one you feel most comfortable with and like I said for most folks that are new at this Nano
1:04:02
really is the best tool for that but for old die hards like me vi is just
1:04:09
programmed into my neurons so even if you put Nano in front of me I’m still going to try and use it like it’s vi I’m
1:04:17
going to start hitting the Escape key and not being sure why nothing’s happening well it’s because you know Nano doesn’t use the Escape key the same
1:04:24
way cool good great question great question all right uh what else can we poke
1:04:30
around with oh hey what if I want to know the IP addresses that are associated with this system well we have
1:04:37
a new command called ip and they’re trying to consolidate a lot of things that used to be available through
1:04:43
different other commands all under this ip command so if I type in ip I can type
1:04:48
in ip address or I can just type in ip and the letter a and that will show me
1:04:54
all my network inter interfaces that are on this box so here’s my eth0
1:05:00
interface and here’s the public IP address that’s been assigned to that system um if I jump to my other box and
1:05:07
I type in ip a here’s all these network interfaces notice here’s my regular
1:05:14
network interface that’s on there that’s enp6s18 oh that’s intuitive
1:05:21
right so you may and both of these are running Ubuntu so it’s not uncommon to run into
1:05:28
situations where you know it might use the eth0 it might use the um if but if you need your interface
1:05:35
name ip space a hit enter that’ll show you all your interfaces that are on your
1:05:40
machine now what I will ask you is that when you run this command on your system
1:05:45
identify the network interface that you’re connecting through right now right so it might be like an enp
1:05:51
interface it might be eth0 eth1 or something like that but identify the
1:05:57
interface you’re currently connecting through and just jot it down real quick cuz we’re going to come back and use that information a little bit
1:06:04
later cool so that shows me all my network interfaces well of course the problem here is this inter this output’s
1:06:11
kind of busy right there’s a lot of information on the screen here is there any way for me to go through and kind of
1:06:18
clean that up well yeah one of the things I can do so I’m going to um type in ip space a same as I did before
1:06:26
but I’m going to use a tool that’ll let me search through the output to only
1:06:32
look for specific patterns well when I’m looking for files on the system we were using the find command but when I want
1:06:39
to search text output right whether it be output from a command or if I want to
1:06:45
search files for information inside of those files the command to use is grep
1:06:52
grep and what I’m going to do is I’m going to say grep inet notice when my IP address is listed
1:07:01
it’s preceded by inet so now when I hit enter notice the difference rather than
1:07:07
getting you know the MAC address with the broadcast address who cares about that you know valid blah blah blah blah
1:07:14
blah blah broadcast blah blah blah who cares if all I care about is hey what IP addresses are assigned on this system if I
1:07:22
grep on inet that’s all that comes back well that that’s less information to search through to say oh hey okay let me
1:07:28
look at these addresses oh this is the only legal IPv4 address okay that must be the legal address that’s associated
1:07:35
with this system so that makes it really easy to go through and find now the problem is notice it’s showing me IPv6
1:07:42
addresses as well why because we told it go in and look for inet well if inet was
1:07:50
down here out on the line someplace or something it’s going to match on that it’s look saying I’m going to look for
1:07:57
the character string inet and anytime I see it I’m going to go through and I’m going to grab that line of information
1:08:04
and inet6 obviously includes inet well what if I want to make sure it only
1:08:10
grabs inet it doesn’t grab these inet6s well I need to add some switches to my grep command in order to have that
1:08:17
happen so I’m going to hit up arrow and then what I’m going to do is right before the inet search I’m going to say
1:08:24
-w what does -w do -w tells grep match on
1:08:31
this as if it’s a word what that means is that there needs to be either white
1:08:38
space before it and after it this character sequence right so this means
1:08:43
that here it either needs to be the start of the line or a space character
1:08:49
or a tab or something like that and this side here either needs to be the end of
1:08:55
the the line or a space character or a whitespace or tab or something like that so when I go in and I do that
1:09:01
search notice this time none of the inet6s appear if I don’t know the case of
1:09:09
what I’m searching for right like I knew this was all lowercase let’s say I didn’t know that for sure just like we
1:09:15
were talking about before add in a -i that makes the search case
1:09:20
insensitive so I can go through and I can use that I liked ifconfig I
1:09:25
don’t know why Linux moved on from it and made ip its default oh HK you’re
1:09:31
becoming a crabby old dude just like me that’s awesome that is awesome man yeah
1:09:37
because I felt exactly the same way it’s like wait I know how to use ifconfig everything work I get I it does
1:09:43
everything I needed to why are you making changing this so that I have to learn new stuff yeah I I totally agree
1:09:51
with that sentiment but with that said you know if you take like what net does and what ifconfig does and what arp
1:09:57
does and combine them all together that’s all part of the ip command now now to me I actually find it a little
1:10:04
bit more helpful to have the command separate because then there’s not as
1:10:10
many switches to try and keep track of but you know tomato tomato everybody’s a little bit different so you know it’s
1:10:18
yeah I’m not writing the tool someone who is investing time that I’m not is so
1:10:25
I need to go through and you know recognize that they get to make the choices I don’t but you know I mentioned
1:10:31
like you know the ARP command we use the ARP command on Windows and you know the ARP command will work here too so if I
1:10:36
say arp space - there’s all my MAC addresses but I can also say see if I can remember
1:10:43
this uh ip I think it’s neighbors n e i g h b o r s I think that will do it
1:10:51
too um is it just neighbor yeah neighbor so no s at the end so it’s
1:10:59
ip space neighbor will give you the same information uh wait a minute here notice
1:11:04
an interesting pattern look at all the MAC
1:11:10
addresses notice anything interesting about all the MAC addresses that are associated with every single one of
1:11:16
these IP addresses I’ll I’ll I’ll let’s look at it this way I’m going to go to one of my local systems and I’m going to
1:11:22
say r- and there’s some local boxes that are online and here are the Mac addresses
1:11:27
that are associated with them now if I go back to that first one besides there being more entries here notice something
1:11:34
interesting they all have the same MAC address what the heck is going on
1:11:39
here this is a cloud vendor running everything through a software switch so
1:11:44
they can control my data so when you’re on a cloud you’re not on a typical
1:11:50
ethernet Network you’re on a software switch that’s going to control what you can send and where you can send it this
1:11:57
is their way to kind of make sure they can more closely monitor if you try to you know go adjacent to other systems
1:12:03
and things of that nature this we’ll get into this more later but when you look at a MAC address let me jump back to the
1:12:09
other system first when you look at a MAC address the first three bytes are a
1:12:15
vendor code associated with the vendor who produced this particular network
1:12:20
interface card the last three bytes are a unique s uh serial number used by that
1:12:27
vendor to uniquely identify this card versus any other card they’ve ever
1:12:34
produced so I could always look at the first three bytes of a MAC address to figure out who made it and there’s
1:12:41
actually you know there are files and databases and resources out on the internet if you do a search on MAC
1:12:47
address search you know you’ll run into something that will say yeah put your MAC address in here and we’ll tell you
1:12:52
who the vendor is and you can go in and you can do a search well FE
1:12:59
000000 is not a valid vendor code it hasn’t been assigned to anybody so this
1:13:06
vendor has said well no one else is using it so this won’t cause any problems so I’m just going to go through and use this so if you’re in a cloud
1:13:13
environment and you’re trying to look at layer 2 information and it’s looking kind of weird yeah that might be a
1:13:19
feature from the perspective of the cloud vendor now remember I told you to keep track
1:13:27
of your interface name right so when we said ip space a we went and we looked at
1:13:34
what was our interface name we asked it to keep an eye on that because one of the things you can do with the ip
1:13:40
command is you can nest it inside of the watch command to kind of monitor
1:13:45
statistics that are associated with that interface um I’m going to throw this
1:13:50
command in to the channel
1:13:59
just so people don’t have to worry about
1:14:04
typos there we go so I’m gonna let me clear my screen and I’m going to say I
1:14:10
want to watch w a t c h -n 1 once per second and then I need to
1:14:18
tell it what is it I want to watch well I want to watch and I need to use double quotes the ip space
1:14:26
-s link show command that’s going to show me my my link interface statistics
1:14:34
actually I should have showed you that first let’s do that let me copy this part of
1:14:40
it and then let me clear this command paste that
1:14:47
in and eth0 is my local interface yours may be different right so if I want to
1:14:53
go in and I want to use the ip command to look at my network statistics this is showing me how many bytes has been
1:15:01
received how many bytes has been transmitted how many packets have been received how many packets have been
1:15:07
transmitted and if I hit the up arrow and hit enter I’m going to see those numbers change right if I look at like
1:15:14
the last couple of bytes I can see oh yeah that’s incrementing up well if I want to see how much is coming through
1:15:20
as a flow I could just keep hitting up Arrow like I was doing there but the other way to do it is to use that watch
1:15:26
command I was starting to give you so I’m going to say watch -n
1:15:32
1 I want to monitor it once per second so what I’m saying is once per second I want you to run this command that I’m
1:15:39
putting inside of the quotes now once I do that watch what happens it clears the
1:15:44
screen and you’ll notice every second you’ll see the uh you’ll see the
1:15:49
statistics climbing up the reason I know for certain the statistics are going to climb up is because I’m sshed into this
1:15:57
box so even if nothing else at all is going on one of the things that will be
1:16:02
going on is it will be uh uh recording the statistics for my SSH connection
1:16:08
sending traffic back and forth so I’m using the watch command
1:16:13
here with um ip link just as an example but if you have any commands you want to
1:16:19
be able to run once a second every 10 seconds or whatever to see you know what the output looks like you can you could
1:16:25
use the watch command for that as well if you wanted to if you ran this command and it didn’t work for you what you may
1:16:31
have run into is you’re not using the right interface name so I just hit control C to get out of that so remember
1:16:38
you know we needed to find the ne network interface using ip space a you your interface may not be eth0 you
1:16:45
know in which case you just got to change it to whatever it happens to be and you should be in pretty good
1:16:51
shape from there uh let’s see what else is fun oh open port on the system let’s talk about that so we’re going to say
1:16:57
netstat -an and I’m going to pipe this through less because I know they’ll probably be
1:17:03
more than a page worth of output so netstat -an so the -a says show me
1:17:09
port activity -n don’t try and resolve it to any fully qualified domain
1:17:15
names and now I’m going to run that through less and here’s what this is telling me
1:17:21
this is telling me that I have a TCP Port
1:17:27
27017 open but it’s only bound to the loop back interface only the local
1:17:34
system could potentially connect to this and the fact that it’s a in a listen state tells me that port is open and
1:17:41
they’re waiting to accept connections this entry pretty similar port
1:17:47
53 is open on the local system but only the local system can talk to that port
1:17:53
because it’s bound to the loop back interface and that’s in a listening State however look at
1:17:59
SSH ssh is bound to 0.0.0.0 well that’s a wild card that means
1:18:06
any network interface so SSH is not only listening on the loop back interface it’s listening on all the ethernet
1:18:13
interfaces as well and again because it’s in a listen State it’ll accept any inbound connections that are coming in
1:18:20
this entry is my connection into this box so here’s the IP address I’m coming
1:18:27
from here’s the source port on my system here I am talking to this remote system
1:18:33
on Port 22 how do I know it’s this one because this is the only one here that’s in an established state established
1:18:40
means a connection has already been created I’ve got couple of ports open on
1:18:47
TCP6 as well and then I get to UDP and this is where it gets a little bit funky
1:18:54
notice it isn’t listed as listen UDP ports are default listening if it’s
1:19:00
there it’s listening it’ll accept it’ll potentially accept data coming into it but this is showing me all my open ports
1:19:06
on the system and then this shows me any domain sockets that happen to be on that box we’ll come back and we’ll talk more
1:19:12
about these and what they mean later I don’t want to get down that road because we got a couple other commands we want to go through first but you know what
1:19:18
ports are open on my box netstat space - pump it through less and look at any TCP
1:19:25
Port listed as being in a listen state or any UDP Port that gets listed at all
1:19:32
those are my open ports that could potentially accept an inbound connection the exception is if it’s only bound to
1:19:39
loop back yes that port is open but only that system can get to
1:19:45
it why would you ever open up a port that only the local system can get to that kind of almost makes no sense right
1:19:51
like why would you have to talk to yourself see this port here that’s actually
1:19:58
so I’ve got a database running here so let’s say I have a process that I want to have it be able to exchange
1:20:04
data with the database well I could do it at a file level but now my
1:20:10
other process kind of needs to understand and it needs to understand how to do inserts into the
1:20:15
database well by having an open port I don’t have to worry about any
1:20:20
compatibility like that I can just send it to the port so long as I’m using valid man for that Port this becomes
1:20:26
pretty portable at that point so it’s actually a pretty decent way to have applications exchange information with
1:20:33
each other you just have them open a port but bind it to loop back only and that way only the local system can
1:20:38
access those ports um I mentioned okay I’m logged in
1:20:44
through this connection here right how do I know I’m the only one logged in
1:20:49
well I’m going to hit q to get out of this page right that’s going to stop my less command and I’m going to hit w and
1:20:56
that’ll show me who’s logged into this box so you can see I logged in about 18 minutes
1:21:02
ago back when we started not much idle time so w will tell you who’s logged
1:21:08
into that system at any given time if I want to look at my history of when I’ve
1:21:14
been logged in last space-
1:21:22
AF right last um it doesn’t like the
1:21:29
F day yeah D day does it okay cool I don’t
1:21:34
know where I was getting the dhf command from then all right so what’s this showing me so this is showing me all the
1:21:40
different times I’ve logged in right so here I logged in back on January 13th I
1:21:45
logged in a bunch of times on the 14th here’s where I came from here’s how
1:21:51
long I was in for notice this one I wasn’t logged in long at all I’m not sure what I was doing with that session
1:21:57
here you know but you get the idea this is my audit history so if I go through
1:22:02
this and I see hey one of these IP addresses is ChinaNet well that probably wasn’t me logging in I don’t remember
1:22:10
being on the ChinaNet network so something else funky is going on now the first
1:22:15
time you run the last command you may actually not get any output so if you go in and you’re doing a last -a and you’re
1:22:22
saying Chris I know I’ve logged in before but I’m not seeing any of this last doesn’t actually start recording
1:22:28
that information until the first time you go in and use the command once you go in and run it now log out log in and
1:22:36
now you should start seeing entries after that so um so yeah so there’s that so
1:22:43
you may need to give it a little bit of time to actually do its thing now what if I want to see failed
1:22:48
logins well there’s a command for that too now again I have to run this command
1:22:54
in to tell it to start recording this data before I can actually use that data
1:22:59
but the command is sudo I have to have root level permissions lastb so rather
1:23:07
than just last I’m using lastb that’s the difference between the two and I’m
1:23:12
just going to pump that through the head command so I can see what the last 10 are that’s prompted me for my password
1:23:19
so now I need to remember what my password is on this system I
1:23:25
think that’s it yes it is yay Chris didn’t screw it up and notice oh I had
1:23:30
somebody see Korea trying to log in da Daz user Root Root Root Root yeah oh hey
1:23:39
yeah look at this anything 218.92 that’s ChinaNet ChinaNet is constantly
1:23:46
trying to log in to different systems in fact um let’s go through and let’s
1:23:52
analyze that a little bit closer I’m going to go in and I’m going to say I’m going to hit my up arrow and instead
1:23:59
of head I’m going to say grep
1:24:08
218.92. and then pump it through less and
1:24:14
this will show me anything that’s associated with that IP now I want you to notice something lots of root
1:24:21
logins three attempts from this IP address and then one attempt from that
1:24:28
three from this one oh and then it pulls in a couple more from that 165 address
1:24:33
and then it moves on to 207 oh this is clearly a coordinated scan this is not
1:24:38
one person like you know running nmap or something like that this is a bunch
1:24:45
of different IPs have been allocated because what’ll happen is a lot of folks
1:24:50
uh will run fail2ban I’m one of them and what fail2ban says is say hey if you fail your login X number of time
1:24:58
uh X number of tries in y amount of time I’m just going to stop you from being
1:25:03
able to look connect to the system at all and I’m going to shun you away for an hour or whatever the default time
1:25:08
happens to be set to so what this what they’re doing here is they’re coordinating across multiple IP
1:25:15
addresses so that if they trigger fail2ban they can keep trying different passwords as root but just now it’s
1:25:23
coming from a different IP address us I don’t think fail2ban has a subnet
1:25:28
setting where you can go in and say oh hey if you know 192 excuse me if 218.92
1:25:35
0.167 fails when it tries to connect ban anything from 2189 to20 I don’t think it
1:25:43
has an option for that but there are other options you can use to lengthen the time change the error code that
1:25:48
comes back I actually did a blog on that up on the Active Countermeasures website you know maybe like a month or
1:25:53
two ago um so if you’re interested in fail2ban and how to kind of tweak that I actually went through and kind of
1:25:59
um kind of hit that one to kind of give you some additional detail um if I wanted to see hey so I’m seeing a lot of
1:26:05
root logins is root the most popular login being used huh let’s find out so
1:26:11
I’m going to say sudo lastb and then I’m going to pipe that and let’s see
1:26:18
what do I want to do well the login name is in this First Column right so I’m
1:26:24
going to want to go through and cut that column out I don’t want to look at this other information right now I just want
1:26:29
to see what is the most popular account that people are trying to log in as so I’m going to use cut cut and I’m going
1:26:37
to say -f1 I want to cut the first field this is field one field two field
1:26:43
three and so on I want to cut so that it’s only giving me the first field and then I have to tell it what separates
1:26:49
the fields well it’s space characters separating the fields and now I’m just going to pipe that through head to
1:26:55
check to make sure the commands work in the way I expected um oh I have to spell lastb
1:27:01
right that would help ah it doesn’t have two B’s Chris come on there we go hey
1:27:07
look at that now I’ve just got that First Column information that’s what I was looking for cool so now what I’m
1:27:14
going to do is I’m going to say okay let’s take that data and let’s run that through sort what will that do for me
1:27:21
well when I run it through sort anytime things the same and I’ve got some blank lines so it’s consolidating all the
1:27:27
blank lines here it’s not showing me data yeah that happens um but now one
1:27:32
line after the other when they’re the same it’s going to correlate those all together so root will always be one line
1:27:38
after another you know what we saw here was a a blank line was one line after
1:27:43
another cool now I’m going to say uniq -c uniq -c says rather than list root 50
1:27:51
times only print one line fud and just write the number 50 that way I know it
1:27:57
matched 50 times let’s run that through head and see what we got oh that looks pretty good right 136 blank lines we’ve
1:28:06
got you know they they didn’t use a login name we’ve got some exclamation points here we got some weird oh it
1:28:12
looks like they’re trying to log in with some binary that’s kind of interesting I haven’t seen that one before cool now
1:28:19
let’s see what else do we want to see about this let’s sort this
1:28:26
highest to lowest so the names they’re trying to use most frequently will get listed first the names they’re trying to
1:28:33
use least frequently will be listed last and now we’ll pump that through head and I’m pretty certain this is going to work
1:28:41
so I’m going to copy that and I know we’ve run a couple of minutes over I apologize we only got a couple more slides left so I’ll go through them all
1:28:49
but I just pasted in this command that I was using and on my system look at this
1:28:55
21,000 attempts to log in as root 12,000 attempts to log in as admin we’ve
1:29:01
got some logins as ubuntu gee that’ll work on EC2 it’s not going to work here so that’s kind of weird but whatever
1:29:07
they’re trying to log in as an oracle valid oh so valid is actually a a
1:29:16
service to go look for vulnerabilities so that looks like maybe they’re not validating the ownership of their
1:29:23
endpoints that’s kind of scary uh they’re like a like a um like a cloud pen testing
1:29:29
service so you can go to them and say oh hey you know come check my boxes and they’re checking my box and I didn’t
1:29:35
hire them so that tells me yeah maybe something else is going on
1:29:41
here cool yeah thanks dude yeah so what I run into is I kind of run into oh it’
1:29:47
be cool to teach people this it’d be cool to teach people that and yeah sometimes these get a little long but we’re getting into the home stretch here
1:29:53
um the last thing I wanted to go through is commands right so I’ve been typing
1:29:59
all these commands here you have too what if you need to try and remember a command on that system that you’ve run
1:30:06
before there’s a couple places you can check so if I’m in my home directory so I’m going to type pwd that shows me I’m
1:30:12
in my home directory and I’m going to type ls- to show me all files I’m not
1:30:18
going to bother with h because I don’t care about file sizes what I’m looking for and I got a lot of in this directory
1:30:25
what I’m I’m going to pump that through less what I’m looking for is this file
1:30:33
here .bash_history what’s that well hey let’s find out so I’m going to say
1:30:40
cat cat is a way to list out the contents of a file do
1:30:47
.bash_history so I just typed in hist and hit tab and when I do that here’s the
1:30:54
contents of that file well notice what’s in here there’s a lot of all the commands I’ve typed in the past all the
1:31:00
way down to exit well wait a minute you haven’t seen me type exit yet so the
1:31:06
these commands get stored to this file when you end your session it will record
1:31:11
the last 2,000 commands you have typed on that system so if you have tools you
1:31:18
run that have you set passwords and you’re setting the password on the command line guess what but that command
1:31:25
is stored in your history file if someone got into your account they could find that other password just by going
1:31:31
through the history files so keep that in the back of your head if I want to see the stuff that I’ve done
1:31:39
recently command is history so if I go in and I say history
1:31:44
it’s going to list out everything right notice the last thing I did just before this I catted the .bash_history file
1:31:52
here’s where we were working through sudo with lastb and including where I
1:31:57
had two B’s in there so history will show me my most recent commands as well
1:32:03
I can also say things like you know history uh 10 if I only want to see like
1:32:10
um the last 10 commands that were run type of thing that works too so H um
1:32:15
while I can go to the .bash_history file and search for things there it’s a little easier to just go in and use the
1:32:22
history command to go through and do it and now if there was a command I wanted to look for I could say history type
1:32:29
that through grep um iptables have I run the iptables command before Oh hey
1:32:35
here’s all the instances where iptables has been run uh this is actually triggering as part of my uh fail2ban
1:32:42
setup all the stuff that you see in here that also is for another
1:32:47
day um let’s see oh so the last thing I want to hit with you is patching so this
1:32:53
is going to to be a little different depending upon what platform you’re on so with Ubuntu and Debian the um the
1:33:01
patching system is called apt so if I say sudo apt update what that
1:33:09
does is that checks the local system to say where are the patching servers located do I can I still communicate
1:33:16
with them do they and I did this one on purpose do they actually still have
1:33:22
valid signature in other words one of the things the patching system will do is it only wants
1:33:28
to talk to valid servers and if the key is changed unexpectedly it isn’t going to pull patches from that system anymore
1:33:34
it isn’t going to trust it so by running sudo apt update that ver validates all the servers are still reachable and which
1:33:41
ones still have valid keys and which ones don’t what that allows me to do is now I can use all my other potential um
1:33:50
sudo excuse me apt commands so I could go in and I could say sudo
1:33:55
apt um let’s say list and I want to say uh dash dash
1:34:04
upgradable so what that’ll list out is any software that might be upgradable on my system right now
1:34:11
um I didn’t use dash oh I missed the
1:34:17
double dash list upgradable yeah that’s it I’ll post this in I just needed uh
1:34:23
two dashes instead of just one there’s that in the chat for you so what this is telling me is so by default
1:34:32
most Linux systems will install any missing security patches so each day it’ll go out and check and say hey is
1:34:38
this security related if so let’s get this system secured let’s lock it down but if there functional updates that
1:34:45
come out those don’t get installed automatically necessarily so these are
1:34:50
uh packages on my system that I could choose to go through and update if I wanted to so if I want to update that
1:34:58
the command for that is sudo because again I get to do this as root cuz I’m changing files on the entire system
1:35:06
apt -y upgrade what does the -y do the -y says don’t prompt me to tell me
1:35:13
how much disk space is going to be used when you install these patch files trust me to be smart enough to know I have
1:35:20
enough disk space to install these updates and ignore that prompt so now
1:35:25
when I hit enter this will go out and those P those upgradable packages that
1:35:30
were listed will now pop up and automatically get updated on this system
1:35:36
this is cool I don’t have to download and you know and build anything or anything like that you know it makes it
1:35:42
nice and easy to go through and do the last thing I want to go through and show you is how to install
1:35:48
software um so the tree command is really cool because that’ll show you
1:35:54
what the directory structures look like but notice it says hey I can’t find this tree command then it’s telling me here
1:36:02
are your options for installing the tree command on this system so it’s telling
1:36:08
me how to go through and find it cool so I’m going to say sudo apt
1:36:15
install tree that’s it hit enter it’ll go out and find that for me it’ll
1:36:22
install it on the system now when I type tree oh hey look here’s
1:36:27
my full directory structure including all the files that are under it in a nice ASCII graphical format you know
1:36:33
let’s say that’s what I was going through when I was looking for so that was the last thing I wanted to cover was how to go through and
1:36:40
install patches um what else oh yeah so what if
1:36:45
I want to learn more well y’all know Bill he’s always in this channel um I made a
1:36:51
mention a couple of us were talking about like Linux and stuff and I mentioned that I’ve known Bill for 25
1:37:00
years and I met Bill when he was hosting a Linux install fest so a Linux
1:37:06
install fest was hey bring your hardware and we’ll help you get Linux up and running on your system so he was running
1:37:13
one of those events the first time I met him so Bill’s been working with Linux forever and I used to try Bill
1:37:20
blew me away with how much he knew about Linux to the point where I felt it necessary to actually try and keep score
1:37:28
of every time I could teach Bill something about Linux that he didn’t
1:37:33
already know about and it hasn’t been easy I can honestly say that after 25
1:37:40
years I haven’t made it to 10 items I think I I think I’ve maybe made it to
1:37:45
four or five I haven’t made it to 10 yet so bill has some really good content on
1:37:51
Linux it’s definitely worth going through and uh checking out I think he’s got some stuff on the Antisyphon side
1:37:56
he’s got a bunch of blog entries um up on the Active Countermeasures site uh
1:38:01
Hal Pomeranz is freaking phenomenal um he’s definitely smart so anything by Hal
1:38:09
is definitely worth going through and checking out um there’s some online tutorials that can teach you a lot of
1:38:15
really good stuff I gave you links to that if you know of another good resource please please go ahead and
1:38:21
share that in the chat Channel with everybody now so one of the awesome things about
1:38:27
you know this format is that hey if you know something I don’t you can share it with people
1:38:32
too and that’s all I got that is all I got for today so we
1:38:37
ran you know while it’s going to end up being 15 minutes by the time we get done saying goodbye we’re in 15 minutes over
1:38:43
I appreciate you know the folks sticking out towards the end of this uh even though we ran a little bit long but I
1:38:49
really had a hard time picking any of that stuff to make it go away so uh but
1:38:55
thank you everybody so next week um I don’t remember what we’re talking about
1:39:01
I hate it when that happens uh let’s see what are we talking about in the next Fireside Friday if I go up to the Active
1:39:08
Countermeasures site go to events next Friday ooh evaluating risk
1:39:16
that’ll be fun so yeah so when it comes to cyber risk a lot of times we tend to just kind of wing it right like do I
1:39:24
need to worry about that Well everybody’s talking about it so it must be a big deal there are actually like
1:39:29
processes and formulas and stuff like that to do the two most common methods are quantitative and qualitative risk
1:39:38
assessment to go through and actually you can actually go through and try and figure out how many dollars does it make
1:39:45
sense to try and protect against this particular type of vulnerability um so we’re actually going to go through and
1:39:52
talk about that next week um there will not be any Hands-On slide or Hands-On Labs next week is going to
1:39:58
be strictly lecture um but hopefully I can make it at least somewhat entertaining when we go through that so
1:40:05
with that said Thank you folks yeah bill you got something no it’s me sorry but scroll bit you next week is actually
1:40:12
introduction to security architecture ah scroll bit me yeah yeah
1:40:17
you’re right you’re right actually no the like inability to know what the date is is is what bit me well yeah but
1:40:25
you’re talking and typing and you know multitasking so yeah so yes so Keith is right so next week is actually
1:40:32
introduction to security architecture so that is um what are the you know what’s
1:40:39
a layer defense what does that mean where does it make sense to apply resources um how do you architect things
1:40:46
to try and make it a little bit easier to actually monitor your security in the first place so next week there will also
1:40:53
not be any labs it’ll just be lecture but tomorrow uh next week now that we’ve kind of got some Windows
1:40:59
command stuff down some Linux command stuff down I’m going to start giving you some of the overall fundamentals and
1:41:05
then later we’ll be able to jump back and forth as we go in and start applying them next week is my wheelhouse or so I
1:41:12
think awesome dude awesome cool Bill Keith and and team
1:41:19
anything else before we uh finish up that’s great Chris thanks so much for bringing all that up and and doing the
1:41:26
live demos as well that’s fantastic also okay big big question Bill did you learn
1:41:32
anything new this week uh I learned that I know very little about
1:41:38
Windows oh no that doesn’t count we’re talking about Linux this week okay okay
1:41:43
all right so I’m still stuck at only teaching Bill five things about Linux in the last 25 years so okay call that
1:41:50
for what it is thank you so much Chris all right folks everybody take care I
1:41:55
will catch you next Friday thank you Chris that was awesome
Slide Deck:
Fireside Friday – Introduction to Security Architecture
January 24, 2025
Recording:
Show/Hide Transcription:
0:00
ear uh this week we’re going to be talking about security architecture I want to go through and kind of cover
0:05
this from a high level standpoint because we’re then going to start getting into the Weeds on a bunch of
0:10
different topics and it will be nice to kind of have an overall view in place uh
0:16
in order to be able to go through and cover those better so thank you to all our sponsors for this uh thank you again
0:21
to Herman and Emily for not only starting up the book club but for also uh helping to make this content possible
0:28
uh two of them gave up a lot of good time so so uh you know give them a warm thank you if you can uh I definitely
0:33
appreciate their time there’s not going to be any Hands-On labs for this one uh just because of the content matter it’s
0:39
kind of hard to generate labs around it so uh this is going to be mostly me just talking so this used to be easy yeah so
0:46
you know go way back to the old days back when I used to write books and you know figuring out perimeter security was
0:53
pretty easy and figuring out you know network security was pretty easy you just throw a firewall at it and you know
0:58
this setup here where we have a firewall anything that’s going to be internet
1:04
accessible goes off its own network link everything else goes behind it this would be referred to as the trusted Zone
1:11
you know was how we went through when we kind of set things up um it was always kind of thought that hey if I have
1:19
private addresses back here those systems are safe I don’t have to worry about them you know maybe I’ll run some antivirus on them but that’s about it
1:26
and that’s not what we have today by a long shot um this stuff gets more complicated and
1:33
gets more complicated very quickly and sometimes it can be challenging to kind
1:38
of figure out so what do I actually need to do what do I actually need to you
1:44
know kind of pull together to kind of work through security a lot of that comes down to risk assessment and we’re
1:50
actually going to be talking about risk assessment next week but there’s a couple of kind of highlevel Concepts I
1:55
want to go through and and kind of identify here one is that where monitoring and managing security from
2:02
its own little isolated segment you know systems that receive logs or have the
2:07
ability to get administrative access to other systems are very critical to our
2:13
infrastructure so it kind of behooves us to be able to shove them off to the side one of the nice things about shoving
2:19
things off to the side is that it makes monitoring what they’re doing a whole lot easier right like I could go in and
2:26
say hey anytime you see PowerShell anything you know go ahead and trigger an alert off of that because on
2:33
this subnet there shouldn’t be a whole lot of that that taking place whereas you know on the internal Network where
2:39
you know all my endpoint clients are I might not be able to do that because
2:44
there’s a wider range of protocols that are going through and taking place so again one of the nice things about
2:50
isolation is it allows me to limit the possibilities of what’s legitimately
2:55
acceptable for that portion of the network which makes it easier to go in and Implement some security standards
3:01
around that um High trust Zone medium trust
3:08
Zone trust zones are dead you know I I still see people using those that
3:14
terminology I like to refer to them as security zones why because when you hear trust Zone trust Zone trust Zone trust
3:21
Zone your brain triggers and says oh so that’s a trustworthy portion of my network and hopefully you know today no
3:30
portion of your network is trustworthy it just doesn’t happen there are sections of your network depending upon
3:36
how you set things up that are less likely to become malicious but the the
3:42
risk never drops to zero you can never say it’s trusted so I like to use
3:47
security zones instead and you’ll hear me using that terminology as we go through um but as you can see we’ve gone
3:54
through we’ve tried to kind of break things off based upon uh value and risk
4:00
level those tends to be the two things that you kind of look at to figure out how things could kind of get lumped in
4:06
together you know one of the things that um you’ll hear people talk about is oh
4:12
you can’t trust virtual machines right it’s possible to break out of virtual machines you can’t trust virtual
4:18
machines well yeah
4:23
but it it’s not easy you know when we find that we patch it it’s not like we
4:29
say oh oh you can break out of a virtual machine well you know this exploit will live forever no we we fix that stuff
4:35
when we find it where where that really becomes problematic is when you don’t
4:40
take the risk level of the systems you’re running on the same hypervisor into account you know in other words if
4:47
I’m running all of my internet accessible systems and they’re all running on you know one hypervisor
4:54
that’s great you know I run another hypervisor for maybe my internal servers
4:59
I don’t want to use one hypervisor for both because that becomes a potential alternate path into my environment and
5:06
that’s where uh one of the other places where I see us fall down a lot is we kind of look at this from the perspective of you know oh hey the only
5:14
way through the network is this you know connection cable here and in through the firewall and you know and that’s it so
5:19
long as I monitor that I’m fine well maybe maybe not if I’ve if I’m running
5:25
VMS internally and externally on the same hypervisor that’s a potential path
5:30
around the firewall if I’m terminating a VPN on my internal Network someplace
5:37
that becomes a way to circumvent the firewall well technically Chris it’s going through the firewall well yeah it
5:42
is but it’s a VPN going through the firewall so I don’t actually have any
5:48
real controls to go through you know in other words I can’t necessarily see what’s coming out of the tunnel on the
5:54
other side so it’s always a good idea to take the internal side of that VPN Gateway throw it off onto a Network link
6:00
and then monitor everything that’s coming out of that so that you have better um so that you have better
6:07
control uh ESXi on internet zone yeah yeah that mean you know we we
6:13
talked about you know you don’t want to bridge the hypervisor you may not necessarily want to run a hypervisor at
6:20
all on exposed systems that really comes down to a risk call that gets made for
6:27
that particular environment and I’ll give you an example if this is Bob and Mary’s Pizza Shop
6:33
yeah go ahead and use a hypervisor don’t worry about it if this is uh we we have
6:39
a we’re a three-letter government agency that a majority of the country don’t know what those initials are don’t
6:46
freaking run this on a hypervisor right you know one is obviously a lot more risk than the other and that’s one of
6:52
the things we’re going to work through as we go through and uh talk about architecture and talk about risk
6:57
assessment so where do we start right this can seem daunting right like oh you
7:03
know we’re going to try and build something like this how where how do you start and you know one of the things I
7:09
always kind of fall back on is hey you know those big huge pyramids in Egypt it started with one stone right there was
7:17
one stone that got placed and then another and then another and then another we may not be 100% certain how
7:23
the stones were getting placed I’m sure it wasn’t space aliens but a lot of people think it was uh you know but it
7:29
was one stone at a time you know just take this big problem cut it up into
7:35
smaller manageable pieces and this actually becomes a whole lot easier at that point there whips it was giant
7:41
whips yeah it could have been giant whips who knows so what I like to do is kind of
7:48
look at this from a perspective of what’s the business need right we always need to kind of look at what is the goal
7:53
of the organization right for a lot of them it’s to make money okay what are we
7:59
going to do to make money what type of connectivity is required to support that
8:04
effort to make money doing whatever it is we do to make money um that’s really where this starts what
8:12
type of connectivity is needed what type of assets are needed in order to be able to uh support that um so we want to go
8:19
through and we want to kind of build a set of business requirements you know in a lot of ways think of uh think of the
8:25
internet connection as like an HVAC system right when you have a building
8:32
specs need to be made for the HVAC system you know uh piping of certain diameters has to go to certain areas in
8:39
order to be able to get enough AC or heat or whatever where it needs to you know we we we kind of break down the
8:45
components and kind of work at it there this is the same type of thing that we’re talking about here what are the
8:50
risks involved to those assets we’re actually going to dedicate a whole class to that next week next week I’ll
8:56
be talking about uh quantitative and qualitative risk assessment um so we’ll go in and we’ll kind of hit that a
9:02
little bit more one of the things that um I see a lot of places fall down on
9:08
though is how will security be maintained this unfortunately is a common Problem by that I mean we go out
9:15
we buy a tool we install it and we maintain it for a week or two and then we ignore it right unless like some
9:22
alert comes out of it that we have we have to pay attention to We tend to kind of alert it when we go through and we
9:28
build these things up we really need um uh we really need the
9:34
ability to go through and um oh sorry oh
9:40
so I’m GNA deviate for just a second here uh so there was a question earlier about running uh can we could we get
9:47
RITA on ARM yeah it’s actually it looks like it’s a possibility um give
9:53
me uh give us a couple of months to finish uh to work through some of the things we have in the queue right now and I’ll
10:00
see about getting an ARM version of uh RITA out there for folks to use
10:06
I’m not so sure about AC Hunter I’ll have to go back talk to the devs and see how much of a need there really is for that but I think it would be good if we
10:12
at least had RITA out there so apologize that was a question that came up earlier um want to make sure that’s
10:18
there um let’s see Linux Girl said very good point how do you maintain it yeah so like one of the things I remember is
10:24
um I was I was managing yeah I I had a bunch of different groups reporting to me one of them was the security team and
10:31
I had Tenable come in with their SIEM solution you know this was their kind of hey throw all your alerts and everything
10:38
here and we’ll sort it out and figure out what’s going on so they came in and did a demo of the system and kind of
10:43
pitched it to me and I remember looking at it and thinking this is a cool system
10:50
we could use this but I have one
10:55
employee my my senior network engineer is the only one with the skills to run
11:01
this system properly and I’ve already got them booked about 50 hours out of a
11:06
40 hour week so there’s no way I can kind of dump this into their head as well so we ended up not buying the tool
11:13
it would have been nice but because they had a really complex interface because you really needed to know what they were
11:19
doing in order to go through and uh work this um no it’s not worth buying it so
11:27
when we look at how are we going to solve this problem front and center has to be how are we going to maintain it
11:34
how is this going to be managed over the long term I would love to have Chris as a manager oh I’m a pain in the ass I
11:41
really am a systematic approach is worth is worth the investment yeah so in other
11:47
words taking the time to go through and do this and kind of lay this out is is worth it because the the
11:55
the the other option is easy in the moment but it’s a whole lot harder long
12:01
term right like how does this usually go down well this usually goes down as you
12:07
know oh hey there’s this cool tool out there or hey this was in Gartner’s upper
12:12
right hand corner we must have this tool you know it tends to be kind of ad hoc
12:17
how we pull things together you really need to have a good understanding of you know what are those what are the assets
12:24
that we need what type of connectivity is required to them um what is it that’s you know what level of exposure are we
12:31
going to have to deal with and where you really need that to then go through and create a plan to say Okay I want to do a
12:38
layered defense I want to go through and make sure that I have everything covered
12:43
but if you don’t know what the full picture is first you’re never going to fill in all the gaps um I I’ve been in
12:49
environments where they’re basically running like three different network-based intrusion protection
12:56
systems no no no go with one and then
13:01
figure out someplace else where you have a weakness and spend the tool on something that might help you there and
13:06
by spend the tool I don’t necessarily mean you always have to go out and buy commercial products you know that could be hey we’re going to go open source but
13:13
we’re going to you know pay for training to make sure that folks know what they’re doing with that system you know that’s possible as well you
13:20
know found the tool on GitHub yeah that’s a good one that is definitely a good one too I’ve seen people go through
13:26
and do that so like I said trust zones dead um think of them as security zones
13:35
I think that is a better nomenclature for the back of your head uh for anybody
13:40
who’s taken like a a packet decoding class from me or something like that you know I’m not big on
13:46
resolving um ports to their well-known name right like you know if we’re if
13:53
we’re working with like tcpdump or something I’ll always do the -nn so it’s telling me port 80 instead of http
13:59
it’s telling me Port 443 instead of https why because I know my brain I know
14:05
if I see it print the words HTTP I am going to feel like oh that’s an HTTP
14:11
session when the reality is at that level all I know for sure is it’s just
14:17
data to TCP port 80 it could be anything unless I go in and decode the application layer which tcpdump does
14:24
not do I don’t know what’s actually running through that port so I like to look at the raw port number as a
14:30
reminder of that Hearing security Zone as opposed to trust zone is kind of the
14:35
same type of thing because when you’re hearing trust zones your brain’s eventually going to feel like well hey this is somewhat trustworthy whereas if
14:42
you say security Zone well a zone that needs security is usually thought to be
14:48
there’s going to be some insecurities here right well you know that’s why it needs to be a security Zone there’s some
14:53
threats here that we need to be concerned about that we’re going to want to go through and deal with mitigating so segregation of resources
15:00
by Zone yeah like I said so we want to look at what type of access is required and what are the value of those
15:07
assets and segregate things off that way like you know my internal users you know
15:13
if you think about your internal users what do they need access to well they’ll need access to the internal servers
15:19
they’ll need access you know to some number of sites that on the internet um you know there’s going to be a lot of
15:24
outbound access from them there is the potential for people to click things that that they shouldn’t have okay what
15:31
don’t they need well one of the things they don’t need is the ability to talk to each other so one of the first things
15:38
I could usually do with like a a a collection of end users is to put in some sort of monitoring or control so
15:45
that one desktop system can’t try and talk to another in fact if I see that
15:50
that may be an indication that that system’s gone Rogue whether it be the user at the keyboard or you know
15:56
software that’s been installed on that system that may help me give me a heads up of what’s going on so again it starts
16:02
with kind of understanding the requirements what’s needed and kind of working with that to say okay given
16:08
those needs what can I do to better reduce the risk within this
16:13
environment uh let’s see Chris you’re squarely on one of my soapbox topics
16:19
there yeah yeah I’ve been on the soapbox for a while
16:24
absolutely uh let’s see what else yeah so what could be said about on Prem users yeah so we were just talking about about this you know what they need
16:30
access to and what they don’t need access to so th there are things that we can go through and leverage to be able
16:36
to say okay knowing these types of flows are going to exist what can be done to
16:42
go through and reduce the risk we’re never going to eliminate it you know not
16:47
going to happen you know which again is another reason why I hate the term trust Zone because that assumes you can trust
16:53
it I don’t care if there’s an air gap it’s not a trusted Zone there’s always going to be something level of
16:59
insecurity you got to worry about you
17:04
know so what are some of the zones we may end up having to work with well you know there’s a lot of different
17:09
possibilities right like so we talked about like on-prem users what about off-prem users do we give the do we have the
17:17
same types of security controls with on Prem that we do with offprem well
17:23
probably not right one of the benefits of my users that are on my internal
17:28
Network and they live on my internal Network all the time you know someone with let’s say like a desktop system is
17:34
that I have a firewall there I can monitor the network there but as soon as that person goes home and connects in
17:41
from there those security um those security tools
17:47
immediately go away I have a lot less visibility there’s physical security
17:52
against them right if I’ve got you know again desktop sitting on people’s desk in order to somebody to get to the
17:59
keyboard they have to get through the front door first well for someone coming in over a VPN I have no control over
18:05
physical access to that system so it’s always a good idea to kind of look at um
18:13
you know what do we lose when we when we change the location of a Zone and what might we need to do
18:19
to go through and mitigate that you know so in other words we may say hey internal users yeah we’ll let them
18:25
access all the servers no problem and we’re not going to worry too much about monitoring that because users are going
18:30
to be accessing them on a very regular basis but people coming through the VPN
18:36
yeah we may want to pay really close attention where they’re trying to go what they’re trying to do because again
18:41
we don’t have as much control over that endpoint anymore so even though you know
18:47
those internal users and remote users are still users running a desktop system the requirements for each of those two
18:54
security zones is going to end up being drastically different
18:59
the importance of a test environment yeah I can’t stress this enough and this is one thing that you know a lot of
19:06
folks go through in uh just miss sometimes you can’t do this right
19:12
like I may have you know the the firewall burner 3000 is my firewall that
19:19
protects my environment and I only have one of them well it makes it a little hard to go through and do changes and
19:25
test them right I I kind of forced to go through and make changes in the production environment because I don’t
19:32
have another one of those firewalls kicking around recognize that as being a risk to your environment have a backup
19:39
plan to be able to get out of that if you need to you know in other words have a way that okay if the worst occurs if I
19:46
push up this config change or if I push up um you know a a a firmware update
19:54
what’s my plan B now plan B may be hey I’ve got a Linux box that has a couple
20:01
of network cards in it and if my main firewall dies I can swap this in it may
20:08
not have all the same monitoring it may give just like a minimal level of access to the you know resources that are
20:14
required but at least it gives me a path to recovery so now I can take that box offline and say oh my God how am I going
20:21
to get this firmware fixed so test environments you know obviously allow us
20:26
to kind of avoid some of that but if we can’t make sure that you got a plan B
20:33
the other thing with the test environment is make sure you understand how these things are working you know so
20:39
if you have let’s say like a vulnerability scanner isolate that and to a test environment monitor the
20:47
network traffic what is it doing how much traffic is it generating um I’m reminded of a a customer that came in
20:54
and bought AC Hunter and one of the first things they tagged where it was an
20:59
iot device that was talking back to its uh
21:05
controller 10,000 times a second or something like that there was literally
21:10
there was like 10,000 connections per second going back or maybe it was a th it was thousand 10,000 per second
21:16
somewhere in that range there but it was this insane number of connections coming back and that was you know thrashing
21:24
their network and they didn’t even know it until they had installed our tool because no one had paid attention to it
21:30
before no one had bothered to look at the network yeah when you start plugging this stuff in have it in a test
21:36
environment first make sure you understand what’s going on with it I’m reminded of another one that um they
21:42
they bought some IP based cameras and as it turned out the IP based cameras were pre- compromised by the vendor to take
21:49
pictures of the inside of the facility and send it back to you know I think it was kwanu China was where those images
21:55
were going back to if this had they had been deployed into a test environment first someone would have seen hey this
22:03
thing’s calling out kwanu China um you know every 10 minutes or whatever it was
22:09
that may be something interesting that we might want to learn more about before we actually plug this into our
22:14
production environment itself you know so again test environments can really help um if you can’t do it at work for
22:22
whatever reason sometimes you can get away with doing a lot of this stuff in a home lab um that’s always kind of been
22:29
the way I’ve worked is that a lot of the stuff I deploy at at the office I’ve run
22:34
it through its Paces at home first uh for two reasons one is I have more bandwidth to go in and do stuff with it
22:41
I have more control over the environment to be able to Monitor and watch what’s going on with this thing plus it makes
22:47
me seem smarter right I I get to like walk in the office and oh hey we got
22:52
this tool oh I know how to set that up I know how to configure it I know how to do this Chris knows everything and you
22:58
know Chris doesn’t know everything Chris took the time to go through and put it through its paces and beat the heck out
23:03
of it before he was willing to let it actually go get run within a production environment so that that’s something to
23:09
kind of keep in the back of your head as well diminishing your Returns versus
23:17
risk mitigation yeah so again we’re never going to re achieve zero risk
23:22
isn’t going to happen no matter what we do everything we do may decrease the risk
23:29
but something is going to offset that it’s going to be Administration time it’s going to be money or it’s going to
23:34
be a combination of the two and the more we spend we’re not going to get equivalent improvements every single
23:41
time you know so for example if we spend time to deploy a firewall that’s going
23:47
to give us some dramatic Improvement in the level of security with what we have within our environment but if I go out
23:54
and spend $200,000 for a firewall versus you know
24:01
a thousand am I going to get that same increment of improvement obviously not
24:08
right it’ll get a little better but it’s going to start tapering off you know that’s something that’s worth kind of
24:13
keeping in the back of your head too now that doesn’t mean we do nothing it just means we need to look at okay if we
24:19
fortified our security in this spot here where’s my where’s my next weakest link
24:26
maybe I move on and kind of go through and address that as well but you know it’s important to learn that you when we
24:32
talk about risk mitigation I kind of don’t like that term just because risk mitigation sounds
24:39
like we’ve mitigated all of the risk and we never mitigate all of it we typically
24:45
just reduce it so can we achieve absolute security
24:50
yeah I tried to think about like so what would be needed to maintain an absolutely secure environment and this
24:56
is what I came up with but even then I’m not sure we could call this 100%
25:02
secure right no physical access so people have to like live down there you need to pass this job off to your kid
25:08
afterwards you know there can’t be any type of electronic communication or physical access to this whole thing um
25:15
you know beyond that you know it isn’t going to happen so there’s always keep
25:20
in mind when you hear oh yeah we’ve mitigated that risk don’t think of that
25:26
as we’ve reduced the risk to zero it means that you know the risk was a
25:31
hundred we’ve reduced it to some smaller amount than that you know maybe it’s 20%
25:37
maybe it’s 50% maybe it’s five but there’s still some level of risk there and now we need to look at that and say
25:44
is it worth additional expenditure of time and money to mitigate that further or do we go off and do something else
25:51
and again I’ll get more into evaluating risks and how to deal with them next week
25:59
So yeah, how much risk do you really need to mitigate? I'll get in and talk about that more. The other thing we'll get into is the value of the assets, right? So when we talk about risk next week, one of the things we'll talk about is what is the value of the asset to the organization. So imagine we have a, I don't know, fidget maker. We have something that is generating a dollar a day towards our company, right? I wanted to keep these numbers low and small so it's easy to go through and do the math in your head. So if I have something that's responsible for $1 worth of the organization's revenue every single day, does it make sense to go through and spend $50 to mitigate that risk to near zero? Well, that's $50, that's 50 days. Would that server ever be offline for 50 days? Probably not, right? If the server goes offline, it may only be offline for, like, a day, maybe two or three worst case scenario. So I've spent $50 to save $3, right? We've spent $50 to keep from possibly being down for three days, which would cost us $3. It doesn't make a whole lot of sense. Well, what if we went through and we said, all right, instead of trying to mitigate that risk to as close to zero as we can and having to spend $50 for that, maybe we spend $5, that $5 annual, to go through and do some level of early detection, so that if someone does break into that system we have a way to detect it and we have a path to recover quickly. So now, instead of being three days down, maybe it's down for, like, half a day if the worst case scenario takes place, and we're only spending $5 annual for that. Well, that may make a lot more financial sense, right? I know it kind of sounds like I'm
saying spend less money on security, but when you start getting into management roles, right, if you're like a CISO or you're a director of security or a security manager or whatever, the folks above you are going to want to know you're thinking about it this way. If you come across as "hey, I'm just trying to get every dollar I possibly can," they're going to feel like you're a child that needs to be managed. But if you can look at this from a realistic standpoint, and even better, balance the security risks versus the other risks to the organization, you're going to be taken a lot more seriously. You're far more likely to be able to get a seat at the table, and if you can't get a seat at the table, the people who are sitting at the table are far more likely to take what comes out of you as gospel. That's more security leadership, and I may do some more about that at the end of the series if folks are interested.

Now, there's a lot of security frameworks out there, you know, PCI, HIPAA,
SOC 2 are probably good examples. Some are mandatory, some are not, and they tend to get a lot of hate, right? Like, you will find plenty of people who will tell you "oh, SOC 2, it sucks, you're not really secure if you've implemented a SOC 2." Yeah, I will agree, if you've done the bare minimum possible and your only goal was to achieve that attestation, yeah, it probably hasn't done a whole lot for you security-wise. Frameworks do a couple of things for us. One is they create a common language, right? So let's say your company and my company are thinking about being business partners with each other. One of the things we have to figure out is what have you done to lock down your network, because if we're business partners and we're exchanging information, you become a potential conduit into my environment that might be easier for an attacker to come through versus trying to get at me directly. So I kind of care about what you're doing to deal with security. If you tell me you're SOC 2 compliant, I don't necessarily know everything that you've done to lock down your environment, but I do have a pretty good handle on the structure that you have in place. So in other words, these frameworks become a starting point in the language between us. If you're familiar with what the controls are that are part of a particular attestation, I know what things you've kind of gone after, so to speak. So that's the first thing they're good for. The second thing they can be good for is freeing up budget money, and
freeing up budget money to spend the way you want to spend it, depending upon which attestation you go after. For example, SOC 2. SOC 2 is very vague. SOC 2 will say things like "verify users before they're allowed access to the system," and you need to meet that requirement. You're the security person, you're the one who's going to have to translate that to upper management to have that get converted into a budget. So you kind of get to choose what that means. In other words, if the requirement is "verify users before they get access to resources," okay, I'm going to have a single login and password that everybody uses. Technically that meets that requirement, right? Or I could say, oh no, it's got to be MFA with three-factor authentication: something you have, something you know, and bio, and we're going to do all three every single time. You could interpret it that way as well. It's up to you to decide how you want to define it, and that'll help drive where you can actually get to go in and spend your budget money. That's a whole other thing we could go off on a tangent on, how to do this properly to be able to get budget allocated, but the basic gist of that is, if you've done this assessment that we're talking about, if you've looked at your environment and looked at the requirements to support the business and you've looked at creating a layered defense, you may have a pretty good idea where those layers need help. Get creative.

And when you're talking, so HK and Fire Serpent, we're
talking about, hey, one of the books they want to start with is psychology. Absolutely, yeah. It may seem like, oh no, it's supposed to be a security book club, why are you talking about psychology? Because a big part of what we do in security is social engineering, and psychology can help. I'm also a big one on body language. You need that. One of the things I miss about working from home is seeing people's feet, and it's not a fetish thing. When you're talking with someone and they're lying to you, we tend to feel like, oh well, if you want to tell if somebody's lying, you want to look at their face, right? The face will give it away. When do we start learning to lie with our face? Right after we're born, right? I noticed my granddaughter is good at "I'm not happy with things, let me put on a sad face, and now people give me stuff that I like. Oh look, I'm perfectly happy now." And it's not that she's truly sad, she's figured out if I make my face look this way, good things happen to me. So before she was a year old, she learned to lie with her face. People don't learn to lie with their feet. So I've noticed that when I'm talking with someone, if they're uncomfortable with the conversation, their feet will act. Believe it or not, your feet actually start moving more, and they actually start pointing towards an exit point. So if I'm sitting talking to someone and I notice the feet are kind of pointing towards the door, yeah, they're not happy with what they're telling me. They're either holding back some of the truth or they're outright lying to me. And of course, the problem we have in the remote world is that if I created an edict within my company that said everybody must put their webcam underneath their desk, yeah, I'd end up in jail pretty quickly for that, I'm sure. So there's some things we do lose by all working remotely. You can't watch each other's feet, but it is a great way to go through and figure out if somebody's lying. So, wait, how did we end up talking about feet, Chris? Because I said psychology is an important part of this, but also body language is an important one as well. So I'll talk with HK, I'll talk with Fire Serpent about putting a decent how-to-read-body-language book on that list as well. But to go back to where we were, we were talking about the frameworks and you getting to choose where to allocate this stuff. Yeah, learning that psychology is going to help you work better with the other departments as well as senior
management. So there are lots of frameworks. What everybody is saying, yeah, Joe Navarro, that guy is awesome. That guy is awesome. Thank you for that. And actually, funny, when I was saying hey, I'll talk to HK and Fire Serpent about adding a book to the reading list on body language, that was the exact book I was thinking of. So I'll be honest, I tend to be kind of busy, so I don't always have time to sit and hold a physical book and read through it. I do consume a lot of things through audiobook, but that is one of them that I probably go back and listen to about every other year, and I've done that since it's come out. It's worth it. Cool.

So there are a number of different frameworks out there to kind of work on a layered defense, and actually, when we're talking about PCI, SOC, HIPAA, whatever, that's usually one of the goals of those frameworks: to go through and show how to create a layered defense, right? Like, we don't have any frameworks that say do this with your firewall and that with your firewall and the whole thing is just about your firewall, or do this to secure the desktop and that to secure the desktop and the whole thing is just about trying to lock down the desktop. None of the frameworks are like that. They say, hey, you need some centralized login over here, you need good authentication over there. They try to layer out the defense. So there's a number of frameworks you can work with. Pick something that kind of works for you. This is one that I tend to use, and it's
not a popular one, but that's okay. I never worry about popular. I worry about something that wires well with my brain and works effectively. If you look at that stack on the left, for those of you who are familiar with the OSI model, that should actually be... "You're missing information classification." Okay. That stack on the left should look kind of similar to, like, the OSI model, because it is. It's effectively that. When you talk about what does it take to go through and get a resource deployed that either internal and/or external people can get access to, this is kind of what goes into that, right? It's going to have to be in a building someplace, that's the facility. It's going to have to get wired up, that's the network. It's going to need some CPU and storage, that's compute and storage. It may or may not have a hypervisor; that layer is optional, but there may be virtual machines that it runs on. If not, it's going to be running on, like, a bare metal OS, so there won't be a virtual machine, but there'll definitely be an OS there. There's a solution stack, meaning there'll be some programming code that's being used. This could be Python, this could be C#, this could be whatever it is you want to go through and use, and we're going to use that to build an application that will then be accessible to either people via a GUI or other computers via an API. So there'll be some entry point into this application that we need to deal with.

If you look over on the right, this kind of breaks out what can help at that layer, right? Like authentication: we can have some layer of authentication to control who gets access to the facility, we could implement NAC to control who gets access to the network. Yeah, there's something we can do with authentication all the way through. Now, does that mean we have to do something with authentication all the way through? Of course not, but that means that's one of our fallback options that'll help us out in just about every situation. What's another good one? Log review, same type of thing, that could kind of pass all the way through. Firewalling takes care of a couple of layers and that's about it. Network monitoring takes care of about a couple of layers and that's about it. How we actually architect the environment and the procedures we create, that can take care of different layers here as well. So this is one possible way to go through and look at this. Here's another way to look at it: the MITRE ATT&CK matrix. So what this looks
at is, and I hate this term, the kill chain of it. It basically goes through, and this is what an attacker does, right? Like, they start off doing some reconnaissance to figure out your environment, they do some resource development, they get some initial access, they try to execute things, they try to maintain persistence, all the way through. Here's the different steps that are going to take place. So one of the ways we could look at it too is, how do we get coverage in each of these different categories to make sure that we're safe from, maybe not 100% of attacks, but a majority of the attacks that may be out there. So this is another one you can go through and reference, and they're obviously not exclusive. I could leverage this, I could leverage this, both at the same time. Again, everybody's wired a little different. We're looking for a layered defense. We never want to put all of our eggs in one basket. Whatever helps you achieve that goal, that's probably the best tool for you to go through and use.

Common initial threat vectors. So this may be one of the places we start. We may say, okay, we want to do a layered defense, but we really want to focus here, because if we can keep them out in the first place, the rest of it becomes a little bit easier after that, right? So that may be one of the things that I want to go through and look at. And it's also good to look at it from the perspective of what can people do to you. This is one of the things I love about hiring, like, a decent red team: they will show you things that you didn't think of yourselves. I'm reminded of an environment I was associated with. They used to want to go through and do attack simulations. So they wanted to go through twice a year and simulate an attack that's taken place against their environment, and when I went through, okay, so what are they doing in each of these, what are they doing every time they do a simulated attack? It was, hey, let's simulate a DoS attack. Let's simulate a DoS attack. Let's simulate a DoS attack. And after that, what should we do? I don't know, let's simulate a DoS attack. In other words, every simulation they did was a DoS attack. Why? Because that's what they knew best, that's what they had tools for, therefore that's what they went through and tested. And then the first time I had a phishing exercise done against them, literally about 40% of the environment failed. 40% of the folks clicked on the thing they weren't supposed to go in and click on. And you can't really fault the end users for that, because they had never really been tested on it; they actually had not been tested on it at all. But you get the idea. If we kind of look at what are these initial attack points, do we have a way to go through and help mitigate each of these? This is going to make the rest of the process a whole lot easier after that.

There's a lot of talk about insider
threat. My personal experience has been an overwhelming majority of insider threats are not hostile insiders. It's mistakes, it's people doing things wrong, improperly trained employees, if you will. So the other thing we may want to look at is, if someone was to attack us, what might be the objective, what might be the reason why, right? Opportunistic is always there. I've seen plenty of organizations that said, oh, we're a small environment, nobody would bother attacking us. Yes, they would. You have computers. If nothing else, opportunistic is always a potential objective, and if you have resources, that makes you worth attacking, just because you have those resources that somebody can go in and try and use. So that one's always there. But are you more likely to get hit by, like, a ransom attack? Are you more likely to get hit with, like, an advanced persistent threat because you have IP that's worth stealing, or are you doing things that are worth monitoring to somebody outside? So it kind of comes down to that whole... Lance Spitzner and I used to do a thing on Know Your Enemy. We did the series out of the Honeynet Project called Know Your Enemy, and the whole idea behind that was: know who they are, know why they might come after you, what might make you a tempting target. Yeah, crypto mining is actually another big one too. I've seen that in environments before too. Oh, I have a funny story around that, but it's way too long to bring up in the middle of class. I don't want to deviate that far down a tangent.

So a number of studies ID the insider as the greatest threat. I talked about that, but I've also kind of found
that there’s a couple of fairly simple things that you can do to kind of help
44:10
mitigate the risks here and they’re not quick fixes right one is
44:16
obviously continuous testing that’s going to help that helps to kind of train people to stay into this stay in
44:23
this mindset um but the other is culture if you if you run an environment
44:30
where people feel like they always have to worry about somebody stabbing them in the back a majority of your attention is
44:37
going to end up getting focused on dealing with people who might stab them in the back it’s not going to be on the
44:43
job they have to do at hand it also means that you I’ve also seen environments where um they’re just toxic
44:51
you know you try to do something new and it doesn’t work and you get beat up by your boss and you know everybody body
44:57
gives you hell well why would you ever try something new again you know that was part of what killed
45:02
Sears there were people within Sears that saw Amazon coming knew what kind of
45:08
a threat that was to their business model but because Sears was such a toxic
45:14
environment at that time they were like hey I’m not going to stick my I I’m pretty certain Amazon’s going to kill us
45:21
because uh buying things online instead of in a store is going to become popular and I could try and make case for that
45:27
internally and I do have ideas how we could make that happen but if I stick my neck out and I’m wrong or even if they
45:34
just think I’m wrong even if I’m right I’m G to end up getting it chopped off and I don’t care enough to want to let
45:40
it get chopped off so f it and you know that’s why Sears kind of well it sort of
45:46
exists today but not really it’s not anywhere near what it used to be um so the culture of your environment is
45:53
really a big one to kind of help maintain this as well um I know it sounds odd but yeah culture plays an
46:00
awful lot into security absolutely so and um how you go through and resolve
46:09
problems is another one I think I got a slide on this but just in case I don’t uh one of the things I’m really big on
46:15
is blameless post-mortems. For anybody who's worked with me before, you know I am big on blameless post-mortems. I do not want to hear "Bob screwed up." I do not want to hear a person's name as being root cause. And the sad part is that's pretty common, right? In a lot of environments it's real easy to say, oh, Bob screwed up. Oh, how did this failure occur? Oh, Bob screwed up. Oh, Bob screwed up. Oh, okay, we'll spank Bob and tell him he was naughty, and now, hey, this is resolved and we can just move on from here. In other words, it's easy to blame a person. My personal experience is very rarely is the problem the individual. Usually it's a process problem, meaning the process that they were supposed to be following isn't well documented, or there isn't a good audit function to pick up mistakes that they might make inadvertently, right? There should be something. If humans are doing things, we're not computers, so if we do something 50 times, chances are at least two or three of those times we're going to make a slight deviation that may break things. It's just, we're not wired that way. So is there an audit function in place to be able to go through and check that?

So, like, my developers, when they write code, the first thing they do is they write a unit test. In other words, they know, hey, I need to create this function that you plug in A and B comes out the other side. So I'm going to write a test that will only pass when A comes in and then B gets put out because of that, and if C or something else comes out, that unit test is going to fail. So they create the test, and then they go in and write the code, so there's a validation check in there for them. Now, my developers are freaking awesome. I mean, they are brilliant people. You think I'm smart? They're smarter. And I'm not just saying that. I am blessed with being able to work with some incredibly smart people. So the chances of them making mistakes in code are pretty minimal, so we could probably get away with not doing the unit test, but because they're there, this stuff gets picked up on very quickly. And it also comes in handy with, hey, what if two years from now somebody goes in and makes a change and they think it only impacts this one thing? Well, if it impacts something else, that unit test is going to go through and start failing. So again, that's something built into our culture to go in and catch these things in a very blameless
way. The reason a lot of environments don't do it that way is because to fix process is hard. If I say, oh, Bob screwed up, oh Bob, you screwed up, bad Bob, bad, bad Bob, don't do that again, I'm done. I don't have to do anything else after that, right? Because I scolded Bob. But if it's a process problem, well, wait a minute, now we're going to have to sit down and talk about what's the existing process, where might there be problems in it, we need to vet a new process, we need to vet some checks and balances. That's going to take time, that's going to take resources. Eh, eff it, it's a whole lot easier to blame Bob. Again, that's a culture issue. So blameless post-mortems, to me, are just huge.

Incident handling response. What is it? So I'm sure we're kind of all familiar with this. This is, something has gone horribly wrong, right? So any event that can negatively impact the organization is something we would consider to be an incident. And do I have... yeah, I do, good. So that's pretty straightforward. Blameless postmortem, we already talked about this one, and I'll come back into this stuff a little bit later, but I do want to say that the most important connection point here, right, so we've got one going to two, two going to three, three going to four, four going to one. The most important part of this that always gets ignored is from four to one: lessons learned. Hey, somebody broke in. Somebody broke in, we cleaned it up, we got them out, hey, let's just move on. No, no. How did they get in? What fell apart in the process? Was there a patch that should have been installed? If so, how did that patch get missed? What's missing from our processes that allowed that system to become in an unpatched state? Is it a configuration issue? Okay, how did that get missed? Are we not doing internal configuration checks? What do we need to do to make sure that doesn't happen again? How could we potentially apply this to other things to make sure that we don't end up finding a vulnerability over there as well? So those post-incident activities, what did we learn, that is huge, and that tends to be one of the things that gets missed the most, because it's kind of, hey, we're in an incident, it's stressful, everybody jumps in, everybody's going to go through and deal with this, and, oh, woo, now it's done and I can get caught up on the work I was missing while I was dealing with this incident. No, no, no, no, no, no, no, no. Just because everything's back and working doesn't mean we're done with the incident at that point there. So don't skip this part.

So, goals of the incident response cycle: continuous improvement,
obviously. That to me has always been one of the biggest things. How do we go through and make sure that we're only making a mistake once? I am totally cool with people making mistakes. We're human, and quite honestly, if you don't let your people make mistakes, you're never going to innovate. Everybody brings a different life experience to the table, which means they have the ability to look at problems in a different way than I do, so they may be able to think of solutions that I can't. So let them try something new, and if it works, great, that's awesome. If it doesn't work, great, that's awesome, we know not to try that path now, right? That continuous improvement is really important. Third parties can help generate unexpected vectors. Yeah, like I talked about, that environment that only tested their DoS attack ability because that's all they could think of. Well, by bringing in a third party, a couple of different third parties, they were able to go through and say, wow, we're really weak in these other areas. It's pretty easy to actually break into us if somebody tries a different vector besides DoS. Maybe that's something we need to go through and address. Yeah, that probably wasn't such a bad idea. You should test this more frequently than you think. Yeah, absolutely. Just because the security framework you're following says that you need annual pen tests and that's it doesn't mean you should only be doing annual pentests.

And that's all I've got for today. So I tried to keep this a
little shorter, because the last two classes I ran over by like 10, 15 minutes, and I try to be mindful that people might have other meetings coming up right after this. So I wanted to make sure I actually start stopping these on time. I also kind of wanted to ask the crew, is there any questions that you saw in Discord that may be worth addressing? I did see a couple of questions, and I was like, oh, that's a good question, let me go through and answer that, and then Eric or somebody else would jump in and answer it in Discord. It's like, well okay, they got an answer to that now, so we're good there. Yeah, actually, you grabbed a lot of them and everybody else in Discord grabbed the rest, so it's awesome. It's a great thing. This community is freaking awesome. It really is. Totally agree. Yeah, I just love how it's, like, I know I said it before, but it's like self-healing. If there's any unknown answer or question or whatever, there's somebody going to jump in. So we appreciate the engagement. Oh, absolutely, absolutely. And we get the glory because we're on camera, and it makes it look like we're the ones doing this, and we're not. I mentioned I had people helping out with these slides. We just mentioned we've got plenty of people jumping in on Discord and helping out others when they need it. So this is very much a community effort. We just get to be made to look good by this community, a lot better than we actually are. So yeah. Well, you know what was the old phrase, it takes a village? Well, it takes a crowd, right? So I mean, we got an awesome crowd here, and I also appreciate how everyone's polite. I mean, yes, yeah, you're right, it's a great community. I love this, so thank you all. Yep. And so the live
chat is always running, so if you weren't able to attend live and you're actually listening to this on YouTube or wherever the hell it ends up ending up, the live chat channel in Discord on the threat hunting server is always here. Please feel free to come in and ask questions. I used to kind of toss my email address in these, but I found that sometimes it takes me a little bit to respond, and I've noticed that when people post things to Discord, even when it's like 2 a.m. on a Sunday, somebody's there to jump in and help out other people, which is always freaking awesome. So yeah, this is great, Chris, so thank you. And also thank you for bringing up the blameless postmortem. I believe it's a very important thing. Yeah, oh yeah, I totally agree, I totally agree. Because, like, it's something I experienced in other companies as well, and that was the first go-to: oh man, it was Steve, freaking Steve. And they didn't even bother to look at the real problem. So yeah, exactly. Yeah, it's just too easy to just blame a person. Yeah, exactly, it's an easy way out. Yeah, the only times I honestly feel like it's the person is when they are blatantly disregarding what they know they're supposed to do, right? Like, I have had employees that, let's say, they're supposed to be doing a log check of the firewall, and instead of doing the log check they just check off that they did it, and they don't even bother looking at anything. And for all the questions that pop up about, hey, did you verify this, did you verify that? Yes, yes, yes, yes, yes. Okay, you're lying, now it is your fault. Yeah, yeah, yeah, and you're right, there are cases where it's absolutely the person, but it is absolutely not the majority. It is definitely a very small minority. So when we talk about insider threat, I honestly feel, based on my experience, a majority of insider threat is poor processes, poor culture. Fix those two things and you'd be amazed at how quickly that problem goes away. Yep. Well, and like most rules, they're never 100%, right? Yep. So, yep, agreed. All right, with that said, thank you everybody, appreciate your time today. I recognize you could have done other constructive things with your hour, so I appreciate you spending it with us, and we'll be doing another one of these again next week. Next week we'll be on risk assessment. Yay, everybody's favorite topic. Everybody loves risk, yay. I'm just kidding, I'll try and make it fun. Awesome, awesome. Take care, folks. Ciao, everybody. Thanks, Chris. Thanks, everyone. Thanks, Chris. Bye-bye.
Slide Deck:
Fireside Friday – Evaluating Risk
January 31, 2025
Recording:
Show/Hide Transcription:
0:00
thank you welcome uh welcome to Fireside Friday I am your Chris I am your host for the day and today we are going to be
0:07
talking about evaluating risk um I’ve got a copy of the um slides in the fire
0:15
content channel so that’s the channel that’s one below uh where we actually in you doing live chat well yep see the
0:22
gong is going off so that means it’s time to start cool oh we’ve just got it all over the
0:30
play today thanks to our sponsors thanks to Herman and Emily for helping out with
0:35
uh getting all this content together and I mentioned a little bit earlier today’s just going to be lecture uh we we’ll
0:41
we’ll do a little bit of we’ll do a little bit of stuff as far as like working through risk together but uh no
0:48
no need for like configuring a laptop or anything like that
0:53
so if you’re a security person you’re kind of assumed to know this stuff already right like oh uh Eric was asking
1:02
where’s Keith uh Keith is actually on PTO today so he he is he is with us in
1:08
spirit but not in video so um yeah as a security person
1:14
you’re kind of expected to be able to understand risk and how it works and how to evaluate it and all that other fun
1:20
fun stuff which is not necessarily the case I we we tend to kind of wing this
1:25
right like if someone says you know oh well what’s the likelihood of X or how
1:31
much do I have to worry about Y getting compromised for the most part we tend to just kind of ballpark guess without a
1:37
whole lot to go on but there are actually some established methodologies we can go through and use to try and
1:44
maybe maybe not get an exact Bullseye but maybe be a little bit closer to the Target on the whole thing um as far as
1:52
like you know dealing with risk you know a lot of this is going to come back to the systemic approach as we talked about
1:58
last week you know where we want to look at you know what are the different layers that we want to go through and
2:03
protect we want either want to accept a framework that you know describes those layers and we can see what we want to go
2:10
after with each so I showed one that used like the MITRE ATT&CK matrix last week um I showed one that used the OSI
2:16
model um you know you can go with something like SOC 2 I mean there’s a bunch of different options out there you can go through and choose from but the
2:23
idea is to go through and plan your architecture as opposed to expand your
2:29
architecture you know based on what you read on Discord one particular week so
2:35
what is risk risk is a combination of three things first is an asset this is
2:40
something that has value to an organization so this could be a physical item it could be intellectual property
2:45
it could be data it’s something that has some level of value that you know the
2:51
organization leverages to make a profit or whatever their business model happens to be the other is a vulnerability
2:59
against that that asset so this could be hey you know our servers are our asset
3:04
but we store them on the front sidewalk well you know there’s our point of vulnerability they’re kind of open to
3:10
anybody to grab them or you know this could be so you and typically is software based and then a threat which is
3:17
somebody who would be willing to go through and exploit that you know there are folks that live in communities where
3:24
no one locks their doors you know that could be considered a vulnerability but
3:29
there you know these rural areas that tends to be no threat actors so it you
3:36
really the risk is relatively low because there isn’t anybody who’s actually trying to take uh take
3:41
advantage of those vulnerabilities and I always kind of
3:47
like to look at this as like um a game of Clue right you know the whole thing
3:52
with the game of Clue was to go through and kind of figure out um you know who
3:57
who performed the murder and where and how did they do it right well risk
4:03
assessment is kind of the same thing and I gave you some examples here you know instead of Colonel Mustard in the library
4:08
with a Candlestick it could be an untrained employee in production using poor procedures it’s the same type of
4:14
thing so if you kind of for me it’s always kind of helped for me for whatever reason to kind of refer back to
4:20
clue to be able to think about you know what are the different components here uh that’s a good way to go through and
4:26
describe it so what are assets as I said this is
4:31
anything that has value towards the organization um it’s usually something that helps support whatever the business
4:37
model happens to be and you know assets are obviously going to have different
4:43
levels of value to them you know if we’re storing customer private information obviously that’s going to
4:48
have a certain value to it um the waste basket under my desk so I don’t have to
4:54
walk outside to the dumpster every time I want to walk away that has a value to it as an asset you know it’s saving me
5:01
time every day so there’s you know there’s a lot of assets that we end up having to deal with and sometimes that
5:07
can get a little bit overwhelming we’ll we’ll talk about some methods to try and kind of sift through what you really
5:13
need to worry about and what you don’t at least from a cyber security
5:20
perspective and these can be tricky to tricky to Value right like i’ I’ve noticed that when people tend to look at
5:26
the value of an asset they look at the Direct Value that asset contributes to
5:33
the organization and they don’t necessarily stop and think about uh there any other possibilities here and
5:39
I’ll give you a great example a network printer right so we got a printer that’s hooked up to the network that people can print to and you may look at that and
5:46
say well that’s a real fairly low value Asset right it’s a printer we got three
5:52
of them if we lose one we still got two you know it’s not a big deal and we don’t print that off in anyway so you
5:58
know if an attacker was to take that printer offline you know that really wouldn’t be that big of a deal that’s
6:04
not going to be a lot of a lot of a business loss well okay but what if they use it as a foothold what if that’s the
6:11
conduit to get in and get access to everything else in your environment so from the attacker perspective that value
6:19
that asset could have a lot of value to them as far as moving with their attack
6:24
against your environment so that’s something that we need to kind of tweak into this as well so when we’re looking
6:30
at the value of an asset a majority of this is what’s its value to us but it
6:36
behooves you to kind of pause and think about okay are there other possibilities off of this like does this have value to
6:42
the attacker themselves you know in which case you know maybe we need to
6:48
maybe we need to consider this asset to be a higher value than it normally would
6:55
be so what are our threats you know in other words we we we talked about so
7:01
we’ve got assets they have a value to them who may want to exploit a vulnerability against them either
7:07
knowingly or unknowingly you know we’ve got a lot of possibilities you know there’s a lot of talk about you know
7:13
Insider threat and you know you’ll you’ll hear a lot of folks say oh Insider threat is the
7:20
biggest threat that’s out there and that kind of tweaked me right just from like
7:25
a our our people inherently good or evil perspective because what that implied to me was that uh there are more bad people
7:33
than good people and you know that’s why we have this Insider threat problem and the reality is when you go through and
7:40
pick through the data a majority of the insider threats are human error it’s
7:46
people making mistakes and it’s not necessarily that human’s fault you know
7:52
we talked last week about the importance of doing blameless postmortem you know it’s easy for me to say oh Bill screwed
7:58
up you know Bill mess this up we’ll spank Bill and tell him not to mess up again and now we’ve got a corrective
8:04
action to move forward and we’re fine but the reality is no if Bill messed up
8:10
you know more than like now it could be Bill’s gone Rogue but that isn’t the
8:15
case most of the time with most of the you know most of the instances where this stuff occurs usually what it is is
8:21
it’s either it’s the procedures poorly documented or it’s not documented at all
8:26
so it’s easy to introduce mistakes or there’s no audit process to go in and
8:34
check that right like if if my process says oh you need to manually go in and
8:39
change these configuration files well if I know a human’s making those changes
8:45
shame on me if I don’t have an audit process behind that right because humans make mistakes sometimes you know we
8:51
meant to hit the letter e and we hit the letter r instead and now there’s a typo and something will fail so do we have a
8:58
process in place in order to be able to fix that you know we’ve seen uh situations where you know an error will
9:05
get pushed out into production to multiple systems at the same time and usually it’s because there’s no decent
9:12
QA process in place to test those changes to make sure they’re not going to cause everything to break you know
9:18
that’s a process issue so part of it you know part of one of the best ways to deal with Insider is to look at this
9:24
from process process perspective um but the other is also
9:29
you know damn it run a decent culture you know these cultures where you feel like everybody has to be in it for
9:36
themselves because everybody else might stab them in the back and you know accounting may decide that it’d be more
9:42
profitable to you know lay off X number of employees this week because that might actually increase stock by y
9:48
amount or you know some BS like that if you’re operating like that don’t be
9:53
surprised when no one gives a crap don’t be surprised when someone might look at something and say you know that doesn’t
10:00
look quite right or hey it would be pretty easy to improve on that but f it
10:05
it’s not my job I don’t care and if you’ve got a poor culture people are going to feel that way they also may
10:10
feel like yeah I could fix that but that might get me attention and a lot of times when people get attention they get
10:17
laid off so I’m going to try and hide in the background so no one pays attention to me so I don’t have to worry about my
10:22
job so you know again good culture goes a long way towards dealing with Insider
10:28
issues uh could possibly be competitors you know organized crime uh generic
10:34
jerks you know they do it just because they can yeah some people are like you like that there are folks that kind of
10:39
feel like yeah it’s O it’s okay to for me to break into your environment because I didn’t have malicious intent I
10:47
wasn’t breaking in because I wanted to steal your data I broke in just because
10:53
I wanted to see if I could do it well gee thanks that still screws up my day
10:58
week month whatever turn whatever it takes to be able to uh recover after that type of an issue non-hostile
11:06
threats like I said you know accidental and inadvertent you know changes to things
11:12
a typo those happen blameless postmortem is the way to go through and kind of deal with that uh structural problems so
11:19
things like um just not having good processes in place to be able to deal
11:25
with things you know how do we how do we go through and prioritize what vulnerabilities get fixed for us first
11:31
of all how do we figure out if we’re vulnerable to things we need a process for that now once we figure out what
11:36
we’re vulnerable to how do we prioritize those to make sure they’re getting addressed accordingly to reduce the
11:43
amount of risk against us as quickly as possible so those would be structural in nature the environmental ones are there
11:49
but they don’t really apply to us because they’re not necessarily cyber
11:54
related and there are different types of risks so you know again some of these
12:00
kind of cross multiple categories like the human mistakes um one we haven’t talked about yet is strategic risk this
12:07
doesn’t apply to us in cyber that frequently but it is good to kind of be
12:13
aware of them just so you being a little bit more holistic within the environment itself you know in other words um
12:21
ability to execute a specified time what do I mean by that well markets tend to kind of ebb and flow right like the
12:27
iPhone when that came out it hit the market exactly when people were ready for that type of a product if it if the
12:34
iPhone was delayed 3 4 years I can guarantee Apple wouldn’t have the market share they do today so being able to
12:41
execute when needed is a strategic risk because maybe you’re not going to be able to go through and do that so like I
12:47
said these don’t necessarily directly apply to security but every organization
12:53
deals with them it it’s good to kind of be aware of what’s within the organization and prioritize accordingly
13:00
you know in other words if you see a um a risk to the business you know let’s
13:05
say this there’s a potential failure of being able to implement the business plan and actually make a profit even
13:11
though it’s not cyber related you know is someone who works for that company that or that organization that will be
13:18
out of a job if it goes out of business it kind of behooves you to get involved to say hey how can I help you know we
13:24
have this problem it’s a bigger risk against the organization than any of the Cyber stuff I’m dealing with right now
13:32
I’m happy to jump in and lend a hand if I can I’ve been involved with that type of thing more than once um compliance
13:42
risks this is uh so I you know I’ve got here fines penalties due to lack of compliance really where I see it uh have
13:51
the biggest Financial hit is the inability to break into certain market
13:57
segments right like if you want to do business with like an Amazon let’s say
14:03
they’re going to want to make sure that you know you have your you know your SOC 2 your ISO
14:10
27000 there’s certain security frameworks that they're going to want to make sure that you’re following and if you
14:16
don’t have those in place they may not be willing to do business with you because you would pose a risk to their
14:22
environment because you don’t have enough security controls in place so the compliance risk for me
14:29
you know the fines the penalties yeah those are all well and good but the actual inability to execute on what
14:37
you’re trying to accomplish uh that’s the one that can really cost an organization an awful lot of
14:45
money Okay so we’ve got an asset that is
14:52
vulnerable and some form of threat actor that could potentially take advantage of that vulnerability to
14:59
compromise our asset what can we do to try and deal with the risk that gets created by that
15:06
situation well we’ve got four possibilities and typically we’ll end up
15:12
going with a combination usually accept is part of that combination in other
15:18
words we might try to avoid or mitigate but we’re not going to be able to avoid or mitigate 100% so there may be some
15:26
percentage that we end up just saying okay that’s good enough and we’ll talk in a little bit about okay so how do we
15:32
figure out when enough is good enough so one of the things we could try
15:38
and do is risk avoidance um this the how successful this can be
15:45
really depends upon like what’s the risk and how are you trying to avoid it right
15:51
like we can say oh hey I’m I’m worried about the windows vulnerabilities so I’m going to avoid all those windows
15:59
vulnerabilities by running a Linux system instead well but Linux has vulnerabilities against it too so yeah
16:06
you’re you’re probably safe from all those windows vulnerabilities now but that doesn’t mean there aren’t other
16:12
vulnerabilities that you’re going to have to take on instead and does it make sense to make that kind of change you
16:17
know that’s a decision that needs to get made within the organization itself so you get the idea you know sometimes
16:24
avoidance just simply shifts what it is we need to be concerned about
16:31
mitigation is what we typically tend to do so with mitigation I say okay there’s
16:36
a risk and I’m going to try and reduce that risk as much as I possibly can so
16:42
for example I have a web server it has remote access via SSH and it’s got TCP 80
16:48
and TCP 443 open so that people can come in and access our web pages and I may say okay well only administrators need
16:57
access to SSH so I’m going to put some firewall rules in place so that only the
17:03
organization’s assigned IP address space can actually access that SSH port and
17:08
now that’ll dramatically reduce all the all the potential SSH risks because you’ve got to beyond that internal
17:15
environment in order to be able to get to that port in the first place and for the web stuff I might decide okay I’m
17:20
going to run a reverse proxy in front of it and that may help me go through and clean up a lot of the vulnerabilities
17:25
that are associated with you know the web traffic as well but it isn’t going to get rid of
17:31
everything and you know and with limiting SSH access to the internal Network well but what if there’s a VPN
17:38
right what if someone can like password spray a VPN that gets them access to the internal Network now they could turn
17:45
around and from there go to Port 22 on the web server so you know so by implementing some firewall rules
17:52
implementing a reverse proxy we’ve probably eliminated 90% of the risks
17:58
that that are involved there but there’s still going to be some level left over after that so now we have to ask
18:04
ourselves you know how much are we going to worry about that you know like so for example we could say well we’re going to
18:11
create a policy that says you know you must use public private key and we you
18:18
need to use all three factors of authenticate actually you know not just public private Keys you need to use all three factors of authentication so the
18:24
public private key just you know gets you minimally into the server and then from there you need a YubiKey and you
18:31
know after that it does a you know a a scan of your eardrum to make sure it’s actually you or you know whatever the
18:37
case may be uh you know we’re going to add in all these additional layers of authentication to help protect
18:43
SSH well you could but is it worth it right like if we’ve eliminated 90% of
18:50
the risk is it worth spending that much time and effort to go after that last
18:55
10% probably not so we may end up in a situation where we say okay we’re just
19:00
going to go through and accept what’s left over you know we’ve mitigated the big stuff we’ll deal with the other
19:06
stuff through system logging or whatever the case may be risk transfer so this is one that you
19:14
going to get different answers from different people right like with PCI you
19:19
know PCI clearly states that hey you can Outsource processing your credit cards
19:26
to a third party but that doesn’t exempt you from the responsibility of those remaining in a
19:34
secure State well yes and no right like you can you can say that you know and it
19:39
sounds good and I I get where you’re going you want to make sure people don’t feel like they have no responsibility at all anymore so I get why you’re saying
19:47
that but the reality is that isn’t how it works out right so imagine like I use
19:52
I don’t know stripe to process credit cards and stripe gets compromised
19:58
technically per the letter of the law any of my customers credit cards that
20:04
got accessed I’m kind of responsible for as well but in reality is that actually
20:11
true right like you know what what’s my get out of jail free card my get out of chill free card is hey stripe is an
20:17
authorized credit card processing company you know they’re listed on the PCI website they they have their
20:24
attestations in place you know there’s there was nothing that I could have
20:29
looked at that would have hinted to me that they may have been you know open to compromise so I did the best job I could
20:36
so rather than me being in front of all the people with the pitchforks and torches who were pissed off about
20:42
the credit cards getting stolen I actually get to kind of sneak into that group of people grab my own pitchfork
20:48
or torch and say oh stripe you were ril you know and and there's probably going to be no fallout for that so while some
20:56
folks will read contracts and say you can’t transfer risk the reality of it is and we’ve seen
21:03
this over and over again in the wild yeah you can’t because if that entity gets whacked it isn’t just going to be
21:09
the credit cards you gave them that got that gets compromised it’s going to be a bunch of others so people are going to
21:15
go after them they’re not going to go after you so you can actually transfer risk and there can be an awful lot of
21:22
benefits to that we’ll get into this later when we talk about different security Frameworks but like you know
21:28
one of the things that kind of comes out of this very quickly is that if I’ve given my credit card processing to
21:34
stripe I have far fewer controls to deal with you know PCI DSS has I think
21:40
they’re up to like 350 controls now but if I go through and I um use iframes to
21:50
have stripe do the credit card processing for me my the number of
21:55
controls I’m responsible for drops down to like 12 there’s not much
22:01
responsibility I have anymore cuz they’re dealing with all of that so yeah you can actually transfer
22:07
risk and then there’s acceptance and acceptance of risk is okay when it’s an
22:14
informed decision the problem is most of the time it’s acceptance of risk out of
22:21
ignorance meaning we don’t know any better you know I I I I think I
22:26
mentioned earlier there was an environment I was working with that did quarterly vulnerability tests you know
22:34
they did quarterly uh simulated incident responses where you know a security
22:39
event would occur and they would you know go through and practice responding to that which is great except everyone
22:46
they had done for like the couple of years before I saw it was was um they had done DoS simulations
22:56
because that’s what they knew you know they didn’t do anything where hey so you know this web server that’s hanging his
23:01
butt out there gets compromised and it’s got customer information on it how are we going to respond to that they didn’t bother with any of that so they were IGN
23:10
they were um knowledgeably accepting the level of risk associated with DoS
23:17
attacks because they understood that model and how it worked and what they could do but the actual getting a system
23:22
broken into and getting data stolen that was an acceptance through ignorance because they really weren’t dealing with
23:30
that and didn’t really know how to deal with that uh let’s see Chris under PCI if you
23:36
Outsource responsibility is still with the outsourcer to ensure the vendor is following the PCI standard yeah I I I
23:42
completely agree with that statement and and as I said I I you know I stated per
23:48
the letter of the law you are still responsible but the reality is if their
23:54
if their PCI documentation is lined up right if they’ve had had a a a a proper
24:00
auditor come in and look them over over the last year and all their paperwork straight I don’t have a whole lot of
24:08
Ability Beyond saying oh check mark you’ve got your paperwork in place to know what how vulnerable to attack they
24:15
are and if they are attacked like I said they’re not just going to get the data
24:20
that’s associated with my account with them they’re probably going to get multiple accounts so people are going to
24:25
be pointing the pitchforks that way so yeah I totally agree that’s what the PCI documents say but the reality is it
24:32
doesn’t work that way uh it’s kind of the same way that like if you get your attestation you know you’re you’re
24:38
you’re safe and it’s not you know we’ve had people while a PCI audit has just
24:45
finished and the auditor was giving them their blessing there were uh miscreants
24:51
on that Network stealing credit card information and had been for a couple of years prior during the prior PCI audits
24:58
as well so yeah there’s what’s said and there kind of like the reality that kind of works around
25:06
that so we talk about dealing with risk right we’re going to try and mitigate it
25:11
we’ve got a couple of ways we can go through and uh try and do that one is through you know administrative and
25:17
administrative is always kind of my least favorite because what we basically do is an edict you know Thou shalt not
25:22
go to you know Thou shalt not click on suspicious links you know we have a policy that says you’re not allowed to
25:29
click on suspicious links oh come on really really you think that’s going to
25:34
fix it oh well it’s a law now you know so no no one will ever do that again no that that isn’t the problem the problem
25:41
typically what I don’t like about administrative is the problem isn’t usually administrative right the person
25:48
isn’t saying ooh someone’s attacking me I’ll bet this malware is going to
25:53
encrypt my drive and I’ll lose all my data I’m going to click that link oh wait we got a policy saying I can’t do
26:00
that so I guess I won’t yeah no that’s the situation never goes down that way so administrative to me is more about
26:07
making Auditors happy right Auditors want to see you have policies in place
26:12
that say these things that doesn’t necessarily mean it’s actually helping you mitigate that risk per se it it it
26:19
really comes down to the controls themselves and how you’ve implemented operational that’s one I’m really big on
26:26
because again we’re human we make mistakes one of the nice things about M uh about computers is that when they
26:33
tend in automation is when they screw things up they screw it up in Mass right like think about so the analogy I like
26:40
to do is think about how we copied books a thousand years ago what happened you’d
26:46
have a scribe who would have a book in front of them they would read what’s on the page and then they’d have a blank
26:52
book below that and they would write in that blank book what was written in the other book well what’s our possibilities
26:58
for error there well our possibilities for error there are pretty high right like what could get screwed
27:03
up well everything because it’s a human you know they could write an a instead
27:08
of an e they could spell a word wrong they could swap a word for something else they could decide oh I don’t like
27:13
that sentence I’m just going to leave that out or they may lose their place and leave something out because of that
27:19
so with a human we kind of need a really strict auditing process we need to check
27:25
every little single data point because any of them could possibly go bad so
27:31
there’s a lot of auditing that needs to take place when you get into automation though right so think photocopier right
27:39
what happens when a photocopier goes bad you know well if I’m making let’s say a bunch of booklets with 10 pages you know
27:45
all of them might be missing page three right because when The copier screws up it screws up everything right I don’t
27:51
have to worry about it changed an a to an e on page two that’ll never happen it’s a photocopy or it’s an automated
27:57
process but but it might end up missing a page it might do a page backwards it might you know have a blank page in
28:03
there but it will end up being as part of every kit that’s one of the things I
28:08
kind of like about automation because if I am let’s say I manually deploy 50
28:13
servers I have to manually check 50 servers if I’ve deployed 50 servers
28:20
through Ansible or through you know let’s say through Chef all I got to do is go in and check my recipes and spot
28:27
check one maybe two systems bang I’m done I don’t have to do a granular check of everything because again everything’s
28:33
in an automated process so I personally feel one of the best ways to deal with mitigating risk is doing as much
28:40
automation as you possibly can technical possibilities you know this comes down to the software we use and stuff like
28:46
that um that one’s pretty common most people are kind of up to speed on that now when we talk about trying to
28:53
identify how much risk are we dealing with right how much risk is actually
28:58
there that I need to worry about there’s two methods that we tend to fall back on
29:05
qualitative and quantitative and their approaches are slightly different although you honestly qu even
29:12
quantitative does include a little bit of qualitative processes processing inside of it we’ll talk about that when
29:18
we get to it so but let’s start with qualitative this is the first one and actually let’s talk about how do you how
29:25
do you remember the difference between them right cuz this qualitative and quantitative what do they mean well
29:31
we’ll we’ll get into the deep parts of the definitions in just a second but for the most part qualitative comes down to
29:37
make your best guess that’s really what qualitative comes down to is make your
29:43
best guess quantitative actually comes down to measuring things and calculating
29:51
things so the way I tend to remember this is qualitative requires a quality
29:58
person to do the process right so qualitative
30:04
quality link those two together quality you know quality person to do a qualitative a audit quantitative
30:11
calculates quantities so I kind of look at it that way to try and remember which one is
30:17
which so qualitative what is that gu diation and
30:23
money yeah yeah you can look at that that way too absolutely although I I I like it to
30:29
rhyme a little bit that tends to make it a little bit easier for me to go through and remember so qualitative is not an
30:35
exact science this tends to be um you use your your years months days
30:43
centuries whatever it is of experience to go through and make your best guess as to how likely something is to occur
30:51
now the problem with this is that you can ask 10 people to do a qualitative
30:59
audit and you’re going to get not only you going to get 10 different answers you may get 10 wildly different answers
31:07
depending upon who it is that you talk to right so let’s say there’s a certain you know there’s a potential for a
31:13
vulnerability against a web server you know some folks may look at that and say oh well you know that’s really high and
31:19
then someone else would say well actually that’s pretty low because the server in question is behind the firewall when the first person didn’t
31:26
actually think about the fact that, well, you can’t get access to the web server from the internet anyway, so that’s going to reduce the risk. Again it comes down
31:33
to the quality of the person that went through and did that estimation so it’s not just the fact that you’ll get 10
31:38
different answers you’ll get 10 different wildly different answers so
31:44
qualitative kind of is a last resort but even with that it tends to be what we
31:49
use an awful lot of the time and you know there are lots of
31:55
charts out there like this one to help you kind of rank what it is that you
32:00
need to go in and worry about and it’s a it’s a matter of looking at impact and probability now we kind of look at those
32:07
as part of a quantitative process as well but with quantitative we actually
32:12
try and put some dollar values and numbers around them, here we’re just kind of ballparking it, it’s almost like
32:19
sprint cycles, right? If I have a feature I want to add,
32:24
one of the questions I might ask my team is you know not how many many hours will that take you because it’s hard to
32:31
Define an exact number of oh you know well it’s going to be exactly you know
32:36
173 lines of code therefore it will take me 3 hours 42 minutes and 10 seconds
32:42
yeah no no you know we we tend to do it based on like t-shirt sizes or something general like that oh this is a small
32:47
this is a medium this is a large oh this is an extra large project you know you it’s going to be within a range type of
32:53
thing and I I like to look at these kind of that same way so you’re looking at at How likely is this to occur and what
33:00
would the impact be to the organization that’s going to identify the severity
33:05
level that we’re going in and dealing with so what kind of plays into all of
33:13
that age is one of them how long has this vulnerability existed for is this something that just got introduced with
33:19
the last minor release or is this something that got introduced eight years ago and we’re now catching it now
33:26
you know the probability of being exploited is going to vary widely between those two right because you can
33:32
have far more people who’ve used some version of the software over the last eight years and still have it in play today
33:39
versus who might have that one specific version that happens to be vulnerable complexity how hard is it to actually
33:45
perform this exploit, you know, sometimes these are dead easy, point a web browser at it, type this in, bang, you’ve
33:52
hosed that system you know it might be as easy as that some of these are well actually you need to string string
33:59
multiple vulnerabilities together or multiple exploits together in order for this vulnerability to exist uh in which
34:06
case you know that makes it far more difficult you know if you can automate it in a script that means anybody can
34:12
run it that tends to mean that you know you know the complexity is pretty low you’re far more likely to run into
34:18
somebody trying to exploit this accessibility how easy is this to go
34:25
through and do it you know I mentioned oh well hey if it’s in a script well that’s still going to throw some people
34:31
off because they’re not comfortable working within a terminal or command line, but make it into a GUI and oh
34:36
yeah now everybody can point and click so that’s going to increase the probability of this occurring even more
34:42
and is there a fix available that’s a huge one right is you
34:48
know if if it’s known this vulnerability is there does the person does the each organization who’s vulnerable actually
34:55
have something they can install to make make that go away or are they going to be stuck trying to come up with some
35:01
other means to mitigate that right like SSH is vulnerable well if there’s a
35:06
patch I can just go through and Patch it if there isn’t a patch well about the
35:13
only thing I can do is try and restrict what IPs can actually get to my
35:18
system and how easy or hard or possible that is is going to be different for
35:24
each environment so not every environment might be able to uh Implement those mitigating factors so
35:31
that’s another one that’ll go through and kind of drive you know what’s what’s the severity level that we’re dealing with
35:36
here, and this is what the CVSS system is for, so the Common Vulnerability Scoring
35:42
system attempts to go in and give you a numeric value between zero and 10 to
35:49
help you identify what is the severity of this now I’ve seen people argue so so
35:55
full disclaimer I was involved with this in the early days when it first started up so you know disclaimer there so take
36:02
whatever else they say you know with with that as a kind of a preface to it um I I will say I do feel like these
36:09
have value are they always 100% accurate no of course not right like if there’s a
36:14
web server vulnerability the score that gets assigned is going to be based on that web server being exposed to
36:21
internet access well if you have a proxy in front of it that may reduce that the
36:26
severity level of this issue you know somewhat if I’m running it internally
36:32
only and only my internal users who I can fire if try and do this have access
36:37
to that server well that’s going to reduce this score value even more the severity level even more so part of that
36:44
score the score is a number of things they kind of work in to figure out um you know what that number should be but
36:51
some of it is, you know, accessibility and the ability for, you know, how many people can actually go through and exploit this.
36:58
Uh, let’s see, “is there anything Chris wasn’t a part of in the early days?” Yeah, there were definitely things I
37:05
was not a part of but yeah I I do try to jump in and help out anytime I can so and most people are familiar with the
37:11
CVSS system, most vulnerability scanners directly refer to this and give you a score number based on this system
37:18
uh whenever a vulnerability gets found so to kind of give you an example of how this works uh last year
37:25
ConnectWise, it was discovered it had a vulnerability. The age of this, this
37:32
had existed in every version of their product since version one, so it
37:37
had been around for many years and every single version was vulnerable. ConnectWise makes a tool that allows
37:45
people to manage networks remotely, and they specifically market to managed
37:51
security providers. So the idea is I’m a managed security provider, I’m going to manage, you know, security or the IT
37:58
environment or both or whatever for, let’s say I specialize in law offices, so I have a bunch of small law
38:05
offices that I take care of their IT needs and their security needs, and what I might do is drop a ConnectWise box on
38:11
their network so that I can remote into that ConnectWise box and then from there I can jump to any system that I need to
38:17
and that gives me remote access to the entire environment and allows me to collect statistics about what’s going on
38:22
I can do all sorts of cool things with it but this vulnerability was found that existed since the tool was first created
38:30
that the high-end hacker tool you needed to exploit this vulnerability was
38:35
a web browser any web browser you know it wasn’t like it was just Chrome or just Firefox any web browser could be
38:46
used accessibility well you know how easy was it to exploit this well you you
38:51
you heard me say this is used by MSPs to remotely manage their customers, which
38:57
means these boxes tend to be internet accessible so and they have a unique
39:05
string that gets sent back when you connect to this web server, so it’s really easy to go into Shodan and say
39:12
hey Shodan, go check these ports for me and look for this value and if you find it tell me what that IP address is, and
39:18
Shodan can quickly go out and find the literally tens of thousands of these that are out there on the internet, very
39:24
quickly no problem uh the complexity I mentioned it was a web browser what did I have to do with the web browser I had
39:30
to go to a specific URL that is normally only used when the box is first brought
39:36
online when you first boot this box up right the first thing you’re supposed to
39:41
do is connect to it with a web browser and it says oh hey I’m a brand new Server create an administrator password
39:49
and you create an administrator password and then it forces you to log in with that administrative password and then
39:54
you go in and you start going through your setup process well that page was still accessible even
40:01
after the system was up and running so if I knew what that URL was all I did
40:07
was go to that URL on that ConnectWise system and it would tell me go ahead and create an administrator
40:14
password and that would overwrite the existing administrator password so now I have admin access to that box but the
40:21
legitimate owners no longer do, unless I use a poor password and they can guess the password I was using, but I
40:28
now have admin access and I can get into the back end of all these different networks ouch so you know this one was
40:36
given a score of a perfect 10 for what should be obvious reasons right anybody
40:41
with a web browser can do this, Shodan can tell you what systems are vulnerable and where, and all you need to know is
40:48
that you know super secret URI which wasn’t all that super secret so that’s why this got a 10 and we tend to see
40:54
about 40 of these a year but there usually some level of mitigating circumstances that keep things from
41:01
being 10 you know I mentioned you know if you drop from a 10 down to a 9.8 now we’ve got about 2,300 on average that
41:08
kind of show up at that level there. Uh, “Chris, it’s not a vulnerability, it’s a feature.” Yeah, that’s
41:16
it, awesome. So limitations of qualitative,
41:22
you know, one is it really comes down to how skilled is the person doing it, so this
41:29
is one of those things that hey I’m I’m new to this right you know I I just went through some training I’m going to go in
41:35
and start doing some risk analysis I’m kind of green because you’re green it’s going to
41:42
be harder for you to be good at this you know it it it it really kind of comes down to that um you know not not as much
41:50
of an option when you were new the other part of it too is okay so I tell you something is critical that that doesn’t
41:57
necessarily identify the potential financial impact to the environment, right? Like I mentioned, hey, MSPs are
42:04
dropping these boxes on everybody’s Network and someone could log in and change the admin password and get access to all the internal systems through a
42:10
remote console session what’s the financial impact of that pretty damn huge right but how big
42:17
is it well qualitative doesn’t necessarily pull that in I need to kind of stop and start looking at the
42:23
individual pieces and start making guesses about what I think the potential financial impact of all of
42:29
that could be but like I said we tend to use this a lot so despite all of those um caveats
42:40
this is the number one method we tend to use when we go in and we do risk analysis the one you want to use if you
42:46
can because it will impress your boss it’ll impress the finance group it’ll uh
42:52
put you in a more likely position to actually get your projects funded is
42:57
quantitative so what quantitative does is quantitative actually tries to put some numbers down to calculate the
43:05
potential Financial losses that could be associated with certain risks there’s a lot of algorithms here
43:13
right so there’s the probability risk assessment we’ll we’ll come back and
43:19
talk about that one a little bit more, but, you know, the probabilistic, I can never say
43:27
that word risk assessment you right that that’s going to be kind of our final evaluation of you know how bad could
43:33
this be what could it cost us and knowing that dollar value is going to help Drive what we may be able to spend
43:41
in order to go in and try and uh uh try and uh reduce or mitigate this
43:46
risk single loss expectancy what’s that single loss expectancy is what’s the
43:53
potential loss due to a single event and I’ll actually get into these a little bit more detail as we go through so I
43:59
I’ll I’ll I’ll Circle back into these in just a bit annual rate of occurrence is just how often do we think we might get
44:07
hit with this and that annual loss expectancy is actually a calculation
44:12
that looks at hey what’s it going to cost me if this happens once and how
44:18
often do I think this might happen right so to keep this so to keep this simple
44:23
and easy to follow, right, let’s say my single loss expectancy is
44:30
$10 right if this if this risk comes to fruition and we get exploited it’s going
44:37
to cost us $10 just to keep the numbers easy if the annual rate of occurrence is
44:43
we think it’s going to happen every year well now we can look at hey it’s going to cost us $10 a year to deal with this
44:51
if we can spend $5 to make this go away that may be beneficial to us and we
44:57
think it’s going to happen twice a year well now the single loss expectancy is
45:03
$10 we think it’ll happen twice a year 10 times two it’s going to cost us $20 a
45:09
year to deal with this so now we start looking at hey if we could mitigate this for you know up to like instead of $5 we
45:15
could go as high as $12 to mitigate this and it may make sense what if the you
45:21
know single loss uh expectancy is $10 but the annual rate of occurrence is
45:27
every other year well if it’s every other year then that cuts the $10 half
45:34
it’s only $5 so the cost of the annual cost of dealing with this particular uh
45:40
risk is $5 now our budget needs to fit within that $5 range in order to be able
45:46
to actually make sense you see where I’m going with this if I look at this and I say um you know I want to spend
45:54
$40 to mitigate risk I’ve got to be able to clearly make an argument that the
46:01
risks I will mitigate could cost us much more than that $40 think of it as like
46:06
uh so think of like like your car insurance right if your insurance agent said we’re going to charge you $1,000 a
46:13
year but we will never pay more than $1,000 if you get in a car accident, you’re
46:19
going to look at that car insurance very differently, right? What the hell is this getting me? I don’t get in a car
46:24
accident every year you know I have been in a car accident in 10 years so they they need to be able to potentially
46:31
protect me from spending you know 10 times that at least before I’m even
46:36
going to consider that car insurance this is how we end up kind of dealing with budgets as we go through this uh
46:43
let’s see, I saw a question pop through, HK was saying, what will
46:48
we be basing ARO, so that’s the annual rate of occurrence, on,
46:55
previous breach reports? Yeah, so that’s a great question, dude. So the
47:00
reality is there’s some general guesstimates but that’s probably one of
47:05
the least studied things out there by that I mean I haven’t seen really good
47:11
studies that go through and kind of talk about you know oh hey for a web exploit
47:16
you know if you are in the um you know Services you know vertical you may run
47:24
into it every 5 years if you’re a hospital you might run into it every seven years if you’re into you know
47:31
automotive repair you know you might see it every 3 years whatever I I haven’t seen a really good study along those
47:38
lines. The ballpark tends to be people get whacked about every five to
47:43
eight years, it may be the same exploit twice if they’re dumb or it may end up
47:49
being something different, but five to eight years getting whacked tends to be about the typical cadence for most
47:55
organizations globally great
48:00
question okay so that’s single loss expectancy right so we were saying single loss expectancy
48:07
times the annual rate of occurrence how often do we think this is going to be occurring that’s going to kind of help
48:14
us figure out what’s the overall cost of dealing with this risk and that’s going to help us kind of figure out budget
48:19
based on that but single loss expectancy is actually a combination of
48:26
two different things the value of the asset and the exposure factor of the asset meaning um excuse me the exposure
48:35
factor is the percentage of the um the percentage of the asset value that we
48:41
may lose during an event and this this is where things get really funky this is
48:47
where this method gets kind of hard, right. “E times A equals L”, yeah, so this
48:56
this is where things get kind of funky because what if they break in and they
49:01
steal private data well the asset’s still there we could still use it the
49:07
data is still there but there’s reputational stuff that we have to worry about from there right what
49:13
if excuse me you know what if they get in and they’re running crypto mining on
49:19
the asset well now the data is still there the server is usable it just runs
49:25
much slower data hasn’t been stolen we’re just losing CPU time H what’s the
49:32
dollar value that we associate with that see where I’m going with this
49:39
sometimes these calculations get a little bit challenging, so I mentioned that even with quantitative where we’re
49:46
calculating quantities there’s still going to be some level of qualitative you know using a quality
49:53
person to make their best guesses because we’re still kind of ballparking some of this as we go through because
50:00
there aren’t you know definitive clear numbers we can always fall back on and data breach example yeah so you
50:08
know I kind of mentioned this one really quick so we’re in a situation where someone’s broken into one of our systems
50:14
and they’ve stolen the personal identifiable information associated with all of our customers so what’s the cost
50:20
of recovery for something like that? The asset’s still there, it’s still working, but now we’re dealing
50:26
with reputational issues, we’ve got to get legal involved, there may be disclosures we have to go through, we may
50:32
have to hire a team to to to run incident response if we don’t have the skill sets for that on staff you know
50:40
even though technically nothing’s been broken right that thing is still
50:45
working just having data copied off of it could have a whole lot of costs that are associated with
50:52
that so that exposure Factor you know applying it to this specific use case is
50:58
kind of hard right because the database is still functional you know you could also you know like how much is this
51:03
going to cost us from a PR perspective well hell everybody gets compromised these days right it it’s not the stigma
51:10
it used to be go back 20 years ago 25 years ago and if you got compromised
51:18
there was a really strong chance that you could lose an awful lot of business
51:24
today that’s possible but it’s far less likely because we’ve almost kind of become numb to these right I I remember
51:32
that like um I I I can remember when Home
51:37
Depot got compromised you know they the like three days after they got
51:43
compromised I needed to go to Home Depot and buy a lot of stuff, and did I say, well, you know, they got compromised
51:50
so I guess I won’t buy these things after all well they were the only ones really selling the stuff I needed so I
51:57
went in and basically said okay which credit card am I going to use that if it gets popped it’s not going to mess
52:02
things up on me I’ll use that credit card you know it doesn’t it isn’t the Fallout that it used to
52:08
be but if we kind of look at this and we look at so what could be the cost that’s
52:15
associated with there are a number of studies out there that actually kind of guesstimate what is this cost for the
52:21
average organization and it’s about 4.5 million in an episode,
52:27
so every time you know you get popped and somebody steals some data expect it
52:32
to be around 4 and a half million dollars to recover from that now you
52:37
know small shop it might be a whole lot less than that larger shop it might be a whole lot larger than that this is you
52:44
know kind of global average type of thing we’re looking at about 4 and a half million now HK was asking about this how
52:53
often is this going to occur and as I mentioned there really is isn’t good data in this space because I might see
53:00
Acme Corp got popped and then got popped again six seven years later but that doesn’t necessarily mean it was because
53:06
of the same risk it might have been a completely different risk that caused them to get popped the second time you
53:12
know they may not get popped for this same risk until all the people
53:18
responsible for maintaining those systems leave they bring in new systems and the new staff doesn’t know to
53:23
mitigate that type of a risk and then they get popped again and might take 10 years 15 years you know who knows so if
53:31
you look at what’s out there you come up with around 6 and a half years and that’s a really loose
53:37
guess as far as frequency goes so we’ve got we could probably lose about $4.5
53:44
million every time we get popped we’re probably getting looking at getting popped every six and a half years so
53:51
that’s 0.15 events per year so if I just go through and do the math I end up at
53:58
around $670,000 just to kind of deal with this one type
54:03
of an issue so when I now when I start looking at okay what do I need to spend to mitigate this that 670 kind of ends
54:11
up being my top end of my scale right because if I spend that well I’m not gaining anything because I’m going to
54:18
end up spending that if I get popped and hey maybe you’ll get lucky and it’ll take longer to get popped than than it
54:23
normally does you know I might get lucky people always hope they get lucky and it very rarely happens so that might be a
54:30
possibility here too um not a lot to work with though right when you talk
54:35
about like hiring staff and having software and processes and all this stuff you know one of the things I’m big
54:41
on is security tends to be a cost center as the senior most security person so
54:49
whether you’re the you know ciso director of security security manager
54:54
whatever your damn title is within the that organization you’re the senior person in security your number one goal
55:01
in life has to be getting yourself reclassified to being part of
55:10
customer acquisition, somewhere in that revenue string, you want to be revenue
55:15
enablement as opposed to being a cost center what’s the difference well okay let me put it this way so facilities you
55:22
know is responsible for like emptying out the trash cans how much money does a company really want to spend emptying
55:29
out the trash cans they do it because they have to but it doesn’t help them sell more product so they don’t put any
55:35
more into it than they have to right we’re getting classified the same way as that well we want to be get get
55:41
classified as the same as sales or marketing right because with sales and marketing they kind of look at it as hey
55:48
give us more money and we can get more you know more Revenue coming in we want to be able to rewrite the story to be
55:54
able to look at it that way and I I do teach a leadership class I go through processes from that but the bottom line
56:01
is you need to kind of look at what is the purpose of your organization what is it they are trying to accomplish how can
56:08
you align security to better support that you know that might be sitting in on sales calls in order to be able to
56:14
answer any security questions that come up during an initial Discovery phase that might be you know coming up with
56:21
security attestations and getting those put into place so that when a large company says
56:26
well you know we need to ask you some questions about your security you get to say sure no problem and hey just so you
56:31
know we’ve got a SOC 2 or ISO 27001, we’ve got, you know, HIPAA, we’ve got, you know, whatever, you know, here’s
56:37
here’s the full list and now the customer feels a lot less worried about signing up with us just from a security
56:43
perspective which will not only drive more customers but larger customers with bigger pocketbooks as well so again
56:50
senior security person your number one job is to stop being a cost center that’s more important for you to do than anything security needs to be an enabler
56:57
not a blocker I totally completely agree with that assessment
57:03
absolutely you know we’re security we’re here to help well you know maybe you don’t word it quite that way but you get
57:09
the idea, you know. More on risk transfer. Well actually we kind of beat this one up a lot, but I talked about
57:16
how um yeah technically you can’t Outsource
57:22
that risk but actually you kind of can and how much of that you get to offload on a third party it kind of comes down
57:29
to where is the assets located right like if I have servers in my data center
57:35
but I hire a third party to manage those for me if those servers get popped I’m
57:40
still on the hook because I fully control those assets but if I move those assets to
57:48
let’s say EC2, well now I might be able to have Amazon take
57:54
over responsibility for these layers while I only need to worry about these layers up here, oh that’s a whole lot
58:01
better. Well what if I can go to a SaaS service, right, so like credit card
58:06
processing, I could do it on my own data in my own servers in my own data center, well now I’m responsible for
58:13
everything or I could spin up instances in ec2 well now Amazon is responsible
58:19
for these layers and I still take on responsibilities for these layers or I sign up for a service like stripe and
58:26
now my security kind of comes down to who has access and do they use proper
58:32
authentication right like are we enforcing strong passwords and two Factor if so check we’re done that’s
58:39
what we’re really going to be responsible for because everything else is being handled by the organization
58:44
that we outsourced it to now there are some fuzzy lines right
58:51
like, uh, when you talk about, let’s say, PCI, right, if I go into EC2,
58:57
the, you know, the delineation of responsibility is kind of right above the hypervisor type of thing, um, so that
59:04
would imply that Amazon is responsible for the firewall because the firewall is
59:10
a network device, but what you’ll find is that if you try to achieve your PCI
59:15
attestation with EC2, Amazon will provide you with a
59:21
firewall but you’re responsible for managing that firewall so you end up in
59:26
a situation where, you know, like I said, there’s a fuzzy line, it’s kind of split duties at that point. Um, “is that not a
59:32
real hybrid model, transfer, mitigate, accept?” Yeah, absolutely it is, absolutely
59:37
it is. And “tacked on”, yeah. So, you know, is this technically a get-out-of-jail-free
59:43
card you you could kind of argue that either way which we already have if you want more on this topic I do have a
59:50
class around this um there are a lot of really good resources out there um I
59:55
would recommend you know if like leadership is something you’re actually interested in I would highly recommend
1:00:00
uh, starting your journey by reading Leaders Eat Last by Simon Sinek, that is an awesome
1:00:08
book and next week next week on Fireside Fridays so wait so should we go to like
1:00:15
a two-minute commercial and then come back with previews for next week yeah that’s it no uh well actually I guess we
1:00:21
technically did that right so I was like oh hey I got a leadership class ha um yeah so next week we’re going to go back
1:00:27
to doing Hands-On stuff we’re going to go back to kind of working with the stack and we’re going to talk about
1:00:33
layer 2 Communications so we’re going to talk specifically about how do systems
1:00:38
when they’re on the same logical Network segment with each other how do they exchange data back and forth type of
1:00:45
thing that’s what we’re going to be talking about next week uh well like as I said there’ll be some Hands-On Labs
1:00:50
you can do if you have access to a Windows and/or a Linux system, you will have everything you need to do the
1:00:56
Hands-On stuff next week and with that said uh we are done so I want to say
1:01:02
thank you to everybody for turning out this week uh I appreciate it um you know
1:01:08
we get a lot of love because you know we’re we’re hosting this and you know my name gets tacked on this or whatever um
1:01:15
but I really do want to give a good shout out to like you know HK and Eric and all the others that show up all the
1:01:22
time every pretty much every time every week and I’ve been doing it for bloody
1:01:29
years and jumping in and helping out other folks that have questions um it
1:01:34
puts a smile on my face how often I see somebody has a question and I say oh
1:01:40
that’s a good question I’ll have to answer that let me just finish this train of thought and before I can answer it two or three other people have
1:01:46
already jumped in and helped out so uh yeah I just like want to send a Little Love the Way of the folks that are here
1:01:53
helping out all the time with this stuff so with that said uh thank you everybody
Slide Deck:
Fireside Friday – Layer 2 Communications
February 07, 2025
Recording:
Show/Hide Transcription:
0:00
all right uh slides for today are in the fire- content channel right below the
0:07
one that we’re using for chat, so feel free to go ahead and grab those. Um, thank you to our sponsors and thank you to Herman
0:14
and Emily, Emily who lives up north and still doesn’t have snow
0:20
tires um I’ve tried to convince her if anybody else can do a better job it would really be appreciated uh but I
0:26
want to thank her uh Herman and Emily for helping out on this uh Herman who may have a special announcement in a
0:34
couple of weeks wink wink hint hint nudge nudge know what I mean no what I mean um we’ll be talking about that in a
0:41
little bit lab requirements for today so I got a couple little Hands-On things you can
0:46
do if you’ve got a Windows and a Linux uh terminal command line available great
0:52
if not uh let’s see Valk said snow tires are unnecessary they are unnecessary for
0:57
me I live in Florida uh if you live with where it’s cold it’s not I am happy to
1:02
have a flame war about that online, just keep in mind I taught rally for many years, I know snow pretty well. So if you
1:11
have access to a Windows and a Linux terminal command line that’ll be great you can kind of follow along with what
1:16
I’m doing it’ll make things a little bit more interactive for you and this is kind of a preface to we’re going to be
1:23
talking about some traffic flow Technologies yeah I’m kind of building into talking about things like you know
1:28
firewalls and intrusion prevention systems and things of that nature and it’s kind of hard to understand how they
1:35
work and what they’re good for if uh you don’t really understand how traffic flow
1:42
works so we’re going to kind of start with
1:48
that now I’m going to be referencing The OSI model um I I’ve heard folks say the
1:54
OSI model doesn’t really do anything and that’s partially true, right, it’s
2:00
it’s not really something people code around or anything like that really what this is is it’s a framework right it’s a
2:07
reference point it it allows me to you know rather than having to say to you um
2:15
you know protocols that do local communication and broadcast to discover
2:20
and blah blah blah and this big long explanation I can just say later two and that’s it so it it’s a nice little
2:28
framework to kind of get a quick reference to you know we’re in the communication stack or any of us talking
2:34
about things at any given time so you’ll hear me referring to layer 2 layer three as we go through um
2:41
I’m referencing The OSI model there is a model specifically for TCP that actually
2:47
predates the OSI model but most of us tend to use the OSI model just because it’s a little bit more granular so I
2:53
tend to stick with that. So what are we looking at here? Imagine a bunch of ones and zeros all in a row. That is how systems communicate with each other on the network. The concept is I’ll pause and then I’ll start signaling, sending ones and zeros, and I send those ones and zeros in a very specific order. We’ll talk about what lines up where, but in general terms, the first thing I’m going to transmit is information related to how those two systems that are on the same subnet as each other should communicate with each other. Now you might be thinking, wait Chris, but sometimes I don’t talk to a local system, sometimes I talk to a host out on the internet, that’s different, right? No, it’s not. We’ll get into this deeper, but when we talk to a host out on the internet it’s actually just a series of layer 2 communications all tied together neatly. So we’re always doing layer 2 communications with other systems. So what data is needed to do that, how do we make that work? That’s all part of the beginning of what’s referred to as a frame.

You’ll hear two terms used interchangeably, frame and packet, and they’re not really interchangeable. Frame refers to the entire chunk of information that’s being transmitted, including the data needed to communicate with local systems. When we talk about packets we tend to ignore the local communication and just talk about the information that’s needed to get it from one network segment out to another. So when you talk about packet decoding, technically you’re doing frame decoding, but we’re probably not paying a whole lot of attention to the frame information, we’re more focused on the packet information. So that’s how people tend to use it. If someone says frame or packet, they may be using it properly, referring to the entire chunk of information that’s getting transmitted versus just a subset of that, or they may be incorrectly using them interchangeably. If you’re not clear, sometimes it’s good to ask.
But all of this information gets transmitted in a predetermined order; that’s how two systems can communicate with each other. Think of it as like letters in a word, right? Letters are laid out a specific way to form a word. Let’s say "book", so that’s B-O-O-K. Well, if I decide I don’t want to spell book that way, I want to use the O’s first and then spell it K-B, so O-O-K-B, I’m going to spell it that way instead, you’re going to have absolutely no idea what I’m talking about, right? Well, transmissions on the network work exactly the same way. Things have to be transmitted in a very specific order or they’re not going to be understood by systems that are sitting on the other side. So the first thing that always gets transmitted is the layer two information, that’s the little number two here, and this is, like I said, local communications, systems talking to each other. We’re going to dive deeply into this as part of this session. Next session what we’ll get into is more of the layer three information; this is how we can talk from one network segment off to another. And we’ll get into these other layers as we go through, but I’ve gone through and just kind of broken things out, and yeah, let’s start here.
This is what we’re going to be talking about today. So how do communications work? Well, like I said, when we talk to a remote system that’s many networks away, let’s say we’re talking to www.google.com and there’s 15 routers between us and that system that we want to talk to, how does that work? It’s actually a bunch of layer 2 communications strung together. In fact, what happens is, if I go back to this slide here again for a second, the beginning kind of helps local systems talk to each other, and at the very end of all this is a CRC check that goes through and just validates that all the data was transmitted properly. Sorry, needed a drink of my worm ooze to clear my throat.

So our layer two information in this frame is actually the sum of the beginning and the sum of the end. Every time this hits a router (we’ll get more into routers next week, but for now routers are devices that hook logical networks together; routers are what allow packets of information to move from one network segment to another), every time I touch a router with my packet, this frame information completely gets destroyed and gets rebuilt again from scratch. This Ethernet header information has to have data that’s specific about this system and this interface on this router. So when it gets to this router all that information is stripped off, it gets recreated for this network segment, now it’s got information about this network interface and that network interface, that gets it to this router, it again gets stripped off. So when you think about what’s going on with every packet you send, it’s not just building the packets and tearing them down on the two endpoints, this is happening on every single router in between. There’s a lot going on. So the fact that you can access a website and get a fairly immediate response to your data request, that to me is just amazing when you stop and think about everything we’re doing with these packets. Because the router is not just stripping off the frames; that CRC check here, this is a validation to make sure that all this data is okay. So what the router is going to do is it’s going to check that CRC, and if that’s okay, now it’ll strip this off. It may make some changes within the IP header, it needs to reference its routing table, it needs to figure out what interface to send it out next, it needs to rebuild this header, it needs to recreate that CRC, and then it needs to spit that packet out the other side. And this happens through every single router it goes through. Ouch. So again, it’s almost kind of amazing that this actually works at all and works as consistently as it
does. So what’s inside that Ethernet header? By default there are three different fields that are set up. There’s the destination MAC address: where is this going? MAC is not a type of computer; MAC stands for media access control number, so it’s just a unique number that gets assigned to that network interface. We’ll talk more about that in just a little bit. But the first thing that’s in there is the destination MAC, where is it going. The next thing after that is the source MAC, where did it come from. The next thing after that is an identification of what type of packet this has been wrapped around. So if we see 0800, that tells us it’s an IPv4 packet. If we see 86DD, obviously hex, that tells us it’s IPv6. There’s actually a bunch of different codes available. IPX is one of the possible codes, that was an old NetWare protocol. AppleTalk, what Apple used originally, that was its own type code as well. So how does the receiving system even know it’s an IP packet that it just received? Because it’s looking at this field. This is what tells it, hey, right after this point, right at the end of this frame header, you’re going to need to start decoding that as an IP version 4 packet. I’ll dig more into the numbers
and what they mean and how to read them and stuff like that in just a little bit. Now if we’re talking Wi-Fi, there’s a lot more fields in there, right? So here’s our Ethernet header: three fields, that’s it. Here’s a Wi-Fi header: oh, there’s a whole bunch more fields in there, right? There’s a lot more data. Why? Well, because there’s a lot more going on. We’re trying to transmit over the airwaves to an access point that technically isn’t part of the conversation even though it really is, and it’s just kind of forwarding data along as it receives it, and we need to make sure that we understand what frequency we’re using and the modulation and all this other fun stuff. So there’s an awful lot of checks that are taking place in here. This is one of the reasons why, if I have, let’s say, a 100 megabit Ethernet network and I have a 100 megabit Wi-Fi network, you’re going to get better performance out of the Ethernet network. Why? Well, the signaling is the same, the transmission speed is the same; the difference is the overhead, right? So overhead is what information is there just to help us get stuff from point A to point B; it’s not the data we actually want to transmit. So to go back to our original here, right, this here, the payload, this is what we’re trying to get from point A to point B. This is a portion of a file, an answer to a question, whatever it happens to be; this is the information that we, the users of the computer, are interested in. All this other crap, that’s all there just to make sure that data gets transmitted from point A to point B properly. So the bigger we make the overhead, the less room we have to do a payload, which means the less data we can transmit.

I remember back when I got started in this industry, a lot of the telco guys I was working with were really into ATM. I forget what ATM stood for, but it was a transmission protocol, and they were like, oh, this is so much better than Ethernet and everybody’s going to be using ATM, because you can use it locally, you can use it as a wide area network protocol, it’s awesome, everybody’s going to use ATM. And the first time I went in and decoded it, I noticed it was like 56 bytes in size, 64 bytes in size, there were these really tiny packets. And they were like, oh well, that’s part of the magic of it, because now you can send it over low speed networks, no problem. Well, yeah, except now what you’ve done is you’ve said most of what I’m going to transmit is overhead and I’m going to leave this tiny little space available for data. Well, what does that translate into? More packets being needed, right? If, just picking round numbers here, I can fit 100 in here and I have 100 to send, I only need one packet. But if I can only fit 10, well now I need to send 10 packets to send that full 100, 100 bytes or whatever worth of data, which means I’m going to have the overhead for nine additional packets going by as well. That’s going to use up bandwidth on my network that could be being used for actual data. So it behooves us to make these frames as big as we can possibly get, but we’ve got to keep backwards compatibility, and there’s some other issues; I’ll talk about that later. But you get the idea, there’s a lot more overhead involved when we get into talking about Wi-Fi. Now when we look at
our Ethernet MAC addresses, it is six numbers, and you’ll see these written different ways, right? Like here I have dashes between each double set of numbers; you might see colons, that’s fine; sometimes it’s a space; sometimes the letters are capitalized, sometimes they’re lowercase. Different people want to write it different ways, that’s fine, whatever, it all means the same thing. This is a six byte value. The first half is a unique vendor code, so if you go to this link you’ll get a list of what numbers have been assigned to what vendors. Well, that’s kind of cool because... 48 bytes in a cell on ATM. John, you’re as old as me, thank you, that’s awesome, you remembered that. So yeah, 48 bytes. So to put that into contrast, your standard Ethernet frame is 1500 bytes; 48 bytes doesn’t give you a whole lot of room to send data.

So this is assigned to each vendor, right, and some vendors have more than one code. But what’s kind of nice about that is if I see a frame getting transmitted on the network and I read the MAC address of the transmitting system and I look at those first three bytes, that may help me identify what was the network card that the transmitting system was using, and sometimes that can help me determine what that endpoint system was. So for example, if this vendor code maps to Cisco, hey, that device was probably a router. If it maps to Intel, okay, that’s probably a standard PC type computer. You get the idea. The last half of it is a unique serial number within that vendor. If everything is perfect, you will never have two network cards anywhere in the world that have this exact same MAC address assigned to them. Now with that said, it happens. I’ve actually had to troubleshoot that, and it’s a pain in the backside. It can happen, but ideally it should never happen. Now with all of that said, it’s possible to change this value. If you have high permissions to the system you’re using and the vendor has created the proper drivers, you can go in and change the MAC address to anything that you want to, including a MAC address being used by another system, which will totally hose the network. But we’ll get into those types of conversations a little bit later.

Let’s see, yeah, Fley was saying no, about 1500 bytes, jumbo frames 9,000 plus. Absolutely, yeah, I’ll get into that a little bit more as we dig through switching and all of that. Another good resource is this link here; that’s the one I tend to use. So Wireshark keeps track of what numbers have been allocated. They’ve got a nice little web interface; you can put multiple MAC addresses in this little search screen all at the same time. It’s the same reference they use within Wireshark itself. So when you use Wireshark, and some of you may have noticed it, it’s saying "Broadkum", okay, I think that’s supposed to be Broadcom, but it’s saying that hey, the first half of the address maps to Broadcom, and it’s saying for this one the first half of the address maps to it being an Intel card. So that’s how Wireshark goes through and uses it to try and give you as much information about what’s going on as possible. So yeah, let’s play
around with a couple of things here. So I am going to start with a Windows system, so let me get a command prompt going here. Here we go, come on. All right, that should be big enough to be able to see it. Of course that completely hosed the way I had all my screen stuff laid out, so there we go. All right, so Linux, Mac, Windows, it doesn’t matter what platform you’re on, try this command if you never have before: arp -a, so arp, space, dash, lowercase a. And you’re going to see output kind of similar to this. So notice this just scrolled by, because I’ve got so many network interfaces on this system it just scrolled by and I’m missing stuff off the top of the screen. So what I’m going to do is I’m going to hit the up arrow, and because I’m on Windows I’m going to pipe it through the more command. If you’re on Linux you’re going to want to pipe it through the less command, and that’ll just pause it once you get a full screen worth of information.

Now you’re going to notice a couple of things here. Notice these addresses at the beginning are all labeled as dynamic. What does that mean? These are all hardware addresses, the physical address, the MAC address. These are all MAC addresses that were learned by this computer after it got booted up and started working. So in other words, these are ones that it’s learned on the fly as it’s gone along.

Let’s see, oh, Rus says... okay, so Rus, it looks like you’re on a Linux system. It says arp not found. Try sudo with apt or yum, whichever is your package installer; do a sudo... well, I’ll throw it in chat. So this will be apt; change it to yum if you’re running on a Red Hat type system. But what you want to install is net-tools, so that’s probably missing from your system. Hey, we got a Bill, yay, Bill is here. I wonder if Bill got tired of having to answer DMs that are asking him is ICMP a layer three or layer four
protocol. Okay, so back to this stuff. So yeah, this is stuff that was learned on the fly. These entries, notice these are listed as static. These are pre-programmed into the system; these will not change except for running an administrative command on the system itself. Now some of these kind of make sense, right? Like I’m on the 192.168.69 network; 255 is my broadcast address, so that maps to a layer two broadcast address. So that’s been calculated based on the IP address assigned to my system, so that’s there, that’s not going to change. The two 224 addresses, these are all multicast addresses, so those are figured in statically. Hey, this last one here, this is my all-networks broadcast address. So again, these are ones that are kind of programmed in. If I just randomly grab another one here, at some point my system tried to talk to this system here, 192.168.69.16, and as part of doing that it needed to learn that system’s MAC address. So it learned it dynamically. It asked the network, hey, whoever is at this IP address, what’s your MAC address? And this was the answer that it got back. So that’s the information that we’re kind of looking at with this one here.

Now if I, on a Windows system, want to go in and just look at a specific interface, all I’ve got to do is know what my IP address is. So for example, in this one here, let me copy that. So let’s say all I wanted to display was just that one interface. If I know the IP on the interface I want to see: arp -a -N, so it doesn’t use names, it uses numbers, and then I put in the IP address of my local interface. And when I go through and run that, it tells me... oh, it tells me I can’t spell ARP correctly. Okay, let’s try this again, trying to spell ARP correctly. There we go. So now it’s just showing me that one network interface. So rather than having all the data scroll off the screen, I could use the more command, or if I know the IP address of the interface I want to take a look at, I can go in and I can do it that way. Either one of those will work fine. Now
let me pull up a Linux system. This looks like a Linux system; here we go. And I’m just going to go through and run that same command, arp -a. You know, when you have trouble creating or writing words that are only three letters, you know you’re having a really bad day. Let’s see, so this is saying it only knows about one system. And actually I’m going to say -n, that way it just leaves it as MAC addresses. So what’s this telling me? Well, it’s telling me that hey, this system here, 69.1, that’s off of this network interface, here’s the MAC address that’s associated with that. And if I compare that to what I got on Windows, hey, look at that, 84:47:09:33:71:DB, it’s the same one. So these two systems are on the same network with each other. It’s saying 1781 1804 at incomplete. What does that mean? That means that system’s probably offline right now. There’s actually better ways to get more detail out of this; I’ll show you that in just a second. But you get the idea. So on a Linux system I’m actually seeing the interface name as part of each line; Windows just goes through and organizes it based on each interface that way instead. Whichever way works better for you is cool.

All right, and I just moved a window too much, so Windows decided hey, let’s close all of Chris’s windows, because why
not. Okay, let’s get the Linux one back again. So ARP is actually the old way to go looking for MAC addresses on a Linux system; the new way is to use the ip command. So there’s kind of two schools of thought here. Some folks want to have one tool that does a lot of different things; some want to have them broken up into different tools. Historically Linux has kind of done this with separate tools, and to me that kind of makes sense. You know, if I want to work with routing tables I can use netstat; if I want to work with MAC addresses I can use arp. It helps you to categorize it, and that way you don’t have a tool that has 173 different command line switches and it’s hard to remember exactly which one does what. But Linux is moving the other way now. Linux is moving towards hey, let’s have one command do everything, and the one command to do everything these days is the ip command. So if I say ip neighbor and then hit enter on that, this will go through and this will show me the same ARP entries, but what it’s showing me here is I’ve got this information at the end.

So I’ve got a FAILED. Let’s start with the easy one: what does FAILED mean? FAILED means it knew the MAC address for this system at some point, but that system stopped responding, so it can’t figure out what MAC address is associated with it anymore, and that information has been completely aged out. STALE means I learned this MAC address more than 30 seconds ago; maybe it’s still valid, maybe it’s not, I’m not sure. If you need to talk to that system again, I’m going to have to re-probe it to find out if that MAC address is still valid, and there’s a weird way that Linux is doing that these days, and I’ll talk about that in just a second. REACHABLE means this is an active entry, this is an entry that I know is okay; I’ve learned that this is a valid MAC address associated with this within the last 30 seconds. "Initially just looks like the local CAM table, like a switch." Yep, you could do that too. Yeah, actually it does kind of look like a CAM table too, that’s true.

So the STALE entry, this is where things changed a little bit. So historically what would happen is a system would learn this MAC address information, cache it for about 30 seconds, and then after 30 seconds it would need to relearn it again, and the way it would relearn it is it would broadcast for it. So the idea would be it would send a broadcast out to every system on the network to say hey, who’s using 192.168.69.1, please come back and tell me. And then some smart folks said, well, why are we doing that? We know the MAC address was this; why are we sending a broadcast to every system on the network, which means, because it’s a broadcast, every system has to process it, and every system needs to look at that ARP request and say oh, not me, I don’t need to spend any additional time on this. But now they’ve actually shed some CPU time, right, in order to check it to see this doesn’t apply to me. It’s still going to use up some processing time doing that. So what some smart folks said is, well, we know it used to be this, so once this goes STALE, let’s just ARP directly at this system with that IP and that MAC to see if it’s still valid. And if it is, great, we’ll just keep going from there, and now we’ve been able to save one broadcast from going out on the network. If we try this and it doesn’t work, well now we’ll fall back and we’ll send the broadcast. So what you’ll see is, right, this entry is STALE; if we go to talk to it you’ll see it very quickly move into a PROBE state, which means it’s going to try the unicast connection, and if that doesn’t work it’s then going to go in and try the broadcast direction. So it’ll move to PROBE, it’ll move to DELAY, and then it’ll move to being REACHABLE or it’ll move to being FAILED, one of those two conditions. So ones that you don’t see here are DELAY and PROBE, because they’re kind of hard to catch in the moment, because you’ve got to catch it exactly when a probe goes out before the response gets back in. But you might actually see those as part of this table output, and if you do, then that’s what that means. Now there was one other one I wanted to show you, give me a second
because I thought this was kind of neat the first time I ran across it. So what I’m going to do is I’m going to connect to a cloud instance that’s in DigitalOcean. And I have so many SSH servers here... here we go, here we go. And I’m going to go take a look at the ARP table for that. Notice anything interesting about this ARP table? Look at the MAC addresses, they’re all the same, right? Wait, Chris, there’s different IPs and they all have the same MAC address. I thought that MAC address was supposed to be unique. It is. I thought you couldn’t have two systems on the same network and have stable communications if they both have the same MAC address assigned. You can’t. So what’s going on here? This is a little trick the cloud vendor is using to get all of your traffic to go through a single point so they can do whatever level of monitoring it is they want to do on it. So you’re getting spoofed replies back that are sending you to the same system every single time. By the way, if you’re being hit with an ARP spoofing attack it may look something like this. The difference would be this fe 00000000 is an unassigned vendor code; this is not actually assigned to anything that’s out there. Whereas when I’ve seen ARP spoofing attacks in the wild, or when I’ve done them myself, this has actually been a valid MAC address that’s associated with a specific vendor. So it could go any possible way, but like I said, cloud instances, you may see stuff like this going on, and this is just an example of somebody trying to route all of that traffic through a single point to either do monitoring, implement security, whatever it is they want to do on it. You should not normally see that on your network.

All right, so yeah, we talked about that, we talked about that, we looked at ARP on Linux, yeah, we looked at ip neighbor. Let’s see, oh, here’s one. So here’s a DELAY, right? So right when I ran this command this one was in the process of being updated, and like I said, after you see it go through DELAY you might see it go through PROBE, and then it’ll move into either a REACHABLE state or a FAILED
state. And then the public cloud, I gave you an example of that here too. All right, so what is ARP and how does it work? I’ve mentioned this a couple of times as far as it being used to establish communications with a system. So there’s how ARP has always worked, and then there’s how Linux has recently implemented it, and I’ll distinguish between these two. How ARP has classically worked is it’ll go out as a broadcast. So here I have a system that’s going to the broadcast address, so this is going out to ff:ff:ff:ff:ff:ff. It’s an ARP request, and the ARP request is "who’s using this IP address? Please tell me." And then what we should see, if everything’s working properly, is a response going to the system that sent the ARP request that says "this IP address is being used by this MAC address", and then that’s the MAC address that’s actually doing the transmission. So in other words, broadcast goes out, hey, who’s using 10.1.1.1? And the system that’s using that says oh wait, that’s me, ARP reply, hey, I’m the one using it and here’s my MAC address. And now what you’ll see after that is when that system communicates, right, this line here in pink, it transmits to that IP address using that MAC address information. So, link layer, yes, this is what’s going on at the link layer; this is layer two of the OSI model, so this is how layer 2 communications work.

Now let’s see, yep, here’s the ARP response, I’ve got a decode on it here, although I already kind of described it through on the last one, which is just that IP address will respond and say oh hey, that’s me, and here’s my MAC address. After that, now we’ll actually start
seeing data getting delivered from there so there’s a whole decision tree
34:08
that kind of comes into play here so here’s how this works right so a
34:13
system boots up it gets its IP address via DHCP or whatever it’s manually
34:18
assigned it doesn’t matter you know it gets its IP address and what the system does is it looks at its IP address and
34:24
it looks at its subnet mask that tells it what what portion of its address is network and what portion of its address
34:32
is specific host I’m actually we’ve had a couple of conversations take place in
34:37
Discord uh about IP addressing and subnetting and how it works and some of it has been highly accurate and some of
34:44
it’s been a little off so we’re actually going to do I’m going to do a class on this uh come the end of February so I’ll
34:50
get more into subnet masking and how it works and all of that later but you know the idea is if I have an IP address of
34:56
let’s say 192 68110 and then I have a subnet mask of
35:02
2552552550 well any place where there’s a 255 that portion of the address is
35:09
designated as Network any place that there’s a zero that’s designated as a unique host address now there’s ways to
35:15
do uh subnet masking and break it down even more than that I will get into it when I get into that specific class but
35:22
the point is the system is going to go through and do that to figure out what portion of its address is Network which
35:28
is host and that’s how it learns what network it’s actually connected to now
35:34
what it needs to go through and send traffic it goes through this little logic tree to say hey the target IP
35:39
address that this is going to go to is that on my local network because if it is I’m just going to ARP for that
35:46
specific IP address if it’s not on my local network well now I got to get the routing table
35:53
involved and I got to look and see do I have a route entry that points to the
35:58
network where this packet is going if I have a specific route entry for it I
36:04
need to look at what router gets to that remote Network and then I need to ARP
36:10
for that predefined router if I don’t have a route entry that matches it if it matches on the
36:17
default route entry meaning hey if you don’t know what to do with this send it to this router here then I’ll go through
36:23
and I’ll ARP for that default router but notice what’s happening here regardless of whether the final destination is on
36:30
the local network or out on the internet this always starts with ARP all
36:35
conversations start with ARP regardless if the destination is local or
36:40
not so here’s an example 192.168.1.10 here’s my subnet mask so that tells me
36:47
192.168.1 is my local network right here’s my network address here’s my
36:53
broadcast address so I’m part of this network here I’m sending to 192.168.1.25 is that on my local network well
37:01
.25 is within this range so therefore I’m just going to ARP for that host
37:07
directly if however I’m sending to 4.4.4.4 with the same network information
37:14
here I know okay that’s not on my local network so I need to look and see do I have a specific route entry to get to
37:21
this network so I could have a route entry that goes to anything on the 4 network anything at 4.4 and anything at
37:28
4.4.4 or you know all four fours anything going to 4.4.4.4 I could have any one of those as a
37:35
possible route entry if I do I will fall back on that route entry if I do not I’m
37:40
going to fall back on my default route entry which my default router is pre-programmed as
37:46
192.168.1.1 therefore I will ARP for that particular router uh let’s see Kfar
37:52
was asking can’t you get a remote ARP cache from another PC using
37:58
nbtstat -A IP address maybe I’ve never
38:03
tried that so dude you just taught me something new I don’t know if you if
38:09
that’s like a Windows thing a Linux thing maybe it works on both and I’ve just never noticed that as an option um
38:15
but yeah it might be possible to kind of preload an ARP cache from another system if you wanted to that could actually be
38:22
well actually I’m not sure how useful that would be because you tend to want to kind of learn the things dynamically
38:28
because sometimes they change and move around and I’ll get into that a little bit more later but yeah that’d be a command to play I’ll play around with
38:34
that find out that’s cool so what are switches so switches
38:40
work at Layer Two what that means is that switches work with this MAC address information that we’re working with in
38:47
fact uh switches try to be as fast as they possibly can what do I mean by that
38:53
I mean that we talked about what a router does right we talked about how the router is going to go through and it’s going to you know check CRCs and
39:01
it’s going to go through and rewrite header information and all sorts of fun stuff like that routers don’t do
39:08
any of that and in fact one of the things that’s kind of interesting about that let me jump back for a second here
39:14
I want to go back to this no no no I want to go back to the
39:21
decode this here we go one of the things that’s a little
39:27
different about Ethernet frames is that it lists the destination before the
39:34
source for those of you who are a little OCD like me that might kind of mess with
39:39
you a little bit right because we’re used to the linear progression is source to destination right so the source
39:45
should come before the destination and if we look at our IP header you know that’s written that way right it writes
39:50
out the source and then it writes out the destination but they did it this way on purpose with Ethernet
39:58
because switches can then go through and rather than try and read in this entire
40:05
frame all the switch does is it reads the very first six bytes and that’s it
40:11
because what’s in those first six bytes well the first six bytes are telling it the destination MAC address this goes to
40:17
and what switches will do is they’ll keep a mapping of what MAC addresses are located off of what ports so by just
40:25
reading the first six bytes and that’s it I immediately can reference this
40:30
table figure out what port it goes to and make a decision about what to do with this frame right there I don’t have
40:37
to read the whole frame into memory those first six bytes and bang I’m off to the races and telling it where to go
40:43
that allows me to be as fast as possible in handling these frames it also allows
40:48
us to do it with as little overhead as possible now what if this was swapped could we
40:54
not do that anymore well that would mean we’d have to read 12 bytes instead of six it means we’d be using twice as much
41:02
memory in our buffer and would need to offset before we went in and did our measurement so there’d be a little bit
41:08
more code involved so you know we might take a couple you know we might take a
41:13
half a millisecond hit per per frame or something it would still work but it
41:18
wouldn’t be as fast and wouldn’t be as optimized as the way it’s set up today so that’s why you know if you you may
41:25
have noticed destination comes before source within the Ethernet frame that’s why now with IP you don’t need to worry
41:32
about that because we’re going to have to strip the frame off we’re going to have to increment the TTL there’s so many other things going on that putting
41:40
the destination IP address first in the header isn’t going to save us anything it wouldn’t do us any
41:45
good but all devices have these MAC address numbers we’re talking mostly about Ethernet and how that works but
41:53
you know Wi-Fi fit they all kind of work the same um even when you get back into like token ring and stuff they had the
42:00
equivalent of like a medium access control number that they went through and used but a switch’s job is to learn
42:06
what MACs are located off of each switch port how do they learn that well
42:11
when my system transmits it sees my source MAC and says aha Chris’s MAC
42:17
address of you know a b c d whatever it is is located off of Port three so now I
42:23
know anything trying to transmit to that MAC address I’m going to send it to port three and port three only that way nobody
42:29
else gets to see it and this is why you have challenges trying to sniff in a
42:34
switched environment because the switch is designed to only send the traffic to
42:40
each system that that system is supposed to see so if I’m off of port three and I
42:46
launch a sniffer on my system the only traffic I’m going to see is traffic that
42:51
is specifically destined to me or traffic my system is transmitting out to
42:56
anywhere or traffic going to a broadcast address or a multicast address which as we said
43:03
that’s going to get blasted out every single switch port so beyond that I’m not going to be able to see much now
43:09
let’s see I thought I sorry the think Comm in Chris Chris is bringing back to my Cisco days yeah I was there too dude
43:17
I went through the Cisco CCNA and what was there whatever their design class was I went through that one too uh store
43:24
and forward slowest yep cut yeah yep yep
43:29
exactly this stuff gets pretty deep so why a switch so ethernet was
43:37
originally designed around switches limit the collision domain yes exactly
43:43
right and I’ll explain what collision domain means in just a second so the way
43:48
Ethernet used to work the way networking used to work was Ethernet was a shared
43:54
medium right Ethernet was carrier sense, collision detection so
44:00
what that basically meant was when I wanted to it’s almost like pulling out of your driveway on the street right
44:06
your driveway is your driveway so you know you can you know you can kind of move around anytime you want to but the
44:12
switch excuse me the street is a shared medium so what you’re going to do is stop hopefully what you’re going to
44:19
do is stop at the end of your driveway look both ways make sure there’s no
44:24
other cars coming and then you’ll pull out well that’s how ethernet used to work so when my system needed to
44:31
transmit on the network it needed to stop it needed to listen it needed to see if any other systems were
44:37
transmitting and if a certain period of time went by with no Transmissions taking place bam I could jump in and
44:43
start trying to send my packet now it’s entirely possible that some other system
44:48
is doing the same we would have a collision we would try talking over each other in which case there was this whole
44:54
algorithm around backing off before you try to retransmit again and that type of thing but ethernet historically was
45:00
shared medium well switches changed that because now as I said the only
45:05
thing going out my switch port can just be stuff coming to me and that’s it well
45:11
there’s no opportunity for a collision there right anytime we have just two systems there those are the only two
45:18
systems that can transmit on that Medium that means that the only place I need to
45:24
worry about having a collision is between the switch and the system well
45:29
one of the things I could do is Ethernet cabling has eight little wires in it I
45:35
can go in and I can say hey these two wires here this is just for the switch to transmit on and these two wires here
45:42
this is just for that computer to transmit on well now they’ve got their
45:47
own shared or excuse me they’ve got their own exclusive medium right it’s
45:52
kind of like having the highway all to yourself you know you don’t have to worry about pulling out if this is your
45:58
highway you own it no one’s ever going to be on it but you can pull out not think twice about whether a car is coming or not this is the same type of
46:04
thing so what we’re describing is the size of and this kind of came up in um
46:10
this came up in Discord is the size of the collision domain the collision domain is how many systems could
46:18
possibly Collide as they try to communicate with each other and when ethernet was running through hubs or
46:25
when it was running through thinnet or thicknet it was a shared medium I might have 30 different systems that I
46:32
have to play nice with and wait my turn in order to communicate so my collision domain would include all 30 of those
46:38
systems but with a switch and one system plugged into one switch port well
46:44
now that collision domain is basically nil right because again we’re all we’re
46:50
both using our own little pair to go through and do our transmitting so that allows things to go uh a whole lot
46:56
faster uh let’s see Kfar saying didn’t only two pairs of wires were used in the early days happy to be corrected um I
47:03
think so I don’t want to sound like a jerk
47:09
I would have to reference my book so I wrote a book back in the 90s called
47:14
Multiprotocol Network Design and Troubleshooting and in part of that I went through Ethernet and I talked about
47:20
Ethernet and what wires were used and where I believe it’s
47:25
always been four wires two to transmit two to receive one was my you know one
47:31
was my signal the other was my neutral on each side I think it’s always been
47:38
four which kind of makes sense because you need a you need a reference voltage of zero to know whether you’re signaling
47:44
high or signaling low so you always got to make sure you got a solid ground so that’s what that second wire was for in
47:50
each direction cool uh let’s see provide
47:55
security through obscurity what does that mean well like I said if I launch a sniffer I see my traffic and broadcast
48:01
that’s it I don’t see everything now that sounds better than it actually
48:08
ends up being by that I mean um you can learn a lot about what’s on a network
48:14
just based on the broadcasts that are taking place especially if it’s a Windows environment because Windows
48:20
systems love to broadcast hey I’m here please pay attention to me I’m lonely
48:25
you know they do that all the time so you can actually do a lot of device Discovery just by looking at what
48:30
broadcasts are taking place but it does give you a little bit of uh security through obscurity now if you’re the
48:37
administrator and you need to override that you know let’s say hey I’m the admin I want to run a sniffer and I want
48:43
to be able to see everything what can you do well what you can do is something called port mirroring or creating a
48:50
SPAN port different vendors call it slightly different things but the concept is always the same you can say
48:57
hey everything going in and out this one particular port I want to send a copy
49:03
of all of those frames going in both directions to this other port so for
49:08
example let’s say I have my firewall plugged into port 10 and I want to go
49:13
through and monitor all the traffic going in and out of my internet link well I can go to the switch and say hey
49:20
I want to mirror port 24 to port 10 so now everything that goes in and out of
49:25
port 10 gets mirrored over to port 24 I can run a sniffer on port 24 and I
49:31
can see all the traffic that’s going by now with that said there’s one big caveat here and Bill’s got a great
49:38
blog he wrote on the Active Countermeasures website about this if you want to go look it up if you need some more details around this remember we said
49:46
with switching if I have two systems hooked up I don’t have to wait I can transmit so let’s say I’ve got a one gig
49:53
switch port that means theoretically right so in practicality this will
49:59
probably never happen but theoretically I could have the switch
50:04
sending one gigabit per second of information to the firewall and the firewall could be sending one gigabit
50:11
per second of information to the switch so even though it’s a 1 gig switch port
50:16
I could theoretically get about two gigs worth of throughput through it because I can do one gig in each direction now
50:24
I’ve set up a mirror port I want to send all that data to the mirror port you see where I’m going here is a problem right
50:31
if I can send up to one gig in each direction that’s two gigs worth of data but the switch port is only one gig
50:38
so the switch can never send more than one gig of information to my packet sniffer so what happens well switches
50:46
don’t have a lot of RAM to buffer those frames so what it’ll start doing is
50:52
throwing frames away so if I’m consistently running let’s say a gigabit and a half between those two ports
50:59
what’s end up going to happen is about a third of my traffic is going to get thrown away because it can’t make it out
51:04
the one gig port right I’ve got a gigabit and a half getting copied trying to send it down a one gig port it’s
51:10
never going to fit it’ll buffer it a little bit but for the most part it’s going to go through and start throwing it away uh that’s where network taps
51:17
come in so network taps actually allow me to tap in between the switch and the server and I’m less likely to run into
51:24
that type of a problem oh and we’re talking about BNC connectors and T connectors yeah we
51:30
had that talk in the coffee channel or the coffee shop channel a little while back uh some of
51:37
us were reminiscing about how we do not miss those days of trying to run down bad T connectors stuff like that yeah
51:44
no thank you all right so let’s talk about how to attack a switch what can I do to go through and
51:51
kind of make life miserable through a switch now I want to be clear here the attacker must already have local access
51:59
to the network for any of the stuff I’m going to talk about to really work in other words I can’t be 15 hops away from
52:05
you and mess with your switch this way because remember this MAC information is getting stripped off
52:11
every time it goes through a router so this isn’t going to work I need a system that’s on the local subnet where that
52:18
switch is located in order to go through and try and do any of these attacks so that’s caveat number one
52:24
caveat number two a lot of these attacks there are features built into some switches that will help protect you from
52:30
them and we’ll talk about those as we go through but one of the possibilities is
52:36
just basic ARP spoofing right so we said this system’s going to go through and
52:41
say it’s going to send a broadcast so that means it’s going to go out everywhere that says hey who’s using
52:47
192.168.1.254
52:56
going to wait 50 milliseconds and then I’m going to respond as well what happens then what happens on most
53:03
systems is the ARP cache will cache this entry and then it will overwrite that
53:09
entry with this entry and it’ll change it if you don’t believe me test it it
53:14
kind of blew me away the first time I saw it so yeah some nefarious actor can
53:20
overwrite these cache entries well now when this system goes to send to 192.168.1.25 it’s sending it to this system’s
53:29
hardware address this is the system actually using that IP address but it’s going to send it to this system’s
53:34
hardware address switches as we said forward traffic based on the hardware address so even though this is going to
53:41
25 and that’s over here because it’s using this system’s MAC address that’s going to come out this system’s port and
53:46
go to that system that system has now inserted itself into the middle of the connection it can sniff traffic it can
53:53
change it it can do whatever it wants it’s pretending to be each side of the connection during this session now if
53:59
we’ll get into like VPN technology and stuff that can help protect from these types of
54:04
attacks we’ll talk about those more later but yeah you know this used to be a very real possibility to kind of worry
54:11
about so what I was referring to is ARP poisoning there’s a couple of different flavors of this one is responding
54:18
to the broadcast like I talked about uh there’s another one referred to as Port stealing where I just try to convince
54:23
the switch that you know oh hey yeah no I’m off of this you need to send everything off to me um ARP cache
54:30
flooding so what that does is that says okay the switch has a limited amount of physical memory to store MAC addresses
54:38
so what I’m going to do is I’m going to send bogus traffic from made up different MAC addresses so I can fill up
54:45
that switch’s memory so that it can’t keep track of anymore and once I hit that now all of a sudden that switch
54:52
actually starts acting like an old-timey hub and blowing out traffic that it wasn’t able to store a MAC
54:59
address for out every single port it’s kind of cool to watch it happen right if you run a sniffer on a system you’ll
55:06
notice you’re only seeing stuff going to and from you and the broadcast address and that’s it and then all of a sudden
55:11
the switch gets hit with this cache flooding attack and now all of a sudden you start seeing packets with
55:18
different random MAC addresses showing up at your sniffer because the switch is blasting it out everywhere because it
55:23
wasn’t able to keep track of that information anymore uh DHCP spoofing so with DHCP spoofing what I do is when you
55:31
come online and you say hey I need IP address information I spoof the DHCP
55:37
server and I send you a response and I say oh okay yeah hey yeah use this IP
55:43
address and here’s your subnet mask and here’s your you know and your default router is me any time you want to
55:51
transmit off the local network send that data to me well now you’ll still be able to communicate with local systems okay
55:58
but anytime you want to talk to the internet that packet’s going to get routed through me in order to be able to get there I can now go through and
56:04
change it I can sniff it I can do whatever it is I want to it um ICMP redirects so with ICMP redirects what
56:12
that’s designed for is let’s say we’ve got two routers on our network and one is our default route that leads out to
56:18
the internet and one leads out to a field office that’s in Chicago and I want to go through and I want to send
56:24
traffic to that office in Chicago but the only router my system knows about is the default route well it’ll
56:31
create that packet it’ll send it to the default router and then the router will look at its routing table and say oh hey
56:37
I’m going to send this packet back out the same interface I received it on to
56:42
another router on this same subnet that’s not very efficient and it will
56:48
forward that traffic for you but it will then send you an ICMP redirect that is
56:54
an update to your routing table that says hey if you want to keep sending me these things you can and I’ll forward
56:59
them for you but there’s a better route to get to where you need to go if you were to send it to that second router
57:05
directly instead of sending it to me that’s going to be far more efficient well there’s no authentication with ICMP
57:13
redirects so I can go through and start redirecting everybody and telling them oh hey I’m a better router to get to
57:19
this you know this address space on the internet no problem and we’ll get into this more when we get into routing
57:24
tables next week but we always go most specific to least specific so if you
57:29
have a default route that says hey if you don’t know how to get there go to this router here go to
57:35
router a and I start sending out these redirect packets that say Hey if you
57:40
want to get to 1.anything send it to me if you want to get to 2.anything send it to me 3.anything send
57:45
it to me that’s a more specific route than the default route entry systems will fall back on that one
57:52
instead yikes so how do we deal with all these attacks well there’s a couple of
57:58
different ways we can deal with it switches have and this has a couple of different names depending upon the vendor but it tends to be referred to as
58:05
Dynamic ARP inspection what the switch will do is the switch will notice what
58:10
MAC address and IP address are in use so it’ll not only record your MAC address it’ll record your IP address as well and
58:16
it’ll say hey this IP this MAC is off of port three that’s Chris’s system so now
58:22
if someone else tries an ARP spoofing attack and they try to say hey that IP
58:27
address that Chris is using that’s associated with my MAC address and I’m off of port nine and it tries to respond
58:35
the switch will look at that and say whoa wait a minute I saw Chris using that MAC and that IP address not 5
58:42
seconds ago off of port three there’s no way he’s over on port nine now I’m going
58:48
to block that traffic on port 9 not let it through and log it as a security
58:53
event cool that’s a great way to go through and prevent these types of attacks from taking
59:00
place um ARP cache flooding one of the easiest ways to kind of prevent against that is just have a switch that specs
59:07
more overall memory than it does for a specific port so you’ll see a spec like
59:12
hey you can have up to 100 hosts off of any single port number or any single
59:18
port but the switch will keep track of you know 4,096 different MAC addresses
59:23
great now one port can’t use any more than 100 MAC addresses that leaves
59:29
plenty of overhead in the switch for all the other ports as well uh DHCP spoofing you can do DHCP snooping so that
59:36
basically you go into your switch and you say hey the DHCP server is off of port two if anything else tries to send
59:43
a DHCP reply drop it and that’s one way to take care of that ICMP redirects this
59:49
one’s tough because there’s no way to really fix that in a switch the only way
59:55
to really fix that is to preconfigure every single system to ignore ICMP
1:00:01
redirects which you can do but if you ever need them like a new route comes up
1:00:07
and you want everybody to automatically start being able to talk to it yeah you
1:00:12
host so if I’ve told it don’t dynamically learn routes it’s only go to
1:00:17
network segments that I’ve pre-programmed in I can’t dynamically try to fix anything on the fly and that
1:00:23
can be problematic so you can fix this by modifying each endpoint but this could
1:00:29
potentially give you problems if you need to make network changes later last one Wi-Fi deauthentication
1:00:36
attacks so this is also a Layer Two attack uh one of the issues we have with Wi-Fi
1:00:43
is while most things get authenticated deauthentication packets are not what
1:00:49
that means is there’s no encryption there’s no authentication that takes place so the idea is if there’s a
1:00:54
misbehaving system the access point can kick them off of the network anytime it wants to so it
1:01:00
can go through and it can tell the system you’re kicked off you’re done something’s gone wrong with our communications you need to reestablish
1:01:08
your connection all over again well because it’s not authenticated
1:01:14
anybody can spoof those and it was I think it was Hyatt that actually got
1:01:20
sued by the federal government for this because what Hyatt did is Hyatt created Wi-Fi access within their hotel
1:01:29
and they were charging like 25 bucks a day or something like that people were looking at that like saying I’m not
1:01:35
going to spend 25 bucks I’m going to turn my phone into an access point and I’ll just access the internet through my
1:01:41
phone and now I’m getting internet free because you know I don’t have a data plan and you know life is good and what
1:01:47
Hyatt started doing was installing these boxes that would kick you off of any
1:01:52
access point that wasn’t theirs and what would happen was you would try and use your phone and you’d have this horribly
1:01:59
unstable internet access so you’d eventually give in and give them the 25 bucks they want use their access point
1:02:05
instead and they got sued for that uh but we’ve also seen that being used at conferences and things like that because
1:02:12
if I can kick you off the network and make you reauthenticate with it again I might be able to set up a
1:02:18
rogue access point that looks like it’s part of that same network get you to try and authenticate with me instead and now
1:02:25
I can pass through those credentials and now I’m in the middle of that conversation um the other thing I can do
1:02:30
with it too is I can leverage that to try and crack what the Wi-Fi password
1:02:36
is if I can get you to authenticate multiple times looking for patterns in
1:02:41
that ciphertext that goes by through those multiple authentication attempts it makes it easier for me to go
1:02:48
through and figure out what’s the Wi-Fi password that you’re using so there’s actually a number of attacks that can
1:02:54
happen at Layer Two that are still valid today the Ethernet ones they’re
1:03:00
they’re harder the Wi-Fi ones oh these are still valid and you know it’s like the deauthentication packets
1:03:08
those are considered a feature so it’s not likely to be something we’re going to see happen anytime soon uh Kfar was
1:03:14
saying rogue twin yes so the idea is I set up an access point that looks like
1:03:20
you know it’s a rogue it looks like the access point you were trying to connect to in the first place and if I can get
1:03:25
you to connect to me instead bang I can now start grabbing your
1:03:30
credentials so next week we’re going to talk about routing and VLANs yay VLANs yay
1:03:35
routing so today we were on layer two of the OSI next week we’ll move up to layer
1:03:41
three I want to thank everybody for coming out uh this week I really appreciate it um yeah I know this is a
1:03:48
free webcast but technically it’s not you gave up an hour of your life plus to spend time with us and we really do
1:03:55
appreciate that uh we are going to leave the chat Channel open in Discord so if
1:04:00
you go through if you’re watching this on YouTube or something later and you have questions come jump into the
1:04:07
Discord Channel and ask ask that question there’s always folks hanging out here and any conversations about any
1:04:13
of this stuff that anybody wants to continue that’s what discord’s for so with that said hey Keith you got
1:04:18
anything you want to toss in before we’re done no actually uh you jumped or
1:04:24
grabbed all the questions in there but I got to say this was really solid thank you cool thank you dude this was really
1:04:31
good thanks man I try yeah that that was great stuff you
1:04:38
know and a lot of it it’s good to revisit you know even if you know it I mean it just kind of helps spark the
1:04:44
brain and I gotta say that’s even true for me there’s times I’ll go
1:04:49
through this stuff that it’s like oh yeah I forgot about that at some point
1:04:54
that’s still valid yeah yeah exactly exactly yes thank you this is really good and thank you all for joining us
1:05:01
and uh you know thanks for all the engagement on Discord everybody asking and answering questions uh good
1:05:08
stuff all right everybody everybody stay safe drive fast take chances and have a
1:05:13
good weekend awesome thanks everybody later bye
Slide Deck: