I gave a talk in November to a local high school about computer science as a career field. Aha, I think – I’ve given this talk before – I’ll just brush up my well-prepared slide deck.

My slide deck has a graphic in it that looks something like the below. All credit to Daniel van der Ende and his work on the GitHub Data Challenge in 2014. It’s an interesting way to show the various combinatorics of languages that are used in projects today. It’s actually common nowadays that a project has multiple types of code in it. Often there’ll be the front-end (often JavaScript + HTML + CSS) with some sort of back-end. The point I wanted to convey in the original presentation was that software engineers often don’t just need to know one language. I then would riff lightly on which of the languages they could see in my slide I’d worked with in some form or fashion. (In the snippet you can see of the image, Perl, Scala, Go, JavaScript, Ruby, and Lua. I did just enough of CoffeeScript to not want to do it anymore…)

Well, now it’s 2021. The slide information needs to be updated, and Mr. van der Ende has not updated his image, but he was kind enough to make available his source code and a handy README file which walks (loosely) through how to get the data.

Challenges then solved so far:

  • getting access to BigQuery
  • finding new sources of the data, since the dataset van der Ende references doesn’t seem to exist anymore
  • making BigQuery convinced that I have permission to run queries
  • updating the query to match the new data source, including figuring out how to flatten arrays – really not in his original flow
  • downloading mysql to my developer machine and setting up a database and username/password combo
  • updating van der Ende’s code to read directly from a CSV, rather than assuming I’m using a JSON file
  • getting php to work on my developer workstation – this particular box has done lots of things for me lately, but php hasn’t been one of them
  • figuring out how to populate the languages list the code asked for, given the languages represented in the dataset I downloaded. (For the record, awk, sort, uniq was the happy combo.)
  • uh, figuring out a better way to ingest the CSV, since pulling in the full file at once took up too much memory for my computer
  • (more to come undoubtedly to get it working…)

Note: I ultimately ran into enough things with it that I left the original image. Still on my todo list to bring this to resolution…

My masters classes keep sending us into Wireshark to analyze packet files. I thought I had a decent understanding of how to use Wireshark from some previous experience through work, but I keep finding new tricks as I try to figure out things about unknown protocols. Note that I’m using Wireshark 3.0.3, because that’s what’s installed in the lab infrastructure. I am aware that Wireshark 3.4 is out: my plan is to play with that version on my personal computer to see new goodies.

Copy and Paste

We keep needing to fill out spreadsheets of interesting things learned. We’re running Wireshark through a VDI infrastructure and I’m typically doing my homework on a laptop, so with limited screen real estate, even my touch typing skills aren’t helpful enough. The Copy capability in Wireshark lets me capture just the value for the field – highly useful for things like MAC addresses.

Protocol Hierarchy

Forget about randomly traversing files that include 100K packets – let the protocol hierarchy show likely interesting data points within the file. Filter by said protocol, and data patterns emerge. Worth calling out also the Conversations and Endpoints statistics areas. Nice ways to get a holistic view of what’s going on in the file and what might be worth diving into.

Statistics -> …

We’re looking at SCADA pcap files, including BACnet. Delighted to find a traversal means for BACnet that let me inspect the devices and services seen in the pcap. I was less happy to see that iFix wasn’t in the list, and that Wireshark just treats it as plain TCP (again, with my older version of Wireshark, with its default set of dissectors, etc). Possibilities for expansion.

Expert Analysis

There’s a menu option for ‘Expert Analysis’ that I hadn’t played with before. Add its data, and then allow it to create filters to show just that data – voila. Evidence of TCP retransmissions? Yes, please.

My masters class had us writing Yara rules for our project lab. Given that I recently gave a talk at DataWorks MD that took a brief foray into describing the use of Yara rules for static malware analysis – well – I was prepared for and looking forward to this particular lab.

The challenging part of the lab: to help us understand how analysts decide which byte(s) to check for hex strings, the lab had us use the Linux utility, hexeditor. As instructed, we were to

  • sudo hexeditor
  • use the keyboard’s arrows to navigate into a particular file
  • press Ctrl-W to invoke ‘search’
  • use the arrows to navigate to the hex search option, as opposed to text search
  • type in the appropriate hex string. Note: the hex string could be longer than the editor would show us in its entry window. With a long enough string, we were then working blind with typos
  • if the hex string was found, jot down at what byte position so that we could later use that in our Yara rules

Bleah… Too many opportunities for typos. Too slow, as we needed to iterate across five files. _Really_ too slow when you consider we were doing this in a VM hosted on university infrastructure, using its GUI via NoMachine.

Improvement 1: sudo hexeditor filename at least got me into a particular file, and importantly, let my file history show me what files I had already interacted with.

I then looked for command-line options to target hexeditor with a search string. That would at least let me repeat previous commands and edit the filename or the hexstring. Unfortunately, hexeditor doesn’t support anything of that sort. grep would apparently have gotten me to whether the pattern existed in the file, but not given me the byte location.

Long-ish story short, although the lab itself had no reason to cause me to do this, and it certainly took me longer to work this out than to just hand jam it, I now have scripts to iterate over a set of files and a set of hex strings to determine if the hex string is represented in the files, and if so, where. My geek demon is satisfied this evening, and I’m holding onto the files here to help in CTFs or other future geekish fun. Credit to here for the general approach for finding hex data locations in files, and here for helping work out the problem of iterating over lines that contain spaces.

#!/bin/bash

# test_hex_find.sh
# Examine a file for a hex byte sequence and report the byte offset of every match
# Argument 1: file name to check
# Argument 2: hex string to look for, bytes separated by single spaces (e.g. "4D 5A 90")

file="$1"
pattern="$2"

# Dump the file as one long line of lowercase two-digit hex bytes separated by single
# spaces (-An drops od's offset column, -v keeps repeated lines instead of printing '*').
# grep -b reports the character offset of each match; every byte occupies three
# characters ("xx "), so dividing by three converts it back to a byte offset.
positions=$(od -An -v -t x1 "$file" | tr '\n' ' ' | tr -s ' ' | sed 's/^ //' \
  | grep -b -i -o "$pattern" | cut -d: -f1)

if [ -n "$positions" ]; then
  echo "filename: $file, hex value: $pattern"
  for position in $positions; do
    printf '%06X\n' $(( position / 3 ))
  done
fi

#!/bin/bash

# find_hex.sh
# Run test_hex_find.sh for every *.exe in the current directory against every
# pattern in hex_strings.txt (one double-quoted hex string per line).
# xargs -n1 strips the surrounding quotes; mapfile keeps each line, spaces and all,
# as a single array element, so no IFS tricks are needed.
mapfile -t hex_strings < <(xargs -n1 < hex_strings.txt)

for hex_string in "${hex_strings[@]}"; do
  echo "$hex_string"
done

for file in *.exe; do
  for hex_string in "${hex_strings[@]}"; do
    ./test_hex_find.sh "$file" "$hex_string"
  done
done

Contents of hex_strings.txt (one pattern per line):
"C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73"
"8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF"
"5C EC AB AE 81 3C C9 BC D5 A5 42 F4 54 91 04 28 34 34 79 80 6F 71 D5 52 1E 2A 0D"
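
The same search done in Python, as an added example that is not part of the post's scripts: it reports every offset of each pattern rather than only the first, and then renders a Yara rule that pins each pattern to the offset where it was found, which is what the lab's byte positions were collected for. The sample file (MZ header plus padding) and the rule name are constructed for the example; the hex pattern is the second line of hex_strings.txt above.

```python
from typing import Dict, List

# Constructed sample "executable": an MZ header, padding, then the second pattern from
# hex_strings.txt placed at byte offset 0x40, followed by filler bytes.
SAMPLE_PATTERN = "8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF"
SAMPLE_FILE = b"MZ" + b"\x00" * 62 + bytes.fromhex(SAMPLE_PATTERN) + b"\x90" * 16


def parse_hex_string(text: str) -> bytes:
    """Turn a pattern like '"C6 45 F4 74"' (quotes optional) into raw bytes."""
    return bytes.fromhex(text.strip().strip('"'))


def find_offsets(data: bytes, needle: bytes) -> List[int]:
    """Return every byte offset at which needle occurs in data, overlapping hits included."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def scan_files(files: Dict[str, bytes], patterns: List[str]) -> Dict[str, Dict[str, List[int]]]:
    """Map each file name to {pattern: [offsets]} for the patterns that occur in it."""
    results = {}
    for name, data in files.items():
        hits = {p: find_offsets(data, parse_hex_string(p)) for p in patterns}
        results[name] = {p: offs for p, offs in hits.items() if offs}
    return results


def yara_rule(name: str, hits: Dict[str, List[int]]) -> str:
    """Render a Yara rule that requires each pattern at the first offset it was found at.
    Yara's 'at' condition is what the lab's byte positions are for: the rule fires only
    when the bytes sit at exactly that offset, not anywhere in the file."""
    strings, conds = [], []
    for i, (pattern, offsets) in enumerate(hits.items()):
        hexstr = pattern.strip().strip('"')
        strings.append(f"        $h{i} = {{ {hexstr} }}")
        conds.append(f"$h{i} at 0x{offsets[0]:X}")
    body, cond = "\n".join(strings), " and ".join(conds)
    return f"rule {name}\n{{\n    strings:\n{body}\n    condition:\n        {cond}\n}}"


if __name__ == "__main__":
    found = scan_files({"sample.exe": SAMPLE_FILE}, [SAMPLE_PATTERN])
    for fname, hits in found.items():
        print(f"filename: {fname}, hits: {hits}")
        print(yara_rule("lab_sample", hits))
```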

Things I’m in the middle of reading, also known as glimpses into my psyche:

  • Thinking, Fast and Slow, by Daniel Kahneman: we’re reading this for our Women In Technology Group at work. So far, a couple of chapters in, my System 1 brain is convinced the book should progress more quickly
  • The Clown in You, by Caroline Dream: reading this to try to think about my clowning in new ways, to spark my thinking in new paths
  • Hacking, the Art of Exploitation, by Jon Erickson: my cyber masters program is leaving me less than inspired, and more feeling slogged in its various papers. Hoping this book gives me some new angles and inspiration

I’m more geek goddess than domestic diva. That said, tonight’s dinner was GOOD! Crab dip with pita chips, chicken and sausage jambalaya, and cheesy shrimp and grits. Oh, and I have dough rising for an attempt at beignets. The things you can do with a four day weekend… I had a day to shop and prep and have two days (!!) to recover.

I love having a happy family around the dinner table. We’re all in our pajamas – some of us in the Christmas family pajamas we put on last night, and some have changed into sets they got as Christmas presents. Our bellies are full and my heart is very happy.

Yeah, this kind of joke is just my kind. Thank you, Ian Coldwater, for enlivening my day. Thinking about posting it at work, too.

As the leader of our Women In Tech group for work, I particularly appreciate the pun-blaming on MOM! All the better that it’s the capitalized, exclamation-pointed version.

I frequent some Facebook groups related to buying and selling used clown and circus supplies. Last month, a guy posted 3 or 4 pictures of this massive yard sale amount of stuff. Folks kept offering him money for individual items, but he’d say he’d only deal with folks who’d pick up. He ALSO said he’d be willing to take a reasonable offer for the lot. After seeing enough folks make individual offers, I decided, heck, the guy’s in New York, I’ll make him an offer, and if he takes it, I’ll make it back by shipping out just the things folks have offered on.

So, that’s what I did. I made the guy an offer. I came back with a mini-van chock full of things. A full-size Scooby Doo costume. A full-size Easter bunny costume. 6 large Lowes’ boxes filled with costumes and supplies, including a couple of puppets that run usually for $300+. Two boxes of videos. Another full (+!) box of clown magazines. A full bin of various magic tricks. A box of juggling bean bags. All in all, a bonanza of random fun. I spent a weekend building out an inventory spreadsheet and looking things up to figure out their probable retail value. I’ve been putting them up on Facebook, selling them off at a bit at a time.

So, if you know anyone who wants an Easter bunny costume or a set of dove pans, I’m your gal! I’ll be taking at least a representative box or two to the local clown convention next month – see if I can find some willing homes for another thing or two, at least!

When you’re experienced in life…

And you have a 10-15 page paper due for your masters class…

You start with a beer…

And you don’t plug in your laptop, so time is ticking…

And you write a WordPress post…

And then maybe, just maybe, you write your paper.

After another beer.

(Inspired by “When You Give a Mouse a Cookie” and an impending group project deadline.)

While my thoughts are fresh on my latest CTF…

Pluses:

  • Throughout the event, in top 3. Currently in top 2, but closing out for the day to get other things done.
  • Figured out a few things: interrogating VMDKs via extracting them; linking up a shared drive in Kali
  • Had some success with python scripting to interrogate Word documents to find hidden data, as well as to find md5 and sha1 hashes. Sha-1 grep string was: ‘[0-9A-Fa-f]{40}’
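
An added Python example (not the CTF script itself) of the hash search described above, extended in two ways: \b anchors so that a 40-hex-digit SHA-1 is not also reported as an MD5, or found inside a SHA-256, and a walk over every part of the .docx zip container, since hidden data is often outside word/document.xml. The sample document is constructed in memory and carries the MD5 and SHA-1 of the empty string.

```python
import io
import re
import zipfile
from typing import Dict, List

# \b on both ends keeps the 32-char MD5 regex from matching inside a 40-char SHA-1 and the
# SHA-1 regex from matching inside a 64-char SHA-256, which a bare {40} pattern would do.
HASH_PATTERNS = {
    "md5": re.compile(r"\b[0-9A-Fa-f]{32}\b"),
    "sha1": re.compile(r"\b[0-9A-Fa-f]{40}\b"),
}


def find_hashes(text: str) -> Dict[str, List[str]]:
    """Return hash-looking strings in text keyed by type; types with no hits are omitted."""
    hits = {kind: rx.findall(text) for kind, rx in HASH_PATTERNS.items()}
    return {kind: found for kind, found in hits.items() if found}


def scan_docx(blob: bytes) -> Dict[str, Dict[str, List[str]]]:
    """Scan every member of a .docx (a zip of XML parts), not only word/document.xml.
    Data hidden in a Word file often sits in a part Word never displays, such as
    customXml/, docProps/ or word/comments.xml, so the whole container is walked."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for member in zf.namelist():
            # Binary parts (e.g. images under word/media/) decode to junk that rarely matches.
            text = zf.read(member).decode("utf-8", errors="ignore")
            hits = find_hashes(text)
            if hits:
                results[member] = hits
    return results


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx: the visible body carries the MD5 of the empty
    string, and a custom XML part the reader never sees carries its SHA-1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    "<w:document><w:t>md5 d41d8cd98f00b204e9800998ecf8427e</w:t></w:document>")
        zf.writestr("customXml/item1.xml", "<data>da39a3ee5e6b4b0d3255bfef95601890afd80709</data>")
        zf.writestr("docProps/core.xml", "<cp:coreProperties><dc:creator>x</dc:creator></cp:coreProperties>")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_docx(build_sample_docx()).items():
        print(member, hits)
```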

Need to learn:

  • reverse engineering to interrogate malware or other executables
  • faster ways to traverse Wireshark data. Getting protocol statistics is a good starting point – want to get better there
  • executing random files – need VMs stood up for Windows to have them ready to roll…

Hmmm – I thought the CTF was closing out tonight, but it’s not until Sunday night. I need to carefully tread this, for the sake of my health and marriage.