http://auditcasts.com/ en-us Copyright David Hoelzer & Enclave Forensics, 2011 A free video blog series with practical how-to discussions of audit techniques for various technical IT systems found in enterprises today. The tips and tricks discussed are easy for listeners to replicate and put into practice right away! David Hoelzer A free video blog series with practical how-to discussions of audit techniques for various technical IT systems found in enterprises today. The tips and tricks discussed are easy for listeners to replicate and put into practice right away! A free video blog series with practical how-to discussions of audit techniques for various technical IT systems found in enterprises today. The tips and tricks discussed are easy for listeners to replicate and put into practice right away! David Hoelzer dhoelzer@enclaveforensics.com http://auditcasts.com/assets/itunes_logo.jpg http://auditcasts.com/ no Copyright David Hoelzer & Enclave Forensics, 2011TechnologyBusiness David Hoelzer Welcome to our next episode! Last time we were talking about Powershell, demonstrating some different ways that we could use it to begin to automate some of our audit and administrative tasks. For example, pulling some information out of our Active Directory. In this week's AuditCast we're going to continue on and try to modularize some of the code that we wrote last week. At the same time, we'll try to simplify, clean it up, and finally generalize it just a bit, to create something that we can use in many different tasks that we'll be examining over the next couple of weeks. Before starting the AuditCast, I actually did do one or two things that I've done ahead of time. The first thing is that I took some of the code that we were working with last week, the code that actually got the handle for doing a domain search, and I moved that into what's called a "function." This week we'll see how we can leverage these sorts of things. You should be able to see that see that this code is essentially exactly the same code we wrote last week; the only difference is it's in a function. For a full write-up along with the source code for the scripts written in this episode, please go here: http://it-audit.sans.org/blog/2012/03/15/learning-powershell-how-to-extract-user-objects-from-active-directory-using-powershell/ http://auditcasts.com/screencasts/25-building-powershell-modules-extracting-arbitrary-objects-out-of-active-directory Thu, 15 Mar 2012 16:35:13 +0000 20:21 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Oyn1rH3qTRk:fRkmzDE2cDs:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Oyn1rH3qTRk:fRkmzDE2cDs:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Oyn1rH3qTRk:fRkmzDE2cDs:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Oyn1rH3qTRk:fRkmzDE2cDs:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Oyn1rH3qTRk:fRkmzDE2cDs:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Oyn1rH3qTRk:fRkmzDE2cDs:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Oyn1rH3qTRk:fRkmzDE2cDs:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Oyn1rH3qTRk:fRkmzDE2cDs:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Oyn1rH3qTRk:fRkmzDE2cDs:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Oyn1rH3qTRk:fRkmzDE2cDs:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Oyn1rH3qTRk:fRkmzDE2cDs:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/Oyn1rH3qTRk" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/Oyn1rH3qTRk/25-building-powershell-modules-extracting-arbitrary-objects-out-of-active-directoryhttp://auditcasts.com/screencasts/25-building-powershell-modules-extracting-arbitrary-objects-out-of-active-directoryhttp://auditcasts.com/videos/mov/videos/25/How%20to%20Extract%20User%20Objects%20from%20Active%20Directory%20in%20Powershell.mov David Hoelzer A common question in an audit of information resources is whether or not accounts for users are being properly managed. One aspect of that is determining whether or not the accounts created are needed while another is looking for evidence that accounts for terminated users are being disabled or deleted in a timely fashion. An easy way to answer both of these questions is through the use of Active Directory queries! This screencast demonstrates exactly how to do just that. While it's true that the information that we're looking for can be obtained directly from the Active Directory using tools like DSQuery and DSGet, in the long term I think it's far wiser to learn a little bit of basic scripting that will allow you to perform just about any kind of query you'd ever want to in Active Directory, even if your admins have customized the Active Directory Schema! Learning to write Powershell scripts, though, can seem daunting. Not only will we have to face the differences between different versions of Powershell and the .NET requirements that sometimes lead to software conflicts when we're still using some legacy code, but some Powershell scripts just look downright confusing! Not to worry. Rather than trying to learn everything that there is to know about Powershell and directory queries, there's a great deal of value in learning some basic "recipes" that can be used to extract useful data using a script. Once we've got a good handle on the recipe, it's much easier to just adjust the "ingredients", if you will, to get at what we're looking for. In the various classes that I teach for Auditors, whenever there's an opportunity to do so, I strongly recommend that auditors take some time to learn some basic scripting. This screencast is a perfect example. Once you've got a few of the basics in the script, you can easily modify the script to look for just about anything you'd want to. Not only that, you can make those modifications without ever really getting a deep understanding of exactly what an Active Directory Search object is and how it works! The source code for this script can be obtained here: http://it-audit.sans.org/blog/2012/03/05/identifying-inactive-and-unnecessary-user-accounts-in-active-directory-with-powershell http://auditcasts.com/screencasts/24-extracting-last-logon-times-from-active-directory-using-powershell Mon, 05 Mar 2012 18:05:51 +0000 28:55 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=NqnAvJ46C1o:s9YhmYCpjYI:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=NqnAvJ46C1o:s9YhmYCpjYI:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=NqnAvJ46C1o:s9YhmYCpjYI:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=NqnAvJ46C1o:s9YhmYCpjYI:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=NqnAvJ46C1o:s9YhmYCpjYI:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=NqnAvJ46C1o:s9YhmYCpjYI:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=NqnAvJ46C1o:s9YhmYCpjYI:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=NqnAvJ46C1o:s9YhmYCpjYI:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=NqnAvJ46C1o:s9YhmYCpjYI:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=NqnAvJ46C1o:s9YhmYCpjYI:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=NqnAvJ46C1o:s9YhmYCpjYI:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/NqnAvJ46C1o" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/NqnAvJ46C1o/24-extracting-last-logon-times-from-active-directory-using-powershellhttp://auditcasts.com/screencasts/24-extracting-last-logon-times-from-active-directory-using-powershellhttp://auditcasts.com/videos/mov/videos/24/Extracting%20Last%20Logon%20Time%20from%20Active%20Directory%20using%20Powershell.mov David Hoelzer This webcast is a bit off the normal track for us. This recording was made live at a conference a few months back. (Sorry that the first few minutes have the screen capture software in view. Be patient, it goes away before we get to anything really good!) In the recording, David Hoelzer walks through a demonstration of the various phases that a security researcher (or hacker) would go through to discovery a vulnerability, build a proof of concept and finally create a working exploit. A major take-away from this demonstration is how quickly this can be done. The actual demonstration takes only 60 minutes from beginning to end and that's with all of the talking and explaining. This exploit could, after being discovered, have a working POC exploit and Metasploit module written in about 15 minutes. I've had people say, "Well, sure, there's a flaw, but it would be really hard to exploit it." Guess what.. In many cases they're just plain wrong! http://auditcasts.com/screencasts/23-exploitation-step-by-step Wed, 16 Nov 2011 20:47:10 +0000 01:04:57 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=b3yTqck-B8s:VkcbmqtX5Ac:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=b3yTqck-B8s:VkcbmqtX5Ac:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=b3yTqck-B8s:VkcbmqtX5Ac:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=b3yTqck-B8s:VkcbmqtX5Ac:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=b3yTqck-B8s:VkcbmqtX5Ac:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=b3yTqck-B8s:VkcbmqtX5Ac:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=b3yTqck-B8s:VkcbmqtX5Ac:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=b3yTqck-B8s:VkcbmqtX5Ac:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=b3yTqck-B8s:VkcbmqtX5Ac:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=b3yTqck-B8s:VkcbmqtX5Ac:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=b3yTqck-B8s:VkcbmqtX5Ac:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/b3yTqck-B8s" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/b3yTqck-B8s/23-exploitation-step-by-stephttp://auditcasts.com/screencasts/23-exploitation-step-by-stephttp://auditcasts.com/videos/mov/videos/23/Auditcasts%20Intro.mov David Hoelzer How hard is it for someone to insert a proxy between you and the rest of the Internet without you knowing? Will running a Mac or Linux protect you? In this episode we combine the concepts from Episode 20 with the WPAD style attack that was discussed back in Episode 17, creating a quick and easy how-to when it comes to creating a man in the middle attack that will work against any system that has Automatic Proxy Discovery enabled. This feature is sometimes thought to be a Windows specific issue, but as we demonstrate here by transparently creating a man in the middle proxy for a Mac, it really does apply everywhere. There are just a few simple pieces that you need to accomplish this attack and there are some quick and easy things that you can do to defend yourself or that you can look for during an audit. For more details and a link to the source code, please check the Blog article here: http://it-audit.sans.org/blog/2011/11/09/it-security-audit-what-about-wpad/ http://auditcasts.com/screencasts/22-man-in-the-middle-with-dns-spoofing-and-wpad-how-to Wed, 09 Nov 2011 17:38:38 +0000 11:36 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=7b2cyHi3VGM:AhTmabBZ3v0:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=7b2cyHi3VGM:AhTmabBZ3v0:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=7b2cyHi3VGM:AhTmabBZ3v0:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=7b2cyHi3VGM:AhTmabBZ3v0:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=7b2cyHi3VGM:AhTmabBZ3v0:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=7b2cyHi3VGM:AhTmabBZ3v0:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=7b2cyHi3VGM:AhTmabBZ3v0:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=7b2cyHi3VGM:AhTmabBZ3v0:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=7b2cyHi3VGM:AhTmabBZ3v0:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=7b2cyHi3VGM:AhTmabBZ3v0:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=7b2cyHi3VGM:AhTmabBZ3v0:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/7b2cyHi3VGM" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/7b2cyHi3VGM/22-man-in-the-middle-with-dns-spoofing-and-wpad-how-tohttp://auditcasts.com/screencasts/22-man-in-the-middle-with-dns-spoofing-and-wpad-how-tohttp://auditcasts.com/videos/mov/videos/22/DNS%20Spoofing%20plus%20WPAD%20equals%20Compromised.mov David Hoelzer This screencast was created specifically as a support video for our VisualSniff product. The default permissions that are set on the BPF adapters on OS X are a bit atypical and make it impossible for a user to start a sniffer without becoming an administrator. Using the directions in the video with the accompanying script resolves this issue so that VisualSniff will work correctly. The script referenced can be downloaded here: http://enclaveforensics.com/ClientFiles/VisualSniffPerms.sh http://auditcasts.com/screencasts/21-visualsniffperms Tue, 08 Nov 2011 15:23:50 +0000 04:11 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=iJgSRk1Fnwk:2akE6Wdh1Nk:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=iJgSRk1Fnwk:2akE6Wdh1Nk:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=iJgSRk1Fnwk:2akE6Wdh1Nk:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=iJgSRk1Fnwk:2akE6Wdh1Nk:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=iJgSRk1Fnwk:2akE6Wdh1Nk:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=iJgSRk1Fnwk:2akE6Wdh1Nk:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=iJgSRk1Fnwk:2akE6Wdh1Nk:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=iJgSRk1Fnwk:2akE6Wdh1Nk:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=iJgSRk1Fnwk:2akE6Wdh1Nk:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=iJgSRk1Fnwk:2akE6Wdh1Nk:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=iJgSRk1Fnwk:2akE6Wdh1Nk:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/iJgSRk1Fnwk" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/iJgSRk1Fnwk/21-visualsniffpermshttp://auditcasts.com/screencasts/21-visualsniffpermshttp://auditcasts.com/videos/mov/videos/21/VisualSniffPerms.mov David Hoelzer BIND is usually the go-to DNS solution if you're looking to set up a DNS sinkhole to contain and identify malware. While I love BIND as much as the next guy, I find that it's a real pain in the neck to get everything set up just right and the maintenance involved in adding a new authoritative zone is just more than I'm willing to do. As a solution to this, I've revived a tool that I wrote more than a decade ago for Internet usage policy enforcement. As it turns out, it already was a DNS sinkhole, I just never called it one! Watch the episode for a demonstration and discussion and check out the blog article for more information and the source code: http://it-audit.sans.org/blog/2011/11/02/dns-sinkhole-for-malware-defense-and-policy-enforcement/ http://auditcasts.com/screencasts/20-dns-sinkhole-for-malware-defense-and-policy-enforcement Wed, 02 Nov 2011 15:50:22 +0000 10:54 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=tQgQAAFw0Yk:v0Wq_-QyHJk:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=tQgQAAFw0Yk:v0Wq_-QyHJk:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=tQgQAAFw0Yk:v0Wq_-QyHJk:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=tQgQAAFw0Yk:v0Wq_-QyHJk:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=tQgQAAFw0Yk:v0Wq_-QyHJk:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=tQgQAAFw0Yk:v0Wq_-QyHJk:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=tQgQAAFw0Yk:v0Wq_-QyHJk:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=tQgQAAFw0Yk:v0Wq_-QyHJk:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=tQgQAAFw0Yk:v0Wq_-QyHJk:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=tQgQAAFw0Yk:v0Wq_-QyHJk:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=tQgQAAFw0Yk:v0Wq_-QyHJk:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/tQgQAAFw0Yk" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/tQgQAAFw0Yk/20-dns-sinkhole-for-malware-defense-and-policy-enforcementhttp://auditcasts.com/screencasts/20-dns-sinkhole-for-malware-defense-and-policy-enforcementhttp://auditcasts.com/videos/mov/videos/20/DNS%20Sinkhole%20APT%20Defense.mov David Hoelzer In all of the cases that I've worked where a malware infection, suspected APT or other security breach had occurred, detectable file remnants were left behind. How can you find them? Can IT audit techniques help? In this episode we take a look at a super easy technique that allows you to find any type of file or any specific file anywhere within your domain. The script can also be modified to allow you to create an inventory of any other type of file you need to. For a copy of the script and a longer discussion, please be sure to check the show notes: http://it-audit.sans.org/blog/2011/10/17/detecting-malware-apt-like-threats-domain-wide-file-finder/ http://auditcasts.com/screencasts/19-detecting-signs-of-apt-and-malware Mon, 17 Oct 2011 10:08:26 +0000 11:01 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=bCX6N3OS0zE:1Mg9_Y6LbiQ:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=bCX6N3OS0zE:1Mg9_Y6LbiQ:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=bCX6N3OS0zE:1Mg9_Y6LbiQ:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=bCX6N3OS0zE:1Mg9_Y6LbiQ:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=bCX6N3OS0zE:1Mg9_Y6LbiQ:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=bCX6N3OS0zE:1Mg9_Y6LbiQ:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=bCX6N3OS0zE:1Mg9_Y6LbiQ:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=bCX6N3OS0zE:1Mg9_Y6LbiQ:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=bCX6N3OS0zE:1Mg9_Y6LbiQ:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=bCX6N3OS0zE:1Mg9_Y6LbiQ:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=bCX6N3OS0zE:1Mg9_Y6LbiQ:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/bCX6N3OS0zE" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/bCX6N3OS0zE/19-detecting-signs-of-apt-and-malwarehttp://auditcasts.com/screencasts/19-detecting-signs-of-apt-and-malwarehttp://auditcasts.com/videos/mov/videos/19/Detecting%20APT%20-%20Finding%20File%20Traces.mov David Hoelzer I've been saying for years that Change Control is one of the most critical processes in our enterprise and the one that we are failing to follow most often. When you consider the 20 Critical Controls, you'll find that at least 5, and likely more, are directly related to how well you know the systems in your business. In fact, if you know your systems well you are poised to be able to discover any 0-day infections and most any APT like (Advanced Persistent Threat) threats. How can you know your systems well? Watch this webcast for a demonstration! The Show Notes for this episode along with copies of the scripts demonstrated can be obtained here: http://it-audit.sans.org/blog/2011/10/11/detecting-apt-and-other-zero-day-malware-through-service-auditing/ http://auditcasts.com/screencasts/18-detecting-apt-and-malware-through-baseline-auditing Tue, 11 Oct 2011 12:39:00 +0000 13:14 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=ISwSiQs1gF0:ETXpTeo0QUM:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=ISwSiQs1gF0:ETXpTeo0QUM:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=ISwSiQs1gF0:ETXpTeo0QUM:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=ISwSiQs1gF0:ETXpTeo0QUM:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=ISwSiQs1gF0:ETXpTeo0QUM:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=ISwSiQs1gF0:ETXpTeo0QUM:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=ISwSiQs1gF0:ETXpTeo0QUM:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=ISwSiQs1gF0:ETXpTeo0QUM:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=ISwSiQs1gF0:ETXpTeo0QUM:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=ISwSiQs1gF0:ETXpTeo0QUM:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=ISwSiQs1gF0:ETXpTeo0QUM:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/ISwSiQs1gF0" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/ISwSiQs1gF0/18-detecting-apt-and-malware-through-baseline-auditinghttp://auditcasts.com/screencasts/18-detecting-apt-and-malware-through-baseline-auditinghttp://auditcasts.com/videos/mov/videos/18/Detecting%20APT%20and%20Zero%20Day%20Malware.mov David Hoelzer In today's networked world, the vast majority of "work" that we do is done in a web browser. As it turns out, there's a very common configuration setting that creates enormous potential for serious information leakage or compromise in those very web browsers that we trust. In this episode we take a look at a demonstration of the WPAD (Web Proxy Auto-Discovery) service and how it can be leveraged to compromise data, particularly on Windows computers. It is important to note that the actual browser being used is not important! All modern browsers support the WPAD protocol. If a hacker finds himself on a network with even one system configured in this way, he has an immediate attack vector that allows him to start intercepting data. Of course, if he can intercept data, there's no reason he can't inject data too! This is a perfect avenue for the injection of malicious Javascript and other exploits, though we will not explore that in the demo. What's the answer to this problem? The answer is at the end of the episode or, if you don't want to wait, stop by the related show notes over at the SANS site for a quick explanation of what to look for: http://auditcasts.com/screencasts/17-man-in-the-middle-web-attacks-using-wpad Fri, 30 Sep 2011 17:59:37 +0000 10:41 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=xH_B2eIWP3U:v78mbA2d9Mk:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=xH_B2eIWP3U:v78mbA2d9Mk:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=xH_B2eIWP3U:v78mbA2d9Mk:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=xH_B2eIWP3U:v78mbA2d9Mk:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=xH_B2eIWP3U:v78mbA2d9Mk:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=xH_B2eIWP3U:v78mbA2d9Mk:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=xH_B2eIWP3U:v78mbA2d9Mk:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=xH_B2eIWP3U:v78mbA2d9Mk:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=xH_B2eIWP3U:v78mbA2d9Mk:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=xH_B2eIWP3U:v78mbA2d9Mk:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=xH_B2eIWP3U:v78mbA2d9Mk:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/xH_B2eIWP3U" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/xH_B2eIWP3U/17-man-in-the-middle-web-attacks-using-wpadhttp://auditcasts.com/screencasts/17-man-in-the-middle-web-attacks-using-wpadhttp://auditcasts.com/videos/mov/videos/17/Man-in-the-Middle-with-WPAD.mov David Hoelzer If I asked you for your password, no doubt you'd tell me to get lost. If I asked for your username you would be suspicious. If I asked you for your email address, you'd likely give it up. Of course, your email address and your username are quite likely one and the same. What good is your username if I don't have your password? Well, there's not much that can be done with a single username in terms of hacking. In large numbers, however, usernames can be quite useful. How can I get my hands on a large number of usernames? There are many techniques, some for web applications, others for internal attacks. In this episode we depart from our usual audit focus to weaponize an information disclosure that is a part of virtually every Microsoft Windows domain that you'll encounter. Using a few easy tools, we'll extract the usernames and then use an easy technique to capture valid username/password credentials, compromising accounts! For a longer discussion of what's happening in this presentation, please be sure to visit here: http://it-audit.sans.org/blog/2011/09/21/usernames-matter-more-than-passwords http://auditcasts.com/screencasts/16-hacking-windows-user-accounts-with-powershell Wed, 21 Sep 2011 15:22:15 +0000 11:05 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=9-OvT8od4Vo:_dFpYNacSpU:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=9-OvT8od4Vo:_dFpYNacSpU:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=9-OvT8od4Vo:_dFpYNacSpU:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=9-OvT8od4Vo:_dFpYNacSpU:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=9-OvT8od4Vo:_dFpYNacSpU:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=9-OvT8od4Vo:_dFpYNacSpU:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=9-OvT8od4Vo:_dFpYNacSpU:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=9-OvT8od4Vo:_dFpYNacSpU:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=9-OvT8od4Vo:_dFpYNacSpU:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=9-OvT8od4Vo:_dFpYNacSpU:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=9-OvT8od4Vo:_dFpYNacSpU:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/9-OvT8od4Vo" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/9-OvT8od4Vo/16-hacking-windows-user-accounts-with-powershellhttp://auditcasts.com/screencasts/16-hacking-windows-user-accounts-with-powershellhttp://auditcasts.com/videos/mov/videos/16/Hacking%20Windows%20Accounts%20with%20Powershell.mov David Hoelzer What harm is there in having private internal records in your external DNS servers? There are many opinions on this with a number of people saying that there's no real risk involved in exposing this data. In this episode we explore how an attacker could poll your external DNS server to expose this information, what the actual harm could be and how Split DNS solutions solve this problem. The mapping tool described can be found here: http://it-audit.sans.org/community/downloads http://auditcasts.com/screencasts/15-protecting-dns-records-with-split-dns Sun, 11 Sep 2011 07:59:16 +0000 06:00 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=64gquUZfpWQ:EqUUz4N8q90:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=64gquUZfpWQ:EqUUz4N8q90:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=64gquUZfpWQ:EqUUz4N8q90:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=64gquUZfpWQ:EqUUz4N8q90:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=64gquUZfpWQ:EqUUz4N8q90:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=64gquUZfpWQ:EqUUz4N8q90:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=64gquUZfpWQ:EqUUz4N8q90:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=64gquUZfpWQ:EqUUz4N8q90:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=64gquUZfpWQ:EqUUz4N8q90:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=64gquUZfpWQ:EqUUz4N8q90:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=64gquUZfpWQ:EqUUz4N8q90:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/64gquUZfpWQ" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/64gquUZfpWQ/15-protecting-dns-records-with-split-dnshttp://auditcasts.com/screencasts/15-protecting-dns-records-with-split-dnshttp://auditcasts.com/videos/mov/videos/15/Split%20DNS.mov David Hoelzer DNS reconnaissance is a powerful way to research an organization's network infrastructure without ever tripping an alarm in the IDS/IPS if you know what you're doing. In this episode we take a look at a few items that should be examined when it comes the DNS configuration and demonstrate the kind of information that can be revealed when the DNS zone information hasn't been properly secured. Of course, now that you can identify the security issues and know what questions to ask during an audit, you may want to know how you can prevent this problem! Tune in next week for an overview of the solution and things to look for to ensure that your network is properly protected from hackers! The tool demonstrated here for the reverse network lookup recon is called "ReverseMapper" and can be obtained from http://it-audit.sans.org/community/downloads http://auditcasts.com/screencasts/14-violating-the-zone-dns-security-issues Tue, 06 Sep 2011 16:10:58 +0000 08:11 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=MJYWPMxCll8:yWZkb_C7O3A:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=MJYWPMxCll8:yWZkb_C7O3A:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=MJYWPMxCll8:yWZkb_C7O3A:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=MJYWPMxCll8:yWZkb_C7O3A:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=MJYWPMxCll8:yWZkb_C7O3A:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=MJYWPMxCll8:yWZkb_C7O3A:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=MJYWPMxCll8:yWZkb_C7O3A:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=MJYWPMxCll8:yWZkb_C7O3A:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=MJYWPMxCll8:yWZkb_C7O3A:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=MJYWPMxCll8:yWZkb_C7O3A:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=MJYWPMxCll8:yWZkb_C7O3A:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/MJYWPMxCll8" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/MJYWPMxCll8/14-violating-the-zone-dns-security-issueshttp://auditcasts.com/screencasts/14-violating-the-zone-dns-security-issueshttp://auditcasts.com/videos/mov/videos/14/Episode%2014%20-%20DNS%20Recon.mov David Hoelzer Using a network sniffer like Wireshark is pretty easy to do, but network and security engineers only use a sniffer when they're troubleshooting or investigating. Are there any proactive tests that should be done on a network using a sniffer? Yes! In this episode we take a look at a few basics about Wireshark and then jump right into a handy process that I often use when working with businesses of any size. It's not unusual to discover that unusual network protocols have crept in over the months and years, or to find that there are potentially serious layer 2 configuration issues creating security holes. http://auditcasts.com/screencasts/13-network-sniffing-what-why-and-how Thu, 18 Aug 2011 18:10:35 +0000 15:17 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=sjdUsc2TfVE:ost1mC6B9n0:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=sjdUsc2TfVE:ost1mC6B9n0:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=sjdUsc2TfVE:ost1mC6B9n0:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=sjdUsc2TfVE:ost1mC6B9n0:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=sjdUsc2TfVE:ost1mC6B9n0:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=sjdUsc2TfVE:ost1mC6B9n0:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=sjdUsc2TfVE:ost1mC6B9n0:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=sjdUsc2TfVE:ost1mC6B9n0:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=sjdUsc2TfVE:ost1mC6B9n0:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=sjdUsc2TfVE:ost1mC6B9n0:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=sjdUsc2TfVE:ost1mC6B9n0:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/sjdUsc2TfVE" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/sjdUsc2TfVE/13-network-sniffing-what-why-and-howhttp://auditcasts.com/screencasts/13-network-sniffing-what-why-and-howhttp://auditcasts.com/videos/mov/videos/13/Episode%2013%20-%20Network%20Sniffing.mov David Hoelzer In Windows 7 and Vista, Microsoft seems to have gone out of its way to force us to drill through layers and layers of control panels. In this episode we take a look at a nifty easter egg that allows you to get all of those features and options into one easy to navigate spot! This same feature, however, can be used to create an awesome local denial of service on Windows Server 2008! Watch the episode and see what the problem is and how to resolve it. Information on how to exploit this feature can be found in the related show notes: http://it-audit.sans.org/blog/2011/08/22/windows-7-feature-windows-2008-local-denial-of-service/ http://auditcasts.com/screencasts/12-windows-7-god-mode-server-2008-local-dos Tue, 16 Aug 2011 14:57:32 +0000 8:12 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=WEsP3OuFYqI:HfjCEZKLoFA:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=WEsP3OuFYqI:HfjCEZKLoFA:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=WEsP3OuFYqI:HfjCEZKLoFA:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=WEsP3OuFYqI:HfjCEZKLoFA:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=WEsP3OuFYqI:HfjCEZKLoFA:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=WEsP3OuFYqI:HfjCEZKLoFA:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=WEsP3OuFYqI:HfjCEZKLoFA:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=WEsP3OuFYqI:HfjCEZKLoFA:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=WEsP3OuFYqI:HfjCEZKLoFA:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=WEsP3OuFYqI:HfjCEZKLoFA:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=WEsP3OuFYqI:HfjCEZKLoFA:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/WEsP3OuFYqI" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/WEsP3OuFYqI/12-windows-7-god-mode-server-2008-local-doshttp://auditcasts.com/screencasts/12-windows-7-god-mode-server-2008-local-doshttp://auditcasts.com/videos/mov/videos/12/Episode%2012%20-%20God%20Mode.mov David Hoelzer Powershell is fast becoming the way to perform many administrative tasks in Windows environments today. In this episode we build on the idea of extracting Active Directory User and Group information using DSQuery and DSGet, adding to it the ability to automatically process CSV files using Powershell. The goal of the episode is to give you a quick and easy tool to allow you to compare the users who actually exist in your domain to the employees that Human Resources says that you have. A copy of the script can be obtained from the show notes here: http://it-audit.sans.org/blog/2011/08/15/active-directory-user-auditing-automation-powershell/ http://auditcasts.com/screencasts/11-verifying-users-with-powershell Mon, 15 Aug 2011 20:02:15 +0000 19:05 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Duj0vjYSJrc:Yyh7CbkgsgU:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Duj0vjYSJrc:Yyh7CbkgsgU:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Duj0vjYSJrc:Yyh7CbkgsgU:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Duj0vjYSJrc:Yyh7CbkgsgU:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Duj0vjYSJrc:Yyh7CbkgsgU:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Duj0vjYSJrc:Yyh7CbkgsgU:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Duj0vjYSJrc:Yyh7CbkgsgU:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Duj0vjYSJrc:Yyh7CbkgsgU:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Duj0vjYSJrc:Yyh7CbkgsgU:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Duj0vjYSJrc:Yyh7CbkgsgU:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Duj0vjYSJrc:Yyh7CbkgsgU:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/Duj0vjYSJrc" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/Duj0vjYSJrc/11-verifying-users-with-powershellhttp://auditcasts.com/screencasts/11-verifying-users-with-powershellhttp://auditcasts.com/videos/mov/videos/11/Episode%2011%20-%20Valid%20Users%20with%20Powershell.mov David Hoelzer Identifying stale user accounts is an age old problem that all administrators deal with. Accessing Active Directory through DSQuery provides some strong and easy to use mechanisms to quickly identify inactive User accounts and to find Computer accounts for systems that should have been removed from the domain. In this episode we'll demonstrate how to access this information and explain some of the caveats with the DSQuery and DSGet options. The show notes for this episode have been posted here http://it-audit.sans.org/blog/2011/08/08/episode-10-shownotes-more-dsquery-magic http://auditcasts.com/screencasts/10-active-directory-auditing-with-dsquery Mon, 08 Aug 2011 11:35:23 +0000 8:54 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=hUfRItSxkOI:ynt7EQqjxc0:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=hUfRItSxkOI:ynt7EQqjxc0:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=hUfRItSxkOI:ynt7EQqjxc0:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=hUfRItSxkOI:ynt7EQqjxc0:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=hUfRItSxkOI:ynt7EQqjxc0:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=hUfRItSxkOI:ynt7EQqjxc0:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=hUfRItSxkOI:ynt7EQqjxc0:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=hUfRItSxkOI:ynt7EQqjxc0:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=hUfRItSxkOI:ynt7EQqjxc0:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=hUfRItSxkOI:ynt7EQqjxc0:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=hUfRItSxkOI:ynt7EQqjxc0:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/hUfRItSxkOI" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/hUfRItSxkOI/10-active-directory-auditing-with-dsqueryhttp://auditcasts.com/screencasts/10-active-directory-auditing-with-dsqueryhttp://auditcasts.com/videos/mov/videos/10/Episode%2010%20-%20Active%20Directory%202.mov David Hoelzer Active Directory under Windows 2003 and Windows 2008 can be a very powerful resource for both auditors and security researchers. In this episode we examine some uses of the DSQuery and DSGet tools. How can you find out who the users are in your domain? Is there a way to easily extract all of the logon ids for all of the users? Is there an easy way to find out who the members of certain groups are? How about finding accounts that are set with a non-expiring password? All of these things and more can be found with DSQuery and are demonstrated in this episode. For more information, the show notes are available at http://it-audit.sans.org/blog/2011/08/02/episode-9-easy-but-useful-windows-domain-queries/ as usual. Please feel free to send in any questions or post comments over on the show notes! http://auditcasts.com/screencasts/9-active-directory-auditing-security Tue, 02 Aug 2011 11:51:42 +0000 13:43 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=LI_f2YybB-U:lQ8a2XCIY2c:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=LI_f2YybB-U:lQ8a2XCIY2c:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=LI_f2YybB-U:lQ8a2XCIY2c:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=LI_f2YybB-U:lQ8a2XCIY2c:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=LI_f2YybB-U:lQ8a2XCIY2c:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=LI_f2YybB-U:lQ8a2XCIY2c:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=LI_f2YybB-U:lQ8a2XCIY2c:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=LI_f2YybB-U:lQ8a2XCIY2c:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=LI_f2YybB-U:lQ8a2XCIY2c:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=LI_f2YybB-U:lQ8a2XCIY2c:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=LI_f2YybB-U:lQ8a2XCIY2c:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/LI_f2YybB-U" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/LI_f2YybB-U/9-active-directory-auditing-securityhttp://auditcasts.com/screencasts/9-active-directory-auditing-securityhttp://auditcasts.com/videos/mov/videos/9/Episode%209%20-%20Active%20Directory%20Auditing.mov David Hoelzer Using a fuzzer isn't hard, but how can you narrow the thousands or millions of results down to what really matters? This episode explores the use of the WebScarab Search feature in conjunction with the fuzzer (discussed in Episode 7) to demonstrate exactly how to do this! http://it-audit.sans.org/blog/2011/07/25/scaling-input-fuzzing-with-webscarab has the related show notes for this episode. As always, feel free to contact me with comments or questions. Either post them on the blog or contact me by email: dhoelzer at enclave forensics dot com. http://auditcasts.com/screencasts/8-effective-webscarab-fuzzing Tue, 26 Jul 2011 03:21:18 +0000 13:22 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=87tSMmll4Eo:rSQJ6tfK00Q:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=87tSMmll4Eo:rSQJ6tfK00Q:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=87tSMmll4Eo:rSQJ6tfK00Q:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=87tSMmll4Eo:rSQJ6tfK00Q:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=87tSMmll4Eo:rSQJ6tfK00Q:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=87tSMmll4Eo:rSQJ6tfK00Q:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=87tSMmll4Eo:rSQJ6tfK00Q:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=87tSMmll4Eo:rSQJ6tfK00Q:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=87tSMmll4Eo:rSQJ6tfK00Q:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=87tSMmll4Eo:rSQJ6tfK00Q:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=87tSMmll4Eo:rSQJ6tfK00Q:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/87tSMmll4Eo" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/87tSMmll4Eo/8-effective-webscarab-fuzzinghttp://auditcasts.com/screencasts/8-effective-webscarab-fuzzinghttp://auditcasts.com/videos/mov/videos/8/Episode%208%20-%20Webscarab%20Searches.mov David Hoelzer WebScarab is a powerful tool for testing out many different aspects of a web application. One of the more tedious aspects of web application security validation is trying out all of the different possibilities for input on every form. What can we do to make our lives simpler? WebScarab to the rescue! WebScarab ( http://owasp.org ) can be taught to automatically send pre-populated input to a form in a programmatic way. This means that once we create a file containing the tests that we'd like to run we can just point and click and away it goes! In the episode you'll see that we're able to configure WebScarab to run millions of test cases against a form. Looking at the results summary page we can quickly see if any of those requests caused the application to crash (500 Internal Server Error). We'll look at some details of how to mine these thousands of results for useful data in a future episode. http://auditcasts.com/screencasts/7-fuzzing-for-fun-and-profit Fri, 15 Jul 2011 11:54:22 +0000 14:50 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=BJ5EGrGEN1w:uh8gjYwcPM0:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=BJ5EGrGEN1w:uh8gjYwcPM0:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=BJ5EGrGEN1w:uh8gjYwcPM0:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=BJ5EGrGEN1w:uh8gjYwcPM0:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=BJ5EGrGEN1w:uh8gjYwcPM0:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=BJ5EGrGEN1w:uh8gjYwcPM0:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=BJ5EGrGEN1w:uh8gjYwcPM0:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=BJ5EGrGEN1w:uh8gjYwcPM0:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=BJ5EGrGEN1w:uh8gjYwcPM0:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=BJ5EGrGEN1w:uh8gjYwcPM0:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=BJ5EGrGEN1w:uh8gjYwcPM0:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/BJ5EGrGEN1w" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/BJ5EGrGEN1w/7-fuzzing-for-fun-and-profithttp://auditcasts.com/screencasts/7-fuzzing-for-fun-and-profithttp://auditcasts.com/videos/mov/videos/7/Episode%207%20-%20WebScarab%20and%20Fuzzing.mov David Hoelzer NMap is a powerful and useful tool. How do you make the results of your scans manageable? Can you produce a useful NMap report that shows you how your network is changing over time? These are the questions that we answer in Episode 6. The Show Notes for Episode 6 have been posted at http://it-audit.sans.org/blog/2011/07/11/making-nmap-results-useful-and-manageable and include the text of the script created during this episode. You can also find links to the various tools discussed during the episode. If you're interested in the older version of NDiff that produces HTML output, please feel free to send me an email at dhoelzer at enclaveforensics dot com! http://auditcasts.com/screencasts/6-cat-herding-part-deux-nmap-differences Mon, 11 Jul 2011 14:30:15 +0000 15:10 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GdI_tOtVLMw:HbcFvmahmvo:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GdI_tOtVLMw:HbcFvmahmvo:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GdI_tOtVLMw:HbcFvmahmvo:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GdI_tOtVLMw:HbcFvmahmvo:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GdI_tOtVLMw:HbcFvmahmvo:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GdI_tOtVLMw:HbcFvmahmvo:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GdI_tOtVLMw:HbcFvmahmvo:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GdI_tOtVLMw:HbcFvmahmvo:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GdI_tOtVLMw:HbcFvmahmvo:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GdI_tOtVLMw:HbcFvmahmvo:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GdI_tOtVLMw:HbcFvmahmvo:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/GdI_tOtVLMw" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/GdI_tOtVLMw/6-cat-herding-part-deux-nmap-differenceshttp://auditcasts.com/screencasts/6-cat-herding-part-deux-nmap-differenceshttp://auditcasts.com/videos/mov/videos/6/Episode%206%20-%20NMap%20Diffing.mov David Hoelzer In this episode we take a look at using PBNJ coupled with NMap to build and use network information maps. One of the key problems with using a network scanner like NMap is scaling the results out to something that you can actually use to produce useful information. In Part 1 of this series we look specifically at using a front end to NMap to drive the scans and automatically insert the data into a database. We also spend time talking about a strategy for making this work in an enterprise, especially with host based firewalls, and how to deal with systems that become unreliable when scanned. Show notes for this episode can be found at http://it-audit.sans.org/blog/2011/07/05/network-population-management-and-pbnj-show-notes-5 http://auditcasts.com/screencasts/5-herding-the-cats Tue, 05 Jul 2011 15:16:58 +0000 13:59 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Th34zqSXkuY:-iQsIYjE9qY:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Th34zqSXkuY:-iQsIYjE9qY:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Th34zqSXkuY:-iQsIYjE9qY:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Th34zqSXkuY:-iQsIYjE9qY:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Th34zqSXkuY:-iQsIYjE9qY:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Th34zqSXkuY:-iQsIYjE9qY:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Th34zqSXkuY:-iQsIYjE9qY:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Th34zqSXkuY:-iQsIYjE9qY:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Th34zqSXkuY:-iQsIYjE9qY:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Th34zqSXkuY:-iQsIYjE9qY:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Th34zqSXkuY:-iQsIYjE9qY:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/Th34zqSXkuY" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/Th34zqSXkuY/5-herding-the-catshttp://auditcasts.com/screencasts/5-herding-the-catshttp://auditcasts.com/videos/mov/videos/5/Episode%205%20-%20Network%20Population.mov David Hoelzer Most IT auditors and security people are aware of the need to find and disconnect unauthorized access points connected to the corporate network. An equally troubling problem that is less often addressed is identifying whether or not your employees are using business assets to connect to access points that are outside of your control. We're not talking about Starbucks or McDonald's; we're talking about wireless access points that are in range from within your own building. It's not unusual, especially in urban business environments or industrial parks to find that a large number of access points are visible to anyone in the periphery of the building. In these settings, businesses are often somewhat conscious of the need to secure access points with encryption, but unauthorized access points in another business or even private open access point can still mean trouble for you. Visit the Show Notes for more details and the demonstrated script here: http://it-audit.sans.org/blog/2011/06/27/can-you-hear-me-now-show-notes-4 http://auditcasts.com/screencasts/4-can-you-hear-me-now Mon, 15 Aug 2011 20:03:41 +0000 13:11 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GmyxfpLXclo:p-EOuOqyG4E:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GmyxfpLXclo:p-EOuOqyG4E:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GmyxfpLXclo:p-EOuOqyG4E:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GmyxfpLXclo:p-EOuOqyG4E:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GmyxfpLXclo:p-EOuOqyG4E:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GmyxfpLXclo:p-EOuOqyG4E:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GmyxfpLXclo:p-EOuOqyG4E:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GmyxfpLXclo:p-EOuOqyG4E:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GmyxfpLXclo:p-EOuOqyG4E:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GmyxfpLXclo:p-EOuOqyG4E:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GmyxfpLXclo:p-EOuOqyG4E:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/GmyxfpLXclo" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/GmyxfpLXclo/4-can-you-hear-me-nowhttp://auditcasts.com/screencasts/4-can-you-hear-me-nowhttp://auditcasts.com/videos/mov/videos/4/Episode%204%20-%20Can%20You%20Hear%20Me%20Now%20(Web%20800x600).mov David Hoelzer The security of wireless networks remains a widely misunderstood issue in the business community. While most know that WEP should not be considered secure, many believe that running WPA or WPA2 is sufficient to make your network secure. In this episode we demonstrate how to quickly find an access point and attack the key. While not every network will be this easy to break into, it is very important to note that the entire demonstration was recorded without cut and takes about ten minutes from discovery through key recovery even with the talking! For more information on these topics, visit http://audit.sans.org for details! The Show Notes for this episode are here: http://it-audit.sans.org/blog/2011/06/20/auditing-hacking-wpa-wpa2-security-show-notes-3 http://auditcasts.com/screencasts/3-auditing-hacking-wpa-wpa2 Mon, 20 Jun 2011 16:32:25 +0000 10:12 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Angtk1U84sQ:A6NG2uQTbQU:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Angtk1U84sQ:A6NG2uQTbQU:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Angtk1U84sQ:A6NG2uQTbQU:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Angtk1U84sQ:A6NG2uQTbQU:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Angtk1U84sQ:A6NG2uQTbQU:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Angtk1U84sQ:A6NG2uQTbQU:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Angtk1U84sQ:A6NG2uQTbQU:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Angtk1U84sQ:A6NG2uQTbQU:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Angtk1U84sQ:A6NG2uQTbQU:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=Angtk1U84sQ:A6NG2uQTbQU:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=Angtk1U84sQ:A6NG2uQTbQU:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/Angtk1U84sQ" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/Angtk1U84sQ/3-auditing-hacking-wpa-wpa2http://auditcasts.com/screencasts/3-auditing-hacking-wpa-wpa2http://auditcasts.com/videos/mov/videos/3/Episode%203%20-%20Auditing%20WPA%20and%20WPA2.mov David Hoelzer In this episode we round out the discussion from Episode 1 with regard to startup and running configuration files for routers and switches. It is critical that we verify that these files are identical. We will look at several methods for quickly and easily finding the changes and some free tools that can help us along the way! Show Notes can be found at http://it-audit.sans.org/blog/2011/06/13/do-differences-matter-show-notes-2 http://auditcasts.com/screencasts/2-do-differences-matter Mon, 20 Jun 2011 16:32:54 +0000 11:09 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GE6LZXKUHaY:2WPS6C_MHCQ:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GE6LZXKUHaY:2WPS6C_MHCQ:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GE6LZXKUHaY:2WPS6C_MHCQ:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GE6LZXKUHaY:2WPS6C_MHCQ:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GE6LZXKUHaY:2WPS6C_MHCQ:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GE6LZXKUHaY:2WPS6C_MHCQ:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GE6LZXKUHaY:2WPS6C_MHCQ:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GE6LZXKUHaY:2WPS6C_MHCQ:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GE6LZXKUHaY:2WPS6C_MHCQ:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=GE6LZXKUHaY:2WPS6C_MHCQ:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=GE6LZXKUHaY:2WPS6C_MHCQ:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/GE6LZXKUHaY" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/GE6LZXKUHaY/2-do-differences-matterhttp://auditcasts.com/screencasts/2-do-differences-matterhttp://auditcasts.com/videos/mov/videos/2/Episode%202%20-%20Do%20Differences%20Matter.mov David Hoelzer In this episode we take a look at an extremely useful tool for examining router and switch configuration files in addition to identifying various audit questions and potential findings while walking through the administrator's process. Show notes for this episode are posted on the http://audit.sans.org/blog site. Show Notes have been posted: http://it-audit.sans.org/blog/2011/06/07/auditing-routers-switches-with-nipper-show-notes http://auditcasts.com/screencasts/1-auditing-routers-and-switches-with-nipper Mon, 20 Jun 2011 16:33:19 +0000 16:43 noPractical How-To for Technical Auditors and Security/Operations Staff<div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=K1cwNUU9jNg:78mCHdl0EFo:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=K1cwNUU9jNg:78mCHdl0EFo:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=K1cwNUU9jNg:78mCHdl0EFo:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=K1cwNUU9jNg:78mCHdl0EFo:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=K1cwNUU9jNg:78mCHdl0EFo:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=K1cwNUU9jNg:78mCHdl0EFo:-BTjWOF_DHI"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=K1cwNUU9jNg:78mCHdl0EFo:-BTjWOF_DHI" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=K1cwNUU9jNg:78mCHdl0EFo:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=K1cwNUU9jNg:78mCHdl0EFo:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?a=K1cwNUU9jNg:78mCHdl0EFo:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/AuditcastsWithDavidHoelzer?i=K1cwNUU9jNg:78mCHdl0EFo:gIN9vFwOqvQ" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/AuditcastsWithDavidHoelzer/~4/K1cwNUU9jNg" height="1" width="1"/>http://feedproxy.google.com/~r/AuditcastsWithDavidHoelzer/~3/K1cwNUU9jNg/1-auditing-routers-and-switches-with-nipperhttp://auditcasts.com/screencasts/1-auditing-routers-and-switches-with-nipperhttp://auditcasts.com/videos/mov/videos/1/Episode%201%20-%20Routers%20and%20Switches.mov David HoelzernonadultA free video blog series with practical how-to discussions of audit techniques for various technical IT systems found in enterprises today. The tips and tricks discussed are easy for listeners to replicate and put into practice right away!