Streets Ahead - AIC
  I made some significant steps forward in AIC training and development over the last couple of days.  I seem to work in bursts of creativity/motivation because I haven't been this productive all summer.  I digress.

The first bit of code I wrote a couple of days ago is a script ( that automates the collection and publication of security headlines to my site.  The resources being accessed are publicly available RSS feeds that are simply retrieved, organized and posted to the links page of the site.  This action occurs every morning right around the time I get up -- ready to read the latest, of course.  Further, I'd like to separate the link collection by type and possibly implement different update intervals for each type (e.g. vulns get updated hourly, etc.).  For now this will work as a centralized location for my daily digest.
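The feed-to-links-page step, as an added example (not the script from this post): it parses RSS 2.0 with the standard library, drops items whose link is not http(s), and HTML-escapes every field so a hostile feed cannot inject markup into the published page. The feed text is a constructed sample standing in for a live fetch.

```python
"""Build a daily security-headline links page from RSS feed bodies.

Added example, not the author's script. Feeds are untrusted input to the
page generator, so links are scheme-checked and all text is escaped.
"""
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed. Item 2 carries a script tag in its title, item 3
# a javascript: link and item 4 no link at all, to exercise each defence.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Vuln Feed (constructed sample)</title>
<item><title>Example advisory: overflow in widget parser</title>
<link>https://example.org/advisory/1</link></item>
<item><title>&lt;script&gt;alert(1)&lt;/script&gt; hostile title</title>
<link>https://example.org/advisory/2</link></item>
<item><title>Tool release</title><link>javascript:alert(1)</link></item>
<item><title>No link at all</title></item>
</channel></rss>"""

ALLOWED_SCHEMES = {"http", "https"}


def parse_feed(xml_text):
    """Return (feed_title, [(title, link), ...]) from RSS 2.0 text.

    Items with no title, no link, or a non-http(s) link are dropped rather
    than published.
    """
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    feed_title = (channel.findtext("title") or "untitled").strip()
    items = []
    for item in channel.findall("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        if not title or urlsplit(link).scheme.lower() not in ALLOWED_SCHEMES:
            continue
        items.append((title, link))
    return feed_title, items


def render_links_page(feeds):
    """Render a list of (feed_title, items) pairs as an HTML links page."""
    parts = ["<html><body><h1>Daily Security Headlines</h1>"]
    for feed_title, items in feeds:
        parts.append("<h2>%s</h2><ul>" % html.escape(feed_title))
        for title, link in items:
            # Escape both the attribute value and the visible text.
            parts.append('<li><a href="%s" rel="noopener noreferrer">%s</a></li>'
                         % (html.escape(link, quote=True), html.escape(title)))
        parts.append("</ul>")
    parts.append("</body></html>")
    return "\n".join(parts)


def build_digest(feed_texts):
    """Parse every feed body and return the finished page as a string."""
    return render_links_page([parse_feed(t) for t in feed_texts])


if __name__ == "__main__":
    print(build_digest([SAMPLE_FEED]))
```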

Once I started thinking about what my daily digest should consist of, I tracked down an old cronjob I used to have configured on an old linux host of mine.  It would fire in the mornings and hit my inbox with something to watch, something to read, and a tool to play with.  I have some aspirations of turning it into my CIDST training script, but my students lost interest early on and I went back to the drawing board.

That old training email cron job worked out perfectly as a daily reminder to maintain a continuous learning habit.  I simply converted the output method from email to HTML page construction.  Naturally this led me to visualizing what the training room would consist of, and I began to build that out.  (More on that later.)

When I recognized that I needed a quicker way to create web pages from my existing template, I decided to modularize page creation, view, and upload functions so I could make quick additions to the site as needed.  The code works great, it just needs an upload function and the ability to read from an external file/resource.  By the way, my Urlkel module for working with pages and links has come in extremely handy in my testing and development.

Finally, a major piece of the puzzle has been solved with my newly designed custom data structure for all OSINT content.  It came to me in a flash and I realized how the entire resource (Bazzell's Book) can be operationalized.  I began by visiting Bazzell's site and scraping out the links provided in the book.  I placed them in the structure design I set up after analyzing the content layout, and now I have an interactive console that will potentially be able to execute huge collective searches on one target.  The initial goal for this collection of not-yet-fully-operationalized content is to enumerate the search query syntax for each so I can throw a single argument at a huge collection of online resources and then sift through the results.  This is much more effective than visiting a site manually (or even via a bookmark) -- plus I just like the idea of executing bulk searches from the CLI.

OSS Developments
Operational Security Software is a vision I have that combines operational security practices with rapid software development and data visualization.  Python just happens to be the perfect language for this, as its dynamic nature allows you to build out core functionality at a rapid pace, and even build a GUI in real time.  Python provides the perfect technology to build an interactive offensive and defensive security framework to use in all disciplines of Adversarial Informatics Combat.

Python is an elegant language, and because of this, many tasks can be completed in very few lines of code.  This means that almost any aspect of R&B (red/blue) teaming can be condensed into a script, or even a highly cohesive module of methods that accomplish complicated tasks in real time.  With this theory in mind, I've been collecting and organizing code examples from a variety of resources with the intention of integrating the collection into the AIC module (after I complete the search functionality).  I believe such a collection of searchable code will be extremely beneficial in practice, on the job, and in the field.

Most of the best code examples come from the textbooks.  I simply download the freely available code and learn by example.  Who has time to read the books these days anyway?  Currently the OSS collection includes the source code from:

  • Black Hat Python (100%)

  • Gray Hat Python (100%)

  • Offensive Countermeasures (all the Python code)

  • SPSE Training Course (100%)

  • Understanding Network Hacks (just started importing)

I hopped onto Packt Publishing's website and created a fake profile so I could download more source.  Their selection of books is quite impressive, to say the least.  While I don't think it's all required reading material, the code examples are excellent and should be explored.  I'll be importing the source code of the following books into the repo:

  • Python Penetration Testing Essentials

  • Python High Performance Programming

  • Python for Secret Agents

  • Building Machine Learning Systems with Python

  • Python Network Programming Cookbook

  • Python Data Visualization Cookbook

  • Python Web Penetration Testing Cookbook

I might remove the Machine Learning Systems, but I feel like the examples will apply to Security Engineering Science in the near future -- it's just a matter of time.  In fact, Security Engineering Science will come out of Big Data and the birth of the Security Data Scientist.

There's something to be said for having all of that instantly usable code at your fingertips.  The ability to quickly pull up and adapt workable source will eventually be critical to success on the field of battle.  I say this because I realize that the power is in the plan.

This is essentially the core philosophy of AIC.


I also realized that I can start to design my operational training activities around the outline that already exists in the AIC module itself.  For one, it's in logical order (as I designed it that way), so you can step through each process of a test or task in order.  Which also reminds me of something else I can add to the functionality.  Because one of my main goals is to develop a training regimen, I should implement a training mode in the module that incorporates a timeclock/procedure feature that can track your speed and progress through things like "Post Ex" procedures.  This promotes one of the core philosophies of AIC -- that system and network navigation should be second nature.  I will integrate the timeclock I wrote for tracking my time at work into the module.

Weekend Theoretical Ramblings
Yesterday evening I meditated in the middle of my office, right after a workout.  It was relieving, impromptu and unprecedented, and left me clear minded for the rest of the night.  During the meditation my mind would wander, eventually leading up to a breakthrough or idea based on my most recent encounters and developments in my research and tradecraft.  (For some reason I want to call it cyber tradecraft, but I think that's ridiculous.)  It became a common occurrence.  In attempts to clear my thoughts, I would more or less hyper-focus on the problems I encountered during the day and formulate a rather elegant solution or two.  That's when I grabbed a legal pad.  This brought me to two revelations: one, it makes me realize I'm far too overstimulated to solve problems like I used to, and two, I need to shut down everything and meditate (solve problems) like this more often.

It's important to let your mind clear and consequently work out the issues you're presently plagued with.  I remember reading that most hacking occurs away from the keyboard.  I believe this more now than I ever have.  Hacking occurs when an idea is conjured up, written down, scratch-a-napkin designed, and eventually implemented at 1am after a couple pints and a rowdy good time at the local pub.  Hacking is creatively coming to a conclusion (or solution) after trudging over a problem for weeks, to only have it come to you in the shower a couple of days before it's due.

These days I've learned to operationalize my activities.  "Offensive Operationalization" is what I should call it.  It's the practice of treating offensive security as an abstract adversarial sport with fields (networks), moves (attacks), combos (chained attacks), and enhancers (scripts/automation).

Network security and penetration testing can be broken down into multiple categories and phases.  There are tools and procedures that coincide with each phase in order to perform the necessary steps to acquire the critical information.  Every phase in the penetration testing cycle has a key deliverable.  These key deliverables should be the primary focus of each step, mainly to keep things simple and focused.  The better focused one is on the goal at hand, the easier it will be to accomplish the goal.  This relates back to the idea that the majority of hacking is performed away from the keyboard.  Once you touch the keyboard, you should already know exactly what it is you're about to do.  Training, reps, and drilling home AIC concepts will allow one to adapt in environments where plans are disrupted by outside factors.

Mnemonics for the PENTRN process

#Daily Learns

[+] Use the 'which' command in NIX to identify the full path of executables in the $PATH environment variable.


Operation Prince of Pima

Attack Path
Access to the wireless AP: pw: inthe*****
MITM of a host on the network: ettercap -T -M arp:oneway,remote /target1/ /target2/
Capture MITM traffic content: tcpdump -i eth0 -XX host [target]
Capture cleartext password packets: tcpdump -vvXX -i eth0 host [target] -w newcapture.pcap
Extract the password strings: strings newcapture.pcap | grep "os_username"
//Someone uses the same password for everything.  Developers are stupid like that.
//Find someone that has their primary password the same as their work passwords.
Find a way to log someone out, based on the capture of their JSESSIONID:

Tools and the Tetris Effect
I recently downloaded Parrot 1.9 to test out.  It's an alternative to Kali.  It could be interesting.

Instead of using EasyIDS, I'm looking into SmoothSec 3.4.1 in the virtual lab.  Also, the virtual lab's license key is about to expire.  I need to either crack it, find a key online, or roll back the install.

Web2Py was also downloaded this morning.  I have some limited experience ripping it apart and looking at source, but I haven't built anything with it.  My boss and one of my co-workers don't like it.  I don't have a reason not to like it yet so I'll hold off on judging it.


Using the failed authentication notifier I built last summer, I'm going to put together an automated daily training program that will randomly generate daily objectives to promote continuous learning.  The daily emails will be fired off at 6am and will include the following:

  • Something to read

  • Something to watch

  • A tool to learn or play with

  • A recon/enumeration assignment

  • A coding assignment

All of this came about when I was driving in this morning listening to the audio of a YouTube video.  I became frustrated because what I was listening to is not what I'm interested in learning and expanding upon right now.  That's when it hit me: you listen to and watch videos to either A) improve understanding of concept(s) you're unfamiliar with or B) introduce yourself to new areas you haven't explored.

There's so much media and content readily available that it comes back to the individual and what they want to focus on.  For example, I know that I could brush up on my crypto knowledge, so I should listen to more crypto talks and vids.  Saturation is a good thing -- to an extent.

Repetition Training
Before I head out, I'm tossing around ideas of implementing this in SL4A, or whatever the hell it's called now.  I'd like voice rec, but starting off, I don't think it'll need it.  It'll be interesting to test, however.

#Module contains Stimulus and Syntax (S&S), lists, and procedures

[List] List 10 reliable sources for OSINT data recon when researching an individual.
[List] List 10 reliable sources for OSINT data recon when researching an organization.

[S&S] Syntax for ping sweep
[S&S] Syntax for TCP scan, & when and why to use it
[S&S] Syntax for SCTP scan & when and why to use it
[S&S] Syntax for UDP scan & when and why to use it
[S&S] Syntax for Maimon scan & when and why to use it
[S&S] Syntax for Idle scan & when and why to use it
[S&S] Syntax for ACK scan & when and why to use it
[S&S] Syntax for SYN scan & when and why to use it
[S&S] Syntax for Window scan & when and why to use it
[S&S] Syntax for FIN scan & when and why to use it
[S&S] Syntax for NULL scan & when and why to use it
[S&S] Syntax for XMAS scan & when and why to use it
[List] List 12 services to immediately scan for when assessing a new network

[Proc] Detail the steps for pivoting from a compromised machine
[List] Name 3 common vulnerabilities with exploits for OpenSSH
[List] Name 3 common vulnerabilities with exploits for Apache
[List] Name 3 common vulnerabilities with exploits for IE
[List] Name 3 common vulnerabilities with exploits for Mozilla Firefox
[List] Name 3 common vulnerabilities with exploits for Chrome
[List] Name 3 common vulnerabilities with exploits for Windows
[List] Name 3 common vulnerabilities with exploits for UbuntuServer
[List] Name 3 common vulnerabilities with exploits for any FTP package
[List] Name 3 common vulnerabilities with exploits for IIS

[S&S] Syntax for adding a user on windows
[S&S] Syntax for adding a user on linux
[S&S] Syntax for natively cycling through a file on windows (FOR loop)
[S&S] Syntax for natively cycling through a file on linux (FOR loop)

Adversarial Informatics (Revisiting the Program)
#Adversarial Informatics
I want to find the quickest, easiest way of performing these actions, wrap them up in something I call operationalization, and practice the hell out of them so they become second nature.

Pygame for Linux -> Kali -> PENTRN -> USB Game Controller for Penetration Testing engagements
    Shoulder buttons would allow you to cycle through techniques to map to an attack button.
A lot of experts say that to really learn how to improve your skills you need hands-on training, which I agree with.  However, there's a lot to be said about the procedural nature of security work.  Yes, it's important to understand the fundamentals of the technologies, but when you get to the point where you only want to be better and ultimately faster, the old adage still applies: repetition is king.

The goal behind Adversarial Informatics is to devise a system that will reprogram the brain of the target to the point where all techniques, tactics and procedures are firmly ingrained in the operative's mind.

Adversarial Informatics students will not take the traditional route anymore.  The goal is to program them for war.
    [+] Flash Card Style:  Application to constantly review attacks and TTPs
    [+] Lab Training:  Goal-based, hands-on program
    [+] Recorded Content:  Pre-recorded or self-recorded MP3s that cover attacks, TTPs, and concepts
    [+] Syntax Matching game:  Syntax matching game that solidifies

7 Intelligences:
    Linguistic intelligence - describe the material out loud, or use question and answer format.
    Logical-mathematical intelligence - use a flowchart or diagram for the material.
    Spatial intelligence - make an image of the material.
    Musical intelligence - play background music as you learn.
    Interpersonal intelligence - teach someone else.
    Intrapersonal intelligence - ruminate on the material.
    Bodily-kinesthetic intelligence - use index cards sorted in different ways.

GOAL: "Complete Recall"


In an effort to improve and develop advanced skills quickly, I propose the goal-oriented approach.

#Fuzzing Engines and Optimization [ GOAL:  To improve the ability to discover new vulnerabilities ]
 [Level 1] Write a remote fuzzer for a remote FTP service.  Fuzzer should enumerate all commands, test them, track crashes, and generate a report.  (30pts)
 [Level 2] Write a fuzzer using ctypes for a local PE.  Use GHP as a guide.  Fuzzer should track data entry points and crashes.  (75pts)

#Security Visualization [ GOAL:  To ensure security data can be made consumable in a timely fashion ]
 [Level 1] Develop a framework that will take a list of hosts and an additional column of arbitrary data and graph it in an HTML page.  (30pts)
 [Level 2] Develop a web based UI that is interactive.  Data sources vary.  Ensure the design is scalable and supports extensibility.  (60pts)

# Penetration Testing Techniques  [ GOAL: To ensure the skills needed to locate and enumerate potential points of entry are memorized and made second nature ]
 [Level 1] Write a script that will take an argument and search all the OSINT sites in the CIDST module by opening a new window with new tabs that show the results
 [Level 1] "Still, the skill most valuable for penetration testing is the ability to locate and enumerate potential points of entry."
 [Level 1a] Operationalize the detection, service identification, and organization of common/vulnerable network services.  Solution should ensure all data is structured and searchable.  (50pts)
 [Level 2b] Develop a solution that can maintain a collection of C&P content for organization, tracking, searchability and reporting.  (60pts)
# Post Exploitation Training  [ GOAL:  To solidify immediate actions to take upon the compromise of an asset ]
 [Level 1] Pop a Win10.1 box in the lab and walk through the McCray Standard Procedure (in CIDST) (10pts/walkthrough)
 [Level 2] Master the McCray Standard Procedure so the steps can be performed by second nature      (50pts)
 [Level 2] Develop and publish your own PostEx procedures for Windows, WinServer, *nix (15pts/each)
 [Level 2a] Master each specific procedure so the steps can be performed from memory and/or by second nature (50pts)
 [Level 3] Memorize Common Persistence Techniques for Windows / Unix (50pts per OS mastered)
# Exploit Development [ GOAL:  To further develop the skillset to write custom exploit code for new vulnerabilities ]
 [Level 1] Identify an exploit, interpret the code and port it to a different language.  (50pts for ported code that works)
 [Level 4] Download a beginner-level Crackme and develop an exploit for one of its vulnerabilities.  (100pts)

  [+]     Components of Defending
        [-] Firewalls/ACLs
        [-] IDS Systems
        [-] WAF Systems
        [-] HIDS
        [-] Open Source Tools
  [+]   Incident Response / Digital Forensics
  [+]     Hunting / IoC Detection

(no subject)
Considering my current and socially limiting situation, I'm going to make it a point to not only blog every day, but to update my CI site every day as well.  And that is all I have to say about that.

I've got some work to do tonight.  I'm sorely behind in a lot of my work and it makes me anxious.

I just downloaded Just-Metadata-1.0.  It's command line driven so it's cool.  I'll write up a review later.


I dug up an old post from 09 detailing the only things I find interesting about security:

  •       Packet Creation

  •       Network Device Testing / Evasion

  •       Socket Programming (Python, C#)

  •       Remote Vulnerabilities

  •       Archiving Shellcode (accessibility, custom exploit libraries, custom exploits)

  •       Interworkings of DNS

  •       DNS Flaws and Vulns

  •       Python for Pentesters

That was 5 years ago.  And I have to admit, I'm rather versed in most of those categories (which just proves the power of writing things down -- they become almost official).  My new list includes the following:

  • Developing fuzzing engines and optimization

  • Security visualization

  • Penetration testing techniques and efficiency improvement

  • Post exploitation training

  • Security Testing Labs and Environments

  • All things CLI

  • Reverse engineering

  • Malware development / Persistence techniques

The vision outweighs the acquired technical skill.  The vision is to first develop a framework/curriculum to turn offensive security into a practice akin to playing a fighting game.  I'll have to explore more of this later.

(no subject)
So... fuckin Brian K. Fite has been essentially working on my idea with his Simulating Cyber Operations paper that was released last year.  It's got some interesting tidbits in it, but the point is to develop a framework for cyber operations wargames.  Sound familiar?  Yeah, my Combat Informatics program is sorely behind -- especially because entities like Packetwars have already begun to adopt his Simulation Definition Language (SDL).

Anyway, the content that I read and listened to this morning exposed me to a variety of programs, documents, models and frameworks that attempt to define the necessary skills and curricula needed to adequately conduct adversarial operations.  Below are those I feel are worth exploring and expanding upon.

(Adversarial Informatics)  <--- I like that better than Combat Informatics

Fite's approach is to standardize cyber operations training into a language and framework that can be used to describe environments and training exercises.  His SDL consists of 9 primary object types called Primitives:

  • Node:  Any element with OSI connectivity

    • Name:

    • Host/Gateway:

    • Operating System

    • Interface Address(es)

    • Routing Table

    • ARP table

    • Listening ports

    • Optional: (Accounts, applications, artifact and services)

  • Network:  Communication path between nodes (OSI 1-3)

    • Name

    • Layer 1 (Protocol, Address, Domain [Pub/Priv/DMZ])

    • Layer 2 (Protocol, Address, Domain [Pub/Priv/DMZ])

    • Layer 3 (Port, Protocol, Address, Domain[Pub/Priv/DMZ])

    • Optional: (Routing, Capacity, ACL’s, Local/Remote flag)

  • Software:  An operating system, utility, application or service

    • Name

    • Vendor

    • Version

    • Optional:  (Dependencies, Requirements, Files, File Sizes, File Hashes, Config, Comments)

  • Artifact:  A file or credentials

    • Name:

    • Media Type

    • Artifact Type (binary, service element, identity element, informational message)

  • Constraint:  Simulation limiting shape that defines range of motion

    • Name:

    • Constraint Type: (Environmental or Capability)

  • Objective:  The relative goals of a simulation

    • Name

    • Objective Class: (Attacker, Defender, Assessment)

    • Objective Type (Intel, Compromise, Escalate Priv, Exfil, Destroy, Disrupt, Degrade, Deny, Deceive, Exploit, Influence, Protect, Detect, Restore and Respond).

    • Objective and Attestation Method (key, flag, file, shared secret, hash file, moderator observation or demonstrate capability)

  • Actor:  Human participant in an active simulation

    • Name

    • Alignment: (Attacker, Defender, Both or Neutral)

    • Actor Class

    • Role

    • Capabilities

    • Handicap

  • Process:  The workflow associated with a pre-defined simulation element

    • Name

    • Function Description

    • Function Flowchart

  • Message:  Information, data or instructions between elements

    • Name

    • Media Type (live, written/proposal, email, sms/text, file, audio or video)

Fite's paper and model use the above layout to standardize language so scenarios can be defined for training exercises.  The example in the paper is as follows:

“Your mission is to identify your adversary’s security posture by enumerating the attack surface represented by their external network address. You must submit your findings by 17:00 ET today (1 hour from now).”
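The primitives listed above and this sample mission, encoded as data: an added example, not code from Fite's paper or from the AIC module. The enumerations are copied from the primitive list, each object rejects a value outside its enumeration so a scenario file cannot silently carry a misspelled objective type, and the field names, zone names and the 203.0.113.10 address are my own constructed placeholders.

```python
"""Model a subset of the SDL primitives and encode the paper's sample mission.

Added example. Only the fields needed for the sample mission are modelled;
the enumerated values come from the primitive list in the post.
"""
from dataclasses import dataclass, field, asdict

OBJECTIVE_CLASSES = {"Attacker", "Defender", "Assessment"}
OBJECTIVE_TYPES = {"Intel", "Compromise", "Escalate Priv", "Exfil", "Destroy",
                   "Disrupt", "Degrade", "Deny", "Deceive", "Exploit",
                   "Influence", "Protect", "Detect", "Restore", "Respond"}
ATTESTATION_METHODS = {"key", "flag", "file", "shared secret", "hash file",
                       "moderator observation", "demonstrate capability"}
ALIGNMENTS = {"Attacker", "Defender", "Both", "Neutral"}
CONSTRAINT_TYPES = {"Environmental", "Capability"}


def _check(value, allowed, what):
    """Reject any value that is not one of the SDL's enumerated choices."""
    if value not in allowed:
        raise ValueError("%s %r not in %s" % (what, value, sorted(allowed)))
    return value


@dataclass
class Node:
    name: str
    operating_system: str
    interface_addresses: list = field(default_factory=list)
    listening_ports: list = field(default_factory=list)


@dataclass
class Constraint:
    name: str
    constraint_type: str

    def __post_init__(self):
        _check(self.constraint_type, CONSTRAINT_TYPES, "constraint type")


@dataclass
class Objective:
    name: str
    objective_class: str
    objective_type: str
    attestation_method: str
    deadline: str = ""

    def __post_init__(self):
        _check(self.objective_class, OBJECTIVE_CLASSES, "objective class")
        _check(self.objective_type, OBJECTIVE_TYPES, "objective type")
        _check(self.attestation_method, ATTESTATION_METHODS, "attestation method")


@dataclass
class Actor:
    name: str
    alignment: str
    role: str = ""

    def __post_init__(self):
        _check(self.alignment, ALIGNMENTS, "alignment")


@dataclass
class Scenario:
    name: str
    nodes: list
    actors: list
    objectives: list
    constraints: list

    def to_dict(self):
        """Plain nested dicts, ready to dump as JSON or YAML for a lab run."""
        return asdict(self)


def sample_mission():
    """The paper's example: enumerate the adversary's external attack surface
    within one hour. Names and the address are constructed placeholders."""
    return Scenario(
        name="Identify adversary security posture",
        nodes=[Node("adversary-edge", "unknown", ["203.0.113.10"])],
        actors=[Actor("red-1", "Attacker", role="assessor")],
        objectives=[Objective("Enumerate external attack surface", "Assessment",
                              "Intel", "file", deadline="17:00 ET")],
        constraints=[Constraint("one hour time box", "Environmental")],
    )
```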

This is an interesting approach.  I developed something similar in 2011, as I recognized the need for objective/goal based exercises to develop skill.  I can borrow Fite's framework to expand upon my work and design a repeatable approach to practicing in my newly built out virtual environment.


In 2006, the US Chairman of the Joint Chiefs of Staff identified 11 core capabilities that need to be developed and perfected in order for the US to "gain and maintain information superiority."  As I looked at this, I realized it was close to my DST model (minus the Surveillance and Theft aspects).  The US Joint Forces doctrine defines the following skill-based categories as areas that need to be mastered in the adversarial informatics space in order to maintain cyber operations superiority:

  • Destroy

  • Disrupt

  • Degrade

  • Deny

  • Deceive

  • Exploit

  • Influence

  • Protect

  • Detect

  • Restore

  • Respond

Finally, the paper provides a list of well-known simulations that I'll be exploring in the coming days.  They are as follows:


Professional hacking is becoming a sport -- as I knew it always would.  And with that, there's an added incentive to learn... competition and employability.  IMHO, viewing hacking, and thus learning about hacking/security, as a game is the best motivation to practice and learn.  Having an interest in computer security doesn't mean you're a criminal anymore.  And striving to improve your skillset can be as appealing as sitting down to session in Tekken.

Future Blog/Topic:  Adversarial Informatics:  Exploring The Fighting Game Model

Home Lab Configuration Goals
My new virtual pentest lab is up, running, and not quite fully configured.  At this point, policy needs to be established for all of the access control components.

The border router needs ACL's to allow traffic to the firewall (

The border router needs an Any Any egress policy (as of right now).

The firewall needs to allow TCP/80, 443, and SSH from the perimeter VLAN into the DMZ network segment (
The only open services available to the "public" in my private network are *=(80,443,22).  Everything else is just uncivilized.

Internal network hosts need access to the web and only the web.  Internal hosts should not be able to communicate with DMZ hosts -- only vice versa.
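The firewall part of this policy as a checkable rule table, an added example rather than the lab's actual router or firewall configuration: the zones, services and directions are taken from the post, evaluation is first match with an implicit default deny, and audit_policy() is my own check that flags any unrestricted allow rule from a less-trusted zone into a more-trusted one (the zone trust levels are assumed).

```python
"""Evaluate the home-lab access policy from the post.

Added example, not the lab's real configuration. Each Rule is one line of
the post's policy; anything not explicitly allowed is denied.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "src dst proto ports action")
ANY = "*"

# The post's public services: *=(80,443,22).
PUBLIC_SERVICES = frozenset({80, 443, 22})
WEB_PORTS = frozenset({80, 443})

# Assumed zone trust levels: higher means more sensitive.
TRUST = {"internet": 0, "perimeter": 1, "dmz": 2, "internal": 3}

POLICY = [
    # Firewall: TCP 80/443 and SSH from the perimeter VLAN into the DMZ.
    Rule("perimeter", "dmz", "tcp", PUBLIC_SERVICES, "allow"),
    # Internal hosts need access to the web and only the web.
    Rule("internal", "internet", "tcp", WEB_PORTS, "allow"),
    # Internal hosts must not reach DMZ hosts ...
    Rule("internal", "dmz", ANY, ANY, "deny"),
    # ... "only vice versa", exactly as the post states it.
    Rule("dmz", "internal", ANY, ANY, "allow"),
]


def evaluate(src, dst, proto, port, policy=POLICY):
    """Return 'allow' or 'deny' for one flow; unmatched flows are denied."""
    for r in policy:
        if r.src != src or r.dst != dst:
            continue
        if r.proto != ANY and r.proto != proto:
            continue
        if r.ports != ANY and port not in r.ports:
            continue
        return r.action          # first match wins
    return "deny"                # implicit default deny


def audit_policy(policy=POLICY, trust=TRUST):
    """List allow rules that open a less-trusted zone into a more-trusted
    one without restricting protocol or ports."""
    findings = []
    for r in policy:
        if (r.action == "allow" and trust[r.src] < trust[r.dst]
                and r.proto == ANY and r.ports == ANY):
            findings.append("%s -> %s: unrestricted allow into higher-trust zone"
                            % (r.src, r.dst))
    return findings


if __name__ == "__main__":
    for flow in [("perimeter", "dmz", "tcp", 443), ("perimeter", "dmz", "tcp", 3389),
                 ("internal", "internet", "tcp", 80), ("internal", "dmz", "tcp", 22),
                 ("dmz", "internal", "tcp", 445)]:
        print(flow, evaluate(*flow))
    for finding in audit_policy():
        print("AUDIT:", finding)
```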

More on this later.  Gotta run.

