JewelRunner: quickly analyze tcp/ip traffic for a target host and create host-based firewall rules

  1. https://github.com/kbandla/dpkt/blob/master/examples/print_packets.py
  2. http://www.commercialventvac.com/dpkt.html
  3. http://engineering-notebook.readthedocs.io/en/latest/engineering/dpkt.html
  4. https://jon.oberheide.org/blog/2008/10/15/dpkt-tutorial-2-parsing-a-pcap-file/
  5. http://dpkt.readthedocs.io/en/latest/print_icmp.html
  6. https://github.com/jeffsilverm/dpkt_doc/blob/master/decode_tcp_iterator_2.py
  7. http://patgardner.blogspot.com/2008/07/solaris-10-ipfilter.html
  8. https://gist.github.com/garrettdreyfus/8153571
  9. http://patgardner.blogspot.com/2008/07/solaris-10-ipfilter.html
  10. https://stackoverflow.com/questions/13464152/typeerror-unhashable-type-list-when-using-built-in-set-function
  11. https://web.stanford.edu/~ssklar/articles/ipsec-filtering.html
  12. http://www.unisys.com/offerings/security-solutions/unisys-stealth-products-and-services
  13. https://www.illumio.com/home

Adopted from original scripts created by:

brifordwylie @ https://github.com/brifordwylie
RemiDesgrange @ https://github.com/RemiDesgrange
saylenty @ https://github.com/saylenty




JewelRunner is intended to quickly analyze tcp/ip traffic for a target host and create host-based firewall rules in support of micro-segmentation activities. In its current form it will:
  • Parse pcap files and summarize tcp/ip traffic to and from a target IP;
  • Parse ipFilter (Solaris) log files and generate firewall rules; and
  • Parse ipSec (AIX) logs and generate firewall rules.

JewelRunner was built and tested with Python 2.7.14+.




The set-up is relatively simple. The required modules may be installed using the command below:

pip install -r /path/to/requirements.txt


Parse pcap file and analyze traffic for target IP
./jewelRunner.py -f /path/to/file.pcap -io pcap -target

Parse pcap file and analyze traffic between target IP and
./jewelRunner.py -f /path/to/file.pcap -io pcap -target -filter

Parse ipFilter log for target IP and create host-based firewall rule set
./jewelRunner.py -f /path/to/ipfilter.log -io ipfilter -target

Parse ipFilter log for target IP, isolate entries for and create host-based firewall rule set
./jewelRunner.py -f /path/to/ipfilter.log -io ipfilter -target -filter

Parse ipSec log for target IP and create host-based firewall rule set
./jewelRunner.py -f /path/to/ipsec.log -io ipsec -target

Parse ipSec log for target IP, isolate entries for and create host-based firewall rule set
./jewelRunner.py -f /path/to/ipsec.log -io ipsec -target -filter

  • I have tried to include references wherever I borrowed from others. If I have missed someone, it was unintentional, lest I incur the wrath of the squirrel man.
  • In retrospect I should have done this in Bro-Script. This is on my list. I'd also like to try using scapy to create and deploy the rules in real time as packets are read.
  • This code is inefficient. Several functions are repeated in each module. Future work includes plans for the creation of a utility module to consolidate these functions.
  • The higher port is always assumed to be the initiator of the connection. This may not always be the case.
  • JewelRunner will not create rules for high-port (>50000) to high-port traffic. However, it will report these flows in the output.
  • JewelRunner will not create rules for low-port (< 1023) to low-port traffic. However, it will report these flows in the output.
  • When a filter IP is specified, jewelRunner makes no assumptions about the source port (i.e. > 1023) when creating the host-based firewall rules. Rules will be created using the source port specified in the log file. It is up to the user to generalize these rules later on.
  • JewelRunner assumes that any traffic it sees is allowed. Any rules should be ultimately adjudicated by the application and product teams.
  • JewelRunner is intended to support "proof-of-concept" activities for micro-segmentation. There are several Enterprise tools that will do this far more effectively at the enterprise level (12, 13).
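The pcap mode and the port heuristics above (higher port is the initiator; no rules for high-to-high or low-to-low flows, which are reported instead) in working form. This is an added example, not JewelRunner's own code: it uses a hand-rolled pcap/Ethernet/IPv4/TCP reader instead of dpkt, builds its own constructed pcap input, and the ipfilter rule syntax it emits is an assumed illustration rather than the tool's exact output.

```python
import socket
import struct

TARGET = "10.0.0.5"  # constructed target host; stands in for the -target argument

def build_pcap(frames):
    """Wrap raw Ethernet frames in a minimal libpcap file (constructed test input)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, dst, sport, dport):
    """Ethernet/IPv4/TCP frame carrying only the fields iter_tcp() reads."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def iter_tcp(pcap):
    """Yield (src, dst, sport, dport) for each IPv4/TCP packet in a pcap byte string."""
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not Ethernet/IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, dst, sport, dport

def flows_for_target(pcap, target=TARGET):
    """Collapse packets into unique (client, client_port, server, service_port) flows
    touching target. JewelRunner's heuristic: the higher port is the initiator."""
    flows = set()  # tuples are hashable; lists are not (README reference 10)
    for src, dst, sport, dport in iter_tcp(pcap):
        if target not in (src, dst):
            continue
        if sport > dport:
            flows.add((src, sport, dst, dport))
        else:
            flows.add((dst, dport, src, sport))
    return sorted(flows)

def make_rules(pcap, target=TARGET):
    """Emit ipfilter-style rules (syntax assumed); flows the README reports but
    does not rule on (high-to-high, low-to-low) are returned separately."""
    rules, report_only = [], []
    for client, cport, server, svc in flows_for_target(pcap, target):
        if (cport > 50000 and svc > 50000) or (cport < 1023 and svc < 1023):
            report_only.append((client, cport, server, svc))
        elif server == target:
            rules.append(f"pass in quick proto tcp from {client} to {target} port = {svc} flags S keep state")
        else:
            rules.append(f"pass out quick proto tcp from {target} to {server} port = {svc} flags S keep state")
    return rules, report_only
```

As the README notes, every flow seen is treated as allowed; the report-only list is where a reviewer should look for flows that deserve a decision rather than an automatic rule.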

  1. Add support for iptables
  2. Give user the choice to create specific flavor of firewall rules using pcap contents
  3. Filter out passive ftp traffic
  4. Parse ipv6
  5. Handle broadcast traffic
  6. Add option for file output
  7. Add feature that will make recommendations to consolidate rules from single IPs to VLANs
  8. Add ephemeral cmd line switch to clean up ports
  9. Remove redundancies. Create module for utility functions.


Configuring Kismet for the Hak5 Wifi Pineapple Nano from Factory Reset

Just documenting some steps and gotchas ... tired of having notes in three different places and fighting through it every time.


- Firmware

- Set-up script

[*] GEAR
- Hak5 Wifi Pineapple Nano - firmware version 1.1.3
- GPS dongle - Model Number - BU-353S4
- Kali (2.0 rolling) running on host laptop

- Wifi Pineapple Nano is disconnected
- GPS dongle is disconnected
- Boot up Kali 2.0 host laptop
- Open terminal window
- Run the wp6.sh script from the Hak5 github repository
---> choose "G" for guided
---> verify that the correct internet interfaces are chosen for internet access on the laptop
---> connect wifi pineapple when prompted
---> choose "C" to apply settings and exit
- After running the script, the IPs for the host and Wifi Pineapple Nano are:
---> Kali 2.0 -
---> Wifi Pineapple Nano -

- Install the following packages on the Kali 2.0 host
> apt-get install gpsd
> apt-get install gpsd-clients
> apt-get install libgps-dev
> apt-get install libgps22

- Verify that the routing table on the host resembles the example below:
> route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 wlan0    <--- Routes connections to the internet
                                                U     0      0        0 eth1     <--- This is the IP assigned to the host by the Wifi Pineapple Nano via the USB ethernet adapter. The Nano provides DHCP and DNS.
                                                U     600    0        0 wlan0    <--- Local network that the host laptop is connected to

- Browse to
- Choose values for the following
---> administrator password
---> management SSID
---> SSID PSK/passphrase
- Close browser

> ssh root@
- Stop the Pineapple GUI as it wastes resources and it will not be used
> /etc/init.d/nginx stop
- Update all packages
> opkg update

- This is important as it allows clients that connect to the Nano to be routed back out to the internet through the Kali host once we have our way with them 
> route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 br-lan   <--- Routes connections to the internet from the Wifi Pineapple Nano through the Kali 2.0 host @
                                                U     0      0        0 br-lan   <--- Local network that was created by the Wifi Pineapple Nano

- Install kismet client and server
- Check to see if it is already installed
> opkg list-installed|grep kismet
- View available packages
> opkg list|grep kismet
- Install client and server
> opkg --dest sd install kismet-server
> opkg --dest sd install kismet-client

- Download manufacturer list
> wget -O /sd/manuf http://anonsvn.wireshark.org/wireshark/trunk/manuf
- Verify that kismet_client is located in /sd/usr/bin/kismet_client
- Verify that kismet_server is located in /sd/usr/bin/kismet_server
- Create a kismet.conf file and place it in /sd/etc/kismet.conf
- CHECK: make sure that the kismet.conf file points to the manufacturer list located at /sd/manuf
- CHECK: verify that the gps choice is gpsd
- CHECK: when the kismet_client is started it will automatically call the server. However, it calls it at /usr/bin/kismet_server. Unless a sym link is created the Kismet server will error out
- Create sym link
> ln -s /sd/usr/bin/kismet_server /usr/bin/kismet_server
- CHECK: a sym link also needs to be created for the kismet.conf file
- Create sym link
> ln -s /sd/etc/kismet/kismet.conf /etc/kismet/kismet.conf
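The CHECK items above as one re-runnable script. This is an added example, not part of the original notes; it assumes a ROOT prefix argument (empty on the Nano itself, a staging directory for a dry run) and checks only what the notes state: the SD-card binaries, the two symlinks, and that kismet.conf names /sd/manuf and gpsd. Note that the "create kismet.conf" step writes /sd/etc/kismet.conf while the symlink step points at /sd/etc/kismet/kismet.conf; the check follows the symlink's path, so the two must agree.

```sh
#!/bin/sh
# Added example (not the original author's): verify the Kismet layout on the
# Pineapple Nano SD card before starting kismet_client. $1 is an assumed path
# prefix; leave it empty on the device.
check_kismet_layout() {
    root="${1:-}"
    fails=0
    conf="$root/sd/etc/kismet/kismet.conf"   # path the symlink step points at
    for bin in kismet_client kismet_server; do
        [ -x "$root/sd/usr/bin/$bin" ] || { echo "FAIL: /sd/usr/bin/$bin missing or not executable"; fails=$((fails+1)); }
    done
    # kismet_client execs /usr/bin/kismet_server, so that path must link to the SD copy
    [ "$(readlink "$root/usr/bin/kismet_server" 2>/dev/null)" = "/sd/usr/bin/kismet_server" ] \
        || { echo "FAIL: /usr/bin/kismet_server is not a symlink to /sd/usr/bin/kismet_server"; fails=$((fails+1)); }
    [ "$(readlink "$root/etc/kismet/kismet.conf" 2>/dev/null)" = "/sd/etc/kismet/kismet.conf" ] \
        || { echo "FAIL: /etc/kismet/kismet.conf is not a symlink to /sd/etc/kismet/kismet.conf"; fails=$((fails+1)); }
    # manufacturer list and GPS source, as the CHECK items require
    grep -q '/sd/manuf' "$conf" 2>/dev/null || { echo "FAIL: kismet.conf does not reference /sd/manuf"; fails=$((fails+1)); }
    grep -qi 'gpsd' "$conf" 2>/dev/null || { echo "FAIL: kismet.conf does not select gpsd"; fails=$((fails+1)); }
    [ -s "$root/sd/manuf" ] || { echo "FAIL: /sd/manuf is missing or empty"; fails=$((fails+1)); }
    # not fatal: pcaps fill the root overlay fast, so start kismet from /sd/kismet
    [ -d "$root/sd/kismet" ] || echo "WARN: /sd/kismet does not exist; create it and start kismet from there"
    return "$fails"
}
```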

[*] OPTIONAL Install GPS packages directly on the Wifi Pineapple Nano SD card
> cd /sd
> wget https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/libgps_3.7-1_ar71xx.ipk
> wget https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/libgpsd_3.7-1_ar71xx.ipk
> wget https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/gpsd_3.7-1_ar71xx.ipk
> wget https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/gpsd-clients_3.7-1_ar71xx.ipk
> opkg --dest sd install libgps_3.7-1_ar71xx.ipk
> opkg --dest sd install libgpsd_3.7-1_ar71xx.ipk
> opkg --dest sd install gpsd_3.7-1_ar71xx.ipk
> opkg --dest sd install gpsd-clients_3.7-1_ar71xx.ipk
> wget https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/kmod-usb-serial-pl2303_3.3.8-1_ar71xx.ipk
> opkg install kernel kmod-usb-serial-pl2303_3.3.8-1_ar71xx.ipk

- Connect GPS dongle to the Kali 2.0 host laptop
- Start gpsd
> gpsd -G -D 5 -N -n /dev/ttyUSB0
-G ---> listen on all interfaces
-n ---> don't wait for a client to connect
-N ---> don't daemonize
-D ---> set debug level @ 5 
- Verify that a GPS signal is being received. NOTE: There should be lots of activity in the terminal. Wander around a bit and you should see it grab a lat/long and display it in the cgps terminal window
> cgps
> gpsmon

- Place the interface in monitor mode. This may be different depending on your set-up. For me it was wlan1.
> ifconfig wlan1 down
> iwconfig wlan1 mode monitor
> ifconfig wlan1 up
- Verify the configuration
> iwconfig wlan1
wlan1     IEEE 802.11bgn  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm   
          RTS thr:off   Fragment thr:off
          Power Management:off
- CHECK: To avoid running out of space, it helps to start kismet from within the /sd/kismet directory. This is where it will store the pcap files.
- Run the kismet_client
> kismet_client
- Allow it to automatically start the kismet server
- There may be other notices to click through
- Add the wlan1 interface when prompted

- Hit "~" to enter into the Kismet menu
- The arrows keys can now be used to move within the menu
- Be sure to sort by anything other than "Autofit" to drill down into individual networks
- The "!", ".", or blank next to each network is a decay indicator.
---> ! recent activity
---> . less activity
---> <blank> no activity
- Highlight network and press <enter> to see more data about the network


Enumerating Windows Domains with Powershell: DomainEnum v0.1.0

REPO:  https://github.com/pjhartlieb/post-exploitation/tree/master/powershell/DomainEnum

|    p.j.hartlieb
|    powershell post-exploitation
|    DomainEnum module v.0.1.0
|    2015.06.24
|    last verified 2015.06.24

[*] references

## [0] Reference: https://www.veil-framework.com/veil-powerview/
## [1] Reference: http://technet.microsoft.com/en-us/library/ff730967.aspx
## [2] Reference: http://msdn.microsoft.com/en-us/library/system.directoryservices.directorysearcher(v=vs.110).aspx
## [3] Reference: http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry(v=vs.110).aspx

[*] background

The DomainEnum module is intended to support post-exploitation activities from within the user context on the target domain. It will enumerate domain computers, servers, users, emails, groups, group membership(s), sites, subnets, and subnets per site and save the results to one or more files. Whenever possible it will also enumerate computers, servers, users, groups, and group membership per OU. It's really intended to establish situational awareness once you drop onto "patient 0" and set you up to make the most of who you pivot to.

This module was created and tested with:
 Windows Powershell 2.0
 Windows 7 Professional SP1

[*] requirements

- n/a

[*] execution
- Create the following directory structure %USERPROFILE%\documents\windowspowershell\modules\DomainEnum
- Load the contents of the 'DomainEnum' directory into the new directory
- Open terminal
- Type
 >powershell -ExecutionPolicy Bypass -
 PS>import-module DomainEnum
 PS>get-command -module DomainEnum
- All output will be posted to C:\Users\Public\

[*] functionality

- Get-Homebase        identifies the DC and target domain
- Get-Pedigree        returns baseline information from the target host (patient 0)
- Get-Computer        returns all computers in the current domain
- Get-DC              returns the DCs and PDC for the current domain
- Get-Group           returns all groups in the current domain
- Get-GroupUser       returns all users in each group for the current domain
- Get-Server          returns all servers in the current domain
- Get-User            returns all users in the current domain
- Get-Email           returns all email addresses for all users in the current domain
- Get-OU              returns all OUs in the current domain
- Get-OUUser          returns all users for each OU in the current domain
- Get-OUServer        returns all servers for each OU in the current domain
- Get-OUGroup         returns all groups for each OU in the current domain
- Get-OUComputer      returns all computers for each OU in the current domain
- Get-SiteServer      returns all servers for each site in the current domain
- Get-SiteSubnet      returns all subnets for each site in the current domain
- Get-GroupMember     returns all users in a specific group in the current domain
- Get-HighValueGroup  locates high value groups, enumerates their users, and harvests email addresses
- Get-DomainDump      returns all data from all functions

[*] thanks
- Lucius for helping to find those unholy syntax errors and figuring out how to get it to execute hassle free.


yeyo.pl : Quickly harvest user data for a specific organization or keyword


[1] http://www.blackhatlibrary.net/Security101_-_Blackhat_Techniques_-_Hacking_Tutorials_-_Vulnerability_Research_-_Security_Tools:General_disclaimer <---- I borrowed content from here for the disclaimer below.


This script is intended to quickly and easily generate contact information for a specific keyword or organization based on the content returned from www.yatedo.com.  From what I can gather, Yatedo sources its information from publicly available resources on the web and concatenates it all together to present a reasonably accurate user profile.  There is no API and parsing the html seems straightforward.  If you are one of those folks who operates multiple puppet accounts on social media networks (which is a gross violation of the ToS and is not recommended) then this is a good way to whip up some seed accounts to connect with and/or pivot from.  The output is csv formatted as:

First Name, Last Name, Organization, Role


This script violates the ToS for www.yatedo.com and may get you banned.  This script is intended for educational purposes only.  I will not be held liable for a third party's use (or mis-use) of this information in any way.  Readers, end-users, and downloaders of content are responsible for their own actions.  Readers, end-users, and downloaders of content agree not to use content provided for illegal actions.  Content is provided as an educational resource for security researchers and penetration testers.


[*] https://github.com/pjhartlieb/recon-and-mapping/blob/master/yeyo.pl

## caveats
- I am not a programmer.  This script is not nearly as tight and clean as it could/should be.
- Improvements and TBD tasking is captured at the top of the script

## usage
> perl yeyo.pl -k <keyword or organization> -s <sleep time between harvesting contact data>

### output

> perl yeyo.pl -k "benchmade" -s 5

[*] Validating keyword/organization ...
[*] Validating sleep time ...
[*] Keyword entered "benchmade".
[*] Sleep times will be between 0 and 5.

[*] Retrieving frontpage for www.yatedo.com
[*] Yatedo appears to be up
[*] Sleeping for 2 seconds to avoid lockout

[*] Submitting search for benchmade
[*] Search successful. Content retrieved
[*] 20 unique links to users and additional results pages were found on the first page
[*] Cummulative results are here: http://www.yatedo.com/s/companyname%3A((benchmade))/normal
[*] Sleeping for 0 seconds to avoid lockout

[*] Retrieving cumulative results for benchmade
[*] Successful. Content retrieved
[*] 16 Links to users found
[*] 1 Links to additional results pages found

[*] Harvesting user data with sleep times between 0 and 5 seconds between records

[*] 11 suitable users found to date

[*] Retrieving target URLs from results page 2
[*] Successful. Content retrieved
[*] 12 Links to users found
[*] 0 Links to additonal results pages found

[*] Harvesting user data with sleep times between 0 and 5 seconds between records

[*] 11 suitable users found to date

[*] candidate user list

Chuck,Alf,Benchmade of Buffalo,Owner
Lyudmila,Ezersky,Benchmade Inc., Benchmade...,Human Resources Administrator
Dan,Janovicz,Benchmade Knife Company,Manufacturing Engineer
Vance,Collver,Benchmade Knife...,Product Development Manager, Process Development Technician,...
Enzo,Cardillo,Benchmade Leatherworks Inc.,President
Martin (Marty),Mills,Benchmade Knife Company,Manufacturing Engineer
Dillon,Daniel,Benchmade Knife Company,undef|past-role
Kathryn,Delaplain,Benchmade Knife Company,...,Customer Service, Warranty Repair Manager, Multiple
Joe,Verbanac,Benchmade Knife Company,...,Marketing Manager, Sr Art Director
Zack,Hilbourne,Benchmade Knife Company,...,Design Engineer, Mechanical Designer


I would like to port this over to python and share it with the recon-ng community.  Hopefully, folks will find it useful.


Passive Recon: Collapsing your target's wavefunction.

We recently had the opportunity to speak with the fine folks at the Charleston ISSA.  We had a great time and are thankful for the opportunity.  The abstract is included below.  The link is provided at the bottom.


Title: Passive Recon: Collapsing your target's wavefunction.

An open and accurate accounting of the available intelligence for an individual, organization, or business is typically an undervalued component of both offensive and defensive information security activities. From the defender's perspective, it is important to understand how the source, content, and fidelity of publicly available data can affect the overall security posture of the organization. For the attacker, the gathering and analysis of publicly available data, which often includes usernames, emails, hostnames, subnets, technologies deployed, new product initiatives, employee habits, hobbies, and relationships, will provide actionable intelligence products that can be leveraged to gain a foothold in the target organization and provide the foundation for a successful attack. This presentation will cover intelligence sources, gathering and analysis methods, and the supporting toolset. Individual use cases will highlight how a specific piece of information can be developed into an actionable intelligence product that can then be incorporated into a larger attack plan. This presentation also provides suggestions for limiting, detecting, and mitigating against the information that is made available to the public.

Presentation is here