Moshe Kaplan's Blog

Jul 29, 2025 - 12 minute read

Opening a NetLog file with Wireshark

In November 2024, I came across a tweet from Nathan McNulty which taught me something new: Chrome and Edge support capturing network data directly from within the browser and logging it to a file! I did some digging and NetLog is great! This is a full-featured logging mechanism within the browser and it doesn’t require administrator access. And it’s supported in both Chrome (chrome://net-export) and Edge (edge://net-export)!

Wireshark Support?

NetLog is powerful, but its GUI is pretty busy and I’m much more comfortable with using Wireshark to analyze traffic.

Jul 21, 2025 - 9 minute read

Inspecting an Android App's Web Traffic with HTTPS and Cert Pinning

One of the companies I interact with uses an online platform to share photos and videos. The platform has both a website and an Android app. However, the website only displays low-quality thumbnails while the app displays higher-quality photos. I wanted to download the higher-quality pictures in bulk. To do that, I need to examine the underlying API requests so I can mimic them. How can I examine the app’s web requests so I can download the higher-quality photos from my PC?

Mar 18, 2025 - 18 minute read

Implementing Palo Alto Networks' Threat Prevention for Enterprise-Level Threat Blocking

Network intrusion detection systems have been around for decades. However, going from intrusion detection to intrusion prevention can be scary because false positives can break production systems. In this writeup, I describe how I was able to deploy Palo Alto Networks’ threat prevention in blocking mode in an enterprise environment to help us move our network security closer to zero trust. I am also publishing the Python script used to make the bulk firewall changes and create the spreadsheet for analyzing threat alerts.

Dec 4, 2024 - 14 minute read

Implementing SSL Inspection

SSL inspection is an amazing technology for empowering network defenders. However, because it can potentially break every single HTTPS connection in your network, it’s important to deploy it carefully to avoid major outages. This writeup aims to give a basic overview of SSL inspection and how to deploy it in an enterprise environment to help avoid some of those issues.

What is SSL and how does it work?

Internet traffic goes through many devices before it reaches its destination.

Oct 30, 2023 - 15 minute read

Three Months of Net-SNMP

One of our systems had a problem: its SNMP health monitoring was unreliable. The vendor blamed it on the SNMP process using too much memory, causing either the system to run out of memory or the process to be restarted. One of the vendor’s articles stated that the system uses Net-SNMP as the SNMP agent. That led me to a question: could I find and fix the Net-SNMP bugs that were causing problems for us?

Sep 10, 2023 - 4 minute read

New Feature in Wireshark 4.2 – Custom Packet Context Menus

One of the more common challenges in the world of incident response is the multitude of tools in an analyst’s toolbox. Pivoting from one tool to another is often slow, with much copy-pasting between their interfaces. For example, when you’re analyzing a website, you might want to check its reputation on Google Safe Browsing or scan it with SSL Labs. Or when examining traffic to a host, you might want to run ping or traceroute to it.

Jul 24, 2023 - 6 minute read

Analyzing an ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY Error

I recently received an email saying that I needed to schedule an appointment on a website. However, when I attempted to visit the page, Chrome displayed a nasty error message. I had never encountered an ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY error before, and since googling it only turned up pages that didn’t explain the issue, my next step was obvious: analyze the traffic with Wireshark!

Analyzing the TCP session in Wireshark

To prepare for the analysis, I configured my browser to store TLS secrets and Wireshark to read them, so I’d be able to view the plaintext traffic.

Apr 2, 2021 - 13 minute read

Fuzzing IrfanView with WinAFL

I’ve wanted to play with WinAFL since it was released. Here’s how I used WinAFL to fuzz IrfanView v4.57 and find several bugs.

Background

Fuzzing is testing software for bugs by sending invalid, unexpected, or random data as inputs to a computer program. WinAFL is a fuzzer for Windows which can take a corpus of input files, track which code is executed, and generate new inputs to execute new execution paths.

Apr 11, 2018 - 5 minute read

New Feature in Wireshark 2.6 - HTTP Request Sequences

A common task in incident response is to work backwards from a web request to determine the actions that led to it being made. For example, when a user visits a malicious web page, did they reach it from a Google search? A phishing link? Or from somewhere else? To aid in this analysis, I developed a new Wireshark feature called HTTP Request Sequences. HTTP Request Sequences uses HTTP’s Referer and Location headers to graph a PCAP’s HTTP requests as a tree.

Jul 17, 2015 - 12 minute read

Getting Started with Apparmor, starring Aircrack-ng

This post will go over how I created AppArmor profiles for two of the most well-known programs in the aircrack-ng suite of tools, aircrack-ng and airodump-ng.

Installing AppArmor

AppArmor is installed by default on Ubuntu. What we’ll need is the apparmor-utils package, which contains the utilities that simplify creating new AppArmor policies. Installing that is as easy as running: sudo apt-get install apparmor-utils

Creating your first profile: aircrack-ng

We could start with an empty profile, and then refine that until it works.