Surviving the Con.. Or at least the day after.....

So, like me, many of you are returning to your real world jobs after a hard weekend of “con life”. As we settle back into our work weeks, many of us will take the time to reflect on our experiences: who we met, what we heard, and what we learned. Many of the things I am going to say may sound weird, may sound a little old, and may even sound completely off the wall.

The first rule is Cardio! Yes… You will walk your ass off. There is no other way to say it. The con is a never ending sea of people, all moving to and from different talks. You will go upstairs, downstairs, sideways, and other ways… In the end it will be a blur.

Stay close to the Con! Not always a plus due to price, but when you’re drunk at 3am, trying to make your way back to your hotel room… It’s a huge bonus…

Know your limits… This is a big one. Each con is a little different. Some are one day, and others last 3 days. Know when you are done. Get a nap. Eat something. Take a mental break. We meet so many new people, and we see so many new and exciting things, that we often end up short-circuiting ourselves.

Participate!!! This is a huge one… The con will come and go, and the talks will happen. Some of the best talks I have ever experienced did not happen in the talk itself. They came after the talk. It’s typical that there are meetups after the con. Here is where the conversation flows freely. No format. No time limits… Listen… Ask questions… Share your ideas or thoughts.

Make a Friend!!! Not everyone who is at the con has been there before. If you see someone standing alone, strike up a conversation. You never know the history of the person you’re going to meet. Each year I am introduced to some very exciting people that are doing some very exciting things. For me the con is about meeting people… not just new people, but people that I have communicated with over social platforms during the year but who are not in the same area as I am.

But for whatever reason you’re there, whatever you’re doing, and whoever you meet… remember it… Leave with a sense that you were part of something… That something happened….

See you at the next Con!!!


Maybe it meant something. Maybe not, in the long run, but no explanation, no mix of words or music or memories can touch that sense of knowing that you were there and alive in that corner of time and the world. Whatever it meant. – Hunter S. Thompson, Fear and Loathing in Las Vegas

Sandbox Stories : Flight of the Great Cuckoo Bird

Recently I had the chance to deploy a Cuckoo Sandbox system… OMG! This was a pure tale of madness. While in the end I won, the journey was filled with peril… Much peril… Forget it… It’s too perilous… I found a million tutorials and videos on the net, and I noticed one thing: none of them really did what I wanted. Yes, they set it up in the most basic way, but I needed more… I wanted to watch this bird fly… So I grabbed my tin-foil hat, made a pot of coffee and set out to see what results the net would show me.

At first glance around the net I found a few scripts for setting all of this up. The issue with scripts is that you never know if they are going to work. So the way that I went about it is more of the long way. But at least I learned how to set it up by hand. The old-fashioned way…

For those of you who do not know what Cuckoo Sandbox is: it is a system that you analyze malware with. Basically you send a file to a virtual machine with Cuckoo and it runs that file. Anything that file does is reported back to Cuckoo. Kewl!! So I headed out to get the installation docs at Cuckoo’s website.

A few things became instantly clear about Cuckoo.

  • It was going to take more than Cuckoo itself
  • I was going to need Virtual Machine Software
  • I was going to need an Operating System for the Malware
  • I was going to need Applications for the malware to use
  • I was going to need Malware

Some pieces of software you will want to have are freely available in most repos. Other pieces you will have to purchase or may already own. I use a licensed VMware Workstation to do all of my labs, and I own my copies of Windows. So keep it legit… Also, if you don’t require sudo then please leave that off all commands.

The first thing is to create a VM to hold our complete sandbox environment. I have used both Ubuntu and Debian 8 to complete this lab. I failed a lot and had dependency issues, so if you’re not fluent in *nix then choose Ubuntu 15.10 Desktop. When creating this VM take into account how much malware you will be running. If you’re going to do a lot of memory dumps or pcap traces then increase the HD size to compensate. There are also options in cuckoo.conf that control whether certain files are deleted or kept. Check there as well.

After creating the Ubuntu Install you need to make sure it’s up to date… This is really important. If you do a kernel upgrade please reboot the system before going any further…

On most Debian-based systems you can just run the following command:

  • sudo apt-get update -qq && sudo apt-get upgrade -qq && sudo apt-get dist-upgrade -qq

Make sure you reboot if you have upgraded your kernel image. Later we will be installing some kernel packages that need to match the running kernel version. So make sure you U-P-G-R-A-Y-E-D-D!! The two D’s are for a “double-dose of admin pimp’n!”


So now that our system is up to the latest version, let’s create a user called cuckoo with this command:

  • sudo adduser cuckoo

This is the account that you’re going to be running the sandbox as, and creating your actual malware virtual machine with. I have seen things on the net that state if you do not build the malware VM as the cuckoo user you will have issues. So to be safe we will build as that user.

So now that we have our user, let’s install Cuckoo Sandbox from their Git source. This will ensure that we are running the latest release of Cuckoo. If you do not have Git installed, please do so with this command:

  • sudo apt-get install git -y

Now change to the cuckoo user’s directory: cd /home/cuckoo

  • sudo git clone git://

This will install the latest version of Cuckoo to the cuckoo user’s folder. After that run the next command to change the ownership of these files to the cuckoo user and group.

  • sudo chown -R cuckoo:cuckoo /home/cuckoo

Now that we have the Cuckoo Source, we want to install some build packages… Use the following commands to prep the system.

  • sudo apt-get install build-essential checkinstall -qq
  • sudo chmod u+rwx /usr/local/src
  • sudo apt-get install linux-headers-$(uname -r) -qq
  • sudo apt-get install python python-pip python-pefile libpq-dev python-dev python-magic python-dpkt python-mako python-sqlalchemy python-jinja2 python-bottle libffi-dev libssl-dev libgeoip-dev exiftool tesseract-ocr libfuzzy-dev libboost-python-dev genisoimage subversion -qq

One of the packages we just installed was tesseract-ocr. This is what will screenshot the desktop on the VM that we are running the malware on. By default it is disabled. Enabling it will consume more disk space.

Now we need to get the python environment installed.

  • sudo apt-get build-dep python-psycopg2 python-pymongo mongodb libcap2-bin tcpdump -qq

Now we need to modify tcpdump to let the cuckoo user have access to it.

  • sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Let’s now test to see if it worked. Run the following command (Ctrl+C stops it). If the command fails, fix the issue before going on.

  • sudo getcap /usr/sbin/tcpdump

Now we need to install SSDeep.

“SSDeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.”

You can find their site here: SSDeep Website

  • sudo pip install ssdeep
  • sudo apt-get install python-pyrex -qq
  • cd /opt
  • sudo git clone
  • cd pySSDeep
  • sudo python build
  • sudo python install

Next we are going to install Yara. But first let’s get some supporting packages…

  • sudo apt-get install g++ libjansson-dev libmagic-dev -qq
  • sudo apt-get install libpcre3 libpcre3-dev -qq

Ok let’s install Yara.

“YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a Boolean expression which determine its logic.”

You can find their site here: Yara Website

  • sudo apt-get install yara python-yara libyara-dev -qq

Now we need to install yara-python.

“YARA can also be used from Python through the yara-python library. Once the library is built and installed as described in Compiling and installing YARA you’ll have access to the full potential of YARA from your Python scripts.”

  • cd /opt
  • sudo git clone --recursive
  • cd yara-python
  • sudo python build
  • sudo python install

Now we need to install some Yara rules (optional).

  • cd /opt
  • sudo git clone

Now we are going to install DTrace.

“DTrace is a performance analysis and troubleshooting tool that is included by default with various operating systems, including Solaris, Mac OS X and FreeBSD.”

You can find their site here: DTrace Website

  • cd /opt
  • sudo git clone dtrace
  • cd dtrace
  • sudo tools/
  • sudo make all
  • sudo make install
  • sudo make load

Now we need to install VirtualBox. This is where the malware or virus will be allowed to run.

  • sudo apt-get install virtualbox-qt virtualbox-guest-additions-iso -qq
  • sudo apt-get install libvirt-bin virt-manager checkinstall -qq

Now that we have our virtual machine software, we can start installing some of the extra software we need to use the web interface, backend storage, and Java. If you want to use Elasticsearch 1.7, remove it from the pip install line below.

  • sudo updatedb
  • cd /opt
  • sudo pip install sqlalchemy bson jinja2 markupsafe libvirt-python pymongo bottle pefile django chardet pygal clamd django-ratelimit pycrypto rarfile jsbeautifier dpkt nose dnspython pytz requests python-magic geoip pillow elasticsearch java-random python-whois git+
  • sudo apt-get install postgresql-9.4 postgresql-contrib-9.4 libpq-dev -qq
  • sudo pip install psycopg2
  • sudo apt-get install openjdk-7-jre-headless -qq

To search past reports you need to have Elasticsearch installed.

  • sudo wget -qO - | sudo apt-key add -
  • echo "deb stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-1.7.list
  • sudo apt-get update -qq
  • sudo apt-get install elasticsearch -qq
  • sudo /bin/systemctl daemon-reload
  • sudo /bin/systemctl enable elasticsearch.service
  • sudo service elasticsearch start

Let’s add some fonts and web hooks

  • sudo apt-get install wkhtmltopdf xvfb xfonts-100dpi -qq

Now we need to install Clam AV

“ClamAV is an open source antivirus engine for detecting Trojans, viruses, malware & other malicious threats.”

  • sudo apt-get install clamav clamav-daemon clamav-freshclam -qq

Now we need to install PyDeep. These are the Python/C bindings for ssdeep.

  • cd /opt
  • sudo pip install git+

Now we need to install mitmproxy (man-in-the-middle proxy) and a few other packages. Mitmproxy is an interactive console program that allows traffic flows to be intercepted, inspected, modified and replayed. So when our malware tries to connect to the internet we can see what it’s doing.

  • sudo apt-get install libpcre++-dev uthash-dev libconfig-dev libarchive-dev libtool autoconf automake mitmproxy -qq

After you install these packages you need to run the program mitmproxy and then Ctrl+C to close it out. This will create the p12 file you need for Cuckoo. If you’re unsure where it was created, use the locate command to find its path. We need to copy it to a new location for Cuckoo.

  • sudo cp /home/root/.mitmproxy/mitmproxy-ca-cert.p12 /home/cuckoo/cuckoo/analyzer/windows/bin/cert.p12

Now we need to install Malheur.

“Malheur is a tool for the automatic analysis of malware behavior. By using machine learning, Malheur collects behavioral analysis data inside sandbox reports and categorizes malware into similar groups called clusters.”

Their website is here: Malheur Website

One thing I noticed is that if you try to build the info part it fails to build. So simply say no, use 0.6.0 as the build number, and it will create the deb file.

  • cd /opt
  • sudo git clone malheur
  • cd malheur
  • sudo ./bootstrap
  • sudo ./configure --prefix=/usr
  • sudo make
  • sudo checkinstall

This will build a deb file for install. See the note above if it fails.

  • sudo dpkg -i /opt/malheur/malheur_0.6.0-1_amd64.deb

Now we need to install PEFile

“pefile is a multi-platform Python module to parse and work with Portable Executable (aka PE) files. Most of the information contained in the PE headers is accessible as well as all sections details and their data.”

Their GitHub is here: PEFile

  • sudo apt-get install python-pil python-pefile -qq
  • sudo pip install distorm3 pycrypto openpyxl

Now we need to install Volatility.

“The Volatility Framework is open source and written in Python. Releases are available in zip and tar archives, Python module installers, and standalone executables.”

Their website is here: Volatility Website

  • cd /opt
  • sudo apt-get install volatility volatility-tools -qq

Now we need to get the V8 and PyV8 binaries. You need to make sure you set the export path. Note that export is a shell builtin, so it runs without sudo; use sudo -E on the build and install steps so the exported variable survives sudo’s environment reset.

  • cd /opt
  • sudo svn checkout v8
  • sudo svn checkout pyv8-read-only
  • cd v8
  • export PyV8=`pwd`
  • cd ../pyv8-read-only
  • sudo -E python build
  • sudo -E python install

Now we need to install Suricata.

“Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF).”

Their website is here: Suricata Website

  • cd /opt
  • sudo add-apt-repository ppa:oisf/suricata-beta
  • sudo apt-get update -qq
  • sudo apt-get install suricata -qq
  • echo "alert http any any -> any any (msg:\"FILE store all\"; filestore; noalert; sid:15; rev:1;)" | sudo tee /etc/suricata/rules/cuckoo.rules
  • sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata-cuckoo.yaml

Now we need to install Etupdate. Etupdate updates the Emerging Threats open ruleset for Suricata.

  • cd /opt
  • sudo git clone
  • sudo cp etupdate/etupdate /usr/sbin
  • sudo /usr/sbin/etupdate -V

With all of that installed we need to set up our VM host-only interface.

  • sudo vboxmanage hostonlyif create
  • sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip

Ok, now let’s set up some iptables forwarding rules.

  • sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s -m conntrack --ctstate NEW -j ACCEPT
  • sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  • sudo iptables -A POSTROUTING -t nat -j MASQUERADE
  • sudo sysctl -w net.ipv4.ip_forward=1
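The forwarding rules above, as an added shell example that is not from the original post: it applies the same three rules and the sysctl, but restricts both the FORWARD accept and the MASQUERADE to the host-only subnet (assumed here to be 192.168.56.0/24, the VirtualBox default) and appends a rule only when iptables -C says it is not already there, so re-running the script does not stack duplicates. Interface names and the subnet are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent NAT for the Cuckoo
# host-only network. Assumptions: the analysis VM sits on vboxnet0, eth0 is
# the uplink, and the host-only subnet is 192.168.56.0/24 (constructed).
set -eu

IPTABLES="${IPTABLES:-iptables}"          # replaceable with a stub for dry runs
SANDBOX_IF="${SANDBOX_IF:-vboxnet0}"
UPLINK_IF="${UPLINK_IF:-eth0}"
SANDBOX_NET="${SANDBOX_NET:-192.168.56.0/24}"

# rule_add TABLE CHAIN RULE...: append the rule only if "iptables -C" reports
# that an identical rule is not already present in the chain.
rule_add() {
    table=$1
    chain=$2
    shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0                          # already present, nothing to do
    fi
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# The three rules from the walkthrough, tightened to the sandbox subnet:
# only new flows from the sandbox subnet may leave via the uplink, replies may
# come back, and only that subnet is masqueraded on the uplink interface.
sandbox_nat_rules() {
    rule_add filter FORWARD -i "$SANDBOX_IF" -o "$UPLINK_IF" -s "$SANDBOX_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    rule_add filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule_add nat POSTROUTING -s "$SANDBOX_NET" -o "$UPLINK_IF" -j MASQUERADE
}

# Only touch the live firewall when explicitly asked, e.g.
#   sudo env CUCKOO_NAT_APPLY=1 sh cuckoo-nat.sh
if [ "${CUCKOO_NAT_APPLY:-0}" = 1 ]; then
    sandbox_nat_rules
    sysctl -w net.ipv4.ip_forward=1
fi
```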

Now install MySQL and Python MySQLdb.

  • sudo apt-get install mysql-server python-mysqldb -qq

Now Install Snort IDS

“An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. ”

Their website is here: Snort Website

  • sudo apt-get install snort -qq

Now that we have installed all of this we can finally get to installing Cuckoo itself. We also need to add the cuckoo user to the vboxusers group so we can restore snapshots, change the ownership of the suricata-cuckoo.yaml file, and finally change the files to cuckoo ownership.

  • sudo usermod -a -G vboxusers cuckoo
  • sudo chown cuckoo:cuckoo /etc/suricata/suricata-cuckoo.yaml
  • cd /home/cuckoo/cuckoo
  • sudo pip install -r requirements.txt
  • sudo git pull
  • sudo chown -R cuckoo:cuckoo /home/cuckoo/
  • sudo chmod -Rv 777 /etc/snort/
  • sudo chmod -Rv 777 /var/log/snort/

Next we need to install VMCloak.

“VMCloak is a utility for automatically creating Virtual Machines with Windows as guest Operating System. It has been tailored to generate Virtual Machines directly usable from within Cuckoo Sandbox, but it can also be used for other purposes as Cuckoo’s components can be omitted through the configuration.”

Their GitHub is here: VMCLoak GitHub

  • cd /opt
  • sudo git clone
  • cd vmcloak
  • sudo pip install -r requirements.txt
  • sudo python install

You can also install from pip, but it will not be the latest release.

  • sudo pip install vmcloak --upgrade

Next we need to create some mount points for the iso images we are going to be installing. I am using WinXpSp3 Pro 32 bit at the time of this writing. VMCloak also supports Win7 as well. I’ll show both below.

For Windows Xp

  • sudo mkdir -p /mnt/winxp
  • sudo mount -o loop,ro /home/cuckoo/diskimage/winxpsp3pro.iso /mnt/winxp

and for Windows 7

  • sudo mkdir -p /mnt/win7
  • sudo mount -o loop,ro /home/cuckoo/diskimage/win732pro.iso /mnt/win7

Now that we have our mount points, we can use vmcloak to install our operating systems into virtualbox.

As I stated before, I have heard stories about Cuckoo having issues if the VM is not built as the cuckoo user. So we need to either add cuckoo to the sudoers file or chmod 777 /usr/bin/genisoimage. VMCloak needs to call genisoimage and will fail on permissions on some systems.

At this point we need to log into the account as the cuckoo user. We will be creating the virtual machine, assigning packages to that machine and finally taking a snapshot. As we submit malware to Cuckoo, it restores the snapshot, does the analysis, and then submits the results to the reporting server. I use the --vm-visible option because I like to watch the malware run.

As the cuckoo user do the following steps.

  • vmcloak-vboxnet0
  • vmcloak-init --winxp --iso-mount /mnt/winxp --serial-key "Your Serial Number" --vm-visible -d winxp
  • vmcloak-install --vm-visible winxp adobe9 wic pillow dotnet40 firefox_41 java7 silverlight5 pil chrome iexplore
  • vmcloak-snapshot --vm-visible winxp xpcloaked

The first command brings up the vm interface. The second command starts the winxp install. This may take a while. The third command installs various packages into the vm. The last command snapshots the vm. You may want to connect to the vm and install more software and then snapshot after.

I found a few things wrong and needed to correct them before running the snapshot. First the file is out of date with cuckoo. So updating it and changing the name to agent.pyw needed to be done. You will need to edit the registry entry on the vm to point to agent.pyw. Also this will background the agent script so you do not see it in any screenshots. Remember to disable the “auto update” or “check for updates” feature of any additional software that you install.

After our snapshot is created you will see it in the virtual machine manager.

Now that you have your snapshot, let’s configure Cuckoo and then start analyzing some malware.

The configuration files for cuckoo are in /home/cuckoo/cuckoo/conf/ folder. The first file we want to edit is cuckoo.conf. Here are the items that you will need to check. Each item has a description above it (I left it out of here) that describes what it is. Please check it as I have not listed all the options here. Only ones that I wanted to make sure you look at. Please pay special attention to the highlighted ones.

  • delete_bin_copy = off
  • machinery = virtualbox
  • memory_dump = on
  • terminate_processes = off
  • reschedule = on
  • process_results = on
  • max_analysis_count = 0
  • max_machines_count = 0
  • max_vmstartup_count = 10
  • freespace = 64
  • tmppath = /tmp
  • rooter = /tmp/cuckoo-rooter
  • route = none
  • internet = none
  • upload_max_size = 10485760
  • analysis_size_limit = 104857600
  • resolve_dns = on
  • sort_pcap = on
  • connection =
  • timeout =
  • default = 120
  • critical = 60
  • vm_state = 60

Now open auxiliary.conf and edit the sniffer and the mitm as well as verify the paths on your system.

  • [sniffer]
    enabled = yes
    tcpdump = /usr/sbin/tcpdump
  • [mitm]
    enabled = yes
    mitmdump = /usr/bin/mitmdump

The next file we need to open is memory.conf, where we edit a few things. Again I have listed a few things you need to pay attention to. guest_profile needs to match your operating system or you will get errors.

  • guest_profile = WinXPSP3x86
    delete_memdump = no
  • [malfind]
    enabled = yes
    filter = on
  • [yarascan]
    enabled = yes
    filter = on
  • [ssdt]
    enabled = yes
    filter = on

The next file that needs to be edited is virtualbox.conf. Please pay attention to this file. xpcloaked is the label for my virtual machine settings and needs to be defined; the definition is [xpcloaked]. The default will say cuckoo or something like cuckoo1. The “snapshot” setting is the name you gave the snapshot when you created it. In my case it was vmcloak.

  • mode = gui
  • interface = vboxnet0
  • machines = xpcloaked
  • [xpcloaked]
    label = xpcloaked
    platform = windows
    ip =
    snapshot = vmcloak

The next file we want to edit is reporting.conf.

  • [jsondump]
    enabled = yes
    indent = 4
    encoding = latin-1
    calls = yes
  • [reporthtml]
    enabled = yes
  • [mongodb]
    enabled = yes
    host =
    port = 27017
    db = cuckoo
    store_memdump = yes
    paginate = 100
  • [elasticsearch]
    enabled = yes
    hosts =
    calls = no
  • [malheur]
    enabled = yes

Ok, the last file in this folder we want to edit is processing.conf.

  • [analysisinfo]
    enabled = yes
  • [apkinfo]
    enabled = no
  • [baseline]
    enabled = no
  • [behavior]
    enabled = yes
  • [buffer]
    enabled = yes
  • [debug]
    enabled = yes
  • [droidmon]
    enabled = no
  • [dropped]
    enabled = yes
  • [dumptls]
    enabled = yes
  • [googleplay]
    enabled = no
    android_id =
    google_login =
    google_password =
  • [memory]
    enabled = yes
  • [network]
    enabled = yes
  • [procmemory]
    enabled = yes
    idapro = no
    dump_delete = no
  • [screenshots]
    enabled = yes
    tesseract = /usr/bin/tesseract
  • [snort]
    enabled = yes
    snort = /usr/sbin/snort
    conf = /etc/snort/snort.conf
  • [static]
    enabled = yes
  • [strings]
    enabled = yes
  • [suricata]
    enabled = yes
    suricata = /usr/bin/suricata
    conf = /etc/suricata/suricata-cuckoo.yaml
    eve_log = eve.json
    files_log = files-json.log
    files_dir = files
  • [targetinfo]
    enabled = yes
  • [virustotal]
    enabled = yes
    timeout = 60
    scan = 0
    key = a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088

Now we need to edit /etc/suricata/suricata-cuckoo.yaml and uncomment some items. Find the entries below and uncomment them.

  • eve_log = eve.json
  • files_log = files-json.log
  • files_dir = files
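The conf edits listed above (cuckoo.conf, auxiliary.conf, reporting.conf and friends), as an added shell example that is not from the original post: a small awk-based ini_set/ini_get pair that sets a key inside a given section, ignoring commented-out lines, so the edits can be scripted and read back rather than made by hand. The sample conf files it writes are constructed fragments, not the files Cuckoo ships, and the conf directory is whatever path you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: apply the conf/*.conf edits from
# the walkthrough non-interactively and read them back. The files written by
# write_sample_conf are constructed fragments, not the shipped Cuckoo files.
set -eu

# ini_set FILE SECTION KEY VALUE: replace KEY inside [SECTION]; add it to that
# section if it is missing, or append a new section if none exists.
ini_set() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        # leaving the target section without having set the key: insert it
        function emit() { if (in_s && !done) { print k " = " v; done = 1 } }
        /^[ \t]*\[/ {
            emit()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_s = (name == s)
        }
        # an uncommented "key = ..." line in the target section: rewrite it
        in_s && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END { emit(); if (!done) { print ""; print "[" s "]"; print k " = " v } }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] (empty if unset).
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*\[/ { name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name); in_s = (name == s); next }
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# apply_cuckoo_conf CONF_DIR: a subset of the values from the walkthrough;
# extend the list with the rest of the keys shown above.
apply_cuckoo_conf() {
    dir=$1
    ini_set "$dir/cuckoo.conf"    cuckoo   machinery           virtualbox
    ini_set "$dir/cuckoo.conf"    cuckoo   memory_dump         on
    ini_set "$dir/cuckoo.conf"    cuckoo   terminate_processes off
    ini_set "$dir/cuckoo.conf"    timeouts default             120
    ini_set "$dir/cuckoo.conf"    timeouts critical            60
    ini_set "$dir/reporting.conf" malheur  enabled             yes
    ini_set "$dir/auxiliary.conf" sniffer  tcpdump             /usr/sbin/tcpdump
}

# write_sample_conf DIR: constructed fragments for the self-check; the real
# files carry many more keys and comments. The [malheur] key is deliberately
# misspelled to show that a typo'd key is not silently treated as the real one.
write_sample_conf() {
    dir=$1
    cat > "$dir/cuckoo.conf" <<'EOF'
[cuckoo]
# Enable creation of memory dump of the analysis machine
memory_dump = off
machinery = virtualbox

[timeouts]
default = 120
critical = 60
EOF
    cat > "$dir/reporting.conf" <<'EOF'
[jsondump]
enabled = yes

[malheur]
enbaled = yes
EOF
    cat > "$dir/auxiliary.conf" <<'EOF'
[sniffer]
enabled = yes
EOF
}

# check_cuckoo_conf CONF_DIR: succeeds only if every applied value reads back.
check_cuckoo_conf() {
    dir=$1
    [ "$(ini_get "$dir/cuckoo.conf" cuckoo memory_dump)" = on ] &&
    [ "$(ini_get "$dir/cuckoo.conf" timeouts default)" = 120 ] &&
    [ "$(ini_get "$dir/reporting.conf" malheur enabled)" = yes ] &&
    [ "$(ini_get "$dir/auxiliary.conf" sniffer tcpdump)" = /usr/sbin/tcpdump ]
}

if [ "${1:-}" = "--self-test" ]; then
    d=$(mktemp -d); write_sample_conf "$d"; apply_cuckoo_conf "$d"
    check_cuckoo_conf "$d" && echo "conf ok: $d"
elif [ -n "${1:-}" ]; then
    apply_cuckoo_conf "$1"        # e.g. sh cuckoo-conf.sh /home/cuckoo/cuckoo/conf
fi
```

A misspelled key such as enbaled is left untouched and the real key is added in the same section, which is exactly the kind of slip a long hand-edit session produces and a read-back with ini_get catches.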

Wow. That’s a lot of edits… As you can see it takes a number of third-party packages to really get this running. So what we need to do now is install the Cuckoo community scripts. As the cuckoo user navigate to the /home/cuckoo/cuckoo/utils/ folder and execute this command:

  • python -afw

After this has completed, we are ready to start our cuckoo sandbox.

As the cuckoo user execute these commands from the /home/cuckoo/cuckoo folder

  • python

If you get an error simply start the virtual machine and then stop it. It will bring up the network interface.


In another terminal run this command as the cuckoo user from the /home/cuckoo/cuckoo/web/ folder.

  • ./ runserver

Ok now that we have started cuckoo and the webserver we can open our browser and go to the Cuckoo Web Interface. This is where we will submit our malware to and get our reports.


Ok so far so good. Next we need to submit a piece of malware to the machine and let it run. There are some options here if you have defined them. Dirty connections let your malware talk to the internet. I have run both.


Let’s click Analyze and see what happens.


Ok, so now we have submitted our malware to the cuckoo system. What we should be seeing is the virtual machine come online like the screenshot below. Once it is online, cuckoo will pass the malware to the machine and execute it. As the malware does different things, the memory and traffic are dumped and pcaps are created.

Now we can see that cmd.exe is being executed. Every time a new piece of malware is loaded, you will see the Virtual Machine “Restore” the snapshot and then do its job.


After the malware has run and the timeout is reached the Virtual Machine is shut down and all of the data should be in the cuckoo system now. If we go to the recent page and click on our submissions, we should see something similar to what’s below.


Here is the lower half of the screen above.


So now that you have a basic malware lab you can play with it for hours exploring how malware and viruses work. You can learn a lot by just watching it run. There are many other software packages that you can use along with the ones I’ve stated before. I encourage you to adjust this system to your liking. If you need a great source of older applications to install in your sandbox you can go to

Many times I had to watch the terminal for errors and warnings. This helped me dial in the settings that I needed to get this up and running. A few notes I need to leave you with. Many times I ran out of space. These files can be very big, so make sure you create a VM big enough to hold all the dumps, pcaps, and screenshots. Also I suggest doing small runs of files if you want to do more than one at a time. I had a lot of fun with this project and there were many different ways to do this. I hope it helps someone.

Last thing.. I want to say thanks to @da_667 and @MalwareUtkonos for motivation, and a few quick pointers…


So you just got a new computer, the cable company came in to put in your new line, and you just can not wait to jump on Twitter. One thing is making you a bit worried though: all those digital fingerprints have been left from before, and you can’t shake the feeling that your last boyfriend has been following your Facebook posts a little too closely. What’s a young lady/man to do? Well, it’s time to go … SECRET SQUIRREL!

Internet safety, or as I like to call it PIISec, is something that more often than not is overlooked when we surf or buy stuff online. I don’t subscribe to the notion that it is OK to spy on me because I am not doing anything wrong; in fact it kinda disgusts me. If you wish to know something about me, say for instance what type of cool gadget I just bought from the Hak5 Shop, then please ask. Don’t place a cookie in my cache and have me sign something you know I am not going to read. I want to be as safe online as I can be and deep down, I would like you to be safe too.

Live like a spy, THINK like a spy!

Fake it till you make it is a long overused phrase, but in security it’s always wise to be a little if not very paranoid. In the post-Snowden world it’s no longer an if but a WHO is watching me in my everyday boring life. Keeping this in mind we need to make some personal choices and STICK WITH THEM! The methodology I use is stolen from the Microsoft security model called the “Ring of Trust”. Imagine you are the sun and around you are three orbits, each one granted a little bit more knowledge about you as they get closer and each one given a bit more PII (Personally Identifiable Information). The reason we want to start doing this sort of micromanagement is because sometimes in this day and age we find ourselves saying we have 25,000 friends yet only 3 show up to our parties. These kinds of social networks are HUGE kinks in our PIISec and allow our threatscape to be very large for anyone wanting to social engineer us. The way I break up my online contacts is like this:

Ring 0

  • Family – Close
  • Work – Bosses
  • REAL Friends

By real friends I mean people who can or would drive to your house and knock on the door if they thought you were in danger or missing. NOT people you talk to “all the time” or people who “liked” your posts.

Ring 1

  • Family – Not so close
  • Work – Associates
  • Friends – People you talk to often and normally but not ring 0 friends.

This is a middle ground; these people have a phone number for you and an email address for you, but it’s saved in a contact list and probably under some name like “Hairy dood” or “Loud Chick”.

Ring 2

  • Work – Vendors or random people from work, they need to send that e-vite to the boss’s birthday SOMEWHERE.
  • “Friends” – Everyone else … They know your Twitter handle or Facebook profile.

These are of course just suggestions, but after a while it becomes second nature, so please don’t give up before trying a few of them. The whole reason we are breaking our life up like this is because it makes it easier not only to give the person asking the right information, but if your PIISec is broken it’s easy to see where it all went wrong. The goal of course is not only to be safe but to trust our most private information to only the closest people in our lives. We should also take some time to consider WHAT information is sacred and what can be disposable. I like to be vague to everyone; even if you’re my best friend it’s very unlikely you will know my address until it’s absolutely necessary. My Social Security Number is known to only my immediate family and my phone number to a select few I have chosen. So before we get started and the comments come in let me just say this. It is 100% possible to do this with any mix of the following, including adding extras along the way, but to be honest sometimes you have to just be happy with being secure enough, because to be totally secure you have to be totally off the grid. That being said I recommend the following setup and uses.

  • 2 phones
  • 3 email addresses
  • 2 PGP Keys

This is a good start. One phone can be a crappy throwaway and the other can be your personal phone. You do not want to have two iPhone 6’s when you’re faced with throwing one into a garbage can. You want to have 3 email addresses at the very least: one for your services, one for your bills and one for your ring 0 friends. This ensures that the email you check the most won’t be filled with spam or stupid notifications and keeps your personal email off any lists you may not want to be a part of. Use your Ring 0 email address for correspondence ONLY! There is no need to use it to sign on to any services. 1 PGP key is usually enough but I recommend two. One will be used for your ring 1 contacts and the other is your secret squirrel key. IF some nation state is looking for you it’s probably best to have that backup key to buy you a bit of time. I recommend for your forward-facing PGP needs since it does all the hard work for you and allows you to easily verify your contacts. If you need an invite you can hit me up on Twitter and if I have some left I will happily send one to you. I will need an email address so have your ring 2 email address handy! Simple copy/paste tools allow you to be secure without a whole suite of tools… however you still may want some.

For instant communications I recommend some sort of XMPP system, preferably one that supports OTR. There are tons of applications, so to go over each would be crazy. I like to think in these terms: use OTR or end-to-end encrypted chat systems if available, and if they are not then wrap your text in PGP and feel good that you’re doing better than most. The EFF has a great site dedicated to this and more over at its Surveillance Self-Defense site.

Browsing Safe

For general browsing needs I prefer to use Firefox over Chrome; however, security-wise they are both as vulnerable as the other. One can argue and argue over which is better; I will leave that to you to decide. To me I have seen them both render slow, both get exploited and both render fast. I personally run both, but I do tons of web programming and like to check for cross-platform compatibility. What to install on your browser however is a whole different thing. Every browser should have both Privacy Badger and AdBlock installed. Together these tools will ensure that you have a totally different web experience. You may actually start to enjoy surfing the web again! Another addon that I suggest is NoScript for Firefox or uMatrix for Chrome. These will limit the effects if you happen to find yourself on a site loaded with drive-by malware and generally keep you safe while you surf. Also, since we are trying to ensure we take the safe route wherever we go, I should mention HTTPS Everywhere; it’s a great plugin that tries to force HTTPS wherever possible. While not something that is a MUST for every site, you should install it simply because if you can make it harder for the bad guys you might as well. Plus we don’t EVER want to push credentials over a plain HTTP connection.

Password Vaults and Physical Security

So the biggest complaint most people have with not using the same password over and over is trying to keep all those passwords securely stored and accessible. Even having a bank of, say, 3 passwords is a bad choice when you consider that if I was tasked to brute force them, the mathematical probability of me succeeding would be huge. The other problem I see is keeping data safe. Whether it's a full hard drive or simply your key vault, it should be wrapped in some sort of secure container to keep it from being lifted and broken into offsite. While having a secure vault is a good start, having that extra layer is even more comforting. These problems seem huge, but with a couple of pieces of software/hardware we can tackle them hands on. For password vaults the most often used is KeePass. This vault not only works on a multitude of operating systems but allows you to throw in special files that must be present in order for the password to work. This is essentially a poor man's 2FA (two-factor authentication), since the file can be placed on each computer you use while you carry your vault with you, or better yet use two USBs: one with your special file (it can literally be any type of file) and one with your vault. I personally prefer LastPass since it is also available on plenty of platforms but goes a step further and offers browser extensions and mobile support for a price. LastPass also has 2FA like KeePass, using their software Sesame, but it can also use hardware 2FA generators like the ones sold by Yubico (I have yet to purchase one since money has been tight, so Yubico, if you're listening, get at me!). These are pretty cool and can be used with plenty of software packages. If you got the money buy one now; if you got extra money, buy me one!


Now many people may ask why I have yet to suggest Tor, and to that the answer is simple. I do not trust Tor enough to take the speed loss it brings. I have seen the tests run by some of the top scientists, and while I will not deny that THEORETICALLY Tor will keep your connections anonymous, it is still too predictable for me to lose so much bandwidth. A good VPN company will offer you decent security and speeds while not breaking the bank. For most people, however, Tor is simply overkill and should be used to help those truly censored to be heard. Run a node if you want to support Tor, but don't expect it to be safe. That brings me to another issue I have with Tor. Many users feel OVER safe while using it, and it causes them to not only leak data but put themselves at risk by feeling much braver than they should. I see Tor as the drunk glasses of the internet.

If you're looking for a good roundup on VPNs, this is a good read.


While the internet is still very much the same dangerous place it always was, if not more so, it's not somewhere I'm willing to stay away from. That being said, keeping safe online is as much a mindset as it is a software/hardware problem, and I hope I have helped even in the smallest way. I will expand this post as information and questions come in.

I'll have what she's having

Getting a malware lab installed is one thing, but configuring it to be useful is a whole undertaking in itself. One of the first problems we run into when setting up a proper lab environment is simulating the internet. Sure, a network will allow each computer to talk to another, but what about those pesky URLs; who is going to do all the resolving? It can of course be easily simulated with scripts and custom applications, but let me tell you something. As a programmer for the last 20 years, the single most annoying thing to have to do is reinvent the wheel. That's EXACTLY why they have frameworks for these types of things. That being said, to simulate the internet from 4chan to Google, I am going to use a framework called INetSim. The collection of services it includes can emulate everything from IRC to basic HTTP.

To perform a quick run-time analysis of the network behavior of unknown malware samples, we were in need of a tool to simulate internet services which are commonly used by malware in our laboratory environment. We started off with a bunch of home-grown Perl scripts together with specially configured server service implementations like Apache, Postfix, dnsmasq and ntpd, but we were not happy with this because of a lot of disadvantages resulting from the combination of many programs (e.g. problems with correlation of log data).

While talking to other security analysts, we noticed that there is definitely a need for a comfortable single suite to simulate different internet services with common logging and centralized control functions. So we decided to start the project ‘INetSim’ to develop such a suite.

Nice piece of awesomeness, yes? OK, so now we have to prepare a VM for it to be installed on. Wait... you mean there are VM-ready versions of Linux that I can just download and run? Aye, there is, and it's called TurnKey Linux. TurnKey Linux is great for just these types of projects; it can be downloaded and run in such a short time that all one must really pay attention to is the configuration, which is really, really, really easy. Now the version of Debian Linux that I prefer is Jessie, and unfortunately v 14.0 of TurnKey Linux is in ISO format only. It's OK though; soon it will be available in one of the many other formats that TurnKey Linux is known for, so just enjoy the ease of use and install your VM already.

Install TurnKey Linux

  • Memory 2GB
  • HDD 40GB
  • Network Adapter NAT (Will change to our Malware Lab Network after updates and software installs)
  • TurnKey Linux Core

So, once a VM is created with those settings, fill in your specific details. I chose these settings because I wanted some wiggle room to add shared directory space, so it seemed like a good idea. It first asks you for a root password, then for the Hub services API key; I personally skip it since I back up my own stuff, but you're free to do what you want. They also ask you to sign up for their security updates, but I'm anal about updates so no need to tell me! Same with the auto install of security updates. After that you simply quit the configuration menu and you're presented with a login prompt to your newly installed and updated TurnKey Linux box.

One of the reasons I like Debian so much is that they usually have some version of the software I am going to use in their repository. Whether it works is something completely different, but hey, at least they try. Knowing that most if not all the dependencies I was going to need were in the Debian repo, it was time to add the INetSim repo and get this beast running!!

nano /etc/apt/sources.list.d/sources.list

and add the following line:



deb binary/

You're going to want to install the repository's signing key as well, so fetch it with wget and pipe it into apt-key, then update apt-get:

wget O | apt-key add –

apt-get update

If everything goes according to plan, you now simply have to install INetSim:

apt-get install inetsim

That gets her installed, but we need to edit some configuration files if we want her to purrrrr. The first thing is that since this box's sole purpose is to fake the net, we need to ensure that she starts up on boot.

nano /etc/default/inetsim

That will open up the configuration file, and we need to change ENABLED from 0 to 1.

The next thing we want to do is edit the actual main configuration file to enable services and set up our DNS.

nano /etc/inetsim/inetsim.conf

As you can see, it has a lot of services turned on; I personally will leave them that way and simply play with our DNS. Our IP address is local, so I want to make sure we bind to it instead of the default localhost to

Next we are going to uncomment the dns_bind_port and dns_default_ip, changing the latter to your static IP.

There are tons of things to configure, and to go over each one would be crazy; the documentation is available and the config file is pretty well commented. So, after it's been nicely configured the way I want her, it's time to configure my malware test platforms to talk to her and test it out. If everything is working, and it should be since the system is made to be easily configurable, you can type in and should get a nice simulated internet page.
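The two edits just described (flipping ENABLED to 1 in /etc/default/inetsim, then uncommenting dns_bind_port and dns_default_ip and binding to the box's own address in inetsim.conf) are the kind of thing worth scripting, so a rebuilt lab box comes up the same way every time and a stray edit to the wrong line is caught. The script below is an added example written for this post, not INetSim's own tooling; it works on constructed copies of the two files in a temporary directory. Its assumptions: options are "key value" lines, the stock inetsim.conf carries a bare doc comment such as "# dns_default_ip" above the commented-out option "#dns_default_ip 127.0.0.1" (so the editor must only touch lines that carry a value), service_bind_address is the key that moves the listeners off localhost, and 10.10.10.1 is a made-up lab address.

```shell
#!/bin/sh
# Added example, not part of the original post or of INetSim itself.
# Assumptions: "key<whitespace>value" option lines, a bare doc comment
# ("# dns_default_ip") above the commented-out option, and 10.10.10.1 as
# the lab box's static address (a constructed value).
set -e

# set_conf_key FILE KEY VALUE
# Uncomment (if needed) and set the first "KEY VALUE" or "#KEY VALUE" line,
# appending the key if no such line exists. The pattern demands a value after
# the key, so a bare doc comment "# KEY" is left untouched. Idempotent.
set_conf_key() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0; re = "^[ \t]*#?[ \t]*" k "[ \t]+[^ \t]" }
        !done && $0 ~ re { print k "\t" v; done = 1; next }
        { print }
        END { if (!done) print k "\t" v }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# conf_value FILE KEY: print the value of an active (uncommented) key, or nothing.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# set_enabled FILE 0|1: set ENABLED= in an /etc/default/inetsim style file.
set_enabled() {
    file=$1 value=$2
    tmp=$(mktemp)
    awk -v v="$value" '
        BEGIN { done = 0 }
        /^ENABLED=/ { print "ENABLED=" v; done = 1; next }
        { print }
        END { if (!done) print "ENABLED=" v }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# enabled_value FILE: print the current ENABLED= setting.
enabled_value() {
    sed -n 's/^ENABLED=//p' "$1" | tail -n 1
}

# configure_inetsim CONF DEFAULTS IP: the edits described in the post.
configure_inetsim() {
    conf=$1 defaults=$2 ip=$3
    set_enabled "$defaults" 1                          # start on boot
    set_conf_key "$conf" service_bind_address "$ip"    # listen on the lab address, not localhost
    set_conf_key "$conf" dns_bind_port 53
    set_conf_key "$conf" dns_default_ip "$ip"          # every name resolves to the lab box
}

# make_sample_files DIR: constructed stand-ins for the two real files,
# laid out like the stock config (doc comment, then commented-out option).
make_sample_files() {
    cat > "$1/inetsim.conf" <<'EOF'
start_service dns
start_service http

# service_bind_address
#
# IP address to bind services to
#
#service_bind_address   127.0.0.1

# dns_bind_port
#
#dns_bind_port          53

# dns_default_ip
#
# Default IP address to return with DNS replies
#
#dns_default_ip         127.0.0.1
EOF
    printf 'ENABLED=0\n' > "$1/default_inetsim"
}

# demo: run the edits on throwaway copies and show the resulting active keys.
demo() {
    d=$(mktemp -d)
    make_sample_files "$d"
    configure_inetsim "$d/inetsim.conf" "$d/default_inetsim" 10.10.10.1
    echo "ENABLED=$(enabled_value "$d/default_inetsim")"
    grep -E '^(service_bind_address|dns_bind_port|dns_default_ip)' "$d/inetsim.conf"
    rm -rf "$d"
}

demo
```

To use it on the real box, point configure_inetsim at /etc/inetsim/inetsim.conf and /etc/default/inetsim instead of the sample copies, then check the result with conf_value before restarting the service; the value-required pattern is what keeps the edit from landing on the explanatory comment lines the stock file is full of.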



Vulcan mind meld

For those familiar with the popular series Star Trek, the mind meld is a pretty cool trick. It exposes the mind of the person being probed and all their deepest secrets, along with some other cool tricks, few of which I know, since while it is a wildly popular show, I myself did not follow it. My point is that a social engineer is a great asset to any team, but a really good social engineer would be able to do more than trick a low-level secretary into revealing her password and undies over Snapchat. Someone who could get so far into your psyche that you would knowingly hand over your assets without question is a far more valuable tool and dangerous foe than any simple Jedi trickster. For those of us who wish to bring our game up to a whole new level, I present you with not a literal 120 step program but in-depth information that will allow you much more control over yourself and thus those you interact with. This is not going to be a short post, since a whole lot of information has to be explained. Please take the time to read my points and learn a thing or two to be a great social engineer.

Before we get too crazy here, let me explain that you will not find a simple tactic that works 100% of the time in this post; each person you encounter will have different levels of different tells, and knowing all the possibilities of each will allow us to better do what every social engineer must do: guess the adversary's feelings towards you so that you may change tactics before you hit a brick wall. These observations come from my life's work of studying people. I am above all an observer, someone who watches interactions between people and groups while challenging myself to interpret each sign's significance. I have read many books and practiced daily, so while I am very confident in the correctness of my methods and observations, I am in no way saying that the information presented is 100% across all boundaries. Case in point, a variable that will need to be addressed is something as strange as comfortable talking distance. An American has a higher chance of feeling uncomfortable with you being close to them than, say, a Japanese national, simply because of cultural differences. Keeping this in mind will make it easier for you to avoid inadvertently coming off as rude for being too close to, or too far away from, the person you are talking to. While stereotyping is generally a very bad idea when you are trying to make friends or hire someone, it is your best bet when trying to profile someone as quickly as possible, filling in and altering the opinion as you learn more about them.


Getting to know someone

While you are essentially judging your target, you are doing so with as much of an educated guess as possible. These tells allow us to alter a judgment and refine our understanding of our target. For instance, if you were yelling at me to get into your car, I would judge the situation differently if the setting was outside, at night, in a dark alley than if we were, say, outside a noisy night club. While it may seem obvious, that is because the example was made to be so; many times we need to go over our assessment to ensure that we are taking in all possible variables. In predicting someone's attack surface, it's best to consider the following 7 points so that your first impression of your target is well informed. There are over 700,000 distinct physical signs given off by the human body that we need to keep track of: 1000 are body postures, 5000 hand gestures, and 250000 are facial expressions. We have to make sure we take in everything about the person we are talking to.

  1. Personal Appearance
  2. Voice
  3. Body Language
  4. Actions
  5. Communication Style
  6. Environment
  7. Content of communication

When you are engaging your target, try to stay away from the following influences, as not doing so gives the target the chance to create the answers we are looking for, causing us to guess wrong or interpret wrong.

  1. Emotional / Commitment
  2. Neediness
  3. Fear
  4. Defensiveness

By keeping these feelings out of your statements you will be able to form questions that are more informative and less judgmental. When you are “interviewing” someone, make sure you set the mood for them to be as informative as possible. Since ANY distraction is a potential interruption and interruptions are conversation killers, try to keep your target engaged in conversation. Never interrupt, condemn, argue with or patronize your target, since that judgment can lead to the target injecting tells and false information to protect their pride. Be empathetic and involved, yet not overly so; stay comfortably close to your target and answer with “Right” or “I understand”. Be aware of your body language and stay away from giving off tells that may be picked up and give away your true motives; never get too familiar too fast when talking about yourself, so that you can return as quickly as possible to the target. Listen with all your senses, and if possible always in person so that you have control of the environment. Listen on their turf, somewhere they feel comfortable, while avoiding an audience. Go slow and easy; the best answers come when you don't allow somebody too long to ponder the possible replies. Think ahead of some questions that you want to ask, but don't be afraid to improvise too. Questions should generally start in these categories: compassion, socioeconomic background, satisfaction with life.

A good beginning lineup would be: Where were you born? What do you do for a living? Do you belong to any organizations? What are your goals in the next 5 years?

Try to remove physical obstacles between you and your target so that they feel more closely connected and part of the conversation. Most importantly, consider the context of the conversation. If the target is often exaggerating or misquoting others, then it's best to interpret the information under that context. In general there are three types of questions:

  1. Open Ended – No suggestion on what you may want the answer to your question to be.
  2. Leading – Same as open ended but with a restricted scope to elicit a response you are looking for.
  3. Argumentative – Dangerous but can force someone into a reluctant admission.

Using these 3 types of questions one can craft a great line of questioning that will hopefully lead to the information you are seeking. Don't forget that after each question you should ask good follow-up questions to ensure the information you are getting is as clear to you as possible. You may rephrase your last question or, if needed, completely repeat it with emphasis on certain words you want your target to concentrate on.


Discovering Patterns

As I have mentioned before, there is no silver bullet in character development, but knowing what the tally is at the end of an evaluation will help you understand that person that much more. When undergoing the character development stage of an interview, make sure to note things down so that you can keep track of whether a given trait changes or is altered in an attempt to change your personal picture of the target. Keep the following in mind when you first meet someone, to get the most information from each additional meeting.

  • Person's most striking traits, and are they consistent?
  • Consider each characteristic in light of the circumstances.
  • Look for extremes.
  • I.D. deviations from the learned pattern of the individual you're targeting.
  • Is the individual's state of mind temporary or permanent?
  • Distinguish between elective and non-elective traits.
  • Give special attention to certain highly predictive traits.

When you first meet someone new, take notes, mental or otherwise, of the two or three characteristics that stand out to you the most. To be able to accurately identify patterns in people's traits and behaviors, you need to consider the “stage” upon which they act. Note each change in a person as the settings change and they become more comfortable around you. The significance of nearly EVERY trait depends directly on how big, small, intense or subtle it is. Anything unusual is usually important in understanding people. Ask yourself: is the clue I am evaluating just an isolated event, or have I seen this before? Someone's level of compassion, socioeconomic background, and satisfaction with life almost always reveal the most about a person, so try to touch on each in a conversation.

Elective Traits: Clothing, Jewelry, Mannerisms, Tattoos, Makeup
Non-Elective Traits: Sex, Age, Race, Body, Handicaps

First Impressions

Personal Appearance

Of all the methods available, the first impression is the least reliable, but it is where we all must begin. Look for consistent combinations of clues; they will be there if you're on the right track. Someone wearing inappropriate clothing, makeup or hairstyles, or using inappropriate gestures, can reflect many things, so try not to allow one bias to override all others.

Body Language

Involuntary body language may be the ONLY sign of negative traits or emotions. Pay special attention to inappropriate actions. Look for anything that is peculiar or peculiarly unique. Consistency is one key to interpreting body language, so make sure the signs match the person before relying heavily on them. As you will see, many signs show up in multiple categories, and you must be able to use all the clues you collect to decipher just which sign the speaker is conveying. Keep in mind that if a person is not lying, their manner will not change significantly or abruptly. People who are bored will usually distort themselves physically. Defensive people close up. Make sure you do not misinterpret boredom as surrender or frustration. Someone who is nervous will need an outlet for that nervous energy.

Psychological profile of someone deceiving

  • Humans see the world as a reflection of themselves. If you are consistently accused, be wary.
  • Is the person focused internally or externally? Confident people are more interested in your understanding, not in how they appear.
  • The point of view of a third party is often missing.
  • Leaves out negative aspects.
  • Willingly answers questions but asks none back.

Signs of Dishonesty (honesty shows the opposite signs)

  • Shifty or wandering eyes
  • Change in voice
  • Rapid speech
  • Any type of fidgeting
  • Shifting back and forth on one's feet or in a chair
  • Any signs of nervousness
  • Exaggerated version of the “sincere, furrowed brow” look
  • Sweating, shaking or licking lips
  • Any activity that obscures the eyes, face or mouth
  • Running one's tongue over the teeth
  • Leaning forward
  • Inappropriate familiarity such as invading your personal space

Signs of Attentiveness / Pensiveness

  • Maintaining strong eye contact
  • Gazing steadily at an object
  • General stillness
  • Tilting or cocking one's head
  • Chewing one's lip/pencil
  • Furrowing one's brow
  • Folding one's arms and staring into space
  • Leaning back in one's chair
  • Looking upward
  • Scratching one's head
  • Holding one's head in one's hand
  • Resting one's head on the hands/fingers


  • Letting one's eyes wander
  • Gazing into the distance
  • Glancing at a watch or other objects
  • Sighing heavily
  • Yawning
  • Crossing and uncrossing legs & arms
  • Tapping fingers or feet
  • Twiddling thumbs
  • Pointing one's body away
  • Shifting weight
  • Leaning forward and backward in one's chair
  • Rolling the eyes
  • Moving one's head from side to side
  • Stretching
  • Cradling one's chin in hand
  • Picking at things (clothes, shoes, ring, etc.)
  • Attempting to do another task

Anger / Hostility

  • Arms, legs, ankles crossed
  • Short or rapid breath
  • Frequent repetition of certain phrases
  • Finger pointing
  • Rapid speech
  • Rapid body motions
  • Tightly closed lips
  • Stiff, rigid posture
  • Shaking
  • False / sarcastic laughter
  • Frozen expression / scowl

Frustration / Confrontational

  • Frequent eye contact
  • Within your personal space
  • Gesturing with hands
  • Shrugging or pointing

Surrender / Total Surrender

  • Sighs
  • Grimacing
  • Rapid exhaling
  • Hands on hips
  • Hands on head
  • Exaggerated movements
  • Rolling / closing eyes
  • Walking away
  • Shaking one's head
  • Shrugging


  • Isolation from social contact
  • Poor concentration
  • Inability to focus or plan ahead
  • Low / Quiet speech
  • Downcast eyes
  • Slow and deliberate movements
  • Change in appetite (either under or over eating)
  • Forgetfulness
  • Inattention to hygiene or dress

Grief / Sorrow

  • Tears
  • Listlessness
  • Inability to complete normal daily tasks
  • Isolation
  • Downcast eyes
  • Apathy
  • Signs of depression & confusion
  • Relaxed facial muscles
  • Slumped or slacked body
  • Motionlessness or slow movement


  • Shifting back and forth
  • Looking back and forth between objects
  • Tilting head from side to side
  • Opening and shutting hands or moving one hand then another
  • Opening and closing mouth without saying anything


  • Eyes darting back and forth
  • Tensing of the body
  • Curling up of the body
  • Shifting weight side to side
  • Rocking in one's chair
  • Crossing / uncrossing arms/legs
  • Tapping hands, fingers, feet
  • Adjusting or fiddling with objects
  • Wringing the hands
  • Clearing the throat
  • Nervous cough
  • Smile tic (a quick smile, then back to their normal expression, over and over)
  • Biting the lip
  • Looking down
  • Chattering nervously
  • Shaking or quaking (extreme situations)
  • Sweating
  • Chewing nails or picking cuticles
  • Hands in pockets
  • Rotating side to side with upper body
  • Becoming silent



Learn to hear between the lines, as every conversation is built from two distinct dialogs: the actual words, and the conscious/subconscious vocalization, volume, cadence and tone of voice. To hear the unspoken message, focus on the voice, not the words, in short spurts. Consider whether vocal characteristics are voluntary. Listen for patterns and changes as the conversation continues; consider context and the environment. Lastly, compare the voice to the body language you're picking up and the words being used. Keep the following in mind when interviewing someone, since they can be indicators of someone trying to fool you.

What is said: Verbal Content

  • Uses YOUR words to make a point.
  • Keeps adding information until they are sure you're sold on the story.
  • May stonewall to limit challenges to the position held by the accused.
  • Watch out for Freudian slips.
  • Depersonalizes the answer by offering a belief on the subject instead of directly answering.
  • Implies an answer but never states it directly.

How something is said

  • The pronouns I, we and us are underused or absent.
  • Deceitful responses to questions take longer to think up.
  • Reactions that are all out of proportion to the question.
  • Speaks in monotones and the passive voice.
  • Statements sound like questions.

Decoding Vocal Clues

Loud Voice

  • Control
  • Persuasion
  • Compensation for a perceived flaw
  • Reaction to hearing loss
  • Inebriation

Is this voice appropriate? Is the loudness constant or does it vary? How is the voice being used?

Soft Voice

  • Can be used to manipulate
  • Lacks confidence and assertiveness
  • Maybe reflects calm self-assurance
  • Arrogance

Does the speaker seem tired? Is the speaker intentionally forcing someone within earshot to listen closely? Is the speaker maybe lying? Is the speaker limiting who can hear?

Rapid Speech

Fast speaking by someone who is usually normal paced can mean:

  • Nervousness
  • Anxiety
  • Impatience
  • Insecurity
  • Excitement
  • Fear
  • Drugs & Alcohol
  • Anger
  • Caught in a lie
  • Desire to persuade.

Slow Speech

  • Anxious
  • Ill
  • Confused
  • Under the influence
  • Lying
  • Deep in thought
  • Fatigued
  • Sad or grieving

Is slow speech normal or is it discomfort?

Halting Speech

  • Insecurity
  • Nervousness
  • Confusion
  • Untruthfulness
  • Attempt at precision

Other speech patterns to note alongside halting speech include pitch, intonation and emphasis, a flat, unemotional voice, pretension/snobbery and whining.


  • Anger
  • Sexual interest
  • Disbelief
  • Excitement
  • Frustration
  • Nervousness

Raspy Voice

  • Smoking
  • Illness
  • Gives speeches

Mumbling (chronic)

  • Lack of confidence
  • Preoccupation
  • Insecurity
  • Fatigue
  • Anxiety
  • Inability to articulate thoughts.
  • Self-consciousness
  • Illness

Mumbling (not chronic)

  • Distracted
  • Tired
  • Chewing
  • Under the influence

Mumblers seldom demonstrate significant leadership ability, or even any desire for such control.

Accents: May tell you about cultural mannerisms.


Communication Style

In general there are 6 different communication styles; each style tells us a little bit about the person speaking, along with some details about who they are vs. who they want us to think they are. On a simple scale from 1 to 6, one is the hardest to communicate with while 6 is the easiest. Here is a quick rundown of each style along with its ranking.

  1. Nobles – Believe communication is to exchange information ONLY.
  2. Magistrates – Opinionated, argumentative and difficult to deal with.
  3. Senators – Choose whatever communication style works best in the situation.
  4. Candidates – Seek to communicate along a path of least resistance.
  5. Socratics – The purpose of communication is to talk. Love discussion and debate.
  6. Reflectives – “Touchy feely” people. VERY communicative.

Looking for motive

There are many reasons for manipulative conversations, including but not limited to avoiding embarrassment, tricking someone, avoiding hurting other people, covering up a lie, or pulling someone into an argument. Manipulative answers can be broken down into 5 categories.

  • Non-responsiveness – May be avoiding embarrassment, conflict, the truth or an emotionally difficult subject.
  • Not denying or explaining when expected – Hiding something, wants to avoid conflict, playing “games”, may be offended or trying for control.
  • Short answers – May be an early signal of dishonesty.
  • Long answers – May be used to hide the truth, avoiding an outright lie by spreading the truth thin. Is the answer candid or incoherent?
  • Answering questions with a question – Used if someone doesn't want to commit to an answer, used to redirect the conversation, and may show them as being secretive.


Conversational Detours

The pregnant pause

A pause after you have said something provocative, threatening or off subject, catching the other person off guard, could mean that they were surprised or offended. A brief pause could mean anger, frustration or disgust. Look closely for clues in the person's face, eyes, and mouth.


Constant or poorly timed interruptions may be motivated by impatience or boredom. Are they trying to control the conversation by changing or altering the topic?


Rambling usually reveals nervousness, confusion, insecurity, a need for attention or . If this is not normal for the individual, then it could mean intoxication, severe fatigue or simply distraction.

Changing Subjects

Intention can be gathered by looking at the relationship between the old topic and the new one.

Revealing habits of conversation

Defensive Behaviors

  • Withdrawal – Grows silent suddenly; pay attention to tone and content.
  • Aggressive attack – Blames someone else, or you, to excuse or sidestep the issue.
  • Professing religious beliefs, family values or high morals.
  • Emotionally disarming the attacker by flattering them with praise.
  • Unprovoked protestation of innocence – Really overblown claims of innocence.

People commonly volunteer information to make a connection with you by telling you what they think you want to hear.

Verbal calling cards

  • Slang – Can shed light on cultural influences and socioeconomic background. This includes bad grammar. How and when slang is used is also important.
  • Word themes – The more a person relies on word themes, the more strongly he relates to some aspect of those favored words.
    • “Aggressive terms” – Won, battle, outflanked, aggressor.
    • “Honesty” – Frankly, to be honest, to tell the truth.
  • Use of titles – The way a person uses a title can reveal his geographic background; e.g. Sir or Ma'am can be a sign that the speaker is from the South or the military. Titles can show or ignore respect, and can be sarcastic, for example changing Dr. Oz's title to Mr. Oz.
  • Profanity – May equal being socially inept, excitable, or insensitive to the reactions of others. If used in anger, the person may be seen as aggressive and having a volatile temper. Excessive profanity is threatening and may be used as intimidation. To gauge profanity, consider how often and under what circumstances it's used.
  • Braggadocio – Takes the form of interjecting one's accomplishments when they are not relevant, name dropping or exaggerating one's success. They always lack true confidence.
  • Exaggeration – No room for grey. Signals insecurity and trying to get noticed. Trying to control the conversation and trying to control their true behavior.
  • Ingratiating behavior – Blatant manipulation, kissing up, brownnosing; consider the context, as they may be trying to comfort you or make you feel accepted. May lack confidence. Brownnosers fall into two categories:
    • Those who ingratiate to gain personal advantage.
    • Those who ingratiate to win your approval.
    • If demeanor, appearance and other clues point to passive, then they probably were not trying to manipulate you.
  • Self-criticism – If the speaker does this more than twice, start to ask “why”. Very insecure and low self-esteem. May be looking for support, encouragement, help, or for you to disagree with them. May be used to put you at ease. How they respond to others' remarks is a good test to gauge the reasoning.
  • The broken record – Either senility or a mental issue, nervously filling space in the conversation, or sending a loud, clear signal that something is on his mind and he wants acknowledgement.
  • Gossiping – Consider the target and context to find motives.
  • Humor – Can be sarcastic, subtle, genuine or insincere. Can be a weapon or a shield. Frequently used to disguise true feelings, or to turn a conversation from a serious one to a lighter one. Compassion to show empathy or understanding. Disguises emotions they don't want to expose.
  • Sarcasm – Used either to get a laugh or to make a point indirectly.

Actions in / with speech

  • Words < actions
  • Focus on how one behaves towards others.
  • We all make mistakes, but not patterns.
  • People MAY change; ask yourself:
    • How long has it been set?
    • How recently has it changed?
    • How quickly?
    • What could have motivated him?
  • Look for patterns – Question ANY time someone deviates from their known pattern.
    • Selfishness
    • Performance under fire
    • Unkept promises
    • Avoidance
    • Preaching
    • Fanfare
    • Spending habits
  • Environment
    • Read the environment with all your senses.
    • See the big picture – Clues are everywhere, but focus on props, calendars, photos, books, magazines, art, plants, desk or refrigerator props.
    • Watch for differences in people's public vs. private environments.
    • Find out where the target goes for “me” time.
    • Birds of a feather: who we hang with says a lot about how we think.
    • Everything about us is affected by our environment.

Exceptions to our rules

  • Always consider whether your missing something.
  • Be alert for:
    • The elastic person – time and exposure will show up lies.
    • Rehearsed Presentation – remove from comfort zone
    • Liars – focus on nothing that he says
    • Delusional Thinker – Fool yourselfers
    • Physically Disabled – They think and react differently depending on the condition.
    • Illness, fatigue and stress
    • Drugs and Alcohol – will cause changes from one moment to another
    • Cultural influences
    • Never forget coincidences do happen! Don’t assume too much.
  • When listening to your inner voice make sure you review evidence that made you feel your “hunch”


Snap Judgments

Sometimes we have to make our decisions as quickly as possible. With time and practice you will be able to do a pretty decent snap judgment that is pretty close to truth. Please keep in mind that this is something that takes a great amount of concentration to ensure you don’t miss anything that will bias your judgment incorrectly.

A quick way to do such a snap judgment is to follow a simple workflow

  • Work from overall picture down to subtle clues.
  • Keep in mind the question you’re trying to answer. No reason to over analyze.
  • Zoom in on “key elements”, if you see a unique trait, does it tell you something if you watch closely?
  • Look for patterns
  • Decide quickly, second guessing yourself can lead to lots of problems!
    • Err on the side of caution and practice, practice, practice!


Interpreting Traits

These are probably the most socially arguable part of this method, but tied together with the information collected using the methods already mentioned, you will be able to draw some very interesting conclusions quickly.


  • Tan – outdoors a lot or tanning salons
  • Pale – Not so outdoorsy, uber skin health, ill, or from somewhere with lots of snow and bad weather.
  • Irregularities – Facial; maybe they can’t afford to remove them or don’t care


  • Poor hygiene – out of touch, high level of self centeredness, lack of common sense, insensitive, mentally ill, drug use, ill, poor, lazy.


  • OCD, egotistical, structured, vain, inflexible, unimaginative, concerned about others’ opinions

Writing, logos and pictures on clothes

  • T-shirts with sports insignias – Fan of sport
  • Souvenir T-shirt – Traveler or Outdoorsman
  • Prominent Designer – Image conscious and may lack confidence.
  • Regional style
    • Tip off where they are from
    • Where they lived or currently live.
    • May identify them with that region.
  • Cultivated images – May not reflect true inner identity but outward role.

Flamboyance VS Conservativeness

  • F = Bright colors, shocking or distinctive styles.
  • C = Classic styles, subdued colors, careful and meticulous grooming
  • F = Want to stick out generally
  • C = Want to blend in.

Conservative dressers are generally confident.

Flamboyance – Creative, artistic, imaginative

  • Usually not overly “poor” or very practical
  • Are non-conformists and don’t care about opinions as long as they have an audience
  • Independent even a bit flaky


  • Are conformists
  • Often practical, authoritarian, and analytical
  • Most people are conservative in their thinking habits.

Practicality VS Extravagance

  • Practicality – Anything that points to comfort, cost or utility over style
  • Extravagance – Simply opposite


  • At ease with themselves
  • Not self-centered
  • Willing to be non-conformists
  • Frugal


  • Image conscious
  • Poor self esteem
  • Desire acceptance and approval

Sexual Suggestiveness

  • Tremendously confident
  • Very insecure
  • Trying to get attention
  • Sexually liberated
  • Outgoing, vain, self centered


  • Out of social mainstream
  • Insensitive to issues of appearance
  • Poor or lower socioeconomic background
  • preoccupation elsewhere
  • Sloppiness
  • Artistic, intellectual or absent minded
  • Professor syndrome


Interpreting body language


Preen, glance at themselves, make grand gestures, keep great distance from others, bore easily, make sexual maneuvers and posturing, boast, adopt affectations.


Good listening skills, self-deprecating humor, quiet demeanor, shows courtesies.


Lead/control conversations, surrounded by peers, volunteer for unpleasant tasks, good listeners, self assured smile, walks with confidence, almost striding. Firm handshake, better dressed, good hygiene, dress appropriately or more expensively, engaging, seldom follows trends, physical and athletic, good eye contact, conservative haircut, erect posture, squares body to talk.


Verbal repetition, repetitive motions, signs of indecision or frustration, conflicting or inconsistent behavior, shifting or shuffling


Crossing arms, legs, and/or ankles, clenching teeth, jaws or lips, averting the eyes, body squared to talker, hands on hips, quick exhaling, closing mouth tightly and refusing to talk. Leaving abruptly


Turning away, flushing, nervous laughter, avoiding eye contact, shaking ones head, avoiding people, leaving the room.


Wide open eyes, screaming, blushing, hands over the face, being frozen, gulping and swallowing, looking around, clutching other objects or hands tighter, hands in front of the body, leaning or shifting backward, turning away, quick, jerky flailing or stretching out of the extremities, shaking, heavy breathing, quick shallow breathing, holding one’s breath, walking quickly, stiffness, licking lips, small tentative steps.


Stiffening body, pouting, crossing arms, grimacing, avoidance, signs of anger.


Whispering, set jaw, a guarding posture, covering one’s mouth, body turned away, avoiding social interaction, revealing little emotion, brief, mechanical handshake, frequently locks down, looking around when being addressed, removing personal stuff from view.

Openness: Warm smile, kissing on greeting, long eye contact, standing close, firm handshake, enjoying social interactions.

Sexual or Romantic Interest

Exaggerated smile, laughter, staring, winking, wetting lips, thinking, crossing/uncrossing legs, thrusting out chest/hips, walking with swagger or wiggle, primping, lounging back, coy smile, flipping hair, personal space invasion, revealing clothing, touching one’s clothing, touching the object of affection, excessive perfume, makeup or cologne, overdressing, whispering, intent listening, intently looking the other person up and down, isolating the object of one’s affection by trying to get them alone.


Suspicion: Furrowed brow, squint in the eyes, turning head slightly down, looking slightly upward, tilting head, tight lips, signs of pensiveness.

Disbelief: Eye-rolling, head shaking, grimacing, frustration, turned up mouth corners, quick teeth exhale.


Repeated actions, biting nails, shaking, wringing hands, fidgeting, face rubbing, hands through hair, lack of focus.


Using the information provided above you should be able to reliably and consistently judge a person simply by talking to them. This technique, along with knowledge in the field of Information Security, would make anyone a dangerous honey pot in and of themselves. Please handle with care and never stop learning.

Wireshark is by far one of the most used tools among all I have in my arsenal. It is my go-to tool once I decide to open the trunk of a protocol and see exactly what is going on inside the wire. Let me start off by stating that this is very much a rabbit hole of learning. To master Wireshark is to master not only your hardware and software skills but to get an in-depth understanding of the protocols used by these systems. Because it is a complicated endeavor to explain EVERYTHING that this piece of software does, I will occasionally link to outside sources for more information. The objective of this post is to introduce you to a piece of software I happen to love, get it installed, and get you practicing. Wireshark is not something learned overnight and no amount of tutorials could ever cover all it does. Like most things, however, a little bit of practice and perseverance goes a long way.

Here are just SOME of the features posted on Wireshark’s website which show off just what this little beast can do.

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text

As you can see this tool supports many capture formats, access methods and platforms. This write up will shine a light on simply the basics, with future posts going deeper into the subject.



aptitude install wireshark
apt-get install wireshark


Simply download the Wireshark installer from: and execute it. Official packages are signed by the Wireshark Foundation. You can choose to install several optional components and select the location of the installed package. The default settings are recommended for most users.

There are so many platforms which support Wireshark that the best place to check is here, the software’s provided installation manual, broken down depending on OS.

Time to tinker


After downloading and installing Wireshark, you should then launch it and click the name of an interface under Interface List to start capturing packets on that interface. Under Linux it is not advised to run Wireshark as root; the installation will ask you if you want to set up a special group, and we recommend you do just that.

As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark will capture each packet sent to or from your system. In the case that you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see the other packets on the network.

You’ll probably see packets highlighted in green, blue, and black. Wireshark uses colors to help you identify the types of traffic at a glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems.

Custom rules can also be made to highlight JUST the packets you’re interested in. There are two types of coloring rules in Wireshark: temporary rules that are only in effect until you quit the program, and permanent rules that are saved in a preference file so that they are available the next time you run Wireshark. Temporary rules can be added by selecting a packet and pressing the Ctrl key together with one of the number keys. This will create a coloring rule based on the currently selected conversation. It will try to create a conversation filter based on TCP first, then UDP, then IP and at last Ethernet. Temporary filters can also be created by selecting the Colorize with Filter → Color X menu items when right-clicking in the packet detail pane. To permanently colorize packets, select View → Coloring Rules.

Here are some coloring rules provided by the Wireshark wiki.

Filtering those packets

If you have specific traffic you’re interested in inspecting, it helps to close down all other applications using the network so you can narrow down the traffic. Still, you’ll likely have a large amount of packets to sift through so we narrow your aim using filters.


The most basic way to apply a filter is by typing it into the filter box at the top of the window and clicking Apply (or pressing Enter). For example, type “icmpv6” and you’ll see only ICMPv6 packets. When you start typing, Wireshark will help you autocomplete your filter so it’s quick to find exactly what you’re looking for.

Once you get the basics of capturing and analyzing the data it becomes easy to listen in on just about any conversation your network is having. For some added fun, right click a packet and click “follow stream” to follow the conversation your machines are having. Practice with some Sample Captures if your network isn’t exactly interesting. If you’re really up to the challenge, Netresec hosts a great collection of public pcap files that cover everything from malware live on the wire to CTF traces from Defcon CTF contests.
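The conversation-filter precedence behind Ctrl+<number> (TCP first, then UDP, then IP, then Ethernet) and the “follow the conversation” idea from the last two sections, rebuilt in Python as an added example (not Wireshark’s own code). Packet dicts and addresses are constructed here; the filter strings use Wireshark display filter syntax, though the GUI’s exact wording may differ slightly.

```python
# Added example, not Wireshark's own code: the conversation-filter precedence
# behind Ctrl+<number> (TCP first, then UDP, then IP, then Ethernet) rebuilt in
# Python over constructed packet dicts. Filter text follows Wireshark display
# filter syntax; the GUI's exact wording may differ slightly.
# (layer, fields a packet must carry, filter fields), highest precedence first
LAYERS = (
    ("tcp", ("ip.src", "ip.dst", "tcp.srcport", "tcp.dstport"), ("ip.addr", "tcp.port")),
    ("udp", ("ip.src", "ip.dst", "udp.srcport", "udp.dstport"), ("ip.addr", "udp.port")),
    ("ip", ("ip.src", "ip.dst"), ("ip.addr", None)),
    ("eth", ("eth.src", "eth.dst"), ("eth.addr", None)),
)

def conversation(pkt):
    """(layer, sorted endpoint pair) for the highest-precedence layer present.
    Sorting the pair makes both directions of one flow compare equal."""
    for layer, fields, _ in LAYERS:
        if all(f in pkt for f in fields):
            ports = (pkt[fields[2]], pkt[fields[3]]) if len(fields) == 4 else (None, None)
            src, dst = (pkt[fields[0]], ports[0]), (pkt[fields[1]], ports[1])
            return layer, tuple(sorted((src, dst), key=repr))
    raise ValueError("no Ethernet layer in packet; nothing to filter on")

def conversation_filter(pkt):
    """Display filter selecting every packet of pkt's conversation, both directions."""
    layer, ((addr_a, port_a), (addr_b, port_b)) = conversation(pkt)
    addr_field, port_field = next(m for name, _, m in LAYERS if name == layer)
    terms = [f"{addr_field}=={addr_a}", f"{addr_field}=={addr_b}"]
    if port_field:
        terms += [f"{port_field}=={port_a}", f"{port_field}=={port_b}"]
    return " && ".join(terms)

def in_conversation(pkt, reference):
    """True when pkt belongs to the same conversation as reference (either direction)."""
    return conversation(pkt) == conversation(reference)

# Constructed sample frames: an HTTPS request and its reply, a DNS query, an ARP frame
SAMPLE = [
    {"eth.src": "aa:aa:aa:aa:aa:aa", "eth.dst": "bb:bb:bb:bb:bb:bb", "ip.src": "10.0.0.5",
     "ip.dst": "203.0.113.10", "tcp.srcport": 51234, "tcp.dstport": 443},
    {"eth.src": "bb:bb:bb:bb:bb:bb", "eth.dst": "aa:aa:aa:aa:aa:aa", "ip.src": "203.0.113.10",
     "ip.dst": "10.0.0.5", "tcp.srcport": 443, "tcp.dstport": 51234},
    {"eth.src": "aa:aa:aa:aa:aa:aa", "eth.dst": "bb:bb:bb:bb:bb:bb", "ip.src": "10.0.0.5",
     "ip.dst": "10.0.0.1", "udp.srcport": 40000, "udp.dstport": 53},
    {"eth.src": "aa:aa:aa:aa:aa:aa", "eth.dst": "ff:ff:ff:ff:ff:ff"},
]

if __name__ == "__main__":
    print(conversation_filter(SAMPLE[0]))
    print([in_conversation(p, SAMPLE[0]) for p in SAMPLE])  # [True, True, False, False]
```

Paste the printed filter into the filter box and Wireshark shows both directions of that flow, which is what “follow stream” does for you in one click.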


Wireshark User Guide

Learn Wireshark

Sample Captures
