I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
This panel was a lot of fun!
Here's more good stuff from Way West 2022...it's "Everything Old is New Again" with @hal_pomeranz , @edskoudis , @AlyssaM_InfoSec, and Tony Sager! youtube.com/watch?v=cT3YXCqe…
Thanks everybody for your concern. We are prepared for Ian and will be fine. If you are stuck in central Florida and need help, please reach out. DMs are open.
Daily Linux Forensics Trivia #23 - You find these commands in /root/.bash_history: "dd if=/dev/urandom of=/junk bs=1M; rm -rf /junk". What did these commands accomplish?
Trivia Answer #22 -- The quick summary is that the entry for the deleted file becomes "slack space" at the end of the previous directory entry. The inode number and file name from the deleted file entry are still visible. More details at sans.org/blog/understanding-…
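To make the "slack space" answer concrete, here is an added Python example (not from the thread or from sans.org) that builds a toy 64-byte ext directory block, simulates the deletion of one file, and then recovers the deleted entry from the slack covered by the previous entry's rec_len. The field layout is the ext4 linear directory entry (inode, rec_len, name_len, file_type, name); the file names and inode numbers are constructed.

```python
import struct

def pack_entry(inode, rec_len, name, file_type=1):
    """Encode one ext4_dir_entry_2: inode u32, rec_len u16, name_len u8, file_type u8, name."""
    raw = name.encode()
    hdr = struct.pack("<IHBB", inode, rec_len, len(raw), file_type)
    return hdr + raw + b"\0" * (rec_len - 8 - len(raw))

def build_block():
    """Constructed 64-byte block: '.', '..', 'notes.txt', 'evil'; then 'notes.txt' is deleted."""
    live = (pack_entry(2, 12, ".", 2) + pack_entry(2, 12, "..", 2)
            + pack_entry(13, 20, "notes.txt") + pack_entry(14, 20, "evil"))
    assert len(live) == 64
    # Deletion folds the victim's rec_len into the previous entry ('..' now spans 32 bytes);
    # the victim's inode number and name stay on disk untouched.
    return live[:12] + pack_entry(2, 32, "..", 2)[:8] + live[20:]

def parse_entry(block, off):
    inode, rec_len, name_len, _ftype = struct.unpack_from("<IHBB", block, off)
    name = block[off + 8:off + 8 + name_len].decode("ascii", "replace")
    return inode, rec_len, name_len, name

def align4(n):
    return (n + 3) & ~3

def walk_directory(block):
    """Return (live, deleted) lists of (inode, name). Deleted entries are carved from the
    bytes each live entry's rec_len covers beyond its own 4-byte-aligned size."""
    live, deleted, off = [], [], 0
    while off < len(block):
        inode, rec_len, name_len, name = parse_entry(block, off)
        if rec_len < 12 or rec_len % 4 or off + rec_len > len(block):
            break  # corrupt or unparseable; stop instead of looping forever
        live.append((inode, name))
        slack, end = off + align4(8 + name_len), off + rec_len
        while end - slack >= 12:  # a real entry needs at least 12 bytes
            d_inode, d_rec, d_len, d_name = parse_entry(block, slack)
            if (d_rec < 12 or d_rec % 4 or d_len == 0 or 8 + d_len > d_rec
                    or slack + d_rec > end or not d_name.isprintable()):
                break
            deleted.append((d_inode, d_name))
            slack += d_rec
        off = end
    return live, deleted

if __name__ == "__main__":
    live, deleted = walk_directory(build_block())
    print("live:", live)        # [(2, '.'), (2, '..'), (14, 'evil')]
    print("deleted:", deleted)  # [(13, 'notes.txt')]
```

The same walk applies to a directory block read out of an evidence image with dd, as long as the directory uses the linear (non-htree) layout.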
Daily Linux Forensics Trivia #22 - Explain what happens in an EXT directory file when you delete a file from that directory.
Trivia Answer #21 - Shout out to @lux_amalgamated for chiming in on this one. Assuming you have your evidence mounted on /mnt/evidence, the easiest thing to do is "find /mnt/evidence -newer /mnt/evidence/tmp/evil". This will show all files with a later mtime than /tmp/evil.
Important thread here. Everybody fails. The people who I look up to are honest about their failures, figure out why things failed, and come back better.
Got several DMs about this. Folks, I fail in tech all the time. SPOILER: EVERYONE DOES. The reason you don't hear about the issues is everyone wants to put their best foot forward. If you think somehow folks "level up" and don't have these issues, please think again.
Hal Pomeranz retweeted
Big web app pen test this week. Went to bed with a huge case of imposter syndrome. "Maybe I should open a coffee shop?" This morning I got server-side code execution, found VPN keys, and pivoted to internal network.😬 Don't let your struggles define what you can accomplish.
Hal Pomeranz retweeted
A reminder, it’s all fun and games until the #WaffleHouse Index hits red.
WAFFLE HOUSE INDEX: As Tropical Storm Ian threatens to make landfall in Florida as a major Category 3 hurricane, there is one indicator that could tell us how bad the storm impacts Florida: the Waffle House. fox35orlando.com/news/waffle…
Orlando is my home base. If your travel plans get messed up by the weather and you get stuck in the City Beautiful, reach out and we will help. DMs are open.
Got my flu shot. Please think about getting yours. Much love!
Hal Pomeranz retweeted
Changing jobs is scary, trusting people is scary, making big decisions that involve finances is scary. Meeting new people is scary. I see this in people of all genders and ages.
You can spend 2 hours staring at your screen, wondering why your code won’t work. Or you can go for a 20 minute walk and probably figure it out right after.
Hal Pomeranz retweeted
Is it "be very afraid that instead of penny candy, people will give your trick or treaters expensive street drugs that your children will obviously not confuse for individually wrapped candy" season yet?
Daily Linux Forensics Trivia #21 - You find the attacker's privilege escalation exploit installed as /tmp/evil. You want to find all files on the system that were modified since the privilege escalation exploit was dropped. How would you do this in Linux?
Trivia Answer #20 - Shout out to @countuponsec for a great list: linux_check_modules and linux_hidden_modules to look for modules that are hiding, linux_check_syscall to look for kernel hooks, and linux_check_inline_kernel to look for patching.
/dev/kmem + GDB Stub = kmemd This is an introduction to kmemd - a tool for exploring a live Linux kernel’s memory in a non-intrusive way using GDB. wkz.github.io/post/kmemd/ Explore a live Linux kernel's memory using GDB github.com/wkz/kmemd
Daily Linux Forensics Trivia #20 - Name two Volatility modules that can help to search for hidden loadable kernel module rootkits.
Trivia Answer #19 - Congrats to @lux_amalgamated for checking in with the correct answer! $HOME/.lesshst tracks search terms and shell escape commands entered by the user in the "less" program. It DOES NOT track which files the user has viewed.
Hal Pomeranz retweeted
The pandemic is only "over" if you need a political talking point.
The CEO of Pfizer has caught COVID twice in two months despite being quadruple vaxxed. The pandemic is over in the sense that we’ve decided to live with it instead of making any structural changes, the same way we live with gun violence and homelessness.