ØSecurity (nullsec.us)

History of Nmap Top Ports

Nmap’s top 1,000 ports haven’t changed since 2008, but the internet has. New services have emerged, and attack surfaces have shifted. This post revisits port scanning’s evolution, highlights outdated assumptions, and stresses the need to know your target—because defaults don’t always cut it.

Custom Shortlinks with Shlink

I setup Shlink in a Digital Ocean droplet, and put it behind Cloudflare. There's nothing super unique here, but I wanted to document it both for my sake, and anyone else that has a similar setup. I'm using the smallest/cheapest Digital Ocean droplet I can.

CSC-STD-002-85 (Green Book)

GitHub - BeanBagKing/CSC-STD-002-85: DEPARTMENT OF DEFENSE PASSWORD MANAGEMENT GUIDELINE - 12 April 1985 - CSC-STD-002-8512 April 1985 - CSC-STD-002-85 - BeanBagKing/CSC-STD-002-85GitHubBeanBagKing For whatever reason, I decided to try to recreate the 1985 Department of Defense Password Management Guideline book. I've only ever seen the text, which

I wish it need not have happened in my time

I'm going to stray from the topic of cybersecurity and infosec for a moment, and likely more and more over the next few years. What I'm seeing in the world around me, particularly in the country and state where I live, scares the absolute hell out

AppCompatCache Part 3

In my previous post, I went though the structure of the AppCompatCache and then parsed out the actual values found. I expect this to be the last part of this series and goes over some additional findings and thoughts. However, I'm working with Richard of 13Cubed on this,

Building a Custom AppCompatCacheParser.exe

I’m still digging into the values found in my previous post (AppCompatCache Deep Dive) and as part of that, wanted to see the actual values being flagged, not just Yes for 01 00 and No for everything else. This is a bit of a side quest into doing that,

AppCompatCache Deep Dive

Let’s set some background first. Back in Windows XP and prior, the mere existence of AppCompatCache (aka Shimcache) could be used to prove execution. A program wasn’t shimmed unless it was actually executed. This changed in Windows 7, 8, and 8.1 (presumably Vista as well, but nobody

Examining SMS Phishing

I received a phishing message via SMS today directing me to hxxps://cutt[.]ly/WegUqPxy?Lgp=brg1CtzWGg. I haven't done a post in a while, and thought this might be interesting to examine. urlscan.io This is a great site for examine single page phishing or suspect sites.

Forensic Collection from Proxmox VE

The following are some notes and a bit of a guide regarding collecting memory and disk from Proxmox Virtual Environment (hereafter PVE). There doesn't seem to be nearly as much information regarding best practices and potential pitfalls as there is for Hyper-V or ESXi. However, with the growing

Plaso Windows Build

I'm trying to nail down the steps to build the Log2Timeline Plaso Windows executable. Part of this is to make it more accessible to the community (for example, Autopsy, which still uses a 2018 version). Part is to make my job faster and easier (rather than having to

VSS Carving - Pt. 2, Halfway There

I intended for this to at least be a two part series, part 1 is here [https://nullsec.us/carving-for/]. I'm not sure yet if this will be the end of it or not. I did successfully recover some information from a deleted snapshot, so success there. However,

VSS Carving - Pt. 1, Setup

I'm actually having some problems getting the final results in a lab, so I'm going to go through the tool and lab setup first. Hopefully this will encourage someone to point out what I'm doing wrong or a lab setup that will work. I&

Windows Baseline Logging

When people ask what their baseline configuration should be, in terms of logging, I feel like it often gets answered with general advice regarding knowing your environment, having different configurations for file servers vs domain controllers, etc. This is true advice, but not particularly helpful. You might not know your

Log4j / Log4Shell / CVE-2021-44228

For average/home users Someone on twitter [https://twitter.com/Rooster_75/status/1470746847790706698] asked two questions that I thought might be valuable for this article, paraphrasing: > Can someone explain the Log4j vulnerability in non-IT terms, and is there any mitigation my level as average mere mortal? 1) A

Super Timeline Quick Reference

If you haven't watched it already, there's some great YouTube videos by Richard Davis of 13cubed that I suggest you start with. If you're just looking for the commands to run, scroll towards the bottom. There are a LOT of advanced options that could

PSScriptPolicyTest Files

There is an often-referenced article here [https://www.deploymentresearch.com/psscriptpolicytest-script-gets-blocked-by-applocker-in-the-event-log-why-and-what-are-those-files/] that lays out what these files look like, what they do, and where they originate. From the perspective of trying to identify them however, it was a bit out of date, and nobody really goes over everything that these

Finding Unusual PowerShell with Frequency Analysis

I have, for a long time, been watching my logs for unusually long command line artifacts. Something suspicious doesn't have to be long, but except for a few well-known and easily ignored applications, most long command lines are suspicious. For example, imagine you came across this [https://threatpost.

Mongo 3.6 on Ubuntu 20.04

I'm sure the first thing you're asking yourself is why. Stubbornness is your answer. I was playing with Zeek at home (if you want to get started, check out Zeekurity Zen [https://www.ericooi.com/zeekurity-zen-part-i-how-to-install-zeek-on-centos-8/] on Eric Ooi's page, quality stuff) and built

Cloud-Hosting FoundryVTT in Lightsail

Plus CloudFlare and proper LetsEncrypt Certs I got bored and decided to play with a cloud-hosted Foundry VTT server. They have some great guides for getting started with some of these. I could get a little more bang for my buck though if I went with Amazon Lightsail. Lightsail is

Converting .sid (MrSID) files

Just notes because every forum post I came across for this was 10 years old, and all the references and links were out of date. Once you find the files, there's nothing difficult here. From the Wiki [https://en.wikipedia.org/wiki/MrSID] "MrSID (pronounced Mister Sid)

Battery Powered PIR IR Illuminator

I've spent some time searching for an additional IR illuminator to supplement my security cameras. For those of you not familiar with what these are, the IR lights (or near-infrared, 850nm) on your camera are what allows it to see in the dark. Most cameras have decent lights,

Volatility 3 Framework (v 1.0.0-beta.1) Requirements

Very quick post, mostly notes for myself. When using Volatility 3 you might noticed that some plugins cannot be loaded # ./vol.py -h [...] The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.cachedump, volatility.plugins.windows.callbacks, volatility.plugins.windows.hashdump, volatility.plugins.windows.

Discussion on Domain Credential Extraction

It's been a while since I have posted anything, and today I ran across a Tweet and had a conversation that I thought would make a perfect subject. It begins with "A mini thread: I periodically see folks suggest that to prevent weak passwords you should dump

Password Analysis - LiveJournal

Updated: 29 May 2020 @ 13:25 UTC - Added additional Pipal analysis. This is the first of my "Password Analysis" posts that I've published, but the second one I've written. I started with 000webhost, but had not completed that when this breach hit. This

"Deleted" LiveJournal Accounts

Update 27 May 2020 @ 13:17 UTC - See bottom Update 27 May 2020 @ 19:48 UTC - Related post analyzing passwords in use: https://nullsec.us/livejournal-password-analysis/ [https://nullsec.us/livejournal-password-analysis/] There's a lot of talk about the LiveJournal breach going on right now. I wasn'