Windows Event ID 1029 Hashes While reviewing Windows RDP event logs for the RDP project, I noticed one in particular. Windows Event ID 1029 can be found under Microsoft-Windows-TerminalServices-RDPClient/Operational.evtx. This event is created on the computer
Windows RDP-Related Event Logs: The Client Side of the Story This article is going to cover the other side of Windows RDP-Related Event Logs: Identification, Tracking, and Investigation and RDP Event Log Forensics. Both of these document the events that occur when viewing
Integrating BeEF and Metasploit This isn't exactly undocumented, but I definitely feel like it's underdocumented. I've seen the metasploit browser_autopwn feature in the modules in the past, but what I didn't realize until recently is that
Stitching together UniFi Video Footage I recently wanted a video of a large amount (lets say 24 hours worth) of footage from my Ubiquiti UniFi camera. If you're doing 24/7 recording, the NVR interface chunks videos into
dirb multiple hosts wrapper I've had the need in the past to run dirb (dirbuster like web directory brute force tool) against a range targets. However, dirb only takes a single host as an argument. It would
Office 365's Secret "Activities" API The TL;DR up front, because I hate buried leads. Microsoft created an undocumented API that gave incident handlers, forensic teams, and blue teams a tool that they have long wished for and
Disqus on Ghost More adventures into self-hosting Ghost. I have Disqus up and running again, all the comments are still there. Since Disqus was based on URL, and the URL didn't change, everything just started working
Adding security.txt to Ghost Ghost is pretty great. Simple markdown language for posts, lightweight, and self-hosting allows me to keep costs down and lets me customize some things. However, it also feels a bit goofy when you
I accidentally the whole / Instead of chmod -R ./ 664 * inside a script, I just ran chmod -R / 664 *. Worse, this was inside AWS, no directly console access. Woops... This isn't the worst thing to recover from if
Finding Event Logs Caused by an Action Windows 10 1803 x2 - vanilla install, all commands run from elevated prompt Ever want to find out what Windows Event Logs are created by a particular action? There doesn't seem to be
EternalBlue on Windows XP There's a few articles and exploits out there where EternalBlue has been found to work on Windows XP. However, the metasploit framework does not seem to have a reliable exploit for it. I
Making Firefox tabs behave more like Chrome One of the only things holding me back from using Firefox over Chrome was the behavior of the tabs. I absolutly hated having to scroll back and forth to find a tab, and
Helpful Nmap Notes Nmap can take script arguments in a fashon such as the following nmap -Pn -sU -sS --script "smb* and not smb-brute and not smb-flood and not smb-psexec and not smb-enum-shares" -T4
Stresspaint Malware IOC's One thing that continues to amaze me is that anytime something like this hits the news, IOC's are limited to what files (by name) it drops. Ya know what's even more useful? Hashes,
Fixing a raw shell with Python and stty I've seen the python pty trick in a few places, first when taking OSCP labs. However, if you've noticed there's still some problems. 2 years ago at HackFest @r00k did a presentation where
OpenSSL and Private Key Compromise This is a problem I've run into several times in the past, so I wanted to document this a bit. While processing certificate signing requests (CSR's) I've occasionally had external entities send the
changes Changes If you closely follow this site (which I doubt anyone actually does), you may have noticed some differnces to the theme and a bit of downtime yesterday. I'm making some changes to the
Browser Cryptominer Finally found a live site mining crypto currency tonight. Really quick post on detection. WARNING! As of this writing, this site drives CPU to >70% and mines cryptocurrency. As far as I
FUZZBUNCH, msfvenom, meterpreter, and YOU! I've read a few of the FUZZBUNCH / ETERNALBLUE / DOUBLEPULSAR tutorials, and decided to create my own. The others work, but I found one or two things that I modified, and always like to
Session Hijacking, XSS, and cookies Brief tutorial/walk through. We will be creating a cookie (manually) for testing, and a very basic test site containing a script that could be embedded in a site via XSS, and then
Narrowing down the cause of ICMP traffic Most StackOverflow questions which cover narrowing down the source of traffic on a machine deal with TCP or UDP. There's a few for other protocols, but ICMP isn't one that I saw a
Fixing PuTTY I suppose you could call this another "First (X) Things to Do". I'm talking about the installed version of putty here, and really there isn't much to do. There's really only
Hashcat 3.0 on a 32-bit Linux VM One issue I've had with the new hashcat 3 is the ability to run it within 32-bit linux VM's. Intel doesn't make 32-bit OpenCL drivers. IBM made some back in 2011 apparently (PDF
RDP sessions with xfreerdp using PTH I was trying something very simple today on Kali 2016.1 (Kali 2 rolling), passing the hash to an RDP session based on this Kali blog post. It should have been as simple
[Kali] Running BeEF-XSS on Port 80 BeEF XSS Framework is awesome. However, I wasn't getting good results on port 3000. I have the feeling the firewall on or between the target host was blocking this port. To test this,