ØSecurity (Page 2)

Windows Event Log - Audit-CVE

Update: This event appears for both binaries and websites in build 1809 and 1909, but only for binaries in 1903 (not web). So if you're looking for this event and not finding it, that may be why. I have not confirmed this myself, so if someone else comes

Splunk REST API Python Example

There's really nothing special here except a mildly updated example of the code found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTTUT/RESTsearches#Python_example Basically, updated to python3 due to the impending end-of-life (print() adjustment, and urlencode had changed in Python3). While I was

Wireshark From Source / RHEL 7

Wireshark on Red Hat Enterprise Linux is, for some reason, about a decade out of date. The current version available via yum install is 1.10.14. This version was released in June 2013, and reached end of life in June 2015. Now, RHEL might be back-porting security patches (I&

Auditing Default Credentials with a Custom Python Script

From time to time I need to audit a large number of devices for default credentials. I typically use Metasploits http_login module for this. You can pass it a file of rhosts with something like set rhosts file://root/hosts.txt and have it check numerous systems quickly. However,

Top 4 Cybersecurity Threats That Small Companies Face

I thought this tweet [https://twitter.com/granick/status/1154137384906153985] might make a good blog post. I'm sure everyone in infosec will have their own answers, and all will be, generically, correct. Most of what I've seen is disagreements over one or two of the points,

news

[Cybersecurity News] 8 Jul - 15 Jul

School Vandals Caught When Smartphones Connect to Wi-Fi https://slate.com/technology/2019/07/glenelg-high-school-graffiti-wifi-login.html Four students who spray-painted hateful symbols on their school were caught, despite covering their faces, when their phones automatically connected to the schools wireless. School administrators simply checked for who had authenticated during the

news

[Cybersecurity News] 1 Jul - 8 Jul

July Patches for Android Devices Have Been Released https://thehackernews.com/2019/07/android-security-update.html https://source.android.com/security/bulletin/2019-07-01 Of the 33 vulnerabilities patched this month, 9 of these are considered critical and 3 could be used for remote code execution (RCE) on a device. Remember, laptops

news

[Cybersecurity News] 24 Jun - 1 Jul

I feel like I'm getting better at this, at least I got the day right this time... Third Florida Town in Three Weeks hit by Ransomware https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware/ It appears all three incidents started with a city employee clicking in an email attachment.

news

[Cybersecurity News] 17 Jun - 24 Jun

Not off to a great start. I forgot to post last week and I'm a day late this week. Still, here it is. Two Additional Universities Announce Email Compromise https://threatpost.com/university-breaches-email-threats/145759/ On the heels of OSU (last week), Graceland University in Iowa and Missouri Southern

news

[Cybersecurity News] 3 Jun - 10 Jun

I started developing a Cybersecurity Newsletter for those around me (parents, colleges, etc.) and was told it would be a good weekly addition here. The notes below each headline are my own and how they are relevant, a brief summary, or quotes from the article as appropriate. Australian National University

ESXi Update fails with "[Errno 28] No space left on device"

This appears to be a somewhat recent problem, and when searching for an answer, a lot of posts reference solutions or VMWare KB's that don't help (enabling swap, checking inodes, etc.). This problem appeared somewhere between ESXi-6.7.0-20190104001-standard (Build 11675023) and ESXi-6.7.0-20190404001-standard (Build

Password Spraying SMB

TL;DR - I wanted to audit for the presence of a particular username, with a particular password, across every endpoint in our environment. As usual, I had a theory. The theory was that, when we applied LAPS several years ago, there were things that got missed (as their always

Port Inversion/Diff Tool

I've been in need of a tool that would take two different sets of port numbers, and subtract one set from the other. This would be similar to comm -13, but would be able to act upon ranges in a list (e.g. 8,12,23-56). Scenario Here&

Mystery Scan - Leveraging Nmap flags to find the box that wasn't listening

I found a really cool thing several months ago. I was scanning my network from an external perspective (AWS specifically), and found a live host. The very odd thing about this finding is that there were no open ports, no listening services, and ICMP requests were disabled. I -nearly- chalked

EventFinder2 - Finding Events by Time

TL,DR upfront - I created a small program to grab all event logs between a beginning and end time mark and write them to a CSV. Find it here: https://github.com/BeanBagKing/EventFinder2 About I created this with the SOC analyst/blue team/threat hunter maybe? in mind.

9211-8i

RAID Controller Heat Considerations

I did quite a bit of reading before purchasing a RAID card (though it's never enough) and one fairly consistent thing I noticed is how hot people seemed to think they ran if they didn't have air blowing across them. When sitting in a rack mounted

LSI

Flashing LSI 9211-8i Firmware

I built a home ESXi lab, which I will be documenting a bit more later. Before I do though I wanted to document some of what I've learned about RAID before I forget it. Edit: This started out as more than just flashing firmware, but it got pretty

Force HP Printer Firmware Install

I'm re-posting something from redleg/Memory Sieve [https://www.memorysieve.co.uk/2015/10/update-firmware-hp-officejet-6500a-plus.html] regarding HP firmware upgrades. In their case, it was a matter of not being able to install the latest firmware package. However, in my case I wanted to force the reinstall of

Windows Event ID 1029 Hashes

While reviewing Windows RDP event logs for the RDP project [https://nullsec.us/windows-rdp-related-event-logs-the-client-side-of-the-story/] , I noticed one in particular. Windows Event ID 1029 can be found under Microsoft-Windows-TerminalServices-RDPClient/Operational.evtx. This event is created on the computer initiating the connection, and contains a hash of the username being used. (update

Windows RDP-Related Event Logs: The Client Side of the Story

This article is going to cover the other side of Windows RDP-Related Event Logs: Identification, Tracking, and Investigation [https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/] and RDP Event Log Forensics [https://www.youtube.com/watch?v=myzG11BP3Sk]. Both of these document the events that occur when viewing logs from the server

Integrating BeEF and Metasploit

This isn't exactly undocumented, but I definitely feel like it's underdocumented. I've seen the metasploit browser_autopwn feature in the modules in the past, but what I didn't realize until recently is that BeEF integrates directly with Metasploit. There's a

Stitching together UniFi Video Footage

I recently wanted a video of a large amount (lets say 24 hours worth) of footage from my Ubiquiti UniFi camera. If you're doing 24/7 recording, the NVR interface chunks videos into 10 minute segments. You can check multiple videos to download at one time, but that&

dirb multiple hosts wrapper

I've had the need in the past to run dirb (dirbuster like web directory brute force tool) against a range targets. However, dirb only takes a single host as an argument. It would be pretty easy to wrap it in an loop, but you're probably going

Office 365's Secret "Activities" API

The TL;DR up front, because I hate buried leads. Microsoft created an undocumented API that gave incident handlers, forensic teams, and blue teams a tool that they have long wished for and that Microsoft denied having. This API was known to five major forensics firms for some time, and

ghost

Disqus on Ghost

Updated 6 Mar 2021 - Scroll to bottom for the update More adventures into self-hosting Ghost. I have Disqus up and running again, all the comments are still there. Since Disqus was based on URL, and the URL didn't change, everything just started working once the Disqus universal