ØSecurity (Page 3)

Helpful Nmap Notes

Nmap can take script arguments in a fashon such as the following nmap -Pn -sU -sS --script "rdp-ntlm-info,smb* and not smb-brute and not smb-flood and not smb-psexec and not smb-enum-shares" -T4 -p U:137,U:138,T:137,T:139,T:445,T:3389 192.168.1.30 Note

Stresspaint Malware IOC's

One thing that continues to amaze me is that anytime something like this hits the news, IOC's are limited to what files (by name) it drops. Ya know what's even more useful? Hashes, hashes are more useful. So here's a few I was able to pull. Note: I seem to

Fixing a raw shell with Python and stty

I've seen the python pty trick in a few places, first when taking OSCP labs. However, if you've noticed there's still some problems. 2 years ago at HackFest @r00k [https://twitter.com/_r00k_] did a presentation where he improved the quality of the shell dramatically. Last year at HackFest, @jeffmcjunkin

OpenSSL and Private Key Compromise

This is a problem I've run into several times in the past, so I wanted to document this a bit. While processing certificate signing requests (CSR's) I've occasionally had external entities send the private key along with the CSR. I guess they assume it's needed for some reason... Needless to

changes

Changes

If you closely follow this site (which I doubt anyone actually does), you may have noticed some differnces to the theme and a bit of downtime yesterday. I'm making some changes to the site with the following goals in mind * Save some money * Reduce complexity * Improve security With these things

Browser Cryptominer

Finally found a live site mining crypto currency tonight. Really quick post on detection. WARNING! As of this writing, this site drives CPU to >70% and mines cryptocurrency. As far as I can tell, that's all it does, but you know... So first, the site in question: http://www.arrowheadology.

FUZZBUNCH, msfvenom, meterpreter, and YOU!

I've read a few of the FUZZBUNCH / ETERNALBLUE / DOUBLEPULSAR tutorials, and decided to create my own. The others work, but I found one or two things that I modified, and always like to make my own notes. So diving right in... Terms/Notes * Target = 10.1.0.5 - Windows

Session Hijacking, XSS, and cookies

Brief tutorial/walk through. We will be creating a cookie (manually) for testing, and a very basic test site containing a script that could be embedded in a site via XSS, and then sending our cookie to a remote server[1]. For this exercise, you'll need... * Publicly hosted website, DigitalOcean

Narrowing down the cause of ICMP traffic

Most StackOverflow questions which cover narrowing down the source of traffic on a machine deal with TCP or UDP. There's a few for other protocols, but ICMP isn't one that I saw a lot of coverage on. So lets say we are made aware that there is some odd ICMP

Fixing PuTTY

I suppose you could call this another "First (X) Things to Do". I'm talking about the installed version of putty here, and really there isn't much to do. There's really only two things I wanted to make a note of. 1) Disable right click to paste Maybe you're a fan,

Hashcat 3.0 on a 32-bit Linux VM

One issue I've had with the new hashcat 3 is the ability to run it within 32-bit linux VM's. Intel doesn't make 32-bit OpenCL drivers [https://software.intel.com/en-us/articles/opencl-drivers#core_xeon]. IBM made some back in 2011 apparently (PDF link [https://www.ibm.com/developerworks/community/files/

RDP sessions with xfreerdp using PTH

I was trying something very simple today on Kali 2016.1 (Kali 2 rolling), passing the hash to an RDP session based on this Kali blog post [https://www.kali.org/penetration-testing/passing-hash-remote-desktop/]. It should have been as simple as apt-get install freerdp-x11 and then the correct command. Again and

[Kali] Running BeEF-XSS on Port 80

BeEF XSS Framework is awesome. However, I wasn't getting good results on port 3000. I have the feeling the firewall on or between the target host was blocking this port. To test this, I wanted to start Beef on port 80 and launch the attack. However, beef-xss runs as a

[Windows] What user am I?

I'm working through exercises in pen-testing and I ran into an slight problem. How do I tell what user I'm currently logged in as? * whoami - Doesn't work, box is too old (pre-vista) * echo %username% - Literally echos %username%, variables don't work. * set - Doesn't display username, and home directory

OSSEC HIDS agent installation script for RHEL/CentOS.

I found a very useful script for automating the installation of the OSSEC HIDS agent on RHEL/CentOS servers. This isn't mine, all credit goes to whomever runs 13Cubed. It automatically pulls down the Atomic Repo, installs the HIDS Agent, takes care of file renaming, launches the manager, and cleans

Top 1,000 TCP and UDP ports (nmap default)

Some quick notes on what nmap scans by default, the commands below will give you the ranges scanned, and there's also some lists suitable for copy/pasting. * Top 1,000 TCP Ports: nmap -sT --top-ports 1000 -v -oG - * Top 1,000 UDP Ports: nmap -sU --top-ports 1000 -v -oG

Hashcat goes open source with v2.00

The official announcement is on the Hashcat forums [https://hashcat.net/forum/thread-4880-post-27398.html#pid27398]. This is amazing news, I can't wait to see what this brings. Among the things I can't wait for... * OSX Support * Huge improvements in several algorithms * Contributions from others in the security industry * Better integration

First (X) things to do after installing Windows 10

I reinstalled Windows 10 the other day and realized that there were several settings I needed to tweek, so in the spirt of my Kali post, here's Windows 10 First Things. 1) Uninstall Build-In Apps Launch Powershell with Administrator rights and enter the following. Note that this removes what I

Starting up Metasploit Framework in Kali Linux 2.0 (Sana)

Lack of updates, I know, I'm still busy. Today's entry is a direct copy and paste from the Kali site. In case you missed it (like I did) Kali 2.0 handles Metasploit a bit different, its no longer a service. This is mostly just a reminder for me. Without

Victim Blame vs. Negligence

So I think it's time for my first "opinion piece". This is in response to the following article, and several tweets I've seen saying that pulling security clearances is a bad idea and amounts to a blame the victim mentality. http://arstechnica.com/security/2015/09/dhs-infosec-chief-we-should-pull-clearance-of-feds-who-fail-phish-test/ > "I get the

Setting random Expiry Times for KeePass Entries

I've been using KeePass for years. A while ago I also started using the expire function. However, only a handfull of my accounts actually have this turned on so far. I've been meaning to go through and set this up for all entries, but it's been terribly difficult. I don't

Opening RDP sessions from KeePass

I'll add this to it's own post, instead of my KeePass tutorial, since it's a more advanced feature. There's a way to launch RDP sessions with KeePass, making it much easier for sysadmins and the like to log into servers they have access to. Here's the original tutorial [http://blog.

Quick check for "AD User Exists"

There's a ton of examples of this kind of script, but for some reason each one I tried gave me an error. I'm not sure if it was due to powershell version changes or what, but this one should work on Powershell v4 and Windows Server 2012 r2. # Takes a

Extracting other malicious content

So a while ago I did a short piece on extracting malicious VBA [http://www.nullsec.us/extracting-malicious-vba/], something I seem to run into more and more. Today I ran into a different attachment. It was a .zip file containing a .shtml file. SHTML is (appearently) an HTML file that

Securely empty linux trash can

You can thank the user testingresults over on the Kali forums [https://forums.kali.org/showthread.php?485-How-To-Securely-Sanitize-your-Trash] for this one. That link will take you to his guide, which is much better than what I have. Very quick reproduction of the guide follows. apt-get install scrub vim empty_trash.