My Notes

1 - Windows

- Unable to delete a registry key?
  - Use the at command to schedule an interactive registry edit with SYSTEM rights
  - ex. c:\> at 16:00 /interactive regedt32.exe
- Netstat Foo
  - C:\> netstat -na 1 | find "[Scan_Host_IP_Addr]" -- Watches for connections/scans from that host (refreshes every second)
  - C:\> netstat -nao 1 | find "[Dest_IP_Addr]" -- Finds the PID generating the traffic to that destination
  - C:\> netstat -na 1 | find "4444" | find "ESTABLISHED" -- Reports when someone connects on port 4444
- Get Your Netbios Name Codes
- PSTools Foo
  - Remote Shutdown > psexec \\RemotePC -u UserName -p Password shutdown -r -t 1
  - Remote Service Disabling > sc \\[RemotePC] config [ServiceName] start= disabled
- MISC
  - LM Empty Hash AAD3B435B51404EEAAD3B435B51404EE
  - NTLM Empty Hash 31D6CFE0D16AE931B73C59D7E0C089C0
  - Find Resultant Set of Group Policy > rsop.msc
  - C:\> write notepad.exe:STR -- opens the alternate data stream (ADS) named STR in WordPad, letting you see ADS content
  - Ping Sweeper > for /L %i in (1,1,255) do @ping -n 1 [Net_Prefix].%i | find "Reply"
  - Auto NSlookup > for /L %i in (1,1,255) do @nslookup [Net_Prefix].%i 2>nul | find "Name" && @echo [Net_Prefix].%i
  - Password Guesser > for /f %i in (password.lst) do @echo %i & @net use \\[ip] %i /u:[Username] 2>nul && pause
    (or, instead of pause: && echo UserName: %i >> success.txt)
  - User and Password Guesser > for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j & net use \\[ip] %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\[ip] /del)
  - IIS HTTPERR Logs - %windir%\system32\LogFiles\HTTPERR
  - IIS URLSCAN Logs - %windir%\system32\inetsrv\urlscan\logs
  - Retrieve Windows proxy settings
    - reg query HKCU\Software\Microsoft\Windows\CurrentVersion /s /f AutoConfigURL
    - reg query HKCU\Software\Microsoft\Windows\CurrentVersion /s /f ProxyServer /t REG_SZ
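An added example (not part of the original notes) that does what the three netstat one-liners above do, but on parsed columns: the PID is tied to an exact foreign address, and the port check is an exact match, whereas find "4444" also matches port 44440 or a PID of 4444. The netstat output in SAMPLE is constructed; snapshot() only works on a Windows host.

```python
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -nao` output (not captured from a real host).
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49712     203.0.113.7:4444       ESTABLISHED     2308
  TCP    192.168.1.10:49713     203.0.113.9:443        ESTABLISHED     1244
  TCP    192.168.1.10:44440     203.0.113.44:80        TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1092
"""

def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '[::]:443' -> ('::', 443); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text: str) -> List[Dict]:
    """Parse `netstat -nao` rows into dicts. UDP rows carry no State column,
    so columns are assigned by protocol rather than by position alone."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # header, blank or unexpected layout: skip, never mis-assign
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport, "rhost": rhost,
                     "rport": rport, "state": state, "pid": int(pid)})
    return rows

def pids_talking_to(rows: List[Dict], dest_ip: str) -> List[int]:
    """PIDs behind any socket whose foreign address is exactly dest_ip."""
    return sorted({r["pid"] for r in rows if r["rhost"] == dest_ip})

def established_on_port(rows: List[Dict], port: int) -> List[Dict]:
    """Exact local-or-foreign port match on ESTABLISHED sockets only."""
    return [r for r in rows if r["state"] == "ESTABLISHED" and port in (r["lport"], r["rport"])]

def snapshot() -> List[Dict]:
    """Live capture on a Windows host; SAMPLE stands in for it offline."""
    out = subprocess.run(["netstat", "-nao"], capture_output=True, text=True).stdout
    return parse_netstat(out)
```

Call snapshot() in a loop with a sleep to get the same one-second polling as the netstat -nao 1 form.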

2 - *NIX

- Escaping regex metacharacters in grep/egrep > grep ' 10\.0\.0\.1 ' or egrep ' 10\.0\.0\.[0-9]+ ' (an unescaped . matches any character)
- Finding Big Files for Deletion > find / -xdev -type f -size +1000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'
- Count unique lines and sort by frequency > grep whatever somefile | sort | uniq -c | sort -rn
- WGETIE (wget with an IE6 User-Agent) > alias wgetie='wget -U '\''Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'\'''

3 - Security

Quotes
Spafford's first principle of security administration. This principle states that 'if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong'.

"[S]ystem vulnerabilities do not result from immutable physical laws. They occur because of a gap between theory and practice. In theory, a system should do only what its designers and operators want it to. In practice, it does exactly what its code (and settings) tells it to" - Air Force

“Freedom, Security, Convenience: Choose Two” - Dan Geer

"If you know the enemy, and know yourself, you will succeed in every battle;
If you know the enemy, and not yourself, for every victory you will suffer a defeat;
If you know neither the enemy nor yourself, you will succumb in every battle."
- Sun-Tzu

Didier Stevens' Safe Website Analysis
1 - Make a working directory "mkdir _"
2 - cd into the working directory
3 - echo "hxxp://something" > 01.url (hxxp is the defanged form; the file needs the real scheme for wget to fetch it)
4 - wgetie -d -o 02.log -i 01.url
5 - review the log for 200 OK and data
6 - review the file for malicious traits; rename to 03..html.vir if confirmed
7 - run "extractscripts.py 03..html.vir"
8 - rename to 04.script.1 and review the file
9 - deobfuscate with SpiderMonkey "js 04.script.1"
10 - rename the output files
11 - review the logs for binaries or other downloads
12 - download the binaries "wgetie -d -o 08.log -i 07.url"
13 - review the log for 200 OK and data, rename the file
14 - pecheck.py 09..exe > 10..exe.pecheck
15 - check entropy for packing and other PE info, and possibly a hash search
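Step 15 asks for an entropy check; as an added example (not Didier Stevens' pecheck.py, which does this and more), the Python below computes Shannon entropy per chunk so a packed or encrypted section stands out even when the whole file averages to an unremarkable value. The sample blobs are constructed; run it on 09..exe by passing the file's bytes.

```python
import math
import random
from collections import Counter
from typing import List, Tuple

# Bits per byte above which a region is usually compressed, encrypted or packed.
# 8.0 is the maximum; ordinary x86 code and text sit well below 7.
PACKED_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk_size: int = 512) -> List[Tuple[int, float]]:
    """(offset, entropy) for each fixed-size chunk of the input."""
    return [(off, shannon_entropy(data[off:off + chunk_size]))
            for off in range(0, len(data), chunk_size)]

def suspicious_regions(data: bytes, chunk_size: int = 512,
                       threshold: float = PACKED_THRESHOLD) -> List[int]:
    """Offsets of chunks whose entropy is at or above the threshold."""
    return [off for off, h in entropy_profile(data, chunk_size) if h >= threshold]

def looks_packed(data: bytes, chunk_size: int = 512, threshold: float = PACKED_THRESHOLD,
                 fraction: float = 0.5) -> bool:
    """True when at least `fraction` of the chunks look packed/encrypted."""
    profile = entropy_profile(data, chunk_size)
    if not profile:
        return False
    hot = sum(1 for _, h in profile if h >= threshold)
    return hot / len(profile) >= fraction

if __name__ == "__main__":
    # Constructed samples: repetitive "text" versus a pseudo-random blob standing in
    # for a packed section (seeded so the run is deterministic).
    rng = random.Random(1)
    plain = b"This program cannot be run in DOS mode.\r\n" * 100
    packed_like = bytes(rng.randrange(256) for _ in range(4096))
    for name, blob in (("plain", plain), ("packed-like", packed_like)):
        print(f"{name}: {shannon_entropy(blob):.2f} bits/byte overall, "
              f"suspicious chunks {suspicious_regions(blob)}, packed={looks_packed(blob)}")
```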

4 - Browsers

- Firefox Hacks
- Render pages faster > nglayout.initialpaint.delay :int 0-50
- Reduce Reflows > content.notify.interval :int 500000<>1000000 & content.notify.ontimer :bool true
- Search Tool results in new tab > browser.search.openintab :bool true
- Increase http connections > network.http.max-connections :int 32
- Increase server connections > network.http.max-connections-per-server :int 16
- Increase persistent connections > network.http.max-persistent-connections-per-server :int 8
- Reduce interval for persistent connections > network.http.request.max-start-delay :int 0
- Activate pipelining > network.http.pipelining :bool true & network.http.pipelining.maxrequests :int 16

5 - Wireless

- WAP Security Tips

1. Update the firmware on the AP and on all of the STAs.
2. Change the administrator's password to a very complex one that you can remember and/or document.
3. If the AP allows it, change the name of the administrator's account.
4. Disable DHCP on the LAN side of the AP and use Static IP addressing on the STAs.
5. Change the default IP address of the AP to something that will work for your STAs.
6. Use the strongest authentication and encryption that the AP and STAs can all use.
7. Turn off the broadcasting of the SSID in the Beacon frame.
8. Use a non-default SSID that identifies neither you, your business, your location, nor the location of the AP.
9. Place a space or two at the end of the SSID. (War Drivers will not see them)
10. Implement a MAC filter allowing only your STAs to connect.
11. Turn the transmit power down on the AP to just what is required for desired coverage.
12. Use a non-overlapping channel, preferably not channel 6.
13. Change your PHY to 5GHz if possible.
14. Use Anti-Spyware on your STAs.
15. Use a personal firewall on the STAs.
16. Use end point protection software if possible.
17. Install the AP in a physically safe location.
18. Do not disclose your configurations to others.
19. Limit the number of allowed associations to just your STAs.
20. When not in use, turn off the AP.
21. If there is a breach in security, change all security settings as soon as possible.
22. If you are unable to configure the AP securely, consult a trained and certified professional to do so on your behalf.

6 - DNS

- DNS Security Tips
  - Restrict zone transfers. Only the secondary servers should be allowed to transfer from the primary.
  - Log all zone transfer requests.
  - Disable recursion for external hosts; the only exceptions would be roaming hosts and trusted partners.
  - Restrict queries.
  - Restrict dynamic updates; only authorized hosts should be able to make updates.
  - Deploy split DNS: logically and physically separate internal and external address space.
  - TCP port 53 is required for more than just zone transfers; don't block it on your secondary servers.
  - A split-split DNS setup separates the resolving and advertising functions. It requires 6 DNS servers in total.
  - SRV and _msdcs records contain internal Active Directory naming information.
- Attacks
  - DNS Rebinding, "The Princeton Attack" - JavaScript (document.domain) and the same-origin policy allow the domain name to be modified.
  - DNS Pinning - sets the DNS TTL very low, and JavaScript forces another lookup with a bogus domain/IP pair. This allows users to be forced to scan their internal network, which the attacker cannot reach from outside due to IP restrictions.
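An added example (not from the original notes) of the resolver-side defence against the rebinding attack just described, in the spirit of the protection some forwarders ship (dnsmasq's --stop-dns-rebind is the well-known one): answers in which an external name resolves into private, loopback or link-local space are dropped, while names in your own internal zones (split DNS) are still allowed to; clamp_ttl shows the other half of the defence, refusing to honour the very low TTL the attack relies on. The zone names and addresses are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Ranges an *external* hostname should never resolve to. A public name that
# answers with one of these is the signature of a rebinding attempt: the
# attacker re-points their own domain at an address inside the victim's LAN.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this net"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

def is_internal(addr: str) -> bool:
    """True when addr falls in one of INTERNAL_NETWORKS (v4 and v6 aware)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)

def name_in_zone(name: str, zone: str) -> bool:
    """'host.corp.internal' is in zone 'corp.internal' (case and trailing-dot insensitive)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def filter_answer(qname: str, addresses: Iterable[str],
                  internal_zones: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split an A/AAAA answer into (kept, dropped).

    Names inside your own zones may legitimately resolve to internal space (that is
    what split DNS is for); for every other name, internal addresses are dropped."""
    if any(name_in_zone(qname, z) for z in internal_zones):
        return list(addresses), []
    kept, dropped = [], []
    for a in addresses:
        (dropped if is_internal(a) else kept).append(a)
    return kept, dropped

def clamp_ttl(ttl: int, floor: int = 60) -> int:
    """Pin answers for at least `floor` seconds; the attack needs a near-zero TTL so
    the second lookup (to the bogus internal IP) happens quickly."""
    return max(ttl, floor)

if __name__ == "__main__":
    # Constructed answers standing in for what a forwarder sees from upstream.
    zones = ["corp.internal"]
    for qname, ttl, answer in [
        ("intranet.corp.internal", 300, ["10.1.2.3"]),            # legitimate split DNS
        ("attacker.example", 1, ["203.0.113.5", "192.168.1.1"]),  # rebinding pattern
    ]:
        kept, dropped = filter_answer(qname, answer, zones)
        print(f"{qname}: keep {kept}, drop {dropped}, ttl {clamp_ttl(ttl)}")
```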
