
Showing posts from 2006

Old Wiki

1 - Windows

- Unable to delete registry key?
  - Use the at command to schedule an interactive registry edit with SYSTEM rights (works through Windows XP/2003; session 0 isolation on Vista and later keeps the /interactive window from reaching your desktop)
    ex. c:\> at 16:00 /interactive regedt32.exe
- Netstat Foo
  - C:\> netstat -na 1 | find "[Scan_Host_IP_Addr]" -- Watches for connections/scans from a host, refreshing every second
  - C:\> netstat -nao 1 | find "[Dest_IP_Addr]" -- Finds the PID generating the traffic (-o adds the owning PID column)
  - C:\> netstat -na 1 | find "4444" | find "ESTABLISHED" -- Reports when someone connects to the listener on 4444 (find matches the string anywhere on the line, so confirm it is the port column)
  - Get Your Netbios Name Codes http://www.cotse.com/nbcodes.htm
- PSTools Foo
  - Remote Shutdown - psexec \\RemotePC -u UserName -p Password shutdown -r -t 1
  - Remote Service Disabling - sc \\[RemotePC] config [ServiceName] start= disabled (sc requires the space after start=)
- MISC
  - LM Empty Hash AAD3B435B51404EEAAD3B435B51404EE (LM hash of an empty password; also what fills the LM field when LM hashes are not stored)
  - NTLM Empty Hash 31D6CFE0D16AE931B73C59D7E0C089C0 (NT hash, i.e. MD4 of the empty UTF-16LE password; an account with this hash has no password set)
  - Find Resultant Set of Group Policy, rsop.msc
  - C:\> write notepad.exe:STR -- opens the alternate data stream STR attached to notepad.exe in WordPad, a quick way to create or read an ADS
- Ping Sweeper
  - for /L %i in (1,1,255) do @ping -n 1 .%i | fi…
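The three netstat one-liners above each pipe through find, which matches the search string anywhere on the line (an IP fragment, a PID, or another port that happens to contain "4444"). As an added example, not part of the original wiki, the following Python parses netstat -nao output into records and answers the same three questions against the right columns. The sample output is constructed for this example, not a real capture; the helper names are this example's own.

```python
from collections import namedtuple

# Constructed sample of `netstat -nao` output (made up for this example, not a capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.10:4444      203.0.113.7:51612      ESTABLISHED     2316
  TCP    192.168.1.10:49712     198.51.100.20:443      ESTABLISHED     1540
  TCP    192.168.1.10:445       203.0.113.7:51700      SYN_RECEIVED    4
  TCP    [::]:3389              [::]:0                 LISTENING       1208
  UDP    0.0.0.0:500            *:*                                    1104
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")


def _split_endpoint(ep):
    """Split 'ip:port' (IPv4, bracketed IPv6, or '*:*') into (ip, port or None)."""
    ip, _, port = ep.rpartition(":")
    return ip, (None if port == "*" else int(port))


def parse_netstat(text):
    """Turn `netstat -nao` text into Conn records, skipping headers and blank lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = _split_endpoint(parts[1])
        rip, rport = _split_endpoint(parts[2])
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                      # UDP rows have no State column
            state, pid = "", int(parts[3])
        conns.append(Conn(parts[0], lip, lport, rip, rport, state, pid))
    return conns


def peers_matching(conns, ip):
    """netstat -na | find "[Scan_Host_IP_Addr]": every socket involving that remote host."""
    return [c for c in conns if c.remote_ip == ip]


def pids_talking_to(conns, dest_ip):
    """netstat -nao | find "[Dest_IP_Addr]": the PIDs that own a socket to the destination."""
    return sorted({c.pid for c in conns if c.remote_ip == dest_ip})


def established_on(conns, local_port):
    """netstat -na | find "4444" | find "ESTABLISHED": who is connected to our listener."""
    return [c for c in conns
            if c.proto == "TCP" and c.local_port == local_port and c.state == "ESTABLISHED"]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in established_on(conns, 4444):
        print(f"PID {c.pid}: {c.remote_ip}:{c.remote_port} -> local :{c.local_port}")
    print("PIDs talking to 203.0.113.7:", pids_talking_to(conns, "203.0.113.7"))
```

To watch live, wrap parse_netstat around subprocess.run(["netstat", "-nao"]) in a one-second loop, which is what the trailing "1" does in the original commands.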

SANS - Hacker Track

SANS Track 4 Notes, Comments



Day 1 – Incident Handling

Sample Incident forms are available @ http://www.sans.org/incidentforms/

GIAC practicals are available @ http://www.giac.org/GCIH.php and contain good working examples

Protect evidence: get the user away from the machine as soon as possible so it stays unchanged until you can image the drive. Keep the original in a safe place and maintain the chain of custody.

Verify backup integrity to ensure you are not restoring a compromised image.

The six steps of incident handling: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

Keep up to date on privacy laws; European laws are radically different from US laws.

An IDS, depending on the vendor, may be able to monitor encrypted VPN traffic.
Always strive to raise security awareness with management.

Honeynet: for training purposes it may be useful to set up a vulnerable system and intentionally let it be compromised, to develop the team's investigative skills.

Nice Trojan Port list http://www.dark-e.com/archive/tr…

Hacking Exposed Notes


Footprinting – profiling an organization's Internet, intranet, remote access, and extranet presence to determine its security posture and netblocks

Website Pilfering – grabbing source code to analyze offline

Unix – Wget http://www.gnu.org/software/wget/wget.html

Win – Teleport Pro http://www.tenmax.com/teleport/home.htm

Search Engines – tools for searching multiple engines, IRC, email, etc at once

Win – FerretPRO($) http://www.ferretsoft.com

Web – DogPile http://www.dogpile.com

Registered Networks – internet whois searches

Current Registrars http://www.internic.net/alpha.html

Unix – Whois, Xwhois http://c64.org/~nr/xwhois/

Unix - $ whois "acme."@whois.crsnic.net (list possible domains)

Unix - $ whois "HANDLE JS1234"@whois.networksolutions.com (list POC info)

Unix - $ whois "@acme.net"@whois.networksolutions.com (list email info)

Web – US http://www.arin.net

Web – International http://www.allwhois.com

Web – US Military http://whois.nic.mil

Web – US Gov http://whois.nic.gov

DNS Interogati…