Old Wiki

1 - Windows

- Unable to delete a registry key? Use the at command to schedule an interactive registry edit that runs with SYSTEM rights (an XP/2003-era trick; Session 0 isolation in Vista and later keeps the scheduled window off your desktop)
  ex. c:\> at 16:00 /interactive regedt32.exe
- Netstat Foo
  - C:\> netstat -na 1 | find "[Scan_Host_IP_Addr]" -- Watches for connections/scans (the trailing 1 re-runs the listing every second)
  - C:\> netstat -nao 1 | find "[Dest_IP_Addr]" -- Finds the PID generating the traffic (-o adds the owning PID column; map it to an image name with tasklist)
  - C:\> netstat -na 1 | find "4444" | find "ESTABLISHED" -- Reports when someone connects
- Get Your NetBIOS Name Codes http://www.cotse.com/nbcodes.htm
- PSTools Foo
  - Remote Shutdown > psexec \\RemotePC -u UserName -p Password shutdown -r -t 1
  - Remote Service Disabling > sc \\[RemotePC] config [ServiceName] start= disabled (sc requires the space after start=)
- MISC
  - LM Empty Hash AAD3B435B51404EEAAD3B435B51404EE
  - NTLM Empty Hash 31D6CFE0D16AE931B73C59D7E0C089C0
  - Find Resultant Set of Group Policy: rsop.msc
  - C:\> write notepad.exe:STR -- opens the alternate data stream named STR attached to notepad.exe in WordPad; a plain dir never shows streams, so list them with dir /r (Vista and later) or Sysinternals streams.exe
- Ping Sweeper
  - for /L %i in (1,1,255) do @ping -n 1 [subnet].%i | find "Reply"
- Auto NSlookup
  - for /L %i in (1,1,255) do @nslookup [subnet].%i 2>nul | find "Name" && @echo [subnet].%i
- Password Guesser
  - for /f %i in (password.lst) do @echo %i & @net use \\[ip] %i /u:[Username] 2>nul && pause
  - or, instead of the trailing pause: && echo UserName: %i >> success.txt
  - Check the lockout threshold first (net accounts, or net accounts /domain); a long list against a locked-out account only produces noise and a help-desk ticket.
- User and Password Guesser
  - for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j & net use \\[ip] %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\[ip] /del)
  - The net use /del after a hit matters: Windows refuses a second set of credentials to the same server (error 1219) until the first session is dropped.
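The three netstat one-liners above, reworked into parsing functions so they can be scripted and alerted on, as an added example that is not from the original wiki. The sample netstat -nao output below is constructed for the example, not a capture from a real host; on a Windows box pass in the real output (for instance subprocess.run(["netstat", "-nao"], capture_output=True, text=True).stdout) instead.

```python
import re

# Added example, not part of the original page. SAMPLE is constructed
# "netstat -nao" output: one listener, one reverse-shell-looking session on
# 4444, one HTTPS session, three half-open connections from a single scanner
# and one UDP socket (which has no state column).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49712         10.0.0.9:4444          ESTABLISHED     3120
  TCP    10.0.0.5:49720         203.0.113.7:443        ESTABLISHED     2276
  TCP    10.0.0.5:22            10.0.0.200:51000       SYN_RECEIVED    4
  TCP    10.0.0.5:23            10.0.0.200:51001       SYN_RECEIVED    4
  TCP    10.0.0.5:80            10.0.0.200:51002       SYN_RECEIVED    4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1204
"""

# proto, local, foreign, optional state (UDP rows have none), pid
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def _split(addr):
    """'10.0.0.9:4444' -> ('10.0.0.9', '4444'); '[::]:445' -> ('::', '445'); '*:*' -> ('*', '*')."""
    host, port = addr.rsplit(":", 1)
    return host.strip("[]"), port


def parse_netstat(text):
    """Turn netstat -nao output into a list of dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = _split(local)
        fhost, fport = _split(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def pids_talking_to(rows, ip):
    """netstat -nao 1 | find "[Dest_IP_Addr]": the PIDs owning sockets to that address."""
    return sorted({r["pid"] for r in rows if r["fhost"] == ip})


def established_on_port(rows, port):
    """netstat -na 1 | find "4444" | find "ESTABLISHED": live sessions on a port, either side."""
    p = str(port)
    return [r for r in rows if r["state"] == "ESTABLISHED" and p in (r["lport"], r["fport"])]


def scan_candidates(rows, min_ports=3):
    """The scan half of netstat -na 1 | find "[Scan_Host_IP_Addr]": remote hosts
    with half-open (SYN_RECEIVED) connections to at least min_ports distinct local ports."""
    ports = {}
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "SYN_RECEIVED":
            ports.setdefault(r["fhost"], set()).add(r["lport"])
    return {host: len(p) for host, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("PIDs talking to 10.0.0.9:", pids_talking_to(rows, "10.0.0.9"))
    print("established on 4444:", [(r["fhost"], r["pid"]) for r in established_on_port(rows, 4444)])
    print("scan candidates:", scan_candidates(rows))
```

Wrap the three checks in a loop with a sleep and you have the 1-second polling of the originals, with the advantage that a PID can be looked up and the process killed from the same script.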

2 - *NIX

- Escaping wildcards in grep/egrep > grep ' 10\.0\.0\.1 ' or > egrep ' 10\.0\.0\.[0-9]+ ' (an unescaped dot matches any character, and the surrounding spaces stop 10.0.0.1 from also matching 10.0.0.10 or 110.0.0.1)
- Finding Big Files for Deletion > find / -xdev -type f -size +1000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }' (-xdev keeps find on one filesystem; the awk column split breaks on file names containing spaces)
- Total unique lines and sort > grep whatever somefile | sort | uniq -c | sort -rn (the n makes sort compare the counts numerically; a plain sort -r compares them as strings and puts 9 above 10)
- WGETIE > alias wgetie='wget -U '\''Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'\''' (fetch with an IE 6 User-Agent instead of wget's own)
- Stop overwriting files
  - in .bashrc > set -o noclobber (> then refuses to overwrite an existing file; >| overrides it for one command)
  - set immutable bit > chattr +i [file] (needs root; the file cannot be modified, deleted or renamed until chattr -i)

3 - Security

Quotes
Spafford's first principle of security administration. This principle states that 'if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong'.

"[S]ystem vulnerabilities do not result from immutable physical laws. They occur because of a gap between theory and practice. In theory, a system should do only what its designers and operators want it to. In practice, it does exactly what its code (and settings) tells it to" - Air Force

“Freedom, Security, Convenience: Choose Two” - Dan Geer

Didier Stevens' Safe Website Analysis
1 - Make a working directory: "mkdir _"
2 - cd into the working directory
3 - echo "hxxp://something" > 01.url (hxxp is the defanged notation used in notes; wget does not understand it, so the file you feed wget has to contain the real http URL)
4 - wgetie -d -o 02.log -i 01.url (debug output to 02.log, URL list read from 01.url)
5 - review the log for 200 OK and data
6 - review the file for malicious traits, rename it to 03..html.vir if confirmed (the .vir suffix keeps a stray double-click from opening it in a browser)
7 - run "extractscripts.py 03..html.vir"
8 - rename the output to 04.script.1 and review the file
9 - deobfuscate with SpiderMonkey: "js 04.script.1" (a standalone JS engine, never a browser)
10 - rename the output files
11 - review the logs for binaries or other downloads
12 - download the binaries: "wgetie -d -o 08.log -i 07.url"
13 - review the log for 200 OK and data, rename the file
14 - pecheck.py 09..exe > 10..exe.pecheck
15 - check section entropy for packing, the other PE info, and possibly a hash search
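Steps 14 and 15 as code, added here and not part of Didier Stevens' workflow or his tools: Shannon entropy per section to spot packing, plus the digests you would feed to a hash search. The sections below are constructed byte strings standing in for what a PE parser such as pefile returns from a real sample, and the 7.0 bits-per-byte threshold is an assumption (compressed or encrypted data sits close to 8.0, native code usually well below).

```python
import hashlib
import math
import random
from collections import Counter

# Added example, not from the original page or from pecheck.py: the entropy
# and hash checks of step 15 over a constructed set of PE sections.

PACKED_THRESHOLD = 7.0  # bits per byte; assumption, see lead-in


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """High entropy is the usual tell for UPX/ASPack-style packing or an encrypted payload."""
    return shannon_entropy(data) >= threshold


def hashes(data: bytes) -> dict:
    """Digests to look up in a hash database (VirusTotal, NSRL, an internal IOC list)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def section_report(sections: dict) -> list:
    """One (name, size, entropy, packed?) tuple per section, in input order."""
    return [(name, len(raw), round(shannon_entropy(raw), 2), looks_packed(raw))
            for name, raw in sections.items()]


def suspicious_sections(sections: dict) -> list:
    """Names of the sections whose entropy suggests packing or encryption."""
    return [name for name, raw in sections.items() if looks_packed(raw)]


# Constructed sample sections. With pefile the dict would come from
# {s.Name.rstrip(b"\0").decode(): s.get_data() for s in pe.sections}.
_rng = random.Random(1234)
SAMPLE_SECTIONS = {
    # repetitive x86 prologue bytes: low entropy, like ordinary compiled code
    ".text": bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56,
                    0x57, 0x8B, 0x7D, 0x08]) * 300,
    ".data": b"\x00" * 2048,                                  # zero-filled: entropy 0
    "UPX1": bytes(_rng.getrandbits(8) for _ in range(4096)),  # pseudo-random, as packed code looks
}

if __name__ == "__main__":
    for name, size, ent, packed in section_report(SAMPLE_SECTIONS):
        print(f"{name:8} {size:6d} bytes  entropy {ent:.2f}  {'PACKED?' if packed else ''}")
    whole = b"".join(SAMPLE_SECTIONS.values())
    for algo, digest in hashes(whole).items():
        print(f"{algo}: {digest}")
```

A section name like UPX1 already gives the game away, but packers are routinely renamed; the entropy number is the check that survives that, and a near-empty .text next to a high-entropy section is the classic unpack-at-runtime layout.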

4 - Browsers

- Firefox Hacks (about:config entries from the Firefox 2/3 era; HTTP pipelining and its network.http.pipelining prefs were removed in Firefox 54)
- Render pages faster > nglayout.initialpaint.delay :int 0-50
- Reduce reflows > content.notify.interval :int 500000<>1000000 & content.notify.ontimer :bool true
- Search tool results in a new tab > browser.search.openintab :bool true
- Increase HTTP connections > network.http.max-connections :int 32
- Increase connections per server > network.http.max-connections-per-server :int 16
- Increase persistent connections > network.http.max-persistent-connections-per-server :int 8
- Reduce the delay before a request is sent on a persistent connection > network.http.request.max-start-delay :int 0
- Activate pipelining > network.http.pipelining :bool true & network.http.pipelining.maxrequests :int 16

5 - Wireless

- WAP Security Tips

1. Update the firmware on the AP and on all of the STAs.

2. Change the administrator's password to a very complex one that you can remember and/or document.

3. If the AP allows you to do so, change the name of the administrator's account.

4. Disable DHCP on the LAN side of the AP and use Static IP addressing on the STAs.

5. Change the default IP address of the AP to something that will work for your STAs.

6. Use the strongest authentication and encryption that the AP and STAs can all use (WPA2 or WPA3 with AES; WEP and WPA/TKIP are broken and count as no encryption).

7. Turn off the broadcasting of the SSID in the Beacon frame. (Obscurity only: the SSID still travels in the clear in probe and association frames, so a sniffer recovers it as soon as a STA connects.)

8. Use a non default SSID that neither identifies you, your business, your location, or the location of the AP.

9. Place a space or two at the end of the SSID. (War drivers will not see them, although the spaces are part of the SSID bytes on the air and any tool that shows raw frames will.)

10. Implement a MAC filter allowing only your STAs to connect. (MAC addresses are sent unencrypted and are trivially cloned, so this raises the bar for casual users only, not for an attacker.)

11. Turn the transmit power down on the AP to just what is required for desired coverage.

12. Use a non-overlapping channel, preferably not channel 6.

13. Change your PHY to 5GHz if possible.

14. Use Anti-Spyware on your STAs.

15. Use a personal firewall on the STAs.

16. Use end point protection software if possible.

17. Install the AP in a physically safe location.

18. Do not disclose your configurations to others.

19. Limit the number of allowed associations to just your STAs.

20. When not in use, turn off the AP.

21. If there is a breach in security, change all security settings as soon as possible.

22. If you are unable to configure the AP securely, consult a trained and certified professional to do so on your behalf.

6 - DNS

- DNS Security Tips
  - Restrict zone transfers: only the secondary servers should be allowed to transfer from the primary (and sign the transfers with TSIG where the software supports it).
  - Log all zone transfer requests.
  - Disable recursion for external hosts; the only exceptions are roaming hosts and trusted partners (an open recursive resolver is also an amplification and cache-poisoning target).
  - Restrict queries.
  - Restrict dynamic updates; only authorized hosts should be able to make updates.
  - Deploy split DNS: logically and physically separate the internal and external address space.
  - TCP port 53 is required for more than just zone transfers (any response that does not fit in a UDP packet is truncated and retried over TCP), so don't block it on your secondary servers.
  - A split-split DNS setup separates the resolving and advertising functions. It requires 6 DNS servers in total.
  - SRV and _msdcs records contain internal Active Directory naming information and must never appear in the external view.
- Attacks
  -- DNS Rebinding ("The Princeton Attack"): the same-origin policy keys on the host name, not the IP address it resolves to, so script loaded from attacker.example stays same-origin even when that name later resolves to a different address (document.domain relaxation only widens this).
  -- Low TTL (defeating DNS pinning): the attacker serves records with a very low TTL; once the page has loaded, the script forces another lookup and the name now resolves to a bogus domain/IP pair pointing into the victim's LAN. The victim's browser is thereby made to scan and reach the internal network, which the attacker cannot reach from outside because of IP restrictions. DNS pinning (the browser keeping the first resolved IP for the life of the page) is the browser-side defence; on the resolver side, refuse to return private addresses for external names.
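The rebinding sequence above, together with the two defences against it (a resolver that refuses private addresses for external names, and a browser that pins the first IP), as an added example that is not from the original page. The Answer record layout, the INTERNAL_ZONES list and the MIN_TTL floor are assumptions made for the example; the answers in REBIND_SEQUENCE are constructed to act out the attack.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the original page. Two defences against DNS
# rebinding: a resolver-side filter (the idea behind dnsmasq's
# --stop-dns-rebind and unbound's private-address) and browser-side pinning.
# Record layout, INTERNAL_ZONES and MIN_TTL are assumptions for the example.


@dataclass
class Answer:
    name: str    # owner name, e.g. "attacker.example."
    rtype: str   # "A" or "AAAA"
    ttl: int
    rdata: str   # address as text


# Assumption: only these zones may legitimately resolve to private address space.
INTERNAL_ZONES = ("corp.example.", "localhost.")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96")]
MIN_TTL = 60  # assumption: a TTL below this on an external name is worth logging


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def in_internal_zone(name: str) -> bool:
    n = name.lower().rstrip(".") + "."
    return any(n == z or n.endswith("." + z) for z in INTERNAL_ZONES)


def filter_answers(answers):
    """Resolver view: drop A/AAAA records that point an external name at an
    internal address. Returns (kept, dropped) with a reason per dropped record."""
    kept, dropped = [], []
    for a in answers:
        if a.rtype in ("A", "AAAA") and is_private(a.rdata) and not in_internal_zone(a.name):
            dropped.append((a, "private address for external name: possible rebinding"))
        else:
            kept.append(a)
    return kept, dropped


def low_ttl(answers, floor=MIN_TTL):
    """External names whose TTL is so short the browser will re-resolve mid-session."""
    return [a for a in answers if a.ttl < floor and not in_internal_zone(a.name)]


class PinningCache:
    """Browser view (DNS pinning): keep the first address seen for a host for the
    life of the page and ignore later answers, whatever their TTL, so the
    origin's host name cannot be moved onto another IP."""

    def __init__(self):
        self._pins = {}

    def resolve(self, fresh: Answer) -> str:
        key = fresh.name.lower().rstrip(".")
        return self._pins.setdefault(key, fresh.rdata)


# Constructed answers acting out the attack: TTL 1 on the attacker's name, first
# resolving to the attacker's real host, then into the victim's LAN.
REBIND_SEQUENCE = [
    Answer("attacker.example.", "A", 1, "203.0.113.10"),
    Answer("attacker.example.", "A", 1, "10.0.0.5"),
    Answer("attacker.example.", "AAAA", 1, "::ffff:192.168.1.1"),
    Answer("intranet.corp.example.", "A", 3600, "10.1.2.3"),   # legitimate internal name
]

if __name__ == "__main__":
    kept, dropped = filter_answers(REBIND_SEQUENCE)
    for a, why in dropped:
        print(f"DROP {a.name} {a.rtype} {a.rdata} ttl={a.ttl}: {why}")
    for a in low_ttl(REBIND_SEQUENCE):
        print(f"LOW TTL {a.name} ttl={a.ttl}")
    pins = PinningCache()
    for a in REBIND_SEQUENCE[:2]:
        print(f"browser keeps using {pins.resolve(a)} for {a.name}")
```

The IPv4-mapped IPv6 range (::ffff:0:0/96) is in the list on purpose: a filter that only knows 10/8 and 192.168/16 lets ::ffff:192.168.1.1 straight through, and the browser will happily connect to it.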
