1 - Windows
- - Unable to delete registry key?
- Use the at command to schedule an interactive registry edit with SYSTEM rights
ex. c:\> at 16:00 /interactive regedt32.exe
- - Netstat Foo
- - C:\> netstat -na 1 | find "[Scan_Host_IP_Addr]" -- Watches for connections/scans
- - C:\> netstat -nao 1 | find "[Dest_IP_Addr]" -- Finds the PID generating the traffic
- - C:\> netstat -na 1 | find "4444" | find "ESTABLISHED" -- Reports when someone connects
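The three netstat one-liners above all do the same thing by eye: poll netstat, pick out the rows that matter, and notice when a new one appears. The script below is an added example (not from the original notes) that does the same over a parsed snapshot instead of a `find` pipe: it parses Windows `netstat -nao` output, lists ESTABLISHED connections on a listener port, finds the PIDs talking to a given destination address, and diffs two snapshots to report newly established connections. The sample netstat text is constructed for the example; `snapshot_from_system()` assumes a Windows netstat and is not exercised by the sample.

```python
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of 'netstat -nao' output (Windows format), not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:4444      10.0.0.5:51234         ESTABLISHED     4120
  TCP    192.168.1.10:49712     203.0.113.7:443        ESTABLISHED     2288
  TCP    192.168.1.10:49713     10.0.0.5:445           SYN_SENT        4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1304
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str          # empty for UDP rows, which carry no state column
    pid: int


def split_endpoint(endpoint: str):
    """'192.168.1.10:4444' -> ('192.168.1.10', 4444); '[::]:445' -> ('::', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    """Parse the table rows of Windows 'netstat -nao'; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # tolerate rows netstat printed without a PID column
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def established_on_port(conns: List[Conn], port: int) -> List[Conn]:
    """'netstat -na 1 | find "4444" | find "ESTABLISHED"': who is connected to our listener on 'port'."""
    return [c for c in conns if c.proto == "TCP" and c.state == "ESTABLISHED" and c.local_port == port]


def pids_talking_to(conns: List[Conn], ip: str) -> List[int]:
    """'netstat -nao 1 | find "[Dest_IP_Addr]"': which PIDs have a socket pointed at 'ip'."""
    return sorted({c.pid for c in conns if c.remote_ip == ip})


def new_connections(before: List[Conn], after: List[Conn]) -> List[Conn]:
    """Connections ESTABLISHED in 'after' that were not present in 'before' (the 1-second poll, diffed)."""
    seen = set(before)
    return [c for c in after if c.state == "ESTABLISHED" and c not in seen]


def snapshot_from_system() -> List[Conn]:
    """Run the real command on a Windows host (assumption: 'netstat -nao' is available)."""
    out = subprocess.run(["netstat", "-nao"], capture_output=True, text=True, check=True).stdout
    return parse_netstat(out)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in established_on_port(conns, 4444):
        print(f"listener 4444: {c.remote_ip}:{c.remote_port} -> PID {c.pid}")
    print("PIDs with sockets to 10.0.0.5:", pids_talking_to(conns, "10.0.0.5"))
```

The dataclass is frozen so snapshots can be placed in a set; that is what makes the poll-and-diff cheap enough to run every second, which is the whole point of the `netstat -na 1` form.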
- - Get Your Netbios Name Codes http://www.cotse.com/nbcodes.htm
- - PSTools Foo
- - Remote Shutdown > psexec \\RemotePC -u UserName -p Password shutdown -r -t 1
- - Remote Service Disabling - sc \\[RemotePC] config [ServiceName] start= disabled
- - MISC
- - LM Empty Hash AAD3B435B51404EEAAD3B435B51404EE
- - NTLM Empty Hash 31D6CFE0D16AE931B73C59D7E0C089C0
- - Find Resultant Set of Group Policy, rsop.msc
- - C:\> write notepad.exe:STR -- opens the alternate data stream (ADS) named STR that is attached to notepad.exe
- - Ping Sweeper
- - for /L %i in (1,1,255) do @ping -n 1 [Subnet].%i | find "Reply"
- - Auto NSlookup
- - for /L %i in (1,1,255) do @nslookup [Subnet].%i 2>nul | find "Name" && @echo [Subnet].%i
- - Password Guesser
- - for /f %i in (password.lst) do @echo %i & @net use \\[ip] %i /u:[Username] 2>nul && pause
- - or && echo UserName: %i >> success.txt
- - User and Password Guesser
- - for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j & net use \\[ip] %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\[ip] /del)
2 - *NIX
- Escaping regex metacharacters (the dots in an IP) in grep/egrep > grep ' 10\.0\.0\.1 ' or > egrep ' 10\.0\.0\.[0-9]+ '
- Finding Big Files for Deletion > find / -xdev -type f -size +1000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'
- Total unique lines and sort > grep whatever somefile | sort | uniq -c | sort -r
- WGETIE (wget with an IE user agent) > alias wgetie='wget -U '\''Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'\'''
- Stop overwriting files
- in .bashrc> set -o noclobber
- set immutable bit> chattr +i [file]
3 - Security
Quotes
Spafford's first principle of security administration. This principle states that 'if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong'.
"[S]ystem vulnerabilities do not result from immutable physical laws. They occur because of a gap between theory and practice. In theory, a system should do only what its designers and operators want it to. In practice, it does exactly what its code (and settings) tells it to" - Air Force
“Freedom, Security, Convenience: Choose Two” - Dan Geer
Didier Stevens' Safe Website Analysis
1 - Make working directory "mkdir_"
2 - cd into working directory
3 - echo "hxxp://something" > 01.url
4 - wgetie -d -o 02.log -i 01.url
5 - review log for 200 OK and data
6 - review file for malicious traits, rename to 03..html.vir if confirmed
7 - run "extractscripts.py 03..html.vir"
8 - rename to 04.script.1 and review file
9 - deobfuscate with spidermonkey "js 04.script.1"
10- rename output files
11- review logs for binaries or other downloads
12- download the binaries "wgetie -d -o 08.log -i 07.url"
13- review log for 200 OK and data, rename the file
14- pecheck.py 09..exe > 10..exe.pecheck
15- Check the entropy of the file and its sections for signs of packing, review the other PE info, and possibly search on the file hashes
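Step 15 is the one most often done by hand. The code below is an added example, not Didier Stevens' pecheck.py and not part of the original notes, showing what that step measures: it reads the PE section table, computes the Shannon entropy of each section's raw data, flags sections that look packed or encrypted, and records the file hashes for a later hash search. The 7.0 bits-per-byte threshold and the short list of packer section names are this example's heuristics, not values from the notes; the PE blob is built inline from constructed section data so the example runs without a sample binary.

```python
import hashlib
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0                                  # heuristic (assumption of this example)
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".packed"}  # a few names seen on packed files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Hashes to search on (step 15's 'hash search')."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_sections(data: bytes):
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns [(name, raw_bytes)] using SizeOfRawData/PointerToRawData of each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        raw_name, _vsize, _rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def analyze_pe(data: bytes) -> dict:
    """Per-section entropy plus a packed/not-packed verdict and the file hashes."""
    report = {"hashes": file_hashes(data), "sections": [], "likely_packed": False}
    for name, body in pe_sections(data):
        ent = shannon_entropy(body)
        suspicious = ent > PACKED_THRESHOLD or name in PACKER_SECTION_NAMES
        report["sections"].append({"name": name, "size": len(body),
                                   "entropy": round(ent, 3), "suspicious": suspicious})
        report["likely_packed"] = report["likely_packed"] or suspicious
    return report


def build_test_pe(sections) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with no optional header,
    then a section table. Only the fields pe_sections() reads are meaningful; it will not run."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr, rva, table, bodies = 64 + 4 + 20 + 40 * len(sections), 0x1000, b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(body), rva, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(body)
        rva += 0x1000
        bodies += body
    return dos + b"PE\0\0" + coff + table + bodies


_rng = random.Random(1)   # deterministic pseudo-random bytes standing in for packed/encrypted data
SAMPLE_PE = build_test_pe([
    (".text", b"\x55\x8b\xec" + b"\x90" * 509),                  # mostly NOPs: very low entropy
    (".data", b"Hello, analyst. " * 32),                          # plain text: moderate entropy
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),    # looks packed: near 8 bits/byte
])

if __name__ == "__main__":
    r = analyze_pe(SAMPLE_PE)
    for s in r["sections"]:
        print(f'{s["name"]:8} {s["size"]:6} bytes  entropy={s["entropy"]:.3f}  suspicious={s["suspicious"]}')
    print("likely packed:", r["likely_packed"], " sha256:", r["hashes"]["sha256"])
```

Compressed and encrypted data both sit near 8 bits per byte, so high entropy says "packed or encrypted", not which; the section name and the size of the import table are what you look at next.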
4 - Browsers
- Firefox Hacks
- Render pages faster > nglayout.initialpaint.delay :int 0-50
- Reduce Reflows > content.notify.interval :int 500000 to 1000000 & content.notify.ontimer :bool true
- Search Tool results in new tab > browser.search.openintab :bool true
- Increase http connections > network.http.max-connections :int 32
- Increase server connections > network.http.max-connections-per-server :int 16
- Increase persistent connections > network.http.max-persistent-connections-per-server :int 8
- Reduce interval for persistent connections > network.http.request.max-start-delay :int 0
- Activate pipelining > network.http.pipelining :bool true & network.http.pipelining.maxrequests :int 16
5 - Wireless
- WAP Security Tips
1. Update the firmware on the AP and on all of the STAs.
2. Change the administrator's password to a very complex one that you can remember and/or document.
3. If the AP allows you to do so, change the name of the administrator's account.
4. Disable DHCP on the LAN side of the AP and use Static IP addressing on the STAs.
5. Change the default IP address of the AP to something that will work for your STAs.
6. Use the strongest authentication and encryption that the AP and STAs can all use.
7. Turn off the broadcasting of the SSID in the Beacon frame.
8. Use a non-default SSID that identifies neither you, your business, your location, nor the location of the AP.
9. Place a space or two at the end of the SSID. (War Drivers will not see them)
10. Implement a MAC filter allowing only your STAs to connect.
11. Turn the transmit power down on the AP to just what is required for desired coverage.
12. Use a non-overlapping channel, preferably not channel 6.
13. Change your PHY to 5GHz if possible.
14. Use Anti-Spyware on your STAs.
15. Use a personal firewall on the STAs.
16. Use end point protection software if possible.
17. Install the AP in a physically safe location.
18. Do not disclose your configurations to others.
19. Limit the number of allowed associations to just your STAs.
20. When not in use, turn off the AP.
21. If there is a breach in security, change all security settings as soon as possible.
22. If you are unable to configure the AP securely, consult a trained and certified professional to do so on your behalf.
6 - DNS
- DNS Security Tips
- Restrict Zone Transfers. Only the Secondary server should be allowed to transfer from the Primary.
- Log all Zone Transfer requests
- Disable Recursion for external hosts; the only exceptions would be roaming hosts and trusted partners.
- Restrict Queries
- Restrict dynamic updates; only authorized hosts should be able to make updates.
- Deploy Split DNS, logically and physically separate internal and external address space.
- TCP Port 53 is required for more than just zone transfers; don't block it on your secondary servers.
- Split-Split DNS setup separates Resolving and Advertising functions. Requires 6 total DNS servers.
- SRV and _msdcs records contain internal Active Directory naming information
- Attacks -- DNS Rebinding "The Princeton Attack" - javascript (document.domain) and same-origin policy allow for domain name to be modified
-- DNS Pinning - sets the DNS TTL very low, and JavaScript forces another lookup with a bogus domain/IP pair. This allows users to be forced to scan their internal network, which the attacker cannot reach from outside due to IP restrictions.
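The first six DNS tips map onto a handful of BIND `options` statements, and the mistakes are usually visible in named.conf. The script below is an added example (not from the original notes) with a weak configuration beside a hardened one and a small audit that reads the `options` block and reports the tips it violates: zone transfers open to `any`, dynamic updates open to `any`, recursion offered to everyone, no explicit query policy, and no logging of transfers. Both named.conf fragments are constructed for the example; the ACL names and log paths in them are assumptions, and the audit only checks what is written, not what a given BIND version defaults to.

```python
import re
from typing import Dict, List, Tuple

# Constructed named.conf fragments (examples, not taken from any real server).
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
    allow-update { any; };
};
"""

HARDENED_NAMED_CONF = """
acl "secondaries" { 192.0.2.53; 198.51.100.53; };
acl "internal"    { 10.0.0.0/8; localhost; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };      // recurse only for our own hosts
    allow-query     { any; };           // advertising server: answer everyone for our zones
    allow-transfer  { secondaries; };   // only the secondaries may pull the zone
    allow-update    { none; };          // no dynamic updates on this server
};

logging {
    channel xfer_log { file "/var/log/named/xfer.log"; severity info; print-time yes; };
    category xfer-out { xfer_log; };    // every transfer we serve is logged
    category xfer-in  { xfer_log; };    // every transfer we pull is logged
};
"""


def parse_options(conf: str) -> Dict[str, List[str]]:
    """Return {statement: [values]} for the options block; 'recursion yes;' becomes ['yes']."""
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    if not m:
        raise ValueError("no options block found")
    body = re.sub(r"//[^\n]*", "", m.group(1))       # drop // comments
    stmts: Dict[str, List[str]] = {}
    for key, vals in re.findall(r"([\w-]+)\s*\{([^}]*)\};", body):
        stmts[key] = [v.strip() for v in vals.split(";") if v.strip()]
    for key, val in re.findall(r"([\w-]+)\s+([^{;\s]+);", body):
        stmts.setdefault(key, [val.strip('"')])
    return stmts


def audit_named_conf(conf: str) -> List[Tuple[str, str]]:
    """Findings as (id, advice) pairs, one per violated tip."""
    opts = parse_options(conf)
    findings = []
    xfer = opts.get("allow-transfer")
    if xfer is None or "any" in xfer:
        findings.append(("xfer", "allow-transfer: restrict zone transfers to the secondaries (ACL or none)"))
    if "any" in opts.get("allow-update", []):
        findings.append(("update", "allow-update: only authorized hosts should be able to update"))
    if opts.get("recursion", ["yes"]) == ["yes"]:
        recursors = opts.get("allow-recursion")
        if recursors is None or "any" in recursors:
            findings.append(("recursion", "recursion is on for everyone: set recursion no or allow-recursion { internal; }"))
    if "allow-query" not in opts:
        findings.append(("query", "allow-query: state the query policy explicitly"))
    if not re.search(r"category\s+xfer-out", conf):
        findings.append(("xfer-log", "logging: add a channel and 'category xfer-out' to log transfer requests"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(f"== {label}: {len(audit_named_conf(conf))} finding(s)")
        for fid, advice in audit_named_conf(conf):
            print(f"  [{fid}] {advice}")
```

The audit is deliberately literal: a statement that is absent is reported as absent rather than assumed safe, because the safe default differs between BIND releases and the tip is to state the policy, not to rely on it.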