Friday, December 1, 2017

OpenVAS configuration

OpenVAS http://openvas.org/ is an open-source security scanner.  The instructions below cover how to configure the application within Kali Linux.

The following commands are used once Kali Linux is installed and updated.

apt-get install openvas
openvas-setup
openvas-start
https://127.0.0.1:9392

Once the initial configuration is completed, a default initial password should be displayed.  Start the required services and log in via the web interface to set a new password value under Administration -> Users.  The default user name is admin.

Log into the web interface of the OpenVAS service and use the Feed Status menu option under Extras tab to verify the local databases are current.
 
To update the NVT feed via a terminal session, use the command greenbone-nvt-sync.  The commands to update the other databases would be greenbone-scapdata-sync and greenbone-certdata-sync.

View local root certificates within Windows using PowerShell

The local root certificate entries can be viewed within Windows using PowerShell.

ls CERT:\CurrentUser\AuthRoot

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("root","LocalMachine")
$store.Open("ReadOnly")
$store.certificates | select ThumbPrint,FriendlyName,NotAfter

A script is available at https://isc.sans.edu/forums/diary/Keep+An+Eye+on+your+Root+Certificates/23030/ to compare hashes to a previous dump.
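As an added example (not the ISC diary script and not code from the original post), the block below inventories the LocalMachine Root and AuthRoot stores by thumbprint, writes a baseline on first run, and on later runs reports any root certificate that was added or removed since the baseline. The baseline path C:\Temp\rootcerts-baseline.csv is an assumed, hypothetical location.

```powershell
# Added example, not from the original post: baseline the trusted root stores
# and report drift (added or removed roots) against that baseline.
# Assumes the hypothetical baseline path C:\Temp\rootcerts-baseline.csv.

function Get-RootCertInventory {
    # Both stores that feed the machine's trust anchors: Root (installed/GPO) and
    # AuthRoot (Microsoft Trusted Root Program roots delivered by Windows Update).
    $stores = @('Root', 'AuthRoot')
    foreach ($name in $stores) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
        $store.Open('ReadOnly')
        foreach ($cert in $store.Certificates) {
            [pscustomobject]@{
                Store      = $name
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
            }
        }
        $store.Close()
    }
}

function Compare-RootCertInventory {
    param(
        [Parameter(Mandatory)] [string] $BaselinePath
    )
    $current = @(Get-RootCertInventory)
    if (-not (Test-Path $BaselinePath)) {
        # First run: record the baseline and stop.
        $current | Export-Csv -NoTypeInformation -Path $BaselinePath
        Write-Output "Baseline written to $BaselinePath ($($current.Count) certificates)."
        return
    }
    $baseline = @(Import-Csv -Path $BaselinePath)
    # Key on store + thumbprint so a root that appears in a different store is reported too.
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Store, Thumbprint -PassThru
    foreach ($entry in $diff) {
        $change = if ($entry.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        [pscustomobject]@{
            Change     = $change
            Store      = $entry.Store
            Thumbprint = $entry.Thumbprint
            Subject    = $entry.Subject
        }
    }
}

Compare-RootCertInventory -BaselinePath 'C:\Temp\rootcerts-baseline.csv' | Format-Table -AutoSize
```

An ADDED root that was not pushed by Windows Update or Group Policy is the case worth investigating, since it lets whoever holds its private key issue certificates the machine will trust.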

Quad9 DNS Service

The Global Cyber Alliance (GCA) has partnered with IBM and Packet Clearing House to launch a free public Domain Name Service system. The system is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts. The service is named Quad9 and it will not return name resolutions for sites that are identified via threat feeds the service aggregates daily.  The DNS IPv4 number is 9.9.9.9.

https://www.globalcyberalliance.org/initiatives/quad9.html

https://quad9.net/

Lingering Object Liquidator for Active Directory

Lingering objects are objects in AD that have been created, replicated, deleted, and then garbage collected on at least the DC that originated the deletion, but still exist as live objects on one or more DCs in the same forest.  This utility provides an option to find and remove such objects.

https://blogs.technet.microsoft.com/askds/2017/10/09/introducing-lingering-object-liquidator-v2/

https://www.microsoft.com/en-us/download/details.aspx?id=56051

Spaghetti

Spaghetti is an open-source web application security scanner.  It is designed to find various default and insecure files, configurations, and misconfigurations.

https://github.com/m4ll0k/Spaghetti

https://www.darknet.org.uk/2017/10/spaghetti-download-web-application-security-scanner/

OSSIM

OSSIM is an open-source Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.

https://www.alienvault.com/products/ossim

https://www.darknet.org.uk/2017/10/ossim-download-open-source-siem-tools-software/

WAFNinja

WAFNinja is a Python-based Web Application Firewall Attack Tool designed to help penetration testers execute WAF bypass by automating the steps necessary to bypass input validation.

https://github.com/khalilbijjou/WAFNinja

https://www.darknet.org.uk/2017/11/wafninja-web-application-firewall-attack-tool-waf-bypass/

Specops Password Auditor

Specops Password Auditor is a freeware utility that scans Active Directory for weak password policies and high-privilege user accounts.

https://specopssoft.com/product/specops-password-auditor/

https://4sysops.com/archives/specops-password-auditor-detect-weak-password-policies/

PowerShell transcript feature

PowerShell has a feature to create a transcript of a session.  To start the process, use the cmdlet Start-Transcript.

To stop the process, close the session or use the cmdlet Stop-Transcript.

Thursday, November 2, 2017

Windows Exploitation resources

The web site below is a list of exploits for the Windows platform.

https://github.com/enddo/awesome-windows-exploitation/blob/master/README.md

PowerShell Module Browser Site

The PowerShell Module Browser site is a location to find scripts or modules.  In running some tests, the current version appears to be focused on Azure.

https://docs.microsoft.com/en-us/powershell/module/

CrackMapExec

CrackMapExec (CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.  CME can be used to assess account privileges, find possible misconfigurations and simulate attack scenarios.

https://github.com/byt3bl33d3r/CrackMapExec

Pestudio

Pestudio is a utility that can be used for malware analysis.  The application will attempt to display the imports and the resources, and it will send the MD5 hash of the file to VirusTotal.

https://isc.sans.edu/forums/diary/Triaging+suspicious+files+with+pestudio/22706/

https://www.winitor.com/binaries.html

EFA

EFA (Email Filter Appliance) is a virtual appliance for spam fighting using open-source tools.  Both VMware and Hyper-V appliances are available to download.

https://efa-project.org/

WINspect

WINspect is a PowerShell script that will return security-based information.  Examples of returned data would be:

  • Checking for installed security products.
  • Enumerating world-exposed local filesystem shares.
  • Enumerating domain users and groups with local group membership.
  • Enumerating registry autoruns.
  • Enumerating local services that are configurable by Authenticated Users group members.
  • Enumerating local services for which corresponding binary is writable by Authenticated Users group members.
  • Enumerating non-system32 Windows Hosted Services and their associated DLLs.
  • Enumerating local services with unquoted path vulnerability.
  • Enumerating non-system scheduled tasks.
  • Checking for DLL hijackability.
  • Checking for User Account Control settings.
  • Checking for unattended installs leftovers.

https://github.com/A-mIn3/WINspect

https://isc.sans.edu/forums/diary/Windows+Auditing+with+WINspect/22810/

nbtscan

Nbtscan is a command-line NetBIOS scanner for Windows that scans for open NetBIOS name servers on a local or remote TCP/IP network.

http://www.unixwiz.net/tools/nbtscan.html

Yuki Chan

Yuki Chan is an Automated Penetration Testing Tool that carries out a whole range of standard security auditing tasks automatically.

The standard functions performed by this tool out of the box are:

  • Automated
  • Intel Gathering
  • Vulnerability Analysis
  • Security Auditing
  • OSINT
  • Tracking
  • System Enumeration
  • Fuzzing
  • CMS Auditing
  • SSL Security Auditing

https://github.com/Yukinoshita47/Yuki-Chan-The-Auto-Pentest

Use older file formats for photos and videos with iOS 11

With iOS version 11, the operating system uses newer file formats for photos and videos.  To use the previous .JPG and .MP4 file formats, access Settings –> Camera –> Format and select Most Compatible instead of High Efficiency.

Sunday, October 1, 2017

How to check flash wear via PowerShell within Windows 10

To check the wear value of an internal SSD drive via PowerShell within Windows 10, launch an elevated PowerShell session and use the following command.

Get-PhysicalDisk | Get-StorageReliabilityCounter | Select Wear

Not all drives accurately report this value to Windows. In some cases, the counter may be blank. Check with your manufacturer to see if they have proprietary tooling you can use to retrieve this value.

https://blogs.technet.microsoft.com/filecab/2017/08/11/understanding-dwpd-tbw/

Google Chrome URL shortcuts

Below are some Google Chrome URL shortcuts.

chrome://version

Show version information

chrome://system

Show system information

chrome://policy

Show policy information

chrome://flags

Show advanced configuration settings

vSphere 6.5 Topology and Upgrade Planning Tool

This tool aims to help customers plan and execute both upgrades to vSphere 6.5 as well as new deployments. With this initial release, the tool is focused on the most common upgrade paths and deployments of vCenter Server 6.5. Updates to the content within the tool are planned to occur over time.

http://vspherecentral.vmware.com/path-finder

https://vspherecentral.vmware.com/

BroadbandNow

BroadbandNow is a web site with ISP information, as well as a speed test based on zip code.

https://broadbandnow.com/

jSQL

jSQL is an automatic SQL injection tool written in Java.  It is lightweight and supports 23 kinds of database, and it is open source and cross-platform (Windows, Linux, Mac OS X).

https://github.com/ron190/jsql-injection

Microsoft ColorTool

Microsoft has a utility that allows the command prompt to use different color themes.

https://www.howtogeek.com/322432/how-to-customize-your-command-prompts-color-scheme-with-microsofts-colortool/

https://github.com/Microsoft/Console/tree/master/tools/ColorTool

How to uninstall Quick Assist within Windows 10

To uninstall the Quick Assist feature use the following command within an elevated PowerShell session.

Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0

UACme

UACme is a compiled, C-based tool which contains a number of methods to defeat Windows User Account Control commonly known as UAC. It abuses the built-in Windows AutoElevate backdoor and contains 41 methods.

https://github.com/hfiref0x/UACME

This utility may be flagged by anti-virus applications.

DuckDuckGo Bangs

The search engine DuckDuckGo has a feature named bangs.  These are shortcuts to certain web sites.  Below are some examples.

!a –> Amazon

!w –> Wikipedia

!ebay –> eBay

!yt –> YouTube

A list of bangs can be found at https://duckduckgo.com/bang.

Disable Apps from asking for ratings within iOS version 11

With iOS version 11, an option is available to disable applications from asking for ratings.  This feature can be found under Settings –> iTunes & App Store.  Scroll down the list and disable the “In-App Ratings & Reviews” option.

Friday, September 1, 2017

Disable PowerShell version 2

Future versions of Windows 10 (such as the Fall Creator Edition) are scheduled to deprecate PowerShell version 2.  If you wish to disable version 2 manually, use the following command within an elevated PowerShell session.

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2

Additional details can be found at https://www.petri.com/microsoft-deprecate-powershell-2-0-windows-10-fall-creators-update and https://blogs.msdn.microsoft.com/powershell/2017/08/24/windows-powershell-2-0-deprecation/

How to disable Flash support within Chrome

To disable Flash support within Chrome, enter chrome://settings/content within the URL window.  Find the “Flash” section within the list.

The current default is “Ask first.”  Slide the menu option to disable support.

List installed updates via PowerShell

To view installed updates, use the PowerShell commands below.

$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Searcher.Search("IsInstalled=1").Updates | ft -a title

To view only one particular patch:

$Searcher.Search("IsInstalled=1").Updates | Where {$_.Title -like "*KB4025342*"} | ft title

FAT32 Format

FAT32 Format is a utility to format large USB drives with the FAT32 file system.

http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm

Kolab

Kolab is an open-source scalable and secure collaboration platform that provides shared email, calendaring, notes, and tasks.  This application could be considered a replacement for Microsoft Exchange.

https://www.kolab.org/

DRS Lens

DRS Lens provides an interface to highlight the value proposition of vSphere DRS.  DRS Lens provides different dashboards in the form of tabs for each cluster being monitored:

  • Cluster Balance
  • VM Happiness
  • vMotions
  • Operations

https://labs.vmware.com/flings/drs-lens

T50

T50 is a high performance mixed packet injector tool designed to perform stress testing. 

T50 is capable of sending sequentially the following fourteen protocols:

  1. ICMP – Internet Control Message Protocol
  2. IGMPv1 – Internet Group Management Protocol v1
  3. IGMPv3 – Internet Group Management Protocol v3
  4. TCP – Transmission Control Protocol
  5. EGP – Exterior Gateway Protocol
  6. UDP – User Datagram Protocol
  7. RIPv1 – Routing Information Protocol v1
  8. RIPv2 – Routing Information Protocol v2
  9. DCCP – Datagram Congestion Control Protocol
  10. RSVP – Resource ReSerVation Protocol
  11. GRE – Generic Routing Encapsulation
  12. IPSec – Internet Protocol Security (AH/ESP)
  13. EIGRP – Enhanced Interior Gateway Routing Protocol
  14. OSPF – Open Shortest Path First

https://github.com/fredericopissarra/t50

SOF-ELK

SOF-ELK (Security Operations and Forensics Elasticsearch, Logstash, Kibana) is a pre-configured virtual machine to be used within one of SANS’s forensics classes.

https://github.com/philhagen/sof-elk

https://isc.sans.edu/forums/diary/Adversary+hunting+with+SOFELK/22592/

Hindsight

Hindsight is a history forensics utility for Google Chrome/Chromium.  Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies). Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.

https://github.com/obsidianforensics/hindsight

Monday, August 14, 2017

Current Branch for Business setting within Windows 10 Professional

In the past, the Current Branch for Business was released around four months after the Current Branch, though this appears to be changing within the Fall Creator update time period.  The CBB was originally designed to give organizations time to test the new version.  To configure Windows 10 Professional to use this parameter, launch gpedit.msc with local administrative authority and navigate to Computer Configuration –> Administrative Templates –> Windows Components –> Windows Update –> Defer Windows Updates.  Modify the “Select when Feature Updates are received” entry and set it to Enabled.  Use the drop-down dialog box to select “Current Branch for Business” and enter a day value such as 90 days.

Another option at the same path is “Select when Quality Updates are received.”

This will delay the installation of monthly updates for the number of days that are specified.  When checking the Update section under Settings, a notification warning will appear stating some settings are hidden or managed.

Tuesday, August 1, 2017

CyberChef

CyberChef is an online utility with a large number of available parameters.  Examples would be to convert data formats such as to and from Hex, to and from Binary, etc.  A portable version can be downloaded as well.

https://gchq.github.io/CyberChef/

PowerShell Group-Object

The Group-Object cmdlet within PowerShell is similar to the GROUP BY command within a normal SQL statement.  Below are a few examples of using the cmdlet to obtain count totals.
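As an added example (not code from the original post), the block below shows Group-Object used for count totals in two forms: a single-property count of services by state, and a multi-property count of failed logon events per account and source address, which is the PowerShell equivalent of SELECT ... COUNT(*) ... GROUP BY. It assumes an elevated session that can read the Security event log.

```powershell
# Added example, not from the original post: Group-Object as the PowerShell
# counterpart of SQL GROUP BY ... COUNT(*). Assumes an elevated session that
# can read the Security event log.

# Single property: how many services are in each state.
function Get-ServiceStateCounts {
    Get-Service | Group-Object -Property Status |
        Select-Object Count, Name |
        Sort-Object -Property Count -Descending
}

# Multiple properties: failed logons (event 4625) per account and source address.
function Get-FailedLogonCounts {
    param([int] $MaxEvents = 1000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Read named EventData fields from the XML instead of relying on positional indices.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
        }
    }
    # Equivalent of: SELECT Account, Source, COUNT(*) ... GROUP BY Account, Source
    $rows | Group-Object -Property Account, Source |
        Sort-Object -Property Count -Descending |
        Select-Object Count,
            @{ Name = 'Account'; Expression = { $_.Group[0].Account } },
            @{ Name = 'Source';  Expression = { $_.Group[0].Source } }
}

Get-ServiceStateCounts | Format-Table -AutoSize
Get-FailedLogonCounts  | Format-Table -AutoSize
```

A single source address at the top of the second table with many distinct accounts is the password-spraying pattern worth a closer look.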

NoMoreRansom.org

The web site for NoMoreRansom allows an individual to upload a sample file encrypted by a ransomware variant to determine if a solution is available for decrypting it.

https://www.nomoreransom.org/

SessionGopher

SessionGopher is a PowerShell Session Extraction tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.

SessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It automatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords.

https://github.com/fireeye/SessionGopher

Stitch

Stitch is a cross-platform Python Remote Administration Tool. This framework allows you to build custom payloads for Windows, Mac OSX and Linux.

https://github.com/nathanlopez/Stitch

VMware Technical Papers web site

The URL below is the main page for the Technical Papers resource on the VMware web site.

http://www.vmware.com/techpapers.html#/?client=tech_paper&num=25&filter=0&site=tech_paper&ie=UTF-8&oe=UTF-8&getfields=*&partialfields=(default:default)&requiredfields=&entqr=0&start=0&sort=meta:revisionDate:D&tlen=200&numgm=3&cn=vmware&cc=en&cid=&tid=&stype=main

Saturday, July 1, 2017

How to perform a full shutdown within Windows 10

By default, Windows 10 does not perform a full shutdown when the normal power menu option is used.  The Fast Startup Mode uses the hibernation file to restore a previously saved image of the Windows kernel and all necessary drivers for installed devices.

To modify the default, access Power Options and then select “Choose what the power buttons do.”  A shortcut without modifying the default is to hold the Shift key down when selecting the Shut Down menu option.

https://www.howtogeek.com/243901/the-pros-and-cons-of-windows-10s-fast-startup-mode/

Check a Chromebook’s Battery Health

To check a Chromebook’s battery health, access the Chrome shell via Control + Alt + T and use the command battery_test.

Another method is to use the URL of chrome://power.

whoer.net

Whoer.Net is a web site that displays information concerning your network address and web browser.

https://whoer.net/

Pybelt

Pybelt is a Python-based hackers tool belt capable of cracking hashes without prior knowledge of the algorithm, scanning ports on a given host, searching for SQLi vulnerabilities in a given URL, verifying that your Google dorks work like they should, verifying the algorithm of a given hash, scanning a URL for XSS vulnerability, and finding usable HTTP proxies.

https://github.com/Ekultek/Pybelt

DBShield

DBShield is a Database Firewall written in Go that has protection for MySQL/MariaDB, Oracle and PostgreSQL databases. It works in a proxy fashion inspecting traffic and dropping abnormal queries after a learning period to populate the internal database with regular queries.

Learning mode lets any query pass but it records information about it (pattern, username, time and source) into the internal database.

After collecting enough patterns we can run DBShield in protect mode. Protect mode can distinguish abnormal query pattern, user and source and take action based on configurations.

https://github.com/nim4/DBShield

VMware Tools Client

VMware Tools Client allows you to interact with your vSphere VMs without network connectivity.  It executes scripts and transfers files to the vSphere virtual machines through VMware Tools.

http://pierrelx.com/vmware-tools-client/

Lineage OS

Lineage OS is the successor to the CyanogenMod project, and offers firmware for certain Android devices.

http://lineageos.org/

File2pcap

File2pcap is a tool which will create a pcap from any input file, simulating this file in transit, using various protocols and encodings. The resulting pcap file can then be used to create or test rules for Snort.

http://blog.talosintelligence.com/2017/05/file2pcap.html

https://github.com/Cisco-Talos/file2pcap/

Maltrail

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where trail can be anything from domain name, URL, IP address or HTTP User-Agent header value.

https://github.com/stamparm/maltrail

Etherape

EtherApe is a graphical network monitor for Unix modelled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically as hosts and links change in size with traffic.

http://etherape.sourceforge.net/

Sysmon Configuration Template

The link below contains a configuration template for the Sysinternals Sysmon utility.

https://github.com/SwiftOnSecurity/sysmon-config

Thursday, June 1, 2017

How to disable the Customer Experience Improvement Program within Windows 7

To disable the Customer Experience Improvement Program within Windows 7, click on the Start Menu and type “customer”.  One of the available selections should be Control Panel –> Change Customer Experience Improvement Program settings.  Once launched, select the “No” option and use the Save Changes button.

Several scheduled tasks may be present under Microsoft –> Windows –> Customer Experience Improvement Program that can be disabled.

Additional scheduled task entries can be disabled under Microsoft –> Windows –> Application Experience.

The corresponding screen captures were taken from Windows 8.1.

Acunetix Free Manual Pen Testing Tools

Acunetix has released a free set of security-related utilities.  Some of the tools are a HTTP Editor, a HTTP Sniffer, and a HTTP Fuzzer.

http://www.acunetix.com/vulnerability-scanner/manual-tools/

The plug-ins URL within Google Chrome

Starting with Google Chrome version 57, the existing URL of chrome://plugins was removed.  The URL of chrome://settings/content allows control of Adobe Flash content, and chrome://components to display the version of Flash installed.

Issue with .MP3 files on a SD card within Android

Media such as .MP3 files were copied to an external SD card, but the default media player would not recognize the files.  One potential cause is the presence of a .nomedia file on the SD card.

Once this file was removed, applications such as VLC detected the .MP3 files that were present on the SD card.  Additional information can be found at the link below.

http://www.easycodeway.com/2016/08/hide-files-in-android-using-nomedia-file.html

vCenter Cluster Performance Tool

vCenter Cluster Performance Tool is a Powershell script that uses vSphere PowerCLI to obtain performance data for a cluster by aggregating information from individual hosts.

https://labs.vmware.com/flings/vcenter-cluster-performance-tool

Chrome Cleanup Tool

Google offers a cleanup utility for Chrome for the Windows platform.

https://www.google.com/chrome/cleanup-tool/

Sn1per

Sn1per is a penetration testing automation scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.  It performs several different tasks, such as testing for anonymous FTP and LDAP access.

https://github.com/1N3/Sn1per

Ettercap

Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

https://ettercap.github.io/ettercap/

Exchange Analyzer

Exchange Analyzer is a PowerShell tool that scans an Exchange Server 2013 or 2016 and reports on compliance with best practices.

https://gallery.technet.microsoft.com/office/Exchange-Analyzer-6e20132e

https://exchangeanalyzer.com/

Monday, May 1, 2017

How to monitor Google Chrome extensions

To monitor network traffic for a specific extension within Google Chrome, access the Settings and then the Extensions section.  Click on the Developer Mode checkbox near the top of the page.

Find the extension in question within the list and then click on the link to the left of Inspect views.

A new dialog box should appear.  Click on the Network menu option near the top to display network traffic for the extension.

How to view digital certificate details within Google Chrome

Starting with Chrome version 56, the following method is required to view the details of a digital certificate.

Three Dots Menu -> More Tools -> Developer Tools, then click on the Security Tab. Access the View Certificate Button.

With Windows, a shortcut key combination is Control + Shift + I.