Monday, August 14, 2017

Current Branch for Business setting within Windows 10 Professional

Historically the Current Branch for Business (CBB) became available roughly four months after the Current Branch (CB); that cadence appears to be changing with the Fall Creators Update, which also renames the two branches to Semi-Annual Channel (Targeted) and Semi-Annual Channel.  The CBB exists to give organizations time to test a new version before it is deployed broadly.  To configure Windows 10 Professional to follow it, launch gpedit.msc with local administrative rights and navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Defer Windows Updates.  Open the "Select when Feature Updates are received" entry and set it to Enabled.  Use the drop-down to select "Current Branch for Business" and enter a deferral in days, such as 90.

Another option at the same path is "Select when Quality Updates are received."

This delays the installation of the monthly cumulative updates for the number of days specified (the policy allows up to 30).  Once either policy is set, the Update section under Settings shows a notice that some settings are hidden or managed by the organization.
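Added example, not from the original post: the same two policies written as the registry values that gpedit.msc stores under the WindowsUpdate policy key, so the deferral can be scripted across machines and read back for an audit.  The 90-day feature deferral is the value used above; the 7-day quality-update deferral is an assumption chosen for illustration.  Run from an elevated PowerShell prompt on Windows 10 Pro 1607 or 1703.

```powershell
# Added example (not the original post's code). Writes the "Defer Windows Updates" policy
# values directly; these are the values the Local Group Policy Editor writes for the two
# entries "Select when Feature Updates are received" and "Select when Quality Updates are received".
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path $wu)) { New-Item -Path $wu -Force | Out-Null }

# BranchReadinessLevel: 16 = Current Branch, 32 = Current Branch for Business
$settings = @{
    BranchReadinessLevel            = 32
    DeferFeatureUpdates             = 1
    DeferFeatureUpdatesPeriodInDays = 90   # value used in the post
    DeferQualityUpdates             = 1
    DeferQualityUpdatesPeriodInDays = 7    # assumption: one week; the policy caps this at 30
}
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $wu -Name $name -PropertyType DWord -Value $settings[$name] -Force | Out-Null
}

# Read back what is now in effect; the Settings app will show the "managed" notice after this
Get-ItemProperty -Path $wu |
    Select-Object BranchReadinessLevel, DeferFeatureUpdates*, DeferQualityUpdates*
```

Deleting the five values (or the whole key) returns the machine to the default Current Branch behaviour; the Settings app reflects the change without a reboot.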

Tuesday, August 1, 2017

CyberChef

CyberChef is a browser-based utility with a large library of operations that can be chained into a "recipe": for example converting data to and from Hex or Binary, Base64 encoding and decoding, XOR, and so on.  Everything runs client-side in the browser, so pasted data is not sent to a server, and a portable (offline) copy can be downloaded as well.

https://gchq.github.io/CyberChef/

PowerShell Group-Object

The Group-Object cmdlet within PowerShell is similar to the GROUP BY clause of a SQL statement: it collects the objects in the pipeline that share a property value into groups and emits one object per group with a Count, a Name (the shared value) and a Group collection holding the members.  Adding -NoElement drops the Group collection, which is all that is needed to obtain count totals.
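Added example, not from the original post: Group-Object used the way a SQL GROUP BY would be used on a logon table, with a constructed set of logon records so it runs offline.  The record shape (Time, User, Source, Status) and the threshold of three failures are assumptions for illustration; the commented Get-WinEvent line shows the same grouping against the real Security log.

```powershell
# Added example (not the original post's code). The records below are constructed;
# in practice they would come from Get-WinEvent or a parsed log file.
$events = @(
    [pscustomobject]@{ Time = '2017-08-01 08:01'; User = 'alice'; Source = '10.0.0.5';  Status = 'Success' }
    [pscustomobject]@{ Time = '2017-08-01 08:02'; User = 'bob';   Source = '10.0.0.9';  Status = 'Failure' }
    [pscustomobject]@{ Time = '2017-08-01 08:02'; User = 'bob';   Source = '10.0.0.9';  Status = 'Failure' }
    [pscustomobject]@{ Time = '2017-08-01 08:03'; User = 'bob';   Source = '10.0.0.77'; Status = 'Failure' }
    [pscustomobject]@{ Time = '2017-08-01 08:04'; User = 'carol'; Source = '10.0.0.5';  Status = 'Success' }
    [pscustomobject]@{ Time = '2017-08-01 08:05'; User = 'bob';   Source = '10.0.0.77'; Status = 'Success' }
)

# SELECT User, COUNT(*) ... GROUP BY User ORDER BY COUNT(*) DESC
$events | Group-Object -Property User -NoElement | Sort-Object Count -Descending

# GROUP BY two columns: Name becomes "user, source"
$events | Group-Object -Property User, Source | Select-Object Count, Name

# Without -NoElement the Group property keeps the members, which allows per-group
# aggregates: distinct sources and first/last time seen for accounts with 3+ failures
$events |
    Where-Object { $_.Status -eq 'Failure' } |
    Group-Object -Property User |
    Where-Object { $_.Count -ge 3 } |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Name
            Failures = $_.Count
            Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
            First    = ($_.Group.Time | Sort-Object)[0]
            Last     = ($_.Group.Time | Sort-Object)[-1]
        }
    }

# The same idea against the Security log (elevated prompt): failed logons (event 4625)
# grouped by target account name, which is Properties[5] in that event's layout
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#     Group-Object { $_.Properties[5].Value } -NoElement |
#     Sort-Object Count -Descending
```

With the constructed records, the third pipeline reports only bob: three failures from two sources between 08:02 and 08:03, which is the kind of summary that is tedious to read off raw event rows.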

NoMoreRansom.org

The No More Ransom web site lets an individual upload a sample file encrypted by a ransomware variant (along with the ransom note) to determine whether a decryption tool is available.

https://www.nomoreransom.org/

SessionGopher

SessionGopher is a PowerShell Session Extraction tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.

SessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It automatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords.

https://github.com/fireeye/SessionGopher

Stitch

Stitch is a cross-platform Python Remote Administration Tool. This framework allows you to build custom payloads for Windows, Mac OSX and Linux.

https://github.com/nathanlopez/Stitch

VMware Technical Papers web site

The URL below is the main page for the Technical Papers resource on the VMware web site.

http://www.vmware.com/techpapers.html#/?client=tech_paper&num=25&filter=0&site=tech_paper&ie=UTF-8&oe=UTF-8&getfields=*&partialfields=(default:default)&requiredfields=&entqr=0&start=0&sort=meta:revisionDate:D&tlen=200&numgm=3&cn=vmware&cc=en&cid=&tid=&stype=main

Saturday, July 1, 2017

How to perform a full shutdown within Windows 10

By default, Windows 10 does not perform a full shutdown when the normal power menu option is used.  Fast Startup writes the Windows kernel and loaded drivers to the hibernation file at shutdown and restores that image at the next boot, so the kernel session is not reinitialized (the user session is).

To change the default, open Power Options, select "Choose what the power buttons do", click "Change settings that are currently unavailable" and clear "Turn on fast startup (recommended)".  Without changing the default, hold the Shift key while selecting the Shut Down menu option, or run shutdown /s /t 0 from a command prompt; both perform a full shutdown (shutdown /s /hybrid is the Fast Startup equivalent).  A full shutdown is what you want before imaging a disk or mounting the Windows volume from another operating system, since Fast Startup leaves the file system in a hibernated state.

https://www.howtogeek.com/243901/the-pros-and-cons-of-windows-10s-fast-startup-mode/

Check a Chromebook’s Battery Health

To check a Chromebook's battery health, open the Chrome OS shell (crosh) with Control + Alt + T and run the command battery_test.  It reports the charge level, the battery health percentage and, over the test interval, the discharge rate.

Another method is the URL chrome://power, which charts the battery level over time.

whoer.net

Whoer.Net is a web site that displays information concerning your network address and web browser.

https://whoer.net/


Pybelt

Pybelt is a Python-based hacker's toolbelt.  It can crack hashes without prior knowledge of the algorithm, identify the algorithm of a given hash, scan ports on a host, check a URL for SQL injection and XSS, verify that your Google dorks work as they should, and find usable HTTP proxies.

https://github.com/Ekultek/Pybelt

DBShield

DBShield is a database firewall written in Go that protects MySQL/MariaDB, Oracle and PostgreSQL databases.  It works as a proxy, inspecting traffic and dropping abnormal queries after a learning period in which its internal database is populated with the regular queries.

Learning mode lets every query pass but records information about it (pattern, username, time and source) into the internal database.

After enough patterns have been collected, DBShield can be run in protect mode, which distinguishes abnormal query patterns, users and sources and takes action based on the configuration.  Note that whatever is seen during the learning period becomes "normal", so learn only from traffic that is known to be good; an attacker's queries captured in learning mode would be whitelisted.

https://github.com/nim4/DBShield

VMware Tools Client

VMware Tools Client allows you to interact with your vSphere VMs without network connectivity: it executes scripts and transfers files to the virtual machines through VMware Tools.

http://pierrelx.com/vmware-tools-client/

Lineage OS

LineageOS is the successor to the CyanogenMod project and offers an open-source Android distribution (a custom ROM) for supported devices.

http://lineageos.org/

File2pcap

File2pcap is a tool which will create a pcap from any input file, simulating this file in transit, using various protocols and encodings. The resulting pcap file can then be used to create or test rules for Snort.

http://blog.talosintelligence.com/2017/05/file2pcap.html

https://github.com/Cisco-Talos/file2pcap/

Maltrail

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where trail can be anything from domain name, URL, IP address or HTTP User-Agent header value.

https://github.com/stamparm/maltrail

Etherape

EtherApe is a graphical network monitor for Unix modelled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically as hosts and links change in size with traffic.

http://etherape.sourceforge.net/

Sysmon Configuration Template

The link below contains a configuration template for the Sysinternals Sysmon utility.

https://github.com/SwiftOnSecurity/sysmon-config

Thursday, June 1, 2017

How to disable the Customer Experience Improvement Program within Windows 7

To disable the Customer Experience Improvement Program within Windows 7, click on the Start Menu and type "customer".  One of the available selections should be Control Panel -> Change Customer Experience Improvement Program settings.  Once launched, select the "No" option and click Save Changes.

Several scheduled tasks may be present under Microsoft -> Windows -> Customer Experience Improvement Program that can be disabled.

Additional scheduled task entries can be disabled under Microsoft -> Windows -> Application Experience.

The same Task Scheduler folders and tasks exist in Windows 8.1.

Acunetix Free Manual Pen Testing Tools

Acunetix has released a free set of security-related utilities.  Among the tools are an HTTP Editor, an HTTP Sniffer, and an HTTP Fuzzer.

http://www.acunetix.com/vulnerability-scanner/manual-tools/

The plug-ins URL within Google Chrome

Starting with Google Chrome version 57, the chrome://plugins URL was removed.  Use chrome://settings/content to control Adobe Flash content, and chrome://components to display the version of the installed Flash component.

Issue with .MP3 files on a SD card within Android

Media such as .MP3 files were copied to an external SD card, but the default media player would not recognize the files.  One potential cause is the presence of a .nomedia file on the SD card: the Android media scanner skips any directory (and its subdirectories) that contains that empty file.

Once the file was removed, applications such as VLC detected the .MP3 files present on the SD card.  Additional information can be found at the link below.

http://www.easycodeway.com/2016/08/hide-files-in-android-using-nomedia-file.html

vCenter Cluster Performance Tool

vCenter Cluster Performance Tool is a Powershell script that uses vSphere PowerCLI to obtain performance data for a cluster by aggregating information from individual hosts.

https://labs.vmware.com/flings/vcenter-cluster-performance-tool

Chrome Cleanup Tool

Google offers a cleanup utility for Chrome on Windows that finds and removes software known to interfere with the browser.

https://www.google.com/chrome/cleanup-tool/

Sn1per

Sn1per is a penetration testing automation scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.  It performs several different tasks, such as testing for anonymous FTP and LDAP access.

https://github.com/1N3/Sn1per

Ettercap

Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

https://ettercap.github.io/ettercap/

Exchange Analyzer

Exchange Analyzer is a PowerShell tool that scans an Exchange Server 2013 or 2016 and reports on compliance with best practices.

https://gallery.technet.microsoft.com/office/Exchange-Analyzer-6e20132e

https://exchangeanalyzer.com/

Monday, May 1, 2017

How to monitor Google Chrome extensions

To monitor network traffic for a specific extension within Google Chrome, open chrome://extensions (Menu -> More tools -> Extensions) and tick the Developer mode checkbox near the top of the page.

Find the extension in question in the list and click the link next to "Inspect views" (typically "background page").

A DevTools window opens for the extension's background page.  Click the Network tab near the top to display network traffic for the extension.  Only requests made by that page are shown; requests issued by an extension's content scripts run in the context of the web page they were injected into and appear in that tab's DevTools instead.

How to view digital certificate details within Google Chrome

Starting with Chrome version 56, the certificate viewer is no longer reachable from the padlock in the address bar, and the following method is required to view the details of a site's digital certificate.

Three Dots Menu -> More Tools -> Developer Tools, then click on the Security tab and click the View certificate button.

On Windows, the shortcut key combination to open Developer Tools is Control + Shift + I (or F12).

PowerMemory

PowerMemory is a PowerShell based tool to exploit Windows credentials present in files and memory.

https://github.com/giMini/PowerMemory

HTTP-PING

Http-ping is a free Windows-based command line utility to perform network connectivity checks via HTTP.  The application can be downloaded from:

https://www.coretechnologies.com/products/http-ping/

No installation is required.  The example below adds a date and time stamp to each line (-d), uses an interval of 5 seconds (-i 5), and also writes the output to a text file (-f test.txt).

http-ping -d -i 5 -f test.txt google.com

Windows 10 Creators Update: Only Allow Apps From Store

The Windows 10 Creators Update includes an option to allow applications to be installed only from the Windows Store.  Under Settings -> Apps -> Apps & features, use the "Installing apps" drop-down to choose one of: allow apps from anywhere, warn before installing apps from outside the Store, or allow apps from the Store only.

If the parameter is set to Store only and a "normal" (Win32) application is launched, a dialog box appears and the program does not run.  This includes portable applications or any .EXE program.

If the parameter is set to warn, the dialog box includes an additional button that lets the user run the application anyway.

Night Light within the Windows 10 Creators Update

The Windows 10 Creators Update includes a new "Night Light" feature, which reduces the blue light emitted by the display in the evening to reduce eyestrain.  The option can be enabled via Settings -> System -> Display, where a link to the Night light settings (schedule and color temperature) is available as well.

The feature can also be toggled from the Action Center.

Using Storage Sense to automatically purge files within the Windows 10 Creators Update

Within the Windows 10 Creators Update, a new feature called Storage Sense can automatically purge files to free up disk space.  Open Settings -> System and click on Storage in the left-hand column.  To the right, an option to enable Storage Sense should be present.

To view what the feature removes (temporary files that apps are not using, and items that have been in the Recycle Bin for more than 30 days), click on the "Change how we free up space" link.

Stop Windows 10 From Automatically Updating Hardware Drivers

To stop Windows 10 from automatically installing hardware drivers through Windows Update, apply the following Registry change (a .reg file that sets the same value the Group Policy entry below writes).  Note that driver updates may be bundled with security updates or feature updates, so this modification is not 100% effective.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ExcludeWUDriversInQualityUpdate"=dword:00000001

Windows 10 Pro and Enterprise from version 1607 onward expose the same setting in Local Group Policy.  Run "gpedit.msc" to launch the Local Group Policy Editor and navigate to the following path:

Computer Configuration/Administrative Templates/Windows Components/Windows Update

Find the entry "Do not include drivers with Windows Updates" and enable the policy.

Where to disable ads within the Windows 10 Creators Update

To disable ads and "suggestions" within the Windows 10 Creators Update, verify the settings in the following areas.

Lock Screen: Settings -> Personalization -> Lock screen, turn off "Get fun facts, tips, tricks, and more on your lock screen" (the toggle is shown when the background is Picture or Slideshow rather than Windows spotlight).

Start: Settings -> Personalization -> Start, turn off "Occasionally show suggestions in Start."

Windows Explorer: View -> Options -> View tab, clear "Show sync provider notifications."

Share: the Share pane has a setting to turn off app suggestions.

Notifications: Settings -> System -> Notifications & actions, turn off "Get tips, tricks, and suggestions as you use Windows."

Sunday, April 2, 2017

Disable WPAD within Windows

The WPAD protocol (Web Proxy Auto-Discovery) is designed to let organizations push proxy settings to every device that connects to the network.  The organization publishes a proxy auto-configuration (PAC) file at a standard location, advertised through DHCP option 252 or the DNS name wpad in the local domain; when WPAD is enabled, the computer looks for that file and then routes its web traffic through whatever proxy the PAC script returns.  The security problem is that any host able to answer the DHCP, DNS or NetBIOS lookup for "wpad" (Responder on the local segment, for example) can hand the machine a malicious PAC file and become its proxy, so disabling WPAD on clients that do not need it removes a well-known man-in-the-middle path.

Within Windows 7, access Control Panel -> Internet Options -> Connections tab -> LAN settings button -> clear the "Automatically detect settings" check box.

Within Windows 10, access Settings -> Network & Internet -> Proxy -> turn off the "Automatically detect settings" option.  Both paths change the same per-user Internet Settings value, so the change must be made for every user of the machine or enforced centrally through Group Policy.
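Added example, not from the original post: the same checkbox cleared from PowerShell for the current user, with a read-back so the change can be verified, plus a hosts-file entry as a second guard.  The flag layout of the DefaultConnectionSettings value (byte 8, bit 0x08 for auto-detect) is as documented by third parties rather than by Microsoft, so verify it on your build by toggling the checkbox and reading the value back; the function names and the hosts-file line are this example's own additions.

```powershell
# Added example (not the original post's code). Internet Settings keeps the LAN-settings
# checkboxes as flag bits in byte 8 of the REG_BINARY value DefaultConnectionSettings:
#   0x01 always set, 0x02 = use proxy server, 0x04 = use automatic configuration script,
#   0x08 = automatically detect settings (WPAD).   (layout as documented by third parties)
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$name = 'DefaultConnectionSettings'
$flagAutoDetect = 0x08

function Get-WpadState {
    $bytes = (Get-ItemProperty -Path $key -Name $name).$name
    [bool]($bytes[8] -band $flagAutoDetect)
}

function Disable-Wpad {
    $bytes = (Get-ItemProperty -Path $key -Name $name).$name
    $bytes[8] = $bytes[8] -band (-bnot $flagAutoDetect)
    # Bytes 4-7 are a little-endian change counter; bump it so the UI reloads the value.
    # Cast to uint32 so GetBytes() emits 4 bytes and does not overwrite the flag byte.
    $counter = [uint32]([BitConverter]::ToUInt32($bytes, 4) + 1)
    [BitConverter]::GetBytes($counter).CopyTo($bytes, 4)
    Set-ItemProperty -Path $key -Name $name -Value $bytes
}

"WPAD auto-detect before: $(Get-WpadState)"
Disable-Wpad
"WPAD auto-detect after:  $(Get-WpadState)"

# Second, independent guard (elevated prompt required): map the name wpad to an invalid
# address so the DNS half of WPAD fails even if a user re-enables the checkbox.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern '^\s*255\.255\.255\.255\s+wpad' -Quiet)) {
    Add-Content -Path $hostsFile -Value '255.255.255.255 wpad'
}
```

The hosts entry does nothing against DHCP option 252 or NetBIOS/LLMNR answers for "wpad"; those are covered by clearing the checkbox, which is why both steps are kept.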

Turn Off File Explorer Advertising within Windows 10

To disable advertising dialog boxes from appearing within Windows Explorer with Windows 10, launch Explorer and access View –> Options -> Change folder and search options.  Under the View tab, disable the feature “Show sync provider notifications.”


iTunes Alternatives for Windows

Below are some alternatives for iTunes on the Windows platform.

http://getmusicbee.com/

http://www.mediamonkey.com/

http://www.foobar2000.org/

https://www.clementine-player.org/

http://getnightingale.com/

Posh Web Server

Posh is a web server via PowerShell.  Installation is not required; simply load the module within PowerShell.

http://www.poshserver.net/

Skydive

Skydive is an open source real-time network topology and protocols analyzer. It aims to provide a comprehensive way of understanding what is happening in the network infrastructure.

https://skydive-project.github.io/skydive/

https://github.com/skydive-project/skydive

Raspberry Pi Linux Distro

The Raspberry Pi Foundation, the organization behind the Raspberry Pi hardware, has decided to offer its PIXEL desktop as a Linux distribution for x86 PCs and Macs.  Built on Debian, the OS is light enough to run on most old machines with at least 512MB of RAM.

https://www.raspberrypi.org/blog/pixel-pc-mac/

Ubuntu OVA for VMware Horizon

Ubuntu OVA for Horizon is a pre-packaged OVA built on Ubuntu that automates most of the customization and configuration needed for a Linux Desktop Template to be used in a VMware Horizon 7 or later environment.

https://labs.vmware.com/flings/horizon-ova-for-ubuntu

OpenShot Video Editor

OpenShot is a free video editor application for Linux.

http://www.openshot.org/

IPFire

IPFire is a Linux-based security gateway.  Some features include Cache Management, URL filter, DHCP server, Snort IDS (Guardian), SquidClamAV, IPSec, and OpenVPN.  Snort is an add-on, and several more are available.

http://wiki.ipfire.org/en/addons/start

http://www.ipfire.org/

Wednesday, March 1, 2017

Blocking outbound PowerShell traffic using the Windows Firewall

Some malware uses PowerShell to download additional components, as highlighted in the blog post at https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/.  To block that outbound traffic using the Windows Firewall, add two outbound Block rules, one per PowerShell host executable.  Note that on 64-bit Windows the System32 directory holds the 64-bit binaries and SysWOW64 the 32-bit ones:

64-bit

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

32-bit

%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Consider matching rules for powershell_ise.exe in the same two directories.  Be clear about what the rules do and do not cover: they match only the listed program paths, so a copy of powershell.exe under another name, PowerShell Core (pwsh.exe) or any other process that hosts the PowerShell engine is not blocked, while legitimate PowerShell network use from this host (Update-Help, Install-Module, remoting) is blocked along with the malware.

To test the rule, use the command below from a Command Prompt (cmd expands %TMP% before PowerShell runs).

cmd /c PowerShell (New-Object System.Net.Webclient).DownloadFile('http://test.com','%TMP%\test.txt');

The following commands can be executed as a test within PowerShell.  DownloadFile needs a file path rather than a directory, and PowerShell does not expand %TEMP%, so the target uses $env:TEMP.

$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("http://www.test.com/", "$env:TEMP\test.txt")

With the rules in place, both attempts fail with a WebException instead of writing test.txt.
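Added example, not from the original post: the rules created with the NetSecurity cmdlets (Windows 8/10; Windows 7 needs netsh advfirewall firewall add rule instead), listed back with the program each is bound to, and exercised with the same WebClient download so the block is confirmed rather than assumed.  The rule names and the ISE rules are this example's additions; http://www.test.com/ is the URL used in the post.

```powershell
# Added example (not the original post's code). Run from an elevated PowerShell prompt.
# On 64-bit Windows, System32 holds the 64-bit host and SysWOW64 the 32-bit one.
$programs = @{
    'Block PowerShell outbound (64-bit)'     = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    'Block PowerShell outbound (32-bit)'     = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    'Block PowerShell ISE outbound (64-bit)' = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
    'Block PowerShell ISE outbound (32-bit)' = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
}

foreach ($ruleName in $programs.Keys) {
    $exe = $programs[$ruleName]
    if (-not (Test-Path $exe)) { continue }   # 32-bit Windows has no SysWOW64 copy
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Program $exe -Profile Any -Enabled True | Out-Null
    }
}

# Show the rules together with the program path each one is bound to
Get-NetFirewallRule -DisplayName 'Block PowerShell*' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Action  = $_.Action
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
    }
}

# Test from this PowerShell session: with the rules active the download throws a
# WebException instead of creating test.txt
try {
    (New-Object System.Net.WebClient).DownloadFile('http://www.test.com/', "$env:TEMP\test.txt")
    'Download succeeded: the rule is NOT blocking this host'
} catch [System.Net.WebException] {
    "Download blocked: $($_.Exception.Message)"
}
```

Remove-NetFirewallRule -DisplayName 'Block PowerShell*' takes the rules out again, for instance before running Update-Help on the machine.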

How to disable the Customer Experience Improvement Program within Windows 7

The Control Panel setting and the scheduled tasks under Customer Experience Improvement Program and Application Experience are covered in the June 1 entry above.  Two further items belong with them: another task may be present under Microsoft -> Windows -> WPD, and the Diagnostic Tracking Service should be verified as disabled.
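Added example, not from the original post, covering this entry and the June 1 entry above: the Control Panel opt-out, the scheduled tasks in the three Task Scheduler folders and the Diagnostic Tracking Service handled from one script, with a listing afterwards to confirm nothing is still enabled.  It uses schtasks.exe rather than Get-ScheduledTask so that it also runs on Windows 7, and assumes an English Windows (schtasks localizes its CSV column headers).  Run from an elevated prompt.

```powershell
# Added example (not the original post's code). Disables the CEIP-related scheduled tasks,
# sets the CEIP opt-out policy value, and disables the DiagTrack service.
$taskFolders = @(
    '\Microsoft\Windows\Customer Experience Improvement Program\'
    '\Microsoft\Windows\Application Experience\'
    '\Microsoft\Windows\WPD\'
)

# schtasks is used instead of Get-ScheduledTask because the latter is absent on Windows 7.
# TaskName in the CSV is the full path, so a -like filter on the folder selects its tasks
# (and skips any repeated header rows, whose TaskName is literally "TaskName").
$allTasks = schtasks /Query /FO CSV | ConvertFrom-Csv

foreach ($folder in $taskFolders) {
    $allTasks |
        Where-Object { $_.TaskName -like "$folder*" -and $_.Status -ne 'Disabled' } |
        ForEach-Object {
            "Disabling task $($_.TaskName)"
            schtasks /Change /TN $_.TaskName /Disable | Out-Null
        }
}

# The "No" radio button in Control Panel is the user-level opt-out; this policy value
# enforces it machine-wide
$sqm = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
if (-not (Test-Path $sqm)) { New-Item -Path $sqm -Force | Out-Null }
New-ItemProperty -Path $sqm -Name CEIPEnable -PropertyType DWord -Value 0 -Force | Out-Null

# Diagnostic Tracking Service: service name DiagTrack (present on Windows 7/8.1 once the
# telemetry updates are installed; listed as "Connected User Experiences and Telemetry" on Windows 10)
if (Get-Service -Name DiagTrack -ErrorAction SilentlyContinue) {
    Stop-Service -Name DiagTrack -Force
    Set-Service -Name DiagTrack -StartupType Disabled
}

# Audit: anything still enabled under the three folders shows a Status other than Disabled
$after = schtasks /Query /FO CSV | ConvertFrom-Csv
foreach ($folder in $taskFolders) {
    $after | Where-Object { $_.TaskName -like "$folder*" } | Select-Object TaskName, Status
}
```

Windows Update can re-enable some of these tasks when the related components are serviced, so the audit loop at the end is worth re-running after patch cycles.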