Sunday, October 1, 2017

How to check flash wear via PowerShell within Windows 10

To check the wear value of an internal SSD drive via PowerShell within Windows 10, launch an elevated PowerShell session and use the following command.

Get-PhysicalDisk | Get-StorageReliabilityCounter | Select Wear

image

Not all drives accurately report this value to Windows. In some cases, the counter may be blank. Check with your manufacturer to see if they have proprietary tooling you can use to retrieve this value.

https://blogs.technet.microsoft.com/filecab/2017/08/11/understanding-dwpd-tbw/
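An added example (not code from the original post) that wraps the one-liner above into a per-disk report and handles the blank-counter case the note describes. The 80 percent "approaching endurance" threshold is an assumption chosen for illustration; the property names come from the MSFT_StorageReliabilityCounter class that Get-StorageReliabilityCounter returns.

```powershell
# Added example, not code from the original post: report the wear counter for
# every physical disk and flag drives whose firmware does not expose it.
function Get-DiskWearReport {
    # Requires an elevated session. Wear is the percentage of rated endurance
    # used; it is $null when the drive does not report the value to Windows.
    Get-PhysicalDisk | ForEach-Object {
        $disk    = $_
        $counter = $disk | Get-StorageReliabilityCounter
        [pscustomobject]@{
            FriendlyName = $disk.FriendlyName
            MediaType    = $disk.MediaType
            Wear         = $counter.Wear
            Temperature  = $counter.Temperature
            ReadErrors   = $counter.ReadErrorsTotal
            PowerOnHours = $counter.PowerOnHours
            Status       = if ($null -eq $counter.Wear) { 'not reported (check vendor tooling)' }
                           elseif ($counter.Wear -ge 80) { 'approaching rated endurance' }  # 80 is an assumed threshold
                           else { 'ok' }
        }
    }
}

Get-DiskWearReport | Format-Table -AutoSize
```

Run it from an elevated prompt; a non-elevated session returns access-denied errors from Get-StorageReliabilityCounter rather than blank values, so do not mistake the two.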

Google Chrome URL shortcuts

Below are some Google Chrome URL shortcuts.

chrome://version

Show version information

image

chrome://system

Show system information

image

chrome://policy

Show policy information

image

chrome://flags

Show advanced configuration settings

image

vSphere 6.5 Topology and Upgrade Planning Tool

This tool aims to help customers plan and execute both upgrades to vSphere 6.5 as well as new deployments. With this initial release, the tool is focused on the most common upgrade paths and deployments of vCenter Server 6.5. Updates to the content within the tool are planned to occur over time.

http://vspherecentral.vmware.com/path-finder

https://vspherecentral.vmware.com/

image

BroadbandNow

BroadbandNow is a web site with ISP information, as well as a speed test based on zip code.

https://broadbandnow.com/

jSQL

jSQL is an automatic SQL injection tool written in Java; it is lightweight and supports 23 kinds of database. It is open source and cross-platform (Windows, Linux, Mac OS X).

https://github.com/ron190/jsql-injection

Microsoft ColorTool

Microsoft has a utility that allows the command prompt to use different color themes.

https://www.howtogeek.com/322432/how-to-customize-your-command-prompts-color-scheme-with-microsofts-colortool/

https://github.com/Microsoft/Console/tree/master/tools/ColorTool

How to uninstall Quick Assist within Windows 10

To uninstall the Quick Assist feature use the following command within an elevated PowerShell session.

Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0

image
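An added example (not from the original post) that locates the Quick Assist capability by wildcard instead of hard-coding the version suffix, checks its state, and only removes it when it is actually installed.

```powershell
# Added example, not code from the original post: find the Quick Assist
# capability by wildcard (the "~~~~0.0.1.0" suffix can change between builds),
# report its state, and remove it only if it is installed.
function Remove-QuickAssistCapability {
    $cap = Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*'
    if (-not $cap) { return 'Quick Assist capability not present on this build' }
    if ($cap.State -ne 'Installed') { return "Quick Assist already $($cap.State)" }
    Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
    # Read the state back so the caller sees NotPresent rather than assuming success.
    "$($cap.Name): $((Get-WindowsCapability -Online -Name $cap.Name).State)"
}

Remove-QuickAssistCapability
```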

UACme

UACme is a compiled, C-based tool which contains a number of methods to defeat Windows User Account Control, commonly known as UAC. It abuses the built-in Windows AutoElevate backdoor and contains 41 methods.

https://github.com/hfiref0x/UACME

This utility may be flagged by anti-virus applications.

image

DuckDuckGo Bangs

The search engine DuckDuckGo has a feature named bangs.  These are shortcuts to certain web sites.  Below are some examples.

!a –> Amazon

!w –> Wikipedia

!ebay –> eBay

!yt –> YouTube

A list of bangs can be found at https://duckduckgo.com/bang.

image

Disable Apps from asking for ratings within iOS version 11

With iOS version 11, an option is available to disable applications from asking for ratings.  This feature can be found under Settings –> iTunes & App Store.  Scroll down the list and disable the “In-App Ratings & Reviews” option.

image

Friday, September 1, 2017

Disable PowerShell version 2

Future versions of Windows 10 (such as the Fall Creators Update) are scheduled to deprecate PowerShell version 2.  If you wish to disable version 2 manually, use the following command within an elevated PowerShell session.

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2

image

Additional details can be found at https://www.petri.com/microsoft-deprecate-powershell-2-0-windows-10-fall-creators-update and https://blogs.msdn.microsoft.com/powershell/2017/08/24/windows-powershell-2-0-deprecation/
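An added example (not code from the original post) that checks both PowerShell 2.0 optional features, disables whichever is still enabled, and then verifies the result by asking the v2 engine to start. The verification matters because a machine with the v2 engine present lets anyone run "powershell.exe -Version 2" and sidestep the script block logging and AMSI integration that only the newer engine provides.

```powershell
# Added example, not code from the original post: confirm the PowerShell 2.0
# engine is off and disable it where it is still enabled.
function Get-PowerShellV2State {
    # Both features (MicrosoftWindowsPowerShellV2 and ...V2Root) should read Disabled.
    Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'MicrosoftWindowsPowerShellV2*' |
        Select-Object FeatureName, State
}

function Disable-PowerShellV2 {
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' } |
        ForEach-Object {
            Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart | Out-Null
            "$($_.FeatureName) disabled"
        }
}

function Test-PowerShellV2Launch {
    # Independent of DISM state: with the engine removed, powershell.exe prints an
    # error instead of "2" when asked for a version 2 session.
    $out = & powershell.exe -NoProfile -Version 2 -Command '$PSVersionTable.PSVersion.Major' 2>$null
    if ("$out".Trim() -eq '2') { 'v2 engine still launches' } else { 'v2 engine unavailable' }
}

Get-PowerShellV2State
Disable-PowerShellV2
Test-PowerShellV2Launch
```

The launch test is the one worth keeping in a compliance script: the DISM feature state tells you what was requested, the launch test tells you what an attacker would actually get.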

How to disable Flash support within Chrome

To disable Flash support within Chrome, enter chrome://settings/content within the URL window.  Find the “Flash” section within the list.

image

The current default is “Ask first.”  Slide the menu option to disable support.

image

List installed updates via PowerShell

To view installed updates, use the PowerShell commands below.

$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Searcher.Search("IsInstalled=1").Updates | ft -a title

image

To view only one particular patch:

$Searcher.Search("IsInstalled=1").Updates | Where {$_.Title -like "*KB4025342*"} | ft title

image

FAT32 Format

FAT32 Format is a utility to format large USB drives with the FAT32 file system.

http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm

Kolab

Kolab is an open-source scalable and secure collaboration platform that provides shared email, calendaring, notes, and tasks.  This application could be considered a replacement for Microsoft Exchange.

https://www.kolab.org/

DRS Lens

DRS Lens provides an interface to highlight the value proposition of vSphere DRS.  DRS Lens provides different dashboards in the form of tabs for each cluster being monitored:

  • Cluster Balance
  • VM Happiness
  • vMotions
  • Operations

https://labs.vmware.com/flings/drs-lens

T50

T50 is a high performance mixed packet injector tool designed to perform stress testing. 

T50 is capable of sending sequentially the following fourteen protocols:

  1. ICMP – Internet Control Message Protocol
  2. IGMPv1 – Internet Group Management Protocol v1
  3. IGMPv3 – Internet Group Management Protocol v3
  4. TCP – Transmission Control Protocol
  5. EGP – Exterior Gateway Protocol
  6. UDP – User Datagram Protocol
  7. RIPv1 – Routing Information Protocol v1
  8. RIPv2 – Routing Information Protocol v2
  9. DCCP – Datagram Congestion Control Protocol
  10. RSVP – Resource ReSerVation Protocol
  11. GRE – Generic Routing Encapsulation
  12. IPSec – Internet Protocol Security (AH/ESP)
  13. EIGRP – Enhanced Interior Gateway Routing Protocol
  14. OSPF – Open Shortest Path First

https://github.com/fredericopissarra/t50

SOF-ELK

SOF-ELK (Security Operations and Forensics Elasticsearch, Logstash, Kibana) is a pre-configured virtual machine to be used within one of SANS’s forensics classes.

https://github.com/philhagen/sof-elk

https://isc.sans.edu/forums/diary/Adversary+hunting+with+SOFELK/22592/

Hindsight

Hindsight is a history forensics utility for Google Chrome/Chromium.  Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies). Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.

https://github.com/obsidianforensics/hindsight

Monday, August 14, 2017

Current Branch for Business setting within Windows 10 Professional

In the past, the Current Branch for Business (CBB) was released around four months after the Current Branch, though this appears to be changing with the Fall Creators Update.  The CBB was designed to give organizations time to test a new version before deploying it.  To configure Windows 10 Professional to use it, launch gpedit.msc with local administrative authority and navigate to Computer Configuration –> Administrative Templates –> Windows Components –> Windows Update –> Defer Windows Updates.  Modify the “Select when Feature Updates are received” entry and set it to Enabled.  Use the drop-down dialog box to select “Current Branch for Business” and enter a deferral value such as 90 days.

image

Another option at the same path is “Select when Quality Updates are received.”

image

This will delay the installation of monthly updates for the number of days that are specified.  When checking the Update section under Settings, a notification warning will appear stating some settings are hidden or managed.

image

Tuesday, August 1, 2017

CyberChef

CyberChef is an online utility with a large number of available operations.  Examples would be converting data formats such as to and from Hex, to and from Binary, etc.  A portable version can be downloaded as well.

https://gchq.github.io/CyberChef/

image

PowerShell Group-Object

The Group-Object cmdlet within PowerShell is similar to the GROUP BY clause in a SQL statement.  Below are a few examples of using the cmdlet to obtain count totals.

image

image
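An added example (not code from the original post) with three count totals a defender would actually run, each grouping on a different kind of key: a plain property, a property that needs a lookup to be readable, and a script block expression, which is the closest PowerShell gets to GROUP BY on a computed column. The 4625 property index is the standard layout of that event; the Security log and Get-NetTCPConnection need an elevated session.

```powershell
# Added example, not code from the original post: Group-Object count totals.

# 1. Running processes by executable publisher; unknown publishers stand out.
function Get-ProcessCountByCompany {
    Get-Process |
        Group-Object -Property Company |
        Sort-Object -Property Count -Descending |
        Select-Object Count,
            @{ Name = 'Company'; Expression = { if ($_.Name) { $_.Name } else { '(no publisher info)' } } }
}

# 2. Established TCP connections per owning process, with the distinct remote peers.
function Get-ConnectionCountByProcess {
    Get-NetTCPConnection -State Established |
        Group-Object -Property OwningProcess |
        ForEach-Object {
            [pscustomobject]@{
                Count   = $_.Count
                PID     = [int]$_.Name
                Process = (Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue).ProcessName
                Remotes = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object -Property Count -Descending
}

# 3. Failed logons (Security event 4625) by target account, grouped on a script block.
function Get-FailedLogonCountByAccount {
    param([int]$MaxEvents = 1000)
    # Properties[5] is TargetUserName in the 4625 event layout.
    # No matching events produces no output instead of an error.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Group-Object -Property { $_.Properties[5].Value } |
        Sort-Object -Property Count -Descending |
        Select-Object Count, @{ Name = 'Account'; Expression = { $_.Name } }
}

Get-ProcessCountByCompany      | Format-Table -AutoSize
Get-ConnectionCountByProcess   | Format-Table -AutoSize
Get-FailedLogonCountByAccount  | Format-Table -AutoSize
```

Note that an empty Company value groups under an empty Name, not $null, which is why the first function tests truthiness rather than comparing to $null.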

NoMoreRansom.org

The web site for NoMoreRansom allows an individual to upload a sample file encrypted by a ransomware variant to determine if a solution is available for decrypting it.

https://www.nomoreransom.org/

SessionGopher

SessionGopher is a PowerShell Session Extraction tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.

SessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It automatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords.

https://github.com/fireeye/SessionGopher

Stitch

Stitch is a cross-platform Python Remote Administration Tool. This framework allows you to build custom payloads for Windows, Mac OSX and Linux.

https://github.com/nathanlopez/Stitch

VMware Technical Papers web site

The URL below is the main page for the Technical Papers resource on the VMware web site.

http://www.vmware.com/techpapers.html#/?client=tech_paper&num=25&filter=0&site=tech_paper&ie=UTF-8&oe=UTF-8&getfields=*&partialfields=(default:default)&requiredfields=&entqr=0&start=0&sort=meta:revisionDate:D&tlen=200&numgm=3&cn=vmware&cc=en&cid=&tid=&stype=main

Saturday, July 1, 2017

How to perform a full shutdown within Windows 10

By default, Windows 10 does not perform a full shutdown when the normal power menu option is used.  The Fast Startup Mode uses the hibernation file to restore a previously saved image of the Windows kernel and all necessary drivers for installed devices.

To modify the default, access Power Options and then select “Choose what the power buttons do.”  A shortcut without modifying the default is to hold the Shift key down when selecting the Shut Down menu option.

https://www.howtogeek.com/243901/the-pros-and-cons-of-windows-10s-fast-startup-mode/

windows10_disable_faststartup
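An added example (not code from the original post) that reads the Fast Startup setting from the registry, turns it off, and forces a full shutdown from the command line. A machine "shut down" with Fast Startup still carries its previous kernel session, which matters when you expect a shutdown to apply a kernel-mode patch or clear in-memory state. The registry value name and the shutdown.exe switches are the documented ones; the key is under HKLM, so the session must be elevated to change it.

```powershell
# Added example, not code from the original post: inspect, disable and bypass
# Fast Startup (hybrid boot).
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Get-FastStartupState {
    $v = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
    [pscustomobject]@{ HiberbootEnabled = $v; FastStartupOn = ($v -eq 1) }
}

function Disable-FastStartup {
    # Same effect as clearing "Turn on fast startup" under "Choose what the power buttons do".
    Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Value 0 -Type DWord
    Get-FastStartupState
}

# A full shutdown without changing the setting: shutdown.exe /s shuts down
# completely; only "/s /hybrid" requests the fast-startup variant.
function Invoke-FullShutdown { shutdown.exe /s /t 0 }

Get-FastStartupState
```

Disabling hibernation entirely with "powercfg /h off" also switches Fast Startup off, since the feature depends on the hibernation file.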

Check a Chromebook’s Battery Health

To check a Chromebook’s battery health, access the Chrome shell via Control + Alt + T and use the command battery_test.

image

Another method is to use the URL of chrome://power.

image

whoer.net

Whoer.Net is a web site that displays information concerning your network address and web browser.

https://whoer.net/

image

Pybelt

Pybelt is a Python-based hacker's tool belt capable of cracking hashes without prior knowledge of the algorithm, scanning ports on a given host, searching for SQLi vulnerabilities in a given URL, verifying that your Google dorks work like they should, verifying the algorithm of a given hash, scanning a URL for XSS vulnerabilities, and finding usable HTTP proxies.

https://github.com/Ekultek/Pybelt

DBShield

DBShield is a Database Firewall written in Go that has protection for MySQL/MariaDB, Oracle and PostgreSQL databases. It works in a proxy fashion inspecting traffic and dropping abnormal queries after a learning period to populate the internal database with regular queries.

Learning mode lets any query pass but it records information about it (pattern, username, time and source) into the internal database.

After collecting enough patterns we can run DBShield in protect mode. Protect mode can distinguish abnormal query pattern, user and source and take action based on configurations.

https://github.com/nim4/DBShield

VMware Tools Client

VMware Tools Client allows you to interact with your vSphere VMs without network connectivity; it executes scripts and transfers files to the vSphere virtual machines through VMware Tools.

http://pierrelx.com/vmware-tools-client/

Lineage OS

Lineage OS is the successor to the CyanogenMod project, and offers firmware for certain Android devices.

http://lineageos.org/

File2pcap

File2pcap is a tool which will create a pcap from any input file, simulating this file in transit, using various protocols and encodings. The resulting pcap file can then be used to create or test rules for Snort.

http://blog.talosintelligence.com/2017/05/file2pcap.html

https://github.com/Cisco-Talos/file2pcap/

Maltrail

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where trail can be anything from domain name, URL, IP address or HTTP User-Agent header value.

https://github.com/stamparm/maltrail

Etherape

EtherApe is a graphical network monitor for Unix modelled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically as hosts and links change in size with traffic.

http://etherape.sourceforge.net/

Sysmon Configuration Template

The link below contains a configuration template for the Sysinternals Sysmon utility.

https://github.com/SwiftOnSecurity/sysmon-config

Thursday, June 1, 2017

How to disable the Customer Experience Improvement Program within Windows 7

To disable the Customer Experience Improvement Program within Windows 7, click on the Start Menu and type “customer”.  One of the available selections should be Control Panel –> Change Customer Experience Improvement Program settings.  Once launched, select the “No” option and use the Save Changes button.

image

Several scheduled tasks may be present under Microsoft –> Windows –> Customer Experience Improvement Program that can be disabled.

image

Additional scheduled task entries can be disabled under Microsoft –> Windows –> Application Experience.

image

The screen captures below are from Windows 8.1.

image

image

Acunetix Free Manual Pen Testing Tools

Acunetix has released a free set of security-related utilities.  Some of the tools are an HTTP Editor, an HTTP Sniffer, and an HTTP Fuzzer.

acunetix_manual_tools

http://www.acunetix.com/vulnerability-scanner/manual-tools/

The plugins URL within Google Chrome

Starting with Google Chrome version 57, the existing URL of chrome://plugins was removed.  The URL of chrome://settings/content allows control of Adobe Flash content, and chrome://components to display the version of Flash installed.

image

image

Issue with .MP3 files on a SD card within Android

Media such as .MP3 files were copied to an external SD card, but the default media player would not recognize them.  One potential cause is the presence of a .nomedia file on the SD card.

image

Once this file was removed, applications such as VLC detected the .MP3 files that were present on the SD card.  Additional information can be found at the link below.

http://www.easycodeway.com/2016/08/hide-files-in-android-using-nomedia-file.html

vCenter Cluster Performance Tool

vCenter Cluster Performance Tool is a PowerShell script that uses vSphere PowerCLI to obtain performance data for a cluster by aggregating information from individual hosts.

https://labs.vmware.com/flings/vcenter-cluster-performance-tool

Chrome Cleanup Tool

Google offers a cleanup utility for Chrome for the Windows platform.

image

https://www.google.com/chrome/cleanup-tool/

Sn1per

Sn1per is a penetration testing automation scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.  It performs several different tasks, such as testing for anonymous FTP and LDAP access.

https://github.com/1N3/Sn1per

Ettercap

Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

https://ettercap.github.io/ettercap/

Exchange Analyzer

Exchange Analyzer is a PowerShell tool that scans an Exchange Server 2013 or 2016 and reports on compliance with best practices.

https://gallery.technet.microsoft.com/office/Exchange-Analyzer-6e20132e

https://exchangeanalyzer.com/

Monday, May 1, 2017

How to monitor Google Chrome extensions

To monitor network traffic for a specific extension within Google Chrome, access the Settings and then the Extensions section.  Click on the Developer Mode checkbox near the top of the page.

image

Find the extension in question within the list and then click on the link to the left of Inspect views.

image

A new dialog box should appear.  Click on the Network menu option near the top to display network traffic for the extension.

image

How to view digital certificate details within Google Chrome

Starting with Chrome version 56, the following method is required to view the details of a digital certificate.

Three Dots Menu -> More Tools -> Developer Tools, then click on the Security Tab. Access the View Certificate Button.

image

With Windows, a shortcut key combination is Control + Shift + I.

PowerMemory

PowerMemory is a PowerShell based tool to exploit Windows credentials present in files and memory.

https://github.com/giMini/PowerMemory

HTTP-PING

Http-ping is a free Windows-based command line utility to perform network connectivity checks via HTTP.  The application can be downloaded from:

https://www.coretechnologies.com/products/http-ping/

No installation is required.  The example below includes the date and time stamp, uses an interval of 5 seconds, and also writes the output to a text file.

http-ping -d -i 5 -f test.txt google.com

image

Windows 10 Creators Update–Only Allow Apps From Store

Windows 10 Creators Update includes an option to only allow applications to be installed from the Store.  Under Settings –> Apps –> Apps and Features, use the drop-down dialog box to set the parameter for installing applications.

image

If the parameter is set to only allow apps from the Store and a “normal” desktop application is launched, a dialog box will appear.

image

This includes portable applications or any .EXE program.

image

If the parameter is set to warn, a new button is available when the dialog box appears.

image

Night Light within Windows 10 Creators Update

Windows 10 Creators Update includes a new “Night Light” feature, which is designed to reduce eyestrain.  The option can be enabled via Settings –> System –> Display.  A link to additional settings is available as well.

image

image

The feature can also be found via the Action Center.

image

Using Storage Sense to automatically purge files within Windows 10 Creators Update

Within Windows 10 Creators Update, a new feature is available to automatically purge files to free up disk space.  Access Settings and then the System section.  Click on Storage within the left hand column.  To the right, an option to enable Storage Sense should be present.

image

To view the parameters of the feature, click on the “Change how we free up space” link.

image

Stop Windows 10 From Automatically Updating Hardware Drivers

To configure Windows 10 to not automatically update hardware drivers, use the following Registry hack.  Note that driver updates may be bundled with security updates or feature updates, so this modification may not be 100% effective.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ExcludeWUDriversInQualityUpdate"=dword:00000001

Certain versions of Windows 10 may allow the parameter to be set via the Local Group Policy.  Use the command “gpedit.msc” to launch the Local Group Policy Editor and navigate to the following path:

Computer Configuration/Administrative Templates/Windows Components/Windows Update

Find the entry “Do not include drivers with Windows Updates” and enable the policy.

image
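An added example (not code from the original post) that applies the same ExcludeWUDriversInQualityUpdate value as the .reg file above from PowerShell, then reads back the policy key so you can confirm what Windows Update will actually honor. The read-back also covers the deferral values written by the "Select when Feature Updates are received" and "Select when Quality Updates are received" policies from the August 14 entry, since they live under the same key; the BranchReadinessLevel encoding (16 = Current Branch, 32 = Current Branch for Business) is the documented Windows Update for Business mapping. Writing under HKLM\SOFTWARE\Policies needs an elevated session.

```powershell
# Added example, not code from the original post: set the driver-exclusion
# policy and read back the Windows Update policy values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-ExcludeDriversFromWindowsUpdate {
    # Equivalent to the .reg import; creates the policy key if no policy has been set yet.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name ExcludeWUDriversInQualityUpdate -Value 1 -Type DWord
}

function Get-WindowsUpdatePolicy {
    $names = 'ExcludeWUDriversInQualityUpdate',
             'BranchReadinessLevel',              # 16 = Current Branch, 32 = Current Branch for Business
             'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
             'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays'
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($n in $names) {
        [pscustomobject]@{
            Name  = $n
            Value = if ($props -and $null -ne $props.$n) { $props.$n } else { '(not set)' }
        }
    }
}

Set-ExcludeDriversFromWindowsUpdate
Get-WindowsUpdatePolicy | Format-Table -AutoSize
```

Values set through gpedit.msc land in this same key, so the read-back shows the merged result of either method; a value that reads "(not set)" after a Group Policy change usually means the policy has not been applied yet.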