akde/infosec

Information security is ultimately about managing risk


Blue team

  • Use knockd to hide SSH
  • List the ARP cache and check whether multiple IPs map to the same physical (MAC) address. If so, a MitM attack may be in progress.
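The ARP check above, as an added example that is not part of the original notes: it parses `arp -a` output (Linux and Windows formats, both samples constructed here), skips broadcast/multicast entries, and reports MACs that answer for more than one IP. A shared MAC is only a hint: a router doing proxy ARP or a host with several virtual IPs also produces one, so confirm before acting.

```python
import re
from collections import defaultdict

# Constructed sample of Linux `arp -a` output (not captured from a real host).
SAMPLE_LINUX = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.10) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.30) at aa:bb:cc:dd:ee:03 [ether] on eth0
"""

# Constructed sample of Windows `arp -a` output (same constructed MACs).
SAMPLE_WINDOWS = """\
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# IPv4 address, then non-digit filler (") at " or spaces), then a MAC with ':' or '-'.
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return {normalized_mac: [ip, ...]} from `arp -a` output."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            mac = m.group("mac").lower().replace("-", ":")
            table[mac].append(m.group("ip"))
    return dict(table)


def find_shared_macs(text):
    """MACs claimed by more than one IP, ignoring group (multicast/broadcast) addresses.

    A group address has the least-significant bit of its first octet set, so
    ff:ff:ff:ff:ff:ff and 01:00:5e:... are expected to map to many IPs.
    """
    return {
        mac: ips
        for mac, ips in parse_arp(text).items()
        if len(ips) > 1 and not int(mac[:2], 16) & 1
    }
```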

More secure development

  • If an attacker can write files but not directories, it can be a good idea to store sensitive files in a separate subdirectory. If that subdirectory does not normally exist, exploits like MySQL INTO OUTFILE do not work.

Samba misuse

Detect currently running SMB sessions (e.g. from rpcclient)

C:\> net session

A session can be removed with

C:\> net session \\<attacker_ip> /del

Play with the attacker (source): kill the attacker's sessions every second (the step of 0 makes the FOR /L loop run forever; the ping against 127.0.0.1 is a one-second delay)

C:\> FOR /L %i in (1,0,2) do @net session \\[LinuxIPaddr] /del /y & ping -n 2 127.0.0.1>nul

Red Team

  • Use an alias or create a function (see bash notes) to do something when a user executes something with his permissions.
