{"id":2159,"date":"2021-01-09T15:08:43","date_gmt":"2021-01-09T14:08:43","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2159"},"modified":"2023-12-20T21:29:27","modified_gmt":"2023-12-20T20:29:27","slug":"various-blue-team-red-team-notes","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2159","title":{"rendered":"Various blue team \/ red team&nbsp;notes"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Blue team<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Use <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=177\">knockd<\/a> to hide&nbsp;<span class=\"caps\">SSH<\/span><\/li><li>List the arp cache and check if mul\u00adti\u00adple IPs routes to the same phys\u00adi\u00adcal adress. Maybe a MitM attack is in progress.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">More secure development<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>If an attack\u00ader can write files but not direc\u00adto\u00adries, it could be a good idea to store sen\u00adsi\u00adtive files in anoth\u00ader sub\u00addir. If this sub\u00addir does\u00adn\u2019t exist nor\u00admal\u00adly, exploit like MySQL <span class=\"caps\">INTO<\/span> <span class=\"caps\">OUTFILE<\/span> exploits does\u00adn\u2019t&nbsp;work.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Samba misusage<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Detect cur\u00adrent run\u00adning sam\u00adba ses\u00adsion (e.g. from rpclient)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\net session<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">A ses\u00adsion can be removed with<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\net session \\&lt;attacker_ip&gt; \/del<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Play with the attack\u00ader (<a href=\"https:\/\/www.sans.org\/blog\/plundering-windows-account-info-via-authenticated-smb-sessions\/\">source<\/a>): Kill attack\u00ader ses\u00adsions each second<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\&gt; FOR \/L %i in (1,0,2) do @net session \\[LinuxIPaddr] \/del \/y &amp; ping -n 2 127.0.0.1&gt;nul<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Red Team<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Use alias or cre\u00adate a func\u00adtion (see bash notes) to so some\u00adthing if a user exe\u00adcutes some\u00adthing with his permissions.<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Blue team Use knockd to hide&nbsp;<span class=\"caps\">SSH<\/span> List the arp cache and check if mul\u00adti\u00adple IPs routes to the same phys\u00adi\u00adcal adress. Maybe a MitM attack is in progress. More secure devel\u00adop\u00adment If an attack\u00ader can write files but not direc\u00adto\u00adries, it could be a good idea to store sen\u00adsi\u00adtive files in anoth\u00ader sub\u00addir. If&nbsp;this&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[482],"tags":[187,211],"class_list":["post-2159","post","type-post","status-publish","format-standard","hentry","category-notes","tag-blue-team","tag-red-team"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2159"}],"version-history":[{"count":2,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2159\/revisions"}],"predecessor-version":[{"id":3059,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2159\/revisions\/3059"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}