akde/infosec

Information security is ultimately about managing risk


  • Tools: Exe­cu­tion pos­si­bil­i­ties for a dynam­ic analy­sis, if deob­fus­ca­tion is not soooo good: Tipp: Over­write sen­si­ble meth­ods, if the lan­guage allows it. For exam­ple, in JavaScript: eval = print Now, each eval state­ment is not exe­cut­ed, but just printed :-).


  • Goal: See on a sys­tem if some spe­cif­ic exe­cute­able was executed.


  • See also Autostart (Per­sis­tence) | Hexacorn


  • Registry Windows Event Logging File system analysis See the NTFS arti­cle about logging.


  • Foren­sic tools


  • Dis­sect is a foren­sic tool for file sys­tem images,


  • Ques­tions, who should be answered easily: Tips for analyzing log files Search a log and count the hosts: cat log | jq -c '.host' | sort | uniq -c | sort -n To see more about the host “Apache” cat log | grep "Apache" | jq Search in gzipped logs: zgrep log.gzzcat log.gz | grep "Apache" Con­vert…


  • Use cas­es Tools Stan­dard unix tools like awk can also been used with a cat of a flow file. nfdump SiLK argus


  • JA4S is a sys­tem to hash the con­fig­u­ra­tion of a TLS con­nec­tion. More: ja4/technical_details/README.md at main · FoxIO-LLC/­ja4 · GitHub Pos­si­ble use cases:


  • Case: Ransomware


  • CAINE can be used as a live sys­tem to per­form foren­sic stud­ies of a sys­tem (e.g. after a Incident).


  • If the sys­tem is pow­ered off: If the sys­tem is active: If the sys­tem is a VM: Oth­er systems: Ques­tions:


  • Get hidden content from password fields Sce­nario: Use JavaScript for extrac­tion. Copy and pase the fol­low­ing into the web browser’s console: Extract keystrokes live from a Browser Sce­nario: Do: Extract Cookies Sce­nario: Inject/Do: Extract local / session storage Like above: Stealing site passwords Sce­nario: Then, inject JS which adds an invis­i­ble user/username/name text field and…


  • Pacu can be used to test an AWS account. Setup: Unauthorized enumeration Requires only an AWS access key and secret key. Enu­mer­ate roles. Cre­ate a list with pos­si­ble roles to check. run iam__enum_roles --word-list /tmp/roles.txt --account-id $accountId Enu­mer­ate users which belong to a (pre­vi­ous­ly found) role. Cre­ate also a list of pos­si­ble user names. run iam__enum_users --word-list…


  • Initial (network) enumeration Check where a ser­vice is host­ed by quer­ing the name­serv­er records for our tar­get domain: host -t ns $domain Get more infor­ma­tion / con­fir­ma­tion via a whois query to one pre­vi­ous­ly found domain. whois $previouslyFoundDomain Check where a host is running: host $domainhost $ipFromTheDomain Check more domains of this organ­i­sa­tion / of…


  • Attacking Domain Controller Synchronization The DRS Direc­to­ry Repli­ca­tion Ser­vice is respon­si­ble to repli­cate a DC’s data to mul­ti­ple redun­dant DC’s. Sce­nario: You own a user who has one of the fol­low­ing rights: Nor­mal­ly, users in the fol­low­ing groups have these (could be con­fig­ured oth­er­wise, of course): You can check with the script in Basic Active Direc­to­ry…


  • The four process ID’s For each process, Lin­ux man­ages four UID’s. When a process from a user with UID 1000 is started/forked, then the new process has nor­mal­ly also the UID 1000. How­ev­er, with SUID/GUID it becomes more com­pli­cat­ed, since process­es can get oth­er UIDs than the one of the caller. When a process like passwd…


  • Enumeration In PowerShell Cau­tion: This com­mand works via RDP in an inter­ac­tive ses­sion, but NOT in a non-priv­i­leged bind/winrm shell. All ser­vices: PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName All run­ning services: PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}…


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';