Hacking
I haven’t had tea but I was thinking about the MAC i was remoting into and I suddenly thought.. I wonder how to crack the hashes from a MAC. Surely it’s just cat /etc/passwd and cat /etc/shadow and then unshadow and run hashcat right?
WRONG!
The hashes for local users are stored here:
Read more “Hash Cracking for Modern OS X (10.8+)”
Hacking
When you gain access to a target node you will want to explore, the exact method you use to do this will depend upon operational security considerations, time constraints and style. You will be looking for a range of elements to support progressing an objective.
It should be noted that the objective may NOT require elevation. You may be trying to obtain data and access might already be possible using the context you have assumed.
You also may need to move from a www-data user to a named user account or get to root level of access. If so there’s a range of questions we should be asking ourselves:
Read more “Linux Privilege Escalation”
Guides
Checking an environment configuration is one of those things where it’s easy to say and harder to do. If we take the cyber essentials standard and look at the requirements, they are quite different from say the CIS baselines. This alone makes for some fun, let’s investigate this further:
CIS baselines are based on a specific component e.g., Windows Server or Windows client and is contextually aware of roles: e.g., Domain Controller vs Member Server.
Is this registry key set?
Read more “Measuring Cyber Essentials: Windows Security Configuration”
Defence
Spotted on twitter (thanks Danny!):
already ahead of u
— MrR3b00t | #StandWithUkraine #DefendAsOne (@UK_Daniel_Card) June 9, 2022you know that all the infosec pros have to read every one…. well ones relvent to their environment/scope….
x pic.twitter.com/AnMqiLjNvB
CISA updates the known exploited vulnerabilities list (KEV) yesterday with another 38 updates!
That means an update is required for OFFESNIVE KEV!
Read more “Offensive KEV Updates! CISA releases 38 more CVEs to KEV”
Hacking
TLDR: If you have been hunting for privescs before you will know it’s normally not a fast task, you will have a shed ton of data to look at. Sure WINPEAS is good but it’s not a silver bullet.
Here is a really small script which focuses on system administration files/scripts, scheduled tasks and scheduled task history to help you hunt for weaknesses:
Read more “Priviledge Escalation Hunting – Scheduled Tasks and Scripts”
Guides
Have you ever tried to SSH into a server and recieved the following error?
no matching key exchange method found. Their offer: diffie-hellman-group1-sha1Well that’s probably becuase you are using a bit of kit with legacy software or firmware.
Then when you try to SSH and you add diffie-hellman-group1-sh1 you get the following back?
Read more “SSH oh MY: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1”
Education
I was talking to a friend about a requirement to “measure” cyber essentials compliance. Now if you know a thing or two about standards and applying standards to complex technology environments you might come up with:
Well sure, you could write a massive set of rules which ignore any context and try and cater for a huge number of different scenarios. You could use the Q&A approach as well (which is how the standard workbook works anyway so that already exists). But let’s say you are an IT manager, and you want to KNOW how your environment stacks up!
The question is simple, it’s easy to ask, look:
Education
I build VM labs. Lots of them, but I tend to go full machines. I was checking out the new TCM web app course the other day (honestly i’ll write a review if I get time to finish it!) and it’s built around using docker for DVWA and OWASP JUICE SHOP so I figured I should write a quick blog about how to deploy these so people can get started learning in minutes.
Now here we have:
but you don’t have to stop there, i’m sure there’s others you can use as well!
This isn’t an exhaustive guide, but it will get the docker instances up and running.
Guides
Have you ever wanted to run a quick test of egress ports from userland from a windows machine?
Well worry not, I didn’t even have to write anything, the nice people at Black Hills security have done it for us. However I did decide that there’s a few other things we might want to do, so I made a quick modification, now we have colours, randomisation and some sleeps.
Read more “Testing Risky Egress Ports”
Education
You can deploy Nessus in a range of ways, from direct install through to using a cloud-based deployment or virtual appliance.
A common reason for deploying on Kali or other distro rather than using the virtual appliance is for mobility, ease of use but also you might want to VPN or proxy traffic.
The install process is simple, log into your account on tenable community portal and download the relevant installation package.
Read more “Installing Nessus Pro on Kali Linux”