Posts

Showing posts from 2015

Testing Joomla for CVE-2015-8562

Over the last couple of days I've been responding to question about Joomla's 0-day which has been gaining some attention lately. I decided to write a PowerShell script to check a Joomla server if it is running the at least 3.4.6 or 3.4.7. Hope you enjoy it and let me know your thoughts. ############################################################################################### # # Script: CheckJoomla.ps1 # By: Tim Muniz # Date: 20151222 # ############################################################################################### <# .SYNOPSIS This script checks Joomla Version to check if the remote host is vulnerable to CVE-2015-8562. .DESCRIPTION This script checks Joomla Version to check if the remote host is vulnerable to CVE-2015-8562. .PARAMETER target a host running Joomla to test. .PARAMETER Https To test a host running SSL/TLS.  This is an optional parameter. .EXAMPLE Check remote Joomla ...

Moving On

In the next couple of weeks I will be moving onto a position with Cisco Talos as a Research Engineer. I'm very excited about the move and the chance to work with an awesome group of people. I can't wait to get started and the move has rekindled the love I once had for staying up late to learn some new techniques. So here is a script I created to grab useful IR info from a Windows box with PowerShell. I guess you could also use it to grab info while doing pentests as well. It's very generic and crude as I'm just starting to get into PowerShell. # # Name: Win_IR.ps1 # Desc: Powershell script for gathering useful information for # performing IR on a Windows Host # # by: Tim Muniz # Date: 20151221 get-date -format s whoami hostname #Get Boot Time systeminfo | select-string -pattern 'System Boot Time.*' #Get Running Processes Get-Process | Format-Table #Get Registry Keys Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersi...

Using your vulnerability scanner to perform Incident Response

This is a post I've been thinking about writing for some time now as I was sitting at work one day. Why not use a tool we already have to do some IR on a suspect system? We have Nessus and we use it to scan systems all over the network so I know I can log into the system remotely. This would save me time and speed up my preliminary investigations. I mean Nessus already has plenty of plugins that will report on useful IR information just people have probably never thought to use it that way. So here are the plugins I've come up with to try and do some preliminary IR with Nessus. Here is a list of the information that I need: - Running Processes 70329 Microsoft Windows Process Information - Active Connections 34220 Netstat Portscanner (WMI) 58651 Netstat Active Connections 64582 Netstat Connection Information - AutoRuns (Checking for persistence) 70615 Microsoft Windows AutoRuns Boot Execute 70621 Microsoft Windows AutoRuns Logon 70625 Microsoft Windows AutoRun Sch...

SANS GPEN Certified

A few of weeks ago I took SANS 560 Network Penetration Testing and Ethical Hacking course. It was an awesome course and I had a lot of fun completing the exercises and practical. I gave myself a week to study for the exam and scheduled the GIAC GPEN exam for the following Monday.  I studied a couple of hours each night trying to finish at least one of the 5 books a night. When the day came I felt ready. The exam is open book so I took all my materials in the event I couldn't remember something and had to look it up. I scored an 87% and was extremely happy having passed the exam. There were a few questions I had to look up but not many so I feel comfortably that I know the material. For anyone looking to taking the GIAC GPEN I have a few recommendations. Take the course, whether that is live, online or by some other means that SANS offers as I feel it is well worth it. Prior to the exam give yourself a few hours each night to study at least one section at a time and re-read the pa...