Just Another IT Security Blog

It's been a long time since I last blogged. I've changed jobs and started my own company. Recently, I started gearing up for the SANS GCFA exam as I only have a month left to study until my voucher expires. I took the practice test and scored little better than I thought going off memory so it shouldn't be too bad with the books. Computer forensics has been an interest of mine for a while and recently I've began studying about it more. This got me thinking on an idea that someone mine find useful. I've spent most of my career doing vulnerability analysis, pentesting and other offensive type of IT security and now that I've began looking into the defensive, mainly the incident response and remediation, I thought about writing how to leverage the tools I know for incident response. Take Nessus for example. There are plenty of plugins that would provide you with useful information that you would need in the event you suspect a system has been compromise. So over ...

I just recently started to mess around with MS Powershell and have found it very useful. As a Nessus Audit Writer, I'm able to perform checks like I could on linux/unix. Here is an example just one of items you can do with Powershell. Find file/drive shares that have the user 'Everyone' assigned to them PS C:>get-wmioject -namespace root\cimv2 -class win32_share | where-object {$_.path -ne ""} -erroraction silentlycontinue| get-acl | where-object {$_.accesstostring -match "everyone"} | format-list -property path,accesstostring Path : Microsoft.PowerShell.Core\FileSystem::C:\ AccessToString : Everyone Allow ReadAndExecute, Synchronize CREATOR OWNER Allow 268435456 NT AUTHORITY\SYSTEM Allow FullControl BUILTIN\Administrators Allow FullControl BUILTIN\Users Allow AppendData BUILTIN\Users Allow CreateFiles BUILTIN\Users Allow ReadAndExecu...

Recently, I've ran into a few situations were I had to start testing for if SSLv2 was allowing connections. Instead of using a tool such as a vulnerability scanner, I found that the best way to go about this was with openssl and s_client. This would allow me to fine tune my request to get the information that I needed manually and cut out the time spent waiting for a scanner to finish. Here is an example of how you can check if SSLv2 is allowed on a system using openssl Allowed Connection: root#openssl s_client -ssl2 -no_ssl3 -no_tls1 -connect 192.168.1.2:443 CONNECTED(00000003) ...certificate exhange etc.... SSL handshake has read 879 bytes and written 236 bytes --- New, SSLv2, Cipher is DES-CBC3-MD5 Server public key is 1024 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv2 Cipher : DES-CBC3-MD5 Session-ID: 26691A60E4F2220AB63D22A032E26872 Session-ID-ctx: Master-Key: CC2E5772DA1C9908333FC4905136041BAD...

Anyone interested in learning how to write exploits should check out the following blog http://www.corelan.be:8800/