Posts

Using your vulnerability scanner to perform Incident Response

This is a post I've been thinking about writing for some time now as I was sitting at work one day. Why not use a tool we already have to do some IR on a suspect system? We have Nessus and we use it to scan systems all over the network, so I know I can log into the system remotely. This would save me time and speed up my preliminary investigations. I mean, Nessus already has plenty of plugins that will report on useful IR information; people have probably just never thought to use it that way. So here are the plugins I've come up with to try and do some preliminary IR with Nessus. Here is a list of the information that I need:

- Running Processes
  70329 Microsoft Windows Process Information
- Active Connections
  34220 Netstat Portscanner (WMI)
  58651 Netstat Active Connections
  64582 Netstat Connection Information
- AutoRuns (Checking for persistence)
  70615 Microsoft Windows AutoRuns Boot Execute
  70621 Microsoft Windows AutoRuns Logon
  70625 Microsoft Windows AutoRun Sch...

SANS GPEN Certified

A few weeks ago I took the SANS 560 Network Penetration Testing and Ethical Hacking course. It was an awesome course and I had a lot of fun completing the exercises and practical. I gave myself a week to study for the exam and scheduled the GIAC GPEN exam for the following Monday. I studied a couple of hours each night, trying to finish at least one of the 5 books a night. When the day came I felt ready. The exam is open book, so I took all my materials in the event I couldn't remember something and had to look it up. I scored an 87% and was extremely happy having passed the exam. There were a few questions I had to look up, but not many, so I feel comfortable that I know the material. For anyone looking to take the GIAC GPEN I have a few recommendations. Take the course, whether that is live, online or by some other means that SANS offers, as I feel it is well worth it. Prior to the exam give yourself a few hours each night to study at least one section at a time and re-read the pa...

It's been a while...

It's been a long time since I last blogged. I've changed jobs and started my own company. Recently, I started gearing up for the SANS GCFA exam as I only have a month left to study until my voucher expires. I took the practice test and scored a little better than I thought going off memory, so it shouldn't be too bad with the books. Computer forensics has been an interest of mine for a while and recently I've begun studying it more. This got me thinking of an idea that someone might find useful. I've spent most of my career doing vulnerability analysis, pentesting and other offensive types of IT security, and now that I've begun looking into the defensive side, mainly incident response and remediation, I thought about writing how to leverage the tools I know for incident response. Take Nessus for example. There are plenty of plugins that would provide you with useful information that you would need in the event you suspect a system has been compromised. So over ...

Powershell is Awesome....well so far

I just recently started to mess around with MS Powershell and have found it very useful. As a Nessus Audit Writer, I'm able to perform checks like I could on linux/unix. Here is an example of just one of the things you can do with Powershell. Find file/drive shares that have the user 'Everyone' assigned to them:

PS C:\> Get-WmiObject -Namespace root\cimv2 -Class Win32_Share | Where-Object {$_.Path -ne ""} -ErrorAction SilentlyContinue | Get-Acl | Where-Object {$_.AccessToString -match "everyone"} | Format-List -Property Path,AccessToString

Path : Microsoft.PowerShell.Core\FileSystem::C:\
AccessToString : Everyone Allow ReadAndExecute, Synchronize
CREATOR OWNER Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow AppendData
BUILTIN\Users Allow CreateFiles
BUILTIN\Users Allow ReadAndExecu...

Testing with OpenSSL

Recently, I've run into a few situations where I had to test whether SSLv2 was allowing connections. Instead of using a tool such as a vulnerability scanner, I found that the best way to go about this was with openssl and s_client. This would allow me to fine-tune my request to get the information that I needed manually and cut out the time spent waiting for a scanner to finish. Here is an example of how you can check if SSLv2 is allowed on a system using openssl.

Allowed Connection:

root# openssl s_client -ssl2 -no_ssl3 -no_tls1 -connect 192.168.1.2:443
CONNECTED(00000003)
...certificate exchange etc....
SSL handshake has read 879 bytes and written 236 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: 26691A60E4F2220AB63D22A032E26872
    Session-ID-ctx:
    Master-Key: CC2E5772DA1C9908333FC4905136041BAD...

Exploit Writing

Anyone interested in learning how to write exploits should check out the following blog: http://www.corelan.be:8800/