Posts

Quick and Easy Android Malware Analysis - Part 1 Getting Started

Over the last year I have been performing research on mobile devices. My last job had me analyzing the security of Android applications, and recently my new job has drawn on that experience to help someone analyze some Android malware. First we researched potential solutions that could help automate analysis, or at least do some type of dynamic analysis, and that is where I stumbled onto CuckooDroid (https://github.com/idanr1986/cuckoo-droid). After a day or two of messing with CuckooDroid I decided that it was a little overkill for what I needed to do, which was grab a PCAP of the traffic. In one of my next posts I'll cover setting it up, but for now here is what you need to do if you want to do a quick and easy analysis of an Android malware sample.

1) Install Android Studio (http://developer.android.com/sdk/installing/index.html)
2) Use the SDK Manager to install the SDKs and images that match the malware you are going to be analyzing.
...

Need your wifi info? There is a PowerShell script for that.

I spent some time cleaning up my laptop the other day, which included removing unused programs and files. It then hit me that I probably had a bunch of wifi profiles that I don't need anymore, so I thought about writing a script to call the netsh command to output this info. After working on this for about an hour and finally having a crude PowerShell command that output this info, I did a search and sure enough someone else had already written one. Anyway, here is the command I came up with and a link to the script I found.

PS C:\Windows\system32> netsh wlan show profiles | Select-String -Pattern "All User Profile" | ForEach-Object {$_.ToString()} | ForEach-Object {$_.Replace("    All User Profile     : ",$null)} | ForEach-Object {netsh wlan show profile name=$_ key=clear} | Format-List

Profile Wireless1 on interface Wi-Fi:
=======================================================================
Applied: All User Profile

Profile informa...

Port Scanning with PowerShell

It's been a few weeks since my last post, so I've decided to try out some more PowerShell scripting. Here is a script to do some port scanning from a Windows system with PowerShell. Right now it only allows for IP addresses to be used.

###############################################################################################
#
# Script: PSPortScanner.ps1
# By: Tim Muniz
# Date: 20160120
#
###############################################################################################
<#
.SYNOPSIS
This script scans a remote host to check what ports are open.
.DESCRIPTION
This script scans a remote host to check what ports are open.
.PARAMETER Target
Remote host to scan
.PARAMETER SPort
Port to start scan with.
.PARAMETER EPort
Port to end scan with.
.EXAMPLE
Scan remote host to check what ports are open.
PSPortScanner.ps1 1 1024 10.1.1.2
.NOTES
Please let me know what you think or if it isn't working.
#>
[CmdletBindin...

Testing Joomla for CVE-2015-8562

Over the last couple of days I've been responding to questions about Joomla's 0-day, which has been gaining some attention lately. I decided to write a PowerShell script to check whether a Joomla server is running at least 3.4.6 or 3.4.7. Hope you enjoy it, and let me know your thoughts.

###############################################################################################
#
# Script: CheckJoomla.ps1
# By: Tim Muniz
# Date: 20151222
#
###############################################################################################
<#
.SYNOPSIS
This script checks the Joomla version to determine if the remote host is vulnerable to CVE-2015-8562.
.DESCRIPTION
This script checks the Joomla version to determine if the remote host is vulnerable to CVE-2015-8562.
.PARAMETER target
A host running Joomla to test.
.PARAMETER Https
To test a host running SSL/TLS. This is an optional parameter.
.EXAMPLE
Check remote Joomla ...

Moving On

In the next couple of weeks I will be moving on to a position with Cisco Talos as a Research Engineer. I'm very excited about the move and the chance to work with an awesome group of people. I can't wait to get started, and the move has rekindled the love I once had for staying up late to learn some new techniques. So here is a script I created to grab useful IR info from a Windows box with PowerShell. I guess you could also use it to grab info while doing pentests as well. It's very generic and crude, as I'm just starting to get into PowerShell.

#
# Name: Win_IR.ps1
# Desc: PowerShell script for gathering useful information for
# performing IR on a Windows host
#
# by: Tim Muniz
# Date: 20151221

get-date -format s
whoami
hostname

#Get Boot Time
systeminfo | select-string -pattern 'System Boot Time.*'

#Get Running Processes
Get-Process | Format-Table

#Get Registry Keys
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersi...

Using your vulnerability scanner to perform Incident Response

This is a post I've been thinking about writing for some time now, ever since it occurred to me while sitting at work one day: why not use a tool we already have to do some IR on a suspect system? We have Nessus and we use it to scan systems all over the network, so I know I can log into the system remotely. This would save me time and speed up my preliminary investigations. Nessus already has plenty of plugins that will report on useful IR information; it's just that people have probably never thought to use it that way. So here are the plugins I've come up with to try and do some preliminary IR with Nessus. Here is a list of the information that I need:

- Running Processes
  70329 Microsoft Windows Process Information
- Active Connections
  34220 Netstat Portscanner (WMI)
  58651 Netstat Active Connections
  64582 Netstat Connection Information
- AutoRuns (checking for persistence)
  70615 Microsoft Windows AutoRuns Boot Execute
  70621 Microsoft Windows AutoRuns Logon
  70625 Microsoft Windows AutoRun Sch...

SANS GPEN Certified

A few weeks ago I took the SANS 560 Network Penetration Testing and Ethical Hacking course. It was an awesome course and I had a lot of fun completing the exercises and the practical. I gave myself a week to study for the exam and scheduled the GIAC GPEN exam for the following Monday. I studied a couple of hours each night, trying to finish at least one of the 5 books a night. When the day came I felt ready. The exam is open book, so I took all my materials in the event I couldn't remember something and had to look it up. I scored an 87% and was extremely happy to have passed the exam. There were a few questions I had to look up, but not many, so I feel comfortable that I know the material. For anyone looking to take the GIAC GPEN I have a few recommendations. Take the course, whether that is live, online or by some other means that SANS offers, as I feel it is well worth it. Prior to the exam, give yourself a few hours each night to study at least one section at a time and re-read the pa...