IDNeon
-
Posts
66 -
Joined
-
Last visited
-
Days Won
1
Posts posted by IDNeon
-
-
Here is an example of automating/generalizing a task mixing batch and powershell, the requirement of batch in this example is obvious, because to run a powershell script remotely requires an execution policy, but this can be bypassed using batch:
Quotewmic product get name,version > t:\installed-programs-%computername%.txt
net start > t:\running-services-%computername%.txt
set Var1A=get-windowsfeature -computername $env:computername
set Var1B=where-object installstate -eq installed
set Var1C=out-file t:\server-roles-$env:computername.txt
echo:%Var1A% ^| %Var1B% ^| %Var1C% >> t:\server-roles.ps1powershell -ExecutionPolicy ByPass -File t:\server-roles.ps1
There are features not always installed so you might need to include a "get module" to get, for instance, servermanager which is where "get-windwosfeature" lives in older versions of powershell.
The program creates a powershell script and executes it.
This can be made as complex and lengthy as you want it in order to grab as much information as you want in a generic process, and pipe the results (out-file, output, etc.) to a single folder, or even append to a single file, where you can collect the data from some common location.
If you create a loop you, with a few more pieces, you can cycle through a laundry list of variables to grab information from a list of computers, etc. -
I think it'd be useful to share some basic tasks for beginners in order to help them start to conceptualize "automation". And so the goal of this thread is to provide a "forum" to post useful tid-bits. And I'll kick it off with something on my mind below, but first, I think it's important to mention that the basics of automation requires generalization. So any solution requires a generalized form. If you're involved in mathematics any that term should ring a bell.
A generalized form would for example, use variables to contain lists that are generated by the host, such as a list of computers generated by an Active Directory that is a variable with a For loop (or other mechanism) so your task applies to all computers, or a set of those computers, contained in that list.
The goal of this thread is not to contain the entirety of an automated process, but rather to contain the bits and pieces that form parts of automation. In terms of Programming this might be considered "functions", or the tools in your program you call upon to do things.
The one that came to mind that led me to generate this thread is just a little tid-bit I picked-up and discarded as not useful right now. Written for batch, and the purpose was to uninstall a program I don't know the full name of and remove (scour) any left-overs from an unclean uninstall.
Each post should be a contribution, or comment on a contribution. I'll make a second post with another contribution just to keep the ball rolling. For organizational reasons, putting the contribution in quotes seems pertinent.
Quotewmic product where "name like '%%example%%'" call uninstall >> "append results to a debugger file (always good to have).txt"
ping -c 1 -w (time in seconds) >> debug.txt
for /d %%x in ("c:\program files (x86)\example*") do rd /s /q "%%x" >> debug.txt
dir "c:\program files (x86)" >> debug.txt
ping -c 1 -w (time in seconds) >> "debug.txt
>do some other stuff<So this short snip will unistall an example that is part of the program name with wild cards on either side of the part. It'll scour for directories with that same snippet with a wild card after (for instance if the directory is formed by program name with a random number generated after).
You can get creative.
I was thinking about it, because strangely deleting folders with wild cards using Batch is NOT intuitive.
The pings are timers, to give each process enough time to complete, depending on your target system a WMIC might take a while, so having a timer is critical.Post Script: Oh I forgot to mention a critical part. For some reason (which I've not taken the time to figure out it's just not that important to me right now) running this script REMOTELY breaks at the WMIC. However, the script runs normally if run locally. If the script were to start on start-up I'm sure it'd run normally. There's something in the remote process that WMIC hangs-up the authentication token is my guess so when ran remotely it kills the batch.
-
6 minutes ago, digininja said:
You just have to be careful about support. Advice swings between nvidia and AMD and some devices aren't supported or don't work as well as expected.
Not always the highest priced or highest gaming spec is best.
Yeah I suppose but I figure you're already stepping out of scope for their actual applications, it's better to seek what is common in a scientific computing setting, just ask vendor what they recommend for large multivariable statistical analysis.
All of this is academic, I think in pentesting proving you CAN brute force, is more important than ACTUALLY brute forcing.
Whether or not it takes your system 100 million years versus the latest and greatest super computer is irrelevant.
You don't need to brute force anything to prove the vulnerability exists.
For instance do you have a lock-out policy on your domain accounts for OWA logins? No? Then that CAN be brute forced. -
Regarding CPU, not much is needed.
I suppose whatever you consider mid-level is overkill, but you probably need some CPU for Microsoft Office suite so you can run your administrative overhead decently.Regarding GPU, if you have the right tools, the BEST GPU you can fit and afford will server you well. The GPU can be used to do parallel programming and parallel computing which means you can utilize those 32 cores for your password cracking, giving you much more power than what CPUs are currently out there.
https://en.wikipedia.org/wiki/General-purpose_computing_on_graphics_processing_units -
Maybe you twittered your passwords 2x to the world...are you Press Secretary Spicer by any chance?
-
On 3/5/2017 at 5:55 AM, barry99705 said:
I take it you're still a student then. In the 25ish years I've been working in IT, I've only seen a couple networks where the user's didn't have local admin rights. Not every company has the money to pay someone to go around and update Adobe flash/reader every time it updates. The whole "don't allow software to run in the user's directory" bullshit causes tons of applications to shit itself. It's just not worth the headaches, vs the "maybe they will get a crypto virus". Sure you can set up a local admin account that the user's can use, but within a week, they'll just use that account for everything. At least this way when files on the server get encrypted, we can look at the user profiles and find the user, since it will be encrypted too. Server files get rolled back to before the trojan, and the desktop gets wiped and reimaged.
Which my adversarial-question is, why is that an advantage?
Because in this case, the host can't be compromised.Virtual machines. I don't think there's many students out there that would think it's a good idea to have local admin rights to users.
If your environments are still that way then you're dealing with a very slow-to-change large enterprise, or SMBs that are unwilling to invest in virtual machines. -
On 2/22/2017 at 10:06 PM, Glowinghot666 said:
Not if u dont have more info do some recon uniscan so forth THINK really hard
Not sure this answer makes sense.
A connection is the exchange of packets (files). You can't possibly have a connection to another computer WITHOUT sending files. Will the computer just magically decide to send you its files? And to where? -
4 hours ago, haze1434 said:
Thanks for those laughs
Sun Tzu said that offense is the best defence.
Not so for the average PC user. A strong defence is the best defence.i.e.; make those passwords decent!
Haze, your point is apt, but I'm just heaping way too much info here for fun, to elaborate some lesser known factoids :)
The original title "The Art of War" belongs to Jomini's title of his scientific work which defeated Napoleon (and was misapplied by Jomini-Napoleonic trained US-Confederate Generals during the Civil War to disastrous outcomes).
Sun Tzu's "Art of War" is wrongly titled for western audiences and is actually called "Master Sun's Rules of Warfare". (It's a pet-peeve of mine that they stole Jomini's title to promote it to western audiences).
Most of it deals with the appropriate magical spells and which way the wind farts to divinate success on the battlefield, the rest are maxims that could be learned from the game Go. :)
It's also a pet-peeve of mine since a phenomenon called "Orientalism" exists where Westerners heap condescending praise upon useless works as if they are profound because Westerners simultaneously think that Easterners are spiritual, philosophical and wise, and also are extremely culturally racist toward them.
Jomini's works are still the basis of all military thought, even more important than Clausewitz who was largely a philosopher and not a military scientist. -
On 3/4/2017 at 0:06 AM, GermanNoob said:
Thank you very much, @IDNeon for your detailed answer! I really appreciate the time you invested in trying to help me!
As I have access to the network using wifi. So if I understand you right, then I could do this:
Asking a device that is also connected using wifi for its hardware address. As I got that within my ARP table I could arpspoof that device and as the packets are already addressed to the hardware address of the target it shouldn't be sent over the whole network where an IDS could be used.
Is that right?
Well if I understand your question right, then yes you should be able to arpspoof your traffic on the network and piggy-back on the traffic of legitimate devices as long as it doesn't need to be routed, but the reply will only go back to the devices you spoofed depending on how the AP makes a connection to each device, and depending on how creative you are in building your packets (i.e you could arguably change the return mac to what you want it to be but defeats the purpose of spoofing).
Might be easier to connect authentically with a bunch of virtual adapters with their own MAC addresses -
This: https://www.amazon.com/Practice-System-Network-Administration-Second/dp/0321492668
And learn CCNA ICND1 & ICND2 -
20 minutes ago, Jason Cooper said:
Actually it does explain why it worked, but I'll go into it in a bit more depth.
When using the $Group in double quotes it stringifys the value of the object so we have four strings
@{Name=@Testone} @{Name=@Testtwo} @{Name=Testthree} @{Name=Testfour}The regular expression the OP provided as a solution is looking for an @ symbol followed by a character that is in the range or a - z, A - Z or 0 - 9. While all four strings start with an @ symbol those are immediately followed by an open brace '{' which doesn't match the pattern that the regular expression is looking for. The first and second strings have another @ symbol which does match the pattern as they're followed by the letter 'T' which is in the range being matched.
The OP's solution however doesn't actually meet the criteria of only matching groups starting with an @ symbol as any groups that contain an @ symbol in the middle of their name (e.g. Test@five) as it will be matched by the "`@[a-zA-Z0-0]" regular expression as well.
Brilliant thanks for that clarification.
That's why I wanted to get deeper into this, my gut feeling was that the big-picture wasn't well understood and as you said, the "solution" was really not a solution.
Reason I wanted to pursue that was it's in those patch-jobs that problems are created. Your explanation would provide for a completely exact answer. -
21 minutes ago, Jason Cooper said:
Seeing your output suddenly makes it all make sense. The $group variable isn't a simple string, it's actually an object with a Name property. When you put it in double quotes Powershell produces a stringified version of the object, which starts with the @ symbol (e.g. "@{Name=@Testone}". You then do a regular expression match against that string, which sees the first character as the @ symbol, which is matches what it's looking for exactly.
I don't have access to an active directory to test, but try matching against the $group object's Name propery instead, e.g.
$y = Get-ADuser JOEBLOGGS -property MemberOf | % {$_.MemberOf | Get-ADGroup | select Name | sort name} foreach ($group in $y) { if ($group.Name -match "^@") { echo "yep $group" } else { echo "Nope $group" } }Not sure that's the answer though EITHER?
Because the OP provided a solution "`@[a-zA-Z0-9]" which has an intended result
This means your explanation does not explain why his solution would work to segregate as it did? -
3 hours ago, haze1434 said:
Not sure what you mean, sorry.
$Group is a variable already recognised by PowerShell - The line 'foreach($Group in $CurrentGroups)' works fine.
I was in the middle of a thought process (and editing my previous posts to update) but got busy, usually that happens and you'll just have to move on from those posts when I don't get back to them.
What I was trying to show before I had to abandon it was what the value of $Group actually was when -match compares it to your expression.
I wanted to see if the $Group value was carrying the @ through its comparison.
I was in the process of writing a little debugger for that but got busy and this is the first time in 3 days I have had time to revisit this thread. -
On 2/6/2017 at 1:44 AM, haze1434 said:
Ah!
`@[A-Za-z0-9]
Success!!
Ok, but can you answer WHY it failed when it was just "`@"?
Because WHY it failed is more important than how to make it work.
I don't know how often you code, but sometimes it's good to build your own debuggers into code:
Thought about it for a moment and the why is the match is you are NOT matching $Group but matching $CurrentGroups.
I haven't thought of a way to test this yet, but it's the only logical way I can think of why your first code failed. -
Sorry for the multiple replies, I'm working and work is hectic per usual so I'm piece-mealing this together.
Refer to the previous diagram, notice from left to right, a switch, a hub, and a router.
Your task, should you choose to accept it, is to cause the ports to fail to 10/100/half-duplex and prove if your device is acting like a switch/router, or a hub.
I put switch/router together because functionally in the above diagram both devices segregate their collision domains because they are built to do so.
A bridged AP, should not.
This is more authoritative than looking around the office for what kind of connections there are.
And if you did not have physical access to a building but only access to its wifi from the parking lot, this could be an important tool in your inventory for knowing what your traffic is doing.
You can do this fail-state test passively. -
See the diagram below.
While almost everyone thinks of a network now as the broadcast domain (logical not even physically, that is layer 2 and 3, not even layer 1) a broadcast and collision domain are INITIALLY layer 1 concepts.
If you apply fail-state tests like I described you can answer your question because the collision domain is physically different from other collision domains.
Your question is more accurately "is my device in its own collision domain" or not.
Because that tells you how it's behaving regarding NAT/Bridge as others have suggested you want to know.
-
11 hours ago, GermanNoob said:
Hi @digininja,
it seems that I wasn't clear about my intention... Sorry, for that! I'm not going to do something illegal. I just want to understand how big the risk of arp spoofing in the described setup is and if countermeasures like IDS behind the AP would work or what would have to be done to work. Of course I will set up a test environment, but I can't do that before next week as I'm on a short vacation at the moment...
Hi @IDNeon,
sorry, if my following question is dumb as shit... IP assigning is working over DHCP. During the IP assignment process the client will only test the received IP with an ARP package (as far as I understood). While also a bridge could be configured to forward DHCP packages to the DHCP server (DHCP-relay agent), I didn't find anything that it also relays ARP packages...
So, I think that I could still get an IP address (not from the AP but from the DHCP server in the LAN behind) and ARP packages might still stay only in the WIFI... Am I wrong?
There is no "only in the WIFI".
WIFI is a method of network access but isn't a "network" unto itself.
The network is all addressing....what broadcast and collision domains are you in? That's the fundamentals.
ARPs work in a broadcast domain. A collision domain may be the same as the broadcast domain, but it may not be the same.
Anything else requires routing.
The concept of collision and broadcast domains are obfuscated now but basically we say "subnets" to describe broadcast domains but you'll miss critical components of a network if you forget the two are actually separate. Collision/Broadcast represents a physical/logical problem. While subnets is completely logical and has nothing to do with the physical devices it exists on.
To the heart of your question, what happens to ARP packets, depends entirely on what collision and broadcast(subnet) domains it exists in.
A bridged AP exists in the same collision domain as the switch it is plugged into.
A NAT AP is its own collision domain.
If you can think of a way to test what collision domains you are in, you can accurately determine this feature of the switch.
Soooooo, your question can your ARP be seen on the LAN port. Someone mentioned if you target a device ... not sure what they mean, if a device's MAC isn't in the ARP table, then your ARP will be sent across an entire broadcast domain until it bumps into a router, and will be like ripples in a pond reflecting off trees in the pond which represent other ports that are searching for the MAC address you are requesting.
The only way that won't happen is if the AP is itself performing NAT.
To prove that without having authentic access to the LAN, requires some creative fail-state testing.
What does all devices fail-state to?
10/100 Half-Duplex.
Hence why collision domain should still matter.
-
On 2/23/2017 at 3:10 AM, hamzaabdullahmoh said:
I got an access to a web server and I can upload and execute but how can I install a script that I can go back to when I ever I want to upload, read, write and delete!!? Please hurry up!!
Bear in mind I am a noobie!!
"Please hurry up" > shove it you wanker.
-
On 2/27/2017 at 1:27 PM, Clean said:
So recently my Amazon account was hacked (my fault due to weak password I guess) and my Steam account attempted to be accessed at the same time along with several of my other accounts as well.
So luckily Amazon reversed the transaction made and Steam sent me an email (thank god for multi factor authentication) and Steam also sent me the IP address of the attacker, I have pinned down the location to a residential apartment in Russia, my question is what next as they keep trying to gain access every few months?!?!?
That apartment is probably just a bounce box. It's not accurate.
Nor would it be.
IP addresses are dynamically assigned, so that address could belong to a smart toilet in Bangladesh by now.
While not that extreme (because blocks of addresses are owned by different providers) you get the drift....
To access a database of previous address listings would require a subpoena with approval from the authority having jurisdiction. So in this case, Russia > Oblast > Gorod. (and these records are purged like every 2 weeks or so).
Which I know you don't have, so most likely you did some kinda google-fu and got a bull.hit answer. -
On 3/1/2017 at 2:38 AM, GermanNoob said:
Nope...
Try if it assigns IP addresses or not. A Bridged AP shouldn't assign IP addresses.
-
On 2/18/2017 at 8:57 AM, Teabot 5000 said:
If you count the "tiktak" each as a "press and depress" sound then the number of written tikks takks etc. are equal to the characters input into the search field.
Amazing consistency, except probably entirely accidental. -
22 hours ago, barry99705 said:
Okay, which one of your assholes killed Amazon's E2 environment?
Still waiting for Google Chrome to say Amazon.com is a known malware distributor and redirect you to their security page lol
-
On 2/23/2017 at 7:29 PM, bored369 said:
Exactly! That's what I think IDNeion isn't getting, that a process is not the same as a separated virtualized environment. A process, service aren't really separated from Windows itself, in fact they have clear easy access to actually manage Windows through API calls. Windows is more an environment that allows things to do whatever they want however they want. It's not really managing much of anything, quite the opposite considering programs can manage Windows however they want once they gain appropriate permissions. Which is extremely easy to do in Windows, mainly because of their focus on backward compatibility.
It's not all Microsoft's fault though, the users complain anytime they actually try to secure the OS because it causes inconvenience or breaks legacy applications, because some company (like the US Defense Department) using Windows still wants to run software from 1989.
I finally got some time to return to this thread, but unfortunately not to read much documents on the Qubes methodology itself.
In my estimation Qubes would be exposed to the same problems that any virtual-app or VM environment would be exposed to.
Which my adversarial-question is, why is that an advantage?
If we were so concerned it seems to me you could throw together a Qubes using an app-publisher and a VM tool and from your own desktop you just run a VM as your machine and publish apps to your VM from different hosts. -
On 2/23/2017 at 3:17 PM, barry99705 said:
Windows apps are all run in the same user space. You get a virus from a "fedex" email, your whole system is most likely borked. The main gui in Qubes is just xfce on top of the xen(I think) hypervisor. No programs are actually run in this environment. Your email app is run in it's own vm, the cryptovirus can't do a damn thing to the dom0 hypervisor. Any malware that may get installed in any vm goes away when you shutdown the computer for the day, or if you know something happened, restart that vm. Nothing is persistent except your saved files in your home directory. It's almost like running a live os from a flash drive with persistence. Now you can have a personal, work, and fuck-all browser. Do your shopping and my-face-space in the personal vm. Work in the work vm, and your late night browsing in the fuck-all vm. You accidently click on one too many jigglies late at night and your work and personal stuff is still safe.
If you're getting hosed by a virus that works just with user-level ACLs you got a bigger problem. Now since your email app HAS to communicate with the hypervisor to use the processor there is a security level that the dom0 and the email app VM share. That is where this whole thing breaks down. I think we're talking about two different levels of exploitation of a system. Also there is a saved-state somewhere for each VM or else you'd have no continuity. Working from a persistentless state each time would be very annoying. That may very well be the case for Qubes.
I ask questions through an advocate-adversarial approach so it may seem I'm adversarial but I'm not. I haven't used Qubes and am genuinely interested in how it works and what's the point.
Qubes OS
in Everything Else
Posted
I've been busy but I finally got to talk with a friend whose more technical at the engineering level of OS's and he basically confirmed the same idea I had.
Qubes provides an extra layer of user security but that's about it. We both conceptualized it as essentially being like you were using published apps for everything.
On the hardware it makes no sense for it to function any differently than Windows OS etc.
So anything exploiting something at those levels, kernel/root, bios, would not be affected by the virtualization.
Virtualization to over simplify it is basically different "user_processes" interacting.