Thursday, February 11, 2016

Using Tar

We can use TAR to get a bulk of files and directories from one machine with their absolute path and move to another machine in the same absolute path with the following commands.

$ cat files.txt
/tmp/a.txt
/tmp/folder1/b.txt
/tmp/folder2/
/tmp/folder3

Now for creating a tar file with the directory structure shown above issue the following command.
$ tar cvpfP a.tar -T files.txt

Here
c will create the archive called a.tar
v will give us a verbose output
p will preserve the permission of the file
f will use the following archive file name
P will not ignore the / before the tmp.

Now for deflating all the files and folders in the corresponding absolute path use the following command.
$ tar xvpfP a.tar

Saturday, January 2, 2016

Friday, November 20, 2015

Windows10 Security



http://video.ch9.ms/sessions/ignite/2015/BRK2308.mp4

Starting powerpoint from cmd line
> bp user32!setwindowstextw "ezu @eax \"Untitled:Powerpoint\" ;bd*;gc"
>g

1) Tokens / Elevated Tokens

Launch two cmd prompt one as normal user and other as admin and run
> whoami /all
This would give you your SID.

Once we login, WinLogon will give us an elevated access
Then a Second token which is filtered
Then create a process called explorer.exe using the filtered token mentioned above.

Elevation process uses Shell Execute API.  This will called in "AppInfo Service" if this is turned off we cannot elevate our rights.  This in turn would invoke consut.exe.

The elevation is driven by "Local Group Policy Editor" under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.  Now that we are here if we scroll down way down we get to all the "User Account Control: **********".

UAC master switch is controlled by "User Account Control: Run all administrators in Admin Approval Mode"

The two most important things which we need to be worried about are
"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
"User Account Control: Behavior of the elevation prompt for standard users"

In Windows we have a collection of "Logon Sessions" which contains a collection of "Desktops" which contains a collection of "Windows" which can again contain a collection of "windows".

MSRA.exe is Microsoft Remote Assistance the one which looked similar to conf remember ???

Microsoft Application Compatibility Administrator Tool - This is a part of Application Compatibility Toolkit.  This is hidden inside the Windows ADK (Assessment and Deployment Kit) 5.61 we will get the Kernel one.

Double clicking on Setup we have *Setup*
Under update we have *Update*
Under Installer Detection we have *instal*
Under Patch we have *patch*

Under "Compatibility Fixes" We have something called as "RunAsAdmin", "RunAsHightest" and "RunAsInvoker".
We also have something called as "SpecificInstaller" and "SpecificNonInstaller".

When we launched "whoami /all" we can see something called as "Medium Mandatory level" that comes into play when we have the situation of do we trust all our apps to the same degree ?

"S-1-16-8192"
"S-1-16" is the Integrity
8192 is the Level, This is a 32 bit number which determines the integrity level.

psexec -l -d c:\Windows\SysWOW64\notepad.exe

The -l on psexe would execute notepad as a low integrity process.  This would even prevent notepad from writing to the user home directory as whom we launched the notepad process as.

chml is a change integrity level tool.  To change a file to low integrity file use the command as follows.

chml file.txt -b 0-i:ll

Let us launch an application called "Microsoft Spy++" which is distributed as part of visual studio.  This will show us how many windows are launched on our system.

2) Integrity Levels

3) User Interface Privilege Isolation.

4) Capabilities (New in Win 8 and Win 10)

5) App Containers







































Saturday, September 5, 2015

SED Kufu

This saved me from a boring task.  Here I tried to rename a bunch of files by removing some standard text and including leading zero to single digit file titles.


ls -ltrh | grep -o Java.* | sed -e 's/.*/mv_&" "&"/g' -e 's/ "Java Programming Tutorial/ "/g' -e 's/" - /\n"Java/g' | sed -E '/(mv_Java)/!s/ //g' | paste -d" " - - | sed 's/mv_/mv "/g'
sed -E "Would skip lines with mv_Java"
This would help add leading zero to single digits.
ls -ltrh | grep -o -P Java[0-9]{1}-.* | sed 's/.*/mv_&\n&/g' | sed -E '/mv_/!s/Java/Java0/g' | paste -d" " - - | sed 's/mv_/mv /g'

http://pastebin.com/sYBCiPau
 

Sunday, August 2, 2015

Treesheets cheatsheet

Treesheet cheatsheet :-)


Treesheets

HI

To install treesheets from Git Respository follow these steps below.

We need GTK > 1.2 to get wxwidgets installed.  wxWidgets is needed for treesheets.
apt-get install libgtk-3-dev

Now let us get the wxWidgets-master.zip MD5SUM (b8833e54675154f3098e9e0f114d3082) from the link https://github.com/wxWidgets/wxWidgets

Now unzip that zip file and go inside and configure it with the following options and then do make as normal user.

$ ./configure --enable-unicode --enable-optimize=-O2 --disable-shared
$ make

Now let us get the treesheets zip file from git treesheets-master.zip (6ede9f8db292d22c91c0a411a9d56d01).

Now unzip that as before and go into the src directory.  Now we need to move the wxWidgets-master folder into the treesheets/src/wx directory.  Then run make.  We should see the treesheets executable in the TS directory.

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/std/Downloads/ts/src/wx
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/std/Downloads/ts/src/wx

There is one mystery which I have not been able to solve is why is treesheet listening on port 4242, when we invoke it.