Wednesday, June 1, 2016

snort oinkmaster

To modify signatures using oinkmaster:

modifysid 1000000 "\$EXTERNAL_NET" | "!\$HOME_NET"

modifysid 1000001 "\$EXTERNAL_NET" | "![,]"

modifysid 1000001 "\-> any" | "\-> ![]"

disablesid 1000002

DANGER:  Don't you dare leave spaces between the IP addresses while negating them in modifysid, as shown in the second line.  The reference for that, from the Snort manual, is shown below.
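Added example, not from the post: the effect of modifysid lines like those above, reproduced with sed on a constructed rule, plus a check for the spacing mistake the warning describes. The 192.0.2.x addresses are placeholders from the documentation range.

```shell
#!/bin/sh
# Added example, not part of the original post. oinkmaster hands each rule with
# the given SID to a Perl s/// built from the quoted regex and replacement; the
# same substitutions are applied here with sed -E on a constructed sample rule.
# 192.0.2.x addresses are placeholders from the documentation range.
RULE='alert tcp $EXTERNAL_NET any -> any 22 (msg:"SSH probe"; sid:1000001; rev:1;)'

# Mirrors:  modifysid 1000001 "\$EXTERNAL_NET" | "![192.0.2.10,192.0.2.11]"
#           modifysid 1000001 "\-> any"        | "\-> ![192.0.2.20]"
apply_modifications() {
    printf '%s\n' "$1" \
        | sed -E 's/\$EXTERNAL_NET/![192.0.2.10,192.0.2.11]/' \
        | sed -E 's/-> any/-> ![192.0.2.20]/'
}

# Returns 1 when a negated IP list such as ![a, b] contains whitespace,
# which is exactly the mistake the warning above is about.
check_negated_lists() {
    if printf '%s\n' "$1" | grep -Eq '!\[[^]]*[[:space:]][^]]*\]'; then
        return 1
    fi
    return 0
}

MODIFIED=$(apply_modifications "$RULE")
printf '%s\n' "$MODIFIED"
check_negated_lists "$MODIFIED"
```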

Wednesday, April 6, 2016

Auto shutdown - Debian

5 1 6 4 * /sbin/shutdown -h now /var/log/shut.log

Sunday, March 20, 2016

Different EAP

* Cisco's Lightweight EAP (LEAP), which is purely password-based.

* Other vendors and Microsoft use EAP with Transport Layer Security (EAP-TLS), which carries out authentication through digital certificates.

If EAP-TLS is being used, the authentication server and wireless device exchange digital certificates for authentication purposes.

When EAP-TLS is being used, the steps the server takes to authenticate to the wireless device are basically the same as when an SSL connection is being set up between a web server and web browser. Once the wireless device receives and validates the server’s digital certificate, it creates a master key, encrypts it with the server’s public key, and sends it over to the authentication server. Now the wireless device and authentication server have a master key, which they use to generate individual symmetric session keys. Both entities use these session keys for encryption and decryption purposes, and it is the use of these keys that sets up a secure channel between the two devices.

* Protected EAP (PEAP), where only the server uses a digital certificate.

If PEAP is being used instead, the user of the wireless device sends the server a password, and the server authenticates to the wireless device with its digital certificate.

* EAP-TTLS provides authentication that is as strong as EAP-TLS, but it does not require a user certificate; it does, however, require a server certificate.

User authentication is performed by password, but the password credentials are transported in a securely encrypted tunnel established based upon the server certificates.

* EAP-Tunneled TLS (EAP-TTLS) is an EAP protocol that extends TLS.

Thursday, February 11, 2016

Using Tar

We can use tar to collect a set of files and directories from one machine, keeping their absolute paths, and restore them to the same absolute paths on another machine with the following commands.

$ cat files.txt

Now, to create a tar file with the directory structure shown above, issue the following command.
$ tar cvpfP a.tar -T files.txt

c will create the archive called a.tar
v will give us verbose output
p will preserve the permissions of the files
f will use the following archive file name
P will keep the leading / (the one before tmp) instead of stripping it.

Now, to extract all the files and folders to their corresponding absolute paths, use the following command.
$ tar xvpfP a.tar
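Added example, not part of the original post: the cvpfP / xvpfP commands exercised on a constructed tree under a temporary directory, so nothing outside it is touched, and a second function showing what happens to the path without P. It assumes GNU tar or bsdtar (both accept -P).

```shell
#!/bin/sh
# Added example, not part of the original post: the cvpfP / xvpfP commands
# exercised on a constructed tree under a temporary directory, so nothing
# outside it is touched. Assumes GNU tar or bsdtar (both accept -P).
set -e

# Archive one file by absolute path, delete it, restore it with -P and return
# the restored permission bits (which -p must bring back exactly).
restore_with_absolute_paths() {
    work=$(mktemp -d)
    mkdir -p "$work/etc/app"
    printf 'secret=1\n' > "$work/etc/app/app.conf"
    chmod 600 "$work/etc/app/app.conf"
    printf '%s\n' "$work/etc/app/app.conf" > "$work/files.txt"

    tar cpfP "$work/a.tar" -T "$work/files.txt"   # -P keeps the leading /
    rm -rf "$work/etc"                            # stand-in for the other machine

    tar xpfP "$work/a.tar"                        # lands at the original path
    test -f "$work/etc/app/app.conf" || return 1
    mode=$(ls -l "$work/etc/app/app.conf" | cut -c1-10)
    rm -rf "$work"
    printf '%s\n' "$mode"
}

# Without -P, tar strips the leading / when creating the archive, so the member
# would extract relative to the current directory instead. Returns the stored name.
member_name_without_P() {
    work=$(mktemp -d)
    mkdir -p "$work/d"
    : > "$work/d/f"
    tar cf "$work/a.tar" "$work/d/f" 2>/dev/null  # warns about removing the /
    name=$(tar tf "$work/a.tar" 2>/dev/null)
    rm -rf "$work"
    printf '%s\n' "$name"
}
```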

Saturday, January 2, 2016

Friday, November 20, 2015

Windows10 Security

Starting powerpoint from cmd line
> bp user32!setwindowstextw "ezu @eax \"Untitled:Powerpoint\" ;bd*;gc"

1) Tokens / Elevated Tokens

Launch two command prompts, one as a normal user and the other as admin, and run
> whoami /all
This shows your SID.

Once we log in, Winlogon gives us an elevated token,
then a second token which is filtered,
and then creates the explorer.exe process using the filtered token mentioned above.

The elevation process uses the ShellExecute API.  This calls into the "AppInfo" service; if that service is turned off we cannot elevate our rights.  This in turn invokes consent.exe.

The elevation behaviour is configured in the "Local Group Policy Editor" under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.  Once there, if we scroll way down we get to all the "User Account Control: **********" settings.

The UAC master switch is "User Account Control: Run all administrators in Admin Approval Mode".

The two most important settings to worry about are
"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
"User Account Control: Behavior of the elevation prompt for standard users"

In Windows we have a collection of "Logon Sessions", each containing a collection of "Desktops", each containing a collection of "Windows", which can in turn contain a collection of windows.

MSRA.exe is Microsoft Remote Assistance, the one that looked similar to conf, remember?

Microsoft Application Compatibility Administrator Tool - this is part of the Application Compatibility Toolkit, which is hidden inside the Windows ADK (Assessment and Deployment Kit); with 5.61 we will get the Kernel one.

Double clicking on Setup we have *Setup*
Under update we have *Update*
Under Installer Detection we have *instal*
Under Patch we have *patch*

Under "Compatibility Fixes" we have "RunAsAdmin", "RunAsHighest" and "RunAsInvoker".
We also have "SpecificInstaller" and "SpecificNonInstaller".

When we ran "whoami /all" we saw something called "Medium Mandatory Level".  This comes into play when we face the question: do we trust all our apps to the same degree?

"S-1-16" identifies the integrity (mandatory label) SID.
8192 is the level, a 32-bit number which determines the integrity level.

psexec -l -d c:\Windows\SysWOW64\notepad.exe

The -l on psexec runs notepad as a low-integrity process.  This even prevents notepad from writing to the home directory of the user we launched the notepad process as.

chml is a change-integrity-level tool.  To change a file to low integrity, use the following command.

chml file.txt -b 0-i:ll

Let us launch an application called "Microsoft Spy++", which is distributed as part of Visual Studio.  This shows us how many windows are open on our system.

2) Integrity Levels

3) User Interface Privilege Isolation.

4) Capabilities (New in Win 8 and Win 10)

5) App Containers

Saturday, September 5, 2015

SED Kung Fu

This saved me from a boring task.  Here I tried to rename a bunch of files by removing some standard text and adding a leading zero to single-digit file titles.

ls -ltrh | grep -o 'Java.*' | sed -e 's/.*/mv_&" "&"/g' -e 's/ "Java Programming Tutorial/ "/g' -e 's/" - /\n"Java/g' | sed -E '/(mv_Java)/!s/ //g' | paste -d" " - - | sed 's/mv_/mv "/g'
The sed -E '/(mv_Java)/!s/ //g' step skips the lines containing mv_Java, so spaces are removed only from the new names.
This would help add a leading zero to single digits.
ls -ltrh | grep -o -P 'Java[0-9]{1}-.*' | sed 's/.*/mv_&\n&/g' | sed -E '/mv_/!s/Java/Java0/g' | paste -d" " - - | sed 's/mv_/mv /g'
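Added example, not the post's pipeline: the same renaming (drop the standard text, squeeze out the spaces, add a leading zero to single-digit lesson numbers) done with a for loop and parameter expansion instead of parsing ls, so names with unusual characters are handled safely. The file names and the .mp4 extension are constructed.

```shell
#!/bin/sh
# Added example, not the post's pipeline: the same renaming done with a for
# loop and parameter expansion instead of parsing ls. File names are constructed.
set -e

# "Java Programming Tutorial - 3 - Loops.mp4"    -> "Java03-Loops.mp4"
# "Java Programming Tutorial - 12 - Streams.mp4" -> "Java12-Streams.mp4"
new_name() {
    rest=${1#"Java Programming Tutorial - "}          # drop the standard text
    name="Java$(printf '%s' "$rest" | tr -d ' ')"      # squeeze out the spaces
    case $name in
        Java[0-9]-*) name="Java0${name#Java}" ;;       # single digit -> leading 0
    esac
    printf '%s\n' "$name"
}

# Rename every matching file in $1 in place, never overwriting an existing file,
# and return the resulting directory listing on one line.
rename_tutorials() {
    dir=$1
    for f in "$dir/Java Programming Tutorial - "*; do
        [ -e "$f" ] || continue                        # glob matched nothing
        target="$dir/$(new_name "${f##*/}")"
        if [ -e "$target" ]; then
            printf 'skip %s: target exists\n' "$f" >&2
            continue
        fi
        mv -- "$f" "$target"
    done
    ls "$dir" | tr '\n' ' '
}
```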