Showing posts with the label Ethical Hacking

A Script to Help Automate Windows Enumeration for Privilege Escalation

Often when I want to learn a skill, I’ll think up a project for myself that forces me to improve that skill. Recently I wanted to improve my Windows post-exploitation and privilege escalation, so I decided to work on a script to enumerate Windows systems and look for low-hanging fruit that can be used to escalate privileges. The definitive guide to Windows priv esc is http://www.fuzzysecurity.com/tutorials/16.html, and a good deal of my commands come from that post or resources mentioned in the post. If you’re working on your Windows privilege escalation, you really should spend some time on that page. I decided to use a batch file instead of PowerShell since batch should run anywhere and is easy for others to understand and modify. The output of the script is saved to three different text files. The script will be a work in progress, but I wanted to post a copy to try to help others automate the process. First the script gathers basic enumeration information such as: Hostname Whoami Use...

Bash Script to Help With base64 and echo File Transfers

Recently I had remote access to a Linux terminal with an extremely limited command set and I wanted to place a full-featured web shell on the box. My usual methods of netcat and wget weren’t available, but someone much smarter than I (Craig Swan at SensePost) suggested I use base64 to encode the shell (to avoid any issues with foreign characters), copy each line, and paste each line on the target box as part of an echo statement which builds a copy of the file on the target box. I thought the idea was great and it worked like a champ. I figured that this likely wasn’t the last time I would use this technique, so I wrote a bash script to automate the process as much as possible.

# base64-encode the input file; each output line becomes one echo statement
base64 "$1" > based.tmp
# strip the directory part so the echo statements append to a bare file name
file_name=${1##*/}
[ -f based_output.txt ] && rm based_output.txt
prevar='echo "'
postvar='" >> '
while read -r line; do
  echo "$prevar$line$postvar$file_name" >> based_output.txt
done < based.tmp

The code takes an input file and prepare...

Thoughts on the SANS 560 at Cybercon

woo hoo!!! As some of you know I’ve been on a SANS binge over the past 18 months at a pace that seemed on the brink of unsustainable at times. Some of the classes like the FOR 408 and FOR 585 were topics very relevant to my duties and interests. Some of the classes covered material that I don’t use much in my current daily life but I knew were big holes in my overall skill set. The SEC 503 squared away my packet analysis skills like I doubt any other course could have. I’ve greatly enjoyed every class I’ve ever taken but the classes were always to learn or refine my skills. So after 18 months of being mature and taking the appropriate classes I rewarded myself by going the opposite route. I took a class that I knew would absolutely teach me new skills and help refine skills I already possessed but I primarily picked the SANS SEC 560 Network Penetration Testing and Ethical Hacking course because it just sounded like a heck of a lot of fun. I’ve already been asked one question about my e...

Telling sqlmap to Try Harder

When I first started learning about penetration testing, sqlmap quickly became one of my favorite tools. For those who haven’t used it, sqlmap is a command line tool which automates the detection and exploitation of SQL injection flaws. I started by feeding sqlmap URLs that contain a variable in the URL. The command for a URL like this is: ./sqlmap.py -u "http://172.16.222.100/gallery/gallery.php?id=null" Once the command is run, sqlmap will automatically try a variety of SQL injection techniques to find vulnerabilities. If it finds a vulnerability it will ask you if it can stop; once you say yes, you can rerun sqlmap with a variety of different options which can do everything from attempting to use the injection vulnerability to give you a shell to using the vulnerability to dump all of the information from the database. If you’re dumping a database and sqlmap recognizes encrypted password hashes, it will even ask you if you’d like it to try to crack the password. After...

GCIH Passed

I’m a few days late in posting this, but last Monday I passed my GCIH exam with a 94. SANS advisory board here I come!!! I watched the course in the On Demand format taught by Ed Skoudis and attended the live training taught by John Strand. It was very time consuming but well worth it to get the material from two world class instructors with different points of view. The key to my high score was taking some great advice from a SANS teaching assistant & mentor named Neal Bridges, who encouraged me to make a detailed index (mine ended up around 30 pages) and was kind enough to show me his GSEC index so I had an idea of how to format mine. I’ll write up a blog post soon where I’ll discuss my index and show a few samples.