Wargames Archives - Tech Chronicles

Powershell Digital Forensics And Incident Response (DFIR) – Leveraging Scripts For Effective Cybersecurity

Majordomo — Wed, 21 Feb 2024 23:49:00 +0000

This repository contains multiple PowerShell scripts that can help you respond to cyber attacks on Windows Devices.

The following Incident Response scripts are included:

DFIR Script: Collects all items as listed in section DFIR Script.
CollectWindowsEvents: Collects all Windows events and outputs it as CSV.
CollectWindowsSecurityEvents: Collects all Windows security events and outputs it as CSV.
CollectPnPDevices: Collects all Plug and Play devices, such as USB, Network and Storage.
DumpLocalAdmins: Returns all local admins of a device.
LastLogons – List the last N successful logins of a device.
ListInstalledSecurityProducts – List the installed security products and their status.
ListDefenderExclusions – List the FolderPath, FileExtension, Process and IP exclusions that are defined.

DFIR Script – Extracted Artefacts

The DFIR script collects information from multiple sources and structures the output in the current directory in a folder named ‘DFIR-hostname-year-month-date’.

This folder is zipped at the end, so that folder can be remotely collected. This script can also be used within Defender For Endpoint in a Live Response session (see below).

The DFIR script collects the following information when running as normal user:

Local IP Info
Open Connections
Aautorun Information (Startup Folder & Registry Run keys)
Active Users
Local Users
Connections Made From Office Applications
Active SMB Shares
RDP Sessions
Active Processes
Active USB Connections
Powershell History
DNS Cache
Installed Drivers
Installed Software
Running Services
Scheduled Tasks
Browser history and profile files

For the best experience run the script as admin, then the following items will also be collected:

Windows Security Events
Remotely Opened Files
Shadow Copies
MPLogs
Defender Exclusions

SIEM Import Functionality

The forensic artefacts are exported as CSV files, which allows responders to ingest them into their tooling. Some example tools in which you can ingest the data are Sentinel, Splunk, Elastic or Azure Data Explorer. This will allow you to perform filtering, aggregation and visualisation with your preferred query language.

The folder CSV Results (SIEM Import Data) includes all the CSV files containing the artefacts, the folder listing is shown below.

Name
----
ActiveUsers.csv
AutoRun.csv
ConnectedDevices.csv
DefenderExclusions.csv
DNSCache.csv
Drivers.csv
InstalledSoftware.csv
IPConfiguration.csv
LocalUsers.csv
NetworkShares.csv
OfficeConnections.csv
OpenTCPConnections.csv
PowerShellHistory.csv
Processes.csv
RDPSessions.csv
RemotelyOpenedFiles.csv
RunningServices.csv
ScheduledTasks.csv
ScheduledTasksRunInfo.csv
SecurityEvents.csv
ShadowCopy.csv
SMBShares.csv

DFIR Commands

The DFIR Commands page contains invidividual powershell commands that can be used during your incident response process. The follwing catagories are defined:

Connections
Persistence
Windows Security Events
Processes
User & Group Information
Applications
File Analysis
Collect IOC Information

Windows Usage

The script can be excuted by running the following command.

.\DFIR-Script.ps1

The script is unsigned, that could result in having to use the -ExecutionPolicy Bypass to run the script.

Powershell.exe -ExecutionPolicy Bypass .\DFIR-Script.ps1

DFIR Script | Defender For Endpoit Live Response Integration

It is possible to use the DFIR Script in combination with the Defender For Endpoint Live Repsonse. Make sure that Live Response is setup (See DOCS). Since my script is usigned a setting change must be made to able to run the script.

There is a blog article available that explains more about how to leverage Custom Script in Live Response: Incident Response Part 3: Leveraging Live Response

To run unsigned scripts live Response:

Security.microsoft.com
Settings
Endpoints
Advanced Features
Make sure that Live Response is enabled
If you want to run this on a server enable live resonse for servers
Enable Live Response unsigened script execution

Execute script:

Go to the device page
Initiate Live Response session
Upload File to library to upload script
After uploading the script to the library execute: run DFIR-script.ps1 to start the script.
Execute getfile DFIR-DeviceName-yyyy-mm-dd to download the retrieved artifacts to your local machine for analysis.

Docs

The post Powershell Digital Forensics And Incident Response (DFIR) – Leveraging Scripts For Effective Cybersecurity appeared first on Tech Chronicles.

Penetration Testing Framework – Pure Blood

Majordomo — Thu, 07 Jan 2021 19:55:45 +0000

Introduction

Pure Blood is a Penetration Testing Framework intended for all hackers, pentesters, bug hunters and those that wants to get involved in pentesting and cybersecurity area. It’s simple tool, created for everyone who need help for daily pentesting tasks, such as information gathering (Whois, DNS Lookup, Reverse DNS Lookup, etc), vulnerability analysis, etc.

Penetration testing, also known as pentesting or ethical hacking, is the practice of testing a computer system, network/web application to find security vulnerabilities that an evil user (attacker) could exploit. Penetration testing can be automated with software apps/ programms, penetration testing frameworks or performed manually.

Pure Blood v2: A Penetration Testing Framework created for Hackers

This penetration testing tool is tested on Windows and Kali Linux, but should work on any Linux distro and OS X.

Features

Web Pentest/Information Gathering

Banner Grab
Whois
Traceroute
DNS Record
Reverse DNS Lookup
Zone Transfer Lookup

Port Scan
Admin Panel Scan
Subdomain Scan
CMS Identify
Reverse IP Lookup
Subnet Lookup

Extract Page Links
Directory Fuzz
File Fuzz
Shodan Search
Shodan Host Lookup

Web Application Attack:

WordPress (WPScan, WPScan Bruteforce, WordPress Plugin Vulnerability Checker)
Auto SQL Injection

Generator:

Deface Page
Password Generator
Text To Hash

Requirements:

Python v2/3
All from requrements.txt file: (colorama, requests, python-whois, dnspython, bs4, shodan)

Modules can also be installed independently.

Install

Clone it form the Pure Blood GitHub repo:

$ git clone https://github.com/cr4shcod3/pureblood

Then navigate to the Pure Blood directory and install modules (requirements.txt):

$ cd pureblood
$ pip3 install -r requirements.tx

Usage

To start Pure Blood, run:

$ python3 pureblood.py

██▓███   █    ██  ██▀███  ▓█████  ▄▄▄▄    ██▓     ▒█████   ▒█████  ▓█████▄                                                                                              
▓██░  ██▒ ██  ▓██▒▓██ ▒ ██▒▓█   ▀ ▓█████▄ ▓██▒    ▒██▒  ██▒▒██▒  ██▒▒██▀ ██▌                                                                                             
▓██░ ██▓▒▓██  ▒██░▓██ ░▄█ ▒▒███   ▒██▒ ▄██▒██░    ▒██░  ██▒▒██░  ██▒░██   █▌                                                                                             
▒██▄█▓▒ ▒▓▓█  ░██░▒██▀▀█▄  ▒▓█  ▄ ▒██░█▀  ▒██░    ▒██   ██░▒██   ██░░▓█▄   ▌                                                                                             
▒██▒ ░  ░▒▒█████▓ ░██▓ ▒██▒░▒████▒░▓█  ▀█▓░██████▒░ ████▓▒░░ ████▓▒░░▒████▓                                                                                              
▒▓▒░ ░  ░░▒▓▒ ▒ ▒ ░ ▒▓ ░▒▓░░░ ▒░ ░░▒▓███▀▒░ ▒░▓  ░░ ▒░▒░▒░ ░ ▒░▒░▒░  ▒▒▓  ▒                                                                                              
░▒ ░     ░░▒░ ░ ░   ░▒ ░ ▒░ ░ ░  ░▒░▒   ░ ░ ░ ▒  ░  ░ ▒ ▒░   ░ ▒ ▒░  ░ ▒  ▒                                                                                              
░░        ░░░ ░ ░   ░░   ░    ░    ░    ░   ░ ░   ░ ░ ░ ▒  ░ ░ ░ ▒   ░ ░  ░                                                                                              
            ░        ░        ░  ░ ░          ░  ░    ░ ░      ░ ░     ░                                                                                                 
                                        ░                            ░                                                                                                   
     --=[ Author: Cr4sHCoD3                     ]=--                                                                                                                     
| -- --=[ Version: 2                            ]=-- -- |                                                                                                                
| -- --=[ Website: https://github.com/cr4shcod3 ]=-- -- |                                                                                                                
| -- --=[ PureHackers ~ Blood Security Hackers  ]=-- -- |


[ PureBlood Menu ]

     01) Web Pentest / Information Gathering
     02) Web Application Attack
     03) Generator
     99) Exit

PureBlood>

Usage is very simple. Just choose an option, pick the target and follow the instructions.

Web Pentest/Information Gathering Example:

Choose Web Pentest from menu:

PureBlood> 1
[ Web Pentest ]
   01) Banner Grab
   02) Whois
   03) Traceroute
   04) DNS Record
   05) Reverse DNS Lookup
   06) Zone Transfer Lookup
   07) Port Scan
   08) Admin Panel Scan
   09) Subdomain Scan
   10) CMS Identify
   11) Reverse IP Lookup
   12) Subnet Lookup
   13) Extract Page Links
   14) Directory Fuzz
   15) File Fuzz
   16) Shodan Search
   17) Shodan Host Lookup
   90) Back To Menu
   95) Set Target
   99) Exit

PureBlood (WebPentest)>

Then select one of the options, and set the target:

PureBlood (WebPentest)> 2

PureBlood(WebPentest)> 95
[#] - Please don't put "/" in the end of the Target.
PureBlood>WebPentest>(Target)> www.google.com

Result:

"domain_name": [
    "GOOGLE.COM",
    "google.com"
  ],
  "registrar": "MarkMonitor, Inc.",
  "whois_server": "whois.markmonitor.com",
  "referral_url": null,
  "updated_date": [
    "2018-02-21 18:36:40",
    "2018-02-21 10:45:07"
  ],
  "creation_date": [
    "1997-09-15 04:00:00",
    "1997-09-15 00:00:00"
  ],
  "expiration_date": [
    "2020-09-14 04:00:00",
    "2020-09-13 21:00:00"
  ],
  "name_servers": [
    "NS1.GOOGLE.COM",
    "NS2.GOOGLE.COM",
    "NS3.GOOGLE.COM",
    "NS4.GOOGLE.COM",
    "ns4.google.com",
    "ns2.google.com",
    "ns1.google.com",
    "ns3.google.com"
  ],
  "status": [
    "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
    "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
    "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
    "serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited",
    "serverTransferProhibited https://icann.org/epp#serverTransferProhibited",
    "serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited",
    "clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
    "clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
    "clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
    "serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)",
    "serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)",
    "serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)"
  ],
  "emails": [
    "abusecomplaints@markmonitor.com",
    "whoisrelay@markmonitor.com"
  ],
  "dnssec": "unsigned",
  "name": null,
  "org": "Google LLC",
  "address": null,
  "city": null,
  "state": "CA",
  "zipcode": null,
  "country": "US"
}

Web App Attack Example:

Web Application Attack Usage Example (DEMO)

Download Pureblood

The post Penetration Testing Framework – Pure Blood appeared first on Tech Chronicles.

How to stay Anonymous online in 2020: VPN, TOR, WHONIX & TAILS

Majordomo — Fri, 21 Feb 2020 13:21:15 +0000

In many applications including surfing the internet, chatting, sending confidential documents anonymity has become a necessary and legitimate desire. A piece of information can be encrypted by using many encryption techniques, but it will only give you the encrypted content and will not hide your identity because It is still possible to know the source and destination of the communicating end. Anonymity in a business network can be devastating as it can make an organization vulnerable to security risks, liability and potential litigation and it is very useful for your competitor to know your moves. Moreover many renowned big companies like Amazon, Microsoft, and Google have collected your personal information in order to serve up targeted ads.

There is nothing wrong to be anonymous and controlling your own personal privacy if you are doing the legitimate business. Several ways are present to ensure your privacy while browsing the internet

VPN

VPN is the acronym for the Virtual Private Network, a technology that allows you to connect to one or more computers by using a private network from public internet connection. Your IP (internet protocol) address is the prime identity number that Internet provider assigns your computer to let you go anywhere on the Internet. It’s exactly like the house number on your home. It masks an IP address so all online activities are virtually untraceable from any one. User’s initial IP address is replaced with one from the Virtual Private Network provider so that a communication take place without being tracked, monitored, and identified.

Why VPN is called a network because you’re using a special network of VPN servers that covers the entire globe.

How does VPN Work?

VPN works in a way to bypass censorship by creating a pathway within a client and server ends with different control points through which data packets travel. When using a VPN an encryption and authentication layer is applied to that pathway in order to protect the traffic and data packets travel. Data packets travel through virtual, private and secure channel. This technique is called VPN Tunneling which creates a secure communication channel within network of computers.

Drawbacks of VPN

For end-device users, VPN might be an easy set up since you just need to download your VPN application and install it on your device but it has the drawback of being monitored from VPN service providers as they allow you to use their private servers in exchange for your data. There have been cases where VPN service providers are monitoring the data from their users for their own benefits in that way your communication is not all private but be monitored by service providers.

What is TOR?

The Onion Router (TOR) is a free and open-source software for enabling anonymous communication. It is designed to stop people tracking your browsing habits including government agencies and corporations. The name (The Onion Router) refers to the way that Tor protects your data by wrapping it in multiple layers of encryption like an onion.

How does TOR work?

TOR Browser routes all web traffic through the TOR network, making it anonymous. As the image below shows, TOR consists of a three-layer proxy, like layers of an onion. At first, TOR Browser connects at random to one of the publicly listed entry guards, bounces that traffic through a randomly selected middle relay, and finally directed the traffic through the third and final exit relay.

Drawbacks of TOR

One of the drawbacks of TOR browser is that your ISP can see that you’re connected to TOR hence it can draw attention to you. Although, your ISP can’t see your activities but it will raise suspicion about what you’re doing.

Another drawback of using TOR browser is that it only hides traffic going through TOR network and won’t anonymize other apps on your computer hence not completely giving the concept of anonymity.

WHONIX OS

Whonix is a Debian based Linux operating system used to provide anonymity, privacy and security on browsing the Internet. It consists of two main components i.e. Whonix workstation and Whonix gateway.

Both components are VirtualBox virtual machine appliances, so as to run it on any operating system that has VirtualBox.

How Does Whonix Work?

At first the Whonix workstation and gateway are configured on host machine. Workstation consists of the desktop application, routes all of its traffic to the gateway which is connected to the workstation. The gateway is further connected to the TOR network for accessing the internet. Whonix gateway is the only way for the workstation to transmit the information through internet because the workstation is an isolated machine and it has no idea about its own host IP and configuration.

From the image we can see that all the traffic that is directed through the gateway is TORrified while the traffic from the host machine in non TORified.The host machine does not participate in the Whonix private network and that is why continues to use its normal internet connection.

It is a huge advantage of isolating the workstation from a network to keep an IP address private even if any application in a Whonix workstation is compromised, it is almost impossible to reveal your IP because it does not know your IP.

Drawbacks of Whonix

Although Whonix provides transparency of your IP address, it has a notable disadvantage in terms of physical security. If your host machine is ever compromised, all the stored personal information and your internet browsing activity could be discovered easily.

TAILS Linux OS

If your goal is to leave no trace of every activity you did on the host machine then choose Tails. Tails or The Amnesic Incognito Live System is a live Debian based linux operating system that aims to provide privacy and anonymity. You can start TailsOS on almost any computer from a USB stick or a DVD. Tails sends its traffic by using TOR network, leaving no trace on the system you are using.

Live means it runs on the medium typically a USB, immediately upon starting the system. The entire operating system lives on that USB. All you have to do is first download the live operating system, write it on a USB, insert it to the system, after turning it on you will get a live operating system simply boots from a USB device.

The portability of TailsOS solves the problem of physical security as if your USB device ever gets lost or compromised, there will be no personal information present on that USB as well as the system on which you have inserted that USB and nothing can be learned about your specific usage.

And The Winner Is?

As we have seen there are many techniques and tools available to hide a person’s identity while browsing the internet. The above mentioned techniques provide anonymity at some point and has some notable drawbacks which can lessen the degree of anonymity so by comparing VPN, TOR, WHONIX and TAILS, the technique that is said to be the best practice for providing complete anonymity as well as safe and secure communication is TAILS as it gives you complete security for traffic transmission, privacy of identity and the physical security.

The post How to stay Anonymous online in 2020: VPN, TOR, WHONIX & TAILS appeared first on Tech Chronicles.

WhatTheHack – A Collection Of Challenge Based Hack-A-Thons Including Student Guide, Proctor Guide, Lecture Presentations, Sample/Instructional Code And Templates

Majordomo — Fri, 07 Feb 2020 10:27:06 +0000

WhatTheHack is a collection of challenge based hack-a-thons including student guide, proctor guide, lecture presentations, sample/instructional code and templates.

What, Why and How

“What the Hack” is a challenge based hackathon format
Challenges describe high-level tasks and goals to be accomplished
Challenges are not step-by-step labs
Attendees work in teams of 3 to 5 people to solve the challenges
Attendees “learn from” and “share with” each other
By having to “figure it out”, attendee knowledge retention is greater
Proctors provide guidance, but not answers to the teams
Emcees provide lectures & demos to setup challenges & review solutions
What the Hack can be hosted in-person or virtually via MS Teams

How to Add Your Hack
We welcome all new hacks! The process for doing this is:

Fork this repo into your own github account
Create a new branch for your work
Add a new top level folder using the next number in sequence, eg:
- 011-BigNewHack
Within this folder, create two folders, each with two folders with in that looks like this:
- Host
  - Guides
  - Solutions
- Student
  - Guides
  - Resources
The content of each folder should be:
- Student/Guides: The Student’s Guide
- Student/Resources: Any template or “starter” files that students may need in challenges
- Host/Guides: The Proctor’s Guide lives here as well as any Lecture slide decks
- Host/Solutions: Specific files that the proctors might need that have solutions in them.
Once your branch and repo have all your content and it formatted correctly, follow the instructions on this page to submit a pull request back to the main repository:
- https://help.github.com/articles/creating-a-pull-request-from-a-fork/

Download WhatTheHack

The post WhatTheHack – A Collection Of Challenge Based Hack-A-Thons Including Student Guide, Proctor Guide, Lecture Presentations, Sample/Instructional Code And Templates appeared first on Tech Chronicles.

OverTheWire Bandit Walkthrough – Level 0 – 6

Majordomo — Fri, 07 Feb 2020 10:16:10 +0000

What is OverTheWire?

The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.

Link: https://overthewire.org

What is OverTheWire Bandit?

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.

Getting Started

To get started with the wargames, you need to use SSH to connect to the OverTheWire bandit servers, you can do this by using SSH clients on both Windows and Linux. The preferred SSH client for Windows is Putty and the preferred client for Linux is OpenSSH.

You can install the OpenSSH client on Linux by running the following command:

sudo apt-get install openssh-client

Alternatively, if you are running an Arch-based distribution you can run the following command with pacman:

sudo pacman -S openssh

After you have an SSH client installed you can connect to the OverTheWire Bandit server by using the following syntax.

ssh username@address -p

Level 0 – 1

We can get started with level 0 by connecting to the server with the following credentials:

Username: bandit0

Password: bandit0

We can connect to the server via SSH with the following syntax:

ssh bandit0@bandit.labs.overthewire.org -p 2220

After authenticating with the server, we should have access as bandit0. After listing the files in the current working directory, we are greeted with a readme file. We get the password for the next level by displaying the content of the file.

Level 1 – 2

The objective for this level is to display the content of a file called -. After displaying the content of the file with cat, we get the password for the next level.

Level 2 – 3

The objective for this level is to display the content of a file with spaces in the filename. We can use cat to display the content of the file as shown in the screenshot below.

Level 3 – 4

The password for level 4 can be found in the inhere directory. After listing the files in the directory, we are greeted with a dot file called .hidden. We can use cat to display the content of the file to get the next password.

Level 4 – 5

This level involves finding a human-readable file stored in the inhere directory. We can utilize the find command in conjunction with the xargs utility. This will display the files in the directory and their type. In this case, we find that the only human-readable file in the directory is -file07. We can use cat to display the content of the file to get the password for the next level.

Level 5 – 6

This level involves finding a file in the inhere directory with specific parameters:

Is human-readable
1033 bytes in size
not executable

We can utilize the find command with specific arguments tailored to the specific characteristics of the file we are looking for.

find . -type -f -size 1033c ! -executable

After running the command, we find that the file that matches the search parameters is .file2. We can display the content of the file with cat to get the password for the next level.

Level 6 – 7

Similar to level 5, this level involves finding a file on the server with specific parameters and ownership permissions:

Owner by user bandit7
owned by group bandit6
33 bytes in size

We can use the find command with the following options and parameters to fine-tune our results.

find / -type f -user bandit7 -group bandit6 -size 33c

After running the command we find the file that we were looking for.

The post OverTheWire Bandit Walkthrough – Level 0 – 6 appeared first on Tech Chronicles.