Friday, July 31, 2015

Windows Important Commands


What is WMIC?

WMIC stands for Windows Management Instrumentation Command-line. The wmic command is one of the more powerful commands on Windows.

This command is very useful for an analyst performing analysis or forensics on a Windows OS.
It helps gather information without third-party tools, and you can carry out multiple tasks with a single command.

List of running processes in brief

wmic process list brief
kill a process

wmic process where name="wordpad.exe" delete
Determine open shares

net share
wmic share list brief
Determine ip address

Get a new ip address

ipconfig /release
ipconfig /renew
Disk drive information

wmic diskdrive list full
wmic partition list full
List all patches

wmic qfe
List services

wmic service list brief
List user accounts

wmic useraccount list brief
List the number of times users whose name contains "adm" have logged on

wmic netlogin where (name like "%adm%") get numberoflogons
Restart the computer immediately

shutdown /r /t 0
Shut down the computer immediately

shutdown /s /t 0
Spawn a new command prompt

start cmd
Command line history

Determine the current user

Determine who is a member of the Administrators group

net localgroup administrators
Add a user where rocky is the username and redhat is the password

net user rocky redhat /add
Add user rocky to the Administrators group

net localgroup administrators rocky /add
List user accounts

net user
List network connections and the programs that make them (the -b switch requires an elevated prompt)

netstat -anb
Display the contents of the file text.txt

type text.txt
Edit the contents of the file text.txt

edit text.txt
Determine PC name

Determine whether a system is 32-bit or 64-bit

wmic cpu get DataWidth /format:list
Startup applications

wmic startup get caption,command
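The commands above are typed one at a time; during an investigation you usually want all of them captured at once, in a form you can re-read later. The following PowerShell script is an added example (not part of the original post) that runs the wmic queries listed above with /format:csv, writes each result to a timestamped folder, and then does a first triage pass over the startup entries, flagging any whose program lives outside Program Files or the Windows directory. It assumes an elevated PowerShell prompt on a Windows host that still ships wmic.exe; the folder name and the "trusted directory" list are the author's choices, not anything prescribed by wmic.

```powershell
# Added example (not from the original post): collect the wmic artifacts listed
# above into a timestamped folder for offline forensic review, then flag
# startup entries whose program lives outside the usual system directories.
# Assumes an elevated PowerShell prompt on a Windows host that still ships wmic.exe.

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = Join-Path $env:TEMP "triage-$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $out | Out-Null

# Output file -> wmic alias, verb and property list. /format:csv is appended so the
# result can be re-read with Import-Csv; wmic emits a leading blank line that is dropped.
$queries = [ordered]@{
    'process.csv'      = 'process get ProcessId,ParentProcessId,Name,ExecutablePath,CommandLine'
    'services.csv'     = 'service get Name,State,StartMode,PathName'
    'shares.csv'       = 'share get Name,Path,Type'
    'useraccounts.csv' = 'useraccount get Name,SID,Disabled,LocalAccount'
    'patches.csv'      = 'qfe get HotFixID,InstalledOn,Description'
    'startup.csv'      = 'startup get Caption,Command,Location,User'
    'diskdrive.csv'    = 'diskdrive get Model,SerialNumber,Size,InterfaceType'
}

foreach ($file in $queries.Keys) {
    $wmicArgs = $queries[$file].Split(' ') + '/format:csv'
    & wmic.exe @wmicArgs 2>$null |
        Where-Object { $_.Trim() -ne '' } |
        Set-Content -Path (Join-Path $out $file)
}

# netstat -anb lists the owning executable of each connection; -b needs elevation.
netstat -anb 2>$null | Set-Content -Path (Join-Path $out 'netstat.txt')

# Triage pass over the startup entries: anything not under Program Files or the
# Windows directory (e.g. %APPDATA%, %TEMP%) is where persistence usually hides.
$trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }
$suspect = Import-Csv (Join-Path $out 'startup.csv') | Where-Object {
    # Strip a quoted executable path from its arguments, then expand %VAR% references.
    $cmd = [Environment]::ExpandEnvironmentVariables(($_.Command -replace '^"([^"]+)".*$', '$1'))
    $hit = $false
    foreach ($dir in $trusted) {
        if ($cmd.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $hit = $true }
    }
    -not $hit
}
$suspect | Select-Object Caption, Command, Location, User | Format-Table -AutoSize
Write-Host "Artifacts written to $out; $(@($suspect).Count) startup entries to review."
```

Run it early in an engagement and keep the folder with the case notes: the CSV files are plain text, so they diff cleanly against a later collection from the same host, which is often the fastest way to spot a newly added service, share or user account.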

Tuesday, July 21, 2015

How To Set Up vsftpd on Ubuntu 12.04 | BlackHatTrick blog


About vsftpd

Warning: FTP is inherently insecure. If you must use FTP, consider securing your FTP connection with SSL/TLS. Otherwise, it is best to use SFTP, a secure alternative to FTP.

The first two letters of vsftpd stand for "very secure", and the program was built to have the strongest protection against possible FTP vulnerabilities.

Step One—Install vsftpd

You can quickly install vsftpd on your virtual private server in the command line:

sudo apt-get install vsftpd

Once the download finishes, vsftpd will be installed on your droplet. Generally speaking, it is already configured with a reasonable amount of security. However, it does provide access on your VPS to anonymous users.

Step Two—Configure vsftpd

Once vsftpd is installed, you can adjust the configuration.

Open up the configuration file:
sudo nano /etc/vsftpd.conf

The biggest change you need to make is to switch anonymous_enable from YES to NO:

anonymous_enable=NO

Prior to this change, vsftpd allowed anonymous, unidentified users to access the server's files. This is useful if you are seeking to distribute information widely, but may be considered a serious security issue in most other cases.

After that, uncomment the local_enable option, changing it to YES, and, additionally, allow the user to write to the directory.

local_enable=YES


Finish up by uncommenting chroot_local_user. When this line is set to YES, all local users will be jailed within their chroot and denied access to any other part of the server.

chroot_local_user=YES

Save and Exit that file.

Because of a recent vsftpd upgrade, vsftpd is "refusing to run with writable root inside chroot". A handy way to address this issue is to take the following steps:

Create a new directory within the user's home directory

mkdir /home/username/files

Change the ownership of the user's home directory to root

chown root:root /home/username

Make all necessary changes within the "files" subdirectory

Then, as always, restart: 
sudo service vsftpd restart
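The configuration edits and the chroot workaround above are easy to get subtly wrong by hand (a key left commented out, or the home directory still writable). The script below is an added example, not part of the original post, that applies the same settings with small functions that take the target file or base directory as an argument, so they can be rehearsed on a scratch copy before touching /etc/vsftpd.conf. Two things are assumptions of this example rather than statements from the post: the write_enable option (the vsftpd setting that actually lets local users upload, which is what "allow the user to write to the directory" refers to) and the 755 mode on the root-owned home directory.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the vsftpd settings
# described above and builds the root-owned home layout the chroot check
# requires. Functions take the file / base directory as arguments so they
# can be rehearsed on a scratch copy before touching /etc.
# write_enable is an assumption: it is the vsftpd option that lets local
# users upload ("allow the user to write to the directory").
set -eu

# set_conf FILE KEY VALUE: leave exactly one active "KEY=VALUE" line in FILE,
# removing any earlier active or commented-out (#KEY=...) occurrences first.
set_conf() {
    _file=$1; _key=$2; _value=$3
    sed -i -E "/^[#[:space:]]*${_key}=/d" "$_file"
    printf '%s=%s\n' "$_key" "$_value" >> "$_file"
}

# conf_value FILE KEY: print the active value of KEY (empty if unset).
conf_value() {
    sed -n -E "s/^${2}=(.*)$/\1/p" "$1" | tail -n 1
}

# harden_vsftpd FILE: no anonymous access, local logins allowed, uploads
# allowed, every local user jailed in their own home directory.
harden_vsftpd() {
    set_conf "$1" anonymous_enable NO
    set_conf "$1" local_enable YES
    set_conf "$1" write_enable YES
    set_conf "$1" chroot_local_user YES
}

# prepare_home BASE USER: BASE/USER owned by root and not writable by USER
# (so vsftpd accepts it as a chroot root), BASE/USER/files owned by USER for
# uploads. The chown/chmod steps need root and are skipped otherwise, which
# lets the directory layout itself be tested unprivileged.
prepare_home() {
    _base=$1; _user=$2
    mkdir -p "$_base/$_user/files"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$_base/$_user"
        chmod 755 "$_base/$_user"
        chown "$_user:$_user" "$_base/$_user/files"
    fi
}

# Usage on the real host: sudo sh this_script.sh --apply username
if [ "${1:-}" = "--apply" ]; then
    harden_vsftpd /etc/vsftpd.conf
    prepare_home /home "$2"
    service vsftpd restart
fi
```

Because set_conf deletes every earlier occurrence of a key before appending it, running the script twice leaves the file unchanged, and a stray "#anonymous_enable=YES" left over from the stock configuration can no longer mask the active line. After applying it, conf_value /etc/vsftpd.conf anonymous_enable should print NO before you restart the service.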

Step Three—Access the FTP server

Once you have installed the FTP server and configured it to your liking, you can now access it.

You can reach an FTP server in the browser by typing the domain name into the address bar and logging in with the appropriate ID. Keep in mind, you will only be able to access the user's home directory.

Alternatively, you can reach the FTP server on your virtual server through the command line by typing: ftp

Then you can use the word "exit" to leave the FTP shell.

Toolbox for Security Analyst | BlackHatTrick Blog


If you're just getting started in this field, know that half the battle is finding all the tools and understanding what they're best at. Here's my list of the sites I find myself using most and what they're good for:
Website Open Source Intelligence
  • CentralOps Domain Dossier - A nice simple DNS/WhoIs lookup tool.
  • Robtex - Horrible layout, good info for historical and current DNS records, infrastructure and findings all sites on a given IP.
  • DNSDumpster - A newcomer, makes a nice graph of subdomains for a given domain.
  • PassiveTotal - Requires being accepted in, but another great source for passive DNS data.
  • URLQuery - Search for the site in question, will give you a picture and all sorts of other awesome data on the site.
  • Page2Images - Get a picture of what a site looks like without going there.
  • Internet Archive - Actual snapshots of many pages at various points in history, unlike URLQuery, these can still be dangerous if the snapshot is captured at the point an infection was active.
Finding and Researching Malware Samples
  • Malwr - A standard in online dynamic and static analysis, uses the great Cuckoo Sandbox package. Great for submitting samples, even better for using their search terms for OSINT on related samples. Many samples are available for download.
  • Payload Security - A newcomer in online dynamic/static analysis, but so far I like the analysis of samples even better than Once they get more samples submitted this will likely be a contender for best. Unique feature of searching for viruses by family.
  • VirusTotal - One of the best sources for historical DNS lookups and IP/FQDN/URL reputation. They do basic static analysis and dynamic analysis, HUGE collection of samples.
  • PassiveTotal - Mentioned above, but also great for researching malware domains.
  • URLQuery - Mentioned above, good for testing if a site is infected, much more useful for finding the history of infection on a given website. Snapshots of compromised sites from here can be invaluable to an investigation.
  • VirusShare - A private site that collects LOTS of samples for download, and also offers massive BitTorrent downloads of gigs of malware.
  • MalwareViz - A unique site that takes a sample and draws a graph of network and file interactions.
  • KernelMode Malware Forum - A great place to find discussion and samples of most of the malware families.
  • IDA (Free Edition) - Unless you have tons of money, you'll be stuck with the free edition that doesn't support 64 bit code. That's ok, it's plenty good to get started.
  • Hopper Disassembler - The affordable disassembler. It's gotten dramatically more powerful in a short amount of time and is actually affordable. I think it's great for the price.
  • OllyDbg - The standard debugger for Windows programs. Tons of great plugins, use version 1 or 2 depending on the plugins you want to be able to use. There's also a GREAT tutorial series here, it's focused on binary cracking, but the skills involved in that are very similar to reverse engineering malware. It will teach you Olly very quickly.
  • REMnux - A great Linux distro that comes with 95% of the malware analysis tools you'll likely want to use ready to go. Lenny Zeltser, the creator of REMnux, also has an awesome tools catalog organized by task so you can find what you need. P.S. Lenny also runs the SANS Malware Reverse Engineering course, which is great for getting started in this field; I've taken it and can vouch that it's an awesome way to start.
  • Type 2 Hypervisors - What you want for running malware in a safe environment.
    • VMWare Workstation/Fusion - The standard, works great, used by many, and can control ESXi if you have it. Windows / OS X
    • VirtualBox - The free virtualization solution, works pretty much just as well as VMWare, but sometimes seems to be not as fast and may have a few less features. Windows / OS X / Linux
    • Hyper-V - Comes free with some versions of Windows 8+, can also be used to control a free Windows Hyper-V Server 2012 box. A great option if you want a headless server for VMs and have an extra, decently powerful computer laying around. Windows only.
    • KVM - Perhaps technically a Type 1 hypervisor, this typically runs alongside a host OS and can be run locally or headless, as with Proxmox. A great option if you use Linux as your main OS. There are lots of options for GUI management here depending on how you want to manage it.
  • Type 1 Hypervisors - For advanced setups with lots of VMs and multiple networks.
    • VMWare ESXi - An industry standard. The free version is very limited in advanced features, but is OK for making and using basic VMs. It's good to know for professional development, but the downside is their free management client is Windows only. It's also very picky with hardware: most server hardware will work, but if you try to put this on consumer hardware you might run into trouble. If you want this, try one of the next two options.
    • Proxmox - The free, web-managed ESXi alternative. I love Proxmox; I've written previously about how I currently use it for running Sophos UTM for my home router/firewall. It will work with mostly anything Linux works with. It's slightly less user-friendly than ESXi due to its somewhat lacking documentation, but most problems that aren't specifically solved in the wiki are a quick Google away.
    • Microsoft Hyper-V Server - Honestly, if you're in an all-Windows environment, this is free and the management portion comes built into Windows, so you should probably try it before anything else. Runs on tons of different hardware since it's Windows. Don't confuse Windows Server with the Hyper-V role installed with the standalone Hyper-V Server: the former is not free, the latter is. Also know that Windows 7 can only control up to Hyper-V Server 2008 R2; you must have Windows 8+ to use Hyper-V Server 2012+.