codeAssassin

@codeAssassin

As a code assassin my focus is on learning different ways to break code and, therefore, secure it. Interested in everything cyber security!

Joined on Dec 2, 2021

Thanks for passing by, here's a quick summary of what I can do for you!

  • We start by scanning the target with nmap to find open ports. Navigating to the HTTP ports, we can look at the directories under 50000 using dirb. We navigate to /askjeeves, then to Manage Jenkins > Script Console.
  • References: Fuzzy Security, Windows Priv Esc Guide (abs), Priv Esc Windows Guide (sushant), Payload all the things. To get system info use: systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type". To check patching levels use: wmic qfe
  • We start by scanning the target with nmap to find open ports, then drill down to the ports marked with the tcpwrapped service. Using searchsploit: searchsploit achat
  • We start by scanning the target with nmap to find open ports: nmap -sC -sV -oA active 10.10.10.100. Since we can see DNS (53), LDAP and SMB (445) we are likely on a Windows server. Inspecting the output, there are no shares listed, so we can try to connect via smbclient with null authentication to enumerate them: smbclient -L //10.10.10.100. The IPC$ and SYSVOL shares are expected of a domain controller.
  • MSF architecture. Modules: Exploit contains the exploit code. Payload contains the shellcode used after the exploit compromises a system. Encoder allows us to modify the appearance of our exploit in order to avoid signature detection. NOP is used with buffer overflow and ROP attacks; a NOP generator produces a series of random bytes that can be used to bypass standard IDS and IPS NOP sled signatures. Auxiliary performs arbitrary actions not directly related to exploitation, e.g. scanning, fuzzing and DoS attacks; usually used to scan and verify that machines are exploitable. Post is used for looting and pivoting.
  • I specialize in Cybersecurity covering both Offensive and Defensive operations having accrued experience for over five years through: Conducting research for a Pan-African cybersecurity firm. Working as a SOC Analyst and Penetration Tester at a Managed Security Services provider. Spearheading technical Digital Forensics Operations for the PwC East Africa Forensics team. Leading Security Operations at a multi-national bank. If you are reading this you might be interested in contracting me to do some cyber security work for you. As a client-focused, result-oriented cyber security consultant I offer expertise in both Offensive and Defensive cyber security. It would be my pleasure to get to know more about your needs so that I can best explain how I will be able to meet them should you choose to work with me.
  • Introduction. This article serves as a guide for the use of Tmux, an open source terminal multiplexer. I find it to be fun for security work, CTFs, and generally useful. To install tmux: sudo apt install tmux. To start tmux: tmux
  • Introduction. This article is meant to serve as a 'how to' guide for Incident Response and Digital Forensics practitioners. It assumes prior security knowledge and only highlights a methodology that I have personally found useful when conducting investigations. Agenda. The go-to methodology to get up and running with forensics is as follows: extract evidence; mount with Arsenal Image Mounter
  • In this article, we take a look at database security controls that should be implemented to enhance security in the case that you have a web app that uses a database. The measures apply equally to databases utilized by other services in various architectures. We shall cover 10 controls that can get you up to speed if implemented correctly. Database Security Controls: Deploy a Database Activity Monitoring (DAM) tool to continuously monitor database activities and detect abnormal behavior or unauthorized access attempts in real time. Enforce secure configuration by following vendor best practices and guidelines. Minimize One Acre Fund's attack surface by disabling unnecessary features and services. Enable audit features in the database to track and log user activities and changes to data.
  • Welcome back to the Web Application Security series, where we go through a guide on how to better secure your app / web server environments. The article is heavily informed by the OWASP Web Security Top 10. Securing App / Web Servers in line with OWASP: for steps 1 to 5 read Web Application Security 101. 6. Enforce strong authentication, authorization, and session management mechanisms. Use multifactor authentication (MFA) where possible to prevent brute force attacks, credential stuffing, and stolen credential reuse attacks. Align password length, complexity, and rotation policies with NIST SP 800-63B guidelines for memorized secrets and modern evidence-based password policies.
  • In this article, we delve into the measures one can take to enhance the security of web applications through securing app/web servers. The aim is to give an overview that can guide the secure design and deployment of web applications. The article is heavily informed by the OWASP Web Security Top 10. Securing App / Web Servers in line with OWASP: 1. Enforce Role Based Access Control (RBAC). This implements strong access control mechanisms to restrict unauthorized access to the app/web server according to the principle of least privilege. Disable web server directory listing and ensure file metadata like git files and backup files are not present within web roots. Log access control failures and alert admins as needed, e.g. in case of repeat failures.
  • Core Windows Processes. The location of all the executables is C:\Windows\System32, except for Explorer.exe (which is in C:\Windows). smss.exe: Session Manager Subsystem (smss.exe) is responsible for creating new sessions. It is the first user-mode process started by the kernel. It starts the kernel-mode and user-mode parts of the Windows subsystem, including win32k.sys (kernel mode) and winsrv.dll (user mode).
  • Priv Esc? Privilege escalation involves going from lower to higher permissions. It is the exploitation of a vulnerability, design flaw or configuration oversight in an operating system or app to gain unauthorized access to resources that are usually restricted. Types of Priv Esc: Horizontal: compromising a user with similar permissions to the ones you already have, possibly to use one of their files with SUID access to elevate your permissions. Vertical: elevating your permissions / gaining access to systems that require higher privilege than you already have. LinEnum
  • MITRE is a US-based non-profit corporation that not only specializes in cyber security research but also tackles AI, health informatics, space security and other areas with an aim to address challenges facing the stability, safety and well-being of the USA. Projects from MITRE that are of interest to the cybersecurity community include: ATT&CK: Adversarial Tactics, Techniques and Common Knowledge framework; CAR: Cyber Analytics Repository knowledge base; SHIELD: Active Defense; AEP: ATT&CK and Emulation Plans. APT stands for Advanced Persistent Threat.
  • I'm doing a Defense Against the Dark Arts series as I build up a curriculum for my incoming cybersecurity mentees. This post will be covering an introduction to YARA. Yet Another Ridiculous Acronym (YARA) is "the pattern matching swiss knife for malware researchers (and everyone else)". YARA can identify info based on both binary and textual patterns, such as hex and strings contained within a file. Rules are used to label these patterns. YARA rules are frequently written to determine if a file is malicious or not based on the features / patterns it presents. In YARA your rule is only as effective as your understanding of the pattern you want to search for.
  • Volatility is a free memory forensics tool developed and maintained by Volatility Labs. It is the gold standard for memory forensics in incident response. You can capture the memory of live machines using the following tools: FTK Imager, Redline, DumpIt, win32dd.exe / win64dd.exe
  • Passive Recon. We use: whois to query WHOIS servers; nslookup to query DNS servers; dig to query DNS servers; DNSDumpster; Shodan.io. These are all publicly available records and hence do not alert the target.
  • DNS stuff: DNS transfers. View the address of the DNS server: nslookup. View the fully qualified name of the returned server: server <ip>, e.g. server 10.0.20.4.azure. Attempt a zone transfer: ls -d <domain>, e.g. ls -d contoso.azure
  • Burp Suite is a framework of web app pentesting tools. Note that you need to install the Burp CA certificate in order to be able to load things with SSL. You can find this by navigating to localhost once Burp is running and you've channeled traffic to run through it. Burp Suite is a suite of: Proxy: lets you redirect web traffic to Burp for analysis; Target: where we set the scope of the project, can also be used to generate a site map; Intruder: does field fuzzing, credential stuffing etc.
  • DNS: the Domain Name System is how we find resources on the internet. TLD - top level domain, classified as generic TLD (gTLD) or country code TLD (ccTLD). For hackmd.io, .io is the TLD and hackmd is the second-level domain. When registering a domain, the second-level domain is limited to 63 characters + the TLD and can only use 0-9, a-z and hyphens; however, it cannot start / end with hyphens or have consecutive hyphens. Subdomains sit on the left-hand side of the second-level domain and are separated from it by a period. A subdomain name has the same naming restrictions as the second-level domain. You can use multiple subdomains split with periods to create longer names, but the total length must not exceed 253 characters.