Jaacostan

This post is an introduction on Kroll Artifact Parser and Extractor (KAPE) and how it can be used to collect evidences.  When a malware is executed, it usually leaves some evidences about its execution. These are important details used for investigation and forensics. KAPE is an evidence acquisition tool and can be used to acquire all the evidence of execution from the victim's system. The KAPE directory has two main folders. Modules and Targets.  KAPE Modules. The modules directory contains different directories and inside it, we can see the module files with .mkape file extension. That is how the modules are identified. These modules defines how to process the collected evidence, can use scripts or the installed applications. To view all the available modules, browse the Kape directory or execute from the command line. Run kape.exe --mlist . to list all the modules. It is also mentioned in the .mkape file on how to format and store the evidence output.  The bin folder contains

Recently i have attended the Cloud security boot-camp from Penetester Academy and has cleared the certification exam (PACSP). This is a simple review about the boot-camp and the certification exam. The boot-camp consists of 5 x 3 hour live interactive sessions. The instructor Jeswin Mathai knows his domain and has delivered the concepts pretty clear. The live sessions are via Zoom meeting and the participants can interact live through the discord channel. No questions unanswered. The discord channel can be also used for support issues, related to labs , access etc. Over all the training channels, delivery methods were excellent. When you signup for the boot-camp, you receives the access code for 50 days of lab access on their AttackDefense platform. Now about the course content, this is an AWS cloud pen-testing course  and as they mentioned on their website, the syllabus of this boot-camp focuses on the teaching you the fundamentals and exploits for the 5 most commonly used components

Most of the attacks targeting AWS are based on exploiting the extensive permissions attached to the roles/accounts. This can be considered as a mis-configuration because the administrator was not following the principle of least privilege while creating roles and permissions. Assume a scenario, Where there is a user in AWS who has the permission to attach user policy. The same user can elevate the privilege because it has the access to attach policies in to it. The user can even gain administrative privileges by exploiting this mis-configuration. The user can search for the ARN for the Administrator role and can try to attach the role to the same user. First list the permission for the user, aws iam list-attached-user-policies --user-name USER1 Note down the policy ARN. And do more research on it , in search of any overly permissive permissions.  aws iam get-policy --policy-arn arn:aws:iam::11223344556:policy/Service   Look for the currently using policy version. Once we identified th

PentesterAcademy Vulnerable Servers II Lab Write-Up | metasploit-pivoting Lab Link : https://attackdefense.pentesteracademy.com/challengedetails?cid=1747 Vulnerable Servers II is a lab from PentesterAcademy, which is rated as easy. The lab topology shows two machines which means, there are two targets and the attacker has to perform pivoting in order to hack and get the flag from the target machine. First Select the nearest Server and Click on Run the lab.   Once the lab is up, a web based terminal will be opened in the Web Browser. Firstly, check the IP address of the attacking machine.  We can see that, there are two interfaces. And as per the instructions, the first target machine should be 192.17.147.3. Let’s perform an Nmap scan of the target. The scan result shows that TCP port 8080 is open and is running an Apache Tomcat webserver/Coyote JSP engine 1.1. Let’s try to connect the webserver using netcat.   We can see that the Webserver is running OpenKM, a Document

Are you interested in learning cybersecurity and having the big question "Where to start?". Well, few months ago, i also had the same question in my mind. Do i need to learn programming languages first, or web applications or networking ??? That's where i want to talk about the popular learning platform Tryhackme . TryHackMe is an online platform that helps people to learn cybersecurity, especially penetration testing by doing hands-on labs.  There are multiple learning paths available on the platform and based on your knowledge and skill, you can select the most suitable one. If you want to learn cybersecurity from the scratch, then you can explore each learning path, finish the rooms (Rooms are a set of learning exercises with an objective) and proceed to the next. But before diving deep, one must understand the technology and basics first. Introducing the Pre Security learning path . This path consists of 40 hours of content and will teach the necessary technical knowl

I am not an exploit developer but was interested to see how this vulnerability can be exploited. So i tried to replicate the infamous PrintNightmare vulnerability using the following PoCs ( https://github.com/cube0x0/CVE-2021-1675 ) and ( https://github.com/rapid7/metasploit-framework/pull/15385 ) However i had trouble with the new metasploit module (auxiliary/admin/dcerpc/cve_2021_1675_printnightmare) and i couldn't able to exploit the machine successfully. So i tried the second PoC from cube0x0. This one has done the magic. I just followed the guidelines with couple of tweaks. First of all, i installed the impacket (cube0x0 version) which will install the required modules and files. After that i set up a samba share with an anonymous login. This is required for hosting the dll file. I edited the smb.conf with the following settings. [global]     map to guest = Bad User     server role = standalone server     usershare allow guests = yes     idmap config * : backend = tdb     s

This month, i have done two certification exams. Certified Ethical Hacker (CEH) Practical and eLearn Security Junior Penetration Tester (eJPT). These were not actually in my plan however when i received the free vouchers, i thought of giving the exams.  So in this post, i am going to give a detailed comparison between the two certification exams.  Certified Ethical Hacker (CEH) Practical I went for the CEH practical exam with an aversion, but i found it not bad. Mostly the basic topics are validated in the exams. However for really really beginners, they might find the practical exam as useful. Most of the guys attempting this exam might sign up for iclass/ilabs for their exam preparation. But in my opinion, that is not necessary. The best alternative exam prep option is to sign up for Tryhackme and then learn + practice. As i mentioned earlier, i got the free voucher and therefore i didn't go through the ilabs/iclass. In the exam, there are some questions based on cryptographic,

I was trying to use the snmpenum.pl in my lab and encountered this error. Can't locate Net/SNMP.pm in @INC (you may need to install the Net::SNMP module) I searched over the internet for the fix , but couldn't able to find something direct. However, going through some of the stackoverflow pages, i fixed it and is explained below. 1) First install the required packages related to snmp utilities. sudo apt-get install libsnmp-perl 2) Install the SNMP module for perl. perl -MCPAN -e 'install Net::SNMP' That's it. And i was able to run the script.

Pivoting is a technique used during Pentesting. The attacker gain access on one of the remote machine in the target network segment and use that machine to move around another network. Pivoting is useful in a scenario where you don't have direct access to a remote network. For example, the attacker can access the DMZ server but not the Internal Server segment. But DMZ server can communicate with Internal Server Segment. In such scenario, firstly the attacker gain access to the DMZ server and then use the DMZ server as a foothold to gain access to the Internal Server Segment. Note that the older versions of metasploit supports MSF scripts but the latest version (metasploit 6.x) doesn't support it. So lets see how to perform pivoting using the newer versions of Metasploit. For the illustration, i assume that the attacker has been gained the access to one of the remote machine and now he needs to move around. After establishing a meterpreter shell, background it. Since msfscripts

The Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022. Organizations with websites optimized for Internet Explorer may consider configuring IE mode in Microsoft Edge.  If you are configuring IE mode for an enterprise, you may refer the step by step guide from Microsoft. To configure IE mode on your windows machine, follow the below steps. 1) Open Microsoft Edge browser 2) Go to Settings 3) Click on Default Browser option 4) On the right pane, you can see " Allow sites to be reloaded in Internet Explorer mode ". Toggle the button to ON  5) Restart Edge. 6) Now access any website. 7) To view the website in Internet Explorer Mode, click on Settings > More Tools > Reload in Internet Explorer Mode 8) Now the Website will be reloaded in IE mode. You can also see the settings from IE icon next to the address bar. 9) To exit IE mode, click on Settings > More Tools > Exit Internet Explorer Mode  

When a packet is sent to an open UDP port, default behavior should be no response, Simply because UDP is a connection-less protocol. When this happens, Nmap or port scanning scripts  refers to the port as being open|filtered. It could be open or behind the firewall. However, if it gets a UDP response which is very unusual in UDP, then the port is marked as open. Then how Nmap or other port scanning scripts confirms whether there is an open UDP port exists??? For this, one should know about the relation between UDP and ICMP. You may refer to this post to understand. When a packet is sent to a closed UDP port, the target responds with an ICMP (ping) packet containing a message that the port is unreachable. Using ICMP error codes, nmap identifies and confirms the closed ports.