Finding the Source of Windows Password Spraying Attacks

Password Spraying

Finding the source of Windows password spraying attacks can be daunting as the Event log does not provide the source IP of the machine making the calls.

Windows Event Logs

Ideally all of your Windows Event logs from your domain controllers should be going into some type of SIEM. I will be . . .

Windows Batch Programming Notes and Examples

Recently I've been writing a lot of Windows batch files that need to be compatible with both Windows 7 and Windows 10. I've decided to document some of what I have learned below.

Check if .bat file was run with elevated privileges

WHOAMI /Groups | FIND "12288" >NUL
IF ERRORLEVEL 1 (
ECHO This batch . . .

vmfusion cannot write to new drive windows 10

Recently I added a new drive to my Windows 10 VM using VMFusion 10.0.

I was unable to write to it even after making myself owner of it.

After digging into this for a while it appears that VMware is treating new SCSI drives as USB devices and blocking writing (even though I can format . . .

Disabling Internet Explorer Security Mode from PowerShell

Internet Explorer Enhanced Security mode can be frustrating to disable. Here is a fast way to disable it.

First open an Administrative PowerShell Window.

Next run the following:

$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
$UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0
Stop-Process -Name Explorer . . .

Analyzing Windows Registry Keys on OSX

I'll be reviewing how to analyze a .reg file for unique values on OSX.

Prerequisite

dos2unix will be required:

brew install dos2unix

Instructions

In this example we will assume you have dumped all of HKEY_CURRENT_USER\Software\ into a file named software-all.reg.

Converting the .reg file to UTF-8

The .reg file must be converted to a . . .

Extracting Password Hashes from Active Directory

Extracting hashes from Active Directory

To extract hashes from Active Directory you must first obtain a copy of the underlying Active Directory database, ntds.dit.

For more information on the Data Store Architecture please refer to this Microsoft TechNet article.

Prerequisites

You must be logged on to a domain controller.

Extracting the Database

To extract . . .

iis disable debug

In IIS, to disable debug, do the following.

Modify the Web.config File

Open the Web.config file in a text editor such as Notepad.exe. The Web.config file is typically located in the application directory.

Modify the compilation element and set debug="false":

<compilation debug="false" />

Save the Web.config file. The ASP.NET application automatically restarts.

Modify the Machine.config file . . .

Using lzop on Windows

I wanted a fast way to back up an AppDynamics MySQL database directory on Windows. The answer was lzop.

Tools

GoW 0.8.0 (GNU on Windows)
lzop for Windows

Setup

Set your Environment PATH

After installing GoW and extracting lzop.exe, set your environment PATH to include the directory where you extracted lzop.exe.

Stop AppDynamics Controller and Database . . .

Active Directory Password Expiration Date

To find out the password expiration date for an Active Directory user you must first determine your domain’s password expiration policy and then when the password was last set.

Find your Domain Password Expiration Policy

import-module activedirectory
Get-ADDefaultDomainPasswordPolicy

The MaxPasswordAge property gives the default password expiration policy.

Determine Date User Password Was Last Set . . .

iis 7.5 The format of the specified network name is invalid – IIS Error 0x800704BE

Problem

IIS 7.5 is holding on to an IP and you cannot get it to listen on the right IP.

You might see this error message:

The format of the specified network name is invalid – IIS Error 0x800704BE

Solution

You will need to remove and add the listening IP via netsh (see below).

Determine . . .