
Armitage is an extension of the Metasploit Framework: it adds a graphical user interface, is written in Java, and is similar to Cobalt Strike. More importantly, it is free.

OS detection scan

Exploit it via ms17_010_eternalblue (drag the payload file onto the target machine's icon)

When I used the MERN stack service on DigitalOcean and developed a web app in TypeScript, I ran into some HTTP request issues. After modifying the Nginx configuration file on the remote server, the issue was finally solved.

For unknown reasons, a bridged-networking issue with VMware could not be resolved.
Step 1: Find VMware under Programs in the Control Panel, right-click it to change the installation, and select Repair.
Step 2: If that does not solve the problem, the likely cause is an earlier upgrade of the virtual machine version or an improper deletion of VMware's configuration files, which makes the virtual network adapter disappear. At this point, download the VMware installation package and the CCleaner software.
Step 3: Uninstall the installed VMware Workstation from the Control Panel. Search for the keyword vm under the directory C:\Program Files, and delete all files whose names contain vm.
Step 4: Use CCleaner to scan the registry. When the scan completes, select all entries and fix all errors.
Step 5: Reinstall VMware; the network adapter and networking issues will be resolved.


Reference:
https://blog.csdn.net/czg13548930186/article/details/77099377

Digital forensics

  1. Registry keys and their locations
  2. Prefetch files
    Find from C:\Windows\Prefetch
  3. Browser history - use BrowsingHistoryView (x64)
    Find from C:\Users\%username%\AppData\Local\Microsoft\Windows\History
  4. Cache - use IECacheView
    Find from C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
  5. Cookies - use IECookiesView
    Find from C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
  6. Windows firewall logs
    Find from C:\Windows\System32\LogFiles\Firewall\pfirewall.log
  7. Windows event logs
    Find from C:\Windows\System32\config
  8. If you have full access to the source disk, the easiest way to determine when a USB device was installed
    Find from C:\Windows\inf\setupapi.dev.log
  9. OS name and product ID
    Find from HKEY_LOCAL_MACHINE\TEST\Microsoft\Windows NT\CurrentVersion 14
  10. Check typed URLs under NTUSER.DAT
    under raw data\software\microsoft\typed urls
  11. The SYSTEM hive can show network connection information
  12. Chrome cache - use ChromeCacheView
    Find from C:\Users\%username%\Desktop\Google\AppData\Local\Google\Chrome\User Data\Default\Cache
  13. Chrome history - use ChromeHistoryView
    Find from C:\Users\%username%\Desktop\Google\AppData\Local\Google\Chrome\User Data\Default\History

  More useful tools: Autopsy, Windows Registry Recovery, RegRipper, Technology Pathways ProDiscover Basic.
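Item 6 points at pfirewall.log, which is a W3C extended-format text log: a few `#` directives, then one space-separated record per line whose columns are named by the `#Fields:` directive. The following parser is an added example written for these notes (it is not from the original post and not a NirSoft or Microsoft tool); the log records embedded in it are constructed sample data, and the "five distinct ports from one source" threshold is this example's own assumption for spotting a probing host.

```python
"""Parse a Windows Firewall pfirewall.log and summarise what it dropped.

Added example, not from the original notes. The records in SAMPLE_LOG are
constructed sample data laid out in the real '#Fields:' column order; the
scan threshold in summarise_drops() is an assumption of this example.
"""
from collections import Counter, defaultdict

# Constructed sample log: directives first, then one record per line.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-10-05 10:23:11 DROP TCP 192.168.1.50 192.168.1.10 49152 445 52 S 123456 0 8192 - - - RECEIVE
2021-10-05 10:23:11 DROP TCP 192.168.1.50 192.168.1.10 49153 135 52 S 123457 0 8192 - - - RECEIVE
2021-10-05 10:23:12 DROP TCP 192.168.1.50 192.168.1.10 49154 3389 52 S 123458 0 8192 - - - RECEIVE
2021-10-05 10:23:12 DROP TCP 192.168.1.50 192.168.1.10 49155 22 52 S 123459 0 8192 - - - RECEIVE
2021-10-05 10:23:13 DROP TCP 192.168.1.50 192.168.1.10 49156 80 52 S 123460 0 8192 - - - RECEIVE
2021-10-05 10:24:01 ALLOW TCP 192.168.1.10 93.184.216.34 51000 443 0 - 0 0 0 - - - SEND
2021-10-05 10:25:40 DROP UDP 10.0.0.7 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2021-10-05 10:26:02 DROP ICMP 192.168.1.77 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_pfirewall(text):
    """Yield one dict per record, keyed by the column names from '#Fields:'."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no records
        if fields is None:
            raise ValueError("record seen before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                      # truncated or corrupt line: skip it
        yield dict(zip(fields, values))


def summarise_drops(records, scan_threshold=5):
    """Count DROP records per source and flag sources that touched many ports.

    A source that was dropped on >= scan_threshold distinct destination
    ports is listed under 'probing_sources' (threshold is an assumption).
    """
    drops = [r for r in records if r["action"] == "DROP"]
    drops_by_src = Counter(r["src-ip"] for r in drops)
    ports_by_src = defaultdict(set)
    for r in drops:
        if r["dst-port"] != "-":          # ICMP records carry no port
            ports_by_src[r["src-ip"]].add(int(r["dst-port"]))
    probing = sorted(src for src, ports in ports_by_src.items()
                     if len(ports) >= scan_threshold)
    return {
        "total_drops": len(drops),
        "drops_by_src": dict(drops_by_src),
        "ports_by_src": {src: sorted(p) for src, p in ports_by_src.items()},
        "probing_sources": probing,
    }


if __name__ == "__main__":
    summary = summarise_drops(parse_pfirewall(SAMPLE_LOG))
    print(f"{summary['total_drops']} DROP records")
    for src, n in sorted(summary["drops_by_src"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:<16} {n:>3} drops  ports {summary['ports_by_src'].get(src, [])}")
    for src in summary["probing_sources"]:
        print(f"  {src} was dropped on {len(summary['ports_by_src'][src])} distinct ports")
```

Point the parser at the real file with `parse_pfirewall(open(path, encoding="utf-8", errors="replace").read())`; the `#Fields:` directive is read from the log itself, so a log written with a different column set still parses correctly.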
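Item 8 names setupapi.dev.log as the quickest source for USB installation times. Each installation is logged as a section that opens with a `>>>  [Device Install (Hardware initiated) - <device instance id>]` line followed by `>>>  Section start yyyy/mm/dd hh:mm:ss.fff` (local time). The script below is an added example for these notes, not part of the original post; the log excerpt inside it is constructed sample data with made-up vendor, product and serial values, and it deliberately contains a second section for the same stick so that the "first seen" rule is exercised.

```python
"""Recover when each USB device was first installed from setupapi.dev.log.

Added example, not from the original notes. SAMPLE_SETUPAPI is a constructed
excerpt in the real section layout; every identifier in it is made up.
"""
import re
from datetime import datetime

SAMPLE_SETUPAPI = r"""[Device Install Log]
     OS Version = 6.3.9600
     Architecture = amd64

[BeginLog]

>>>  [Device Install (Hardware initiated) - PCI\VEN_8086&DEV_1C3A&SUBSYS_04A41028&REV_04\3&11583659&0&B0]
>>>  Section start 2019/04/12 07:59:10.001
<<<  Section end 2019/04/12 07:59:11.234
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2019/04/12 08:15:32.199
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 08:15:32.215
<<<  Section end 2019/04/12 08:15:35.912
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2019/04/12 08:15:36.104
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2019/04/12 08:15:38.551
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2019/04/15 13:02:07.440
<<<  Section end 2019/04/15 13:02:08.100
<<<  [Exit status: SUCCESS]
"""

SECTION_RE = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>.+?)\]\s*$")
START_RE = re.compile(
    r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
USB_PREFIXES = ("USB\\", "USBSTOR\\")


def device_installs(text):
    """Yield (device_instance_id, section_start) for every install section."""
    pending = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            pending = m.group("devid")        # remember the id until its start line
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            yield pending, datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            pending = None


def usb_first_install(text):
    """Map each USB/USBSTOR device instance id to its earliest install time."""
    first = {}
    for devid, ts in device_installs(text):
        if not devid.upper().startswith(USB_PREFIXES):
            continue                          # ignore PCI, HID, etc.
        if devid not in first or ts < first[devid]:
            first[devid] = ts
    return first


def usbstor_serial(devid):
    """Return the serial portion of a USBSTOR instance id.

    USBSTOR ids end in '<serial>&<instance>'; the serial is what links the
    USBSTOR entry to the matching USB\\VID_...&PID_...\\<serial> entry.
    """
    return devid.rsplit("\\", 1)[-1].split("&", 1)[0]


if __name__ == "__main__":
    for devid, ts in sorted(usb_first_install(SAMPLE_SETUPAPI).items(), key=lambda kv: kv[1]):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {devid}")
```

Run it against the real file with `usb_first_install(open(path, encoding="utf-8", errors="replace").read())`. Timestamps are whatever local time the machine was set to, so correlate them with the time zone recorded in the SYSTEM hive before placing them on a timeline.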

Network forensics

  1. Some useful tools
    Snort, Security Onion, pfSense, Wireshark, NetworkMiner.
  2. A useful website to practice
    Find from https://www.malware-traffic-analysis.net/training-exercises.html

Memory forensics

  1. A useful tool - Volatility
  2. Some examples:

Identify the image's profile and other basic information

volatility_2.6_win64_standalone.exe -f citadeldc01.mem imageinfo

Print the process list as a tree

volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 pstree

Show the running processes

volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 pslist

Print the DLLs loaded by the process with PID 404

volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 dlllist -p 404

View active and previous network connections

volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 connections

Find hidden and injected code

volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 malfind

IE history records

volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 iehistory

Review the services list

volatility_2.6_win64_standalone.exe -f citadeldc01.mem --profile=Win8SP1x64 svcscan
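The pslist and pstree commands above give you the raw process table; the reviewing step is checking that each process has the parent Windows normally gives it. The script below is an added example for these notes (not from the original post and not part of Volatility): it parses Volatility 2.6 pslist text output, rebuilds the tree that pstree would print, and flags processes whose parent breaks the usual lineage. The pslist text embedded in it is constructed sample data, and the expected-parent table is this example's own assumption about standard Windows behaviour.

```python
"""Rebuild a process tree from Volatility 2 `pslist` output and check lineage.

Added example, not from the original notes or from Volatility. SAMPLE_PSLIST
is constructed data in the Volatility 2.6 pslist column layout; the
EXPECTED_PARENT and SINGLETONS tables are assumptions of this example.
"""
from collections import Counter, defaultdict

SAMPLE_PSLIST = """Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe00000f3c040 System                    4      0    101        0 ------      0 2019-04-12 08:00:01 UTC+0000
0xffffe00001a2e040 smss.exe                272      4      2        0 ------      0 2019-04-12 08:00:01 UTC+0000
0xffffe00001d61040 csrss.exe               376    368      9        0      0      0 2019-04-12 08:00:03 UTC+0000
0xffffe00001dc7040 wininit.exe             428    368      1        0      0      0 2019-04-12 08:00:03 UTC+0000
0xffffe00001ec3040 services.exe            520    428      6        0      0      0 2019-04-12 08:00:04 UTC+0000
0xffffe00001ef7040 lsass.exe               528    428      8        0      0      0 2019-04-12 08:00:04 UTC+0000
0xffffe00002040040 svchost.exe             620    520     12        0      0      0 2019-04-12 08:00:05 UTC+0000
0xffffe00002180040 svchost.exe             704    520     20        0      0      0 2019-04-12 08:00:05 UTC+0000
0xffffe00002a11040 explorer.exe           1288   1256     40        0      1      0 2019-04-12 08:01:10 UTC+0000
0xffffe00002f55040 svchost.exe            2940   1288      3        0      1      0 2019-04-12 09:14:52 UTC+0000
0xffffe00003104040 lsass.exe              3012   2940      2        0      1      0 2019-04-12 09:14:53 UTC+0000
"""

# Assumed normal lineage (lower-case names): child -> expected parent.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Assumed: exactly one live instance of each of these on a healthy host.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}


def parse_pslist(text):
    """Return a list of dicts, one per pslist row, skipping banner and header."""
    procs, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Offset"):
            in_table = True                   # column header: rows follow
            continue
        if not in_table or line.startswith("---") or not line.strip():
            continue
        tok = line.split()
        if len(tok) < 8:
            continue                          # truncated row
        procs.append({
            "offset": tok[0], "name": tok[1],
            "pid": int(tok[2]), "ppid": int(tok[3]),
            "threads": int(tok[4]), "session": tok[6],
            "start": " ".join(tok[8:11]), "exit": " ".join(tok[11:14]),
        })
    return procs


def render_tree(procs):
    """Indent children under parents, like pstree; orphans become roots."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p)
    roots = [p for p in procs if p["ppid"] not in by_pid]
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"{p['name']} (PID {p['pid']}, PPID {p['ppid']})")
        for c in sorted(children[p["pid"]], key=lambda c: c["pid"]):
            walk(c, depth + 1)

    for r in sorted(roots, key=lambda p: p["pid"]):
        walk(r, 0)
    return "\n".join(lines)


def check_lineage(procs):
    """Return findings for wrong parents and duplicated singleton processes."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p["name"].lower())
        if expected is None:
            continue
        parent = by_pid.get(p["ppid"])
        actual = parent["name"] if parent else "<exited/unknown>"
        if actual.lower() != expected:
            findings.append({"pid": p["pid"], "name": p["name"], "check": "unexpected-parent",
                             "detail": f"parent is {actual} (PID {p['ppid']}), expected {expected}"})
    counts = Counter(p["name"].lower() for p in procs)
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            pids = [p["pid"] for p in procs if p["name"].lower() == name]
            findings.append({"pid": None, "name": name, "check": "duplicate-singleton",
                             "detail": f"{counts[name]} instances: {pids}"})
    return findings


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print(render_tree(procs))
    for f in check_lineage(procs):
        print(f"[{f['check']}] {f['name']} {f['pid'] or ''}: {f['detail']}")
```

Feed it real output with `parse_pslist(subprocess.run([...pslist command...], capture_output=True, text=True).stdout)`. In the constructed sample the third svchost.exe hangs off explorer.exe and spawns a second lsass.exe, which is exactly the pattern the lineage check exists to surface; pslist alone lists both as ordinary processes.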

Live response (triage)

Use LiveResponseCollection-Cedarpelta
Find from https://www.brimorlabsblog.com/2019/04/live-response-collection-cedarpelta.html

CherryTree is a good note-taking tool that comes preinstalled in Kali. It also runs on Windows; just search for and download the Windows build. It can be very helpful for your study.

If you have already installed the Visual C++ 2012 redistributable and it still doesn't work, use the following link to install the Visual C++ 2015-2022 redistributable.
https://docs.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170
As for the missing DLL files, use the following two links to download them, then place them under "C:\Windows\SysWOW64" and "C:\Windows\System32" if your machine is 64-bit (Windows 10/8/7/2008 R2). Both msvcp120.dll and msvcr120.dll belong to the Visual C++ 2013 runtime, so installing the official 2013 redistributable also supplies them.
https://www.dll-files.com/msvcp120.dll.html
https://www.dll-files.com/msvcr120.dll.html


References:
https://blog.csdn.net/weixin_42629862/article/details/85175692
https://sourceforge.net/projects/wampserver/files/WampServer%203/WampServer%203.0.0/wampserver3.2.6_x64.exe/download

Here are some useful links for reference; I believe they are enough.
Note: when installing or uninstalling Docker and docker-compose, pay attention to the port numbers in use.


References:
https://github.com/vulhub/vulhub
https://phoenixnap.com/kb/how-to-install-docker-on-debian-10
https://docs.docker.com/compose/install/#alternative-install-options
https://docs.docker.com/engine/install/debian/#install-from-a-package
https://www.cnblogs.com/--kisaragi--/p/15393747.html