Handler on Duty: Johannes Ullrich
Threat Level: green
Rob VandenBrink Diaries
- NMAP Scanning without Scanning (Part 2) - The ipinfo API
- Scanning without Scanning with NMAP (APIs FTW)
- Why yq? Adventures in XML
- Got MFA? If not, Now is the Time!
- API Rug Pull - The NIST NVD Database and API (Part 4 of 3)
- The CVE's They are A-Changing!
- A Vuln is a Vuln, unless the CVE for it is after Feb 12, 2024
- Netstat, but Better and in PowerShell
- What is sitemap.xml, and Why a Pentester Should Care
- JQ: Another Tool We Thought We Knew
- Shodan's API For The (Recon) Win!
- Citrix ADC Vulnerability CVE-2023-3519, 3466 and 3467 - Patch Now!
- HAM Radio + Enigma Machine Challenge
- Taking a Bite Out of Password Expiry Helpdesk Calls
- Today I Learned .. a new thing about GREP
- DNS Recon Redux - Zone Transfers (plus a time machine) for When You Can't do a Zone Transfer
- Finding that one GPO Setting in a Pool of Hundreds of GPOs
- Update to RTRBK - Diff and File Dates in PowerShell
- Playing with Powershell and JSON (and Amazon and Firewalls)
- Port Scanning in Powershell Redux: Speeding Up the Results (challenge accepted!)
- Finding Gaps in Syslog - How to find when nothing happened
- Breakpoints in Burp
- NMAP without NMAP - Port Testing and Scanning with PowerShell
- Taking Apart URL Shorteners
- A "DHCP is Broken" story, and a Blast from the Past (or should I say "Storm" from the past)
- It's New Phone Day! Time to migrate your MFA!
- Using NMAP to Assess Hosts in Load Balanced Clusters
- When Get-WebRequest Fails You
- Finding the Real "Last Patched" Day (Interim Version)
- Using Passive DNS sources for Reconnaissance and Enumeration
- Geoblocking when you can't Geoblock
- DR Automation - Using Public DNS APIs
- Microsoft Out of Band Update Resolves Kerberos Issue
- Changing your AD Password Using the Clipboard - Not as Easy as You'd Think!
- Sorting Things Out - Sorting Data by IP Address
- SharpRDP - PSExec without PSExec, PSRemoting without PowerShell
- Fun with DNS over TLS (DoT)
- Taking a Shot at Reverse Shell Attacks, CNC Phone Home and Data Exfil from Servers
- Fun with NMAP NSE Scripts and DOH (DNS over HTTPS)
- Using the NVD Database and API to Keep Up with Vulnerabilities and Patches - Tool Drop: CVEScan (Part 3 of 3)
- Using the NIST Database and API to Keep Up with Vulnerabilities and Patches - Playing with Code (Part 2 of 3)
- Using the NIST Database and API to Keep Up with Vulnerabilities and Patches (Part 1 of 3)
- What's in Your Clipboard? Pillaging and Protecting the Clipboard
- Office 365 Mail Forwarding Rules (and other Mail Rules too)
- SHA3 Hashes (on Windows) - Where Art Thou?
- Hashes in PowerShell
- Base Conversions and Creating GUI Apps in PowerShell
- Patch Tuesday Revisited - CVE-2020-1048 isn't as "Medium" as MS Would Have You Believe
- No IOCs? No Problem! Getting a Start Hunting for Malicious Office Files
- VMware Patches for Bugs in DHCP Service (Workstation, Fusion, Horizon, VMRC)
- Not all Ethernet NICs are Created Equal - Trying to Capture Invalid Ethernet Frames
- Whodat? Enumerating Who "owns" a Workstation for IR
- Auth-mageddon deferred (but not averted), Microsoft LDAP Changes now slated for Q3Q4 2020
- March Patch Tuesday is Coming - the LDAP Changes will Change Your Life!
- VMware Patch Alert!
- More on DNS Archeology (with PowerShell)
- Mining Live Networks for OUI Data Oddness
- Vulnerability on specific Cisco Industrial / Grid router models
- Mining MAC Address and OUI Information
- Investigating Gaps in your Windows Event Logs
- Combining Low Tech Scams: SMS + SET + Credit Card Harvesting
- When Users Attack! Users (and Admins) Thwarting Security Controls
- The Other Side of Critical Control 1: 802.1x Wired Network Access Controls
- Samba Project tells us "What's New" - SMBv1 Disabled by Default (finally)
- Dumping File Contents in Hex (in PowerShell)
- Using Powershell in Basic Incident Response - A Domain Wide "Kill-Switch"
- Verifying Running Processes against VirusTotal - Domain-Wide
- Finding the Gold in a Pile of Pennies - Long Tail Analysis in PowerShell
- The Other Side of CIS Critical Control 2 - Inventorying *Unwanted* Software
- Netstat Local and Remote -new and improved, now with more PowerShell!
- Unpatched Vulnerability Alert - WebLogic Zero Day
- Pillaging Passwords from Service Accounts
- Service Accounts Redux - Collecting Service Accounts with PowerShell
- Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators
- Finding Local Administrators on a Domain Member Stations
- Using AD to find hosts that aren't in AD - fun with the [IPAddress] construct!
- Powershell, Active Directory and the Windows Host Firewall
- Mitigations against Mimikatz Style Attacks
- Wikipedia Articles as part of Tech Support Scamming Campaigns?
- Struts Vulnerability CVE-2017-5638 on VMware vCenter - the Gift that Keeps on Giving
- Microsoft LAPS - Blue Team / Red Team
- Still Running Windows 7? Time to think about that upgrade project!
- Is it Time to Uninstall Flash? (If you haven't already)
- Data Exfiltration in Penetration Tests
- Certificates Revisited - SSL VPN Certificates 2 Ways
- Using Certificate Transparency as an Attack / Defense Tool
- Dissecting Malicious MS Office Docs
- Where have all my Certificates gone? (And when do they expire?)
- Let's Trade: You Read My Email, I'll Read Your Password!
- Digging into Authenticode Certificates
- Cracking AD Domain Passwords (Password Assessments) - Part 1 - Collecting Hashes
- Passwords Part 2 - Passwords off the Wire using LLMNR
- Should We Call it Quits for Passwords? Or, "Password Spraying for the Win!"
- What is My IP Again?
- SSH Server "Time to Live"? Less than a cup of coffee!
- Attacking SSH Over the Wire - Go Red Team!
- Securing SSH Services - Go Blue Team!!
- Auditing SSH Settings (some Blue Team, some Red Team)
- No IPv6? Challenge Accepted! (Part 1)
- Rooting Out Hosts that Support Older Samba Versions
- As Your Admin Walks Out the Door ..
- What did we Learn from WannaCry? - Oh Wait, We Already Knew That!
- OAuth, and It's High Time for Some Personal "Security-Scaping" Today
- The Quest for the Universal Fingerprint
- Migrating Telnet to SSH without Migrating
- Packet Captures Filtered by Process
- Phishing for Big Money Wire Transfers is Still Alive and Well (or: For Want of Good Punctuation, all was Lost)
- Infected Apps in Google Play Store (it's not what you think)
- Microsoft Patch Tuesday, or is that "Patch Next Tuesday"? - Flash Player RCE patched today
- 2 Apple Updates Today as Well - GarageBand and Logic Pro X
- Investigating Off-Premise Wireless Behaviour (or, "I Know What You Connected To")
- RTRBK - Router / Switch / Firewall Backups in PowerShell (tool drop)
- Stuff I Learned Decrypting
- Do You Use VirusTotal? Give PacketTotal a Spin!
- Making Windows 10 a bit less "Creepy" - Common Privacy Settings
- Protecting Powershell Credentials (NOT)
- If DDOS Attacks are Natural Disasters, is it Time to Update your DR Plan?
- What Does a Pentest Look Like?
- Microsoft Patch Tuesday Analysis
- Apple iOS 10 and 10.0.1 Released
- If it's Free, YOU are the Product
- MS Office 2013 - New Macro Controls - Sorta ...
- Using File Entropy to Identify "Ransomwared" Files
- Pentesters (and Attackers) Love Internet Connected Security Cameras!
- LogMeIn Captain! A "Not so Phishy" Phishing Campaign
- Controlling JavaScript Malware Before it Runs
- DNS and DHCP Recon using Powershell
- A Wall Against Cryptowall? Some Tips for Preventing Ransomware
- Pentest Time Machine: NMAP + Powershell + whatever tool is next
- Assessing Remote Certificates with Powershell
- Powershell and HTTPS ? It Ain?t All Rainbows And Lollipops! (or is it?)
- Libraries and Dependencies - It Really is Turtles All The Way Down!
- New Burp Feature - ClickBandit
- Uninstalling Problem Applications using Powershell
- The Perils of Vendor Bloatware
- Nessus and Powershell is like Chocolate and Peanut Butter!
- Google Reconnaissance, Sprinter-style
- Windows Service Accounts - Why They're Evil and Why Pentesters Love them!
- Yes Virginia, Stored XSS's Do Exist!
- SSL, SSL - Where Art Thou SSL?
- The Powershell Diaries 2 - Software Inventory
- The Powershell Diaries - Finding Problem User Accounts in AD
- Select Star from PCAP - Treating Packet Captures as Databases
- Syslog Skeet Shooting - Targetting Real Problems in Event Logs
- No Wireshark? No TCPDump? No Problem!
- A Different Kind of Equation
- Throwing more Hardware at Password Cracking - Lessons Learned
- oclHashcat 1.33 Released
- BURP 1.6.10 Released
- Raising the "Creep Factor" in License Agreements
- Which NTP Servers do You Need to Patch?
- Bridging Datacenters for Disaster Recovery - Virtually
- What's Wrong with Bridging Datacenters together for DR?
- Flushing out the Crypto Rats - Finding "Bad Encryption" on your Network
- Google Web "Firing Range" Available
- "Big Data" Needs a Trip to the Security Chiropracter!
- CSAM Month of False Postives - False Positives from Management
- Hacking with the Oldies!
- CSAM Month of False Positives: Ghosts in the Pentest Report
- CSAM Month of False Positives - Our ISP Says We're Hosting a BotNet!
- Identifying Firewalls from the Outside-In. Or, "There's Gold in them thar UDP ports!"
- "Death" of Internet Services
- Apple iCloud Security Incident
- Dodging Browser Zero Days - Changing your Org's Default Browser Centrally
- One More Day of Trolling in POS Memory
- Point of Sale Terminal Protection - "Fortress PCI at the Mall"
- Trolling Memory for Credit Cards in POS / PCI Environments
- Metasploit Update Alert
- Egress Filtering? What - do we have a bird problem?
- Finding the Clowns on the Syslog Carousel
- Certificate Errors in Office 365 Today
- New Security Advisories / Updates from Microsoft - Heads up for Next Patch Tuesday!
- Canada's Anti-Spam Legislation (CASL) 2014
- Assessing SOAP APIs with Burp
- Another Site Breached - Time to Change your Passwords! (If you can that is)
- Collecting Workstation / Software Inventory Several Ways
- Breaches and Attacks that are "Not in Scope"
- Beefing up Windows End Station Security with EMET
- Heartbleed, IE Zero Days, Firefox vulnerabilities - What's a System Administrator to do?
- Apache Struts Zero Day and Mitigation
- Fun with Passphrases!
- Be Careful what you Scan for!
- The Other Side of Heartbleed - Client Vulnerabilities
- Brace Yourselves (and your Users / Clients) for Heartbleed SPAM
- All things not Heartbleed
- Windows 8.1 Released
- Dealing with Disaster - A Short Malware Incident Response
- Patch Tuesday pre-Announcement - XP officially becomes the enemy next week
- TCP/5000 - The OTHER UPNP Port
- Mitigation Fail for Gas Pump Skimmers
- More on HNAP - What is it, How to Use it, How to Find it
- A Tale of Two Admins (and no Change Control)
- Isn't it About Time to Get Moving on Chip and PIN?
- New ISO Standards on Vulnerability Handling and Disclosure
- Hello Virustotal? It's Microsoft Calling.
- You Can Run, but You Can't Hide (SSH and other open services)
- How-To's for the Holidays - Java Whitelisting using AD Group Policy
- Target US - Credit Card Data Breach
- Passive Scanning Two Ways - How-Tos for the Holidays
- Adobe Updates today as well.
- Those Look Just Like Hashes!
- Scanning without Scanning
- Even in the Quietest Moments ...
- Microsoft Security Advisory (2914486): Vulnerability in Microsoft Windows Kernel 0 day exploit in wild
- ATM Traffic + TCPDump + Video = Good or Evil?
- Kaspersky flags TCPIP.SYS as Malware
- CSAM - Why am I seeing DNS Requests to IANA.ORG in my Firewall Logs?
- Oracle releases Oracle Critical Patch Update Advisory
- Java Quarterly Updates
- CSAM: Microsoft Logs - NPS and IAS (RADIUS)
- Am I using my Fingerprints yet?
- How do you spell "PSK"?
- More Goodies in the Apple Security Update Basket!
- Apple DDOS? Nope, just the update coming down!
- Cisco DCNM Update Released
- Apple IOS 7 - Brace for Impact!
- Happy Friday the 13th !
- Java and Old Hash Algorithms
- Get Ready for PCI 3.0
- What's Next for IPS?
- Building Your Own GPU Enabled Private Cloud
- Is "Reputation Backscatter" a Thing?
- Fibre Channel Reconnaissance - Reloaded
- ZMAP 1.02 released
- Hmm - where did I save those files?
- Can You Hear Me Now? - - - Um, not so well ...
- Java 7 Update 21 is available - Watch for Behaviour Changes !
- Oops - You Mean That Deleted Server was a Certificate Authority?
- Sourcefire VRT Community ruleset is live
- Several Cisco IOS DOS Issues Resolved
- Which IPS is "The Best"?
- IPv6 Focus Month: Barriers to Implementing IPv6
- All I need Java for is ....
- Silent Traitors - Embedded Devices in your Datacenter
- "Get Java Fixed Up"
- Be Careful What you Wish For!
- When Disabling IE6 (or Java, or whatever) is not an Option...
- What Else runs Telnets? Or, Pentesters Love Video Conferencing Units Too!
- Firefox and Thunderbird Updates
- Hotmail seeing some temporary access issues
- SQL Injection Flaw in Ruby on Rails
- All I Want for Christmas is to Not Get Hacked !
- What's in Your Change Control Form?
- Risk Assessment Reloaded (thanks PCI ! )
- Cyber Security Awareness Month - Day 23: Character Encoding Standards - ASCII and Successors
- Cyber Security Awareness Month - Day 18 - Vendor Standards: The vSphere Hardening Guide
- Cyber Security Awareness Month - Day 17 - A Standard for Risk Management - ISO 27005
- Firefox 16 / Thunderbird 16 updates
- Cyber Security Awareness Month - Day 11 - Vendor Agnostic Standards (Center for Internet Security)
- What's on your iPad?
- IE Zero Day is "For Real"
- Auditing a Network for VOIP Call Quality Metrics
- Snort Updated today
- Vote NO to Weak Encryption!
- Vote NO to Weak Keys!
- Today at SANSFIRE - Dude Your Car is PWND !
- Today at SANSFIRE (09 July 2012) - ISC Panel Discussion on the State of the Internet
- Browsers and SSL Security - a Race to the Bottom !
- vSphere 5.0 Hardening Guide Officially Released
- It's Phishing Season! In fact, it's ALWAYS Phishing Season!
- What's in Your Lab?
- Too Big to Fail / Too Big to Learn?
- Are Open SSIDs in decline?
- Patch for Oracle TNS Listener issue released !
- FCC posts Enquiry Documents on Google Wardriving
- An Impromptu Lesson on Passwords ..
- Stuff I Learned Scripting - Fun with STDERR
- It's Cyber Monday - Click Here!
- Pentesters LOVE VOIP Gateways !
- Stuff I Learned Scripting - - Parsing XML in a One-Liner
- Juniper BGP issues causing locallized Internet Problems
- Stuff I Learned Scripting - Evaluating a Remote SSL Certificate
- The Theoretical "SSL Renegotiation" Issue gets a Whole Lot More Real !
- Critical Control 11: Account Monitoring and Control
- Critical Control 4 - Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Apache HTTP Server mod_proxy reverse proxy issue
- Critical Control 2 - Inventory of Authorized and Unauthorized Software
- TLS 1.2 - Look before you Leap !
- When Good CA's go Bad: Other Things to Check in Your Datacenter
- Should We Still Test Patches?
- America's Got Telnet !
- Disaster Preparedness - Are We Shaken or Stirred?
- When Good Patches go Bad - a DNS tale that didn't start out that way
- Putting all of Your Eggs in One Basket - or How NOT to do Layoffs
- 8 Years since the Eastern Seaboard Blackout - Has it Been that Long?
- Ping is Bad (Sometimes)
- "There's a Patch for that" (or maybe not)
- "Too Important to Patch" - Wait? What?
- Update for RSA Authentication Manager
- More on MAC OSX Malware - MACDefender Fake Antivirus
- "Do It Yourself" Crimeware Kit for OSX
- Sony PlayStation Network Outage - Day 5
- What's Your (IP) Address Worth?
- The Recent RSA Breach - Imagining the Worst Case, And Why it Isn't Time to Panic (Yet)
- Where have all the COM Ports Gone? - How enumerating COM ports led to me finding a “misplaced” Microsoft tool
- Blackberry BES Server Updates for PDF Vulnerabilities
- Is Infosec seeing "Death by a Thousand Budget Cuts"?
- Network Reliability, Part 2 - HSRP Attacks and Defenses
- Interesting DDOS activity around Wikileaks
- How a Tablet Changed My Life
- Cyber Security Awareness Month - Day 19 - VPN and Remote Access Tools
- Cyber Security Awareness Month - Day 19 - Remote User VPN Access – Are things getting too easy, or too hard?
- Cyber Security Awareness Month - Day 19 - VPN Architectures – SSL or IPSec?
- Cyber Security Awareness Month - Day 19 - Remote User VPN Tunnels - to Split or not to Split?
- Cyber Security Awareness Month - Day 19 - Remote Access Tools
- SORBS.NET - email RBL issues
- Cyber Security Awareness Month - Day 7 - Remote Access and Monitoring Tools
- Network Reliability - the Good, the Bad, the Ugly, and the Not-so-Bright
- Change is Good. Change is Bad. Change is Life.
- Access Controls for Network Infrastructure
- FBI, Slovenian and Spanish Police announce more arrests of Mariposa Botnet Creator, Operators
- Snort 2.8.6.1 and Snort 2.9 Beta Released
- NoScript 2.0 released
- The 2010 Verizon Data Breach Report is Out
- Bogus Support Organizations use Live Operators to Install Malware
- New Mac malware - OSX/Onionspy
- SPAM pretending to be from Habitat for Humanity
- Layer 2 Security - Private VLANs (the Story Continues ...)
- Adobe Shockwave Update
- Security Awareness – Many Audiences, Many Messages (Part 2)
- Layer 2 Security - L2TPv3 for Disaster Recovery Sites
- The Many Paths to Security Awareness
- Microsoft re-release of KB973811 - attacks on Extended Protection for Authentication
- Microsoft Security Advisory 981374 - Remote Code Execution Vulnerability for IE6 and IE7
- What's My Firewall Telling Me? (Part 4)
- Not Every Cloud has a Silver Lining
- New Risks in Penetration Testing
- Cisco Security Agent Security Updates: cisco-sa-20100217-csa
- Cisco ASA5500 Security Updates - cisco-sa-20100217-asa
- Multiple Security Updates for ESX 3.x and ESXi 3.x
- Defining Clouds - " A Cloud by any Other Name Would be a Lot Less Confusing"
- Support for Legacy Browsers
- APPLE-SA-2010-02-02-1 iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch
- NMAP 5.21 - Is UDP Protocol Specific Scanning Important? Why Should I Care?
- VMware vSphere Hardening Guide Draft posted for public review
- Microsoft OfficeOnline, Searching for Trust and Malware
- Cisco WebEx WRF Player Vulnerabilities
- Beware the Attack of the Christmas Greeting Cards !
- Layer 2 Network Protections – reloaded!
- SPAM and Malware taking advantage of H1N1 concerns
- Updates to Sysinternals Toolkit
- Microsoft Black Screen of Death - Fact of Fiction?
- Using a Cisco Router as a “Remote Collector” for tcpdump or Wireshark
- Windows 7 / Windows Server 2008 Remote SMB Exploit
- Apple Safari 4.0.4 Released
- Layer 2 Network Protections against Man in the Middle Attacks
- Microsoft releases v1.02 of Enhanced Mitigation Evaluation Toolkit (EMET)
- Cyber Security Awareness Month - Day 30 - The "Common" IPSEC VPN Protocols - IKE / ISAKMP (500/udp), ESP (IP Protocol 50), NAT-T-IKE (500/udp, 4500/udp), PPTP (tcp/1723), GRE (IP Protocol 47)
- New version of NIST 800-41, Firewalls and Firewall Policy Guidelines
- ICANN Strategic Planning (2010-2013) Consultation
- New VMware Desktop Products Released (Workstation, Fusion, ACE)
- AT&T Cell Phone Phish
- THAWTE to discontinue free Email Certificate Services and Web of Trust Service
- Cyber Security Awareness Month - Day 9 - Port 3389/tcp (RDP)