Recover WiFi Passwords – Windows

This is more of a personal note on finding the wireless password on Windows as I can never remember the full command.

  1. Open a Command Prompt and run the following command to display previous wireless networks.
     Command: netsh wlan show profile
  2. Next, use the following command to show the password.
     Command: netsh wlan show profile <SSID> key=clear

 

Saucs – Vulnerability Alerting

Site: https://saucs.com

This site allows you to subscribe to various vendors and products to receive CVE (Common Vulnerabilities and Exposures) alerts on new releases and changes to existing ones. The emails contain just your selections, so you do not need to scroll through multiple products or vendors that are not of interest. This allows more targeted alerts for the products that you use in your environment. I really like this compared to other subscription services, as looking through a list of various products/vendors that might be applicable was always a waste of time and had the risk of missing important CVEs.

Improvements: This website is new in the last 6 months and quite basic for the time being. I would like to see an option to specify the level of alerts based on the rating (low, medium or high). Right now, the website will alert you to all new CVEs for the specified products/vendors and any changes regardless of level. Luckily, you just need to go to the site and can filter based on the rating.

Sysmon Install Script

Below is the script that I have been working on to install Sysmon through group policy so you do not have to install it on each workstation/server. I hope to make a few more modifications around updating the .xml file or creating a separate script. The guide for this should be coming over the next week or two and will tie into our WEF deployment guide. From there we will export the logs from our WEF server to Splunk for easier manipulation of the data. To use the script, just replace the <<DOMAIN>> with your domain/file location.

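REM Copy the Sysmon configuration from SYSVOL on the first run.
IF NOT EXIST "C:\sysmon" (mkdir "C:\sysmon" & copy /v "\\<<DOMAIN>>\SYSVOL\<<DOMAIN>>\Sysmon\sysmonconfig-export.xml" "C:\sysmon\sysmonconfig-export.xml")

REM sysmon64.exe installs itself as C:\Windows\Sysmon64.exe with a service named Sysmon64.
IF NOT EXIST "C:\Windows\Sysmon64.exe" GOTO Install
GOTO StartService

:Install
REM Install the service and driver with the copied configuration.
"\\<<DOMAIN>>\SYSVOL\<<DOMAIN>>\Sysmon\sysmon64.exe" -accepteula -i "C:\sysmon\sysmonconfig-export.xml"
GOTO EOF

:StartService
REM Already installed: make sure the service is running.
net start Sysmon64
GOTO EOF

:EOF
EXIT /B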

User Agent Strings

The following is a list of helpful user agent strings that I have found to help block bogus requests to your website. On an unknown site, you are going to see these block a few thousand attempts every day. The largest one I frequently see is Jorgee. These are vulnerability scanners running with their default user agent. They are likely looking for low-hanging fruit, but it is nice to block them anyway. Below, I have separated my Wordfence user agent block and use the equal (=) sign as the delimiter between the string and a description. I will be updating this post when I find more, and the new ones will be added at the end.

*Jorgee* = Vulnerability Scanner

*Nikto* = Vulnerability Scanner

*ZmEu* = Vulnerability Scanner
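
To see what the block list above would catch before enabling it, the same patterns can be run over an existing access log. This is an added example, not code from the original post or from Wordfence; the log lines are constructed samples, and it assumes `*` is the only wildcard and that matching is case-insensitive.

```python
import re
from collections import Counter

# Block list in the page's "pattern = description" form.
BLOCKLIST = """
*Jorgee* = Vulnerability Scanner
*Nikto* = Vulnerability Scanner
*ZmEu* = Vulnerability Scanner
"""

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    r'198.51.100.7 - - [12/Mar/2018:06:25:11 +0000] "HEAD /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"',
    r'198.51.100.7 - - [12/Mar/2018:06:25:12 +0000] "HEAD /backup/ HTTP/1.1" 404 0 "-" "mozilla/5.0 jorgee"',
    r'198.51.100.9 - - [12/Mar/2018:06:26:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    r'203.0.113.20 - - [12/Mar/2018:06:27:02 +0000] "GET /setup.php HTTP/1.1" 404 162 "-" "probe \"ZmEu\""',
    r'203.0.113.55 - - [12/Mar/2018:06:30:19 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/58.0"',
]

# Client IP is the first field; the user agent is the last quoted field
# (escaped quotes inside the user agent are tolerated).
LOG_RE = re.compile(r'^(\S+) .*(?<!\\)"((?:[^"\\]|\\.)*)"\s*$')

def parse_blocklist(text):
    rules = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        pattern, description = (p.strip() for p in line.split("=", 1))
        # Assumption: "*" is the only wildcard and matching ignores case.
        body = ".*".join(re.escape(part) for part in pattern.split("*"))
        rules.append((pattern, description, re.compile(body, re.IGNORECASE | re.DOTALL)))
    return rules

def classify(line, rules):
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a parseable log line
    ip, agent = m.groups()
    for pattern, description, regex in rules:
        if regex.fullmatch(agent):
            return ip, pattern, description
    return ip, None, None

def summarize(lines, rules):
    hits = Counter()
    for line in lines:
        result = classify(line, rules)
        if result and result[1]:
            hits[result[1]] += 1
    return dict(hits)
```

Calling `summarize()` on a real log with the parsed block list gives the per-pattern hit counts, which also shows whether a pattern would catch legitimate clients.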

Useful Nmap Scans

Here are some helpful nmap scans for SQL, SMTP, SMB, and FTP. These can give you ideas by helping to enumerate the target system. Just replace the 192.0.2.0/24 with the target address or range. If a single host is targeted, the option --open can be removed.

SQL
nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 192.0.2.0/24 -p 3306 --open

SMTP
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 192.0.2.0/24 --open

SMB
nmap -p 139,445 --script smb-v* --script-args=unsafe=1 192.0.2.0/24 --open

FTP
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 192.0.2.0/24 --open

CVESearch

This was a new Python script that I saw which works similarly to searchsploit. Basically, it will search through all the CVEs for your search terms. If you are on a fresh install of Kali, you will need to install Pip for Python 3. This can be accomplished with:

git clone https://github.com/highmeh/cvesearch.git
sudo apt-get install python3-pip

Next, you will need to install the Python module Untangle, which will read XML files and present a more human-readable format. Run the following command to get Untangle:

pip3 install requests untangle

Finally, update the database with:

 ./cvesearch.py -d

You can use either the CVE number with the -c argument or use -s and search by a keyword. Below, I searched for the version number of ISC Bind 9.8.1-P1 on a Vulnhub.

 

Source: https://github.com/highmeh/cvesearch

Hello World!

This will be where I keep scripts and quick notes for what I find interesting on the topic of information security. I am currently working towards the OSCP and hope to have it completed this fall. Expect to see a few VulnHub write-ups, general Active Directory information, and how-to articles posted over the next few months. This is primarily a test website to try out using Amazon EC2 and further expand my knowledge of their hosted infrastructure offerings.