Scan and Fix Unquoted Service Path Vulnerability with PowerShell

As many security experts and system administrators are aware, Microsoft has really dropped the ball at addressing a decade old flaw in the way the Windows API handles service paths… What amazes me is how prevalent this issue still is and how easy it is for any common script kiddie to elevate privileges and gain a foothold in your system. I will discuss the vulnerability and how I scanned for and remediated vulnerable systems using Windows PowerShell.

Powershell Incident Response Scripts

Powershell Incident Response During the past few months I have been rather quiet with my online presence mainly due to my professional life becoming more and more demanding, thus not leaving time to blog about my experiences. Even though I have not been sharing any experiences with the online community, I have been working diligently on leveraging PowerShell Incident Response tool. I want to share a scenario in which I used PowerShell scripts to gather info, determine a scope, and begin remediation for a particular security related incident with a client out of the country.

Part I: Powershell Multithreading: Asynchronous Network and Host Discovery Scanner

Part I of my Get-SecNetMap “Mini-Module”: Get-SecNetMap. (This Post) Get-SecPortScan Get-SecIPRange Convert-SecIPAddress Get-SecArpTable A Quick Word about Powershell + Multithreading At the time of this post, it has been just over a year since I started using Powershell as my “go-to” scripting language. As my skills developed and my scripts became more robust, I now see that what has been lacking in my Powershell journey was true performance metering.

Part II: PowerShell Multithreading – Asyncronous Network and Host Discovery Scanner

Part II of my Get-SecNetMap “Mini-Module”: Get-SecNetMap Get-SecPortScan (This Post) Get-SecIPRange Convert-SecIPAddress Get-SecArpTable Get-SecPortScan You can download the module source files here: http://securekomodo.net/files/Get-SecNetMap.zip Get-SecPortScan is unique in that it can scan a target host for many ports at once. This is done so by using .NET runspaces in PowerShell. This script will target a host and throw many asyncronous TCP socket connections over various ports either specified by the user, or using default top ports.

Part III: Powershell Multithreading – Asynchronous Network and Host Discovery Scanner

Part III of my Get-SecNetMap “Mini-Module”: Get-SecNetMap Get-SecPortScan Get-SecIPRange (This Post) Convert-SecIPAddress Get-SecArpTable You can download the module source files here: http://securekomodo.net/files/Get-SecNetMap.zip Get-SecIPRange Get-SecIPRange is designed to enumerate all IP addresses within a given range. I have intentionally coded this to support a max range of 65534 addresses or a (/16 CIDR) because seriously, who needs to scan such a large range like that. Anyway, this function will loop through only the third and fourth octets of an IP address range to determine each address in the range for scanning.

Part IV: PowerShell Multithreading – Asyncronous Network and Host Discovery Scanner

Part III of my Get-SecNetMap “Mini-Module”: Get-SecNetMap Get-SecPortScan Get-SecIPRange Convert-SecIPAddress (This Post) Get-SecArpTable You can download the module source files here: http://securekomodo.net/files/Get-SecNetMap.zip Convert-SecIPAddress The Convert-SecIPAddress function is actually pretty cool. I was able to use mathematics learned from my cryptography courses during my undergrad to convert an IP address to an integer and vice-verse. It is performance optimized and has support for long integers which was where most of the errors I had during development were.

Part V: PowerShell Multithreading – Asyncronous Network and Host Discovery Scanner

Part V of my Get-SecNetMap “Mini-Module”: Get-SecNetMap Get-SecPortScan Get-SecIPRange Convert-SecIPAddress Get-SecArpTable (This Post) You can download the module source files here: http://securekomodo.net/files/Get-SecNetMap.zip Get-SecArpTable The Get-SecArpTable is more or less a framework surrounding the already existing executable ARP.exe. The only issue with simply calling ARP.exe in your scripts is that the output is all strings. This function is designed to parse the output of the ARP table and return a PSObject so that it can be used in scripts and other functions more easily.

Powershell Simple Substitution Cipher

Powershell Simple Substitution Cipher Another assignment from my Cryptography course in my undergrad was to develop our own Powershell simple substitution cipher programmatically. This code is merely a framework to provide any type of substitution key you want. I wanted to do a custom cipher to allow a bit more security (though any security expert knows that substitution ciphers are highly crackable)… though, it is still better then clear-text at least…

Factoring Prime numbers with Java

Factoring Prime numbers with Java This was an assignment from a cryptography class during my undergrad. This mainly assisted in decrypting a low-bit RSA algorithm but can be used for any purpose. Essentially it will loop through and perform some mod calculations to figure out the prime factors in the specified range. The three algoritems are used to show that even if a number doesn’t seem to be prime at first, it could be a prime number used in an encryption algorithm.

Windows Forensic Analysis using PowerShell

Windows Forensic Analysis using PowerShell As I continue on with my undergrad in Information Assurance, I try to apply techniques and concepts in real-world applications. It helps me “drill” the concepts into my forgetful brain, and because security interests me, I think its fun! As stated before in my post Controlling/Monitoring Local Admin Rights using PowerShell. PoshSec is seeking to tackle Information Security concerns using PowerShell. What PoshSec hasn’t quite looked at (yet), is Forensic Analysis.

Controlling/Monitoring Local Admin Rights using PowerShell

Almost a month has gone by since my last post so I am long overdue to place some good content. I feel this script I wrote up should be sufficient 🙂 Enjoy! SANS Critical Control 12: Controlled Use of Administrative Privileges http://www.sans.org/critical-security-controls/control.php?id=12 VIDEO DEMONSTRATION EXPLAINING EXAMPLES TO COME SOON Download the SourceCode https://app.box.com/s/3ki7g8zpyw16x047tc5v MD5 – 2AF4224E79672658DCC05AF90A4D0FC8 Recently joined up as a new developer for a great project in my area called PoshSec (https://github.

Change Local Account Name and Password using PowerShell

PowerShell is a great scripting utility that can drastically speed up administrative tasks in the “IT world”. Since Microsoft is trying to make it so all their products can be managed using PowerShell, it is a great idea to be proficient in it because PowerShell is not going away anytime soon. I plan to utilize this blog as a means to share my scripts with the public and gain valuable feedback from any followers in the IT field.