Considering Windows audit event logging, there are plenty of guides available in the Internet to follow. Most of the event configurations would overlap. However, we have to consider the most optimal and practical implementation based on our business case, server capability, security requirements & experience.
1) Microsoft audit policy recommendations
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
2) What event ID's to monitor for AD compromise (This is a good example to show that if we already collect these events, we would be able to monitor them in SIEM)
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
3) Collection of event log configurations (The site contains cheat sheets for other log functionalities such as Sysmon too. If we like to cover MITRE ATT&CK techniques, that is also possible)
https://www.malwarearchaeology.com/cheat-sheets
If we go through the above guides, we would understand that apart from the Security audit log, we can utilize several other default log files (RDP, Powershell, SMB) and external log files such as Sysmon logs, are helpful in covering the full picture. Some of the event logs are more useful in a AD and some are more useful in a File server. Therefore, start with simple but proper security audit log configuration(e.g. CIS or Microsoft) first and get into the process. Then integrate other log files into the collection. Understand the practical issues in implementation such as log file size. Then look into the monitoring and visualization. SIEM may have a set of default use cases which is now useful after proper log configuration. If not, with your experience and business requirement, a new use case can be defined.
For Linux audit log
1) Audit configuration rule compilation by Florian Roth. The rule set is commented and can be used as a guide to understand the required audit configurations.
https://github.com/Neo23x0/auditd
For other Applications
1) Consider logs such as Apache access log, MySQL or even email logs. Security team should go through the log and check whether the log is rich enough and have all the necessary data required in auditing perspective. If not, it should be improved before forwarding to the SIEM for monitoring and alert generation.
Friday, November 27, 2020
Thursday, November 19, 2020
Event Log Retention Requirements as mandated by Major Compliance Regulations
November 19, 2020 / by Kushan Sharma / with No comments /
On September 20th, 2016, Digital Edge released an article on Log Management Laws and Regulations. Below is a little "Cheat Sheet" on the Event Log Retention Requirements as mandated by major compliance regulations:
Regulation |
Retention Requirement |
---|---|
7 years |
|
1 year |
|
7 years |
|
3 years |
|
3 years |
|
3+ months |
|
3 years |
|
6 years |
|
5 years |
|
3 years |
Sunday, August 30, 2020
Remove PostgreSQL in Ubuntu 18.04
August 30, 2020 / by Kushan Sharma / with No comments /
Once I was using PostgreSQL and when I no longer need to keep the installation, I wanted to remove it completely.
So I used the command listed below to remove the PostgreSQL.
#sudo apt-get --purge remove postgresql
Even though the un-installation was successful, when I go to login there's still a "PostgreSQL" user. I tried running sudo deluser PostgreSQL but all I get is
/usr/sbin/deluser: The user `PostgreSQL' does not exist.
In order to verify the existence of the user, I checked the passwd file.
cat /etc/passwd | grep -i postgre
postgres:x:1001:1001:PostgreSQL:/opt/ManageEngine/OpManager/pgsql:/bin/sh
Then only I realized that the Login Name and User Name are not the same. So I tried removing the user "postgres" using the command below and it was successful.
sudo deluser postgres
Wednesday, August 12, 2020
Why / Why Not Virtual Patching
August 12, 2020 / by Kushan Sharma / with No comments /
While the goal of many organizations is to maintain operating systems and other business application software are always up to date with latest security patches, realities impede the progress in being able to quickly address a vulnerability before a malicious adversary can be taken advantage.
There are many factors that complicate the ability to mitigate a given vulnerability once it has been identified. These factors include:
- Obsolete/legacy applications being used by the organization.
- Application dependencies that can caused the functional errors when being patched. Therefore, proper testing is required before applying a patch to the software or operating system in a application system and to address issues that can be introduced by the patch.
- Operational delays due to lack of resources and expertise within the organization to allocate for vulnerability management.
Therefore, the patch response time vary greatly due to the above given circumstances.
In a situations where traditional patches are not feasible, a virtual patch can be utilized to reduce the likelihood of a successful cyber attack. It helps to mitigate vulnerabilities in a separate layer, where you get to fix problems in applications without making alteration to the application directly. A virtual patch deals with the process or method of fixing problems by altering or eliminating vulnerabilities by controlling the inputs and outputs to and from the applications.
The virtual patching solution helps organizations to:
- Mitigates the risk of an exploit quickly, until an effective, permanent patch can be tested and released by the application vendor for vulnerabilities in operating systems and business applications.
- Maintain normal patching cycle without interrupting operations, if a vulnerability arises midway between scheduled patch releases.
- Reduces or eliminates time and money spent performing emergency patching.
- In certain cases, before the original patch is released virtual patching could have the risk mitigation.
- While virtual patching offers many advantages to the organization, it also has limitations such as:
- Virtual patching will not be able to address all possible ways, or all of the possible locations, in which an exploit can occur as a result of a particular vulnerability.
- Development of countering exploitation for each security issue due to rapidly discovered new vulnerabilities
- While virtual patching serving as a compensating control to delay the patch cycle, the organization always need to fix vulnerabilities to prevent the associated risks.
- While a virtual patch can avert an immediate crisis, the virtual patch cannot eliminate inherent defects in an application program that is poorly developed.
Hence, a successful implementation of a virtual patching solution provides an additional layer of security to the organization's IT infrastructure which helps to reduce the risk of many critical security vulnerabilities that cannot be resolved due to various dependencies.
Thursday, July 16, 2020
Is Microsoft Windows User Account Control (UAC) a Security Feature?
July 16, 2020 / by Kushan Sharma / with No comments /
Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels.
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy.
Policy setting "User Account Control: Admin Approval Mode for the Built-in Administrator account" controls the behavior of Admin Approval Mode for the built-in Administrator account.
- Enabled The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
- Disabled (Default) The built-in Administrator account runs all applications with full administrative privilege.
The UAC User Experience
When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
Is UAC secure?
UAC is not a security feature. It’s a convenience feature that acts as a forcing function to get software developers to get their act together [4].
There’s a control panel that lets you specify how often you want to be prompted by UAC. You can set any of four levels:
- Always notify
- Notify only when apps try to change settings, use the secure desktop
- Notify only when apps try to change settings, don’t use the secure desktop
- Never notify
Although it looks like there are four settings, in a theoretical sense, there really are only two settings.
- Always notify
- Never notify
UACMe [3]
Reference:
[1] https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
[2] https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings
[3] https://github.com/hfiref0x/UACME
[4] https://channel9.msdn.com/
[5] https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
Wednesday, July 15, 2020
SigRed (CVE-2020-1350) Registry Workaround
July 15, 2020 / by Kushan Sharma / with No comments /
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
TcpReceivePacketSize
Value = 0xFF00
Note You must restart the DNS Service for the registry change to take effect.
The Default (also max) Value = 0xFFFF
The Recommended Value = 0xFF00 (255 bytes less than the max)
After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.
Tuesday, July 7, 2020
Cracking Passwords with John the Ripper
July 07, 2020 / by Kushan Sharma / with No comments /
- Dictionary attack
- Brute-force attack
- Rainbow tables: A pre-computed list of password hashes (derived from commonly set passwords) is compared against an existing data dump to find the correct password in its plaintext form.It should be noted that this approach will be ineffective when password hashes are salted and salt values are too large, all of which increases the overall complexity.
- Single crack mode: JtR creators recommend running this mode first as it’s considered the quickest. Single crack mode uses information from UNIX passwd files -- users' full names, usernames, etc. -- as present in GECOS fields within UNIX passwd/shadow files to “guess” passwords. This can be helpful in cases when a user has set a password for an account based on commonly available information or phrase in the username (e.g. admin:password, john:john123).
- Wordlist mode: This mode relies on the user providing a text file with a list of passwords, ideally one per line and no duplicates.
- Incremental mode: JtR’s equivalent of brute-force is the most powerful cracking mode, but is so time consuming that for a password complex enough, it may never be able to complete in practical course of time and never terminate.
john mypasswd
This will try "single crack" mode first, then use a wordlist with rules,
and finally go for "incremental" mode.
john --show mypasswd
If the account list gets large and doesn't fit on the screen, you should, of course, use your shell's output redirection.
You might notice that many accounts have a disabled shell. You can make John skip those in the report. Assuming that the disabled shell is called "/etc/expired", the command would be:
john --show --shells=-/etc/expired mypasswd
or shorter, but will also match "/any/path/expired":
john --show --shells=-expired mypasswd
or if you also want to ignore some other shell, say "/etc/newuser":
john --show --shells=-expired,newuser mypasswd
To check if any root (UID 0) accounts got cracked:
john --show --users=0 mypasswd
or to check for cracked root (UID 0) accounts in multiple files:
john --show --users=0 *passwd* *.pwd
To display the root (username "root") account only:
john --show --users=root mypasswd
And finally, to check for privileged groups:
john --show --groups=0,1 mypasswd
4. You might prefer to manage the cracking modes manually. It is wise to start with "single crack" mode:
john --single mypasswd
or since the GNU-style double dashes are optional and since option names can be abbreviated for as long as they remain unambiguous:
john -si mypasswd
You should not abbreviate options in scripts which you would want to work with future versions of John since what is unambiguous now might become ambiguous with the addition of more options.
If you have more files to crack, it is preferable to load them at the same time:
john --single passwd1 passwd2
or even:
john --single *passwd* *.pwd
This way, John will run faster and might even crack more passwords than it would if you ran it on each password file separately.
5. To catch weak passwords not derived from readily available users' personal information, you should proceed with cracking modes demanding more processor time. First, let's try a tiny wordlist with word mangling rules enabled:
john --wordlist=password.lst --rules mypasswd
or abbreviating the options:
john -w=password.lst -ru mypasswd
Then proceed with a larger wordlist, also applying the mangling rules:
john --wordlist=all.lst --rules mypasswd
If you've got a lot of spare disk space to trade for performance and the hash type of your password files is relatively slow, you may use John's "unique" utility to eliminate any duplicate candidate passwords:
john --wordlist=all.lst --rules --stdout | unique mangled.lst
john --wordlist=mangled.lst mypasswd
If you know that your target hash type truncates passwords at a given length, you may optimize this even further:
john --wordlist=all.lst --rules --stdout=8 | unique mangled8.lst
john --wordlist=mangled8.lst mypasswd
Alternatively, you may simply use huge.lst available on Openwall wordlist collection CDs. It has word mangling rules pre-applied for the most common languages and it has any duplicates purged.
Depending on target hash type, the number of different salts (if applicable), the size of your wordlist, rules, and processor performance, wordlist-based cracking may take anywhere from under a second to many days.
You do not have to leave John running on a (pseudo-)terminal. If running John on a Unix-like system, you can simply disconnect from the server, close your xterm, etc. John will catch the SIGHUP ("hangup" signal) and continue running. Alternatively, you may prefer to start it in the background right away:
john --wordlist=all.lst --rules mypasswd &
Obviously, the "&" is specific to Unix shells and will not work on most other platforms.
You may further enhance this by specifying a session name:
john --session=allrules --wordlist=all.lst --rules mypasswd &
This ensures that you won't accidentally interfere with the instance of John running in the background if you proceed to start other sessions.
To view the status of a running session, use:
john --status
for the default session or:
john --status=allrules
for any other session. This works for both interrupted and running sessions. To obtain the most up-to-date information from a running session on a Unix-like system, send a SIGHUP to the appropriate "john" process.
Any interrupted sessions may be continued with:
john --restore
or:
john --restore=allrules
Finally, to make John have less impact on other processes, you should set the option "Idle = Y" in the configuration file.
To only crack accounts with a "good" shell (in general, the shell, user, and group filters described above work for all cracking modes as well):
john --wordlist=all.lst --rules --shells=sh,csh,tcsh,bash mypasswd
Like with all other cracking modes, it is faster to crack all the files you need cracked simultaneously:
john --wordlist=all.lst --rules passwd1 passwd2
You can crack some passwords only. This will try cracking all root (UID 0) accounts in all the password files:
john --wordlist=all.lst --rules --users=0 *passwd*
Alternatively, you may wish to not waste time cracking your very own passwords, if you're sure they're uncrackable:
john --wordlist=all.lst --rules --users=-root,solar *passwd*
Sometimes it is useful to split your password hashes into two sets which you crack separately, like:
john --wordlist=all.lst --rules --salts=2 *passwd*
john --wordlist=all.lst --rules --salts=-2 *passwd*
This will make John try salts used on two or more password hashes first and then try the rest. Total cracking time will be almost the same, but you will get some passwords cracked earlier, which is useful, for example, for penetration testing and demonstrations to management. Similarly, you may check all password hashes with a small wordlist, but only those that you can check faster (with "--salts=2") with a larger one. With large numbers of password hashes and/or with a highly non-uniform distribution of salts, it may be appropriate to use a threshold larger than 2 with "--salts" (sometimes even values as high as 1000 will do).
Note that the default wordlist rules include ":" (a no-op - try words as they are in the list) on the first line. If you already ran through a wordlist without using rules, and then decided to also try the same wordlist with rules, you'd better comment this line out.
6. The most powerful cracking mode in John is called "incremental" (not a proper name, but kept for historical reasons). You can simply run:
john --incremental mypasswd
or:
john -i mypasswd
This will use the default "incremental" mode parameters, which are defined in the configuration file's section named either [Incremental:ASCII] (for most hash types) or [Incremental:LM_ASCII] (for Windows LM hashes). By default, the [Incremental:ASCII] parameters are set to use the full printable ASCII character set (95 characters) and to try all possible password lengths from 0 to 13 (if the current hash type has a lower maximum password length, incremental mode's length limit is reduced accordingly). [Incremental:LM_ASCII] is similar, except that it takes advantage of LM hashes being case-insensitive and of their halves being limited to 7 characters each.
In some cases it is faster to use some other pre-defined incremental mode parameters and only crack simpler passwords, from a limited character set. The following command will try 10 different characters only, passwords from "0" to "99999999999999999999" (in an optimal order):
john -i=digits mypasswd
Of course, you can use most of the additional features demonstrated above for wordlist mode with "incremental" mode as well. For example, on a large-scale penetration test, you may have John crack only root (UID 0) accounts in a set of password files:
john -i -u=0 *.pwd
7. If you've got a password file for which you already have a lot of passwords cracked or obtained by other means, and the passwords are unusual, then you may want to generate a new charset file, based on character frequencies from that password file only:
john --make-charset=custom.chr mypasswd
Then use that new file with "incremental" mode.
If you've got many password files from a particular country, organization, etc., it might be useful to use all of them for the charset file that you then use to crack even more passwords from these files or from some other password files from the same place:
john --make-charset=custom.chr passwd1 passwd2
[ Configure your custom "incremental" mode now. See below. ]
john -i=custom passwd3
You can use some pre-defined or custom word filters when generating the charset file to have John consider some simpler passwords only:
john --make-charset=my_alpha.chr --external=filter_alpha mypasswd
If your "pot file" got large enough (or if you don't have any charset files at all), you might want to use it to generate a new set of main charset files:
makechr
where "makechr" is a script that invokes "john --make-charset=..." with varying filenames, for all of the external mode word filters defined in the configuration file. In this example, John will overwrite the charset files with new ones that are based on your entire $JOHN/john.pot (John uses the entire "pot file" if you don't specify any password files).
8. Finally, you might want to e-mail all users with weak passwords to tell them to change their passwords. (This is not always a good idea, though, since lots of people do not check their e-mail or ignore such messages, and the messages can be a hint for crackers.) Edit the "mailer" script supplied with John: the message it sends and possibly the mail command (especially if the password file is from a different machine). Then run:
mailer mypasswd
Friday, June 19, 2020
Lessons to Learn from Recent Cyber Attacks in Australia
June 19, 2020 / by Kushan Sharma / with No comments /
Australian Cyber Security Centre (ACSC) has revealed the tactics, techniques and procedures (TTPs) identified during the investigation carried out by them.
This advisory aims to share the TTPs with the industry peers to increase the awareness and to take necessary precautionary actions against the emerging threat landscape.
Attackers have leveraged number of initial access vectors including:
- Remote code execution vulnerability in unpatched versions of Telerik UICVE-2019-18935
- Deserialisation vulnerability in Microsoft Internet Information Services (IIS) (Reference 03)
- icrosoft SharePoint vulnerabilityCVE-2019-0604
- Remote code execution vulnerability in Citrix Application Delivery Controller and Citrix GatewayCVE-2019-19781
- Links to credential harvesting websites
- Emails with links to malicious files, or with the malicious file directly attached
- Links prompting users to grant Office 365 OAuth tokens to the actor
- Use of email tracking services to identify the email opening and lure click-through events.
Recommendations:
As key mitigation techniques, below recommendations have been proposed:
- All the internet facing operating systems, applications and devices need to be patched with latest security updates.
- Applying multifactor authentication to all internet-accessible remote access services.
Additionally the below listed recommendations shall also be implemented:
- Apply necessary controls to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
- Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
- Operating system and application hardening. For example configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
- Restrict administrative privileges based on the least privilege principle.
- Maintaining regular backups (daily, weekly) of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months.
In addition to the above, it is essential to enable logs including operating system logs ( Microsoft Windows event logs), web server logs (Access log, error logs, SSL Logs) and internet proxy logs at least for internet accessible servers and applications in order to help digital forensic investigations.
Reference:
[1] https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
[2] https://www.cyber.gov.au/threats/advisory-2020-004-telerik
[3] https://www.cyber.gov.au/threats/advisory-2020-006-active-exploitation-vulnerability-microsoft-internet-information-services
[4] https://www.cyber.gov.au/publications/essential-eight-explained
[5] https://www.cyber.gov.au/publications/windows-event-logging-and-forwarding
Thursday, June 18, 2020
Analysing Windows Event Logs collected in CSV Format
June 18, 2020 / by Kushan Sharma / with No comments /
$ grep -i "EventID=4624" <log_cvs_file_names> | awk -F"","" '{print $5 "\n"}' > Logon_4624.txt
---------------------------------------
*4624 Successful account log on
*4625 Failed account log on
*4634 An account logged off
*4648 A logon attempt was made with explicit credentials
*4647 User initiated logoff
*4778 RDP Session Reconnect (A session was reconnected to a Window Station)
*4779 RDP Session Disconnect (A session was disconnected from a Window Station)
*1102 Audit log was cleared. This can relate to a potential attack
*4720 A user account was created
*4722 A user account was enabled
*4723 An attempt was made to change the password of an account
*4725 A user account was disabled
*4738 A user account was changed
*4740 A user account was locked out
*4767 A user account was unlocked
*4782 Password hash an account was accessed
*4697 A service was installed in the systems
*4688 A new process has been created
*4689 A process has exited
*5140 A network share object was accessed
4801 Unlocked (The workstation was unlocked)
4670 Permissions on an object were changed
4719 System audit policy was changed.
4964 A special group has been assigned to a new log on
4728 A user was added to a privileged global group
4732 A user was added to a privileged local group
4756 A user was added to a privileged universal group
4735 A privileged local group was modified
4737 A privileged global group was modified
4755 A privileged universal group was modified
4772 A Kerberos authentication ticket request failed
4777 The domain controller failed to validate the credentials of an account.
4616 System time was changed
4657 A registry value was changed
4697 An attempt was made to install a service
4698, 4699, 4700, 4701, 4702 Events related to Windows scheduled tasks being created, modified, deleted, enabled or disabled
4946 A rule was added to the Windows Firewall exception list
4947 A rule was modified in the Windows Firewall exception list
4950 A setting was changed in Windows Firewall
4954 Group Policy settings for Windows Firewall has changed
5025 The Windows Firewall service has been stopped
5031 Windows Firewall blocked an application from accepting incoming traffic
5152, 5153 A network packet was blocked by Windows Filtering Platform
5155 Windows Filtering Platform blocked an application or service from listening on a port
5157 Windows Filtering Platform blocked a connection
5447 A Windows Filtering Platform filter was changed
To check successful logoffs from IP Address 192.168.13.90.
$ grep "192.168.13.90" <log_file_name> | grep -i "EventID=4647/4634" | awk -F"","" '{print $5}'
Check for account session parameters. Trace account activity.
Usefull OIDs when using snmpwalk
June 18, 2020 / by Kushan Sharma / with No comments /
Friday, June 12, 2020
Download Youtube Playlists in Ubuntu
June 12, 2020 / by Kushan Sharma / with No comments /
youtube-dl is a command-line program to download videos from YouTube.com and a few more sites. It requires the Python interpreter, version 2.6, 2.7, or 3.2+, and it is not platform specific.
To download a playlist, simply run the following command. Where “playlist_url” is the URL of the playlist that you want to download.
#youtube-dl -cit <playlist_url>
In order to download the playlist, I used the below command.
#youtube-dl -cit 'https://www.youtube.com/watch?v=_7OwE7twvfQ&list=PLPw0KKt6G-I9LjQ58tZon1w-UUdI1gNz0'
Alternatively, you can just use the playlist ID:
#youtube-dl -cit PLPw0KKt6G-I9LjQ58tZon1w-UUdI1gNz0
Some of the useful switches when using youtube-dl to download contents.
-i, --ignore-errors Continue on download errors, for example to skip unavailable videos in a playlist
--geo-bypass Bypass geographic restriction via faking X-Forwarded-For HTTP header (experimental)
--playlist-start NUMBER Playlist video to start at (default is 1)
--playlist-end NUMBER Playlist video to end at (default is last)
-r, --limit-rate RATE Maximum download rate in bytes per second (e.g. 50K or 4.2M)
-R, --retries RETRIES Number of retries (default is 10), or "infinite".
-f, --format FORMAT Video format code, see the "FORMAT SELECTION" for all the info
-x, --extract-audio Convert video files to audio-only files (requires ffmpeg or avconv and ffprobe or avprobe)
--audio-format FORMAT Specify audio format: "best", "aac", "flac", "mp3", "m4a", "opus", "vorbis", or "wav"; "best" by default; No effect without -x
--audio-quality QUALITY Specify ffmpeg/avconv audio quality, insert a value between 0 (better) and 9 (worse) for VBR or a specific bitrate like 128K (default 5)
In a shell, & is a special character, advising the shell to start everything up to the & as a process in the background. To avoid this behavior, you can put the URL in quotes.
These days YouTube videos have different resolutions, you first need to check available video formats of a given YouTube video. For that run youtube-dl with “-F” option. It will show you a list of available formats.
#youtube-dl -F <video_url>
Its output will be like:
Setting language
BlXaGWbFVKY: Downloading video webpage
BlXaGWbFVKY: Downloading video info webpage
BlXaGWbFVKY: Extracting video information
Available formats:
37 : mp4 [1080x1920]
46 : webm [1080x1920]
22 : mp4 [720x1280]
45 : webm [720x1280]
35 : flv [480x854]
44 : webm [480x854]
34 : flv [360x640]
18 : mp4 [360x640]
43 : webm [360x640]
5 : flv [240x400]
17 : mp4 [144x176]
Now among the available video formats, choose one that you like. For example, if you want to download it in MP4 version and 1080 pixel, you should use:
#youtube-dl -f 37<video_url>
If you just want to download the audio from a YouTube video, you can use the -x option to simply extract the audio file from the video.
#youtube-dl -x <video_url>
The default file format is Ogg which you may not like. You can specify the file format of the audio file in the following manner:
#youtube-dl -x --audio-format mp3 <video_url>
If you want to update youtube-dl, you can use the below command. However pip should be installed in your Utube instance.
#sudo pip install --upgrade youtube_dl
The above steps will install latest version of youtube-dl that can be checked using youtube-dl --version. As of now the output of youtube-dl --version is:
I hope this article helped you to download YouTube videos on Ubuntu. If you have questions or suggestions, please drop a comment below.
Sunday, May 31, 2020
Using WMIC to communicate with remote hosts
May 31, 2020 / by Kushan Sharma / with No comments /
We can manager user accounts on a Windows computer using wmic commands. You can find commands for various operations below.
WMIC can collect a list of the currently running processes similar to what you’d see in “Task Manager” using the following command:#wmic process list
Note that some of the WMIC built-ins can also be used in “brief” mode to display a less verbose output. The process built-in is one of these, so you could collect more refined output using the command:
#wmic process list brief
#wmic process call create "calc.exe"
#wmic process where name="calc.exe" call terminate
#wmic process where name="explorer.exe" call setpriority 64
#wmic process list brief find "cmd.exe"
You can collect a listing of the environment variables (including the PATH) with this command:
#wmic environment list
#wmic /output:c:os.html os get /format:hform
#wmic /output:c:product.html product get /format:hform
#Wmic /node:"servername" /user:"user@domain" /password: "password" RDToggle where ServerName="server name" call SetAllowTSConnections 1
#WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv MORE /E +2 >> SRVSPACE.CSV
#wmic /node:<ID Address> bios get serialnumber
#wmic /node:"HOST" baseboard get product
#wmic STARTUP GET Caption, Command, User
#wmic os where buildnumber="2600" call reboot
#wmic startup list full
#wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
#wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:osinfo.htm
#wmic path cim_datafile where "Path='\windows\system32\wbem\' and FileSize>1784088" > c:filedetails.txt
/NAMESPACE Path for the namespace the alias operate against.
/ROLE Path for the role containing the alias definitions.
/NODE Servers the alias will operate against.
/IMPLEVEL Client impersonation level.
/AUTHLEVEL Client authentication level.
/LOCALE Language id the client should use.
/PRIVILEGES Enable or disable all privileges.
/TRACE Outputs debugging information to stderr.
/RECORD Logs all input commands and output.
/INTERACTIVE Sets or resets the interactive mode.
/FAILFAST Sets or resets the FailFast mode.
/USER User to be used during the session.
/PASSWORD Password to be used for session login.
/OUTPUT Specifies the mode for output redirection.
/APPEND Specifies the mode for output redirection.
/AGGREGATE Sets or resets aggregate mode.
/AUTHORITY Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>] Usage information.
In order to run against ab entire subnet and output to a text document, I used the below approach. This helps me to verify the inventory of computers.
I placed the IP list after node: node:ip1,ip2,ip3, or sometime used a text file when the list is so large with a file node:@file:
#wmic /node:@nodes.txt /user:administrator /password:mypassword /output:out.csv bios get serialnumber /format:csv
#wmic /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c start c:\windows\system32\<processname>.exe"
#wmic /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c del c:\windows\system32\<processname>.exe"
Saturday, May 30, 2020
Searching Through /var/log Folder
May 30, 2020 / by Kushan Sharma / with No comments /
#last -f wtmp
Wtmp is a file on the Linux, Solaris, and BSD operating systems that keeps a history of all logins and logouts. On Linux systems, it is located at /var/log/wtmp. Various commands access wtmp to report login statistics, including the who and lastb commands
To check for failed login attempts
#last -f btmp
btmp logs failed attempts into your system. In theory this could mean someone is trying to brute force passwords. You can empty this file but should not remove it since software could crash when it expects the file to be there.
# ausearch --input <filename> -i | grep -i sshd | grep -i USER_AUTH
USER_AUTH is triggered when a user-space authentication attempt is detected.
- -i,--interpret Interpret results to be human readable
- -if,--input Specify the file name rather than default audit file
- -a,--event <Audit event id> search based on audit event id
- -gi,--gid <Group Id> search based on group id
- -ui,--uid <User Id> search based on user id
- --session <login session id> search based on login session id
- ADD_USER Triggered when a user-space user account is added.
- CRED_ACQ Triggered when a user acquires user-space credentials.
- CRED_DISP Triggered when a user disposes of user-space credentials.
- CRED_REFR Triggered when a user refreshes their user-space credentials.
- CRYPTO_KEY_USER Triggered to record the cryptographic key identifier used for cryptographic purposes.
- CRYPTO_LOGIN Triggered when a cryptographic officer login attempt is detected.
- CRYPTO_LOGOUT Triggered when a crypto officer logout attempt is detected.
- DEL_GROUP Triggered when a user-space group is deleted
- DEL_USER Triggered when a user-space user is deleted
- SYSTEM_RUNLEVEL Triggered when the system's run level is changed.
- SYSTEM_SHUTDOWN Triggered when the system is shut down.
- USER_LOGIN Triggered when a user logs in.
- USER_LOGOUT Triggered when a user logs out.
- USER_START Triggered when a user-space session is started.
At lease one work shoudl match: ^.*(21/May/2020|POST).*$
Both word should match: ^(?=.*21/MAY/2020)(?=.*POST).*$
Reference:
RedHat Audit record type can be found on:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types
Wednesday, January 29, 2020
Poking a hole through a firewall
January 29, 2020 / by Kushan Sharma / with No comments /
For example, leaving the Oracle Listener port 1521 open to untrusted networks, allow the database to connect to the Internet or the Internet to connect with the database. This could introduce significant security vulnerabilities that hackers are likely to exploit. Hackers could enable even more port openings through the firewall, create multithreaded operating system server problems, and enable access to crucial information on databases behind the firewall.
If the database listener services are running without passwords or with weak credentials, then hackers can probe for critical details about the databases on which it is listening. These details include trace and logging information, banner information, and database descriptors and service names, enabling malicious and damaging attacks on the target databases.
When it comes to database traffic, it is always recommended to encrypt network traffic when transmitting over untrusted networks. For example you may utilize Oracle Advanced Security to encrypt network traffic between clients, databases, and application servers.
Further I recommend to harden the host operating system of the database server by disabling all unnecessary operating system services. Many UNIX and Windows services are not necessary for most deployments. Such services include FTP, TFTP, TELNET, and so forth. For each disabled service, be sure to close both the UDP and TCP ports. Leaving either type of port enabled leaves the operating system vulnerable.
Finally It is generally not acceptable to allow all source addresses to access your server management ports (22 for Linux SSH and 3389 for Windows RDP) or database (1433 for SQL Server, 1521 for Oracle, and 3306 for MySQL). Be as specific as practical about who can reach these ports. When it is impractical to define source IP addresses for network management, you might consider another solution like a remote access VPN as a compensating control to allow the access required and protect your network.