Tuesday, December 22, 2020

Reverse SSH usage example 1

(Just for my reference) 
Scenario: 
  1. Servers 10.0.0.18, 10.0.0.19 and 10.0.0.20 are behind a firewall. 10.0.0.18 has full access to the other two servers. 
  2. Server 10.0.0.18 has a public IP x.x.x.x. 
  3. Laptop 192.168.1.16 can only SSH to x.x.x.x on port 22, authenticating with the certificate (identity file) myCert.
Requirements: 
  1. The laptop needs to access server 10.0.0.18 on HTTPS port 8834 (https://x.x.x.x:8834 won't work because only port 22 is open to the Internet). 
  2. The laptop needs to access the other servers on HTTPS port 443. 
Steps: 
  1. On the laptop run "sudo ssh -D 1081 -i myCert root@x.x.x.x". 
  2. Set up the Firefox proxy: SOCKS v4, host localhost, port 1081. 
  3. Open Firefox and browse to https://localhost:8834 (through the tunnel, "localhost" is 10.0.0.18's own loopback, where port 8834 listens).
  4. Browse to https://10.0.0.18
  5. Browse to https://10.0.0.19
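
The same tunnel scripted for a Windows laptop, added here as an example and not taken from the post. It assumes the built-in OpenSSH client (ssh.exe) and curl.exe are installed, keeps the post's placeholders x.x.x.x, myCert and port 1081, and adds one check the post does not make: that the SOCKS listener is bound to loopback only, because a wildcard bind such as "-D 0.0.0.0:1081" would let every host on the laptop's LAN pivot into the 10.0.0.0/24 network through it. Port 1081 is unprivileged, so on Linux/macOS the ssh line itself needs no sudo either.

```powershell
# Added example (not from the original post): SSH dynamic port forwarding from a
# Windows laptop, plus a check that the proxy is only reachable from the laptop.
# Placeholders from the post: x.x.x.x (public IP of 10.0.0.18), myCert, port 1081.
$JumpHost  = 'x.x.x.x'
$KeyFile   = 'myCert'
$SocksPort = 1081

function Start-SocksTunnel {
    param([string]$JumpHost, [string]$KeyFile, [int]$SocksPort)
    # Bind explicitly to 127.0.0.1 so the SOCKS proxy never listens on the LAN
    # interface. -N opens no remote shell; only the forwarding is needed.
    $sshArgs = @('-N', '-D', "127.0.0.1:$SocksPort", '-i', $KeyFile, "root@$JumpHost")
    return Start-Process -FilePath 'ssh' -ArgumentList $sshArgs -PassThru -NoNewWindow
}

function Test-SocksBinding {
    param([int]$SocksPort)
    # Every listener on the SOCKS port must be a loopback address; anything else
    # means other machines on the LAN can use the tunnel.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $SocksPort -ErrorAction SilentlyContinue
    if (-not $listeners) { return 'not listening' }
    $exposed = $listeners | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
    if ($exposed) { return "EXPOSED on $($exposed.LocalAddress -join ', ')" }
    return 'loopback only'
}

$tunnel = Start-SocksTunnel -JumpHost $JumpHost -KeyFile $KeyFile -SocksPort $SocksPort
Start-Sleep -Seconds 3          # give ssh time to authenticate and open the listener
Test-SocksBinding -SocksPort $SocksPort

# Firefox (Settings > Network Settings): SOCKS host 127.0.0.1, port 1081.
# ssh -D serves both SOCKS4 and SOCKS5, so the post's "SOCKS v4" setting works;
# with v5 and "Proxy DNS when using SOCKS v5", names resolve on the jump host.
# Command-line check of the same path (socks5h = resolve names on the jump host,
# so "localhost" below is 10.0.0.18's own loopback, as in step 3 of the post):
#   curl.exe -k --proxy socks5h://127.0.0.1:1081 https://localhost:8834/
#   curl.exe -k --proxy socks5h://127.0.0.1:1081 https://10.0.0.19/

# When finished:
#   Stop-Process -Id $tunnel.Id
```

Test-SocksBinding is the part worth keeping around: run it after any `ssh -D` and expect "loopback only"; "EXPOSED on 0.0.0.0" means the tunnel was started with a wildcard bind address.
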

Friday, March 27, 2020

Office 365 Forensics (1)

(Just for my reference)
When an attacker gets Office 365 portal admin access, the first thing he is going to do is delegate a user so that he gets full access to that user's account: mail, contacts, calendar, etc.

To get full access to another user's account, log in to https://outlook.office365.com/ecp/ and select "recipients" -> "mailboxes".

Double-click the user whose mailbox is to be accessed; in the "Edit User Mailbox" window, under "Full Access", add the compromised email account.

The attacker can then open the user's mailbox in Outlook through File -> Open -> Other User's Folder.

To see if someone has accessed your mailbox, log in to https://outlook.office365.com/ecp/ and select "compliance management" -> "auditing" -> "Run a non-owner mailbox access report".

In the popup window, select the start date and end date, in the "Search for access by" dropdown list select "All non-owners", and click "Search".

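
The same two checks from Exchange Online PowerShell, added here as an example (not part of the original post, and not Microsoft's own guidance). It assumes the ExchangeOnlineManagement module is installed and that the admin signing in has audit-log read rights; the mailbox name and the 30-day window are placeholders. Beyond the ECP report, it also answers the question the report does not: who granted the Full Access right, when, and from which IP.

```powershell
# Added example (not from the original post): PowerShell equivalents of the ECP
# steps above. Placeholders: victim@example.com and the 30-day date range.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline            # interactive admin sign-in

$Mailbox   = 'victim@example.com'   # placeholder
$StartDate = (Get-Date).AddDays(-30)
$EndDate   = Get-Date

# 1. Who currently holds Full Access on the mailbox? The delegation the post
#    describes shows up here; the owner itself appears as NT AUTHORITY\SELF.
function Get-FullAccessDelegates {
    param([string]$Identity)
    Get-MailboxPermission -Identity $Identity |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            $_.User -ne 'NT AUTHORITY\SELF' -and
            -not $_.IsInherited
        } |
        Select-Object Identity, User, AccessRights, Deny
}

# 2. When was Full Access granted, by which admin, and from where? Every
#    Add-MailboxPermission call is recorded in the unified audit log.
function Get-PermissionGrants {
    param([datetime]$Start, [datetime]$End)
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -Operations 'Add-MailboxPermission' -ResultSize 5000 |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json     # AuditData is a JSON string
            [pscustomobject]@{
                When     = $_.CreationDate
                Admin    = $_.UserIds
                Target   = $d.ObjectId
                Granted  = ($d.Parameters | Where-Object Name -eq 'User').Value
                Rights   = ($d.Parameters | Where-Object Name -eq 'AccessRights').Value
                ClientIP = $d.ClientIP
            }
        }
}

# 3. The non-owner access report itself: delegate and admin logons to the
#    mailbox, with the folders they touched.
function Get-NonOwnerAccess {
    param([string]$Identity, [datetime]$Start, [datetime]$End)
    Search-MailboxAuditLog -Identity $Identity -LogonTypes Delegate, Admin `
        -StartDate $Start -EndDate $End -ShowDetails |
        Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ClientIPAddress
}

Get-FullAccessDelegates -Identity $Mailbox | Format-Table -AutoSize
Get-PermissionGrants -Start $StartDate -End $EndDate | Format-Table -AutoSize
Get-NonOwnerAccess -Identity $Mailbox -Start $StartDate -End $EndDate | Format-Table -AutoSize
```

A delegate that appears in the first list but has no matching Add-MailboxPermission entry inside the audit retention window was granted earlier than the window; widen the date range before concluding the grant was legitimate.
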
Tuesday, March 17, 2020

Forensics of Android APKs on the phone

(Just for my reference)
Purpose: check the .apk files on the phone against VirusTotal.

Tools:
1. VirusTotal website: https://virustotal.com
2. MOBILedit Forensic Express 7

Steps:
1. Use MOBILedit to create a full report.

2. Open a command line window, go to the report folder and run sigcheck64 -h -a -c -w ..\apks.csv -u -s .\*.apk to hash every .apk (recursing into subfolders) and write the results as CSV to ..\apks.csv.

3. Run sigcheck64 -c -w .\samsung.csv -vrs -vt -o .\apks.csv to look up the hashes in apks.csv on VirusTotal and write the results to samsung.csv.

4. Open the resulting CSV file (samsung.csv) and analyze the output.
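
Step 4 by hand means scrolling a CSV; the script below, added here as an example and not part of the post or of Sysinternals, triages it instead. It assumes sigcheck's CSV headers are "Path", "SHA256", "VT detection" and "VT link" (the names its -c output uses together with -h and -vt) and that an unknown hash is reported as "Unknown" in the detection column; the sample rows are constructed, not results from a real phone. One caveat on step 3 itself: the 's' in -vrs tells sigcheck to upload files VirusTotal has never seen, which matters when the phone's contents are sensitive; drop it to keep the check hash-only.

```powershell
# Added example (not from the original post): rank the APKs in the sigcheck CSV
# by VirusTotal verdict. Column names and the "Unknown" marker are assumptions
# about sigcheck's output format; the sample data below is constructed.
function Get-ApkVerdict {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [int]$MinDetections = 1     # engines that must flag a file before it is FLAGGED
    )
    Import-Csv -Path $CsvPath | ForEach-Object {
        $raw = [string]($_.'VT detection')
        $hits = $null; $engines = $null
        # sigcheck writes "hits/engines", "Unknown" (assumed wording) for hashes VT
        # has never seen, or an empty field when the lookup was not made.
        if ($raw -match '^\s*(\d+)\s*/\s*(\d+)\s*$') {
            $hits = [int]$Matches[1]; $engines = [int]$Matches[2]
        }
        if ($null -eq $hits) {
            $verdict = if ($raw -match 'Unknown') { 'UNKNOWN-TO-VT' } else { 'NOT-CHECKED' }
            $rank = 1
        } elseif ($hits -ge $MinDetections) {
            $verdict = 'FLAGGED'; $rank = 0
        } else {
            $verdict = 'CLEAN'; $rank = 2
        }
        [pscustomobject]@{
            Verdict = $verdict
            Hits    = $hits
            Engines = $engines
            File    = Split-Path -Leaf $_.Path
            SHA256  = $_.SHA256
            Report  = $_.'VT link'
            Rank    = $rank
        }
    } |
    Sort-Object Rank, @{ Expression = 'Hits'; Descending = $true } |
    Select-Object Verdict, Hits, Engines, File, SHA256, Report
}

# Constructed sample standing in for samsung.csv; hashes and links are fake.
$sample = @'
Path,SHA256,VT detection,VT link
C:\report\apks\com.example.flashlight.apk,1111111111111111111111111111111111111111111111111111111111111111,23/61,https://www.virustotal.com/gui/file/1111...
C:\report\apks\com.android.settings.apk,2222222222222222222222222222222222222222222222222222222222222222,0/60,https://www.virustotal.com/gui/file/2222...
C:\report\apks\com.vendor.update.apk,3333333333333333333333333333333333333333333333333333333333333333,Unknown,
'@
$csv = Join-Path ([System.IO.Path]::GetTempPath()) 'apks-sample.csv'
Set-Content -Path $csv -Value $sample
Get-ApkVerdict -CsvPath $csv | Format-Table -AutoSize
```

With the sample data the flashlight APK sorts first as FLAGGED, the vendor update second as UNKNOWN-TO-VT (a hash nobody has submitted deserves a look, not a pass), and the settings APK last as CLEAN. On a real report replace $csv with the path to samsung.csv.
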