Wylie Bayes

Building A Detection Lab With Security Onion

Google Docs Slides - https://docs.google.com/presentation/d/1ojFY5Jvc6M9dKXs1qSuh6UoWc2zqL6xREbojRL921bU/edit?usp=sharing PDF Slides - https://wmfb.co/txt/SecOnion_DetectLab.pdf Above are the slides that were presented at the Security Onion + Bsides Augusta conference on October 4th 2019. Recorded talk on YouTube:https://youtu.be/JOvWCQ-PHHY

Alternate Data Streams, and Extended File Attributes.

Alternate data streams (ADS) are an NTFS file system only capability to be able to add data onto an additional "Stream" of a file without altering the contents of the file itself, or modify it's hash value in anyway. First we are going to create a new file, and add

AlienVault OTX(Online Threat Exchange) - Powershell IoC Collector

So I wanted to automate IoC(Indicators of Compromise) collection and discovered AlienVault OTX product. I work in a primarily windows workstation environment and Powershell is my goto language for just about everything since since it is native on every system since Windows 7. Below is a script I developed

Powershell

Abusing Tenable Nessus / Security Center with Audit Files and Powershell. #Nessus #Infosec #ExploitDelivery #RBACBypass #InsiderThreat

Title: Abuse of Tenable Nessus/Security Center with Audit Files and Powershell. Class: Exploit Delivery System/RBAC Bypass/Insider Abuse/Pivot Vector. Signed PDF with Keybase PGP key [http://wmfb.co/txt/Tenable_Compliance_Disclosure.pdf] Wylie's PGPKey [https://wyliebayes.com/pgpkey/] Date Published: 2017-07-27 Last Update: 2017-06-22 Vendors contacted:

OpenBSD -current IPv6 Router. Clients: #Windows, #Android, #Linux, #Openbsd. Xfinity/Comcast cable internet. Native #IPv6

So this is a follow up article revisiting using native Comcast(Xfinity) internet with your OpenBSD router provide IPv6 connectivity to all of your devices on your LAN. I first attempted this around OpenBSD 5.4, and had moderate success, but there were still some bugs to be worked out.

Blog

Quick and dirty #Powershell forward and reverse #whois.

Just a real quick way to do whois lookups on domains, and IP addresses, in Powershell. Forward lookup uses Webservicex.net, and reverse uses Arin.net. function whois($site) { #Syntax: whois google.com $web = New-WebServiceProxy ‘http://www.webservicex.net/whois.asmx?WSDL’ $web.GetWhoIs("$($site)") } function rwhois($ip){ #syntax: whois

Blog

Checking #Lastpass saved sites for #Cloudflare with #Powershell. #Cloudbleed #Infosec

So as everyone already knows there was a huge leak of data for months for websites who use Cloudflare services. To make my changing of passwords a bit easier, and more focused / targeted I put together a little setup to check all of my Lastpass saved sites for Cloudflare name

Blog

#VMWare Killing Stuck, or Hung tasks with #Powershell #PowerCLI

Recently I ran into an issue where a Powered Off VM was stuck in a vMotion host migration for over 3 days. I assume that the VM was powered off during the migration, which is what caused it to hang. Afterwards two backup job snapshot tasks were also in queue

Switched to Ghost blogging platform. #ghost #openbsd #nginx

Just throwing up a quick note to say I switched my site to Ghost blogging platform. Am running wordpress/httpd side by side for my other peeps. SSL cert is up and operational. All the encryptions.

Blog

Adventures with Hyper-V, Information Security, Route Hijack, Exfiltration, and Compromise. #HyperV #Microsoft #Compromise #Exfiltration

Microsoft has confirmed there is a mitigation already in place by going to settings for a VM go to Network Adapter -> Advanced Features -> DHCP Guard and enable it. "It is not disabled by default due to it being a performance impact"? I personally powershell to just disable DHCP

Powershell

Fix windows unquoted service path enumeration vulnerabilities with #Powershell

Here is a function to fix windows unquoted service path enumeration vulnerabilities automatically with powershell! Cheers! function fix-servicepath { $hosts = get-content C:\Users\*****\Documents\WindowsPowershell\Servers.txt foreach ($box in $hosts) { $services = $null $services = get-wmiobject win32_service -computername $box foreach ($service in $services){ $Displayname = $service.DisplayName if (($service.PathName -like "* *") -and

Powershell

HP OA, Netapp, and Vmware environment monitoring with #Powershell

Here is a custom script I made to check HP Onboard Administrators, Netapp Controllers, and vCenter servers for health issues in Powershell. Cheers! This relies on a few things first: VMWare PowerCLI 5.5+ Netapp DataOnTap 4.0 modules HP OA Powershell Cmdlets to function properly. If you want to

Powershell

Disable DHCP on Hyper-V created vSwitch Host NICS. #hyperV #dhcp #hosthijack

So playing with Hyper-V the past few weeks quite a bit and noticed that when creating a vSwitch, no matter if External and bridged to a real NIC on the host or not, it will create a NIC on the Windows host machine correlating to the vSwitch in Hyper-v. If

Blog

VPN Bonding: Pushing through the challenges!

New Foundations #1 – VPN Bonding – Pushing through the challenges. by Wylie Bayes VPN Bonding Hey everyone! Wylie is back in action and this topic is all about VPN bonding and the challenges you can face when coming up with a solution that is right for your organization. I know many

Blog

Network Wide Transparent Proxying with #OpenBSD #Proxy #webfiltering

Network Wide Transparent Proxying By: Wylie Bayes & Brandon Folchi The purpose of this article is to guide anyone who is interested in setting up their own transparent proxy capable of filtering outbound web-browsing of all devices on a network. While researching options to accomplish this we came across a program

Powershell

Convert most “OVA” virtual machines, to VHD or VHDX with Powershell, for use with Hyper-V.

Hey everyone! Just thought I’d post up a quick set of instructions to take a VMware formatted OVA file, extract out the .VMDK file and then convert it to a VHD or VHDX with Powershell. First, you will need the Microsoft Virtual Machine Converter package, and installed it. You

Blog

VMWare Over-provisioning report with #Powershell

Just thought I would put this out here for anyone monitoring a large Vmware environment. Cheers! You would need to change $ss to a remote location you wish the report to be stored, our putting a local location would be fine as well, but then would have to local copies

Blog

IPv6 Router / Client Instructions. OpenBSD 5.4 / Comcast native ipv6 connectivity.

See updated post for OpenBSD 6.1 @ https://wyliebayes.com/openbsd-router-clients/

Blog

OpenBSD and PF – iblocklist.com cheap blacklisting #openbsd #firewall

You need buy a $10.00 per year subscription from http://iblocklist.com. You will get a “Pin” number for your downloads. Then you plug the pin number into the end of the URL’s from the wget commands in this script: http://wmfb.co/txt/iblocklist.sh.txt You

Blog

Fun with Bash. Patch status script for RPM based systems.

The script below is a Patch Status script for rpm based systems (Redhat, Centos, Fedora, etc.) You must query a known good, fully patched server. Query this server with “rpm -qa” and pipe it to a “current.txt” file. Your servers are pulled from “hosts.txt” file. Each IP address

Bash scripts to change passwords on remote servers.

I have systems that are secured with PAM authentication / SSH. When attempting to execute “passwd” commands remotely with SSH, the system does not allow this. These systems are setup with Public Key Authentication, and NOPASSWD option in /etc/sudoers. Script 1 – This script runs from a management server. It copies

Blog

OpenBSD 5.5, 5.6, or 5.7 and OpenVPN with easyrsa3

!!!!!UPDATE!!!!! When upgrading from 5.6 to 5.7. I had to add the following rules to the bottom of my pf.conf to allow for proper vpn pass through. I do not know why it isn’t being allowed through the match rule out egress, but that is what

Blog

Installing Windows 8.1 Remote Administrator Tools – BUG

So I recently discovered when attempting to get Active Directory Users and Computers installed on a Windows 8.1 machine, that the update claims it is not applicable to my computer, even though the update is not already installed, and is applicable. I am using a windows 8.1 64bit