Posts

Showing posts from 2019

LDAP Injection

LDAP (the Lightweight Directory Access Protocol) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The LDAP directory service is based on a client-server model. The function of LDAP is to enable access to an existing directory (Microsoft). The major operations that can be performed with LDAP are: Add: add new data. Bind: authenticate (use LDAPS over port 636, not 389). Delete: delete data. Search and Compare. Unbind: close the connection. LDAP injection is similar in principle to a SQL injection attack; the main objective of LDAP injection is to exploit web application vulnerabilities in order to exfiltrate users' login names as well as other user information. This is an important step prior to a privilege escalation attack. Let us suppose that ABC company had an application called Rocky :). ...

Windows Incident Response (Practical - 11 Steps)

Windows Incident Response (Practical - 11 Steps) When a system encounters an incident, the common reaction among most people is to panic and jump straight into the system to find out the cause and, hopefully, get it back to normal working condition as soon as possible. In most cases, not all systems can afford the downtime of a full investigation before the most probable cause is known (SANS). In this post, I will elaborate on basic steps that might help you expedite Windows Incident Response (IR). I have summarized the process in 11 steps. Let us assume that a machine named Desktop-ABC, connected to the ABC domain, was compromised and that, as the lead incident responder on your system admin team, your task is to use incident response methodologies to determine what happened, identify any malicious files found on the system, and take the appropriate steps to resolve the issue. Let us start. After connecting to Desktop-...

Suspicious Services in Windows - Tip #3

Suspicious Services in Windows Many small/medium companies have no policy, governance, or controls in place to protect their data and services; such organizations will surely suffer from an unstable and insecure environment, and at any time the whole environment might become compromised. You might have suspicious services running in your environment without knowing it :). There are enterprise solutions that might fulfill the requirement to scan for such services, but if you don't have one you can go ahead and try WMI (Windows Management Instrumentation). The script below will list all abnormal/suspicious services that are running on remote desktops and are not running from the Windows or Program Files folders, or that run under accounts other than the built-in service logon accounts such as LocalSystem or NetworkService, etc. You can amend this script based on your requirements. $Computer ...

Blue Screen in Windows - Tip #2

Blue Screen in Windows Many of us might face a blue screen in the operating system, whether on a desktop or a server, but no one is interested in knowing the root cause of this blue screen, because we consider it a bug in Windows components or an exception error in the operating system; we just reboot the desktop/server and the OS starts working properly again. The actual reason for a blue screen is that something within the Windows kernel calls the kernel routine KeBugCheckEx, passing a bug check code and the 4 parameters shown below: VOID KeBugCheckEx( _In_ ULONG BugCheckCode, _In_ ULONG_PTR BugCheckParameter1, _In_ ULONG_PTR BugCheckParameter2, _In_ ULONG_PTR BugCheckParameter3, _In_ ULONG_PTR BugCheckParameter4 ); https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-kebugcheckex And as per Microsoft, analysis of the root causes of crashes indicates the follo...

DNS Security - Tip #1

DNS Security Sometimes DNS is misconfigured insecurely, and anyone can use this vulnerability to gather information ("reconnaissance") for a targeted attack; even if it's an obsolete approach, it's still useful :(. The vulnerability is in zone transfer in Windows DNS: when the feature "allow zone transfer" is enabled from untrusted sources, you allow anyone to obtain all zone information about your organization, such as the network scheme and server and service names, etc. Running the commands below will get all DNS zone information if "allow zone transfers to any server" is enabled on your DNS server:
>nslookup
> server <DNS Server>
> set type=any  (to get all types of DNS records)
> ls -d <Zone Name> > InfoZone.txt  (the actual transfer)
Make sure to restrict the zone transfer feature in a Windows environment so that it is allowed only from a trusted source, as follows: ...