Blog | Security Whole: Recent Comments

Comment on Finding Old or Unused Accounts with Powershell v2

Tim Medin — Fri, 10 Feb 2012 14:27:37 GMT

That is the easiest part. You simple pipe the command into Export-CSV and you have the file.

myscriptname.ps1 | export-csv myfile.csv

Comment on WinXP Embedded and MS08-067

Tim Medin — Fri, 10 Feb 2012 14:26:26 GMT

In my case, the embedded device allowed the image to be unlocked and we could modify the firewall and block all services. Since it was a terminal we didn't need to allow any services to be accessible. Why it was enabled in the first place, I just don't know.

In your case, I'm guessing you'll either have to upgrade or update the firmware. Lacking that ability, you'll have to firewall that segment of the network and hope nothing malicious gets on that segment.

Comment on Finding Old or Unused Accounts with Powershell v2

Marc — Thu, 09 Feb 2012 08:35:30 GMT

Hi Tim,

Very good script. Took indeed just a couple of seconds to execute. But now I'm wondering how I can export this to a csv file so I can import it in Excel?

Kind regards,
Marc

Comment on WinXP Embedded and MS08-067

NA — Wed, 19 Oct 2011 19:56:38 GMT

Did you identify the root cause? I haven't run into this scenario specifically, but I have friend who is fighting this issue on XP embedded. At a glance, I thought he had overlooked something obvious - but the symptoms he reported are the same. Did you identify a path-forward?

Comment on Getting registry last write time with PowerShell

bill — Mon, 15 Nov 2010 22:18:42 GMT

Nice but I'm looking for a script that will recursively walk the registry, showing the last write time on every key. This is for live forensics data collection.

Comment on .NET Padding Oracle Attack, padBuster.pl, and the Microsoft Recommended Workarounds

Tim Medin — Sat, 30 Oct 2010 21:17:35 GMT

I don't think you can. If the site is using and MD5 HMAC to sign the viewstate this attack doesn't work.

Comment on GoDaddy is teh suck

JM — Fri, 29 Oct 2010 02:23:10 GMT

We have a Dreamhost account and it's awesome. (I have a referral code if you want to go that way.)

Right now, I don't want to mess with keeping web content up to date, so my blog is over at Posterous, which is dead easy to use, but I don't do much formatting of the content. Pretty much all plain text or pictures there.

Comment on .NET Padding Oracle Attack, padBuster.pl, and the Microsoft Recommended Workarounds

gamble — Wed, 27 Oct 2010 14:39:46 GMT

I would like to use the padding oracle on encrypted viewstate that using MD5. May I know how I can do on tat ? Thanks

Comment on Powershell Port Scan

Mike Summers — Sat, 02 Oct 2010 07:45:15 GMT

Great post and its a really nice

Comment on Finding Meterpreter

Ryan M. Ferris — Wed, 21 Jul 2010 01:37:06 GMT

Thanks for this post. I extended your post some. I found this PS code of interest:
$findMM=foreach ($id in ( Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*"} )) {write $id.MainModule}
$findMM | Select Modulename,FileName,ModuleMemorySize,Size,EntryPointAddress,BaseAddress,Description,Company | ft -auto