I am not a forensics expert, nor do I play one on TV. I do, however, play one at work from time to time and I own some of the key tools: a magnifying glass and a 10baseT hub. Oh, and a Sherlock Holmes hat – that’s the key. Unfortunately, these weren’t much help when I was handed a pile of drives and was asked to find out which version of Windows they had been running. I wasn’t allowed to boot them, and I couldn’t really find the full answer of how to get the version after a lot of googling, so I figured it out the hard way. Hopefully I can save you guys some time by explaining it in detail.
And if there’s a better way, which I’m sure there is, please let me know. I don’t doubt that I did this the hard way – that’s kinda my thing.
The order of events is, basically:
- Step 1: Copy the system's SOFTWARE registry hive (Windows\System32\config\SOFTWARE on the suspect volume) to your analysis system
- Step 2: Load the copied hive in regedit.exe (select HKEY_LOCAL_MACHINE, then File > Load Hive, and give it a temporary name)
- Step 3: Navigate to HKEY_LOCAL_MACHINE\<temporary name>\Microsoft\Windows NT\CurrentVersion in regedit.exe and read ProductName, CurrentVersion, CurrentBuild and CSDVersion
- Step 4: Unload the hive (select the temporary key, then File > Unload Hive).
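The same four steps, scripted from an elevated PowerShell prompt instead of clicking through regedit. This is an added example, not the original post's procedure; it assumes the suspect volume (or a write-blocked image of it) is attached as E:, that the copy goes to C:\cases\box1, and that the hive is loaded under the made-up name HKLM\Evidence_SOFTWARE.

```powershell
# Added example, not from the original post. Assumed paths: evidence volume
# attached read-only as E:, working copy in C:\cases\box1, temporary hive
# name HKLM\Evidence_SOFTWARE. Run from an elevated prompt.

$hiveCopy = 'C:\cases\box1\SOFTWARE'
$mount    = 'HKLM\Evidence_SOFTWARE'   # temporary subkey name under HKLM

# Step 1: copy the SOFTWARE hive off the suspect volume. The wildcard also
# picks up SOFTWARE.LOG1/.LOG2, the transaction logs a hive that was not
# cleanly shut down may need; the hive itself is the file with no extension.
New-Item -ItemType Directory -Force (Split-Path $hiveCopy) | Out-Null
Copy-Item 'E:\Windows\System32\config\SOFTWARE*' (Split-Path $hiveCopy)

# Step 2: load the copy as a subkey of HKLM (needs administrator rights).
reg.exe load $mount $hiveCopy | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (hive locked, corrupt, or not elevated?)" }

try {
    # Step 3: the version values live under Microsoft\Windows NT\CurrentVersion.
    $cv = Get-ItemProperty "HKLM:\Evidence_SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    [pscustomobject]@{
        ProductName    = $cv.ProductName      # e.g. "Windows 7 Professional"
        CurrentVersion = $cv.CurrentVersion   # NT version string, e.g. 6.1
        CurrentBuild   = $cv.CurrentBuild     # build number; on Windows 10/11
                                              # CurrentVersion stays at 6.3, so
                                              # build (and ReleaseId/DisplayVersion
                                              # when present) is what distinguishes them
        ServicePack    = $cv.CSDVersion       # null unless a service pack is installed
        ReleaseId      = $cv.ReleaseId        # Windows 10 only, e.g. 1809
        InstallDate    = [DateTimeOffset]::FromUnixTimeSeconds([int64]$cv.InstallDate).UtcDateTime
    }
}
finally {
    # Step 4: unload. PowerShell holds a handle on keys it has read, which makes
    # reg unload fail with "Access is denied"; force a collection first.
    [GC]::Collect()
    reg.exe unload $mount | Out-Null
}
```

Work on the copy, never on the evidence file: reg load opens the hive read-write and will rewrite it. If the unload still fails, close any regedit window that has the temporary key open and retry.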
If you know how to do all that, then thanks for reading! Check back Tuesday for a brand new blog posting! I have an interesting blog that combines DNS and cross-site scripting lined up.
Otherwise, keep reading. Or just look at the pictures.
Exotic XSS: The HTML Image Tag
There are the usual XSS tests. And then there are the fun ones. This is a story about a more exotic approach to testing XSS…
I was testing a company that had passed all XSS tests from their pentester. I found that they allowed users to write HTML tags. Of course they didn’t permit <script> tags or <iframe> tags. (Well, they did allow those, but that was an oops - no server-side filtering.) This company had whitelisted a variety of “safe” tags for use by clients.
That’s boring, right? Heh, thanks to Ron, I had a way to abuse their whitelist. (I’ve since found this in The Web Application Hacker’s Handbook, but I seem to have overlooked it at the time I read it.) Three HTML 4 tags in particular allow JavaScript to be run from one of their attributes (or, for <style>, from the stylesheet body itself), and these are: <img>, <object>, and <style>.
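To show why a whitelist of tag names is not enough, here is an added example (not code from the original post, nor from the company it describes): a tag-only filter of the kind the post found, beside a filter that also whitelists attributes per tag and vets URL values. The payloads are constructed in the shapes the post names, the function names are my own, and the regex approach is for illustration; production code should use a maintained sanitizer that parses HTML the way browsers do.

```javascript
// Added example, not from the original post. Regex-based for brevity; a real
// deployment should use a maintained HTML sanitizer (e.g. DOMPurify).

const ALLOWED_TAGS = new Set(['b', 'i', 'p', 'a', 'img', 'object', 'style']);

// The kind of filter the post ran into: whitelisted tags pass through with
// every attribute (and, for <style>/<object>, their body) intact.
function tagWhitelistOnly(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? tag : '');
}

// Hardened: attributes whitelisted per tag, event handlers never included,
// URL-valued attributes checked. <style> and <object> are dropped outright:
// their payload lives in the element body or a data= URL, so no subset is safe.
const SAFE_ATTRS = new Map([
  ['b', new Set()], ['i', new Set()], ['p', new Set()],
  ['a', new Set(['href', 'title'])],
  ['img', new Set(['src', 'alt', 'width', 'height'])],
]);
const URL_ATTRS = new Set(['href', 'src']);

// Browsers decode entities in attribute values before parsing the URL, so
// &#106;avascript: is javascript:; decode the common forms before checking.
function decodeEntities(s) {
  const named = { colon: ':', tab: '\t', newline: '\n', amp: '&' };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)))
    .replace(/&(colon|tab|newline|amp);?/gi, (_, n) => named[n.toLowerCase()]);
}
function fromCp(cp) { return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd'; }

// Browsers also ignore control characters and whitespace inside the scheme,
// so "java\tscript:" still runs. Strip them, then allow only http(s) or a
// scheme-less (relative) URL.
function safeUrl(decoded) {
  const cleaned = decoded.replace(/[\x00-\x20]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true;
  const scheme = m[1].toLowerCase();
  return scheme === 'http' || scheme === 'https';
}

// Values are fully decoded above, so re-encode everything that can break out
// of a double-quoted attribute or start a tag.
function escapeAttr(v) {
  return v.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

function tagAndAttrWhitelist(html) {
  const withoutBlocks = html.replace(/<(style|object)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  return withoutBlocks.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g,
    (_, slash, name, attrs) => {
      const tag = name.toLowerCase();
      const allowed = SAFE_ATTRS.get(tag);
      if (!allowed) return '';
      if (slash) return `</${tag}>`;
      const kept = [];
      const attrRe = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
      let m;
      while ((m = attrRe.exec(attrs)) !== null) {
        const attr = m[1].toLowerCase();
        if (!allowed.has(attr)) continue;   // drops onerror, onload, style, ...
        const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
        if (URL_ATTRS.has(attr) && !safeUrl(value)) continue;
        kept.push(`${attr}="${escapeAttr(value)}"`);
      }
      return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
    });
}

// Constructed payloads (not taken from any real site): each runs script
// through a whitelisted tag rather than through <script>.
const PAYLOADS = [
  '<img src=x onerror=alert(1)>',
  '<img src="java\tscript:alert(1)">',
  '<a href="&#106;avascript:alert(1)">click</a>',
  '<object data="javascript:alert(1)"></object>',
  '<style>body{background:url("javascript:alert(1)")}</style>',
];

// What each filter lets through, per payload, for side-by-side reading.
function compare(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    input: p,
    tagOnly: tagWhitelistOnly(p),
    hardened: tagAndAttrWhitelist(p),
  }));
}
```

Call `compare()` to see the two columns: the tag-only filter returns every payload unchanged, because the tag name is on the list and it never looks at attributes or element bodies. The hardened filter reduces the `<img>` payloads to `<img src="x">` and `<img>`, the `<a>` payload to `<a>click</a>`, and removes the `<object>` and `<style>` blocks entirely.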
Nmap script to generate custom license plates
Hey all,
In honour of this special day, I’m releasing an Nmap script I wrote a few months ago as a challenge: http-california-plates.nse. To install it, ensure you’re at the latest svn version of Nmap (I fixed a bug in http.lua last night that prevented this from working, so only the svn version as of today will work), download http-california-plates.nse, and install it.