16 December 2019

Create a USB installer from an ISO

1- plug the USB stick into the PC
2- unmount the USB stick (but do not unplug it); confirm which device it is with lsblk before running dd
3- sudo dd bs=4M if=/home/sana/Downloads/ubuntu-18.04.2-live-server-amd64.iso of=/dev/sdb status=progress oflag=sync

23 October 2019

Convert a virtual disk to a RAW disk image

1- VirtualBox format
vboxmanage clonemedium <source.vdi> ./disk.raw --format=raw   (<source.vdi> is a placeholder for the VirtualBox disk file)

Now disk.raw can be read by mmls to get the partition offset.
mmls disk.raw



2- VMDK

If your mmls supports afflib, you can process the vmdk directly:
mmls -i afflib vmDisk.vmdk


If yours does not support afflib, convert it to raw format with qemu-img:
qemu-img convert -f vmdk -O raw vmImage/vm_disk.vmdk vm_disk.raw

Now vm_disk.raw can be read by mmls to get the partition offset.
mmls vm_disk.raw



Snapshot:
Let's say the VM has 2 snapshots of the disk vm_disk.vmdk.
The *.vmsd file tracks these snapshots (mapping each snapshot name to its vmdk file). Let's say vmImage.vmsd is as follows:
.encoding = "UTF-8"
snapshot.lastUID = "2"
snapshot.current = "2"
snapshot0.uid = "1"
snapshot0.filename = "vmImage-Snapshot1.vmsn"
snapshot0.displayName = "asal"
snapshot0.createTimeHigh = "365944"
snapshot0.createTimeLow = "26982807"
snapshot0.numDisks = "1"
snapshot0.disk0.fileName = "vm_disk.vmdk"
snapshot0.disk0.node = "scsi0:0"
snapshot.numSnapshots = "2"
snapshot.mru0.uid = "2"
snapshot1.uid = "2"
snapshot1.filename = "vmImage-Snapshot2.vmsn"
snapshot1.parent = "1"
snapshot1.displayName = "kedua"
snapshot1.createTimeHigh = "365947"
snapshot1.createTimeLow = "170475548"
snapshot1.numDisks = "1"
snapshot1.disk0.fileName = "vm_disk-000001.vmdk"
snapshot1.disk0.node = "scsi0:0"
snapshot.mru1.uid = "1"
This file shows the image has 2 snapshots, 'asal' and 'kedua'.
Snapshot 'asal' points the disk to vm_disk.vmdk.
Snapshot 'kedua' points the disk to vm_disk-000001.vmdk.

The current state of the disk is set in the vmImage.vmx file:
scsi0:0.fileName = "vm_disk-000002.vmdk"

To convert a snapshot disk to raw, pass any snapshotXX.diskXX.fileName value (e.g. vm_disk-000001.vmdk) to qemu-img convert as shown above. Keep the whole chain (vm_disk.vmdk and the -00000N.vmdk deltas) together in one directory: each delta vmdk only stores changed blocks and refers back to its parent, so qemu-img needs the parents present to produce a complete image.
qemu-img convert -f vmdk -O raw vm_disk-000001.vmdk /tmp/snap_kedua.raw
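As an added example (not from this note, and not VMware's or qemu's code), here is a small Python parser for the .vmsd format above: it maps each snapshot's displayName to its disk file and parent, and builds the qemu-img command for a chosen snapshot. The sample text is a constructed copy of the vmImage.vmsd above with the timestamp keys dropped; the function names are my own.

```python
import re

# Constructed sample: the vmImage.vmsd from the note above, with the timestamp
# keys dropped because the parser does not use them.
SAMPLE_VMSD = """\
.encoding = "UTF-8"
snapshot.lastUID = "2"
snapshot.current = "2"
snapshot0.uid = "1"
snapshot0.filename = "vmImage-Snapshot1.vmsn"
snapshot0.displayName = "asal"
snapshot0.numDisks = "1"
snapshot0.disk0.fileName = "vm_disk.vmdk"
snapshot0.disk0.node = "scsi0:0"
snapshot.numSnapshots = "2"
snapshot1.uid = "2"
snapshot1.filename = "vmImage-Snapshot2.vmsn"
snapshot1.parent = "1"
snapshot1.displayName = "kedua"
snapshot1.numDisks = "1"
snapshot1.disk0.fileName = "vm_disk-000001.vmdk"
snapshot1.disk0.node = "scsi0:0"
"""

# A .vmsd file is a flat list of   key = "value"   lines.
LINE_RE = re.compile(r'^\s*([\w.]+)\s*=\s*"(.*)"\s*$')


def parse_vmsd(text):
    """Return the key/value pairs of a .vmsd file as a dict (unparseable lines are skipped)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def snapshots(entries):
    """Build {uid: {"name", "parent", "disks": {node: vmdk}}} from the snapshotN.* keys."""
    snaps = {}
    for key, uid in entries.items():
        m = re.fullmatch(r"snapshot(\d+)\.uid", key)
        if not m:
            continue
        prefix = "snapshot" + m.group(1)
        disks = {}
        for d in range(int(entries.get(prefix + ".numDisks", "0"))):
            node = entries.get(f"{prefix}.disk{d}.node", f"disk{d}")
            disks[node] = entries[f"{prefix}.disk{d}.fileName"]
        snaps[uid] = {
            "name": entries.get(prefix + ".displayName", ""),
            "parent": entries.get(prefix + ".parent"),   # None for the root snapshot
            "disks": disks,
        }
    return snaps


def uid_of(entries, name):
    """Look a snapshot up by its displayName; raise KeyError if there is none."""
    for uid, snap in snapshots(entries).items():
        if snap["name"] == name:
            return uid
    raise KeyError(name)


def chain(entries, name):
    """Display names from the root snapshot down to `name`, following the .parent links."""
    snaps = snapshots(entries)
    uid = uid_of(entries, name)
    names = []
    while uid is not None:
        names.append(snaps[uid]["name"])
        uid = snaps[uid]["parent"]
    return list(reversed(names))


def disk_for_snapshot(entries, name, node="scsi0:0"):
    """The vmdk that holds disk `node` as of snapshot `name` (snapshotN.diskM.fileName)."""
    return snapshots(entries)[uid_of(entries, name)]["disks"][node]


def convert_command(entries, name, out_path, node="scsi0:0"):
    """argv for the qemu-img conversion shown in the note, for the chosen snapshot."""
    src = disk_for_snapshot(entries, name, node)
    return ["qemu-img", "convert", "-f", "vmdk", "-O", "raw", src, out_path]


if __name__ == "__main__":
    e = parse_vmsd(SAMPLE_VMSD)
    for name in ("asal", "kedua"):
        print(name, "->", " > ".join(chain(e, name)), "->", disk_for_snapshot(e, name))
    print(" ".join(convert_command(e, "kedua", "/tmp/snap_kedua.raw")))
```

Run it against a real vmImage.vmsd by reading the file into parse_vmsd; the chain() output tells you which parent vmdk files must sit next to the delta before qemu-img convert is run.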

Winlogbeat: change the index name

For a non-cluster setup:

  setup.template.name: 'my-winlogbeat-%{[beat.version]}'
  setup.template.pattern: 'my-winlogbeat-%{[beat.version]}-*'

  output.elasticsearch.index: 'my-winlogbeat-%{[beat.version]}-%{+yyyy.MM}'



Note: Winlogbeat version 7, when pushing to a cluster, defaults to ILM (index lifecycle management); while ILM is active the output.elasticsearch.index setting above is ignored and the rollover alias below is used instead.


For a cluster:
  setup.ilm.enabled: auto
  setup.ilm.rollover_alias: "my-winlogbeat"
  setup.ilm.pattern: "{now/d}-000001"




ref: 
1- https://discuss.elastic.co/t/changing-the-index-name-for-winlogbeat-sent-to-elasticsearch/168722/6

26 September 2019

DNS on Ubuntu 18: 'resolv.conf vs systemd-resolve --status'

Netplan has been set to use more than 1 DNS server (can be verified with systemd-resolve --status),
but /etc/resolv.conf still uses 127.0.0.53 (the systemd-resolved stub listener).

Solution: link /etc/resolv.conf to the file systemd-resolved writes with the real upstream servers, which bypasses the stub:

cd /etc
sudo ln -sf ../run/systemd/resolve/resolv.conf /etc/resolv.conf




ref: https://www.linode.com/community/questions/17081/dns-stops-resolving-on-ubuntu-1804

11 September 2019

services and svchost in Windows

1- services is the list of services

2- svchost is the process that hosts a service. This is used when the service only has a DLL file. (Services that have an EXE file do not need svchost.)


Example 1 (service using an exe file)-----------------------

HKLM\SYSTEM\CurrentControlSet\Services\
-- ImagePath -> c:\dir\contoh.exe


Example 2 (service using a dll file)---------------------

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
-- NetworkService: DNSCache lanmanworkstation DHCP

(Dnscache)
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
-- ImagePath : %SystemRoot%\system32\svchost.exe -k NetworkService -p

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
-- ServiceDll : %SystemRoot%\system32\dnsrslvr.dll

(LanmanWorkstation)
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
-- ImagePath : %SystemRoot%\system32\svchost.exe -k NetworkService -p

HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
-- ServiceDll : %SystemRoot%\system32\wkssvc.dll
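The mapping above (ImagePath -> svchost -k group -> Parameters\ServiceDll) can be checked mechanically. The Python below is an added example, not from the note and not Microsoft's code: it works on a constructed dict standing in for the registry keys above (Dnscache, LanmanWorkstation and contoh.exe as in the note, plus a deliberately inconsistent ExampleSvc entry that I made up), resolves how each service is hosted, and flags svchost-hosted services that are not listed in their -k group or whose ServiceDll lives outside %SystemRoot%\system32. %SystemRoot% is assumed to expand to C:\Windows; on a live system you would fill the dict from the registry instead.

```python
import re

SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
SVCHOST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"

# Constructed stand-in for the registry: {key path: {value name: data}}. The
# Dnscache / LanmanWorkstation / contoh entries mirror the note above;
# ExampleSvc is a made-up, deliberately inconsistent entry to exercise the checks.
REGISTRY = {
    SVCHOST_KEY: {"NetworkService": ["DNSCache", "lanmanworkstation", "DHCP"]},
    SERVICES_KEY + r"\contoh": {"ImagePath": r"c:\dir\contoh.exe"},
    SERVICES_KEY + r"\Dnscache": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService -p"},
    SERVICES_KEY + r"\Dnscache\Parameters": {"ServiceDll": r"%SystemRoot%\system32\dnsrslvr.dll"},
    SERVICES_KEY + r"\LanmanWorkstation": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService -p"},
    SERVICES_KEY + r"\LanmanWorkstation\Parameters": {"ServiceDll": r"%SystemRoot%\system32\wkssvc.dll"},
    SERVICES_KEY + r"\ExampleSvc": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService"},
    SERVICES_KEY + r"\ExampleSvc\Parameters": {"ServiceDll": r"C:\Users\Public\example.dll"},
}

GROUP_RE = re.compile(r"-k\s+(\S+)", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"   # assumption: %SystemRoot% is C:\Windows


def normalize(path):
    """Lower-case a path and expand %SystemRoot% so paths can be compared."""
    return path.lower().replace("%systemroot%", "c:\\windows")


def executable(image_path):
    """First token of ImagePath: the quoted name if quoted, else up to the first space."""
    if image_path.startswith('"'):
        return image_path[1:image_path.find('"', 1)]
    return image_path.split(" ", 1)[0]


def service_names(reg):
    """Service names are the direct subkeys of ...\\Services (Parameters subkeys are skipped)."""
    prefix = SERVICES_KEY + "\\"
    return sorted({k[len(prefix):].split("\\")[0] for k in reg if k.startswith(prefix)})


def resolve_service(reg, name):
    """How the service is hosted: its own exe, or svchost.exe plus a -k group and a ServiceDll."""
    image = reg.get(f"{SERVICES_KEY}\\{name}", {}).get("ImagePath", "")
    group = GROUP_RE.search(image)
    return {
        "name": name,
        "image": image,
        "svchost": normalize(executable(image)).endswith("\\svchost.exe"),
        "group": group.group(1) if group else None,
        "service_dll": reg.get(f"{SERVICES_KEY}\\{name}\\Parameters", {}).get("ServiceDll"),
    }


def check_service(reg, name):
    """Consistency problems for one service; an empty list means the svchost wiring is intact."""
    info = resolve_service(reg, name)
    problems = []
    if not info["svchost"]:
        return problems            # exe-hosted: nothing svchost-specific to check
    if info["group"] is None:
        problems.append("svchost.exe without a -k group")
    else:
        # svchost -k <group> loads exactly the services named in Svchost\<group>
        members = reg.get(SVCHOST_KEY, {}).get(info["group"], [])
        if name.lower() not in {m.lower() for m in members}:
            problems.append(f"not listed in Svchost group {info['group']}")
    dll = info["service_dll"]
    if not dll:
        problems.append("no Parameters\\ServiceDll")
    elif not normalize(dll).startswith(SYSTEM32):
        problems.append(f"ServiceDll outside system32: {dll}")
    return problems


def audit(reg):
    """{service: problems} for every service that has at least one problem."""
    findings = {}
    for name in service_names(reg):
        problems = check_service(reg, name)
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for name in service_names(REGISTRY):
        print(name, resolve_service(REGISTRY, name), check_service(REGISTRY, name))
```

A ServiceDll outside system32 is not proof of anything by itself (third-party software legitimately installs svchost-hosted services), but it is the entry worth reading next to the group list, which is why the check reports both conditions separately.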

ref: https://web.archive.org/web/20150320155229/https://support.microsoft.com/en-us/kb/314056

04 September 2019

Understanding a disk image via mmls, fsstat, fls and losetup

image: disk1.dd


1- mmls lists the partitions in the disk
2- get the offset of the partition of interest
3- fsstat -o xxx lists the file system information at offset xxx
4- fls needs -o xxx to create the body file for that partition.

5- losetup can create /dev/loopX to make accessing the partition easier. But it needs the offset in bytes (mmls shows its information in sectors).
 So: xxx * 512 (bytes per sector) gives the byte offset.



1-
# mmls -t dos disk1.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

 Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000499711   0000497664   Linux (0x83)
03:  00:01   0000499712   0041940991   0041441280   Linux (0x83)
04:  -----   0041940992   0041943039   0000002048   Unallocated

3-
# fsstat -o 2048 disk1.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext3
Volume Name:
Volume ID: 2c71dce497ca7d83694ea172de905590

Last Written at: Tue Oct  5 11:06:10 2010
Last Checked at: Tue Oct  5 10:04:19 2010

Last Mounted at: Tue Oct  5 11:05:31 2010
Unmounted properly
Last mounted on: /boot
[...]

4-  fls -o 2048 -r -m C: disk1.dd > fls-bodyfile.txt

      Then you can create timeline:
      mactime -z UTC -y -d -b fls-bodyfile.txt 1500-01-01..2020-01-01 > mactimeline.csv


5- 
# expr 499712 \* 512
255852544
# losetup -f
/dev/loop0
# losetup -r -o 255852544 /dev/loop0 disk1.dd
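Steps 1 to 5 above, as an added Python example that is not part of the note and not The Sleuth Kit's own code: it parses the mmls output, keeps the allocated partitions, converts the sector offset to bytes exactly as in step 5, and builds the fsstat/fls/losetup commands for each partition. The mmls text is a constructed copy of the output above for disk1.dd; --sizelimit is a real losetup option that keeps the loop device from running past the end of the partition.

```python
import re

# Constructed copy of the mmls output shown above for disk1.dd.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000499711   0000497664   Linux (0x83)
03:  00:01   0000499712   0041940991   0041441280   Linux (0x83)
04:  -----   0041940992   0041943039   0000002048   Unallocated
"""

UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")
# index:  slot  start  end  length  description
ROW_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")


def parse_mmls(text):
    """Return (sector_size, [partition dicts]) from mmls output; sector size comes from the header."""
    sector_size = 512
    parts = []
    for line in text.splitlines():
        m = UNITS_RE.search(line)
        if m:
            sector_size = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            parts.append({
                "index": int(m.group(1)), "slot": m.group(2),
                "start": int(m.group(3)), "end": int(m.group(4)),
                "length": int(m.group(5)), "desc": m.group(6),
            })
    return sector_size, parts


def filesystem_partitions(parts):
    """Drop the partition-table metadata row and the unallocated gaps ('-----' slot)."""
    return [p for p in parts if p["slot"] != "Meta" and p["slot"].strip("-") != ""]


def byte_offset(part, sector_size):
    """Step 5: mmls reports sectors, losetup wants bytes."""
    return part["start"] * sector_size


def byte_length(part, sector_size):
    return part["length"] * sector_size


def partition_commands(image, part, sector_size, loopdev="/dev/loop0"):
    """Sleuth Kit tools take the sector offset (-o); losetup takes bytes, read-only (-r)."""
    off = part["start"]
    return [
        f"fsstat -o {off} {image}",
        f"fls -o {off} -r -m C: {image} > fls-bodyfile.txt",
        f"losetup -r -o {byte_offset(part, sector_size)} "
        f"--sizelimit {byte_length(part, sector_size)} {loopdev} {image}",
    ]


if __name__ == "__main__":
    sector_size, parts = parse_mmls(SAMPLE_MMLS)
    for p in filesystem_partitions(parts):
        print(f"# partition {p['index']:02d}: {p['desc']} at sector {p['start']} "
              f"(byte offset {byte_offset(p, sector_size)})")
        print("\n".join(partition_commands("disk1.dd", p, sector_size)))
```

Feed it real output with parse_mmls(subprocess.check_output(["mmls", "-t", "dos", image], text=True)); GPT images print a different header but the same row layout, so the row regex still applies.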




Problem mounting a Windows shared folder

Check the list of Windows shared folders from Linux:

smbclient -L  -U  -d 256


Ubuntu 16 uses SMB protocol version 1 by default.

Windows, however, does not support SMB1, only SMB 2.1 and 3.

So add -m to specify the protocol:

smbclient -L  -U  -d 256 -m smb2

To mount, add vers=3.0 to the -o options:

sudo mount -o vers=3.0,username=,uid=,gid=,forceuid,forcegid //IP_Address/share_name /mnt/path/




Domain (Active Directory) user:
smbclient -L  -U _user_  -W _domain_name_ -d 256 -m smb2
sudo mount -o vers=3.0,username=_user_,domain=_domain_ //IP_Address/share_name /mnt/path/


Interactively:
smbclient //10.108.242.242/FSC -U _user_ -W _domain_



03 March 2019

Disk image forensics

1) ftk imager ->  multiple raw files (split image)

2) affuse     ->   /mnt/fuse/multipleRawFile.001.raw   (presents the split segments as one file)

3) mmls  (to find the partition offset)

4) losetup -> /dev/loop0   (using the partition offset, in bytes)

5) file -s /dev/loop0    (check the partition format)


For Timeline----
1) fls -r -m C:  /dev/loop0 > fls-bodyfile.txt

      Then you can create timeline:
      mactime -z UTC -y -d -b fls-bodyfile.txt 1500-01-01..2020-01-01 > mactimeline.csv


For mounting:
1) mount





ref:
1) https://forensicsferret.wordpress.com/2010/06/28/mounting-split-raw-and-encase-segmented-files-with-affuse/
2) https://digital-forensics.sans.org/blog/2010/09/15/dealing-split-raw-type-images

01 March 2019

Commands for exploitation

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5010
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q



First create the working folder: !mona config -set workingfolder c:\logs\%p
Generate the byte array: !mona bytearray

!mona compare -f C:\ -a



!mona find -type instr -s "jmp esp" -b 0x6250800



msfvenom -a x86 --platform windows -p windows/messagebox TEXT="say hi" -f python -b "\x00" -v buf


Before getting into kernel exploitation

You need to know these first:

CFG
Memprotect
ASLR
KASLR
DEP
SEHOP

09 January 2019

Shrink a vmdk

For a Linux guest:
  - run that VM
  - sudo vmware-toolbox-cmd disk list      # lists the virtual disks
  - sudo vmware-toolbox-cmd disk shrink /  # shrinks the vmdk backing /



For help:
  - vmware-toolbox-cmd help disk