How to determine the log-in count and last log-on date of user accounts in Windows XP while using the Autopsy tool? - windows-xp

I'm doing an activity in my digital forensics class. I was able to find the last user who logged in on the computer (found it at WINDOWS/SYSTEM32/CONFIG/SOFTWARE/MICROSOFT/WINDOWS NT/CURRENT VERSION/WINLOGON/DEFAULT USER NAME). There are 5 user accounts on the computer and I need to find the log-in count per user and the last log-in date per user; in what folder should I find it? I'm using the Autopsy software.

This explanation should help, but this will be a generic answer, as the problem is not reproducible.
Normally the "C:\Windows\System32\winevt\Logs" folder contains the event logs on Windows systems, which trace login events. You should look for the Security.evtx file (there will be plenty of logs in there, and you are looking for event ID 4624 entries). If your Autopsy version parses this, you should try to find interactive logins (roughly normal keyboard logons, i.e. logon type 2; see the explanation. This is an assumption).
You can either count them there or, if it's an old Autopsy version which doesn't support parsing, export the Security.evtx file instead, open it in Event Viewer on your forensic analysis host locally, and filter it (open Security.evtx with Event Viewer, Actions / Filter Current Log / Includes Event IDs: 4624, Keywords: Audit Success, User: Xyz, and change the user to the next one once examined).
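The per-user count and last-logon the answer derives by filtering in Event Viewer, written out as a script. This is an added example, not part of the original answer and not Autopsy code. It assumes the exported Security.evtx was dumped to XML on the analysis host with "wevtutil qe Security.evtx /lf:true /f:xml" and that the bare Event elements wevtutil prints were wrapped in a single Events root; the events below are constructed for the demonstration. It follows the answer's filter (event 4624, logon type 2); Windows XP's own Security log is the older Security.evt format, where a successful logon is event 528, so on a genuine XP image the log has to be read or converted accordingly.

```python
"""Count interactive logons (4624, LogonType 2) per account and find each account's
most recent one, from a Security log exported to XML with wevtutil.
Added example; not part of the original answer or of Autopsy."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
INTERACTIVE = "2"  # logon type 2 = console/keyboard logon (the answer's assumption)


def summarize_logons(xml_text: str, logon_type: str = INTERACTIVE) -> dict:
    """Return {"DOMAIN\\user": {"count": n, "last": datetime}} for successful logons
    (event 4624) of the requested logon type.  Other event IDs and logon types
    (network, service, ...) are skipped, so the count matches a per-user
    'Event ID 4624 + Audit Success' filter narrowed to one logon type."""
    root = ET.fromstring(xml_text)
    stats = defaultdict(lambda: {"count": 0, "last": None})
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("LogonType") != logon_type:
            continue
        user = f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}"
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        ts = datetime.strptime(when[:19], "%Y-%m-%dT%H:%M:%S")  # drop sub-second part and 'Z'
        entry = stats[user]
        entry["count"] += 1
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
    return dict(stats)


def _event(event_id, when, user, domain, logon_type):
    # Constructed Event in the shape wevtutil emits (only the fields this script reads).
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">{domain}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')


# Constructed sample log: two console logons for alice, one for bob, plus noise.
SAMPLE_XML = "<Events>" + "".join([
    _event(4624, "2017-03-20T08:15:02.123456700Z", "alice", "LAB-XP", 2),
    _event(4624, "2017-03-20T08:16:40.000000000Z", "alice", "LAB-XP", 3),  # network logon, skipped
    _event(4624, "2017-03-21T09:01:05.000000000Z", "bob", "LAB-XP", 2),
    _event(4634, "2017-03-21T17:30:00.000000000Z", "bob", "LAB-XP", 2),    # logoff, skipped
    _event(4624, "2017-03-22T10:02:11.000000000Z", "alice", "LAB-XP", 2),
    _event(4624, "2017-03-22T10:02:12.000000000Z", "SYSTEM", "NT AUTHORITY", 5),  # service logon
]) + "</Events>"


if __name__ == "__main__":
    for user, s in sorted(summarize_logons(SAMPLE_XML).items()):
        print(f"{user:20} logons={s['count']:3}  last={s['last'].isoformat()}")
```

Run it against the real export by replacing SAMPLE_XML with the file contents; to get the same numbers Event Viewer shows for "User: Xyz", pass logon_type=None-style variants only after deciding which logon types the exercise counts, since 4624 alone also includes network and service logons.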


Lucee: How to programmatically check if emails are stuck in the list of failed tasks

About once a month, my Lucee app stops sending emails, and I get thousands of emails listed in the Administrator's Failed Task list. I can select them, click execute, and they are sent out but I want to do this programmatically so I can monitor for failed emails and then send them programmatically. Is there any way to do this?
In Adobe ColdFusion, I used to just check for files in the bad email folder and move them to the good email folder.
Too long for a comment... See this related question over on Lucee.org - Undeliverable Mail
Unfortunately Lucee does not offer the same functionality as Adobe ColdFusion for re-spooling failed emails. It only offers the function within the admin UI.
In the post I referenced above, ddspringle mentions that you can just simulate what the admin UI is doing in your own code. One of the benefits of open source software is that you can see the code. So he includes a link to the admin code that re-spools the email. The link is here - services.tasks.cfm lines 68-73
I will copy that code block here as well:
    <cfadmin
        action="executeSpoolerTask"
        type="#request.adminType#"
        password="#session["password"&request.adminType]#"
        id="#data.ids[idx]#">
And here is a link to the documentation for the cfadmin tag - cfadmin on cfdocs.org
CFADMIN ATTRIBUTE REFERENCE
    action    string  Required  The administrative action to perform.
    type      string  Required  The admin context: web or server.
    password  string  Required  The admin password.
Hope that helps.

Downloading and Moving OneDrive files from shared link directory

I am looking for assistance to find out how I can download and move a OneDrive file that is accessed through a shared directory, via the shared link method of sharing.
I have two users:
user 'A' who is a Microsoft Consumer and has a regular OneDrive account and will host a csv file 'test.csv' in a folder 'toshare'
and user 'B' who is also a regular Microsoft Consumer who should use the graph API to download test.csv and then move the file to a subdirectory /toshare/archive
Aside: I am currently using the chrome app "advanced REST client" to manually make the REST calls, and am getting Authenticated OAuth BEARER tokens by inspecting network traffic from Microsoft's online "Graph Explorer" tool. After we understand the calls, we'll integrate it into our Java app.
I have successfully followed the instructions here:
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/shares_get
to view the folder contents.
To be more explicit, user 'A' went into OneDrive, right-clicked the folder 'toshare' and selected shareLink. I have converted the shareLink to a share token and then used the following API call with the Graph API as user 'B':
GET https://graph.microsoft.com/v1.0/shares/<share-token>/root?$expand=children
this shows me all the files in the directory, which includes 'test.csv'
Now, using this information, how can I download test.csv? Assuming user 'B' doesn't know the name of the file, but can identify it by being a .csv file (we can do this in code). There does not appear to be much documentation on how to download the files through a share.
The closest I've gotten was to take the "webUrl" attribute of the children object for my file, and then turn that into a share token and call
GET https://graph.microsoft.com/v1.0/shares/<child-share-token>/root
This will show me the file metadata, and then I try to download it by roughly following the API documentation for downloading: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/item_downloadcontent
GET https://graph.microsoft.com/v1.0/shares/<child-share-token>/root/content
This is interesting because this works if I make the call with user 'A' but does not work for user 'B' who instead gets a 403 in advanced REST client. (If I run it in Graph Explorer, I get "The site in the encoded share URI is invalid." instead, which I've discovered with other experimentation, really means there's an authorization issue.)
GET https://graph.microsoft.com/v1.0/shares/<share-token>/root:/test.csv:/content
Also does not work, it returns: "400 Bad Request" with message: "Resource not found for the segment 'root:'." It seems like the path style file navigation does not work for shared directories?
At this point I'm rather stuck. After downloading the file, I also would like to move it into a subdirectory, denoting that it has already been read in. I'd also like to get this working for OneDrive for Business, but that seems to be another set of challenges that I'll leave for another day.
Any insight would be great thanks,
Jeremy
It's best to consider the shares/{id} segments to be similar to drives/{id}, at which point all of the previous documentation around children access is applicable. Given your scenario I'd use the path syntax:
https://graph.microsoft.com/v1.0/shares/<share-token>/root/children/test.csv
This obviously necessitates knowing the file name, but it sounds like you already have an algorithm to do that.
Theoretically your approach for creating a child-share-token would work, but it would now require that User B both provide authentication and have explicit permissions. Since your share-token was a sharing link, User B is most likely getting permission by virtue of the fact that they have the URL, in which case generating a new one is probably removing the special token that allows this to work. That's why it's best to always use the original share-token where possible.
Similar rules will apply to move the file. First off, we'll assume that the sharing link provides the ability to "Edit" otherwise none of this will work :). Second, we'll assume that the archive folder already exists (if it doesn't you'd need to create it using a POST to https://graph.microsoft.com/v1.0/shares/<share-token>/root/children that looks like what we've documented here).
To move the file you'd want to PATCH to https://graph.microsoft.com/v1.0/shares/<share-token>/root/children/test.csv and provide a new parentReference as documented here. It's always best to use id values if you have them, but you should also be able to provide the path to the parent in the form of /shares/<share-token>/root/children/archive.
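The flow the answer lays out (encode the sharing link, keep using that one share token, pick the csv from the children listing, download it, then PATCH its parentReference to the archive folder), as an added example that is not part of the original post and not Microsoft code. The HTTP transport is injected so the example runs offline against a constructed stand-in for Graph; the sharing link, item ids and bearer token are made up, and the 403 branch mirrors the failure the question hit when a re-encoded child link was used instead of the original token.

```python
"""Download a csv from a OneDrive sharing link and move it to a subfolder via
/shares/{token}/root/..., reusing the original share token for every call.
Added example; the Graph responses below are constructed, not recorded."""
import base64
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Transport: (method, url, headers, json_body) -> (status, payload).  Injected so the
# flow can run offline here; in the Java app this would be the real HTTP client.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, object]]


def encode_sharing_url(url: str) -> str:
    """Sharing link -> Graph shares token: 'u!' + base64url(url) with '=' padding stripped."""
    raw = base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii")
    return "u!" + raw.rstrip("=")


def decode_share_token(token: str) -> str:
    """Inverse of encode_sharing_url (restores the padding base64url needs)."""
    body = token[len("u!"):]
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode("utf-8")


class SharedFolder:
    """Addresses items under /shares/{token}/root.  Every call reuses the original
    share token: a token built from a child's webUrl loses the sharing-link grant."""

    def __init__(self, share_token: str, bearer_token: str, send: Transport):
        self.base = f"{GRAPH}/shares/{share_token}/root"
        self.headers = {"Authorization": f"Bearer {bearer_token}"}
        self.send = send

    def _call(self, method: str, url: str, body: Optional[dict] = None):
        status, payload = self.send(method, url, self.headers, body)
        if status == 403:
            raise PermissionError(
                f"{method} {url} -> 403: caller is not authorized on this item; "
                "use the original sharing-link token, not one re-encoded from webUrl")
        if status >= 400:
            raise RuntimeError(f"{method} {url} -> {status}: {payload}")
        return payload

    def children(self) -> List[dict]:
        return self._call("GET", f"{self.base}/children")["value"]

    def find_first(self, suffix: str) -> dict:
        """Pick a file by extension when its name is not known in advance."""
        for item in self.children():
            if "file" in item and item["name"].lower().endswith(suffix):
                return item
        raise FileNotFoundError(f"no *{suffix} file in the shared folder")

    def download(self, name: str) -> bytes:
        return self._call("GET", f"{self.base}/children/{name}/content")

    def move(self, name: str, target_folder_id: str) -> dict:
        # PATCH the item with a new parentReference; an id is preferred over a path.
        return self._call("PATCH", f"{self.base}/children/{name}",
                          {"parentReference": {"id": target_folder_id}})


def fake_graph(calls: list) -> Transport:
    """Constructed stand-in for Graph: one csv and one 'archive' folder, Edit rights."""
    listing = {"value": [
        {"id": "A1B2", "name": "test.csv", "file": {"mimeType": "text/csv"}},
        {"id": "F9C8", "name": "archive", "folder": {"childCount": 0}},
    ]}

    def send(method, url, headers, body):
        calls.append((method, url, body))
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"error": {"code": "InvalidAuthenticationToken"}}
        if method == "GET" and url.endswith("/root/children"):
            return 200, listing
        if method == "GET" and url.endswith("/root/children/test.csv/content"):
            return 200, b"id,value\n1,42\n"
        if method == "PATCH" and url.endswith("/root/children/test.csv"):
            return 200, {"id": "A1B2", "name": "test.csv",
                         "parentReference": body["parentReference"]}
        return 403, {"error": {"code": "accessDenied"}}  # anything else: not shared

    return send


def archive_csv(folder: SharedFolder) -> Tuple[bytes, dict]:
    """User B's job: download the csv, then move it into the archive subfolder."""
    csv_item = folder.find_first(".csv")
    data = folder.download(csv_item["name"])
    archive = next(i for i in folder.children()
                   if "folder" in i and i["name"] == "archive")
    return data, folder.move(csv_item["name"], archive["id"])


if __name__ == "__main__":
    calls = []
    token = encode_sharing_url("https://1drv.ms/f/s!constructed-example-link")  # not a real link
    data, moved = archive_csv(SharedFolder(token, "<bearer-from-oauth>", fake_graph(calls)))
    print(data.decode(), moved["parentReference"], len(calls), "requests")
```

Swapping fake_graph for a real client is the only change needed; keep the bearer token out of source and logs, since with a sharing link the token plus the link is all that protects the folder.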

How do I stop the Ajax request service from anonymous users in Tikiwiki?

I found an Ajax service running when I called my event tracker calendar.
[myserver]/tiki-tracker_calendar-list?trackerId=30&beginField=startDate&endField=endDate&resourceField=title&coloringField=null&filters=%0D%0A%7Bfilter%20field%3D%22tracker_field_eventCategory%22%20content%3D%22%22%7D%0D%0A&start=1488085200&end=1491710400&_=1490626987241
If an attacker leverages this and enters:
tiki-tracker_calendar-list?trackerId=30&beginField=startDate&endField=endDate&start=0&end=9999999999
The system will return all the events in tracker 30.
I tried to enter the following in the file /var/www/html/tikisvn15/tiki-ajax_services.php at line 35:

    // bounce callers with no logged-in user ($user is unset for anonymous sessions)
    if (! isset($user)) {
        header('Location: index.php');
        die;
    }
It works. Is there any other way? Would my modification stop the Ajax service from other components?
You can set which groups can see what using the Tiki permissions system. See the documentation here
Note that once you have set your tracker not to be visible for anonymous (not logged in) users you will need to rebuild your search index (on Control Panels -> Search) because TrackerCalendar uses the search index extensively.
I would advise against putting arbitrary user checks like this in the Tiki code, as things will stop working and it will be very hard to work out why, I think.

In IBM Connections can you retrieve another user's activity feed?

In IBM Connections 4.0 is there any way to get another user's activity stream? I can get my stream with #me, but if I try my Connections ID or another user's ID I get the following error:
This works:
/opensocial/basic/rest/activitystreams/#me/#following/#all?rollup=true
This returns an error - my id:
/opensocial/basic/rest/activitystreams/7AF0B251-9F97-CA6D-8525-61370072A674/#following/#all?rollup=true
Error 400: The user ID(s) [7AF0B251-9F97-CA6D-8525-61370072A674] is/are not recognized by the system.
And I know this is my ID....
<userid>7AF0B251-9F97-CA6D-8525-61370072A674</userid>
Any suggestions...the manual says the following which doesn't sound good but doesn't totally close the door either:
As per the OpenSocial standard, a given user's Activity Stream is retrievable by:
1. Specifying that user (#me in the URLs below; IBM Connections does not generally allow retrieval of other users' streams).
Any help would be appreciated....
This should do it: https://connections.ibm.com/common/opensocial/basic/rest/activitystreams/urn:lsid:lconn.ibm.com:profiles.person:91ae7240-8f0a-1028-8400-db07163b51b2/#involved/#all?rollup=true&shortStrings=true&format=atom (plug in the right user id)

OWASP's ZAP and the Fuzz ability

My scenario:
I navigate to a login page.
I put in a known username with a bad password.
ZAP picks this up no issue.
I select the POST to the login page.
I find the lines that contain the Username and password. The password:
ctl00%24ContentPlaceHolder1%24cpLoginAspx%24ctl00%24LoginControl1%24LTLogin%24Password=12345&
I highlight the 12345 and right click to select Fuzz.
I had put in a custom list with the correct password for the test account and I select that.
When I do, it works its way through the list as I expected. Changing the 12345 to the various options in the list.
But when it gets to the word I KNOW is the correct password, it does nothing different to alert me that it was correct. The password in this case was Password5. I expected that it would reflect or something showing it was directed to a new page. But that happens for 'password', which is not correct for the test user.
I see this in the Fuzzer tab:
OK, I think the first point you're raising is that ZAP doesn't pick up that you've tried an invalid password. That is not a security risk - you supplied a bad password, the app didn't let you in. Everything's working as it should.
ZAP will only alert you of vulnerabilities via the active or passive scanners.
The fuzzer is for manual testing. If we work out a way to automate the detection of a vulnerability then we put that in the active or passive scanners :)
So you have to interpret the fuzzer results rather than expect ZAP to do that for you.
In any case, successfully logging in is not a vulnerability (in ZAP's terms).
What the fuzzer will tell you is if the string you supplied was included in the response (which is useful when looking for XSSs), the response code, the time taken and the response length.
When logging in I'd expect that the response length would be significantly different, so one option would be to look for a response with a length significantly different to the others.
However the easiest option is probably to search the fuzz results.
To do this go to the Search tab, select 'Fuzz Results' in the pull-down and either search for a string that you know will be shown when you successfully log in, or do an inverse search for a string that you know will be shown when you fail to log in.
Does that help?
Note that we do have a load of info on the ZAP wiki, including videos, FAQs and much more: http://code.google.com/p/zaproxy/wiki/Introduction
BTW we do have a ZAP user group which is intended for exactly this sort of question: http://groups.google.com/group/zaproxy-users
You can also access it via the ZAP 'Online / ZAP User Group' menu item.
I try to keep an eye on forums, but there are so many that some questions are bound to slip through.
If anyone can suggest how I can convince people to use the ZAP user group (which all the ZAP developers subscribe to) instead of general purpose forums like this (which is very useful for other questions) then I'd be very grateful :)
Simon (ZAP Project Lead)
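The two heuristics the answer gives (a response length well away from the rest, and the presence or absence of a known marker string), plus the redirect the question was expecting, written out as a small triage over fuzzer rows. This is an added example, not ZAP's own code; the rows are constructed to mirror the Fuzzer tab's columns, and the marker text "Login failed" and the redirect target are assumed values for the application under test, not taken from the page.

```python
"""Triage fuzzer rows: flag a payload whose response length is far from the others,
whose response is a redirect, or whose body contains / lacks a marker string.
Added example, not ZAP code.  SAMPLE_ROWS are constructed."""
from statistics import median
from typing import Dict, List, Optional, Set

Row = Dict[str, object]  # keys: payload, status, length, body


def length_outliers(rows: List[Row], factor: float = 3.0) -> List[Row]:
    """Rows whose length is more than factor * MAD away from the median length.
    Median/MAD rather than mean/stdev, so one successful login cannot hide itself
    by dragging the average towards its own length."""
    lengths = [int(r["length"]) for r in rows]
    med = median(lengths)
    mad = median(abs(n - med) for n in lengths)
    scale = mad if mad > 0 else max(1.0, 0.01 * med)  # identical baseline: allow 1% jitter
    return [r for r in rows if abs(int(r["length"]) - med) > factor * scale]


def marker_hits(rows: List[Row], success_marker: Optional[str] = None,
                failure_marker: Optional[str] = None) -> List[Row]:
    """Rows showing the success text, or NOT showing the failure text (the inverse search)."""
    out = []
    for r in rows:
        body = str(r["body"])
        if success_marker is not None and success_marker in body:
            out.append(r)
        elif failure_marker is not None and failure_marker not in body:
            out.append(r)
    return out


def triage(rows: List[Row], success_marker: Optional[str] = None,
           failure_marker: Optional[str] = None) -> Dict[str, Set[str]]:
    """Map payload -> the reasons it stood out; an empty dict means nothing did."""
    reasons: Dict[str, Set[str]] = {}
    for r in length_outliers(rows):
        reasons.setdefault(str(r["payload"]), set()).add("length")
    for r in rows:
        if 300 <= int(r["status"]) < 400:  # a successful login is usually a redirect
            reasons.setdefault(str(r["payload"]), set()).add("redirect")
    for r in marker_hits(rows, success_marker, failure_marker):
        reasons.setdefault(str(r["payload"]), set()).add("marker")
    return reasons


# Constructed rows in the shape of the Fuzzer tab; the failure page text is assumed.
FAIL_PAGE = '<html>...<span id="LTLogin_FailureText">Login failed</span>...</html>'
SAMPLE_ROWS: List[Row] = [
    {"payload": "password",  "status": 200, "length": 1187, "body": FAIL_PAGE},
    {"payload": "letmein",   "status": 200, "length": 1190, "body": FAIL_PAGE},
    {"payload": "12345678",  "status": 200, "length": 1190, "body": FAIL_PAGE},
    {"payload": "Password1", "status": 200, "length": 1188, "body": FAIL_PAGE},
    {"payload": "Password5", "status": 302, "length": 412,
     "body": '<html><head><title>Object moved</title></head>'
             '<body><a href="/Default.aspx">here</a></body></html>'},
    {"payload": "qwerty",    "status": 200, "length": 1189, "body": FAIL_PAGE},
    {"payload": "admin",     "status": 200, "length": 1187, "body": FAIL_PAGE},
]


if __name__ == "__main__":
    for payload, why in sorted(triage(SAMPLE_ROWS, failure_marker="Login failed").items()):
        print(f"{payload:12} {', '.join(sorted(why))}")
```

Only a payload that stands out on more than one signal is worth a manual look; a lone length outlier can just be an error page, and a redirect can be the lockout page rather than a login.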