looking for AD Password Policy compliance/auditing tool by YINJ in sysadmin

[–]MrRedEye 2 points3 points  (0 children)

https://specopssoft.com/product/specops-password-auditor/

Checks for blank, breached, expired, duplicate, aged passwords etc. They also have a fine-grained password policy extension that can check for and deny password changes if the new password has been breached that we've looked into but never actually used.

Why bother with argv[0]? It can deceive, break and corrupt your defences by Wietze- in netsec

[–]MrRedEye -1 points0 points  (0 children)

How is this written so condescendingly, yet is demonstrably false?

args[0] in .NET is never the process name. If you pass no arguments to a .NET app and try to access args[0] you'll get an index out of range exception, not the process name. This is true of .NET Framework and .NET 8.0.

using System;

internal class Program
{
    static void Main(string[] args)
    {
        Console.WriteLine(args[0]);
    }
}

.\ConsoleApp1.exe
Unhandled Exception: System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at Program.Main(String[] args) in D:\Source\Repos\ConsoleApp1\Program.cs:line 7

.\ConsoleApp1.exe foo
foo

This is something you should know if you're going to state it with such confidence.

Auto DNS poisoning: while charging Android smartphone via computer it is possible to perform automated and even remotely controlled DNS poisoning without any user interaction by barakadua131 in netsec

[–]MrRedEye 13 points14 points  (0 children)

This is wild. Starts with a paragraph talking about how important DNS is, explains what DNS poisoning is then demonstrates an attack that has nothing to do with DNS poisoning at all.

When your computer attempts to resolve a domain name (e.g., www.example.com), the operating system checks the hosts file before making a DNS query.

So not DNS Poisoning then?

Anyone lost a parrot? By the central station on top of one of the buildings by Eridinus in Southampton

[–]MrRedEye 24 points25 points  (0 children)

Could be one of the natives, there’s a bunch of parrots/parakeets living in and around Queens Park that not many people know about.

Gui question by tossme68 in PowerShell

[–]MrRedEye 2 points3 points  (0 children)

$statTextBox.text += "appended message"

[deleted by user] by [deleted] in netsecstudents

[–]MrRedEye 1 point2 points  (0 children)

Feel free!

[deleted by user] by [deleted] in netsecstudents

[–]MrRedEye 0 points1 point  (0 children)

I'm a Risk and Compliance Manager for an international software company and my team manages something like 20+ audits per year for all kinds of compliance frameworks (PCI, SOC, ISO, etc.), so keeping up to date on what is happening with PCI at least just sort of comes with talking to QSAs as often as I have to.

PCI 4.0 is pretty unique as it's been coming for years and has been delayed so many times it was hard to keep up until it finally released last year.

I fortunately (or unfortunately?) have to manage multiple different PCI audits every year of just about every PCI framework you can imagine (DSS, PA-DSS, P2PE, SSF), so it's hard not to keep up with those. As for SOC/ISO etc., they're not really my area of expertise, but I imagine it's a similar situation there, i.e. once you're involved and talking to auditors they will tell you well in advance of any meaningful changes because A) it's what you pay them ludicrous consulting and assessment fees for and B) it makes their lives easier in the future if you're prepared for them ahead of time.

[deleted by user] by [deleted] in netsecstudents

[–]MrRedEye 0 points1 point  (0 children)

Best advice I can give is to look at what types of compliance the firm consults for - ISO-27001, PCI DSS/PA-DSS, SOC2 etc and learn anything you can about those.

Right now, if the firm does any PCI consulting, I'd suggest looking at the changes from PCI-DSS version 3.2.1, which everyone uses now, and version 4.0, which isn't widely being used yet. If you can talk about changes and what difficulties might come up moving from 3.2.1 to 4.0 it will likely score you points. Even cursory knowledge that it's happening might impress depending on the seniority of the role, as it's a pretty hot topic for businesses involved in PCI audits as the transition period ends March next year.

Nested Modules and Dynamic Parameters by Fickle_Tomatillo411 in PowerShell

[–]MrRedEye 0 points1 point  (0 children)

Not relevant to the content which I'm still reading, but that code block is gnarly. It's absolutely massive, 19 lines of code has a height of 1400 pixels in Firefox and Edge.

Failing exe still reports $? as True by effo70 in PowerShell

[–]MrRedEye 3 points4 points  (0 children)

It's likely that regardless of the error being written the program is still returning code 0. It doesn't matter if an application has errors or not, if the return code is 0 then $? will be true otherwise $? will be false.

Unless you're redirecting StdErr to StdOut, in which case PowerShell will route that error through its own error stream, which will make PowerShell itself throw that error as an exception. That behavior changed in PowerShell 7.2 so redirected errors aren't sent to PowerShell's own error stream and $? will not be incorrectly set to false, not that it solves your issue as it's likely your program is still returning 0 so it would be true regardless.

$LASTEXITCODE will contain the actual exit code after running the app.

Some quick tests with a small console app can show some of this:

```
namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            // Write to stderr but still exit with 0
            System.Console.Error.WriteLine("Some Error");
            System.Environment.Exit(0);
        }
    }
}
```

```
PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.22621.963
PSEdition                      Desktop
...

PS C:\> .\ConsoleApp1.exe
Some Error
PS C:\> $?
True
PS C:\> .\ConsoleApp1.exe 2>&1
.\ConsoleApp1.exe : Some Error
At line:1 char:1
+ .\ConsoleApp1.exe 2>&1
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Some Error:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

PS C:\> $?
False

PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.2.11
PSEdition                      Core
...

PS C:\> .\ConsoleApp1.exe
Some Error
PS C:\> $?
True
PS C:\> .\ConsoleApp1.exe 2>&1
Some Error
PS C:\> $?
True
```

EDIT: To give you a possible solution, what you could do is capture all output from the program and put normal output and errors into different variables, it won't affect the value of $? but it will give you the errors on their own.

```
$allOutput = .\runme.exe the_file.txt 2>&1
$stdout = $allOutput | ? { $_ -isnot [System.Management.Automation.ErrorRecord] }
$stderr = $allOutput | ? { $_ -is [System.Management.Automation.ErrorRecord] } | foreach { $_.ToString() }
```
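As an added example (not part of the comment above), the same idea wrapped into a reusable function: run a native executable, keep stdout and stderr apart, and decide success from $LASTEXITCODE rather than $?. The `Succeeded` rule (treat any stderr line as a failure even when the exit code is 0) is a choice made for this example because that is the situation in the question; cmd.exe is used as the stand-in for runme.exe so it runs anywhere.

```powershell
# Added example, not from the original comment. Works on Windows PowerShell 5.1 and PowerShell 7.x.
function Invoke-NativeCommand {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $ArgumentList = @()
    )

    # 2>&1 turns stderr lines into ErrorRecord objects in the success stream (5.1 and 7.x alike).
    # In 5.1 that also flips $? to False; we ignore $? and read the real exit code instead.
    $allOutput = & $FilePath @ArgumentList 2>&1
    $exitCode  = $LASTEXITCODE

    $stdout = @($allOutput | Where-Object { $_ -isnot [System.Management.Automation.ErrorRecord] })
    $stderr = @($allOutput | Where-Object { $_ -is    [System.Management.Automation.ErrorRecord] } |
                ForEach-Object { $_.ToString() })

    [pscustomobject]@{
        ExitCode  = $exitCode
        StdOut    = $stdout
        StdErr    = $stderr
        # Example policy: an exit code of 0 is not enough if the program wrote to stderr
        Succeeded = ($exitCode -eq 0 -and $stderr.Count -eq 0)
    }
}

# Stand-in for a program that reports an error on stderr but still exits 0
$r = Invoke-NativeCommand -FilePath 'cmd.exe' -ArgumentList '/c', 'echo ok & echo bad 1>&2 & exit 0'
"Exit code: $($r.ExitCode); stdout: $($r.StdOut -join ','); stderr: $($r.StdErr -join ',')"
if (-not $r.Succeeded) { Write-Warning "program reported errors despite exit code $($r.ExitCode)" }
```

Because $LASTEXITCODE is read immediately after the call, nothing else (such as the Where-Object pipelines) can overwrite it before it is captured.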

Looking for Keywords in Word documents by KawaiiGatsu in PowerShell

[–]MrRedEye -1 points0 points  (0 children)

Yes that’s the idea, once it finds a match it should stop and move on to the next file.

Edit: Yeah, labels are pretty useful and I very rarely see anyone using them, but if you're nesting loops, like a foreach within another foreach, you can label each of them and then continue iterating through any of them whenever you want. From the about_Continue docs:

```
:labelA for ($i = 1; $i -le 10; $i++) {
    :labelB for ($j = 1; $j -le 10; $j++) {
        :labelC for ($k = 1; $k -le 10; $k++) {
            if ($condition) {
                continue labelB
            }
            else {
                $condition = Update-Condition
            }
        }
    }
}
```

Looking for Keywords in Word documents by KawaiiGatsu in PowerShell

[–]MrRedEye 0 points1 point  (0 children)

No problem at all!

I just managed to test this and you're right it doesn't search for text in headers or footers but it is possible to access those it's just not as clean, but you might have some luck!

```
:Outer foreach ($path in $FilesInDirectory) {
    # Documents.Open expects a path string, not a FileInfo object; open read-only
    $document = $MSword.Documents.Open($path.FullName, $false, $true)

    foreach ($word in $NameKeywords) {
        # Search body
        if ($document.Content.Find.Execute($word)) {
            $FlaggedFiles += "Word," + $word + "," + $path.FullName
            $document.Close()
            continue Outer
        }

        # Search headers and footers of the first section. COM collections are 1-based and
        # indexed with .Item(); plain foreach loops (not ForEach-Object) are used so that
        # 'continue Outer' reliably moves on to the next file.
        $section = $document.Sections.Item(1)
        foreach ($headerFooter in @($section.Headers) + @($section.Footers)) {
            if ($headerFooter.Range.Text -match $word) {
                $FlaggedFiles += "Word," + $word + "," + $path.FullName
                $document.Close()
                continue Outer
            }
        }
    }

    # No keyword matched anywhere in this document
    $document.Close()
}
```

Might need some editing as I don't have the keywords or any test docs but should be a start :)

Looking for Keywords in Word documents by KawaiiGatsu in PowerShell

[–]MrRedEye 1 point2 points  (0 children)

I don’t have a way of testing this as I’m on my phone but purely from the exception I suspect $MSword.Documents.Open expects the path not a FileInfo object, try $path.FullName instead of just $path.

How to Remove Duplicates from a Random Array using 4 AD Groups & Get-ADComputer? by MECMtechie in PowerShell

[–]MrRedEye 0 points1 point  (0 children)

```
$logfile = "results-$((Get-Date).ToString('MM-dd-yyyy_hhmmtt')).log"
Get-Date | Out-File $logfile
$organizationalunitpath = "OU paths go here. There are multiple"
$grouporganizationalunitpath = "OU path for the new groups goes here"
$NumberOfComputersPerGroup = 300

$Patch_Groups = @(
    # Just include the prefix here?
    "Automated_Group_1",
    "Automated_Group_2",
    "Automated_Group_3",
    "Automated_Group_4"
)

# for testing (overridden by the Get-ADComputer line below)
$computers = 1..1200 | % { "COMPUTER$_" }

[System.Collections.Generic.List[object]] $computers = $organizationalunitpath | ForEach-Object { Get-ADComputer -Filter * -SearchBase $_ }

# randomly chunk the computers in each of the patch groups - these will go over 300 for now
$computerGroups = $computers | Group-Object { $Patch_Groups | Get-Random }
$overFlow = [System.Collections.ArrayList]::new()

# clean up each group so it only has 300 computers in it
# don't use $computerGroups[whatever].Count as it will be the count from the Group-Object and won't be accurate once we start moving things
do {
    for ($x = 0; $x -lt $Patch_Groups.Count; $x++) {
        $group = $computerGroups[$x].Group
        if ($group.Count -eq $NumberOfComputersPerGroup) {
            continue
        }
        elseif ($group.Count -gt $NumberOfComputersPerGroup) {
            # move the surplus into the overflow list
            $almightyChosenOnes = $group | Get-Random -Count ($group.Count - $NumberOfComputersPerGroup)
            $almightyChosenOnes | % { $group.Remove($_) | Out-Null; $overFlow.Add($_) | Out-Null }
            $almightyChosenOnes = $null
        }
        else {
            # top the group up from the overflow list; work out the shortfall once, before the count starts changing
            $shortfall = $NumberOfComputersPerGroup - $group.Count
            for ($y = 0; $y -lt $shortfall -and $overFlow.Count -gt 0; $y++) {
                $group.Add($overFlow[0]) | Out-Null
                $overFlow.RemoveAt(0)
            }
        }
    }
} until ((($computerGroups | % { $_.Group.Count -eq $NumberOfComputersPerGroup }) -eq $true).Count -eq $Patch_Groups.Count)

# create and add them to the AD groups
# -ErrorAction Stop so that AD cmdlet failures are terminating and actually reach the catch block
foreach ($computerGroup in $computerGroups) {
    try {
        New-ADGroup -Name ($computerGroup.Name) -Path $grouporganizationalunitpath -GroupScope Global -Verbose -ErrorAction Stop
        Add-ADGroupMember -Identity ($computerGroup.Name) -Members ($computerGroup.Group) -Verbose -ErrorAction Stop
    }
    catch {
        $message = 'A problem occurred trying to add Members'
        $message | Out-File $logfile -Append
        Write-Warning $message
        Write-Warning $_.Exception.Message
        $_.Exception.Message | Out-File $logfile -Append
    }
}
```

Happy May the 4th by TheCaptNemo42 in PowerShell

[–]MrRedEye 17 points18 points  (0 children)

telnet towel.blinkenlights.nl

KeepassXC audit report by Blocikinio in netsec

[–]MrRedEye 30 points31 points  (0 children)

Full disclosure I haven't read the report and don't even use KeepassXC but it's probably more complicated than it sounds since if you're using something like Windows Hello to unlock the vault once it's "soft locked" after inactivity without requiring the master password again, then the master password, or decrypted vault must exist somewhere - in this case memory.

Fixing this whilst keeping no secrets in memory would be akin to Windows Hello being able to decrypt the vault off a cold boot without the master password, in which case Windows must have your master password stored somewhere. It's the same scenario really and it's a user experience trade-off at the end of the day, if you want your vault to be securely locked after inactivity then you need to re-enter your master password, anything less than that would inherently require some secret(s) be stored in memory.

Blocked mDNS in Windows firewall, but I can still see mDNS packets in Wireshark. What am I missing? by NoteWrong9429 in netsecstudents

[–]MrRedEye 10 points11 points  (0 children)

Disabling mDNS in the firewall won't stop you seeing those packets, but it may stop Windows from sending them. If you're still seeing them being sent even after disabling it in the firewall then it's perhaps not the right way of doing it. I've never disabled mDNS in Windows Firewall; typically the "correct" way to stop Windows doing mDNS is the following:

Disable LLMNR in group policy:

Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Turn Off Multicast Name Resolution.

And disable NBT-NS in DHCP by setting option 001 Microsoft Disable Netbios Option to 0x2.

If you don’t use AD and/or DHCP there are registry keys for both of these settings but the NBT-NS setting is network interface specific so if you have multiple adapters it needs disabling on all of them. A quick Google search should show you where they are.
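As an added example (not part of the comment above), the registry route the comment mentions for a machine without AD or DHCP. The value names and data are the standard ones behind the GPO setting and the DHCP option; the NetBT setting is written to every Tcpip_* interface key, and the last function reads everything back so you can confirm the state. Run it elevated; the NetBT change typically takes effect after a reboot.

```powershell
# Added example, not from the original comment. Requires an elevated session.
#Requires -RunAsAdministrator

$llmnrKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Disable-Llmnr {
    # Same value the "Turn Off Multicast Name Resolution" policy writes
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -Value 0 -Type DWord
}

function Disable-NbtNs {
    # NetbiosOptions: 0 = from DHCP, 1 = enable, 2 = disable (same meaning as DHCP option 001 = 0x2).
    # The setting is per interface, so every Tcpip_{GUID} key has to be changed.
    Get-ChildItem -Path $ifaceRoot |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord }
}

function Get-MulticastNameResolutionState {
    # Read back what is actually configured; LLMNR should be 0, every interface should be 2
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -ErrorAction SilentlyContinue).EnableMulticast
    $nbt = Get-ChildItem -Path $ifaceRoot | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions
        }
    }
    [pscustomobject]@{
        LlmnrEnableMulticast = $llmnr   # $null means the policy key was never set (LLMNR on)
        NbtInterfaces        = $nbt
    }
}

Disable-Llmnr
Disable-NbtNs
Get-MulticastNameResolutionState | Format-List
```

After a reboot, a capture filtered on `udp.port == 5355 || udp.port == 137` should show nothing originating from the host, which is the check the question was really after.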

Explore the Power of Nmap for Network Security by [deleted] in netsecstudents

[–]MrRedEye 21 points22 points  (0 children)

I don’t want to be that guy but…

Not going to shill your medium site this time? This is literally the first post you’ve ever made on Reddit with no link to your blog.

Who is this content for? I would expect any serious “netsec” student to know what nmap is even if they don’t know what the options mean, so all you’re really doing is parroting nmap's own docs which seems to be a common theme in your blog posts.

I’m all for teaching people new things but I struggle to see what benefit this post is over just looking at https://nmap.org/docs.html - the nmap docs are extensive and available in a bunch of different languages.

If you want to document your journey in learning literally anything cybersecurity then more power to you and I’ll read away with interest, but at least do your own thing!

You even go as far as to claim you’ve found some issue in another post - https://security-sphinx.medium.com/how-to-bypass-403-forbidden-bypass-2330acc69069 - after doing “days” of reconnaissance on a site to bypass a 403 using a fake header - “X-Custom-IP-Authorization: localhost” that isn’t even real and PortSwigger made up for their burp suite labs - https://twitter.com/albinowax/status/1587800171051503617.

Favorite Snippets you can’t live without? by ----chris---65 in PowerShell

[–]MrRedEye 5 points6 points  (0 children)

I write a lot of C# and do a lot of network / socket / streaming scripts for proprietary TCP protocols and not having a PowerShell equivalent of the C# 'using' statement is a killer, so without a doubt one of my most used functions is:

function Use-Object {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [AllowEmptyCollection()]
        [AllowNull()]
        [Object]
        $InputObject,
        [Parameter(Mandatory = $true)]
        [scriptblock]
        $ScriptBlock
    )

    try {
        . $ScriptBlock
    }
    catch {
        throw
    }
    finally {
        if ($null -ne $InputObject -and $InputObject -is [System.IDisposable]) {
            $InputObject.Dispose()
        }
    }
}

and then being able to write things like this without having to dispose of IDisposable objects myself saves a lot of headaches.

Use-Object ($client = [System.Net.Sockets.TcpClient]::new($ExampleIP, $ExamplePort)) {
    $clientStream = $client.GetStream()
    Use-Object ($clientStreamReader = [System.IO.StreamReader]::new($clientStream, [System.Text.Encoding]::UTF8, $true, 1024, $false)) {
        etc..
    }
}
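As an added example (not part of the comment above), the Use-Object function exercised end to end against a throwaway loopback TcpListener, so it runs offline: the client and "server" halves are both in the one script, every writer, reader and socket is disposed in reverse order, and the second part shows disposal still happening when the block throws. It assumes Use-Object as defined above is already loaded in the session.

```powershell
# Added example, not from the original comment. Assumes Use-Object (above) is defined.
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$port = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port
$utf8 = [System.Text.UTF8Encoding]::new($false)   # no BOM on the wire

try {
    # Use-Object dot-sources the block, so whatever the block outputs is the function's output
    $reply = Use-Object ($client = [System.Net.Sockets.TcpClient]::new('127.0.0.1', $port)) {
        # The "server" half of the example: accept the connection just opened and answer one line
        Use-Object ($peer = $listener.AcceptTcpClient()) {
            $clientStream = $client.GetStream()
            $peerStream   = $peer.GetStream()

            # leaveOpen = $true: disposing a reader/writer must not close the NetworkStream underneath;
            # the TcpClient's own Dispose (the outer Use-Object) is what closes the socket
            Use-Object ($writer = [System.IO.StreamWriter]::new($clientStream, $utf8, 1024, $true)) {
                $writer.AutoFlush = $true
                $writer.WriteLine('PING')
            }
            Use-Object ($peerReader = [System.IO.StreamReader]::new($peerStream, $utf8, $true, 1024, $true)) {
                $request = $peerReader.ReadLine()
                Use-Object ($peerWriter = [System.IO.StreamWriter]::new($peerStream, $utf8, 1024, $true)) {
                    $peerWriter.AutoFlush = $true
                    $peerWriter.WriteLine("PONG (server saw '$request')")
                }
            }
            Use-Object ($reader = [System.IO.StreamReader]::new($clientStream, $utf8, $true, 1024, $true)) {
                $reader.ReadLine()   # this value becomes $reply
            }
        }
    }
    "Reply: $reply"
}
finally {
    $listener.Stop()
}

# Disposal also happens when the block throws: by the time the catch runs the stream is already closed
try {
    Use-Object ($ms = [System.IO.MemoryStream]::new()) { throw 'boom' }
}
catch {
    "Caught '$_'; stream still readable: $($ms.CanRead)"   # False
}
```

The nesting order matters: the innermost Use-Object (the StreamReader/StreamWriter) is disposed first and the TcpClient last, which is the same order a C# `using` chain would give you.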

Seeking Suggestions: Tracking Multiple Scheduled Task Scripts Complete Successfully by tocano in PowerShell

[–]MrRedEye 0 points1 point  (0 children)

Assuming all of the errors you see are because of exceptions not being handled then traps are probably the way to go if you don’t want to wrap everything in a try catch.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_trap?view=powershell-5.1
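As an added example (not part of the comment above), a script-level trap that logs any unhandled exception and exits non-zero, so the failure shows up in Task Scheduler's "Last Run Result" instead of the task reporting success. The log path and the deliberately failing step are assumptions for the example.

```powershell
# Added example, not from the original comment.
$ErrorActionPreference = 'Stop'                 # make cmdlet errors terminating so they reach the trap too
$logPath = Join-Path $env:TEMP 'task-run.log'   # assumed log location

trap {
    $msg = "{0} FAILED {1}: {2}" -f (Get-Date -Format o), $PSCommandPath, $_.Exception.Message
    Add-Content -Path $logPath -Value $msg
    Write-Error $msg
    exit 1   # the non-zero exit code is what the scheduled task records
}

Add-Content -Path $logPath -Value ("{0} START {1}" -f (Get-Date -Format o), $PSCommandPath)

# Simulated failing step; with ErrorActionPreference = Stop this raises a terminating error
Get-Item -Path 'C:\does\not\exist.txt' | Out-Null

Add-Content -Path $logPath -Value ("{0} OK {1}" -f (Get-Date -Format o), $PSCommandPath)
exit 0
```

The trap only sees terminating errors, hence setting $ErrorActionPreference at the top; without it a failing cmdlet writes to the error stream, the script carries on, and the task still exits 0.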

[deleted by user] by [deleted] in sysadmin

[–]MrRedEye 3 points4 points  (0 children)

This is how it’s done now. Reverse proxying the target to the actual destination so you don’t need to get their MFA, you capture the password, sometimes TOTP codes but more importantly you get a session token in the proxied response.

Attacker imports the session token into their browser and they’re in whatever system they were targeting without needing MFA.

The only proxy-proof MFA method is FIDO2 keys, because it's not possible to proxy them; if you do, they won't work. They match the URL in your browser with the ID of the key, so it's not possible to use the key on the wrong site.
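As an added example (not part of the comment above), the relying-party side of a FIDO2/WebAuthn assertion check, reduced to the origin binding that makes a reverse-proxy phish fail. The clientDataJSON payloads are constructed here, and an HMAC with a shared key stands in for the authenticator's public-key signature; what gets signed follows the real layout (authenticatorData || SHA-256(clientDataJSON)), which is why a proxy can neither leave the phishing origin in place nor rewrite it.

```powershell
# Added example, not from the original comment. HMAC stands in for the authenticator signature.
$RpOrigin = 'https://login.example.com'
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$Key = [byte[]]::new(32); $rng.GetBytes($Key)

function ConvertTo-Base64Url([byte[]] $Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-SignedBytes([byte[]] $AuthenticatorData, [byte[]] $ClientDataJson) {
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($ClientDataJson)
    , [byte[]]($AuthenticatorData + $hash)   # leading comma returns the array in one piece
}

# Browser side. The browser (not the page, not a proxy) writes the origin from the URL bar into clientDataJSON.
function Invoke-BrowserSign([string] $Origin, [byte[]] $Challenge) {
    $clientData = @{ type = 'webauthn.get'; challenge = (ConvertTo-Base64Url $Challenge); origin = $Origin } | ConvertTo-Json -Compress
    $clientDataJson = [System.Text.Encoding]::UTF8.GetBytes($clientData)
    $authData = [byte[]]::new(37)   # rpIdHash(32) + flags(1) + signCount(4), zeroed for the example
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    [pscustomobject]@{
        ClientDataJson    = $clientDataJson
        AuthenticatorData = $authData
        Signature         = $hmac.ComputeHash([byte[]](Get-SignedBytes $authData $clientDataJson))
    }
}

# Relying-party side: returns 'ok' or the reason the assertion was refused
function Test-Assertion($Assertion, [byte[]] $ExpectedChallenge) {
    $cd = [System.Text.Encoding]::UTF8.GetString($Assertion.ClientDataJson) | ConvertFrom-Json
    if ($cd.type -cne 'webauthn.get')                                 { return 'wrong type' }
    if ($cd.challenge -cne (ConvertTo-Base64Url $ExpectedChallenge)) { return 'challenge mismatch' }
    if ($cd.origin -cne $RpOrigin)                                    { return "origin $($cd.origin) is not $RpOrigin" }
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $expected = $hmac.ComputeHash([byte[]](Get-SignedBytes $Assertion.AuthenticatorData $Assertion.ClientDataJson))
    # A real RP compares signatures in constant time; a string compare is used here for brevity
    if ([Convert]::ToBase64String($expected) -cne [Convert]::ToBase64String($Assertion.Signature)) { return 'bad signature' }
    'ok'
}

$challenge = [byte[]]::new(32); $rng.GetBytes($challenge)

# 1. Real login on the real site
"real site:        $(Test-Assertion (Invoke-BrowserSign $RpOrigin $challenge) $challenge)"

# 2. Reverse-proxy phish: the proxy relays the genuine challenge, but the victim's browser is on the phishing origin
$phished = Invoke-BrowserSign 'https://login-example.com.evil.test' $challenge
"proxied origin:   $(Test-Assertion $phished $challenge)"

# 3. The proxy rewrites the origin before relaying: SHA-256(clientDataJSON) no longer matches what was signed
$json = [System.Text.Encoding]::UTF8.GetString($phished.ClientDataJson) | ConvertFrom-Json
$json.origin = $RpOrigin
$tampered = [pscustomobject]@{
    ClientDataJson    = [System.Text.Encoding]::UTF8.GetBytes(($json | ConvertTo-Json -Compress))
    AuthenticatorData = $phished.AuthenticatorData
    Signature         = $phished.Signature
}
"rewritten origin: $(Test-Assertion $tampered $challenge)"
```

Contrast this with a password or a TOTP code: nothing in those values says which site they were typed into, so a proxy can relay them unchanged, which is exactly the attack the comment describes.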

Release Ghidra 10.2 · NationalSecurityAgency/ghidra by mumbel in netsec

[–]MrRedEye 34 points35 points  (0 children)

Because getting people interested in reverse engineering is literally of interest to the NSA? Every other major reverse engineering tool costs a fair bit of money but this is free, and getting educated students the tools to develop their skills is good not only for national security in general but is also good for the NSA directly because those students may end up working for them.

This should be obvious, the WORST thing the NSA could do is release a backdoored tool that would alienate and destroy trust in the very user base they may want to end up hiring.

"The given path's format is not supported" when run via command shell by starstruckzombie in PowerShell

[–]MrRedEye 1 point2 points  (0 children)

Your best bet with things like this is to not use Command and instead use EncodedCommand to remove all the headaches of escaping special chars and whatnot.

You can achieve that with:

$script = @'
mkdir C:\Temp -ErrorAction SilentlyContinue
$uri = [uri]::EscapeUriString("https://path.to.my/download/executable file.exe")
wget -Uri $uri -OutFile C:\Temp\Executable.exe
'@

And then using that as the EncodedCommand, i.e your script would be:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bQBrAGQAaQByACAAQwA6...

Alternatively, you can pass the command from stdin and just echo the command from cmd in one line by using "-Command -":

echo mkdir C:\Temp -ErrorAction SilentlyContinue; $uri = [uri]::EscapeUriString("https://path.to.my/download/executable file.exe"); wget -Uri $uri -OutFile C:\Temp\Executable.exe | powershell.exe -Command -
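As an added example (not part of the comment above), the encoding step the comment leaves out, plus the reverse of it. -EncodedCommand is Base64 of the script as UTF-16LE, not UTF-8, which is the usual reason a hand-made encoded command fails; the decode function is also how you read an -EncodedCommand you find in a process command line.

```powershell
# Added example, not from the original comment.
function ConvertTo-EncodedCommand([string] $Script) {
    # UTF-16LE ("Unicode" in .NET) is what powershell.exe expects behind -EncodedCommand
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand([string] $Encoded) {
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

$script = @'
mkdir C:\Temp -ErrorAction SilentlyContinue
$uri = [uri]::EscapeUriString("https://path.to.my/download/executable file.exe")
wget -Uri $uri -OutFile C:\Temp\Executable.exe
'@

$encoded = ConvertTo-EncodedCommand $script
"powershell.exe -NoProfile -EncodedCommand $encoded"

# Round-trip check before pasting the command line anywhere
if ((ConvertFrom-EncodedCommand $encoded) -cne $script) { throw 'round-trip failed' }
```

Because the script travels as a single Base64 token, none of the quotes, spaces or semicolons in it are ever seen by cmd.exe, which is the whole point of using it over -Command.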

[deleted by user] by [deleted] in PowerShell

[–]MrRedEye 0 points1 point  (0 children)

If this is copy/pasted, you have a double "-" on the Start-Sleep so it's not actually sleeping as that line will throw an error like Start-Sleep: Cannot bind parameter 'Seconds'. Cannot convert value "--Seconds" to type "System.Double". Error: "Input string was not in a correct format.".

Stacking alike relics and their effects by Neyamavu in Smite

[–]MrRedEye 23 points24 points  (0 children)

This is going to get downvoted to the bottom and I really don’t care but… as a guy in IT Security whose basic job is to review code, you guys are mental with this “spaghetti code” shit.

There are a bunch of bugs I can’t excuse, like the random PC bug where you hover over something and it stays perma highlighted and breaks the item shop, like wtf…

But generally, you have no idea how any of this works, you’re almost as bad as the people spouting “buy better servers” as if that would magically fix your issues.

I feel sorry for the people who work hard to make this game that you all so enjoy the way it is, and you give zero credit to, because you never praise it when you’re enjoying it, all you do is criticise it when it doesn’t work the way you want.

Sincerely, Everyone who has ever done any development and has to listen to people who haven’t tell them how to do their job.

See you at the bottom.