Forensic Blogs

An aggregator for digital forensics blogs

June 6, 2021 by Ken Pryor

Training! Cyber5W, CyberDefenders and more

Hello all, thanks for looking in. As I continue trying to figure out what I want to be if/when I grow up, I'm finding so many awesome learning resources, including websites that offer basic introductions to DFIR and other infosec topics along with sites that have challenges to work through. I mentioned in an earlier post that I was considering a move toward learning to be a SOC analyst and that

Read the original at: Digital Forensics Blog. Filed Under: Digital Forensics. Tagged With: Cyber5W, CyberDefenders, forensics, Malware

March 27, 2021 by Didier Stevens

FileZilla Uses PuTTY’s Registry Fingerprint Cache

Today I figured out that FileZilla uses PuTTY’s registry key (HKCU\SOFTWARE\SimonTatham\PuTTY\SshHostKeys) to cache SSH fingerprints.

This morning, I connected to my server over SFTP with FileZilla, and got this prompt:

That’s unusual. I logged in over SSH, and my SSH client did not show a warning. I checked the fingerprint on my server, and it matched the one presented by FileZilla.

What’s going on here? I started to search through FileZilla configuration files (XML files) looking for the cached fingerprints, and found nothing. Then I went to the registry, but there’s no FileZilla entry under my HKCU Software key.

Then I took a look with ProcMon to figure out where FileZilla caches its fingerprints. After some searching, I found the answer:

FileZilla uses PuTTY’s registry keys!

And indeed, when I start FileZilla again and allow it to cache the key, it appears in PuTTY’s registry keys.

One last check: I modified the registry entry and started FileZilla again:

And now FileZilla warns me that the key is different. That confirms that FileZilla reads and writes PuTTY’s registry fingerprint cache.

So that answered my question: “Why did FileZilla warn me this morning?” “Because the key was not cached”.

But then I was left with another question: “Why is the key no longer cached, given that it was cached before?”

Well, I started to remember that some days ago I had been experimenting with PuTTY’s registry keys. I most likely deleted that key (PuTTY is not my default SSH client). I verified the last-write timestamp for PuTTY’s registry key, and indeed, it was last written to 4 days ago.

Update:

Thanks to Nicolas for pointing out that fzsftp is based on PuTTY:

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: Encryption, forensics, Networking
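For the FileZilla post above, an added example (not Didier Stevens' code) that lists what sits in the PuTTY host-key cache FileZilla shares and reports the key's last-write time, the check the post used to date the deletion. It assumes Windows PowerShell and PuTTY's value-name layout `<keytype>@<port>:<host>`; the registry path is the one the post names.

```powershell
# Added example, not from the original post: inspect the PuTTY host-key cache that
# FileZilla (fzsftp) reads and writes. Windows-only. Assumes PuTTY names each cached
# entry "<keytype>@<port>:<host>", e.g. "ssh-ed25519@22:example.com".

$CacheKeyPath = 'HKCU:\SOFTWARE\SimonTatham\PuTTY\SshHostKeys'

# PowerShell exposes no LastWriteTime on registry keys; RegQueryInfoKey returns it.
Add-Type -Namespace PuttyCache -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey, System.Text.StringBuilder lpClass,
    ref uint lpcchClass, IntPtr lpReserved, out uint lpcSubKeys, out uint lpcbMaxSubKeyLen,
    out uint lpcbMaxClassLen, out uint lpcValues, out uint lpcbMaxValueNameLen,
    out uint lpcbMaxValueLen, out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegistryKeyLastWrite {
    param([Microsoft.Win32.RegistryKey]$Key)
    [uint32]$cls = 0; [uint32]$a = 0; [uint32]$b = 0; [uint32]$c = 0
    [uint32]$d = 0; [uint32]$e = 0; [uint32]$f = 0; [uint32]$g = 0; [long]$ft = 0
    $rc = [PuttyCache.Native]::RegQueryInfoKey($Key.Handle, $null, [ref]$cls, [IntPtr]::Zero,
        [ref]$a, [ref]$b, [ref]$c, [ref]$d, [ref]$e, [ref]$f, [ref]$g, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with Win32 error $rc" }
    [DateTime]::FromFileTime($ft)   # FILETIME is UTC; FromFileTime converts to local time
}

function Get-PuttyHostKeyCache {
    param([Microsoft.Win32.RegistryKey]$Key)
    foreach ($name in $Key.GetValueNames()) {
        # Split "<keytype>@<port>:<host>"; anything else is not a cache entry and is skipped
        if ($name -match '^(?<type>[^@]+)@(?<port>\d+):(?<host>.+)$') {
            [pscustomobject]@{
                KeyType = $Matches.type
                Port    = [int]$Matches.port
                Host    = $Matches.host
                KeyData = $Key.GetValue($name)   # public key as PuTTY serialises it
            }
        }
    }
}

$cache = Get-Item -Path $CacheKeyPath -ErrorAction SilentlyContinue
if (-not $cache) {
    'No PuTTY host-key cache: PuTTY and FileZilla will prompt for every host.'
} else {
    "Cache key last written: $(Get-RegistryKeyLastWrite -Key $cache)"
    Get-PuttyHostKeyCache -Key $cache | Format-Table KeyType, Port, Host -AutoSize
}
```

A missing key or a last-write time newer than the last FileZilla warning explains a "new host key" prompt without any change on the server; compare KeyData against the fingerprint shown on the server before trusting it again.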

March 12, 2021 by Didier Stevens

Quickpost: “ProxyLogon PoC” Capture File

I was able to get the “ProxyLogon PoC” Python script running against a vulnerable Exchange server in a VM. It required some tweaks to the code, and also a change in Exchange permissions, as explained in this tweet by @irsdl.

I created a capture file:

More details will follow.

proxylogon-poc-capture-with-keys.zip (https)
MD5: 126B936C76EF0519E07D1249D4C3C32A
SHA256: E6028FAD90498424B36755E9A4750B2735DD2988CAC933A7C9B0097B7903700D

Quickpost info

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: forensics, Networking, Quickpost, Vulnerabilities


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)