Ahmad Mahfouz

Random notes

Regex to find mac address

today i was doing some forensics to find mac address inside syslog in linux systems i wrote this simple grep command to filter mac address from log files grep ‘[0-9a-zAz]\{2\}:[0-9a-zAz]\{2\}:[0-9a-zAz]\{2\}:[0-9a-zAz]\{2\}:[0-9a-zAz]\{2\}:[0-9a-zAz]\{2\}’     have fun

find duplicated UID in the linux system

u can identify the duplicated uid in your system this useful to identify if there some manipulation inside the users’ accounts getent passwd|cut -d : -f3 |sort -n|uniq -d it only returns the duplicated uid btw: if it returns 0 😀 you know the rest

users in shadow file explanation

this article explain the /etc/shadow this file content the users information example of the user data

username -> n1x password -> $6$UoDmVdoW$tYQQm5uHgOpeEKPygIaQ1GM/0IBbdYVrLHu8ZYF5pT17D3VM.FFKa2wS8J6gqbGKC2IpgImXy7SYVJK9r/fdw. last date password update since 1970-1-1 -> 16631 you can calculate it simply in python

minmum password age -> 7 maximum password age -> 15 warning days -> 2 inactive days

AIDE : Intrusion Detection Environment

this article about Intrusion Detection for file system changes like modification changing owner extra, for critical files or directories in our environment we using a software called AIDE Advanced Intrusion Detections Environment this software base on a library called mhash this lib used to calculate file hashes and AIDE save the file info inside DB

umask permissions explanation

what is umask? umask is the default permissions for writing a file in the system where the settings for umask? 1 – /etc/profile 2 – /etc/bashrc

Google Drive Information Leak

Google Drive & Gmail attachments Leak This part of Google bounty program [IDOR] exploit to allow the attacker to leak your Google Drive files and this mean attacker could leak Gmail attachments that uploaded to Google Drive, Photos you shared with Gmail or any other third party

removable disk could lead to privilege escalation

privilege escalation Linux with flash disk removable media with setUID, setGID files could give privilege escalation example copy nice command to ur flash storage and ask ur friend to print files in his system then run the command nice like

it will say root the problem occurs from a mounted partition without noexec,nosuid parameter

Persistent mount for luks with unlock Key

creating a encrypted disk with luks our  Little problem here to mount a encrypted disk  automatically on boot so no need to enter the pass for mounting but this risky if the machine theft happen because we will use a key inside the system and it will be leaked if our machine stolen so lets

Linux Disk Encryption with LUKS

today we going to make an encrypted disk partition list prepare our partition I have a new disk in  /dev/sdb I will create a partition 100 on it with fdisk

RPM integrity and scripts

Yum repository comes with gpg  and md5 support to verify the validity of the package You can list installed gpg keys in your system via

It will show the unique id for the installed keys in your  system gpg-pubkey-e8562897-459f07a4 gpg-pubkey-217521f6-45e8a532 To list all information related to a key rpm -qi pgp-key-unique-id

  It