Using Hashcat to Crack Hashes on Azure

More than one friend has recently had their social media account compromised or stolen. Often this is a consequence of a combination of bad password hygiene and a third-party data breach. If you use the same password on multiple sites, and one of those sites suffers a breach, you run the risk that your account on every other site where you reused that password is vulnerable to compromise. As an excuse to try out the new Azure N series VMs with their NVIDIA GPUs, I found an email I recognised in one of the breaches, and followed it from hash through to brute-forced password to prove the point.

When Good SSL Goes Bad

I spent a bit of time over the Christmas break revamping this site and preparing to write more posts. I moved to the nice clean theme – not unlike Medium for ease of reading, and I wanted to move the whole site to HTTPS. Why enable SSL for the whole site?


Recently I needed to write a script that could locate a folder on a system that had particular characteristics. I was looking for hidden folders that the logged-on user had rights to read, write/append and execute on, i.e. they can drop a binary into the folder and then run it.

This is the script I came up with. It uses a WMI query and method to first locate all the hidden folders on the system, and then compare each one's effective permissions to a mask I created:

strComputer = "."
' Connect to the WMI service (root\cimv2 namespace) on the local machine
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Find every directory that has the Hidden attribute set
Set colFiles = objWMIService.ExecQuery _
("Select * from Win32_Directory Where Hidden = True")
wscript.echo "Hidden folders which you can write to..."
intW = 0 ' initialise Writable folder count
' Iterate through each hidden folder on the computer
For Each objFile in colFiles
	strName = LCase(objFile.Name)
	' Ignore some well known hidden folders
	' (InStr returns a position, so compare with 0 to get a Boolean)
	blnIgnore = InStr(strName, "documents and settings") > 0 Or _
		InStr(strName, "$nt") > 0 Or _
		InStr(strName, "$hf_mig$") > 0 Or _
		InStr(strName, "ie7updates") > 0 Or _
		InStr(strName, "visual studio") > 0 Or _
		InStr(strName, "dllcache") > 0 Or _
		InStr(strName, "$patchcache$") > 0
	If Not blnIgnore Then
		' Can we read (1), write (2, 4), and execute (32) in this folder?
		intPermissions = 39
		' Use WMI method to compare permissions
		If objFile.GetEffectivePermission(intPermissions) Then
			wscript.echo objFile.Name
			intW = intW + 1
		End If
	End If
Next
wscript.echo intW & " vulnerable folders."

This was important as part of a wider effort to prove a particular vulnerability existed. Imagine the scenario where a standard user is prevented from running unknown binaries except for one hidden folder somewhere on the system which is excluded from this protection. If one could quickly find that folder, the user could run whatever he liked.

I’m aware that there are plenty of command-line tools that would have helped in this endeavour (such as AccessChk) but remember: this is a system where unauthorised apps cannot be run. It’s VBScript or nothing.
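
The same check turned around for whoever maintains the execution policy, as an added example that is not part of the original post: it takes the folders your policy excludes from protection and reports any where the current user holds the same read/write/execute mask (39). The paths in `$ExclusionPaths` are constructed placeholders and `Test-UserWritableExecutable` is a hypothetical helper name; run it in a standard user's session, because `GetEffectivePermission` evaluates the caller's rights.

```powershell
# Added example (not from the original post).
# Constructed placeholder paths: replace with the exclusions from your own policy.
$ExclusionPaths = @(
    'C:\ExampleApp\Cache',
    'C:\ExampleVendor\Updater'
)

# Same mask as the VBScript above:
# list folder (1) + add file (2) + add subfolder (4) + traverse/execute (32) = 39
$Mask = [uint32](1 -bor 2 -bor 4 -bor 32)

function Test-UserWritableExecutable {
    param([Parameter(Mandatory)][string]$Path)

    # WQL string literals need backslashes doubled and single quotes escaped.
    $wqlPath = $Path.Replace('\', '\\').Replace("'", "\'")
    $dir = Get-CimInstance -ClassName Win32_Directory -Filter "Name='$wqlPath'"
    if (-not $dir) { return $null }   # folder does not exist on this machine

    # Ask WMI whether the calling user holds every right in the mask.
    $r = Invoke-CimMethod -InputObject $dir -MethodName GetEffectivePermission `
            -Arguments @{ Permissions = $Mask }
    return [bool]$r.ReturnValue
}

foreach ($p in $ExclusionPaths) {
    $result = Test-UserWritableExecutable -Path $p

    if ($null -eq $result) {
        $status = 'not found'
    } elseif ($result) {
        # A standard user can drop a file here and run it: the exclusion
        # defeats the execution restriction and should be removed or re-ACLed.
        $status = 'user-writable and executable: review this exclusion'
    } else {
        $status = 'ok'
    }

    [pscustomobject]@{ Path = $p; Status = $status }
}
```

Any path reported as user-writable and executable should either lose its exclusion or have its ACL tightened so standard users cannot create files in it.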