Hi, I’m Pepper Minstix.
Have you heard of password spraying? It seems we’ve been victim.
We fear that they were successful in accessing one of our Elf Web Access accounts, but we don’t know which one.
Parsing through .evtx files can be tricky, but there’s a Python script that can help you convert it into XML for easier grep’ing.
1- Recommended watching: Beau Bullock's KringleCon talk about password spraying:
2- Let's list all files and directories using the ls command:
Here you can see two files:
evtx_dump.py - a Python script that converts .evtx files into XML for easier grep'ing
ho-ho-no.evtx - a web log filled with failed and successful logons, in .evtx format
3- Let's convert ho-ho-no.evtx to readable XML format using the Python script:
python2 evtx_dump.py ho-ho-no.evtx > ho-ho-no.xml
4- Run the ls command again to check that the file was converted:
5- View the ho-ho-no.xml file using the cat tool:
Copy the XML text to Notepad for easier lookup.
6- The .evtx file is a Windows Event Viewer log, so we will look for the Windows logon event IDs:
4624 An account was successfully logged on
4625 An account failed to log on
You can find more about Windows logon event IDs here:
7- Now let's use the grep command to filter the results. Look for failed attempts with event ID 4625 and export them to a new file for easier analysis:
grep -A 35 "4625" ho-ho-no.xml > 4625.xml
-B, --before-context=NUM print NUM lines of leading context
-A, --after-context=NUM print NUM lines of trailing context
8- Let's filter out the IP address of the machine from which the failed login attempts were performed:
grep "IpAddress" 4625.xml
We will notice the IP "172.31.254.101" as the main source of failed logins, so we will mark this as the attacker IP.
9- Let's look for successful attempts with event ID 4624 and export them to a separate XML file for easier analysis:
grep -A 43 "4624" ho-ho-no.xml > 4624.xml
10- Let's filter the successful events by the attacker IP address "172.31.254.101":
grep -B 13 "172.31.254.101" 4624.xml
So we have successfully identified which user was compromised: minty candycane
11- Enter the name “minty candycane” into
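The grep steps above can be done in one pass over the evtx_dump output. This is an added example, not part of the original walkthrough: it parses the XML records for event IDs 4624/4625, flags any source IP that failed against several distinct accounts (the spraying pattern), and lists the accounts that IP then logged into successfully. The sample records are constructed here in the shape evtx_dump.py emits; the IPs and usernames are not from ho-ho-no.evtx.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Windows event XML as written out by evtx_dump.py.
NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def _event(event_id, user, ip):
    # Emit one constructed <Event> record with the fields this analysis needs.
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample log: 10.0.0.9 fails once against five accounts, then logs in as
# carol; 10.0.0.5 is a normal user who mistyped once and then succeeded.
SAMPLE_XML = "<Events>" + "".join(
    [_event(4625, u, "10.0.0.9") for u in ("alice", "bob", "carol", "dave", "erin")]
    + [_event(4625, "alice", "10.0.0.5"), _event(4624, "alice", "10.0.0.5")]
    + [_event(4624, "carol", "10.0.0.9")]) + "</Events>"

def parse_logons(xml_text):
    """Return (event_id, target_user, source_ip) tuples for 4624/4625 events."""
    out = []
    for ev in ET.fromstring(xml_text).iter(f"{{{NS}}}Event"):
        eid = ev.findtext(f"{{{NS}}}System/{{{NS}}}EventID")
        if eid not in ("4624", "4625"):
            continue
        # EventData holds <Data Name="..."> children; map name -> text.
        data = {d.get("Name"): (d.text or "") for d in ev.iter(f"{{{NS}}}Data")}
        out.append((int(eid), data.get("TargetUserName", ""), data.get("IpAddress", "")))
    return out

def find_spray(events, min_users=3):
    """Map each spraying source IP (failures against >= min_users distinct
    accounts) to the sorted list of accounts it later logged into."""
    failed_users = defaultdict(set)
    succeeded = defaultdict(set)
    for eid, user, ip in events:
        (failed_users if eid == 4625 else succeeded)[ip].add(user)
    return {ip: sorted(succeeded.get(ip, ()))
            for ip, users in failed_users.items() if len(users) >= min_users}

if __name__ == "__main__":
    for ip, accounts in find_spray(parse_logons(SAMPLE_XML)).items():
        print(f"spray source {ip}: successful logons as {accounts or 'none'}")
```

Against the real ho-ho-no.xml, read the file into the string passed to parse_logons; the threshold min_users separates a spray from a single user's typos.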
Well, that explains the odd activity in Minty’s account. Thanks for your help!
All of the Kringle Castle employees have these cool cards with QR codes on them that give us access to restricted areas.
Unfortunately, the badge-scan-o-matic said my account was disabled when I tried scanning my badge.
I really needed access so I tried scanning several QR codes I made from my phone but the scanner kept saying “User Not Found”.
I researched a SQL database error from scanning a QR code with special characters in it and found it may contain an injection vulnerability.
I was going to try some variations I found on OWASP but decided to stop so I don’t tick off Alabaster.
Barcode Creation > Creating QR barcodes