Windows 11 introduced “Suggested Actions”. When you copy a date, time, or phone number, you will get this little pop up asking if you want to “Create event” or “Call number”.
While this can be helpful, it can also be slightly annoying and get in the way. Fortunately, there is a simple way to turn it off. Hit the little down arrow, then click “Go to clipboard settings”
Once in the System settings, turn “Suggested actions” off.
Git object files are a zlib compressed data file type.
We can check this by running the file command. “6ae4147121f0165e7c0e309bad649c2c4d3a55” is our git file of interest.
$ file 6ae4147121f0165e7c0e309bad649c2c4d3a55
6ae4147121f0165e7c0e309bad649c2c4d3a55: zlib compressed data
https://stackoverflow.com/questions/1532405/how-to-view-git-objects-and-index-without-using-git
The above link has helpful information. Easiest way I found was to install zlib-flate by installing qpdf with apt.
sudo apt install qpdf
We can now use the zlib-flate command with the -uncompress option to decompress the file and print the contents.
$ zlib-flate -uncompress < 6ae4147121f0165e7c0e309bad649c2c4d3a55
var b64 = ("");
console.log(b64);
atob() is a javascript function that decodes base64 encoded text. btoa() is the encoding function. We can use NodeJS to dedcode atob() functions. For instance, we can lanch nodejs woth
nodejs
and decode the sting SGVsbG8gV29ybGQgIQ==
console.log(atob("SGVsbG8gV29ybGQgIQ=="));
If we wanted to break that down into a couple variables we can do something like the following.
> var b64 = atob("SGVsbG8gV29ybGQgIQ==")
> console.log(b64");
You can also create a javascript file and then run the file with nodejs.
var b64 = atob(atob("U0dWc2JHOGdWMjl5YkdRZ0lRPT0="))
console.log(b64);
We can then run the file with
nodejs ./file.js
In the file the string “Hello World !” is double encoded so we process it twice with the “atob(atob(base64);”
There is more info available at the following links
https://www.npmjs.com/package/atob
https://developer.mozilla.org/en-US/docs/Web/API/atob
Check out the following article if you want to use Python to decode base64.
In this post we explore tracking down email logs relating to both Webmail and imap logins.
https://support.cpanel.net/hc/en-us/articles/1500012467681-How-To-List-Email-Login-History
ℹ️There are a few different logs that contain email logins.
/var/log/maillog <-- IMAP Logins
/var/log/exim_mainlog <-- SMTP
/usr/local/cpanel/logs/session_log <-- Webmail logins, logouts, IP changes
/usr/local/cpanel/logs/login_log <-- Failed webmail logins
/usr/local/cpanel/logs/cphulkd.log <-- cphulk log Here are some notes on tracking down email logins on cPanel or WHM.
IMAP logins are fairly easy to track down. Check the /var/log/maillog
Follow the log
tail -f /var/log/maillog | grep email@address.com
Or search the whole log
grep "email@address.com" /var/log/maillog
RIP = Remote IP. That is the public IP address of your client
LIP = Local IP is the IP address of the WHM/cPanel mail server
Mar 27 12:30:51 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.10, mpid=1234567, TLS, session=<Q2sNAb3Q4OgkYXBa>You can also view some info about Webmail connections in the main mail log.
tail -f /var/log/maillog | grep email@address.com
or
grep "email@address.com" /var/log/maillog
When logged into webmail, the connection can look like the following.
Mar 27 12:31:17 host dovecot[207411]: imap(email@address.com)<1234567>: Disconnected: Logged out in=148, out=1166, bytes=148/1166
Mar 29 16:41:30 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=::1, lip=::1, mpid=1234567, secured, session=<1uP1h3vD3as3AAAAAAAAAAAAAAAAAAAAB>Notice the rip and lip are both ::1, IPv6 localhost. Looks like Webmail is creating a local connection to the server to authenticate and pull the email. This makes tracking down where an actual person signed in from a little harder. The connection still gets logged, it’s just in the session_log.
Use one of the following two commands to search the session log.
tail -f /usr/local/cpanel/logs/session_log
grep "email@address.com" /usr/local/cpanel/logs/session_log
The output should be similar to the following.
[2023-03-27 12:31:17 -0000] info [webmaild] 192.168.1.11 NEW email@address.com:A3WnodOlnxn1gq05 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0Notice it gives us the IP address of where the user signed in from.
You can also look at the /usr/local/cpanel/logs/access_log however the @ sign is percent encoded “%40”. That could cause issues if you are trying to grep out the email address. make sure the email is in double quotes. grep "email%40address.com" /usr/local/cpanel/logs/session_log
Details on the Session and Login logs.
The following are examples of a valid login, logout, and what happens when the IP changes.
The Login file will show failed login attempt.
If you receive a Binary file (standard input) matches error, try running grep with the -a option.
Valid Login
The following is what a valid webmail login looks like.
[2023-03-27 12:31:17 -0000] info [webmaild] 192.168.1.20 NEW email@address.com:1mt4zP_CjWYrHCaG address=192.168.1.20,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0
Logout
The following is the log entry when a user logs out.
[2023-03-27 12:31:21 -0000] info [webmaild] 192.168.1.20 PURGE email@address.com:1mt4zP_CjWYrHCaG logoutChange of IP address
If your computer swaps networks and the IP changes, you’ll see that show up in the log like the following. This can also happen if someone happened to steal the cookies, and has tried logging in from a different network. cPanel detects this, and logs both sessions out.
[2023-03-27 12:33:46 -0000] info [webmaild] 192.168.1.20 PURGE email@address.com:a513oaqb2f5845m2p badpass [cookie ip check: IP address has changed: IP Address [192.168.1.100] != Current IP Address [192.168.1.20]]
Note that this behavior can be changed in the WHM Tweak settings. “Cookie IP validation”
Validate the IP addresses used in all cookie-based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled. Strict validation requires the current IP address and the cookie IP address to exactly match. Loose validation only requires they are in the same /24.
Failed Webmail Logins
Failed webmail login attempts will show up in /usr/local/cpanel/logs/login_log
If you need to track down SMTP or IPs that are sending out emails, check out the /var/log/exim_mainlog
tail -f /var/log/exim_mainlog
grep "email@address.com" /var/log/exim_mainlog
Windows 7 does not support TLS 1.1 or 1.2 by default. This can be an issue if you are still trying to use Outlook 2010 on Windows 7.
Fortunately there is a way that we can enable TLS 1.1 and 1.2.
First we need to verify that we have the correct Windows update in place. Download the appropriate download and double click it to run.
For 64 bit systems download the update from here
or for 32 bit systems
After the update is finished, create a new text file (AKA PowerShell Script) with the following contents.
$arch=(Get-WmiObject -Class Win32_operatingsystem).Osarchitecture
$reg32bWinHttp = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$reg64bWinHttp = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$regWinHttpDefault = "DefaultSecureProtocols"
$regWinHttpValue = "0x00000a00"
$regTLS11 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"
$regTLS12 = "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
$regTLSDefault = "DisabledByDefault"
$regTLSValue = "0x00000000"
Clear-Host
Write-Output "Creating Registry Keys...`n"
Write-Output "Creating registry key $reg32bWinHttp\$regWinHttpDefault with value $regWinHttpValue"
IF(!(Test-Path $reg32bWinHttp)) {
New-Item -Path $reg32bWinHttp -Force | Out-Null
New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
}
ELSE {
New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
}
IF($arch -eq "64-bit") {
Write-Output "Creating registry key $reg64bWinHttp\$regWinHttpDefault with value $regWinHttpValue"
IF(!(Test-Path $reg64bWinHttp)) {
New-Item -Path $reg64bWinHttp -Force | Out-Null
New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
}
ELSE {
New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
}
}
Write-Output "Creating registry key $regTLS11\$regTLSDefault with value $regTLSValue"
IF(!(Test-Path $regTLS11)) {
New-Item -Path $regTLS11 -Force | Out-Null
New-ItemProperty -Path $regTLS11 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
}
ELSE {
New-ItemProperty -Path $regTLS11 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
}
Write-Output "Creating registry key $regTLS12\$regTLSDefault with value $regTLSValue"
IF(!(Test-Path $regTLS12)) {
New-Item -Path $regTLS12 -Force | Out-Null
New-ItemProperty -Path $regTLS12 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
}
ELSE {
New-ItemProperty -Path $regTLS12 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
}
Write-Output "`nComplete!"
Save the file as “tls-reg-edit.ps1”
If saving it using notepad, change Save as type: All files (*.*)
Open a PowerShell. Change directories “cd” to the location you saved the above script to. ie. cd Downloads
Run the script with the follow command. Note you will most likely need to hit Y to allow the scripts to run.
Set-ExecutionPolicy Bypass -Scope Process ; .\tls-reg-edit.ps1
After the script runs, you’ll need to reboot your computer.
The script and information was taken from the following link. Thanks cPanel!
There is also more information at the following Microsoft link.
Windows 11 seemingly will not let you finish the setup process unless you are connected to a network. Fortunately there is an easy way to side step this issue.
When you get to the “Let’s connect you to a network screen”
Hit the Shift + F10 keys to launch a command prompt
From here, there are two ways we can disable or skip the network setup.
https://www.makeuseof.com/windows-11-set-up-without-internet-connection/
Type OOBE\BYPASSNRO and hit enter. The computer should now reboot and it will give you an option to skip the network setup.
OOBE\BYPASSNRO
Type in “taskmgr.exe” to launch the Task Manager
Find the Network Connection Flow service, select, and End task
It should now skip the network page and go to the License Agreement and let you finish setting up your computer.
First what is acropalypse?
Acropalypse is a vulnerability in Google’s markup editor (and Windows Snipping Tool). It allows an attacker to recover parts of a cropped or marked up image.
https://en.wikipedia.org/wiki/ACropalypse
There are a couple specific steps you have to follow for the bug to happen.
The bug is when you save the cropped screenshot with the same name, it overwrites the original file, but the markup tools are not resizing or truncating the file. Meaning that there is extra data in the screenshot.
For example in the following two screenshots, notice the size and dimensions
Here is the first screenshot
The second screenshot shows smaller dimensions because it was cropped, but the size is still the same.
Potentially. Most images are reprocessed if they are being uploaded to a web service. Discord only started doing that in January. So if you have images on Discord before then, you may want to look into that.
You also have to specifically overwrite the original screenshot image. If you don’t normally save the image first you may be fine. Never hurts to check though.
macOS and so presumably iOS, appear to properly resize the image after cropping has taken place. That would lead me to suspect that iOS and macOS devices are not vulnerable to a variant of apocalypse.
Twitter Post about acropalypse.
The following variables are usable inside of the DHCP-Server script tab.
The DHCP server script runs every time there is a new lease, or a lease expires. Doesn’t look to run when static leases renew.
https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#General
The goal for this script is to alert us if a remote site looses power. We can do this using a Mikrotik that has two PSUs. One is plugged into battery backup and the other in the non battery plug.
In this example, we are using PSU2 “number 8” We can find the number using
/system/health/print
We can now create a new scheduler entry with the following. Change out the number 8 to your PSU number, and change the webhook to your Teams webhook.
:local curState [system/health/get value-name=value number=8]
:local name [/system/identity/get value-name=name]
:local webhook "https://teams.webhook.microsoft.com/webhook/more"
if ($curState != $lastState) do={
if ($curState = "ok") do={
/tool fetch http-method=post http-header-field="Content-Type: application/json" http-data="{\"text\": \"$name : Power is on.\"}" url="$webhook"
}
if ($curState != "ok") do={
/tool fetch http-method=post http-header-field="Content-Type: application/json" http-data="{\"text\": \"$name : Power is off. On battery backup\"}" url="$webhook"
}
:global lastState $curState
}
Set to the appropriate interval (i.e. 5 minutes). The script will only alert once when the power state changes. This minimizes receiving an alert every 5 minutes while the power is off.
The purpose of these scripts is to update the local DHCP lease table with a remote IP Address Management (IPAM) system.
This little script is added to the scheduler and goes through the entire DHCP lease table and uploads each MAC address and IP address pair to a website.
Change out the top three variables. May also need to change out the URL depending on how the website receives data.
:local url "upload.incredigeek.com"
:local username "myapiuser"
:local password "passwordforapiuserwebsite"
/ip/dhcp-server/lease/
:foreach i in=[find] do={ :put ([get $i address]." ".[get $i mac-address])
:local ipaddress ([get $i address])
:local macaddress ([get $i mac-address])
/tool fetch url="https://$url/api/v1/network/ipam/dynamic_ip_assignment?ip_address=$ipaddress&mac_address=$macaddress&expired=0" mode=https keep-result=no user=$username password=$password
:delay 1s;
}
This script is to be used on the DHCP server script. Can add it by going to DHCP Server -> DHCP -> Double Click Server -> Script
Any time a new DHCP lease is obtained, this script is fired. Note that some of the variables like $leaseBound are specific to the script being used by the “DHCP server”
Also helpful to note that the script only runs if a new lease is obtained, or a lease expires and it disappears from the leases page. A DHCP renew does not trigger the script.
:local username "myapiuser"
:global password "myapipassword"
:global url "upload.incredigeek.com"
# The maximum retries
:local max 60
:local attempts 0
:local success 0
:do {
:set attempts ($attempts+1);
:if ($leaseBound = 0) do {
:do {
/tool fetch url="https://$url/api/v1/network/ipam/dynamic_ip_assignment?ip_address=$leaseActIP&mac_address=$leaseActMAC&expired=1" mode=https keep-result=no user=$username password=$password
:set success 1;
} on-error={
:log error "DHCP FAILED to send unassignment to $url on attempt $attempts out of $max for $leaseActMAC / $leaseActIP";
:delay 10s;
}
} else {
:delay 1s;
# see note below
:local remoteID [/ip dhcp-server lease get [find where address=$leaseActIP] agent-remote-id];
:do {
/tool fetch url="https://$url/api/v1/network/ipam/dynamic_ip_assignment?ip_address=$leaseActIP&mac_address=$leaseActMAC&expired=0" mode=https keep-result=no user=$username password=$password
:set success 1;
} on-error={
:log error "DHCP FAILED to send assignment to $url on attempt $attempts out of $max for $leaseActMAC / $leaseActIP";
:delay 10s;
}
}
:if ($success) do {
:log info "DHCP lease message successfully sent $leaseActMAC / $leaseActIP to $url";
:set attempts $max; # break out of the do..while loop
}
} while ( $attempts < $max )
}