Skip to main content

PowerShell IIS Log Objectifier

This script will read the W3C Extended Log File Format with the default logging options. If you add or remove columns from your log then you will have to modify this script.

################################################################
# Description: IIS Log Importer
# Version: 1.0
# Author: Tim Medin
# Email: TimMedin A@T securitywhole D.O.T com
# Note: This script will read the W3C Extended Log File Format
# with the default logging options. If you add or remove columns
# from your log then you will have to modify this script.
################################################################

param
(
  [
string] $Path
)

[
regex]$regex = '\s*(?<date>\S+)\s+(?<time>\S+)\s+(?<sitename>\S+)\s+(?<computername>\S+)\s+(?<ip>\S+)\s+(?<method>\S+)\s+(?<uristem>\S+)\s+(?<uriquery>\S+)\s+(?<port>\S+)\s+(?<username>\S+)\s+(?<sourceip>\S+)\s+(?<UserAgent>\S+)\s+(?<status>\S+)\s+(?<substatus>\S+)\s+(?<win32status>\S*)'

Get-Content
$Path | Select-String -Pattern "^[^#]" | % {
  if ($_ -match $regex) {
    $log = "" | Select TimeStamp, SiteName, ComputerName, IP, Method, UriStem, UriQuery, Port, Username, SourceIp, UserAgent, Status, SubStatus, Win32Status
    $log.TimeStamp = Get-Date "$($matches.Date) $($matches.Time)"
    $log.Sitename = $matches.Sitename
    $log.Computername = $matches.Computername
    $log.Ip = $matches.Ip
    $log.Method = $matches.Method
    $log.UriStem = $matches.UriStem
    $log.UriQuery = $matches.UriQuery
    $log.Port = $matches.Port
    $log.Username = $matches.Username
    $log.SourceIp = $matches.SourceIp
    $log.UserAgent = $matches.UserAgent
    $log.Status = $matches.Status
    $log.SubStatus = $matches.SubStatus
    $log.Win32Status = $matches.Win32Status
    $log
  }
}

Comments

Popular posts from this blog

3 Years of DirecTV User-Agent Command Injection

I found a bug in one of my DirecTV devices in 2015 after I got DirecTV. DirecTV didn't have a bug bounty program at that time so I used it as a demo in my classes. When AT&T bought DirecTV it then fell under AT&T's bug bounty, which is awarded quarterly. I forgot to submit it in the first post-merger quarger (2015Q4), so I submitted it 2016Q1. Screenshots from the bug bounty submission are at the bottom of this post.

EDIT: I in NO way want to steal the thunder from Ricky Lawshae and or diminish his hard work (although I think we can both agree this is about the lamest work either of use have ever had to do ;) ). My goal is to show how long crappy bugs like this sit.

I got bored a few years ago and decided to see what services the devices in my house expose.  A simple Nmap scan found listening web server on one of the devices. I browsed to it and I see this:


This is one of my DirecTV devices (I have DirecTV, solely so I can watch my precious Green Bay Packers on Sundays.…

Doll Hacking: The Good, The Bad(words) and the Ugly (features)

The age of internet connected toys is upon us. Increasingly, we are seeing children's toys connected to the internet, commonly through an app. I recently purchased a My Friend Cayla (http://www.myfriendcayla.com/) for uh…testing. I wanted to test the security of the device to see how safe it is for children.

In short, the toy does a good job of protecting children from inappropriate content, but any device (phone, tablet, laptop) can connect to the toy and play or record audio. That last bit scares me. The only protection against recording and arbitrary sound output is that only one device can be connected at a time. An opportunistic bad guy would only need to wait for the tablet or phone to go out of range or run out of battery.
Initial TestingI first needed to get a basic understanding of what Cayla can do and how she works. So I turned her on, connected her to my iPad via Bluetooth, and played with the app.

She began speaking and asking questions about me and my day. She is quite …

.NET Padding Oracle Attack, padBuster.pl, and the Microsoft Recommended Workarounds

For some stupid reason, Whenever GoDaddy sees h t t p s : / / it turns it into a link and removes the scheme. This even happens if you edit the html manually. Because of this sillyness, I've used https:\\ below.

Since I first heard of the Padding Oracle issue, I've wanted to use it to exploit a site. I had that chance this week. Alex Lauerman and I muddled our way through this confusing (at least to me) attack scenario.

The attack is dependent on the server responding differently to an error in the decryption process vs an error in the application due to invalid data. The different response codes tells us whether or not the padding is valid or invalid. If you want to read more on the background of the issue, check out the great post over at gdssecurity.com.

Now that we have a bit of the background covered, back to the site. Upon quick inspection we saw that 404 and 500 errors are redirected to the same error page. Bantha Herders! How did we know this? The 404 result was easy to t…