Two articles introducing IPv6.
http://www.windowsnetworking.com/articles_tutorials/Crash-Course-IPv6-Part1.html
http://www.windowsnetworking.com/articles_tutorials/Crash-Course-IPv6-Part2.html
It introduces the IPv6 address space and how it is represented normally and in HTTP URL.
Then it explains the significance of various bits in an IPv6 address; what is site-prefix, subnet-ID and interface-ID; unicast, multicast, and anycast.
Dec 23, 2006
Dec 21, 2006
KB Articles QuickSearch
Here's a registry mod that will have you looking up Microsoft
Knowledge Base articles instantly in your browser.
Modify the registry to add the capability to quickly search
the KB articles (formerly referred to as Q articles) in Windows XP
or Windows Server 2003. Here's the procedure:
To test this procedure, open Internet Explorer and type KB followed
by the name of the KB article number (for example, to search for
article number 917021, type "kb 917021"). It should take you directly
to the article in your browser.
Make sure that you don't add KB as a key in the SearchUrl folder.
KB should be a subfolder of SearchUrl folder and it should contain
the above entry in the right-hand pane.
I've tested this procedure successfully on Windows XP and Windows
Server 2003 operating systems, and on Internet Explorer and Mozilla
Firefox browsers.
Knowledge Base articles instantly in your browser.
Modify the registry to add the capability to quickly search
the KB articles (formerly referred to as Q articles) in Windows XP
or Windows Server 2003. Here's the procedure:
- Run regedit.exe.
- Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl.
- From the Edit menu, select New, Key and name it KB.
- Select the new KB folder that you just created under the SearchUrl folder, and in the right-hand pane double-click Default.
- For Value data, enter http://support.microsoft.com/?kbid=%s
- Click OK and close the registry editor.
To test this procedure, open Internet Explorer and type KB followed
by the name of the KB article number (for example, to search for
article number 917021, type "kb 917021"). It should take you directly
to the article in your browser.
Make sure that you don't add KB as a key in the SearchUrl folder.
KB should be a subfolder of SearchUrl folder and it should contain
the above entry in the right-hand pane.
I've tested this procedure successfully on Windows XP and Windows
Server 2003 operating systems, and on Internet Explorer and Mozilla
Firefox browsers.
How Skype Works
Tags:
articles
Interesting read on how skype works trough firewalls.
http://www.heise-security.co.uk/articles/82481/0
http://www.heise-security.co.uk/articles/82481/0
Dec 14, 2006
Rule-based Access Control
Tags:
articles
A very good article in describing Rule-based Access Control, to improve security and make programming easier with an authorization framework.
http://www-128.ibm.com/developerworks/webservices/library/ws-soa-access.html
http://www-128.ibm.com/developerworks/webservices/library/ws-soa-access.html
Dec 11, 2006
Taking pwdump to next level with fgdump
Tags:
tools
New versions of the ultracool tools pwdump (1.4.2) and fgdump (1.3.4) have been released.
Both versions provide some feature upgrades as well as bug fixes. Folks with really old versions of either program should definitely look at upgrading, since there are numerous performance improvements and full multithreading capabilities in both packages.
If you don’t know..what are pwdump6 and fgdump?
pwdump6 is a password hash dumper for Windows 2000 and later systems. It is capable of dumping LanMan and NTLM hashes as well as password hash histories. It is based on pwdump3e, and should be stable on XP SP2 and 2K3. If you have had LSASS crash on you using older tools, this should fix that.
fgdump is a more powerful version of pwdump6. pwdump tends to hang and such when antivirus is present, so fgdump takes care of that by shutting down and later restarting a number of AV programs. It also can dump cached credentials and protected storage items, and can be run in a multithreaded fashion very easily. I strongly recommend using fgdump over pwdump6, especially given that fgdump uses pwdump6 under the hood! You’ll get everything pwdump6 gives you and a lot more.
Darknet definately DOES recommend fgdump, super cool update of the old favourite pwdump.
fgdump was born out of frustration with current antivirus (AV) vendors who only partially handled execution of programs like pwdump. Certain vendors’ solutions would sometimes allow pwdump to run, sometimes not, and sometimes lock up the box. As such, we as security engineers had to remember to shut off antivirus before running pwdump and similar utilities like cachedump. Needless to say, we’re forgetful sometimes…
So fgdump started as simply a wrapper around things we had to do to make pwdump work effectively. Later, cachedump was added to the mix, as were a couple other variations of AV. Over time it has grown, and continues to grow, to support our assessments and other projects. We are beginning to use it extensively within Windows domains for broad password auditing, and in conjunction with other tools (ownr and pwdumpToMatrix.pl) for discovering implied trust relationships.
fgdump is targetted at the security auditing community, and is designed to be used for good, not evil. :-) Note that, in order to effectively use fgdump, you’re going to need high-power credentials (Administrator or Domain Administrator, in most cases), thus limiting its usefulness as a hacking tool. However, hopefully some of you other security folks will find this helpful.
Sep 3, 2006
TiddlyWiki
Just come across this today. It is called TiddlyWiki.
TiddlyWiki is a reusable non-linear personal web notebook. It is like a blog because it's divided up into neat little chunks, but it encourages you to read it by hyperlinking rather than sequentially: if you like, a non-linear blog analogue that binds the individual microcontent items into a cohesive whole.
I think that it has represented a novel medium for writing, and will promote its own distinctive writing style in the future.
It is at http://tiddlywiki.com/
TiddlyWiki is a reusable non-linear personal web notebook. It is like a blog because it's divided up into neat little chunks, but it encourages you to read it by hyperlinking rather than sequentially: if you like, a non-linear blog analogue that binds the individual microcontent items into a cohesive whole.
I think that it has represented a novel medium for writing, and will promote its own distinctive writing style in the future.
It is at http://tiddlywiki.com/
May 24, 2006
Internet Explorer Developer Center: Fiddler PowerToy - Part 1: HTTP Debugging
Check out this tool at Microsoft MSDN web site.
Fiddler PowerToy - Part 1: HTTP Debugging
It is great!
Fiddler PowerToy - Part 1: HTTP Debugging
It is great!
May 19, 2006
May 9, 2006
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
SANS - Windows CMDline Kung-Fu with wmic
To kill a process, like 'kill -9 [pid] and killall-9 cmd.exe'
C:\> wmic process [pid] delete
C:\> wmic process where name='cmd.exe' delete
Like the 'top' command
C:\> wmic process list brief /every:1
To simulate 'net user'
C:\> wmic useraccount
To show hotfixes and service packs. [qfe = quick fix enginering]
C:\> wmic qfe
For malware analysis, including all files loaded at startup.
C:\> wmic startup list full
Similar to 'ps -aux | grep cmd.exe'.
C:\> wmic process list brief | find "cmd.exe"
Similar to 'man wmic'
C:\> wmic /?:full > wmic_docs_that_stink.txt
Similar to 'ifconfig -a'
C:\> wmic nicconfig where IPEnabled='true'
Similar to ' ifconfig'
C:\> wmic nicconfig where Index=1 call EnableStatic ("10.10.10.10"), ("255.255.255.0")
For DHCP
C:\> wmic nicconfig where Index=1 call EnableDHCP
Others:
c:\> wmic ComputerSystem GET Model
c:\> wmic computersystem get name,systemtype
c:\> wmic bios get serialnumber
c:\> wmic nic get macaddress,description
c:\> wmic csproduct get identifyingnumber
c:\> wmic baseboard get product,Manufacturer,version,serialnumber
c:\> wmic COMPUTERSYSTEM get TotalPhysicalMemory
c:\> wmic process get workingsetsize,commandline
c:\> wmic partition get name,size,type
c:\> wmic COMPUTERSYSTEM GET MANUFACTURER
c:\> wmic csproduct get version
c:\> wmic service list brief
c:\> wmic process list brief
c:\> wmic startup list brief
c:\> wmic csproduct get "UUID"
May 3, 2006
Office 2003 file attachment exploit
Tags:
0day
Found an interesting exploit from here:
Inge Henriksen's Technology Blog
Advisory Name: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit
Tested and Confirmed Vulerable:
Micrsoft Outlook 2003 SP 1
Microsoft Internet Explorer 6 SP2
Mozilla Firefox 1.06
Avant Browser 10.1 Build 17
Severity: Low
Type: Stealing files
From where: Remote
Discovered by:
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/
Vendor Status: Not notified
Overview:
Application protocols handling in Microsoft Windows is badly designed, i.e. when someone types
mailto:someone@somewhere.com into a browser the protocol is first looked up under
HKEY_CLASSES_ROOT\%protocol%\shell\open\command, if it is a protocol that is allowed under the
current user context then the value is simply replaced by the contents in the address bar at %1. In
our example
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "%1"
would become
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@somewhere.com"
There is absolutely no input validation in all the browsers I have tested, i.e. there are exploits
availible by entering more data into the address bar than was intended.
Proof-of Concept:
The mailto application protocol can be axploited by entering"", this will cause
OUTLOOK.EXE to attach the file to the email without asking for permission, thus opening
up for sensitive files to be stolen when a user sends an email it is fair to believe that many
people would not notice the attached file before sending the email.
To attach the SAM file to a email a html file could contain this:
Click here to email me
i.e.:
Click here to email me
The command being run would now be:
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@somewhere.com""..\..\..\..\..\windows\REPAIR\SAM"
, thus attaching the SAM file.
Inge Henriksen's Technology Blog
Advisory Name: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit
Tested and Confirmed Vulerable:
Micrsoft Outlook 2003 SP 1
Microsoft Internet Explorer 6 SP2
Mozilla Firefox 1.06
Avant Browser 10.1 Build 17
Severity: Low
Type: Stealing files
From where: Remote
Discovered by:
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/
Vendor Status: Not notified
Overview:
Application protocols handling in Microsoft Windows is badly designed, i.e. when someone types
mailto:someone@somewhere.com into a browser the protocol is first looked up under
HKEY_CLASSES_ROOT\%protocol%\shell\open\command, if it is a protocol that is allowed under the
current user context then the value is simply replaced by the contents in the address bar at %1. In
our example
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "%1"
would become
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@somewhere.com"
There is absolutely no input validation in all the browsers I have tested, i.e. there are exploits
availible by entering more data into the address bar than was intended.
Proof-of Concept:
The mailto application protocol can be axploited by entering
OUTLOOK.EXE to attach the file
up for sensitive files to be stolen when a user sends an email it is fair to believe that many
people would not notice the attached file before sending the email.
To attach the SAM file to a email a html file could contain this:
Click here to email me
i.e.:
Click here to email me
The command being run would now be:
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@somewhere.com""..\..\..\..\..\windows\REPAIR\SAM"
, thus attaching the SAM file.
May 1, 2006
Subscribe to:
Posts (Atom)