May 24, 2006
Internet Explorer Developer Center: Fiddler PowerToy - Part 1: HTTP Debugging
It is great!
May 19, 2006
May 9, 2006
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
SANS - Windows CMDline Kung-Fu with wmic
To kill a process, like 'kill -9 [pid]' and 'killall -9 cmd.exe'
C:\> wmic process [pid] delete
C:\> wmic process where name='cmd.exe' delete
Like the 'top' command
C:\> wmic process list brief /every:1
To simulate 'net user'
C:\> wmic useraccount
To show hotfixes and service packs. [qfe = quick fix engineering]
C:\> wmic qfe
For malware analysis, including all files loaded at startup.
C:\> wmic startup list full
Similar to 'ps -aux | grep cmd.exe'.
C:\> wmic process list brief | find "cmd.exe"
Similar to 'man wmic'
C:\> wmic /?:full > wmic_docs_that_stink.txt
Similar to 'ifconfig -a'
C:\> wmic nicconfig where IPEnabled='true'
Similar to 'ifconfig' (set a static address)
C:\> wmic nicconfig where Index=1 call EnableStatic ("10.10.10.10"), ("255.255.255.0")
For DHCP
C:\> wmic nicconfig where Index=1 call EnableDHCP
Others:
c:\> wmic ComputerSystem GET Model
c:\> wmic computersystem get name,systemtype
c:\> wmic bios get serialnumber
c:\> wmic nic get macaddress,description
c:\> wmic csproduct get identifyingnumber
c:\> wmic baseboard get product,Manufacturer,version,serialnumber
c:\> wmic COMPUTERSYSTEM get TotalPhysicalMemory
c:\> wmic process get workingsetsize,commandline
c:\> wmic partition get name,size,type
c:\> wmic COMPUTERSYSTEM GET MANUFACTURER
c:\> wmic csproduct get version
c:\> wmic service list brief
c:\> wmic process list brief
c:\> wmic startup list brief
c:\> wmic csproduct get "UUID"
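The same inventory as the wmic one-liners above, written as an added example (not from the SANS article) with the CIM cmdlets that replace the now-deprecated wmic.exe. The class names (Win32_Process, Win32_StartupCommand, Win32_QuickFixEngineering, Win32_NetworkAdapterConfiguration) are the same WMI classes wmic queries under its aliases; the function names and the baseline file name are my own.

```powershell
# Added example, not from the SANS article: the wmic commands above rewritten
# with Get-CimInstance.  Each function returns objects so the output can be
# filtered, exported to CSV, or diffed against a known-good baseline.

# Equivalent of 'wmic process list brief' and 'ps -aux | grep cmd.exe'.
# Filtering is done client-side so a name with quotes cannot break a WQL filter.
function Get-ProcessInventory {
    param([string]$Name)
    $procs = Get-CimInstance -ClassName Win32_Process
    if ($Name) { $procs = $procs | Where-Object { $_.Name -ieq $Name } }
    $procs | Select-Object ProcessId, ParentProcessId, Name, WorkingSetSize, CommandLine
}

# Equivalent of 'wmic startup list full': everything registered to run at
# logon, the first place to look during malware triage.
function Get-StartupInventory {
    Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object Name, Command, Location, User
}

# Equivalent of 'wmic qfe': installed hotfixes, newest first.
function Get-HotfixInventory {
    Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Select-Object HotFixID, Description, InstalledOn |
        Sort-Object InstalledOn -Descending
}

# Equivalent of "wmic nicconfig where IPEnabled='true'".
function Get-NicInventory {
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        Select-Object Description, MACAddress, IPAddress, DHCPEnabled
}

# Equivalent of "wmic process where name='cmd.exe' delete", but it shows the
# command line first and asks for confirmation on every process.
function Stop-ProcessByName {
    param([Parameter(Mandatory)][string]$Name)
    Get-ProcessInventory -Name $Name | ForEach-Object {
        Write-Host "PID $($_.ProcessId): $($_.CommandLine)"
        Stop-Process -Id $_.ProcessId -Confirm
    }
}

# Equivalent of 'wmic process list brief /every:1' (a poor man's top):
# refresh the top 20 processes by working set every second until Ctrl+C.
function Watch-Processes {
    while ($true) {
        Clear-Host
        Get-ProcessInventory |
            Sort-Object WorkingSetSize -Descending |
            Select-Object -First 20 |
            Format-Table ProcessId, Name, WorkingSetSize -AutoSize
        Start-Sleep -Seconds 1
    }
}

# Usage: snapshot the startup entries so a later run can be compared with
# Compare-Object.  The file name is arbitrary.
Get-StartupInventory | Export-Csv -Path .\startup-baseline.csv -NoTypeInformation
```

Because the functions return objects rather than text, `Get-StartupInventory | Where-Object { $_.Command -notmatch '^"?C:\\Windows' }` or a `Compare-Object` against yesterday's CSV is a one-liner, which is the main thing the `find "cmd.exe"` style of filtering above cannot give you.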
May 3, 2006
Office 2003 file attachment exploit
Inge Henriksen's Technology Blog
Advisory Name: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit
Tested and Confirmed Vulnerable:
Microsoft Outlook 2003 SP 1
Microsoft Internet Explorer 6 SP2
Mozilla Firefox 1.06
Avant Browser 10.1 Build 17
Severity: Low
Type: Stealing files
From where: Remote
Discovered by:
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/
Vendor Status: Not notified
Overview:
Application protocols handling in Microsoft Windows is badly designed, i.e. when someone types
mailto:someone@somewhere.com into a browser the protocol is first looked up under
HKEY_CLASSES_ROOT\%protocol%\shell\open\command, if it is a protocol that is allowed under the
current user context then the value is simply replaced by the contents in the address bar at %1. In
our example
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "%1"
would become
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@somewhere.com"
There is absolutely no input validation in all the browsers I have tested, i.e. there are exploits
available by entering more data into the address bar than was intended.
Proof-of-Concept:
The mailto application protocol can be exploited by entering
OUTLOOK.EXE to attach the file
up for sensitive files to be stolen when a user sends an email it is fair to believe that many
people would not notice the attached file before sending the email.
To attach the SAM file to an email, an HTML file could contain this:
Click here to email me
i.e.:
Click here to email me
The command being run would now be:
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@somewhere.com""..\..\..\..\..\windows\REPAIR\SAM"
thus attaching the SAM file.
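The mechanism the advisory describes is generic: every URL protocol registered under HKEY_CLASSES_ROOT has a shell\open\command whose %1 receives the address-bar text. As an added example (not part of the advisory), this script inventories those handlers on a machine and shows which ones take the raw URL, and it includes the kind of argument check a launching application can apply before the substitution happens. The function names and the regular expression are mine; the registry layout is the standard one the advisory quotes.

```powershell
# Added example, not from the advisory: audit which URL protocol handlers are
# registered and what command each will run.  Assumes the standard layout
# HKEY_CLASSES_ROOT\<protocol>\shell\open\command with a 'URL Protocol' value
# marking protocol keys.

function Get-UrlProtocolHandlers {
    $root = 'Registry::HKEY_CLASSES_ROOT'
    # Enumerating HKCR takes a few seconds; it holds thousands of keys.
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.Property -contains 'URL Protocol' } |
        ForEach-Object {
            $cmdKey  = "$($_.PSPath)\shell\open\command"
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Protocol       = $_.PSChildName
                Command        = $command
                # %1 is where the address-bar text is substituted verbatim.
                ReceivesRawUrl = [bool]($command -and $command -match '%1')
                # An unquoted %1 is worse still: spaces in the URL become extra arguments.
                QuotedArgument = [bool]($command -and $command -match '"%1"')
            }
        }
}

# Defensive check a browser or any code calling ShellExecute can apply before
# handing a URL to a handler: require scheme:rest and reject quotes,
# whitespace and control characters, so nothing in the URL can close the "%1"
# and append a further argument.
function Test-SafeProtocolArgument {
    param([Parameter(Mandatory)][string]$Url)
    return ($Url -match '^[A-Za-z][A-Za-z0-9+.-]*:[^\s"\x00-\x1f]+$')
}

# Usage: list handlers, flagging the ones that pass the raw URL.
Get-UrlProtocolHandlers |
    Sort-Object Protocol |
    Format-Table Protocol, ReceivesRawUrl, QuotedArgument, Command -AutoSize -Wrap

# Constructed inputs: the plain address passes, the one carrying a quote is rejected.
Test-SafeProtocolArgument 'mailto:someone@somewhere.com'          # True
Test-SafeProtocolArgument 'mailto:someone@somewhere.com"extra'    # False
```

Run it on a workstation image before and after installing Office or a browser and diff the Protocol column: new handlers are the ones whose argument handling nobody has reviewed yet.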