Feb 16, 2008

Change Color for your BSOD

In case you don't know what a BSOD is, see some BSODs through the ages.

In Windows 2000/XP/2003, each time the Windows Kernel crashes, a blue screen appears, giving the administrator some clues and information as to what has caused the error. This screen, because of its blue color and catastrophic nature, was nicknamed BSOD - Blue Screen Of Death.

Why blue? No one knows, but what I do know is that the blue screen can be changed to a different color, thus creating your own YSOD or RSOD or even WSOD...

To do so follow these steps:

1. Hit Win-R (Run), and type "notepad %systemroot%\system.ini" (without the quotes). Alternatively, run the command "sysedit" (without the quotes).

2. In the system.ini file, locate the [386enh] section.

3. If not already present, create the following new entries:
MessageBackColor=
MessageTextColor=

and give them values according to the following list:
  • 0 = black
  • 1 = blue
  • 2 = green
  • 3 = cyan
  • 4 = red
  • 5 = magenta
  • 6 = yellow/brown
  • 7 = white
  • 8 = gray
  • 9 = bright blue
  • A = bright green
  • B = bright cyan
  • C = bright red
  • D = bright magenta
  • E = bright yellow
  • F = bright white
For example, to get a Red Screen of Death with white text:
MessageBackColor=4
MessageTextColor=F
Note: use CAPITAL LETTERS, i.e. F and not f.

4. Save the system.ini file and restart the computer.
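The same edit as a script, added here as an example and not part of the original post: it works on the text of a system.ini file, finds or creates the [386enh] section, sets MessageBackColor and MessageTextColor, and enforces the two rules above (a single hex digit 0-F, written as a capital letter). The sample ini content in the usage is constructed.

```python
import re

# The two entries from step 3 and the 0-F color codes from the list above
KEYS = ("MessageBackColor", "MessageTextColor")
VALID_CODES = set("0123456789ABCDEF")


def color_code(value):
    """Normalise a code to the single uppercase hex digit system.ini expects."""
    code = str(value).strip().upper()  # accept 'f', store 'F' as the note requires
    if code not in VALID_CODES:
        raise ValueError(f"color code must be one of 0-9, A-F, got {value!r}")
    return code


def set_bsod_colors(ini_text, back, text):
    """Return ini_text with the two entries set under [386enh].

    Existing entries in that section are rewritten in place, missing ones are
    appended to the section, and a missing section is appended to the file.
    """
    wanted = dict(zip(KEYS, (color_code(back), color_code(text))))
    canon = {k.lower(): k for k in KEYS}  # ini keys are case-insensitive
    out, seen = [], set()
    in_section = found = False

    def append_missing():
        out.extend(f"{k}={wanted[k]}" for k in KEYS if k not in seen)

    for line in ini_text.splitlines():
        header = re.match(r"\s*\[(.+?)\]\s*$", line)
        if header:
            if in_section:          # leaving [386enh]: add what was not there
                append_missing()
            in_section = header.group(1).lower() == "386enh"
            found = found or in_section
            out.append(line)
            continue
        entry = re.match(r"\s*(MessageBackColor|MessageTextColor)\s*=", line, re.I)
        if in_section and entry:
            key = canon[entry.group(1).lower()]
            out.append(f"{key}={wanted[key]}")
            seen.add(key)
            continue
        out.append(line)
    if not found:
        out.append("[386enh]")
    if in_section or not found:     # section was last in the file, or absent
        append_missing()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample with the section already present and one entry set
    sample = "[boot]\nshell=Explorer.exe\n[386enh]\nMessageBackColor=1\n[drivers]\nwave=mmdrv.dll\n"
    print(set_bsod_colors(sample, "4", "f"))
```

Run it against a copy of %systemroot%\system.ini and write the result back with Notepad if you prefer to check the diff first.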

If you want to test it (i.e. make the system kernel crash on purpose), see Manual BSOD below.

This tweak exists for people with certain forms of visual impairment who can only use Windows in high contrast mode. The setting lets the BSOD use high contrast colors as well, making the information on it easier for the visually impaired to read.

See the Microsoft Knowledge Base article: http://support.microsoft.com/kb/90740

Feb 14, 2008

Manual BSOD

Did you know you can "cause" a BSOD manually? This isn't a bug; it's a "feature" in Windows designed to let users trigger a crash dump for testing purposes. There's even a whole Microsoft KB article on the subject.

To enable this feature, open regedit and browse to one of these keys, depending on your keyboard type:
USB Keyboard
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters
PS/2 Keyboard
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
Now right-click in the right-hand pane and add a new DWORD value named CrashOnCtrlScroll, set to 1.

Reboot your computer, and when it starts back up you can trigger the Blue Screen of Death by using the following keyboard shortcut:
 Hold down the right Ctrl key and press Scroll Lock twice
To remove this "feature", delete the CrashOnCtrlScroll value and restart your computer again.

Jan 29, 2008

Metasploit Unleashes Ver. 3.1

The latest version of the Metasploit Framework, along with screenshots, video demonstrations, documentation and installation instructions for many platforms, is available at http://metasploit3.com/

Jan 21, 2008

Master Boot Record Rootkit

Just found some useful information on the MBR rootkit. Below is the timeline.

According to SANS, the next big thing is that those distributing this rootkit also distribute the Torpig banking Trojan. The rootkit is currently being installed through a set of relatively old and easy-to-patch Microsoft vulnerabilities:

  • Microsoft JVM ByteVerify (MS03-011)
  • Microsoft MDAC (MS06-014) (two versions)
  • Microsoft Internet Explorer Vector Markup Language (MS06-055)
  • Microsoft XML CoreServices (MS06-071)

Dec 27, 2007

NMAP 4.50 Release

Nmap was first released in 1997, so this release celebrates its 10th anniversary. Major new features since 4.00 include the Zenmap cross-platform GUI, 2nd generation OS detection, the Nmap Scripting Engine, a rewritten host discovery system, performance optimization, advanced traceroute functionality, TCP and IP options support, and nearly 1,500 new version detection signatures.

The Nmap Changelog describes 320 improvements since 4.00 in more than 1,500 lines. Here are the highlights:

Zenmap graphical front-end and results viewer
Zenmap is a cross-platform (tested on Linux, Windows, Mac OS X) GUI which supports all Nmap options. It allows easier browsing, searching, sorting, and saving of Nmap results. Zenmap replaces the venerable but dated NmapFE, which was the default Nmap GUI for more than 8 years.
2nd Generation OS Detection
Nmap revolutionized OS detection when the feature was first released in October 1998, and it served us well for more than 9 years as the database grew to 1,684 fingerprints. The new 2nd generation system incorporates everything we learned during those years and has proven itself more effective and accurate. The new database has 1,085 signatures, ranging from the 2Wire 11701HG wireless ADSL modem to the ZyXEL ZyWall 2 Plus firewall. In addition to more than 500 general purpose OS fingerprints, it contains 94 switches, 92 printers, 81 WAPs, 63 broadband routers, 31 firewalls, 19 VoIP phones, 16 webcams, 8 cell phones, and more. Nmap currently only has fingerprints for 1 ATM machine and 2 game consoles. The new system is extensively documented.
Nmap Scripting Engine
The Nmap Scripting Engine allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. Nmap 4.50 includes 40 scripts ranging from simple (showHTMLTitle, ripeQuery) to more complex (netbios-smb-os-discovery, SQLInject, bruteTelnet). An NSE library system (NSELib) allows common functions and extensions to be written in Lua or C. NSE can efficiently handle normal TCP or UDP sockets, or read and write raw packets using libpcap. The system and API are extensively documented. You can try NSE (along with other features) out by adding the -A option to your Nmap command line.
Performance and accuracy improvements
Not only were the host discovery and OS detection systems completely replaced, but the port scanning algorithms were improved in the process. We also optimized the configure scripts and removed a lot of dead code to improve compile times and reduce the distribution size. Another performance boost came from ignoring certain rate-limited ICMP error messages in cases such as SYN scan, where the ICMP error means the same thing as the lack of any response anyway.
Version detection enhancements
Version detection allows Nmap to determine the service listening on a port using protocol communication rather than making assumptions based on the port number. In addition to the service name, the system can also often deduce other information such as application name, version number, device type, operating system, and more. The DB has grown more than 40% since 4.00 to 4,542 signatures representing 449 services. The service protocols with the most signatures are http (1,473), telnet (459), ftp (423), smtp (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46) and nntp (44).
Host discovery (ping scanning) system rewritten
The old host discovery system (massping()) was removed and the primary port scanning engine (ultra_scan()) augmented to support host discovery. The new system is more accurate, and in some cases faster. We removed the artificial limits on the number of ports and protocols (such as -PS arguments) which can be used for discovery. A new IP protocol ping type (-PO) was added which sends IP headers with your specified protocol numbers in the hope of eliciting a response.
--reason explains why a port is open/closed/filtered
The new --reason option adds a column to the Nmap port state table which explains why Nmap assigned a port status. For example, a port could be listed as “filtered” because no response was received, or because an ICMP network unreachable message was received. With --reason, you can find out which was the case without digging through --packet-trace logs.
Advanced traceroute support
Nmap now offers a --traceroute option which uses Nmap data to determine which sort of packets are most likely to slip through the target network and produce useful results. The system is well optimized for speed and bandwidth efficiency, and the clever output system avoids repeating the same initial hops for each target system. The -A option now includes traceroute.
TCP and IP Options
Nmap now supports IP options with the new --ip-options flag. You can specify any options in hex, or use “R” (record route), “T” (record timestamp), “U” (record route & timestamp), “S [route]” (strict source route), or “L [route]” (loose source route). Specify --packet-trace to display IP options of responses. For further information and examples, see this post. TCP options are now reported by --packet-trace too.
Other changes to enjoy in Nmap 4.50:
  • Added the --open option, which causes Nmap to show only open ports. Ports in the states “open|filtered” and “unfiltered” might be open, so those are shown too unless the host has an overwhelming number of them.
  • The --scanflags option now also accepts “ECE”, “CWR”, “ALL” and “NONE” as arguments.
  • The new --servicedb and --versiondb options let you specify a custom Nmap services file (service name to port number translation and port frequency) or version detection database.
  • IP Protocol scan (-sO) now sends proper protocol headers for TCP, UDP, ICMP, and IGMP.
  • Improved nmap.xsl, which is used to transform Nmap XML output into pretty HTML reports.
  • Added the --unprivileged option, which is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful for testing, debugging, or when the raw network functionality of your operating system is somehow broken.
  • Nmap now allows multiple ignored port states. If a 65K-port scan had 64K filtered ports, 1K closed ports, and a few dozen open ports, Nmap used to list the dozen open ones among a thousand lines of closed ports. Now Nmap will give reports like “Not shown: 64330 filtered ports, 1000 closed ports” or “All 2051 scanned ports on 192.168.0.69 are closed (1051) or filtered (1000)”, and omit all of those ports from the table. Open ports are never ignored.
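To see how three of the features above fit together (the --reason column, the --open filter, and multiple ignored port states), here is an added example that is not Nmap project code: it reads a report in Nmap's XML output format, where --reason's explanation sits in each port's state element and the ignored states appear as extraports, and rebuilds the "Not shown:" line and port table of the text output. The XML fragment is constructed for the host named in the text; the reason strings follow Nmap's naming but the counts and ports are made up.

```python
import xml.etree.ElementTree as ET

# Constructed report: 65535 ports scanned, two ignored states plus four listed ports
SAMPLE_XML = """<nmaprun scanner="nmap" version="4.50">
<host><address addr="192.168.0.69" addrtype="ipv4"/>
<ports>
<extraports state="filtered" count="64330"><extrareasons reason="no-responses" count="64330"/></extraports>
<extraports state="closed" count="1201"><extrareasons reason="resets" count="1201"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="net-unreach" reason_ttl="254"/><service name="https"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="snmp"/></port>
</ports></host></nmaprun>
"""

# States --open keeps, per the bullet above: definitely or possibly open
MIGHT_BE_OPEN = {"open", "open|filtered", "unfiltered"}


def ignored_states(host):
    """States Nmap folded into 'Not shown:' (never 'open', see last bullet)."""
    return [ep.get("state") for ep in host.iterfind("ports/extraports")]


def not_shown_line(host):
    """Rebuild the 'Not shown: N filtered ports, M closed ports' summary."""
    parts = [f"{ep.get('count')} {ep.get('state')} ports"
             for ep in host.iterfind("ports/extraports")]
    return "Not shown: " + ", ".join(parts) if parts else ""


def port_table(host):
    """Rows of (port/proto, state, service, reason), the table --reason prints."""
    rows = []
    for p in host.iterfind("ports/port"):
        st, svc = p.find("state"), p.find("service")
        rows.append((f"{p.get('portid')}/{p.get('protocol')}", st.get("state"),
                     svc.get("name") if svc is not None else "", st.get("reason")))
    return rows


def might_be_open(rows):
    """Apply the --open filter to a port table."""
    return [r for r in rows if r[1] in MIGHT_BE_OPEN]


def summarize(xml_text):
    host = ET.fromstring(xml_text).find("host")
    return {"ignored_states": ignored_states(host),
            "not_shown": not_shown_line(host), "ports": port_table(host)}
```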