Category: quick tips

Forensics Netwars First Day

I had been planning to attend the DFIR Summit for the last two years, and now I am in Austin for it. As part of the DFIR Summit I am attending Forensics NetWars. Forensics NetWars is a fun exercise that helps you remember the forensics knowledge you may have forgotten and learn some new tricks. The best thing is that if you screw up, that’s okay. You cannot damage anything but your NetWars score…

I remembered the power of the stat command when it comes to MAC times (modification, access and change timestamps). I also found a new tool called Fred for analyzing the Windows registry. I also remembered that the -iname option ignores case when you use it with the “find” command.

I am planning to write how to install and use Fred this week.


Reset Your Windows Password

We have lots of passwords to remember: workstations, servers, banks, forums, mail, etc. This makes forgetting passwords easy. Today I would like to describe how to reset a forgotten admin password on Windows.

I am going to use chntpw. chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your WinNT or Win2000 system, by modifying the encrypted password in the registry’s SAM file. You do not need to know the old password to set a new one. It works offline (i.e., you have to shut down your computer and boot off a Linux floppy disk or live CD).

1. Insert the BackTrack DVD into your Windows computer and boot from it (usually F2 or F12 shows the boot order menu, where you can force the computer to boot from CD/DVD).

2. Mount your Windows partition:

2.1. Run fdisk -l to determine which device is your Windows partition.
My Windows partition is /dev/sda1.

2.2. Create an empty folder to mount the Windows partition on:
mkdir /mnt/windows

2.3. Mount it:
mount /dev/sda1 /mnt/windows

3. Go into the chntpw directory:
cd /pentest/passwords/chntpw

4. Run chntpw against your SAM hive (the directory is named WINDOWS on XP-era systems and Windows on later versions, and the path is case-sensitive once the volume is mounted on Linux):

./chntpw -i /mnt/windows/WINDOWS/system32/config/SAM

5. Type the username whose password you want to reset, press Enter, then press 1 and Enter.

6. After making the changes, exit from the main chntpw menu and press “Y” to write the changes or “N” to discard them.
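Two small helpers for steps 2 to 4, written for this post as an added example (not part of the original article or of chntpw): a case-insensitive lookup of the SAM hive under the mount point, which matters because NTFS ignores case while a Linux mount does not (the same idea as find -iname), and a timestamped backup of the hive taken before chntpw rewrites it, so the edit can be undone if Windows rejects the result. The mount point /mnt/windows is the one used in the steps above; the backup naming scheme is my own choice.

```python
import shutil
import time
from pathlib import Path
from typing import Optional

# Path of the SAM hive relative to the root of the Windows volume, lower-cased.
# The first directory is "WINDOWS" on XP-era systems and "Windows" on later
# ones; comparing lower-cased names covers both spellings.
SAM_HIVE_PARTS = ("windows", "system32", "config", "sam")


def find_sam_hive(mount_point: str) -> Optional[Path]:
    """Return the SAM hive under a mounted Windows volume, or None if absent.

    NTFS treats names case-insensitively, but once the volume is mounted on
    Linux the lookup is case-sensitive, so each path component is matched
    lower-cased (the same idea as `find -iname`).
    """
    current = Path(mount_point)
    for wanted in SAM_HIVE_PARTS:
        if not current.is_dir():
            return None
        match = next(
            (entry for entry in current.iterdir() if entry.name.lower() == wanted),
            None,
        )
        if match is None:
            return None
        current = match
    return current if current.is_file() else None


def backup_hive(hive: Path) -> Path:
    """Copy the hive next to itself before it is modified, preserving metadata.

    chntpw rewrites the SAM in place; a timestamped copy (naming scheme chosen
    for this example) makes the change reversible if the edited hive turns out
    to be unusable.
    """
    stamp = time.strftime("%Y%m%d-%H%M%S")
    backup = hive.with_name(f"{hive.name}.bak-{stamp}")
    shutil.copy2(hive, backup)
    return backup


if __name__ == "__main__":
    # Assumes the Windows partition is already mounted at /mnt/windows as in
    # step 2 above; adjust the mount point to match your own setup.
    found = find_sam_hive("/mnt/windows")
    if found is None:
        print("no SAM hive found under /mnt/windows")
    else:
        print(f"SAM hive: {found}")
        print(f"backup written to: {backup_hive(found)}")
```

Run it after step 2.3 and pass the printed hive path to chntpw in step 4; if it prints nothing useful, the partition you mounted is not the Windows system volume.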


Google search results warn of compromised sites

Google has been warning Web surfers about sites that appear to be hosting malware in search results for years. Now, the company is adding a warning in search results when the site appears to be compromised but may not be actually downloading malware to visitors’ computers.

Starting today, Google search users should see a new hyperlink warning that says “This site may be compromised” next to some results if Google’s system has detected something on the site indicating that it has been hacked or otherwise compromised. Clicking on the warning link leads to a Help Center article with more information.

“If a site has been hacked, it typically means that a third party has taken control of the site without the owner’s permission,” the article says. “Hackers may change the content of a page, add new links on a page, or add new pages to the site. The intent can include phishing (tricking users into sharing personal and credit card information) or spamming (violating search engine quality guidelines to rank pages more highly than they should rank).” Web surfers can also just click on the result to go directly to the site.

Google first started putting warnings next to results in late 2006, but focused on sites that were hosting or actively serving malware. Those warnings say “This site may harm your computer,” and clicking on the result itself takes you to another page that provides more information.

The new warning is designed to focus on Web sites that may not be actively infecting computers, but that may be compromised and conducting other types of attacks, such as spam or phishing.

Along with warning Web searchers, Google tries to notify Webmasters when it detects that their site may be compromised, via messages in the Google Webmaster Tools console, Google said.

“Of course, we also understand that Webmasters may be concerned that these notices are impacting their traffic from search,” Google says in a post on the Webmaster Central blog today. “Rest assured, once the problem has been fixed, the warning label will be automatically removed from our search results, usually in a matter of days. You can also request a review of your site to accelerate removal of the notice.”

Originally posted at InSecurity Complex



How to Suck at Information Security

Security Policy and Compliance

  • Ignore regulatory compliance requirements.
  • Assume the users will read the security policy because you’ve asked them to.
  • Use security templates without customizing them.
  • Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
  • Create security policies you cannot enforce.
  • Enforce policies that are not properly approved.
  • Blindly follow compliance requirements without creating overall security architecture.
  • Create a security policy just to mark a checkbox.
  • Pay someone to write your security policy without any knowledge of your business or processes.
  • Translate policies in a multi-language environment without consistent meaning across the languages.
  • Make sure none of the employees finds the policies.
  • Assume that if the policies worked for you last year, they’ll be valid for the next year.
  • Assume that being compliant means you’re secure.
  • Assume that policies don’t apply to executives.
  • Hide from the auditors.

Security Tools

  • Deploy a security product out of the box without tuning it.
  • Tune the IDS to be too noisy, or too quiet.
  • Buy security products without considering the maintenance and implementation costs.
  • Rely on anti-virus and firewall products without having additional controls.
  • Run regular vulnerability scans, but don’t follow through on the results.
  • Let your anti-virus, IDS, and other security tools run on “auto-pilot.”
  • Employ multiple security technologies without understanding how each of them contributes.
  • Focus on widgets, while omitting to consider the importance of maintaining accountability.
  • Buy expensive product when a simple and cheap fix may address 80% of the problem.

Risk Management

  • Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
  • Make someone responsible for managing risk, but don’t give the person any power to make decisions.
  • Ignore the big picture while focusing on quantitative risk analysis.
  • Assume you don’t have to worry about security, because your company is too small or insignificant.
  • Assume you’re secure because you haven’t been compromised recently.
  • Be paranoid without considering the value of the asset or its exposure factor.
  • Classify all data assets as “top secret.”

Security Practices

  • Don’t review system, application, and security logs.
  • Expect end-users to forgo convenience in place of security.
  • Lock down the infrastructure so tightly, that getting work done becomes very difficult.
  • Say “no” whenever asked to approve a request.
  • Impose security requirements without providing the necessary tools and training.
  • Focus on preventative mechanisms while ignoring detective controls.
  • Have no DMZ for Internet-accessible servers.
  • Assume your patch management process is working, without checking on it.
  • Delete logs because they get too big to read.
  • Expect SSL to address all security problems with your web application.
  • Ban the use of external USB drives while not restricting outbound access to the Internet.
  • Act superior to your counterparts on the network, system admin, and development teams.
  • Stop learning about technologies and attacks.
  • Adopt hot new IT or security technologies before they have had a chance to mature.
  • Hire somebody just because he or she has a lot of certifications.
  • Don’t apprise your manager of the security problems your efforts have avoided.
  • Don’t cross-train the IT and security staff.

Password Management

  • Require your users to change passwords too frequently.
  • Expect your users to remember passwords without writing them down.
  • Impose overly-onerous password selection requirements.
  • Use the same password on systems that differ in risk exposure or data criticality.
  • Impose password requirements without considering the ease with which a password could be reset.

Thanks to Lenny Zeltser for his awesome cheat sheet. For the original document please see http://zeltser.com/security-management/suck-at-security-cheat-sheet.html. If you have any suggestions other than the ones above, let me know! ismail@realinfosec.com

Networking Setup on Debian Based Systems

Setting up networking on a Linux machine can be a little challenging if you want a static IP address.

First you need to be familiar with the networking files and commands in Linux.

Briefly, ifconfig is the command you will use most often.

ifconfig lists the network interfaces with their IP address, broadcast address and netmask.
To see your gateway, use route -n.

Where are your DNS servers?
Check /etc/resolv.conf.

If you use DHCP (the default on all Debian-based systems), you should not need to touch any of these.

However, what if you need a static configuration?

Then let’s take a look at the interfaces file, /etc/network/interfaces.

A typical static configuration for a logical device:

# The primary network interface
auto eth1
iface eth1 inet static
address 192.10.119.240
netmask 255.255.255.224
network 192.10.119.224
broadcast 192.10.119.255
gateway 192.10.119.241
dns-nameservers 192.10.119.241
# The secondary network interface
auto eth0
iface eth0 inet dhcp

Here eth1 is configured to use a static IP, 192.10.119.240.
The netmask, network, broadcast and gateway addresses are also defined here, as well as the dns-nameservers.

auto means the interface will automatically be brought up at boot.
As you can see, eth0 uses the DHCP configuration.
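The values in a static stanza have to agree with each other: network and broadcast follow from address and netmask, and the gateway must lie inside that network, otherwise the interface comes up but nothing beyond the local segment is reachable. The checker below is an added example written for this post (it is not part of Debian's ifupdown); it parses the stanza format shown above and reports inconsistencies. The sample text is the page's own configuration, embedded as a constant so the script runs offline; the option names it understands are the ones that appear in that stanza.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the same /etc/network/interfaces content as shown above.
SAMPLE_INTERFACES = """\
# The primary network interface
auto eth1
iface eth1 inet static
address 192.10.119.240
netmask 255.255.255.224
network 192.10.119.224
broadcast 192.10.119.255
gateway 192.10.119.241
dns-nameservers 192.10.119.241
# The secondary network interface
auto eth0
iface eth0 inet dhcp
"""


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ifupdown-style text into {interface: {option: value}}.

    "iface" opens a stanza; the indented/following option lines belong to it.
    "auto" and "allow-hotplug" lines are recorded on the named interfaces
    without changing which stanza is current.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = words[1]
            stanzas.setdefault(current, {}).update(family=words[2], method=words[3])
        elif words[0] in ("auto", "allow-hotplug"):
            for name in words[1:]:
                stanzas.setdefault(name, {})[words[0]] = "yes"
        elif current is not None:
            stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas


def check_static(cfg: Dict[str, str]) -> List[str]:
    """Return the problems found in one static stanza (empty list = consistent)."""
    problems: List[str] = []
    if cfg.get("method") != "static":
        return problems  # dhcp/manual stanzas carry nothing to cross-check
    try:
        iface = ipaddress.ip_interface(f"{cfg['address']}/{cfg['netmask']}")
    except (KeyError, ValueError) as exc:
        return [f"address/netmask unusable: {exc}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("address is the network or broadcast address of its subnet")
    # network and broadcast are derived values; if given, they must match.
    expected = {"network": net.network_address, "broadcast": net.broadcast_address}
    for key, want in expected.items():
        if key in cfg:
            try:
                if ipaddress.ip_address(cfg[key]) != want:
                    problems.append(f"{key} is {cfg[key]}, expected {want}")
            except ValueError:
                problems.append(f"{key} is not a valid address: {cfg[key]}")
    if "gateway" in cfg:
        try:
            gw = ipaddress.ip_address(cfg["gateway"])
            if gw not in net:
                problems.append(f"gateway {gw} is outside {net}")
            elif gw == iface.ip:
                problems.append("gateway equals the interface address")
        except ValueError:
            problems.append(f"gateway is not a valid address: {cfg['gateway']}")
    for server in cfg.get("dns-nameservers", "").split():
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"dns-nameservers entry is not an address: {server}")
    return problems


def check_all(text: str) -> Dict[str, List[str]]:
    """Check every stanza; returns {interface: problems} for stanzas with problems."""
    result: Dict[str, List[str]] = {}
    for name, cfg in parse_interfaces(text).items():
        problems = check_static(cfg)
        if problems:
            result[name] = problems
    return result


if __name__ == "__main__":
    findings = check_all(SAMPLE_INTERFACES)
    print(findings if findings else "all stanzas consistent")
```

To check a real machine, read /etc/network/interfaces and pass its contents to check_all before running ifdown/ifup; an empty result means the derived fields and the gateway agree with the address and netmask.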

If you want to just change the gateway, then:

ifconfig eth1 down
route add default gw 192.10.119.254
ifconfig eth1 up

For more info you can check this document: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch03_:_Linux_Networking#How_to_Change_Your_Default_Gateway

TCPTraceroute to Bypass the Firewall filters

Introduction

The first step for penetration testers is getting information about the system. Traceroute is a great tool for this purpose.

Traceroute shows the route between you and the target machine. Linux has a command line utility called traceroute.

traceroute

traceroute uses UDP.

Windows has a tool called tracert.

tracert

tracert uses ICMP.

It is quite common for firewalls to be configured to block ICMP or UDP, which prevents traceroute from returning usable information.

One program designed to get around this issue is Michael Toren’s TCPTraceroute.

TCPTraceroute uses TCP SYN packets instead of ICMP or UDP, so it is able to get past common firewall filters that still admit TCP to an open port.

Installation

TCPTraceroute is currently available only for Linux. You can install it on your Debian-based machine using apt-get:


sudo apt-get install tcptraceroute

Example

tcptraceroute

Summary

As a penetration tester, you need to be familiar with several tools to gain information about the target system. One of these tools is tcptraceroute. It gets past many firewalls that stop tracert and traceroute, because it uses TCP rather than ICMP or UDP.