
Anti-theft bag for sandwiches



via vagos

Attacking WPA/WPA2 PSK (part IV of IV)

A little while ago I posted an echo of the work done by these two authors using CUDA; now we are going to see how they use other programs, for those of us who do not own an NVIDIA card :S

***************************************************************************************
Attacking WPA/WPA2 PSK (part I of IV)
Attacking WPA/WPA2 PSK (part II of IV)
Attacking WPA/WPA2 PSK (part III of IV)
Attacking WPA/WPA2 PSK (part IV of IV)
***************************************************************************************
[This article was written by Alejandro Martín and Chema Alonso]

I hope you like the contribution. Regards

Passive Network Security Analysis with NetworkMiner



It is disturbing how often networks are not properly documented in terms of IP plans, network segmentations and network security. Having a good view of the network is essential when performing a network security assessment. As such, one might choose to perform an active network scan with a tool such as Nmap or Nessus in order to quickly gather inventory information of the hosts on a network.

Performing active scanning is, however, not very suitable for situations when the network is being used for operations of critical IT systems such as process control, radar, SCADA, or telecommunications systems. These types of critical IT systems always need to be in operation and scheduled service windows are very rare, so any active scanning should be avoided since it might affect the performance of the network or hosts on the network. Even the so-called "safe checks" in Nessus can cause critical IT systems to malfunction since these systems often are embedded systems running proprietary software with a high number of undiscovered vulnerabilities and bugs.

To avoid an emergency shutdown of a nuclear plant on which you might be performing your network security assessment, it is recommended that the analysis be based on passively captured network traffic from the system under investigation.

To passively capture traffic with focus on security is often referred to as "Network Security Monitoring" or "Packet Sniffing"; the less suitable term "Passive Scanning" is also used at times. Performing passive network analysis can be very useful also for non-critical IT systems such as normal business IT systems. One such example is when BlackBox internal penetration testing is performed since it is useful to enumerate hosts, services and protocols while remaining stealthy. Often during an internal penetration test, part of the test is to determine when the organization detects the ethical hacker on the network. The use of passive network analysis can therefore be helpful in the early phase of penetration testing so as to avoid detection as it reduces the need for an active portscan.

The network security tool that I will be relying on in this article is called NetworkMiner (sourceforge.net/projects/networkminer). It is an open source network forensic analysis tool (NFAT) that I developed.


Network discovery

Network traffic is best captured by connecting a packet sniffer to a network tap or monitor port of a switch located at a central point of a network or preferably at the perimeter between two different networks. Ideally, one should ensure that the machine which performs the monitoring cannot emit network traffic to the network being monitored. The packet sniffer can, for example, be a machine running tcpdump or Wireshark, which stores the captured traffic to a pcap file which can be processed later. There are also more comprehensive network monitoring solutions available such as Sguil, but that is beyond the scope of this article. You can, of course, use NetworkMiner to perform live sniffing of network traffic, but the recommended practice is to capture traffic to a pcap file with a purpose-built sniffer and to subsequently perform offline analysis with a network forensic analysis tool. The pcap file can also be used as evidence if any illicit traffic is captured.


I have used the publicly available pcap file "Scan of the Month 27" (sotm27), from The Honeynet Project (tinyurl.com/66jbz2), in order to demonstrate the strength of NetworkMiner in host discovery. When loading the sotm27 capture file into NetworkMiner, it generates an impressive list of 169 hosts together with the host names and the operating systems of the detected hosts. By expanding the nodes in the host list, details such as server banners, open ports and domain names can be displayed. Most of this information is easily retrieved directly from the captured network packets since protocols such as DNS, SMB and HTTP are implemented in NetworkMiner. Other information, such as the operating system, is determined by matching specific fields from protocols such as TCP, IP and DHCP against the fingerprint databases of applications such as Ettercap, p0f and Satori.

A good approach for high security networks is to block all incoming and outgoing traffic except for the specific sessions (client-server-port combinations) which are expected and allowed to cross the network boundary. To create good and tight firewall rules, a network administrator needs to know which sessions are actually taking place across a network boundary. Luckily for the administrator, NetworkMiner provides a list of all incoming and outgoing sessions for each host, so monitoring the traffic between the two network segments is a good first step in creating better firewall rules.
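The host list and the per-host session list described in the two paragraphs above, as an added example that is not NetworkMiner's own code: a small Python script that walks a classic libpcap file, records each host's MAC address, observed TTL (one of the fields p0f-style OS guessing uses) and open TCP ports, and derives the client-to-server sessions an administrator would turn into firewall rules. TCP sessions are taken from the handshake (a SYN without ACK marks the client, a SYN-ACK marks an open server port); UDP has no handshake, so the first datagram seen decides the direction. The capture, addresses and MACs are constructed inline; real work would read the pcap from disk.

```python
# Added example, not NetworkMiner's own code: a minimal passive host and session
# inventory built from a classic libpcap file, the way NetworkMiner's host list
# and per-host session list summarise a capture. Only Ethernet/IPv4 frames
# carrying TCP or UDP are decoded; every address and packet below is constructed.
import struct
from collections import defaultdict

ETH_IPV4, IP_TCP, IP_UDP = 0x0800, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def pcap_records(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:   # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return the fields we need from an Ethernet/IPv4/{TCP,UDP} frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl, ttl, proto = (ip[0] & 0x0F) * 4, ip[8], ip[9]
    l4 = ip[ihl:]
    pkt = {"src_mac": frame[6:12].hex(":"), "ttl": ttl, "proto": proto,
           "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    if proto == IP_TCP and len(l4) >= 20:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["flags"], pkt["payload"] = l4[13], l4[(l4[12] >> 4) * 4:]
    elif proto == IP_UDP and len(l4) >= 8:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["flags"], pkt["payload"] = 0, l4[8:]
    else:
        return None
    return pkt


def inventory(pcap_bytes):
    """Per-host facts plus the set of client->server sessions seen in the capture."""
    hosts = defaultdict(lambda: {"macs": set(), "ttls": set(), "open_ports": set()})
    sessions = set()                  # (client_ip, server_ip, proto, server_port)
    for frame in pcap_records(pcap_bytes):
        p = decode_frame(frame)
        if p is None:
            continue
        src = hosts[p["src"]]
        src["macs"].add(p["src_mac"])
        src["ttls"].add(p["ttl"])     # TTL is one input to p0f-style OS guessing
        _ = hosts[p["dst"]]           # a host that only receives still belongs in the list
        syn, ack = p["flags"] & TCP_SYN, p["flags"] & TCP_ACK
        if p["proto"] == IP_TCP:
            if syn and not ack:       # client opening a connection
                sessions.add((p["src"], p["dst"], "tcp", p["dport"]))
            elif syn and ack:         # server answering: its source port is open
                src["open_ports"].add(p["sport"])
        elif (p["dst"], p["src"], "udp", p["sport"]) not in sessions:
            sessions.add((p["src"], p["dst"], "udp", p["dport"]))   # UDP: first packet wins
    return hosts, sessions


# Constructed sample capture (checksums left zero: it never touches a wire).
def ipv4_frame(src_mac, dst_mac, src, dst, proto, l4, ttl):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return macs + struct.pack("!H", ETH_IPV4) + ip + l4


def tcp_seg(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload


def udp_dgram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


CLIENT, WEB, DNS = "10.0.0.5", "203.0.113.10", "10.0.0.53"
C_MAC, S_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_PCAP = make_pcap([
    ipv4_frame(C_MAC, S_MAC, CLIENT, WEB, IP_TCP, tcp_seg(51000, 80, TCP_SYN), 128),
    ipv4_frame(S_MAC, C_MAC, WEB, CLIENT, IP_TCP, tcp_seg(80, 51000, TCP_SYN | TCP_ACK), 64),
    ipv4_frame(C_MAC, S_MAC, CLIENT, WEB, IP_TCP, tcp_seg(51000, 80, TCP_ACK, b"GET / HTTP/1.0\r\n\r\n"), 128),
    ipv4_frame(C_MAC, S_MAC, CLIENT, DNS, IP_UDP, udp_dgram(40000, 53, b"\x00" * 12), 128),
    ipv4_frame(S_MAC, C_MAC, DNS, CLIENT, IP_UDP, udp_dgram(53, 40000, b"\x00" * 12), 64),
])
```

Running `inventory(SAMPLE_PCAP)` on the constructed capture yields three hosts, shows port 80 open on 203.0.113.10, and reports exactly two sessions: 10.0.0.5 to 203.0.113.10 on tcp/80 and 10.0.0.5 to 10.0.0.53 on udp/53. A session list like this, taken at the boundary between two segments, is the raw material for the allow-list firewall rules the paragraph above describes; anything not on the list is a candidate for blocking, or for closer inspection.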


Investigating potential rogue hosts

While looking at captured network traffic from a known network with NetworkMiner, new unknown hosts might show up as well as evidence indicating that a host has been compromised. Such hosts might be rogue hosts and should be handled with care. Common procedures might be to locate the rogue host in order to shut it down or remove it from the network, but it is often useful to monitor all the traffic to and from the host for awhile in order to get a better understanding of what is going on. The captured traffic can also provide forensic evidence that might be of value later on. An attacker might also be able to erase all log files and traces on the compromised host but would not be able to delete the captured traffic from your network monitoring system.

The network-based evidence might be the only evidence available for forensic analysis if you are dealing with a skilled attacker. If you do not have the possibility to monitor a host's traffic from the network, then another more primitive option is to actually log into the machine and perform the packet capturing locally. NetworkMiner supports this feature since it can be run directly from a USB thumbdrive and does not require installation. Monitoring hosts locally is, however, more suitable for troubleshooting and network discovery than it is for monitoring a compromised machine since you normally do not want to alter anything on the host being investigated.

Nowadays, a large amount of traffic is being sent through wireless networks, so be sure to monitor your airspace for rogue hosts and rogue access points that use IEEE 802.11 WiFi. Tools such as Kismet can be used to detect hosts and access points using WiFi, but unfortunately Kismet does not provide much information about the detected hosts. By loading Kismet capture files into NetworkMiner, or by performing live WiFi sniffing with NetworkMiner using an AirPcap device, you will be able to get the most out of your wireless monitoring.


Reassembling transferred files

NetworkMiner is also useful for reassembling and extracting files from captured network traffic. Examples of protocols from which NetworkMiner can perform file reassembly are HTTP, FTP and SMB. By loading the pcap files from The Honeynet Project's "Scan of the Month 28" (sotm28) (tinyurl.com/5quoav) into NetworkMiner you will be able to examine not only what the attacker did, but also the contents of the files he downloaded to the compromised machine. By selecting the "files" tab and right-clicking a file you get a context menu which allows you to open the file or the parent folder. By looking at NetworkMiner's files tab after loading the pcap files from sotm28, one will see that after gaining control of the machine, the attacker started out by using ftp in order to download wget to the compromised machine. The attacker was then able to use wget to download other applications such as psyBNC, which is often used as a backdoor into a compromised machine or to allow someone to remotely control the machine as part of a botnet.

The file reassembly functionality in NetworkMiner also allows you to view any web page which has been retrieved across the monitored network. Therefore, by right-clicking an html file you will be able to open an offline version of that particular web page.

Apart from the normal file transfer protocols, NetworkMiner is one of the few applications that also support reassembly of files transferred with the TFTP protocol. TFTP is a lightweight file transfer protocol that is often used by bootloaders of embedded systems in order to retrieve executable firmware images (such as a kernel and a file system) from a remote server. The TFTP protocol might be used by an attacker to replace the firmware of your printers, routers, switches, WiFi access points and even firewalls with a special purpose-built firmware. This firmware might, for example, be designed to monitor your network traffic and report data such as captured user credentials to the attacker. This implies that you should not fully trust your firewalls unless you have the ability to see which traffic is entering and leaving your firewall.
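The TFTP file reassembly described above, as an added Python example that is not NetworkMiner's code. It takes UDP datagrams already pulled out of a capture as (src_ip, src_port, dst_ip, dst_port, payload) tuples and follows the RFC 1350 lock-step transfer: a read or write request opens a transfer, each DATA block is appended in order, a retransmitted block is ignored and noted, a gap in block numbers is noted rather than silently hidden, and a block shorter than 512 bytes (or a peer ERROR) closes the file. The sample exchange, addresses and file name are constructed; the blksize option of RFC 2348 is deliberately not handled.

```python
# Added example, not NetworkMiner's own code: reassembling TFTP transfers from
# UDP datagrams that have already been extracted from a capture. The sample
# exchange at the bottom is constructed. Default 512-byte blocks only (RFC 1350).
import struct

TFTP_RRQ, TFTP_WRQ, TFTP_DATA, TFTP_ACK, TFTP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


class TftpReassembler:
    """Tracks transfers keyed by (client_ip, client_port, server_ip).

    The server answers a request from a fresh ephemeral port (its TID), so the
    request's destination port (69) is deliberately not part of the key.
    """

    def __init__(self):
        self.active = {}      # key -> transfer state still receiving blocks
        self.completed = []   # finished transfers, each with its reassembled "data"

    def feed(self, src, sport, dst, dport, payload):
        if len(payload) < 4:            # too short for any opcode + field
            return
        opcode = struct.unpack("!H", payload[:2])[0]
        if opcode in (TFTP_RRQ, TFTP_WRQ):
            fields = payload[2:].split(b"\x00")
            mode = fields[1] if len(fields) > 1 else b""
            self.active[(src, sport, dst)] = {
                "filename": fields[0].decode("latin-1"), "mode": mode.decode("latin-1"),
                "direction": "download" if opcode == TFTP_RRQ else "upload",
                "client": src, "server": dst, "expected": 1, "chunks": [], "warnings": []}
            return
        # DATA and ERROR can come from either end: match whichever side sent it.
        key = next((k for k in ((dst, dport, src), (src, sport, dst)) if k in self.active), None)
        if key is None:                 # ACKs and strays from unknown transfers are ignored
            return
        xfer = self.active[key]
        if opcode == TFTP_ERROR:
            code = struct.unpack("!H", payload[2:4])[0]
            msg = payload[4:].rstrip(b"\x00").decode("latin-1")
            xfer["warnings"].append("aborted by peer: error %d %s" % (code, msg))
            self._finish(key)
        elif opcode == TFTP_DATA:
            block, data = struct.unpack("!H", payload[2:4])[0], payload[4:]
            expected = xfer["expected"] & 0xFFFF       # block numbers wrap at 16 bits
            if block == expected:
                xfer["chunks"].append(data)
                xfer["expected"] += 1
            elif block == (expected - 1) & 0xFFFF:     # retransmission of the block we just took
                xfer["warnings"].append("duplicate block %d" % block)
                return
            else:                                      # the capture lost packets: keep going, say so
                xfer["warnings"].append("gap: expected block %d, got %d" % (expected, block))
                xfer["chunks"].append(data)
                xfer["expected"] = block + 1
            if len(data) < BLOCK_SIZE:                 # a short block ends the transfer
                self._finish(key)

    def _finish(self, key):
        xfer = self.active.pop(key)
        xfer["data"] = b"".join(xfer["chunks"])
        self.completed.append(xfer)


def reassemble(datagrams):
    """Feed a sequence of (src, sport, dst, dport, payload) tuples; return (completed, still_open)."""
    r = TftpReassembler()
    for d in datagrams:
        r.feed(*d)
    return r.completed, r.active


def data_pkt(block, body):
    return struct.pack("!HH", TFTP_DATA, block) + body


# Constructed exchange: a client reads "firmware.bin" from a server; the server
# answers from port 3333 and block 2 is delivered twice (a retransmission).
SAMPLE_DATAGRAMS = [
    ("10.0.0.7", 2001, "10.0.0.1", 69, struct.pack("!H", TFTP_RRQ) + b"firmware.bin\x00octet\x00"),
    ("10.0.0.1", 3333, "10.0.0.7", 2001, data_pkt(1, b"A" * 512)),
    ("10.0.0.7", 2001, "10.0.0.1", 3333, struct.pack("!HH", TFTP_ACK, 1)),
    ("10.0.0.1", 3333, "10.0.0.7", 2001, data_pkt(2, b"B" * 512)),
    ("10.0.0.1", 3333, "10.0.0.7", 2001, data_pkt(2, b"B" * 512)),
    ("10.0.0.7", 2001, "10.0.0.1", 3333, struct.pack("!HH", TFTP_ACK, 2)),
    ("10.0.0.1", 3333, "10.0.0.7", 2001, data_pkt(3, b"C" * 100)),
]
```

`reassemble(SAMPLE_DATAGRAMS)` returns one completed download of 1124 bytes named firmware.bin with a single warning about the duplicated block 2, and no transfer left open. For the defensive use the paragraph above has in mind, the interesting outputs are the "server", "direction" and "filename" fields: a printer or access point that starts pulling an image from a server you do not recognise is exactly the event worth alerting on, and the reassembled bytes are what you would hand to whoever analyses the firmware.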

By monitoring the network traffic to and from the embedded systems on your network, you actually have the possibility to see if they are acting as expected; you would, for example, not expect your printers to post files to an external FTP server, would you?

If you monitor the traffic that leaves your network you will be able to see what information is being exposed to external non-trusted parties. NetworkMiner also has a keyword search functionality that allows you to search all traffic (regardless of protocol) for keywords such as "confidential".


Data leakage and data seepage

Another use of NetworkMiner is in evaluating how much data, regarding you and your computer, is being disclosed to the network without your knowledge. By connecting your laptop to an unknown network or unencrypted WiFi access point you make this data available to any malicious lurker who might be sniffing that particular network. Not only might the lurker be able to read your emails and see your passwords, he may also be able to identify your previous IP address and to see which file servers you have network shares on. This type of information is called "Data Seepage" and can be used by an attacker to gain useful information in order to, for example, plan an attack. By launching NetworkMiner locally on your own machine, you will be able to see what information your computer is leaking to potentially malicious network-lurkers who might be performing Man-in-the-Middle or WiFi sniffing. After using NetworkMiner, you will soon learn that connecting your computer into an unknown network (wired or wireless) cannot be considered "safe sex"; so be sure to use protection if you wish to connect your Ethernet cable to a non-trusted RJ45 socket.




--

Erik Hjelmvik is an independent network security researcher and open source developer. He also works as a software development consultant, specialising in embedded systems. In the past, Erik served as an R&D engineer at one of Europe's largest electric utility companies, where he worked with IT security for SCADA and process control systems.

Source: http://www.forensicfocus.com/passive-network-security-analysis-networkminer

Win32dd is a free, 100% open-source kernel-mode tool to acquire physical memory

Because user-land access to \Device\PhysicalMemory has been restricted since Windows 2003 SP1, kernel-land access is needed to dump physical memory. With win32dd you can do it for free! Moreover, the full source code is provided.


Download win32dd v1.2.1.20090106 now!





README file for win32dd - Kernel mode physical memory acquisition v1.2.1.20090106

Web
-----

Author website:
- http://www.msuiche.net


Authors
---------------
Win32dd - v1.2.1.20090106 - Kernel land physical memory acquisition
Copyright (c) 2007 - 2009, Matthieu Suiche
Copyright (c) 2008 - 2009, MoonSols

Changelog
---------

- 2009-01-06
- Multi-processors support (32 max) for Microsoft crash dump generation.
- v1.2.1

- 2008-11-05
- Several improvements.
- Two types of raw dump and two types of MSFT dmp file.
- v1.2

- 2008-08-18
- Security guidelines. Bug fixing on XP SP2.

- 2008-06-15
- Bug fixing: Small dump and ZwSection() (Thanks Aaron)
- v1.0.20080615

- 2008-06-14
- Initial release v1.0.20080614

Greets
------
We would also like to acknowledge those who have provided valuable
feedback, bug reports, and testing:

Aaron Walters
Andy Ward
Brendan Dolan-Gavitt
DiabloNova
Frank Boldewin
George M. Garner Jr.
Harlan Carvey
Jon Evans
Martim Carbone
Michael Cohen
Nicolas Ruff
Peter Silberman
Ivanlef0u
Rob Lee
Sebastien R.


Licence
-------
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for
software and other kinds of works.

The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.

When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.

To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.

For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.

Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.

For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.

Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.

Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.

The precise terms and conditions for copying, distribution and
modification follow.

TERMS AND CONDITIONS

0. Definitions.

"This License" refers to version 3 of the GNU General Public License.

"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.

"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.

To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.

A "covered work" means either the unmodified Program or a work based
on the Program.

To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.

To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.

An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.

1. Source Code.

The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.

A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.

The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.

The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.

The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.

The Corresponding Source for a work in source code form is that
same work.

2. Basic Permissions.

All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.

You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.

Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.

3. Protecting Users' Legal Rights From Anti-Circumvention Law.

No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.

When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.

4. Conveying Verbatim Copies.

You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.

You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.

5. Conveying Modified Source Versions.

You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:

a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.

b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".

c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.

d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.

A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.

6. Conveying Non-Source Forms.

You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:

a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.

b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.

c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.

d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.

e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.

A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.

A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.

"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.

If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).

The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.

Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.

7. Additional Terms.

"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.

When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.

Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:

a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or

b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or

c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or

d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or

e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or

f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.

All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.

If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.

Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.

8. Termination.

You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).

However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.

Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.

9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.

An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.

You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.

11. Patents.

A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".

A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.

Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.

In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.

If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.

If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.

A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.

Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.

13. Use with the GNU Affero General Public License.

Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.

If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.

Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.

17. Interpretation of Sections 15 and 16.

If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.


Copyright (C)

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see .

Also add information on how to contact you by electronic and paper mail.

If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:

Copyright (C)
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".

You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
.

The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read .

Source: http://win32dd.msuiche.net/

More on injections

Here are some more links to very good texts on process injection and related topics

http://inexinferis.in.funpic.org/index.php?name=articles&req=viewarticle&artid=9&pagid=2
http://foro.elhacker.net/programacion_cc/inyeccion_dll_en_c-t124782.0.html
http://inexinferis.in.funpic.org/index.php?name=Articles

Make good use of them. Regards

Attack: What are Command Fixation Attacks (CFA)?

This term has started to be used as part of what is known as BlackHat Terminology.
It is a type of attack that evolved from XSS.

There is a growing trend of using client-side technology features that allow attackers to execute commands without the user's authorization. This is therefore called a Command Fixation Attack (CFA), and in some cases the command parameters are injected as well, since these attacks are very similar to Session Fixation Attacks, well known in the web security world. This section describes numerous case studies in this category.

Sources:
http://pwneds.blogspot.com/2008/08/nueva-terminologia-blackhat.html
http://www.gnucitizen.org/blog/new-terminology/
http://blog.segu-info.com.ar/2009/01/ataque-que-es-command-fixation-attacks.html

Google Chrome: Incognito mode... or browsing without leaving traces

Anonymity on the Internet is a very important topic; clearly, many of us would like not to exist (cybernetically) so that nobody notices our steps. However, nowadays that is (generally) nearly impossible for regular users.

Now, Google Chrome offers a new feature that is undoubtedly one of its advantages over other web browsers: its "incognito mode", that is, browsing the Internet without leaving traces on the computer where Chrome is installed.

Incognito mode is used when you want to browse without leaving traces of the web pages you visited in the browsing history, nor of the files you download. Very useful when, for example (as the Chrome people suggest), you are preparing a surprise or want to hide something.

When you close the incognito browsing session, Google Chrome will delete all the cookies and temporary files from your browsing, which is the whole point of the mode. Of course, it will not delete the files you downloaded to your disk; that part is up to you.

If you want to browse in incognito mode, you can right-click a link and then select the option "Open link in incognito window"; or, from the configuration menu (the wrench button), choose the Incognito mode option.

So now you know: to increase your privacy, I recommend using Google Chrome with this feature, which is quite interesting and quite handy in certain situations.

More information on Incognito mode

Source: http://www.bloginformatico.com/google-chrome-modo-incognito-o-navegacion-anonima.php

Aircrack-ng-1.0-rc1 suite

Well, let's take a quick look at what all this is about:

Aircrack itself simply takes a .cap file, that is, the one containing all the captured traffic from which we are going to recover the password; this package is the suite that contains everything needed in one place: detector, sniffer, injector, cracker, etc.

"Aircrack-ng is a program capable of decoding WEP and WPA-PSK keys once it has captured a sufficient number of packets from the Wi-Fi network that uses this type of password encoding."

Download link

aircrack-ng-1.0-rc1.rar
http://rapidshare.com/files/121950919/aircrack-ng-1.0-rc1.rar



Airbase-ng 1.0 rc1 - (C) 2008 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org

usage: airbase-ng

Opciones:


-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to en-/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages)
-A : Ad-Hoc Mode (allows other clients to peer)
-Y in|out|both : external packet processing
-c channel : sets the channel the AP is running on
-X : hidden ESSID
-s : force shared key authentication (default: auto)
-S : set shared key challenge length (default: 128)
-L : Caffe-Latte WEP attack (use if driver can't send frags)

-N : cfrag WEP attack (recommended)
-x nbpps : number of packets per second (default: 100)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can't be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file

Filter options:
--bssid MAC : BSSID to filter/use
--bssids file : read a list of BSSIDs out of that file
--client MAC : MAC of client to filter
--clients file : read a list of MACs out of that file
--essid ESSID : specify a single ESSID (default: default)
--essids file : read a list of ESSIDs out of that file

--help : Displays this usage screen

No replay interface specified.


Changelog:

* airbase-ng: Multi-purpose tool aimed at attacking clients as opposed to the AP.
* airbase-ng: Added replay tool for external packet processing feature.
* aircrack-ng: Fixed: Displaying twice the wep key at the end and "Warning: Previous crack is still running".
* aircrack-ng: Fixed detection of WPA handshake (was not working correctly in previous release).
* aircrack-ng: Fixed PTW attack against QoS and WDS packets.
* aircrack-ng: Added oneshot option to try PTW only once.
* airodump-ng: Fixed channel numbers (Fixed "fixed channel" messages).
* airodump-ng: Added frequency selection (-C).
* aireplay-ng: Fixed injection on OpenBSD.
* aireplay-ng: Fixed an rtc bug which froze aireplay-ng in case /dev/rtc0 is not available.
* aireplay-ng: Fixed chopchop attack against QoS packets.
* aireplay-ng: Added Caffe-Latte attack.
* aireplay-ng: Added CFrag attack: Turns every IP and ARP packet into an ARP request against the client.
* airtun-ng: Added support for fragmented packets.
* airdriver-ng: Updated drivers.
* airserv-ng: Various fixes.
* airmon-ng: Added nl80211 usage.
* airmon-ng: Use 'iw' when it is found.
* airmon-ng: Fixed error with madwifi-ng when creating new VAP.
* wesside-ng: Added option to ignore ACKs.
* OSdep: Fixed endianness bugs.
* OSdep: Orinoco: attempt to bring interface down before switching to monitor mode.
* All: Added copyright and GPL in missing files.
* All: Fixed compilation on Mac OSX 10.5.2 (PPC).
* GUI: Fixed "Choose" button (airdecap-ng).
* Makefile: Fixed usage of iCC versions other than 9.0.
* patches: Updated rtl8187 patch.
* patches: Updated madwifi-ng patch.
* patches: Updated sqlite patch (cygwin).
* patches: Added mac80211 frag patch.
* patches: Added b43 and updated bcm43xx patches.
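The changelog above describes airbase-ng as a tool for attacking clients rather than the AP; from the defender's side, the patterns such client-side attacks leave on the air are a second BSSID beaconing an ESSID that already exists (rogue or "evil twin" AP) and bursts of deauthentication frames. The following detector is an added example, not code from the aircrack-ng project or the original post; it assumes a pcap with link type 105 (raw 802.11 frames without a radiotap header), and the sample capture, MAC addresses and ESSIDs are constructed.

```python
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105      # raw 802.11 frames, no radiotap header
BROADCAST = b"\xff" * 6
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 8, 12


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) records from a little-endian pcap."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap of raw IEEE 802.11 frames")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_mgmt(frame):
    """Return (subtype, addr2, addr3, body) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc = frame[0]                          # version | type | subtype bit fields
    if ((fc >> 2) & 0x3) != 0:             # type 0 = management
        return None
    return fc >> 4, frame[10:16], frame[16:22], frame[24:]


def beacon_ssid(body):
    """SSID element (tag 0) from a beacon body; 12 fixed bytes precede the tags."""
    off = 12
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        if tag == 0:
            return body[off + 2:off + 2 + length].decode("utf-8", "replace")
        off += 2 + length
    return None


def analyze(data, deauth_threshold=10, window=1.0):
    """Report ESSIDs beaconed by more than one BSSID (evil twin) and any sender
    that emits >= deauth_threshold deauth frames inside `window` seconds."""
    ssid_bssids = defaultdict(set)
    deauth_times = defaultdict(list)
    for ts, frame in parse_pcap(data):
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        subtype, addr2, addr3, body = parsed
        if subtype == SUBTYPE_BEACON:
            ssid = beacon_ssid(body)
            if ssid:
                ssid_bssids[ssid].add(mac(addr3))
        elif subtype == SUBTYPE_DEAUTH:
            deauth_times[mac(addr2)].append(ts)
    floods = []
    for sender, times in deauth_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):      # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= deauth_threshold:
                floods.append(sender)
                break
    twins = {s: sorted(b) for s, b in ssid_bssids.items() if len(b) > 1}
    return {"evil_twins": twins, "deauth_floods": sorted(floods)}


# --- constructed sample capture (not a real recording) ----------------------
def _beacon(bssid, ssid):
    header = b"\x80\x00\x00\x00" + BROADCAST + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, capab
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()


def _deauth(sender, client):
    return b"\xc0\x00\x00\x00" + client + sender + sender + b"\x00\x00" + struct.pack("<H", 7)


def build_sample_pcap():
    """A legitimate AP, an evil twin beaconing the same ESSID, then a deauth burst."""
    ap, twin = bytes.fromhex("00112233aabb"), bytes.fromhex("0011223399ee")
    client = bytes.fromhex("c0ffeec0ffee")
    frames = [(0.0, _beacon(ap, "CorpWiFi")), (0.1, _beacon(twin, "CorpWiFi")),
              (0.2, _beacon(ap, "GuestWiFi"))]
    frames += [(1.0 + i * 0.02, _deauth(twin, client)) for i in range(30)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame))
        out += frame
    return out


if __name__ == "__main__":
    print(analyze(build_sample_pcap()))
```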




Suite Aircrack-ng-1.0-rc1

airbase-ng.exe
Aircrack-ng GUI.exe
aircrack-ng.exe
airdecap-ng.exe
aireplay-ng.exe
airodump-ng.exe
airolib-ng.exe
airserv-ng.exe
airtun-ng.exe
buddy-ng.exe
cygcrypto-0.9.8.dll
cygwin1.dll
cygz.dll
easside-ng.exe
ivstools.exe
kstats.exe
makeivs-ng.exe
msvcr70.dll
packetforge-ng.exe
wesside-ng.exe
wzcook.exe



Sources:

http://lampiweb.com/foro/index.php/topic,2110.0.html
http://www.luchoedu.org/descargas/aircrack-ng-10-rc1-video-guia/ --Video guide (linux)
http://www.pisitoenmadrid.com/blog/2006/12/tutorial-hacking-wireless/ --good tutorial

Well, with this information a few concepts should be clear enough to start from scratch; any questions, ask here :D

Regards

UPnP Network Hacking - Part II

An overview of the UPnP protocol

The UPnP protocol uses the multicast address 239.255.255.250 and TCP port 1900. Devices that offer UPnP services periodically send SSDP NOTIFY messages to 239.255.255.250:1900, announcing themselves to any UPnP client that is listening. If you watch the traffic on a LAN whose router has UPnP services enabled, you will notice that it sends a burst of SSDP NOTIFY messages every few seconds; this happens because most routers actually advertise themselves as multiple UPnP devices, and send one notification per device type.

Likewise, UPnP clients can send SSDP M-SEARCH requests to 239.255.255.250:1900 to see whether any UPnP device responds. Clients can send an M-SEARCH request looking for any UPnP device, or they can specify that they are looking for a particular device, or they can query only for devices that support a specific UPnP service. UPnP hosts matching the requested devices/services reply with an SSDP RESPONSE message, which contains the same information as an SSDP NOTIFY message.

An SSDP NOTIFY message sent by a UPnP host contains a 'Location' header that specifies the location of an XML file. This XML file contains data indicating, among other things, the device type and the services supported by the host, as well as the paths to additional XML documents that describe the services in detail. To discover the full UPnP capabilities of an IGD, all the XML files must be parsed to extract the device types, services, and actions offered by the IGD.

UPnP devices support several services, which in turn advertise the actions they support. A UPnP client can send a request to the UPnP device at any time; this could be a request to open a port, change the default DNS server, or anything else the device supports. The data sent/returned in any request or response is transported using SOAP, which uses XML to structure the information exchanged between the two parties. SOAP requests are essentially HTTP POST requests with some additional SOAP headers included among the HTTP headers.

Auditing UPnP devices manually

To find out whether a router supports UPnP, you can go to its administrative interface and check whether there is an option to enable/disable UPnP; while most routers have UPnP enabled by default, some do not.

To really audit the configuration of a UPnP device, you can fire up Wireshark and look for SSDP NOTIFY packets being sent to the multicast address 239.255.255.250 on port 1900; these notifications are UPnP devices announcing themselves to the network. Once SSDP NOTIFY messages have been captured, you can examine the SSDP headers of the captured data to obtain the location of the root XML file. Once you have that file (simply by issuing an HTTP GET request), you can examine it to see which devices and services the UPnP host supports. Then you can request the additional XML files from the host (one per service) and parse those XML files to determine which actions each service supports, and then correlate the possible state variables (input/output variables) used by each action, as well as identify which variables are used as "input" and which as "output" (one action may use a variable as an input parameter, while others use the same variable as an output parameter).

Obviously, auditing UPnP hosts manually can be extremely time-consuming and forces us to craft requests to the UPnP devices by hand in order to launch attacks against them. Using a tool to automate the process would make our lives much easier... That is what we will cover in part III of the article.
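The manual audit described above (SSDP NOTIFY, its Location header, the root description XML, then one SCPD XML per service listing actions with their "in" and "out" arguments) as an offline script an auditor can run over captured material; added example, not from the article or the DragonJAR translation. The SSDP message and both XML documents are constructed inline (the address 192.0.2.1 and the UUID are placeholders); the device, service and action names are standard UPnP IGD identifiers.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

DEV = "{urn:schemas-upnp-org:device-1-0}"      # namespace of the root description
SVC = "{urn:schemas-upnp-org:service-1-0}"     # namespace of each SCPD document

# Constructed SSDP NOTIFY, as a router would multicast it; the UUID is a placeholder.
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
    "NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "NTS: ssdp:alive\r\n"
    "USN: uuid:PLACEHOLDER-UUID::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n"
)

# Constructed root description: an IGD with one embedded device and one service.
SAMPLE_ROOT_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <friendlyName>Example IGD</friendlyName>
  <serviceList/>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
   <serviceList><service>
    <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
    <controlURL>/ctl/IPConn</controlURL>
    <SCPDURL>/WANIPCn.xml</SCPDURL>
   </service></serviceList>
  </device></deviceList>
 </device>
</root>"""

# Constructed SCPD for that service: two actions with in/out arguments.
SAMPLE_SCPD_XML = """<?xml version="1.0"?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
 <actionList>
  <action><name>AddPortMapping</name><argumentList>
   <argument><name>NewExternalPort</name><direction>in</direction></argument>
   <argument><name>NewInternalClient</name><direction>in</direction></argument>
  </argumentList></action>
  <action><name>GetExternalIPAddress</name><argumentList>
   <argument><name>NewExternalIPAddress</name><direction>out</direction></argument>
  </argumentList></action>
 </actionList>
</scpd>"""

# Offline stand-in for the HTTP GET of each XML file.
OFFLINE_DOCS = {
    "http://192.0.2.1:5000/rootDesc.xml": SAMPLE_ROOT_XML,
    "http://192.0.2.1:5000/WANIPCn.xml": SAMPLE_SCPD_XML,
}


def parse_ssdp(message):
    """Header dict (upper-cased names) from an SSDP NOTIFY or RESPONSE message."""
    headers = {}
    for line in message.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def walk_devices(device, base_url):
    """Yield (deviceType, serviceType, controlURL, SCPDURL) for every service,
    descending into embedded devices; relative URLs are resolved against LOCATION."""
    dtype = device.findtext(DEV + "deviceType")
    for svc in device.iterfind(f"{DEV}serviceList/{DEV}service"):
        yield (dtype, svc.findtext(DEV + "serviceType"),
               urljoin(base_url, svc.findtext(DEV + "controlURL")),
               urljoin(base_url, svc.findtext(DEV + "SCPDURL")))
    for child in device.iterfind(f"{DEV}deviceList/{DEV}device"):
        yield from walk_devices(child, base_url)


def parse_scpd(xml_text):
    """{action name: {'in': [arg names], 'out': [arg names]}} from an SCPD document."""
    actions = {}
    for act in ET.fromstring(xml_text).iterfind(f"{SVC}actionList/{SVC}action"):
        args = {"in": [], "out": []}
        for arg in act.iterfind(f"{SVC}argumentList/{SVC}argument"):
            args.setdefault(arg.findtext(SVC + "direction"), []).append(arg.findtext(SVC + "name"))
        actions[act.findtext(SVC + "name")] = args
    return actions


def audit(notify, fetch):
    """fetch(url) -> XML text. Returns [(deviceType, serviceType, controlURL, actions)]."""
    location = parse_ssdp(notify)["LOCATION"]
    root = ET.fromstring(fetch(location)).find(DEV + "device")
    return [(dtype, stype, control, parse_scpd(fetch(scpd)))
            for dtype, stype, control, scpd in walk_devices(root, location)]


if __name__ == "__main__":
    for dtype, stype, control, actions in audit(SAMPLE_NOTIFY, lambda url: OFFLINE_DOCS[url]):
        print(dtype, stype, control)
        for name, args in actions.items():
            print(f"  {name}: in={args['in']} out={args['out']}")
```

Against a live device, `fetch` would be an HTTP GET of each URL; the rest of the script is unchanged.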

=======================
UPnP Network Hacking - Part I
UPnP Network Hacking - Part II
=======================

Second part of the article Plug-N-Play Network Hacking, translated by Cortex in our Community Article Translation section.


Source: http://www.dragonjar.org/hacking-de-redes-upnp-parte-ii.xhtml

Windows Viewers & Information Extractors for Various File Types


I’d been doing a bit of work with EnCase to optimize my configuration and minimize the amount of work required to view various file types or extract specific data from them. The results from this are a list of applications and a few associated options for use in employing them as viewer plugins for your forensic tool of choice.

1. Regripper

This tool, developed and maintained by Harlan Carvey, author of Windows Forensic Analysis, is a great all-purpose registry data extractor. It has many different plugins that handle extraction of different information, and I believe that Harlan updates it frequently. I sometimes browse its output by eye when digging for things that are frustratingly nonspecific.

It’s a command-line-only utility, but you can run it from within a GUI tool such as EnCase by specifying CMD as the actual command, and then putting the meat into the options, such as “/c cd /d fullpath\regripper&rip -r [file] -f sam&pause”. This will dump the text output into the buffer of the CMD shell (which will, of course, need its default size expanded), then pause until the user hits the spacebar. You can copy and paste items of note out of the buffer while it’s open if desired. I have 6 different lines of this nature in my EnCase configuration to deal with the various registry file types supported by regripper.

2. NavRoad Offline HTML Browser

Often, html files recovered from a subject’s browser cache won’t display properly in a browser because of missing content that’s expected to be downloaded directly. NavRoad gets around that, and will usually format all of an html document’s content for display.

3. 7zip

The 7zip archive browser, 7zFM, is a great way to deal with a large assortment of archive formats which may or may not be directly supported by your forensic tool of choice.

4. GlobFX Swiff Player

When examining downloaded multimedia web content, you often come across downloaded shockwave flash (.swf) movies. This application allows them to be played normally.

5. Wimpy FLV Player

FLV is a different flash video format. I’ve found it typically used for youtube content.

6. VideoLAN VLC

I’ve found this open source multimedia player application to be one of the most reliable ways to play almost any audio/video content. There’s no need to download any special codecs. The only things I’ve found so far that it won’t play are flash and some of the realmedia formats. It may also have issues with DRM protected files, but I haven’t run into any yet.

7. RealPlayer

As mentioned above, VLC has issues with some of real.com’s special formats, so I also include their player as a viewer.

8. SQLite Database browser

There are a number of applications that store cache or configuration data in the sqlite database format. I’ve mentioned a couple of them in previous blog postings. This application lets you examine the data contained in such a database directly.

9. Exiftool

I originally obtained this tool specifically for extracting embedded metadata from within .jpg files. I’ve since discovered that it also does a pretty good job on MS Office documents, and examination of the documentation shows that it supports a plethora of other file types.

10. AccessPDF pdftk

This tool is specifically designed to extract metadata from within PDF documents. Like regripper above, it’s a command-line-only tool, so executing it from within a GUI application takes some finagling. As with regripper, I use CMD as the application, and put the meat in the options: “/c fullpath\pdftk-1.12\pdftk.exe [file] dump_data output - & pause”.

11. Pinpoint Metaviewer

Another GUI application for extracting metadata from MS Office documents.

12. Codeplex JSON Viewer

I dug up this utility while working on analyzing the content of gmail datapack files. It’s able to take the text from one of those files and format it so that it’s easy to make visual sense of. I don’t use it a lot, but I think it’s handy.

13. Extract

Extract is a command line utility that’s provided as part of the open-source libextractor library for linux. It’s what metagoofil uses to extract metadata, and was the first metadata viewer that I attempted to install. By dint of much persistence, I was able to compile it under Windows using the current version of cygwin. I also had to download and install the following packages (most of them were just trying to get PDF extraction to work, and not all of them may have actually been necessary): freetype-2.3.1, lesstif-0.95.0, libgsf-1.14.10, libmpeg2-0.5.1, t1lib-5.1.0, xpdf-3.02. This may or may not actually be worth the work, as I’m not sure that it extracts any data that the other metadata viewers I’ve found since (see above) do not.

14. Please add comments with file types you can’t browse, or file browsers that you think are useful

I’ll start the ball rolling. I’m looking for something I can use to play .qtch Quicktime cache files. Alternatively, I’d like to at least be able to determine what the URL download was that caused the creation of the cache file. Does anybody know anything that can be done with these files?

As always, you’re also welcome to leave commentary if you liked this article or want to call me on the carpet for some inaccuracy.

John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a fortune 500 telecommunications equipment provider.


Source: http://sansforensics.wordpress.com/2008/12/17/windows-viewers-information-extractors-for-various-file-types/

Forensic Gmail Artifact Analysis


I don’t know if you’ve had the pleasure of trying to extract GMail message content from a drive image, but there aren’t a lot of references out there. Those that I found helpful, I’ve listed below.

Gmail uses JavaScript to manage the user experience on the front end, and passes content back and forth between the client and server using ‘datapack’ files, which are formatted using JavaScript Object Notation (JSON). See Google for details on JSON, but basically a complete datapack file looks something like the following (indentation & newlines added):

while(1);
[
[
["tag1","string1.1","string1.2","string1.3","string1.4","string1.5"]
,["tag2","data2.1"]
,["tag3"
,[]
,[]
]
,["tag4",number4.1]
,["tag5",number5.1]
,["tag6","string6.1","string6.2","string6.3","string6.4",number6.5,
number6.6,number6.7,"string6.8","string6.9"]
.
.
.
.
]
]

Each pair of brackets is a data structure. Given a complete datapack file and a complete description of each tag, including its name and the ordering and individual descriptions of each of its various subordinate data fields, one could format the contents for display as the GMail application did originally.

Here’s what I’ve got so far (no subfield descriptions, sorry):

Keyword/Tagname   Description
["gn",            Account Name
["st",            Server name
["qu",            Account Quota
["ds",            Folders
["t",             Message List (Thread)
["cs",            Conversation Summary
["mi",            Message Information/Index
["mb",            Message Body (This is where the meat is)
["ma",            Message Attachments (Number & Filenames)
while(1);         GMail Data Packet header (beginning of file)
["i",             Invitation
["ft",            Fast Tip (no I don't know what that means)
["ct",            Categories/Labels/Contacts
["ts",            Thread Summary (Similar to Conversation Summary)
["te",            End of Thread List
["v",             GMail Version

"So where do I find the files that contain this content?", you ask. Sad to say, sometimes you don't. The reason that this data is sometimes lying around to benefit a forensic analyst is largely because of browser bugs or lack of proper support for the no-cache HTML meta tag. This data isn't supposed to be written to disk in the first place, but due to a number of issues outside the scope of this article, it often is. I understand that support is improving for this in newer browser versions, so most GMail forensics may soon be a thing of the past. Then again, some people are still running Windows 95 (shudder) so this will probably be useful for a while at least.

When the files are cached, you will find them named "mail[somenumber]", and located either in Temporary Internet Files, or wherever your tool of choice puts files it can’t identify the previous location of. You’ll also quite often be able to find these files in unallocated space by searching for the various keywords I’ve specified. Additionally, you will find other files in the same places named "mail[somenumber].htm". While these contain other ‘stuff’, there’s often some JSON as described above buried inside them.

Finally, the most useful part of this is the “mb” datapacks, which contain the formatted body of a message. All message body elements found in a given file belong to the same message, and can simply be concatenated to produce a mostly readable body. The following UNIX/cygwin shell script can be applied to a datapack file to render any message body it might contain back into more-or-less displayable HTML:

#!/bin/sh
# For each datapack file given on the command line, render its "mb" (message
# body) records into <file>.html. Every "mb" line in one file is a chunk of
# the same message body, so the chunks are simply appended in order.
for I in "$@"
do
    grep '"mb"' "$I" | while IFS= read -r L
    do
        # 1: drop escaped newlines ("\n", optionally followed by a space)
        # 2-5: turn the JSON \uXXXX escapes for > = & < back into characters
        # 6-7: strip the ,["mb"," prefix and the ",1] suffix of the record
        # 8: unescape the embedded \" quotes
        printf '%s\n' "$L" | sed \
            -e 's/\(\\n \?\)\+//g' \
            -e 's/\\u003e/>/g' \
            -e 's/\\u003d/=/g' \
            -e 's/\\u0026/\&/g' \
            -e 's/\\u003c/</g' \
            -e 's/^,\["mb","//' \
            -e 's/",1\]$//' \
            -e 's/\\"/"/g' \
            >> "$I.html"
    done
done

Source: http://sansforensics.wordpress.com/2008/09/19/forensic-gmail-artifact-analysis/
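The same extraction done on the parsed structure instead of with sed, as an added Python example that is not part of the original post. It decodes a datapack of the shape shown above (the tag names are the article's; the sample values, the two-chunk message and the function names are constructed for this example), groups records by tag, and concatenates the "mb" chunks into one body. json.loads undoes the \u003c-style escapes and the \" quoting by itself, so the only clean-up left is dropping the escaped newlines. A second function does the same directly on raw text, for fragments carved from unallocated space that no longer parse as a whole.

```python
import json
import re

# Every datapack starts with this anti-XSSI guard; it is not JSON and has to go.
PREFIX = "while(1);"

# Constructed sample in the shape described above. The tag names are the
# article's; the values (and the two-chunk body) are made up for this example.
SAMPLE = r'''while(1);
[
[
["v","1234abcd"]
,["gn","Jane Doe"]
,["st","mail.google.com"]
,["mb","\u003cdiv\u003eHello, \"Jane\"\u003c/div\u003e",1]
,["mb","\u003cp\u003eSee you at 5 \u0026 bring the files.\u003c/p\u003e",1]
,["te"]
]
]
'''


def parse_datapack(text):
    """Strip the while(1); header and decode the nested JSON arrays."""
    text = text.lstrip()
    if text.startswith(PREFIX):
        text = text[len(PREFIX):]
    return json.loads(text)


def index_tags(node, index=None):
    """Walk the structure; any array whose first element is a string is a
    tagged record ("gn", "mb", ...). Records are grouped by tag, and the walk
    continues inside them because tags such as "t" and "ds" nest others."""
    if index is None:
        index = {}
    if isinstance(node, list):
        if node and isinstance(node[0], str):
            index.setdefault(node[0], []).append(node)
        for child in node:
            index_tags(child, index)
    return index


def message_body(datapack):
    """Concatenate the "mb" chunks: all of them in one file belong to one
    message. json.loads has already turned \\u003c, \\u003e, \\u003d and
    \\u0026 back into < > = & and \\" into a plain quote, so only the literal
    newlines are dropped, as the sed script above does."""
    chunks = [rec[1] for rec in index_tags(datapack).get("mb", [])
              if len(rec) > 1 and isinstance(rec[1], str)]
    return "".join(chunks).replace("\n", "")


# The same prefix/suffix the sed script strips: ,["mb","<escaped html>",1]
MB_RE = re.compile(r',\["mb","(.*?)",1\]', re.S)


def message_body_lenient(text):
    """Body extraction straight from raw text, for fragments carved from
    unallocated space that are no longer a complete, valid datapack."""
    chunks = []
    for raw in MB_RE.findall(text):
        try:
            chunks.append(json.loads('"' + raw + '"'))  # decode the JSON string escapes
        except ValueError:
            continue  # chunk cut off mid-escape: skip it rather than abort the carve
    return "".join(chunks).replace("\n", "")


if __name__ == "__main__":
    packet = parse_datapack(SAMPLE)
    print("tags:", sorted(index_tags(packet)))
    print("account:", index_tags(packet)["gn"][0][1])
    print("body:", message_body(packet))
```

On a real cached "mail[somenumber]" file the whole datapack is usually on one line; both functions are indifferent to that. The lenient variant is the one to reach for on carved data, since a single missing bracket makes json.loads reject the entire file.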

If you liked this article, want to add something to it, or simply want to call me on the carpet for some inaccuracy, please feel free to leave a comment.

References: (Some may not be available to those without Guidance Software portal access, sorry)

Slides from CEIC 2008 Presentation on Gmail Forensics

Codeproject page for GMail Agent API / Mail Notifier & Address Importer

Locating GMail Traces Article at ForensicFocus.com

A perl interface to Google’s webmail service

GMail Agent API/Mail Notifier & Address Importer

GMail Evidence - EnCase User’s Group Posting

Web Mail Question - EnCase User’s Group Posting

JSON (Google)

So, You Don’t Want To Cache, Huh?

John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a fortune 500 telecommunications equipment provider.

A Metadata Format For CSV Files


Using CSV files in batch processing applications has many advantages, most prominently interoperability between programming languages and tools. One of its weaker points is data integrity though. The format has no way to declare data types or additional metadata other than assigning names to data fields using a header.

The simple metadata format proposed in this article can help to mitigate this disadvantage.

A Case for CSV

First of all, why would anyone use such a simple plain text format? After all it’s just a semi-structured collection of data sets.

Sure, CSV isn’t exactly the most sophisticated data format available, but it has many advantages that make up for this flaw:

  • CSV is simple and well-understood.
  • There are libraries available for many programming languages or they can easily be written.
  • It can be analysed in a text editor.
  • Samples of a file can be loaded into a spread sheet application.
  • Files can be processed using standard Unix utilities.
  • It is easy to split CSV files into individual, self-contained chunks.

See The Pragmatic Programmer, "The Power of Plain Text" (chapter 3) for a more detailed discussion.

Unfortunately, there are disadvantages, too. Parsing the file format is usually a bit more expensive than for carefully designed binary formats (though it’s much cheaper than parsing XML). And since the ASCII representation of numbers can easily be three times as big as the usual binary representation, CSV files tend to be rather large.

Fortunately, streaming compressors like GZIP typically reduce such files to about 20% of their original size even at the lowest compression level. Compression saves disk space and network bandwidth but it comes at a slightly increased processing cost. In many scenarios, however, the added overhead is negligible compared to the cost of the actual processing.

Using a Simple Metadata Format

There are basically three places where metadata can reside:

  • Inside the data file.
  • As a file next to the actual data files.
  • In a remote metadata repository.

If the data file format is extended to include metadata, we’d have to abandon the CSV format together with its advantages listed above. A remote metadata repository may be useful, but testing is a lot easier if you aren’t coupled to network resources, so a file next to the data seems to be the way to go.

The metadata format proposed here uses XML because it is human readable, well-understood and has excellent tool support (that should sound familiar). The format serves several purposes:

  • It declares the overall representation of CSV files (field separator, whether compression is used etc.).
  • It lists the set of files that make up the entire collection of data sets.
  • It defines the data fields and their respective types.

Here’s an example of how it looks (see the Relax NG Schema for the semi-formal definition):

[The XML example is not preserved in this copy of the article.]

Source: http://unmaintainable.wordpress.com/2008/04/26/metadata-for-csv/

This format is pretty much self-explanatory, except for the data field declarations which use data mining terminology. The continuous type is for floating point numeric values, while the categorical field can be compared to enums in programming languages like C. The optional missing attribute defines how an unknown (aka NULL) value is represented. Of course, different and/or more data types with arbitrary restrictions could be defined.

The data fields have to be listed in the order they appear in the CSV files. Reading applications may choose to accept any order though. Field names have to be unique and may not contain the field separator for obvious reasons.

Depending on policy, applications can either ignore unknown elements (or attributes) or flag an error. There’s also the option of declaring optional parts of the format in a different XML namespace. Some applications can use those elements while others may ignore them safely.

There are several ways of extending XML schemas, either by explicitly allowing unvalidated content (usually in a different namespace) or by including the basic schema from another, more specialized schema that extends definitions as necessary. Updating the base schema can be done via namespace and/or schema versioning, but since this isn’t entirely trivial I’ll leave it for a future article.

A Note on Container Formats

When you split your files into multiple chunks for parallel processing, you end up with lots of files. To avoid confusion and to simplify transfer between systems you might be tempted to use a container format that packages all your data into a single file (using tar, for example). This may work in some cases, but if your data files are large and created in parallel, the creation of the container is a long and I/O-intensive operation. In batch operations this causes a significant overhead that you have to subtract from your time window.

A compromise is to use a natural but cheap container format: A file system directory. It may only be a "virtual" container, but combined with a proper delivery protocol, it’s still useful.

The Delivery Protocol

If you’re handing collections of CSV files from one system to another make sure you follow a simple protocol: Copy the data files first and the metadata file last. The delivery isn’t complete until the metadata file is there. The best approach is to take advantage of the atomic renaming feature many file systems provide (see the rename(2) syscall on Unix). Copy the metadata to a temporary file in the destination directory (or at least on the same file system, since rename(2) cannot move a file across file systems) and then rename it. That way the receiver will never try to read an incomplete file.

The Verification Process

With the information contained in the metadata file, it is easy to verify the CSV files as much as required. The most basic check would only make sure that all of the listed files are there and have the declared file sizes. A simple consistency check would parse the headers to see if all data fields are there. This would also detect if the field separator is correct.

The most thorough check would then go through all of the files and make sure the data fields match their declarations. Since this is extremely expensive, it should usually be a side effect of regular processing rather than an up-front operation.
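An added Python example (not code from the article) of the three verification levels just described, plus the delivery protocol from the previous section. The article keeps the metadata in an XML file; since its element names are not reproduced in this copy, the metadata is represented here as a dict whose key names are an assumption of this example. The two sample chunks, the field declarations and the function names are constructed for it as well.

```python
import csv
import os


def make_sample_collection(directory):
    """Write two constructed CSV chunks into directory and return metadata
    describing them. The dict stands in for the article's XML file; the key
    names are this example's assumption, the concepts are the article's."""
    fields = [
        {"name": "temperature", "type": "continuous", "missing": "NA"},
        {"name": "status", "type": "categorical", "values": ["ok", "fail"]},
    ]
    chunks = {
        "part-0.csv": "temperature,status\n21.5,ok\nNA,fail\n",
        "part-1.csv": "temperature,status\n19.0,ok\n",
    }
    files = []
    for name, body in chunks.items():
        path = os.path.join(directory, name)
        with open(path, "w", newline="") as fh:
            fh.write(body)
        files.append({"name": name, "size": os.path.getsize(path)})
    return {"separator": ",", "compressed": False, "files": files, "fields": fields}


def check_files(meta, directory):
    """Cheapest check: every listed file exists and has the declared size."""
    problems = []
    for entry in meta["files"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.isfile(path):
            problems.append(f"{entry['name']}: missing")
        elif os.path.getsize(path) != entry["size"]:
            problems.append(f"{entry['name']}: size {os.path.getsize(path)} "
                            f"!= declared {entry['size']}")
    return problems


def check_headers(meta, directory):
    """Parse only the header line: catches missing or reordered fields and,
    because the split then yields a single field, a wrong separator."""
    expected = [f["name"] for f in meta["fields"]]
    problems = []
    for entry in meta["files"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.isfile(path):
            continue  # already reported by check_files
        with open(path, newline="") as fh:
            header = next(csv.reader(fh, delimiter=meta["separator"]), [])
        if header != expected:
            problems.append(f"{entry['name']}: header {header} != declared {expected}")
    return problems


def check_value(field, value):
    """Return None if value satisfies the field declaration, else the reason."""
    if value == field.get("missing"):
        return None  # the declared NULL token is always acceptable
    if field["type"] == "continuous":
        try:
            float(value)
        except ValueError:
            return f"not a number: {value!r}"
    elif field["type"] == "categorical":
        if value not in field["values"]:
            return f"not in {field['values']}: {value!r}"
    else:
        return f"unknown type {field['type']!r}"
    return None


def check_records(meta, directory):
    """Thorough check: every value in every row matches its declaration.
    Reads all the data, so in production do it during regular processing."""
    fields = meta["fields"]
    problems = []
    for entry in meta["files"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.isfile(path):
            continue
        with open(path, newline="") as fh:
            reader = csv.reader(fh, delimiter=meta["separator"])
            next(reader, None)  # header already validated by check_headers
            for lineno, row in enumerate(reader, start=2):
                if len(row) != len(fields):
                    problems.append(f"{entry['name']}:{lineno}: {len(row)} fields, "
                                    f"expected {len(fields)}")
                    continue
                for field, value in zip(fields, row):
                    reason = check_value(field, value)
                    if reason:
                        problems.append(f"{entry['name']}:{lineno}: {field['name']} {reason}")
    return problems


def verify(meta, directory, thorough=False):
    """Cheap checks first; spend the full scan only on a consistent set."""
    problems = check_files(meta, directory) + check_headers(meta, directory)
    if thorough and not problems:
        problems += check_records(meta, directory)
    return problems


def publish_metadata(directory, filename, content):
    """Delivery protocol: the metadata file goes last, written under a temporary
    name on the same file system and then renamed, so a reader polling for it
    sees either nothing or the complete file."""
    final = os.path.join(directory, filename)
    tmp = final + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(content)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, final)  # rename(2): atomic replace on POSIX
    return final
```

verify() deliberately stops after the cheap checks when they fail: a size mismatch usually means an incomplete transfer, and scanning the records of a half-copied file only produces noise.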

Recovering Open But Unlinked File Data


By Hal Pomeranz, Deer Run Associates

If you’ve ever been a Unix system administrator, you may have encountered “open but unlinked” files in the course of your normal duties. The typical scenario is a user who’s launched a process that creates an unexpectedly large output file which consumes all of the free space in the partition. In a panic, the user deletes the output file but leaves the process running. Unfortunately, the operating system is not allowed to reclaim the space until the last process that has the output file open actually exits. So until the user kills their process, the space is still in use and the file system is full. But when you as the system administrator log in to free some space in the partition, you’re unable to find the massive file that’s consuming all of the space with your normal file system tools because the file has been unlinked (deleted) from the file system. Finding the process that’s holding the file open and killing it would free the space, but that requires some specialized knowledge and trickery which we’ll see a little later.

In an incident, attackers have been known to use open but unlinked files to hide their data. For example, suppose the attacker were running a packet sniffer that was capturing usernames and passwords off your network and storing it in a file. Perhaps they have another process that’s reading the data as it’s placed in the file and using some covert channel to move it off system. At this point the attacker could delete the data file: the packet sniffer would continue writing data to the file and their reader process could continue reading the data because they opened the file before it was removed from the file system, but the system administrator would have trouble locating the file because it’s now unlinked from the file system. In fact, the attacker can even delete the executables for the packet sniffer and the reader process from the file system and the current processes will continue to run.

This kind of open but unlinked file data can be difficult to recover from a “cold” system image, because the minute the system is shut down and the attacker’s processes are terminated, the data in these files just becomes part of the free block collection and must be recovered like any other deleted file data. However, if you have the luxury of analyzing the running system, it is extremely easy to spot and recover this kind of file data.

Creating Our Test Case

As a stand-in for our attacker’s hypothetical packet sniffer, I’m going to start a tcpdump process and have it dump its packet captures into a file. Since I plan on removing the tcpdump binary as part of my demonstration, I’m first going to make a copy of the binary in /tmp:

# cp /usr/sbin/tcpdump /tmp/tcpdump
# /tmp/tcpdump -w /tmp/capture &
[1] 12437
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
# ls -l /tmp/tcpdump /tmp/capture
-rw-r--r-- 1 root root 4096 2009-01-21 18:08 /tmp/capture
-rwxr-xr-x 1 root root 639416 2009-01-21 18:07 /tmp/tcpdump

So far, so good. Our tcpdump process is running and has captured a little bit of data. Now I’m going to remove the binary and the output file and verify that the process is still running:

# rm /tmp/tcpdump /tmp/capture
# ls -l /tmp/tcpdump /tmp/capture
ls: cannot access /tmp/tcpdump: No such file or directory
ls: cannot access /tmp/capture: No such file or directory
# ps -ef | grep tcpdump
root 12437 12289 0 18:08 pts/1 00:00:00 /tmp/tcpdump -w /tmp/capture

Great! The process is still active, but neither the binary nor its output file are visible to standard Unix tools like ls. Now let’s have some fun.

The Power of lsof

It turns out that the highly indispensable lsof utility has an option for detecting exactly these open but unlinked files:

# lsof +L1
COMMAND PID USER FD TYPE DEVICE SIZE NLINK NODE NAME
init 1 root 0u CHR 5,1 0 623 /dev/console (deleted)
init 1 root 1u CHR 5,1 0 623 /dev/console (deleted)
init 1 root 2u CHR 5,1 0 623 /dev/console (deleted)
wineserve 10510 hal 31u REG 254,1 16777216 0 42233 /tmp/.wine-1000/server-fe05-4ee00e/anonmap.WKvI4J (deleted)
firefox 10826 hal 60u REG 254,4 8200 0 139466 /var/tmp/etilqs_wkK3U9h1sAcQpD3 (deleted)
tcpdump 12437 root txt REG 254,1 639416 0 25463 /tmp/tcpdump (deleted)
tcpdump 12437 root 4w REG 254,1 65536 0 25500 /tmp/capture (deleted)

The “+L1” option is translated as “show me all files with link count less than one”– in other words, “show me all files with link count zero” which is just another way of saying “files which have been unlinked from the file system”. It’s almost anti-climactic how easy it is to spot these files with lsof.

However, the above output also demonstrates another important aspect of this discussion: not all open but unlinked files are necessarily cause for concern. There are a few processes that are common to the Unix/Linux platform that sometimes make use of open but unlinked files as part of their normal operations. This is clearly a situation where one must “know thy systems”– be familiar with how the operating systems you’ll be investigating appear during normal operations– so that you can spot discrepancies. That being said, programs that I’ve seen regularly using open but unlinked files include the Linux init process, Firefox, the Wine Windows emulator (all of which you can see in the output above), and VMware Server.

OK, at this point we’ve spotted the open but unlinked files, but how can we recover the data that’s in them? The lsof output above gives us the inode numbers for the files if you look in the “NODE” column (25463 for our deleted tcpdump binary and 25500 for the output file). This means we could use a tool like icat from the Sleuthkit to dump the contents of these files. But it turns out that there’s another approach that doesn’t require any tools that aren’t already present in most Unix-like operating systems.

/proc to the Rescue!

The lsof output also gives us the process ID of the processes with open but unlinked files. In this case, our tcpdump process is PID 12437. Let’s head over to the /proc/12437 directory and see what we can see:

# cd /proc/12437
# ls
attr cpuset io mountinfo oom_score smaps
auxv cwd latency mounts pagemap stat
cgroup environ limits mountstats root statm
clear_refs exe loginuid net sched status
cmdline fd maps numa_maps schedstat task
coredump_filter fdinfo mem oom_adj sessionid wchan

There’s a lot of interesting data in /proc, but for our purposes the “exe” object is the first interesting thing: “exe” is a symbolic link to the executable the process was started from, and because the kernel resolves it to the file’s inode rather than to its (now missing) path name, reading through it still yields the complete binary after the file has been unlinked. So all we have to do to recover the deleted executable is make a copy of this “file” under /proc. Obviously in a real incident you wouldn’t want to copy the file back into the file system of the compromised machine because you’d potentially be overwriting important evidence. You’d either want to copy it to a portable drive you’ve connected to the system, or move the executable off the machine via the network with a command line like:

# cat /proc/12437/exe | nc 192.168.1.1 9999

This assumes you’ve got a machine acting as a “collector” at 192.168.1.1 with another netcat process listening on port 9999/tcp and writing the incoming data into a file.

Just to prove to you that this works, however, let me just copy the binary into my local file system and demonstrate that the result is a working executable:

# cp /proc/12437/exe /tmp/testing
# /tmp/testing --version
testing version 3.9.8
libpcap version 0.9.8
Usage: testing [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
[ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -Z user ]
[ expression ]

Again, in a real incident you wouldn’t just blindly execute a suspicious program you’d recovered in this manner. You’d only want to experiment with a copy of the executable in an isolated “sandbox” type system.

OK, so what about recovering the data file that the tcpdump process is writing? If you look at the directory listing of /proc/12437, you’ll notice that there’s an object called /proc/12437/fd. “fd” here stands for “file descriptor” and /proc/12437/fd is actually a directory that contains links to all files this process currently has open. Let’s take a look at this directory in more detail:

# ls -l /proc/12437/fd
total 0
lrwx------ 1 root root 64 2009-01-21 18:14 0 -> /dev/pts/1
lrwx------ 1 root root 64 2009-01-21 18:14 1 -> /dev/pts/1
lrwx------ 1 root root 64 2009-01-21 18:12 2 -> /dev/pts/1
lrwx------ 1 root root 64 2009-01-21 18:14 3 -> socket:[4197672]
l-wx------ 1 root root 64 2009-01-21 18:14 4 -> /tmp/capture (deleted)

Source: http://sansforensics.wordpress.com/2009/01/27/recovering-open-but-unlinked-file-data/

Notice that the link names are named for the internal file descriptor number used by the process, but the names of the files associated with these file descriptors can be clearly seen, along with the fact that the /tmp/capture file has been deleted.

The cool thing is that you can use these links as arguments to normal Unix file system commands. For example, if you wanted to copy the data in the deleted file over the network to your capture workstation:

# cat < /proc/12437/fd/4 | nc 192.168.1.1 9999

A caveat on the command above: whether you write “cat /proc/12437/fd/4” or use input redirection (“<”), cat reads the file up to end-of-file and then exits in both forms; it does not keep following the file while tcpdump appends to it. If you want to keep receiving data for as long as the process is still writing, use tail in follow mode instead, e.g. “tail -c +1 -f /proc/12437/fd/4 | nc 192.168.1.1 9999”, which dumps the current contents and then streams new writes until you stop it. Either way, the link only works while the process holds the descriptor open; once tcpdump closes the file or exits, the inode is released and the data must be carved like any other deleted file. What makes this approach preferable to icat is that you read the live file through the kernel’s own open file table, with no extra tooling, rather than reconstructing it from disk blocks.
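The same procedure automated, as an added Python example that is not part of the original article: it parses lsof +L1 output for open-but-unlinked regular files (the sample is constructed from the listing above), enumerates /proc/<pid>/fd for links marked “(deleted)”, and copies a descriptor or the exe link out through /proc. The function names, the naming of the output files and the sample listing are this example’s assumptions. Run as a script it reproduces the article’s test case against its own process rather than against tcpdump.

```python
import os
import shutil
import tempfile

# Constructed from the `lsof +L1` listing above (whitespace normalised).
# Only regular files with link count 0 are interesting for recovery.
SAMPLE_LSOF = """\
COMMAND   PID  USER FD  TYPE DEVICE   SIZE NLINK   NODE NAME
init        1  root 0u  CHR     5,1      0        623 /dev/console (deleted)
firefox 10826   hal 60u REG   254,4   8200     0 139466 /var/tmp/etilqs_wkK3U9h1sAcQpD3 (deleted)
tcpdump 12437  root txt REG   254,1 639416     0  25463 /tmp/tcpdump (deleted)
tcpdump 12437  root 4w  REG   254,1  65536     0  25500 /tmp/capture (deleted)
"""

LSOF_COLUMNS = ("command", "pid", "user", "fd", "type", "device",
                "size", "nlink", "node", "name")
DELETED = " (deleted)"


def parse_lsof_unlinked(text):
    """Return the open-but-unlinked regular files from `lsof +L1` output.
    The NAME column may contain spaces, so split into at most 10 columns."""
    records = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, len(LSOF_COLUMNS) - 1)
        if len(parts) != len(LSOF_COLUMNS):
            continue  # devices and sockets print fewer columns; not our target
        rec = dict(zip(LSOF_COLUMNS, parts))
        if rec["type"] == "REG" and rec["nlink"] == "0":
            rec["pid"], rec["node"] = int(rec["pid"]), int(rec["node"])
            if rec["name"].endswith(DELETED):
                rec["name"] = rec["name"][:-len(DELETED)]
            records.append(rec)
    return records


def find_deleted_fds(pid):
    """List (fd, original path) for descriptors of <pid> whose file has been
    unlinked. The link text ends in " (deleted)", yet opening the link still
    reaches the original inode, which is what makes recovery possible."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir and readlink
        if target.endswith(DELETED):
            found.append((int(name), target[:-len(DELETED)]))
    return sorted(found)


def recover(pid, what, out_dir):
    """Copy /proc/<pid>/exe or /proc/<pid>/fd/<n> into out_dir. In a real
    case out_dir is an attached drive or a collector share, never the
    suspect's own file system. Returns the path written."""
    src = f"/proc/{pid}/{what}"
    os.makedirs(out_dir, exist_ok=True)
    dst = os.path.join(out_dir, f"pid{pid}-{what.replace('/', '-')}")
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout)  # snapshot of the file as it is right now
    return dst


if __name__ == "__main__":
    for rec in parse_lsof_unlinked(SAMPLE_LSOF):
        print(f"pid {rec['pid']:>5} fd {rec['fd']:<3} inode {rec['node']:>6} {rec['name']}")
    # The article's test case against this very process: open a file, unlink
    # it while it is still open, then recover it through /proc.
    work = tempfile.mkdtemp()
    capture = os.path.join(work, "capture")
    with open(capture, "wb") as fh:
        fh.write(b"constructed pcap bytes")
        fh.flush()
        os.unlink(capture)
        print("unlinked but open:", find_deleted_fds(os.getpid()))
        print("recovered to:", recover(os.getpid(), f"fd/{fh.fileno()}",
                                       os.path.join(work, "out")))
```

Note that opening /proc/<pid>/fd/<n> performs a fresh open of the underlying inode, so a descriptor the process holds write-only (the l-wx fd 4 above) can still be read, subject to the ordinary permission check on the inode and to the usual ptrace access rules for another user's process.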

Some Final Thoughts

It’s fairly uncommon to find attackers making use of open but unlinked files in this manner. But if you’re accessing the compromised system anyway– for example to capture a memory dump before you shut the machine down– it doesn’t hurt to run a quick lsof command to check for any instances of these files. In the cases where they do exist, the techniques described above can allow you to quickly recover some information that is typically critical to analyzing what the attacker is doing to your system.

Also, don’t forget about the /proc/<pid>/cwd link, which is a link to the current working directory of the process. If the attacker was foolish enough to start the suspicious process from their rootkit installation directory, you may be able to zero-in on the compromise in record time!

Hal Pomeranz is an independent Computer Security/IT consultant and SANS Institute Faculty Fellow. He wants to name his first child “Elesso’ef Slashproc”, which probably means it’s a good thing he’s not planning on having kids.

Powered by Bad Robot
Helped by Blackubay