Oct 23 2009

Windows 7 ISO creation post Digital River download

Category: Practical, Programs | Parker @ 9:41 am

So I got the Digital River digital download of Windows 7. Assuming that I would receive all the details promptly and that I would be able to download an ISO image was, it seems, a HUGE assumption, because neither was the case. What I did receive via email was guidance text with blank spaces where my download link and product key should have been. Still waiting on my key, but at least this morning I was able to locate the download tool within my orders on the Digital River site.

So, whilst awaiting my product key, I have been trawling the internet in the hope of finding some guidance on turning their exe installer into an ISO.
Having found some misguidance, I have finally found a guide with the correct steps, so thought it best to note it here.

  • To create the ISO, first download the installer, move it to the root of your C:\ drive and double-click the exe.
  • An expandedSetup folder will be created; when the installation window opens, close it down.
  • Grab the oscdimg tool (the file linked in the original post) and extract it to your C:\Windows\System32 folder.
  • Now open cmd as admin and type the following (without the quotation marks at either end):
  • "oscdimg -bC:\expandedSetup\boot\etfsboot.com -h -u2 -m -lWIN_EN_DVD C:\expandedSetup\ C:\win7.iso"

Within 5 minutes you should have an ISO image ready to burn, called win7.iso, in the root of your C:\ drive.

Thanks and praise goes to ‘robbdn’ on technet, who was the first person I found who provided the correct command syntax.



Jul 11 2009

Cracking WEP keys using Backtrack 4 pre & aircrack-ng

Category: Practical, Programs, Theory, WEP key cracking | Parker @ 10:18 am

Ok. First off, cracking someone else’s WEP key and gaining access to their Network is illegal.
Doing so, may result in you getting an enforced reach-around by a man much bigger than you. Remember, you are sat at a PC, whilst he is out shanking grannies or robbing banks.

You can, however, have lots of 'fun', as I have, setting your own (or a spare) router to WEP and turning this theory into practical experience.

--------------------

I’m no expert, but here is the theory from what I have picked up.

An ARP packet is basically your router or PC saying "Who is on IP 192.168.0.3?", and the response would be "I am, and my MAC is 00:00:00:00:00". Because an ARP packet has a defined size, everything in addition to that can be considered the enclosing WEP encryption, so by collecting enough of these ARP packets and running a comparison you should be able to find the static data across all of the packets, which will be the WEP key.

Anyone who has sat watching a packet analyser like WinPcap will know that ARP packets are not that common, maybe one every few minutes. To crack a 56-bit WEP key you need about 30,000; for a 128-bit key you'll need 60,000+. So we need to trick the router into sending an excessive number of ARP packets.

ARP INJECTION

Now I may be wrong, but from my testing I believe the following to be true: "If the AP has no clients connected there will be no ARP packets being sent", hence any attempt to increase this flow will fail; anything multiplied by zero is zero.
There are ways to trick a router into thinking a client is connected (see the Frag and Chop-Chop attacks, to follow), but I am less aware of how these two techniques work at present. If however there is a connected client then you can continue.

Before we begin, I’ll give some background regards my own setup which may help the following make more sense.

  • My MAC [-h] is 00:22:69:35:6D:C5
  • My router's BSSID (MAC) [-a & -b] is 00:0F:B5:BF:C2:8C
  • It is on channel [-c] 6
  • Its ESSID [-e] is Hackyou
  • Your wireless LAN card's identifier; mine is wlan0
  • I am using BT4 pre on my Acer Aspire One. (Your wireless card must support injection; check this on the madwifi site before you waste your time.)

The science bit

You want to open a konsole window and be root (sudo) for all of the steps below.

airodump-ng wlan0

Screenshot of 'airodump-ng wlan0' command

Grab the ESSID, BSSID and channel details; you will need all of these to complete the crack. (You can Ctrl+C to stop it at this point, which allows copy and paste to work.) You want one with an associated client (bottom detail) for this attack to work.

airodump-ng -w wep -c [channel] --bssid [bssid] wlan0 (there are two dashes before bssid)

Screenshot of 'airodump-ng -w -c --bssid wlan0' command

Locks onto the AP for ARP data collection and begins saving it to the file name defined with -w.

New konsole: aireplay-ng -1 0 -a [bssid] -h [mac] wlan0

Screenshot of 'aireplay-ng -1 0 -a -h wlan0' command

This associates your MAC address with the AP, allowing you to 'communicate' with it.

New konsole: aireplay-ng -3 -b [bssid] wlan0

Screenshot of 'aireplay-ng -3 -b wlan0' command

Starts collecting ARP packets. Wait for 30,000 for a 64-bit key or 60,000 for a 128-bit key. (Below is a screenshot of airodump at work; we care about the #Data value at the top, currently at 12152.)

Screenshot of airodump-ng at work while 'aireplay-ng -3 -b wlan0' runs

New konsole: dir

Screenshot of 'dir' command

Copy the wep*.cap file name; you'll need this (the data airmon-ng has collected) to crack the WEP key. Mine was full of previous attempts; I suggest you either delete it after each attack or give a unique -w file name.

aircrack-ng [wep*.cap]

Screenshot of the 'aircrack-ng wep*.cap' command

This will keep trying if the collected data is not enough, but the end result should be "Key Found", et voila!
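The flip side of the ARP injection step above is spotting it from the AP owner's side. The following is an added example, not code from the original post: detection logic over constructed Wireshark-style summary lines with an assumed leading time column, flagging a transmitter that re-sends the same ARP request at a rate no real client produces. The threshold is an assumed tuning value.

```python
# Added example, not from the original post: detection logic for the ARP replay
# flood that "aireplay-ng -3" produces. Input is constructed Wireshark-style summary
# lines "time source destination protocol info" (the time column is assumed);
# the threshold is an assumed tuning value, not something the post states.
from collections import defaultdict, deque

ARP_REPLAY_THRESHOLD = 50   # ARP requests from one transmitter within the window

def make_sample():
    """Constructed capture: sparse router ARP chatter, then one station re-sending
    the identical request 120 times in 0.6 s (the replay signature)."""
    lines = []
    for i in range(3):
        lines.append(f"{i * 30.0:.3f} Netgear_bf:c2:8c Broadcast ARP "
                     f"Who has 192.168.0.{3 + i}? Tell 192.168.0.1")
    for i in range(120):
        lines.append(f"{90 + i * 0.005:.3f} 00:11:22:33:44:55 Broadcast ARP "
                     f"Who has 192.168.0.1? Tell 192.168.0.3")
    return "\n".join(lines)

def parse(line):
    t, src, dst, proto, info = line.split(" ", 4)
    return float(t), src, dst, proto, info

def detect_arp_replay(capture_text, threshold=ARP_REPLAY_THRESHOLD, window=1.0):
    """Return {source: {"peak_rate": n, "distinct_requests": k}} for offending sources.
    A high rate with very few distinct payloads is a replay, not a busy network."""
    recent = defaultdict(deque)    # source -> request timestamps inside the window
    payloads = defaultdict(set)    # source -> distinct "Who has X? Tell Y" strings
    alerts = {}
    for line in capture_text.splitlines():
        t, src, _dst, proto, info = parse(line)
        if proto != "ARP" or not info.startswith("Who has"):
            continue                       # only ARP requests are replayed by -3
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        payloads[src].add(info)
        if len(q) >= threshold:
            a = alerts.setdefault(src, {"peak_rate": 0, "distinct_requests": 0})
            a["peak_rate"] = max(a["peak_rate"], len(q))
            a["distinct_requests"] = len(payloads[src])
    return alerts
```

A legitimate busy host asks for many different addresses; a replay repeats one request, which is why the distinct-payload count is reported alongside the rate.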




Jan 12 2009

Acer Aspire One – Windows 7 Beta

Category: Practical, Programs | Parker @ 5:53 pm

Have had the Acer One for a while now, and I've tried to get along with Linpus Linux (no good, kept crashing it) and then gave up and installed Windows XP (surprisingly easy to do with an XBOX 360 HD-DVD drive).

Anyway, having done all that, I've found myself caught up in the Windows 7 hysteria and was very keen to see how it performs. Having downloaded the 2.44GB 32-bit beta ISO from Microsoft's website, I now have a fully functioning Windows 7 Netbook.

Not had a great amount of time with it yet, but below are my first impressions.

Performance
Functions as quickly as, if not slightly quicker than, Windows XP did. No real issues with programs freezing or slowing to a painful level. It is true to say that clearly the Netbook would struggle with certain applications; that said, unless you're stupid, you would never buy one of these devices with the goal of conducting system-intensive tasks. Windows 7 certainly performs far better than Vista would have done, so that's one in the back of the net for Microsoft.

Reliability
So far everything on the Netbook that worked with XP works now; I've been able to download all my normal programs, add my network D120 printer and get a free version of the Kaspersky 8 beta AV software.
The only slight issue I have had thus far has been when installing Trusteer Rapport. To be fair, their site does mark the software as being Vista and XP only, but the memory dump that took place afterwards (and on every reboot from then on) was a little more extreme than I would expect.
Fortunately Win7 had created a restore point close enough to my current position to be able to resolve the issue without losing any real work.

So all in all, very impressed with how it functions. I have taken on board some of Paul Thurrott's advice and have amended Messenger to sit outside of the task menu à la Vista, plus some further tweaks to change how the task menu appears.

Further updates may follow, possibly.



Oct 19 2008

First attempt – Binary ‘analysis’.

Category: Malware, Practical, Programs, Trojan | Parker @ 9:11 pm

Trojan-Downloader.WMA.Wimad.o

Well, having tried for a few days to find a good source of viruses to play with and having come up with little except spyware, I visited my parents for Sunday Roast (Lamb, it was good). Whilst fixing their second PC, which is used by my sisters to download music via Limewire, I find that Nod32 has detected and quarantined 20 viruses so far, including Trojans. Finally giving me something to play with…

So roll up the first file, "Sam Sparo Black n Gold Sexy girl has shaking orgasm.mp3" – 450KB

OK, so initially I learned two things here.

  1. DO NOT take a Regshot before you open Windows Media Player for the first time; the number of registry changes it makes will make locating malware-related additions a nightmare.
  2. IDA is completely above my head. I will have to learn what all those codes mean.

Beyond that I was able to see a few things changing and some data packets that indicated linked oddities.

Firstly the Trojan connects to a site at http:// 208.91.207.92 and issues a number of GET requests to load images; see the examples below (can you guess what kind of site it is?):

GET /r/100×100/w/r/Trouble702-19.jpg HTTP/1.1
GET /r/100×100/w/r/boredxxx-18.jpg HTTP/1.1
GET /r/100×100/w/r/caliCockluvr-30.jpg HTTP/1.1
GET /r/100×100/w/r/35608-S-3.jpg HTTP/1.1
GET /r/100×100/w/r/Trisha_69-20.jpg HTTP/1.1
GET /r/100×100/w/r/Savana-20.jpg HTTP/1.1
GET /r/100×100/w/r/sexyhannah-30.jpg HTTP/1.1
GET /r/100×100/w/r/fuckmyass-22.jpg HTTP/1.1
GET /user-images/12940/12940122-S-0.jpg HTTP/1.1
GET /user-images/9473/9473802-S-3.jpg HTTP/1.1

Having done all of that and loaded a new IE7 window full of naughty pics, some odd network traffic picks up. From my potentially flawed viewpoint it looks like an attempt to first find out whether I'm behind a router and then attempt a remote connection.

192.168.0.13 192.168.0.1 ICMP Echo (ping) request
192.168.0.1 192.168.0.13 ICMP Echo (ping) reply
64.13.192.114 192.168.0.13 TCP http > remote-as [FIN, ACK] Seq=869 Ack=202 Win=6432 Len=0
192.168.0.13 64.13.192.114 TCP remote-as > http [ACK] Seq=202 Ack=870 Win=16812 Len=0
Z-Com_97:c9:39 Broadcast ARP Who has 192.168.0.1?  Tell 192.168.0.13
Netgear_bf:c2:8c Z-Com_97:c9:39 ARP 192.168.0.1 is at 00:0f:b5:bf:c2:8c
192.168.0.13 192.168.0.1 ICMP Echo (ping) request
192.168.0.1 192.168.0.13 ICMP Echo (ping) reply
192.168.0.13 85.92.200.253 TCP brvread > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
87.248.211.192 192.168.0.13 TCP [TCP Retransmission] [TCP segment of a reassembled PDU]
192.168.0.13 87.248.211.192 TCP td-postman > http [ACK] Seq=486 Ack=1361 Win=17680 Len=0 SLE=1416 SRE=1417
87.248.211.192 192.168.0.13 HTTP [TCP Retransmission] HTTP/1.1 200 OK  (PNG)
192.168.0.13 87.248.211.192 TCP td-postman > http [ACK] Seq=486 Ack=1417 Win=17625 Len=0
192.168.0.13 64.13.192.114 TCP remote-as > http [RST, ACK] Seq=202 Ack=870 Win=0 Len=0
192.168.0.13 87.248.211.192 TCP td-postman > http [FIN, ACK] Seq=486 Ack=1417 Win=17625 Len=0
87.248.211.192 192.168.0.13 TCP http > td-postman [ACK] Seq=1417 Ack=487 Win=65534 Len=0
192.168.0.13 208.67.222.222 DNS Standard query A playmoviesx.com
208.67.222.222 192.168.0.13 DNS Standard query response A 64.20.49.14
192.168.0.13 64.20.49.14 TCP kiosk > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
64.20.49.14 192.168.0.13 TCP http > kiosk [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1360
192.168.0.13 64.20.49.14 TCP kiosk > http [ACK] Seq=1 Ack=1 Win=17680 Len=0
192.168.0.13 64.20.49.14 HTTP GET /go/?a=vidwmv&t=search&cmp=wmv_audio&embedded=false HTTP/1.1
64.20.49.14 192.168.0.13 TCP http > kiosk [ACK] Seq=1 Ack=388 Win=6432 Len=0
64.20.49.14 192.168.0.13 HTTP HTTP/1.1 301 Moved Permanently  (text/html)
192.168.0.13 208.67.222.222 DNS Standard query A www.playmoviesx.com
192.168.0.13 64.20.49.14 TCP kiosk > http [ACK] Seq=388 Ack=764 Win=16917 Len=0

I'm guessing that the GET request below may be an attempt to utilise a script that can be dynamically updated and used to download further malware onto my PC, but I am not 100% sure.

"GET /enter.php?prg=1&t=search&id=inxioltd2&cmp=wmv_audio HTTP/1.1"

When checking the DNS results for the main IPs you get one each for the UK, US and Netherlands, so no need to blame the Eastern Bloc or Chinese for this one.

Finally there seems to have been some kind of tracking taking place with an IP, 66.165.186.99, which is registered in the US. This IP conducts a TCP GET action against an imgcount.cgi string. There is also mention of instl_bootc, which is a request to Install Bootstrap Protocol Client, which I understand to be a prelude to the DHCP system and likely to offer any sites / attackers further IP / MAC address info for my machine and network.

So nothing mental going on that I could see: no obvious sign of new running processes or of opened listening ports, but given that this was my first bit of analysis, I have probably missed lots.

Packet Traffic Info File
Registry Info File
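To turn a packet listing like the one in this post into something an analyst can pivot on, here is an added example (not code from the original post) that triages Wireshark-style summary lines into external hosts, DNS answers and HTTP requests. The sample input is constructed from the post's own listing, so the addresses in it are the post's, not new indicators.

```python
# Added example, not part of the original post: triage of a Wireshark summary
# export like the listing above, pulling out what an analyst would pivot on
# (external hosts, DNS answers, HTTP requests). The sample is constructed from
# the post's own listing, so its addresses are the post's, not new indicators.
import ipaddress
import re

SAMPLE = """\
192.168.0.13 192.168.0.1 ICMP Echo (ping) request
192.168.0.1 192.168.0.13 ICMP Echo (ping) reply
192.168.0.13 208.67.222.222 DNS Standard query A playmoviesx.com
208.67.222.222 192.168.0.13 DNS Standard query response A 64.20.49.14
192.168.0.13 64.20.49.14 TCP kiosk > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
192.168.0.13 64.20.49.14 HTTP GET /go/?a=vidwmv&t=search&cmp=wmv_audio&embedded=false HTTP/1.1
64.20.49.14 192.168.0.13 HTTP HTTP/1.1 301 Moved Permanently  (text/html)
192.168.0.13 208.91.207.92 HTTP GET /r/100x100/w/r/35608-S-3.jpg HTTP/1.1
"""

def is_external(addr):
    """True for routable IPs; private ranges and non-IP names ("Broadcast") are not."""
    try:
        return not ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def triage(capture_text):
    """Summarise a capture: who outside the LAN was contacted, what resolved, what was fetched."""
    pending = {}   # (client, resolver) -> name queried, awaiting the answer
    report = {"external_hosts": set(), "dns": {}, "http_requests": []}
    for line in capture_text.splitlines():
        src, dst, proto, info = line.split(" ", 3)
        report["external_hosts"].update(a for a in (src, dst) if is_external(a))
        if proto == "DNS":
            q = re.match(r"Standard query A (\S+)$", info)
            r = re.match(r"Standard query response A (\S+)$", info)
            if q:
                pending[(src, dst)] = q.group(1)
            elif r and (dst, src) in pending:   # the answer flows resolver -> client
                report["dns"][pending.pop((dst, src))] = r.group(1)
        elif proto == "HTTP":
            m = re.match(r"(GET|POST) (\S+) HTTP/1\.[01]$", info)
            if m:
                report["http_requests"].append((dst, m.group(1), m.group(2)))
    # annotate each external host with any name that resolved to it
    names = {ip: name for name, ip in report["dns"].items()}
    report["hosts"] = sorted((ip, names.get(ip, "?")) for ip in report["external_hosts"])
    return report
```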


Oct 16 2008

First Find… BT clear text authentication

Category: Practical, Programs | Parker @ 5:27 pm

Well, getting everything installed and having a bit of a poke around to see what’s what.

The first real interesting find is the authentication that takes place when I grab email from my BTYahoo mail. (For my sins I use Windows Live Mail Beta, so grab it all via POP3.)

When looking at the packets as they leave my PC I could see the POP request, then the server respond; the username gets sent off in clear text (no biggy), but then, to my astonishment, my password shows up on screen. So the first thing I do is head into Live Mail and check the options; sure enough, the "authenticate in clear text" option is selected. Now I must have done, but I don't recall choosing that option, and when sitting back and thinking about it, even now I stupidly assume that some form of obscuring will take place; clearly not.

So I pick up the phone and speak with BT; they install some remote gumph on my PC and the Indian chap starts clumsily clicking about the place (he clearly didn't know much). I then stepped in and showed him the options and asked "Can I use either secure password authentication or authenticated POP (APOP)?" "No" he replied. So I get off the phone and spend a little time removing everything BT just put on my machine.

So I'm pretty confident that nobody is able to get into my network as such, but all that needs to happen is some kind of proxy or packet-grabbing malware to get in between me and BT and I'm f*cked. My greatest concern was around the other services I use which share this password, rather than my email; suffice it to say they are all now changed and I'm looking to move my email elsewhere. (I know that sharing passwords is stupid, but the reality is my mind can only cope with so much.)

So now I wonder, what other insecure stupid options have I blindly clicked??

Screenshot: first 'security' find.
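What the author saw on the wire can be checked mechanically. The following is an added example, not code from the original post: it audits a POP3 session transcript (client lines tagged C:, server lines S:) and reports whether the password crossed the wire in the clear, or whether APOP or STLS protected it. The transcripts, account name and password are constructed placeholders.

```python
# Added example (not from the original post): audit a POP3 session, as seen on
# the wire, for credentials sent in the clear, which is what the author observed.
# The transcripts below are constructed; the account and password are placeholders.
import re

SAMPLE_CLEAR = """\
S: +OK POP3 server ready <1896.697170952@mail.example>
C: USER user@example.com
S: +OK
C: PASS hunter2
"""
SAMPLE_APOP = """\
S: +OK POP3 server ready <1896.697170952@mail.example>
C: APOP user@example.com c4c9334bac560ecc979e58001b3e22fb
"""
SAMPLE_STLS = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
C: USER user@example.com
C: PASS hunter2
"""

def audit_pop3(transcript):
    """Return (severity, message) findings; the password itself is never echoed."""
    findings, tls_started = [], False
    for line in transcript.splitlines():
        m = re.match(r"^([CS]): (.*)$", line)
        if not m or m.group(1) != "C":
            continue                                  # only client commands matter
        verb, _, arg = m.group(2).partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            tls_started = True                        # later lines are inside TLS on the wire
            findings.append(("INFO", "STLS negotiated before login"))
        elif verb == "PASS" and not tls_started:
            findings.append(("HIGH", "PASS sent in cleartext (password redacted)"))
        elif verb == "USER" and not tls_started:
            findings.append(("LOW", "USER sent in cleartext: " + arg))
        elif verb == "APOP":
            findings.append(("INFO", "APOP used: an MD5 digest crossed the wire, not the password"))
    return findings

def verdict(transcript):
    """'cleartext' if the password was exposed, else 'tls', 'apop' or 'none'."""
    findings = audit_pop3(transcript)
    if any(sev == "HIGH" for sev, _ in findings):
        return "cleartext"
    if any(msg.startswith("STLS") for _, msg in findings):
        return "tls"
    if any(msg.startswith("APOP") for _, msg in findings):
        return "apop"
    return "none"
```

APOP keeps the password off the wire against a passive observer, but the MD5 digest it sends can be attacked offline, so STLS (or POP3 over TLS) is the setting to look for; that caveat is mine, not the post's.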


Oct 16 2008

Step 2. Toys to play with

Category: Practical, Programs | Parker @ 1:04 pm

Having spoken with some of my friends and colleagues who work in this arena and comparing that advice with information found on the Internet, I have been gifted with the following shopping list. I have not put links in for fear they will move location; let Google be your guide.

  • VMware – Allows you to run a 'sandbox' environment and prevent your machine from infection.
  • SteadyState – Allows you to set a static hard disk 'image' that is reloaded when you restart your PC.
  • Wireshark – Used for identifying command and control channels.
  • CaptureBAT – A behavioural analysis tool of applications for the Win32 operating system.
  • IDA Pro – A Windows or Linux hosted multi-processor disassembler and debugger.
  • Packetyzer – A network-enabled packet analyser.

From Sysinternals (which now largely allows remote execution):

  • Process Explorer – Shows you information about which handles and DLLs processes have opened or loaded.
  • Process Monitor – Replaces Filemon and Regmon on Vista and other M'Soft OSs (not XP).
  • Filemon – Monitors and displays file system activity on a system in real time. *See Process Monitor
  • Regmon – A Registry monitoring utility that will show you which applications are accessing your Registry. *See Process Monitor
  • TCPView – Shows detailed listings of all TCP and UDP endpoints on your system.
  • Regshot – A tool allowing snapshots / comparisons of the registry.

Best get installing then :D


Oct 16 2008

Step 1. Knowledge

Category: Practical, Theory | Parker @ 1:03 pm

So I had a word with a guy from SkillsTrain (who was very nice, but their product / support is pretty terrible. I quit the same day, claiming back the £100 deposit and cancelling the £3700 direct debit).
He and I talked for a while about various options for learning and gaining some form of recognised certification in a field of interest and use. My biggest problem is that I have a 'prosumer' level of knowledge in supporting, building, maintaining and using PCs and Macs but no actual proof of that knowledge. (It could be troublesome explaining / demonstrating my skills in an interview, and if I were to leave my employer I'd be pretty much f*cked!)

Having had a think, he suggested that working towards the CompTIA Security+ certification is probably a very good idea. I had a look at the syllabus and it looked very interesting; sadly though, the very sensible and probably required prelude to that certification is the CompTIA Network+, which doesn't look as interesting but, as said, is needed.

If you think about it as I have, you will likely realise that to protect a product, or indeed to attack a machine via any kind of network, you will need to first understand how that network works. As it happens I am currently around two thirds of the way through the learning for the Network+ examination (hoping to take the exam in November) and have found it very useful and interesting. For anybody who cares, I have chosen to use the Network+ Certification Kit, and it seems to be pushing the information into my head.
(Note to others: these books are in order; I suggest you start with the first, more in-depth book rather than the thinner third 'first pass' overview book, as I did.)


Oct 16 2008

Learning to be a better Geek

Category: Theory | Parker @ 1:02 pm

Well, this may more than likely turn out to be a self-serving page (if even that much), but my intention is to document everything I learn along my route of self-discovery (that is to say, my new-found focus that caters for both personal and work life).

For anyone that stumbles on this, let me try to set the scene. Having basically floated around without really knowing what I want to do / could do to further my knowledge and/or career, I've come face to face with a field within IT that caters for both. This blog is hopefully going to list what I'm doing / learning and achieving, which will help me and may help someone else.

Let’s go.

