Archive for category Tools

Ways for Tracking your Stolen Laptop

Getting a lost laptop back is always possible. Mobile phones are easier to find because of the IMEI number, which identifies the device on the GSM network; on most phones it can be displayed by entering *#06# on the keypad. Changing this unique number is possible but not simple.

For a notebook things are more serious: without a specific technique you cannot track your laptop or computer. Every network sits behind a gateway, and even if you had access to the gateway logs of every network in the city you would still have to search them for the MAC address of your network devices, which is not simple.
Setting up a VPN solves the issue: when the laptop boots it connects to the VPN server on the Internet, and from the IP address it connects from you can get its approximate location. LogMeIn Hamachi², a hosted VPN service that securely connects devices and networks and extends LAN-like connectivity to mobile users, can be used for this.

That is one solution, but there are many others. Prey is a free, open source project that can track a machine running any operating system. It helps you locate your missing laptop by sending timed reports with information about its whereabouts: the general status of the computer, a list of running programs and active connections, detailed network and Wi-Fi information, a screenshot of the desktop and, if the laptop has an integrated webcam, a picture of the thief.

Prey uses a remote activation system, which means the program sits silently on your computer until you actually want it to run. When activated, it gathers all this information and sends it to your Prey web control panel or directly to your mailbox. The thief will never know his movements are being watched.

The last very useful tool is TeamViewer, which lets you connect to your laptop even if you don't know its IP address, so you can find its location and turn on the webcam to see who is sitting in front of it.

make sure you subscribe to my RSS feed!


Wardriving These Days (Part 2)

The tools from the first part would not be complete without SpoonWEP/SpoonWPA, first introduced in BackTrack 3. This is a graphical front end to aircrack-ng that lets the pentester lock onto the access point's channel and crack the AP's security keys.

Another very interesting tool is Karmetasploit, which allows you to fake access points, capture passwords, harvest data, and conduct browser attacks against clients.

Wireless penetration testing is not limited to software such as BackTrack; there are also ready-made hardware solutions such as the WiFi Pineapple. It is a neat trick: nobody at home, in the office, at a coffee shop or at an airport would suspect that the pineapple contains a rogue access point capable of a man-in-the-middle attack that captures every user's credentials. The WiFi Pineapple costs $119.

When people turn on their laptops, the wireless network software automatically tries to connect to the access points it remembers, so the laptop starts sending out probe requests for them. These probes ask "Is such-and-such wireless network around?", and the WiFi Pineapple replies "Sure, I'm such-and-such wireless access point, let's get you online!".

The WiFi Pineapple is a battery-powered wireless hacking device based on the Fon 2100 access point.
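The probe-request/probe-response exchange just described is also what gives a Pineapple away to a defender: one radio answering "yes, that's me" for every network name it hears. The following Python script is an added detection example, not part of the original post or of any product mentioned here; it works on constructed probe-response records (timestamp, BSSID, SSID) such as a monitor-mode capture would yield, and flags any BSSID that claims several unrelated SSIDs within a short window. The 3-SSID / 60-second thresholds are assumptions to tune per site.

```python
"""Detect a 'karma'-style rogue access point from 802.11 probe responses.

A legitimate AP answers probe requests only for the SSID(s) it actually
serves.  A device that answers "sure, I'm that network" for every name it
hears shows up as one BSSID claiming many distinct SSIDs in a short time.
This script flags that pattern over a list of probe-response records
(constructed sample data below; a real deployment would feed it from a
monitor-mode capture).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeResponse:
    ts: float      # seconds since capture start
    bssid: str     # transmitter MAC of the responding AP
    ssid: str      # SSID the response claims to serve


def find_rogue_aps(responses, window=60.0, min_ssids=3):
    """Return {bssid: sorted list of claimed SSIDs} for every BSSID that
    answered probes for at least `min_ssids` distinct SSIDs inside some
    `window`-second span (the largest such set is reported)."""
    by_bssid = defaultdict(list)
    for r in responses:
        by_bssid[r.bssid].append(r)

    flagged = {}
    for bssid, recs in by_bssid.items():
        recs.sort(key=lambda r: r.ts)
        best = set()
        start = 0
        # Sliding window over the time-ordered responses of this BSSID.
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            ssids = {r.ssid for r in recs[start:end + 1]}
            if len(ssids) > len(best):
                best = ssids
        if len(best) >= min_ssids:
            flagged[bssid] = sorted(best)
    return flagged


# Constructed sample capture: a real AP (...:01) serving "OfficeNet", and a
# second radio (...:ff) answering every probed name within a few seconds.
SAMPLE = [
    ProbeResponse(0.0, "00:11:22:33:44:01", "OfficeNet"),
    ProbeResponse(1.2, "00:11:22:33:44:ff", "OfficeNet"),
    ProbeResponse(1.9, "00:11:22:33:44:ff", "HomeWifi-Guest"),
    ProbeResponse(2.4, "00:11:22:33:44:01", "OfficeNet"),
    ProbeResponse(3.1, "00:11:22:33:44:ff", "Airport_Free_WiFi"),
    ProbeResponse(4.0, "00:11:22:33:44:ff", "CoffeeShop"),
]

if __name__ == "__main__":
    for bssid, ssids in find_rogue_aps(SAMPLE).items():
        print(f"possible rogue AP {bssid}: claims {len(ssids)} SSIDs: {', '.join(ssids)}")
```

A genuine multi-SSID AP usually advertises each network from its own BSSID, so a single BSSID answering for four unrelated names is a strong signal; the window keeps a long capture from accumulating false positives from an AP that was legitimately reconfigured.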


Wardriving These Days (part 1)

In the past it was very difficult to crack a wireless network: you had to find the right software for your Linux distribution, check that your driver supported packet injection, and only then could you get access to the Wi-Fi network. The question is, do we still face the same difficulties today?

To answer this question we will look at some online resources for preparing the right distribution, so that the tools needed to evaluate any wireless network are only a few steps away.

Today there are two types of wireless network. The first is the unencrypted network, where all you need to connect is a wireless device. The second uses encryption, which comes in three forms: WEP, which is no longer secure because it can be cracked within a few minutes with 100% success (though this type is rarely found any more), and WPA/WPA2, which most networks use today.

First you need a copy of BackTrack; you can put it on a USB stick using UNetbootin so you can have it with you everywhere. Even if you forget your laptop, you can plug in the USB stick, boot from it and have all the tools required for your work.

Now check that your wireless adapter supports monitor mode; the compatibility list on the Aircrack-ng portal will tell you.

This makes you ready to use the latest wardriving tools. The first is Automatic WPA Handshake Capture, a Python script that helps you capture WPA handshakes: you give it the WLAN interface and the MAC addresses of the AP and the client, and you get a traffic dump containing the handshake.

Gerix WiFi Cracker is an add-on front end for Aircrack-ng. To use it, go to the configuration settings, select the interface, then press "Start Sniffing and Logging" and "Perform a test of injection AP". With Gerix you can also create a fake AP on the desired channel, so your PC responds to any probe request with a matching probe response, which tells the client to authenticate to the BSSID, just as airbase-ng does; note that this also disrupts all APs on the same channel.
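The disruption mentioned at the end of that paragraph, a fake AP knocking real clients off the channel, is visible on the air as a burst of deauthentication or disassociation frames. The Python below is an added example of how a wireless IDS can flag that; it is not code from Gerix, airbase-ng or the original post, and it runs over constructed management-frame records rather than a live capture (the 20-frames-in-5-seconds threshold is an assumption to tune per site).

```python
"""Flag deauthentication / disassociation floods in 802.11 management traffic.

A legitimate AP rarely sends more than a handful of deauths per minute; a
burst of dozens in a few seconds, especially to the broadcast address, is
the signature of a channel being jammed by a rogue AP or an injection tool.
Constructed sample frames are used below; in practice the records would
come from a monitor-mode capture of the channel.
"""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
# 802.11 management frame subtypes of interest (values from the standard).
DISASSOC = 10
DEAUTH = 12


@dataclass(frozen=True)
class MgmtFrame:
    ts: float
    subtype: int
    src: str    # transmitter address
    dst: str    # receiver address
    bssid: str


def detect_deauth_flood(frames, window=5.0, threshold=20):
    """Return {bssid: {"count": n, "broadcast": bool}} for each BSSID whose
    deauth/disassoc frame count inside some `window` seconds reaches
    `threshold`.  "broadcast" records whether any of its frames targeted
    every client at once, which no normal AP does in bulk."""
    per_bssid = defaultdict(list)
    for f in frames:
        if f.subtype in (DEAUTH, DISASSOC):
            per_bssid[f.bssid].append(f)

    alerts = {}
    for bssid, recs in per_bssid.items():
        recs.sort(key=lambda f: f.ts)
        start, peak = 0, 0
        # Sliding window: peak is the most frames seen in any window.
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = {
                "count": peak,
                "broadcast": any(f.dst == BROADCAST for f in recs),
            }
    return alerts


def constructed_sample():
    """Build a sample capture: a normal AP sending two deauths a minute
    apart, and one BSSID blasting 40 broadcast deauths in two seconds."""
    frames = [
        MgmtFrame(0.0, DEAUTH, "00:aa:bb:cc:dd:01", "10:20:30:40:50:60", "00:aa:bb:cc:dd:01"),
        MgmtFrame(58.0, DISASSOC, "00:aa:bb:cc:dd:01", "10:20:30:40:50:61", "00:aa:bb:cc:dd:01"),
    ]
    for i in range(40):
        frames.append(MgmtFrame(10.0 + i * 0.05, DEAUTH, "00:aa:bb:cc:dd:02",
                                BROADCAST, "00:aa:bb:cc:dd:02"))
    return frames


if __name__ == "__main__":
    for bssid, info in detect_deauth_flood(constructed_sample()).items():
        kind = "broadcast " if info["broadcast"] else ""
        print(f"{bssid}: {info['count']} {kind}deauth/disassoc frames within 5 s")
```

Because the attacker spoofs the AP's own address, the flood is attributed to the victim BSSID; the useful response is to check that AP's own logs and, if it did not send the frames, to locate the transmitter by signal strength.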

These tools are an update to the wireless penetration testing tools previously covered on SecTechno, and there are still others to come.

To be continued….


TrueCrypt 7.0 New Release

TrueCrypt, one of the popular tools for encrypting and hiding partitions on Linux, Mac OS and Windows, has released a new version.

The new features at this release include:

* Hardware-accelerated AES encryption: supported by some processors, this makes encryption considerably faster than a purely software implementation on the same processor.

* A TrueCrypt container on a USB flash drive can now be configured to mount automatically whenever the drive is inserted into a USB port. This is cool.

* Partition/device-hosted volumes can now be created on drives that use a sector size of 4096, 2048, or 1024 bytes.

* Favorite Volumes Organizer: you can now set favorite volumes to be mounted at logon, as read-only or as removable media.

* The Favorites menu now contains a list of your non-system favorite volumes. When you select a volume from the list, you are asked for its password (and/or keyfiles) (unless it is cached) and if it is correct, the volume is mounted.

TrueCrypt is always recommended over other built-in encryption systems because it can hide volumes, making it impossible for anyone to notice that the file exists on the hard disk, and it offers a flexible choice of encryption algorithms.

With TrueCrypt your data stays encrypted until you need it. Go get your copy by following this link.


Finding the Hidden

Once a hacker has compromised a server, it can be used for several purposes: spreading viruses, sending spam, attacking other hosts, or stealing and destroying the sensitive information stored on it.

Restoring an earlier copy of the system does not guarantee that the incident will not happen again. That is why it is important to learn how to conduct a forensic investigation and determine what really happened.

A forensic investigation helps resolve the situation after a breach and ensure it does not occur again, because merely updating software packages and antivirus definitions will not stop a hacker from breaking in with the same method once more.

It is also very important to determine when the attack occurred, because otherwise you may restore a backup that looks clean but was taken after the compromise and already contains a backdoor.

The collected evidence also plays a big role in identifying where the vulnerability was (a system flaw, human error or an insider breach).

Technology has a good face and a bad face at the same time: some modern malware leaves no traces on your hard disk.

For example, the SQL Slammer worm lives only in RAM and can be detected only through its network activity (port 1434). Encryption is also widely used as a protective measure (BitLocker, EFS…), and without the key there is no access to that information.

Forensic tools help handle these situations by collecting and analyzing information on the compromised host. This includes:

- Tools for cloning the system and saving copies of partitions
- Tools for creating checksums and digital signatures of files
- Tools for analyzing network activity and system configuration
- Tools for analyzing the system (processes, libraries…)

Depending on the situation, there are a few commercial forensic tools on the market today, such as ProDiscover from Technology Pathways, EnCase Forensic and Forensic Toolkit.

Some vendors offer limited versions, such as the freeware ProDiscover Basic Edition, which is available for download but lacks the network capabilities. Alternatively, there are specialized Linux distributions with all the required tools integrated and configured, such as DEFT Linux, the FCCU GNU/Linux Forensic Boot CD, Helix3 and others.

Now let's browse some forensic tools.

The first is TCT (The Coroner's Toolkit), which allows both dead and live analysis. The project was superseded by The Sleuth Kit (TSK). TSK runs on Linux, Mac OS X, Cygwin, FreeBSD, OpenBSD and Solaris and analyzes data stored on NTFS, FAT, Ext2, Ext3, UFS1 and UFS2. It includes 24 utilities in the following groups:

- File System Layer (f*): works with the file system
- Metadata Layer (i*): describes a file or directory
- Data Unit Layer (blk*): the actual content of blocks, clusters and fragments
- File System Journal (j*): the file system log
- Volume System (mm*): analysis of partitions; plus the disk utilities (disk_*)

For recovering or searching for deleted files on a partition we can use fls and icat. To list the deleted files with fls:
# fls -rd /dev/***
-r makes the program recurse into all directories, while -d shows only deleted entries.
To find a particular file, filter the output with grep:
# fls -rd /dev/sda1 | grep -v '(realloc)' | grep file.doc
Entries tagged (realloc) are deleted names whose metadata structure has since been reallocated to another file, so filtering them out leaves the entries whose content may still be recoverable with icat.

To check files against a hash database we can use hfind, which looks up hash values using a binary search algorithm. This makes it easy to create a hash database and identify whether a file is known or not.

It works with the NIST National Software Reference Library (NSRL) and with the output of 'md5sum'. The NSRL project is supported by reputable organizations such as the National Institute of Justice (NIJ) of the U.S. Department of Justice and the National Institute of Standards and Technology (NIST).

For example, to create an MD5 index file for the NIST NSRL:

# hfind -i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt
To look up a value in the NSRL:
# hfind /usr/local/hash/nsrl/NSRLFile.txt 76b1f4de1522c20b67acc132937cf82e
76b1f4de1522c20b67acc132937cf82e Hash Not Found
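To show what hfind is doing under the hood, here is an added Python example (not TSK code) that builds a sorted MD5 index from NSRL-format CSV lines and answers lookups by binary search, then uses it to classify a file's contents as known or unknown. The three records are constructed for the example; only the hashes of the empty file and of the bytes b"hello world\n" are real MD5 values, the rest are placeholders.

```python
"""A minimal hfind-style known-file lookup: build a sorted MD5 index from
NSRL-format records and answer queries by binary search.

The NSRL reference set is distributed as CSV lines of the form
"SHA-1","MD5","CRC32","FileName","FileSize",... ; hfind indexes one hash
column and then locates a queried hash with a binary search instead of
scanning the whole file.  The same idea is reproduced here over a
constructed three-record sample set (not real NSRL data).
"""
import bisect
import csv
import hashlib
import io

# Constructed NSRL-style records.  The SHA-1 and CRC32 columns and the first
# MD5 are placeholders; the other two MD5s are the real digests of an empty
# file and of b"hello world\n".
SAMPLE_NSRL = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"0000000000000000000000000000000000000001","00112233445566778899AABBCCDDEEFF","AAAAAAAA","notepad.exe","69120","1","WIN",""
"0000000000000000000000000000000000000002","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.txt","0","1","WIN",""
"0000000000000000000000000000000000000003","6F5902AC237024BDD0C176CB93063DC4","BBBBBBBB","hello.txt","12","2","UNIX",""
'''


def build_index(nsrl_text):
    """Parse NSRL CSV text and return a sorted list of (md5_lower, filename)
    pairs; sorting is what makes binary search possible, as in `hfind -i`."""
    reader = csv.DictReader(io.StringIO(nsrl_text))
    index = [(row["MD5"].lower(), row["FileName"]) for row in reader]
    index.sort()
    return index


def lookup(index, md5_hex):
    """Binary-search the index; return the file name for a known hash or
    None when it is absent (where hfind prints 'Hash Not Found')."""
    key = md5_hex.lower()
    pos = bisect.bisect_left(index, (key, ""))
    if pos < len(index) and index[pos][0] == key:
        return index[pos][1]
    return None


def md5_of(data):
    return hashlib.md5(data).hexdigest()


def classify(index, data):
    """Return 'known:<name>' or 'unknown' for a file's contents."""
    name = lookup(index, md5_of(data))
    return f"known:{name}" if name else "unknown"


if __name__ == "__main__":
    idx = build_index(SAMPLE_NSRL)
    for h in ("6f5902ac237024bdd0c176cb93063dc4", "76b1f4de1522c20b67acc132937cf82e"):
        print(h, lookup(idx, h) or "Hash Not Found")
    print(classify(idx, b"hello world\n"))
```

With a real NSRL file (tens of millions of rows) the sort is the expensive step and the index is written to disk once, which is exactly the split between `hfind -i` and later `hfind` queries; a lookup then costs about log2(N) comparisons rather than a full scan.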

The Sleuth Kit contains a large number of utilities, which makes it hard to manage, but the official website offers a front end for it: the Autopsy Forensic Browser, an HTML-based graphical interface to the Sleuth Kit command line tools. It makes investigating a system much easier and faster.

Sysinternals is also very important for forensic work. To get the whole package, download the Sysinternals Suite. The Sysinternals tools give you comprehensive information on everything loaded on the system, such as logs and processes, and display all the registry keys, drivers, DLLs, codecs…

PsInfo, PsLogList and Process Explorer give complete information on the system and its running processes. ListDLLs lists the loaded DLLs with their versions and the paths they were loaded from. The Handle utility shows the open files and which process opened each.

Also look at LogonSessions, PendMoves, PsFile, PsLoggedOn, TCPVcon and TCPView, as well as the standard ipconfig, netstat, arp, openfiles and systeminfo.

The tools are distributed as freeware. The state of memory can be captured with ManTech Memory DD, which supports Windows 2000, Windows Server 2003, Windows XP, Windows Vista and Windows Server 2008, giving you for free functionality that is paid for in EnCase.

This is a quick list of free tools to help us conduct a forensic analysis.


Blackhat Europe: Fireshark – A Tool To Link the Malicious Web

At the Black Hat Europe conference in Barcelona, Stephan Chenette introduced a new Firefox utility, a plugin called Fireshark. Fireshark consists of a Firefox plugin and a set of post-processing scripts that let you capture web traffic from inside your browser, log events and download content to disk for later analysis.

Over the past 12 months the number of compromised websites has increased by 225%. Injecting malicious code into websites to infect users' machines or redirect victims to other malicious resources has become very common. Stephan Chenette demonstrated how Fireshark helps with this problem by giving users a list of the resources whose source code needs a closer look.


This means that once Fireshark has identified a source as suspicious, the user can start a more in-depth analysis of the website to classify and identify the vulnerability or exploit on the site.

The information gathered by the plugin is stored locally in a folder as .yml files, and you can download the plugin here.


Windows 7: New Utility for Meeting Security Compliance

Microsoft has introduced a new tool for assessing the security level of Windows 7 and Internet Explorer 8. It is called Security Compliance Manager, and it is designed to simplify the use of protection standards and security requirements in an IT environment.

Security Compliance Manager provides a single application to automate configuration management and eliminate potentially dangerous situations such as a missing service pack, a misconfigured account or a risky software vulnerability…

Microsoft Security Compliance Manager lets IT specialists create, deploy, run and manage security baselines for Windows client and server editions, including Windows 7, as well as related applications. The tool gives access to the full database of Microsoft's recommended settings, so changes can be applied to systems directly from Microsoft's guidance. Baselines can be exported in several formats, including Desired Configuration Management (DCM) packs, Security Content Automation Protocol (SCAP), XLS or Group Policy objects (GPOs), to bring them into your environment and automate verification of compliance with the security baseline.

For more details you can visit Microsoft TechNet page.


Secunia Releases Patch Management Utility

Secunia, a Danish computer security service provider, has announced the final version of the Secunia Corporate Software Inspector 4.0 (CSI 4.0). The tool can identify vulnerabilities in about 13,000 applications from 2,300 developers.

A free trial version of CSI 4.0 can be downloaded from the official website. CSI 4.0 integrates with Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM), making it possible to scan all corporate devices, identify any unpatched application in the enterprise, and manage the installation and configuration of all Microsoft and third-party software.

According to Secunia, the average computer user has to install about 76 patches per year from 22 different software developers. In a corporate environment this task is complicated, especially since clients on the company LAN are more exposed to newly disclosed, still unpatched flaws, so it is important to check their systems frequently.


Building your OWN Malware Lab (Part 2)

Today's malware strategies and tactics are advanced and sophisticated, and their main purpose is to evade antivirus products. Some use encryption to make detection difficult for any security product, others add autorun registry entries to defend themselves against anti-malware software, or simply add a line to the hosts file to prevent the antivirus from updating its definitions.
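The hosts-file trick is easy to check for on a suspect machine. The following Python is an added example (not from the original post or any vendor) that parses hosts-file text and reports names pinned to loopback or 0.0.0.0 as well as anything matching a watch list of update hosts; both the watch list and the sample hosts content are constructed for the example.

```python
"""Check a hosts file for entries that would silently block security updates.

Adding "127.0.0.1 update.vendor.example" style lines to the hosts file
leaves the antivirus running but unable to reach its update server.  This
checker reports (a) any name from a watch list of update hosts that has
been pinned to an address at all, and (b) any other non-localhost name
mapped to a loopback or 0.0.0.0 sink-hole address.
"""
import ipaddress

# Names a stock hosts file legitimately maps to loopback-style addresses.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                   "ip6-loopback", "ip6-allnodes", "ip6-allrouters", "broadcasthost"}
# Assumed watch list; a real one would carry the vendor's actual update hosts.
WATCH_DOMAINS = ("update.example-av.test", "liveupdate.example-av.test")


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, ignoring comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True for loopback (127.x, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text):
    """Return a list of (ip, name, reason) for entries that deserve a look."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCALHOST_NAMES:
            continue
        if any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS):
            findings.append((ip, name, "update domain redirected"))
        elif is_sinkhole(ip):
            findings.append((ip, name, "non-local name mapped to loopback/unspecified"))
    return findings


# Constructed sample: the two stock lines plus entries a sample might inject.
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
# lines below are constructed for the example
127.0.0.1 update.example-av.test
0.0.0.0   liveupdate.example-av.test
192.168.1.10 intranet.corp.test
127.0.0.1 tracker.ads.test
"""

if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:14s} {name:30s} {reason}")
```

The second rule deliberately catches more than AV domains: ad-blocking lists also pin names to 127.0.0.1, so treat those findings as "review", while a watch-list hit is an immediate indicator.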

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. The report produced by ThreatExpert includes very important information about the file and is divided into two parts:

- Submission Summary:
  - File submission information (date, processing time and malware alias).
  - Summary of findings: the severity level and the impact on the machine (e.g. creates a startup registry entry, contains characteristics of an identified security risk, etc.).
- Technical Details:
  - Possible security risk: the threat category with a short description.
  - File system modifications (the file names modified by the malware, file size, file hash, alias and a brief note about the system component concerned).
  - Memory modifications (whether a new process was created on the system).
  - Registry modifications (the registry values created, modified or deleted).
  - Other details (the possible country of origin according to the analysis).

To use ThreatExpert you can go through the free online file scanner or install the ThreatExpert Submission Applet for a quick and easy way to submit samples; before submitting any files you need to register an account in order to retrieve the reports.

What all the previous tools lack is analysis of suspicious network traffic. For web-based threats we can use Anubis: you submit a suspicious URL and receive a report showing all the activity of the Internet Explorer process while visiting that URL. The downside is that the service is slow.

Flash, JavaScript and PDF files can be scanned and handled with Wepawet. Wepawet runs various analyses on the URLs or files you submit. At the end of the analysis phase it tells you whether the resource is malicious or not and provides information to help you understand why it was classified one way or the other. It also displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples.

Another tool for analyzing Portable Executable (PE) files is MANDIANT Red Curtain (MRC). MRC examines multiple aspects of an executable, such as entropy (in other words, randomness), indications of packing, compiler and packer signatures, the presence of digital signatures and other characteristics, to generate a threat "score". The score helps decide whether a set of files deserves further investigation.
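The entropy check Red Curtain performs is simple to reproduce. The Python below is an added example, not MANDIANT's code: it walks a PE file's section table, computes the Shannon entropy of each section's raw bytes and flags sections above an assumed 7.0-bit threshold as probably packed or encrypted. A tiny synthetic PE image is built inline so the script runs without a real sample.

```python
"""Entropy-based packing indicator for PE files.

Code that has been compressed or encrypted by a packer is statistically
close to random, so its Shannon entropy approaches 8 bits per byte, while
ordinary machine code and data sit well below that.  Scoring each section
of the PE separately shows which part of the binary is packed.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Return [(name, raw_bytes)] from a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def score_sections(image, packed_threshold=7.0):
    """Return [(name, entropy, looks_packed)] for every section."""
    result = []
    for name, data in pe_sections(image):
        e = shannon_entropy(data)
        result.append((name, e, e >= packed_threshold))
    return result


def build_sample_pe():
    """Construct a minimal, non-runnable PE32 image with a low-entropy .text
    section and a .packed section filled with SHA-256 chain output, which is
    as close to random as packer output gets (constructed test data)."""
    text = b"\x55\x8b\xec\x90" * 256                    # 1024 bytes, 4 distinct values
    chunk, packed = b"constructed seed", b""
    while len(packed) < 4096:
        chunk = hashlib.sha256(chunk).digest()
        packed += chunk
    packed = packed[:4096]

    pe_off, opt_size = 0x80, 224                         # PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    dos += b"\0" * (pe_off - len(dos))
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)

    def section_header(name, size, ptr):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocations/line numbers (unused), Characteristics.
        return struct.pack("<8sIIIIIIHHI", name, size, ptr, size, ptr, 0, 0, 0, 0, 0x60000020)

    text_ptr, packed_ptr = 0x200, 0x600
    headers = (dos + coff + optional
               + section_header(b".text", len(text), text_ptr)
               + section_header(b".packed", len(packed), packed_ptr))
    image = headers + b"\0" * (text_ptr - len(headers)) + text
    image += b"\0" * (packed_ptr - len(image)) + packed
    return image


if __name__ == "__main__":
    for name, e, packed in score_sections(build_sample_pe()):
        print(f"{name:10s} entropy={e:.2f} {'PACKED?' if packed else ''}")
```

A high-entropy section is only an indicator: legitimately signed installers and binaries that embed compressed resources score high too, which is why Red Curtain combines entropy with signature and packer-stub checks before producing its score.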

Now you can quickly gather information on any suspicious file. Most of these tools are free, and the highly detailed reports they produce on a sample match or exceed what an antivirus lab provides.


Building your OWN Malware Lab (Part 1)

Malicious software such as viruses, worms and bots is currently one of the largest threats to the security of the Internet. Antivirus labs invest a great deal of money in analyzing and reversing viruses, but in our case we can perform the analysis with some useful tools on our own PC.

Let's start with www.virustotal.com. If I suspect a file, the first thing I do is upload it to VirusTotal. VirusTotal analyzes any file with more than 40 antivirus products, each with its latest signature definitions, which gives a clear idea not only of whether the file is safe but also of which AV is effective. The file can be uploaded directly on the site over SSL or sent by email. You can also download and install the uploader on your PC, which lets you send files from your system directly through the context menu.


Knowing a virus's behavior is very important when reversing malware. You have to run the program and observe the changes it makes to the system, but that can harm the main system; this is where Sandboxie comes in. Sandboxie runs programs in an isolated space, preventing them from making permanent changes to other programs and data on your computer. Once Sandboxie is installed you have a wide choice of tools for detecting and monitoring changes on the system: Process Monitor from Sysinternals, API Monitor, or the free analysis tools from iDefense Labs.
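A simple version of the change detection those monitoring tools perform, as an added Python example (not Sandboxie's or Sysinternals' code): snapshot a directory tree's file hashes before running a sample, snapshot again afterwards, and diff the two to list created, modified and deleted files. The demo builds a throwaway directory and simulates the sample's changes itself, so it runs offline on any system.

```python
"""Before/after file system snapshot diff for sandboxed malware runs.

snapshot() hashes every regular file under a root; diff_snapshots() turns
two snapshots into the created / modified / deleted lists that a dynamic
analysis report contains.  demo() exercises both on a temporary directory
with constructed files standing in for a sample's side effects.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def diff_snapshots(before, after):
    """Return {"created": [...], "deleted": [...], "modified": [...]}."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo():
    """Simulate a sample run in a scratch directory and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("[app]\nupdate=1\n")
        (root / "readme.txt").write_text("hello\n")
        (root / "drivers").mkdir()
        (root / "drivers" / "old.sys").write_bytes(b"\x00" * 16)
        before = snapshot(root)

        # Constructed stand-in for the sample's behaviour: drop a new binary,
        # turn updates off in the config, and remove a driver file.
        (root / "svchost32.exe").write_bytes(b"MZ constructed payload")
        (root / "config.ini").write_text("[app]\nupdate=0\n")
        (root / "drivers" / "old.sys").unlink()

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {', '.join(paths) or '-'}")
```

Hashing rather than comparing timestamps matters here: malware that restores a file's modification time after editing it still changes its digest. On a real sandbox host the same snapshot would be taken of the system drive, registry hives and startup folders, not just one directory.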

CWSandbox is another very nice malware analysis tool, which fulfills the three design criteria of automation, effectiveness and correctness for the Win32 family of operating systems. CWSandbox traces and monitors all relevant system calls and generates an automated report that describes:

• which files the malware sample has created or modified,
• which changes the malware sample performed on the Windows registry,
• which dynamic link libraries (DLLs) were loaded before executing,
• which virtual memory areas were accessed,
• which processes were created, or which network connections were opened and what information was sent over such connections.

Malware can be very hard to remove, and sometimes the best way to clean an infected machine is to restore a clean copy of the operating system. This brings us to the end of this first part of the new series, Building your own malware lab.


Fusion theme by digitalnature | powered by WordPress