Re: [Full-Disclosure] Windows Registry Analyzer
Sysinternals Regmon: http://www.sysinternals.com/ntw2k/source/regmon.shtml

Laters,
Dave King CISSP
http://www.thesecure.net

Danny wrote:
> Anyone know of any free tools to analyze what changes have been made to a Windows 2000/XP registry?
>
> Thanks,
> ...D

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Windows Registry Analyzer
Another possibility for static analysis would be to use Regedit to export the registry to a text file before and after, and then use WinDiff or ExamDiff or some other file comparison utility to find the changes for you.

Laters,
Dave King
http://www.thesecure.net

Cassidy Macfarlane wrote:
> You can, of course, use regmon (sysinternals.com) to monitor the registry 'live' while changes are being made; however, it sounds like you want a product that would analyse the reg, then re-analyse after installation, and report on changes. This would indeed be a handy tool. Anyone know of anything better than regmon for this purpose?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
> Sent: 03 March 2005 15:36
> To: Full-Disclosure (E-mail)
> Subject: [Full-Disclosure] Windows Registry Analyzer
>
> Anyone know of any free tools to analyze what changes have been made to a Windows 2000/XP registry?
>
> Thanks,
> ...D
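One way to do the before/after comparison in code rather than eyeballing WinDiff output, as an added example that is not from the thread: a small parser for Regedit's .reg export format and a diff that reports added, removed and changed values. The two exports below are constructed samples; the new Run-key value is the sort of change a defender is looking for.

```python
import re

# Constructed "before" and "after" Regedit exports in the format Regedit writes
# (real exports are UTF-16 text: open them with encoding="utf-16").
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CURRENT_USER\Software\Example]
"Setting"=dword:00000001
"Blob"=hex:01,02,03,\
  04,05
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"updater"="C:\\Windows\\Temp\\svchost.exe"

[HKEY_CURRENT_USER\Software\Example]
"Setting"=dword:00000002
"Blob"=hex:01,02,03,\
  04,05

[HKEY_CURRENT_USER\Software\NewVendor]
@="installed"
"""

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Map (key path, value name) -> raw value text for a .reg export.

    '@' is a key's default value.  Regedit wraps long hex: values with a
    trailing backslash, so those continuation lines are joined first.
    """
    text = re.sub(r"\\\r?\n\s*", "", text)
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            values[(key, name)] = m.group(2)
    return values


def diff_reg(before, after):
    """(added, removed, changed) lists of (key, name) between two exports."""
    old, new = parse_reg(before), parse_reg(after)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return added, removed, changed


if __name__ == "__main__":
    for label, items in zip(("added", "removed", "changed"), diff_reg(BEFORE, AFTER)):
        for key, name in items:
            print(f"{label:8} [{key}] {name}")
```

Values stay as raw strings, so a changed REG_BINARY shows up as a change even though the script never decodes it.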
Re: [Full-Disclosure] WiFi question
As far as handheld devices to aid you in your quest go, there are several options. If you've got a Pocket PC around you can try MiniStumbler, which is basically the Pocket PC version of NetStumbler. It's free and would probably do most of what you want. If you want more and you're willing to fork out some cash (I believe it's around $3000), AirMagnet can do some really cool stuff, but it's probably overkill for you. If you're feeling brave and can get hold of an iPAQ, you can replace Windows with Familiar Linux (www.handhelds.org) and then install Kismet (www.kismetwireless.net), which is a great free WiFi detecting/sniffing utility. Kismet can even work with a GPS receiver and triangulate the location of the access point (although GPS systems don't tend to work well in buildings). This option is what I use, since I could run it on an iPAQ I picked up off eBay cheap and it has all the features I need, plus it's free.

Laters,
Dave King
http://www.thesecure.net

[EMAIL PROTECTED] wrote:
> List,
>
> I'm an expert in nothing, so when I saw this I had to ask, as I'm sure there's someone out there that is a WiFi expert. Google has found no answer, so here goes.
>
> Last night we saw a new access point appear. No problems, it's an ad-hoc network so it's someone's machine with XP on, configured for their home W-LAN probably. Running NetStumbler shows more on it though. You get 2 access points showing this ESSID for a few seconds. Then you get a 3rd, then a 4th. Then the first two drop off; this repeats forever, always using a different MAC address when a new AP appears. The APs are all WEP enabled (which I can't crack cos I don't have the savvy or the tools :) ) and this goes on forever. The MACs are all from different pools (i.e. assigned to different manufacturers), so the only conclusion is that they are all spoofed MACs. I have walked around the office and, as far as I can tell, it's coming from this office (the IT dept), basing that assumption on signal strength.
>
> Anyone seen any tools that do this? I would love a little hand-held gadget that would help me find it (like the scanner in Alien!) Answers on a postcard :)
>
> Colin.
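The pattern Colin describes (one ESSID advertised by a rotating set of BSSIDs from unrelated manufacturer prefixes) can be picked out of a scan log automatically. This is an added example, not a tool from the thread; the scan records are constructed in the shape of a NetStumbler export, and the `max_bssids` limit is an assumption you would raise for a network that legitimately has several access points.

```python
from collections import defaultdict

# Constructed scan log: (seconds since start, ESSID, BSSID).  HOMENET shows the
# churn described in the post; CORPWLAN is a normal single access point.
SCAN = [
    (0,  "HOMENET",  "00:11:22:aa:bb:01"),
    (0,  "HOMENET",  "00:33:44:aa:bb:02"),
    (5,  "HOMENET",  "00:55:66:aa:bb:03"),
    (10, "HOMENET",  "02:77:88:aa:bb:04"),
    (15, "HOMENET",  "00:11:22:aa:bb:01"),
    (0,  "CORPWLAN", "00:11:22:cc:dd:01"),
    (10, "CORPWLAN", "00:11:22:cc:dd:01"),
]


def oui(mac):
    """First three octets: the manufacturer-assigned prefix."""
    return mac.lower()[:8]


def locally_administered(mac):
    """Bit 1 of the first octet set means the address was not assigned by a
    manufacturer; software-generated MACs often have it set."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def bssid_churn(scan, max_bssids=1):
    """Per ESSID, count the distinct BSSIDs and OUIs that advertised it.

    A network name seen from more BSSIDs than it has access points, spread
    across unrelated OUIs, is the signature the poster describes.  Returns
    {essid: summary} only for ESSIDs over the max_bssids limit.
    """
    seen = defaultdict(dict)  # essid -> {bssid: last time seen}
    for t, essid, bssid in scan:
        seen[essid][bssid.lower()] = t
    findings = {}
    for essid, bssids in seen.items():
        if len(bssids) <= max_bssids:
            continue
        findings[essid] = {
            "bssids": len(bssids),
            "ouis": len({oui(b) for b in bssids}),
            "locally_administered": sorted(b for b in bssids if locally_administered(b)),
            "last_seen": max(bssids.values()),
        }
    return findings


if __name__ == "__main__":
    for essid, summary in bssid_churn(SCAN).items():
        print(essid, summary)
```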
[Full-Disclosure] New Phishing attack FUD or Real?
There have been several sites that have announced a new phishing attack that's been found in Brazil that rewrites the hosts file, so that when certain bank URLs are entered they get directed to the site in the hosts file rather than looked up on their DNS server. While I've never seen such an attack, I've been expecting this to happen eventually (if it hasn't already happened).

The part of the stories I've read that seems a little strange is that they say this attack will happen without any type of user interaction besides opening the email. It seems that the writers are leaving out the unpatched Outlook, no SP2, and basically assuming that the user is using either Outlook or Outlook Express. It seems that the machines I've mentioned would not only have to open the email, but manually run the script. While I'm not saying this wouldn't ever happen, it's not what they're saying. To me this is spreading FUD and not responsible reporting. Let me know if I'm wrong and other mail clients would be vulnerable to this attack, or if SP2 machines are vulnerable.

I also believe it is a good idea to disable WSH unless you need it (as it's a good idea to disable anything you don't use).

Here are links to several stories about this new phishing scam:
http://story.news.yahoo.com/news?tmpl=storycid=74e=4u=/cmp/20041104/tc_cmp/51202564
http://story.news.yahoo.com/news?tmpl=storycid=75e=3u=/nf/20041104/tc_nf/28135
http://www.net-security.org/press.php?id=2626
http://www.vnunet.com/news/1159171
http://www.theregister.co.uk/2004/11/04/phishing_exploit/

The only article that seems to say anything about patched users being protected that I could find was this one:
http://software.silicon.com/security/0,39024655,39125549,00.htm

Dave King
http://www.thesecure.net
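Whatever the delivery mechanism turns out to be, the end state of this attack is visible in the hosts file, which is cheap to check. The following is an added example, not something from the post: it parses a hosts file and flags any entry naming a watched bank domain (no hosts entry for a bank is ever legitimate, whatever address it points at) and any single non-loopback address that several hostnames have been pinned to. The file contents and the watch list are constructed.

```python
import ipaddress

# Constructed hosts file in the shape the stories describe: bank names pinned
# to an attacker-chosen address.  On Windows the real file lives at
# %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
200.12.34.56    www.examplebank.com.br
200.12.34.56    internetbanking.examplebank.com.br
192.168.1.10    intranet   # legitimate local alias
this is not a valid hosts line
"""

# Constructed watch list: domains that must only ever be resolved through DNS.
WATCHED = {"examplebank.com.br", "otherbank.example"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments and junk skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address in the first column
        for host in fields[1:]:
            yield n, ip, host.lower().rstrip(".")


def in_watched_domain(host, watched):
    """True if host is a watched domain or any subdomain of one."""
    return any(host == w or host.endswith("." + w) for w in watched)


def suspicious_entries(text, watched=WATCHED):
    """(line_no, hostname, ip) for every entry that names a watched domain.

    Even a loopback mapping is reported: it doesn't redirect the user, but it
    does silently deny them the real site.
    """
    return [(n, host, str(ip)) for n, ip, host in parse_hosts(text)
            if in_watched_domain(host, watched)]


def shared_targets(text, min_names=2):
    """Non-loopback addresses that several hostnames have been mapped to."""
    by_ip = {}
    for _, ip, host in parse_hosts(text):
        if not ip.is_loopback:
            by_ip.setdefault(str(ip), set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= min_names}


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print("watched domain in hosts file:", hit)
    for ip, hosts in shared_targets(SAMPLE_HOSTS).items():
        print("several names pinned to", ip, hosts)
```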
Re: [Full-Disclosure] Google Desktop Search
If you noticed during the install, it gives you the opportunity to include https pages in web history caching. When it said this it made me curious, since I didn't know it indexed web history at all, but apparently it does, and this option can be disabled on the preferences page if you don't want it.

I tried to reproduce what you said happened with Hotmail, and it did index the messages I have viewed and brought them up in the search results, and it did let me view a cached copy without a username/password, but it did not allow me to access the real message in my account without my username/password. Are you set to login automagically?

Dave King
http://www.thesecure.net

DogoBrazil wrote:
> Hi everybody!
>
> I decided to test Google Desktop Search yesterday, 10-14-04. It's supposed to search almost any kind of information inside my hard drive. In the beginning I put my nick to play with, Dogo. The research came with a bit more than I expected 'cause the engine went to some webmail based accounts: Yahoo and MSN. I could click in the results and opened my Yahoo Mail inbox page without a password. Maybe some password lost in my HD? Maybe some page cached? I really don't know yet, but didn't like to see my mail exposed this way. Well, I just used it for maybe 20 minutes until the index was being prepared. I uninstalled the tool.
>
> Did someone try it? Any opinion?
>
> Cheers!
Re: [Full-Disclosure] Google Desktop Search
> Admittedly, that first quote sounds scary, and it certainly doesn't hurt to test and see what information, if any, is being sent out, but really. You people are security professionals. . . do you honestly think that it magically came up with the password to your email account from a cached web page?

I completely agree, and possibly my use of the word automagically was confusing (sorry). Just in case I was misunderstood, like I said I tested this with Hotmail and was unable to replicate the results because I didn't have the little box marked "Sign me in automatically" on the Hotmail login page. So, I tried this again after logging into Hotmail and asking it to "Sign me in automatically", and it allowed me to view the message automagically, just as I expected. After logging out of Hotmail and trying again, it again brought up the sign in prompt before it let me view my message, again as expected. So, once again, I was unable to replicate the automagic sign in without having explicitly enabled it on a previous sign in; looks like Google's not pulling any crazy hacker tricks after all.

Dave King
http://www.thesecure.net

[EMAIL PROTECTED] wrote:
> Hello All;
>
> At the risk of being flamed, I would submit that you didn't know it indexed web history at all because you didn't read the part of the info page where it says:
>
> "It's a desktop search application that provides full text search over your email, computer files, chats, and the web pages you've viewed."
>
> This can be found at: http://desktop.google.com/about.html
>
> Where it also says:
>
> "The Google Desktop Search program does not make your computer's content accessible to Google or anyone else. You can learn more by reading the Desktop Search privacy policy."
>
> And, whether security pro or good consumer, you should READ the privacy policy before using the product. What if it said "by downloading this software, you agree that we can access all contents of your hard disk whenever we want to, and share the information with all of the vendors on the planet"?
>
> Admittedly, that first quote sounds scary, and it certainly doesn't hurt to test and see what information, if any, is being sent out, but really. You people are security professionals. . . do you honestly think that it magically came up with the password to your email account from a cached web page?
>
> Read the javascript in the headers of Yahoo's login page:
>
> -- Begin javascript comments from Yahoo --
> /*
>  * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
>  * Digest Algorithm, as defined in RFC 1321.
>  * Copyright (C) Paul Johnston 1999 - 2000.
>  * Updated by Greg Holt 2000 - 2001.
>  * See http://pajhome.org.uk/site/legal.html for details.
>  */
> -- End Javascript comments from Yahoo --
>
> THEY don't even cache, or pass, your password. Like all secure programs, they store, and transmit, an MD5 Sum. Besides, why would you keep confidential information in a Yahoo email account anyway?
>
> I don't mean to chastise anyone, and it certainly isn't my place, but we should all try to avoid generating FUD when we can.
>
> M.
Re: [Full-Disclosure] (no subject)
F-Secure is reporting it as Bagle.AL. Looks like it's your basic email virus with a trojan backdoor.
http://www.f-secure.com/v-descs/bagle_al.shtml

Dave King, http://www.thesecure.net

Jonathan Grotegut wrote:
> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is? We had some clients just get pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
Re: [Full-Disclosure] A Popup! In Mozilla!
This isn't a normal popup, in that it doesn't open a new browser window. All they're doing is placing this great animated gif over the middle of the page using absolute positioning in the DIV tag. Notice that it looks like an IE window even in Firefox. Really this is a sneaky trick that is pretty annoying. I think this type of ad placement is going to be hard to block, since most of the time absolutely positioning images is just part of the normal page and has nothing to do with ads, even though I guess at one time pop-ups were used legitimately almost exclusively. At least this page seems to be thoughtful enough to only display the ad the first time you visit it. Tricky little devils, aren't they (and getting trickier all the time).

Dave King
http://www.thesecure.net

James Woodcock wrote:
> This might seem like it should be going to a webdev list, but there's a possible security implication, so here goes;
>
> http://2-spyware.com/file-cnfrm-exe.html
>
> In Mozilla 1.5 and FireFox 0.9 with the pop-up blocker turned on, I get a pop-up! It's purporting to be an important notice from my Network Administrator - you'll probably recognise it;
>
> http://2-spyware.com/images/2SPYRR1C.gif
>
> Looking at the source of the page, I see that the pop-up is being generated by a DIV statement that comes after the closing </html> tag which - I thought - was supposed to indicate the end of the document. Is a web browser supposed to be able to render code outside the <html></html> tags?
>
> Using IE 6.0.2800.1106, on viewing the source, I find that the DIV statement that followed the closing </html> tag is now the last statement BEFORE the </html> tag. What gives?
>
> James
Re: [Full-Disclosure] MD5 hash cracking service
It's true that MD5 hashes are one way. This simply means you can't do math on them and get back to what you started with, as you can with encryption. Basically what this site does is make a huge sorted list of MD5 hashes. It can then quickly search through them and find your hash. Since the same plaintext always makes the same MD5 hash, then you've got your plaintext. It's basically a memory vs. time tradeoff. I agree with you about potential problems publicly posting stuff to be cracked; be leery. 150 hashes a day is pretty fast though. . .

Dave King
www.thesecure.net

Gregory A. Gilliss wrote:
> Interesting, since MD5 hashes are supposed to be one way, are they not?
>
> I've often discussed setting up an online cracking service (think Alec Muffett's Crack seriously networked a la Beowulf with a Web interface). Aside from the technical challenges of setting up and maintaining such a project, the obvious issue, from a security perspective, would be trust. For example, if I know that Alice connected from 12.3.4.5 and supplied a hash/password, and I retained the unencrypted hash/password, would I not now (potentially) have access to something (maybe accessible, maybe privileged, maybe not) at 12.3.4.5?
>
> Still, bravo to you for setting it up :-)
>
> G
>
> On or about 2004.07.01 19:03:33 +0000, md5er ([EMAIL PROTECTED]) said:
>> I've set up a quick website and system to crack md5 hashes online using Rainbow tables. The project is using RainbowCrack and currently ~47 Gb of tables. At the moment it can crack hashes of lowercase letters and/or numbers up to 8 characters long. The cracking service is free. If you are interested you can check out the site here: http://passcracking.com
>>
>> Regards,
>> staff
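The "memory vs. time tradeoff" above, worked through as an added example (not code from the thread or the service): precompute the digest of every lowercase/digit string up to a short length, reverse a digest by dictionary lookup, and see why a per-user salt makes that precomputed table useless. The flat map here is the simplest form of the idea; rainbow tables store chains instead, trading lookup time for far less storage, which is how ~47 GB can cover 8-character strings.

```python
import hashlib
import itertools
import string

# The character set the service on the page covers: lowercase letters and digits.
ALPHABET = string.ascii_lowercase + string.digits


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_table(max_len):
    """Precompute digest -> plaintext for every string over ALPHABET up to max_len.

    Memory is paid once; each reversal is then a single dictionary lookup.
    Entries grow as 36**n per length, so 3 characters is 47,988 entries but
    8 characters is over 2.9 trillion: the memory side of the tradeoff.
    """
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=n):
            plaintext = "".join(chars)
            table[md5_hex(plaintext)] = plaintext
    return table


def table_entries(max_len):
    """Entries a full table over ALPHABET needs for lengths 1..max_len."""
    return sum(len(ALPHABET) ** n for n in range(1, max_len + 1))


def lookup(table, digest):
    """Reverse a digest if its plaintext is in the table, else None."""
    return table.get(digest.lower())


def salted_md5(salt, text):
    """Same password, different salt, different digest: a table built for
    unsalted hashes (or for someone else's salt) no longer matches."""
    return md5_hex(salt + text)


if __name__ == "__main__":
    table = build_table(3)  # builds in well under a second
    print(lookup(table, md5_hex("abc")))                  # abc
    print(lookup(table, salted_md5("k7", "abc")))         # None
    print(f"8-character coverage: {table_entries(8):,} entries")
```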
Re: [Full-Disclosure] antivirus and spyware scanning
I've looked at several bootable Linux CDs and haven't found one to remove Windows spyware. BartPE (http://www.nu2.nu/pebuilder/) is a Windows XP/2003 based bootable CD that will allow you to run Adaware. The one limitation seems to be that it won't scan the registry on the Windows installation on the hard drive. If you haven't checked it out, BartPE is really a cool project that basically lets you master your own CD to your own liking. It has a pretty large community backing it who make all sorts of add-ins. You can, for example, add virus scanning to your BartPE CD as well. You may also be able to get Adaware, or some similar program, to run using WINE on a Knoppix based distro like Auditor Security Collection or Knoppix-STD.

Good Luck,
Dave King
http://www.thesecure.net

Lee Leahu wrote:
> Hello Everyone,
>
> I recently came across a Linux based live-CD designed for virus scanning, disaster recovery, network analysis, etc.
> http://www.inside-security.de/insert_en.html
>
> I think it is very useful to scan a Windows machine for viruses while having that machine booted to Linux. This pretty much ensures that you will find all the virii on that system.
>
> Does anyone know of a spyware scanner that can also work from within Linux? I dislike the idea of having to boot to Windows just to scan the box for spyware. One could argue that the hard drive could be put into another machine and scanned there, but what if you're in an environment where that is just not possible (making housecalls, no unused machine, etc)?
>
> Also, if you know of a better solution than this, I am always interested.
>
> Thanks
Re: [Full-Disclosure] Pentesting an IDP-System
You might try Nessus (http://www.nessus.org) and turn on all the dangerous plugins and turn safe checks off. It also has some detection evasion stuff. Good luck.

p.s. Marcin asked what "to pentest" means. It's just a slang term for penetration test.

Dave King
http://www.thesecure.net

H D Moore wrote:
> On Saturday 29 May 2004 06:03, ph03n1x wrote:
>> Do you guys have an idea how I could test it more efficiently? Is there some software that automatically tries to attack with a bunch of the most common and new exploits so I don't have to do it manually? Preferably some GPL or other free stuff, since I don't have a budget for this.
>
> Check out the Metasploit Framework; it was designed with IDS testing in mind. There is an environment option that you can set from the console that forces all nop instructions to be randomized; you may want to try setting this and see if the attack is detected at all :) [1]
>
> The Framework is available from: http://metasploit.com/projects/Framework/
>
> Version 2.0 is the latest public release. If you read through the Crash Course PDF on the documentation page, it will describe how to configure random nop sleds, as well as how the system works in general. The 2.0 release includes about twenty exploits; updated and new modules are sent out to the Framework mailing list. If you have any questions about using the Framework, or the general development status, drop us a message at msfdef[at]metasploit.com.
>
> -HD
>
> 1. Something you may want to keep in mind is that intrusion detection systems which follow a first-exit methodology (Snort, etc) will normally report only one event for a given attack. If the nops rule matches before the exploit rule, that would be the only event reported. The Snort team has added something called event queueing in the 2.1.3/2.2 version (currently in CVS), that allows much better control over which types of events override each other. Some day we may post our paper on bypassing every single signature with event masking...