Sunday, July 31, 2011

Collecting Details on Processes running on the system

PID & Process Name

We can use a tool from the PsTools suite called pslist.exe to obtain the CPU time of each process and the elapsed time since it started.

c:\Tools>PsList.exe

pslist v1.29 - Sysinternals PsList
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals

Process information for BALA-PC:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:44:19.103     0:00:00.000
System                4   8  92  380      0     0:01:06.645     0:52:29.643
smss                384  11   4   28    248     0:00:00.250     0:52:29.633
csrss               452  13  11  487   1528     0:00:01.772     0:52:25.607
wininit             496  13   3   97   1064     0:00:00.530     0:52:23.394
csrss               504  13   9  242   2472     0:00:25.857     0:52:23.374
winlogon            532  13   3  133   1976     0:00:01.141     0:52:22.532
services            568   9   5  225   1880     0:00:03.485     0:52:21.471
lsass               580   9  10  569   2916     0:00:02.824     0:52:21.321

We can also use PrcView from the following link to get similar information.

http://www.teamcti.com/pview/prcview.htm

c:\Tools>pv

taskeng.exe         2556
Dwm.exe              728
Explorer.EXE        2840
MSASCui.exe         2956
VBoxTray.exe        2960
sidebar.exe         2792
wuauclt.exe         2872
cmd.exe             3660
wsqmcons.exe        3312
PrcView.exe         3652
pv.exe              3960

c:\Tools>PrcView.exe



Memory Usage

We can see the memory usage of the system by using the tasklist command.

c:\Tools>tasklist




pstat can also give similar information in more detail.

http://support.microsoft.com/kb/927229



Linking running Processes with Executables.

This is easily done with PrcView using the -e switch.  We can also do the same with the CurrProcess tool.

  http://www.nirsoft.net/utils/cprocess.html



Linking Processes on the computer with Users on the computer


We can use a simple little command such as tasklist -V, or pulist, to accomplish this.

c:\Tools>tasklist -V > c:\Tools\out.txt


We can alternatively use pulist from http://207.46.19.190/downloads/details.aspx?FamilyID=9b9da78d-f7d1-4b8a-8a31-3bb725c7a069&displaylang=en

c:\Tools>pulist.exe
Process           PID  User
Idle              0
System            4
smss.exe          384
csrss.exe         452
wininit.exe       496
csrss.exe         504
winlogon.exe      532
services.exe      568
lsass.exe         580
SearchIndexer.exe 208
eeyeevnt.exe      2296
taskeng.exe       2556 Bala-PC\Bala
dwm.exe           728  Bala-PC\Bala
explorer.exe      2840 Bala-PC\Bala
MSASCui.exe       2956 Bala-PC\Bala
VBoxTray.exe      2960 Bala-PC\Bala
sidebar.exe       2792 Bala-PC\Bala
wuauclt.exe       2872 Bala-PC\Bala
cmd.exe           3660 Bala-PC\Bala
cmd.exe           2596
wsqmcons.exe      3312 Bala-PC\Bala
PrcView.exe       3652 Bala-PC\Bala
WmiPrvSE.exe      2604
pulist.exe        3136 Bala-PC\Bala

c:\Tools>


Child Processes

If we need to see all the child processes spawned by another process we can use pslist with the -t switch.


Command Line Switches to an executable

If we want to see the command line switches provided to an executable we can use tools such as PrcView with the -l switch, or the cmdline tool developed by diamondcs.com.au.



Dependencies Loaded by Running Processes.

We can make use of a tool called listdlls.exe from Microsoft (Sysinternals) to accomplish this.
http://technet.microsoft.com/en-us/sysinternals/bb896656.aspx


Even the pv command can pull out the same details with the -m switch.

c:\Tools>pv -m cmd.exe
  Module information for  'cmd.exe'(3660)
  MODULE          BASE     SIZE     PATH
cmd.exe         4a750000   327680 C:\Windows\System32\cmd.exe
ntdll.dll       76f80000  1212416 C:\Windows\system32\ntdll.dll
kernel32.dll    76cd0000   897024 C:\Windows\system32\kernel32.dll
ADVAPI32.dll    76b60000   811008 C:\Windows\system32\ADVAPI32.dll
RPCRT4.dll      76220000   794624 C:\Windows\system32\RPCRT4.dll
msvcrt.dll      76760000   696320 C:\Windows\system32\msvcrt.dll
apphelp.dll     75430000   180224 C:\Windows\system32\apphelp.dll
USER32.dll      76c30000   643072 C:\Windows\system32\USER32.dll
GDI32.dll       770e0000   307200 C:\Windows\system32\GDI32.dll
IMM32.DLL       770b0000   122880 C:\Windows\system32\IMM32.DLL
MSCTF.dll       76810000   819200 C:\Windows\system32\MSCTF.dll
LPK.DLL         76440000    36864 C:\Windows\system32\LPK.DLL
USP10.dll       76540000   512000 C:\Windows\system32\USP10.dll


Recent and Current Network Connections

Active Connections

We can see the currently active connections with the help of netstat command.

C:\Users\Bala>netstat -aon

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       496
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       1024
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1072
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       580
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       568
  TCP    [::]:135               [::]:0                 LISTENING       856
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5357              [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       496
  TCP    [::]:49153             [::]:0                 LISTENING       1024
  TCP    [::]:49154             [::]:0                 LISTENING       1072
  TCP    [::]:49155             [::]:0                 LISTENING       580
  TCP    [::]:49156             [::]:0                 LISTENING       568
  UDP    0.0.0.0:123            *:*                                    1224
  UDP    0.0.0.0:500            *:*                                    1072
  UDP    0.0.0.0:4500           *:*                                    1072
  UDP    127.0.0.1:1900         *:*                                    1224
  UDP    127.0.0.1:49153        *:*                                    1224
  UDP    [::]:123               *:*                                    1224
  UDP    [::]:500               *:*                                    1072
  UDP    [::1]:1900             *:*                                    1224
  UDP    [::1]:49152            *:*                                    1224
  UDP    [fe80::100:7f:fffe%11]:1900  *:*                                    1224
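Joining the two listings is what an investigator actually does with this output. As an added example (not part of the original post), the Python script below parses netstat -aon output in the format shown above together with a pulist-style process/user listing, and reports every bound port and every established connection with the owning image name and account. Both samples are constructed for this example: the PIDs were chosen to line up with the netstat output above, and on a real system both listings must be taken from the same boot, because PIDs are reused after a restart.

```python
import re
from collections import namedtuple

# Constructed sample in the format of "netstat -aon" (as shown above), with
# one ESTABLISHED connection added so the join has something to highlight.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       580
  TCP    [::]:135               [::]:0                 LISTENING       856
  TCP    192.168.56.101:49201   203.0.113.10:80        ESTABLISHED     3660
  UDP    0.0.0.0:123            *:*                                    1224
  UDP    [fe80::100:7f:fffe%11]:1900  *:*                                    1224
"""

# Constructed sample in the format of "pulist": image name, PID and the
# account (blank for processes running as the system). PIDs match the
# netstat sample above; a real investigation takes both from the same boot.
PULIST_SAMPLE = """\
Process           PID  User
System            4
svchost.exe       856
lsass.exe         580
svchost.exe       1224
cmd.exe           3660 Bala-PC\\Bala
"""

Socket = namedtuple("Socket", "proto local foreign state pid")
Proc = namedtuple("Proc", "name pid user")


def parse_netstat(text):
    """Return Socket tuples; UDP rows have no State column, so they get ''."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        sockets.append(Socket(proto, local, foreign, state, int(pid)))
    return sockets


def parse_pulist(text):
    """Return {pid: Proc}; the User column is optional in pulist output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)(?:\s+(.+))?$", line)
        if m:
            pid = int(m.group(2))
            procs[pid] = Proc(m.group(1), pid, (m.group(3) or "").strip())
    return procs


def local_port(addr):
    """Port from '0.0.0.0:135' or '[fe80::1%11]:1900' (IPv6 with scope id)."""
    return int(addr.rsplit(":", 1)[1])


def bound_ports(sockets):
    """Sorted (proto, port) pairs the host is listening or bound on."""
    return sorted({(s.proto, local_port(s.local))
                   for s in sockets if s.state == "LISTENING" or s.proto == "UDP"})


def annotate(sockets, procs):
    """Join each socket with its owning image name and account."""
    rows = []
    for s in sockets:
        p = procs.get(s.pid, Proc("<unknown>", s.pid, ""))
        rows.append((s.proto, s.local, s.foreign, s.state or "-", s.pid,
                     p.name, p.user or "<system>"))
    return rows


def established_by_user_processes(sockets, procs):
    """Live connections owned by a process running under a user account."""
    return [s for s in sockets
            if s.state == "ESTABLISHED" and procs.get(s.pid, Proc("", s.pid, "")).user]


if __name__ == "__main__":
    sockets = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_pulist(PULIST_SAMPLE)
    for row in annotate(sockets, procs):
        print("%-4s %-28s %-22s %-12s %5d %-14s %s" % row)
```

Run it as-is to see the joined table; to use it on a real box, save the two command outputs to files and feed their contents to parse_netstat() and parse_pulist() instead of the samples.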


DNS queries made from the infected system.
We can see the recent DNS queries, as kept in the resolver cache, with the command

C:\Users\Bala>ipconfig /displaydns

Windows IP Configuration

    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record  . . . . . : localhost


    1.0.0.127.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.127.in-addr.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record  . . . . . : localhost


    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1


    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 28
    Time To Live  . . . . : 86400
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : ::1
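The cache dump is verbose, so as an added example (not from the original post) here is a Python parser for the ipconfig /displaydns layout above. It turns each dashed block into a (name, type, TTL, data) record and filters out loopback and reverse-lookup entries, leaving the names the system actually resolved. The sample text is constructed in the same layout, with one made-up external entry (update.example.test resolving to 203.0.113.25) added so the filter has something to return.

```python
import re

# Constructed sample in the format of "ipconfig /displaydns" shown above; the
# last block is a made-up external name so the filter returns something.
DISPLAYDNS_SAMPLE = """\
Windows IP Configuration

    1.0.0.127.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.127.in-addr.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record  . . . . . : localhost


    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 28
    Time To Live  . . . . : 86400
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : ::1


    update.example.test
    ----------------------------------------
    Record Name . . . . . : update.example.test
    Record Type . . . . . : 1
    Time To Live  . . . . : 300
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.25
"""

# DNS record type numbers as printed in the cache dump.
RECORD_TYPES = {1: "A", 5: "CNAME", 12: "PTR", 28: "AAAA"}

# "Label . . . . : value": the label runs up to the first dot, the dots are
# padding, and the value is everything after the colon (it may contain colons).
FIELD_RE = re.compile(r"^\s*([^.:]+?)\s*[. ]*:\s*(.*)$")


def parse_displaydns(text):
    """Return one dict per cache entry: name, type, ttl, data."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip().startswith("----"):
            current = {}              # a dashed rule opens a new record block
            blocks.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return [normalize(b) for b in blocks if b]


def normalize(fields):
    rtype = int(fields.get("Record Type", 0))
    # The data line is labelled by type ("A (Host) Record", "PTR Record", ...),
    # so take the field whose label ends in "Record".
    data = next((v for k, v in fields.items() if k.endswith("Record")), "")
    return {
        "name": fields.get("Record Name", "").rstrip("."),
        "type": RECORD_TYPES.get(rtype, str(rtype)),
        "ttl": int(fields.get("Time To Live", 0)),
        "data": data,
    }


def external_entries(records):
    """Cache entries that are neither loopback nor reverse-lookup names."""
    loopback = {"localhost", "127.0.0.1", "::1"}
    return [r for r in records
            if r["data"] not in loopback and not r["name"].endswith(".arpa")]


if __name__ == "__main__":
    for rec in external_entries(parse_displaydns(DISPLAYDNS_SAMPLE)):
        print("%-30s %-5s ttl=%-6d %s" % (rec["name"], rec["type"], rec["ttl"], rec["data"]))
```

Because the cache is volatile and entries expire with their TTL, this is one of the first things to capture on a live system; the TTL column tells you roughly how long ago each name was looked up.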


NetBIOS Connections


We can use:

nbtstat -c to see the cached NetBIOS name table.
nbtstat -S (or) net sessions to see the current sessions.

If any files are open over the network we can use the

net file command to display them.


ARP Cache

We can see the ARP cache of the machine under investigation with the command

arp -a





Python Hello World 2

bala@bala-laptop:~/python$ which python
/usr/bin/python
bala@bala-laptop:~/python$ python helloworld.py
Hello World
bala@bala-laptop:~/python$ ls
helloworld.py
bala@bala-laptop:~/python$ chmod u+x helloworld.py
bala@bala-laptop:~/python$ ./helloworld.py
Hello World
bala@bala-laptop:~/python$ cat helloworld.py
#! /usr/bin/python
# Author: Balasubramaniam Natarajan
# Purpose: Basic helloworld script

print "Hello World"

# End
bala@bala-laptop:~/python$

Python Hello World


Cloning Disks in Virtual Box

If you are looking at cloning a disk in VirtualBox, don't just copy and paste the *******.vdi file, because when you create a new virtual machine and import that hard disk it will complain that a disk with the same UUID already exists.  The best way is to clone it with the VirtualBox tools:

bala@home-laptop:~$ VBoxManage clonevdi ubuntu.vdi ubuntucloned.vdi
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%..100%.


Collecting Infected system details

System Date and Time

C:\WINDOWS\system32>date /t
Sun 07/31/2011

C:\WINDOWS\system32>time /t
03:06 AM

http://support.microsoft.com/kb/927229
C:\Tools>now

Sun Jul 31 03:07:22 2011

C:\Tools>

System Identifiers

C:\Tools>hostname
Bala-PC

C:\Tools>whoami
bala-pc\bala

C:\Tools>ver

Microsoft Windows [Version 6.0.6001]

C:\Tools>

If we want to know whether a particular interface is in promiscuous mode or not, download and run promiscdetect.exe from the following link.

http://www.ntsecurity.nu/toolbox/promiscdetect/

System Uptime

We can see how long the system has been running by using the uptime command from the URL 
http://support.microsoft.com/kb/232243

C:\Tools>uptime
\\BALA-PC has been up for: 0 day(s), 0 hour(s), 16 minute(s), 26 second(s)


http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx

C:\Tools>PsInfo.exe

PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\BALA-PC:
Uptime:                    0 days 0 hours 18 minutes 52 seconds
Kernel version:            Windows Vista
Product type:              Professional
Product version:           6.0
Service pack:              1
Kernel build number:       6001
Registered organization:
Registered owner:          Bala
IE version:                7.0000
System root:               C:\Windows
Processors:                1
Processor speed:           1 GHz
Processor type:            Intel(R) Core(TM) CPU     T6600 
Physical memory:           256 MB
Video driver:              VirtualBox Graphics Adapter

C:\Tools>

http://www.niiconsulting.com/innovation/tools.html


C:\Tools>DumpWin.exe
DumpWin v2.00 (Windows NT/2K)
Network Intelligence India Pvt. Ltd.
http://www.nii.co.in
Arjun Pednekar (arjunp@nii.co.in)

Parameters :
         -i : List installed Programs.          -d : Drive Information.
         -s : System Information.               -m : Check for Modem Drivers.
         -h : List shares present.              -t : List Startup Programs.
         -p : List active Processes.            -v : List of Services.
         -g : List Local Group Accounts         -u : List User Accounts.
         -l : dumpACL                           -n : Account Lockout Policy              -a : All of above.

 Dont forget to check the new releases of DumpWin.

C:\Tools>DumpWin.exe -d
DumpWin v2.00 (Windows NT/2K)
Network Intelligence India Pvt. Ltd.
http://www.nii.co.in
Arjun Pednekar (arjunp@nii.co.in)


=====================
Drive Information

=====================

Drive C:\ :  Fixed
Drive D:\ :  CD-ROM
Drive E:\ :  Network drive
Drive Z:\ :  Network drive
C:\Tools>

Identifying Users Logged into the System.

We can find which users are currently logged on to the system with the help of psloggedon.exe, which is part of the Sysinternals tool suite.

C:\Tools>PsLoggedon.exe

PsLoggedon v1.34 - See who's logged on
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
     31-07-2011 16:17:40        Bala-PC\Bala

No one is logged on via resource shares.

C:\Tools>


We can also use NetUsers to find out the last logon date of each user.

http://www.systemtools.com/free.htm


We can also use the logonsessions.exe tool with the -p switch to see all the processes running in each logon session.

http://technet.microsoft.com/en-us/sysinternals/bb896769.aspx

c:\Tools>logonsessions.exe -p

Logonsesions v1.21
Copyright (C) 2004-2010 Bryce Cogswell and Mark Russinovich
Sysinternals - wwww.sysinternals.com


[0] Logon session 00000000:000003e7:
    User name:    WORKGROUP\BALA-PC$
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          S-1-5-18
    Logon time:   31-07-2011 16:17:14
    Logon server:
    DNS Domain:
    UPN:
      380: smss.exe
      456: csrss.exe
      500: wininit.exe
      508: csrss.exe
      536: winlogon.exe
      576: services.exe
      588: lsass.exe
      596: lsm.exe
      764: svchost.exe
      812: VBoxService.exe
      896: svchost.exe
     1052: svchost.exe
     1068: svchost.exe
     1160: svchost.exe
     1492: spoolsv.exe
     1724: eEyeUpdateSvc.exe
     1896: RetinaEngine.exe
     2016: svchost.exe
      256: SearchIndexer.exe
     3676: eeyeevnt.exe
     3196: WmiPrvSE.exe

[1] Logon session 00000000:000090ea:
    User name:
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          (none)
    Logon time:   31-07-2011 16:17:15
    Logon server:
    DNS Domain:
    UPN:

[2] Logon session 00000000:000003e4:
    User name:    WORKGROUP\BALA-PC$
    Auth package: Negotiate
    Logon type:   Service
    Session:      0
    Sid:          S-1-5-20
    Logon time:   31-07-2011 16:17:16
    Logon server:
    DNS Domain:
    UPN:
      860: svchost.exe
     1176: SLsvc.exe
     1364: svchost.exe
     1872: svchost.exe

[3] Logon session 00000000:000003e5:
    User name:    NT AUTHORITY\LOCAL SERVICE
    Auth package: Negotiate
    Logon type:   Service
    Session:      0
    Sid:          S-1-5-19
    Logon time:   31-07-2011 16:17:18
    Logon server:
    DNS Domain:
    UPN:
     1024: svchost.exe
     1208: svchost.exe
     1516: svchost.exe
     1984: svchost.exe

[4] Logon session 00000000:00015279:
    User name:    NT AUTHORITY\ANONYMOUS LOGON
    Auth package: NTLM
    Logon type:   Network
    Session:      0
    Sid:          S-1-5-7
    Logon time:   31-07-2011 16:17:25
    Logon server:
    DNS Domain:
    UPN:

[5] Logon session 00000000:0001cbb7:
    User name:    Bala-PC\Bala
    Auth package: NTLM
    Logon type:   Interactive
    Session:      1
    Sid:          S-1-5-21-2753564925-3547717165-4264054735-1000
    Logon time:   31-07-2011 16:17:38
    Logon server: BALA-PC
    DNS Domain:
    UPN:
     3488: cmd.exe
     1868: logonsessions.exe

[6] Logon session 00000000:0001cbcc:
    User name:    Bala-PC\Bala
    Auth package: NTLM
    Logon type:   Interactive
    Session:      0
    Sid:          S-1-5-21-2753564925-3547717165-4264054735-1000
    Logon time:   31-07-2011 16:17:38
    Logon server: BALA-PC
    DNS Domain:
    UPN:
     2336: taskeng.exe
     2480: dwm.exe
     2516: explorer.exe
     2592: MSASCui.exe
     2600: VBoxTray.exe
     2620: sidebar.exe
     2820: cmd.exe
     2704: wuauclt.exe
     1572: wsqmcons.exe

[7] Logon session 00000000:00038117:
    User name:    Bala-PC\IUSER_RETINA
    Auth package: NTLM
    Logon type:   Interactive
    Session:      0
    Sid:          S-1-5-21-2753564925-3547717165-4264054735-1001
    Logon time:   31-07-2011 16:19:02
    Logon server: BALA-PC
    DNS Domain:
    UPN:

c:\Tools>

 

Sample Viruses URL

This URL has sample viruses which we can work with.

http://www.malwareblacklist.com/showMDL.php

Ubuntu has lots under the hood

I feel ashamed that I am a user of Ubuntu and still did not discover this command, which personalizes Gnome.


$gnome-control-center


Saturday, July 30, 2011

FOG - Free Open source Disk cloning software

Here we have a project which will clone the disk of Windows machines.


http://www.fogproject.org/

http://ping.windowsdream.com/ping/howto-2.01.html

Cuckoo - Automatic Malware Analyzing tool

Wonderful tool, I need a spare computer to try this out at home.

http://vimeo.com/23801978

http://vimeo.com/24128028

Sunday, July 24, 2011

Send Email from Ubuntu to Anywhere

First you need to install ssmtp on your Ubuntu box, which can be done with:


sudo apt-get install ssmtp


Now let us edit the ssmtp configuration file.

sudo gedit /etc/ssmtp/ssmtp.conf


The username and password below are fake; don't try them, it is not my responsibility.
AuthUser=someone@gmail.com
AuthPass=s0m3p@$$w0rd
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES


Your Sendmail client should not be running at this point.


You need to have a program called mail installed on your system as well.

sudo apt-get install mailutils
 

echo "THIS is a test" | mail -s "TEST" XYZ@gmail.com

You can check the status of the mail with the help of the exit code.  If it returns zero, the program ran fine.

echo $?

Saturday, July 23, 2011

Adding Path in Linux

#PATH=$PATH:/something:/someother/things

Download videos from Youtube Vimeo

Here we have a wonderful way of downloading videos from YouTube.

http://www.ubuntugeek.com/howto-download-videos-from-youtube-in-ubuntu.html

Install youtube-dl

youtube-dl -o 1.flv "http://www.youtube.com/watch?v=bqrlBicM8lE"

Vimeo - http://ossguy.com/?p=172

Voilà :-D

Temp Java Files

All temporary Java files get saved here.

C:\Users\\AppData\LocalLow\Sun\Java\Deployment\cache


Wow SWF plays on Blogger :-)

Tuesday, July 19, 2011

Index.dat files in Vista

http://www.acesoft.net/delete_index.dat_files.htm


On a Windows Vista computer, the index.dat files are located at:
\Users\\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
\Users\\AppData\Roaming\Microsoft\Windows\Cookies\low\index.dat
\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\\AppData\Local\Microsoft\Windows\History\Content.IE5\index.dat

On Windows 2000 and Windows XP  there are several "index.dat" files in these locations:


\Documents and Settings\\Cookies\index.dat

\Documents and Settings\\Local Settings\History\History.IE5\index.dat

\Documents and Settings\\Local Settings\History\History.IE5\MSHist012001123120020101\index.dat
\Documents and Settings\\Local Settings\History\History.IE5\MSHist012002010720020114\index.dat

\Documents and Settings\\Local Internet Files\Content.IE5\index.dat

On a Windows 9x computer these files are located in the following locations:

\WINDOWS\Cookies\index.dat
\WINDOWS\History\index.dat
\WINDOWS\Temporary Internet Files\index.dat

Saturday, July 16, 2011

Flasm & Flare

Flasm can disassemble a SWF file and Flare can decompile its ActionScript.

remnux@remnux:~/Desktop$ flasm -d old/pages.swf
movie 'old/pages.swf' compressed // flash 6, total frames: 6, frame rate: 0.25 fps, 612x792 px
end
remnux@remnux:~/Desktop$ flasm -d jpeg.swf
movie 'jpeg.swf' // flash 4, total frames: 3, frame rate: 1 fps, 419x292 px
end



remnux@remnux:~/Desktop$ flare old/pages.swf
remnux@remnux:~/Desktop$ flare jpeg.swf
remnux@remnux:~/Desktop$

Need to do more work on flare; someone please let me know how to proceed with it.

jpeg2swf

Here three JPEG pictures are combined to form a single SWF file:

-r specifies the frame rate.
-o specifies the output file.

remnux@remnux:~/Desktop$ jpeg2swf -r 1 image1.jpeg image2.jpeg image3.jpeg -o jpeg.swf
remnux@remnux:~/Desktop$ ls -ltrh
total 76K
-rw-r--r-- 1 remnux remnux 15K 2011-07-16 13:10 image1.jpeg
-rw-r--r-- 1 remnux remnux 17K 2011-07-16 13:10 image2.jpeg
-rw-r--r-- 1 remnux remnux 17K 2011-07-16 13:10 image3.jpeg
-rw-r--r-- 1 remnux remnux 17K 2011-07-16 13:12 jpeg.swf
remnux@remnux:~/Desktop$ swfdump jpeg.swf
[HEADER]        File version: 4
[HEADER]        File size: 16514
[HEADER]        Frame rate: 1.000000
[HEADER]        Frame count: 3
[HEADER]        Movie width: 419.00
[HEADER]        Movie height: 292.00
[009]         3 SETBACKGROUNDCOLOR (00/00/00)
[015]      5279 DEFINEBITSJPEG2 defines id 0001
[002]        38 DEFINESHAPE defines id 0002
[01a]         5 PLACEOBJECT2 places id 0002 at depth 0001
[001]         0 SHOWFRAME 1 (00:00:00,000)
[015]      5526 DEFINEBITSJPEG2 defines id 0003
[002]        38 DEFINESHAPE defines id 0004
[01c]         2 REMOVEOBJECT2 removes object from depth 0001
[01a]         5 PLACEOBJECT2 places id 0004 at depth 0001
[001]         0 SHOWFRAME 2 (00:00:00,1000)
[015]      5508 DEFINEBITSJPEG2 defines id 0005
[002]        38 DEFINESHAPE defines id 0006
[01c]         2 REMOVEOBJECT2 removes object from depth 0001
[01a]         5 PLACEOBJECT2 places id 0006 at depth 0001
[001]         0 SHOWFRAME 3 (00:00:01,999)
[000]         0 END
remnux@remnux:~/Desktop$ swfstrings jpeg.swf
remnux@remnux:~/Desktop$




Since this SWF file was built from images only, swfstrings was not able to pull out any text from it.

swfdump

Here I am dumping A.swf, which contains 6 frames (A, B, C, D, E and F).

remnux@remnux:~/Desktop$ swfdump A.swf
[HEADER]        File version: 6
[HEADER]        File is zlib compressed. Ratio: 63%
[HEADER]        File size: 2320
[HEADER]        Frame rate: 0.250000
[HEADER]        Frame count: 6
[HEADER]        Movie width: 612.00
[HEADER]        Movie height: 792.00
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[030]      1060 DEFINEFONT2 defines id 0004
[020]        34 DEFINESHAPE3 defines id 0001
[01a]         7 PLACEOBJECT2 places id 0001 at depth 0001 (clip to 0004)
[020]        40 DEFINESHAPE3 defines id 0002
[01a]         5 PLACEOBJECT2 places id 0002 at depth 0002
[020]        38 DEFINESHAPE3 defines id 0003
[01a]         7 PLACEOBJECT2 places id 0003 at depth 0003 (clip to 0004)
[021]        34 DEFINETEXT2 defines id 0005
[01a]         5 PLACEOBJECT2 places id 0005 at depth 0004
[001]         0 SHOWFRAME 1 (00:00:00,000)
[01c]         2 REMOVEOBJECT2 removes object from depth 0004
[01c]         2 REMOVEOBJECT2 removes object from depth 0003
[01c]         2 REMOVEOBJECT2 removes object from depth 0002
[01c]         2 REMOVEOBJECT2 removes object from depth 0001
[020]        34 DEFINESHAPE3 defines id 0006
[01a]         7 PLACEOBJECT2 places id 0006 at depth 0001 (clip to 0004)
[020]        40 DEFINESHAPE3 defines id 0007
[01a]         5 PLACEOBJECT2 places id 0007 at depth 0002
[020]        38 DEFINESHAPE3 defines id 0008
[01a]         7 PLACEOBJECT2 places id 0008 at depth 0003 (clip to 0004)
[021]        38 DEFINETEXT2 defines id 0009
[01a]         5 PLACEOBJECT2 places id 0009 at depth 0004
[001]         0 SHOWFRAME 2 (00:00:03,994)
[01c]         2 REMOVEOBJECT2 removes object from depth 0004
[01c]         2 REMOVEOBJECT2 removes object from depth 0003
[01c]         2 REMOVEOBJECT2 removes object from depth 0002
[01c]         2 REMOVEOBJECT2 removes object from depth 0001
[020]        34 DEFINESHAPE3 defines id 0010
[01a]         7 PLACEOBJECT2 places id 0010 at depth 0001 (clip to 0004)
[020]        40 DEFINESHAPE3 defines id 0011
[01a]         5 PLACEOBJECT2 places id 0011 at depth 0002
[020]        38 DEFINESHAPE3 defines id 0012
[01a]         7 PLACEOBJECT2 places id 0012 at depth 0003 (clip to 0004)
[021]        38 DEFINETEXT2 defines id 0013
[01a]         5 PLACEOBJECT2 places id 0013 at depth 0004
[001]         0 SHOWFRAME 3 (00:00:07,988)
[01c]         2 REMOVEOBJECT2 removes object from depth 0004
[01c]         2 REMOVEOBJECT2 removes object from depth 0003
[01c]         2 REMOVEOBJECT2 removes object from depth 0002
[01c]         2 REMOVEOBJECT2 removes object from depth 0001
[020]        34 DEFINESHAPE3 defines id 0014
[01a]         7 PLACEOBJECT2 places id 0014 at depth 0001 (clip to 0004)
[020]        40 DEFINESHAPE3 defines id 0015
[01a]         5 PLACEOBJECT2 places id 0015 at depth 0002
[020]        38 DEFINESHAPE3 defines id 0016
[01a]         7 PLACEOBJECT2 places id 0016 at depth 0003 (clip to 0004)
[021]        34 DEFINETEXT2 defines id 0017
[01a]         5 PLACEOBJECT2 places id 0017 at depth 0004
[001]         0 SHOWFRAME 4 (00:00:11,981)
[01c]         2 REMOVEOBJECT2 removes object from depth 0004
[01c]         2 REMOVEOBJECT2 removes object from depth 0003
[01c]         2 REMOVEOBJECT2 removes object from depth 0002
[01c]         2 REMOVEOBJECT2 removes object from depth 0001
[020]        34 DEFINESHAPE3 defines id 0018
[01a]         7 PLACEOBJECT2 places id 0018 at depth 0001 (clip to 0004)
[020]        40 DEFINESHAPE3 defines id 0019
[01a]         5 PLACEOBJECT2 places id 0019 at depth 0002
[020]        38 DEFINESHAPE3 defines id 0020
[01a]         7 PLACEOBJECT2 places id 0020 at depth 0003 (clip to 0004)
[021]        39 DEFINETEXT2 defines id 0021
[01a]         5 PLACEOBJECT2 places id 0021 at depth 0004
[001]         0 SHOWFRAME 5 (00:00:15,975)
[01c]         2 REMOVEOBJECT2 removes object from depth 0004
[01c]         2 REMOVEOBJECT2 removes object from depth 0003
[01c]         2 REMOVEOBJECT2 removes object from depth 0002
[01c]         2 REMOVEOBJECT2 removes object from depth 0001
[020]        34 DEFINESHAPE3 defines id 0022
[01a]         7 PLACEOBJECT2 places id 0022 at depth 0001 (clip to 0004)
[020]        40 DEFINESHAPE3 defines id 0023
[01a]         5 PLACEOBJECT2 places id 0023 at depth 0002
[020]        38 DEFINESHAPE3 defines id 0024
[01a]         7 PLACEOBJECT2 places id 0024 at depth 0003 (clip to 0004)
[021]        39 DEFINETEXT2 defines id 0025
[01a]         5 PLACEOBJECT2 places id 0025 at depth 0004
[001]         0 SHOWFRAME 6 (00:00:19,969)
[000]         0 END
remnux@remnux:~/Desktop$
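The [HEADER] lines above are a direct read of the SWF file header. As an added example (not part of the original post and not swftools code), the Python below decodes that header: the signature (FWS uncompressed, CWS zlib-compressed), version, uncompressed file length, the bit-packed frame-size RECT in twips, the 8.8 fixed-point frame rate and the frame count. It also includes a small builder that produces a minimal SWF with the same dimensions, rate and frame count as jpeg.swf and A.swf above, so the parser can be exercised without the original files; those bytes are constructed here, not the real files.

```python
import struct
import zlib


class BitReader:
    """MSB-first bit reader for the bit-packed fields in a SWF header."""

    def __init__(self, data):
        self.data, self.bitpos = data, 0

    def read_bits(self, n, signed=False):
        value = 0
        for _ in range(n):
            byte = self.data[self.bitpos >> 3]
            value = (value << 1) | ((byte >> (7 - (self.bitpos & 7))) & 1)
            self.bitpos += 1
        if signed and n and value & (1 << (n - 1)):
            value -= 1 << n                 # two's complement sign extension
        return value

    def byte_align(self):
        self.bitpos = (self.bitpos + 7) & ~7

    @property
    def byte_pos(self):
        return self.bitpos >> 3


def parse_swf_header(data):
    """Decode the fields swfdump prints as [HEADER] lines."""
    sig, version, file_len = struct.unpack_from("<3sBI", data, 0)
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF file: bad signature %r" % sig)
    compressed = sig == b"CWS"
    body = zlib.decompress(data[8:]) if compressed else data[8:]
    # Frame size is a RECT: 5-bit field width, then four signed values in twips.
    r = BitReader(body)
    nbits = r.read_bits(5)
    xmin, xmax, ymin, ymax = (r.read_bits(nbits, signed=True) for _ in range(4))
    r.byte_align()
    # Frame rate is 8.8 fixed point, little-endian: fraction byte, then integer byte.
    rate_frac, rate_int, frame_count = struct.unpack_from("<BBH", body, r.byte_pos)
    return {
        "version": version,
        "compressed": compressed,
        "file_size": file_len,          # uncompressed size, header included
        "stored_size": len(data),
        "frame_rate": rate_int + rate_frac / 256.0,
        "frame_count": frame_count,
        "width": (xmax - xmin) / 20.0,  # 20 twips per pixel
        "height": (ymax - ymin) / 20.0,
    }


def build_swf(width_px, height_px, frame_rate, frame_count, version=4, compress=False):
    """Build a minimal SWF (header plus an END tag) for exercising the parser."""
    xmax, ymax = int(width_px * 20), int(height_px * 20)
    nbits = max(xmax, ymax).bit_length() + 1        # one extra bit for the sign
    bits = format(nbits, "05b") + "".join(format(v, "0%db" % nbits) for v in (0, xmax, 0, ymax))
    bits += "0" * (-len(bits) % 8)                  # pad the RECT to a byte boundary
    rect = int(bits, 2).to_bytes(len(bits) // 8, "big")
    rate_int = int(frame_rate)
    rate_frac = int(round((frame_rate - rate_int) * 256))
    body = rect + struct.pack("<BBH", rate_frac, rate_int, frame_count) + b"\x00\x00"  # END tag
    file_len = 8 + len(body)                        # recorded before compression
    if compress:
        body = zlib.compress(body)
    return struct.pack("<3sBI", b"CWS" if compress else b"FWS", version, file_len) + body


if __name__ == "__main__":
    # Same dimensions, rate and frame count as jpeg.swf above (constructed bytes).
    for key, value in parse_swf_header(build_swf(419, 292, 1.0, 3)).items():
        print("[HEADER]  %s: %s" % (key, value))
```

For a compressed file the "Ratio" swfdump prints is stored_size divided by file_size; the length field always records the uncompressed size, so a mismatch between the two for an FWS file is itself a sign the file was tampered with or truncated.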

swfcombine & swfstring

Swfcombine will combine two SWF files into one file:

-a is used for concatenating two SWF files.
-v is used for verbose output.



Swfstrings will scan a SWF file for text.




 

PDF to SWF

Here I created six pages in LibreOffice, saved them as PDF and converted them to SWF; the result is a SWF which loops through all six pages.





Starting SSH on Remnux

Do the same thing for RSA keys as well.

Converting your existing .vmdk Virtual Disc Image To a .vdi File

STEP1: If we have multiple vmdk files like "vm.vmdk, vm-flat.vmdk, vm-0001.vmdk", we have to reorganize our .vmdk files into a single one with:

vmware-vdiskmanager -r vm.vmdk -t 0 harddrive-name.vmdk



STEP2: sudo apt-get install qemu

STEP3: qemu-img convert harddrive-name.vmdk raw.bin


STEP4: VBoxManage convertdd raw.bin new.vdi


STEP5: Now create a new virtual machine and add the new.vdi hard disk.

Extracting files from a pcap file

This is one way of extracting files from a PCAP file.


Now click on what needs to be saved and click on Save As.


Thanks Alpha Alpha Jack (AAJ)

Importing Snapshots on VirtualBox

I had a laptop with a VM on VirtualBox. The VM had some 5 snapshots. I had
to format the laptop for some reason. So I just copied the VM directory. Now
I want to import it into my newly installed VirtualBox.

I am able to attach the harddisk to a new VM which gives me the last snapshot. Now I want to import my snapshots into it. I have a .vbox file which seems to have information about the snapshots in some XML format. Please help.

Did this in the terminal:

VBoxManage registervm /path/to/filename.vbox

This imported the VM complete with snapshots. :)
 

Friday, July 15, 2011

Recover lost Yahoo mail

What a wonderful link.

http://help.yahoo.com/l/us/yahoo/mail/yahoomail/mail_restore.html?pir=HYfmUv1ibUlNGbXTGAHgqOgcde6uKbSpNEhRiCxVjEG.gsCc.l.jo67K5i74wezDGTwoif0IDvvG.ys.mslUXUzlnRYvLQ--

Wednesday, July 13, 2011

Creating a BAT file

With this VBScript we can create a .bat file containing one command line for each .doc file in a folder.

' Writes script.bat into the current folder with one command per .doc file found there.
On Error Resume Next
Dim fileobj, objStartFolder, objFolder, colFiles, objFile, outfile, i
Set fileobj = CreateObject("Scripting.FileSystemObject")
objStartFolder = "."
Set objFolder = fileobj.GetFolder(objStartFolder)
Set colFiles = objFolder.Files
' 8 = ForAppending, True = create the file if it does not exist yet
Set outfile = fileobj.OpenTextFile(objFolder.Path & "\script.bat", 8, True)
i = 0
For Each objFile In colFiles
    If UCase(Right(objFile.Name, 4)) = ".DOC" Then
        ' Chr(34) wraps the file name in double quotes so names with spaces survive in the batch file
        outfile.WriteLine("c:\some.exe " & Chr(34) & objFile.Name & Chr(34) & " bla bla bla ")
        i = i + 1
    End If
Next
'outfile.WriteLine("total number of doc files = " & i)

outfile.Close
If Err.Number <> 0 Then
    'MsgBox "Unexpected Error" & vbCrLf & vbCrLf & Err.Description
End If

Editing the range of Y axis in a Chart in Open Office SpreadSheet

First right click on the chart select Edit.



Second right click on the Y Axis number and select Format Axis.



Third, the dialog you need opens.

Sunday, July 10, 2011

Fake DNS & Mailpot

This link has Fake DNS and Mailpot listening on localhost.

http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack

CaptureBAT

http://www.honeynet.org/node/315

Using this tool we can capture the network activity and copies of all the shift-deleted files.

capturebat -n -c

We need to have the following prerequisites installed so that CaptureBAT runs properly.

http://www.microsoft.com/download/en/details.aspx?id=3387

http://www.winpcap.org/install/default.htm

Process Monitor

This tool will allow you to see the processes which are created on the system.

Now we will create a filter to show just those processes with "talk" in their name.



Here it has captured all the processes which started when Gtalk was clicked.

RegShot

This tool will take a Registry snapshot of the system at two different times and tell what has changed.

http://sourceforge.net/projects/regshot

Strings to analyse Executables

Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.

 http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx
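To make the "ASCII or UNICODE strings of length 3 or more" rule concrete, here is an added Python example (not the Sysinternals tool and not the post's own code) that scans a byte string for both kinds of run, records their offsets, and picks out the strings an analyst would look at first (URLs, IP addresses, DLL/EXE names). The sample bytes are constructed to look like the start of a PE file followed by two UTF-16LE strings; the DLL name and URL in it are made up for the example.

```python
import re

# Constructed sample: a fake PE-like prefix, an ASCII string, then two
# UTF-16LE strings separated by non-printable bytes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00\x00"
    + "kernel32.dll".encode("utf-16-le")
    + b"\x00\x00\x01\x02"
    + "http://example.test/update".encode("utf-16-le")
    + b"\xff\xfe"
)

# Things worth a second look in a strings dump: URLs, host/file names, IPs.
INDICATOR_RE = re.compile(
    r"(?i)(https?://\S+|\b[\w.-]+\.(?:dll|exe|sys|bat|vbs)\b|\b(?:\d{1,3}\.){3}\d{1,3}\b)"
)


def extract_strings(data, min_len=3):
    """Return (offset, kind, text) for every run of at least min_len printable
    characters, either plain ASCII or UTF-16LE (ASCII char, NUL), in file order.
    Printable means 0x20..0x7E, which is what makes "MZ" too short and a lone
    letter inside a UTF-16 string invisible to the ASCII scan."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    unicode_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "unicode", m.group().decode("utf-16-le"))
              for m in unicode_re.finditer(data)]
    return sorted(found)


def indicators(strings):
    """Filter extract_strings() output down to URL/IP/file-name-looking entries."""
    return [text for _, _, text in strings if INDICATOR_RE.search(text)]


def strings_from_file(path, min_len=3):
    """Same scan over a file on disk."""
    with open(path, "rb") as fh:
        return extract_strings(fh.read(), min_len)


if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE):
        print("%08x %-7s %s" % (offset, kind, text))
    print("indicators:", indicators(extract_strings(SAMPLE)))
```

The UTF-16 scan is what separates this from a plain grep: Windows binaries keep imports, registry paths and many URLs as wide strings, so an ASCII-only pass misses them entirely.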

Saturday, July 9, 2011

Digging Web Browsers

This tool would show the IE Cache.

http://www.nirsoft.net/utils/ie_cache_viewer.html

This tool would show the IEHistory.

http://www.nirsoft.net/utils/iehv.html

This tool would show My Last Search.

http://www.nirsoft.net/utils/my_last_search.html



This tool would show the Mozilla's History View.

http://www.nirsoft.net/utils/mozilla_history_view.html

This tool would show the Mozilla's Cache.

http://www.nirsoft.net/utils/mozilla_cache_viewer.html

This tool would show the Favorites in both IE and Mozilla.

http://www.nirsoft.net/utils/faview.html

Mozilla and IE password recovery

Kindly use these tools only for good; I am in no way responsible for your irresponsible acts.

Before IE 7: http://www.nirsoft.net/utils/pspv.html
IE 7 and later: http://www.nirsoft.net/utils/internet_explorer_password.html



Firefox: http://www.nirsoft.net/utils/passwordfox.html

Mozilla's and IE Cookie Viewer

For Mozilla: http://www.nirsoft.net/utils/mzcv.html


For IE: http://www.nirsoft.net/utils/iecookies.html

Registry

http://www.systemtools.com/download/dumpreg.zip

This tool will just dump the Registry.





http://www.nirsoft.net/utils/usb_devices_view.html

This can show us all the details about the USB devices which have been plugged in.

USBDeview.exe /stext c:\txt.txt

==================================================
Device Name       : USB Network Controller
Description       : USB Network Controller
Device Type       : Unknown
Connected         : No
Safe To Unplug    : No
Disabled          : No
USB Hub           : No
Drive Letter      :
Serial Number     :
Created Date      : 7/9/2011 3:14:34 AM
Last Plug/Unplug Date: 7/9/2011 3:14:34 AM
VendorID          : bla bla bla
ProductID         : number bla bla bla
Firmware Revision : 1.01
USB Class         : 00
USB SubClass      : 00
USB Protocol      : 00
Hub / Port        : Hub 0, Port 1
Computer Name     :
Vendor Name       :
Product Name      :
ParentId Prefix   :
Service Name      :
Service Description:
Driver Filename   :
Device Class      :
Device Mfg        :
Power             :
Driver Description:
Driver Version    :
Instance ID       : USB\Vid_bla bla bla bla p;0&1
==================================================

Examining File System

http://www.ntsecurity.nu/toolbox/macmatch/

MACMatch lets you search for files by their last write, last access or creation time without changing any of these times.

macmatch.exe H:\Tools -c 2011-07-09:02.00 2011-07-09:02.15
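The important property of MACMatch is the "without changing any of these times" part. As an added example (not the MACMatch tool and not the post's own code), the Python below performs the same search over a directory tree using os.stat(), which reads metadata without touching access times, accepts MACMatch's YYYY-MM-DD:HH.MM window syntax, and shows the one portability caveat: the "c" timestamp is creation time on Windows but inode-change time on Linux/macOS. The demo() fixture creates three temporary files with constructed timestamps; the directory prefix and file names are made up.

```python
import os
import tempfile
import time
from datetime import datetime


def parse_macmatch_time(text):
    """'YYYY-MM-DD:HH.MM' (MACMatch's format, local time) -> epoch seconds."""
    return time.mktime(datetime.strptime(text, "%Y-%m-%d:%H.%M").timetuple())


def find_by_time(root, start, end, which="m"):
    """Relative paths under root whose chosen timestamp falls in [start, end].

    which: 'm' = last write, 'a' = last access, 'c' = creation time on Windows
    but inode-change time on Linux/macOS (MACMatch's -c is the Windows meaning).
    os.stat() only reads metadata, so the search itself does not update any of
    these times; opening or reading the files would touch their access time.
    """
    attr = {"m": "st_mtime", "a": "st_atime", "c": "st_ctime"}[which]
    lo, hi = parse_macmatch_time(start), parse_macmatch_time(end)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if lo <= getattr(os.stat(path), attr) <= hi:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed fixture: three files with atime/mtime set to known times,
    searched with the same window as the macmatch command above. Returns the
    matches by last-write time and by the 'c' time."""
    root = tempfile.mkdtemp(prefix="macmatch_demo_")
    stamps = {"inside.txt": "2011-07-09:02.05",
              "early.txt": "2011-07-09:01.30",
              "late.txt": "2011-07-09:03.00"}
    for name, when in stamps.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        t = parse_macmatch_time(when)
        os.utime(path, (t, t))          # sets (atime, mtime); ctime cannot be set this way
    by_mtime = find_by_time(root, "2011-07-09:02.00", "2011-07-09:02.15", "m")
    by_ctime = find_by_time(root, "2011-07-09:02.00", "2011-07-09:02.15", "c")
    return by_mtime, by_ctime


if __name__ == "__main__":
    print(demo())
```

The second list from demo() is empty on every platform: the files were just created, so their creation time (Windows) or inode-change time (POSIX) is "now", well outside a 2011 window. That is the same reason a suspect's backdated mtime does not fool a search on the "c" timestamp.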

Examine the File System

http://www.foundstone.com/us/resources/proddesc/forensictoolkit.htm



hfind and sfind can be used to find hidden files and alternate data streams.

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

Streams.exe can find alternate data streams.

Sunday, July 3, 2011

Online Morse code Generator

Wow what a wonderful tool of the 19th Century :-D

http://morsecode.scphillips.com/jtranslator.html

All credit to the source from here http://www.wikihow.com/Image:Morse_Code_219.JPG

The pictures here are just for my bookmark references.