Saturday, July 21, 2012

Fixed DVD drive not opening

Wow, I have never before removed almost all the components of a DVD drive and put them back together to this extent.

LG DVD tray opening problem: it stopped opening even when I pushed a pin into the pin hole.

Note: I don't take responsibility if you break your DVD drive by following my steps.

Step 1: Remove the drive from the CPU cabinet by removing all the screws.
Step 2: Remove four screws to take off the back plate of the DVD drive.
Step 3: Detach the two sets of ribbon cable from the main board and remove the board; be careful, there are two more cables behind the board as well.
Step 4: Now you can see the underside of the board, where two more cables are attached. The smaller ribbon cable will pop out as soon as you pull it; however, the larger one is clipped down, and you have to lift the clip before pulling the larger ribbon cable out.
Step 5: Remove the assembly which holds the lens by unscrewing two screws towards the end of the box. The other side is just held with rubber, which can be squeezed to pull it out.
Step 6: Now remove the plastic piece where the rubber was attached to the lens assembly.
Step 7: Now remove the tray by sliding it out. Here I broke a small notch, as I did not know how to remove it.
Step 8: Now clean every place where you see movement; I applied lip Vaseline.
Step 9: Do all the steps shown above in reverse :-)
Step 10: You have now breathed new life into your old DVD drive, which was about to be dumped :-D Hurray.


Tuesday, July 10, 2012

Analyzing a Snort Alert

Yesterday I was going about my business and suddenly noticed that there were three alerts on my IDS with the signature shown below.


I tried looking at the payload; it was really huge, as shown below.


I tried looking up the IP at http://whois.domaintools.com/91.229.143.59, but I did not get any information useful to me.

I wanted to clean up the payload shown above to see just the URLs, so I used the command shown here: grep http tmp.txt | cut -d" " -f1 | grep \' | cut -d\' -f1


Well, fair enough: except for the first one, all the others do seem to be malicious, so I went looking through my web proxy logs to see how I had landed on that IP.

One look at the proxy logs and I almost felt like an amnesia patient getting back his/her memories :-D, because yesterday I was using urlquery.net for an experiment I was performing.


Bottom line: long story short, it really pays to have logging enabled to determine whether an incident is a false positive or not :-)
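The triage the post describes, pulling the URLs out of a payload dump and then asking the proxy logs how the client reached that IP, as an added shell example that is not part of the original post. The payload snippet and the proxy log lines below are constructed; the log layout assumed is the squid native access.log format (client in the third field, URL in the seventh), and the only value taken from the post is the alerted IP 91.229.143.59. The function names extract_urls and proxy_context are mine.

```shell
#!/bin/sh
# Added example (not the blog's own script): correlate an IDS alert IP with
# web proxy logs to see what led the client to that host.

# Constructed payload snippet, in the shape an IDS packet dump might show:
# URLs embedded in single-quoted JavaScript strings.
PAYLOAD="var a='http://91.229.143.59/x.js'; var b='http://91.229.143.59/loader.php?id=1';
var c='http://example.com/benign.js';"

# Constructed proxy log lines (assumed squid native format: timestamp, elapsed,
# client, result, bytes, method, URL, user, hierarchy, type). The client visits
# a urlquery.net report page, and that page pulls content from the alerted IP.
PROXY_LOG="1341878400.123    150 192.168.1.50 TCP_MISS/200 5120 GET http://urlquery.net/report.php?id=12345 - DIRECT/1.2.3.4 text/html
1341878401.456     90 192.168.1.50 TCP_MISS/200 2048 GET http://91.229.143.59/x.js - DIRECT/91.229.143.59 application/javascript
1341878402.789     80 192.168.1.50 TCP_MISS/200 1024 GET http://91.229.143.59/loader.php?id=1 - DIRECT/91.229.143.59 text/html"

# extract_urls: print the single-quoted URLs in a payload, one per line, deduplicated.
# Same idea as the post's grep/cut pipeline, but it copes with several URLs on one line.
extract_urls() {
    printf '%s\n' "$1" | grep -o "'http[^']*'" | tr -d "'" | sort -u
}

# proxy_context: for a suspect IP, find the client that talked to it and print that
# client's requests in order, up to and including the first request to the IP.
# The requests before the hit answer "how did I land on that IP".
proxy_context() {
    ip="$1"
    client=$(printf '%s\n' "$PROXY_LOG" | awk -v ip="$ip" \
        '$7 ~ ("://" ip "/") { print $3; exit }')
    [ -n "$client" ] || return 1
    printf '%s\n' "$PROXY_LOG" | awk -v ip="$ip" -v c="$client" \
        '$3 == c { print $7; if ($7 ~ ("://" ip "/")) exit }'
}

echo "URLs in payload:"
extract_urls "$PAYLOAD"
echo "Proxy requests leading to 91.229.143.59:"
proxy_context 91.229.143.59
```

The first request printed by proxy_context is the urlquery.net report page, which is exactly the context that turns the alert into a known false positive; without the proxy log that line of evidence does not exist.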

Sunday, July 8, 2012

Metasploit SNMP

Here we will try to enumerate everything we can using an unprotected SNMP service on an XP machine.

Let us load up msfconsole and use this auxiliary scanner.

msf > use auxiliary/scanner/snmp/snmp_enum


Let us set RHOSTS to 192.168.1.17 and check the options.

msf  auxiliary(snmp_enum) > show options

Module options (auxiliary/scanner/snmp/snmp_enum):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS     192.168.1.17     yes       The target address range or CIDR identifier
   RPORT      161              yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version <1/2c>

Let the enumeration begin :-)

msf  auxiliary(snmp_enum) > run

[*] 192.168.1.17, Connected.
[*] System information

Host IP                       : 192.168.1.17
Hostname                      : TEST-COMP
Description                   : Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)
Contact                       : -
Location                      : -
Uptime snmp                   : 4 days, 08:42:26.92
Uptime system                 : 00:04:07.25
System date                   : 2012-7-8 22:23:32.0
User accounts:
     ["Admin"]
     ["Guest"]
     ["Analyst"]
     ["Administrator"]
     ["HelpAssistant"]
     ["SUPPORT_388945a0"]
Network information:
    IP forwarding enabled         : no
    Default TTL                   : 128
    TCP segments received         : 16205
    TCP segments sent             : 7460
    TCP segments retrans          : 7576
    Input datagrams               : 20191
    Delivered datagrams           : 20192
    Output datagrams              : 16540
Network interfaces:
     Interface                    : [ unknown ] AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
      Id                          : 2
      Mac Address                 : 08:00:27:1a:c8:46
      Type                        : unknown
      Speed                       : 100 Mbps
      MTU                         : 1500
      In octets                   : 8255084
      Out octets                  : 1517158

Network IP:
     Id     IP Address     Netmask     Broadcast
     1     127.0.0.1     255.0.0.0     1
     2     192.168.1.17     255.255.255.0     1
Routing information:
     Destination     Next hop     Mask     Metric
     0.0.0.0     192.168.1.1     0.0.0.0     20
     127.0.0.0     127.0.0.1     255.0.0.0     1
     192.168.1.0     192.168.1.17     255.255.255.0     20
     192.168.1.17     127.0.0.1     255.255.255.255     20
     192.168.1.255     192.168.1.17     255.255.255.255     20
     224.0.0.0     192.168.1.17     240.0.0.0     20
     255.255.255.255     192.168.1.17     255.255.255.255     1
TCP connections and listening ports:
     192.168.1.17     1430     192.168.1.16     80     unknown
     192.168.1.17     1431     192.168.1.16     80     unknown
     192.168.1.17     1433     192.168.1.16     3333     unknown
     192.168.1.17     4444     192.168.1.16     44817     unknown
Listening UDP ports:
     Local address     Local port
     0.0.0.0     161
     0.0.0.0     162
Network services:
     Index     Name
     0     Server
     7     SNMP Service
     21     SNMP Trap Service
Storage information:
     Description                  : ["C:\\ Label:  Serial Number 501d446f"]
      Device id                   : [1]
      Filesystem type             : ["Fixed Disk"]
      Device unit                 : [4096]
      Memory size                 : 9.99 GB
      Memory used                 : 3.47 GB
     Description                  : ["Physical Memory"]
      Device id                   : [4]
      Filesystem type             : ["Ram"]
      Device unit                 : [65536]
      Memory size                 : 511.44 MB
      Memory used                 : 349.00 MB
Software components:
     Id     Status     Name     Path     Parameters
     1     Microsoft Office Enterprise 200
     2     Oracle VM VirtualBox Guest Addi
     3     Python 2.7 PIL-1.1.7
     4     J2SE Runtime Environment 5.0 Up
     5     Python 2.7.1
     6     WebFldrs XP
     7     Adobe Reader 9.4.0


[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(snmp_enum) >
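What an unauthenticated reader of this SNMP agent learns, turned into a defender's checklist: an added shell example, not part of the post or of Metasploit, that parses a trimmed copy of the snmp_enum output above (embedded so it runs offline), lists the accounts that are not in a baseline of stock Windows XP local accounts (that baseline is an assumption for the example), and flags the agent being bound on 0.0.0.0:161. The helper names section, accounts, udp_listeners, unexpected_accounts and snmp_exposed are mine.

```shell
#!/bin/sh
# Added example (not the post's own script): summarise what an snmp_enum dump
# exposes and compare it against an expected baseline.

# Trimmed copy of the post's snmp_enum output, embedded so the script runs offline.
DUMP='User accounts:
     ["Admin"]
     ["Guest"]
     ["Analyst"]
     ["Administrator"]
     ["HelpAssistant"]
     ["SUPPORT_388945a0"]
Network information:
    IP forwarding enabled         : no
Listening UDP ports:
     Local address     Local port
     0.0.0.0     161
     0.0.0.0     162
Network services:
     Index     Name
     0     Server
     7     SNMP Service
Software components:
     Id     Status     Name     Path     Parameters
     1     Microsoft Office Enterprise 200
     7     Adobe Reader 9.4.0
'

# section: print the indented body lines of one "Header:" section of the dump.
section() {
    printf '%s\n' "$DUMP" | awk -v h="$1" '
        $0 == (h ":") { on = 1; next }
        /^[A-Za-z].*:$/ { on = 0 }
        on { print }'
}

# accounts: account names, one per line, sorted.
accounts() {
    section "User accounts" | sed -n 's/.*\["\([^"]*\)"].*/\1/p' | sort
}

# udp_listeners: "address port" for every listening UDP socket.
udp_listeners() {
    section "Listening UDP ports" | awk 'NF == 2 && $2 ~ /^[0-9]+$/ { print $1, $2 }'
}

# unexpected_accounts: accounts on the host that are not in the baseline.
# Constructed baseline: the default local accounts of a Windows XP install.
unexpected_accounts() {
    accounts | awk 'BEGIN {
            split("Administrator Guest HelpAssistant SUPPORT_388945a0", b, " ")
            for (i in b) base[b[i]] = 1
        }
        !($1 in base)'
}

# snmp_exposed: exit 0 when the SNMP agent listens on every interface (udp/161 on
# 0.0.0.0), i.e. it is reachable from the network, not just from localhost.
snmp_exposed() {
    udp_listeners | grep -q '^0\.0\.0\.0 161$'
}

echo "Accounts not in the baseline:"
unexpected_accounts
snmp_exposed && echo "SNMP agent bound to all interfaces (udp/161)"
```

The two accounts this flags (Admin and Analyst) and the 0.0.0.0:161 binding are the findings to act on: restrict the agent to a named manager, replace the default community string, and ask why those accounts exist. The same enumeration is available to anyone on the network who knows the community string "public".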

Saturday, July 7, 2012

Metasploit 10n11 and 12n13




Remote Desktop Problem from Ubuntu 10.04 to Ubuntu 10.04

OMG, I spent a lot of time troubleshooting this simple one, and it will keep haunting me for many days to come :-(

The task at hand was very simple: I had to take a remote desktop of System A, running Ubuntu 10.04 natively with an Nvidia graphics card, on to System B, running Ubuntu 10.04 inside VirtualBox.

First step: I tried vino, the built-in remote desktop service. I turned it on and sure enough it was running; however, when I attempted to connect to it from System B I got just a black screen in the VNC viewer. At times I was able to see the remote system, move my mouse and click on certain things, and that did work on the remote system, but the VNC screen locally was not refreshing :-(


Second step: I tried removing all desktop effects on System A; still no change.

Third step: I installed vnc4server with apt-get install vnc4server and started a VNC server on port 5901 with the command vncserver :1. Now I was able to see and interact with just a bash terminal, no GNOME. To fix the VNC server running on port 5901 I had to edit the file at ~/.vnc/xstartup.

The only change was to put sh in front of /etc/X11/xinit/xinitrc on the exec line, then kill the current vncserver session and restart it.

http://www.havetheknowhow.com/Configure-the-server/Install-VNC.html

#!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
# The fix from the post: run xinitrc through sh so the full GNOME session
# starts instead of a bare terminal.
exec sh /etc/X11/xinit/xinitrc

# Everything below is the stock xstartup. Because exec above replaces this
# shell, these lines are never reached once the two lines above are active.
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
xsetroot -solid grey
vncconfig -iconic &
x-terminal-emulator -geometry 1280x1024+10+10 -ls -title "$VNCDESKTOP Desktop" &

Now I was able to see and interact with the desktop of System A; however, I was not able to see display :0 of System A. When I attempted to start vnc4server on display 0 with vncserver :0 I got an error saying that it was already in use, so I jumped to the fourth solution.

Fourth step: I installed x11vnc; still I had the same problem as in step 1.

Fifth step: I clicked on System > Administration > Hardware Drivers.
I saw a green dot showing the Nvidia proprietary driver installed on System A, chose to remove it and restarted System A. Voilà, now my problem finally got fixed.