Friday, November 20, 2015

Windows 10 Security



http://video.ch9.ms/sessions/ignite/2015/BRK2308.mp4

Starting PowerPoint from the command line
> bp user32!setwindowstextw "ezu @eax \"Untitled:Powerpoint\" ;bd*;gc"
> g

1) Tokens / Elevated Tokens

Launch two cmd prompts, one as a normal user and the other as admin, and in each run
> whoami /all
This gives you your SID together with the groups, privileges and integrity level of that token.

Once we log in, WinLogon gives us an elevated (full) token.
It then derives a second token, which is filtered.
Then it creates a process called explorer.exe using the filtered token mentioned above.

The elevation process uses the ShellExecute API.  This calls into the "AppInfo" service; if that service is turned off we cannot elevate our rights.  AppInfo in turn invokes consent.exe.

The elevation behaviour is driven by settings in the "Local Group Policy Editor" under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.  Once there, scrolling a long way down gets us to all the "User Account Control: **********" entries.

UAC master switch is controlled by "User Account Control: Run all administrators in Admin Approval Mode"

The two most important settings we need to worry about are
"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
"User Account Control: Behavior of the elevation prompt for standard users"

In Windows we have a collection of "Logon Sessions", each containing a collection of "Desktops", each containing a collection of "Windows", which can in turn contain a collection of "windows".

MSRA.exe is Microsoft Remote Assistance, the one which looked similar to conf, remember?

Microsoft Application Compatibility Administrator Tool - This is a part of Application Compatibility Toolkit.  This is hidden inside the Windows ADK (Assessment and Deployment Kit) 5.61 we will get the Kernel one.

Double-clicking on Setup shows the pattern *Setup*
Under Update the pattern is *Update*
Under Installer Detection the pattern is *instal*
Under Patch the pattern is *patch*

Under "Compatibility Fixes" we have fixes called "RunAsAdmin", "RunAsHighest" and "RunAsInvoker".
We also have "SpecificInstaller" and "SpecificNonInstaller".

When we ran "whoami /all" we saw something called "Medium Mandatory Level".  This comes into play when we face the question: do we trust all our apps to the same degree?

"S-1-16-8192"
"S-1-16" is the integrity (mandatory label) authority.
8192 is the level: a 32-bit number (the RID) which determines the integrity level.

psexec -l -d c:\Windows\SysWOW64\notepad.exe

The -l on psexec executes notepad as a low integrity process.  This even prevents notepad from writing to the home directory of the user as whom we launched the notepad process.
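The S-1-16 label is easy to decode programmatically.  The following is an added Python example, not code from the talk or from these notes: it parses a SID string, names the integrity level for its RID using the documented SECURITY_MANDATORY_*_RID values, applies the no-write-up rule that keeps the low-integrity notepad out of a medium-integrity profile directory, and pulls the label out of a constructed fragment of "whoami /all" output.  INTEGRITY_LEVELS, parse_sid, integrity_level, may_write and label_from_whoami are names chosen here.

```python
import re
from typing import List, Optional, Tuple

# Documented SECURITY_MANDATORY_*_RID values: the last component of an S-1-16-* SID.
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",               # S-1-16-4096, what psexec -l gives notepad
    0x2000: "Medium",            # S-1-16-8192, the filtered user token
    0x2100: "Medium Plus",
    0x3000: "High",              # S-1-16-12288, the elevated admin token
    0x4000: "System",
    0x5000: "Protected Process",
}

MANDATORY_LABEL_AUTHORITY = 16   # the "16" in S-1-16-8192

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-<rev>-<authority>-<sub>...' into its numeric parts."""
    m = _SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    subs = [int(x) for x in m.group(3).split("-") if x]
    return int(m.group(1)), int(m.group(2)), subs


def integrity_rid(sid: str) -> int:
    """Return the RID of a mandatory-label SID; reject any other SID."""
    _, authority, subs = parse_sid(sid)
    if authority != MANDATORY_LABEL_AUTHORITY or len(subs) != 1:
        raise ValueError(f"{sid} is not a mandatory label (S-1-16-<rid>) SID")
    return subs[0]


def integrity_level(sid: str) -> str:
    """Name the level. Windows compares labels numerically, so a RID between
    two named levels counts as the lower named one."""
    rid = integrity_rid(sid)
    named = max(level for level in INTEGRITY_LEVELS if level <= rid)
    return INTEGRITY_LEVELS[named]


def may_write(subject_sid: str, object_sid: str) -> bool:
    """No-write-up rule of Mandatory Integrity Control: a process may write an
    object only when its label is at least the object's label."""
    return integrity_rid(subject_sid) >= integrity_rid(object_sid)


def label_from_whoami(output: str) -> Optional[str]:
    """Pull the mandatory label SID out of 'whoami /all' text, if present."""
    m = re.search(r"\bS-1-16-\d+\b", output)
    return m.group(0) if m else None


# Constructed sample of the GROUP INFORMATION row that whoami /all prints for a
# medium-integrity token (column spacing shortened).
SAMPLE_WHOAMI = """GROUP INFORMATION
-----------------
Group Name                              Type   SID          Attributes
Mandatory Label\\Medium Mandatory Level  Label  S-1-16-8192
"""

if __name__ == "__main__":
    sid = label_from_whoami(SAMPLE_WHOAMI)
    print(sid, "->", integrity_level(sid))
    # The low-integrity notepad from psexec -l cannot write a medium-labelled file.
    print("low may write medium:", may_write("S-1-16-4096", "S-1-16-8192"))
```

The no-write-up check is the whole reason psexec -l is useful for containing an untrusted program: whatever the process does, its writes are refused by anything labelled above it.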

chml is a tool for changing the integrity level of a file.  To mark a file as low integrity, use the command as follows.

chml file.txt -b 0-i:ll

Let us launch an application called "Microsoft Spy++", which is distributed as part of Visual Studio.  It shows us how many windows are open on our system.

2) Integrity Levels

3) User Interface Privilege Isolation.

4) Capabilities (New in Win 8 and Win 10)

5) App Containers

Saturday, September 5, 2015

SED Kufu

This saved me from a boring task.  Here I renamed a bunch of files by removing some standard text and adding a leading zero to single-digit file titles.


ls -ltrh | grep -o Java.* | sed -e 's/.*/mv_&" "&"/g' -e 's/ "Java Programming Tutorial/ "/g' -e 's/" - /\n"Java/g' | sed -E '/(mv_Java)/!s/ //g' | paste -d" " - - | sed 's/mv_/mv "/g'
The sed -E '/(mv_Java)/!s/ //g' stage strips spaces only from lines that do not contain mv_Java, i.e. from the new names, leaving the original names intact.
This second pipeline adds a leading zero to single digits.
ls -ltrh | grep -o -P Java[0-9]{1}-.* | sed 's/.*/mv_&\n&/g' | sed -E '/mv_/!s/Java/Java0/g' | paste -d" " - - | sed 's/mv_/mv /g'

http://pastebin.com/sYBCiPau
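The same renaming as an added Python example, not the post's sed pipelines: new_name() applies both passes to one file name (strip the prefix and separators, remove the spaces, zero-pad a single-digit lesson number), and plan_renames() produces the mv pairs while refusing a plan in which two files would collide on the same new name, something mv would accept silently by overwriting.  The file names are constructed; the prefix is the one in the sed pattern; the function names are chosen here.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# The standard text the post strips, taken from its sed pattern.
PREFIX = "Java Programming Tutorial"


def new_name(old: str) -> str:
    """Apply the post's two sed passes to one file name.

    'Java Programming Tutorial - 3 - Foo Bar' -> 'Java3-FooBar' -> 'Java03-FooBar'
    """
    sep = PREFIX + " - "
    if not old.startswith(sep):
        raise ValueError(f"{old!r} does not start with {sep!r}")
    rest = "Java" + old[len(sep):]          # 'Java3 - Foo Bar'
    rest = rest.replace(" ", "")            # 'Java3-FooBar'
    # Pad a single digit directly after 'Java'; two-digit numbers are left alone.
    return re.sub(r"^Java(\d)(?!\d)", r"Java0\1", rest)


def plan_renames(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (old, new) pairs, refusing a plan where two names collide."""
    pairs = [(name, new_name(name)) for name in names]
    seen: Dict[str, str] = {}
    for old, new in pairs:
        if new in seen:
            raise ValueError(f"{old!r} and {seen[new]!r} would both become {new!r}")
        seen[new] = old
    return pairs


def apply_renames(pairs: List[Tuple[str, str]], dry_run: bool = True) -> None:
    """Print the equivalent mv commands; rename only when dry_run is False."""
    for old, new in pairs:
        print(f'mv "{old}" "{new}"')
        if not dry_run:
            os.rename(old, new)


# Constructed sample directory listing.
SAMPLE_FILES = [
    "Java Programming Tutorial - 3 - Foo Bar",
    "Java Programming Tutorial - 12 - Baz",
]

if __name__ == "__main__":
    apply_renames(plan_renames(SAMPLE_FILES))
```

Run it without arguments for the dry run, which prints exactly the mv lines the sed pipelines emit; pass dry_run=False once the plan looks right.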
 

Sunday, August 2, 2015

Treesheets cheatsheet

Treesheet cheatsheet :-)


Treesheets

HI

To install treesheets from the Git repository follow the steps below.

We need GTK > 1.2 to build wxWidgets, and wxWidgets is needed for treesheets.
apt-get install libgtk-3-dev

Now let us get wxWidgets-master.zip (MD5SUM b8833e54675154f3098e9e0f114d3082) from https://github.com/wxWidgets/wxWidgets

Now unzip that file, go inside the directory, configure it with the following options and then run make as a normal user.

$ ./configure --enable-unicode --enable-optimize=-O2 --disable-shared
$ make

Now let us get the treesheets zip file from git treesheets-master.zip (6ede9f8db292d22c91c0a411a9d56d01).

Now unzip that as before and go into the src directory.  Now we need to move the wxWidgets-master folder into the treesheets/src/wx directory.  Then run make.  We should see the treesheets executable in the TS directory.

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/std/Downloads/ts/src/wx
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/std/Downloads/ts/src/wx

There is one mystery I have not been able to solve: why treesheets listens on port 4242 when we invoke it.

Saturday, July 4, 2015

RaspberryPI xbmc-send - Playing Youtube videos from laptop

If we are watching a YouTube video on our laptop or desktop and want to push it to the Raspberry Pi, we can follow these steps.

1. Install the xbmc-send software on the system where we are watching YouTube.
2. Copy the script from [1] and replace RaspberryPI_ip with your Raspberry Pi's IP address.
3. Make the script executable with "chmod +x", then call it with the YouTube URL as its parameter.




[1]

http://pastebin.com/mw5LGJpu

Raspberry PI JSON

Wow, now we can use JSON-RPC to control the Raspberry Pi :-)


curl -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"GUI.ShowNotification","params":{"title":"This is the title of the message","message":"This is the body of the message"},"id":1}' http://username:password@RaspberryPi_IPaddress/jsonrpc

The list of all methods we can use over JSON-RPC is given under [1].  [2] shows how to explore the methods in a more structured way.

[1]
http://pastebin.com/AmR3r1Gy

[2]
http://jsonviewer.stack.hu/
https://www.jsoneditoronline.org/

Sunday, June 28, 2015

Compressing Large video files

My phone records video in HD, nothing new here.  However, the file size of each and every video is enormous.  So like anyone else I started googling to see how I could compress the video files, and came up with the following bash script [1].  The script lists all MP4 files in our directory and uses VLC's command line parameters to compress each file.  Oh, and one more thing: it can also rotate a video automatically to landscape mode if it was taken in portrait mode.

[1]
http://pastebin.com/5VTBWkG5

I was able to get pretty good compression.  My file size which was 24.7 MB got compressed to ~8 MB.

Wednesday, June 24, 2015

Scapy

Let us start scapy as root.  My reference is [1].

[1]
https://thepacketgeek.com/series/building-network-tools-with-scapy/

# scapy

A list of basic scapy commands can be obtained from lsc()

>>> lsc()
arpcachepoison      : Poison target's cache with (your MAC,victim's IP) couple
arping              : Send ARP who-has requests to determine which hosts are up
bind_layers         : Bind 2 layers on some specific fields' values


Now let us see about sniff() real quick.

>>> pkt=sniff(count=1)
>>> pkt[0].summary()
'Ether / IP / TCP 192.168.1.2:59845 > 216.58.196.110:https PA / Raw'
>>>


Here we sniffed one packet.  We can type ls() to see the plethora of protocols which scapy supports.

>>> ls()
ARP        : ARP
ASN1_Packet : None
BOOTP      : BOOTP
CookedLinux : cooked linux
DHCP       : DHCP options


We can also list the individual fields of a protocol by passing the protocol to the ls() function.
>>> ls(Ether)
dst        : DestMACField         = (None)
src        : SourceMACField       = (None)
type       : XShortEnumField      = (0)
>>> ls(IP)
version    : BitField             = (4)
ihl        : BitField             = (None)
tos        : XByteField           = (0)
len        : ShortField           = (None)
id         : ShortField           = (1)
flags      : FlagsField           = (0)
frag       : BitField             = (0)
ttl        : ByteField            = (64)
proto      : ByteEnumField        = (0)
chksum     : XShortField          = (None)
src        : Emph                 = (None)
dst        : Emph                 = ('127.0.0.1')
options    : PacketListField      = ([])
>>> ls(UDP)
sport      : ShortEnumField       = (53)
dport      : ShortEnumField       = (53)
len        : ShortField           = (None)
chksum     : XShortField          = (None)
>>>


Now we will see the summary() and show() methods.  show() breaks the packet down into every field.
>>> pkt[0].summary()
'Ether / IP / TCP 192.168.1.2:59845 > 216.58.196.110:https PA / Raw'
>>> pkt[0].show()
###[ Ethernet ]###
  dst= c8:d3:a3:c9:72:3c
  src= 00:1e:4f:9e:c0:5f
  type= 0x800
###[ IP ]###
     version= 4L
     ihl= 5L
     tos= 0x0
     len= 86
     id= 48928
     flags= DF
     frag= 0L
     ttl= 64
     proto= tcp
     chksum= 0x1d2e
     src= 192.168.1.2
     dst= 216.58.196.110
     \options\
###[ TCP ]###
        sport= 59845
        dport= https
        seq= 719414178
        ack= 1834884410
        dataofs= 5L
        reserved= 0L
        flags= PA
        window= 23925
        chksum= 0x5e9c
        urgptr= 0
        options= []
###[ Raw ]###
           load= '\x17\x0e\x0e\x0e)\x0e\x00\x00\x00\x00\x00\x00\r\xb8On\x1a\xaf\xddG\x9a\xdc\xd4\x1e\xf2qb\x11\x83\x15\xbe\xdc\xcd\xf9\xb5\xd4s\xb2\xbaOp\xb2\xa9\x17\xb5'
>>>


We can also increase the number of packets which we sniff.

>>> pkts=sniff(count=10)
>>> pkts

>>> pkts.summary()
Ether / IP / TCP 192.168.1.2:57123 > 216.58.220.40:http A
Ether / IP / TCP 216.58.220.40:http > 192.168.1.2:57123 A / Padding
Ether / IP / TCP 74.125.68.189:https > 192.168.1.2:38372 PA / Raw
Ether / IP / TCP 192.168.1.2:38372 > 74.125.68.189:https A
Ether / IP / TCP 216.58.220.37:https > 192.168.1.2:43278 PA / Raw
Ether / IP / TCP 192.168.1.2:43278 > 216.58.220.37:https A
Ether / IP / TCP 216.58.220.37:https > 192.168.1.2:43278 PA / Raw
Ether / IP / TCP 192.168.1.2:43278 > 216.58.220.37:https A
Ether / IP / TCP 216.58.220.37:https > 192.168.1.2:43278 PA / Raw
Ether / IP / TCP 192.168.1.2:43278 > 216.58.220.37:https A
>>> pkts[3]
>>> pkts[3].show()
###[ Ethernet ]###
  dst= c8:d3:a3:c9:72:3c
  src= 00:1e:4f:9e:c0:5f
  type= 0x800
###[ IP ]###
     version= 4L
     ihl= 5L
     tos= 0x0
     len= 40
     id= 54634
     flags= DF
     frag= 0L
     ttl= 64
     proto= tcp
     chksum= 0x1481
     src= 192.168.1.2
     dst= 74.125.68.189
     \options\
###[ TCP ]###
        sport= 38372
        dport= https
        seq= 759983015
        ack= 3718818381
        dataofs= 5L
        reserved= 0L
        flags= A
        window= 60060
        chksum= 0x50ff
        urgptr= 0
        options= {}
>>>


We can also dig into an individual protocol as shown below.

>>> pkts[0]
>>> pkts[0][TCP].summary()
'TCP 192.168.1.2:57123 > 216.58.220.40:http A'
>>>


We can use the command() method to see how to recreate that very same packet.

>>> pkts[0].command()
"Ether(src='00:1e:4f:9e:c0:5f', dst='c8:d3:a3:c9:72:3c', type=2048)/IP(frag=0L, src='192.168.1.2', proto=6, tos=0, dst='216.58.220.40', chksum=36062, len=40, options=[], version=4L, flags=2L, ihl=5L, ttl=64, id=14308)/TCP(reserved=0L, seq=3914251183, ack=433779807, dataofs=5L, urgptr=0, window=15544, flags=16L, chksum=30248, dport=80, sport=57123)"
>>> 


We can copy an individual packet into a new variable either by passing the command() output to eval(), or by just assigning the list element.

>>> newpkt = eval(pkt[0].command())
>>> newpkt
>>>
>>> newpkt = pkt[0]
>>> newpkt
>>>
>>>


Now let us work on ARP packets.

>>> pkts=sniff(count=5,filter="arp")
>>> pkts

>>> pkts.summary()
Ether / ARP who has 192.168.1.100 says 192.168.1.2
Ether / ARP who has 192.168.1.100 says 192.168.1.2
Ether / ARP who has 192.168.1.100 says 192.168.1.2
Ether / ARP who has 192.168.1.100 says 192.168.1.2
Ether / ARP who has 192.168.1.100 says 192.168.1.2
>>> pkts[0].show()
###[ Ethernet ]###
  dst= ff:ff:ff:ff:ff:ff
  src= 00:1e:4f:9e:c0:5f
  type= 0x806
###[ ARP ]###
     hwtype= 0x1
     ptype= 0x800
     hwlen= 6
     plen= 4
     op= who-has
     hwsrc= 00:1e:4f:9e:c0:5f
     psrc= 192.168.1.2
     hwdst= 00:00:00:00:00:00
     pdst= 192.168.1.100

>>> pkts[0].command()
"Ether(src='00:1e:4f:9e:c0:5f', dst='ff:ff:ff:ff:ff:ff', type=2054)/ARP(hwdst='00:00:00:00:00:00', ptype=2048, hwtype=1, psrc='192.168.1.2', hwlen=6, plen=4, pdst='192.168.1.100', hwsrc='00:1e:4f:9e:c0:5f', op=1)"
>>> ls(Ether)
dst        : DestMACField         = (None)
src        : SourceMACField       = (None)
type       : XShortEnumField      = (0)

>>> ls(ARP)
hwtype     : XShortField          = (1)
ptype      : XShortEnumField      = (2048)
hwlen      : ByteField            = (6)
plen       : ByteField            = (4)
op         : ShortEnumField       = (1)
hwsrc      : ARPSourceMACField    = (None)
psrc       : SourceIPField        = (None)
hwdst      : MACField             = ('00:00:00:00:00:00')
pdst       : IPField              = ('0.0.0.0')
>>>


Now let us create our own packet with the help of the eval() function.
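The scapy session above shows the ARP fields by name; as an added example (not from the post, and not scapy code) here is what those fields look like on the wire.  It is a pure-Python Ether/ARP builder and parser using struct, so it runs without scapy, with the who-has request from the capture above constructed as sample data and a summary() in the style of scapy's.  Field names follow ls(ARP); ArpFrame and the helper names are chosen here.  parse() rejects truncated input, which a sniffer has to expect.

```python
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806          # Ethernet type for ARP (scapy shows type= 0x806)
ARP_OPS = {1: "who-has", 2: "is-at"}
ETH_ARP_LEN = 14 + 28       # Ethernet header + ARP body for Ethernet/IPv4


def mac_to_bytes(mac: str) -> bytes:
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return bytes(int(o, 16) for o in octets)


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return bytes(parts)


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpFrame:
    """Ether/ARP frame using the field names that scapy's ls(ARP) lists."""
    dst: str
    src: str
    op: int
    hwsrc: str
    psrc: str
    hwdst: str
    pdst: str
    hwtype: int = 1        # Ethernet
    ptype: int = 0x0800    # IPv4
    hwlen: int = 6
    plen: int = 4

    def build(self) -> bytes:
        """Serialise to wire bytes (network byte order)."""
        ether = mac_to_bytes(self.dst) + mac_to_bytes(self.src) + struct.pack("!H", ETH_P_ARP)
        arp = struct.pack("!HHBBH", self.hwtype, self.ptype, self.hwlen, self.plen, self.op)
        arp += mac_to_bytes(self.hwsrc) + ip_to_bytes(self.psrc)
        arp += mac_to_bytes(self.hwdst) + ip_to_bytes(self.pdst)
        return ether + arp

    @classmethod
    def parse(cls, raw: bytes) -> "ArpFrame":
        """Decode wire bytes, rejecting truncated or non-Ethernet/IPv4 ARP input."""
        if len(raw) < ETH_ARP_LEN:
            raise ValueError(f"truncated frame: {len(raw)} bytes, need {ETH_ARP_LEN}")
        ethertype = struct.unpack("!H", raw[12:14])[0]
        if ethertype != ETH_P_ARP:
            raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
        hwtype, ptype, hwlen, plen, op = struct.unpack("!HHBBH", raw[14:22])
        if (hwtype, ptype, hwlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("only Ethernet/IPv4 ARP is supported")
        return cls(
            dst=bytes_to_mac(raw[0:6]), src=bytes_to_mac(raw[6:12]), op=op,
            hwsrc=bytes_to_mac(raw[22:28]), psrc=bytes_to_ip(raw[28:32]),
            hwdst=bytes_to_mac(raw[32:38]), pdst=bytes_to_ip(raw[38:42]),
        )

    def summary(self) -> str:
        """One-line description in the style of scapy's summary()."""
        if self.op == 1:
            return f"Ether / ARP who has {self.pdst} says {self.psrc}"
        if self.op == 2:
            return f"Ether / ARP is at {self.hwsrc} says {self.psrc}"
        return f"Ether / ARP op={self.op}"


# Constructed sample: the who-has request from the capture above.
WHO_HAS = ArpFrame(dst="ff:ff:ff:ff:ff:ff", src="00:1e:4f:9e:c0:5f", op=1,
                   hwsrc="00:1e:4f:9e:c0:5f", psrc="192.168.1.2",
                   hwdst="00:00:00:00:00:00", pdst="192.168.1.100")

if __name__ == "__main__":
    raw = WHO_HAS.build()
    print(raw.hex())
    print(ArpFrame.parse(raw).summary())
```

One design point: eval() on command() output executes whatever string it is handed, which is fine for packets we captured ourselves but not for text of unknown origin; for bytes we did not produce, a parser like this one, or scapy's own Ether(raw) dissector, is the right tool.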


Friday, May 29, 2015

Changing mouse button settings

I have a wireless mouse which works partially.  When I say partially, the left click alone does not work.  It could be because it was used for many years.  However, the other aspects of the mouse work: the scroll wheel, middle click, right click, and the pointer moves smoothly across the screen.

The GUI-based mouse settings in Ubuntu only let you choose between a right-handed and a left-handed mouse.  I wanted more: the ability to say which button is left click and which is right click.  The idea was to make my middle click act as left click.  If this could be accomplished I would again have a working mouse with left click, right click and scroll wheel.

The site mentioned below [1] came to the rescue.

[1]
https://wiki.ubuntu.com/X/Config/Input

This picture shows that when I retrieve the button settings for my mouse it lists 1 2 3 4 all the way up to 13.  We are interested in 1, 2 and 3, which correspond to Left, Middle and Right.

So in the next xinput set-button-map command I replaced 1 2 3 with 1 1 3.  This effectively made both the left button and the middle button do the work of left click.


Thursday, May 28, 2015

Small bash script - Chennai Power Outage check

This is a small script which checks whether there is a power outage in your area and drops you an email a day before.


http://pastebin.com/6xZaB8nb

#!/bin/bash
# Fetch today's power shutdown schedule, follow the link to tomorrow's list
# and mail a YES/NO verdict for our street.

WORKDIR=/var/scripts
STREET="Your Street name"          # text to look for in tomorrow's list

rm -f "$WORKDIR/powercut.txt" "$WORKDIR/Tomorrow.txt"

wget http://livechennai.com/powercut_schedule.asp -O "$WORKDIR/powercut.txt"

# The first "Power shutdown areas" link: its href points at tomorrow's list,
# its title becomes the mail subject.
Link=`grep "Power shutdown areas" "$WORKDIR/powercut.txt" | grep "href" | head -n1`
NextURL=`echo "$Link" | grep -P -o 'href.+' | cut -d\" -f2 | sed 's/^/http:\/\/livechennai.com\//'`
EmailSubject=`echo "$Link" | grep -P -o 'title.+' | cut -d\" -f2`

# Example of the subject rewrite applied below
echo "Power shutdown areas in Chennai on 30-05-15" | sed -e 's/^/NO /' -e 's/areas in Chennai/in your area/'

echo "$NextURL"
echo "$EmailSubject"

wget "$NextURL" -O "$WORKDIR/Tomorrow.txt"

# Number of lines in tomorrow's list that mention our street
powercutyes=`grep -ic "$STREET" "$WORKDIR/Tomorrow.txt"`

if [ "$powercutyes" -gt 0 ]
  then
    echo "We have power cut tomorrow"
    EmailSubject=`echo "$EmailSubject" | sed -e 's/^/YES /' -e 's/areas in Chennai/in your area/'`
  else
    echo "We don't have power cut tomorrow"
    EmailSubject=`echo "$EmailSubject" | sed -e 's/^/NO /' -e 's/areas in Chennai/in your area/'`
fi

# Build the message: headers, a blank line, then the matching lines as the body.
{
  echo "From: \"SenderFirstname Lastname\" <sender@gmail.com>"
  echo "To: \"RecepientFirstname Lastname\" <recepient@gmail.com>"
  echo "Subject: $EmailSubject"
  echo
  grep -i "$STREET" "$WORKDIR/Tomorrow.txt"
} > "$WORKDIR/mail.txt"

# The password given with --user is visible to other users in the process list;
# curl's --netrc option reads it from a file instead.
curl --url "smtps://smtp.gmail.com:465" --ssl-reqd --mail-from "sender@gmail.com" --mail-rcpt "recepient@gmail.com" --upload-file "$WORKDIR/mail.txt" --user "sender@gmail.com:senderGmailPassword"

Monday, May 25, 2015

WiFi Keyboard cleaning

I assume/take no responsibility if you kill your keyboard.

Try to rotate the batteries in its slot to fix any contact issues between the batteries and the battery holder metal leads.
Thursday, April 23, 2015

Mysql Master-Master Replication

This site [1] taught me how to do the replication.

[1]
https://www.digitalocean.com/community/tutorials/how-to-set-up-mysql-master-master-replication

Steps.  Under each step number the first command (or block) is run on MasterA and the second on MasterB, unless the text says otherwise.
MasterA (192.168.56.110)
MasterB (192.168.56.111)
1
# yum install mysql-server mysql-client vim ntpdate
# yum install mysql-server mysql-client vim ntpdate
2
# ntpdate ntp.org
# ntpdate ntp.org
3
# service mysqld restart
# service mysqld restart
4
# /usr/bin/mysqladmin -u root password 'mapass'
# /usr/bin/mysqladmin -u root password 'mbpass'
5
# vim /etc/my.cnf
#--------------------------------------
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0

server-id              = 1
log_bin                = /var/log/mysql/mysql-bin.log
binlog_do_db           = example
bind-address           = 192.168.56.110

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
#--------------------------------------
# mkdir -p /var/log/mysql/
# chown mysql /var/log/mysql/
# service mysqld restart
# vim /etc/my.cnf
#--------------------------------------
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0

server-id              = 2
log_bin                = /var/log/mysql/mysql-bin.log
binlog_do_db           = example
bind-address           = 192.168.56.111

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
#--------------------------------------
# mkdir -p /var/log/mysql/
# chown mysql /var/log/mysql/
# service mysqld restart
6
# netstat -antlp | grep 3306
tcp 0 0 192.168.56.110:3306 0.0.0.0:* LISTEN      1655/mysqld
# netstat -antlp | grep 3306
tcp 0 0 192.168.56.111:3306 0.0.0.0:* LISTEN      1558/mysqld
7
# mysql -u root -p
mapass

8
mysql> show databases;

mysql> create user 'replicator'@'%' identified by 'rapass';
Query OK, 0 rows affected (0.00 sec)

mysql> grant replication slave on *.* to 'replicator'@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> show master status \G;
            File: mysql-bin.000001
        Position: 341
mysql>

9
On MasterB we have to use the file mysql-bin.000001 and position 341 reported by MasterA's "show master status" in the CHANGE MASTER statement.
mysql> show databases;

mysql> create user 'replicator'@'%' identified by 'rbpass';
Query OK, 0 rows affected (0.00 sec)

mysql> grant replication slave on *.* to 'replicator'@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> show master status \G;
            File: mysql-bin.000001
        Position: 341

mysql> slave stop;

mysql> CHANGE MASTER TO MASTER_HOST = '192.168.56.110', MASTER_USER = 'replicator', MASTER_PASSWORD = 'rapass', MASTER_LOG_FILE = 'mysql-bin.000001', MASTER_LOG_POS = 341;

mysql> slave start;
10
mysql> slave stop;

mysql> CHANGE MASTER TO MASTER_HOST = '192.168.56.111', MASTER_USER = 'replicator', MASTER_PASSWORD = 'rbpass', MASTER_LOG_FILE = 'mysql-bin.000001', MASTER_LOG_POS = 341;

mysql> slave start;

11
mysql> \! iptables -I INPUT 1 -p tcp --dport 3306 -j ACCEPT
mysql> \! /sbin/service iptables save
mysql> \! iptables -I INPUT 1 -p tcp --dport 3306 -j ACCEPT
mysql> \! /sbin/service iptables save
12
mysql> create database example;


13

This should create a DB called example on MasterB too.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| example            |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.00 sec)
14
mysql> create table example.Bala (`id` varchar(10));

15
mysql> show tables in example;
+-------------------+
| Tables_in_example |
+-------------------+
| Bala              |
+-------------------+
1 row in set (0.00 sec)
mysql> show tables in example;
+-------------------+
| Tables_in_example |
+-------------------+
| Bala              |
+-------------------+
1 row in set (0.00 sec)
16
The following command removes the Bala table from the example DB on both servers.
mysql> DROP tables example.Bala;
Query OK, 0 rows affected (0.00 sec)