Results for Windows Xp

Ramnit : Worm that loves Facebook

Friday, January 20, 2012
"Ramnit", the worm with multifaceted spreading capabilities, was first detected in 2010 infecting local systems. Now the attackers behind it have redesigned it into a more advanced kind of worm. The worm has already stolen 45,000 Facebook credentials and is still on the move.

It is also confirmed that this worm is able to bypass the two-level authentication used by banking organizations and online money-transfer services. Below I have taken a snapshot of the code of the worm that was detected in 2010.
It comes from malicious online sources and creates infected .html files, through which it infects executable and .dll files, as depicted in the video below.

But as the worm has spread its roots into financial and social media, it is a big concern. Users are advised to change their credentials every 14 days.

winAUTOPWN V2.7 | Windows Interactive exploit framework Tool

Wednesday, September 21, 2011
winAUTOPWN is a simple tool that works on the Windows platform and is quick at exploiting system vulnerabilities. It is a tool that takes little information from your side and does more effective work.

Why should you use this tool?

1. It takes simple inputs like IP address, hostname, CMS path.

2. It also does a smart multi-threaded port scan (1 to 65535).

3. Exploits written by other authors can be added to it to spawn a remote shell from the target box.

4. It helps the attacker keep track of the number of exploits it has used on the target box.

In the new version this tool has added a few extra features like:
  • Command-line parameters for the reverse shell URL
  • Mail-to, mail-from (email server exploits)

How to change Mac Address manually and spoof using tool.

Wednesday, January 05, 2011
Computers talk, or communicate, over the network using a MAC address (Media Access Control address), which is unique to each and every machine. Here in this post we will see how we can spoof or change the MAC address manually and using tools.

Procedure:

Using Registry:

Step 1.
Type "Regedit" in Run and press Enter. In the Regedit window follow the path
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}] as shown in the image below.
Step 2.
Check all the values under the above path to find the correct driver description (DriverDesc) as shown in the above image. For me it was "0009". Now search for "NetworkAddress" on the right side of the editor; if you find it, change the value to your desired 12-digit number (MAC address). If you cannot find "NetworkAddress" then create a new "String Value".
Step 3.
Now rename the new string value to "NetworkAddress" and set the value to a random 12-digit number as shown below.
Step 4.
Now disable and re-enable the connection, then open up a command prompt and type the command ipconfig /all to see the changed MAC address.

Using tools:

1.SMAC :
It is not a freeware tool, but it is a very useful and widely used tool for spoofing MAC addresses. (Download)

2.Macshift:
It is an open-source tool and is used from the command line. (Download)

3.MadMACs:
It is a very user-friendly tool; you just need to double-click the executable, that's it. (Download)

If you find this post useful and interesting then do drop your comment,it will be appreciated... :)

Retrieve Windows password using Samdump2 and John with Backtrack4

Thursday, December 30, 2010
Earlier I posted on "How to hack Windows administrator password" using Backtrack. This post is the final post of that series, where we will see how we can retrieve the password without resetting it.

Here I will be using Backtrack4 and boot it from USB but you can also boot it from a CD.

Requirements:

1.Backtrack 4 .iso (Download)

2.UNetbootin (Download)

If you have any problem in installing backtrack in your usb then read here.

Procedure:

Step 1.
Having made a bootable USB, now reboot the system and boot Backtrack4. Use username: root and password: toor, then run startx.

Step 2.
Now open up the console window and type the command "df" (disk free) or fdisk -l to find the drive that holds the SAM file of your Windows box. Here I will be using "df".
Step 3.
If you find the desired drive in the above step then it's OK; if not, you can mount it using the command mount -t ntfs /dev/sda1 /mnt/sda1 -o force (here you may not need force).

Step 4.
As we know, the SAM file of Windows is in the config directory of system32, so we need to be in that directory to do our further work. Type in the command cd /mnt/sda1/WINDOWS/system32/config (note that "WINDOWS" in the command is in capitals).

Step 5.
Now use bkhive to get a key file to be used in the further steps by typing in the command
bkhive system ~/Desktop/key.txt  Here "~/Desktop/key.txt" is the path of the key file to be created. Having executed the command you can check your desktop to see whether the file has been created.

Step 6.
Here we will be using samdump2 to dump the hashes using the key file created in the previous step. The command format is samdump2 [samhive path] [keyfile path]. So the command to be used here is samdump2 SAM ~/Desktop/key.txt > ~/Desktop/SHunk_Hash.txt  Here "~/Desktop/SHunk_Hash.txt" is the path where the hashes from the SAM file will be written. You can check the desktop for the SHunk_Hash.txt file.
Step 7.
In order to view the hashes, type in the command cat ~/Desktop/SHunk_Hash.txt as shown below.
Step 8.
Now change the directory to /pentest/password/jtr, or simply type "john" and you will see the directory has been changed to the desired one.

Step 9.
Now type in ./john ~/Desktop/SHunk_Hash.txt and John the Ripper will search for all the passwords, but you can limit it by using ./john ~/Desktop/SHunk_Hash.txt -users=[Desired username without braces]. Here "~/Desktop/SHunk_Hash.txt" is the path of the hash file that we created in the previous step.
Command Summary:

1.df

2.mount -t ntfs /dev/sda1 /mnt/sda1 -o force (Optional)

3.cd /mnt/sda1/WINDOWS/system32/config

4.bkhive system ~/Desktop/key.txt

5.samdump2 SAM ~/Desktop/key.txt > ~/Desktop/SHunk_Hash.txt

6.cat ~/Desktop/SHunk_Hash.txt(Optional)

7.cd /pentest/password/jtr

8. ./john ~/Desktop/SHunk_Hash.txt

OR

./john ~/Desktop/SHunk_Hash.txt -users=[Desired username without braces]

How to create Virtual Environment using Virtualbox.

Thursday, December 02, 2010
There are many occasions where we will need to have several operating systems on our computer. Think that you're a software developer and now you need to test your software under different platforms! Or you need to try out several operating systems to review them or to pick the best OS for your machine! Or suppose you download a file from a torrent or other external link and don't trust that file; then you can run it in your VirtualBox to observe its behavior and save your host PC from getting infected.
*But the problem is: what is the easiest method to have several operating systems on your PC? Install them on your hard drive and mess things up when you want to remove them? Actually, there's a better way to solve this problem.

What is a Virtual Environment?

"Here the programs are run in an isolated OS on a virtual hard disk as shown in the image below. The programs do not have physical access to the host OS. Refer to the image below to understand the concept."


Did you know that we can run several operating systems right from your desktop? Well, you can run several virtual machines under one OS and remove them gracefully without harming your system.

*VirtualBox is one of the best free applications which will allow you to easily install and manage several virtual machines.
*VirtualBox is a great asset to computer security professionals, hackers and penetration testers. Using it one can create a pentesting lab to work on without spending a buck from your pocket. So, today we are going to see how to install Ubuntu inside Windows as a virtual machine!

Requirement :

1.You need to download and install VirtualBox (Download)

2.Must have at least 1GB of RAM for proper running.

3. Installation CD or .iso file of any desired OS of your choice (here it is Ubuntu.iso).

Procedure:

Step 1: After you download and install VirtualBox, open it and click on “New” as shown in the image:

Step 2: In the next window, click on “Next”. After that give a name for your virtual machine. For “Operating System” select “Linux”. For the version select “Ubuntu” and click “Next”.

Step 3: Next set the amount of memory for the virtual machine and click “Next” (do not give too much; keep some for your own system and do not go into the red colored area). In my system I have 4 GB of memory, so I gave 1 GB to my virtual machine. The memory amount changes from OS to OS; Windows needs more memory than Linux, so choose it carefully!

Step 4: In the next window select “Boot Hard Disk” (by default it's selected) and select “Create New Hard Disk”. Now click “Next”.
*After that, the Create New Virtual Disk Wizard will start. Click “Next” on the Welcome screen.
Now, select “Fixed Size Storage” and click “Next”.
*Next, give the size of the disk you want. For Ubuntu, the default size they offer (8 GB) is more than enough. So keep it like that and click Next. After that, click on Finish to create the virtual disk. This will create an 8 GB virtual disk on your machine.

Step 5: At the end, it will give you a summary screen. Click “Finish” to continue.
Now, in the main window, select the OS that you have just created and click on “Start”.

Step 6: If you see any information box, just press “OK”.

*Now that you're running your virtual machine for the first time, it will run a wizard called “First Run Wizard” which will help you to select the installation media of your guest OS. Click on “Next” in the first screen.
*Next, insert the installation CD of your OS (in this case it's Ubuntu) into your CD-ROM drive. Now select your CD drive in the “Media Source” field. But if you want to install from an image, click on the little folder icon next to the media source field. Next, in the “Virtual Media Manager” window, click on “Add” and select your image file. After you have added the image, click on “Select”.

After you're done adding the image or setting up the CD drive, click on “Next”. Finally, click “Finish”.

Now it will load the installation CD you have provided and you can continue with installing your OS! So, what do you think? Isn't it a piece of cake? How many operating systems are you planning to install? Please feel free to share your ideas with us!

About Author:
This is a guest post by Pubudu Kodikara, who is a writer at Tech Hamlet, a state-of-the-art tech blog which aims at educating people about the latest technology, news, hacks, tutorials, tricks and many more.

"If you find this post useful and informative do post your comment and share it."

Prefetcher | What is it? and Forensic Analysis.

Tuesday, November 09, 2010
It is indeed very vital for a computer forensic analyst to get the details of the applications that were launched, the timestamp and the path. Here in this post we will discuss how we can find that and the tools needed for this... so let's start.
What is a Prefetcher?

It is a feature added to Microsoft Windows XP to speed up or improve boot time and the loading time of applications we run on a Windows box. During booting a large number of files are loaded into memory, and thereby a specific amount of time is consumed in this process. But the prefetcher keeps track of the files and the data that are loaded during boot time and makes a trace of it. So when the system is booted again, this information stored by the prefetcher can be used, and this can certainly reduce the boot time. The same thing happens with the applications that we launch after the system has been logged in.

Where we can find this prefetch?

1.It is stored in a folder named "Prefetch" in the system root, "%SYSTEMROOT%\Prefetch"; on my testing system it is found in "C:\WINDOWS\Prefetch".

2.It can be enabled by changing the registry value at the key shown in the image below (by default it is enabled).

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters"


Information stored in Prefetch file:

*When an application is loaded or launched, a prefetch file is created with the .pf extension. Suppose an application called "XYZ.exe" is launched; then a prefetch file is created in the "Prefetch" directory and named in the format "XYZ.EXE-0870E38D.pf", as shown in the image below.

*The hash in the file name above is derived from the path of the application, so if the same application is launched from a different location, two different files are created.

*The Prefetch contains information like:

-Name of the application

-The number of times the application has been launched.

-Volume serial number

-DLLs used by the application.

-Serial numbers of external thumb drives.

-MD5 hash

-Some binary data and some unicode information

-Volume information

-Application path

-Timestamp of volume creation.

Forensic view of Prefetch file:

If some unknown application, say a malware, is launched from the hard disk or from an external drive, then the launch time and its path can be found out. Even if the malware has been deleted, it still leaves its traces in the prefetch folder, which can come in handy for a forensic analyst.
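As an added example (not the post's own code, nor from any of the tools it lists), here is a small Python parser for the XP-format .pf header described above, plus a timeline over a Prefetch folder, which is the forensic use just described. The header offsets are the documented XP (version 17) layout; the sample file, executable name and timestamp are constructed in the block.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 0x11  # format version used by Windows XP / 2003
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample timestamp, used only to build the demo file below.
SAMPLE_LAST_RUN = datetime(2010, 11, 9, 10, 30, 0, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; only needed here to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_prefetch(data):
    """Parse the fixed header of an XP-format (version 17) .pf file.

    XP header layout: format version at 0x00, "SCCA" at 0x04, file size
    at 0x0C, UTF-16LE executable name at 0x10 (60 bytes), path hash at
    0x4C, last run FILETIME at 0x78, run count at 0x90.
    """
    if len(data) < 0x94:
        raise ValueError("too short to be a prefetch file")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != PF_SIGNATURE:
        raise ValueError("missing SCCA signature")
    if version != PF_VERSION_XP:
        raise ValueError("not an XP-format prefetch file (version 0x%x)" % version)
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    return {
        "executable": exe_name,
        "hash": "%08X" % path_hash,  # the suffix seen in XYZ.EXE-0870E38D.pf
        "file_size": file_size,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }


def is_xp_prefetch(data):
    """Cheap triage check: does this blob carry a valid XP prefetch header?"""
    try:
        parse_xp_prefetch(data)
        return True
    except ValueError:
        return False


def build_sample_prefetch(exe_name, path_hash, last_run, run_count):
    """Construct a minimal XP-style header (a made-up sample, not a real file)."""
    buf = bytearray(0x98)
    struct.pack_into("<I4s", buf, 0, PF_VERSION_XP, PF_SIGNATURE)
    struct.pack_into("<I", buf, 0x0C, len(buf))
    name = exe_name.encode("utf-16-le")[:58]  # leave room for the terminator
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)


def prefetch_timeline(directory):
    """Parse every .pf file in a Prefetch folder, ordered by last run time.

    A deleted executable keeps its .pf entry here, which is the forensic
    value of the folder: name, path hash and last launch time survive.
    """
    entries = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".pf"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            data = fh.read()
        if not is_xp_prefetch(data):
            continue  # skip corrupt or non-XP files
        info = parse_xp_prefetch(data)
        info["pf_file"] = name
        entries.append(info)
    entries.sort(key=lambda e: e["last_run"])
    return entries


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_prefetch("XYZ.EXE", 0x0870E38D, SAMPLE_LAST_RUN, 3)
        with open(os.path.join(tmp, "XYZ.EXE-0870E38D.pf"), "wb") as fh:
            fh.write(sample)
        for entry in prefetch_timeline(tmp):
            print(entry["last_run"].isoformat(), entry["executable"],
                  entry["hash"], "runs=%d" % entry["run_count"])
```

Point prefetch_timeline at a copied C:\WINDOWS\Prefetch folder to get the launch order of every executable the box has run, including ones that no longer exist on disk.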


How to get the information:

Once you browse to the "Prefetch" folder you can open the .pf file using a hex editor, but it may be a bit difficult and confusing. So here I will show you a few tools which you can use to retrieve the information.

1.Windows File Analyzer.(Download)

2.Win Prefetch View.(Download)

3.Prefetch Parser.(Download)


Here I have shown you the screenshots of "Win Prefetch View"; here you cannot find all the information mentioned above, but the other tools that I mentioned above can surely retrieve it, so do give them a try.

"If you find this post useful and informative do post your comment and share it."

How to use John the Ripper Tutorial and Pwdump7

Wednesday, October 20, 2010
In Microsoft Windows, user account passwords and information are stored in a file called SAM. The Windows SAM file location is “%systemroot%\system32\config” and a backup copy of the file is also stored in “%systemroot%\repair”. Here in this post we will see how to use John the Ripper for Windows to extract the information.

As part of the Windows 10 password hack, we will be using the brute-force password cracker John the Ripper and Pwdump7. In this John the Ripper tutorial we will keep things simple for understanding, keeping in mind that a beginner may be following it.

In Windows 10 and earlier versions till Windows SP3, the SAM file is by default locked with syskey enabled, so we cannot open it as such and view its content. So here in this post I will show you how we can crack it and retrieve the hashes.

You may be wondering what SAM stands for?

It can be expanded as Security Accounts Manager; it stores the user credential information.

Requirements:

1. Pwdump7: (Download)

2.John the Ripper (Download)

Procedure:

Step 1. You need to have administrative privileges. Open up a command prompt window, use it to go to the directory where pwdump7 is present and follow the on-screen information as shown below.

Step 2. After all the hashes are displayed on the command prompt screen, right-click on the title bar, copy it, then paste and save it in a text file. First right-click and mark the screen before copying. Here I have saved it as pw-hash.txt

Step 3.Having downloaded John the Ripper for Windows, browse into John's root directory and use the command as shown in the image below.

Step 4.The command we have used above is “C:\JOHN\RUN>john-386 C:/pw-hash.txt --users=Administrator”; the format of the command is “john-386 [Hash file path] --users=[Username]”. Here the hash file path is “C:/pw-hash.txt” and the username is “Administrator”, so by using the above command John will search for the password of Administrator.

You can also use “C:\JOHN\RUN>john-386 C:/pw-hash.txt” so that John will search for the password of all the usernames available.

If you have a John the ripper wordlist then you can use the wordlist mode as well.

john --wordlist=password.txt pw-hash.txt

I think from this post we were able to understand how to use John the Ripper for Windows and Pwdump7.

If you find this post useful then do drop a comment it will be appreciated.

Few Security Tips for Windows user.

Saturday, September 11, 2010
Well!! Security is the buzzword these days because of new forms of attacks and threats. These attacks are mainly targeted at Windows users compared to Linux or other OSes. One thing I must say is that 90% of the victims fall into the trap of attackers due to their lack of alertness and their own flaws. Let's see how we can avoid these types of attacks, if not completely then to some extent.

1.I would recommend that you always update your OS and the software that is installed whenever an update is available. If you do not do that then there may be some vulnerability in your present OS or software, and the attacker can find that by fingerprinting and banner grabbing and plant an exploit for it.

2.Attackers install a R.A.T or keylogger on a remote PC by tricking the user through social engineering. So I will recommend you to always look at the extension of a file before clicking on it. It may sometimes be the case that the file sent to you looks like an image but has an executable extension (.exe). How to tackle it? Read here.

3.Always use an updated antivirus, anti-logger, link checker and site advisor, and keep with you the latest rescue disk of an antivirus.
  • Anti-logger: I would recommend Zemana AntiLogger over KeyScrambler, because the latter only protects your keystrokes in the browser window, while Zemana has anti-keylogger, anti-screen-logger, anti-webcam-logger and anti-clipboard-logger protection.
  • Link Checker: You can use the Dr.Web link checker; with this you can scan a file before downloading it. Just right-click on the required link and click on the Dr.Web icon. It is also available as a Firefox add-on.
  • Site Advisor: Here you have two options; you can use McAfee SiteAdvisor or WOT, both can be integrated with your browser.
  • Rescue Disk: I would recommend using Kaspersky's. Download the .iso file, burn it to a CD and you can use it.
4.If sometime you have left your PC "ON" in your absence then it may be possible that someone has plugged in a USB (pen drive) and done some data transfer or some unethical activity. Read here how to find this out.

5.Most of the time attackers bind a file with another file in order to trick the victim. Learn how to find this, read here.

6.A simple Autorun.inf can even crash your PC. Learn how to avoid it, read here.

7.Have you ever given a thought that someone may have logged into your box in your absence? Learn how to find out, read here.

8.Always check the print and file sharing option before using the internet. I would recommend disabling it, as it can open a gateway for NetBIOS attacks. Follow the path Control Panel > Network Connections > right-click on the desired icon > Networking tab > disable the print & file sharing option.

9.Always use a strong password for your administrator account, and try to access the internet from a limited user account rather than from the administrator account.

10.Use a good firewall rather than the default Windows firewall; you can choose from Comodo or ZoneAlarm, but I would recommend using ZoneAlarm even if it is the free version.

I must say that even if you follow all these tips you still cannot make your PC 100% hack-proof, because nothing is non-hackable. I recommend following these tips so that you can avoid certain attacks or threats to some extent.

If you find these tips helpful and read worthy then do drop a comment,it will be appreciated.

Track/Recover your stolen Laptop

Tuesday, September 07, 2010
Computers, and laptops in particular, have become every man's need these days. Many laptops are stolen every day at railway stations, airports and even from home. If your laptop contains something very useful and private, I mean your credit card info or saved passwords, then it can cause you a nightmare if it is stolen. So before going to the police station and banging your head there, if you follow the simple steps illustrated below then I feel half of your work is done.

The tool we will be using is ADEONA; it is open-source software and still in its development stage.
This tutorial is for Windows XP/Vista/7.
1.Download the tool Adeona and open it.

2.A terminal window will open up where there will be two options, adeona client and adeona recovery tools. I would recommend checking both the options as shown below.
3.Then follow the on-screen steps to install the tool; you will then be prompted for a password, so do use a strong password.
4.Having entered the password click on next; a command prompt window will pop up, wait a few seconds till the tool is initialized and executed as shown below, then press any key to exit.
5.Now that the tool is completely installed, it will automatically create a file with the ".ost" extension on the desktop. I would recommend emailing this file to your own email ID so that you can use it when your laptop is stolen. That file is the key to tracking/recovering your laptop, so keep it in a safe place.

6.Now if your laptop is stolen with adeona installed on it, use some other computer and install adeona, but this time check only the adeona recovery tool option in step 2.

7.Go to the start menu and select the recovery tool option of adeona, then browse and select the file from step 5.

8.Having done that you will be given the option to select the interval of time and date from the day the laptop was stolen and the number of results you want to see.
9.Then follow the on screen instructions to find the result.

Note: To get information about the stolen laptop, the thief has to connect the laptop to the internet; the adeona client installed on it will then send information about the IP address and local network topology. The user also has to connect to the internet to get the information sent by the client.

If you find this post helpful then do drop your comment,it will be appreciated.

HoneyPot : Intrusion detection and Malware analysis.

Monday, September 06, 2010
In a few of my posts we have discussed what a honeypot is all about. It is basically used for intrusion detection and malware analysis. It also comes as different software packages for different platforms like Windows, Linux etc. The different types of software available are... (click here).

How to install HoneyPot?

I have written a guest post on "how to install honeypot?" on Hackers Enigma. Read it here.
If you find this post useful then do comment there, it will be appreciated... :)

EICAR test file:To check if Anti-Virus is working Properly & effectively

Thursday, August 12, 2010
Well!!! What I feel is that antivirus programs ensure computer security to (50-60)%, but it is also essential to check whether it is working properly and effectively. Today in my post I will show you how it can be accomplished using the "Eicar Test File" in a few simple steps.

What is Eicar Test File?

The Eicar Test File (EICAR STANDARD ANTI-VIRUS TEST FILE) was developed by the European Institute for Computer Anti-Virus Research (EICAR) in order to test the effectiveness of antivirus programs. This file is just a sample virus with the .com extension, and it can also be placed in a multi-level archive to examine the real-time response of the antivirus program and its effectiveness in scanning archive files. This file does not cause any harm to the PC and can be removed after testing. This file can only be run on the Windows platform.

Why Anti-Virus Testing is essential?

1.This is really a good question, but at the same time some may find it foolish to ask... lol. Yeah!!! Antivirus program testing is indeed very much essential; I would try to explain it with a simple example... Suppose by any means I get to know the antivirus running on your PC, its version and details about it. I would try to search for a vulnerability it has, or find a zero-day of my own... lol, then I might plant an exploit for it. This can surely cripple your antivirus and make it non-functional. All these things can be done silently without your knowledge. So, at this point, if you do this Eicar test file testing then you can catch the flaw.

2.Nowadays many Remote Administration Tools (RATs) have the functionality of crippling antivirus programs. So this test can be done to catch that deformity.

3.You can use it to test the real-time capabilities of different antivirus programs and select the best one among them.

Procedure:

Step 1:First download the file (Eicar.com)

Step 2:If your antivirus is working properly then it will immediately detect it, as shown below by my antivirus (Avira Premium Security Suite).
You can also use the above file in a single zip archive or a multiple (nested) zip archive to check up to what level your antivirus detects it. This is a very good option... and a must-do one.
Single Zip Archive (Download)     Multiple Zip Archive (Download)

Note:The code in the file is X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* , you can copy this code into a .txt file and change the extension to .com

How to edit the string?
-You can only append whitespace characters, with the total file length not exceeding 128 characters.
-Whitespace characters allowed are the space character, tab, LF, CR and CTRL-Z.
-The string itself consists only of upper-case letters, digits and punctuation marks, and does not include spaces.
-The third character is the capital letter "O", not the digit zero.
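As an added example, not from the post and not EICAR's own code: a Python check that a prepared test file obeys the editing rules above, and helpers that wrap it in single or multi-level zip archives (like the two downloads mentioned) so you can exercise a scanner's archive handling and confirm the inner sample is intact.

```python
import io
import zipfile

# The 68-byte EICAR string quoted in the post (the backslash is escaped for Python).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MAX_LEN = 128
ALLOWED_PADDING = b" \t\n\r\x1a"  # space, tab, LF, CR, CTRL-Z


def is_valid_eicar(data):
    """True if data follows the rules above: the 68-byte core, then only
    permitted whitespace, with the whole file no longer than 128 bytes."""
    if not data.startswith(EICAR) or len(data) > EICAR_MAX_LEN:
        return False
    return all(b in ALLOWED_PADDING for b in data[len(EICAR):])


def build_eicar(padding=b""):
    """Return test-file bytes, refusing padding that would break detection."""
    data = EICAR + padding
    if not is_valid_eicar(data):
        raise ValueError("padding violates the EICAR length/whitespace rules")
    return data


def wrap_in_zip(payload, levels, inner_name="eicar.com"):
    """Wrap payload in `levels` nested zips (levels=1 is the single-zip case)."""
    data, name = payload, inner_name
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data = buf.getvalue()
        name = "eicar_level%d.zip" % (level + 1)
    return data


def unwrap_zip(data, max_depth=16):
    """Open nested zips until a non-zip member is reached; return (depth, bytes).

    This is the work an archive-aware scanner has to do; the depth limit is
    the same guard a scanner needs against endlessly nested archives.
    """
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            raise ValueError("archive nested deeper than %d levels" % max_depth)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if len(names) != 1:
                raise ValueError("expected exactly one member per level")
            data = zf.read(names[0])
        depth += 1
    return depth, data


if __name__ == "__main__":
    # Writes eicar.com plus a single and a triple-nested zip into the
    # current directory so the scanner's archive handling can be observed.
    with open("eicar.com", "wb") as fh:
        fh.write(build_eicar(b"\r\n"))
    with open("eicar_single.zip", "wb") as fh:
        fh.write(wrap_in_zip(EICAR, 1))
    with open("eicar_nested3.zip", "wb") as fh:
        fh.write(wrap_in_zip(EICAR, 3))
```

If your antivirus detects eicar.com and eicar_single.zip but not eicar_nested3.zip, its archive scanning depth is the limit, not the signature.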

How to remove Eicar.com file from PC?

You can delete this .com file as you delete other files, because it does not make any registry changes when it is run. But sometimes, when it is detected by the antivirus program, access to the file is restricted so you may not be able to delete it. At this point you can use UNLOCKER (Download) to resolve the restriction and delete it.

Source:www.eicar.org/

If  you find this post worthy to read then do drop a comment,it will be appreciated.

Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability(CVE-2010-2568)

Thursday, July 29, 2010
Well, it is always advisable to use an up-to-date OS and patch the OS with the available update files; if you do not do that then some person aware of the vulnerability in your system can plant an attack. A few days back I came across a security flaw in Microsoft's design; technically speaking it is called "Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (CVE-2010-2568)".

How does it work?

Actually it is a flaw in the Windows OS design, mainly caused by the Windows control panel shortcut icon display routine. The flaw is that Windows incorrectly parses the shortcut in such a way that trojan/malware code can be installed when the icon of the shortcut is displayed. The vulnerable file is shell32.dll and the vulnerable routine is control panel related, where Windows does not correctly handle the parameters of the shortcut file, as shown in the image below.
 Image source:http://community.websense.com

How the system can be exploited ?

A vulnerable system having this flaw (except Mac & Linux) can be exploited via USB, through networks or via CD/DVD. Since the MS Windows OS is unable to properly handle "lnk/pif" files and automatically runs a file, an attacker can run arbitrary code from USB, CD or through networks.
Since milw0rm is down nowadays... I found the exploit at http://www.securityfocus.com/bid/41732/discuss, where you can download the exploit file and use it for educational purposes.

Watch the demo...

Note:This exploit is possible on Windows XP/7/Vista etc.

Countermeasures....

1.You can download Sophos's Windows shortcut protection tool to detect and block the exploit from running. (Download)

2.Read Microsoft Security Advisory (2286198), scan for available updates and patch them.

3.If you are really panicked about this exploit then hop over to Mac or Linux... lol.

4.If you are using a third-party firewall and it has custom file blocking functions then you can use it to block "lnk/pif" shortcuts.

If you find this article worth reading then do drop a comment, it will be appreciated.

How to Spy a Remote PC using RATS ?(General Tutorial)

Monday, July 26, 2010
Note: Earlier CompufreakS.blogspot.com is now SECURITYHUNK.

Spying on a remote PC can be done in many ways... but today we are going to see how it can be done using RATs (Remote Administration Tools). This tutorial is a general one which can be followed for installing the server of all types of RATs. The only things that you have to notice are the terms associated and the data that are to be filled in.
This is a black hat tutorial, so I would suggest my readers go through the DISCLAIMER before reading the tutorial.

For carrying out this attack you will need......

a)A Remote Administration Tool (here I will be using Spy Net 2.7 Beta)

b)An FTP service and a host under No-IP.com (How to?... Read here)

Note:Click on the images to Zoom them.
So let's start...

1.First download the RAT; here I will use Spy Net 2.7 Beta.
Purposefully I have not given the download link; you can take the help of our best friend... "Google".

2.Run it and click the "START BUTTON", then select your suitable language as shown in the image below.

3.Then click on "CREATE SERVER" and give a suitable name to it as shown in the image below.

4.After step 3 a user with the desired name has been created; now select that and click on "FORWARD" as shown in the image below.

5.Now you will be guided to the server installation process, so fill in the details as shown in the image below... in order to know how to fill them in, read this.


6.After that hop over to the next tab and fill it in exactly as shown in the image below; I have chosen "svchost.exe" as these are found in multiples on MS boxes... lol.

7.The next tab is the message, which means that if you enable this then that message will pop up when the server is run on the victim's computer; here I am not using it.

8.Then open up the keylogger tab and fill it up as shown below, but in step 2 fill it in as described here.

9.Now hop over to the "Create server" tab and fill it in as shown in the image below.

10.Now since the server is ready, make it FUD (Fully UnDetectable) by using a crypter, and you may bind it to some other file using a binder and scan it with novirusthanks.org (do not click on the distribute option). This part will be covered in detail in my later post.

For countermeasures read from below...

( RATS:Remote Administration Tools & Spying on Remote PC )
If you find this post worth reading do drop a comment it will be appreciated...... :)

This black hat tutorial is for educational purposes; Compufreaks condemns black hat activity. (Disclaimer)
