Retrieving Executable File Hidden Information

Before web applications emerged, most of the programs we used daily were shipped as *.exe files. These are known as executable files and mostly run on the Windows platform. For a client-server program, the client had to be installed on each machine, and that was the main drawback of client-server applications.

Once an executable file has been compiled, it is quite difficult to retrieve its source code, because it has been turned into binary format. In this state you only see garbage characters when you open it in a text editor, unless you use forensic tools such as a decompiler or a hex editor.

Many developers today still work on that same assumption. While developing a program they tend to ignore security features, thinking they are unnecessary and that the compiled binary cannot disclose sensitive information to hackers.

Today, let me show you how to retrieve strings that have been hardcoded or hidden in an executable file while it is running in the background on your Windows machine.

Steps

1. Download Process Explorer from the Sysinternals website.

2. Run the executable program and open Process Explorer.

3. In the Process Explorer window you will see the list of all running processes.

4. In this list, double-click the name of the process that holds the hidden string information.

5. Once the properties window for the process opens, navigate to the “Strings” tab.

6. Here you will see all the string information available in the process.

Note: In step 6, you can also copy all the contents shown in the window and export them to a text file for easier reading.

Although this is a simple process, it can still disclose information such as passwords to the hacker, which lets them access the database, the login screen and so on. So developers, beware of hardcoding sensitive information even in an executable file, because the hacker will use all kinds of ways to access your application :)
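To make the point concrete, here is a small Python script, added to this post and not part of the original, that does on a file image what the Strings tab does on a running process: it scans a byte blob for printable ASCII and UTF-16LE runs and flags any that look like credentials. The sample image, the SECRET_HINT pattern and the six-character minimum are all constructed for the example.

```python
import re

# Constructed sample "program image": a fake header, one ASCII connection string
# and one UTF-16LE string wrapped in non-printable bytes. It is not a real executable.
SAMPLE_IMAGE = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"Server=db01;User Id=appuser;Password=Hunter2!;"
    + b"\x00\x01\x02\xff\xfe"
    + "Licence key: DEMO-1234".encode("utf-16-le")
    + b"\x00\x00\x7f\x80"
)

# Hypothetical pattern for strings that look like embedded credentials.
SECRET_HINT = re.compile(r"(password|pwd|passwd|secret|api[_-]?key|token)\s*=", re.IGNORECASE)


def extract_strings(data, min_len=6):
    """Return (encoding, text) pairs for every printable run of at least min_len
    characters, scanning for ASCII and for UTF-16LE (the two encodings the
    Process Explorer Strings tab and Sysinternals strings.exe look for)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append(("ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append(("utf-16le", m.group().decode("utf-16-le")))
    return found


def flag_secrets(strings):
    """Pick out the extracted strings that look like hard-coded credentials."""
    return [text for _, text in strings if SECRET_HINT.search(text)]


def scan_file(path, min_len=6):
    """Run the same scan over a real file on disk, e.g. a compiled .exe."""
    with open(path, "rb") as fh:
        return extract_strings(fh.read(), min_len)


if __name__ == "__main__":
    for encoding, text in extract_strings(SAMPLE_IMAGE):
        print(f"{encoding:8} {text}")
    print("possible secrets:", flag_secrets(extract_strings(SAMPLE_IMAGE)))
```

Run it against one of your own release builds with scan_file() and anything flag_secrets() returns is exactly what a Strings tab would hand to someone else.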

Auditing Registry, Services and File Permissions

Auditing service, file and folder permissions on a Windows machine is not an easy task. We might need to drill down into each folder to find its users and access rights. Think about the hassle you face when investigating permission levels: you spend most of the time opening each Security window just to read the permissions.

What if your boss asks you to capture a screenshot of each folder's permissions? Extracting that information in a short time would put you in big trouble. To save you from all this hassle, I would suggest using “accesschk“.

Accesschk is part of the Sysinternals suite. It has more functions than the Windows command prompt “attrib” command. It allows you to view service and file level permissions and provides filtering options, so a sysadmin can generate a list of all files accessible by a certain user.

Auditors would love this program, as they do not need to spend time preparing scripts for their auditing purposes. Accesschk also has an option to check permissions at the registry level.

You may download “accesschk” from the Sysinternals website.
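Once accesschk has produced its listing, the remaining chore is reading it. The Python below is an added example, not from the original post or from Sysinternals: it parses text in the layout of accesschk -d output (an unindented object path followed by indented "R", "W" or "RW" lines naming a principal) and reports every write right granted to a broad group. The sample output and the BROAD_PRINCIPALS set are constructed for the example; check the parser against the real tool's output on your own machine before trusting it.

```python
# Constructed sample in the layout of "accesschk -d <dir>" output: an unindented
# object path followed by indented lines of the form "<R|W|RW> <principal>".
SAMPLE_ACCESSCHK_OUTPUT = """\
C:\\App\\Config
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
  RW BUILTIN\\Administrators
  RW Everyone
C:\\App\\Logs
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
  RW BUILTIN\\Administrators
  R  BUILTIN\\Users
"""

# Principals that every interactive or authenticated user belongs to; write access
# granted to them on application files is the classic finding in a permissions audit.
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}


def parse_accesschk(text):
    """Map each object path to a list of (access, principal) tuples."""
    objects = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = new object path
            current = line.strip()
            objects[current] = []
            continue
        parts = line.strip().split(None, 1)
        if current is not None and len(parts) == 2 and parts[0] in ("R", "W", "RW"):
            objects[current].append((parts[0], parts[1]))
    return objects


def find_broad_write_access(objects):
    """Return (path, principal, access) for every write right held by a broad group."""
    findings = []
    for path, aces in objects.items():
        for access, principal in aces:
            if "W" in access and principal.lower() in BROAD_PRINCIPALS:
                findings.append((path, principal, access))
    return findings


if __name__ == "__main__":
    for finding in find_broad_write_access(parse_accesschk(SAMPLE_ACCESSCHK_OUTPUT)):
        print("weak permission:", finding)
```

Redirect accesschk's output to a file, feed the file to parse_accesschk(), and the findings list is the part of the audit that actually needs a screenshot.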

Modifying HTML and JavaScript in Webpage Requests

Have you ever tried to manipulate JavaScript in a web application?

For those who do not know what JavaScript is: JavaScript is widely used in web applications as a medium that provides validation, animation and other cool stuff. Try visiting jsmadeeasy; you can find thousands of JavaScript examples there.

Any JavaScript in a web application can be easily modified using “Firebug“. Firebug allows JavaScript validation to be bypassed easily. If “Firebug” is not working properly for a certain webpage because of its security settings, you can still use Paros.

Paros acts as a proxy between the browser and the web server. This program allows you to modify any request or response passing through it. Paros also has other features such as vulnerability scanning and a crawler. You can download Paros from the Paros website. This is my favourite program and so far it has not disappointed me.

So programmers, stop depending on client-side validation, because the hackers know how to bypass your validation checks :P
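What that advice looks like in code, as an added Python example that is not from the original post: a checkout handler that trusts the price and quantity the browser sent, beside one that re-applies every rule on the server and takes the price from its own catalogue. A proxy such as Paros edits the form body after the page's JavaScript has run, so only the second version holds up. The catalogue, field names and request bodies are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed server-side price list (prices in cents); the client never decides prices.
CATALOGUE = {"SKU-100": 4999, "SKU-200": 1250}
MAX_QTY = 10


def checkout_trusting_client(body):
    """Vulnerable: trusts the price and quantity that the browser sent. A proxy like
    Paros lets the user rewrite both fields after the JavaScript validation ran."""
    form = parse_qs(body, keep_blank_values=True)
    price = int(form["price"][0])
    qty = int(form["qty"][0])
    return price * qty


def checkout_validated(body):
    """Hardened: every rule the client JavaScript enforced is enforced again here,
    and the price comes from the server's own catalogue. Returns ("ok", total)
    or ("rejected", reason)."""
    form = parse_qs(body, keep_blank_values=True)
    sku = form.get("sku", [""])[0]
    if sku not in CATALOGUE:
        return ("rejected", "unknown sku")
    raw_qty = form.get("qty", [""])[0]
    if not raw_qty.isdigit():               # rejects "", "-5", "2.5", "2e1"
        return ("rejected", "qty must be a positive integer")
    qty = int(raw_qty)
    if not 1 <= qty <= MAX_QTY:
        return ("rejected", "qty out of range")
    return ("ok", CATALOGUE[sku] * qty)


# Constructed request bodies: the first is what the page's JavaScript would send,
# the second is the same order after the price field was edited in a proxy.
HONEST_BODY = "sku=SKU-100&qty=2&price=4999"
TAMPERED_BODY = "sku=SKU-100&qty=2&price=1"

if __name__ == "__main__":
    print("trusting client, tampered :", checkout_trusting_client(TAMPERED_BODY))
    print("validated, tampered       :", checkout_validated(TAMPERED_BODY))
    print("validated, negative qty   :", checkout_validated("sku=SKU-100&qty=-5"))
```

The hardened handler simply ignores the client's price field, which is the general rule: anything the server can compute itself should never be read from the request.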

Paros

Firebug

Checking/Killing Processes Without Task Manager

There are a few ways to check the processes running on your Windows machine. Task Manager and Process Explorer are the commonly used applications for viewing the currently active processes. Allowing access to Task Manager could be harmful, as it would let a user kill a process that is protecting your machine. In a secure environment the administrator always ensures these programs are not accessible to normal users.

Process Explorer is not installed by default on your machine, so the chances of accessing this application are also limited. How can you view the processes then?

Forensic security experts use “tasklist” to view process information. “Tasklist” is more powerful than “Task Manager”: it has options to even show you the DLLs or services used by each process.

For those who want to kill processes, you may use the “taskkill” command. “Taskkill” terminates a running process by specifying its PID number.

View Process Information Using “tasklist”

Kill Running Process Using “taskkill”
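To show the two commands working together, here is an added Python example, not from the original post: it parses the CSV form of the services view (tasklist /svc /fo csv, whose columns are Image Name, PID and Services), runs a simple triage check over it, and builds the taskkill command line for a chosen PID without executing it. The sample listing and the svchost heuristic are constructed for the example.

```python
import csv
import io

# Constructed sample of "tasklist /svc /fo csv" output (columns Image Name, PID, Services).
SAMPLE_TASKLIST_SVC_CSV = """\
"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","812","Dhcp,EventLog,lmhosts"
"svchost.exe","1040","Schedule,SENS"
"notepad.exe","4312","N/A"
"svchost.exe","6620","N/A"
"""


def parse_tasklist_svc(text):
    """Turn tasklist /svc CSV output into a list of dicts with an integer PID and a
    list of hosted service names (empty when tasklist prints N/A)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        services = [] if row["Services"] == "N/A" else row["Services"].split(",")
        rows.append({"image": row["Image Name"], "pid": int(row["PID"]), "services": services})
    return rows


def pids_for_image(processes, image_name):
    """All PIDs running a given image, matched case-insensitively as Windows does."""
    return [p["pid"] for p in processes if p["image"].lower() == image_name.lower()]


def svchost_without_services(processes):
    """Heuristic triage check (an assumption of this example, not from the post):
    svchost.exe exists to host services, so an instance hosting none is worth a look."""
    return [p["pid"] for p in processes
            if p["image"].lower() == "svchost.exe" and not p["services"]]


def taskkill_command(pid, force=False):
    """Build the taskkill argument list for a PID; the caller decides whether to run it."""
    args = ["taskkill", "/PID", str(pid)]
    if force:
        args.append("/F")
    return args


if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE_TASKLIST_SVC_CSV)
    print("svchost instances hosting no service:", svchost_without_services(procs))
    target = pids_for_image(procs, "notepad.exe")[0]
    print("to terminate notepad:", " ".join(taskkill_command(target)))
```

Because the parser works on the CSV text, it runs just as well on a listing saved from a machine you are investigating as on live output piped in through subprocess.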


Listing HTTP Methods

How well do you know HTTP methods? In my past experience I had only come across GET and POST. But in actual fact, HTTP has more methods than we think.

TRACE, DEBUG, PUT, DELETE and OPTIONS are also HTTP methods. Each of these methods has its own function, and some of them can be considered dangerous when they fall into the wrong hands.

“DELETE”, as the name says, allows a user to delete files from the web server without any special user ID.

During hardening, security experts always ensure this type of method is blocked. To do this, you may want to list all the HTTP methods available on your server.

Steps:

1. Go to the Windows command prompt.

2. Issue the “telnet <servername/URL> 80” command to get connected.

3. Once connected, type “OPTIONS * HTTP/1.0” and press Enter a few times.

4. This will show you the list of HTTP methods that can be used on that server.

Note:

<servername/URL> is your server name or web address.
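The same check can be scripted so it is repeatable across a whole server estate. The Python below is an added example, not from the original post: it builds the OPTIONS * request from step 3, parses the methods out of the Allow header (and the Public header that older IIS versions send), and reports which of the methods named above are still enabled. The sample response is constructed, not captured from any real host, and RISKY_METHODS is this example's own list.

```python
import socket

# The methods the post singles out as dangerous when left enabled.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "DEBUG"}


def build_options_request(host):
    """The request typed into telnet in step 3, as bytes ready to send."""
    return f"OPTIONS * HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_allowed_methods(response):
    """Collect methods from Allow: (and IIS's Public:) headers, in order, without duplicates."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    methods = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("allow", "public"):
            for m in value.split(","):
                m = m.strip().upper()
                if m and m not in methods:
                    methods.append(m)
    return methods


def risky_methods(methods):
    """The subset of advertised methods that hardening should have blocked."""
    return sorted(RISKY_METHODS.intersection(methods))


def probe_server(host, port=80, timeout=5.0):
    """Live version of steps 2 and 3: connect, send OPTIONS *, return the allowed methods."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_allowed_methods(b"".join(chunks))


# Constructed response in the style of an unhardened server; not captured from a real host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: constructed-sample\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    allowed = parse_allowed_methods(SAMPLE_RESPONSE)
    print("advertised:", allowed)
    print("still enabled, block during hardening:", risky_methods(allowed))
```

An empty result from risky_methods() after hardening is the pass condition; note that a server can also refuse OPTIONS outright, in which case the method list has to be confirmed from the server configuration instead.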

TCPView For Security Incident Response

While doing security incident response you want to gather as much information as you can to come out with proper findings.

Personally I have come across a lot of incidents where I was required to capture the ports open on the infected machine.

This is not a difficult task; however, as technology advances, the hackers get smarter too. They design malware to hide its processes from Task Manager, the netstat command and other useful sysadmin commands. A rootkit is one example of malware that sits on the handles used by Windows in order to hide itself from “netstat”.

TCPView is a Sysinternals product which captures all the relevant ports and protocols with a detailed overview of their attached processes. This program has an advanced feature: it allows you to capture malware ports or connections that are hidden from the normal Windows “netstat” program.
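The practical way to use that difference during a response is a cross-view comparison: whatever a second tool sees that netstat does not is the thing to look at first. The Python below is an added example, not from the original post or from Sysinternals: it parses netstat -ano output and diffs it against a second view of the same host. The netstat text is constructed, and the second view is written out by hand as tuples (protocol, local address, remote address, state, PID) in the order you would read them off the TCPView window, so the example does not depend on TCPView's own save format.

```python
# Constructed "netstat -ano" output. Not captured from a real machine.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4120
  UDP    0.0.0.0:5355           *:*                                    1180
"""

# Constructed second view of the same host, transcribed as (protocol, local address,
# remote address, state, PID). It holds one listener that netstat did not report.
SAMPLE_TCPVIEW = [
    ("TCP", "0.0.0.0:135", "0.0.0.0:0", "LISTENING", "876"),
    ("TCP", "192.168.1.10:49712", "203.0.113.5:443", "ESTABLISHED", "4120"),
    ("TCP", "0.0.0.0:4444", "0.0.0.0:0", "LISTENING", "2288"),
    ("UDP", "0.0.0.0:5355", "*:*", "", "1180"),
]


def parse_netstat_ano(text):
    """Parse netstat -ano lines into (proto, local, remote, state, pid) tuples.
    UDP rows have no State column, so they come out with an empty state."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                         # header, blank and title lines
        if fields[0] == "TCP" and len(fields) == 5:
            entries.append(tuple(fields))
        elif fields[0] == "UDP" and len(fields) == 4:
            entries.append((fields[0], fields[1], fields[2], "", fields[3]))
    return entries


def cross_view_diff(netstat_entries, other_entries):
    """Return entries present in the other tool's view but missing from netstat.
    Such gaps are what a socket-hiding rootkit leaves behind."""
    seen = set(netstat_entries)
    return [entry for entry in other_entries if entry not in seen]


if __name__ == "__main__":
    hidden = cross_view_diff(parse_netstat_ano(SAMPLE_NETSTAT), SAMPLE_TCPVIEW)
    for proto, local, remote, state, pid in hidden:
        print(f"hidden from netstat: {proto} {local} -> {remote} {state} pid={pid}")
```

Save both views at the same moment, because a connection that simply closed between the two captures shows up as a difference too; anything that persists across repeated captures is the finding to record.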