Installing IPv6

1. In your computer, go to Start -> All Program -> Accessories and choose “Command Prompt”.

2. Once the command prompt window open, type “ipv6 install” and press enter.

3. Wait for few minutes till the processing complete.

4. Reboot your machine for the new version IP to take effect.

Uninstalling IPv6

1. Open the command prompt from your computer.

2. Type “netsh int ipv6 uninstall”, for uinstall and press enter.

Once an executable file has been compiled, it is quite difficult for you to retrieve its source code as it will be changed to binary format. In this state you can only see garbage characters while trying to open it in your text editor, unless you are using other forensic tools like decompiler and hex editors.

In this current technology, developer has the same methodology as the above statement. While developing a program they tend to ignore the security features as they think it’s not necessary and might not able to disclose sensitive information to the hackers.

Today, let me show you how to retrieve string which has been hardcoded or hidden in an executable file while it’s running on the background of your windows.

Steps

1. Download process explorer from the Sysinternal website.

2. Run the executable program and open your process explorer.

3. Once in the process explorer window you will be able to see all the list of process running.

4. In this list, double click the process name which has the hidden strings information.

5. Once you have the main window for the process, navigate to the “Strings” tab.

6. Here you will be able to see all the strings information available to the process.

Note: In steps 6, you can also copy all this contents shown in the windows an export it to a text file format for easy reading.

Although this is a simple process, it can still disclose as information like password to the hacker which able them to access database, login screen and so on. So developers, beware of hard coding sensitive information even in a executable file, cause the hacker will use all kind of ways to access your application

What if your boss ask you to capture the screenshot of each of the folder permission. Its going to put you on big trouble extracing those information in a short time. To save your time from all this hassle. I would suggest you to use “accesschk“.

Accesschk is a product part of sysinternal, It has more functions compare to the windows command prompt “attrib” commands. It allow you to view the service and file level permissions by allowing filtering option. The sysadmin would be able to generate all the list of file accessible  by a certain user.

Auditors would love this program as they dont need to spend more time on preparing scripts for their auditing purpose. Accesschk also has option to check permission on the registry level.

You may download and “accesschk” from the sysinternal website

For those who dont know what is javascript. JavaScript is widely use in the web application as a medium which ables to provide validation, animation and other cool stuff.  Try visiting jsmadeeasy, you can find thousand of javascript examples.

Any javascript in an web application can be easily modified by using “Firebug“. Firebug allow javascript to be  bypass easily from being validated. In case of “firebug” is not working properly for certain webpage, due to its security settings. You can still use Paros.

Paros act as a proxy between the browser and web server. This program allow you to to modify any response/request coming through it. Paros also has other feature like vulnerability scanning and crawler. You can download paros from Paros Website. This is my favourite program and till now it have not disappointed me.

So programmers, stop depending on client validation, because the hackers knows how to bypass your validation checking

Paros

Firebug

Process Explorer is not pre-default application installed in you machine, so chances to access this application is also limited.
How can view the processes then?

Forensic security experts uses “tasklist” to view the process information. “Tasklist” is more powerful than the “Task Manager”. It has options to even show you the dll or services used in each of the process.

While for those who wants to kill processes, you may use “taskkill” command. “Taskkill terminates running process by specifying the PID number.

View Process Information Using “tasklist”

Kill Running Process Using “taskkill”

TRACE, DEBUG, PUT, DELETE, OPTIONS is also known as HTTP method. Every each of this method has its function by it ownself. Some of this method can be consider dangerous when it falls to the wrong hand.

“DELETE” as what the name says it allows user to delete files from the web server without any special user ID.

During the hardening purpose, security experts always ensure this type of method are blocked. To do this, you may want to list all the available HTTP method in your server.

Steps:

1. Go to the “Windows command prompt”

2. Issue the “telnet <servername/URL> 80″ command run it to get connected.

3. Once connected, run “OPTIONS * HTTP/1.0” and press enter for few times.

4. THis will show you all the list of HTTP methods can be used in that server.

Note:

<servername/URL> is your server name or web address.

Personally I have come across a lot of incident where I’m required to capture the ports open on the infected machine.

This is a not a difficult task, however with the current emerging of technology, the hacker get smarter too. They design the malware to hide their process from being captured by the task manager, netstat commands and other system admin useful commands. Rootkits is one of the example malware which sits on the handle use by the windows to hide itself from “netstat”.

TCPView is a Sysinternal product which allows you to capture all the relevant ports and its protocols with detail overview of its attached processes. This program has an advance future. It allows you to capture the malware ports or connection hidden from a normal Windows “netstat” program.

Recently I have upgraded my Firefox to version 3.6.7. This version is looks cool but currently having some small bug which forces you to close your browser if you are not an IT tech person.

Its all happen when I try to drag and drop an item in the “new tab”. Every time I do this, I might accidentally bring the item above the new tab, where the bookmarks field resides.

This causes me to have the “Assertion Failed” error message. To close this error I will need to keep on clicking on the “X” (Close) button provided on the error pop-up window till this window close.

Everything will be back to normal when this window disappear. This is not an issue for me, but for those users out there might not know this kind of tricks and might end up losing their other data by killing the Firefox process.

I have logged the bugs to Bugzilla team Bug 582260. Hopefully they can provide the resolution on this issue.

Look at the screen shots below:

Steps 1

Steps 2

Be aware of this kind of file as it might already being embedded with some other malicious code.

Virustotal run on a sandbox, offers free analysis service for scanning Virus and Malware files.

It keeps all the history about a file specification like its MD5 hash value, variant, antivirus scan details and the file API’s.

To perform the analysis you will need to upload the file for analysis and wait for the result.

Some of the Oracle Forms build application uses this functionality to store its password configuration.

To customize the Oracle Profile we might need to create a new profile and tag the resources with a different values.

To do this, list all the resources and values available in the “DBA_PROFILES” and change the values based on your requirement for a profile value

“select * from dba_profiles“