Check Installed Windows Patches on Windows

Windows offers a few ways to check your currently installed patches (security, Office, IE and so on).

All you have to do is run the following commands in your command prompt. I believe the second option also accepts parameters for a better result; check and comment on this post. Thanks for reading, guys.

systeminfo – Provides more information on your current system, including the latest Windows update patches installed.

wmic qfe list – Shows you the list of Windows patches installed on your PC.
Option 1 result:

Option 2 result:
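As an added example (not from the original post), here is the PowerShell way to get the same list that "wmic qfe list" prints, compare it against the updates your patch policy requires, and keep a CSV for the audit trail. The KB numbers in $RequiredKBs are placeholders and not real update IDs.

```powershell
# Added example: list installed hotfixes and check a required set.
# Get-HotFix reads Win32_QuickFixEngineering, the same class "wmic qfe" queries.
$RequiredKBs = @('KB0000001', 'KB0000002')   # placeholder IDs, assumed for the example

$hotfixes = Get-HotFix |
    Sort-Object -Property InstalledOn -Descending

Write-Host "Installed updates (newest first):"
$hotfixes |
    Select-Object -First 10 HotFixID, Description, InstalledBy, InstalledOn |
    Format-Table -AutoSize

# Compare the installed set against the required list.
$installedIds = $hotfixes | ForEach-Object { $_.HotFixID }
$missing = @($RequiredKBs | Where-Object { $installedIds -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host "All required updates are present."
} else {
    Write-Warning ("Missing required updates: " + ($missing -join ', '))
}

# Keep a record for audit: export the full list as CSV next to the script.
$hotfixes |
    Select-Object HotFixID, Description, InstalledBy, InstalledOn |
    Export-Csv -Path ".\installed-updates.csv" -NoTypeInformation

# systeminfo only prints the KB IDs. The raw wmic output with every property
# can be captured the same way from a command prompt:
#   wmic qfe list full /format:csv > qfe.csv
```

Get-HotFix only reports updates that register as hotfixes; feature updates and some Office patches do not appear there, which is why the original post suggests cross-checking with systeminfo.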

Installing and Uninstalling IPv6 in Windows XP

Are we running out of IPs? Yes indeed; IPv4 is not going to be in use for many more years. The Internet Engineering Task Force (IETF) has revamped the existing IPv4 into Internet Protocol Version 6 (IPv6). This new-generation IP promises more benefits in terms of usage and security.

Installing IPv6

1. On your computer, go to Start -> All Programs -> Accessories and choose “Command Prompt”.

2. Once the command prompt window opens, type “ipv6 install” and press Enter.

3. Wait a few minutes until the process completes.

4. Reboot your machine for the new IP version to take effect.

Uninstalling IPv6

1. Open the command prompt on your computer.

2. Type “netsh int ipv6 uninstall” to uninstall, and press Enter.

Retrieving Executable File Hidden Information

Before the emergence of web applications, all the programs in our daily use were written as *.exe files. These are also known as executable files and mostly run on the Windows platform. For a client-server program, the client needed to be installed on each machine. This was the main drawback of client-server applications.

Once an executable file has been compiled, it is quite difficult to retrieve its source code, as it has been converted to binary format. In this state you will only see garbage characters when opening it in a text editor, unless you use forensic tools such as a decompiler or a hex editor.

Today's developers follow the same approach described above. While developing a program they tend to ignore security features, thinking they are unnecessary and that the program will not disclose sensitive information to hackers.

Today, let me show you how to retrieve strings that have been hardcoded or hidden in an executable file while it is running in the background on your Windows machine.

Steps

1. Download Process Explorer from the Sysinternals website.

2. Run the executable program and open Process Explorer.

3. In the Process Explorer window you will see the list of all running processes.

4. In this list, double-click the process name that has the hidden string information.

5. Once you have the main window for the process, navigate to the “Strings” tab.

6. Here you will see all the string information available to the process.

Note: In step 6, you can also copy all the contents shown in the window and export them to a text file for easier reading.

Although this is a simple process, it can still disclose information such as passwords to a hacker, enabling them to access the database, login screen and so on. So developers, beware of hardcoding sensitive information even in an executable file, because the hacker will use all kinds of ways to access your application :)
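The defensive side of the Strings tab is to run the same check on your own build before it ships. The following added example (mine, not the post's or Sysinternals' code) pulls printable ASCII and UTF-16 strings out of a binary file the way the Strings tab does for an image on disk, then flags anything that looks like a hard-coded credential. The target path and the secret patterns are assumptions for the example.

```powershell
# Added example: a small "strings" extractor plus a secret-pattern scan.
function Get-PrintableStrings {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [int]$MinLength = 6    # same idea as the Sysinternals strings default
    )
    # Latin-1 maps every byte to exactly one char, so a regex over the text
    # sees the raw bytes and offsets stay byte offsets.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $text   = $latin1.GetString([System.IO.File]::ReadAllBytes($Path))

    # ASCII runs first, then UTF-16LE runs (printable char followed by a NUL),
    # which is how Windows resources and .NET string literals are stored.
    $ascii   = [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") |
               ForEach-Object { $_.Value }
    $unicode = [regex]::Matches($text, "(?:[\x20-\x7E]\x00){$MinLength,}") |
               ForEach-Object { $_.Value -replace "\x00", "" }
    return @($ascii) + @($unicode)
}

# Patterns that suggest a hard-coded credential. Assumed for the example;
# extend with whatever your application actually uses (API keys, tokens, DSNs).
$SecretPatterns = @(
    'password\s*=',
    'pwd\s*=',
    'Data Source=.*;User ID=',       # SQL connection string with embedded login
    'BEGIN (RSA |EC )?PRIVATE KEY'
)

$target  = ".\MyApp.exe"             # placeholder path, assumed
$strings = Get-PrintableStrings -Path $target
Write-Host ("{0} strings extracted from {1}" -f $strings.Count, $target)

# -match is case-insensitive by default, so 'Password=' is caught too.
$hits = @($strings | Where-Object {
    $s = $_
    @($SecretPatterns | Where-Object { $s -match $_ }).Count -gt 0
})

if ($hits.Count -eq 0) {
    Write-Host "No credential-looking strings found."
} else {
    Write-Warning "Possible hard-coded secrets:"
    $hits | ForEach-Object { Write-Warning ("  " + $_) }
}

# Same idea as exporting the Strings tab to a text file for review.
$strings | Set-Content -Path ".\strings.txt"
```

This scans the file image only; Process Explorer's "Memory" view additionally shows strings that exist only at run time (decrypted configuration, values typed by the user), so a clean result here does not mean nothing sensitive is ever in memory.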

Auditing Registry, Services and File Permissions

Auditing service, file and folder permissions on a Windows machine is not an easy task. We might need to drill down into each folder to find its users and access rights. Think about the hassle you face when investigating permission levels: you will spend most of your time opening each Security window to read the permissions.

What if your boss asks you to capture a screenshot of each folder's permissions? It is going to put you in big trouble extracting that information in a short time. To save you from all this hassle, I would suggest using “accesschk“.

Accesschk is part of the Sysinternals suite. It has more functions than the Windows command prompt “attrib” command. It allows you to view service- and file-level permissions with filtering options, so a sysadmin can generate the list of all files accessible by a certain user.

Auditors would love this program as they don't need to spend time preparing scripts for auditing. Accesschk also has an option to check permissions at the registry level.

You may download “accesschk” from the Sysinternals website.
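For machines where you cannot drop Sysinternals tools, the following added example (not part of the post or of accesschk) does the common auditor question with built-in cmdlets: which folders under a root grant a given principal write rights. The root path and principal are assumptions for the example; the accesschk command in the comment is the Sysinternals equivalent.

```powershell
# Added example: find folders where a principal has write/modify/full control.
# Sysinternals equivalent (effective access, including group membership):
#   accesschk.exe -accepteula -s -w -u "BUILTIN\Users" "C:\Program Files"
function Find-WritableFolders {
    param(
        [Parameter(Mandatory)] [string]$Root,
        [Parameter(Mandatory)] [string]$Principal   # e.g. 'BUILTIN\Users' or 'DOMAIN\jsmith'
    )
    # Any of these rights lets the principal change content under the folder.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
                 [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [int][System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }    # no rights to read the ACL; skip
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($ace.IdentityReference.Value -ne $Principal) { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                    break    # one row per folder is enough for the report
                }
            }
        }
}

# Usage (values assumed): report and CSV for the auditor instead of screenshots.
$report = Find-WritableFolders -Root 'C:\Program Files' -Principal 'BUILTIN\Users'
$report | Format-Table -AutoSize
$report | Export-Csv -Path '.\writable-folders.csv' -NoTypeInformation
```

Two caveats: this matches ACEs that name the principal literally, so a user who gets write access through a group shows up only if you query the group; accesschk resolves effective access for you. It also does not cover services or registry keys, which is where accesschk's -c and -k options come in.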

Modifying HTML, Javascript On Webpage Request

Have you ever tried to manipulate JavaScript in a web application?

For those who don't know what JavaScript is: JavaScript is widely used in web applications as a medium that provides validation, animation and other cool stuff. Try visiting jsmadeeasy; you can find thousands of JavaScript examples.

Any JavaScript in a web application can be easily modified using “Firebug“. Firebug allows JavaScript validation to be bypassed easily. In case “Firebug” does not work properly for a certain webpage due to its security settings, you can still use Paros.

Paros acts as a proxy between the browser and the web server. This program allows you to modify any response/request passing through it. Paros also has other features, like vulnerability scanning and a crawler. You can download Paros from the Paros website. This is my favourite program and until now it has not disappointed me.

So programmers, stop depending on client-side validation, because the hackers know how to bypass your validation checks 😛

Paros

Firebug

Checking/Kill processes without Task Manager

There are a few ways to check the processes running on your Windows machine. Task Manager and Process Explorer are the commonly used applications for viewing the currently active processes. Allowing access to Task Manager could be harmful, as it would let a user kill a process that is protecting your machine. In a secure environment, the administrator always ensures these programs are not accessible to normal users.

Process Explorer is not a default application installed on your machine, so the chance to access this application is also limited.
How can we view the processes then?

Forensic security experts use “tasklist” to view process information. “Tasklist” is more powerful than Task Manager; it has options to even show you the DLLs or services used by each process.

For those who want to kill processes, you may use the “taskkill” command. “Taskkill” terminates a running process by specifying its PID number.

View Process Information Using “tasklist”

Kill Running Process Using “taskkill”
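An added example (not from the post) that wraps the two commands the way a responder would use them together: look up a process by image name, list the services and DLLs it hosts, and only then decide whether to terminate it by PID. The image name is a placeholder assumed for the example.

```powershell
# Added example: tasklist/taskkill wrapped so the decision to kill is informed.
function Get-TaskInfo {
    param([Parameter(Mandatory)] [string]$ImageName)
    # /SVC shows hosted services, /FO CSV makes the output parseable, /FI filters.
    # When nothing matches, tasklist prints an INFO line instead of CSV; drop it.
    tasklist /SVC /FO CSV /FI "IMAGENAME eq $ImageName" |
        Where-Object { $_ -like '"*' } |
        ConvertFrom-Csv
}

function Get-TaskModules {
    param([Parameter(Mandatory)] [int]$ProcessId)
    # /M lists loaded DLLs; it cannot be combined with /SVC, hence a second call.
    tasklist /M /FO CSV /FI "PID eq $ProcessId" |
        Where-Object { $_ -like '"*' } |
        ConvertFrom-Csv
}

function Stop-TaskByPid {
    param([Parameter(Mandatory)] [int]$ProcessId, [switch]$Force)
    # /T also ends child processes; /F forces termination of a hung process.
    if ($Force) { taskkill /PID $ProcessId /T /F } else { taskkill /PID $ProcessId /T }
}

$Suspect = 'notepad.exe'    # placeholder image name, assumed for the example
$tasks = @(Get-TaskInfo -ImageName $Suspect)

if ($tasks.Count -eq 0) {
    Write-Host "No running instance of $Suspect"
} else {
    foreach ($t in $tasks) {
        Write-Host ("PID {0} ({1}) hosts services: {2}" -f $t.PID, $t.'Image Name', $t.Services)
        $mods = Get-TaskModules -ProcessId $t.PID
        Write-Host ("  Loaded modules: {0}" -f $mods.Modules)
        # Terminate only after reviewing the services and modules above, e.g.:
        #   Stop-TaskByPid -ProcessId $t.PID -Force
    }
}
```

Note that "tasklist /V" adds the user name and window title, which helps tell a user's copy of a binary from a service's; and that a shared host like svchost.exe will list several services, so killing it by PID takes all of them down.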


Listing HTTP Methods

How well do you know about HTTP methods? In my past experience I have only come across GET and POST.
But in actual fact, HTTP has more methods than we think.

TRACE, DEBUG, PUT, DELETE and OPTIONS are also HTTP methods. Each of these methods has its own function. Some of them can be considered dangerous when they fall into the wrong hands.

“DELETE”, as the name says, allows a user to delete files from the web server without any special user ID.

During hardening, security experts always ensure this type of method is blocked. To do this, you may want to list all the available HTTP methods on your server.

Steps:

1. Go to the Windows command prompt.

2. Issue the “telnet <servername/URL> 80” command to get connected.

3. Once connected, type “OPTIONS * HTTP/1.0” and press Enter a few times.

4. This will show you the list of HTTP methods that can be used on that server.

Note:

<servername/URL> is your server name or web address.
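The telnet steps above can be scripted so the check runs against every server in a hardening checklist. This added example (not from the post) sends the same "OPTIONS * HTTP/1.0" request over a raw TCP socket, reads the Allow header, and warns about the methods the post names as dangerous. The server name is a placeholder assumed for the example.

```powershell
# Added example: list advertised HTTP methods and flag the risky ones.
function Get-HttpAllowedMethods {
    param(
        [Parameter(Mandatory)] [string]$Server,
        [int]$Port = 80
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 5000
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()

    # HTTP wants CRLF line endings and a blank line to end the headers.
    # HTTP/1.0 makes the server close the connection, so ReadToEnd terminates.
    $request = "OPTIONS * HTTP/1.0`r`nHost: $Server`r`n`r`n"
    $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
    $stream.Write($bytes, 0, $bytes.Length)

    $reader   = New-Object System.IO.StreamReader($stream)
    $response = $reader.ReadToEnd()
    $client.Close()

    # The Allow (or, on older IIS, Public) header carries the comma-separated list.
    foreach ($line in ($response -split "`r?`n")) {
        if ($line -match '^(Allow|Public):\s*(.+)$') {
            return ($Matches[2] -split '\s*,\s*' | ForEach-Object { $_.Trim().ToUpper() })
        }
    }
    return @()
}

# Methods a hardening checklist normally wants disabled on a plain web server.
# TRACK is the IIS spelling of TRACE; DEBUG is the ASP.NET debugging verb.
$Risky  = @('TRACE', 'TRACK', 'DEBUG', 'PUT', 'DELETE')
$Server = 'www.example.com'    # placeholder, assumed for the example

$methods = Get-HttpAllowedMethods -Server $Server
Write-Host ("Allowed methods on {0}: {1}" -f $Server, ($methods -join ', '))

$found = @($methods | Where-Object { $Risky -contains $_ })
if ($found.Count -eq 0) {
    Write-Host "No risky methods advertised."
} else {
    Write-Warning ("Review or disable: " + ($found -join ', '))
}
```

Treat the Allow header as a hint, not proof: a server can refuse OPTIONS on "*" (try "OPTIONS / HTTP/1.0" instead) and can accept PUT or DELETE on a specific path without advertising it, so a hardening review also confirms the method is rejected when actually sent to the application's paths.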

TCPView For Security Incident Response

While doing security incident response you might want to gather as much information as you can to come up with proper findings.

Personally I have come across a lot of incidents where I'm required to capture the ports open on the infected machine.

This is not a difficult task; however, as technology emerges, the hackers get smarter too. They design malware to hide its process from being captured by Task Manager, the netstat command and other useful sysadmin commands. A rootkit is one example of malware that sits on the handles used by Windows to hide itself from “netstat”.

TCPView is a Sysinternals product which allows you to capture all the relevant ports and their protocols with a detailed overview of the attached processes. This program has an advanced feature: it allows you to capture malware ports or connections hidden from the normal Windows “netstat” program.
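Where TCPView is not available, an added example (not part of the post or of TCPView) that builds the same port-to-process table from "netstat -ano" and the process list, then flags listening ports that are not in an expected baseline. The baseline port list is an assumption for the example; run it from an elevated prompt so every process path is readable.

```powershell
# Added example: TCPView-style table from netstat -ano joined with Get-Process.
function Get-PortOwnerTable {
    # Index running processes by PID once for the join.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    # netstat -ano columns: Proto, Local Address, Foreign Address, [State], PID.
    # UDP rows have no State, so the PID is always the last field.
    netstat -ano |
        Where-Object { $_ -match '^\s*(TCP|UDP)\s' } |
        ForEach-Object {
            $f        = ($_ -replace '^\s+', '') -split '\s+'
            $proto    = $f[0]
            $state    = if ($proto -eq 'TCP') { $f[3] } else { '' }
            $ownerPid = [int]$f[-1]          # not $pid: that is PowerShell's own PID
            $p        = $procs[$ownerPid]
            $name     = if ($p) { $p.ProcessName } else { '<unknown>' }
            $path     = if ($p -and $p.Path) { $p.Path } else { '' }
            [pscustomobject]@{
                Proto   = $proto
                Local   = $f[1]
                Remote  = $f[2]
                State   = $state
                PID     = $ownerPid
                Process = $name
                Path    = $path
            }
        }
}

# Ports this host is expected to listen on. Placeholder baseline, assumed.
$ExpectedListeners = @(135, 445, 3389)

$table = Get-PortOwnerTable
$table | Sort-Object Proto, Local | Format-Table -AutoSize

# Local address ends in ":port" for both IPv4 and bracketed IPv6, so take the last piece.
$unexpected = @($table | Where-Object {
    $_.State -eq 'LISTENING' -and
    $ExpectedListeners -notcontains [int]($_.Local -split ':')[-1]
})
foreach ($u in $unexpected) {
    Write-Warning ("Unexpected listener {0} owned by PID {1} ({2}) {3}" -f
        $u.Local, $u.PID, $u.Process, $u.Path)
}

# A PID netstat reports but Get-Process cannot see is worth a closer look.
$table | Where-Object { $_.Process -eq '<unknown>' } |
    ForEach-Object { Write-Warning ("PID {0} on {1} has no visible process" -f $_.PID, $_.Local) }
```

This script reads the same kernel tables netstat does, so a rootkit that hides a connection from netstat hides it from this script too. The practical cross-check for the hidden-port case the post describes is an external port scan of the host from a clean machine, compared against this table: a port that answers from outside but appears in neither view is the finding.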

Firefox 3.6.7 – Assertion Failed

Firefox is a very powerful web browser. To be honest, I always liked Internet Explorer until some of my friends bugged me to use Firefox instead.

Recently I upgraded my Firefox to version 3.6.7. This version looks cool but currently has a small bug which forces you to close your browser if you are not an IT tech person.

It all happens when I try to drag and drop an item onto the “new tab”. Every time I do this, I might accidentally bring the item above the new tab, where the bookmarks field resides.

This causes the “Assertion Failed” error message. To close this error I need to keep clicking the “X” (Close) button on the error pop-up window until the window closes.

Everything goes back to normal when this window disappears. This is not an issue for me, but other users out there might not know this trick and might end up losing their other data by killing the Firefox process.

I have logged the bug with the Bugzilla team as Bug 582260. Hopefully they can provide a resolution to this issue.

Look at the screen shots below:

Step 1

Step 2


Analyze File Before Execution

Do you receive a lot of suspicious files in your email, server or home machine?

Be wary of this kind of file, as it might already be embedded with other malicious code.

VirusTotal runs in a sandbox and offers a free analysis service for scanning virus and malware files.

It keeps a history of file details such as the MD5 hash value, variant, antivirus scan details and the file's APIs.

To perform the analysis you need to upload the file and wait for the result.
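Because VirusTotal keeps results by hash, the safer order is to hash the file locally, search by hash, and upload only if the hash is unknown, which avoids sending a document that may contain your own data to a third party. This added example (not from the post; the VirusTotal API usage is the public v3 file-report endpoint, the file path and API key are assumptions) does exactly that.

```powershell
# Added example: hash first, look up by hash, upload only as a last resort.
function Get-FileFingerprint {
    param([Parameter(Mandatory)] [string]$Path)
    $item = Get-Item -Path $Path
    # VirusTotal records MD5, SHA-1 and SHA-256; any of them can be searched.
    [pscustomobject]@{
        Name   = $item.Name
        Size   = $item.Length
        MD5    = (Get-FileHash -Path $Path -Algorithm MD5).Hash.ToLower()
        SHA1   = (Get-FileHash -Path $Path -Algorithm SHA1).Hash.ToLower()
        SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    }
}

function Get-VirusTotalReport {
    param(
        [Parameter(Mandatory)] [string]$Sha256,
        [Parameter(Mandatory)] [string]$ApiKey
    )
    # VirusTotal API v3: GET /api/v3/files/{hash} with the key in the x-apikey header.
    # 404 means the hash is unknown to VirusTotal; only then consider uploading.
    $uri = "https://www.virustotal.com/api/v3/files/$Sha256"
    try {
        $r = Invoke-RestMethod -Uri $uri -Headers @{ 'x-apikey' = $ApiKey } -Method Get
        $stats = $r.data.attributes.last_analysis_stats
        [pscustomobject]@{
            Known      = $true
            Malicious  = $stats.malicious
            Suspicious = $stats.suspicious
            Harmless   = $stats.harmless
            Undetected = $stats.undetected
        }
    } catch {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 404) {
            [pscustomobject]@{ Known = $false }
        } else {
            throw
        }
    }
}

$File   = ".\suspicious-attachment.exe"   # placeholder path, assumed
$ApiKey = $env:VT_API_KEY                  # your own key; assumed to be in this variable

$fp = Get-FileFingerprint -Path $File
$fp | Format-List

if ($ApiKey) {
    $report = Get-VirusTotalReport -Sha256 $fp.SHA256 -ApiKey $ApiKey
    if ($report.Known) {
        Write-Host ("VirusTotal verdict: {0} malicious, {1} suspicious, {2} harmless, {3} undetected" -f
            $report.Malicious, $report.Suspicious, $report.Harmless, $report.Undetected)
    } else {
        Write-Host "Hash not on VirusTotal. Upload the file only if it contains nothing sensitive."
    }
} else {
    Write-Host "No API key set; search the SHA-256 above on the VirusTotal website instead."
}
```

Keep the hashes in the incident record either way: a later match on the same SHA-256 elsewhere in your environment is the quickest way to find other copies of the file.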