Archive for November, 2009

GPS Forensics & Google Earth

I previously wrote about online GPS forensic references and wanted to put them to use.  I had a suspicion that my girlfriend had been seeing another man.  When she was at work I grabbed her GPS (Garmin Nuvi 205) and connected it via USB (don’t forget a write blocker).  For Garmin models, the file you want to look for is “Current.gpx”.

Once I copied Current.gpx, I installed Google Earth.  Earth actually imports several different GPS data/location file formats.  It parsed all the recent destinations entered into the GPS and loaded them as waypoints.  That makes it very convenient to find out where someone has been, where they might live (home location), etc.  Think about all the applications, e.g. rental car GPS units.

***If you don’t want to use Earth you can open the gpx file in a text editor (it’s simple XML).  You’ll be looking at latitude/longitude coordinates that you can plot yourself.
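Since the file is plain XML, here is an added example (not code from the original post) of pulling the waypoints out of a Garmin-style Current.gpx yourself and hashing the copy first so it can be verified later; the GPX content below is constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

GPX_NS = {"g": "http://www.topografix.com/GPX/1/1"}  # GPX 1.1 namespace used by Garmin units

# Constructed stand-in for a copied Current.gpx: two recent destinations,
# one with a <time> element and one without (the unit does not always write it).
SAMPLE_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="nuvi 205" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="38.627003" lon="-90.199402">
    <time>2009-11-02T18:41:07Z</time>
    <name>Dest 1</name>
  </wpt>
  <wpt lat="38.884700" lon="-90.184800">
    <name>Dest 2</name>
  </wpt>
</gpx>
"""

def file_hash(data):
    """SHA-256 of the acquired file, recorded before parsing so the copy can be verified later."""
    return hashlib.sha256(data).hexdigest()

def extract_waypoints(data):
    """Return one dict (name, lat, lon, time) per <wpt> element in the GPX bytes."""
    root = ET.fromstring(data)
    points = []
    for wpt in root.findall("g:wpt", GPX_NS):
        points.append({
            "name": wpt.findtext("g:name", default="(unnamed)", namespaces=GPX_NS),
            "lat": float(wpt.get("lat")),
            "lon": float(wpt.get("lon")),
            # <time> is optional in GPX; keep None rather than inventing a timestamp
            "time": wpt.findtext("g:time", default=None, namespaces=GPX_NS),
        })
    return points

def report(data):
    """Plain-text listing for the examiner's notes: hash line, then one line per waypoint."""
    lines = ["sha256=" + file_hash(data)]
    for p in extract_waypoints(data):
        lines.append(f"{p['name']}: {p['lat']:.6f}, {p['lon']:.6f} ({p['time'] or 'no time'})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_GPX))
```

Replace SAMPLE_GPX with the bytes read from the copied file; the coordinates printed can be plotted in any mapping tool without importing the file into Earth.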

Successfully running De-Ice on a virtual machine….

I’ve seen several folks wondering how to set up the De-Ice pentest environments in a virtual machine.  It’s actually a fairly simple setup and I’ve included the steps needed below….

Here’s the config I used to get level 1 (1.100) working:

  1. Configure the De-Ice VM guest for host-only networking.
  2. Give the host’s virtual interface an address on the De-Ice subnet (Linux syntax): “ifconfig vboxnet0 192.168.1.X” — X can be anything that’s not in use; vboxnet0 is the name of the host-only interface – in this case I’m using VirtualBox.
  3. Add a host route on the host: “route add -host 192.168.1.100 dev vboxnet0” – this is the biggest problem for people; make sure your host is using the correct interface to reach De-Ice.

Here’s the config I used to get level 2 (2.100) working:

  1. Configure the De-Ice VM guest for host-only networking.
  2. Give the host’s virtual interface an address on the De-Ice subnet: ifconfig vboxnet0 192.168.2.X
  3. Add a host route on the host: route add -host 192.168.2.100 dev vboxnet0

DD-WRT Rollback

I previously wrote about installing and using the alternative Linksys firmware, DD-WRT. Well, after running DD-WRT for about 5 months I’ve decided to roll back to the original Linksys firmware.  Here’s my reasoning:

  • My Linksys WRT54G v8 was only capable of running DD-WRT Micro.  Micro has the fewest features of any of the DD-WRT releases (the Linksys doesn’t have enough NVRAM to store any more features/applications).
  • iptables support was crippled in the DD-WRT Micro v24 that I was running.  I wanted to set up a SPAN/mirror port, which was not possible (at least not for me).  I’ll have to spend a few bucks now and buy a hub (if I can find one anywhere!  No one seems to sell hubs..)
  • DD-WRT was randomly forgetting all of its settings (port forwardings etc.), which was causing me to lose all remote access to my machines.  DD-WRT doesn’t run SSH at the Micro level and there’s no way I’m leaving telnet open publicly.
  • DD-WRT was unreliable.  I had to reboot it at least once a month because it would lock up and stop routing packets.

Has anyone tried OpenWRT?

Try something new…. AskEraser….

I’ve been looking around for a new search engine besides Google.  I’m worried about giving them all the business and their privacy policy scares me.  They’re collecting more and more of our information and no one seems to notice.  (Take a look at Google’s new Dashboard if you want to see what they’re collecting on you.)  I’ll admit, I haven’t started running my own MTA again but I’m getting close. Do you want my public key?  I hope you have one.  There are guys in Utah and St. Louis looking through your email contents as I write this….

Anyways…back on track….

It’s not the easiest task comparing privacy policies even if you limit your search to the big players (Google, Yahoo, Bing, Baidu, Ask, AltaVista).  Besides Scroogle, which is a Google proxy returning scrubbed results cookie-free, most of the large search engines are very similar in their policies.  They all store some type of tracking cookie and say they can use this to target specific advertisements at you and/or share it with third parties.  HOWEVER, all is not lost: I did come across the Ask.com AskEraser.  Navigate over to Ask.com and in the top right corner you’ll see “AskEraser On | Off”.  Turn this guy on and check your cookies for yourself….it does make a difference…

When enabled, AskEraser will completely delete your search queries and data from Ask.com servers, including: your IP address, User ID and Session ID cookies, as well as the complete text of your search query–all within a matter of hours,

We’ll have to take Ask’s word that they’re actually removing our search data from their servers unless someone has a better idea?  Raid one of their NOCs on a Friday night hoping to bribe the night security guard with a pizza and a hooker? (maybe the pizza and a mountain dew would be enough)

Windows Anti Forensics Tip of the Day…

I previously wrote about how to have your system automatically clear the pagefile before a reboot or shutdown.  There are a couple of other steps I recommend you take on your system…

Automatically permanently delete (Nuke on Delete) – Normally Delete sends files to the Recycle Bin and Shift+Delete permanently deletes them.  With the registry tweak below the normal Delete will also behave as a permanent delete. ***Note: “permanently deleted” does not mean the file’s contents are gone.  It only frees up the file record and clusters so they _could_ be overwritten.

  1. Go to Start -> Run and type Regedit
  2. On the left-hand side select the “+” to navigate to the following key:
  3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  4. On the right look for NukeOnDelete
  5. Right click it and set the key value for NukeOnDelete to 1

Scheduled Task to Zero out unused disk space – As I mentioned above, a deleted file only ensures that there is a _chance_ the file will be overwritten.  If you run the command below it will zero out all unused disk space, which _should_ be good enough to prevent file content recovery. ***Note: The deleted file name will still be lying around until a new file happens to overwrite it.

>cipher /W:[directory_to_wipe]

Here’s my scheduled task: C:\WINDOWS\system32\cmd.exe /c cipher /W:C:\

Scheduled Task to Delete Recent Items – Even if you permanently delete a file and/or use Eraser there’s a copy of the filename in your Recent directory.  I have the following scheduled task commands which clear my Recent items once a day….

Task for Recent Items:

>C:\WINDOWS\system32\cmd.exe /c del "c:\documents and settings\[username]\recent\*.lnk"

Task for Recent Office Items:

>C:\WINDOWS\system32\cmd.exe /c del /Q "C:\Documents and Settings\[username]\Application Data\Microsoft\Office\Recent\*.*"

Eraser – I highly recommend using this great freeware utility.  One of the many things it does is add a new option to your context menu to permanently delete a file and zero out its contents at the same time.
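Seen from the other side of the table, the NukeOnDelete value and the cipher/del scheduled tasks above are exactly the artifacts an examiner looks for. As an added example (not code from the original post or from any tool it mentions), this Python triage script parses a constructed “reg export” of the BitBucket key and a constructed list of scheduled-task command lines (“jdoe” is a placeholder user) and flags both settings, so it runs anywhere rather than needing the Windows registry API.

```python
import re

# Constructed "reg export" of the BitBucket key after the tweak above.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket]
"NukeOnDelete"=dword:00000001
"""
BITBUCKET = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"

# Constructed scheduled-task command lines ("jdoe" is a placeholder user); the
# third one is benign and must not be flagged.
SAMPLE_TASKS = [
    "C:\\WINDOWS\\system32\\cmd.exe /c cipher /W:C:\\",
    'C:\\WINDOWS\\system32\\cmd.exe /c del "c:\\documents and settings\\jdoe\\recent\\*.lnk"',
    "C:\\WINDOWS\\system32\\ntbackup.exe backup systemstate",
]

def parse_reg_export(text):
    """Map 'key\\name' -> raw value text (e.g. 'dword:00000001') from a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, raw = line.split("=", 1)
            values[key + "\\" + name.strip('"')] = raw
    return values

def nuke_on_delete_enabled(reg_text):
    """True when Delete bypasses the Recycle Bin (NukeOnDelete is a DWORD equal to 1)."""
    raw = parse_reg_export(reg_text).get(BITBUCKET + "\\NukeOnDelete", "")
    return raw.lower() == "dword:00000001"

# The two cleanup commands from the post, as patterns an examiner can grep task lists for.
WIPE_PATTERNS = [
    ("free-space wipe", re.compile(r"\bcipher(\.exe)?\s+/w:", re.I)),
    ("recent-items purge", re.compile(r"\bdel\b.*\\recent\\", re.I)),
]

def flag_wipe_tasks(commands):
    """Return (label, command) for every task command line matching a wipe pattern."""
    return [(label, cmd) for cmd in commands for label, pat in WIPE_PATTERNS if pat.search(cmd)]
```

On a live box the inputs would come from reg export of that key and the command lines listed by schtasks; a hit on either check tells you the Recycle Bin and Recent folder are not worth much as evidence on that machine.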

Time Warner Cable – Road Runner DMCA Notice

I recently got slapped with a DMCA notice from my ISP, Time Warner. Below is a copy of the page that all of my traffic was redirected to. All of my requests were hijacked until I acknowledged the notice. Using Firebug I tried altering the JavaScript to send different return codes back to Time Warner. Unfortunately, they seem to be performing input validation on the return code and nothing was working.  Has anyone else had any success manipulating this?  What kind of workarounds have you tried?  OpenDNS?  Any pirate firmware for the Motorola Surfboards to change the physical address?  How do you get the new MAC address registered on Road Runner’s end?

Road Runner DMCA Violation

Below is an excerpt of the webpage:

    ....
    <script language="JavaScript" type="text/JavaScript">
    <!--
    // Push the window forward if the user goes back...
    window.history.forward(1);
    function MM_reloadPage(init) {  //reloads the window if Nav4 resized
      if (init==true) with (navigator) {
        if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
          document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }
      }
      else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
    }
    MM_reloadPage(true);
    function RequestRelease(sReasonCode) {
      document.ReasonForm.ClickedCode.value = sReasonCode;
      document.ReasonForm.submit();
    }
    //-->
    </script>
    <td align="left" background="imgs/index_r2_c2.gif" bgcolor="#ffffff" valign="top">
    <form name="ReasonForm" method="post" action="ReasonPg.aspx?[SOME_HASH_KEY_1]" id="ReasonForm">
    <input name="__VIEWSTATE" value="[SOME_HASH_KEY_2]" type="hidden">
    <input name="ClickedCode" id="ClickedCode" type="hidden">
    <td rowspan="5" align="left" valign="top" width="94%"><span><span>
    <a href="Javascript:RequestRelease('[I TRIED DIFFERENT VALUES HERE]')"><b>I am aware of this issue and will take steps to resolve it.</b></a>
    <br><br>
    <pre>Dear Subscriber: (message here --- see screenshot) Road Runner Customer Care</pre>
    <br><br>
    <a href="Javascript:RequestRelease('ABUSE-LEGALCOPY')"><b>I am aware of this issue and will take steps to resolve it.</b></a>
    </span></span>
    ....

Test your web pentest skillz

I previously posted on testing your host/network penetration testing skills. There are several projects whose purpose is to provide exploitable web applications for testing different security flaws.

Here’s what I’ve come up with so far:

Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10

OWASP WebGoat: deliberately insecure J2EE web application

Damn Vulnerable Web App: PHP/MySQL web application that is damn vulnerable

Samurai Web Testing Framework: live linux environment that has been pre-configured to function as a web pen-testing environment

Moth: VMware image with a set of vulnerable Web Applications and scripts

Hacme Bank: simulates a “real-world” web services-enabled online banking application
Hacme Books: representative of real-world J2EE scenarios
Hacme Casino: extensible online casino platform is written using Ruby on Rails
