Archive for category hardware & software

Determining the optimal cluster size for your volumes

If you’re like most people, you have a separate partition where you store your data (mp3s, torrents, software, movies, etc.).  Most people set these partitions up with the default settings (NTFS, 4 KB cluster size).  However, in most cases the 4 KB cluster size is horribly inefficient for these data partitions.  Chances are most of the files on this data partition will be at least 1 MB.  The smaller cluster size causes your drive to perform extra seeks to read and write the data.  With the sudden rise of the new GUID Partition Table (GPT), and with drives beginning to ship with a default sector size larger than 512 bytes, you should get ahead of the curve.

First, you need to determine the optimal cluster (block) size for your data.  The best way to figure this out is to take the median file size of the partition.  Once you know the best cluster size, you will need to copy the data to another partition or drive.  Finally, you can repartition with the new cluster size and then copy your data back.

Here are the steps:

  1. Run one of the below scripts, open in Excel/Calc and run the median() function — does anyone have a quicker way to determine median file size?  keyboard kung fu?
  2. Calculate the median size of files on the volume (listFilesSize – vbscript) (listFileSizes_python/linux — first attempt at python!)
  3. Move data off the volume
  4. Reformat volume using optimal cluster size
  5. Verify new cluster size: [root@localhost]# ntfsinfo -m -d /dev/sdaX
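
A quicker way to get the median without a spreadsheet, as an added example (not one of the scripts this post links to). It also reports the slack space each candidate cluster size would waste. The rule "largest cluster size that does not exceed the median" is an assumption of this example, and the slack figure ignores NTFS storing very small files inside the MFT.

```python
import os
import statistics
import sys

# NTFS allocation unit sizes from 512 bytes to 64 KB.
CLUSTER_SIZES = [512, 1024, 2048, 4096, 8192, 16384, 32768, 65536]


def file_sizes(root):
    """Return the size in bytes of every regular file under root."""
    sizes = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.isfile(path) and not os.path.islink(path):
                    sizes.append(os.path.getsize(path))
            except OSError:
                continue  # file vanished or is unreadable: leave it out
    return sizes


def slack_bytes(sizes, cluster):
    """Space lost when each file is rounded up to a whole number of clusters."""
    return sum(-size % cluster for size in sizes)


def suggest_cluster(sizes):
    """Assumed rule: the largest cluster size that does not exceed the median."""
    if not sizes:
        raise ValueError("no files found")
    median = statistics.median(sizes)
    fitting = [c for c in CLUSTER_SIZES if c <= median]
    return (fitting[-1] if fitting else CLUSTER_SIZES[0]), median


if __name__ == "__main__":
    sizes = file_sizes(sys.argv[1] if len(sys.argv) > 1 else ".")
    cluster, median = suggest_cluster(sizes)
    print(f"{len(sizes)} files, median size {median:.0f} bytes")
    for c in CLUSTER_SIZES:
        mark = "  <- suggested" if c == cluster else ""
        print(f"{c:>6} B clusters: {slack_bytes(sizes, c):>14,} B slack{mark}")
```

Run it with the mount point or drive root of the data volume as the only argument.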

Try something new…. AskEraser….

I’ve been looking around for a new search engine besides Google.  I’m worried about giving them all the business and their privacy policy scares me.  They’re collecting more and more of our information and no one seems to notice.  (Take a look at Google’s new Dashboard if you want to see what they’re collecting on you)  I’ll admit, I haven’t started running my own MTA again but I’m getting close. Do you want my public key?  I hope you have one.  There’s guys in Utah and St. Louis looking through your email contents as I write this….

Anyways…back on track….

It’s not the easiest task comparing privacy policies even if you limit your search to the big players (Google, Yahoo, Bing, Baidu, Ask, AltaVista).  Besides Scroogle, which is a Google proxy returning scrubbed results cookie free, most of the large search engines are very similar with their policies.  They all store some type of tracking cookie and say they can use this to target specific advertisements towards you and/or share with third parties.  HOWEVER, all is not lost: I did come across the Ask.com AskEraser.  Navigate over to Ask.com and in the top right corner you’ll see “AskEraser On | Off”.  Turn this guy on and check your cookies for yourself….it does make a difference…

When enabled, AskEraser will completely delete your search queries and data from Ask.com servers, including: your IP address, User ID and Session ID cookies, as well as the complete text of your search query–all within a matter of hours,

We’ll have to take Ask’s word that they’re actually removing our search data from their servers unless someone has a better idea?  Raid one of their NOCs on a Friday night hoping to bribe the night security guard with a pizza and a hooker? (maybe the pizza and a mountain dew would be enough)

Windows Anti Forensics Tip of the Day…

I previously wrote about how to have your system automatically clear the pagefile before a reboot or shutdown.  There’s a couple other steps I recommend you make on your system…

Automatically permanently delete (Nuke on Delete) - Normally, Delete sends files to the Recycle Bin and a Shift+Delete permanently deletes them.  With the registry tweak below, the normal Delete will also behave as a permanent delete. ***Note: Delete does not mean a file is deleted.  It only frees up the file record and clusters so they _could_ be overwritten.

  1. Go to Start -> Run and type Regedit
  2. On the left hand side select the “+” to navigate to the following.
  3. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ BitBucket
  4. On the right look for NukeOnDelete
  5. Right click it and set the key value for NukeOnDelete to 1

Scheduled Task to Zero out unused disk space – As I mentioned above, a deleted file only ensures that there is a _chance_ the file will be overwritten.  If you run the command below, it will zero out all unused disk space, which _should_ be good enough to prevent file content recovery. ***Note: The deleted file name will still be lying around until a new file happens to overwrite it.

>cipher /W:[directory_to_wipe]

Here’s my scheduled task: C:\WINDOWS\system32\cmd.exe /c cipher /W:C:\

Scheduled Task to Delete Recent Items – Even if you permanently delete a file and/or use Eraser, there’s a copy of the filename in your Recent directory.  I have the following scheduled task command which clears my Recent items once a day….

Task for Recent Items:

>C:\WINDOWS\system32\cmd.exe /c del "c:\documents and settings\[username]\recent\*.lnk"

Task for Recent Office Items:

>C:\WINDOWS\system32\cmd.exe /c del /Q "C:\Documents and Settings\[username]\Application Data\Microsoft\Office\Recent\*.*"

Eraser - I highly recommend using this great freeware utility.  One of the many things it does is add a new option to your context menu to permanently delete a file and zero out the contents all at the same time.

Jailbreak: Export non-exportable Windows certificates

I came across a handy (& free) Windows utility that allows you to export “non exportable” certificates.  Do you want to get at those recovery certificates or private keys? Jailbreak can be snatched here: https://www.isecpartners.com/jailbreak.html

Assault on PHP Applications

This is a must read if you’re a pen tester or PHP developer.  Some great things on PHP security including file include, upload vulnerabilities, command execution, and of course SQL injection…

Assault on PHP Applications

Blackhat Forums

Author: Aelphaeis Mangarae

Date: June 13, 2009

Setting up Windows Honey Pot Shares

I recently set up a honeypot share on a Windows server.  I put some very “interesting” files and directories in there (financial information, PII etc) and then enabled audit logging in Windows.  There’s a very powerful but mostly unknown Windows tool called LogParser which can be used to query your System/Security event logs.  It’s possible to write a script that will query your system security log every so often and look for requests to the honeypot.  You can get very sophisticated using LogParser, a few hand-written scripts, and the Windows Task Scheduler.

  1. Create the honeypot file share.
  2. Create sexy files in the share: bank_statement.pdf, password_list.txt, 08taxes.pst, gmail.doc, megan13.jpg, etc….
  3. Enable audit logging on shared folder.
  4. Install LogParser.
  5. Learn to use LogParser here: http://128.175.24.251/forensics/logparser.htm
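
The kind of script the post describes, as an added example rather than the author's own: it filters a CSV export of the Security log (the sort of file LogParser can produce) for object-access events inside the honeypot share. The CSV column names, the share path, the accounts and the sample rows are all constructed for this example.

```python
import csv
import io
import ntpath

# 560: object open (Windows 2000/XP/2003); 4663: object access attempt (Vista and later).
OBJECT_ACCESS_IDS = {"560", "4663"}

# Constructed sample export; the column names are this example's assumption.
SAMPLE = r"""TimeGenerated,EventID,User,ObjectName
2009-07-01 02:14:07,560,CORP\jdoe,D:\Shares\Finance-Archive\bank_statement.pdf
2009-07-01 02:14:09,560,CORP\jdoe,D:\SHARES\finance-archive\password_list.txt
2009-07-01 02:15:30,560,CORP\asmith,D:\Shares\Finance-Archive-2009\q2.xls
2009-07-01 03:00:00,560,CORP\svc_backup,D:\Shares\Finance-Archive\08taxes.pst
2009-07-01 03:05:12,528,CORP\jdoe,
"""


def _norm(path):
    # Windows paths are case-insensitive and may contain "..", so normalise first.
    return ntpath.normcase(ntpath.normpath(path))


def honeypot_hits(csv_text, share_root, ignore_users=()):
    """Return (time, user, object) for each object-access event inside share_root."""
    root = _norm(share_root)
    ignored = {u.lower() for u in ignore_users}
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] not in OBJECT_ACCESS_IDS:
            continue
        path = _norm(row["ObjectName"])
        # Compare whole path components so "Finance-Archive-2009" is not a match.
        if path != root and not path.startswith(root + "\\"):
            continue
        if row["User"].lower() in ignored:
            continue  # expected readers such as the backup account
        hits.append((row["TimeGenerated"], row["User"], row["ObjectName"]))
    return hits


if __name__ == "__main__":
    for when, user, obj in honeypot_hits(
        SAMPLE, r"D:\Shares\Finance-Archive", ignore_users=[r"CORP\svc_backup"]
    ):
        print(f"ALERT {when} {user} opened {obj}")
```

Scheduled through the Windows Task Scheduler, any hit is worth an alert because nobody has a legitimate reason to open these files.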

Reduce ssh brute force attempts…

In case you’re still running sshd on port 22 (which you should change!) you’re probably getting hammered with brute force attempts.  Take a peek at /var/log/secure or /var/log/wtmp or the “last” command and have a looksy.

There’s a great little application called “denyhosts” which will automatically add suspected brute forcers to your DENY list.

 

URL        : http://denyhosts.sourceforge.net/
License    : GPLv2
Description: DenyHosts is a Python script that analyzes the sshd server log
           : messages to determine which hosts are attempting to hack into your
           : system. It also determines what user accounts are being targeted.
           : It keeps track of the frequency of attempts from each host and,
           : upon discovering a repeated attack host, updates the
           : /etc/hosts.deny file to prevent future break-in attempts from that
           : host.  Email reports can be sent to a system admin.
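
The log analysis that description refers to, sketched as an added example (this is not DenyHosts' code). It counts failed password attempts per source address and emits TCP wrappers entries for hosts over a threshold. The log lines are constructed and the threshold of 3 is an assumption. Because the username in a log line is chosen by the remote party, the pattern is anchored to the end of the line so a crafted username cannot make an innocent address look guilty.

```python
import ipaddress
import re
from collections import defaultdict

# Greedy user group + "$" anchor: only the final " from <ip> port <n>" is trusted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+(?: ssh\d?)?\s*$"
)

# Constructed sample lines in the usual /var/log/secure layout.
SAMPLE_LOG = """\
Jul  1 02:14:07 web1 sshd[4121]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jul  1 02:14:09 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul  1 02:14:12 web1 sshd[4123]: Failed password for invalid user x from 198.51.100.7 port 1 ssh2 from 203.0.113.5 port 40130 ssh2
Jul  1 02:20:00 web1 sshd[4150]: Failed password for alice from 192.0.2.10 port 51515 ssh2
Jul  1 02:20:05 web1 sshd[4150]: Accepted password for alice from 192.0.2.10 port 51515 ssh2
""".splitlines()


def failed_logins(lines):
    """Map each source address to the list of usernames it failed to log in as."""
    per_host = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # not a literal address: never write it to hosts.deny
        per_host[ip].append(m.group("user"))
    return per_host


def deny_entries(lines, threshold=3):
    """Return /etc/hosts.deny lines for hosts with at least `threshold` failures."""
    per_host = failed_logins(lines)
    return sorted(f"sshd: {ip}" for ip, users in per_host.items() if len(users) >= threshold)


if __name__ == "__main__":
    for ip, users in failed_logins(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} failures, targeted accounts: {sorted(set(users))}")
    print("\n".join(deny_entries(SAMPLE_LOG)))
```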

Penetration Testing & Capture the Flag

Penetration Testing

Nowadays penetration testing is where it’s at.  Whether you’re trying to learn security, becoming a white hat, or consulting, it’s a must-have skill.  However, it can be intimidating to figure out where to start.  Besides picking up books, the next best way to learn is through capture the flag events.

Important truths about pen testing

Capture the Flag

Computer/hacking capture the flag events are usually team-based, timed events where you’re pitted against several opponents and try to earn the highest score.  Points are awarded for both offensive and defensive maneuvers.  Typically each team will have a virtual machine they need to defend while trying to exploit vulnerabilities in other teams’ VMs.

The best place to find one in your area (besides attending a con) is your local 2600 chapter.  If they don’t hold CTFs then try a local information security club.  If you live in the mountains and can’t find either you can use Hack This Site which runs virtual CTF events 24/7.

Remember, hacker (white hat) and cracker (black hat).

Malware Analyzers Part deuce

Several weeks ago I posted about different free malware analyzers (sandbox environments).  I’ve stumbled across another free tool from Mandiant which is their Red Curtain offering. Red Curtain will scan a given local directory or drive and analyze each file, assigning it a threat score. It takes into account whether the file is signed, whether it is packed, and its entropy, which could be suspicious.

Another plus is the tool can be remotely deployed which is great for LAN & enterprise environments.

*I believe all their tools only run on Windows.

Google Hacking

Google hacking has been around for a while but unfortunately it is still very relevant.  Basically, because the Google crawler is so powerful, you can use it to your advantage to discover sensitive data.  You can find password files as well as locate vulnerable versions of web servers, forum software, etc….

Google hacking database: http://www.hackersforcharity.org/ghdb/