tag:blogger.com,1999:blog-17340716632479036662012-01-15T23:26:10.055+08:00Securing the world one entity at a time.commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.comBlogger1181100tag:blogger.com,1999:blog-1734071663247903666.post-86172450989796016392012-01-04T22:48:00.002+08:002012-01-04T22:52:11.269+08:00

My latest and first column of the year is out. Here is the excerpt."Do you trust your ISP’s DNS setup? I don’t! DNS is susceptible to attack by malicious entities to target innocent victims just like any other protocol. The solution is to engage OpenDNS as your trusted DNS service which is harnessed by home and enterprise networks globally."

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-71900054850328696422011-12-20T01:26:00.003+08:002011-12-20T01:32:52.247+08:00

Technology is never foolproof and here is an excellent example where common sense is overwhelmingly essential.I received the highlighted link in my Gmail which wasn't marked as spam. A quick glance at the path and I knew this was obviously a ruse but I wondered why Gmail's spam detection didn't pick this up. I quickly ran the suspicious link against the scanners hosted on VirusTotal and was

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-64337952341771316642011-12-03T00:54:00.003+08:002012-01-04T22:52:36.329+08:00

Rushed out 2 columns drafts ahead of schedule and Hakin9 decided to use them in consecutive issues. Here is the excerpt of the latest one."This column was inspired by the international screening of the Tintin movie by Steven Spielberg and Peter Jackson. Just like Tintin, Wireshark is an international icon too. It is primarily harnessed for network troubleshooting and packet analysis but did you

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-11335603387825636872011-11-28T00:03:00.004+08:002011-11-28T00:13:31.601+08:00

I upgraded "Firefox" to v8 and realised that it was sluggish due to configs being wiped by v3.0 of my "ubuntuprivacy" script. I modified the script as follows.#!/bin/shecho "\033[0;34mProceeding to clean your system to ensure your privacy.\033[0m"echoecho "\033[0;31mWiping Firefox history and cache.\033[0m"#sudo srm -rllv .mozilla/firefox/*.default/*.sqlitesudo srm -rllv .mozilla/firefox/*.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-4607313804378029372011-11-02T21:30:00.005+08:002012-01-04T22:53:31.461+08:00

Finished this column months ahead of schedule and it was finally published in this month's issue of "Hakin9".An excerpt of it below."HTTPS Everywhere is a Firefox extension that was developed and is maintained by the Electronic Frontier Foundation (EFF). It was first released in June 2010 and is not available from Mozilla but can be downloaded from EFF’s site (https://www.eff.org/files/

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-330757297169367722011-10-21T00:46:00.005+08:002011-10-23T22:59:44.403+08:00

Wrote a batch script that triggers "ubuntuprivacy", "patch" and "avastupdate" sequentially.#!/bin/sh./ubuntuprivacy.sh./patch.sh./avastupdate.shThe scripts can be downloaded here.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-69442355494305000822011-09-29T00:01:00.002+08:002012-01-04T22:53:39.523+08:00

My new column is out in Hakin9 magazine. It was 2 months overdue so it is a relief that it is finally published.An excerpt of it in the "Tool Time" column this month."Since the issue 7/2010 article Prey: A new hope, there have been developments in the device tracking tool. It has been enhanced to now be able to monitor lost Android smartphones and tablets when activated. There was a reported case

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-81013746849568091542011-09-24T00:42:00.003+08:002011-10-21T00:57:13.068+08:00

Was lazy to memorise the Nessus commands to start/stop the service as well as update its plugins so I decided to dump them into the following script.#!/bin/shecho "\033[0;34mPrepping Nessus for scanning.\033[0m"sudo /etc/init.d/nessusd stopecho "\033[0;31mUpdating Nessus plugins.\033[0m"sudo /opt/nessus/sbin/nessus-update-plugins echo "\033[0;31mStart Nessus service.\033[0m"sudo /etc/init.d/

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-55760121034457984692011-08-31T23:07:00.004+08:002012-01-04T22:53:52.679+08:00

Hakin9 asked me to be a bimonthly contributor to their new column entitled "Tool Time" and here is an excerpt of it."Hispasec Sistemas has managed the service, VirusTotal, since 1st June 2004. The website (http://www.virustotal.com) offers the public access to multiple Antivirus (AV) engines hosted by them to provision online scanning of individual files to uncover malware by harnessing a

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-88541343830628494952011-07-22T01:08:00.002+08:002011-09-24T00:41:08.461+08:00

I updated "ubuntuprivacy.sh" to comment out wiping of OpenOffice history and include wiping of LibreOffice history.#!/bin/shecho "\033[0;34mProceeding to clean your system to ensure your privacy.\033[0m"echoecho "\033[0;31mWiping Firefox history and cache.\033[0m"#sudo srm -rllv .mozilla/firefox/*.default/*.sqlitesudo srm -rllv .mozilla/firefox/*.default/addons.sqlitesudo srm -rllv .mozilla/

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-55263970847946969772011-07-21T00:10:00.005+08:002011-07-22T00:58:45.603+08:00

When I ran "sudo-apt update" command in Terminal, I get the following error.commandrine@bridge:~$ sudo apt-get update[sudo] password for commandrine: Hit http://sg.archive.ubuntu.com lucid Release.gpgIgn http://sg.archive.ubuntu.com/ubuntu/ lucid/main Translation-en_SG Ign http://sg.archive.ubuntu.com/ubuntu/ lucid/restricted Translation-en_SGIgn http://sg.archive.ubuntu.com/ubuntu/ lucid/

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-31416841154992635912011-07-20T23:45:00.006+08:002011-07-21T00:14:28.603+08:00

Was reading this article about an alleged Anonymous hacker uploading a file “aspydrv.asp;.jpg” onto servers to compromise them.This piqued my interest. I Googled the above file and found numerous sites hosting this file. Further research educated me that using the ";.jpg" at the end of the ASP file can fool insecure IIS servers.Accessing one of the vulnerable sites, I try uploading a test ASP

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-67857850263912246872011-07-11T21:52:00.001+08:002011-07-11T21:54:01.713+08:00

Interesting research done on the fake AV industry and eye-popping statistics.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-31071079371337088452011-07-02T22:35:00.003+08:002012-01-04T22:54:03.458+08:00

My new article is out this month in Hakin9 magazine. It is for paid subscribers only and here is an excerpt of it."The firewall is the first line of defense on the network perimeter and end points. Firewalls are susceptible to targeted attacks (eg. social engineering, application vulnerabilities) but they are still the foundation upon which access control is built upon."

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-4142999701672802272011-06-21T22:39:00.000+08:002011-07-02T22:46:13.924+08:00

I wanted to take screenshots of my Android smartphone screen for my new security article and was having a nightmare doing so. It took 3 hours of research and troubleshooting to finally achieve success.I relied on detailed information from this article to setup the Android SDK on my Ubuntu laptop.Watch out for my new security article in Hakin9 magazine.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-39285092159509314312011-05-28T02:00:00.002+08:002011-05-28T02:01:45.019+08:00

Friends I talk to are confident that their personal information is not important or critical but this is a scary and real example of what hackers will do with your details.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-16050278942377261882011-05-28T01:56:00.004+08:002011-05-28T02:03:15.681+08:00

New malware targeting Mac OS X that will not prompt users to enter their administrator password before infecting the victim's machine. Mac users and Apple can continue to be in denial but it is a reality now.Install an AV on your Mac.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-36007558292280169302011-05-23T23:12:00.007+08:002011-05-26T21:21:35.718+08:00

I decided to install a digital certificate for my Gmail account. This is simple and free to set up.Apply for a free certificate from Comodo.The certificate will be automatically installed to your browser when you click on the link in the email from Comodo.Install the "Gmail S/MIME" addon from the Firefox addon source.Log into Gmail and the "Encrypt" icon is visible when you compose new mails.You

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com6tag:blogger.com,1999:blog-1734071663247903666.post-78323080317340007922011-05-12T01:09:00.004+08:002011-05-12T01:18:14.835+08:00

A recently added Graphics Engine, WebGL, in Firefox 4 and Chrome 9 are vulnerable to exploit.The article provisions solutions to disabling this component in both browsers. I will quickly summarise how to disable WebGL in Firefox 4.Type in "about:config" in the address bar.Search for "webgl".Set value for "webgl.disabled" to "true".Restart Firefox.Simple steps that will give you peace of mind.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-21425627114957765212011-04-13T22:03:00.007+08:002011-04-13T22:16:39.571+08:00

"Armitage" was a tool that I discovered from the cover of "Linux Journal" in "Page One" today. It shows how outdated I am with the latest fancy security tools available out there.Visiting the website hosting the tool, I came across this demo video of the tool in action.This video is easy to follow and comprehend. It saves me the effort of making a similar video. From the demo, the tool proves to

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-25863367623085669682011-04-12T20:53:00.009+08:002011-04-12T22:03:08.546+08:00

It has been almost 2 years since I last went to a Security seminar. I strongly believe that you learn when you attend an event with good content. Today was a classic example. I was enlightened about the available of a free service from "Websense" called "Defensio". It is a tool for social mediums to protect both users and their followers against threats in the form of unruly followers or

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-90044209189665922022011-04-02T01:33:00.009+08:002011-04-02T01:58:49.057+08:00

Visited "OMG! Ubuntu!" today as I do everyday. I was presented by a terminal upon successfully accessing the site. My first instinct was that it was a mistake made by the server administrator as my request was redirected to "http://www.omgubuntu.co.uk/bash/". I typed in "help" as hinted in the terminal window. Typical Linux commands were revealed along with strange ones like "moo" and "fortune".

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-89169540385287054472011-03-23T22:09:00.007+08:002011-04-12T20:59:34.620+08:00

"PassWindow" is a new type of 2 factor authentication (2FA) in the market. The concept is different from what we are normally used to.It is compact compared to "RSA" tokens. On the topic of "RSA", "RSA" was breached recently and sensitive data was stolen from their network.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-2882557160419885202011-02-22T23:31:00.003+08:002011-02-22T23:37:29.458+08:00

A new study discovers that employing traditional secure deletion techniques on solid state drives result in majority of data residing on those said drives being left intact. This is a security problem as most portable devices contain solid state drives due to their compact form.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-57086376023132475262011-01-20T23:54:00.003+08:002011-01-20T23:58:56.226+08:00

Cross-platform Trojan that infects Windows, Mac and Linux machines via Java. Interestingly enough, the Trojan is not persistent in Linux as it cannot survive reboots.A breakdown of the infection rate by OS can be found here.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-73316325458358729812010-12-20T23:03:00.004+08:002011-07-27T01:11:55.672+08:00

Upgrading to a new kernel version is necessary from a security perspective but it inevitably introduces a new entry in Grub. You can remove those redundant entries by:Launching "Synaptic Package Manager".Searching for "Linux kernel image".Check "Mark for complete removal" for the kernel versions you no longer need.Click "Apply".Update: There is a variation to my recommendation previously.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-34549028868281917752010-11-24T21:38:00.003+08:002010-11-24T21:44:13.687+08:00

In light of the publicity created by Firesheep, HTTPS Everywhere has been updated to force websites to activate a secure flag in cookies used to authenticate their users.I finally tested Firesheep. It is painfully easy to use for hijacking sessions. Here I start Firesheep on a Windows machine (via RDP) and I log into Facebook on a Ubuntu system. As seen in the screenshot, Firesheep quickly

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-59173279815095284042010-11-09T19:54:00.004+08:002010-11-09T19:59:09.089+08:00

Security vendor, Zscaler, unleashes a tool named Blacksheep to warn users of the presence of a machine running Firesheep. It doesn't mitigate session hijacking but sounds an alarm to alert of a malicious party in close proximity.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-15555587195019343572010-11-08T22:42:00.005+08:002010-11-09T19:57:23.141+08:00

Session hijacking is nothing new with early tools such as Ferret supporting this attack. This Firefox extension, Firesheep, has simplied the attack.I can't wait for the Linux version to be released so that I can play with it. Ways of avoiding becoming a victim of session hijacking are:Using encrypted wireless networks.Using a VPN tunnel over insecure wireless networks.Use full HTTPS sessions.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-22173986037349297402010-09-14T21:23:00.003+08:002010-09-14T21:28:02.557+08:00

The concept behind the article "Learning from bruteforcers" in issue 27 of (IN)SECURE Magazine is simple but I appreciate the author’s thorough analysis and trending.Easily one of the most interesting articles that I have read in a long time.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-35810427773487994192010-07-30T19:40:00.003+08:002012-01-04T22:54:14.443+08:00

A combination of inspiration from reading about the tool, Prey, and an email from Hakin9 mag's editor prompted me to write a new article.An excerpt from my new article."Misplaced your laptop or had it stolen? You are not alone. Dell and thePonemon Institute collaborated on a study with 106 United States airportsas well as over 800 business travelers to ascertain the frequency with whichlaptops

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-15966464175189525172010-07-05T23:07:00.004+08:002010-07-05T23:12:35.638+08:00

Ever worried about your laptop getting lost? There's a software called "Prey" that can ease your fears. It is a utility that lets you know where your laptop is and can be installed on Windows, Linux and Mac OS X.It is easy to setup. Register with the Prey website then enter the API and device key information into the configuration window to start the agent.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-22649824853307777132010-06-25T01:53:00.003+08:002010-06-25T01:55:18.288+08:00

These attacks are not new but yet are still very effective against web applications. Here is an article that discusses how to test for such vulnerabilities and how to mitigate them.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com1tag:blogger.com,1999:blog-1734071663247903666.post-28666980181291744372010-06-24T00:44:00.003+08:002010-06-24T00:47:39.195+08:00

A new type of phishing attack conceptualised by this security researcher. Rather than try to rehash his explanation, it is best to read his article.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-39319755795784034572010-06-21T20:04:00.005+08:002010-06-24T00:39:07.784+08:00

Most websites support HTTPS but do not switch users to the more secure protocol when they visit their sites. The EFF and Tor project have collaborated to release a Firefox addon to automatically redirect users' sessions to HTTPS.Here I demonstrate a Google search prior to installing the plug-in. My search is trasmitted over the Internet in cleartext. After installing the tool, my Google search is

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-81607645811918809772010-06-16T03:52:00.003+08:002010-06-16T03:56:00.997+08:00

Another reason to love "Lucid Lynx". Security researcher discovers that Ubuntu 10.04 permits users to access data on iPhone without needing to know the security pin. Too bad I do not own an iPhone to test this myself.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-68556534437025622112010-06-12T11:35:00.002+08:002010-06-12T11:36:14.780+08:00

Cool POC. It again demonstrates how humans are the weakest link in security. You can educate people and display warnings but victims will still click on malicious links.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-21017771755020193062010-05-18T21:23:00.005+08:002010-05-18T21:32:35.250+08:00

Security researchers discover that majority of users can be uniquely identified by fingerprinting their browser. Apparently... the way our browser is set up can give us away. They host a website for you to test this.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-34232140602956203322010-05-05T22:44:00.003+08:002010-05-05T22:48:36.618+08:00

Google has hosted a vulnerable application called "Jarlsberg" to teach interested parties about how to attack and defend applications. Haven't given it a go so I can't comment (yet) how to compares with WebGoat.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-16762155976012410962010-04-07T21:20:00.009+08:002010-04-09T00:37:59.816+08:00

Lumension vendor visited the office. During their presentation, they mentioned whitelisting and blacklisting files to tackle data leakage. I inquired if the Lumension agent was able to detect blacklisted files (eg. executables, audio) embedded inside whitelisted files (Office documents). The vendor couldn't answer my question.That piqued my curiosity. I embedded the same PDF file inside a Word

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-51466470078989640302010-04-05T23:12:00.001+08:002010-04-05T23:14:14.659+08:00

Puzzle #5 is out. I'm going to get started on figuring it out.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-9449010549817687432010-03-30T21:22:00.006+08:002010-04-13T20:56:08.871+08:00

This annoying message popped up after I ran the update in avast! in Ubuntu yesterday. avast! crashes every time I attempt to launch it after that. Did some googling and someone suggested deleting a file called "400.vps" in the ".avast" folder. I did just that and avast! was able to launch again. However, the same error occurs immediately after the virus definition update is performed. There is an

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com26tag:blogger.com,1999:blog-1734071663247903666.post-2137423411743380652010-03-12T00:29:00.003+08:002010-03-12T00:37:47.666+08:00

Adobe Reader is officially the most exploited software. My decision to remove Adobe Reader from my machines years ago is now fully justified and not a choice out of paranoia. In 2nd place is Microsoft Word which is also not installed on any of my systems at home.A case of security by obscurity? Why do soldiers wear camouflage when they can be killed by weapons of mass destruction?

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-89645729393423270262010-03-08T23:46:00.007+08:002010-03-09T20:55:26.285+08:00

I have demonstrated password reset and cracking of Windows passwords before. I won't even bother demonstrating resetting of Mac OS X passwords because it is so trivial. Lame Apple ships a password reset utility with their Mac OS X installer DVD. DUH!!!Kon-Boot is a powerful tool that gives you root privileges on Linux and administrator rights on Windows without needing to crack or know the admin

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-68276908564368956382010-02-19T21:32:00.004+08:002010-02-26T00:28:47.561+08:00

I always preach about the dangers of revealing too much information. I like this article because it provides a simple example to reinforce my point. Discretion is the key.Researchers develop a Proof-of-concept attack that uncovers the identity of web surfers based on their social networking activities.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-88214405439412507992010-02-18T20:59:00.003+08:002010-02-19T21:29:44.770+08:00

Interesting read about the driving force behind malware writing and distribution.Whilst we are on the topic of malware... malicious PDF installs backdoor on victim’s system and dials home to Singapore hosted server*. Nice!!!Anyone wants to call Alan to give him the bad news?* First came across this cool story on werew01f's blog.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-85376903229325032822010-02-05T00:11:00.006+08:002010-02-06T00:43:24.606+08:00

Puzzle #4 is out. I've been pre-occupied and exhausted by work thus the delay in posting my answers for puzzle #3.The answers for the first 2 answers were straight forward enough.1) 00:25:00:fe:07:c42) AppleTV/2.4The search terms (ie. questions 3 and 8) were a bit tedious to find manually by combing through Wireshark but easier in NetworkMiner. Alternatively, searching using "ngrep" on Ubuntu was

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com2tag:blogger.com,1999:blog-1734071663247903666.post-39413302337642899412010-01-24T01:58:00.004+08:002010-02-06T01:09:39.206+08:00

Been wanting to attempt to reconstruct HTTP sessions captured in Pcap files. Stumbled across this tool called "PyFlag". They have this amazing script to automatically download, install and set up "PyFlag" on Ubuntu. It was painless to get up and running. I managed to load Pcap files to "PyFlag" for analysis but wasn't able to reconstruct the HTTP sessions.I researched for other tools and found "

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-88072477042846985112010-01-24T01:42:00.002+08:002010-01-24T01:46:41.580+08:00

Antivir is a powerful AV with its heuristic detection of malware. I gave up on it because of the ridiculous time it took to update. I replaced it with Microsoft's "Security Essentials".

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-13686189536982334802010-01-17T01:34:00.002+08:002010-01-17T01:35:02.786+08:00

New network forensics puzzle is out. Inline with contest rules, I can't post my answers till the deadline is over.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-33920558314888097002010-01-01T03:03:00.006+08:002010-01-01T03:25:02.652+08:00

I demonstrated cookie hijacking previously but never elaborated about how the stolen cookie can be used.To make use of stolen cookie information, the session must still be active for cookie manipulation to be successful. Here I manually add cookies using the "Web Developer" Firefox addon to successfully access an active Gmail session.The high res version of this demo can be downloaded here.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-27992924589915069602009-12-26T12:09:00.002+08:002009-12-26T12:13:53.017+08:00

M$ IIS webserver is vulnerable to an attack using a semicolon in conjunction with benign extensions to fool it into executing malware.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-3564991206789739932009-12-25T01:00:00.005+08:002009-12-27T13:31:51.456+08:00

Security-themed jokes are rare and very refreshing when I come across them. This sketch was the inspiration behind VirusZoo.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-25526184069009473722009-12-23T23:14:00.004+08:002009-12-25T00:58:59.336+08:00

AppSec Research creates a challenge to the public to find a web app vulnerability to uncover the hidden message. The vulnerable webpage is located here.Update: Solution posted here. I will try out the steps during the Xmas long weekend.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-90505028930570607682009-12-23T23:09:00.002+08:002009-12-23T23:13:23.009+08:00

Dark Reading compiles a list of 9 cool hacks uncovered this year.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-1690859245518268822009-12-23T22:56:00.003+08:002009-12-23T23:09:06.325+08:00

Ever deleted a file by accident? Well... you don't need to be a forensics guru to reclaim the deleted file.From the genuises who created, CCleaner, comes Recuva... a portable tool that you can copy to a flash drive and insert into any machine to recover lost files. This is ideal compared to installing recovery tools as it reduces the risk of accidentally writing over files that you wish to

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-6398872628270636822009-12-21T22:59:00.008+08:002009-12-21T23:04:45.276+08:00

With Rapid7's funding of Metasploit, both NeXpose and Metasploit are seamlessly integrated to automatically scan and remotely exploit target machines. Far out!!! I ran the plugin to successfully exploit my vulnerable virtual machine.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-51542287500557570832009-12-21T01:33:00.006+08:002011-10-09T02:03:02.204+08:00

I've used Nessus for years. I only recently heard of NeXpose after Rapid7 started funding Metasploit and promised to integrate their scanner with Metasploit. I decided to give NeXpose a whirl. The learning curve wasn't steep when using the scanner.Scanned the same target machine with Nessus.The 2 scanners produce the same result but I always believe in the need to use multiple tools to assess

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com4tag:blogger.com,1999:blog-1734071663247903666.post-24804340744421449972009-12-03T23:15:00.005+08:002009-12-03T23:44:47.956+08:00

Found out about this resource from attending a Symantec security seminar today. ThreatExpert provides a list of free services including a "Memory Scanner". This tool scans your memory for malware. Users can submit suspicious files for analysis to discover the file's behaviour without having to execute it.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-66027362559274882062009-12-01T21:09:00.001+08:002009-12-01T21:10:38.958+08:00

Fascinating research that explains how the humble English text can be harnessed to perform shellcode injection.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-20129627991539945532009-12-01T21:08:00.002+08:002009-12-04T23:29:32.754+08:00

Visually, it is easier to comprehend what is occurring during a session when reviewing a recording as compared to keystrokes. However, recordings consume a lot of storage and cannot be indexed for easy searching unlike keylogging. Session video recording is more secure as it does not record the privilege password. It is also less intrusive because no software or tweaking is required on the

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-86787841182251879252009-11-20T22:15:00.018+08:002009-12-01T21:05:11.213+08:00

My answer to the new digital forensics puzzle. I ran "ngrep" in Ubuntu to search for lines containing the "@" symbol. Ann's email address is "sneakyg33k@aol.com". Her secret lover's email address is "mistersecretx@aol.com". She requests him to bring his fake passport and bathing suit.Searching for strings matching "aol.com" reveals "AUTH=LOGIN". I locate the login sequence in Wireshark.I figure

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-58732819636986853372009-11-05T01:01:00.010+08:002010-07-30T19:49:47.546+08:00

My article entitled "Network Forensics: More Than Looking For Cleartext Passwords" is finally out. After months of anxiously waiting, I look forward to having it in my hands and seeing it in print. Grab it from a good bookstore near you!

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com1tag:blogger.com,1999:blog-1734071663247903666.post-47563624341796212552009-11-04T01:29:00.001+08:002009-11-04T01:29:52.657+08:00

Interesting statistics but I wonder how reliable the source is. It is fascinating the difference and benefits that passwords with a length of 12 yields over those with 11.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-5311576250399451912009-10-26T12:31:00.005+08:002009-10-26T12:44:44.729+08:00

One of the rules of application security is to never implement client-side validation but rely on server-side validation.I came across an e-card greeting on the "Uniquely Singapore" website and decided to try it out. Hmmmm... the form doesn't allow me to submit an e-card with the recipient and sender emails being the same. Did they implement client-side validation? I decided to disable Javascript

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-26568991948384801652009-10-22T23:10:00.013+08:002009-12-01T21:05:40.864+08:00

Downloaded a sample of "Zbot" from Offensive Computing's site. I'm no reverse engineering guru but decided to give it a go at analysing this nasty piece of malware. Fired up "Regshot" to detect modifications made to my virtual machine.The following registry keys were added.HKLM\SOFTWARE\Classes\.exe HKLM\SOFTWARE\Classes\.exe \PersistentHandler HKLM\SOFTWARE\Microsoft\DownloadManager HKLM\

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-632940994117868752009-10-01T02:31:00.003+08:002009-10-01T19:54:14.724+08:00

Google now warns its users of sites with malicious content. Google displayed a warning when I searched for the URL of my toy supplier. It also blocked my access to the suspect site.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-32934206336012037132009-10-01T02:22:00.004+08:002009-10-01T02:31:17.949+08:00

M$ released a free AV called "Security Essentials" for home consumers. I gave it a test drive and found it intuitive to manage as well as use.I tested it against the malicious MP3 file that I analysed previously and "Security Essentials" effortlessly detected the malware instantaneously. Avast! on the other hand needed me to manually trigger a scan before it warned me of the presence of malware.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-66792190988207117952009-09-25T23:24:00.002+08:002009-09-25T23:29:23.888+08:00

Malware patiently waits for victims to successfully log into their online banking account using their 2 factor authentication token before proceeding to steal their money.I'm not surprised that most AV engines can't detect Zeus. I proved previously how ineffective AV engines are against malware.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-77370748574380945532009-09-23T22:02:00.005+08:002009-09-24T12:11:30.159+08:00

First, it was cookies residing on your system that could compromise your privacy. Now I read about the threat of Flash cookies??? WTH???Windows users are safe thanks to the almight Ccleaner. It wipes Flash cookies on your computer.Ubuntu users can add the following command to "ubuntuprivacy" if you have Flash Player installed on your system.sudo srm -rllv .macromedia/Flash_Player/#SharedObjects/

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-36726602600503216572009-09-17T00:00:00.003+08:002009-09-22T22:43:39.301+08:00

I wrote a new script for the paranoid. This script will wipe your memory, swap and free space on your Ubuntu system. Please note that this is a time consuming process.#!/bin/shecho "\033[0;34mProceeding to wipe your memory, swap and free space. Please be warned that this is time consuming and may take hours.\033[0m"echoecho "\033[0;31mWiping memory.\033[0m"sudo smem -lvecho "\033[0;32mMemory

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-65728707914479135932009-09-14T21:08:00.009+08:002010-01-09T00:10:26.327+08:00

I have modified "ubuntuprivacy" for enhanced privacy.#!/bin/shecho "\033[0;34mProceeding to clean your system to ensure your privacy.\033[0m"echoecho "\033[0;31mWiping Firefox history and cache.\033[0m"sudo srm -rllv .mozilla/firefox/*.default/*.sqlitesudo srm -rllv .mozilla/firefox/*.default/Cache/*echo "\033[0;32mFirefox history and cache wiped.\033[0m"echo "\033[0;31mWiping Trash.\033[0m"sudo

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-91810413522904470622009-09-13T22:48:00.004+08:002009-09-13T23:24:55.890+08:00

My passion for Information Security began when I took a module called "Internet Security" in university. It was in the lab sessions where I was first exposed to Linux, host-based firewalls, encryption, sniffing, spoofing and Trojans.A flip was switched in my head and I realised my calling in life. I was hooked and the rest as they say is history.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-49992436136503064532009-09-12T23:25:00.009+08:002009-09-22T22:44:26.234+08:00

Realised that "wipefox" was too limited as it only wiped files related to Firefox usage. I wrote a new script that I named "ubuntuprivacy" to include commands to clear other traces left behind as a result of activities performed on your system."ubuntuprivacy" currently wipes your Firefox history and cache, Ubuntu Trash and "Recent Documents" history.#!/bin/shecho “Proceeding to clean your system

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-49842945717755443182009-09-11T22:41:00.008+08:002009-09-13T13:50:17.541+08:00

Need to assess your SSL/TLS-enabled webserver to ensure that it is configured securely? Use SSLScan.commandrine@bridge:~$ sslscan 10.10.10.12It is an accurate and fast scanner. As seen in the extracted output below, it determines that my test webserver supports the weak SSLv2.Testing SSL server 10.10.10.12 on port 443 Supported Server Cipher(s): Accepted SSLv2 168 bits DES-CBC3-MD5

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-87128264512126792822009-09-11T15:00:00.004+08:002009-12-01T21:05:48.955+08:00

Sent in my submission for the SANS network forensics contest and since its past the entry deadline, I decided to post my answer.My forensics machine of choice is a Lenovo Thinkpad T60 running Ubuntu 9.04. It has an Intel Duo Core processor with 3GB RAM. Samples of tools I have installed to facilitate network forensic analysis are: ngrep, Splunk, Wireshark, Netifera, Tcpxtract, Foremost, GHex,

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com2tag:blogger.com,1999:blog-1734071663247903666.post-39939506674158670012009-09-04T23:22:00.005+08:002009-09-22T22:45:16.949+08:00

I got tired of manually keying in commands to wipe my Firefox surfing history and cache so I decided to write my own shell script called "wipefox".#!/bin/shecho “Clearing Firefox surfing history and cache”sudo srm -rllv .mozilla/firefox/*.default/*.sqlitesudo srm -rllv .mozilla/firefox/*.default/Cache/*sudo srm -rllv .mozilla/firefox/*.default/OfflineCache/*#"wipefox" written by commandrine.#

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-64660388331161286732009-09-02T20:21:00.004+08:002009-12-01T21:05:58.370+08:00

Had a need to inspect HTTPS to scrutinise application data. Installed ssldump and fired it up.commandrine@bridge:~$ ssldump -r https.pcap -k server.key -d host 10.10.10.13 > appdata.txtEnter PEM pass phrase:commandrine@bridge:~$Pretty cool stuff. You need the server's private key before you can view session data associated with the said key.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-23429449780961273732009-09-01T22:30:00.001+08:002009-09-02T20:19:08.721+08:00

I am currently tinkering with a new pet project. I need a self generated cert for my experiment. I've created a cert using Microsoft's CA offering but it turns out that it is easier to use OpenSSL which is native to Ubuntu. The first step is creating a private key.commandrine@bridge:~$ openssl genrsa -des3 -out server.key 1024Generating RSA private key, 1024 bit long modulus......................

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-63182098430988375062009-08-30T13:56:00.005+08:002009-12-01T21:06:08.615+08:00

It is curious that LogMeIn doesn't require a user to enter their LogMeIn profile information during installation... yet the installed client knows which account it is associated with.This piqued my interest and I took a peek at the installer file. It seems that LogMeIn uses a VeriSign digitial certificate to encrypt information within the installer?

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-68302369000549342802009-08-22T01:38:00.001+08:002009-08-22T01:39:47.911+08:00

Eye-opening article about a botmaster. Freaked out yet?

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-5337183625477349052009-08-15T11:19:00.009+08:002009-12-01T21:06:21.450+08:00

Packers are tools used to compress executables to reduce their file size whilst retaining their executable property. Hackers harness packing as one of the numerous tricks to avoid detection. However, there are times when software authors pack their legitimate tools and thus not all packed executables are malware.UPX is a popular packer. I packed several files with it and analysed them in a hex

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-27973298670145407602009-08-11T22:50:00.003+08:002009-08-11T23:00:02.070+08:00

I have been telling my network engineer friends for years that DDOSs are impossible to stop regardless of what anti-DDOS vendors tell you. I never believed that some magical algorithm can throttle the flood of network packets originating from a bot army of 10,000s. How do you withstand 30Gbps peak of traffic?

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com2tag:blogger.com,1999:blog-1734071663247903666.post-24660898798977175462009-08-09T15:00:00.008+08:002009-12-01T21:06:30.236+08:00

Metadata analysis is not new. This topic was revisited at the recent Defcon. Chema Alonso and Jose Palazon presented a tool called FOCA.I decided to give it a whirl. Performed metadata extraction against PDF files hosted on Splunk's website. Besides names of Splunk employees, nothing else interesting to discover.Tested FOCA against the Central Narcotics Bureau's website. Shocker!!! Besides

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-38006024597282770662009-08-04T20:02:00.004+08:002009-12-01T21:06:38.369+08:00

Was reading the latest issue of Hakin9 magazine (4/2009). There is an article about harnessing music and videos to attack innocent parties. It struck me as strange that it never occurred to me to use a hex editor to analyse the malicious Mp3 file that I studied previously. Lo and behold! I found the URL that was triggered when victims try to play the fake song.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-89549940670902115992009-08-03T23:29:00.007+08:002009-08-04T00:26:22.915+08:00

Previously blogged about Clickjacking. Came across this new plugin called RequestPolicy that protects users against CSRF attacks. Decided to try it against the Zscaler Clickjacking demo. It works like a charm!!!The high res version of this demo can be downloaded here.NoScript is another tool to secure against Clickjacking. Neither are for n00bs though... it requires some knowledge to know what to

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-88584294994868444472009-08-02T22:38:00.007+08:002009-08-02T23:05:14.990+08:00

Tired of remembering passwords? You can now "encrypt" files using an image instead of a password. PixelCryptor is a simple tool with an intuitive interface. You choose the file that you want to protect then the image you want to secure it with.Original file versus the "encrypted" form. It seems to be "encrypted" but I'm sceptical because this tool does not seem to follow any industry standard

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com2tag:blogger.com,1999:blog-1734071663247903666.post-55551446946869597992009-07-29T21:58:00.006+08:002012-01-04T22:54:20.479+08:00

My next article will be published in Hakin9 magazine issue 6/2009 available at a good bookstore near you in November. I finished writing it last month but the magazine has a backlog of article contributions.An excerpt of my soon-to-be available print article."Logs and alerts from varied network devices (eg. Firewalls, IPS, routers) report what was blocked. They do not offer Security Analysts with

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-8572877922142145882009-07-16T13:45:00.004+08:002009-07-16T14:13:43.678+08:00

I posted about XSS previously. XSS is commonly used by malicious parties to steal session cookies in order to hijack a victim's active session and impersonate them.For session cookie hijacking to be successful, the victim must already be logged into the application. Next, the victim must be tricked into clicking on a link to invoke the Javascript to compromise their cookie. In my video, I first

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-72442697992150324772009-07-16T00:09:00.012+08:002009-07-16T11:40:35.361+08:00

Clickjacking is a social engineering technique where a hacker fools a victim into performing seemingly innocuous click(s) but ends up being compromised as a result of their actions.Attended Zscaler's seminar today and was pretty impressed by the speaker's presentation and demo. He demonstrated Clickjacking and I decided to make a video of their demo page instead of building my own.In this

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-81268225641140930372009-07-08T13:17:00.004+08:002009-09-22T22:47:41.083+08:00

I am in the midst of transitioning jobs and being the paranoid person I am, I needed to wipe my office laptop before handing it over. I booted up the laptop using Dban but it complained about bad sectors and wouldn't perform its job.What happens when Dban fails? Time for Plan B. Boot up your machine with any Linux LiveCD. I happened to have BackTrack 3 with me but Ubuntu's installation CD would

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com3tag:blogger.com,1999:blog-1734071663247903666.post-22777521500732819342009-06-30T00:59:00.013+08:002009-09-22T22:48:06.374+08:00

Locate your Firefox cache by entering "about:cache" in your browser address bar.Note: The cache folder location (eg. u0p8r5n2.default) is randomly generated and different from system to system.Navigate to both "Cache" and "OfflineCache" folders to wipe by running the "sudo srm -rllv *" command.There are other traces of your surfing history (eg. search keywords, files downloaded, URLs entered)

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-74066408216138436762009-06-29T22:21:00.006+08:002009-06-30T00:19:41.346+08:00

I use Firestarter to manage my firewall on Ubuntu. It is easily installed from Ubuntu's "Add/Remove Applications" window. Launch Firestarter from the menu and the wizard is triggered when starting the program for the first time.Follow the instructions in the wizard and Firestarter will be started soon after. Start adding rules to permit inbound and outbound traffic. Firestarter allows advanced

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-37061694587449929662009-06-28T01:49:00.008+08:002009-12-01T21:06:54.136+08:00

I posted about file carving previously. I recently discovered a manual way of carving files out of network packets whilst writing a new article. Locate the file you want to extract from your captured packets in Wireshark. The suspicious file I want to extract is shown as "malicious.doc" in the packet stream but you can tell that it is actually an executable file from the ASCII values of "MZ" at

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-39842531539763554912009-06-19T10:38:00.008+08:002009-06-19T16:25:21.542+08:00

Had a requirement to convert pcap files to text because Splunk's Sales Engineer advised me to do so before Splunk can index information from packet captures.Tshark is the tool to fulfill this need. From Windows:C:\Program Files\Wireshark>tshark -r c:\Forensic\network.pcap -T text > c:\Forensic\network.txtFrom Ubuntu:commandrine@bridge:~$ tshark -r network.pcap -T text > network.txtBy default,

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-54921041137934087452009-06-17T20:53:00.009+08:002009-06-20T13:16:45.550+08:00

Splunk is a search technology that can be used to analyse enterprise data such as logs from security devices and even pcap files. I've heard a lot about it and decided to evaluate the enterprise edition.Reading their FAQ and documentation, it is pretty obvious that Splunk is Windows centric. Installing Splunk on Ubuntu was a headache and that's why I decided to document the installation process

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com2tag:blogger.com,1999:blog-1734071663247903666.post-23693803693291705902009-06-15T20:05:00.009+08:002009-09-22T22:48:56.306+08:00

The secure deletion tools that I recommended previously are effective when wiping whole drives or partitions but cannot be used against individual folders or files.One tool that can tackle this is "secure-delete". I use it to wipe files in my Ubuntu Trash.commandrine@bridge:~$ sudo srm -rllv .local/share/Trash/filesUsing /dev/urandom for random input.Wipe mode is insecure (one pass [random])

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-7636539923669922442009-06-15T01:25:00.003+08:002009-06-15T01:28:26.122+08:00

This is the newest addition to my lab. Thanks to GC for his donation. I have started to make use of it by installing WebGoat on it.WebGoat hacking posts coming soon.

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com2tag:blogger.com,1999:blog-1734071663247903666.post-41568904588032687492009-06-05T14:39:00.015+08:002009-11-03T22:13:15.455+08:00

I previously demonstrated Ophcrack which is a Windows password cracker that uses pre-computed hashes to match the password hash from the target machine's dumped SAM table. Password reset is as the name suggests substituting the password hash from the target machine's dumped SAM table so that you can stipulate the password that you wish to use.My weapon of choice for password reset is Offline NT

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0tag:blogger.com,1999:blog-1734071663247903666.post-85946795344819265352009-06-01T22:28:00.005+08:002012-01-04T22:54:26.090+08:00

This article is 6 months in the making. I finished writing this article in November 2008. It took me 4 months to find an editor who would publish it and it was another 2 months before the article appears in print.An excerpt from my published article on page 106."Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) is a protocol that promises integrity of data transmitted over this channel

commandrinehttp://www.blogger.com/profile/01323772593681299075noreply@blogger.com0