mleo2003

http://rss.slashdot.org/~r/Slashdot/slashd...-Sold-To-Rapid7 Just saw this come across the reader, and I'm wondering what this will mean for other projects that include this utility, like BackTrack.

BTW, the MovaLiveCD thing is based on QEMU.

Saw this on lifehacker, had to show that someone else has a solution too: http://lifehacker.com/5356882/mobalivecd-u...b-drive-support

If your birthday is today (from what I read, it is), happy birthday, and you share your birthday with my wife. Makes things weird for me...

http://blogs.computerworld.com/twitter_phishing Did someone leave Evil Server alone for too long? I saw the title of this on Slashdot, and couldn't believe my eyes. I guess it was only a matter of time before someone took the crew serious about something like this.

No noob-lube here, just something I heard before: JavaSpaces. Anything that can run Java, can be used as part of a cluster. For people of this site, search in the archives of cons for a "Distributed Password Cracking" talk by "Bern". He goes over most distributed system options, and his talk helped connect the dots for me.

I do it with the USB version, only thing I had to do was pick a lower option that didn't try xconf first, just startx. It was on down the list, Safe VGA or something like that.

@paradizelost: I agree, I have an 8G stick that I'm using for file storage right now, I just haven't taken the time to run the new setup to get a custom ISO put on it currently. And what's wrong with being cheap? ;) @TCStool: I was wondering that myself, not only from altering the format, but if a registry dump messed with the time stamps that police/others might want to see. That's one of the reasons I initially suggested copying the raw hive files, to keep all time stamps and formatting like they are originally. As to the actual format of the data, I'd say it wouldn't hurt, as long as they can still see all the data they need to see. Otherwise, when an investigator had to use a Linux tool to pull info from a Windows box, that'd change the format of the data, but it still works for their purposes. As far as the rest of the tools, I can't see much problem with most of them, as they are all built into Windows, and just report data back without changing it. I'm not sure how the PS tools work, probably just WMI calls, so still mainly Windows built-in functionality, and those are even supported by Microsoft now. The only one that kind of might be a problem would be MD5Sums. Since it has to open each file to calculate the MD5 of them, that'll screw with time stamps on last accessed, but hopefully the last modified date and created dates will be of more value than that one. Best thing to do, when doing this, is to document everything you do, in great detail. That way, if questions regarding your steps arise, you can always show your logs of what was done, when, and why.

I too experienced a very large dump of information. I was testing it with a 32 MB jump drive, and it filled up fast. It was mainly the Registry Dump, HKLM if I remember correctly. I commented those out, and it finished everything else just fine. VBS scripts wouldn't be too bad, and would allow us to format the output from them the way we needed.

I'm not sure about Autoruns either. Looking on their website, there are options for the program to save output to files, as CSV and XML, so that might be an option. As to the VSS, it is a little more in-depth than the normal dump, but it would record hidden data, as well as preserve time stamps that those hives might contain. It might be a good follow up technique, but this tool is designed to be a first response in a forensics investigation. I'd say the MBR dump, and bootable environment were also secondary techniques, not to be done right off the bat. As for a good environment to use, instead of making one, try the Helix project, it was designed to do a lot of this on its own.

I'm sure that, if some problems arise with licensing, I'm sure some members of the forums would be willing to help you by making programs that emulate the features you want. I know I'd be willing to make a few free programs to help with this. To everyone suggesting normal SwitchBlade things to add to this, keep in mind that this tool wasn't designed to steal anything from someone, but be a first response action in the event of an forensics investigation. The necessary information for this is very different than just a dump and go that we are used to. Just try to keep that in mind when suggesting things. As for my suggestion, the Autoruns program would probably be a very good idea, as it would also go through the Startup folder for users and show what is listed there to startup, as well as the registry, and I can see both lists being needed in this kind of information. Also, as to the registry, there is a trick using the Shadow Copy service to get a copy of each actual hive, which would include hidden info that the regular export may not get. I have some information on it, if your interested. Only problem is it requires that service to be on to actually work, so it might be a good secondary measure if possible. Just my recent thoughts on this.

I was doing my daily stroll around the web, checking to see what all had come out recently, and I came across this: MobaLiveCD In a nutshell, it allows you to run a VM (using Qemu) of an ISO from one executable, no install needed, and can be ran from a Thumbdrive (I think qemu can do that by itself, but this is pretty and handles a lot of things for you). Well, after seeing that, I remembered seeing Mubix's blog post on a DVD that has multiple LiveCDs on it. (It is here for those interested). That would be a good pairing, but then I read down near the bottom where Mubix referenced uNetBootin which lets you boot ISO's from a USB key, if I read that right. I put all this together in my head, and you should be able to create a USB drive that not only can boot from 1 of 10 (or more) Live CDs on it, but then, if you already have a running Windows Machine, you can then run the same Live CDs just on Windows and not even have to reboot. Just thought I'd share this idea with the people here, and see what others thought about doing this.

Another good solution, if your afraid to go the Linux route, is a BartPE disc with DriveXML added to it. The compilation of tools called the Ultimate Boot CD for Windows has this already on it. I've used it, and it works very nice, especially in a Windows environment. As for something a little more enterprise oriented, look on Sourceforge for a project called FOG. Allows you to use PXE to reimage machines across a network. Haven't had the time to play with that one, but it looks very interesting.

This is a little old school, but seeing you talk of this reminded me of an old segment on Hak5. An NSLU2 was used to make an Asterisk box in episode 2x03, and I've always thought that was very cool. After doing some research today, I found that some very smart people have found a way to run Debian on the NSLU2, which fits perfectly with what your looking for: a small device that could attach to the network, and dump files off to somewhere else (or even another USB drive, as the device was intended to work as a NAS). The only catch is, according to Wikipedia, the device has been discontinued by Linksys, though only in this year, so you should be able to get one easily. Seeing this was also good for me, as I have a few ideas on how to use this differently.

What exactly are you looking for in a MD5 program? FastSum looks pretty good, but if you don't like it, it might be good to know what your baseline requirements are. As to what I use, I don't (due to not only running Ubuntu on my desktop, but just not doing MD5 stuff on the Windows machines I use anyway, or the Ubuntu machine either). If I did, I'd probably hack something together myself. Just as a general question, does keeping MD5 values of files really help with integrity? Most of the time for me, if stuff starts corrupting, it's a whole disk. I don't download that much stuff (mainly due to being on dialup still), so I guess that's why it's slightly lost to me how helpful this could be.

If you do have those problems, I'm sorry. I didn't want to sound mean, just trying to keep people trying to do their best, and if that's what your doing, good. As far as help, most of your projects seem like revenge things, or programs that could cause major harm to innocent people, should they spread beyond this site. If you came here specifically for that kind of stuff, I'm sorry, you came to the exact WRONG place. There are places that do this kind of thing, but it's not here. Hak 5 is more about the true art of the hacker, figuring things out that have never been done for, looking at things in new ways and discovering how to work around any problem, inventing new solutions as needed. (And yes, for the older members of the forum, I do realize which forum I'm making that statement in.) I hope you don't leave us, just because of this, but decide to stay to see what all you can learn about.

Not to be mean, but... If you write code half as bad as you spell your posts, it probably crashed the computer due to faulty programming. Your not leet, your not texting, your typing a post onto a forum. You have every character on the keyboard, USE THEM. I don't want to have to sit here for 10 minutes, trying to figure out what you meant to say, questioning my sanity as I reread it again to get more insight into your mind. Even if your native language is not English (which I'll bet it is), you should know better than to use numbers for letters, no other language does it, so it's not even the beginnings of an excuse. Say it right, or don't say it at all. Now, back on topic... That has been done before, but they get caught by in memory scanners eventually.

uNpRo1337, just no. Not that it's impossible, but no.

There's one thing I have that I might post: the vbscript that autoruns from the CD partition bugged me, so I remade it in AutoIt, gave it the U3 Launcher's Icon, and just made it look like the original. All it did was search all drives for "go.exe" off the root, and try to run it. I think I'll rewrite it, to have a little error checking, and also search for go.bat, as well as go.exe. Something like that could be very useful, in a non-destructive way.

I play with AutoIt, and had a payload made in it too, but decided not to release it. AutoIt is an interpreted language that makes exe's by combining the source you write with a static binary header. What this means is, if your payload starts getting flagged as a virus/hacktool by anti-virus software, so will all other AutoIt scripts, including other people's. Not wanting to be that much of an asshole, I decided it was best not to give that to people. This isn't just a problem with AutoIt, but with any interpreted language that can be compiled to an exe, which I believe both Perl and Ruby can. I'm not trying to rain on your parade, just letting you know while it is possible, it's not something that would be good for everyone (course, the switchblade could also be seen as something not good for everyone).

Works for me, and this title bar looks exactly like the one on the other IPB forums I visit, so everything looks good.

Google for Time Machine on Mac, it's not what you think.

I frequent another board (IPB board) that uses the minimum post count idea to keep things cleaner in a subforum of there's, but you can still read and reply to anything in there before your post count is high enough, you just can not post a new topic in that subforum until you get above 10. Now, what I've usually seen happen is if someone had something that really was good and deserved to be there, but couldn't due to the post count, they just posted it in the next most relevant subforum, and the mods moved it into the proper place. I've been there for about a year or so now, and it works very well. No one is flamed for posting in the wrong area in that sense, because it is understood that they can't. In my opinion, if someone has something worthwhile to post, they will find a way to post it. If they are intelligent enough to come up with something that original, having to post in a different forum shouldn't stop them from posting the idea in the first place. Now, that's not to say that I like the idea of restricting anyone. I don't, and I really wish it didn't have to be that way. But, as has been the case so far, it has provided a way for the Mods here to alleviate some problems. Speaking as someone who originally found Hak5 due to another site containing information on the USB hacks, and following the trail back here, I am glad they were there or I may not have ever known about this community, so I surely don't want them to go (and I know they won't). However, I also wasn't a "skiddie" when I joined, I was out of college with a job, and had matured past the age of wanting to do any harm with them. They were an interesting idea for me to play with, and see how they did what they did, and what else they could do (still use one as a way to auto-deploy some software in a much more maintainable way than CDs ever could have been). I can think of at least 5 of my fellow classmates, who, even right out of college, I wouldn't have wanted to find out too much about this, due to the kind of things I can only imagine they would have done (possibly to my stuff). I still know kids I wouldn't want to have this, due to their attitude (as was already pointed out). All in all, I think the post count is the least violent way to help control the "Skiddie problem". If having to post a few times puts someone off, so be it.

Not really a hardware man myself, I saw this and started thinking of how to do it on the software side. With any of these dual-nic boards, my instant reaction is Linux (any version) with the NICs setup in an Ethernet Bridge (built in to all the newest linux kernels), and Snort rules to do the watching. I've been looking into doing something like this at my house for intrusion detection, but I can see how it would work this way too. As far as the PXE boot idea, I like it. I've always thought about setting up a PXE server and seeing just how many PCs I could have connect back to me just because they were setup default like that. A mini way to do it to just 1 machine is one more tool I could use here at work to fix PCs (honestly). Oh, another sniffer that could be done in a mini way: Go Old school, get a small 3-4 port hub, put it inline with a computer, and use a sniffer cable in another port tied to any computer you want to watch unseen on. For those who don't know, a Sniffer cable is just one that, on one end, has the send and receive pairs tied together, and on the other, just the recieve wires are there. That would essentially be the same setup as above, but on a cheaper budget (the true hacker sense).

I've been studying encryption and password hashing for sometime now, and as a project, I decided to make a database in the same style as the one that powers md5lookup.com, but for a different algorithm. Since this was a test, I decided to choose a much easier, and smaller hash method, to reduce the size I would have to hold, as well as the time it would take to make the database. To that end, I chose the Lanman hash, that older versions of Windows used, due to it being relatively easy to compute, plus I could use it myself. Well, just to lookup words from LM hashes didn't seem enough, so I thought about how to make it work even better, and decided that, once a word was found with the LM database, I could do some munging to the text in it, and discover the NTLM hash that matched the correct case. So, I did. The end result is my pwdump companion website: http://skinnywhiteguy.ath.cx Since this website has a few tools that make using pwdump on computers a little easier, I figure everyone who has those logs might want a way to easily discover what is behind those prompts. At least, I figured I would, so I figured I would share my new toy with others. When you run pwdump, you get a few lines of output, one for each user on the machine. Just take one of those lines (that actually has output for LM and NT hashes), paste it into the input box on the website above, and hit the Enter button. If it's stored in my database, you will find the plaintext version of the password. The current character set I'm using is: 0 - 5 : All Chars allowed by LM (look in the Hak5 wiki for a list of those) 6 : Alpha & Numeric 7 : Alpha And, given how LM works, those apply for the next 7 too, so 8-12 also have all chars, etc... The entire database only takes up 68GB of data, so it's not even that huge. I can't remember how big a relative Rainbow Table is, but this provides instant lookup, and I have a feeling it is pretty close on size, so it will work for my purposes. Just as a general note, this is hosted on a virtual machine on my home connection, which is dialup, so it is likely to be up and down at random times. Please be nice to my box, I'd hate to lose any of this. As it was given to me by Jason Davis, I also offer up the source to the utils that made the data files for this project, and will gladly try to help anyone interested in doing this with another algorithm. It only took me around 1 day to make the database I have now, and that was through an emulated machine, so I can only imagine how fast a complete hardware solution would be. Until I get a better connection, I'll be trying email the utils to interested parties. Just shoot me a line here, and let me know. Have fun, and happy hacking.