
mleo2003

Posts posted by mleo2003

  1. There were no letters, because (as they explain in the episode) no one got last week's right, so they are redoing it. They even showed it in the episode, with Snubbs beeping and booping about it.

    Edit: I think his question was more onto the placement of the *, either next to char, or next to argv[], and the effects of each choice. I would like to know if there was a difference there, too.

  2. On Michail's forum, he just released an ATI version. He pointed to it in the show notes (it's the AMD version there, since AMD did buy out ATI).

    I loved the episode. I've been lurking on Michail's forums for a while now, and I'm glad to see his efforts being shown off. Another good website (and the one that led me to his) is freerainbowtables.com, which is using the power of Distributed Computing to generate very large rainbow tables (similar to the Hak5 effort). They are currently working on lm, but with an expanded character set that includes more characters than anyone else has done. Some people on their forums figured out how the CodePages map characters typed to actual characters used in passwords, and the most likely chars from that list for the 2 most popular codepages are what is being done now.

    Dave is awesome, as always. Snubs' segment was very cool, and appropriate given the previous segment. Other tools that could be shown are chntpw, which just lets you change the password without knowing what it was before. For those who will try that, keep in mind that if you change a user's password, certain encrypted things Vista (XP?) has will not let that user back into them. To get those, you have to crack the password.

    I have got to get me some stickers...

  3. No noob-lube here, just something I heard before: JavaSpaces. Anything that can run Java, can be used as part of a cluster. For people of this site, search in the archives of cons for a "Distributed Password Cracking" talk by "Bern". He goes over most distributed system options, and his talk helped connect the dots for me.

  4. @paradizelost: I agree, I have an 8G stick that I'm using for file storage right now, I just haven't taken the time to run the new setup to get a custom ISO put on it currently. And what's wrong with being cheap? ;)

    @TCStool: I was wondering that myself, not only from altering the format, but if a registry dump messed with the time stamps that police/others might want to see. That's one of the reasons I initially suggested copying the raw hive files, to keep all time stamps and formatting like they are originally. As to the actual format of the data, I'd say it wouldn't hurt, as long as they can still see all the data they need to see. Otherwise, when an investigator had to use a Linux tool to pull info from a Windows box, that'd change the format of the data, but it still works for their purposes.

    As far as the rest of the tools, I can't see much problem with most of them, as they are all built into Windows, and just report data back without changing it. I'm not sure how the PS tools work, probably just WMI calls, so still mainly Windows built-in functionality, and those are even supported by Microsoft now. The only one that kind of might be a problem would be MD5Sums. Since it has to open each file to calculate the MD5 of them, that'll screw with time stamps on last accessed, but hopefully the last modified date and created dates will be of more value than that one.

    Best thing to do, when doing this, is to document everything you do, in great detail. That way, if questions regarding your steps arise, you can always show your logs of what was done, when, and why.
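The point above about MD5Sums touching last-accessed times can be handled in a collection script: record the original timestamps, hash the file, then put atime/mtime back and keep the whole thing as a log record. This is an added example written for this page, not part of any tool discussed in the thread; `hash_with_timestamps` and `make_sample_file` are names chosen here, and the sample file and its 2008 timestamp are constructed.

```python
import hashlib
import os
import tempfile
import time


def hash_with_timestamps(path):
    """Hash one file as a first-response collection tool would, but restore the
    original access/modification times afterwards. Returns a log record (dict)
    so the collection can be documented step by step."""
    st = os.stat(path)  # timestamps as found, before we open the file
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    atime_after_read = os.stat(path).st_atime_ns  # may have moved on read
    # Restore atime and mtime exactly (nanosecond precision where supported).
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return {
        "path": path,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "atime_ns_original": st.st_atime_ns,
        "atime_ns_after_read": atime_after_read,
        "atime_ns_restored": os.stat(path).st_atime_ns,
        "mtime_ns": st.st_mtime_ns,
        "collected_at": time.time(),  # when this record was produced
    }


def make_sample_file(content=b"constructed sample content\n"):
    """Create a constructed sample file with deliberately old timestamps
    (2008-01-10 UTC, expressed in nanoseconds) so restoration is visible."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    old_ns = 1_200_000_000_000_000_000
    os.utime(path, ns=(old_ns, old_ns))
    return path


if __name__ == "__main__":
    sample = make_sample_file()
    record = hash_with_timestamps(sample)
    for key, value in record.items():
        print(f"{key}: {value}")
    os.remove(sample)
```

Whether atime moves on read depends on the mount options (noatime/relatime), which is why the record keeps both the value after reading and the value after restoration.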

  5. I too experienced a very large dump of information. I was testing it with a 32 MB jump drive, and it filled up fast. It was mainly the Registry Dump, HKLM if I remember correctly. I commented those out, and it finished everything else just fine.

    VBS scripts wouldn't be too bad, and would allow us to format the output from them the way we needed.

  6. That is correct, tasklist is only available with XP Pro. The main reason I prefer pslist is that it has a nice tree view showing which processes spawned which subprocesses. I just find the output to be cleaner.

    Autoruns is a pretty good idea, but can it run silently from the command line? I haven't played with it much. I prefer that over trying to use the VSS service and shadow copy registry components. That would seem to me to be a more in-depth investigation tactic than what we're going for here.

    I'm not sure about Autoruns either. Looking on their website, there are options for the program to save output to files, as CSV and XML, so that might be an option.

    As to the VSS, it is a little more in-depth than the normal dump, but it would record hidden data, as well as preserve time stamps that those hives might contain. It might be a good follow up technique, but this tool is designed to be a first response in a forensics investigation.

    I'd say the MBR dump, and bootable environment were also secondary techniques, not to be done right off the bat. As for a good environment to use, instead of making one, try the Helix project, it was designed to do a lot of this on its own.

  7. I'm sure that, if some problems arise with licensing, some members of the forums would be willing to help you by making programs that emulate the features you want. I know I'd be willing to make a few free programs to help with this.

    To everyone suggesting normal SwitchBlade things to add to this, keep in mind that this tool wasn't designed to steal anything from someone, but be a first response action in the event of a forensics investigation. The necessary information for this is very different than just a dump and go that we are used to. Just try to keep that in mind when suggesting things.

    As for my suggestion, the Autoruns program would probably be a very good idea, as it would also go through the Startup folder for users and show what is listed there to startup, as well as the registry, and I can see both lists being needed in this kind of information. Also, as to the registry, there is a trick using the Shadow Copy service to get a copy of each actual hive, which would include hidden info that the regular export may not get. I have some information on it, if you're interested. Only problem is it requires that service to be on to actually work, so it might be a good secondary measure if possible.

    Just my recent thoughts on this.

  8. I was doing my daily stroll around the web, checking to see what all had come out recently, and I came across this:

    MobaLiveCD

    In a nutshell, it allows you to run a VM (using Qemu) of an ISO from one executable, no install needed, and can be run from a Thumbdrive (I think qemu can do that by itself, but this is pretty and handles a lot of things for you).

    Well, after seeing that, I remembered seeing Mubix's blog post on a DVD that has multiple LiveCDs on it. (It is here for those interested). That would be a good pairing, but then I read down near the bottom where Mubix referenced uNetBootin which lets you boot ISOs from a USB key, if I read that right. I put all this together in my head, and you should be able to create a USB drive that not only can boot from 1 of 10 (or more) Live CDs on it, but then, if you already have a running Windows Machine, you can then run the same Live CDs just on Windows and not even have to reboot.

    Just thought I'd share this idea with the people here, and see what others thought about doing this.

  9. Another good solution, if you're afraid to go the Linux route, is a BartPE disc with DriveXML added to it. The compilation of tools called the Ultimate Boot CD for Windows has this already on it. I've used it, and it works very nicely, especially in a Windows environment.

    As for something a little more enterprise oriented, look on Sourceforge for a project called FOG. Allows you to use PXE to reimage machines across a network. Haven't had the time to play with that one, but it looks very interesting.

  10. This is a little old school, but seeing you talk of this reminded me of an old segment on Hak5. An NSLU2 was used to make an Asterisk box in episode 2x03, and I've always thought that was very cool. After doing some research today, I found that some very smart people have found a way to run Debian on the NSLU2, which fits perfectly with what you're looking for: a small device that could attach to the network, and dump files off to somewhere else (or even another USB drive, as the device was intended to work as a NAS). The only catch is, according to Wikipedia, the device has been discontinued by Linksys, though only in this year, so you should be able to get one easily.

    Seeing this was also good for me, as I have a few ideas on how to use this differently.

  11. What exactly are you looking for in a MD5 program? FastSum looks pretty good, but if you don't like it, it might be good to know what your baseline requirements are.

    As to what I use, I don't (due to not only running Ubuntu on my desktop, but just not doing MD5 stuff on the Windows machines I use anyway, or the Ubuntu machine either). If I did, I'd probably hack something together myself.

    Just as a general question, does keeping MD5 values of files really help with integrity? Most of the time for me, if stuff starts corrupting, it's a whole disk. I don't download that much stuff (mainly due to being on dialup still), so I guess that's why it's slightly lost to me how helpful this could be.

  12. If you do have those problems, I'm sorry. I didn't want to sound mean, just trying to keep people trying to do their best, and if that's what you're doing, good.

    As far as help, most of your projects seem like revenge things, or programs that could cause major harm to innocent people, should they spread beyond this site. If you came here specifically for that kind of stuff, I'm sorry, you came to the exact WRONG place. There are places that do this kind of thing, but it's not here. Hak 5 is more about the true art of the hacker, figuring things out that have never been done before, looking at things in new ways and discovering how to work around any problem, inventing new solutions as needed. (And yes, for the older members of the forum, I do realize which forum I'm making that statement in.)

    I hope you don't leave us, just because of this, but decide to stay to see what all you can learn about.

  13. Not to be mean, but...

    If you write code half as bad as you spell your posts, it probably crashed the computer due to faulty programming. You're not leet, you're not texting, you're typing a post onto a forum. You have every character on the keyboard, USE THEM.

    I don't want to have to sit here for 10 minutes, trying to figure out what you meant to say, questioning my sanity as I reread it again to get more insight into your mind.

    Even if your native language is not English (which I'll bet it is), you should know better than to use numbers for letters, no other language does it, so it's not even the beginnings of an excuse. Say it right, or don't say it at all.

    Now, back on topic...

    That has been done before, but they get caught by in-memory scanners eventually.

  14. There's one thing I have that I might post: the vbscript that autoruns from the CD partition bugged me, so I remade it in AutoIt, gave it the U3 Launcher's Icon, and just made it look like the original. All it did was search all drives for "go.exe" off the root, and try to run it.

    I think I'll rewrite it, to have a little error checking, and also search for go.bat, as well as go.exe. Something like that could be very useful, in a non-destructive way.

  15. I play with AutoIt, and had a payload made in it too, but decided not to release it. AutoIt is an interpreted language that makes exes by combining the source you write with a static binary header. What this means is, if your payload starts getting flagged as a virus/hacktool by anti-virus software, so will all other AutoIt scripts, including other people's. Not wanting to be that much of an asshole, I decided it was best not to give that to people.

    This isn't just a problem with AutoIt, but with any interpreted language that can be compiled to an exe, which I believe both Perl and Ruby can.

    I'm not trying to rain on your parade, just letting you know while it is possible, it's not something that would be good for everyone (course, the switchblade could also be seen as something not good for everyone).

  16. I frequent another board (IPB board) that uses the minimum post count idea to keep things cleaner in a subforum of theirs, but you can still read and reply to anything in there before your post count is high enough, you just can not post a new topic in that subforum until you get above 10. Now, what I've usually seen happen is if someone had something that really was good and deserved to be there, but couldn't due to the post count, they just posted it in the next most relevant subforum, and the mods moved it into the proper place. I've been there for about a year or so now, and it works very well. No one is flamed for posting in the wrong area in that sense, because it is understood that they can't.

    In my opinion, if someone has something worthwhile to post, they will find a way to post it. If they are intelligent enough to come up with something that original, having to post in a different forum shouldn't stop them from posting the idea in the first place.

    Now, that's not to say that I like the idea of restricting anyone. I don't, and I really wish it didn't have to be that way. But, as has been the case so far, it has provided a way for the Mods here to alleviate some problems. Speaking as someone who originally found Hak5 due to another site containing information on the USB hacks, and following the trail back here, I am glad they were there or I may not have ever known about this community, so I surely don't want them to go (and I know they won't). However, I also wasn't a "skiddie" when I joined, I was out of college with a job, and had matured past the age of wanting to do any harm with them. They were an interesting idea for me to play with, and see how they did what they did, and what else they could do (still use one as a way to auto-deploy some software in a much more maintainable way than CDs ever could have been). I can think of at least 5 of my fellow classmates, who, even right out of college, I wouldn't have wanted to find out too much about this, due to the kind of things I can only imagine they would have done (possibly to my stuff). I still know kids I wouldn't want to have this, due to their attitude (as was already pointed out).

    All in all, I think the post count is the least violent way to help control the "Skiddie problem". If having to post a few times puts someone off, so be it.
