GMAIL and TOR, what the heck!!! GMAIL finds my IP :-((
August 16, 2010
Hey Fellas,
Lately I was checking all my privacy filters, firewalls and IDS, and when I checked on my Tor and Vidalia, guess what?
GMAIL was showing my real IP, the one from my ISP, and not the one I was spoofing; however, when I checked at whatismyip they showed the one spoofed through Tor.
So, guess what, is Google really up to something fishy?
Why on earth would they go ahead and extract your private info, other than for legal purposes?
I know it is possible to get this information in Java/JavaScript.
There are two ways Java/JavaScript can be used to get your IP:
1. Your IP is read from a variable on the client side, then transmitted to the server.
2. A connection is made back to the server (ignoring your proxy settings entirely), which lets the server read the address the connection arrives from (your gateway).
Method 1 is quite natural and is bound to be used by conventional web sites. Method 2 is trickier, and a web site doing this could be blamed, because ignoring the proxy settings of the browser isn't right.
A way to avoid having your IP revealed through Method 1 is to stay behind a NAT router: in that case what is read from the variable is your internal address, which is worthless to the site.
Against Method 2 one can identify the outgoing traffic and block it, but this breaks the workflow of the application.
so, the best way is to avoid using such services :-DD
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
How’s & Whyto’s of GSM-900 Interception a.k.a GSM Hacking
August 2, 2010
A researcher at the Def Con security conference in Las Vegas demonstrated that he could impersonate a GSM cell tower and intercept mobile phone calls using only $1500 worth of equipment. The cost-effective solution brings mobile phone snooping to the masses, and raises some concerns for mobile phone security.
How does the GSM snooping work?
Chris Paget was able to patch together an IMSI (International Mobile Subscriber Identity) catcher for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area, the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.
What happens to the calls?
Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it’s possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.
But, aren’t my calls encrypted?
Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained “Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers.”
Did you not see the movie "Sneakers"? Great movie. Starred Robert Redford, Sidney Poitier, Dan Aykroyd, and River Phoenix.
Seriously, are you aware that, given enough time and energy, no code is unbreakable? The cipher used for GSM has to be relatively lightweight, both because of how it works, on low-power devices, and because of when it was developed, over ten years ago, when CPU power was at least an order of magnitude less on every scale.
What wireless provider networks are affected?
Good news for Sprint and Verizon customers: those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile, as well as most major carriers outside of the United States, rely on GSM.
This is probably already known to most, but for the newer readers, GSM is so popular because it is a free protocol, which can be implemented by anyone, without fees. To use the superior CDMA technology, fees must be paid to the developer, Qualcomm. That few dollars per phone is what keeps most of the world on the inferior technology of GSM.
Does 3G protect me from this hack?
This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier, equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.
Should I be worried that my mobile phone calls are being tapped?
Yes and no. The hack demonstration at Def Con proves it can be done, but it doesn’t mean that it’s in widespread use. $1500 is a relatively low investment, but it’s still enough to be out of range of most casual hackers that just want to experiment.
Unless you work for an institution better known by its initials, work for an entity whose corporate secrets you are privy to and must discuss over the phone, or are a criminal involved in high-level crime, you generally need not worry, even if you seriously believe that your calls are important to someone. Even so, you can remember that "loose lips sink ships", keep your mouth shut about anything possibly interesting over the phone, and do just fine.
Now that the information is out there, though, hackers with the financial resources to put the IMSI catcher together could start intercepting calls. But, as noted earlier, if you are a Sprint or Verizon customer you don't need to worry.
If you are on a GSM network like AT&T and T-Mobile, though, it is possible that an attacker could intercept and record your calls. The range of the IMSI catcher is relatively small, so the odds of your phone connecting to a random IMSI catcher are almost negligible, and it would only be an issue as long as you stayed in close proximity to the IMSI catcher.
However, if a user is specifically targeted, the rogue GSM tower could be an effective means of intercepting calls. The IMSI catcher could be used by corporate spies to target specific high profile individuals in a company to gain corporate secrets or other sensitive information.
Again, either remember "loose lips" and keep mum, get a CDMA phone (much harder to gain access to), or simply don't use a phone at all; yes, that's the ticket!
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
Intercepting GSM calls GSM 900
August 2, 2010
Jul 31, 2010 | 06:36 PM
By Kelly Jackson Higgins
DarkReading
DEFCON18 — Las Vegas — A hardware hacking expert here at Defcon18 successfully faked several attendees’ cell phones into connecting to his phony GSM base station during a live demonstration that had initially raised concerns at the Federal Communications Commission (FCC).
Security researcher Chris Paget's presentation here was aimed at demonstrating security weaknesses in the GSM protocol using a homegrown GSM base station running over ham-radio frequency. His so-called "IMSI Catcher" acted as a spoofed GSM tower and fake base station that could convince GSM handsets to connect to it as the closest "tower" in proximity.
GSM technology is used in 80 percent of the world's mobile phone calls, and has been the subject of previous security research poking holes in it. Paget said his intention was to demonstrate how the protocol is basically broken: "The main problem is that GSM is broken. You have 3G and all of these later protocols with problems for GSM that have been known for decades. It's about time we move on," Paget said in a press briefing yesterday prior to today's demo.
Paget's demo almost didn't happen at all: it wasn't until late last night that he decided to go forward with the live demo of the hack after conferring again with Electronic Frontier Foundation attorneys after the FCC voiced its concerns that the demo might involve the unlawful interception of phone calls: "The response we got from the FCC is that [they couldn't] advise whether this is a good thing or bad thing, but here's a long list of statutes you should read to make sure you're not in violation," Paget said yesterday. "It seemed almost a scare tactic to convince me not to go ahead."
Paget was careful to issue warnings about his demo to attendees during his presentation today and that his demo was in no way for malicious purposes nor would it retain any data gathered from “owned” phones. His use of ham-radio frequency to carry the GSM signal got around any spectrum violation issues, he said.
He built the IMSI (International Mobile Subscriber Identity) Catcher, a phony GSM tower/base station, for about $1,500 using open-source technology, which he said is "a thousand times" cheaper than a similar commercial device used by providers. Aside from the device, the setup also used two directional antennas, and a Debian laptop running OpenBTS and Asterisk, an open source tool that turns a computer into a voice communications server. He used the device only to intercept and handle outgoing voice calls, which were sent via voice-over-IP, and not incoming calls nor data. SMS messaging would require getting caller ID information, which is difficult to obtain, he said.
“When the phone is looking for a signal, it looks for the strongest tower. This offers the best signal,” Paget said, even though it’s only 25 milliwatts.
The system only intercepts outbound calls, and callers whose phones connected to Paget’s phony tower would get a recorded message when trying to dial out. “When attached to my tower, your phone is [considered] off, so incoming calls go straight to your voicemail,” he said.
Overall, Paget captured anywhere from 17 to 30 phones at a time during the demo, even after configuring the base station to appear as an AT&T tower. The phones automatically defaulted to 2G because Paget’s base station is 2G. The base station could also be configured to disable encryption, he notes, as well as to target specific brands of phones to connect to it.
Paget destroyed the USB key that held any data gathered from the cellphones after the demo, so he didn’t know for sure the total number of phones that connected to it.
In previous tests, Paget found that iPhones most commonly connect to his fake GSM station.
He also discussed methods of speeding up the capture of cellphones during his presentation. The solution, he said, is to move to 3G. “3G and later is the solution … 3G authentication is much better,” Paget said. But that’s no small feat: the conversion would entail upgrading all phones, networks, and towers, he said.
Adding encryption could help protect phones from a malicious GSM interception attack, as well as using VoIP and noticing when the 3G icon is no longer present during a call, he said.
This isn’t the first time Paget has been at the center of controversy over his research. At Black Hat DC in 2007, his talk on cloning HID’s RFID-based proximity cards was pulled from the program at the eleventh hour after the RFID vendor threatened him with a patent lawsuit. “I had no choice,” said Paget, who was a researcher with IOActive at the time. “We were a very small company and we had to pull the talk … they threatened patent litigation, which is extremely expensive and can cost [millions]” even if it turns out the suit has no legs, he said.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
Notes for Forensic Beginners’ Part1
June 5, 2009
Hello All,
I still remember my days 7 years back, when I was very keen on learning and working in computer forensics; however, there were no good resources available for understanding the concepts and practicals.
I am starting this short series for all those who are still struggling to start their career in digital/computer forensics.
However, I won't be covering the basic steps or phases involved in computer forensics and incident response, as there are numerous books available on that, and a Google search will help you a lot.
So, let's start with the NTFS file system:-
Currently it is NTFS v3.1 for XP/2000/2003/Vista.
NTFS: New Technology File System
Trivia: "NTFS" was formerly a registered trademark of Northern Telecom, and you can still find that notice on older CDs for Windows NT 3.5 and 4.0.
Going a bit deeper:
NTFS is built around the records (entries) of the MFT.
$MFT = Master File Table
Each record in the $MFT is 1024 bytes long.
The standard sector size within NTFS is 512 bytes.
The standard cluster size within NTFS is 4096 bytes (8 sectors x 512 bytes).
The MFT is the primary file within the NTFS file system; it points to the locations of all other files on the NTFS-formatted volume.
Within the MFT there are "entries", and each entry contains information about the file it points to. Among other things, an entry includes:
- File name
- File size
- The file's timestamps, known collectively as MACE:
  Modified (written) = M
  Accessed = A
  Created = C
  Entry modified = E
- Location of the file's data
Typically an MFT entry is 1024 bytes in size, or two sectors, and starts with either FILE0 or FILE*, signifying whether the partition was formatted using Windows XP or Windows 2000 respectively.
The first 16 entries within the MFT are reserved.
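To make the record layout above concrete, here is an added example (not part of the original post) that parses one MFT entry in Python: it checks the FILE signature, reads byte 4 to tell a Windows XP record (FILE0) from a Windows 2000 record (FILE*), verifies and undoes the per-sector fixups, flags the reserved first 16 entries, and decodes the MACE timestamps from the $STANDARD_INFORMATION attribute. The 1024-byte record it parses is constructed inline by build_sample_entry(); the function and field names are mine.

```python
"""Parse one NTFS MFT entry: FILE signature, fixups, flags and the MACE timestamps.
Added example; the record parsed below is constructed, not taken from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIZE = 1024                 # one MFT entry = two 512-byte sectors
SECTOR_SIZE = 512
ATTR_STANDARD_INFORMATION = 0x10
ATTR_END = 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(entry):
    """Check the update sequence number stamped at the end of every sector and put the
    original bytes back from the update sequence array. A mismatch means a torn write."""
    data = bytearray(entry)
    usa_offset, usa_count = struct.unpack_from("<HH", data, 4)
    usn = data[usa_offset:usa_offset + 2]
    for i in range(1, usa_count):                     # slot 0 holds the USN itself
        end = i * SECTOR_SIZE - 2
        if data[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        data[end:end + 2] = data[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return data


def parse_mft_entry(entry):
    if len(entry) != ENTRY_SIZE or entry[:4] != b"FILE":
        raise ValueError("not a 1024-byte MFT FILE record")
    # Byte 4 is the fixup-array offset: 0x30 ('0') for XP and later, 0x2A ('*') for
    # Windows 2000, which is why records read as FILE0 or FILE*.
    usa_offset = entry[4]
    data = apply_fixups(entry)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", data, 0x10)
    info = {
        "signature": entry[:5].decode("ascii"),
        "formatted_by": {0x30: "Windows XP or later", 0x2A: "Windows 2000"}.get(usa_offset, "unknown"),
        "sequence_number": seq,
        "hard_links": links,
        "in_use": bool(flags & 0x01),
        "is_directory": bool(flags & 0x02),
    }
    if usa_offset == 0x30:                            # XP-style records carry their own number
        num = struct.unpack_from("<I", data, 0x2C)[0]
        info["record_number"] = num
        info["reserved_system_entry"] = num < 16      # the first 16 entries are reserved
    off = first_attr
    while off + 8 <= ENTRY_SIZE:                      # walk attributes up to the end marker
        atype, alen = struct.unpack_from("<II", data, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_STANDARD_INFORMATION and data[off + 8] == 0:   # resident attribute
            content_off = struct.unpack_from("<H", data, off + 0x14)[0]
            c, m, e, a = struct.unpack_from("<QQQQ", data, off + content_off)
            info["MACE"] = {"M": filetime_to_datetime(m), "A": filetime_to_datetime(a),
                            "C": filetime_to_datetime(c), "E": filetime_to_datetime(e)}
        off += alen
    return info


def build_sample_entry(record_number=16, usn=7):
    """Constructed XP-style entry for one in-use file, fixups written the way NTFS does."""
    utc = lambda *t: datetime(*t, tzinfo=timezone.utc)
    stamps = [datetime_to_filetime(utc(2009, 6, 5, 10, 0, 0)),      # created
              datetime_to_filetime(utc(2009, 6, 5, 12, 30, 0)),     # written (modified)
              datetime_to_filetime(utc(2009, 6, 5, 12, 30, 1)),     # entry modified
              datetime_to_filetime(utc(2009, 6, 6, 8, 15, 0))]      # accessed
    si = struct.pack("<QQQQI", *stamps, 0x20) + bytes(72 - 36)      # 72-byte $STANDARD_INFORMATION
    attr = struct.pack("<IIBBHHHIHBB", ATTR_STANDARD_INFORMATION, 0x18 + len(si),
                       0, 0, 0, 0, 0, len(si), 0x18, 0, 0) + si     # resident attribute header
    body = bytearray(ENTRY_SIZE)
    first_attr = 0x38
    body[:0x2A] = struct.pack("<4sHHQHHHHIIQH", b"FILE", 0x30, 3, 0, 1, 1, first_attr,
                              0x01, first_attr + len(attr) + 8, ENTRY_SIZE, 0, 1)
    struct.pack_into("<I", body, 0x2C, record_number)
    body[first_attr:first_attr + len(attr)] = attr
    struct.pack_into("<I", body, first_attr + len(attr), ATTR_END)
    usa = struct.pack("<H", usn)
    for i in range(1, 3):                 # save each sector's last word, then stamp the USN over it
        end = i * SECTOR_SIZE - 2
        usa += bytes(body[end:end + 2])
        body[end:end + 2] = struct.pack("<H", usn)
    body[0x30:0x36] = usa
    return bytes(body)


if __name__ == "__main__":
    for key, value in parse_mft_entry(build_sample_entry()).items():
        print("%-22s %s" % (key, value))
```

Run against a real $MFT, parse_mft_entry() is applied to each 1024-byte slice in turn; the fixup check is worth keeping because an entry carved from unallocated space with a torn sector will otherwise decode into plausible-looking but wrong timestamps.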
In the next part of this series we will go deeper into the NTFS structure, with reference to the MFT and other records.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K
Restore Point and Forensics
June 4, 2009
Hello All,
Just a quick update on Windows XP Restore Points and their use in forensic investigation:-
Within Windows XP, Windows creates "Restore Points". These restore points are contained in numbered folders at the following location:
\System Volume Information\_restore{GUID}\RP### (### is a sequential number assigned as restore points are created)
Restore points are created when the following conditions are met, or by the following user or system actions:
1>They are created by default every 24 hours within Windows XP and named "System Checkpoint".
2>They are also created before and after the installation of Microsoft Windows Updates or any patches/hotfixes.
3>They are often created whenever a user installs any software or application.
4>And finally, whenever any new hardware change occurs and a device driver installation is performed on the system.
There may be other triggers which I am not fully aware of, or haven't come across.
Now, how can the above help in an ongoing forensic investigation?
Well,
1>Check the system image in question for Event ID 110, which provides evidence that a System Restore was successful; this is very useful after a machine has been seized and is under investigation.
2>Check for the following logs relevant to System Restore: a>RP.LOG, b>CHANGE.LOG, c>FIFO.LOG
CHANGE.LOG is important as it contains the names of files which were renamed, and thus it helps in tracking the files back from the restore point folder.
FIFO.LOG contains the deletion time and the number of the restore point being deleted, "RP###".
Restore points are valid for a 90-day period; it also depends on the amount of disk space available and how System Restore is configured.
System Restore can be disabled by a user or an Administrator.
An Administrator can create a System Restore point manually.
\System Volume Information\_restore{GUID}\RP### is not accessible with the default NTFS permission set, neither to an Administrator nor to a normal user.
There are registry settings for System Restore at:-
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
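As an added example (not from the original post), the Python below indexes a listing of the _restore{GUID}\RP### tree from an image, reports which of the System Restore logs named above each restore point still holds, flags gaps in the RP numbering that should be cross-checked against FIFO.LOG, and pulls the Event ID 110 rows out of an event log exported as CSV. All sample paths and log rows are constructed; the CSV column names are an assumption about the export format, and the binary CHANGE.LOG and FIFO.LOG formats are deliberately not parsed here.

```python
"""Triage Windows XP System Restore artefacts: index RP### folders, find gaps to
cross-check against FIFO.LOG, and pull Event ID 110 rows from an exported event log.
Added example with constructed sample data, not taken from a real image."""
import csv
import io
import re

RP_PATH = re.compile(r"_restore\{[0-9a-f-]+\}[\\/]RP(\d+)(?:[\\/](.+))?$", re.IGNORECASE)
RESTORE_SUCCESS_EVENT_ID = 110                    # "System Restore was successful"
RESTORE_LOGS = ("rp.log", "change.log", "fifo.log")

# Constructed listing of the System Volume Information tree (GUID is made up).
BASE = r"\System Volume Information\_restore{E3D1F2A4-0000-4000-8000-000000000001}"
SAMPLE_PATHS = [
    BASE + r"\RP15\rp.log", BASE + r"\RP15\change.log", BASE + r"\RP15\A0000101.dll",
    BASE + r"\RP16\rp.log",
    BASE + r"\RP18\rp.log", BASE + r"\RP18\change.log",
    BASE + r"\RP19\rp.log",
]
# Constructed event log export; the column layout is an assumption.
SAMPLE_EVENTS = """Date,Time,Source,EventID,Description
2009-06-01,09:12:44,constructed,1000,constructed: unrelated event
2009-06-03,18:40:02,constructed,110,constructed: System Restore was successful
2009-06-04,08:05:19,constructed,110,constructed: System Restore was successful
"""


def index_restore_points(paths):
    """Map restore point number -> lower-cased names of files found inside it."""
    points = {}
    for path in paths:
        m = RP_PATH.search(path)
        if not m:
            continue
        files = points.setdefault(int(m.group(1)), set())
        if m.group(2):
            files.add(m.group(2).lower())
    return points


def missing_restore_points(points):
    """RP numbers absent from an otherwise sequential series: either purged by the
    FIFO logic (look for the RP### and deletion time in FIFO.LOG) or removed otherwise."""
    if not points:
        return []
    lo, hi = min(points), max(points)
    return [n for n in range(lo, hi + 1) if n not in points]


def restore_events(csv_text):
    """Rows of an event log exported as CSV whose EventID is 110."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row["EventID"].strip() == str(RESTORE_SUCCESS_EVENT_ID)]


def triage(paths, csv_text):
    points = index_restore_points(paths)
    return {
        "restore_points": sorted(points),
        "missing": missing_restore_points(points),
        "logs_present": {n: sorted(f for f in files if f in RESTORE_LOGS)
                         for n, files in sorted(points.items())},
        "restore_events": [(r["Date"], r["Time"]) for r in restore_events(csv_text)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_EVENTS).items():
        print("%-16s %s" % (key, value))
```

On a real case the path list comes from the image's file listing (for example a file-system walk of the mounted image), and a gap such as RP17 above is the cue to open FIFO.LOG and confirm whether the point aged out or was removed by hand.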
If you have any other inputs to add, or anything i have missed Please feel free to comment.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K
Can Defeat Forensics upto 50%
June 4, 2009
Hello All,
After a long time, and Yes you read the Title right!!
With the new feature in Windows XP and Windows Vista called SteadyState, if configured properly, with Disk Protection = ON and deletion of the shared profile at restart or logoff configured, there is no way to retrieve any artefacts from a system configured to run with Windows SteadyState,
as there are no modifications within the $MFT, except for the entry within the $MFT itself for the C:\Boot\Bootstat.dat file,
and nothing else changes!!
I am still trying to figure out other possibilities for recovering the Artefacts.
However, as of now, I assume it is almost 50% true to say that the day is not far off when one can hide all traces and artefacts from a system, as technologies like Windows SteadyState advance.
Note:- The system needs to be configured to use a locked profile and deletion of any user data; please refer to the user handbook for Windows SteadyState :-)
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K.
NMAP as a VA tool !!
March 30, 2009
NMAP, a great penetration-testing tool which was once used only for port scanning and enumeration, now has some additional and more powerful features compared to its previous versions, thanks to the newly added NSE (Nmap Scripting Engine), which uses Lua.
The NSE executes scripts in parallel with the ongoing scan. Scripts are written in the embedded Lua programming language.
The NSE scripts can be found under:-
/usr/share/nmap/scripts/
There are currently the following categories:
auth, default, discovery, external, intrusive, malware, safe, version, and vuln.
The above categories can be used together as well, separated by commas:
nmap -v --script=malware,vuln,discovery hostipaddress.com
Some common examples of using NMAP with NSE are as follows:-
To update the script database use: nmap --script-updatedb
nmap -v -sC hostipaddress.com
nmap -v --script=all hostipaddress.com
nmap -v --script=default hostipaddress.com
nmap -v --script=malware hostipaddress.com
There can be many more options, depending upon what exactly you are trying to find out.
However, it will not be long before we see NMAP as a full-blown vulnerability scanner, as powerful as Nessus or more.
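Added example, not from the original post or the Nmap project: once NSE categories such as vuln have been run, the useful next step is to triage the script results rather than read console output. This Python parses nmap's XML report (written with -oX) and lists every script result per host and port, flagging outputs that start with "VULNERABLE" as the vuln-category scripts report them. The XML is a constructed sample; the script ids sample-vuln-check and sample-discovery-check are placeholders, not real NSE scripts, and the "VULNERABLE" prefix check is a heuristic on the output text.

```python
"""Summarise NSE script results from an nmap XML report (-oX).
Added example; the XML below is constructed sample output, not a real scan."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v --script=malware,vuln,discovery -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http"/>
        <script id="http-title" output="Site doesn't have a title."/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
        <script id="sample-vuln-check" output="VULNERABLE:&#10;  constructed finding for the example"/>
      </port>
    </ports>
    <hostscript>
      <script id="sample-discovery-check" output="constructed host-level note"/>
    </hostscript>
  </host>
</nmaprun>
"""


def _record(addr, portid, script):
    output = script.get("output", "")
    return {"host": addr, "port": portid, "script": script.get("id"), "output": output,
            "vulnerable": output.lstrip().startswith("VULNERABLE")}


def parse_script_results(xml_text):
    """One record per NSE result: port-level scripts first, then host-level
    (hostscript) results with port set to None."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            portid = int(port.get("portid"))
            for script in port.findall("script"):
                results.append(_record(addr, portid, script))
        for script in host.findall("hostscript/script"):
            results.append(_record(addr, None, script))
    return results


def summarize(results):
    """Per-host count of script results and the (port, script) pairs that report VULNERABLE."""
    by_host = {}
    for r in results:
        entry = by_host.setdefault(r["host"], {"scripts": 0, "vulnerable": []})
        entry["scripts"] += 1
        if r["vulnerable"]:
            entry["vulnerable"].append((r["port"], r["script"]))
    return by_host


if __name__ == "__main__":
    results = parse_script_results(SAMPLE_XML)
    for r in results:
        flag = "!!" if r["vulnerable"] else "  "
        print("%s %s:%s %s" % (flag, r["host"], r["port"], r["script"]))
    print(summarize(results))
```

For a real run, read the file produced by -oX into xml_text; the summary is what you would feed into a ticketing or diffing step, which is the part a port scanner alone does not give you.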
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
Laser Printer dots raise privacy concerns !!
January 20, 2009
Laser Printer dots raise privacy concerns
Now you can be tracked by your laser printer.
By Thomas Frank, USA TODAY
WASHINGTON — The affordability and growing popularity of color laser printers is raising concerns among civil liberties advocates that your privacy may not be worth the paper you’re printing on.
More manufacturers are outfitting greater numbers of laser printers with technology that leaves microscopic yellow dots on each printed page to identify the printer’s serial number — and ultimately, you, says the San Francisco-based Electronic Frontier Foundation, one of the leading watchdogs of electronic privacy.
The technology has been around for years, but the declining price of laser printers and the increasing number of models with this feature is causing renewed concerns.
The dots, invisible to the naked eye, can be seen using a blue LED light and are used by authorities such as the Secret Service to investigate counterfeit bills made with laser printers, says Lorelei Pagano, director of the Central Bank Counterfeit Deterrence Group.
Privacy advocates worry that the little-known technology could ensnare political dissidents, whistle-blowers or anyone who prints materials that authorities want to track.
“There’s nothing about this technology that limits its application to counterfeit investigations,” says Seth Schoen, a computer programmer with the Electronic Frontier Foundation. “Some people who aren’t doing anything wrong may have their privacy threatened.” Schoen’s tests have found the dots produced by 111 color laser printers made by 13 companies including Xerox, Canon, Hewlett-Packard, Epson and Brother.
The dots are produced only on laser devices and not ink-jet printers, which are most commonly used at home. But laser printers, which produce more durable images, are becoming increasingly popular as their price has dropped to as low as $300, says Angele Boyd, a vice president of IDC Research.
Although laser printers made up only 4% of the 33 million printers sold last year in the USA, their sales have been growing by double digits since 2004, Boyd says.
The technology began as laser printers were first produced in the mid-1980s and governments and banks feared an explosion of counterfeiting, Xerox spokesman Bill McKee says. “In many cases, it is a requirement to do business internationally that the printers are equipped with this technology,” McKee says.
The dots tell authorities the serial number of a printer that made a document. In some cases, it also tells the time and date it was printed, Pagano says. “The Secret Service is the only U.S. body that has the ability to decode the information,” she says.
Printer makers “cooperate with law enforcement” and will tell authorities where a printer was made and sold, McKee says.
The Secret Service uses the dots only to investigate counterfeiting, agency spokesman Ed Donovan says.
Need all your comments.
Thanks
Nitin Kushwaha
CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
Hi all,
Here is something which is really all of The Good, the Bad and the Ugly for developers, IT guys and the forensics community!
Read on!
Application Isolation and DLL Hell
VMware ThinApp (Formerly Thinstall) allows applications to run without any modification to the host PC’s registry or file system. Other applications running on the same PC will not be aware of virtualized applications, so regression testing can be eliminated or drastically reduced.
Much of the cost for application deployment relates to testing new applications against other applications deployments. Some other Virtualization solutions make registry and file system changes virtual to the entire system temporarily or permanently, so regression testing continues to be needed and application roll-outs still have the possibility for breaking other applications on the desktop.
ThinApp enables conflict free installation of any program on any Windows platform. Applications that require DLL or ActiveX components can experience installation and runtime problems due to corrupt computers or locked down administrator rights. ThinApp enables any application to run conflict free regardless of the state of the host computer.
ThinApp benefits include:
- Reduce desktop support costs. When installing commercial software on computers ‘in the wild’, installation conflicts are one of the top 3 issues requiring an expensive support call.
- Eliminate all installation conflicts. With ThinApp, all registry keys, DLLs and third party libraries are packaged into a single, compressed EXE. Other applications, Windows upgrades, or registry key deletions, OS corruptions will not affect a ThinApp packaged application.
- Eliminate the need for administrator rights. Because software is not installed, administrator rights are not required to run a ThinApp packaged application. This is key when running applications in a corporate locked down desktop environment or home computers that don’t know how to access administrator capability. Additionally, OCX and ActiveX components do not need to be registered.
- Run directly from any media. ThinApp packages all code components into a single EXE so that the application can be run directly from a CDROM, USB key, or network, without requiring installation.
- A positive out of the box experience. ThinApp ensures a successful first time end user experience for your product.
Source:- http://www.thinstall.com/solutions/dll_hell.php
http://www.vmware.com/products/thinapp/using.html
Now, if you have read it all, it is time to figure out what exactly "The Good, the Bad and the Ugly" is.
Need all your comments.
Thanks
Nitin Kushwaha
Unlock any Read-only Word Document !
June 1, 2008
All,
Many times we need to make some changes to documents, or even need to fill in some online documents which are in MS Word, and they have read-only protection in place.
So here is how to bypass, or unlock, them.
If you are using Office XP or 2003, you can switch to the HTML code view using Microsoft Script Editor by pressing the [Alt]+[Shift]+[F11] key combination.
Search for "Password", or scroll down until you find something like this:
<w:DocumentProtection>Forms</w:DocumentProtection>
<w:UnprotectPassword>60B9DAE3</w:UnprotectPassword>
To remove the protection:
Just remove those two lines; after saving the document, the protection is gone.
To remove the password:
- Replace the password, here "60B9DAE3", with "00000000", save the document and close Script Editor.
Hope this helps.
Thanks
Nitin Kushwaha