All opinions expressed on this blog are my own and do not reflect those of BIET Jhansi students and employees, staff, or any official whatsoever, colleagues, family or friends. I express my opinions as a free citizen of a democracy exercising my Fundamental Right of speech. The intention of this blog is merely to air my views and opinions (and sometimes, frustration) and is not intended to insult, instigate, disgrace or hurt anyone (body, organisation or institution). Anyone is free to disagree with any or all of my views and can express them here or elsewhere. Any civil dialogue that is not unreasonably hurtful is welcome. I, however, reserve the right to delete any comment without any reason or warning. No content of this blog will in any way be a violation UNDER IPC Sections 506 and 295A. Legal issues, if any, will be restricted to the MEERUT jurisdiction only. This blog/web space is in the process of being copyrighted to safeguard my interests; erstwhile this be considered to be under the Creative Commons commercial INDIA License. This space resorts to politically and ethically correct statements, complying with the spirit of blogging. This is an opinion medium, not a reporting medium and hence should not IN ANY CASE BE TAKEN AS A FUNCTION OF MAINSTREAM MEDIA. The blog complies with the NAAVI guidelines. Thank you, MANOJ SINGH RANA

Saturday, October 3, 2009

SECURE YOURSELF

Black Ice Defender

This is a very user-friendly, comprehensive firewall program. I highly recommend it to both advanced and novice users. It has a simple graphical interface that is easy to understand and pleasing to the eye. It detects your attacker, stops their attack and/or scan, and gives you as much information as is available on the “attacker.”
You can download Black Ice Defender at: http://www.networkice.com



Lockdown 2000

I also recommend Lockdown 2000 as a security measure. Lockdown 2000 also has a very nice graphical interface and is user friendly. It does the same thing Black Ice Defender does but also runs scans on your system for Trojans. It monitors your registry and system files for changes that occur, then gives you the option of either undoing all the changes or allowing them.
You can obtain a copy of Lockdown 2000 from: http://www.lockdown2000.com



What do you do now that you know that someone is attempting to hack into your computer? Before you can do anything you will require some utilities. I recommend getting the following program.

• NetLab

Netlab has a variety of utilities combined into one easy to use application.
You can obtain a copy of Netlab from: http://www.filedudes.lvdi.net/win95/dns/netlab95.html



socks

socks is an IP encapsulation technique that permits TCP connections to use a proxy server to complete a connection. It permits users to conveniently use Internet services across a gateway without being aware that a gateway is being crossed. socksd is frequently used to turn a Unix workstation that has an Internet connection as well as an internal company network connection into a firewall system. As a result, SATAN’s scan of target firewall systems will frequently indicate the presence of a socksd. While no vulnerabilities are currently known to exist in socksd, if properly configured, SATAN’s discovery of socksd can indicate that the system is not just a host connected to the Internet, but a firewall.
If your firewall configuration supports a socks server, you must have socksified clients to take advantage of this service. (An HP-UX–specific socks includes a socksify program that enables you to convert binary versions of network programs.)
The addresses follow:
• socks: ftp://ftp.nec.com/pub/security/socks.cstc
• socks home page: http://www.socks.nec.com
• HP-UX socks: ftp://ftp.cup.hp.com/dist/socks

SYSTEM INTRUSION IN 15 SECONDS

System intrusion in 15 seconds, that’s right, it can be done. If you possess certain security flaws your system can be broken into in less than 15 seconds.
Connect to the Internet using your dial up account if you are on dial up. If you are on dedicated service like High Speed connections (ie, Cable and DSL) then just proceed with the steps below.
• Click Start
• Go to Run
• Click Run (It’s a step by step manual) :-)
• Type Winipcfg
• Hit the Enter Key
This should bring up a window
What you should see under IP address is a number that looks something like this. 207.175.1.1 (The number will be different.)
If you use Dial Up Internet Access then you will find your IP address under PPP adapter. If you have dedicated access you will find your IP address under another adapter name like (PCI Busmaster, SMC Adapter, etc.)

Once you have the IP address write it down, then close that window by clicking (OK) and do the following.
• Click Start
• Go to Run (Click on Run)
• Type command then Click OK
Type the following at the Dos Prompt
• Nbtstat –A IP address
For example: nbtstat –A 207.175.1.1 (Please note that you must type the A in capital letters.)

This will give you a read out
The numbers in the <> are hex code values. What we are interested in is the “Hex Code” number of <20>. A hex code of <20> means you have file and printer sharing turned on.
Once they have encountered a system with sharing turned on the next step would be to find out what is being shared.
This is how: Net view \\
For the hacker to then get access to those folders his next command will be. Net use x: \\\temp
At this point the hacker now has access to the TEMP directory of his victim.

• Netstat –a
This command will give you a listing of everything your computer is communicating with online currently.
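An added example (not part of the original post) that automates the check described above on your own machine: it parses the table that `nbtstat -A` prints and reports whether the `<20>` File Server Service name, i.e. file and printer sharing, is registered on the host. The sample table below is constructed, and the suffix list covers only the common NetBIOS name types.

```python
import re

# Common NetBIOS name suffixes (the 16th byte, printed in <> by nbtstat).
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain/Workgroup name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service (file and printer sharing)",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
}

# One row of the "NetBIOS Remote Machine Name Table": NAME <xx> UNIQUE|GROUP Status
ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)

# Constructed sample of nbtstat -A output from a host with sharing enabled.
SAMPLE_SHARING = """
NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MYPC           <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
MYPC           <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered

MAC Address = 00-00-00-00-00-00
"""

def parse_nbtstat(text):
    """Return (name, suffix, scope, status) tuples for each table row."""
    return [(n, s.upper(), k, st) for n, s, k, st in ROW.findall(text)]

def audit_nbtstat(text):
    """Summarise a name table: host, workgroup, services, and whether <20> is present."""
    rows = parse_nbtstat(text)
    names = {(s, k): n for n, s, k, _ in rows}
    return {
        "host": names.get(("00", "UNIQUE")),
        "workgroup": names.get(("00", "GROUP")),
        # <20> UNIQUE is the Server service: shares are reachable over NetBIOS.
        "file_sharing_exposed": any(s == "20" and k == "UNIQUE" for _, s, k, _ in rows),
        "services": [SUFFIXES.get((s, k), "unknown suffix <%s>" % s) for _, s, k, _ in rows],
    }

if __name__ == "__main__":
    for key, value in audit_nbtstat(SAMPLE_SHARING).items():
        print("%-22s %s" % (key + ":", value))
```

Paste the real output of `nbtstat -A <your IP>` in place of the constructed sample; a `file_sharing_exposed` of True means the Server service is answering and you should disable sharing or block NetBIOS at the firewall.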

There is software available that will show you this information without typing all those commands.
The name of the software is called Xnetstat, you can obtain a copy of it from here: http://www.arez.com/fs/xns/.

ANONYMOUS SURFING

There are some people who think that one should be allowed to surf the Internet totally anonymously. An example of these people is Anonymizer.com (www.anonymizer.com). Anonymizer.com allows you to enter a URL into a text box. It then proxies all connections to the specified destination. Anonymizer claims that they only keep hashes (one-way encryption, cannot be reversed) of logs. According to documentation on the Anonymizer website there is no way that even they can determine your source IP. Surfing to Hotmail via Anonymizer thus changes the IP address in the mail header.
Another way of tackling the problem is anonymous remailers. These mailservers will change your source IP, your field and might relay the mail with a random delay. In many cases these remailers are daisy-chained together in a random pattern. The problem with remailers is that many of them do keep logs of incoming connections. Choosing the initial remailer can become an art. Remailers usually have to provide logfiles at the request of the local government. The country of origin of the remailer is thus very important, as cyberlaw differs from country to country. A good summary of remailers (complete with listings of remailers) can be found at www.cs.berkeley.edu/~raph/remailer-list.html.

Yet another way is to make use of servers that provide free Unix shell accounts. You can telnet directly to these servers (some provide SSH (encrypted shell) access as well). Most of the free shell providers also provide email facilities, but limit shell capabilities, e.g. you can't telnet from the free shell server to another server. In 99% of the cases connections are logged, and logs are kept in backup. A website that lists most free shell providers is to be found at www.leftfoot.com/freeshells.html

How do we combine all of the above to send email anonymously? Consider this: I SSH (freeshell server provider) to a freeshell server. I therefore bypass the transparent proxies, and my communication to the server is encrypted and thus invisible to people who might be sniffing my network (locally or anywhere). I use lynx (a text-based web browser) to connect to an Anonymizer service. From the Anonymizer I connect to a free email service. I might also consider a remailer located somewhere in Finland. 100% safe?
Even when using all of above measures I cannot be 100% sure that I cannot be traced. In most cases logs are kept of every move you make. Daisy chaining and hopping between sites and servers does make it hard to be traced, but not impossible.

Other techniques
1. The cybercafe is your friend! Although cybercafes are stepping up their security measures it is still relatively easy to walk into a cybercafe without any form of identification. Sit down, and surf to hotmail.com; no one would notice, as everyone else is doing exactly the same thing. Compose your email and walk out. Do not become a regular! Never visit the scene of the crime again. When indulging in other activities such as telnetting to servers or doing a full-blast hack, cybercafes should be avoided, as your activity can raise suspicion with the administrators.
2. Search for proxy-like services. Here I am referring to things like WinGate servers. WinGate server runs on a Microsoft platform and is used as a proxy server for a small network (read SOHO environment with a dial-up link). In many cases these servers are not configured correctly and will allow anyone to proxy/relay via them. These servers do not keep any logs by default. Hopping via WinGate servers is so popular that lists of active WinGates are published (www.cyberarmy.com/lists/wingate/).
3. With some experience you can hop via open routers. Finding open routers is very easy; many routers on the Internet are configured with default passwords (a list of default passwords is to be found at www.nerdnet.com/security/index.php). Doing a host scan with port 23 (later more on this) in a "router subnet" would quickly reveal valid candidates. In most cases these routers are not configured to log incoming connections, and provide excellent stepping-stones to freeshell servers. You might also consider daisy-chaining them together for maximum protection.
4. Change the communication medium. Connect to an X.25 PAD via a XXX service. Find the DTE of a dial-out X.25 PAD. Dial back to your local service provider. Your telephone call now originates from e.g. Sweden. Confused? See the section on X.25 hacking later in the document. The exact same principle can be applied using open routers (see point 3). Some open routers listen on high ports (typically 2001, 3001, X001) and drop you directly into the AT command set of a dial-out modem. Get creative.

HOW TO GET ANY WINDOWS PASSWORD

This works whether it's Windows 2000 or Windows XP or Windows XP SP1 or SP2 or Windows Server 2003.
This works even if syskey encryption is employed.

The SAM file is a file called SAM with no extension.

If it is NTFS:
Download a program called NTFSPro. It allows you to read from NTFS drives; the demo version allows read only, the full version is read-write. You use the program to create an unbootable disk (so you will still need another bootable disk and an empty disk) that has the required files to access NTFS.
Use the boot disk to get into DOS, then use the disks created with NTFSPro to be able to access the filesystem, then copy the SAM and SYSTEM files to another empty disk.

You have to get a program called SAMInside. It doesn't matter if it is the demo version. SAMInside will open the SAM file and extract all the user account information and their passwords, including administrator. SAMInside will ask for the SYSTEM file too if the computer you took the SAM file from has syskey enabled. Syskey encrypts the SAM file; SAMInside uses the SYSTEM file to decrypt the SAM file. After SAMInside finishes, you will see user accounts and hashes beside them. The hashes are the encoded passwords. Use SAMInside to export the accounts and their hashes as a pwdump file into another program, called L0phtCrack. It is currently in version 5, named LC5. The previous version, LC4, is just as good. You need the full or cracked version of the program. LC5 uses a brute-force method, trying all possible combinations of letters, numbers and unprintable characters to find the correct password from the hashes in the pwdump file imported into it from SAMInside. This process of trying all passwords might take 5 minutes if the password is easy, up to a year if the password is long and hard (really, really hard). LC5, however, unlike LC4, is almost 100 times faster. Both can be configured to try dictionary and common words before using all possible combinations of everything. Once the correct password is found, it will display the passwords in clear beside each account, including administrator.
LC4 usually took between 1 second and 10 minutes to find the passwords because they were common words found in any English dictionary.

Programs needed:
• SAMInside (doesn't matter which version or if demo)
• LC4 or LC5 (L0phtCrack) (must be full version)
• NTFSPro (doesn't matter if demo)
• any bootdisk maker