Showing posts with label Hacking and Security. Show all posts

Saturday, 6 September 2014

THE BEST HACKING RESOURCES

Security Links

A totally HUGE security archive http://neworder.box.sk/
THE best security forums http://www.security-forums.com/
Current and archived exploits http://www.securiteam.com/exploits/
'Underground' search engine http://www.warez.com/
Default login for all sorts of devices http://www.governmentsecurity.org
One of the top mainstream security sites http://www.securityfocus.com/
TESO Computer security http://teso.scene.at/
Asian security group, lots of advisories http://www.shadowpenguin.org/
w00w00 Security development http://www.w00w00.org/
USSR a strong security group http://www.ussrback.com/
Good all around security site http://www.packetstormsecurity.nl
Exploits, backdoors, Trojans and more http://www.tlsecurity.net
SANS Security Institute with articles on EVERYTHING http://www.sans.org/
A Fairly immense WWW security FAQ http://www.w3.org/Security/Faq/
Computer Security Encyclopedia http://www.itsecurity.com/
Java Security information http://java.sun.com/security/
Help Net Security http://www.net-security.org/
Security Search Engine http://searchsecurity.techtarget.com/
Free BSD security information http://www.freebsd.org/security/
Netscape security information http://home.netscape.com/security/
Linux security community centre http://www.linuxsecurity.com/
Dutch Security Information Network http://www.dsinet.org/
Network Security Library http://secinf.net/
Infamous happy hacker http://www.happyhacker.org/
A once great site from a white hat hacker http://www.antionline.com/
Infosec papers and articles http://www.infosecwriters.com/
Security/privacy/crypto software archive http://www.wiretapped.net/
ISB - Info Sec Bible http://www.securityflaw.com/bible
Security tools http://foundstone.com/

Privacy and Anonymity

All about privacy http://www.privacy.net
Anonymity, privacy and security http://www.stack.nl/~galactus/remailers/
Free, anonymous web surfing http://www.anonymizer.com/
IDSecure service http://www.idzap.com/
News, information and action http://www.privacy.org/
Sam Spade Tools http://www.samspade.org/t/
International PGP homepage http://www.pgpi.org
Encryptable web-mail http://www.hushmail.com/
Anonymity software http://www.skuz.net/potatoware/
Anonymous access http://www.safeproxy.org/
A list of web anonymisers http://mikhed.narod.ru/

Cryptography & Encryption

Cryptography Archives http://www.kremlinencrypt.com/
DriveCrypt http://www.e4m.net/
Cryptography resource http://www.crypto.com/
Bruce Schneier's operation http://www.counterpane.com/
Huge Crypto archive http://www.cryptome.org
A list of Crypto links http://www.security-forums.com/crypto
Source: http://www.darknet.org.uk/

Viruses /Trojans & Firewalls

Up to date Trojan archive http://www.trojanforge.net/
Fearless, everything Trojan http://www.areyoufearless.com/
A good archive with info on each one http://www.dark-e.com
(I'm a moron)'s official Home Page http://www.(I'm a moron).net/
The BO2k project http://bo2k.sourceforge.net/
Another comprehensive Trojan archive http://www.tlsecurity.net/amt.htm
Home of BackOrifice http://www.cultdeadcow.com/
Huge Trojan removal database http://www.anti-trojan.org/
Excellent Anti-Viral software and Virii Database http://www.sophos.com/
Mcafee's Searchable Virus Information Library http://vil.mcafee.com/

Virus Writing

Nice find Strader...

Excellent virus news and info http://www.antivirus-online.de/english/
The ULTIMATE IPTables resource http://www.linuxguruz.org/iptables/

Programming

Scripts, Source and Books http://www.scriptsearch.com/
Java & Internet Glossary http://www.mindprod.com/jgloss.html
Java homepage http://java.sun.com/
Absolute Java FAQ http://www.javafaq.nu/
JavaScript Resource http://www.javascript.com
JavaScripts,tutorials & references http://javascript.internet.com/
PostgreSQL home http://www.postgresql.org/
PHP from hotscripts http://www.hotscripts.com/PHP/
PHP resource index http://php.resourceindex.com/
PHP Developer resources http://www.phpbuilder.com/
Building dynamic sites with PHP http://www.phpwizard.net
PHP Developer network http://www.evilwalrus.com/
ASP Codes and techniques http://www.asptoday.com/
ASP, HTML, SQL and more http://www.w3schools.com/
Think ASP think... http://www.4guysfromrolla.com/
ASP developers site http://haneng.com/
Old school PERL programming http://www.cgi101.com/
Windows programming tools http://www.programmerstools.org/
Python homepage http://www.python.org/
Object Oriented Programming http://www.oopweb.com/
Dev-X XML zone http://www.devx.com/xml/
Loads of tutorials http://www.echoecho.com
Plenty of Web Development scripts http://www.hotscripts.com
The definitive Assembly resource http://webster.cs.ucr.edu/ASM

'Legal' Hacking

Hack3r/Roothack http://roothack.org/

News Groups

A great source of information, discussion and answers to questions, depending on how you put them:
alt.hacking.
alt.binaries.hacking.beginner.
alt.computer.security.
alt.security.
alt.os.security.
alt.security.pgp.
alt.security.pgp.patches.
comp.os.linux.security.
comp.os.ms-windows.nt.admin.security.
comp.security.unix.
comp.security.pgp.backdoors.
microsoft.public.security.
microsoft.public.sqlserver.security.
microsoft.public.win2000.security.

Tools, Google it:

THE ultimate port scanner nmap.
The one and only NT password cracker L0phtcrack.
Get the latest version of john the ripper.
Windows process listener Inzider.
The best packet assembler/analyzer hping.
Hackers swiss army knife netcat.
A tool for network monitoring and data acquisition TCPDump.
The ONLY packet sniffer Ethereal.
An active reconnaissance network security tool Firewalk.
Grep your network traffic NGrep.
NIDS tester from NIDSbench fragrouter.
The best OS fingerprinter Xprobe.
Port mapper fport.
File Integrity checker Tripwire.
Check for rootkits chkrootkit.
OSS intrusion detection Snort.
Security Scanner Nessus.
TCP/IP Toolkit Paketto.

Nice find Strader........

"don't do anything illegal"


Practice:


Programs, applications and other needed tools

Browsers


Anti Virus programs Free

Free antivirus listing page http://www.freebyte.com/antivirus/
Anti Trojan applications - http://www.emsisoft.com/en/software/free/

Firewalls free


Test sites for firewall security

Gibson Research Corporation http://www.grc.com/default.htm

Misc. sites that have been posted over the years

How to read NETSTAT Dshield Distributed Intrusion Detection System -http://www.dshield.org/index.php
Hackers watch - http://www.hackerwatch.org/
Hacking text files (older stuff but still useful ) - http://www.textfiles.com/hacking/INTERNET/
Secunia Security pages virus alerts and such - http://secunia.com/

Anti spyware apps

Here are some tools posted by my friend Splabster (thank you for taking the time to type those tools):

General System & Network Probing:


Enumerating & Compromising Windows

Ldp LDAP query tool available in the windows 2000 server cd-rom

Ettercap address above


Enumerating & Compromising UNIX

Netcat
Zebedee
Desproxy
Ettercap
John
Brutus
Hydra
VNCcrack
SQLdict

Enumerating & Compromising Novell


Enumerating & Compromising Wireless


General System & Network Vulnerability Checking


System Forensics Tools


Web Hacking tools


Remote Command Shell/Remote Access Trojans/Rootkits

(I'm a moron) Trojan http://(I'm a moron).net/

Miscellaneous Tools


Secure hard disk wiping and deletion 


Host Lockdown/Protection/Assessment Tools

UNIX/Windows/router assessment tools http://www.cisecurity.org/
Secure Remote Password http://srp.stanford.edu/




Tuesday, 27 May 2014

Registry Hack: Get Windows XP Security Updates until 2019

Microsoft officially ended its support for Windows XP more than a month ago, on April 8, 2014. This led a large number of users to switch to the latest version of Windows, but a wide portion of users are still using Microsoft's oldest and most widely used operating system, despite not receiving security updates.
Some companies and organizations that were not able to migrate their systems running Windows XP to another operating system before the support phase ended are still receiving updates by paying Microsoft for the security patches and updates.
Now a relatively simple method has emerged as a trick for XP users, which makes it possible to receive Windows XP security updates for the next five years, i.e. until April 2019.

It makes use of updates for Windows Embedded POSReady 2009, which is based on Windows XP Service Pack 3, because the security updates being released for POSReady 2009 are inevitably the same updates Microsoft would have rolled out for Windows XP if it were still supporting the XP operating system.

Windows Embedded POSReady 2009 is the operating system installed in "point-of-sale" (POS) systems such as restaurant machines, ticket machines or other customized versions of Windows Embedded systems. POS machines most likely use the XP operating system and therefore receive the same updates that Microsoft would deliver for the officially unsupported version of Windows XP.

You are not allowed to install these Windows updates directly on your OS. In order to download new security updates for your Windows XP, you need to make a simple change to the Windows registry.

STEPS TO FOLLOW:

Open Notepad and create a new file. Add the code given below to it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

Save the file with a .reg extension and run it by double-clicking.
Once executed, you will find lots of pending updates in your Windows Action Center.
Because the extended support for Windows Embedded POSReady 2009 systems ends after 5 years, Microsoft will continue to deliver new security updates and patches for this version of its embedded operating system till April 9th, 2019, so users can use this trick to get security updates of Windows XP for another five years.


Important Note for our Readers - Despite receiving security updates for Windows XP by using such tricks, it is not possible to secure the complete system appropriately. So we highly recommend all of you to upgrade your operating system to the latest versions, i.e. Windows 7 or 8 or any Linux Distro.

Tuesday, 31 January 2012

AN INTRODUCTION TO RATS - REMOTE ADMINISTRATION TOOLS


WHAT'S A TROJAN HORSE

A TROJAN IS A MALICIOUS PROGRAM OR PIECE OF CODE THAT IS USED TO GAIN UNAUTHORIZED REMOTE ACCESS TO A TARGET (VICTIM'S) COMPUTER AND THEN ATTACK IT, CAUSING DAMAGE TO THE SYSTEM. A TROJAN IS SMALL CODE HIDDEN INSIDE ANOTHER PROGRAM, WHICH IS WHY IT EASILY ENTERS A SYSTEM WITHOUT THE KNOWLEDGE OF THE COMPUTER USER. THE TERM IS DERIVED FROM THE TROJAN HORSE STORY IN GREEK MYTHOLOGY.


IN THE 12TH CENTURY B.C., GREECE DECLARED WAR ON THE CITY OF TROY. THE DISPUTE ERUPTED WHEN THE PRINCE OF TROY ABDUCTED THE QUEEN OF SPARTA AND DECLARED THAT HE WANTED TO MAKE HER HIS WIFE, WHICH MADE THE GREEKS AND ESPECIALLY THE QUEEN OF SPARTA QUITE FURIOUS.

THE GREEKS GAVE CHASE AND ENGAGED TROY IN A 10-YEAR WAR, BUT UNFORTUNATELY FOR THEM, ALL OF THEIR EFFORTS WENT DOWN THE DRAIN. TROY WAS SIMPLY TOO WELL FORTIFIED.

IN A LAST EFFORT, THE GREEK ARMY PRETENDED TO BE RETREATING, LEAVING BEHIND A HUGE WOODEN HORSE. THE PEOPLE OF TROY SAW THE HORSE, AND, THINKING IT WAS SOME KIND OF A PRESENT FROM THE GREEKS, PULLED THE HORSE INTO THEIR CITY, WITHOUT KNOWING THAT THE FINEST SOLDIERS OF GREECE WERE SITTING INSIDE IT, SINCE THE HORSE WAS HOLLOW.

UNDER THE COVER OF NIGHT, THE SOLDIERS SNUCK OUT AND OPENED THE GATES OF THE CITY, AND LATER, TOGETHER WITH THE REST OF THE ARMY, KILLED THE ENTIRE ARMY OF TROY.

THIS IS WHY SUCH A PROGRAM IS CALLED A TROJAN HORSE - IT PRETENDS TO DO SOMETHING WHILE IT DOES SOMETHING COMPLETELY DIFFERENT, OR DOES WHAT IT IS SUPPOSED TO DO AND HIDES ITS MALICIOUS ACTIONS FROM THE USER'S PRYING EYES.

THERE ARE MANY TYPES OF TROJAN HORSE. SOME OF THE COMMON ONES ARE AS FOLLOWS:

·         RATS (REMOTE ADMINISTRATION TOOLS)
·         PRIVILEGE-ELEVATING TROJANS
·         DENIAL OF SERVICE (DOS)
·         FILE SENDING TROJANS (FTP TROJAN)
·         DESTRUCTIVE TROJANS
 AND MANY MORE.


RATS - REMOTE ADMINISTRATION TOOLS
A REMOTE ADMINISTRATION TOOL, ALSO KNOWN AS A RAT, IS USED TO REMOTELY CONNECT TO AND MANAGE SINGLE OR MULTIPLE COMPUTERS. A RAT IS ONE OF THE MOST DANGEROUS TROJANS BECAUSE IT COMBINES FEATURES OF ALL TYPES OF TROJANS. IT PROVIDES AN ATTACKER WITH NEARLY UNLIMITED ACCESS TO THE HOST COMPUTER. THE FOLLOWING ARE SOME OF THE COMMON FEATURES FOUND IN A RAT (REMOTE ADMINISTRATION TOOL):

·         SCREEN/CAMERA CAPTURE OR CONTROL
·         FILE MANAGEMENT (DOWNLOAD/UPLOAD/EXECUTE/ETC.)
·         SHELL CONTROL (USUALLY PIPED FROM COMMAND PROMPT)
·         COMPUTER CONTROL (POWER OFF/ON/LOG OFF)
·         REGISTRY MANAGEMENT (QUERY/ADD/DELETE/MODIFY)
·         OTHER PRODUCT-SPECIFIC FUNCTION

HOW RATS WORK
REMOTE ADMINISTRATION TROJANS OPEN A PORT ON YOUR COMPUTER AND BIND THEMSELVES TO IT (MAKE THE SERVER FILE LISTEN TO INCOMING CONNECTIONS AND DATA GOING THROUGH THESE PORTS). THEN, ONCE SOMEONE RUNS HIS CLIENT PROGRAM AND ENTERS THE VICTIM'S IP, THE TROJAN STARTS RECEIVING COMMANDS FROM THE ATTACKER AND RUNS THEM ON THE VICTIM'S COMPUTER.

SOME TROJANS LET YOU CHANGE THIS PORT TO ANY OTHER PORT AND ALSO SET A PASSWORD SO THAT ONLY THE PERSON WHO INFECTED THIS SPECIFIC COMPUTER WILL BE ABLE TO USE THE TROJAN. HOWEVER, SOME OF THESE PASSWORD PROTECTIONS CAN BE CRACKED DUE TO BUGS IN THE TROJAN (PEOPLE WHO PROGRAM RATS USUALLY DON'T HAVE MUCH KNOWLEDGE IN THE FIELD OF PROGRAMMING), AND IN SOME CASES THE CREATOR OF THE TROJAN WOULD ALSO PUT A BACKDOOR (WHICH CAN SOMETIMES BE DETECTED, UNDER CERTAIN CONDITIONS) WITHIN THE SERVER FILE ITSELF SO HE'LL BE ABLE TO ACCESS ANY COMPUTER RUNNING HIS TROJAN WITHOUT THE NEED TO ENTER A PASSWORD. THIS IS CALLED "A BACKDOOR WITHIN A BACKDOOR".
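Because the listening port can be changed, a defender gets more from comparing a host's listeners against an expected baseline than from a list of known trojan ports. The following is an added example, not part of the original post: it parses `netstat -ano` output and reports listeners outside the baseline, plus any remote peers connected to them. The sample output, the baseline and port 5110 are constructed for illustration.

```python
# Constructed `netstat -ano` output from a Windows host (sample data, not from the post).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5110           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1608
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49212     198.51.100.10:443      ESTABLISHED     2456
  TCP    192.168.1.20:5110      203.0.113.7:51844      ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    972
"""

# Assumed baseline: listeners this host is expected to expose (hypothetical values).
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 500)}
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_netstat(text):
    """Turn `netstat -ano` text into one dict per TCP/UDP socket."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local, foreign = fields[:3]
        if proto == "TCP":
            if len(fields) < 5:
                continue
            state, pid = fields[3], fields[4]
        else:
            state, pid = "BOUND", fields[3]  # UDP rows have no State column
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def unexpected_listeners(rows, baseline=BASELINE):
    """Listening sockets reachable from the network that are not in the baseline."""
    return [r for r in rows
            if r["state"] in ("LISTENING", "BOUND")
            and not r["addr"].startswith(LOOPBACK_PREFIXES)
            and (r["proto"], r["port"]) not in baseline]


def sessions_on(rows, listeners):
    """Established connections that terminate on one of the flagged listeners."""
    keys = {(l["proto"], l["port"], l["pid"]) for l in listeners}
    return [r for r in rows
            if r["state"] == "ESTABLISHED"
            and (r["proto"], r["port"], r["pid"]) in keys]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    flagged = unexpected_listeners(rows)
    for l in flagged:
        print(f"unexpected listener {l['proto']}/{l['port']} owned by PID {l['pid']}")
    for s in sessions_on(rows, flagged):
        print(f"  remote peer {s['foreign']} connected to port {s['port']}")
```

The PID column lets the flagged port be tied back to the owning process with the task list before deciding whether the listener is legitimate.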


ARE RATS ILLEGAL?
WELL, IT IS ACTUALLY BOTH. THERE ARE RATS THAT ARE LEGAL AND RATS THAT ARE ILLEGAL. THE DIFFERENCE BETWEEN THEM IS THAT LEGAL RATS INFORM THE CONNECTED REMOTE THAT YOU ARE ON THE COMPUTER, AND ILLEGAL RATS DO NOT INFORM THE REMOTE THAT YOU ARE ON THE COMPUTER.

LEGAL :- 
LEGAL MEANS THE PERSON HAS FULL CONTROL AS WELL, THEY CAN KILL THE CONNECTION ANY TIME THEY PLEASE, NO BACKDOOR IS LEFT ON THEIR PC, AND IT IS IN YOUR NETWORK.

ILLEGAL:-
ILLEGAL MEANS THE PERSON DOES NOT KNOW YOU ARE CONNECTED AND HAS NO KNOWLEDGE THAT YOU ARE UNTIL YOU TAKE ACTION. THEY HAVE NO CONTROL TO KILL THE CONNECTION (UNLESS THEY UNPLUG THE INTERNET), BUT EVEN THEN, A BACKDOOR IS LEFT ON THE COMPUTER, MEANING ANYTIME THE COMPUTER IS ON AND THE INTERNET IS UP, YOU CAN CONNECT ANYTIME YOU WANT. YOU CAN DESTROY FILES, DOWNLOAD FILES, STEAL INFORMATION, BASICALLY MAKE THEIR LIFE MISERABLE.


How to Use Your Webcam as a Surveillance Camera

Using some software, you can turn your web camera into a spy or surveillance camera. Here I give you some software links.


Rise Sun (Completely Free Software)
  • Adjustable Motion Detection Sensitivity
  • Adjustable Webcam Performance
  • Automatically takes a snapshot when movement is detected
  • Automatically logs a record when movement is detected
  • Automatically sounds an audible alarm when movement is detected
  • Automatically displays a silent message when movement is detected

Download: http://www.reohix.com/risesun.htm

TeboWeb (Freeware)

  • Set the sensitivity of movement detection.
  • Detect motion within or outside a specified area.
  • Receive emails with images of any movement detected.
  • Publish movement images to your website.
  • Publish webcam images at regular intervals.
  • Timestamp your images (choice of colours and position within image)
  • Graph of movement over time (with calendar facility).
  • Start movement detection at a specified time.
  • Command line startup options.
  • Save your individual settings to different profiles.
  • Receive notification of new versions as they become available.
  • New versions autoinstall on one mouseclick (so you only need to install TeboCam once).

Download: http://www.teboweb.com/TeboWebDownload.html

Saturday, 26 November 2011

PROXY CHAINING USAGE - BE ANONYMOUS ONLINE



  • THIS TUTORIAL HAS BEEN WRITTEN TO SHOW YOU HOW YOU CAN USE THE INTERNET WHILE HIDING YOUR IP ADDRESS AND STAYING ANONYMOUS BY USING A PROXY.
  • WHAT IS PROXY CHAINING AND WHAT IS THE PURPOSE OF IT?
    A PROXY IS AN IP ADDRESS OF A SERVER (PROXY SERVER) THAT IS PLACED BETWEEN YOUR COMPUTER AND THE INTERNET.

  • THE ADVANTAGE OF A PROXY IS THAT YOUR REAL IP ADDRESS IS HIDDEN, SO WHEN YOU HACK ANY SYSTEM YOU ARE GIVING THE IP ADDRESS OF THE PROXY SERVER AND NOT YOUR REAL IP ADDRESS. IN THE SAME WAY, IF YOU ARE A NORMAL INTERNET USER, THE HACKER WON'T GET YOUR REAL IP BUT THE IP OF THE PROXY SERVER.
PROXY CHAINING:
  • PROXY CHAINING IS BASICALLY THE IDEA OF USING MORE THAN ONE PROXY TO CONNECT TO THE INTERNET. THE MAIN USE OF PROXY CHAINING IS TO HIDE YOUR IDENTITY. YOU CAN CONNECT TO AS MANY PROXIES AS YOU WANT. THE MORE YOU CONNECT, THE MORE ANONYMOUS YOU WILL BE. PROXY CHAINS MAKE IT VERY DIFFICULT TO TRACE BACK TO YOU.

  • E.G.: LET'S TAKE A PROXY CHAIN WHICH PASSES THROUGH VARIOUS COUNTRIES
           <----------- PROXIES ----------->
YOUR PC -> INDIA -> USA -> CHINA -> UK -> WEB SITE

  • IT IS VERY DIFFICULT TO TRACE BACK SUCH PROXIES SINCE THE CHAIN PASSES THROUGH VARIOUS COUNTRIES. THUS PROXY CHAINING IS GENERALLY A TECHNIQUE USED BY HACKERS TO HIDE THEIR IDENTITY ONLINE. THAT BEING SAID, IT IS NOT IMPOSSIBLE TO TRACE PROXY CHAINS, BUT IT STILL MAKES IT HARD TO FIND THE ORIGINAL IP ADDRESS.

THERE ARE MANY TUTORIALS AVAILABLE FOR PROXY CHAINS ON YOUTUBE.

THANK YOU
D.B.V  RUTHWIZ


Friday, 28 October 2011

Windows 7 exploit via hosted network, a security threat to enterprises


Windows 7 boasts of a new feature known as the wireless hosted network, available on all Windows 7 and Windows Server 2008 R2 systems with an installed wireless LAN. The MSDN developer resource documentation for hosted networks can be read here.
With the hosted network feature, using a single Wi-Fi adapter on a Windows 7 machine, a software-based access point (AP) can be created by virtualizing the physical adapter, making it possible to host multiple interfaces on the same physical adapter. The hosted network works with all wireless cards that are Windows 7 ready, with no extra installation.


Figure 1: Active hosted network and client interface
In a hosted network setup, one interface would be designated as the regular client interface, and the second as a software-based access point. The device can operate in both modes simultaneously (access point as well as client). One obvious advantage of this hosted network setup is Internet connection sharing (ICS) through Wi-Fi. Windows 7 systems can thus effectively act as Wi-Fi relays or share connectivity from a wired interface. While this is a legitimate feature, it has the potential of becoming a Windows 7 exploit.


Figure 2: Airodump-ng monitoring for available networks
To study this scenario we shall use the following setup: a Windows 7 PC with a built-in or external Wi-Fi adaptor, a Wi-Fi adaptor with packet injection capability, and Backtrack 5 running in VirtualBox. This demo is conducted using a Windows 7 system that is up to date as of August 2011. We will monitor the air using a utility called airodump-ng.
We first connect to a regular AP and create a soft AP or hosted network on the same Windows 7 machine by issuing the following command:
netsh wlan set hostednetwork mode=allow ssid="YourHostedNetwork" key=YourHostedNetworkKey
A soft AP under Windows 7 must be at least WPA2 PSK secured. The hosted network needs to be explicitly enabled by issuing the following command:
netsh wlan start hostednetwork
The hosted network can be disabled by substituting ‘start’ in the previous command with ‘stop’. Note that the client connection to the client network “OfficeNetworkAP” is still up (Figure 1). Secondly, unlike regular wireless connections that are reported via a blurb, the OS gives no indication whatsoever that a network profile has been created or that a hosted network is up and running.

Figure 3: Virtual interface created under network connections
Airodump-ng shows that the hosted network is up and running in conjunction with the active client interface (Figure 2). This simultaneous functioning is the most important aspect of this feature, but adds to the exploitability of Windows 7, since the lack of any warning/blurb coupled with the fact that there is no loss of connectivity means that the user would be completely unaware of what is happening. All that is needed is shell access to the system to turn the hosted network feature on.
Note that the hosted network is started on the same channel as the client device. This is because the Wi-Fi adapter has only one radio interface, which enables it to tune into one channel at a time. It might be possible to multiplex between two channels at a very fast rate, akin to multi-processing with a single CPU. This adversely affects factors like switching-time and throughput.
Since the hosted network ships with its own DHCP server, as soon as a network is available one can connect and get assigned a DHCP generated IP. No alerts are received even when a device connects to a hosted network.


The key take-away from this exercise is that the client aspect of the device is totally unaffected by the soft AP aspect of the same device. The only indication of a hosted network could possibly be the creation of a virtual wireless miniport interface that handles the soft AP portion of the hosted network (Figure 3). This is passive at best, considering the user would not be prompted. This is possibly because the user is expected to explicitly enable the hosted network. It becomes a problem when a system gets targeted. This feature thus becomes a Windows 7 exploit.
From the perspective of a malware author, there are full-blown APIs to do all this. If an attacker is able to activate the soft AP and install a backdoor on the system, this Windows 7 exploit will enable complete remote access, and rogue APs can be created. Each node has a client and AP functionality, and is a potential Wi-Fi repeater. Nodes can be daisy chained by hopping from one machine to another once one machine is compromised. Rogue APs are the bane of every network administrator; considerable effort goes into finding and protecting against them.
Since the attacker connects to the victim over a private wireless network when used as a Windows 7 exploit, there are no wired-side network logs for firewall, IPS or IDS. As a Windows 7 exploit, this is difficult to detect even during an ongoing attack. The stealth factor could be further increased with tools such as Metasploit.
If the attacker can obtain the network key for a corporate network from the victim — this is possible since WPA2-PSK keys can be decrypted — the hosted network feature can also be used to impersonate the legitimate AP with this Windows 7 exploit to lure other Windows 7 systems into connecting to the compromised system. Since this is an abuse of a legitimate feature, a worm using this Windows 7 exploit to propagate over a private Wi-Fi network will not be detected by anti-virus or anti-malware programs.
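Since the OS raises no alert when a hosted network is created or started, an administrator has to ask each host for its state. The following is an added example, not part of the original article: it classifies the output of `netsh wlan show hostednetwork` collected from endpoints. The three sample outputs are constructed, and their field labels are an assumption that can vary by Windows version and display language.

```python
import re

# Constructed samples modelled on `netsh wlan show hostednetwork` output; field
# labels are an assumption and can differ by Windows version and display language.
STARTED = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "YourHostedNetwork"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:00:5e:10:20:30
    Radio type             : 802.11n
    Channel                : 6
    Number of clients connected : 1
        aa:bb:cc:dd:ee:ff        Authenticated
"""
ALLOWED_IDLE = """\
    Mode                   : Allowed
    SSID name              : "YourHostedNetwork"
    Status                 : Not started
"""
DISALLOWED = """\
    Mode                   : Disallowed
    Settings               : <Not configured>
    Status                 : Not available
"""

# A connected-client row starts with a MAC address instead of a "label : value" pair.
CLIENT_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+\S+")


def parse_hostednetwork(text):
    """Return (fields, clients): 'label : value' pairs and associated client MACs."""
    fields, clients = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        mac = CLIENT_LINE.match(line)
        if mac:
            clients.append(mac.group(1).lower())
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip().strip('"')
    return fields, clients


def assess(text):
    """Classify one host: 'alert' (soft AP running), 'review' (allowed), or 'ok'."""
    fields, clients = parse_hostednetwork(text)
    findings = []
    if fields.get("status", "").lower() == "started":
        findings.append(f"soft AP up: SSID {fields.get('ssid name')!r}, "
                        f"channel {fields.get('channel')}")
        if clients:
            findings.append("associated clients: " + ", ".join(clients))
        return "alert", findings
    if fields.get("mode", "").lower() == "allowed":
        findings.append("hosted network allowed but idle; "
                        "disable with: netsh wlan set hostednetwork mode=disallow")
        return "review", findings
    return "ok", findings


if __name__ == "__main__":
    for name, sample in [("started", STARTED), ("idle", ALLOWED_IDLE), ("off", DISALLOWED)]:
        print(name, *assess(sample))
```

On hosts that have no business need for the feature, setting the mode to disallow removes the "review" state as well.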

Disclaimer: This tip is based exclusively on inputs from Vivek Ramachandran’s talk at SecurityByte 2011, held in Bangalore last month. This is purely a proof-of-concept and is not intended to encourage criminal abuse of this feature.
About the author: Vivek Ramachandran is the founder of SecurityTube.net, and has been working with Wi-Fi Security for eight years. He is the discoverer of the Caffe Latte attack, and is also credited with breaking WEP Cloaking, a WEP protection schema publicly at Defcon 2007. Vivek has recently authored a book titled: “Wireless Penetration Testing using BackTrack 5" released by Packt publications in September.

Sunday, 16 October 2011

INSTALLATION OF WIRESHARK IN WINDOWS XP



1. GO TO http://www.wireshark.org/download.html AND DOWNLOAD WIRESHARK ACCORDING TO YOUR OPERATING SYSTEM.

2. NOW DOUBLE CLICK ON THE DOWNLOADED WIRESHARK FILE > CLICK NEXT ON THE WELCOME SCREEN.

3. CLICK ON I AGREE > CLICK NEXT > NEXT > SPECIFY THE LOCATION WHERE YOU WANT TO INSTALL WIRESHARK > CLICK NEXT.

4. SELECT THE INSTALL WINPCAP OPTION > CLICK INSTALL.

NOTE: WINPCAP IS NECESSARY FOR WIRESHARK TO WORK PROPERLY FOR SNIFFING.

5. NOW CLICK NEXT TO INSTALL WINPCAP > NEXT > CLICK ON I AGREE > NOW CLICK INSTALL > CLICK FINISH.

6. NOW CLICK NEXT > NOW CLICK FINISH TO COMPLETE THE INSTALLATION PROCEDURE OF WIRESHARK.

THANK YOU
D.B.V RUTHWIZ