Categories
Kon-Boot Linux Security Ubuntu Windows

Bypass Windows or Linux Logon With Kon-Boot

Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel (and now the Windows kernel also!!!) on the fly (while booting). In its current compilation state it allows logging into a Linux system as 'root' without typing the correct password, or elevating privileges from the current user to root. For Windows systems it allows entering any password-protected profile without any knowledge of the password. It actually started as a silly project of mine, born from my never-ending memory problems 🙂 It was mainly created for Ubuntu; later I made a few add-ons to cover some other Linux distributions. Finally, please consider that this is my first Linux project so far 🙂 The entire Kon-Boot was written in pure x86 assembly, using the old grandpa-geezer TASM 4.0.
Additional notes:

Tested Windows versions
Windows Server 2008 Standard SP2 (v.275)
Windows Vista Business SP0
Windows Vista Ultimate SP1
Windows Vista Ultimate SP0
Windows Server 2003 Enterprise
Windows XP
Windows XP SP1
Windows XP SP2
Windows XP SP3
Windows 7

Kon-Boot website & download.
Categories
Linux sdelete Security Windows 2008 Windows 7 Windows Vista

Securely delete files in Windows

The only way to ensure that deleted files, as well as files that you encrypt with EFS, are safe from recovery is to use a secure delete application. Secure delete applications overwrite a deleted file's on-disk data using techniques that are shown to make disk data unrecoverable, even using recovery technology that can read patterns in magnetic media that reveal weakly deleted files. SDelete (Secure Delete) is such an application.

You can use SDelete both to securely delete existing files, as well as to securely erase any file data that exists in the unallocated portions of a disk (including files that you have already deleted or encrypted). SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever. Note that SDelete securely deletes file data, but not file names located in free disk space.

Using SDelete
SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk. SDelete accepts wildcard characters as part of the directory or file specifier.

Usage: sdelete [-p passes] [-s] [-q]
sdelete [-p passes] [-z|-c] [drive letter]

-c Zero free space (good for virtual disk optimization).
-p passes Specifies number of overwrite passes.
-s Recurse subdirectories.
-q Don’t print errors (quiet).
-z Cleanse free space.

How SDelete Works

Securely deleting a file that has no special attributes is relatively straightforward: the secure delete program simply overwrites the file with the secure delete pattern. What is more tricky is securely deleting Windows NT/2K compressed, encrypted and sparse files, and securely cleansing disk free space.

Compressed, encrypted and sparse files are managed by NTFS in 16-cluster blocks. If a program writes to an existing portion of such a file, NTFS allocates new space on the disk to store the new data and, after the new data has been written, deallocates the clusters previously occupied by the file. NTFS takes this conservative approach for reasons related to data integrity and, in the case of compressed and sparse files, in case a new allocation is larger than what exists (the new compressed data is bigger than the old compressed data). Thus, overwriting such a file in place will not succeed in deleting the file's contents from the disk.

To handle these types of files SDelete relies on the defragmentation API. Using the defragmentation API, SDelete can determine precisely which clusters on a disk are occupied by data belonging to compressed, sparse and encrypted files. Once SDelete knows which clusters contain the file’s data, it can open the disk for raw access and overwrite those clusters.

Cleaning free space presents another challenge. Since FAT and NTFS provide no means for an application to directly address free space, SDelete has one of two options. The first is that it can, like it does for compressed, sparse and encrypted files, open the disk for raw access and overwrite the free space. This approach suffers from a big problem: even if SDelete were coded to be fully capable of calculating the free space portions of NTFS and FAT drives (something that’s not trivial), it would run the risk of collision with active file operations taking place on the system. For example, say SDelete determines that a cluster is free, and just at that moment the file system driver (FAT, NTFS) decides to allocate the cluster for a file that another application is modifying. The file system driver writes the new data to the cluster, and then SDelete comes along and overwrites the freshly written data: the file’s new data is gone. The problem is even worse if the cluster is allocated for file system metadata since SDelete will corrupt the file system’s on-disk structures.
The second approach, and the one SDelete takes, is to indirectly overwrite free space. First, SDelete allocates the largest file it can. SDelete does this using non-cached file I/O so that the contents of the NT file system cache will not be thrown out and replaced with useless data associated with SDelete's space-hogging file. Because non-cached file I/O must be sector (512-byte) aligned, there might be some left-over space that isn't allocated for the SDelete file even when SDelete cannot further grow the file. To grab any remaining space SDelete next allocates the largest cached file it can. For both of these files SDelete performs a secure overwrite, ensuring that all the disk space that was previously free becomes securely cleansed.

On NTFS drives SDelete's job isn't necessarily finished after it allocates and overwrites the two files. SDelete must also fill any existing free portions of the NTFS MFT (Master File Table) with files that fit within an MFT record. An MFT record is typically 1KB in size, and every file or directory on a disk requires at least one MFT record. Small files are stored entirely within their MFT record, while files that don't fit within a record are allocated clusters outside the MFT. All SDelete has to do to take care of the free MFT space is allocate the largest file it can: when the file occupies all the available space in an MFT record, NTFS will prevent the file from getting larger, since there are no free clusters left on the disk (they are being held by the two files SDelete previously allocated). SDelete then repeats the process. When SDelete can no longer even create a new file, it knows that all the previously free records in the MFT have been completely filled with securely overwritten files.

To overwrite file names of a file that you delete, SDelete renames the file 26 times, each time replacing each character of the file’s name with a successive alphabetic character. For instance, the first rename of “foo.txt” would be to “AAA.AAA”.

The reason that SDelete does not securely delete file names when cleaning disk free space is that deleting them would require direct manipulation of directory structures. Directory structures can have free space containing deleted file names, but the free directory space is not available for allocation to other files. Hence, SDelete has no way of allocating this free space so that it can securely overwrite it.
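The ordinary-file path described above (overwrite in place, rename the file 26 times so the name is scrubbed from the directory, then unlink), as an added Python example; this is not Sysinternals code, and the file name `foo.txt`, the pass patterns and the temp-directory input are constructed for the demo:

```python
import os
import string
import tempfile

# Added example, not Sysinternals code: the ordinary-file path SDelete takes
# (overwrite in place, rename 26 times, unlink). NTFS compressed, sparse and
# encrypted files are NOT covered: NTFS relocates their clusters on write.
CHUNK = 1 << 20  # 1 MiB write buffer

def rename_sequence(name):
    """26 names with every character replaced by 'A'..'Z'; dots are kept,
    so 'foo.txt' -> 'AAA.AAA', 'BBB.BBB', ..., 'ZZZ.ZZZ'."""
    return ["".join("." if c == "." else letter for c in name)
            for letter in string.ascii_uppercase]

def overwrite_file(path, passes):
    """Overwrite the file's bytes in place and force each pass to disk:
    0xFF on even passes, random data on odd passes, zeros on the last."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for n in range(passes):
            if n == passes - 1:
                fill = b"\x00" * CHUNK
            else:
                fill = os.urandom(CHUNK) if n % 2 else b"\xff" * CHUNK
            fh.seek(0)
            remaining = size
            while remaining > 0:
                remaining -= fh.write(fill[:min(CHUNK, remaining)])
            fh.flush()
            os.fsync(fh.fileno())

def secure_delete(path, passes=3):
    """Overwrite, scrub the name out of the directory by renaming, unlink."""
    overwrite_file(path, passes)
    directory, name = os.path.split(path)
    current = path
    for new_name in rename_sequence(name):
        target = os.path.join(directory, new_name)
        if os.path.exists(target):  # never clobber an unrelated file
            continue
        os.rename(current, target)
        current = target
    os.remove(current)
    return os.path.basename(current)  # last name used, for verification

def demo():
    """Constructed input: a throwaway file in a fresh temp directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "foo.txt")
    with open(path, "wb") as fh:
        fh.write(b"secret payroll data\n" * 4096)
    last = secure_delete(path, passes=3)
    return {"last_name": last, "left_over": os.listdir(workdir)}
```

As the caveat in the text says, this only helps for files whose clusters are rewritten in place; on journaled, compressed or snapshotted storage the old data may survive elsewhere.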


Download SDelete
(47 KB)

Categories
Linux Security SSH

Securing SSH on Linux

SSH (Secure Shell) is a protocol which supports logging into a remote system or executing commands on a remote system, using an encrypted communication between the two systems.

By default sshd accepts SSH protocol version 1 and allows direct root login to the system. You should disable direct root login in sshd_config and allow only protocol 2, which is more secure.

1) vi /etc/ssh/sshd_config
2) Change Protocol 2,1 to Protocol 2
3) Change PermitRootLogin yes to PermitRootLogin no
4) Restart SSHD:

/etc/rc.d/init.d/sshd restart
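The two checks above as an added Python audit script (not part of the original post). It mirrors two sshd_config parsing rules that matter for the check: sshd honours the first occurrence of a keyword, and keyword case is ignored. The sample config fragment is constructed, and the defaults assumed when a keyword is absent (Protocol 2,1, PermitRootLogin yes) are the ones the post states:

```python
import re

# Added example, not from the original post: audit and harden an sshd_config
# for the two settings the post changes. sshd honours the FIRST occurrence of
# a keyword and ignores keyword case; this parser mirrors both rules.
# Assumed defaults when absent (as the post states): Protocol 2,1, PermitRootLogin yes.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
Protocol 2,1
#PermitRootLogin no
permitrootlogin yes
PasswordAuthentication yes
"""

KEYWORD_RE = re.compile(r"^\s*([A-Za-z]+)\s*[=\s]\s*(.*?)\s*$")

def parse_sshd_config(text):
    """Map lower-cased keyword -> value, keeping only the first occurrence."""
    settings = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if m and m.group(1).lower() not in settings:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means both settings are safe."""
    cfg = parse_sshd_config(text)
    findings = []
    protocols = {p.strip() for p in cfg.get("protocol", "2,1").split(",")}
    if "1" in protocols:
        findings.append("Protocol permits SSH-1; set 'Protocol 2'")
    if cfg.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'; set 'PermitRootLogin no'")
    return findings

def harden_sshd_config(text):
    """Rewrite the effective Protocol/PermitRootLogin lines; append if absent."""
    wanted = {"protocol": "Protocol 2", "permitrootlogin": "PermitRootLogin no"}
    out, seen = [], set()
    for line in text.splitlines():
        m = KEYWORD_RE.match(line)
        key = m.group(1).lower() if m and not line.strip().startswith("#") else None
        if key in wanted:
            line = wanted[key] if key not in seen else "# " + line  # keep one effective line
            seen.add(key)
        out.append(line)
    out.extend(wanted[k] for k in wanted if k not in seen)
    return "\n".join(out) + "\n"
```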

Categories
Linux Security WGET

Installing & Configuring Brute Force Detection on Linux

BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is very simple: there are little to no authentication and brute force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans. To use BFD you must install APF Firewall first.
Download BFD:

wget http://www.r-fx.ca/downloads/bfd-current.tar.gz
tar -zxvf bfd-current.tar.gz
cd bfd-0.9

After the installation is complete you will receive a message saying it has been installed.
Next, configure BFD:

vi /usr/local/bfd/conf.bfd

Find the following lines and replace them with your details:
# Enable/disable user alerts [0 = off; 1 = on]
ALERT_USR="1"
#
# User alert email address
EMAIL_USR="your@mail.com"
#
# User alert email; subject
SUBJ_USR="Brute Force Warning for $HOSTNAME"
#
Now add your own IP address to the ignore hosts file so you will not accidentally lock yourself out:

vi /usr/local/bfd/ignore.hosts and add your IP address.

Now it is ready to start the BFD system:

/usr/local/sbin/bfd -s

Categories
Cisco DDOS Linux netstat Security Windows

Detecting DoS / DDoS Attack on a Windows 2003 / 2008 Server

How do I detect a DDOS (Distributed denial of service) / DOS attack on a Windows Server 2003 / 2000 / 2008, XP, Vista or Windows 7? Can I use Linux netstat command syntax to detect DDoS attacks?

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.

You can always use the netstat command to get a list of connections under Windows. Open a command prompt via Start > Run > type "cmd" in the box.

netstat is a command line utility which displays protocol statistics and current TCP/IP network connections in a system. Type the following command to see all connections:

netstat -noa

Where,

  1. n: Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
  2. o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager.
  3. a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

You can use the find command as a filter to search for a specific string of text in the output. In the following example you are counting the lines that mention port 80 (note that find matches the string "80" anywhere on the line, so addresses or PIDs containing "80" are counted too):

netstat -ano | find /c "80"

Find the IP address which is causing the maximum number of connections and block it using a Cisco firewall or IPSec. Another protective measure is to harden the TCP/IP stack.
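The "find the IP address causing the maximum number of connections" step as an added Python example (not part of the original post). It parses `netstat -ano` output, counts TCP connections per remote address, and optionally restricts the count to one local port matched exactly, which avoids the substring problem of `find /c "80"`. The netstat sample below is constructed, including an IPv6 row on local port 180 that a substring match on "80" would miscount:

```python
from collections import Counter

# Added example, not from the original post: count TCP connections per remote
# address from `netstat -ano` output. Unlike `find /c "80"`, the local port is
# compared exactly rather than as the substring "80". Sample is constructed.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.5:80            198.51.100.7:51001     ESTABLISHED     1234
  TCP    10.0.0.5:80            198.51.100.7:51002     ESTABLISHED     1234
  TCP    10.0.0.5:80            198.51.100.7:51003     SYN_RECEIVED    1234
  TCP    10.0.0.5:80            203.0.113.9:40000      ESTABLISHED     1234
  TCP    10.0.0.5:3389          203.0.113.9:40001      ESTABLISHED     4
  TCP    [::]:180               [2001:db8::1]:4000     ESTABLISHED     99
  UDP    0.0.0.0:500            *:*                                    800
"""

def split_host_port(addr):
    """'10.0.0.5:80' -> ('10.0.0.5', '80'); '[::1]:22' -> ('::1', '22')."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(text):
    """Yield one dict per TCP/UDP row; header and blank lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        yield {"proto": parts[0], "local": parts[1], "foreign": parts[2],
               "state": parts[3] if parts[0] == "TCP" else "", "pid": parts[-1]}

def connections_per_peer(text, local_port=None,
                         states=("ESTABLISHED", "SYN_RECEIVED")):
    """Count TCP rows per remote address, optionally for one local port only.
    SYN_RECEIVED is included: half-open connections are typical of a flood."""
    counts = Counter()
    for row in parse_netstat(text):
        if row["proto"] != "TCP" or row["state"] not in states:
            continue
        if local_port is not None and split_host_port(row["local"])[1] != str(local_port):
            continue
        counts[split_host_port(row["foreign"])[0]] += 1
    return counts

def top_talkers(text, local_port=None, threshold=1):
    """Remote addresses sorted by connection count, at or above threshold."""
    return [(ip, n) for ip, n in connections_per_peer(text, local_port).most_common()
            if n >= threshold]
```

In practice you would feed it the live output (`netstat -ano > conns.txt`) and raise the threshold to whatever is abnormal for the server; a single busy peer behind NAT can legitimately hold many connections.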


Categories
Linux Security Windows

Delete File Securely / Permanently Delete File Data in Windows

I know how to delete a file securely using GNU/Linux and open source tools under Linux. I'm looking for a DoD 5220.22-M or NNSA NAP-14.x compliant secure delete utility under Windows. How do I delete a file permanently under Windows XP or a Server operating system with NTFS, so that no one can retrieve my data?

Linux offers various programs such as shred or DOD 5220.22-M certified scrub utility.

sDelete: Permanently Delete File

You need to use SDelete, which implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever. Download sDelete (47KB).
It works on following Microsoft operating systems:

  • Client: Windows XP and higher (including Windows 7 and Vista).
  • Server: Windows Server 2003 and higher.

Once downloaded open command prompt by visiting Start -> Run -> Type cmd and press [Enter] key.

To delete all data stored in a file called c:\docs\finical.xls, enter:
sdelete -p 10 -z c:\docs\finical.xls

To delete all data and files stored in a directory (folder) called c:\docs\excel, enter:
sdelete -p 10 -z c:\docs\excel

sDelete Quick help:

Usage: sdelete [-p passes] [-s] [-q] 
sdelete [-p passes] [-z|-c] [drive letter]
-c Zero free space (good for virtual disk optimization).
-p passes Specifies number of overwrite passes.
-s Recurse subdirectories.
-q Don't print errors (quiet).
-z Cleanse free space.

Eraser Open Source Free Software

Eraser is an advanced security tool (for Windows) which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. It works with Windows 95, 98, ME, NT, 2000, XP, Vista, Windows 2003 Server and DOS. Eraser is free software and its source code is released under the GNU General Public License. It uses the Gutmann (default), pseudorandom data and US DoD 5220.22-M methods. Download Eraser software here.

A note about wiping a hard disk

Darik's Boot and Nuke ("DBAN") is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.

Categories
Linux Security

How to delete files securely in Linux

How do you remove files securely so that they cannot be undeleted? Peter Gutmann's paper "Secure Deletion of Data from Magnetic and Solid-State Memory" has very good information. Here are some commands/tools available under Debian GNU/Linux (they should work with other Linux distributions) to delete files securely.

srm: Securely remove files or directories

This command is a replacement for the rm command. It works under Linux/BSD/UNIX-like OSes. It removes each specified file by overwriting, renaming, and truncating it before unlinking. This prevents other people from undeleting the file or recovering any information about it. Because it performs many operations on a file/directory for secure deletion, it also takes a lot of time to remove it. Download srm from http://sourceforge.net/projects/srm (an RPM file is also available for RPM-based Linux distributions).

1. Untar and install the srm:

# ./configure
# make
# make install

2. How to use srm?
srm syntax is like that of the rm command. Read man srm. Here is a simple example:

$ srm privateinfo.doc

wipe: It is a secure file wiping utility

Download wipe from http://wipe.sourceforge.net/
1. Untar and install the wipe

# ./configure
# make
# make install

2. How to use wipe?

$ wipe filename

Read man page of wipe for information.

shred: Delete a file securely, first overwriting it to hide its contents.

It is available on most Linux distributions, including Debian GNU/Linux. To remove a file called personalinfo.tar.gz:

$ shred -n 200 -z -u  personalinfo.tar.gz

Where,

  • -n: Overwrite N (200) times instead of the default (25)
  • -z: Add a final overwrite with zeros to hide shredding
  • -u: Truncate and remove the file after overwriting

Read the man page of shred(1) for more information. Most of these utilities are not effective (read: useless) if:

  • The file system is log-structured or journaled, such as JFS, ReiserFS, XFS, Ext3 etc.
  • Your file system is RAID-based, a compressed file system, etc.
  • In addition, file system backups and remote mirrors may contain copies of the file that cannot be removed by these utilities.
Categories
crack hack Linux Passwords Security Windows wireless WPA

Wireless WPA/WPA2-PSK GPU Cracking with Pyrit – How to Use Pyrit in BackTrack

Pyrit is a GPU cracker for attacking WPA/WPA2 PSK protocols. It allows creating massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time trade-off. Pyrit works with many platforms including CUDA, ATI-Stream, OpenCL and VIA Padlock.

How to
Listing available cores

pyrit list_cores

Determining performance of cores

pyrit benchmark

Create a new ESSID

pyrit -e Linksys create_essid

Import list of passwords

pyrit -f dict.txt import_passwords

 Start Batch Processing

pyrit batch

Cracking WPA/WPA2-PSK using pyrit/coWPAtty

pyrit -e "Linksys" -f dict.txt passthrough | cowpatty -d - -r wpa2handshake.cap -s "Linksys"
"-e" ESSID for the command
"-f" Filename for the command ('-' is stdin/stdout)
"-d" Hash file
"-" Accept words on stdin
"-r" Packet capture file
"-s" Network SSID

Categories
Linux Security

Root Access Email Alert

Get notified when a user logs in with root privileges.
1) Edit .bashrc under /root to get notified by email when someone logs in as root
2) Add the following (replace youremail@domain.com and "Server Name" with your own values):

echo 'ALERT - Root Shell Access (Server Name) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" youremail@domain.com

Categories
BackTrack BT BT 4 Linux Passwords Security Ubuntu VMWare WEP Windows WPA

How To Install Backtrack4 Using Grub On Ubuntu

Backtrack is an operating system that is specially designed for network security. Backtrack OS is based on Linux. As of this writing the latest version of Backtrack is Backtrack4, with many, many useful applications. Before installing BT4, make sure you have installed Ubuntu on your computer so we can use Ubuntu's Grub for booting.

Follow these steps to install and configure dual booting Ubuntu / Backtrack4.

  1. Prepare your PC
    Ubuntu OS installed on sda2
    BT4 will install on sda3
  2. Run BT4 using LiveCD
    user : root
    password : toor
    #startx
  3. Installation process

    # mkfs.ext3 /dev/sda3

    # mkdir /mnt/BT4
    # mkdir /mnt/ubuntu
    # mount /dev/sda3 /mnt/BT4
    # mount /dev/sda2 /mnt/ubuntu
    # mkdir /mnt/BT4/boot

    # cp /boot/vmlinuz /mnt/BT4/boot
    # cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/BT4/
    # mkdir /mnt/BT4/{mnt,proc,sys,tmp}
    # mount --bind /dev/ /mnt/BT4/dev/
    # mount -t proc proc /mnt/BT4/proc/

  4. Edit Grub of Ubuntu
    # vi /mnt/ubuntu/boot/grub/menu.lst

    # insert this at the bottom of the file:
    title Backtrack4
    rootnoverify (hd0,2)
    kernel /boot/vmlinuz vga=791 root=/dev/sda3 ro autoexec=xconf;kdm
    boot

  5. Exit and restart your PC. Select “Backtrack4” and login.
  6. Registering sda3 to fstab
    We must register /dev/sda2 and /dev/sda3 so either Ubuntu or BT4 can be booted.

    # mkdir /mnt/BT4
    # mkdir /mnt/ubuntu
    # vi /etc/fstab

    /dev/sda2 /mnt/ubuntu ext3
    /dev/sda3 /mnt/BT4 ext3