Saturday, June 30, 2012


Chrome Hidden Features

1. Omni box
The browser's address bar has auto-completion and doubles as the search box; Google calls it the "Omnibox" ("omni" is a prefix meaning "all", as in "omniscient", "all-knowing"). Put simply, there is no separate search box: it is combined with the address bar. To run a plain Google search of what you type, put a "?" before your query.


2. Quick calculation
You can do simple mathematical calculations (addition, subtraction, multiplication, percentages and more) straight from the address bar, which is faster than opening the calculator. Just type an expression such as sin(30)+cos(30) and the result appears automatically among the suggestions. These features apply only to the Google Chrome address bar.

3. Drag downloaded files
You can drag a downloaded file straight from Chrome's download bar to your desktop or any other folder, so there is no need to find the download folder or change the download location each time.


4. Resize Multi-line textboxes

This feature concerns multi-line text boxes. Google allows the user to change the size of such text boxes to suit their needs, and it is very easy to use. Text boxes on web pages are often annoying: they are too small, and after typing just a few lines you get an irritating scroll bar. In Chrome you can simply drag the box from its corner and make it bigger.



5. Create application shortcut
Creating desktop shortcuts for frequently visited sites is a smart move that saves time, and Google Chrome provides an easy option to create desktop application shortcuts. This is not the same as creating a shortcut to a web page in other browsers: these shortcuts open the site in a Chrome window dedicated to it, and you can launch the site from the desktop, the Start menu or the Quick Launch bar. Open any site and choose "Create application shortcut" from the Wrench menu.


6. Developer tools
The Developer Tools, available in Chrome and Safari, give web developers and programmers deep access into the internals of the browser and their web application. They are part of the open source WebKit project. This article applies to Google Chrome on Windows. To access the Developer Tools, open a web page in Chrome, then select the Wrench menu at the top right of the browser window and choose Tools → Developer Tools (Ctrl+Shift+I).


7. Memory comparison
Use this simple trick to compare the memory usage of browsers. Open a new tab in Chrome and type about:memory (or chrome://memory-redirect) in the address bar. Chrome tracks not only the memory it uses itself but also that of other browsers currently open and running on your computer.



8. Chrome commands
Back in 2008, Damien wrote an article going through various Firefox about: page tricks. Chrome has similar functions behind the scenes: accessing various about pages lets you turn on and off features that you might not otherwise have access to. They can also provide a window into information that may be useful in debugging a problem, or for some other purpose. To view all the available Chrome commands, type chrome://about in the address bar, as shown below.








Friday, June 29, 2012


CHROME RLZ


The RLZ information includes a non-unique promotional tag that contains information about how Chrome was obtained, the week when Chrome was installed, and the week when the first search was performed. This parameter does not uniquely identify your computer, nor is it used to target advertising; it is used to understand the effectiveness of different distribution mechanisms, such as downloads directly from Google versus other distribution channels. It cannot be disabled as long as your search provider is Google. If your default search provider is not Google, searches performed from the address bar go to your default search provider and do not include the RLZ parameter. RLZ ("Rules") is a library for grouping promotion event signals and anonymous user cohorts. The tag looks similar to "1T4AAAA_enUS236US239". This non-unique tag is included when performing searches via Google (it appears as a parameter beginning with "rlz=" when triggered from the Omnibox, or as an "x-rlz-string" HTTP header). Google uses this information to measure the searches and Chrome usage driven by a particular promotion.

Client applications with the RLZ library can use explicit cohort tagging to manage promotion analysis. A client application with a particular tag can transmit that tag as it chooses for payment and analysis purposes. As an example, the RLZ parameter "rlz=1T4AAAA_enUS236" indicates that the client application is Toolbar version 4, distributed with the AAAA software bundle, English version, to a US user.


Installations of Google Chrome obtained via promotional campaigns also send a token when you first launch Chrome and when you first search from Google. The same token is sent if Chrome is later reinstalled, and it is only sent at first launch and at first use of the Omnibox after reinstallation or reactivation. Rather than being stored on the computer, the token is generated when necessary from built-in system information that is scrambled in an irreversible manner. Google Chrome uses a software library called "RLZ" to generate and send this information.

Thursday, June 28, 2012



HOMOGRAPH ATTACK AND CONFUSABILITY


A homograph is a letter or string that has enough visual similarity to a different letter or string that the two may be confused for one another.


It looks like amazon.com, of course, but it is not. The first 'a' is the Cyrillic small letter a, not the Latin small letter 'a'; although they look identical, they come from two different alphabets. In your browser's status bar you should see the Punycode-encoded version of the domain name:

http://www.xn--mazon-3ve.com/

Because DNS does not support Unicode (only a subset of ASCII characters is allowed), the IDN standards define how domain names with Unicode characters are encoded; Punycode is the name of the encoding mechanism. The above is often referred to as an IDN homograph attack.

Two more examples (shown as images in the original post) look identical to a human, and they still appear identical if you copy them into your address bar.

In the second URL one character has been replaced: written out with its Unicode values, the second 'o' is the Greek small letter omicron.


These are very simple examples, but hopefully you can see the potential danger of clicking on a link just because it looks genuine. Aside from spoofing with lookalike characters from completely different alphabets, a lot of spoofing is possible within our own alphabet. Certain fonts make some combinations of characters hard to tell apart: the letters 'r' and 'n' together can look like the letter 'm' (rn = m), a zero can look like 'O', and the digit 1 can look like a lower-case 'l'.

  • www.rnu11ets.com looks a lot like www.mullets.com

I have listed the same text here in several different fonts, because in some fonts you wouldn't be able to tell the visual difference between the two words. The visual appearance of characters has a lot to do with the font used to display the glyph, not just the alphabet.
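As an added example (not part of the original post), the following standard-library Python shows the checks a defender can run on a suspicious domain: the Punycode form the status bar shows, which letter was swapped, whether a label mixes scripts, and the rn/0/1 font confusables from the list above. The domains and the watch-list are constructed; only the Cyrillic-a amazon.com case is from the post.

```python
# Added example, not from the original post: a small checker for the IDN
# homograph and font-confusable cases described above, standard library only.
import unicodedata

# Constructed lookalikes, written with escapes so the substitution is visible
# in source: U+0430 is CYRILLIC SMALL LETTER A, U+03BF is GREEK SMALL LETTER
# OMICRON. Only the first one appears in the post (as xn--mazon-3ve.com).
CYRILLIC_A_AMAZON = "\u0430mazon.com"
GREEK_O_AMAZON = "amaz\u03bfn.com"


def to_punycode(domain):
    """Encode an internationalized domain name as the browser's status bar
    shows it: IDNA (Punycode, ASCII only), label by label."""
    return domain.encode("idna").decode("ascii")


def from_punycode(ascii_domain):
    """Reverse of to_punycode: turn an xn-- form back into Unicode."""
    return ascii_domain.encode("ascii").decode("idna")


def explain(domain):
    """List every non-ASCII character with its code point and Unicode name,
    which is how an analyst confirms *which* letter was swapped."""
    return [(ch, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
            for ch in domain if ord(ch) > 127]


def scripts_of(label):
    """Scripts used by the letters of one label. unicodedata has no script
    property, so the first word of the character name (LATIN, CYRILLIC,
    GREEK, ...) is used as a proxy; digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def is_mixed_script(domain):
    """True when any label mixes scripts, e.g. a Cyrillic 'a' among Latin
    letters. Legitimate IDNs are normally single-script per label."""
    return any(len(scripts_of(label)) > 1 for label in domain.split("."))


# Within-alphabet confusables from the post ('rn' ~ 'm', '0' ~ 'o', '1' ~ 'l')
# plus the two cross-script letters above. This is a constructed subset;
# Unicode Technical Standard #39 publishes the full confusables table.
CONFUSABLES = [("rn", "m"), ("0", "o"), ("1", "l"), ("\u0430", "a"), ("\u03bf", "o")]


def skeleton(domain):
    """Fold a domain to a canonical 'skeleton' so lookalikes compare equal."""
    text = unicodedata.normalize("NFKC", domain.lower())
    for lookalike, canonical in CONFUSABLES:
        text = text.replace(lookalike, canonical)
    return text


def watchlist_hits(domain, watchlist):
    """Brands on the watch-list that the domain imitates (exact matches are
    not hits: the brand's own domain is not an impostor)."""
    sk = skeleton(domain)
    return [brand for brand in watchlist
            if brand != domain and skeleton(brand) == sk]


if __name__ == "__main__":
    for d in (CYRILLIC_A_AMAZON, GREEK_O_AMAZON, "www.rnu11ets.com"):
        print(d, "->", to_punycode(d), explain(d),
              "mixed-script" if is_mixed_script(d) else "single-script",
              watchlist_hits(d, ["amazon.com", "www.mullets.com"]))
```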


Crypters


Early on when learning cryptography, one comes across a very basic and easily decoded method of encryption: ASCII shifts, or substitution. Substitution takes a block of characters and replaces each character with another. For example, if you shift each letter of (I LOVE YOU) one step forward in the alphabet, the message becomes (J MPWF ZPV). That is the basic idea behind crypting, or cryptography. A hacker will use a crypter, which adds junk code to the server executable; of course there are many crypting methods for this kind of thing.

A crypter is a program that makes other programs undetectable (UD) or fully undetectable (FUD): a UD file is detected by only a few antiviruses, while a FUD file is detected by none. It is used to hide viruses, RATs (Remote Administration Tools) or keyloggers from antivirus software so that they are not detected and deleted. In other words, a crypter lets users crypt the code of their program. Antivirus software generally works by splitting an application's code and searching for certain strings within it; if it detects a malicious string, it either stops the scan or deletes the file as a virus. The aim of a crypter is to protect the executable, making it difficult to analyze or reverse engineer. Malware is distributed as executables, and publicly known malware is generally detected by antivirus software, so crypters are used to make it fully undetectable (FUD).

Wednesday, June 27, 2012


Antivirus Identification Methods 


1. Signature Based Detection


Traditionally, antivirus software relied heavily on signatures to identify malware, and signature-based detection remains the most common method. It can be very effective: to identify viruses and other malware, the antivirus compares the contents of a file with a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole but also in pieces. Signatures cannot defend against malware, however, unless samples have already been obtained and signatures created, so signature-based approaches are not effective against new, unknown viruses.

As new viruses are created every day, the signature-based approach requires frequent updates of the virus signature dictionary. To assist the antivirus companies, the software may allow the user to upload new viruses or variants so that the virus can be analyzed and its signature added to the dictionary. Signatures are obtained by human experts using reverse engineering; an example of software used in reverse engineering is the Interactive Disassembler (IDA). Such software does not implement antivirus protection but facilitates human analysis. Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of it by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a disguise, so as not to match the signatures in the dictionary.

2. Heuristics detection


This is an effective way to locate unknown threats and provides the most up-to-date real-time protection. Obviously this sort of scanning and analysis takes time, which may slow down system performance. The main concern with heuristic detection is that it often increases false positives: the antivirus decides a file is malicious (and quarantines or deletes it) when in reality it is perfectly fine and wanted. Because some files look like viruses but really aren't, they are blocked from running on your computer.

Heuristic virus detection is a fancy way of a scanner saying "I'm guessing that is a virus". Heuristic scanning engines work on the principle that viruses usually use certain tricks or methods of infecting, so if a program looks like it might be using those tricks, there is a possibility that it is a virus. A more aggressive heuristic scanner may well detect large numbers of so-called "false positives", i.e. files that are totally innocent but look like they might alter other files, while a less aggressive one may miss files that really are viruses. In practice heuristics work quite well for some types of viruses, such as macro viruses, but not so well for others. Still, they are a reasonable attempt at providing protection against currently unknown viruses.

Variants of viruses are referred to with terms such as "oligomorphic", "polymorphic" and "metamorphic" when the differences between specific variants of the same virus are significant. For such cases there are dedicated statistical analysis algorithms, implemented in the "real-time" protection, which analyse software behaviour. This approach is not exact and results in higher resource usage on the computer. Since developing "oligomorphic", "polymorphic" and "metamorphic" engines is difficult and the resulting code is relatively large (and such cases are rare), this approach can be used with a relatively high success rate, though it relies on human ingenuity in the design of the algorithm. If the antivirus employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. Because both are possible, the identification process is subject to human assistance, which may include user decisions as well as analysis by an expert at the antivirus company.

FINDING REMOTE FILE INCLUSION VULNERABILITY

In a web application, one way data is passed to a script is by sending a parameter name and value in the URL. The parameter and the data it contains are accessed through a variable inside the script. PHP, like other languages, has include directives that allow code from another file to be included and executed. In PHP, variables do not have to be initialized before they are used, and PHP assigns uninitialized parameters to variables of the same name. We check for the basic vulnerability by manipulating the GET arguments and looking for an error message like the one above. As we said, however, we will not always get an error message; sometimes the script may even redirect to the home page when it detects an error. Here are a few examples of GET argument manipulation: normal URL → manipulated (error-creating) URL

www.site.com/index.php?id=1 → www.site.com/index.php?id=1awdasgfaeg
www.site.com/index.php?page=index → www.site.com/index.php?page=qqqqqqq
www.site.com/index.php?site=index → www.site.com/index.php?site=qqqqqq

Use your imagination: the argument does not need to be "id", "page" or "site"; it can be anything. You may get no error, just a blank page, or a redirect. If the server is set up not to display error messages and the vulnerability exists, your remote code will still work even though you saw no error message indicating it. Some developers think that checking whether the GET argument contains "http://" or "www." and refusing to include the file if it does makes them secure. In many cases, however, this can be bypassed by writing HTTP:// or HtTp://, or WWW., WwW, wWw and so on. If the check is not bypassed, the include() function will fail when it tries to include the remote content. The same applies to the other inclusion functions: require(), require_once() and include_once().
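As an added example (not from the original post), the Python below puts the case-sensitive substring check described above next to an allow-list resolver, so the difference between "block what looks bad" and "permit only known names" is visible on concrete inputs. The page map and parameter values are constructed; no PHP or web server is involved.

```python
# Added example, not from the original post: the weak substring check the post
# describes, side by side with an allow-list resolver. Plain Python with
# constructed parameter values; no web server is needed to see the difference.
from urllib.parse import urlsplit


def weak_filter_allows(page):
    """The check many scripts relied on: refuse only if the raw value contains
    the literal strings "http://" or "www.". It is case-sensitive, so the
    mixed-case spellings from the post sail straight through."""
    return "http://" not in page and "www." not in page


# Hardened approach: the parameter names a page, it never names a file or URL.
# Resolving through a fixed map means a request can only ever reach one of
# these files, whatever the value looks like. (Constructed map.)
PAGES = {
    "index": "pages/index.php",
    "about": "pages/about.php",
    "contact": "pages/contact.php",
}


def resolve_page(page):
    """Return the file to include, or None if the name is not allow-listed.
    The lookup is exact: no normalisation, no substring test, no fallback."""
    return PAGES.get(page)


def looks_like_remote_or_path(value):
    """Diagnostic for logging and alerting, not for access control: does the
    value carry a URL scheme, a host or any path-style characters at all?
    The value is lower-cased first so case tricks do not hide the scheme."""
    lowered = value.lower()
    parts = urlsplit(lowered)
    return bool(parts.scheme or parts.netloc) or any(
        marker in lowered for marker in ("/", "\\", "..", "www."))


def classify(value):
    """Summarise how the two checks treat one parameter value."""
    return {
        "weak_filter_allows": weak_filter_allows(value),
        "allowlisted": resolve_page(value) is not None,
        "suspicious": looks_like_remote_or_path(value),
    }


if __name__ == "__main__":
    for v in ("index", "qqqqqqq", "http://evil.example/x.txt",
              "HtTp://evil.example/x.txt", "WwW.evil.example/x.txt"):
        print(repr(v), classify(v))
```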


Tuesday, June 26, 2012


Helios Lite: Malware Scanner


Helios Lite is a stand-alone binary that can quickly scan a system for system service dispatch table (SSDT) hooks, hidden processes, hidden registry entries and hidden files. It uses a GUI program to communicate with its kernel-mode driver, helios.sys; together these two components detect most rootkit hooking and hiding techniques.


Usage:

  • Click → Scan type, select hidden files,
  • Enable → Show all alternate data streams (ADS), click Scan
  • Click → Scan type, select hidden registry, hidden processes, SSDT hooks, click Scan.
This is a very powerful tool for finding SSDT hooks.



DIFFING- Comparative Technique


Diffing is the practice of comparing two things for differences, especially after some change has been made. The two things could be files, Registry entries, memory contents, packets, emails, almost anything. The general principle is to take a snapshot of the item in question (if it is a file, save a copy of it), perform the action you think will cause a change, and then compare the snapshot with the current item to see what changed. In computing, diff is a file comparison utility that outputs the differences between two files. It is typically used to show the changes between one version of a file and a former version of the same file; it displays the changes per line for text files, and modern implementations also support binary files. The output is called a "diff", or a patch, since it can be applied with the UNIX program patch. The output of similar file comparison utilities is also called a diff, and, like the use of "grep" for the act of searching, "diff" is used in jargon as a verb for calculating any difference. Diffing is a highly successful tactic that hackers use to analyze different versions of the same file in order to pinpoint the differences between them, and this comparative technique has been used for years.

Now we’re going to work with the real analysis.

File Name: Msvcm80.dll

  • File description: Microsoft C Runtime Library, Microsoft Visual Studio 2005
  • Version: 8.00.50727.762
  • File size: 0.12 Mb


File Name: Msvcm80d.dll

  • File description: Microsoft C Runtime Library, Microsoft Visual Studio 2005
  • Version: 8.00.50727.762
  • File size: 0.22 Mb


Notice that the dates and values of the two files are different. Compare Suite is a very flexible tool: once you've chosen your files, you can also choose how to compare them. Compare "by keywords" to find similarities between unrelated documents, compare drafts of the same document "word by word", or compare "character by character", which is perfect for software developers. Compare Suite can also tell you the number of words in your documents, the number of changes between them, and more; set up a list of your interests and it will watch for these personal keywords in every document. Many diffing tools are available, but most of them support only text, HTML, Word documents, C code and the like, whereas Compare Suite Pro also supports DLL and EXE files.

Monday, June 25, 2012


Computer Forensics: Dos commands 


Computer forensics is the method of investigating electronic devices or media in order to recover and analyze available, deleted or "hidden" information that can serve as evidence to support claims and defences in a legal setting; it may also help when data has been accidentally or deliberately deleted, or lost through hardware failure. Computer forensics has transformed the way digital evidence is gathered and makes use of sophisticated techniques and technologies; a forensic expert uses them to find evidence of a possible crime on an electronic device. Computer forensics can be used to detect fraud, illegal use of a computer, violations of company policy and inadequate record keeping, and to examine email, chat history, files, tapes, browsing history or any other form of electronic communication. The data can live on any type of electronic device or medium: pen drives, discs, tapes, handhelds, PDAs, memory cards, emails, logs, hidden or deleted files, etc. Here we discuss the basic commands to get started with computer forensics. Let us start...

1) Date and Time:

One of the first pieces of information you want to collect when you’re investigating an incident is the system date and time. This will give a great deal of context to the information collected later in the investigation, and will assist in developing an accurate timeline of events that have occurred on the system.


2) systeminfo.exe:

The native systeminfo.exe command creates a system profile that includes the original install date, system boot time, host name, registered owner, OS name, total physical memory and installed hotfixes.



3) wmic bios get name, serialnumber, version:

WMIC stands for Windows Management Instrumentation Command-line; it uses Windows Management Instrumentation (WMI) to enable system management from the command line, and it can be used from the Command Prompt without installing any third-party software. This command shows the BIOS name, serial number and version.



4) wmic csproduct get name, identifyingnumber, uuid:

This shows computer product information: the product name, the identifying number (serial number), and the universally unique identifier (UUID).



5) netstat -ano:

This command shows TCP and UDP network connections, listening ports, and the identifiers (PIDs) of the processes using those connections.



6) netstat -r:

This command displays the kernel routing table, as we have been doing with the route command; 'route print' displays the same information.



7) tasklist /v:

The tasklist command provides options for output formatting, with a choice of table, CSV and list formats. The /v (verbose) switch provides the most information about the listed processes: the image name, PID, session name and number, process status, the user name of the context in which the process runs, and the window title if the process has a GUI. An investigator can also use the /svc switch to list the service information for each process.





8) net users:

This command shows the user names and user groups of local and remote accounts.



9) net share:

net share displays information about all of the resources shared on the local computer: the share name of each resource, the device name or path associated with it, and a descriptive comment.


Sunday, June 24, 2012


Spypig: Find out when your email has been read

(Free Email Tracking Service)


Sometimes you need to know what happened to an email you sent: a job application, a relationship-building note, a notification, a confirmation, and so on. Spypig is a free online service that tells you whether your email has been read, when, where, and from which recipient IP address, among other details. It is not an email sending service: you add a small tracking code (an image) to your email, and whenever the recipient opens the email you receive a notification. You can deploy your free email tracker in about a minute with Spypig.

How to Use:

Using Spypig is very simple; all you need to do is follow three steps. Go to www.spypig.com and type in your email address and the message title.


Select the image you want to use. Copy and paste that image into the email you wish to track; make sure you copy it within 60 seconds.

Once the recipient opens your email, you will get an instant notification in your (Spypig-assigned) email.




Mince: Text Encryption Tool



Mince is an easy-to-use and very reliable text encryption tool. It encrypts a text file into another (scrambled) one and adds its own extension to it. Because this new file is also just a text file, you can send it as an attachment in an e-mail message.

Installation:

  • Unzip the Mince folder onto your desktop or elsewhere
  • Make sure at least Mince.exe and Mince.inf are in that folder
  • Right-click the Mince.inf file and select install
See also the install.jpg screenshot in the unzipped Mince folder.



How to use Mince:


Right-click on a .txt file in Windows Explorer and select Mince-Encrypt. Type in a password, type the same password again in the second box, and click on Encrypt. Mince will now encrypt your file and give it the .mce extension. These files can be decrypted by double-clicking them and entering the password (and clicking the Decrypt button).

Windows Vista & Windows 7 users:


Access to Program Files, Windows and other system folders is protected by default by the operating system and triggers an "access denied" error when you try to 'Mince' files in there. To avoid that, run Mince with administrator privileges (in the Windows folder, right-click the Mince executable, select Properties, open the Compatibility tab and, under Privilege Level, tick the "Run this program as an administrator" box).

Caution:


It's IMPOSSIBLE to decrypt a file if you don't remember the password! Also, please don't EVER edit a .mce (encrypted) file!

How secure is Mince?


It hashes its strings to 24 bits of unique key data. Not completely unhackable, but it would take any experienced hacker a great deal of time to unscramble a 'Minced' file.




Saturday, June 23, 2012

A Quick Demo of Splunk log analyzer  



Splunk searches, monitors and analyzes machine-generated data from applications, systems and IT infrastructure at scale through a web-style interface. It captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations. Splunk aims to make machine data accessible across an organization: it identifies data patterns, provides metrics, diagnoses problems and provides intelligence for business operations. It is a perfect log analyser.

Splunk offers its software under two license types: an enterprise license for companies and large organizations, and a free license designed for personal use. The free version is proprietary software, not free software, and is limited to a 30-day trial period and 500 MB of data a day. You first need to register at www.splunk.com, after which you can download it.

Install Splunk on Windows with the graphical (GUI) installer, then launch Splunk in the default web browser at http://localhost:8000 (localhost means this computer).

Log in the first time with the username "admin" and password "changeme"; you are then asked to change the default password and set a new one.

Here we will walk through a demo.

First Login Page: enter the username and password


Home Page:



Click → Add Data → Choose Data Type


(In my case) I select → Windows event logs → Collect Windows event logs from this Splunk server → Next → Selected logs (Application, Security, Setup, System, Internet Explorer, etc.) → Save


Click → Start Searching



All indexed Data (In Live Dashboard)




that's it.

Link : www.splunk.com 

Thursday, June 21, 2012


The basics: Crawler

The Web consists of many billions of pages. Each page has a unique URL, content (text, pictures, video) and links that connect it to other pages. One page connects to another, which connects to another, and so on, creating a huge "web" of interconnected pages. A web crawler is a computer program that gathers and categorizes information on the Internet.

Crawling – Indexing – Retrieving – Ranking


Crawling pages is done by search engine automated robots, commonly referred to as “spiders”, and is one of the main functions of a search engine. The spiders “read” one page and then follow any links from that page to another page. Through links the spiders can reach billions of interconnected documents.

Indexing is the process by which search engines select pieces of relevant code (including keywords and surrounding text) from the web page and catalogue them. They store that code and related information organized in massive data centers that are located all around the world. This is no small task.

Retrieving comes into play when a search engine user types in a keyword or a string of keywords. The search engine goes into action retrieving all of the urls that it has stored which are relevant to the keyword and returns this information to the user.

Ranking of web pages is essential for the satisfaction of the user’s query. Search engines rank each web page that they find according to things like trust factors, page rank and even go as far as considering the user’s search history and where they are geographically. Hundreds of factors are weighted and considered by the engine in concert with one another.

Wednesday, June 20, 2012


How to Find Email Sender IP Address and Location

Internet emails are designed to carry the IP address of the computer from which the email was sent. This IP address is stored in an email header delivered to the recipient along with the message. Email headers can be thought of like envelopes for postal mail. They contain the electronic equivalent of addressing and postmarks that reflect the routing of mail from source to destination.

Finding IP Addresses in Email Headers

Many people have never seen an email header, because modern email clients often hide the headers from view. However, headers are always delivered along with the message contents. Most email clients provide an option to enable display of these headers if desired.

Internet email headers contain several lines of text. Some lines start with the words Received: from. Following these words is an IP address, such as in the following fictitious example:

Received: from abc.ab.ac (65.54.x.x) by mail1.aol.com with SMTP; 20 Jun 2012 02:27:02 -0000

These lines of text are automatically inserted by email servers that route the message. If only one "Received: from" line appears in the header, a person can be confident this is the actual IP address of the sender.

How do I get the header to start the trace email process?

Each electronic messaging program will vary as to how you get to the message options. I'll cover the basics to start the trace...the rest is up to you.
  • GMail - Open the correspondence. In the upper right corner of the email you'll see the word Reply with a little down arrow to the right. Click the down arrow and choose Show Original.
  • Hotmail - Right click the memo and choose View Message Source.
  • Yahoo! - Right click the note and choose View Full Headers.
You can see that no matter the program, the headers are usually just a right click away.

Internet Email Services and IP Addresses

Finally, the popular Internet-based email services differ greatly in how they use IP addresses in email headers. Use these tips to identify IP addresses in such emails.
  • Google's Gmail service omits the sender IP address information from all headers. Instead, only the IP address of Gmail's mail server is shown in Received: from. This means it is impossible to find a sender's true IP address in an email received from Gmail.
  • Microsoft's Hotmail service provides an extended header line called "X-Originating-IP" that contains the sender's actual IP address.
  • Emails from Yahoo contain the sender's IP address in the last Received: entry.


Then open http://www.ip2location.com/demo, paste the IP address and click the Lookup button to get the complete details of the IP.
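As an added example (not from the original post), the following standard-library Python walks the Received: chain of a raw message hop by hop, picks up X-Originating-IP where a provider adds it, and skips private addresses that only describe the sender's LAN. Both messages are constructed for the demo and use documentation address ranges; the header layout follows the "Received: from" form quoted above.

```python
# Added example, not from the original post: walk the Received: chain of a raw
# message with the standard library and pull out the IP addresses hop by hop,
# honouring X-Originating-IP where a provider adds it. The messages below are
# constructed for the demo; their addresses come from documentation ranges.
import email
import ipaddress
import re

SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.5])
    by mail1.example.org with ESMTP; 20 Jun 2012 02:27:05 -0000
Received: from userpc.example.com (198.51.100.23)
    by mx2.example.net with SMTP; 20 Jun 2012 02:27:02 -0000
X-Originating-IP: [198.51.100.23]
From: sender@example.com
To: recipient@example.org
Subject: constructed sample

body
"""

# A provider that hides the sender behind its own relays: the innermost hop
# only shows an RFC 1918 address, so the outermost public hop is the best
# that can be learned from the headers. (Constructed.)
RELAYED_MESSAGE = """\
Received: from mail-relay.example.net (203.0.113.9)
    by mail1.example.org with ESMTP; 20 Jun 2012 03:10:00 -0000
Received: from [192.168.1.20] by mail-relay.example.net with HTTP;
    20 Jun 2012 03:09:58 -0000
From: someone@example.net
To: recipient@example.org
Subject: constructed sample 2

body
"""

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Addresses that only identify the sender's own LAN, not the sender.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def ips_in(text):
    """Valid IPv4 addresses in a header value, in order of appearance."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            found.append(str(ipaddress.IPv4Address(candidate)))
        except ValueError:  # e.g. 999.1.1.1 matches the pattern but is not an address
            pass
    return found


def received_chain(raw_message):
    """Received: hops in header order: the first is the recipient's server,
    the last is the hop nearest the sender (the order the post relies on)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        from_match = re.match(r"from\s+(\S+)", flat)
        hops.append({"from": from_match.group(1) if from_match else None,
                     "ips": ips_in(flat), "raw": flat})
    return hops


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def likely_sender_ip(raw_message):
    """Best guess for the sender's address: X-Originating-IP if present,
    otherwise the first non-LAN address walking the chain from the sender's
    side outward. Returns None when every hop is internal."""
    msg = email.message_from_string(raw_message)
    candidates = ips_in(msg.get("X-Originating-IP", ""))
    for hop in reversed(received_chain(raw_message)):
        candidates.extend(hop["ips"])
    for ip in candidates:
        if not is_local(ip):
            return ip
    return None


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("relayed", RELAYED_MESSAGE)):
        for hop in received_chain(raw):
            print(name, hop["from"], hop["ips"])
        print(name, "likely sender:", likely_sender_ip(raw))
```

Received: lines are written by each relay in turn, so only the hops added by servers you trust are reliable; a sender can forge the lines below them.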