0×05 Moving to new blog….!

tnagareshwar — Tue, 24 Apr 2007 04:40:54 +0000

I have finally setup new blog at http://nagareshwar.securityxploded.com. This will focus entirely on variety of computer security topics as the current blog did.

Please move on to my new blog at http://nagareshwar.securityxploded.com. Hope you will find it more exciting and informative than the current one.

– Nagareshwar Talekar

0×04 SecurityXploded.com: my new security website

tnagareshwar — Mon, 16 Apr 2007 19:33:11 +0000

I have moved my old website ( http://nagmatrix.50webs.com) to a new security website
http://securityxploded.com. This website will focus on advanced computer security topics such as antivirus, malware research, vulnerability research, reverse engineering, wireless security, security tools etc.

Hope you will find it interesting .Your suggestion will help me to make it better. So don’t hesitate to drop your comments.

Meanwhile have a look at http://securityxploded.com

- Nagareshwar Talekar

0×03 Office 2007: 4 bugs, 3 hours, 7 lines of python fuzzer

tnagareshwar — Mon, 09 Apr 2007 18:58:04 +0000

Muts (BackTrack guy) has claimed that he has found 4 zero day vulnerabilities in Windows office 2007 suite using 7 lines of python fuzzer code in just 3 hours.

Here are the details on each vulnerabilities and possible exploitation
=================================================================

+ Unspecified Overflow in word 2007 – Crash in wwlib.dll . Code execution is not trivial.
+ Word 2007 CPU exhaustion DOS – CPU shoots up to 100 %.
+ Word 2007 CPU exhaustion DOS + ding – CPU shoots up to 100 %, and windows goes .ding!.
+ Heap overflow in Windows HLP files – Funky heap overflow crash.

The files can be found at http://www.offensive-security.com/0day/0day.tar.gz

Note : These are not normal bugs. The documents in this zip file are actually POC files to demonstrate the above mentioned security vulnerabilities and just opening this file may not be good for your system’s health

If 7 lines of python can find these many vulnerabilities in mere 3 hours, then you can imagine how secure is Office 2007 which has gone through extensive security screenings. Its going to be treat for security researchers

- Signing out -
Nagareshwar Talekar

0×02 ReactOS : open source clone of Windows XP

tnagareshwar — Thu, 05 Apr 2007 19:16:59 +0000

ReactOS® is an advanced free open source operating system providing a ground-up implementation of a Microsoft Windows® XP compatible operating system. ReactOS aims to achieve complete binary compatibility with both applications and device drivers meant for NT and XP operating systems, by using a similar architecture and providing a complete and equivalent public interface.

Well, developers have to do lot of reverse engineering to make it as much perfect clone of Windows as possible. This will not only help the users to get free OS but also help the developers to understand internals of Windows in much better way.

Though it is still in alpha stage, it is capable of running most of Windows XP applications without any modification. You can look at screenshots here to get a feel of ReactOS running most popular applications including some of the games as well.

Only time will answer, if ReactOS will be able to bring out the best of Linux and Windows world …!

– Nagareshwar Talekar

0×01 Remotely detecting directory servers

tnagareshwar — Mon, 02 Apr 2007 04:57:59 +0000

Most of the applications use directory servers such as Active Directory, eDirectory etc. Some of the applications even work with multiple directories. In such scenario where multiple directories are being used, there is need to know the type of directory servers without physically checking the system.

I myself had to play with multiple directory servers in the lab and every time I had to login to detect the directory server running on the system. Its often time consuming when large number of systems are involved.

To simplify this task, I did some research on multiple directory servers and their behavior. As a result I had comes up with a tool named RemoteDirDetector which scans the entire network range and reports the type of directory servers running on each of those machines within few seconds.

You can find my original article on behaviors of different directory servers here.

Hope you will find it useful, do write your feedback.

- Nagareshwar

0x0d Is it a virus or not?

tnagareshwar — Sat, 24 Mar 2007 14:19:36 +0000

Most of the time any virus entering your machine will be detected by antivirus software. But these softwares are programmed to protect your PC from known viruses only. So if you are being attacked by any new virus for which your antivirus softwares does not have signature then you are at the mercy of virus coder…!

Some times a virus which is detected by one antivirus software goes undetected by another software especially when the virus is in the initial stages. Also some times you may not have antivirus on your machine and wants to know if the suspicious program is virus or not.

In such cases you can submit any such program to VirusTotal.com which provides free online virus scanning facility. VirusTotal has got latest signatures from all antivirus vendors on the earth and provides latest information about virus infection status. You can not only detect any infection but also find out name of the virus as named by different vendors.

If the VirusTotal does not show any infection, then you can submit the binary file to different antivirus vendors and get the details of infection caused by the program.

Here are some of the online submission links from top antivirus vendors.

Company	Virus Submission Link
Symantec	http://www.symantec.com/avcenter/submit.html
McAfee	http://vil.nai.com/vil/submit-sample.aspx
F-Secure	http://support.f-secure.com/enu/home/virusproblem/sample/index_sample.shtml
CalmAV	http://cgi.clamav.net/sendvirus.cgi

Alternative way is to directly email the sample program to these antivirus vendors. You can find the complete mailing list here.

Now you know what to do if you find any suspicious virus hanging around your PC…!

- Nagareshwar

0x0c Remove BHO and speed up your computer

tnagareshwar — Thu, 22 Mar 2007 07:16:58 +0000

BHO stands for Browser Helper Objects which are plugins written for Internet Explorer to enhance its capabilities. But most of the times these BHO’s get loaded into explorer.exe and slow down your computer considerably. Also it is being misused by many spyware programs which monitor user’s browsing habits and also steal the online credentials silently.

To remove such BHO’s from the system I have written a tool, BHORemover which makes it easy to identify suspicious plugins and then remove them completely. The important feature of BHORemover is to make it easy to differentiate between legitimate and non-legitimate plugins by providing information such as full path of BHO, vendor name etc.

BHORemover tool allows you to quickly scan your machines for all installed BHOs, then displays the complete list as shown in the above screen. Then you can select suspicious or unwanted BHO’s and then remove them from the system completely.

Once you restart, your computer will be more faster and better than earlier..!

- Nagareshwar

0x0b Making application Vista UAC compliant

tnagareshwar — Tue, 20 Mar 2007 09:38:12 +0000

Vista has new feature called User Account Control in short UAC which will control the way applications are executed by different users. The applications which access certain parts of registry and system folders has to be made UAC compliant to work properly on Vista. By making applications UAC compliant means that you have to inform Vista, the privilege level required by your application and other such information. This can be achieved by embedding a manifest file containing all these details into the existing executable file.

I have written a tool VistaUACMaker which automatically makes any windows application Vista UAC compliant. This program creates the manifest file based on the specified privilege level and then puts it into the target application. So Vista knows how to execute that application and does it silently without prompting the user for anything.

Here you need not have to change any of the default settings most of the time. I have also written console version of this tool which is helpful for automation. You can get the same from here..

That’s for the day..

- Nagareshwar

0x0a RainbowCrack : Recovering the windows password in seconds

tnagareshwar — Mon, 19 Mar 2007 08:27:59 +0000

Gone are the days when we have to wait for the days together to crack the windows password. Thanks to the rainbow crack technology. Now you can crack the passwords in few seconds and that too with 100% success rate.

This Rainbow cracking technology works on simple concept. Instead of computing the LM hashes dynamically during cracking, hashes are computed in advanced for all character sets.These hashes are then stored in rainbow tables. So cracking involves just comparing the precomputed hashes with the LM hash to be cracked. Hence it takes very less time compared to traditional method of brute force cracking.

Read the detailed tutorial on using rainbow crack to recover windows password here. This will give you deep insight on windows password recovery process.

Hope this article has enlightened you on new quick method of password cracking. Do write your comments…

- Nagareshwar

0×09 using BackTrack to fix windows registry

tnagareshwar — Sat, 17 Mar 2007 08:39:56 +0000

BackTrack is the most popular Linux live CD distribution focused on penetration testing.It comes loaded with all the top security tools so that you can immediately startup with your work without the need for downloading and installing any of the tools.

One of the use of BackTrack is to fix windows problems such as fixing the registry, resetting the user passwords etc. Here I am going to explain how we can use BackTrack to fix the windows registry.

Often times, we mess up with the windows registry leaving the system in hanged state.There comes the BackTrack into picture to restore our system. It has little but powerful tool called chntpw which not only allows resetting the user passwords and also comes with full fledged registry editor.

I have written detailed tutorial on troubleshooting the registry problems using BackTrack. This article explains step by step from starting backtrack to editing the registry using chntpw tool. You can find the article on my website.Hope you have enjoyed every bit of it as much as I do whenever I am on BackTrack.

- Signing out
Nagareshwar