Friday, 1 December 2006

X11 on MacOS X (Tiger)


1) Insert Disk 1 of the Tiger install discs (you don't have to boot from it)
2) Double click the DVD icon to open a Finder window
3) Scroll down the window until you find the "Optional Installs" package.
4) Double click it and follow the installer until you get to "Installation Type"
5) Select "Applications" and under it you'll find "X11"
6) Select it and follow the rest...

jchuzi

Wednesday, 29 November 2006

Testing FatWire 6 security (administrator.pdf)

Copied from the FatWire documentation, specifically the administrator's manual. It came in handy for an audit.

Security Tests for All Systems
After you have implemented your security measures, test your systems.
Complete the following steps on your development, management, and delivery systems:


  1. Try to log in to the database with Content Server Explorer using the default user
     accounts:

     - DefaultReader: if you can log in using SomeReader as the password, the
       secure.CatalogManager and secure.TreeManager properties are set to
       false. Change them to true.
     - ContentServer: if you can log in using FutureTense as the password, change the
       password immediately.
     - editor: if you can log in using xceleditor as the password, change the password
       immediately.
     - fwadmin: if you can log in using xceladmin as the password, change the password
       immediately.

  2. Verify that the sample site users do not exist on the management or delivery systems.
  3. Verify that you cannot log in as ContentServer/FutureTense using a CatalogManager URL:
     http://servername/pathToservlet/CatalogManager?ftcmd=login&username=ContentServer&password=FutureTense
  4. Verify that you cannot flush the entire cache as ContentServer/FutureTense using a
     CacheServer URL:
     http://servername/pathToservlet/CacheServer?all=true&authusername=ContentServer&authpassword=FutureTense
  5. Verify that you cannot log in to the application server as the default administrator user.
  6. Verify that you cannot log in to the database as the default administrator user.
  7. Verify that you cannot log in to the web server as the default administrator user.

Additional Security Tests for the Delivery System

In addition to the preceding six steps, complete the following tasks to test your security
setup on the delivery system:

  1. Verify that you removed the developer forms from the web server:
     http://yourhost/futuretense_cs/Dev
     If the futuretense_cs directory is present, delete it and then set the
     cs.wrapper property to false.
     Note: do not remove this directory from the application server. Remove
     it from the web server only.
  2. Verify that you cannot log in to CS-Direct:
     http://yourhost/Xcelerate/LoginPage.html
     If you can log in, change the names of the LoginPage and LoginPost pages.
  3. Verify that you mapped URLs for all servlets other than ContentServer, BlobServer,
     CookieServer, and Satellite to display a "404 Page Not Found" message. If you can
     send a request to any other servlet, you should map that URL to an error page
     immediately.


Thursday, 23 November 2006

SQL Injection Tools

Here's the list:

  • sqlbf: without a doubt, the first and the best. Geniuses do genius things.
  • sqlinjector: from NGSSoftware; a bit dated these days.
  • bfsql: blind SQL injection for MySQL (mine, that is). An endless TODO, and an endless++ BUGS list.
  • sqlpowerinjector: MySQL, Oracle, SQL Server, PostgreSQL, Sybase?... normal and blind SQL injection. I have never managed to get it working.
  • sqlmap: blind for MySQL and PostgreSQL.
  • sqlninja: injection for SQL Server.
  • bobcat: for SQL Server. Not bad, but you have to set up an MSDE to get it running... and it struggles!
  • absinthe: PostgreSQL, Oracle, SQL Server, Sybase?... quite nice, although it has a couple of flaws that could be improved...
  • sqlbrute: SQL Server and Oracle. Blind SQL injection for dumping tables. Doesn't run as smoothly as it should.
  • automagic: automation for exploiting SQL Server.
  • webinspect - sql injector: commercial, only available as part of the WebInspect package; Oracle, SQL Server, Sybase... really good.
  • SQLIBF: really good, very powerful. Nice work!
  • Priamos: SQL dump for SQL Server. Very simple and effective in my experience.
  • FG-Injector: a bit confusing to use, but efficient.
  • SQLDumper: not tested yet.
  • SQL Injection Tool: untested.
  • ISR-sqlget: untested.
  • SQLix: from OWASP, fairly simple.
  • SQLID: in Ruby; doesn't convince me.
  • SQLier: bash script... ehm..
  • Pangolin: of the three SQL databases I tried it on, it didn't work on any of them; still, it looks promising.
  • Squeeza: for MSSQL, released at BH2007, time-based attack.
  • BSQLHacker: runs on Windows; MSSQL, Oracle and (in beta) MySQL; time-based.
  • Marathon Tool: from our friends at ElLadoDelMalisimo, time-based, d16, awesome.
  • Witool: Korean, SQL Server and Oracle. Not tested.

Friday, 17 November 2006

Checking the HTTP Server header over HTTPS


Basically:

aramosf~$ echo -e "GET / HTTP/1.0\r\nHost: www.gmail.com\r\n\r\n" | openssl s_client -quiet -connect www.gmail.com:443 2>/dev/null | awk -F: '/^Server:/ { print $2 }'

Monday, 13 November 2006

Burning a BIN/CUE image on MacOS

The .cue file must contain the correct path to the .BIN file.

Little console command:
$ drutil -drive internal burn -noverify -eject Imagen.cue


Sunday, 12 November 2006

Registry MRU Keys / Forensics

I haven't found much information, nor any list of the Windows registry keys that hold the most important MRUs and that should be checked in any self-respecting forensic investigation.

By doing a bit of reversing on MRU-Blaster and looking through several registries, I've managed to put together a reasonably acceptable list.

I'll try to organise this information in an Excel sheet that we'll post on the 514.es site.

This information can be queried with Perl over a .reg file (easily exported from regedit itself, or with tools such as MiTeC's WRR), or with system commands if the machine is powered on:

C:\> reg query "HKCU\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery" /s

Or write a script that goes through a file and tries every possible option (the "delims=" is needed because many of these keys contain spaces):
C:\> for /F "delims=" %i in (forensic_mru.txt) do reg query "%i" /s

A quick way to search for these keys and extend the list could be:

C:\>reg query HKCU\ /s | find "Opened" | find "HKEY"
C:\>reg query HKCU\ /s | find "MRU" | find "HKEY"
C:\>reg query HKCU\ /s | find "Recent File List" | find "HKEY"


And here's the list....

HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Create custom dictionary\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Add Custom Dictionary\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Insert Picture\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Create custom dictionary\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Add Custom Dictionary\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Insert Picture\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\New from Existing Document\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft PowerPoint\Settings\Insert Picture\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Document Imaging\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Document Imaging\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft Word\Settings\Select File to Merge Into Current Document\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Office\Settings\Open Office Document\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Office\Settings\Open Office Document\Any Text MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft PowerPoint\Settings\Save\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Excel\Recent File List
HKCU\Software\Microsoft\Office\9.0\Excel\Recent Files
HKCU\Software\Microsoft\Office\10.0\PowerPoint\Recent File List
HKU\.DEFAULT\Software\Microsoft\Office\10.0\Excel\Recent Files
HKCU\Software\Microsoft\Office\10.0\Excel\Recent Files
HKCU\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery
HKCU\Software\Microsoft\Office\10.0\Excel\Recent Templates
HKCU\Software\Microsoft\Office\10.0\PowerPoint\Recent Templates
HKCU\Software\Microsoft\Office\10.0\Word\Recent Templates
HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List
HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List
HKCU\Software\Gabest\Media Player Classic\Recent Dub List
HKU\.DEFAULT\Software\Microsoft\MSPaper\Persist File Name
HKCU\Software\Microsoft\MSPaper\Persist File Name
HKCU\Software\Microsoft\MSPaper\Recent File List
HKCU\Software\Foxit Software\Foxit Reader\Recent File List
HKU\.DEFAULT\Software\Microsoft\MSE\10.0\FileMRUList
HKU\.DEFAULT\Software\Microsoft\MSE\10.0\ProjectMRUList
HKU\.DEFAULT\Software\Microsoft\MSE\10.0\SolutionMRUList
HKCU\Software\Microsoft\MSE\10.0\FileMRUList
HKCU\Software\Microsoft\MSE\10.0\ProjectMRUList
HKCU\Software\Microsoft\MSE\10.0\SolutionMRUList
HKCU\Software\Corel\User Assistant\9\Recent Work\WordPerfect\Last Opened
HKCU\Software\Corel\User Assistant\10\Recent Work\WordPerfect\Last Opened
HKCU\Software\Corel\User Assistant\9\Recent Work\QuattroPro\Last Opened
HKCU\Software\Corel\User Assistant\10\Recent Work\QuattroPro\Last Opened
HKCU\Software\Corel\User Assistant\9\Recent Work\Corel Presentations\Last Opened
HKCU\Software\Corel\User Assistant\10\Recent Work\Corel Presentations\Last Opened
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList
HKCU\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir
HKU\.DEFAULT\Software\Microsoft\MediaPlayer\Player\RecentFileList
HKCU\Software\Microsoft\MediaPlayer\Player\Settings\SaveAsDir
HKCU\Software\Microsoft\MediaPlayer\Preferences\CDRecordPath
HKCU\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
HKCU\Software\Google\NavClient\1.1\History
HKU\.DEFAULT\Software\7-ZIP\FM
HKCU\Software\7-ZIP\FM
HKCU\Software\ahead\Nero - Burning Rom\Settings\BrowserDir
HKCU\Software\ahead\Nero - Burning Rom\Settings\ImageDir
HKCU\Software\ahead\Nero - Burning Rom\Settings\NeroCompilation
HKCU\Software\ahead\Nero - Burning Rom\Settings\WorkingDir
HKU\.DEFAULT\Software\Macromedia\Flash 6\Open Document
HKCU\Software\Macromedia\Flash 6\Open Document
HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\LastLoginTime
HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\LastOpenFileDir
HKCU\Software\SmartFTP\Queue
HKCU\Software\SmartFTP\LocalView
HKCU\Software\WinRAR\General\LastFolder
HKCU\Software\Nico Mak Computing\WinZip\directories
HKCU\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles
HKU\.DEFAULT\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles
HKU\.DEFAULT\Software\Adobe\Acrobat Reader\6.0\AVGeneral\cRecentFiles
HKCU\Software\Adobe\Acrobat Reader\6.0\AVGeneral\cRecentFiles
HKU\.DEFAULT\Software\Adobe\Adobe Acrobat\6.0\AVGeneral\cRecentFiles
HKCU\Software\Adobe\Adobe Acrobat\6.0\AVGeneral\cRecentFiles\c1
HKCU\Software\MGI\VideoWave\Recent File List
HKCU\Software\Sierra Imaging\Image Expert 2000\Recent Album List
HKCU\Software\ahead\Nero - Burning Rom\Recent File List
HKU\.Default\Software\ahead\Nero - Burning Rom\Recent File List
HKCU\Software\ahead\nero wave editor\Recent File List
HKU\.Default\Software\ahead\nero wave editor\Recent File List
HKCU\Software\ahead\Cover Designer\Recent File List
HKU\.Default\Software\ahead\Cover Designer\Recent File List
HKCU\Software\BVRP Software\Annuaire\Recent File List
HKCU\Software\Microsoft\HTML Help Workshop\Recent File List
HKCU\Software\Microsoft\HTML Help Workshop\Project Files
HKCU\Software\Microsoft\HTML Help Workshop\Html Titles
HKCU\Software\Microsoft\HTML Help Workshop\Compressed HTML
HKCU\Software\Microsoft\Picture It! Publishing\5.0\Recent File List
HKCU\Software\Software602\602Tab\Recent File List
HKCU\Software\Software602\WinMgr\1.0\602Tab\Recent Files
HKCU\Software\Software602\602Text\2000\Settings
HKCU\Software\TMT Development\TMT Pascal Lite 3
HKCU\Software\HeadLight\GetRight\TypedURLs
HKU\.Default\Software\HeadLight\GetRight\TypedURLs
HKCU\Software\Jasc\Paint Shop Pro 6\Recent File List
HKCU\Software\Jasc\Paint Shop Pro 7\Recent File List
HKCU\Software\Jasc\Paint Shop Pro 8\Recent File List
HKCU\Software\Greatis\Regrun2\RegAdviser\LocateHistory
HKCU\Software\Ontrack\PowerDesk\CurrentVersion\PDFind\FileNames
HKCU\Software\SpeedBit\Download Accelerator\HistoryCombo
HKCU\Software\Microsoft\Office\10.0\Clip Organizer\Search\Last Query
HKU\.Default\Software\Microsoft\Office\10.0\Clip Organizer\Search\Last Query
HKCU\Software\Microsoft\ClipArt Gallery\2.0\MRUDescription
HKU\.DEFAULT\Software\JetCar\JetCar\Recent File List
HKU\.DEFAULT\Software\JetCar\JetCar\DownDir
HKCU\Software\JetCar\JetCar\Recent File List
HKCU\Software\JetCar\JetCar\DownDir
HKU\.DEFAULT\Software\VB and VBA Program Settings\Microsoft Visual Basic AddIns\VisData6
HKCU\Software\VB and VBA Program Settings\Microsoft Visual Basic AddIns\VisData6
HKU\.DEFAULT\Software\CursorArts\MRU Items
HKCU\Software\CursorArts\MRU Items
HKU\.DEFAULT\Software\Spidersoft\WebZIP\Settings
HKCU\Software\Spidersoft\WebZIP\Settings
HKU\.DEFAULT\Software\Advanced Grapher\RecentFiles
HKCU\Software\Advanced Grapher\RecentFiles
HKU\.DEFAULT\Software\MeeSoft\ImageAnalyzer
HKCU\Software\MeeSoft\ImageAnalyzer
HKU\.DEFAULT\Software\InstallShield\Express\4.0\Recent File List
HKCU\Software\InstallShield\Express\4.0\Recent File List
HKU\.DEFAULT\Software\Impact\Microangelo\Animator\MRU List
HKU\.DEFAULT\Software\Impact\Microangelo\Librarian\MRU List
HKU\.DEFAULT\Software\Impact\Microangelo\Studio\MRU List
HKCU\Software\Impact\Microangelo\Animator\MRU List
HKCU\Software\Impact\Microangelo\Librarian\MRU List
HKCU\Software\Impact\Microangelo\Studio\MRU List
HKU\.DEFAULT\Software\FerretSoft\NetFerret\CurrentVersion\Web
HKCU\Software\FerretSoft\NetFerret\CurrentVersion\Web
HKU\.DEFAULT\Software\ORL\VNCviewer\MRU
HKCU\Software\ORL\VNCviewer\MRU
HKU\.DEFAULT\Software\PowerArchiver\Files
HKCU\Software\PowerArchiver\Files
HKU\.DEFAULT\Software\Microsoft\DevStudio\6.0\Recent File List
HKCU\Software\Microsoft\DevStudio\6.0\Recent File List
HKU\.DEFAULT\Software\e-merge\WinAce\2.0\MRU Items
HKCU\Software\e-merge\WinAce\2.0\MRU Items
HKU\.DEFAULT\Software\JGsoft\EditPadLite\Search
HKCU\Software\JGsoft\EditPadLite\Reopen
HKU\.DEFAULT\Software\VB and VBA Program Settings\3D Canvas\Application
HKCU\Software\VB and VBA Program Settings\3D Canvas\Application
HKU\.DEFAULT\Software\Vallen-Systeme GmbH\Vallen JPegger\MRU-Files-BMP&PCX
HKU\.DEFAULT\Software\Vallen-Systeme GmbH\Vallen JPegger\MRU-Folders-IMG
HKU\.DEFAULT\Software\Vallen-Systeme GmbH\Vallen JPegger\MRU-Folders-MP3
HKCU\Software\Vallen-Systeme GmbH\Vallen Zipper\MRU-Files-ZIP
HKU\.DEFAULT\Software\M.Dev Software\ZG5\MRU Items
HKCU\Software\M.Dev Software\ZG5\MRU Items
HKCU\Software\WinRAR\ArcHistory
HKCU\Software\Trident Software\PowerZip\Recent File List
HKCU\Software\Trident Software\PowerZip\Doc
HKCU\Software\WinRAR\DialogEditHistory\ExtrPath
HKCU\Software\Nico Mak Computing\WinZip\extract
HKCU\Software\Gnucleus\Searches
HKCU\Software\Kazaa\Search
HKU\.Default\Software\Kazaa\Search
HKCU\Software\Jasc\Animation Shop 2\Recent File List
HKCU\Software\Jasc\Animation Shop 3\Recent File List
HKCU\Software\Jasc\Jasc Media Center Plus\Recent File List
HKCU\Software\Jasc\Jasc WebDraw 1\Recent File List
HKCU\Software\Macromedia\Flash 5\Recent File List
HKCU\Software\Macromedia\Flash 6\Recent File List
HKCU\Software\Macromedia\Firework 6\Recent File List
HKCU\Software\Macromedia\Dreamweaver 4\Recent File List
HKCU\Software\Macromedia\Dreamweaver 6\Recent File List
HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
HKCU\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
HKCU\Software\Ulead Systems\Ulead PhotoImpact\7.0\Recent File List
HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor
HKU\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor
HKCU\Software\Creative Tecg\Creative Wavestudio\Settings
HKCU\Software\Freeware\VirtualDub\MRU List
HKCU\Software\Microsoft\Journal Viewer\MRU
HKCU\Software\Ying3\DLExpert\MAIN
HKCU\Software\Microsoft\Search Assistant\ACMru\5001
HKCU\InstallLocationsMRU
HKU\.Default\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
HKU\.Default\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
HKCU\Software\RealVNC\VNCViewer4\MRU
HKCU\Software\Ahead\Cover Designer\Recent File List
HKCU\Software\Ahead\Nero - Burning Rom\Recent File List
HKCU\Software\Ahead\Nero WaveEditor\Recent File List
HKCU\Software\DVD Shrink\DVD Shrink 3.2\Recent File List
HKCU\Software\DVDAuthor2\DVD-lab\Recent File List
HKCU\Software\Macromedia\Dreamweaver 8\Recent File List
HKCU\Software\Macromedia\Fireworks\8\ini\Recent File List
HKCU\Software\Macromedia\Flash 8\Recent File List
HKCU\Software\Microsoft\Consola de administración de Microsoft\Recent File List
HKCU\Software\SoulSeek\SoulSeek\Recent File List
HKCU\Software\WinHTTrack Website Copier\WinHTTrack Website Copier\Recent File List
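The post mentions going through an exported .reg file with Perl; here is that idea as an added Python example (not the Excel sheet or any script from 514.es). It parses a regedit 5.00 export, expands the HKCU/HKU abbreviations used in the list above, and pulls out every value stored under a watched key, or a watched single value such as LastFolder. The .reg content and the paths in it are constructed.

```python
from typing import Dict, Iterable, List, Tuple

# Hive abbreviations used in the list above -> the names regedit writes in a .reg export.
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS",
         "HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT"}

# A few paths from the list above; in practice read the whole list from forensic_mru.txt.
# Some entries name a key (TypedURLs), others name a single value (LastFolder).
MRU_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List",
    r"HKCU\Software\Microsoft\Internet Explorer\TypedURLs",
    r"HKCU\Software\WinRAR\General\LastFolder",
    r"HKCU\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery",
]

# Constructed sample export (a real .reg file is UTF-16: open it with encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File1"="C:\\Documents and Settings\\alice\\My Documents\\notes.txt"
"File2"="\\\\fileserver\\share\\contract.rtf"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example/"
"url2"="http://www.example.org/login"

[HKEY_CURRENT_USER\Software\WinRAR\General]
"LastFolder"="D:\\downloads"
"ShowComment"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\1a2b3c]
"1a2b3c"=hex:62,00,75,00,64,00,67,00,65,00,74,00,2e,00,78,00,6c,00,73,00,\
  00,00
'''


def normalize_key(path: str) -> str:
    """Expand the hive abbreviation and lower-case the path (registry paths are case-insensitive)."""
    hive, sep, rest = path.partition("\\")
    return (HIVES.get(hive.upper(), hive) + sep + rest).rstrip("\\").lower()


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(raw: str) -> str:
    if raw.startswith('"'):                      # REG_SZ
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):                 # REG_DWORD
        return str(int(raw[6:], 16))
    if raw.startswith("hex"):                    # hex:, hex(2):, hex(7): best-effort UTF-16 text
        data = bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
        return data.decode("utf-16-le", "ignore").rstrip("\0")
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit 5.00 export into {normalized key: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            while line.endswith("\\") and i < len(lines):   # hex values wrap onto continuation lines
                line = line[:-1] + lines[i].strip()
                i += 1
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else _unescape(name.strip('"'))
            keys[current][name] = _decode_value(raw)
    return keys


def extract_mru(reg: Dict[str, Dict[str, str]], watch: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(key, value name, value) for everything at or below a watched key, or for a watched value."""
    hits, seen = [], set()
    for w in map(normalize_key, watch):
        parent, _, leaf = w.rpartition("\\")
        for key, values in reg.items():
            if key == w or key.startswith(w + "\\"):
                wanted = list(values.items())
            elif key == parent:                  # the watched path names a value, not a key
                wanted = [(n, v) for n, v in values.items() if n.lower() == leaf]
            else:
                continue
            for name, value in sorted(wanted):
                if (key, name) not in seen:
                    seen.add((key, name))
                    hits.append((key, name, value))
    return hits


if __name__ == "__main__":
    for key, name, value in extract_mru(parse_reg(SAMPLE_REG), MRU_KEYS):
        print(f"{key}\n    {name} = {value}")
```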

Wednesday, 1 November 2006

Useful XP applications from microsoft.com

To clean up the registry hive, specifically CURRENT_USER; it runs as a service:
http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Interesting PowerToys from Microsoft:
http://www.microsoft.com/spain/windowsxp/downloads/powertoys/xppowertoys.mspx

Worth mentioning in particular: TweakUI, to tune settings on XP SP1 or later; TaskSwitch, which adds a thumbnail when you Alt-Tab; Deskman, virtual desktops Linux-style.

Monday, 30 October 2006

Mounting partitions from a loopback device.

Another option for joining split files created with 'dd' is cat file1 file2 file3 >blah.img

If that blah.img contains an image of a whole disk, it has the partition table inside it, so it can't be mounted with a simple mount -o loop...

To do it:

# losetup /dev/loop0 blah.img
# fdisk -l -u /dev/loop0

Disk /dev/loop0: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders, total 156301488 sectors
Units = sectors of 1 * 512 = 512 bytes

      Device Boot      Start         End      Blocks   Id  System
/dev/loop0p1   *          63   156296384    78148161    7  HPFS/NTFS


It would be great if /dev/loop0p1 existed, but it doesn't, and worse, it can't be created with mknod like any other device. The workaround is to calculate the offset at which the partition starts and pass it to losetup:

(multiply the sector size in bytes (512) by the start sector (63))
$ echo $((512*63))
32256
$ losetup -o 32256 /dev/loop1 blah.img
$ mount -t ntfs /dev/loop1 /mnt/hd1


Mounting several dd images as a single device

Using the device mapper and loop devices, it's possible to mount an image taken with 'dd' and split across several files...

pelon's how-to:

15:30 Pci: [root@Leviatan tmp]# ls -l root_fs_armeb.*
15:30 Pci: -rw-r--r-- 1 root root 100 Sep 12 15:27 root_fs_armeb.dmsetup
15:30 Pci: -rw-r--r-- 1 root root 41411584 Sep 12 13:17 root_fs_armeb.ext2
15:30 Pci: -rw-r--r-- 1 root root 20971520 Sep 12 13:18 root_fs_armeb.partaa
15:30 Pci: -rw-r--r-- 1 root root 20440064 Sep 12 13:18 root_fs_armeb.partab
15:30 Pci:
15:30 Pci: [root@Leviatan tmp]# losetup /dev/loop0 root_fs_armeb.partaa
15:30 Pci: [root@Leviatan tmp]# losetup /dev/loop1 root_fs_armeb.partab
15:30 Pci: [root@Leviatan tmp]# losetup /dev/loop1 root_fs_armeb.partab
15:30 Pci: [root@Leviatan tmp]# cat root_fs_armeb.dmsetup
15:30 Pci: # List of linear stripes (Pci: r0x++^2)
15:30 Pci: 0 40960 linear /dev/loop0 0
15:30 Pci: 40960 39922 linear /dev/loop1 0
15:31 Pci: [root@Leviatan tmp]# cat root_fs_armeb.dmsetup |dmsetup create test
15:31 Pci: [root@Leviatan tmp]# mount /dev/mapper/test /mnt
15:31 Pci: [root@Leviatan tmp]# ls /mnt

15:31 Pci: bin dev etc home lib linuxrc lost+found mnt opt php proc root sbin tmp usr var
15:34 Pci: just one thing..
15:34 Pci: you have an initial limit of 256 loops
15:34 Pci: although by default it's 16
15:35 Pci: you have to load the loop module with max_loop=256 (or X) to be able to map the N 4gb-files
15:41 dab: how did you get the numbers
15:41 dab: for the blocks
15:42 Pci: dab: file_size/512
15:42 Pci: but careful with using $(du -B 512 file)
15:43 Pci: because it doesn't give the same as $[$(ls -l file | awk '{print $5}')/512]
15:44 Pci: I set the sizes from the size/512 that ls gives
15:44 Pci: if you get problems.. use the one from du -B512, and if not.. the one from ls
15:44 Pci: follow me?
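The arithmetic in the two posts above (partition start sector times sector size for losetup -o, and file size divided by 512 for each dmsetup linear segment) as an added Python example; this is not code from the posts or the chat. The fdisk text is a copy of the output shown above and the file sizes are the two root_fs_armeb.part* files from the chat.

```python
import re
from typing import List, Tuple

# Copy of the fdisk -l -u output from the post above.
FDISK_OUTPUT = """\
Disk /dev/loop0: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders, total 156301488 sectors
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/loop0p1   *          63   156296384    78148161    7  HPFS/NTFS
"""


def partition_offset(fdisk_text: str, partition: str) -> int:
    """Byte offset of `partition` (e.g. /dev/loop0p1) for `losetup -o`, from fdisk -l -u output.
    Refuses output whose Start column is in cylinders: only -u gives sectors."""
    m = re.search(r"Units[ =:]+sectors of \d+ \* \d+ = (\d+) bytes", fdisk_text)
    if not m:
        raise ValueError("run fdisk with -u so that Start/End are given in sectors")
    sector_size = int(m.group(1))
    for line in fdisk_text.splitlines():
        fields = line.split()
        if fields and fields[0] == partition:
            start = fields[2] if fields[1] == "*" else fields[1]   # skip the Boot flag column
            return int(start) * sector_size
    raise ValueError(f"{partition} not found in fdisk output")


def linear_table(segments: List[Tuple[str, int]], sector_size: int = 512) -> str:
    """dmsetup 'linear' table that concatenates loop devices backed by the split files.
    segments = [(loop device, size of its backing file in bytes), ...] in order.
    Lengths are file_size // sector_size, the ls-based figure from the chat; du -B512 rounds
    up and would map a sector that lies past the end of the file."""
    lines, start = [], 0
    for i, (dev, size) in enumerate(segments):
        if size % sector_size and i != len(segments) - 1:
            raise ValueError(f"{dev}: {size} bytes is not sector aligned; the next piece would be shifted")
        length = size // sector_size
        lines.append(f"{start} {length} linear {dev} 0")
        start += length
    return "\n".join(lines)


if __name__ == "__main__":
    print("losetup -o %d /dev/loop1 blah.img" % partition_offset(FDISK_OUTPUT, "/dev/loop0p1"))
    # Sizes of root_fs_armeb.partaa and root_fs_armeb.partab from the chat.
    print(linear_table([("/dev/loop0", 20971520), ("/dev/loop1", 20440064)]))
```

Feed the table to `dmsetup create name` exactly as in the chat; a non-aligned middle piece is reported instead of silently producing a shifted image.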

Wednesday, 25 October 2006

MacOS - Windows keyboard mapping

Very useful for total Mac newbies like me

From:
http://www.xvsxp.com/misc/keyboard.php



The following table outlines common keyboard shortcuts found on both Mac OS X and Windows XP:

Task | Mac OS X | Windows XP
---- | -------- | ----------
Undo | Command-Z | Ctrl-Z
New File | Command-N | Ctrl-N
New Window | Command-N | Windows-E (Windows Explorer), Ctrl-N (Internet Explorer). Not available for Command Prompt
New Folder | Shift-Command-N | Context-W-F
Open | Command-O | Ctrl-O (within applications), Enter (in Windows Explorer), Context-O (on the desktop)
Close | Command-W | Alt-F4 (Ctrl-F4 to close a child window of an MDI application)
Close All (Files, Windows) | Option-Command-W (available in the Finder, but not all applications) | Shift+Alt+F4
Save | Command-S | Ctrl-S
Don't Save (within Close dialog) | Command-D | Alt-N
Cancel | Command-. | Esc
Copy (Selection, File) | Command-C | Ctrl-C
Paste (Selection, File) | Command-V | Ctrl-V
Beginning of Line | Command-left arrow | Home
End of Line | Command-right arrow | End
Beginning of Document | Command-up arrow | Ctrl-Home
End of Document | Command-down arrow | Ctrl-End
Find | Command-F | Ctrl-F (within applications), Windows-F or Windows-S (from the desktop)
Quit | Command-Q | Alt-F4 (if the application has only one window open)
Desktop (within Save dialog) | Command-D | Tab to "Save in" menu, then arrow up to Desktop (not a "true" shortcut)
Next Application | Command-Tab | Alt-Tab (next window)
Previous Application | Shift-Command-Tab | Shift-Alt-Tab (previous window)
Rename Selected File | Return | F2
Select All | Command-A | Ctrl-A
Eject Disc or Volume | Command-E |
Send to Trash/Recycle Bin | Command-Delete | Delete
Delete Immediately | | Shift-Delete
Empty Trash | Shift-Command-Delete |
Minimize All | F11 (shows the desktop) | Windows-M
Restore All | F11 | Windows-Shift-M
Up Folder Level | Command-Up Arrow | Backspace
Down Folder Level | Command-Down Arrow | Enter
Expand Selected Folder | Right arrow (when in List or Column view) | Right arrow (when in Tree view)
Collapse Selected Folder | Left arrow (when in List or Column view) | Left arrow (when in Tree view)
Connect to Server | Command-K | Ctrl-Windows-F
Force Quit/End Task Dialog | Command-Option-Esc | Ctrl-Alt-Del
Force Quit Current Application | Shift-Command-Option-Esc |

Apple keyboard shortcuts can be found in this Apple Tech Document.



Friday, 20 October 2006

sed

dab: pci
dab: how do I get sed to delete a line
dab: and the 2 below it
Pci: eh?
dab: in sed
dab: I want to match a line
dab: and delete that line and the two that follow it
Pci: cat /etc/passwd |sed -n '/^andres.*$/{N;N;d;};p'
Pci: dab: with that I delete andres and the two users below him

Sunday, 15 October 2006

forensics applications whose URL I always forget

MiTeC, for examining the prefetch, thumbnails, lnk files, the registry, Recycle Bin information.... etc etc http://www.mitec.cz/
It seems WRA is no longer available on the official site; one day I'll upload a backup.
Updated: Mon Oct 16 00:04:20 CEST 2006


WRA.zip (danke DS)

Reverse whois URLs and others..

Mental note: don't forget these links

http://www.netcraft.com
http://webhosting.info
http://www.domainsdb.net/
http://www.searchmee.com/web-info/ip-hunt.php
http://www.domaintools.com/reverse-ip/
http://www.archive.org
http://search.msn.com <-- search by IP:x.x.x.x

Updated: Sun Oct 15 23:59:01 CEST 2006
http://www.seologs.com/ip-domains.html (thx aklis)
Updated: Thu Mar 15 12:03:33 CET 2007
http://www.tomdns.net/index.php

Mental note 2: one day, use the browser's bookmarks feature

Sunday, 30 July 2006

ntp read variables

Getting information via NTP:


echo -ne '\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00' | nc -u hora.rediris.es 123

or

ntpq -c rv hora.rediris.es
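The 12 bytes piped into nc above form an NTP mode-6 READVAR control request (version 2, mode 6, opcode 2, sequence 1), which is also what ntpq -c rv sends. Added Python example, not from the original post: it builds that request and reassembles a possibly fragmented reply into the variable list, which is handy for checking what your own server answers (and whether a restrict ... noquery line silences it). The reply fragments below are constructed, not captured.

```python
import socket
import struct
from typing import Dict, List

NTP_PORT = 123
MODE_CONTROL = 6
OP_READVAR = 2
# LI/VN/mode, R|E|M|opcode, sequence, status, association id, offset, count
HDR = struct.Struct("!BBHHHHH")


def build_readvar(sequence: int = 1, assoc_id: int = 0) -> bytes:
    """Mode-6 READVAR request; assoc_id 0 asks for the system variables (ntpq -c rv)."""
    first = (2 << 3) | MODE_CONTROL          # LI=0, VN=2, mode=6 -> 0x16
    return HDR.pack(first, OP_READVAR, sequence, 0, assoc_id, 0, 0)


def _split_fields(text: str) -> List[str]:
    """Split on commas that are outside double quotes (values such as version="..." may contain them)."""
    out, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return [f.strip() for f in out if f.strip()]


def parse_readvar(packets: List[bytes], sequence: int = 1) -> Dict[str, str]:
    """Validate and reassemble the fragments of a READVAR reply; return {variable: value}."""
    chunks: Dict[int, bytes] = {}
    for pkt in packets:
        first, rem, seq, status, _assoc, offset, count = HDR.unpack_from(pkt)
        if first & 0x07 != MODE_CONTROL or not rem & 0x80:
            raise ValueError("not an NTP mode-6 response")
        if rem & 0x1F != OP_READVAR or seq != sequence:
            raise ValueError("reply does not belong to our request")
        if rem & 0x40:                                   # E bit: status carries an error code
            raise ValueError("server returned error status 0x%04x" % status)
        chunks[offset] = pkt[HDR.size:HDR.size + count]
    payload = b""
    for offset in sorted(chunks):                       # fragments may arrive out of order
        if offset != len(payload):
            raise ValueError("missing fragment at offset %d" % len(payload))
        payload += chunks[offset]
    result: Dict[str, str] = {}
    for field in _split_fields(payload.decode("ascii", "replace").strip("\r\n\0 ")):
        key, _, value = field.partition("=")
        result[key.strip()] = value.strip().strip('"')
    return result


def query(host: str, timeout: float = 3.0) -> Dict[str, str]:
    """Send one READVAR over UDP and keep reading while the M (more) bit is set."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_readvar(), (host, NTP_PORT))
        packets = []
        while True:
            pkt = sock.recv(1500)
            packets.append(pkt)
            if not pkt[1] & 0x20:
                break
    return parse_readvar(packets)


# Constructed two-fragment reply (not a capture); the first fragment carries the M bit.
_PART1 = (b'version="ntpd 4.2.4p4@1.1520-o Tue Oct 30 2007 (1)", processor="i686", '
          b'system="Linux/2.6.18", leap=00, stratum=2, ')
_PART2 = b'precision=-20, rootdelay=12.345, refid=192.0.2.10\r\n'
SAMPLE_REPLY = [
    HDR.pack(0x16, 0x80 | 0x20 | OP_READVAR, 1, 0x0614, 0, 0, len(_PART1)) + _PART1,
    HDR.pack(0x16, 0x80 | OP_READVAR, 1, 0x0614, 0, len(_PART1), len(_PART2)) + _PART2,
]

if __name__ == "__main__":
    for k, v in parse_readvar(SAMPLE_REPLY).items():
        print(f"{k} = {v}")
```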


Friday, 23 June 2006

Enabling Add/Remove Programs

If you're not allowed to use Add/Remove Programs, you can change that at:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall]
The NoAddRemovePrograms value has to be 0

Tuesday, 30 May 2006

TCP/UDP proxy utilities.

Read on pen-test:

http://tripp.dynalias.org/


http://www.imperva.com/application_defense_center/tools.asp


http://www.int0x21.com/


http://jacquelin.potier.free.fr/networkstuff/

Tuesday, 16 May 2006

Bind 8 - Bind 9

Another interesting thing I came across today is fingerprinting in BIND 9:

The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
chaos record called "authors". So now even if an admin changes or
suppresses their version reply string, a remote user can still determine
whether the server is running BIND 9.x. With the recent discovery of the
tsig bug in BIND there will probably be a huge rise in version
queries. Some attackers may remove ambiguity by skipping servers that
reply to authors.bind (inferring that it's bind 9.1.0 and not vulnerable).

% dig ns.example.com authors.bind chaos txt

or

% nslookup -q=txt -class=CHAOS authors.bind. ns.example.com
Server: ns.example.com
Address: 23.23.23.23

authors.bind text = "Bob Halley"
authors.bind text = "Mark Andrews"
authors.bind text = "James Brister"
authors.bind text = "Michael Graff"
authors.bind text = "David Lawrence"
authors.bind text = "Michael Sawyer"
authors.bind text = "Brian Wellington"
authors.bind text = "Andreas Gustafsson"

The following Snort signature will detect these probes:
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS480/named-probe-authors";
content: "|07|authors|04|bind"; depth: 32; offset: 12; nocase;)
http://whitehats.com/info/IDS480

Max

http://archives.neohapsis.com/archives/bugtraq/2001-01/0491.html
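To see what the Snort signature above actually matches on the wire, here is an added Python example (not from the bugtraq post): it builds the CHAOS TXT question for authors.bind the way dig does and applies the IDS480 content test (|07|authors|04|bind, offset 12, depth 32, nocase) to it. All packets are constructed locally.

```python
import struct
from typing import Tuple

QTYPE_TXT, QCLASS_CHAOS = 16, 3


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name: str, qtype: int, qclass: int, txid: int = 0x1234) -> bytes:
    """UDP payload of a standard query with RD set and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_question(payload: bytes) -> Tuple[str, int, int]:
    """Name, type and class of the first question (plain queries carry no compression pointers)."""
    pos, labels = 12, []
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack_from("!HH", payload, pos + 1)
    return ".".join(labels), qtype, qclass


def matches_ids480(payload: bytes) -> bool:
    """IDS480 content test: '|07|authors|04|bind' fully inside the 32 bytes after the
    12-byte header, case-insensitive. The rule ignores QCLASS, so an IN query for
    authors.bind fires too, and a version.bind query does not fire at all."""
    window = payload[12:12 + 32]
    return b"\x07authors\x04bind" in window.lower()


if __name__ == "__main__":
    probe = build_query("authors.bind", QTYPE_TXT, QCLASS_CHAOS)
    print(decode_question(probe), matches_ids480(probe))
```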