Thursday, November 29, 2007

Using and Abusing Alternate Data Streams

This blog post details a very simple method that viruses, malware authors and others have used to hide data.

What are Alternate Data Streams (ADS)
Alternate Data Streams (ADS) were added to NTFS for compatibility with the Macintosh HFS file system, whose files have a data fork and a resource fork. An NTFS file has one unnamed (default) data stream, which is what Explorer, dir and every normal program read and write, and it can carry any number of additional named streams. Data placed in a named stream is not shown by Explorer or a plain dir listing, so without specific tools it remains hidden.

How to Hide Data in an ADS
Below is an example of how to hide a file in an Alternate Data Stream. The file can be any type, such as a plain text file, a Word document or, in this case, an executable. This example is run from a command prompt and the disk I am using is NTFS formatted.

1. Copy calc.exe into the directory you are in; my examples will assume C:\ads\.

2. Making sure you are in C:\ads\, run "echo test >hello.txt". This creates a file called hello.txt containing the word "test".

3. Run "start hello.txt". This should open the file you just created in Notepad or your text editor of choice. This demonstrates the file is accessible and usable.

4. Run "type calc.exe > C:\ads\hello.txt:calc2.exe". This copies the contents of calc.exe into a named stream of hello.txt called calc2.exe (the stream name is arbitrary; it does not have to match the original file name). After placing calc.exe in the ADS of hello.txt, run dir to check the file sizes.

Comparing the file size before and after calc.exe is added to the ADS, you will notice there is no change: dir (and Explorer) report only the size of the file's default stream. On Windows Vista and later, dir /r lists the named streams and their sizes.

5. Run "del calc.exe". This deletes the calc.exe that you copied in step 1.

6. Run "start C:\ads\hello.txt:calc2.exe"

This will start calc.exe from the ADS. The full path is important to start the file.

By running "start hello.txt" (or by opening the file in the normal way) you will only see the original file. It can be added to or amended without affecting the data in the ADS.

If the file is copied to a partition or USB device that is not NTFS (FAT32, for example) the named stream is silently dropped; only the default stream is copied.

Tools such as LADS.EXE (Frank Heyne Software) and SFIND.EXE from Foundstone's Forensic Toolkit will both discover files hidden in ADS, as will Streams.exe from Sysinternals.
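The check those tools perform can also be scripted. The following is an added example, not code from the original post: it parses the output of dir /r (available on Windows Vista and later) and reports every named stream, ignoring the Zone.Identifier stream that Internet Explorer attaches to downloaded files and calling out any stream whose name carries an executable extension. The listing embedded in it is constructed to match the C:\ads example above; on XP, which has no dir /r, use one of the tools above instead.

```python
import re
from dataclasses import dataclass

# Constructed sample of `dir /r` output (Vista and later) for the C:\ads
# directory built up in the steps above. Assumed for the example; the
# original post's commands ran on XP, whose dir has no /r switch.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Directory of C:\ads

29/11/2007  10:02    <DIR>          .
29/11/2007  10:02    <DIR>          ..
29/11/2007  10:05                 7 hello.txt
                             114,688 hello.txt:calc2.exe:$DATA
29/11/2007  09:50             12,345 notes.doc
29/11/2007  09:40             24,576 setup.exe
                                  26 setup.exe:Zone.Identifier:$DATA
               3 File(s)         36,928 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# dir /r prints each named stream on its own indented line as
#   <size> <filename>:<stream name>:$DATA
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams that are normal on a home PC: Zone.Identifier marks downloads.
BENIGN_STREAMS = {"Zone.Identifier"}
EXECUTABLE_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs")


@dataclass
class Stream:
    path: str   # file that owns the stream
    name: str   # stream name (calc2.exe in the example above)
    size: int   # bytes, as reported by dir /r


def parse_dir_r(listing: str) -> list:
    """Extract every named stream reported by `dir /r`."""
    found = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append(Stream(path=m.group(2), name=m.group(3), size=size))
    return found


def suspicious_streams(streams):
    """Drop known-benign streams; label the rest by whether the stream
    name looks like a program (the calc2.exe case) or is merely unexpected."""
    out = []
    for s in streams:
        if s.name in BENIGN_STREAMS:
            continue
        if s.name.lower().endswith(EXECUTABLE_EXT):
            out.append((s, "executable in stream"))
        else:
            out.append((s, "unexpected named stream"))
    return out


if __name__ == "__main__":
    for stream, reason in suspicious_streams(parse_dir_r(SAMPLE_DIR_R)):
        print(f"{stream.path}:{stream.name} ({stream.size} bytes) - {reason}")
```

On a live system, pipe a real listing in with dir /r /s C:\ > streams.txt and parse that file; a stream called calc2.exe hanging off a text file is exactly what the script reports.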

Further Reading

Saturday, November 24, 2007

Basic Vulnerability Scanning With Nessus

I would like to preface this entry by stating that vulnerability scanning is not a penetration test. It is merely one part of a test and should be combined with other forms of activity to result in a thorough examination of all vulnerabilities, whether they be human, policy or technical.

About Nessus

Nessus is the world's most widely used vulnerability scanner and is available for Windows or Linux. (Nessus 3 itself is closed source; Nessus 2.2 was the last open source release.) The version I will be using throughout this blog entry is Nessus 3 running on Ubuntu. Nessus uses a client/server model.

Nessus Server
The Nessus server is called nessusd. The server does not have to be on the same computer as the Nessus Client and communications between the server and client can be encrypted.

Nessus Client
The Nessus client I will be using is called NessusClient. Below is a screenshot of the NessusClient interface.

Nessus uses the following concepts:

Plugins are the individual vulnerability checks that Nessus performs. The plugin database is updated with /opt/nessus/sbin/nessus-update-plugins (see below).

Unless you have a paid subscription you will only receive plugins that are more than 7 days old. Plugins are written in the Nessus scripting language, NASL. Update the plugins before starting the nessusd server.

A task is a named container for scanning work, such as Weekly Checks or Unauthorised Program Scan.

Scopes represent connections to the Nessus server (nessusd) and belong to a task. A scope holds the list of hosts (targets) to scan, and a task can hold many scopes, such as Web Servers, File Servers or VNC Hosts.

Targets are hosts or lists of hosts, entered as fully qualified domain names, IP addresses or IP ranges.

Getting Nessus Up and Running

1. Download and install Nessus 3. You will need the NessusClient package also. The packages are available at
2. Once installed update the plugins using /opt/nessus/sbin/nessus-update-plugins

Setting Up
1. Start nessusd from /opt/nessus/sbin/nessusd
2. Start NessusClient from /usr/bin/NessusClient
3. Log into the Nessus Client with the account credentials created during the installation.

Using Nessus

In the example below I perform a targeted audit of web servers in my home lab.

I first used Nmap to find alive hosts using:

nmap -sL

Note that -sL is a list scan: it only lists the targets and does a reverse DNS lookup for each, without sending any packets to them. To check which hosts actually respond, use a ping sweep (-sP in the Nmap releases of this era, -sn in current versions).

This turned up 2 hosts (shown below).

I then used Nmap to determine if either of the 2 hosts found is listening on port 80 using:

nmap -sV -p80,20

In a pentest I would also look for web servers on non-standard ports such as 8080, 8008 or 81.
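Turning the Nmap results into a Nessus target list can be scripted. The following is an added example, not code from the original post: it parses Nmap's grepable output (-oG) for the web ports mentioned above and returns the hosts with one open, optionally narrowed to IIS banners for the targeted audit described here. The scan output embedded in it is constructed for the example; the addresses and banners are invented and are not the hosts from the author's lab.

```python
import re

# Constructed sample of grepable output from a scan such as
#   nmap -sV -p80,81,8008,8080 -oG web.gnmap 192.168.1.0/24
# Each "Ports:" entry is port/state/proto/owner/service/rpc/version/ and
# Nmap escapes any "/" inside a field as "\/".
SAMPLE_GNMAP = """\
# Nmap 4.20 scan initiated
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 6.0/, 81/closed/tcp//hosts2-ns///, 8008/closed/tcp//http///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (0)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 80/closed/tcp//http///, 81/closed/tcp//hosts2-ns///, 8008/closed/tcp//http///, 8080/open/tcp//http-proxy//Apache Tomcat\\/Coyote JSP engine 1.1/\tIgnored State: closed (0)
Host: 192.168.1.30 ()\tStatus: Up
Host: 192.168.1.30 ()\tPorts: 80/closed/tcp//http///, 81/closed/tcp//hosts2-ns///, 8008/closed/tcp//http///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (0)
# Nmap done
"""

# The standard and non-standard web ports named in the text.
WEB_PORTS = {80, 81, 8008, 8080}

# Split on "/" but not on the escaped "\/" Nmap uses inside version strings.
FIELD_SPLIT = re.compile(r"(?<!\\)/")


def parse_gnmap(text):
    """Return {ip: [(port, state, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: ") or "Ports: " not in line:
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next(f for f in fields if f.startswith("Ports: "))
        for entry in ports_field[len("Ports: "):].split(", "):
            parts = [p.replace("\\/", "/") for p in FIELD_SPLIT.split(entry)]
            port, state, _proto, _owner, service, _rpc, version = parts[:7]
            hosts.setdefault(ip, []).append((int(port), state, service, version))
    return hosts


def web_targets(hosts, ports=WEB_PORTS):
    """Hosts with at least one open web port, one per line for Nessus."""
    return sorted({ip for ip, plist in hosts.items()
                   for port, state, _svc, _ver in plist
                   if port in ports and state == "open"})


def iis_hosts(hosts):
    """Narrow further to IIS banners, as in the targeted IIS scope above."""
    return sorted(ip for ip, plist in hosts.items()
                  if any("IIS" in ver for _p, st, _s, ver in plist if st == "open"))


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    print("\n".join(web_targets(found)))   # paste into the scope's target list
    print("IIS:", ", ".join(iis_hosts(found)))
```

The version string is why the split has to honour the backslash escape: a banner such as Apache Tomcat/Coyote would otherwise be cut in two and shift every field after it.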

Now that I have found a web server and, from looking at the version, see it is IIS 6.0, I turn to Nessus.

After firing up Nessus i configure the following options.

1. Select Global Settings and click the connect icon. This will allow me to alter the global configuration and give me access to the plugins. These global settings can be changed and will form the default settings for new tasks.

2. I create a new task called "Web Servers" and a scope called "IIS Servers".

3. Within the scope I set my target as

4. As in this example I'm only going to scan for IIS vulnerabilities, I set my filter to "IIS" on Name and Description and then select Enable All Plugins. This enables just the plugins related to IIS. Details of a plugin can be viewed by double-clicking on it.

5. After executing the scan within NessusClient, Nessus performs a port scan of my target and then scans for vulnerabilities.

6. Following the scan I check the report that Nessus produces and look for any vulnerabilities that have been found.

The test above is a basic description of a vulnerability scan of an IIS web server to familiarise you with Nessus. If you are serious about scanning for vulnerabilities you will need to explore the interface and adjust the various options for your scan.

In another example, rather than targeting a particular service, I opted to use all vulnerability checks (plugins). Although this is particularly noisy and has a better chance of finding a vulnerability, some plugins may crash services, so use with caution. Nessus's "safe checks" option disables the checks that are known to be dangerous, at the cost of relying on banners rather than actually testing the flaw.

This scan found a few vulnerabilities, one being an unpatched vulnerability in the Server service (MS06-035). If I wanted to exploit this vulnerability, the next step would be to find a working exploit for this platform. After a few minutes of searching I find an exploit at

Additional Options

When setting the options, either globally or for a particular scan, you can set the following:

  • Provide a username and password for the target.
  • Not to scan fragile devices (printers)
  • Global variables (CGI Scanning, network types, reports, logs, debugging)
  • Http login credentials
  • Login configurations (FTP, NNTP, HTTP, POP2, POP3, IMAP, SMB)
  • Nessus scanner options
  • Oracle settings
  • Ping options
  • Services (SSL options, number of connections, timeouts)
  • SMB Enumeration options
  • SNMP options

Nessus Knowledge Base

The Nessus Knowledge Base offers various options for remembering the findings of previous scans and reusing that information in future scans, so that, for example, a host's services need not be rediscovered each time.

Further Reading

Sunday, November 18, 2007

Securing a Wireless Connection

This blog entry is primarily for me to give as a reference to friends and family who ask me about the best way to secure their wireless connection. I will attempt not to focus on any vendor-specific wireless routers, i.e. Linksys, Netgear, etc., and focus on the basics of wireless security instead. Throughout this blog entry I will use the terms Wireless Access Point (WAP), wireless router and router interchangeably.

Many wireless routers do not have security features turned on by default. The reason for this is so when you get the router home you can plug it in and it will work quite seamlessly. At this stage your router is in what is known as an Open Wireless Configuration. This may seem all well and good but there are some serious downsides. I detail these below.

  1. If you can connect to the router quite easily and seamlessly then anyone within range of the wireless signal can also.
  2. Anything someone does while using your internet connection will point back to you. This could be downloading illegal files, downloading pornography, illegal filesharing etc.
  3. If another computer on your open wireless network has a virus it can easily infect your computer.
  4. Anything you do on the internet, such as banking or email, may be seen from other computers connected to your wireless connection.
  5. Your internet connection may become slower because you are sharing your bandwidth with other people connected to your wireless network.

Hopefully the points listed above illustrate why it is important that you secure your wireless connection.

To secure your wireless connection I recommend a layered approach. This means that you have multiple layers of defence. If one layer fails then another layer is in place to still provide some security.

The layers I suggest are as follows:

  • Change the router's default password.
  • Change and hide the router's default SSID.
  • Implement MAC address filtering.
  • Configure encryption.
  • Harden the router's configuration.

Change the Routers Default Password

When you buy a router it will have a password to enter the administration interface. Often you will connect the router up as described in the documentation supplied with the router and from an internet browser enter the address in the address bar.

You will often be brought to a login page requiring a username and password; again, these will be supplied. Now here's the thing. The supplied credentials are the same for everyone who has bought that model of router, so quite a few people will know them. There are also websites that list the default usernames and passwords for popular models. They are easy to find on the internet and I have listed one below.

So as you can see it's important to change the password from the default.

Look for a page or tab called something like General, Administration or Advanced. Each router is different, so you may need to click around a bit until you find it. Change the password to something difficult to guess: long, and not a word found in a dictionary. Write this down and keep it private and safe where you will be able to find it when you need it.

Change and Hide the Default SSID

The SSID is the name that your router broadcasts out to identify itself. Again, when you get your router this is set to a default, such as Netgear or Linksys. Now the problem with this is the following:

  1. The default SSID tells other people what equipment you have. If a problem is found with your model of router and is publicly disclosed, it makes an attacker's job of finding a vulnerable router easier, i.e. YOURS!
  2. If you have an SSID of Linksys and one of your neighbours has a default SSID of Linksys, you may be connecting to the wrong Wireless Access Point (WAP). Information you send over the internet could easily be seen by your neighbour.

Change the SSID to something unique that does not identify you (not your house number or your surname, for instance). This prevents somebody accidentally connecting to your WAP by mistake, and prevents people from guessing the type of WAP you have.

Hiding the SSID is another layer of protection. Admittedly, it won't stop a determined attacker from discovering it (the name still appears in the frames your own computer sends when it connects, and a computer configured for a hidden network will keep asking for it by name wherever it goes) but it will stop the average computer user from seeing it. Sometimes it is easier to hide the SSID once you have connected with encryption and things are working, so it may be an idea to come back to this one at the end.

MAC Address Filtering

MAC address filtering, sometimes known as hardware address filtering, is another measure you can take to stop someone using your WAP to access the internet. All network cards in a computer, both wireless and wired, have a physical (MAC) address. One way to view the MAC address is to bring up a command prompt (Start Menu > Run, type "cmd", press OK) and at the prompt type:

Ipconfig /all

You will then be presented with a screen of information similar to that on the screenshot below.

As you can see, the physical address of my wireless network card is:


With MAC address filtering I enter this address into the configuration on the WAP to instruct it to let only network cards with that address connect to it. Below is an example screen from my wireless router admin page where I set up MAC address filtering.

Depending on your model of router you may have to search around for this page. A good bet is in Wireless Settings, or Wireless Security.

If you have people visit you and they want to use your access point you will have to update your router with their MAC address. If you want to administer the router from another computer should yours become unavailable you will have to use the wired connection and physically connect to the router to make changes.

MAC address filtering is not a strong security measure and a determined attacker will be able to bypass it. The MAC address is sent in the clear in every frame, so an attacker can simply look at the traffic with what's called a sniffer and read off the address that you are using. He then changes his own card's MAC address to match and can once again use your internet connection.

All you have done so far is secure the router's management interface and raise the bar slightly against your access point being used by someone else.


The next step is to encrypt your traffic. The reason for doing this is privacy. It is important to remember that wireless encryption only protects the traffic between your computer and the WAP, i.e. your wireless router, which is the part of the journey that anyone nearby can listen to. Once the traffic leaves the router for the internet it is back in the clear unless the application itself encrypts it, which is where the next paragraph comes in.

If you are using a site where the URL (the address of the website) begins with https then your traffic is encrypted all the way between your computer and that site. Your banking site, sites where you shop, enter a password or enter credit card details should always have addresses beginning with https and are thus encrypted end to end.

There are different types of encryption available on most home wireless routers: WEP, WPA and WPA2. I will cover the basics of setting up both WEP and WPA2, even though WEP is broken (its key can be recovered from a few minutes of captured traffic with freely available tools) and should only be used if neither WPA2 nor WPA is available.

The following is method I use for setting up WPA2 or WEP in Windows XP.

  1. From the Start Menu > Control Panel > Network Connections. View the properties of the wireless network card. From the Preferred Network list check the properties of the Wireless Access Point and identify which encryption protocols and algorithms your computer supports.
  2. Connect to the wireless access point (WAP) using an Ethernet cable.
  3. From the web browser log into the home page of the WAP.
  4. Enter the page for wireless security.
  5. Set your encryption to a protocol and algorithm supported by your computer (preferably WPA2 with AES) and choose a long passphrase. With WPA2 (or WPA) an attacker who captures the handshake when a computer connects can try passphrases offline at leisure, so use something long and random rather than a word or a short phrase.
  6. Save the changes to your WAP configuration.
  7. Go back into the properties on the entry on the preferred Network list and adjust them to be the same as the settings on the router.

That’s it. Now if you are working wirelessly and you mess up the settings for encryption just plug back into the router and go through the process once again.

Router Configuration Hardening

This is just a quick section about a few settings you can change and why it is important to change them. Also about any effects these changes may have.

You will have to click around in the web interface of the WAP to find the settings that I refer to but they are pretty general so they will most likely be there somewhere.

  1. Disable Universal Plug and Play (UPnP)

Universal Plug and Play is a feature that allows programs to open up ports on your router without your intervention. This is useful in some respects but a security risk also. If genuine programs can open up ports then so can programs such as viruses, Trojans and spyware. If a Trojan managed to get onto your computer and disable your computer's firewall you may still be protected, as it would not be able to alter the router configuration. Bear in mind that some programs (games and file-sharing clients, typically) may require UPnP to be left enabled.

  2. Disable Remote Web Admin and wireless web access.

By disabling the Remote Web Admin features you are restricting access to the routers management interface to those who have physical access to the router via an Ethernet cable.

  3. Change the default password.

As mentioned in an earlier section, it is very important that you change the default password to something secure. If you forget the password you set, you can reset the router to the factory defaults by following the manufacturer's instructions. Be aware that this will also remove every other setting you have specified, such as MAC address filters and encryption, and put the default password back.

  4. Update firmware.

I thought I would include this although I think it's unlikely anyone will do it. The firmware is the software installed on the router that provides all the features such as wireless encryption and MAC address filtering. Sometimes the manufacturer will update the firmware to fix a known vulnerability or to provide an additional feature. It is therefore useful to look at the manufacturer's web site occasionally and apply firmware updates as they become available.

  5. Back up the configuration.

After applying all the settings mentioned above, find the section in the administration interface that allows you to back up the configuration and perform a backup. It's best to name the backup with a date and perform a new backup each time you change settings. This way you can roll back to a good configuration if you mess things up.

Further Reading

If you are interested in knowing more about wireless security the links below may be of interest.

Monday, November 5, 2007

Hunting Malware in Windows

The purpose of this blog entry is to help the reader identify malware on a PC. I look at some of the changes malware makes to a PC and the effect it might have on a system.

First, here are a few answers to some basic questions.

What is Malware?
Malware is software that performs actions with malicious intent. Typically the owner of the system never agreed to it being installed and may not be aware of its presence.

What Can Malware Do?
I classify programs such as viruses, Trojans and spyware as malware. These types of programs can steal personal information and corrupt data. Infected systems can attack other systems and be used for other illegal activities.

How Does Malware Get onto a System?
Malware can be installed when installing a legitimate program or it can be installed by visiting a website hosting malicious code. Malware can be installed by a virus or worm or it can be installed by someone with malicious intent that has access to the system.

Okay, with those questions answered lets get down to the detail.

However the malware arrives, be it the payload of a file you open, a website you visit, or someone hacking your system and placing it there as a backdoor or a keylogger, it has three things in common once installed: it needs to be started again every time the system reboots (persistence), it runs as a process, and it communicates. I'll address each of these separately. But first I'll list the tools I use throughout my malware hunting process.

Tools:

  • Regedit
  • Autoruns
  • Schtasks
  • Net
  • Tasklist
  • Tlist
  • PsList
  • PUList
  • ListDLLs
  • Handle
  • Process Explorer
  • Netstat
  • Fport
  • Nbtstat
  • TCPView
  • SmartSniff
  • Procmon

None of the tools listed requires installation to run. The tools can be run from a CD or other read-only medium, which is good practice, as you then know that the tools themselves have not been tampered with by any malware on the PC you are examining. It's best to take the tools directly from the vendor or from a clean installation of Windows. Bear in mind that a rootkit running inside the kernel can still hide processes, files and connections from even a clean tool, since the tool has to ask the compromised operating system for the information.

I have listed methods to detect Malware using both command-line tools and a GUI alternative.

Okay, lets hunt!


Once Malware is on the system it will need a way of starting every time you log on. Listed below are some common places it can start from.

1. The Registry
Use Regedit to examine the contents of the following registry keys:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This is the most popular key for malware to start from. Other keys that are known to be used by malware are listed below.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKCU\Control Panel\Desktop\Scrnsave.exe
The two Winlogon values have well-known defaults: Shell should be Explorer.exe and Userinit should be C:\WINDOWS\system32\userinit.exe, (including the trailing comma). Anything appended to them runs at every logon.
Other keys to note:
  • HKEY_CLASSES_ROOT\batfile\shell\open\command
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
  • HKEY_CLASSES_ROOT\comfile\shell\open\command
The 3 keys listed above tell Windows what to do when opening a .bat, .exe or .com file. The (Default) value of each should be exactly "%1" %* (the file itself, followed by any arguments).

Malware has been known to modify these values so that it is started up whenever an exe, bat or com file is run.

The screenshot below is from my HKLM\Software\Microsoft\Windows\CurrentVersion\Run key.

As you can see there are quite a few keys to become familiar with.

Become familiar with the contents of these keys and if in doubt use Google to identify the values. When using Google I find it is best look at a few different results rather than the first that comes up. There are many sites that will say that this.exe or that.dll is spyware and it'll sell you just the tool to remove it. You'll get to know which sites you can trust.
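Reviewing these keys by hand gets tedious across several machines, so here is an added example (not from the original post) that applies the checks described above to the output of reg query. It flags a file-association command that is not exactly "%1" %*, a Run entry that is a bare filename (resolved through the search path rather than an explicit location), and a Run entry whose executable lives outside the Windows and Program Files directories. The reg query output embedded in it is constructed; the entries, including the hijacked exefile command and the entry in a user's Temp folder, are invented. On a real machine you would capture the input with reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and the other keys listed above.

```python
import re

# Constructed sample of `reg query` output for four of the keys listed above.
# Invented entries: a normal ctfmon, a bare-filename SoundMan, a backdoor
# dressed up as "Windows Update" in a Temp folder, and a hijacked exefile
# association that runs scvhost.exe before every program.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Windows Update    REG_SZ    "C:\Documents and Settings\bob\Local Settings\Temp\svchost.exe" -L -p 4444

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "C:\WINDOWS\system32\scvhost.exe" "%1" %*

HKEY_CLASSES_ROOT\batfile\shell\open\command
    (Default)    REG_SZ    "%1" %*
"""

KEY_LINE = re.compile(r"^(HKEY_[A-Z_]+\\.+)$")
# reg query indents each value by four spaces: <name>  <REG_type>  <data>
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

EXPECTED_OPEN_COMMAND = '"%1" %*'
# Assumed trusted locations for an XP-era machine on drive C.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_reg_query(text):
    """Return {key: [(value name, type, data), ...]}."""
    keys, current = {}, None
    for line in text.splitlines():
        k = KEY_LINE.match(line)
        if k:
            current = k.group(1)
            keys[current] = []
            continue
        v = VALUE_LINE.match(line)
        if v and current is not None:
            keys[current].append(v.groups())
    return keys


def image_path(data):
    """Pull the executable out of a Run value: a quoted path, or else the
    first token (an unquoted path with spaces is ambiguous to Windows too)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ")[0]


def review_autostarts(keys):
    """Apply the three checks; returns (key, value name, reason) tuples."""
    findings = []
    for key, values in keys.items():
        lk = key.lower()
        if lk.endswith(r"file\shell\open\command"):
            for name, _t, data in values:
                if data != EXPECTED_OPEN_COMMAND:
                    findings.append((key, name, "file association hijacked: " + data))
        elif lk.endswith((r"\run", r"\runonce", r"\runonceex")):
            for name, _t, data in values:
                path = image_path(data)
                if "\\" not in path:
                    findings.append((key, name, "bare filename, found via search path: " + path))
                elif not path.lower().startswith(TRUSTED_DIRS):
                    findings.append((key, name, "runs from outside Windows/Program Files: " + path))
    return findings


if __name__ == "__main__":
    for key, name, reason in review_autostarts(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{key}\n    {name}: {reason}")
```

A hit from this script is a lead, not a verdict: a legitimate driver utility sometimes does register itself by bare filename, which is exactly why the text suggests looking each unfamiliar name up before acting.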

2. The File System
The Malware may even be listed in the startup folder. Check out:

C:\Documents and Settings\\Start Menu\Programs\Startup

and the equivalent folder that applies to every account, C:\Documents and Settings\All Users\Start Menu\Programs\Startup.

If you find programs listed here that you don’t recognise, Google them.

3. Scheduled Tasks
Scheduled tasks are another place that Malware can start from. Use the Scheduled Tasks program from Start > Programs > Accessories > System Tools to view scheduled tasks.

Alternatively, schtasks.exe lists them from the command line:

C:\>schtasks /query

The benefit of the command-line option is that scheduled tasks can be hidden from the GUI: create a new scheduled task and then use attrib +h against the .job file in %WINDIR%\Tasks. This may fool the GUI, but it will not get past the command-line tool.

Here is an example.
I have created a task called test which is viewable in Scheduled Tasks

After hiding test.job with the command attrib +h test.job (run inside C:\Windows\Tasks), the task no longer appears in the Scheduled Tasks folder, even though my folder options are set to display hidden files.

However, after running C:\>schtasks /query I can still see the task.

4. Services
Malware is often installed as a service. This is another way that it can be guaranteed to start. You can view the services using the tools listed below.

services.msc. Run this, or look in Computer Management (right-click My Computer > Manage), for a list of services on your PC. Malware authors or hackers can install any program to run as a service using the tool srvany.exe. This is a legitimate Microsoft tool available in the Resource Kit.

To view running services from the command-line use:

C:\>net start

Now for the fantastic AutoRuns from SysInternals. Autoruns provides all of the above information in seconds and you can do some funky stuff with it too.

If you want to see a list of all programs that are being started from all the places listed above run AutoRuns and check out the Everything tab (shown below).

From here you can see which programs are set to start, where they are initialised from (Registry, Scheduled Tasks etc.), the publisher, the description and the path to the image. On selecting an entry, additional details are supplied in the bottom pane. Entries can also be ticked or unticked here to allow them to start or prevent them from loading.

The list of entries and the applied settings can also be saved to a file and then compared to at a later time to identify new entries that have been created. Any new additions will be highlighted in green.

Running Processes

After Malware has started it will be a running process on your PC. There are a number of tools you can use to view the running processes. Again what’s important here is any processes you find that you are unsure of should be Googled.

Below are the different tools I use to list the running processes.

PsList is a free command-line tool from Sysinternals. It can be used on local and remote computers and can display a great deal of information. Below is a screenshot of running the tool on the local PC using the process tree option (-t). Output can be redirected to a text file if necessary using >filename.txt. Additional options can be viewed using the /? switch.

What can be seen in the screenshot above is a number of processes with the same name, svchost. On XP svchost typically appears 5 times and on Windows 2003 around 7; the exact count depends on which services are installed. Svchost is a generic host process that runs several services, as we shall see, and every instance should be a child of services.exe (which sits under winlogon.exe in the System tree, as shown above). If you find svchost running as a process on its own or under cmd (as demonstrated below) it should definitely raise eyebrows and warrant further investigation.

Some Malware will be named so it looks legitimate and will look at home when displayed in outputs from programs like PSList. For example, would you spot a program named scvhost amongst the list above? Probably not at first glance.

A useful program is PUList, from the Microsoft Resource Kit, which displays the user account under which each process was started. A legitimate svchost instance runs as NT AUTHORITY\SYSTEM, LOCAL SERVICE or NETWORK SERVICE; one running under an ordinary user account is a red flag.
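Both of those checks, the scvhost lookalike and the account a process runs under, can be automated. This is an added example, not the author's code: it parses tasklist /v output (the constructed listing below uses invented PIDs, a planted scvhost.exe and a misplaced svchost.exe; the real command prints further columns that are trimmed here), flags any image name within one edit or transposition of a core system process, and flags svchost.exe instances running as anything other than a service account.

```python
import re

# Constructed `tasklist /v` output, trimmed after the User Name column.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage Status          User Name
========================= ======== ================ =========== ============ =============== ==================
System Idle Process              0 Console                    0         28 K Running         NT AUTHORITY\\SYSTEM
System                           4 Console                    0        236 K Running         NT AUTHORITY\\SYSTEM
smss.exe                       520 Console                    0        388 K Running         NT AUTHORITY\\SYSTEM
csrss.exe                      596 Console                    0      4,104 K Running         NT AUTHORITY\\SYSTEM
winlogon.exe                   620 Console                    0      3,872 K Running         NT AUTHORITY\\SYSTEM
services.exe                   664 Console                    0      4,300 K Running         NT AUTHORITY\\SYSTEM
lsass.exe                      676 Console                    0      1,320 K Running         NT AUTHORITY\\SYSTEM
svchost.exe                    868 Console                    0      4,908 K Running         NT AUTHORITY\\SYSTEM
svchost.exe                    944 Console                    0      3,244 K Running         NT AUTHORITY\\NETWORK SERVICE
svchost.exe                   1012 Console                    0     22,164 K Running         NT AUTHORITY\\SYSTEM
svchost.exe                   1088 Console                    0      3,196 K Running         NT AUTHORITY\\LOCAL SERVICE
explorer.exe                  1400 Console                    0     19,020 K Running         LAB\\bob
scvhost.exe                   1504 Console                    0      1,876 K Running         LAB\\bob
svchost.exe                   1612 Console                    0      2,004 K Running         LAB\\bob
cmd.exe                       1700 Console                    0      1,432 K Running         LAB\\bob
"""

# Core XP/2003 processes that malware likes to imitate (assumed list).
KNOWN = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
         "svchost.exe", "explorer.exe", "spoolsv.exe"}
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}

# name  pid  session  session#  mem K  status  user
ROW = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K\s+(\S+)\s+(.+?)\s*$")


def parse_tasklist(text):
    """Return (image name, pid, user) for each process row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, pid, _sess, _sid, _mem, _status, user = m.groups()
            rows.append((name, int(pid), user))
    return rows


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'scvhost' is one step from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def review_processes(rows):
    """Lookalike names, and svchost instances outside the service accounts."""
    findings = []
    for name, pid, user in rows:
        lname = name.lower()
        if lname not in KNOWN:
            for known in sorted(KNOWN):
                if osa_distance(lname, known) == 1:
                    findings.append((pid, name, f"lookalike of {known}"))
        elif lname == "svchost.exe" and user.upper() not in SERVICE_ACCOUNTS:
            findings.append((pid, name, f"running as {user}, not a service account"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in review_processes(parse_tasklist(SAMPLE_TASKLIST)):
        print(f"PID {pid:>5} {name:<16} {reason}")
```

Distance one is deliberately strict: it catches the swapped, dropped or added letter tricks without drowning the output in legitimate short names.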

To help demystify what some of those svchost processes are, run TList with the -c switch. This displays the command line used to launch each process. The screenshot below clearly shows that my disguised svchost process was started with syntax that is strangely similar to netcat!

Another useful TList option is the –s switch. This will list the active services in each process.

Tasklist is a native tool to both XP and Windows 2003 and Tasklist /svc will provide similar information to the tlist –s option.

ListDLLs displays all running processes, the DLLs each has loaded and the path to each DLL, along with the DLL version.

Running ListDlls against the PID of my mystery svchost process provides the following information.

Looking at a few of the DLLs listed, such as DNSAPI.dll and mswsock.dll (name resolution and Winsock), gives a hint that this svchost is doing network I/O of some kind.

Handle will display information on what the process is interacting with in regards to other handles, the registry and the file system. Handle is also developed by SysInternals (now Microsoft). As with all the command-line tools listed above the output of handle can be directed to a text file by appending >filename.txt to the command.

Process Explorer
And for the GUI inclined, the brilliant SysInternals have developed yet another great tool that rolls all of these tools into one, Process Explorer.

The interface is very easy to navigate yet can provide you with all information regarding running processes. All information is updated in realtime and can be saved to a tab delimited text file.

It has fantastic search capabilities to quickly find handles or dll-substrings. By enabling the lower pane you can easily view the DLLs associated with each process. By selecting a process and using ctrl+h and ctrl+d you can toggle between viewing the handles and the dll’s for the selected process.

The integrated searchable Strings function clearly identifies my mystery process as being a renamed instance of netcat (shown below).

The TCP/IP tab will display any connection that the process has open.

Which brings us to connections.

Network Connections

So the malware is on your PC, it's running as a process and at some stage it is likely to try to connect to another system somewhere on the internet to attack, send information or spread. Below I have listed the tools you can use to monitor your network connections and capture the details of each connection.

Netstat is very useful for showing exactly what connections are being made to and from a PC. netstat /? displays all the available switches. I find the following very useful:

netstat -anobv

This lists all connections and listening ports (-a), shows ports as numbers rather than service names (-n), shows the owning process ID of each connection (-o), shows the executable that created the connection (-b) and is verbose (-v). The -b option needs administrator rights and can take a while to run.

Another trick I have used in the past with Netstat is to close down all my programs that may make an internet connection and wait a few minutes then run netstat to ensure that all connections are down. I’ll then run the following command and leave my PC connected to the internet:

netstat -bn 5 >netstatlog.txt

This will create a log file watching for any connections and refresh every 5 seconds. I leave this to run overnight and then stop the task running with ctrl+c. I then review the log and investigate any connections that show up in the log
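Reviewing an overnight log by eye is slow, so here is an added example (not from the original post) that does the comparison for you. It splits a log produced by the netstat -bn 5 >netstatlog.txt command above into its repeated snapshots, treats the first snapshot as the baseline taken after everything was closed down, and reports sockets that appear later, plus any listener owned by a program outside a short list of expected XP listeners (an assumption). The log embedded in it is constructed: XP-style output with its PID column, invented PIDs, and a remote address from the TEST-NET-2 documentation range.

```python
import re

# Constructed two-snapshot log in XP netstat -b format. Invented PIDs;
# 198.51.100.23 is a documentation address, not a real host.
SAMPLE_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  [svchost.exe]

  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1504
  [scvhost.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  [svchost.exe]

  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1504
  [scvhost.exe]

  TCP    192.168.1.5:1061       198.51.100.23:6667     ESTABLISHED     1504
  [scvhost.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

SOCKET_LINE = re.compile(r"^\s+(TCP|UDP)\s+(\S+)\s+(\S+)(.*)$")
OWNER_LINE = re.compile(r"^\s*\[(.+)\]\s*$")   # the [image.exe] line from -b

# Assumed baseline of programs that legitimately listen on an XP box.
EXPECTED_LISTENERS = {"svchost.exe", "System", "lsass.exe", "alg.exe"}


def parse_netstat_log(text):
    """Split the log into snapshots, each a list of
    (proto, local, remote, state, owner) tuples. Lines that are neither a
    socket row nor an [owner] row (headers, DLL component lines) are skipped."""
    snapshots, current = [], None
    for line in text.splitlines():
        if line.startswith("Active Connections"):
            current = []
            snapshots.append(current)
            continue
        if current is None:
            continue
        m = SOCKET_LINE.match(line)
        if m:
            proto, local, remote, rest = m.groups()
            # The remainder is "<STATE> <PID>", "<STATE>" or just "<PID>" (UDP).
            state = next((t for t in rest.split() if not t.isdigit()), "")
            current.append([proto, local, remote, state, None])
            continue
        o = OWNER_LINE.match(line)
        if o and current:
            current[-1][4] = o.group(1)
    return [[tuple(r) for r in snap] for snap in snapshots]


def new_connections(snapshots):
    """Sockets absent from the baseline (first) snapshot, each paired with
    the index of the snapshot in which it first appeared."""
    seen = set(snapshots[0])
    out = []
    for i, snap in enumerate(snapshots[1:], start=1):
        for rec in snap:
            if rec not in seen:
                seen.add(rec)
                out.append((i, rec))
    return out


def unexpected_listeners(snapshots):
    """Listening sockets owned by anything outside the expected set."""
    return sorted({rec for snap in snapshots for rec in snap
                   if rec[3] == "LISTENING" and rec[4] not in EXPECTED_LISTENERS})


if __name__ == "__main__":
    snaps = parse_netstat_log(SAMPLE_LOG)
    for i, rec in new_connections(snaps):
        print(f"snapshot {i}: new {rec}")
    for rec in unexpected_listeners(snaps):
        print(f"unexpected listener: {rec}")
```

Since the interval is five seconds, the snapshot index also gives you roughly when overnight the connection first appeared, which is useful when matching it against the proxy or router logs.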

Fport from Foundstone is another useful program for displaying ports and the paths to the executable used to launch the connection

Nbtstat is a native windows utility and the command nbtstat –S will list any network connections using the NBT protocol. Nbtstat –s will convert IP addresses to NETBIOS names. And using nbtstat –S 5 >nbtlog.txt will create a log file that is updated every 5 seconds.

And once again Sysinternals do it with a nice GUI that does it all. TCPView provides a real-time view of connections so you can easily identify what is listening or connected. It can resolve DNS names for you, and you have the option of listing only established connections or viewing all unconnected endpoints as well (shown below).

As new connections are established they are displayed briefly in green and as they are terminated they are displayed in red before disappearing.

SmartSniff from NirSoft is a fantastic tool for viewing live connections, and it does a few extras too. SmartSniff can capture using either raw sockets or the WinPcap driver, can display the contents of the connections, and can easily apply filters to focus on particular connections, hosts or protocols. It can save captures to file for further analysis and can also produce detailed HTML reports. Below is a screenshot of SmartSniff in action.


Once Malware is installed and running on your system it will leave various footprints, as Locard’s exchange principle states, when two objects come into contact a transfer of material takes place between them. Using the information I have provided and the free tools I have listed, the discovery of that material may be a little easier.

Personally, if I locate Malware on a PC all that the current build of that PC is good for is investigation. Following that, format and reinstall.