Wednesday, December 17, 2008

Metasploit Decloak V2

The Metasploit project has released a tool that demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. No vulnerabilities are exploited by this tool. A properly configured Tor setup should not result in any identifying information being exposed.

It's an interesting tool to check whether your proxy configuration is really anonymizing your connections, or whether you are under a false sense of anonymity.

You can check your proxy anonymity here: Metasploit decloak

-CMM

Tuesday, December 9, 2008

Oracle Forensics


Hi, this time I will post a brief entry about Oracle Forensics. When we talk about Oracle Forensics we are talking about David Litchfield, who researched and developed tools for analyzing Oracle from the forensic point of view.

Next Thursday he will participate in a Black Hat Webinar, where he will specifically talk about Orablock:

"The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's no need to load up the data file in the database which would cause the data file to be modified, so using orablock preserves the evidence. "

You can register here.

He will also publish a book about Oracle Forensics very soon; you can pre-order it at Amazon. The book is called "Oracle Forensics Using Quisix".

And if you want to check all his presentations and papers about the subject, you can go here.

There are few people working in this field; besides Litchfield we can refer to Paul M. Wright, author of the first Oracle Forensics book. You can check his blog here.

Enjoy!
-CMM

Thursday, December 4, 2008

Panda Security advertisement

This is an unusual post, but it is very funny and it is related to security:

The guys from Panda Security made a great advertisement with a concept very far from information security, but very funny and effective; at least the main idea is very well transmitted.




-CMM

Python Regexp tester

When coding in Python and needing a regular expression, I always end up firing up a Python interpreter and trying the regexp on the fly. Now I discovered www.pythonregex.com, a web application built on Google App Engine that allows you to try regular expressions without coding a line: you just write the regexp and paste the string or text you want to apply it to.


Give it a try here

-CMM

Jsky - a free Web Application Scanner

A new free web application scanner is out, from the same author as Pangolin (a good SQL injection tool). The scanner looks pretty solid and complete for an alpha version; the list of checks is the following:

  • SQL Injection
  • XSS
  • Unsecure object using
  • Local path disclosure
  • Unsecure directory permissions
  • Server vulnerabilities like buffer overflow and configure error
  • Possible sensitive directories and files scan
  • Backup files scan
  • Source code disclosure
  • Command Execute
  • File Include
  • Web backdoor
  • Sensitive information
  • And so much more......
It also claims to exploit the vulnerabilities, but I didn't try that option yet.

Here is a screenshot of the tool in action:




You can download it from here

-CMM

Tuesday, December 2, 2008

Shellcode2Exe

Here is a tool that could be handy when you stumble upon a shellcode and want to create a binary to analyze with a debugger:

Shellcode2Exe

Just paste the shellcode and click submit; right now it supports 3 types of shellcode:

1) %u urlencoded IE shellcode payloads
2) \x style C strings
3) raw hex strings with no spaces ex. 9090EB15

It's based on a tool that you can find in the Malcode Analyzing Pack from iDefense.
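To show what the tool has to do before it can wrap the bytes in a binary, here is an added example (not Shellcode2Exe's code) that recognises the three input styles listed above and normalises each of them to the same raw byte sequence. The sample inputs are constructed for the example; the byte values are arbitrary and chosen only to make the conversions visible.

```python
import re

# Constructed inputs: the same 4-byte sequence written in each of the three
# styles the post lists (arbitrary bytes, not a real payload).
SAMPLES = {
    "urlencoded": "%u9090%u15EB",                  # IE-style %uXXXX units
    "c_string":   '"\\x90\\x90"\n"\\xEB\\x15";',  # \x escapes split across two C literals
    "raw_hex":    "9090EB15",                      # bare hex, no spaces
}

def detect_style(text):
    """Classify pasted shellcode text as one of the three supported styles."""
    s = "".join(text.split())                       # drop whitespace and newlines
    if re.fullmatch(r"(%u[0-9a-fA-F]{4})+", s):
        return "urlencoded"
    if re.fullmatch(r'"?(\\x[0-9a-fA-F]{2}|")+;?', s):
        return "c_string"
    if re.fullmatch(r"([0-9a-fA-F]{2})+", s):       # even number of hex digits only
        return "raw_hex"
    raise ValueError("unrecognised or malformed shellcode text")

def decode_shellcode(text):
    """Normalise any of the three styles into the raw byte sequence."""
    style = detect_style(text)
    s = "".join(text.split())
    if style == "urlencoded":
        # Each %uXXXX is a 16-bit code unit; JavaScript's unescape() lays it out
        # little-endian in memory, so %u9090%u15EB becomes 90 90 EB 15.
        units = (int(s[i + 2:i + 6], 16) for i in range(0, len(s), 6))
        return b"".join(u.to_bytes(2, "little") for u in units)
    if style == "c_string":
        return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))
    return bytes.fromhex(s)

def decode_all(samples=SAMPLES):
    """Decode every sample; the three results should be identical."""
    return {name: decode_shellcode(text) for name, text in samples.items()}
```

Note the byte-order detail in the %u case: a unit of %u15EB yields the bytes EB 15, which is why a naive hex conversion of the digits gives a different binary.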

Thanks Vicente for the tip

-CMM

Monday, December 1, 2008

Windows Prefetcher and forensic analysis

When doing forensic analysis, you often need to find out whether a user ran a binary on the analyzed system. There are some places where we can obtain information about application runs, like entries in the "RunMRU" registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), but today I will talk about the Prefetcher files.

The Prefetcher:

"It is a component of the Memory manager that speeds up the Windows boot process, and shortens the amount of time it takes to start up programs."

"Windows XP monitors the files that are used when the computer starts and when you start applications. By monitoring these files, Windows XP can prefetch them. Prefetching data is the process whereby data that is expected to be requested is read ahead into the cache. Prefetching boot files and applications decreases the time needed to start Windows XP and start applications."

This feature was introduced with XP, and it's also available in Vista.

In short, when you launch an application Windows will create a .pf file in the prefetch directory (%SYSTEMROOT%\Prefetch\); this file contains information to speed up future startups of that application.

This file contains different information about the application, but at the end of the file we can find the path of the file image.

The name of the file is FILE-HASH.pf, where HASH is calculated from the path of the file image, so if the same binary is run from two different locations we will have two different prefetch files.

So now you can find out whether an application was run on the Windows system, and you can add the MAC times of the prefetch file and of the image file to the timeline analysis; there is also a counter of how many times the application was run. (You can use Windows File Analyzer to get all this information.)

This can be helpful when analyzing malware on infected machines: the malware may have been deleted but the prefetch entry is still available, or you can find the malware's executable by analyzing all the prefetch files.

Maybe you are wondering how many files Windows will save? It's supposed to maintain 128 entries; any entry over 128 will be flushed, and the most frequently used applications will be preserved.
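As an added example (not from the post or from Windows File Analyzer), here is a small parser that pulls the pieces discussed above out of a .pf file: the executable name and hash that form the FILE-HASH.pf name, the run counter, the last-run timestamp, and the image path from the filename strings near the end of the file. The field offsets for format versions 17 (XP/2003) and 23 (Vista/7) are an assumption taken from public descriptions of the SCCA format, so confirm them against real samples; the sample .pf blob is constructed inline so the code runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets (relative to the file-information block at 0x54) of the fields we need, per
# format version: 17 = XP/2003, 23 = Vista/7. Assumed from public SCCA format docs.
INFO_OFFSET = 0x54
LAYOUT = {17: {"last_run": 36, "run_count": 60}, 23: {"last_run": 44, "run_count": 68}}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return the forensic essentials of a .pf file: name, hash, run count, last run, path."""
    version, sig, _unused, _size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError("not a supported prefetch file")
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    strings_off, strings_size = struct.unpack_from("<II", data, INFO_OFFSET + 16)
    (last_run,) = struct.unpack_from("<Q", data, INFO_OFFSET + LAYOUT[version]["last_run"])
    (run_count,) = struct.unpack_from("<I", data, INFO_OFFSET + LAYOUT[version]["run_count"])
    # The filename strings section lists every file the prefetcher saw, including the
    # image itself; that is the "path at the end of the file" the post refers to.
    paths = [p for p in data[strings_off:strings_off + strings_size]
             .decode("utf-16-le").split("\x00") if p]
    image = next((p for p in paths if p.upper().endswith("\\" + exe_name.upper())), None)
    return {"version": version, "exe_name": exe_name, "hash": f"{pf_hash:08X}",
            "pf_filename": f"{exe_name}-{pf_hash:08X}.pf", "run_count": run_count,
            "last_run": filetime_to_datetime(last_run), "image_path": image, "paths": paths}

def build_sample_v17(exe_name, pf_hash, last_run, run_count, paths):
    """Build a constructed XP-style (version 17) .pf blob so the parser can run offline."""
    strings = "".join(p + "\x00" for p in paths).encode("utf-16-le")
    info = bytearray(68)
    struct.pack_into("<II", info, 16, INFO_OFFSET + 68, len(strings))  # strings offset/size
    delta = last_run - EPOCH_1601
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    struct.pack_into("<Q", info, 36, ticks)
    struct.pack_into("<I", info, 60, run_count)
    header = struct.pack("<I4sII", 17, b"SCCA", 0x0F, INFO_OFFSET + 68 + len(strings))
    header += exe_name.encode("utf-16-le").ljust(60, b"\x00") + struct.pack("<II", pf_hash, 0)
    return bytes(header) + bytes(info) + strings

# Constructed sample: notepad run five times, last on 1 Dec 2008; the hash value is made up.
LAST_RUN = datetime(2008, 12, 1, 9, 30, tzinfo=timezone.utc)
SAMPLE_PF = build_sample_v17("NOTEPAD.EXE", 0x1234ABCD, LAST_RUN, 5,
    [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
     r"\DEVICE\HARDDISKVOLUME1\WINDOWS\NOTEPAD.EXE"])
```

Running parse_prefetch over every file in %SYSTEMROOT%\Prefetch\ and sorting by last_run gives the execution timeline the post describes, with the on-disk MAC times of each .pf added separately.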

Do you know more places to find information about application runs?

More info on Prefetch

A tool for analyzing Prefetch directory: Windows File Analyzer

-CMM

Wfuzz 2.2.0 released

I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...