Monday, September 15, 2008

McAfee ePO4 Database Maintenance

The ePO database usually grows very fast; in my case it had grown to 40 GB in just a couple of months. To keep the size below 20 GB I had to perform some steps, for which I created a SQL Server 2005 T-SQL script. You can copy it and optimize/change it as per your needs. Please find the script below.

----------------------------------------------------
-- BACKUP Database on Disk\Network Location
----------------------------------------------------

USE master;
GO

-- Database backup with the INIT option will replace an existing file of the
-- same name in the backup folder; to avoid this, drop 'WITH INIT' from the
-- BACKUP line. The file name carries the date (yyyymmdd), so INIT only
-- overwrites a backup taken earlier the same day.
-- The variable uses a single @: SQL Server reserves the @@ prefix for
-- system functions.

DECLARE @Location nvarchar(260);

SET @Location = N'disk_or_network_location\epo4database-'
              + CONVERT(nvarchar(8), GETDATE(), 112) + N'.bak';

BACKUP DATABASE [ePO4_DATABASE] TO DISK = @Location WITH INIT;
GO

----------------------------------------------------
-- Clear Database for keeping only one month records
----------------------------------------------------

USE [ePO4_DATABASE];
GO

-- ReceivedUTC is stored in UTC, so compare it against GETUTCDATE(), not the
-- server's local time. Delete in batches: a single DELETE over months of
-- events is one transaction and grows the log by roughly the amount of
-- space you are trying to reclaim.

WHILE 1 = 1
BEGIN
    DELETE TOP (10000) FROM EPOEvents
    WHERE ReceivedUTC < DATEADD(day, -31, GETUTCDATE());
    IF @@ROWCOUNT = 0 BREAK;
END
GO

----------------------------------------------------
-- Shrink the EPO Database log file to 4 MB
----------------------------------------------------

USE [ePO4_DATABASE];
GO

-- Set database recovery model to SIMPLE so the log is truncated at the next
-- checkpoint.

ALTER DATABASE [ePO4_DATABASE]
SET RECOVERY SIMPLE;
GO

-- Shrink the truncated log file to 4 MB. DBCC SHRINKFILE takes the logical
-- name of the LOG file (by default <database name>_log), not the database
-- name; confirm it with:
--   SELECT name, type_desc FROM sys.database_files;

DBCC SHRINKFILE (N'ePO4_DATABASE_log', 4);
GO

-- Set database recovery model back to FULL. Switching SIMPLE -> FULL breaks
-- the log backup chain, so take a fresh full backup right after this step;
-- earlier log backups cannot be restored across it.

ALTER DATABASE [ePO4_DATABASE]
SET RECOVERY FULL;
GO



Identifying the Number of Connections on a Linux Device

I had a problem on one of my security devices whose host operating system was Linux. All I needed was to identify the number of connections per IP without identifying the software, along with how many new connections it was requesting in a certain time for SMTP (this can be changed to your required protocol/port as specified with tcpdump). After doing some googling and making some changes to the scripts/commands, this worked for me.

Run these commands on your console to get the desired results. The Foreign Address column is taken with awk rather than fixed byte offsets, so the commands keep working when netstat changes its column widths.

Number of connections per IP with all types of socket states (listening sockets excluded)

netstat -nta | awk 'NR > 2 && $6 != "LISTEN" { print $5 }' | grep -o -P "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" | sort | uniq -c | sort -n -r

Number of connections per IP that are currently in ESTABLISHED state

netstat -nta | awk '$6 == "ESTABLISHED" { print $5 }' | grep -o -P "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" | sort | uniq -c | sort -n -r

Number of SYN requests received per source IP. The filter matches only packets with SYN set and ACK clear, i.e. the first packet of a handshake, so SYN-ACKs are never counted; time reports how long it took to see 500 of them, which gives you the rate, and head shows the top 25 sources.

time /usr/sbin/tcpdump -n -s 200 -c 500 'dst port smtp and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | grep -o -P '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,5}\s>' | cut -d '.' -f 1-4 | sort | uniq -c | sort -n -r | head -25
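The one-liners above do the per-IP count by hand each time. The script below is an added example, not part of the original post: it wraps the same idea in two shell functions that read the Foreign Address column with awk, filter by socket state, and list only peers above a threshold. The netstat listing inside it is constructed sample data so it runs offline; the function names count_by_peer and peers_over are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: count remote peers from
# `netstat -nta` output by reading the Foreign Address column with awk rather
# than fixed byte offsets (cut -b 45-80), which break as soon as netstat
# widens a column. The listing below is constructed so the script runs
# offline; on a real host pipe in `netstat -nta` instead.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:51022      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:51023      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:51024      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.44:40001      ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.44:40002      TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.9:60000       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN'

# count_by_peer [STATE]
#   Reads netstat -nta output on stdin and prints "count ip" lines, busiest
#   peer first. With STATE given (e.g. ESTABLISHED, SYN_RECV) only sockets in
#   that state are counted. LISTEN sockets (wildcard peer) are always skipped,
#   and only IPv4 peers are counted; tcp6 sockets are ignored.
count_by_peer() {
    awk -v want="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" && (want == "" || $6 == want) {
            peer = $5
            sub(/:[0-9*]*$/, "", peer)                 # drop ":port"
            if (peer ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[peer]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# peers_over THRESHOLD [STATE]
#   Same as count_by_peer but lists only peers holding more than THRESHOLD
#   sockets; a quick check for a single host hammering the SMTP listener.
peers_over() {
    count_by_peer "$2" | awk -v t="$1" '$1 + 0 > t + 0'
}

# Stand-alone demo on the constructed listing. On a live box:
#   netstat -nta | count_by_peer ESTABLISHED
#   netstat -nta | peers_over 50 SYN_RECV
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_peer
```

Because the functions read stdin, the same code works unchanged with `ss -nta`, whose columns are laid out the same way apart from the header line.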

Sunday, September 14, 2008

Security Management And Risk Tracking (SMART)

Security Management and Risk Tracking is a web-based application for managing an information security practice. This is a comprehensive solution that enables a corporation to manage:

  • Information security policy
  • Security policy exception handling
  • Security Certification and Accreditation (SC&A)
  • Issue tracking for security audit, pen testing, SOX, and so on
  • Third party connection management
  • Asset and vendor management

A number of other services are also included in this solution. This is an enterprise-ready application that greatly reduces the time and effort to manage a security practice.

    Site: http://smart.conformix.com/ 



    Russex - Wireless Pentesting Distribution

    Site: http://www.russix.com/


    Russix evolved from an internal UK military wireless auditing tool (Debian-based) which Russ had developed while working for them as a penetration tester. Russix is a free download for auditing. It scripts together several WLAN attacks and will allow the user to break a WEP key in about 6 keystrokes! It will not be modified by us to make it into a phishing tool, as that would be evil.

    Snapshots



    I'm back

    Well, it's been approximately a year since I've written anything. I had switched jobs; now I am planning to write about some of my experiences with McAfee products and security distributions.

    So let's hope I can keep on posting.

    Friday, November 23, 2007

    Want to use IPFW of FreeBSD on Windows ?

    WIPFW is a version of FreeBSD's IPFW that runs on MS Windows. You get the same functionality and configure it just as you would IPFW.

    IPFW is a packet filtering and accounting system which resides in kernel mode and has a user-land control utility, ipfw. Together, they allow you to define and query the rules used by the kernel in its routing decisions.

    There are two related parts to ipfw. The firewall section performs packet filtering. There is also an IP accounting section which tracks usage of the router, based on rules similar to those used in the firewall section. This allows the administrator to monitor how much traffic the router is getting from a certain machine, or how much WWW traffic it is forwarding, for example.

    As a result of the way that ipfw is designed, you can use ipfw on non-router machines to perform packet filtering on incoming and outgoing connections. This is a special case of the more general use of ipfw, and the same commands and techniques should be used in this situation.

    For more details, visit the following link:

    http://wipfw.sourceforge.net/index.html

    Thursday, November 22, 2007

    Need an Example Policy or Template?

    SANS has received permission to provide sanitized security policies from a large organization. These policies were developed by a group of experienced security professionals with more than 80 years of combined experience in government and commercial organizations, and each policy went through a vigorous approval process. They should form a good starting point if you need one of these policies.

    Some tips about these policies. Anything that is in <brackets> should be replaced with the appropriate name from your organization. The term "InfoSec" is used throughout these documents to refer to the team of people responsible for network and information security. Replace "InfoSec" with the appropriate group name from your organization. Any policy name that is in italics is a reference to a policy that is also available on this site.


    For further details, visit the following link:

    http://www.sans.org/resources/policies/

    Friday, November 09, 2007

    Firecat

    Convert your Firefox into the ultimate auditing tool with Firecat; it encompasses all of the plugins mentioned below.

    Information gathering
    • Whois and geo-location
      • ShowIP : Show the IP address of the current page in the status bar. It also allows querying custom services by IP (right mouse button) and Hostname (left mouse button), like whois, netcraft.
      • Shazou : The product called Shazou (pronounced Shazoo it is Japanese for mapping) enables the user with one-click to map and geo-locate any website they are currently viewing.
      • HostIP.info Geolocation : Displays Geolocation information for a website using hostip.info data. Works with all versions of Firefox.
      • Active Whois : Starting Active Whois to get details about any Web site owner and its host server.
      • Bibirmer Toolbar : An all-in-one extension. But auditors need to play with the toolbox. It includes ( WhoIs, DNS Report, Geolocation , Traceroute , Ping ). Very useful for information gathering phase
    • Enumeration / fingerprinting
      • Header Spy: Shows HTTP headers on statusbar
      • Header Monitor : This is Firefox extension for display on statusbar panel any HTTP response header of top level document returned by a web server. Example: Server (by default), Content-Encoding, Content-Type, X-Powered-By and others.
    • Social engineering
      • People Search and Public Record: This Firefox extension is a handy menu tool for investigators, reporters, legal professionals, real estate agents, online researchers and anyone interested in doing their own basic people searches and public record lookups as well as background research.
    • Googling and spidering
      • Advanced dork : Gives quick access to Google’s Advanced Operators directly from the context menu. This could be used to scan for hidden files or narrow in a target anonymously (via the scroogle.org option) [Updated Definition. Thanks to CP author of Advanced Dork]
      • SpiderZilla : Spiderzilla is an easy-to-use website mirror utility, based on Httrack from www.httrack.com.
      • View Dependencies : View Dependencies adds a tab to the "page info" window, in which it lists all the files which were loaded to show the current page. (useful for a spidering technique)

    - Security Assessment / Code auditing

    • Editors
      • JSView : The ’view page source’ menu item now opens files based on the behavior you choose in the jsview options. This allows you to open the source code of any web page in a new tab or in an external editor.
      • Cert Viewer Plus : Adds two options to the certificate viewer in Firefox or Thunderbird: an X.509 certificate can either be displayed in PEM format (Base64/RFC 1421, opens in a new window) or saved to a file (in PEM or DER format - and PKCS#7 provided that the respective patch has been applied - cf.
      • Firebug : Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page
      • XML Developer Toolbar: allows XML developers to use standard tools all from your browser.
    • Headers manipulation
      • HeaderMonitor : This is Firefox extension for display on statusbar panel any HTTP response header of top level document returned by a web server. Example: Server (by default), Content-Encoding, Content-Type, X-Powered-By and others.
      • RefControl : Control what gets sent as the HTTP Referer on a per-site basis.
      • User Agent Switcher: Adds a menu and a toolbar button to switch the user agent of the browser
    • Cookies manipulation
      • Add N Edit Cookies : Cookie Editor that allows you add and edit "session" and saved cookies.
      • CookieSwap : CookieSwap is an extension that enables you to maintain numerous sets or "profiles" of cookies that you can quickly swap between while browsing
      • httpOnly : Adds httpOnly cookie support to Firefox by encrypting cookies marked as httpOnly on the browser side
      • Allcookies : Dumps ALL cookies (including session cookies) to Firefox standard cookies.txt file
    • Security auditing
      • HackBar : This toolbar will help you in testing SQL injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code.
      • Tamper Data : Use tamperdata to view and modify HTTP/HTTPS headers and post parameters.
      • Chickenfoot : Chickenfoot is a Firefox extension that puts a programming environment in the browser’s sidebar so you can write scripts to manipulate web pages and automate web browsing. In Chickenfoot, scripts are written in a superset of Javascript that includes special functions specific to web tasks.

    - Proxy/web utilities

    • FoxyProxy : FoxyProxy is an advanced proxy management tool that completely replaces Firefox’s proxy configuration. It offers more features than SwitchProxy, ProxyButton, QuickProxy, xyzproxy, ProxyTex, etc
    • SwitchProxy: SwitchProxy lets you manage and switch between multiple proxy configurations quickly and easily. You can also use it as an anonymizer to protect your computer from prying eyes
    • POW (Plain Old WebServer) : The Plain Old Webserver uses Server-side Javascript (SJS) to run a server inside your browser. Use it to distribute files from your browser. It supports Server-side JS, GET, POST, uploads, Cookies, SQLite and AJAX. It has security features to password-protect your site. Users have created a wiki, chat room and search engine using SJS.

    - Misc

    • Hacks for fun
      • Greasemonkey : Allows you to customize the way a webpage displays using small bits of JavaScript (scripts can be downloaded here)
    • Encryption
      • Fire Encrypter : FireEncrypter is a Firefox extension which gives you encryption/decryption and hashing functionality right from your Firefox browser, mostly useful for developers or for education & fun.
    • Anti Spoof
      • refspoof : Makes it easy to pretend to originate from a site by overriding the URL referrer in an HTTP request. It does this through the pseudo-protocol spoof://, so the information can be stored in a hyperlink that can be used in any context, such as HTML pages or bookmarks.

    MindMap of firecat

    Saturday, October 06, 2007

    Auditing RDP using Backtrack

    First, BackTrack has no support by default for RDP auditing/cracking; for that we will be patching rdesktop 1.5 with the brute-force patch from foofus.net.

    Follow these steps:

    1. First remove the rdesktop package; use pkgtool to remove the rdesktop package
    2. Download the rdesktop version 1.5 source from www.rdesktop.org
    3. Download the patch from the following link http://www.foofus.net/jmk/rdesktop.html

    Patching rdesktop (the commands assume the diff was saved into the unpacked source directory, which the rdesktop-1.5.0 tarball names rdesktop-1.5.0)

    tar xzf rdesktop-1.5.0.tar.gz
    cd rdesktop-1.5.0/
    patch -p1 -i rdp-brute-force-r805.diff
    ./configure
    make
    make install


    Usage

    Brute-force attack using a password file:
    rdesktop -u administrator -p passwords.txt 192.168.0.100

    Brute-force attack reading passwords from STDIN (one per line):
    rdesktop -u administrator -p - 192.168.0.100

    The following example shows one way to use rdesktop with the Medusa wrapper module. "-p -" makes rdesktop read passwords from STDIN, which is where the wrapper module (TYPE:STDIN) supplies them; %U and %H are replaced by the current user and host:

    medusa -M wrapper -m TYPE:STDIN -m PROG:rdesktop -m ARGS:"-u %U -p - %H" -H hosts.txt -U users.txt -P passwords.txt

    rdesktop still needs an X display for every attempt. One possible method for hiding the graphical output is to start a virtual framebuffer and point DISPLAY at it before running the commands above:
    % Xvfb :97 -ac -nolisten tcp &
    % export DISPLAY=:97

    Keep in mind that every failed logon counts against the target account's lockout threshold, so check the lockout policy (or try a single known password first) before running a long list against domain accounts.


    Cracking WEP

    Let's see how it can be done on Windows and Linux.

    Cracking WEP on Linux (BackTrack 2)



    Cracking WEP on Windows using Cain and Abel


    Backtrack Introduction

    Backtrack Preview

    Video 1



    Video 2

    Tor and its initialization Problem

    Initially when i started tor, it prompted the following message


    [notice] I learned some more directory information, but not enough to build a circuit.



    The problem, I found after spending some minutes, was that the version of Tor that comes with BackTrack 2 is a bit old, so it has some old info regarding the virtual circuit. End result: you have to leave Tor running for a while; it keeps on polling and will establish a virtual circuit after a while.

    Setting up GPRS (Warid, Pak) on BackTrack 2 (linux)

    Well, I had to use Warid GPRS; after some googling I found some pppd scripts, which I have modified for my needs. The phone I used was a Nokia E50 over a USB cable. BackTrack 2 is based on Slackware; the kernel version is 2.6.20-BT-PwnSauce-NOSMP.

    In /etc/ppp/peers you will have to create three files, namely gprs, gprs-connect-chat and gprs-disconnect-chat.

    gprs file



    # $Id: gprs,v 1.4 2004/04/28 08:40:32 mcfrisk Exp $
    #
    # File:
    # gprs
    #
    # Description:
    # Serial cable, IrDA, Bluetooth and USB pppd options for GPRS phones.
    # See 'man pppd' for detailed option descriptions.

    # Most GPRS phones don't reply to LCP echoes
    lcp-echo-failure 0
    lcp-echo-interval 0

    # Keep pppd attached to the terminal:
    # Comment this out to get daemon mode pppd
    nodetach

    # Debug info from pppd:
    # Comment this out if you don't need more info
    debug

    # Show password in debug messages. Harmless here, since this setup sends
    # no username/password to the APN, but with an authenticated APN this
    # writes the PAP/CHAP secret to syslog, so comment it out in that case.
    show-password

    # Connect script:
    # scripts to initialize the GPRS modem and start the connection,
    # wvdial command is for Orange SPV while other phones should work with chat
    connect /etc/ppp/peers/gprs-connect-chat
    #connect "/usr/bin/wvdial --chat --config /etc/ppp/peers/gprs-wvdial.conf radiolinja_usb_orange_spv"

    # Disconnect script:
    # AT commands used to 'hangup' the GPRS connection.
    disconnect /etc/ppp/peers/gprs-disconnect-chat

    # Serial device to which the GPRS phone is connected:
    # /dev/ttyS0 for serial port (COM1 in Windows),
    # /dev/ircomm0 for IrDA,
    # /dev/rfcomm0 for Bluetooth (Bluez with rfcomm running),
    # /dev/ttyUSB0 for USB serial devices and
    # /dev/ttyACM0 for phones that show up as a USB modem (cdc-acm driver),
    # which is what the Nokia E50 does over the USB cable.
    #/dev/ttyS0 # serial port one
    #/dev/ttyS1 # serial port two
    #/dev/ircomm0 # IrDA serial port one
    #/dev/rfcomm0 # Bluetooth serial port one
    #/dev/ttyUSB0 # USB serial device, for example Orange SPV

    /dev/ttyACM0
    # Serial port line speed
    115200 # fast enough
    #57600 # perhaps useful with IrDA as some phones don't like
    # speeds higher than this

    # Hardware flow control:
    # Use hardware flow control with cable, Bluetooth and USB but not with IrDA.
    crtscts # serial cable, Bluetooth and USB, on some occasions with IrDA too
    #nocrtscts # IrDA

    # Ignore carrier detect signal from the modem:
    local

    # IP addresses:
    # - accept peers idea of our local address and set address peer as 10.0.0.1
    # (any address would do, since IPCP gives 0.0.0.0 to it)
    # - if you use the 10. network at home or something and pppd rejects it,
    # change the address to something else
    :10.0.0.1

    # pppd must not propose any IP address to the peer!
    noipdefault

    # Accept peers idea of our local address
    ipcp-accept-local

    # Add the ppp interface as default route to the IP routing table
    defaultroute

    # Newer pppd's also support replacing the default route, if one is
    # already present, when the GPRS connection should be set as the default route
    # to the network
    #replacedefaultroute

    # DNS servers from the phone:
    # some phones support this, some don't.
    usepeerdns

    # ppp compression:
    # ppp compression may be used between the phone and the pppd, but the
    # serial connection is usually not the bottleneck in GPRS, so the
    # compression is useless (and with some phones need to disabled before
    # the LCP negotiations succeed).
    novj
    nobsdcomp
    novjccomp
    nopcomp
    noaccomp

    # The phone is not required to authenticate:
    noauth

    # Username and password:
    # If username and password are required by the APN, put here the username
    # and put the username-password combination to the secrets file:
    # /etc/ppp/pap-secrets for PAP and /etc/ppp/chap-secrets for CHAP
    # authentication. See pppd man pages for details.
    # Example, Radiolinja operator pap-secrets:
    # "rlnet" * "internet" *
    #user "rlnet"

    # The persist option tries to reopen the connection if it is dropped. This
    # is useful for example with a Nokia 7650 which only manages to
    # 'dial' with every second attempt or when the network likes to drop the
    # connection every now and then. It's not fun when the over-night
    # 'apt-get dist-upgrade -d -y' fails constantly...
    #persist
    #maxfail 99

    # Asyncmap:
    # some phones may require this option.
    #asyncmap 0xa0000

    # No magic:
    # some phones may require this option.
    #nomagic

    # Require PAP authentication:
    # some phones may require this option.
    #require-pap

    #----------------------------------------------------------------

    gprs-connect-chat file


    #!/bin/sh
    #
    # $Id: gprs-connect-chat,v 1.2 2004/02/02 23:19:28 mcfrisk Exp $
    #
    # File:
    # gprs-connect-chat
    #
    # Description:
    # chat script to open Radiolinja's GPRS service with GPRS phones, adapted
    # here for the Warid APN. If ppp
    # negotiation stalls, try restarting the phone. To try another GPRS
    # operator's settings, change the PDP context setting. The settings work with
    # most Ericsson models, but Nokia 8310 and 30 do not support QoS parameters
    # with AT commands, so just delete those lines and it'll work.
    #
    # Set PDP context CID=1, protocol=IP, APN=warid (Warid's APN; change it
    # for another operator):
    # AT+CGDCONT=1,"IP","warid","",0,0
    #
    # Set CID=1 QoS requirements from the network, not supported by Nokia:
    # AT+CGQREQ=1,0,0,0,0,0
    #
    # Set CID=1 minimum acceptable QoS parameters, not supported by Nokia:
    # AT+CGQMIN=1,0,0,0,0,0
    #
    # 'Call' CID=1 (activate PDP context one, perform GPRS attach):
    # ATD*99***1#
    #
    # Some phones like the Orange SPV (yes, the Microsoft Smartphone) use this
    # dial string to start GPRS connection:
    # ATD*99#
    #
    # The actual chat script:
    exec chat \
    TIMEOUT 5 \
    ECHO ON \
    ABORT '\nBUSY\r' \
    ABORT '\nERROR\r' \
    ABORT '\nNO ANSWER\r' \
    ABORT '\nNO CARRIER\r' \
    ABORT '\nNO DIALTONE\r' \
    ABORT '\nRINGING\r\n\r\nRINGING\r' \
    '' \rAT \
    TIMEOUT 12 \
    SAY "Press CTRL-C to close the connection at any stage!" \
    SAY "\ndefining PDP context...\n" \
    OK ATH \
    OK ATE1 \
    OK 'AT+CGDCONT=1,"IP","warid","",0,0' \
    OK ATD*99# \
    TIMEOUT 22 \
    SAY "\nwaiting for connect...\n" \
    CONNECT "" \
    SAY "\nConnected." \
    SAY "\nIf the following ppp negotiations fail,\n" \
    SAY "try restarting the phone.\n"

    #----------------------------------------------------------------

    gprs-disconnect-chat file


    #!/bin/sh
    #
    # $Id: gprs-disconnect-chat,v 1.3.2.2 2006/02/14 20:20:17 mcfrisk Exp $
    #
    # File:
    # gprs-disconnect-chat
    #
    # send break
    exec /usr/sbin/chat -V -s -S \
    ABORT "BUSY" \
    ABORT "ERROR" \
    ABORT "NO DIALTONE" \
    SAY "\nSending break to the modem\n" \
    "" "\K" \
    "" "\K" \
    "" "\K" \
    "" "\d\d+++\d\dATH" \
    SAY "\nPDP context detached\n"


    #----------------------------------


    If there is a DNS problem, modify /etc/resolv.conf and add your GPRS provider's DNS servers there. With usepeerdns in the gprs file, pppd writes the servers it received from the network to /etc/ppp/resolv.conf, so that file is the place to copy them from.
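For the DNS problem above, the following /etc/ppp/ip-up hook is an added example and not one of the original post's files. With usepeerdns, pppd hands the servers it negotiated to the ip-up script in the environment variables DNS1 and DNS2 (and also writes them to /etc/ppp/resolv.conf), so the hook rebuilds /etc/resolv.conf from them instead of editing it by hand after every connect. The function name write_resolv_conf and the RESOLV override are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: an /etc/ppp/ip-up hook that
# rebuilds /etc/resolv.conf from the DNS servers the GPRS network handed out.
# With `usepeerdns` pppd exports them as DNS1 and DNS2 to the ip-up script
# (and writes them to /etc/ppp/resolv.conf as well). Assumptions: pppd runs
# this as /etc/ppp/ip-up (or from your distribution's ip-up hook) with the
# usual arguments  iface tty speed local-ip remote-ip ipparam.

RESOLV=${RESOLV:-/etc/resolv.conf}   # override for testing: RESOLV=/tmp/r.conf

# write_resolv_conf FILE SERVER...
#   Writes FILE with one "nameserver" line per usable SERVER, skipping empty
#   arguments and 0.0.0.0 (some phones return that when the network sent no
#   server). Writes to a temp file and renames it so a reader never sees a
#   half-written file, and keeps a .ppp-backup copy of the previous FILE for
#   an ip-down script to restore. Returns 1 and leaves FILE untouched if
#   nothing usable was supplied, so the old resolv.conf stays in place.
write_resolv_conf() {
    file=$1; shift
    servers=
    for s in "$@"; do
        case $s in
            ''|0.0.0.0) ;;
            *) servers="$servers $s" ;;
        esac
    done
    [ -n "$servers" ] || return 1
    tmp="$file.tmp.$$"
    {
        echo "# written by /etc/ppp/ip-up for ${IFNAME:-ppp0}; edits will be lost"
        for s in $servers; do
            echo "nameserver $s"
        done
    } > "$tmp"
    if [ -f "$file" ]; then
        cp -p "$file" "$file.ppp-backup"
    fi
    mv "$tmp" "$file"
}

# Hook entry point: pppd passes iface tty speed local-ip remote-ip ipparam.
IFNAME=${1:-ppp0}
if [ -n "$DNS1$DNS2" ]; then
    write_resolv_conf "$RESOLV" "$DNS1" "$DNS2" ||
        echo "ip-up: $IFNAME came up but the peer supplied no usable DNS server" >&2
fi
```

If the network never supplies DNS servers (DNS1 and DNS2 stay empty), the hook does nothing and the manual edit of /etc/resolv.conf described above remains the fallback.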