Saturday, December 5, 2015

Windows 10 - Compact OS

Windows 10 deploys a compression algorithm that enables the operating system to reclaim 1.5GB of storage on 32-bit systems, and up to 2.6GB in 64-bit Windows. This system is called Compact OS, and depending on a number of variables, such as processor speed, available RAM, and disk type and size, Windows automatically enables compression of system files during the upgrade process. If Compact OS is enabled, Windows Universal Apps are compressed to save space.

To determine if Compact OS is enabled on your system, open a command prompt and type compact /CompactOS:query.

If you want to manually enable or disable Compact OS, open a command prompt with administrator privileges, and run compact /CompactOS:always or compact /CompactOS:never.

Zero Assumption Recovery or ZAR

Zero Assumption Recovery or ZAR is a data recovery application.  A demo is available that allows recovery of images from sources such as SD cards.

http://www.z-a-recovery.com/

Opnsense

Opnsense is an open source FreeBSD based firewall and routing platform.

https://opnsense.org/

Smoothwall

The Smoothwall Open Source Project was set up in 2000 to develop and maintain Smoothwall Express - a Free firewall that includes its own security-hardened GNU/Linux operating system and an easy-to-use web interface.

http://www.smoothwall.org/

Protect Your Bubble

Protect Your Bubble is a third-party independent electronic insurance company.

https://us.protectyourbubble.com/

ConvertAudioFree web site

ConvertAudioFree has several utilities concerning the conversion of video and audio files from one format to another.

http://convertaudiofree.com/

Autopsy

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.

http://www.sleuthkit.org/autopsy/

Test PDF file that drops an EICAR test file

Didier Stevens has created a test .PDF file that contains a DOC file that drops the EICAR test file.  This can be used to test a security application, or to check whether the PDF viewer supports JavaScript.

http://blog.didierstevens.com/2015/08/28/test-file-pdf-with-embedded-doc-dropping-eicar/

Sunday, November 1, 2015

Reset Windows Update Agent Script

The Reset Windows Update Agent Script provides a menu of troubleshooting options for the Windows Update service, including fixing corrupt registry values, resetting the Windows Update components, deleting temporary files, and resetting the Winsock settings.

https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc

Rights Management Services Analyzer Tool

The Rights Management Services Analyzer Tool can analyze and help resolve problems with environments that are both AD RMS and Azure RMS-based. It can also check on local RMS client configuration and Azure RMS connector deployments that help connect on-premises services to Azure RMS.

http://www.microsoft.com/en-us/download/details.aspx?id=46437

testssl.sh

testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws.

https://testssl.sh/

Techwalla

Techwalla is a review site that includes information from multiple sources.

https://techwalla.com/

3D Touch with iOS

Newer iPhone models include a feature called 3D Touch.  It is similar to a right-click on an item within Windows.  To disable this feature, access General –> Accessibility –> 3D Touch.

Test IPv6 web site

The Test IPv6 web site will offer details on your current IPv6 configuration.

http://test-ipv6.com/

Wi-Fi Assist with iOS 9

iOS version 9 introduced a new feature named Wi-Fi Assist.  It allows an existing communication to switch from Wi-Fi to cellular if the Wi-Fi signal drops too low.  To disable this feature, access Settings –> Cellular and scroll down to the bottom of the list.

How to remove Candy Crush from Windows 10

To view installed applications for a particular user, launch an elevated PowerShell prompt and use the command Get-AppxPackage -User username.  This should produce a long list of installed “Modern” applications.

To remove Candy Crush, add the parameter -Name king.com.CandyCrushSaga.  The value to note in the output is PackageFullName.

The cmdlet to remove a “Modern” application is Remove-AppxPackage.  If you run it from the same elevated prompt (that is, not as the user who owns the package), an error is returned.

Running Remove-AppxPackage with the full package name from a PowerShell session under the user account in question should succeed.
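The steps above as one script, added here as an example and not taken from the original post: it looks up the package by name, prints the PackageFullName, removes it, and confirms it is gone.  Run it in a PowerShell session under the account that owns the package; the -WhatIf switch is the script's own dry-run option, and the package name is the one from the post.

```powershell
# Added example (not from the original post): remove an installed "Modern" app
# for the current user by name. Run in a PowerShell session opened as the user
# who owns the package, not just from an elevated admin prompt.
param(
    [string]$PackageName = 'king.com.CandyCrushSaga',   # name used in the post
    [switch]$WhatIf                                      # script's own dry-run switch
)

$pkgs = Get-AppxPackage -Name $PackageName
if (-not $pkgs) {
    Write-Host "No package matching '$PackageName' is installed for $env:USERNAME."
    return
}

foreach ($pkg in $pkgs) {
    # PackageFullName is the value the post says to note from Get-AppxPackage
    Write-Host "Found $($pkg.PackageFullName) (version $($pkg.Version))"
    if ($WhatIf) {
        Write-Host "  WhatIf: would run Remove-AppxPackage -Package $($pkg.PackageFullName)"
    } else {
        Remove-AppxPackage -Package $pkg.PackageFullName
        Write-Host "  Removed."
    }
}

# Confirm the package no longer appears for this user
if (-not $WhatIf -and -not (Get-AppxPackage -Name $PackageName)) {
    Write-Host "Verified: $PackageName is no longer installed for $env:USERNAME."
}
```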

Thursday, October 1, 2015

CanaryTokens.org

The CanaryTokens web site offers a free service to send a notification if a link is accessed.

http://canarytokens.org/

How to disable SMB1 for Windows 7 and Windows 8/10

The KB article at https://support.microsoft.com/en-us/kb/2696547 describes how to disable the various SMB versions on different editions of Windows.  To disable SMB1 on Windows 8/10 as a server, launch an elevated PowerShell session and use the following command:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

The following command can verify that SMB1 is disabled:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

To disable SMB1 for Windows 7, use the following command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

To disable SMB1 with Windows 7/8/10 as a client, launch an elevated command prompt and enter the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
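The server-side and client-side steps above combined into one script, added here as an example (not from the KB article or the original post): it chooses the server-side method by whether the SmbShare cmdlets exist on the machine, disables the SMB1 client driver, and reports the resulting state.  Assumes an elevated PowerShell session.

```powershell
# Added example (not from the KB article or the original post): disable SMB1 on
# the server side using the method that fits the OS, then disable the SMB1 client
# driver, and print the result. Run from an elevated PowerShell session.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8/10 and Server 2012+: the SmbShare cmdlets are available
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $state = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
    Write-Host ("SMB1 server: {0}   SMB2 server: {1}" -f $state.EnableSMB1Protocol, $state.EnableSMB2Protocol)
} else {
    # Windows 7 / Server 2008 R2: registry value from the KB article
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
    $val = (Get-ItemProperty -Path $regPath -Name SMB1).SMB1
    Write-Host "SMB1 registry value is now $val (0 = disabled; restart the Server service or reboot to apply)"
}

# Client side (Windows 7/8/10): remove mrxsmb10 from the workstation service's
# dependencies and stop the SMB1 redirector driver from starting at boot.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# Verify the driver start type (4 = disabled); takes effect at next boot
$start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start).Start
Write-Host "mrxsmb10 start type: $start (4 = disabled)"
```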

Low Power Mode with iOS 9

Version 9 of iOS introduced a new Low Power Mode.  You’ll be prompted to activate it each time your iPhone reaches 20 percent battery, but you can also enable it beforehand.  This feature only appears on iPhones and not iPads.  To enable this option, access Settings – Battery.

Evil Foca

Evil Foca is a network attack toolkit for penetration testing professionals and security auditors whose purpose is to test security in IPv4 and IPv6 data networks.  Requirements are Windows and WinPCap.

https://github.com/ElevenPaths/EvilFOCA/

How to disable Telemetry in Windows 7, 8, and 10

Microsoft backported some telemetry features to Windows 7 and 8 that were originally designed during the development of Windows 10.  To disable the service that is tied to this telemetry component, launch an elevated PowerShell session and enter the following commands.

Stop-Service diagtrack
Set-Service diagtrack -StartupType disabled

Zero Day Initiative

Zero Day Initiative is a web site created by TippingPoint to highlight outstanding security issues with various products.

http://www.zerodayinitiative.com/

antiX

antiX is a fast, lightweight and easy-to-install Linux live CD distribution based on Debian's "Testing" branch for x86 compatible systems. antiX offers users the "antiX Magic" in an environment suitable for old computers. The goal of antiX is to provide a light, but fully functional and flexible free operating system for both newcomers and experienced users of Linux. It should run on most computers, ranging from old 64 MB PII 266 systems with a pre-configured 128 MB swap to the latest powerful boxes. 128 MB of RAM is the recommended minimum for antiX. The installer needs a minimum of 2.2 GB of hard disk space. antiX can also be used as a fast-booting rescue CD.

http://antix.mepis.org/

PacketLife.net cheat sheets

The PacketLife.net web site has several network-related cheat sheets available in .PDF format.

http://packetlife.net/library/cheat-sheets/

Tuesday, September 1, 2015

Windows 10 keyboard shortcuts

Below are a few keyboard shortcuts for Windows 10.

WINKEY + TAB –> Task View, which provides thumbnails of all open applications and other windows.

WINKEY + LEFT ARROW –> to snap the active window to the left side of the screen.

WINKEY + RIGHT ARROW –> to snap the active window to the right side of the screen.

WINKEY + UP ARROW –> to snap the active window to the top of the screen.

WINKEY + DOWN ARROW –> to snap the active window to the bottom of the screen.

WINKEY + CTRL + D –> to create an empty new virtual desktop.

WINKEY + CTRL + LEFT ARROW (or WINKEY + ALT + RIGHT ARROW) –> to switch between available desktops.

WINKEY + CTRL + F4 –> to close a virtual desktop.

WINKEY + A –> open notifications.

WINKEY + S –> perform a search.

WINKEY + I –> open settings.

WINKEY + H –> share content if the application in question supports this feature.

WINKEY + C –> open Cortana in listening mode.

RCC

RCC is a tool that quickly inspects the root certificates trusted by Windows and Mozilla Firefox, and pinpoints possible issues. For instance, it is able to detect root certificates installed by Superfish or other unknown threats.  RCC does not require admin rights.  It is compatible with Windows 7 and later (clients) and Windows 2008 and later (servers).

http://trax.x10.mx/apps.html

NetStalker

NetStalker is a utility for Windows that will detect all connections to your computer, both authorized and unauthorized, and alert you for every new connection.  The application will analyze all open ports on your system as well as all running processes.  A portable version is available.

http://www.sterjosoft.com/netstalker.html

ESXi web interface fling

The ESXi web interface fling is an HTML5-based web interface that allows an individual to manage a host without the need for the legacy C++ Windows client. The utility is bundled as a vib and can be installed on an ESXi host via SSH without the need to reboot the host.

https://labs.vmware.com/flings/esxi-embedded-host-client

Mimikatz

Mimikatz is a tool to gather Windows credentials.

https://github.com/gentilkiwi/mimikatz

TraceWrangler

TraceWrangler is a network capture file toolkit running on Windows that supports PCAP as well as the new PCAPng file format, which is now the standard file format used by Wireshark. The most prominent use case for TraceWrangler is the easy sanitization of PCAP and PCAPng files removing or replacing sensitive data while being easy to use.

https://www.tracewrangler.com/

FruityWifi

FruityWifi is an open source wireless network auditing tool; it allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it. Initially the application was created to be used with the Raspberry-Pi, but it can be installed on any Debian based system.

http://www.fruitywifi.com/index_eng.html

SSL Cipher Suite Details of Your Browser

The web site below will return a list of cipher support within a web browser.

https://cc.dcsec.uni-hannover.de/

Infosec Industry web site

This site is a collection of security news from various sources.

https://www.infosecindustry.com/

Monitor network usage within Windows 10

To monitor or view network usage within Windows 10, launch the Task Manager and view the App History tab.  A column should be present with details on network usage for each application.  This option will only show “Modern” applications and not traditional Win32 programs.

Access Settings –> Network & Internet.  Click on the Data usage selection in the left column.

Click on the Usage details link under the graph.  This option should include traditional Win32 applications.

Saturday, August 1, 2015

ChromeOS

Below is some general information concerning ChromeOS by Google.  The screen captures were taken on a Toshiba ChromeBook 2.

To right-click, perform a two-finger click or use the combination of Alt-click.

To take a screen capture of the entire screen, use the Ctrl key + the Windows Switcher key at the same time. 

To only select a region, use the combination of Ctrl + Shift + the Windows Switcher key.

The OWA interface for Exchange 2010 may only allow the “light” mode for access.  To solve this issue, install the User-Agent Switcher extension via the link below.

https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg

Once installed, access the Permanent Spoof List section and add the domain for the Exchange URL in question.  Use the User Agent String of “Windows Firefox”.

To access a shell command prompt, use the combination of Ctrl + Alt + T.  This should open a new tab with the command prompt displayed.

More available commands can be found by using the “help_advanced” option.

One useful command is “network_diag”, which runs a set of network diagnostics from the shell.

One parameter that should be enabled is the “Require password to wake from sleep.” under Settings.

When an update to ChromeOS is available, an up arrow icon should appear when accessing the system tray at the lower right hand corner of the screen.  Click on the “Restart to update” menu option to install the available upgrade.

Notifications should appear above the system tray area.

A Chromebook may not have a Delete key present.  Use the combination of Alt + Backspace as a substitute.

A task manager similar to Windows can be accessed via the combination of Shift + Esc.  To lock the screen, use the combination of Ctrl + Shift + L.  To quickly log out, use Ctrl + Shift + Q.  To view a list of keyboard shortcuts, use Ctrl + Alt + ?.

The ChromeBook in question had a HDMI port.  When connected to an external LCD TV, the display was automatically extended.

Disable peer updating within Windows 10

To disable the new peer updating feature within Windows 10, access Settings –> Update & Security –> Windows Update –> Advanced options –> Choose how updates are delivered.

Disable Wi-Fi Sense within Windows 10

To disable the Wi-Fi Sense feature within Windows 10, access Settings –> Network & Internet –> Wi-Fi –> Manage Wi-Fi settings.

Media Creation Tool for Windows 10

As with Windows 8.1, Microsoft has released a Media Creation Tool for Windows 10.

http://www.microsoft.com/en-us/software-download/windows10

One big difference between this version and the one for Windows 8.1 is it allows for an in-place upgrade.

WATOBO

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits.

http://sourceforge.net/projects/watobo/

Egress-Assess

Egress-Assess is a tool used to test network egress data detection capabilities; it works over FTP, HTTP and HTTPS. It can generate various data types to test detection, such as credit card details, social security numbers (SSN) and name/address combinations.

https://github.com/ChrisTruncer/Egress-Assess

Jawfish

Jawfish is a security penetration tool that is web-based.  It is designed to test web applications.

https://jawfish.io/

Pale Moon

Pale Moon is an Open Source, Firefox-based web browser available for Microsoft Windows, Android, and Linux.  64-bit versions are available, which Firefox did not offer in the past.  A portable version is available.

https://www.palemoon.org/

Kolab

Kolab is an email service based in Switzerland, which currently has strong privacy legislation in place.

https://kolabnow.com/

View Auto-Connection Utility

The View Auto-Connection Utility allows you to connect the VMware View Client automatically into a View desktop or an application pool when the system starts up. This can be very useful for thin clients or for turning existing Windows endpoints into thin client systems used to automatically connect into a View desktop.

https://labs.vmware.com/flings/view-auto-connection-utility

Wednesday, July 1, 2015

AMTSO "Feature Settings Check” web site

The AMTSO web site has a “Feature Settings Check” page that includes links to several files for testing security applications.  These include the standard EICAR file as well as a few additional executable files.

http://www.amtso.org/check-desktop

Export-WindowsDriver

Windows 8.1 Update 1 includes a new PowerShell cmdlet with the name of Export-WindowsDriver.  This cmdlet can export installed third-party drivers of an existing Windows computer.  An example would be:

Export-WindowsDriver -Online -Destination c:\export-drivers

The output should contain existing drivers in separate subfolders.
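A fuller version of the export, added here as an example and not from the original post: it writes the drivers to a dated folder and summarizes the objects the cmdlet returns by device class and provider.  The destination path is an assumption; an elevated session on Windows 8.1 Update 1 or later is required.

```powershell
# Added example (not from the original post): export third-party drivers to a
# dated folder and summarize what was exported. Destination path is an assumption.
$dest = Join-Path 'C:\export-drivers' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Export-WindowsDriver returns one object per exported driver package
$drivers = Export-WindowsDriver -Online -Destination $dest

# Count of packages per device class (Net, Display, System, ...)
$drivers | Group-Object ClassName | Sort-Object Count -Descending |
    Select-Object @{n='Class'; e={ $_.Name }}, Count |
    Format-Table -AutoSize

# One line per package: provider, class, version, date, and the DriverStore
# folder it came from (the export subfolder carries the same name)
$drivers | Select-Object ProviderName, ClassName, Version, Date,
    @{n='Folder'; e={ Split-Path (Split-Path $_.OriginalFileName -Parent) -Leaf }} |
    Sort-Object ProviderName | Format-Table -AutoSize

Write-Host ("{0} driver packages exported to {1}" -f $drivers.Count, $dest)
```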

Basic information on Windows Server 2012 R2 Core

Below is some basic information on configuring a new Windows Server 2012 R2 Core installation.  If installing the new server within VMware, use the menu option as normal to install/update VMware Tools.  Launch a command prompt and use the following command via the D: drive or whatever drive letter the CD-ROM is mapped to.  The server should restart automatically.

Setup64.exe /s /v /qn

To perform some basic configuration, the sconfig.cmd command will display a menu list of various tasks.

A PowerShell prompt can be launched by simply using the command powershell.  Below are some examples of disabling the tunneling protocols and IPv6.

Set-NetTeredoConfiguration -Type Disabled
Set-NetIsatapConfiguration -State Disabled
Set-Net6to4Configuration -State Disabled

Set-NetAdapterBinding -name <NIC name> -DisplayName "Internet Protocol Version 6 (TCP/IPv6)" -Enabled:$false
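The same hardening as one script, added here as an example and not from the original post: it disables the three transition tunnels, then unbinds IPv6 from every physical adapter and prints the resulting state.  Instead of matching the display name used above, it uses Disable-NetAdapterBinding with the ms_tcpip6 component ID, which avoids depending on localized text; assumes an elevated PowerShell session.

```powershell
# Added example (not from the original post): disable the IPv6 transition
# tunnels and unbind IPv6 from all physical adapters on a Server Core host,
# then report the resulting state. Run from an elevated PowerShell session.
Set-NetTeredoConfiguration -Type Disabled
Set-NetIsatapConfiguration -State Disabled
Set-Net6to4Configuration -State Disabled

# ms_tcpip6 is the component ID behind the "Internet Protocol Version 6 (TCP/IPv6)"
# display name used in the post; the ID is the same on every language of Windows.
foreach ($nic in Get-NetAdapter -Physical) {
    Disable-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6
}

# Verify the tunnel settings and the per-adapter binding state
"Teredo: {0}" -f (Get-NetTeredoConfiguration).Type
"ISATAP: {0}" -f (Get-NetIsatapConfiguration).State
"6to4:   {0}" -f (Get-Net6to4Configuration).State
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, DisplayName, Enabled | Format-Table -AutoSize
```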
