Showing posts with label Softwares. Show all posts

Proxy Server Lab Setup using Wingate

Albert Einstein always said "Imagination is more important than knowledge", and imagination accompanied by knowledge helps our world advance more and more every day. Thus technology keeps growing, and it succeeds in reducing human effort and increasing our potential. And there is much software that helps us to do so.

One such program is WinGate. It lets us monitor the Internet activity of our employees, students or anyone else, because it sets up a proxy server through which all traffic from the network passes on its way to the router. In other words, WinGate lets us share and control access to the Internet through a single computer's connection: the computer running WinGate acts as a proxy server for the other computers in the home or business network.

To install WinGate, first download it. Once you have downloaded it, open it and the following screen will appear on your computer. Click on the Next option in the dialogue box.

After clicking on Next, it will ask you which Program Features you would like to install. Select all three options and then click on the Next button again.

Now it will ask you to enter an administrative e-mail address to which you want all of your alerts sent. Enter your e-mail address and then click on Next.

Now a dialogue box will open as shown below. Select localhost option from it.

Now a Licence Activation dialogue box will open and ask whether your connection is offline or online. Select Online and click on Next.

It will further ask whether you have bought WinGate or are using it on a trial basis. Select the appropriate option: "Activate a purchased licence" if you have bought it, or else "Activate a free full-featured 30 day trial".

Then your activation request will be processed. It may take a minute or two.

After the activation process click on Next and it will ask you to provide a database for Wingate. For it, simply click on Next.

Now, select the WinGate user database engine as your database and click on Next.

To complete WinGate installation just click on Finish.

After installing, it will ask you to restart your computer. Once the computer has restarted you will find WinGate among the hidden icons on the taskbar.

Now right click on WinGate icon and select WinGate Management. After doing so, WinGate management window will open. And then click on localhost.

After clicking on localhost, it will ask whether you want to work with the current Windows user or use another user.

Now click on "Use another user" and it will ask you for a username and password.
(I have given administrator as the username and I have kept the password blank.)

Once you have entered the username and password, click on OK. The welcome panel of WinGate will then open.

You can now start working with Wingate.
PS: To learn how to set up a proxy server using WinGate, wait for Part 2.

Session Hijacking using Ettercap, Hamster and Ferret (A Beginner Guide)

Session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.

First of all, log in to Kali Linux and open Ettercap.

Click on sniff. Select unified sniffing option.

It will ask for a network interface. Select eth0 and click OK.

Now select Hosts and click on scan for hosts or press ctrl+s.

It will show the IP addresses in the network. Select the target IP address and click on "Add to Target 1".

Now select the Mitm (man in the middle) option and click on ARP poisoning.

It will ask whether to sniff remote connections or only poison one-way. Check the option "Sniff remote connections".

Now select the Start option and click on "Start sniffing", or press Shift+Ctrl+W.

It will show that sniffing has started.

Now select the Hamster tool to manipulate data through its proxy.

It will show the browser proxy settings to use, as shown.

Now select the Ferret tool to grab the session cookies.

Type the command ferret -i eth0.

Now open it in the browser and click on the target IP. It will show the session cookies.
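The ARP poisoning step above leaves a footprint on the victim's side: the gateway's IP suddenly resolves to a different MAC, and one MAC answers for several IPs. The following detection script is an added example and is not part of the original post or of Ettercap. It assumes a Linux neighbour table in the format printed by `ip neigh show`, and a gateway IP/MAC pair recorded from a clean baseline; the sample table and the baseline values are constructed for the example.

```python
"""Detect ARP-poisoning indicators in a neighbour table (defender-side check).

Assumptions (not from the original post): input is `ip neigh show` output on
Linux, and the expected gateway IP/MAC pair is known from a clean baseline.
"""
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output: the gateway 192.168.1.1 now
# resolves to the same MAC as host 192.168.1.50, which is what an ARP
# poisoning attack leaves behind in the victim's cache.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.30 dev eth0 FAILED
"""

# Baseline recorded on a known-good day (assumed values for the example).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC_BASELINE = "de:ad:be:ef:00:01"

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$",
    re.I,
)


def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_indicators(table, gateway_ip, gateway_mac_baseline):
    """Return a list of (kind, detail) findings.

    Two indicators are checked:
    * the gateway's MAC differs from the recorded baseline;
    * one MAC answers for more than one IP, which some virtualisation setups
      do legitimately but which is otherwise the footprint of ARP poisoning.
    """
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac and gw_mac != gateway_mac_baseline.lower():
        findings.append(
            ("gateway-mac-changed",
             f"{gateway_ip} now at {gw_mac}, baseline {gateway_mac_baseline}")
        )
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("duplicate-mac", f"{mac} claims {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    table = parse_neigh(SAMPLE_NEIGH)
    for kind, detail in find_indicators(table, GATEWAY_IP, GATEWAY_MAC_BASELINE):
        print(f"[{kind}] {detail}")
```

On a real host, replace `SAMPLE_NEIGH` with the live output of `ip neigh show` and run the check periodically; a static ARP entry for the gateway or switch-side dynamic ARP inspection removes the condition rather than just reporting it.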

How to Make Dual Audio Movies (MKVMerge Tutorial)

MKVToolNix is a set of tools to create, alter and inspect Matroska files under Linux, other Unices and Windows. They do for Matroska what the OGMtools do for the OGM format and then some.

First download the latest version of MKVToolNix, install it and let's get started.

Press the Add button and first load your .mkv file. Press Add once more and load your .srt subtitles file.

Click the Add button in MKVToolNix and add the movie to which you want to add the second audio track.

Once added, you will see the audio and video tracks listed separately in the 'Tracks, chapters, tags:' container, with all boxes checked for the existing movie.

Now add the MP3 audio that you want as the second audio track for the movie; it will appear as the next entry in the 'Tracks, chapters, tags:' container.

Now all you have to do is click 'Start Muxing'. Done.

How to Fix a Disk Drive That Suddenly Became RAW and Recover Its Data

When attempting to access the drive in Windows you may see a message saying "You need to format the disk in drive E: before you can use it".

After installing the recovery software on your computer, choose Complete Recovery, which is used when a hard drive or partition becomes inaccessible.

Select the file types you want to recover and select the "RAW" partition or other inaccessible logic drive and click "NEXT" to start scanning.

Select the files or directories that you want to restore and select a path to save the files to.

After the above steps you will have recovered the files from the RAW disk. Save them, then format the disk; this repairs the RAW disk.

Volatility - An advanced memory forensics framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Windows Features
Basic / Informational
- Current date, time, CPU count, CPU speed, service pack
- Current thread and idle thread
- Addresses of the KDBG, KPCR, DTB, PsActiveProcessHead, PsLoadedModuleList, etc.

Processes and DLLs
- List active processes (column or tree view)
- Scan for hidden or terminated _EPROCESS objects (using pool tags or _DISPATCHER_HEADER)
- Enumerate DLLs in the PEB LDR lists
- Rebuild/extract DLLs or EXEs to disk based on name, base address, or physical offset
- Print open handles to files, registry keys, mutexes, threads, processes, etc.
- List security identifiers (SIDs) for processes
- Scan for cmd.exe command history and full console input/output buffers
- List process environment variables
- Print PE version information from processes or DLLs (file version, company name, etc.)
- Enumerate imported and exported API functions anywhere in process or kernel memory
- Show a list of virtual and physical mappings of all pages available to a process
- Dump process address space to disk as a single file
- Analyze Virtual Address Descriptor (VAD) nodes, show page protection, flags, and mapped files
- Represent the VAD in tree form or Graphviz .dot graphs
- Dump each VAD range to disk for inspecting with external tools
- Parse XP/2003 event log records

Kernel Memory
- List loaded kernel modules and scan for hidden/unloaded module structures
- Extract PE files including drivers from anywhere in kernel memory
- Dump the SSDT for all 32- and 64-bit Windows systems
- Scan for driver objects, print IRP major function tables
- Show devices and device tree layout
- Scan for file objects (can show deleted files, closed handles, etc.)
- Scan for threads, mutex objects and symbolic links

GUI Memory
- Analyze logon sessions and the processes and mapped images belonging to the session
- Scan for window stations and clipboard artifacts (clipboard snooping malware)
- Scan for desktops, analyze desktop heaps and attached GUI threads
- Locate and parse atom tables (class names, DLL injection paths, etc.)
- Extract the contents of the Windows clipboard
- Analyze message hooks and event hooks, show the injected DLL and function address
- Dump all USER object types, pool tags, and flags from the gahti
- Print all open USER handles, associated threads or processes, and object offsets
- Display details on all windows, such as coordinates, window title, class, procedure address, etc.
- Take screenshots from memory dumps (requires PIL)

Malware Analysis
- Find injected code and DLLs, unpacker stubs, decrypted configurations, etc.
- Scan process or kernel memory for any string, regular expression, byte pattern, URL, etc.
- Analyze services, their status (running, stopped, etc.) and associated process or driver
- Cross-reference memory mapped executable files with PEB lists to find injected code
- Scan for imported functions in process or kernel memory (without using import tables)
- Detect API hooks (Inline, IAT, EAT), hooked winsock tables, syscall hooks, etc.
- Analyze the IDT and GDT for each CPU, alert on hooks and disassemble code
- Dump details of threads, such as hardware breakpoints, context registers, etc.
- Enumerate kernel callbacks for process creation, thread creation, and image loading
- Display FS registration, registry, shutdown, bugcheck, and debug print callbacks
- Detect hidden processes with alternate process listings (6+ sources)
- Analyze kernel timers and their DPC routine functions

Networking
- Walk the list of connection and socket objects for XP/2003 systems
- Scan physical memory for network information (recover closed/terminated artifacts)
- Determine if listening sockets are IPv4, IPv6, etc. and link to their owning processes

Registry
- Scan for registry hives in memory
- Parse and print any value or key cached in kernel memory, with timestamps
- Dump an entire registry hive recursively
- Extract cached domain credentials from the registry
- Locate and decrypt NT/NTLM hashes and LSA secrets
- Analyze UserAssist keys, the shimcache, and shellbags

Crash Dumps, Hibernation, Conversion
- Print crash dump and hibernation file header information
- Run any plugin on a crash dump or hibernation file (hiberfil.sys)
- Convert a raw memory dump to a crash dump for opening in WinDbg
- Convert a crash dump or hibernation file to a raw memory dump

Miscellaneous
- Link strings found at physical offsets to their owning kernel address or process
- Interactive shell with disassembly, type display, hexdumps, etc.

How to use Volatility

Before you can analyse a victim system you need to capture its memory.

Step 1: First download DumpIt and capture the victim PC's memory (see "How to use DumpIt" below).

Step 2: Download Volatility for Windows from here.

Step 3: Now open Volatility from the command prompt and use the following commands.

If you don't know what type of system your image came from, use the imageinfo command:

volatility.exe -f <Windows dump path> imageinfo

To list the processes of a system, use the pslist command. This walks the doubly-linked list pointed to by PsActiveProcessHead. It does not detect hidden or unlinked processes.

volatility.exe -f <Windows dump path> pslist

To enumerate processes using pool tag scanning, use the psscan command. This can find processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit.

volatility.exe -f <Windows dump path> psscan
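Because pslist only walks the linked list and psscan scans pool memory, the processes that appear in psscan but not in pslist are the interesting ones: either they have already exited, or something unlinked them. The script below is an added example, not part of Volatility, that automates that comparison on the text output of the two commands. The two outputs are constructed samples in the column layout of Volatility 2's default text renderer; the offsets, names and times are made up. On a real image, run imageinfo first and pass the profile it suggests with --profile= to pslist and psscan, then feed their saved output to the script.

```python
"""Cross-check pslist against psscan to surface hidden or terminated processes.

Added example, not part of Volatility. It parses the text the two commands
print and reports PIDs that psscan found but pslist did not.
"""
import re

# Constructed pslist output: the active-process list walked from PsActiveProcessHead.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     58      573 ------      0
0x8215e020 smss.exe                 368      4      3       19 ------      0 2025-01-01 10:00:00 UTC+0000
0x82167b28 csrss.exe                584    368     10      356      0      0 2025-01-01 10:00:02 UTC+0000
0x8209d6a8 explorer.exe            1476   1444     15      432      0      0 2025-01-01 10:00:20 UTC+0000
"""

# Constructed psscan output: the pool-tag scan also finds an unlinked process
# (svchost.exe) and one that has already exited (notepad.exe carries an exit time).
PSSCAN_OUTPUT = """\
Offset(P)  Name                    PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x023c8830 System                    4      0 0x00039000
0x0215e020 smss.exe                 368      4 0x09b60020 2025-01-01 10:00:00 UTC+0000
0x02167b28 csrss.exe                584    368 0x09b60040 2025-01-01 10:00:02 UTC+0000
0x0209d6a8 explorer.exe            1476   1444 0x09b60060 2025-01-01 10:00:20 UTC+0000
0x020f1da0 svchost.exe             2212    584 0x09b60080 2025-01-01 10:05:00 UTC+0000
0x02113020 notepad.exe             3040   1476 0x09b600a0 2025-01-01 10:07:00 UTC+0000 2025-01-01 10:09:00 UTC+0000
"""

# A data row starts with the hex offset, then name, PID and PPID.
ROW_RE = re.compile(r"^0x[0-9a-f]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)", re.I)
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+0000")


def parse_processes(text):
    """Return {pid: name} from either pslist or psscan text output."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("name")
    return procs


def find_unlisted(pslist_text, psscan_text):
    """PIDs present in psscan but absent from pslist, mapped to their names."""
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    return {pid: name for pid, name in scanned.items() if pid not in listed}


def exited_pids(psscan_text):
    """PIDs whose psscan row carries both a creation and an exit timestamp."""
    exited = set()
    for line in psscan_text.splitlines():
        m = ROW_RE.match(line)
        if m and len(DATE_RE.findall(line)) == 2:
            exited.add(int(m.group("pid")))
    return exited


if __name__ == "__main__":
    gone = exited_pids(PSSCAN_OUTPUT)
    for pid, name in sorted(find_unlisted(PSLIST_OUTPUT, PSSCAN_OUTPUT).items()):
        # A PID that is unlisted but has no exit time is live yet unlinked:
        # that is rootkit behaviour and deserves a closer look.
        tag = "terminated" if pid in gone else "HIDDEN/UNLINKED - investigate"
        print(f"PID {pid:5d} {name:<16} {tag}")
```

The psinfo-style triage this produces is the same idea as Volatility's own psxview plugin, which compares several process listings at once; the script just makes the two-source case explicit.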

To display a process's loaded DLLs, use the dlllist command. It walks the doubly-linked list of LDR_DATA_TABLE_ENTRY structures pointed to by the PEB's InLoadOrderModuleList. DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll) and they aren't removed until FreeLibrary is called and the reference count reaches zero.

volatility.exe -f <Windows dump path> dlllist

To view the SIDs (Security Identifiers) associated with a process, use the getsids command. Among other things, this can help you identify processes which have maliciously escalated privileges.

volatility.exe -f <Windows dump path> getsids

To detect listening sockets for any protocol (TCP, UDP, RAW, etc.), use the sockets command. This walks a singly-linked list of socket structures pointed to by a non-exported symbol in the tcpip.sys module. This command is for Windows XP and Windows Server 2003 only.

volatility.exe -f <Windows dump path> sockets

To locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hives on disk, use the hivelist command.

volatility.exe -f <Windows dump path> hivelist

To get the UserAssist keys from a sample you can use the userassist plugin.

volatility.exe -f <Windows dump path> userassist

Volatility is the only memory forensics framework with the ability to list Windows services. To see which services are registered in your memory image, use the svcscan command. The output shows the process ID of each service (if it is active and pertains to a user-mode process), the service name, service display name, service type, and current status. It also shows the binary path for the registered service, which will be an EXE for user-mode services and a driver name for services that run from kernel mode.

volatility.exe -f <Windows dump path> svcscan

For the command reference and more commands, visit:

DumpIt – RAM Capture Tool

This utility generates a physical memory dump of Windows machines. It works with both x86 (32-bit) and x64 (64-bit) machines. The raw memory dump is written to the current directory, and only a confirmation question is asked before starting. It is ideal for deploying on USB keys for quick incident response needs.

First download DumpIt from here and save it to your desktop.
Now run the DumpIt.exe file; the raw memory dump will be generated and saved to the same directory.

How to View Last Activity in Your PC

LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the computer.

How to detect vulnerable and out-dated programs

The Secunia Personal Software Inspector (PSI) is a free computer security solution that identifies vulnerabilities in non-Microsoft (third-party) programs which can leave your PC open to attacks. Simply put, it scans software on your system and identifies programs in need of security updates to safeguard your PC against cybercriminals. It then supplies your computer with the necessary software security updates to keep it safe. The Secunia PSI even automates the updates for your insecure programs, making it a lot easier for you to maintain a secure PC.

Key Features
- Detects insecure versions of common/popular programs installed on your PC.
- Verifies that Microsoft patches are applied.
- Assists you in updating, patching, and protecting your PC.
- Activates additional security features in Sun Java.
- Runs through your browser. No installation or download is required.
- Covers about 100 Microsoft and third-party programs.

Lynis - Security and System auditing tool for Linux

Lynis is an auditing tool for UNIX specialists. It scans the system and the available software to detect security issues. Besides security-related information it will also collect general system information, installed packages and configuration mistakes.

The software aims to assist automated auditing, software patch management, and vulnerability and malware scanning of UNIX-based systems. It can be run without prior installation, so it can be included on read-only storage (USB stick, CD/DVD).

Supported operating systems
Arch Linux
Fedora Core 4 and higher
Mac OS X
Mandriva 2007
OpenBSD 4.x
Red Hat, RHEL 5.x
Slackware 12.1
Solaris 10

How to Install Lynis on BackTrack
First download Lynis from here and save it on your desktop.
Now untar the file:
tar zxvf lynis.tar.gz

You can start it with 'lynis' if it is installed and the file is available in your binary path; otherwise run it from the extracted directory:
./lynis

Run without parameters, Lynis prints its list of valid parameters and returns to the shell prompt. At least the '-c' (--check-all) parameter is needed to start the scan:
./lynis --check-all
It automatically starts a system audit. You just need to press the Enter key between sections.

The audit walks through its test categories in turn (System tools, Boot and Services, User, Groups and Authentication, and so on).

To stop the process press [Ctrl]+C.
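For the automated auditing the post mentions, the interactive run is less useful than the report file Lynis writes alongside it (lynis-report.dat, by default under /var/log/), which holds one key=value per line with repeatable keys written as key[]. The script below is an added example, not part of Lynis, that parses such a report and turns the warning count into a pass/fail gate suitable for a cron job or CI step. The report text is a constructed sample in that shape; the test IDs and messages are made up for the example.

```python
"""Summarise a Lynis report file for automated auditing (added example).

Assumed input format (from the lynis-report.dat convention): one key=value
per line, '#' comments, and repeatable keys written as key[]=value, where a
warning or suggestion value is pipe-separated starting with the test ID.
"""
from collections import defaultdict

# Constructed sample report; test IDs and messages are made up.
SAMPLE_REPORT = """\
# Lynis report (constructed sample)
report_version_major=1
hostname=audit-host
os=Linux
warning[]=EXAMPLE-0001|Firewall is not active|-|-|
warning[]=EXAMPLE-0002|Found world-writable directory without sticky bit|-|-|
suggestion[]=EXAMPLE-0003|Install a file integrity tool|-|-|
suggestion[]=EXAMPLE-0004|Harden SSH configuration (disable root login)|-|-|
installed_packages=412
"""


def parse_report(text):
    """Return {key: [values]} so that repeated key[] entries are collected."""
    data = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        data[key.rstrip("[]")].append(value)
    return dict(data)


def findings(report, kind):
    """Return (test_id, message) pairs for 'warning' or 'suggestion' entries."""
    out = []
    for entry in report.get(kind, []):
        fields = entry.split("|")
        if len(fields) >= 2:
            out.append((fields[0], fields[1]))
    return out


def audit_passes(report, max_warnings=0):
    """Policy gate for a scheduled run: fail when warnings exceed the threshold."""
    return len(findings(report, "warning")) <= max_warnings


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"Host {rep['hostname'][0]} ({rep['os'][0]})")
    for kind in ("warning", "suggestion"):
        for test_id, msg in findings(rep, kind):
            print(f"  {kind:<10} {test_id}: {msg}")
    print("PASS" if audit_passes(rep) else "FAIL: warnings present")
```

Point `parse_report` at the real file contents after a run and keep the threshold at zero: warnings are the findings Lynis considers actual problems, whereas suggestions are hardening advice that can be triaged separately.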