Digital Dominion

Using Sysinternals sigcheck to verify a file's hash

2011-08-22T23:46:00.001-07:00

A file's MD5 or SHA-1 file hash is what I often check to verify a particular file's validity. Software developers often publish these hashes to help users determine if the file has been tampered with.

With the Sysinternals tools is a file and signature viewer called sigcheck. Here a short tutorial on how to use sigcheck to get the file hash from a file.

1. Obtain the file hash from the software developer's website or distribution site.
2. Download sigcheck from Microsoft Sysinternals, or better yet get the whole Sysinternals Suite
3. Run sigcheck.exe with the -h parameter against the file.

It will show the file version and the file hashes of the file. Here is an example of sigcheck in action. Here, I used the lophtcrack password auditing software from http://www.lophtcrack.com. The website offers a CNET website and an alternative download site. Let's compare the file hashes.

Lophtcrack website says the file must have these hashes:

MD5 Hash: a2fd2af0b3300fea67e6b836f9ca05f2
SHA1 Hash: 142590a4751fa26919cc902d91aa9c92c8e602fd

Here's the hashes obtained from the executable file obtained from the CNET website:

C:\Documents and Settings\machine\My Documents\Downloads>sigcheck -h cnet_lc6setu
p_v6_0_12a_exe.exe

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Documents and Settings\machine\My Documents\Downloads\cnet_lc6setup_v6_0_12a_exe.exe:

Verified: Signed
Signing date: 5:58 AM 7/19/2011
Publisher: CBS Interactive
Description: CNET Download.com Installer
Product: CNET Download.com Installer
Version: 1.2.3.0
File version: 1.2.3.0
MD5: 5a888686e6b6744afd3e1c19d84a2b10
SHA1: dadee7f3da2ac8e4916d414fcd500ac85d40cb48
SHA256: a5528ab0650d406a2d526c5608fac24404fe07a49ca90bb4bc1c5dfdc5c912f8

Here's the file obtained directly from lophtcrack's site:

C:\Documents and Settings\machine\My Documents\Downloads>sigcheck -h lc6setup_v6.
0.12a.exe

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Documents and Settings\machine\My Documents\Downloads\lc6setup_v6.0.12a.exe:
Verified: Unsigned
File date: 3:03 PM 8/23/2011
Publisher: L0pht Holdings, LLC
Description:
Product: L0phtCrack 6
Version: 6.0
File version: 6.0
MD5: a2fd2af0b3300fea67e6b836f9ca05f2
SHA1: 142590a4751fa26919cc902d91 aa9c92c8e602fd
SHA256: 786800c069a0aa6db8ca44f9ec9617294ece72d7d0b5154a88ef77d73784d450

Might be a good idea to use the 2nd file in this instance and not to trust the file from the CNET download.com website

Do you have a better methodology to check if a file has been tampered with or contains malware?

Even Microsoft's Bing gets its search results from Google (Hilarious)

2011-02-08T22:23:00.000-08:00

I was looking for the Internet Explorer 9 Beta URL and saw that Google's first result for the keyword "Internet Explorer 9" leads to www.google.com/chrome

It was really hilarious that when I searched for the same keyword in Microsoft's Search engine, bing.com, the same results came up! :D

Finding a file from the Windows command line

2010-05-26T19:41:00.001-07:00

Been using this for a while on Windows machines. dir /S lists and effectively searches for the file you're looking for, on the drive that you executed the command.

Nifty command. Maybe you'd have a better way to search stuff from the command line?

Configuring iptables, daemons and network settings in CentOS 5

2010-03-03T07:19:00.000-08:00

I just wanted to share my notes on how to configure CentOS 5 without a GUI from the command line but need to a more user friendly way of configuring runlevels, iptables and network configuration.

These are ncurses programs that are interface to their esoteric command line equivalents:

1. Configure startup / disable daemons(services) from starting by using ntsysv:

2. Using system-config-network to adjust the Network Interface card configuration:

3. Using system-config-network still to configure DNS and the machine's hostname:

4.. Enabling and Disabling SELinux and configuring what ports are open on the machine using system-config-securitylevel-tui

Hope this helps, maybe you guys have a better way of doing these tasks? Comments and feedback are welcome :)

Altiris Reporting Console - "Wrong number of arguments or invalid property assignment"

2010-01-21T01:01:00.000-08:00

What I've observed when this error happens, is because of:

1. The Altiris ActiveX controls are not installed properly
2. The ActiveX controls could not be installed because of the lack of local Windows administrator privileges of initially opening the Altiris console.

Ensuring that I have the privileges to install the controls and deleting all browser history in IE made it work for me.

Did you encounter the same problem? How did you solve it?

Rake error - no such file to load -- sqlite3 on Fedora 10

2009-03-18T08:09:00.000-07:00

I encountered this error as I was trying to do a rake db:migrate:

[root@julia migrate]# rake db:migrate
(in /home/xander/tickets)
rake aborted!
no such file to load -- sqlite3

Apparently, the sqlite3 gem needs to be installed in Fedora 10. After installation, the migration went smoothly.

[root@julia migrate]# yum install rubygem-sqlite3-ruby

Running Transaction
Installing : rubygem-sqlite3-ruby 1/1

Installed:
rubygem-sqlite3-ruby.i386 0:1.2.4-1.fc10

Complete!
[root@julia migrate]# rake db:migrate
(in /home/xander/tickets)
== CreateTickets: migrating ==================================================
-- create_table(:tickets)
-> 0.0035s
== CreateTickets: migrated (0.0039s) =========================================

Adding a SCSI Disk in Fedora Core 9 Linux

2008-12-31T23:00:00.000-08:00

This is a short guide that provides procedures on how to be able to use a new SCSI disk in Linux. This is based on my own notes. Your comments and suggestions are welcome J

After physically attaching the disk, as root, use fdisk –l to check if the physical disk can now be seen by Linux.

The first disk that I had originally is also a SCSI disk (thus the device name is /dev/sda and the second disk is sdb). We can see that Linux now sees the second SCSI disk, at the device, /dev/sdb. Linux’s naming convention for SCSI devices are usually /dev/sd[a-p].

Now, after confirming the device name of the new disk, (e.g /dev/sdb) you may now use fdisk to create a new partition or initialize the whole disk

As root, type fdisk /dev/sdb
On the command prompt, enter ‘n’ without the quotes to add a new partition.
Choose ‘p’ to create a primary partition
Choose ‘1’ for the partition number
Press enter twice to use the defaults for the cylinder sizes
Type ‘w’ to write the changes to disk and exit

Now, after creating the partitions, you’d need to specify the file system that the disk will be formatted with. In this case, I’ll be using EXT3.

Type mkfs.ext3 /dev/sdb to start formatting the disk as EXT3
When prompted that if you’d want to format the whole disk, choose ‘y’
When prompted for the total blocks of the journal, press enter to accept the defaults

After formatting the device, you would need to create a mount point for the device. Mount points are normal directories that users use to access the device. In this case, we will be creating a directory named disk2 under /opt/disks/

Type mkdir –p /opt/disks/disk2

Now we need to add the mount point and information regarding the new disk into Linux’s fstab. fstab is a file that Linux uses to get information about the various filesystems.

Add the line above at the end of the fstab file, /etc/fstab
Reboot or mount /dev/sdb to be able to access the device
Create directories on the mount point (/opt/disks/disk2/), accessible to non-root users, using the chown command to give them the ownership to the directories.
You may want to create links users to access these directories

After these steps, the second SCSI disk should now be accessible and users will be able to create/access files from the disk. For further details on fstab and other useful information, please visit fstab’s manpage.

Excel Ninjutsu: Highlighting similar items in 2 columns

2008-11-25T18:00:00.000-08:00

I was investigating a case that required me to compare and analyze multiple hosts' requests to similar external sites. In this case, I already have the list of IP addresses. I just needed a way to compare the data. Here's a quick way to do this in Excel.

1. Copy the data to be compared in 2 columns
2. Click Format > Conditional Formatting
3. Choose "Formula is" in the drop down menu
4. Use the countif() function to search the items. $A:$B are the columns being compared. Change this, based on your need.

=COUNTIF($A:$B,B1)>1

5. Choose the format color > Click Ok

Similar items are now highlighted.

Using Google Alerts and Twitter as an Information Gathering/Mining tool

2008-10-27T21:20:00.000-07:00

Google Alerts complement RSS for me. I like being able to get alerts for articles as they are posted online. Technically, you only get alerted if, Google (GoogleBot) has already crawled the web page.

Sometimes, it's quite cumbersome wading through the massive data that RSS mines, and might not to get that much needed information in realtime.

It would be useful for:

- Stock Market junkies and Security Enthusiasts: Getting the latest news on a company that you have positions on, or conducting information gathering tasks as part of a penetration test
- Sports fans: To get real time results of the sporting events that they like
- Journalists: News updates in realtime, a journalists' nirvana perhaps?
- Other: Sky's the limit

On the side note on the possibilities, here's a link to an article that reports the US Department of Homeland Security tagging twitter as a "potential terrorist tool":

http://www.nationalterroraalert.com/updates/2008/10/26/twitter-terrorists-army-warns-of-terror-tweets-security-threat/

... well, there are tons of social networking sites on the net can be used for information gathering and as communication medium for both legal and illegal activities. There's nothing new about this.

Google Alerts:
"Google Alerts are emails automatically sent to you when there are new Google results for your search terms. We currently offer alerts with results from News, Web, Blogs, Video and Groups."

http://www.google.com/support/alerts/

Knowing where and how your Gmail account was accessed

2008-10-18T09:07:00.000-07:00

For people that would like to have a list of hosts and information on how their Gmail account was accessed (Web, IMAP, POP). Gmail has an activity information page that can be accessed at the bottom of your Gmail Mailbox. Clicking the "Details" link will lead you to a screen similar below:

Aside from being paranoid to check this list from time to time, it is advisable to have a complex password, even from free Internat accounts that you use.

It's also a good thing to change your passwords in a scheduled manner. Applications such as Password Safe can be utilized to save the hassle of remembering all those complex passwords.

ChangeThis Newsletter

2008-10-18T07:34:00.000-07:00

Just giving a shout out at the folks at the ChangeThis Newsletter for the great content they constantly share with the community.

Even though they are tidbits or summaries of upcoming books or publications, the information they share is definitely invaluable.

They deliver content on a broad range of topics, ranging from Marketing, Technology, Management, Phsychology, Society, or just any idea that these group of authors have been working on.

Definitely great reads. Check them out at:

http://blog.changethis.com/changethis_newsletter/

Regarding ChangeThis:

"ChangeThis is creating a new kind of media. A form of media that uses existing tools (like PDFs, blogs and the web) to challenge the way ideas are created and spread. We're on a mission to spread important ideas and change minds."

IDA Pro 4.9 Free version

2008-10-01T21:39:00.000-07:00

I recently got word of a free version of IDA pro. Still playing with the features, and getting back my RCE-fu. Will post RCE articles if the time permits.

http://www.hex-rays.com/idapro/idadownfreeware.htm

Encrypted Instant Messages using Pidgin

2008-07-02T07:53:00.000-07:00

The Internet is a public network, and Instant Messaging is one of its insecure applications to transmit data on. As we all know, we send and receive messages as plain-text. Good news for Pidgin users. Using the Pidgin-encryption plug-in, we may now encrypt our messages using RSA(it supports up to 4096 bit keys). Please take note that both IM sender and IM recipient should be running Pidgin and the plug-in.

Procedures to use the plugin:

1. Download the installer for your Operating system at:
http://pidgin-encrypt.sourceforge.net/
2. After the download, close all pidgin sessions.
3. Install the plug-in and reopen Pidgin.
4. Click Ctrl+U to Open the plugins menu.
5. Ensure that the checkbox "Automatically encrypt if sent an encrypted message"
6. Open a chat session window to your message recipient. On the upper portion of the chat window, you should be able to see a greyed out padlock icon. Clicking on this icon will send your public key to the message recipient, and vice versa.
7. At this time, both padlock icons on the sender and recipient message windows should appear to be colored green. Messages are now encrypted.

Here is a raw network capture from Wireshark (user1 and user2 are the example sender and recipient):

YMSG.............^.;5..user1..4..user2..252..Z/YAXR/gsD81TK//5AKdAQDlhLP/tA==..97..1..14..*** Encrypted :: Key: Prot NSS 1.0: Len 249:f/4NLoFOLHIPWvvhaZJjo9Ec5+kgGm8w,MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9JZlcgp8bW2THtnYFVAMzLThbRn53aYPoOJx+gcs+D1AsnO+s+hezzIqToMGjpm+kDitcuX6oHa/vB8dWR3YUWYXaqjqAAgIFuXan6QEMQdxl2S4f4Le9xmjxQM0pW5Ly5MB7eZjW0GEuywvFR6ZhJGX9JY+b4+Pg7GtE/Y6HsQIDAQAB..63..;0..64..0..

Tenable changes Nessus feed subscription packages

2008-05-15T20:21:00.000-07:00

The change in the subscription can be a cause of uncertainty or doubt for Corporate users.

However, looking at the bright side, it might be beneficial to the community, as users that are not on the professional feed, may need to create their own plugins.

This news might bring a good change to the Security community.

Interview with Ron Gula, CEO of Tenable:

http://media.libsyn.com/media/mckeay/nsp-RonGula-NessusLicense.mp3

Blackhat and Defcon videos for offline viewing

2008-04-12T18:53:00.000-07:00

It may be financially and geographically improbable for some people to attend Security Conferences that we'd like to attend to. Yes, it would be neat if we can all attend, but due to economic and work related factors, we may not have the opportunity to do so.

It's a good thing that the good folks at easynews have compiled this for the rest of us to view. The site hosts recent events of blackhat, defcon and other security conferences. The top domain also has mirrors of notable sites :)

Check the link out.

ftp://mirrors.easynews.com/blackhat&defcon/

Nifty nmap scanning options

2007-08-25T22:33:00.001-07:00

nmap -p for specifying the port to scan
nmap -O -v for remote OS fingerprinting
nmap -A -T4 -F for daemon version detection

Having an offsite backup for most people

2007-08-25T22:25:00.000-07:00

I got a huge collection of documentation(security, programming, networking, and other miscellaneous docs lying around in my disk). There is a huge possibility that i might be moving out of the Phillippines, to pursue greater goals in my life, so i better have backups of the tons of data i collected over the years :)

That's where gspace comes in handy. What this tool does is that it provides a UI for uploading and downloading files from gmail, using Mozilla Firefox. I can have mutliple accounts and juggle file uploads using gspace.

Try it out, it's quite handy for people who needs to have multiple backups as a necessity

http://www.getgspace.com/

Republishing netsh kung fu :)

2007-08-25T22:24:00.000-07:00

Blogger locked the blog, maybe because i wasn't updating the blog in a while, in any case here it is again:

Adding an IP address:

netsh interface ip set address "Local Area Connection" static _ip_ _netmask_ _gateway_ 1

netsh interface ip set dns "Local Area Connection" static _dns ip_