Category Archives: Tutorials

Windows Search Hang

I recently found my Windows Search functionality just stopped dead in its tracks. I’m still investigating the exact cause of this (haven’t ruled out malware just yet) but it would appear this is a problem with the Windows Search registry entries.

Symptoms:
Opening Windows Search and clicking “Search now” causes the explorer process to hang / freeze.

Fix: (cue eyebrow-raising solution)
If you download ProcMon and filter for explorer.exe, you’ll see it is trying to open the same file again and again. For me, this was a zip file containing icons for a web project I’m working on.

To make the search feature work again, rename the file it is getting stuck on and restart explorer. You should find everything is operational.

If anything is unclear and you think this problem might be affecting you, leave a comment and I’ll have a look.

Emulating *nix Shell with Windows Command Prompt

Ever tried to ls or rm under Windows?

With just a few minor adjustments the Windows Command Prompt (cmd.exe) can emulate the behaviour of your favourite *nix shell. Please note, this isn’t a full emulation method – the existing Windows commands are being manipulated to appear as their *nix shell counterparts.

Note: This is for systems where unauthorized software is not permitted. If you administrate your own system, I highly recommend checking the GnuWin32, in particular the CoreUtils package.

Installing PHP 5.3.0rc2 for XAMPP (Windows)

Having been unable to find a definitive guide to upgrading the XAMPP PHP version to PHP 5.3.0rc2, I decided to improvise on a guide for installing the PHP 5.3 alpha.

My guide will describe how to upgrade the current XAMPP PHP version to the second release candidate of version 5.3. It is expected that this method will also work for the third release candidate when it is released later this month.

Repairing broken USB partition tables

While trying to use my 16GB USB flash drive as a raw-disk for VMware, I managed to corrupt the partition table. This rendered the drive useless for data storage. As none of the information contained on the drive was useful, it seemed that the best solution was a straightforward partition table wipe and rebuild. This can be difficult on Windows as Control Panel->Administrative Tools->Disk Management does not allow the deletion of the primary partition.

Many Googl’d solutions involved rebooting with one repair/installation disk or another, however I’ve found a quicker way…

Partial RAR extraction using WinRAR

WinRAR allows users to split file archives into smaller pieces (a feature present in most major archiving software these days). It is sometimes the case that one or more of these pieces are missing, and as such the archive cannot be completely reassembled. This tutorial shows how to partially recover files from a RAR that does not have all pieces present.

EXIF and PHP exploitation – The Truth

Introduction

After reading through a couple of tutorials describing the ease with which PHP can be included directly from the EXIF data within a JPEG image, I became suspicious. Surely my eyes deceive me? Is this a late April Fools’? My first point of call was Google – which provided me with a wealth of information on EXIF functions from within PHP, but very little regarding this particular vulnerability.

There was nothing for it… time to jump in and see what the fuss was about!

‘Hiding’ information using ADS

Introduction

This tutorial will explore the potential for using ‘Alternate Data Streams’ (ADS) to store information on an NTFS partition. All of the steps detailed below can be accomplished directly from within Windows.

Theory

Files act as pointers to physical data on a storage medium; they are a convenience, a way of managing information on a computer as discrete units. It should be this fantastically simple – one pointer for one file – but it seems Microsoft had other ideas…
Macintosh computers use a different file system to Windows computers. It was decided that NTFS should be able to emulate some aspects of the Mac file system to improve file compatibility. As a result, it is possible to ‘attach’ data to a file in a way that is not visible to users (oh dear!).

Getting your hands dirty

  1. Load up a command-prompt Window (Start->Run->’cmd’).
  2. Create a file to run this demonstration on. In the console type: echo Hello, World! > test.txt.
    (The file ‘test.txt’ now contains 16 bytes of information. This is the default data stream)
  3. In the console, enter type test.txt to show the information in ‘test.txt’.
  4. Let’s hide some data! In the console type echo I am hidden! > test.txt:hidden.txt. Notice the colon (:) – this is very important!
  5. If you repeat step 3, you should only see ‘Hello, World!’ printed to the console. Check the properties of the file using Windows Explorer and you’ll arrive at the same conclusion: the file still contains only 16 bytes. You could even enter type test.txt:hidden.txt to try and see the text in ‘hidden.txt’, but it will return an error. Where the hell has the information you just entered gone?
  6. To reveal the contents of ‘hidden.txt’, type more < test.txt:hidden.txt in the console, et voila – the magically disappearing information has made a miraculous reappearance!
  7. The file ‘hidden.txt’ is now linked with ‘test.txt’. You could say that ‘test.txt’ is acting as a pointer to two data streams. Furthermore, if you copy ‘test.txt’ to another folder – ‘hidden.txt’ is copied with it!
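Added example (not from the original post) that reproduces the test.txt demonstration in PowerShell and then enumerates the file’s streams, which is the check an administrator uses to find data stored this way; it assumes an NTFS volume and Windows PowerShell 3.0 or later (the -Stream parameters), and the folder and file names are constructed for the demo.

```powershell
# Added example (not from the original post). Reproduces the test.txt demo in
# PowerShell, then enumerates the streams so the 'hidden' one becomes visible.
# Assumes an NTFS volume and Windows PowerShell 3.0+ (the -Stream parameters).

$file = Join-Path $env:TEMP 'test.txt'   # constructed location for the demo

# Default ($DATA) stream and an alternate stream, as in steps 2 and 4 above.
Set-Content -Path $file -Value 'Hello, World!'
Set-Content -Path $file -Stream 'hidden.txt' -Value 'I am hidden!'

# Explorer, dir and Get-Item report only the default stream's size.
"Length seen by Explorer: $((Get-Item -Path $file).Length)"

# -Stream * lists every stream on the file; ':$DATA' is the ordinary content.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# Read the alternate stream directly (the PowerShell equivalent of
# 'more < test.txt:hidden.txt').
Get-Content -Path $file -Stream 'hidden.txt'

# Defender's check: list every file under a folder that carries a stream other
# than ':$DATA'. Expect 'Zone.Identifier' hits on downloaded files; anything
# else deserves a closer look.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Find-AlternateStreams -Path $env:TEMP | Format-Table -AutoSize

# Remove only the alternate stream; test.txt and its normal content remain.
Remove-Item -Path $file -Stream 'hidden.txt'
```

Note that Set-Content does not write the trailing space that echo leaves before the >, so the default stream will be a byte shorter than the 16 bytes quoted in step 2.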

Conclusion

The above is a basic demonstration of how ADS can be used to store hidden information. The article at governmentsecurity.org goes on to explore how an executable could be hidden within a file too. I’ve written a small batch file that attaches a user-defined message to itself (using ADS) and presents it using notepad. To remove the hidden file, you can either try the method suggested at gov.sec. or just delete the batch file itself!

Download files

ads_demo.rar – extract and run.

Write console text to a file (Windows cmd.exe)

Writing directly from the Windows command line to a file might not be something you need to do very often. The famous black and white console is better suited to serving system commands and file operations than being a stand-in for notepad. However, it is sometimes useful to have the option of writing multiple lines of text to a file directly from the trusty prompt.

Method One

This is suitable for creating/overwriting a file with multiple lines of text.

copy con SOME_FILE.txt
Type your text here
You can even have multiple lines!

When finished, press CTRL+Z to confirm your action (or CTRL+C to cancel) and ENTER.

If you want to append some text instead of overwriting it completely, follow as above but using:

copy SOME_FILE.txt + con

Method Two

Open up the command prompt and type:

echo SOME TEXT > SOME_FILE.txt

This method creates/overwrites SOME_FILE.txt with the text you entered before the >. It is only suitable for entering a single line of text into a file.

As with method one, it is possible to append text using >> instead of > in the command.

Spoof your network adapter MAC address under Windows

Overriding (or spoofing) your NIC / network adapter MAC address can be immensely useful for a number of reasons when using your PC on a large network. In essence you’re creating a new identity for your box and any limitations associated with your previous MAC will no longer affect you! This tutorial will introduce some of the currently existing programs that can automate MAC address spoofing for you, as well as the necessary registry modifications to perform the task manually.

I came across MadMACs some time ago and it has become an invaluable part of my portable network security. Recently I’ve been looking to see what else is out there and found Mac MakeUp which provides a number of advanced features (integration with Wireshark, IP networking options, etc.) and has a straightforward graphical interface.

Both programs have been tested thoroughly and work a treat, but if you feel the only way to do a job properly is to do it yourself, then here is the step by step to DIY MAC spoofage:

  1. Click Start->Run and enter ‘regedt32’ (no ‘ marks) to start up the registry editor.
  2. Find the key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

    and you should have a list of 4 digit subkeys (0000, 0001, 0002 etc.)
  3. Leaving the registry editor window open, go to Start->Run and enter ‘cmd /k net config rdr’ (no ‘ marks).
  4. The console should list your PC and network details. Right click at the start of the text next to NetBT_tcpip (the part that looks like {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}) and select ‘Mark’. Drag over the whole text (the braces and everything between them) and then press CTRL+C to copy it to the clipboard.
  5. Go back to the registry editor and click on the first subkey (i.e. 0000).
  6. Click menu Edit->Find (or press CTRL+F). Paste in the text from the console and click ‘Find next’.
  7. It should return a result very quickly (if not – you’ve done something wrong!).
  8. Right click anywhere on the right hand side pane apart from on one of the listed items and choose ‘New->String’. Give the value the name ‘NetworkAddress’ (case sensitive, no ‘ marks) then simply double click it and enter a new MAC address!
  9. Reboot your machine and enjoy!
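Added example (not from the original post) that audits the same adapter class key for NetworkAddress overrides, so an administrator can see whether any adapter’s MAC has been changed this way without clicking through regedt32. The registry walk works on any Windows version; the Get-NetAdapter cross-check assumes Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post). Audits the adapter class key
# from the steps above for NetworkAddress overrides, so a spoofed MAC is
# visible to an administrator. Assumes Windows 8+ for the Get-NetAdapter
# cross-check; the registry part also works on older versions.

$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'

function Get-MacOverride {
    # Walks the four-digit subkeys (0000, 0001, ...). NetCfgInstanceId is the
    # {GUID} the steps have you copy from 'net config rdr'; NetworkAddress is
    # the value step 8 creates and is $null when no override is set.
    Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                SubKey         = $_.PSChildName
                DriverDesc     = $p.DriverDesc
                InstanceId     = $p.NetCfgInstanceId
                NetworkAddress = $p.NetworkAddress
            }
        }
}

# Adapters whose MAC has been overridden in the registry.
Get-MacOverride | Where-Object { $_.NetworkAddress } | Format-Table -AutoSize

# Cross-check: the address the driver currently uses versus the burned-in one.
Get-NetAdapter | Select-Object Name, InterfaceDescription, MacAddress, PermanentAddress
```

Some subkeys under the class key are readable only by administrators, so run the audit from an elevated prompt if the list looks short.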

For more information, check this Wikipedia article on MAC addresses.