Monday, October 4, 2010

Cracking Cleanersoft Free Hide Folder Security

Introduction

Cleanersoft Free Hide Folder is a "security" tool used to hide your folders. The program has a simple, password-protected interface that lets you hide and unhide selected folders. Our objectives here are to find where it stores the information about which folders are hidden, and to recover the password.

Finding where the folder information is stored

Well, we will use the easiest approach: watch which files and registry keys the program (fhide.exe) writes to with Process Monitor while hiding a folder (in this case C:\test). This should show us where it stores its data, and this approach worked out well.


Well, what have we here? We see a file operation on my C:\test folder: it renamed the folder to "CHKDSK.100ÿÿ", and that is followed by a registry key creation at "HKCU\Software\Microsoft\Windows\CurrentVersion\Namespace\getPrefix0".

First let's confirm the folder was renamed. Since it is hidden, I will run the command "DIR /A:SH CHKDSK.*" (the /A:SH switch shows hidden and system files and folders). Wow... it's right there, great hiding trick... Is it accessible? Run "cd CHKDSK.100ÿÿ". Looks like we can.

Okay, let's see what's hidden here with a "Dir" command, and we see private.txt. Well, it should at least be encrypted, right? Guess again... "Type private.txt" shows it in the clear.

Well, we are off to a bad start for security. But how would we know where folders are hidden if we didn't hide them ourselves? Let's check out that registry key and take a look at the values there.
  • getPrefix0 = E
  • Declaration0 = X:*XSPWHP.377ÿÿ
  • Javax0 = X:*gvhg
Hmmm... Declaration0 and Javax0 both start with X:*, interesting. Let's make another hidden folder called C:\test123, which becomes CHKDSK.101ÿÿ. Now we have 3 new keys with the same names as above, but ending in a one instead of a zero.
  • getPrefix1 = E
  • Declaration1 = X:*XSPWHP.373ÿÿ
  • Javax1 = X:*gvhg321
Okay, starting to see a pattern. It looks like Declaration holds the new hidden folder name and Javax holds its unhidden name; getPrefix stayed the same. It appears to be a simple substitution cipher. The easy way to figure it out? Make a folder called C:\abcdefghijklmnopqrstuvwxyz1234567890, put its name side by side with the encrypted value, and we have a key chart ;-).
  • C:\abcdefghijklmnopqrstuvwxyz1234567890
  • X:*zyxwvutsrqponmlkjihgfedcba3215894067
Looks like the alphabet is just reversed (a becomes z, b becomes y, and so on) and "\" becomes "*". The only irregular part is the digits, but that is no big deal since the key chart above gives their mapping too. So now we can decrypt the Declaration and Javax keys: they hold the hidden and unhidden folder names, just as we thought.

The last one is the getPrefix key. I had one folder unhidden while I was working and the key value changed to "W". So it seems that "E" means hidden and "W" means not hidden. I'd say we have this down now.

Finding The Password

The last thing to attack is the program's password (in this case it is "Password"). Let's look further into the registry. There is one more key here:
  • BAR = Kzhhdliw
Surprise: my password and this value are the same length, and the 3rd and 4th characters repeat in both. Let's just try to decrypt it with our key chart above and... yep, that's our password. With this information I was able to code a little tool that exploits this as a proof of concept, for academic purposes (and to be used only for that). I call the tool "Free Unhide Folder" (original, huh?).
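Decoding the registry values above with the recovered key chart, as an added example rather than the author's "Free Unhide Folder" tool: the value names and data are those listed in the post, while the grouping into one record per getPrefixN/DeclarationN/JavaxN triple is my reading of the pattern.

```python
"""Added example (not the author's "Free Unhide Folder" tool): decode the Free Hide
Folder registry values with the key chart recovered above.  Letters are reversed
(a<->z, case kept), the backslash becomes "*", and the digits follow the chart's
own permutation; every other character (":", ".", the 0xFF padding) passes through."""

PLAIN = "abcdefghijklmnopqrstuvwxyz1234567890\\"
CIPHER = "zyxwvutsrqponmlkjihgfedcba3215894067*"

# cipher -> plain, extended to upper case so "X:*XSPWHP" decodes as well
DECODE = {}
for p, c in zip(PLAIN, CIPHER):
    DECODE[c] = p
    DECODE[c.upper()] = p.upper()


def decode(value):
    """Map each character through the chart, leaving unknown characters alone."""
    return "".join(DECODE.get(ch, ch) for ch in value)


def unhide_report(values):
    """values: registry value name -> data, as listed in the post.  Groups
    getPrefixN / DeclarationN / JavaxN into one record per folder and decodes BAR."""
    folders = {}
    for name, data in values.items():
        for prefix in ("getPrefix", "Declaration", "Javax"):
            index = name[len(prefix):]
            if name.startswith(prefix) and index.isdigit():
                folders.setdefault(int(index), {})[prefix] = data
    report = []
    for n in sorted(folders):
        f = folders[n]
        report.append({
            "index": n,
            "hidden": f.get("getPrefix") == "E",      # E = hidden, W = unhidden
            "hidden_name": decode(f.get("Declaration", "")),
            "real_name": decode(f.get("Javax", "")),
        })
    password = decode(values["BAR"]) if "BAR" in values else None
    return report, password


# Values as captured in the post (\xff\xff is the trailing "ÿÿ")
SAMPLE = {
    "getPrefix0": "E", "Declaration0": "X:*XSPWHP.377\xff\xff", "Javax0": "X:*gvhg",
    "getPrefix1": "E", "Declaration1": "X:*XSPWHP.373\xff\xff", "Javax1": "X:*gvhg321",
    "BAR": "Kzhhdliw",
}

if __name__ == "__main__":
    folders, password = unhide_report(SAMPLE)
    for f in folders:
        print(f)
    print("password:", password)
```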

Monday, June 7, 2010

8 Firefox Add-ons to help manage the web


This one is a must! Block annoying ads, avoid tracking cookies, and save yourself some bandwidth (it speeds things up for everyone by not downloading ad images). This ad blocker also uses an anti-virus-like subscription list which updates to block new ad servers altogether. If it fails to block an ad, you can block it yourself: by frame, by single image, or even by server (with support for wildcards like *).



NoScript

NoScript allows you to disable JavaScript and select which sites may run JavaScript in your browser. This helps protect against IFRAME-based and other cross-site scripting (XSS) attacks.



leetkey

Leetkey allows you to convert strings to other encodings and back: binary, hex, Base64, l33t, ROT13, reverse, and even Morse code. It also has an encryption module to encrypt and decrypt strings. Below are a few examples of the same string encoded with Leetkey.

Normal String: This is a test string

Reverse String: gnirts tset a si sihT

leet: 7h15 15 4 7357 57r1n6

Binary: 01010100 01101000 01101001 01110011 00100000 01101001 01110011 00100000 01100001 00100000 01110100 01100101 01110011 01110100 00100000 01110011 01110100 01110010 01101001 01101110 01100111

Hex: 54 68 69 73 20 69 73 20 61 20 74 65 73 74 20 73 74 72 69 6e 67

Rot13: Guvf vf n grfg fgevat

URL Encoding: This+is+a+test+string

Morse Code: - .... .. ... .. ... .- - . ... - ... - .-. .. -. --.

DES encrypted with password test: olZule+WVI7q4HtjQ90td/TiLFgBALW0GJmr0oMB958=




ShowIP

This shows you the IP address of the server you are connected to in your status bar and allows you to run whois, Netcraft, Whoishostingthis.com, and ip2country lookups on it. Good for security: if you are at a Wi-Fi hotspot and it shows that your web-mail login page's IP address is in the same LAN subnet as you, you are probably the victim of DNS poisoning or a man-in-the-middle attack, my friend. It might be worth your time to investigate the IP or move to a less hostile network.



Fireshot

This tool captures a web page from the browser: the entire page top to bottom, just a section, the visible area, or the whole window, and it has a built-in editor for cropping.



FireBug and Firecookie

These two work together. Firebug lets you debug a web page in real time, highlighting the section of code that corresponds to each part of the page, and it also lets you edit the code and see the page update live (great for modifying web forms ;-] ). Firecookie lets you view a site's cookies in real time and edit or delete their values. All this is nicely done in a panel at the bottom of the browser! A MUST FOR WEB DEVELOPERS AND HACKERS ALIKE!




This tool allows you to right-click and quickly craft advanced Google searches based on the information on the current web page, using Google operators like intitle: and site:. Good tool for digging into a site using Google ;-) If you are unfamiliar with all this, I suggest you read the book "Google Hacking for Penetration Testers".




Saturday, March 20, 2010

Not getting Sound in flash in Ubuntu? Try this! Worked for me!

Found this at http://ubuntuforums.org/showthread.php?t=204022

This is awesome. Flash looks for /usr/lib/libesd.so.1 and expects /tmp/.esd/socket to exist. With these 3 commands you can create both, and Flash will have sound again. You will have to restart Firefox if that is what led you here ;-)

The commands are as follows:
sudo ln -s /usr/lib/libesd.so.0 /usr/lib/libesd.so.1
sudo mkdir -p /tmp/.esd/
sudo touch /tmp/.esd/socket


This worked for me, so I share it with you in hopes that it helps. Now I can listen to the Portal "Still Alive" theme XD

Tuesday, January 19, 2010

How to Disable Vibrant Ads.

On any browser with cookies enabled, click on the following link.

http://www.vibrantmedia.com/whatisIntelliTXT.asp?ipid=7540&cc=us&server=business.msnbc.us.intellitxt.com

Click on the Disable tab, then click the link to disable the ads, and you're done! How kind of them to leave it up to the user to choose whether to see the ads or not.

Friday, January 8, 2010

Creating hidden accounts on a XP Box

Others want to log in to XP under your name?
Need to have an account under the radar?

Whatever the need, note it can be done!

The problem is that user accounts always show up on the welcome screen on XP. Our goal is to hide them from there using a simple Windows registry tweak. This tweak requires an existing account, so use one that's already there or create a new one. I would recommend the latter!

Now open the Registry Editor (click "Start" > "Run", type "Regedit" (without quotes) and hit Enter).

Now go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Now right-click in the right-hand pane and create a new DWORD value. Rename it from "New Value #1" to the exact name of the account you wish to hide. Example: if I wanted to hide an account called StealthyMoFo, the DWORD name would be StealthyMoFo.

Now double-click on the name and set the data value:

0 to hide it
1 to make it visible

Now exit the registry and reboot the machine for this to take effect.

To log on with the hidden account, at the welcome screen hold down Ctrl+Alt and hit Delete twice. This should take you to a classic username/password prompt like Windows 2000's. Enter the name and password of the hidden account to log on.


Two Side Notes:

  • This can also be used to force the Administrator account to show up on the welcome screen, as it does in Safe Mode.
  • Your hidden account will still have a folder under Documents and Settings, so if someone sees it, they might suspect something. Try to use something that sounds like it might belong there, like "RemoteService" or "DotNet" or "Admin". Most people wouldn't raise an eyebrow, as those would seem like normal application/user accounts.
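A defender's counterpart to this tweak, added here and not part of the original post: a Python script that enumerates the UserList key and reports which accounts are hidden, cross-checking the side note that a hidden account still has a profile folder. The profile root and the audit_userlist helper are my own choices, not anything from the post.

```python
"""Added example (not from the original post): audit the UserList key described
above and report which local accounts are hidden from the XP welcome screen.
The check is separated from the registry read so it also runs on constructed
data; the profile-folder cross-check follows the side note that a hidden
account still has a folder under Documents and Settings."""
import os

USERLIST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"


def audit_userlist(userlist, profile_dirs):
    """userlist: {value name: DWORD data} from UserList; profile_dirs: folder
    names under the profiles root.  Returns {account: finding}."""
    profiles = {d.lower() for d in profile_dirs}
    findings = {}
    for account, data in userlist.items():
        if data == 0:
            state = "HIDDEN from welcome screen"
        else:
            state = "forced visible"           # 1 = shown, e.g. Administrator
        if account.lower() in profiles:
            state += "; has a profile folder (account has logged on)"
        else:
            state += "; no profile folder yet"
        findings[account] = state
    return findings


def read_userlist():
    """Enumerate the key on Windows; {} when the key is absent (nothing hidden)."""
    import winreg  # Windows-only, imported here so the audit logic runs anywhere
    entries = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERLIST_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:            # no more values
                    break
                entries[name] = data
                index += 1
    except FileNotFoundError:
        pass
    return entries


if __name__ == "__main__":
    # Profiles root is the parent of the current profile (Documents and Settings on XP)
    profiles_root = os.path.dirname(os.environ.get("USERPROFILE", r"C:\Documents and Settings"))
    dirs = os.listdir(profiles_root) if os.path.isdir(profiles_root) else []
    for account, finding in sorted(audit_userlist(read_userlist(), dirs).items()):
        print(account.ljust(20), finding)
```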

Monday, January 4, 2010

fun with Explorer.exe running under SYSTEM account.

In Windows XP it is possible to obtain an explorer.exe process running as the SYSTEM account.

--==[ Obtaining Explorer.exe Running as SYSTEM ]==--

To obtain our shell we will use the command line and the "at" command. Once you have a command prompt open, type the following:

at {Time_in_military_format_plus_one_min} /interactive cmd.exe


Example if time were 5:45 PM: at 17:46 /interactive cmd.exe


This will give us a command prompt in one minute. The interesting thing about this command prompt is its title, which should read something like "C:\windows\system32\svchost.exe". That alone is interesting! Check your Task Manager: this CMD.EXE process will be running under the user SYSTEM!

That being said, anything spawned from this shell runs in the context of the SYSTEM account. Try it out: run notepad.exe from that shell and check your Task Manager.

Now it's time to get Explorer running under SYSTEM. Use Task Manager to kill the explorer.exe process running under your account, then run explorer.exe from the command shell that is running as SYSTEM. It's that easy!

With our Explorer running as SYSTEM, anything you launch with a double-click runs as SYSTEM as well. Now the fun starts. What to do? What to do?
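To spot the result of this trick on a box, added here and not part of the original post: a Python check that parses the output of tasklist /V /FO CSV and flags explorer.exe (and any window-owning cmd.exe) running as SYSTEM. The CSV sample is constructed, and the "N/A window title means no interactive window" heuristic is my assumption.

```python
"""Added example (not from the original post): detect the outcome of the trick
above, an explorer.exe or an interactive cmd.exe owned by SYSTEM, from the CSV
output of `tasklist /V /FO CSV`.  The parser is separate from the tasklist call
so it can be exercised on the constructed sample below."""
import csv
import io
import subprocess

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"


def find_system_shells(tasklist_csv):
    """Return [(image, pid, window title)] for suspicious SYSTEM-owned processes.
    explorer.exe as SYSTEM is never normal; cmd.exe as SYSTEM is flagged only when
    it owns a window (title other than N/A), since service-spawned cmd.exe has none."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image = row["Image Name"].lower()
        if row["User Name"].upper() != SYSTEM_ACCOUNT:
            continue
        title = row["Window Title"]
        if image == "explorer.exe" or (image == "cmd.exe" and title != "N/A"):
            hits.append((image, int(row["PID"]), title))
    return hits


def current_hits():
    """Run tasklist on the local machine (Windows only) and return its hits."""
    out = subprocess.run(["tasklist", "/V", "/FO", "CSV"],
                         capture_output=True, text=True, check=True)
    return find_system_shells(out.stdout)


# Constructed sample in tasklist /V /FO CSV layout (not captured from a real box)
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1204","Console","0","14,212 K","Running","XPBOX\alice","0:00:03","N/A"
"cmd.exe","1388","Console","0","2,104 K","Running","NT AUTHORITY\SYSTEM","0:00:00","C:\WINDOWS\system32\svchost.exe"
"explorer.exe","1452","Console","0","12,880 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"svchost.exe","912","Console","0","4,332 K","Running","NT AUTHORITY\SYSTEM","0:00:00","N/A"
'''

if __name__ == "__main__":
    for image, pid, title in find_system_shells(SAMPLE):
        print("suspicious:", image, "pid", pid, "title", repr(title))
```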

--==[ Abusing Explorer.exe as SYSTEM ]==--

I'm sure there are more things than those listed here, but here are the two I like ;-).

1) Ignore local file permissions. Even with a user's Documents and Settings folder set as private, as SYSTEM you can still browse through it. I used to use this when looking through a hard drive pulled from another PC when the user needed files from under their Documents and Settings.

2) Change the password on a local account without knowing the old password! How cool is that? That includes local admin accounts!

Now have fun, figure out what else you can do with it, and don't use this for anything illegal.