    July 31, 2010


    Koobface ate my mom’s PC, beware the ugly face that is Koobface!

    Here is some info from a packet capture session on my mother’s PC. Do not go to this site; it is part of the Koobface worm/botnet and is merely here as info to look for on your own network. Funny thing is, this traffic was going in the background on her machine with NO browsers open or running and no programs accessing the internet. I had Wireshark and TCPView running to keep track of things, and this is only 1 of a bunch of sites the machine was continually accessing in the background. Even after cleaning her machine of all known infections, her machine continued to exhibit this sort of traffic.

    Be warned, anything infected with koobface most likely has a lot more than just the koob looking at your files and network. Format and reinstall, but by all means, get disconnected as soon as you see anything like this:


    GET /cZo1wSpx8X3Q9ko4Y2xrPTEuNyZiaWQ9N2Y2YzI3NjVkMWIxMTdlYmE5Y2YxNjRmOTlmNjRhNDI0ZWQ0NDg0NSZhaWQ9MjA3ODcmc2lkPTAmcmQ9MTI3OTY4Mjc3OA==07x HTTP/1.1
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: z0g7ya1i0.com
    Cache-Control: no-cache

    HTTP/1.1 200 OK
    Server: nginx/0.7.62
    Date: Fri, 30 Jul 2010 16:06:17 GMT
    Content-Type: text/html
    Connection: close
    X-Powered-By: PHP/5.2.10-2ubuntu6.4
    Content-Length: 312

    http://94.228.209.202/CAy2EJUd824QrRc719dd28d2f2272b521fbc72f78842239436h|http://datarecords.com/search.php|3|300
    http://94.228.209.202/DKW4eBfE5L3yNHC773c33a5462b3d3106ebcdd7149d6962605A|http://centreparcs.com/search.php|3|300
    http://94.228.209.202/oa447lOP6B5xEzO9299a283d0978a6427b3ea57d162eec1616x||3|300
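    As an added example (this is not from the original post), the Python script below takes the request line and response body from the capture above, decodes the base64 run hidden in the request path, and lists the hosts named in the response so you can search for them in your own proxy or DNS logs. Reading the numeric rd field as a Unix timestamp is an assumption made here, and the two trailing numbers on each response line are kept raw because the capture does not say what they mean.

```python
import base64
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input: the request line and response body from the capture
# above, re-joined into single lines. Nothing in this script touches the network.
REQUEST_LINE = (
    "GET /cZo1wSpx8X3Q9ko4Y2xrPTEuNyZiaWQ9N2Y2YzI3NjVkMWIxMTdlYmE5Y2YxN"
    "jRmOTlmNjRhNDI0ZWQ0NDg0NSZhaWQ9MjA3ODcmc2lkPTAmcmQ9MTI3OTY4Mjc3"
    "OA==07x HTTP/1.1"
)
RESPONSE_BODY = (
    "http://94.228.209.202/CAy2EJUd824QrRc719dd28d2f2272b521fbc72f78842239436h"
    "|http://datarecords.com/search.php|3|300\n"
    "http://94.228.209.202/DKW4eBfE5L3yNHC773c33a5462b3d3106ebcdd7149d6962605A"
    "|http://centreparcs.com/search.php|3|300\n"
    "http://94.228.209.202/oa447lOP6B5xEzO9299a283d0978a6427b3ea57d162eec1616x"
    "||3|300\n"
)

B64_RUN = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def _printable(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 for b in data)


def decode_beacon(request_line: str) -> dict:
    """Decode the base64 run in the request path into key/value pairs.

    The path pads the base64 with extra alphabet characters at both ends, so
    every 4-aligned start offset is tried until one decodes to printable ASCII
    containing '=' (a query-string shape). Returns {} if nothing decodes.
    """
    path = request_line.split()[1]
    run = max(B64_RUN.findall(path), key=len)
    for start in range(len(run)):
        chunk = run[start:]
        if len(chunk) % 4:
            continue
        try:
            raw = base64.b64decode(chunk, validate=True)
        except ValueError:
            continue
        if _printable(raw) and b"=" in raw:
            return dict(parse_qsl(raw.decode("ascii"), keep_blank_values=True))
    return {}


def epoch_fields(params: dict) -> dict:
    """Numeric fields that are plausible Unix timestamps (roughly 2001-2033).
    Treating the beacon's 'rd' value this way is this script's assumption."""
    return {
        key: datetime.fromtimestamp(int(value), tz=timezone.utc)
        for key, value in params.items()
        if value.isdigit() and 1_000_000_000 <= int(value) <= 2_000_000_000
    }


def parse_task_lines(body: str) -> list:
    """Split each pipe-delimited response line into two URLs plus raw trailing fields."""
    records = []
    for line in body.splitlines():
        if not line.strip():
            continue
        url_a, url_b, *rest = line.split("|")
        records.append({"url_a": url_a, "url_b": url_b, "fields": rest})
    return records


def hosts_seen(records: list) -> list:
    """Hostnames referenced by the response, to search for in proxy or DNS logs."""
    hosts = set()
    for rec in records:
        for url in (rec["url_a"], rec["url_b"]):
            if url:
                hosts.add(urlsplit(url).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    params = decode_beacon(REQUEST_LINE)
    print(params)
    print(epoch_fields(params))
    print(hosts_seen(parse_task_lines(RESPONSE_BODY)))
```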

    One sneaky thing that I happened to see was that whatever or whoever was taking over her machine was able to hijack my Teamviewer connection and do a MITM on our Teamviewer session. Initially TCPView showed my IP and my mother’s IP in connection. At one point I got disconnected several times, and when I finally got back in, the IP address had changed to an IP address in Germany. I even disconnected and had my mother restart Teamviewer while I was off, and it showed someone else connect again, but they didn’t do anything with the session other than, I assume, just watch what we were doing to monitor the situation. At that point, I had her shut down the machine and drive it to my place, where I updated a new machine for her and copied over her important docs from the old machine. I haven’t nuked it yet, just in case I want to analyze it further, but it had its hooks in so far that you couldn’t even google for the phrase “windowsupdate” without it dropping the connection. If I googled for microsoft.com, it worked fine, but as soon as we changed it to “windowsupdate” it would act as if it went offline.

    This also happened trying to reach the Microsoft update site itself and even when I would do a whois for update.microsoft.com. A whois for microsoft.com worked fine, but if I added a whois for windowsupdate.microsoft.com, the web page would time out. Doing the same tests from my machine worked fine, and I could reach the Windows Update site just fine, so whatever it was that got its teeth into her box was one nasty infection, and not worth the effort to try and clean it. I think this is probably one of the worst infections I have ever come across, even for a rootkit; it had itself hooked in so deep, there weren’t any signs of anything other than the redirecting of traffic on her system.

    She also doesn’t have a router, so they didn’t manage to hijack her DNS that way, so it was done internally to Windows somehow. My fear is that they somehow got into her Surfboard modem through an unpublished flaw, because it’s known that Motorola modems can be flashed with custom firmware; how they would do that though, I don’t know. Even manually setting her up with OpenDNS did not seem to stop the hijacking of her traffic. Searches would redirect her, pages she clicked on went somewhere else, all while doing this without any other exe’s showing. They somehow were injected directly into the existing exe’s running like any other normal session. I imagine they may have even used the new lnk vuln, but I wasn’t able to find any indication that was how they managed to get in.

    May 31, 2010


    Rants and updates

    Been a while since I posted. Sounds so cliché. Been working on several projects for my clients and am finally wrapping them up this week. Come Friday, I will be offline for a few weeks. My wife is having major surgery this and won’t be able to do much for a while. My health insurance runs out this month as well, so it’s kind of ironic she had to do this now.

    Still looking for a full time job, just nothing out there right now that will start me even remotely close to what we need to get by on. I may just have to take a minimum wage job so we can get health benefits again, but not sure what will happen to us at that point. We are barely getting by now on what I’m bringing in, so if I cut that income by a third we’ll pretty much go bankrupt, but at least we’ll have our health.

    On the Business front:
    I’m looking into how much it will cost to start advertising in our local area. One of my ideas is to try and get us on the little place-mats they use at restaurants like Denny’s and such. They always have ads for local businesses, and this would probably help 10 fold with getting our name out there. Just have to shift focus now. We started out as a PC Repair shop, making house calls, and remote help desk type of services with Web and Graphic Design on the side, but it seems the Web and Graphic design end of things are what has really kept us afloat at this point. No one seems to need PC repair and if they do, they seem to be dumb enough to take their machine to Best Buy.

    For the life of me I can’t understand why people would do this, other than it still being under warranty, but Best Buy isn’t going to even try to recover your files for you. In 99% of the cases they will either replace your HDD and reinstall Windows, or just format your old one and reinstall Windows. They charge like $300 to both destroy your data, and then sell you a new HDD you didn’t need in the process. They have no concern for preservation of your system’s files or important data. Don’t expect to get all your photos and music back when you take it in to them, or your important business documents. Hell, if you’re one of the unlucky ones, they just might turn around and sell your HDD, while telling you the old one was bad. Don’t believe me? Ask this guy how he feels. Not fun.

    Speaking of not fun, went and visited a friend in the hospital. He had his prostate removed because of an enlargement and they found cancer cells in it. Really not fun. Turns out, statistics are showing that 80% of all men will end up with some form of prostate cancer later in life. Guess there isn’t much hope for men. Better screw your brains out now and make all the babies you can. No telling how long your prostate has left. (I’m kidding)

    :)

    May 13, 2010


    I’m Rich! Or at least this guy says I am

    Return-Path:
    X-Original-To: xxxxxxxxxxxxxxxxxxxx
    Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Received: from anew-energy.com (mail.anew-energy.com [116.228.65.117])
    by xxxxxxxxxxxxxxxxxx (Postfix) with SMTP id xxxxxxxxxxxxxxx
    for ; Thu, 13 May 2010 00:03:28 -0700 (PDT)
    Received: from User ([173.234.16.90])
    (envelope-sender )
    by 192.168.0.20 with ESMTP
    for ; Thu, 13 May 2010 14:56:53 +0800
    Reply-To:
    From: “Ben Mark”
    To: benmakkk0009@rediffmail.com
    Subject: Second Notice
    Date: Thu, 13 May 2010 01:55:32 -0500
    MIME-Version: 1.0

    Greetings,

    I understand that through Internet is not the best way to link up with you because of the confidentiality which my proposal demands.

    However, I have already sent you this same letter one month ago,but I am not sure if it did get to you since I have not heard from you, hence i am constrain to reach you through the Internet which has been abused over the years.

    I wish to notify you again that You were listed as a Heir to the total sum of (Three Million Six Hundred Thousand British Pounds) in the codicil and last testament of the deceased.(Name now withheld since this is our second letter to you). We contacted you because you bear the surname identity and therefore can present you as the Heir to the inheritance funds.

    Please indicate your interest immediately for us to proceed. I shall feed you with full details of this transaction upon receipt of your reply towards this proposal.

    All the legal papers will be processed in your acceptance. In your acceptance of this deal, we request that you kindly forward to us your letter of acceptance; your current telephone and fax numbers and a forwarding address to enable us file necessary documents at our high court probate division for the release of this sum of money.

    I look forward to hearing from you.

    Mr. Ben Mark (Barrister)
    Private Telephone +4470111 83445

    What a crock of shit. Feel free to call and claim my money…

    April 21, 2010


    Oh Hai!

    Wow! Today was a busy day for attackers visiting my site.
    WTF!
    “Command shell attack: Generic Attempt to remote include command shell”

    K, thnx, by!

    March 26, 2010


    Photoshop, Windows 7 and random bugs

    Well, I’ve been testing Windows 7 for a few weeks and have built myself a new workstation in preparation for a MCSE lab and Offsec lab environment. The new machine now has 16GB of RAM, a 2.8GHz AMD II X2 processor with 1 320GB SATA and 2 additional 500GB SATA drives. I have most of the system migration done from my last machine and have managed to recover all of my work so far, but here and there are a few minor issues.

    For starters, I have had Photoshop working in 7 on 2 other machines. Then when I finally moved it to this machine for its final home, it raised an ugly bug, not being able to start. How I got around this issue was to set Photoshop to run as administrator. Not really a big deal, since I am the admin to begin with, but if there comes some sort of 0-day for Photoshop that would have been thwarted by not running as admin, well, I just set myself up for fail.

    As you can see above, this is a generic error. I for the life of me couldn’t find what executable it was referring to as being blocked, and this was the first time since using 7 that I have encountered this issue using Photoshop. To fix this I went to the Programs folder, right clicked Photoshop and brought up the Properties. Then on the Compatibility tab, there is an option you can check to enable “run this program as administrator”. Once I did that, the error went away, but I still can’t see why it does it now, after testing on multiple machines using the same OS.

    Some programs seem to work fine with this desktop, while on others the same program and same OS and updates had issues. For example, Notepad++ wouldn’t run on my wife’s computer without some messing with the compatibility settings. On my new machine, it worked fine without having to set anything at all, which is odd, because we are using the same identical files for the program.

    I’m not really too surprised to see the randomness in which 7 works with files and programs in general because 7 is still fairly new, but it is odd to see the same program on the same version of 7 on several machines all do something different and unique, yet they all have the same updates, settings and permissions as well as the same exe’s on all of them. This randomness is something that makes troubleshooting even harder for techs and I think will become a headache for helpdesk people in the long run.

    March 25, 2010


    Recovering Outlook Express 6 Accounts, Address Books and Old Messages from a failed Win XP system using Windows 7 (Minus Passwords though)

    Step 1 – Backup all Local and External Data:

    First thing you will want to do before making any changes to both your system and the external files is to backup all the data. Make sure to create a restore point as well and export your registry if you are as paranoid about editing the system registry as I am. Never hurts to have multiple backups and Windows Restore Points can flake out for whatever reason it wants, so be sure to have your stuff in a safe place.

    Why are they still using Outlook Express? Isn’t it insecure? : Back in the day, Windows XP would ship with Outlook Express as its default email client when installed in combination with Internet Explorer 4 or later. Most systems bought from a store were shipped with it installed by default, but today it is left as an optional component by most OEMs. While you can use web-mail such as Yahoo, Gmail and Hotmail, there are still a lot of us who like to use an email client to download mail from these websites, instead of having to log on to each site individually. For office use, you probably use Outlook as your main email client, but the average home user still uses Outlook Express, and for that reason you will need to know how to support it and recover these files.

    Step 2 – Identify what you need to recover:

    While it is important to recover the email messages and contacts for most users, you may or may not have a need to recover their accounts and passwords. The thing to understand is that some users may not remember all their passwords and will not be able to access their email servers without a way to recover the account login info and passwords.

    These are the files on the user’s hard drive you will need to access in order to recover all their settings and messages.

    1 – \\Documents and Settings\”username”\NTUSER.DAT
    where “username” is the account you need to recover files from. NTUSER.DAT is the registry hive for this user and will contain their login information, such as Account IDs and Passwords. You will need to mount this hive file using Regedit in order to access the key which contains their passwords.

    2 – “HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager”
    where “HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager” is the registry key from the NTUSER.DAT hive file containing their account info. We’ll get to this in a second.

    3 – \\Documents and Settings\”username”\Application Data\Microsoft\Address Book\”username.wab”
    where “username.wab” is the user’s address book of contacts to import.

    4 – \\Documents and Settings\”username”\Local Settings\Application Data\Identities\”{long hash key}”\Microsoft\Outlook Express\*.dbx
    where “{long hash key}” is a unique hash value based on the user’s account and *.dbx are all the folders and email files for the account. The dbx files can be stored in a different location, but the user would have to have specified this using Outlook Express.

    Step 3 – Tools you will need to recover these files

    1 - Notepad

    2 – Regedit

    3 – Windows Live Mail

    http://download.live.com/wlmail

    Step 4 – Setup Live Mail and recover their files:

    Now that you know what files to access, we can begin by installing Windows Live Mail. Windows Live Mail is basically a clone of Outlook Express with a few fancy GUI changes to update with the times. Windows Live Mail also has some new features, such as a Calendar and RSS Feeds built in. Once you get it installed, you will be prompted to add a user. You can cancel this and then go to the main interface. Hit the alt key to see the file menus or click the icon on the right side of the ribbon to select the show menu bar option.

    Now that you can see the file menu options you can begin your imports. Everything except the accounts can easily be recovered at this point just by accessing the WAB and DBX files. On the file menu, select Go > Contacts. Once the contact window opens, hit the alt key and then File > Import > WAB files. This will add all the contacts to your address book from Outlook Express’s WAB file.

    Note: Remember that it is located on the users drive in [Documents and Settings\"username"\Application Data\Microsoft\Address Book\"username.wab"]

    Once you have added their contacts, you will want to import their messages and folder structure from their inbox. For this, we close the contact window and go back to the main screen. Click File > Import > Messages > Outlook Express 6 Messages. You will then point to their DBX files, located in [Documents and Settings\"username"\Local Settings\Application Data\Identities\"{long hash key}"\Microsoft\Outlook Express\].

    At this point, you may be done. Depending on whether or not the user has their account names, passwords and servers documented, they may be able to handle setting up the rest. If not, now comes the fun part.

    Step 5 – Mounting the Hive to Export their Account Details

    NOTE: This is another reason you were asked to make a backup of your own as well as their files: in the event that a catastrophic failure happens at this point, you may not be able to recover yours or their files.

    If you need to recover their accounts, you will need to mount their Registry Hive file. Open Regedit and then select the “HKEY_LOCAL_MACHINE” tree. From the file menu, select File > Load Hive and point to the [Documents and Settings\"username"\NTUSER.DAT] file I mentioned above. Once you do this, you will be loading all their reg keys for that user’s sign-on. You will then want to navigate to the key ["HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager"]. Double click this and you will see a folder called Accounts. Right click Accounts and then select Export. Save the file to your desktop as OutlookAccounts.reg.

    Whatever you do at this point, DO NOT DOUBLE CLICK or MERGE this file with your registry! Once the export is done, you can unload the Hive file. THIS IS ALSO IMPORTANT! BE SURE TO SELECT ONLY THE FILE YOU LOADED! DO NOT UNLOAD ANY OTHER HIVES OR KEYS OR YOU COULD MESS UP YOUR CURRENT SYSTEM!

    Now that you have this file on your desktop, you can open it in notepad.

    [ Again, do not try to merge this with your system as the keys they point to are not in the same paths as your current machine and won’t do you any good anyway! ]

    For every line that says Account Name, there is an email account associated with it. There will be multiple sections depending on how many accounts the user had in their Outlook Express client. You will also notice that there are plain text listings of the email addresses in each Account Name section, as well as their email servers’ POP and SMTP addresses.

    ex:
    “Account Name” Can be anything, but usually is their email address or ISP name.
    “POP3 Server” ex: mail.server.com or pop3.server.com, etc..
    “POP3 User Name” (Should be their email address but may be blank if they never set one up properly)
    “SMTP Server” ex: smtp.server.com or mail.server.com, etc..

    From here, you will have to document the email addresses and servers they are associated with. You can then add them manually to the new system through Windows Live Mail, but you still won’t have a password for these accounts.

    Alternatively, if you have a Virtual Machine with XP installed, you can create a new user, then overwrite their NTUSER.DAT file and then open Outlook Express to see the accounts. This will yield you the ability to see all the accounts within Outlook Express and then export them easily, but understand that their PASSWORDS WILL NOT WORK with this method. The password hashes in the NTUSER.DAT file are protected via a salt which is unique to the original operating system’s SID. If this salt and hash combo aren’t able to be decrypted in the VM, then when you export the .iaf files the passwords will not be correct and will be set as the same field as your email address. Normally the .iaf file will contain the password for bringing these accounts to a new machine for migration, but since the hash can’t be decoded from the VM, it is not able to store them for you.

    Step 6 – Password Recovery Not Possible from NTUSER.DAT alone

    At this point, you have all the information you need to get their accounts entered, but you won’t have any of their passwords. As far as I know, there isn’t a way to merge the reg file into Windows 7, or any other Windows machine for that matter, to yield you these passwords. Normally under XP you could run a tool like Cain to dump the Protected Storage which contains the passwords for all your email accounts. Merging our exported hive key to any system would still not show you any results. The reason being is that your system creates a unique identity, or a hash called a SID, when you install Windows. Because of that, our identity hash and SID are different for every system.

    After a little research I found a tool that lets you retrieve the passwords directly from the NTUSER.DAT files. This little tool does exactly what it says it does, but is not free. If you are a PC repair technician, this is a great tool to add to your arsenal, even if only a paid-for program, since Microsoft does not seem to have a free tool for doing exactly that:

    http://www.passcape.com/outlook_express_password_recovery

    For the price of the tool, I think it’s probably worth having. If you happen to find a tool that works just as well, then please let me know and I can update this post with a link to the other tools. I have tried things like NirSoft’s password recovery tools, but they don’t seem to have a way to read a raw NTUSER.DAT file for recovering the keys, and only work from within a currently stable system, not from the files off a dead system.
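    As an added example (this is not from the original post, and has nothing to do with the Passcape tool), the Python script below parses the OutlookAccounts.reg file exported in Step 5 and pulls out the Account Name, POP3 Server, POP3 User Name and SMTP Server for each account, so you do not have to read them out of Notepad by hand. The sample .reg text, the name the hive is loaded under and the POP3 Password2 value name are assumptions made for the example; password blobs are only noted as present and are never decoded, for the reason the post gives.

```python
import re

# Constructed sample of what regedit writes when the Accounts key of a loaded
# NTUSER.DAT hive is exported. The two accounts are made up, and the hive is
# assumed to have been loaded under HKEY_LOCAL_MACHINE\recovered.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\recovered\Software\Microsoft\Internet Account Manager\Accounts\00000001]
"Account Name"="mail.example.net"
"Connection Type"=dword:00000003
"POP3 Server"="pop3.example.net"
"POP3 User Name"="alice@example.net"
"POP3 Password2"=hex:01,00,00,00,aa,bb,cc,dd,\
  ee,ff
"SMTP Server"="smtp.example.net"
"SMTP Display Name"="Alice \"Al\" Example"

[HKEY_LOCAL_MACHINE\recovered\Software\Microsoft\Internet Account Manager\Accounts\00000002]
"Account Name"="Work Mail"
"POP3 Server"="mail.corp.example"
"POP3 User Name"=""
"SMTP Server"="mail.corp.example"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
ACCOUNT_FIELDS = ("Account Name", "POP3 Server", "POP3 User Name", "SMTP Server")


def _unescape(text: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", text)


def _parse_value(raw: str):
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw)
    if m:  # binary data is handed back as bytes and never interpreted
        return bytes(int(h, 16) for h in m.group(1).split(",") if h.strip())
    return raw


def load_reg_file(path: str) -> str:
    """Version 5 exports are UTF-16 with a BOM; older REGEDIT4 exports are ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("cp1252")


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: value}}."""
    joined = []
    for line in text.splitlines():
        line = line.strip()
        if joined and joined[-1].endswith("\\"):  # hex data continued on next line
            joined[-1] = joined[-1][:-1] + line
        else:
            joined.append(line)
    keys, current = {}, None
    for line in joined:
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _parse_value(m.group(3))
    return keys


def outlook_express_accounts(reg_text: str) -> list:
    """Per-account details from the exported Accounts key, in key order."""
    found = []
    for key, values in parse_reg(reg_text).items():
        if "\\Internet Account Manager\\Accounts\\" not in key:
            continue
        rec = {field: values.get(field, "") for field in ACCOUNT_FIELDS}
        rec["key"] = key.rsplit("\\", 1)[1]
        # Stored passwords are binary blobs bound to the original system (see the
        # post), so only their presence is recorded; nothing here decodes them.
        rec["stored_password"] = any(n.endswith("Password2") and isinstance(v, bytes) for n, v in values.items())
        found.append(rec)
    return found


if __name__ == "__main__":
    for account in outlook_express_accounts(SAMPLE_REG):
        print(account)
```

    To run it against a real export, replace SAMPLE_REG with load_reg_file("OutlookAccounts.reg").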

    March 18, 2010


    A+ in the bag, now on to MCSA

    Finished up my second A+ exam today. Now I just have to schedule my MCSA exams and I should be set. Still need to work on my Cisco though. A bit rusty with it since I don’t have any of the equipment or work in a place doing it everyday. I miss the Cisco stuff. It was a lot of fun to learn, and just made sense to me when doing it. Can’t say that about the Microsoft classes. I’m not 100% on the MSFT stuff either, but I figure, I need to start taking the exams to get an idea where I stand. Who knows? I may pass all of them just fine. Wouldn’t make me any more confident about it though, as I just need to get back to work so I can dig into this stuff now and put it to use.

    Another class I am working towards is the Offensive Security Pentesting with Back|Track. http://www.offensive-security.com/blog/backtrack/pwb-v3-information-security-training-at-its-best/

    I have been working on the intranet sites for the school’s testing area as well as their main web site for a while now, and since I am nearly finished with my current school work, I want to start the PWB 3.0 course. I don’t have any background in IT Security, but I do like to mess around and see how things work, so this will be another great tool to add to my belt. I figure, if I can master the Back|Track stuff, I can be a better Server Administrator down the road, since that is one of my goals. As much as I like doing web sites and graphic art, I enjoy it more when it’s just for fun and freedom of expression than I do when it’s for a client. But then again, doing sites for clients has helped pay the bills, so I shouldn’t complain too much.

    Well, off to bed. Been a long day and I’m pooped…

    March 13, 2010


    Passed the A+ 220-701 exam

    Well, I passed my A+ 220-701 exam today. Was a lot easier than I thought it was going to be. I scored an 860 out of a possible 900, so I damn near aced the thing, or at least I think… I got like 1 or 2 questions wrong, but I can’t be sure since each test question is weighted a different percentage point. While 1 question might be 10 points, another could be worth 1 or 20 points, so it’s difficult to gauge where you stand. Also, some questions are thrown out and won’t even count towards your score, so even if you answered it correctly, it may have applied to something more specific like Networking and not pertained to the essentials curriculum.

    I will take the 220-702 this Wednesday, and once I finish (and pass) I’m going to start taking my Microsoft Certs. I’m not sure if I am ready for the MS cert tests yet, but I at least want to know where I stand.

    I may have to re-sit the Cisco CCNA course, as I haven’t touched any of the material or equipment since last July, so I forget damn near all of the Router and Switch setups. Although I could probably fumble my way through it on the job, I want to refresh everything so I can take my full CCNA cert exam. Then I can start work on the Cisco Voice classes.

    So right now I have my Net+, CCENT, part of the A+ done, and have been through a CCNA class, A+ class, Net+ class, and MCSA class. I will probably need to re-sit the Microsoft Exchange portion of the MCSA as well, because I was not that familiar with Exchange to begin with, and to be honest, I hate Exchange so it made it that much harder for me to really dig into it. One nice thing though is, if I get my A+, I can apply that and my Net+ as an elective in the MCSA track, and can skip Exchange as the elective.

    March 12, 2010


    BFIR – An acronym I created a while ago…

    BFIR -verb, [beefer] abbr : Backup, Format, Install, Restore

    BFIR, to define a “beefer” as the actions one takes to backup their system after a compromise, then one must pull out the dreaded install cd and do a format and clean install of their OS, and then restore their files and settings.

    This is not to be compared with the fubar, commonly referred to as foobar, which is a term used in the Corporate IT environment for “ID-10 T” errors. This is when a technician tells the client, “Oh, your shit was fubared, so we wiped it with a new image.” When fubared, you lose everything, as you are “fucked up beyond all recognition”.

    This is another IT Acronym you can add to your list of already absurd lists of IT Acronyms and in no way shape or form has anything to do with APT, PCI or any of those other letters you may have seen floating around the past few weeks.

    Today’s show was brought to you by the letters F and U and the numbers 1 and 0.

    February 26, 2010


    Hitler and Cloud Computing Security
