Monday, November 5, 2012

Portless file transfer using hping3

PC1: Server that will receive the file.
PC2: Host that will send the file to PC1.

On PC1, execute the command below:

hping3 PC1_IP_Address --listen fire --icmp -I eth0 > received_file.txt

Parameters used in the commands:

  • --icmp: protocol
  • -d: data size in bytes (excluding header information)
  • --sign: signature word that triggers the file transfer
  • --file: file name
  • -c: number of packets
  • -I: network interface
  • --listen: listening mode

  • The trigger word "fire" takes 4 bytes of the packet data, so -d must be the file size plus 4: to send a 35-byte file you send 39 bytes in total.

    On PC2, execute the command below:

    hping3 PC1_IP_Address --icmp -d 73 --sign fire --file sendingfile.txt -c 1 -I eth0
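As an added example that is not part of the original post, the Python script below shows the detection side of the transfer described above: it parses raw IPv4/ICMP packets, flags echo packets whose data carries the --sign word, and reassembles what the hping3 listener would have written to received_file.txt. The packets are constructed inline; the signature "fire" and the 10.0.0.x addresses are assumptions.

```python
import struct

# The --sign trigger word from the hping3 commands above.
SIGNATURE = b"fire"


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(packet: bytes):
    """Return (icmp_type, icmp_code, icmp_data) for a raw IPv4 packet carrying
    ICMP, or None when the packet is not IPv4/ICMP or is truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return None
    icmp = packet[ihl:total_len]
    # 8-byte ICMP header: type, code, checksum, identifier, sequence number
    return icmp[0], icmp[1], icmp[8:]


def find_signed_payload(packet: bytes, signature: bytes = SIGNATURE):
    """Flag an ICMP echo request/reply whose data carries the hping3 signature.
    Returns the bytes after the signature (the file chunk that left the host) so
    an analyst can see what was transferred, or None when nothing is flagged."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return None
    icmp_type, _, data = parsed
    if icmp_type not in (0, 8):          # 8 = echo request, 0 = echo reply
        return None
    idx = data.find(signature)
    return None if idx < 0 else data[idx + len(signature):]


def reassemble(packets, signature: bytes = SIGNATURE) -> bytes:
    """Concatenate the flagged chunks of a capture in arrival order, which is
    what 'hping3 --listen fire' writes to received_file.txt."""
    chunks = (find_signed_payload(p, signature) for p in packets)
    return b"".join(c for c in chunks if c)


def build_icmp_echo(data: bytes, src=b"\x0a\x00\x00\x02", dst=b"\x0a\x00\x00\x01") -> bytes:
    """Constructed sample packet (not a capture): IPv4 header + ICMP echo request
    shaped like the hping3 sender's output, with valid checksums."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


if __name__ == "__main__":
    # Constructed traffic: one ordinary ping, then two signed packets carrying a file.
    capture = [build_icmp_echo(b"abcdefghijklmnop"),
               build_icmp_echo(SIGNATURE + b"secret line 1\n"),
               build_icmp_echo(SIGNATURE + b"secret line 2\n")]
    for i, pkt in enumerate(capture):
        chunk = find_signed_payload(pkt)
        if chunk is not None:
            print("packet %d: signed ICMP data, %d bytes carried" % (i, len(chunk)))
    print(reassemble(capture))
```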


    Thursday, November 1, 2012

    Check if a file has been downloaded from the Internet

    To check this we use the Alternate Data Stream (ADS) property of the file.

    If a file has been downloaded from the Internet or another untrusted zone, Windows adds a Zone.Identifier:$DATA ADS to the file.

    You can list ADSs with the dir /r command or the Sysinternals streams.exe tool.

    dir /r c:\

    streams.exe -s c:\users\etanirer

    Output example:

    Streams v1.56 - Enumerate alternate NTFS data streams
    Copyright (C) 1999-2007 Mark Russinovich
    Sysinternals -
       :Zone.Identifier:$DATA       26
       :Zone.Identifier:$DATA       26
       :Zone.Identifier:$DATA       26
    c:\users\etanirer\desktop\IPhone45111\Yeni klasör\iPhone3,
       :Zone.Identifier:$DATA       26


    Volatile sources of forensic evidence on Windows-based systems.

    When collecting evidence you should proceed from the volatile to the less volatile. Here is an example order of volatility for a typical

      - registers, cache
      - routing table, arp cache, process table, kernel statistics,
      - temporary file systems
      - disk
      - remote logging and monitoring data that is relevant to the system in question
      - physical configuration, network topology
      - archival media

    This order of volatility is the one given in RFC 3227 (Guidelines for Evidence Collection and Archiving).

    Resetting the password on a Macintosh running OS X

    If you are doing a forensic investigation of a Macintosh running OS X, need to access a program on a booted forensic copy of the subject's drive, and do not know the password, follow the steps below:
    If you have any version of the Mac OS X boot CD or DVD, place it in the examination system and hold down the C key to boot from the CD/DVD drive. When the system asks whether you want to install/reinstall OS X, choose the Password Reset Utility from the drop-down menus at the top of the screen. You will be shown a list of users; pick one or all of them and change the passwords of the accounts to something you know.
    Resource: The Official CHFI Study Guide (Exam 312-49) for Computer Hacking Forensic Investigators  Copyright © 2007 by Elsevier, Inc.


    Wednesday, October 31, 2012

    "There was an error uploading the file" (Symantec DLP)

    If you get "There was an error uploading the file" while trying to upgrade DLP to a newer version from the Systems --> Overview --> Upgrade menu using the .jar file, try the steps below. It worked for me.

    1) Create a folder named enforceupgrade under c:\Vontu\Protect\Updates
    2) Extract the jar file into this folder using WinRAR or WinZip.
    3) Run start_upgrade_wizard.bat
    4) Wait approximately 60 seconds for Tomcat to initialize properly.
    5) Open a web browser and go to the URL https://yourenforceipaddress:8300
    6) Log in using administrator credentials and start the upgrade process.

    Tuesday, October 30, 2012

    Enable syslogging on VMware ESX 3.5

    To log events from an ESX host to a remote syslog server:
    1. Log in to the ESX host as root using an SSH client.
    2. Open the /etc/syslog.conf file using a text editor.
    3. Add this entry at the end of the file:
       *.* @
       For example:
       *.* @

       With vi: open the file with "vi /etc/syslog.conf", add the line, press Esc, type :wq and press Enter, then type "service syslog restart" and press Enter.

    Enable syslogging on ESXi 4.x

    Connect to your ESXi host using the vSphere Client.

    1) Open the Configuration tab and choose Advanced Settings under the Software section on the left.
    2) Find Syslog in the tree view. Enter your syslog server's IP address and port number in the right pane.
    3) Connect to your ESXi host using SSH and log in as root.
    4) Type "ps | grep syslog" (without the quotes) and press Enter. Note the PID.
    5) Type "kill -HUP PIDNumber" and press Enter.
    6) Your host will begin to send syslog messages to your syslog server.


    Enable SSH on ESXi 4.x

    1) At the console of the ESXi host, press ALT-F1 to access the console window.
    2) Enter unsupported in the console and then press Enter. You will not see the text you type.
    3) If you typed unsupported correctly, you will see the Tech Support Mode warning and a password prompt. Enter the password for the root login.
    4) You should then see the prompt ~ #. Edit the file inetd.conf (enter the command vi /etc/inetd.conf).
    5) Find the lines that begin with #ssh and remove the #. Then save the file. If you're new to vi, move the cursor down to the #ssh line and press the Insert key. Move the cursor over one space and hit Backspace to delete the #. Then press ESC and type :wq to save the file and exit vi. If you make a mistake, press ESC and type :q! to quit vi without saving the file.

    Note: there are two lines for SSH in ESXi 4.x, one for regular IP and the other for IPv6. Uncomment the line appropriate to the protocol you'll use to access your host.

    6) Once you've closed vi, you can either restart the host or restart the inetd process. To restart inetd, run ps | grep inetd to determine the process ID of the inetd process. The output will be something like 4399 4399 busybox inetd, where the process ID is 4399. Then run kill -HUP on that PID (kill -HUP 4399) and you'll be able to access the host via SSH.

    Monday, October 29, 2012

    SYMANTEC VONTU "TableSpace is almost full"

    To enter SQL*Plus, open a command prompt on the machine with Oracle installed.

     1. Enter "sqlplus /nolog" followed by Enter.
     2. To log in, type the command: connect sys/password@protect as sysdba

     [where password is the current protect password for the database]

     3. Check how many LOB0*.DBF files you have in the \ORACLE\ORADATA\PROTECT\ directory, where '*' denotes the number of that file.

     You will need to add another file with the name/number incremented by 1, so if you already have 3 you will need to add the next one, called LOB04.DBF, like so:

      ON NEXT 10240K MAXSIZE 32767M;

     You should get the result "Tablespace altered" if successful.
     Type exit to log out.

    Tuesday, October 23, 2012

    Photo or Image Forensic "type of camera used to take the image"

    You can use the free software XnView to view which device was used to take a photo, and which software (Photoshop etc.) or scanner was used to convert it to digital format.

    XnView provides a listing of directories in the left pane and shows the images in a particular directory in the upper-right pane. When you select an image, it appears in the lower Preview pane. In addition, clicking on the Properties tab displays information on a particular image, including its file format, timestamps, size, compression used, and other attributes. By clicking on the EXIF tab, you can display extra information, which could include the type of camera used to take the image, the exposure, the date the picture was taken, and other facts.

    Monday, October 15, 2012

    Catalyst 3750 Series Switches in the stack do not boot with the new image after a software upgrade.

    I faced this issue after upgrading the IOS on my 3750 series switch stack. The stack consists of 4 Catalyst 3750 series switches. After I had copied and set the new IOS file as the boot file, one of them failed to boot and I got a "Switch is not usable" error.

    My solution:

    • I removed the stack cables from the switch that had failed to boot.
    • I set the new IOS with the boot system .... command.
    • I ensured that the switch booted up with the new IOS.
    • I powered off the switch.
    • I connected the stack cables and powered on the switch.


    List domain user's folder access permissions

    Download the tool from the link and install it on your computer.

    From a command prompt, go to the folder where you installed subinacl and execute the command:

    subinacl /testmode /noverbose /outputlog=c:\permission.TXT /subdirectories=directoriesonly h:\*.* /findsid=domain\username

    Sunday, October 7, 2012

    MS SQL Server DB Security Auditing

    You can use the commands below for ISO 27001 requirement checks.

    MS SQL Server version

    SELECT @@version

    List of databases on the MS SQL Server

    SELECT * FROM sys.databases

    List of all users on the MS SQL Server

    SELECT * FROM sysusers WHERE islogin = 1

    List of users that have DBA authorization

    sp_helprolemember db_owner

    List of users that have authorization beyond the SELECT command

    SELECT a.*, b.*
    FROM sys.database_principals a
    INNER JOIN sys.database_permissions b ON b.grantee_principal_id = a.principal_id
    WHERE b.permission_name NOT LIKE '%SELECT%'

    List of users whose passwords are empty

    SELECT name
    FROM sys.sql_logins
    WHERE PWDCOMPARE('', password_hash) = 1

    Check whether the password and expiration policies are applied to users

    SELECT name, is_expiration_checked, is_policy_checked
    FROM sys.sql_logins
    WHERE is_expiration_checked = 0 OR is_policy_checked = 0

    List of synonyms

    If you create public synonyms, all users can read the tables, so using synonyms is not suitable for data security.

    SELECT * FROM sysobjects WHERE xtype = 'SN'


    Friday, October 5, 2012

    Enable SSH and disable Telnet on Cisco Catalyst series switches

    conf t
    aaa new-model
    username cisco password yourpassword
    ip domain-name <your domain name>
    crypto key generate rsa
    (you can choose the RSA key modulus size from 360 to 2048 bits)
    line vty 0 4
    transport input ssh

    To prevent Telnet access to the switch:

    access-list 110 permit tcp any host <switch ip> eq 22
    access-list 110 deny tcp any host <switch ip>
    access-list 110 permit tcp any any
    interface range gigabitethernet1/0/1-24
    ip access-group 110 in
    end
    copy run start


    Cisco Catalyst 3750 IOS Upgrade

    Cisco Catalyst 3750 IOS upgrade steps (using TFTP)

    1. Download the suitable IOS image file from the Cisco web site (do not forget to check the DRAM and flash memory requirements).
    2. Copy the related file to flash memory using the copy tftp:filename flash: command:

    copy tftp:c3750-ipbasek9-mz.122-55.SE6.bin flash:

    3. If you haven't got enough free space in flash memory, delete the old boot file using the delete /f /r flash:filename command before copying the new one:

    delete /f /r flash:c3750-ipbase-mz.122-50.SE5.bin

    4. Verify the MD5 checksum of the file using the verify /md5 flash:filename command, and compare the result with the MD5 published on the Cisco download page:

    verify /md5 flash:c3750-ipbasek9-mz.122-55.SE6.bin

    5. Set the new file as the boot file:

    conf t
    boot system switch all flash:c3750-ipbasek9-mz.122-55.SE6.bin
    end
    write memory


    Error reading flash (is a directory)

    This error means that the file you want to copy from flash to TFTP is under a directory.

    Follow the steps below:

    • execute the sh flash command
    CiscoSw#sh flash
    Directory of flash:/c3750-ipbase-mz.122-50.SE5/
        5  drwx        4608   Mar 1 1993 03:09:56 +03:00  html
      424  -rwx     9574343   Mar 1 1993 03:13:20 +03:00  c3750-ipbase-mz.122-50.SE5
      425  -rwx         643   Mar 1 1993 03:13:20 +03:00  info
    15998976 bytes total (3625472 bytes free)

    • execute the cd command to change into that directory
    • execute dir
    Directory of flash:/c3750-ipbase-mz.122-50.SE5/
        5  drwx        4608   Mar 1 1993 03:09:56 +03:00  html
      424  -rwx     9574343   Mar 1 1993 03:13:20 +03:00  c3750-ipbase-mz.122-50.SE5.bin
      425  -rwx         643   Mar 1 1993 03:13:20 +03:00  info

    • then you can copy the IOS file to TFTP using the copy flash tftp command as shown below:
    CiscoSw#copy flash:c3750-ipbase-mz.122-50.SE5.bin tftp:
    Address or name of remote host []?
    Destination filename [c3750-ipbase-mz.122-50.SE5.bin]?
    9574343 bytes copied in 36.054 secs (265556 bytes/sec)


    Tuesday, October 2, 2012

    Creating Cisco command aliases

    You can use command aliases as a shortcut in Cisco Network Devices.


    alias exec save copy run start
    alias configuration save copy run start
    alias interface save copy run start
    alias line save copy run start

    After executing the commands above, you can use the save command instead of copy run start at the exec, configuration, interface and line levels.

    Wednesday, September 26, 2012

    MapiExceptionTooManyMountedDatabases: Unable to mount database.

    for MS Exchange Server 2010

    Cause 1: using the trial version of Exchange Server 2010
    Cause 2: using Exchange Server 2010 Standard Edition

    Both of them support only 5 mounted databases.

    Tuesday, September 25, 2012

    Windows Server 2012 Active Directory Installation by using PowerShell Commands.

    We will Configure our server as the first Active Directory domain controller in a new forest.
    The new domain name is "". This is also the name of the new forest.
    The NetBIOS name of the domain: 2012TEST
    Forest Functional Level: Windows Server 2012
    Domain Functional Level: Windows Server 2012
    Additional Options:
      Global catalog: Yes
      DNS Server: Yes
      Create DNS Delegation: No
    Database folder: C:\Windows\NTDS
    Log file folder: C:\Windows\NTDS
    SYSVOL folder: C:\Windows\SYSVOL

    PowerShell Script

    Import-Module ADDSDeployment
    Install-ADDSForest `
        -CreateDnsDelegation:$false `
        -DatabasePath "C:\Windows\NTDS" `
        -DomainMode "Win2012" `
        -DomainName "" `
        -DomainNetbiosName "2012TEST" `
        -ForestMode "Win2012" `
        -InstallDns:$true `
        -LogPath "C:\Windows\NTDS" `
        -NoRebootOnCompletion:$false `
        -SysvolPath "C:\Windows\SYSVOL"

    Monday, September 24, 2012

    View IP address of host connected to Cisco Switch

    First identify the related device's MAC address using "sh mac-address-table", then match the MAC and IP address using the sh arp or sh ip arp command.

    Monday, September 10, 2012

    Enabling CIFS Auditing on NetApp

    Connect to the NetApp using SSH or Telnet as root and execute the commands below on each controller:

    options cifs.audit.enable on

    options cifs.audit.liveview.enable on

    (When Live View is enabled, an Access Logging Facility (ALF) daemon runs once a minute, flushing audit events from memory to the internal log file /etc/log/cifsaudit.alf on disk. The ALF daemon also attempts to save and convert ALF records to EVT records that can be viewed by Event Viewer. It does so either once every minute, or when the .alf file becomes 75 percent full.)

    Wednesday, September 5, 2012

    Steganography using Alternate Data Streams (ADS)

    1) Embedding the secret.txt file into the test.txt file

    • In the command prompt execute the command "notepad.exe test.txt:secret.txt" (without the quotes) and press Enter. You will see a popup asking you to confirm creating a new file; press Yes.
    • You will not be able to see your new file even if you enable the option to show hidden files. You will just see the test.txt file.
    • Execute notepad.exe test.txt:secret.txt to open your secret.txt file, write anything and save.
    • You will see that the size of test.txt does not increase even if you type millions of characters into secret.txt. (This is a really important bug in the NTFS file system.)

    2) The command below will embed anyfile.exe into calc.exe. When you execute calc.exe, anyfile.exe will execute in the background and you will not be able to see the anyfile.exe process in Task Manager.

    type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe

    3) The command below will embed hacker.exe into the test.txt file.
    C:\>type c:\hacker.exe > test.txt:hacker.exe

    Create: type textfile > visible.txt:hidden.txt
    View:   more < visible.txt:hidden.txt

    Freeware programs like lads.exe by Frank Heyne and crucialADS by CrucialSecurity can be used to manually audit your files for the presence of Alternate Data Streams. Alternatively, moving a file to another file system that doesn't support ADS will automatically destroy any Alternate Data Streams.

    This program lists all alternate data streams of an NTFS directory, including the ADS of encrypted files.

    Other programs that can reveal ADS files:

    Visual ADS Detector
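The "downloaded from the Internet" post and the ADS post above share one audit step: listing streams with dir /r. As an added example that is not part of either post, this Python script parses dir /r output and separates the Zone.Identifier mark-of-the-web streams from every other stream, which is what an analyst wants flagged when looking for hidden files or embedded executables. The directory listing, file names and sizes are constructed.

```python
import re
from collections import namedtuple

StreamEntry = namedtuple("StreamEntry", "directory filename stream size")

# "Directory of C:\..." header lines printed by dir
_DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# stream lines: dir /r prints no date/time for them, only a size and file:stream:$DATA
_STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")


def parse_dir_r(output: str):
    """Parse 'dir /r' output and return every alternate data stream it lists."""
    entries, current_dir = [], ""
    for line in output.splitlines():
        m = _DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = _STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            entries.append(StreamEntry(current_dir, m.group(2), m.group(3), size))
    return entries


def triage_streams(output: str, benign=("Zone.Identifier",)):
    """Split the streams into mark-of-the-web entries (the file came from the
    Internet zone) and everything else, which in a user directory deserves a
    look: a hidden text file or an executable stored with 'type x.exe > file:x.exe'
    ends up in the second list."""
    downloaded, suspicious = [], []
    for e in parse_dir_r(output):
        (downloaded if e.stream in benign else suspicious).append(e)
    return downloaded, suspicious


# Constructed sample output (not a real listing) in the format dir /r prints.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.

 Directory of C:\Users\etanirer\Desktop

09/05/2012  10:15 AM    <DIR>          .
09/05/2012  10:15 AM    <DIR>          ..
09/05/2012  10:15 AM                12 test.txt
                                 2,048 test.txt:secret.txt:$DATA
09/04/2012  08:02 PM           410,112 calc.exe
                                27,648 calc.exe:anyfile.exe:$DATA
09/03/2012  03:30 PM            51,200 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
               3 File(s)        461,324 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

if __name__ == "__main__":
    downloaded, suspicious = triage_streams(SAMPLE_DIR_R)
    for e in downloaded:
        print("downloaded from Internet zone: %s\\%s" % (e.directory, e.filename))
    for e in suspicious:
        print("hidden stream: %s\\%s:%s (%d bytes)" % (e.directory, e.filename, e.stream, e.size))
```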


    Embedding a secret file or program into a picture file

    Put all the files (the innocent picture file and the secret file) into a folder. Compress the secret file using WinRAR.

    Open a command prompt and navigate to the folder.

    Execute the command below:

    copy /b Innocentpicture.jpg+secret.rar noninnocentpicture.jpg

    After executing the command, a new file named noninnocentpicture.jpg will be created in the same folder with the new size.

    You can see your secret.rar file by opening noninnocentpicture.jpg with WinRAR.
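As an added example that is not the post's own tooling, the Python script below does by hand what the two image posts rely on: it reads the Make/Model/Software/DateTime fields from the Exif segment that the XnView EXIF tab displays (the "type of camera" post above), and it detects data appended after the JPEG end-of-image marker, which is exactly where copy /b leaves secret.rar. The image, its tag values and the appended bytes are constructed inline; no real photo is used.

```python
import struct

RAR_MAGIC = b"Rar!\x1a\x07"          # signature at the start of a RAR archive
EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}


def split_jpeg(data: bytes):
    """Walk the JPEG header and return (list of (marker, payload) segments before
    the scan, offset where the entropy-coded scan data starts)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, segs = 2, []
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                              # standalone markers carry no length
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:                        # SOS: scan data follows
            return segs, pos
    raise ValueError("no SOS segment found")


def exif_summary(data: bytes) -> dict:
    """Read Make/Model/Software/DateTime from IFD0 of the Exif APP1 segment, the
    fields XnView's EXIF tab shows for 'which camera took this'. Empty if absent."""
    for marker, payload in split_jpeg(data)[0]:
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = "<" if tiff[:2] == b"II" else ">"    # byte order of the TIFF structure
        ifd = struct.unpack(bo + "I", tiff[4:8])[0]
        count = struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]
        found = {}
        for i in range(count):
            entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
            tag, typ, n = struct.unpack(bo + "HHI", entry[:8])
            if tag in EXIF_TAGS and typ == 2:     # type 2 = ASCII
                if n <= 4:                        # short values are stored inline
                    raw = entry[8:8 + n]
                else:
                    off = struct.unpack(bo + "I", entry[8:12])[0]
                    raw = tiff[off:off + n]
                found[EXIF_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
        return found
    return {}


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the EOI marker. Inside scan data 0xFF is always
    followed by 0x00 or an RSTn marker, so the first FF D9 after SOS is the real
    end of a baseline image; 'copy /b picture.jpg+secret.rar' leaves the archive here."""
    _, scan = split_jpeg(data)
    eoi = data.find(b"\xff\xd9", scan)
    return b"" if eoi < 0 else data[eoi + 2:]


def triage_jpeg(data: bytes) -> dict:
    tail = trailing_data(data)
    return {"exif": exif_summary(data), "appended_bytes": len(tail),
            "appended_is_rar": tail.startswith(RAR_MAGIC)}


def build_sample_jpeg(tags: dict, trailer: bytes = b"") -> bytes:
    """Constructed test image (not a real photo): SOI, APP1/Exif with a little-endian
    IFD0 of ASCII tags, a minimal SOS plus a few scan bytes, EOI, then 'trailer'."""
    entries, strings = b"", b""
    strings_off = 8 + 2 + 12 * len(tags) + 4      # header, count, entries, next-IFD link
    for tag, text in tags.items():
        value = text.encode() + b"\x00"
        if len(value) <= 4:
            entries += struct.pack("<HHI4s", tag, 2, len(value), value.ljust(4, b"\x00"))
        else:
            entries += struct.pack("<HHII", tag, 2, len(value), strings_off + len(strings))
            strings += value
    tiff = b"II*\x00" + struct.pack("<IH", 8, len(tags)) + entries + b"\x00" * 4 + strings
    app1 = b"Exif\x00\x00" + tiff
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
            + b"\x12\x34\xff\x00\x56\xff\xd9" + trailer)


if __name__ == "__main__":
    stego = build_sample_jpeg({0x010F: "ExampleCam", 0x0110: "X1"}, RAR_MAGIC + b"\x00" * 20)
    print(triage_jpeg(stego))
```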


    Tuesday, September 4, 2012

    Enable IPv6 support on Catalyst Switches (3750)

    Switch1#config t
    Switch1(config)#sdm prefer dual-ipv4-and-ipv6 default

    You should reload the device in order for the change to take effect.

    You can check IPv6 support using the "show sdm prefer" command.

    After this you can configure IPv6 addresses and ACL features on Catalyst 3750 series switches.

    How to Enable IPv6 on Juniper ScreenOS devices.

    Use the command below:

    set envar ipv6=yes

    After executing the command you should reset the device.

    After the device has finished reloading, you can check IPv6 support using the "get envar" command.

    Assigning static IPv6 addresses on Windows XP

    You should first install IPv6 protocol support using the "netsh interface ipv6 install" command.

    You cannot assign an IPv6 address on Windows XP using the graphical interface. You should use the netsh command:

    netsh interface ipv6 set address "Local Area Connection" 2001:db8:2:1::1


    Friday, August 31, 2012

    Configuring Windows Server 2008R2 as a Router and Default Gateway for IPv6 Networks

    You can configure your Windows Server 2008 as a default gateway for your LAN by installing the Routing and Remote Access Services role service in the Network Policy and Access Services role.

    After the installation has finished, Configure and Enable Routing and Remote Access by choosing Custom Configuration and the LAN routing option. Right-click Routing and Remote Access, check the IPv6 Router box on the General tab (screenshot.1) and check the Enable IPv6 forwarding and Enable Default Route Advertisement boxes on the IPv6 tab (screenshot.2).

    Lastly we should execute the command below on our server to let it advertise itself as the default gateway to clients.

    netsh interface ipv6 set interface "Internal" forwarding=en advertise=en advertisedefaultroute=en



    IPv6 DNS and Default Gateway Settings for DHCPv6 on Windows Server 2008R2

    For DNS settings, you can use the "DNS Recursive Name Server IPv6 Address List" option in the Server or Scope options of the Windows DHCP server management console.

    The Windows DHCPv6 server does not have an option for setting the default gateway. Instead you can use a logon script with the command below (do not include the words in brackets):

    netsh interface ipv6 add dnsserver "Local Area Connection"(Interface Name) 2001:db8::99:4acd::8(Gateway IPv6 Address)

    Monday, August 13, 2012

    Command rejected: ........ is a dynamic port

    On Cisco Catalyst series switches the port security feature can only be configured on static access ports or trunk ports, so you should set the interface's switchport mode to access using the "switchport mode access" interface configuration command.

    Friday, August 10, 2012

    Juniper SSG Prevent Brute Force and Dictionary Attack

    Open Management Console

    Under Configuration --> Admin --> Management

    Configure the "Max Login Attempts" value.

    Thursday, August 9, 2012

    Disable SID Filtering

    If you have established trust(s) between your domains and you will migrate users, preserve their SIDs and give them security rights on resources, you should disable the SID filtering mechanism.

    To disable SID filter quarantining for the trusting domain:

    Open a Command Prompt.
    At the command prompt, type the following command, and then press ENTER:

    netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /userD:User /passwordD:Password

    netdom trust otkn.local /domain:otkn.arg /quarantine:No /UserD:otkn.local\cad /passwordD:caduserpassword


    Wednesday, August 1, 2012

    Securing the Cisco IOS image file

    You can hide your router's Cisco IOS image using the Cisco IOS Resilient Configuration feature. After this configuration users cannot view the IOS image with the "show flash" command. The secured files cannot be removed by the user, and no extra space is required to secure the primary Cisco IOS image file.

    The Cisco IOS Resilient Configuration feature is mainly intended to speed up the recovery process.

    In global configuration mode, use the commands below:

     secure boot-image     ' enables Cisco IOS image resilience
     secure boot-config    ' stores a secure copy of the primary bootset in persistent storage

     show secure bootset   ' displays the status of configuration resilience and the primary bootset filename

    Note: This feature is available only on platforms that support a Personal Computer Memory Card International Association (PCMCIA) Advanced Technology Attachment (ATA) disk. There must be enough space on the storage device to accommodate at least one Cisco IOS image (two for upgrades) and a copy of the running configuration.


    Tuesday, July 31, 2012

    Capturing Gmail account credentials with SET (Social Engineering Toolkit)

    Social Engineering Toolkit Gmail hacking.
    This video has been prepared to inform users about this type of attack and to make them careful about these attacks. Do not use this method to steal somebody's account information or personal information.
    Capturing Gmail account credentials with the phishing method using SET.


    Friday, July 13, 2012

    View Last Logon time of user on Exchange Server 2010

    In order to view the last logon time of a user on Exchange Server 2010, use the command below in the EMS:

    Get-MailboxStatistics -Identity username

    Friday, July 6, 2012

    Test Mail Flow latency on Exchange Server 2010

    Our mailbox servername is SrvMb1

    Execute the command below on EMS.

    Test-MailFlow SrvMb1 -TargetMailboxServer SrvMb1(If you have more than one mailbox server you can type its name)

    Tuesday, July 3, 2012

    Prevent a user from permanently deleting email messages from his mailbox.

    Set-Mailbox User1 -LitigationHoldEnabled $True

    You need to ensure that users can log on to OWA without specifying the domain name ...

    Set-OWAVirtualDirectory -Identity "owa (default web site)" -LogonFormat username

    Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    If you get this error while moving a mailbox from Exchange 2007 to Exchange 2010, you should change the security settings on the related account from ADUC.
    1. Run the Active Directory Users and Computers snap-in and locate the user account.
    2. Bring up the properties of the user account and go to the Security tab. If you don't see the Security tab, choose View / Advanced Features.
    3. On the Security tab, click the Advanced button.
    4. Check the "Allow inheritable permissions from the..." (Win2003) or "Include inheritable permissions from..." box.
    5. Try moving the mailbox again.

    Friday, June 29, 2012

    Slow Relay between Exchange 2007 and Exchange 2010

    Problem is Shadow Redundancy feature on Exchange 2010.

    The Exchange 2010 Receive Connector has a MaxAcknowledgementDelay setting, which defaults to 30 seconds.

    To disable this, use the command below;

     Set-ReceiveConnector "Your Connector Name" -MaxAcknowledgementDelay 0

    Wednesday, June 27, 2012

    Exchange 2010 sends attachments as winmail.dat

    From EMC on Hub Transport Server open

    Organization configuration - Hub Transport - Remote Domains - Double Click default - message format tab - Exchange Rich Format to Never Use

    An Active Manager operation failed. Error: The database action failed. Error:

    An Active Manager operation failed. Error: The database action failed. Error: Operation failed with message: MapiExceptionNotFound: Unable to mount

    If you have multiple (trusted) domains in your forest you can see this error while mounting a new database on the Exchange Server.

    To solve this issue you should indicate your preferred server using the command below in the EMS.

    Set-ADServerSettings -PreferredServer DCFQDNName


    The Active Directory Schema is not up-to-date and Ldifde.exe is not installed on this computer

    Before deploying a new Exchange organization, you must first install the Active Directory management tools on Windows Server 2008 before preparing the schema or domains:

    To do this, run the following command: ServerManagerCmd -i RSAT-ADDS


    Thursday, April 16, 2009

    530 5.7.1 Client was not authenticated Exchange 2010

    After a new installation of Exchange 2010, you will be able to send mail out of your domain but not able to receive emails from the Internet.

    To solve this issue you should give permission to anonymous user on Default Receive Connector.

    Sunday, April 1, 2012

    Testing MS12-020

    Testing MS12-020 on Windows 7 + up-to-date SEP.

    This video has been prepared to inform users about this type of attack and to make them careful about these attacks. Do not use this method to damage any systems.


    Monday, February 6, 2012

    Metasploit & MS08_067

    This video has been prepared to inform users about this type of attack and to make them careful about these attacks. Do not use this method to steal somebody's account information or personal information, or to damage systems.

    This video was prepared to point out that using only antivirus is not sufficient, that a personal firewall should be used to secure our computers, and that all operating system and software updates must be applied.