
Wednesday, April 15, 2009

What is FLV

FLV is a "Flash Live Video" file. It is a format designed for web playback that offers high rates of compression. Several products output FLV, including Sorenson Squeeze. (The term "movie" often refers to Flash source files (.FLA) and deployed files (.SWF) and is not synonymous with "video".)


The Flash Player browser plugin can play an FLV, but the FLV must be either embedded in or linked to a SWF. That is, you can't just put the FLV itself on an HTML page; you can, however, reference the FLV file from a SWF using ActionScript.

Flash Media Server and RTMP Streaming -- It's been around for about 9 years now. In this system, a Flash application communicates through the RTMP server. Usually these applications enable person-to-person communication (one-to-many or many-to-many). Flash may also be used for machine-to-human communication, such as real-time data transmission and notification.
Even though the browser can play the file while connected to the server, there is no operating-system player for the Flash FLV file format, so the file cannot be played locally. Given a connection to the MX server, however, the user can play the movie directly in their chosen browser. Flash MX Media Server can also administer the time spent and the remaining usage the user has previously purchased.


Highlights of the Flash MX Server include the ability to provide your end users with the best possible experience via a seamlessly integrated client that lets you brand your broadcast the way you want to; any device containing the Flash Player is capable of delivering movies when connected to the MX Communications Server or Media Server.
Real Time Collaboration is a powerful programming model that allows many connected users to share data and user interfaces in real time, coupled with client- and server-side data storage. Support for off-line usage in addition to on-line usage allows the creation of robust applications that can be used offline and then synchronized automatically when the user goes back online.


The Flash Communication Server has functions for server-side scripts that may disconnect users, authenticate, and control. Applications can be developed for moderators or administrators to perform custom maintenance and monitoring.


The Macromedia Flash Communication Server works with multiple network adapters on the server machine. This allows the server to be built for maximum network throughput. In addition, "virtual hosts" may be configured on each adapter. Virtual hosts can be used to isolate different server users, allowing each server user to add applications freely while keeping their programs separate from others.


A Fantastic File Format
The file format used in this process is Flash FLV or Flash Live Video, and it plays in a Flash Player. While traditional methods of media delivery include some kind of download to the user's computer, either in a pre-loader or through temporary Internet files, Flash MX Communications Server and a Flash FLV Player connect in a completely different manner. Simply put, it's a new connection to the file each time the user uses the controls in the player. This means that in the background it's a "start here", "stop here", "start again here" style of play, with no downloads or caching.



The Top Ten Reasons to Stream Video Using Flash
  1. FLV format file sizes after conversion are up to 60% smaller, saving server storage costs.
  2. FLV's start - stop connection style saves on bandwidth (which is as much as 60% less per month).
  3. FLV format has no local player in operating systems, so file sharing is virtually nullified.
  4. FLV format plays directly in more browsers than Windows Media, Real Player or QuickTime.
  5. FLV server can authenticate clients, and control users as you wish.
  6. FLV players can be completely customized for logos, branding and embedded links.
  7. FLV players can play files from a programmable database, and simple administration area.
  8. FLV players can be programmed to integrate with databases for free previews, time, users.
  9. FLV encoding can include user information for content tracking, misuse, or DRM.
  10. Flash Communications servers are easier to maintain than others, and less prone to security hacks.
Definitions
  • Bandwidth: The total amount of data a network connection is capable of sending through its system per second. This determines the length of time it will take to transmit data.
    Example: a file that takes 10 minutes to transmit across a modem with a speed of 28,800 bits per second (bps) might take only one minute to transmit over a DSL line because the DSL line has a larger bandwidth capability, which can pass more bits through per second.

  • Buffering: Media players assimilate the incoming data and present it to the viewer, as audio and/or video. During network congestion, this data is not sufficient for the media player to continue playback and therefore, the player must pause to receive more data before resuming playback. This process is called "rebuffering". To help avoid "rebuffering," the media players buffer a certain amount of data on reserve in the beginning before playing the clip. Flash Communication (Media 2) Server eliminates this "buffer" time.
  • Caching / Cache: Data that is frequently accessed is often stored in the computer's memory so that it may be re-accessed at a quicker rate than if this data was stored on the computer's hard disk drive. The process of storing this data is called caching. The type of memory that stores this data is called the cache.
  • Digital Rights Management: Refers to qualifying the end-user prior to allowing the end-user to view or listen to the media file. It is a term usually referring to the software that enables Internet 'Pay-Per-View'.
  • Digitizing and Encoding: Digitizing refers to the process of capturing original media (film, video, sound recordings, etc.) into a digital format onto your computer. Encoding refers to the process of converting this digitized file into a streaming format.
  • ISP: Internet Service Provider. Companies that offer access to the Internet to subscribers.
  • Latency: This is the delay of transmission of data. Refers to the time it takes for a router, upon receiving the data, to determine which router to forward the data to next.
  • Load-Balanced: A single computer is only able to transmit a fixed amount of data. If the server receives too many requests for data at the same time, a bottleneck forms, causing a delay in transmission of data. Load balancing refers to the process of grouping multiple servers together to act as one single system. This minimizes the risk of this type of delay.
  • MP3: Digital format specifically designed for music.
  • Network Congestion: Situation that occurs when the amount of data being transmitted exceeds the capacity of the network. This results in data transmission delays and possibly lost data. If a router becomes overloaded, it will discard data as a last resort to manage the volume of data transmission.
  • Peering: An agreement between Internet backbone carriers to exchange equal amounts of data at specified points along the Internet. Peering agreements enable competing companies to utilize cable laid by one another, thus reducing costs and duplication of cable routes. As the data is exchanged freely between the carriers, there is no economic incentive for one carrier to manage the incoming data of another carrier. Should one carrier submit data in excess of the "peering" agreement, the other carrier will usually discard the excess data. Peering connections on the Internet have often been associated with bottlenecks of Internet data transmission.
  • QuickTime: Digital media software created by Apple Computers.
  • RealPlayer: Streaming media software created by RealNetworks for the Internet.
  • Redundancy: Systematic approach to eliminating single points-of-failure in a network or data storage system.
  • Router: A router is a hardware device used throughout a network that receives incoming data and determines the route for that data to travel in order to reach its intended destination. A router is a switch with built-in capabilities that enhance its functions and performance.
  • Scalability: The ability to expand capacity of an existing data storage system or network without requiring replacement.
  • Streaming Media: Like television and radio for the computer, streaming media technology converts other mediums (audio and video) to digital formats that can be played back instantly by computers. It is comparable to the process that enables one to turn on a TV set and instantly see a program, or turn on a radio and instantly receive sound. The general term Streaming Media incorporates all the formats created specifically for transmitting audio, video and multimedia over the Internet.
  • Webcast: media file distributed over the Internet using streaming media technology. A webcast may either be distributed live or on demand.
  • Windows Media: Streaming media software created by Microsoft. We do not offer Windows server space at the current time.
  • Macromedia Flash Websites: Video support in Macromedia Flash has continued to evolve since its introduction in Flash MX and Flash Player 6. Flash Player 7 greatly improves video quality, supports higher frame rates, and provides additional opportunities for loading dynamic media at runtime.

At the core of Flash video is the Flash for Video (FLV) file format. FLV files contain encoded audio and video data that is highly optimized (through the use of Sorenson's Spark codec) for delivery through the Flash Player. This keeps the Flash Player footprint as small as possible by using a single video rendering format.


Edited video content is encoded into the FLV format as it is imported into the Flash authoring environment (or encoded into FLV format from third party applications via the Flash Video Exporter plugin). Once imported into the Flash authoring environment, FLV files can be converted to movie clips and can benefit from all of the programmatic manipulations ActionScript has to offer, or exported back out as standalone FLV files that can be invoked and streamed by the Flash player.


On the delivery side, developers can choose from a variety of options for embedding video into Flash movies, for streaming external video files at runtime, or for exporting Flash video to other formats. Developers need to carefully consider the type of video content, bandwidth, length, and the level of user interaction needed before choosing a suitable delivery mechanism.


Video capabilities in Flash MX
With the introduction of the Flash MX platform, support for video has improved with the addition of many new capabilities to the authoring and runtime environment, giving developers more options for delivering embedded video and progressive and streaming files. In short, developers have many new choices to tailor the delivery method to the nature of differing video content and ultimately to deliver the best possible user experience.
  • Video Import Wizard
    The wizard adds many new choices for encoding imported audio and video as well as providing basic clip scaling, cropping functions and contrast and brightness controls.
  • Media Components
    a set of authoring components that enable connections to external video files and connections to Macromedia's Flash Communication Server (available separately), and a new set of Behavior actions that work with Slides to accelerate and simplify the creation of advanced interactive video presentations.
  • Flash Video Exporter
    a new plug-in for use with third party applications that enables users to export Flash encoded audio and video directly from a third party authoring environment.
Flash Websites
There are several alternative approaches to using video with a Macromedia Flash-based website. The overriding factor in choosing the optimum method for delivery is performance, which developers can best address by matching the appropriate delivery mechanism with the actual content. For example, approaches that work for short video clips embedded into a Flash movie will not work with large video files that require external streaming. Likewise it is not efficient to architect, code, deploy, and maintain an elaborate client-server delivery mechanism when presenting short, highly-compressed and optimized clips.


Embedded SWF
Embedded SWF video is a straightforward method of delivering short video clips and has been around since Flash Player 6. It is an easy to use, timeline based technique and gives quick results. Video clips can be imported and encoded into the Flash authoring environment. Playback is limited to simple play and stop commands, and the video frame rate must match that of the host movie, an important consideration that requires authoring for the lowest-common-denominator download speed.


For web delivery, content must be completely downloaded and must fit into available memory on the user's machine before playback can begin. The biggest limitations of embedded video are that movies have a maximum of 16,000 frames and that audio sync cannot be maintained beyond about two minutes. The entire video clip must be published each time the movie is tested or previewed, which can lead to lengthy authoring sessions.


Progressive FLV
Flash Player 7 introduced progressive download, a technique where external FLV files are cached on the user's local hard drive and played through the host SWF at runtime with no limitation to the file's size or duration. Audio and video stays in sync and the frame rate is completely independent from that of the movie host, enabling developers to create several versions of content optimized for different download speeds. Since an external FLV is published separately from the host FLA, authoring time is more efficient. For lengthy audio/video content that requires fairly straightforward delivery, external progressive FLVs can be a good choice.
The Flash MX Professional 2004 authoring environment contains Media Components that can be used to quickly add FLV or audio MP3 playback control to a Flash project. Media Components provide support for both progressive and streaming FLV files.


Streaming FLV
Streaming FLV files have many of the same properties as Progressive FLV files but are remotely served from Macromedia's Flash Communication Server (available as a separate product). This approach provides the most efficient delivery of FLV and audio MP3 files by streaming data to the host SWF file and requires the least hard disk and memory resources on the client end. Since data is not cached locally on a user's hard disk, this technique also provides the most secure method of delivering media.


Macromedia's Flash Communication (Media 2) Server has the ability to deliver multiple simultaneous real-time communications, provides smarter delivery of content by adjusting to the client's connection speed, and has advanced monitoring of traffic and throughput. For media projects that require the greatest flexibility in efficiently handling the most complex data streams, this is the best choice for delivery.


Exported FLV & QuickTime Flash Tracks
Flash can export movies to other formats such as Apple's QuickTime or Microsoft AVI. Flash can also export image sequences to a variety of formats, such as GIF, PNG, JPG, AI and EPS.


Note: AVI export is only available in Flash for Windows.


QuickTime video can be imported into Flash, where Flash tracks can be added and exported back out as QuickTime and played with the QuickTime player or plugin. This brings much of the Flash feature set, especially navigational overlays and sprites, directly into a separate track within a QuickTime movie. Another use is to use Flash to "translate" graphics formats not supported by QuickTime into QuickTime movies.


Note: QuickTime support for Flash is usually based on the next-to-latest version of Flash. The current version of the QuickTime Player supports playback of Flash Player 5 SWF files. This is because Apple's development of QuickTime is not synchronous with Macromedia's latest Flash Player development. Also, it is up to the software developer to decide how much of the Flash player feature set to include in its own players, so it is likely that not all of the Flash player functionality will be present in all software titles. This can limit the scope of ActionScript that can be carried out on these titles. For details see Apple's Developer Center article on QuickTime 6 support for Flash.


The Flash Media Handler inside the QuickTime player supports an optimized case for the alpha channel graphics mode, allowing a Flash track to be cleanly composited over other tracks. QuickTime allows the SWF file format to execute any of the standard Flash movieclip actions.

Passwords Are Like Underwear. . .

. . . you shouldn't leave them out where people can see them.  You should change them regularly.  And you shouldn't loan them out to strangers.

Sunday, April 12, 2009

Install BackTrack 3 in OS X Parallels

Create a new virtual machine

New
Select an operating system installation mode: Typical > Next
OS Type: Linux
OS Version: Other Linux kernel 2.6 > Next
Specify a name for the virtual machine: BackTrack 3 > Next
Optimize for better performance of: Virtual machine > Next
More Options > ISO image > Choose > bt3-final.iso > Open > Finish
Machine will start to boot.
BT3 Graphics mode (VESA KDE) > enter

Create partitions

bt ~ # fdisk /dev/hda

Command (m for help): n [enter]
Command action
  e  extended
  p  primary partition (1-4)
p [enter]
Partition number (1-4): 1 [enter]
First cylinder (1-4079, default 1): [enter]
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-4079, default 4079): +50M [enter] 

Command (m for help): n [enter]
Command action
  e  extended
  p  primary partition (1-4)
p [enter]
Partition number (1-4): 2 [enter]
First cylinder (8-4079, default 8): [enter]
Using default value 8
Last cylinder or +size or +sizeM or +sizeK (8-4079, default 4079): +256M [enter] 

Command (m for help): n [enter]
Command action
  e  extended
  p  primary partition (1-4)
p [enter]
Partition number (1-4): 3 [enter]
First cylinder (40-4079, default 40): [enter]
Using default value 40
Last cylinder or +size or +sizeM or +sizeK (40-4079, default 4079): [enter]
Using default value 4079 

Command (m for help): a [enter]
Partition number (1-4): 1 [enter]
Command (m for help): t [enter]
Partition number (1-4): 2 [enter]
Hex code (type L to list codes): 82 [enter]
Changed system type of partition 2 to 82 (Linux swap)

Command (m for help): p [enter]
Disk /dev/hda: 33.5 GB, 33554497536 bytes
255 heads, 63 sectors/track, 4079 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device  Boot     Start        End      Blocks   Id    System
/dev/hda1    *          1          7       56196   83    Linux
/dev/hda2               8         39      257040   82    Linux swap
/dev/hda3              40       4079    32451300   83    Linux

Command (m for help): w [enter] 
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Format partitions

bt ~ # mkfs.ext3 /dev/hda1
bt ~ # mkfs.ext3 /dev/hda3
bt ~ # mkswap /dev/hda2
bt ~ # swapon /dev/hda2

Copy files

bt ~ # mkdir /mnt/backtrack
bt ~ # mount /dev/hda3 /mnt/backtrack/
bt ~ # mkdir /mnt/backtrack/boot/
bt ~ # mount /dev/hda1 /mnt/backtrack/boot/
bt ~ # cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack/
bt ~ # mkdir /mnt/backtrack/{mnt,proc,sys,tmp}
bt ~ # mount --bind /dev/ /mnt/backtrack/dev/
bt ~ # mount -t proc proc /mnt/backtrack/proc/
bt ~ # cp /boot/vmlinuz /mnt/backtrack/boot/

lilo

bt ~ # chroot /mnt/backtrack/ /bin/bash
bt ~ # nano /etc/lilo.conf
lba32
boot = /dev/hda
prompt
timeout = 60
change-rules
reset
vga = 791
image = /boot/vmlinuz
root = /dev/hda3
label = BackTrack
read-only
Press ctrl+x to exit.
Press y to save.
Press Enter to overwrite the file.
bt ~ # lilo -v
bt / # exit

Finish

K menu > Log Out > Turn Off Computer
When you see "Please reboot your computer with Ctrl+Alt+Delete" > Stop > Yes
Edit > Virtual Machine
CD/DVD-ROM > Emulation: Use CD/DVD-ROM
OK
Play
That’s it.  Enjoy.

Friday, April 3, 2009

Forensic Log Parsing with Microsoft's LogParser

Investigating a web-based intrusion can be a daunting task, especially when you have no information other than knowing it was web-based. It is easy to waste precious time digging through megabytes, perhaps even gigabytes, of log files trying to locate suspicious activity. Often this search turns up little useful evidence.

Consider this scenario: an e-commerce site receives several reports from customers about unauthorized orders on their accounts. They suspect that someone has compromised their web-based ordering system so they gather the log files from several different IIS web servers. They have the dates and times of the orders, but the corresponding IP addresses in the log files turn out to be anonymous proxies used by the suspect. Searching for activity from those IP addresses in the log files turns up nothing. Browsing through the raw log files for those dates also turns up nothing. Somehow, someone found a flaw in the ordering system but he or she could have discovered the flaw months before exploiting it. Tracking down the flaw and IP addresses used by the suspect seems impossible. But there are techniques that can facilitate log file forensics. The purpose of this article is to demonstrate log file forensics of IIS logs using SQL queries with Microsoft's LogParser tool.

IIS Log Fields
The first step is to prepare for security incidents by logging as much information as possible. IIS can log a significant amount of information about each web request, but many of the available log fields are not enabled by default. To enable full logging, open the Internet Services Manager and edit the Extended Logging Properties to include all available log fields. Much of this information has some forensics value as shown in Table 1.

Table 1: IIS Log Fields

Field Name | Description | Uses
Date (date) | The date of the request. | Event correlation.
Time (time) | The UTC time of the request. | Event correlation, determine time zone, identify scanning scripts.
Client IP Address (c-ip) | The IP address of the client or proxy that sent the request. | Identify user or proxy server.
User Name (cs-username) | The user name used to authenticate to the resource. | Identify compromised user passwords.
Service Name (s-sitename) | The W3SVC instance number of the site accessed. | Can verify the site accessed if the log files are later moved from the system.
Server Name (s-computername) | The Windows host name assigned to the system that generated the log entry. | Can verify the server accessed if the log files are later moved from the system.
Server IP Address (s-ip) | The IP address that received the request. | Can verify the IP address accessed if the log files are later moved from the system or if the server is moved to a new location.
Server Port (s-port) | The TCP port that received the request. | To verify the port when correlating with other types of log files.
Method (cs-method) | The HTTP method used by the client. | Can help track down abuse of scripts or executables.
URI Stem (cs-uri-stem) | The resource accessed on the server. | Can identify attack vectors.
URI Query (cs-uri-query) | The contents of the query string portion of the URI. | Can identify injection of malicious data.
Protocol Status (sc-status) | The result code sent to the client. | Can identify CGI scans, SQL injection and other intrusions.
Win32 Status (sc-win32-status) | The Win32 error code produced by the request. | Can help identify script abuse.
Bytes Sent (sc-bytes) | The number of bytes sent to the client. | Can help identify unusual traffic from a single script.
Bytes Received (cs-bytes) | The number of bytes received from the client. | Can help identify unusual traffic to a single script.
Time Taken (time-taken) | The amount of server time, in milliseconds, taken to process the request. | Can identify unusual activity from a single script.
Protocol Version (cs-version) | The HTTP protocol version supplied by the client. | Can help identify older scripts or browsers.
Host (cs-host) | The contents of the HTTP Host header sent by the client. | Can determine if the user browsed to the site by IP address or host name.
User Agent (cs(User-Agent)) | The contents of the HTTP User-Agent header sent by the client. | Can help uniquely identify users or attack scripts.
Cookie (cs(Cookie)) | The contents of the HTTP Cookie header sent by the client. | Can help uniquely identify users.
Referer (cs(Referer)) | The contents of the HTTP Referer header sent by the client. | Can help identify the source of an attack or see if an attacker is using search engines to find vulnerable sites.

While I normally recommend logging all fields, the actual fields you choose to log should be based on a balance between forensics capabilities and disk space.

Custom Logging
IIS does provide many log fields, but there may be other fields you wish to record. For example, if a request comes from a proxy server, you may want to see whether the proxy server passes the client's real IP address through other HTTP headers; some proxy servers add an "X-Forwarded-For" header containing the client's real IP address.
IIS has a limited capability to log custom fields through the Response.AppendToLog method. The limitation, however, is that a new field is not created in the log files, but this data is appended to the URI Query field. To distinguish the two values, you can separate them with a character such as the pipe ("|"). Below is example ASP code to log additional proxy headers:

Note that other common proxy headers are Forwarded, Client_IP, Remote_Addr, Remote_Host, VIA, HTTP_From, Remote_Host_Wp, Xonnection, Xroxy_Connection, and X_Locking.

Microsoft's LogParser Tool
Digging through logs requires that you have some common interface to perform queries across hundreds of individual log files. One method is to dump all the logs into an SQL database. Another solution is Microsoft's LogParser tool. This robust tool provides an SQL interface to a variety of log file formats and is fast enough for log file analysis of most web sites. I won't go into detail here about how to use LogParser, but the documentation included with the package is very helpful for getting started. Because LogParser is a command-line tool, I have found it useful either to copy the file to the C:\Windows directory or to add the LogParser directory to your PATH variable.

You can download Microsoft's LogParser 2.0 here, but the IIS 6 Resource Kit includes LogParser 2.1, which has some new features. Although LogParser 2.1 runs fine on a Win2k system, you cannot install the IIS 6 resource kit on Win2k. However, you can manually extract the resource kit files using the command: iis60rkt.exe /V/a.
It is important to note that when doing any log file processing, be sure to work on copies of the logs to help preserve the integrity of the original files (see Maintaining Credible Logfiles). I also find it helpful to only copy those logs for the time period I want to analyze to reduce the size of the query results.

This article will demonstrate many of the forensic capabilities of LogParser. Keep in mind that I wrote each of these example queries for a typical configuration, therefore you may need to adjust them for your particular site. Not all queries listed here will be effective for you, depending on your site configuration and traffic level.

Finding the Intrusion
If you do not know anything about the intruder or the nature of the intrusion, you must first do some high-level queries to know where to start your hunt. Most attacks leave some kind of trail or have some side-effect on your server. The trick is finding them.

Trojan Files
Before we dig into the actual log files, it may be useful to do a quick check of the newest files on the web site. If the intruder was able to create or modify files within the web content directories, he or she may have uploaded Trojan ASP scripts or executables. You might just get lucky and find these files. The following query lists the 20 newest files on the web site:
C:\>logparser -i:FS "SELECT TOP 20 Path, CreationTime from c:\inetpub\wwwroot\*.* ORDER BY CreationTime DESC" -rtp:-1
Path CreationTime
----------------------------------------------------------- ------------------
c:\inetpub\wwwroot\Default.asp                              6/22/2007 6:00:01
c:\inetpub\wwwroot\About.asp                                6/22/2007 6:00:00
c:\inetpub\wwwroot\global.asa                               6/22/2007 6:00:00
c:\inetpub\wwwroot\Products.asp                             6/22/2007 6:00:00
...
And this query lists the 20 most recently modified files:
C:\>logparser -i:FS "SELECT TOP 20 Path, LastWriteTime from c:\inetpub\wwwroot\*.* ORDER BY LastWriteTime DESC" -rtp:-1
Path LastWriteTime
----------------------------------------------------------- ------------------
c:\inetpub\wwwroot\Default.asp                              6/22/2007 14:00:01
c:\inetpub\wwwroot\About.asp                                6/22/2007 14:00:00
c:\inetpub\wwwroot\global.asa                               6/22/2007 6:00:00
c:\inetpub\wwwroot\Products.asp                             6/22/2007 6:00:00
...
But suppose the attacker was careful and deleted all Trojan files when finished. In that case the files will no longer exist, but there will be log entries showing successful requests for them. To identify these log entries, make a list of all files on your site that have resulted in 200 HTTP status codes. From your log files directory, execute the following query:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT DISTINCT TO_LOWERCASE(cs-uri-stem) AS URL, Count(*) AS Hits FROM ex*.log WHERE sc-status=200 GROUP BY URL ORDER BY URL" -rtp:-1
URL Hits
---------------------------------------- -----
/About.asp                               122
/Default.asp                             9823
/downloads/setup.exe                     701
/files.zip                               1
/Products.asp                            8341
/robots.txt                              2830
...
Carefully review this list and make sure that each item listed is part of your web application. In particular, watch for files such as nc.exe, tini.exe, root.exe, cmd.exe, upload.asp, aspexec.asp, etc.

Script Abuse
If searching for new or modified files turns up nothing, it is time to check out your scripts and executables. Any script or executable that accepts user input is a potential attack vector. Before starting, you should identify which executable file extensions you use in your web content areas. The following query will give you a report of all file extensions that exist within your web content (adjust the path names as necessary):
C:\>logparser -i:fs "SELECT TO_LOWERCASE(SUBSTR(Name, LAST_INDEX_OF(Name,'.'), STRLEN(Name))) AS Extension, Count(*) as Files from c:\inetpub\wwwroot\*.*, c:\inetpub\scripts\*.* WHERE Attributes NOT LIKE 'D%' GROUP BY Extension ORDER BY Files DESC" -rtp:-1
Extension Files
--------- -----
.gif      704
.asp      180
.jpg      44
.css      43
.htm      28
.txt      21
.html     6
.dll      5
.zip      4
According to this list, the site contains several file extensions that may be of concern to us: .asp and .dll. Therefore, all the example queries from this point on will specifically look for ASP and DLL files. You will likely need to adjust this depending on which executable extensions you use on your web site.

One way to detect script abuse is to see if any one script has an unusually high number of hits. Since web-based attacks often require some trial and error, you should expect to see noticeable statistical variances, unless of course your web site gets millions of hits a day. Nevertheless, it is sometimes useful to see if any single day produced unusually high traffic.
The following query will show the number of hits for each day for each ASP and DLL file. From your log files directory, type the following:
C:\Windows\System32\LogFiles\W3SVC1>LogParser "SELECT TO_STRING(TO_TIMESTAMP(date, time), 'yyyy-MM-dd') AS Day, cs-uri-stem, COUNT(*) AS Total FROM ex*.log WHERE (sc-status<400 or sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY Day, cs-uri-stem ORDER BY cs-uri-stem, Day" -rtp:-1
Day cs-uri-stem Total
---------- ------------------- -----
2007-04-01 /Default.asp        127
2007-04-02 /Default.asp        121
2007-04-03 /Default.asp        132
2007-04-04 /Default.asp        116
2007-04-05 /Default.asp        107
2007-04-06 /Default.asp        144
2007-04-07 /Default.asp        466
2007-04-08 /Default.asp        174
2007-04-09 /Default.asp        118
...
In the sample results above, the number of hits on 2007-04-07 is suspiciously high and should be investigated further.

Another good attack indicator is the number of errors per hour. The following query returns the dates and hours that had more than 25 error codes returned. This threshold will likely need adjusting depending on how much traffic your site receives:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT date, QUANTIZE(time, 3600) AS hour, sc-status, Count(*) AS Errors FROM ex07*.log WHERE sc-status>=400 GROUP BY date, hour, sc-status HAVING Errors>25 ORDER BY Errors DESC" -rtp:-1
date hour sc-status Errors
---------- -------- --------- ------
2007-06-22 22:00:00 404       110
2007-04-21 13:00:00 404       36
2007-04-19 23:00:00 404       36
2007-04-19 13:00:00 404       27
...
Further investigation of the dates listed above may show that the high number of 404 errors are CGI scans looking for vulnerable scripts on your site. The 404 errors themselves are less of a concern than the 200 results during that same period, which may indicate a successful attack. This query will return all valid requests from any IP address that also had a 404 error on 2007-06-22:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT c-ip, cs-uri-stem, Count(*) as Hits FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) NOT LIKE '%.gif%' AND TO_LOWERCASE(cs-uri-stem) NOT LIKE '%.jpg%' AND c-ip IN (SELECT c-ip FROM ex070622.log WHERE sc-status=404) AND sc-status=200 GROUP BY c-ip, cs-uri-stem" -rtp:-1
c-ip cs-uri-stem Hits
--------------- ------------------- ----------------
199.154.189.199 /Default.asp        3
199.154.189.199 /main.css           3
199.154.189.199 /Products.asp       7
199.154.189.199 /About.asp          1
63.54.202.2     /Products.asp       18
63.54.202.2     /main.css           1
81.112.9.62     /Default.asp        1
...
Looking at these results, you can see two IP addresses that had an unusual number of hits on Products.asp. It could be that these were two different attackers or the same attacker who used two different proxies to conceal his or her IP address. One way to find out if they are likely the same person is to check the User-Agent header for the two different IP addresses:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT DISTINCT c-ip, cs(User-Agent) FROM ex070622.log WHERE c-ip='63.54.202.2' OR c-ip='199.154.189.199'" -rtp:-1
c-ip cs(User-Agent)
---------------- -------------------------------------------------------------
63.54.202.2      Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312461;+.NET+CLR+1.0.3705)
199.154.189.199  Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312461;+.NET+CLR+1.0.3705)

This strongly suggests that those two IP addresses are either the same user or two different users with the exact same OS, browser, service pack level, installed hotfixes, and .NET installation. It is not a perfect indicator, but it is significant. To support this evidence, you can go through your logs and discover when each of the IP addresses first hit your web site.

When a user visits a web site for the first time, the browser downloads the page and its graphics and stores them in the browser's temporary cache, so that subsequent visits to the page do not require downloading all the graphics again. However, the browser does check whether the graphics have been modified before using the cached versions; if a graphic has not been modified, the server returns a 304 HTTP status code. Therefore, if you query for a specific IP address with a status code of 200 for a particular graphic, that log entry is the user's first visit, provided they have not cleared their cache. If the user then switches to a different proxy server, the file is still cached, so there will never be a "first visit" from one of the two IP addresses. If one of the two IP addresses mentioned above turns up with no first visit, chances are that they first visited the site from the other IP address. If neither IP address shows a 200 result, there are more IP addresses left to discover.
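The first-visit cache check and the User-Agent comparison described above, as an added Python example that is not part of the original article: it parses constructed IIS W3C log lines (sample data, not real traffic; field names are taken from the #Fields directive, as LogParser would read them) and combines both heuristics into one verdict for a pair of client IPs.

```python
# Added example, not from the original article: the first-visit cache check
# and the User-Agent comparison described above, run on constructed log lines.
from collections import defaultdict
# Constructed IIS W3C sample (not real traffic). IIS writes '+' for spaces in the
# User-Agent, so each field is one whitespace-free token, as LogParser expects.
UA_IE = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312461;+.NET+CLR+1.0.3705)"
UA_FX = "Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US)+Gecko/20070309+Firefox/2.0.0.3"
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)",
    f"2007-06-22 21:50:01 199.154.189.199 GET /Default.asp 200 {UA_IE}",
    f"2007-06-22 21:50:02 199.154.189.199 GET /images/logo.gif 200 {UA_IE}",
    f"2007-06-22 21:55:10 199.154.189.199 GET /Products.asp 200 {UA_IE}",
    f"2007-06-22 22:03:15 63.54.202.2 GET /Products.asp 200 {UA_IE}",
    f"2007-06-22 22:03:16 63.54.202.2 GET /images/logo.gif 304 {UA_IE}",
    f"2007-06-22 22:10:00 81.112.9.62 GET /Default.asp 200 {UA_FX}",
    f"2007-06-22 22:10:01 81.112.9.62 GET /images/logo.gif 200 {UA_FX}",
])
IMAGE_SUFFIXES = (".gif", ".jpg")
SAME_USER = "shared User-Agent, cache already primed: likely the same user on another IP"
MORE_IPS = "shared User-Agent but neither IP shows a first visit: more IPs left to find"
SEPARATE = "shared User-Agent but both IPs fetched graphics fresh: separate caches"
DIFFERENT = "different User-Agent: no evidence these are the same user"

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives, blank lines, data before any #Fields
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows

def first_visits(rows):
    """Per client IP, the time of its first 200 for a graphic (a cold cache), or
    None if the IP only ever got 304s, meaning its cache was already primed."""
    seen = {}
    for row in rows:
        ip, stem = row["c-ip"], row["cs-uri-stem"].lower()
        seen.setdefault(ip, None)
        if seen[ip] is None and row["sc-status"] == "200" and stem.endswith(IMAGE_SUFFIXES):
            seen[ip] = f'{row["date"]} {row["time"]}'
    return seen

def user_agents(rows):
    """Distinct User-Agent strings per client IP (the DISTINCT c-ip query above)."""
    agents = defaultdict(set)
    for row in rows:
        agents[row["c-ip"]].add(row["cs(User-Agent)"])
    return agents

def likely_same_user(rows, ip_a, ip_b):
    """Combine both heuristics from the article into one verdict for two IPs."""
    agents, visits = user_agents(rows), first_visits(rows)
    if not (agents[ip_a] & agents[ip_b]):
        return DIFFERENT
    missing = [ip for ip in (ip_a, ip_b) if visits.get(ip) is None]
    return {0: SEPARATE, 1: SAME_USER, 2: MORE_IPS}[len(missing)]

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for ip, when in first_visits(rows).items():
        print(f"{ip:16} first visit: {when or 'none (cache already primed)'}")
    print(likely_same_user(rows, "199.154.189.199", "63.54.202.2"))
```

On the sample, 63.54.202.2 only ever receives a 304 for the graphic while 199.154.189.199 fetched it with a 200, so the two IPs are reported as the same user behind a second proxy.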

SQL Injection
If you read this paper (PDF) from NGSSoftware you will see that attacks such as SQL injection are based on sending faulty requests to a server and interpreting the error messages. Some of the indicators of this type of attack are:
  • Numerous sequential hits from the same IP address to the same URL;
  • High numbers of 500 HTTP status codes or other errors;
  • GET requests to ASP pages that normally only receive POST requests; and
  • Other clusters of anomalous web site activity.
It may also be useful to see an unusually high number of hits on a single page from a single IP address. The following query shows any IP address that hit the same page more than 50 times in a single day:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT date, cs-uri-stem, c-ip, Count(*) AS Hits FROM ex*.log GROUP BY date, c-ip, cs-uri-stem HAVING Hits>50 ORDER BY Hits DESC" -rtp:-1
date cs-uri-stem c-ip Hits
---------- ----------------------------------- --------------- ----
2007-05-19 /Products.asp                       203.195.18.24   281
2007-06-22 /Products.asp                       210.230.200.54  98
2007-06-05 /Products.asp                       203.195.18.24   91
2007-05-07 /Default.asp                        198.132.116.174 74
...
Looking at these results, it is immediately obvious that one IP address hit the same page 281 times on one day and 91 times on another, which is clearly suspicious.

Another useful technique is to view exactly what ASP errors IIS encountered while serving requests. Most attempts at breaking into a web site will inevitably result in some kind of error. The following query will return a list of every ASP error recorded in the log files:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-query, Count(*) AS Total FROM ex*.log WHERE sc-status>=500 GROUP BY cs-uri-query ORDER BY Total DESC " -rtp:-1
cs-uri-query Total
------------------------------------------------------------------------- ----------
Out-of-process+ISAPI+extension+request+failed.                            18
|55|8000ffff|Catastrophic_failure__                                       8
|49|8000ffff|Catastrophic_failure__                                       6
|74|800a01c2|Wrong_number_of_arguments_or_invalid_property_assignment     1
...
If you find any errors that are interesting, you could write another query to drill down to the specific error. In particular, you want to watch for ODBC and ADO errors, indicating a possible attempt at SQL injection.
Another way to identify errors is to look at the status codes returned by the server. If you want to see a breakdown of which status codes IIS returned for each page, try the following query:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, sc-status, Count(*) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem, sc-status ORDER BY cs-uri-stem, sc-status" -rtp:-1
cs-uri-stem sc-status Total
--------------------------------------------- --------- -----
/Default.asp                                  200       9258
/Default.asp                                  500       3
/MSOffice/cltreq.asp                          404       12
/MailResult.asp                               404       1
/asp/aspmail.asp                              302       86
/asp/aspmail.asp                              500       28
/autocomplete.asp                             404       2
/awards.asp                                   404       4
...
Also of interest are the Win32 Status codes, which may be attack indicators:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, WIN32_ERROR_DESCRIPTION(sc-win32-status) as Error, Count(*) AS Total FROM ex*.log WHERE sc-win32-status>0 and (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, Error ORDER BY cs-uri-stem, Error" -rtp:-1
cs-uri-stem Error Total
------------------------ ------------------------------------ -----
/Default.asp             The RPC server is unavailable.       2
/Default.asp             The remote procedure call failed     1
/asp/aspmail.asp         The RPC server is unavailable.       12
/download/Default.asp    The RPC server is unavailable.       3
...
Some ASP pages should only accept form input from previous pages. If, for example, you have a page such as checkout1.asp that sends a POST request to checkout2.asp, then anything other than a POST request to checkout2.asp may be suspicious. This query will show which HTTP methods were sent to each page:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, cs-method, Count(*) AS Total FROM ex*.log WHERE (sc-status<400 or sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, cs-method ORDER BY cs-uri-stem, cs-method" -rtp:-1
cs-uri-stem cs-method Total
------------------------------------ --------- -----
/Default.asp                         GET       9136
/Default.asp                         HEAD      125
/asp/aspmail.asp                     GET       3
/asp/aspmail.asp                     POST      111
/awards/Default.asp                  GET       269
/compare/Default.asp                 GET       437
/compare/Default.asp                 HEAD      3
/download/Default.asp                GET       5018
/download/Default.asp                HEAD      436
/download/default.asp                GET       727
/download/default.asp                HEAD      1
/orders/Default.asp                  GET       1420
/orders/Default.asp                  POST      3
...
You may also want to write a query that checks the HTTP Referer header to make sure the traffic is coming from where you expect.

Digging Deeper
At this point, you should begin to see patterns emerge, and you should be able to narrow down the attack to specific dates and URLs. If you still have not found any apparent patterns, you may need to dig deeper. Sometimes an attack will involve sending a large amount of information back to the attacker. The following query reports some statistics on the number of bytes sent to the client:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, Count(*) as Hits, AVG(sc-bytes) AS Avg, Max(sc-bytes) AS Max, Min(sc-bytes) AS Min, Sum(sc-bytes) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem ORDER BY cs-uri-stem" -rtp:-1
cs-uri-stem Hits Avg Max Min Total
------------------------ ----- ------ ------- ---- --------
/Default.asp             9261  18321  19920   145  16967359
/MSOffice/cltreq.asp     12    227    269     221  2724
/MailResult.asp          1     221    221     221  221
/asp/aspmail.asp         114   545    704     218  62232
/complete.asp            2     230    240     221  461
/orders/Default.asp      269   6998   7625    6692 1882463
...
And this one will report on bytes sent from the client:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, Count(*) as Hits, AVG(cs-bytes) AS Avg, Max(cs-bytes) AS Max, Min(cs-bytes) AS Min, Sum(cs-bytes) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem ORDER BY cs-uri-stem" -rtp:-1
cs-uri-stem Hits Avg Max Min Total
--------------------------- ----- ---- ---- --- -------
/Default.asp                9261  435  1544 49  4037788
/MSOffice/cltreq.asp        12    369  482  276 4430
/MailResult.asp             1     313  313  313 313
/asp/aspmail.asp            114   1418 2383 153 161685
/complete.asp               2     172  191  154 345
/orders/Default.asp         269   441  1062 118 118766
...
Another indicator may be how much time the server spent processing the request. It is not uncommon for exploits to take an unusually long time or even to time out completely. The following query reports on time taken:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, Count(*) as Hits, AVG(time-taken) AS Avg, Max(time-taken) AS Max, Min(time-taken) AS Min, Sum(time-taken) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem ORDER BY cs-uri-stem" -rtp:-1
cs-uri-stem Hits Avg Max Min Total
------------------------- ----- ------ ------- --- ---------
/Default.asp              9261  8      312     0   75228
/MSOffice/cltreq.asp      12    4      16      0   48
/MailResult.asp           1     0      0       0   0
/asp/aspmail.asp          114   699    31719   0   79765
/complete.asp             2     7      15      0   15
/orders/Default.asp       269   4      32      0   1206
...
User Logins
If your site is mostly unauthenticated anonymous access, then any user login may be suspicious. To see what users have authenticated to the site, try the following query:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-username, Count(*) AS Hits from ex*.log WHERE cs-username IS NOT NULL GROUP BY cs-username ORDER BY Hits Desc" -rtp:-1
User-Agents
Sometimes it is possible to identify an attack script by looking at the HTTP User-Agent header sent by the client. You can get a list of non-standard User-Agent strings with this query:
C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT DISTINCT cs(User-Agent) FROM ex*.log WHERE TO_LOWERCASE(cs(User-Agent)) NOT LIKE '%mozilla%' AND TO_LOWERCASE(cs(User-Agent)) NOT LIKE '%opera%' ORDER BY cs(User-Agent)" -rtp:-1
Closing In
Following these same patterns, you will eventually close in on the source of the intrusion or identify previously unknown intrusions. With each query, add more criteria and more detail to pin down the specific log evidence that identifies the attacker or the type of attack. LogParser is a very powerful tool, but the real power comes when you learn how to use these and other queries to quickly bring information to your fingertips.

Saturday, March 21, 2009

Windows Diskpart Command

Diskpart is a Recovery Console command used to create or delete partitions on hard drives.

Diskpart Command Syntax
diskpart /add
/add = The /add option will create a new partition on the specified hard drive.
diskpart /delete
/delete = This option will remove a specified partition on a specified hard drive.
Diskpart Command Examples:
diskpart /add \Device\HardDisk0 10000
In the above example, the diskpart command creates a 10,000 MB partition on the hard drive located at \Device\HardDisk0.
diskpart /delete \Device\HardDisk0\Partition1
In the above example, the diskpart command will remove the Partition1 partition located on the hard drive \Device\HardDisk0.
diskpart /delete E:
In the above example, the diskpart command will remove the partition currently assigned the drive letter E.

Note:
The diskpart command is only available from within the Recovery Console in Windows 2000 and Windows XP.

Windows Fixmbr Command

Fixmbr is a Recovery Console command that writes a new master boot record to the hard disk drive that you specify.

Fixmbr Command Syntax
fixmbr (device_name)
device_name = This is where you designate the exact drive location that a master boot record will be written to. If no device is specified, the master boot record will be written to the primary boot drive.
Fixmbr Command Examples:
fixmbr \Device\HardDisk0
In the above example, the master boot record is written to the drive located at \Device\HardDisk0.
fixmbr
In this example, the master boot record is written to the device that your primary system is loaded onto. If you have a single installation of Windows installed, which is normally the case, running the fixmbr command in this way is usually the right way to go.

Note:
The fixmbr command is only available from within the Recovery Console in Windows 2000 and Windows XP.

Windows Fixboot Command

Fixboot is a Recovery Console command that writes a new partition boot sector to the system partition that you specify.

Fixboot Command Syntax
fixboot (drive)
drive = The drive whose partition boot sector will be rewritten, replacing the existing one. If no drive is specified, the boot sector is written to the system partition that you're currently logged on to.

Fixboot Command Examples
fixboot c:
In the above example, the boot sector is written to the partition currently labeled as the C: drive, most likely the partition you are currently logged on to. If that is the case, this command could be run without the c: option.

Note:
The fixboot command is only available from within the Recovery Console in Windows 2000 and Windows XP.

Bootcfg Command in Windows 7, Vista, 2008

Bootcfg is a Recovery Console command used to build or modify the boot.ini file.

Bootcfg Command Syntax:
bootcfg /list
/list = This option will list every entry in the boot list in the boot.ini file.

bootcfg /scan
/scan = Using this option will instruct bootcfg to scan all drives for installations of Windows and then display the results.

bootcfg /rebuild
/rebuild = This option will step you through the process of rebuilding the boot.ini file.

bootcfg /default
/default = This option sets the default boot entry in the boot.ini file.

bootcfg /add
/add = This option allows for the manual entry of a Windows installation in the boot.ini boot list.
Bootcfg Command Examples:
bootcfg /rebuild
In the above example, the bootcfg command scans all drives for any Windows installations, displays the results, and steps you through building the boot.ini file.

Note:
The bootcfg command is only available from within the Recovery Console in Windows 2000 and Windows XP.

Monday, March 2, 2009

BT4 Install: Simplest way to install BackTrack4

Remote-exploit and BackTrack released the public Beta of BackTrack 4 in the second week of February. As soon as the news came out, people rushed to download it: within 5 days the download count reached 49,000+ for the ISO and 17,000+ for the VMware image.

Because BT4 is still in its pre-release Beta phase, many packages are missing, especially in the VoIP and Services sections, so you will need to start and control services such as sshd and vnc manually. Another prominent change to note is that the DHCP configuration and the DHCP client (dhcpcd) have been deliberately removed from the startup scripts: BackTrack 4 starts in runlevel 2, where networking is disabled.

For BackTrack 4 the team introduced a new shell, the "Debian Almquist Shell" (dash), and /bin/sh is now a symlink to /bin/dash. It looks like the dash shell does not support most of the semantics of the legacy bash shell. According to Wikipedia, Dash is a direct descendant of the NetBSD version of the Almquist Shell (ash).

Installing BackTrack needs at least 4 GB of free space on the hard drive. The BT4 Beta has a footprint of 856 MB without the VoIP packages, and it could easily reach the 1 GB mark in the future, so make sure you have enough hard disk space before starting the installation.

Go to the PowerCram HowTo: Backtrack 4 (Pre Release) Hard Drive Installation or BackTrack 4 Beta Hard Disk Install.

BackTrack links