If you use Windows 8 x64 and when you launch the Cisco VPN Client adapter and you see the following error:
Reason 442: Failed To Enable Virtual Adapter Here’s how to fix it.
Open your command prompt in Administrator mode by right clicking at the left lower corner of the screen and going to “Command Prompt (Administrator)”. You will have to log in as an administrator. Launch registry editor by typing “regedit.exe”. Browse to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA“. In the DisplayName key, you will see something like @oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter. Edit that to just say Cisco Systems VPN Adapter. Try to connect again by launching the VPN Client. It should work!

This week I got the CREA certification to add to my list of CISSP, CEPT, Visa QSA. This certification required a good practical and conceptual knowledge of reverse engineering. The certification requires a good working knowledge of components such as IA-32 assembly language, malware reversing, expert level knowledge of IDA Pro, OllyDbg, HiEW, Dumpbin etc., PE File header, repairing packed and compacted binaries, using system level reversing etc. The exam was good and tested on the concepts of the reverse engineer.

If you encounter the following error, the issue is pcaprub uses a hardcoded path for Winpcap.  I downloaded winpcap v4.1.3 and downloaded the dev kit for Winpcap and put it in c:\WpdPack.   Additionally, since I use an x64 machine I had to copy the file C:\WpdPack\Lib\x64\*.lib into C:\WpdPack\Lib and then the compilation worked.

You need pcaprub for things like msf.

C:\dev\kit>gem install pcaprub
Temporarily enhancing PATH for MSYS/MINGW...
Building native extensions. This could take a while...
ERROR: Error installing pcaprub:
ERROR: Failed to build gem native extension.

current directory: C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/pcaprub-0.13.0/ext/pcaprub_c
C:/Ruby24-x64/bin/ruby.exe -r ./siteconf20181112-2628-1wqgu6f.rb extconf.rb

[*] Running checks for pcaprub_c code...
platform is x64-mingw32
checking for -lws2_32... yes
checking for -liphlpapi... yes
checking for windows.h... yes
checking for winsock2.h... yes
checking for iphlpapi.h... yes
checking for ruby/thread.h... yes
checking for rb_thread_blocking_region()... no
checking for rb_thread_call_without_gvl()... yes
checking for pcap_open_live() in -lwpcap... no
checking for pcap_setnonblock() in -lwpcap... no
creating Makefile

current directory: C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/pcaprub-0.13.0/ext/pcaprub_c
make "DESTDIR=" clean

current directory: C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/pcaprub-0.13.0/ext/pcaprub_c
make "DESTDIR="
generating pcaprub_c-x64-mingw32.def
compiling pcaprub.c
In file included from C:/WpdPack/include/pcap/pcap.h:41,
from C:/WpdPack/include/pcap.h:45,
from pcaprub.c:11:
C:/WpdPack/include/pcap-stdinc.h:64: warning: "snprintf" redefined
#define snprintf _snprintf

In file included from C:/Ruby24-x64/include/ruby-2.4.0/ruby/ruby.h:2429,
from C:/Ruby24-x64/include/ruby-2.4.0/ruby.h:33,
from pcaprub.c:1:
C:/Ruby24-x64/include/ruby-2.4.0/ruby/subst.h:6: note: this is the location of the previous definition
#define snprintf ruby_snprintf

In file included from C:/WpdPack/include/pcap/pcap.h:41,
from C:/WpdPack/include/pcap.h:45,
from pcaprub.c:11:
C:/WpdPack/include/pcap-stdinc.h:65: warning: "vsnprintf" redefined
#define vsnprintf _vsnprintf

In file included from C:/Ruby24-x64/include/ruby-2.4.0/ruby/ruby.h:2429,
from C:/Ruby24-x64/include/ruby-2.4.0/ruby.h:33,
from pcaprub.c:1:
C:/Ruby24-x64/include/ruby-2.4.0/ruby/subst.h:7: note: this is the location of the previous definition
#define vsnprintf ruby_vsnprintf

pcaprub.c: In function 'rbpcap_each_data':
pcaprub.c:992:9: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
fno = (int)pcap_getevent(rbp->pd);
^
pcaprub.c:992:7: warning: assignment to 'HANDLE' {aka 'void *'} from 'int' makes pointer from integer without a cast [-W
int-conversion]
fno = (int)pcap_getevent(rbp->pd);
^
pcaprub.c: In function 'rbpcap_each_packet':
pcaprub.c:1034:9: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
fno = (int)pcap_getevent(rbp->pd);
^
pcaprub.c:1034:7: warning: assignment to 'HANDLE' {aka 'void *'} from 'int' makes pointer from integer without a cast [-
Wint-conversion]
fno = (int)pcap_getevent(rbp->pd);
^
pcaprub.c: In function 'rbpcap_thread_wait_handle':
pcaprub.c:1274:7: warning: passing argument 1 of 'rb_thread_call_without_gvl' from incompatible pointer type [-Wincompat
ible-pointer-types]
rbpcap_thread_wait_handle_blocking,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from pcaprub.c:4:
C:/Ruby24-x64/include/ruby-2.4.0/ruby/thread.h:28:7: note: expected 'void * (*)(void *)' but argument is of type 'VALUE
(*)(void *)' {aka 'long long unsigned int (*)(void *)'}
void *rb_thread_call_without_gvl(void *(*func)(void *), void *data1,
^~~~~~~~~~~~~~~~~~~~~~~~~~
linking shared-object pcaprub_c.so
pcaprub.o:pcaprub.c:(.text+0x1a0): undefined reference to `pcap_lib_version'
pcaprub.o:pcaprub.c:(.text+0x1e0): undefined reference to `pcap_findalldevs'
pcaprub.o:pcaprub.c:(.text+0x2b8): undefined reference to `pcap_freealldevs'
pcaprub.o:pcaprub.c:(.text+0x32f): undefined reference to `pcap_lookupnet'
pcaprub.o:pcaprub.c:(.text+0x43d): undefined reference to `pcap_close'
pcaprub.o:pcaprub.c:(.text+0x45a): undefined reference to `pcap_dump_close'
pcaprub.o:pcaprub.c:(.text+0x67c): undefined reference to `pcap_set_timeout'
pcaprub.o:pcaprub.c:(.text+0x6ce): undefined reference to `pcap_list_datalinks'
pcaprub.o:pcaprub.c:(.text+0x707): undefined reference to `pcap_datalink_val_to_name'
pcaprub.o:pcaprub.c:(.text+0x76d): undefined reference to `pcap_free_datalinks'
pcaprub.o:pcaprub.c:(.text+0x782): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0x828): undefined reference to `pcap_datalink_name_to_val'
pcaprub.o:pcaprub.c:(.text+0x895): undefined reference to `pcap_set_datalink'
pcaprub.o:pcaprub.c:(.text+0x8b3): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0x93f): undefined reference to `pcap_set_snaplen'
pcaprub.o:pcaprub.c:(.text+0x9d4): undefined reference to `pcap_set_promisc'
pcaprub.o:pcaprub.c:(.text+0xae1): undefined reference to `pcap_lookupnet'
pcaprub.o:pcaprub.c:(.text+0xb57): undefined reference to `pcap_compile'
pcaprub.o:pcaprub.c:(.text+0xb6d): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0xb9f): undefined reference to `pcap_setfilter'
pcaprub.o:pcaprub.c:(.text+0xbaf): undefined reference to `pcap_freecode'
pcaprub.o:pcaprub.c:(.text+0xbc1): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0xbe9): undefined reference to `pcap_freecode'
pcaprub.o:pcaprub.c:(.text+0xc62): undefined reference to `pcap_compile'
pcaprub.o:pcaprub.c:(.text+0xc75): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0xc9d): undefined reference to `pcap_freecode'
pcaprub.o:pcaprub.c:(.text+0xccf): undefined reference to `pcap_activate'
pcaprub.o:pcaprub.c:(.text+0xd33): undefined reference to `pcap_close'
pcaprub.o:pcaprub.c:(.text+0xe0b): undefined reference to `pcap_close'
pcaprub.o:pcaprub.c:(.text+0xe43): undefined reference to `pcap_create'
pcaprub.o:pcaprub.c:(.text+0x109e): undefined reference to `pcap_close'
pcaprub.o:pcaprub.c:(.text+0x110d): undefined reference to `pcap_open_live'
pcaprub.o:pcaprub.c:(.text+0x129f): undefined reference to `pcap_open_offline'
pcaprub.o:pcaprub.c:(.text+0x1419): undefined reference to `pcap_open_dead'
pcaprub.o:pcaprub.c:(.text+0x1532): undefined reference to `pcap_dump_open'
pcaprub.o:pcaprub.c:(.text+0x15d9): undefined reference to `pcap_dump_close'
pcaprub.o:pcaprub.c:(.text+0x171e): undefined reference to `pcap_dump'
pcaprub.o:pcaprub.c:(.text+0x17e7): undefined reference to `pcap_sendpacket'
pcaprub.o:pcaprub.c:(.text+0x17fa): undefined reference to `pcap_geterr'
pcaprub.o:pcaprub.c:(.text+0x18ea): undefined reference to `pcap_setnonblock'
pcaprub.o:pcaprub.c:(.text+0x1912): undefined reference to `pcap_dispatch'
pcaprub.o:pcaprub.c:(.text+0x19fd): undefined reference to `pcap_setnonblock'
pcaprub.o:pcaprub.c:(.text+0x1a25): undefined reference to `pcap_dispatch'
pcaprub.o:pcaprub.c:(.text+0x1b35): undefined reference to `pcap_getevent'
pcaprub.o:pcaprub.c:(.text+0x1be3): undefined reference to `pcap_getevent'
pcaprub.o:pcaprub.c:(.text+0x1c91): undefined reference to `pcap_datalink'
pcaprub.o:pcaprub.c:(.text+0x1cdc): undefined reference to `pcap_major_version'
pcaprub.o:pcaprub.c:(.text+0x1d27): undefined reference to `pcap_minor_version'
pcaprub.o:pcaprub.c:(.text+0x1d72): undefined reference to `pcap_snapshot'
pcaprub.o:pcaprub.c:(.text+0x1dca): undefined reference to `pcap_stats'
collect2.exe: error: ld returned 1 exit status
make: *** [Makefile:259: pcaprub_c.so] Error 1

make failed, exit code 2

Gem files will remain installed in C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/pcaprub-0.13.0 for inspection.
Results logged to C:/Ruby24-x64/lib/ruby/gems/2.4.0/extensions/x64-mingw32/2.4.0/pcaprub-0.13.0/gem_make.out

I recently got a Sansa e260 4 GB MP3 player just for kicks to check it out. Seems like the hardware runs a stripped down Windows install having FAT32 file system on it. What was interesting was, that somehow my files got corrupted and had to format the drive (My Computer -> eSansa(G:) -> Right click to “Format..”). All the folders disappeared and when I restarted they reappeared. What seemed to crash it was the presence of a few folders that I created not realizing that Sansa did not support folders as the HelpDesk person told me. Makes me wonder what kind of unstable condition would a folder creation have caused. I think I’ll need to further research this error.

In the capitalist world, it is said that the companies survive on the hyper-consumerism of the people. The highly competitive economical scenario results in an environment where (as they say) consumer is the winner, but not without a fight.
A few weeks back, my Compaq Presario Laptop 2575us went bad. Well, the laptop is 2 yrs old and it has already been serviced twice so I guess my patience thresholds have diminished over a period of time. But this time around a person with even immense patience could have lost his mind. So here’s what happened. My laptop’s S-video port had been dysfunctional since the time I can recall but I never had so much time to let my laptop go out of my hands. This time when I sent it for repairs my laptop almost disappeared from the face of the earth for almost 25 days. And when they returned it to me to a wrong address I had a premonition of difficult times. The “repaired” laptop even failed to start.
This really infuriated me coz my 25 day wait had gone down the drain. So I called up the customer care and they asked me to ship the laptop to service center yet again. But this time around they wanted me to wait for 3 days before I could FedEx it to them. It was completely unacceptable to me. So I spoke to the supervisor and became as adamant as a stone. I continued to ask him for next day shipping and he continued to repeat that he could not do that. A 2hr45min sparring continued on the phone and it resulted in him being the loser as he disconnected the phone. He kept saying that this discussion is going nowhere as we cannot reach an agreement and I kept insisting that the call had multiple destinations : 1. To the HP supervisors and 2. To the BBB .
This guy called himself Nick and he also refused to give me his employee number. I knew very well (because of past experience that Compaq uses words like “You have no proof for your requests” etc.) so this time I needed some real strong evidence of my conversation. So I requested the permission from this Nick guy to allow me to record the conversation. I think this made him a little wary of my intentions. But still he did not give me his details. I think he was really scared because he felt that my wrath could result in him facing the music from his bosses in Palo Alto, CA. There were a few interesting discussions, for example, he said “I am Nick and you can identify me with this name alone.” to which I retorted by saying “Well…I know that Nick is a common name in U.S and you guys might as well redirect my call to NY Knicks judging by the way things are going.”.
So the next day I called up the HP Customer Care Service Manager’s Line at 1-877-917-4380 , code 94 option 1. This time I spoke to a guy called Douglas Gilmore who was equally tough with me (if not more). He refused to acknowledge any of my concerns initially. But later as the conversation progressed, it went on from being just a plain discussion to a heated argument. However, I did not utter even a single foul word because I knew that he could use my language as a pretext to disconnect my call which I was not willing to risk at all. So throughout the discussion I kept my head cool and tried to explain the things to him. But after going through the history of the whole thing, he realized that I had suffered a lot because of this laptop and that the attitude of the Customer care was rather cold. So he finally agreed to give me a replacement after much requests. This was probably my best argument till date and I think that it was some good thinking on my part as well as some codial behavior on the part of the managers that I could get what I truly deserved: a replacement to my defective laptop.
-Rajat.
Japanese art forms

The New Year brings in interesting things (or so we hope). My friend came up to me with an “infected” computer with a fantastic piece of malware installed. The malware was presented the user with a completely different HTML page when something was searched on Google. Browser Helper Objects (BHOs) are Dynamic Link Libraries (DLLs) that are installed in Internet Explorer (IE) and have a complete access to the DOM tree of the browser window. The name of the DLL was xyusx.dll (or something like that). This DLL was packed so that it wouldn’t permit a clean disassembly. The usual tricks seemed to work and I was able to unpack the DLL.

The procedure is simple. Open the DLL in OllyDbg. Search for the PUSHAD instruction (this instruction stores all the registers on the top of the stack) and set a breakpoint (F2 key in OllyDbg) on that instruction.

Press F9 to continue the debugging. Press F8 to execute the instruction, and then set a hardware breakpoint on the top of the stack in the Dump Window as shown in the image. You can do this easily by right clicking on the ESP register and clicking on “Follow in Dump”.
Once you reach the POPAD instruction or the hardware breakpoint is activated, this shows that the registers that were saved on the stack are now going to be restored in the respective registers. This indicates that the program has now finished extracting itself and is ready to execute the instructions.
I used OllyDump to dump out the contents of this DLL and then used LordPE to repair the import table. This process, however, needs more work due to the nature of the automated import address table repairing as some things can be missed.
Once this repairing was finished, I opened the file in IDA Pro to disassemble the unpacked DLL. This did give me a lot of information about this DLL, however, I’m still in the process of completing a good disassembly of this DLL.
As for now, I can say that this DLL installed a bunch of spyware CLSIDs into the system.
Some of the CLSIDs (out of the 45 that it uses) by this malware are listed below:

{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}
{67C55A8D-E808-4caa-9EA7-F77102DE0BB6}
{1557B435-8242-4686-9AA3-9265BF7525A4}
{55DB983C-BDBF-426f-86F0-187B02DDA39B}
{A24B57F8-505D-4fc5-9960-740E304D1ABA}
{4B646AFB-9341-4330-8FD1-C32485AEE619}
{CD3447D4-CA39-4377-8084-30E86331D74C}
{DEBEB52F-CFA6-4647-971F-3EDB75B63AFA}
{8F2183B9-F4DB-4913-8F82-6F9CC42E4CF8}
{92A444D2-F945-4dd9-89A1-896A6C2D8D22}
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}
{1126271C-A8C3-438c-B951-7C94B453B16B}
{938A8A03-A938-4019-B764-03FF8D167D79}
{44218730-94E0-4b24-BBF0-C3D8B2BCE2C3}

This DLL also seemed to communicate to :

89.188.16.10
89.188.16.16
65.243.103.56
65.243.103.60
65.243.103.62

Whatever you do to these servers is upto you. Some google searches allude that this is a “Vundo infection”. I’m also not sure what solutions people are posting to this problem but I’d not feel safe if this malware was on my computer and I’d definitely format my Windows install, patch it and change my passwords! I’m not completely dne with the disassembly and reversing of this malware yet, but I’m sure I’ll post more when I delve into this disassembled code deeper.

So the other day I was on a pen test and I got hold of the hashes. Since my laptop got fried I needed a new version of SMBProxy. There were a few issues that I had with the compilation though. I got a few errors in the file crypto.c.
Moreover, SMBProxy ues crypto library libdes written by Eric Young available here.
I give here a guide to compiling SMBProxy that worked for me.

First, compile and install libdes

1. Download libdes 4.01
2. tar zxvf libdes-4.01.tar.gz
3. cd libdes
4. make gcc
5. sudo make install

Now, you’ll find that the file libdes.a is now in /usr/local/lib.
Second, compile and install SMBProxy. Now here there were a couple of compilation errors that I had to deal with.
Here’s the diff output for crypto.c

trance@z0n3:~/Desktop$ diff smbproxy/crypto.c smbproxy-orig-src/crypto.c
40,41c40
< #include
< #define MD4_SIGNATURE_SIZE 16 --- >
46c45
<> static u_char Get7Bits(UCHAR *input, int startBit) {
58c57
<> static void MakeKey(UCHAR *key, UCHAR *des_key) {
74c73
<> void DesEncrypt(UCHAR *clear, UCHAR *key, UCHAR *cipher) {
85c84
<> void mkResponse(UCHAR **ntlmhash, UCHAR hash[MD4_SIGNATURE_SIZE], UCHAR* challenge) {
88c87
<> UCHAR ntlm_response[24];

Having done this there were still a few issues with the make comand.
The Makefile can be generated by running the following command:

trance@z0n3:~/Desktop/smbproxy-orig-src$ ./configure

Here’s the diff output of the Makefile:

trance@z0n3:~/Desktop$ diff smbproxy/Makefile smbproxy-orig-src/Makefile
10,11c10,11
< smbbf_include =" -Iinclude">
< libs ="">
—
> SMBBF_INCLUDE = -Iinclude
> LIBS = des
31c31
< $(LIBDES) $(LIBS)
—
> $(LIBDES)

The following libraries are required: openssl, openssl-dev, libdes for successfully compiling SMBProxy.

apt-get install openssl openssl-dev