This Penetration Testing Cheat Sheet is intended to help when you suspect a Windows machine has been compromised, or whenever you want to check one for signs of intrusion.

It is written for Windows administrators and security staff who need to examine a system thoroughly, inside and out, for indications of compromise.


1.Unusual Log Entries:

Check your logs for suspicious events, such as:

  • “Event log service was stopped.”
  • “Windows File Protection is not active on this system.”
  • “The protected System file [file name] was not restored to its original, valid version because of the Windows File Protection…”
  • “The MS Telnet Service has started successfully.”
  • Look for a large number of failed logon attempts or locked out accounts.

To do this using the GUI, run the Windows Event Viewer:

C:> eventvwr.msc

Using the command prompt:

C:> eventquery.vbs | more

Or, to focus on a particular event log:

C:> eventquery.vbs /L security
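As an added example (not part of the original cheat sheet), the following Python script applies the indicators above to an exported log. It assumes a simple pipe-separated export format that is constructed here, not the real output of eventquery.vbs, and it uses the modern Security log event IDs 4625 (an account failed to log on) and 4740 (a user account was locked out); the failed-logon threshold is an assumed value to tune per environment.

```python
"""Scan an exported Windows event log for the suspicious entries listed
above. Added example for this cheat sheet, not part of the original; the
log format below is constructed, not real eventquery.vbs output."""
import re
from collections import Counter

# Message fragments taken from the cheat sheet (matched case-insensitively).
SUSPICIOUS_MESSAGES = [
    r"event log service was stopped",
    r"windows file protection is not active",
    r"was not restored to its original, valid version",
    r"telnet service has started successfully",
]
FAILED_LOGON_ID = 4625      # "An account failed to log on" (Vista and later)
LOCKOUT_ID = 4740           # "A user account was locked out"
FAILED_LOGON_THRESHOLD = 5  # assumed threshold; tune to the environment

# Constructed sample export, one event per line: time|event_id|source|message
SAMPLE_LOG = """\
2024-01-10 09:00:01|6005|EventLog|The Event log service was started.
2024-01-10 09:12:44|4625|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: bob
2024-01-10 09:12:46|4625|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: bob
2024-01-10 09:12:48|4625|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: bob
2024-01-10 09:12:50|4625|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: bob
2024-01-10 09:12:52|4625|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: bob
2024-01-10 09:12:54|4625|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: bob
2024-01-10 09:13:01|4740|Microsoft-Windows-Security-Auditing|A user account was locked out. Account Name: bob
2024-01-10 09:30:12|4625|Microsoft-Windows-Security-Auditing|An account failed to log on. Account Name: alice
2024-01-10 11:02:09|1100|EventLog|The Event log service was stopped.
2024-01-10 11:05:33|7036|Service Control Manager|The MS Telnet Service has started successfully.
2024-01-10 11:06:00|7036|Service Control Manager|The Print Spooler service entered the running state.
"""


def parse_line(line):
    """Split one constructed export line into its four fields."""
    time, event_id, source, message = line.split("|", 3)
    return {"time": time, "event_id": int(event_id), "source": source, "message": message}


def analyze(text, threshold=FAILED_LOGON_THRESHOLD):
    """Return suspicious entries and accounts with repeated failed logons."""
    findings = []
    failed = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Message-based indicators from the cheat sheet.
        for pattern in SUSPICIOUS_MESSAGES:
            if re.search(pattern, ev["message"], re.IGNORECASE):
                findings.append((ev["time"], ev["event_id"], ev["message"]))
                break
        # Count failed logons per account; report lockouts outright.
        account = re.search(r"Account Name:\s*(\S+)", ev["message"])
        name = account.group(1) if account else "<unknown>"
        if ev["event_id"] == FAILED_LOGON_ID:
            failed[name] += 1
        elif ev["event_id"] == LOCKOUT_ID:
            findings.append((ev["time"], ev["event_id"], ev["message"]))
    over_threshold = {name: n for name, n in failed.items() if n >= threshold}
    return {"findings": findings, "failed_logons": dict(failed), "over_threshold": over_threshold}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for time, event_id, message in report["findings"]:
        print(f"{time}  {event_id}  {message}")
    print("accounts over threshold:", report["over_threshold"])
```

The script reports three entries for the sample (the lockout, the log service stop and the Telnet start) and flags the account with six failed logons, while a single failure for another account stays below the threshold. To use it on a real system, export the log to this format (or adapt parse_line to the export you have) and keep the threshold in line with what is normal for the host.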


2.Unusual Processes and Services:

Look for unusual/unexpected processes, and focus on processes with User Name “SYSTEM” or “Administrator” (or users in the Administrators’ group). You need to be familiar with normal processes and services and search for deviations.

Using the GUI, run Task Manager:

C:> taskmgr.exe

Using the command prompt:

C:> tasklist
C:> wmic process list full

Also look for unusual services.

Using the GUI:
C:> services.msc

Using the command prompt:

C:> net start
C:> sc query

For a list of services associated with each process:

C:> tasklist /svc


3.Unusual Files and Registry Keys

Check file space usage to look for sudden major decreases in free space, using the GUI (right-click on a partition), or type:

C:> dir c:

Look for unusually big files:

Start –> Search –> For Files or Folders… –> Search Options –> Size –> At Least 10000KB

Look for strange programs referred to in registry keys associated with system start up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Note that you should also check the HKCU counterparts (replace HKLM with HKCU above).
Using the GUI:

C:> regedit

Using the command prompt:

C:> reg query <reg key>
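The check below is an added example, not the cheat sheet's own tooling: it parses text in the layout `reg query` prints for the Run keys above, compares each value against a known-good baseline, and flags entries that are new, have changed, or launch from user-writable directories. The sample output, the baseline and the directory list are constructed.

```python
r"""Audit the Run/RunOnce autostart keys against a known-good baseline.
Added example for this cheat sheet, not part of the original. The input
imitates the layout of `reg query` output (key line, then one value per
line separated by runs of spaces); the sample below is constructed."""
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")

# Locations an ordinary user can write to; autostarts from here deserve a look.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample in the shape of `reg query <key>` for the HKLM and HKCU Run keys.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    Updater    REG_SZ    C:\Users\bob\AppData\Local\Temp\updater.exe -quiet

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinHelper    REG_SZ    "C:\Users\Public\winhelper.exe"
"""

# Known-good baseline (constructed): (key, value name) -> expected image path.
BASELINE = {
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth"):
        r"%windir%\system32\SecurityHealthSystray.exe",
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "VMware User Process"):
        r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive"):
        r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}


def parse_reg_query(text):
    """Yield (key, value name, data) from reg query-style output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            hive, _, rest = line.partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3).strip()


def image_path(command):
    """Extract the executable path from a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_run_keys(text, baseline):
    """Flag autostart values that are new, changed, or run from user-writable paths."""
    known = {(k.lower(), n.lower()): v.lower() for (k, n), v in baseline.items()}
    findings = []
    for key, name, command in parse_reg_query(text):
        path = image_path(command)
        expected = known.get((key.lower(), name.lower()))
        reasons = []
        if expected is None:
            reasons.append("not in baseline")
        elif expected != path.lower():
            reasons.append(f"image path changed from {expected}")
        # Entries matching the baseline exactly are trusted; the rest get the location heuristic.
        if reasons and any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append("runs from user-writable location")
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_OUTPUT, BASELINE):
        print(f'{f["key"]}\\{f["name"]}: {f["command"]}  [{", ".join(f["reasons"])}]')
```

The baseline matters more than the path heuristic: OneDrive legitimately starts from AppData and is left alone because it matches the recorded entry, while the two unknown values that start from Temp and Users\Public are reported. Record the baseline from a machine you trust, and keep HKLM and HKCU entries separate because a per-user key can be written without administrative rights.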

4.Unusual Network Usage

Look at file shares, and make sure each has a defined business purpose:

C:> net view \\127.0.0.1

Look at who has an open session with the machine:

C:> net session

Look at which sessions this machine has opened with other systems:

C:> net use

Look at NetBIOS over TCP/IP activity:

C:> nbtstat -S

Look for unusual listening TCP and UDP ports:

C:> netstat -na

For continuously updated and scrolling output of this command every 5 seconds:

C:> netstat -na 5

The -o flag shows the owning process id:

C:> netstat -nao 5

The -b flag shows the executable name and the DLLs loaded for the network connection:

C:> netstat -naob 5

Note that the -b flag uses excessive CPU resources.
Again, you need to understand normal port usage for the system and look for deviations.

Also, check Windows Firewall configuration:

C:> netsh firewall show config
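Added example (not from the original cheat sheet): a script that parses `netstat -nao` output and reports listening TCP and bound UDP ports that are not in a baseline of expected ports, grouped by owning PID so the PID can be looked up with `tasklist /svc`. The netstat text and the baseline are constructed.

```python
"""Compare listening sockets from `netstat -nao` output against a baseline
of expected ports. Added example for this cheat sheet, not part of the
original; the netstat output and baseline below are constructed."""

# Constructed sample in the layout netstat -nao prints (header lines included).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1080
  TCP    0.0.0.0:9001           0.0.0.0:0              LISTENING       5520
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED     2044
  UDP    0.0.0.0:123            *:*                                    1200
  UDP    0.0.0.0:53001          *:*                                    5520
"""

# Ports this host is expected to have open (constructed baseline).
EXPECTED_PORTS = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}


def local_port(address):
    """Return the port from 'ip:port' or '[ipv6]:port'."""
    return int(address.rsplit(":", 1)[1])


def parse_netstat(text):
    """Yield (proto, local_port, state, pid). UDP rows carry no State column."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0]
        if proto == "TCP":
            _, local, _foreign, state, pid = fields
        else:
            _, local, _foreign, pid = fields
            state = "LISTENING"  # a bound UDP socket is effectively a listener
        yield proto, local_port(local), state, int(pid)


def unexpected_listeners(text, expected=EXPECTED_PORTS):
    """Listening sockets whose (proto, port) is not in the baseline, as sorted (proto, port, pid)."""
    found = set()
    for proto, port, state, pid in parse_netstat(text):
        if state == "LISTENING" and (proto, port) not in expected:
            found.add((proto, port, pid))
    return sorted(found)


def by_pid(listeners):
    """Group unexpected sockets by owning PID so one rogue process stands out."""
    grouped = {}
    for proto, port, pid in listeners:
        grouped.setdefault(pid, []).append(f"{proto}/{port}")
    return grouped


if __name__ == "__main__":
    for pid, sockets in by_pid(unexpected_listeners(SAMPLE_NETSTAT)).items():
        print(f"PID {pid} owns unexpected sockets: {', '.join(sockets)}")
```

On the sample, both unexpected sockets belong to the same PID, which is the number to take to `tasklist /svc` or `wmic process list full`. The parser expects the plain `-nao` layout; the extra component lines that `-b` adds are not handled, and the baseline should be built from the system's documented role rather than from the machine under investigation.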

5.Unusual Scheduled Tasks

Look for unusual scheduled tasks, especially those that run as a user in the Administrators group, as SYSTEM, or with a blank user name.

Using the GUI, run Task Scheduler:

Start–>Programs–>Accessories–>System Tools–>Scheduled Tasks

Using the command prompt:

C:> schtasks

Check other autostart items as well for unexpected entries, remembering to check user autostart directories and registry keys.

Using the GUI, run msconfig and look at the Startup tab:

Start –> Run, msconfig.exe

Using the command prompt:

C:> wmic startup list full
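Added example, not part of the original cheat sheet: a script that applies the rule above (tasks running as SYSTEM, as a member of the Administrators group, or with a blank user) to CSV output. The rows are a constructed subset of the columns that `schtasks /query /fo CSV /v` prints; the Administrators group membership and the list of already-reviewed task names are constructed assumptions.

```python
"""Flag scheduled tasks that run with high privilege from outside the
Microsoft task namespace or from a user-writable path. Added example for
this cheat sheet, not part of the original. The CSV below is a constructed
subset of the columns `schtasks /query /fo CSV /v` prints; real output has
many more columns, which csv.DictReader simply carries along."""
import csv
import io

SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample rows (subset of the real column set).
SAMPLE_TASKS = r'''
"TaskName","Author","Task To Run","Run As User","Scheduled Task State"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Enabled"
"\GoogleUpdateTaskMachineCore","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c","SYSTEM","Enabled"
"\OneDrive Standalone Update Task","","%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","CORP\bob","Enabled"
"\SysMaint","CORP\bob","C:\Users\bob\AppData\Roaming\upd.exe","SYSTEM","Enabled"
"\Backup","CORP\admin1","C:\Users\Public\bk.exe","","Enabled"
'''

LOCAL_ADMINS = {"CORP\\admin1"}                  # from `net localgroup administrators` (constructed)
KNOWN_TASKS = {"\\GoogleUpdateTaskMachineCore"}  # reviewed and accepted earlier (constructed)


def is_privileged(run_as, admins):
    """Blank user, SYSTEM, or a member of the local Administrators group."""
    run_as = run_as.strip()
    return run_as == "" or run_as.upper() in SYSTEM_ACCOUNTS or run_as in admins


def audit_tasks(csv_text, admins=LOCAL_ADMINS, known=KNOWN_TASKS):
    """Return privileged tasks that sit outside \\Microsoft\\ or run from a user-writable path."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        name, run_as, command = row["TaskName"], row["Run As User"], row["Task To Run"]
        if name == "TaskName":  # schtasks may repeat the header row between task groups
            continue
        if name in known or not is_privileged(run_as, admins):
            continue
        reasons = []
        if not name.upper().startswith("\\MICROSOFT\\"):
            reasons.append("privileged task outside \\Microsoft\\ namespace")
        if any(marker in command.lower() for marker in USER_WRITABLE):
            reasons.append("command in user-writable location")
        if reasons:
            findings.append({"task": name, "run_as": run_as or "<blank>",
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS):
        print(f'{f["task"]} (runs as {f["run_as"]}): {f["command"]}  [{", ".join(f["reasons"])}]')
```

Vendor tasks under \Microsoft\ that run as SYSTEM are normal and are only reported if their command lives somewhere a user can write; everything else that is privileged is shown unless it has been reviewed before. The same rows can be checked for entries that reference a task the GUI does not show, but that comparison is left out here.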

6.Unusual Accounts

Look for new, unexpected accounts in the Administrators group:

C:> lusrmgr.msc

Click on Groups, Double Click on Administrators, then check members of this group.
This can also be done at the command prompt:

C:> net user
C:> net localgroup administrators

7.Other Unusual Items

Look for unusually sluggish performance and a single unusual process hogging the CPU:

Task Manager –> Process and Performance tabs

Look for unusual system crashes, beyond the normal level for the given system.

On a periodic basis (daily, weekly, or each time you log on to a system you manage), run through these quick steps to look for anomalous behavior that might be caused by a computer intrusion. Each of these commands runs locally on a system.

Facebook link spoofing

While scrolling on Facebook how you decide which link/article should be clicked or opened?

Facebook timeline and Messenger display title, description, thumbnail image and URL of every shared-link, and this information are enough to decide if the content is of your interest or not.

Since Facebook is full of spam, clickbait and fake news articles these days, most users do not click every second link served to them.

But yes, the possibility of opening an article is much higher when the content of your interest comes from a legitimate and authoritative website, like YouTube or Instagram.

However, what if a link shared from a legitimate website lands you into trouble?

Links shared on Facebook already could not be edited, and in July 2017, to stop the spread of misinformation and false news, the social media giant also removed the ability for Pages to edit the title, description and thumbnail image of a link. However, it turns out that spammers can spoof the URLs of shared links to trick users into visiting pages they do not expect, redirecting them to phishing or fake news websites carrying malware or other malicious content.

Discovered by 24-year-old security researcher Barak Tawily, a simple trick could allow anyone to spoof URLs by exploiting the way Facebook fetches link previews.

In brief, Facebook scans a shared link for Open Graph meta tags to determine page properties, specifically ‘og:url’, ‘og:image’ and ‘og:title’, which supply its URL, thumbnail image and title respectively.


Interestingly, Tawily found that Facebook does not validate whether the link in the ‘og:url’ meta tag is the same as the page URL, allowing spammers to spread malicious web pages on Facebook with spoofed URLs simply by placing a legitimate URL in the ‘og:url’ Open Graph meta tag on their own websites.

“In my opinion, all Facebook users think that preview data shown by Facebook is reliable, and will click the links they are interested in, which makes them easily targeted by attackers that abuse this feature in order to perform several types of attacks, including phishing campaigns/ads/click fraud pay-per-click,” Tawily told The Hacker News.

Tawily reported the issue to Facebook, but the social media giant declined to recognise it as a security flaw, stating that Facebook uses “Linkshim” to protect against such attacks.

If you are unaware, every time a link is clicked on Facebook, a system called “Linkshim” checks that URL against the company’s own blacklist of malicious links to keep users away from phishing and malicious websites. This means that if an attacker uses a new domain to generate spoofed links, it is not easy for the Linkshim system to identify it as malicious.

Although Linkshim also uses machine learning to identify never-before-seen malicious pages by scanning their content, Tawily found that this protection could be bypassed by serving non-malicious content only to Facebook’s bot, selected by User-Agent or IP address.

Tawily has also provided a demo video showing the attack in action.

Since there is no way to check the actual URL behind a shared link on Facebook without opening it, there is little a user can do to protect themselves other than remain vigilant.
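To make the missing check concrete, here is an added example (not code from the article, from Tawily, or from Facebook) that extracts the Open Graph tags a preview would use and compares the host in og:url with the host the page was actually fetched from; when they differ, the preview falls back to the real host. The HTML documents and URLs are constructed.

```python
"""Check whether a page's Open Graph og:url points at the site it was
actually fetched from, which is the validation the article says Facebook's
preview fetcher skips. Added example, not code from the article or from
Facebook; the HTML documents and URLs below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class OpenGraphParser(HTMLParser):
    """Collect og:* meta tags; the first occurrence of each property wins."""

    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attrs = dict(attrs)
        prop = attrs.get("property") or attrs.get("name") or ""
        if prop.startswith("og:") and attrs.get("content") is not None and prop not in self.tags:
            self.tags[prop] = attrs["content"]


def check_preview(fetched_url, html):
    """Return the preview fields plus whether og:url's host differs from the fetched host."""
    parser = OpenGraphParser()
    parser.feed(html)
    fetched_host = (urlparse(fetched_url).hostname or "").lower()
    og_url = parser.tags.get("og:url")
    # A relative og:url resolves against the page it came from; a missing one means no claim.
    og_host = (urlparse(urljoin(fetched_url, og_url)).hostname or "").lower() if og_url else fetched_host
    mismatch = og_host != fetched_host
    return {
        "title": parser.tags.get("og:title"),
        "image": parser.tags.get("og:image"),
        "og_url": og_url,
        "fetched_host": fetched_host,
        "og_host": og_host,
        "mismatch": mismatch,
        # A defensive renderer shows the host the content really came from.
        "display_host": fetched_host if mismatch else og_host,
    }


# Constructed: a page on one host whose og:url claims another.
SPOOFED_PAGE = """<html><head>
<meta property="og:title" content="Breaking news">
<meta property="og:image" content="https://cdn.example.net/thumb.jpg">
<meta property="og:url" content="https://www.example.com/news/story">
</head><body>...</body></html>"""

# Constructed: an honest page with a relative og:url.
HONEST_PAGE = """<html><head>
<meta property="og:title" content="Story">
<meta property="og:url" content="/news/story">
</head><body>...</body></html>"""


if __name__ == "__main__":
    for url, page in (("http://preview-spoof.example.net/story.html", SPOOFED_PAGE),
                      ("https://www.example.com/news/story", HONEST_PAGE)):
        r = check_preview(url, page)
        print(f'{r["title"]!r}: og:url host {r["og_host"]}, fetched from {r["fetched_host"]}, '
              f'mismatch={r["mismatch"]}, show {r["display_host"]}')
```

The comparison is by hostname only, so a redirect chain or a subdomain of the same site still needs separate handling; the point is that the host shown to the user is derived from where the content was retrieved, not from what the page says about itself.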


Project taken from:

https://www.hackster.io/shiva-siddharth/simultaneously-run-alexa-and-google-assistant-on-pi-12e8df

 

This summer Chinese authorities deepened a crackdown on virtual private networks (VPNs)—tools that help internet users inside the mainland access the open, uncensored web. While not a blanket ban, the new restrictions are shifting the services out of their legal grey area and further toward a black one. In July alone, one popular made-in-China VPN abruptly ceased operations, Apple removed dozens of VPN apps from its China-facing app store, and some international hotels stopped offering VPN services as part of their in-house wifi.

Yet the government was targeting VPN usage well before the latest push. Ever since president Xi Jinping took office in 2012, activating a VPN in China has been a constant headache—speeds are slow, and connectivity frequently lapses. Especially before major political events (like this year’s upcoming party congress in October), it’s not uncommon for connections to drop immediately, or not even form at all.

In response to these difficulties, China’s tech-savvy programmers have been relying on another, lesser-known tool to access the open internet. It’s called Shadowsocks, and it’s an open-source proxy built for the specific purpose of jumping China’s Great Firewall. While the government has made efforts to curb its spread, it’s likely to remain difficult to suppress.

How is Shadowsocks different from a VPN?

To understand how Shadowsocks works, we’ll have to get a bit into the cyberweeds. Shadowsocks is based on a technique called proxying. Proxying grew popular in China during the early days of the Great Firewall—before it was truly “great.” In this setup, before connecting to the wider internet, you first connect to a computer other than your own. This other computer is called a “proxy server.” When you use a proxy, all your traffic is routed first through the proxy server, which could be located anywhere. So even if you’re in China, your proxy server in Australia can freely connect to Google, Facebook, and the like.

But the Great Firewall has since grown more powerful. Nowadays, even if you have a proxy server in Australia, the Great Firewall can identify and block traffic it doesn’t like from that server. It still knows you are requesting packets from Google—you’re just using a bit of an odd route for it. That’s where Shadowsocks comes in. It creates an encrypted connection between the Shadowsocks client on your local computer and the one running on your proxy server, using an open-source internet protocol called SOCKS5.

How is this different from a VPN? VPNs also work by rerouting and encrypting data. But most people who use them in China use one of a few large service providers. That makes it easy for the government to identify those providers and then block traffic from them. And VPNs usually rely on one of a few popular internet protocols, which tell computers how to talk to each other over the web. Chinese censors have been able to use machine learning to find “fingerprints” that identify traffic from VPNs using these protocols. These tactics don’t work so well on Shadowsocks, since it is a less centralized system.

Each Shadowsocks user creates his own proxy connection, and so each looks a little different from the outside. As a result, identifying this traffic is more difficult for the Great Firewall—that is to say, through Shadowsocks, it’s very hard for the firewall to distinguish traffic heading to an innocuous music video or a financial news article from traffic heading to Google or some other site blocked in China.

Leo Weese, a Hong Kong-based privacy advocate, likens VPNs to a professional freight forwarder, and Shadowsocks to having a package shipped to a friend who then re-addresses the item to the real intended recipient before putting it back in the mail. The former method is more lucrative as a business, but easier for authorities to detect and shut down. The latter is makeshift, but way more discreet.

What’s more, tech-savvy Shadowsocks users often customize their settings, making it even harder for the Great Firewall to detect them wholesale.

“People use VPNs to set up inter-company links, to set up a secure network. It wasn’t designed for the circumvention of censorship,” says Larry Salibra, a Hong Kong-based privacy advocate. With Shadowsocks, he adds, “Each person can configure it to look like their own thing. That way everybody’s not using the same protocol.”

Calling all coders

If you’re a luddite, you’ll probably have a hard time setting up Shadowsocks. One common method to use it requires renting out a virtual private server (VPS) located outside of China and capable of running Shadowsocks. Then users must log in to the server using their computer’s terminal, and enter the Shadowsocks code. Next, using a Shadowsocks client app (there are many, both free and paid), users input the server location and password and access the server. After that, they can browse the internet freely.

Shadowsocks is often difficult to set up because it originated as a for-coders, by-coders tool. The software first reached the public in 2012 via Github, when a developer using the pseudonym “Clowwindy” uploaded it to the code repository. Word-of-mouth spread among other Chinese developers, as well as on Twitter, which has long been a hub for anti-firewall Chinese programmers. A community formed around Shadowsocks. Employees at some of the world’s largest tech companies—both Chinese and international—work together in their free time to maintain the software’s code. Developers have built third-party apps to run it, each touting various custom features.

One such developer is the creator behind Potatso, a Shadowsocks client for iOS. Based in Suzhou and employed at a US-based software company, he grew frustrated at the firewall’s block on Google and Github (the latter is blocked intermittently), both of which he relied on to code for work. He built Potatso during nights and weekends out of frustration with other Shadowsocks clients, and eventually put it in the app store.

“Shadowsocks is a great invention,” he says, asking to remain anonymous. “Until now, there’s still no evidence that it can be identified and get stopped by the Great Firewall.”

Not quite underground, not quite above ground

It’s difficult to know how many people use Shadowsocks. The developers for Potatso and Surge, another iOS client, separately told Quartz their paid apps have gathered enough downloads to make for a lucrative hobby on top of other work. But neither could estimate the popularity of the core Shadowsocks software.

Still, anecdotes suggest that the software has reached at least some people in China who aren’t professional developers. One Shadowsocks user Quartz spoke to says he relies on it to watch videos on Vimeo and YouTube. Both sites are blocked in China, but he visits regularly for his job at a production company.

Another Shadowsocks user, 25-year-old Steffie Chao, told Quartz she began using the software four years ago. While preparing to study abroad, she used a VPN to access YouTube and watch university lectures. When her VPN stopped working, she searched for an alternative and discovered Shadowsocks on a Chinese-language internet forum. She ran it on her computer using some rudimentary coding skills she picked up in a class.

At the very least, Shadowsocks is widespread enough that Chinese authorities are aware of its existence. The government has made some attempts to clip its wings. In 2015, around the time of a parade in China celebrating the 70th anniversary of WWII, Clowwindy posted a message on Github announcing he had been visited by the police, and would have to stop working on Shadowsocks. And when Apple removed dozens of firewall-jumping apps from its Chinese-facing app store, it didn’t just target VPNs—several Shadowsocks apps were removed as well, including Potatso.

Yet Shadowsocks will continue to live on. That’s in part because the code is open-source, meaning that anyone can maintain it, alter it, and release it in a different form (the source code remains on Github; it’s simply more difficult to find there than it was previously).

Should Shadowsocks give us hope for freedom on China’s internet? Yes and no.

On the one hand, it’s unlikely that any Shadowsocks app will ever become as widespread as brand-name VPNs, like VyprVPN or AnchorFree. According to Weese, the privacy advocate, Shadowsocks’s underlying technology is difficult to “scale” business-wise compared to a VPN. That means that even though Shadowsocks might be a better tool for jumping the Great Firewall, VPNs will have an advantage when it comes to reaching consumers.

Not that there’s a lot of incentive for an enterprising Chinese coder to build and promote a “mainstream,” easy-to-use Shadowsocks app. After all, if it gets popular enough in China, authorities could take notice, and there could be serious consequences (link in Chinese)—or more government effort towards figuring out how to detect and block users.

Shadowsocks might not be the “perfect weapon” to defeat the Great Firewall once and for all. But it will likely lurk in the dark for some time.

 

Available on GitHub to download:

https://github.com/shadowsocks/shadowsocks-windows