Categories
Software

BitCoin miner investigation and removal

This thread is from 2014 but is one of the more technical exploration threads on the forums.  With the recent surge of browser bitcoin miners, I figure a re-look at botnet miners makes for good reading.

Botnet Removal Overview

This thread is an overview on how to detect, identify and remove a botnet infection. This is merely one example of such an infection. Honestly, the main reason I was able to detect it (before it was added to malware definition databases) is its aggressive processor use. Bitcoin miners are extremely intense processes, so 98% CPU usage stood out like a sore thumb.

This will be a 5-step process, with a post in this thread for each step, on how I went about checking around and figuring out how this bitcoin miner was operating. There are various ways to go about the same methods, but I am sharing mine in hopes it helps someone remove similar trash in the future. Each post describes the methods used, hopefully in a clear manner.

Steps used:

As with any infection, you have to be thoroughly sure you completely removed it, otherwise you are waiting for more damage down the road. Do you wish to reinstall the OS, or do you feel confident the exploit has been removed? This question is especially relevant in a business environment. Luckily I saw this on my personal machine, so I could afford more time to debug what was happening and log it.

The attached picture should make more sense as you read each progressive step.

Sample Bitcoin Miner

Suspect and Detect

Tools used:

This is a Windows 7 Ultimate platform, but all versions should have the commands I listed. You will want to download the XVI and Process Explorer utilities, since they are 3rd-party applications.

You can use the GUI Task Manager, but some processes can hide from that display. Also be sure to check “Show processes from all users” on the Processes tab if using the GUI list. Sorting by CPU and/or memory usage is a quick means to find anything with a big footprint. Look for anything you do not recognize. If you are not familiar with the standard processes on your machine, search online to find what each process is normally used for. However, do not simply assume all standard-sounding services and processes are legit.

In this case, MSDT.exe was running. Typically this is a Microsoft diagnostic tool, however that was not the case this time. Using 98% CPU, this program was actually a bitcoin miner and not an actual Microsoft utility. Without jumping ahead too much: verifying the path it was running from validated my suspicion.

C:\Windows\Service\Profiles\Local\Service\AppData\Roaming\Microsoft\Windows\Templates

In the GUI (Graphical User Interface) task list, you can right-click a process and choose Open Location. This is where I found this executable, as well as 2 other related files.

  • atieclx.vbs (Service-spawning VBS code)
  • aticlx.exe (Command and control server, from what I could tell from the hex edit)
  • RAVClp86.exe (Communications portion associated with the Command and Control server)

Network Traffic

This step was a 2-fold operation.

Step 01:

Closing all web browsers, email clients and the like, I ran the following command.

netstat -o > C:\2014-06-08_PortList.log

Everything to the left of the “>” operator displays the open ports in a command window. The “>” operator and file path save the results to the named file on the root of my C: drive. This works with most command-line commands and is advisable for archiving's sake. Open the text file for your results and look for anything odd.

In this case, I found the following IP (replace the letter ‘o’ with the number 0 in the IP address): 2o8.94.24o.162:4768

After the ‘:’ is the port it was communicating on. A PID will also display for open ports in the netstat output.

Step 02:

Next I checked Process Explorer for processes with open network connections. Since I had my suspect process list of 4, I right-clicked each of them and opened the TCP/IP tab. Please notice the other 2 items appeared to be spawned via a wscript.exe process. Note that RavClp86.exe was still there as well.

(Process Explorer image attached to this post)

Process Details via ProcessExplorer

PID to Process Explorer mapping

Similar to the netstat command above, I wanted to log my running processes to a flat file for archiving and review.

tasklist > C:\2014-06-08_ProcessList.log

Of particular relevance are the ‘Image Name’ and ‘PID’ (Process ID) columns. The PID is what you correlate against your Process Explorer investigation. When using taskkill, you will also know if a process restarted, because it will have a new PID. Speaking of taskkill, here is how you run that command, entering the PID for the program in question.

taskkill /pid 3916

3916 being the PID from the Process Explorer screenshot in my prior post. You need to substitute the relevant PID on your local machine.

However, simply killing the processes is not enough, as I will cover in the next post.
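As an added example (not part of the original post, and not any tool it mentions), here is a Python script that does the PID correlation described in Steps 01 and 02 offline: it parses saved `netstat -o` and `tasklist` logs, joins them on PID to an executable-path listing (the third sample is in the shape of `wmic process get ExecutablePath,ProcessId /format:csv`, a standard Windows command), and flags any process that holds a connection to a non-local address while running from a profile/AppData folder or carrying a Windows binary name outside System32. All three samples are constructed; the 203.0.113.45 address is a documentation-range placeholder standing in for the address found in the post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample logs (not captured from the post's machine), in the shape of
# `netstat -o`, `tasklist`, and `wmic process get ExecutablePath,ProcessId /format:csv`.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1204
  TCP    192.168.0.5:49712      203.0.113.45:4768      ESTABLISHED     3916
  TCP    192.168.0.5:49720      198.51.100.20:443      ESTABLISHED     2288
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""

TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        312 K
svchost.exe                   1204 Services                   0     10,112 K
MSDT.exe                      3916 Console                    1     61,980 K
chrome.exe                    2288 Console                    1    182,404 K
"""

WMIC_SAMPLE = r"""
Node,ExecutablePath,ProcessId
HOST01,C:\Windows\System32\svchost.exe,1204
HOST01,C:\Windows\Service\Profiles\Local\Service\AppData\Roaming\Microsoft\Windows\Templates\MSDT.exe,3916
HOST01,C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,2288
"""

# Address ranges treated as "local"; anything else counts as an outbound peer worth a look.
LOCAL_NETS = [ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                                      "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
# Binaries that ship with Windows and should live under System32/SysWOW64 (assumed short list).
WINDOWS_BINARIES = {"msdt.exe", "svchost.exe", "wscript.exe", "cscript.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROFILE_MARKERS = ("\\appdata\\", "\\users\\", "\\profiles\\", "\\temp\\")


def parse_netstat(text):
    """Map PID -> list of (local, foreign) for ESTABLISHED TCP rows of `netstat -o` output."""
    conns = {}
    for line in text.splitlines():
        m = re.match(r"^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$", line)
        if m:
            conns.setdefault(int(m.group(3)), []).append((m.group(1), m.group(2)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from the default `tasklist` table (image names may contain spaces)."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$", line)
        if m:
            names[int(m.group(2))] = m.group(1).strip()
    return names


def parse_wmic_csv(text):
    """Map PID -> executable path from wmic CSV rows (Node,ExecutablePath,ProcessId)."""
    paths = {}
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[2].isdigit():
            paths[int(parts[2])] = parts[1]
    return paths


def is_external(addr):
    """True when 'ip:port' points outside loopback/RFC1918/link-local space (IPv4 only here)."""
    try:
        ip = ip_address(addr.rsplit(":", 1)[0])
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def triage(netstat_text, tasklist_text, wmic_text):
    """Join the three listings on PID and return the processes that deserve a closer look."""
    conns, names, paths = parse_netstat(netstat_text), parse_tasklist(tasklist_text), parse_wmic_csv(wmic_text)
    findings = []
    for pid, pairs in sorted(conns.items()):
        remote = [foreign for _, foreign in pairs if is_external(foreign)]
        if not remote:
            continue
        image, path = names.get(pid, "?"), paths.get(pid, "")
        low = path.lower()
        reasons = []
        if any(marker in low for marker in PROFILE_MARKERS):
            reasons.append("runs from a profile/AppData/temp location")
        if image.lower() in WINDOWS_BINARIES and not low.startswith(SYSTEM_DIRS):
            reasons.append("Windows binary name running outside System32")
        if reasons:
            findings.append({"pid": pid, "image": image, "path": path, "remote": remote, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, WMIC_SAMPLE):
        print(f"PID {f['pid']} {f['image']} -> {', '.join(f['remote'])}: {'; '.join(f['reasons'])}")
```

Only the MSDT.exe row is reported: it is the one process with an external peer that also runs from the profile path quoted in the post and carries a Windows binary name outside System32. The browser's connection is external too but trips neither rule, and the loopback-only svchost.exe is skipped, which is the kind of noise reduction you want before reading the logs by hand.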

Service, Payload and Command and Control targeting

OK. So far we have a list of 4 deviant processes, but not much clearly established on how they are operating. This point (or actually earlier as well) is a great time to get XVI going. We want to peek at the flagged executables to see if anything telling is occurring.

(XVI Hex Edit of RavCLP86.exe pictured)

Hex Display 03

In this image, we see some port communications in a seemingly innocuous local file name. Considering this is running in a profile folder, it is not an innocent process at all. From what I can tell, this process (in conjunction with Aticlx.exe) is the Command and Control portion of this application. It also handles being spawned from the .vbs file in the same folder. When any of the other files are removed, this process will re-write them back out and reload them into a running state.

Here are the contents of the aticlx.vbs. This (Aticlx.exe) would be a normal process… if I owned an ATI graphics card, and if it were not running from the shady profile folder. That is, until we see what this file is doing.

Hex Display 04

Set objSh = CreateObject("WScript.Shell")
objSh.Run "C:\Windows\Service\Profiles\Local\Service\AppData\Roaming\Microsoft\Windows\Templates\atieclx.exe", 0

So this service runs to keep Aticlx.exe running. This is the core C&C of the exploit, respawning the sub-processes as described above. Running in service mode enables the executable to restart upon termination. Helpful in the event of a user killing the process, and also if there is a code update via the infection botnet. They would want it to be remotely killed, updated and restarted in some instances.
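The two-line VBS launcher above is a common persistence pattern: WScript.Shell's Run with a window style of 0 starts the target with no visible window. As an added example (my code, not from the post), here is a Python analyzer that pulls every .Run call out of a VBScript file, records the target and window style, and explains why it looks like a launcher; the sample input is the post's own script, and scan_tree walks a folder for .vbs files so you can sweep a profile directory. The folder walk and the list of "normal" install locations are assumptions for illustration.

```python
import re
from pathlib import Path

# The two-line launcher from the post, used here as a constructed sample input.
SAMPLE_VBS = (
    'Set objSh = CreateObject("WScript.Shell")\n'
    'objSh.Run "C:\\Windows\\Service\\Profiles\\Local\\Service\\AppData\\Roaming'
    '\\Microsoft\\Windows\\Templates\\atieclx.exe", 0\n'
)

# <object>.Run "<command>"[, <windowstyle>]  -- the WScript.Shell Run signature
RUN_RE = re.compile(r'\.Run\s+"([^"]+)"\s*(?:,\s*(\d+))?', re.IGNORECASE)
PROFILE_MARKERS = ("\\appdata\\", "\\users\\", "\\profiles\\", "\\temp\\")
EXPECTED_DIRS = ("c:\\program files", "c:\\windows\\system32\\")   # assumed "normal" homes for executables


def analyze_vbs(text):
    """Return one finding per .Run call: the target, window style and why it looks like a launcher."""
    findings = []
    has_shell = "wscript.shell" in text.lower()
    for m in RUN_RE.finditer(text):
        target, style = m.group(1), m.group(2)
        low = target.lower()
        reasons = []
        if has_shell and style == "0":
            reasons.append("launched with a hidden window (WindowStyle 0)")
        if any(marker in low for marker in PROFILE_MARKERS):
            reasons.append("target sits in a profile/AppData/temp folder")
        if low.endswith((".exe", ".vbs", ".bat", ".cmd")) and not low.startswith(EXPECTED_DIRS):
            reasons.append("target is an executable outside the usual install locations")
        findings.append({"target": target, "window_style": style, "reasons": reasons})
    return findings


def scan_tree(root):
    """Walk a folder for .vbs files and report only those with at least one suspicious .Run call."""
    report = {}
    for path in Path(root).rglob("*.vbs"):
        hits = [f for f in analyze_vbs(path.read_text(errors="replace")) if f["reasons"]]
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    for f in analyze_vbs(SAMPLE_VBS):
        print(f["target"], "->", "; ".join(f["reasons"]))
```

On the sample, all three reasons fire: hidden window, target under a profile folder, and an executable outside the expected locations. A legitimate installer's script that runs something from Program Files with a normal window style comes back with an empty reasons list, which keeps the scan_tree report short.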

Potential Removal

Notice the Potential wording. This will be on a case-by-case basis, where you assume you have tracked down all sub-threads and related infection vectors. If someone had access to your machine, it is a very good assumption that another possible infection method was added. So explore heavily.

In this case, I would taskkill, use Process Explorer, and monitor the output folder of these programs. In the case of taskkill and deleting the infected files, they just came right back. Continuing, I played around until I noticed which .exe respawned the purged files. Aticlx.exe, IIRC.

To temporarily mitigate this, I made a blank text file, then renamed it as the target file. Once the service spawner was prevented from writing out its related protective .exe files, I was able to stop and prevent the main process from spawning new copies.

For historic reporting, I renamed the original files to a non-.exe filename, thus preventing them from running yet keeping a copy for detection and analysis. As I said, this is why you have to judge heavily whether you indeed removed the infection. In my case, I was able to run a benchmark to see vastly improved performance. Slower system performance was the tip-off that led me to investigate this in the first place.

RATs (Remote Access Trojans) have a nearly invisible footprint compared to a Bitcoin miner, so you will have to look much harder for infections of that level. I have heard the command-line tasklist shows hidden processes that can be masked in your task manager, but nothing is foolproof. The effort to remove malware and exploits from a machine will always be an uphill battle. Hopefully this guide made enough sense to help anyone new to removing these infections. It would also be nice if it helped any veterans remove these infections, since some of this process may not be traditional malware removal.

Most of all, let this show you how limited signature-based detection systems are. MalwareBytes did start finding this infection (PUP.optional.PrimeMiner) sometime around January 2014 or so. However, I am not so sure it also removes the subsequent processes associated with it.


Desktop Window Managers

I enjoy using multiple operating systems. I love Linux for performance, but I have to say most of the window managers are nowhere near Windows or OS X in terms of control and keyboard-shortcut operations. This is a very rant-filled opinion, as I do quite a bit of text-editing work and am a heavy user of Ctrl+Tab and Ctrl+Shift+Tab to navigate between multiple open windows. It may seem minor, but when editing multiple bash scripts, having to select your other window with the mouse instead of jumping tabs by keyboard… is clunky.

I guess the burden of choice also leads to an inconsistent UX across Linux distros. I would say we should step back and recognize that this is a limiting factor in having people fully switch from Windows or Mac OS. That stuff really matters over time in your day-to-day computer usage. Personally, I tend to manage my Linux installs over SSH from a Windows box, or occasionally a Mac as well. Hopefully this becomes a little cleaner an operation on some Nix distros, but as I mentioned, it’s difficult to get everyone to agree. One person’s issue is another person’s workflow working as intended.

This rant came up while encoding videos, where my bash scripts were not simply a Ctrl+Tab followed by a Ctrl+R to replace strings for the next output. When you are grinding out the repetitious stuff, shortcuts are helpful and can lead to better automation too. It depends on what you are up to, but the emphasis on a clean UX is what gets people to invest (mentally and emotionally) in your platform.


Pi-Hole config guide

Raspberry Pi Pi-Hole config guide:
Howdy and welcome to another thread.  I have a history of not being a fan of advertisements and do not run those banners on this site.  Besides being a security concern, I think advertisement gets really creepy online.
Pi-Hole is an operating system with DNS capabilities and use of ad-blocking lists.  The added benefit of the request being denied even without a browser plugin is pretty handy.

Before you install, be sure, whether you are using a Raspberry Pi or whatever device, that your user password is one of your own.  You do not want to go default with your LAN traffic.  If you wanna log a fun time, you can use one of these for short-term logging, a little CTF-monitoring style.  Logs are configured to purge after a few days on a standard Pi-Hole install.  Please be sure to update your OS image with the latest patches via said package manager.  In my case I set the primary network connection to a static address, and set that service connection’s DNS details to use the actual router as DNS server, since all your other network clients will have their DNS set to the fixed IP address you bound to your Pi-Hole device.
SSH is likely disabled.  I like to run my admin session by serial-to-USB in the case of my Raspberry Pi installs.

Follow the install guide and advisory on their site about the curl | bash pipe install.  Quick comes at a trade-off when you do not review the install script part for part.  If you go for the easy install and have read the disclaimer, you can run the single-line install:

curl -sSL https://install.pi-hole.net | bash

This thread is for administering and keeping yours updated, as with my configuration I ran into update issues using just the one connection.  Details ahead cover enabling a second connection to fetch updates, since your primary network connection will have a set IP address and handles DNS requests handed off from your router / main DNS device on your network.

To do updates to the OS and the Pi-Hole local web services, I disable the service network connection to resolve conflicts with web requests trying to get out locally.  All the LAN clients will be fine getting pages.  In this case, I suspect the localhost calls in the Pi-Hole logs relate to my network layout and the device being bound to serve back to itself.  When logged into the [deviceIP]/admin configuration page I would also get failures to resolve the list update servers.

Having plugged in a second USB NIC, or using wireless as an update connection, I ran the following commands to handle my network adapters.  First, turn off the static-address service NIC, in most cases eth0 as shown below:

sudo ifconfig eth0 down

Do some pings and the like to confirm names now resolve.  Do your updates etc. for the OS.  In my case, Raspbian on a Pi 3.

Once those finish, load up the Web Admin panel for your Pi-hole install. Get your ip address for the active network connection with:

ifconfig

Connect to that IP address in a web browser and add ‘/admin’ into the address bar at the end of the IP Address without the quotes around the path.

Log in with your admin password to the admin panel and you should now see that updates are pending.  You need to start with the FTL update.  To do this, return to your SSH session.  As I mentioned, I am working with serial over USB, but you can enable SSH over the network if you so desire.  It is one more service for a network-heavy component, so weigh security against convenience and choose accordingly.
On that SSH console, run:

pihole -up

Wait for the updater to get and deploy the new FTL version.  You will likely also be treated to the Web Interface and Pi-Hole versions being updated to current revisions.  Great!  Almost updated and running live ad-blocking again.
Still on your console, once you see the update completed, turn back on the main network connection we disabled for updating.

sudo ifconfig eth0 up

Overview of the network setup above:
The main Internet router will be the upstream DNS server for the Pi-Hole device.  Manually set client DNS, or change your DHCP server to set client DNS to the static address of your Pi-Hole install (192.168.0.1 is a default-ish router address).  Check your current IP config to get details if you do not know your current network base configuration.
On the Pi-Hole install, set the primary network adapter to an address in that subnet (say 192.168.0.10).  Make sure the DHCP server or router will not also try to assign that address from its pool.  The Pi-Hole’s primary DNS will be set to your local router (as above, the default-ish router 192.168.0.1).

I hope to have avoided huge gaps or inflicted confusion in this thread. Jolly ad-blocking.  Even if you like making money from ads, you have to know they are a vulnerable vector and kind of a shaky market.  I’m not here to tell you what to do, I’m sharing details to help block them on places that run them without respect to visitors.


Technolust save file

I have been playing VR games and decided to take a plunge into Technolust.  Some of the reviews were hit or miss, but if you actually explore around the game and appreciate all the options and content, you may enjoy it nearly as much as I have and continue to.  I wanted to start by noting how much I enjoy it, as this is why I jumped into repairing a save issue I had.

You can save in the game, but I had an issue where each time I loaded the game back up, it looped me to the intro portion instead of the MURC teleport menu you should see after having saved your game.  I shared some of this info on the Oculus forums and Steam once I got a fresh file to work with for saving.  Quoted below.

Quote

Checking my save file, located at:

C:\Users\[username]\AppData\LocalLow\IRIS VIRTUAL REALITY\Technolust 0_9_9_9
I was seeing my save file had a last-modified date from Tuesday the 15th, despite my playing later in the week and saving at payphones (and seeing it say saved on the map screen).
In the “save.txt”, viewing it, it seems to be largely plain text. I’ll move it and see if the game making a new copy resolves the save issue.

The contents of my save file look accurate with areas I have been, but I’m confused why it fails to load. It’s almost like there is a borked character in the save file or something. Here is line 01:
ý~Hilltop Score string

Also of note (but not related to the crash), there are some registry values too. These appear to match my game play.
Computer\HKEY_CURRENT_USER\Software\IRIS VIRTUAL REALITY\Technolust 0.9.9.9

I moved the flat save file and let the game make a new one.  New file does not have the ý at the start of file.  In-game saving also worked after doing this.  Registry still has my high scores from the arcade.  Game loads to teleport MURC menu instead of intro now.

In this case, I moved a copy of my stuck save file, as it was not working due to that 1st character of ‘ý’ in the save.txt.  Using various text editors showed me varied results in the save.txt.  ConText editor showed me mostly blank space and some of the item strings; Notepad seemed to show everything, but without formatting; and Notepad++ showed me a dump of each parameter and their set flags.
Here are some screen caps from each editor showing the same file, along with the registry keys.

ConText Editor
00-ContextSave.png

Notepad (Windows standard text editor)
01-NotepadSave.png

Notepad++ 02-NotepadPlusSave.png

Registry Keys
03-RegKeys.png

Almost all of this information is overkill, since I was only a couple of hours in.  To resolve the save issue I copied the broken save file to another folder and deleted it from the save folder.  Once the game made a new file, I was able to save without issue from then on.  I had fun checking the save file for stuff I missed, but didn’t successfully change any flags for stuff I had not found in-game.  For conversation’s sake, the registry values match my arcade high scores.  When my new save file was made, simply playing the games I had won again, without beating my prior high score, toggled back to my high score once I interacted with them on the fresh save.
You can migrate your save.txt and registry info to another machine, as I did on my laptop to test that I got all the save data.

If there is any takeaway from the thread, be sure to check files in multiple editors.  I also messaged the game dev to say thanks for a rad game.  He noted that encrypting the save file seemed like it would have been contrary to the concept of the game.  Thanks for not doing that, because it was also fun to spelunk through the save data and see how it applied to in-game content I encountered.  I’ll recap the start of the thread by saying I really enjoy this game.  Hell, it was so good, I was concerned enough to figure out the intro-looping issue.  Hopefully you don’t have the same issue, but if you do, it’s relatively easy to fix.
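The "check files in multiple editors" takeaway comes down to how each editor decodes the first byte. As an added example (mine, not from the post or the game), the Python below inspects a file's leading bytes the way an ANSI editor and a UTF-8 editor would see them and strips stray non-ASCII lead bytes from a copy. The sample is constructed from line 01 quoted above; that the offending byte is 0xFD is an assumption based on the ‘ý’ glyph (its Windows-1252 rendering), and the trailing lines are made up.

```python
import codecs

# Constructed sample modelled on line 01 quoted above: a 0xFD byte (which Windows-1252 renders as 'ý')
# in front of otherwise plain ASCII text. The real file's byte is an assumption based on that glyph.
SAMPLE_BROKEN = b"\xfd~Hilltop Score string\r\nLevel01 1\r\n"
SAMPLE_CLEAN = b"~Hilltop Score string\r\nLevel01 1\r\n"

BOMS = [(codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be")]


def inspect_lead(data, width=12):
    """Describe the file's first bytes the way different editors would decode them."""
    bom = next((name for mark, name in BOMS if data.startswith(mark)), None)
    first = data[:1]
    try:
        data.decode("utf-8")
        valid_utf8 = True
    except UnicodeDecodeError:
        valid_utf8 = False
    return {
        "bom": bom,
        "first_byte_hex": first.hex(),
        "first_byte_printable_ascii": bool(first) and 0x20 <= first[0] < 0x7F,
        "as_cp1252": data[:width].decode("cp1252", errors="replace"),  # Notepad-style ANSI view
        "as_utf8": data[:width].decode("utf-8", errors="replace"),      # UTF-8 editor view
        "valid_utf8": valid_utf8,
    }


def strip_stray_lead_bytes(data):
    """Return a copy with leading non-ASCII bytes removed; work on a copy and keep the original file."""
    i = 0
    while i < len(data) and data[i] >= 0x80:
        i += 1
    return data[i:]


if __name__ == "__main__":
    print(inspect_lead(SAMPLE_BROKEN))
    print(strip_stray_lead_bytes(SAMPLE_BROKEN) == SAMPLE_CLEAN)
```

On the sample, the ANSI view shows ‘ý~Hilltop’, the UTF-8 view shows a replacement character in its place and valid_utf8 is False, which is exactly the disagreement between editors described above; a file that starts with a byte-order mark is reported as such rather than as garbage.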


SMB levels and services

Especially over the last few months, the public face of SMBv1 and how vulnerable it is has become a solid talking point. If you have poked around on some Windows Servers and also some Nix file servers, you may have noticed these legacy-era protocols still running. Even if you have a more recent Windows Server deployment, they tend to have SMB 1 enabled by default.

Oh Lordy. If you have done any nmap scans you may have also noticed there have been notifications about SMB1 for a loooong time. Lucky for us, I would like to think that by disabling SMB1, all your existing systems would still work. Please note the optimism, because that’s all it is if you do not confirm things still work after having turned off SMBv1 or, for that matter, any service.

Microsoft has a guide using PowerShell to manage these. Before you go wild, do make sure to note that SMB 2 and 3 are related and enable relevant network features too.

If you still have XP devices connecting to servers (gods save you), you will lose communication when you turn off SMB v1. Another fine reason to finally push and accomplish getting rid of those things. I think cryptolockers scared non-security people enough this year, to give your pitch some viability.

Looking at the PowerShell syntax, Windows 8 and Server 2012 have some really clean PowerShell cmdlets. On Windows 7, Server 2008, etc., you are essentially changing a registry key on the command line / by script. If you are running an Active Directory domain, you can push the SMB 1 disable out over Group Policy. Once again, pause to make sure stuff works after you do this, and it would not hurt to roll this out in waves, so as not to cause a huge problem in one fell swoop.

You can also have fun diving into some PCAPs to get a feel for the SMB levels in use. You can apply filters to weed out noise from your capture. Keep good notes. I don’t know about you, but when I tell people I’m doing security maintenance, some folks like to come up with fantasy stories of things they say worked prior. Typically stuff that never worked, or something that was decommissioned months prior, not the week of your rollout.

Jolly August. Fall is creeping up :)

Just bumping as a reminder that SMB 1 is natively enabled up to and including Server 2016 test builds. Running the below may shock you in seeing that EnableSMB1Protocol is, by default, set to True.

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

On Windows 2012 or greater machines, you don’t have to reboot after the change, unlike the older server and workstation machines. To disable SMB1, run the following, then re-run the check above to verify it’s off.

Set-SmbServerConfiguration -EnableSMB1Protocol $false
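The PCAP review suggested earlier in this post and the server-side check above answer two different questions: the cmdlet tells you whether the server still offers SMB1, while the capture tells you which clients would break when you turn it off. As an added example (not Microsoft's tooling and not part of the post), the Python below builds constructed SMB negotiate requests and parses them: an SMB1 Negotiate Protocol Request carries its dialect list as 0x02-prefixed strings after the 32-byte header, and a client that lists only SMB1 dialects there (no "SMB 2.002"/"SMB 2.???") is one that will lose access once SMB1 is disabled; an SMB2 NEGOTIATE carries uint16 dialect codes after its 64-byte header and 36-byte fixed body. The payloads are assumed to already have the NetBIOS session and TCP framing removed.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72   # SMB1 command code; SMB2 NEGOTIATE is command 0x0000
SMB2_DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def build_smb1_negotiate(dialects):
    """Constructed SMB1 Negotiate Protocol Request: 32-byte header, WordCount=0, ByteCount, dialect list."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return header + b"\x00" + struct.pack("<H", len(data)) + data


def build_smb2_negotiate(dialect_codes):
    """Constructed SMB2 NEGOTIATE request: 64-byte header, 36-byte fixed body, uint16 dialect array."""
    header = SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58
    body = struct.pack("<HH", 36, len(dialect_codes)) + b"\x00" * 32
    return header + body + b"".join(struct.pack("<H", c) for c in dialect_codes)


def parse_negotiate(payload):
    """Return which protocol family a negotiate request uses and the dialects it offers, or None."""
    if payload.startswith(SMB2_MAGIC):
        if len(payload) < 100 or struct.unpack_from("<H", payload, 12)[0] != 0:
            return None
        count = struct.unpack_from("<H", payload, 66)[0]          # DialectCount
        if len(payload) < 100 + 2 * count:
            return None
        codes = [struct.unpack_from("<H", payload, 100 + 2 * i)[0] for i in range(count)]
        return {"family": "SMB2", "dialects": [SMB2_DIALECT_NAMES.get(c, hex(c)) for c in codes],
                "smb1_only": False}
    if not payload.startswith(SMB1_MAGIC) or len(payload) < 35 or payload[4] != SMB_COM_NEGOTIATE:
        return None
    word_count = payload[32]
    offset = 33 + 2 * word_count                                  # skip the Words block (normally empty)
    byte_count = struct.unpack_from("<H", payload, offset)[0]
    data = payload[offset + 2: offset + 2 + byte_count]
    dialects = [chunk[1:].decode("ascii", "replace") for chunk in data.split(b"\x00") if chunk.startswith(b"\x02")]
    return {"family": "SMB1", "dialects": dialects,
            "smb1_only": not any(d.startswith("SMB 2.") for d in dialects)}


if __name__ == "__main__":
    # Constructed samples: a modern client doing the multi-protocol negotiate, a legacy-only client, an SMB2 client.
    for sample in (build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
                   build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]),
                   build_smb2_negotiate([0x0202, 0x0210, 0x0300])):
        print(parse_negotiate(sample))
```

Feed it the payloads of the first request on each client's port 445 session from your capture, and the entries with smb1_only set are the hosts to chase before flipping EnableSMB1Protocol to $false; a modern Windows client also starts with an SMB1-framed negotiate, which is why the SMB 2.x dialect strings inside it matter.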


Oculus Rift VR

Jack in, it’s cyber-time.  Seriously though, if you are still reading, I squeezed in on the Rift $399 bundle with Touch that went active last week.  I want to describe the experience of moving through a virtual environment and seeing your hands map in that realm as they do in reality, but it’s really something you have to try to fully appreciate.  I’m going to overview the hours I have spent in it so far, using Oculus software, enabling SteamVR and also some games and titles.

2017-08-17 Edit:
I wanted to mention Oculus Tray Tool and setting Super Sampling.  I have since upgraded my GPU to a 1080 Ti and am running Super Sampling @ 1.5.  Oculus Tray Tool will also let you disable USB auto power save in one click and also give you access to visual HUD overlays / debugging options.  The super sampling really cleans up the image quality to mitigate the screen-door effect / obviously seeing pixels.
/edit

Primer here.  You need a computer of comparable performance to drive the display of your Rift headset.  I see a recommended spec of an Intel i5-45xx series processor / CPU and Nvidia 970 or higher for your video card / GPU.  I recently built up an i7-7700k w/ 980 GTX build and it has performed extremely well in VR, without frame-rate slowdown.
Your VR headset uses 1 HDMI and 1 USB connection, with the HDMI going directly into your video card.  In my case, I already had my external display on DisplayPort.  As the 980 GTX (and most recent cards from what I have seen) has 1 HDMI and the rest of the ports are DisplayPort, you want to make sure your primary monitor is not using that HDMI output on the GPU / video card.

Additional hardware setup will be calibrating your spatial sensors, syncing any controllers and of course installing the Oculus software.  Fair warning that Windows 8.1 seems to be the baseline and there are some games that require Windows 10.  I’m on Windows 10 and wanted to warn you in advance, especially if you are still main-lining Windows 7.  Most important of all, you need physical space to play the Rift.
There are a few sitting-compatible games I have found, but the more exploration-heavy titles are going to need you to have at least a 3 x 3 foot area clear.  From the center of your area, you will need to fully extend your arms to the side without being restricted.  Movement depth is less relevant but also important.  Some titles actually need you to be able to move back significantly far (as in around 7 feet away from the sensors).  I have so far tested in a 3 x 3 area, as I would need to use the living room for the deeper dimensions.  Since I picked up the Rift and Touch combo, I have 2 physical sensors installed.  1 came with the Oculus headset and the other came with the Touch package.

I mentioned some of the contents but what you can expect to unbox are:

  • 1x Oculus Rift headset
  • 1x Sensor bar.  It looks like a small camera.  I suspect it works off Infrared similar to the Wii and Kinect devices.
  • 1x Xbox One gamepad, USB dongle and extension cable.
  • 1x Oculus remote.
  • 2x AA batteries for the Xbox gamepad.
  • 2x Oculus Touch controllers.
  • 2x AA batteries. 1 for each Touch controller.
  • 1x Oculus sensor

Once you clean up a space for you to move in VR without falling IRL, your first step after trying the tutorials (FYI: you can repeat these @ any time by clicking them in the desktop Oculus application, under your Library tab) will be to get used to recalibrating center.  This will be most appropriate when changing between standing and sitting play.  In Steam you get to the system menu via the right controller’s Menu button.  There you will see a re-center calibration.  If you are sitting, set your height to approximately where your head is from the ground.  I find 42 inches (3 ft 6 inches) works well for sitting.  Some of this will need you to interact with the Windows desktop for the height adjustment.
If you load SteamVR and are below the ground, you need to change your height settings.
Similarly in Oculus VR, the right controller’s Menu button gives you a similar option to re-calibrate center.  For height adjustment in Oculus, you’ll want to go to Settings | Devices | Configure Rift to change your height.  You should be able to pick the re-center option without taking your VR goggles off, as with Steam as well.

Next post will cover some applications run in VR.

Most of these are on both the Steam Store and Oculus Store.  I started in the Oculus store, until I was able to get SteamVR running.  To get SteamVR to work you need to click the gear icon for Settings in the desktop program, then click General.  On this screen, enable the toggle for Unknown Sources.  Once you do this, SteamVR will be able to interact with the Oculus gear; before setting this option, Steam will say it cannot find your headset and accessories.

You will need to load SteamVR from your desktop, until or unless you enable the following mod to create a Steam icon.  In that guide, you are downloading a VR film, replacing the executable with a batch-modified exe that loads SteamVR, and also replacing some image files to show the tile in VR.  Have fun hacking up some custom icons with the info from that guide.  It’s fairly easy to follow and you will then be able to launch SteamVR from within the Oculus VR environment.

I’m starting a little backwards describing my exploration, but one of my main objectives was to interact with my desktop OS in VR.  Steam handles this by selecting Desktop when you press the left Menu button on a Touch controller.  This will get you back to your actual (likely Windows) OS.  I was browsing Twitter and reading email in VR.  It’s a wild way to have a huge super desktop, while also letting you interact with VR games that launch from Desktop.  Steam has a few of these but I have not encountered any in Oculus VR yet.
Kickass.  Speaking of interacting with my desktop, I also wanted to see if I can open and manage files in a 3D realm.  I can indeed open images, movies and music by using AVOlight.Space (Multi-Screen Media Player).  The free download lets you load one screen and puts a watermark on each additional screen you load.  This can be removed by buying the $9.99 DLC content to unlock the program.  Seeing how it worked made it a no-question for me.  This app has slideshow support, music and video controls, image rounding options along with depth perception to toggle zoom and placement of your displays.  If you want to view some files in multiple windows, this is the jam.

Google Earth VR is a free download that allows you to browse Google Maps in 3D.  If you ever switched visual modes and saw the tracking of depth for images, you will certainly see how the landscape is mapped as a rendered world with relative height and depth.  This is pretty impressive to zoom and fly around in, granted I was moderate in controlling well the little I played in it.  There are also area tours you can load up and enjoy, in the event you do not have any good ideas on where to search and visit.  I wonder how restricted areas map.  I’ll let you know on that one, since they are normally blurred out.  Hopefully it doesn’t clip us out of the map.  In this case, I was using the touch controllers as my primary input.  Sitting compatible.

Lucky’s Tale. Included platformer game with some good level design.  Graphics are cutesy, like a Spyro-like game.  You have height obstacles in world maps that surround you.  I was playing with the Touch controllers but this one appears to be designed for the gamepad / Xbox controller.

Oculus First Contact. This is likely the demo you play upon configuring your Rift.  A very immersive interactive demo.  I was mind blown in there and immediately suggested someone else try it too.  Great demonstration and interactive guide on using Rift and Oculus.  This is also listed in Tutorials as Touch Tutorial Complete.

Oculus Dream Deck. A video demo of a few oculus applications.  Be sure to spin around and enjoy the world map, as the case with anything else you play.

Makebox. A slick pixel editor.  I watched a video of someone giving a tutorial and was sold.  I have to try and make some dank pixel art as well.

Darkness Rollercoaster. Sitting rollercoaster ride.  Cool immersion and depth objects used.

Rick and Morty: Virtual Rick-ality.  Very cool game that is a little difficult but rewarding.  The VR design and implementation is quite good. You may find yourself restricted in a 3×3 foot space but can re-calibrate center to accommodate this.  Crude humor and interesting use of environments.  I have been playing this for a few hours and it is a standing title, as you are doing quite a bit of exploring and reaching down.  I bought it on Steam, largely to test streaming functionality.  I can say the streaming rooms do work in SteamVR.  I finished this tonight in about 5 hours of playtime.
Be warned this game is designed for a Roomscale setup.  That being a deeper area to walk around in.

Oculus Medium. Very robust image editing and world tool.  You can save and export materials.  Fun object creation and manipulation of a clay-like substance.

Mission ISS. This is a VR space simulator.  You can pivot around the spaceship and enjoy the view.

Blocks by Google. Another image editor in a 3D space.  The easel is in your right hand while your drawing tool is in the left.

Preta: Vendetta Rising. This is a dungeon crawler game with multiplayer either coming or available after you complete the chapter 1 missions.  I have an hour or two into this game.  There are 3 character classes to pick from at the start and some tutorials that keep you in a level environment.  I was reserved on the quality until I got to see some of the actual dungeons.  The level design layering and depth is pretty impressive.  Town is pretty close to most MMO-like RPGs: quest NPCs in town, skill-up trainer, shops, etc.  You get a bonus for early pre-release stuff but there is also an RMT item system.  That’s a flag for performance down the line on growth.  In other words, it may become a very grindy game to encourage buying into currency boosts.

Sketchbox. VR prototyping platform.  Really cool for prototyping a 3D environment.  I’m going to try and import some 3D videos and do a mock-up environment.  Especially if you want to make a VR application, you can mock it up in here quickly.

EVE: Valkyrie.  This is a flying space game.  The controls seemed tight but it was fun for a space shooter.

Sports Bar VR. Standing game that I played last night.  Darts, Air Hockey and Pool are available.  I only played single player but it does feature online and lobbies.

The Climb. Standing game that I played about 2 minutes of due to sitting at the time of night when I tried it.

I will add more info about the last 2 games when I play them in a standing mode.  This is what I got to explore so far.  Some content is free and steam also appears to have some demos on there,  I purchased the following or got them in a sale promo:

  • Rick and Morty: Virtual Rick-ality: $30
  • AVOlight.Space. Free single display.  Unlock multiple for $10
  • EVE: Valkyrie. Free with Summer of Rift Promo.  Typically $40
  • Makebox. $10
  • Preta: Vendetta Rising. $35
  • Darkness Rollercoaster. $2
  • Oculus Adventure Pack: $70, which includes:
    The Climb
    Raw Data
    SportsBar VR
    I Expect You To Die
  • Lucky’s Tale. Included with your Rift purchase.

    I also decided to pickup a 3rd sensor for better tracking when playing roomscale games. This is especially relevant when turning around and away from your desktop / front sensors. Adding the 3rd sensor will wrap you completely in motion tracking. I saw this when playing Rick and Morty and mitigated it using the recalibrate center steam menu option (that also is in the Rift menu).

    I forgot to mention I got the $399 bundle by going to a Best Buy store and getting the Rift and Touch packages.  When rung up at the register, it will be at the Promo rate and you’ll get the Oculus store coupon for your free copy of EVE: Valkyrie on the receipt.  I have heard and seen that Amazon is pending more inventory, so head to a store and grab a kit if you don’t want to wait.  Make sure they actually have ’em in stock, as I got the next-to-last headset last Saturday at a local store.

    I did not see anywhere with the stand-alone sensors in stock so I ordered one from Amazon.  They are also out of stock with no indicated restock date.  I’m looking forward to setting up roomscale with 3 sensors to cover me when I turn around.

    I have about 20 hours in VR so far and I am really enjoying it.  I have been scouring the app stores for interesting free apps to check out too.  Plenty of movies and some games to be found.  Largely you have Oculus store, SteamVR store.  Also a good resource is the Oculus Reddit page.
    If you turn on Spectator mode in Rick and Morty but forget how to disable it, you need to do it from the in-game menu.  Open the entertainment center right cabinet and toggle the switch. :)

    These are items included with your equipment purchase.  EVE being an add-in for the Summer promo.

    • Lucky’s Tale
    • Medium
    • Toybox
    • Quill
    • Dead and Buried
    • Dragon Front
    • Robo Recall
    • Eve: Valkyrie

    There are some good threads for applications and games on the Oculus forums. Medium has some real quality artwork and posts in there to explore.  Lots of artwork to enjoy in this thread.

    I turned off the tracking grid shortly after getting used to how much physical gaming space I had.  Seeing the block grid was wrecking my immersion.  You can turn off the floor grid indicator as well.  You can do these in Oculus VR from the right touch controller settings menu.  I’m guessing this is what people mean by ‘screen door effect’?

    I should have a 3rd sensor hooked up early next week.  2 should be fine for most everything, but a 3rd helps if you are playing a roomscale heavy game like Rick and Morty.  I’ll be following this Oculus guide for configuring and placing sensors for roomscale. Edit with 3 sensors hooked up.  It will have you re-run the configuration wizard and welcome tutorial when the 3rd sensor is plugged in.  You really want all 3 of these sensors at the same level height. Otherwise your FOV will be highly skewed to the highest sensor.
    Recalibrate your height to confirm your standing height (or change it to your head from ground while sitting (42 inches / 3 foot 6 inches in my case)).  The avatar editor has a background with a ruler, if you take a selfie from the customize screen.
    To change your standing or sitting height, in the Oculus desktop software, click the Gear | Settings.  Along the left you will see Devices | Configure Rift | Floor Position.  If you are playing a sitting or gamepad game, this may be helpful to adjust your field of vision.

    Respect to the Overclockers.com.au community for tipping me off to running Oculus Tray Tool.  ASW mode will help with performance and you can also disable power-saving for the usb ports to keep your tracking active while playing.  There are some Virtual HUD overlays that are helpful for debugging and performance monitoring.

    Also of note from the forums is that switching to the Beta version of Oculus Home, it will detect your SteamVR titles on launch and add them into the Oculus app.  So you don’t have to side-hack an icon for SteamVR using this method.  Once you load the Steam title, it will pop into your Oculus applications menu.

    Your headset has a microphone and it is on by default.  If you wish to disable this as I did, jump into your Control Panel | Sound.  In your list of Recording devices, right-click on the Rift Audio microphone and select Disable.  If you want to turn it back on, be sure to check the ‘Show disabled devices’ option so you can see the microphone to re-enable it.

    Speaking of Steam, The Lab is a 15GB or so VR platform you can give a try.  I played around with it briefly in the lab and some of the other mini-games.  Pause to note that your standing height absolutely matters for this, so if you have your Room Config in Steam set to a sitting height, you need to change that to your standing height.  This varies from game to game, but is especially noticeable on Steam when going from a standing to a sitting game.  Oculus seems to better accommodate sitting or standing without needing to re-adjust your height, by using the ‘reset app position’ option from the main Oculus Home menu.

    Stand-out applications have to be Google Earth VR.  It’s really wild to see the area topography and be able to fly around in spectator-like mode around the world.
    Dactyl Nightmare has been re-made into Polygon Nightmare.  This is a re-creation that is pretty wild and fun as a single-player bot deathmatch.  You may get ill from the movement, but I played for about 40 frags, enjoying the strafing with my upper body to move around the map.  Both Google Earth VR and Dactyl Nightmare are free apps.
    I have put some hours into Chronos as well.  It’s a good exploration / puzzle game that keeps me drawn in.  The leveling mechanic is interesting and has me getting a little angry when I die for sloppy reasons.  The level exploration is really rewarding in 3D.  Worth the $40 if you ask me.

    In respect to demo’ing VR, people really need to wear the headset.  If you watch the LCD output, it will be super bland without the depth.  I had my GF try a few things and so far the immersion hit hard with Google Earth VR.  She was off exploring the world, juggling views and continents.

    I have also dabbled in Rock Band VR as a local store had one of the Xbox One guitars in the back.  Apparently those things are going for $90 on Amazon, despite being $40 new if you can find one in stock.  I did chuckle at having to flash the guitar firmware for it to work with RB VR.  It did indeed work and when playing, I was reminded that I am not a rhythmic person.  I only got an hour or two into that game so far.  Considering the price of game ($50) and the Guitar ($40 with Xbox One Rivals Rock Band pack), this is a more costly game to get into.  I have to say the use of the touch and the add-on mount that came with your controllers, is pretty cool with showing the Guitar on your person in VR and the crowd around you.

    Darknet is a puzzle game about hacking computer networks.  It uses a cluster honeycomb design where you pick insertion points for various vulnerabilities to spread to nodes, allowing you to seize the network and obtain root.  Really cool graphical design and addictive gameplay.  A good score for the $10 asking price.

    Thanks for the feedback on your time with it.  I wear glasses of 1.25 or so prescription so that may play a factor in my not being as bothered by the pixelation.  I don’t wear my glasses in VR.  Glad to hear you were able to work a refund out too.

    I saw some people are bumping up the image quality using super sampling (via Oculus Tray Tool), similar to playing FFXI with better looking textures.  A few of the VR games I played have some native graphic options, namely Chronos.  Bumping up that IQ makes a huge difference, as the default in that is definitely a pixel show when you get close to your character.

    I forgot to mention you are right about the length of games for VR.  Many of them seem to be a few hours.  Hopefully the surge of headsets gets more content out there.  I think a big part of the challenge will be quality to performance cost, as top-end video cards and most other PC components to go with the headset, will make the barrier of entry even higher.

    2017-08-04 edit:
    I installed these sensor wall mounts in my play area and the floor and 360 coverage is MUCH better than when I had them on the included posts at desk height.  The linked 3D print, I had to file the diameter wider for the IR camera to fit in, but other than that it works great.  I used the double-sided tape mounts from 3M, as to not wreck the drywall in my apartment.
    Sensors are mounted roughly 6.5 ft from the floor, aiming downward.  This helped full 360 rotation and ground coverage quite well.  My crude diagram of camera placement is:
    _______________________
    |         <- 02            <- 01  |
    |                                        |
    |                                        |
    |                                        |
    |<- Sensor 03                  |
    _______________________

    Sensor 01 is along the wall where my desk is in the corner.
    Sensor 02 is about 5 feet away from the corner sensor.
    Sensor 03 is about 10 feet from the back wall where 01 and 02 are installed and about 6 feet from sensor 2 to the corner of the adjoining wall.
    I have the front 2 sensors lightly at inward angles to the area I stand, with sensor 3 pointing, basically back to my monitor between sensor 01 and 02.  This also passed my Rick and Morty floor grab test, vastly better than the prior desk height mounts.

    I just received my prescription WIDMOvr lenses last night and have been playing every other night on average.  The glasses insert is excellent.  Great quality lenses that match my glasses prescription, the frame insert fits well into the stock Rift face guard and the elastic for the rift cover also helps keep the lenses in place.  There is room between the rift lenses and the inserted prescription so you do not have to worry about scratching.  I tried using the rift with my normal glasses but did not go that route because of tight removal and scratch threat.  I can still see but my clarity is better with my prescription, for point of reference.

    I also picked up a 3 ft usb and hdmi extension cables.  The HDMi cable is an Insignia brand extension from a local BestBuy, that I found in the television section.  I went with an Amazon basics 3 foot usb3 extension as many people referenced it for working well.  I had some issues getting audio to play consistently over the extensions on my desktop, but then I added an Inateck Superspeed 4 Ports PCI-E to USB 3.0 Expansion Card as I saw some Oculus folks on reddit talk about the sensors and headset eating up much of the USB bus bandwidth.  I do have to say, my extension issue went away installing this card and putting 2 of my 3 sensors on it, with the Rift HMD hooked to the USB on my motherboard.

    Besides hardware I have been playing some games.  Also a fun program is Bigscreen.  It’s comparable to Desktop mode when running Steam but I think it has better touch button binds.  I find it very nice for interacting with my desktop windows, while still in VR.  Right-click, Left-click, mouse cursor and scrolling are all done on either hand.  You can hat-press to remove the login screen when you load the program up.

    Face Your Fears is a free program that has 2 doors to cinematic experiences.  The city door is pretty intense, while the haunted house door… is pretty damn freaky.  I was suggested to check this out by a friend and we were both scared af by the haunted house.  Lol, you might not want to let kids try this one, because it’s damn creepy or I’m just a pansy. :p  Sitting or standing experience, granted you are really just spectating and adjusting your head to view the area you are in.

    Batman Arkham VR gets review beef for being a short experience, but take note it is also a great one.  The quality of graphics, tools and interaction is top notch.  If you want to see a viable peek into what a full VR game done with high production value looks like, this is one to buy.  It has replay content for re-doing the story and I was well embracing the story it presented and some of the easter egg content.  It’s $20 but looking at the extent of the content, I feel it is worth the asking price.  If you enjoyed previous RockSteady Batman titles, this will show you the new shit coming down the pipes.  This supports sitting and standing play, but lends better to standing play.

    Technolust: Extended Format is a game you can blast through but you will certainly miss most of the relevant story and not have explored the world or options.  I got 20+ hours out of this easily.  It has mini-games too, but the interactions and narrative that go with the in-world are what are to be best enjoyed.  This is an older game (haha so that means 2016 in VR terms) that has touch support added.  Most of your aiming is actually done with your head instead of the gamepad / touch controllers.  I’m on board with any more content released by this team.  Easily one of my best purchases.  Works well for sitting or standing exploration.

    Windlands is something I saw mentioned as a game to try.  It also has a ‘Buy it on steam and you will get an Oculus key’ feature through their website.  I want to pause and say between the 2 stores, if you have an Oculus, play the Oculus store version.  The controller config is more likely to be optimized for that platform, as is the case with Windlands on Steam being configured for a Vive and the Oculus Home version being configured for Touch.  There is an option for some games on Steam to ‘launch in home mode’, but this is not the current standard.
    Back to this game, it is an exploration via grappling hook traversal.  The areas are well done to have you figure out what route currently looks viable and how you are going to use your grappling hooks and jumping to obtain the objects on the world map.  Very solid and good looking game.  Plenty of control options between sitting and standing play.

    Nature Treks VR is a collection of area environments.  Woods, underwater and other outdoor areas.  This experience is pretty demanding on your computer, since it renders the entire stage area and surrounding creatures.  Looks very cool to relax in and explore.  You can use locomotion or teleport transportation.  You can plant extra trees and stuff too.

    Serious Sam: The Last Hope is a stationary shooter.  If you played the other games, the enemies and stages will look familiar.  Main take-away being you stay in place and shoot away hordes of monsters until you get to the world boss fight.

    Rez: Infinite is a VR shooter with music note and scoring to your attacks.  It’s a fairly short adventure but it’s done well and has some extra modes as well.  The presentation and levels to boss fights are done well. $20 for this game.  Both standing and sitting supported, as you move by controller and look by head rotation.

    Mountain Goat Mountain is a free game that is simple but fun.  Kind of like a Q-bert game to traverse the map, eat food and score coins.

    I’m looking forward to jumping into some more VR stuff this weekend.  I played a little more Preta: Vendetta Rising after they dropped the price and removed some of the RMT content.  I am currently on mission 5 on chapter 1 but I’m not riveted by it so far.
    I picked up a puzzle game called Dimensional for $5.  One can only play so many gun shooters, both regular and VR wise.  I am also going to try out Karnage Chronicles this weekend.  It sounds like an impressive hack-n-slash game.  I grabbed it on Steam, since it’s not yet on the Oculus store.  Checking the Steam forums, it should detect and work with the Oculus fine and find the controllers as Touch instead of the Vive wands.

    Nov 14th:
    I took a break from VR, largely due to playing Nintendo Switch games. I also played Karnage Chronicles and got really VR sick, like terrible headaches and all. I know some people claim to be immune to vr / motion sickness, but wow, hacking and slashing in a dungeon wrecked me with locomotion controls.

    I visited my friend and his kids a few weeks ago and did a VR demo. They loved it, especially the older teen, as he is a huge pc gamer. I’m going to hook my gear back up this week and jump back in. I still have some ideas I want to try for creating some content, but in the mean time I’m also excited to try Obduction, from the Myst creator team. I also started Edge of Nowhere and should continue that tomb raider-like platformer.
    Windlands is actually pretty fun but I got stuck within maybe an hour. Short of the issue of knowing where to proceed, it is quite fun grappling around the world map.

    I may pickup Doom VFR but I want to see how it is received and if it gets actual oculus support. I’m thinking I’ll pickup Skyrim again but on the Switch, since it’s a huge game and being able to play it in tablet mode will make it more accessible over time. According to steam, I dropped 202 hours on the PC edition (Level 37 and surely some idle time with the game running). It looks like I played the Dawnguard expansion too.

    Jumping back to VR, I played .Hack in BigScreen. Wild with the giant screen and the map being in the top right of my full view pane.

    If you recently have terrible tracking jank or lag with your head movement tracking, may I suggest updating nvidia drivers. Especially 388.13 in my case. I do note that I had a 3D vision driver installed as well, that I removed before upgrading to 388.31 edition drivers.

    Since I do not use the 3D capabilities I try to uncheck the install via Custom Installation. I’m not a user of Nvidia Experience either and manually put new ones (drivers) in fairly often. I was going raw on troubleshooting by switching cables and distributing across USB controllers, but the driver conditions above fixed me back up.

    My issue was especially visible on the Oculus home menu. My tracking sensor locations were similar to prior sessions this week. I was happy to weed it down to a driver factor after a little ghost hunting on the troubleshooting.

    If you think Windows 10 is noisy, you should enjoy the connections your PC will make to graph.oculus.com. I blacklisted that for a few minutes and noticed none of the store content displayed. I could still view and load my library though.

Categories
Hardware Software

Corsair Hydro Coolers and Fan Headers

This is kind of an odd issue, as the documentation for Corsair Hydro coolers will tell you to plug the power into the CPU header on your motherboard.  Having built a new machine recently, I see newer Asus boards have a dedicated pump header.  I like these coolers as they work well and cost less than custom copper water blocks.  The point of this thread, however, is for older boards like the Asus Hero VII I had prior.

You want to disable the Q-fan options in your BIOS, as otherwise it will limit the pump output and not cool properly.  For the Windows users, there is a Corsair Link application that will show you the pump rpm.  In the case of a H80i cooler, this is typically running at 3200 rpm when set to the Performance preset.
Default will be around 1900 rpm with the balanced setting.  So long as you are not running in an extremely hot room, that preset should be fine.
In your BIOS, check the following tree: Monitor | Fan Speed Monitoring | Fan Speed Control.
Set those to disabled and you should be good to go.  Also under those settings, disabling the fan controls can prevent the CPU fan error on boot.

For reference, I am using a H115i on this i7-7700k and was previously using an H80i with the i5-4690k.  On the i5-4690k setup after a BIOS flash, the fan settings were reverted and I was feeling significant heat buildup in the top tube coming off the CPU back to the radiator.  Temps were also quite high.  Fixing the Q-fan settings resolved the nasty temps on the rebuild.

Categories
Software

KB3201860 Adobe Flash?

So I did not install Adobe Flash, it is not in my add remove programs, nor is it any active plugin for my installed web browsers.

On this machine, I have Windows 8.1 and the Flash options in Control Panel, but no Add/Remove entry for Flash. I was legit baffled seeing this update pop up, as I didn’t install the software, because I feel it is more harm than good, as a security exploit vector.

KB3201860 details @ Microsoft. I am still digging around but I am really concerned how something I didn’t install is on here. I guess it will be an interesting weekend, finding this and gutting it out of this system. I also see no Adobe windows services installed.

I have heard and seen Google Chrome has its own version of Flash. But it adds extra concern if it’s escaping the Chrome ‘sandbox’, because if you can make a call to it, it can be exploited. IMO and all of that.

Oh wow, the plot thickens. Thanks to Adobe’s link, it is rolled in with Windows 8.
Checking with this Installed Flash web tool, Chrome of course has Flash, as it’s baked into Chrome. My installed Mozilla based browsers fail the test (yay). IE 11 on Windows 8.1 also has its baked in Flash. It looks like that is what this update is for. Now of course comes the quest to stop it from being able to execute or be invoked.

… So then I checked again and saw Shockwave Flash Object in Internet Explorer Add-ons and was able to disable the plugin, after which the ‘Is this installed’ check failed.

Categories
Software

Firewall Log Fun

This thread is ongoing, but let me start with the results I have from a year’s worth of dropped firewall connections.

  • January 2016: 228376
  • February 2016: 253698
  • March 2016: 244374
  • April 2016: 494842
  • May 2016: 611021
  • June 2016: 259013
  • July 2016: 529243
  • August 2016: 406937
  • September: 2096766
  • October: 264421

Let’s jump back a minute. I am importing firewall logs for dropped connections into a MS SQL Database. September as you can see is a fun month with 2,096,766 records.
Since my firewall is a Zyxel device, I gave a look at the .csv delimited log output. Easily enough you can use a Data Import Wizard to spin the logs into some tables. Rough table to log structure is as such:

-- One table per monthly log export; the hyphen in the name means it must be bracketed
CREATE TABLE [dbo].[zy2016-09] (
  time VARCHAR(50) NULL,
  source VARCHAR(50) NULL,
  destination VARCHAR(50) NULL,
  priority VARCHAR(50) NULL,
  category VARCHAR(50) NULL,
  note VARCHAR(50) NULL,
  sour_interface VARCHAR(50) NULL,
  dest_interface VARCHAR(50) NULL,
  protocol VARCHAR(50) NULL,
  message VARCHAR(250) NULL,
  col00 VARCHAR(250) NULL
);

I am having fun crawling some output. Typically it’s some sort of fancy OpSec to not say your type of network gear, but this is meant to be informative and hopefully helpful.
So let’s crawl some queries and output in the next post.

I am in the middle of crunching data at the moment. Since we have some records, I am starting with the gigantic table for obvious trends in the dropped connections.

I didn’t have good criteria yet, so I went with ordering the output by Source, in Descending order. Giving the old scroll observation, I saw quite a few connections on port :7759.

Quote

2016-09-19 16:21:36 99.98.xx.xx:7759 xxx.xxx.xxx.xxx:7759 notice firewall ACCESS BLOCK wan1 udp Match default rule DROP

I’ll mask the IP addresses for the moment; the xxx.xxx address was my public IP at the time. Yay, it was dropped. So that’s a nice log to see.

Jumping back, I started with normal phishing ports but they were not yet as interesting as the following query.

SELECT * FROM [dbo].[zy2016-09]
WHERE [source] like '%:7759'
ORDER BY [source] desc

975340 rows returned, out of 2096766 rows. That was a big old flag for just looking into the 99.xx range by an output sort.

I’m going back to reviewing results and trending them. I did skip some details for procuring the logs from your device, setting the firewall up to log to a USB device, and so on. Manually reviewing logs sucks and being able to do queries with COUNT(*) for totals is nice to know what you might be dealing with. Always remember the internet is being port scanned, so logging some of it hitting you lets you see the weather online.

Jolly Weekend on the upcoming Halloween season. :yar:

Let’s get some Python involved. Manually writing queries is going to be a pain and take a ton of time.

#Dump Queries with start to end port range

import sys

pstartNum = int(input("Source Port number start: "))
q1 = "SELECT COUNT(*) AS Port_"
q2 = "FROM [dbo].[zy2016-09]"
qWat = "WHERE [Column 1] like '%:"
qClose = "'"
for x in range(100):
    # sys.stdout.write adds no separators of its own, so the SQL only gets the spaces written here
    sys.stdout.write("%s%s %s \n" % (q1, pstartNum, q2))
    sys.stdout.write("%s%s%s \n" % (qWat, pstartNum, qClose))
    print("GO")
    print()
    pstartNum = pstartNum - 1  # next iteration counts the port one below
sys.exit(0)

While I’m not a python wizard, this code works. What it does is start from a user-entered port number and run a loop 100 times, subtracting 1 for each iteration.

The reason I am using sys.stdout.write is to control the spacing of the string output, so I have functional SQL queries. If you try to do this with print() and comma-separated arguments, you will get spaces inserted between them that will break your SQL query.

I was trying to find a way to handle this in print, but I was fighting against how string interpolation and output control in Python works. Ending this part with what a pair from the 100 loop looks like

Output:

SELECT COUNT(*) AS Port_8888 FROM [dbo].[zy2016-09] 
WHERE [Column 1] like '%:8888' 
GO

SELECT COUNT(*) AS Port_8887 FROM [dbo].[zy2016-09] 
WHERE [Column 1] like '%:8887' 
GO

I defined the q variables as parts of the SQL query, instead of kludging together a nasty looking sys.stdout.write line, while keeping it more easy to edit and maintain.

By adding ‘GO’ to the 3rd line, I can have the other queries run instead of not getting results until all 100 queries complete. For some samples of SQL code, check out this MS SQL usage thread I have up here.

Debugging the SQL, here is the breakdown of the output above.

Quote

SELECT COUNT(*) AS Port_8887 FROM [dbo].[zy2016-09]

WHERE [Column 1] like '%:8887'

GO

SELECT COUNT(*) AS Port_8887

This does a count for the matched records and displays it to your results. If you want to see the record results, replace COUNT(*) with *

FROM [dbo].[zy2016-09]

Here is the name of the table you imported from your firewall log. In my case, it’s the name I gave to the exported firewall logs.

WHERE [Column 1] like '%:8887'

This is the search criteria for the entire table. In this case, :8887 represents the port number in [Column 1], or as I defined it in the 1st post, the source IP address.

GO

Ending with this line, says run these individually, instead of waiting for all 100 of your queries to finish.

Running this in Microsoft SQL Server Management Studio, from a New Query window, you will get similar output to below image.

PortCountOutput_Query.png

I am showing 2 example outputs, but the python script is doing 100 iterations.

Jumping back to source Log files.

Depending on your device, check the top of the file. You will likely have some column headers, and in my case I had a line of ‘======’ characters. I find it easier to remove the header and 2nd line, then save the modified file as a new file.

Example log file header for Zyxel firewall:

Quote

Time ,Source ,Destination ,Priority ,Category ,Note ,Source Interface ,Destination Interface ,Protocol ,Message

========================================================================================================================================================================================================================================================================================

To save hassle on the import, I saved the modified files as zy(Year)-(Month) (IE: zy2016-09) as seen in the SQL code examples. These became my table names when I imported them into my database. By deleting the top two lines, the new file works as a clean csv to import.

What is the python doing?

I read a few books for python and read the online manual, but trying to format string output was driving me crazy. To save you some rage, my observations are that using print("text", variable, "rest of query line 1") will always force a space to be inserted between the arguments. This will not fly in SQL queries and you don’t want that hassle.

Trying to avoid vomit inducing code and searching around, I found that using stdout.write, lets you define the output spacing, followed by your variable values. It took me vastly longer than I would have liked to have figured this out, but considering generating database scripts was the main goal I had for learning python, I’m pretty excited this works. :)

The running python code is higher in the thread, but below I explain each line, with a # comment under each line.

Line for line breakdown to build the SQL Queries:

import sys
# import sys so we can use sys.stdout.write

pstartNum = int(input("Source Port number start: "))
# Asking to have the user (You) enter a start number.

q1 = "SELECT COUNT(*) AS Port_"
# Start of SQL Query, in this case we are getting a count, instead of a display of the values matching the query.

q2 = "FROM [dbo].[zy2016-09]"
# From portion of a SQL Query

qWat = "WHERE [Column 1] like '%:"
# Query for your search criteria.

qClose = "'"
# Close the SQL Query for the like string.

for x in range(100):
# Run this loop 100 times.

    sys.stdout.write("%s%s %s \n" % (q1, pstartNum, q2))
# The left side with %s placement, says grab the 1st part of the Select variable, Current iteration of loop, with a space added for the variable for 'FROM (tablename)'.

    sys.stdout.write("%s%s%s \n" % (qWat, pstartNum, qClose))
# Here the %s triple string placement is to have no spaces.  We call the Query, current iteration of the start number from the loop, and close the line with a "'".

    print("GO")
# Execute each query instead of waiting for all of them to complete.
    
    print()
# prints a blank line.  I saw some crazy code to do this by other means, but since all I want is a blank line, this is way easier and fits the bill.

    pstartNum = pstartNum - 1
# Once the 1st loop finishes, subtract 1 from the starting port number.  Do this for each iteration, by saying that variable is equal to -1 from its current state. (Please note that if you start with a port number less than 100, the later iterations will run below port 0, which is not a valid port.)

sys.exit(0)
# Ends the script once the loop has finished, so I can copy and paste the output into my SQL query window and get results.

Remember this is a breakdown of the source code from the above 3rd post.

If you want this to run for 1000 iterations, change the for x in range(100) to for x in range(1000) or whatever works for you.

If you are not already doing this on your own equipment, you may anger some server admin with resource utilization. Or in the case of using Amazon Web Services or other hosting, your bill might get nasty expensive.
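As an added example (not the thread's own script), the function below builds the same T-SQL batch the breakdown above produces, but returns it as text so it can be checked or written to a .sql file, validates the port number and iteration count first, and pairs the batch with a plain-Python count over constructed sample values so you can see what the LIKE '%:<port>' pattern actually selects. The table and column names are the ones used in the thread; the sample source values are constructed here.

```python
# Added example, not the thread's own script. It builds the same T-SQL batch
# as the line-by-line breakdown above, returning it as text, validates its
# inputs, and shows in plain Python what the LIKE '%:<port>' pattern selects.
# Table and column names are the ones used in the thread.

TABLE = "[dbo].[zy2016-09]"
COLUMN = "[Column 1]"


def build_port_count_script(start_port, iterations=100, table=TABLE, column=COLUMN):
    """Return a T-SQL batch: one COUNT(*) query per port, counting down from
    start_port, each followed by GO and a blank line, exactly like the script."""
    start_port = int(start_port)      # int() rejects anything that is not a whole number,
    iterations = int(iterations)      # so only digits ever end up inside the query text
    if not 0 <= start_port <= 65535:
        raise ValueError("start_port must be a TCP/UDP port number (0-65535)")
    if iterations < 1 or start_port - iterations < -1:
        raise ValueError("the countdown would go below port 0; lower iterations")
    lines = []
    for port in range(start_port, start_port - iterations, -1):
        lines.append(f"SELECT COUNT(*) AS Port_{port} FROM {table}")
        lines.append(f"WHERE {column} like '%:{port}'")
        lines.append("GO")
        lines.append("")
    return "\n".join(lines) + "\n"


def matches_port(value, port):
    """What WHERE [Column 1] like '%:<port>' tests: the value must END with
    ':<port>'. The colon anchors it, so '%:80' matches neither '...:180'
    nor '...:8080'."""
    return value.endswith(f":{port}")


def count_ports(values, start_port, iterations=100):
    """Return {port: count} for the same ports the batch queries, computed in
    Python over a list of [Column 1] values instead of in SQL Server."""
    start_port, iterations = int(start_port), int(iterations)
    ports = range(start_port, start_port - iterations, -1)
    return {p: sum(1 for v in values if matches_port(v, p)) for p in ports}


# Constructed sample of what [Column 1] (source address:port) might hold.
SAMPLE_SOURCES = [
    "10.0.0.5:443", "10.0.0.7:443", "192.168.1.20:1443",
    "10.0.0.9:80", "10.0.0.5:442", "10.0.0.3:8080",
]

if __name__ == "__main__":
    print(build_port_count_script(443, iterations=3), end="")
    print(count_ports(SAMPLE_SOURCES, 443, 3))
```

Running it prints the three-query batch for ports 443, 442 and 441 and then `{443: 2, 442: 1, 441: 0}`; the 1443 and 8080 entries are not counted, which is the point of the colon in the pattern.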

Table structure and Imports revisited

In the case of Zyxel logs, we are better off leaving the 1st line for headers but removing the line of '=' as shown in post #5. Once this line is removed, save the .log file and we can import the records into a table using the MS SQL Import Wizard. This way we know everything imported OK, and if it fails, most often it is because an input column has more characters than the column defined in the new database table.

In the case of a Zyxel firewall log, this table structure should match the log format and import without error. Here are the columns, each with a character length the import supports:

[Time]   varchar(50)
[Source]   varchar(50)
[Destination]   varchar(50)
[Priority]   varchar(50)
[Category]   varchar(50)
[Note]   varchar(250)
[Source Interface]   varchar(50)
[Destination Interface]   varchar(50)
[Protocol]   varchar(50)
[Message]   varchar(450)

There would be some spaces padded into the inserted column names, but at least they would be consistent with your source data. You can edit the Design of the table after the import, since changing the column names will not break the data sets. In queries the trailing spaces seem to be ignored, so edit at your preference.

When doing the import, you can click Advanced on the Flat File Source portion of the wizard and edit the OutputColumnWidth of each column to match the varchar lengths listed above.
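The two pre-import steps described here, as an added example that is not part of the post: drop the '=' line under the header, then measure every field against the varchar widths of the table definition above and report which records the Import Wizard would reject for being too long. The log sample is constructed, and the field separator is assumed to be a tab because the raw Zyxel export is not shown on this page.

```python
# Added example, not part of the post. It does the two pre-import steps this
# section describes on a small constructed log: drop the line of '=' that sits
# under the header, then measure every field against the varchar widths of the
# table definition above and report which records the SQL Import Wizard would
# reject. The field separator is assumed to be a tab (the raw Zyxel export is
# not shown on this page); change SEP if yours differs.

SEP = "\t"

# Column widths exactly as listed in the table definition above.
COLUMN_WIDTHS = {
    "Time": 50, "Source": 50, "Destination": 50, "Priority": 50,
    "Category": 50, "Note": 250, "Source Interface": 50,
    "Destination Interface": 50, "Protocol": 50, "Message": 450,
}

# Constructed Zyxel-style export: header, '=' ruler, two records; the second
# record's Message is 500 characters, over the varchar(450) limit.
SAMPLE_LOG = "\n".join([
    SEP.join(COLUMN_WIDTHS),
    "=" * 120,
    SEP.join(["2016-09-20 10:15:01", "10.0.0.5:51234", "203.0.113.9:443",
              "notice", "traffic log", "Traffic Log", "lan1", "wan1", "TCP",
              "ACCESS FORWARD"]),
    SEP.join(["2016-09-20 10:15:02", "10.0.0.7:51235", "203.0.113.9:80",
              "notice", "traffic log", "Traffic Log", "lan1", "wan1", "TCP",
              "X" * 500]),
])


def strip_separator_line(text):
    """Return the log lines with the '=' ruler (and blank lines) removed; the
    header line stays, because the import takes the column names from it."""
    return [line for line in text.splitlines() if line and set(line) != {"="}]


def parse_records(lines, sep=SEP):
    """Split the header and each record on sep; returns (header, [dict, ...])."""
    header = lines[0].split(sep)
    return header, [dict(zip(header, line.split(sep))) for line in lines[1:]]


def check_widths(records, widths=COLUMN_WIDTHS):
    """Return (record_number, column, actual_length, allowed) for every field
    longer than its varchar column. An empty list means the import should pass."""
    problems = []
    for n, rec in enumerate(records, start=1):
        for col, value in rec.items():
            limit = widths.get(col.strip())   # padded spaces in names are ignored
            if limit is not None and len(value) > limit:
                problems.append((n, col, len(value), limit))
    return problems


def preflight(text, sep=SEP, widths=COLUMN_WIDTHS):
    """Run both steps and summarise what the import would see."""
    lines = strip_separator_line(text)
    header, records = parse_records(lines, sep)
    names = [h.strip() for h in header]
    return {
        "columns": names,
        "records": len(records),
        "missing_columns": [c for c in widths if c not in names],
        "overflows": check_widths(records, widths),
    }


if __name__ == "__main__":
    print(preflight(SAMPLE_LOG))
```

On the sample, preflight reports two records, no missing columns and one overflow, (2, 'Message', 500, 450), which is the kind of failure the paragraph above attributes to the import; fixing it means either widening the column or raising OutputColumnWidth to match.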


Forensic talk slides

Hello! I was able to do a fire talk @ Drexel CCI in the Rush building last night. It was fresh to get feedback from people, sharing my presentation and getting to see everyone else present and to chat with people.

If you would like some slides about the use of dd, sha256sum and exiftool, you are welcome to the slides. :)

For fun, you can run exiftool on this ppt, exported from LibreOffice.

For accessibility and ease of access, I added the text contents of the slides below in this post. Also of note, I used photos, because I finished the slides the day I presented them. :p

Text from slides below:

|+| Slide 01

Forensication

A data backup and verification chat.

Backing up and ripping data, making test beds and using equipment.

This fire talk will cover:

Write-blockers (hardware), dd, sha256sum, exiftool.

|+| Slide 02

Disclaimer (01 of 02)

Formal forensics is a wide field and circles around the notion of backing up information, with minimal to no changes of the source data.

Deeper forensic scope also involves analyzing the platform / Operating System, in order to determine OS level access (Example – thumbs.db folder indexers) versus manually viewed files.

|+| Slide 03

Disclaimer (02 of 02)

This talk is based on using your own test data to use analytic tools and to understand how they work, without worrying about client liability. Use some test data you are familiar with, as this makes finding ‘the needle in the haystack’ tremendously easier to find patterns.

Testing with the tools will give you the comfort to provide services for others.

|+| Slide 04

Backstory

Howdy. I got into data imaging over the years from system building and also doing support for friends, family and businesses. Originally plugging a hard drive into another machine, I would target C:\Users and grab profile data. Also including application data and whatever else.

After awhile I got into Linux for file ripping. Some files are protected in windows, even as a 2nd drive.

|+| Slide 05

Tool usage

There are plenty of tools and applications with forms you can use. However they can be quite expensive.

Personally, I like having built-in command line tools available. Especially for the sake of booting up a live cd at any location and being able to work, based on what I’m being asked to do or recover.

|+| Slide 06

Write Blocker Imaging

Using a hardware write-blocker is an assured way to not modify the contents of the source drive.

They are around $300 USD, so you have some cheaper options to do software write blocking… but if you forget to turn it on, you can contaminate your data source.

(Such as browsing a folder, having windows make new thumbs.db files)

|+| Slide 07

[Picture of write blocker source drive, and output drive]

|+| Slide 08

Imaging Drives

[console]

sudo dd if=/dev/sdf of=/dev/sdg bs=16384k

[/console]

For a 500 GB HDD, it took about 3 hours. (results below)

[output_example]

29808+1 records in

29808+1 records out

500107862016 bytes (500 GB, 466 GiB) copied, 10836.7 s, 46.1 MB/s

[/output_example]

So how do you come up with the device names?

[console]

ls /dev/sd*

[/console]

[output_example]

/dev/sda

/dev/sda1

/dev/sda2

/dev/sdb

/dev/sdb1

[/output_example]

|+| Slide 09

Verifying disk image

Now that your drive is imaged, let’s start verifying with the source drive, hooked up to the write-blocker.

This is for the source drive.

[console]

sudo sha256sum /dev/sda

[/console]

[output_example]

cc73a7aefba01ee7550dab0870b1ef52e1f7dc3d7f685357a5712fc5c2c4c7bf /dev/sda

[/output_example]

Unhooking the source drive, plug in the target / copied drive and run the same command.

[console]

sudo sha256sum /dev/sda

[/console]

[output_example]

cc73a7aefba01ee7550dab0870b1ef52e1f7dc3d7f685357a5712fc5c2c4c7bf /dev/sda

[/output_example]

In the above, I hooked up the cloned drive, powered up the Write-blocker, confirmed the disc mounted, then calculated the cryptographic checksum.

Boom! It’s a match :)

|+| Slide 10

Cryptographic Checksums

There are plenty of options for generating checksums. While SHA-1 and MD5 are commonly used, there are known collision attacks against both.

Signature-based anti-virus seems to have some clashes in the MD5 space.

Tools to get a checksum for a file are:

md5sum

sha1sum

sha256sum

|+| Slide 11

Checksum examples

Here I made a text file, saved it then calculated what the file’s crypto hash is (in sha256).

Making a new file called ‘sampleChecksum.txt’ with the contents of ‘Hello checksum’ and saving it.

[console]

nano sampleChecksum.txt

[/console]

Obtaining the checksum of said file:

[console]

sha256sum sampleChecksum.txt

[/console]

[output_example]

9f8135859f0d32a46093fdf272952fb1133a8995af32f0b3e0f39daacfb78ff5 sampleChecksum.txt

[/output_example]

Making a second file with a single character change, I calculated that hash. New file called ‘sample02Checksum.txt’ with the contents of ‘Hello Checksum’ and saving it.

[console]

sha256sum sample02Checksum.txt

[/console]

[output_example]

65762af89d327b44f6b824689cbe7169869ebf054384bab9a699aae25e51fb7f sample02Checksum.txt

[/output_example]

File contents are covered above: the two are the same, short of one having an upper-case C in 'checksum', with the original file in lower case. Note how different the checksum output is for 2 files with similar names and 1 character different in file contents.

|+| Slide 12

Other checksum examples

ISO downloads and similar downloads tend to use MD5, so here are some extra output examples using the same 2 base files we made.

[console]

md5sum sampleChecksum.txt

[/console]

[output_example]

9938b398bc883db337fb41431545955b sampleChecksum.txt

[/output_example]

[console]

md5sum sample02Checksum.txt

[/console]

[output_example]

65019593d2acc1e5fb4138dc18facd87 sample02Checksum.txt

[/output_example]

sha1sum displays a similar but unique output for each file; its return value is slightly longer (8 more characters) than md5sum's.
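What slides 08 to 12 do with dd and sha256sum, as an added example in Python that is not part of the talk: hash a byte stream in fixed-size blocks so a whole block device can be hashed without reading it into memory, compare the source with its image, and reproduce the one-letter-apart file experiment. The data here is constructed in memory; on a real system you would pass the opened device files instead.

```python
import hashlib
import hmac
import io

# Added example, not part of the talk. It does in Python what slides 08 to 12
# do with dd and sha256sum: hash a byte stream in fixed-size blocks (so a whole
# block device can be hashed without reading it into memory) and compare the
# source with its image. The data here is constructed in memory; on a real box
# you would pass open("/dev/sdf", "rb") and open("/dev/sdg", "rb") instead.

BLOCK_SIZE = 16 * 1024 * 1024   # 16 MiB, the bs=16384k from the dd command


def as_stream(data):
    """Wrap constructed bytes so they read like an opened device or file."""
    return io.BytesIO(data)


def hash_stream(stream, algorithm="sha256", length=None, block_size=BLOCK_SIZE):
    """Return (hexdigest, bytes_hashed) for the first `length` bytes of a binary
    stream, or for all of it when length is None."""
    h = hashlib.new(algorithm)
    remaining = length
    total = 0
    while remaining is None or remaining > 0:
        want = block_size if remaining is None else min(block_size, remaining)
        chunk = stream.read(want)
        if not chunk:
            break
        h.update(chunk)
        total += len(chunk)
        if remaining is not None:
            remaining -= len(chunk)
    return h.hexdigest(), total


def verify_image(source, image, algorithm="sha256"):
    """Hash the source, then hash only that many bytes of the image.
    sha256sum /dev/sdX covers the whole device, so when the target disk is
    larger than the source the two digests can never match; limiting the image
    hash to the source length is what makes the comparison meaningful."""
    src_digest, src_len = hash_stream(source, algorithm)
    img_digest, img_len = hash_stream(image, algorithm, length=src_len)
    if img_len != src_len:
        return False, "image is shorter than the source (%d < %d bytes)" % (img_len, src_len)
    if not hmac.compare_digest(src_digest, img_digest):   # constant-time compare
        return False, "digest mismatch: %s != %s" % (src_digest, img_digest)
    return True, src_digest


def one_character_difference(algorithm="sha256"):
    """Slides 11 and 12 in code: the same two constructed files, one letter apart."""
    a, _ = hash_stream(as_stream(b"Hello checksum\n"), algorithm)
    b, _ = hash_stream(as_stream(b"Hello Checksum\n"), algorithm)
    return a, b


if __name__ == "__main__":
    disk = bytes(range(256)) * 64          # constructed 16 KiB "source drive"
    print(verify_image(as_stream(disk), as_stream(disk + b"\x00" * 4096)))
    for algo in ("md5", "sha1", "sha256"):
        print(algo, *one_character_difference(algo))
```

The length check matters in practice: if the clone target is a bigger disk, hashing both devices whole gives two different digests even though the copy is perfect, while an interrupted dd leaves an image that is shorter than the source and is reported as such rather than silently failing the digest compare.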

|+| Slide 13

(Duplicate slide of slide 12)

Reminder that I did add a little more elaboration than was in the original slide show, since I made it pretty quickly after collecting my test results.

|+| Slide 14

BONUS ROUND – exiftool

Here I am grabbing the logo image from my site, then checking the image metadata for extra details.

[console]

wget https://funtimebliss.com/pathToASiteLogo/ftb-logo.png

[/console]

|+| Slide 15

Exiftool (continued)

Now that we have a local copy of ftb-logo.png, let’s see what details we get from the file.

[console]

exiftool ftb-logo.png

[/console]

[output_example]

ExifTool Version Number : 10.26

File Name : ftb-logo.png

Directory : .

File Size : 29 kB

File Modification Date/Time : 2013:05:29 11:45:14-04:00

File Access Date/Time : 2016:09:26 12:20:58-04:00

File Inode Change Date/Time : 2016:09:22 14:26:31-04:00

File Permissions : rw-r--r--

File Type : PNG

File Type Extension : png

MIME Type : image/png

Image Width : 465

Image Height : 100

Bit Depth : 8

Color Type : RGB with Alpha

Compression : Deflate/Inflate

Filter : Adaptive

Interlace : Noninterlaced

SRGB Rendering : Perceptual

Background Color : 255 255 255

Pixels Per Unit X : 2835

Pixels Per Unit Y : 2835

Pixel Units : meters

Modify Date : 2009:10:13 17:45:32

Comment : Created with GIMP

Image Size : 465×100

Megapixels : 0.046

[/output_example]

|+| Slide 16

Exiftool conclusion

Checking the Modify Date we see it was modified on 2009/10/13 around 5:45 PM. This matches up to the logo creation date.

Checking the Comment we see the image was edited in GIMP. I can confirm that as a fact, as I left the comment export option

Looking at the File Modification Date/Time that is consistent to when I uploaded that file into WordPress for my front page of the site.

There are TONS of supported file types for use with the EXIFTOOL and this is only one tool. Have fun and explore!
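To show where the fields exiftool printed on slide 15 come from, here is an added example (not part of the talk and not exiftool's code) that walks the chunk structure of a PNG, checks each chunk's CRC, and pulls out the image size, bit depth, colour type, the tIME modify date and the tEXt comment. The PNG is constructed in memory with the same header values as the logo output, since the real file is not on this page.

```python
import struct
import zlib

# Added example, not part of the talk and not exiftool's code. It walks the
# chunk structure of a PNG and extracts the fields exiftool printed above
# (size, bit depth, colour type, tIME modify date, tEXt comment), verifying
# each chunk's CRC on the way. The PNG is constructed in memory with the same
# header values as the logo output, because the real file is not on this page.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPES = {0: "Grayscale", 2: "RGB", 3: "Palette",
               4: "Grayscale with Alpha", 6: "RGB with Alpha"}


def _chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 465x100 RGBA PNG carrying only metadata and an empty image stream."""
    ihdr = struct.pack(">IIBBBBB", 465, 100, 8, 6, 0, 0, 0)   # width, height, depth, colour type 6
    time = struct.pack(">HBBBBB", 2009, 10, 13, 17, 45, 32)   # tIME: last modification
    text = b"Comment\x00Created with GIMP"                     # tEXt: keyword NUL value
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tIME", time)
            + _chunk(b"tEXt", text) + _chunk(b"IDAT", zlib.compress(b""))
            + _chunk(b"IEND", b""))


def iter_chunks(data):
    """Yield (type, body) for each chunk, refusing truncated or corrupted ones."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, body
        pos = end + 4
        if ctype == b"IEND":
            return


def png_metadata(data):
    """Return the exiftool-style fields found in the PNG's metadata chunks."""
    info = {}
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR":
            w, h, depth, color = struct.unpack(">IIBB", body[:10])
            info.update({"Image Width": w, "Image Height": h, "Bit Depth": depth,
                         "Color Type": COLOR_TYPES.get(color, str(color))})
        elif ctype == b"tIME":
            y, mo, d, hh, mm, ss = struct.unpack(">HBBBBB", body)
            info["Modify Date"] = "%04d:%02d:%02d %02d:%02d:%02d" % (y, mo, d, hh, mm, ss)
        elif ctype == b"tEXt":
            keyword, _, value = body.partition(b"\x00")
            info[keyword.decode("latin-1")] = value.decode("latin-1")
    return info


if __name__ == "__main__":
    for key, value in png_metadata(build_sample_png()).items():
        print("%-12s : %s" % (key, value))
```

Two things worth noticing against the exiftool output: Modify Date and Comment live inside the file (tIME and tEXt chunks), so they survive a copy or upload, whereas File Modification Date/Time comes from the filesystem and changes whenever the file is written, which is why the slide sees 2009 in one and 2013 in the other. The CRC check is also why a single flipped byte in a chunk is reported rather than quietly parsed.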