Saturday, April 21, 2012

All startup methods in Windows

Registry Autostart Locations

1.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
All values in this key are executed.

2.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
All values in this key are executed, and then their autostart reference is deleted.

3.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
All values in this key are executed as services.

4.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
All values in this key are executed as services, and then their autostart reference is deleted.

5.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
All values in this key are executed.

6.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
All values in this key are executed, and then their autostart reference is deleted.

7.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
Used only by Setup. Displays a progress dialog box as the keys are run one at a time.

8.HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\
Similar to the Run key from HKEY_CURRENT_USER.

9.HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Similar to the RunOnce key from HKEY_CURRENT_USER.

10.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The "Shell" value is monitored. This value is executed after you log in.

11.HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey.

12.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\
All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey.

13.HKEY_CURRENT_USER\Control Panel\Desktop
The "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates.

14.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
The "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts.

15.HKEY_CLASSES_ROOT\vbsfile\shell\open\command\
Executed whenever a .VBS file (Visual Basic Script) is run.

16.HKEY_CLASSES_ROOT\vbefile\shell\open\command\
Executed whenever a .VBE file (Encoded Visual Basic Script) is run.

17.HKEY_CLASSES_ROOT\jsfile\shell\open\command\
Executed whenever a .JS file (Javascript) is run.

18.HKEY_CLASSES_ROOT\jsefile\shell\open\command\
Executed whenever a .JSE file (Encoded Javascript) is run.

19.HKEY_CLASSES_ROOT\wshfile\shell\open\command\
Executed whenever a .WSH file (Windows Scripting Host) is run.

20.HKEY_CLASSES_ROOT\wsffile\shell\open\command\
Executed whenever a .WSF file (Windows Scripting File) is run.

21.HKEY_CLASSES_ROOT\exefile\shell\open\command\
Executed whenever a .EXE file (Executable) is run.

22.HKEY_CLASSES_ROOT\comfile\shell\open\command\
Executed whenever a .COM file (Command) is run.

23.HKEY_CLASSES_ROOT\batfile\shell\open\command\
Executed whenever a .BAT file (Batch Command) is run.

24.HKEY_CLASSES_ROOT\scrfile\shell\open\command\
Executed whenever a .SCR file (Screen Saver) is run.

25.HKEY_CLASSES_ROOT\piffile\shell\open\command\
Executed whenever a .PIF file (Portable Interchange Format) is run.

26.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
Services marked to startup automatically are executed before user login.

27.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries\
Layered Service Providers, executed before user login.

28.HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline
Executed when a 16-bit Windows executable is executed.

29.HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdline
Executed when a 16-bit DOS application is executed.

30.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Executed when a user logs in.

31.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
Executed by explorer.exe as soon as it has loaded.

32.HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
Executed when the user logs in.

33.HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Executed when the user logs in.

34.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Subvalues are executed when Explorer initialises.

35.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Subvalues are executed when Explorer initialises.
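
A read-only audit of some of the registry locations listed above, added here as an example (it is not from the original post). It lists every value under the Run, RunOnce and Policies\Explorer\Run keys for review, and compares the single-value locations (Winlogon Shell and Userinit, BootExecute, and the exefile/comfile/batfile open commands) against expected defaults. Those defaults and the helper name Get-RawValue are assumptions for a stock install; replace them with your own baseline.

```powershell
# Added example: read-only audit of some autostart locations from the list above.
# The "Want" defaults are assumptions for a stock install; replace with your baseline.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hkcr     = 'Registry::HKEY_CLASSES_ROOT'
$single = @(
    @{ Key = $winlogon; Value = 'Shell';    Want = 'explorer.exe' },
    @{ Key = $winlogon; Value = 'Userinit'; Want = "$env:SystemRoot\system32\userinit.exe," },
    @{ Key = 'HKLM:\System\CurrentControlSet\Control\Session Manager'; Value = 'BootExecute'; Want = 'autocheck autochk *' },
    @{ Key = "$hkcr\exefile\shell\open\command"; Value = ''; Want = '"%1" %*' },
    @{ Key = "$hkcr\comfile\shell\open\command"; Value = ''; Want = '"%1" %*' },
    @{ Key = "$hkcr\batfile\shell\open\command"; Value = ''; Want = '"%1" %*' }
)

function Get-RawValue($Key, $Name) {
    # Return the unexpanded data as one string (multi-string values joined by ';').
    $item = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $data = $item.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
    if ($null -eq $data) { return $null }
    return (@($data) -join ';')
}

$report = @()
# Keys where every value is a command line: list each one for review.
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $report += [pscustomobject]@{ Status = 'REVIEW'; Key = $key; Value = $name
                                      Data = (Get-RawValue $key $name) }
    }
}
# Single values with a known default: flag anything that differs or is missing.
foreach ($s in $single) {
    $data   = Get-RawValue $s.Key $s.Value
    $status = if ($data -ieq $s.Want) { 'OK' } else { 'CHANGED' }
    $label  = if ($s.Value) { $s.Value } else { '(Default)' }
    $report += [pscustomobject]@{ Status = $status; Key = $s.Key; Value = $label; Data = $data }
}
$report | Sort-Object Status | Format-Table -AutoSize -Wrap
```

A CHANGED row is a prompt to investigate, not proof of compromise: legitimate software sometimes appends to Userinit or BootExecute.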


Folder Autostart Locations

1. windir\Start Menu\Programs\Startup\
2. User\Startup\
3. All Users\Startup\
4. windir\system\iosubsys\
5. windir\system\vmm32\
6. windir\Tasks\


File Autostart Locations

1. c:\explorer.exe
2. c:\autoexec.bat
3. c:\config.sys
4. windir\wininit.ini
5. windir\winstart.bat
6. windir\win.ini - [windows] "load"
7. windir\win.ini - [windows] "run"
8. windir\system.ini - [boot] "shell"
9. windir\system.ini - [boot] "scrnsave.exe"
10. windir\dosstart.bat
11. windir\system\autoexec.nt
12. windir\system\config.nt

Friday, April 13, 2012

NetBIOS Hacking


NetBIOS stands for "Network Basic Input Output System".

By default it runs on port 139.
NetBIOS exposes various information about the computers on a network, including computer name, username, domain, group, and more.

The NBTSTAT Command :-
NBTSTAT is the command for manually interacting with NetBIOS over TCP/IP.
To view all the switches available with the nbtstat command and their usage, type the following at the command prompt:

C:\Windows>nbtstat

Sample NBTSTAT Response :-

C:\>nbtstat -A 117.200.160.174

NetBIOS Remote Machine Name Table

Name                 Type      Status
----------------------------------------------
PRASANNA       <00>  UNIQUE    Registered
INSECURE LAB   <00>  GROUP     Registered
PRASANNA       <03>  UNIQUE    Registered
PRASANNA       <20>  UNIQUE    Registered
INSECURE LAB   <1E>  GROUP     Registered

MAC Address = 86-95-55-50-00-00


An intruder could use the output from an nbtstat against your machines to begin gathering information about them.

"The <03> entry in the table above is the username of that system."

The next step for an intruder would be to try and list the open shares on the given computer, using the net view command.
Here is an example of the Net View command-

C:\>net view \\117.200.160.174
Shared resources at \\117.200.160.174

Sharename   Type   Comment
----------------------------------------
C           Disk   Drive C:\
MySofts     Disk   My Softwares Collection
E           Disk   Drive E:\

The command was completed successfully.


This information would give the intruder a list of shares, which he would then use in conjunction with the net use command, a command that lets a computer map a share to its local drive. Below is an example of how an intruder would map the C share to a local G: drive, which he could then browse.

C:\>net use G: \\117.200.160.174\C
The command was completed successfully.

C:\>G:

G:\>
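
A local, read-only check of what the nbtstat and net view steps above would reveal about your own machine, added here as an example (it is not from the original post). It assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt; the account-name match assumes an English-language system.

```powershell
# Added example: read-only, local view of what the nbtstat / net view steps above would reveal.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.

# 1. NetBIOS over TCP/IP per adapter (TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled).
$nbt = @{ 0 = 'Default (DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description,
        @{ n = 'IPAddress'; e = { $_.IPAddress -join ', ' } },
        @{ n = 'NetBIOS';   e = { $nbt[[int]$_.TcpipNetbiosOptions] } } |
    Format-Table -AutoSize

# 2. Is anything listening on the NetBIOS session port (139) or direct SMB (445)?
Get-NetTCPConnection -State Listen -LocalPort 139, 445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# 3. User-created shares: flag whole-drive shares (like C and E above) and open ACLs.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $open = Get-SmbShareAccess -Name $_.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccountName -match '(^|\\)(Everyone|ANONYMOUS LOGON)$'
    }
    [pscustomobject]@{
        Share      = $_.Name
        Path       = $_.Path
        WholeDrive = $_.Path -match '^[A-Za-z]:\\?$'
        OpenToAll  = [bool]$open
    }
} | Format-Table -AutoSize
```

Where NetBIOS over TCP/IP is not needed, it can be turned off per adapter with the SetTcpipNetbios method of Win32_NetworkAdapterConfiguration (value 2), and ports 139 and 445 should not be reachable from untrusted networks.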

Sunday, April 1, 2012

Windows 8 keyboard shortcuts

  • Windows key – Brings up the Metro start screen. You can start typing to search for an app, just like the Win7 start menu.
  • Windows key + B – Switch to the (classic) Windows desktop and select the tray notification area.
  • Windows key + C – Brings up the Charms menu, where you can search, share, and change settings.
  • Windows key + D – Brings up the old Windows desktop.
  • Windows key + E – Launch Windows Explorer with Computer view displayed.
  • Windows key + F – Brings up the Metro File search screen.
  • Windows key + H – Opens the Metro Share panel.
  • Windows key + I – Opens the Settings panel, where you can change settings for the current app, change volume, wireless networks, shut down, or adjust the brightness.
  • Windows key + J – Switches focus between snapped Metro applications.
  • Windows key + K – Opens the Devices panel (for connecting to a projector or some other device)
  • Windows key + L – Lock PC and return to Lock screen.
  • Windows key + M – Minimize all windows on the desktop.
  • Windows key + O – Locks device orientation.
  • Windows key + P – Choose between available displays.
  • Windows key + Q – Brings up the Metro App Search screen.
  • Windows key + R – Switch to the (classic) Windows desktop and display the Run box.
  • Windows key + U – Switch to the (classic) Windows desktop and launch the Ease of Access Center.
  • Windows key + V – Cycles through toasts.
  • Windows key + W – Brings up the Metro Settings search screen.
  • Windows key + X – Launch Start Menu.
  • Windows key + Y – Temporarily peek at the desktop.
  • Windows key + Z – Opens the App Bar for the current Metro application.
  • Windows key + Page Up / Down – Moves tiles to the left / right.
  • Windows key + Tab – Opens the Metro application switcher menu, switches between applications.
  • Windows key + , (comma) – Aero Peek at the desktop.
  • Windows key + . (period) – Snaps the current Metro application to one side of the screen. (Right side)
  • Windows key + Shift + . (period) – Snaps the current Metro application to the other side of the screen. (Left side)
  • Windows key + Space – Switch input language and keyboard layout.
  • Windows key + Shift + V – Cycles through toasts in reverse order.
  • Windows key + Enter – Launches Narrator
  • Windows key + Arrow Keys – Switch to the (classic) Windows desktop and enable Aero Snap