Archive for the ‘Systems Engineering’ Category

Tip: Cygwin for RAR Archives

WinRAR's native format is the RAR file. Other freeware and nagware archiving tools support RAR, too, and the format is becoming increasingly popular. As with the Gzip format, I would prefer not to install yet another software component that wants to be my primary archiving tool. Below are my notes on configuring Cygwin for CLI access to RAR files. These steps assume you have already installed Cygwin with gcc, make, and makedepend.

Download the source files for RAR 3.80 to your source folder (/usr/src or C:\cygwin\usr\src). Extract the source files, and remove the download.

$ cd /usr/src
$ gzip -d rarlinux-3.8.0.tar.gz
$ tar -xvf rarlinux-3.8.0.tar
$ rm rarlinux-3.8.0.tar

Compile the RAR source files using make. Once done, move the unrar.exe file to your binaries folder (/bin or C:\cygwin\bin).

$ cd /usr/src/rar
$ make -f makefile.cygmin
$ mv unrar.exe /bin/

That is it. From there on out, you can use the unrar command to extract any archives.

$ unrar e YourArchiveHere.rar

Enjoy,

Wolfgang

Edit 2012-03-11: The makefile for Cygwin is no longer included. Please download the UnRAR source for 4.1.4 and follow these steps.

$ cd /usr/src/
$ gzip -d unrarsrc-4.1.4.tar.gz
$ tar -xvf unrarsrc-4.1.4.tar
$ cd unrar
$ make -f makefile.unix
$ mv unrar.exe /bin
$ unrar e YourArchiveHere.rar

Tip: Cygwin for Steganography in Sounds (.wav)

Cygwin can be used for hiding data in sound files.

First, run setup and select the “steghide: A steganography hiding tool” package under the Security category. You may also be prompted to install libjpeg7 and mhash. Complete the installation.

Second, copy your hidden file and cover file to the home folder (C:\cygwin\home\Administrator). For example, suppose we use “hidden.msg” and “applause.wav” to embed a text message inside a file of folks clapping. Let’s use the word “secret” as the passphrase.

$ steghide --embed --embedfile hidden.msg --coverfile applause.wav --passphrase secret --stegofile output.wav

embedding "hidden.msg" in "applause.wav"... done
writing stego file "output.wav"... done

The resulting “output.wav” file now contains the message. To extract, we use steghide with the passphrase.

$ steghide --extract --stegofile output.wav --passphrase secret --extractfile output.msg

wrote extracted data to "output.msg".

That is how to use steghide in Cygwin to embed and extract files from sound files (.wav).

SQL Server Tip: Shrink Database

This tip works on SQL Server 2000 and SQL Server 2005. To shrink the db, use the logical name. You have to put it into simple recovery mode to get the disk space back. The command I have been running is:

Alter Database MYDBName Set Recovery SIMPLE

DBCC Shrinkfile (MYDBName_Log)

Alter Database MYDBName Set Recovery FULL

I should note that this is for emergency purposes only. It will impact performance by increasing fragmentation within the file and causing a write penalty later when the logs grow.

Tip: Cygwin for Bzip2 (.bz2)

I find the Windows shareware and nagware tools for Gzip and Bzip2 files lacking. Some of it is adding unnecessary clutter to my OS. Part of it is compatibility with 64-bit Windows Server 2003. I also do not want to pay for a feature that I rarely use. Since I run Cygwin, it is easy enough to drop into the Bash shell to unzip and untar.

Copy the file to the Cygwin home folder (C:\cygwin\home\Administrator). Then start Cygwin and run the commands to unzip and untar. Extract (x) with the verbose details (v) from a file (f). Use the j switch for Bzip2 (.bz2) and the z switch for Gzip (.gz).

$ tar xvfj file.tar.bz2

$ tar xvfz file.tar.gz

The expanded files will then be in a folder called C:\cygwin\home\Administrator\file.

Preventing Hosts and LMHosts Tampering

Some forms of malware and some attackers will modify the DNS resolution file (hosts) and the Windows resolution file (lmhosts). Basically, this would allow someone to enter www.jwgoerlich.us into their browser but be redirected to the attacker’s IP address. A simple way to prevent this tactic is to turn off the hosts and lmhosts files.

You can find the files by looking in the registry.

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
Value: DataBasePath
Data: %SystemRoot%\system32\drivers\etc

Browse to the folder specified, right-click it, and set permissions. The service account (NT AUTHORITY\NETWORK SERVICE) must have read access to the folder in order to parse the files and process the name-to-address mappings. Set explicit permissions that deny access to that service account (NT AUTHORITY\NETWORK SERVICE), then reboot.

From then on, regardless of who modifies the hosts and lmhosts file, the DNS and Windows resolution will be protected.
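The same deny-read step done in PowerShell, with a check of the resulting ACEs afterwards. This is an added example, not code from the original post; it assumes an elevated prompt, takes the registry path and account name from the post, and the function names are mine.

```powershell
# Added example, not from the original post. Applies the post's deny-read step
# with PowerShell and then lists the resulting ACEs. Run from an elevated prompt.
# Registry path and account name are from the post; function names are mine.

$TcpipParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ResolverAccount = 'NT AUTHORITY\NETWORK SERVICE'

# Resolve the folder holding hosts and lmhosts, expanding %SystemRoot%.
function Get-HostsFolder {
    $raw = (Get-ItemProperty -Path $TcpipParams -Name DataBasePath).DataBasePath
    [Environment]::ExpandEnvironmentVariables($raw)
}

# Add an explicit Deny-Read ACE for the resolver account on the folder,
# inherited by the files inside it (hosts, lmhosts).
function Deny-ResolverRead {
    param([string]$Folder)
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $ResolverAccount, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

# Check: show every ACE that applies to the resolver account on the folder
# and on the hosts file itself (the file's entry should show IsInherited = True).
function Show-ResolverAccess {
    param([string]$Folder)
    foreach ($item in @($Folder, (Join-Path $Folder 'hosts'))) {
        (Get-Acl -Path $item).Access |
            Where-Object { $_.IdentityReference.Value -eq $ResolverAccount } |
            Select-Object @{ n = 'Path'; e = { $item } }, AccessControlType, FileSystemRights, IsInherited
    }
}

$etc = Get-HostsFolder
Deny-ResolverRead -Folder $etc
Show-ResolverAccess -Folder $etc
```

Because the Deny ACE takes the files out of name resolution entirely, any hosts entries you legitimately rely on stop working as well; the reboot from the post is still needed for the change to take effect.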

Tip: Cygwin for Gzips (.gz) and Tarballs (.tar)

I find the Windows shareware and nagware tools for Gzip and Tarball files lacking. Some of it is adding unnecessary clutter to my OS. Part of it is compatibility with 64-bit Windows Server 2003. I also do not want to pay for a feature that I rarely use. Since I run Cygwin, it is easy enough to drop into the Bash shell to unzip and untar.

Copy the file to the Cygwin home folder (C:\cygwin\home\Administrator). Then start Cygwin and run the commands to unzip and untar.

$ gzip -d file.tar.gz

$ tar -xvf file.tar

The expanded files will then be in a folder called C:\cygwin\home\Administrator\file.

SQL Server Tip: Find and Change File Locations

Here is a quick tip on finding the location of a database files and on updating that location. This tip works on SQL Server 2000 and SQL Server 2005.

-- Get the file location for the data (mdf), index (idx), and logs (ldf)
Use MYDBName
Select name, physical_name
From sys.database_files

-- Set the file location for a particular mdf, idx, or ldf file
Use MYDBName
Alter Database MYDBName modify file
(name=MYDBName,filename='E:\SqlData\MYDBName.mdf')

This comes in handy if the file name has been changed, or if the folders containing the database are being changed.

Prevent the computer screensaver from locking the console

A “clean screen” policy is a common control. The risk is of people gaining unauthorized access to systems and information by shoulder surfing or popping onto a computer that someone left logged in. To mitigate, a screensaver can be set to lock the computer after so many minutes of inactivity. Ideally, people work on the computer and the screensaver does not kick in. They stop, the computer locks, and the screen is clean.

The challenge for employees is that the screensaver may come on at inopportune times. For example, when giving presentations or when watching a training video. During these situations the person is using their computer but not actually causing activity.

Not surprisingly, people have started finding hacks to prevent the screensaver from coming on. WiebeTech, for instance, sells a Mouse Jiggler. “Prevents a computer from going to sleep while you work or play. Constant mouse activity prevents sleep mode and screen savers (and their password prompts).”

The workaround for the workaround is to disable device drivers. But this requires configuration management software that may be beyond the budget of many IT/InfoSec teams.

Anyone have other ideas of how to mitigate Mouse Jiggler?

Wolfgang

PS: Also, check out WiebeTech’s HotPlug. This allows someone to switch a running PC or server from a power outlet to a battery pack. They pitch it for forensics as a way to confiscate a running computer. “We created this product for our Government/Forensic customers … allows hot seizure and removal of computers from the field to anywhere else on the planet.”

Tip: Bash scripting in Cygwin without \r syntax errors

The standard conventions when Bash scripting apply in the Windows Cygwin environment. If you are like me, you will find it much easier to edit your .sh scripts in Notepad or Notepad++ rather than vi or nano. However, you will likely run into the following problem:

./script.sh: line 1: syntax error near unexpected token `$'do\r''

Or …

./script.sh: line 1: $’\r’: command not found

The cause is easy to see. The script is choking on \r, the carriage return character (0x0D or 13). Windows and Windows editors end each line with a carriage return plus a linefeed (\n or 0x0A or 10). Macs only use the carriage return (\r). Unix? It only uses the linefeed (\n).

The resolution is to strip out the extra carriage return at the end of every script line. Cygwin provides an easy tool for this: the dos2unix.exe command converts every line ending to the single linefeed (\n) character.

$ dos2unix.exe script.sh
dos2unix: converting file script.sh to Unix format ...

Done.
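The same conversion done on the Windows side, so a script saved from Notepad or Notepad++ can be fixed before it ever reaches Cygwin. This is an added example, not code from the original post; the function names are mine, and it assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: count and strip carriage returns
# from a script on the Windows side, the way dos2unix does inside Cygwin.
# Function names are mine. Assumes PowerShell 3.0+.

# Return the number of carriage return bytes (0x0D) present in a file.
function Get-CarriageReturnCount {
    param([string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).Path   # .NET needs an absolute path
    $bytes = [System.IO.File]::ReadAllBytes($full)
    @($bytes | Where-Object { $_ -eq 0x0D }).Count
}

# Rewrite the file with \n line endings only. Writes UTF-8 without a
# byte-order mark: Windows editors may prepend one, and bash would then
# fail to recognise the #! line in the same way it trips over \r.
function ConvertTo-UnixLineEndings {
    param([string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    $text = [System.IO.File]::ReadAllText($full)     # strips any BOM on read
    $text = $text -replace "`r`n", "`n"              # CRLF pairs -> LF
    $text = $text -replace "`r", "`n"                # any lone CR (classic Mac) -> LF
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($full, $text, $utf8NoBom)
}

# Usage: report the count before and after converting script.sh.
"Before: $(Get-CarriageReturnCount -Path .\script.sh) carriage returns"
ConvertTo-UnixLineEndings -Path .\script.sh
"After:  $(Get-CarriageReturnCount -Path .\script.sh) carriage returns"
```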

Winlogon and the protection ring

Windows typically divides processes into kernel mode (ring 0) and user mode (ring 3). See Wikipedia for more information on protection rings and security. In general, kernel mode is protected while user mode is not.

Winlogon and the GINA (Graphical Identification and Authentication) process do not actually run in either kernel mode or user mode. Instead, the GINA runs in a protected area known as LSA mode, which is in the process space of the LSA (Local Security Authority). You can see this in Task Manager or Process Explorer as lsass.exe. If lsass.exe is compromised or halted, the process watchdog immediately blue screens the computer.

I found this while working on an unresponsive server. The server becomes unresponsive to all requests requiring authentication. The IP stack is still working; I can ping it, and a port scan shows that services are still listening. On the console, the Winlogon desktop is active but the GINA does not appear. RPC calls via MMCs fail to connect to the server. I have left the computer in this state for as long as 16 hours. It never blue screens or stops responding altogether. The only way to recover is power cycling. The problem ended up being hardware related and was resolved by replacing the server and restoring the OS.