
Monday, June 16, 2014

[TUTORIAL] Creating Wifi Hotspot in Windows 8.1

So, I heard that some people were having difficulty creating a Wi-Fi hotspot in Windows 8.1. Well, let's fire up the very first post for this blog with "How to create a Wi-Fi hotspot in Windows 8.1". This tutorial applies to Windows 7 and Windows 8 too. *yay!*

Since Windows 7, Windows has had a feature called the Wireless Hosted Network. It lets a single physical wireless adapter expose a second, virtual adapter out of itself and broadcast a software access point (SoftAP). In other words, one hardware wireless adapter presents two interfaces: one is used to connect to your upstream network (the cloud), while the other acts as an access point. *Again, yay!*

Before we start the tutorial, let's make sure our wireless adapter's driver can actually do this. Fire up a command prompt and let's get our hands dirty. One improvement since Windows 8 that I like a lot is the shortcut key for opening the command prompt. *Please be aware that everything below needs to be done in a Command Prompt running as Administrator.*

Press "Windows + X" and the quick-access menu appears, as below:


From that menu you can reach most of the admin utilities on your PC. In our case we want a Command Prompt with administrator privilege, so press "A" next and an elevated command prompt opens, as shown in the picture. You will find this shortcut very useful once you get used to it.

Next, check whether the wireless adapter is able to host a network:
netsh wlan show drivers
Look for the line "Hosted network supported : Yes" in the output. If it says No, the driver cannot run a SoftAP and the rest of this tutorial will not work. If it says Yes, copy the command below and paste it into the command prompt:
netsh wlan set hostednetwork mode=allow ssid="SSIDNAME" key="WIFI@KEY" keyUsage=persistent
Replace SSIDNAME with your desired SSID and WIFI@KEY with your desired wireless key. The hosted network uses WPA2-PSK, so the key must be between 8 and 63 characters; a mix of letters, numbers and special symbols is recommended. keyUsage=persistent stores the key so the hotspot survives a reboot.



At this stage the hosted network is configured. An extra adapter, the Microsoft Hosted Network Virtual Adapter, appears out of nowhere in Network Connections.


Next, start the hosted network so that it becomes visible to other clients:
netsh wlan start hostednetwork

Connect a client to the SSID you created a few seconds ago and enter the wireless key. The client will associate, but it has no internet connection yet, because the virtual adapter is not routed anywhere. To fix that we use Windows' Internet Connection Sharing (ICS) feature to share the adapter that currently has internet access with the virtual adapter.

Right-click the adapter with the internet connection > Properties > Sharing tab > tick "Allow other network users to connect through this computer's Internet connection" > in the "Home networking connection" drop-down select the virtual adapter created just now.

Voila! Clients that connect to your SoftAP with SSID "SSIDNAME" can now reach the internet through your PC. Keep in mind that ICS NATs every client behind your machine's own address, so anyone with the key is browsing as you.
Note: ICS runs its own DHCP server on 192.168.137.0/24 with the host at 192.168.137.1. If a client has difficulty obtaining an IP address, set a static configuration on the client as follows:
IP Address: 192.168.137.x --- "x" can be any number in the range 2-254, e.g. 192.168.137.100
Subnet Mask: 255.255.255.0
Gateway: 192.168.137.1
DNS 1: 8.8.8.8
DNS 2: 8.8.4.4
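The whole procedure above, scripted in PowerShell. This is an added example and not code from the original post: it checks driver support, configures and starts the hosted network, then enables ICS through the same COM interface the Sharing tab uses. The SSID, the key and the upstream adapter name `Ethernet` are assumptions for this example; Get-NetAdapter needs Windows 8 or later with PowerShell 3, and the whole thing must run elevated.

```powershell
# Added example (not from the original post): the hosted-network procedure in PowerShell.
# Run from an elevated PowerShell window on Windows 8/8.1 (PowerShell 3 or later).
# The SSID, key and upstream adapter name are assumptions; change them to fit your PC.
#Requires -RunAsAdministrator

$Ssid            = 'SSIDNAME'
$Key             = 'WIFI@KEY-change-me'   # WPA2-PSK: 8 to 63 printable ASCII characters
$UpstreamAdapter = 'Ethernet'             # the adapter that currently has internet access

function Test-HostedNetworkSupport {
    # "Hosted network supported : Yes" in the driver report means the adapter can run a SoftAP.
    $report = netsh wlan show drivers
    return [bool]($report | Select-String -Pattern 'Hosted network supported\s*:\s*Yes')
}

function Test-WpaKey {
    param([string]$Key)
    # WPA2-PSK passphrases are 8-63 printable ASCII characters; netsh rejects anything else.
    return ($Key.Length -ge 8 -and $Key.Length -le 63 -and $Key -match '^[\x20-\x7E]+$')
}

function Start-SoftAp {
    param([string]$Ssid, [string]$Key)
    if (-not (Test-WpaKey $Key)) { throw 'Key must be 8-63 printable ASCII characters.' }
    # keyUsage=persistent stores the key so the SoftAP keeps working after a reboot.
    netsh wlan set hostednetwork mode=allow ssid="$Ssid" key="$Key" keyUsage=persistent | Out-Null
    netsh wlan start hostednetwork | Out-Null
    # The virtual adapter shows up in Network Connections once the hosted network is running.
    return Get-NetAdapter | Where-Object InterfaceDescription -like 'Microsoft Hosted Network*'
}

function Enable-InternetSharing {
    param([string]$PublicAdapter, [string]$PrivateAdapter)
    # HNetCfg.HNetShare is the COM interface behind the Sharing tab in adapter properties.
    $ns = New-Object -ComObject HNetCfg.HNetShare
    $pubConn = $privConn = $null
    foreach ($conn in $ns.EnumEveryConnection) {
        $name = $ns.NetConnectionProps($conn).Name
        if ($name -eq $PublicAdapter)  { $pubConn  = $conn }
        if ($name -eq $PrivateAdapter) { $privConn = $conn }
    }
    if (-not $pubConn -or -not $privConn) { throw 'Adapter name not found; compare with Get-NetAdapter.' }
    # 0 = ICSSHARINGTYPE_PUBLIC (the upstream side), 1 = ICSSHARINGTYPE_PRIVATE (the hotspot side)
    $ns.INetSharingConfigurationForINetConnection($pubConn).EnableSharing(0)
    $ns.INetSharingConfigurationForINetConnection($privConn).EnableSharing(1)
}

if (-not (Test-HostedNetworkSupport)) { throw 'This wireless driver does not support the hosted network.' }
$softAp = Start-SoftAp -Ssid $Ssid -Key $Key
Enable-InternetSharing -PublicAdapter $UpstreamAdapter -PrivateAdapter $softAp.Name
netsh wlan show hostednetwork
```

Two things to keep in mind: the stored key can be read back in clear text by any administrator with `netsh wlan show hostednetwork setting=security`, so treat it like a password, and the hotspot stays up until you run `netsh wlan stop hostednetwork`, so stop it when you are done sharing.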

Sunday, May 4, 2014

[TUTORIAL] Windows Forensics: Incident Response - Am I Hacked??

Last week I received a message from a friend asking whether he had been hacked, because his laptop was obviously behaving strangely and had become slow. Other symptoms of being hacked include, but are not limited to, programs closing by themselves, the cursor moving by itself, the CD-ROM tray opening and closing by itself, and so on. The keyword here is "itself": Windows is doing things on its own, without your consent.

Normally this is the work of black hat hackers. If you don't know the term, a black hat is simply a hacker who is a bad guy. Yes, you heard it right, there are bad hackers, good hackers and even grey ones! They hack for a reason: they turn your PC into a zombie that does as they say. Some use it in a botnet to DDoS a target, some use it as a hop to attack other victims (stealing information and so on) with better anonymity, some use it as a server to distribute material, some lock up your PC and hold it for ransom... the list of reasons goes on and is limited only by imagination.

Alright! Let's cut it short and dive straight into the forensics. I prefer the old-school way of using the built-in Windows utilities, because starting from the basics is always the best way to learn. Of course Microsoft has released some new-school GUI utilities as well, which I will share later. Today I will only use netstat, an old command-line tool that has shipped with Windows for a long time.

netstat /?

Here is a snapshot of the netstat help screen in Windows XP. The XP version lacks a few options present in newer Windows versions, but that does not affect today's work, since we only use -a, -n and -o. ;) The -a switch shows all connections and listening ports, both TCP and UDP. The -n switch prints addresses and ports in numeric form instead of resolving names, which avoids DNS lookups and makes the output easier to match up later. The -o switch prints the process ID that owns each connection, which we use later to identify and kill the process.
netstat -ano

Proto: This column shows whether the row is a TCP or a UDP socket.
Local Address: This column shows the local IP address (0.0.0.0 or [::] means all interfaces), followed by the port number.
Foreign Address: This column shows the IP address of the remote end, followed by the port number (*:* for UDP and unconnected sockets).
State: This column shows the TCP connection state; UDP rows have none. The states you will see most often are:
ESTABLISHED - An active connection between the local and remote address.
LISTENING - A local port waiting for a remote host to connect.
CLOSE_WAIT - The remote host has closed the connection and the local program has not yet closed its side.
TIME_WAIT - The local host has closed the connection and is waiting for stray packets to expire.
PID: This column shows the process ID that owns the socket.

The rows to watch are the ones in the LISTENING and ESTABLISHED states: a trojan either listens for the attacker or connects back to him, and either way it shows up here. On my XP box the current netstat output is very short, with only ports 135, 139, 445 and 1030 listening. A quick first check on a port number is Google, but a port number alone proves nothing, because malware can use any port it likes; the process behind the PID is what really tells you.

So the next thing to do is identify the process behind the PID with the tasklist utility. Say we want to identify the program listening on port 1030 with PID 1892:
tasklist /FI "PID eq 1892"

We can see it's a program named alg.exe running on our PC. Assume we do not know what alg.exe is. Simply google it, or try this link: http://www.fileresearchcenter.com/


And we find out it is the "Application Layer Gateway Service", a legitimate Windows component. But what if we find a suspicious port with a process behind it? To demonstrate, I will run Poison Ivy, a well-known remote access trojan, in my XP box.


Here we see two unfamiliar entries, port 3460 and port 1044, and both belong to PID 1912. So let's find out what process 1912 is.

Obviously! It is our Poison Ivy! XD
So, let's just kill it (taskkill /PID 1912 /F)!

And the process has been killed. It is still best to scan your PC with a virus scanner, because the trojan will most likely start again at the next boot; the steps above only prove that you are infected and let you kill the trojan process for the moment. Also check the usual persistence points (the Run keys in the registry, services and scheduled tasks). The manual method is especially valuable for trojans that are still actively developed and not yet detected by AV, since then netstat is all you have.

Alternatively, you might try on TCPView, Process Monitor and Process Explorer with the GUI options.
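The same triage, automated: an added example in PowerShell that is not part of the original post. It parses `netstat -ano` output, handles the UDP rows that have no State column, joins each row with its owning process, and flags what a RAT typically looks like: an ESTABLISHED connection to a non-private address, or a listener on a high port. The sample output embedded below is constructed for this example (PID 1912 and ports 1044/3460 mirror the Poison Ivy run above; 203.0.113.9 is a documentation address); call `Get-NetstatTriage` with no arguments to run it against the live machine.

```powershell
# Added example (not from the original post): netstat -ano triage in PowerShell.
# The sample output below is constructed for this example; Get-NetstatTriage with no
# -Lines argument runs the real netstat instead. Needs PowerShell 3 or later.

$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1016
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1892
  TCP    192.168.1.20:1044      203.0.113.9:3460       ESTABLISHED     1912
  TCP    0.0.0.0:3460           0.0.0.0:0              LISTENING       1912
  UDP    0.0.0.0:500            *:*                                    740
'@ -split "`r?`n"

function Test-PrivateAddress {
    param([string]$Ip)
    # Loopback, unspecified, RFC 1918, link-local and wildcard endpoints count as "inside".
    return $Ip -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.0\.0\.0$|\*$|::1?$|fe80:)'
}

function Split-Endpoint {
    param([string]$Endpoint)
    # "203.0.113.9:3460" -> 203.0.113.9 / 3460 ; "[::]:135" -> :: / 135 ; "*:*" -> * / *
    $i = $Endpoint.LastIndexOf(':')
    return @{ Ip = ($Endpoint.Substring(0, $i) -replace '[\[\]]', ''); Port = $Endpoint.Substring($i + 1) }
}

function Get-NetstatTriage {
    param([string[]]$Lines = (netstat -ano))
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ('TCP', 'UDP' -notcontains $f[0]) { continue }   # skip banner and header rows
        # UDP rows have no State column, so take the PID from the last field in both cases.
        $state    = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
        $owningPid = [int]$f[-1]
        $local    = Split-Endpoint $f[1]
        $remote   = Split-Endpoint $f[2]
        $proc     = Get-Process -Id $owningPid -ErrorAction SilentlyContinue

        # What a trojan looks like: talking out to a public address, or listening on a high port.
        $external     = ($state -eq 'ESTABLISHED') -and -not (Test-PrivateAddress $remote.Ip)
        $highListener = ($state -eq 'LISTENING') -and ([int]$local.Port -ge 1024)

        [pscustomobject]@{
            Proto     = $f[0]
            LocalPort = $local.Port
            Remote    = "$($remote.Ip):$($remote.Port)"
            State     = $state
            PID       = $owningPid
            Process   = if ($proc) { $proc.ProcessName } else { '(not running)' }
            Path      = if ($proc) { $proc.Path } else { '' }
            Suspect   = ($external -or $highListener)
        }
    }
}

Get-NetstatTriage -Lines $SampleNetstat | Format-Table -AutoSize

# Once a PID is confirmed malicious, stop it and then check how it survives a reboot:
# Stop-Process -Id 1912 -Force
# Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
#                  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
```

On the sample, the ESTABLISHED row to 203.0.113.9 and the listeners on 1030 and 3460 come out flagged, while 135 and 445 do not; 1030 is the same false positive the post walks through (alg.exe), which is the point: the flag tells you where to look, and `tasklist` or the Path column tells you what it is. A user-mode netstat cannot see sockets hidden by a kernel rootkit, so an empty list is evidence, not proof.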

[TUTORIAL] How To Change Your MAC Address In Windows?

There are several methods in changing/spoofing your MAC address in Windows.

Method 1: This is the easiest way, as someone has already written a tool for the purpose: Technitium MAC Address Changer. It allows you to change (spoof) the Media Access Control (MAC) address of your Network Interface Card (NIC) irrespective of the NIC manufacturer or driver. However, I cannot comment further on it, as I personally have not tried it.

Method 2: This may not work on every adapter, but it usually can be done in the Ethernet adapter's settings, in just 3 steps: open the adapter's properties (Network Connections > right-click the adapter > Properties > Configure), go to the Advanced tab, then select the "Network Address" property and enter the new value.

Method 3: Unfortunately, there is no "Network Address" property in the Wi-Fi adapter's configuration. There is always another way, though: this time we do it through the Registry Editor. Fair warning: a mistake in the registry can damage your Windows installation, and I take no responsibility if that happens. If you're ready to move on, read on...

Open the Registry Editor (regedit) and navigate to the network adapter class key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\

(CurrentControlSet is a link to whichever control set Windows actually booted with; it is usually ControlSet001, but if the path above does not match your adapter, use HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\... instead.)

You will now see a lot of numbered subkeys: 0000, 0001, 0002 and so on. Look through each numbered subkey (0000 - 00XX) and check the DriverDesc value to find the one matching your wireless adapter.

In my case it is the first one, 0000! Right-click in the right panel and create a new String Value named "NetworkAddress" if it does not already exist.

Double-click the newly created "NetworkAddress" and fill in your desired MAC address as 12 hex digits with no separators, e.g. 021A2B3C4D5E.

NOTE: Windows drivers only accept a "locally administered" unicast address, which means the second hex digit of the first octet must be 2, 6, A or E (so the address starts with X2, X6, XA or XE). Any other value is silently ignored and the burned-in address stays in use.


The last step is to reboot your computer, or simply disable and re-enable the wireless adapter so the driver rereads the value.
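Method 3 as a script, added here as an example; it is not code from the original post and not the author's C++ tool described next. It matches the registry subkey to the adapter by its interface GUID (the NetCfgInstanceId value) rather than by eyeballing DriverDesc, refuses any address that Windows would ignore, writes NetworkAddress, bounces the adapter and returns the new address. The adapter name 'Wi-Fi' in the usage lines is an assumption; Get-NetAdapter and Restart-NetAdapter need Windows 8 or later with PowerShell 3, and the script must run elevated.

```powershell
# Added example (not from the original post, not the author's C++ tool): Method 3 in PowerShell.
# Run elevated on Windows 8/8.1 (PowerShell 3 or later). The adapter name in the usage
# lines is an assumption for this example.
#Requires -RunAsAdministrator

$ClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}'

function Test-LocallyAdministeredMac {
    param([string]$Mac)
    # Drivers only accept an address whose first octet has the locally administered bit (0x02)
    # set and the multicast bit (0x01) clear, i.e. a second hex digit of 2, 6, A or E.
    $hex = $Mac -replace '[-:]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') { return $false }
    $first = [Convert]::ToInt32($hex.Substring(0, 2), 16)
    return (($first -band 0x03) -eq 0x02)
}

function New-RandomMac {
    # Random 48-bit address with the first octet forced into the accepted form.
    $bytes = New-Object byte[] 6
    (New-Object System.Random).NextBytes($bytes)
    $bytes[0] = ($bytes[0] -band 0xFC) -bor 0x02
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Get-AdapterRegistryKey {
    param([string]$InterfaceGuid)
    # Each numbered subkey (0000, 0001, ...) holds one adapter; its NetCfgInstanceId value is the
    # adapter's interface GUID, which is a surer match than the DriverDesc string.
    Get-ChildItem $ClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).NetCfgInstanceId -eq $InterfaceGuid } |
        Select-Object -First 1
}

function Set-AdapterMac {
    param([string]$AdapterName, [string]$Mac = (New-RandomMac))
    if (-not (Test-LocallyAdministeredMac $Mac)) {
        throw "Refusing '$Mac': Windows ignores a MAC that is not locally administered and unicast."
    }
    $adapter = Get-NetAdapter -Name $AdapterName
    $key = Get-AdapterRegistryKey -InterfaceGuid $adapter.InterfaceGuid
    if (-not $key) { throw "No class subkey found for '$($adapter.InterfaceDescription)'." }
    # NetworkAddress is 12 hex digits with no separators; when absent the burned-in address is used.
    Set-ItemProperty -Path $key.PSPath -Name NetworkAddress -Value ($Mac -replace '[-:]', '') -Type String
    # Disabling and re-enabling the adapter makes the driver reread the value; no reboot needed.
    Restart-NetAdapter -Name $AdapterName -Confirm:$false
    Start-Sleep -Seconds 3
    return (Get-NetAdapter -Name $AdapterName).MacAddress
}

function Reset-AdapterMac {
    param([string]$AdapterName)
    # Removing the value restores the hardware address.
    $adapter = Get-NetAdapter -Name $AdapterName
    $key = Get-AdapterRegistryKey -InterfaceGuid $adapter.InterfaceGuid
    if ($key) { Remove-ItemProperty -Path $key.PSPath -Name NetworkAddress -ErrorAction SilentlyContinue }
    Restart-NetAdapter -Name $AdapterName -Confirm:$false
}

# Usage (adapter name assumed):
# Set-AdapterMac -AdapterName 'Wi-Fi'                            # random locally administered address
# Set-AdapterMac -AdapterName 'Wi-Fi' -Mac '02-1A-2B-3C-4D-5E'   # a chosen address
# Reset-AdapterMac -AdapterName 'Wi-Fi'                          # back to the burned-in address
```

Verify afterwards with `ipconfig /all` or `Get-NetAdapter`, as in the next section. If the address did not change, the most common cause is a first octet that fails the locally administered rule, which is exactly what `Test-LocallyAdministeredMac` guards against.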

To make this easier, I wrote a small program of my own in C++. Please note that the program needs to be run with admin privilege, since it changes the registry.


Let's check my original MAC address first:

Now start my little program to generate a new MAC address:

Verify the change with "ipconfig /all":

I have included the source code together with the tool; you are free to download the utility and use it right away HERE!