Monthly Archives: July 2013

Using cipher.exe on Windows to purge deleted files for good.

20 Saturday Jul 2013

Posted by in Security, Windows

4 Comments

Tags

,

It’s well known that when you delete files and folders in Windows they are not technically deleted.  When you delete a file, the disk space used by these files is tagged as available for use. This allows the files to be reconstituted using various free recovery utilities such as SoftPerfect’s File Recovery or Piriform’s Recuva. The blocks must be overwritten to actually eliminate them completely.

Windows has a native utility named cipher.exe that can wipe those pointers and make sure the data is actually purged. Cipher.exe can overwrite all free space on your disk thus insuring files you have deleted and actually gone.

This is a safe utility. I have run this command many times over the years. You can also setup a scheduled task and run weekly to keep your systems clean. Launch a command prompt as administrator (right-click cmd.exe and select Run as administrator) and type the following:

c:\cipher /w:X where X is the drive letter you want to clean.

You can run this on your c:\ drive without any issues. Also note that the larger your drive, the longer this will take. For reference, a 1TB drive 3/4’s full took about 3 hours.

Example (this is on Windows 7):

C:\Windows\system32> cipher /w:c

To remove as much data as possible, please close all other applications while
running CIPHER /W.
Writing 0x00
………………………………………………………………………………………………………….
Writing 0xFF
…………………………………………………………………………………………………………..
Writing Random Numbers
…………………………………………………………………………………………………………..

C:\Windows\system32>

 

Further reading on cipher.exe options is available here:

http://technet.microsoft.com/en-us/library/cc771346(v=ws.10).aspx

Nessus now audits NetApp Data ONTAP

16 Tuesday Jul 2013

Posted by in Nessus, NetApp, Security

Leave a comment

Tags

,

From the Tenable blog post:

Nessus recently added capabilities to perform configuration and compliance audits in two major areas of the enterprise. First, Tenable added the ability to audit enterprise Cisco networking equipment, namely Cisco’s Nexus NX-OS. Then, we expanded and greatly enhanced support for auditing VMware vSphere and vCenter. Now, we’ve added support for auditing NetApp Data ONTAP storage devices. The new .audit is primarily based off the NetApp hardening guides (technical reports TR-3649 and TR-3996).

http://www.tenable.com/blog/nessus-now-secures-netapp-data-ontap

When all you have is ping.exe.

04 Thursday Jul 2013

Posted by in Windows

Leave a comment

Tags

So you are sitting at a command prompt on a Windows 7 PC and you need to enumerate live systems on your subnet. You don’t have your normal toolbox. What’s a poor ol’ Sysadmin to do?  Try this:

c:\for /L %V in (1 1 254) do PING -n 1 your.network.%V | FIND /I “Reply”

Example:

C:\Users\me> for /L %V in (1 1 254) do PING -n 1 10.10.10.%V | FIND /I “Reply”

The output is:

C:\Users\me>PING -n 1 10.10.10.1 | FIND /I “Reply”
Reply from 10.10.10.1: bytes=32 time=1ms TTL=255

C:\Users\me>PING -n 1 10.10.10.2 | FIND /I “Reply”
Reply from 10.10.10.2: bytes=32 time=1ms TTL=128

C:\Users\me>PING -n 1 10.10.10.3 | FIND /I “Reply”
Reply from 10.10.10.3: bytes=32 time<1ms TTL=128

C:\Users\me>PING -n 1 10.10.10.4 | FIND /I “Reply”
Reply from 10.10.10.4: Destination host unreachable.

So what does this command mean. Can I break it down for you? Sure.

1) FOR /L %variable IN (start,step,end) DO command [command-parameters]

The set (in parenthesis) is a sequence of numbers from start to end, by step amount.
So (1 1 254) would generate the sequence 1 2 3 4 5 through 254 IP addresses in a /24 and (254,-1,1) would generate the sequence (5 4 3 2 1) in reverse.

2) PING -n 1

The count “Number” of echo requests to send. In this case its 1.

3) 10.10.10.%V

This is the network (/24) I am pinging. The %V variable is the for /L %V count 1, 2, 3, 4, 5, 6->254 as described in #1 above. Its pings 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, etc., all the way to 10.10.10.254.

4) | FIND /I “Reply”

This pipes “|” the output of the ping command to FIND, the /I tells find.exe to ignore case and “Reply” is the string you are searching for. This gives you the “Reply from” string to determine if the IP is in use for unreachable.