Windows Forensics Tools : Densityscout

DensityScout is a tool for finding (possibly unknown) malware on a potentially infected system. It takes advantage of the typical approach of malware authors to protect their "products" with obfuscation such as run-time packing and encryption. The tool scans a given file-system path, calculates the density of each file and prints a list sorted accordingly. Most Microsoft Windows executables are not packed or encrypted in any way, so packed or encrypted (and therefore suspicious) executables rise to the top of the list, where one can easily focus on them.

Website :

How to Use

1. Download software from website :

2. Unzip the folder

3. Go to the folder where you unzipped the files

4. Type cmd.exe in the Explorer address bar and press Enter.

5. Type the following command at the cmd prompt:
densityscout -pe -p 0.1 -o results.txt c:\Windows\System32
Using the above command you can scan the System32 folder for any "suspicious" files.

Output at the cmd prompt

DensityScout scans the directory, writes the full result to a text file in the folder, and shows the files whose density is below the given threshold on the command prompt itself.

6. You can then submit the flagged files for further scanning to check for any malicious activity.
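As an added illustration (not DensityScout's own code or formula), the script below walks a directory, applies a cheap PE check in place of the -pe switch, scores each file with an entropy-based stand-in for DensityScout's density, and lists the lowest scores first, so the constructed "packed" sample lands at the top and under the 0.1 cut-off used in the command above.

```python
import math
import os
import random
import tempfile
from collections import Counter

def density(data: bytes) -> float:
    # Added approximation, not DensityScout's own formula: 1 minus normalized
    # Shannon entropy, so plain content scores near 1.0 and packed/encrypted
    # (near-random) content scores near 0.0, below the page's -p 0.1 cut-off.
    if not data:
        return 1.0
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return 1.0 - entropy / 8.0

def is_pe(data: bytes) -> bool:
    # Cheap stand-in for the -pe switch: MZ header and PE\0\0 at e_lfanew.
    if len(data) < 0x44 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_path(root: str, pe_only: bool = True):
    # Score every (PE) file under root; lowest density = most suspicious first.
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if pe_only and not is_pe(data):
                continue
            results.append((os.path.relpath(path, root), density(data)))
    return sorted(results, key=lambda item: item[1])

def build_demo_tree() -> str:
    # Constructed sample tree: a 'packed' PE, a plain PE and a text file.
    root = tempfile.mkdtemp()
    header = bytearray(0x44)
    header[0:2], header[0x3C:0x40] = b"MZ", (0x40).to_bytes(4, "little")
    header[0x40:0x44] = b"PE\x00\x00"
    rng = random.Random(7)  # seeded so the 'packed' body is reproducible
    packed = bytes(header) + bytes(rng.getrandbits(8) for _ in range(4096))
    plain = bytes(header) + b"\x00" * 3000 + b"Hello from a plain binary.\r\n" * 40
    for name, body in (("packed.exe", packed), ("plain.exe", plain),
                       ("notes.txt", b"not a PE file\n" * 50)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root
```

Calling scan_path(build_demo_tree()) returns packed.exe first with a score well under 0.1, plain.exe after it, and skips notes.txt because it is not a PE file.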


CarbonBlack Protection : How to use Timed Policy Overrides on a Windows PC

Using Timed Policy Overrides

You might need to install new applications on a selected computer that is under High Enforcement Level protection. You can do this by temporarily giving the computer permission to execute any files that are not banned, by putting it into the Local Approval policy.

When a computer is disconnected from the network it cannot be controlled directly from the Cb Protection Server. To put such a computer into local approval mode, you can generate a special code that can be entered on an agent-managed computer to switch its Enforcement Level for a specified amount of time. The code is specific to one agent, and it can be used only once.

While especially convenient for disconnected computers, a timed policy override may also be used for a connected computer. The override procedure disconnects the agent during the override.

Note: Use of timed overrides is not recommended for Windows computers that are currently connected to the Cb Protection Server.

To generate a code to place a computer in temporary local approval mode:

1. On the console menu, choose Assets > Computers.

2. Choose the desired computer from the list of computers and click on it. The Computer Details page for that system appears.

3. Click the Policy Override tab in the panel at the bottom of the page.

4. In the Temporary Policy Override Code panel, leave the default choice for Temporary Enforcement, which is Local Approval.

5. In the Enforcement Level Active For box, enter the number of minutes (up to 500) you want the Enforcement Level change to last.

6. In the Key Valid For box, enter the length of time you want the override code to be valid. Your choice for this field should take into account how long it will take to get the key to the computer user who needs it and how quickly they will be able to enter it.

7. When you have entered all parameters, click the Generate Code button. A code with nine sets of letters separated by dashes appears in the box next to the button.

8. Copy and save the code from the box (and note the computer name) so that you can deliver it to the person who will be installing new software on the offline computer. The code is not saved on the Computer Details page, so you must record it.

The procedure for applying the override code on a Windows computer

On Windows computers, disconnecting the agent from Cb Protection Server is strongly recommended before initiating an override.

To use a Timed Policy Override code on a Windows computer:

1. On the offline computer, locate and run the program TimedOverride.exe, which is in the Cb Protection Agent installation directory. An authorization dialog box appears.

Note : In Windows 7 you can find it under "C:\Program Files (x86)\Bit9\Parity Agent\TimedOverride.exe"

2. Enter the override code for this agent into the dialog box and click OK.

- If the code entered is invalid or expired, or if TimedOverride.exe is unable to communicate with the Cb Protection Agent for any reason, an error message will be displayed. After three invalid attempts, the program automatically closes.

- If a valid code is entered and the Enforcement Level transition is successful, no message is displayed but the dialog box closes.

3. If there was no error code and the dialog box is no longer displayed, you can begin installing the new software needed on this machine (assuming your override code was for Local Approval). The Enforcement Level will return to its original Enforcement Level after the time period configured when the code was generated.

Router Commands

 * To jump from user mode to privileged mode :- Router>enable

 * To jump from privileged mode to global config mode :- Router#configure terminal OR conf t

 * To show the IOS version :- Router#show version

 * To show flash memory :- Router#show flash

 * To show the startup configuration :- Router#show startup-config

 * To show the running configuration :- Router#show running-config

 * To copy the running config to the startup config :- Router#wr OR copy running-config startup-config

 * To set the hostname :- Router(config)#hostname <name>

 * To set the enable password :- Router(config)#enable password <word> (enable secret <word> stores the password hashed instead of in clear text and is preferred)

To set the console password (the login command is required, otherwise the password is not enforced on the line)

Router(config)#line console 0
Router(config-line)#password <word>
Router(config-line)#login

To erase the startup configuration :- write erase OR erase startup-config

To set the auxiliary password
Router(config)#line aux 0
Router(config-line)#password <word>
Router(config-line)#login

To set an IP address on an interface

Router(config)#interface <interface name & no.>
Router(config-if)#ip address <ip address> <subnet mask>


 * Static routing

Router(config)#ip route <network addr.> <subnet mask> <nexthop ip addr or exit interface name>

 * Default routing

Router(config)#ip route 0.0.0.0 0.0.0.0 <nexthop ip addr or exit interface name>

 * Dynamic routing (on the basis of routing protocols)

To configure the telnet service (an enable password is also needed so telnet users can reach privileged mode)
Router(config)#line vty 0 4
Router(config-line)#password <word>
Router(config-line)#login
Router(config-line)#exit
Router(config)#enable password <word>


Standard ACL
Creating a standard ACL :- Router(config)#access-list <listno> <permit/deny> <source ip> <source wildcard mask>
Applying the ACL :- Router(config)#interface <name & no>
                    Router(config-if)#ip access-group <listno> <in/out>
To avoid the implicit deny statement at the end of the list :- Router(config)#access-list <listno> permit any

Extended ACL
Creating an extended ACL :-
         Router(config)#access-list <listno> <permit/deny> <protocol> <source ip> <source WCM> <dest ip> <dest WCM> [logic, e.g. eq <port>]

Applying the ACL :- Router(config)#interface <interface name & no>
                    Router(config-if)#ip access-group <listno> <in/out>

To avoid the implicit deny statement :- Router(config)#access-list <listno> permit ip any any

Named ACL (the prompt is config-std-nacl for a standard list, config-ext-nacl for an extended list)
Router(config)#ip access-list <standard/extended> <name>
Router(config-ext-nacl)#<permit/deny> <protocol> <source ip> <source WCM> <dest ip> <dest WCM> [logic, e.g. eq <port>]
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#exit
Router(config)#interface <interface name & no>
Router(config-if)#ip access-group <name> <in/out>
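To check how a standard or extended ACL will treat a packet before it is applied to an interface, the added Python script below (not a Cisco tool; it handles only the access-list forms used above, with numeric ports after eq) parses the list, matches addresses with Cisco wildcard masks, applies the top-down first-match rule and reports when the implicit deny at the end of the list is what fired.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
# Constructed sample: block telnet to one host, allow the LAN; all else hits implicit deny.
SAMPLE_ACL = """access-list 101 deny tcp any host 10.0.0.5 eq 23
access-list 101 permit ip 192.168.1.0 0.0.0.255 any"""

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Cisco wildcard mask: 0 bits must match the base address, 1 bits are "don't care".
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _take_addr(tok):
    # Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_acl(config: str):
    # Numbered lists 1-99 are standard (source only); 100-199 are extended.
    # Only the forms used on this page are handled; 'eq' takes a numeric port.
    entries = []
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        listno, action = int(tok[1]), tok[2]
        if listno <= 99:
            src, _ = _take_addr(tok[3:])
            entries.append({"action": action, "proto": "ip", "src": src, "dst": ANY, "port": None})
            continue
        src, rest = _take_addr(tok[4:])
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append({"action": action, "proto": tok[3], "src": src, "dst": dst, "port": port})
    return entries

def evaluate(entries, src, dst, proto="ip", dport=None):
    # Top-down, first match wins; index None means the implicit 'deny' applied.
    for i, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"], i
    return "deny", None
```

Running evaluate(parse_acl(SAMPLE_ACL), "172.16.0.1", "10.0.0.9", "udp", 53) returns ("deny", None), which is exactly the case the "permit ip any any" line above is added to avoid.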


Static NAT
Router(config)#ip nat inside source static <private ip> <public ip>

For both static and dynamic NAT the interfaces must also be marked: Router(config-if)#ip nat inside on the LAN-facing interface and Router(config-if)#ip nat outside on the Internet-facing interface.

Dynamic NAT
Create a pool and assign a range of public IPs to it :-
Router(config)#ip nat pool <poolname> <start ip> <end ip> netmask <subnetmask>
Assign the pool to an ACL :-

Router(config)#ip nat inside source list <listno> pool <pool name>

Define which inside (customer) source addresses are allowed to be translated, using that ACL :-

Router(config)#access-list <listno> permit/deny <source ip> <source WCM>


Creating EIGRP :-

Router(config)#router eigrp <AS no>
Router(config-router)#network <connected network address>

To show the neighbor table :- Router#show ip eigrp neighbors

To show the topology table :- Router#show ip eigrp topology

To show the EIGRP routing table :- Router#show ip route eigrp


Creating OSPF :- Router(config)#router ospf <process id>
                 Router(config-router)#network <network addr> <wildcard mask> area <area id>

To show the OSPF hello, dead and wait timers on an interface :- Router#show ip ospf interface <interface name & no.>

To show the database table :- Router#show ip ospf database


Nexus 7700 License Installation

Below are the steps to install the license:

1. Get the license file from Cisco
2. Copy the license file to a USB stick
3. Connect the USB stick to the N7K
4. Confirm the license file is issued to the correct host-id
5. Copy the .lic file from the USB stick to bootflash
6. Install the file

NOTE : Make sure that the host-id on the N7K and in the license file are the same, otherwise get a new license file from Cisco. The license only installs if they match.

User Access Verification
SW1-AdminVDC login: admin
Password: *******

Check the current license:
SW1-Admin-VDC# show license usage
Feature                      Ins  Lic   Status Expiry Date Comments
MPLS_PKG                      No    -   Unused             -
STORAGE-ENT                   No    -   Unused             -
VDC_LICENSES                  No    0   Unused             Grace expired
FCOE-N7K-F248XP               No    0   Unused             -
ENHANCED_LAYER2_PKG           No    -   Unused             -
TRANSPORT_SERVICES_PKG        No    -   Unused             -
LAN_ENTERPRISE_SERVICES_PKG   Yes   -   Unused Never       -
SW1-AdminVDC# dir usb1:
        393    Jan 08 11:56:54 2018
        298    Jan 08 04:08:32 2018  N7700201801080XXXXXXX.lic
       4096    Dec 31 11:20:48 2017  N7k run/

SW1-AdminVDC# sh file usb1:N7700201801080XXXXXXX.lic

SERVER this_host ANY
VENDOR cisco
INCREMENT VDC_LICENSES cisco 1.0 permanent 4 \
        NOTICE="<LicFileID>2018010804083XXX</LicFileID><LicLineID>1</LicLineID> \
        <PAK></PAK>" SIGN=DE7FC25XXXX8

SW1-AdminVDC# sh license host-id
License hostid: VDH=N77-C7710:JPGXXXXXXX

SW1-AdminVDC# copy usb1:N7700201801080XXXXXXX.lic bootflash://
Copy progress 100% 298B
Copy complete, now saving to disk (please wait)...

SW1-AdminVDC# install license bootflash:N7700201801080XXXXXXX.lic
Installing license ..............done

SW1-AdminVDC# sh license usage
Feature                      Ins  Lic   Status Expiry Date Comments
MPLS_PKG                      No    -   Unused             -
STORAGE-ENT                   No    -   Unused             -
VDC_LICENSES                  Yes   4   Unused Never       -
FCOE-N7K-F248XP               No    0   Unused             -
ENHANCED_LAYER2_PKG           No    -   Unused             -
TRANSPORT_SERVICES_PKG        No    -   Unused             -
LAN_ENTERPRISE_SERVICES_PKG   Yes   -   Unused Never       -


How to do remote port monitoring using Wireshark

Remote port monitoring using Wireshark
Step 1: Create the RSPAN VLAN

SW1(config)# vlan 900
SW1(config-vlan)# remote span
SW1(config-vlan)# end
SW3(config)# vlan 900
SW3(config-vlan)# remote span
SW3(config-vlan)# end

- The RSPAN VLAN needs to exist in the VLAN database of the source switch, the destination switch and all switches in the transit path between them. It also needs to be allowed on all trunk ports between the source and destination switches.
- The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved for Token Ring and FDDI VLANs).

Configure the following commands on the switch that has the Internet port:

#no monitor session 1
#monitor session 1 source interface fastethernet 0/1
#monitor session 1 destination remote vlan 900

The source interface above will be the Internet port that you need to monitor, and the VLAN ID for the remote VLAN will be your newly created RSPAN VLAN.

Then on the destination switch, i.e. the one connected to the host that needs to see the packets:

#no monitor session 1
#monitor session 1 source remote vlan 900
#monitor session 1 destination interface fastethernet 0/10

The source VLAN will be the RSPAN VLAN and the destination interface will be the port that you want to output your packets to, where the host running Wireshark is connected. Verify the session with:

#show monitor session 1