About Ushecking Gui

Posted : admin On 8/22/2021

Creates and manages windows and controls. Such windows can be used as data entry forms or custom user interfaces.

Download hecking gui v2. Hecking GUI V2 is new so expect bugs Report anything in the discord. Please understand why we use a URL shortener (because were poor). How to Unblock Websites at School, Work, Home or Anywhere. Internet Censorship has grown drastically over the past few years with countries like China, Pakistan, Saudi Arabia, Iran taking the lead over other governments in extending internet censorship to almost all sources of free unbiased information. The Origins of the GUI “What I saw in the Xerox PARC technology was the caveman interface, you point and you grunt. A massive winding down, regressing away from language, in order to address the. Hi, I’m Adam Wright, founder of the LifeHacker Guy. I’d love to tell you a bit about my backstory, and why I started this blog (Little Disclaimer: This page is long and probably boring.Read at your own risk).

The SubCommand, Value1, Value2 and Value3 parameters are dependent upon each other and their usage is described below.

Here is the list of top 5 hacking apps for PC, that are used by Hackers. But before that have a look on what is Hacking. Hacking is an endeavor to misuse a computer system or a private network.

Table of Contents

  • Options for a Control (Gui Add)
  • Window Events: GuiClose GuiEscape GuiSize GuiContextMenu GuiDropFiles


For SubCommand, specify one of the following:

  • New[v1.1.04+]: Creates a new window.
  • Add: Creates a control such as text, button, or checkbox.
  • Show: Displays the window. It can also minimize, maximize, or move the window.
  • Submit: Saves the user's input and optionally hides the window.
  • Cancel / Hide: Hides the window.
  • Destroy: Deletes the window.
  • Font: Sets the typeface, size, style, and text color for subsequently created controls.
  • Color: Sets the background color for the window and/or its controls.
  • Margin: Sets the margin/spacing used whenever no explicit position has been specified for a control.
  • Options and styles for a window: Sets various options for the appearance and behavior of the window.
  • Menu: Adds or removes a menu bar.
  • Minimize / Maximize / Restore: Performs the indicated operation on the window.
  • Flash: Blinks the window and its taskbar button.
  • Default: Changes the current thread's default GUI window name.

New [v1.1.04+]

Creates a new window and sets it as the default for the current thread.

If GuiName is specified, a new GUI will be created, destroying any existing GUI with that name. Otherwise, a new unnamed and unnumbered GUI will be created.

Options can contain any of the options supported by the main GUI command.

If Title is omitted, the script's file name is used.

This sub-command comes with the following caveats:

  • In most cases the window is created automatically on demand, so it is usually unnecessary to call Gui New.
  • Although the new window is set as the default for the current thread, non-GUI threads still default to GUI number 1.
  • If the GUI has no name and is not the default GUI, it must be identified by its HWND. Use the +HwndGuiHwnd option to store the HWND of the new window in GuiHwnd. Gui, %GuiHwnd%:Default can be used to make the other Gui commands operate on it by default.

On the positive side:

  • Calling Gui New ensures that the script is creating a new GUI, not modifying an existing one. It might also make the script's purpose clearer to other people who read your code (or future you).
  • Gui New eliminates the need to pick a unique name or number for each GUI. This can be especially useful if the script needs to create more than one GUI, or is intended to be included in other scripts.
  • Sometimes it is more intuitive to set the window's title when the GUI is created instead of when it is shown.

If no name is given, the following applies:

  • Special labels such as GuiClose have the default 'Gui' prefix unless overridden by +LabelPrefix in the options.
  • Whenever the GUI launches a new thread, A_Gui contains a HWND instead of a name.

Note: Prior to [v1.1.08], this sub-command did not set the default Gui if a name was specified.


Adds a control to a GUI window (first creating the GUI window itself, if necessary).

ControlType is one of the following:

  • Text, Edit, UpDown, Picture
  • Button, Checkbox, Radio
  • DropDownList, ComboBox
  • ListBox, ListView, TreeView
  • Link, Hotkey, DateTime, MonthCal
  • Slider, Progress
  • GroupBox, Tab, StatusBar
  • ActiveX (e.g. Internet Explorer Control)

Options is a string of zero or more options, as described in the following sections:

For example:


Unless otherwise specified in Options, this sub-command makes the window visible, unminimizes it (if necessary), activates it, and sets its title.

If Title is omitted, the previous title is retained (or if none, the script's file name is used).

Omit the X, Y, W, and H options below to have the window retain its previous size and position. If there is no previous position, the window will be auto-centered in one or both dimensions if the X and/or Y options mentioned below are absent. If there is no previous size, the window will be auto-sized according to the size and positions of the controls it contains.

Zero or more of the following strings may be present in Options (specify each number as decimal, not hexadecimal):

Wn: Specify for n the width (in pixels) of the window's client area (the client area excludes the window's borders, title bar, and menu bar).

Hn: Specify for n the height of the window's client area, in pixels.

Xn: Specify for n the window's X-position on the screen, in pixels. Position 0 is the leftmost column of pixels visible on the screen.

Yn: Specify for n the window's Y-position on the screen, in pixels. Position 0 is the topmost row of pixels visible on the screen.

Center: Centers the window horizontally and vertically on the screen.

xCenter: Centers the window horizontally on the screen. For example: Gui, Show, xCenter y0.

yCenter: Centers the window vertically on the screen.

AutoSize: Resizes the window to accommodate only its currently visible controls. This is useful to resize the window after new controls are added, or existing controls are resized, hidden, or unhidden. For example: Gui, Show, AutoSize Center.

Minimize: Minimizes the window and activates the one beneath it.

Maximize: Maximizes and activates the window.

Restore: Unminimizes or unmaximizes the window, if necessary. The window is also shown and activated, if necessary.

NoActivate: Unminimizes or unmaximizes the window, if necessary. The window is also shown without activating it.

NA: Shows the window without activating it. If the window is minimized, it will stay that way but will probably rise higher in the z-order (which is the order seen in the alt-tab selector). If the window was previously hidden, this will probably cause it to appear on top of the active window even though the active window is not deactivated.

Hide: Hides the window and activates the one beneath it. This is identical in function to Gui Cancel except that it allows a hidden window to be moved, resized, or given a new title without showing it. For example: Gui, Show, Hide x55 y66 w300 h200, New Title.


Saves the contents of each control to its associated variable (if any) and hides the window unless the NoHide option is present.

For controls that produce multiple fields of output, such as a multi-select ListBox, the output uses the window's current delimiter. If the window does not exist -- perhaps due to having been destroyed via Gui Destroy -- this sub-command has no effect.

Hides the window without saving the controls' contents to their associated variables.

If the window does not exist -- perhaps due to having been destroyed via Gui Destroy -- this sub-command has no effect.


Removes the window (if it exists) and all its controls, freeing the corresponding memory and system resources.

If the script later recreates the window, all of the window's properties such as color and font will start off at their defaults (as though the window never existed). If this sub-command is not used, all GUI windows are automatically destroyed when the script exits.


Sets the font typeface, size, style, and/or color for controls added to the window from this point onward.

For example:

Omit the last two parameters to restore the font to the system's default GUI typeface, size, and color.

FontName may be the name of any font, such as one from the font table. If FontName is omitted or does not exist on the system, the previous font's typeface will be used (or if none, the system's default GUI typeface). This behavior is useful to make a GUI window have a similar font on multiple systems, even if some of those systems lack the preferred font. For example, by using the following commands in order, Verdana will be given preference over Arial, which in turn is given preference over MS Sans Serif:

If the Options parameter is blank, the previous font's attributes will be used. Otherwise, specify one or more of the following option letters as substitutes:

C: Color name (see color chart) or RGB value -- or specify the word Default to return to the system's default color (black on most systems). Example values: cRed, cFFFFAA, cDefault. Note: Buttons do not obey custom colors. Also, an individual control can be created with a font color other than the current one by including the C option. For example: Gui, Add, Text, cRed, My Text.

S: Size (in points). For example: s12 (specify decimal, not hexadecimal)

W: Weight (boldness), which is a number between 1 and 1000 (400 is normal and 700 is bold). For example: w600 (specify decimal, not hexadecimal)

The following words are also supported: bold, italic, strike, underline, and norm. Norm returns the font to normal weight/boldness and turns off italic, strike, and underline (but it retains the existing color and size). It is possible to use norm to turn off all attributes and then selectively turn on others. For example, specifying norm italic would set the font to normal then to italic.

To specify more than one option, include a space between each. For example: cBlue s12 bold.

If a script creates multiple GUI windows, each window remembers its own 'current font' for the purpose of creating more controls.

On a related note, the operating system offers standard dialog boxes that prompt the user to pick a font, color, or icon. These dialogs can be displayed via DllCall() as demonstrated at GitHub.

Q: [AHK_L 19+]: Text rendering quality. For example: q3. Q should be followed by a number from the following table:

0 = DEFAULT_QUALITYAppearance of the font does not matter.
1 = DRAFT_QUALITYAppearance of the font is less important than when the PROOF_QUALITY value is used.
2 = PROOF_QUALITYCharacter quality of the font is more important than exact matching of the logical-font attributes.
3 = NONANTIALIASED_QUALITYFont is never antialiased, that is, font smoothing is not done.
4 = ANTIALIASED_QUALITYFont is antialiased, or smoothed, if the font supports it and the size of the font is not too small or too large.
5 = CLEARTYPE_QUALITYWindows XP and later: If set, text is rendered (when possible) using ClearType antialiasing method.

For more details of what these values mean, see MSDN: CreateFont.

Since the highest quality setting is usually the default, this feature is more typically used to disable anti-aliasing in specific cases where doing so makes the text clearer.


Sets the background color of the window and/or its controls.

WindowColor is used as the background for the GUI window itself. ControlColor is applied to all present and future controls in the window (though some types of controls do not support a custom color). Although ControlColor is initially obeyed by ListViews and TreeViews, subsequent changes to ControlColor do not affect them. In such cases, use GuiControl +BackgroundFF9977, MyListView to explicitly change the color.

Leave either parameter blank to retain the current color. Otherwise, specify one of the 16 primary HTML color names or a 6-digit RGB color value (the 0x prefix is optional), or specify the word Default to return either to its default color. Example values: Silver, FFFFAA, 0xFFFFAA, Default.

By default, the window's background color is the system's color for the face of buttons, and the controls' background color is the system's default window color (usually white).

The color of the menu bar and its submenus can be changed as in this example: Menu, MyMenuBar, Color, White.

To make the background transparent, use WinSet TransColor. However, if you do this without first having assigned a custom window color via Gui Color, buttons will also become transparent. To prevent this, first assign a custom color and then make that color transparent. For example:

To additionally remove the border and title bar from a window with a transparent background, use the following after the window has been made transparent:

To illustrate the above, there is an example of an on-screen display (OSD) near the bottom of this page.


Sets the number of pixels of space to leave at the left/right and top/bottom sides of the window when auto-positioning any control that lacks an explicit X or Y coordinate.

Also, the margins are used to determine the vertical and horizontal distance that separates auto-positioned controls from each other. Finally, the margins are taken into account by the first use of Gui Show to calculate the window's size (when no explicit size is specified).

Gui, Margin affects only the default window, while Gui, Name:Margin affects only the named window. If this command is not used, when the first control is added to a window, the window acquires a default margin on all sides proportional to the size of the currently selected font (0.75 times font-height for top & bottom, and 1.25 times font-height for left & right).

Although the margin may be changed during the course of adding controls, the change will affect only controls added in the future, not ones that already exist. Finally, either X or Y may be blank to leave the corresponding margin unchanged.

Options and styles for a window

One or more options may be specified immediately after the GUI command.

For performance reasons, it is better to set all options in a single line, and to do so before creating the window (that is, before any use of other sub-commands such as Gui Add).

The effect of this command is cumulative; that is, it alters only those settings that are explicitly specified, leaving all the others unchanged.

Specify a plus sign to add the option and a minus sign to remove it. For example:

AlwaysOnTop: Makes the window stay on top of all other windows, which is the same effect as WinSet AlwaysOnTop.

Border: Provides a thin-line border around the window. This is not common.

Caption (present by default): Provides a title bar and a thick window border/edge. When removing the caption from a window that will use WinSet TransColor, remove it only after setting the TransColor.

Delimiter: Specifies that the window should use a field separator other than pipe ( ) whenever controls' contents are added via Gui Add, modified via GuiControl, or retrieved via Gui Submit or GuiControlGet. Specify a single character immediately after the word Delimiter. For example, Gui +Delimiter`n would use a linefeed character, which might be especially appropriate with continuation sections. Similarly, Gui +Delimiter would revert to the default delimiter. To use space or tab, specify Gui +DelimiterSpace or Gui +DelimiterTab. Once the delimiter is changed, it affects all existing and subsequent threads that operate on this particular window.

Disabled: Disables the window, which prevents the user from interacting with its controls. This is often used on a window that owns other windows (see Owner).

DPIScale[v1.1.11+]: Use Gui -DPIScale to disable DPI scaling, which is enabled by default. If DPI scaling is enabled on a system with a non-standard DPI setting, the Gui sub-commands automatically scale coordinates and sizes to give controls roughly the same apparent size (but higher resolution). For example, with a DPI of 144 (150%), Gui Show, w100 would make the Gui 150 pixels wide, but A_GuiWidth would still return 100. A_ScreenDPI contains the system's current DPI.

DPI scaling only applies to Gui sub-commands, so coordinates coming directly from other sources such as ControlGetPos or WinGetPos will not work. There are a number of ways to deal with this:

  • Avoid using hard-coded coordinates wherever possible. For example, use the xp, xs, xm and x+m options for positioning controls and specify height in rows of text instead of pixels.
  • Enable (Gui +DPIScale) and disable (Gui -DPIScale) scaling on the fly, as needed. Changing the setting does not affect positions or sizes which have already been set.
  • Manually scale the coordinates. For example, x*(A_ScreenDPI/96) converts x from logical/Gui coordinates to physical/non-Gui coordinates.

HwndOutputVar[v1.1.04+]: This option stores the window handle (HWND) of the GUI in OutputVar. For example: Gui +HwndMyGuiHwnd. When within a function, MyGuiHwnd is treated as a function dynamic variable. A GUI's HWND is often used with PostMessage, SendMessage, and DllCall(). It can also be used directly as an ahk_id WinTitle or in place of a GUI name; for example, Gui %MyGuiHwnd%:Destroy.

Label[v1.0.44.09+]: Sets custom names for this window's special labels. For example, Gui MyGui:+LabelMyGui_On would use the labels MyGui_OnClose and MyGui_OnSize (if they exist) instead of MyGuiGuiClose and MyGuiGuiSize. In other words, the string 'MyGuiGui' is replaced by 'MyGui_On' in the names of all special labels. This can also be used to make multiple windows share the same set of labels (in which case the script may consult A_Gui to determine which window launched the subroutine).

LastFound: Sets the window to be the last found window (though this is unnecessary in a Gui thread because it is done automatically), which allows commands such as WinSet to operate on it even if it is hidden (that is, DetectHiddenWindows is not necessary). This is especially useful for changing the properties of the window before showing it. For example:

LastFoundExist[v1.0.43.09+]: Unlike other options, LastFoundExist is recognized only when no other options appear on the same line. +LastFoundExist is the same as +LastFound except that the window is not created if it does not already exist. The main use for this is to detect whether a particular GUI window exists. For example:

MaximizeBox: Enables the maximize button in the title bar. This is also included as part of Resize below.

MinimizeBox (present by default): Enables the minimize button in the title bar.

MinSize and MaxSize[v1.0.44.13+]: Determines the minimum and/or maximum size of the window, such as when the user drags its edges to resize it. Specify the word MinSize and/or MaxSize with no suffix to use the window's current size as the limit (if the window has no current size, it will use the size from the first use of Gui Show). Alternatively, append the width, followed by an X, followed by the height; for example: Gui +Resize +MinSize640x480. The dimensions are in pixels, and they specify the size of the window's client area (which excludes borders, title bar, and menu bar). Specify each number as decimal, not hexadecimal.

Either the width or the height may be omitted to leave it unchanged (e.g. +MinSize640x or +MinSizex480). Furthermore, Min/MaxSize can be specified more than once to use the window's current size for one dimension and an explicit size for the other. For example, +MinSize +MinSize640x would use the window's current size for the height and 640 for the width.

If MinSize and MaxSize are never used, the operating system's defaults are used (similarly, Gui -MinSize -MaxSize can be used to return to the defaults).

Note: the window must have +Resize to allow resizing by the user.

OwnDialogs: Gui +OwnDialogs should be specified in each thread (such as a ButtonOK subroutine) for which subsequently displayed MsgBox, InputBox, FileSelectFile, and FileSelectFolder dialogs should be owned by the window. Such dialogs become modal, meaning that the user cannot interact with the GUI window until dismissing the dialog. By contrast, ToolTip, Progress, and SplashImage windows do not become modal even though they become owned; they will merely stay always on top of their owner. In either case, any owned dialog or window is automatically destroyed when its GUI window is destroyed.

There is typically no need to turn this setting back off because it does not affect other threads. However, if a thread needs to display both owned and unowned dialogs, it may turn off this setting via Gui -OwnDialogs.

If no window name prefix is specified -- such as using Gui +OwnDialogs rather than Gui MyGui:+OwnDialogs -- the thread's default window will own the dialogs.

Owner: Use +Owner to make the window owned by another. An owned window has no taskbar button by default, and when visible it is always on top of its owner. It is also automatically destroyed when its owner is destroyed. +Owner must be used after the window's owner is created, but [v1.1.05] and later allow it to be used before or after the owned window is created. There are two ways to use +Owner as shown in these examples:

[v1.1.03+]:+Owner can be immediately followed by the name or number of an existing Gui or the HWND of any top-level window.

Compatibility note: In [v1.1.03] and later, +Owner removes the WS_CHILD style and sets the WS_POPUP style. To set the parent window of a Gui, scripts must either use the +Parent option, or override the appropriate styles after the +Owner option.

To prevent the user from interacting with the owner while one of its owned window is visible, disable the owner via Gui +Disabled. Later (when the time comes to cancel or destroy the owned window), re-enable the owner via Gui -Disabled. Do this prior to cancel/destroy so that the owner will be reactivated automatically.

Parent[v1.1.03+]: Use +Parent immediately followed by the name or number of an existing Gui or the HWND of any window or control to use it as the parent of this window. To convert the Gui back into a top-level window, use -Parent. This option works even after the window is created.

Resize: Makes the window resizable and enables its maximize button in the title bar. To avoid enabling the maximize button, specify +Resize -MaximizeBox.

SysMenu (present by default): Specify -SysMenu (minus SysMenu) to omit the system menu and icon in the window's upper left corner. This will also omit the minimize, maximize, and close buttons in the title bar.

Theme: By specifying -Theme, all subsequently created controls in the window will have Classic Theme appearance on Windows XP and beyond. To later create additional controls that obey the current theme, turn it back on via +Theme.

Note: The Theme option has no effect on operating systems older than Windows XP, nor does it have any effect on XP itself if the Classic Theme is in effect.

Finally, this setting may be changed for an individual control by specifying +Theme or -Theme in its options when it is created.

ToolWindow: Provides a narrower title bar but the window will have no taskbar button. This always hides the maximize and minimize buttons, regardless of whether the WS_MAXIMIZEBOX and WS_MINIMIZEBOX styles are present.

(Unnamed Style): Specify a plus or minus sign followed immediately by a decimal or hexadecimal style number.

(Unnamed ExStyle): Specify a plus or minus sign followed immediately by the letter E and a decimal or hexadecimal extended style number. For example, +E0x40000 would add the WS_EX_APPWINDOW style, which provides a taskbar button for a window that would otherwise lack one. Although the other extended styles are not documented here (since they are rarely used), they can be discovered by searching for WS_EX_APPWINDOW at www.microsoft.com.


Attaches a menu bar to the window.

Use the Menu command to create an ordinary menu for this purpose. For example:

In the first line above, notice that &Open is followed by Ctrl+O (with a tab character in between). This indicates a keyboard shortcut that the user may press instead of selecting the menu item. [v1.1.04+]: If the shortcut uses only the standard modifier key names Ctrl, Alt and Shift, it is automatically registered as a keyboard accelerator for the GUI. Single-character accelerators with no modifiers are case-sensitive and can be triggered by unusual means such as IME or Alt+NNNN.

If a particular key combination does not work automatically, the use of a context-sensitive hotkey may be required. However, such hotkeys typically cannot be triggered by Send and are more likely to interfere with other scripts than a standard keyboard accelerator.

To remove a window's current menu bar, use Gui Menu (that is, omit the last parameter).

Once a menu has been used as a menu bar, it should not be used as a popup menu or a submenu. This is because menu bars internally require a different format (however, this restriction applies only to the menu bar itself, not its submenus). If you need to work around this, create one menu to use as the menu bar and another identical menu to use for everything else.

The use of certain destructive menu sub-commands such as Delete and DeleteAll against a menu that is currently being used as a menu bar (and in some cases, its submenus) is not supported and will cause an error dialog to be displayed (unless UseErrorLevel is in effect). Use the following steps to make such changes: 1) detach the menu bar via Gui Menu (that is, omit MenuName); 2) make the changes; 3) reattach the menu bar via Gui, Menu, MyMenuBar.

Unhides the window (if necessary) then perform the indicated operation on it.

If the window does not exist -- perhaps due to having been destroyed via Gui Destroy -- this sub-command has no effect.


Blinks the window's button in the taskbar.

This is done by inverting the color of the window's title bar and/or taskbar button (if it has one). The optional word OFF causes the title bar and taskbar button to return to their original colors (but the actual behavior might vary depending on OS version). In the below example, the window will blink three times because each pair of flashes inverts then restores its appearance:


Changes the current thread's default GUI window name.

About Ushecking Gui

This is used whenever a window name is not specified for GuiControl, GuiControlGet, and the Gui command itself. In the following example, the default window name is changed to 'MyGui': Gui MyGui:Default. See thread's default window for more information about the default window.

[v1.1.03+]:GuiName can be the HWND of one of the script's GUI windows. If the window has a name, it becomes the default name and remains so even after the window itself is destroyed. If the window has no name, the default name reverts to 1 when the window is destroyed.

[v1.1.23+]: The built-in variable A_DefaultGui contains the name or number of the default GUI.

Options for a Control (Gui Add)

Positioning and Sizing of Controls

Note: Although the options described in this section are suitable for simple layouts, you may find it easier to use Rajat's SmartGUI Creator because it's entirely visual; that is, 'what you see is what you get'. SmartGUI Creator is free and can be downloaded from www.autohotkey.com/docs/SmartGUI/

If some dimensions and/or coordinates are omitted from Options, the control will be positioned relative to the previous control and/or sized automatically according to its nature and contents.

The following options are supported:

R: Rows of text (can contain a floating point number such as R2.5). R is often preferable to specifying H (Height). If both the R and H options are present, R will take precedence. For a GroupBox, this setting is the number of controls for which to reserve space inside the box. For DropDownLists, ComboBoxes, and ListBoxes, it is the number of items visible at one time inside the list portion of the control (but on Windows XP or later, it is often desirable to omit both the R and H options for DropDownList and ComboBox, which makes the popup list automatically take advantage of the available height of the user's desktop). For other control types, R is the number of rows of text that can visibly fit inside the control.

W: Width, in pixels. If omitted, the width is calculated automatically for some control types based on their contents. The other controls types have the following default widths:
Tab controls: 30 times the current font size, plus 3 times the X-margin.
Vertical Progress Bars: Two times the current font size.
Horizontal Progress Bars, horizontal Sliders, DropDownLists, ComboBoxes, ListBoxes, GroupBoxes, Edits, and Hotkeys: 15 times the current font size (except GroupBoxes, which multiply by 18 to provide room inside for margins).

H: Height, in pixels. If both the H and R options are absent, DropDownLists, ComboBoxes, ListBoxes, and empty multi-line Edit controls default to 3 rows; GroupBoxes default to 2 rows; vertical Sliders and Progress Bars default to 5 rows; horizontal Sliders default to 30 pixels (except if a thickness has been specified); horizontal Progress Bars default to 2 times the current font size; Hotkey controls default to 1 row; and Tab controls default to 10 rows. For the other control types, the height is calculated automatically based on their contents. Note that for DropDownLists and ComboBoxes, H is the combined height of the control's always-visible portion and its list portion (but even if the height is set too low, at least one item will always be visible in the list). Also, for all types of controls, specifying the number of rows via the R option is usually preferable to using H because it prevents a control from showing partial/incomplete rows of text.

wp+n, hp+n, wp-n, hp-n (where n is any number) can be used to set the width and/or height of a control equal to the previously added control's width or height, with an optional plus or minus adjustment. For example, wp would set a control's width to that of the previous control, and wp-50 would set it equal to 50 less than that of the previous control.

X: X-position. For example, specifying x0 y0 would position the control in the upper left corner of the window's client area, which is the area beneath the title bar and menu bar (if any). If X is omitted but not Y, the control will be positioned to the right of all previously added controls, which can be thought of as starting a new 'column'.

Y: Y-position. If Y is omitted but not X, the control will be positioned beneath all previously added controls, which can be thought of as starting a new 'row'.

Omitting either X, Y or both is useful to make a GUI layout automatically adjust to any future changes you might make to the size of controls or font. By contrast, specifying an absolute position for every control might require you to manually shift the position of all controls that lie beneath and/or to the right of a control that is being enlarged or reduced.

If both X and Y are omitted, the control will be positioned beneath the previous control using a standard padding distance.

For X and Y, an optional plus sign can be included to position a control relative to the right or bottom edge (respectively) of the control that was previously added. For example, specifying Y+10 would position the control 10 pixels beneath the bottom of the previous control rather than using the standard padding distance. Similarly, specifying X+10 would position the control 10 pixels to the right of the previous control's right edge. Since negative numbers such as X-10 are reserved for absolute positioning, to use a negative offset, include a plus sign in front of it. For example: X+-10.

[v1.1.16+]: For X+ and Y+, the letter M can be used as a substitute for the window's current margin. For example, x+m uses the right edge of the previous control plus the standard padding distance. xp y+m positions a control below the previous control, whereas specifying an X coordinate on its own would normally imply yp by default.

xp+n, yp+n, xp-n, yp-n (where n is any number) can be used to position controls relative to the previous control's upper left corner, which is often useful for enclosing controls in a GroupBox.

xm and ym can be used to position a control at the leftmost and topmost margins of the window, respectively (these two may also be followed by a plus/minus sign and a number). By specifying ym without any x-position at all, the control will be positioned at the top margin but to the right of all previously added controls, which can be thought of as starting a new 'column'. The converse is also true.

xs and ys: these are similar to xm and ym except that they refer to coordinates that were saved by having previously added a control with the word Section in its options (the first control of the window always starts a new section, even if that word isn't specified in its options). By specifying ys without any x-position at all, the control will be positioned at the previously saved y-position, but to the right of all controls that have been added since the most recent use of the word Section; this can be thought of as starting a new column within the section. For example:

The converse of the above (specifying xs but omitting the y-position) is also true.

xs and ys may optionally be followed by a plus/minus sign and a number. Also, it is possible to specify both the word Section and xs/ys in a control's options; this uses the previous section for itself but establishes a new section for subsequent controls.

Storing and Responding to User Input

V: Variable. Associates a variable with a control. Immediately after the letter V, specify the name of a global variable (or a ByRef local that points to a global, or [in v1.0.46.01+] a static variable). For example, specifying vMyEdit would store the control's contents in the variable MyEdit whenever the Gui Submit command is used. If a control is not input-capable -- such as a Text control or GroupBox -- associating a variable with it can still be helpful since that variable's name serves as the control's unique identifier for use with GuiControl, GuiControlGet, and A_GuiControl.

Note: Gui Submit does not change the contents of variables of non-input-capable controls (such as Text and GroupBox), nor certain others as documented in their sections (such as ListView and TreeView).

G: Gosub (g-label). Launches a subroutine or function automatically when the user clicks or changes a control. Immediately after the letter G, specify the name of the label to execute. gCancel may be specified to perform an implicit Gui Cancel (but if a label named 'Cancel' exists in the script, it will be executed instead). The subroutine may consult the following built-in variables: A_Gui, A_GuiControl, A_GuiEvent, and A_EventInfo.

[v1.1.20+]: If not a valid label name, a function name can be used instead. Alternatively, the GuiControl command can be used to associate a function object with the control. The function can optionally accept the following parameters (where gCtrlEvent sets the function):

The meanings of the parameters depends on the type of control. Note that if the fourth parameter is declared without a default value, the function will only be called by events which supply four parameters.

Controls: Common Styles and Other Options

Note: In the absence of a preceding sign, a plus sign is assumed; for example, Wrap is the same as +Wrap. By contrast, -Wrap would remove the word-wrapping property.

AltSubmit: Uses alternate submit method. For DropDownList, ComboBox, and ListBox this causes the Gui Submit command to store the position of the selected item rather than its text. If no item is selected, a ComboBox will still store the text in its edit field; similarly, a DropDownList or ListBox will still make its output variable blank. Note: AltSubmit also affects the behavior of GuiControlGet when retrieves the contents of such a control.

C: Color of text (has no effect on buttons). Specify the letter C followed immediately by a color name (see color chart) or RGB value (the 0x prefix is optional). Examples: cRed, cFF2211, c0xFF2211, cDefault.

Choose: Pre-select a single item in a ComboBox, DateTime, DropDownList, ListBox or Tab control. Specify the word Choose followed immediately by the number of an item. For example: Choose2

Disabled: Makes an input-capable control appear in a disabled state, which prevents the user from focusing or modifying its contents. Use GuiControl Enable to enable it later. Note: To make an Edit control read-only, specify the string ReadOnly instead. Also, the word Disabled may optionally be followed immediately by a 0 or 1 to indicate the starting state (0 for enabled and 1 for disabled). In other words, Disabled and Disabled%VarContainingOne% are the same.

Hidden: The control is initially invisible. Use GuiControl Show to show it later. The word Hidden may optionally be followed immediately by a 0 or 1 to indicate the starting state (0 for visible and 1 for hidden). In other words, Hidden and Hidden%VarContainingOne% are the same.

Left: Left-justifies the control's text within its available width. This option affects the following controls: Text, Edit, Button, Checkbox, Radio, UpDown, Slider, Tab, Tab2, GroupBox, DateTime.

Right: Right-justifies the control's text within its available width. For checkboxes and radio buttons, this also puts the box itself on the right side of the control rather than the left. This option affects the following controls: Text, Edit, Button, Checkbox, Radio, UpDown, Slider, Tab, Tab2, GroupBox, DateTime, Link.

Center: Centers the control's text within its available width. This option affects the following controls: Text, Edit, Button, Checkbox, Radio, Slider, GroupBox.

Section: Starts a new section and saves this control's position for later use with the xs and ys positioning options described above.

Tabstop: Use -Tabstop (i.e. minus Tabstop) to have an input-capable control skipped over when the user presses the Tab key to navigate.

Wrap: Enables word-wrapping of the control's contents within its available width. Since nearly all control types start off with word-wrapping enabled, use -Wrap to disable word-wrapping.

VScroll: Provides a vertical scroll bar if appropriate for this type of control.

HScroll: Provides a horizontal scroll bar if appropriate for this type of control. The rest of this paragraph applies to ListBox only. The horizontal scrolling width defaults to 3 times the width of the ListBox. To specify a different scrolling width, include a number immediately after the word HScroll. For example, HScroll500 would allow 500 pixels of scrolling inside the ListBox. However, if the specified scrolling width is smaller than the width of the ListBox, no scroll bar will be shown (though the mere presence of HScroll makes it possible for the horizontal scroll bar to be added later via GuiControl, +HScroll500, MyScrollBar, which is otherwise impossible).

Controls: Uncommon Styles and Options

BackgroundTrans: Uses a transparent background, which allows any control that lies behind a Text, Picture, or GroupBox control to show through. For example, a transparent Text control displayed on top of a Picture control would make the text appear to be part of the picture. Use GuiControl +Background to remove this option later. See Picture control's AltSubmit section for more information about transparent images. Known limitation: BackgroundTrans might not work properly for controls inside a Tab control that contains a ListView.

-Background (i.e. minus Background): Uses the standard background color rather than the one set by the Gui Color command. This is most often used to make a Tab control have its standard color rather than the window color. Use GuiControl +Background to remove this option later.

Border: Provides a thin-line border around the control. Most controls do not need this because they already have a type-specific border. When adding a border to an existing control, it might be necessary to increase the control's width and height by 1 pixel.

HwndOutputVar[v1.0.46.01+]: When used with Gui Add, this option stores the window handle (HWND) of the newly created control in OutputVar. For example: Gui, Add, Edit, vMyEdit HwndMyEditHwnd. When within a function, MyEditHwnd is treated as a function dynamic variable. A control's HWND is often used with PostMessage, SendMessage, and DllCall(). It can also be used directly as an ahk_id WinTitle (this also works on hidden controls even when DetectHiddenWindows is Off) or [in v1.1.04+] with GuiControl and GuiControlGet as the ControlID parameter. On a related note, a parent window's HWND can be retrieved via Gui MyGui:+HwndOutputVar.

Theme: This option can be used to override the window's current theme setting for the newly created control. It has no effect when used on an existing control; however, this may change in a future version. See Gui +/-Theme for details.

(Unnamed Style): Specify a plus or minus sign followed immediately by a decimal or hexadecimal style number. If the sign is omitted, a plus sign is assumed.

(Unnamed ExStyle): Specify a plus or minus sign followed immediately by the letter E and a decimal or hexadecimal extended style number. If the sign is omitted, a plus sign is assumed. For example, E0x200 would add the WS_EX_CLIENTEDGE style, which provides a border with a sunken edge that might be appropriate for pictures and other controls. Although the other extended styles are not documented here (since they are rarely used), they can be discovered by searching for WS_EX_CLIENTEDGE at www.microsoft.com.

Window Events

The following labels (subroutines) will be automatically associated with a GUI window if they exist in the script:

[v1.1.20+]: If a label does not exist for a given event, a function with that name can be called instead. The function can optionally receive the HWND of the GUI as its first parameter. Some events have additional parameters.

For windows other than number 1, the window's name or number (if it has one) is used as a prefix for the special labels mentioned above; for example, 2GuiEscape and 2GuiClose would be the default labels for window number 2, while MyGuiGuiEscape and MyGuiGuiClose would be the default labels for MyGui. To set a custom prefix, use Gui +Label.


Launched when the window is closed by any of the following: pressing its X button in the title bar, selecting 'Close' from its system menu, or closing it with WinClose. If this label is absent, closing the window simply hides it, which is the same effect as Gui Cancel. One of the most common actions to take in response to GuiClose is ExitApp; for example:

[v1.1.20+]: If GuiClose is a function, the GUI is hidden by default. The function can prevent this by returning a non-zero integer, as in the example below:


Launched when the user presses Escape while the GUI window is active. If this label is absent, pressing Escape has no effect. Known limitation: If the first control in the window is disabled (possibly depending on control type), the GuiEscape label will not be launched. There may be other circumstances that produce this effect.


Launched when the window is resized, minimized, maximized, or restored. The built-in variables A_GuiWidth and A_GuiHeight contain the new width and height of the window's client area, which is the area excluding title bar, menu bar, and borders. In addition, A_EventInfo and ErrorLevel will both contain one of the following digits:

0: The window has been restored, or resized normally such as by dragging its edges.
1: The window has been minimized.
2: The window has been maximized.

A script may use GuiSize to reposition and resize controls in response to the user's resizing of the window. This process can be made easier by using AutoXYWH() by tmplinshi and toralf.

When the window is resized (even by the script), GuiSize might not be called immediately. As with other window events, if the current thread is uninterruptible, GuiSize won't be called until the thread becomes interruptible. If the script has just resized the window, follow this example to ensure GuiSize is called immediately:

[v1.1.22.05+]:Gui Show automatically does a Sleep -1, so it is generally not necessary to call Sleep in that case.

[v1.1.20+]: If GuiSize is a function, its parameters are as follows:


Launched whenever the user right-clicks anywhere in the window except the title bar and menu bar. It is also launched in response to pressing the Menu key or Shift+F10. Unlike most other GUI labels, GuiContextMenu can have more than one concurrent thread. The following built-in variables are available within GuiContextMenu:

  1. A_GuiControl, which contains the text or variable name of the control that received the event (blank if none).
  2. A_EventInfo: When a ListBox, ListView, or TreeView is the target of the context menu (as determined by A_GuiControl above), A_EventInfo specifies which of the control's items is the target:
    ListBox or ListView: A_EventInfo contains the number of the currently focused row (0 if none).
    TreeView: For right-clicks, A_EventInfo contains the clicked item's ID number (or 0 if the user clicked somewhere other than an item). For the Menu key and Shift+F10, A_EventInfo contains the selected item's ID number.
  3. A_GuiX and A_GuiY, which contain the X and Y coordinates of where the script should display the menu (e.g. Menu, MyContext, Show, %A_GuiX%, %A_GuiY%). Coordinates are relative to the upper-left corner of the window.
  4. A_GuiEvent, which contains the word RightClick if the user right-clicked, or Normal if the menu was triggered by the Menu key or Shift+F10.

Note: Since Edit and MonthCal controls have their own context menu, a right-click in one of them will not launch GuiContextMenu.

[v1.1.20+]: If GuiContextMenu is a function, its parameters are as follows:

CtrlHwnd is blank if the event was not received by a control. IsRightClick is true if A_GuiEvent is RightClick.


Launched whenever files/folders are dropped onto the window as part of a drag-and-drop operation (but if the label is already running, drop events are ignored). The following built-in variables are available within GuiDropFiles:

  1. A_GuiControl, which contains the text or variable name of the control upon which the files were dropped (blank if none).
  2. A_EventInfo and ErrorLevel, which both contain the number of files dropped.
  3. A_GuiX and A_GuiY, which contain the X and Y coordinates of where the files were dropped (relative to the window's upper left corner).
  4. A_GuiEvent, which contains the names of the files that were dropped, with each filename except the last terminated by a linefeed (`n).

To extract the individual files, use a parsing loop as shown below:

To temporarily disable drag-and-drop for a window, remove the WS_EX_ACCEPTFILES style via Gui -E0x10. To re-enable it later, use Gui +E0x10.

[v1.1.20+]: If GuiDropFiles is a function, the parameters are as shown in the example below. CtrlHwnd is blank if files were dropped on the GUI itself. FileArray is an array (object) of filenames, where FileArray[1] is the first file and FileArray.MaxIndex() returns the number of files. A for-loop can be used to iterate through the files:

Other Events

Other types of GUI events can be detected and acted upon via OnMessage(). For example, a script can display context-sensitive help via ToolTip whenever the user moves the mouse over particular controls in the window. This is demonstrated in the GUI ToolTip example.

Creating Multiple GUI Windows

To operate upon a window other than the default, include its name or number (or [in v1.1.03+] its HWND) followed by a colon in front of the sub-command, as in these examples:

Gui MyGui:Default can be used to avoid the need for the 'MyGui:' prefix above. In addition, the prefix is not necessary inside a GUI thread that operates upon the same window that launched the thread.

[v1.1.03+]: Gui names must conform to the same rules as variable names. Any number which is either not between 1 and 99 or is longer than two characters (such as 0x01) must be the HWND of an existing Gui, or the command will fail. The number of windows that can be created is limited only by available system resources.

[v1.1.04+]: Any number of unnamed GUI windows can be created using Gui, New.

GUI Events, Threads, and Subroutines

A GUI thread is defined as any thread launched as a result of a GUI action. GUI actions include selecting an item from a GUI window's menu bar, or triggering one of its g-labels (such as by pressing a button).

The default window name for a GUI thread is that of the window that launched the thread. Non-GUI threads use 1 as their default.

Whenever a GUI thread is launched, that thread's last found window starts off as the GUI window itself. This allows commands for windows and controls -- such as WinMove, WinHide, WinSet, WinSetTitle, and ControlGetFocus -- to omit WinTitle and WinText when operating upon the GUI window itself (even if it is hidden).

Clicking on a control while its g-label is already running from a prior click will have no effect and the event is discarded. To prevent this, use Critical as the subroutine's first line (however, this will also buffer/defer other threads such as the press of a hotkey).

The built-in variables A_Gui and A_GuiControl contain the window name and Control ID that launched the current thread. For details see A_Gui and A_GuiControl.

To have multiple events perform the same subroutine, specify their labels consecutively above the subroutine. For example:

All GUI threads start off fresh with the default values for settings such as SendMode. These defaults can be changed in the auto-execute section.

Keyboard Navigation

A GUI window may be navigated via the Tab key, which moves keyboard focus to the next input-capable control (controls from which the Tabstop style has been removed are skipped). The order of navigation is determined by the order in which the controls were originally added. When the window is shown for the first time, the first input-capable control that has the Tabstop style (which most control types have by default) will have keyboard focus.

Certain controls may contain an ampersand (&) to create a keyboard shortcut, which might be displayed in the control's text as an underlined character (depending on system settings). A user activates the shortcut by holding down the Alt key then typing the corresponding character. For buttons, checkboxes, and radio buttons, pressing the shortcut is the same as clicking the control. For GroupBoxes and Text controls, pressing the shortcut causes keyboard focus to jump to the first input-capable tabstop control that was created after it. However, if more than one control has the same shortcut key, pressing the shortcut will alternate keyboard focus among all controls with the same shortcut.

To display a literal ampersand inside the control types mentioned above, specify two consecutive ampersands as in this example: Gui, Add, Button, Save && Exit.

Window Appearance

For its icon, a GUI window uses the tray icon that was in effect at the time the window was created. Thus, to have a different icon, change the tray icon before creating the window. For example: Menu, Tray, Icon, MyIcon.ico. It is also possible to have a different large icon for a window than its small icon (the large icon is displayed in the alt-tab task switcher). This can be done via LoadPicture() and SendMessage; for example:

Due to OS limitations, Checkboxes, Radio buttons, and GroupBoxes for which a non-default text color was specified will take on Classic Theme appearance on Windows XP and beyond.

Related topic: window's margin.

General Remarks

Use GuiControl and GuiControlGet to operate upon individual controls in a GUI window.

Each GUI window may have up to 11,000 controls. However, use caution when creating more than 5000 controls because system instability may occur for certain control types.

Any script that uses the GUI command anywhere is automatically persistent (even if the GUI command is never actually executed). It is also single-instance unless the #SingleInstance directive has been used to override that.


GuiControl, GuiControlGet, Menu, Control Types, ListView, TreeView, Control, ControlGet, SplashImage, MsgBox, FileSelectFile, FileSelectFolder


#1: Achieves an effect similar to SplashTextOn:

#2: A simple input-box that asks for the first and last name:

#3: Creates a tab control with multiple tabs, each containing different controls to interact with:

#4: Creates a ListBox control containing files in a directory:

#5: Displays a context-sensitive help (via ToolTip) whenever the user moves the mouse over a particular control:

#6: Creates an On-screen display (OSD) via transparent window:

#7: A moving progress bar overlayed on a background image:

#9: A simple text editor with menu bar:

This Appendix will provide you with a quick, yet comprehensive, review of the most important concepts covered in this book.

Chapter 1 Introduction to Open Source Security

Using the GNU General Public License

0 The GPL protects the software code, not a corporation or an individual.

0 Protecting code rather than individuals is a radical change, because it allows code to be improved upon without being made completely proprietary.

0 Open source code does not necessarily have to be free. For example, companies such as Red Hat and Caldera sell their products, which are based on the open source Linux kernel.

Soft Skills: Coping with Open Source Quirks

0 As you use open source code, remember that this code may represent a work in progress.

0 Sometimes, open source code changes radically, forcing you to retrain users. You may find that updates happen irregularly, and that it is sometimes more challenging to update open source code. Furthermore, once you upgrade the code, you may be presented with an application that behaves very differently, or has a radically different interface.

0 Before installing open source software, make sure that your operating system contains all of the necessary supporting applications and libraries.

Should I Use an RPM or Tarballs?

0 RPMs sometimes offer convenience. However, precompiled RPMs often do not have all of the features necessary to implement a truly useful product.

0 Tarballs often require editing of a special file called a makefile. However, this is not necessarily all that difficult. It simply requires that you know where your supporting applications and libraries are. Also, most open source software will contain instructions concerning how to edit the makefile. Most well-known operating systems, such as Red Hat Linux and Slackware, do not require makefile modification.

0 RPMs often contain useful startup scripts that are not found elsewhere.

Sometimes, it is useful to install the RPM, then the tarball version, and then combine elements from the two for a complete solution.

Obtaining Open Source Software

0 Sites such as SourceForge (www.sourceforge.com), RPMFind

(www.rpmfind.net), and SecurityFocus (www.securityfocus.com) are valuable software sources.

0 Be especially careful when downloading any source code, regardless of format. Digital signatures can help you determine the author of a package, as well as whether a package has been altered.

0 The Gnu Privacy Guard (GPG) and Pretty Good Privacy (PGP) packages are available to help you verify signatures. They do not stop the execution of malicious code, however.They simply inform you about the nature of the code's author, and of any changes that may have occurred to the code.

A Brief Encryption Review

0 Symmetric encryption is the use of one key to encrypt and decrypt information. If a malicious user is able to intercept the key, he or she can then use it to decrypt your secret messages.

0 Asymmetric encryption uses a mathematically related key pair to encrypt and decrypt information. This type of encryption is commonly used on the Internet and on LANs, because it reduces the likelihood that the key can be learned by a malicious user, and aids in authentication.

0 One-way encryption is the use of an algorithm to encrypt information so that it is, mathematically speaking, impossible to unencrypt. One-way encryption is also used to read a file and then create a hash of that file.The resulting hash value is said to be mathematically unrecoverable. Hash code is often used to compare one value to another during the login process: the person logging in enters a username and password, and the authentication mechanism creates a hash of these two values and compares it to the hash values generated from the /etc/passwd and /etc/shadow databases. If the values match, access is allowed.

Chapter 1 Continued

Public Key and Trust Relationships

0 You must generate a key pair to begin using your public key to authenticate yourself or to encrypt network transmissions.

0 Establishing a trust relationship involves exchanging public keys. Sometimes, individual users must give public keys. At other times, public keys are exchanged between network hosts.

0 Never reveal your private key. If your private key is made available to a third party, this person will be able to read all of your encrypted files.

Auditing Procedures

0 As an auditor, your job is to lock down your network, which means that you must consider the security of each host using tools that allow you to determine changes in files and directories, and who has scanned and accessed your system.You must also monitor network transmission and configure your firewall to establish an effective network perimeter that separates your network from all others.

0 An Intrusion Detection System (IDS) acts as an auditing host or series of auditing hosts that allow you to monitor and secure data as it passes across the network.

0 Protecting the network perimeter involves proper firewall and proxy server configuration, logging, and monitoring.

a ❖ Chapter 2 Hardening the Operating System

Updating the Operating Systems

0 Operating system releases usually contain software bugs and security vulnerabilities.

0 Operating system vendors or organizations offer fixes, corrections, and updates to the system. For example, Red Hat offers this material at its Web site, which includes Update Service Packages and the Red Hat Network.

0 You should always ensure your system has the latest necessary upgrades.

Many errata and Update Service Packages are not required for every system. You should always read the associated documentation to determine if you need to install it.

Handling Maintenance Issues

0 After your system goes live, you must always maintain it by making sure the most current patches and errata are installed, which include the fixes, corrections, and updates to the system, as well as the applications running on it.

0 You should always check the Red Hat site at www.redhat.com/apps/ support/updates.html for the latest errata news.

0 For example, Red Hat security advisories provide updates that eliminate security vulnerabilities on the system. Red Hat recommends that all administrators download and install the security upgrades to avoid denial-of-service (DoS) and intrusion attacks that can result from these weaknesses.

Manually Disabling Unnecessary Services and Ports

0 You should always disable vulnerable services and ports on your system that are not used.You are removing risk when you remove unnecessary services.

0 The /etc/xinetd.d directory makes it simple to disable services that your system is not using. For example, you can disable the FTP and Telnet services by commenting out the FTP and Telnet entries in the respective file and restarting the service. If the service is commented out, it will not restart.

Locking Down Ports

0 When determining which ports to block on your server, you must first determine which services you require. In most cases, block all ports that are not exclusively required by these services.

0 To block TCP/UDP services in Linux, you must disable the service that uses the specific port.

Chapter 2 Continued

Hardening the System with Bastille

0 The Bastille program facilitates the hardening of a Linux system. It saves administrators time from configuring each individual file and program throughout the operating system.

0 Administrators answer a series of 'Yes' and 'No' questions through an interactive text-based interface.The program automatically implements the administrators' preferences based on the answers to the questions.

0 Bastille can download and install RPM updates, apply restrictive permissions on administrator utilities, disable unnecessary services and ports, and much more. more.

Controlling and Auditing Root Access with Sudo

0 Sudo (Superuser Do) allows an administrator to give specific users or groups the ability to run certain commands as root or as another user.

0 Sudo features command logging, command restrictions, centralized administration of multiple systems, and much more.

0 The sudo command is used to execute a command as a superuser or another user. In order to use the sudo command, the user must supply a username and password. If a user attempts to run the command via sudo and that user is not entered in the sudoers file, an e-mail is automatically sent to the administrator, indicating that an unauthorized user is accessing the system.

Managing Your Log Files

0 Logging allows administrators to see who and what has accessed their system. Many helpful Linux log files are located in the /var/log directory.

0 Linux offers commands that allow administrators to access useful log files. Two commands of interest are last and lastlog. The message file also offers useful data for determining possible security breaches on your system.

0 The Linux logs should be checked frequently to determine if any security violations have occurred on your system. Logs do not offer solutions, so you must analyze the data and decide how to counteract the attack.

0 Logging enhancers are tools that simplify logging by allowing logging information to be filtered and often displaying logs in simplified formats.

0 Viewing text-based files with hundreds or thousands of entries can be burdensome, especially if you are only looking for one specific error entry.

0 Three popular logging services used by administrators are SWATCH, scanlogd, and the next generation of syslogd (syslogd-ng).

❖ Chapter 3 System Scanning and Probing


Scanning for Viruses Using the AntiVir Antivirus Application

About Us Hacking Gui Pastebin

0 Virus scanners will perform the following tasks: check the system's boot record; search directories and subdirectories; automatically delete infected files; save scans into a log file; use an internal scheduler, or an external scheduler, such as at or cron; scan NFS-mounted drives; delete infected files; and move infected files to a central, 'quarantine' area of your own choosing.

0 The AntiVir for Servers binary is a truly impressive command-line virus scanner sold by H+BDEV. It is capable of searching for and deleting macro viruses, boot sector viruses, e-mail viruses, and DDoS daemons.

0 An antivirus application is only as useful as its virus definition file.Your application should provide you with frequent updates.

Using Logging Enhancers

Chapter 3 Continued

Scanning Systems for DDoS Attack Software Using a Zombie Zapper

0 Attackers wage denial of service (DoS) attacks by first finding and hacking into insecure systems on the Internet. Then, they install programs such as Tribe Flood Network 2000 (Tfn2k), stacheldraht, and others.The compromised systems now have illicit programs installed on them called zombies.

0 Once a zombie is commanded to attack a victim, it will generally continue the attack until it is forced to stop. If you notice large amounts of unknown traffic when you monitor your network or network perimeter, you can use a zombie zapper against the host or hosts generating this traffic.

0 Limitations of a zombie zapper can include the following: they are programmed to shut down only certain DDoS servers; it may be blocked by a firewall; the malicious user may have changed the password of the illicit server; or the attack server may have spoofed packets.

Scanning System Ports Using the Gnome Service Scan Port Scanner

0 Systems administrators find port scanners useful when auditing their own systems. Although a simple port scanner such as GSS does not actually test for flaws in binaries and Web applications, a good port scanner can help you isolate which ports are open, and then take any action that is necessary.

0 Port scanning a machine may set off an alarm for the system's administrator, who might take a dim view of your actions. Unless you have explicit (sometimes, even written) permission from the system administrator, you may cause a serious violation of your security policy.

Using Nmap

0 Nmap is an advanced Unix-based port scanner. It can be used to audit your network, test your router and switch configurations, test your firewall configurations, and identify the nature of suspicious remote systems.

Chapter 3 Continued

0 You can use Nmap as a basic port scanner for a system on your internal network, or you can have it identify the operating system version of a remote system on another firewall-protected network. Nmap is capable of manipulating aspects of TCP to hide its scans from firewalls.

0 Nmap's 'interactive mode' allows you to do two things that you should be aware of as a systems administrator: It can conduct multiple Nmap sessions, and it can disguise the fact that it is running on your system.

Using Nmapfe as a Graphical Front End

0 The Nmap Front End (NmapFE) provides a well-written, stable GUI that allows you to control almost every aspect of Nmap.

0 Note that this interface is somewhat unstable, and given to faults that lead to complete crashes (core dumps). This is especially the case in systems that have been upgraded (say, from Red Hat version 7.0 to 7.1).

Using Remote Nmap as a Central Scanning Device

0 Remote Nmap (Rnmap) enables a client system to connect to a central Nmap server. It is currently in beta, but both the client and the server are quite strong.

0 Rnmap has the following features: user authentication, a command-line and GUI client, and available encryption (still in beta form). Rnmap is written in the Python scripting language, which means that your Linux system must have Python installed.

Deploying Cheops to Monitor Your Network

0 Billed as a graphical network neighborhood, Cheops is related to applications such as HP OpenView. Both Cheops and HP OpenView allow you to create a graphical map of the network, and then manage any host on that map. Although Cheops is not nearly as sophisticated, it still allows you to quickly learn which hosts are up on a particular network segment.

Chapter 3 Continued

0 Cheops issues network broadcasts, and then processes these replies to discover remote hosts. Some older versions of Cheops use an application called Queso to read the replies of remote systems. Queso is similar to Nmap, although not as sophisticated or as recent. As with Nmap, Queso does use stack fingerprinting to guess the operating system of a remote server.

0 Cheops is capable of two types of monitoring. First, it can have your Linux system issue simple ping requests to see if a remote host is up. Second, instead of relying on a crude ping request, Cheops allows you to pick a specific service offered by the remote host.

Deploying Nessus to Test Daemon Security

0 Using vulnerability detection software, you can find out exactly what specific application is listening on that port. A good hacker is well informed concerning the popular servers on the Internet, and can quickly take advantage of a specific daemon that has a security problem. Nessus allows you to proactively scan your system to determine its weaknesses.

0 The Nessus client allows you to connect to the Nessus daemon, which is usually on a remote server. Several different clients exist, including those for Windows, Macintosh, and Unix/Linux systems.

0 The Nessus project has been quite active, and has a good record for providing regular plug-in updates.

0 When you launch the client for the first time, it will take some time to create a public key pair, which will be used to authenticate with any Nessus daemon.

0 The compilation option allows the client to 'remember' past sessions and to configure a nessus daemon to conduct a scan all by itself. These capabilities are respectively called differential and detached scanning.The ability to save sessions allows you to begin sessions that have been interrupted.

❖ Chapter 4 Implementing an Intrusion Detection System

Understanding IDS Strategies and Types

0 An Intrusion Detection System (IDS) is any system or set of systems that has the ability to detect a change in the status of your system or network. Because an IDS can contain multiple hosts and applications, this chapter will often use the term IDS application to refer to a specific IDS element.

0 Two general strategies are used when it comes to detecting intrusions, rule-based IDS applications (also called signature-based) and anomaly-based IDS applications.

0 IDS applications do their work either continuously in real-time, or at certain intervals (interval-based intrusion detection).

0 Two different types of IDS applications exist: host-based and network-based.

0 In many cases, an effective IDS application requires a great deal of processor time in order to work well. Log files require a great deal of hard drive space, especially in busy networks. Thus, simply for the sake of performance, consider using multiple systems to gather, store, and analyze information.

0 Most network-based IDS applications do not work properly in a switched network.

0 An IDS stores its information in several places: System logs, simple text files and directories, and databases.

0 An IDS can act as a supplement to a firewall, because it can help you monitor traffic on the internal network. Sometimes it may be useful to place an IDS application outside the firewall, or in the DMZ so that you can learn more about the attacks waged against the firewall itself.

Installing Tripwire to Detect File Changes

0 Tripwire is one of the most popular applications for determining when a file or directory has been altered. It scans your system's hard drive and creates a database. After its database has been created, Tripwire can conduct regular scans of your hard drive and inform you (via e-mail or a log file) about any changes.

Chapter 4 Continued

Updating Tripwire to Account for Legitimate Changes in the OS

0 Eventually, legitimate changes will occur to your operating system.These changes will keep appearing in reports unless you update your database. Database update mode allows you to update the database so that it no longer recognizes any differences between itself and the operating system.

0 Updating the policy is different than updating the database. It is sometimes necessary to update your policy. If, for example, you install a new application, you may want to ensure that these files are protected by Tripwire.

Configuring Tripwire to Inform You Concerning Changes

0 As with any Linux/Unix application, you will have to do quite a bit of 'tweaking' to make Tripwire suit your needs. Refer back to the Installing Tripwire, Securing the Tripwire Database, and Using Cron to Run Tripwire Automatically Exercises for more information on how to install and use Tripwire.

Deploying PortSentry to Act as a Host-Based IDS

0 PortSentry is a host-based IDS application that monitors all open ports. It is an effective tool if you wish to detect TCP and/or UDP port scans, and if you wish to have your host reconfigure itself in case of a port scan.

0 PortSentry will compile on any standard Linux system that has TCPWrapper and Ipchains or Ipfw support.

0 All of the PortSentry files are located off of the /usr/local/psionic/

portsentry/ directory. All files are owned by root, and the program must be started as root, because it places your NIC into promiscuous mode.

Configuring PortSentry to Block Users

0 The Advanced Stealth Scan Detection Options determine the port numbers that PortSentry will monitor when you use the -step option to start PortSentry. By default, PortSentry listens only to ports up to 1023.

0 The Dropping Routes section allows you to determine how PortSentry will deny connections.The KILL_ROUTE options allow you to configure various system tools to actually do the work of denying hosts.

Optimizing PortSentry to Sense Attack Types

0 You can start PortSentry in various ways, depending upon the types of attacks you wish to detect. Customize each system that you have depending upon its function and place in your network.

Installing and Configuring Snort

0 Snort, available at www.snort.org, is best-suited to detailed log analysis. Like PortSentry, it places your NIC into promiscuous mode. It captures all traffic on your network segment, as opposed to traffic destined for just one host.

0 Snort can log its findings into remote or local databases. Snort's analysis feature is able to read the contents of the captured packets and then inform you about any attacks waged against your network.

0 Snort is able to automatically detect attacks based solely upon the rules it uses

0 You can use several detection plug-ins. Sometimes, plug-ins do not require additional arguments. At other times, they require you to specify additional parameters.

Running Snort as a Network-Based IDS

0 However, the snort.conf file gives you the ability to use Snort as a true IDS because it has Snort use rules and plug-ins.You can also specify more sophisticated home network and logging methods. After you begin using the rules and plug-ins found in snort.conf, it will begin selectively logging traffic.

Chapter 4 Continued

Configuring Snort to Log to a Database

0 On busy networks, it is necessary to configure Snort to log less information.

Certain command-line options help you control how much your IDS will log.

0 Additional configuration options are available, including the ability to configure Snort to send alerts to Windows systems that have the Server service running.

Identifying Snort Add-Ons

0 SnortSnarf is a collection of Perl scripts designed to read the Snort alert file (/var/log/snort/alert) and then generate HTML output.The program is available from www.silicondefense.com/software/snortsnarf.

❖ Chapter 5 Troubleshooting the Network with Sniffers

Understanding Packet Analysis and TCP Handshakes

0 Analyzing TCP traffic is one of the most important tasks for a security administrator. It can tell you a great deal about your network connections, as well as identify many denial-of-service (DoS) attacks and man-in-the-middle, or hijacking, attacks.

0 A TCP handshake must occur whenever two hosts establish a connection on a TCP/IP network.This handshake consists of rules that the two hosts must follow.

0 Special mechanisms, called flags, are used to establish and terminate a TCP connection. Flags are included in the TCP header, and each flag completes a different function in the TCP handshake.The flags used are SYN, FIN, RST, PSH,ACK, and URG.

Creating Filters Using Tcpdump

0 Tcpdump captures packets on a given interface, or on all interfaces on a system, for analysis. It is a command-line tool, which can make it difficult to read.

0 Tcpdump options allow you to filter the packets that are captured. For example, you can limit the capture to ARP packets or display only IP addresses (not host names).

0 Tcpdump expressions allow you to specify the hosts from which you will capture packets. For example, an expression will ensure that only the data you require, such as the traffic between your interface and a specific host, will be printed.

Configuring Ethereal to Capture Network Packets

0 Ethereal provides a GUI environment for capturing network packets, which makes it easier for many administrators to use.

0 Ethereal and tcpdump capture packets using the pcap library (libpcap). Since they both use the pcap library (libpcap) syntax, they can share many of the same commands, such as filtering options and primitives.

0 You can easily save Ethereal filters and access them as needed for each packet capture you make.You can have multiple filters from which to choose for different needs.

Viewing Network Traffic between Hosts Using EtherApe

0 EtherApe is a GUI that displays networking activity graphically by identifying hosts and the links that exist between the hosts. It displays real-time traffic, as well as traffic saved to a file.

0 EtherApe also uses the pcap library (libpcap), the library for packet capturing and filtering, which is similar to tcpdump and Ethereal.

0 EtherApe uses options to specify the capture information, such as the interface, link colors, or whether names or numbers will be used.

❖ Chapter 6 Network

Authentication and Encryption

Understanding Network Authentication

0 Even if employees remain behind the firewall, many system services allow clear text authentication, including Telnet, File Transfer Protocol (FTP), and standard Network Information Service (NIS). Even though transmissions can be encrypted, many tools exist that help hackers wage a sniffing attack to capture encrypted information.

0 After the packets containing the encrypted passwords are captured, hackers use cracking applications such as LOphtCrack, which are designed to both capture and crack sniffed encrypted passwords.

Creating Authentication and Encryption Solutions

0 To authenticate safely, you have two options: Find a way to authenticate without sending passwords across the network, or find a way to discard any password that is sent across the network. The accepted phrase for this strategy is one-time passwords (OTP).

0 Kerberos has the added ability to encrypt transmissions after authentication occurs. The use of OTP, however, does not encrypt subsequent transmissions. OTP is usually much easier to implement than Kerberos, however.

0 Other encrypting solutions include Secure Sockets Layer (SSL), Secure Shell (SSH), and IPSec.

Implementing One-Time Passwords (OTP and OPIE)

0 In the Linux world, the most universal way to implement one-time password (OTP) support in your Linux systems is to install the One-Time Passwords in Everything (OPIE) application. OPIE supports the Message Digest 5 (MD5) algorithm.

0 By default, OPIE does not enforce OTP whenever you log in interactively. Any user is given the choice of using OTP or the standard login procedure.

0 Using opiepasswd to create OPIE users. As soon as the opiepasswd command is used against a user, it is then possible for that user to use OTP to log in.The opiekey command generates responses.

0 When the systems administrator creates an OTP password list, the user can use the opieinfo command to generate a list of passwords for later use.

Implementing Kerberos Version 5

0 Kerberos v5 is a revolutionary step in network authentication, because it allows you to establish a domain that authenticates not only individual hosts and users, but individual daemons, as well. Using Kerberos, you can centrally control which hosts and users can access the daemons on your network.

0 After Kerberos is established on a network, passwords do not ever cross the network, not even in encrypted form.You can configure Kerberos to encrypt ensuring communications between authenticated hosts.

0 A principal is the name for any host, service, or user that is allowed to authenticate on a Kerberos network. A principal consists of a primary (also known as a 'root'), an instance, and a realm.

0 The kadmin application, also found in the /usr/kerberos/sbin/ directory, is designed to add principals to the Kerberos database.The kadmin command also lists, modifies, and deletes principals. It is also used to populate and update the Key table files for each Kerberos host.

Using kadmin and Creating Kerberos Client Passwords

0 Standard principal policy settings include policy name, minimum password life (in seconds), maximum password life (in seconds), and minimum password length.

0 You can create a policy by using the addpol command from within kadmin.

622 Appendix B • Hack Proofing Linux Fast Track Chapter 6 Continued

0 The kinit command allows a user to obtain a ticket granting ticket (TGT) from the Key Distribution Center (KDC). Issuing the kinit command has the Kerberos client contact the KDC and obtain a TGT.

0 After you run kinit, the cache will contain only the TGT. Additional credentials, such as actual tickets to access a daemon such as FTP, will be added only after you access the remote host.

Establishing Kerberos Client Trust Relationships with kadmin

0 The only way to establish a trust relationship on the Kerberos client host is to use the kadmin command.

0 The administrator must use the kadmin -ktadd command on each Kerberos client that wishes to participate in the Kerberos realm. The kadmin ktadd -k command gives each client the ability to prove that it has the public keys of the services used.

Logging On to a Kerberos Host Daemon

About Us Hacking Gui Hack

0 Client A, the Kerberized client, first uses its TGT to request a session ticket. The Kerberos KDC checks to see if Client B has a host principal entry, then also checks to see if Client B has a host daemon entry for FTP.Then, the KDC determines that Client A has the proper host and host daemon keys for client B. If all of these credentials match, then client A can connect to client B's FTP server.

0 When you try to administer Kerberos using kadmin, it is important to realize that if you make significant changes to the database concerning a user, you will have to use kdestroy and then kinit to obtain new credentials.

0 You must configure your Kerberos client hosts to use only Kerberized clients. In order to use Kerberos properly, no other client applications or server daemons should be used on the network, unless they use OTP, encryption, or a similarly secure protocol.

Chapter 7 Avoiding Sniffing Attacks through Encryption

Understanding Network Encryption

0 Network encryption is used for any data transfer that requires confidentiality. Encryption ensures that data sent across a network from one host to another is unreadable to a third party.

0 Rlogin, remote shell (rsh), and Telnet are three notoriously unsafe protocols. They do not use encryption for remote logins or any type of data transmission. If a malicious hacker captured this traffic, it would display the data, such as usernames or any passwords, in clear text.

About Us Hacking Gui Commands

Unencrypted Network Traffic

0 You can capture packets during a Telnet login session using the open source packet sniffer Ethereal. Once the session is captured, you can locate the Telnet data packet that includes the data: password field.

0 Another way to discover the Telnet password is to follow the TCP stream.To do this, simply select any packet involved in this Telnet connection, then select the Tools menu, and select Follow TCP Stream in Ethereal.The username and password are displayed in clear text.

0 OpenSSH encrypts all traffic between two hosts using Secure Shell (SSH). It is a secure replacement for common Internet programs used for remote connectivity, such as Telnet, rlogin, and rsh.

0 It features strong encryption using Triple Data Encryption Standard (3DES) and Blowfish, as well as strong authentication using public keys, one-time passwords (OTPs), and Kerberos Authentication.

Using OpenSSH to Encrypt Network Traffic between Two Hosts

Chapter 7 Continued

Installing and Configuring Secure Shell on Two Network Hosts

OpenSSH implementations are significantly different between operating sys-tems.The OpenSSH Portability Team uses the OpenBSD OpenSSH code to develop portable versions for other operating systems.You must make sure a specific version exists for your operating system at www.openssh.org.

The method for implementing SSH combines similar r-command concepts with a private and public key method.

SSH can create a DSA private/public key pair for a user by using the ssh-keygen -d command. In SSH 2.0, the private DSA key is placed in the $HOME/.ssh/id_dsa file.The public key is placed in the $HOME/.ssh/ id_dsa.pub file.The public key should be renamed and copied to the $HOME/.ssh/authorized_keys2 file on the remote system.

Implementing SSH to Secure Data Transmissions over an Insecure Network

0 Both hosts must have SSH installed to transmit data securely, such as the SSH implementation.

0 You must first use ssh-keygen to create a private and public key on each host using either RSA or DSA authentication. Then, distribute the public key to the host with which you wish to communicate, and vice versa.

0 To establish the connection using SSH, the ssh command is used in the format ssh remotehost. Remotehost is the name of the host you will connect to using SSH.

Capturing and Analyzing Encrypted Network Traffic

0 You can capture packets between two hosts using an SSH session to determine if the data is secure. For example, you can attempt to identify any login data, as well as any session data.

0 Using Ethereal, or any packet-capturing program, you will find that all

Application layer data is encrypted. No passwords, usernames, or usable data

is displayed. Following a TCP stream is fruitless. Only the TCP ports are displayed in the capture.

❖ Chapter 8 Creating Virtual Private Networks

Secure Tunneling with VPNs

0 VPNs provide a private data network over public telecommunication infrastructures, such as the Internet, by providing authentication and encryption through a data 'tunnel' between devices. All data transmitted between the devices through the tunnel is secure, regardless of what programs the devices are running.

0 Telecommuter, router-to-router, and host-to-host are three the basic types of VPN solutions. The solution you choose will depend on your specific needs.

0 Tunneling protocols are responsible for encapsulating a data packet before a host transmits it. The data is encapsulated and sent over the network to its destination. Upon arrival, the capsule is removed and the data is processed by the destination host. IP tunneling protocols are powerful because they can transmit foreign protocols over the Internet.

Explaining the IP Security Architecture

0 IPSec is an Internet Engineering Task Force (IETF) security protocol that is becoming a standard component of VPN tunneling protocols.

0 IPSec secures all packets at Layer 3 (the network layer) of the OSI model by providing secure authentication and encryption over a network. Layer 3 security ensures that everything on the network is secure, such as IP addressing and routing over the Internet, as well as all application data.

Creating a VPN by Using FreeS/WAN

0 FreeS/WAN is a Linux VPN implementation that uses IPSec and IKE.

0 IKE is a key management protocol standard that enhances IPSec. It provides enhancements such as simplifying IPSec configuration and adding flexibility

Chapter 8 Continued and more features. It is not required for IPSec, but is often used in conjunction with it. FreeS/WAN uses Pluto, which is an IKE daemon.

0 The Authentication Header (AH) performs authentication at the packet level in IPSec. The Encapsulating Security Payload (ESP) performs encryption as well as authentication. FreeS/WAN uses the Kernel IPSec (KLIPS) to perform AH and ESP functions. Useful linksmr. p's classroom activities.

❖ Chapter 9 Implementing a Firewall with Ipchains and Iptables

Understanding the Need for a Firewall

0 Linux natively supports the ability to route and/or filter packets. Modern Linux systems use either Ipchains or Iptables to do this. Ipchains supports Linux kernel versions up to 2.2. If you are using any kernel newer than 2.2, you must use Iptables. The Iptables package supports packet masquerading and filtering functionality as found in the 2.3 kernel and later. This functionality is known as netfilter.Therefore, in order to use Iptables, you must recompile the kernel so that netfilter is installed, and you must install the Iptables package.

0 Ipchains and Iptables also allow you to configure your Linux router to masquerade traffic (i.e., to rewrite IP headers so that a packet appears to originate from a certain host), and/or to examine and block traffic. The practice of examining and blocking traffic is often called packet filtering.

0 The primary difference between a packet-filtering router (e.g., one created by using Ipchains or Iptables) and a proxy server (e.g., one enabled by Squid) is that a packet-filtering router does not inspect network packets as deeply as a proxy server does. However, proxy servers require more system resources in order to process network packets.

0 Watch for bug reports concerning Ipchains, Iptables, and the Linux kernel. Keeping current about such changes can help you quickly upgrade your system in case a problem is discovered.

Deploying IP Forwarding and Masquerading

0 IP forwarding is the ability for a Linux system to act as a router.

0 A Linux system with simple IP forwarding enabled can route any network address to another. If you are allotted a range of IP addresses from a local or regional Internet registry, you can use a multihomed Linux system to route this set of addresses to another network.

0 In order to allow private network addresses to reach the Internet, you need to invoke Ipchains/Iptables-based IP masquerading.

0 In a Linux router, you can use either Ipchains or Iptables to forward and/or alter the IP headers of packets originating from private-IP address networks to pass through Internet routers. Both Ipchains and Iptables do this by processing IP packets through the Linux kernel.You should note that this option is not necessarily secure—IP masquerading leaves all client hosts wide open to attack.

0 Masquerading is when your Linux system rewrites the IP headers of a network packet so that the packet appears to originate from a different host.The practice of rewriting IP packets is colloquially known as packet mangling. Masquerading is useful because you can use it to invoke network address translation (NAT), where one IP address can stand in for several.

0 Translating the private to routable Internet address is accomplished by a database stored on the Ipchains/Iptables-based Linux router.The Linux masquerading router keeps this database so that it knows how to 'untrans-late,' as it were, the packets that have been mangled so that they can then be addressed to the local, private network.

Configuring Your Firewall to Filter Network Packets

0 To create packet-filtering rules for outgoing traffic, configure your Linux firewall to deny all outgoing traffic unless explicitly allowed.Where incoming traffic is concerned, you have many options, including to forbid all incoming traffic unless it is part of an already established session, and to disable all forwarding except for networks that require it.

Chapter 9 Continued

0 Most Linux operating systems, such as Red Hat, Slackware, SuSE, and Caldera, support IP forwarding, masquerading, and firewalling by default. However, you may have to reconfigure your kernel in order to provide full functionality.

Understanding Tables and Chains in a Linux Firewall

0 Iptables derives its name from the three default tables it uses: filter, nat, and mangle. Each interface on your system can have its packets managed and modified by the chains contained in each of these tables.

0 A chain is a series of actions to take on a packet.Whenever you use Ipchains or Iptables to configure a firewall, the proper perspective to adopt is to view all packets from the firewall itself.

0 If you are using the filter table, each interface on your network has three different default chains: INPUT, FORWARD, and OUTPUT.

0 Ipchains and Iptables use built-in targets to specify the destination of a packet. By far, the common most built-in targets are DROP and ACCEPT.

Logging Packets at the Firewall

0 The Iptables -l option allows you to log matching packets.You can insert -l into any rule, as long as you do not interrupt a particular option. Iptables allows you to log packets in a more sophisticated way because it uses the LOG target, which you specify just like DROP or ACCEPT.

0 By default, Iptables will limit logging of packets.The default limit rate is three logging instances an hour. This behavior is meant to ensure that log files do not get too large.

0 An example used in this section uses Ipchains and Iptables commands to add and remove packet-filtering rules, prohibiting every service from entering your firewall, except for Secure Shell (SSH), which uses port 22.This would not allow any user interactively logged in to the system to check e-mail or any other Internet-based service—the rule is restrictive, but is designed to lock down the firewall as much as possible.

0 With Iptables, you can reject specific ICMP types.

0 Port redirection in Ipchains and Iptables is where a packet destined for a certain port (say, port 80) is received by an interface, and is then sent to another port, using the REDIRECT target. Redirecting ports is common in networks that use proxy servers.

Configuring a Firewall

0 Regardless of whether you are using Ipchains or Iptables, the first thing you will have to do for your firewall is to flush all existing rules using the -F option.Then, you need to use the -P option to set the firewall policies to deny all connections by default.The subsequent rules you create will then allow the protocols you really want. Then, use the necessary commands to enable forwarding and masquerading.Without this foundation, you will not be able to forward packets at all, and thus firewalling them would be superfluous.

0 Many times, a hacker will try to use your firewall as a default gateway and try to spoof internal packets. If a firewall's 'Internet interface' (i.e., the one that is responsible for addressing packets to the Internet) is not configured to explicitly deny packets from the network, then you are susceptible to this attack.

0 The example describing allowing inbound and outbound TCP connections illustrates that with Ipchains and Iptables, the ! character reverses the meaning of anything that is in front of it.

0 Creating the ideal packet-filtering rules requires some trial and error, as well as research specific to your own situation.

Counting Bandwidth Usage

0 A Linux firewall can inform you about the number of packets it has processed, in addition to blocking and logging attacks. The process of counting packets is often called packet accounting.

0 Many routers, including Linux routers using Ipchains or Iptables, are capable of shaping traffic as it passes through. The IP header for all packets has a spe-

Chapter 9 Continued cial field called the Type of Service (ToS) field, which allows you to prioritize traffic as it passes through the router.

0 The main reason why you would set the ToS field in network traffic is to cut down on network congestion, especially in networks that have high amounts of traffic.

Using and Obtaining Automated Firewall Scripts and Graphical Firewall Utilities

0 Several attempts have been made to automate the process of creating a firewall in Linux. Many of these utilities are quite useful, although they are mostly effective in beginning your firewall configuration; you will likely have to customize the rules these applications generate.

0 Most of these applications are still in beta form, so remember that they often provide limited functionality.

0 Firestarter is a fairly sophisticated graphical tool that supports both Ipchains and Iptables. It can be used to create a personal firewall, but also supports multihomed systems.

0 Mason is designed to first listen in on traffic passing through your firewall, and then generate Ipchains or ipfwadm (the precursor to ipchains and Iptables) rules.

0 Firewall Builder is in many ways the most ambitious open source GUI tool. It allows you to create rules for multiple interfaces, networks, and hosts.

I ❖ Chapter 10 Deploying the

Squid Web Proxy Cache Server

Benefits of Proxy Server Implementation

0 A Web proxy cache server can cache Web pages and FTP files for proxy clients. They can also cache Web sites for load balancing.

0 Caching increases the performance of the network by decreasing the amount of data transferred from outside of the local network.

0 Web proxy caching reduces bandwidth costs, increases network performance during normal traffic and spikes, performs load balancing, caches aborted requests, and functions even when a network's Internet connection fails.

Differentiating between a Packet Filter and a Proxy Server

0 Packet filters analyze traffic at the Network (Layer 3) and Transport layers (Layer 4) of the OSI model. A packet filter can determine whether it will allow a certain IP address or IP address range to pass through, or filter traffic by service, or port number.

0 A proxy server analyzes packets at the Application layer (Layer 7) of the OSI model.This feature provides flexibility because the traffic within one service, such as port 80 (HTTP) traffic, can be filtered.

Implementing the Squid Web Proxy Cache Server

0 The Squid Web Proxy Cache server allows administrators to set up a Web proxy caching service, add access controls (rules), and cache DNS lookups.

0 Client protocols supported by Squid must be sent as a proxy request in HTTP format, and include FTP, HTTP, SSL,WAIS, and Gopher.

Prison Life Hacking Gui

0 Squid is configured using the /etc/squid/squid.conf file, which defines configurations such as the HTTP port number on which Squid listens for HTTP requests, incoming and outgoing requests, timeout information, and firewall access data.

0 Each configuration option in squid.conf is identified as a tag.The http_port tag configures the HTTP port on which Squid listens for proxy clients. The cache_dir tag specifies where the cached data is stored. The acl tag allows you to define an access list. The http_access tag permits or denies access to Squid. Squid will not function until you make changes to the squid.conf file.

Chapter 10 Continued

Configuring Proxy Clients

0 Firewalls can be configured to forward all port 80 traffic leaving the network to the Web proxy cache server—clients do not need manual configuration. In other cases, proxy clients automatically detect the proxy server information on the network and use it for all Internet access.

0 All manual proxy client configurations are completed within the browser application, and it's just a matter of specifying the address of the Web proxy cache server.

❖ Chapter 11 Maintaining Firewalls

Testing Firewalls

0 To disallow IP spoofing, your firewall should not allow any packets to pass from outside the network into your internal network if the source address is the same as any host in your internal network. If you are using private IP addresses, no system outside of the firewall should ever be able to assume this IP address and access your internal network's ephemeral ports.

0 Disable all unused services and configure the used ones keeping security in mind. If you are running Squid or another proxy server on the firewall, make sure that only this port is open. Daemons such as Telnet, File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), and others should be shut down in almost all situations. In many situations, it is best to allow only interactive logins at your firewall.

0 Monitor your system hard drives, RAM, and processors.You may need to cut back on your log settings. Standard Linux tools that can help you determine if your system is becoming overburdened are vmstat and top.

0 Use the who and last commands to learn about who has logged in to the firewall.

0 Check the rules database. Determine if any unauthorized changes have been made to your database. Use the diff command to compare the two files to see if any changes have occurred.You may also use md5 to generate fingerprints of the configuration files to see whether any unauthorized changes have been made to them. If you have Tripwire installed, you will then be informed of massive changes to the hard drive.

0 Verify connectivity with company management and end users, and remain informed concerning the operating system.

0 The introduction of log analysis software such as Firelogd and Fwlogdaemon have made it possible to detect and block port scans, all the while sending an alert to the systems administrator. Most adjunct software, such as Fwlogwatch, provides ways to exclude trusted hosts from being blocked.

Using Telnet, Ipchains, Netcat, and SendIP to Probe Your Firewall

0 Although Iptables does not support rule checking, the ipchains -C command allows you to check how your existing rule set operates. It will return information as to whether the packet is dropped or accepted. It is up to you to act on this information.This tool is handy if you are logged in to the same system as you are testing, and you are becoming familiar with the existing rules and wish to send out packets that test how the rules are working.

0 A simple port scan can help you determine which ports are open on your firewall. Using applications such as Telnet and Netcat, you can then determine what daemon is listening behind that port.

0 If you have logged in to the firewall interactively, it is often useful to open two terminals.You can use the first terminal to issue the telnet command, and you can use the second terminal to view the results in the /var/log/messages file.

0 When compiled properly, Netcat can also spoof IP addresses. If you have set a firewall rule to deny a particular source port, you can test it with Netcat. Because Netcat is so versatile, it can also be used against you to open a back door on your system. Therefore, if possible, you should install this application only on a client system, rather than on the router.

0 Although Netcat does have the ability to create some packets in certain instances, it is not a true packet generator. SendIP is designed to allow you to create packets of your own design to test whether your firewall rules are working properly.

Chapter 11 Continued

0 SendIP allows you to forge any part of a Transmission Control Protocol (TCP) session, as well as any element of an IP, User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) packet. SendIP also allows you to forge all elements of IPv6 addresses, and also allows you to forge Routing Information Protocol (RIP) packets.This tool is useful in regard to firewalls because it allows you to simulate any situation.

Understanding Firewall Logging, Blocking, and Alert Options

0 Third-party logging applications such as Firewall Log Daemon (Firelogd) and FwLogwatch are available to help you sort and act on the information gathered by the firewall.

0 Firelogd, which supports both Ipchains and Iptables, can be run either as an application, or as a daemon. It reads the kernel log entries generated by either Ipchains or Iptables and passes them into a 'first in, first out' (FIFO) pipe, which Firelogd can then process. Once its buffer is full, it e-mails a report of suspicious traffic to an account of your choosing.You can have it mailed to a local account, or to a remote system of your choice.

0 Fwlogwatch is a logging and reporting mechanism, similar to Firelogd but far more versatile, that allows you to automatically block all traffic that is identified as an attack. Used in conjunction with Firelogd, it helps create a system that continuously keeps you informed concerning port scans and other network events that surpass the thresholds you set.

0 The most intriguing feature of Fwlogwatch is its ability to automatically configure Ipchains/Iptables and issue alerts.The best way to do this is to edit the three configuration files to suit your needs: /etc/fwlogwatch.config (or whatever you rename it to), /usr/sbin/fwlw_notify, and /usr/sbin/fwlw_respond.

Obtaining Additional Firewall Logging Tools

0 Additional firewall logging tools include Ipchains logger, LogGrep, Open Correlation, Fwlogsum, IP Firewall Accounting (IPFA), Appsend, Ipmeter, Mrtg, and Ntop.

0 Ipchains logger is a logging enhancer similar to Fwlogd, but limited to

About Ushecking Guilt

Ipchains. It is especially strong in its ability to log masqueraded connections.

0 The LogGrep daemon uses the grep utility to read and sort log files. It is limited, as of this writing, to Ipchains. With this utility, you can sort protocol, date, IP port firewall log entries to generate custom log files. Currently, it can also discover port scans, and generates HTML pages.

0 Ntop is a powerful tool that allows you to identify the nature of all egress and ingress traffic. It is much like the standard top application, in that it gathers information about hosts, and then places the most active hosts at the top of the display. It can be run on a terminal just like the standard top application; you can run it in Web server mode, or as a Web server. This mode supports authentication, thus allowing you to easily limit access to only specific users.

About Ushecking Guidance

Continue reading here: Index

About Us Hacking Gui Generator

Was this article helpful?