30 April 2014

Community-ness in Malaysia at its last breath?

It has been close to 5 years since I set foot on Malaysian soil. I came over to Malaysia in July 2009 with the aim of studying for a bachelor's degree, and now that I have completed it, the journey in Malaysia is coming to an end in 2 months.

I have moved around quite a bit, so it's pretty easy not to give it much thought when leaving. But Malaysia is where I spent the better half of my teenage years, and where I got into free & open source software (more the ideology and appreciation than contributing) and volunteering at events.

I have worked/volunteered for/with notable communities in Malaysia in the span of the last 3 or so years. I even helped grow a community with Beard-0 (the notable Cyber Security & Forensics Club of A.P.U). I helped make Fedora Users' and Developers Conference APAC happen in Malaysia, along with Izhar, as the main event owner, and many other volunteers. And I helped organise a few Fedora events in Kuala Lumpur and at my previous university. Also, Beard-0, naavinm, KE and I started a Capture The Flag (CTF) team called GliderSwirley. We still try to play most CTFs that we can (please pardon the 0xn00bness, if you see us on CTFTime :P ). I also volunteer at Hack In The Box Security Conference and manage most of HackWEEKDAY (hopefully, the sponsors and participants were happy about it).

Being a part of these communities has been the best extracurricular activity I could ask for. I know there are others like music, martial arts and whatever clubs in the university, but they don't align with my real interests. :P

The problem(s) I find in the way communities are running (not in any particular order):
  • the community leaders are >mid 20s-30s, they have full time jobs,
  • needs to be backed by a larger corp
  • not much passion for knowledge sharing (they just want to suck us dry :P )
When you look at communities like Python Malaysia, Fedora Malaysia and others, the real notable faces of the community have full time jobs. Although they are pretty active at different events and their own, there is no other person, especially from among college/university students, to take over the leadership or just help out with organizing events. I try to help most free and open source software (FOSS) communities because, if you look at almost all the software that we use, it's somehow based on FOSS, one way or another.

I find that college/university students like being a part of communities that are backed by larger corps (I will not name them here, don't want to offend anyone). I can't blame them though, they get good SWAG!! like all the time. I'm not exactly sure if every other community needs to start distributing swag just to attract more members? It's something I have not figured out yet. Or is it that there are no monetary rewards involved and students are not motivated because of that? :(

I have done quite a few workshops at CSFC, especially on Python, because I find that the programming classes in the uni aren't on par with making students actually want to program, and I find that Python is easier to teach to/learn for beginners. Also, since a lot of security software/scripts are based on Python, I hoped that would kill 2 birds with 1 stone, by helping students learn a (new) programming language as well as be able to extend the security software if they find it lacking in features. Obviously, I did not have a full-on course figured out like how most classes are; the workshops are aimed more towards motivating the members to start learning programming languages and understand how software works, and are mostly 1 session/week. I have only recently found out you could get funding from the Python Software Foundation, but now I have other adventures away from Malaysia. :(

It so happens that students just want to learn the stuff they learn at the workshop, go back home and come back the next time without much thought about it. Although, some are really talented/work hard and come up with questions/errors that I have not come across. Whenever a discussion takes place on a particular problem, not many want to chime in with their ideas; they like to just keep quiet or agree to it. Not sure if the agreeing part is for the sake of agreeing or they're just afraid to voice their opinions?

Also, I guess most students envisioned that coming to CSFC means we will teach them which buttons to click on vulnerability/exploit finding software and they can start being 1337 H4x0rs. But the sad reality of life is that being good at something doesn't just come from learning to click buttons and knowing how to use a mouse. I, myself, am not a security professional, there is a ton of knowledge I need to gather too, but I am pretty sure it doesn't always just involve clicking buttons and moving your mouse here and there.

So, after being a part of various communities in Malaysia for a while, I have come to believe and decided (after thinking hard about it for the past ~4 months, having discussed it various times with Beard-0 and having talked to a few folks) that the community-ness in Malaysia is certainly at its last breath; I don't want to call it dead though. Maybe some still believe it is still growing strong. But to me, it's at its last breath. I'd be lucky to attend/help out at a few more community events in June (I know there is one in planning for Fedora Malaysia; if you're interested, please have a look at the agenda - https://fedoraproject.org/wiki/Ambassadors/MalaysianTeam/Events/Fedora_Malaysia_Planning_Meeting_2014, we're still getting the date/venue sorted).

Although, my inner voice does hope that someone from the "younger/college/university" group in the community steps up and rekindles that community-ness fire in Malaysia. But I know that if I ever need to take a vacation in Malaysia and want to meet the community folks, I can always find the Fedora/Python/Mozilla Malaysia, Code Equality (they're AWESOME!) and some of the HITB folks. :)

So long and thanks for all the fish!

30 January 2014

[Nullcon HackIM 2014] Forensics 2 Writeup

Points: 200
Description: There was a zip file on the desktop. I can't remember the password for it.
We saw a zip file named: "null password.zip" on the desktop. When opened, there are 2 files which are encrypted. So it was clear that we needed to crack the zip.


First we looked at some hints from the challenge creator ;)
So, Beard-0 (https://twitter.com/Maxthatsme) looked at a freshly booted VM of the image (since I was lazy + forgot to save the initial snapshot and was already working on another Forensic challenge) and looked at the Temp folder in AppData/Local. There he found a folder named Rar$DI99.160, inside which was one of the files, "Null final1.pdf". From this we looked at known attacks on zip files and found https://en.wikipedia.org/wiki/Known-plaintext_attack

We zipped the "Null final1.pdf" into a zip. Installed the evaluation edition of Ultimate Zip Cracker - http://download.cnet.com/Ultimate-ZIP-Cracker/3000-2092_4-10040839.html

Selected the "Plaintext attack" recovery method.

Chose the "Null final1.pdf" zip file as plaintext file.

And finally we had the unzip'd archive.

27 January 2014

[Nullcon HackIM 2014] Forensics 5 Writeup

I play security competitions called Capture The Flag (CTF) with a group called Glider Swirley.
Points: 500
Description: The client says that the system was compromised. There was no evidence found for the same. The client claims that some anti-forensics tool was used to remove the evidences. Our investigator agrees to it. Can you find out what was the command that was executed and at what time it was done?

There was a hint for it by one of the organizers.
Since all the forensics challenges were based on 1 VM image, it was already known that the image is Windows 7 SP1 x86, thus the profile to use for volatility - https://code.google.com/p/volatility/ was Win7SP1x86. So I acquired the memory dump of the system (MEMORY.DMP)

As this was the first time we (me & Beard-0 - https://twitter.com/Maxthatsme) had to use volatility, I tried to get familiar with it by looking at the process list. Issued with:


[nullcon-2014] >>> % vol.py -f MEMORY.DMP --profile=Win7SP1x86 pslist

Showed a few processes. But clearly by that I knew it wasn't showing me anything about a command being executed or a process crashing. Beard-0 looked through a few usages of volatility and found cmdscan. So I tried it out.

[nullcon-2014] >>> % vol.py -f MEMORY.DMP --profile=Win7SP1x86 cmdscan
Volatility Foundation Volatility Framework 2.3.1
**************************************************
CommandProcess: conhost.exe Pid: 2200
CommandHistory: 0x292a70 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
**************************************************
CommandProcess: conhost.exe Pid: 2996
CommandHistory: 0x5f04f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
Cmd #0 @ 0x5ed400: cd desktop
Cmd #1 @ 0x5f4730: sdelete -c -z c:
Cmd #36 @ 0x5c00c4: ^?_?\???\
Cmd #37 @ 0x5ed108: _?\????
**************************************************
CommandProcess: conhost.exe Pid: 2996
CommandHistory: 0x5f0698 Application: sdelete.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x50

So it seems the process we want is sdelete -c -z c:, but the flag format requires the command and the time. So it definitely seems we need a screenshot of when the process crashed. Now does volatility have a screenshot feature? Well, since it's so awesome, it does.

[nullcon-2014] >>> % vol.py -f MEMORY.DMP --profile=Win7SP1x86 screenshot --dump-dir shots/

It just needs a directory to dump the screenshots and voila, one of the screenshots shows up:
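Added example, not part of the original writeup or of Volatility: a small parser for the cmdscan output shown earlier that separates the real history from leftover buffer slots and flags wiping tools. Treating slots at or beyond CommandCount as stale is this example's assumption, as are the function names and the one-entry watch list.

```python
import re

# cmdscan output copied from this writeup (blank lines removed).
CMDSCAN_OUTPUT = r"""**************************************************
CommandProcess: conhost.exe Pid: 2200
CommandHistory: 0x292a70 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
**************************************************
CommandProcess: conhost.exe Pid: 2996
CommandHistory: 0x5f04f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
Cmd #0 @ 0x5ed400: cd desktop
Cmd #1 @ 0x5f4730: sdelete -c -z c:
Cmd #36 @ 0x5c00c4: ^?_?\???\
Cmd #37 @ 0x5ed108: _?\????
**************************************************
CommandProcess: conhost.exe Pid: 2996
CommandHistory: 0x5f0698 Application: sdelete.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x50
"""

# Watch list for this example only; extend it with the tools you care about.
WIPE_TOOLS = {"sdelete"}

HEADER = re.compile(r"^CommandProcess: (\S+) Pid: (\d+)$")
HISTORY = re.compile(r"^CommandHistory: (0x[0-9a-f]+) Application: (\S+) Flags: (.*)$")
COUNT = re.compile(r"^CommandCount: (-?\d+) ")
CMD = re.compile(r"^Cmd #(\d+) @ (0x[0-9a-f]+): (.*)$")


def parse_cmdscan(text):
    """Return one dict per CommandProcess block found in cmdscan output."""
    histories, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "application": None, "count": 0,
                   "commands": [], "stale": []}
            histories.append(cur)
            continue
        if cur is None:
            continue  # separator or banner before the first block
        m = HISTORY.match(line)
        if m:
            cur["application"] = m.group(2)
            continue
        m = COUNT.match(line)
        if m:
            cur["count"] = int(m.group(1))
            continue
        m = CMD.match(line)
        if m:
            idx = int(m.group(1))
            # Assumption: only slots below CommandCount belong to the history.
            bucket = "commands" if idx < cur["count"] else "stale"
            cur[bucket].append((idx, m.group(3)))
    return histories


def flag_wipe_commands(histories):
    """Return (pid, application, slot, command) for commands that start a wipe tool."""
    hits = []
    for h in histories:
        for idx, cmd in h["commands"]:
            tokens = cmd.split()
            if not tokens:
                continue
            exe = tokens[0].lower().rsplit("\\", 1)[-1]
            if exe.endswith(".exe"):
                exe = exe[:-4]
            if exe in WIPE_TOOLS:
                hits.append((h["pid"], h["application"], idx, cmd))
    return hits


if __name__ == "__main__":
    for hit in flag_wipe_commands(parse_cmdscan(CMDSCAN_OUTPUT)):
        print("wipe tool in console history:", hit)
```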


12 November 2013

Zeromutarts CTF Crypto Challenges

The magic of rsa (100)

You were able to hear some whispering on the last crypto party! *whisper* d is 35181901. Keep it secret or we are doomed!
We were given 2 files for the challenge.

1) rsa.py

#!/usr/bin/env python

import sys

n= 65354147
e = 13

d = ??

f = open( sys.argv[1] , "r" )
for line in f: 
    line = int(line.strip())
    # you'll have to insert the decrypt function for each line(number) here!
    #dec = ...
    print chr(dec)

2) rsa.txt

32588732
56947340
16730166
16529146
17037091
9958499
18895626
49410873
58063242
16529146
18895626
30273022
58063242
30273022
60194095
9956852
58063242
44337129
16730166
5059543
40999214
39158796
5059543
58063242
54302449
9958499
58063242
8646641
16730166
51307370
16730166
57845836
16730166
34996934
32762958

If you read up about RSA decryption[0] on Wikipedia, it's pretty simple and straightforward to solve this challenge. You need C = ciphertext (we got loads of it there in rsa.txt, just need to use one by one), d = private key exponent (we got that as well), n = modulus for both private and public keys. Thus, M (plaintext) = C^d mod n

Here, I used sagemath[1] cloud application to solve it as follows. You could actually save the following into a python script and run it.

n = 65354147
d = 35181901
ctuple = [32588732,56947340,16730166,16529146,17037091,9958499,18895626,49410873,
58063242,16529146,18895626,30273022,58063242,30273022,60194095,9956852,58063242,
44337129,16730166,5059543,40999214,39158796,5059543,58063242,54302449,9958499,
58063242,8646641,16730166,51307370,16730166,57845836,16730166,34996934,32762958]
result = ""

for i in ctuple:
    lol = pow(i, d, n)  # M = C^d mod n, one character per ciphertext value
    result += chr(lol)
print("Result for http://zeromutarts.de/task/rsa_magic : " + result)

rivest-shamir-adleman (250)

This one is important, we have no clue how to decrypt the secret message! Can you help us?
We were given 2 files for this challenge as well.

1) rivest.py

#!/usr/bin/env python

import sys

n= 80646413
e = 5

# You'll have to find the d yourself..
d = unknown

f = open( sys.argv[1] , "r" )
for line in f: 
    line = int(line.strip())
    # you'll have to insert the decrypt function for each line(number) here!
    #dec = ...
    print chr(dec)

# might come handy
def xgcd(a,b):
    """Extended GCD:
    Returns (gcd, x, y) where gcd is the greatest common divisor of a and b
    with the sign of b if b is nonzero, and with the sign of a if b is 0.
    The numbers x,y are such that gcd = ax+by."""
    prevx, x = 1, 0;  prevy, y = 0, 1
    while b:
        q, r = divmod(a,b)
        x, prevx = prevx - q*x, x
        y, prevy = prevy - q*y, y
        a, b = b, r
    return a, prevx, prevy

def modinv(a, m):
    """Modular multiplicative inverse, i.e. a^-1 = 1 (mod m)"""
    a, u, v = xgcd(a, m)
    if a <> 1:
        raise Exception('No inverse: %d (mod %d)' % (a, m))
    return u

2) rivest.txt

72895864
15633602
38820479
60303684
7458706
60299530
20682371
54642689
26066811
32615038
35349196
76400140
38820479
56463813
80491201
76400140
35349196
69567074
26066811
76400140
74270178
76127647
76127647
15633602
76400140
60303684
38820479
56463813
60303684
76400140
72844764
76127647
69302434
15633602
80491201
76400140
6809712
26066811
76400140
42498798
60299530
76127647
69302434
80491201
33234011

This time we seriously need sagemath to solve it. :) Since we don't know the d to decrypt the messages for this challenge, we first need to find the p & q to get d. The most straightforward way to get that is to use Fermat's Factorization method[2].

I used the formula from here: http://facthacks.cr.yp.to/fermat.html to get p & q.

# Sage session: ^ is exponentiation; is_even, is_square, ceil and sqrt are Sage built-ins
n = 80646413
e = 5
ctuple = [72895864,15633602,38820479,60303684,7458706,60299530,20682371,54642689,
26066811,32615038,35349196,76400140,38820479,56463813,80491201,76400140,35349196,
69567074,26066811,76400140,74270178,76127647,76127647,15633602,76400140,60303684,
38820479,56463813,60303684,76400140,72844764,76127647,69302434,15633602,80491201,
76400140,6809712,26066811,76400140,42498798,60299530,76127647,69302434,80491201,
33234011]

def fermatfactor(N):
    # find a such that a^2 - N is a perfect square b^2; then N = (a - b)(a + b)
    if N <= 0: return [N]
    if is_even(N): return [2,N/2]
    a = ceil(sqrt(N))
    while not is_square(a^2-N):
        a = a + 1
    b = sqrt(a^2-N)
    return [a - b,a + b]

p, q = fermatfactor(n)

phi=(p-1)*(q-1)
d=pow(e,-1,phi)  # private exponent: inverse of e modulo phi

result = ""
for i in ctuple:
    lol=pow(i,d,n)
    result+=chr(lol)
print("Result for http://zeromutarts.de/task/rivest-shamir-adleman : " + result)
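Added example in plain Python 3 (not the author's Sage session and not the challenge's code): the same Fermat factoring and decryption without Sage. It goes one step beyond the post by also running on the first challenge's modulus, which shows that the "whispered" d follows from n and e alone when the modulus is this small. Function names are this example's own.

```python
from math import isqrt

# Public values and ciphertext copied from the two challenges in this post.
N_MAGIC, E_MAGIC, D_WHISPERED = 65354147, 13, 35181901
N_RIVEST, E_RIVEST = 80646413, 5
RIVEST_TXT = [
    72895864, 15633602, 38820479, 60303684, 7458706, 60299530, 20682371,
    54642689, 26066811, 32615038, 35349196, 76400140, 38820479, 56463813,
    80491201, 76400140, 35349196, 69567074, 26066811, 76400140, 74270178,
    76127647, 76127647, 15633602, 76400140, 60303684, 38820479, 56463813,
    60303684, 76400140, 72844764, 76127647, 69302434, 15633602, 80491201,
    76400140, 6809712, 26066811, 76400140, 42498798, 60299530, 76127647,
    69302434, 80491201, 33234011,
]


def fermat_factor(n):
    """Return (p, q, steps) with p * q == n for odd n > 1.

    steps counts how often a had to be incremented; it grows with the
    distance between the two factors.
    """
    if n <= 1 or n % 2 == 0:
        raise ValueError("expects an odd integer greater than 1")
    a = isqrt(n)
    if a * a < n:
        a += 1  # ceil(sqrt(n))
    steps = 0
    while True:
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:  # a^2 - n is a perfect square
            return a - b, a + b, steps
        a += 1
        steps += 1


def recover_private_exponent(n, e):
    """Factor n, then return (d, (p, q), steps) with e * d = 1 mod phi(n)."""
    p, q, steps = fermat_factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi), (p, q), steps  # modular inverse, Python 3.8+


def decrypt(values, d, n):
    """Decrypt one character per value; non-printable results become '?'."""
    out = []
    for c in values:
        m = pow(c, d, n)
        out.append(chr(m) if 32 <= m < 127 else "?")
    return "".join(out)


if __name__ == "__main__":
    d1, factors1, steps1 = recover_private_exponent(N_MAGIC, E_MAGIC)
    print("rsa.py:    n =", factors1, "steps =", steps1,
          "d matches the whisper:", d1 == D_WHISPERED)
    d2, factors2, steps2 = recover_private_exponent(N_RIVEST, E_RIVEST)
    print("rivest.py: n =", factors2, "steps =", steps2, "d =", d2)
    print(decrypt(RIVEST_TXT, d2, N_RIVEST))
```

Both moduli are under 27 bits and each value encrypts a single character, so the factoring loop finishes in fewer than a hundred steps.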

[0]: https://en.wikipedia.org/wiki/RSA_(algorithm)#Decryption
[1]: https://cloud.sagemath.com
[2]: https://en.wikipedia.org/wiki/Fermat's_factorization_method

26 September 2013

Analysis of iWebSpace Android Application

If you follow me enough on twitter (@mavjs), read my home page or follow my Fedora Ambassador wiki page, you'll probably know that I study at the Asia Pacific University of Technology and Innovation[0], Malaysia. This is my account of the n00b analysis done in my free time on the university's android application.

iWebSpace android application[1] is, as quoted from its non-working Google Play page, "The Asia Pacific University APP provides convenient access to important information and to most of our services in your hand" - pretty cool and convenient for most students.

The only thing in my mind was to do an analysis before actually using it, mostly because this is the first time the university's Center of Technology and Innovation (CTI)[2] - an R&D department - produced a mobile application. They have both an iPhone version and an android version. Since I don't own a Macbook, I couldn't do any analysis on the former version. And android was easier to read as I'm more familiar with Java. That being said about the app, let's see my n00b findings.

1) I acquired the .apk from a friend. (I think it's version 1.0 and also I don't own an android)
2) Used dex2jar[3] to convert .apk to .jar.
3) Used JD-GUI[4] to open and read the .jar file.

First thing on my mind after opening the .jar file with JD-GUI was to see how the application was authenticating the students. So, I scrolled through the code and found a Login class. Inside that Login class, it has a doLogin() method that logs you into the system, once you've supplied your student ID and password. I took a closer look at it and guess what I found?


Yup, HTTP. Awesome. No comments there. Let's move along. Assuming, the majority of the students don't care about their student ID and password, this is pretty much fine, I guess. :P

The app has functions to show the students their pending/paid fees, attendance, timetable and exam timetables. Pretty cool and convenient, definitely. So, I took a further look at those functions. Firstly, let's look at the Fee function. The Fee class has an onCreate() function that sets up the view. A further look at it suggests that it uses an md5 string + student ID to query the Fee status of a particular student. Have a look.


So, I took a closer look at the md5 string. The developers from CTI love to keep their variable naming short (i, j, k, m, str1, str2). What is str1 actually md5-ing?

int i is getting the YEAR
int j is getting the MONTH
int k is getting the DATE, which is day of the month
int m is getting the HOUR_OF_DAY

From the above, if you reconstruct the md5 string with the current datetime on my system (26-09-2013 15:00:00), you get the following:

md5(26 + 9 + 'Student ID' + 2013 + 15) = '1640a3e25cc45123c5e234606aefbeb2'
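Added example, not code from the app or from CTI: the token in the formula above is a pure function of the student ID and the clock, so it says nothing about who is asking. Beside it is one hypothetical server-issued alternative keyed with an HMAC secret. The plain string concatenation, the function names, the sample ID and the key are all assumptions of this example.

```python
import hashlib
import hmac
from datetime import datetime


def legacy_token(student_id, when):
    """Token built as in the post: DATE, MONTH, student ID, YEAR, HOUR_OF_DAY.

    Assumption: the fields are joined as plain strings. Nothing here is
    secret, so any party that knows a student ID can compute the same value.
    """
    material = f"{when.day}{when.month}{student_id}{when.year}{when.hour}"
    return hashlib.md5(material.encode()).hexdigest()


def issue_token(server_key, student_id, now, ttl=900):
    """Hypothetical replacement: issued by the server after a password login
    over HTTPS, bound to the student ID and an expiry time."""
    expires = int(now) + ttl
    msg = f"{student_id}|{expires}".encode()
    tag = hmac.new(server_key, msg, hashlib.sha256).hexdigest()
    return f"{student_id}|{expires}|{tag}"


def verify_token(server_key, token, now):
    """Return the student ID if the token is authentic and unexpired, else None."""
    try:
        student_id, expires, tag = token.rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:
        return None
    msg = f"{student_id}|{expires}".encode()
    expected = hmac.new(server_key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or altered
    if now >= expires_at:
        return None  # expired
    return student_id


if __name__ == "__main__":
    sid = "STUDENT-0001"                      # constructed sample ID
    when = datetime(2013, 9, 26, 15, 0, 0)    # date and time used in the post
    print("legacy token:", legacy_token(sid, when))

    key = b"constructed-demo-key"             # constructed; never ships in the app
    tok = issue_token(key, sid, now=1_380_000_000)
    print("valid:   ", verify_token(key, tok, now=1_380_000_100))
    print("tampered:", verify_token(key, tok.replace("0001", "0002"), now=1_380_000_100))
    print("expired: ", verify_token(key, tok, now=1_380_001_000))
```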

This is the same for the attendance function. The timetable and exam schedule functions aren't that interesting, so I'll not write about them here. When I reported the above, the only reply was that they will secure the web services. Does that mean they will keep sending the student ID and password over plain HTTP? I've no idea. :D I looked at the Google Play store page for the app and found that it couldn't be found. What's up?



But the most interesting part about the whole app is the ActiveWebspace class. It seems to register the device using the application to the server so that they can see what's the count of devices using the app and to send push notifications to them. The server is registered with some unique regId, name and email to a web application residing at the following:


Once I found that URL, the only logical thing for me to do was to go one directory up, and see if I could find anything. And I did. This is what I found;


There was no authentication whatsoever needed to access that, although they've 403'd the service after some hour that I reported about it. The reply they sent me was as follows:


Cool story - "illustration purpose". But it seems the message box can be used to send push notification from the look of the JavaScript function they were using:


Hey, at least this isn't as bad as the iMessage Chat for android where it could possibly download malicious[5] stuff, right? :P

I think I'll probably only use those services via web. Maybe some other day when I'm free, I'll try looking at the iPhone version and see what kind of stuff they coded in. XD

On another note, this was all done on a Fedora 19[6] laptop. Ciao!

[0]: http://apu.edu.my/
[1]: https://play.google.com/store/apps/details?id=edu.my.apiit.iWebSpace
[2]: http://www.apu.edu.my/cti
[3]: https://code.google.com/p/dex2jar/
[4]: http://jd.benow.ca/
[5]: http://grahamcluley.com/2013/09/imessage-android-trust/
[6]: https://fedoraproject.org/

14 September 2013

Steam fail to start


Last night I was playing some games on Steam and closed it after I finished playing. Then I browsed around the Humble Bundle and bought the 'Humble Indie Bundle 9' since I wanted 'Mark of the Ninja', so to redeem it I switched on Steam. But it wasn't starting up. So, I opened it from the terminal and got some errors, but those had been there for ages and didn't actually affect the start up last time.

So, this morning, I was talking to a friend on IRC about it and he mentioned that you could just do /usr/bin/steam --reset to reinstall and start again... and voilà, it was indeed working again. :)

[Note]: Another friend suggested to restart the router, not sure how effective that would have been though. :P

10 July 2012

Introduction to Grok web application framework @ UCTI

Hey folks, we, the Fedora Malaysia community in conjunction with UCTI Free & Open Source Software SIG, have planned for an introductory workshop on Grok, a web application framework. It uses the Zope Toolkit (ZTK).

This session is aimed towards finding more python as well as zope/plone/FOSS developers  in Malaysia. The session is mentored by our very own Fedora Ambassador, Izhar a.k.a KageSenshi, who works at a local Plone support and service company called Inigo Consulting.

Following are the details of the session:
Date: Sun 15th July, 2012
Time: 11:00-18:00
Venue: Level-2 Room-5 (L2-5), UCTI (Google Maps: http://goo.gl/maps/dI7h)
Fee: Free Of Charge ;)

Folks coming to the session, (that's you!), should bring along their own laptops (obviously!) and do not necessarily need to know Python, but need to have programming knowledge. Learning/knowing Python can be enhanced later on. Also need to know basic/intermediate HTML/CSS/JS.

Although, we prefer Unix/Linux systems like Fedora, users are welcome to use any platform that they wish, provided that they know how to install Grok or any other software packages and troubleshoot problems if they arise.

We might be passing around some Fedora 17 if we happen to not finish them off at Malaysia OpenSource Conference. :P So, if you happen to know how to use *nix system and just need to boot it up to it, you can use a virtual machine to boot into a *nix system using the CDs/DVDs passed around or you can also ask me, for an ISO image before the session, if you need one. :)

See you all there!

Links:
Zope/Plone User Group Malaysia G+: http://goo.gl/HcM7n
Zope/Plone User Group Malaysia Mailing List: http://groups.google.com/group/zplug-my

4 July 2012

Zsh Autocomplete Function to change and auto complete directories' name

Some weeks ago, I was trying to find a way to alias my favourite directory (~/Programming/Pythons) in zsh, such that it would show me the directories contained inside it. But aliasing doesn't work, except to `cd` me to that directory. Or a function can help me get into the directories inside ~/Programming/Pythons but I'd have to type out the directories' names manually. That wasn't an option either.

So I turned to "Uncle Google" :P for it. Also what I remembered from Zsh is that its auto completion is really awesome. So I searched for "zsh autocomplete function" and read some stackoverflow examples and stuff. But I had some errors if I was using oh-my-zsh's functions.zsh to store/write my zsh auto complete function in it.

What I did was, instead of writing that auto complete function inside oh-my-zsh's functions.zsh, I wrote it directly inside .zshrc, like this;

function prog() { cd ~/Programming/Pythons/$1; }
_prog() { _files -W ~/Programming/Pythons; }
compdef _prog prog


What this code actually does is that when you type prog after sourcing your .zshrc file, it expands the defined directory, here '~/Programming/Pythons/', and the argument $1 is whatever directory you selected from the expansion of the directory by the function _prog(), like this:
Zsh Auto Complete Function
This exactly did what I needed. If you got awesome auto complete functions written, do share it at the comments. :)

source [0]: http://zsh.sourceforge.net/Guide/zshguide06.html
source [1]: http://stackoverflow.com/questions/10700012/zsh-autocomplete-function-based-on-2-arguments
source [2]: https://wiki.archlinux.org/index.php/Zsh#Command_Completion

25 April 2012

Spreading Fedora Love - One At A Time

Disclaimer: This post is actually a bit overdue. Was supposed to be up by Tuesday, but some stuff caught up.

Event Details
* Time: 10:00 - 16:00
* Date: 23rd April, 2012
* Venue: UCTI
* Aim: Sharing knowledge/Teaching about GNU/Linux operating system(s).

This event was organized by rebelk0de and I, Maverick. I have been contributing to Fedora Malaysia for about ~5-7months now, while rebelk0de has long since contributed/helped Fedora MY.

It was aimed at sparking the GNU/Linux and FOSS enthusiasm in UCTI, the event venue for FUDCon KL. Since UCTI had thousands of students, we had to start off with something smaller. So, we looked for a small group of technical folks among the students, and we found the UCTI Technical Assistants (TAs). TAs work in the UCTI computer labs to maintain approximately 300 computers running the Windows operating system, daily.

And as recently, I, together with rebelk0de (as advisor) and a small group of 4 people, have been working hard to get UCTI Free & Open Source Software Special Interest Group (FOSS SIG) back into shape and in official status. Therefore, as a recruitment drive, to share knowledge about FOSS & GNU/Linux and to promote & expand the "Fedora Love" to the folks here in UCTI, I was there at the date of the event.

The event's objective was to get Fedora and Ubuntu running with little or no headaches involved for beginners, and to understand a bit about getting the installed operating system up and running, with the things the users needed getting installed on an as-needed basis. So, mainly it was about teaching them how to make use of the "yum" and "apt-get" package management utilities.

The event started around 11:00 and was headed by rebelk0de. I was the assistant ;), mainly to help out when folks couldn't catch up or something went wrong with their Fedora installs. I mainly shared my knowledge about "things to watch out for when installing Fedora", especially, the different types of installation processes and some tips & tricks for beginners. I also distributed some leftover Fedora 16 CDs that I had from this year's FAD, almost all of the folks that showed up got it.

We kicked off the event by installing "Fedora" on the virtualboxes, which took approximately 30 mins. The installation environments were inside virtualbox on Windows hosts. The reason to take this approach was that we would have needed a lot of extra precious hard disks for this one event, the machines retain their changes after reboot (so it was easier to use virtualboxes) and most of the folks who showed up had never installed/used either Fedora or Ubuntu, or GNU/Linux in general. Most of the time was taken up explaining the installation process and post-installation configurations such as "adding their users to the sudoers if they forgot to add it" and using the vi text editor.

Most of the tutorial/hands-on were done on Fedora. Ubuntu was just used to show how to use the package management utilities. We all had a lunch break around 14:00-15:00. And we wrapped up the event by 16:00.

rebelk0de and I have promised the folks to have more continuous classes for them in the future, and they have agreed. So, on with more classes/events then! :D

P.S. Will share the event photos after getting uploaded to Fedora My's Albums. ;)

Edit: Here is the photos from the event: GNU/Linux Intro Class at UCTI

23 April 2012

Getting Python Libraries Installed The Normal Way on Windows

I've been using GNU/Linux distributions for almost 2 years and with Fedora for about ~7-8 months.

Every single day I do some experiments with python, and every single time it makes me feel comfortable using Fedora to write scripts. It removes headaches from happening because I don't have to figure out ways to install python libraries you need. I can just go forward with concentrating on coding.

There's a little script I wrote called ucti-timetable. It's used to download timetables from my university and store them locally. But since a large user base from my university are windows users, I had to make it work on windows as well. Well, to be honest it works, but only one thing:

PAIN!!

It's so painful to install a python library on windows. It fails most of the time...why is that?, you ask me..

Well, it's because the python executable path is not in your $PATH. dafuq, right? So, yeah, this is how you do it (based on Windows 7):
Right click -> My Computer -> Properties -> 
Advanced System Settings -> Advanced tab ->
Environment Variables -> System Variables
after that find
PATH
and append this or equivalent (depending on where your python gets installed):

C:\Python27\


Only after you do this you could install BeautifulSoup the "normal" way.
    python setup.py install


Insane, right?