Jump to content


Active Members
  • Posts

  • Joined

  • Last visited

Everything posted by Tcstool

  1. Should be working now. Power was out at the house. Also mirrors should all be updated. I have some more revisions coming that were submitted in the last couple of days.
  2. Guys, After a 6-7 month hiatus, I FINALLY have gotten around to updating the U3 incident response tool. The latest build can be found here: http://rnbserve.no-ip.com/u3ir.zip Be sure to check the wiki to see all the latest changes here: http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade PM me with problems or questions or add notes to the sticky thread at the top.
  3. That script has been HEAVILY modified to fit the U3 switchblade. You will probably want to use the original source by cyber_flash found here: http://www.codeproject.com/KB/vbscript/Int...plorer_Spy.aspx
  4. Yes. It's free....IF you work in law enforcement. I have a friend who works for the Sherriff's department here and acquired one...I'm not a fan. It is very difficult to tell what's happening as you're running your forensics, it takes a VERY VERY VERY VERY VERY long time to run, and it sends some information across the wire to Microsoft. I like my stuff better for investigations :D
  5. Good thoughts. I'll mess around with autorunssc and InjectDLL and see if I can get them worked in. The goal is to have a totally automated tool, and while I agree it's not rocket science, it's not within the goals of what we're developing here. This is after all a first responder tool (see Hak5 PhreakNIC epside :-) ). I will look into the volatility issue and see what we can do there.
  6. Thanks for the feedback: It does check for autoruns in some places, like the Run and RunOnce keys in the registry. Myself and HarshReality have been working on a way to enumerate this without using 3rd party tools (we're trying to eliminate all of them to avoid redistribution issues), hence the hesitance to add additional ones. It might not be a bad idea for now though (If we're distributing one we might as well distribute 100 right?). However, the ones listed don't run silently and use a GUI. Order of data collection is on my personal list to work on; I was trying to round out the data we want collected first. I'd really like to get some feedback on what you think the best order would be. Definitely an easy fix and a nice addtion. Great thought!!! The original concept behind the tool was to be completely non-interactive, so any user could run it at a remote site or whatever. This is why there are no options presented. Something simple like that might not be a bad addition though. It may be we need to fork off this project into another branch for IR professionals vs. this one geared for remote users and system admins. All in all, really good thoughts. we'll definitely work some of this stuff in.
  7. Absolutely. Check out Honeywall for a great free, easy to install honeypot: https://projects.honeynet.org/honeywall/ Just make sure to keep this in a DMZ or separate Internet connection to keep it TOTALLY off your home network.
  8. That would work. You could also use FGDump to dump the local system hashes into a text file if her computer doesn't have the resources to do hardcore password cracking.
  9. I had a chance to review the white paper as well...This is great stuff, and will be really easy to add!!!! I will definitely make this a feature. Thanks for the suggestion!
  10. You know I had this tested and sorted out to add. I was on the brink of adding security log dumps but man the security logs on windows machines get SO MESSY!
  11. I'm surprised you guys are having problems finding them. They're more than plentiful down here in Tennessee at any Wal-Mart or Staple's.
  12. Not being rude, but no: You seem to be the only one having a problem with the drive error, so I see no need to rework the entire thing It is important to see the command window so you can see the status of your evidence collection
  13. Thanks to some snow and a day off work, version 1.7 is now posted to the wiki: http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade Only the slow link is up to date as of right now so download from there. Changes in this version: Capture of the Firefox and IE history files for all users on the machine Capture of the Application and System error event log items (Thanks HarshReality!) Added labels to each section of output (Because I've added so much stuff when I used htis on a job site the other day I couldn't remember what was what!) Enjoy,and throw me feedback out there. HarshReality, still waiting on that HTML output! ;)
  14. That's not a bad idea. I have a nice VBScript for this, but it occasionally will hang up on certain systems, so I'm working the kinks out.
  15. I'm thinking we may be able to pull it off with pushd and popd...I've gotta get more research done into this but I'm hoping to put up a revised version on Sunday. Stay tuned.
  16. That would work but we have to do it last. If we cd out of the execution directory it's going to kill off the rest of the script because the rest of the tools won't be in path anymore.
  17. Just using the windows dir command
  18. I feel the need to respond to this in a more specific manner, to clarify what's alredy included so the discussion doesn't get pointed in the wrong direction. Also, bear in mind this is not an attack tool, but a tool for responding to potential attacks and penetration: - Recycle Bin of each profile Can do, will be included in next release - Verify anti-virus logs for e.g. trojans received through e-mail Too specific to each AV vendor to do in an automated fashion - Use PestPatrol to find known backdoor software on the system This is more of a remediation than investigation app - Verify the service pack level to assess known vulnerabilities (CSDVersion key in the registry) Already documented with PSInfo - Check the registry to obtain SIDs for those systems to which the current user has logged on. Users will only have the SID of a remote domain in their Profile list if they have successfully logged onto the domain in the past. Not always accurate, questionable value - rasusers – obtain all users connected through RAS Only applies to servers, maybe we need to build a separate version of this for servers? - net start – obtain a list of all running services Already enumerated with tasklist /svc and sc query commands - at – verify scheduled jobs with, especially for listening shells scheduled to start at certain times This is a good idea, going into the next release - netstat -anp – verify listening processes Already enumerated with netstat -ano - fport – Already enumerated with netstat -ano - listDLLs – show command line arguments for each process running I don't see that it shows command line arguments, but that's useful stuff nonetheless. Will be included in next version until we can figure out a way to do away with Sysinternals tools. - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Does not exist on XP? - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Run Already done - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce Already done - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesDoes not exist on XP? - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceDoes not exist on XP? Installed software(LINK for a vbs that does this)http://www.appdeploy.com/tips/detail.asp?id=128 Already enumerated by PSinfo - HKCU & HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall This takes a while to dump and can be quite large 3. Dump file list of Startup folder Having issue running this from the U3 context - Boot.ini and MBR Better done with something like Helix - Event log Coming in next release - Page file for later analysis (win386.swp/pagefile.sys) WAY too big! All good thoughts, will definitely use some of this.
  19. It executes, just one line doesn't run. I think it was dir C:\Documents and Settings\All Users\Start Menu\Programs\Startup. Anyways it was trying to run a directory listing of a startup folder, and I could run myself (I have local admin rights on the machine), but when the script executed from the U3 context, I got access denied errors.
  20. Many of the things DingleBerries suggested are lready included, so definitely make sure to check the latest version. The issue with checking AV logs is the log file paths vary between AV vendors and this needs to be as vendor neutral as possible. Some things I have been working on myself, but I have a weird issue happening...I can run the command from the command line myself, but when it is executed from the U3 image, there are permissions issues.
  21. HAHA...Hey if you do just the HTML output that would be great. I can handle adding other features, but would love to see what you come up with for HTML output! I think the toolset is pretty solid right now, let's work on that.
  22. Yeah I'm not for sure either. I've not seen the kind of error you are talking about. Realistically, if the error is with the VBScript, all it is doing is searching for the location of the u3ir.dat file, and then passing that location as a parameter in the batch file execution. You could just run the batch file followed by the drive letter of where you want to store the data if you're having problems getting the VBScript going.
  23. For anyone who is interested, I have uploaded a non-U3 version of this and put the link on the wiki. All you have to do is copy the contents of the folder inside the ZIP to a non-U3 drive and run the forrensicsstart.vbs script. Jen, you still have me lost. Send me some more info over PM.
  24. Yes, should run automatically on an XP/2000 machine. I'm not sure what you're referring to with the no drive error. The cmd could be hidden, but if I'm conducting an investigation I would prefer to see what's being run and if anything errors out. This really isn't a tool designed to be stealthy.
  25. I just think it would be awesome to have your reverse shell you're throwing back be Meterpreter! Plus being able to do the encoding to trick the AV isn't bad either.
  • Create New...