Tcstool

Active Members, 80 posts
Everything posted by Tcstool

  1. Hey that's not half bad! Definitely going in the next release!
  2. Yes, only 4 output files (for now). Hm...I see now that the registry queries are generating "access denied" errors! However, as the user, I can run them from the command line. We need to determine the context U3 is executing under. I'll work on that.
     EDIT: Thank you very much, awesome Windows security. It seems from the context the VBScript runs in, I can't query the registry key values, but I can export them and look at them. You can download the amended version 1.6.1 from the link on the wiki (not for sure when it will be posted to the mirror), or simply modify the code as follows: inside forensicsstart.bat, replace this:
     reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> %1\output\%computername%\sysinfo-%computername%.txt
     reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >> %1\output\%computername%\sysinfo-%computername%.txt
     reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> %1\output\%computername%\sysinfo-%computername%.txt
     reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce >> %1\output\%computername%\sysinfo-%computername%.txt
     With:
     reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run %1\output\%computername%\HKLMrun.reg
     reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce %1\output\%computername%\HKLMrunonce.reg
     reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run %1\output\%computername%\HKCUrun.reg
     reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce %1\output\%computername%\HKCUrunonce.reg
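Since 1.6.1 now hands the analyst four .reg files (HKLMrun.reg and friends) instead of readable text, here is an added reader-side helper for them; it is not code from Tcstool or the U3 IR Switchblade, and the sample export and its value names are constructed, not a real capture. It decodes the UTF-16 output of reg export, re-joins the wrapped hex lines, and lists every Run/RunOnce value, expanding the hex(2) form that REG_EXPAND_SZ entries take, so the autorun entries can be triaged without importing the file into a registry.

```python
import re
from typing import List, Tuple

REG_HEADER = "Windows Registry Editor Version 5.00"
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=data or @=data (default value)


def decode_reg(data: bytes) -> str:
    """reg export writes UTF-16LE with a BOM (the utf-16 codec strips it); older files are ANSI."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def _logical_lines(text: str):
    """Re-join the hex values that reg export wraps at 80 columns with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and double quote with a backslash


def _decode_value(raw: str) -> Tuple[str, str]:
    """Turn the right-hand side of a value line into (registry type, printable data)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", str(int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return "UNKNOWN", raw
    kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in (2, 7):  # REG_EXPAND_SZ / REG_MULTI_SZ are stored as UTF-16LE text
        text = data.decode("utf-16-le", errors="replace").rstrip("\0").replace("\0", " | ")
        return ("REG_EXPAND_SZ" if kind == 2 else "REG_MULTI_SZ"), text
    return "REG_BINARY(%d)" % kind, data.hex()


def autorun_entries(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, type, data) for every value in a decoded .reg export."""
    entries, key = [], None
    for line in _logical_lines(text):
        if not line or line == REG_HEADER or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            entries.append((key, name) + _decode_value(m.group(2)))
    return entries


def _hex2(s: str) -> str:
    """Render a string the way reg export writes REG_EXPAND_SZ: hex(2), wrapped lines."""
    parts = ["%02x" % b for b in (s + "\0").encode("utf-16-le")]
    return "hex(2):" + ",\\\r\n  ".join(",".join(parts[i:i + 20]) for i in range(0, len(parts), 20))


# Constructed stand-in for HKLMrun.reg (not a real capture; value names are made up).
HKLM_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_HKLM_RUN = (
    REG_HEADER + "\r\n\r\n[" + HKLM_RUN_KEY + "]\r\n"
    + r'"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""' + "\r\n"
    + '"Updater"=' + _hex2(r"%SystemRoot%\system32\updater.exe /quiet") + "\r\n"
    + '"ShowTray"=dword:00000001\r\n'
).encode("utf-16")

if __name__ == "__main__":
    for key, name, vtype, data in autorun_entries(decode_reg(SAMPLE_HKLM_RUN)):
        print("%s\\%s  [%s]  %s" % (key, name, vtype, data))
```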
  3. Yeah sorry about that...I don't have control over that server and I don't think he got the new version uploaded until a couple of minutes ago! EDIT: Verified it's OK now
  4. http://www.irongeek.com/i.php?page=videos/...with-metasploit Check that stuff out, it might be helpful in this project.
  5. Guys, I have version 1.6 of the payload posted below. The wiki page (http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade) has also been updated accordingly. Revisions:
     * Added list of all the groups on the system
     * Added list of user accounts that are members of the administrators group
     * Added a randomly generated number as a signature to the bottom of each output file
     * Added enumeration of which services are running out of which process
     * No longer exports the entire registry into .REG files; instead uses STDOUT to enumerate HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, RUNONCE and the same values under HKCU into the sysinfo output file
     * Removed file tree enumeration to speed things up
     * Renamed go.bat and go.vbs to forensicsstart.bat and forensicsstart.vbs to prevent AV issues.
     As far as some of the other ideas proposed...As far as downloading the tools on the fly, I feel this is providing too much insight for an attacker into our investigation...If an attacker is on a machine watching the network traffic, he gets too much of an opportunity to see what we're downloading and can start covering his tracks. A process quickly running and dying gives a much smaller window of opportunity for the integrity of our investigation to be compromised. I haven't found a good way of listing restore points from the command prompt yet but really want to get this going. Likewise for event logs...I can do it, but the formatting is sloppy right now. Working on it though and hopefully will be able to incorporate this stuff in the next version.
     REM Set log file location
     IF NOT EXIST %1\output ( MD %1\output )
     IF NOT EXIST %1\output\%computername% ( MD %1\output\%computername% )
     CD u3ir
     REM enumerate local accounts, local groups, currently logged on users, and members of the administrators group
     echo %date% %time% >> %1\output\%computername%\localaccts-%computername%.txt
     net users >> %1\output\%computername%\localaccts-%computername%.txt
     psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
     net localgroup >> %1\output\%computername%\localaccts-%computername%.txt
     net localgroup administrators >> %1\output\%computername%\localaccts-%computername%.txt
     echo %date% %time% >> %1\output\%computername%\localaccts-%computername%.txt
     echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\localaccts-%computername%.txt
     REM Grab network info, arp tables, open connections, and firewall status
     echo %date% %time% >> %1\output\%computername%\localnet-%computername%.txt
     ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
     ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
     arp -a >> %1\output\%computername%\localnet-%computername%.txt
     netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
     route print >> %1\output\%computername%\localnet-%computername%.txt
     type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
     netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
     netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
     net use >> %1\output\%computername%\localnet-%computername%.txt
     echo %date% %time% >> %1\output\%computername%\localnet-%computername%.txt
     echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\localnet-%computername%.txt
     REM Grab a list of installed software and running processes
     echo %date% %time% >> %1\output\%computername%\sysinfo-%computername%.txt
     psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
     pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Enumerate services running out of each process
     tasklist /svc >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Grab state of all services on the machine
     sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Grab a list of the printers on the machine and properties
     cscript %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Grab group policies applied to the machine
     gpresult >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Grab drivers in use on the machine
     driverquery >> %1\output\%computername%\sysinfo-%computername%.txt
     REM grab system variables
     set >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Export the Run and RunOnce Values inside HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER
     reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> %1\output\%computername%\sysinfo-%computername%.txt
     reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >> %1\output\%computername%\sysinfo-%computername%.txt
     reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> %1\output\%computername%\sysinfo-%computername%.txt
     reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce >> %1\output\%computername%\sysinfo-%computername%.txt
     echo %date% %time% >> %1\output\%computername%\sysinfo-%computername%.txt
     echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\sysinfo-%computername%.txt
     REM calculate MD5 hashes of the system directory
     echo %date% %time% >> %1\output\%computername%\osmd5-%computername%.txt
     md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
     md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
     md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
     echo %date% %time% >> %1\output\%computername%\osmd5-%computername%.txt
     echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\osmd5-%computername%.txt
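Because version 1.6 frames every output file with a timestamp at each end and a FILE SIGNATURE trailer, the analyst's copy can be sanity-checked and hashed before anyone works on it, which also answers part of the evidence-integrity question raised in this thread. The following is an added example, not part of the payload or the wiki; the two sample captures, the host name LAB-XP01 and the user names in them are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict

# %date% %time% is locale dependent ("Tue 11/13/2007 21:04:07.53" on a US box),
# so only the time-of-day part is matched.
TIMESTAMP_RE = re.compile(r"\b\d{1,2}:\d{2}:\d{2}(?:[.,]\d{1,2})?\b")
SIGNATURE_RE = re.compile(r"^FILE SIGNATURE (\d+)$")


def check_output_file(text: str) -> dict:
    """Verify one output file has the v1.6 frame: opening timestamp, body, closing
    timestamp, 'FILE SIGNATURE <n>' trailer.  Missing pieces land in 'problems'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info: dict = {"start": None, "end": None, "signature": None, "problems": []}
    if not lines:
        info["problems"].append("empty file")
        return info
    if TIMESTAMP_RE.search(lines[0]):
        info["start"] = lines[0]
    else:
        info["problems"].append("no opening timestamp")
    sig = SIGNATURE_RE.match(lines[-1])
    if sig:
        info["signature"] = sig.group(1)
    else:
        info["problems"].append("no FILE SIGNATURE trailer (capture interrupted?)")
    end_idx = len(lines) - 2 if sig else len(lines) - 1  # closing stamp sits above the trailer
    if end_idx > 0 and TIMESTAMP_RE.search(lines[end_idx]):
        info["end"] = lines[end_idx]
    else:
        info["problems"].append("no closing timestamp")
    return info


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(outdir: Path) -> Dict[str, dict]:
    """Check and hash every collected .txt under <drive>\\output\\<computername>."""
    manifest = {}
    for path in sorted(outdir.glob("*.txt")):
        text = path.read_bytes().decode("cp1252", errors="replace")  # cmd.exe writes ANSI/OEM text
        info = check_output_file(text)
        info["sha256"] = sha256_file(path)
        manifest[path.name] = info
    return manifest


# Constructed samples mimicking localaccts-<host>.txt: one complete, one cut short mid-run.
GOOD_CAPTURE = (
    "Tue 11/13/2007 21:04:07.53\r\n\r\nUser accounts for \\\\LAB-XP01\r\n"
    "Administrator    Guest    jsmith\r\nThe command completed successfully.\r\n\r\n"
    "Tue 11/13/2007 21:04:09.11\r\nFILE SIGNATURE 1837425109\r\n"
)
TRUNCATED_CAPTURE = "Tue 11/13/2007 21:04:07.53\r\n\r\nUser accounts for \\\\LAB-XP01\r\n"


def demo() -> Dict[str, dict]:
    """Write both samples into a scratch output folder and return its manifest."""
    with tempfile.TemporaryDirectory() as d:
        outdir = Path(d) / "output" / "LAB-XP01"
        outdir.mkdir(parents=True)
        (outdir / "localaccts-LAB-XP01.txt").write_bytes(GOOD_CAPTURE.encode("cp1252"))
        (outdir / "localnet-LAB-XP01.txt").write_bytes(TRUNCATED_CAPTURE.encode("cp1252"))
        return build_manifest(outdir)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["sha256"][:16], info["problems"] or "OK")
```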
  6. I'm not saying we upload Cain & Abel to the local machine. You asked if it could be decrypted easily, and I was saying we could use it to work on our data back at our evil hacker lair after we've run the payload ;) It will be hard to contaminate the recovery partitions because all the different PC vendors handle that partition differently. Maybe we should target Dells??? :-)
  7. Some quick thoughts (I'm short on time so we can delve into specifics via PM if you want):
     * We can stop security center, but instead of modifying the registry why not use the netsh commands to disable the firewall? Fewer fingerprints on the system and less likely to be caught by AV/antispyware. Even better, why not just punch a hole in the firewall with netsh for our listener?
     * We can use the net user command to add the user to system/administrators group, then use the REG command to modify the keys as needed, as opposed to creating files on the machine. Fewer fingerprints!
     * We can dump the users with the net users command instead of dumping the registry key. Again, trying to leave fewer fingerprints and engage in less suspicious activity likely to be caught by AV/host based IDS type progs.
     * Cain and Abel is pretty good at decrypting the LSA secrets.
  8. Hey all sorry for the lack of updates and versions. I'm working on testing some of the latest ideas you guys have, but unfortunately the stuff I have to do to pay my bills (i.e. work) has taken over the better portion of my time lately. I'll have a new version out by the weekend hopefully. Thanks for being patient!
  9. Some awesome ideas there man. I'll be happy to chip in too as soon as I get caught up.
  10. Hey I'm not going to bash ANYONE for being cheap, given I did my PhreakNIC presentation of this from a 1 GB U3 drive! I think that copying the raw hive files isn't a bad idea. The only thing I'm leery of is having to manipulate the machine too much to accomplish this (i.e. by having to start services etc.) WMI makes me nervous too; working for several MSPs I've seen way too many issues with DCOM permissions, WMI permissions, services being disabled etc. I don't think pstools is utilizing WMI, but I want to check and be sure. I was dumping the entire registry with the thought of it being possible to import them to a VM later for analysis. But that may be stepping outside the lines of incident response and more along the lines of malware and code analysis. Probably paring this down to the autorun keys etc. would be sufficient, if nobody has any objections. The file tree structure I've only tested on Vista, and it was quite fast. Not sure about an XP box or a larger hard drive so we need to do some more benchmarking on this. mleo2003 makes a good point about md5sums. Perhaps this needs to be implemented with a prompt before it runs, offering the user the chance NOT to run it and mess with the time/date stamps.
  11. Fair enough; the registry dumps and their value need to be re-examined. Let's discuss. Well that brings up a question I've wondered...If we are using this in an investigation, or something where authorities potentially need to be involved, how much does altering the format of the data damage the integrity of your evidence? The only other concern I have with using VBScript is I've found that AV/antispyware programs are more picky about launching VBScript than batch script.
  12. That's really odd. I have yet to wind up with more than 1 MB of information. Was the bulk of the output in the registry export?
  13. Another slightly modified version:
     * Consolidated some of the output to generate fewer files to sort through
     * Added date and time stamps to the start and end of each output file generated
     Adding to wiki as version 1.51.
     REM Set log file location
     IF NOT EXIST %1\output ( MD %1\output )
     IF NOT EXIST %1\output\%computername% ( MD %1\output\%computername% )
     CD u3ir
     REM enumerate local accounts and currently logged on users
     echo %date% %time% >> %1\output\%computername%\localaccts-%computername%.txt
     net users >> %1\output\%computername%\localaccts-%computername%.txt
     psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
     echo %date% %time% >> %1\output\%computername%\localaccts-%computername%.txt
     REM Grab network info, arp tables, open connections, and firewall status
     echo %date% %time% >> %1\output\%computername%\localnet-%computername%.txt
     ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
     ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
     arp -a >> %1\output\%computername%\localnet-%computername%.txt
     netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
     route print >> %1\output\%computername%\localnet-%computername%.txt
     type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
     netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
     netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
     net use >> %1\output\%computername%\localnet-%computername%.txt
     echo %date% %time% >> %1\output\%computername%\localnet-%computername%.txt
     REM Grab a list of installed software and running processes
     echo %date% %time% >> %1\output\%computername%\sysinfo-%computername%.txt
     psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
     pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Grab state of all services on the machine
     sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Grab a list of the printers on the machine and properties
     cscript %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Grab group policies applied to the machine
     gpresult >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Grab drivers in use on the machine
     driverquery >> %1\output\%computername%\sysinfo-%computername%.txt
     REM grab system variables
     set >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Get entire file system structure
     tree /F /A %systemdrive%\ >> %1\output\%computername%\sysinfo-%computername%.txt
     echo %date% %time% >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Export the registry of the machine
     REM HKEY_LOCAL_MACHINE
     reg export HKLM %1\output\%computername%\hklm-%computername%.reg
     REM HKEY_CURRENT_USER
     reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
     REM HKEY_CLASSES_ROOT
     reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
     REM HKEY_USERS
     reg export HKU %1\output\%computername%\hku-%computername%.reg
     REM HKEY_CURRENT_CONFIG
     reg export HKCC %1\output\%computername%\hkcc-%computername%.reg
     REM calculate MD5 hashes of the system directory
     echo %date% %time% >> %1\output\%computername%\osmd5-%computername%.txt
     md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
     md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
     md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
     echo %date% %time% >> %1\output\%computername%\osmd5-%computername%.txt
  14. MLeo2003 and I are on the same page. Since some of our goal is to capture behavior on the machine as it is happening, a live boot environment doesn't help us much. Plus, Helix is already much better at that than anything we could come up with ;) Remember, we're going for grabbing information for analysis to help us make our remediation decisions; We don't have to go too deep down the rabbit hole to get started with that.
  15. That is correct, tasklist is only available with XP Pro. The main reason I prefer pslist is that it has a nice tree view showing which processes spawned which subprocesses. I just find the output to be cleaner. Autoruns is a pretty good idea, but can it run silently from the command line? I haven't played with it much. I prefer that over trying to use the VSS service and shadow copy registry components. That would seem to me to be a more in-depth investigation tactic than what we're going for here.
  16. Yeah you're right. I had actually been meaning to put date/time stamps in but got a little overwhelmed with requests after the release of the interview and completely forgot about it. Good call. As far as volatility goes, my theory has always been that if you're skilled enough, it's just as easy to add a registry value as it is to create a user account or start a process on a machine. Really all of it is volatile; there's very little we're collecting here that can't be changed with a single command. I think run order is worth discussing further though. Right now everything is sort of grouped by the general category the information falls under, which may not be the best way. So let's think about these other tools and look for redundancies...any thoughts?
     * autoruns - Really this information can be gleaned from the registry exports...adding this would be a matter of convenience. I don't think it's that bad examining the .REG files, but if enough people think this would be more convenient I'll add it.
     * handles - I looked at this one but it has weird issues sometimes and the output isn't as clean, which is why I went with pslist instead.
     * promiscdetect - I played around with this one but it got blown up by a couple of enterprise AV programs so I left it out. It wouldn't be a bad idea to find something like this we can use though.
     * tasklist /svc - This information is already collected by pslist and the sc query command.
     * cmdline - More info please.
     * eldump - I'm on the fence about this one. I'm not sure if this is worth the extra overhead, because it's so much easier to review the event logs from the machine itself and they can also be easily accessed remotely, or if it's good to have it captured from an evidence perspective. Definitely worth discussing.
     However, before we start adding a bunch of third party tools, paradizelost makes a good point: I really would love to eliminate as many of the third party tools as possible and do as much with creative command line fu for this very reason. The only places in this where I did opt for third party tools is where the output they gave was much cleaner, or there was functionality that couldn't be accomplished using included tools with Windows. Does anyone know what the licensing for PSTools is? Pre-Microsoft buying them, it was total freeware and able to be redistributed. MD5sums is redistributable I think, based on the licensing info on their website. They seem like nice enough guys, I may shoot them an email. I have privately emailed out a few of the packages with the tools included, but before we do any kind of mass distribution, I want to pare this down to things that are totally redistributable, or do everything with Windows built in functionality (which could mean we need some clever people who can actually write code unlike me to clean up the output a bit!)
  17. So here's the latest version of what I have. I've incorporated a lot of the changes suggested. Everyone had great ideas!!! Some of them were redundant of other information that was already being collected, so I selected the solution that I felt had the most valuable or clearest output. Keep those ideas coming!
     REM Set log file location
     IF NOT EXIST %1\output ( MD %1\output )
     IF NOT EXIST %1\output\%computername% ( MD %1\output\%computername% )
     CD u3ir
     REM enumerate local accounts and currently logged on users
     net users >> %1\output\%computername%\localaccts-%computername%.txt
     psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
     REM Grab network info, arp tables, open connections, and firewall status
     ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
     ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
     arp -a >> %1\output\%computername%\localnet-%computername%.txt
     netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
     route print >> %1\output\%computername%\localnet-%computername%.txt
     type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
     netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
     netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
     net use >> %1\output\%computername%\localnet-%computername%.txt
     gpresult >> %1\output\%computername%\%computername%_GPO.txt
     driverquery >> %1\output\%computername%\%computername%_drivers.txt
     set >> %1\output\%computername%\%computername%_variables.txt
     tree /F /A %systemdrive%\ >> %1\output\%computername%\%computername%_dirtree.txt
     REM Grab a list of installed software and running processes
     psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
     pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Grab state of all services on the machine
     sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Grab a list of the printers on the machine and properties
     cscript %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
     REM Export the registry of the machine
     REM HKEY_LOCAL_MACHINE
     reg export HKLM %1\output\%computername%\hklm-%computername%.reg
     REM HKEY_CURRENT_USER
     reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
     REM HKEY_CLASSES_ROOT
     reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
     REM HKEY_USERS
     reg export HKU %1\output\%computername%\hku-%computername%.reg
     REM HKEY_CURRENT_CONFIG
     reg export HKCC %1\output\%computername%\hkcc-%computername%.reg
     REM calculate MD5 hashes of the system directory
     md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
     md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
     md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
  18. Things need to be kept in a batch file for making changes on the fly and to keep things simple. In addition, before adding the printer script, I checked SEVERAL machines and prnmngr.vbs lived in C:\windows\system32, not the path you have in the script. I'm also not sure about running all tasks in parallel like that. I agree that it improves the performance of the script, but also makes it much harder to see if any errors occur while it's running; nothing in there really takes very long to run, and trying to dump the registry keys or calculate the MD5 hashes in parallel really beats up the machine pretty badly. I'm also not sure about the value of using the print migration tool for restoring printers. This is strictly an information gathering and first responder tool in the event of an incident, and I don't think you gain more value than just dumping the printer information itself. I do however like the change you made to the output and some of the commands you added. Good job. I'm about to post a new version of the script that incorporates some of it.
  19. That's a good idea, but I don't think it really suits the purpose of this tool, which is to collect evidence in the event of an intrusion. It might be a good idea to build a second version of this with remediation options?
  20. +1. db_autopwn is GREAT...It's really cool to actually have the data inside a DB and be able to generate reports for clients.
  21. Aruba AP70
     So yeah, if memory serves, that's a thin AP...Won't do much good without the controller. You don't have the chips to do routing and such, so it's doubtful an openwrt/DD-wrt is going to work on it...I'd sell it off.
  22. Good stuff. So let's start from the top (and these are only my opinions and I think worth discussing alternate approaches such as this): The registry export command you used is similar and a good way to do a backup of the entire registry. I like to export the individual keys for more granular analysis, being able to import into a VM, etc. gpresult is a good one. Driverquery is pretty good too but I'm not sure how much insight it gives you into the behavior of the machine. Although with this day and age of driver exploits, that's probably not a bad idea. The MAC addresses of the network interfaces are already listed in the ipconfig /all. netsh show mode isn't valid but I know what you were trying to accomplish. I can buy show helper though. Could be useful. We're already dumping the output of the hosts file. I'm sketchy on the value of the other files in c:\windows\system32\drivers\etc....Anyone have any thoughts?
  23. That's true, but the VBScript is not for finding out which drive the batch file is executing from. You're locating the writeable partition of your U3 drive, so you still need the VB script to loop through your drives and find the u3ir.dat file.
  24. +1 for Cobian. Very useful and easy to maintain.
  25. Not true Linux, I'm counting it since it was an open-source project at the time...BeOS!!!