Posts posted by Tcstool
-
-
For anyone who is interested, I have uploaded a non-U3 version of this and put the link on the wiki. All you have to do is copy the contents of the folder inside the ZIP to a non-U3 drive and run the forensicsstart.vbs script.
Jen, you still have me lost. Send me some more info over PM.
-
So when I plug it into a computer, it'll run automatically, right?
Edit: just tested. Is there any way to fix the no drive error because of the multimedia drives? Also, is there any way to hide the cmd window, because it's showing?
Yes, should run automatically on an XP/2000 machine. I'm not sure what you're referring to with the no drive error. The cmd could be hidden, but if I'm conducting an investigation I would prefer to see what's being run and if anything errors out. This really isn't a tool designed to be stealthy.
-
That's the only problem I see with a payload. I can do most of what I want with Metasploit. I think opening ports in the firewall, enabling telnet and installing wget is more than enough; then all I have to do is get on an unsecured wireless network and host a fileserver to download the keylogger and edit reg settings from cmd. I have used the hacksaw in the past and thought it would be nice to try and add something since I have taken something.
I just think it would be awesome to have your reverse shell you're throwing back be Meterpreter! Plus being able to do the encoding to trick the AV isn't bad either.
-
Added my suggestion above to export 'Error' from System logging. (Note /V is detailed description.) Didn't see a point in doing Warnings as I'm mainly concerned with issues that don't function.

```batch
REM Grab System Error Log for Review (Error ONLY)
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L System >> %1\output\%computername%\syslog-%computername%.txt
REM Grab Application Error Logs for Review
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L Application >> %1\output\%computername%\syslog-%computername%.txt
```
Hey that's not half bad! Definitely going in the next release!
-
I can see the new layout however after running I have a few questions:
Should the new layout only output four files?
1-localaccts
2-osmd5
3-sysinfo
4-localnet
Also I was unable to find any of the registry queries in the sysinfo file.
Yes, only 4 output files (for now).
Hm...I see now that the registry queries are generating "access denied" errors! However, as the user, I can run them from the command line. We need to determine the context U3 is executing under. I'll work on that.
EDIT: Thank you very much, awesome Windows security. It seems from the context the VBScript runs in, I can't query the registry key values, but I can export them and look at them. You can download the amended version 1.6.1 from the link on the wiki (not for sure when it will be posted to the mirror) , or simply modify the code as follows:
inside forensicsstart.bat, replace this:
```batch
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> sysinfo-%computername%.txt
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >> sysinfo-%computername%.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> sysinfo-%computername%.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce >> sysinfo-%computername%.txt
```
With:
```batch
REM Export the Run and RunOnce keys to .REG files in the output folder instead of querying them
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run %1\output\%computername%\HKLMrun.reg
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce %1\output\%computername%\HKLMrunonce.reg
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run %1\output\%computername%\HKCUrun.reg
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce %1\output\%computername%\HKCUrunonce.reg
```
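The .REG files this change produces are plain text (reg export writes them as UTF-16LE with a BOM), so they can be reviewed off the box with a small parser rather than by eye. The following is an added example and not part of the original post or the payload: it parses a constructed Run/RunOnce export, decodes string, dword and hex(2) (REG_EXPAND_SZ) values including the backslash-wrapped hex continuation lines reg.exe emits, and flags autorun entries whose executable lives outside C:\Windows or C:\Program Files. The trusted-path prefixes and the "everything up to the first .exe" path heuristic are assumptions for the example, not anything the thread specifies.

```python
"""Parse .reg files written by `reg export` and flag autorun entries (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export HKLM\...\Run HKLMrun.reg` writes, already
# decoded from the UTF-16LE text reg.exe produces (strings keep the .reg escaping).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe\" /tray"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"
"Updater"=hex(2):43,00,3a,00,5c,00,75,00,70,00,64,00,2e,00,65,00,78,00,65,00,\
  00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@=""
"Cleanup"=dword:00000001
'''

_UNESCAPE = re.compile(r"\\(.)")
_ENTRY = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')
_HEX = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")
# Assumption for the example: binaries under these prefixes are not worth a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def _decode_value(raw: str):
    """Turn one .reg value literal into a Python value (str, int or bytes)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _UNESCAPE.sub(r"\1", raw[1:-1])          # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                          # REG_DWORD
    m = _HEX.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "2":                            # REG_EXPAND_SZ, stored as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data                                      # REG_BINARY and other hex types
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: value}} for a .reg file body."""
    logical: List[str] = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):       # hex values wrap with a trailing backslash
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in logical:
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _UNESCAPE.sub(r"\1", m.group(1)[1:-1])
            keys[current][name] = _decode_value(m.group(2))
    return keys


def _exe_path(command: str) -> str:
    """Heuristic (assumption): the executable is everything up to the first '.exe', quotes stripped."""
    idx = command.lower().find(".exe")
    path = command[: idx + 4] if idx >= 0 else command.split()[0]
    return path.strip('"').lower()


def suspicious_autoruns(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """(key, name, command) for autorun commands whose binary is outside TRUSTED_PREFIXES."""
    found = []
    for key, values in keys.items():
        for name, value in values.items():
            if not isinstance(value, str) or not value.strip():
                continue
            if not _exe_path(value).startswith(TRUSTED_PREFIXES):
                found.append((key, name, value))
    return found


if __name__ == "__main__":
    for key, name, command in suspicious_autoruns(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}: {command}")
```

To run this over a real export, open the file with encoding="utf-16" before handing the text to parse_reg(); the constructed sample above is already decoded.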
-
Umm. the wiki download still shows reference to the "go" files in both the archive as well as the ISO..
Yeah sorry about that...I don't have control over that server and I don't think he got the new version uploaded until a couple of minutes ago!
EDIT: Verified it's OK now
-
http://www.irongeek.com/i.php?page=videos/...with-metasploit
Check that stuff out, it might be helpful in this project.
-
Guys,
I have version 1.6 of the payload posted below. The wiki page (http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade) has also been updated accordingly.
Revisions:
- Added list of all the groups on the system
- Added list of user accounts that are members of the administrators group
- Added a randomly generated number as a signature to the bottom of each output file
- Added enumeration of which services are running out of which process
- No longer exports the entire registry into .REG files; instead uses STDOUT to enumerate HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, RUNONCE and the same values under HKCU into the sysinfo output file
- Removed file tree enumeration to speed things up
- Renamed go.bat and go.vbs to forensicsstart.bat and forensicsstart.vbs to prevent AV issues.
As far as some of the other ideas proposed...As far as downloading the tools on the fly, I feel this is providing too much insight for an attacker into our investigation...If an attacker is on a machine watching the network traffic, he gets too much of an opportunity to see what we're downloading and can start covering his tracks. A process quickly running and dying gives a much smaller window of opportunity for the integrity of our investigation to be compromised. I haven't found a good way of listing restore points from the command prompt yet but really want to get this going. Likewise for event logs...I can do it, but the formatting is sloppy right now. Working on it though and hopefully will be able to incorporate this stuff in the next version.
```batch
REM Set log file location (%1 is the drive letter passed in by forensicsstart.vbs)
IF NOT EXIST %1\output ( MD %1\output )
IF NOT EXIST %1\output\%computername% ( MD %1\output\%computername% )
CD u3ir
REM enumerate local accounts, local groups, currently logged on users, and members of the administrators group
echo %date% %time% >> %1\output\%computername%\localaccts-%computername%.txt
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
net localgroup >> %1\output\%computername%\localaccts-%computername%.txt
net localgroup administrators >> %1\output\%computername%\localaccts-%computername%.txt
echo %date% %time% >> %1\output\%computername%\localaccts-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\localaccts-%computername%.txt
REM Grab network info, arp tables, open connections, and firewall status
echo %date% %time% >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
arp -a >> %1\output\%computername%\localnet-%computername%.txt
netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
route print >> %1\output\%computername%\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
net use >> %1\output\%computername%\localnet-%computername%.txt
echo %date% %time% >> %1\output\%computername%\localnet-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\localnet-%computername%.txt
REM Grab a list of installed software and running processes
echo %date% %time% >> %1\output\%computername%\sysinfo-%computername%.txt
psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
REM Enumerate services running out of each process
tasklist /svc >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab state of all services on the machine
sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab group policies applied to the machine
gpresult >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab drivers in use on the machine
driverquery >> %1\output\%computername%\sysinfo-%computername%.txt
REM grab system variables
set >> %1\output\%computername%\sysinfo-%computername%.txt
REM Export the Run and RunOnce Values inside HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER
REM (output path corrected here: as posted in 1.6, these four lines redirected to sysinfo-%computername%.txt
REM  relative to the current directory, i.e. the u3ir folder on the drive, not to the output folder)
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> %1\output\%computername%\sysinfo-%computername%.txt
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >> %1\output\%computername%\sysinfo-%computername%.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> %1\output\%computername%\sysinfo-%computername%.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce >> %1\output\%computername%\sysinfo-%computername%.txt
echo %date% %time% >> %1\output\%computername%\sysinfo-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\sysinfo-%computername%.txt
REM calculate MD5 hashes of the system directory
echo %date% %time% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
echo %date% %time% >> %1\output\%computername%\osmd5-%computername%.txt
echo FILE SIGNATURE %random%%random%%random% >> %1\output\%computername%\osmd5-%computername%.txt
```
-
I like all of those, the only problem I see is Cain & Abel getting caught by virus scan. I really like punching a hole in the FW, I really didn't want to disable it completely.
Also I am going to use your idea of the .dat file in the root directory, but instead I want to contaminate the recovery partition, that way even if they do reinstall the payload will remain there... I'm still working on this part. But what it will probably look for is a file specific to the recovery partition.
I'm not saying we upload Cain & Abel to the local machine. You asked if it could be decrypted easily, and I was saying we could use it to work on our data back at our evil hacker lair after we've run the payload ;)
It will be hard to contaminate the recovery partitions because all the different PC vendors handle that partition differently. Maybe we should target Dells??? :-)
-
Some quick thoughts (I'm short on time so we can delve into specifics via PM if you want):
* We can stop security center, but instead of modifying the registry why not use the netsh commands to disable the firewall? fewer fingerprints on the system and less likely to be caught by AV/antispyware. Even better, why not just punch a hole in the firewall with netsh for our listener?
* We can use the net user command to add the user to system/administrators group, then use the REG command to modify the keys as needed, as opposed to creating files on the machine. Fewer fingerprints!
* we can dump the users with the net users command instead of dumping the registry key. Again, trying to leave fewer fingerprints and engage in less suspicious activity likely to be caught by AV/host based IDS type progs.
*Cain and Abel is pretty good at decrypting the LSA secrets.
-
Hey all sorry for the lack of updates and versions. I'm working on testing some of the latest ideas you guys have, but unfortunately the stuff I have to do to pay my bills (i.e. work) has taken over the better portion of my time lately. I'll have a new version out by the weekend hopefully. Thanks for being patient!
-
Some awesome ideas there man. I'll be happy to chip in too as soon as I get caught up.
-
@paradizelost: I agree, I have an 8G stick that I'm using for file storage right now, I just haven't taken the time to run the new setup to get a custom ISO put on it currently. And what's wrong with being cheap? ;)
@TCStool: I was wondering that myself, not only from altering the format, but if a registry dump messed with the time stamps that police/others might want to see. That's one of the reasons I initially suggested copying the raw hive files, to keep all time stamps and formatting like they are originally. As to the actual format of the data, I'd say it wouldn't hurt, as long as they can still see all the data they need to see. Otherwise, when an investigator had to use a Linux tool to pull info from a Windows box, that'd change the format of the data, but it still works for their purposes.
As far as the rest of the tools, I can't see much problem with most of them, as they are all built into Windows, and just report data back without changing it. I'm not sure how the PS tools work, probably just WMI calls, so still mainly Windows built-in functionality, and those are even supported by Microsoft now. The only one that kind of might be a problem would be MD5Sums. Since it has to open each file to calculate the MD5 of them, that'll screw with time stamps on last accessed, but hopefully the last modified date and created dates will be of more value than that one.
Best thing to do, when doing this, is to document everything you do, in great detail. That way, if questions regarding your steps arise, you can always show your logs of what was done, when, and why.
Hey I'm not going to bash ANYONE for being cheap, given I did my PhreakNIC presentation of this from a 1 GB U3 drive!
I think that copying the raw hive files isn't a bad idea. The only thing I'm leery of is having to manipulate the machine too much to accomplish this (i.e. by having to start services etc.) WMI makes me nervous too; Working for several MSPs I've seen way too many issues with DCOM permissions, WMI permissions, services being disabled etc. I don't think pstools is utilizing WMI, but I want to check and be sure.
I was dumping the entire registry with the thought of it being possible to import them to a VM later for analysis. But that may be stepping outside the lines of incident response and more along the lines of malware and code analysis. Probably paring this down to the autorun keys etc. would be sufficient, if nobody has any objections.
The file tree structure I've only tested on Vista, and it was quite fast. Not sure about an XP box or a larger hard drive so we need to do some more benchmarking on this.
mleo2003 makes a good point about md5sums. Perhaps this needs to be implemented with a prompt before it runs, offering the user the chance NOT to run it and mess with the time/date stamps.
-
I too experienced a very large dump of information. I was testing it with a 32 MB jump drive, and it filled up fast. It was mainly the Registry Dump, HKLM if I remember correctly. I commented those out, and it finished everything else just fine.
VBS scripts wouldn't be too bad, and would allow us to format the output from them the way we needed.
Fair enough; The registry dumps and their value need to be re-examined. Let's discuss.
Well that brings up a question I've wondered... If we are using this in an investigation, or something where authorities potentially need to be involved, how much does altering the format of the data damage the integrity of your evidence? The only other concern I have with using VBScript is I've found that AV/antispyware programs are more picky about launching VBScript than batch script.
-
Ok, so I decided to run the tool on my own pc. It took several minutes and I ended up with 200MB of information. Hmm, a bit large.
I saw the issue with redistributing 3rd party tools. One solution which I've been adapting is here:
http://episteme.arstechnica.com/eve/forums.../m/429006588831
It will download the tools on the fly when run. So, we could instruct folks to run the "setup" batch file before creating their iso
Otherwise I can do all this with WMI and vbs scripting like I said before, but I know you're trying to stay away from that since you don't want to have to work around an overzealous sysadmin who's blocked vbs files, but the initial autorun is vbs ;)
So, I can do formatting of the batch file output in batch but it's very painful.
Although it's not as easy we could compile the .vbs to exe but from what I've found in the past some programs just wrap the vbs in a exe.
That's really odd. I have yet to wind up with more than 1 MB of information. Was the bulk of the output in the registry export?
-
Another slightly modified version:
- Consolidated some of the output to generate fewer files to sort through
- Added date and time stamps to the start and end of each output file generated
Adding to wiki as version 1.51.
```batch
REM Set log file location (%1 is the drive letter passed in by the launcher script)
IF NOT EXIST %1\output ( MD %1\output )
IF NOT EXIST %1\output\%computername% ( MD %1\output\%computername% )
CD u3ir
REM enumerate local accounts and currently logged on users
echo %date% %time% >> %1\output\%computername%\localaccts-%computername%.txt
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
echo %date% %time% >> %1\output\%computername%\localaccts-%computername%.txt
REM Grab network info, arp tables, open connections, and firewall status
echo %date% %time% >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
arp -a >> %1\output\%computername%\localnet-%computername%.txt
netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
route print >> %1\output\%computername%\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
net use >> %1\output\%computername%\localnet-%computername%.txt
echo %date% %time% >> %1\output\%computername%\localnet-%computername%.txt
REM Grab a list of installed software and running processes
echo %date% %time% >> %1\output\%computername%\sysinfo-%computername%.txt
psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab state of all services on the machine
sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab group policies applied to the machine
gpresult >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab drivers in use on the machine
driverquery >> %1\output\%computername%\sysinfo-%computername%.txt
REM grab system variables
set >> %1\output\%computername%\sysinfo-%computername%.txt
REM Get entire file system structure (variable name typo %computerame% fixed to %computername%)
tree /F /A %systemdrive%\ >> %1\output\%computername%\sysinfo-%computername%.txt
echo %date% %time% >> %1\output\%computername%\sysinfo-%computername%.txt
REM Export the registry of the machine
REM HKEY_LOCAL_MACHINE
reg export HKLM %1\output\%computername%\hklm-%computername%.reg
REM HKEY_CURRENT_USER
reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
REM HKEY_CLASSES_ROOT
reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
REM HKEY_USERS
reg export HKU %1\output\%computername%\hku-%computername%.reg
REM HKEY_CURRENT_CONFIG
reg export HKCC %1\output\%computername%\hkcc-%computername%.reg
REM calculate MD5 hashes of the system directory
echo %date% %time% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
echo %date% %time% >> %1\output\%computername%\osmd5-%computername%.txt
```
-
MLeo2003 and I are on the same page. Since some of our goal is to capture behavior on the machine as it is happening, a live boot environment doesn't help us much. Plus, Helix is already much better at that than anything we could come up with ;) Remember, we're going for grabbing information for analysis to help us make our remediation decisions; We don't have to go too deep down the rabbit hole to get started with that.
-
that is correct, tasklist is only available with XP Pro. The main reason I prefer pslist is that it has a nice tree view showing which processes spawned which subprocesses. I just find the output to be cleaner.
Autoruns is a pretty good idea, but can it run silently from the command line? I haven't played with it much. I prefer that over trying to use the VSS service and shadow copy registry components. That would seem to me to be a more in-depth investigation tactic than what we're going for here.
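Since tasklist /svc and netstat -ano both print the PID, the two outputs the payload already collects can be joined after the fact to show which image and which services sit behind each socket, which is what the tree view is really being used for. The following is an added example and not code from the original payload: it parses constructed XP-style output of both commands, joins them on PID, and flags listeners outside a baseline port set as well as any svchost.exe instance that hosts no services (a real svchost.exe always hosts a service group). The baseline port set and the two flagging rules are assumptions for the example.

```python
"""Join `netstat -ano` with `tasklist /svc` and flag odd sockets (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample output in the column layout Windows XP prints.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.5:1039       10.0.0.7:6667          ESTABLISHED     1488
  UDP    0.0.0.0:500            *:*                                    624
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    812 RpcSs
lsass.exe                      624 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                   1488 N/A
"""

# image name (may contain spaces), then the PID, then the service list
_TASK = re.compile(r"^(.+?)\s+(\d+)\s+(.*)$")


def parse_tasklist_svc(text: str) -> Dict[int, dict]:
    """Map PID -> {image, services}; the header and ===== rows never match the pattern."""
    procs: Dict[int, dict] = {}
    last = None
    for line in text.splitlines():
        m = _TASK.match(line.strip())
        if m:
            services = m.group(3).strip()
            last = int(m.group(2))
            procs[last] = {
                "image": m.group(1),
                "services": [] if services == "N/A" else [s.strip() for s in services.split(",")],
            }
        elif line.startswith(" ") and line.strip() and last is not None:
            # tasklist wraps long service lists onto indented continuation lines
            procs[last]["services"] += [s.strip() for s in line.split(",") if s.strip()]
    return procs


def parse_netstat_ano(text: str) -> List[dict]:
    """One dict per TCP/UDP row; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        local = parts[1]
        rows.append({
            "proto": parts[0],
            "local": local,
            "local_port": int(local.rsplit(":", 1)[1]),   # rsplit also handles [::]:port
            "remote": parts[2],
            "state": parts[3] if parts[0] == "TCP" else "",
            "pid": int(parts[-1]),
        })
    return rows


def correlate(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Attach the owning image and service list to every socket row."""
    procs = parse_tasklist_svc(tasklist_text)
    rows = parse_netstat_ano(netstat_text)
    for r in rows:
        proc = procs.get(r["pid"], {"image": "?", "services": []})
        r["image"], r["services"] = proc["image"], proc["services"]
    return rows


def flag_suspicious(rows: List[dict], baseline_ports: Set[int]) -> List[dict]:
    """Rows worth a look: unexpected listeners, or svchost.exe with nothing inside it."""
    flagged = []
    for r in rows:
        reasons = []
        listening = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if listening and r["local_port"] not in baseline_ports:
            reasons.append("listener not in baseline")
        if r["image"].lower() == "svchost.exe" and not r["services"]:
            reasons.append("svchost.exe hosting no services")
        if reasons:
            flagged.append(dict(r, reasons=reasons))
    return flagged


if __name__ == "__main__":
    for r in flag_suspicious(correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE), {135, 445, 500}):
        print(f"{r['proto']} {r['local']} -> {r['remote']} pid={r['pid']} {r['image']}: {', '.join(r['reasons'])}")
```

The baseline set would normally come from a known-good build of the same image; here it is just the three ports the sample expects.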
-
Looks good man. I have a few suggestions though. What about collecting the data in the order of volatility? Also it's generally a good idea to include the start and end time with date /t and time /t.
Some other useful programs are:
autoruns
handles
promiscdetect
tasklist /svc
cmdline
eldump
NirSoft has a lot of other useful incident response tools. I like your IR kit, it has a lot of potential. Thanks for sharing your work. :)
Yeah you're right. I had actually been meaning to put date/time stamps in but got a little overwhelmed with requests after the release of the interview and completely forgot about it. Good call. As far as volatility goes, my theory has always been that if you're skilled enough, it's just as easy to add a registry value as it is to create a user account or start a process on a machine. Really all of it is volatile; There's very little we're collecting here that can't be changed with a single command. I think run order is worth discussing further though. Right now everything is sort of grouped by general category the information falls under, which may not be the best way.
So let's think about these other tools and look for redundancies... any thoughts?
autoruns-Really this information can be gleaned from the registry exports...adding this would be a matter of convenience. I don't think it's that bad examining the .REG files, but if enough people think this would be more convenient I'll add it.
handles-I looked at this one but it has weird issues sometimes and the output isn't as clean, which is why I went with pslist instead.
promiscdetect-I played around with this one but it got blown up by a couple of enterprise AV programs so I left it out. It wouldn't be a bad idea to find something like this we can use though.
tasklist /svc-This information is already collected by pslist and the sc query command.
cmdline-More info please.
eldump-I'm on the fence about this one. I'm not sure if this is worth the extra overhead, because it's so much easier to review the event logs from the machine itself and they can also be easily accessed remotely, or if it's good to have it captured from an evidence perspective. Definitely worth discussing.
However, before we start adding a bunch of third party tools, paradizelost makes a good point:
matessim again, the problem with that is we do not have redistribution rights to the 3rd party tools. One gets in a fair bit of legal trouble redistributing without permission. That's why you have to go download the tools yourself.
I really would love to eliminate as many of the third party tools as possible and do as much with creative command line fu for this very reason. The only places in this where I did opt for third party tools is where the output they gave was much cleaner, or there was functionality that couldn't be accomplished using included tools with Windows. Does anyone know what the licensing for PSTools is? Pre-Microsoft buying them, it was total freeware and able to be redistributed. MD5sums is redistributable I think, based on the licensing info on their website. They seem like nice enough guys, I may shoot them an email. I have privately emailed out a few of the packages with the tools included, but before we do any kind of mass distribution, I want to pare this down to things that are totally redistributable, or do everything with Windows built in functionality (which could mean we need some clever people who can actually write code unlike me to clean up the output a bit!)
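The suggestions above (collect in order of volatility, stamp start and end times, and the advice earlier in the thread to document everything so the evidence holds up) fit together in a small wrapper around the same commands the batch file runs. The following is an added example and not the payload's code: it runs a plan ordered most volatile first, appends each command's output with its exit code and timestamp to the thread's per-group files (localnet, sysinfo, localaccts), and then writes a manifest with the SHA-256 of every output file, which verify() rechecks later. That replaces the %random% "FILE SIGNATURE" with something that actually detects a changed file. The order of the plan is an assumption, as is the fake_runner that stands in for the Windows commands so demo() runs on any platform; on a Windows box you would pass the real run_command.

```python
"""Ordered live-response collector with a SHA-256 manifest (added example)."""
import hashlib
import json
import subprocess
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, List, Sequence, Tuple

Runner = Callable[[Sequence[str]], Tuple[int, str]]

# Collection plan, most volatile first (assumed ordering): network state and process
# list before accounts and configuration. File names follow the thread's grouping.
PLAN: List[Tuple[str, List[str]]] = [
    ("localnet", ["netstat", "-ano"]),
    ("localnet", ["arp", "-a"]),
    ("localnet", ["ipconfig", "/displaydns"]),
    ("sysinfo", ["tasklist", "/svc"]),
    ("localaccts", ["psloggedon", "/accepteula"]),
    ("localaccts", ["net", "users"]),
    ("localaccts", ["net", "localgroup", "administrators"]),
    ("sysinfo", ["sc", "query", "state=", "all"]),
    ("localnet", ["ipconfig", "/all"]),
    ("sysinfo", ["reg", "query", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"]),
]


def run_command(argv: Sequence[str]) -> Tuple[int, str]:
    """Real runner: execute one command and return (exit code, combined stdout+stderr)."""
    proc = subprocess.run(list(argv), capture_output=True, text=True, errors="replace")
    return proc.returncode, proc.stdout + proc.stderr


def fake_runner(argv: Sequence[str]) -> Tuple[int, str]:
    """Stand-in runner (assumption) so the example runs where the Windows tools do not exist."""
    return 0, f"(constructed output for: {' '.join(argv)})\n"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(plan: Sequence[Tuple[str, Sequence[str]]], outdir, runner: Runner = run_command) -> Dict:
    """Run the plan in order, append each result to <group>.txt, then hash every output file."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    manifest: Dict = {"started": time.strftime("%Y-%m-%dT%H:%M:%S%z"), "steps": []}
    for group, argv in plan:
        target = out / f"{group}.txt"
        started = time.time()
        rc, text = runner(argv)
        with target.open("a", encoding="utf-8") as fh:
            fh.write(f"=== {' '.join(argv)} (exit {rc}) @ {time.ctime(started)}\n{text}\n")
        manifest["steps"].append({"command": list(argv), "file": target.name, "exit": rc,
                                  "started": started, "seconds": round(time.time() - started, 3)})
    manifest["finished"] = time.strftime("%Y-%m-%dT%H:%M:%S%z")
    # Hash the outputs only after the last command so the manifest covers the final contents.
    manifest["files"] = {p.name: sha256_file(p) for p in sorted(out.glob("*.txt"))}
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    return manifest


def verify(outdir) -> bool:
    """True if every file named in the manifest still hashes to the recorded digest."""
    out = Path(outdir)
    manifest = json.loads((out / "manifest.json").read_text(encoding="utf-8"))
    return all((out / name).is_file() and sha256_file(out / name) == digest
               for name, digest in manifest["files"].items())


def demo() -> Tuple[bool, bool, int]:
    """Collect into a temp dir with the fake runner, verify, tamper with one file, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = collect(PLAN, tmp, runner=fake_runner)
        before = verify(tmp)
        with (Path(tmp) / "localnet.txt").open("a", encoding="utf-8") as fh:
            fh.write("tampered\n")
        after = verify(tmp)
    return before, after, len(manifest["steps"])


if __name__ == "__main__":
    print(demo())
```

The manifest belongs on the collection drive next to the output, and its own hash should be written down by hand (or signed) at the time of collection; a manifest that travels unprotected with the files it describes only catches accidents, not a deliberate edit of both.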
-
So here's the latest version of what I have. I've incorporated a lot of the changes suggested. Everyone had great ideas!!! Some of them were redundant of other information that was already being collected, so I selected the solution that I felt had the most valuable or clearest output. Keep those ideas coming!
```batch
REM Set log file location (%1 is the drive letter passed in by the launcher script)
IF NOT EXIST %1\output ( MD %1\output )
IF NOT EXIST %1\output\%computername% ( MD %1\output\%computername% )
CD u3ir
REM enumerate local accounts and currently logged on users
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
REM Grab network info, arp tables, open connections, and firewall status
ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
arp -a >> %1\output\%computername%\localnet-%computername%.txt
netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
route print >> %1\output\%computername%\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
net use >> %1\output\%computername%\localnet-%computername%.txt
REM Group policy, drivers, environment and full directory tree each go to their own file
gpresult >> %1\output\%computername%\%computername%_GPO.txt
driverquery >> %1\output\%computername%\%computername%_drivers.txt
set >> %1\output\%computername%\%computername%_variables.txt
tree /F /A %systemdrive%\ >> %1\output\%computername%\%computername%_dirtree.txt
REM Grab a list of installed software and running processes
psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab state of all services on the machine
sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
REM Export the registry of the machine
REM HKEY_LOCAL_MACHINE
reg export HKLM %1\output\%computername%\hklm-%computername%.reg
REM HKEY_CURRENT_USER
reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
REM HKEY_CLASSES_ROOT
reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
REM HKEY_USERS
reg export HKU %1\output\%computername%\hku-%computername%.reg
REM HKEY_CURRENT_CONFIG
reg export HKCC %1\output\%computername%\hkcc-%computername%.reg
REM calculate MD5 hashes of the system directory
md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
```
-
Things need to be kept in a batch file for making changes on the fly and to keep things simple. In addition, before adding the printer script, I checked SEVERAL machines and prnmngr.vbs lived in C:\windows\system32, not the path you have in the script. I'm also not sure about running all tasks in parallel like that. I agree that it improves the performance of the script, but it also makes it much harder to see if any errors occur while it's running; nothing in there really takes very long to run, and trying to dump the registry keys or calculate the MD5 hashes in parallel really beats up the machine pretty badly. I'm also not sure about the value of using the print migration tool for restoring printers. This is strictly an information gathering and first responder tool in the event of an incident, and I don't think you gain more value than just dumping the printer information itself.
I do however like the change you made to the output and some of the commands you added. Good job. I'm about to post a new version of the script that incorporates some of it.
-
That's a good idea, but I don't think it really suits the purpose of this tool, which is to collect evidence in the event of an intrusion. It might be a good idea to build a second version of this with remediation options?
-
+1. db_autopwn is GREAT... It's really cool to actually have the data inside a DB and be able to generate reports for clients.
-
So yeah, if memory serves, that's a thin AP...Won't do much good without the controller. You don't have the chips to do routing and such, so it's doubtful an openwrt/DD-wrt is going to work on it...I'd sell it off.
U3 Incident Response Payload (in USB Hacks)
Yeah I'm not for sure either. I've not seen the kind of error you are talking about. Realistically, if the error is with the VBScript, all it is doing is searching for the location of the u3ir.dat file, and then passing that location as a parameter in the batch file execution. You could just run the batch file followed by the drive letter of where you want to store the data if you're having problems getting the VBScript going.