
Tcstool
Active Members, 80 posts

Posts posted by Tcstool

  1. There must have been some missing footage. Kept getting switched to snubs skipping and being led down the back of a truck stop

    Or Darren was drunk editing together the first interview.

    My assumption is I was probably picking my nose or engaged in some other typical male bad habit on camera...Plus I'd rather watch video of Shannon than me pretending to know what I'm talking about any day!

  2. What is the difference between:

    REM HKEY_LOCAL_MACHINE

    reg export HKLM %1\output\hklm-%computername%.reg

    and

    regedit /e export.txt

    I was looking at some other things that could be thrown in, just because... I am no .bat expert, so please don't point out all the flaws.

    gpresult >> "%computername%_ID.txt"

    driverquery >> "%computername%_ID.txt"

    getmac >> %computername%\%computername%_NetInfo.txt

    netsh show mode >> %computername%\mode.txt

    netsh show alais >> %computername%\mode.txt

    netsh show helper >> %computername%\mode.txt

    mkdir %computername%

    cd %computername%\

    mkdir ect

    XCOPY "C:\WINDOWS\system32\drivers\etc" "C:\Documents and

    Settings\Administrator\Desktop\WINDOWS-38QGJLY\ect"

    cd ..

    tasklist >> %computername%\%computername%_FireWall.txt

    Good stuff. So let's start from the top (these are only my opinions, and I think alternate approaches such as this are worth discussing):

    • The registry export command you used is similar and a good way to do a backup of the entire registry. I like to export the individual keys for more granular analysis, being able to import into a VM, etc.
    • gpresult is a good one. Driverquery is pretty good too, but I'm not sure how much insight it gives you into the behavior of the machine. Although in this day and age of driver exploits, that's probably not a bad idea.
    • The MAC addresses of the network interfaces are already listed in the ipconfig /all.
    • netsh show mode isn't valid, but I know what you were trying to accomplish. I can buy show helper though. Could be useful.
    • We're already dumping the output of the hosts file. I'm sketchy on the value of the other files in c:\windows\system32\drivers\etc... Anyone have any thoughts?
  3. Instead of having the vbs script, you can use %~d0 to find out what drive the batch file is being run from. That would work in anything from Windows 2000 forward I believe. That way you would just have one file instead of two.

    That's true, but the VBScript is not for finding out which drive the batch file is executing from. You're locating the writeable partition of your U3 drive, so you still need the VB script to loop through your drives and find the u3ir.dat file.

  4. So here's what I'm looking for...Figured you guys might have some feedback:

    I need some print server software that will keep copies of the documents sent to the hosted printers. My preference is free/open source software, but I can live with commercial software as long as it's cheap. Is anyone familiar with anything out there that can accomplish this?

  5. I'd like to take this and turn it into a segment if I have your permission.

    Really awesome work man!

    Sure man, Darren and I did a quick interview about it at PhreakNIC since this is what my presentation was about, but I really just hit the high points during that interview and didn't get into the nuts and bolts of it. You are more than welcome to dig into the technical side of it and do a presentation about it.

  6. This can be easily implemented in everyone's payload, but if the idea is to do it in Leapo's Pocket Knife it will be very easy, of course.

    Maybe Leapo will do it, or if he wants, I'll write (with Tcstool's permission ;)) the code to run from Leapo's Pocket Knife for his next release!

    The only thing you have to do is to add the apps to the SYSTEM folder and modify the

    >> %1\output\...

    to Leapo's output log file.

    But I think that some things in this, such as MD5SUM or exporting the entire registry, will not be very useful in Leapo's (as opposed to other payloads oriented to security audits).

    Leapo: What about it?

    Permission granted! I would love to see this idea evolve. Since Microsoft has made COFEE only available to law enforcement, I think having a portable, self-contained audit and incident response tool like this could grow into a really nice open source project.

  7. I concur. But this could also be used for less than legal purposes. I wouldn't need the MD5 hashes, though.

    I agree 100%, but really that could be said of any information gathering tool. As far as not needing one piece of information or the other, that's what I like about the use of batch files in this. You can just knock the lines out on the fly and rebuild your ISO image.

  8. Actually it runs really fast. On a 1st generation P4 with 512 MB of RAM it takes around 3 minutes. On a modern Athlon with 1 GB of RAM it took a little over a minute. The slowest parts are the registry export and the MD5 calculations. I think to be able to gather that much evidence in an incident, that's not too shabby, particularly considering you can write all your data to your device. Pretty nice little portable investigative tool I think.

  9. So this leans more towards the white hat side of things, but I thought I would share the code from my U3 incident response payload I presented at PhreakNIC. It does require 4 third party tools to run:

    PSInfo - http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx

    PSList - http://technet.microsoft.com/en-us/sysinternals/bb896682.aspx

    PSLoggedon - http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx

    MD5sums - http://www.pc-tools.net/win32/md5sums/

    Everything else is command line fu. It's been a great asset to me when I've had to work with malware analysis or go investigate a machine that's been owned. Hope you enjoy and hit me up if you have questions

    First, go.vbs, which determines where to locate the data. This file should be launched from autorun.inf (based off Gonz0r's solution):

    ' Find the writable partition of the U3 drive: it is the volume that
    ' carries the marker file u3ir.dat. Its drive letter is passed to go.bat,
    ' which lives in the u3ir folder on the CD-ROM (autorun) partition.
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objShell = CreateObject("Wscript.shell")
    Set colDrives = objFSO.Drives
    
    For Each objDrive In colDrives
        ' Skip drives with no media (empty CD-ROM/card reader slots)
        If objDrive.IsReady Then
            If objFSO.FileExists(objDrive.DriveLetter & ":\u3ir.dat") Then
                strPath = objDrive.DriveLetter & ":"
                objShell.Run ".\u3ir\go.bat " & strPath
                Exit For ' only one writable partition is expected
            End If
        End If
    Next

    Now the batch script:

    REM go.bat: %1 is the drive letter of the writable partition (e.g. E:),
    REM passed in by go.vbs. All evidence is written under %1\output.
    REM Set log file location
    IF NOT EXIST %1\output (
        MD %1\output
    )
    
    REM The Sysinternals tools and md5sums live next to this script in u3ir
    CD u3ir
    
    REM enumerate local accounts and currently logged on users
    net users >> %1\output\localaccts-%computername%.txt
    psloggedon /accepteula >> %1\output\localaccts-%computername%.txt
    
    REM Grab network info, arp tables, open connections, and firewall status
    ipconfig /all >> %1\output\localnet-%computername%.txt
    ipconfig /displaydns >> %1\output\localnet-%computername%.txt
    arp -a >> %1\output\localnet-%computername%.txt
    REM -o adds the owning PID to each connection
    netstat -ano >> %1\output\localnet-%computername%.txt
    route print >> %1\output\localnet-%computername%.txt
    type %systemroot%\system32\drivers\etc\hosts >> %1\output\localnet-%computername%.txt
    netsh firewall show state >> %1\output\localnet-%computername%.txt
    netsh firewall show service >> %1\output\localnet-%computername%.txt
    net use >> %1\output\localnet-%computername%.txt
    
    REM Grab a list of installed software (/s) and hotfixes (/h), and running processes as a tree (-t)
    psinfo /accepteula /h /s >> %1\output\sysinfo-%computername%.txt
    pslist -t /accepteula >> %1\output\sysinfo-%computername%.txt
    REM Grab state of all services on the machine
    sc query state= all >> %1\output\sysinfo-%computername%.txt
    REM Grab a list of the printers on the machine and properties
    cscript %systemroot%\system32\prnmngr.vbs -l >> %1\output\sysinfo-%computername%.txt
    
    REM Export the registry of the machine, one .reg file per root key
    REM HKEY_LOCAL_MACHINE
    reg export HKLM %1\output\hklm-%computername%.reg
    REM HKEY_CURRENT_USER
    reg export HKCU %1\output\hkcu-%computername%.reg
    REM HKEY_CLASSES_ROOT
    reg export HKCR %1\output\hkcr-%computername%.reg
    REM HKEY_USERS
    reg export HKU %1\output\hku-%computername%.reg
    REM HKEY_CURRENT_CONFIG
    reg export HKCC %1\output\hkcc-%computername%.reg
    
    REM calculate MD5 hashes of the system directory (slowest step, see post 8)
    md5sums %systemroot% >> %1\output\osmd5-%computername%.txt
    md5sums %systemroot%\system >> %1\output\osmd5-%computername%.txt
    md5sums %systemroot%\system32 >> %1\output\osmd5-%computername%.txt

    So what does all this wonderful code gather you from your target machine?

    • All the user accounts
    • The users currently logged on and what time they logged on
    • The IP configuration of all the NICs
    • The contents of the DNS cache
    • The ARP table entries
    • The TCP port states, and the process ID that is using that port
    • The routing table
    • The HOSTS file contents
    • The status of the Windows firewall and the rules it is operating by
    • All mapped network drives
    • All installed programs and Windows updates
    • All the running processes on a machine in tree view so you can see which process spawned which subprocess
    • The state of all the services on the machine
    • A complete export of the machine registry
    • The md5 values of all the files in the windows directory, the windows\system directory, and the windows\system32 directory.

    Hope this helps somebody out. Again hit me up if you have any questions.
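
The collection procedure in the post above, together with the point from post 2 about exporting individual registry keys instead of whole hives, as an added example that is not Tcstool's code and not part of the original payload: a PowerShell version of the same live triage for current Windows builds. It assumes Windows 8 or later with PowerShell 5.1 (for Get-NetTCPConnection, Get-LocalUser and Get-FileHash), that it is run as Administrator as a script from the writable partition of the removable drive, and that quser.exe is present for the logged-on-user list; the function names (Invoke-Step, Write-Log) and the output layout are the example's own choices. It writes one file per artifact in order of volatility, exports the autostart keys individually so each .reg imports cleanly into an analysis VM, and finishes by hashing every artifact it produced so the evidence can be shown to be unchanged later.

```powershell
<#
  Added example, not code from the original post. Run as Administrator from
  the removable drive; evidence goes to <script folder>\output\<host>-<time>.
  Assumes Windows 8+/PowerShell 5.1 and no third-party binaries.
#>
[CmdletBinding()]
param(
    [string]$OutRoot = (Join-Path $PSScriptRoot 'output'),
    [switch]$FullRegistry   # also dump the HKLM and HKU hives (slow, large)
)

$ErrorActionPreference = 'Continue'
$Case = Join-Path $OutRoot ('{0}-{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Case -Force | Out-Null
$Log = Join-Path $Case 'collection.log'

function Write-Log([string]$Message) {
    ('{0:o} {1}' -f (Get-Date), $Message) | Out-File -FilePath $Log -Append -Encoding utf8
}

# One artifact per file: a failing command cannot truncate the others, and the
# log records the order and time of every step for the report later.
function Invoke-Step([string]$Name, [scriptblock]$Action) {
    $File = Join-Path $Case "$Name.txt"
    Write-Log "start $Name"
    try { & $Action 2>&1 | Out-String -Width 300 | Out-File -FilePath $File -Encoding utf8 }
    catch { Write-Log "error $Name : $($_.Exception.Message)" }
    Write-Log "end   $Name"
}

Write-Log "collector started on $env:COMPUTERNAME as $env:USERDOMAIN\$env:USERNAME"

# Most volatile first: connections and processes before configuration.
Invoke-Step 'net-connections' { Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | Format-Table -AutoSize }
Invoke-Step 'processes' { Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine | Format-Table -AutoSize }
Invoke-Step 'logged-on'   { query user }
Invoke-Step 'dns-cache'   { Get-DnsClientCache | Format-Table -AutoSize }
Invoke-Step 'arp'         { Get-NetNeighbor | Format-Table -AutoSize }
Invoke-Step 'ipconfig'    { ipconfig /all }
Invoke-Step 'routes'      { Get-NetRoute | Format-Table -AutoSize }
Invoke-Step 'hosts'       { Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" }
Invoke-Step 'firewall'    { Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
                            Get-NetFirewallRule -Enabled True | Format-Table DisplayName, Direction, Action, Profile }
Invoke-Step 'net-use'     { net use }
Invoke-Step 'local-users' { Get-LocalUser | Format-Table Name, Enabled, LastLogon, PasswordLastSet }
Invoke-Step 'services'    { Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, StartName, PathName | Format-Table -AutoSize }
Invoke-Step 'tasks'       { Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    ForEach-Object { '{0}\{1} : {2}' -f $_.TaskPath, $_.TaskName, ($_.Actions.Execute -join ' ') } }
Invoke-Step 'software'    { Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize }
Invoke-Step 'hotfixes'    { Get-HotFix | Format-Table HotFixID, InstalledOn, Description }

# Registry: export the autostart keys individually (each .reg imports cleanly
# into an analysis VM); the full hives are optional because they are slow and
# large. Note that HKCU here is the hive of the account running the script.
$Keys = @(
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
)
if ($FullRegistry) { $Keys += 'HKLM', 'HKU' }
foreach ($Key in $Keys) {
    $File = Join-Path $Case (($Key -replace '[\\ ]', '_') + '.reg')
    Write-Log "reg export $Key"
    & reg.exe export $Key $File /y | Out-Null
}

# Finally hash every artifact so it can be shown later that nothing changed
# after collection (the manifest itself is excluded from its own listing).
Write-Log 'collection complete; hashing artifacts'
$Manifest = Join-Path $Case 'MANIFEST.sha256'
Get-ChildItem -Path $Case -File | Where-Object Name -ne 'MANIFEST.sha256' |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { '{0} *{1}' -f $_.Hash.ToLower(), (Split-Path $_.Path -Leaf) } |
    Out-File -FilePath $Manifest -Encoding ascii
Write-Host "Evidence written to $Case (manifest: $Manifest)"
```

Two design choices differ from the batch version on purpose. The hashes cover the collected artifacts rather than the contents of the Windows directory: hashing evidence is what lets you prove its integrity afterwards, while comparing system binaries against a known-good baseline is better done offline from a disk image, and skipping it removes the slowest step noted in post 8. And as with any live collection, running this changes the machine (PowerShell and prefetch artifacts, the files written to the removable drive), so the log's timestamps are there to let you account for what the collector itself touched.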

  10. Since only like 6 people in the entire world own a Zune, this probably isn't a huge deal :-). But downloading the ep from the Zune marketplace, the vid gets screwed at 7:23 each time. Tried this on multiple PCs and multiple Zunes and the result is the same. Just thought you guys should know.

  11. I think it depends on what you are trying to accomplish. How many machines are you talking about emulating on your CD? Just one, or lots? Are you wanting to only simulate something to run exploits against, or are you wanting to simulate something which involves all the steps of the pentesting process? You might want to check out De-ICE live pentesting CDs for ideas.

  12. Ah lol. He had an e before the z, so that's probably why lol.

    Good luck.

    Hey man I'd love to help you out with this. I live down in Cookeville so we could easily set something up. Drop me a line.

  13. If you are who I think you are, your talk was outstanding. Too bad you rushed it. I know a lot of people afterwards were really into your adaptation of the Hacksaw.

    Yeah, that's me. I really hated that the guy before me went over on time so much, but I felt what he was doing was important. I really wanted to get everyone out by 6 PM, so I screamed through it on purpose and still only got out 4 minutes before. I was actually sitting there dropping slides as it got later and later! I actually cut it from 28 to 14 in the middle of his presentation. Anyways, I'm glad you liked it. I distributed probably 50 copies total of my payload and the customizer so far.

  14. One thing that's important to remember is that PhreakNIC broadcasts the talks on closed circuit TV accessible from all the rooms, so the number of people in the room isn't always reflective of the number of people watching the talk. A lot of folks will get their dinner or whatever and watch the talks from the comfort of their luxury rooms at the Days Inn by the Stadium :-p

    Glad to post here finally. Long time lurker but first time poster. I had a great time talking to Darren and Shannon about my U3 incident response adaptation.
