laker8133
Everything posted by laker8133

  1. The number 1 rule in Forensics is... Anyone know? Ya, I didn't think you did. Make a statically compiled toolkit. Then when you run your ls and check for mac times, you know right off the bat it's telling the truth. Although the rootkit may give you back false positives :S . How does this work? It's because you're not invoking commands off of the host system, just off of the CD. I want to mount it like mount -ro /img.img /mnt/disk. Didn't give me the option. The stuff that normally screws me up is the syntax; that was the whole reason for asking for help. And the first 2 years of this course we examined pwdump and things like that, so we know what is going on exactly with the automated suites. The reason I know there is a rootkit on the image is: logs have been deleted or marked for deletion; while doing mac times I noticed the ./ which means hidden directories; also noticed the suspect installed stuff in the /usr directory and has since deleted it. I did figure out why that image I was trying to check wasn't working in the Penguin Sleuthkit live CD, which is what I was using. I also called the teacher over while trying to mount it. He said try it via source. So that's what I'm going to try next. Encase is sweet, but it crashes; must have been made by the devil's workshop. :S Exams are coming up...
  2. I've mounted it with mount -o loop disk.img /mnt/disk. I have run a ./chkrootkit on the system while mounted and it turned up nothing, while there is a person in class that says Autopsy should pick it up. That step I have done. What the teacher loves to do is get you to use your tools based on a Linux 2.6 system and then for a major test he will switch it up for a 2.4 system. As for the last comment I'm a bit confused. And he has taught us how to use some tools one way, and then you're expected to know how to learn to use them the other way. Plus having this stuff in a VM image instead of an actual live computer throws me off totally. Do you have any suggestions on getting FTK to work with the .img file? Or do you think I need to save it as a .iso to get it to work? Thanks, Paul
  3. Hi guys, I'm currently working on a Linux VM image and we as a class are supposed to analyze this thing and do a dead and a live investigation. Now with this, I'm looking for live CDs or any other type of Linux distros that will help us analyze an image using KFF (known file filtering). What I have done is dd if=/dev/sda2 | nc 192.168..... 2222 (set up a nc on the other computer) and that's how I got the image of the VMware session. We are supposed to be using Autopsy in this course. If any of you guys can help me load a .img file into it, that would be great. Thanks.
  4. You can copy out the SAM file directly. It's saved under Windows / system32 / restore. That's a backup in case the current one has issues. Anyways, just trying to get some ideas; basically, pentesting is cool and all, I just wish I could go automatically. I will try some things you guys talk about Monday, as it will be a fun time to try it :D Thanks for the advice. All advice is welcomed.
  5. Basically the targets are pretty simple Win 2k boxes and 1 Linux box. Again, supposed to crack the password. Metasploit lsass exploit and win_reverse or win_reverse_vnc_inject works. That much I know. Well, any how-to guides or any points in the right direction would be nice. I have the Memorex U3 travel drive and I'm willing to experiment. Thanks, Paul
  6. I am currently taking Computer Security and Investigations at Fleming College. We have a penetration course in which you have to hack into a remote machine and crack the SAM file. With the help of nmap we are able to find the computers on the lab and Metasploit helps us exploit them. We normally use Backtrack, Auditor. My question to you guys is, with the USB Hacksaw stuff coming out locally cracking a host machine, would it be possible, using nmap as well, modifying the Hacksaw so that you can get all the SAM files in the same subnet? I do realize that there are versions of Nmap for the U3, as well as Metasploit Framework is made for Windows as well. Thanks for taking the time to answer my question, Paul