Paper Tiger

  1. I can't believe I forgot about Mimikatz!!!! How could I forget how that worked??? !!! Thanks guys! Senior moment I guess.
  2. Would Chron's Disease be when your computer suffers from the inability to follow a simple schedule?
  3. Ok sooo....... How to proceed without sounding like a nut? I just moved to DC a month ago from Northern VA so I'm not new to this area and used to the military industrial complex. The other day I was walking my dog and swear I caught a laser in my right eye when I turned around, it was bright and that sucker HURT!!!! My eye has been hurting for a number of days now and I'm fairly sure it was a laser since I have been hit in the eye with a high powered one before, and even experienced the same resulting pain. I thought nothing of it except it wasn't your normal laser and it seemed to hit me right in the eye and nowhere else. No laser trails like it was from a gun or laser pen. Well..... I went out walking my dog a few days later and when I was in the exact same location (give or take 5 feet) the same thing happened!!!!! First I got blasted in my right eye again, then I turned to look at my dog and saw the laser hit his dog tag with 100% accuracy about 20 times. It was a blinking circle of red about the size of a quarter. This wasn't a hand operated laser pen, this is something else!!! At first I thought I was crazy, but after I saw that I was convinced that it was in fact a laser I was hit in the eye with. There aren't many locations this laser could be located at, but I think this device is either being used by the parking enforcement or located in a row house nearby. I would like to set up some type of device that will help me locate the source of this laser so I can put a stop to it or sue someone for injuring my eye. It's been a week and my right eye kills, plus I just had Lasik only 7 months ago and this has affected my eye negatively. Can anyone point me in the right direction? Even if I have to build the device myself I'm determined to locate this laser and put a stop to the chicanery. For all I know it could be some NUTTER doing target practice and I don't want to be any part of that. Please help!
  4. AHAHAHAHA - no big bucks here. I just found out I made less than 32K last year.... half of what my contract said. :( I'm about to start doing magic on the street, I love magic a lot more and it pays well during the warm months.
  5. To answer your question, not at the moment but I have gotten the go ahead to build a lab for testing things like this. It should be up by the end of the month. Unfortunately even though I'm taking more of a security role I'm still required to take calls from the helpdesk and that makes it really hard to stay focused on reading crashes and doing investigations like this.
  6. My thoughts exactly, I'm glad we're on the same page. It's probably set up to attack anyone it can, I have no reason to think this would be targeted. I'm going to pay that PC a visit and see if I can locate any web history from the rough time of the DMP to get more info. I was able to use this data to get management to actually listen when I say "Flash is BAD and shouldn't be installed by default and only if it's absolutely needed." Currently they have it on every single box. They've been scratching their heads why IE crashes for about a month. I've been checked out because of lack of sleep and debt. I did find out good news though, presenting this actually qualifies me for some money if they implement my idea. Too bad it's nothing like the reward for catching a 0-day.
  7. The game is a foot! ......no, actually it's a game. I've been doing some sleuthing and thought this might be fun to share. I have a few crashes on my user base's PCs and it looks to me like exploitation attempts. I'm also hoping some of you may be able to help me focus on the right stuff. I'm not 100% sure what I'm looking at, but I know this isn't the usual DMP output because I see JScript in my crash dump stack! For this post I will be analyzing crash dump files from C:\users\%username%\appdata\local\crashdumps. In the past month the performance monitoring software we use is showing IE crashes. Most of the IE crashes are usually simple fixes, but as you will see below some are getting crashes from JScript running. Usually I also see a reference to Flash OCX in the dmp. Is this what I think it is? Can you offer any further enlightenment on the situation or potential solutions? JScript cannot be disabled because I work for lawyers so everything is mine mine mine now now now...... The following crash dump is slightly different from the ones I saw last week, but is still very close in nature. Oh, one more thing: if any of you know how I can get symbol paths to fix the first three ERRORS in the dump output I'd really appreciate it. I can't get a straight answer from anyone on the web, and I'm starting to think I'm the only one doing this these days. Kind of like how I'm the only person I've ever met that actually read the 9/11 commission report (HINT, that report said we should attack Iraq and nothing about what happened on 9/11, and to secure the northern border because obviously we have a problem here in America with undocumented Canadians pole vaulting across the border.) I digress.....

     *******************************************************************************
     *                                                                             *
     *                        Exception Analysis                                   *
     *                                                                             *
     *******************************************************************************

     *** ERROR: Symbol file could not be found.  Defaulted to export symbols for EMET.dll -
     *** ERROR: Symbol file could not be found.  Defaulted to export symbols for HooksCore.dll -
     *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Flash32_20_0_0_228.ocx -

     FAULTING_IP:
     jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c
     0a5b4e21 8b7074          mov     esi,dword ptr [eax+74h]

     EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
     ExceptionAddress: 0a5b4e21 (jscript9!NativeCodeGenerator::IsNativeFunctionAddr+0x0000000c)
        ExceptionCode: c0000005 (Access violation)
       ExceptionFlags: 00000001
     NumberParameters: 2
        Parameter[0]: 00000000
        Parameter[1]: 8542d2a7
     Attempt to read from address 8542d2a7

     CONTEXT:  00000000 -- (.cxr 0x0;r)
     eax=8542d233 ebx=042eb170 ecx=8542d233 edx=34600120 esi=0a646e75 edi=34600120
     eip=0a5b4e21 esp=042ea848 ebp=042ea85c iopl=0         nv up ei ng nz na pe nc
     cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210286
     jscript9!NativeCodeGenerator::IsNativeFunctionAddr+0xc:
     0a5b4e21 8b7074          mov     esi,dword ptr [eax+74h] ds:002b:8542d2a7=????????

     DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

     PROCESS_NAME:  iexplore.exe

     ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

     EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

     EXCEPTION_PARAMETER1:  00000000

     EXCEPTION_PARAMETER2:  8542d2a7

     READ_ADDRESS:  8542d2a7

     FOLLOWUP_IP:
     jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c
     0a5b4e21 8b7074          mov     esi,dword ptr [eax+74h]

     NTGLOBALFLAG:  0

     APPLICATION_VERIFIER_FLAGS:  0

     APP:  iexplore.exe

     ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre

     FAULTING_THREAD:  00001348

     PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

     BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

     LAST_CONTROL_TRANSFER:  from 0a5b4cc2 to 0a5b4e21

     STACK_TEXT:
     042ea85c 0a5b4cc2 34600120 042ea8e0 042ea8ac jscript9!NativeCodeGenerator::IsNativeFunctionAddr+0xc
     042ea86c 0a5b4c8d 34600120 042ea8e0 042ea8e0 jscript9!ThreadContext::IsNativeAddress+0x22
     042ea880 0a5b4cf7 00000001 042ea8e0 00000000 jscript9!Js::JavascriptStackWalker::CheckJavascriptFrame+0x3e
     042ea890 0a5b4d85 042ea8e0 042ea8e0 042ea8e0 jscript9!Js::JavascriptStackWalker::UpdateFrame+0xc
     042ea8a0 0a5b4da5 042ea954 042ea8c4 0a5b5a77 jscript9!Js::JavascriptStackWalker::Walk+0x35
     042ea8ac 0a5b5a77 042ea954 042ea8d0 042ea930 jscript9!Js::JavascriptStackWalker::GetCaller+0xf
     042ea8c4 0a5b5d5e 042ea954 ba7ed600 3ffc7de0 jscript9!Js::JavascriptStackWalker::GetNonLibraryCodeCaller+0x15
     042ea968 0a5b538d 3ffc7de0 042ea990 0000000a jscript9!Js::JavascriptExceptionOperators::WalkStackForExceptionContextInternal+0x15c
     042ea994 0a5b52d0 3ffc7de0 0000000a 00000000 jscript9!Js::JavascriptExceptionOperators::WalkStackForExceptionContext+0x20
     042ea9e0 0a6a5782 00000001 00000001 00000000 jscript9!Js::JavascriptExceptionOperators::ThrowExceptionObjectInternal+0x6c
     042ea9f4 0a629620 00000001 00000000 00000000 jscript9!Js::JavascriptExceptionOperators::ThrowExceptionObject+0x12
     042eaa20 0a609c8d 14f10470 14f10470 042eab08 jscript9!Js::JavascriptExceptionOperators::Throw+0x7d
     042eaa48 0a5ee9b7 00000000 00000000 00000000 jscript9!Js::JavascriptError::ThrowError+0x55
     042eaa64 0a60a3c4 00000000 00000000 00000000 jscript9!Js::JavascriptError::MapAndThrowError+0x34
     042eaa88 0a60a397 227089c0 80070005 22708a00 jscript9!Js::JavascriptError::MapAndThrowError+0x27
     042eaab4 0a60a363 042eab08 042eab2c 0a6559f5 jscript9!HostDispatch::HandleDispatchError+0x4d
     042eaac0 0a6559f5 80070005 042eab08 042eabd0 jscript9!HostDispatch::HandleDispatchError+0x1c
     042eab2c 0a518bc7 002dc789 042eabd0 22708a00 jscript9!HostDispatch::GetValueByDispId+0xf8
     042eab44 0a518b6c 0a892e04 042eabd0 0a518ae0 jscript9!HostDispatch::GetValue+0x2a
     042eab6c 0a486a06 22708a00 000000d4 042eabd0 jscript9!HostDispatch::GetProperty+0x88
     042eaba0 0a4c063d 000000d4 042eabd0 14f10470 jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x64
     042eabec 0a50a70d 14f10470 042eb170 042eb170 jscript9!Js::JavascriptOperators::TypeofFld_Internal<0>+0x5b
     042eae8c 0a50aa8f ba7ed1ac 042eb170 02f3ee80 jscript9!Js::InterpreterStackFrame::Process+0x6222
     042eaec4 0a50aaee 042eb15c 20e70d8e 02f3ee80 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
     042eb168 0a48d749 20e70da0 34600120 20e70d80 jscript9!Js::InterpreterStackFrame::Process+0x49a8
     042eb29c 170114c9 042eb2b0 042eb558 0a489b13 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
     WARNING: Frame IP not in any known module. Following frames may be wrong.
     042eb2a8 0a489b13 31923520 02000002 37abf800 0x170114c9
     042eb558 0a48d749 3de922d6 34601000 3de91d90 jscript9!Js::InterpreterStackFrame::Process+0x2040
     042eb6dc 170114e9 042eb6f0 042eb998 0a48d3e1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
     042eb6e8 0a48d3e1 31923500 10000002 1620e3c0 0x170114e9
     042eb998 0a48d749 3de352ea 3da70d80 3de35010 jscript9!Js::InterpreterStackFrame::Process+0x1e62
     042ebb1c 17011559 042ebb30 042ebb78 0a48671a jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
     042ebb28 0a48671a 25d4de60 10000003 1620e3c0 0x17011559
     042ebb78 0a48a394 10000003 042ec1f4 042ec100 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
     042ebe1c 0a50aa8f ba7ec13c 042ec100 02f3ee80 jscript9!Js::InterpreterStackFrame::Process+0x3a10
     042ebe54 0a50aaee 042ec0ec 1f33d6fa 02f3ee80 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
     042ec0f8 0a48d749 1f33d72e 25d4f120 1f33d680 jscript9!Js::InterpreterStackFrame::Process+0x49a8
     042ec26c 17011561 042ec280 042ec2bc 0a48671a jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
     042ec278 0a48671a 25d4de80 00000000 00000000 0x17011561
     042ec2bc 0a486d28 00000000 00000000 ba7ebc58 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
     042ec330 0a486c5d 14f10470 00000000 00000000 jscript9!Js::JavascriptFunction::CallRootFunction+0xb5
     042ec378 0a486bf0 042ec3a4 00000000 00000000 jscript9!ScriptSite::CallRootFunction+0x42
     042ec3c4 0a59207b 25d4de80 042ec408 00000000 jscript9!ScriptSite::Execute+0xd2
     042ec44c 0a591247 042ec6d8 042ec6f8 ba7ebb88 jscript9!ScriptEngine::ExecutePendingScripts+0x1c6
     042ec4e0 0a5928da 3d093a58 09f763b4 1611dd24 jscript9!ScriptEngine::ParseScriptTextCore+0x300
     042ec530 04a2f434 14f056c0 3d093a58 09f763b4 jscript9!ScriptEngine::ParseScriptText+0x5a
     042ec568 04568438 3d093a58 00000000 00000000 mshtml!CActiveScriptHolder::ParseScriptText+0x51
     042ec5c0 0499515b 3d093a58 00000000 00000000 mshtml!CJScript9Holder::ParseScriptText+0x5f
     042ec630 0456896e 00000000 14208a00 3c782200 mshtml!CScriptCollection::ParseScriptText+0x175
     042ec71c 04568fd9 00000000 00000000 00000000 mshtml!CScriptData::CommitCode+0x31e
     042ec798 04938751 049386f0 042ec7c8 05780000 mshtml!CScriptData::Execute+0x232
     042ec7b8 0437d2cb 1611dca4 00000000 00000001 mshtml!CScriptData::AsyncExecute+0x67
     042ec800 0437cbf4 b873d32c 00000000 0437bf20 mshtml!GlobalWndOnMethodCall+0x17b
     042ec854 759162fa 00080b9e 00008002 00000000 mshtml!GlobalWndProc+0x103
     042ec880 75916d3a 0437bf20 00080b9e 00008002 user32!InternalCallWinProc+0x23
     042ec8f8 759177d3 00000000 0437bf20 00080b9e user32!UserCallWinProcCheckWow+0x109
     042ec95c 7591789a 0437bf20 00000000 042efb3c user32!DispatchMessageWorker+0x3cb
     042ec96c 0f59a7ac 042ec9ac 02efe9b8 00614fe0 user32!DispatchMessageW+0xf
     042efb3c 0f5d3158 042efc08 0f5d2dd0 0024afc8 ieframe!CTabWindow::_TabWindowThreadProc+0x464
     042efbfc 7757ebec 02efe9b8 042efc20 0f621f00 ieframe!LCIETab_ThreadProc+0x3e7
     042efc14 60c13a31 0024afc8 00000000 00000000 iertutil!CMemBlockRegistrar::_LoadProcs+0x67
     042efc4c 75d8338a 005dc8c0 042efc98 77b99882 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
     042efc58 77b99882 005dc8c0 7295cad2 00000000 kernel32!BaseThreadInitThunk+0xe
     042efc98 77b99855 60c139a0 005dc8c0 00000000 ntdll!__RtlUserThreadStart+0x70
     042efcb0 00000000 60c139a0 005dc8c0 00000000 ntdll!_RtlUserThreadStart+0x1b

     STACK_COMMAND:  ~6s; .ecxr ; kb

     SYMBOL_STACK_INDEX:  0

     SYMBOL_NAME:  jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c

     FOLLOWUP_NAME:  MachineOwner

     MODULE_NAME: jscript9

     IMAGE_NAME:  jscript9.dll

     DEBUG_FLR_IMAGE_TIMESTAMP:  566c54b7

     FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_jscript9.dll!NativeCodeGenerator::IsNativeFunctionAddr

     BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c

     ANALYSIS_SOURCE:  UM

     FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_jscript9.dll!nativecodegenerator::isnativefunctionaddr

     FAILURE_ID_HASH:  {f79b47ef-ea32-0b27-5ba9-8a665e65198e}

     Followup: MachineOwner
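The post above is one dump out of many from the same user base, and the question it asks (is this an exploitation attempt, and why do the first three lines complain about symbols) is best answered by comparing the same few fields across every dump rather than reading each one by hand. The following is an added triage helper, example code that is not part of the post and not a WinDbg feature: it parses the text that "!analyze -v" prints, records which modules only had export symbols, and marks the stack frames WinDbg could not place in any loaded module (printed as a bare 0x... symbol under the "Frame IP not in any known module" warning). The sample input is a constructed excerpt of the dump above, trimmed to the lines the parser reads.

```python
"""Triage helper for the text WinDbg prints from '!analyze -v' on a user-mode dump.

Added example, not from the post or from WinDbg. It pulls out the fields a
responder compares across many crash dumps: exception code, process name,
which modules only had export symbols, and which stack frames fall outside
every loaded module (a bare 0x... address in the symbol column).
"""
import re
from collections import Counter

# Constructed excerpt of the analysis text in the post above, trimmed to the
# lines the parser looks at; the real input is the whole pasted WinDbg output.
SAMPLE_ANALYSIS = """\
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for EMET.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for HooksCore.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Flash32_20_0_0_228.ocx - 
FAULTING_IP: 
jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c
0a5b4e21 8b7074          mov     esi,dword ptr [eax+74h]
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
PROCESS_NAME:  iexplore.exe
STACK_TEXT:  
042ea85c 0a5b4cc2 34600120 042ea8e0 042ea8ac jscript9!NativeCodeGenerator::IsNativeFunctionAddr+0xc
042eb29c 170114c9 042eb2b0 042eb558 0a489b13 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
WARNING: Frame IP not in any known module. Following frames may be wrong.
042eb2a8 0a489b13 31923520 02000002 37abf800 0x170114c9
042eb558 0a48d749 3de922d6 34601000 3de91d90 jscript9!Js::InterpreterStackFrame::Process+0x2040
042ebb28 0a48671a 25d4de60 10000003 1620e3c0 0x17011559
042ec568 04568438 3d093a58 00000000 00000000 mshtml!CActiveScriptHolder::ParseScriptText+0x51
042efcb0 00000000 60c139a0 005dc8c0 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND:  ~6s; .ecxr ; kb
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_jscript9.dll!NativeCodeGenerator::IsNativeFunctionAddr
"""

# One 'kb' frame: ChildEBP RetAddr Arg1 Arg2 Arg3 symbol (x86, 8 hex digits each)
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")
# UPPER_CASE_KEY:  value  lines that !analyze prints between the sections
FIELD_RE = re.compile(r"^([A-Z_0-9]+):\s*(.*)$")
MISSING_SYM_RE = re.compile(r"Defaulted to export symbols for (\S+)")


def parse_analyze_output(text):
    """Return scalar fields, the modules without symbols, and the stack frames."""
    report = {"fields": {}, "missing_symbols": [], "frames": []}
    in_stack = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = MISSING_SYM_RE.search(line)
        if m:
            report["missing_symbols"].append(m.group(1))
            continue
        if in_stack:
            f = FRAME_RE.match(line)
            if f:
                _child_ebp, ret_addr, symbol = f.groups()
                report["frames"].append({
                    "ret_addr": ret_addr,
                    "symbol": symbol,
                    # WinDbg prints a bare address when the IP is in no loaded module
                    "in_known_module": not symbol.startswith("0x"),
                })
                continue
            if line.startswith("WARNING:"):
                continue
            in_stack = False  # any other line ends the STACK_TEXT listing
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "STACK_TEXT":
                in_stack = True
            else:
                report["fields"][key] = value
    return report


def module_histogram(report):
    """Count frames per module; unknown-module frames are left out."""
    return Counter(f["symbol"].split("!", 1)[0]
                   for f in report["frames"] if f["in_known_module"])


def triage(report):
    """Findings a responder wants first when comparing dumps from many PCs."""
    findings = []
    fields = report["fields"]
    proc = fields.get("PROCESS_NAME", "?")
    if "0xc0000005" in fields.get("EXCEPTION_CODE", ""):
        findings.append("access violation (0xc0000005) in " + proc)
    frames = report["frames"]
    if frames and frames[0]["in_known_module"]:
        findings.append("faulting module: " + frames[0]["symbol"].split("!", 1)[0])
    unknown = [f["symbol"] for f in frames if not f["in_known_module"]]
    if unknown:
        findings.append("%d frame(s) outside any loaded module: %s"
                        % (len(unknown), ", ".join(unknown)))
    if report["missing_symbols"]:
        findings.append("export symbols only for: " + ", ".join(report["missing_symbols"]))
    hist = module_histogram(report)
    findings.append("modules on stack: " + ", ".join("%s(%d)" % kv for kv in hist.most_common()))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_analyze_output(SAMPLE_ANALYSIS)):
        print(finding)
```

Two caveats when reading the output. The bare-address frames sit directly under jscript9's InterpreterThunk frames, which is where jscript9 hands control to code it generated itself at run time, so a JScript stack will always contain some of them; what is worth comparing across dumps is whether the unknown addresses and the module set change from one crash to the next, not their mere presence. On the symbol errors: the three modules listed are ones the debugger could not find a PDB for, so it fell back to export symbols. Pointing WinDbg at the Microsoft public symbol store with ".symfix c:\symbols" followed by ".reload" resolves the Microsoft-published modules (jscript9, mshtml, user32 and so on are already resolved in this dump); the Flash OCX is Adobe's and has no public PDB, so "Defaulted to export symbols" for it is expected and does not affect the jscript9 frames the crash is bucketed on.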
  8. I know right, I love this detective stuff. Too bad Management took the PC and turned it over to an outside vendor before I could complete the decryption process and use bootable tools. :( However they did tell me that they're going to pay for my OSCP to get more of this going on in house. OSCP is a good start.... Scanning didn't show anything, and Carbon Black was ineffective too. The only way we knew the box was compromised was from insider threat software setting off an alarm from a time when the user was out of the office. I scanned that PC with a bunch of free tools and didn't find anything.
  9. AHAHAHAHAHAHA - Syrup or jelly? Thanks for laying it out for me like that, I really appreciate it!
  10. My understanding is that Windows always stores passwords in SAM files on the disk. Got any good links to show me how to implement what you're referring to?
  11. Long story short: I had a box at work get compromised and I pulled it off the network then initiated a forensic investigation. When the vendor came back with the report one section showed a memory dump of all the accounts on the box. All except one account showed their passwords encrypted, that last account showed the password in clear text in memory. What can I start looking up to understand how or why this would happen? I figured this would be a good place to ask this question. The PC is Windows 7 and the account that had its PW in clear text in the memory dump was domain admin.
  12. Not sure what's up, maybe it is my post count. I just tried replacing the avatar in IE and Chrome to no avail. I'm fairly familiar with IP.Board so I'm not sure what the issue is. My first pic was 960x960 pixels, then I busted it down to 250x250; once I click OK the arrows spin but the change is never made.