Tcstool, posted November 3, 2008

So this leans more towards the white hat side of things, but I thought I would share the code from my U3 incident response payload I presented at PhreakNIC. It does require 4 third party tools to run:

- PSInfo - http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx
- PSList - http://technet.microsoft.com/en-us/sysinternals/bb896682.aspx
- PSLoggedon - http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx
- MD5sums - http://www.pc-tools.net/win32/md5sums/

Everything else is command line fu. It's been a great asset to me when I've had to work with malware analysis or go investigate a machine that's been owned. Hope you enjoy and hit me up if you have questions.

First the go.vbs to determine where to locate the data. This file should be launched from autorun.inf (based off Gonz0r's solution):

```vbscript
' Walk every drive letter looking for the u3ir.dat marker file, which only
' exists on the writable partition of the U3 drive, then hand that drive
' to go.bat as its first argument (%1) so all output lands there
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.shell")
Set colDrives = objFSO.Drives
For Each objDrive in colDrives
    If objFSO.FileExists(objDrive.DriveLetter & ":\u3ir.dat") Then
        strPath = objDrive.DriveLetter & ":"
        objShell.Run ".\u3ir\go.bat " & strPath
    End If
Next
```

Now the batch script:

```batch
REM Set log file location (%1 is the writable drive passed in by go.vbs)
IF NOT EXIST %1\output (
    MD %1\output
)
CD u3ir
REM enumerate local accounts and currently logged on users
net users >> %1\output\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\localaccts-%computername%.txt
REM Grab network info, arp tables, open connections, and firewall status
ipconfig /all >> %1\output\localnet-%computername%.txt
ipconfig /displaydns >> %1\output\localnet-%computername%.txt
arp -a >> %1\output\localnet-%computername%.txt
netstat -ano >> %1\output\localnet-%computername%.txt
route print >> %1\output\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\output\localnet-%computername%.txt
netsh firewall show state >> %1\output\localnet-%computername%.txt
netsh firewall show service >> %1\output\localnet-%computername%.txt
net use >> %1\output\localnet-%computername%.txt
REM Grab a list of installed software and running processes
psinfo /accepteula /h /s >> %1\output\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\output\sysinfo-%computername%.txt
REM Grab state of all services on the machine
sc query state= all >> %1\output\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript %systemroot%\system32\prnmngr.vbs -l >> %1\output\sysinfo-%computername%.txt
REM Export the registry of the machine
REM HKEY_LOCAL_MACHINE
reg export HKLM %1\output\hklm-%computername%.reg
REM HKEY_CURRENT_USER
reg export HKCU %1\output\hkcu-%computername%.reg
REM HKEY_CLASSES_ROOT
reg export HKCR %1\output\hkcr-%computername%.reg
REM HKEY_USERS
reg export HKU %1\output\hku-%computername%.reg
REM HKEY_CURRENT_CONFIG
reg export HKCC %1\output\hkcc-%computername%.reg
REM calculate MD5 hashes of the system directory
md5sums %systemroot% >> %1\output\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\output\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\output\osmd5-%computername%.txt
```

So what does all this wonderful code gather you from your target machine?

- All the user accounts
- The users currently logged on and what time they logged on
- The IP configuration of all the NICs
- The contents of the DNS cache
- The ARP table entries
- The TCP port states, and the process ID that is using that port
- The routing table
- The HOSTS file contents
- The status of the Windows firewall and the rules it is operating by
- All mapped network drives
- All installed programs and Windows updates
- All the running processes on a machine in tree view so you can see which process spawned which subprocess
- The state of all the services on the machine
- A complete export of the machine registry
- The md5 values of all the files in the windows directory, the windows\system directory, and the windows\system32 directory.

Hope this helps somebody out. Again hit me up if you have any questions.
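The osmd5 capture is only useful once it is compared against a known-good baseline of the same directories. As an added example (not part of the original post or the U3 payload), this script diffs two md5sums captures and reports files whose hash changed, files that appeared, and files that vanished. It assumes md5sums prints one file per line containing a 32-hex-digit MD5 and the path in either order; the sample captures and hashes are constructed, not real.

```python
"""Diff a baseline md5sums capture against one collected during an incident.

Assumption (not verified against the md5sums tool): each file line holds a
32-hex-digit MD5 and the file path in either order; other lines are ignored.
"""
import re

MD5_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")


def parse_md5sums(text: str) -> dict:
    """Return {lower-cased path: md5}; banner, blank and header lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = MD5_RE.search(line)
        if not m:
            continue
        # Whatever is left after removing the hash token is the path ("*" marks binary mode)
        path = (line[:m.start()] + line[m.end():]).strip().strip("*").strip()
        if path:
            entries[path.lower()] = m.group(1).lower()  # Windows paths are case-insensitive
    return entries


def diff_captures(baseline: str, collected: str) -> dict:
    """Classify every file as changed (hash differs), added (new) or missing (gone)."""
    base, now = parse_md5sums(baseline), parse_md5sums(collected)
    return {
        "changed": {p: (base[p], now[p]) for p in base if p in now and base[p] != now[p]},
        "added": sorted(p for p in now if p not in base),
        "missing": sorted(p for p in base if p not in now),
    }


# Constructed sample captures: the hashes are placeholders, not hashes of any real file
BASELINE = r"""
MD5sums 1.2 (constructed banner line, ignored by the parser)
c:\windows\system32\kernel32.dll   0123456789abcdef0123456789abcdef
c:\windows\system32\ntdll.dll      fedcba9876543210fedcba9876543210
c:\windows\system32\user32.dll     00112233445566778899aabbccddeeff
"""
COLLECTED = r"""
c:\windows\system32\kernel32.dll   0123456789abcdef0123456789abcdef
c:\windows\system32\ntdll.dll      deadbeefdeadbeefdeadbeefdeadbeef
c:\windows\system32\svchosts.exe   cafebabecafebabecafebabecafebabe
"""

if __name__ == "__main__":
    for kind, items in diff_captures(BASELINE, COLLECTED).items():
        print(kind, items)
```

A modified system DLL or an extra look-alike binary in system32 shows up immediately, which is what the hash pass is for.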
Jen, posted November 3, 2008

How long does it take to run?
HarshReality, posted November 3, 2008

Jesus, now from a recent refresh I did for a client... the only thing you're missing is a list of installed printers and properties for them LOL
Tcstool (author), posted November 4, 2008

Actually it runs really fast. On a 1st generation P4 with 512 MB of RAM it takes around 3 minutes. On a modern Athlon with 1 GB of RAM it took a little over a minute. The slowest parts are the registry export and the MD5 calculations. I think to be able to gather that much evidence in an incident, that's not too shabby, particularly considering you can write all your data to your device. Pretty nice little portable investigative tool I think.
DingleBerries, posted November 4, 2008

I concur. But this could also be used for less than legal purposes. I wouldn't need the MD5 hashes though.
Tcstool (author), posted November 4, 2008

> I concur. But this could also be used for less than legal purposes. I wouldn't need the MD5 hashes though.

I agree 100%, but really that could be said of any information gathering tool. As far as not needing one piece of information or the other, that's what I like about the use of batch files in this. You can just knock the lines out on the fly and rebuild your ISO image.
DMilton, posted November 4, 2008

Good job Tcstool! I think it would be great to add this at the wiki... You're not responsible if the final user is using it in a white hat way or not, but I found it useful. As HarshReality said, a list of installed printers and properties from them will be very useful too.
Tcstool (author), posted November 4, 2008

Ask and you shall receive! I have added under the local machine status section a command to enumerate the printers on the machine, their ports, and certain other properties. Thanks for the suggestions!
DMilton, posted November 4, 2008

Fast work implementing the idea from HarshReality, and good work all round. Now we can add this to our payloads (yeepeyaaaaa!!!!) So... look, you're pinned!
Jen, posted November 4, 2008

btw, can anyone provide a tut on how to put this into our payload?
DMilton, posted November 4, 2008

> btw, can anyone provide a tut on how to put this into our payload?

This can be easily implemented into everyone's payload, but if the idea is doing it in Leapo's Pocket Knife it will be very easy, of course. Maybe Leapo will do it, or if he wants, I'll write (with Tcstool's permission ;)) the code to run from Leapo's Pocket Knife for his next release! The only thing you have to do is add the apps to the SYSTEM folder and modify the >> %1\output\... to Leapo's output log file. But I think some things in this, such as MD5SUM or exporting the entire Registry, will not be very useful in Leapo's (not as in other payloads oriented to security audits). Leapo: What about it?
Tcstool (author), posted November 4, 2008

> This can be easily implemented into everyone's payload, but if the idea is doing it in Leapo's Pocket Knife it will be very easy, of course. Maybe Leapo will do it, or if he wants, I'll write (with Tcstool's permission ;)) the code to run from Leapo's Pocket Knife for his next release! The only thing you have to do is add the apps to the SYSTEM folder and modify the >> %1\output\... to Leapo's output log file. But I think some things in this, such as MD5SUM or exporting the entire Registry, will not be very useful in Leapo's (not as in other payloads oriented to security audits). Leapo: What about it?

Permission granted! I would love to see this idea evolve. Since Microsoft has made COFEE only available to law enforcement, I think having a portable, self-contained audit and incident response tool like this could grow into a really nice open source project.
Chris Gerling, posted November 4, 2008

I'd like to take this and turn it into a segment if I have your permission. Really awesome work man!
Tcstool (author), posted November 4, 2008

> I'd like to take this and turn it into a segment if I have your permission. Really awesome work man!

Sure man, Darren and I did a quick interview about it at PhreakNIC since this is what my presentation was about, but I really just hit the high points during that interview and didn't get into the nuts and bolts of it. You are more than welcome to dig into the technical side of it and do a presentation about it.
Jen, posted November 5, 2008

So tut plox?
OldDragon, posted November 6, 2008

Instead of having the vbs script, you can use %~d0 to find out what drive the batch file is being run from. That would work in anything from Windows 2000 forward I believe. That way you would just have one file instead of two.
Tcstool (author), posted November 6, 2008

> Instead of having the vbs script, you can use %~d0 to find out what drive the batch file is being run from. That would work in anything from Windows 2000 forward I believe. That way you would just have one file instead of two.

That's true, but the VBScript is not for finding out which drive the batch file is executing from. You're locating the writeable partition of your U3 drive, so you still need the VB script to loop through your drives and find the u3ir.dat file.
DingleBerries, posted November 6, 2008

what is the difference between:

```batch
REM HKEY_LOCAL_MACHINE
reg export HKLM %1\output\hklm-%computername%.reg
```

and

```batch
regedit /e export.txt
```
DingleBerries, posted November 6, 2008

I was looking at some other things that could be thrown in, just because... I am no bat expert so please don't point out all the flaws.

```batch
gpresult >> "%computername%_ID.txt"
driverquery >> "%computername%_ID.txt"
getmac >> %computername%\%computername%_NetInfo.txt
netsh show mode >> %computername%\mode.txt
netsh show alais >> %computername%\mode.txt
netsh show helper >> %computername%\mode.txt
mkdir %computername%
cd %computername%\
mkdir ect
XCOPY "C:\WINDOWS\system32\drivers\etc" "C:\Documents and Settings\Administrator\Desktop\WINDOWS-38QGJLY\ect"
cd ..
tasklist >> %computername%\%computername%_FireWall.txt
```
Tcstool (author), posted November 6, 2008

> what is the difference between:
>
> REM HKEY_LOCAL_MACHINE
> reg export HKLM %1\output\hklm-%computername%.reg
>
> and
>
> regedit /e export.txt

> I was looking at some other things that could be thrown in, just because... I am no bat expert so please don't point out all the flaws.
>
> gpresult >> "%computername%_ID.txt"
> driverquery >> "%computername%_ID.txt"
> getmac >> %computername%\%computername%_NetInfo.txt
> netsh show mode >> %computername%\mode.txt
> netsh show alais >> %computername%\mode.txt
> netsh show helper >> %computername%\mode.txt
> mkdir %computername%
> cd %computername%\
> mkdir ect
> XCOPY "C:\WINDOWS\system32\drivers\etc" "C:\Documents and Settings\Administrator\Desktop\WINDOWS-38QGJLY\ect"
> cd ..
> tasklist >> %computername%\%computername%_FireWall.txt

Good stuff. So let's start from the top (and these are only my opinions and I think worth discussing alternate approaches such as this):

The registry export command you used is similar and a good way to do a backup of the entire registry. I like to export the individual keys for more granular analysis, being able to import into a VM, etc.

gpresult is a good one. Driverquery is pretty good too but I'm not sure how much insight it gives you into the behavior of the machine. Although with this day and age of driver exploits, that's probably not a bad idea.

The MAC addresses of the network interfaces are already listed in the ipconfig /all.

netsh show mode isn't valid but I know what you were trying to accomplish. I can buy show helper though. Could be useful.

We're already dumping the output of the hosts file. I'm sketchy on the value of the other files in c:\windows\system32\drivers\etc.... Anyone have any thoughts?
Xakep, posted November 7, 2008

Tcstool, this is a great tool, but you know what will make it better? You should add the switchblade antidote to it. Just in case you or someone you know gets pwned so you can help them out. I think that will make it even better!
Tcstool (author), posted November 7, 2008

That's a good idea, but I don't think it really suits the purpose of this tool, which is to collect evidence in the event of an intrusion. It might be a good idea to build a second version of this with remediation options?
DingleBerries, posted November 7, 2008

I really want to find a good way to dump the contents of the RAM... that way when you take the machine offline, you can go over that image. I've been playing with dd.exe, but running Windows in a VM isn't that fun :/ Also, you said in your presentation that they can snail mail you the USB disk, have you thought of adding encryption to the folders? I've been playing with a few low end crypto programs that are strictly command line.
DingleBerries, posted November 7, 2008

Also, sorry for the double post... But, I can take a USB to FireWire adapter and plug a thumb drive in, right?
Chris Gerling, posted November 7, 2008

One of the better ways to capture what's in RAM is with Helix. :)