paradizelost Posted November 8, 2008

Here's an updated piece of code that incorporates a lot of the info gathering ideas that were put forth. The changes are as follows:

- uses the START command to run many commands in parallel rather than all in series. This shortens the amount of time that this takes to run considerably, at a performance hit on the machines while running.
- Creates a folder output\%computername% to put the files in, rather than cluttering up one output directory, useful if running on an entire network.
- xcopy's the contents of %windir%\system32\drivers\etc
- uses Microsoft's print server migration tool from http://tinyurl.com/2ab4lz to save all printers, ports, and drivers from the system to a cab file. This can be restored later. Simply download the printmig.exe from MS and put it in the U3ir folder on the thumbdrive. NOTE: PRINTMIG.exe does not work on Vista.
- fixed the %WINDIR%\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs pointing to just %windir%\system32
- used the DOS TREE command to save an output of non-hidden, non-system files to a text file.
- used the SET command and exported the entirety of system variables to a text file.
REM Set log file location
IF NOT EXIST %1\output ( MD %1\output )
IF NOT EXIST %1\output\%computername% ( MD %1\output\%computername% )
CD u3ir
REM enumerate local accounts and currently logged on users
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
REM Grab network info, arp tables, open connections, and firewall status
REM Background commands are launched as START "" /B CMD /C "..." so the >> redirection
REM is applied by the child command rather than by START, and no extra console window
REM opens per command. Commands appending to the same file may interleave their output,
REM and the script can finish before the background commands do.
START "" /B CMD /C "ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt"
START "" /B CMD /C "ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt"
START "" /B CMD /C "arp -a >> %1\output\%computername%\localnet-%computername%.txt"
START "" /B CMD /C "netstat -ano >> %1\output\%computername%\localnet-%computername%.txt"
START "" /B CMD /C "route print >> %1\output\%computername%\localnet-%computername%.txt"
START "" /B CMD /C "type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt"
START "" /B CMD /C "netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt"
START "" /B CMD /C "netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt"
START "" /B CMD /C "net use >> %1\output\%computername%\localnet-%computername%.txt"
START "" /B CMD /C "gpresult >> %1\output\%computername%\%computername%_GPO.txt"
START "" /B CMD /C "driverquery >> %1\output\%computername%\%computername%_drivers.txt"
START "" /B CMD /C "netsh show alias >> %1\output\%computername%\%computername%_alias.txt"
START "" /B CMD /C "netsh show helper >> %1\output\%computername%\%computername%_helper.txt"
START "" /B CMD /C "systeminfo /FO LIST >> %1\output\%computername%\%computername%_systeminfo.txt"
START "" /B CMD /C "tasklist /FO LIST >> %1\output\%computername%\%computername%_tasklist.txt"
set >> %1\output\%computername%\%computername%_variables.txt
tree /F /A %systemdrive%\ >> %1\output\%computername%\%computername%_dirtree.txt
START "" /B printmig.exe -b %1\output\%computername%\%computername%_printers.cab
MD %1\output\%computername%\etc
START "" /B xcopy /q /e %windir%\system32\drivers\etc %1\output\%computername%\etc
REM Grab a list of installed software and running processes
START "" /B CMD /C "psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt"
START "" /B CMD /C "pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt"
REM Grab state of all services on the machine
START "" /B CMD /C "sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt"
REM Grab a list of the printers on the machine and properties
cscript %WINDIR%\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
REM Export the registry of the machine
REM HKEY_LOCAL_MACHINE
START "" /B reg export HKLM %1\output\%computername%\hklm-%computername%.reg
REM HKEY_CURRENT_USER
START "" /B reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
REM HKEY_CLASSES_ROOT
START "" /B reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
REM HKEY_USERS
START "" /B reg export HKU %1\output\%computername%\hku-%computername%.reg
REM HKEY_CURRENT_CONFIG
START "" /B reg export HKCC %1\output\%computername%\hkcc-%computername%.reg
REM calculate MD5 hashes of the system directory
START "" /B CMD /C "md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt"
START "" /B CMD /C "md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt"
START "" /B CMD /C "md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt"

Let me know if you see any issues.
Matessim Posted November 8, 2008

Can you compile the code to a Zip? Would make things more organized ;)
paradizelost Posted November 8, 2008

The issue there is that some of the software would require redistribution licenses, and a .bat file is easy enough to copy/paste.
Tcstool (thread author) Posted November 8, 2008

Things need to be kept in a batch file for making changes on the fly and to keep things simple. In addition, before adding the printer script, I checked SEVERAL machines and prnmngr.vbs lived in C:\windows\system32, not the path you have in the script. I'm also not sure about running all tasks in parallel like that. I agree that it improves the performance of the script, but it also makes it much harder to see if any errors occur while it's running; nothing in there really takes very long to run, and trying to dump the registry keys or calculate the MD5 hashes in parallel really beats up the machine pretty badly. I'm also not sure about the value of using the print migration tool for restoring printers. This is strictly an information gathering and first responder tool in the event of an incident, and I don't think you gain more value than just dumping the printer information itself. I do however like the change you made to the output and some of the commands you added. Good job. I'm about to post a new version of the script that incorporates some of it.
Tcstool (thread author) Posted November 8, 2008

So here's the latest version of what I have. I've incorporated a lot of the changes suggested. Everyone had great ideas!!! Some of them were redundant with other information that was already being collected, so I selected the solution that I felt had the most valuable or clearest output. Keep those ideas coming!

REM Set log file location
IF NOT EXIST %1\output ( MD %1\output )
IF NOT EXIST %1\output\%computername% ( MD %1\output\%computername% )
CD u3ir
REM enumerate local accounts and currently logged on users
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
REM Grab network info, arp tables, open connections, and firewall status
ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
arp -a >> %1\output\%computername%\localnet-%computername%.txt
netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
route print >> %1\output\%computername%\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
net use >> %1\output\%computername%\localnet-%computername%.txt
gpresult >> %1\output\%computername%\%computername%_GPO.txt
driverquery >> %1\output\%computername%\%computername%_drivers.txt
set >> %1\output\%computername%\%computername%_variables.txt
tree /F /A %systemdrive%\ >> %1\output\%computername%\%computername%_dirtree.txt
REM Grab a list of installed software and running processes
psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab state of all services on the machine
sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
REM Export the registry of the machine
REM HKEY_LOCAL_MACHINE
reg export HKLM %1\output\%computername%\hklm-%computername%.reg
REM HKEY_CURRENT_USER
reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
REM HKEY_CLASSES_ROOT
reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
REM HKEY_USERS
reg export HKU %1\output\%computername%\hku-%computername%.reg
REM HKEY_CURRENT_CONFIG
reg export HKCC %1\output\%computername%\hkcc-%computername%.reg
REM calculate MD5 hashes of the system directory
md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
subop Posted November 8, 2008

Looks good man. I have a few suggestions though. What about collecting the data in the order of volatility? Also it's generally a good idea to include the start and end time with date /t and time /t. Some other useful programs are:

- autoruns
- handles
- promiscdetect
- tasklist /svc
- cmdline
- eldump

NirSoft has a lot of other useful incident response tools. I like your IR kit, it has a lot of potential. Thanks for sharing your work. :)
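The two points raised so far, that parallel runs hide errors and that each collector should be bracketed by timestamps and ordered by volatility, can both be handled by one small subroutine. The following is an added example and not a script from this thread or the Switchblade project; it assumes, as the scripts above do, that %1 is the thumb-drive letter, that the third-party tools sit in %1\u3ir, and that the computer name contains no spaces.

```batch
@ECHO OFF
REM Added example (not from the thread): a :run subroutine that stamps the
REM start/end time and exit code around every collector, with collectors
REM ordered from most to least volatile so the fast-changing state is read first.
REM Assumptions: %1 is the thumb-drive letter, tools live in %1\u3ir,
REM and %COMPUTERNAME% contains no spaces.
SETLOCAL ENABLEEXTENSIONS
SET "OUT=%1\output\%COMPUTERNAME%"
IF NOT EXIST "%OUT%" MD "%OUT%"
SET "RUNLOG=%OUT%\runlog-%COMPUTERNAME%.txt"
SET "VOL=%OUT%\volatile-%COMPUTERNAME%.txt"
SET "CFG=%OUT%\config-%COMPUTERNAME%.txt"
CD /D %1\u3ir

ECHO Collection started %DATE% %TIME% on %COMPUTERNAME% > "%RUNLOG%"

REM --- 1. Most volatile: live connections, caches, processes, sessions ---
CALL :run "netstat -ano"           "%VOL%"
CALL :run "arp -a"                 "%VOL%"
CALL :run "ipconfig /displaydns"   "%VOL%"
CALL :run "tasklist /FO LIST"      "%VOL%"
CALL :run "psloggedon /accepteula" "%VOL%"
CALL :run "net use"                "%VOL%"
CALL :run "net session"            "%VOL%"

REM --- 2. Less volatile: configuration that survives a reboot ---
CALL :run "ipconfig /all"             "%CFG%"
CALL :run "route print"               "%CFG%"
CALL :run "netsh firewall show state" "%CFG%"
CALL :run "net users"                 "%CFG%"
CALL :run "sc query state= all"       "%CFG%"
CALL :run "systeminfo /FO LIST"       "%CFG%"

REM --- 3. Least volatile and slowest: registry export and hashes, run last ---
CALL :run "reg export HKLM %OUT%\hklm-%COMPUTERNAME%.reg" "%RUNLOG%"
CALL :run "md5sums %SYSTEMROOT%\system32" "%OUT%\osmd5-%COMPUTERNAME%.txt"

ECHO Collection finished %DATE% %TIME% >> "%RUNLOG%"
ENDLOCAL
GOTO :EOF

:run
REM %~1 = command line to execute, %~2 = file that receives its output.
REM stdout and stderr both go to that file; a non-zero exit code is also
REM written to the run log, so a failed tool shows up without watching the
REM console (net session, for instance, fails when not run as administrator).
ECHO ===== START %DATE% %TIME% : %~1 >> "%~2"
%~1 >> "%~2" 2>&1
SET "RC=%ERRORLEVEL%"
ECHO ===== END   %DATE% %TIME% : exit code %RC% >> "%~2"
IF NOT "%RC%"=="0" ECHO %DATE% %TIME% FAILED rc=%RC%: %~1 >> "%RUNLOG%"
EXIT /B 0
```

Because every collector goes through :run, the run log alone tells the responder which commands failed and how long each stage took, which is the visibility that the parallel START version gives up.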
Darren Kitchen Posted November 8, 2008

There has been a lot of development on this project so I thought it might be time to add it to the wiki. http://wiki.hak5.org/wiki/U3_Incident_Response_Switchblade Russell, you can use the Hak5 package hosting at http://www.hak5.org/packages/ Oh yeah, and I took the liberty of creating a logo, just cause I'm a photoshop fiend. Hope that's cool. :)
Matessim Posted November 8, 2008

Well, can we somehow pack it together without the tools? So we will have a folder which the tools need to be put into; that would make it easier for newbies, who just need to download the zip, extract, and download the tools to the folder. BTW, installed it on my USB, very nice.
paradizelost Posted November 8, 2008

matessim, again, the problem with that is we do not have redistribution rights to the 3rd party tools. One gets in a fair bit of legal trouble redistributing without permission. That's why you have to go download the tools yourself.
Tcstool (thread author) Posted November 9, 2008

> Looks good man. I have a few suggestions though. What about collecting the data in the order of volatility? Also it's generally a good idea to include the start and end time with date /t and time /t. Some other useful programs are: autoruns, handles, promiscdetect, tasklist /svc, cmdline, eldump. NirSoft has a lot of other useful incident response tools. I like your IR kit, it has a lot of potential. Thanks for sharing your work. :)

Yeah you're right. I had actually been meaning to put date/time stamps in but got a little overwhelmed with requests after the release of the interview and completely forgot about it. Good call. As far as volatility goes, my theory has always been that if you're skilled enough, it's just as easy to add a registry value as it is to create a user account or start a process on a machine. Really all of it is volatile; there's very little we're collecting here that can't be changed with a single command. I think run order is worth discussing further though. Right now everything is sort of grouped by the general category the information falls under, which may not be the best way. So let's think about these other tools and look for redundancies... any thoughts?

- autoruns - Really this information can be gleaned from the registry exports... adding this would be a matter of convenience. I don't think it's that bad examining the .REG files, but if enough people think this would be more convenient I'll add it.
- handles - I looked at this one but it has weird issues sometimes and the output isn't as clean, which is why I went with pslist instead.
- promiscdetect - I played around with this one but it got blown up by a couple of enterprise AV programs so I left it out. It wouldn't be a bad idea to find something like this we can use though.
- tasklist /svc - This information is already collected by pslist and the sc query command.
- cmdline - More info please.
- eldump - I'm on the fence about this one. I'm not sure if this is worth the extra overhead, because it's so much easier to review the event logs from the machine itself and they can also be easily accessed remotely, or if it's good to have it captured from an evidence perspective. Definitely worth discussing.

However, before we start adding a bunch of third party tools, paradizelost makes a good point:

> matessim, again, the problem with that is we do not have redistribution rights to the 3rd party tools. One gets in a fair bit of legal trouble redistributing without permission. That's why you have to go download the tools yourself.

I really would love to eliminate as many of the third party tools as possible and do as much with creative command line fu for this very reason. The only places in this where I did opt for third party tools is where the output they gave was much cleaner, or there was functionality that couldn't be accomplished using the tools included with Windows. Does anyone know what the licensing for PSTools is? Pre-Microsoft buying them, it was total freeware and able to be redistributed. MD5sums is redistributable I think, based on the licensing info on their website. They seem like nice enough guys, I may shoot them an email. I have privately emailed out a few of the packages with the tools included, but before we do any kind of mass distribution, I want to pare this down to things that are totally redistributable, or do everything with Windows built in functionality (which could mean we need some clever people who can actually write code, unlike me, to clean up the output a bit!)
paradizelost Posted November 9, 2008

Most of the information gathered by the 3rd party tools is gathered via WMI, I would guess. If there are some creative scripters out there, we could write our own WMI scripts to pull a lot of the information ourselves. As far as the licensing goes, from the Sysinternals website:

> Q: May I distribute Sysinternals utilities in my software, on my website, or with my magazine?
> A: No. We are not offering any distribution licenses, even if the 3rd party is distributing them for free. We encourage people to download the utilities from our download center where they can be assured to get the most recent version of the utility.
paradizelost Posted November 9, 2008

The other option may be, as this wouldn't TECHNICALLY be distribution:

> Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>. You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.
mleo2003 Posted November 9, 2008

I'm sure that, if some problems arise with licensing, some members of the forums would be willing to help you by making programs that emulate the features you want. I know I'd be willing to make a few free programs to help with this. To everyone suggesting normal SwitchBlade things to add to this, keep in mind that this tool wasn't designed to steal anything from someone, but to be a first response action in the event of a forensics investigation. The necessary information for this is very different than just a dump and go that we are used to. Just try to keep that in mind when suggesting things. As for my suggestion, the Autoruns program would probably be a very good idea, as it would also go through the Startup folder for users and show what is listed there to start up, as well as the registry, and I can see both lists being needed in this kind of information. Also, as to the registry, there is a trick using the Shadow Copy service to get a copy of each actual hive, which would include hidden info that the regular export may not get. I have some information on it, if you're interested. Only problem is it requires that service to be on to actually work, so it might be a good secondary measure if possible. Just my recent thoughts on this.
paradizelost Posted November 9, 2008

That could be accomplished by doing a NET START VSS first, assuming you have admin rights on the machine you are running this on.
paradizelost Posted November 9, 2008

Also, with some of the info like pslist, it could be accomplished by using some of the command line options available with tasklist, i.e. if you pay attention to the options on the /FO switch.
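To make the "built-in tools only" idea concrete, here is an added example, not a script from this thread or the Switchblade project, that collects roughly what psinfo, pslist and psloggedon give using only tasklist, wmic, net and reg as shipped with XP Pro and 2003. It assumes %1 is the thumb-drive letter, as the thread's scripts do; wmic is not present on XP Home, the same limitation the thread notes for tasklist.

```batch
@ECHO OFF
REM Added example (not from the thread): process, session and startup data
REM using only tools that ship with XP Pro / 2003, so nothing third-party
REM needs redistributing. Assumption: %1 is the thumb-drive letter.
SETLOCAL ENABLEEXTENSIONS
SET "OUT=%1\output\%COMPUTERNAME%"
IF NOT EXIST "%OUT%" MD "%OUT%"
SET "PROC=%OUT%\proc-builtin-%COMPUTERNAME%.txt"

ECHO %DATE% %TIME% >> "%PROC%"

REM Process list with owning user and memory (tasklist /V), then the
REM service-to-process mapping (tasklist /SVC). CSV imports cleanly later.
tasklist /V /FO CSV >> "%PROC%"
tasklist /SVC /FO CSV >> "%PROC%"

REM Parent PID, command line and creation time per process. ParentProcessId
REM lets the pslist -t style tree be rebuilt offline; CommandLine is the
REM "cmdline" data asked for above. wmic writes UTF-16, so the pipe through
REM "more" turns it into plain text before it joins the combined file.
wmic process get ProcessId,ParentProcessId,Name,CreationDate,ExecutablePath,CommandLine /FORMAT:CSV | more >> "%PROC%"

REM Console user, OS version and boot time (what psinfo reports), plus the
REM SMB sessions that psloggedon lists for remote logons (needs admin).
wmic computersystem get Name,Domain,UserName,Manufacturer,Model /FORMAT:LIST | more >> "%PROC%"
wmic os get Caption,Version,CSDVersion,InstallDate,LastBootUpTime,LocalDateTime /FORMAT:LIST | more >> "%PROC%"
net session >> "%PROC%" 2>&1

REM Startup entries from both the Run keys and the Startup folders
REM (Win32_StartupCommand): a lightweight stand-in for the Autoruns
REM suggestion that needs no third-party binary.
wmic startup get Caption,Command,Location,User /FORMAT:CSV | more >> "%PROC%"

REM Installed software straight from the Uninstall key. This avoids
REM "wmic product", which is slow and triggers an MSI check of every package.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> "%PROC%"

ECHO %DATE% %TIME% >> "%PROC%"
ENDLOCAL
```

The output is less pretty than pslist -t, but everything needed to draw the same tree (PID, parent PID, image path, command line, start time) is in the CSV, and the file can be imported into a spreadsheet or parsed by a script back at the analysis station.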
DingleBerries Posted November 9, 2008

> Also, with some of the info like pslist, it could be accomplished by using some of the command line options available with tasklist, i.e. if you pay attention to the options on the /FO switch.

Isn't tasklist only available in XP Pro?
paradizelost Posted November 9, 2008

I would imagine that in most cases where this is intended for use, it would be business environments, which most likely will be running Pro; however I have no Home machines to test on.
Tcstool (thread author) Posted November 10, 2008

That is correct, tasklist is only available with XP Pro. The main reason I prefer pslist is that it has a nice tree view showing which processes spawned which subprocesses. I just find the output to be cleaner. Autoruns is a pretty good idea, but can it run silently from the command line? I haven't played with it much. I prefer that over trying to use the VSS service and shadow copy registry components. That would seem to me to be a more in depth investigation tactic than what we're going for here.
paradizelost Posted November 10, 2008

Let me throw this possibility at you. One issue with running any of these tools from within a running Windows installation is that some of the rootkits etc. can prevent you from seeing the files they have modified or installed. This is however not possible if you boot to the thumb drive and run the utilities from a USB live environment. One could create a modified BartPE environment or Ubuntu environment etc. to back up the necessary registry .DAT files and do a check on the system, etc., without any active Windows processes. This would allow one to get a more complete and more accurate configuration; however, some of the utilities would need to be figured out how to run to get the info from a non-running system.
DingleBerries Posted November 10, 2008

Moonlit posted a really good Windows PE, maybe work with that, or BartPE. Maybe dump the MBR as well, I've seen rootkits that write themselves there as well. So far though this is great.
mleo2003 Posted November 10, 2008

> That is correct, tasklist is only available with XP Pro. The main reason I prefer pslist is that it has a nice tree view showing which processes spawned which subprocesses. I just find the output to be cleaner. Autoruns is a pretty good idea, but can it run silently from the command line? I haven't played with it much. I prefer that over trying to use the VSS service and shadow copy registry components. That would seem to me to be a more in depth investigation tactic than what we're going for here.

I'm not sure about Autoruns either. Looking on their website, there are options for the program to save output to files, as CSV and XML, so that might be an option. As to the VSS, it is a little more in-depth than the normal dump, but it would record hidden data, as well as preserve time stamps that those hives might contain. It might be a good follow up technique, but this tool is designed to be a first response in a forensics investigation. I'd say the MBR dump and bootable environment were also secondary techniques, not to be done right off the bat. As for a good environment to use, instead of making one, try the Helix project, it was designed to do a lot of this on its own.
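The timestamp point above deserves a concrete answer, because there is a middle ground between a text export and a Shadow Copy: reg save writes a hive in its native binary format, which keeps each key's last-write time (a .reg export does not), and it works on a live XP system with administrator rights without starting VSS. The following is an added example, not a script from this thread or the Switchblade project; it assumes %1 is the thumb-drive letter as in the scripts above.

```batch
@ECHO OFF
REM Added example (not from the thread): save registry hives in binary form
REM with "reg save" instead of the text-only "reg export". The binary hive
REM keeps per-key last-write timestamps and can later be mounted with
REM "reg load" or parsed offline. No VSS involved; needs administrator
REM rights (backup privilege). Assumption: %1 is the thumb-drive letter.
SETLOCAL ENABLEEXTENSIONS
SET "HIVES=%1\output\%COMPUTERNAME%\hives"
IF NOT EXIST "%HIVES%" MD "%HIVES%"
SET "LOG=%HIVES%\hives-%COMPUTERNAME%.txt"

ECHO Hive save started %DATE% %TIME% > "%LOG%"

REM System hives. On XP "reg save" has no /y switch and will not overwrite,
REM so the output directory must not already hold files of these names.
FOR %%H IN (SAM SECURITY SOFTWARE SYSTEM) DO (
    reg save HKLM\%%H "%HIVES%\%%H.hiv" >> "%LOG%" 2>&1
    IF ERRORLEVEL 1 ECHO FAILED HKLM\%%H >> "%LOG%"
)

REM The loaded hive of the console user (the live NTUSER.DAT contents).
reg save HKCU "%HIVES%\NTUSER-%USERNAME%.hiv" >> "%LOG%" 2>&1
IF ERRORLEVEL 1 ECHO FAILED HKCU >> "%LOG%"

REM Also record the last-write times of the on-disk hive files as the live
REM system reports them, for comparison with the saved copies later.
DIR /T:W "%SYSTEMROOT%\system32\config\*" >> "%LOG%"

ECHO Hive save finished %DATE% %TIME% >> "%LOG%"
ENDLOCAL
```

Keeping both forms is reasonable: the .reg exports from the main script stay readable in any text editor, while the .hiv copies preserve the timestamps an analyst needs to order events if the case goes further than first response.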
Tcstool (thread author) Posted November 10, 2008

MLeo2003 and I are on the same page. Since some of our goal is to capture behavior on the machine as it is happening, a live boot environment doesn't help us much. Plus, Helix is already much better at that than anything we could come up with ;) Remember, we're going for grabbing information for analysis to help us make our remediation decisions; we don't have to go too deep down the rabbit hole to get started with that.
Tcstool (thread author) Posted November 11, 2008

Another slightly modified version:

- Consolidated some of the output to generate fewer files to sort through
- Added date and time stamps to the start and end of each output file generated
- Adding to wiki as version 1.51.

REM Set log file location
IF NOT EXIST %1\output ( MD %1\output )
IF NOT EXIST %1\output\%computername% ( MD %1\output\%computername% )
CD u3ir
REM enumerate local accounts and currently logged on users
echo %date% %time% >> %1\output\%computername%\localaccts-%computername%.txt
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
echo %date% %time% >> %1\output\%computername%\localaccts-%computername%.txt
REM Grab network info, arp tables, open connections, and firewall status
echo %date% %time% >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
arp -a >> %1\output\%computername%\localnet-%computername%.txt
netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
route print >> %1\output\%computername%\localnet-%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
net use >> %1\output\%computername%\localnet-%computername%.txt
echo %date% %time% >> %1\output\%computername%\localnet-%computername%.txt
REM Grab a list of installed software and running processes
echo %date% %time% >> %1\output\%computername%\sysinfo-%computername%.txt
psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab state of all services on the machine
sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript %WINDIR%\System32\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab group policies applied to the machine
gpresult >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab drivers in use on the machine
driverquery >> %1\output\%computername%\sysinfo-%computername%.txt
REM grab system variables
set >> %1\output\%computername%\sysinfo-%computername%.txt
REM Get entire file system structure
tree /F /A %systemdrive%\ >> %1\output\%computername%\sysinfo-%computername%.txt
echo %date% %time% >> %1\output\%computername%\sysinfo-%computername%.txt
REM Export the registry of the machine
REM HKEY_LOCAL_MACHINE
reg export HKLM %1\output\%computername%\hklm-%computername%.reg
REM HKEY_CURRENT_USER
reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
REM HKEY_CLASSES_ROOT
reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
REM HKEY_USERS
reg export HKU %1\output\%computername%\hku-%computername%.reg
REM HKEY_CURRENT_CONFIG
reg export HKCC %1\output\%computername%\hkcc-%computername%.reg
REM calculate MD5 hashes of the system directory
echo %date% %time% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
echo %date% %time% >> %1\output\%computername%\osmd5-%computername%.txt
beakmyn Posted November 13, 2008

Ok, so I decided to run the tool on my own PC. It took several minutes and I ended up with 200MB of information. Hmm, a bit large. I saw the issue with redistributing 3rd party tools; one solution which I've been adapting is here: http://episteme.arstechnica.com/eve/forums.../m/429006588831 It will download the tools on the fly when run. So, we could instruct folks to run the "setup" batch file before creating their ISO. Otherwise I can do all this with WMI and VBS scripting like I said before, but I know you're trying to stay away from that since you don't want to have to work around an overzealous sysadmin who's blocked VBS files, but the initial autorun is VBS ;) So, I can do formatting of the batch file output in batch but it's very painful. Although it's not as easy, we could compile the .vbs to exe, but from what I've found in the past some programs just wrap the VBS in an exe.
jdogherman Posted November 13, 2008

So is there any way to export the machine S/N, make and model?
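Yes, the SMBIOS data that carries the vendor, model and serial numbers is reachable through wmic on XP Pro and later. The following is an added example, not a script from this thread or the Switchblade project; it assumes %1 is the thumb-drive letter as in the scripts above.

```batch
@ECHO OFF
REM Added example (not from the thread): record make, model and the serial
REM numbers of the system, board, enclosure and BIOS via wmic, plus disk
REM models and NIC hardware addresses, so collected evidence can be tied to
REM a physical machine. Assumption: %1 is the thumb-drive letter.
SETLOCAL ENABLEEXTENSIONS
SET "OUT=%1\output\%COMPUTERNAME%"
IF NOT EXIST "%OUT%" MD "%OUT%"
SET "HW=%OUT%\hardware-%COMPUTERNAME%.txt"

ECHO %DATE% %TIME% > "%HW%"

REM Vendor, model and the system serial (IdentifyingNumber is usually what
REM the asset sticker shows). wmic writes UTF-16; "more" converts to text.
wmic csproduct get Vendor,Name,Version,IdentifyingNumber,UUID /FORMAT:LIST | more >> "%HW%"

REM BIOS, mainboard and chassis serials; these often differ from each other
REM and from the system serial, so all three are worth keeping.
wmic bios get Manufacturer,SMBIOSBIOSVersion,SerialNumber,ReleaseDate /FORMAT:LIST | more >> "%HW%"
wmic baseboard get Manufacturer,Product,SerialNumber /FORMAT:LIST | more >> "%HW%"
wmic systemenclosure get Manufacturer,SerialNumber,SMBIOSAssetTag,ChassisTypes /FORMAT:LIST | more >> "%HW%"

REM Physical disks and the MAC addresses of real adapters (adapters without
REM a MAC, such as WAN miniports, are filtered out by the WQL where clause).
wmic diskdrive get Model,InterfaceType,Size /FORMAT:LIST | more >> "%HW%"
wmic nic where "MACAddress is not null" get Name,MACAddress,PNPDeviceID /FORMAT:CSV | more >> "%HW%"

ECHO %DATE% %TIME% >> "%HW%"
ENDLOCAL
```

On virtual machines several of these fields come back blank or with the hypervisor's placeholder strings, which is itself useful to know when reading the rest of the collection.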