Metasploit mailing list archives
Re: some ideas, roadmap cleanup, and ugly jokes..
From: Carlos Perez <carlos_perez () darkoperator com>
Date: Thu, 16 Sep 2010 16:33:43 -0400
Thanks for pointing out those tickets that where left open. some things to consider: 1. The use of any system executable will increase the number of artifacts left by your presence in it, specially in the registry, prefetch ...etc 2. if Monitoring system is present even do you rename the files it will be sent to the monitoring system like Event Collector in 2k8, WMI, SNMP ..etc you will have to take in to account that. 3. Depending on the system you will require to first get the right privs, this venture might trigger HIPS, AV ..etc by it self. 4. Each AV, HIPS vendor out there have their own protection methods, there is not a a one size fits all approach to disable this countermeasures, you will have to install each in a lab and work a process for each one. 5. The use of Railgun will be a better approach since it does not interact with executables or writes to disk and only the DLL MACE is changed but this MACE is already changed by IR tools when they collect their volatile data off the system. 6. a good IR guy will notice the gap in time since windows just by running it is generating logs, not all logs are there. Just a couple of observations for your project. Cheers, Carlos On Sep 16, 2010, at 4:12 PM, Marco Polo wrote:
Hi everybody! here is some request features, info about some bugs and questions about the roadmap. 1) About the stealthy script i made a proposition for: I thought it'd be great to add modifications to the "disable_audit.rb" script or making a new script that will rename each logs files to $file.evt(x).old. Renaming them doesn't change the mace time. Then for the roll back, just rename them to the original name so it'll overwrite the old files. It may change the mace time but we can change them again, plus it'll leave no new event in the log. Forget about editing them automatically atm: i wasn't able to find any OS' build in exe, scripts or tools under BSD licence that will allow us to convert them to an easily editable way (e.g: *.log , *.csv etc..) and running the event viewer under wine is a real pain depending of the version you're using.. But maybe the simple way is just to edit the disable_audit.rb so it'll display help and an option to rollback the file :) Informations needed for it: --------------------------- files location under vista/seven/2008 = %SystemRoot%\System32\Winevt\Logs\*evtx files location under 2000/NT/XP/2003 = %SystemRoot%\System32\Config\*.Evt file format under 2000 / NT = .evt file format under xp / 2003 = .evt file format under vista/seven/server 2008 = .evtx vista/seven cli utility to convert logs' format: "wevtutil" (requires admin privileges) .evt <> .evtx 2) About http://www.metasploit.com/redmine/issues/390 : "Arpscan for Meterpreter" Shouldn't it be closed? i thought it was done in r9733 and last modded in r10321 I mean, you guys accomplished more things that you want to tell us ;) 3) About http://www.metasploit.com/redmine/issues/608 : "Meterpreter should support a filesystem API for checking the existence of a file/dir" As POSIX & java meterpreter have the stdapi_ext shouldn't it be closed or nearly? see: http://www.metasploit.com/redmine/issues/2418#change-9532 : "Complete support for the POSIX Meterpreter" http://www.metasploit.com/redmine/issues/406 : "Full Java Payload Support" I couldn't find a dedicated ticket for the php meterpreter but i don't think it support it as it's last rev is 9393. Maybe create a ticket for the PHP meterpreter would help? 4) About http://www.metasploit.com/redmine/issues/2258 : "killav script fails to kill mcafee" Well... lots of mail in the mailing list about that atm :) In my last mail I made some propositions about the name of the A-V foundable in registry.. well it seems i was mistaken as i couldnt find it. Neither my google-fu nor my tests( extracting the registry before and after a-v installation (avg, avast & g-data) and compairing them) allowed me to find such a key.. So the idea is instead of looking for a specific executable in the "ps" list, why not searching in the list of installed software (already done in a script), then search with the new extension or by cmd all .exe's name in the installation path and then do as suggested in video's and some mails in the mailing list: search related services, disable them, then kill exe's ? Instead of having a list of exe to find, it'd be a list of folders. But here again, some A-V have diferents versions so diferents folders name.. But once in a while the joker can be on the good side?..(sorry for this ugly joke but i felt like i have to...) As usual, sorry for the long time taken reading this and for my typos Thx again for bringing us this wonderful tool :) M.P. _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- some ideas, roadmap cleanup, and ugly jokes.. Marco Polo (Sep 16)
- Re: some ideas, roadmap cleanup, and ugly jokes.. Carlos Perez (Sep 16)
- Re: some ideas, roadmap cleanup, and ugly jokes.. Jonathan Cran (Sep 16)
- Re: some ideas, roadmap cleanup, and ugly jokes.. egypt (Sep 16)
- Re: some ideas, roadmap cleanup, and ugly jokes.. Carlos Perez (Sep 16)