Metasploit mailing list archives
Re: framework Digest, Vol 32, Issue 34
From: Carlos Perez <carlos_perez () darkoperator com>
Date: Fri, 17 Sep 2010 07:53:08 -0400
It has been implemented as a meterpreter script, I will close the ticket Cheers, Carlos On Sep 17, 2010, at 1:51 AM, cons0ul wrote:
Hi list, This will sound naive but whatever Feature #390 -- Add a quick arp scanning function to Meterpreter Can somebody gives the status of above issue ? I mean is it implemented or still open ? Regards cons0ul On Fri, Sep 17, 2010 at 2:37 AM, <framework-request () spool metasploit com> wrote:Send framework mailing list submissions to framework () spool metasploit com To subscribe or unsubscribe via the World Wide Web, visit https://mail.metasploit.com/mailman/listinfo/framework or, via email, send a message with subject or body 'help' to framework-request () spool metasploit com You can reach the person managing the list at framework-owner () spool metasploit com When replying, please edit your Subject line so it is more specific than "Re: Contents of framework digest..." Today's Topics: 1. some ideas, roadmap cleanup, and ugly jokes.. (Marco Polo) 2. Re: some ideas, roadmap cleanup, and ugly jokes.. (Carlos Perez) 3. Re: some ideas, roadmap cleanup, and ugly jokes.. (Jonathan Cran) 4. Re: some ideas, roadmap cleanup, and ugly jokes.. (egypt () metasploit com) ---------------------------------------------------------------------- Message: 1 Date: Thu, 16 Sep 2010 20:12:56 +0000 From: Marco Polo <titjow () hotmail com> To: <framework () spool metasploit com> Subject: [framework] some ideas, roadmap cleanup, and ugly jokes.. Message-ID: <SNT136-w4142B824F8C27F04FF0D77D47A0 () phx gbl> Content-Type: text/plain; charset="iso-8859-1" Hi everybody! here is some request features, info about some bugs and questions about the roadmap. 1) About the stealthy script i made a proposition for: I thought it'd be great to add modifications to the "disable_audit.rb" script or making a new script that will rename each logs files to $file.evt(x).old. Renaming them doesn't change the mace time. Then for the roll back, just rename them to the original name so it'll overwrite the old files. It may change the mace time but we can change them again, plus it'll leave no new event in the log. Forget about editing them automatically atm: i wasn't able to find any OS' build in exe, scripts or tools under BSD licence that will allow us to convert them to an easily editable way (e.g: *.log , *.csv etc..) and running the event viewer under wine is a real pain depending of the version you're using.. But maybe the simple way is just to edit the disable_audit.rb so it'll display help and an option to rollback the file :) Informations needed for it: --------------------------- files location under vista/seven/2008 = %SystemRoot%\System32\Winevt\Logs\*evtx files location under 2000/NT/XP/2003 = %SystemRoot%\System32\Config\*.Evt file format under 2000 / NT = .evt file format under xp / 2003 = .evt file format under vista/seven/server 2008 = .evtx vista/seven cli utility to convert logs' format: "wevtutil" (requires admin privileges) .evt <> .evtx 2) About http://www.metasploit.com/redmine/issues/390 : "Arpscan for Meterpreter" Shouldn't it be closed? i thought it was done in r9733 and last modded in r10321 I mean, you guys accomplished more things that you want to tell us ;) 3) About http://www.metasploit.com/redmine/issues/608 : "Meterpreter should support a filesystem API for checking the existence of a file/dir" As POSIX & java meterpreter have the stdapi_ext shouldn't it be closed or nearly? see: http://www.metasploit.com/redmine/issues/2418#change-9532 : "Complete support for the POSIX Meterpreter" http://www.metasploit.com/redmine/issues/406 : "Full Java Payload Support" I couldn't find a dedicated ticket for the php meterpreter but i don't think it support it as it's last rev is 9393. Maybe create a ticket for the PHP meterpreter would help? 4) About http://www.metasploit.com/redmine/issues/2258 : "killav script fails to kill mcafee" Well... lots of mail in the mailing list about that atm :) In my last mail I made some propositions about the name of the A-V foundable in registry.. well it seems i was mistaken as i couldnt find it. Neither my google-fu nor my tests( extracting the registry before and after a-v installation (avg, avast & g-data) and compairing them) allowed me to find such a key.. So the idea is instead of looking for a specific executable in the "ps" list, why not searching in the list of installed software (already done in a script), then search with the new extension or by cmd all .exe's name in the installation path and then do as suggested in video's and some mails in the mailing list: search related services, disable them, then kill exe's ? Instead of having a list of exe to find, it'd be a list of folders. But here again, some A-V have diferents versions so diferents folders name.. But once in a while the joker can be on the good side?..(sorry for this ugly joke but i felt like i have to...) As usual, sorry for the long time taken reading this and for my typos Thx again for bringing us this wonderful tool :) M.P. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.metasploit.com/pipermail/framework/attachments/20100916/bda40141/attachment-0001.html> ------------------------------ Message: 2 Date: Thu, 16 Sep 2010 16:33:43 -0400 From: Carlos Perez <carlos_perez () darkoperator com> To: Marco Polo <titjow () hotmail com> Cc: framework () spool metasploit com Subject: Re: [framework] some ideas, roadmap cleanup, and ugly jokes.. Message-ID: <C2812674-BE43-4A01-A64F-521884282341 () darkoperator com> Content-Type: text/plain; charset="us-ascii" Thanks for pointing out those tickets that where left open. some things to consider: 1. The use of any system executable will increase the number of artifacts left by your presence in it, specially in the registry, prefetch ...etc 2. if Monitoring system is present even do you rename the files it will be sent to the monitoring system like Event Collector in 2k8, WMI, SNMP ..etc you will have to take in to account that. 3. Depending on the system you will require to first get the right privs, this venture might trigger HIPS, AV ..etc by it self. 4. Each AV, HIPS vendor out there have their own protection methods, there is not a a one size fits all approach to disable this countermeasures, you will have to install each in a lab and work a process for each one. 5. The use of Railgun will be a better approach since it does not interact with executables or writes to disk and only the DLL MACE is changed but this MACE is already changed by IR tools when they collect their volatile data off the system. 6. a good IR guy will notice the gap in time since windows just by running it is generating logs, not all logs are there. Just a couple of observations for your project. Cheers, Carlos On Sep 16, 2010, at 4:12 PM, Marco Polo wrote:Hi everybody! here is some request features, info about some bugs and questions about the roadmap. 1) About the stealthy script i made a proposition for: I thought it'd be great to add modifications to the "disable_audit.rb" script or making a new script that will rename each logs files to $file.evt(x).old. Renaming them doesn't change the mace time. Then for the roll back, just rename them to the original name so it'll overwrite the old files. It may change the mace time but we can change them again, plus it'll leave no new event in the log. Forget about editing them automatically atm: i wasn't able to find any OS' build in exe, scripts or tools under BSD licence that will allow us to convert them to an easily editable way (e.g: *.log , *.csv etc..) and running the event viewer under wine is a real pain depending of the version you're using.. But maybe the simple way is just to edit the disable_audit.rb so it'll display help and an option to rollback the file :) Informations needed for it: --------------------------- files location under vista/seven/2008 = %SystemRoot%\System32\Winevt\Logs\*evtx files location under 2000/NT/XP/2003 = %SystemRoot%\System32\Config\*.Evt file format under 2000 / NT = .evt file format under xp / 2003 = .evt file format under vista/seven/server 2008 = .evtx vista/seven cli utility to convert logs' format: "wevtutil" (requires admin privileges) .evt <> .evtx 2) About http://www.metasploit.com/redmine/issues/390 : "Arpscan for Meterpreter" Shouldn't it be closed? i thought it was done in r9733 and last modded in r10321 I mean, you guys accomplished more things that you want to tell us ;) 3) About http://www.metasploit.com/redmine/issues/608 : "Meterpreter should support a filesystem API for checking the existence of a file/dir" As POSIX & java meterpreter have the stdapi_ext shouldn't it be closed or nearly? see: http://www.metasploit.com/redmine/issues/2418#change-9532 : "Complete support for the POSIX Meterpreter" http://www.metasploit.com/redmine/issues/406 : "Full Java Payload Support" I couldn't find a dedicated ticket for the php meterpreter but i don't think it support it as it's last rev is 9393. Maybe create a ticket for the PHP meterpreter would help? 4) About http://www.metasploit.com/redmine/issues/2258 : "killav script fails to kill mcafee" Well... lots of mail in the mailing list about that atm :) In my last mail I made some propositions about the name of the A-V foundable in registry.. well it seems i was mistaken as i couldnt find it. Neither my google-fu nor my tests( extracting the registry before and after a-v installation (avg, avast & g-data) and compairing them) allowed me to find such a key.. So the idea is instead of looking for a specific executable in the "ps" list, why not searching in the list of installed software (already done in a script), then search with the new extension or by cmd all .exe's name in the installation path and then do as suggested in video's and some mails in the mailing list: search related services, disable them, then kill exe's ? Instead of having a list of exe to find, it'd be a list of folders. But here again, some A-V have diferents versions so diferents folders name.. But once in a while the joker can be on the good side?..(sorry for this ugly joke but i felt like i have to...) As usual, sorry for the long time taken reading this and for my typos Thx again for bringing us this wonderful tool :) M.P. _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.metasploit.com/pipermail/framework/attachments/20100916/86dde910/attachment-0001.html> ------------------------------ Message: 3 Date: Thu, 16 Sep 2010 17:03:12 -0400 From: Jonathan Cran <jcran () 0x0e org> To: Carlos Perez <carlos_perez () darkoperator com> Cc: framework () spool metasploit com Subject: Re: [framework] some ideas, roadmap cleanup, and ugly jokes.. Message-ID: <AANLkTikYFErSk3pntc25EffYnCAqnfegerBabyR4qw-Q () mail gmail com> Content-Type: text/plain; charset="utf-8"4. Each AV, HIPS vendor out there have their own protection methods, there is not a a one size fits all approach to disable this countermeasures, you will have to install each in a lab and work a process for each one. 5. The use of Railgun will be a better approach since it does not interact with executables or writes to disk and only the DLL MACE is changed but this MACE is already changed by IR tools when they collect their volatile data off the system.I'll echo Carlos, i've started working on disabling several of them - symantec, trend, and mcafee, but found that railgun is the proper approach to avoid both touching disk, and annoying / noisy commandshell popup windows. jcran -- Jonathan Cran jcran () 0x0e org 515.890.0070 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.metasploit.com/pipermail/framework/attachments/20100916/24b02730/attachment-0001.html> ------------------------------ Message: 4 Date: Thu, 16 Sep 2010 15:07:04 -0600 From: egypt () metasploit com To: Marco Polo <titjow () hotmail com> Cc: framework () spool metasploit com Subject: Re: [framework] some ideas, roadmap cleanup, and ugly jokes.. Message-ID: <AANLkTimyJCvB10sRi6pRhTJX-5tkewz2VcrYzf0pZYb7 () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 Ticket #608 is specifically referring to a particular API method that isn't currently implemented in any meterpreter. egypt On Thu, Sep 16, 2010 at 2:12 PM, Marco Polo <titjow () hotmail com> wrote:Hi everybody! here is some request features, info about some bugs and questions about the roadmap. 1) About the stealthy script i made a proposition for: I thought it'd be great to add modifications to the "disable_audit.rb" script or making a new script that will rename each logs files to $file.evt(x).old. Renaming them doesn't change the mace time. Then for the roll back, just rename them to the original name so it'll overwrite the old files. It may change the mace time but we can change them again, plus it'll leave no new event in the log. Forget about editing them automatically atm: i wasn't able to find any OS' build in exe, scripts or tools under BSD licence that will allow us to convert them to an easily editable way (e.g: *.log , *.csv etc..) and running the event viewer under wine is a real pain depending of the version you're using.. But maybe the simple way is just to edit the disable_audit.rb so it'll display help and an option to rollback the file :) Informations needed for it: --------------------------- files location under vista/seven/2008 = %SystemRoot%\System32\Winevt\Logs\*evtx files location under 2000/NT/XP/2003 = %SystemRoot%\System32\Config\*.Evt file format under 2000 / NT = .evt file format under xp / 2003 = .evt file format under vista/seven/server 2008 = .evtx vista/seven cli utility to convert logs' format: "wevtutil" (requires admin privileges) .evt <> .evtx 2) About http://www.metasploit.com/redmine/issues/390 : "Arpscan for Meterpreter" Shouldn't it be closed? i thought it was done in r9733 and last modded in r10321 I mean, you guys accomplished more things that you want to tell us ;) 3) About http://www.metasploit.com/redmine/issues/608 : "Meterpreter should support a filesystem API for checking the existence of a file/dir" As POSIX & java meterpreter have the stdapi_ext shouldn't it be closed or nearly? see: http://www.metasploit.com/redmine/issues/2418#change-9532 : "Complete support for the POSIX Meterpreter" http://www.metasploit.com/redmine/issues/406 : "Full Java Payload Support" I couldn't find a dedicated ticket for the php meterpreter but i don't think it support it as it's last rev is 9393. Maybe create a ticket for the PHP meterpreter would help? 4) About http://www.metasploit.com/redmine/issues/2258 : "killav script fails to kill mcafee" Well... lots of mail in the mailing list about that atm :) In my last mail I made some propositions about the name of the A-V foundable in registry.. well it seems i was mistaken as i couldnt find it. Neither my google-fu nor my tests( extracting the registry before and after a-v installation (avg, avast & g-data) and compairing them) allowed me to find such a key.. So the idea is instead of looking for a specific executable in the "ps" list, why not searching in the list of installed software (already done in a script), then search with the new extension or by cmd all .exe's name in the installation path and then do as suggested in video's and some mails in the mailing list: search related services, disable them, then kill exe's ? Instead of having a list of exe to find, it'd be a list of folders. But here again, some A-V have diferents versions so diferents folders name.. But once in a while the joker can be on the good side?..(sorry for this ugly joke but i felt like i have to...) As usual, sorry for the long time taken reading this and for my typos Thx again for bringing us this wonderful tool :) M.P. _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework------------------------------ _______________________________________________ framework mailing list framework () spool metasploit com https://mail.metasploit.com/mailman/listinfo/framework End of framework Digest, Vol 32, Issue 34 *****************************************_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Re: framework Digest, Vol 32, Issue 34 cons0ul (Sep 16)
- Re: framework Digest, Vol 32, Issue 34 Philip Sanderson (Sep 16)
- Re: framework Digest, Vol 32, Issue 34 Carlos Perez (Sep 17)