Re: framework Digest, Vol 32, Issue 34

[Carlos Perez <carlos_perez () darkoperator com>]

It has been implemented as a meterpreter script, I will close the ticket 

Cheers,
Carlos

On Sep 17, 2010, at 1:51 AM, cons0ul wrote:

> Hi list,
>
> This will sound naive but whatever
>
> Feature #390 -- Add a quick arp scanning function to Meterpreter
> Can somebody gives the status of above issue ?
> I mean is it implemented or still open ?
>
> Regards
> cons0ul
>
> On Fri, Sep 17, 2010 at 2:37 AM,
> <framework-request () spool metasploit com> wrote:
> > Send framework mailing list submissions to
> >        framework () spool metasploit com
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >        https://mail.metasploit.com/mailman/listinfo/framework
> > or, via email, send a message with subject or body 'help' to
> >        framework-request () spool metasploit com
> >
> > You can reach the person managing the list at
> >        framework-owner () spool metasploit com
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of framework digest..."
> >
> >
> > Today's Topics:
> >
> >   1. some ideas, roadmap cleanup, and ugly jokes.. (Marco Polo)
> >   2. Re: some ideas, roadmap cleanup, and ugly jokes.. (Carlos Perez)
> >   3. Re: some ideas, roadmap cleanup, and ugly jokes.. (Jonathan Cran)
> >   4. Re: some ideas, roadmap cleanup, and ugly jokes..
> >      (egypt () metasploit com)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Thu, 16 Sep 2010 20:12:56 +0000
> > From: Marco Polo <titjow () hotmail com>
> > To: <framework () spool metasploit com>
> > Subject: [framework] some ideas, roadmap cleanup, and ugly jokes..
> > Message-ID: <SNT136-w4142B824F8C27F04FF0D77D47A0 () phx gbl>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> >
> > Hi everybody!
> >
> > here is some request features, info about some bugs and questions about the roadmap.
> >
> >
> > 1) About the stealthy script i made a proposition for:
> >
> > I thought it'd be great to add modifications to the "disable_audit.rb" script or making a new script that will 
> > rename each logs files to $file.evt(x).old.
> > Renaming them doesn't change the mace time.
> > Then for the roll back, just rename them to the original name so it'll overwrite the old files. It may change the 
> > mace time but we can change them again,
> > plus it'll leave no new event in the log.
> >
> > Forget about editing them automatically atm: i wasn't able to find any OS' build in exe, scripts or tools under BSD 
> > licence that will allow us to convert them
> > to an easily editable way (e.g: *.log , *.csv etc..) and running the event viewer under wine is a real pain 
> > depending of the version you're using..
> > But maybe the simple way is just to edit the disable_audit.rb so it'll display help and an option to rollback the 
> > file :)
> >
> >
> > Informations needed for it:
> > ---------------------------
> >
> > files location under vista/seven/2008 = %SystemRoot%\System32\Winevt\Logs\*evtx
> > files location under 2000/NT/XP/2003 = %SystemRoot%\System32\Config\*.Evt
> >
> > file format under 2000 / NT = .evt
> > file format under xp / 2003 = .evt
> > file format under vista/seven/server 2008 = .evtx
> >
> > vista/seven cli utility to convert logs' format: "wevtutil" (requires admin privileges) .evt <> .evtx
> >
> >
> > 2) About http://www.metasploit.com/redmine/issues/390 : "Arpscan for Meterpreter"
> >
> > Shouldn't it be closed? i thought it was done in r9733 and last modded in r10321
> >
> > I mean, you guys accomplished more things that you want to tell us ;)
> >
> > 3) About http://www.metasploit.com/redmine/issues/608 : "Meterpreter should support a filesystem API for checking 
> > the existence of a file/dir"
> >
> > As POSIX & java meterpreter have the stdapi_ext shouldn't it be closed or nearly? see:
> >
> > http://www.metasploit.com/redmine/issues/2418#change-9532 : "Complete support for the POSIX Meterpreter"
> > http://www.metasploit.com/redmine/issues/406 : "Full Java Payload Support"
> >
> > I couldn't find a dedicated ticket for the php meterpreter but i don't think it support it as it's last rev is 9393. 
> > Maybe create a ticket for the PHP
> > meterpreter would help?
> >
> > 4) About http://www.metasploit.com/redmine/issues/2258 : "killav script fails to kill mcafee"
> >
> > Well... lots of mail in the mailing list about that atm :)
> >
> > In my last mail I made some propositions about the name of the A-V foundable in registry.. well it seems i was 
> > mistaken as i couldnt find it. Neither my
> > google-fu nor my tests( extracting the registry before and after a-v installation (avg, avast & g-data) and 
> > compairing them) allowed me to find such a key..
> >
> > So the idea is instead of looking for a specific executable in the "ps" list, why not searching in the list of 
> > installed software (already done in a script),
> > then search with the new extension or by cmd all .exe's name in the installation path and then do as suggested in 
> > video's and some mails in the mailing list:
> > search related services, disable them, then kill exe's ?
> >
> > Instead of having a list of exe to find, it'd be a list of folders. But here again, some A-V have diferents versions 
> > so diferents folders name.. But once in a
> > while the joker can be on the good side?..(sorry for this ugly joke but i felt like i have to...)
> >
> >
> > As usual, sorry for the long time taken reading this and for my typos
> >
> > Thx again for bringing us this wonderful tool :)
> >
> > M.P.
> >
> >
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <http://mail.metasploit.com/pipermail/framework/attachments/20100916/bda40141/attachment-0001.html>
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Thu, 16 Sep 2010 16:33:43 -0400
> > From: Carlos Perez <carlos_perez () darkoperator com>
> > To: Marco Polo <titjow () hotmail com>
> > Cc: framework () spool metasploit com
> > Subject: Re: [framework] some ideas, roadmap cleanup, and ugly jokes..
> > Message-ID: <C2812674-BE43-4A01-A64F-521884282341 () darkoperator com>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Thanks for pointing out those tickets that where left open. some things to consider:
> >
> > 1. The use of any system executable will increase the number of artifacts left by your presence in it, specially in 
> > the registry, prefetch ...etc
> > 2. if Monitoring system is present even do you rename the files it will be sent to the monitoring system like Event 
> > Collector in 2k8, WMI, SNMP ..etc you will have to take in to account that.
> > 3. Depending on the system you will require to first get the right privs, this venture might trigger HIPS, AV ..etc 
> > by it self.
> > 4. Each AV, HIPS vendor out there have their own protection methods, there is not a a one size fits all approach to 
> > disable this countermeasures, you will have to install each in a lab and work a process for each one.
> > 5. The use of Railgun will be a better approach since it does not interact with executables or writes to disk and 
> > only the DLL MACE is changed but this MACE is already changed by IR tools when they collect their volatile data off 
> > the system.
> > 6. a good IR guy will notice the gap in time since windows just by running it is generating logs, not all logs are 
> > there.
> >
> > Just a couple of observations for your project.
> >
> > Cheers,
> > Carlos
> >
> > On Sep 16, 2010, at 4:12 PM, Marco Polo wrote:
> >
> > > Hi everybody!
> > >
> > > here is some request features, info about some bugs and questions about the roadmap.
> > >
> > >
> > > 1) About the stealthy script i made a proposition for:
> > >
> > > I thought it'd be great to add modifications to the "disable_audit.rb" script or making a new script that will 
> > > rename each logs files to $file.evt(x).old.
> > > Renaming them doesn't change the mace time.
> > > Then for the roll back, just rename them to the original name so it'll overwrite the old files. It may change the 
> > > mace time but we can change them again,
> > > plus it'll leave no new event in the log.
> > >
> > > Forget about editing them automatically atm: i wasn't able to find any OS' build in exe, scripts or tools under BSD 
> > > licence that will allow us to convert them
> > > to an easily editable way (e.g: *.log , *.csv etc..) and running the event viewer under wine is a real pain 
> > > depending of the version you're using..
> > > But maybe the simple way is just to edit the disable_audit.rb so it'll display help and an option to rollback the 
> > > file :)
> > >
> > >
> > > Informations needed for it:
> > > ---------------------------
> > >
> > > files location under vista/seven/2008 = %SystemRoot%\System32\Winevt\Logs\*evtx
> > > files location under 2000/NT/XP/2003 = %SystemRoot%\System32\Config\*.Evt
> > >
> > > file format under 2000 / NT = .evt
> > > file format under xp / 2003 = .evt
> > > file format under vista/seven/server 2008 = .evtx
> > >
> > > vista/seven cli utility to convert logs' format: "wevtutil" (requires admin privileges) .evt <> .evtx
> > >
> > >
> > > 2) About http://www.metasploit.com/redmine/issues/390 : "Arpscan for Meterpreter"
> > >
> > > Shouldn't it be closed? i thought it was done in r9733 and last modded in r10321
> > >
> > > I mean, you guys accomplished more things that you want to tell us ;)
> > >
> > > 3) About http://www.metasploit.com/redmine/issues/608 : "Meterpreter should support a filesystem API for checking 
> > > the existence of a file/dir"
> > >
> > > As POSIX & java meterpreter have the stdapi_ext shouldn't it be closed or nearly? see:
> > >
> > > http://www.metasploit.com/redmine/issues/2418#change-9532 : "Complete support for the POSIX Meterpreter"
> > > http://www.metasploit.com/redmine/issues/406 : "Full Java Payload Support"
> > >
> > > I couldn't find a dedicated ticket for the php meterpreter but i don't think it support it as it's last rev is 
> > > 9393. Maybe create a ticket for the PHP
> > > meterpreter would help?
> > >
> > > 4) About http://www.metasploit.com/redmine/issues/2258 : "killav script fails to kill mcafee"
> > >
> > > Well... lots of mail in the mailing list about that atm :)
> > >
> > > In my last mail I made some propositions about the name of the A-V foundable in registry.. well it seems i was 
> > > mistaken as i couldnt find it. Neither my
> > > google-fu nor my tests( extracting the registry before and after a-v installation (avg, avast & g-data) and 
> > > compairing them) allowed me to find such a key..
> > >
> > > So the idea is instead of looking for a specific executable in the "ps" list, why not searching in the list of 
> > > installed software (already done in a script),
> > > then search with the new extension or by cmd all .exe's name in the installation path and then do as suggested in 
> > > video's and some mails in the mailing list:
> > > search related services, disable them, then kill exe's ?
> > >
> > > Instead of having a list of exe to find, it'd be a list of folders. But here again, some A-V have diferents 
> > > versions so diferents folders name.. But once in a
> > > while the joker can be on the good side?..(sorry for this ugly joke but i felt like i have to...)
> > >
> > >
> > > As usual, sorry for the long time taken reading this and for my typos
> > >
> > > Thx again for bringing us this wonderful tool :)
> > >
> > > M.P.
> > >
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> >
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <http://mail.metasploit.com/pipermail/framework/attachments/20100916/86dde910/attachment-0001.html>
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Thu, 16 Sep 2010 17:03:12 -0400
> > From: Jonathan Cran <jcran () 0x0e org>
> > To: Carlos Perez <carlos_perez () darkoperator com>
> > Cc: framework () spool metasploit com
> > Subject: Re: [framework] some ideas, roadmap cleanup, and ugly jokes..
> > Message-ID:
> >        <AANLkTikYFErSk3pntc25EffYnCAqnfegerBabyR4qw-Q () mail gmail com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > > 4. Each AV, HIPS vendor out there have their own protection methods, there
> > > is not a a one size fits all approach to disable this countermeasures, you
> > > will have to install each in a lab and work a process for each one.
> > > 5. The use of Railgun will be a better approach since it does not interact
> > > with executables or writes to disk and only the DLL MACE is changed but this
> > > MACE is already changed by IR tools when they collect their volatile data
> > > off the system.
> >
> > I'll echo Carlos, i've started working on disabling several of them -
> > symantec, trend, and mcafee, but found that railgun is the proper approach
> > to avoid both touching disk, and annoying / noisy commandshell popup
> > windows.
> >
> > jcran
> >
> > --
> > Jonathan Cran
> > jcran () 0x0e org
> > 515.890.0070
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <http://mail.metasploit.com/pipermail/framework/attachments/20100916/24b02730/attachment-0001.html>
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Thu, 16 Sep 2010 15:07:04 -0600
> > From: egypt () metasploit com
> > To: Marco Polo <titjow () hotmail com>
> > Cc: framework () spool metasploit com
> > Subject: Re: [framework] some ideas, roadmap cleanup, and ugly jokes..
> > Message-ID:
> >        <AANLkTimyJCvB10sRi6pRhTJX-5tkewz2VcrYzf0pZYb7 () mail gmail com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > Ticket #608 is specifically referring to a particular API method that
> > isn't currently implemented in any meterpreter.
> >
> > egypt
> >
> > On Thu, Sep 16, 2010 at 2:12 PM, Marco Polo <titjow () hotmail com> wrote:
> > > Hi everybody!
> > >
> > > here is some request features, info about some bugs and questions about the
> > > roadmap.
> > >
> > >
> > > 1) About the stealthy script i made a proposition for:
> > >
> > > I thought it'd be great to add modifications to the "disable_audit.rb"
> > > script or making a new script that will rename each logs files to
> > > $file.evt(x).old.
> > > Renaming them doesn't change the mace time.
> > > Then for the roll back, just rename them to the original name so it'll
> > > overwrite the old files. It may change the mace time but we can change them
> > > again,
> > > plus it'll leave no new event in the log.
> > >
> > > Forget about editing them automatically atm: i wasn't able to find any OS'
> > > build in exe, scripts or tools under BSD licence that will allow us to
> > > convert them
> > > to an easily editable way (e.g: *.log , *.csv etc..) and running the event
> > > viewer under wine is a real pain depending of the version you're using..
> > > But maybe the simple way is just to edit the disable_audit.rb so it'll
> > > display help and an option to rollback the file :)
> > >
> > >
> > > Informations needed for it:
> > > ---------------------------
> > >
> > > files location under vista/seven/2008 =
> > > %SystemRoot%\System32\Winevt\Logs\*evtx
> > > files location under 2000/NT/XP/2003 = %SystemRoot%\System32\Config\*.Evt
> > >
> > > file format under 2000 / NT = .evt
> > > file format under xp / 2003 = .evt
> > > file format under vista/seven/server 2008 = .evtx
> > >
> > > vista/seven cli utility to convert logs' format: "wevtutil" (requires admin
> > > privileges) .evt <> .evtx
> > >
> > >
> > > 2) About http://www.metasploit.com/redmine/issues/390 : "Arpscan for
> > > Meterpreter"
> > >
> > > Shouldn't it be closed? i thought it was done in r9733 and last modded in
> > > r10321
> > >
> > > I mean, you guys accomplished more things that you want to tell us ;)
> > >
> > > 3) About http://www.metasploit.com/redmine/issues/608 : "Meterpreter should
> > > support a filesystem API for checking the existence of a file/dir"
> > >
> > > As POSIX & java meterpreter have the stdapi_ext shouldn't it be closed or
> > > nearly? see:
> > >
> > > http://www.metasploit.com/redmine/issues/2418#change-9532 : "Complete
> > > support for the POSIX Meterpreter"
> > > http://www.metasploit.com/redmine/issues/406 : "Full Java Payload Support"
> > >
> > > I couldn't find a dedicated ticket for the php meterpreter but i don't think
> > > it support it as it's last rev is 9393. Maybe create a ticket for the PHP
> > > meterpreter would help?
> > >
> > > 4) About http://www.metasploit.com/redmine/issues/2258 : "killav script
> > > fails to kill mcafee"
> > >
> > > Well... lots of mail in the mailing list about that atm :)
> > >
> > > In my last mail I made some propositions about the name of the A-V foundable
> > > in registry.. well it seems i was mistaken as i couldnt find it. Neither my
> > > google-fu nor my tests( extracting the registry before and after a-v
> > > installation (avg, avast & g-data) and compairing them) allowed me to find
> > > such a key..
> > >
> > > So the idea is instead of looking for a specific executable in the "ps"
> > > list, why not searching in the list of installed software (already done in a
> > > script),
> > > then search with the new extension or by cmd all .exe's name in the
> > > installation path and then do as suggested in video's and some mails in the
> > > mailing list:
> > > search related services, disable them, then kill exe's ?
> > >
> > > Instead of having a list of exe to find, it'd be a list of folders. But here
> > > again, some A-V have diferents versions so diferents folders name.. But once
> > > in a
> > > while the joker can be on the good side?..(sorry for this ugly joke but i
> > > felt like i have to...)
> > >
> > >
> > > As usual, sorry for the long time taken reading this and for my typos
> > >
> > > Thx again for bringing us this wonderful tool :)
> > >
> > > M.P.
> > >
> > >
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > framework mailing list
> > framework () spool metasploit com
> > https://mail.metasploit.com/mailman/listinfo/framework
> >
> >
> > End of framework Digest, Vol 32, Issue 34
> > *****************************************
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework