Friday, February 26, 2010

First Python Script - Simple Windows Query Tool

Decided to take up Python based on rave reviews from all the programmers I work with. For my first go at it, I wrote a simple little program that will remotely grab information off of remote Windows machines as part of investigations. This was written in Python 3.x so I can't guarantee compatibility with Python 2.x.

The program makes calls to the PSTools suite as well as Nmap, so make sure that both are installed and that their directories are listed in your PATH environment variable.

When run, the program will scan the remote target using Nmap looking for well known Windows ports. If it sees the remote workstation online, it will continue to grab a wealth of information from the target and store that information into individual text files.

# Author: Skid Rock 02.26.2010
# Target Users: Individuals Conducting Windows Machine Investigations
# Target System: Remote Windows Workstations
# Syntax: <enter>

version = 0.1

import os

machine = input('\nPlease Enter Workstation IP Address:')
# SYN-scan the well-known Windows ports and save Nmap's output for parsing
os.system("nmap -sS " + machine + " -p 135,139,445 > scan.txt")

for line in open("scan.txt"):
    if "Host is up" in line:
        print ("\nHost " + machine + " appears to be online, grabbing information...\n")
        # Each PSTools command writes its output to its own text file
        os.system("psinfo -sc \\\\" + machine + " >" + machine + ".info.txt")
        os.system("pslist \\\\" + machine + " >" + machine + ".list.txt")
        os.system("psloggedon \\\\" + machine + " >" + machine + ".loggedon.txt")
        os.system("psfile \\\\" + machine + " >" + machine + ".file.txt")
        os.system("psloglist \\\\" + machine + " -d 7 -s Security >" + machine + ".eventlog.txt")
        os.system("psexec \\\\" + machine + " netstat -bnv >" + machine + ".netstat.txt")
        print ("\n\nCommand Completed Successfully...\n")
    if "Host seems down." in line:
        print ("\n\nHost " + machine + " appears down, or is not a Windows based OS, exiting...\n")
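The script above pastes whatever is typed at the prompt straight into shell command lines. The following is an added example, not the original author's code: it runs the same Nmap and PSTools commands but validates the address first and passes each command as an argument list with no shell. The function names and the IPv4-only restriction are assumptions of this example.

```python
import ipaddress
import subprocess

PORTS = "135,139,445"  # same well-known Windows ports the post scans

def validate_target(text):
    """Return a canonical IPv4 string; raise ValueError for anything else."""
    # IPv4 only (assumption): the address is reused in output file names.
    return str(ipaddress.IPv4Address(text.strip()))

def host_is_up(nmap_output):
    """True when Nmap's normal output reports the host as up."""
    return any("Host is up" in line for line in nmap_output.splitlines())

def build_commands(ip):
    """Map each output file to the argv list that fills it (tools as in the post)."""
    unc = "\\\\" + ip
    return {
        ip + ".info.txt": ["psinfo", "-sc", unc],
        ip + ".list.txt": ["pslist", unc],
        ip + ".loggedon.txt": ["psloggedon", unc],
        ip + ".file.txt": ["psfile", unc],
        ip + ".eventlog.txt": ["psloglist", unc, "-d", "7", "-s", "Security"],
        ip + ".netstat.txt": ["psexec", unc, "netstat", "-bnv"],
    }

def collect(ip, run=subprocess.run):
    """Scan, then run each tool without a shell; return the files written."""
    scan = run(["nmap", "-sS", ip, "-p", PORTS], capture_output=True, text=True)
    if not host_is_up(scan.stdout):
        return []
    written = []
    for outfile, argv in build_commands(ip).items():
        with open(outfile, "w") as fh:
            run(argv, stdout=fh, stderr=subprocess.STDOUT)
        written.append(outfile)
    return written

if __name__ == "__main__":
    try:
        target = validate_target(input("\nPlease Enter Workstation IP Address:"))
    except ValueError as err:
        raise SystemExit("Not an IPv4 address: %s" % err)
    files = collect(target)
    print("Wrote: " + ", ".join(files) if files else "Host appears down, exiting...")
```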

Wednesday, February 24, 2010

Xplico - Network Forensics

Finally had a chance to play with Xplico, recently updated to version 0.5.5. For those not familiar with Xplico, please visit the development page here.
In short, Xplico is an open source tool designed to aid in dissecting large network captures in .pcap format. It can also do live captures and report on sessions as they get discovered. Installing Xplico is not trivial, and required some trial and error on my part so here are the cliff notes based on an Ubuntu 9.10 installation.
apt-get install tcpdump tshark apache2 php5 php5-sqlite build-essential perl zlib1g-dev libpcap-dev libsqlite3-dev php5-cli libapache2-mod-php5 libx11-dev libxt-dev libxaw7-dev python-all sqlite3 recode libmysqlclient15-dev

mkdir xplico_install
cd xplico_install
tar zxvf xplico-0.5.x.tgz
tar zxvf GeoIP-1.4.6.tar.gz
cd GeoIP-1.4.6
make
cd ..
rm -f GeoIP-1.4.6.tar.gz
cd xplico-0.5.5
gzip -d GeoLiteCity.dat.gz
rm -f GeoLiteCity.dat.gz
cd ..
tar jxvf ghostpdl-8.70.tar.bz2
rm -f ghostpdl-8.70.tar.bz2
cd ghostpdl-8.70
make (this will take some time so go get coffee or something)
cd ..
cp ghostpdl-8.70/main/obj/pcl6 xplico-0.5.5
rm -rf ghostpdl-8.70
cd xplico-0.5.5
make install
cp /opt/xplico/cfg/apache_xi /etc/apache2/sites-enabled/xplico

- Edit /etc/apache2/ports.conf by adding the following:
# xplico Host port
NameVirtualHost *:9876
Listen 9876

- You will also have to edit the php.ini file located at /etc/php5/apache2/php.ini.
Find and modify both of these lines:
post_max_size = 200M
upload_max_filesize = 100M

a2enmod rewrite
/etc/init.d/apache2 restart

Once you get this laundry list complete, simply fire up Firefox and launch URL (if on local box) or http://(ip address):9876 if accessing remotely. Version 0.5.5 has a default username/password combination of xplico/xplico.

The first thing you'll want to do after logging in is create a new case. Xplico uses cases as top level and session as bottom level for all investigations. The screenshot below shows a session named example with multiple .pcap files uploaded and decoded by Xplico.

Navigating around the interface is fairly self explanatory but I've found it does a great job with decoding specific high level applications such as HTTP and FTP. Others may find value in its ability to decode Facebook chat and various types of email.

To reconstruct HTTP sessions, set Firefox's proxy settings to Xplico (below is a screenshot assuming Xplico is being run on localhost).

Click on the Web menu item and select what you want to view. In this case, I am looking at HTML. Select the HTTP conversation you want to inspect and click on the URL recorded by Xplico. It will reconstruct the HTTP session and display the session in a new window.

Future posts will go into more depth on Xplico as I have an opportunity to use it in real-world investigations. Kudos to the Xplico development team on a very promising tool...

Monday, February 22, 2010

Beginner's Setup Guide - Scrutinizer Netflow Analyzer

Scrutinizer is a Netflow repository tool created by Plixer. It provides a very intuitive GUI front-end that allows network administrators to quickly use collected Netflow data for auditing, troubleshooting, and reporting purposes.

There are two versions of Scrutinizer: a free version and a paid version. Note that the free version dumps the database every day at midnight, so you are limited in long-term analysis capabilities.

The following text assumes that you have a working knowledge of Netflow.

Scrutinizer “listens”; it does not poll network devices. This means that the configuration is very simple and is very common for Cisco devices. Listed below are very basic commands used to enable Netflow exportation on a Cisco 6500 device. Some of these commands are unique to the 6500 platform and will not be required on an ISR router, for example. Those unique platform commands are bolded below.

ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 9996
ip flow ingress layer2-switched vlan 10-11
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
mls nde sender version 5
mls aging long 64
mls aging normal 64
interface Vlan10
 ip route-cache flow
interface Vlan11
 ip route-cache flow
access-list 10 remark SNMP-access-list RO
access-list 10 permit
snmp-server community snmpread RO 10

Further information on setting up Netflow can be found here and here.
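Before pointing Scrutinizer at a device, it helps to confirm that well-formed version 5 export datagrams are actually arriving on the collector port. The following is an added example, not part of the original post or of Scrutinizer: a small NetFlow v5 parser and UDP listener that goes beyond the configuration above by decoding the standard v5 header and flow records. The function names and the sample datagram are constructed for this example.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, secs, _ns, seq, _et, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field is %d)" % version)
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _hop, _in, _out, pkts, octets, _first, _last, sport, dport,
         flags, proto, _tos, _sas, _das, _sm, _dm) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "tcp_flags": flags, "packets": pkts, "octets": octets})
    return {"unix_secs": secs, "sequence": seq, "count": count}, flows

# Constructed sample: one TCP flow to port 445, documentation addresses.
SAMPLE = HEADER.pack(5, 1, 1000, 1267000000, 0, 42, 0, 0, 0) + RECORD.pack(
    socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
    socket.inet_aton("0.0.0.0"), 1, 2, 10, 4200, 500, 900,
    49152, 445, 0x1B, 6, 0, 0, 0, 24, 24)

def listen(port=9996):
    """Print flows arriving on the collector port used in the config above."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, peer = sock.recvfrom(2048)
        try:
            header, flows = parse_v5(data)
        except ValueError as err:
            print(peer[0], "rejected:", err)
            continue
        for flow in flows:
            print(peer[0], header["sequence"], flow)

if __name__ == "__main__":
    print(parse_v5(SAMPLE))
```

Stop the Scrutinizer collector before calling listen(), since only one process can bind the UDP port at a time.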

Setting up your Scrutinizer installation to be accessible remotely is as simple as opening the configuration file located at "*\scrutinizer\apache2\conf\httpd.conf" and changing "ServerName localhost:8080" to something of your liking such as "Servername". Once completed, you can log in via a web browser (just remember to include the port of 8080 after the URL).

This will get your base installation completed. In future posts I'll go over how to configure Scrutinizer so you can get started with the Netflow analysis.

Wednesday, February 17, 2010

Impressions of CISSP

The CISSP is a certification governed by ISC2. It's an industry certification focusing on a variety of information security topics. In most cases I've seen, prospective employers either require it, or hold the certification in high esteem.

After going through the studying and taking of the test, here are some brief facts:

  • The test consists of 250 multiple choice questions.
  • Test taker has six hours to complete the test.
  • Test consists of a booklet (containing questions) and Scantron with number two pencils for the answers (yes, the same Scantron sheets used in grade school in the 80s and 90s).
  • Test costs $600 to take.

I found some very odd things concerning the test taking procedure. For example, this is a six hour test that you're expected to finish in one sitting. There was no coffee or sugar provided, so you need to be on top of your game for an awfully long time. As far as I could tell, food and drink were permitted; however, there was no literature provided recommending that candidates bring any. Now any test would be difficult to remain sharp for over that length of time, but when you're filling out multiple choice questions over a six hour period any brain will begin to fatigue as the letters all blend into one another.

ISC2 is a non-profit organization so why am I paying $600 for a pencil and Scantron test? Where exactly does my money go? Also, for a security test I did not get searched for any electronic devices so if I had a cheat sheet on my phone then it wouldn't be hard to put it in my lap if I chose to do so. If the proctor was in fact watching, I could simply excuse myself to the restroom as that was permitted as well...

My biggest complaint is the actual content of the test though. There are ten domains that the prospective CISSP candidate is expected to master yet the test was a farce when compared to the daily experiences of a security professional. I actually had one question where the correctness of the answer simply came down to whether I knew the difference between the words "objectivity" and "subjectivity". How in the world does that make me equipped to handle real world incident response?

All in all, I think the CISSP should consider some serious revamping to bring the level of value one would expect from someone who carries the credentials.

Oh, and don't think you will get results of the test in any short time frame - took me nearly two months to find out I passed.

Monday, February 15, 2010


If you are like me, you have A.D.D. I hate commercials with a passion, and I hate terrestrial radio nearly as much...

Long car rides can flare up my A.D.D. so I came up with a solution that made a recent four hour car ride bearable.

Stopped off at the local Apple store and purchased an auxiliary cable which allows the iPhone to plug into compatible car stereos. I watched as the clerk scanned my debit card with a wireless scanner (that drove me mental but I'll save that for another day).

Plugged my iPhone into the car stereo, and configured my own Pandora station and had commercial free music for four straight hours...