TheInterW3bs.com

Just another guy griping on his blog

Archive for category Windows

wmic not working

Mar 5

Posted by nick in Windows

I ran across a machine today that wasn’t letting me run wmic commands on it. I was getting a few different errors

Description = The RPC server is unavailable.
Facility = Win32
Parsing Mof File: C:\WINDOWS\System32\wbem\Cli.mof(Phase Error - 3)

After a good deal of fiddling I got it to work by doing the following

Stop winmgmt and it’s needed dependencies
goto \\remotemachine\c$\windows\system32\wbem
rename the Repository directory to something else
start winmgmt on the remotemachine
open cmd window via psexec on the remote machine and add a hkcu key

sc \\remotemachine stop winmgmt and it's needed deps
rename remotemachine's c:\windows\system32\wbem\repository
sc \\remotemachine start winmgmt
psexec \\remotemachine cmd.exe
reg add "hkcu\Environment" /v PROCESSOR_ARCHITECTURE /t REG_SZ /d x86

Then while still in the remote cmd window try wmic and it should work

wmic process list brief
No Comments

Kludge – a simple analysis script

Mar 1

Posted by nick in Forensics, Windows

Kludge – Kludge-2.9.zip

Whenever I needed to investigate a machine for whatever the reason is, whether an AV alert, IDS sensor alert, user call-in or whatever, I like to use some standard and simple repeatable steps. A while back, I put together a horribly coded batch script that is basically a wrapper to run a collection of different commands and tools that perform a handful of simple analysis steps. The script writes out the results into an awkward html report and after that it’s up to you to analyze the results. Of course these checks aren’t fool-proof investigative steps and there are a million ways to thwart detection but these checks are a decent start.

The script is broken down into a bat file and a vbs file and depending on what level of analysis you want you can choose how verbose you want the output. I could probably make a better script and perhaps just one script using nothing but vbscript but vbscript isn’t my cup of tea. I tried to make the script as non-intrusive to the user as possible so the user probably won’t notice.

Script Features
Can be run remotely without user interaction/knowledge

Gathers System Information – environment variables, OS info, path, drive info, partition info, user accounts, scheduled tasks, logged on users, shares, USB Device History, Installed Hotfixes and Service Packs

Network info – TCP/UDP Connections, Cached DNS, IP and route info, firewall info, hosts file contents, NetBios Connections, NetBios over TCP Connections, Cache and Resolution, NetBios Session Information

Process Information – lists all running processes, list all processes using wsock32.dll, Startup Apps, Services, Dlls, Open Handles

File Information – dumps IE and FF browser history, outputs contents of Program Files, Documents and Settings and Windows directories, searches for ADS files, md5 hashes of Windows and Docs&Settings directories, outputs event logs, outputs Flash version, Acrobat versions, Java Versions and lists version used by browser, Firefox version, outputs each user’s recyclebin contents, copies all user’s Flash Cookies, outputs any unsigned executables in the sys32 directory

Registry Information – outputs installed BHO’s, outputs a bunch of common reg keys, dumps HKLM, HKCU, HKCR, HKU, HKCC, copies Sam, Sam.log, Sam.sav, Security, Security.log, Security.sav, Software, Software.log, Software.sav, System, System.alt, System.log, System.sav, Default, Default.log, Default.sav, Userdiff, Userdiff.log, Ntuser.dat.log and each user’s NTUSER.DAT.  Outputs RegRipper plugins against each hive file, outputs RegSlack against each hive, outputs Regscan

AV – currently dumps McAfee logs and Symantec logs (XP and Vista), outputs quarantine folder contents, runs rootkit scans

Memory Analysis – dumps memory, dumps individual process memory, Virtual and Physical memory process analysis

Running the Script
There are a two different ways to run the script:  The bat file is for running locally.  The vbs file is for running remotely.  No matter what version you run when the script is done it cleans itself up and zips up the report.  Output detail levels are the same for both running remotely or locally.
The levels are the following
- 1 - short analysis
- 2 – detailed analysis
- 3 – detailed analysis includes all checks, md5 hashes, ads files output and full memory dumping along with individual process dumps.

Locally running the script
For locally running the script, use kludge.bat or use cscript to call the kludge.vbs file via the cmdline.
To run locally, unzip kludge.zip and place all the needed tools into a directory with kludge.bat/vbs.  Then to run the kludge.bat with a detail level of ’2′ do -
# kludge.bat 2

Remotely running the script
For running remotely use the kludge.vbs. The kludge.vbs will suppress the output on the user’s end, so the user will be unaware.
When you run the script you can use the following syntax.  Where ’2′ is the detail level.

kludge.vbs 2

To run remotely
# As Admin goto \\RemoteMachine\c$
# Copy the kludge folder containing all the tools and the 2 scripts to the remote machine’s (for example to c:\)
# Then as an Admin open a Command Prompt on your machine
# Change directories to wherever you keep psexec.exe and run the following picking 1, 2 or 3 for your output detail level

 psexec.exe \\RemoteMachine -u domain\AdminUserName -w c:\kludge cmd.exe /c c:\kludge\kludge.vbs 2

# Then copy the report to your machine

I also added a couple extra arguments in case you wanted to keep track of what machines you ran the script against and determine if you have run the script before against the same machine. To do this you could setup a share somewhere on the network and create a csv file on the share. Then execute the script like the following

 psexec.exe \\RemoteMachine -u domain\AdminUserName -w c:\kludge cmd.exe /c c:\kludge\kludge.vbs 3 123456 nick

Where ’3′ is the detail level, “12345″ could be a possible ticket number and “nick” is the analyst’s name. This info could be written to the remote share’s csv file and you could have the script search the csv file for any previous occurrences involving this machine and report on them.
I did not add the needed code for the csv write/read to the kludge.bat file since not everyone will use this, so to take advantage of this edit the bat file and add something like this near the top of the bat file.

echo ^Analysis Ran last on^ >> Report-%COMPUTERNAME%.html
echo ^ >> Report-%COMPUTERNAME%.html
grep %computername% \\192.168.1.1\Reports\reports.csv >> Report-%COMPUTERNAME%.html
echo %computername%,%date%,%2,%3 >> Report-%COMPUTERNAME%.html
echo %computername%,%date%,%2,%3 >> \\192.168.1.1\Reports\reports.csv

echo ^ >> Report-%COMPUTERNAME%.html

Getting the tools -
In order to run the script you will need to download some tools and since I can’t distribute them here are the links to them.
KludgeKludge-2.9.zip
Listdlls.exehttp://technet.microsoft.com/en-us/sysinternals/bb896656.aspx
handle.exehttp://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Psinfo.exehttp://technet.microsoft.com/en-us/sysinternals/bb897550.aspx
psloggedon.exehttp://technet.microsoft.com/en-us/sysinternals/bb897545.aspx
streams.exehttp://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
tcpvcon.exehttp://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
vmmap.exehttp://technet.microsoft.com/en-us/sysinternals/dd535533.aspx
autorunsc.exehttp://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
SigCheck.exehttp://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
procdump.exehttp://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

7za.exe – 7-Zip Command Line Version – http://www.7-zip.org/download.html
grep.exe, uniq.exe, cut.exehttp://sourceforge.net/projects/unxutils/
md5deep.exehttp://md5deep.sourceforge.net/
mdd.exe – physical memory acquisition tool – http://sourceforge.net/projects/mdd/files/
mbr.exe – GMER mbr rootkit scanner – http://www2.gmer.net/mbr/
sarcli.dll, sar1.dll, sar2.dll, sar3.dll, sar4.dll, sar5.dll, sar6.dll, MEMSWEEP.sys, helper.exe – Sophos sarcli.exe – http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
catchme.exe – rootkit/stealth malware scanner – http://www2.gmer.net/catchme.htm
rifiuti.exe, cygwin1.dllhttp://www.foundstone.com/us/resources/proddesc/rifiuti.htm
rip.exe, regscan.exe, regslack.exe, p2x588.dll and the plugins directory from regripperhttp://www.regripper.net/
HoboCopy.exehttp://sourceforge.net/projects/wangdera/files/HoboCopy/

I was asked to use some Windows binaries from a trusted source in case the machine I am analyzing has tainted exe’s so I set the script to call the following from the same folder as the script. You will need to copy the following exe’s into the same folder or simply edit the script removing the .\ from the command.

Arp.exe – native Windows command. Copy the binary from trusted box
At.exe – native Windows command. Copy the binary from trusted box
ipconfig.exe – native Windows command. Copy the binary from trusted box
nbtstat.exe – native Windows command. Copy the binary from trusted box
net.exe – native Windows command. Copy the binary from trusted box
netsh.exe – native Windows command. Copy the binary from trusted box
netstat.exe – native Windows command. Copy the binary from trusted box
route.exe – native Windows command. Copy the binary from trusted box
schtasks.exe – native Windows command. Copy the binary from trusted box

Please let me know if you have any suggestions, issues, modifications and/or comments.

No Comments

Kludge update

Feb 24

Posted by nick in Forensics, Windows

The script/post has been updated please refer to the following post for updated instructions

No Comments