The most important file in a NTFS filesystem
During a forensic analysis, after evidence acquisition, the investigation starts with a timeline analysis, which extracts from the images all the information on when files were modified, accessed, changed and created.
Useful in forensic analysis and incident response
After all, the BSOD is also a useful feature!
One of the findings is really interesting (and funny!):
WannaCry can infect machines that still run Windows XP, but XP is so unstable and crashes too much to correctly spread the infection
In their sandbox, the researchers first manually executed WannaCry on a Windows 2008 machine, then tested propagation via the ETERNALBLUE exploit and sent the payload on using DOUBLEPULSAR.
Here’s the result:
- Windows XP with Service Pack 2 — No infection
- Windows XP with Service Pack 3 — Random blue-screen of death (BSOD) but no infection
- Windows 7 64 bit with Service Pack 1 — Infected after multiple attempts
- Windows Server 2008 with Service Pack 1 — Could not replicate infection, but reported exploited
Take a look at the full report on Kryptos Logic’s blog:
Google Project Zero’s researchers have discovered another critical remote code execution vulnerability in Microsoft’s Windows, and it seems to be something truly bad!
Microsoft immediately released a fix, and Project Zero released the vulnerability details:
“the worst Windows remote code execution vulnerability in recent memory”
Attack works against a default install, don't need to be on the same LAN, and it's wormable. 🔥
— Tavis Ormandy (@taviso) May 6, 2017
The researchers did not provide any further details, as Google gives a 90-day security disclosure deadline to all software vendors to patch their products and disclose it to the public.
I will update the post as soon as more information is available …
…turn off your Windows computers for the weekend and go enjoy the nice weather!
Some graphical tools and two command line tips
Usually on Windows I use Notepad++, which provides a convenient ‘Search in files’ feature, but this great tool has difficulty opening files larger than 2 GB.
However there are some other solutions on Windows:
- gVim: you need to be familiar with VI/VIM commands to use it, and it loads the entire file into memory.
- 010Editor: Opens giant (think 5 GB) files in binary mode and allow you to edit and search the text
- Liquid XML Community Edition: Opens and edits TB+ files instantly, supports UTF-8, Unicode etc.
- SlickEdit: Useful IDE that can open very large files
- Emacs: Must be compiled in 64-bit mode: it has a low maximum buffer size limit if compiled in 32-bit mode.
- glogg: Read only, allows search using regular expressions.
- PilotEdit: Loads entire file into memory first
- HxD: Hex editor, good for large files: portable version available
- LogExpert: opens smoothly log files greater than 6GB
- FileSeek: It can find text strings, or match regular expressions.
Furthermore, if you feel comfortable using the command line, there are some console solutions built into Windows:
The more command might be good enough:

```
Displays output one screen at a time.

MORE [/E [/C] [/P] [/S] [/Tn] [+n]] < [drive:][path]filename
command-name | MORE [/E [/C] [/P] [/S] [/Tn] [+n]]
MORE /E [/C] [/P] [/S] [/Tn] [+n] [files]

    [drive:][path]filename  Specifies a file to display one screen at a time.

    command-name    Specifies a command whose output will be displayed.

    /E      Enable extended features
    /C      Clear screen before displaying page
    /P      Expand FormFeed characters
    /S      Squeeze multiple blank lines into a single line
    /Tn     Expand tabs to n spaces (default 8)

            Switches can be present in the MORE environment
            variable.

    +n      Start displaying the first file at line n

    files   List of files to be displayed. Files in the list
            are separated by blanks.

    If extended features are enabled, the following commands
    are accepted at the -- More -- prompt:

    P n     Display next n lines
    S n     Skip next n lines
    F       Display next file
    Q       Quit
    =       Show line number
    ?       Show help line
    <space> Display next page
    <ret>   Display next line
```
There is also a Windows built-in program called findstr.exe with which you can search within files:

```
Searches for strings in files.

FINDSTR [/B] [/E] [/L] [/R] [/S] [/I] [/X] [/V] [/N] [/M] [/O] [/P] [/F:file]
        [/C:string] [/G:file] [/D:dir list] [/A:color attributes] [/OFF[LINE]]
        strings [[drive:][path]filename[ ...]]

  /B         Matches pattern if at the beginning of a line.
  /E         Matches pattern if at the end of a line.
  /L         Uses search strings literally.
  /R         Uses search strings as regular expressions.
  /S         Searches for matching files in the current directory and all
             subdirectories.
  /I         Specifies that the search is not to be case-sensitive.
  /X         Prints lines that match exactly.
  /V         Prints only lines that do not contain a match.
  /N         Prints the line number before each line that matches.
  /M         Prints only the filename if a file contains a match.
  /O         Prints character offset before each matching line.
  /P         Skip files with non-printable characters.
  /OFF[LINE] Do not skip files with offline attribute set.
  /A:attr    Specifies color attribute with two hex digits. See "color /?"
  /F:file    Reads file list from the specified file(/ stands for console).
  /C:string  Uses specified string as a literal search string.
  /G:file    Gets search strings from the specified file(/ stands for console).
  /D:dir     Search a semicolon delimited list of directories
  strings    Text to be searched for.
  [drive:][path]filename
             Specifies a file or files to search.

Use spaces to separate multiple search strings unless the argument is prefixed
with /C.  For example, 'FINDSTR "hello there" x.y' searches for "hello" or
"there" in file x.y.  'FINDSTR /C:"hello there" x.y' searches for
"hello there" in file x.y.

Regular expression quick reference:
  .        Wildcard: any character
  *        Repeat: zero or more occurrences of previous character or class
  ^        Line position: beginning of line
  $        Line position: end of line
  [class]  Character class: any one character in set
  [^class] Inverse class: any one character not in set
  [x-y]    Range: any characters within the specified range
  \x       Escape: literal use of metacharacter x
  \<xyz    Word position: beginning of word
  xyz\>    Word position: end of word

For full information on FINDSTR regular expressions refer to the online Command
Reference.
```

For example, to search all .txt files in the current directory and its subdirectories:

```
findstr /s "Login failed" *.txt
```
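As an added example (not from the original post), the same kind of search done in PowerShell: the file is streamed one line at a time, so multi-GB logs never have to fit in memory, and the pattern is a full .NET regular expression. The directory, file mask and pattern are assumptions for illustration.

```powershell
# Added example: a streaming counterpart of "findstr /S /N pattern *.txt".
# StreamReader reads line by line, so the log is never loaded into memory.
function Search-LargeFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Pattern,
        [switch] $CaseSensitive
    )
    $options = if ($CaseSensitive) { 'None' } else { 'IgnoreCase' }
    $regex   = [regex]::new($Pattern, [System.Text.RegularExpressions.RegexOptions]$options)
    # $true = detect the encoding from the BOM, so UTF-16 exports are read as text
    $reader  = [System.IO.StreamReader]::new($Path, [System.Text.Encoding]::UTF8, $true)
    $lineNo  = 0
    try {
        while ($null -ne ($line = $reader.ReadLine())) {
            $lineNo++
            $m = $regex.Match($line)
            if ($m.Success) {
                [pscustomobject]@{
                    File   = $Path
                    Line   = $lineNo        # like findstr /N
                    Column = $m.Index + 1   # position of the match inside the line
                    Text   = $line
                }
            }
        }
    }
    finally { $reader.Dispose() }
}

# Recurse over *.txt like "findstr /S" (hypothetical C:\Logs) and count hits per file
$hits = Get-ChildItem -Path 'C:\Logs' -Filter *.txt -Recurse -File |
    ForEach-Object { Search-LargeFile -Path $_.FullName -Pattern 'Login failed' }

$hits | Group-Object File |
    Select-Object @{ Name = 'File'; Expression = { $_.Name } }, Count |
    Sort-Object Count -Descending

# Keep the full hit list (file, line, column, text) for the investigation notes
$hits | Export-Csv -Path 'C:\Logs\login-failed-hits.csv' -NoTypeInformation
```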
Do you know other tools? I accept tips!
You are insane!
The vulnerability (CVE-2017-7269) is a buffer overflow in the WebDAV component of IIS:
A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application. According to the researchers who found this flaw, this vulnerability was exploited in the wild in July or August 2016. It was disclosed to the public on March 27.
What is WebDAV?
an extension of the HTTP protocol that allows clients to perform remote Web content authoring operations.
This vulnerability is exploited using the PROPFIND method and IF header. The PROPFIND method retrieves properties defined on the resource identified by the Request-URI. All the WebDAV-Compliant resources must support the PROPFIND method.
A proof-of-concept exploit was published by Github user edwardz246003:
The Python script exploits the vulnerability and sends a payload that only starts calc.exe on the remote machine, but other threat actors are now in the process of creating malicious code based on the original proof-of-concept (PoC) code.
IIS 6.0 was included with Windows Server 2003.
Unfortunately, Microsoft no longer supports the old OS version and won’t patch it, unless you have access to Custom Premium Support (yes, it’s really expensive!).
If you haven’t planned a Windows upgrade (newer versions of Windows Server ship with newer versions of IIS that are not affected by this vulnerability), you can mitigate the risk by disabling the WebDAV service on the vulnerable IIS 6.0 installations.
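After disabling WebDAV, it is worth confirming from the network that the server no longer advertises it. As an added example (not from the original post), the PowerShell check below sends an OPTIONS request and looks for the DAV: response header and for PROPFIND in the Allow: header, both of which an IIS with WebDAV enabled returns; the host names are constructed placeholders and the code assumes Windows PowerShell.

```powershell
# Added example: verify whether a web server still answers WebDAV (OPTIONS probe).
function Test-WebDavEnabled {
    param([Parameter(Mandatory)] [string] $Url)
    try {
        $resp    = Invoke-WebRequest -Uri $Url -Method Options -UseBasicParsing -ErrorAction Stop
        $headers = $resp.Headers
    }
    catch [System.Net.WebException] {
        # A 4xx/5xx reply still carries headers; inspect them instead of failing
        if (-not $_.Exception.Response) { throw }
        $headers = $_.Exception.Response.Headers
    }
    # "$( )" flattens string[] header values (PowerShell 7) into one string
    $dav   = "$($headers['DAV'])"
    $allow = "$($headers['Allow'])"
    [pscustomobject]@{
        Url            = $Url
        DavHeader      = $dav
        AllowsPropfind = [bool]($allow -match '\bPROPFIND\b')
        WebDavEnabled  = ($dav -ne '') -or ($allow -match '\bPROPFIND\b')
    }
}

# Probe a list of IIS 6.0 hosts (constructed names) and report the ones still exposed
'http://iis6-a.example.local/', 'http://iis6-b.example.local/' |
    ForEach-Object { Test-WebDavEnabled -Url $_ } |
    Where-Object WebDavEnabled |
    Format-Table Url, DavHeader, AllowsPropfind
```

A host that is correctly mitigated shows no DAV header and no PROPFIND in Allow, so it does not appear in the output.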
More technical information