Blog | Security Whole: Recent Comments

Comment on Finding Meterpreter

2010-07-21T01:37:06Z

Thanks for this post. I extended your post some. I found this PS code of interest:
$findMM=foreach ($id in ( Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*"} )) {write $id.MainModule}
$findMM | Select Modulename,FileName,ModuleMemorySize,Size,EntryPointAddress,BaseAddress,Description,Company | ft -auto

Comment on Finding Old or Unused Accounts with Powershell v2

2010-03-29T04:37:03Z

The property you need is called whenChanged.
Just add this line:
$searcher.PropertiesToLoad.Add("whenChanged") | out-null

Comment on Finding Old or Unused Accounts with Powershell v2

2010-03-28T21:03:53Z

Thanks for the pagesize fix.

I'm trying to add another property, modificationdate, but aren't having much luck. I tried replacing one of your properties as a test as I thought it would be simple, but nope :(

Can you point me in the right direction please?

Comment on Finding Old or Unused Accounts with Powershell v2

2010-03-24T16:04:00Z

An Active Directory search, by default, returns only 1000 items. To around the issue you have to use the PageSize property.

$searcher.PageSize = 1000

"The way to get around that issue is to assign a value to the PageSize property. When you do that, your search script will return (in this case) the first 1,000 items, pause for a split second, then return the next 1,000. This process will continue until all the items meeting the search criteria have been returned." from http://www.microsoft.com/technet/scriptcenter/topics/winpsh/searchad.mspx

Comment on Finding Old or Unused Accounts with Powershell v2

2010-03-24T03:57:15Z

Any reason it's only doing 1000 users?

Comment on Finding Meterpreter

2010-02-15T03:40:44Z

Interesting idea. I would imagine would difficult to implement with reasonable accuracy.

And great post.

Comment on Finding Meterpreter

2010-02-13T02:18:15Z

I know that when you migrate meterpreter to a different process, you can see the change in that processes memory usage (private bytes, working set, etc). I bet if you did enough measuring, you could come up with a ballpark size as a signature for meterpreter. The problem with this approach is that you would need a baseline for the memory usage of each process on the machine.

This was a very interesting article and showed some nice techniques. I was recently doing some experimentation with metasploit and wrote a blog entry on my findings. If you're interested, the url is: http://jah-internship.blogspot.com/2010/02/simwitty-internship-week-4.html

Comment on Getting registry last write time with PowerShell

2010-02-11T16:38:13Z

The problem is each value does not have a timestamp, just the key. That means that you can't get the detail you want. It just isn't a feature that Windows provides.

To get the LastWriteTime of the Devices Key run the command at one key higher.

Get-RegTimestamp.ps1 HKCU "Software\Microsoft\Windows NT\CurrentVersion"

Key        LastWriteTime
---        -------------
...
Devices    2/11/2010 1:31:22 PM
...

Comment on Getting registry last write time with PowerShell

2010-02-11T11:46:06Z

Hello,

I`m trying to find out the date on which a network printer was installed on the workstation. I`m using the registry keys in "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices\" to find this out. Unfortunately the above command does not return the information needed. all i get is " .\Get-RegKeyLastWriteTime.ps1
HKCU Software\Microsoft\Windows NT\CurrentVersion\Devices

Key LastWriteTime
--- -------------
CurrentVersion 27.01.2010 13:54:08
Shell 06.01.2010 14:18:47
ShellNoRoam 06.01.2010 15:02:40

Comment on Finding Meterpreter

2010-02-01T15:00:22Z

You would not be able to find it with this method since explorer already loads these dll's.