Blog | Security Whole: Recent Comments

Comment on Finding Meterpreter

Tim Medin — Mon, 15 Feb 2010 03:40:44 GMT

Interesting idea. I would imagine would difficult to implement with reasonable accuracy.

And great post.

Comment on Finding Meterpreter

jah — Sat, 13 Feb 2010 02:18:15 GMT

I know that when you migrate meterpreter to a different process, you can see the change in that processes memory usage (private bytes, working set, etc). I bet if you did enough measuring, you could come up with a ballpark size as a signature for meterpreter. The problem with this approach is that you would need a baseline for the memory usage of each process on the machine.

This was a very interesting article and showed some nice techniques. I was recently doing some experimentation with metasploit and wrote a blog entry on my findings. If you're interested, the url is: http://jah-internship.blogspot.com/2010/02/simwitty-internship-week-4.html

Comment on Getting registry last write time with PowerShell

Tim Medin — Thu, 11 Feb 2010 16:38:13 GMT

The problem is each value does not have a timestamp, just the key. That means that you can't get the detail you want. It just isn't a feature that Windows provides.

To get the LastWriteTime of the Devices Key run the command at one key higher.

Get-RegTimestamp.ps1 HKCU "Software\Microsoft\Windows NT\CurrentVersion"

Key        LastWriteTime
---        -------------
...
Devices    2/11/2010 1:31:22 PM
...

Comment on Getting registry last write time with PowerShell

Paul — Thu, 11 Feb 2010 11:46:06 GMT

Hello,

I`m trying to find out the date on which a network printer was installed on the workstation. I`m using the registry keys in "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices\" to find this out. Unfortunately the above command does not return the information needed. all i get is " .\Get-RegKeyLastWriteTime.ps1
HKCU Software\Microsoft\Windows NT\CurrentVersion\Devices

Key LastWriteTime
--- -------------
CurrentVersion 27.01.2010 13:54:08
Shell 06.01.2010 14:18:47
ShellNoRoam 06.01.2010 15:02:40

Comment on Finding Meterpreter

Tim Medin — Mon, 01 Feb 2010 15:00:22 GMT

You would not be able to find it with this method since explorer already loads these dll's.

Comment on Finding Meterpreter

CG — Mon, 01 Feb 2010 14:19:54 GMT

if you migrate into explorer.exe to you see that same results?

Comment on Rickroll Meterpreter Script

Thorin — Thu, 08 Oct 2009 14:04:55 GMT

Thanks Tim!

Comment on Rickroll Meterpreter Script

Tim Medin — Thu, 08 Oct 2009 02:10:48 GMT

Just a typo, fixed.

Comment on Rickroll Meterpreter Script

Thorin — Mon, 05 Oct 2009 13:34:49 GMT

I'm confused about the -e option "Disable Keyboard & Keyboard" .....

See a lot of systems with dual keyboards?

Comment on www.microsoft.com and hosts file wierdness. Why?

Tim Medin — Thu, 01 Oct 2009 13:05:14 GMT

That is what I decided too, but I thought it was odd that I couldn't find any documentation on it.