Blog | Security Whole: Recent Comments

Comment on Finding Meterpreter

Ryan M. Ferris — Wed, 21 Jul 2010 01:37:06 GMT

Thanks for this post. I extended your post some. I found this PS code of interest:
$findMM=foreach ($id in ( Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*"} )) {write $id.MainModule}
$findMM | Select Modulename,FileName,ModuleMemorySize,Size,EntryPointAddress,BaseAddress,Description,Company | ft -auto

Comment on Finding Old or Unused Accounts with Powershell v2

Tim Medin — Mon, 29 Mar 2010 04:37:03 GMT

The property you need is called whenChanged.
Just add this line:
$searcher.PropertiesToLoad.Add("whenChanged") | out-null

Comment on Finding Old or Unused Accounts with Powershell v2

Chris — Sun, 28 Mar 2010 21:03:53 GMT

Thanks for the pagesize fix.

I'm trying to add another property, modificationdate, but aren't having much luck. I tried replacing one of your properties as a test as I thought it would be simple, but nope :(

Can you point me in the right direction please?

Comment on Finding Old or Unused Accounts with Powershell v2

Tim Medin — Wed, 24 Mar 2010 16:04:00 GMT

An Active Directory search, by default, returns only 1000 items. To around the issue you have to use the PageSize property.

$searcher.PageSize = 1000

"The way to get around that issue is to assign a value to the PageSize property. When you do that, your search script will return (in this case) the first 1,000 items, pause for a split second, then return the next 1,000. This process will continue until all the items meeting the search criteria have been returned." from http://www.microsoft.com/technet/scriptcenter/topics/winpsh/searchad.mspx

Comment on Finding Old or Unused Accounts with Powershell v2

Chris — Wed, 24 Mar 2010 03:57:15 GMT

Any reason it's only doing 1000 users?

Comment on Finding Meterpreter

Tim Medin — Mon, 15 Feb 2010 03:40:44 GMT

Interesting idea. I would imagine would difficult to implement with reasonable accuracy.

And great post.

Comment on Finding Meterpreter

jah — Sat, 13 Feb 2010 02:18:15 GMT

I know that when you migrate meterpreter to a different process, you can see the change in that processes memory usage (private bytes, working set, etc). I bet if you did enough measuring, you could come up with a ballpark size as a signature for meterpreter. The problem with this approach is that you would need a baseline for the memory usage of each process on the machine.

This was a very interesting article and showed some nice techniques. I was recently doing some experimentation with metasploit and wrote a blog entry on my findings. If you're interested, the url is: http://jah-internship.blogspot.com/2010/02/simwitty-internship-week-4.html

Comment on Getting registry last write time with PowerShell

Tim Medin — Thu, 11 Feb 2010 16:38:13 GMT

The problem is each value does not have a timestamp, just the key. That means that you can't get the detail you want. It just isn't a feature that Windows provides.

To get the LastWriteTime of the Devices Key run the command at one key higher.

Get-RegTimestamp.ps1 HKCU "Software\Microsoft\Windows NT\CurrentVersion"

Key        LastWriteTime
---        -------------
...
Devices    2/11/2010 1:31:22 PM
...

Comment on Getting registry last write time with PowerShell

Paul — Thu, 11 Feb 2010 11:46:06 GMT

Hello,

I`m trying to find out the date on which a network printer was installed on the workstation. I`m using the registry keys in "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices\" to find this out. Unfortunately the above command does not return the information needed. all i get is " .\Get-RegKeyLastWriteTime.ps1
HKCU Software\Microsoft\Windows NT\CurrentVersion\Devices

Key LastWriteTime
--- -------------
CurrentVersion 27.01.2010 13:54:08
Shell 06.01.2010 14:18:47
ShellNoRoam 06.01.2010 15:02:40

Comment on Finding Meterpreter

Tim Medin — Mon, 01 Feb 2010 15:00:22 GMT

You would not be able to find it with this method since explorer already loads these dll's.