Sunday, January 31, 2010

Finding Meterpreter

In our recent post on the Command Line Kung Fu blog, Advanced Process Whack-a-Mole, we tried to find meterpreter using these two commands:

Windows command line:
C:\> tasklist /FI "modules eq metsrv.dll"
PowerShell
PS C:\> Get-Process | ? { $_.Modules -like "*(metsrv.dll)*" }
In version MetaSploit 3.3, and presumably future versions, the metsrv.dll is not visible due to Reflective DLL injection. It does work on v2 and v3.0-3.2. However, there are still footprints of meterpreter in v3.3. Two other dll's are loaded with meterpreter that many processes don't load.
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\IPHLPAPI.DLL
We can look for processes that have these two dll's loaded using either of these two commands.

Windows command line:
C:\> tasklist /fi "MODULES eq rsaenh.dll" /fi "MODULES eq iphlpapi.dll"
PowerShell
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
-and $_.Modules -like "*(iphlpapi.dll)*"}
The problem is, some processes load these dll's so it isn't a 100% sign of pwnage. The processes include:
explorer.exe
iexplore.exe
lsass.exe
svchost.exe
winlogon.exe
If IE were compromised it wouldn't be obvious, but it is obvious if Icecast was.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
-and $_.Modules -like "*(iphlpapi.dll)*"} | select ProcessName

ProcessName
-----------
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon
It is also apparent if meterpreter has been migrated to a process that doesn't normally load the dll's. In my testing I migrated to calc. Here are the results now.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
-and $_.Modules -like "*(iphlpapi.dll)*"} | select ProcessName

ProcessName
-----------
calc
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon
If we had a baseline of processes that load these dll's then we can use PowerShell to filter out processes that don't normally load the dll's.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
-and $_.Modules -like "*(iphlpapi.dll)*" -and
"explorer","iexplore","lsass","svchost","winlogon" -notcontains  $_.ProcessName }

ProcessName
-----------
calc
Icecast2

In this example Icecast2 was the initial point of compromise and meterpreter has migrated to calc.

While this isn't a perfect way to find meterpreter it is better than nothing.

UPDATE:
According to Stephen Fewer, one of the MetaSploit developers:
iphlpapi.dll is imported by the meterpreters stdapi extension for the route and ipconfig commands.


rsaenh.dll (The Microsoft Enhanced Cryptographic Provider DLL) is being loaded via advapi32.dll after a call from the openssl subsystem within meterpreter calling advapi32!CryptAcquireContext[1]

Monday, January 18, 2010

PowerShell IIS Log Objectifier

This script will read the W3C Extended Log File Format with the default logging options. If you add or remove columns from your log then you will have to modify this script.

################################################################
# Description: IIS Log Importer
# Version: 1.0
# Author: Tim Medin
# Email: TimMedin A@T securitywhole D.O.T com
# Note: This script will read the W3C Extended Log File Format
# with the default logging options. If you add or remove columns
# from your log then you will have to modify this script.
################################################################

param
(
  [
string] $Path
)

[
regex]$regex = '\s*(?<date>\S+)\s+(?<time>\S+)\s+(?<sitename>\S+)\s+(?<computername>\S+)\s+(?<ip>\S+)\s+(?<method>\S+)\s+(?<uristem>\S+)\s+(?<uriquery>\S+)\s+(?<port>\S+)\s+(?<username>\S+)\s+(?<sourceip>\S+)\s+(?<UserAgent>\S+)\s+(?<status>\S+)\s+(?<substatus>\S+)\s+(?<win32status>\S*)'

Get-Content
$Path | Select-String -Pattern "^[^#]" | % {
  if ($_ -match $regex) {
    $log = "" | Select TimeStamp, SiteName, ComputerName, IP, Method, UriStem, UriQuery, Port, Username, SourceIp, UserAgent, Status, SubStatus, Win32Status
    $log.TimeStamp = Get-Date "$($matches.Date) $($matches.Time)"
    $log.Sitename = $matches.Sitename
    $log.Computername = $matches.Computername
    $log.Ip = $matches.Ip
    $log.Method = $matches.Method
    $log.UriStem = $matches.UriStem
    $log.UriQuery = $matches.UriQuery
    $log.Port = $matches.Port
    $log.Username = $matches.Username
    $log.SourceIp = $matches.SourceIp
    $log.UserAgent = $matches.UserAgent
    $log.Status = $matches.Status
    $log.SubStatus = $matches.SubStatus
    $log.Win32Status = $matches.Win32Status
    $log
  }
}