Re: NT Compromise

From: H C (keydet89at_private)
Date: Thu Dec 20 2001 - 04:57:08 PST

Next message: Paulo Braga: "Re: NT Compromise"

Previous message: H C: "Re: Newest Nimda variant? Scanning ftp,telnet,smtp,snmp?"
In reply to: Eric Hines: "NT Compromise"
Next in thread: Paulo Braga: "Re: NT Compromise"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I am responding to several compromised NT boxes and
> am trying to find a
> utility that will allow you to see what program is
> bound to a particular
> port. 

I saw several references to inzider and tools
available from SysInternals, but of all the responses
that showed up in my inbox, I did not see a single
response that mentioned FoundStone's fport.exe.  

The reason I mention this tool isn't b/c it's
necessarily 'better' than than the others, but b/c I
also teach an NT/2K incident response course...and in
order to get volatile data (like network connections,
etc) off of the box, the best way to do so w/o making
a lot of changes to the victim system itself is to use
CLI tools and pipe the output through a socket to
another system.  Netcat and cryptcat are good for
this, but neither one returns when the app itself has
finished executing.  I've been working on another tool
for this purpose.

> I think I've seen one that shows what ports
> are bound to
> command.com, but need something similar for other
> programs/trojans/etc.

Eric, I have to admit...this makes no sense to me. 
But I could simply be misunderstanding...could you
elaborate on this a bit?

> Is there something available? Has anyone seen a
> compromised NT box with
> port 6667 open that does not seem to be running an
> IRCD? Check out the
> below snippit from netstat. I've tried connecting to
> the 6667 port with
> MiRC.. Nothing at all! 

Did you try telnet or netcat?  

> On this note, can anyone recommend
> a good forensics
> toolkit for Windows to be used on compromised
> machines?

Are you looking for an incident response toolkit?  Or
do you want forensics?  Making an image w/ SafeBack is
a good idea, then copy that image or make another w/
EnCase, if you want to do full forensics.  However, if
you just want to collect volatile data from the
system, plus get some other things, send me an email
and I'll compile a list of tools and procedures...I
don't want to inundate the list w/ info that no one
else wants.



__________________________________________________
Do You Yahoo!?
Check out Yahoo! Shopping and Yahoo! Auctions for all of
your unique holiday gifts! Buy at http://shopping.yahoo.com
or bid at http://auctions.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Paulo Braga: "Re: NT Compromise"
Previous message: H C: "Re: Newest Nimda variant? Scanning ftp,telnet,smtp,snmp?"
In reply to: Eric Hines: "NT Compromise"
Next in thread: Paulo Braga: "Re: NT Compromise"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 08:39:51 PST