29 May 2015

Virtual Address Space

Paged system

Pay Attention at 'Page Table'. This is how the translation from virtual address to physical address.

1) http://wiki.osdev.org/Paging

26 May 2015

volatility tips

to omit profile and memory_dump location

$ export VOLATILITY_LOCATION=file:///path/to/MEMORY.DMP

$ python vol.py imageinfo

Connections/conscan/sockets/sockscan are for Windows XP/2003 only.
netscan plugin for anything Vista/2008/Win7

ref : 
1) http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&cad=rja&uact=8&ved=0CFUQFjAO&url=http%3A%2F%2Fkromer.pl%2Fmalware-analysis%2Fmemory-forensics-using-volatility-toolkit-to-extract-malware-samples-from-memory-dump%2F&ei=rEFkVa6xJsytuQSn0IHIBg&usg=AFQjCNEeYqBZ6ya72XwBSQ5NAoe7oGuELw&bvm=bv.93990622,d.c2E

22 May 2015

ARP Broadcast: how ipscan gather all ip n mac address

ARP Broadcast

ARP Broadcast

To send packet to an IP,

  • Get MAC address of the destination
    • Through ARP Broadcast
  • MAC and IP sender is included in the arp broadcast packet.

IPScan will receive all arp broadcast in the segment, and keep the list.
If there are any unregistered MAC address, it will spoof the IP own by the MAC Address.

19 May 2015



Launch an interactive command prompt on \\workstation64, the CMD prompt window will appear locally:
psexec \\workstation64 cmd
Execute a program that is already installed on the remote system:
psexec \\workstation64 "c:\Program Files\test.exe"
Connect to workstation64 and run IPCONFIG to display the remote PC's IP address:
psexec \\workstation64 ipconfig
Connect to workstation64 and list a directory:
psexec \\workstation64 -s cmd /c dir c:\work
Connect to workstation64 and copy a file from another server:
psexec \\workstation64 -s cmd /c copy \\server21\share45\file.ext c:\localpath
Execute IpConfig on the remote system, and display the output locally:
psexec \\workstation64 ipconfig /all
Copy the program test.exe to the remote system and execute it interactively, running under the account DannyGlover:
psexec \\workstation64 -c test.exe -u DannyGlover -p Pa55w0rd
Run Internet Explorer on the local machine but with limited-user privileges:
psexec -l -d "c:\program files\internet explorer\iexplore.exe"
Run Regedit on the local machine with SYSTEM privileges:
psexec -s -i regedit.exe
From PowerShell, run a VBscript on a remote workstation and pass some parameters:
PS C:> $script='C:\Program Files\demo.vbs'
PS C:> $args = "some more text"
PS C:> psexec -s \\workstation64 c:\windows\system32\cscript.exe $script $args

ref -> http://ss64.com/nt/psexec.html