29 May 2015
26 May 2015
volatility tips
1) To omit the profile and memory dump location from every command:
$ export VOLATILITY_PROFILE=Win7SP1x64
$ export VOLATILITY_LOCATION=file:///path/to/MEMORY.DMP
$ python vol.py imageinfo
2) connections/connscan/sockets/sockscan are for Windows XP/2003 only.
Use the netscan plugin for anything Vista/2008/Win7.
ref :
1) http://kromer.pl/malware-analysis/memory-forensics-using-volatility-toolkit-to-extract-malware-samples-from-memory-dump/
22 May 2015
ARP Broadcast: how IPScan gathers all IP and MAC addresses
ARP Broadcast
To send a packet to an IP:
- Get the MAC address of the destination
- Through an ARP broadcast
- The sender's MAC and IP are included in the ARP broadcast packet.
IPScan receives every ARP broadcast in the segment and keeps the list.
If there is an unregistered MAC address, it will spoof the IP owned by that MAC address.
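The collection step described above, as an added example (not IPScan's code): it parses raw Ethernet/ARP frames, records the sender MAC and IP that every ARP broadcast carries, and flags senders whose MAC is not on a registered list. The frames, MACs, IPs and the registered list are all constructed here; nothing is sent on the wire.

```python
import struct
from ipaddress import IPv4Address

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Construct an Ethernet+ARP request frame (sample input only, never transmitted)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_TYPE_ARP)   # broadcast dst
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)          # Ethernet, IPv4
    arp += sender_mac + IPv4Address(sender_ip).packed                   # SHA, SPA
    arp += b"\x00" * 6 + IPv4Address(target_ip).packed                  # THA, TPA
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) from a raw frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = str(IPv4Address(frame[28:32]))
    return op, sender_mac, sender_ip

def inventory(frames, registered_macs):
    """Keep the IP->MAC list from every ARP frame seen; return (table, unregistered senders)."""
    table, unregistered = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:          # non-ARP traffic on the segment is ignored
            continue
        _op, mac, ip = parsed
        table[ip] = mac
        if mac not in registered_macs:
            unregistered.append((ip, mac))
    return table, unregistered

# Constructed sample: two registered hosts and one unknown device on the segment.
REGISTERED = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
SAMPLE_FRAMES = [
    build_arp_request(bytes.fromhex("020000000001"), "192.168.1.10", "192.168.1.1"),
    build_arp_request(bytes.fromhex("020000000002"), "192.168.1.11", "192.168.1.1"),
    b"\x00" * 60,                                                    # non-ARP filler frame
    build_arp_request(bytes.fromhex("0200000000ee"), "192.168.1.77", "192.168.1.1"),
]

if __name__ == "__main__":
    seen, unknown = inventory(SAMPLE_FRAMES, REGISTERED)
    print(seen)      # {'192.168.1.10': '02:00:00:00:00:01', ...}
    print(unknown)   # [('192.168.1.77', '02:00:00:00:00:ee')]
```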
19 May 2015
psexec
Examples:
Launch an interactive command prompt on \\workstation64, the CMD prompt window will appear locally:
psexec \\workstation64 cmd
Execute a program that is already installed on the remote system:
psexec \\workstation64 "c:\Program Files\test.exe"
Connect to workstation64 and run IPCONFIG to display the remote PC's IP address:
psexec \\workstation64 ipconfig
Connect to workstation64 and list a directory:
psexec \\workstation64 -s cmd /c dir c:\work
Connect to workstation64 and copy a file from another server:
psexec \\workstation64 -s cmd /c copy \\server21\share45\file.ext c:\localpath
Execute IpConfig on the remote system, and display the output locally:
psexec \\workstation64 ipconfig /all
Copy the program test.exe to the remote system and execute it interactively, running under the account DannyGlover:
psexec \\workstation64 -c test.exe -u DannyGlover -p Pa55w0rd
Run Internet Explorer on the local machine but with limited-user privileges:
psexec -l -d "c:\program files\internet explorer\iexplore.exe"
Run Regedit on the local machine with SYSTEM privileges:
psexec -s -i regedit.exe
From PowerShell, run a VBscript on a remote workstation and pass some parameters:
PS C:\> $script='C:\Program Files\demo.vbs'
PS C:\> $args = "some more text"
PS C:\> psexec -s \\workstation64 c:\windows\system32\cscript.exe $script $args
ref -> http://ss64.com/nt/psexec.html