July 31, 2006

Windows Command-Line Kung Fu (1)

Everything started about 4 months ago, when Ed Skoudis posted an entry in the ISC Handler's Diary explaining how to improve your Windows infosec skills using the built-in WMIC command-line tool.

I strongly encourage you to read this post (especially if you're a Unix techie) and enjoy the fun of managing a Windows box from the dark command prompt. After running a few wmic commands you won't know if you're in a bash or DOS shell!! ;-)

The list of Windows command-line kung-fu tools was extended with the famous netsh and the newer tasklist and taskkill tools. All these tools (WMIC included) are detailed in the previous ISC post, plus:

Ed Skoudis and Tom Liston started researching these Windows capabilities and tools while analyzing industry-leading enterprise anti-spyware tools. As a result they also released a benign spyware-like tool, called Spycar. It is a free suite of tools (samples) that lets you test your anti-spyware defenses.

During their research, they had to deal with a system full of all types of spy/malware where no GUI was available. Besides, they tried to avoid an incident response that relied on external Windows tools, like the ones from Sysinternals that all of us use for malware analysis, and... this is how this new set of tools came to light!

BTW, their initial concern about external and built-in tools is no longer valid, because last week Mark Russinovich announced that Microsoft has acquired Sysinternals. Oh my!! Did they drink the Kool-Aid? Only time will tell!!

In a future post I may point out some challenges based on these tools, so that you can practice your Windows command-line kung-fu!!

Adding some technical details: when using WMIC you need to test the capabilities of your specific OS version. For example, the Pauldotcom challenge asked for two ways of enabling DHCP on a Windows NIC using command-line tools. My response was:

1) Netsh:

C:\> netsh interface ip set address "Local Area Connection" dhcp

2) WMIC:

C:\> wmic nicconfig where index=1 call enabledhcp

The wmic command above works like a charm on Windows 2003 (no SP), although the "enabledhcp" call is not supported on Windows XP Pro SP2. So, check the WMIC capabilities of every OS version when designing your Windows-based incident response processes!!
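As an added example (not part of the original post), the following batch script puts the two answers together the way an incident responder would use them on an unknown Windows build: list the adapters and their current DHCP state first, try the WMIC EnableDHCP method, and fall back to netsh when that OS version does not expose the method. The adapter index (1) and connection name ("Local Area Connection") are the values from the post and are assumptions you must adjust to the box in front of you; the check for the "ReturnValue = 0" line in WMIC's output is also an assumption about WMIC's method-call output format, and the script deliberately keys only on that success string because the error text differs between Windows versions.

```batch
@echo off
REM Added example, not code from the original post.
REM Enables DHCP on one NIC: first through WMIC, then through netsh if the
REM EnableDHCP method is missing on this OS build (e.g. XP Pro SP2).
REM NIC_INDEX and NIC_NAME are assumptions taken from the post; verify them
REM against the adapter list printed below before relying on the result.
setlocal
set NIC_INDEX=1
set NIC_NAME=Local Area Connection

echo [*] Adapters and their current DHCP state (confirm NIC_INDEX here):
wmic nicconfig get index,description,dhcpenabled,ipaddress

echo [*] Trying the WMIC EnableDHCP method on adapter index %NIC_INDEX% ...
REM A successful method call prints an Out Parameters block containing
REM "ReturnValue = 0;" (assumption about WMIC output); anything else,
REM including "Invalid method" on builds without EnableDHCP, is a failure.
wmic nicconfig where index=%NIC_INDEX% call enabledhcp | find "ReturnValue = 0" >nul
if %ERRORLEVEL%==0 (
    echo [+] DHCP enabled through WMIC.
    goto verify
)

echo [-] WMIC EnableDHCP unsupported or failed on this OS; falling back to netsh.
netsh interface ip set address "%NIC_NAME%" dhcp
if %ERRORLEVEL% NEQ 0 (
    echo [!] netsh failed too. Check the connection name with: netsh interface ip show config
    endlocal
    exit /b 1
)

:verify
REM Read the state back so the script's own claim of success is checked.
echo [*] Resulting configuration for adapter index %NIC_INDEX%:
wmic nicconfig where index=%NIC_INDEX% get description,dhcpenabled,ipaddress
endlocal
exit /b 0
```

Run it from an administrative command prompt (wmic and netsh both need it to change adapter settings). The listing step matters more than it looks: WMIC's Index is the adapter's position in the Win32_NetworkAdapterConfiguration table and does not always match the friendly connection name netsh expects, so on a machine with several NICs (VPN adapters, virtual adapters) confirm both values before trusting the output.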

July 27, 2006

The birth of the RaDaJo security blog

One year after going through an intense 3-day live test to get the SANS/GIAC GSE certification in Washington, DC (30 July - 1 August 2005), we have found the time and energy to launch our own security blog. We had a great time during the certification process, and we expect to have the same making this blog a valuable resource for the infosec community.

Who we are: We're three Spanish security professionals passionate about information security, Raul Siles, David Perez and Jorge Ortiz, hence the blog name, RaDaJo. You can find more information about us in the links available on the blog sidebar.

This blog was born to publish interesting comments and research about what's going on in the information security field, plus infosec things we've been playing with, mainly from a technical perspective. It aims to provide at least a weekly post reflecting our own analysis, opinions and thoughts on cutting-edge security topics.

If you're interested in this blog, we recommend subscribing to it using the RSS or XML buttons on the sidebar, so that you do not need to visit this page frequently. You can contact us at:
radajo@gmail.com