The much delayed part 2 is finally here, and the topic of the day is poking the system. This is much like poking a bear but hopefully less painful. The purpose of poking the system is to show how to interact with the underlying OS of choice.

Getting Started:


First off, you need some basic PowerShell skills; my original post can be found here. It's pretty simple and follows on from the video, so you don't have to read too much if you don't want to.

Grab the script for this post from here. Unlike the previous post, I won't be explaining it line by line, but rather function by function.

Get-Users:


This is a rather simple but interesting example of working with WMI; it points out two things.

  1. That you can get interesting system data via WMI

    • We are able to get all the users on the system via WMI, and while I am not familiar with using the normal Windows shell to get this info, it cannot get any easier than this.

    • The other fact that is not obvious is that you can use this on a remote system to get similar results without many changes to the code.

  2. Also, how you would get started using WMI

    • It shows the basic syntax for making a WMI call: if it was not apparent, you simply call gwmi with the name of the class you want data from. In this case the class is win32_useraccount. To get a list of the classes that you can use, run gwmi -list.
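As an added example (not the script from the post), here is the same win32_useraccount query wrapped in a function that also takes a list of machines, since Get-WmiObject accepts a -ComputerName parameter. The function name Get-LocalAccountReport is my own, and it assumes the caller has local administrator rights on any remote host it is pointed at.

```powershell
# Added example, not the post's script: enumerate local accounts via WMI on one or
# more machines. The LocalAccount=True filter matters on a domain-joined box,
# because without it Win32_UserAccount walks every account in the domain.
function Get-LocalAccountReport {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)   # default: this machine
    )
    foreach ($computer in $ComputerName) {
        gwmi -Class Win32_UserAccount -ComputerName $computer -Filter "LocalAccount=True" |
            Select-Object @{n='Computer'; e={ $computer }},
                          Name, SID, Disabled, Lockout, PasswordRequired, PasswordExpires
    }
}

# Review use: enabled local accounts whose password never expires are the ones
# worth a second look on a server build.
Get-LocalAccountReport |
    Where-Object { -not $_.Disabled -and -not $_.PasswordExpires } |
    Format-Table -AutoSize
```

Pass several names to -ComputerName to collect the same report from a group of servers in one go; the Computer column tells you which row came from where.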

Get-Applications:


This is a bit of a simpler example which just returns a list of the applications installed on the user's machine. It can be expanded a lot more to do things such as simple searching or even calling the uninstall method on an application of choice.
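An added example, not the post's script, with a caveat a practitioner will want: querying the Win32_Product WMI class makes the Windows Installer validate (and sometimes repair) every MSI package on the machine, which is slow and writes MsiInstaller entries to the Application event log. Reading the Uninstall registry keys gives the same inventory without that side effect. The function name Get-InstalledApplication and its -Name parameter are my own.

```powershell
# Added example, not the post's script: application inventory from the registry
# instead of Win32_Product. Covers 64-bit, 32-bit (Wow6432Node) and per-user installs.
function Get-InstalledApplication {
    param(
        [string]$Name = '*'    # wildcard on DisplayName; default lists everything
    )
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        # Entries without a DisplayName are updates or hidden components; skip them
        Where-Object { $_.DisplayName -and $_.DisplayName -like $Name } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString |
        Sort-Object DisplayName
}

# Simple search, as mentioned in the post: everything with "java" in the name
Get-InstalledApplication -Name '*java*' | Format-Table -AutoSize
```

The UninstallString column is what you would hand to Start-Process if you went on to script removals; showing it here is enough to see which entries are MSI based (msiexec) and which use a vendor uninstaller.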

Get-FirewallRules:


This takes what we have learnt up until now a little further. First of all, it takes in a parameter of the user's choice, but it also provides a default so that if the user does not provide one the function will not crash.

This function also shows you how to work with COM objects in PowerShell. The reason we do this is that there is no simple public WMI interface for the firewall, and the COM interface is a lot simpler to work with. The function also shows how to do inline filtering using the PowerShell where command (either ? or where will work).
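As an added example (not the post's script), the three points above together: a parameter with a default value, the HNetCfg.FwPolicy2 COM object, and inline filtering with ?. The function name Get-FirewallRuleReport is my own; the numeric codes it translates are the INetFwRule values for direction (1 in, 2 out), action (0 block, 1 allow) and protocol (6 TCP, 17 UDP, 256 any).

```powershell
# Added example, not the post's script: list Windows Firewall rules through COM
# and turn the raw numeric fields into readable values.
function Get-FirewallRuleReport {
    param(
        [string]$Name = '*'    # wildcard on the rule name; default returns all rules
    )
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $direction = @{ 1 = 'Inbound'; 2 = 'Outbound' }
    $action    = @{ 0 = 'Block';   1 = 'Allow' }
    $fw.Rules |
        ? { $_.Name -like $Name } |
        Select-Object Name, Enabled,
            @{n='Direction'; e={ $direction[[int]$_.Direction] }},
            @{n='Action';    e={ $action[[int]$_.Action] }},
            @{n='Protocol';  e={ switch ([int]$_.Protocol) { 6 {'TCP'} 17 {'UDP'} 256 {'Any'} default {$_} } }},
            LocalPorts, RemoteAddresses, ApplicationName
}

# Defender's check: enabled inbound Allow rules open to any remote address are the
# ones that actually widen the machine's exposure, so review those first.
Get-FirewallRuleReport |
    ? { $_.Enabled -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.RemoteAddresses -eq '*' } |
    Format-Table Name, Protocol, LocalPorts, ApplicationName -AutoSize
```

Because the parameter defaults to '*', calling Get-FirewallRuleReport with no arguments works, which is exactly the "does not crash" property the post describes.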

Get-ADComputers:


This uses slightly more complex functionality, but nothing that has not been covered in the previous functions. The two major differences from the previous functions are:

  1. The function casts the string “objectcategory=computer” to an Active Directory searcher object. The searcher is a little too complex for this post, so I won't go into detail about how it works. For now, just know that it allows you to perform AD searches from the command line and, more specifically, from PowerShell.

  2. How to loop over each object that the search returns. If you are a coder with previous experience, the loop is the equivalent of a foreach loop. If it hasn't become apparent already, this is the loop: %{([adsi]$_.path).cn + $_.properties.operatingsystemversion}. You can use either % or ForEach-Object; whatever is between the {} is executed on each step. If you need access to the object currently being processed, use the $_ variable.
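As an added example (not the post's script), here is the same [adsisearcher] cast and % loop, with two additions the post's one-liner does not show: a PageSize so that domains with more than 1000 computers return everything, and a PropertiesToLoad list so the domain controller only sends the attributes we read. The function name Get-ADComputerReport and its -StaleDays parameter are my own; it assumes the machine is domain joined and the caller can read the directory.

```powershell
# Added example, not the post's script: AD computer search with paging and a
# stale-account flag based on lastLogonTimestamp.
function Get-ADComputerReport {
    param(
        [int]$StaleDays = 90    # computers silent this long are flagged Stale
    )
    $searcher = [adsisearcher]'(objectcategory=computer)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('cn', 'operatingsystem', 'operatingsystemversion', 'lastlogontimestamp'))

    $searcher.FindAll() | % {
        $p = $_.Properties     # $_ is the current SearchResult, as in the post's loop
        # lastLogonTimestamp is a Windows FILETIME; absent for machines that never logged on
        $lastLogon = if ($p['lastlogontimestamp'].Count) {
            [datetime]::FromFileTime($p['lastlogontimestamp'][0])
        } else { $null }
        New-Object PSObject -Property @{
            Name      = $p['cn'][0]
            OS        = $p['operatingsystem'][0]
            OSVersion = $p['operatingsystemversion'][0]
            LastLogon = $lastLogon
            Stale     = (-not $lastLogon -or $lastLogon -lt (Get-Date).AddDays(-$StaleDays))
        }
    }
}

# Stale computer accounts are the ones to disable or remove during a cleanup.
Get-ADComputerReport -StaleDays 90 |
    ? { $_.Stale } |
    Sort-Object LastLogon |
    Format-Table Name, OS, OSVersion, LastLogon -AutoSize
```

Property names in a SearchResult are lower case, so $p['cn'] works while $p['CN'] also resolves; each value is a collection, which is why the [0] index is needed even for single-valued attributes.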

Get-LocalOsVersion:


This function does nothing new really, except that it specifies which columns need to be returned, since the default output can be a bit much. Use this when you only need access to specific properties of an object.
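An added example (not the post's script) of picking columns with Select-Object, which also shows how to turn the WMI date strings into real [datetime] values with the ConvertToDateTime method PowerShell adds to every WMI object. The function name Get-LocalOsVersion matches the post's, but the body is mine.

```powershell
# Added example, not the post's script: a trimmed view of Win32_OperatingSystem
# with calculated columns for last boot time and uptime.
function Get-LocalOsVersion {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    gwmi -Class Win32_OperatingSystem -ComputerName $ComputerName |
        Select-Object CSName, Caption, Version, BuildNumber, OSArchitecture,
            @{n='LastBoot';   e={ $_.ConvertToDateTime($_.LastBootUpTime) }},
            @{n='UptimeDays'; e={ [math]::Round(((Get-Date) - $_.ConvertToDateTime($_.LastBootUpTime)).TotalDays, 1) }}
}

# Version and BuildNumber are what you compare against the patch level you expect;
# a large UptimeDays usually means pending updates have never been applied.
Get-LocalOsVersion | Format-List
```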

I hope that covers the script in a bit more depth than I managed in the video. If anything has not been covered in enough detail, or has been covered incorrectly, please let me know so that I can correct it.

One of the many things that has interested me in the past is binary reverse engineering. Whether your reasons are nefarious or not, it's always fun to see how things work in the background.

First off, you will not be learning how to crack anything, so if that is what you wanted you can leave now. Secondly, if you are doing the 0x41414141.com challenges on your own, give them a try yourself before getting the answer here.

A spoiler for the first challenge can be found here (thanks z0nbi) if you haven't already completed it. It's an interesting challenge and what got me started on this whole thing.

So first off, grab the binary for the challenge from the site by completing the first part of the challenge (the spoiler is above). Next, grab the free version of OllyDbg from its site.

At this point in a bigger project I would normally check the exe for string resources. But since the app is a whole 2 KB, I am going to jump straight into debugging it.

Start off by launching Olly, then load up the exe (File -> Open). Let's get into this: hit F9 or Debug -> Run. This will start the app in debug mode and pause at the first piece of code that will be executed. If you have some C experience, this is your main() function, i.e. the entry point for the application.

I am not going to explain every single asm instruction and what each piece of code does, because I have no idea how long this post would end up. So if you don't understand something, or think I have done something wrong, feel free to correct me.

If you have done everything as I have stated, you should be at 00401020 (check this in the extreme right column). At the same time you should see a text string telling you that the return value of the function is the email address for the next challenge.

With this in mind you have two options: you can take the quick route and run to the point just after the function call and then check the eax register, or you can step into the function and see what it is doing. I personally prefer to step into the function so that I can get an understanding of what is going on; it doesn't speed anything up, it just helps me understand the app.

So hit F8 six times to get just past the function call; at this point, if you look at the eax register, it should read 0007AB00. This is the return value from the function. The reason we can check the register so easily is that it is up to the main function to handle the cleaning up of the registers.

The alternative is to add a breakpoint at 00401035 (click on the line and hit F2), then hit F9 to run to that code. At this point you can re-examine the register and get the value from the function.

As you may have guessed, the email address for the challenge is 0x0007AB00@therest.com; replace therest.com with the address from the first challenge. You will know you got the right address if you get a reply with the source code for the application you are working on.

Update: @z0nbi has posted a follow-up to this article. If you feel that you are still new to RE, please visit his site to get extra information that will clear up quite a few things (he also has pretty pictures).

I have recently started using Django a lot more and must say that I am really enjoying it. As such, I thought I should share some info that I have come across while learning the basics.

One of the first add-ons that you should install for Django is the South plugin. Doing this is pretty simple (all examples are for Ubuntu).

Simply run the following command:

	sudo easy_install South

Next, edit your settings.py and add 'south' to your INSTALLED_APPS list (the app label is lower case, matching the module name).

Finally, run ./manage.py syncdb and you should be ready to go. As for the basics of using South, there isn't really much to it.

Run the following commands to get started:

	./manage.py schemamigration <yourappname> --initial
	./manage.py migrate <yourappname>

That will create the initial migration file and, as long as you haven't created the tables manually, it will set up the tables in your DB.

Any time you change something in your models.py, simply run:

	./manage.py schemamigration <yourappname> --auto

This writes a migration for the changes but does not apply them yet. To apply the changes, run the migrate command again:

	./manage.py migrate <yourappname>

That's as simple as it gets. There is a lot more information on the advanced things South can do at http://south.aeracode.org/docs/

Getting back to blogging has been something that I have wanted to do for ages. But the numerous excuses that keep coming up have slowed me down for long enough.

One of them was that, because I am always trying out new tech, moving servers, or in general just fiddling with stuff, my blog was never really stable. I have backed it up in the past, but that never really helped, since restoring was such a chore, and each restart of my blog was a new chapter for me both personally and technically.

So with this new blog you should know what is coming. Yes, you guessed it: a new start. While I am not going to announce it till next month, I can say that you will once again start seeing some interesting content on here soon.

BTW, the title has little relevance to the post (read into it what you will), but do stick around for what is to come.