It's the code garbage collector. Mind dumps of daily coding antics from a frustrated silly little man. VBS, PHP, Tcl, Tk, Perl, C++, Java.... what now? Ruby?
No wait.. it should be just RUBY!

20060625

windump - finding the pcap device mapping

Looking at windump (yeah.. for some reason I am currently sniffing in a Windows environment), I was having a tough time locating the correct procedure for finding the capture device. I know that the devices can be located via the drop-down selection in Ethereal (Wireshark as of June '06), but finding it from the command line proved to be difficult, especially via remote execution.

Why not use "windump -D"? Well.. I wanted to know the mapping for "Local Area Connection" specifically. This script also lets you parse its output in case you want to use it in conjunction with other remote execution methods such as wmic!

I have a quick VBS script that can read the registry, and I've located a fairly easy lookup method.

Finding the device from Regedit:
  1. Open HKLM\SYSTEM\CurrentControlSet\Control\Network\
  2. Identify the subkey whose (Default) value contains the data "Network Adapters" (this is the network adapter class key, {4D36E972-E325-11CE-BFC1-08002BE10318})
  3. Each adapter listed under it is a {GUID} subkey with its own Connection subkey; search those for the value named "Name" containing the data "Local Area Connection"
  4. The adapter {GUID} key that holds "Local Area Connection" is the reference to the physical device identifier
  5. Prepend "\Device\NPF_" to that key name
    1. Example: \Device\NPF_{95007697-9E3B-41C0-9732-19063EBA4376}
    2. From this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{95007697-9E3B-41C0-9732-19063EBA4376}
  6. This can be customized for any named connection identified from
    1. ipconfig /all
Download pcap_adapter.vbs
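The same registry walk in PowerShell, as an added example (this is not the page's pcap_adapter.vbs, and unlike that script it only queries the local machine; the hostname argument and -w output file are not reproduced). It assumes windump.exe is on PATH for the usage line at the end; everything else is the registry layout from the steps above.

```powershell
# Added example, not the original pcap_adapter.vbs: resolve a connection's
# friendly name (as shown by "ipconfig /all") to the \Device\NPF_{GUID} string
# that windump -i expects, by reading the registry path from the steps above.

# {4D36E972-E325-11CE-BFC1-08002BE10318} is the network adapter class key;
# its (Default) value reads "Network Adapters" (step 2).
$NetworkClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Get-NpfDevice {
    [CmdletBinding()]
    param(
        # Substring to look for in the connection name, e.g. "Local Area Connection".
        # -like is case-insensitive, so "local" behaves like the VBS example.
        [Parameter(Mandatory = $true)][string]$Pattern
    )

    $found = @()
    foreach ($adapter in Get-ChildItem -Path $NetworkClassKey -ErrorAction SilentlyContinue) {
        # Each adapter subkey is a {GUID}; its Connection subkey carries the friendly Name (step 3).
        # Non-adapter subkeys (e.g. "Descriptions") have no Connection subkey and are skipped.
        $connKey = Join-Path -Path $adapter.PSPath -ChildPath 'Connection'
        if (-not (Test-Path -Path $connKey)) { continue }

        $name = (Get-ItemProperty -Path $connKey -Name 'Name' -ErrorAction SilentlyContinue).Name
        if ([string]::IsNullOrEmpty($name)) { continue }

        if ($name -like "*$Pattern*") {
            $found += [pscustomobject]@{
                Name   = $name
                Guid   = $adapter.PSChildName                  # e.g. {EE878E44-6F4F-4CEB-93D3-3C9F8BB6B75C}
                Device = '\Device\NPF_' + $adapter.PSChildName # step 5: the string windump -i expects
            }
        }
    }
    return $found
}

# Usage: list the matches the way the VBS script does, then hand the first one to windump.
$devices = @(Get-NpfDevice -Pattern 'local')
$devices | Format-Table -AutoSize
"$($devices.Count) matches returned."

# Assumes windump.exe is on PATH; capture 10 packets on the first matching adapter.
if ($devices.Count -gt 0) {
    & windump -i $devices[0].Device -n -c 10
}
```

Wrapping the call in @() keeps .Count meaningful for zero or one match. For the remote case the VBS script handles with its hostname argument, the same function can be run through Invoke-Command against the target host; that remoting step is an assumption and not shown here.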

Example comparison using a search for "local":
C:\>cscript pcap_adapter.vbs "local" localhost -w test.txt
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Local Area Connection {EE878E44-6F4F-4CEB-93D3-3C9F8BB6B75C}

1 matches returned.
Finished writing to file. Results saved to test.txt

C:\>windump -D
1.\Device\NPF_GenericDialupAdapter (Generic dialup adapter)
2.\Device\NPF_{5A28A595-2DF1-4B68-84ED-9472E2B623C1} (Intel(R) PRO/Wireless 2915ABG Network Connection (Microsoft's Packet Scheduler) )
3.\Device\NPF_{EE878E44-6F4F-4CEB-93D3-3C9F8BB6B75C} (Broadcom NetXtreme Gigabit Ethernet Driver (Microsoft's Packet Scheduler) )
4.\Device\NPF_{768194C6-D64E-4C01-B933-1C1724B7DA9E} (VMware Virtual Ethernet Adapter)
5.\Device\NPF_{8941359A-87BF-4EDA-A287-A3A5B2AFF1B3} (VMware Virtual Ethernet Adapter)

20060510

When {Puffy} Meets ^RedDevil^: Monkey tricks: Extracting Viruses/Worms

This is an extraordinarily good point of reference for something I've been trying to do with numerous tools. Though most of the time I end up rebuilding binary files from scratch using Hex Workshop and Ethereal / Packetyzer... This is great!

20060427

More work..

Built fpg (a false positive generator) from FLoP to test an IDS the other day. Pretty nice. I know there are others called Stick.. & something else. Might even send the picture postcard to the addy in the INSTALL.

Busy as a bee building interfaces for Sguil and the IDS fleet. Wrote a bunch of VBS scripts as well that can interface fairly nicely with wmic and AD.. hey, at least the MCSE comes in handy in that respect. Blah. Hopefully I will find a place to post this garbage once the server is up.

20060426

Tail -f Unix through JAVA

I've been wandering around the internet looking for a good way to implement the Unix tail -f within Java. If you're unfamiliar with tail, well.. shame.

Tail -f Unix

This tutorial is actually really nice.. If you look around you will notice

Tail-f Unix across a client-server relationship

20060418

Mind Movement

Visual Basic Scripting, mainly for Active Directory, has been taking a large portion of my life recently. I've been nose deep in VBS / cscript CLIs and bringing forth my powers of Tcl/Tk to bear as well. Who knows, maybe somebody will eventually like my code.. blah!

I don't understand why Microsoft doesn't more easily disseminate information about included files and structures.. that's really annoying to me.

"~:\Program Files\Microsoft Office\OFFICE11\1033\VBSCRIP5.CHM"

That's a fairly good start, especially if you're looking at:

"mk:@MSITStore:~:\Program%20Files\Microsoft%20Office\OFFICE11\1033\VBSCRIP5.CHM::/html/vsgrpFeatures.htm"

I ended up with some great code from http://www.kouti.com/scripts.htm

With that as a base.. I've made some really great CLI/pipeable tools to replace all the crap of dsget.exe.

Other Active Directory and Services are pestering my mind as well..

  • Numerous general tools such as ADfind and SVCutil are a big help

Additional kung-fu from WMIC interfaces