
System-state change utility


8 replies to this topic

#1 solid332 (DDP Fan club member, 46 posts)
Posted 16 May 2005 - 01:59 PM

I'm working on a project that involves exposing a vulnerable Windows XP SP1 box on the internet. This box will be missing a ton of MS updates, including MS04-11 and MS05-17. The purpose is to analyze how long it takes for the box to be hacked. My hypothesis is 10 minutes.

In order to achieve my goal, I require a utility that will take a picture of my system's files, folders and registry, then alert me if anything has changed.

Do you guys know of a good app?

#2 HavocRains (Gibson Hacker, 89 posts)
Posted 16 May 2005 - 02:01 PM

Well, I don't know of an app, but I would just back up all of the files onto a separate HD or a couple of discs, put them on another system, and compare them once your little hack period is over with, even though it's a terrible idea.

#3 solid332 (DDP Fan club member, 46 posts)
Posted 16 May 2005 - 02:15 PM

Hmm... seems like a lot of work. I was hoping for something more automated: as soon as something changes on the file system or registry, it alerts me. I swear I've heard of something that does this... I just can't remember the name of the tool.

Why would my idea be a bad one? The system is going to be on its own internet connection, not connected to my personal LAN. It will have its own separate, unique (external) IP address. The system also has a Ghost image. As soon as it becomes corrupt, I can re-ghost it back to its original state.

#4 HavocRains (Gibson Hacker, 89 posts)
Posted 16 May 2005 - 02:18 PM

No, I was saying that my idea was a bad one, not yours... sorry for the confusion...

I type awkwardly sometimes, so just call me a newb and ask what I meant when I do... :)

#5 solid332 (DDP Fan club member, 46 posts)
Posted 16 May 2005 - 02:25 PM

LOL. No problem...

#6 Aali (DDP Fan club member, 50 posts)
Posted 16 May 2005 - 04:52 PM

While I can't name any off the top of my head, there are apps that watch the registry/filesystem and report any changes... but if your box gets owned, those apps could get owned as well.
Windows is not the ideal system for a honeypot.

#7 solid332 (DDP Fan club member, 46 posts)
Posted 16 May 2005 - 05:36 PM

I was thinking of using the Auditor Live CD. It has three honeypots including an IIS emulator. The only problem is, I want to test certain vulnerabilities at certain times.

For instance, the LSASS vulnerability. I want to play with it...embrace it, you know ;)

When I'm done playing with LSASS, maybe I'll move on to MS05-017.

For this, I will require a fully customizable Windows box.

A few more questions:

Any comments on the Auditor Live CD and its honeypots?
Anyone heard of a Windows-based live distro, like Knoppix? (I doubt it..)
Can someone name a program that reports reg/file changes in Windows?

Thanks!

#8 teabag (Gibson Hacker, 83 posts)
Posted 16 May 2005 - 06:42 PM

Anyone heard of a Windows-based live distro, like Knoppix? (I doubt it..)

http://www.nu2.nu/pebuilder/

#9 solid332 (DDP Fan club member, 46 posts)
Posted 17 May 2005 - 07:44 AM

Thanks, teabag. Great link. That's the distro I was thinking of; I just couldn't remember the name.

As for the file integrity checkers, using an amazing tool called "Google", I was able to come up with the following freeware/trial-based utils:

GFILanGuard - http://www.gfi.com/l...simfeatures.htm
Sentinel (30-day trial) - http://www.runtimewa...age=p_sentinel2
SnapShot - http://www.snapfiles...hatchanged.html
WhatChanged - http://www.prismmicr...anged/index.htm

Using BartPE and Sentinel, I believe I can create an online tool (call it a honeypot if you want) that I can use to analyze attacks as they happen.
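The thread never shows what the "picture of files, folders and registry" tool in post #1 actually does, so here is an added example of the baseline-and-compare approach those products implement. It is not code from the thread or from any of the listed products, and every function name in it is hypothetical. It snapshots size, mtime and SHA-256 for each file under a root, stores the baseline as JSON plus a digest of that JSON, and on the next run reports added, removed and modified paths. The constructed scenario in `demo()` shows why the comparison must be by content hash: an intruder who rewrites a file with the same byte count and then puts the timestamp back is invisible to a size/mtime check. It also follows Aali's caveat from post #6 by keeping the baseline and its digest off the monitored box (in practice, the BartPE boot media or the analysis machine) and refusing a baseline file whose digest no longer matches. Filesystem only; a registry snapshot would need the `winreg` module on the Windows host and is not shown.

```python
# Added example (not a tool from the thread): a minimal baseline-and-compare
# file integrity checker. All function names are hypothetical. Filesystem only;
# a registry snapshot would need the winreg module on a Windows host.
import hashlib
import json
import os
import tempfile
from typing import Dict, List

Baseline = Dict[str, dict]


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in 64 KiB chunks so large binaries stay off the heap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Baseline:
    """The 'picture': size, mtime and SHA-256 for every regular file under root."""
    baseline: Baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the link target is recorded where it really lives
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": st.st_size, "mtime": int(st.st_mtime),
                             "sha256": hash_file(full)}
    return baseline


def compare(old: Baseline, new: Baseline, fields=("sha256",)) -> Dict[str, List[str]]:
    """Added/removed/modified paths; 'modified' means any of `fields` differs.
    Default is content hash only: size and mtime are attacker-controlled."""
    old_paths, new_paths = set(old), set(new)
    modified = [p for p in sorted(old_paths & new_paths)
                if any(old[p][f] != new[p][f] for f in fields)]
    return {"added": sorted(new_paths - old_paths),
            "removed": sorted(old_paths - new_paths),
            "modified": modified}


def save_baseline(baseline: Baseline, path: str) -> str:
    """Write the baseline as JSON and return its SHA-256. Keep both off the
    monitored box: a checker living on the box is owned when the box is."""
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True, indent=1)
    return hash_file(path)


def load_baseline(path: str, expected_digest: str) -> Baseline:
    """Refuse a baseline file whose digest no longer matches the off-box copy."""
    if hash_file(path) != expected_digest:
        raise ValueError("baseline file has been altered")
    with open(path) as f:
        return json.load(f)


def _write(root: str, rel: str, data: bytes) -> str:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    return full


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: snapshot a fake system root, then simulate an
    intruder who rewrites hosts (same size, mtime put back), drops a binary and
    deletes a file. Returns the hash-based and the stat-only comparison."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as offbox:
        hosts = _write(root, "system32/drivers/etc/hosts", b"10.0.0.5 update.example\n")
        _write(root, "docs/readme.txt", b"nothing to see\n")
        _write(root, "system32/calc.exe", b"MZ fake binary")
        digest = save_baseline(snapshot(root), os.path.join(offbox, "baseline.json"))

        st = os.stat(hosts)
        _write(root, "system32/drivers/etc/hosts", b"10.0.0.6 update.example\n")
        os.utime(hosts, (st.st_atime, st.st_mtime))  # timestomp: restore mtime
        _write(root, "windows/temp/dropper.exe", b"MZ payload")
        os.remove(os.path.join(root, "docs", "readme.txt"))

        before = load_baseline(os.path.join(offbox, "baseline.json"), digest)
        after = snapshot(root)
        return {"by_hash": compare(before, after),
                "by_stat": compare(before, after, fields=("size", "mtime"))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In `demo()` the hash-based comparison lists the rewritten hosts file as modified while the size/mtime comparison reports nothing changed, which is the gap a "snapshot" product that only looks at file attributes leaves open. Running the comparison from a boot CD rather than from the live XP box also sidesteps rootkits that hide files from the running OS, which is the reason the BartPE plan in post #9 is sound.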




BinRev is hosted by the great people at Lunarpages!