solid332

System-state change utility

9 posts in this topic

I'm working on a project that involves exposing a vulnerable Windows XP SP1 box on the internet. This box will be missing a ton of MS updates including MS04-11 and MS05-17. The purpose is to analyze how long it takes for the box to be hacked. My hypothesis is 10 minutes.

In order to achieve my goal, I require a utility that will take a picture of my system's files, folders and registry, then alert me if anything has changed.

Do you guys know of a good app?

Well, I don't know of an app, but I would just back up all of the files onto a separate HD or a couple of discs and put them on another system, and compare them once your little hack period is over with, even though it's a terrible idea.

Hmm... seems like a lot of work. I was hoping for something more automated. As soon as something changes on the file system or registry, it alerts me. I swear I've heard of something that does this... I just can't remember the name of the tool.

Why would my idea be a bad one? The system is going to be on its own internet connection, not connected to my personal LAN. It will have its own separate unique (external) IP address. The system also has a Ghost image. As soon as it becomes corrupt, I can re-ghost it back to its original state.

No, I was saying that my idea was a bad one, not yours... sorry for the confusion...

I type awkwardly sometimes, so just call me a newb and ask what I meant when I do... :)

While I can't name any off the top of my head, there are apps that watch the registry/filesystem and report any changes... but if your box gets owned, those apps could get owned as well...

Windows is not the ideal system for a honeypot.

I was thinking of using the Auditor Live CD. It has three honeypots including an IIS emulator. The only problem is, I want to test certain vulnerabilities at certain times.

For instance, the LSASS vulnerability. I want to play with it...embrace it, you know ;)

When I'm done playing with LSASS, maybe I'll move on to MS05-017.

For this, I will require a fully customizable Windows box.

A few more questions:

Any comments on Auditor Live CD and their honeypots?

Anyone hear of a Windows-based live distro, like Knoppix? (I doubt it...)

Can someone name a program that reports reg/file changes in Windows?

Thanks!

Thanks Teabag. Great link. That's the distro I was thinking of. I just couldn't remember the name.

As for the file integrity checkers, using an amazing tool called "Google", I was able to come up with the following freeware/trial-based utils:

GFILanGuard - http://www.gfi.com/lansim/lansimfeatures.htm

Sentinel (30 Day Trial) - http://www.runtimeware.com/?page=p_sentinel2

SnapShot - http://www.snapfiles.com/get/whatchanged.html

WhatChanged - http://www.prismmicrosys.com/whatchanged/index.htm

Using BartPE and Sentinel, I believe I can create an online tool (call it a honeypot if you want) that I can use to analyze attacks as they happen.

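The file-system half of what this thread asks for, as an added example that is not from any poster or from the tools listed above: a hash baseline of a directory tree and a comparison against it. It assumes the sealed baseline and the HMAC key are kept off the monitored box, so that a compromise of the box cannot silently rewrite the baseline (the concern raised earlier in the thread); registry monitoring is not covered, and all function names are this example's own.

```python
import hashlib
import hmac
import json
import os

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
            except OSError:
                # Locked or unreadable file: record it rather than skip it,
                # so a file that becomes unreadable shows up as modified.
                state[rel] = "UNREADABLE"
                continue
            state[rel] = digest.hexdigest()
    return state

def seal(state, key):
    """Serialize a baseline with an HMAC tag so later edits are detectable."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"state": state, "hmac": tag}, sort_keys=True)

def unseal(blob, key):
    """Return the baseline, or raise ValueError if it was altered."""
    doc = json.loads(blob)
    body = json.dumps(doc["state"], sort_keys=True).encode()
    want = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, doc["hmac"]):
        raise ValueError("baseline failed HMAC check")
    return doc["state"]

def diff(baseline, current):
    """Report files added, removed or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }
```

Run `snapshot` against an offline copy of the disk or from boot media rather than from inside the exposed system, since a compromised system can return altered file contents to a process running on it.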
