Time
10 hours 10 minutes
Difficulty
Intermediate
CEU/CPE
15

Video Description

Enumerating Keys. This lab-based lesson offers participants step-by-step instructions on how to use the EnumKey function to enumerate registry keys. Participants learn to write a gather-information function that takes a log name, then run it to create the log and gather useful data such as user accounts, active connections and aliases.

Video Transcription

00:04
So we've
00:06
seen that there are things in the key that we've chosen or in the sub key that we've chosen.
00:11
Now we have to actually get information out of them.
00:14
So what we're gonna do with that, the way we're going to go about doing that, rather,
00:19
is fairly straightforward. We're trying to enumerate keys.
00:23
So we're going to use the function.
00:26
EnumKey.
00:28
There you go. And it's a key and an index. The index is which key you're gonna receive.
00:34
So is you met as I showed you. Why delete character that window? But it returned one sub key.
00:40
So there's an easy way to do that
00:43
for any Python loop. Obviously, we can just do for i in
00:47
sub keys,
00:50
print EnumKey
00:56
(key handle,
00:59
i).
01:00
And then there's a similar function called
01:03
EnumValue,
01:04
which again is exactly what it sounds like.
01:07
Works pretty much exactly the same way.
01:11
The distinction between these is that values are
01:15
sub keys or data fields within a registry key which actually contain information.
01:19
As you see,
01:22
EnumValue returns a tuple of value name, value data, data type.
01:26
So we're just going to check out value name and value data for right now:
01:32
v name,
01:34
v data, and then just
01:37
d type, which we're going to throw away and ignore,
01:40
equals EnumValue
01:47
(key handle, i).
01:52
Okay, nice and easy.
01:53
And then for that we'll do print
01:57
percent s
02:01
v name,
02:04
v data,
02:06
and we run
02:07
it. And it freaked out at us,
02:09
so, oh, right.
02:10
So these are integers. So it should actually be for i in range(num sub keys) and for i in range(num values).
02:16
That's my bad.
02:22
And there you go.
02:23
It's not... we're seeing some information, not very cleanly formatted, I admit,
02:28
but we're seeing information. So we see
02:30
one sub key followed by 37 values.
02:35
And we can clean that up just a little bit
02:37
pretty easily.
02:53
Keys
03:06
and values. And this is just so we can more easily differentiate,
03:08
differentiate what we're seeing
03:10
between sub keys and values.
03:15
Um,
03:20
so these values all tell Windows something different. ColorTable 00, 01,
03:25
etcetera, etcetera.
03:28
Cursor size. All of these things can be used to make changes if you need to.
03:32
Specifically, this is for the console. So if we were to make changes to this registry key, we could actually change what we're seeing, and you can feel free to do that to yours. I am not a huge fan of messing with registry keys
03:43
because it's an easy way to break things.
03:46
There you go. Sub keys, values, nice and easy.
03:52
At that point, we've
03:53
pretty effectively, not actually downloaded, but we've pretty effectively checked all of the registry keys,
04:00
so we could move on to the next function.
04:02
The next function is going to be downloading a file. The nice thing is,
04:05
we're gonna go easy on this one, and our downloading of a file isn't going to be using ctypes and tracking the file through the entire drive. It's just gonna be a pretty straightforward
04:15
f equals open(file name).
04:18
This again is included primarily just for methodology rather than for how you go about doing this. This is just because this is an important function to have in any script like this,
04:31
pardon me.
04:33
So we're gonna open it for reading,
04:38
for now we'll print f.read().
04:41
Richard.
04:45
The next function, a little bit more interesting function, I think,
04:49
is gather information.
04:53
Gathering information is this huge slew of things I've shown you up here,
04:58
and for gather information, you can see I included log name as an argument.
05:01
It is possible to just send all of the data directly on the socket.
05:06
We want to avoid that. We want to write logs so that we can more safely
05:12
keep track of that data. As I mentioned before,
05:14
the way we're implementing download file is actually just gonna print it out on the client. It's just gonna print it to the screen.
05:19
But
05:20
for example, if you were to use your old file transfer, the FTP tool that we wrote in the other lab,
05:28
then you would want to make sure that you're downloading an actual proper log.
05:32
So
05:33
gather information is going to consist of 1, 2, 3, 4, 5, 6, 7... 9 commands, and pretty much all of them are gonna be done through Popen.
05:44
That's the upswing.
05:45
Um,
05:46
so we can do this in a couple of ways. The best way to do it, the way we're going to do it, is to do,
05:51
uh, a multi-dimensional list. So we're going to do commands list.
05:57
That's going to be ipconfig.
06:01
Well, actually, it's going to be a list.
06:03
Did I mention it's multi-dimensional?
06:05
The reason for that is because, again, you generally want it to be a list:
06:13
ipconfig
06:15
in quotes,
06:19
slash all.
06:27
And even if you don't have anything to populate a full list, it's not a terrible idea to just make a list for syntactical clarity.
06:33
netstat.
06:40
Make sure you get all the commands you need in here.
06:42
There will be a few extra,
06:44
and then the net suite:
06:49
accounts,
07:03
file,
07:09
localgroup,
07:14
session,
07:19
share,
07:26
user,
07:28
and, riveting stuff, folks, riveting stuff,
07:30
and view. There we go.
07:40
So now we've got our dimensional, or our multi-dimensional, list of commands. These are the things that we're going to pass to Popen
07:46
in order to
07:47
execute, essentially. So we're going to do
07:54
log equals
07:56
open
07:58
log name, and we're gonna open log name
08:01
for writing.
08:03
We're not opening for appending. We're gonna overwrite any old logs, so keep that in mind whenever you start deciding log names.
08:09
So we open, we write,
08:11
we open, we're going to write
08:16
through Popen.
08:18
So for i in commands list,
08:22
subprocess.Popen
08:28
(i), because again, now we're giving it a list,
08:31
i, and then we can pull up
08:39
Popen so that we can now
08:41
double check and make sure we've got all the right things for it.
08:48
There you go.
08:48
So the first thing is our args. Then bufsize, executable, stdin,
08:56
stdout. We want it to be logged,
08:58
and
09:00
we make stderr log, just to be safe.
09:05
And then when it's done,
09:07
we'll just print
09:09
log created.
09:16
So gather information.
09:22
Log name is going to be
09:28
info log
09:28
dot txt,
09:31
and sock. It'll just be easier over there,
09:39
and let's run.
09:43
It says log created. "Batch file cannot be found":
09:46
ignore that.
09:46
info log, nine kilobyte file.
09:50
Look at all the data we gathered.
09:52
That's a lot of information that we could make use of. So
09:54
the user accounts, we see active connections,
10:01
aliases. We see all sorts of information,
10:05
most of what I showed you
10:07
in the other course. Most of the detail of the information
10:11
we just kind of
10:11
grabbed all at once.
10:13
For those of you who are curious, really, for those of you who aren't curious as well, either way,
10:22
it's worth going through and understanding exactly what each of these are doing and why they're worth grabbing the information. So accounts:
10:31
quick summary,
10:33
password data. It tells you what the rules are for this system. That way you're able to keep track of
10:39
one, you'll be able to know how easily cracked it is, or how
10:43
strong their password system is. I'd say this is a computer that I use for teaching these courses.
10:48
It's not really very heavily secured.
10:52
The next one we have on there is net file.
10:56
That's not anything right now because it's not doing anything. Net file is currently open shared files, so net file is for something like, say, you're running my computer. A lot of times I run a movie server
11:09
for my entire house, where we put all of the movies. I store them on my hard drive, and then we can just watch them wherever in the house. Net file, if any of those folders were open, would report that.
11:20
So when you're gathering information, net file could be used to say, okay,
11:24
I know what folders this guy is sharing out. I know where to store some stuff if I wanted to go anywhere, or where to avoid if I don't want people to see it.
11:30
Net localgroup
11:31
just tells you what groups are on this machine.
11:35
Net session,
11:37
again, nothing useful here,
11:39
that describes current communications going on with other machines. It can be used to terminate, which is handy.
11:46
Net share:
11:48
see what the machine is sharing out. See, this has got a default share on C and E as well as a
11:52
default remote admin, the default IPC. This machine has not been hardened. You could pretty easily target this machine
12:00
with a lot of old attacks, which is handy to know.
12:03
So that was net
12:05
share. Then you get into net user, which obviously you guys have seen plenty of, a list of users, and net view,
12:11
which takes a minute. And that's just the other machines that are currently active on the network that your computer knows about.
12:18
So those were the commands. And then, of course, there is the ipconfig /all
12:24
and netstat.
12:26
Those were the commands, though, that
12:30
you just wrote a script to run. And the intent of those commands, as I mentioned, is pretty straightforward. It's just designed to gather as much information as quickly as possible.
12:37
Nice and easy.
12:39
The next thing we're going to do is execute command.
12:41
Execute command is a little bit different from everything else we've done in that it executes an arbitrary command.
12:48
So rather than executing, you know, a specific list, it's just whatever you throw at it, it's gonna run.
12:54
And you're gonna run into a specific issue with that in certain cases. And I'm gonna show you one of those cases now:
13:01
subprocess.Popen
13:05
(command,
13:07
0, None,
13:11
None,
13:13
and we'll do
13:16
log).
13:26
We'll have a log here just for safety's sake.
13:30
So you can see how all this works
13:31
and we'll do f.
13:48
The first thing we pass is a command; the command we're gonna pass is tree.
13:50
That was the dramatic-looking command I gave earlier.
13:54
The second argument we're gonna pass is gonna be the log name. We're just going to do tree log,
14:00
if you get it. I hope you get it.
14:01
tree_log.txt, and we run,
14:03
and we got a Windows error: the system cannot find the file specified.
14:07
So reading this, it would seem logical that it can't find tree_log.txt, but what it actually can't find
14:15
is tree.
14:16
The reason for that is because tree isn't an executable.
14:18
subprocess.Popen looks for this command assuming it's an executable, but it's not,
14:24
so there are a few ways you can fix this. The hack that I mentioned, we're going to do that,
14:28
which some people really won't like and others will think is fantastic.
14:43
commands.
14:48
What we're gonna do is, our command isn't found because it says, oh, that's not a file
14:54
that we know.
14:56
What we can do is just
14:58
tell it what kind of file we're looking for.
15:01
Um,
15:01
the distinction is, if we pass it a list of arguments,
15:05
for example, if we were to pass it
15:07
a, that would be an issue.
15:11
So you do want to pass it a proper list,
15:18
but you're not necessarily going to be able to.
15:22
So this is not a smart fix, and the reason that you're not going to be able to is because your users
15:28
may just send you a string of text, which is actually what happens for the client for this.
15:31
So this is, this is a very kind of dumb fix. It doesn't solve everything,
15:37
but it's a good sort of hacking workaround, which is what we're working on and discussing, what we're learning in this class,
15:43
so that's what we're going to do here, just a workaround
15:48
which is designed to work in about
15:50
90% of cases, and there are obviously going to be cases where it doesn't work.
15:54
Just roll with the punches. Everything's gonna be just fine.
15:58
subprocess.Popen(command
16:02
+ ".com", and let's try that.
16:03
It says
16:06
it's not expected to be, except...
16:14
"Press any key to continue" looks promising.
16:15
And we've got a tree log,
16:18
and we took a tree log of a pretty terrible area, but
16:22
there you go.
16:23
So there are obviously ways that we go about fixing that. If we did change it, if we did cause the user to only send good input,
16:37
what we could do is that.
16:53
And now we're taking a much better
16:56
method.
17:00
Uh,
17:08
gotta make sure we don't escape things we shouldn't be escaping.
17:12
tree_log.txt.
17:15
And there you go.
17:15
So
17:17
if we can
17:18
create a protocol, we can create a system by which our user has to give us a list of arguments,
17:22
then awesome, we can much more cleanly take care of it.
17:26
What we're doing right now, and what the client's actually going to send, is a string, because I kind of want to drive home the point that
17:33
sometimes things aren't perfect, and sometimes you just kinda have to cheat your way through.
17:38
Which, by the way,
17:41
if you're trying to become a hacker and anyone tells you you cheated, all that actually means is you did it right.
17:47
So there we go. We finished cheating on execute command, and now we move on to the last little tidbit function before we go about making this thing into a big
17:55
networking
17:56
monstrosity of awesomeness.
17:59
Get data. Actually,
18:00
when you get this code it will just be included, both these two functions,
18:03
but get data is just
18:07
the second function that I built, or third function I built in,
18:10
for the specific cases when you're sending, when you're requesting commands for whatever purpose,
18:15
and it receives sock and str to send. All it does is send data
18:19
(sock, str
18:22
to send),
18:25
and then it returns
18:26
what it receives.
18:30
Um, this may not seem particularly necessary, to create a function to cover what's effectively, what, two lines of code.
18:37
I'll tell you it is a lifesaver, because you'd write those two lines of code about
18:45
30 times if you don't do that.
18:48
It's okay.
18:48
Now that we've gone through and made sure all of our separate functions work,
18:52
the new step
18:53
is creating a networking device, making this thing capable of actually talking
18:59
over the web, or over the wire,
19:00
with another computer, with a client, so that it can send this information somewhere rather than simply printing it to the screen.
19:07
Printing it to the screen is pretty; it doesn't actually do that much for us.
19:11
So, time to network.
19:14
So, ready to go: sock equals socket.socket
19:18
(socket.
19:21
AF_INET,
19:23
socket.SOCK_
19:27
STREAM).
19:30
And this is our
19:33
server. So we need to do a sock.bind.
19:36
No, but
19:37
binding on every port we have, pardon me,
19:38
on every interface
19:41
we have, on port 12345.
19:44
But
19:45
sock.listen,
19:47
we're only gonna listen for one customer, because we only want to serve
19:51
the one person, which is obviously going to be our client connecting to this. We don't want any random person to be able to connect.
19:56
sock.accept,
20:07
con sock,
20:08
con
20:11
info.
20:15
And now we get into the menu and all of that jazz. So, the menu for this obviously is going to be a series of commands. Now, what I did for it, to make things a little bit easier on both sides, is that
20:25
it's a, it's a series of two or three letter commands, which we're just gonna steal from the client,
20:30
borrow from the client, we're not gonna take it,
20:33
um,
20:34
which just kind of simplifies the process of sending and receiving commands.
20:38
Easier to type is what it really amounts to.
20:41
So we're going to do
20:44
while true, because it's going to be a consistently running server.
20:48
Yeah,
20:49
or we can do while
20:52
con sock equals invalid, whatever the invalid code is for a socket. But we're going to do the easy way; we're going to do while True.
21:02
First thing we're gonna do is we're going to do a send
21:04
data.
21:07
I'm sorry, get data
21:11
on con sock,
21:14
and the str to send is going to be
21:17
command,
21:22
and cmd equals get data
21:29
cmd.
21:32
And this is where, in C, you would have a case, a switch case table, that could actually go through and just,
21:37
you write a specific case for each item.
21:40
Unfortunately, Python doesn't implement that, so we've got to handle it the hard way.
21:42
if cmd == 'CU':
21:45
CU translates to create user.
21:48
We need a name, password and the log file for that.
21:52
The log file, as I mentioned, we're not actually going to be doing, so all we really need is a name and password.
21:57
create user
22:02
get data
22:18
and get data for password.
22:30
Yeah,
22:32
all right.
22:33
So obviously, we're going to have to do a bit of a change here. So for create
22:37
user, we've got log file.
22:41
If something goes wrong, we write it to a log file.
22:44
Now, if we were writing this on Linux, we could actually just replace log file with sock
22:48
and put things in the socket. Now,
22:51
unfortunately, we can't do that for various reasons.
22:53
So what we're going to do instead is we're going to create
22:57
a global
22:59
for error logging only. So we're not going to take stdout. We're only going to take stderr, because if something comes to stdout,
23:06
then we can assume that it was a proper success and everything worked out all right,
23:11
so we're going to do error log
23:14
equals open
23:18
(log,
23:21
'w').
23:32
And in create user, rather than putting log file here, this is stdout, we put None;
23:37
for this line we're going to put
23:40
error log.
23:45
Get rid of that,
23:47
that,
23:48
that,
23:48
that,
23:51
and we're also gonna get rid of data. So now create user just became silent.
23:55
Other than in the case, obviously, of errors: if something goes wrong it's going to write to error log. Otherwise it's just gonna run.
24:02
Um,
24:03
obviously, there are ways that we can go about checking to make sure things are working right.
24:07
We can just,
24:08
if we're on the machine and if we have execute command capabilities, we can simply
24:12
run a command and see,
24:15
hey, are you actually sending my stuff correctly?
24:18
Yeah.
24:19
And that's create user, and create user actually receives from across the network now, so that's done.
24:26
So we move on to
24:26
elif cmd == 'DU', which is delete user,
24:30
and we're gonna make some of the same changes to delete user.
24:48
Delete user is going to get rid of
24:49
this log file. Just turn that to None,
24:59
and that,
25:00
that, that, and that.
25:03
There you go. So now we've cleaned up create and delete user a little bit, which is kind of nice, but we've also
25:10
made them quieter.
25:11
So there are potentials for returns that aren't necessarily errors, that don't go to stderr, that we don't necessarily want.
25:18
That's sort of the trade-off that you're always gonna have in this. I personally advocate the quieter it is, the better, and you can do your own checks. But whatever works for you; if you prefer to have a log file of every single thing you do,
25:30
totally an option.
25:37
So now we've covered two functions and move on to our third. Our third function is going to be the download registry key, a little bit more involved.
25:45
DRK,
25:49
registry key.
25:56
Get data,
26:00
and the things download registry key needs are going to be root,
26:04
what's
26:06
gonna be root, path and sock. So root, as you may remember, is not
26:12
an actual string. It's a pound define, so we're gonna have to do something about that
26:17
in just a second.
26:26
Path
26:36
and con sock
26:38
for sending data back across.
26:41
So what we're gonna do here
26:42
in the download registry key is we're going to create a dictionary,
26:47
and the dictionary is going to, is going to map the define values to the actual strings for root.
26:52
So we'll call it root dict,
26:55
and it's going to be
26:57
beautiful.
27:03
And we're gonna bring up regedit over here again so we can make sure we're writing the right registry key names.
27:08
HKEY_CLASSES_ROOT
27:11
is going to map to
27:14
exactly what it sounds like,
27:26
and unfortunately, this is kind of the part where it gets into a little bit of busywork. I'm gonna need you to bear with me.
27:33
HKEY_CURRENT_USER,
27:42
HKEY_LOCAL_MACHINE,
28:11
and HKEY_CURRENT_CONFIG. There we go.
28:15
All right.
28:15
We made it through together, folks,
28:18
and then
28:19
to make life easy, so we don't have to go through and change a bunch of code, all we're gonna do is root equals
28:26
root dict
28:27
[root].
28:30
It's gonna change the value to be whatever the define is for the string that we received.
28:36
There we go.
28:37
So now it gets a sock,
28:38
and we actually want to send the data back on the socket
28:42
rather than doing a print. For all of these things we're going to do
28:47
send,
28:49
send data specifically,
28:52
sock,
28:59
and I'm not actually sure I'm curious myself as to whether or not
29:03
formatting this in this manner will work. So we're gonna find out. I think it will, but I'm not positive.
29:10
So we're gonna be in for a ride together
29:11
in a little bit.
29:47
There we go. So now we download the registry key. Nice and quick, nice and easy.
29:52
Next one,
29:53
elif cmd ==
29:56
'DF'.
30:00
We're going to
30:02
download file.
30:03
Gonna take the args. It's a file name
30:15
and the socket.
30:22
And we can look at this download file to make sure it's...
30:25
Yeah. So instead of print f,
30:26
we're going to just do a send
30:29
data
30:33
(sock, f.read()),
30:37
and then f.close().
30:41
Downloading files,
30:42
much easier in this than when we were using ctypes.
30:47
Gather information, gather information. We actually take a log name because with something with this much data,
30:52
we want to write it to a log and then just send the log across through download file.
30:57
Um, the reason for that is because if we were actually collecting this data, the best thing to do would be to store it in a log and then to exfiltrate the log itself
31:03
through the FTP tool or something like that. In this case, we're doing it because it's easier to store it that way for the purpose of sending it later. We don't run into memory errors as often,
31:15
because when you start dealing with
31:18
nine K outputs for one function,
31:21
if you start trying to send too many of those across the network quickly, you're gonna start breaking things. And rather than try and build an incredibly robust program,
31:29
we are, as always, going to cheat.
31:32
cmd ==
31:34
'GI' for gather information,
31:41
data,
31:51
send data, it takes a sock,
31:57
and the last argument,
31:59
the last
32:00
command, rather, cmd ==
32:02
'EC',
32:05
execute command.
32:23
And there is a log name option.
32:25
And that's again just because writing the data back across the network in this case is kind of challenging,
32:31
simply because Windows doesn't actually use sockets as file descriptors, whereas Linux does. So in Linux you could actually pass the socket as that log name, and it would let you do that;
32:43
here, not so much.
32:51
There you go. Now I've got a server, and the info client, you see, it's got an else, so we don't have to worry about it sending us data that isn't
32:59
on this list,
33:00
which makes life a little bit easier for us.


Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor