Below are what the options mean.

Let’s walk through an example using the zipped up malware located here (password is “malware”). For the inexperienced keep in mind you’ll need to run this malware in a virtual machine environment that is not connected to a network. Now that you’ve downloaded the malware open up two command prompts in windows (Start > Programs > Accessories > Command prompt). In the first command prompt you’ll need to start up Capture-Bat with the command above. Once you run this command you should see the following.

My output is going to c:\temp, you may have to create this directory before running the command. It looks like Capture-Bat is just sitting there but it’s actually monitoring changes to your system. It’s important to only run the malware while Capture-Bat is monitoring your system, if you launch another application it will muddy your output and you may not be able to tell it’s the malware making changes to your system or a benign application. Now that Capture-Bat is monitoring let’s go ahead run our malware. I’m a fan of running exe’s from the command line because you may get a more verbose output, so execute the command below to launch the malware.

After you execute the malware let Capture-Bat sit there and monitor events for about 30 seconds to one minute, after that time period simply go into the command prompt running Capture-Bat and type “control + c” to kill the Capture-Bat process. Next step is to open up our output.txt to see what the malware has done to the system, my output is below.

The first line is simply us executing the malware. Lines 2 – 4 is where the malware creates a file, an exe in this case, named spoolsvc.exe. Spoolsvc.exe doesn’t already exist on windows systems but spoolsv.exe does so the malware author is trying to be tricky in creating an exe that is very similar to what already exists on the system. It’s very important to note that spoolsvc.exe is not executed here but simply created, had it been executed you would have seen “process”,”created” as is seen in line one. Spoolsvc.exe is eventually executed on line 15. Line five is where a “.bat” file is created, for those that don’t know “.bat” files are windows batch scripts which contain a series of commands to be executed. Capture-Bat ends of saving this batch script which we will take a look at later. Lines 6 – 13 is where the malware is setting registry values. It appears that lines 6 – 11 are ensuring the “Local Intranet” has certain settings (see IE setting screen shot below) in internet explorer, this will allow internal connections to have a lower security setting than external connections.

My virtual machine is setup in a default and vulnerable setup, my registry values for lines 6 – 11 didn’t change after the malware was executed. Also I intentionally changed these settings before the malware executed but the malware failed to modify the registry so go figure. McAfee states that these settings are used to bypass firewalls? More information about internet explorer security settings and registry values can be found here. Also good information here about IE security zones. Lines 12 and 13 are modifying where temporary internet files and cookies are stored, in my case I didn’t notice a difference between before and after. Also I modified the default location where temporary internet files are located, the malware failed to change this location after execution so go figure once again. I haven’t contacted the developers of Capture-Bat but “SetValueKey” could also be used to query the registry? Either way the values stayed the same for me, it could have been that the malware authors wanted the registry settings for cache and cookies in a default state? Lines 14 – 15 are having cmd.exe execute the malware spoolsvc.exe. Lines 16 – 18 are setting a value in the registry. Once again these values did not change for me after the malware was executed and it appears that the value for BaseClass the value of “Driver” is default? I haven’t yet figured out why this piece of malware sets the value of BaseClass to driver but I have seen other malware perform these same actions. In lines 19 – 30 the malware and Capture-Bat delete and create certain files and processes so hopefully that output is clear to you. It gets interesting again on line 31. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ is the location of exe’s set to run when a user logs into the system. It is very common to see malware modify these registry values to have itself execute once the user logs into the system. In this case it only modified the Spooler SubSystem App value but it’s common to see it modify other values in that location. The last two lines of the output are Capture-Bat saving deleted files. So that’s a basic analysis of this malware. I only let the malware run for about 30 seconds so it may actually perform more actions than my output.

You may be wondering why the funny name for this particular piece of malware, 40033d8063564d1b3e4b41f1d5c9a31f.exe. The experienced will recognize the name as a MD5 hash, MD5 hashing is commonly used to uniquely identify malware or any exe for that matter. I will also google search the MD5 hash of the malware to see if anyone else has run across it. Turns out others have and Anubis has a good analysis of this malware as well. Anubis reports some of the same activities as we see in our output. You can also perform a hash search over at virus total, looks like other anti-virus vendors have signatures for this malware. For the uninformed virus total will query about 40 anti-virus vendors to see which ones have seen it before. I love malware analysis sites like Anubis and Virus Total but nothing beats performing analysis on a local system. For example we were able to capture the deleted batch script that the malware executed, below is the output of that batch script.

Granted the batch script is lame, it’s a very basic script that deletes the malware and deletes itself but the batch script could have contained a lot of useful information. All deleted or modified files that Capture-Bat sees are located in the following directory.

Below is a screen shot of my deleted files for this malware.

Don’t forget that Capture-Bat collects pcap’s during the analysis under the same directory as the deleted malware, see screen shot below.

From a quick google search it doesn’t look like that memehehz.info has a great reputation. It could be that memehehz.info is a malware site or it could be that memehehz.info got infected with malware itself. The malware analyzed here isn’t the most recent malware I simply wanted to walk you through an example and how Capture-Bat can help you in the analysis of what the malware is trying to do. When it comes to analyzing malware I wouldn’t say only the tip of the iceberg has been analyzed but there is definitely more to cover. My main goal was to get others familiar with good malware analysis tools such as Capture-Bat so that they may be better able to react and respond to malicious activity on their own networks. Hopefully this helped and as always if you have any feedback I’d love to hear it.

1. Direct feed ($1,200 per year)
2. Registered feed (free but plugins were 7 days old)

Come the end of July they will switch to a different model,

1. Professional feed = Direct feed
2. Home feed (only personal plugins, whatever that means?)

The press release was some what cryptic and I couldn’t decipher what exactly this “Home feed” will be. It could be all the plugins minus the compliance stuff but the proof is in the pudding.

So it’s a sad day but I guess we all knew this was coming. In fact I’m all for Tenable getting paid for their valuable service I just hope they don’t go the next step and raise the price of the plugins feed to something outrageous. I think $1,200 is a reasonable price especially is you’re an independent contractor like I used to be. Let’s just hope the “Professional feed” remains a reasonable price. Tenable could always introduce a 3rd tier geared towards large organizations to get even more capital, but maybe that won’t be necessary with their new model. If for some reason the 2 tier model doesn’t work I hope they will entertain the 3 tier model, I can only hope (cross fingers). They could be shooting themselves in the foot with this move, which is essentially shooting their user base in the foot as well.

I’m not a hater, I like love Nessus and think it’s bottom line the best vulnerability scanner on the market period. I remember not too long ago (~ 4 years?) when Nessus had around 1,000 plugins, now there are over 21,000 so they have definitely grown over the years. I hope this move will help them to keep growing, just don’t forget the little guy.

On Error Resume Next
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strPassword = ""
Set colAccounts = GetObject("WinNT://" & strComputer)
colAccounts.Filter = Array("user")
For Each objUser In colAccounts
    objUser.ChangePassword strPassword, strPassword
    If Err = 0 or Err = -2147023569 Then
        Wscript.Echo objUser.Name & " is using a blank password."
    End If
    Err.Clear
Next

I can’t take credit for this script, the “Scripting Guy” has a nice article better explaining this script here. This simple script will let you find blank administrator passwords just like those expensive commercial scanners. The commercial scanners on the market may not use this exact script but do use the same principle when scanning for blank administrator passwords. Now that you have found PC’s with blank administrator passwords you will need to verify the findings of your script by connecting to that PC. The steps laid out below for connecting to a machine may seem simplistic but there are numerous users out there that aren’t familiar with this process. If they were they wouldn’t have blank administrator passwords now would they.

You could just map to a drive on that machine and browse files that are on that drive. When mapping to a drive it needs to be in the form “\\computer name\drive letter”. For example if I was trying to connect to drive C: on a computer named “Pam” it would look like Figure 1 below.

Figure 1: Map to drive on PC with blank admin password

Once you hit finish it will try and connect using your username or the username you are currently logged in with by default. If the username does not exist it will prompt you for a username and password. For a blank administrator password just enter administrator as the username and nothing for the password.

Figure 2: Username and password prompt

You should now see the contents of the C: drive on the computer named “Pam”. You could also enter the IP address instead of the computer name, either way works. This connection can also be made via the “net use” command. This command can be seen in Figure 3.

Figure 3: Connect to PC with blank admin password via command line

The asterisk after the username “administrator” will trigger a prompt for the password, which in this case you will just hit enter because the password is blank. Verification of these types of vulnerabilities will show others within your organization the seriousness of users not having strong passwords. Especially when you include screen shots showing the local hard drive of another user on the network. So just because you don’t have a fancy commercial scanner doesn’t mean you can’t periodically review your network. Running this type of script would also be a great way to correlate some of your findings with other tools that you may have at your disposal. Happy hunting on your network.

]]> http://travisaltman.com/scan-for-blank-admin-passwords-without-commercial-software/feed/ 7 http://travisaltman.com/im-back/ http://travisaltman.com/im-back/#comments Thu, 12 Jul 2007 10:20:25 +0000 travis I started this journey back in October of 2006 but took a break because of several reasons. New job, new town, new hosting provider, and last but not least my first child. Just about everything in my life has changed, but its all been for the better. I’m still getting paid to break information systems so that part hasn’t changed. I’ll repost some of my older articles and hopefully future posts will be chock full of hackery and more frequent.