Ethical Hacker Community Forums

Even after Microsoft bought Mark Russinovich and Bryce Cogswell's company, we still love these tools. Now they're available online, and you can run them directly from a CLI. This should make for some very interesting scripts. Imagine running some of these tools on an 0wned system without ever having to copy files to the victim's machine. One other idea of what to do once you've got a shell. Hmmmmmmmmmmmm...


Here's the contents of http://live.sysinternals.com/About_This_Site.txt


http://live.sysinternals.com

Offer up your own thoughts,
Don

This is really cool.

I just tried it on my IE and DOS prompt and its working perfectly. Need to explore more on the available tools.

If you are not sure of the tools and want to have a list, open your internet explorer and type in


You get the list of EXE's and the associated files (including help files)

This is really gonna bring in new dimensions to our thoughts on hacks.

Hmmmm... seems cool but I am not sure I want all my activity logged by Microsoft.  Although it does give me an idea about maybe setting up my own web server for the same purpose.

This is indeed a fascinating feature.  And, while I applaud Microsoft's desire to "test an alternate distribution mechanism for our utilities," I'm very concerned about the security issues this opens up.

First off, by typing \\[machine]\[share] at a cmd.exe, you are causing your machine to make an SMB session with Microsoft, across the Internet.  Theoretically, Microsoft thus could capture the challenge/response interaction (LM Challenge/Response, NTLMv1, or NTLMv2, depending on how you are configured), and crack your passwords, a la the Cain tool.  However, you might think that's not a big deal, because, well, Microsoft already owns you, since the first time you installed Windows 3.1.

But the issue goes beyond that.  In essence, Microsoft, in distributing tools this way, is teaching people that doing LM C/R, NTLMv1, or NTLMv2 exchanges with people across the Internet is ok.  Even if users don't think of it in those terms, this action by Microsoft will lull people into complacency regarding such interactions. 

Furthermore, someone on the network between the machine running the commands and Microsoft could intercept the traffic and crack the credentials.  Or, bad guys could merely observe the traffic to determine who allows outbound SMB access from a target environment (it's a good idea to block such outbound traffic on TCP ports 135-139 and 445). Such leaked info is very useful for bad guys.  And, what's to say that Microsoft itself won't be compromised, with attackers capturing and cracking the challenge/response.  And, finally, with DNS cache poisoning, the bad guy could become  live.sysinternals.com, at least as far as your network is concerned.  Thus, you'd be sending credentials to the evil cache-poisoning dude, and then running executables he sends back to you.

Neat idea... terrifying security ramifications.  IMHO.

--Ed Skoudis.

This site should only be used as a download site. Using it to run the commands live on a regular basis is ludicrous.

Nice... I'll have to check that out. I like a number of the sysintneral tools.  Running them remotely via a web connection might be nifty..

Nifty enough to get you canned. I like the idea, but the implementation needs some work. Stuff like this could keep us all busier than we would like.

Nifty enough to get you canned?  Eh?

I don't know if it will keep us any busier persay.  It allows you to run things without having to install anything on a box, which is useful.  Granted, a hacker could do that... but they're more likely going to be wanting to actually install something anyway.  Mabey nmap for more host discovery, nessus, and some exploit packages.   I like the tools since it will make it so I don't have to have the sysinternal progs on a thumbdrive.  I'll just use the web.