Comments for McGrewSecurity

Comment on - msramdmp by jeandez

jeandez — Thu, 01 Mar 2012 14:41:57 +0000

hi ,
i just want to know if there is a command to capture Random memory ? i try with : strings /proc/kcore
but i don’t know how to see the passwords, and whether there is a rootkit. The real problem is that, i installed a rootkit (LKM) on my computer (ubuntu 10.04), and i want to detect it in random memory.
thank you for your help !!!!!

Comment on Man-in-the-middle Fake DNS for Metasploit by SiriServer – polished and done | Going on my way…

SiriServer – polished and done | Going on my way… — Thu, 05 Jan 2012 11:44:23 +0000

[...] It uses this stuff: -metasploit fakeDNS server – enhanced version by Wesley McGrew, modified to work with the latest Metasploit, http://www.mcgrewsecurity.com/2008/08/04/man-in-the-middle-fake-dns-for-metasploit/ [...]

Comment on Defcon/Blackhat Slides, Whitepaper, Tools by koreaUNI_forensic_center

koreaUNI_forensic_center — Wed, 16 Nov 2011 05:36:38 +0000

executing “run modules/post/windows/gather/enum_drives.rb(imager, listdevices)” on meterpreter does not show any output why?..syntax error…..

Comment on - Hacking U3 USB Drives by iiiears

iiiears — Wed, 26 Oct 2011 15:40:31 +0000

usbsniff /that is all

Comment on Geohot Antagonizing Sony's Forensic Examiners? by Skippy

Skippy — Fri, 21 Oct 2011 14:16:17 +0000

The statement that the hard drives were encrypted is interesting. Likely the hard drives were locked through the BIOS, requiring a hard drive password to access the drives. Sony is known for using this technology. The password is stored within a process that hard codes the password to the system. You remove the hdd from the computer and you cannot image it. ( I’ve tried.) Removing the controller card and replacing with an identical one could bypass this protection allowing access to the data which is technically not encrypted just protected. Changing the boards could have been an attempt to bypass this protection, or changing them with the wrong board could prevent the examiner from replacing the controller card with the correct one, thus preventing the examiner from imaging the drive, since the examiner would then not be able to match the controller board. The other option either some kind of container encryption or something like bit locker could not be bypassed through controller card replacement.

Comment on Defcon/Blackhat Slides, Whitepaper, Tools by Anon

Anon — Thu, 08 Sep 2011 23:48:58 +0000

the path for the enum_drives module is post/windows/gather/forensics/enum_drives

Comment on - Hacking U3 USB Drives by andy

andy — Wed, 07 Sep 2011 18:05:39 +0000

Is there a way to get U3 on a normal flash. i have been looking in to it and the CDFS partition contains the U3 code which emulates the CD drive, or is it hard ware as in another chip emulating the CD drive. i think it could be done from a normal flash chip it would just have to be reprogrammed. (would copying the drive by sector to another drive emulate the CD drive or would the flash chip have to be re imaged to put in another sector with emulation code?)
thanks any help would be greatly appreciate (need to recreate CD emulation on flash drives) if it is hardware is it possible to get a MSP430 to do it?

Comment on Amending my F0rb1dd3n Network Review by Plagiarism and the State of Infosec Publishing | InfoSec Reviews Blog

Plagiarism and the State of Infosec Publishing | InfoSec Reviews Blog — Mon, 22 Aug 2011 13:14:21 +0000

[...] ‘This was an honest mistake and I sincerely apologize for any miscommunication. I hope that the correct and proper citations can be added soon and that all questions regarding copyright and plagiarism issues can be resolved. I hope the book can still be enjoyed as a valuable contribution to the information security community and I hope it will go on to fulfill its objective in reaching anyone who desires to learn more about hacking and security. I want to specifically apologize to Jayson, Kent, Syngress, Rachel, Angelina, all the readers, reviewers, and others who have taken offense. I want to fix this and I sincerely appreciate everyone’s positive support!’ (http://www.mcgrewsecurity.com/2009/10/16/amending-my-f0rb1dd3n-network-review/). [...]

Comment on Defcon/Blackhat Slides, Whitepaper, Tools by Wesley McGrew

Wesley McGrew — Mon, 22 Aug 2011 12:51:49 +0000

I’ll give this a shot on my test VMs when I get back home today, or earlier if I get the time to set it up here today.

Comment on Defcon/Blackhat Slides, Whitepaper, Tools by ebros

ebros — Mon, 22 Aug 2011 10:20:14 +0000

After svn update in bt5, executing “run modules/post/windows/gather/enum_drives.rb” on meterpreter does not show any output. Anybody successfully tested this?