Utilizing winexe to create a backdoor

On Thursday of this week I was fortunate enough to work alongside a colleague of mine as we were conducting a forensic investigation. We had retrieved an active laptop and wanted to conduct a live memory dump of the system. Unfortunately there was a password on the screen saver and we didn't want to compromise the data in any way. His solution to achieve our goals was to use a program called winexe from a *nix system.

Winexe allows a person to connect to the IPC$ share of an active host. Now you might say "what's the point?" Take a moment and look at it from a corporate investigative standpoint. If you have a system for which you possess a local admin account (perhaps a standard one used by the company help desk), you can use winexe to access that IPC$ share.

Now winexe opens the winexesvc control named pipe, "ahexec". After a successful connection it passes the optional parameters (e.g. --runas, --system) and the command itself to the winexesvc process via that pipe.

Then winexesvc creates two pipes, ahexec_stdio%08X and ahexec_stderr%08X (where %08X is replaced by a unique number), and runs the command with its I/O redirected to those pipes.
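The pipe names above are the most durable host-side trace winexe leaves, so a responder reviewing endpoint telemetry can hunt for them directly. The following script is an added example, not code from the post or from the winexe project: it parses a constructed, Sysmon-like "PipeCreated" log format (the field layout and the sample lines are assumptions, not real captured output), flags pipes matching the ahexec control pipe and the ahexec_stdio/ahexec_stderr I/O pipes, and pairs the I/O pipes by their %08X suffix so each remote command execution shows up as one session.

```python
import re
from typing import Dict, List, Optional, Set

# Patterns derived from the pipe names the post describes:
#   control pipe   -> \ahexec
#   per-command I/O -> \ahexec_stdio%08X and \ahexec_stderr%08X (8 hex digits)
WINEXE_PIPE_PATTERNS = [
    ("winexe control pipe", re.compile(r"\\ahexec$", re.IGNORECASE)),
    ("winexe I/O pipe", re.compile(r"\\ahexec_(stdio|stderr)[0-9A-F]{8}$", re.IGNORECASE)),
]

# Captures the kind (stdio/stderr) and the %08X session id of an I/O pipe.
SESSION_RE = re.compile(r"ahexec_(stdio|stderr)([0-9A-F]{8})$", re.IGNORECASE)

# Assumed log layout (constructed for this example; not a real Sysmon export).
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"pipe=(?P<pipe>\S+) image=(?P<image>.+)$"
)

# Constructed sample events: one benign browser pipe, one winexe control pipe,
# one stdio/stderr pair for a single command, and a near-miss name that must
# not be flagged.
SAMPLE_LOG = """\
2024-01-10T09:12:01Z host=WS01 event=PipeCreated pipe=\\mojo.1234.5678 image=C:\\Program Files\\Chrome\\chrome.exe
2024-01-10T09:12:07Z host=WS01 event=PipeCreated pipe=\\ahexec image=C:\\Windows\\winexesvc.exe
2024-01-10T09:12:08Z host=WS01 event=PipeCreated pipe=\\ahexec_stdio000004E8 image=C:\\Windows\\winexesvc.exe
2024-01-10T09:12:08Z host=WS01 event=PipeCreated pipe=\\ahexec_stderr000004E8 image=C:\\Windows\\winexesvc.exe
2024-01-10T09:13:44Z host=WS01 event=PipeCreated pipe=\\ahexecfoo image=C:\\Windows\\notepad.exe
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict of fields, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_winexe_pipes(log_text: str) -> List[Dict[str, str]]:
    """Return every PipeCreated record whose pipe name matches a winexe pattern."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "PipeCreated":
            continue
        for label, pattern in WINEXE_PIPE_PATTERNS:
            if pattern.search(rec["pipe"]):
                hits.append({**rec, "indicator": label})
                break  # one label per record is enough
    return hits


def winexe_sessions(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group I/O pipe hits by their %08X suffix: one entry per executed command."""
    sessions: Dict[str, Set[str]] = {}
    for h in hits:
        m = SESSION_RE.search(h["pipe"])
        if m:
            sessions.setdefault(m.group(2).upper(), set()).add(m.group(1).lower())
    return sessions


if __name__ == "__main__":
    found = find_winexe_pipes(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["indicator"]}: {h["pipe"]} ({h["image"]})')
    for session_id, kinds in winexe_sessions(found).items():
        print(f"command session {session_id}: pipes {sorted(kinds)}")
```

A session that has both a stdio and a stderr pipe is a complete remote command execution; seeing the control pipe with no I/O pair usually means the connection was made but no command ran. On a host where winexe is not an approved administration tool, either pattern is worth an alert.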

Now we create a Netcat reverse shell and we are into the system from the Linux console, completing a nifty little memory dump. Voilà, active memory secured on a password-protected system.

I will have future posts on utilizing Netcat and tools and tricks for capturing the active memory.

You can find this great tool at http://eol.ovh.org/winexe/

3 Responses to “Utilizing winexe to create a backdoor”

  1. tanmoy Says:

    It makes everything easy.

  2. shme Says:

    Winexe is a handy tool but this is nothing truly groundbreaking. Psexec \\computername cmd.exe will do the same.

  3. secauditor Says:

    Shme,

    You hit it on the head: not groundbreaking, but very handy.
