Metasploit mailing list archives

some ideas, roadmap cleanup, and ugly jokes..


From: Marco Polo <titjow () hotmail com>
Date: Thu, 16 Sep 2010 20:12:56 +0000


Hi everybody!

Here are some feature requests, info about some bugs and questions about the roadmap.


1) About the stealthy script I made a proposition for:

I thought it'd be great to add modifications to the "disable_audit.rb" script or make a new script that will rename each log file to $file.evt(x).old. Renaming them doesn't change the MACE time.
Then for the roll back, just rename them to the original name so it'll overwrite the old files. It may change the MACE time but we can change them again, plus it'll leave no new event in the log.

Forget about editing them automatically atm: I wasn't able to find any OS built-in exe, scripts or tools under BSD licence that will allow us to convert them to an easily editable form (e.g. *.log, *.csv etc.), and running the event viewer under wine is a real pain depending on the version you're using.
But maybe the simple way is just to edit disable_audit.rb so it'll display help and an option to roll back the file :)


Information needed for it:
---------------------------

files location under vista/seven/2008 = %SystemRoot%\System32\Winevt\Logs\*evtx
files location under 2000/NT/XP/2003 = %SystemRoot%\System32\Config\*.Evt

file format under 2000 / NT = .evt
file format under xp / 2003 = .evt
file format under vista/seven/server 2008 = .evtx

vista/seven cli utility to convert logs' format: "wevtutil" (requires admin privileges) .evt <> .evtx


2) About http://www.metasploit.com/redmine/issues/390 : "Arpscan for Meterpreter"

Shouldn't it be closed? I thought it was done in r9733 and last modded in r10321.

I mean, you guys accomplished more things than you want to tell us ;)

3) About http://www.metasploit.com/redmine/issues/608 : "Meterpreter should support a filesystem API for checking the existence of a file/dir"

As POSIX & Java meterpreter have the stdapi_ext, shouldn't it be closed or nearly? See:

http://www.metasploit.com/redmine/issues/2418#change-9532 : "Complete support for the POSIX Meterpreter"
http://www.metasploit.com/redmine/issues/406 : "Full Java Payload Support"

I couldn't find a dedicated ticket for the PHP meterpreter but I don't think it supports it as its last rev is 9393. Maybe creating a ticket for the PHP meterpreter would help?

4) About http://www.metasploit.com/redmine/issues/2258 : "killav script fails to kill mcafee"

Well... lots of mail on the mailing list about that atm :)

In my last mail I made some propositions about the name of the A-V findable in the registry... well, it seems I was mistaken as I couldn't find it. Neither my google-fu nor my tests (extracting the registry before and after A-V installation (AVG, Avast & G-Data) and comparing them) allowed me to find such a key.

So the idea is, instead of looking for a specific executable in the "ps" list, why not search the list of installed software (already done in a script), then search with the new extension or by cmd for all the .exe names in the installation path, and then do as suggested in videos and some mails on the mailing list: search related services, disable them, then kill the exe's?

Instead of having a list of exe's to find, it'd be a list of folders. But here again, some A-V have different versions so different folder names... But once in a while the joker can be on the good side?.. (sorry for this ugly joke but I felt like I had to...)


As usual, sorry for the long time taken reading this and for my typos.

Thx again for bringing us this wonderful tool :)

M.P.
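From the defender's side, the rename trick described in point 1 leaves two traces that do not depend on timestamps (which, as the mail notes, renaming preserves): files in the Winevt\Logs directory carrying a trailing .old, and core logs whose .evt/.evtx file is no longer there. The following check is an added example, not code from the original mail or from the Metasploit project; the directory listing it scans is constructed, not a real capture.

```python
import re
from pathlib import PureWindowsPath

# Extensions the mail lists for each Windows generation.
EXPECTED_EXT = {".evt", ".evtx"}
# Logs that should always be present on a running system.
CORE_LOGS = {"application", "security", "system"}
# Matches "Security.evtx.old" or "System.evt(1).old", the naming scheme the mail proposes.
RENAMED = re.compile(r"\.evtx?(\(\d+\))?\.old$", re.IGNORECASE)

# Constructed sample listing of %SystemRoot%\System32\Winevt\Logs after such a rename.
SAMPLE_LISTING = [
    r"C:\Windows\System32\winevt\Logs\Application.evtx",
    r"C:\Windows\System32\winevt\Logs\Security.evtx.old",
    r"C:\Windows\System32\winevt\Logs\System.evtx(1).old",
    r"C:\Windows\System32\winevt\Logs\Setup.evtx",
]


def find_renamed_logs(paths):
    """Return file names that look like event logs moved out of the way."""
    return [PureWindowsPath(p).name for p in paths if RENAMED.search(PureWindowsPath(p).name)]


def missing_core_logs(paths):
    """Return core log names that have no .evt/.evtx file in the listing."""
    present = set()
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() in EXPECTED_EXT:
            present.add(wp.stem.lower())
    return sorted(CORE_LOGS - present)


def audit_log_directory(paths):
    """Combine both checks into one finding dict for a log directory listing."""
    return {"renamed": find_renamed_logs(paths), "missing": missing_core_logs(paths)}


if __name__ == "__main__":
    print(audit_log_directory(SAMPLE_LISTING))
```

On a live host the listing would come from os.listdir of the path the mail gives for each Windows version; a hit in either list is worth an alert because no supported tool produces those names.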
