Friday, March 6, 2009

Detecting PWDump in log files

Helped a client recently to identify whether PWDump had been successfully run on a system. There are a million ways to do it; however, the easiest is to check whether the PWDump service (it gets a randomized, GUID-style name) was successfully started and stopped. When PWDump executes, it installs a service on the target, starts it, dumps the hashes, and then stops the service. Each of those transitions is recorded by the Service Control Manager in the System event log (event ID 7036, "The <name> service entered the running/stopped state"), so the trail survives after the tool and its service are gone, as long as the log has not been cleared. The check keys on the GUID-shaped service name, so a legitimately installed service with a GUID name will trip it too; treat a hit as a lead to confirm against the surrounding events rather than as proof on its own. The following Python code is available with a compiled binary as well as the source. This is something I whipped up in about 20 minutes, so don't be too rough on the code :P Simply export the System event log as a CSV; the parser reads in the event log, runs a regex over each line, and flags if/when PWDump was run.

Source code below:

# import required python modules
import re
import sys

print """
[-] PWDump Event Log Finder [-]
[-] Written by David Kennedy @ SecureState [-]
"""

try:
    # define logfile name
    eventlog = raw_input("""
This tool will search for instances of pwdump within the SYSTEM event log.

Simply enter the filename of the system event log, example: system.csv

*NOTE* Ensure that the event log was exported as a CSV.


Enter the filename for the SYSTEM log: """)
    # used for unique report name
    servername = raw_input("Enter the servername: ")
    # open CSV log file
    try:
        fileopen = file(eventlog, "r").readlines()
    # throw error if filename not there
    except IOError:
        print "\n[-] Error [-] Filename was incorrect. Try again...."
        sys.exit(1)
    # define report file
    filewrite = file("%sfindingsreport.txt" % (servername), "w")
    # set counter to 0
    counter = 0
    for line in fileopen:
        # regex string for pwdump would look something like 23F423432-43AV-2323-FBEA-JSD23930292
        # (the GUID-style service name PWDump registers, as it appears in the
        # Service Control Manager 7036 message "The <name> service entered the <state> state")
        match = re.search(r"The {........-....-....-....-............} service entered", line)
        if match:
            # flag counter if hit on regex
            counter = counter + 1
            # write finding to file
            filewrite.write(line)
    # if counter hit and is above 0, define var, print it, and write it to file
    if int(counter) > 0:
        var1 = """
[-] W A R N I N G [-]

PWDump appears to have been executed on this system (%s matching event(s)).

CHECK "%sfindingsreport.txt" FOR MORE INFORMATION.

[-] W A R N I N G [-]
""" % (counter, servername)
        print var1
        filewrite.write(var1)
    # if no instances of pwdump write to report file that it wasn't found
    if counter == 0:
        print "\n[-] The system appears to not have executed PWDump [-]\n"
        filewrite.write("PWDump was not detected on the system.")
    # close write file
    filewrite.close()
    # pause before application exit
    pause = raw_input("Press <enter> to exit the application.")
# except something unexpected and raise error and print it
except Exception, e:
    print "Something went wrong, printing error: " + str(e)
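To show the detection logic on a concrete input, here is an added Python 3 example; it is not part of the original post or the SecureState tool. It parses a small, constructed CSV export (the column layout Type,Date,Time,Source,Category,Event,User,Computer,Description and the timestamp format are assumptions for the example; real exports differ by Windows version and export method), keeps only Service Control Manager 7036 events whose service name has the GUID shape, and pairs each running/stopped transition so you can see how long the service lived. It goes one step beyond the original: instead of counting regex hits it reconstructs the start/stop timeline, which is what ends up in the report.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a SYSTEM log exported as CSV. It is not a real export;
# the column layout (Type,Date,Time,Source,Category,Event,User,Computer,Description)
# and the timestamp format are assumptions for this example.
SAMPLE_CSV = """Type,Date,Time,Source,Category,Event,User,Computer,Description
Information,3/6/2009,10:12:01,Service Control Manager,None,7036,N/A,WEBSRV01,The Print Spooler service entered the running state.
Information,3/6/2009,10:15:33,Service Control Manager,None,7035,N/A,WEBSRV01,The {3A1F0C92-8B2E-4D1A-9C7F-5E6D2B8A1F03} service was successfully sent a start control.
Information,3/6/2009,10:15:33,Service Control Manager,None,7036,N/A,WEBSRV01,The {3A1F0C92-8B2E-4D1A-9C7F-5E6D2B8A1F03} service entered the running state.
Information,3/6/2009,10:15:34,Service Control Manager,None,7036,N/A,WEBSRV01,The {3A1F0C92-8B2E-4D1A-9C7F-5E6D2B8A1F03} service entered the stopped state.
Information,3/6/2009,11:02:10,Service Control Manager,None,7036,N/A,WEBSRV01,The Windows Update service entered the stopped state.
"""

# Service Control Manager event 7036 reads "The <name> service entered the <state> state."
# PWDump registers its service under a random GUID-style name, so the name is matched
# against the 8-4-4-4-12 shape (alphanumerics, like the original tool's wildcard
# pattern) rather than against a fixed string.
GUID_SERVICE_RE = re.compile(
    r"The (\{[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\}) "
    r"service entered the (\w+) state"
)


def parse_events(csv_text):
    """Read the CSV export into dicts and attach a parsed timestamp to each row."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["when"] = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        events.append(row)
    return events


def guid_service_transitions(events):
    """Map each GUID-named service to its 7036 state changes, in log order."""
    transitions = defaultdict(list)
    for ev in events:
        if ev["Source"] != "Service Control Manager" or ev["Event"] != "7036":
            continue
        m = GUID_SERVICE_RE.search(ev["Description"])
        if m:
            transitions[m.group(1)].append((ev["when"], m.group(2)))
    return dict(transitions)


def find_pwdump_candidates(events, max_seconds=300):
    """Pair each 'running' with the next 'stopped' for every GUID-named service.

    A service that appears, runs for seconds, and stops is the PWDump pattern;
    `short_lived` records whether the lifetime stayed within max_seconds.
    """
    findings = []
    for name, steps in guid_service_transitions(events).items():
        started = None
        for when, state in steps:
            if state == "running":
                started = when
            elif state == "stopped" and started is not None:
                lifetime = (when - started).total_seconds()
                findings.append({
                    "service": name,
                    "started": started,
                    "stopped": when,
                    "seconds": lifetime,
                    "short_lived": lifetime <= max_seconds,
                })
                started = None
    return findings


if __name__ == "__main__":
    hits = find_pwdump_candidates(parse_events(SAMPLE_CSV))
    if not hits:
        print("[-] No GUID-named service start/stop pairs found [-]")
    for hit in hits:
        print("[!] %s ran %s -> %s (%.0fs)%s" % (
            hit["service"], hit["started"], hit["stopped"], hit["seconds"],
            " short-lived, consistent with PWDump" if hit["short_lived"] else ""))
```

Two caveats when using this against a real export. A start with no matching stop (or the reverse) usually means the log wrapped or was cleared, so print the unpaired transitions too rather than silently dropping them. And a legitimate product that registers a GUID-named service will produce the same pair; the GUID shape narrows the haystack, but the binary path behind the service name is what settles it.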
