Skip to content

Instantly share code, notes, and snippets.

@adricnet

adricnet/portproxy-evidence.md

Last active February 9, 2017 00:39
Show Gist options
  • Save adricnet/c15986106d45afb6fe1f66a4047d012b to your computer and use it in GitHub Desktop.
Save adricnet/c15986106d45afb6fe1f66a4047d012b to your computer and use it in GitHub Desktop.
Download ZIP
Raw
portproxy-evidence.md

Created a portproxy with netsh on archie, Win10 x64 to send traffic out to another host,port. Tested with netcat chat. Also made one in the seven VM, and the dumped memory variously.

netsh>add v4tov4 listenport=3333 connectaddress=192.168.0.8 connectport=8888 listenaddress=0.0.0.0

PS C:\malware> netsh interface portproxy show all

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         3333        192.168.0.8     8888

And it can be seen in running processes, with netstat -naobp TCP :

TCP    192.168.0.15:3333      192.168.0.15:16047     ESTABLISHED     1572   iphlpsvc

Volatile capture with winpmem2, write raw for volatility

PS> winpmem-2.1.post4.exe -o archie.aff4
PS> rekal.exe imagecopy -f .\archie.aff4 -O archie.raw

Nosing about to find memory that references the port proxy...

  • netsh may not have been runnign at time of w10 mem capture
  • Yarascan for the port number as string: rekal.exe -f .\archie.aff4 yarascan --string '3333'
    • many results that dont' look related, probably too broad a key
  • ibid for the IP address .. left running for a couple hours
  • another try for 'ProxyPort' gets at least one hit
archie> rekal.exe -f .\archie.aff4 yarascan --string 'PortProxy'
2017-02-08 18:50:24,236:WARNING:rekall.1:Unable to parse profile section $CONSTANT_TYPES
2017-02-08 18:50:24,237:WARNING:rekall.1:Unable to parse profile section $CONSTANT_TYPES
Owner    Rule        Offset                                  HexDump                              Symbol
----- ---------- -------------- ----------------------------------------------------------------- ------
-     r1         0x8202038bd448 50 6f 72 74 50 72 6f 78 79 00 00 05 20 00 00 00  PortProxy.......
                                a8 ff ff ff 6e 6b 20 00 02 d9 44 a6 97 3f d2 01  ....nk....D..?..
                                03 00 00 00 28 b1 4d 00 01 00 00 00 00 00 00 00  ....(.M.........
                                10 4b 5e 00 ff ff ff ff 0b 00 00 00 28 45 5e 00  .K^.........(E^.

Win10 netsh depreciation notice refers us to Powershell. Some trial and error with thsoe modules did not uncover the portproxy settings.

In future versions of Windows, Microsoft might remove the Netsh functionality
for TCP/IP.

Microsoft recommends that you transition to Windows PowerShell if you currently
use netsh to configure and manage TCP/IP.

Type Get-Command -Module NetTCPIP at the Windows PowerShell prompt to view
a list of commands to manage TCP/IP.

Visit http://go.microsoft.com/fwlink/?LinkId=217627 for additional information
about PowerShell commands for TCP/IP.

Guessing the storage is Registry, trying RegShot in the live VM shows it clearly:

HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp\0.0.0.0/4444: "192.168.0.15/8080"
HKLM\SYSTEM\CurrentControlSet\services\PortProxy\v4tov4\tcp\0.0.0.0/4444: "192.168.0.15/8080"

And now we can look with EG printkey on the memory dump(s)...

It's included in output of

PS> rekal.exe -f .\archie.aff4 printkey -r -k "\ControlSet001\Services" > archie-rekall-services.txt

Registry: Unnamed @ 0x82020323e000
Key name: PortProxy (S) @ 0x8202038bd3fc
Last updated: 2017-02-08 15:14:52Z

Subkeys:

Values:

but I'm having trouble pinning it down with Rekall or Vol26. Printkey is always so fiesty...

PS C:\malware> C:\tools\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone.exe -f .\seven-memdump.mem --pro
file Win7SP1x86_23418 printkey -K "services"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

The requested key could not be found in the hive(s) searched
PS C:\malware> C:\tools\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone.exe -f .\seven-memdump.mem --pro
file Win7SP1x86_23418 printkey -K "ControlSet001"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ControlSet001 (S)
Last updated: 2013-10-23 16:16:25 UTC+0000

Subkeys:
  (S) Control
  (S) Enum
  (S) Hardware Profiles
  (S) Policies
  (S) services

Values:
PS C:\malware> C:\tools\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone.exe -f .\seven-memdump.mem --pro
file Win7SP1x86_23418 printkey -K "ControlSet001"

And despite being in the services folder in the registry keys, it doesn't show in svcscan -V output as ProxyPort, but instead as "IP Helper".

Offset: 0x7bb828
Order: 127
Start: SERVICE_AUTO_START
Process ID: 876
Service Name: iphlpsvc
Display Name: IP Helper
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs
ServiceDll: %SystemRoot%\System32\iphlpsvc.dll
ImagePath: %SystemRoot%\System32\svchost.exe -k NetSvcs
FailureCommand:
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment