Friday, January 27, 2012

Gathering More Data: SNMP

So let's say we run Nessus (a vulnerability scanner available in BT) against some machines and we see SNMP running. Now let's say Nessus comes back with "SNMP Agent Default Community Name"... you just got yourself another treasure trove of information :)

Hang on, what is SNMP anyway? SNMP is the Simple Network Management Protocol. It is used to monitor and manage network devices: routers, switches, printers, servers, workstations (pretty much anything that can have an SNMP agent installed on it). From Microsoft:
You can use SNMP in environments that include large networks with hundreds or thousands of nodes that would otherwise be difficult and costly to monitor. SNMP allows monitoring of network devices such as servers, workstations, printers, routers, bridges, and hubs, as well as services such as Dynamic Host Configuration Protocol (DHCP) or Windows Internet Name Service (WINS).
So it definitely is useful in a network environment; however, in the wrong hands and not locked down properly, it can be used against you. Maybe it's better to show you what I mean :) To the Backtrack cave!

I will show you two tools on BT5 which we can use to enumerate devices on the network via SNMP. The first one is snmpenum. Its parameters are:
snmpenum.pl <ip address> <community string> <config file>
Well, if Nessus returned telling us SNMP is running with the default community name, we know that it is 'public' (Nessus tells you that too, but so would Google). The tool comes with three config files, cisco.txt, windows.txt and linux.txt; choose whichever matches the device you are scanning. SNMP talks over UDP port 161, so let's fire up Wireshark and see what is going across the wire... this generates a lot of traffic, so let's focus on the first two packets.
[Screenshot: how I ran the command]
Each SNMP message carries a PDU (Protocol Data Unit), the request or response itself, inside a UDP datagram.
What the heck are those numbers?! Those are object identifiers (OIDs). An OID names one object in a tree-structured database called the Management Information Base (MIB), and every SNMP request and response refers to objects by OID. You can do a search of OIDs here. So what is this one? Well, let's follow it on the website. The first number (top level) is 1, which is ISO (International Organization for Standardization). OK, click that... the next numbers are:
  • 3 - ISO Identified Organization
  • 6 - US Department of Defense
  • 1 - Internet 
  • 2 - Management Section
  • 1 - MIB 2 (not the movie)
  • 25 - Host Resources
Blast, we ran out of lookups; luckily this site lists all the OIDs in the MIB-2 schema, and the remaining arcs come from the Host Resources MIB: 6 is hrSWInstalled, 3 is hrSWInstalledTable, 1 is hrSWInstalledEntry and 2 is hrSWInstalledName. A quick ctrl-f confirms it: hrSWInstalledName... all of that to get the name of installed software :) Or we could have looked at the windows.txt file, which lays it out in plain English for us (phew).

[Screenshot: windows.txt config file]
Luckily the get-response is a bit easier to decipher than the request:

[Screenshot: part of the SNMP response]
So we see here we have 10 responses in this packet. We have our base OID (1.3.6.1.2.1.25.6.3.1.2.n, where n is the row index in the installed-software table: it starts at 1 and goes up by one for each installed package). We also see the answers are in readable text (well, Wireshark converts them from hex for us). Here is a screenshot of the UDP stream: the RED is our BT instance (request) and BLUE is the intended victim (response).

[Screenshot: UDP stream, raw]
I know, slightly confusing; just think of it as a very roundabout way (for us) of checking what's running on a machine :)
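To make the packet structure above concrete, here is an added example of my own (it is not part of the original post and not snmpenum's or Net-SNMP's code): a small SNMPv2c encoder/decoder in Python that builds the same kind of request for hrSWInstalledName, parses the response, and loops the way snmpwalk does. The "agent" it talks to is a constructed in-memory stand-in and the software names it serves are made up; to use it against a lab box you would replace `send` with a UDP socket's sendto/recv on port 161.

```python
HR_SW_INSTALLED_NAME = "1.3.6.1.2.1.25.6.3.1.2"   # the OID decoded in the post
GETNEXT, RESPONSE, END_OF_MIB = 0xA1, 0xA2, 0x82   # PDU tags, v2c endOfMibView tag

def _len(n):                     # BER length: short form below 128, else 0x80|N then N bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content

def enc_int(v):                  # INTEGER, minimal two's-complement bytes
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def enc_oid(oid):                # OBJECT IDENTIFIER: "1.3" packs to 0x2B, then base-128 arcs
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:        # high bit set on every byte except the last
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_message(pdu_tag, community, request_id, varbinds, version=1):
    """varbinds: [(oid, encoded value TLV)]. version 1 on the wire means SNMPv2c."""
    vbl = b"".join(_tlv(0x30, enc_oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, enc_int(version) + _tlv(0x04, community.encode()) + pdu)

def _read(buf):                  # one TLV -> (tag, content, rest)
    tag, ln, pos = buf[0], buf[1], 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + ln], buf[pos + ln:]

def dec_oid(c):
    arcs, val = [c[0] // 40, c[0] % 40], 0
    for b in c[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def dec_value(tag, c):
    if tag == 0x02: return int.from_bytes(c, "big", signed=True)
    if tag == 0x04: return c.decode("latin-1")        # the "readable text" Wireshark shows
    if tag == 0x06: return dec_oid(c)
    return "endOfMibView" if tag == END_OF_MIB else (None if tag == 0x05 else c)

def parse_message(msg):
    _, body, _ = _read(msg)                        # outer SEQUENCE
    _, ver, body = _read(body)
    _, comm, body = _read(body)
    pdu_tag, pdu, _ = _read(body)
    _, rid, pdu = _read(pdu)
    _, err, pdu = _read(pdu)
    _, _, pdu = _read(pdu)                         # error-index, not needed here
    _, vbl, _ = _read(pdu)
    vbs = []
    while vbl:
        _, vb, vbl = _read(vbl)
        _, oid_c, vb = _read(vb)
        vtag, val, _ = _read(vb)
        vbs.append((dec_oid(oid_c), dec_value(vtag, val)))
    return {"version": dec_value(0x02, ver), "community": comm.decode("latin-1"),
            "pdu": pdu_tag, "request_id": dec_value(0x02, rid),
            "error_status": dec_value(0x02, err), "varbinds": vbs}

def walk(base, send, community="public"):
    """snmpwalk's loop: GetNext, feed the returned OID back in, stop once we leave the subtree."""
    rows, oid, rid = [], base, 1
    while True:
        resp = parse_message(send(build_message(GETNEXT, community, rid, [(oid, b"\x05\x00")])))
        if resp["pdu"] != RESPONSE or resp["request_id"] != rid or resp["error_status"]:
            break                                  # wrong id = not our answer; error = stop
        oid, value = resp["varbinds"][0]
        if value == "endOfMibView" or not oid.startswith(base + "."):
            break
        rows.append((oid, value))
        rid += 1
    return rows

def fake_agent(mib, community="public"):
    """Constructed in-memory agent so the walk runs offline; the rows it serves are made up."""
    keys = sorted(mib, key=lambda o: [int(a) for a in o.split(".")])
    def send(datagram):
        req = parse_message(datagram)
        if req["community"] != community:          # real agents just stay silent on a bad community
            raise TimeoutError("no response")
        asked = req["varbinds"][0][0]
        nxt = next((k for k in keys if [int(a) for a in k.split(".")] > [int(a) for a in asked.split(".")]), None)
        vb = [(nxt, _tlv(0x04, mib[nxt].encode()))] if nxt else [(asked, _tlv(END_OF_MIB, b""))]
        return build_message(RESPONSE, community, req["request_id"], vb)
    return send

SAMPLE_MIB = {   # constructed: two hrSWInstalledName rows, then the first row of the next column
    HR_SW_INSTALLED_NAME + ".1": "Microsoft .NET Framework 2.0",
    HR_SW_INSTALLED_NAME + ".2": "WebFldrs XP",
    "1.3.6.1.2.1.25.6.3.1.3.1": "hrSWInstalledID column: the walk must stop before here",
}
```

`walk(HR_SW_INSTALLED_NAME, fake_agent(SAMPLE_MIB))` returns the two name rows and stops at the first OID of the next column, which is exactly the boundary snmpwalk honours. Note that an agent handed the wrong community string simply never answers (the fake one raises TimeoutError for the same effect), which is why community-string guessing tools have to treat silence as a wrong guess rather than wait for an error.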

SNMPenum shows us the following:
  • running processes
  • installed software
  • system info
  • hostname
  • domain
  • uptime
  • users
  • shares
  • disks
  • services
  • listening TCP ports
  • listening UDP ports
Pretty awesome considering we have not even pwned the box yet! All of this for free, and it can be used to sharpen your attacks on a machine (installed software and listening ports tell you which exploits to go looking for; user names feed password guessing).

snmpwalk is similar to snmpenum, however its output is much more verbose and not formatted to look pretty like snmpenum's. This one is better if you are trying to follow the requests/responses in Wireshark, though. For example, I was confused when I looked at the PDUs why n went up to 108; there definitely are not 108 programs installed on my machine. Looking at the snmpwalk output showed me it was returning several attributes of each installed package (name, install date, software type, and so on), each a separate column in the same table. If you want generalities, go for snmpenum; you want as much information as possible? snmpwalk. The basic usage is:
snmpwalk -v 2c -c <community string> <target ip> [OID]
(use -v 1 if the agent only speaks SNMPv1). If you know the OID you want to look up (like the one above), pass it as the last argument and snmpwalk walks only that subtree. Below is a quick screenshot of snmpwalk in action.

[Screenshot: snmpwalk output snippet]

I should also say here that SNMP version 3 does not use community strings at all; it has per-user authentication and optional encryption, so unless the admin picked a weak password (or you *cough* bruteforce *cough* it), these tools will not work against it. Versions 1 and 2c send the community string in the clear in every packet, which is exactly what made the Wireshark dissection above so easy. You should also not be able to do this from outside the internal network, since UDP 161 should be blocked at the perimeter.... should.

You can do a whole lotta stuff with SNMP; check out SecurityProNews for more information. It's especially good if you find a router, as seen in Vivek's videos.

I will post my findings from snmpenum on pastebin (here it is!) so you can see what the output looks like, but I suggest you go out there and try it yourselves! How do you think this could be used against the victim?

Friday, January 20, 2012

Creation of Database in Metasploit

So sometimes you have a whole lot of hosts you need to run a scan against. It's hard to keep track of them all, so I have created a video showing how to create the database tables in Metasploit on Backtrack 5.



A few notes about the video:
  • I tried using the xvid codec and it would not work... still tweaking the recording on my test machine so apologies about the sound quality. 
  • I go off on a tangent around minute 8 (read: so if all you care about is the database you can switch it off) about a script I wrote which grabs tables from the database and outputs each table to a file for you. The point of this script was to have something (not in XML) which I could view the information in (i.e. a spreadsheet program). It is still a work in progress, so it still does not output super pretty like I want it to (especially db_vulns) but I think it's a step in the right direction! I also realized I think my method of search/replace would have worked had I clicked 'Match Entire Cell Contents' in Excel... oh well. 
  • I am still interested in getting Dradis to work so if anyone has had any luck getting it on BT5 to import the Metasploit database please let me know! Doing some Googling it seemed like issues with Ruby?
  • I would be remiss here if I did not talk about Vivek's Metasploit Megaprimer over at Securitytube.net. It is an amazing collection of videos. I hope my blog does not follow his videos too closely, as I will be focusing on finding exploits and vulnerabilities, while his focuses on the amazing power of Metasploit (i.e. what you do AFTER you pwned someone). Very cool, very worth a watch! Also the Metasploit Unleashed I discussed earlier is pretty good at explaining the capabilities of Metasploit.
Girl, Unallocated made me aware that the Forensic4cast Awards are going on. Now there are a lot of good guys and gals out there with some awesome blogs, books, and podcasts. This is your way of telling the world just how awesome they really are. There are a bunch of different categories to choose from, so vote for your favs!

For something completely different, I am running a half marathon (I know right) in April and have started training for it. Please bear with me as I am now trying to do work (the thing I get paid for), train, and blog (which helps me in my job but still kinda need to do in my off hours).

Next post I will stick with Metasploit and research services for potential vulnerabilities and exploits. Then I will move onto web sites and applications. Stay tuned!

Monday, January 16, 2012

Banner Grabbing: Whats Running!

So--- let me output the result of some ICMP, TCP, and UDP scans of my victim. I am using Nmap here, but you can use whichever scanning tool you are comfortable with.

If you just type nmap on the console you will get pretty detailed help with all the switches nmap supports. Let's first start with an ICMP echo scan: -PE sends ICMP echo requests, and we add -sn, which disables port scanning for now (so it is host discovery only).

[Screenshot: ICMP echo scan]

So we scan our network and discover ourselves (192.168.0.5) and another host, 192.168.0.10. We have to be wary of relying on ICMP scans alone: ICMP is often restricted on networks, especially when scanning from outside, and a host that drops echo requests is simply not seen. Let's see if we can do a TCP port scan to see what TCP ports are open on our potential victim. Let's go with the TCP SYN scan (-sS).

[Screenshot: TCP SYN scan]

Oh wow, what a find! Nmap says we have FTP, SMTP (mail), web, SMB (port 445) AND an MSSQL server! Apparently this user never thought of breaking server roles out onto different machines... lucky for us :-)

So now we should figure out what versions those services are running, if we can. This way we can research and determine if they are running exploitable versions. Before I show you a way with nmap, I am going to quickly go to an old friend of mine, netcat. Netcat is a great tool which I highly recommend having in your arsenal: it can scan for open ports, set up connections (valid and not so valid) between two machines, let a remote shell be shoveled to you from your victim, and even grab banners for you :) If you want to do all this over an encrypted connection, well, there is cryptcat.

Ok so lets do a banner grab for port 25, the SMTP mail service.

[Screenshot: netcat banner grab of port 25]

So the command is quite easy here: nc -vv <ip> 25. The '-v' stands for verbose (I am being EXTRA verbose with the double v), then the IP and the port I am querying. As you can see, we found a Microsoft ESMTP MAIL Service, Version 6.0.2600.5512. The '6.0' makes it look like Exchange 2000 (which Wikipedia lists as version 6.0), but 2600.5512 is the Windows XP SP3 build number, so this is actually the SMTP service that ships with IIS on XP Professional. A quick google search takes me to a Securiteam webpage showing the exploits in version 6 of ESMTP; check that anything you find applies to the XP build and not just to Exchange before you get excited.

Let's see what Wireshark says:

[Screenshot: Wireshark output of the netcat banner grab]

So we see our three-way handshake being established and then our potential victim responding with an SMTP greeting announcing what version it is running. You can configure the server so the version is not displayed, which buys a little obscurity against script kiddies (it is not a substitute for patching). I should also point out that not every port will greet you like this when you connect; only certain protocols and software speak first, and for the rest you have to send something.

One more for fun, lets try port 80. For this one we need to interact with the prompt to get output, but its quite easy. So first we connect:

[Screenshot: netcat connected to port 80]
As you can see, we have a prompt waiting for input. I typed 'GET HTTP', which got the information we were looking for; the well-formed version is 'GET / HTTP/1.0' followed by a blank line (press Enter twice), which any web server will answer.

[Screenshot: querying port 80 with netcat]

So this gives us our web server, IIS 5.1, the version that ships with Windows XP Professional (consistent with the SMTP build above). Again, a quick google search reveals a few candidates we could try against this web server. This is looking promising!
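Netcat hands you the raw text and leaves the reading to you. As an added example (my own code, not from the original post or from netcat/nmap), here is a small Python banner grabber that sends a well-formed HTTP request instead of 'GET HTTP', handles the silent-port and refused-connection cases, and pulls product and version out of the SMTP and HTTP replies. The two sample banners are constructed to match what the screenshots show; the XP service-pack lookup is my own mapping of the 2600.xxxx build numbers.

```python
import re
import socket

# Constructed banners in the shape of what the post's screenshots show.
SAMPLE_SMTP = ("220 victim Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 "
               "ready at  Mon, 16 Jan 2012 20:10:33 -0500 \r\n")
SAMPLE_HTTP = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.1\r\n"
               "Date: Mon, 16 Jan 2012 20:11:02 GMT\r\nContent-Type: text/html\r\n"
               "Content-Length: 1433\r\n\r\n")

# What to send after connecting; None means the server speaks first (SMTP, FTP greetings).
PROBES = {
    21: None,
    25: None,
    80: b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n",   # well-formed; a bare 'GET HTTP' is luck
}

def grab_banner(host, port, timeout=3.0):
    """Connect, send the port's probe if any, return the first chunk of text or an error string."""
    probe = PROBES.get(port)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe % host.encode())
            return s.recv(4096).decode("latin-1", "replace")
    except socket.timeout:
        return "<open but silent after %.1fs>" % timeout   # not every service greets you
    except OSError as e:
        return "<error: %s>" % e

def parse_smtp_banner(line):
    """220 greeting -> hostname, product, version (None if this is not a 220 greeting)."""
    m = re.match(r"220\s+(\S+)\s+(.*?)(?:,\s*Version:\s*([\d.]+))?\s+ready at", line)
    if not m:
        return None
    return {"hostname": m.group(1), "product": m.group(2).strip(), "version": m.group(3)}

def parse_http_headers(text):
    """Status line plus headers -> dict; product/version split from 'Microsoft-IIS/5.1' style values."""
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = {"status": lines[0]}
    for ln in lines[1:]:
        k, _, v = ln.partition(":")
        out[k.strip().lower()] = v.strip()
    m = re.match(r"([^/\s]+)(?:/([\d.]+))?", out.get("server", ""))
    out["product"], out["version"] = (m.group(1), m.group(2)) if m else (None, None)
    return out

def windows_build_hint(version):
    """Build 2600 is Windows XP; the last field is the service pack (my own mapping)."""
    parts = version.split(".") if version else []
    if len(parts) == 4 and parts[2] == "2600":
        sp = {"2180": "SP2", "5512": "SP3"}.get(parts[3], "unknown service pack")
        return "Windows XP (%s) built-in service, not Exchange" % sp
    return None

if __name__ == "__main__":
    smtp = parse_smtp_banner(SAMPLE_SMTP)
    print(smtp["product"], smtp["version"], "->", windows_build_hint(smtp["version"]))
    http = parse_http_headers(SAMPLE_HTTP)
    print(http["product"], http["version"])
    # Against a lab target: print(grab_banner("192.168.0.10", 25)); print(grab_banner("192.168.0.10", 80))
```

The HEAD request is deliberate: it returns the same headers as GET without the body, so the Server line arrives in the first recv() even on a large page.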

OK, now onto something a tad more automated: nmap again has a switch for service detection (-sV). Let's run that on our host and see what it returns:

[Screenshot: nmap -sV output]

So, as you can see, life is just a tad easier with that little switch: here are our banner grabs done automatically for us! Hooray! It even guessed, based on the responses, which OS we are running. If you want nmap to dig deeper into OS detection, add -O on your command line. Nmap uses many of the packet header fields (TTL, window size, option ordering and so on) to make a guess at the OS; for more information, check out the nmap website.

So, that's all well and good, but what if you have multiple hosts (read: more than 3 or 4)? Then what shall we do? Never fear, for Metasploit has thought of that too :) I will actually make this part a video; sorry, I can't be bothered to type any more! I am currently trying to get Dradis to play nicely, so it will be posted later!



Saturday, January 14, 2012

Script to Collect System Information

Here it is folks, I have decided to try and give something back to the community via this script. I would not call it groundbreaking in the slightest, but if it makes someone's job out there a tad easier then I am happy :)

This was tested on Windows 7 and 2008. I assume it would work on Vista too, please let me know if it doesn't! Also if you would like to see any additions or make any suggestions just email me at icanhazblog[at]gmail[dot]com and I can see what I can do. Like I said, I am new to the PowerShell world and was blown away by its capabilities, so I am sure I am missing some cool tricks.

So now I know there are some blatant issues with this, its using your own system tools which could have been subverted by whatever badness is on the machine. Plus there could be a rootkit which hooks these System Calls so you are not getting correct information--- these have been taken into consideration and I will figure something out :)


You can grab the script code from my Pastebin page, just put into your own ps1 file on your machine.

-- About the Tool --
How to Run: Just invoke it from a PowerShell prompt running as Administrator.

More Info: Each section is written to its own txt file in a folder called 'output' in the directory the script is run from. You need to be Administrator for some of the collection steps, and you need to relax the execution policy to run an unsigned script on your system. Check it first with 'Get-ExecutionPolicy', then try 'Set-ExecutionPolicy Unrestricted' (or limit the change to the current session with 'Set-ExecutionPolicy Unrestricted -Scope Process'); just make sure you switch it back when done to be safe!

Upcoming Additions: I would like to add dumping the contents of the recyclebin too, just trying to figure out how to add it nicely.

What its Grabbing:

--FILE LOCATIONS --
TEMP (as set in the system environment variables)
C:\TEMP
C:\WINDOWS\Temp
Application Data Directory
System32 (dll, sys, and exe files)
C:\ (exe files)
Prefetch files

--INTERNET FILES --
Internet Explorer
Mozilla (I only detect if it exists, need to view via another program for now)

--SYSTEM INFO --
Services (sorted by State)
Tasklist (processes associated with a service, i.e. tasklist /svc)
Tasklist (DLLs loaded by each process, i.e. tasklist /m)

--REGISTRY--
hklm\software\microsoft\windows\currentversion\run
hklm\software\microsoft\windows\currentversion\runonce
hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\run
hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce
hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (migrated systems only)
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  (migrated systems only)
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

--NETWORK INFO --
DNS cache
Netstat -anob

Thursday, January 12, 2012

Scanning Redux: TCP and UDP

So we wrap up the blog postings on scanning with TCP and UDP scans. Again, I stress that there are other types of scans out there; I just want to highlight some of them.

TCP
TCP stands for Transmission Control Protocol. This is the powerhouse of protocols; many applications ride this bad boy straight to your computer. Example: this web page! Your email client and file transfer programs use TCP too. Why? Because TCP is reliable: it sets up a connection between two hosts, making sure both know what is going on (who is sending? who is receiving? did you receive that? Hey, I received the packet, keep sending... Oh fizzle sticks, I never received this one packet, please resend! K, thx bai!)

How does TCP do this? Well, with the ever classic 3-way handshake. You can definitely check out the WIKI page for the official description. I liken the 3-way handshake to the best relationship ever: before speaking to his/her mate, one partner gets the other's attention (SYN), the other looks back to confirm they heard (SYN-ACK), and then, once they have each other's attention, the first starts to speak (ACK).

I am going to assume people understand TCP well enough to go through the scanning options; if not, there is plenty of documentation out there on the interwebs. Below is the TCP packet header from the SANS cheat sheet I talked about last post. You can grab the whole cheat sheet here.

[Image: TCP header from the SANS cheat sheet]


[Image: the flag byte of the TCP header]
TCP SYN Scan: This is when you start the 3-way handshake described earlier, except you never get past the 2nd step. Nmap here shows the scanning machine sending a RST, tearing down the half-open connection (otherwise the target would sit in SYN-RECEIVED waiting for our ACK... what a waste!).

[Screenshot: TCP SYN scan; 192.168.0.10 responded with a SYN-ACK, we have an open port!]
Let's take a closer look at the flag byte...

[Screenshot: flag bits of a TCP SYN packet]


So for those who count in binary, we see this byte is 00000010, which is decimal 2. Cool, so when that bit is 'flipped' (switched to '1'), what does it mean? Looking at the SANS cheat sheet, we see that SYN is the 2nd bit from the right... or 00000010. Wait, that's what it says! It must mean the SYN flag is on! Hoorah!

So riddle me this, Mr./Miss Smarty Pants: what would the flag byte of a SYN-ACK be? Well, let's go back to the sheet; it says ACK is the 5th bit. So if we flip both SYN and ACK on, we get 00010010, which is what in decimal? Whip out those calculators or pencils! The answer is 18 in decimal, ah, but Wireshark shows the byte in hex, which is base 16: 18 = 1 x 16 + 2, so that gets us the hex value 0x12! And just to prove it, here is the flag byte of a SYN-ACK packet.


[Screenshot: flag bits of a TCP SYN-ACK packet]
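Rather than doing the binary-to-hex by hand each time, here is an added example of my own (not from the original post) that encodes and decodes the flag byte, builds a bare 20-byte TCP header with struct, and turns a reply into the port state nmap would report. It goes a little beyond this paragraph by also covering the FIN/PSH/URG combination used by the Xmas scan discussed further down. The headers it parses are constructed in the `__main__` block; the checksum field is left at zero because computing it needs the IP pseudo-header.

```python
import struct

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,   # bits 1-4 from the right
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}   # bits 5-8

def flags_to_byte(names):
    return sum(FLAGS[n] for n in names)

def byte_to_flags(b):
    return {n for n, bit in FLAGS.items() if b & bit}

def build_tcp_header(sport, dport, seq, ack, flag_names, window=8192):
    """20-byte header, no options. Checksum left 0: it needs the IP pseudo-header."""
    data_offset = 5 << 4                       # 5 x 32-bit words in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset,
                       flags_to_byte(flag_names), window, 0, 0)

def parse_tcp_header(raw):
    sport, dport, seq, ack, off, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (off >> 4) * 4, "flag_byte": flags,
            "flags": byte_to_flags(flags), "window": win}

def syn_scan_state(reply):
    """How nmap reads the answer to a SYN probe; reply=None means nothing came back."""
    if reply is None:
        return "filtered"
    f = parse_tcp_header(reply)["flags"]
    if {"SYN", "ACK"} <= f:
        return "open"                          # step 2 of the handshake; we answer with RST
    if "RST" in f:
        return "closed"
    return "filtered"

def xmas_scan_state(reply):
    """FIN/PSH/URG probe against an RFC 793 stack: RST = closed, silence = open|filtered.
    Windows answers RST for every port, so there every port reads as closed."""
    if reply is None:
        return "open|filtered"
    return "closed" if "RST" in parse_tcp_header(reply)["flags"] else "open|filtered"

def describe(flag_byte):
    """Render the byte the way the post does: binary, decimal, hex and flag names."""
    names = "/".join(sorted(byte_to_flags(flag_byte))) or "none"
    return "{:08b} = {} = 0x{:02X} -> {}".format(flag_byte, flag_byte, flag_byte, names)

if __name__ == "__main__":
    # Constructed packets standing in for the Wireshark captures in the post.
    syn_ack = build_tcp_header(80, 40000, 1000, 2001, ["SYN", "ACK"])
    rst_ack = build_tcp_header(81, 40001, 0, 2001, ["RST", "ACK"])
    print(describe(parse_tcp_header(syn_ack)["flag_byte"]), "=>", syn_scan_state(syn_ack))
    print(describe(parse_tcp_header(rst_ack)["flag_byte"]), "=>", syn_scan_state(rst_ack))
    print(describe(flags_to_byte(["FIN", "PSH", "URG"])), "=> Xmas probe")
```

`describe(0x12)` gives `00010010 = 18 = 0x12 -> ACK/SYN`, the same byte highlighted in the screenshot above.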


TCP Connect Scan: This is exactly what it sounds like: the full 3-way handshake is done to determine open ports. This scan is slower than the SYN scan (this makes sense, sometimes you have to wait ages to get your partner to listen and then start to speak!), and because you now have a full connection, it has a much better chance of being logged by the application on the victim. Not good if you are going for stealth. It does work when you are not root, though,, since it uses the operating system's normal connect() call rather than raw packets; nmap falls back to it automatically in that case. And if you are being hampered by filtering devices between you and your intended victim, a completed handshake is sometimes the only thing that gets through.

TCP Xmas Scan: Sounds festive, right? This scan sets the FIN, PSH, and URG flags ("lit up like a Christmas tree"). It works against RFC 793-compliant stacks such as Linux and most BSDs but not against Windows (remember how I said different OSes respond to packets differently?). This is going off RFC 793, page 65:
if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response.
So these are a bit sneaky and can slip past some stateless packet filters, but like I said, they only tell you anything on Linux/Unix-style stacks. Windows by default answers these probes with an RST/ACK whether the port is open or not, so every port comes back 'closed'. This is seen below, using the two hosts we used in the above example.

[Screenshot: Xmas scan result; it was open on the other scan.... Bah humbug!]

UDP
UDP is the User Datagram Protocol. It is connectionless: there is no handshake like TCP, and the sender does not find out if a datagram is dropped along the way. However, if you stream anything across the internet (like I am right now with internet radio), chances are pretty good you are using UDP. DNS also uses UDP for name resolution, and DHCP is over UDP as well. Because there is no connection setup and no retransmission (UDP has only a simple checksum), packets get out the door faster and to many hosts in a quicker fashion. Rock on UDP!

UDP Scan: As we said before, many services use UDP, such as DNS (which is a pretty juicy target!). This scan shows UDP port 124 responding back to our scanner with an ICMP port unreachable (type 3, code 3), indicating the port is closed. Had nothing come back at all, nmap could only say open|filtered, since a silent port could be either a service that did not answer our empty probe or a firewall eating the packet.

[Screenshot: ICMP port unreachable... sorry, we are closed!]

This is what my nmap output is for that scan, and it is what it should be, port 124 is closed:

[Screenshot: nmap -sU result]
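The logic nmap applies to those answers is worth seeing in code. The following is an added example of my own (not from the original post or from nmap): it parses an ICMP destination-unreachable message, digs the probed port out of the quoted UDP header so a stray ICMP from another probe is not mis-attributed, and maps the reply to the four UDP states nmap uses. The port-unreachable packet it classifies is constructed in the block (checksums are left at zero and not verified).

```python
import struct

# ICMP type 3 codes nmap maps to a state; anything else is treated like no answer.
ICMP_UNREACH_CLOSED = {3}                      # port unreachable
ICMP_UNREACH_FILTERED = {0, 1, 2, 9, 10, 13}   # net/host/protocol unreachable, admin prohibited

def parse_icmp_unreachable(raw):
    """ICMP header + quoted IP header + first 8 bytes of the offending UDP datagram.
    Returns (code, probed destination port) or None if this is not a type 3 about UDP."""
    icmp_type, code = raw[0], raw[1]
    if icmp_type != 3 or len(raw) < 8 + 20 + 8:
        return None
    quoted = raw[8:]                           # the packet that triggered the error
    ihl = (quoted[0] & 0x0F) * 4               # IP header length in bytes
    if quoted[9] != 17:                        # protocol field: 17 == UDP
        return None
    _sport, dport, _length, _csum = struct.unpack("!HHHH", quoted[ihl:ihl + 8])
    return code, dport

def udp_probe_state(probed_port, answer):
    """answer: None, ("udp", payload bytes) or ("icmp", raw icmp bytes)."""
    if answer is None:
        return "open|filtered"                 # silence: live service that ignored us, or a firewall
    kind, data = answer
    if kind == "udp":
        return "open"                          # only a listening service talks back in UDP
    parsed = parse_icmp_unreachable(data)
    if parsed is None or parsed[1] != probed_port:
        return "open|filtered"                 # unrelated ICMP; do not attribute it to this port
    code, _ = parsed
    if code in ICMP_UNREACH_CLOSED:
        return "closed"
    if code in ICMP_UNREACH_FILTERED:
        return "filtered"
    return "open|filtered"

def make_port_unreachable(scanner_ip, target_ip, sport, dport, code=3):
    """Constructed ICMP type 3 quoting a 28-byte UDP probe from scanner to target."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(int(x) for x in scanner_ip.split(".")),
                     bytes(int(x) for x in target_ip.split(".")))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + udp

if __name__ == "__main__":
    closed = make_port_unreachable("192.168.0.5", "192.168.0.10", 40000, 124)
    print("124/udp:", udp_probe_state(124, ("icmp", closed)))             # closed
    print("53/udp: ", udp_probe_state(53, ("udp", b"\x00\x00\x81\x80")))  # open
    print("161/udp:", udp_probe_state(161, None))                         # open|filtered
```

Matching on the quoted destination port matters when you scan many ports at once: a host that rate-limits ICMP errors (Linux does, by default about one per second) will answer only some probes, and nmap slows down to cope with exactly that, which is why UDP scans of a whole range take so long.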

As people posted in the comments, there are tons of tools out there you can use; nmap is just one of many. The key is to find the one you like and trust. Nping, which someone mentioned earlier, allows much finer tuning of the packets you send out. p0f does passive host identification. All the other scans I have shown are active: we are interacting in some way with the intended target. p0f simply listens to network traffic and, based on what it sees from the target, determines the OS, which is the stealthiest you can get, as you are simply observing (well, there is always a catch: you only learn about hosts whose traffic passes your sniffer). And like Jon said... a new version is coming out!

I did not talk about the multiple states that nmap can report back to the user, a good explanation is here on their website. Heck, I recommend the whole reference guide.

Next we get onto fingerprinting/version detection... well, I may post my PowerShell script first. That will probably go on Pastebin. Like I said, it's nowhere near perfect and I am always looking for more ways to make scripting better, faster, and more kick ass (because let's face it... we are lazy and want something else to do the grunt work).

 
 

Tuesday, January 10, 2012

A Bit of Fun... Musical Selection

[Image: amazing photo of David Guetta by ehlo]
So when we were setting up for MFIRE in Abu Dhabi, we had to listen to music while setting up. Not just any music, 'hacking' music as we called it. Do you guys listen to a certain type of music when you are doing pen tests/forensics/coding? Just for fun I will post my favourite podcasts/stations/songs I listen to when working, feel free to share.... you may find your new fav groove!

Back to the regular blog postings soon! :) In the meantime, crank it up!



Monday, January 09, 2012

Beginning Web Pen Testing: ICMP Scans

[Image: even Trinity has to scan...]
Got the Hacme Shipping VM up and running, and the link I posted last post about the setup made life so much easier. In addition to the steps in the tutorial, make sure you also install the .NET Framework 2.0, which can be grabbed here. And there is a typo in the tutorial: if you need to access the ColdFusion administrator via the web browser yourself, go to:
 http://127.0.0.1/CFIDE/administrator/index.cfm
Oh, and make sure you have enough space on your VM; you can expand the virtual disk from the command line with vmware-vdiskmanager. 15 GB should suffice, 8 GB is not enough (I found out the hard way).

So these next few posts will be about scans. I know, I know, scanning is so -boring- right?! However, what did I say before? If you do not understand the basics and the versatility of your toolkit, you are missing data. Also, it never looks good when someone asks "Why did you try that?" and your response is "Because it was the example in the book and I thought that was good enough." Sorry guys, but you gotta start at the beginning :) I also do not know who my audience is out there on the interwebs, so I figure start small and work my way up to more fun things (it's always good to have a refresher, right?)

Different operating systems respond to scans differently: where Windows XP shows a port as 'open', Windows 7 (with its firewall on by default) may show it as 'filtered'. The key is understanding the scan you are running, and then examining the results to determine what they mean. The way a machine responds to scan probes is also another way of determining the OS of the host you are scanning (also known as fingerprinting). That being said, I am not going to go through all the scans nmap has to offer, nor will I break each packet down to every bit and byte; try them on your own networks and see what works!

ICMP Scanning
ICMP stands for Internet Control Message Protocol. This is generally what you use on your internal network when troubleshooting connectivity problems (ping, traceroute). It is also why you should restrict ICMP echo and the other informational replies at the network edge: they let an attacker map your internal network from outside. Let's see a simple example of an ICMP echo request, the most common ICMP packet.

[Screenshot: ping command output]
An ICMP echo request packet is type 8 and a reply is type 0. This can be seen in the ICMP header via Wireshark or any handy packet sniffer.

[Screenshot: ICMP request, type 8 highlighted]
[Screenshot: ICMP reply, type 0 highlighted]

OK, so let's go back to our command output; we see a TTL field. What is that? Well, TTL stands for Time To Live. It is actually a field in the IP header of every packet, not something specific to ICMP, and ping just prints it. It is a number which gets decremented by 1 every time the packet goes through a router (known as a 'hop') on the way to its destination, so a misrouted packet dies instead of looping forever. The default TTL for Windows XP is 128 (many OSes differ, see here for a list: Linux uses 64 and most network gear 255). Our TTL is... 128, so the reply did not pass through any router; it came straight from the destination (so we are definitely on the same network!). By the way, the TTL is another method to help determine the operating system: subtract the observed value from the nearest common default and you get both an OS guess and a hop count.

Let's look at a more 'legitimate' ping.


So here we have an ICMP packet going to www.google.com. As you can see, this took a bit longer than our first request, but more importantly, look at the TTL: it's nowhere near 128! TTL becomes more interesting when trying to map firewalls, internet gateways, and routers, as it shows you how packets are routed to hosts on a network (utilities like tracert work by sending packets with TTL 1, 2, 3... and watching who sends back the 'time exceeded' message).

I am going to briefly touch on ICMP broadcast messages. If you are doing an internal network assessment of a company and you send an ICMP echo request to the broadcast address, what do you do if nothing comes back? Pack up and leave? No! Again, different OSes respond differently to different requests. For example, Windows by default does not respond to ICMP broadcast requests (and Linux ignores them too, via the icmp_echo_ignore_broadcasts sysctl), whereas Solaris on the whole does respond. So again, you can't just do one scan and expect to grab everything.

So before I wrap up for today, I am going to touch on a few other ICMP scans:

TimeStamp Request (Type 13) and TimeStamp Reply (Type 14): Asks the machine for its current time, as milliseconds since midnight UTC. If it responds... well, you know it is alive AND you know what its clock says (handy for spotting clock skew, and one more fingerprinting data point, since many stacks never answer these at all). So on my backtrack5 box I ran the following command:
ping -T tsonly 192.168.0.9
The '-T' switch sets the IP timestamp option on the echo request (strictly speaking this is the RFC 791 IP option rather than an ICMP type 13 message, but the answer is the same kind of timestamp; nmap's -PP below sends the real type 13), and 'tsonly' says all I want is timestamps. This gave me the following answer:
64 bytes from 192.168.0.9: icmp_seq=1 ttl=128 time=1.50 ms
TS:     74834377 absolute
Take 74834377 milliseconds and do some maths (divide by 3,600,000 for hours, the remainder by 60,000 for minutes, what's left by 1,000 for seconds) and you get 20:47:14, i.e. about 8:47 pm, which is what time it is right now in GMT :)

Address Mask Request (Type 17) and Reply (Type 18): Asks for the subnet mask of an interface. Again, if it responds you have a live host (and now know the subnet and broadcast address, if you didn't already).
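To see exactly what goes on the wire for these, here is an added example of my own (not from the original post): a Python builder/parser for the ICMP echo, timestamp and address-mask messages discussed above, including the RFC 1071 checksum both sides have to get right, the milliseconds-since-midnight arithmetic from the timestamp section, the broadcast address that follows from a mask reply, and the TTL-to-OS/hop-count guess. The packets in the `__main__` block are constructed to stand in for the captures; sending them needs a raw socket (root), which is left to the reader.

```python
import ipaddress
import struct
import time

ECHO_REPLY, ECHO_REQUEST = 0, 8
TS_REQUEST, TS_REPLY = 13, 14
MASK_REQUEST, MASK_REPLY = 17, 18

def checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, carries folded, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, ident, seq, payload=b""):
    """8-byte header (type, code 0, checksum, identifier, sequence) plus payload."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(hdr + payload), ident, seq) + payload

def ms_since_midnight_utc(now=None):
    """What a timestamp carries: milliseconds since 00:00 UTC."""
    now = time.time() if now is None else now
    t = time.gmtime(now)
    return ((t.tm_hour * 60 + t.tm_min) * 60 + t.tm_sec) * 1000 + int(round((now % 1) * 1000))

def ms_to_clock(ms):
    """The post's 'do some maths': 74834377 -> '20:47:14'."""
    s, _ = divmod(ms, 1000)
    h, s = divmod(s, 3600)
    m, s = divmod(s, 60)
    return "%02d:%02d:%02d" % (h, m, s)

def build_timestamp_request(ident, seq, originate_ms=None):
    orig = ms_since_midnight_utc() if originate_ms is None else originate_ms
    return build_icmp(TS_REQUEST, ident, seq, struct.pack("!III", orig, 0, 0))

def build_timestamp_reply(ident, seq, originate_ms, receive_ms, transmit_ms):
    return build_icmp(TS_REPLY, ident, seq, struct.pack("!III", originate_ms, receive_ms, transmit_ms))

def build_mask_reply(ident, seq, mask):
    return build_icmp(MASK_REPLY, ident, seq, ipaddress.IPv4Address(mask).packed)

def parse_icmp(raw):
    """Decode type/code/id/seq, verify the checksum, unpack the typed payloads."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    out = {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
           "checksum_ok": checksum(raw) == 0, "payload": raw[8:]}   # valid packet sums to 0
    if icmp_type in (TS_REQUEST, TS_REPLY) and len(raw) >= 20:
        o, r, t = struct.unpack("!III", raw[8:20])
        out["timestamps"] = {"originate": ms_to_clock(o), "receive": ms_to_clock(r),
                             "transmit": ms_to_clock(t), "receive_ms": r}
    elif icmp_type in (MASK_REQUEST, MASK_REPLY) and len(raw) >= 12:
        out["mask"] = str(ipaddress.IPv4Address(raw[8:12]))
    return out

def broadcast_for(ip, mask):
    """Mask reply in hand, the broadcast address follows."""
    return str(ipaddress.ip_network("%s/%s" % (ip, mask), strict=False).broadcast_address)

def ttl_guess(observed_ttl):
    """Nearest common initial TTL (64 Linux/BSD, 128 Windows, 255 network gear) and hop count."""
    initial = min((i for i in (64, 128, 255) if i >= observed_ttl), default=255)
    return initial, initial - observed_ttl

if __name__ == "__main__":
    # Constructed packets standing in for the captures in the post.
    req = build_icmp(ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
    print("echo request type", parse_icmp(req)["type"], "checksum ok", parse_icmp(req)["checksum_ok"])
    rep = build_timestamp_reply(1, 1, 74834000, 74834377, 74834377)
    print("target clock:", parse_icmp(rep)["timestamps"]["receive"])        # 20:47:14
    mask = parse_icmp(build_mask_reply(1, 1, "255.255.255.0"))["mask"]
    print("mask", mask, "broadcast", broadcast_for("192.168.0.9", mask))
    print("ttl 128 ->", ttl_guess(128), "ttl 54 ->", ttl_guess(54))
```

Verifying the checksum on replies is not pedantry: the kernel normally discards bad-checksum ICMP for you, but once you are reading raw sockets or pcap files yourself, that filtering is gone.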

So how do you get these scans going in nmap? If you just type 'nmap' on the command line you get a list of all its parameters. Here are the ones I discussed today:

-PE (ICMP echo), -PP (ICMP timestamp) and -PM (ICMP netmask discovery); add -sn to keep it to host discovery only.

So get out there, fire up your favourite scanning tool and start playing with the different host discovery scans. What can you see? Do some scans miss things that others pick up on? Why do you think that is? Get Wireshark going and look at the packets... the more you know!

Additional Links:

Friday, January 06, 2012

A Whole New World... Web External Pen Testing

[Image: scene from Disney's Aladdin, from Fransisca's Portfolio]
Ever tried doing a scan of your own network (or one you had permission to)? Awesome... here are some service versions, open ports, operating systems, etc. However, what do you do with that data when you are done? Well, this is what I am now endeavoring to find out...

I have been doing an external web assessment for work and let me tell you, I have a lot to learn.  Luckily for us, there are a ton of resources out there to help someone learn how to do this!

First assumption to throw out the window: it has to be a complicated hack to gain access :)

So how to start? Well, there are tons of 'exploitable' systems out there which can be used. Metasploitable seems like a great one to learn from, and it even has some tutorials/howtos on the left which you can throw against your new vulnerable image. I will probably start here (taking notes as I go!). There is also a free tool from McAfee Foundstone called Hacme Shipping which "demonstrate common web application hacking techniques such as SQL Injection, Cross Site Scripting and Escalation of Privileges as well as Authentication and Authorization flaws and how they are manifested in the code". This sounds impressive, but it requires a bit more setup than Metasploitable (which is a VM). However, there is a guide to setting it all up courtesy of pingtrip.com.

OK, we've got the victim; now what tools do we use to analyze and hopefully pwn our poor little web services? OWASP has a security framework built on top of a web browser called Mantra, which looks pretty slick. Like Backtrack, it has information gathering tools, editors (which means you can edit inline), tools for pentesting, etc., except its focus is on web-based offense/defense. You can get a list of all the tools here. Heck, Mantra is actually in Backtrack 5... so Backtrack would be a good bet!

In addition, I found some other fun websites which may prove useful later on:
This (of course) serves a dual purpose: I can look at the logs after I have pwned my service to see what it looks like, so if I ever encounter a similar log in the field I have a better idea what it is and how the site was subverted. Learning pen testing will make me a better network forensic investigator... score :)

Anyone have any additional hints/pointers/sites/tutorials? I would love to hear them!

P.S. I am working on a PowerShell script which will grab a ton of artifacts on Vista/XP (read: Temporary Internet Files, AutoRun registry settings, temp directories), where badness generally resides. I sent it to my team for a pass to make sure it works and to make any adjustments/comments; then I plan on sharing it with the community. I am sure it isn't the best tool, but it's flexible and can be added to as needed. If anything, it shows how kickass and powerful PowerShell can be.