Friday, October 29, 2010

Using Regshot

When you are using security tools like Metasploit, or want to analyse malware, it can be helpful to have a tool that quickly shows you what changes a program (either good or bad) has made to your system.

There are plenty of tools that will do this for Windows, Linux (and Mac too). I will look at one for the Windows platform, specifically Regshot.

The program can be downloaded from SourceForge at the following address: http://sourceforge.net/projects/regshot/

Once the program has been downloaded, extract it using your favorite file extractor such as WinRAR, WinZip or 7-Zip. Then launch regshot.exe to open the program.

You can choose to save the output file as either a text file or HTML. HTML is a bit easier to read, so I'll use that. Then decide where you want to save the file; I'll put mine in "My Documents".

Once that is done you can take your first "shot", which records the state of the machine prior to installing anything, as the first screenshot shows (choose "shot" instead of "shot and save").

Once you have saved your first shot, install some software (I installed Audacity, an audio editor, for this demo) as the next screen shows.

Finally, take your second shot after the software has finished installing (again using "shot and save").

When that is complete, the "compare" button, which was previously greyed out, should now be available. The resulting window should look something like this:

As you can see from the output, Regshot shows you exactly what files were added to the machine, what registry keys were added and what values were added to those keys, as well as how many changes there were in total.

This tool can be very handy if you want to examine malware (hopefully in a VM) and need to know what changes it has made to your system.
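As an added example (not Regshot's code and not from the original post), here is a small Python implementation of the same shot / compare idea: hash every file under a directory, pair it with a flat key/value map that stands in for registry data, then report what was added, removed or modified and the total change count. The directory contents and the registry-style key names are constructed for the demonstration.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

@dataclass
class Shot:
    """Snapshot: relative file path -> SHA-256, plus a flat key/value map that
    stands in for registry data (constructed here; Regshot reads the live registry)."""
    files: dict = field(default_factory=dict)
    values: dict = field(default_factory=dict)

def take_shot(root, values=None):
    """Record every regular file under root with its hash (Regshot's 'shot')."""
    root = Path(root)
    shot = Shot(values=dict(values or {}))
    for path in root.rglob('*'):
        if path.is_file():  # skips directories, sockets and dangling links
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            shot.files[path.relative_to(root).as_posix()] = digest
    return shot

def diff_maps(before, after):
    """Keys added, removed, or whose value/hash changed between two maps."""
    return {'added': sorted(k for k in after if k not in before),
            'removed': sorted(k for k in before if k not in after),
            'modified': sorted(k for k in before if k in after and before[k] != after[k])}

def compare(shot1, shot2):
    """Regshot's 'compare': per-category changes plus the total change count."""
    report = {'files': diff_maps(shot1.files, shot2.files),
              'values': diff_maps(shot1.values, shot2.values)}
    report['total_changes'] = sum(len(v) for c in ('files', 'values')
                                  for v in report[c].values())
    return report

def demo():
    """Constructed walkthrough: shot, simulated install, second shot, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'readme.txt').write_bytes(b'v1')
        before = take_shot(root, {r'HKCU\Software\Demo\Version': '1.0'})
        # the "installer": drops a binary, rewrites readme, adds a registry value
        (root / 'App').mkdir()
        (root / 'App' / 'app.exe').write_bytes(b'MZ constructed sample')
        (root / 'readme.txt').write_bytes(b'v2')
        after = take_shot(root, {r'HKCU\Software\Demo\Version': '1.0',
                                 r'HKCU\Software\Demo\InstallDir': r'C:\App'})
        return compare(before, after)
```

Calling demo() returns a report with one added file, one modified file and one added value; on a real machine you would point take_shot at the directories you care about and fill the values map from winreg.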

Sunday, October 3, 2010

Python Program to Scan IPs and Ports

Here is a program I wrote in Python to scan a range of IPs and a chosen port:

I started with this code from class:

**************

import socket

IPRange = input('Enter an IP Address: ')
Port = int(input('Enter the Port Number: '))  # int(): Python 3 input() returns a string
a, b, c, d = IPRange.split('.')
for x in range(1, 255):  # 1..254, the usable host addresses of a /24
    ip = a + '.' + b + '.' + c + '.' + str(x)
    # without a timeout a filtered host makes connect() block for minutes;
    # 'with' closes the socket on every path instead of leaking it
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1.0)
        try:
            s.connect((ip, Port))
        except OSError:  # refused, unreachable or timed out
            print('%s: Port Closed' % ip)
            continue
        print('%s: Port Open' % ip)


****************


import socket

IPRange = input('Enter an IP Address: ')
UserInput = input('Enter IP Class to scan (A/B/C): ').strip().upper()
Port = int(input('Enter the Port Number: '))  # int(): no eval-style input()
a, b, c, d = IPRange.split('.')


def check(ip, port, timeout=1.0):
    # One TCP connect per host. The timeout keeps filtered hosts from
    # blocking the scan, and 'with' closes the socket on every path.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
        except OSError:  # refused, unreachable or timed out
            print('%s: Port Closed' % ip)
            return False
        print('%s: Port Open' % ip)
        return True


hosts = range(1, 255)  # 1..254
if UserInput == 'C':
    for x in hosts:
        check(a + '.' + b + '.' + c + '.' + str(x), Port)
elif UserInput == 'B':
    for y in hosts:
        for x in hosts:
            check(a + '.' + b + '.' + str(y) + '.' + str(x), Port)
elif UserInput == 'A':
    # 254 * 254 * 254 hosts scanned one at a time: expect this to take days
    for z in hosts:
        for y in hosts:
            for x in hosts:
                check(a + '.' + str(z) + '.' + str(y) + '.' + str(x), Port)
else:
    print('%s: Input Error try again' % UserInput)


The above screenshot shows how the program works. It prompts you first for an IP address, then the class and finally a port number (this run would fail as the IP that I entered is not a web server).

Although I can see how it is useful to be able to write apps like this in Python, I much prefer using prebuilt tools like Nmap, which is far more flexible and powerful for scanning a range of IPs and ports.