15 12 2013
Build your own NSRL Server
It’s been a long time since I wrote a blog post. I moved to Singapore and started a new job and I simply lost track of time. I couldn’t let the year end without getting at least a few posts up. I promise 2014 will be better as I actually missed blogging this year.
This post will cover how to get your own NSRL server running so you can perform hash checks while you are out on IR engagements, or whatever the “case” may be.
What you need to get started:
- http://www.nsrl.nist.gov/RDS/rds_2.41/rds_241m.zip -> NSRL hashes (or your own)
- **REMnux: http://sourceforge.net/projects/remnux/files/version4/
- http://rjhansen.github.io/nsrllookup/ -> nsrllookup, 32-bit and/or 64-bit.
- https://github.com/rjhansen/nsrllookup/tree/master/src -> master.zip
**I’m sure you can use another Linux distro, but I already had REMnux installed and configured.
remnux@remnux:~/$ sudo ./configure --with-nsrl=rds_241m.zip
remnux@remnux:~/$ sudo make install
Check if the process is running. It should be quite large as it will load all of the hashes into memory for better performance.
remnux@remnux:~/$ ps aux |grep nsrl
remnux 6984 0.4 62.5 2139288 1938472 ? Ssl 02:03 0:22 nsrlsvr
You’re done. Simple, huh?
On a pretty much fresh install of Windows XP SP3, filtering by “unknown” only, you should get something like this. Note that most of the unknowns are VMware Workstation related: the installed version is newer than the last time the NSRL hashes were posted.
md5deep.exe -o e -s C:\Windows\System32\* | nsrllookup.exe -s 192.168.1.13
NOTE: I only hashed executable files (-o e). By default nsrllookup.exe uses the -u (unknown) flag, which is most likely what you’ll be using, so you don’t have to specify it. If you want to filter by -k (known) instead, run nsrllookup.exe -k -s <ip>.
You can use a customized hash set if you want: pass -f <location_to_your_set> when starting nsrlsvr. I used NSRL because everyone knows about it. If anyone knows of a more up-to-date or better list of hashes, put it in the comments so everyone can use it. I use a combination of NSRL and custom hashes.
Here are the options from nsrlsvr:
remnux@remnux:~$ nsrlsvr -h
Usage: nsrlsvr [-vbhsSo -f FILE -p PORT -t TIMEOUT]
-v : print version information
-b : get information on reporting bugs
-f : specify an alternate RDS (default: /usr/local/share/nsrlsvr/NSRLFile.txt)
-s : allow clients to query server status (default: disabled)
-S : run as a normal process (do not run as a daemon)
-o : only support old (1.0) nsrlsvr protocol
-h : show this help message
-p : listen on PORT, between 1024 and 65535 (default: 9120)
-t : stop after TIMEOUT seconds of inactivity (default: disabled)
Organizations that use a standard baseline should be able to automate this and leverage it pretty easily within their environment.
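As an added example (not part of the original post and not nsrllookup’s own code), here is a Python script that reproduces the md5deep | nsrllookup pipeline from above against your own nsrlsvr, the kind of baseline check the previous paragraph has in mind. It assumes the nsrlsvr 2.0 line protocol (a “Version: 2.0” handshake answered with OK, “query” lines answered with OK plus one 0/1 per hash, BYE to close) and approximates md5deep’s -o e by file suffix; check both against the nsrlsvr source before relying on it.

```python
import hashlib
import socket
from pathlib import Path

NSRLSVR_PORT = 9120   # nsrlsvr default port, from the -h output above
BATCH = 100           # hashes sent per query line (assumed safe size)
EXE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}  # stand-in for md5deep -o e (which checks file type)

def md5_of_file(path):
    """Uppercase hex MD5 of one file, read in chunks so big binaries do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def hash_executables(root):
    """{path: MD5} for executable-looking files under root (approximation of md5deep -o e)."""
    return {str(p): md5_of_file(p) for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in EXE_SUFFIXES}

def parse_query_reply(reply, expected):
    """Parse an assumed 'OK 0110' reply (one 0/1 per queried hash, 1 = in the RDS) into bools."""
    parts = reply.strip().split(" ", 1)
    if (len(parts) != 2 or parts[0] != "OK" or len(parts[1]) != expected
            or set(parts[1]) - {"0", "1"}):
        raise ValueError(f"unexpected nsrlsvr reply: {reply!r}")
    return [c == "1" for c in parts[1]]

def query_nsrlsvr(hashes, host, port=NSRLSVR_PORT, timeout=10):
    """Ask nsrlsvr which MD5s are in its RDS; returns {md5: known}. Assumed line protocol:
    'Version: 2.0' -> 'OK', 'query <md5> ...' -> 'OK <bits>', 'BYE' to close."""
    hashes, known = list(hashes), {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", newline="")
        f.write("Version: 2.0\r\n"); f.flush()
        if f.readline().strip() != "OK":
            raise RuntimeError("nsrlsvr did not accept the 2.0 handshake")
        for i in range(0, len(hashes), BATCH):
            batch = hashes[i:i + BATCH]
            f.write("query " + " ".join(batch) + "\r\n"); f.flush()
            known.update(zip(batch, parse_query_reply(f.readline(), len(batch))))
        f.write("BYE\r\n"); f.flush()
    return known

def unknown_files(root, host):
    """Same result as md5deep -o e ... | nsrllookup -s HOST: paths whose MD5 is not in the RDS."""
    hashed = hash_executables(root)
    known = query_nsrlsvr(set(hashed.values()), host)
    return sorted(p for p, h in hashed.items() if not known[h])
```

Call unknown_files(r"C:\Windows\System32", "192.168.1.13") to get the same list the md5deep pipeline prints; swap the suffix set for a proper PE-header check if you need md5deep’s exact file selection.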
Props to RJHansen for writing this tool! Thanks.
Enjoy. Let me know if you need any help. I honestly don’t know if I already had any dependencies installed on my REMnux box, which made my install very easy. Hopefully it comes out of the box like this; I didn’t have time to go back and check. I’m writing this from my wifi cell connection, so I’m unable to re-download REMnux and try it out.