System Forensics

All your artifacts are belong to us.

Build your own NSRL Server

It’s been a long time since I wrote a blog post. I moved to Singapore and started a new job and I simply lost track of time. I couldn’t let the year end without getting at least a few posts up. I promise 2014 will be better as I actually missed blogging this year.

This post will cover how to get your own NSRL server running so you can perform hash checks while you are out on IR engagements, or whatever the “case” may be.

What you need to get started:

  1. http://www.nsrl.nist.gov/RDS/rds_2.41/rds_241m.zip -> NSRL Hashes (or you’re own)
  2. **REMnux: http://sourceforge.net/projects/remnux/files/version4/
  3. http://rjhansen.github.io/nsrllookup/ -> nsrllokup 32bit and/or 64bit.
  4. https://github.com/rjhansen/nsrllookup/tree/master/src -> master.zip

**I’m sure you can use another Linux distro, but I already had REMnux installed and configured.

On REMnux:

remnux@remnux:~/$unzip master.zip

remnux@remnux:~/$sudo ./configure –with-nsrl=rds_241m.zip

remnux@remnux:~/$sudo make install

remnux@remnux:~/$nsrlsvr

Check if the process is running. It should be quite large as it will load all of the hashes into memory for better performance.

remnux@remnux:~/$ ps aux |grep nsrl
remnux 6984 0.4 62.5 2139288 1938472 ? Ssl 02:03 0:22 nsrlsvr

You’re done. Simple, huh?

On Windows:

On a pretty much fresh install of Windows XP SP3 and filtering by “unknown” only you should get something like this. Note that most of those are VMWare Workstation related, which is newer version from when the last time the NSRL hashes were posted.

md5deep.exe -o e -s C:\Windows\System32\* | nsrllookup.exe -s 192.168.1.13

2ce150705bbeb30e6c8059cc530043aa C:\Windows\System32\Packet.dll
f8dea29db6acd5e0cdf826f61c57422f C:\Windows\System32\tprdpw32.dll
d553ed83f09c35d5bfb6d2195b76f491 C:\Windows\System32\TPSvc.dll
12d82f9b89b41ed2ead173d2843599cd C:\Windows\System32\TPVMMon.dll
c6bdfd9f093fb16fcc7da5c978defd5a C:\Windows\System32\TPVMMondeu.dll
ef3d6aa91b07e980db537592d75a1f94 C:\Windows\System32\TPVMMonjpn.dll
e5d6bda8319a3a8807cdc4c02fb32a1c C:\Windows\System32\TPVMMonUI.dll
e256cd358572eba41f05ffb1503b79c5 C:\Windows\System32\TPVMMonUIdeu.dll
b1a817677372f1d0646193ef5aa97136 C:\Windows\System32\TPVMMonUIjpn.dll
cb2df5c410ac9bb9f522259bbc13c710 C:\Windows\System32\TPVMW32.dll
b609f11ae55ee952b49a04bfdb141288 C:\Windows\System32\vmGuestLib.dll
8db91bbc5060d91d9f23adee24f4c1bd C:\Windows\System32\vmGuestLibJava.dll
8821ebee901b208239fe6ee3414eb062 C:\Windows\System32\vmhgfs.dll
d2aa64cb308cdbc6034744503d6ee66b C:\Windows\System32\vmwogl32.dll
28380e517b6ab25c3f1e61a42dc19b1e C:\Windows\System32\vmx_fb.dll
d053547c06d55a4100b7bf84e9818370 C:\Windows\System32\vmx_mode.dll
5c68ef9d3a8e424dc404de6430663c02 C:\Windows\System32\vsocklib.dll
4633b298d57014627831ccac89a2c50b C:\Windows\System32\wpcap.dll

NOTE: I only hashed executable files (-o e). By default nsrllokup.exe will use the -u (unknown) flag, which is most likely what you’re going to be using. If you wanted to filter by -k (known) you could use nsrllookup.exe -k -s <ip>. -u is default so you don’t have to specify it.

You can customize your list of hashes if you want and pass the -f <location_to_your_set> when starting up nsrlsvr. I used NSRL because everyone knows about them. If anyone knows of a more up-to-date or better list of hashes put it in the comments so everyone can use it. I use a combination of NSRL and custom hashes.

Here are the options from nsrlsvr:

remnux@remnux:~$ nsrlsvr -h
Usage: nsrlsvr [-vbhsSo -f FILE -p PORT -t TIMEOUT]
-v : print version information
-b : get information on reporting bugs
-f : specify an alternate RDS (default: /usr/local/share/nsrlsvr/NSRLFile.txt)
-s : allow clients to query server status (default: disabled)
-S : run as a normal process (do not run as a daemon)
-o : only support old (1.0) nsrlsvr protocol
-h : show this help message
-p : listen on PORT, between 1024 and 65535 (default: 9120)
-t : stop after TIMEOUT seconds of inactivity (default: disabled)

Organizations that use a standard baseline should be able automate and leverage this pretty easily within their environment.

Props to RJHansen for writing this tool! Thanks.

Enjoy. Let me know if you need any help. I honestly don’t know if I had any depends already installed on my REMnux box, which made my install very easy. Hopefully it comes out of the box like this. I didn’t have time to go back and check. I’m writing this from my wifi cell connection so i’m unable to re-download REMnux and try it out.

, ,

Comments are currently closed.