Tuesday, February 23, 2021

How to get the IP and the lease time from registry key

(Just for my references)

In digital forensics you sometimes need to find out which IP addresses a laptop had and during which time window it held each of them.

Suppose you have a Windows 10 DD image and want to know which IP addresses were assigned to it and the lease times, so you can search the firewall, AD and other logs for the relevant events.

The information lives in the SYSTEM registry hive (the screenshots below were taken from a Windows 10 DD image). On an offline image, first read HKEY_LOCAL_MACHINE\SYSTEM\Select\Current to learn which ControlSet00x was the live CurrentControlSet, and check the others as well, since they may hold older addresses.
If the IP was statically assigned, it can be found under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\Parameters\Tcpip.

If it was assigned by DHCP, it can be found under
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

or, even easier, search the hive for the value name "DhcpIPAddress" to find the IPs. The same interface key also carries EnableDHCP (1 for DHCP, 0 for static), DhcpServer and DhcpDefaultGateway, which is a quick way to tell the two cases apart and to know which DHCP server's logs to pull.
 

There are two values, LeaseObtainedTime and LeaseTerminatesTime, stored as REG_DWORDs holding Unix epoch time (seconds since 1970-01-01 00:00:00 UTC).

You can use python3 to convert them. Note that datetime.fromtimestamp() without a tz argument returns the analyst machine's local time (UTC-5 in the session below, so 1614085226 is 13:00:26 UTC); pass tz=timezone.utc when building a timeline that will be compared against server logs:

matrix@matrix ~ % python3
Python 3.9.1 (default, Jan  8 2021, 17:17:43) 
[Clang 12.0.0 (clang-1200.0.32.28)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from datetime import datetime
>>> datetime.fromtimestamp(1614085226).isoformat()
'2021-02-23T08:00:26'
>>> datetime.fromtimestamp(1614161347).isoformat()
'2021-02-24T05:09:07'
>>> datetime.fromtimestamp(1614123286).isoformat()
'2021-02-23T18:34:46'
>>> datetime.fromtimestamp(1614151831).isoformat()
'2021-02-24T02:30:31'
>>> 


There are two other values, T1 and T2, that are also epoch timestamps. They are not the time the lease was acquired: T1 is the renewal time, when the client starts unicasting DHCPREQUEST to the server that issued the lease, and T2 is the rebinding time, when it broadcasts the request to any DHCP server if renewal has not succeeded.

By default T1 is half of the lease length and T2 is 7/8 (87.5%) of it, both counted from LeaseObtainedTime. The four timestamps converted above fit this exactly: the lease ran 1614161347 - 1614085226 = 76121 seconds, T1 = 1614123286 = 1614085226 + 38060 (half) and T2 = 1614151831 = 1614085226 + 66605 (7/8). A T1/T2 pair that does not fit the lease window is worth a second look, since it means the values were not written by the same DHCP exchange.
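The following is an added example, not code from the original post: it parses a regedit-style export of the Interfaces keys, converts the four timestamps to UTC and checks T1/T2 against the RFC 2131 defaults described above. The export text is constructed here (the GUIDs, IP addresses and DHCP server are made up); the four DWORD values are the epoch times converted in the session above, written as regedit writes a REG_DWORD.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a .reg export (regedit "Export" of the Interfaces key).
# GUIDs and addresses are invented; the four dword values are the post's epoch
# times in hex (0x6034fc6a == 1614085226, 0x603625c3 == 1614161347, ...).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1b2c3d4e-0000-4000-8000-000000000001}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="10.10.20.57"
"DhcpSubnetMask"="255.255.255.0"
"DhcpServer"="10.10.20.1"
"LeaseObtainedTime"=dword:6034fc6a
"LeaseTerminatesTime"=dword:603625c3
"T1"=dword:60359116
"T2"=dword:60360097

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1b2c3d4e-0000-4000-8000-000000000002}]
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,35,00,30,00,2e,00,37,00,00,00,00,00
'''

KEY_RE = re.compile(r'^\[(?P<path>[^\]]+)\]\s*$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
GUID_RE = re.compile(r'\{[0-9a-fA-F-]{36}\}')


def _decode(data):
    """Decode one .reg value: quoted string, dword:hex, or hex(7) REG_MULTI_SZ."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\')
    if data.startswith('dword:'):
        return int(data[6:], 16)
    if data.startswith('hex(7):'):
        raw = bytes.fromhex(data[7:].replace(',', '').replace(' ', ''))
        # REG_MULTI_SZ is UTF-16LE, NUL separated, double NUL terminated
        return [s for s in raw.decode('utf-16-le').split('\x00') if s]
    return data  # other types are left as text


def parse_interfaces(reg_text):
    """Return {interface GUID: {value name: value}} for every Interfaces subkey."""
    # regedit wraps long hex values with a trailing backslash; join those lines first
    text = re.sub(r'\\\r?\n\s*', '', reg_text)
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = None
            g = GUID_RE.search(m.group('path'))
            if g and '\\Tcpip\\Parameters\\Interfaces\\' in m.group('path'):
                current = result.setdefault(g.group(0).lower(), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            current[m.group('name')] = _decode(m.group('data'))
    return result


def epoch_utc(ts):
    """Registry lease times are Unix epoch seconds; always convert as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def lease_timeline(values, tolerance=2):
    """Summarise one interface: address, lease window in UTC, and whether T1/T2
    sit at the default 1/2 and 7/8 of the lease measured from LeaseObtainedTime."""
    if not values.get('EnableDHCP'):
        return {'dhcp': False, 'ip': values.get('IPAddress', [])}
    obtained, expires = values['LeaseObtainedTime'], values['LeaseTerminatesTime']
    lease = expires - obtained
    info = {
        'dhcp': True,
        'ip': values.get('DhcpIPAddress'),
        'server': values.get('DhcpServer'),
        'obtained': epoch_utc(obtained).isoformat(),
        'expires': epoch_utc(expires).isoformat(),
        'lease_seconds': lease,
    }
    for name, fraction in (('T1', 0.5), ('T2', 0.875)):
        if name in values:
            expected = obtained + int(lease * fraction)
            info[name] = epoch_utc(values[name]).isoformat()
            # True when the renew/rebind time matches the default for this lease
            info[name + '_default'] = abs(values[name] - expected) <= tolerance
    return info


if __name__ == '__main__':
    for guid, vals in parse_interfaces(SAMPLE_REG).items():
        print(guid, lease_timeline(vals))
```

The 'obtained' and 'expires' fields give the window to search in firewall and DHCP server logs for that address; a T1_default or T2_default of False means the renew/rebind times were not derived from this lease, which happens when the values are stale from a previous lease.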


Tuesday, December 22, 2020

Reverse SSH usage example 1

(Just for my reference)
Despite the title, this is ssh's dynamic (-D) SOCKS forward rather than a reverse (-R) tunnel: the laptop connects out to the reachable host and uses it as a SOCKS proxy into the internal network.
Scenario:
  1. Servers 10.0.0.18, 10.0.0.19 and 10.0.0.20 are behind a firewall. 10.0.0.18 has full access to the other servers.
  2. Server 10.0.0.18 also has a public IP x.x.x.x.
  3. Laptop 192.168.1.16 can only reach x.x.x.x on port 22 (ssh), authenticating with the private key myCert.
Requests:
  1. The laptop needs to reach the HTTPS service on port 8834 of 10.0.0.18 (https://x.x.x.x:8834 won't work because only port 22 is open to the Internet).
  2. The laptop needs to reach the other servers on HTTPS port 443.
Steps:
  1. On the laptop run: ssh -D 1081 -i myCert root@x.x.x.x (sudo is only needed if myCert is readable by root alone; 1081 is an unprivileged port, and -D binds to localhost by default).
  2. Set the Firefox proxy to SOCKS v5, host localhost, port 1081, and tick "Proxy DNS when using SOCKS v5" so host names are resolved on the server side.
  3. In Firefox browse https://localhost:8834 (through the proxy, "localhost" is the ssh server's own loopback, i.e. the service on 10.0.0.18; recent Firefox versions skip the proxy for localhost unless network.proxy.allow_hijacking_localhost is set, in which case browse https://10.0.0.18:8834 instead).
  4. Browse https://10.0.0.18
  5. Browse https://10.0.0.19
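The same setup as a small POSIX shell helper, added here as an example rather than taken from the original post. It hardens the invocation from step 1 (listener bound to 127.0.0.1 only, no remote shell, ssh exits if the forward cannot be set up) and wraps curl so command-line checks go through the same proxy. The host x.x.x.x, key file myCert and ports come from the scenario; the DRY_RUN switch and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post). Defaults are the scenario's
# placeholders; override them through the environment.
JUMP_HOST="${JUMP_HOST:-x.x.x.x}"
JUMP_USER="${JUMP_USER:-root}"
JUMP_KEY="${JUMP_KEY:-myCert}"
SOCKS_PORT="${SOCKS_PORT:-1081}"

# Open the SOCKS proxy on the laptop.
#  -D 127.0.0.1:PORT  bind the listener to loopback only, so other hosts on the
#                     laptop's LAN cannot ride the tunnel into 10.0.0.0/24
#  -N                 no remote shell, just the forward
#  -f                 background after authentication
#  ExitOnForwardFailure=yes  fail loudly if the port is already taken instead of
#                     silently running without the proxy
# With DRY_RUN=1 the command is printed instead of executed.
open_socks_tunnel() {
    set -- ssh -f -N -D "127.0.0.1:$SOCKS_PORT" -i "$JUMP_KEY" \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        "$JUMP_USER@$JUMP_HOST"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Send a curl request through the proxy. socks5-hostname (socks5h) hands the
# host name to ssh, so it is resolved on the jump host and never leaks to the
# laptop's resolver; -k is still needed for the self-signed certs on 8834/443.
via_socks() {
    curl --silent --show-error --socks5-hostname "127.0.0.1:$SOCKS_PORT" "$@"
}

# Return 0 if the SOCKS listener exists and is bound to loopback only.
socks_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$SOCKS_PORT[[:space:]]"
    else
        lsof -nP -iTCP:"$SOCKS_PORT" -sTCP:LISTEN 2>/dev/null | grep -q '127\.0\.0\.1'
    fi
}

# Usage (not run automatically):
#   open_socks_tunnel
#   socks_listening && via_socks -k -o /dev/null -w '%{http_code}\n' https://10.0.0.18:8834/
#   via_socks -k -o /dev/null -w '%{http_code}\n' https://10.0.0.19/
```

Once the tunnel is up, the Firefox settings from step 2 and the curl wrapper share the same 127.0.0.1:1081 listener; use the curl form when you need to script checks against several internal hosts.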

Friday, March 27, 2020

Office 365 Forensics (1)

(Just for my reference)
When an attacker gets admin access to the Office 365 portal, one of the first things they do is delegate a user's mailbox to an account they control, which gives them the user's mail, contacts, calendar and so on without needing that user's password.

To get full access to another user's mailbox, log in to https://outlook.office365.com/ecp/ and
select "recipients" -> "mailboxes".


Double-click the target user; in the "Edit User Mailbox" window, under "Full Access", add the compromised account.

The attacker can then open the user's mailbox in Outlook through File -> Open -> Other User's Folder (with the default auto-mapping, the delegated mailbox also appears in the attacker's Outlook automatically).




To see whether someone has accessed your mailbox, log in to https://outlook.office365.com/ecp/ and select "compliance management" -> "auditing" -> "Run a non-owner mailbox access report".

In the popup window, select the start and end dates, choose "All non-owners" in the "Search for access by" dropdown list and click "Search". The report only reflects mailboxes that had audit logging enabled during the window, so an empty result is not proof that nothing happened; check AuditEnabled on the mailbox (Get-Mailbox) before trusting it. The report also shows the access itself, not the moment the Full Access right was granted; for that, look for Add-MailboxPermission in the Exchange admin audit log.
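The same investigation from Exchange Online PowerShell, added here as an example and not part of the original post. It lists who currently holds Full Access on the mailbox, finds the Add-MailboxPermission event that granted it (who, when, from which IP), and pulls the non-owner access records the ECP report is built on. It assumes the ExchangeOnlineManagement module, an account with the audit log roles, and a placeholder mailbox victim@example.com; the $Target, $Start and $End names are this example's own.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module and a role that can read the audit logs. Mailbox and window are placeholders.
param(
    [string]$Target   = 'victim@example.com',
    [datetime]$Start  = (Get-Date).AddDays(-30),
    [datetime]$End    = (Get-Date)
)

Connect-ExchangeOnline

# 1. Who holds Full Access right now. The attacker's grant stays until someone
#    removes it; SELF and inherited entries are normal and filtered out.
Write-Host "== Current Full Access delegates on $Target =="
Get-MailboxPermission -Identity $Target |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and
                   -not $_.IsInherited -and
                   $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object Identity, User, AccessRights, Deny |
    Format-Table -AutoSize

# 2. When the right was granted and by whom. Add-MailboxPermission is written to
#    the Exchange admin audit log, which the unified audit log exposes as
#    RecordType ExchangeAdmin; the cmdlet parameters sit in the AuditData JSON.
Write-Host "== Add-MailboxPermission events $Start .. $End =="
Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -RecordType ExchangeAdmin -Operations 'Add-MailboxPermission' -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Admin     = $_.UserIds
            Mailbox   = ($d.Parameters | Where-Object Name -eq 'Identity').Value
            GrantedTo = ($d.Parameters | Where-Object Name -eq 'User').Value
            Rights    = ($d.Parameters | Where-Object Name -eq 'AccessRights').Value
            ClientIP  = $d.ClientIP
        }
    } | Sort-Object When | Format-Table -AutoSize

# 3. The non-owner access itself (the data behind the ECP report). An empty
#    result only means something if auditing was on for the mailbox.
Write-Host "== Mailbox auditing enabled: $((Get-Mailbox -Identity $Target).AuditEnabled) =="
Search-MailboxAuditLog -Identity $Target -LogonTypes Admin, Delegate -ShowDetails `
    -StartDate $Start -EndDate $End |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                  FolderPathName, ClientIPAddress, ClientInfoString |
    Sort-Object LastAccessed | Format-Table -AutoSize
```

Run section 2 over the whole tenant (drop the mailbox filter) when you do not yet know which mailbox was targeted: a single Add-MailboxPermission from an unfamiliar client IP is usually the first solid timeline anchor. In tenants where Search-MailboxAuditLog has been retired, the same mailbox events are available through Search-UnifiedAuditLog with -RecordType ExchangeItem.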