Computer Forensics World :: View topic - Strange startup traffic
Strange startup traffic

pimp
Newbie

Joined: Sep 20, 2014
Posts: 8

Posted: Sat Sep 20, 2014 10:24 pm    Post subject: Strange startup traffic

I have detected unusual network traffic at PC startup. In a Wireshark capture you see, after the user enters his password, the Windows XP client connecting to the remote registry of the domain controller and trying to set or query some registry keys related to Terminal Services. In brief,

Client->Domain Controller: Open Query HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DeafultConfiguration

followed by the sequence:

Client->Domain Controller: QueryValue request fInheritAutologon
Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritResetBroken
Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritReconnectSame
Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritInitialProgram
Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritCallBack
Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritCallBackNumber
Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritShadow
Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritMaxSessionTime
Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritMaxDesconectionTime
Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritMaxIdleTime
Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritAutoclient
Domain controller-Client: QueryValue response Error: WERR_BADFILE

Client->Domain Controller: QueryValue request fInheritSecurity
Domain controller-Client: QueryValue response Error: WERR_BADFILE

Client->Domain Controller: QueryValue request fInheritColorDepth
Domain controller-Client: QueryValue response Error: WERR_BADFILE

Client->Domain Controller: QueryValue request fpromptforpassword
Domain controller-Client: QueryValue response

and there are more keys being consulted. Another hive that is consulted in the same trace is useroverride\Control Panel\Desktop, with other keys. This traffic is produced after the default domain policy is applied, but we don't have any configuration for Terminal Server in this policy. As far as I know this is not normal, because PC clients in a domain don't try to configure the terminal service. We only have the execution of kixstart.exe in the netlogon folder to map three server folders (department documents, public and user) and certain policies that are applied afterwards. I have seen this traffic on certain PCs, but on others it is different. Do you think that someone has changed the default policy and is applying it to certain PCs? Is it some type of malware? Is it a driver or service installed by someone? I am lost with this problem, but the user has to wait a long time for the PC to be operative at startup.
cybercop
Newbie

Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Sat Sep 20, 2014 11:53 pm    Post subject: Re: Strange startup traffic
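To turn a transcript like the one above into something that can be compared across PCs, this added Python example (not the poster's code; it works on a constructed sample in the same "Client->Domain Controller: QueryValue request ..." shape, not on the real capture) pairs each remote-registry QueryValue request with its response, groups the values by the key that was opened, records which values came back WERR_BADFILE, and flags any key under the Terminal Server branch so the startup reads described in the post stand out.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the trace quoted in the post (not the real capture).
SAMPLE_TRACE = r"""
Client->Domain Controller: Open Query HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Client->Domain Controller: QueryValue request fInheritAutologon
Domain controller-Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritAutoclient
Domain controller-Client: QueryValue response Error: WERR_BADFILE
Client->Domain Controller: QueryValue request fpromptforpassword
Domain controller-Client: QueryValue response
"""

OPEN_RE = re.compile(r"^(?P<src>.+?)->(?P<dst>.+?): Open Query (?P<key>.+)$")
REQ_RE = re.compile(r"^(?P<src>.+?)->(?P<dst>.+?): QueryValue request (?P<value>\S+)$")
# WERR_BADFILE is how Wireshark names ERROR_FILE_NOT_FOUND: the value does not exist on the DC.
RESP_RE = re.compile(r"^.+?-(?P<dst>.+?): QueryValue response(?: Error: (?P<error>\S+))?$")


def summarize_remote_registry(trace):
    """Pair each QueryValue request with its response, grouped by the opened key."""
    current_key = None
    pending = None  # value name whose response we are still waiting for
    summary = OrderedDict()
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if m:
            current_key = m.group("key")
            summary.setdefault(current_key, {"ok": [], "errors": {}})
            continue
        m = REQ_RE.match(line)
        if m:
            pending = m.group("value")
            continue
        m = RESP_RE.match(line)
        if m and pending is not None:
            bucket = summary.setdefault(current_key, {"ok": [], "errors": {}})
            if m.group("error"):
                bucket["errors"][pending] = m.group("error")
            else:
                bucket["ok"].append(pending)
            pending = None
    return summary


def flag_terminal_server_reads(summary):
    """Return the opened keys that sit under the Terminal Server branch."""
    return [key for key in summary if "\\Terminal Server\\" in key]


if __name__ == "__main__":
    result = summarize_remote_registry(SAMPLE_TRACE)
    for key in flag_terminal_server_reads(result):
        print(key, "ok:", result[key]["ok"], "errors:", result[key]["errors"])
```

Running the same summary over captures from a PC that shows the traffic and one that does not gives a per-key diff to compare against whatever policy or logon script is actually deployed.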

I would have to see the actual tcpdump to even guess what is going on. Looking at an obviously highly edited dump doesn't help.
pimp
Newbie

Joined: Sep 20, 2014
Posts: 8

Posted: Mon Sep 22, 2014 6:47 am    Post subject: Startup Traffic

Hello Cybercop,

Thanks a lot for your answers. How can I send the cap to you in private?

Best Regards.
cybercop
Newbie

Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Mon Sep 22, 2014 7:27 am    Post subject: Re: Startup Traffic

Pimp, I emailed you.
All times are GMT + 10 Hours