2025-04-04 Update From: SLTechnology News&Howtos > Development
Shulou (Shulou.com) 06/03 Report
This article explains how to use the Gargamel forensics tool: how to build it, which connection methods it supports, and what its command line options do.
Gargamel
Gargamel is a forensic evidence acquisition tool written in Rust. Researchers can use it to collect evidence from remote hosts as part of routine forensic work.
Tool download
Clone the project source code with the following command:
git clone https://github.com/Lifars/gargamel.git
Project compilation
Assuming Rust v1.41 is installed and configured on your machine, open a terminal, change into the project directory and run the following command to build a release binary:
cargo build --release
A debug build can be produced with:
cargo build
The compiled executable is located at target/release/gargamel.exe (release build) or target/debug/gargamel.exe (debug build).
Set log level
The logging level of the tool can be changed as follows:
Open src/main.rs
In lines 42 and 43, change LevelFilter::Info to LevelFilter::Trace to get more detailed log output
Note that LevelFilter::Trace records everything, including passwords, so treat Trace-level logs as sensitive data.
User's Guide
Currently, the application only supports running on Windows systems, and the target device must be a Windows or Linux system. You also need to make sure that the following programs are stored in the same directory as Gargamel:
PsExec
PaExec
WinPmem
Plink and pscp
SharpRDP
WMImplant
Exe
Using Gargamel
Gargamel must be started from an elevated (administrator) terminal to work fully. It currently neither handles UAC prompts nor gives any notification when it is run with limited privileges. With limited user privileges some operations, such as memory dumps of the target, will not work.
Basic use
Suppose you want to connect to a computer with the following parameters:
Address: 192.168.42.47
User name: Jano
Password: nbusr123
The following command uses the PsExec method to collect the firewall status, network status, logged-in users, running processes, active network connections, the registry, and the system and application event logs. The collected evidence is stored in the testResults directory next to Gargamel:
gargamel.exe -c 192.168.42.47 -u Jano --psexec -o testResults
Gargamel will ask for the password of the remote user. Our password here is nbusr123. Note that the password is hidden during input.
We can also specify the user name and password directly in the command line parameters:
gargamel.exe -c 192.168.42.47 -u Jano --psexec -p nbusr123 -o testResults
Domain use
Suppose you want to connect to a computer in the domain with the following parameters:
Domain: WORKSPACE
Computer name: JanovPC
User name: Jano
Password: nbusr123
The following command uses the PsExec method to collect the firewall status, network status, logged-in users, running processes, active network connections, the registry, and the system and application event logs:
gargamel.exe -c JanovPC -u Jano -d WORKSPACE --psexec -o testResults
Alternatively, pass the password directly on the command line:
gargamel.exe -c JanovPC -u Jano -d WORKSPACE --psexec -p nbusr123 -o testResults
Other connection methods
PsExec is only one of the supported connection methods; --psexec can be replaced with any of the following options:
--psexec
--psrem
--rdp
--wmi
--ssh
Several methods can be combined in one run. For example, to use both PsExec and RDP:
gargamel.exe -c 192.168.42.47 -u Jano --psexec --rdp -o testResults
Memory acquisition
To also acquire a memory dump of the target, append the -m option:
gargamel.exe -c 192.168.42.47 -u Jano --psexec -o testResults -m
If only the memory dump is needed and no other evidence, the remaining collection steps can be disabled:
gargamel.exe -c 192.168.42.47 -u Jano --psexec -o testResults -m --no-events-search --no-evidence-search --no-registry-search
Memory acquisition currently supports Windows targets only.
Run a custom command
Gargamel can run custom Windows CMD or Linux Shell commands on a remote host.
Create a custom-commands.txt file with the following content:
# Will be run using any method
ipconfig

# Will run only when launching with at least one of --all, --psexec, --wmi methods
:psexec:wmi ipconfig /all
Next, pass the file with the -e option to run these commands:
gargamel.exe -c 192.168.42.47 -u Jano --psexec -o testResults -e custom-commands.txt
Downloading custom files
Gargamel can also download files from the remote host. First, create a custom-files.txt file with the following content:
C:\Users\Public\sss*
C:\Users\Jano\danove.pdf
# This line and the next one will be ignored
# C:\Users\Jano\somBajecny.pptx
Next, pass the file with the -s option:
gargamel.exe -c 192.168.42.47 -u Jano --psexec -o testResults -s custom-files.txt
All options
USAGE:
    gargamel.exe [FLAGS] [OPTIONS] --user

FLAGS:
    -a, --all               Acquire evidence from Windows machine using all supported methods (PsExec, PsRemote, WMI, RDP).
        --no-events-search  Disables Windows event logs acquisition.
        --no-evidence-search  Disables acquisition of evidence that can usually be downloaded quickly (like ipconfig, firewall status etc.).
        --no-registry-search  Disables target registry acquisition.
    -h, --help              Prints help information.
    -m, --mem-image         Optional: Memory dump of a target Windows machine.
        --local             Acquire evidence from local machine.
        --nla               Optional: Use network level authentication when using RDP. (Windows targets only)
        --no-7z             Optional: Disable 7zip compression for registry & memory images. This will significantly decrease the running time, but WMI and RDP connections will probably not work properly. (Windows targets only)
        --psexec            Acquire evidence from Windows machine using PsExec. Requires both PsExec64.exe and paexec.exe in the current directory or in the path.
        --psrem             Acquire evidence from Windows machine using PowerShell. Requires both PsExec64.exe and paexec.exe in the current directory or in the path.
        --rdp               Acquire evidence from Windows machine using RDP. Requires SharpRDP.exe in the current directory or in the path.
        --ssh               Acquire evidence from Linux machine using SSH. Requires both plink.exe and pscp.exe in the current directory or in the path.
    -V, --version           Prints version information.
        --wmi               Acquire evidence from Windows machine using WMI. Requires WMImplant.ps1 in the current directory or in the path and PowerShell 3.0+ on the host machine. Note: It is necessary to disable Windows Defender real-time protection (other AVs not tested).

OPTIONS:
    -c, --computer          Remote computer address/name. [default: 127.0.0.1]
    -u, --user              Remote user name.
    -d, --domain            Optional: Remote Windows domain.
    -o, --output            Name of local directory to store the evidence. [default: evidence-output]
    -p, --password          Optional: Remote user password. Skipping this option prompts for the password, which is entered hidden. To specify an empty password use `-p ""`.
        --redownload        Optional: Download and DELETE the specified file from the target computer. Use this after a previous, partially completed operation. To download a file without deleting it, use the `search` switch instead. If you specify a 7zip chunk (.7z.[chunk-number], e.g. .7z.004), subsequent chunks are downloaded automatically as well. Use together with --psexec, --psrem, --rdp, --wmi or --all.
    -r, --remote-storage    Name of remote directory to be used as temporary storage. (Windows targets only) [default: C:\Users\Public]
    -e, --commands          Optional: File with custom commands to execute on the remote computer.
    -s, --search            Optional: File with file names to be searched on the remote computer. File names also support `*` and `?` wildcards (but not yet in parent directories).
        --key               Optional: Name/path of SSH private key file. (Linux target only)
        --timeout           Optional: Timeout in seconds for long running operations. This option is a workaround for a bug in WMImplant.ps1 and SharpRDP.exe where finishing a long running operation sometimes does not properly close the connection, leaving Gargamel in a seemingly frozen state or executing the next operation while the previous one is still unfinished on the target. Increasing this timeout may solve issues when acquiring the registry or a memory image from the target machine. [default: 300]
Known problems
WMI cannot write its output to a path or file name that contains the "_" character.
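As an added example (not Gargamel's own code), the following Rust snippet parses the custom-commands.txt format described in the "Run a custom command" section and decides which entries run for a given set of selected connection methods. It assumes the semantics stated above: `#` lines are comments, and a `:psexec:wmi` prefix restricts the command to those methods, with `--all` enabling all of them.

```rust
use std::collections::HashSet;

/// One entry of custom-commands.txt; an empty `methods` list means "any method".
#[derive(Debug, PartialEq)]
pub struct CustomCommand {
    pub methods: Vec<String>,
    pub command: String,
}

/// Parse the file: blank and '#' lines are skipped; a line starting with ':'
/// lists methods up to the first whitespace (":psexec:wmi"), the rest is the command.
pub fn parse_custom_commands(text: &str) -> Vec<CustomCommand> {
    let mut out = Vec::new();
    for line in text.lines().map(str::trim) {
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let (methods, command): (Vec<String>, String) = match line.strip_prefix(':') {
            Some(rest) => {
                let (spec, cmd) = rest.split_once(char::is_whitespace).unwrap_or((rest, ""));
                let methods = spec
                    .split(':')
                    .filter(|m| !m.is_empty())
                    .map(|m| m.to_ascii_lowercase())
                    .collect();
                (methods, cmd.trim().to_string())
            }
            None => (Vec::new(), line.to_string()),
        };
        if command.is_empty() {
            continue; // a method prefix without a command is not runnable
        }
        out.push(CustomCommand { methods, command });
    }
    out
}

/// Commands that run for the selected methods, e.g. ["psexec", "rdp"];
/// "all" stands for --all and enables every method-restricted command.
pub fn commands_for(cmds: &[CustomCommand], selected: &[&str]) -> Vec<String> {
    let sel: HashSet<String> = selected.iter().map(|s| s.to_ascii_lowercase()).collect();
    let all = sel.contains("all");
    cmds.iter()
        .filter(|c| c.methods.is_empty() || all || c.methods.iter().any(|m| sel.contains(m)))
        .map(|c| c.command.clone())
        .collect()
}

/// Constructed sample mirroring the custom-commands.txt shown on the page.
pub const SAMPLE: &str = "# Will be run using any method\nipconfig\n\n# Only with --all, --psexec or --wmi\n:psexec:wmi ipconfig /all\n";

fn main() {
    let cmds = parse_custom_commands(SAMPLE);
    println!("--rdp: {:?}", commands_for(&cmds, &["rdp"]));
    println!("--psexec --rdp: {:?}", commands_for(&cmds, &["psexec", "rdp"]));
}
```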