Tuesday, May 08, 2012

How not to get p0wned by RR v2.5

I recently provided a minor update to the RegRipper tools, moving to v2.5.  As there was no modification to how the tools would interact with the plugins, I only provided the tools themselves, including both the Perl scripts (source code) and Windows executables, compiled via Perl2Exe.  I did not include the contents of the plugins directory along with the distribution, as I figured folks who were using the tool would just copy the files over their current installation.

Since the release of the updates, I've received a couple of comments about the RegRipper GUI not working properly.  Some folks are finding that the "Plugins File" drop-down box will not be populated, and the assumption appears to be that the tool isn't reading the plugins directory, even though the "plugins" directory exists and contains plugins.  When you launch the GUI, one of the things that happens is that the GUI will look in the "plugins" directory for any files that do NOT have an extension, and assume that these are profiles.  What appears to be happening is that while the directory contains plugins, it does not contain profiles...these are the files that tell RegRipper which plugins to run, and in what order.  By default, those profiles are "ntuser", "sam", "security", "software" and "system", all without any extension (by that, I mean that the file name does not end with '.txt' or anything else).

What I think may be happening is that folks are creating fresh installations of the tool; they're downloading the new version and putting it into its own directory, and then getting the plugins archive file from here; this archive does not contain the profiles.

What you can do in that case is copy the profiles over from your RR v2.02 install, or simply create your own profile.  A really easy way to do that is to go to your RR v2.5 install directory, open a command prompt, and type:

rip -c -l > plugins.csv

Open the resulting file in Excel and sort the rows, based on the hive column.  Another way to do this for individual hive files is to use a command such as the following:

rip -l -c | find ",Software,"

This will list just the plugins that are intended to be run against the Software hive, their versions, etc. 
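Here is an added example (my own code, not part of RegRipper) that does the same thing without Excel: it parses the CSV that "rip -l -c" writes, groups plugin names by the hive column, and writes one extension-less profile per hive into the plugins directory, then lists the directory the way the GUI does (files with no extension) so you can confirm the drop-down will have something to show.  It assumes the CSV has the columns Plugin,Version,Hive,Description and that a profile is simply one plugin name per line; the sample listing below is constructed in that format, and the plugin names and versions in it are illustrative rather than taken from a real install.

```python
"""Build RegRipper profile files from the output of `rip -l -c`.

Added example for this post, not code from the RegRipper project.
Assumptions: `rip -l -c` prints a Plugin,Version,Hive,Description header
followed by one comma-separated row per plugin, and a profile is a plain
text file in the plugins directory, with no extension, holding one plugin
name per line in the order the plugins should run.
"""
import csv
import io
import os
import tempfile
from collections import OrderedDict

# Constructed sample of `rip -l -c` output. The column layout is the one the
# post's `find ",Software,"` filter relies on; names/versions are illustrative.
SAMPLE_LISTING = """Plugin,Version,Hive,Description
samparse,20120101,SAM,Parse SAM file for user and group membership info
userassist,20120101,NTUSER.DAT,Displays contents of UserAssist subkeys
winver,20120101,Software,Get Windows version and install date
uninstall,20120101,Software,Gets contents of Uninstall keys
shares,20120101,System,Get list of file/printer shares
"""


def parse_plugin_list(listing):
    """Return an ordered mapping hive -> [plugin names], in listing order.

    A real CSV parser is used instead of a substring match like
    `find ",Software,"`, so a comma in a description column cannot cause a
    false match on the hive column.
    """
    by_hive = OrderedDict()
    reader = csv.reader(io.StringIO(listing))
    header = next(reader, None)
    if header is None or [h.strip().lower() for h in header[:3]] != ["plugin", "version", "hive"]:
        raise ValueError("listing does not look like `rip -l -c` output")
    for row in reader:
        if len(row) < 3 or not row[0].strip():
            continue  # blank or truncated line
        name, hive = row[0].strip(), row[2].strip()
        by_hive.setdefault(hive, []).append(name)
    return by_hive


def profile_name(hive):
    """Profile file name for a hive: lower case, no extension (NTUSER.DAT -> ntuser).

    The GUI treats any file in the plugins directory that has no extension as
    a profile, so the '.DAT' must not leak into the file name.
    """
    return hive.split(".")[0].lower()


def profile_text(hive_plugins):
    """Profile body: one plugin name per line, nothing else."""
    return "\n".join(hive_plugins) + "\n"


def write_profiles(listing, plugins_dir):
    """Write one profile per hive found in the listing; return the file names written."""
    written = []
    for hive, plugins in parse_plugin_list(listing).items():
        path = os.path.join(plugins_dir, profile_name(hive))
        with open(path, "w") as fh:
            fh.write(profile_text(plugins))
        written.append(os.path.basename(path))
    return written


def list_profiles(plugins_dir):
    """Mimic the GUI check: regular files in the plugins directory with no extension."""
    return sorted(f for f in os.listdir(plugins_dir)
                  if os.path.isfile(os.path.join(plugins_dir, f)) and "." not in f)


def demo():
    """Run the whole flow in a scratch directory and return what the GUI would list."""
    with tempfile.TemporaryDirectory() as plugins_dir:
        # A plugin file (has an extension) must not show up as a profile.
        open(os.path.join(plugins_dir, "winver.pl"), "w").close()
        write_profiles(SAMPLE_LISTING, plugins_dir)
        return list_profiles(plugins_dir)


if __name__ == "__main__":
    print(demo())
```

Against a real install you would replace SAMPLE_LISTING with the contents of the plugins.csv produced by "rip -c -l > plugins.csv" and point write_profiles at the actual plugins directory.  Note that some plugins report their hive as "All"; with this script those land in a profile named "all", which you can merge into the per-hive profiles by hand if you want them run.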

3 comments:

francesco picasso said...

I think you're right in the troubleshooting. I remember the day I prepared the first RegRipperPlugins package on googlecode, and I asked myself: should I or should I not provide plugins files? I decided not to include them, since they are quite personal: everybody (I think) has their personal list and, moreover, their personal order. So I thought it would be easier for users to unzip the latest package into the plugins directory, overwriting only plugins and not *their personal* plugins-lists. Was I wrong?

Keydet89 said...

Well, first off, I don't think that most users have their own "personal" profiles...I think that most of those who use RR simply run it the way it is when they download it. This means that there are very likely a number of files that haven't been included in the profiles for each hive, which simply aren't run.

Also, the latest archive of plugins doesn't appear to contain profiles.

francesco picasso said...

Probably it's due to my "bias", but it's difficult for me to think of DFIR RR users who don't have their profiles. That being said, your post makes me reason about this point: I'll do a check with the maintainers, but possibly an idea is to add to the RRPlugins packages profiles like "ntuser-all", "sam-all", "security-all", "software-all". Thank you Harlan.