Sunday, May 31, 2020

Tips on Using RegRipper v3.0

With the "new" release, I thought it would be good to share a couple of tips as to how you can get the most out of RegRipper v3.0. I should note that for the most part, all of these tips are the same things I've recommended for using RegRipper v2.8, as well.

The "Kitchen Sink" Approach
When you take the "kitchen sink" approach and run every available plugin against a hive file, you're going to get a great deal of info back, some of which may not make sense or even apply to the case on which you're working.  As such, you're likely going to have questions about some of what you see, and whether it applies to your case.  I provided the GUI tool to operate in exactly this manner, because according to many, this is the primary use case, and how RegRipper is most often used. However, what follows are some tips that might be helpful, particularly if you do not want to use this approach.

Check The References
If you have a question about a plugin, feel free to open the plugin in Notepad (I use Notepad++ or UltraEdit) and take a look at the contents, particularly the "header".  If you're not sure what a "header" is, it's all the stuff commented out (preceded by '#') at the top of the plugin.  If you're using something like Notepad++, the header may appear in a different color, such as green, thanks to syntax highlighting.  Very often, the header will contain reference information or URLs that provide insight as to why the plugin was written and how the information returned by the plugin may be applied to specific use cases.

Finding a Plugin
Sometimes, you might want to check and see if there's a plugin that gets some information you're interested in, as it may be helpful to your case.  There is no online reference for the plugins; the v2.8 distro contains 386 plugins, and the v3.0 distro contains 248 plugins, so keeping a reference or wiki of some kind is still going to require searching.  Further, not all of the plugins look for specific values, but instead get all or most of the values beneath a key, so if you're looking for a specific value name, or some element that may be included in the data, you may not find it.

In order to see if there's a plugin that looks for a particular key or value name, I use the following command:

C:\perl\rr3\plugins>findstr /C:"UseLogonCredential" /i *.pl

...or to find any plugins that reference blog posts from PenTestLabs (hint: there are two), I use the following command:

C:\perl\rr3\plugins>findstr /C:"pentestlab" /i *.pl

If you don't find what you're looking for, ask.  Yep, it's that easy.  Just ask.  Sure, you can go on social media and say, "hey, RegRipper doesn't have a plugin that does this...", and that may very well be true.  However, RegRipper was originally designed to be a community-supported project; if you don't find a plugin that does something you need, either write one (Corey Harrell did a lot of that, starting off with simply copy-paste...), or share a request along with some data so that it can be written.  In most cases, I've turned a plugin around in an hour or so, with limited data for testing. As time goes on and more data becomes available, the testing improves, and there may be corresponding improvements in the plugins, as well.

A final note on that thought...when looking for a plugin, spelling helps.  Tremendously.  You don't even know.

Building Profiles
I know that some folks are of the opinion that the RegRipper GUI doesn't allow you to modify the available profiles, but that is simply NOT the case.  In fact, all you need to do to create your own profiles is find the double-secret-monkey-stuff Windows tool called "Notepad".  ;-)  Really, it's that easy.

A "profile" is a list of plugins that are run by rip.exe, via the "-f" switch.  You can use rip to run individual plugins, but if you have a series of plugins that you want to run against a hive, the easiest way, and one that is self-documenting, is to use a profile.  To create a profile, just create a text file with no extension, and add the plugins you want to run, one on each line.  For example, to build out a profile that lets me check the Software hive for information related to connected USB devices, I'd create a file called "USB-Software" (again, no file extension), and then add the following plugins:

emdmgmt
portdev
volinfocache

That's all it takes. As new information is developed and new plugins become available, I might add some of those plugins to the profile. 
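The three tips above (reading a plugin's '#' header for references, searching the plugins directory the way the findstr commands do, and checking a profile file for misspelled plugin names) as one added Python example; this is not RegRipper's own code, and the plugin stubs, URLs and profile contents it builds are constructed for the demonstration:

```python
# Added example, not part of RegRipper: header references, plugin search
# (like findstr /C:"needle" /i *.pl), and profile validation.
import re
import tempfile
from pathlib import Path

URL_RE = re.compile(r"https?://[^\s)>\"]+")

def plugin_header(path):
    """Leading '#'-commented lines of a plugin (the 'header'), '#' stripped."""
    header = []
    for line in Path(path).read_text(encoding="utf-8", errors="replace").splitlines():
        s = line.strip()
        if s.startswith("#"):
            header.append(s.lstrip("#").strip())
        elif s:  # first real code line ends the header; blank lines are tolerated
            break
    return header

def header_references(path):
    """URLs in the header: the 'why was this plugin written' material."""
    return [u for line in plugin_header(path) for u in URL_RE.findall(line)]

def find_plugins(plugins_dir, needle):
    """Case-insensitive substring search across *.pl; returns plugin names."""
    needle = needle.lower()
    return sorted(p.stem for p in Path(plugins_dir).glob("*.pl")
                  if needle in p.read_text(encoding="utf-8", errors="replace").lower())

def check_profile(plugins_dir, profile_path):
    """Profile = one plugin name per line, no '.pl'. Returns (present, missing).
    Blank lines are skipped (an assumption; the post does not say how rip treats them)."""
    available = {p.stem for p in Path(plugins_dir).glob("*.pl")}
    present, missing = [], []
    for raw in Path(profile_path).read_text().splitlines():
        name = raw.strip()
        if name:
            (present if name in available else missing).append(name)
    return present, missing

def build_sample(root=None):
    """Constructed plugin stubs plus a profile whose last line is misspelled."""
    plugins = Path(root or tempfile.mkdtemp()) / "plugins"
    plugins.mkdir()
    stubs = {  # constructed headers, not the real plugins' text
        "emdmgmt": "# emdmgmt.pl\n# EMDMgmt key (ReadyBoost), constructed stub\n"
                   "# Ref: https://example.invalid/emdmgmt\n\nuse strict;\n",
        "portdev": "# portdev.pl\n# Windows Portable Devices\n\nuse strict;\n",
        "volinfocache": "# volinfocache.pl\n# Ref: https://example.invalid/volinfocache\n\nuse strict;\n",
    }
    for name, body in stubs.items():
        (plugins / f"{name}.pl").write_text(body)
    profile = plugins.parent / "USB-Software"  # no file extension, as described above
    profile.write_text("emdmgmt\nportdev\nvolinfocahce\n")  # typo on purpose
    return plugins, profile
```

Running `check_profile` before handing a profile to `rip.exe -f` catches exactly the spelling problem the post warns about.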

RegRipper v2.8
As a final note and just a reminder, I'm no longer supporting RegRipper v2.8.  I'll leave the repo up for the time being, but I'll be removing the repo before too long (date TBD).

I hope that someone finds this information useful.

11 comments:

Obi_Juanb8b said...

Hey Harlan,

I've noticed some plugins were around in v2.8, but not in v3. Was some cleanup done? Example- tsclient and rdphint. tsclient is still there, which pulled or read similar data as rdphint did in v2.8. You mentioned the number of plugins went down to 248. Will the 'old' ones still work?

I'm also one of those people that run individual plugins from the command line, vs GUI.

H. Carvey said...

The old ones will still work, yes, but the output, specifically the date format, will be different.

Anonymous said...

BUT WTF IS REGRIPPER?? ARE YOU GOING TO EVER mention it clearly on GitHub!! You just have a repository and it doesn't even explain what it is in the Readme file.

Anonymous said...

I downloaded regripper 3.0 in kali linux and do not see the plugin for lastwrite. Is there a replacement? I'm trying to use a registry file to figure out the last command run for a CTF challenge.

H. Carvey said...

Anonymous...

What do you mean by "the plugin for lastwrite"?

Anonymous said...

I was given this - ./rip.pl -r HKEY_CURRENT_USER.reg.xml -p lastwrite - to run as part of the challenge and linux returns that what it calls the lastwrite.pl is not available.

H. Carvey said...

RegRipper doesn't parse XML files...at least, not the one I wrote and maintain.

Also, I don't think I ever wrote a "lastwrite" plugin.

Maybe go back to whomever gave you that command line and ask them...I honestly have no idea where that command line came from.

Anonymous said...

Additional information I was provided: Use RegRipper to analyze the provided registry file as follows:

./rip.pl -r HKEY_CURRENT_USER.reg.xml -p lastwrite

Note: This command instructs RegRipper to analyze the "HKEY_CURRENT_USER.reg.xml" file and extract information related to the "lastwrite" time, which can provide insights into the last actions performed in the registry.

Anonymous said...

I see, thank you so much. I appreciate the quick response and clarification! Thought I was going in circles and that explains why.

H. Carvey said...

Again, go back to whomever provided that to you...it doesn't seem legit.

The RegRipper I wrote does NOT parse XML files, and I never wrote a "lastwrite" plugin.

H. Carvey said...

Happy to help.

I'm sorry you were given bad information.