
ComLog.pl, a WIN32 command prompt logger
by Floydman


Computer Security researcher
floydian_99@yahoo.com
August 13th 2002

This paper is available online at www.oocities.org/floydian_99 and securit.iquebec.com

This paper can be freely distributed and reproduced, as long as proper credit is maintained and no modifications are made to this file. For corrections, suggestions or comments, please send me an e-mail.

Abstract

The goal of this paper is to present a new Perl tool I wrote to monitor DOS sessions on Windows NT/2K (it should also work on XP, but I could not test it). Administrators can use this tool to keep a history of the commands typed at the DOS command prompt together with their output, for example on an IIS server. This helps an admin figure out what an attacker did after compromising the machine through one of the numerous vulnerabilities in that software. Of course, like any keylogger, it can also be used for malicious purposes, but I think other programs make better spying tools.

Preface

I started writing about my own experiences in the security field after reading Lance Spitzner's whitepapers, back before the HoneyNet Project grew into the multi-disciplinary team that has since joined him and made the project what it is today. I also wanted to draw inspiration from what was being done on the UNIX platform (writing your own tools when they don't exist) and transpose it to the Windows world, where I am more comfortable. This paper follows both traditions, as the idea for it came to me while reading the HoneyNet Project's recent book, Know Your Enemy. One passage in the book relates how the HoneyNet is designed to sniff all the traffic that passes through it, since all of this traffic is suspicious by nature. This worked well for capturing what attackers were doing on the systems, until the day someone used cryptcat to hide his session. To get around this, the team modified the bash source code to log the session and recompiled it for the next attack. However, the book says, since the same cannot be done with Microsoft's code, they did not bother building an equivalent solution for Windows. ComLog fills that gap.

Special thanks to Lance Spitzner for his comments and ideas during the improvement of the pre-release.

Targeted audience

This document is presented to anyone who has an interest in computer security, honeynets, trojan horses, keyloggers, network administration and computing in general.

Table of contents

1. Introduction
2. Purpose of the program
3. How it works
4. Things you need to know
5. To Install
6. Conclusion
Appendix A. Source code
Appendix B. Sample session history (console)
Appendix C. Sample session history (history.txt)
