(IEHistoryView) { Viewing Past URL Web History }
Section 0. Background Information
- IEHistoryView extracts information from the
history file (index.dat) of Internet Explorer.
- This history information includes the URLs
that the user visited, the Web site title, the number of times that each URL
was visited (Hits column), and the last date/time that the Web site
visit occurred.
- The history file also contains a list of
local files that the user opened with Internet Explorer (usually .html
and image files).
Lab Notes
- In this lab we will do the following:
- Download IEHistoryView
- Create Web History
- Retrieve Web History with IEHistoryView
- Legal Disclaimer
- As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."
- In addition, this is a teaching website
that does not condone malicious behavior of
any kind.
- You are on notice, that continuing
and/or using this lab outside your "own" test environment
is considered malicious and is against the law.
- © 2012 No content replication of any
kind is allowed without express written permission.
Section 1: Play Virtual Machine
- Start Up Damn Vulnerable WXP-SP2.
- Instructions:
- Click on Damn Vulnerable WXP-SP2
- Click on Edit virtual machine Settings
- Note(FYI):
- For those of you not part of my class,
this is a Windows XP machine running SP2.
- Edit Virtual Machine Settings
- Instructions:
- Click on Network Adapter
- Click on the Bridged Radio button
- Click on the OK Button
- Play Virtual Machine
- Instructions:
- Click on Damn Vulnerable WXP-SP2
- Click on Play virtual machine
- Logging into Damn Vulnerable WXP-SP2.
- Instructions:
- Username: administrator
- Password: Use the Class Password or
whatever you set it.
- Open a Command Prompt
- Instructions:
- Start --> All Programs --> Accessories
--> Command Prompt
- Obtain Damn Vulnerable WXP-SP2's IP Address
- Instructions:
- ipconfig
- Note(FYI):
- In my case, Damn Vulnerable WXP-SP2's
IP Address is 192.168.1.116.
- This is the IP Address of the Victim
Machine that will be attacked by Metasploit.
- Record your Damn Vulnerable WXP-SP2's
IP Address.
Section 2: Download and Install
- Start your Internet Explorer Web Browser
- Instructions:
- Start --> All Programs --> Internet
Explorer
- Download IEHistoryView
- Instructions:
- Place http://www.nirsoft.net/utils/iehv.zip
in the Address Box and hit enter.
- Click Save
- Save As
- Instructions:
- Navigate to C:\tools
- If the tools folder does not exist,
then create it.
- Click the Save Button
- Click Open Folder
- Instructions:
- Click Open Folder
- Extract iehv.zip
- Instructions:
- Right Click on iehv.zip
- Select Extract All...
- Select Next
- Instructions:
- Click Next
- Select Next
- Instructions:
- Click Next
- Click Finished
- Instructions:
- Click Finished
Section 3: Create Some Web History
- Open Up Internet Explorer.
- Instructions:
- Start --> All Programs --> Internet
Explorer
- Create Metasploit Web History
- Instructions:
- Go to http://www.metasploit.com
- Create Nmap Web History
- Open My Computer
- Instructions:
- Start --> All Programs --> My Computer
- Start iehv.exe
- Instructions:
- Navigate to C:\tools\iehv
- Right Click on iehv.exe
- Click Open
- Click Run
- IEHistoryView
- Note(FYI):
- IEHistoryView shows a simplistic view of
URL, Title, Hits, Modified Date, Expiration Date, Username.
- You can see WHO viewed WHAT WHEN.
- Let's do a simple search
- Instructions:
- Select Edit --> Find History Item
- Enter Search String
- Instructions:
- Find What: metasploit
- Note(FYI):
- This search string is limited to the name of the website and not a
content search.
- Results
- Note(FYI):
- Notice that http://www.metasploit.com is highlighted.
- Select All URLs
- Instructions:
- Click on the very first URL
- Press and Hold the Shift Button
- Click on the very last URL link
- Select Highlighted Items
- Instructions:
- Edit --> Select Highlighted Items
- Copy Selected Items
- Instructions:
- Edit --> Copy Selected Items (Tab Delimited)
- Open Notepad
- Instructions:
- Start --> All Programs --> Accessories
--> Notepad
- Paste URLs
- Instructions:
- Edit --> Paste
- Save URLs
- Instructions:
- File --> Save As...
- Navigate to C:\Evidence
- If you do not have an Evidence
Folder, then please create it.
- File name: IE-YYYYMMDD.csv
- YYYY - Represents the Year
- MM - Represents the Month
- DD - Represents the Day
- In my case, I named the file
IE-20121215.csv
- Click Save
- Open a Command Prompt
- Instructions:
- Start --> All Programs --> Accessories
--> Command Prompt
Proof of Lab
- Instructions:
- cd C:\Evidence
- dir | findstr IE-20121215.csv
- Remember, your file name might differ from
IE-20121215.csv, because it is based on today's date.
- type IE-20121215.csv | findstr metasploit
- date /t
- echo "Your Name"
- This should be your actual name.
- e.g., echo "John Gray"
Proof of Lab Instructions
- Press both the <Ctrl> and <Alt> keys at
the same time.
- Do a <PrtScn>
- Paste into a word document
- Upload to Moodle
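
An added example, not part of the original lab or of the IEHistoryView tool: a Python script that repeats the `findstr metasploit` check from the Proof of Lab on the saved export, and also flags the local-file entries mentioned in Section 0 and totals hits per user. It assumes the tab-delimited columns are in the order the lab lists them (URL, Title, Hits, Modified Date, Expiration Date, User Name); the sample rows are constructed.

```python
from collections import Counter

# Assumed column order, taken from the columns the lab lists for IEHistoryView.
FIELDS = ["url", "title", "hits", "modified", "expires", "user"]

# Constructed sample standing in for C:\Evidence\IE-YYYYMMDD.csv (tab-delimited).
SAMPLE = (
    "URL\tTitle\tHits\tModified Date\tExpiration Date\tUser Name\n"
    "http://www.metasploit.com/\tPenetration Testing Software | Metasploit\t3\t"
    "12/15/2012 10:02:11 AM\t1/10/2013 10:02:11 AM\tadministrator\n"
    "http://nmap.org/\tNmap - Free Security Scanner\t1\t"
    "12/15/2012 10:05:40 AM\t1/10/2013 10:05:40 AM\tadministrator\n"
    "\n"
    "file:///C:/tools/notes.html\t\t2\t"
    "12/15/2012 10:09:03 AM\t1/10/2013 10:09:03 AM\tstudent\n"
)

def load_history(text):
    """Parse the export into dicts; skip blank, short and header lines."""
    rows = []
    for line in text.splitlines():
        rec = [cell.strip() for cell in line.split("\t")]
        # A header row or a damaged line has no numeric Hits value.
        if len(rec) != len(FIELDS) or not rec[2].isdigit():
            continue
        row = dict(zip(FIELDS, rec))
        row["hits"] = int(row["hits"])
        # Local files opened in IE are stored alongside visited web sites.
        row["local"] = row["url"].lower().startswith("file:")
        rows.append(row)
    return rows

def find_items(rows, needle):
    """Case-insensitive match on URL or title only, never on page content."""
    n = needle.lower()
    return [r for r in rows if n in r["url"].lower() or n in r["title"].lower()]

def hits_by_user(rows):
    """Total visit count per Windows user name (the WHO column)."""
    totals = Counter()
    for r in rows:
        totals[r["user"]] += r["hits"]
    return dict(totals)

if __name__ == "__main__":
    history = load_history(SAMPLE)
    for r in find_items(history, "metasploit"):
        print(r["user"], r["modified"], r["url"], "hits=%d" % r["hits"])
    print("local files:", [r["url"] for r in history if r["local"]])
    print("hits per user:", hits_by_user(history))
```

To run it against the file saved in the lab, read that file's text and pass it to `load_history` in place of `SAMPLE`.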