Sunday, October 30, 2011

Set Up to More Memory Forensics!

I -really- wanted to make this a cheesy video, but in the interest of time and saving what internet respect I have left I decided screen shots and a storyline would suffice:


Monday 9am. I log onto my computer ready to face the day. I check some e-mails, I read some news sites, look at pictures of cute baby animals... you know, important things. It was all going fine until...




I see this text file appear on my desktop... it's called 'pwned'. What does -that- mean? I didn't put it there!
I have never seen anything like it before... so I click on it


  







"Gotcha." I did not know I was playing tag?? What does that mean? Have I been hacked? Oh my goodness, if my company finds out I am in so much trouble, what with the Christmas party debauchery last year....






Luckily my cube buddy is a bit savvy on computers so she comes over to take a dabble. "Have you been browsing the internet lately?" she asked inquisitively. "No, I do not do that on company time", I lied meekly, "I only checked my mail and visited some links... I don't trust that internet." I think she was impressed by my response because she stared at me for a while (in respect, I am sure).


The commands she ran and subsequent output are here:


>netstat -ano > victim_Netstat.txt
>WMIC /OUTPUT:C:\victimProcessList.txt PROCESS get Caption, Commandline, Processid

Caption CommandLine ProcessId
System Idle Process 0
System 4
smss.exe \SystemRoot\System32\smss.exe 548
csrss.exe C:\WINDOWS\system32\csrss.exe 608
winlogon.exe winlogon.exe 632
services.exe C:\WINDOWS\system32\services.exe 676
lsass.exe C:\WINDOWS\system32\lsass.exe 688
vmacthlp.exe C:\Program Files\VMware\VMware Tools\vmacthlp.exe 848
svchost.exe C:\WINDOWS\system32\svchost -k DcomLaunch 896
svchost.exe C:\WINDOWS\system32\svchost -k rpcss 980
svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs 1072
svchost.exe C:\WINDOWS\system32\svchost.exe -k NetworkService 1140
svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService 1304
spoolsv.exe C:\WINDOWS\system32\spoolsv.exe 1512
explorer.exe C:\WINDOWS\Explorer.EXE 1600
VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe 2020
VMwareUser.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe 2032
VMwareService.exe C:\Program Files\VMware\VMware Tools\VMwareService.exe 1712
alg.exe C:\WINDOWS\System32\alg.exe 736
wscntfy.exe C:\WINDOWS\system32\wscntfy.exe 1020
cmd.exe C:\WINDOWS\system32\cmd.exe 1412
taskmgr.exe C:\WINDOWS\system32\taskmgr.exe 1108
cmd.exe C:\WINDOWS\system32\cmd.exe 1324
wmic.exe wmic 364
wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe 1316

>net start
These Windows services are started:

   Application Layer Gateway Service
   Automatic Updates
   COM+ Event System
   Computer Browser
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   Distributed Link Tracking Client
   DNS Client
   Error Reporting Service
   Event Log
   Fast User Switching Compatibility
   Help and Support
   IPSEC Services
   Logical Disk Manager
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Print Spooler
   Protected Storage
   Remote Procedure Call (RPC)
   Remote Registry
   Secondary Logon
   Security Accounts Manager
   Security Center
   Server
   Shell Hardware Detection
   SSDP Discovery Service
   System Event Notification
   System Restore Service
   Task Scheduler
   TCP/IP NetBIOS Helper
   Terminal Services
   Themes
   VMware Physical Disk Helper Service
   VMware Tools Service
   WebClient
   Windows Audio
   Windows Firewall/Internet Connection Sharing (ICS)
   Windows Image Acquisition (WIA)
   Windows Management Instrumentation
   Windows Time
   Wireless Zero Configuration
   Workstation


"So, what I did was see what connections you have to your machine, what processes you have running, and what services you have started," my co-worker explained. "And besides the connection to port 4444 I do not see anything weird going on, but I do not see anything with the process ID either, so that makes me worried..."

"Look all I did was turn on my machine and look at some puppies. I didn't start any services or whatever you said." I was starting to get annoyed now because she was getting into my coffee break time. 

"Let me just do a memory dump and take a closer look, I am sure we will get to the bottom of this.... and then you can get your coffee."

See how I did that? I will use my video to mimic the investigation based on what we learned from the command line outputs. Classic. 

Not today though, I have many other things to do today. I am picking up my Learning Perl book again in hopes of getting thru Chapter 5 (hashes), doing a bit more German learning on Rosetta Stone, and then maybe starting to go thru "Digital Forensics with Open Source Tools" written by Harlan Carvey and Cory Altheide. The book I hope will expose me to a ton more tools (which are free) and give me a better understanding of what can be accomplished through them. Sometimes those new shiny tools just don't work and you have to have something to fall back on :)

If you haven't gone to Harlan's or Cory's blog I definitely suggest you do, these guys are great sources of new tools and processes out in the field. I also want to thank Harlan for giving me credit on his blog; I was totally shocked to see someone I have looked up to for his continuing work taking an interest in my work-- it's a good feeling and I hope not to disappoint :)

Before I head off into the void, if anyone out there is curious about the (uber wonderful) world of Linux for forensics/IR I suggest you go to Girl, Unallocated and look for her "Crossing the River Linux" posts. Plus I love her sense of humor, and if she really does live in Utah I am insanely jealous (one reason is this).

Ok time to make spooky cupcakes... enjoy your Sunday everyone!

Friday, October 28, 2011

Facebook Attachment Mayhem

Nathan Power has posted in his blog an easy way to send executable attachments via Facebook. This was basically altering a POST request to the server by adding a space to the filename. So if you want to send 'puppies.exe' what you need to do is alter your POST request to be 'puppies.exe '. (Note the space!)

So I have now had Paros up as a proxy between me and the interwebs for an unreasonable amount of time. I have not been able to find this illustrious POST request with the line Nathan speaks of. I have seen the filename, but in responses, and the corresponding request bore no fruit.

So, this leads me to wonder. Although Facebook said 'NBD' to the whole fiasco, did they change the post request? Or (more likely) am I doing something wrong?

So in anger, I tried a lame thing: I changed 'puppies.exe' to 'puppies.exe.txt' and kablam! It sent! Is FB just looking at extensions or the last character? Very interesting.... I wonder if you can create a payload in metasploit and bind it to a txt/doc/pdf and then send it thru FB. Yet another way to transfer viruses? I guess that would not be such a big deal... and that was not really the point of this blog....

nevermind.

Wrap-up: Although I did not find the string < Dr. Evil voice > Mr. Powers < / Dr. Evil voice> blogged about, I at least got Paros up and running and playing around with some of its features, and even manipulating some requests. If you see something out there being blogged about and you wonder "Are you serious?"... the best way to find out is to try it yourself. And do not be afraid to ask questions! You gotta start somewhere eh? (That being said if someone was able to do this and could walk me thru it...brilliant!)
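The two things this post pokes at, a trailing space and a double extension, are both weaknesses of checking only the raw text after the last dot. Here is the bypassable check next to a hardened one, as an added Python example (not code from the original post, and not Facebook's own logic, which is not public): the hardened version normalizes the name the way the receiving OS will, looks at every extension, and then checks the bytes themselves for the 'MZ' header every Windows executable starts with. The extension set and the sample inputs are constructed for the example.

```python
"""Upload filename checks: the bypassable kind vs. a normalized, content-aware kind
(added example, not from the post or from Facebook's code)."""
import unicodedata

# Extensions Windows will run directly; a representative set, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "msi", "vbs", "js", "hta"}


def naive_is_executable(filename):
    """A last-extension check of the kind the post is probing.

    It compares the raw text after the final dot, so 'puppies.exe ' (trailing space)
    and 'puppies.exe.txt' both slip past it.
    """
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS


def normalize_filename(filename):
    """Reduce a submitted filename to what the receiving OS will actually use."""
    name = unicodedata.normalize("NFKC", filename)        # fold look-alike characters
    name = name.replace("\\", "/").rsplit("/", 1)[-1]     # drop any directory component
    name = "".join(ch for ch in name if ch.isprintable())  # strip control characters
    return name.strip().rstrip(". ").lower()               # Windows drops trailing dots/spaces


def hardened_is_executable(filename):
    """Check every extension in the normalized name, not just the last one."""
    parts = normalize_filename(filename).split(".")[1:]
    return any(part in EXECUTABLE_EXTENSIONS for part in parts)


def looks_like_pe(data):
    """True if the bytes carry the 'MZ' DOS header every Windows executable starts with."""
    return len(data) >= 2 and data[:2] == b"MZ"


def classify_upload(filename, data):
    """Decide on an attachment from both its name and its content."""
    if looks_like_pe(data):
        return "reject", "content is a Windows executable regardless of its name"
    if hardened_is_executable(filename):
        return "reject", f"name {normalize_filename(filename)!r} carries an executable extension"
    return "accept", "no executable indicators"


if __name__ == "__main__":
    for name in ("puppies.exe", "puppies.exe ", "puppies.exe.txt", "puppies.txt"):
        print(f"{name!r:20} naive={naive_is_executable(name)!s:5} "
              f"hardened={hardened_is_executable(name)}")
    print(classify_upload("notes.txt", b"MZ\x90\x00" + bytes(60)))
```

Treating a double extension like 'puppies.exe.txt' as executable is a deliberately conservative policy; the check that actually settles the question is the content one, since a renamed binary still starts with 'MZ' whatever its name says.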

Thursday, October 27, 2011

Partition Tables Revisited

I bet you all forgot about the poor ol' Partition Table blog I did a week back or so... it's OK, I kind of did too. However whilst doing something completely unrelated (I think I was cooking) I remembered to go back and see my submissions....

And the winner is ::drumroll:: J. Rajewski!

So for all you people who got a bit wrong or were just too lazy to submit (this is fine I am not offended, as long as you are learning!), the answers are below:

4 partitions....

Partition One:
  • not bootable
  • Type: 0x12 (configuration/diagnostics)
  • Size: ~4GB
  • Notes: Hilariously I did not even know about this drive. It is a Windows Recovery (WinRE) partition which is included in my MSI Wind. I think this is because there are no CD/DVD drives to insert recovery disks when your OS goes south (remember that CD? The one you got with your system but you were too excited to care and probably threw it out with the bubble wrap? Yeah THAT CD.)
Partition Two:
  • bootable (0x08)
  • Type: 0x07 (NTFS)
  • Size: ~ 42GB
  • Notes: This is my OS install
Partition Three:
  • not bootable
  • Type: NTFS
  • Size: ~93 GB
  • Notes: This is my data drive for Windows
Partition Four:
  • not bootable
  • Type: extended DOS partition
  • Size: ~20GB
  • Notes: did you notice that my C and D drives amount to roughly 130GB? This 20GB partition is where the extra space went. It is a Linux partition (which is actually broken down into 2 more partitions) and Windows does not recognize Linux partitions. So.. that answers the bonus question!
Below is a look at my drive thru Windows Management:


Now I am not 100% sure why we have some discrepancies between the Windows partitions shown above and the partition table. I think when I got the machine I only really had 146 GB to play with, Windows just told me I had more....

I feel so cheated. :)



Wednesday, October 26, 2011

Cracking Passwords with Volatility and John: Now With 34.3% Better Video!

Note: After viewing the video myself I find it of horrible quality, it has to be played in fullview mode and it is still fuzzy.  When I uploaded to YouTube the video was much better--- hooray!


As promised I have an (awesome) video showing how to use Volatility to extract NTLM Windows passwords which can then be cracked by John the Ripper. Please be kind and understanding as this is my first (of many takes) video so I can only get better.. hopefully.

This is nothing new and has been around for, well, a long time. However I just wanted to provide a quick taste of how powerful memory can truly be. I will hopefully show better examples in later videos.

John the Ripper and Volatility are free downloads. Check my previous posting for documentation on how to install Volatility on a Windows system. The site which talks about the Volatility Commands available is here (if you are confused watch the video I mention it there).






Saturday, October 22, 2011

Volatility on Windows

Volatilityyyyyyy!! 
Sometimes dedication pays off. You get such a great feeling when (finally) whatever you were trying to do suddenly works. That apple pie recipe your grandma gave you that you have ruined x+1 times. That time you have never been able to beat for a 5k. Getting Volatility to work (with plugins) in a Windows environment.

Today, my friends, is the day we are victorious!

This installation guide will be your bible for the next 30-45 minutes. Follow it to the letter and you will succeed. The only change I made was for distorm3: I downloaded 'distorm3-1.0.win32.exe' instead of the zip file. Just execute the file, choose the Python version you are using, and let it go!

Now for the plugins, there is a great list on the Forensic Wiki. Gleeda also just released some plugins for assisting in timeline analysis, eventlogs, and more. You can see her blog post about it here.

So after installing Volatility, I should not have to tell you the importance of reading instructions. The same goes for plugins, some require dependencies. Be sure to read up on them to help stop the tears later.

I had the standalone Volatility, but decided (in the long run) it's better to do it this way. So the videos will be up and coming shortly!






Friday, October 21, 2011

Full of Sound and Fury...

The new 'hot malware' Duqu report by Symantec (read the PDF analysis here) calls Duqu the child of Stuxnet, the big bad malware which shivered the timbers of SCADA systems everywhere. McAfee, the lead rival to Symantec, differs with them on a few points. You can read McAfee's explanation of the Duqu malware here.

Regardless of its true intent (or who you want to follow), the fact of the matter is the thing which worries people most about Stuxnet and now possibly Duqu: SCADA systems are really no more secure than when Stuxnet first kept us awake at night.

According to the article, SCADA comprises two systems: the Human Machine Interface (HMI) and Programmable Logic Controllers (PLC). Most of the exploits we have seen in public are the ones involving the HMI; however, the real bump-in-the-night vulnerabilities are still in the PLCs. These systems will be running (vulnerable) for years before they get upgraded, and even when they do get upgraded there is no 'security baked in'....

From the article:

Stuxnet showed how programmable logic controllers could be overwritten to send commands that caused equipment to fail, he said. Despite that warning, little has changed. "Prior to Stuxnet there were zero programs for securing PLCs. To this day there are no programs for securing PLCs," Weiss said. [...] In many cases anyone with logical access to a control system can upload firmware on it without authentication, he said. Passwords are often hardcoded into systems, many have administrative backdoors, and very basic buffer overflow errors.

So, half the time I feel like we are always playing catch-up; we need to get to the ROOT of the problem and figure out how to fix it. If we keep doing what we are doing, we will always be reactive.

I am not saying I know how to fix the problem, but I am sure there are some super smart people who have the ability to bring the deal makers together to make a decision... do we really want the electricity or water systems to go down?


Think of it like this: if you have an infected computer, do you only fix that one or do you check your entire system to ensure you're completely protected? Do you only secure your outer perimeter and leave your OSes completely vulnerable?

In other fun news-- I am hoping to make a couple of videos about volatility. Just to show how powerful memory forensics can be. I did a first run today-- I would not put you guys thru that torture ('Now just hit enter and ... oh that didn't work'). Stay tuned!

Tuesday, October 18, 2011

Examining Partition Tables

Now I would not call partition tables sexy by any means of the imagination (however the MBR can be involved in malware), but one of the things I learned is: the best way to learn something is to do it. This goes for pretty much anything. So anyways I was watching a video on SecurityTube and the gentleman was delving into partition tables and I decided to take a look at my own hard drive and see it all for myself.

First off, I downloaded a hex editor (my poor netbook is choking on programs now, it's almost time for a refresh). I used WinHex, because it's free and I got fed up with CNET giving me a bad download.

Anywhoo... I started small first, use a thumb drive! So I booted up WinHex and navigated to Tools>Open Disk and chose my little 2GB thumb drive.

So our partition table starts at byte 446 within our 512-byte MBR. In hex that is 0x01BE. No, I didn't just know that; I used the handy dandy calculator to figure that out, hex conversions can be covered elsewhere. Each partition is allotted 16 bytes, so I highlight the first 16 below:



Ok, let me give the breakdown along with my example:
  • Byte 0 : Flag for whether the partition is bootable. 0x80 means bootable while 0x00 means it's not. My drive is not bootable
  • Bytes 1-3 : Starting CHS (Cylinder Head Sector) address. We don't really use this anymore thanks to Logical Block Addressing, but it is still good to know. The first hex value is for the head, which in my case is 0x00 (so, mine starts at 0). The second hex value is actually split up, with six bits reserved for the sector and the other two going to the cylinder number. Mine is easy with the second hex value at 0x01, so my starting sector for my partition is 1. Finally the 3rd hex value is for the cylinder, which is also 0x01.
  • Byte 4: Partition Type. This shows the partition format type. You can find an extensive list here. Looking up my value 0x0b reveals I have a FAT32 partition type.
  • Bytes 5-7: Ending CHS Address: This is broken down the same way as the starting address. We still have an ending head of 0, however our sectors and cylinders have changed a bit and now we have to break our hex down into binary. I will not bore you with how to do that but here are the results:
    • 0x41 : 10000010
    • 0xF:    11011111
Now remember we gotta save the first two bits of 0x41 for the cylinder. So that leaves sad binary  10, which in decimal is 2. My ending sector is 2. My ending cylinder is 1011011111, which in decimal is 735.
I am not going to claim I did the CHS sector right, if I am wrong and someone can explain to me my error I would be happy. Like I said we have mostly switched to LBA since our drives have been getting bigger and bigger....
  • Bytes 8-11: Logical Block Address (ending) 
  • Bytes 12-15: Size in Sectors (little endian). So our last 4 hex values are as follows: 80 F0 3A 00. What does little endian mean? Basically it means the littlest byte (in this case 00) heads to the front. Who was it that said "The first shall become last?"
Anyways, so after doing that we have the new value: 00 3A F0 80. What is that in decimal? Handy calculator says it's: 3862656. That's how many sectors we have, but for Pete's sake what does that mean? Well! Do you remember how many bytes I said were in a sector? 512! So just multiply the two numbers together and....

1977679872 B
That is an awfully large number, and who really reads in bytes anyways? So you could use a handy dandy online bit calculator to figure it out, or if you know how many bytes (roughly) are in a GB (answer: roughly a billion) and move that decimal over, you get...

1.97 GB

That seems a bit more like it... and just to check:


Whoo hoo! It says on the drive itself 2GB, we are pretty close! So even if the CHS is a bit FUBAR, you can use the last 4 bytes to determine the size (which seems much easier).
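Here is the same decoding done in code, as an added Python example (not code from the original post): it walks all four 16-byte entries of a 512-byte MBR, decodes the CHS fields, type and size of each, and so also covers the four-partition hard drive from the "Partition Tables Revisited" answers above. The first constructed MBR reuses the thumb drive bytes from this post (00 | 00 01 01 | 0B | 00 41 .. | .. | 80 F0 3A 00); the ending cylinder byte 0xDF and the starting LBA of 63 are assumptions, since those values are not legible in the text, and the second MBR's sizes are rough. In the standard layout bytes 8-11 hold the starting LBA of the partition and bytes 12-15 its size in sectors, both little-endian, which is what struct's "<" format does for us.

```python
"""Parse the 64-byte MBR partition table (added example, not from the post)."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE          # byte 446 of the 512-byte MBR
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of every valid MBR

# Type IDs that appear in the posts, plus a couple of common ones.
PARTITION_TYPES = {0x00: "empty", 0x05: "extended DOS", 0x07: "NTFS", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x12: "configuration/diagnostics", 0x83: "Linux"}


def decode_chs(raw):
    """Return (cylinder, head, sector) from a 3-byte CHS field.

    Byte 1 is the head; the low six bits of byte 2 are the sector and its top two
    bits are bits 8-9 of the cylinder; byte 3 holds cylinder bits 0-7.
    """
    head, sect_cyl, cyl_low = raw
    sector = sect_cyl & 0x3F
    cylinder = ((sect_cyl & 0xC0) << 2) | cyl_low
    return cylinder, head, sector


def parse_entry(entry):
    """Decode one 16-byte partition-table entry into a dict."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("partition entry must be 16 bytes")
    start_lba, sectors = struct.unpack_from("<II", entry, 8)  # two little-endian uint32
    return {"bootable": entry[0] == 0x80,
            "chs_start": decode_chs(entry[1:4]),
            "type_id": entry[4],
            "type": PARTITION_TYPES.get(entry[4], "unknown"),
            "chs_end": decode_chs(entry[5:8]),
            "start_lba": start_lba,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR_SIZE}


def size_gb(num_bytes):
    """Decimal gigabytes, the unit printed on the drive label."""
    return num_bytes / 1_000_000_000


def parse_partition_table(mbr):
    """Return the non-empty entries of the MBR's four-slot partition table."""
    if len(mbr) < 512 or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    entries = []
    for slot in range(4):
        offset = TABLE_OFFSET + slot * ENTRY_SIZE
        entry = parse_entry(mbr[offset:offset + ENTRY_SIZE])
        if entry["type_id"] != 0x00:
            entries.append(entry)
    return entries


def make_entry(boot, chs_start, type_id, chs_end, start_lba, sectors):
    """Build a 16-byte entry (used here only to construct the sample MBRs)."""
    return bytes([boot, *chs_start, type_id, *chs_end]) + struct.pack("<II", start_lba, sectors)


def make_mbr(entries):
    """Place up to four entries in a zeroed 512-byte sector and add the signature."""
    mbr = bytearray(512)
    for slot, entry in enumerate(entries):
        offset = TABLE_OFFSET + slot * ENTRY_SIZE
        mbr[offset:offset + ENTRY_SIZE] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed sample 1: the thumb drive entry from the post. Bytes taken from the post:
# 00 | 00 01 01 | 0B | 00 41 ?? | ?? | 80 F0 3A 00. The ending cylinder byte (0xDF) and the
# starting LBA (63) are assumptions, not values from the post.
THUMB_DRIVE_MBR = make_mbr([
    make_entry(0x00, (0x00, 0x01, 0x01), 0x0B, (0x00, 0x41, 0xDF), 63, 0x003AF080),
])

# Constructed sample 2: shaped like the four-partition netbook answer key (recovery,
# bootable NTFS OS, NTFS data, extended). Sizes are rough and CHS fields are zeroed.
_GB = 1_000_000_000 // SECTOR_SIZE  # sectors per decimal gigabyte
NETBOOK_MBR = make_mbr([
    make_entry(0x00, (0, 0, 0), 0x12, (0, 0, 0), 2048, 4 * _GB),
    make_entry(0x80, (0, 0, 0), 0x07, (0, 0, 0), 2048 + 4 * _GB, 42 * _GB),
    make_entry(0x00, (0, 0, 0), 0x07, (0, 0, 0), 2048 + 46 * _GB, 93 * _GB),
    make_entry(0x00, (0, 0, 0), 0x05, (0, 0, 0), 2048 + 139 * _GB, 20 * _GB),
])

if __name__ == "__main__":
    for label, mbr in (("thumb drive", THUMB_DRIVE_MBR), ("netbook", NETBOOK_MBR)):
        print(label)
        for i, p in enumerate(parse_partition_table(mbr), 1):
            flag = "bootable" if p["bootable"] else "not bootable"
            print(f"  {i}: {flag}, type 0x{p['type_id']:02X} ({p['type']}), "
                  f"{p['sectors']} sectors = {size_gb(p['size_bytes']):.2f} GB, "
                  f"CHS start {p['chs_start']} end {p['chs_end']}")
```

The CHS decoder applies the usual layout (the low six bits of the middle byte are the sector, its top two bits are bits 8 and 9 of the cylinder), so for an ending byte of 0x41 it reports sector 1 rather than 2; that is the step the hand calculation above asked to have checked. The size path does not depend on CHS at all, which is why the last four bytes are the ones to trust on any drive big enough to be LBA-addressed.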

Another quick one:

  • This one is bootable, as the first hex value is 0x08
  • Partition type is FAT32, LBA mapped (hex value 0x0C)
  • Size is 4 GB (thanks to the last 4 bytes)
How about an actual hard drive? Well mine is 150 GB, so let's see what is going on:

Whoa, my poor netbook! I leave this to you guys as a 'challenge', sorry I am not rich enough to give prizes, but maybe your name will be posted on the blog! whoo-hoo!

Questions to be answered:
  1. How many partitions are there?
  2. For each partition, what is its type?
  3. For each partition, what is its size?
  4. Does this equal 150GB? (give or take)
  5. BONUS:
Now to throw a 'monkey' in the mix: This is what I see when I look in Windows Explorer:

OS_Install is ~40GB, so adding the two drives does not equal 150G. What do you think a reason could be for this?

Email your answers to: icanhazblog[at]gmail[dot]com

Thanks!