Friday, December 19, 2008

Windows Physical Memory Roundup

I put together a comprehensive list of Windows physical memory tools that's posted over at the SANS Computer Forensics Blog. The list includes acquisition and analysis tools along with a brief description, whether it is free or commercial and screenshots if available. Take a look if you have an interest in Windows memory analysis.

Windows Physical Memory: Finding the Right Tool for the Job

Friday, December 12, 2008

Weaponizing USB Flash Drives with the Addonics NAS Adapter

It's kind of interesting how I start out to write something and it ends up being totally different from what I was planning. Today's post at Dark Reading was like that. My original intent was to focus on data sprawl due to proliferation of physically small, large storage capacity flash drives. What I ended up with was a bad ass idea of weaponizing the Addonics NAS Adapter into a MitM attack tool for scarfing up network data including VoIP calls.

Take a trip down the rabbit hole with "USB Flash Drive Network Weaponization."

BTW, here's a link to the PDF of Larry Pesce's "Rogue APs for Penetration Testers" presentation. He's my inspiration for hiding small electronic devices in obscure places.

Mini Wish List

Here's a quick wish list for anyone who is still stumped on what to get me. I did put down gift certificates for two of the sites, but that's because it would be impossible to list all the little items from each site I'm interested in like a Super TV-B-Gone kit,
DIY Design Electronics Kit, Mousebot Kit, Blinkybug Kit, Tiny Cylon Kit, USB7 6 Digit LED Display Kit, Solarspeeder Kit, Learn to Solder Kit, Maker Bundle #1, Bare Bones Arduino Board Kit,

Wednesday, November 05, 2008

iPod Touch

I've had my new iPod for a week now and am loving it. Email is great and now I'm testing out a blogging app that seems to work well so far. My favorite app so far is ByLine that syncs my Google Reader RSS feeds so I can read them offline making it easy to stay on top of them. Ok, test over. More cool memory forensic stuff to come.

Tuesday, November 04, 2008

Encase, Physical Memory and E01s

Short disclaimer: This post is primarily for the sake of posterity and keeping track of some of the stuff I had laying around to get where I am in the research I'm doing right now. I've done a lot more testing with physical memory acquisition using winen, mdd, win32dd, and Encase both locally on live systems and on remote systems using F-Response in an effort to see the compatibility of the different outputs with Encase memory analysis Enscripts, Volatility Framework and Memoryze.

I don't remember which version of Encase added physical and process memory support, but it was the 6.11 release that included winen.exe, a standalone utility to create an image/dump of physical memory. The resulting file was, of course, in the EWF/E01 format. The interesting thing is that when the E01's containing memory are opened in Encase, it knows that they represent memory, so the icon in Encase changes from the usual hard drive icon to a memory chip. Here's a screenshot.
How does Encase know? I thought it was based on the following dialog and that I'd be able to change this within Encase by right-clicking on an entry, but modifying the entries like those in the following image did nothing.
It turns out that Guidance Software has made an addition to the E01 file so that there is a new media type identifier, 0x10. Taking a look at a memory image created by winen, ewfinfo from the libewf project shows the Media Type as RAM.
ewfinfo 20080609 (libewf 20080609, zlib 1.2.3, libcrypto 0.9.7)

Acquiry information
Case number: AAAAAAAAAAAA
Description: winen-nocomp
Examiner name: BBBBBBBBBBBB
Evidence number: CCCCCCCCCCCC
Operating system used: Windows XP
Software version used: 6.11
Password: N/A
Unknown value ext: 0

Media information
Media type: RAM
Media is physical: yes
Amount of sectors: 130940
Bytes per sector: 4096
Media size: 511 MiB (536330240 bytes)
Error granularity: 1
Compression type: no compression
GUID: 837687b1-988d-2c44-a8f4-84874692842a
MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b
Note: Later beta versions since 20080609 lost the LIBEWF_MEDIA_TYPE_RAM so they show up like this:
ewfinfo 20081013 (libewf 20081013, libuna 20081011, zlib 1.2.3, libcrypto 0.9.7)

Acquiry information
Case number: AAAAAAAAAAAA
Description: winen-nocomp
Examiner name: BBBBBBBBBBBB
Evidence number: CCCCCCCCCCCC
Operating system used: Windows XP
Software version used: 6.11
Password: N/A
Unknown value ext: 0

Media information
Media type: unknown (0x10)
Media is physical: yes
Amount of sectors: 130940
Bytes per sector: 4096
Media size: 511 MiB (536330240 bytes)
Error granularity: 1
Compression type: no compression
GUID: 837687b1-988d-2c44-a8f4-84874692842a
MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b
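As an added example (my own code, not part of the original post, libewf or EnCase), here is a small Python reader for the field ewfinfo is reporting: it walks the section chain of an E01 segment file, checks each descriptor's Adler-32, decodes the media type byte of the "volume" section, and renders values it does not know as "unknown (0x..)" the way the later libewf beta does. The sample E01 is constructed in memory with the sector count and sector size from the dump above; the section and volume layouts follow libewf's EWF format documentation as I recall it, and the media type values other than 0x10 are assumptions.

```python
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
# Media type byte of the EWF volume section: 0x10 is the RAM value the post discusses,
# the others follow libewf's format documentation (assumed, see lead-in).
MEDIA_TYPES = {0x00: "removable disk", 0x01: "fixed disk", 0x03: "optical disc",
               0x0E: "logical evidence file", 0x10: "RAM"}

def build_sample_e01(media_type=0x10, sectors=130940, bytes_per_sector=4096):
    """Constructed single-segment E01: 13-byte file header plus one 'volume' section."""
    header = EWF_SIGNATURE + b"\x01" + struct.pack("<HH", 1, 0)      # segment number 1
    body = bytearray(1052)                                            # EnCase 6 volume body
    body[0] = media_type
    struct.pack_into("<III", body, 4, -(-sectors // 64), 64, bytes_per_sector)  # chunks, per chunk, bps
    struct.pack_into("<Q", body, 16, sectors)
    body[36] = 0x02                                                   # media flags: physical
    struct.pack_into("<I", body, 1048, zlib.adler32(bytes(body[:1048])))
    desc = bytearray(76)                                              # section descriptor
    desc[:6] = b"volume"
    struct.pack_into("<QQ", desc, 16, len(header) + 76 + 1052, 76 + 1052)   # next offset, size
    struct.pack_into("<I", desc, 72, zlib.adler32(bytes(desc[:72])))
    return header + bytes(desc) + bytes(body)

def read_media_info(e01):
    """Walk the section chain and report what ewfinfo prints under 'Media information'."""
    if e01[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF segment file")
    off = 13
    while off + 76 <= len(e01):
        desc = e01[off:off + 76]
        if struct.unpack_from("<I", desc, 72)[0] != zlib.adler32(desc[:72]):
            raise ValueError("bad section checksum at offset %d" % off)
        kind = desc[:16].rstrip(b"\x00")
        nxt, size = struct.unpack_from("<QQ", desc, 16)
        if kind in (b"volume", b"disk"):
            body = e01[off + 76:off + size]
            mtype, bps = body[0], struct.unpack_from("<I", body, 12)[0]
            sectors = struct.unpack_from("<Q", body, 16)[0]
            # unknown values are rendered the way the later libewf beta prints them
            return {"media_type": MEDIA_TYPES.get(mtype, "unknown (0x%02x)" % mtype),
                    "physical": bool(body[36] & 0x02), "sectors": sectors,
                    "bytes_per_sector": bps, "media_size": sectors * bps}
        if nxt <= off:                                                # guard against a looping chain
            break
        off = nxt
    raise ValueError("no volume section found")
```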
Winen is great for incident response and gathering memory from live systems, but you can also access physical memory and individual processes on the same machine you're running Encase on. It's as easy as clicking the related boxes on the "Add Device" dialog in Encase.

Documentation on EWF (E01) File Format

Monday, November 03, 2008

Cold Boot Memory Attack on TV Show "My Own Worst Enemy"

I'm checking out the new series "My Own Worst Enemy" with Christian Slater. In episode two around the 40 minute mark, they are being briefed on how they are going to infiltrate the enemy's headquarters. Someone mentions that the computers will be encrypted and a geeky dude says no problem, this can right here will freeze the memory so you can extract the encryption keys. Amazing!

When they get in, one of the guys is seen opening the side of a computer, briefly spraying the can into the machine, pulling out a RAM chip with tweezers and putting it into some sort of small circuit board that is then analyzed by a small subnotebook.

Pretty cool stuff. I'm very impressed, at least after seeing all the technological crap the show "24" has butchered.

Tuesday, October 28, 2008

MS06-040 & MS08-067 Similarities

People reversing the vulnerable code have discovered that the new MS08-067 vulnerability was present right next to the MS06-040 vulnerable code but was never noticed. Interesting. Are we really supposed to believe that no one noticed this sooner other than the recent malware being blamed for it being outed? Alright, enough conspiracy theory.

There's an exploit for MS08-067 recently posted at Milw0rm that I was testing out tonight. Out of sheer curiosity, I uploaded the precompiled binary to VirusTotal and it had already been uploaded, so there was an analysis waiting on me. The previous analysis showed 8 out of 36 AV engines detecting it. Now, there's 9.

What I thought was most interesting is this:
eTrust-Vet 31.6.6176 2008.10.28 Win32/MS06-040!exploit
That seems pretty darn close to me. Since the source is available for the exploit, I'll leave it to someone to dig up the old source of exploits for MS06-040 and see if there was some code sharing between the two or if the similarity of the vulnerability is causing eTrust to identify it this way.

Monday, September 22, 2008

Shellcode Testing

I was working on an exploit last week that was having a problem. At one point, I thought it might have been the shellcode I was using, so I started looking for some old C code I had for testing to make sure shellcode actually ran. When it was nowhere to be found, I turned to Google and found the following blog that had C code and an interesting usage for it to analyze shellcode seen in malicious websites. The author extracted the shellcode from the page and put it in this C code, compiled it and ran it through Ollydbg for analysis. SIDE NOTE: Immunity has released an updated, more powerful version of Olly as the free Immunity Debugger.

While the author did all this on Windows, the C code works fine on other operating systems. For example, I was working with it on FreeBSD and had no problems.

Tuesday, August 19, 2008

A new obsession?

At DefCon 16, I finally got to see some of the other things going on other than CTF. I didn't see much, but the thing that really left its mark was the Hardware Hacking Village. Greg and I went up there and I saw about 30 geeks or more going at it with soldering irons, miscellaneous computer scraps and DC16 badges. It was a cool sight.

Greg had already been up there before and soldered a USB port onto his badge. I'd tried soldering a couple of times in my lifetime and failed pretty badly. This time, I was careful, asked for advice from experienced hardware hackers and was able to successfully solder on a working USB port.

What a rush! I'm totally hooked and have bought a couple of soldering irons (electric and butane) to work on modding all of my badges (DC 14-16). I've got a JTAG programmer at the office somewhere that I'm going to have to dig up to work on the previous badges, I think.

The thing I really want to build is an RFID cloner. The simplest, but most effective one I've found so far is the one from Chris Paget of IOActive, but his BlackHat presentation with info on building it was squashed. :-( Oh well, I'll keep searching for something that will work. It may come down to having a separate reader and transmitter/writer. I don't really care too much as long as it is portable so I can use it during physical pentests.

As if I needed another obsession.

DefCon 16 retrospective

I won't bother going into any detail about the Capture the Flag competition here. You can read my blog entry over at Dark Reading or @tlas' blog for more information about our 3rd place finish and sk3wl 0f r00t's well-deserved victory. I did have an awesome time as I've had in the previous years when we won, learned a great deal from all aspects of the CTF experience and truly enjoyed spending time with my friends and teammates from the 1@stplace.

What else did I do while in Vegas for DefCon?

Thurs night, I finally met Tim and Kelly from Dark Reading in person for a fantastic time chatting and eating at the Mesa Grill in Caesar's Palace. They've been my editors for a year, now, and I'd never actually met them. We really had a great time. Afterwards, Kelly and I went by the Core Security party where we met their new CEO, Mark Hatton, Ivan Arce, Matt Hines, several other Core employees along with Rich Mogull and Mike Rothman. I picked up a couple of their Core Exploit "Black Hat Edition" card game but haven't had a chance to play it yet. Afterwards, Kelly tried to get me into the Microsoft party....FAIL.

Friday...CTF...then Plato's room to work on CTF stuff until 2:30am.

Saturday...CTF...then Plato's room to work on CTF stuff until 2:30am.

(Note: if you talk to any of my teammates, they'll tell you I did take a couple small naps during the late nights and won the "quickest to fall asleep" award along with answering a few questions while sleeping...questions that weren't asked to me.)

Sunday...CTF...but, then, I went to the Hardware Hacking Village and soldered on a USB port so I could do some badge hacking after I returned home. Next, I went to the first presentation I've ever seen at a DefCon conference. Why the first one, you ask? Because CTF takes up the entire weekend! So, the presentation was "Stealing the Internet: An Internet-Scale Man in the Middle Attack." It was pretty cool. I admit that I don't know much about BGP, so I probably thought this was way cooler than some other people did, but the room was packed. The sweetest part of the presentation was that they had hijacked the DefCon network at the Riviera and had been routing through and collecting all the passing traffic through their colocation company in NY. Wicked!

Sunday night...the DC16 Awards Ceremony was so packed, and I knew we didn't win, that I decided to head off to dinner with Greg. We ate at an awesome Korean BBQ restaurant and headed down the strip to relax. We wound up at Casa Fuente where we had a few mojitos and smoked some nice Ashton cigars. Afterwards, we walked the strip and made our way back to the Riviera where Greg had to get a little gambling out of his system.

Monday...I spent the day in airports and on airplanes heading home.

DefCon 16 rocked! Thank you to all my friends that I was able to see again, my brothers-in-arms from 1@stplace, Kenshoto for a great game and the DC16 organizers. See you next year!!

I'll post my pics soon.

Tuesday, May 20, 2008

exe2hex.rb: old school pwnage

I figured I'd better put this up before I keep having more ideas of how to improve it and never end up posting it.

What is it? Just over a month ago, a buddy (who's recently begun working for a BIG company that just happens to do some pentesting) was telling me about a pentest where they weren't allowed to upload software so he had to write something in a batch file. While we were chatting, I began telling him of the different ways I've seen attackers put files on Windows systems: tftp, ftp (with & without scripts), wget-like VBscript and echo.

While echo was integral in most of the above techniques (ftp script & VBscript), I'd seen a handful of hacks back in 2005 where an attacker used echo and pasted hex into a file. When the file was complete, he ran "debug < 123.hex". Renamed the resulting file to end with ".exe" and his tool was complete.

After digging through some really old incidents I'd investigated, I found some real world examples of the technique used during compromises. A little bit of Google-ing revealed these two links to a forum post describing the technique in 2004 and mention in a Phrack article.

After sitting in on part of Ed Skoudis' new Security 560 Penetration Testing class, I saw that his class didn't mention this technique but it covered just about all the others above. Since I would one day like to be efficient at writing ruby, I wrote exe2hex.rb based on the C code from Riftor.

Currently, due to a limitation in Microsoft's debug.exe, files must be smaller than 65,280 bytes. My next version will automatically split up files to be under the correct size and convert each one to hex. Once echoed and converted on the target host, the individual files can be joined with "copy file1+file2+file3 /b dest /b" (or at least it should work that way...need to do more testing).
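As an added example (my own code, not the author's exe2hex.rb or Riftor's C), here is the incident-response side of the technique described above: a Python helper that rebuilds the file a recovered debug.exe script would have written so the artifact can be hashed and triaged, checks it against the 65,280-byte limit (which I read as the 64 KiB segment minus the 0x100 offset debug writes from), and flags command lines that match the echo-hex-then-"debug <" pattern. The debug script and command lines are constructed samples.

```python
import hashlib
import re

DEBUG_LOAD_OFFSET = 0x100                      # debug.exe enters/writes bytes from CS:0100
DEBUG_MAX_FILE = 0x10000 - DEBUG_LOAD_OFFSET   # 65,280 bytes: the limit the post mentions

# Constructed sample of the kind of debug script an intruder echoes onto disk:
# "n" names the output, "e" enters bytes at an offset, "rcx" plus the next line sets
# the byte count in CX, "w" writes that many bytes from CS:0100, "q" quits.
SAMPLE_SCRIPT = """n 123.dat
e 0100 4d 5a 90 00 03 00 00 00
e 0108 04 00 00 00 ff ff 00 00
rcx
0010
w
q
"""

# Command-line shapes worth alerting on: hex being echoed into a file, debug fed a script.
DROP_PATTERNS = (re.compile(r"^echo\s+e\s+[0-9a-f]{4}(\s+[0-9a-f]{2})+\s*>>", re.I),
                 re.compile(r"^debug(\.exe)?\s*<", re.I))

def rebuild_from_debug_script(text):
    """Rebuild the file a debug.exe script would write, so it can be hashed and triaged."""
    image, name, count = {}, None, None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip().lower()
        if line.startswith("n "):
            name = raw.strip()[2:].strip()
        elif line.startswith("e "):
            parts = line.split()
            base = int(parts[1], 16) - DEBUG_LOAD_OFFSET
            for i, hx in enumerate(parts[2:]):
                image[base + i] = int(hx, 16)
        elif line == "rcx":
            count = int(next(lines, "0").strip(), 16)   # CX value sits on the following line
    if name is None or count is None:
        raise ValueError("script never names its output or sets CX")
    data = bytes(image.get(i, 0) for i in range(count))  # bytes never entered stay zero
    return {"name": name, "size": count, "data": data,
            "md5": hashlib.md5(data).hexdigest(),
            "over_debug_limit": count > DEBUG_MAX_FILE}

def flag_debug_drop(command_lines):
    """Return the command lines matching the echo-hex / 'debug <' drop pattern."""
    return [c for c in command_lines if any(p.search(c.strip()) for p in DROP_PATTERNS)]
```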

Where does this tool come in handy...I have some ideas but they'll have to wait. I need to pack things up here in the lab and head home.

Tuesday, January 15, 2008

Storm <3's You!

Storm (Nuwar, CME711, etc) just reminded me that Valentine's is less than a month away. I've gotten four recycled e-mails looking to spread some love. When I first got the copies, only two AV vendors (NOD32v2 & Webwasher-Gateway) on VirusTotal.com were detecting it as malicious.

Subject: Our Love is Free
Body: When Love Comes Knocking http://69.212.48.3/

Subject: I Love Thee
Body: Words in my Heart http://24.1.116.187/

Subject: A Is For Attitude
Body: A Dream is a Wish http://222.107.37.211/

Subject: Eternity of Your Love
Body: The Moon & Stars http://68.57.210.178/

The webpage contains some URL encoded text that links to "with_love.exe":

'%3C%61%20%68%72%65%66%3D%22%77%69%74%68%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A'