<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<feed xmlns="http://www.w3.org/2005/Atom">

	<title>Planet SecuraBit</title>
	<link rel="self" href="http://www.packetsense.net/~securabit/atom.xml"/>
	<link href="http://www.packetsense.net/~securabit/"/>
	<id>http://www.packetsense.net/~securabit/atom.xml</id>
	<updated>2010-07-30T10:00:04+00:00</updated>
	<generator uri="http://www.planetplanet.org/">Planet/2.0 +http://www.planetplanet.org</generator>

	<entry>
		<title type="html">HacKid Conference</title>
		<link href="http://securitybraindump.blogspot.com/2010/06/hackid-conference.html"/>
		<id>tag:blogger.com,1999:blog-7055243034201530750.post-917088293415482273</id>
		<updated>2010-07-28T10:42:11+00:00</updated>
		<content type="html">&lt;div class=&quot;separator&quot;&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/_KM-Ojgotrpk/TFA_9qzHlKI/AAAAAAAAAFk/NAOXvP37K7g/s1600/hackid.jpg&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;181&quot; src=&quot;http://4.bp.blogspot.com/_KM-Ojgotrpk/TFA_9qzHlKI/AAAAAAAAAFk/NAOXvP37K7g/s200/hackid.jpg&quot; width=&quot;200&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&amp;nbsp;I was at &lt;a href=&quot;http://www.securitybsides.com/BSidesBoston&quot;&gt;SecurityBSides Boston&lt;/a&gt; talking to &lt;a href=&quot;http://www.csoonline.com/article/592818/The_HacKid_Conference_A_kid_friendly_idea_whose_time_has_come&quot;&gt;Bill Brenner&lt;/a&gt; and his two sons about Lego's when &lt;a href=&quot;http://twitter.com/beaker&quot;&gt;Chris Hoff&lt;/a&gt; shared a brilliant idea on twitter. A hacking/security conference for kids and their parents. Soon after &lt;a href=&quot;http://www.hackid.org/&quot;&gt;Hackid&lt;/a&gt; was born and the dates for the first conference were set.&amp;nbsp; &lt;br /&gt;So put aside the weekend of October 9-10, 2010. The first conference will be held at the Microsoft New England Research &amp;amp; Development (NERD) Center in Cambridge, MA. The community driven content is shaping up on the &lt;a href=&quot;http://www.hackid.org/wiki/index.php?title=HacKidContent&quot;&gt;wiki&lt;/a&gt;. The advisory board is sorting through the details now and more information for attendees and volunteers will soon be available. 
It is the hope of the organizers that this will become the template that can be used at other locations and dates.I think I share a lot of others sentiment when I say this is going to rock!&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;img width=&quot;1&quot; height=&quot;1&quot; src=&quot;https://blogger.googleusercontent.com/tracker/7055243034201530750-917088293415482273?l=securitybraindump.blogspot.com&quot; alt=&quot;&quot; /&gt;&lt;/div&gt;</content>
		<author>
			<name>Bugbear</name>
			<email>securitybraindump@gmail.com</email>
			<uri>http://securitybraindump.blogspot.com/</uri>
		</author>
		<source>
			<title type="html">Security Braindump</title>
			<link rel="self" href="http://securitybraindump.blogspot.com/feeds/posts/default"/>
			<id>tag:blogger.com,1999:blog-7055243034201530750</id>
			<updated>2010-07-28T15:00:03+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Book Review: Revised Edition of Dissecting the Hack – The F0rb1dd3n Network</title>
		<link href="http://www.mcgrewsecurity.com/2010/07/27/book-review-revised-edition-of-dissecting-the-hack-the-f0rb1dd3n-network/"/>
		<id>http://www.mcgrewsecurity.com/?p=773</id>
		<updated>2010-07-27T19:48:06+00:00</updated>
		<content type="html">&lt;p&gt;Last year, I reviewed Jayson Street&amp;#8217;s &lt;em&gt;Dissecting The Hack: The F0rb1dd3n Network&lt;/em&gt;, uncovering a massive amount of plagiarism that resulted in the book getting pulled, pending a revision.  Here are the posts that chronicle those events:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://www.mcgrewsecurity.com/2009/10/12/book-review-dissecting-the-hack-the-f0rb1dd3n-network/&quot; href=&quot;http://www.mcgrewsecurity.com/2009/10/12/book-review-dissecting-the-hack-the-f0rb1dd3n-network/&quot; target=&quot;_blank&quot;&gt;The original review&lt;/a&gt; &amp;#8211; &amp;#8230;before I realized the extent of the plagiarism.  To summarize: I enjoyed the book&amp;#8217;s fictional section, despite some flaws.  I had far more complaints with the &amp;#8220;Security Threats Are Real&amp;#8221; (STAR) section, which seemed very disjointed and unfocused.&lt;/li&gt;
&lt;li&gt;&lt;a title=&quot;http://www.mcgrewsecurity.com/2009/10/16/amending-my-f0rb1dd3n-network-review/&quot; href=&quot;http://www.mcgrewsecurity.com/2009/10/16/amending-my-f0rb1dd3n-network-review/&quot; target=&quot;_blank&quot;&gt;Amending My F0rb1dd3n Network Review&lt;/a&gt; &amp;#8211; &amp;#8230;upon a closer look, it became apparent that readers (and reviewers) were misled.  The vast majority of the STAR section (comprising all but 120 pages of the book&amp;#8217;s total of 400) turned out to be plagiarized from various sources (primarily Wikipedia).  I documented it and made this post to warn potential readers.  The authors responded, pointing to the technical editor as the cause.&lt;/li&gt;
&lt;li&gt;&lt;a title=&quot;Permanent Link to Syngress Response to Plagiarism in Dissecting the Hack: The F0rb1dd3n Network&quot; rel=&quot;bookmark&quot; href=&quot;http://www.mcgrewsecurity.com/2009/10/22/syngress-response-to-plagiarism-in-dissecting-the-hack-the-f0rb1dd3n-network/&quot;&gt;Syngress Response to Plagiarism in Dissecting the Hack: The F0rb1dd3n Network&lt;/a&gt; &amp;#8211; Syngress released a statement confirming the authors&amp;#8217; take on what happened, and announced that there would be a revised release of the book.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;On July 15th, a revised edition was released, and I requested a review copy so that I could see what had changed, and provide this new review.&lt;/p&gt;
&lt;h3&gt;What do you get?&lt;/h3&gt;
&lt;p&gt;The book has the same basic appearance as the previous version, with the addition of a third author, Brian Baskin, on the cover.  On the title page, Marcus Carey is added (in a smaller font) as an author, and Dustin D. Trammell is listed as the new technical editor.  Apart from &amp;#8220;Revised Edition&amp;#8221;, there is no discussion or acknowledgment of the book&amp;#8217;s past.&lt;/p&gt;
&lt;p&gt;The book has gone on a bit of a diet, losing roughly 70 pages.  This is a good thing, however, as the old STAR section was mostly irrelevant filler.  The fiction remains, virtually untouched from the previous version, at about 120 of the book&amp;#8217;s 330 pages.  The new STAR section is original content now, which is, of course, a dramatic improvement.&lt;/p&gt;
&lt;h3&gt;The Fiction&lt;/h3&gt;
&lt;p&gt;My comments from my first review mostly stand here.  The fictional &lt;em&gt;F0rb1dd3n Network&lt;/em&gt; story was always an original creation of Jayson and Kent&amp;#8217;s.  I am a big fan of the concept of &amp;#8220;hacker fiction&amp;#8221;, the likes of which you&amp;#8217;ll find in another Syngress series, &lt;em&gt;Stealing the Network&lt;/em&gt;.  I am definitely supportive of any attempts at writing new material in this genre.&lt;/p&gt;
&lt;p&gt;As a story, I enjoyed this section of the book, but found it to be very short.  The plot is very much what one would expect out of a techno-thriller TV show (perhaps an episode of &lt;em&gt;Leverage&lt;/em&gt;) and you get about the same degree of character development.  Unlike the &lt;em&gt;Stealing The Network&lt;/em&gt; series, explanations of the attacks are saved for the STAR section, rather than given in-character in the story.  While I can see that this helps move the story along, I think it makes the fiction seem quite short.  When it ends, you&amp;#8217;re left wondering about some things that probably could have been wrapped up within this story, particularly an incident of &amp;#8220;dark-grey-hat&amp;#8221; hacking the protagonists vow to atone for, but that is never revisited.  It may be something that&amp;#8217;s saved for a sequel, but it reads like the authors simply forgot about it by the end of the story.&lt;/p&gt;
&lt;p&gt;I&amp;#8217;m being critical here, but I really did like the story, as a whole, and I hope that there is an opportunity for the authors to continue it.  If you liked &lt;em&gt;Stealing the Network&lt;/em&gt;, you&amp;#8217;ll definitely enjoy it.  It ranks right up there with the best writing in that series.&lt;/p&gt;
&lt;p&gt;(As an aside, if you want some &lt;em&gt;awesome&lt;/em&gt; hacker fiction, check out Daniel Suarez&amp;#8217; &lt;em&gt;Daemon&lt;/em&gt; and its sequel &lt;em&gt;Freedom(TM)&lt;/em&gt;)&lt;/p&gt;
&lt;p&gt;While one of the selling points of the book is that all of the attacks discussed in the fiction are real and documented in greater detail in STAR, there are some minor quibbles with that.  There are times in the story where it seems as though the authors have hit the limits of their own experience with attacks, on more difficult topics like reverse engineering and exploit development.  In the handful of times this comes up, artistic license is taken, hands are waved, meaningless phrases are thrown around (&amp;#8220;pop the sled on that buffer&amp;#8221;) and the story moves on without one of those STAR references.  Only once does a technical error directly impact the story, and honestly it&amp;#8217;s not something even most security professionals would have caught.  These are small issues, though I would have liked it if some outside help would have been brought in to lend some authenticity to those points and document them in STAR.&lt;/p&gt;
&lt;h3&gt;The &amp;#8220;Security Threats Are Real&amp;#8221; (STAR) section&lt;/h3&gt;
&lt;p&gt;The STAR section is &lt;strong&gt;greatly&lt;/strong&gt; improved.  Gone are the page-chewing screenshots of blogs and descriptions of unrelated tools.  There is a greater focus on describing the attacks that are in the story than in the previous edition.  Overall, it reads as being much more professional.&lt;/p&gt;
&lt;p&gt;It&amp;#8217;s a good first-read for people interested in computer security.  There are some technical issues and organizational issues (some topics don&amp;#8217;t really fit with the phase of attack they&amp;#8217;re classified in), but it&amp;#8217;s good for someone who&amp;#8217;s gauging their potential interest in security.  Experienced readers might be slightly disappointed.  There is a lot of material on hacker culture that is heavily skewed to the authors&amp;#8217; experiences with various events, people, and conferences, which the uninitiated might take as gospel for the entire scene.  I think that a lot of this could have been trimmed down (perhaps placed on the website) to give a more in-depth and complete coverage of the attacks in the fiction section.&lt;/p&gt;
&lt;h3&gt;Should you buy it?&lt;/h3&gt;
&lt;p&gt;I believe that most of the regular readers of this site are the more technical members of the security community: penetration testers, folk who do forensics and incident response.  Readers in these or similar areas who are already &amp;#8220;in&amp;#8221; security will get a fun read out of this book (and it&amp;#8217;s worth it for that, especially if you&amp;#8217;re pining for more &lt;em&gt;Stealing the Network&lt;/em&gt;) but are not likely to pick up any new skills.&lt;/p&gt;
&lt;p&gt;If you&amp;#8217;re new to this stuff, or if you&amp;#8217;re testing the waters to see if security even catches your interest in the first place, this book might be an entertaining way to learn some basic concepts.  You&amp;#8217;ll pick up a few simple skills, and you&amp;#8217;ll have some points at which you can start researching something that interests you.  While I don&amp;#8217;t see this book as keeping the attention of non-technical people that wish to stay non-technical, if you&amp;#8217;re a motivated learner, it&amp;#8217;s a decent place to start.&lt;/p&gt;
&lt;p&gt;Overall:  It&amp;#8217;s a great book for the audience it should be marketed to.  Good work and congratulations to Jayson, Kent, Brian, Marcus, and Dustin Trammell for fixing up the book and seeing it through to the end.&lt;/p&gt;
</content>
		<author>
			<name>Wesley McGrew</name>
			<uri>http://www.mcgrewsecurity.com</uri>
		</author>
		<source>
			<title type="html">McGrew Security Blog</title>
			<link rel="self" href="http://www.mcgrewsecurity.com/feed/"/>
			<id>http://www.mcgrewsecurity.com/feed/</id>
			<updated>2010-07-27T21:00:03+00:00</updated>
		</source>
	</entry>

	<entry>
		<title type="html">Only You Can Prevent Forest Fires - A Smokey The Bear Approach to Security</title>
		<link href="http://securitybraindump.blogspot.com/2009/11/only-you-can-prevent-forest-fires.html"/>
		<id>tag:blogger.com,1999:blog-7055243034201530750.post-5140073993699843145</id>
		<updated>2010-07-27T12:19:48+00:00</updated>
<content type="html">A few weeks back &lt;a href=&quot;http://twitter.com/haxorthematrix&quot;&gt;Larry Pesce&lt;/a&gt; from &lt;a href=&quot;http://www.pauldotcom.com/&quot;&gt;PaulDotCom&lt;/a&gt; posed the following question on Twitter: &lt;br /&gt;&lt;br /&gt;&lt;i&gt;&quot;Hmm. If you had to deploy ONE security technology in your organization, what would it be? What is the risk reduction vs, total effort?&lt;/i&gt;&quot;&lt;br /&gt;&lt;br /&gt;Many people quickly replied. Some answers included: a comprehensive patch management solution (my pick), a Security Information Management (SIM) system, a network-based firewall, an Intrusion Prevention System (IPS), an incident response plan, and my personal favorite, &quot;a very large dog...&quot;. Larry quickly followed up asking what the second technology would be and why.&lt;br /&gt;&lt;br /&gt;I struggled with that question. After all, it is a &quot;no win&quot; situation. A proper incident response plan would certainly be needed but is reactive. Network defenses would be beneficial but do not take into account a mobile workforce. I finally settled on some sort of central system that would facilitate the hardening of the end nodes. The reasoning for my answer is the result of experiences I had early in my information systems career.&lt;br /&gt;&lt;br /&gt;During my time as a desktop support tech, I spent most days putting out fires. The lack of centralized patch management, host-based firewalls, build procedures, and asset management was the source of chaos for the desktop and systems administration teams. Worm outbreaks, improper configuration, and end users running with local administrator rights were the norm, not the exception. Consequently, the team was too busy chasing its tail to be proactive. 
Those experiences resonated heavily with me, and ever since I have insisted on being proactive whenever possible.&lt;br /&gt;&lt;br /&gt;Would proper incident response or a SIM solution have helped my former employer? Maybe. Incident response procedures and SIMs are important parts of any defense infrastructure, but they are reactive, not preventative. Consequently, I would certainly place them in my top five, but only after implementing the basics of defense.&lt;br /&gt;&lt;br /&gt;While Larry's hypothetical situation is enough to give any security practitioner nightmares, I found it to be a great source of self-reflection. Larry discusses the replies in more detail during &lt;a href=&quot;http://pauldotcom.com/wiki/index.php/Episode172&quot;&gt;Episode 172 of PaulDotCom Security Weekly&lt;/a&gt;, so check it out when you get a chance. I'm interested to know what you would choose and how fast you would update your resume if you found yourself in the same situation.</content>
		<author>
			<name>Bugbear</name>
			<email>securitybraindump@gmail.com</email>
			<uri>http://securitybraindump.blogspot.com/</uri>
		</author>
		<source>
			<title type="html">Security Braindump</title>
			<link rel="self" href="http://securitybraindump.blogspot.com/feeds/posts/default"/>
			<id>tag:blogger.com,1999:blog-7055243034201530750</id>
			<updated>2010-07-28T15:00:03+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Pcapline.py and the Ann’s Aurora network forensics challenge</title>
		<link href="http://www.mcgrewsecurity.com/2010/07/09/pcapline-py-and-the-anns-aurora-network-forensics-challenge/"/>
		<id>http://www.mcgrewsecurity.com/?p=768</id>
		<updated>2010-07-09T20:12:37+00:00</updated>
		<content type="html">&lt;p&gt;The results are in for the sixth Network Forensics Puzzle contest, and I won first place!  You can see my writeup, along with many of the other winner&amp;#8217;s entries, at the forensicscontest.com blog:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://forensicscontest.com/2010/07/09/puzzle-6-winners&quot; href=&quot;http://forensicscontest.com/2010/07/09/puzzle-6-winners&quot; target=&quot;_blank&quot;&gt;Puzzle 6 Winners&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Big thanks to everyone who put this contest together, as well as the prize sponsors for making it well worth my time to put in an entry.&lt;/p&gt;
&lt;p&gt;I wrote a tool for my entry, pcapline.py, which generates an HTML report for a pcap file that an investigator can use to navigate around the various conversations and inspect the data being sent back and forth.  Here are some of the features I describe in &lt;a title=&quot;http://forensicscontest.com/contest06/Finalists/Wesley_McGrew/narrative.txt&quot; href=&quot;http://forensicscontest.com/contest06/Finalists/Wesley_McGrew/narrative.txt&quot; target=&quot;_blank&quot;&gt;my writeup&lt;/a&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;HTML reports that allow for easy navigation/importing into a larger report&lt;/li&gt;
&lt;li&gt;Generates a summary of flows between hosts on the network&lt;/li&gt;
&lt;li&gt;Flows are broken up by segments representing parts of the conversation&lt;/li&gt;
&lt;li&gt;Segments are dissected, carved, hashed.  Currently, Pcapline supports HTTP GET requests and responses and the malware file transfers seen in challenge #6&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;While pcapline is developed and tuned for answering the questions from this challenge, it&amp;#8217;s still a very useful starting point for examining other packet data as well.  You can view the report generated by pcapline here:&lt;/p&gt;
&lt;p&gt;(&lt;strong&gt;NOTE&lt;/strong&gt;: Files and data are carved out that some signature-based IPS will detect as being malicious.  I observed this on one computer where Sophos blocked access to this site on that computer after clicking the wrong link in this report.  You&amp;#8217;re not likely in any danger, as pcapline renames things in such a way that they shouldn&amp;#8217;t be executed or viewed in their native formats, but do take care)&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://mcgrewsecurity.com/codedump/evidence06.pcap_output/&quot; href=&quot;http://mcgrewsecurity.com/codedump/evidence06.pcap_output/&quot; target=&quot;_blank&quot;&gt;Sample Report&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Here&amp;#8217;s the script itself.  It&amp;#8217;s a slightly newer version than the one on forensicscontest.com.  I fixed a couple of places where it was generating terrible HTML that non-Firefox browsers choked on.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;/codedump/pcapline.py&quot; href=&quot;http://www.mcgrewsecurity.com/codedump/pcapline.py&quot; target=&quot;_blank&quot;&gt;pcapline.py&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Enjoy!&lt;/p&gt;</content>
		<author>
			<name>Wesley McGrew</name>
			<uri>http://www.mcgrewsecurity.com</uri>
		</author>
		<source>
			<title type="html">McGrew Security Blog</title>
			<link rel="self" href="http://www.mcgrewsecurity.com/feed/"/>
			<id>http://www.mcgrewsecurity.com/feed/</id>
			<updated>2010-07-27T21:00:03+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Attrition.org on The Art of War</title>
		<link href="http://www.mcgrewsecurity.com/2010/07/02/attrition-org-on-the-art-of-war/"/>
		<id>http://www.mcgrewsecurity.com/?p=763</id>
		<updated>2010-07-03T01:41:07+00:00</updated>
		<content type="html">&lt;p&gt;I really enjoy reading non-infosec books, audiobooks, articles and the like, consuming them with a mental exercise: finding out what lessons could be learned and applied to security.  My specific interests are in forensics, penetration testing, vulnerability analysis, exploit development, and profiling attackers.  Currently, as an occasional escape from technical material, I&amp;#8217;m looking at some of Paul Ekman&amp;#8217;s books on deception, with an eye for how it applies to topics like social engineering engagements, and even interactions with others in the infosec community.  Even with the controversy surrounding the research, there are some lessons to be learned, tricks to pick up, and things to think about.&lt;/p&gt;
&lt;p&gt;As much as infosec professionals quote Sun Tzu&amp;#8217;s The Art of War, I thought that I ought to check it out.  I downloaded a translation of it onto my iPod Touch and read through it in my spare time.  I felt as though I must have missed something, as I really didn&amp;#8217;t see how most of it applied to security in anything more than a superficial way.&lt;/p&gt;
&lt;p&gt;Now, at least I know that if I missed something, &lt;a title=&quot;http://attrition.org/security/rants/fsck_sun_tzu/&quot; href=&quot;http://attrition.org/security/rants/fsck_sun_tzu/&quot; target=&quot;_blank&quot;&gt;attrition.org missed it too&lt;/a&gt;.  They&amp;#8217;ve posted a very well-reasoned analysis of the use of Sun Tzu&amp;#8217;s work in infosec, pointing out all the places that it really doesn&amp;#8217;t make sense.  Many of these are sticking points I also had when I tried to make the connection myself.  I especially agree with a fundamental point that the Attrition.org folk make: Defenders in infosec are strictly defenders, with their hands tied behind their backs when it comes to attacking the other side.  This is kind of a buzzkill for much of Tzu&amp;#8217;s advice.&lt;/p&gt;
&lt;p&gt;As with most Attrition.org articles, they pull no punches and call out people specifically.  This makes some readers uncomfortable, though I do think that it&amp;#8217;s a fair and honest assessment.  Give it a shot if you&amp;#8217;re looking for a good (and very different) read.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://attrition.org/security/rants/fsck_sun_tzu/&quot; href=&quot;http://attrition.org/security/rants/fsck_sun_tzu/&quot; target=&quot;_blank&quot;&gt;Attrition.org : InfoSec, Sun Tzu, and the Art of Whore&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;(Disclaimer: I have cooperated with the attrition.org guys on a couple of their writeups (though nothing compared to their original research), and I am pretty partial towards them and many of their views.  I just hope that if I ever stray into the danger zone of their &amp;#8220;charlatan&amp;#8221; list that I&amp;#8217;ll have earned some kind of warning first ;) )&lt;/p&gt;</content>
		<author>
			<name>Wesley McGrew</name>
			<uri>http://www.mcgrewsecurity.com</uri>
		</author>
		<source>
			<title type="html">McGrew Security Blog</title>
			<link rel="self" href="http://www.mcgrewsecurity.com/feed/"/>
			<id>http://www.mcgrewsecurity.com/feed/</id>
			<updated>2010-07-27T21:00:03+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Bookmarks for June 26th through June 30th</title>
		<link href="http://edsmiley.com/?p=436"/>
		<id>http://edsmiley.com/?p=436</id>
		<updated>2010-07-01T03:00:06+00:00</updated>
		<content type="html">&lt;p&gt;These are my links for June 26th through June 30th:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://blog.c22.cc/2010/06/20/uatester-alpha/&quot;&gt;UATester Alpha&lt;/a&gt; &amp;#8211; A number of high-profile sites (twitter, facebook, google, and even Microsoft) offer mobile versions of their sites and functionality. Normally this wouldn&amp;rsquo;t be something you&amp;rsquo;d care about, but as a penetration tester or security researcher, you need to make sure you&amp;rsquo;re covering all the bases and getting full coverage when looking at web applications.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://holisticinfosec.blogspot.com/2010/06/csrf-flaws-that-pack-punch.html?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed:+Holisticinfosecorg+(HolisticInfoSec.org)&quot;&gt;HolisticInfoSec.org: CSRF flaws that pack a punch&lt;/a&gt; &amp;#8211; &lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://infond.blogspot.com/2010/06/tutorial-sql-injection-lampsecurity-ctf.html&quot;&gt;infond: tutorial SQL injection &amp;#8211; LampSecurity CTF 6&lt;/a&gt; &amp;#8211; &lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://infosecevents.net/&quot;&gt;Infosec Events &amp;#8211; Covering the Information Security Economy&lt;/a&gt; &amp;#8211; &lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://static.chrisbray.com/bookmarklets/#delicious&quot;&gt;Adding Bookmarklets on iPad and iPhone&lt;/a&gt; &amp;#8211; &lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.forensiccontrol.com/fcresources.php&quot;&gt;Forensic Control &amp;#8211; Computer misuse and dispute specialists&lt;/a&gt; &amp;#8211; The table below lists a selection of free software which may be of use to professional computer forensic practitioners. It is the end user&amp;#039;s responsibility to check the licensing agreements of each one before use.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://code.google.com/p/andiparos/&quot;&gt;andiparos &amp;#8211; Project Hosting on Google Code&lt;/a&gt; &amp;#8211; Andiparos is a fork of the famous Paros Proxy. It is an open source web application security assessment tool that gives penetration testers the ability to spider websites, analyze content, intercept and modify requests, etc.&lt;br /&gt;&lt;br /&gt;
The advantage of Andiparos is mainly the support of Client Certificates on Smartcards. Moreover it has several small interface enhancements, making the life easier for penetration testers&amp;#8230;&lt;/li&gt;
&lt;/ul&gt;


</content>
		<author>
			<name>Ed Smiley</name>
			<uri>http://edsmiley.com</uri>
		</author>
		<source>
			<title type="html">Ed Smiley's Blog</title>
			<subtitle type="html">IT and Infosec Security Ramblings</subtitle>
			<link rel="self" href="http://edsmiley.com/?feed=rss2"/>
			<id>http://edsmiley.com/?feed=rss2</id>
			<updated>2010-07-01T03:30:13+00:00</updated>
		</source>
	</entry>

	<entry>
		<title type="html">Firefox Addon-ons FTW!</title>
		<link href="http://securitybraindump.blogspot.com/2010/06/firefox-addon-ons-ftw.html"/>
		<id>tag:blogger.com,1999:blog-7055243034201530750.post-9077309455630387198</id>
		<updated>2010-06-29T23:03:34+00:00</updated>
<content type="html">Just a quick post on passwords saved in the browser. After my &lt;a href=&quot;http://securitybraindump.blogspot.com/2010/06/post-exploitation-pivoting-with-windows.html&quot;&gt;post&lt;/a&gt; on credentials stored in the Windows 7 Vault, I started to think about browser passwords and the risks that lurk there. Chris Gates had a similar &lt;a href=&quot;http://carnal0wnage.blogspot.com/2010/06/firefox-saved-passwords.html&quot;&gt;thought&lt;/a&gt; which he posted about yesterday, and Larry Pesce wrote up a detailed &lt;a href=&quot;http://pauldotcom.com/2009/09/recovering-firefox-passwords-f.html&quot;&gt;analysis&lt;/a&gt; last September. &lt;br /&gt;&lt;br /&gt;I personally disable this feature in Firefox, but a strong master password would certainly be advisable if you do save passwords within Firefox. While I do not use this feature, I do use a lot of Firefox add-ons: Gmail Notifier, Xmarks Bookmarks, and the Echofon Twitter add-on, to name a few. So I naturally turned my attention to those. &lt;br /&gt;&lt;br /&gt;I pondered where these add-ons were storing saved credentials. The answer is in the same place Firefox stores them. What more ironic way to verify this than to use a Firefox add-on (&lt;a href=&quot;https://addons.mozilla.org/en-US/firefox/addon/5817/&quot;&gt;SQLite Manager&lt;/a&gt;) to query the signons.sqlite database.&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/TCqwGT8vgUI/AAAAAAAAAFc/Mcuo-9CpXE0/s1600/ff_logins.png&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;75&quot; src=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/TCqwGT8vgUI/AAAAAAAAAFc/Mcuo-9CpXE0/s400/ff_logins.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;As previously covered by Gates and Pesce, recovering the encrypted passwords is trivial as long as you also have access to the key3.db and there is no master password configured. 
If you are interested in the details of this, I suggest checking out the documentation &lt;a href=&quot;http://kb.mozillazine.org/Password_Manager&quot;&gt;here&lt;/a&gt; and the tool available &lt;a href=&quot;http://wejn.org/stuff/display_ff3_passwords_wejn.html&quot;&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;While this may have been obvious to others, it was not to me. That is one of the many reasons I love this field.</content>
		<author>
			<name>Bugbear</name>
			<email>securitybraindump@gmail.com</email>
			<uri>http://securitybraindump.blogspot.com/</uri>
		</author>
		<source>
			<title type="html">Security Braindump</title>
			<link rel="self" href="http://securitybraindump.blogspot.com/feeds/posts/default"/>
			<id>tag:blogger.com,1999:blog-7055243034201530750</id>
			<updated>2010-07-28T15:00:03+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Bookmarks for June 10th through June 23rd</title>
		<link href="http://edsmiley.com/?p=435"/>
		<id>http://edsmiley.com/?p=435</id>
		<updated>2010-06-23T20:00:24+00:00</updated>
		<content type="html">&lt;p&gt;These are my links for June 10th through June 23rd:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://forensic-software.co.uk/foxanalysis.aspx&quot;&gt;FoxAnalysis &amp;#8211; Firefox 3 Forensics&lt;/a&gt; &amp;#8211; FoxAnalysis is a software tool enabling analysis of internet history data generated using Mozilla Firefox 3. This tool was developed to assist in forensic examinations.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.digininja.org/projects/nexcser.php&quot;&gt;neXCSer &amp;#8211; DigiNinja&lt;/a&gt; &amp;#8211; neXCSer was originally going to be a way to allow multiple auditors to merge their Nessus results into a single file that could then be parsed through by hand or in a spreadsheet to help with further testing or report writing, however once I started writing it I realised that it could help more than that by allowing different sections of the results file to be broken down into their own parts.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.tombom.co.uk/blog/?p=166&quot;&gt;ICCIDs IMSIs and iPads, Oh My! &amp;laquo; Chris Paget&amp;#8217;s Blog&lt;/a&gt; &amp;#8211; A few days ago Apple suffered a security breach &amp;ndash; the ICCIDs and email addresses for 114,000 iPad users were hacked, leading to widespread press coverage and speculation. The general consensus seems to be that the ICCID (being the serial number that&amp;rsquo;s printed onto the SIM card) has no real security consequences to its disclosure, and that the bigger problem is the associated email addresses. The consensus is badly wrong &amp;ndash; here&amp;rsquo;s why.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.cryptolife.org/index.php/Spsa&quot;&gt;Spsa &amp;#8211; Cryptolife&lt;/a&gt; &amp;#8211; Here you can find the Snorby preconfigured security applications; this makes it effortless for anyone to use Snorby, the new and modern Snort IDS front-end. With (SPSA) Snorby Preconfigured Security Applications, it is possible to get Snorby and Snort up and running out of the box within a few minutes. Feedback and info are welcome by email at:&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://uninformed.org/index.cgi?v=10&amp;amp;a=3#SECTION00310000000000000000&quot;&gt;Uninformed &amp;#8211; vol 10 article 3 &amp;#8211; Exploiting Tomorrow&amp;#8217;s Internet Today Penetration Testing with IPv6&lt;/a&gt; &amp;#8211; Exploiting Tomorrow&amp;#039;s Internet Today Penetration Testing with IPv6&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.csoonline.com/article/print/596512&quot;&gt;Social engineering techniques: 4 ways criminal outsiders get inside&lt;/a&gt; &amp;#8211; Your security plan goes from locked down to wide open when a social engineer pulls off these techniques to gain insider access&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.storefrontbacktalk.com/securityfraud/complying-with-visas-july-1-pa-dss-mandate/2/&quot;&gt;StorefrontBacktalk &amp;raquo; Blog Archive &amp;raquo; Complying With Visa&amp;rsquo;s July 1 PA-DSS Mandate&lt;/a&gt; &amp;#8211; PA-DSS applies to third-party applications that store, process or transmit cardholder data as part of the authorization and settlement process. Importantly, this definition includes both standalone applications and payment modules of larger enterprise resource planning (ERP) systems. In all cases, though, you license and host these applications internally.&lt;/li&gt;
&lt;/ul&gt;
</content>
		<author>
			<name>Ed Smiley</name>
			<uri>http://edsmiley.com</uri>
		</author>
		<source>
			<title type="html">Ed Smiley's Blog</title>
			<subtitle type="html">IT and Infosec Security Ramblings</subtitle>
			<link rel="self" href="http://edsmiley.com/?feed=rss2"/>
			<id>http://edsmiley.com/?feed=rss2</id>
			<updated>2010-07-01T03:30:13+00:00</updated>
		</source>
	</entry>

	<entry>
		<title type="html">Post Exploitation Pivoting with the Windows 7 Vault</title>
		<link href="http://securitybraindump.blogspot.com/2010/06/post-exploitation-pivoting-with-windows.html"/>
		<id>tag:blogger.com,1999:blog-7055243034201530750.post-8759930540694322871</id>
		<updated>2010-06-22T20:28:39+00:00</updated>
		<content type="html">I have been poking around with the updated version of Credential Manager in Windows 7, which was commonly referred to as &quot;Stored User Names and Passwords&quot; in previous versions of Windows. Much like its predecessors, the current version of Credential Manager still uses the &lt;a href=&quot;http://msdn.microsoft.com/en-us/library/Aa302353&quot;&gt;Data Protection API (DPAPI)&lt;/a&gt;, but Windows 7 now stores saved credentials within the &lt;a href=&quot;http://www.neowin.net/news/main/09/03/07/windows-7-exploring-credential-manager-and-windows-vault&quot;&gt;Windows Vault&lt;/a&gt;. Such credentials can include user names and passwords used to log on to network shares, websites that use Windows Integrated Authentication, Terminal Services, and many third-party applications such as Google Talk.&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://3.bp.blogspot.com/_KM-Ojgotrpk/TBpL36afptI/AAAAAAAAAFU/00rRx_nEMBM/s1600/cred_mgr_capture.png&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;312&quot; src=&quot;http://3.bp.blogspot.com/_KM-Ojgotrpk/TBpL36afptI/AAAAAAAAAFU/00rRx_nEMBM/s400/cred_mgr_capture.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Credential Manager and DPAPI have been under scrutiny in the past. Cain &amp;amp; Abel has had a &lt;a href=&quot;http://www.oxid.it/ca_um/topics/credential_manager_password_decoder.htm&quot;&gt;decoder&lt;/a&gt; for some time. More recently, researchers from Stanford University presented at &lt;a href=&quot;http://www.blackhat.com/presentations/bh-dc-10/Picod_Jean-Michel/BlackHat-DC-2010-Picod-DPAPI-slides.pdf&quot;&gt;Black Hat DC 2010&lt;/a&gt; on their &lt;a href=&quot;http://www.dpapick.com/index.php?p=home&quot;&gt;DPAPI research&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;While breaking the crypto associated with this feature might be useful (e.g. if credentials are re-used elsewhere), it is not always necessary. The purpose of Credential Manager is to pass saved credentials to resources commonly accessed by the user. Once you have gained access to a host as the unprivileged user (take your pick of code execution bugs; Adobe PDFs seem to be popular these days), you can certainly leverage this feature to pivot to resources referenced within the Windows Vault. Keeping a low forensic profile would be preferred, so I attempted to find existing command-line tools that were already available on the host. After poking at Windows 7 for a while, I found an undocumented utility called vaultcmd.exe in the System32 folder that appeared useful. The following is the output of the supported switches for vaultcmd:&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/TBfPMqFVmII/AAAAAAAAAEk/v-6H3MOfxCk/s1600/vaultcmd_help.png&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;230&quot; src=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/TBfPMqFVmII/AAAAAAAAAEk/v-6H3MOfxCk/s400/vaultcmd_help.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The /list switch allows us to view all Windows Vaults available on the host for the currently authenticated user.&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://3.bp.blogspot.com/_KM-Ojgotrpk/TBfPcDXVpEI/AAAAAAAAAEs/V8DMrH7sARY/s1600/vaultcmd_list.png&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;230&quot; src=&quot;http://3.bp.blogspot.com/_KM-Ojgotrpk/TBfPcDXVpEI/AAAAAAAAAEs/V8DMrH7sARY/s400/vaultcmd_list.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;It appears that in this example the two default Vaults are the only ones that exist on this host. Also note that since the user is already authenticated, the vaults are in an unlocked state. Running the /listproperties switch against each vault lists some more details, including the number of credentials saved in each location.&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/_KM-Ojgotrpk/TBfP_JRWa2I/AAAAAAAAAE0/qEuvoF11-Qw/s1600/vaultcmd_listproperties.png&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;230&quot; src=&quot;http://4.bp.blogspot.com/_KM-Ojgotrpk/TBfP_JRWa2I/AAAAAAAAAE0/qEuvoF11-Qw/s400/vaultcmd_listproperties.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Finally, the /listcreds switch gives us our newly found targets.&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://2.bp.blogspot.com/_KM-Ojgotrpk/TBfQ75ml_6I/AAAAAAAAAE8/w8anmy_KiTo/s1600/vaultcmd_listcreds.PNG&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;230&quot; src=&quot;http://2.bp.blogspot.com/_KM-Ojgotrpk/TBfQ75ml_6I/AAAAAAAAAE8/w8anmy_KiTo/s400/vaultcmd_listcreds.PNG&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;It appears our unprivileged user has stored domain administrator credentials for two domain controllers. While this is certainly more secure than running as domain administrator locally, DPAPI adds no additional protection in this scenario, since local access to the host has already been gained. Now that we have completed our reconnaissance, we can pivot and access the servers simply by using the installed tools at our disposal. In the following example, I use psexec and the SET command to verify that I have domain administrator access to DC-01 without having to specify a user name and password.&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://3.bp.blogspot.com/_KM-Ojgotrpk/TBfSO15i7BI/AAAAAAAAAFE/jaIihusQI1I/s1600/remotecmd_usingsavedcreds.png&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;230&quot; src=&quot;http://3.bp.blogspot.com/_KM-Ojgotrpk/TBfSO15i7BI/AAAAAAAAAFE/jaIihusQI1I/s400/remotecmd_usingsavedcreds.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;I was also able to access the domain controller's admin shares via the NET USE command using the stored credentials within the Windows Vault.&lt;br /&gt;&lt;blockquote&gt;net use P: \\dc-01\C$&lt;/blockquote&gt;In addition, since the Windows Server Administrator tools were also already installed on the host, I verified that the Windows Vault was passing these credentials to Active Directory Users and Computers and the Remote Desktops Client.&lt;br /&gt;&lt;br /&gt;I attempted to change some of the default settings for the vault using the /setproperties switch. For example, it appears that vaultcmd has the ability to set a password on a vault:&lt;br /&gt;&lt;blockquote&gt;vaultcmd /setproperties:&quot;Windows Vault&quot; /set:AddProtection /value:Password&lt;br /&gt;vaultcmd /setproperties:&quot;Windows Vault&quot; /set:DefaultProtection /value:Password&lt;/blockquote&gt;But every attempt I made was met with the error &quot;The request is not supported.&quot; So I would be interested to see if anyone can find additional documentation on this utility or the Windows Vault. I have not been successful in finding anything to date.&lt;br /&gt;&lt;br /&gt;Some have suggested that any password management tool that hooks into the browser or operating system is more of a risk than a stand-alone application that requires additional authentication mechanisms. While I generally agree with this, the emerging capabilities of attack and forensic tools that acquire volatile memory from a host (and consequently decrypted credentials) only require a bit more patience. Of course, such tools must be loaded on the compromised host, increasing the forensic footprint the intruder leaves behind.&lt;br /&gt;&lt;br /&gt;Happy Hunting!</content>
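The vault enumeration walked through in the post, turned into a defender-side audit as an added Python example (this is not the author's code): it parses vaultcmd /listcreds output and flags stored credentials whose identity matches a privileged-account pattern, so workstations holding cached domain-admin credentials can be found before an intruder does. The sample output, the CORP\Administrator identity and the name patterns are constructed for this example; only the DC-01/DC-02 targets come from the post.

```python
"""Audit parser for `vaultcmd /listcreds` output (added example, not the post's code).

The post reads a user's Windows Vault by hand with vaultcmd /list,
/listproperties and /listcreds and finds domain administrator credentials
saved on an unprivileged user's workstation. This script turns that manual
check into an audit: parse the /listcreds output, flag any stored credential
whose identity looks like a privileged account.

Assumptions (not from the post): the "Key: Value" record layout below is a
constructed sample in the shape vaultcmd prints; the privileged-name pattern
is illustrative and should match your own naming convention.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample, modelled on the post's screenshots. The vault name and
# the dc-01/dc-02 targets are from the post; the identities are made up.
SAMPLE_LISTCREDS = """\
Credentials in vault: Windows Credentials

Credential schema: Windows Domain Password Credential
Resource: Domain:target=dc-01
Identity: CORP\\Administrator
Hidden: No
Saved By: Credential Manager

Credential schema: Windows Domain Password Credential
Resource: Domain:target=dc-02
Identity: CORP\\Administrator
Hidden: No
Saved By: Credential Manager

Credential schema: Generic Credential
Resource: GoogleTalk:user@example.com
Identity: user@example.com
Hidden: No
Saved By: Credential Manager
"""

# Illustrative pattern (assumption): the built-in Administrator account or a
# "-da" / "_adm" / "-admin" suffixed account, with or without a DOMAIN\ prefix.
PRIVILEGED_PATTERN = re.compile(
    r"(^|\\)(administrator|[^\\]+[-_](da|adm|admin))$", re.IGNORECASE)


@dataclass
class StoredCredential:
    schema: str
    resource: str
    identity: str

    def is_privileged(self) -> bool:
        return PRIVILEGED_PATTERN.search(self.identity) is not None


def parse_listcreds(text: str) -> list[StoredCredential]:
    """Split vaultcmd output into records: a record starts at a
    'Credential schema:' line and ends at the next blank line."""
    creds = []
    fields = {}
    for line in text.splitlines() + [""]:   # sentinel flushes the last record
        if not line.strip():
            if "Credential schema" in fields:
                creds.append(StoredCredential(
                    schema=fields["Credential schema"],
                    resource=fields.get("Resource", ""),
                    identity=fields.get("Identity", "")))
            fields = {}
            continue
        key, sep, value = line.partition(":")  # split at the FIRST colon only:
        if sep:                                 # "Domain:target=dc-01" keeps its colon
            fields[key.strip()] = value.strip()
    return creds


def flag_privileged(text: str) -> list[StoredCredential]:
    """Return the stored credentials that look like privileged accounts."""
    return [c for c in parse_listcreds(text) if c.is_privileged()]


def audit_local_vault(vault: str = "Windows Credentials") -> list[StoredCredential]:
    """Run vaultcmd on the current Windows 7+ host for the logged-on user."""
    out = subprocess.run(["vaultcmd", "/listcreds:" + vault],
                         capture_output=True, text=True, check=False).stdout
    return flag_privileged(out)


if __name__ == "__main__":
    for cred in flag_privileged(SAMPLE_LISTCREDS):
        print("PRIVILEGED: %s -> %s (%s)" % (cred.identity, cred.resource, cred.schema))
```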
		<author>
			<name>Bugbear</name>
			<email>securitybraindump@gmail.com</email>
			<uri>http://securitybraindump.blogspot.com/</uri>
		</author>
		<source>
			<title type="html">Security Braindump</title>
			<link rel="self" href="http://securitybraindump.blogspot.com/feeds/posts/default"/>
			<id>tag:blogger.com,1999:blog-7055243034201530750</id>
			<updated>2010-07-28T15:00:03+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Flag Question From My Dad</title>
		<link href="http://www.chrisam.net/blog/2010/06/11/flag-question-from-my-dad/"/>
		<id>http://www.chrisam.net/blog/?p=125</id>
		<updated>2010-06-11T01:00:51+00:00</updated>
		<content type="html">&lt;p&gt;My Dad wrote an email asking the following:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;Dear Folks,&lt;/p&gt;
&lt;p&gt;Does anyone know the position of a second flag on a common halyard?&lt;br /&gt;
I fly the US flag on top and the POW MIA flag beneath.&lt;br /&gt;
A few years back, I wrote a letter to the Flag Code organization in Pittsburgh and did not get an answer.&lt;br /&gt;
I have heard various comments relative to that positioning. I can not find it in my code booklet.&lt;br /&gt;
I heard originally that it should be a flag height break between flags. I also heard that the flag below the US flag should not be touched by the hanging US flag. I cannot find anything in print with either of those comments.&lt;br /&gt;
I was also told that you were not to fly any other flag with the US flag. I know that is bogus according to the flag code. All I could find in the code is that the US flag flies on the top. It just does not seem to specify details of separation. That is what I am looking for!&lt;/p&gt;&lt;/blockquote&gt;</content>
		<author>
			<name>Christopher Mills</name>
			<uri>http://www.chrisam.net/blog</uri>
		</author>
		<source>
			<title type="html">Christopher Mills</title>
			<subtitle type="html">A place for stuff I write.</subtitle>
			<link rel="self" href="http://www.packetsense.net/blog/feed/"/>
			<id>http://www.packetsense.net/blog/feed/</id>
			<updated>2010-06-11T01:30:15+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Bookmarks for May 28th through June 9th</title>
		<link href="http://edsmiley.com/?p=434"/>
		<id>http://edsmiley.com/?p=434</id>
		<updated>2010-06-09T20:00:14+00:00</updated>
		<content type="html">&lt;p&gt;These are my links for May 28th through June 9th:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://tacticalwebappsec.blogspot.com/2010/06/zone-h-defacement-statistics-report-for.html&quot;&gt;Tactical Web Application Security: Zone-H Defacement Statistics Report for Q1 2010&lt;/a&gt; &amp;#8211; Web defacements are a serious problem and are a critical barometer for estimating exploitable vulnerabilities in websites. Unfortunately, most people focus too much on the impact or outcome of these attacks (the defacement) rather than the fact that their web applications are vulnerable to this level of exploitation. People are forgetting the standard Risk equation:&lt;br /&gt;&lt;br /&gt;RISK = THREAT x VULNERABILITY x IMPACT&lt;br /&gt;&lt;br /&gt;The resulting risk of a web defacement might be low because the impact may not be deemed a high enough severity for particular organizations. What most people are missing, however, is that the threat and vulnerability components of the equation still exist. What happens if the defacers decided not simply to alter some homepage content and instead decided to do something more damaging, such as adding malicious code to infect clients?&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://sourceforge.net/projects/defraser/&quot;&gt;NFI Defraser | Download NFI Defraser software for free at SourceForge.net&lt;/a&gt; &amp;#8211; Defraser is a forensic analysis application that can be used to detect full and partial multimedia files in datastreams. It is typically used to find (and restore) complete or partial audio/video files in datastreams (for instance, unallocated diskspace)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://pentest.cryptocity.net/careers&quot;&gt;Penetration Testing and Vulnerability Analysis &amp;#8211; Careers &amp;#8211; Information Security Careers&amp;nbsp;Cheatsheet&lt;/a&gt; &amp;#8211; These are my views on careers in information security, based on the experience I've had; your mileage may vary. The information below will be most appropriate if you live in New York City, you're interested in application security, pentesting, or reversing, and you are early on in your career in information security.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://blogs.sans.org/computer-forensics/2010/06/04/wmic-draft/&quot;&gt;WMIC for incident response&lt;/a&gt; &amp;#8211; Earlier this week, I posted about using psexec during incident response. I mentioned at the end of that post that I&amp;rsquo;ve been using WMIC in place of psexec and that I&amp;rsquo;d have more on that later. This post is a follow-up to the psexec post.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://thedigitalstandard.blogspot.com/2010/05/crack-lacka.html&quot;&gt;The Digital Standard: Crack-a-Lacka&lt;/a&gt; &amp;#8211; OK&amp;hellip;so you may have heard that it&amp;rsquo;s pretty easy to crack SAM hives using tools like Cain &amp;amp; Abel or Ophcrack, but you have never done it before, you don&amp;rsquo;t know where to start looking, and you feel like a dolt. No worries my friend, I am here to help.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://addons.mozilla.org/en-US/firefox/addon/46698/&quot;&gt;Groundspeed :: Add-ons for Firefox&lt;/a&gt; &amp;#8211; Groundspeed is an add-on that allows security testers to manipulate the application user interface to eliminate annoying limitations and client-side controls that interfere with the web application penetration tests.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://blog.sipvicious.org/2010/05/new-tool-in-works-tftptheft.html&quot;&gt;SIPVicious: New tool in the works: TFTPTheft&lt;/a&gt; &amp;#8211; Most sysadmins just love the idea of switching on a box that just works automatically. In the case of IP phones that is typically possible by setting up the right DHCP config and a TFTP server hosting firmware and configuration.&lt;/li&gt;
&lt;/ul&gt;
</content>
		<author>
			<name>Ed Smiley</name>
			<uri>http://edsmiley.com</uri>
		</author>
		<source>
			<title type="html">Ed Smiley's Blog</title>
			<subtitle type="html">IT and Infosec Security Ramblings</subtitle>
			<link rel="self" href="http://edsmiley.com/?feed=rss2"/>
			<id>http://edsmiley.com/?feed=rss2</id>
			<updated>2010-07-01T03:30:13+00:00</updated>
		</source>
	</entry>

	<entry>
		<title type="html">Forensics Analysis: Windows Shadow Copies</title>
		<link href="http://securitybraindump.blogspot.com/2010/06/forensics-analysis-windows-shadow.html"/>
		<id>tag:blogger.com,1999:blog-7055243034201530750.post-8843724655148719110</id>
		<updated>2010-06-09T11:11:15+00:00</updated>
		<content type="html">Microsoft Windows Vista and 7 include the Volume Shadow Copy Service (VSS), which is leveraged by the System Restore and Windows Backup features of the operating system. By default, this service is turned on, and the number of backups stored depends on the disk size and settings. There is a potential wealth of forensic evidence available within Shadow Copies, and even though I am not the first to write about leveraging Shadow Copies for forensic purposes, I thought it was worth writing a quick post here.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://technet.microsoft.com/en-us/library/cc754968%28WS.10%29.aspx&quot;&gt;Vssadmin&lt;/a&gt; is a command-line tool that can be used to display the current VSS backups. To do so, use the syntax:&lt;br /&gt;&lt;blockquote&gt;&lt;b&gt;&lt;i&gt;vssadmin list shadows /for=c:&lt;/i&gt;&lt;/b&gt; (where c: is the volume you're working with).&lt;/blockquote&gt;Here is an example of the output:&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/TA1QxV-IqwI/AAAAAAAAADg/h0SUpRXUXmU/s1600/vssadmin_list_shadows.PNG&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;160&quot; src=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/TA1QxV-IqwI/AAAAAAAAADg/h0SUpRXUXmU/s400/vssadmin_list_shadows.PNG&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Make sure to note the Shadow Copy Volume you want to analyze and use it with &lt;a href=&quot;http://technet.microsoft.com/en-us/library/cc753194%28WS.10%29.aspx&quot;&gt;Mklink&lt;/a&gt; to create a symbolic link to the backup. For example:&lt;br /&gt;&lt;blockquote&gt;&lt;b&gt;&lt;i&gt;mklink /d C:\shadow_copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\&lt;/i&gt;&lt;/b&gt; (note the trailing backslash; it is required).&lt;/blockquote&gt;Once created, you can browse the symbolic link as you would any folder and restore files of interest by copying them out.&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/_KM-Ojgotrpk/TA1Q4MfA_tI/AAAAAAAAADo/dv8POL0bySk/s1600/browse_symbolic_link.PNG&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;180&quot; src=&quot;http://4.bp.blogspot.com/_KM-Ojgotrpk/TA1Q4MfA_tI/AAAAAAAAADo/dv8POL0bySk/s400/browse_symbolic_link.PNG&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Happy Hunting.&lt;br /&gt;&lt;br /&gt;References:&lt;br /&gt;&lt;a href=&quot;http://blogs.msdn.com/b/adioltean/archive/2008/02/28/a-simple-way-to-access-shadow-copies-in-vista.aspx&quot;&gt;MSDN Blog: A Simple Way to Access Shadow Copies in Vista&lt;/a&gt;</content>
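The two-step procedure in the post (read the Shadow Copy Volume from vssadmin, then mklink /d to it with the trailing backslash) as an added Python example that is not the author's code: it parses vssadmin list shadows output for every snapshot, keeps each one's creation time, and emits the mklink lines, so the whole snapshot history can be mounted for triage in one go. The sample output is constructed in the layout vssadmin prints on Vista/7 (US date format assumed); the GUIDs, dates and host name are made up.

```python
"""Turn `vssadmin list shadows` output into mklink commands (added example,
not the post's code).

Assumptions: the sample below is constructed in the layout vssadmin prints on
Vista/7 with a US locale ("6/3/2010 9:43:00 AM"); adjust DATE_FORMAT for other
locales. Creating the links on a live host needs an elevated prompt.
"""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime

DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample: two snapshots of the same C: volume, taken four days apart.
SAMPLE_VSSADMIN = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 6/3/2010 9:43:00 AM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: win7-lab
         Service Machine: win7-lab
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 6/7/2010 2:15:11 PM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: win7-lab
         Service Machine: win7-lab
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


@dataclass
class ShadowCopy:
    created: datetime
    device: str            # the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path
    original_volume: str
    number: int            # the N in HarddiskVolumeShadowCopyN


def parse_vssadmin(text: str) -> list[ShadowCopy]:
    """Walk the output top to bottom; the creation time line precedes the
    'Shadow Copy Volume' line of every snapshot in its set."""
    copies = []
    created = original = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contained"):
            created = datetime.strptime(
                line.split("creation time:", 1)[1].strip(), DATE_FORMAT)
        elif line.startswith("Original Volume:"):
            original = line.split(":", 1)[1].strip()
        elif line.startswith("Shadow Copy Volume:"):
            device = line.split(":", 1)[1].strip()
            m = re.search(r"HarddiskVolumeShadowCopy(\d+)$", device)
            copies.append(ShadowCopy(created, device, original, int(m.group(1))))
    return sorted(copies, key=lambda c: c.created)   # oldest snapshot first


def mklink_commands(copies: list[ShadowCopy], mount_root: str = "C:\\shadow") -> list[str]:
    """One mklink /d per snapshot, link name carrying the snapshot number and
    creation time. The trailing backslash on the device path is required
    (the post's caveat), so it is appended explicitly."""
    return [
        "mklink /d %s_%d_%s %s\\" % (mount_root, c.number,
                                     c.created.strftime("%Y%m%d_%H%M%S"), c.device)
        for c in copies
    ]


def mount_all(copies: list[ShadowCopy], mount_root: str = "C:\\shadow") -> None:
    """Create the links on a live Windows host (mklink is a cmd builtin)."""
    for cmd in mklink_commands(copies, mount_root):
        subprocess.run("cmd /c " + cmd, check=False)


if __name__ == "__main__":
    for cmd in mklink_commands(parse_vssadmin(SAMPLE_VSSADMIN)):
        print(cmd)
```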
		<author>
			<name>Bugbear</name>
			<email>securitybraindump@gmail.com</email>
			<uri>http://securitybraindump.blogspot.com/</uri>
		</author>
		<source>
			<title type="html">Security Braindump</title>
			<link rel="self" href="http://securitybraindump.blogspot.com/feeds/posts/default"/>
			<id>tag:blogger.com,1999:blog-7055243034201530750</id>
			<updated>2010-07-28T15:00:03+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Reversing an Electronik Tribulation Army PHP IRC Bot</title>
		<link href="http://www.mcgrewsecurity.com/2010/06/05/reversing-an-electronik-tribulation-army-php-irc-bot/"/>
		<id>http://www.mcgrewsecurity.com/?p=755</id>
		<updated>2010-06-05T16:17:42+00:00</updated>
		<content type="html">&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;I was contacted a few days ago by a person who had knowledge of a small &lt;a title=&quot;http://electroniktribulationarmy.com/&quot; href=&quot;http://electroniktribulationarmy.com/&quot; target=&quot;_blank&quot;&gt;Electronik Tribulation Army&lt;/a&gt; botnet.  You might remember these guys as being GhostExodus&amp;#8217; old group.  The contact sent me the source code of a PHP bot that connects to an IRC command &amp;amp; control.  The source was obfuscated using the &lt;a title=&quot;http://www.fopo.com.ar/&quot; href=&quot;http://www.fopo.com.ar/&quot; target=&quot;_blank&quot;&gt;Free Online PHP Obfuscator&lt;/a&gt;.  To find the C&amp;amp;C server, I went through a process of stripping away the obfuscator&amp;#8217;s layers of encoding, which I&amp;#8217;m documenting here.  This information might be useful if you&amp;#8217;re doing similar reverse-engineering work on this PHP obfuscator (or others).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Note: &lt;/strong&gt;At each stage, I have stripped the &amp;#8220;&amp;lt;?php&amp;#8221; tags to prevent the code from running accidentally.  If you are following along, you&amp;#8217;ll need to re-insert them (and preferably do so within a sandbox environment).&lt;/p&gt;
&lt;h3&gt;Stage 1&lt;/h3&gt;
&lt;p&gt;Here&amp;#8217;s the original chunk of code:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://mcgrewsecurity.com/codedump/php_reverse/original.txt&quot; href=&quot;http://mcgrewsecurity.com/codedump/php_reverse/original.txt&quot; target=&quot;_blank&quot;&gt;original.txt&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;On the first line, a variable is being set to a string that&amp;#8217;s represented by a mix of hexadecimal (&amp;#8216;\x&amp;#8217;) and octal (&amp;#8216;\&amp;#8217;) escape sequences.  This obfuscator makes extensive use of this technique. Python uses the same escapes as PHP for hex and octal, so it&amp;#8217;s easy to use my always-open Python shell to see a &amp;#8220;normalized&amp;#8221; ASCII representation of these strings:&lt;/p&gt;
&lt;pre&gt;&amp;gt;&amp;gt;&amp;gt; &quot;\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65&quot;
'base64_decode'&lt;/pre&gt;
&lt;p&gt;PHP allows strings to be used as function names with a very easy syntax, so the variable $v539ded4bc2c gets set to &amp;#8220;base64_decode&amp;#8221;, which is then called with a large string of base64-encoded code.  The decoded string of code then gets passed to eval() to execute.  We&amp;#8217;d rather just see what the decoded string is, so the easiest thing to do is replace the eval() with a print().  Then we can dump out the next stage:&lt;/p&gt;
&lt;pre&gt;hacbooknano:php_reverse wesley$ php original_print.txt &amp;gt; stage2_1.txt&lt;/pre&gt;
&lt;h3&gt;Stage 2&lt;/h3&gt;
&lt;p&gt;Here&amp;#8217;s what we have now:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage2_1.txt&quot; href=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage2_1.txt&quot; target=&quot;_blank&quot;&gt;stage2_1.txt&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The lack of line breaks is annoying, so a little dirty python code to split that up:&lt;/p&gt;
&lt;pre&gt;#!/usr/bin/python
# Insert a newline after every ';' so the single-line stage-2 dump
# becomes roughly one PHP statement per line. The split is naive (a ';'
# inside a string literal also breaks the line), which is fine for reading.
import sys

fp = open(sys.argv[1])
data = fp.read()
fp.close()

for i in data:
   sys.stdout.write(i)
   if i == ';':
      sys.stdout.write('\n')&lt;/pre&gt;
&lt;p&gt;Running this:&lt;/p&gt;
&lt;pre&gt;hacbooknano:php_reverse wesley$ ./breaklines.py stage2_1.txt &amp;gt; stage2_2_linebreaks.txt&lt;/pre&gt;
&lt;p&gt;We now have this:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage2_2_linebreaks.txt&quot; href=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage2_2_linebreaks.txt&quot; target=&quot;_blank&quot;&gt;stage2_2_linebreaks.txt&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The first 133 lines set up obfuscated names for the rest of the code in this stage. The code builds them a character at a time, with the assignments for different names interleaved.&lt;/p&gt;
&lt;p&gt;We can decode these names by copying those assignments out to  another file, and printing the obfuscated names out at the end:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage2_3_displaynames.txt&quot; href=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage2_3_displaynames.txt&quot; target=&quot;_blank&quot;&gt;stage2_3_displaynames.txt&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;hacbooknano:php_reverse wesley$ php stage2_3_displaynames.txt
x24b0884a06dee76da986eb65ba2940d = base64_decode
t104a34fab793aa8acc27101aa69e16d = ereg_replace
f28748ed1b08d4ce5faba4c5bbe478a2 = file_get_contents
sba02b7a6e9217c818bda90209467b6b = gzinflate
k9c9e40dc7cf4574c577417cdc8ae8a4 = md5
fafd3e80e124e1f5d45522b2e31e3eab = ob_end_clean
n8ad08ea0791139ed748c49d82092979 = ob_end_flush
v077b05ec0999fba76a979f188a32e32 = ob_get_contents
gb6e4eb13daf014a331ffe0376f2357b = ob_start
ff29e8f9567141dfd9b4c31c83a38d63 = str_replace
gb4ceeb3708efd3539d845de0b7fd52e = str_rot13
g52eba32e62d0a481f8e5efd196b27b8 = strpos
n8af683210c35ad36253a33d28a3fbde = strtok&lt;/pre&gt;
&lt;p&gt;Now, you can take this and go back to stage2_2_linebreaks to rename all the functions to their more readable names.  I did this manually with search-and-replace in TextMate, since I wanted to see what was being replaced and when.  I also normalized the strings as I did in stage 1.  You wind up with the following code:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage2_4_clean.txt&quot; href=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage2_4_clean.txt&quot; target=&quot;_blank&quot;&gt;stage2_4_clean.txt&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;There&amp;#8217;s what appears to be a tamper check, though I didn&amp;#8217;t really play with it much since there&amp;#8217;s no reason to.  All we&amp;#8217;re interested in at this point is the body of that &amp;#8220;if&amp;#8221; clause.  A chunk of encoded text is ROT-13&amp;#8217;d, base64 decoded, gunzipped, and finally eval()&amp;#8217;d.  If we chop out the tamper check, and replace the eval() with a print() again, we get to move on.&lt;/p&gt;
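&lt;p&gt;The two mechanical steps above, the hex/octal string normalization from stage 1 and the ROT-13 / base64 / gzinflate chain from stage 2, as an added Python example (not the author&amp;#8217;s scripts): it decodes the escapes with PHP&amp;#8217;s digit-count rules, which differ slightly from Python&amp;#8217;s, and unwraps the stage-2 payload without running it. The stage-2 snippet it unwraps is constructed here from a harmless PHP line, not the bot&amp;#8217;s code.&lt;/p&gt;

```python
"""Helpers for the obfuscator's string escapes and the stage-2 payload chain
(added example for this page, not the author's scripts).

Stage 1: PHP double-quoted strings take "\\xHH" with 1-2 hex digits and
"\\OOO" with 1-3 octal digits (octal overflow wraps to a byte). Python's "\\x"
demands exactly two hex digits, so a small regex decoder is more faithful
than pasting the string into a Python shell.

Stage 2: the payload is gzdeflate()'d, base64-encoded and str_rot13()'d,
then eval()'d. unwrap_stage2() reverses that chain. wrap_stage2() is the
forward chain and is only used to build the constructed sample below.
"""
import base64
import codecs
import re
import zlib

PHP_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def normalize_php_escapes(s: str) -> str:
    """Replace PHP \\xHH and \\OOO escapes with the characters they encode."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) % 256)   # PHP: "\400" silently becomes "\000"
    return PHP_ESCAPE.sub(repl, s)


def unwrap_stage2(blob: str) -> str:
    """Reverse str_rot13 -> base64_decode -> gzinflate (raw DEFLATE, wbits=-15)."""
    b64 = codecs.decode(blob, "rot_13")        # rot13 leaves digits, '+', '/', '=' alone
    deflated = base64.b64decode(b64)
    return zlib.decompress(deflated, -15).decode("latin-1")


def wrap_stage2(php: str) -> str:
    """The obfuscator's forward chain; used only to construct the sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(php.encode("latin-1")) + comp.flush()
    return codecs.encode(base64.b64encode(deflated).decode("ascii"), "rot_13")


def recover_next_stage(stage_source: str) -> str:
    """Locate the str_rot13('...') literal in a cleaned stage-2 source and
    return the decoded next stage: the post's print()-for-eval() trick, done
    without executing any PHP."""
    m = re.search(r"str_rot13\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", stage_source)
    if not m:
        raise ValueError("no str_rot13() payload found")
    return unwrap_stage2(m.group(1))


# Constructed inputs. FUNC_NAME_ESCAPED encodes "str_rot13" the way the
# obfuscator writes function names; NEXT_STAGE is a harmless stand-in for
# the real stage 3, and SAMPLE_STAGE2 wraps it with the obfuscator's chain
# behind a tamper check like the one the post chops out.
FUNC_NAME_ESCAPED = "\\x73\\164\\x72\\137\\x72\\157\\x74\\61\\x33"
NEXT_STAGE = '$host = "c2.example.invalid"; $port = 6667; echo "stage 3";'
SAMPLE_STAGE2 = (
    "if (md5($self) == $expected) {\n"
    "    eval(gzinflate(base64_decode(str_rot13('"
    + wrap_stage2(NEXT_STAGE) + "'))));\n}\n"
)

if __name__ == "__main__":
    print(normalize_php_escapes(FUNC_NAME_ESCAPED))
    print(recover_next_stage(SAMPLE_STAGE2))
```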
&lt;h3&gt;Stage 3&lt;/h3&gt;
&lt;p&gt;Here&amp;#8217;s what we have now:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage3_1.txt&quot; href=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage3_1.txt&quot; target=&quot;_blank&quot;&gt;stage3_1.txt&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This is close to the original code.  The obfuscator has encoded the strings, done away with whitespace, and randomized variable names.  We can normalize the strings, as above, and reformat the code.  For variable names, that&amp;#8217;s where we have to do some more human-eyes analysis.  By looking at what the variables are set to, what functions they are being passed into, and other contextual information, we can give most variables much more reader-friendly names.&lt;/p&gt;
&lt;p&gt;I only partially went through this process with this file, as I found what I needed, and had a good idea of the rest of the file.  The partial cleanup is here:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage3_2_cleanup.txt&quot; href=&quot;http://mcgrewsecurity.com/codedump/php_reverse/stage3_2_cleanup.txt&quot; target=&quot;_blank&quot;&gt;stage3_2_cleanup.txt&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Here&amp;#8217;s where it assigns the botnet C&amp;amp;C server settings:&lt;/p&gt;
&lt;pre&gt;error_reporting(0);
set_time_limit(0);
$filename = &quot;./a73v9.php&quot;;
$current_dir = &quot;./&quot;;
$channel = &quot;#nobotshere&quot;;
$host = &quot;complexity.razorhack.org&quot;;
$port = 65000;&lt;/pre&gt;
&lt;p&gt;The system, at the time, had been compromised by the ETA member, MR^E, giving shoutouts to the other ETA members:&lt;/p&gt;
&lt;p&gt;&lt;img class=&quot;aligncenter&quot; title=&quot;http://mcgrewsecurity.com/codedump/php_reverse/complexity.png&quot; src=&quot;http://mcgrewsecurity.com/codedump/php_reverse/complexity.png&quot; alt=&quot;&quot; width=&quot;521&quot; height=&quot;346&quot; /&gt;&lt;/p&gt;
&lt;p&gt;(Real smart, defacing your own botnet C&amp;amp;C)&lt;/p&gt;
&lt;h3&gt;Conclusions&lt;/h3&gt;
&lt;p&gt;I&amp;#8217;d like to thank my twitter followers for being very rapid in getting back-channels in-gear to get the C&amp;amp;C hosting and domain taken out.  While they&amp;#8217;re back to much more typical skiddie activities (as opposed to backdooring hospital HVAC systems), it&amp;#8217;s obvious that these guys haven&amp;#8217;t learned much of a lesson.  One can only hope that one day they&amp;#8217;ll realize that they can build on the skills they&amp;#8217;re using to run nets like this to get a start in legitimate security work, before it&amp;#8217;s too late and they manage to burn their bridges and/or get busted.&lt;/p&gt;
&lt;p&gt;Hopefully this will help some folk get a start in reversing PHP (and other interpreted language) de-obfuscation as well.  It&amp;#8217;s pretty easy, and I think that files like this would serve as a good introduction for students to the concepts involved in reverse engineering in general.  After a few baby-steps like this we can move them up to compiled code :).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update: &lt;/strong&gt;Looks like the original author of the bot code found out about this post, and decided to post the original source, along with a rant about how I &amp;#8220;pick on retards&amp;#8221;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://buffer0verflow.com/?p=77&quot; href=&quot;http://buffer0verflow.com/?p=77&quot;&gt;http://buffer0verflow.com/?p=77&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</content>
		<author>
			<name>Wesley McGrew</name>
			<uri>http://www.mcgrewsecurity.com</uri>
		</author>
		<source>
			<title type="html">McGrew Security Blog</title>
			<link rel="self" href="http://www.mcgrewsecurity.com/feed/"/>
			<id>http://www.mcgrewsecurity.com/feed/</id>
			<updated>2010-07-27T21:00:03+00:00</updated>
		</source>
	</entry>

	<entry>
		<title type="html">PaulDotCom EP200: The Hackers for Charity Podcast-a-Thon</title>
		<link href="http://securitybraindump.blogspot.com/2010/06/pauldotcom-ep200-hackers-for-charity.html"/>
		<id>tag:blogger.com,1999:blog-7055243034201530750.post-1111255962581476546</id>
		<updated>2010-06-03T14:36:44+00:00</updated>
		<content type="html">Tomorrow I will be trekking south to hang with the PaulDotCom crew for the 8 hour recording of &lt;a href=&quot;http://pauldotcom.com/wiki/index.php/Episode200&quot;&gt;Episode 200&lt;/a&gt;. They will be &lt;a href=&quot;http://pauldotcom.com/live/&quot;&gt;streaming live&lt;/a&gt; and it looks like they are pulling out all the stops for this episode. There will be interviews, tech segments, and appearances from HD Moore, Johnny Long, Lenny Zeltser, Ron Gula, Jack Daniel, and a couple of surprise guests. &lt;br /&gt;&lt;br /&gt;The show is dedicated to raising awareness and money for Johnny Long's &lt;a href=&quot;http://www.hackersforcharity.org/hackers-for-charity/get-involved/&quot;&gt;Hackers for Charity&lt;/a&gt;. If you are not familiar with the work Johnny is doing with HFC, &lt;a href=&quot;http://www.hackersforcharity.org/&quot;&gt;take a look&lt;/a&gt;! Donations can be made via the donate button on the &lt;a href=&quot;http://pauldotcom.com/2010/06/episode-200-with-hd-moore-sock.html&quot;&gt;PaulDotCom website&lt;/a&gt; or via the HFC &lt;a href=&quot;http://www.hackersforcharity.org/hackers-for-charity/get-involved/&quot;&gt;Get Involved Page&lt;/a&gt;. So help out with a donation and listen live tomorrow!</content>
		<author>
			<name>Bugbear</name>
			<email>securitybraindump@gmail.com</email>
			<uri>http://securitybraindump.blogspot.com/</uri>
		</author>
		<source>
			<title type="html">Security Braindump</title>
			<link rel="self" href="http://securitybraindump.blogspot.com/feeds/posts/default"/>
			<id>tag:blogger.com,1999:blog-7055243034201530750</id>
			<updated>2010-07-28T15:00:03+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Bookmarks for May 20th through May 27th</title>
		<link href="http://edsmiley.com/?p=433"/>
		<id>http://edsmiley.com/?p=433</id>
		<updated>2010-05-28T00:00:07+00:00</updated>
		<content type="html">&lt;p&gt;These are my links for May 20th through May 27th:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://sec4app.com/&quot;&gt;WebCruiser &amp;#8211; Web Security&lt;/a&gt; &amp;#8211; WebCruiser &amp;#8211; Web Vulnerability Scanner, a compact but powerful web security scanning tool that will aid you in auditing your site! It has a Vulnerability Scanner and a series of security tools.&lt;br /&gt;&lt;br /&gt;
It can support scanning website as well as POC (Proof of Concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool!&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://nullpointer.dk/?q=node/50&quot;&gt;Stealing a photo from remote webcam | nullpointer.dk&lt;/a&gt; &amp;#8211; Ever wanted to capture a photo from a remote webcam? Like from one of your friends perhaps. Probably if you've a little hacker in your belly.. This is another demonstration of the use of Metasploit like I did in my previous article Exploiting SMB on Windows. Therefore, I won't talk about installing the framework and running the supplied program msfconsole.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://pauldotcom.com/2010/04/using-meterpreter-to-control-n.html&quot;&gt;PaulDotCom: Archives&lt;/a&gt; &amp;#8211; Metasploit has A LOT of exploits, but from time to time you will very likely need to use exploits that are not part of the framework. Whether it is an exploit from www.exploit-db.com that spawns a shell or a netcat listener you can still use the framework to control the host. As long as you have a shell bound to a TCP port you can use metasploit to interact with that victim. What's more, you can upgrade that shell to a meterpreter session so you can benefit from the full power of the framework.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://blog.tenablesecurity.com/2010/05/common-platform-enumeration-cpe-with-nessus.html&quot;&gt;Tenable Network Security: Common Platform Enumeration (CPE) with Nessus&lt;/a&gt; &amp;#8211; Recently a Nessus plugin (and associated library) was developed that includes CPE information about supported targets. If no entry exists in the CPE database, the plugin will attempt to create one and apply all of the appropriate information in the CPE defined format. I ran a scan against my test network and then filtered for CPE entries:&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://security.crudtastic.com/?p=215&quot;&gt;security.crudtastic.com &amp;raquo; Test Lab Version 1.0&lt;/a&gt; &amp;#8211; &lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.dailymotion.com/video/22460067&quot;&gt;Dailymotion &amp;#8211; Practical Exploitation &amp;#8211; Null Session Enum &amp;#8211; a College video&lt;/a&gt; &amp;#8211; 3 tools that do enumeration using null sessions&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.skullsecurity.org/blog/?p=820&quot;&gt;SkullSecurity &amp;raquo; Blog Archive &amp;raquo; Defeating expensive lockdowns with cheap shellscripts&lt;/a&gt; &amp;#8211; Recently, I was given the opportunity to work with an embedded Linux OS that was locked down to prevent unauthorized access. I was able to obtain a shell fairly quickly, but then I ran into a number of security mechanisms. Fortunately, I found creative ways to overcome each of them.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Related posts:&lt;ol&gt;&lt;li&gt;&lt;a href=&quot;http://edsmiley.com/?p=249&quot; rel=&quot;bookmark&quot; title=&quot;Permanent Link: Bookmarks for February 17th through March 3rd&quot;&gt;Bookmarks for February 17th through March 3rd&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://edsmiley.com/?p=155&quot; rel=&quot;bookmark&quot; title=&quot;Permanent Link: Bookmarks for November 20th through November 25th&quot;&gt;Bookmarks for November 20th through November 25th&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://edsmiley.com/?p=91&quot; rel=&quot;bookmark&quot; title=&quot;Permanent Link: Bookmarks for August 27th from 14:11 to 14:17&quot;&gt;Bookmarks for August 27th from 14:11 to 14:17&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;/p&gt;</content>
		<author>
			<name>Ed Smiley</name>
			<uri>http://edsmiley.com</uri>
		</author>
		<source>
			<title type="html">Ed Smiley's Blog</title>
			<subtitle type="html">IT and Infosec Security Ramblings</subtitle>
			<link rel="self" href="http://edsmiley.com/?feed=rss2"/>
			<id>http://edsmiley.com/?feed=rss2</id>
			<updated>2010-07-01T03:30:13+00:00</updated>
		</source>
	</entry>

	<entry>
		<title type="html">The Security Bloggers Network</title>
		<link href="http://securitybraindump.blogspot.com/2010/05/security-bloggers-network.html"/>
		<id>tag:blogger.com,1999:blog-7055243034201530750.post-320084662710501278</id>
		<updated>2010-05-24T21:50:39+00:00</updated>
		<content type="html">&lt;div class=&quot;separator&quot;&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot;&gt;&lt;/div&gt;&lt;a href=&quot;http://www.blogger.com/goog_2011169533&quot;&gt;&lt;/a&gt;Rich Mogull of &lt;a href=&quot;http://www.securosis.com/&quot;&gt;Securosis&lt;/a&gt; recently published a blog post entitled &lt;a href=&quot;http://securosis.com/blog/is-twitter-making-us-dumb-bloggers-please-come-back&quot;&gt;Is Twitter Making Us Dumb? Bloggers, Please Come Back&lt;/a&gt;. Rich summarizes his experience starting a blog and shares his perspective on the diminishing amount of blogging.&lt;span class=&quot;fn&quot;&gt; Alan Shimel&lt;/span&gt; who runs the &lt;a href=&quot;http://www.securitybloggersnetwork.com/&quot;&gt;Security Blogger Network&lt;/a&gt; quickly followed up with his own &lt;a href=&quot;http://www.ashimmy.com/2010/05/calling-all-security-bloggers-come-out-come-out-where-ever-you-are.html&quot;&gt;post&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I too have noticed that my RSS reader is not nearly as full as it  once was. Many of the resources I have today in my RSS Reader came from the Security Bloggers Network after stumbling upon it several years ago. The blogs I was introduced to through the SBN opened up a new world for me. I was introduced to thoughts and opinions from every corner of the security community. Many of which I had never considered. &lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://2.bp.blogspot.com/_KM-Ojgotrpk/S_so3UMrg8I/AAAAAAAAADY/TYGU1bCuoAU/s1600/sbn-logo.gif&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://2.bp.blogspot.com/_KM-Ojgotrpk/S_so3UMrg8I/AAAAAAAAADY/TYGU1bCuoAU/s320/sbn-logo.gif&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;When I started my own blog about a year ago, it never occurred to me to even join. In retrospect, it may have been lack of confidence, as I was not sure what I was going to write about. 
I just knew that there were some thoughts I needed to rant about and blogging seemed like a logical medium. But I quickly found blogging to be an rewarding experience and I am currently backlogged with so many ideas for posts, I have enough material for the remainder of the year.&lt;br /&gt;&lt;br /&gt;So I am proud to announce, I am a new member of the Security Bloggers Network. If you have a blog, I recommend you consider joining. If you do not have a blog I ask you to consider starting one, as it can be a rewarding experience to both the author and the reader, alike.&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;/div&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;img width=&quot;1&quot; height=&quot;1&quot; src=&quot;https://blogger.googleusercontent.com/tracker/7055243034201530750-320084662710501278?l=securitybraindump.blogspot.com&quot; alt=&quot;&quot; /&gt;&lt;/div&gt;</content>
		<author>
			<name>Bugbear</name>
			<email>securitybraindump@gmail.com</email>
			<uri>http://securitybraindump.blogspot.com/</uri>
		</author>
		<source>
			<title type="html">Security Braindump</title>
			<link rel="self" href="http://securitybraindump.blogspot.com/feeds/posts/default"/>
			<id>tag:blogger.com,1999:blog-7055243034201530750</id>
			<updated>2010-07-28T15:00:03+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Bookmarks for April 19th through May 19th</title>
		<link href="http://edsmiley.com/?p=432"/>
		<id>http://edsmiley.com/?p=432</id>
		<updated>2010-05-20T03:00:11+00:00</updated>
		<content type="html">&lt;p&gt;These are my links for April 19th through May 19th:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://blog.dasient.com/2010/05/q110-web-based-malware-data-and-trends.html&quot;&gt;Dasient Blog: Q1&amp;#8217;10 web-based malware data and trends&lt;/a&gt; &amp;#8211; Each quarter we pull together data for web-based malware attacks from across the web. Our proprietary malware analysis platform allows us to monitor millions of websites and draw results from a wealth of data which we summarize in this blog. What we continue to see is that the web malware threat continues to grow significantly. Hackers are becoming increasingly sophisticated and bold in their attacks, which means that legitimate websites are more threatened than ever. Putting web site security best practices in place such as malware monitoring and containment is becoming an absolute must if businesses do not want to expose themselves and their customers to these attacks. A particularly interesting observation has been an increase in 'malvertising' attacks in which hackers plant malicious ads on high-profile ad networks and websites&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.skullsecurity.org/blog/?p=627&quot;&gt;SkullSecurity &amp;raquo; Blog Archive &amp;raquo; Taking apart the Energizer trojan &amp;#8211; Part 1: setup&lt;/a&gt; &amp;#8211; As most of you know, a Trojan was recently discovered in the software for Energizer's USB battery charger. Following its release, I wrote an Nmap probe to detect the Trojan and HD Moore wrote a Metasploit module to exploit it.&lt;br /&gt;&lt;br /&gt;
I mentioned in my last post that it was a nice sample to study and learn from. The author made absolutely no attempt to conceal its purpose, once installed, besides a weak XOR encoding for communication. Some conspiracy theorists even think this may have been legitimate management software gone wrong &amp;#8212; and who knows, really? In any case, I offered to write a tutorial on how I wrote the Nmap probe, and had a lot of positive feedback, so here it is!&lt;br /&gt;&lt;br /&gt;
Just be sure to take this for what it is. This is *not* intended to show any new methods or techniques or anything like that. It's a reverse engineering guide targeted, as much as I could, for people who've never opened IDA or Windbg in their lives. I'd love to hear your comments!&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx&quot;&gt;Security Breach Notification Laws&lt;/a&gt; &amp;#8211; Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=N2boa3lyC7Q&quot;&gt;YouTube &amp;#8211; Bogota Review&lt;/a&gt; &amp;#8211; &lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=-nFV-KksseQ&quot;&gt;YouTube &amp;#8211; CUSTOM BOGATA LOCKPICKING INSTRUCTIONAL VIDEO&lt;/a&gt; &amp;#8211; CUSTOM BOGATA LOCKPICKING INSTRUCTIONAL VIDEO:&lt;br /&gt;&lt;br /&gt;
this is a reference instructional video on my custom-made bogata rakes, made for the &amp;quot;tutorials&amp;quot; thread @ www.keypicking.com&lt;br /&gt;&lt;br /&gt;
in this video i use a Titanium-shackle Wilson-Bohannan, a 45mm Guard, &amp;amp; a 50mm Garrison, as picking subjects&lt;br /&gt;&lt;br /&gt;
NOTE: these custom rakes are entirely hand-made, and do occasionally become available through me.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.greensql.net/publications/mysql-security-best-practices&quot;&gt;MySQL Security Best Practices (Hardening MySQL Tips) | GreenSQL&lt;/a&gt; &amp;#8211; The MySQL database has become the world's most popular open source database because of its consistent fast performance, high reliability and ease of use. MySQL is used on every continent &amp;ndash; yes, even in Antarctica! &amp;ndash; by individuals, Web developers, as well as many of the world's largest and fastest-growing organizations such as industry leaders Yahoo!, Alcatel-Lucent, Google, Nokia, YouTube and others to save time and money powering their high-volume websites, business-critical systems, and packaged software.&lt;br /&gt;&lt;br /&gt;
As most products do, MySQL comes &amp;quot;ready-to-work&amp;quot; out of the box. Usually, security is not a major consideration when installing this kind of product. Often, the most important issue is to get it up and running as quickly as possible so that the organization can benefit. This document is intended as a quick security manual to help you bring an installed MySQL database server into conformity with best security practices.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.securitymetrics.com/panscan.adp&quot;&gt;PANscan &amp;#8211; SecurityMetrics&lt;/a&gt; &amp;#8211; PANscan simplifies the testing process by enabling non-technical merchants to quickly find prohibited credit card data on their systems. It will:
&lt;ul&gt;
&lt;li&gt;Search the local system for cardholder data.&lt;/li&gt;
&lt;li&gt;Triple-check all threats to ensure they are valid.&lt;/li&gt;
&lt;li&gt;Run 10 times faster than a normal disk scan.&lt;/li&gt;
&lt;li&gt;Report summary results immediately.&lt;/li&gt;
&lt;li&gt;Allow scans to be performed as frequently as desired on any number of merchant machines.&lt;/li&gt;
&lt;/ul&gt;
Free downloads available in May&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Related posts:&lt;ol&gt;&lt;li&gt;&lt;a href=&quot;http://edsmiley.com/?p=431&quot; rel=&quot;bookmark&quot; title=&quot;Permanent Link: Bookmarks for April 2nd through April 18th&quot;&gt;Bookmarks for April 2nd through April 18th&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://edsmiley.com/?p=430&quot; rel=&quot;bookmark&quot; title=&quot;Permanent Link: Bookmarks for April 1st through April 2nd&quot;&gt;Bookmarks for April 1st through April 2nd&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://edsmiley.com/?p=293&quot; rel=&quot;bookmark&quot; title=&quot;Permanent Link: Bookmarks for April 26th through April 29th&quot;&gt;Bookmarks for April 26th through April 29th&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;/p&gt;</content>
		<author>
			<name>Ed Smiley</name>
			<uri>http://edsmiley.com</uri>
		</author>
		<source>
			<title type="html">Ed Smiley's Blog</title>
			<subtitle type="html">IT and Infosec Security Ramblings</subtitle>
			<link rel="self" href="http://edsmiley.com/?feed=rss2"/>
			<id>http://edsmiley.com/?feed=rss2</id>
			<updated>2010-07-01T03:30:13+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">GhostExodus Pleads Guilty</title>
		<link href="http://www.mcgrewsecurity.com/2010/05/14/ghostexodus-pleads-guilty/"/>
		<id>http://www.mcgrewsecurity.com/?p=753</id>
		<updated>2010-05-15T01:36:48+00:00</updated>
		<content type="html">&lt;p&gt;Today, the US Attorney&amp;#8217;s Office announced that Jesse &amp;#8220;GhostExodus&amp;#8221; McGraw, has entered a guilty plea on two charges of transmitting a malicious code.  Jesse had compromised more than 14 computers at the Carrell Clinic in Dallas, Texas, where he worked as a night-shift security guard.  This included the system running the HMI (Human Machine Interface) for the hospital&amp;#8217;s HVAC system.  To the best of my knowledge this is the only arrest and conviction of a hacker involved in a control systems/SCADA incident in the United States.&lt;/p&gt;
&lt;p&gt;This story began last year, when I became aware of the HVAC compromise, and gathered information about it to turn over to FBI.  Throughout the process, I have been very impressed with the technical skill and responsiveness of the FBI agents.  I am also very happy with this outcome.  This may serve to educate organizations with control systems about the threats and vulnerabilities that are possible, and put other &amp;#8220;script-kiddie&amp;#8221; type hackers on notice that they can be tracked down and prosecuted for their actions.&lt;/p&gt;
&lt;p&gt;The press release for the guilty plea is not yet available on the DOJ website, but the following articles are available:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title=&quot;http://www.computerworld.com/s/article/9176811/Security_guard_pleads_guilty_to_hacking_his_employer&quot; href=&quot;http://www.computerworld.com/s/article/9176811/Security_guard_pleads_guilty_to_hacking_his_employer&quot; target=&quot;_blank&quot;&gt;Security guard pleads guilty to hacking his employer&lt;/a&gt; &amp;#8211; Bob McMillan, IDG News Service&lt;/li&gt;
&lt;li&gt;&lt;a title=&quot;http://blogs.dallasobserver.com/unfairpark/2010/05/hacker_known_as_ghostexodus_wh.php&quot; href=&quot;http://blogs.dallasobserver.com/unfairpark/2010/05/hacker_known_as_ghostexodus_wh.php&quot; target=&quot;_blank&quot;&gt;Hacker Known as &amp;#8220;GhostExodus,&amp;#8221; Who Broke Into Carrell Clinic Computers, Pleads Guilty&lt;/a&gt; &amp;#8211; Robert Wilonsky, Dallas Observer (This article has the complete text of the DOJ press release)&lt;/li&gt;
&lt;li&gt;&lt;a title=&quot;http://www.star-telegram.com/2010/05/14/2190429/arlington-man-pleads-guilty-to.html&quot; href=&quot;http://www.star-telegram.com/2010/05/14/2190429/arlington-man-pleads-guilty-to.html&quot; target=&quot;_blank&quot;&gt;Arlington man pleads guilty to hacking medical clinic&amp;#8217;s computers&lt;/a&gt; &amp;#8211; Nathaniel Jones, Star Telegram&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I have a large collection of PDFs of court filings for this case, which I may post with commentary at some point soon, now that he has entered a guilty plea.  The PDFs make for interesting reading and a wild ride, and I don&amp;#8217;t know of any other resources that have good documentation of a hacker case.  I&amp;#8217;m looking forward to going through them again.&lt;/p&gt;</content>
		<author>
			<name>Wesley McGrew</name>
			<uri>http://www.mcgrewsecurity.com</uri>
		</author>
		<source>
			<title type="html">McGrew Security Blog</title>
			<link rel="self" href="http://www.mcgrewsecurity.com/feed/"/>
			<id>http://www.mcgrewsecurity.com/feed/</id>
			<updated>2010-07-27T21:00:03+00:00</updated>
		</source>
	</entry>

	<entry xml:lang="en">
		<title type="html">Live Hacking CD vs. Backtrack 4</title>
		<link href="http://www.mcgrewsecurity.com/2010/05/10/live-hacking-cd-vs-backtrack-4/"/>
		<id>http://www.mcgrewsecurity.com/?p=750</id>
		<updated>2010-05-10T14:03:59+00:00</updated>
		<content type="html">&lt;p&gt;The idea for doing this comparison came to me after seeing some back-and-forth on twitter between &lt;a title=&quot;http://twitter.com/attritionorg&quot; href=&quot;http://twitter.com/attritionorg&quot; target=&quot;_blank&quot;&gt;@attritionorg&lt;/a&gt; and &lt;a title=&quot;http://twitter.com/dralijahangiri&quot; href=&quot;http://twitter.com/dralijahangiri&quot; target=&quot;_blank&quot;&gt;@dralijahangiri&lt;/a&gt; about the &lt;a title=&quot;http://www.livehacking.com/index.htm&quot; href=&quot;http://www.livehacking.com/index.htm&quot; target=&quot;_blank&quot;&gt;Live Hacking CD&lt;/a&gt;.  After &lt;a title=&quot;http://twitter.com/attritionorg&quot; href=&quot;http://twitter.com/attritionorg&quot; target=&quot;_blank&quot;&gt;@attritionorg &lt;/a&gt;called the point of the Live Hacking CD into question (when &lt;a title=&quot;http://www.backtrack-linux.org/&quot; href=&quot;http://www.backtrack-linux.org/&quot; target=&quot;_blank&quot;&gt;Backtrack 4&lt;/a&gt; is already available), Dr. Ali Jahangiri made claims that&lt;a title=&quot;http://twitter.com/dralijahangiri/status/13527657543&quot; href=&quot;http://twitter.com/dralijahangiri/status/13527657543&quot; target=&quot;_blank&quot;&gt; &amp;#8220;Live Hacking CD is much easier than BackTrack and its tools are updated&amp;#8221;&lt;/a&gt;, and tha&lt;a title=&quot;http://twitter.com/dralijahangiri/status/13527923154&quot; href=&quot;http://twitter.com/dralijahangiri/status/13527923154&quot; target=&quot;_blank&quot;&gt;t &amp;#8220;BackTrack is a great Distro but it has tons of tools that you do not use it frequently in PenTest&amp;#8221;&lt;/a&gt;.  Dr. Jahangiri followed this up with &lt;a title=&quot;http://twitter.com/dralijahangiri/status/13527949893&quot; href=&quot;http://twitter.com/dralijahangiri/status/13527949893&quot; target=&quot;_blank&quot;&gt;an example&lt;/a&gt; that there are &amp;#8220;old&amp;#8221; tools in Backtrack: Kismet.&lt;/p&gt;
&lt;p&gt;I had not used the Live Hacking CD before, so I figured that testing out these claims and comparing the two distributions might be worth doing.  I&amp;#8217;m always interested in new live CDs, both for my own use, and as recommendations for students and others new to infosec.  Backtrack 4 is the current pentest-distro-of-choice around here.  It&amp;#8217;s to the point now that a BT4 install is about as good as anything I&amp;#8217;d roll myself for a pen-testing Linux install, and it&amp;#8217;s also something I can recommend to the students for lab exercises, and our end-of-semester CTF.&lt;/p&gt;
&lt;p&gt;One might ask, why would the Live Hacking folks want to re-invent the wheel?  If you are just a user of Backtrack, it may not have occurred to you, but there is a business rationale for competition in the pen-test Live CD arena.  The BT4 maintainers, Offensive Security, offer some very well-liked and technical training classes that use Backtrack in a classroom setting.  Live Hacking also holds workshops that teach similar material.  It would make sense, then, that one training company would not want to have students spending much of their time in class staring at an advertising vehicle for another company.&lt;/p&gt;
&lt;p&gt;So, the Live Hacking CD makes sense for the Live Hacking training.  They don&amp;#8217;t have students sitting and looking at their competitor&amp;#8217;s logos throughout class.  They can load it up with the specific tools that they teach in the class and update it along with their material.  At the NFTC, we&amp;#8217;ll likely soon be doing something similar with a forensics live distro, so I definitely &amp;#8220;get it&amp;#8221;.&lt;/p&gt;
&lt;p&gt;The question is: if I am not currently in the Live Hacking training, is their Live CD something that is useful independent of the class?  The answer for Backtrack 4, with the new features for cleanly installing and package management, is a resounding &amp;#8220;yes&amp;#8221;.  Backtrack serves as a tough competitor, but Dr. Jahangiri seems to compare the Live Hacking CD favorably to BT4, so let&amp;#8217;s take it to task:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Tools&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;I considered building a table that compared the two sets of tools, but there&amp;#8217;s honestly no point.  Backtrack 4 is a DVD distribution, giving it a huge advantage over Live Hacking&amp;#8217;s CD in this category.  You can view a list of tools that are on the Live Hacking CD &lt;a title=&quot;http://www.livehacking.com/cd-dvd/applications.htm&quot; href=&quot;http://www.livehacking.com/cd-dvd/applications.htm&quot; target=&quot;_blank&quot;&gt;here&lt;/a&gt;, though I am not aware of a list for Backtrack 4 (there is a Backtrack 3 list &lt;a title=&quot;http://backtrack.offensive-security.com/index.php/Tools&quot; href=&quot;http://backtrack.offensive-security.com/index.php/Tools&quot; target=&quot;_blank&quot;&gt;here&lt;/a&gt;, though it&amp;#8217;s not quite accurate for BT4).&lt;/p&gt;
&lt;p&gt;While Backtrack 4 has all but a few of the tools from Live Hacking (Relay Scanner, for example), there are some interesting omissions from Live Hacking.  The Live Hacking CD seems to focus on reconnaissance, spoofing, and wireless tools.  It&amp;#8217;s missing a lot of vulnerability finding and exploitation tools.  For example, it&amp;#8217;s very surprising to me to see a live CD meant for penetration testing that does not include the Metasploit framework.  I don&amp;#8217;t see any web application tools, either.&lt;/p&gt;
&lt;p&gt;I&amp;#8217;m sure there&amp;#8217;s good reason for this on the Live Hacking CD side of things.  If you&amp;#8217;re building a CD to go along with exercises for a class, there&amp;#8217;s no reason to put a tool on the disc that isn&amp;#8217;t used in an exercise.  This doesn&amp;#8217;t make for a good pen-testing disc for general use, though, and I&amp;#8217;d have to say that Backtrack 4 wins hands-down on this.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Updates&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;There was a claim that the tools on the Live Hacking CD are &amp;#8220;updated&amp;#8221;.  I&amp;#8217;ll take that as an opportunity to look at how they both handle updates.  This cuts to the very nature of each disc, really illustrating how they&amp;#8217;re meant for very different purposes.&lt;/p&gt;
&lt;p&gt;The Live Hacking CD is heavily based on the Ubuntu Desktop 9.10 ISO.  So much so, that VMware Workstation detects the ISO as being Ubuntu 9.10 and offers to do a quick install.  If you check the sources.list, you will find that it even uses Ubuntu&amp;#8217;s repositories.  Many of the pen-testing tools are installed from Ubuntu&amp;#8217;s repositories, and have recent version numbers.  If a tool were to be updated in the 9.10 repositories, you would be able to update it in LHCD easily.&lt;/p&gt;
&lt;p&gt;Other tools that aren&amp;#8217;t in the Ubuntu repos (such as metoscan) or haven&amp;#8217;t been updated in a while (Kismet) appear to have been installed manually.  To use Dr. Jahangiri&amp;#8217;s example, Kismet in LHCD is from the January 2010 release (found by running &amp;#8216;strings&amp;#8217; on the kismet_server binary).  On Backtrack 4, Kismet was built from SVN in July of 2009.&lt;/p&gt;
&lt;p&gt;So, Kismet is newer on LHCD than on the Backtrack 4 DVD.  On Backtrack, however, Kismet is a package maintained by the BT4 developers.  Backtrack, like LHCD, is based on Ubuntu, but unlike LHCD, the Backtrack developers have put a lot of work into setting up their own repositories and providing updates and tools independently of Ubuntu.  Because of this, the BT4 developers could, at any time, rebuild Kismet from SVN and you would be able to apt-get it in.  If the LHCD maintainers were to update Kismet, it would likely require a new version of the disc.&lt;/p&gt;
&lt;p&gt;So, while the Live Hacking CD might have slightly newer versions of some tools, Backtrack 4 has a better framework for keeping those tools up to date.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Ease of Use&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;I&amp;#8217;m not sure how to measure this claim, but I hesitate to say that either one is &amp;#8220;much easier&amp;#8221; to use than the other.  Both are a collection of tools and you either know how to use them, or you don&amp;#8217;t.  Backtrack 4 is a more popular distro than Live Hacking, and therefore you may be able to find help with problems on Google more easily, but there&amp;#8217;s not anything inherently easier about one over the other.&lt;/p&gt;
&lt;p&gt;A claim was made that &amp;#8220;BackTrack is a great Distro but it has tons of tools that you do not use it frequently in PenTest&amp;#8221;.  If this is part of the argument that LHCD is easier, I would have to disagree.  There are many tools in BT4 that I don&amp;#8217;t use, but they don&amp;#8217;t get in my way, or reduce the ease at which I use the others.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Conclusions&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;If it weren&amp;#8217;t for the claims made about the Live Hacking CD comparing it to Backtrack 4, I probably wouldn&amp;#8217;t have looked at the two together or posted about it.  It really isn&amp;#8217;t anything resembling a close-call.  They are two very different beasts.&lt;/p&gt;
&lt;p&gt;The Live Hacking CD is a disc designed as a companion to a class, and I&amp;#8217;m sure it fits that purpose well.  There are good reasons for developing custom live CDs for classes.  It does, however, have limited use outside of the class.&lt;/p&gt;
&lt;p&gt;Outside of the classroom, Backtrack 4 is a much better choice, in my opinion.  It has a much more comprehensive set of tools, a system for updating them, and a team of developers that are committed to keeping it relevant.  Unless you have a very specific need for something else, BT4 is as good as it gets for pen-testing Live CDs.&lt;/p&gt;</content>
		<author>
			<name>Wesley McGrew</name>
			<uri>http://www.mcgrewsecurity.com</uri>
		</author>
		<source>
			<title type="html">McGrew Security Blog</title>
			<link rel="self" href="http://www.mcgrewsecurity.com/feed/"/>
			<id>http://www.mcgrewsecurity.com/feed/</id>
			<updated>2010-07-27T21:00:03+00:00</updated>
		</source>
	</entry>

	<entry>
		<title type="html">Why Hackers make the Best IT Support Professionals</title>
		<link href="http://securitybraindump.blogspot.com/2010/05/why-hackers-make-best-it-support.html"/>
		<id>tag:blogger.com,1999:blog-7055243034201530750.post-4942993661933040418</id>
		<updated>2010-05-03T21:33:02+00:00</updated>
		<content type="html">This is a thought that I have had brewing for some time and I will attempt to not rant too much.&amp;nbsp; Throughout my IT career, I have been watching many IT Support professionals immediately go for a quick fix to technology issues. This is not to say a quick fix is never warranted. The constant barrage of support issues, end users broadsiding you as you attempt to grab lunch, and evolving technology is indeed a challenge. I feel your pain. I've been there, I've done that, and I still do it on a daily basis. The beating support people take can cause even the most saintly to lose his/her patience.&lt;br /&gt;&lt;br /&gt;However, I feel the trend of the quick fix seems to be worsening. In InfoSec, the quick fix is often used in conjunction with FUD (fear, uncertainty, and doubt) to sell those magical products with blinking lights that are going to make the latest attack vectors just magically disappear. The problem with this concept is the same in all subsets of Information Technology, however. How many of us have told colleagues, friends, and family to reboot as a solution to an issue? How many of us have told them to do so more than once for the same issue? See, the quick fix is not really a fix at all; it is procrastination. &lt;br /&gt;&lt;br /&gt;I like to think that we as IT Professionals, whether desktop support, enterprise architects, coders, or InfoSec, pursued our career because we all had a common love of technology. Many of us have an inquisitive nature that would rival any scientist's. This makes us all brothers and sisters alike. The inquisitive nature that I felt when powering on my TI-99/4A in 1981 is still with me today. This is why I chose this career. &lt;br /&gt;&lt;br /&gt;Some of the most inquisitive people I have met while working in IT have been those who have dubbed themselves &quot;hackers&quot;. These are not the &quot;hackers&quot; the media would have you believe are hijacking your wireless and stealing your digital valuables. These are self-proclaimed geeks who love computers. They are not always InfoSec professionals. They may work on a helpdesk, as a systems administrator, or at the local Radio Shack. They enjoy taking things apart and putting them back together in ways that improve the technology. See, hackers understand the concepts of efficiency and availability.&amp;nbsp; These concepts are the foundation of supporting any business. It is what our employers pay us our salaries for, regardless of the subset of IT we may fall under.&lt;br /&gt;&lt;br /&gt;Efficiency and availability are not about reboots and resets. They are about getting to the root of an issue, learning from it, and improving the system(s) from what you have learned. So take the time to understand the technology issues you come across. It can be fun and productive. If you are not feeling the love for your technology career of choice, then ask the hacker working at the local Radio Shack if he or she is willing to trade careers with you. I suspect they would jump at the chance.</content>
		<author>
			<name>Bugbear</name>
			<email>securitybraindump@gmail.com</email>
			<uri>http://securitybraindump.blogspot.com/</uri>
		</author>
		<source>
			<title type="html">Security Braindump</title>
			<link rel="self" href="http://securitybraindump.blogspot.com/feeds/posts/default"/>
			<id>tag:blogger.com,1999:blog-7055243034201530750</id>
			<updated>2010-07-28T15:00:03+00:00</updated>
		</source>
	</entry>

	<entry>
		<title type="html">More Experiments with Master File Table Timestamps</title>
		<link href="http://securitybraindump.blogspot.com/2010/05/more-experiments-with-master-file-table.html"/>
		<id>tag:blogger.com,1999:blog-7055243034201530750.post-1493360379693291750</id>
		<updated>2010-05-03T21:29:18+00:00</updated>
		<content type="html">I had an anonymous comment on my &lt;a href=&quot;http://securitybraindump.blogspot.com/2010/04/tampering-with-master-file-table.html&quot;&gt;Tampering with Master File Table Records&lt;/a&gt; post referencing the Timestomp utility available in &lt;a href=&quot;http://www.metasploit.com/research/projects/antiforensics/&quot;&gt;Metasploit&lt;/a&gt;. Timestomp is an anti-forensics utility used to change the date/time metadata stored in the $Standard_Information Attribute of the Master File Table. I experimented with the utility prior to the previous post but had some issues getting it to run properly on Windows 7. Moreover, Timestomp does not edit the $File_Name Attribute (MACE) values. The commenter does point out an interesting workaround noted on the Timestomp &lt;a href=&quot;http://www.forensicswiki.org/wiki/Timestomp&quot;&gt;wiki&lt;/a&gt;, however.&lt;br /&gt;&lt;br /&gt;Moving a file after manipulating it with Timestomp copies all four $Standard_Information Attribute time values into the $File_Name Attribute. Once moved, you must change the SI attribute values again. Staying with the tools already available on Windows 7, I tested this using the Move-Item cmdlet. (This is a move within the same volume, which rewrites the existing MFT record; a move across volumes is a copy plus a delete and creates a fresh record on the destination with its own timestamps.) 
&lt;br /&gt;&lt;blockquote&gt;CD C:\Windows\System32&lt;br /&gt;New-Item malicious.dll -type file&lt;br /&gt;(get-item malicious.dll).creationtime=$(Get-Date &quot;02/11/10 07:30&quot;)&lt;br /&gt;(get-item malicious.dll).lastwritetime=$(Get-Date &quot;02/11/10 07:30&quot;)&lt;br /&gt;(get-item malicious.dll).lastaccesstime=$(Get-Date &quot;02/11/10 07:30&quot;)&lt;br /&gt;set-date -date 02/11/10&lt;br /&gt;set-date -date 07:30:00&lt;br /&gt;rename-item malicious.dll notmalicious.txt&lt;br /&gt;Move-Item notmalicious.txt C:\Users\Public\&lt;br /&gt;CD C:\Users\Public\&lt;br /&gt;(get-item notmalicious.txt).creationtime=$(Get-Date &quot;02/11/10 07:30&quot;)&lt;br /&gt;(get-item notmalicious.txt).lastwritetime=$(Get-Date &quot;02/11/10 07:30&quot;)&lt;br /&gt;(get-item notmalicious.txt).lastaccesstime=$(Get-Date &quot;02/11/10 07:30&quot;)&lt;/blockquote&gt;I verified again by carving the $MFT out and using &lt;a href=&quot;http://www.integriography.com/&quot;&gt;analyzeMFT&lt;/a&gt; to parse the contents. The following is the output of the $MFT record for our malicious file, verifying that all eight date values have been edited:&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/_KM-Ojgotrpk/S99yXxnX1eI/AAAAAAAAADQ/Quh5B1IuQcY/s1600/export_post_move.png&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;15&quot; src=&quot;http://4.bp.blogspot.com/_KM-Ojgotrpk/S99yXxnX1eI/AAAAAAAAADQ/Quh5B1IuQcY/s400/export_post_move.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Rob T. Lee also recently &lt;a href=&quot;http://blogs.sans.org/computer-forensics/2010/04/12/windows-7-mft-entry-timestamp-properties/&quot;&gt;posted&lt;/a&gt; some research he has been doing on Windows 7 $MFT timestamp entries. His findings to date seem to support the aforementioned behavior. It will be interesting to see what additional behavior he finds. 
Keep the comments coming!</content>
		<author>
			<name>Bugbear</name>
			<email>securitybraindump@gmail.com</email>
			<uri>http://securitybraindump.blogspot.com/</uri>
		</author>
		<source>
			<title type="html">Security Braindump</title>
			<link rel="self" href="http://securitybraindump.blogspot.com/feeds/posts/default"/>
			<id>tag:blogger.com,1999:blog-7055243034201530750</id>
			<updated>2010-07-28T15:00:03+00:00</updated>
		</source>
	</entry>

	<entry>
		<title type="html">Tampering with Master File Table Records</title>
		<link href="http://securitybraindump.blogspot.com/2010/04/tampering-with-master-file-table.html"/>
		<id>tag:blogger.com,1999:blog-7055243034201530750.post-3817731075073321719</id>
		<updated>2010-05-03T13:54:57+00:00</updated>
		<content type="html">I have been spending some time reading &lt;a href=&quot;http://www.digital-evidence.org/fsfa/index.html&quot;&gt;File System Forensic Analysis&lt;/a&gt; by Brian Carrier, which is considered by many to be the primary resource on the subject of file system forensics. Consequently, I began thinking of ways to tamper with the metadata stored within the Master File Table (MFT) of NTFS formatted drives. In NTFS everything is a file, and the MFT stores information on these files. Analyzing the MFT is one way of establishing a forensic timeline of all file and folder changes on the system being investigated.&lt;br /&gt;&lt;br /&gt;The MFT contains a record for each file or folder, made up of several attributes such as the $Standard_Information Attribute and the $File_Name Attribute. These attributes hold the metadata for every file and folder created, modified, or accessed within NTFS, and the records of deleted files remain in the MFT until their entries are reused.&lt;br /&gt;&lt;br /&gt;The $Standard_Information Attribute contains metadata which includes the Date/Time values that are commonly referenced by the operating system. These are the values one would see when viewing the properties of a file within explorer.exe on a Windows system. The values are sometimes referred to as M.A.C.E. 
and include:&lt;br /&gt;&lt;blockquote&gt;&lt;b&gt;M&lt;/b&gt;odified Time: Time the folder or file was last modified&lt;br /&gt;&lt;b&gt;A&lt;/b&gt;ccessed Time: Time the folder or file was last accessed&lt;br /&gt;&lt;b&gt;C&lt;/b&gt;reation Time: Time the folder or file was created&lt;br /&gt;&lt;b&gt;E&lt;/b&gt;ntry Modified Time: Time the MFT entry of a folder or file was last modified (note: cannot be viewed from Windows Explorer)&lt;/blockquote&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/S7yk2sK094I/AAAAAAAAACg/gPe6nvVYlfc/s1600/originalfileproperties.PNG&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/S7yk2sK094I/AAAAAAAAACg/gPe6nvVYlfc/s320/originalfileproperties.PNG&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The $File_Name Attribute contains the name of the file. In Windows there will usually be entries in both the 8.3 DOS and Win32 naming formats. The $File_Name Attribute also contains date/time (MACE) values similar to those found in the $Standard_Information Attribute. These values usually reflect the creation time of the file or folder and do not change frequently. There are exceptions to this which I discuss later in this post.&lt;br /&gt;&lt;br /&gt;Since the attribute values stored within the MFT are commonly used for generating a timeline during the analysis of Windows NTFS file systems, I started playing around with manipulating the metadata within it. If one wanted to cover one's tracks by doing so, it would be useful to use tools already available on the operating system. Such tools would ideally not track or log the commands run on the system. The irony is that Windows PowerShell fits this description and has these capabilities, at least in the PowerShell 2.0 that ships with Windows 7; later versions added module logging and script block logging, which record exactly these commands. 
&lt;a href=&quot;http://twitter.com/davehull&quot;&gt;Dave Hull&lt;/a&gt; has noted this on his blog &lt;a href=&quot;http://trustedsignal.blogspot.com/2008/08/touch-on-windows-via-powershell.html&quot;&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;By leveraging the Get-Item cmdlet in PowerShell, one can change some of the metadata within the $Standard_Information Attribute and consequently the values shown in the properties of the file. For example:&lt;br /&gt;&lt;blockquote&gt;(get-item malicious.dll).creationtime=$(Get-Date &quot;02/11/10 07:30&quot;)&lt;br /&gt;(get-item malicious.dll).lastwritetime=$(Get-Date &quot;02/11/10 07:30&quot;)&lt;br /&gt;(get-item malicious.dll).lastaccesstime=$(Get-Date &quot;02/11/10 07:30&quot;)&lt;/blockquote&gt;&lt;div class=&quot;separator&quot;&gt;&amp;nbsp;&lt;a href=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/S7y-dwhDrNI/AAAAAAAAACo/ibxNCH5TgQ4/s1600/fileproperties.PNG&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/S7y-dwhDrNI/AAAAAAAAACo/ibxNCH5TgQ4/s320/fileproperties.PNG&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;To verify this change within the MFT, I used &lt;a href=&quot;http://www.accessdata.com/downloads/current_releases/imager/Imager%20Lite%202.6.1.zip&quot;&gt;FTK Imager Lite&lt;/a&gt; to export the $MFT and &lt;a href=&quot;http://www.integriography.com/&quot;&gt;AnalyzeMFT&lt;/a&gt; to parse and export the contents into CSV format. AnalyzeMFT is a free tool based on a commercial tool called MFT Ripper by &lt;a href=&quot;http://www.mykeytech.com/&quot;&gt;Mark Menz&lt;/a&gt;. Once exported, the CSV file can be opened in your favorite spreadsheet program for easy filtering. 
The following screenshot shows the MFT record for malicious.dll after using the Get-Item cmdlet to change the dates (note that the dates are stored in UTC).&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/S7zHzFJ2ILI/AAAAAAAAADA/nUknpCJtBYw/s1600/export_post_getitem.PNG&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;10&quot; src=&quot;http://1.bp.blogspot.com/_KM-Ojgotrpk/S7zHzFJ2ILI/AAAAAAAAADA/nUknpCJtBYw/s400/export_post_getitem.PNG&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;As you can see from the export, the problem with this tactic is that the Std Info Entry Date (MFT Entry Modified Time) remains unchanged. Moreover, the FN Info ($File_Name Attribute) dates also remain unchanged. Interestingly enough, renaming the file will change both of these values, but doing so will change them to the current system time. The only real option I have been able to find is to change the system time prior to renaming. This can be accomplished by using the Set-Date cmdlet in PowerShell.&lt;br /&gt;&lt;blockquote&gt;set-date -date 02/11/10&lt;br /&gt;set-date -date 07:30:00&lt;br /&gt;rename-item malicious.dll notmalicious.dll&lt;/blockquote&gt;Now we have the following export from the MFT.&lt;br /&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/_KM-Ojgotrpk/S7zJC5RmC1I/AAAAAAAAADI/1FiYLf5RfvY/s1600/export_post_rename.PNG&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;10&quot; src=&quot;http://4.bp.blogspot.com/_KM-Ojgotrpk/S7zJC5RmC1I/AAAAAAAAADI/1FiYLf5RfvY/s400/export_post_rename.PNG&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Unfortunately, this approach is far from perfect. The MFT Entry Modified Date within the $File_Name Attribute remains unscathed (I have not been able to figure out how to change this). 
Moreover, by default, an informational event is logged to the System event log whenever the system time changes. Note the date of the event, however. There is a similar event for the second Set-Date, the one that changes the time of day.&lt;br /&gt;&lt;blockquote&gt;Log Name:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; System&lt;br /&gt;Source:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Microsoft-Windows-Kernel-General&lt;br /&gt;Date:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 2/10/2010 12:00:00 AM&lt;br /&gt;Event ID:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 1&lt;br /&gt;Task Category: None&lt;br /&gt;Level:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Information&lt;br /&gt;Keywords:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Time&lt;br /&gt;User:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; User&lt;br /&gt;Computer:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; CompromisedHost&lt;br /&gt;Description:&lt;br /&gt;The system time has changed to 2010-02-11T04:00:00.000000000Z from 2010-04-07T18:49:38.251360400Z.&lt;/blockquote&gt;Other considerations include the .lnk files created by the &quot;Recent Document History&quot; feature, which is turned on by default within Windows. This feature would create a malicious.dll.lnk file in the C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent folder on Windows Vista and 7 and consequently create an MFT entry for this file with its own metadata. This certainly would also be a red flag for the forensic investigator. Thus an attacker may want to turn this feature off prior to performing any tasks on the host. With PowerShell this can be accomplished by using the New-ItemProperty cmdlet to create the appropriate registry value and then using the Stop-Process cmdlet to force a reload of the explorer.exe shell for the current user. 
&lt;br /&gt;&lt;blockquote&gt;mkdir HKCU:\software\microsoft\windows\currentversion\policies\explorer&lt;br /&gt;New-ItemProperty HKCU:\software\microsoft\windows\currentversion\policies\explorer -name norecentdocshistory -propertytype DWord -value 1&lt;br /&gt;Stop-Process -name explorer -force&lt;/blockquote&gt;The explorer process reloading will also generate an informational event log entry.&lt;br /&gt;&lt;blockquote&gt;Log Name:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Application&lt;br /&gt;Source:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Microsoft-Windows-Winlogon&lt;br /&gt;Date:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 2/11/2010 7:34:12 AM&lt;br /&gt;Event ID:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 1002&lt;br /&gt;Task Category: None&lt;br /&gt;Level:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Information&lt;br /&gt;Keywords:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Classic&lt;br /&gt;User:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; N/A&lt;br /&gt;Computer:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; CompromisedHost&lt;br /&gt;Description:&lt;br /&gt;The shell stopped unexpectedly and explorer.exe was restarted.&lt;/blockquote&gt;Stopping the eventlog service prior to actions being taken on the compromised host may be prudent. Note, though, that on Vista and later the Event Log service records its own shutdown (Security event 1100), so the resulting gap is itself an artifact. I will save the manipulation of other forensic timeline sources for a later post.</content>
		<author>
			<name>Bugbear</name>
			<email>securitybraindump@gmail.com</email>
			<uri>http://securitybraindump.blogspot.com/</uri>
		</author>
		<source>
			<title type="html">Security Braindump</title>
			<link rel="self" href="http://securitybraindump.blogspot.com/feeds/posts/default"/>
			<id>tag:blogger.com,1999:blog-7055243034201530750</id>
			<updated>2010-07-28T15:00:03+00:00</updated>
		</source>
	</entry>
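The two Security Braindump posts above describe the attacker side: rewriting the $Standard_Information times with Get-Item, renaming or moving at a faked clock so the $File_Name times follow, and the one value ($File_Name entry-modified) that would not move. What follows is an added example of the analyst side, written for this page and not taken from analyzeMFT or from the posts: a minimal parser for resident $STANDARD_INFORMATION and $FILE_NAME attributes in raw 1024-byte $MFT FILE records, with two checks that fall directly out of the posts' observations. It assumes the standard NTFS record layout (update sequence fixups applied, resident attributes only, a 48-byte $SI) and scans records it constructs itself. The constructed times reuse the posts' values, with 07:30 local taken as 11:30Z, an assumption based on the event log showing 02/11/10 midnight local as 04:00:00Z. Function and constant names are mine.

```python
"""Flag $MFT records whose timestamps look stomped (added example, not analyzeMFT).
Parses resident $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) attributes from
raw 1024-byte FILE records; the records scanned below are constructed, not carved."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SEC = 10_000_000          # FILETIME counts 100 ns ticks since 1601-01-01 UTC
SI, FN, END_MARKER = 0x10, 0x30, 0xFFFFFFFF

def filetime(dt, ticks_extra=0):
    """UTC datetime (whole seconds) -> FILETIME, plus an optional 100 ns remainder."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SEC + ticks_extra

def to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)   # FILETIME -> UTC datetime

def apply_fixups(rec):
    """Undo the update sequence array: NTFS parks the real last two bytes of every
    512-byte sector in the USA and writes the sequence number in their place."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    buf = bytearray(rec)
    for i in range(1, usa_count):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch at offset %d: torn or corrupt record" % end)
        buf[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(rec):
    """Return {'si': (C, M, E, A), 'fn': (C, M, E, A), 'name': str}; E = entry modified."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    out = {}
    off = struct.unpack_from("<H", rec, 20)[0]          # offset of the first attribute
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                            # resident attributes only
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            if atype == SI:
                out["si"] = struct.unpack_from("<QQQQ", body, 0)
            elif atype == FN and "fn" not in out:        # 8.3 and Win32 names share one set of times
                out["fn"] = struct.unpack_from("<QQQQ", body, 8)
                out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return out

def timestomp_indicators(parsed):
    """Findings for one parsed record; an empty list means nothing stood out."""
    findings = []
    si, fn = parsed["si"], parsed["fn"]
    # 1. Get-Date "02/11/10 07:30" and Timestomp both write whole seconds; NTFS itself almost
    #    never does. A lead, not proof: archive extractors and FAT copies also write coarse times.
    for label, ft in zip(("created", "modified", "mft_modified", "accessed"), si):
        if ft % TICKS_PER_SEC == 0:
            findings.append("$SI %s is a whole second: %s" % (label, to_dt(ft)))
    # 2. Whatever updates $FN entry-modified also updates $SI entry-modified, so $FN should never
    #    be later. After the rename-at-a-faked-clock trick it is: seven values moved, not this one.
    if fn[2] > si[2]:
        findings.append("$FN mft_modified %s is later than $SI mft_modified %s"
                        % (to_dt(fn[2]), to_dt(si[2])))
    return findings

def build_record(si_times, fn_times, name="notmalicious.txt", parent_ref=5):
    """Construct a minimal, fully resident 1024-byte FILE record (test data only)."""
    def attr(atype, body, attr_id):
        total = (24 + len(body) + 7) // 8 * 8
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, attr_id, len(body), 24, 0, 0)
        return hdr + body + b"\0" * (total - 24 - len(body))
    si_body = struct.pack("<QQQQI", *si_times, 0x20) + b"\0" * 12            # 48-byte $SI, ARCHIVE flag
    fn_body = struct.pack("<QQQQQQQIIBB", parent_ref, *fn_times, 0, 0, 0x20, 0, len(name), 1)
    fn_body += name.encode("utf-16-le")                                      # namespace 1 = Win32
    attrs = attr(SI, si_body, 0) + attr(FN, fn_body, 1) + struct.pack("<I", END_MARKER) + b"\0" * 4
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 48, 3, 0, 1, 1, 56, 1, 56 + len(attrs), 1024)
    rec = bytearray(hdr + struct.pack("<QHHI", 0, 2, 0, 42) + b"\0" * 8 + attrs)
    rec += b"\0" * (1024 - len(rec))
    usn = struct.pack("<H", 1)
    rec[48:54] = usn + bytes(rec[510:512]) + bytes(rec[1022:1024])         # USA = usn + saved bytes
    rec[510:512] = rec[1022:1024] = usn                                    # then stamp the sector ends
    return bytes(rec)

# Constructed values reusing the posts' times. 07:30 local is taken as 11:30Z (assumption: the
# event log shows 02/11/10 midnight local as 04:00:00Z); the real time is the event's "from" value.
FAKE = filetime(datetime(2010, 2, 11, 11, 30, tzinfo=timezone.utc))
REAL_CREATE = filetime(datetime(2010, 4, 7, 18, 49, 38, tzinfo=timezone.utc), 2_513_604)
REAL_RENAME = REAL_CREATE + 7 * TICKS_PER_SEC + 41_337                       # a few seconds later
# After the rename trick: everything reads 2010-02-11 except $FN entry-modified.
STOMPED_RECORD = build_record((FAKE,) * 4, (FAKE, FAKE, REAL_RENAME, FAKE))
# Untouched file: $FN frozen at creation, $SI moved forward by a later write.
CLEAN_RECORD = build_record((REAL_CREATE, REAL_RENAME, REAL_RENAME, REAL_CREATE),
                            (REAL_CREATE,) * 4, name="report.docx")

if __name__ == "__main__":
    for rec in (STOMPED_RECORD, CLEAN_RECORD):
        parsed = parse_record(rec)
        print(parsed["name"], timestomp_indicators(parsed) or ["clean"])
```

Run as a script it prints five findings for the stomped record and none for the clean one. Against a real case you would feed it the 1024-byte records of a carved $MFT (for example by slicing the file FTK Imager exported) and treat a whole-second $SI fraction as a lead to corroborate rather than a verdict, since some legitimate tools also write coarse timestamps; the second check, $FN entry-modified later than $SI entry-modified, has no benign explanation short of a backwards clock correction, which is exactly what the Set-Date step in the post is.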

	<entry xml:lang="en">
		<title type="html">What’s on your (ideal) border?</title>
		<link href="http://www.chrisam.net/blog/2010/05/01/whats-on-your-ideal-border/"/>
		<id>http://www.chrisam.net/blog/?p=122</id>
		<updated>2010-05-01T22:27:02+00:00</updated>
		<content type="html">&lt;p&gt;If you had a beefy Linux box with plenty of storage hanging on to your border router that can see all of your network&amp;#8217;s ingress/egress traffic, what would you put on it? Why?&lt;/p&gt;
&lt;p&gt;Let me know in the comments or via &lt;a title=&quot;Twitter - TheChrisAM&quot; href=&quot;http://twitter.com/thechrisam&quot; target=&quot;_blank&quot;&gt;twitter&lt;/a&gt;!&lt;/p&gt;
&lt;p&gt;I&amp;#8217;m thinking some sort of netflow collector, maybe a layer 7 re-assembler. Full packet capture/logging perhaps?&lt;/p&gt;</content>
		<author>
			<name>Christopher Mills</name>
			<uri>http://www.chrisam.net/blog</uri>
		</author>
		<source>
			<title type="html">Christopher Mills</title>
			<subtitle type="html">A place for stuff I write.</subtitle>
			<link rel="self" href="http://www.packetsense.net/blog/feed/"/>
			<id>http://www.packetsense.net/blog/feed/</id>
			<updated>2010-06-11T01:30:15+00:00</updated>
		</source>
	</entry>

</feed>
