Monday, October 1, 2012

Password extraction fun

Extraction of passwords whether remotely or by gaining physical access to a computer is always an area of interest for my clients.  If you can acquire the Windows password this can be very useful, users often consider their OS to need a very strong password, not realising that they are very easy to crack.  The average number of passwords used by a person tends to not exceed 3, or derivatives of 3.  If you get the Windows password it tends to be the 'strong' one that they use and so applying it to their Paypal, Gmail etc you might be successful.

Generally the way to grab the password is to dump the LM/NT hashes either by grabbing the SAM or from a RAM dump and then use Rainbow tables (or a dictionary or brute force attack) to decrypt the plain text.  This is not terribly hard but requires some knowledge and there is always the possibility of the crack not coming through for you.

Somehow I had missed the release of a tool called Mimikatz written by a chap with an extraordinary ability to undermine security holes within Microsoft (and has a penchant for writing everything in French, tres bien).  If you would like to know how his technique works then please take the time our to read his cracking Powerpoint click here (Thankfully not in French!). Thanks to my friend Jon Evans who mentioned it to me last week.

Mimikatz can achieve a number of things but the most useful to me is its claim to extract plain text user passwords.  Guess what - it works!

Here's what to do.

Download Mimikatz

Run the 32bit or 64bit version as administrator (please dont make me explain how you would know which!!) and you are presented with a console environment.

Next get into debug mode with the command:-

Next simply dump the passwords by running:-
sekurlsa::logonPasswords full
Job done!

Username - nickfx
Password - 123

Easy eh!

This is an extremely useful addition to any first responder toolkit and I highly recommend having a go for 10 minutes.

Monday, September 24, 2012

Volatility - cmdscan buggy?

I tweeted last week that I was impressed with a new command in Volatility called cmdscan.  The command is designed to extract command shell history.  I had run it on a variety of new and old RAM dumps and appeared to get slightly random results, often interspersed with obviously correct history.

In my tweet I made the comment that the command was good but a bit buggy. 

An example of my issues are in the image below:-

You can see that the upper part of the results seem to display erroneous results whereas the lower portion is very obviously a series of recovered commands. 

To my pleasant surprise Michael Ligh himself dropped me a line asking for more details which I duly provided only to discover that I should have not been such an ass but have checked the code before making the comment,  Turns out it is doing exactly what it should.  I thank Mike for his gracious response and explanation which I re-print here:-

MHL in short, cmdscan is to consoles as psscan is to pslist. In other words, the consoles plugin (not sure if you tried that one) will find active/running console sessions (like pslist will only find active processes) and not only print command history but full input/output buffers. The cmdscan plugin, on the other hand, will scan through memory using pattern matching and try to brute force with sanity checks etc - the advantage being that it can not only find histories from active/running processes but also closed consoles that have been partially deallocated or overwritten (similar to how psscan carves and finds terminated processes).

If you take a look at the command history structure:

You'll see there's a CommandBucket member which is an array of pointers (to command structures). The CommandCount member tells you how many pointers in the CommandBucket are valid. However, if the command history structs belong to closed/terminated processes, then we cannot rely on CommandCount. It could be 0 although there are still valid pointers in the CommandBucket array. Or vice versa - it could be 40 although there are only 10 valid pointers in the array - not even continuous, it could be slots 0, 4, 5, 10, 11, 12, 18, etc.

So cmdscan ignores the CommandCount member and treats CommandBucket as an array of 50 pointers, because 50 is the max history on most systems. If a pointer points to a valid location (i.e. somewhere allocated and not paged) and looks like it might be at lest some unicode characters, then its printed to the terminal.

If you look at your "Screen Shot 2012-09-21 at 15.27.59.png" image, it says CommandCount is 15. You see slots 0-14 are are valid but it goes on to print slot 18, 25, 32, 39, and 46 anyway just in case CommandCount isn't accurate. The consoles command would trust CommandCount and only print slots 0-14.

After looking at the screen shots, I'd say the plugin is working as expected. So if you do get a chance to look over the code, its pretty well commented and you should be able to figure out why it seemed buggy.

Thanks again to MHL and the Volatility team for such a useful toolset.

Monday, September 17, 2012

Advanced Open Source Intelligence Gathering

 The Internet contains a vast amount of information about people that may be of interest to us.  Police and other Agencies may want to know more about a suspect, a company may want to research the background of a senior candidate or understand the ‘exposure’ of their company or key employees.  Much can be gathered if you know how to exploit online resources.
This course focuses on the investigators ability to gather information on people, groups or companies from the Internet in a truly advanced manner.  Rather than just using ‘advanced’ Google searches and other web sites we will be leveraging the tools available to look ‘under the surface’ of the internet, accessing data gleaned by understanding database API’s used by the likes of Twitter, Facebook and others, ‘dark net’ data collection methods and other areas rarely taught.  
The 4 day course is completely hands-on and will teach a range of skills from staying anonymous, bouncing data around the world, setting up false online identities, extracting data using API's, using Patervas awesome Maltego and graphing and visualizing data both historical and in real-time.
We have already begun seeding the Internet with the false identities of subjects that we will be investigating on the course.  The final exam will pit your new skills against the online world as you work to discover all you can about a person, their friends and what they are planning to do!
Other Open Source courses are available, but not like this!
The course will include a 6 month license for Maltego Case File, 6 months VPN access, an encrypted 
hard drive, a large number of software tools and course manual.
The 4 day course is £1800 + VAT 
Nick Furneaux (me!) teaches Law Enforcement agencies all over the world and this is the first time that corporate students have been accepted.
To inquire further please contact me here


Day 1
Understanding the law – what can you do?
Setting up your tool kit
            Encryption of data
            To cache or not to cache
            Benefits of using Virtual Machines
            Adding magic to Firefox
Bouncing anonymously round the world – Proxies and VPN’s
Setting up your own false identities

Day 2
Maltego Case File usage
Aggressive searching – only search the part of the web you need to
            Lots of useful sites to bookmark and try
Searching through maps
            Using social media to ‘see’ an area
What can a web site tell us?
            Who owns it and where are they?
            Blowing a web site apart – mapping a web site in real time
            What did it used to say? - Finding deleted data on the Internet
            Finding hidden links
            Finding documents
            The wonder of Metadata!
Maltego V3!
Google Hacking 101

Understanding email – identification and tracking

Day 3

Finding forums, blogs, websites, IRC entries

            Working with IRC clients

Are you or you organization leaking?

            Using your skills to understand your own vulnerabilities

            Checking if hackers have released your/corporate information

Exploiting Social Networking

Mapping Social Networking accounts and followers

Following the network – don’t forget the family!

Extracting data from Twitter via API

Extracting data from Facebook via API

Facebook ‘naughtyness’

Graphing Twitter data LIVE

Day 4

Geo location possibilities (Where are they, or are they where they say they are?)

EXIF data extraction

Plane and Ship mapping

Enumerating Geo-Coordinates using API

Finding people using public records

Being a bit more aggressive to get IP’s

101 Social Networking – why not just call and ask what you want to know!

Final exam – Full online search and enumeration of a named subject.  Course grade based on details located. (Open book)
Course certificated and graded.

TOTAL COST - £1850 + VAT

Wednesday, June 20, 2012

Firewire fun with Thunderbolt

Since 2006 when Adam Boileau released his research on exploiting machines using Firewire, we have had fun unlocking locked computers and imaging RAM from the same.  With the release of Thunderbolt (TB) I wondered if the same issues surrounding Direct Memory Access (DMA) exists with that implementation.  Turns out it does.  The interesting thing about this is that allowing DMA provides much of the cool functionality that TB provides however this also provides an attack vector for physical access in the same way as Firewire.  As this is due to an implementation in the hardware layer the OS remains blissfully unaware of whats going on.

Reading a blog on the subject this week there were many comments about it being a lame duck attack as physical access is needed, however, many in our community know that gaining access to a machine is often possible.

If a computer is dead then file level access is simple, however a Windows or Mac that is booted but password locked has always been a problem, however with TB now appearing on all Macs this could be rather a useful technique.  It is notable that Lion appears to turn off DMA in certain circumstances but more work needs to be done to understand this fully.

Enter 'Inception', a very nice proof of concept tool from the Break n Enter blog.  Some work has been done in this area and it seems to work pretty well in certain situations. I won't bother re-blogging everything, but I strongly recommend reading the page I linked to above and also the video which shows the extraction of RAM and the pwning of the FileVault password (loving the music too).  Big shout out to them for the tool and the work.

I'll try and spend some time on this in the next few weeks and let you know how I get on.

Sunday, April 29, 2012

Skype IP addresses - in the clear

The security forums and blogosphere have been buzzing for the past few days with an 'undocumented feature' of Skype, the ability to discover the internal and external IP addresses of any Skype account currently logged in.  I don't mean people on your buddy list - I mean ANYONE!

Knowledge of this is critical if you use Skype in any situations where your location needs to remain secure or simply if you are interested in personal privacy.

I've tested this and it does what it says on the tin.  I was able to extract the external and internal IP's of a friend in the US to within a few miles of his house, a buddy in Asia to within a few streets and my own to just a few miles down the road.  More concerningly the internal IP combined with the internet facing address provides the basis for a direct probe and then attack of any individual on Skype's global address book.

The details seem to have come initially from Russian hackers and appeared on PasteBin on April 26th but there is a site which will do it all for you.  I won't copy the whole thing as there is a perl script to assist with parsing the logs but here is the gist:-

1. Downloading this patched version of Skype 5.5:

2. Turn on debug-log file creation via adding a few registry keys.

3. Make "add a Skype contact" action, but not send add request, just click on user, to view his vcard(general info about user). This will be enough.

4. Take look in the log of the desired skypename.
The record will be like this for real user ip: -r195.100.213.25:31101
And like this for user internal network card ip: -l172.10.5.17

21:16:45.818 T # 3668 PresenceManager: aїљ noticing skypetestuser1 0x3e54a539a91a19fc-s-s65.55.223.23 :40013-r195 .100.213.25:31101-l172 .10.5.17:22960 23d23109 82f328ff

5. Catch user via whois service.

This is help you to get info about skype user: City, Country, Internet provider and internal user ip-address. 
I don't want to overstate this, but this is a big deal.

There is also a web site now if you don't want to bother with the log route -, just type in your targets Skype name and bingo, the IP's are even helpfully linked to!  If they are not currently online it does not seem to provide the last known address, only if they are currently online.  Please be cautious with this URL, I have not tested it for a browser payload etc and wouldn't be surprised if something nasty awaits!  However, using it on a VM would be advisable.

Also if you are going to try the patched Skype be 'super' cautious and also some users have reported having their Skype accounts terminated.

I appreciate that Skype is both free and P2P meaning that IP's are often visible when in a conversation, file transfer etc but at least you are in a conversation with a 'known' person.  This technique can be used by and against, anyone with a Skype account, regardless of whether they are a buddy.

I hope that Skype take a serious look at this, simply proxying contact requests would likely solve it which wouldn't be awfully hard for them.  I for one really appreciate the Skype service and use it daily, however, I live in nice, reasonably safe England, not one of the many Countries where it is used for secure comms, free from Government intervention.  For them alone, this needs to be solved.

Wednesday, February 15, 2012

Visualizing Online Investigations - LIVE

This is my 3rd blog post on data visualization, its becoming a bit of a hobby if Im honest.  Its really good fun!  Aside from fun, I am beginning to believe that there is a significant future in enabling investigators and juries alike to be able to ‘see’ data in a way that is meaningful and useful.  In my last post I outlined how Facebook chat was graphed for an abuse case and I had many interesting emails on the subject.

There is a lot of work to do but I decided to move on to a more challenging area, visualizing online data in a LIVE setting.  It seemed that there were 2 areas worth looking at, Twitter and investigating web sites.

For both of the examples below I used the free graphing tool Gephi with a variety of plugins.


I'm sure no one reading this needs to have an explanation of Twitter, however, there are areas where an investigator may want to use Twitter to understand how an event was panning out live.  An example would be the Police monitoring the ring leaders of a riot or a journalist looking for the movers and shakers in the development of a news event. 

An example of the latter came up when I was playing early on with live mapping of Twitter feeds.  I had set a filter to intercept all #syria hashtags during the bombardment of the Syrian city of Homs.  As the tweets hit 3000 a pattern began to exist in the spherical graph, a cluster of someone who was a tweeter being heavily retweeted.  Zooming into the graph gave me his username.  A bit of research indicated that this guy was IN homs at the time tweeting what he was seeing in real time.  If I was a journalist, I would be wanting to talk to this guy.

Using Gephi with a plugin written specifically for Twitter data I started working with different filters and displays.  The plugin taps into the global Twitter feed and applies the filter to decide what to capture.  Eventually, I got it sorted and I have posted a slightly less serious example on Youtube with ‘appropriate’ music.  I was working on it when I heard that Whitney Houston had sadly died.  I quickly started a Twitter capture with hashtags associated with the singer and started a video screen capture.  It is fascinating to watch the Tweets arrive and clusters begin to take shape.  Initially the busy tweeters were the news outlets such as CNN, but these were quickly replaced with ‘people’, some of which were very popular to retweet.

This is definitely a capability that many investigators should examine.  Check out the Whitney video or watch it on YouTube -

Internet Investigations

For any investigator, whether it be Police, Corporate investigator, Social Engineer or Journalist the ability to understand the web presence of their subject can be invaluable.  Being able to simply browse to their targets web site and see what links exist, what services are in use, who handles their credit cards, whether they use analytics, so many different aspects.

Again using Gephi along with an http plugin I set Firefox up to proxy through the plugin and started recording.  Using Firefox I then browsed to the web site of and navigated through its pages.  The results can be seen (with appropriate music again!) below or at YouTube -

Forensic visualization is probably best used to see data in a clearer way from results gleaned from a disk or RAM dump etc.  However, these live feeds provide a fascinating view of the world or an investigation tool that should not be overlooked.