Monday, September 24, 2012

Volatility - cmdscan buggy?

I tweeted last week that I was impressed with a new command in Volatility called cmdscan.  The command is designed to extract command shell history.  I had run it on a variety of new and old RAM dumps and appeared to get slightly random results, often interspersed with obviously correct history.

In my tweet I made the comment that the command was good but a bit buggy. 

An example of my issues are in the image below:-

You can see that the upper part of the results seem to display erroneous results whereas the lower portion is very obviously a series of recovered commands. 

To my pleasant surprise Michael Ligh himself dropped me a line asking for more details which I duly provided only to discover that I should have not been such an ass but have checked the code before making the comment,  Turns out it is doing exactly what it should.  I thank Mike for his gracious response and explanation which I re-print here:-

MHL in short, cmdscan is to consoles as psscan is to pslist. In other words, the consoles plugin (not sure if you tried that one) will find active/running console sessions (like pslist will only find active processes) and not only print command history but full input/output buffers. The cmdscan plugin, on the other hand, will scan through memory using pattern matching and try to brute force with sanity checks etc - the advantage being that it can not only find histories from active/running processes but also closed consoles that have been partially deallocated or overwritten (similar to how psscan carves and finds terminated processes).

If you take a look at the command history structure:

You'll see there's a CommandBucket member which is an array of pointers (to command structures). The CommandCount member tells you how many pointers in the CommandBucket are valid. However, if the command history structs belong to closed/terminated processes, then we cannot rely on CommandCount. It could be 0 although there are still valid pointers in the CommandBucket array. Or vice versa - it could be 40 although there are only 10 valid pointers in the array - not even continuous, it could be slots 0, 4, 5, 10, 11, 12, 18, etc.

So cmdscan ignores the CommandCount member and treats CommandBucket as an array of 50 pointers, because 50 is the max history on most systems. If a pointer points to a valid location (i.e. somewhere allocated and not paged) and looks like it might be at lest some unicode characters, then its printed to the terminal.

If you look at your "Screen Shot 2012-09-21 at 15.27.59.png" image, it says CommandCount is 15. You see slots 0-14 are are valid but it goes on to print slot 18, 25, 32, 39, and 46 anyway just in case CommandCount isn't accurate. The consoles command would trust CommandCount and only print slots 0-14.

After looking at the screen shots, I'd say the plugin is working as expected. So if you do get a chance to look over the code, its pretty well commented and you should be able to figure out why it seemed buggy.

Thanks again to MHL and the Volatility team for such a useful toolset.

Monday, September 17, 2012

Advanced Open Source Intelligence Gathering

 The Internet contains a vast amount of information about people that may be of interest to us.  Police and other Agencies may want to know more about a suspect, a company may want to research the background of a senior candidate or understand the ‘exposure’ of their company or key employees.  Much can be gathered if you know how to exploit online resources.
This course focuses on the investigators ability to gather information on people, groups or companies from the Internet in a truly advanced manner.  Rather than just using ‘advanced’ Google searches and other web sites we will be leveraging the tools available to look ‘under the surface’ of the internet, accessing data gleaned by understanding database API’s used by the likes of Twitter, Facebook and others, ‘dark net’ data collection methods and other areas rarely taught.  
The 4 day course is completely hands-on and will teach a range of skills from staying anonymous, bouncing data around the world, setting up false online identities, extracting data using API's, using Patervas awesome Maltego and graphing and visualizing data both historical and in real-time.
We have already begun seeding the Internet with the false identities of subjects that we will be investigating on the course.  The final exam will pit your new skills against the online world as you work to discover all you can about a person, their friends and what they are planning to do!
Other Open Source courses are available, but not like this!
The course will include a 6 month license for Maltego Case File, 6 months VPN access, an encrypted 
hard drive, a large number of software tools and course manual.
The 4 day course is £1800 + VAT 
Nick Furneaux (me!) teaches Law Enforcement agencies all over the world and this is the first time that corporate students have been accepted.
To inquire further please contact me here


Day 1
Understanding the law – what can you do?
Setting up your tool kit
            Encryption of data
            To cache or not to cache
            Benefits of using Virtual Machines
            Adding magic to Firefox
Bouncing anonymously round the world – Proxies and VPN’s
Setting up your own false identities

Day 2
Maltego Case File usage
Aggressive searching – only search the part of the web you need to
            Lots of useful sites to bookmark and try
Searching through maps
            Using social media to ‘see’ an area
What can a web site tell us?
            Who owns it and where are they?
            Blowing a web site apart – mapping a web site in real time
            What did it used to say? - Finding deleted data on the Internet
            Finding hidden links
            Finding documents
            The wonder of Metadata!
Maltego V3!
Google Hacking 101

Understanding email – identification and tracking

Day 3

Finding forums, blogs, websites, IRC entries

            Working with IRC clients

Are you or you organization leaking?

            Using your skills to understand your own vulnerabilities

            Checking if hackers have released your/corporate information

Exploiting Social Networking

Mapping Social Networking accounts and followers

Following the network – don’t forget the family!

Extracting data from Twitter via API

Extracting data from Facebook via API

Facebook ‘naughtyness’

Graphing Twitter data LIVE

Day 4

Geo location possibilities (Where are they, or are they where they say they are?)

EXIF data extraction

Plane and Ship mapping

Enumerating Geo-Coordinates using API

Finding people using public records

Being a bit more aggressive to get IP’s

101 Social Networking – why not just call and ask what you want to know!

Final exam – Full online search and enumeration of a named subject.  Course grade based on details located. (Open book)
Course certificated and graded.

TOTAL COST - £1850 + VAT