Dark Reading: DIY security lab

As I’m currently setting up and playing with my home research lab, this article from Dark Reading caught my attention. The article doesn’t provide much ‘new’ material to those who have researched security labs even in minimal depth, but it does focus on how security labs can provide cheap training to keep your skills sharp in the current economic climate. I don’t want to paraphrase the article as it is all fairly self-explanatory, but for those considering how to use a proposed or existing lab, John Sawyer’s article suggests the following possibilities:
Before everyone signs off on the security testing lab, however, you need to answer several questions to determine the design and purpose of the lab. They include:

  • Is the lab just for testing new security tools and exploits in a controlled environment?
  • Will the lab be home to staged cyberwarfare, where multiple staff members are involved as either attackers or defenders?
  • What about mock incident-response scenarios, where one team member “hacks” a system or pretends to be a disgruntled employee while the others are left trying to put the pieces back together?

The article does go on to suggest different hardware and systems for various flavours of labs, but nothing particularly mind-bending (VMWare for basics, more hardware required for larger labs, etc.).

Andrew Waite

Sec610 Reverse Engineering Malware Demo

I spent a very interesting hour with Lenny Zeltser (and others) around a week ago with a live demo of part of Lenny’s Sec610 course. For those interested in taking the course, or in malware in general, I’d suggest that if the demo is a representative sample of the course then you’re likely to really enjoy it. If you’re interested, the webcast session was recorded; I’m not going to provide the link here as I do not know if it is intended for public consumption, but I’m sure if you contact SANS they’ll be able to hook you up.

I don’t want to give too much away, but the demo session focused on reversing an unfamiliar binary that was a dummy MSN application for password harvesting. A lot of the overall tools and theory would have been fairly straightforward for anyone with knowledge in this area; basic RE tools (VMWare, OllyDbg & Wireshark etc.) were covered where relevant. The demo also focused on some more specialised and less well known (at least to me) tools. Mostly these were system monitoring utilities and snapshot status gathering tools to get a better feel for what the malware was up to.

The main utilities that caught my attention were fakeDNS and MailPot; these tools are designed to fake standard services so that the malware can communicate with ‘external’ sources in a safe environment. These come as part of the Malcode Analysis Pack that is distributed by iDefense. Until this point I have been using full-blown (virtual) servers to run sandboxed DNS, SMTP, etc. services for malware analysis; I’m hoping these utilities will reduce the implementation time required for a specific analysis, leaving more time and resources available to focus on the malware itself.
Andrew Waite

BBC, Botnet, Ethical, Legal?

This news story seems to be everywhere at the moment. It appears that the BBC has ‘investigated’ the impact of botnets by hiring a 22,000-strong herd and ‘testing’ on their systems, while still utilising 22,000 compromised private machines. The original BBC article is here.

Many sites (The Register and The Guardian among them) have asked whether this is legal. The BBC article claims that:
‘If this exercise had been done with criminal intent it would be breaking the law.’

Several places have pointed out, though, that criminal intent is not required for a criminal act (IANAL so please don’t quote me on that).

The ‘ethical’ botnet/virus/trojan/etc. has been debated for many years (discussed in Aggressive Network Self-Defense and debated by the Tipping Point team during their analysis of Kraken). Personally I think it speaks volumes that the technical experts stop short of the actions taken by the BBC, but the journalists blow through without compunction.

It will be interesting to see how this plays out.
Andrew Waite

Example PCAP files

Just a quick one this time around, as it is mostly a reminder to take a closer look once I get some free time….
In Dave Hull’s recent post on the SANS forensic blog (well worth a read in its own right), Dave links to part of the Network Miner Sourcefire site that contains many links to publicly accessible .pcap files for training, analysis and general packet-fu fun. Direct link here.
This should provide a wealth of real-world packet captures for some realistic training and analysis. If you can spare the time, take a look.
Andrew Waite

dd, netcat and system recovery

Simple scenario
A Linux server (Debian in this case) has run out of hard-disk capacity (4GB) and needs to be migrated to a larger capacity hard drive (6GB). This should be simple; VMWare even provides a nice method to merely expand the virtual hard disk capacity. However, I’m doing this for the purposes of practice and training with various tools, so I’m going to assume we’re working with physical hardware and this option isn’t available (despite the fact the machines being used are virtuals within my lab, I know….)

(*N.B. if following these steps on your own hardware, substitute all IP addresses, devices and file paths as relevant to your environment. This is just the process that worked in my scenario; if working with your own equipment ensure that you know the impact of each command before running anything, your mileage may vary. If unsure, contact an expert for further advice.)

Servers involved

  • Debian Server: 10.0.0.8
  • Acquisition Server: 10.0.0.211

Data Acquisition
To transfer the data from the original server I used only free and freely available tools. To start, the Debian server was booted from CD with Knoppix (note: nearly any Linux live CD would have been suitable for this task; previously I would have used Helix, but this is unfortunately no longer free).

Once booted, an image was collected via the venerable dd and transferred to the acquisition server via the equally venerable netcat.
Debian $ dd if=/dev/sda1 | nc 10.0.0.211 2000
Acquisition $ nc -lp 2000 | dd of=/mnt/sda1/debian-sda1.dd

I always name my images with the device or mount point that was captured. It is easy to forget further down the line whether you had imaged a partition or entire block-level device, this is the best way I have found to document what is contained in the image.

Depending on your connection speeds and hard disk capacities this transfer can take a long time; in my case the initial image capture took a little under 30 minutes. What can be unnerving the first few times through the process (especially if you are working under time constraints) is that the nc/dd combination does not provide any progress status.

One tip I’ll share is to ensure the netcat sessions are initiated via console sessions. In previous scenarios I have been remotely SSH’d to one of the servers and initiated the image transfer, only to have my remote session timeout and kill the dd/nc processes 🙁 not a nice thing to experience…

Once the image transfer completes you can verify the integrity of the acquired image by hashing; as people have started discovering issues with some hashing algorithms it is worth hashing with several algorithms for complete peace of mind. In this scenario I used the utilities md5sum and sha1sum, as forensic integrity isn’t an issue in this case.
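The acquisition and verification steps above, written out as a small shell script. This is an added example, not a script from the original post: the sender/receiver wrappers reproduce the dd/nc pairing (host 10.0.0.211 and port 2000 are the values from the scenario above and are placeholders for your own), the GNU coreutils dd option status=progress is used to get the transfer feedback the plain pipeline lacks, and the verification hashes with both md5sum and sha1sum so that a short or corrupted copy is rejected. The demo at the bottom images a constructed file of random bytes instead of /dev/sda1 so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post. Device paths, hosts and ports
# are placeholders taken from the scenario above; substitute your own.

# Sender side (run on the machine being imaged), as in the post, plus GNU dd's
# status=progress so the transfer reports how far it has got.
# Usage: send_image /dev/sda1 10.0.0.211 2000
send_image() {
    dd if="$1" bs=64k status=progress | nc "$2" "$3"
}

# Receiver side: listen on a port and write the stream to an image file named
# after the device captured (the naming convention from the post).
# Usage: receive_image 2000 /mnt/sda1/debian-sda1.dd
receive_image() {
    nc -lp "$1" | dd of="$2" bs=64k
}

# Print "<md5> <sha1>" for a file; two algorithms, as the post recommends.
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" \
                     "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Return 0 only if both digests of SOURCE and IMAGE agree; otherwise report
# the mismatch on stderr and return 1.
verify_image() {
    src_h=$(hash_file "$1")
    img_h=$(hash_file "$2")
    if [ "$src_h" = "$img_h" ]; then
        echo "OK   $2 ($img_h)"
        return 0
    fi
    echo "FAIL $2: source $src_h, image $img_h" >&2
    return 1
}

# Local copy with dd (no netcat) followed by the same verification; this is
# the path the demo below exercises.
acquire_local() {
    dd if="$1" of="$2" bs=64k 2>/dev/null && verify_image "$1" "$2"
}

# Constructed demo: 256 KiB of random bytes stands in for /dev/sda1.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/sda1" bs=1024 count=256 2>/dev/null
    acquire_local "$tmp/sda1" "$tmp/demo-sda1.dd"
    # Simulate a transfer that was cut short (e.g. a dropped SSH session)
    # and show the dual-hash check rejecting the truncated image.
    dd if="$tmp/demo-sda1.dd" of="$tmp/short-sda1.dd" bs=1024 count=200 2>/dev/null
    verify_image "$tmp/sda1" "$tmp/short-sda1.dd" || echo "truncated image rejected"
    rm -rf "$tmp"
}

demo
```

The wrappers are not invoked by the demo because they need a second host; on real kit start receive_image on the acquisition server first, then send_image on the Knoppix-booted machine, and run verify_image against the original device once the transfer ends.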

Prepare new drive
At this point I powered down the Debian server, deleted the original hard drive, created a new drive with larger capacity and rebooted, again with Knoppix. The drive was partitioned with fdisk; I’ll not go into specifics as there are plenty of great tutorials regarding partitioning available elsewhere.

Replicate Data
The next task is to copy the data back from the acquisition server; this is basically the reverse of the initial dd/nc commands:
Debian $ nc -lp 2000 | dd of=/dev/sda1
Acquisition $ dd if=/mnt/sda1/debian-sda1.dd | nc 10.0.0.8 2000

Configure server to use new hard disk
At this point the re-migrated data can be mounted and utilised, but it is currently not bootable and its filesystem will not take advantage of the additional storage capacity. The latter of these issues is easily dealt with; again from within a Knoppix boot, running the below command will expand the file system to the partition’s capacity:
$ resize2fs /dev/sda1

To allow the system to boot from the new drive grub was re-installed with the below command:
$ grub-install --root-directory=/mnt/sda1/ /dev/sda
And with that the system boots as before, but with the additional capacity required to continue operating in a useful manner.
Andrew Waite

Glad I'm not a BT customer

Once again I’m glad I don’t do business with BT (with the exception of line rental). First Phorm, now this:

BT has begun transforming its commercial customers’ Business Hubs into OpenZone hotspots for any passing Tom, Dick or Harry to share, and leaving businesses to figure out how to opt out of the scheme after the fact.

…snip…
“Free BT public wi-fi hotspot for every business broadband customer” claims the release, proudly suggesting that “Hub owners buy BT Openzone access vouchers … and can choose to pass the vouchers to their customers or resell the prime business service and add revenue”, so you can either screw visitors to your office by selling them vouchers, or pay BT twice for the same bandwidth by giving them away.

Full info can be found here. BT keep managing to set the bar lower and lower….
Andrew Waite

Windows Right-Click context menus

Whilst doing some research on reverse engineering I came across a useful tip on the Tipping Point MindshaRE blog. The post details the (simple) steps required to add IDA Pro’s disassembler to the Windows right-click context menu.

This is definitely simpler than I had expected it to be, although admittedly not something I had investigated before. Judging from the comments on that post the world and his dog already knows how to do this, but I didn’t, so I thought I’d share in case anyone else finds this useful as well. (And it will give me an easy place to find the information again should I forget 😉 )

Instructions, courtesy of Tipping Point:

  1. Open “regedit.exe”
  2. Open the key “HKEY_CLASSES_ROOT”
  3. Locate the file extension class you want.* (“dllfile” and “exefile”)
  4. Open the sub key “shell”, if the key does not exist create it
  5. Create a new key
  6. Give it the text label you want displayed when you right click the file type
  7. Create another key under the label and name it “command”
  8. Open the “(Default)” key under the newly created label key
  9. Add the path to your installation of IDA Pro’s idag.exe binary in double quotes followed by “%1”
  10. Repeat for any other file extensions you want
  11. Close “regedit.exe”

Edited Registry:

Right click in action:
Andrew Waite

Aggressive Network Self-defense

I’m a fan of ‘case study’ type research and analysis, so I think I hit pay-dirt when I found this book. I’ve had the book on my shelf for a couple of years now and keep coming back to it and re-reading whenever I’m looking for inspiration (or just a good read).

The basis of the book is explained in part two: basically, methods and techniques for the ‘good guys’ to fight back against the ‘bad guys’. The line is far too blurred and ambiguous in these cases for me to recommend anyone trying these techniques in the real world, at least not without a very good understanding of all of the relevant laws.
In the real-world examples I’ve seen so far, researchers err on the side of caution and do not fight back. A real-world example and debate of the possibility can be read on Tipping Point’s blog regarding their research into Kraken; the article in question can be found here, although I’d recommend reading all of their posts regarding the Kraken research as it is still interesting, even after nearly twelve months.
In the first part of the book each chapter (8 in part one) focuses on a different topic and scenario, and is written by a different author (including Johnny Long and Dan Kaminsky, with all authors being recognisable from their own fields). Topics range from modifying network games to trap and identify a system intruder, to a blow-by-blow account of an intruder and sysadmin fighting to gain/maintain control of the corporate network.
The book doesn’t go into enough depth regarding any of the attacks, exploits or techniques to allow you to replicate what you read; however, it does instil a desire to go out and learn and play with new ideas. The only problem I found was deciding where to start…
Andrew Waite

First Lab Victim

I’ve spent the last couple of hours installing my next victim machine for the lab; I thought I’d share the process, if for nothing else it’ll be a useful reminder next time I delete the wrong file and need to re-do tonight’s work.
The target in this case is a Windows XP install, patched to Service Pack 2. I’m intending to use this VM for dual purposes: exploit development (both MS native and third-party apps) and malware analysis. As a result I’m going to make extensive use of VMWare’s snapshotting capabilities, allowing me to have multiple states of essentially the same machine depending on what I’m working on at any point in time.
For resource allocation the VM has a 4GB HDD and 512MB of RAM; the RAM may get expanded depending on performance if I’m working on the VM (during malware analysis) rather than just exploiting it.
There is a NIC configured (not connected at power on) on the WAN network to allow access to the web for tool downloads etc. The permanent NIC has access to a ‘malicious’ ESXi vLAN which has no outside access. Once the OS was installed it was connected to the outside world to allow it to phone home and authenticate. At this point the VM was snapshotted to provide a ‘clean’ base in case I need to start from scratch without having to re-install.
Following this I changed the desktop wallpaper, so I can tell whether I’m in a VM or on my real machine; hopefully this should help prevent ‘accidents’. Basic tools were installed at this point, before a final generic snapshot:

I’m fully expecting this list of tools to expand as I gain experience, but for now this should provide a workable environment. Just need to go and exploit something now…
Andrew Waite

Satellite Hacking

Just read an interesting article on El Reg about Adam Laurie, who has supposedly been ‘hacking’ satellite feeds. Unless I’m missing something it appears to be more a case of sniffing unencrypted communication coming from and going to satellites, but it is interesting in any case.
One of the parts of the article I liked was the comment on the UK’s Privacy laws:

A resident in the UK, Laurie says he’s careful to obey the country’s privacy laws. While he is able to identify certain traffic as email, for instance, he doesn’t actually read the contents of the message. Still, he says it isn’t always easy to follow the letter of such laws because they prohibit people from receiving a message if they aren’t the intended recipient.

“It’s a bit of a quandary,” Laurie says. “You can’t tell you’re not supposed to see that data until after you see it. I can’t unsee what I’m not supposed to have seen.”
Whilst I’ll agree that some of the privacy laws are ‘strange’, the action Laurie took was to look for traffic of which he was not the intended recipient; as someone pointed out, if you’re concerned you might be breaking the law you can stop looking.
Andrew Waite