Year: 2015

Under the Wire v2

I just posted v2 of Under the Wire, which contains an additional 5 levels for Century. V2 can be found at the link on the right-hand side of the screen or here.

This release will be the last one containing Century. The next variation that the team and I will be working on will be called Cyborg. It will still have the same feel as Century but will focus primarily on Active Directory, DNS, DHCP and a few other random areas, totalling somewhere around 20 to 25 levels (like Century).

I hope you enjoy the additional 5 levels of Century and stay tuned for the release of Cyborg within Under the Wire.

Traffic Generators

These tools will generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it.

• Bit-Twist includes bittwist, to retransmit traffic from a capture file, and bittwiste, to edit a capture file and write the result to another file (GPL, BSD/Linux/OSX/Windows)

• Cat Karat is an easy packet generation tool that allows you to build custom packets for firewall or target testing and has integrated scripting ability for automated testing. (Windows)

• D-ITG (Distributed Internet Traffic Generator) is a platform capable of producing traffic at the packet level, accurately replicating appropriate stochastic processes for both IDT (Inter Departure Time) and PS (Packet Size) random variables (exponential, uniform, cauchy, normal, pareto, …).

• epb (ethernet package bombardier) is a simple CLI tool for generating/converting Ethernet packets from plain text/pcap/netmon/snoop files. (BSD-like, Linux/Unix)

• Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet.

(more…)

Unzip a file that is zipped many times

This script is used for unzipping zipped files nested inside of a zipped file. The zipped files are password protected. I developed this because it seems like every capture-the-flag event I do has a scenario where this could be used.

This Bash script can be found in my script repo on the right-hand side of the screen.

PowerShell Web Server for Raw Text Transmission

This script will create a temporary web server on the local system that listens on the host IP and a specified port. You will then be able to post some raw data that will be accessible on the network. When running the script, you will be asked what port to listen on and what raw data to post. This script does not support posting files or folders.

The raw data can be accessed one of three ways.

Option 1: PowerShell — Use the below syntax to view it on the screen. It will be in the raw content section.
Invoke-WebRequest http://<IP_Address>:<port>/default

Option 2: PowerShell — Use the below syntax to save the data to a local file.
Invoke-WebRequest http://<IP_Address>:<port>/default -OutFile downloaded_data.txt

Option 3: Internet browser — Use the below syntax to view it in the browser.
http://<IP_Address>:<port>/default

This PowerShell script can be found in my script repo on the right-hand side of the screen.

PowerShell Web Server for File Transmission

This script will deploy a temporary web server on the local system that listens on the port of your choice. Once it is listening, you will be able to transfer .txt and .html files from the directory the script is run from (not the directory where it is located). The web server will continue to run as long as the script is running.

To execute, run the script and, when prompted, input a port to listen on. To access the system and the data in the directory that the script ran from, use the below syntax from another system.

Invoke-WebRequest http://<IP_Address>:<port>/file_in_dir.txt -OutFile downloaded_data.txt

Example: Invoke-WebRequest http://192.168.1.1:8001/passwords.txt -OutFile passwords.txt

This PowerShell script can be found in my script repo on the right-hand side of the screen.
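As an added example (not the author's script from the repo), the following PowerShell listener combines both posts above: it serves a raw text string at /default and .txt/.html files from the directory it is run from, and it refuses requests that try to step outside that directory. It assumes an elevated session, since HttpListener needs administrator rights or a URL ACL to bind, and it takes the port and text as parameters instead of prompting.

```powershell
# Added example, not the post's own script: temporary HTTP listener that serves a raw
# text string at /default and .txt/.html files from the directory it is run FROM.
# Assumes an elevated session (HttpListener needs admin rights or a URL ACL to bind).
param(
    [int]$Port = 8001,
    [string]$RawData = 'constructed sample data'   # text exposed at /default
)

$root = (Get-Location).ProviderPath
# Every served file must resolve to a path that begins with this prefix.
$rootPrefix = $root.TrimEnd([IO.Path]::DirectorySeparatorChar) + [IO.Path]::DirectorySeparatorChar

$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add("http://+:$Port/")        # all host IPs, chosen port
$listener.Start()
Write-Host "Listening on port $Port, serving $root (Ctrl+C, then one more request, to stop)"

try {
    while ($listener.IsListening) {
        $ctx    = $listener.GetContext()
        $resp   = $ctx.Response
        $path   = $ctx.Request.Url.LocalPath.TrimStart('/')   # already percent-decoded
        $served = $false
        $bytes  = $null

        if ($path -eq 'default') {
            $bytes = [Text.Encoding]::UTF8.GetBytes($RawData)
            $resp.ContentType = 'text/plain'
            $served = $true
        } else {
            try {
                # Normalise the requested path and refuse anything that escapes $root
                # (..\ segments, encoded traversal) or is not a .txt/.html file.
                $full = [IO.Path]::GetFullPath((Join-Path $root $path))
                $ext  = [IO.Path]::GetExtension($full).ToLower()
                if ($full.StartsWith($rootPrefix, 'OrdinalIgnoreCase') -and
                    ($ext -in @('.txt', '.html')) -and
                    (Test-Path -LiteralPath $full -PathType Leaf)) {
                    $bytes = [IO.File]::ReadAllBytes($full)
                    $resp.ContentType = if ($ext -eq '.html') { 'text/html' } else { 'text/plain' }
                    $served = $true
                }
            } catch { }                  # illegal characters in the path: fall through to 404
        }
        if (-not $served) {
            $resp.StatusCode = 404
            $bytes = [Text.Encoding]::UTF8.GetBytes('not found')
        }

        $resp.ContentLength64 = $bytes.Length
        $resp.OutputStream.Write($bytes, 0, $bytes.Length)
        $resp.Close()
        # Access log: who asked for what, and what they got.
        Write-Host ('{0} {1} -> {2}' -f $ctx.Request.RemoteEndPoint, $ctx.Request.RawUrl, $resp.StatusCode)
    }
} finally {
    $listener.Stop()
}
```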

PowerShell Network Connection Monitor Script

This script displays the current TCP/IP connections for a local or remote system, including the PID, process name, port, and current state (listening, established, etc.). If the connection is not yet established, the port number is shown as an asterisk (*). It saves the initial output to old_state.txt, sleeps for a period of time of your choosing, runs again and writes to new_state.txt, then compares the two files and prints the differences to the screen. Both files are saved to the directory the script was run from (not where it is located). It repeats this process until the script is stopped.

This PowerShell script can be found in my script repo on the right-hand side of the screen.
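The monitor described above, written here as an added example rather than the author's repo script: it snapshots TCP connections with owning PID and process name, keeps old_state.txt and new_state.txt in the current directory, and prints what appeared or disappeared between rounds. It assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 or newer) and uses a CIM session when a remote computer name is given.

```powershell
# Added example, not the post's own script. Assumes Get-NetTCPConnection (Win8/2012+).
param(
    [int]$SleepSeconds = 60,
    [string]$ComputerName          # leave empty to monitor the local system
)

$cim     = if ($ComputerName) { New-CimSession -ComputerName $ComputerName } else { $null }
$cimArgs = if ($cim) { @{ CimSession = $cim } } else { @{} }

function Get-ConnectionSnapshot {
    # PID -> process name, so every line carries a name (netstat alone does not).
    $names = @{}
    Get-CimInstance Win32_Process @cimArgs | ForEach-Object { $names[[int]$_.ProcessId] = $_.Name }

    Get-NetTCPConnection @cimArgs | ForEach-Object {
        # No peer yet (Listen/Bound): show '*' for the remote side, as netstat does.
        $remote = if ($_.State -in 'Listen', 'Bound') { '*' } else { "$($_.RemoteAddress):$($_.RemotePort)" }
        '{0,-6} {1,-25} {2,-22} {3,-22} {4}' -f $_.OwningProcess, $names[[int]$_.OwningProcess],
            "$($_.LocalAddress):$($_.LocalPort)", $remote, $_.State
    } | Sort-Object
}

$old = 'old_state.txt'; $new = 'new_state.txt'   # written to the directory the script runs FROM
Get-ConnectionSnapshot | Set-Content $old
while ($true) {
    Start-Sleep -Seconds $SleepSeconds
    Get-ConnectionSnapshot | Set-Content $new
    $diff = Compare-Object (Get-Content $old) (Get-Content $new)
    Write-Host ('=== {0} ===' -f (Get-Date -Format s))
    if (-not $diff) { Write-Host 'no change' }
    foreach ($d in $diff) {
        # '=>' exists only in the new snapshot (new listener or connection); '<=' went away.
        $tag = if ($d.SideIndicator -eq '=>') { 'NEW ' } else { 'GONE' }
        Write-Host "$tag $($d.InputObject)"
    }
    Copy-Item $new $old -Force      # the new snapshot becomes the baseline for the next round
}
```

A line tagged NEW with state Listen and an unfamiliar process name is the case worth chasing first, since it means something started accepting connections between snapshots.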

PowerShell Remote Process Termination

Ever remotely executed a program on another system, only for the process to fail to exit, leaving it running as an active process on the user's system? No matter the cause or what your purpose on the system is, that is never a good thing. We can quickly fix the issue with PowerShell. To do so, we can use a script which we supply with the hostname or IP along with the name of the process.

This PowerShell script can be found in my script repo on the right-hand side of the screen.

Disconnect… Making the Internet Safer and More Private One Connection at a Time

Have you ever been browsing the web for a good or service and noticed that a totally unrelated site suggests the very same or similar items you were previously searching for? What about browsing the web and having a page take forever to load? Did you know that some websites not only see what you are doing, but also where your physical location is? Or that some ads contain malware? If you are like most people, you may have answered no to all or some of those questions, but now that you know, what next? Well, the open-source Disconnect plug-in, available for Google Chrome and Mozilla Firefox, could help you tremendously in stopping the aforementioned from occurring. Disconnect prides itself on making the Internet safe and private while increasing browsing speeds.

So how does it work? Well, after installation, a Disconnect icon will be visible in your toolbar. Clicking on it will bring up the menu as shown below.

Disconnect_1

(more…)

Detecting Alternate Data Streams with PowerShell and DOS

Alternate Data Streams (ADS) are nothing new, and there are a few ways to detect them within an NTFS filesystem. My tools of choice for detecting an ADS are LADS (List Alternate Data Streams) by Frank Heyne or SysInternals’ Streams… both of which work rather well. My issue, though, is that I, much like the customer, normally want to limit and lessen the number of external tools that are added to any of their systems. Native to Microsoft Windows, there are two ways to do some detection, one of which provides a little more capability than the other. Let’s check them both out.

The DOS way, depicted below, recursively searches a directory (/s), searches for ADS (/s), and then looks for the string “:DATA”.

The PowerShell way is depicted below. Be advised that the cmdlet used below goes back as far as version 2, but the –Stream option was not available until version 4.
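As an added example (not the command from the post's screenshot), this PowerShell script walks a directory tree with the -Stream parameter mentioned above and reports every stream other than the primary :$DATA one, hiding the Zone.Identifier stream that browsers attach to downloads unless asked, since that is the benign noise a first run tends to surface.

```powershell
# Added example, not the post's own command: list alternate data streams under a
# directory with built-in cmdlets only. Assumes the -Stream parameter is available.
param(
    [string]$Path = '.',
    [switch]$IncludeZoneIdentifier   # also show the Mark-of-the-Web stream on downloads
)

Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every file has the primary ':$DATA' stream; anything else is an ADS.
        # -LiteralPath so that [ ] or * in a file name are not treated as wildcards.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    } | Format-Table -AutoSize
```

To inspect what a reported stream holds, use Get-Content -LiteralPath <file> -Stream <name>; a large stream with an unexpected name on an otherwise ordinary file is the case to look at.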

If you just executed these commands, you probably noticed how a number of the files might have popped up matching the (more…)

WMI on Linux

WMI is a great way to query Windows systems without being so intrusive. As of late, I have been dealing with it more and more. Typically, I use a Windows system to query another Windows system, but the lack of speed inherent to the Windows OS always has me searching for better ways to complete simple tasks. I quickly turned to Linux, as its speed is one of the many great features of the OS. Using WMI from Linux is achievable, although many may not know it. Getting started is pretty simple; to do so, check out the steps below.

1. Install the repo (CentOS 6 or newer).
[nando@localhost home]$ rpm -Uvh http://www6.atomicorp.com/channels/atomic/centos/6/x86_64/RPMS/atomic-release-1.0-19.el6.art.noarch.rpm

2. Install WMIC from the repository.
[nando@localhost home]$ yum -y install wmi

Some common queries and what they grab are below.
wmic -U admin%admin1234 //192.168.2.2 "SELECT CommandLine,Name,ProcessId FROM Win32_Process"

wmic -U admin%admin1234 //192.168.2.2 "SELECT * FROM Win32_ComputerSystem"

Under the Wire… Windows Shell War Gaming

My boss and I had a conversation a few months ago regarding Over the Wire, a Linux war gaming server. The conversation revolved around how it was a great tool for those trying to build strength in Linux. From that conversation, we wondered why there wasn’t a Windows variant focusing on the command line, and from that thought came Under the Wire.

Under the Wire is a Windows Server 2008R2 Core system. The war game focuses on the Windows command line and the hope is that it helps people hone their skills or gain a better understanding for some of the things that can be done with a Windows shell.

It’s not expected for anyone to know everything they will encounter in this game, so please don’t panic, as the purpose of the game is to learn.

The object of the game is to use the hints for each level to find the password for the following level. For example, the password for level 2 is somewhere in level 1 and the password for level 3 is somewhere in level 2. That is the case for all levels, with level 20 being the last one. Once you have successfully logged into level 20, you have successfully completed the game.

The VM, instructions, and change log can be found here -> Under the Wire

General Notes:
• All passwords are lowercase regardless of how they may appear on the screen.

• The username for logging in will be century plus the corresponding level number. For example, the username for level 1 is century1 and for level 2, it would be century2 and so forth.

• The default shell is PowerShell but you can switch to the command line if you want. You can easily switch back and forth by typing cmd or powershell in the shell. If you wish to have multiple shells open, you can achieve that by doing the below.
1. Type taskmgr in the shell
2. Hit File > New Task (Run…)
3. Type powershell or cmd

• You may find that while trying to accomplish a level using one shell it may render an access denied error. If that is the case, please just use the other shell. During testing, at least one of the shells worked for every level.

• You may be warned that this isn’t a genuine copy of windows. That alert is due to not having a product key and the trial period expiring. It does not hinder the game in any way other than the warning popping up. If it appears, simply exit out of it and continue on.

• Some things that may help you in the game are below.
– The Internet
– Get-help
– /?
– The Tab key will help with finishing out commands

Pushpin… Taking Reconnaissance to Another Level

If you are on the offensive side, part of your strategy encompasses reconnaissance at some point. If you are on the defensive side, there is still reconnaissance to be done in order to see what is available about you. Well, a great tool to add to your tool bag is Recon-ng, as it makes the recon process simple and seamless. An awesome feature of the program is Pushpin. Pushpin allows you to utilize APIs and grid coordinates in order to display any postings within a designated area. This capability is incredible and could be used for a number of reasons. In any case, a list of the currently released APIs can be found at https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide. In most cases, you will have to register with the site whose API you are trying to use. Some of the APIs include Twitter, YouTube, LinkedIn, and Instagram. Also, the program has a Metasploit-type feel, so if you are comfortable with that, you will do just fine. The source code can be found at https://bitbucket.org/LaNMaSteR53/recon-ng/src.

To give you a feel for how simple it is, I’ll walk through running the program with Twitter APIs and we will use the Georgia Dome in Atlanta as our area of interest. We will start at the point following installation.
(more…)

Shipping Windows logs to Logstash via Nxlog

In order to correlate the logs of your systems, you are either going to have to manually upload them to your correlation system or set up an automated way. Nxlog is one of a few agents that will enable automated shipping of logs. I particularly like it because it is light on the system and not a pain to set up. Below are the steps to get you going. I will be shipping the logs in JSON format. There are many formats available; one just has to research which one satisfies their needs. The configuration we will use transports the logs over port 3515, so you will need to ensure that the port is open.

1. Navigate to http://nxlog.org/products/nxlog-community-edition/download and download the .msi version for Windows.

2. Install the downloaded .msi using the default options.

3. After installation is complete, open the configuration file located at C:\program files (x86)\nxlog\conf\nxlog.conf.

4. Replace the contents of the file with the below. The only thing you need to change is the IP address 111.111.111.111, replacing it with the IP of your Logstash server.
(more…)

ELK, the free alternative to Splunk

Installation of ELK is not too bad. There are a few guides online that walk through the process, but you will be hard pressed to find one that covers it all the way through. Some great links to help with this endeavor are:

https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-4-on-ubuntu-14-04

https://www.ddreier.com/setting-up-elasticsearch-kibana-and-logstash/

http://www.networkassassin.com/elk-stack-for-network-operations-reloaded/

https://www.elastic.co

For those who are inclined to install ELK in Windows, these sites are pretty useful.

https://community.ulyaoth.net/threads/how-to-install-logstash-on-a-windows-server-with-kibana-in-iis.17/

http://girl-germs.com/?p=438

ELK stack, what is that?

In a previous post I did a comparison of ELK and Splunk. I will take a few minutes here to explain what ELK is. The ELK stack (Elasticsearch, Logstash, Kibana) is simply amazing. Each program making up ELK brings its own strengths and is a vital part of making the whole thing work. Elasticsearch provides the search capability for Kibana. Logstash is the receiver of all the logs being ingested into ELK. Kibana is the visual portion of the stack, allowing for searching, correlation, and dashboards. The picture below brings it all together for us.

ELK Pic

Bare Monkey (Volatility)

I’ve been working on Bare Monkey for a few months now. Bare Monkey takes a Windows memory capture as input, runs it against all Volatility plugins, and writes the output of each to a text file. Afterwards, it deletes the generated files that are empty and then compresses the files left. It also creates a tarball and an MD5 hash. The README and code can be found on my GitHub at www.github.com/wiredpulse/BareMonkey.

You will have to change the extension to .sh and chmod 755.

Some of the benefits of the program are that Volatility will no longer be needed after the program runs, you can analyze the output with a text editor, and grep through the data rather quickly.

Splunk vs. ELK Stack

When conversing about log collection and correlation at an enterprise level, Splunk almost always comes up in the conversation. While I am an avid Splunk fan, outside of the free version it can be a little expensive. ELK (Elasticsearch, Logstash, and Kibana) is very comparable to Splunk, in my opinion. Through my research and hands-on experience with the two, I’ve formulated the thoughts and comparison below.

 

Cost (Monetarily):

Splunk: Free up to 500MB a day. The paid version has unlimited indexing per day.

ELK: Free. There is a newer paid version that comes with support.

 

Cost (Time):

Splunk: One could have it up and running rather quickly. The amount of time already spent on (more…)

Converting a DD image into a VM – pt. 2

This is part 2 of the tutorial to convert a DD image into a VM. The instructions below assume one already has a DD image and has unzipped and uncompressed it. To finish the task, please read on.

1. Copy the target_image from your Linux forensics system to your Windows forensics system.

2. To convert the raw file into a virtual machine using Live View, change the extension of the target_image raw file to .dd.

3. Create a folder on the desktop of your Windows forensics system in which we will put the VM after conversion.

4. Open the Live View 0.8 shortcut on the desktop.

5. When the program opens, make the following changes. Once complete, your screen should look like the below.

– Ram size: 1024 (default is 512)

– Operating system: Linux

(more…)

Converting a DD image into a VM – pt. 1

 

A good buddy of mine introduced me to LiveView, which creates virtual machines from DD images. There are a number of other programs out there that can do the same thing, but none seemed as smooth as LiveView.

One may be wondering what the need is for all of this. Well, let’s say you are inspecting a suspected or known compromised system. Good practice is to not do anything (or at least as little as possible) to the system in question. In order to preserve the system and get an image to work off of, we can make a DD (binary) image. From there, we can use LiveView to convert the DD image into a working virtual machine. From there, one can get a memory capture and/or begin any other forensics on the system without affecting the original hard drive. LiveView can be found at http://www.cert.org/digital-intelligence/tools/liveview.cfm. You will need to install it on your Windows forensics system prior to continuing.

 

Below are the instructions my buddy wrote for using the software.

1. Access the target from the forensics system (linux) using SSH

2. Elevate privileges

(more…)

Collaboration with Elog

Elog is a great program used for collaboration in a LAN or WAN environment. It’s very simple to use and easily customizable. This program is ideal for sharing notes or analyzing data and ensuring everyone else knows what is going on. There is an email function as well, and the ability to export and import notes/data if desired. The program can be downloaded here: https://midas.psi.ch/elog/index.html. Below are some of the things I did for customization:

Alter the look of the program (it’s a .css written in HTML) — /usr/local/elog/themes/default/default.css

Removed the word ‘demo’ from the URL and from the page and changed it to something else — /usr/local/elog/elogd.cfg

Add/adjust the fields of the form — config option listed on the menu bar of the program

Log transcript — /usr/local/elog/logbooks

After you adjust any of these, you will need to restart the elogd service and reload Apache.

Splitting up a Large VM for Easier Transmission

Here is the scenario: you have a VM that you want to transfer to another system over the Internet. The VM, in its entirety, is too big to transfer as is. So what do we do? Well, we could convert the .vmx into an .ova and then split it into a few manageable sizes for transport. Once on the distant end, we can easily put it all back together. Using the steps outlined here: https://communities.vmware.com/message/2244209, we can do this. Below are very generic steps to achieve this.

1. Convert the VM’s .vmx to .ova in a terminal.

2. Use the ‘split’ command to break down the .ova into manageable sizes (I usually do mine in 550 MB (550000000 bytes)). In this case the command would be ‘split -b 550000000 your_vm.ova vm_brokedown’.

3. Transfer the smaller files to the destination

4. In terminal on the distant end, type cat vm_brokedown* > your_vm.ova

5. Import the ova into the Hypervisor of your choice.

Renaming a Linux NIC interface

You may be wondering why this is even a topic of discussion. Well, certain Linux distros such as CentOS come with the main interface as eth0. For me, it’s not as big of a deal. The concern comes in when I am developing baselines and distributing them back into the community. The more I can do to ensure that things look the same across the distros, the better. In order to rename the interface, one can do the below.

1. Open a terminal and ensure you are Root.

2. Get the MAC and current listing of the interface. Be sure to make note of the MAC for a future step.

(more…)

Memory Capture with FTK Imager

I previously wrote about using DumpIt for Windows memory captures. If all you need from a system is to capture memory, it fits the bill rather well, though there have been times where it has given me some issues grabbing memory over 8GB. Nonetheless, what if you need to do more? Let’s say you also need a binary image; DumpIt can’t help you there. FTK Imager will do both and more. Today I’ll speak on the memory capture piece and will visit the binary image capture at a later time. To get a capture, follow the very simple directions below.

1. Download FTK Imager from their official site at http://accessdata.com/product-download.

2. Once downloaded and installed, open the program.

3. Click ‘File’ and select ‘Capture Memory’ as depicted in the below picture.

ftk-1

(more…)