Thursday, February 25, 2010

SANS Orlando Track 508



I will be teaching the 508 GIAC Certified Forensic Analyst (GCFA) class in Orlando the week of March 8th with Rob Lee. If anyone has training dollars in their budget, this is going to be a really good class!

As this will be my first class, I will be Rob's TA, but I am eager to get my feet wet and start teaching 508 on my own! When I was in the Army, I was a certified instructor and taught Computer Network Defense (CND), and Computer Network Attack (CNA). I am excited to see how teaching at SANS compares.

Monday, February 22, 2010

Analyzing RAM Dumps

After talking to several colleagues about RAM dump analysis, I found that it's not quite as common as I thought it was. So, I will give y'all the down and dirty on analyzing RAM dumps with Mandiant's Memoryze and Audit Viewer.

First, you have to download an install Python for Windows. Once you have that, go to the Mandiant page, and download both Memoryze and Audit Viewer. Install Memoryze, and then create a directory for Audit Viewer. This tool is stand alone and does not require installation.

Now, provided you have a RAM dump...which can be obtained using a variety of tools...here are a few:

MDD (although no londer supported)
FTK Lite v2.6.1
HBGary's FastDump Pro
dcfldd
kntdd
WinDD
*Memoryze will also dump RAM but you have to install it on the target machine

OK...now that you have a RAM dump, and your analysis tools installed, here is the short version of how you launch Memoryze. Note...there is a full readme file that comes with Memoryze, and I highly recommend reading it. What I am providing here is a quick how to.

From the cmd line, navigate to the Memoryze directory...

process.bat -input -handles true -strings true -imports true -exports true -sections true -ports true -injected true -output

This will chug for quite a while depending on the s
ize of the RAM dump, how many processes were running on the target host, and how much data in there to process. Once it finishes, it will create a file in the output path called, "Audits". In there, you will find a second file with the date, and in there, a third file with your username. This file contains the .xml output of Memoryze.

Now, to open and view the audit file, you...no kidding...use Audit Viewer. Simply double click on the Audit Viewer icon, and select "open existing results". From there, you Browse to the folder containing the .xml output, and click Next and then Finish. This will process for a few minutes as all of the data is read. When it finishes you will get so
mething that looks like this...



To review the information about any give process, simply double click on that process name in the left hand column.

So...now you have your RAM dump open and you are ready to analyze the data. What are you looking for? That my friends, will be discussed in my next post. Until then, enjoy using Memoryze and Audit Viewer...GREAT tools...thanks Mandiant!

Thursday, February 4, 2010

The Mole Hill

One of the great things about having a pentesting background is that when forensic casework is light, I can snatch up some pentests from the SpiderLabs network pentest team .

In the pentest I am currently working on, I was reminded how attackers can turn a mole hill into a mountain. After scanning the network looking for hosts listening on ports 139 and 445 - since we all know that means they are more than likely windows boxes - I generated a list of all those boxen. Next, I began arp spoofing the default gateway in search of valid usernames, and generated a second list. Then, I used a tool called Medusa with my two files and bada boom, I got a hit. A single hit, on a single box. I had more than 200 potential targets, and more than 300 valild usernames, but all it took was one. My mole hill.

Now, to turn it into a mountain, I tried to gain command shell access to that host from my jump box...bingo...first time go. Then I opened a second shell and used smbmount to gain FTP-like access and put a tool on the target to dump the NTLM hashes. After dumping and extracting those, I ran them through Cain and BAM...I went from a single ID to more than 10...to include an ID in the Domain Administrators group!

To make my mountain even bigger, I used that ID to do the same thing I JUST did on the initial target, but this time, I targeted the Domain Controller. Using the poor DomAmin guy's account, I was able to dump the NTLM hashes from the DC and increase my list of usernames and passwords from 1 to 10 to 45! I now can be whomever I want to be, and explore, the network at my leasure...they have been p0wn3ed!

So now, there are a few things we can take away here:

1. This was not a sophisticated attack...I simply exploited a weak password. Once that was done, I was quickly was able to turn that 1 compromised ID into many many more.

2. It was not a sophisticated attck becasue it didn't have to be! Harlan and I harp if Occam's Razor not because we like to say it, but becasue it's true. The easiest answer IS usually the right one.

3. All it takes to own a network is one weak password...just one...not a sophisticated 0day, not a uber hax0r with m@d skillz...just a bad password.

Mole hill into mountain in under an hour...not bad for a days work...wonder what goodies I will find today!?