Wednesday, September 9, 2020

Just a few days left to register for my upcoming SANS SEC582 Mastering TShark Packet Analysis class and get a Free copy of "Hack and Detect" or "Mastering TShark Network Forensics"

Get a Free copy of "Learning by Practicing - Mastering TShark Network Forensics: Moving From Zero to Hero" or "Learning By Practicing - Hack & Detect: Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics" when you register for my upcoming SANS SEC582 Mastering TShark Packet Analysis class.


To learn more see: 

SEC582: Mastering TShark Packet Analysis

Beginning File System Forensics - Timeline analysis

Now that the drive has been mounted and the file metadata has been exported, as seen in the previous post, let's poke at some files of "interest". The files of interest here relate to my SANS SEC582 - Mastering TShark Packet Analysis class.

Let's assume we have an indicator of compromise (IoC), in this case a suspicious file name. We can use "grep" to search the previously created "linux_mint_files_export.txt" and see whether we get a hit. At the same time, let's pipe the results into "wc --lines" to count how many entries matched.

kali@securitynik:~/forensics$ grep "SEC582" linux_mint_files_export.txt | wc --lines
22

Above, 22 entries matched. Note that grep matches the string anywhere on the line, so a hit on a directory name brings in every path beneath it; that is what we want here, but if only the file name itself should match, anchor the pattern on the last field. Let's take a look at those entries.

kali@securitynik:~/forensics$ grep "SEC582" linux_mint_files_export.txt
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|09:17:58.1200000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:18:00.0000000000|755|0|root|0|root|439479|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:26:59.1700000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:27:02.0000000000|755|0|root|0|root|817648|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:30:58.7100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:31:02.0000000000|755|0|root|0|root|505620|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:33:56.1000000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:33:58.0000000000|755|0|root|0|root|158779|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:36:20.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:36:22.0000000000|755|0|root|0|root|209775|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.6 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:43:38.9500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:43:42.0000000000|755|0|root|0|root|290017|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:44:42.0100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:44:44.0000000000|755|0|root|0|root|157451|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:46:45.6500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:46:48.0000000000|755|0|root|0|root|173404|SANS SEC582 - Labs and Challenges PDFs/Day 2/Exercise 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|10:44:37.9400000000|05/13/2020|20:00:00.0000000000|05/13/2020|10:44:40.0000000000|755|0|root|0|root|194576|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:04:45.2100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:04:48.0000000000|755|0|root|0|root|604994|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:11:34.8000000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:11:40.0000000000|755|0|root|0|root|110284|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:18:01.4200000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:18:06.0000000000|755|0|root|0|root|221816|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:27:05.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:27:08.0000000000|755|0|root|0|root|160748|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:37:28.2700000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:37:30.0000000000|755|0|root|0|root|246089|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:38:15.8100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:38:18.0000000000|755|0|root|0|root|155128|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:39:09.4800000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:39:12.0000000000|755|0|root|0|root|168333|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.9 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:45:31.3500000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:45:34.0000000000|755|0|root|0|root|303851|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.10 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf

As you may remember from the previous post, the columns above are: last status change date (%Cx), last status change time (%CT), last access date (%Ax), last access time (%AT), last modification date (%Tx), last modification time (%TT), file permissions (%m), numeric user id (%U), user name (%u), numeric group id (%G), group name (%g), size in bytes (%s) and the path (%P), with every entry on its own line (\n).

Two caveats specific to this vfat mount. First, the permission and owner columns (755, root, root on every line) are not evidence: FAT has no permission bits or owners, so the driver synthesizes them from the mount's uid, gid and umask options for every entry. Second, look at the precision of the three timestamps. The %C values carry hundredths of a second, the %T values always land on an even second, and every %A value is exactly 20:00:00.0000000000. That is the FAT directory entry showing through: FAT records a creation time with 10 ms resolution, a last-write time with 2-second resolution, and only a last-access date with no time of day at all. On this mount the %C columns therefore hold FAT's creation stamp and behave as a creation time (the hundredths of a second give it away; check that before relying on it on another system), while the access "time" is synthetic: midnight of the stored date, presented in this machine's Eastern timezone, which is why it shows as 20:00 of the previous calendar day.

Considering the preceding, let's sort the output by the first two columns, the status change date and time, with the most recent entry at the top. To achieve this we feed the previous output to "sort" with a "--field-separator" of pipe "|", use fields 1 and 2 as the key, and "--reverse" the result. One caveat: with the dates in MM/DD/YYYY form this compares the month before the year, so it is only correct while every entry falls in the same year, as happens to be the case here. For a timeline spanning years, sort on a year-first key or export epoch seconds with %C@ instead.

kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | grep SEC582 | sort --field-separator "|" --key=1,2 --reverse
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:45:31.3500000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:45:34.0000000000|755|0|root|0|root|303851|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.10 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:39:09.4800000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:39:12.0000000000|755|0|root|0|root|168333|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.9 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:38:15.8100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:38:18.0000000000|755|0|root|0|root|155128|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:37:28.2700000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:37:30.0000000000|755|0|root|0|root|246089|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:27:05.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:27:08.0000000000|755|0|root|0|root|160748|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:18:01.4200000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:18:06.0000000000|755|0|root|0|root|221816|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:11:34.8000000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:11:40.0000000000|755|0|root|0|root|110284|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:04:45.2100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:04:48.0000000000|755|0|root|0|root|604994|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|10:44:37.9400000000|05/13/2020|20:00:00.0000000000|05/13/2020|10:44:40.0000000000|755|0|root|0|root|194576|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|09:46:45.6500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:46:48.0000000000|755|0|root|0|root|173404|SANS SEC582 - Labs and Challenges PDFs/Day 2/Exercise 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:44:42.0100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:44:44.0000000000|755|0|root|0|root|157451|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:43:38.9500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:43:42.0000000000|755|0|root|0|root|290017|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:36:20.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:36:22.0000000000|755|0|root|0|root|209775|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.6 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:33:56.1000000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:33:58.0000000000|755|0|root|0|root|158779|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:30:58.7100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:31:02.0000000000|755|0|root|0|root|505620|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:26:59.1700000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:27:02.0000000000|755|0|root|0|root|817648|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:17:58.1200000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:18:00.0000000000|755|0|root|0|root|439479|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
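Sorting by the first two columns works here because everything falls in 2020, but "05/13/2020" sorts after "01/02/2021" as text. The following is an added example, not from the original post, that rebuilds a year-first key before sorting and also explodes each record into separate C, A and M events in the style of The Sleuth Kit's mactime, which is the view you want when asking "what happened, in what order" rather than "what is the state of each file". The sample records at the bottom are constructed (the first copies the parent directory line from the listing above); "timeline_sort", "timeline_events" and the SAMPLE variable are names chosen here.

```shell
# Added example, not from the original post: two helpers for the pipe-delimited
# export produced by the find -printf line in the previous post. The dates are
# MM/DD/YYYY (find's %Cx under a US locale), so "sort --key=1,2" orders by month
# first and breaks as soon as two years are involved; both helpers rebuild a
# YYYY-MM-DD HH:MM:SS key first. Everything is POSIX sh + awk + sort.

# timeline_sort [sort options] < export: whole records ordered by the first
# (status-change) date/time, oldest first; pass -r for newest first
timeline_sort() {
    awk -F'|' 'NF >= 13 { split($1, p, "/"); print p[3] "-" p[1] "-" p[2] " " $2 "|" $0 }' |
        LC_ALL=C sort -t'|' -k1,1 "$@" | cut -d'|' -f2-
}

# timeline_events [sort options] < export: one line per timestamp instead of one
# per file, i.e. a mactime-style timeline:
#   YYYY-MM-DD HH:MM:SS.frac|C|size|path   (status change; the creation stamp on this vfat mount)
#   YYYY-MM-DD HH:MM:SS.frac|A|size|path   (access date; the time of day is synthetic on FAT)
#   YYYY-MM-DD HH:MM:SS.frac|M|size|path   (modification; 2-second resolution on FAT)
timeline_events() {
    awk -F'|' 'function key(d, t,   p) { split(d, p, "/"); return p[3] "-" p[1] "-" p[2] " " t }
        NF >= 13 {
            path = $13; for (i = 14; i <= NF; i++) path = path "|" $i   # a path may itself contain "|"
            print key($1, $2) "|C|" $12 "|" path
            print key($3, $4) "|A|" $12 "|" path
            print key($5, $6) "|M|" $12 "|" path
        }' | LC_ALL=C sort -t'|' -k1,1 "$@"
}

# Constructed sample: the parent directory line from the listing above plus two
# made-up records a year either side of it, so the year-boundary case is visible.
SAMPLE='05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
12/31/2019|23:59:59.0000000000|12/31/2019|20:00:00.0000000000|12/31/2019|23:59:58.0000000000|755|0|root|0|root|1024|old/old.pdf
01/02/2021|09:00:00.0000000000|01/01/2021|20:00:00.0000000000|01/02/2021|09:00:02.0000000000|755|0|root|0|root|2048|new/new.pdf'

# usage: timeline_events -r < linux_mint_files_export.txt | grep SEC582 | less
# (for a fresh export, %C@|%A@|%T@ in find -printf gives epoch seconds and plain sort -n works)
```

Against the real export, "timeline_events < linux_mint_files_export.txt | grep SEC582" puts the 09:47 creation of the Day 1 and Day 2 directories in between the Exercise and Challenge PDFs, which is much harder to see in the one-record-per-file view above.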

Now that we have the above, we can make some observations and draw some tentative conclusions.
1. The activity surrounding the IoC string "SEC582" started on May 13, 2020 at about 08:31:58.
2. On May 13, 2020 at 08:31:58 local time the directory "SANS SEC582 - Labs and Challenges PDFs" was created (the user shown is root, but as noted above that comes from the mount options, not from the volume).
3. The directory's modification stamp is 08:32:00 the same day, at FAT's 2-second resolution, consistent with entries being written into it right after it was created.

4. However, as we look closer, we see two subdirectories "/Day 1" and "/Day 2" were created under it. Filtering the PDFs out so we can focus on the directories' times, we see:

kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | grep SEC582 | sort --field-separator "|" --key=1,2 --reverse | grep --invert-match --perl-regexp "\.pdf$"
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs

Paying closer attention to the times, both subdirectories show an access stamp of "05/12/2020|20:00:00.0000000000", which is earlier than the parent directory's own creation stamp of "05/13/2020|08:31:58.8300000000". How can a subdirectory carry a date earlier than its parent? Could the parent have been created first and the subfolders then copied into it? Two cautions before reading too much into it. First, FAT stores only a last-access date, with no time of day; the 20:00:00 is midnight of the stored date presented in this machine's Eastern timezone (UTC-4 in May), so the stored date is really May 13, the same day the parent was created, and an access date can never place an event within the day. Second, the creation stamps tell a more specific story: "Day 1" (09:47:17) and "Day 2" (09:47:33) were created after most of the Exercise PDFs that now sit inside them (08:34 through 09:46). One reading that fits all the stamps is that the exercises were written into the parent folder first and moved into the two subfolders once those existed at 09:47, since a move within the same volume (on Windows at least) keeps an entry's creation stamp, while the Challenge PDFs were created directly in "Day 2" from 10:44 onward. A copy made with a tool that preserves creation times would look the same, so corroborate this from another source before relying on it.

5. Looking at the other 19 entries, going by the creation stamp, the first file "SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf" was created on May 13, 2020 around 08:34 and the last file "SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf" was created on May 14 around 05:52.

6. Looking at the same 19 entries by modification date and time, the first file "SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf" was modified on May 13, 2020 around 08:34 and the last file "SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf" was modified on May 14 around 06:39.

7. Finally, all 19 files carry the same access stamp, May 13, 2020 at 20:00:00. Does that proximity reaffirm the conclusion that the files might have been copied? Not on its own: as noted above, that is a stored access date of May 14 with a synthetic time, and anything that read the files that day (a scan, a copy off the drive, simply opening them) would set it. What the stamps do show is that for every entry except "Initial Setup" the creation and modification times agree to within FAT's 2-second rounding, so nothing carried an older modification time onto this volume; "Initial Setup" was created at 05:52 and last written at 06:39 on May 14, that is, edited in place after it was created.

Arite!, I think that is enough for this post. 

Ohh and by the way, hope to see you in one of my SANS SEC582 Mastering TShark Packet Analysis class. :-) If you cannot make that one, come hang out with me in the SEC503 or SEC504 class. :-) :-)



Beginning File System Forensics - mounting and learning about the drive

In the previous post, we learned about the disk and the Master Boot Record (MBR), let's now mount that disk, so that we can analyze its contents.

Before mounting, let's once again take a look at the drive to see where the partitions starts.

kali@securitynik:~/forensics$ sudo fdisk --list linux_mint_usb.raw
Disk linux_mint_usb.raw: 29.3 GiB, 31457280000 bytes, 61440000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00051443

Device              Boot Start      End  Sectors  Size Id Type
linux_mint_usb.raw1       2048 61437951 61435904 29.3G  c W95 FAT32 (LBA)

Above, we see a single partition with a "Start" sector of 2048. To get its byte offset, multiply the start sector by the sector size, which is once again 512 bytes:

2048 * 512 = 1048576

Taking a look at that sector with xxd before mounting, we see the FAT32 boot sector: the OEM name "MSDOS5.0", the "FAT32   " type string, the "NO NAME" volume label and the 55aa signature in the last two bytes of the 512:

kali@securitynik:~/forensics$ xxd --seek 1048576 --length 512 linux_mint_usb.raw | more
00100000: eb58 904d 5344 4f53 352e 3000 0220 e00a  .X.MSDOS5.0.. ..
00100010: 0200 0000 00f8 0000 3f00 ff00 0008 0000  ........?.......
00100020: 0070 a903 903a 0000 0000 0000 0200 0000  .p...:..........
00100030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00100040: 8000 2980 b481 fc4e 4f20 4e41 4d45 2020  ..)....NO NAME  
00100050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4    FAT32   3.....
00100060: 7b8e c18e d9bd 007c 8856 4088 4e02 8a56  {......|.V@.N..V
00100070: 40b4 41bb aa55 cd13 7210 81fb 55aa 750a  @.A..U..r...U.u.
00100080: f6c1 0174 05fe 4602 eb2d 8a56 40b4 08cd  ...t..F..-.V@...
00100090: 1373 05b9 ffff 8af1 660f b6c6 4066 0fb6  .s......f...@f..
001000a0: d180 e23f f7e2 86cd c0ed 0641 660f b7c9  ...?.......Af...
001000b0: 66f7 e166 8946 f883 7e16 0075 3983 7e2a  f..f.F..~..u9.~*
001000c0: 0077 3366 8b46 1c66 83c0 0cbb 0080 b901  .w3f.F.f........
001000d0: 00e8 2c00 e9a8 03a1 f87d 80c4 7c8b f0ac  ..,......}..|...
001000e0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb  ..t.<.t.........
001000f0: eea1 fa7d ebe4 a17d 80eb df98 cd16 cd19  ...}...}........
00100100: 6660 807e 0200 0f84 2000 666a 0066 5006  f`.~.... .fj.fP.
00100110: 5366 6810 0001 00b4 428a 5640 8bf4 cd13  Sfh.....B.V@....
00100120: 6658 6658 6658 6658 eb33 663b 46f8 7203  fXfXfXfX.3f;F.r.
00100130: f9eb 2a66 33d2 660f b74e 1866 f7f1 fec2  ..*f3.f..N.f....
00100140: 8aca 668b d066 c1ea 10f7 761a 86d6 8a56  ..f..f....v....V
00100150: 408a e8c0 e406 0acc b801 02cd 1366 610f  @............fa.
00100160: 8274 ff81 c300 0266 4049 7594 c342 4f4f  .t.....f@Iu..BOO
00100170: 544d 4752 2020 2020 0000 0000 0000 0000  TMGR    ........
00100180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00100190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001001a0: 0000 0000 0000 0000 0000 0000 0d0a 4469  ..............Di
001001b0: 736b 2065 7272 6f72 ff0d 0a50 7265 7373  sk error...Press
001001c0: 2061 6e79 206b 6579 2074 6f20 7265 7374   any key to rest
001001d0: 6172 740d 0a00 0000 0000 0000 0000 0000  art.............
001001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001001f0: 0000 0000 0000 0000 ac01 b901 0000 55aa  ..............U.

First, create a directory to use as the mount target.

kali@securitynik:~/forensics$ mkdir usb

Let's now mount the drive:
kali@securitynik:~/forensics$ sudo mount --read-only --verbose --options noatime,nodiratime,loop,offset=1048576 --source linux_mint_usb.raw --target usb/
mount: /dev/loop0 mounted on /home/kali/forensics/usb.

Here is what the above does
mount - mount the drive

--read-only - mount the drive read-only, so nothing in the image changes during analysis (we work from the image rather than the original USB for the same reason)

--verbose - print the informational message, for each successful mount 

--options 
    noatime - Do not update the access timestamps when the file is read
    nodiratime -  Do not update the directory inode access times on this file system
    loop - sets up a loop device to correspond to the image file "linux_mint_usb.raw" and then mount that image to "--target usb/"

    We can confirm this loop device as follows:
  
 kali@securitynik:~/forensics$ df --human-readable --type vfat --print-type
    Filesystem     Type  Size  Used Avail Use% Mounted on
    /dev/loop0     vfat   30G   12G   19G  38% /home/kali/forensics/usb
 
    offset=1048576 - start the loop device at this byte offset, i.e. at the partition found above rather than at the MBR

--source linux_mint_usb.raw - The source image which was created.

--target usb/ - The location to which this drive will be mounted.

Now that we know the drive is mounted, let's verify we can read it:

kali@securitynik:~/forensics$ ls usb/
 Fido-Apr04_2020-1.pdf   LINUX   PortablApps                              'System Volume Information'
 Girls                   Nakia  'SANS SEC582 - Labs and Challenges PDFs'   tshark

Let's now export all the files, printing for each its last status change date (%Cx), last status change time (%CT), last access date (%Ax), last access time (%AT), last modification date (%Tx), last modification time (%TT), file permissions (%m), numeric user id (%U), user name (%u), numeric group id (%G), group name (%g), size in bytes (%s) and path (%P), with every entry on its own line (\n). Keep in mind that on a vfat mount the permissions and owner are synthesized from the mount options (FAT stores neither), so those columns will be the same for every entry and carry no evidence.

kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" | more

Here is a snapshot of what the output looks like. The first entry is the mount point itself (empty path): the root directory of a FAT volume has no directory entry of its own, so it carries no timestamps and find shows the Unix epoch, rendered as 12/31/1969 19:00:00 in this machine's timezone (UTC-5 at that date).

12/31/1969|19:00:00.0000000000|12/31/1969|19:00:00.0000000000|12/31/1969|19:00:00.0000000000|755|0|root|0|root|16384|
04/06/2020|13:58:31.2200000000|04/05/2020|20:00:00.0000000000|04/06/2020|13:58:32.0000000000|755|0|root|0|root|16384|System Volume Information
04/06/2020|13:58:31.2500000000|05/13/2020|20:00:00.0000000000|04/06/2020|13:58:32.0000000000|755|0|root|0|root|12|System Volume Information/WPSettings.dat
04/06/2020|20:14:57.0700000000|04/06/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|16384|System Volume Information/ClientRecoveryPasswordRotation
04/06/2020|20:14:57.1400000000|04/06/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|16384|System Volume Information/AadRecoveryPasswordDelete
04/06/2020|20:14:57.4300000000|05/13/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|76|System Volume Information/IndexerVolumeGuid
04/07/2020|20:39:36.0000000000|04/07/2020|20:00:00.0000000000|04/07/2020|20:39:36.0000000000|755|0|root|0|root|16384|Nakia
04/07/2020|20:38:04.0000000000|05/12/2020|20:00:00.0000000000|04/07/2020|20:38:04.0000000000|755|0|root|0|root|1387601|Nakia/Nakia code dot org certificate.pdf
04/07/2020|20:38:04.0000000000|05/12/2020|20:00:00.0000000000|04/07/2020|20:38:04.0000000000|755|0|root|0|root|766251|Nakia/Nakia_code-org-blank_certificate.png

....

Let's now redirect this output to a file for later analysis.

kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" > linux_mint_files_export.txt

Once the contents are all in the file, we can then check to see how many lines were written as follows:

kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | wc --lines
106191

Looks like we have 106,191 entries, one per file or directory under usb/ (the first being the mount point itself).

You can now open this file in a spreadsheet, or load it into a database, to perform analysis.

From our exported results, let's find a file of interest to learn about its activities in the next post.

An important takeaway from the above is that the data was retrieved from "allocated" space only. Files which have been deleted are more than likely not going to appear in this output. Thus you may wish to use a tool such as Autopsy or The Sleuth Kit: its fls can walk the partition in the raw image directly (for example "fls -r -m / -o 2048 linux_mint_usb.raw", fed to mactime) and lists deleted FAT directory entries alongside the live ones, giving a better handle on what is on the disk. Keep these things in mind as you perform your file system forensics.

P.S. Not sure if you noticed it but I changed disks from the previous posts. However, the concepts remain the same.




Beginning File System Forensics - Acquiring Disk Image

In this series, I am looking at file system forensics. For this post, I inserted a USB device which can be found at: "/dev/sdb"

Taking a quick look at the disk using "fdisk --list" before we make a copy of it, we see:

kali@securitynik:~$ sudo fdisk --list /dev/sdb
[sudo] password for kali: 
Disk /dev/sdb: 29.3 GiB, 31457280000 bytes, 61440000 sectors
Disk model: USB DISK        
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00051443

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 61437951 61435904 29.3G  c W95 FAT32 (LBA)

We will revisit this as we compare our cloned disk with the output above.

Let's now go ahead and create an image of the disk, so that we can perform our "dead" forensics.

kali@securitynik:~$ sudo dcfldd if=/dev/sdb of=linux_mint_usb.raw bs=512 errlog=linux_mint_err.log hash=md5,sha1,sha256 hashlog=linux_mint_usb_.hash status=on verifylog=linux_mint.verify hashwindow=100M

Specify the input file, which we know is the USB located at /dev/sdb
if=/dev/sdb 


Specify an output File
of=linux_mint_usb.raw 

Specify a block size of 512 bytes, matching the drive's sector size. Two things to know here: dcfldd stops at the first read error unless you also pass conv=noerror,sync (skip unreadable blocks and pad them with zeros), in which case errlog records the failure but the image comes out short; and larger block sizes such as bs=4M image considerably faster, at the cost of padding a whole block rather than a single sector around any bad spot.
bs=512 

Send all errors to a log file, rather than writing to the screen
errlog=linux_mint_err.log 


Specify the hash algorithms to use. This lets us validate the integrity of the image later in the forensic process: a re-hash that does not match the log means the image is no longer what was acquired.
hash=md5,sha1,sha256 


Send the hash information to a log file
hashlog=linux_mint_usb_.hash 

Displays the status message
status=on 

Send verification results to a log. dcfldd only verifies when you also pass vf=<file>, comparing that file with the input; without vf= this log stays empty.
verifylog=linux_mint.verify 

Also record a hash of every 100 MiB window of the input. If a later total hash does not match, the window hashes narrow the mismatch down to a 100 MiB region instead of leaving only "something changed".
hashwindow=100M


Once completed, here is what the output looks like:

61440000 blocks (30000Mb) written.
61440000+0 records in
61440000+0 records out

The records read in equal the records written out, so the whole device was imaged with no short reads.

and the created files

kali@securitynik:~/forensics$ ls 
linux_mint_usb_.hash  linux_mint_err.log  linux_mint_usb.raw  linux_mint.verify


Looking at the "linux_mint_usb_.hash" file, we see an md5, sha1 and sha256 line for every 100 MiB window, followed by the totals for the whole image:

kali@securitynik:~/forensics$ cat linux_mint_usb_.hash | more
0 - 104857600: a833657ba6ffe7aecc9502474830d0e3
0 - 104857600: 9c1a801e95178826c4e49bb498fdae18389429fa
0 - 104857600: 74b7b3f871998cc0bd614dea1d345e5057f87f0ff3579e8f372226ec0ae9e1df
104857600 - 209715200: 8d6305573b4500f27dbcee6cd582e4a8
104857600 - 209715200: 25bb8f02271ede26bfad67d6350ae038ee88a9f5
104857600 - 209715200: 308e467ed64fc4efb36a3c7e520ea6406e360fa260c7d87f9810345ecd09abf4
209715200 - 314572800: ce08ffdb8612f95e4752539044daf1ee
209715200 - 314572800: 4ae41ba71b7c70c470eadc8fa351d78c863facae
209715200 - 314572800: 987da527a07d254d8448233673b81a3843a0aafd0607527df67f333ebec0b913
314572800 - 419430400: 36c76342755d6828990a480c0056d31a
...
31352422400 - 31457280000: 75a8749d0ad3734052147bfa16069060
31352422400 - 31457280000: 9675bdbe94ccb0cd25601e35687a235a2630768a
31352422400 - 31457280000: 90db0b4ccf1b539dfc5c28cca76fd1e3b43316622c9fe4fc1f274ac0cb94e380

Total (md5): e995c8773f355b895792fafdc24e80d4

Total (sha1): 1473fda5a96d0b286b6ffba2b9f2550c1b67ab93

Total (sha256): 998a16707ee4aec57987e2ef768764d652cc55d648fc0f30b295b56b417b4747
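The hash log is only useful if something checks the image against it. The following is an added example, not from the original post, that does the two checks a practitioner wants: compare the "Total (sha256)" line against a fresh digest of the whole image, and recompute every window's sha256 so that a mismatch can be pinned to a region of the image rather than just "it changed". It assumes the log format shown above and a sha256sum (or shasum) binary; the nine-byte sample image and its log are constructed, and the function names are chosen here.

```shell
# Added example, not from the original post: check an image against a dcfldd hash
# log in the format shown above. verify_image_total compares the "Total (sha256)"
# line with a fresh digest of the whole image; verify_hash_windows recomputes the
# sha256 of every "<start> - <end>: <hash>" window (hashwindow=100M above) and
# prints the windows that differ. POSIX sh plus dd, awk and sha256sum/shasum.

# sha256_hex: hex digest of stdin (sha256sum on Linux, shasum elsewhere)
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# dd_range <file> <start byte> <length>: stream that byte range to stdout. dd needs
# a block size that divides both numbers, so use the largest power of two up to 1 MiB.
dd_range() {
    bs=1048576
    while [ $(($2 % bs)) -ne 0 ] || [ $(($3 % bs)) -ne 0 ]; do
        bs=$((bs / 2))
    done
    dd if="$1" bs="$bs" skip=$(($2 / bs)) count=$(($3 / bs)) 2>/dev/null
}

# verify_image_total <image> <hashlog>: returns 0 if the Total (sha256) line matches
verify_image_total() {
    want=$(awk '$1 == "Total" && $2 == "(sha256):" { print $3 }' "$2")
    got=$(sha256_hex < "$1")
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# verify_hash_windows <image> <hashlog>: prints "start-end" for every sha256
# window (64 hex digits; the md5 and sha1 lines are skipped) that does not
# match; returns 1 if there were any, 0 if every window matched
verify_hash_windows() {
    img=$1
    bad=$(awk '$2 == "-" && length($4) == 64 { sub(":", "", $3); print $1, $3, $4 }' "$2" |
        while read -r start end want; do
            got=$(dd_range "$img" "$start" $((end - start)) | sha256_hex)
            [ "$got" = "$want" ] || echo "$start-$end"
        done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample data: a 9-byte "image" made of three 3-byte windows of "abc"
# (sha256("abc") is the well-known ba7816bf...15ad), a copy with one byte changed in
# the second window, and logs in dcfldd's format.
SAMPLE_HASH=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
write_sample() {   # write_sample <dir>: creates good.img, bad.img, hash.log, abc.img, abc.log
    printf 'abcabcabc' > "$1/good.img"
    printf 'abcabdabc' > "$1/bad.img"
    printf '0 - 3: %s\n3 - 6: %s\n6 - 9: %s\n' "$SAMPLE_HASH" "$SAMPLE_HASH" "$SAMPLE_HASH" > "$1/hash.log"
    printf 'abc' > "$1/abc.img"
    printf 'Total (sha256): %s\n' "$SAMPLE_HASH" > "$1/abc.log"
}

# usage: verify_image_total linux_mint_usb.raw linux_mint_usb_.hash &&
#        verify_hash_windows linux_mint_usb.raw linux_mint_usb_.hash && echo "image verified"
```

The window check reads the whole image once more, so budget the time for it; it is the check to run after copying the image to another analysis box, and again before reporting, and a single reported window tells you exactly which 100 MiB to go and look at.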

Looking at the file "linux_mint_usb.raw" with the "file" utility, we see it recognises the MBR and reports the same partition fdisk did (start sector 2048, 61435904 sectors), a first sanity check that the image matches the device:

kali@securitynik:~/forensics$ file linux_mint_usb.raw 
linux_mint_usb.raw: DOS/MBR boot sector; partition 1 : ID=0xc, start-CHS (0x0,32,33), end-CHS (0x3ff,254,63), startsector 2048, 61435904 sectors

Now that we have the image, let's mount and perform some basic analysis in the next post.

Tuesday, August 11, 2020

Continuing mapping process - ProcDot

In a previous post, and in material from my book Hack and Detect, I demonstrated how to map an attacker's TTPs visually. This mapping gives immediate visibility into the attacker's activity.

This post focuses on ProcDOT, produced by the Austrian CERT (CERT.at).

The tool processes Sysinternals Process Monitor log files together with PCAP files produced by tools such as tcpdump, TShark or Wireshark.

Without further ado, let's get going. There are both Windows and Linux versions; for this post I downloaded and used the Windows one.

After downloading and extracting the archive, I started ProcDOT by running "procdot.exe".

You are then asked to make sure the paths to your plugins are configured. The website insists you read the "readme.txt"; they asked nicely, so do read it. It explains that you need windump.exe and Graphviz on your system.

While I took the time to do that configuration above, it must be noted that I am unable to run Windump on my Windows 10 VM.

Let's now get logs from Process Monitor to see what we can learn about the process on our system.

In the interest of time and to keep it simple, I will focus on cmd.exe as the parent process. 

Upon opening Process Monitor, I went to "File" -> "Capture Events" to disable the capturing of events before clearing the screen.

Next up, I created a filter for "Process Name is cmd.exe"



Now that the filter is set I then went back to "File" -> "Capture Events" to begin the capturing of events.

After executing a few commands in "cmd.exe", I then stopped capturing events. Next up save the file for input to ProcDOT by going to "File" -> "Save".


Next we see ProcDOT produced some information for our cmd.exe process and the threads. We do not see the children this process spawned. This is more than likely due to the filter we used with Process Monitor. 



Let's now take a capture where no filter was set and which ran for 1 minute, to see what we get.




Looks a lot more interesting. However, there is also a lot more data to analyze, and that is where your analysis skills come in.

Beginning password auditing with Domain Password Audit Tool (DPAT), NTDSUTIL and VSSADMIN

In this post, I am aiming to learn more about Domain Password Audit Tool (DPAT).

According to DPAT's GitHub page, this tool "is a python script that will generate password use statistics from password hashes dumped from a domain controller and a password crack file such as hashcat.potfile generated from the Hashcat tool during password cracking". 

Considering the above, we first need to get the password hashes from the domain controller and run them through hashcat, or in my case John the Ripper (JTR), before feeding both to DPAT.

Well let's get going.

To get at the Windows NTDS.dit file, we will connect to a Windows Server 2019 domain controller via PowerShell Remoting (PSRemoting). PSRemoting is enabled by default on Windows Server; if it is not, "Enable-PSRemoting" from an elevated PowerShell turns it on.

From the domain controller itself we can use Test-WSMan to verify that PSRemoting is listening. WSMan is WS-Management (Web Services for Management), the protocol PowerShell Remoting runs over.

PS C:\Users\Administrator> Test-WSMan -Verbose

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

That is cool, but we want to reach it remotely. Let's try from my Windows 10 device, which is joined to the securitynik.local domain.

PS C:\users\SecurityNik> Test-WSMan -ComputerName secnik-2k19 -Authentication Default

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 10.0.17763 SP: 0.0 Stack: 3.0

Let's now move on to "ntdsutil" to grab a copy of the AD database. First we use "Enter-PSSession" to connect to the remote server. Once connected, we run "hostname" to confirm the host we have connected to, followed by "whoami" to confirm the user.

PS C:\users\SecurityNik> Enter-PSSession -ComputerName secnik-2k19.securitynik.local -Authentication Default
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> hostname
secnik-2k19
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> whoami
securitynik\securitynik

Now, with "ntdsutil", let's list the database instances that currently exist.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "List Instances"
C:\Windows\system32\ntdsutil.exe: List Instances

Instance Name:         NTDS
LDAP Port:             389
SSL Port:              636
Install folder:        C:\Windows\NTDS
Database file:         C:\Windows\NTDS\ntds.dit
Log folder:            C:\Windows\NTDS
NTDS Mode    :         Active Directory Domain Controller Mode
C:\Windows\system32\ntdsutil.exe:
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents>

Let's now activate the "NTDS" Instance.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "Activate Instance NTDS"
C:\Windows\system32\ntdsutil.exe: Activate Instance NTDS
Active instance set to "NTDS".
C:\Windows\system32\ntdsutil.exe:

Next up, extend the existing command by leveraging the "ifm" command to create a full installation media of the NTDS instance and save it in a folder "c:\tmp" on the secnik-2k19 server.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "Activate Instance NTDS" "ifm" "create full c:\tmp"
C:\Windows\system32\ntdsutil.exe: Activate Instance NTDS
Active instance set to "NTDS".
C:\Windows\system32\ntdsutil.exe: ifm
ifm: create full c:\tmp
Creating snapshot...
Snapshot set {57102033-942a-43ef-841b-4b975fbe0c53} generated successfully.
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} mounted as C:\$SNAP_202008031318_VOLUMEC$\
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} is already mounted.
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202008031318_VOLUMEC$\Windows\NTDS\ntds.dit
     Target Database: c:\tmp\Active Directory\ntds.dit

                  Defragmentation  Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Copying registry files...
Copying c:\tmp\registry\SYSTEM
Copying c:\tmp\registry\SECURITY
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} unmounted.
IFM media created successfully in c:\tmp
ifm: C:\Windows\system32\ntdsutil.exe:

Let's now confirm the contents of the "c:\tmp" directory.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> dir C:\tmp\

    Directory: C:\tmp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry

Nice we got two folders. Let's now compress these into one archive file using the Powershell's "Compress-Archive" cmdlet.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Compress-Archive -Path c:\tmp\* -DestinationPath c:\tmp\ntds.zip -CompressionLevel Fastest -Force -Verbose
VERBOSE: Preparing to compress...
VERBOSE: Performing the operation "Compress-Archive" on target "
C:\tmp\Active Directory
C:\tmp\registry".
VERBOSE: Adding 'C:\tmp\Active Directory\ntds.dit'.
VERBOSE: Adding 'C:\tmp\Active Directory\ntds.jfm'.
VERBOSE: Adding 'C:\tmp\registry\SECURITY'.
VERBOSE: Adding 'C:\tmp\registry\SYSTEM'.
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry

Confirming the file was successfully created.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> dir C:\tmp\ntds.zip

    Directory: C:\tmp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         8/3/2020   1:25 PM        5497917 ntds.zip

To get the "ntds.zip" file off the system, let's use the "net use" command from the Windows 10 box to map the server's C$ administrative share as drive M: and copy the file. As we map the drive, we see this is reported as completed successfully.

D:\TOOLS>net use M: \\10.0.0.20\C$ /user:securitynik@securitynik.local
Enter the password for 'securitynik@securitynik.local' to connect to '10.0.0.20':
The command completed successfully.

We can further confirm this by executing "net use" once again, without any additional arguments.

D:\TOOLS>net use
New connections will not be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           M:        \\10.0.0.20\C$            Microsoft Windows Network
The command completed successfully.

Let's now copy the "ntds.zip" file onto our local system and confirm its existence.

D:\TOOLS>copy M:\tmp\ntds.zip .
        1 file(s) copied.

D:\TOOLS>dir ntds.zip
 Volume in drive D is Tools
 Volume Serial Number is F617-3FDD

 Directory of D:\TOOLS

2020-08-03  04:25 PM         5,497,917 ntds.zip
               1 File(s)      5,497,917 bytes
               0 Dir(s)  108,181,012,480 bytes free

Good stuff!! At this point, we have the "ntds.dit" file which holds the AD credentials, together with the SYSTEM hive from the "registry" folder. The SYSTEM hive matters: the hashes inside ntds.dit are encrypted with a key derived from the boot key stored in SYSTEM, so ntds.dit on its own cannot be decrypted.

Let's now move on to unzipping the "ntds.zip" file with the ultimate aim of obtaining the hashes. To make this task easier, let's leverage the Impacket suite of Python scripts.

kali@securitynik:~$ unzip ntds.zip -d ntds
Archive:  ntds.zip
warning:  ntds.zip appears to use backslashes as path separators
  inflating: ntds/Active Directory/ntds.dit  
  inflating: ntds/Active Directory/ntds.jfm  
  inflating: ntds/registry/SECURITY  
  inflating: ntds/registry/SYSTEM

After extraction, Impacket to the rescue. "secretsdump.py" takes the SYSTEM hive (for the boot key) and the ntds.dit file, with "LOCAL" telling it to parse the files offline rather than talk to a host. "-history" includes password history entries, and "-outputfile ntds.hashes" writes the results to "ntds.hashes.ntds" (plus ".ntds.kerberos" and ".ntds.cleartext" companions where there is data) while also printing them to the console, which is the output shown below.

kali@securitynik:~/ntds$ ~/impacket/examples/secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile ntds.hashes -history
Impacket v0.9.22.dev1+20200728.230151.48a3124c - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xd246c7f512f50bc6444d77d31b34ba98
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 21eb5b3777772c58c5e1bd65ad66e76b
[*] Reading and decrypting hashes from Active Directory/ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SECNIK-2K19$:1000:aad3b435b51404eeaad3b435b51404ee:b7b7c33ea8994be1ebd4f47202c3a9b6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:46ab1a2346b3ac6693d72b17691d5f77:::
securitynik.local\nik:1103:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
securitynik.local\nakia:1104:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
... <TRUNCATED FOR BREVITY> ...
securitynik.local\securitynik:des-cbc-md5:32450b15e026d6e9
SECURITYNIK-WIN$:aes256-cts-hmac-sha1-96:1e67390661aeb7fe7e7006a1002e98d8b1d9b67239a67c2d2de9e3ec85215632
SECURITYNIK-WIN$:aes128-cts-hmac-sha1-96:33e9b147797864ca6e5a8c94ebece17d
SECURITYNIK-WIN$:des-cbc-md5:613d9e34a468e343
[*] Cleaning up... 

Among the files the above creates is "ntds.hashes.ntds", the LM/NT hashes in pwdump format. That file can now be provided to our cracker of choice. I will use John the Ripper with "--format=nt"; DPAT, used further below, accepts either a John pot file or a Hashcat potfile as its crack file.

kali@securitynik:~/ntds$ sudo john ntds.hashes.ntds --format=nt
Using default input encoding: UTF-8
Loaded 26 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 4 candidates buffered for the current salt, minimum 24 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
                 (Guest)
Testing1         (Administrator)
Testing1         (securitynik.local\nik)
Testing1         (securitynik.local\nakia)
Testing1         (securitynik.local\neysa)
Testing1         (securitynik.local\saadia)
Testing1         (securitynik.local\admin)
Testing1         (securitynik.local\securitynik)
Proceeding with incremental:ASCII
....

DPAT (the Domain Password Audit Tool) takes the secretsdump ".ntds" file together with the cracker's pot file (John records each cracked hash and its password in "john.pot", which is what "--crackfile" expects) and builds an HTML report of reuse, length and cracking statistics. Upon executing "./dpat.py" with the relevant arguments, we get:

kali@securitynik:~/DPAT$ sudo ./dpat.py --ntdsfile ../ntds/ntds.hashes.ntds --crackfile john.pot 
The Report has been written to the "_DomainPasswordAuditReport.html" file in the "DPAT Report" directory
Would you like to open the report now? [Y/n]N

I selected "N" as I wanted to see what is in the "DPAT Report" directory. Below we see the contents which were available for my system.

kali@securitynik:~/DPAT/DPAT Report$ ls
 0length_usernames.html   3reuse_usernames.html             password_history.html        top_password_stats.html
 0reuse_usernames.html    4reuse_usernames.html             password_length_stats.html   users_only_cracked_through_lm.html
 1reuse_usernames.html   'all hashes.html'                  password_reuse_stats.html
 2reuse_usernames.html    _DomainPasswordAuditReport.html   report.css

Time to use Firefox to look at the "_DomainPasswordAuditReport.html" file.

kali@securitynik:~/DPAT/DPAT Report$ firefox _DomainPasswordAuditReport.html &


Above, we see the summary information (the report screenshots are not reproduced here).

Clicking "Details" beside a row, for example the password hashes row, lists the accounts behind that number.

Similarly, we can get information on top password use stats, etc. Feel free to click the "Details" to learn more.

Alternative way of getting passwords with VSSADMIN

We achieved our objective above. However, an alternate way of getting at the credentials is via the Volume Shadow Copy Service (VSS), which lets us copy the otherwise locked ntds.dit out of a point-in-time snapshot. This is also how tools such as Metasploit dump the Active Directory hashes.

PS C:\Tools> Enter-PSSession -ComputerName secnik-2k19.securitynik.local -Authentication Default
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents>

Let's first use "vssadmin" to see if any shadow copies currently exists.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.

Next let's list the volumes

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list volumes
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Volume path: \\?\Volume{fd091226-0000-0000-0000-100000000000}\
    Volume name: \\?\Volume{fd091226-0000-0000-0000-100000000000}\
Volume path: C:\

Taking a peek at the providers

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list providers
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Provider name: 'Microsoft File Share Shadow Copy provider'
   Provider type: Fileshare
   Provider Id: {89300202-3cec-4981-9171-19f59559e0f2}
   Version: 1.0.0.1

Provider name: 'Microsoft Software Shadow Copy provider 1.0'
   Provider type: System
   Provider Id: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Version: 1.0.0.7

At this point no copies exist that we can take advantage of. Guess we have to create our own.

Let's check the status of the "VSS" Service

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Get-Service VSS

Status   Name               DisplayName
------   ----               -----------
Stopped  VSS                Volume Shadow Copy

We now have to start the "VSS" service, after which we verify it is running.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Start-Service vss
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Get-Service VSS

Status   Name               DisplayName
------   ----               -----------
Running  VSS                Volume Shadow Copy

Now that the service is running, let's create a shadow copy.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {d93157d0-53e5-4f1b-b378-dc10ed0fb468}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3

Above, we see this is successful. Additionally, we can confirm this copy exists by listing the shadows as was done above.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {80bcd232-f7b0-4378-884d-8344436a3bd8}
   Contained 1 shadow copies at creation time: 8/6/2020 8:27:56 PM
      Shadow Copy ID: {d93157d0-53e5-4f1b-b378-dc10ed0fb468}
         Original Volume: (C:)\\?\Volume{fd091226-0000-0000-0000-602200000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: secnik-2k19.securitynik.local
         Service Machine: secnik-2k19.securitynik.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Now let's access the NTDS.dit file on the shadow copy by copying it to the "c:\tmp" folder.

[secnik-2k19.securitynik.local]: PS C:\tmp> cmd.exe /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit c:\tmp\ntds.dit"
        1 file(s) copied.
[secnik-2k19.securitynik.local]: PS C:\tmp> dir c:\tmp\


    Directory: C:\tmp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry
-a----         8/3/2020   1:04 PM       18874368 ntds.dit
-a----         8/3/2020   1:25 PM        5497917 ntds.zip

Now that the file is in the "c:\tmp" directory, we can process it as we did above. Remember that secretsdump also needs the SYSTEM hive; we already have one from the IFM run, but if you go this route on its own, copy "\Windows\System32\config\SYSTEM" from the same shadow copy as well. Before closing off, let's stop the VSS service.

[secnik-2k19.securitynik.local]: PS C:\tmp> Stop-Service vss
[secnik-2k19.securitynik.local]: PS C:\tmp> Get-Service vss

Status   Name               DisplayName
------   ----               -----------
Stopped  vss                Volume Shadow Copy

Let's now delete the shadow copy we created and verify no shadow copies exist.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin delete shadows /for=C: /quiet
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.

Well that's it for this post.

Beginning Proxychains - Keeping a low profile

As a defender, it is always recommended to NOT interact with a suspicious (threat actor) IP from your own network: the threat actor sees the source address of every probe, which tells them who is looking and from where. Yet we need to investigate those IPs to learn something about the threat and/or the device from which the attack is occurring, so what can we do? There are many options. One of these is to route the investigation through tools such as ProxyChains, as we will do in this post.

In this post, I am using Kali 2020.3. Proxychains is installed on Kali by default.

Here is my Kali version:

kali@securitynik:~$ lsb_release --all
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2020.3
Codename:       kali-rolling

Before we start using proxychains, let's first take a look at the  configuration. Specifically, I have changed the configuration from "strict_chain" to "random_chain". This was achieved by commenting "strict_chain" while uncommenting "random_chain". Here I use "grep" to show what the change looks like:

kali@securitynik:~$ cat /etc/proxychains.conf | grep --perl-regex "^# strict_chain|^random_chain"
# strict_chain
random_chain

Additionally, we look at the last 6 lines of the "/etc/proxychains.conf" file with a focus on the "[ProxyList]" section.

kali@securitynik:~$ cat /etc/proxychains.conf | tail --lines 6
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050

We see above that the only proxy listed is "socks4 127.0.0.1 9050", the default Tor SOCKS port. Let's see if tor is listening on port 9050.

kali@securitynik:~$ ss --numeric --listening --tcp
State       Recv-Q       Send-Q             Local Address:Port             Peer Address:Port      Process  

Above we see port 9050 is not listening. Let's verify if tor is installed.

kali@securitynik:~$ which tor
kali@securitynik:~$

Looks like tor is not installed. Let's install tor.

kali@securitynik:~$ sudo apt-get install tor
....

Once "tor" is installed, we look at the help.

kali@securitynik:~$ tor --help
Copyright (c) 2001-2004, Roger Dingledine
Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
Copyright (c) 2007-2020, The Tor Project, Inc.

tor -f <torrc> [args]
See man page for options, or https://www.torproject.org/ for documentation.

Let's now start tor

kali@securitynik:~$ tor
Jul 28 22:12:39.646 [notice] Tor 0.4.3.6 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1g, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.4.5.
Jul 28 22:12:39.647 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 28 22:12:39.647 [notice] Read configuration file "/etc/tor/torrc".
Jul 28 22:12:39.650 [notice] Opening Socks listener on 127.0.0.1:9050
Jul 28 22:12:39.651 [notice] Opened Socks listener on 127.0.0.1:9050
Jul 28 22:12:39.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jul 28 22:12:39.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jul 28 22:12:39.000 [notice] Bootstrapped 0% (starting): Starting
Jul 28 22:12:40.000 [notice] Starting with guard context "default"
Jul 28 22:12:40.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Jul 28 22:12:40.000 [notice] Bootstrapped 45% (requesting_descriptors): Asking for relay descriptors
Jul 28 22:12:41.000 [notice] Bootstrapped 59% (loading_descriptors): Loading relay descriptors
Jul 28 22:12:41.000 [notice] Bootstrapped 69% (loading_descriptors): Loading relay descriptors
Jul 28 22:12:42.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Jul 28 22:12:43.000 [notice] Bootstrapped 100% (done): Done

Now that we see above the last line says "Done", let's run "ss" again, to see if port 9050 is now listening.

kali@securitynik:~$ ss --numeric --listening --tcp
State       Recv-Q       Send-Q             Local Address:Port             Peer Address:Port      Process      
LISTEN      0            4096                   127.0.0.1:9050                  0.0.0.0:*                   

Let's now use "ncat" to make a request to "www.securitynik.com" on port 443. Here is what that looks like without proxy chains.

kali@securitynik:~$ ncat --verbose www.securitynik.com 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 172.217.2.115:443.

If we do a "ping" on "www.securitynik.com", we see it returns the address above. 

kali@securitynik:~$ ping www.securitynik.com
PING ghs.googlehosted.com (172.217.2.115) 56(84) bytes of data.

Let's now run that command one more time by prepending "proxychains" to it.

kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com 
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.

Both the DNS lookup and the HTTPS connection went through the chain, as the "|R-chain|" lines show (R for random_chain mode). The DNS line is proxychains' own resolver helper pushing a TCP query to 4.2.2.2:53 through 127.0.0.1:9050, so the lookup does not hit the local resolver either.
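
What those "|R-chain|" lines represent on the wire, as an added example that is not part of the original post and not proxychains' or Tor's code: the config line "socks4 127.0.0.1 9050" means every hop is a SOCKS4 CONNECT request to Tor's listener. SOCKS4 can only carry an IPv4 address, which is why proxychains has to resolve the name itself first (the 4.2.2.2:53 hop above); SOCKS4a, which Tor also accepts, puts the hostname in the request so the proxy resolves it instead. The builders and parser below follow the SOCKS4 and SOCKS4a formats; the reply bytes in the usage note are constructed, and the final helper assumes a Tor instance is listening on 127.0.0.1:9050 as set up above.

```python
"""Added example (not proxychains' or Tor's code): SOCKS4 and SOCKS4a CONNECT
requests as proxychains sends them to 127.0.0.1:9050, and the 8-byte reply.
Field layout follows the SOCKS4/SOCKS4a documents; sample bytes are constructed.
"""
import ipaddress
import socket
import struct

SOCKS4_VERSION = 0x04
CMD_CONNECT = 0x01
REPLY_GRANTED = 0x5A
REPLY_TEXT = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: identd not reachable",
    0x5D: "rejected: identd user mismatch",
}


def socks4_connect(ip, port, userid=""):
    """VN=4 CD=1 DSTPORT DSTIP USERID NUL. The caller already resolved the name,
    so with a plain SOCKS4 proxy the DNS lookup is the part that can leak."""
    header = struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, port)
    return header + ipaddress.IPv4Address(ip).packed + userid.encode() + b"\x00"


def socks4a_connect(hostname, port, userid=""):
    """SOCKS4a: DSTIP is 0.0.0.x (x != 0) and the hostname follows the USERID NUL,
    so the proxy resolves the name; nothing touches the local resolver."""
    header = struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, port)
    return (header + b"\x00\x00\x00\x01" + userid.encode() + b"\x00"
            + hostname.encode("idna") + b"\x00")


def is_socks4a(request):
    """True if the request carries the 0.0.0.x marker, i.e. remote resolution."""
    return request[4:7] == b"\x00\x00\x00" and request[7] != 0


def parse_socks4_reply(data):
    """Reply: VN(=0) CD DSTPORT DSTIP. Returns (granted, text, port, ip)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError(f"unexpected SOCKS4 reply version {vn}")
    ip = str(ipaddress.IPv4Address(data[4:8]))
    return cd == REPLY_GRANTED, REPLY_TEXT.get(cd, f"unknown code {cd}"), port, ip


def connect_via_socks4a(hostname, port, proxy=("127.0.0.1", 9050), timeout=30):
    """Open a TCP connection to hostname:port through a SOCKS4a proxy (assumed:
    Tor on 127.0.0.1:9050) and return the connected socket; raises if refused."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(socks4a_connect(hostname, port))
    granted, text, _port, _ip = parse_socks4_reply(sock.recv(8))
    if not granted:
        sock.close()
        raise ConnectionError(f"SOCKS4a CONNECT to {hostname}:{port} failed: {text}")
    return sock


if __name__ == "__main__":
    # Equivalent of the post's "proxychains ncat www.securitynik.com 443", but
    # with the name handed to Tor for resolution rather than resolved locally.
    s = connect_via_socks4a("www.securitynik.com", 443)
    print("connected through the proxy at", s.getpeername())
    s.close()
```

For www.securitynik.com on 443, socks4_connect produces the nine bytes 04 01 01bb ac d9 16 d3 00 (version, CONNECT, port 443, 172.217.22.211, empty user id), while socks4a_connect carries the 0.0.0.1 marker and the hostname instead; a granted reply from Tor is 00 5a followed by six (usually zero) bytes. The practical check this gives a defender: if your tooling insists on resolving names locally, the DNS query is the part of the investigation that leaves your network unproxied, which is exactly what the proxy_dns/proxyresolv mechanism in proxychains exists to prevent.
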

Let's run this a couple more times. The configuration was set to "random_chain", so let's see whether anything about the chain changes between runs.

kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com 
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.

Above, the destination is the same 172.217.22.211 as in the first run, and the proxy hop is still 127.0.0.1:9050.

Let's run this one final time.

kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com 
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 216.58.207.147
|R-chain|-<>-127.0.0.1:9050-<><>-216.58.207.147:443-<><>-OK
Ncat: Connected to 216.58.207.147:443.

Across the three runs the proxy chain itself never changed: 127.0.0.1:9050 is the only entry in "[ProxyList]", so "random_chain" has nothing to choose between (it only makes a difference with two or more proxies listed). What changed on the last run is the address that www.securitynik.com resolved to, because the lookup goes out through Tor and different exits receive different answers for a Google-hosted name. The hiding of our source address comes from Tor, not from the chain mode.

Well hopefully the blog post above has made your job easier as a defender, as you look to learn about suspicious hosts.
