Let's move on.
Using F-Response and SANS SIFT, we are able to grab a copy and or mount the hard drive and or memory of a remote device. This allows us to interact (as in mount) and or make a copy of the remote device's hard drive and or memory.
For this post, our SANS SIFT which will be our initiator is at IP address 10.0.0.101 as shown below:
$ ifconfig enp0s17 enp0s17 Link encap:Ethernet HWaddr 08:00:27:33:65:f2 inet addr:10.0.0.101 Bcast:10.0.0.255 Mask:255.255.255.0 inet6 addr: fe80::d517:64f0:2a5b:8de0/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:585830 errors:0 dropped:0 overruns:0 frame:0 TX packets:262057 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:499362677 (499.3 MB) TX bytes:15961094 (15.9 MB)
Our remote machine, which is called the target, is a Windows 10 (Build 16299) computer at IP 10.0.0.103 as shown below:
C:\>ipconfig Windows IP Configuration Ethernet adapter Ethernet: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::a049:348c:1e6b:6497%4 IPv4 Address. . . . . . . . . . . : 10.0.0.103 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . :
To get started, let's start the iSCSI dameon on our initiator (SANS SIFT)
$ sudo systemctl start iscsid
Verifying the status of the iSCSI dameon
$ sudo systemctl status iscsid ● iscsid.service - iSCSI initiator daemon (iscsid) Loaded: loaded (/lib/systemd/system/iscsid.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2018-06-02 16:56:42 UTC; 2h 11min ago Docs: man:iscsid(8) Main PID: 1242 (iscsid) Tasks: 2 Memory: 1.8M CPU: 1.710s CGroup: /system.slice/iscsid.service ├─1241 /sbin/iscsid └─1242 /sbin/iscsid Jun 02 16:56:42 forensics systemd[1]: Starting iSCSI initiator daemon (iscsid)... Jun 02 16:56:42 forensics iscsid[1239]: iSCSI logger with pid=1241 started! Jun 02 16:56:42 forensics systemd[1]: Started iSCSI initiator daemon (iscsid). Jun 02 16:56:42 forensics iscsid[1241]: iSCSI daemon with pid=1242 started! Jun 02 19:06:35 siftworkstation systemd[1]: Started iSCSI initiator daemon (iscsid).
From above we see the session is "active (running)". We see additional information related to the service which can be helpful.
Next up, because our iSCSI target (Windows 10) device requires authentication, we need to configure our "iscsid.conf" file with the credentials information.
$ sudo vi /etc/iscsi/iscsid.conf
In this file, we will modify the section which is within the "CHAP Settings" stanza. Specifically, we will un-comment the line:
#node.session.auth.authmethod = CHAP
Changing it to:
node.session.auth.authmethod = CHAP
Next we un-comment the following two lines:
node.session.auth.username = username node.session.auth.password = password
Changing them to:
node.session.auth.username = securitynik node.session.auth.password = Testing123456
Next up, we need to enable authentication configuration for the discovery mode. As a result, we need to un-comment:
#discovery.sendtargets.auth.authmethod = CHAP
changing it to
discovery.sendtargets.auth.authmethod = CHAP
Similarly, we un-comment the following lines:
#discovery.sendtargets.auth.authmethod = CHAP #discovery.sendtargets.auth.username = username #discovery.sendtargets.auth.password = password
and providing the username and password to be used:
discovery.sendtargets.auth.authmethod = CHAP discovery.sendtargets.auth.username = securitynik discovery.sendtargets.auth.password = Testing123456
Once those changes have been completed, we write and save our changes.
Now that we have our configuration in place, let's now attempt to discover the our Windows 10 target.
Running a node check before we start our discovery process, we get:
$ iscsiadm -m node iscsiadm: No records found
Now running our discovery in debug mode 7, so that we can see the messages which are triggered during the connection, we get:
$ sudo iscsiadm --mode discovery --type sendtargets --portal 10.0.0.103 --debug 7 ........ iscsiadm: authentication setup complete... iscsiadm: sendtargets discovery to 10.0.0.103:3260 using isid 0x00023d000000 iscsiadm: resolved 10.0.0.103 to 10.0.0.103 iscsiadm: discovery timeouts: login 15, reopen_cnt 6, auth 45. iscsiadm: connecting to 10.0.0.103:3260 iscsiadm: connected local port 56976 to 10.0.0.103:3260 iscsiadm: connected to discovery address 10.0.0.103 iscsiadm: discovery session to 10.0.0.103:3260 starting iSCSI login iscsiadm: sending login PDU with current stage 0, next stage 1, transit 0x80, isid 0x00023d000000 exp_statsn 0 iscsiadm: > InitiatorName=iqn.1993-08.org.debian:01:3cd8a599b830 iscsiadm: > InitiatorAlias=forensics iscsiadm: > SessionType=Discovery iscsiadm: > AuthMethod=CHAP,None iscsiadm: wrote 48 bytes of PDU header iscsiadm: wrote 124 bytes of PDU data iscsiadm: read 48 bytes of PDU header iscsiadm: read 48 PDU header bytes, opcode 0x23, dlength 39, data 0x56054a3194c0, max 32768 iscsiadm: read 39 bytes of PDU data iscsiadm: read 1 pad bytes iscsiadm: finished reading login PDU, 48 hdr, 0 ah, 39 data, 1 pad iscsiadm: login current stage 0, next stage 0, transit 0x0 iscsiadm: > AuthMethod=CHAP iscsiadm: > TargetPortalGroupTag=1 iscsiadm: login response status 0000 iscsiadm: sending login PDU with current stage 0, next stage 0, transit 0x0, isid 0x00023d000000 exp_statsn 1 iscsiadm: > CHAP_A=5 iscsiadm: wrote 48 bytes of PDU header iscsiadm: wrote 12 bytes of PDU data iscsiadm: read 48 bytes of PDU header iscsiadm: read 48 PDU header bytes, opcode 0x23, dlength 60, data 0x56054a3194c0, max 32768 iscsiadm: read 60 bytes of PDU data iscsiadm: finished reading login PDU, 48 hdr, 0 ah, 60 data, 0 pad iscsiadm: login current stage 0, next stage 0, transit 0x0 iscsiadm: > CHAP_A=5 iscsiadm: > CHAP_I=5 iscsiadm: > CHAP_C=0xb9751cd011bda258bbb0670e284e4d49 iscsiadm: login response status 0000 iscsiadm: sending login PDU with current stage 0, next stage 1, transit 0x80, isid 0x00023d000000 exp_statsn 2 iscsiadm: > CHAP_N=securitynik iscsiadm: > CHAP_R=0xd27b71c4cd9b0c8bde64daa4333a666e iscsiadm: wrote 48 bytes of PDU header iscsiadm: wrote 64 bytes of PDU data iscsiadm: read 48 bytes of PDU header iscsiadm: read 48 PDU header bytes, opcode 0x23, dlength 0, data 0x56054a3194c0, max 32768 iscsiadm: login response status 0000 iscsiadm: sending login PDU with current stage 1, next stage 3, transit 0x80, isid 0x00023d000000 exp_statsn 3 iscsiadm: > HeaderDigest=None iscsiadm: > DataDigest=None iscsiadm: > DefaultTime2Wait=2 iscsiadm: > DefaultTime2Retain=0 iscsiadm: > IFMarker=No iscsiadm: > OFMarker=No iscsiadm: > ErrorRecoveryLevel=0 iscsiadm: > MaxRecvDataSegmentLength=32768 iscsiadm: wrote 48 bytes of PDU header iscsiadm: wrote 152 bytes of PDU data iscsiadm: read 48 bytes of PDU header iscsiadm: read 48 PDU header bytes, opcode 0x23, dlength 150, data 0x56054a3194c0, max 32768 iscsiadm: read 150 bytes of PDU data iscsiadm: read 2 pad bytes iscsiadm: finished reading login PDU, 48 hdr, 0 ah, 150 data, 2 pad iscsiadm: login current stage 1, next stage 3, transit 0x80 iscsiadm: > HeaderDigest=None iscsiadm: > DataDigest=None iscsiadm: > DefaultTime2Wait=2 iscsiadm: > DefaultTime2Retain=0 iscsiadm: > IFMarker=No iscsiadm: > OFMarker=No iscsiadm: > ErrorRecoveryLevel=0 iscsiadm: > MaxRecvDataSegmentLength=32768 iscsiadm: login response status 0000 iscsiadm: discovery login success to 10.0.0.103 iscsiadm: sending text pdu with CmdSN 1, exp_statsn 1 iscsiadm: > SendTargets=All iscsiadm: wrote 48 bytes of PDU header iscsiadm: wrote 16 bytes of PDU data iscsiadm: discovery process 10.0.0.103:3260 polling fd 3, timeout in 30.000000 seconds iscsiadm: read 48 bytes of PDU header iscsiadm: read 48 PDU header bytes, opcode 0x24, dlength 276, data 0x56054a3194c0, max 32768 iscsiadm: read 276 bytes of PDU data iscsiadm: finished reading text PDU, 48 hdr, 0 ah, 276 data, 0 pad iscsiadm: > TargetName=iqn.2008-02.com.f-response.securitynik-win:disk-0 iscsiadm: > TargetAddress=10.0.0.103:3260,1 iscsiadm: > TargetName=iqn.2008-02.com.f-response.securitynik-win:vol-c iscsiadm: > TargetAddress=10.0.0.103:3260,1 iscsiadm: > TargetName=iqn.2008-02.com.f-response.securitynik-win:pmem iscsiadm: > TargetAddress=10.0.0.103:3260,1 iscsiadm: discovery session to 10.0.0.103:3260 received text response, 276 data bytes, ttt 0xffffffff, final 0x80 iscsiadm: updating defaults from '/etc/iscsi/iscsid.conf' iscsiadm: updating defaults from '/etc/iscsi/iscsid.conf' iscsiadm: updating defaults from '/etc/iscsi/iscsid.conf' iscsiadm: discovery process to 10.0.0.103:3260 exiting iscsiadm: disconnecting conn 0x56054a3120e0, fd 3 iscsiadm: searching iqn.2008-02.com.f-response.securitynik-win:disk-0 iscsiadm: found 10.0.0.103,3260,1 iscsiadm: iface iter found default. iscsiadm: match session [iqn.2008-02.com.f-response.securitynik-win:disk-0,10.0.0.103,3260][default tcp,,]:0 iscsiadm: to [iqn.2008-02.com.f-response.securitynik-win:disk-0,10.0.0.103,3260][default tcp,,]:0 iscsiadm: searching iqn.2008-02.com.f-response.securitynik-win:vol-c iscsiadm: found 10.0.0.103,3260,1 iscsiadm: iface iter found default. iscsiadm: match session [iqn.2008-02.com.f-response.securitynik-win:vol-c,10.0.0.103,3260][default tcp,,]:0 iscsiadm: to [iqn.2008-02.com.f-response.securitynik-win:disk-0,10.0.0.103,3260][default tcp,,]:0 iscsiadm: match session [iqn.2008-02.com.f-response.securitynik-win:vol-c,10.0.0.103,3260][default tcp,,]:0 iscsiadm: to [iqn.2008-02.com.f-response.securitynik-win:vol-c,10.0.0.103,3260][default tcp,,]:0 iscsiadm: searching iqn.2008-02.com.f-response.securitynik-win:pmem iscsiadm: found 10.0.0.103,3260,1 ........ iscsiadm: Looking for config file /etc/iscsi/nodes/iqn.2008-02.com.f-response.securitynik-win:pmem/10.0.0.103,3260 10.0.0.103:3260,1 iqn.2008-02.com.f-response.securitynik-win:disk-0 10.0.0.103:3260,1 iqn.2008-02.com.f-response.securitynik-win:vol-c 10.0.0.103:3260,1 iqn.2008-02.com.f-response.securitynik-win:pmem
Note, I've chosen to use "--debug 7" above, because I was having some initial issues with connectivity and authentication. By looking at the debug, I was able to solve this problem.
From below, we see we have access to "securitynik-win:disk-0", "securitynik-win:vol-c" and the physical memory "securitynik-win:pmem
".
10.0.0.103:3260,1 iqn.2008-02.com.f-response.securitynik-win:disk-0 10.0.0.103:3260,1 iqn.2008-02.com.f-response.securitynik-win:vol-c 10.0.0.103:3260,1 iqn.2008-02.com.f-response.securitynik-win:pmem
Next step is for us to connect/attach to our target images. To attach we need to ensure we login.
Let's first connect to "disk-0".
$ sudo iscsiadm --mode node --targetname iqn.2008-02.com.f-response.securitynik-win:disk-0 --login Logging in to [iface: default, target: iqn.2008-02.com.f-response.securitynik-win:disk-0, portal: 10.0.0.103,3260] (multiple) Login to [iface: default, target: iqn.2008-02.com.f-response.securitynik-win:disk-0, portal: 10.0.0.103,3260] successful.
This is then followed by "vol-c"
$ sudo iscsiadm --mode node --targetname iqn.2008-02.com.f-response.securitynik-win:vol-c --login Logging in to [iface: default, target: iqn.2008-02.com.f-response.securitynik-win:vol-c, portal: 10.0.0.103,3260] (multiple) Login to [iface: default, target: iqn.2008-02.com.f-response.securitynik-win:vol-c, portal: 10.0.0.103,3260] successful.
Finally physical memory "pmen".
$ sudo iscsiadm --mode node --targetname iqn.2008-02.com.f-response.securitynik-win:pmem --login Logging in to [iface: default, target: iqn.2008-02.com.f-response.securitynik-win:pmem, portal: 10.0.0.103,3260] (multiple) Login to [iface: default, target: iqn.2008-02.com.f-response.securitynik-win:pmem, portal: 10.0.0.103,3260] successful.
Looking at our "dmesg" output below, we see we have 3 drives which have been attached. These are "sdb", "sdc" and "sdd"
$ dmesg [43564.318175] scsi host33: iSCSI Initiator over TCP/IP [43565.346490] scsi 33:0:0:0: Direct-Access FRES securitynik-win 0 PQ: 0 ANSI: 3 [43565.347334] sd 33:0:0:0: Attached scsi generic sg2 type 0 [43565.348464] sd 33:0:0:0: [sdb] 62914560 512-byte logical blocks: (32.2 GB/30.0 GiB) [43565.348792] sd 33:0:0:0: [sdb] Write Protect is off [43565.348795] sd 33:0:0:0: [sdb] Mode Sense: 0e 00 00 08 [43565.349815] sd 33:0:0:0: [sdb] Incomplete mode parameter data [43565.349819] sd 33:0:0:0: [sdb] Assuming drive cache: write through [43565.356721] sdb: sdb1 sdb2 [43565.360763] sd 33:0:0:0: [sdb] Attached SCSI disk [43755.214676] scsi host34: iSCSI Initiator over TCP/IP [43756.256567] scsi 34:0:0:0: Direct-Access FRES securitynik-win 0 PQ: 0 ANSI: 3 [43756.258681] sd 34:0:0:0: Attached scsi generic sg3 type 0 [43756.258726] sd 34:0:0:0: [sdc] 61786112 512-byte logical blocks: (31.6 GB/29.5 GiB) [43756.259473] sd 34:0:0:0: [sdc] Write Protect is off [43756.259478] sd 34:0:0:0: [sdc] Mode Sense: 0e 00 00 08 [43756.261317] sd 34:0:0:0: [sdc] Incomplete mode parameter data [43756.261323] sd 34:0:0:0: [sdc] Assuming drive cache: write through [43756.351324] sd 34:0:0:0: [sdc] Attached SCSI disk [43756.351547] sd 34:0:0:0: [sdc] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK [43756.351553] sd 34:0:0:0: [sdc] tag#0 CDB: Read(10) 28 00 03 ae c7 f8 00 00 08 00 [43756.351555] blk_update_request: I/O error, dev sdc, sector 61786104 [43756.351691] connection2:0: detected conn error (1020) [43760.170090] sd 34:0:0:0: [sdc] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK [43760.170105] sd 34:0:0:0: [sdc] tag#0 CDB: Read(10) 28 00 03 ae c7 f8 00 00 08 00 [43760.170112] blk_update_request: I/O error, dev sdc, sector 61786104 [43760.170119] Buffer I/O error on dev sdc, logical block 7723263, async page read [43760.170229] connection2:0: detected conn error (1020) [43786.323143] scsi host35: iSCSI Initiator over TCP/IP [43787.351029] scsi 35:0:0:0: Direct-Access FRES securitynik-win 0 PQ: 0 ANSI: 3 [43787.353378] sd 35:0:0:0: Attached scsi generic sg4 type 0 [43787.354844] sd 35:0:0:0: [sdd] 524272 4096-byte logical blocks: (2.15 GB/2.00 GiB) [43787.355045] sd 35:0:0:0: [sdd] Write Protect is off [43787.355048] sd 35:0:0:0: [sdd] Mode Sense: 0e 00 00 08 [43787.355445] sd 35:0:0:0: [sdd] Incomplete mode parameter data [43787.355449] sd 35:0:0:0: [sdd] Assuming drive cache: write through [43787.363032] sd 35:0:0:0: [sdd] Attached SCSI disk
Looking at our "fdisk --list" result, we have:
$ sudo fdisk --list /dev/sdb /dev/sdc /dev/sdd Disk /dev/sdb: 30 GiB, 32212254720 bytes, 62914560 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0x8bfd5be0 Device Boot Start End Sectors Size Id Type /dev/sdb1 * 2048 1126399 1124352 549M 7 HPFS/NTFS/exFAT /dev/sdb2 1126400 62912511 61786112 29.5G 7 HPFS/NTFS/exFAT Disk /dev/sdc: 29.5 GiB, 31634489344 bytes, 61786112 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0x73736572 Device Boot Start End Sectors Size Id Type /dev/sdc1 1920221984 3736432267 1816210284 866G 72 unknown /dev/sdc2 1936028192 3889681299 1953653108 931.6G 6c unknown /dev/sdc3 0 0 0 0B 0 Empty /dev/sdc4 27722122 27722568 447 223.5K 0 Empty Partition table entries are not in disk order. Disk /dev/sdd: 2 GiB, 2147418112 bytes, 524272 sectors Units: sectors of 1 * 4096 = 4096 bytes Sector size (logical/physical): 4096 bytes / 4096 bytes I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Now that we are able to see our drives. Let's take a copy of "securitynik-win:disk-0" which is can be seen as drive "Disk /dev/sdb: 30 GiB" using the information we learned in thist post on "DC3dd - Creating a Forensic Image of a USB"
$ sudo dc3dd if=/dev/sdb hof=/cases/securitynik-win10-disk0.img hash=md5 hash=sha256 log=/cases/securitynik-win10-disk0.log verb=on ssz=512 dc3dd 7.2.641 started at 2018-06-03 15:07:23 +0000 compiled options: command line: dc3dd if=/dev/sdb hof=/cases/securitynik-win10-disk0.img hash=md5 hash=sha256 log=/cases/securitynik-win10-disk0.log verb=on ssz=512 device size: 62914560 sectors (probed), 32,212,254,720 bytes sector size: 512 bytes (set) 32212254720 bytes ( 30 G ) copied ( 100% ), 1721 s, 18 M/s 32212254720 bytes ( 30 G ) hashed ( 100% ), 242 s, 127 M/s input results for device `/dev/sdb': 62914560 sectors in 0 bad sectors replaced by zeros 7805b0c1b12f82134d32a87bff928e8f (md5) d085187ff29cdcafdc8d0e346ecbf8058b05564ab0d7681e4bfcdf45e0102199 (sha256) output results for file `/cases/securitynik-win10-disk0.img': 62914560 sectors out [ok] 7805b0c1b12f82134d32a87bff928e8f (md5) [ok] d085187ff29cdcafdc8d0e346ecbf8058b05564ab0d7681e4bfcdf45e0102199 (sha256) dc3dd completed at 2018-06-03 15:36:03 +0000
Note, above I choose to use the full disk image rather than "securitynik-win:vol-c". I did this as volume C is part of the disk0. By taking disk0, I'm capturing the entire drive.
Now that we have a copy of the disk, let's take a copy of the memory at "securitynik-win:pmem" which is mapped to "Disk /dev/sdd: 2 GiB"
$ sudo dc3dd if=/dev/sdd hof=/cases/securitynik-win10-pmem.img hash=md5 hash=sha256 log=/cases/securitynik-win10-pmem.log verb=on ssz=4096 dc3dd 7.2.641 started at 2018-06-03 15:38:41 +0000 compiled options: command line: dc3dd if=/dev/sdd hof=/cases/securitynik-win10-pmem.img hash=md5 hash=sha256 log=/cases/securitynik-win10-pmem.log verb=on ssz=4096 device size: 524272 sectors (probed), 2,147,418,112 bytes sector size: 4096 bytes (set) 2147418112 bytes ( 2 G ) copied ( 100% ), 91 s, 22 M/s 2147418112 bytes ( 2 G ) hashed ( 100% ), 25 s, 81 M/s input results for device `/dev/sdd': 524272 sectors in 0 bad sectors replaced by zeros 681d714897777cd5b1a81f298ef246bb (md5) 042e901cab714bf9f694b688af363a91fcc009307d39822ce0769446a9432b5d (sha256) output results for file `/cases/securitynik-win10-pmem.img': 524272 sectors out [ok] 681d714897777cd5b1a81f298ef246bb (md5) [ok] 042e901cab714bf9f694b688af363a91fcc009307d39822ce0769446a9432b5d (sha256) dc3dd completed at 2018-06-03 15:40:13 +0000
These images can be used later for other offline forensic activities, which we will perform as we go along.
References:
https://f-response.com/blog/accessing-f-response-using-linux
https://www.f-response.com/assets/pdfs/F-ResponseManual.pdf
https://www.f-response.com/software/ee
https://linux.die.net/man/8/iscsiadm
https://wiki.archlinux.org/index.php/ISCSI_Initiator
SecurityNik creating a forensic image of a USB
No comments:
Post a Comment