Forensic Investigation: Extract Volatile Data (Manually)


In this article, we will run a set of CLI commands that help a forensic investigator gather as much volatile data from the system as possible. The commands used in this post are not the complete list, but they are the most commonly used ones.
As a forensic investigator, create a folder on the desktop named "case" and inside it a subfolder named "case01", then use an empty document "volatile.txt" to save the output you extract.
Here I have saved all the output inside /SKS19/prac/notes.txt, which helps us create the investigation report.

Table of Contents
· What is Volatile Data?
· System Information
· Currently Available Network Connections
· Routing Configuration
· Date and Time
· System Variables
· Task List
· Task List with Modules
· Task List with Services
· Workstation Information
· MAC Address saved in System ARP Cache
· System User Details
· DNS Configuration
· System Network Shares
· Network Configuration

What is Volatile Data?
There are two types of data collected in computer forensics: persistent data and volatile data. Persistent data is stored on a local hard drive and is preserved when the computer is off. Volatile data is any kind of data stored in memory, which is lost when the computer loses power or is switched off.
Volatile data resides in the registry's cache and random access memory (RAM). The investigation of volatile data is called "live forensics".

System Information
This is a system profiler included with Microsoft Windows that displays diagnostic and troubleshooting information related to the operating system, hardware and software.
We can collect this volatile data with the help of commands. All we need is to type this command:

systeminfo >> notes.txt

It will save all the data in this text file. We check whether the file was created with the [dir] command.


Now go to that location to see the results of the command, which show all the system information about our software and hardware.


Currently Available Network Connections
Network connectivity describes the extensive process of connecting the various parts of a network with the help of routers, switches and gateways.
We can check all the currently available network connections through the command line.

netstat -nao >> notes.txt

We can check whether the file was created with the help of the [dir] command.


Now open that text file to see all the connections currently active on the system. It also provides extra details such as state, PID, address and protocol.


Routing Configuration
It specifies the correct IP addresses and router settings. Host configuration sets up a network connection on a host computer or laptop by recording the default network settings, such as the IP address, proxy, network name and ID/password.
To learn the routing configuration of our network, use this command.

route print >> notes.txt
We can check the file with the [dir] command.


Open the txt file to evaluate the results of this command, such as the routing table and its settings.


Date and Time
To record the date and time of the system we use this command, then check whether the file was created with the help of the [dir] command.

echo %date% %time% >> notes.txt
dir


Open that file to see the data gathered by the command.


System Variables
A system variable is a dynamic named value that can affect the way running processes behave on the computer. They are part of the environment in which processes run. For example, a running process can query the value of the TEMP environment variable to discover a suitable location for storing temporary files.
We can list all the system variables set on a system with a single command.

set >> notes.txt

We can check whether the file was created with the [dir] command.

dir


Now open the text file to see the system variables set on the system.



Task List
A task list is a menu that appears in Microsoft Windows providing a list of the applications running on the system. To get the task list of the system along with each process ID and its memory usage, use this command.

tasklist >> notes.txt

We can also check whether the text file was created with the [dir] command.


Open the text file to evaluate the details.


Task List with Modules
With the task list modules option we can see the modules loaded by each task. We can see that result in our investigation with the help of the following command.

tasklist /m >> notes.txt

We can check whether our result file was created with the help of the [dir] command.


Open the text file to evaluate the command results.


Task List with Services
It shows all the services hosted by each task. We get these results into our forensic report by using this command.

tasklist /svc >> notes.txt

We check whether the text file was created with the help of the [dir] command.



Open this text file to evaluate the results. It shows the services hosted by each task.


Workstation Information
A workstation is a special computer designed for technical or scientific applications, intended primarily to be used by one person at a time. They are commonly connected to a LAN and run multi-user operating systems. Use the following command to get our workstation details.

net config workstation >> notes.txt

To check whether the file was created, use the [dir] command.


Now, open the text file to see the investigation results.


MAC Address saved in System ARP Cache
There are two types of ARP entries: static and dynamic. Most of the time we use dynamic ARP entries, meaning the entries are kept on a device for some period of time, as long as they are being used.
A static ARP entry, by contrast, requires a manual link between the Ethernet MAC address and the IP address. Because of the management overhead and the lack of significant downsides, we use dynamic entries most of the time. To get these details in the investigation, use this command.

arp -a >> notes.txt

We can check whether the text file was created with the [dir] command.


Now, open the text file to see the investigation report.



System User Details
A user is a person who is utilizing a computer or network service. Users of computer systems and software products generally lack the technical expertise required to fully understand how they work. To get the user details, use this command.

net user %username% >> notes.txt

We can use the [dir] command to check whether the file was created.


Now open the text file to see the investigation report.


DNS Configuration
DNS is the Internet system for converting alphabetic names into numeric IP addresses. When a web address is typed into the browser, DNS servers return the IP address of the web server associated with that name. To see the system DNS configuration, use this command.

ipconfig /displaydns >> notes.txt

We can check whether the text report was created with the [dir] command.


Now open the text file to see the report.


System network shares
A shared network means a common Wi-Fi or LAN connection. The same is possible for a folder on the system: by turning on network sharing and granting certain or restricted rights, these folders can be viewed by other users/computers on the same network. We can see these details with the following command.

net share >> notes.txt

We can also check whether the file was created with the [dir] command.


Now, open that text file to see the investigation report.


Network configuration
Network configuration is the process of setting a network's controls, flow and operation to support the network communication of an organization and/or network owner. The term covers the multiple configuration and setup processes on network hardware, software and other supporting devices and components. To get the network details, use this command.

ipconfig /all >> notes.txt

As usual, we can check whether the file was created with the [dir] command.


Now, open the text file to see the investigation report.



As we said earlier, these are only a few of the commonly used commands. There are plenty more in the forensic investigator's arsenal.
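The output collected above only becomes useful once it is cross-referenced. The following Python script is an added example, not part of the original article: it joins the `netstat -nao` and `tasklist` output saved in notes.txt on PID, so every connection is labelled with its owning process, and then filters for established connections to non-private addresses. The sample command output embedded in it is constructed, not a capture.

```python
import ipaddress
import re

# Constructed sample of `netstat -nao` output (Windows format), not a capture.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.0.15:49721     93.184.216.34:443      ESTABLISHED     4212
  TCP    192.168.0.15:49733     192.168.0.20:445       ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1780
"""

# Constructed sample of `tasklist` output taken moments later.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0      1,024 K
svchost.exe                    912 Services                   0     12,344 K
chrome.exe                    4212 Console                    1    254,120 K
"""

# netstat rows: proto, local, foreign, optional state (UDP has none), PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")
# tasklist rows: image name (may contain spaces), PID, session, session#, memory.
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_tasklist(text):
    """Map PID -> image name; header and separator lines do not match."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image")
    return procs

def join_connections(netstat_text, tasklist_text):
    """One dict per netstat row, with the owning image name attached."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        # A PID absent from tasklist (process exited between the two commands) is labelled, not dropped.
        rows.append({"proto": m.group("proto"), "local": m.group("local"),
                     "remote": m.group("remote"), "state": m.group("state") or "",
                     "pid": pid, "image": procs.get(pid, "<not in tasklist>")})
    return rows

def is_external(remote):
    """True when the remote endpoint is a public, non-loopback IP address."""
    host = remote.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # "*:*" or a hostname: cannot classify
        return False
    return not (addr.is_private or addr.is_loopback)

def external_connections(rows):
    """ESTABLISHED connections to addresses outside the local network."""
    return [r for r in rows if r["state"] == "ESTABLISHED" and is_external(r["remote"])]
```

To use it on a real notes.txt, split out the two command sections and pass their text to join_connections; the sample data shows the UDP row (no state column) and a PID that has already exited being handled.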

Multiple Ways to Banner Grabbing

Grabbing a banner is the first and apparently the most important phase in both offensive and defensive penetration testing. In this article we'll take a tour of "Banner Grabbing" and learn how different command-line tools and web interfaces help us grab the banner of a web server and its running services.
Table of Contents
· Introduction
· Why Banner Grabbing?
· Types of Banner Grabbing
· Banner grabbing using Kali Linux
  o whatweb
  o cURL
  o wget
  o telnet
  o netcat
  o nikto
  o Nmap
  o Dmitry
· Banner grabbing over Burp Suite
· Banner grabbing using Netcraft
· Banner grabbing through browser extensions
  o Wappalyzer
  o HTTP Header Live
· Banner grabbing using ID Serve

Introduction
"Banner Grabbing" is often termed "Service Fingerprinting".
A banner is a text message received from the host; usually it includes information about the open ports and services with their version numbers.

Why Banner Grabbing?
Banner grabbing allows an attacker to discover network hosts and the services running on their open ports with their versions, and moreover their operating systems, so that he can exploit the remote host.

Banner disclosure is the most common vulnerability of this kind, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), with a CVSS score of 5.0 and a risk factor of Medium.

To make this clearer, we'll consider an attack scenario:
As we all know, Microsoft Windows 7 is exploitable by EternalBlue (CVE-2017-0143) directly through the SMBv1 service. To enumerate such a server, the attacker first grabs a service banner, which reveals whether a vulnerable version of the SMB service is running on it or not. If it is, he/she can exploit the Microsoft server directly with the EternalBlue attack. You can learn more about this attack from here.

Types of Banner Grabbing

1. Active banner grabbing: the attacker crafts or modifies his/her own packets, sends them to the remote host and analyses the response data to obtain the operating system information and the services running with their versions.

2. Passive banner grabbing: the attacker collects data about the target using publicly available information, i.e. by analysing the server with the help of error messages or by sniffing the network traffic.
By now you should have a good idea of what banner grabbing is and why it is used.
Let's continue by exploring the most aggressive and direct methods of grabbing a service banner.

Banner grabbing using Kali Linux
Whatweb
WhatWeb identifies websites, which helps us grab the web application's banner by disclosing the server information with its version, the IP address, the page title and the running operating system.
Type the following commands to capture the essentials.

whatweb
whatweb http://192.168.0.11



cURL
The cURL command includes functionality for retrieving the banner details from HTTP servers. Just execute the following command and see what we grab:

curl -s -I 192.168.0.11

To get a clean result, we use the -s flag to suppress the progress meter and error messages, and the -I flag to print only the header information of the requested page.



Wget
We will be using the wget command to capture the HTTP banner of the remote server.

wget -q -S 192.168.0.11

The -q flag hides the progress output, while the -S flag prints the header information sent by the server.



Telnet
We will use the Telnet protocol to interact with services and grab their banners.
Type the following command to grab the FTP banner of the remote server.

telnet 192.168.0.11 21

As a result it will dump "220 (vsFTPd 3.0.3)".



Netcat
Netcat is a network utility that will again help us grab the FTP banner of the remote host.

nc 192.168.0.11 21

From the above image you can see that it dumps "220 (vsFTPd 3.0.3)".



Nikto
Nikto is an open-source web application scanner, which we'll use to grab the banner of a website running on an Ubuntu server.

Type the following command to capture the installed web server and its version, the configured index files, the HTTP server options and a list of other useful details.

nikto -h http://192.168.0.11

The -h flag is used to specify the host.

NMAP
We'll use Nmap as a simple banner grabber that connects to an open TCP port and prints out anything sent by the listening service within a couple of seconds.
Type the following command to grab the banner of the SSH service running on port 22 of the remote host.

nmap -sV -p22 192.168.0.11

The -sV flag prints out the version of the running service.

From the above screenshot you can read the SSH service and its version, fetched by Nmap as "OpenSSH 7.6p1 Ubuntu 4ubuntu0.3".
Dmitry
Dmitry (Deepmagic Information Gathering Tool) can gather as much information as possible about a host. Its base functionality gathers possible subdomains, email addresses, uptime information, TCP port scans, whois lookups and much more.
The -pb flag grabs the banner of every open port on the remote host.
Run the following command to grab the banners of the running services.

dmitry -pb 192.168.0.11



Banner Grabbing over Burpsuite
While performing an attack or a penetration test, we all use Burp Suite at one point or another, but does it help us identify the target's web server?
Yes, we can simply grab the server's information from the response generated by the Repeater.

In the screenshot below you can see that I've sent the intercepted request to the Repeater. As soon as I hit the Send button, the request is replayed and on the right-hand side you get the captured server details: Apache/2.4.29 (Ubuntu).



Banner Grabbing using Netcraft
Netcraft is one of the most useful information-gathering web interfaces; it helps us check the technologies and the infrastructure behind web applications.
So I'll be using a demo website on Netcraft to grab some service banners and capture all the possible information.



In the image above you can see that I have grabbed the hosting history of testphp.vulnweb.com, which shows the IP addresses, the operating systems and the web servers along with when they were last seen.



Banner Grabbing through Browser Extensions
Grabbing the banners of multiple web applications can be time consuming. To make the work faster, we will set up some browser extensions that capture the server information with its version numbers, the running operating system and the other frameworks that drive the web application.

Wappalyzer
Wappalyzer is a free browser extension available for both Mozilla Firefox and Google Chrome. It helps us check the technologies of the web application, mainly the server with its version and the framework running on it. You can add this extension to your browser from here.



In the image above you can see that we have easily captured "Apache 2.2.0" as the server, "PHP 5.3.10" as the programming language and "Ubuntu and Fedora" as the running operating systems.

HTTP Header Live

This extension lets us capture outgoing HTTP requests before they are sent to the server.
We are going to grab some server banners through this HTTP Header extension. You can add it to your browser from here.
In the image below you can see that, as soon as I captured the HTTP request, I was presented with the target's information containing the server and operating system banner, i.e. Apache/2.4.29 (Ubuntu).



Banner Grabbing using ID Serve
ID Serve is a free, general-purpose Internet server identification utility that helps us grab the banner of a remote host. You can download the tool from here.

Just enter the target's website URL and hit the "Query This Server" button. It dumps everything it could get, including the IP address, open ports, cookies and the server information.
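Seen from the defender's side, the same banners show exactly what a server hands out for free. The following Python script is an added example, not from the article or from any of the tools it lists: it parses an HTTP response and service greeting lines of the kinds shown above and reports the product/version pairs they disclose. The response and greetings are constructed samples.

```python
import re

# Constructed HTTP response of the kind cURL -I, Burp Repeater or HTTP Header
# Live show for the article's Ubuntu web server (not a real capture).
HTTP_SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed greeting lines of the kind telnet or netcat print on connect.
SERVICE_SAMPLES = {
    21: "220 (vsFTPd 3.0.3)",
    22: "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
}

# Response headers that commonly carry product and version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")

# "product/1.2.3", "product_1.2p1" or "product 1.2.3"; the version must contain a dot.
VERSION_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*?)[/_ ](\d+(?:\.\d+)+[A-Za-z0-9]*)")


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def versions_in(text):
    """Return [(product, version), ...] disclosed by a banner or header value."""
    return VERSION_RE.findall(text)


def http_findings(raw):
    """Header name -> disclosed (product, version) pairs for one HTTP response."""
    _, headers = parse_headers(raw)
    findings = {}
    for name in DISCLOSING_HEADERS:
        found = versions_in(headers.get(name, ""))
        if found:
            findings[name] = found
    return findings


def service_findings(banners):
    """Port -> disclosed (product, version) pairs for greeting banners."""
    return {port: versions_in(b) for port, b in banners.items() if versions_in(b)}
```

A hit on Server or X-Powered-By is the cue to set ServerTokens Prod in the Apache configuration, which reduces the header to the bare product name, and expose_php = Off in php.ini, which removes the X-Powered-By header.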

Tre:1 Vulnhub Walkthrough


Today, I am going to share a writeup for the boot2root challenge of the Vulnhub machine "Tre:1". It is made by the SunCSR team and the difficulty level of this machine is intermediate. The goal for this machine is to get a root shell.
Download it from here: https://www.vulnhub.com/entry/tre-1,483/

Table of Contents
Recon
        Netdiscover
        Nmap
        dirb
Exploitation
        Adminer exploit
        ssh login
        Exploitable writable file
Privilege Escalation
        Abusing /etc/passwd

Walkthrough

Recon

Let's start the recon for this machine using Netdiscover, which is used to identify the IP addresses of the various machines on our network. It works like traceroute.

netdiscover


Now that we have the target IP address (192.168.1.104), we use Nmap for port scanning and further information gathering on the target host.

nmap -A 192.168.1.104


Since port 80 is open, let's explore the web page on this target IP address using a web browser.


We will also fuzz for endpoints using the dirbuster tool with the big.txt wordlist, which is located in the /usr/share/wordlists directory, using some extensions such as php and html.

dirb http://192.168.1.104/ /usr/share/wordlists/dirb/big.txt -X .html,.php,.txt


We got some pages such as adminer.php, index.html and info.php. After checking all of them, we found a login page at http://192.168.1.104/adminer.php.


For the above login page we need credentials. I tried many login bypasses that didn't work for this page. So we brute-force directories again in the hope of finding a config file for this login page.

dirb http://192.168.1.104/ /usr/share/wordlists/dirb/big.txt


After scanning and checking all the directories, we found one directory, /mantisbt/config, which we will check for credentials.


We got the credentials for the login page in a.txt, which was present in the /mantisbt/config directory.

These are the credentials we will use for the Adminer login page.

username: mantissuser
password: password@123AS
database: mantis
Using the above credentials, we are logged in.



Exploitation

We fill in all the information that we found earlier in a.txt, and with those credentials we are successfully inside the panel. Then we read the data of the table mantis_user_table and found 2 users with their password hashes.





We tried to log in to the admin panel as the first user but were not able to upload any file. The second user, "tre", has a real name that looks like a hint towards an SSH login, so we used tre as the username and Tr3@123456A! as the password.

First of all, we checked the user's sudo privileges using the command sudo -l.

ssh tre@192.168.1.104
Password: Tr3@123456A!
sudo -l

According to the sudo permissions, the user can run the shutdown command as a privileged user. Next we download the linEnum script for further enumeration.


Now let's run the linEnum script and check its output in the other terminal.


We checked the permissions of /usr/bin/check-system.

ls -la check-system


As the above file is readable and writable by our user, we edited it with the nano editor and added a line that gives the nano binary SUID permission so that it executes as root; /usr/bin/check-system will apply the change when the system reboots.

chmod +s /usr/bin/nano



In the above step we changed the privileges for the nano file. Now we will use /sbin/shutdown.

sudo shutdown -r now


Here the -r flag restarts the host system. Checking the permissions of the nano binary again, we notice the SUID bit is now set.
Hence, I can now modify the passwd file for privilege escalation.

ls -la /usr/bin/nano



Privilege Escalation

In a new terminal, we use OpenSSL to generate a salted MD5 password hash for the new user. The command used is:

openssl passwd -1 -salt user3 pass123


Now, using the nano /etc/passwd command, we edit the passwd file to add a new user. The format for the new user is username:salted-hash-value:0:0:root:/root:/bin/bash, and we saved this new user with the :wq command.


Now we simply check whether the user has been successfully added. For this we used the su raj command, and at the password prompt we gave the password for this user, which is pass123.

tail -n 2 /etc/passwd
su raj
Password: pass123
cd /root
ls
cat root.txt




Here we got our root.txt. That explains it all. So that's it for now. See you next time.
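The root account added in the final step leaves a recognisable trace in /etc/passwd. The following Python script is an added example, not part of the walkthrough: it audits passwd entries for non-root UID 0 accounts, password hashes stored in the file itself, duplicate UIDs and malformed lines, using a constructed excerpt in which the hash value is a placeholder.

```python
# Constructed /etc/passwd excerpt. The "raj" line has the shape of the entry
# the walkthrough appends (the hash is a placeholder, not a real MD5-crypt
# digest); "broken" shows how a malformed line is reported.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tre:x:1000:1000:Tre,,,:/home/tre:/bin/bash
raj:$1$user3$PLACEHOLDERHASHVALUE:0:0:root:/root:/bin/bash
broken:x:notanumber
"""

# Second-field values that mean "hash lives in /etc/shadow" or "account locked".
NO_HASH = ("x", "*", "!", "!!", "")


def parse_passwd(text):
    """Parse passwd lines into dicts; lines that are not 7 valid fields are flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        try:
            if len(fields) != 7:
                raise ValueError("field count")
            name, pw, uid, gid, gecos, home, shell = fields
            entries.append({"name": name, "passwd": pw, "uid": int(uid), "gid": int(gid),
                            "home": home, "shell": shell, "line": lineno, "malformed": False})
        except ValueError:  # wrong field count or a non-numeric uid/gid
            entries.append({"name": fields[0], "line": lineno, "malformed": True})
    return entries


def audit_passwd(text):
    """Return (username, reason) findings an investigator should look at first."""
    findings = []
    first_with_uid = {}
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["name"], f"malformed entry on line {e['line']}"))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "uid 0 account other than root"))
        if e["passwd"] not in NO_HASH:
            findings.append((e["name"], "password hash stored in /etc/passwd, not /etc/shadow"))
        if e["uid"] in first_with_uid:
            findings.append((e["name"], f"shares uid {e['uid']} with {first_with_uid[e['uid']]}"))
        else:
            first_with_uid[e["uid"]] = e["name"]
    return findings
```

On a live system, pass the contents of /etc/passwd to audit_passwd; a clean file returns an empty list.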

HAPPY HACKING!! 😊