Friday 28 June 2013

Sawmill Log File Analyser on Ubuntu

Quick post. Today I was trying to get the Sawmill log file analyser working on Ubuntu and it kept failing to load because of a missing library. The error was:

mac [ ~/Tools/sawmill ]$ ls
Extras  LICENSE  LogAnalysisInfo  README  sawmill
mac [ ~/Tools/sawmill ]$ ./sawmill
./sawmill: error while loading shared libraries: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory
So I looked at the shared libraries the executable needed:

mac [ ~/Tools/sawmill ]$ ldd ./sawmill
linux-vdso.so.1 =>  (0x00007fffc07ff000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f515b72a000)
libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f515b510000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f515b2f3000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f515b0dc000)
libcrypto.so.0.9.8 => not found
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f515aebe000)
libssl.so.0.9.8 => not found
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f515abbe000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f515a8c1000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f515a6ab000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f515a2ec000)
/lib64/ld-linux-x86-64.so.2 (0x00007f515b94a000)

There they are: libssl and libcrypto, version 0.9.8, both "not found". I would have thought libssl-dev would have covered these, but no:

mac [ ~/Tools/sawmill ]$ sudo apt-get install libssl-dev
Reading package lists... Done
Building dependency tree    
Reading state information... Done
libssl-dev is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

A little Google search and the solution was:

sudo apt-get install libssl0.9.8
Reading package lists... Done
Building dependency tree    
Reading state information... Done
The following NEW packages will be installed
  libssl0.9.8
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 861 kB of archives.
After this operation, 2,391 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu/ precise-updates/universe libssl0.9.8 amd64 0.9.8o-7ubuntu3.1 [861 kB]
Fetched 861 kB in 0s (2,344 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libssl0.9.8.
(Reading database ... 242938 files and directories currently installed.)
Unpacking libssl0.9.8 (from .../libssl0.9.8_0.9.8o-7ubuntu3.1_amd64.deb) ...
Setting up libssl0.9.8 (0.9.8o-7ubuntu3.1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Winner, winner, chicken dinner!
mac [ ~/Tools/sawmill ]$ ./sawmill
Sawmill 8.6.2.1; Copyright (c) 1996-2013 Flowerfire, Inc.
Web server running; browse http://192.168.0.14:8988/ to use Sawmill.
To run on a different IP address, use "sawmill -sh ip-addr -ws t"
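
The check above, turned into a small script so it can be repeated for any binary: this is an added example, not part of the original post, and the function names and the sample ldd output embedded in it are constructed here. It parses ldd(1) output for entries the dynamic loader reports as "not found", which is exactly how the two OpenSSL 0.9.8 libraries showed up.

```shell
#!/bin/sh
# Added example: report the shared libraries a binary needs that the loader cannot find.
# "missing_from_ldd" and "check_binary" are names chosen for this example.

# Read ldd(1) output on stdin and print each library marked "not found", one per line.
missing_from_ldd() {
    awk '/=> not found/ { print $1 }'
}

# Run ldd on a binary and list what is missing.
# Returns 0 if everything resolves, 1 if libraries are missing, 2 if the path is not executable.
check_binary() {
    bin="$1"
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 2; }
    missing=$(ldd "$bin" 2>/dev/null | missing_from_ldd)
    if [ -n "$missing" ]; then
        echo "$bin is missing:"
        echo "$missing" | sed 's/^/  /'
        return 1
    fi
    echo "$bin: all shared libraries resolved"
    return 0
}

# Constructed sample in the shape of the ldd output shown in the post.
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007fffc07ff000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f515b0dc000)
libcrypto.so.0.9.8 => not found
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f515aebe000)
libssl.so.0.9.8 => not found'

# Usage: ./check_libs.sh --demo        (parses the sample above)
#        ./check_libs.sh ./sawmill     (checks a real binary)
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LDD" | missing_from_ldd ;;
    "")     ;;
    *)      check_binary "$1" ;;
esac
```

Once you have the soname (libssl.so.0.9.8 here), `apt-cache search libssl0.9.8` or `apt-file search libssl.so.0.9.8` points at the package. Note that the binary is linked against a specific OpenSSL soname, so the fix installs that older runtime next to the distribution's current one; remember it is there when you patch the box.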
HTH

Tuesday 4 June 2013

Veritas Backup Exec Windows Remote File Access

Whilst on a client engagement today, I came across some Windows 2003 application servers using the Veritas Backup Exec client.

The version in use was affected by a vulnerability highlighted in CVE-2005-2611.

"VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5 through 5.1 uses a static password during authentication from the NDMP agent to the server, which allows remote attackers to read and write arbitrary files with the backup server."

Metasploit has a nice little module for downloading files and directories from the box; it is located here:

auxiliary/admin/backupexec/dump

It's very straightforward to use.

Set the path of the file you want to download, in my case I went for the C:\Windows\repair folder, to get the SYSTEM and SAM files.

Then you need to set the port that the client is listening on, in my case the default port of 10000 was in use.

Then run.

The module downloads the file or directory, but the output is in MTF format.

I did a little digging around: MTF is an acronym for Microsoft Tape Format, which is an old-school compression format.

The Metasploit module says the following:

"This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash."

and has the following references:

Well, the http://www.fpns.net/willy/msbksrc.lzh link doesn't do a thing, and the others are just vulnerability references.

More Googling found this mirror site:


And I downloaded the following files:

        Friday, July 09, 2004  9:33 AM       123909 msbkdos.lzh
        Friday, July 09, 2004  9:33 AM       127385 msbklin.lzh
        Friday, July 09, 2004  9:34 AM       107354 msbksrc.lzh
        Friday, July 09, 2004  9:34 AM       121070 msbkwin.lzh
Now, I don't normally run files from any old site on my host, but this was a last resort for me and the only vulnerability in quite a tidy network. So I uploaded the 4 .lzh files to a Windows virtual machine along with the .mtf file produced by the Metasploit module, and disconnected the network adapter from the VM - just to be on the safe side!

I unpacked msbkwin.lzh with 7-Zip and found a few files; the one to use is NTBKUP.exe, and you run it like this:

c:\msbkwin\NTBKUP.EXE {metasploit_backup_exec_dump_module_file.mtf} -x

This extracted the contents of the C:\Windows\repair\ directory that was downloaded from the 2003 server I exploited.

This worked for me: I got the local Administrator hash from the SYSTEM file and used the Metasploit psexec module to log in to the box.
HTH

Sunday 2 June 2013

Mounting Encase Images in Linux

So recently I've been solving some of the Digital Corpora scenario-based forensic challenges. The image files are created using the commercial tool EnCase, which takes an exact image of the disk and stores it in a file known as the Expert Witness Format or the EnCase Image Format.

These images can be converted, without altering the original file system, to 'dd' format and browsed like any other file system in Linux.

For the example below, I am going to use two EnCase image files, used in the M57-Jean Forensic Scenario on the Digital Corpora web site.

This guide explains how to mount an EnCase image using 'xmount' and 'dd'.

$ sudo -s

# apt-get install ewf-tools xmount

('dd' is part of coreutils and already installed on Ubuntu, so there is no separate package to install for it.)

'cd' to the directory where you have the EnCase image and use 'ewfinfo' to look at the EnCase image details.

# cd Forensic_Challenges

# ewfinfo nps-2008-jean.E01

mac [ ~/Forensic_Challenges ]$ ewfinfo nps-2008-jean.E01
ewfinfo 20100226 (libewf 20100226, libuna 20091031, libbfio 20091114, zlib 1.2.3.4, libcrypto 1.0.0, libuuid)

Acquiry information
Description: Jean's hard drive from the first M57 project
Examiner name: Donny
Evidence number: 2008-M57-Jean
Acquiry date: Mon Jan 31 21:38:29 2011
System date: Mon Jan 31 21:38:29 2011
Operating system used: Darwin
Software version used: 20101104
Password: N/A

EWF information
File format: EnCase 6
Sectors per chunk: 64
Error granularity: 64
Compression type: best compression
GUID: 5005a83f-a4db-a14b-b645-5c55e6b2bec8

Media information
Media type: fixed disk
Is physical: no
Bytes per sector: 512
Amount of sectors: 20971520
Media size: 10 GiB (10737418240 bytes)

Digest hash information
MD5: 78a52b5bac78f4e711607707ac0e3f93


Make a note of the MD5 sum of the image (the 'Digest hash information' line above).

Create a location to mount the EnCase image. You can name this directory as you wish; I'm a bit anal with directory names because I forget things easily, so I name directories with obvious names.

# mkdir /mnt/temp_image_mount

It's always good to have a look at the man page for a command before randomly executing commands on your machine.

# man xmount

xmount(1)                                                      xmount                                                     xmount(1)

NAME
       xmount - Tool to crossmount between multiple input and output harddisk image files

SYNOPSIS
       xmount [[fopts] [mopts]] <ifile> [<ifile> [...]] <mntp>

DESCRIPTION
       xmount  allows  you  to  convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual
       file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual rep‐
       resentation  can  be  in  raw  DD,  VirtualBox's  virtual disk file format, Microsoft's Virtual Hard Disk Image format or in
       VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format)  or  AFF  (Advanced  Forensic
       Format)  files.  In  addition,  xmount  also supports virtual write access to the output files that is redirected to a cache
       file. This makes it possible to boot acquired harddisk images using QEMU, KVM, VirtualBox, VmWare or alike.

OPTIONS
       fopts: (Options specific to FUSE)
         -d: Enable FUSE's and xmount's debug mode.
         -h: Display this help message.
         -s: Run single threaded.
         -o no_allow_other: Disable automatic addition of FUSE's allow_other option.
         -o :
           Specify fuse mount options. Will also disable automatic addition of FUSE's
           allow_other option!
         INFO: For VMDK emulation, you have to uncomment "user_allow_other" in
               /etc/fuse.conf or run xmount as root.
       mopts: (Options specific to xmount)
         --cache <file> :
           Enable virtual write support and set cachefile to use.
         --in <type> :
           Specify input image type. Type can be "dd" or "ewf".
         --info :
           Print out some infos about used compiler and libraries.
         --out <type> :
           Specify output image type. Type can be "dd", "vdi", "vhd", "vmdk(s)".
         --owcache <file> :
           Same as --cache but overwrites existing cache.
         --rw <file> :
           Same as --cache.
         --version :
           Same as --info.
         INFO: Input and output image type defaults to "dd" if not specified.
       ifile:
         Input image file. If you use EWF files, you have to specify all image
         segments! (If your shell supports it, you can use .E?? as file
         extension to specify them files)
       mntp:
         Mount point where virtual files should be located.

BUGS
       Hopefully none. If you find any, please e-mail to .

EXAMPLE
       To xmount an EWF image from your acquired disk as a raw DD image under /mnt, use the following command:

         xmount --in ewf ./acquired_disk.E?? /mnt

So we can see how it works right there in the EXAMPLE section, and we can mount the image pretty easily. 'xmount' will present both the E01 and E02 segments as one .dd image; to tell it to pick up every segment we use the 'E??' glob:

# xmount --in ewf nps-2008-jean.E?? /mnt/temp_image_mount

If all worked correctly, you should find a 'dd' image combining the segments in the mount point:

# cd /mnt/temp_image_mount
# ls -alth

mac [ /mnt/temp_image_mount ]$ ls -alth
total 4.0K
drwxr-xr-x 5 root root 4.0K May 31 18:28 ..
drwxrwxrwx 2 root root    0 Jan  1  1970 .
-r--r--r-- 1 root root  10G Jan  1  1970 nps-2008-jean.dd
-r--r--r-- 1 root root  334 Jan  1  1970 nps-2008-jean.inf

To ensure we haven't altered the original disk image, we can do a 'md5sum' of the 'dd' image and compare it to the original md5 calculation:

# md5sum nps-2008-jean.dd

mac [ /mnt/temp_image_mount ]$ md5sum nps-2008-jean.dd 
78a52b5bac78f4e711607707ac0e3f93  nps-2008-jean.dd

Compare that MD5 string to the one output by our original ewfinfo command; if we have a match, we have a forensically sound copy of the original image. This means we can analyse the 'dd' image without ever altering the original EnCase image.

To mount this 'dd' image we need a further bit of information and we can get this with the 'fdisk' command:

# fdisk -l nps-2008-jean.dd

mac [ /mnt/temp_image_mount ]$ sudo fdisk -l nps-2008-jean.dd 

Disk nps-2008-jean.dd: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x39bf39be

Device                       Boot   Start         End              Blocks        Id  System
nps-2008-jean.dd1   *          63             20948759    10474348+   7   HPFS/NTFS/exFAT

So we can see that the volume is NTFS, and we can see its starting sector. To mount it with the Linux 'mount' command we need to specify the byte offset of the partition, along with the options we wish to mount it with (read-only here); we also need to create a directory to mount the dd image on.

# mkdir /mnt/nps-2008-jean

To calculate the offset we need to multiply the starting sector by 512, so in my case:

63 * 512 = 32256

(This assumes the partition starts at sector 63, as it does with the classic 63-sectors-per-track layout, and 512 bytes per sector.)

# mount -t ntfs -o ro,offset=32256 nps-2008-jean.dd /mnt/nps-2008-jean/

If everything worked as it should, you should be able to open your favourite file manager and browse to /mnt/nps-2008-jean:

# caja /mnt/nps-2008-jean/
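
The hash check and the offset calculation from the steps above, as an added example rather than code from the original post. The function names and the sample fdisk table embedded in it are constructed here; it mirrors the post's values (start sector 63, 512-byte sectors) but the start-sector parser also handles partition lines without the boot flag, which the post's table does not show.

```shell
#!/bin/sh
# Added example: verify an exported dd image against the ewfinfo MD5 and compute
# the byte offset needed to mount a partition inside it read-only.
# Function names and SAMPLE_FDISK are constructed for this example.

# Byte offset of a partition: start sector * bytes per sector (512 unless told otherwise).
partition_offset() {
    start_sector="$1"; sector_size="${2:-512}"
    echo $(( start_sector * sector_size ))
}

# Pull the start sector of a named partition out of `fdisk -l` output on stdin.
# The Boot column is a lone "*" on bootable partitions and absent otherwise,
# so the start sector is field 3 or field 2 respectively.
#   fdisk -l image.dd | start_sector_of image.dd1
start_sector_of() {
    part="$1"
    awk -v p="$part" '$1 == p { if ($2 == "*") print $3; else print $2 }'
}

# Compare the MD5 reported by ewfinfo with the md5sum of the exported dd image.
# Returns 0 on match, 1 on mismatch (i.e. the copy is not forensically sound).
verify_image_md5() {
    expected="$1"; image="$2"
    actual=$(md5sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Mount the NTFS partition starting at the given sector, read-only, at the computed offset.
# Needs root, like the mount command in the post.
mount_partition_ro() {
    image="$1"; start="$2"; mntp="$3"
    mkdir -p "$mntp"
    mount -t ntfs -o ro,offset="$(partition_offset "$start")" "$image" "$mntp"
}

# Constructed sample in the shape of the post's fdisk table.
SAMPLE_FDISK='Device                       Boot   Start         End              Blocks        Id  System
nps-2008-jean.dd1   *          63             20948759    10474348+   7   HPFS/NTFS/exFAT'

# Usage, run as root from the xmount mount point:
#   start=$(fdisk -l nps-2008-jean.dd | start_sector_of nps-2008-jean.dd1)
#   verify_image_md5 78a52b5bac78f4e711607707ac0e3f93 nps-2008-jean.dd && \
#       mount_partition_ro nps-2008-jean.dd "$start" /mnt/nps-2008-jean
```

Doing the MD5 comparison in a function that returns a status lets the mount be chained after it, so a copy that does not match the acquisition hash is never mounted at all.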
HTH