Forensics Challenge for CSIRT Team – Part 2 Solution
The goal of the tutorial is to provide a solution to the forensic challenge game that I created for testing forensic skills of CSIRT team. Please be careful and run a suspicious binary file located inside a provided virtual machine only in a secured environment in order to avoid unwanted damage or loss.
As you can notice, some files are being encrypted right after boot of a virtual machine. All these files have suffix .enc001. You can easily located them with the command:
$ find / -name "*.enc001" -type f 2>/dev/null
There is also a file named encryption_warning.txt located in a home directory of an actual user and it contains a following warning message.
*** Your files have been encrypted! ***
*** To decrypt them, run '/usr/local/bin/ls %1a%your_decryption_key ***
Without any doubts a utility ls is not a cryptography tool so it is a good place where we can start our investigation. The command /usr/local/bin/ls -la shows files in a actual directory.
ubuntu@ubuntu:~$ /usr/local/bin/ls -la
Picture 1 - Content of Actual Directory
The output looks good. But what does happen if we display a non-existing file kdkdkdkdk?
ubuntu@ubuntu:~$ /usr/local/bin/ls kdkdkdkdk
Picture 2 - Two Error Messages
They are two interesting facts shown in the output of the command /usr/local/bin/ls . Firstly, two Continue reading
Forensics Challenge for CSIRT Team – Part 1 Assignment
I have created a virtual machine that you can use to test your forensics analysis skills. Please, download the VM, solve an assignment below and share solutions with us.
1. Assignment
Your are a member of elite CSIRT team which is responsible for dealing with computer security incidents in your jurisdiction. You are asked to investigate a server that was previously administered by disgruntled administrator Mr. Abdullah Khan who was fired up. Although login credentials for server were changed after Khan's sacking from the company, it is believed he might insert malicious software into server before change of credentials. Your task is to ensure that a sever does not contain any malicious software and user data stored on the server are not compromised. You also need to prove your professional forensic skills and analyze a suspicious file in case you find it on the server. Based on your investigation you should find out how malware work and create detailed report for your boss.
The server is running Ubuntu 16.04.1 and it is primary used as a file server with configured SSH access. Unfortunately the backup of user files is damaged and cannot be used in case of data are lost during your investigation. The login/password is Continue reading
Forensic Lab Game Zero – Level 2 Results
Below are my solutions to the level 2 of the forensics lab game zero. The solutions to the level 1 of the game are posted here.
1. Find way to reset root's account password and retrieve flag from /root/flag.txt
Reboot the VM and press 'e ' edit inside the Grub menu screen. Add command init=/bin/bash at the end of the line starting with linux and press F10. Thne mount file system as read-write.
root@(none):/# mount -n -o remount,rw /
Change password for user root.
root@(none):/# passwd
root@(none):/# cat /root/flag.txt
8d55761dfafe912daa2fa6c38e05435093f7f636
root@(none):/# echo -n '8d55761dfafe912daa2fa6c38e05435093f7f636' | sha1sum
0166bc38c1165d0ba783ea722b84ed3a0d2547f8
Restart the virtual machine and switch to the root account.
2. There is a memory dump of the windows machine is stored in file /root/memdump.mem. Find the flag among commands executed on that machine
Find info about our memory dump with imageinfo plugin.
root@debian1989:/home/kassad# python /opt/tools/volatility-2.4/vol.py imageinfo -f /root/memdump.mem | grep Profile
Volatility Foundation Volatility Framework 2.4
Suggested Profile(s) : Win7SP0x86, Win7SP1x86
To avoid typing chosen profile --profile=Win7SP1x86 every time vol.py is called, export the profile.
root@debian1989:/home/kassad# export VOLATILITY_PROFILE=Win7SP1x86
To avoid typing path to memory dump file, export memory dump location so you do not need to add argument -f Continue reading
Forensic Lab Game Zero – Level 1 Results
The goal of the post is to provide solutions for the first level of the game for "hackers" created by forensic lab of CESNET association. With this game CESNET introduces a work of forensic analysts and test your knowledge of Linux OS. They are several assignments and practical tasks included inside Debian image which is available for download here. The question / answer sheet is located inside the home directory of user kassad.
Picture 1 - Answer Sheet
1. In the Linux image, which username is logged in automatically on boot?
Check the desktop environment.
kassad@debian1989:~$ echo $DESKOP_SESSION
gnome-fallback
Check if automated login is enabled for Gnome desktop.
kassad@debian1989:~$ grep 'AutomaticLogin' /etc/gdm3/daemon.conf
AutomaticLoginEnable = true
AutomaticLogin = kassad
The automated login is enabled for the user kassad. Now we need to compute the sha1 hash for the result.
kassad@debian1989:~$ echo -n 'kassad' | sha1sum
fb1216c760d6c0996991108886d1797d8bd4ca27
2. On the provided Linux image, what is the “ls” command aliased to for user from question 1 ?
kassad@debian1989:~$ type ls
ls is aliased to `ls --color=auto'
We can get the result also by checking the content of the file /home/kassad/.bashrc.
kassad@debian1989:~$ grep 'alias ls' /home/kassad/.bashrc
alias ls='ls --color=auto'
kassad@debian1989:~$ echo -n 'ls --color=auto' Continue reading
Slovakia Wins Cyber Exercise Locked Shields 2016
Tallinn, April 22, 2016 - The team from Slovakia won Locked Shields 2016, the world’s largest and most advanced international live-fire cyber defence exercise. They were closely followed by the NCIRC team from NATO and Finland.
Read more here.
BASH Script for Dictionary Attack Against SSH Server
Although they are several dictionary password attack tools available for Linux such as Hydra, Ncrack, I have decided to practice BASH scripting and write a script getsshpass.sh that can perform dictionary attack against SSH server. The script reads usernames and passwords from dictionaries (the one for usernames and the one for passwords) and uses them one-by-one during its login attempt to remote SSH server. Once correct username and password are found, the script save them to the file result.txt and displays them on the desktop. Then it exits.
The script can be started either in a serial mode that opens only single SSH session to SSH server or in a parallel mode which allows multipe SSH sessions to be opened at the same time. Below are parameters of the script.
Picture 1 - Script Parameters
All parameters are self-explanatory. If a parameter -l is not entered the script is started in a default serial mode. In case of parallel mode is used (-l parameter) it is recommended to use -l parameter together with -n parameter. The -n parameter slows down generating SSH sessions by inserting fixed number of seconds before a new SSH session is generated. This helps the attack to be successful. According to my findings during Continue reading
Collecting MAC and IP Adresses of Hosts Connected to Cisco Switches Using SNMP
The goal of this article is to introduce a script that automates a process of collecting MAC and IP address of hosts connected to Cisco switches using Simple Network Management Protocol (SNMP). We will configure SNMP version 2c and 3 on Cisco switches and create a BASH script that collects required data for us. For this purpose I have created a test network lab using GNS3. The topology consists of three Cisco virtual switch appliances running vIOS-L2 and one network management station (NMS) based on Kali Linux. Network hosts are simulated by Core Linux appliances connected to Cisco vIOS-l2 switches.
1. GNS3 Lab
1.1 List of software used for creating GNS3 lab
- Host OS
x86-64 Linux Fedora with installed GNS3 1.3.11 and Qemu1.4.0 - Network Management Station
Linux Kali 3.18.0-kali3-amd64 - Swiches
Cisco vIOS l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2
Cisco Catalyst 3550 (C3550-IPSERVICESK9-M), Version 12.2(55)SE9 - Network Host (End device)
Linux Core 3.16.6-tinycore64
1.2 Network Topology Description
All virtual network and host devices are running inside GNS3 project and they are emulated by Qemu emulator and virtualizer. The only exception is a Cisco Catalyst 3550 switch that is connected to topology via GNS3 network Continue reading
GRE over IPSec Tunnel Between Cisco and VyOS
The previous tutorial shown GRE tunnel configuration between Cisco router and Linux Core. The big advantage of GRE protocol is that it encapsulates L3 and higher protocols inside the GRE tunnel so routing updates and other multicast traffic can be successfully transferred over the tunnel. The main drawback of GRE protocol is the lack of built-in security. Data are transferred in plain-text over the tunnel and peers are not authenticated (no confidentiality). Tunneled traffic can be changed by attacker (no integrity checking of IP packets). For this reason GRE tunnel is very often used in conjunction with IPSec. Typically, GRE tunnel is encapsulated inside the IPSec tunnel and this model is called GRE over IPSec.
The tutorial shows configuration of OSPF routing protocol, GRE and IPSec tunnel on Cisco 7206 VXR router and appliance running VyOS network OS. Devices are running inside GNS3 lab an they are emulated by Dynamips (Cisco) and Qemu (VyOS).
Picture 1 - Topology
Note: VyOS installation is described here. You can easily build your own VyOS Qemu appliance using the Expect and Bash script shared in the article.
1. R3 Configuration
R3(config)# interface gigabitEthernet 1/0
R3(config-if)# ip address 1.1.1.1 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# interface gigabitEthernet 0/0
R3(config-if)# ip Continue reading
GRE Tunnel Between Cisco and Linux
Generic Routing Encapsulation - GRE is a tunneling protocol originally developed by Cisco that encapsulates various network protocols inside virtual point-to-point tunnel. It transports multicast traffic via GRE tunnel so it allows passing of routing information between connected networks. As it lacks of security it is very often used in conjunction IP SEC VPN that on the other hand is not capable to pass multicast traffic.
The goal of the tutorial it to show configuration of GRE tunnel on a Cisco router and a device with OS Linux. I have created GNS3 lab consisting of two local networks - 192.168.1.0/24 and 192.168.2.0/24 connected via GRE tunnel. GRE tunnel interface is configured on router R1 (Cisco 7206VXR) and Core Router (Core Linux with Quagga routing daemon installed). The both routers have their outside interfaces connected to a router R3 that is located in the "Internet". To prove that GRE tunnel is working and transporting multicast traffic, the OSPF routing protocol is started on R1 and Core routers and configured on tunnel interfaces and interfaces pointing to local networks.
Note: The Core Linux vmdk image is available for download here.
Picture 1 - Topology
1. Initial Configuration
First we assign hostnames and Continue reading
Linux Core 6.3 as Routing and Switching VMware Appliance
Two weeks ago I finished creating a network host based on Linux Core 6.3 installed on WMware x86-64 virtual machine. I loaded Core Linux with several network extensions that allows host to generate, measure, route network traffic and scan networks. I also wrote a short article that contains a list of loaded extension.
Then I went further with the project and my goal was to build L3 switch and router based on Core Linux 6.3 loaded with Open vSwitch, Quagga, Bird and Keepalived extension. Those are the right extensions that turned the network host to routing and switching appliance. Furthermore the routing daemons Quagga and Bird and multilayer switch Open vSwitch are used in many large production networks.
The R&S appliance I built can be used for learning networking on Linux, routing and switching. It is available for download in Download section. For those who are interested in installation steps the whole process of extension installation is described in this article.
The virtual VMware appliance is based on Linux Core network host image and it contains all the extensions listed here plus the following extensions:
openvswitch - 2.4.90
quagga - 0.99.24.1
bird - 1.5.0
keepalived - 1.2.19
Note Continue reading
Linux Core 6.3 as Network Host on VMware Disk
The Core Linux is a small modular Linux distribution that provides only a command line interface and tools that allows you to build your own application extensions. Thanks to these extensions you can easily turn your Core installation to a custom appliance such as network host, router, switch, server. Moreover choosing the Core Linux as an operating system for your appliance significantly reduces the size of the appliance.
Two weeks ago I started to build a network host that can handle network traffic. I installed the latest 64 bit Linux Core 6.3 on VMware virtual disk and loaded Core with extensions that can generate traffic, measure bandwidth, route, forward and filter traffic. A list of the extensions, their purpose and configuration changes is mentioned here.
I share my own network host VMware disk in Linux Core download section. You can create a new virtual machine (VirtualBox, VMware Workstation/Player, Qemu) with the disk attached and use it in your GNS3 labs in order to simulate network host. The disk contains the following tcz extensions:
bash - 4.3.39(1) with patches up to 39
bash-completion - 2.1
d-itg - 2.8.1-r1023
hping3 - 3.0.0-alpha-1
iperf3 - 3.1b3
iproute2 - 3.14.0
iptables Continue reading
Cloning Remote Linux Machines
Recently, I have been asked to find a way how to clone Linux machines running in a remote virtual lab. The machines have single disks, they all are accessible over SSH and configured with the same login credentials. The goal is to make identical copies of their disks, download the disks and rebuild machines locally in the virtual lab.
On Linux based systems, utility 'dd' is very often used to make identical copy of a disk. I have used this command together with 'ssh' and 'gzip' commands to copy and compress remote disks and send them on the fly to a local disk over SSH connection. For instance, the command below issued on a local machine copies a disk /dev/sda of a remote Linux machine with IP address 10.10.10.11 to a local disk:
$ ssh [email protected] "/bin/dd if=/dev/sda | gzip -c" | dd of=disk.raw.gz
Explanation:
/dev/sda - disk located on remote machine
disk.raw.gz - gzip compressed copy of disk /dev/sda on local machine
gzip -c - send compressed file to stdout
I wrote a BASH script backup-images-1.0.sh that automates process of cloning disks of remote Linux machines. The script reads IP addresses from Continue reading
Public Key Authentication on Cisco IOS
Have you ever been in that situation that you needed to apply the same configuration quickly on multiple Cisco routers? If yes, you probably wrote a script that connected to routers and sent appropriate IOS commands. One problem that you certainly had to solved was forcing your script to enter login credentials such as username and password. Moreover if you secure an access to privileged user mode of routers with an enable secret command you had to tell the script how to enter that password as well.
All the issues I have mentioned above can be easily solved with Expect scripting language. Expect sends commands via telnet or ssh session as the human would. However encapsulating IOS commands to syntax recognized by Expect language every time you need to change routers' configuration seems to be not very comfortable. That is why public key authentication for Cisco routers can be handy.
Public key authentication allows you to log in to your routers using RSA key instead of a password. But firstly key-pair - public and private key must be generated and a public key copied into a config file of the router. Then you can connect to the router with your private key. A private key is the key that should Continue reading
Decapsulation ERSPAN Traffic With Open Source Tools
Cisco Encapsulated Remote SPAN (ERSPAN) feature allows to monitor traffic on one or more ports and send the monitored traffic to one or more destination ports. Traffic is encapsulated into GRE tunnel and routed via network to ERSPAN destination. Any device that supports ERSPAN can be used as ERSPAN destination. It might be another Cisco device or Linux with installed software that can decapsulate GRE traffic.
The goal of this article is to show methods and tools for decapsulation of ERSPAN traffic. For this purpose I have built simple lab that consists of a Cisco CSR 1000v router and two Linux boxes. Core Linux represents a network host and generates network traffic (ICMP) that is going to be monitored. It is connected to the port GigabitEthernet1 of the Cisco router. The router is configured to monitor traffic on the port Gi1 and it sends traffic encapsulated in GRE tunneling protocol to IP address 10.230.10.1. It is the IP address of the ERSPAN destination configured on Linux Security Union. Security Onion is a unique Linux distro for intrusion detection, network security monitoring, and log management based on Ubuntu however any other Linux distro can be used.
Picture 1 - ERSPAN Lab Topology
Below is an example of ERSPAN Continue reading
Qemu ASAv Appliance as Personal Firewall on Linux
The article discuss how to run Cisco Adaptive Security Virtual Appliance (ASAv) on KVM hypervisor as your personal firewall. Since ASAv version 9.3.2-200, Cisco supports deploying ASAv using Kernel-based Virtual Machine (KVM). Thanks for the support of KVM hypervisor, ASAv can be deployed in a very easy manner on Linux and any mysterious hacks is needed anymore.
Unfortunately until a valid license file is installed, ASAv throughput is limited to 100 Kbps. So far I have not found a way how to bypass this limitation as Cisco does not provide any evaluation licence as they offer for their CSR100v IOS-XE router. I also found out that ASAv keeps rebooting when Qemu is started without enabled KVM option. It limits deployment of ASAv Qemu images on Linux/FreeBSD as KVM is available for these operation systems only. Windows users should download and install ASAv edition for VMware hypervisor.
Software Requirements
• Linux x86_64 with installed Qemu and KVM
• Cisco ASAv Virtual Appliance - Qemu image asav932-200.qcow2 or later
HardwareRequirements
• CPU with VT-X or AMD-V hardware virtualization support
• 2GB RAM dedicated for ASAv virtual machine
1. ASAv Installation
Installation does not requires any special skills and takes only one reboot. Start the ASAv virtual machine Continue reading
PfSense VirtualBox Appliance as Personal Firewall on Linux
The tutorial explains how to set up pfSense VirtualBox appliance in order to use it as a personal firewall on Linux. It shows Linux network configuration to support this scenario and provides an installation script that automatically builds a VirtualBox virtual machine ready for pfSense installation. It also describes pfSense installation and shows minimal web configuration needed for successful connection to the Internet.
pfSense Live CD ISO disk can be downloaded from here.
1. Linux Network Configuration
We are going to install pfSsense from live CD ISO image on a VirtualBox virtual machine. To do so we must reconfigure an existing network interface, create a new one and configure new static default routes. A network topology consists of Linux Fedora with installed VirtualBox virtualizer. is shown below.
Picture 1 - Network Topology
A wireless network card is installed in Linux and presented as an interface wlp3s0. The interface wlp3s0 is the interface that connects Pfsense virtual machine to the outside world. This interface will be bridged with a first network adapter (em0) of the Pfsense virtual machine. Bridging host adapter wlp3s0 with the guest adapter em0 (WAN interface of Pfsense) will be done using vboxmanage utility and shown later in the tutorial.
As the Pfsense appliance is Continue reading
How to configure GNS3 installed on Linux to support more than 8 NIC for Qemu Instances
Recently I have read a question on GNS3 forum asking whether Qemu supports more than 8 network adapters. According to Google search, maximum number of adapters for Qemu virtual machines can be configured with a parameter #define MAX_NICS 8 in a file ./include/net/net.h under Qemu source tree. After you set desirable value you must compile and install Qemu from source.
However I have noticed that changing the integer value in the line #define MAX_NICS has no effect on the maximum number of NIC allowed for Qemu VMs. I notice that I can start Core Linux Qemu machine with 18 network adapters even Qemu 2.2.0 was compiled with parameter #define MAX_NICS set to 1.
Now we know that Qemu itself does not limit the maximum network adapters to 8. We will go ahead and investigate GNS3. Navigate to Edit -> Preferences -> QEMU VMs and click on existing Qemu VM. Click on Edit button for this VM and navigate to Network tab. Increase the number of Adapters to 9.
The GNS3 1.2.1 allows to add maximum 8 NICs for a particular Qemu virtual machine. To avoid this limitation we have edit GNS3 source files and recompile GNS3 GUI and server. Here are the the steps for Linux.
1. Download and extract GNS3 1.2.1 Linux Continue reading
Alcatel-Lucent Virtualized Simulator on GNS3
The Alcatel-Lucent virtualized Simulator (vSim) is a virtualization-ready version of SR OS called SR OS-VM. This new operating system is designed to run in a virtual machine (VM) on a generic Intel x86 server. In control and management plane aspects, the vSim is functionally and operationally equivalent to an Alcatel-Lucent hardware-based SR OS router.The vSim is intended to be used as a laboratory tool to fully simulate the control and management plane of an SR OS node. The vSim is not intended to be used in a production network environment and the forwarding plane is limited to 250 pps per interface. Furthermore, without a license file it will run for 1 hour before reloading.
Host Software and Hardware Requirements
- Linux x86-64
- Qemu emulator version 2.1.2 (qemu-system-x86_64 or i386)
- GNS3 version 1.2 or later
- RAM - at least 4 GB
- CPU with hardware virtualization support (VT-x or AMD-V)
Virtual Machines Software and Hardware Requirements
- TiMOS-B-12.0.R6 ALCATEL SR 7750, TiMOS-SR-12.0.R6-vm.zip
- RAM 2048 MB, CPU x86-32
- Qemu additional parameters: -nographic -enable-kvm
1. Installation Steps
Extract image from the zip file.
$ unzip TiMOS-SR-12.0.R6-vm.zip
$ cd vm/7xxx-i386/
Now a virtual disk sros-vm.qcow2 is extracted. To start Qemu virtual Continue reading
ExtremeXOS, Arista and Cisco vIOS-Layer2 Virtual GNS3 Lab
ExtremeXOS is a network operating system used in Extreme Networks network switches. Virtualized version of ExtremeXOS - EXOS virtual machine vmdk image can be used to build virtual lab without need to use hardware switches. Although ExtremeXOS virtual machine can be downloaded for free only certain features are known to work. For this reason software should not be used for testing any actual networking setups or performance tests.
The tutorial consist of two parts. The part one explains how to configure Qemu emulator to run ExtremeXOS virtual machine. In part two, ExtremeXOS VM is connected to virtual lab run by GNS3 software. In this lab, features such as VLANs, 802.1q trunks and OSPF routing protocol are tested between multilayer switches from different vendors - Cisco, Arista and Extreme Networks.
Host Software and Hardware Requirements
- Linux x86-64,
- Qemu emulator version 2.1.2 (qemu-system-x86_64, qemu-system-i386 ) or later,
- GNS3 version 1.1 or later,
- RAM - at least 4 GB,
- CPU with hardware virtualization support (VT-x or AMD-V)
Virtual Machines Software and Hardware Requirements
- ExtremeXOS VM 15.3.2, exosvm.vmdk,
RAM 256 MB ,CPU x86-64
Qemu additional parameters: -nographic -enable-kvm - Vios_l2-ADVENTERPRISEK9-M), Version 15.0, vIOS-L2.vmdk,
RAM 512MB, Continue reading
Arista vEOS on GNS3
EOS (Extensible Operating System) is Linux-based network operating system developed by Arista Networks that runs on all Arista switches. Virtual EOS (vEOS) is single image and can be run in a virtual machine. The article describes how to set up vEOS virtual machine and connects it to GNS3 in order to test EOS functionality.
Host Requirements
Linux x86-64
Qemu or VirtualBox installed
Virtual Machine Requirements
1024 MB RAM
IDE CD-ROM drive with mounted Aboot-veos-serial-2.0.8.iso
2GB flash IDE disk - vEOS-4.14.2F.vmdk
NICs e1000 type
1. Download Bootloader and Virtual EOS
Clik the link to create a new account. The guest account (when no corporate email is used for registration e.g. gmail.com) is sufficient to download vEOS software. Click the link and login with the credentials you entered during the registration. You have to accept License Agreement in order to download vEOS software.
Download the bootloader and a virtual disk:
Aboot-veos-serial-2.0.8.iso
vEOS-4.14.2F.vmdk
2. Arista Switch First Boot on Qemu
Use Qemu to boot Arista switch virtual machine for the first time.
$ /usr/local/bin/qemu-system-x86_64 -m 1024 -enable-kvm -cdrom ./Aboot-veos-serial-2.0.8.iso -boot d vEOS-4.14.2F.vmdk -serial telnet::3355,server,nowait
Connect to the Continue reading