En
el siguiente módulo aprenderemos los conceptos básicos sobre el
desbordamiento de buffer sobre el stack. Analizaremos en un principio un
pequeño programa desarrollado en el lenguaje de programación C con el
debugger ollydbg.
Acá esta el exe para que se descarguen, el código es el siguiente.
La idea de éste ejercicio es lograr que el pequeño programa nos muestre el string ‘you win!’,
para eso, debemos lograr desbordar el buffer y escribir sobre la
cookie. Como es un ejercicio de ejemplo, ya tenemos hardcodeado el valor
de cookie (41424344)como así también los valores que tendremos que buscar en el debugguer cuando ejecutemos la aplicación.
Para el siguiente ejercicio es necesario que tengan instalado ollydbg. También nos será necesario un exploit para automatizar la explotación.
El siguiente ejemplo de exploit está hecho en python 2.6
Veamos entonces cómo terminar de armar nuestro exploit para lograr desbordar el buffer y obtener el string deseado.
1- Ejecutamos el .py y luego levantamos el olly atacheandonos al proceso del stack1.
Para attachear un proceso en el olly vamos a file -> attach se abre una ventana y elegimos el programa.
Una vez attacheados, click en la letra E del panel superior y elegimos nuevamente el stack1.
Hacemos click derecho sobre el panel principal sSearch for -> All referenced text string y buscamos el texto que tenemos como referencia que en éste caso es ‘you win!. ’Presionamos en play, vamos al programa hacemos click y volvemos al ollydbg para mirar los valores.
Como podemos visualizar en el panel derecho, el valor de EBX es 0022FEE0 y en el panel inferior derecho vemos que la posición posterior al return en kernel32 es 0022FF3C.
Entonces,
debemos levantar restar al valor más grande el valor más chico en
hexadecimal y así obtendremos el valor que debemos pasarle al buffer.
Vayamos
a nuestro exploit y modifiquemos un poco el payload, necesitaremos
importar la librería struct para poder pasar el valor que necesita
cookie para mostrarnos el string.
Las
92 A son las necesarias para desbordar el tamaño del buffer (es el
resultado de la cuenta que realizamos con los dos valores identificados
en el ollydbg, nos queda 5C y si lo pasamos a decimal nos queda ese
número). Luego llamamos el struct.pack, le indicamos que trabajaremos
con little endian y el segundo parámetro es el valor de cookie.
Probemos
entonces, cerremos todo, corremos nuevamente el .py, nos attacheamos
con olly, click en E para elegir el módulo con el cual trabajaremos,
presionamos play, vamos a la ventana donde se está ejecutando nuestro
exploit, hacemos click, volvemos al ollydbg y damos F8 hasta que explote
el payload y nos muestre el string la consola.
Ejercicios propuestos:
Intentar reproducir el ejercicio sin la guia.
Intenten
realizar los ejercicios y brindarnos un feedback, es la única forma que
tenemos de darnos cuenta si se entiende lo que vamos explicando, si
pueden hacer los ejercicios o si tenemos que modificar algunas cosas.
Como siempre, cualquier duda o consulta, estamos por aquí. Regards, @balderramaeric Fuente: http://www.sniferl4bs.com/2015/10/pentesting-con-kali-vi-buffer-overflow.html
Por vicisitudes de la vida me ha tocado enredar con el almacén de credenciales (Windows Credential Manager) en Microsoft Windows 7 - funciona igual en Windows 8, Windows 10 o Window Server 2012 -, todo gracias a ese preciado producto de Microsoft que es Outlook y su integración con Active Directory. Para lo que quiero hacer, Powershell es algo así como la herramienta definitiva ya que igual te vale para administrar los sistemas eficientemente como para hacer Pentesting con PowerShell en una red Windows. En el artículo de hoy, el uso de PowerShell podría decirse que su uso es para ambos fines, y que dependerá de cada uno el uso que se le quiera dar.
Figura 1: Obtener la contraseña de Lync con PowerShell
Para simplificar aún más las cosas voy a hacer uso del script Credman.ps1 del bello JimmyJoeBob Alooba que permite gestionar el almacén de credenciales de máquinas Windows, y que en este caso vamos a utilizar con la cuenta del propio usuario de la máquina - sin ser administrador del equipo -.
Acceso a datos de Windows Credential Manager
El funcionamiento es sencillo. Tras descargarlo, hay que firmar el script digitalmente, ya que tenemos aplicada la política AllSigned como forma de fortificación de ejecución de software en nuestros equipos Windows. En un primer intento, tras ejecutarlo y lista mis credenciales, sin sacar una contraseña alguna por el momento.
Figura 2: Listando credenciales almacenadas en Windows Credential Manager de Windows
Hay que comentar que en el almacén de credenciales de Microsoft no solo se guarda información permanente - lo que marcamos como "recordar contraseña" -, sino que también aparece información volátil y de sesión. Y aquí es donde entra en juego Microsoft Lync 2013.
Las credenciales de MS Lync (Skype for Business)
Supongo que si digo que actualmente se llama "Skype for Business" queda todo explicado sobre la idea de la herramienta. Una de las mejores posibilidades es la de integrarse en Active Directory e integrarse con líneas de telefonía dentro de la estrategia de Comunicaciones Unificadas que muchas empresas aplican. Además, se enlaza con Microsoft Outlook para obtener contactos, almacenar conversaciones, etcétera.
Una vez que se ha instalado en el equipo Microsoft Lync 2013 y se ha iniciado sesión, el comportamiento del script cambia. Si volvemos a lanzar exactamente el mismo script podemos ver que salen mis contraseñas de Microsoft Lync 2013 en texto claro.
Figura 3: Con Microsoft Lync con una sesión activa se muestran las credenciales
Si alguien es capaz de acceder durante unos instantes a mi sesión de escritorio y lanzar el script, en PowerShell podría robar mis credenciales para conectarse al correo electrónico, recursos de red, tal vez VPNs, etcétera. También podría hacer llamadas telefónicas a través de otra instancia de Microsoft Lync utilizando mi identidad y cargar todas las llamadas a mi cuenta.
Las credenciales de la cuenta de Microsoft Lync quedan ahí
mientras que la sesión está abierta e incluso pasado un buen rato
después de que se cierre la sesión se sigue mostrando Solo se borra
automáticamente si se vuelve a abrir Microsoft Lync con
otra cuenta o si reiniciamos la sesión. La explicación de por qué están
las credenciales ahí se debe a la integración del servicio con todos los
servicios. En algún momento necesitará autenticarse en otros servicios y
por eso recuerda la contraseña en la sesión, aunque tal vez debería
guardarla cifrada en el Windows Credential Manager.
Figura 4: En Windows Credential Manager se muestra que la cuenta tiene la contraseña guardada, pero no se ve.
Una última prueba que queda por hacer es ver si la GUI del administrador de credenciales también muestra la contraseña o no.
La ventaja de este sistema tan sencillo de usar el script para listar
las identidades frente a usar una herramienta más agresiva como Mimikatz o los volcados de memoria - para el caso de Microsoft Lync o cualquier otro sistema que almacene credenciales temporalmente sin cifrar - es que no es bloqueado por el sistema antimalware
del sistema ni necesitamos privilegios de administrador para acceder a
los datos. Al fin y al cabo no es más que utilizar herramientas del
propio sistema como PowerShell con los permisos de usuario.
Hello reader and welcome to part 2 from chapter 5 of the WiFi Security and Pentesting Series.
If you remember in the previous part, we learned Speeding up WPA/2 Cracking Using Pre-generated PMKs.
Which certainly uses CPU as the primary part for the calculations of
the PMKs. It surely gives us speed for cracking as while using PMKs for
cracking we are not performing actual calculations in real-time.
This brings us to some drawbacks of using PMKs, as follows:
SSID Specific. You cannot use PMKs generated for SSID, say “rootsh3ll” for another SSID like “Belkin“.
Case-Sensitive. Cannot be used even a single letter is up/lower case. Ex: Won’t work for “Rootsh3ll“ if PMKs are created for “rootsh3ll“.
Time used is the same. As processing power of CPU
is same in both cases, the time required for creating PMKs are equal
even if you crack using Aircrack or creating PMKs(with GenPMK).
Huge HD Space required. As we are pre-calculating
the PMKs and storing them on HD, it requires a lot of space on your HD
and that too for a specific SSID. Which is not an option all the time.
Less helpful in today’s scenario. Nowadays routers are being shipped with unique SSID. Ex: Belkin_04A2 for preventing routers from these kind of attacks or atleast delay the cracking duration.
You might be thinking now that If this is so, then why would I even consider PMKs for cracking ?
Well, as I said above this is Less helpful, that means in some cases.
Cases like:
Simple SSIDs. Ex: MTNL, Airtel, Linksys etc
Before trying any complex task to crack the PSK, if you have PMKs already stored. Give them a shot
Mobile numbers are still very common passwords.
Still, even if this gives us speed this method is a bit slow. You
don’t always have a friend ready to give you a pre-generated PMK file
for a specific SSID just when you have captured the handshake, right ?
yeah, it’s very rare!
Here is when you need to stop using your CPU and test the processing power of you GPU.
If you are not aware of using GPUs for cracking purposes let me tell
you, Yes GPUs can be used for cracking password hashes and are being
used now from a while.
There are plenty of tools which uses GPU to boost the cracking speed
and lets you crack in way much lesser time that your CPU would have the
job finished.
Tools like:
Pyrit
BarsWF
HashCat
igHashGPU
How ? Simple! Your CPU has 2,4,8 cores, means parallel computing units where GPUs have them in thousands, if not hundreds.
NOTE: My GeForce GT 525M have 296 cores, and it is pretty old Graphics card, Speed: ~6000 PMK/s. NVidia Titan X is the Best single graphics card with cracking speed up to 2,096,000 hashes/sec.
Using GPU for Cracking WPA/2 Passwords
Being in the scope of the series we will stick to WPA/2 cracking with
GPU in this chapter. For learning difference between CPU and GPU
cracking you can visit the following post I’d previously written on
FromDev.com. CPU vs. GPU Password Hash Cracking – FromDev.com
Tools described above are used for cracking various kinds of passwords.
There are 2 tools used for Cracking WPA/2-PSK using GPU from the above list
Pyrit
HashCat
As the post title suggests we will go with HashCat.
What is HashCat ?
Hashcat is a self-proclaimed command line based world’s fastest password cracker.
It is the world’s first and only GPGPU based rule engine and available for Linux, OSX, and Windows free-of-cost. It comes in 2 variants
CPU Based
GPU Based
There is no difference when passing commands to Hashcat because it
automatically uses the best method to crack passwords, either CPU or GPU
depending on the Graphics driver you have installed or not.
Hashcat is fast and extremely flexible- to writer made it in such a
way that allows distributed cracking. There are multiple version of
HashCat, each optimized and suited for different methods of cracking
(dictionary, single hash, distributed etc). I highly recommend Hashcat
over Pyrit for its flexibility.
Why use HashCat at first place ?
As already told above, because of it’s flexibility and vast support of algorithms.
But why Hashcat when I just want to crack WPA/2 most of the times ?
If you have used or haven’t used Pyrit yet, let me tell you one
thing. Pyrit is perhaps the fastest WPA/2 cracker available on the
internet but it uses dictionary or wordlist to crack the passwords even
if you use PMKs or directly run the cracker you need to have a large
amount of dictionaries to test the validity of the hash.
For storing hashes you need a lot of disk space. As you can see in
the image below, there is a few wordlists that almost take >25 GB on
the disk(Extracted), and it take more than 2-3 days to run through them
all even with GPU.
You can download some useful wordlists here.
But most of the times there are some pattern(default passwords) we like to test for validity. Patterns like:
Mobile number
Date of Birth
Default password patterns like “56324FHe“
10 digit default password by ISP
and so on
Here is when We have to leave Pyrit with it’s dictionaries and get our hands-on with HashCat.
HashCat have a brilliant feature called mask-attack, which allows us
to create user-defined patterns to test for password validity and you
know what the best thing is ? It requires 0 Bytes on your hard drive.
How ?
Before we go through this we need to understand that in some cases we need Wordlists.
Its only when we are 100% certain that it has some kind of pattern we
can use this type of attack. So of you know a certain ISP has 10 random
numbers and only a few letters, you could do it to save space on your
HD.
WPA/2 cracking is a tedious task and uses maximum power of the system
when we use Hashcat for the purpose and sometimes it needs to take down
the load from the system to switch tasks. hashcat stands best here for
it’s remarkable feature.
It supports pause/resume while cracking
Supports sessions and restore
We will see this feature in this tutorial. Keep reading.
Supported Attack types
Dictionary based attack
Brute-force/Mask attack
Hybrid dict + mask
Hybrid mask + dict
Permutation attack
Rule-based attack
Toggle-case attack
These are too name a few. Hashcat supports way too many algorithms to get your hash cracked.
NOTE: Traditional Brute-force attack is outdated and is
replaced by Mask attack in Hashcat. Wee will see later in this post in
details about this.
Variants
As told above Hashcat comes in 2 vaiants:
Hashcat -A CPU based password cracker
Oclhashcat/CudaHashcat – GPU accelerated tool
Setting up the Lab
Installing Graphics driver
You have basically 2 choices
Install graphics driver in Kali Linux directly, i.e your Pentesting distro.
Install graphics driver in Windows or OSX.
I have Kali Sana installed in my Virtual machine and unfortunately no
virtual machine supports using graphics card or GPU acceleration inside
the virtual OS. So I’ll be sticking with Hashcat on windows. You can
still do the same task with exact same commands on Kali Linux(or any
Linux OS) or OSX with properly installed proprietary drivers.
I haven’t written any article on how to install graphics drier in
Kali Linux as BlackmoreOps already have a great article on same. so you
can follow the links and try installing the same on your version of
Kali.
NVidia Users:
You can download Hashcat from it’s official website: http://hashcat.net/
File is highly compressed using 7z compression. So make sure you have atleast 1 GB before extracting the downloaded file.
You can use 7zip extractor to decompress the .7z file. Download it here: http://www.7-zip.org/download.html
P.S: It is free of use and better than WinRAR.
Cleanup your cap file using wpaclean
Next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand.
Here’s how to do it:
To convert your .cap files manually in Kali Linux, use the following command
1
wpaclean<out.cap><in.cap>
Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion.
Convert .cap file to .hccap file
Now assuming that you have installed appropriate graphics driver for
the selected OS, moving on to the nest step. We need to convert the
previously captured handshake i.e .cap file to a format that hashcat
could understand and it is .hccap file format.
Nothing difficult or time taking. Command to convert .cap to .hccap goes like this
aircrack-ng -J <output.hccap> <path/to/.cap file>
Here output.hccap is the output filename with .hccap file format and input.cap is the handshake originally captured.
Log in to Kali Linux, open Terminal and type:
aircrack-ng -J “rootsh3ll-01.hccap” “rootsh3ll-01.cap”
Note: rootsh3ll-01.cap is located on Desktop. Check location of your .cap file.
Now we have .hccap file, installed graphics driver and downloaded hashcat. Let’s begin the cracking.
Cracking WPA/2 Passwords using Hashcat
We will cover the following topics:
WPA/2 Cracking with Dictionary attack using Hashcat.
WPA/2 Cracking with Mask attack using Hashcat.
WPA/2 Cracking with Hybrid attack using Hashcat.
WPA/2 Cracking Pause/resume in Hashcat (One of the best features)
WPA/2 Cracking save sessions and restore.
WPA/2 dictionary attack using Hashcat
Open cmd and direct it to Hashcat directory, copy .hccap file and wordlists and simply type in cmd
Here I have NVidia’s graphics card so I use CudaHashcat command
followed by 64, as I am using Windows 10 64-bit version. yours will
depend on graphics card you are using and Windows version(32/64). cudaHashcat64.exe – The program, In the same folder
theres a cudaHashcat32.exe for 32 bit OS and cudaHashcat32.bin /
cudaHashcat64.bin for Linux. oclHashcat*.exe for AMD graphics card. -m 2500 = The specific hashtype. 2500 means WPA/WPA2.
In case you forget the WPA2 code for Hashcat.
Windows CMD: cudaHashcat64.exe –help | find “WPA”
Linux Terminal:cudaHashcat64.bin –help | grep “WPA”
It will show you the line containing “WPA” and corresponding code.
Handshake-01.hccap = The converted *.cap file. wordlist.txt wordlist2.txt= The wordlists, you can
add as many wordlists as you want. To simplify it a bit, every wordlist
you make should be saved in the CudaHashcat folder.
After executing the command you should see a similar output:
Wait for Hashcat to finish the task. You can pass multiple wordlists
at once so that Hashcat will keep on testing next wordlist until the
password is matched.
WPA/2 Mask attack using Hashcat
As told earlier, Mask attack is a replacement of the traditional Brute-force attack in Hashcat for better and faster results.
let’s have a look at what Mask attack really is.
In Terminal/cmd type:
cudaHashcat64.exe -m 2500 <rootsh3ll-01.hccap> -a 3 ?d?l?u?d?d?d?u?d?s?a
-a 3 is the Attack mode, custom-character set (Mask attack) ?d?l?u?d?d?d?u?d?s?a is the character-set we passed to Hashcat. Let’s understand it in a bit of detail that
What is a character set in Hashcat ?
Why it is useful ?
What is a character set in Hashcat ?
?d ?l ?u ?d ?d ?d ?u ?d ?s ?a = 10 letters and digits long WPA key. Can be 8-63 char long.
The above text string is called the “Mask”. Every pair we used in the
above examples will translate into the corresponding character that can
be an Alphabet/Digit/Special character.
For remembering, just see the character used to describe the charset ?d: For digits ?s: For Special characters ?u: For Uppercase alphabets ?l: For Lowercase alphabets ?a: all of the above.
Simple! isn’t it ?
Here is the actual character set which tells exactly about what characters are included in the list:
1
2
3
4
5
?l=abcdefghijklmnopqrstuvwxyz
?u=ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d=0123456789
?s=«space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a=?l?u?d?s
Here are a few examples of how the PSK would look like when passed a specific Mask. PSK = ?d?l?u?d?d?d?u?d?s?a
0aC575G2/@
9zG432H0*K
8sA111W1$4
3wD001Q5+z
So now you should have a good understanding of the mask attack, right ?
Let’s dig a bit deeper now.
Mixing Mask attack with Custom characters.
Let’s say, we somehow came to know a part of the password. So, it
would be better if we put that part in the attack and randomize the
remaining part in Hashcat, isn’t it ?
Sure! it is very simple. Just put the desired characters in the place and rest with the Mask. He ?d ?l 123 ?d ?d ?u ?d C is
the custom Mask attack we have used. Here assuming that I know the
first 2 characters of the original password then setting the 2nd and
third character as digit and lowercase letter followed by “123” and then
“?d ?d ?u ?d” and finally ending with “C” as I knew already.
What we have actually done is that we have simply placed the
characters in the exact position we knew and Masked the unknown
characters, hence leaving it on to Hashcat to test further.
Here is one more example for the same:
Let’s say password is “Hi123World” and I just know the “Hi123” part
of the password, and remaining are lowercase letters. Assuming length of
password to be 10.
So I would simply use the command below
Where ?u will be replaced by lowercase letters, one by one till the password is matched or the possibilities are exhausted.
Moving on even further with Mask attack i.r the Hybrid attack.
In hybrid attack what we actually do is we don’t pass any specific
string to hashcat manually, but automate it by passing a wordlist to
Hashcat.
Hashcat picks up words one by one and test them to the every password possible by the Mask defined.
Example:
cudaHashcat64.exe -m 2500 handshake.hccap -a 1 password.txt ?d?l?d?l
-a 1 : The hybrid attack password.txt : wordlist ?d?l?d?l = Mask (4 letters and numbers)
The wordlist contains 4 words.
1
2
3
4
carlos
bigfoot
guest
onion
Now it will use the words and combine it with the defined Mask and output should be this:
carlos2e1c
bigfoot0h1d
guest5p4a
onion1h1h
It is cool that you can even reverse the order of the mask, means you
can simply put the mask before the text file. Hashcat will bruteforce
the passwords like this:
7a2ecarlos
8j3abigfoot
0t3wguest
6a5jonion
You getting the idea now, right ?
Using so many dictionary at one, using long Masks or Hybrid+Masks
takes a long time for the task to complete. It is not possible for
everyone every time to keep the system on and not use for personal work
and the Hashcat developers understands this problem very well. So, they
came up with a brilliant solution which no other password recovery tool
offers built-in at this moment. That is the Pause/Resume feature
WPA/2 Cracking Pause/resume in Hashcat (One of the best features)
This feature can be used anywhere in Hashcat. It isn’t just limited
to WPA/2 cracking. Even if you are cracking md5, SHA1, OSX, wordpress
hashes. As soon as the process is in running state you can pause/resume
the process at any moment.
Just press [p] to pause the execution and continue your work.
To resume press [r]. All the commands are just at the end of the output while task execution. See image below
You might sometimes feel this feature as a limitation as you still
have to keep the system awake, so that the process doesn’t gets cleared
away from the memory.
And we have a solution for that too. Create session!
WPA/2 Cracking save Sessions and Restore.
Creating and restoring sessions with hashcat is Extremely Easy.
Just ass –session at the end of the command you want to run followed by the session name.
Example:
cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap -a 3 Hello?d?l?d?u123?l?l?u –session=blabla
Here I named the session “blabla”. You can see in the image below
that Hashcat has saved the session with the same name i.e blabla and
running.
Now you can simply press [q] close cmd, ShutDown System, comeback after a holiday and turn on the system and resume the session. That easy!
NOTE: Once execution is completed session will be deleted.
How to restore ?
Above command – “–restore”. Here it goes:
cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap -a 3 Hello?d?l?d?u123?l?l?u –session=blabla –restore
Hashcat will now check in its working directory for any session previously created and simply resume the Cracking process.
Simple enough ? Yes it is.
This is all for Hashcat. Hope you understand it well and performed it
along. No need to be sad if you don’t have enough money to purchase
those expensive Graphics cards for this purpose you can still try cracking the passwords at high speeds using the clouds. You just have to pay accordingly.
Cloud for Cracking WPA/2-PSK
You can even leverage cloud for the same purpose. You just have to
pay for the service you use as it requires a lot of money, electricity
to keep the system up and running and keeping it fast at the same time.
A Website that provide the similar service is http://cloudcracker.com/.
They charge $17 for 300 Million words in 20 minutes. Which means 250,000 PMK/Second. Sounds nice! isnt it ?
Well this is a service so they surely have their part of profit. If
you are at a shortage of money you can try even cheaper service.
Don’t worry this cheap is actually better than the expensive if you are able to do it accordingly.
That is Amazon Elastic Computing 2(EC2)
or AWS (Amazon Web Services). Here you need to do all the things
manually after logging into the remote host that yo0u have purchased.
You have to install the tools and dependencies accordingly and give
commands to the master server to perform the cracking. You can aso
create upto 1000 instances to distribute the load and increase the
cracking speed. Price will change accordingly.
But in short let me tell you if you are willing to do this Super
Interesting stuff, it will cost you maximum of $1 an hour for even
greater speeds than cloudcracker.
Here is a video to help you understand better the concept of load
distribution and command the master server. Hope you are getting the
concept.
Here is one more for you to see the cracking process running on
Amazon EC2, It’s an old video but worth watch and understand the
concept.
Forgot to tell you one good news. Amazon EC2 is FREE for first month.
It will just ask you for the credit/debit card info as a validation
proof. But don’t worry no extra penny will be deducted until you extend
to new plan.
So I would encourage you to do some research on this specific topic
after getting over of Hashcat. It is the real Fun believe me!
If you love all this crazy stuff You will love that too.
Hope this was helpful enough!
Keep Learning. See you in the next chapter with the Aircrack Boost Script!
Microsoft released Windows 8 in 2012. With this new version,
Microsoft made a fundamental shift in Windows 8 as compare to older
versions of Windows. It does not only target netbooks, laptops and
traditional computers, instead they decided to use the same technology
in Windows 8 tablets. This is why Windows 8 operating system is far more
touch screen oriented for use on tablets as well as traditional PCs.
According to Microsoft, ‘In Windows 8, a Windows pointer device refers
to devices that support the pen, or touch, functionality. In the
context of a Windows Pointer Device, a pen is a single contact point
active stylus input, also known as tablet-pen that supports hovering.
Touch functionality refers to a single finger contact point or two or
more concurrent finger contacts.’ Windows pointer devices use HID
(Human Interface Device) protocol to communicate with Windows operating
system. Below snapshot shows the interface of the touch keyboard.
Fig 1-1
Why Touch Keyboard Forensics?
Number of touch screen devices is increasing exponentially. According
to a report from DisplayBank, shipments of touch screen equipped
notebooks increased by 51.8% in Q1 2013 to 4.57 million units. Looking
at the trend, it is quite obvious to expect more touch screen enabled
laptops, PCs, and tablets in forensic labs for examination. Though the
basic file structure remains same in Windows 8 as compare to its
predecessors, but the huge difference in user interface and addition of
new features and metro apps have introduced greater use of touch
technology in the form of virtual keyboard and other touch enabled apps.
Touch keyboard allows users to enter data on handwriting touch panel.
This data is stored in ISF format containing details of user’s input,
number of strokes etc. To understand it better, we can create an analogy
between ISF file and a piece of paper note found while conducting a
search for evidence. This might add another piece to the puzzle in
investigation or turn out to be an important clue for handwriting
analyst team. Thus, touch analysis deserves consideration in the field
of forensics.
ISFViewer
In Windows, the InkStore folder, located at
C:\Users\(username)\AppData\Local\Microsoft\InputPersonalization,
contains ISF Files. ISF stands for Input Serialized Format. It is a
Microsoft standard format to store written ink information. This format
is specially used to store data entered using stylus in devices like
mobile phones, tablet PCs, touch screen laptops, personal digital
assistants.
According to Wikipedia “An ink object is simply a
sequence of strokes, where each stroke is a sequence of points, and the
points are X, and Y coordinates. Many of the new mobile devices can also
provide information such as pressure, and angle. In addition can be
used to store custom information along with the ink data.“
ISFViewer is written in C# and available at https://github.com/cybercuffs/ISFViewer.
It takes a single ISF file or a folder with multiple ISF files as two
different input options and converts them into GIF image format. The
.gif file can later be viewed with Windows Photo Viewer or any other
image viewer.
Fig 1-2
Following screenshot depicts the output of the ISFViewer
Fig 1-3
Registry Artifacts
One can use the MS device manager in order to disable/enable the
touch screen functionality. Fig 1-4 shows the device manager view of
Windows 8 and 8.1. Note that in Windows 8, Microsoft labels all the
devices as HID – Compliant Device that makes it a hit and try effort to
turn the touch screen on/off. On the other hand Windows 8.1, adds the
device name like ‘touch screen’ in front of HID – compliant device.
Fig 1-4
Now look at the Fig 1-5 to see how the two registry entries IsTabletPC and DeviceKind is changed.
Fig 1-5
Formerly known as Internet Explorer and then as Project Spartan,
Microsoft Edge Browser has evolved a lot. From the User Interface to the
technology it’s built upon, the browser has completely changed in its
variant meant for Windows 10. This post will provide an insight into the
artifacts left behind on the local machine by the successor to
the Internet Explorer web browser. From the location, type and gathering
of these artifacts, this post explains and throws light on all aspects
of Edge Browser Forensics. However, you will discover that the
functioning and backend of Project Spartan aka Edge Browser is no
different from the Internet Explorer latest version. Let us take a look
at it.
Starting With Browser Forensics
Web browsers are the primary source of undertaking most offensive
activities online. Therefore, it also becomes the primary source of
information in any digital forensics investigation case as well. Many
open source applications can capably conduct forensic examination of
most web browsers. Nevertheless, these applications work on the
architecture of browsers and require working with them in order to
detect and interpret their data. Edge Browser And Its Forensics
Edge is the latest browser developed by Microsoft as a successor to
Internet Explorer. However, being built specifically for Windows 10 its
usage has all of a sudden risen due to the increasing number of the
latest OS users. Edge Browser also leaves behind artifacts on the user
machine in order to store browsing information.
Exploring Edge Storage: Moreover, compared to its
predecessor, Edge browser by Microsoft no longer stores the browser
related information like history, keyword searches, and
similar information in an Index.DAT file. Previously, this information
used to get stored within a file type with a .dat extension. On the
other hand, the file was replaced in Edge to an ESE database like the
one generated by Windows for storing information related to searches
conducted on Windows Explorer.
The file type is known as an Extensible Storage Engine database file.
Not just the browsing history, but also most of the other artifacts
generated by this browser are stored in this format only. This database
format is also popularly known as an EDB database or Jetblue, which is a
technology that corroborates the database for Microsoft Search, Edge
Browser and Cortana (a digital personal assistant developed Windows
mobile and desktops) as well.
Unearthing The Artifacts: Edge ESE Database
Settings for Edge browser are stored in an ESE database, which is located on a Windows machine at the following folder path:
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb
Even though the suspect might be using Edge browser, Windows 10 still
has a provision for Internet Explorer version 11. Surprisingly the
browsing history for both is stored at the same location, which is:
\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Cached file location would be in the following directory path: \Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\#!001\MicrosoftEdge\Cache\ Examining The Artifacts: Search for Evidence
As discussed previously, there are plenty of open source utilities
available to offer a look inside the ESE Database on a standalone mode,
i.e. without external support required. However, this entirely depends
on the state in which the database is present. Being ESE database, in
case of a dirty shutdown of the machine, there is high possibility of
the extracted artifacts to be found in a dirty dismount state.
Therefore, in that case, the examiner would first have to process it
with Extensible Storage Engine Utilities provided by Microsoft Windows
in order to further parse it in search of evidence.
History being the most majorly important database has been used an
example for explaining the exploration of evidence in an ESE Database
using a viewer or open source ESE DB reader.
Below are the tables that can be found within a History ESE database of Edge Browser:
AppCache_n AppCacheEntry_n Container_n DependencyEntry_n HstsEntry_n LeakFiles MSysLocales MSysObjects MSysObjectsShadow MSysObjids Partitions Facts: Container_n tables store information
like cookie detail, websites visited, cache file entry, and more, which
is relevant and significant from investigative point of view. In
addition, the timestamp recorded by ESE database is in Google’s Chrome
Value format. In the local machine’s timezone, however, the information
can be decoded using a decode utility or even the esedbexport tool can
decode the value, if the examination is being performed with it.
What Complicates The Investigation? A Twist in the Examination!
There is something quite unusual about Edge browser. Suppose you have
logged onto your Windows 10 PC with a Microsoft Account and then later
on you use the same account to log into some other PC. What happens here
is that Microsoft chooses to synchronize your web browser’s history
details across the devices logged in with the account.
Therefore, the websites visited by a suspect can be portrayed as the
websites also visited by the victim at the very same time, making it
tricky to make out who is who. Thus, the investigation is complicated.
There is no certain method from a forensics standpoint to find out
the source machine for the captured details. This will resultantly make
it challenging to pin down a user to a specific machine and thus, the
root behind all the browsing history.
Edge-y Loophole: Private Browsing
The forensic examination of most web browsers has proven that they
don’t have a provision for storing the details of privately browsed web
sessions. Private browsing is provided for a purpose, i.e. privately
browsing the web, which is being delivered.
However, in the case of Microsoft Edge even the private browsing
isn’t as private as it seems. Previous investigations of the browser
have resulted in revealing that websites visited in private mode are
also stored in the browser’s WebCache file. NOTE: The Container_n table stores web history.
There a field named ‘Flag’ will be available. A website visited in the
private mode will have a flag value as ‘8’. Generally the purpose of
storing this information is to retrieve crashed private sessions.
Therefore any skilled investigator can easily spot the difference and
get concrete evidence against a person’s wrongdoings. Plenty of
artifacts are maintained by the browser, which makes examination quite
easy. However, there are stages where evidence is not so easy to find.
The not-so-private browsing featured by Edge makes its very purpose seem
to fail.
On the 29th of June, Microsoft announced the release of Windows 10, so it is time to have a deeper look at this new Operating System from the perspective of an Incident Responder. To make it easier for you to read the screenshots, I have chosen USERNAME and HOSTNAME as names for themselves.
The tool Process Hacker (http://processhacker.sourceforge.net) still functions in Windows 10 and shows well-known process names, parent-child relationships and familiar faces from former Windows Operating Systems. But the familiarity is short-lived. Some players are new and some players have changed their position on the playground.
System still has the PID 4 and is the parent of the Windows Session Manager. I will also mention that it still resides at %systemroot%\system32\. All services are started from executable files from their former locations, if not mentioned otherwise in this article.
There are still two Client Server Runtime Processes (csrss.exe), one of which has the same parent as wininit.exe from an ended smss.exe process. Every additional user on this host (either as a “Switched User” or via Remote Desktop Connection) has its own Client Server Runtime Process since Windows NT.
Process view on a Windows 10 virtual machine
Some old and new changes
The super-process winit.exe spawns services.exe, lsass.exe and the invisible lsm.exe process to start the Local Session Manager. Starting from Windows 8, lsm.exe is started inside a Service Host process from svchost.exe from the command line %systemroot\system32\svchost.exe -k DcomLaunch.
The Local Session Manager Service lsm.exe does not show up in your preferred Task Viewer any longer as its own entry, but in the Services console as an “unchangeable” service.
The Local Session Manager has moved under the hood of svchost.exe
The WinLogon Service, which is responsible for Interactive Logons on a Windows Operating System, remains where it has always been for Session 1 and is started for every interactive user session. The screenshot above shows only winlogon.exe, dwm.exe (the Desktop Window Manager) and one instance of explorer.exe per user session started. As was already changed between Windows 7 and Windows 8, the Desktop Window Manager no longer exists as a child of svchost.exe, executed with the credentials of the current user. In Windows 8 and 10 it is spawned from the Windows Logon process as user Window Manager\DWM-1 with the start of the Operating System. For every new user on the Host the digits count from DWM-2 and up.
Another new name for the Task Host
Renaming is another interesting topic. The Microsoft OneDrive Client Application called OneDrive.exe, started from %userprofile%\AppData\Local\Microsoft\OneDrive\OneDrive.exe, is a new starter on the playground of Windows for every new session. But why this is a 32-bit process on a 64-bit machine can only be answered by Microsoft. It must be a real secret; why shouldn’t it be possible to develop their Office 365 file sharing client in a 64-bit flavor? At least they renamed the client from Skydrive.exe to OneDrive.exe.
And Microsoft has renamed the Host Process for Windows Tasks again. In Windows 7 it was named taskhost.exe, in Windows 8 it was called taskhostex.exe and the new name is taskhostw.exe in Windows 10. A look at the name of the Taskhost process is sufficient to recognize the OS version from now on.
The primary purpose, serving as a generic “Host Process”, remains unchanged, as does the location in %systemroot%\system32\.
Surprise, Surprise
Let’s open some typical built-in applications and see what happens. In this case, I was executing cmd.exe from the “Run” dialog and started a Pathping against my own virtualized host machine. The Console Windows Host conhost.exe has been running as a child of cmd.exe since Windows 8, and not as a child of csrss.exe as it was in Windows 7. The executable file for Pathping is a child of cmd.exe in the same way conhost.exe is. There is no longer any separation of conhost.exe under the user’s own Client Server Runtime Service csrss.exe and the cmd.exe process under explorer.exe. If you open a second or third Command Prompt, Windows 10 opens a Console Window Host for each of them.
But you can have a whole new experience if you start the new Microsoft Edge web browser, the successor of Internet Explorer. Microsoft Edge starts four processes:
Two processes named MicrosoftEdgeCP.exe, started from C:\Windows\SystemApps\..\ with the permission of the current user. Microsoft Edge starts with two of them for the first visible tab inside the browser window. Both are child processes of RuntimeBroker.exe, which is a child of svchost.exe, the Host Process for Windows Services. Runtime Broker starts automatically with the Operating System. A new MicrosoftEdge process is started under the Runtime Broker Service for every new tab that is opened by the browser. Microsoft is also introducing the new path %systemroot%\SystemApps and starting a web browser as a sub-child of svchost.exe, which breaks traditions in the process design.
Directly spawned from svchost.exe is the process MicrosoftEdge.exe (without “CP” at the end of the file name). This is the main browser application process. And again, the executable file is saved in a subfolder of C:\Windows\SystemApps.
The Host Process svchost.exe starts a fourth executable file called browser_broker.exe. This time Microsoft is following its own design traditions and has stored the file in the well-known path %systemroot\system32\.
My personal Virtual Machine was a pre-release version, updated automatically to the RTM version of Windows 10. This might be the reason for the weird randomized-looking folder name for the Edge Browser.
A view of Edge and the corresponding processes
What is missing? Any process under the Explorer process. Despite MicrosoftEdge being a visible application on the Desktop, there are no processes spawned as a child of explorer.exe.
At first I thought there might be a problem with the Process Hacker tool I was using to enumerate the processes on this virtual Windows 10 machine. So I checked my findings locally on the virtualized host with Microsoft’s highly underestimated “Super Weapon”: WMIC.
My command was:
wmic process where “name like “%Edge%” OR name like “%broker%” OR ProcessID=”832″” get name,ProcessID,ParentProcessId
And this was the output:
In this case I queried for the PID 832 from svchost.exe to show you the relationship between all mentioned processes. If you follow all parent-child dependencies you can see the validation of the GUI-based output.
What does it look like if you use the Windows Task Manager?
MicrosoftEdge.exe, easily identified by the name of the executable file and the PID, shows up under “Apps” together with other foreground applications, despite it being started as a child of the svchost.exe process. As soon as you right click on this entry and check the properties for MicrosoftEdge.exe, a new dllhost.exe process called “COM Surrogate” is started from %systemroot%\system32\ with the permissions of the currently logged on user. Other user-specific services like csrss.exe are marked as Background processes.
The browser_broker process and the MicrosoftEdgeCP.exe instances are running under the tab “Background processes”, too. Since MicrosoftEdgeCP.exe and MicrosoftEdge.exe have the same shown description text and path from %systemroot%\SystemApps, they can only be identified on the Details pane by comparing the file names.
Conclusion
Microsoft maintains a lot of already known process structures, but has made some unusual decisions when it comes to the way their new web browser Edge is started. Hosting all related processes as a (sub-)child of an already shared Service Host instance doesn’t seem to be a logical decision. By introducing a new path for the stored executable files of Microsoft Edge under %systemroot%\SystemApps, the next needless confusion is created.
And confusion is a good topic to explore: renaming taskhost.exe to taskhostex.exe and then to taskhostw.exe is one example of something that makes it harder for Incident Responders to identify malware which tries to hide “in plain sight”. We can probably all hazard a guess at which names and similar-looking paths will be used in the near future by the creators of malware. But one thing did not change with the introduction of Windows 10: you need third-party tools to unveil what is really running on the Operating System.
Robin Brocks (GCFA, CISSP) is an IT Forensic Expert and Incident Responder He has been working in the field of IT Forensics for the last seven years and is an experienced IT Architect, Trainer and Consultant in the IT Business since 1998.
SQLite is a compact database engine highly
integrated with embedded devices and locally used applications in
various Operating Systems. Recent years have seen extensive usage of
portable devices like tablets, smartphones, etc. and this has given rise
to adaption of the SQLite application. It also amplifies the chances
for surfacing digital evidence using forensic analysis of SQLite
database files. Intentional deletion of crucial data from SQLite
databases, which are embedded within the applications, can rarely be
done by the average person. However, technically expert criminals can
perform such tactics to avoid being discovered. In order to perform the
deleted data recovery, it is important to understand some factors like
structure and architecture of SQLite databases, how the records are
stored in the pages of the databases, and how the databases align all
the elements. SQLite Database Structure
SQLite databases belonging to any application are structured with
many pages of fixed size and a fixed number of bytes, which can be 1024, 2048, 4096, 8192, 16384, 32768 or 65536.
The number of pages and size is declared in the header of the database.
Official documents state that header of the page is stored in the first
100 bytes of the first page, and rest of the page structure is
maintained. There are mainly 4 types of pages for SQLite databases, and
the type can be detected by the first byte of each page, which occurs
after the file header. The important row data of the database lies in a
“Leaf Table B-Tree” type of page. It takes the flag value as 0xD i.e. 13
decimal.
In order to carve an entire SQLite record, it is important to analyze
schema. If the page has overwritten the cell headers, the carving of
data from the database including the deleted data can be difficult.
However, when we perform the recovery on specific string content of the
page, it can be conveniently done. File signature, which is an important
element in any file format belonging to the SQLite file, is File Signature: ‘‘0x53 51 4c 69 74 65 20 66 6f 726d 61 74 20 33 00’’
This file signature can help you to identify the SQLite database, as
this file does not have any specific file extension. The header appears
in the beginning of the file, which also contains the signature. The
lower part will comprise of the schema table, which contains the table
information.
After the header portion, the page comprises of b-trees, which are
again separated into index b-tree and table b-tree. The data is stored
in the table b-tree in cells, which act as an elementary unit of store
operation. Cell structure and contents depend on the internal and leaf
pages. The internal page is available in the middle section of the tree
and the cells store the locators or pointers for locating the lower
page. The leaf page is present in the bottom.
The structure of the schema table is comprised of specific schema
names. The string, which appears after root page numbers, is SQL query.
When investigators want to recover the deleted records, the table
information has to be acquired using this SQL query associated with that
table. Information in the schema is: table name, field name-type, and
number of fields which are usually of four types; TEXT, NUMERIC,
INTEGER, & BLOB. SQLite Deleted Data Recovery from Journal Files
The transaction log file of the SQLite database serves as the best
source for acquiring deleted records from the database. However, this
process is valid and helpful only when the deleted records are available
in the transaction log files. SQLite database system has a different
management for the transaction log files and it creates a separate
journal file named as “\database file name[/\file extension[-journal’’
when a query is sent to the associated database. Thus, it saves the
history of inputs made and outcome results in the form of records before
the query is completed on the main database. Forensic analysis of these
journal files can bring out a lot of evidence if the records are still
available in the journal files. However, modern investigation theories
suggest that it is always better to perform the investigation on the
records recovered directly from parent databases instead of journal
files. How is Record Deletion Managed in Application Software?
The management of record deletion in application software depends on
the application and varies accordingly. The rules or directions for the
deletion can be classified as: “Overwritten with zero”, “Remove deleted
data”, or “Set as free”. Its recoverability methods and probability also
change accordingly.
The first rule, where record deletion prompts overwriting with zero,
is highly used in web-browsers like Safari, Chrome, Firefox, etc. In
this case, the recovery of data is not possible even if the deleted data
is identified.
The second rule is in the case of an iPhone, where the small sized
data is deleted. When this type of deletion occurs, the whole area is
deleted and then there is no way to trace the event of deletion.
The third rule is where the deleted data is set free and the data is
still available in the system. This case includes examples like deleted
messages in Skype messenger. When iPhone messages are deleted in bulk,
this rule is also followed. In this case, deleted data still remains in
the file and SQLite data recovery is possible if it is not overwritten.
Recovery Methodology
While performing recovery of deleted records from the SQLite
database, it is important to identify the number of fields in the schema
table and its type. Afterwards, the page can be scanned and the data
within the unallocated area can be viewed. There can be different cases
where the deleted data comprises of an independent record, more than two
records, or if the data is partially overwritten.
Considering all the factors and cases, it can be presumed that
recovery of SQLite databases depends on various aspects. Once the SQLite
database is acquired from the respective locations of Windows, iPhone,
Web Browsers, SmartPhones, Androids, etc. a python script can be
executed against this attained database. Working on the required
workstation with Python installed, users can easily perform this
recovery process using a script such as the sqlparse python script
developed by Mary DeGrazia.
These scripts can easily recover deleted cell records from the SQLite
database and help in investigations. The output results, i.e. recovered
deleted records, will then be saved in a text file. Conclusion
SQLite database engine is used in multiple application softwares for
saving data in databases. This includes Firefox, Chrome, Safari, iPhone
OS, Android OS, Windows OS, Mac OS, Skype, Whatsapp, TweetDeck, etc.
These databases can be of huge importance for forensic investigation as
data related to SMS, call logs, cache, history, searches, web cookies,
etc. is saved in these databases. In order to perform complete
investigation on these SQLite databases, deleted data recovery is
extremely important. The above-mentioned script can be helpful for
investigators in order to analyze the deleted data.
