Tuesday, November 22, 2011

Understanding APT and Counter Espionage

Thanks to Irongeek I have found the following talk at SkyDogCon.

This is a really good talk that you have to watch if you want to understand APT beyond the FUD and learn how to defend your network against it.

Friday, November 11, 2011

Hiding The Toolkit On Linux With LUKS

The idea behind this post is making incident response a little more complicated during a pen-test, by hiding our tools in "hidden volumes".

Ideally, when the hard drive has unpartitioned space, the attacker can create a new partition and encrypt it with LUKS to hide the tools. By doing so, the main file system remains unchanged (no new files are written/modified that can trigger an alert in the HIDS) and it is difficult to spot unless the defenders keep track of the logs that will point to new file systems being mounted.

The procedure would be pretty easy:
  • Mount the LUKS volume
  • Execute the tool in the background
  • Unmount the LUKS volume in 'lazy mode'

Reading umount(8), we can find the flag -l:
Lazy unmount. Detach the filesystem from the filesystem hierarchy now, and cleanup all references to the filesystem as soon as it is not busy anymore. (Requires kernel 2.4.11 or later.)
The following script works under the same principle, but it creates a file instead of a partition. In this case, it creates a 300MB file named "volume" that will contain an ext3 file system encrypted with AES 256.

#!/bin/bash
# Creates a LUKS-encrypted ext3 file system inside a regular file.
# Uses bash features (function keyword, &>), so it must not run under a plain /bin/sh.
# Needs root for losetup, cryptsetup and mkfs.

vol_name="volume"       # file that holds the encrypted volume
vol_size=300            # size in MB
mapper_name="hidden"    # name under /dev/mapper (assumed; the original post does not give one)
password="changeme"     # placeholder passphrase; replace before use

# Print the loop device currently attached to the file given as $1
function find_device_name {
        losetup -j "$1" | awk '{print $1}' | cut -f1 -d ":"
}

# Create a zero-filled file $1 of $2 MB
function create_raw_vol {
        dd if=/dev/zero of="$1" bs=1M count="$2" &> /dev/null
}

# Attach file $1 to a free loop device, format it with LUKS (AES, 256-bit key)
# using passphrase $3, then detach the loop device again.
# -q makes cryptsetup skip its interactive confirmation.
function create_luks_volfile {
        local raw_vol_dev=""
        raw_vol_dev=$(losetup -f)
        create_raw_vol "$1" "$2"
        losetup "$raw_vol_dev" "$1"
        echo "$3" | cryptsetup -q -c aes -s 256 luksFormat "$(find_device_name "$1")" &> /dev/null
        losetup -d "$(find_device_name "$1")"
}

# Attach file $1 to a loop device and open it as /dev/mapper/$2 with passphrase $3
function mount_luks_volfile {
        local raw_vol_dev=""
        raw_vol_dev=$(losetup -f)
        losetup "$raw_vol_dev" "$1"
        echo "$3" | cryptsetup luksOpen "$(find_device_name "$1")" "$2" &> /dev/null
}

# Close /dev/mapper/$2 and detach the loop device backing file $1
function umount_luks_volfile {
        cryptsetup luksClose "$2" &> /dev/null
        losetup -d "$(find_device_name "$1")"
}

create_luks_volfile "$vol_name" "$vol_size" "$password"
mount_luks_volfile "$vol_name" "$mapper_name" "$password"
mkfs.ext3 "/dev/mapper/${mapper_name}"
sleep 5
umount_luks_volfile "$vol_name" "$mapper_name"
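The post notes that after the lazy unmount the volume is hard to spot unless someone watches the mount logs. A second host-side check follows from how umount -l works: the tool left running keeps the detached file system busy, so its /proc/<pid>/exe still resolves to a file whose device number no longer appears in /proc/self/mountinfo. The script below, an added example that is not part of the original post, lists processes in that state. The mountinfo text and the pid table used by the checks are constructed sample data; the live scan in the main block needs root to read other users' /proc entries.

```python
"""List processes whose executable lives on a device that is absent from the
mount table, the residue left by a tool started from a lazily unmounted volume.

Added example; not code from the original post. Linux only for the live scan."""
import os
import re
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Dev = Tuple[int, int]  # (major, minor)

# Constructed sample in /proc/self/mountinfo format: fields are
# mount-id parent-id major:minor root mount-point options [optional...] - fstype source super-opts
MOUNTINFO_SAMPLE = """\
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
22 21 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:2 - proc proc rw
"""


def parse_mountinfo(text: str) -> Set[Dev]:
    """Return the (major, minor) device number of every mounted file system."""
    devs: Set[Dev] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        m = re.fullmatch(r"(\d+):(\d+)", fields[2])
        if m:
            devs.add((int(m.group(1)), int(m.group(2))))
    return devs


def exe_device(pid: int) -> Optional[Dev]:
    """Device holding the binary behind /proc/<pid>/exe, or None if the
    process is gone or we may not read its exe link (root needed for others)."""
    try:
        st = os.stat(f"/proc/{pid}/exe")
    except (FileNotFoundError, PermissionError, ProcessLookupError):
        return None
    return (os.major(st.st_dev), os.minor(st.st_dev))


def find_detached_executables(
    pids: Iterable[int],
    mounted: Set[Dev],
    dev_of: Callable[[int], Optional[Dev]] = exe_device,
) -> Dict[int, Dev]:
    """Map pid -> device for every process whose executable sits on a device
    that is not in the mount table. dev_of is injectable so the logic can be
    exercised on constructed data."""
    hits: Dict[int, Dev] = {}
    for pid in pids:
        dev = dev_of(pid)
        if dev is not None and dev not in mounted:
            hits[pid] = dev
    return hits


def live_pids() -> List[int]:
    """All numeric entries of /proc, i.e. the running processes."""
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]


if __name__ == "__main__":
    with open("/proc/self/mountinfo") as f:
        mounted = parse_mountinfo(f.read())
    for pid, dev in sorted(find_detached_executables(live_pids(), mounted).items()):
        print(f"pid {pid}: executable on unmounted device {dev[0]}:{dev[1]}")
```

Run it as root on a suspect host; a hit means the binary's backing file system is still alive only because that process holds it open, which is exactly what a mount followed by umount -l leaves behind. Expect occasional noise from executables that live on internal kernel mounts that never appear in mountinfo (memfd-backed binaries, for instance), which are themselves worth a look.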

Fetching the SAM and System Files Without Shutting Down Windows

Via securitybydefault [Spanish]

The linked blog post explains how to fetch the SAM and System files from a Windows computer without shutting down the system.

Since both files are locked by other processes, they cannot be read. Therefore, the standard procedure would be shutting down Windows and running a live distribution to obtain a copy.

The article points to a talk given by Tim Tomes and Mark Baggett at Hack3rcon II, where they introduce a script they wrote to extract the files by creating Shadow Copies.