Archive for category Forensics

Bypassing the Kingston BlackBox DataTraveler

The other month my friend Travis Altman and I ran across an excellent paper published by SySS regarding cracking encrypted FIPS 140-2 SanDisk USB drives.  SySS has cracked a handful of USB drives and has released a good amount of research on multiple issues and manufacturers.

The paper does a great job detailing the product, including its strengths and of course its giant flaw.  My reverse engineering skills are fairly weak, so I am always itching to find something that looks like it might be cool to play with and help educate me, so I purchased an also-vulnerable Kingston BlackBox DataTraveler.  It supports all the normal things you would expect from an encrypted drive: 256-bit AES encryption, strong password enforcement and a reset of the drive if X incorrect attempts are made.  One thing I found odd was that SanDisk, Kingston and Verbatim all appear, for the most part, to use the same authentication/unlock software.  When I think about it, multiple vendors using roughly the same FIPS-certified software isn't that hard to understand, but at first it struck me as odd.  Either way, as the SySS paper lays it out, the user password is converted and MD5 hashed, and the first half of this hash serves as a key, combined with 32 bytes of data and encrypted using AES-256-ECB.  As the paper states, the big oops is that the same 32 bytes of data are always used when setting a new password, so the password decryption process must always produce these exact 32 bytes.  You can find or alter your 32 bytes of data with the following steps.

If you have autorun disabled you will need to run DTBB_Launcher.exe and set the initial password.  To make things easier, one of the first things you will need to do is make a copy of the temporary directory the software is extracted into.  It should be located under your user's Temp directory:

C:\Documents and Settings\rahl\Local Settings\Temp\{A12647A7-95A4-947c-90B0-45C455CBDE53}

After you make a copy of the directory you will need to jot down the command line arguments that ExmpSrv.exe (the authentication software) needs.  You can do this however you want ("wmic process list", Process Explorer or whatever); you should see something like:

“C:\Documents and Settings\rahl\Local Settings\Temp\{A12647A7-95A4-947c-90B0-45C455CBDE53}\55421912199014dd\V2SubFolder\ExmpSrv.exe” -cd=E -serial=55421912199014dd -firmware=S2

After that, close the Login window and you will notice that the temporary dir has cleaned itself up.  Now copy the contents of your copied dir into the left-over placeholder directory, open ExmpSrv.exe in OllyDbg and give it the arguments you jotted down earlier.

Now run it and the authentication window should pop up.

Now you need to place a breakpoint at the instruction that performs the decryption of the entered password and then reads the 32-byte result from memory.  For my version of the software this was 00453AB8 (the memcpy instruction).  I played with earlier revisions of the software and the instruction was located elsewhere.

Enter an incorrect password and press Login.  With the app now paused, pay attention to the stack window showing the location of the Unicode password, then open the Memory window at that range.  Now you need to find the correct spot in memory to adjust.  The way I found the exact point in memory I needed to alter was to find my 32 bytes using the correct password, “00000000 DC68D3B5 B1A54D8A 84682EFD 520DF24D CDF92B1E 00000000 00000000”, and note its location.  It should be near the final ASCII representation of your MD5 key, a large run of 0 bytes and, for me, a call to ntdll.7C94BAFC.  Now just inline edit the bytes to equal the proper 32 bytes “00000000 DC68D3B5 B1A54D8A 84682EFD 520DF24D CDF92B1E 00000000 00000000”, press Login and boom, you should be in.
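As an added example (not code from this post, and not the vendor's software), here is a small Python model of why a fixed verifier block makes this kind of unlock fragile, placed beside the key-wrapping design that avoids it.  It models only the shape of the scheme described at the top of the post: a password-derived key decrypts a stored blob and the drive unlocks if the result equals a constant 32 bytes.  An HMAC-SHA256 keystream stands in for AES so the example runs on the standard library alone, the verifier value is a constructed placeholder rather than the real one, and the UTF-16 conversion of the password is an assumption; the structural point does not depend on those details.

```python
"""Where the unlock decision lives: a verifier compare vs. key wrapping."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for the fixed 32-byte verifier.  The real value is not
# modelled; what matters is that the same bytes are expected on every unit.
FIXED_VERIFIER = bytes(range(32))

PBKDF2_ITERATIONS = 200_000


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher for this example only: XOR data with HMAC-SHA256(key,
    nonce || counter) blocks.  It stands in for AES so the example has no
    third-party dependency; do not use it as a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block_input = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# --- Weak design: the password only gates a host-side comparison -------------

def weak_key(password: str) -> bytes:
    # Unsalted hash of the (assumed UTF-16) password, as the post describes:
    # the same password gives the same key on every device.
    return hashlib.md5(password.encode("utf-16-le")).digest()


def weak_enroll(password: str) -> bytes:
    """Blob written at set-password time: the fixed verifier under the key."""
    return keystream_xor(weak_key(password), b"verifier", FIXED_VERIFIER)


def weak_unlock(password: str, blob: bytes) -> bool:
    """The whole unlock is this one boolean, computed in host software
    against a constant that is public.  Nothing secret is derived."""
    return keystream_xor(weak_key(password), b"verifier", blob) == FIXED_VERIFIER


# --- Hardened design: the password derives the key that protects the data ----

def hardened_enroll(password: str, secret_data: bytes) -> Dict[str, bytes]:
    """Per-device salt, slow KDF, random data-encryption key (DEK) wrapped
    under the password-derived key-encryption key (KEK) and authenticated."""
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    dek = os.urandom(32)
    wrapped_dek = keystream_xor(kek, b"wrap", dek)
    tag = hmac.new(kek, salt + wrapped_dek, hashlib.sha256).digest()
    nonce = os.urandom(12)
    return {
        "salt": salt,
        "wrapped_dek": wrapped_dek,
        "tag": tag,
        "nonce": nonce,
        "ciphertext": keystream_xor(dek, nonce, secret_data),
    }


def hardened_unlock(password: str, record: Dict[str, bytes],
                    check_tag: bool = True) -> Optional[bytes]:
    """Return the plaintext only if the password reproduces the KEK.
    check_tag=False models the integrity check being forced to pass: the
    unwrapped DEK is then wrong and the data stays unreadable, because the
    decision was never a bare boolean."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    expected = hmac.new(kek, record["salt"] + record["wrapped_dek"], hashlib.sha256).digest()
    if check_tag and not hmac.compare_digest(expected, record["tag"]):
        return None
    dek = keystream_xor(kek, b"wrap", record["wrapped_dek"])
    return keystream_xor(dek, record["nonce"], record["ciphertext"])


if __name__ == "__main__":
    data = b"contents the drive is supposed to protect"
    blob = weak_enroll("Tr0ub4dor&3")
    print("weak, right password :", weak_unlock("Tr0ub4dor&3", blob))
    print("weak, wrong password :", weak_unlock("guess", blob))
    rec = hardened_enroll("Tr0ub4dor&3", data)
    print("hardened, right pw   :", hardened_unlock("Tr0ub4dor&3", rec) == data)
    print("hardened, wrong pw   :", hardened_unlock("guess", rec))
    print("hardened, tag forced :", hardened_unlock("guess", rec, check_tag=False) == data)
```

In the weak design the outcome of weak_unlock is a bare boolean decided by host software against a public constant, which is exactly the value the debugger walkthrough above ends up controlling.  In the hardened design the password reproduces a key that is needed to unwrap the real data key, so forcing the integrity check to pass still leaves the data unreadable, and the per-device salt means two units set to the same password share nothing precomputable.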


Kludge 3.0

The other month I updated my remote information gathering script, Kludge, to include some extra features and redid the method by which it is deployed to the target machine.  Basically, I added some timeline creation reports and made it easier to deploy.

To run Kludge, download it from the link at the end of this post and unzip it.  There should be 3 files:

  • Run-Kludge.bat
  • kludge.zip
  • 7za.exe

Running the batch file should copy kludge.zip and 7za.exe over to the target machine, unzip kludge.zip to c:\windows\temp\analysis and then run another batch file that was unzipped.  Once the script is done, a zipped Report file will be copied back to the machine you initiated it from.

When you run the batch file from the command line or double-click Run-Kludge.bat, it should prompt you to answer some questions:

  • An Option Level (1 – 3)
  • An associated Ticket Number
  • The Analyst’s first name
  • Remote machine name/IP
  • Your Admin username
  • A local directory on your machine where the report should be saved (you can just use a period for the current directory)

It will prompt you for your password twice.  If you fat-finger the password and hit Enter then it is best to Ctrl+C it and start over.  It is not very forgiving.

The batch script performs the following actions:

  • copy kludge.zip to the target's c:\windows\temp
  • copy 7za.exe to the target's c:\windows\temp
  • create a process on the target using wmic to unzip kludge.zip to c:\windows\temp\analysis
  • wmic will then ask the analyst to enter their admin password
  • create a process on the target using wmic that executes a batch file starting the data collection
  • wmic will prompt again for a password
  • once the report file exists, the following steps happen:
  • a zipped-up Report file is copied from the target to your local machine
  • the extracted “analysis” folder, kludge.zip and 7za.exe are deleted from the target
  • if memory was captured, it is also copied over

An overview and the script can be downloaded from the links below
Kludge –> kludge-3.20110223.zip
Kludge Overview PDF – Kludge.pdf


Kludge – a simple analysis script

Kludge – Kludge-2.9.zip

Whenever I need to investigate a machine, whatever the reason (an AV alert, an IDS sensor alert, a user call-in or whatever), I like to use some standard, simple, repeatable steps. A while back, I put together a horribly coded batch script that is basically a wrapper to run a collection of different commands and tools that perform a handful of simple analysis steps. The script writes the results out into an awkward HTML report, and after that it's up to you to analyze the results. Of course these checks aren't fool-proof investigative steps and there are a million ways to thwart detection, but they are a decent start.

The script is broken down into a bat file and a vbs file, and depending on the level of analysis you want, you can choose how verbose the output is. I could probably make a better script, perhaps just one script using nothing but VBScript, but VBScript isn't my cup of tea. I tried to make the script as non-intrusive to the user as possible, so the user probably won't notice.

Script Features
Can be run remotely without user interaction/knowledge

Gathers System Information – environment variables, OS info, path, drive info, partition info, user accounts, scheduled tasks, logged on users, shares, USB Device History, Installed Hotfixes and Service Packs

Network info – TCP/UDP Connections, Cached DNS, IP and route info, firewall info, hosts file contents, NetBios Connections, NetBios over TCP Connections, Cache and Resolution, NetBios Session Information

Process Information – lists all running processes, list all processes using wsock32.dll, Startup Apps, Services, Dlls, Open Handles

File Information – dumps IE and FF browser history, outputs contents of the Program Files, Documents and Settings and Windows directories, searches for ADS files, md5 hashes of the Windows and Docs&Settings directories, outputs event logs, outputs Flash version, Acrobat versions, Java versions and lists the version used by the browser, Firefox version, outputs each user's recycle bin contents, copies all users' Flash cookies, outputs any unsigned executables in the sys32 directory

Registry Information – outputs installed BHOs, outputs a bunch of common reg keys, dumps HKLM, HKCU, HKCR, HKU, HKCC, copies Sam, Sam.log, Sam.sav, Security, Security.log, Security.sav, Software, Software.log, Software.sav, System, System.alt, System.log, System.sav, Default, Default.log, Default.sav, Userdiff, Userdiff.log, Ntuser.dat.log and each user's NTUSER.DAT.  Runs the RegRipper plugins against each hive file, runs RegSlack against each hive, outputs Regscan

AV – currently dumps McAfee logs and Symantec logs (XP and Vista), outputs quarantine folder contents, runs rootkit scans

Memory Analysis – dumps memory, dumps individual process memory, Virtual and Physical memory process analysis

Running the Script
There are two different ways to run the script:  the bat file is for running locally, the vbs file is for running remotely.  Whichever version you run, when the script is done it cleans itself up and zips up the report.  Output detail levels are the same whether you run remotely or locally.
The levels are the following:
  • 1 – short analysis
  • 2 – detailed analysis
  • 3 – detailed analysis that includes all checks, md5 hashes, ADS file output and full memory dumping along with individual process dumps.

Locally running the script
For local runs, use kludge.bat or use cscript to call kludge.vbs from the command line.
To run locally, unzip kludge.zip and place all the needed tools into a directory with kludge.bat/vbs.  Then, to run kludge.bat with a detail level of '2':
# kludge.bat 2

Remotely running the script
For running remotely use kludge.vbs. The kludge.vbs will suppress the output on the user's end, so the user will be unaware.
When you run the script you can use the following syntax, where '2' is the detail level.

kludge.vbs 2

To run remotely:
# As Admin, go to \\RemoteMachine\c$
# Copy the kludge folder containing all the tools and the 2 scripts to the remote machine (for example to c:\)
# Then, as an Admin, open a Command Prompt on your machine
# Change directories to wherever you keep psexec.exe and run the following, picking 1, 2 or 3 for your output detail level

 psexec.exe \\RemoteMachine -u domain\AdminUserName -w c:\kludge cmd.exe /c c:\kludge\kludge.vbs 2

# Then copy the report to your machine

I also added a couple of extra arguments in case you want to keep track of which machines you have run the script against and determine whether you have run it before against the same machine. To do this you could set up a share somewhere on the network and create a csv file on the share, then execute the script like the following:

 psexec.exe \\RemoteMachine -u domain\AdminUserName -w c:\kludge cmd.exe /c c:\kludge\kludge.vbs 3 123456 nick

Where '3' is the detail level, “123456” could be a ticket number and “nick” is the analyst's name. This info could be written to the csv file on the remote share, and you could have the script search the csv file for any previous occurrences involving this machine and report on them.
I did not add the needed code for the csv write/read to kludge.bat since not everyone will use this, so to take advantage of it, edit the bat file and add something like this near the top:

rem Previous runs against this machine, pulled from the shared csv (%2 = ticket number, %3 = analyst name)
echo ^Analysis Ran last on^ >> Report-%COMPUTERNAME%.html
echo ^ >> Report-%COMPUTERNAME%.html
grep %computername% \\192.168.1.1\Reports\reports.csv >> Report-%COMPUTERNAME%.html
rem Record this run both in the report and in the shared csv
echo %computername%,%date%,%2,%3 >> Report-%COMPUTERNAME%.html
echo %computername%,%date%,%2,%3 >> \\192.168.1.1\Reports\reports.csv
echo ^ >> Report-%COMPUTERNAME%.html
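As an added example (not part of the post and not Kludge's own code), here is how the "have we run against this machine before" lookup can be done by field rather than with a grep over the whole line: grep %computername% also matches PC10 when the machine is PC1, and the match is case-sensitive while Windows hostnames are not.  The csv layout (computername,date,ticket,analyst) is the one the batch snippet above writes; the sample contents and the text-in/text-out interface are constructed for the example.

```python
"""Field-wise lookup and append for the shared Kludge reports.csv."""
import csv
import io
from typing import Dict, List

# Constructed sample of a reports.csv as the batch snippet writes it
# (%date% on a US-locale XP box looks like "Mon 02/21/2011").
SAMPLE_CSV = (
    "PC1,Mon 02/21/2011,123456,nick\n"
    "PC10,Tue 02/22/2011,123457,nick\n"
    "pc1,Wed 02/23/2011,123460,travis\n"
    "FILESRV,Wed 02/23/2011,123461,nick\n"
)

FIELDS = ["computername", "date", "ticket", "analyst"]


def previous_runs(csv_text: str, computername: str) -> List[Dict[str, str]]:
    """Rows whose first field equals computername, case-insensitively.
    A grep for PC1 would also return the PC10 row; this does not."""
    rows = csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS)
    wanted = computername.strip().lower()
    return [row for row in rows
            if (row["computername"] or "").strip().lower() == wanted]


def append_run(csv_text: str, computername: str, date: str,
               ticket: str, analyst: str) -> str:
    """Return csv_text with one new record appended (fields quoted if needed)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([computername, date, ticket, analyst])
    return csv_text + buf.getvalue()


def last_run_summary(csv_text: str, computername: str) -> str:
    """One line for the HTML report: how often and when this box was last looked at."""
    runs = previous_runs(csv_text, computername)
    if not runs:
        return f"{computername}: no previous Kludge runs recorded"
    last = runs[-1]
    return (f"{computername}: {len(runs)} previous run(s); last on {last['date']} "
            f"(ticket {last['ticket']}, analyst {last['analyst']})")


if __name__ == "__main__":
    print(last_run_summary(SAMPLE_CSV, "PC1"))
    print(last_run_summary(SAMPLE_CSV, "PC2"))
    updated = append_run(SAMPLE_CSV, "PC2", "Thu 02/24/2011", "123470", "nick")
    print(last_run_summary(updated, "PC2"))
```

On the analyst's box this would read and rewrite the same reports.csv on the share that the batch snippet appends to; the functions take and return text so the file handling stays outside them.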

Getting the tools
In order to run the script you will need to download some tools, and since I can't distribute them, here are the links.
Kludge – Kludge-2.9.zip
Listdlls.exe – http://technet.microsoft.com/en-us/sysinternals/bb896656.aspx
handle.exe – http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Psinfo.exe – http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx
psloggedon.exe – http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx
streams.exe – http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
tcpvcon.exe – http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
vmmap.exe – http://technet.microsoft.com/en-us/sysinternals/dd535533.aspx
autorunsc.exe – http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
SigCheck.exe – http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
procdump.exe – http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

7za.exe – 7-Zip command line version – http://www.7-zip.org/download.html
grep.exe, uniq.exe, cut.exe – http://sourceforge.net/projects/unxutils/
md5deep.exe – http://md5deep.sourceforge.net/
mdd.exe – physical memory acquisition tool – http://sourceforge.net/projects/mdd/files/
mbr.exe – GMER MBR rootkit scanner – http://www2.gmer.net/mbr/
sarcli.dll, sar1.dll, sar2.dll, sar3.dll, sar4.dll, sar5.dll, sar6.dll, MEMSWEEP.sys, helper.exe – Sophos sarcli.exe – http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
catchme.exe – rootkit/stealth malware scanner – http://www2.gmer.net/catchme.htm
rifiuti.exe, cygwin1.dll – http://www.foundstone.com/us/resources/proddesc/rifiuti.htm
rip.exe, regscan.exe, regslack.exe, p2x588.dll and the plugins directory from RegRipper – http://www.regripper.net/
HoboCopy.exe – http://sourceforge.net/projects/wangdera/files/HoboCopy/

I was asked to use some Windows binaries from a trusted source in case the machine I am analyzing has tainted exes, so I set the script to call the following from the same folder as the script. You will need to copy the following exes into that folder, or simply edit the script and remove the .\ from each command.

Arp.exe – native Windows command. Copy the binary from trusted box
At.exe – native Windows command. Copy the binary from trusted box
ipconfig.exe – native Windows command. Copy the binary from trusted box
nbtstat.exe – native Windows command. Copy the binary from trusted box
net.exe – native Windows command. Copy the binary from trusted box
netsh.exe – native Windows command. Copy the binary from trusted box
netstat.exe – native Windows command. Copy the binary from trusted box
route.exe – native Windows command. Copy the binary from trusted box
schtasks.exe – native Windows command. Copy the binary from trusted box

Please let me know if you have any suggestions, issues, modifications and/or comments.
