The reviewers at Black Hat have notified me that my submission has been accepted and I will be speaking at BlackHat USA 2011 in Las Vegas this year. As you can imagine, I’m thrilled, as I was not able to attend BlackHat or Defcon last year. I’m looking forward to being there as a speaker this time, interacting with all the great folks I met two years ago there, and anyone new I meet.

The title of my talk is “Covert Post-Exploitation Forensics With Metasploit”, which will be accompanied by the release of a set of meterpreter scripts and a white-paper that details how they can be used. The abstract of my work has been posted on the Briefings page at the USA 2011 site:

In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). These scenarios imply that the “subject” (the one in possession of the media) is aware of the fact that their data has been seized or subject to remote access. While penetration testing tools allow for surface-level access to the target filesystem, there is a lot of potential data that is being missed in unallocated space that could be accessed by file system forensic tools such as The Sleuth Kit.

 

In this presentation, Wesley will present a new set of tools that will allow forensic examiners and pentesters alike to image remote filesystems of compromised systems, or perform examinations directly on remote filesystems with forensic tools on the attacking machine by mapping remote drives to local block devices. This is the integration of Metasploit with a large body of existing digital forensic tools.

The associated scripts and more information will be released with the conference proceedings, and here on this site at the time of my talk (probably also a coordinated release into the Metasploit trunk, but I haven’t talked to those guys about it yet).

At this point, you’ll have to take my word for it, but I assure you this isn’t a typical “Yet Another Metasploit Talk”. I would hope that the submission reviewers at Black Hat would not have accepted it if they felt this was the case. What I’m demonstrating is a way to use a whole suite of useful and mature tools in a penetration test (or other scenario) through Metasploit.

Assuming I’m not scheduled to present at the same time as Barnaby Jack, Dan Kaminsky, or the like, I’d definitely recommend showing up, as I think it’ll be a very fun talk and demonstration. See you at Caesars Palace!

 

Tim Medin, over at the excellent Packetstan blog, just wrote up an excellent post detailing the implementation of a NBNS spoofing module which has been added to the latest Metasploit trunk:

This module is based off an old tool, nbnspoof.py, that I wrote to perform this attack, originally described (as nearly as I can tell) by Sumit Siddharth. It’s a very simple attack, taking advantage of the way Windows proceeds to NetBIOS Name Service lookups once local and DNS lookups fail. If you’ve ever turned a careful eye to broadcast traffic on any network with Windows systems, you’ve probably noticed that a surprising number of lookups fail through to NBNS for various reasons.

Tim does a great job of describing how the spoofing works, how to use it in the context of a penetration test, and how the module was developed. Due to its integration into the current version of the Metasploit framework, I’d have to say that I recommend it over the original python version. Maybe one day soon I’ll one-up him and try to turn it into a meterpreter post-exploitation script, in order to hijack remote hosts into being spoofers ;-) .

Until then, and in related news, I’ve submitted a talk on some other forms of Metasploit sorcery that I have developed recently to Defcon (and tomorrow to Blackhat once the CFP opens). With any luck I’ll be speaking at one or the other later this year. Either way, I’ll see some of my readers there, hopefully!
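The NBNS fall-through described in the quoted passage, looked at from the defender's side. This is an added example, not code from the Packetstan post, nbnspoof.py or the Metasploit module: it builds and parses RFC 1002 NBNS datagrams (first-level name encoding, a query and an NB answer record) and then runs two detection heuristics over a constructed capture: answers that match no outstanding query, and a single host answering for more than one name. The packet layout follows RFC 1002; the heuristics, thresholds and sample traffic are assumptions of this example.

```python
import struct

def nbname(name, suffix=0x00):
    """RFC 1002 first-level encoding: 15-char space-padded name + suffix, each nibble offset by 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes([32]) + bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 15))) + b"\x00"

def decode_name(pkt, off):
    n, enc = pkt[off], pkt[off + 1:off + 1 + pkt[off]]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, n, 2))
    return raw[:15].decode("ascii").rstrip(), off + n + 2          # skip length byte and terminator

def query(tid, name):               # flags 0x0110: query, recursion desired, broadcast
    return struct.pack(">HHHHHH", tid, 0x0110, 1, 0, 0, 0) + nbname(name) + struct.pack(">HH", 0x20, 1)

def answer(tid, name, ip):          # flags 0x8500: response, authoritative; one NB (0x20) record
    rdata = b"\x00\x00" + bytes(int(o) for o in ip.split("."))      # NB_FLAGS + NB_ADDRESS
    return (struct.pack(">HHHHHH", tid, 0x8500, 0, 1, 0, 0) + nbname(name)
            + struct.pack(">HHIH", 0x20, 1, 300000, len(rdata)) + rdata)

def parse_nbns(pkt):
    tid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    msg, off = {"tid": tid, "response": bool(flags & 0x8000), "name": None, "addrs": []}, 12
    for _ in range(qd):
        msg["name"], off = decode_name(pkt, off)
        off += 4                                        # QTYPE, QCLASS
    for _ in range(an):
        msg["name"], off = decode_name(pkt, off)
        rdlen = struct.unpack(">H", pkt[off + 8:off + 10])[0]       # after TYPE, CLASS, TTL
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        for i in range(0, rdlen, 6):                    # NB_FLAGS(2) + NB_ADDRESS(4) per entry
            msg["addrs"].append(".".join(str(b) for b in rdata[i + 2:i + 6]))
    return msg

def find_suspect_responders(packets, max_names=1):
    """packets: (src_ip, raw NBNS datagram) pairs in capture order. Flags answers with no matching
    outstanding query, and any host that answers for more than max_names distinct names (heuristic)."""
    pending, answered, alerts = set(), {}, []
    for src, raw in packets:
        m = parse_nbns(raw)
        if not m["response"]:
            pending.add((m["tid"], m["name"]))
            continue
        if (m["tid"], m["name"]) not in pending:
            alerts.append(f"unsolicited answer for {m['name']} from {src}")
        answered.setdefault(src, set()).add(m["name"])
    for src, names in sorted(answered.items()):
        if len(names) > max_names:
            alerts.append(f"{src} answers for {len(names)} names: {sorted(names)}")
    return alerts

# Constructed sample traffic: 10.0.0.20 answers for its own name; 10.0.0.66 answers a misspelled
# name that fell through from DNS, a second name, and one name that nobody queried at all.
SAMPLE = [("10.0.0.10", query(0x1234, "FILESRV")), ("10.0.0.20", answer(0x1234, "FILESRV", "10.0.0.20")),
          ("10.0.0.11", query(0x1235, "FILESVR")), ("10.0.0.66", answer(0x1235, "FILESVR", "10.0.0.66")),
          ("10.0.0.12", query(0x1236, "PRNTSRV")), ("10.0.0.66", answer(0x1236, "PRNTSRV", "10.0.0.66")),
          ("10.0.0.66", answer(0x9999, "INTRANET", "10.0.0.66"))]
```

Hosts normally answer only for their own registered names, so the per-responder threshold is a heuristic; a WINS server legitimately answers for many names and should be excluded before running this over a real capture.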

 

EDIT: I have found some clarification about the “controller cards”, seemingly confirming what I have posted, and have added thoughts to the end of this post.

Today, on the Wired Threat Level blog, there is a story that covers Sony’s allegations that George Hotz (“geohot”), who they are suing for DMCA violations involving a PlayStation 3 jailbreak, sabotaged hard drives provided for discovery, and skipped town.

Skipping town to South America is not in my area of expertise, so I’m not commenting on whether or not that is happening, but forensic acquisition and analysis of hard drives happens to be my current bread-and-butter. The Wired article states that, regarding the hard drives, Sony claims that Hotz provided the hard drives in a non-functional state. This includes a link to a PDF from the case’s filings which includes the exact wording of Sony’s complaint on page 22:

Despite Judge Spero’s orders, Hotz continues to frustrate all attempts to complete jurisdictional discovery.  In yet another attempt to avoid his deposition and a limited inspection of his impounded hard drives, on March 17, 2011, Hotz filed a motion for protective order on issues already decided by Judge Spero.  (Docket No. 100.)  On the same day, TIG discovered that prior to delivery, Hotz had removed integral components from his impounded hard drives, rendering them completely non-functional.  Bricker Decl., ¶21, Exh. S.  When SCEA echoed TIG’s request that the components of the hard drives be delivered immediately, Hotz’s counsel responded that Hotz was in South America.

Hotz’s attorney’s quote to Wired in response to this was the following:

They didn’t have the controller card attached. That’s it

The attorney, I assume, does not have an extensive technical background, and likely gave this comment off the cuff (or as “off the cuff” as any attorney will allow themselves to be). Therefore, this is going to take some interpretation. The first question is what is meant by “controller card”. When it comes to hard drives, two things come to my mind:

  • The interface between the chipset of the motherboard and the hard drive. For most motherboards the SATA or IDE interface is integrated into the board. If it’s an older computer that an end-user has added a SATA drive to, a SATA “controller card”, in the literal “card” sense, may be slotted into the motherboard to interface with the newer drive.
  • The circuit board attached to the drive that handles ATA communications on one side, and interacts with the drive’s electrical and mechanical internals on the other side. To illustrate, it’s the part facing the camera in this image:

The Underside of a Hard Drive

The latter is what I assume is meant, for the following reasons:

  • It’s something that could be removed from a drive, as the filing states
  • Controller cards in the sense of a slotted card on a motherboard aren’t very common right now. Most computers have the interface they need on the motherboard.
  • Even if it was a SATA, IDE, or even SCSI controller card meant to be slotted into a motherboard, not providing this card would not render the drive unreadable to a well-outfitted forensics lab that TIG (the third party forensic examiner Sony is using) would have.

Now, I do not support Sony’s lawsuit against George Hotz, but it seems to me that if he did remove those controller boards from the drives, this is a case of needlessly antagonizing the opposing counsel, examiners, and the judge. I really don’t think it’s a good idea to intentionally do this when providing evidence under a court order.

Those boards don’t just fall off, and the absence of them is not something that is as easy to overcome as Hotz’s attorney implies. To read a drive that has had this board removed, you would need an identical board. Those who do data recovery in cases where this board has been damaged know that extreme care needs to be taken in finding a replacement. Even drives of the same model and capacity can have different revisions of these boards, and it’s crucial to get a match. Even a forensics firm such as TIG is not likely to maintain a stockpile of various controller boards from drives, as it would be prohibitively expensive to buy and file “one of everything”. The absence of the board (not just the failure of it) makes it even more difficult, as it may or may not be possible to determine the right revision of the board to use to replace it, without the original to compare.

While I disagree with the basis of the lawsuit and support the opening of electronic devices (all of my and my spouse’s Apple iPods, iPhones, and iPads are jailbroken), if this is the method being used to stall the plaintiff and case progress, I see that as being in bad form for Hotz, and a bigger issue than his attorney lets on. Hopefully not. Don’t make it hard for me to like you, geohot! Take the high road.

EDIT: I found the exhibit with the discussion of the missing hard drive parts at Groklaw:

This pretty much confirms the above with the following quotes from an examiner at TIG:

This controller card is installed at the factory and not normally removed or handled by an end user.

We took the drives out of our evidence locker and the evidence bag to image them in their current encrypted state as stated in the order and agreed to on our phone call yesterday. We have determined that the controller cards which are screwed onto the hard drives were removed prior to them being given to us. Therefore we are unable to operate the hard drives in their current state. Keep in mind that we need two days to image these drives as we have to image two 1TB drives.

It’s difficult to imagine a reason Hotz would have had to remove the circuit boards from the drives he was ordered to turn over. It will be very interesting to see why he did this. From my position, I can’t see this as being productive for anything other than antagonizing the opposing party and, more importantly, the judge.

 

Jesse William McGraw, who pleaded guilty to two counts of transmitting malicious code to systems at the hospital at which he worked (including a SCADA HVAC system’s HMI), was sentenced yesterday at the U.S. District Court for Northern Texas to 110 months of custody, followed by three years of supervised release. He has also been ordered to pay restitution in the amount of $31,881.75. This is according to the latest filing on his case on PACER:

He was facing a maximum of 10 years per count, which is higher than the usual 5 years per count due to the threat to public health and safety. At one point in the case last year, he had signed a plea agreement stating that he would plead guilty in exchange for a maximum sentence of 6 years. This fell through, however, when he reneged on the deal by pleading innocent on his next appearance in court. He was then re-indicted for 14 counts, which were dropped after he agreed to (and did) plead guilty to the original two counts, outside the scope of any agreement.

On a personal note, I feel that this is a fair sentence considering the circumstances. His actions jeopardized the safety of innocent people and attempted to destroy evidence and hinder the investigation after he was taken into custody. Even after he finally pleaded guilty, he continued to blame everyone but himself, as you can see in his “cross-site scripting tunneling” story he posted, or had someone post for him, from prison three months ago.  I originally felt very sorry for him, though it’s hard to have any sympathy for someone that has continually acted against his own best interests as long as he has.

The rest of the “Electronik Tribulation Army” have gone relatively quiet. Maybe this will be a wakeup call for them to get out of this game.

UPDATE: A good post on this from the folks at the Dallas Observer:

If you’re new to the site, these are the previous posts this is a followup to:

 

We currently have a job opening at the National Forensics Training Center for a full-time instructor/research associate.  This is at our Jackson, MS location (the Cyber Crime Fusion Center), which is about 2 hours away from the Starkville location where I work.  You would be responsible for managing our lab at the Jackson location, conducting our training classes, and working closely with us on developing new material.

I’m advertising this here, as I imagine some of the readers of this website have the interest and experience that would make for a candidate that we’d really like to work with.

You can find more information about the job and how to apply over at the NFTC site here:

 

Yesterday, with only hours to go, COPE and the Hash Puppies came to an agreement: The Hash Puppies gave COPE all of the flags that they had captured that COPE didn’t already have, bringing COPE into a solid first place. In return, COPE gave the Hash Puppies enough assistance to secure second place. At first, I was skeptical that COPE would give the Hash Puppies good value for their trade, but it looks like it turned out well for both teams, to the dismay of SwaffleU, who held the lead prior to the deal.

The final scores are as follows:

  1. COPE – 30
  2. Hash Puppies – 27 (with a last submission time minutes prior to SwaffleU’s)
  3. SwaffleU – 27
  4. Wesley’s Unkempt Beard – 18
  5. BitBangers – 11
  6. Team 4 – 9

The game really came down to the wire, with the tie for second broken by time-of-last-submission.  This was probably the most competitive semester of CTF yet.

I had a blast running the game, and I hope that all of the participants had a good time too.  If you participated this semester, please email in any scripts/tools/notes that you wrote during the process of the game, so that we can review them in our post-mortem.  I already have copies of many of them, but I’d like to make sure that I have the final versions you had at the end of the game.

 

This is the last day of CTF for this semester.  At 3:30 PM, it’s all over but the crying.  We’ll have a countdown, likely set to “Eye of the Tiger”.

Yesterday when I arrived to make sure the VMs were still up and running, no teams were in the room. I was feeling a bit mean, so I took this as an opportunity to power-cycle all of the attacker workstations in order to see how their scripts deal with a power blink. I also used this moment as a chance to grab scripts and random files left lying around on the various workstations, locked and unlocked. If you’re in the area, look forward to an upcoming talk: “Found Files of MSU CTF”.

SwaffleU has taken the lead, though COPE and Hash Puppies are not far behind.  It’s likely that one of the lower-ranked teams is quietly waiting for the last moments, as well.  The scores, as of 9AM:

  1. SwaffleU – 24
  2. COPE – 23
  3. Hash Puppies – 19
  4. Wesley’s Unkempt Beard – 9
  5. Team 4 – 8
  6. BitBangers – 7
 

I left early last night to have dinner and watch the new Harry Potter movie, so I neglected to post an update yesterday evening.  I normally make 8AM posts, but this is a Saturday, so you’ll just have to make do with an 11AM update.

COPE have taken the lead with 18 flags, and this represents the first time since the beginning of the game that the Hash Puppies have lost the lead.  I offered them the opportunity to post a flag before this update in order to take the lead back, but they declined.  The Hash Puppies seem to be quite happy in second place.

The best computer that I have seen in the competition so far is this 486, 66 MHz beast that a member of COPE set up:

It:

  • is missing a panel or two
  • has no branding whatsoever (the sticker on the bottom helpfully suggests that it’s a “Notebook Computer”)
  • has a broken keyboard (you can see the edge of the keyboard that’s plugged in on the left)
  • reports itself in some ancient version of Linux as having about 18 and a half megs of RAM (what?)

The current scores are:

  1. COPE – 18 (Last submission 8 hours and 22 minutes ahead of the Hash Puppies)
  2. Hash Puppies – 18
  3. SwaffleU – 10
  4. team4 – 8
  5. BitBangers – 7
  6. Wesley’s Unkempt Beard (previously known as Team 2) – 2

Flag: 4cbd40766a

 

Last night, while my wife had a girl’s night out with some friends, I had the opportunity to hang out in the lab and observe CTF until nearly 10 PM.  Teams were busy in the lab, hacking away the entire time, and I hear that even after I left, there were people in there at 1 AM, and possibly later.  The scores have moved a bit:

  1. Hash Puppies – 15
  2. COPE – 10
  3. SwaffleU – 6
  4. Team 4 – 3
  5. BitBangers – 2
  6. Team 2 – 1

Teams discuss strategy for holding onto flag submissions until the last minute, but often it’s too much to bear to see your team fall down in the current rankings.  A few points placed on the board by one team will often result in points posted by other teams.  I suppose they want to look good on the blog updates ;) .

 

Today has seen a lot of activity from SwaffleU, the Hash Puppies, and COPE (previously known as Team 5), though not a lot of movement in the points.  It remains to be seen how many of those 13 points the Hash Puppies put on the board were sniffed off the wire by other teams that are waiting for a safer opportunity to submit.  The scores, as of 5PM:

  1. Hash Puppies – 13
  2. COPE (formerly Team 5) – 6
  3. Team 4 – 3  (last submission time 1’27″ before SwaffleU)
  4. SwaffleU – 3
  5. BitBangers – 2
  6. Team 2 – 1

On the scoring server, I can see the table of submissions, and can verify that most of the flags submitted represent the “low hanging fruit” of the game.  It’s definitely the right thing to do, to go after these first, since the points are equal for all flags regardless of difficulty.  Hopefully soon though, we’ll see the teams get around to some of the more challenging flags.

Next update will be around 8AM tomorrow morning, or later tonight if something interesting happens.

© 2012 McGrew Security Suffusion theme by Sayontan Sinha