Tuesday, 25 March 2014

Brute Forcing...With Precision!


ATTACK OF THE PERMUTATION!

Today we're going to be looking at brute forcing. Why would we need to brute force? Well, let's pretend that we have examined a suspect's machine and found a *.rar file which a user has created but refused to give up the password. The file may contain indecent images and we need to get that rar file open and see what the suspect was hiding, or on the flipside, our client forgot the password and is being accused of IP theft, so we need to get this file cracked and prove his innocence.

Normally, you would use a program like JTR, Hydra etc., get hold of a wordlist (which could be 50 GB+) and leave your computer to brute force the password. The thing is, having 50 GB wordlists isn't always practical: it takes a long time and the password may not even be in there. The latter is still an issue, as no wordlist can promise to give you the password, but what you can do is use RSMangler to make your wordlist more targeted and specific.

RSMangler was, I believe, written by Robin Wood (aka DigiNinja) for security company Random Storm. What RSMangler does, is create a wordlist based on words that you provide. So, in order to speed up the process, if you fire up Kali Linux and download my shell script here - I've automated some of the process for you.

Download my shell script above and fire up your terminal. Run 'chmod a+x getRSM' (without quotes) and then 'sh getRSM'. Your screen should look something like the one below:


then:



The script will download and unpack RSMangler for you. CD into the RSMangler folder and type in: 'nano si.txt' (call the text file whatever you wish). Type in around 4 words, each on a separate line, that are related to the person in question.



Hit Ctrl+O and then Enter to save your work, then Ctrl+X to exit nano. So now, inside your rsmangler folder, you should have the txt file you have just created. Now for the fun part!

As rsmangler is written in Ruby, you'll need to type in the following: 'ruby rsmangler.rb --file si.txt > siDictionary.txt'

Essentially, what you're doing here is calling the ruby script to look at the --file si.txt, which we created earlier and redirect the output to siDictionary.txt. Give it a short while to generate all the combinations, and once done, you can open the file (if you have a slower PC, be wary of this, as it may crash or hang). See screenshot below:



So there you have it! Within just a few short, simple steps, you have created a wordlist which can be used for a permutation attack, which is essentially brute forcing with (potentially) more accurate passwords.

RSMangler does support switches and, unfortunately, they are all on by default. This means you have to turn a switch off if you don't want that particular mangling rule applied. So for example, you could use:

ruby rsmangler.rb --capital --ing --leet --upper --ed --perms --file si.txt > siDictionary.txt

Bear in mind your word list will dramatically vary in size depending on how many switches you do or don't use.
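As an added illustration (my own Ruby, not RSMangler's code), here is a cut-down mangler that applies the same kinds of rules the switches above name (perms, capital, upper, leet, ing, ed) to a seed list, so you can see how fast a handful of words grows, plus a helper that checks whether a chosen password is just one of those mangled forms, which is a handy password-policy check. The option names and the leet mapping are my assumptions, not RSMangler's.

```ruby
require 'set'

# Assumed leet substitutions; RSMangler's own table may differ.
LEET = { 'a' => '4', 'e' => '3', 'i' => '1', 'o' => '0', 's' => '5', 't' => '7' }.freeze

# Build the candidate set from a few seed words. Each keyword switches one
# mangling rule on or off (all on by default, mirroring the tool's behaviour).
def mangle(words, perms: true, capital: true, upper: true, leet: true,
           ing: true, ed: true, max_perm: 2)
  seeds = words.map { |w| w.strip.downcase }.reject(&:empty?).uniq
  base = Set.new(seeds)

  # perms: concatenate seeds in every order, up to max_perm words long.
  if perms
    (2..max_perm).each do |n|
      seeds.permutation(n) { |combo| base << combo.join }
    end
  end

  out = Set.new
  base.each do |w|
    out << w
    out << w.capitalize if capital      # simon   -> Simon
    out << w.upcase if upper            # simon   -> SIMON
    out << w.gsub(/[aeiost]/, LEET) if leet  # simon -> 51m0n
    out << "#{w}ing" if ing             # simon   -> simoning
    out << "#{w}ed" if ed               # simon   -> simoned
  end
  out
end

# Defender's use: reject a password that is merely a mangled form of
# personal words (name, pet, town...) an attacker could easily guess.
def derived_from?(password, words, **opts)
  mangle(words, **opts).include?(password)
end

if __FILE__ == $PROGRAM_NAME
  seeds = %w[simon dog]   # constructed sample seed words
  puts "#{seeds.size} seeds -> #{mangle(seeds).size} candidates"
  puts "Dogsimon derived? #{derived_from?('Dogsimon', seeds)}"
end
```

Each rule roughly multiplies the list, so four seed words with two-word permutations and six rules already give over a hundred candidates before anything like years or punctuation is added.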

You can find RSMangler's source code here.
You can find the full list of switches at RandomStorm's website by clicking here.


Thanks for reading! I take no responsibility for how you use (or mis-use) this information! Please put your white-hat on :)

Saturday, 15 March 2014

How I Spent My Friday Night - 0x80070490

Whilst most people are gearing up for a night on the town; ladies putting on thick make-up in an attempt to impress men who have gone overboard with cologne, ordering taxis, laughing and joking - I wasn't partaking in any of those events, instead, I was sat indoors hunched over my new laptop like the geek I am.

I'd just purchased an HP Pavilion 15-n098ea laptop with Windows 8 pre-installed. Of course, having used Windows 8, I was eager to move to Windows 8.1 for the (few) benefits it brings. I was getting an error when I was trying to update apps: 0x80070490. After a bit of searching, I landed on the following Microsoft support/knowledge-base page: http://support.microsoft.com/kb/958044

According to Microsoft, this error is shown when "the Component-Based Servicing (CBS) manifest is corrupted." After scratching my head and wondering what exactly the CBS manifest is, I looked around for some more info. I had websites telling me that they had experienced that particular error message when "the hard drive is on the way out". But it's a new laptop!!! Well, there's something I didn't admit earlier. It's not a 'new' laptop - it's a refurb. Underneath the laptop there is a sticker which says: 'This laptop is a refurb, it may contain used parts'. Great...

Click here for more info about manifest files. Essentially, manifest files are XML files which contain instructions and tell Windows what to do. The CBS or Component-Based Servicing manifest is a set of files that is required for Windows to be serviced, or as it's better known - updated. You can read more about the CBS at Microsoft's TechNet website by clicking here. So ultimately, I found out that Windows Vista, Server 2008 and newer OSes use CBS manifests to update files.

For those who may not know, automatic updates are recorded in the following location: "C:\Windows\SoftwareDistribution\Download" - This meant that in theory, I could go to that location, delete all references and begin the automatic updates again. (Please research before deleting the contents of this folder, some people suggest you leave it alone.) No luck.
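As an added example (not from the original post), the same cache reset done the cautious way: stop the update service, rename the Download folder instead of deleting it so it can be put back if nothing improves, then restart the service. It assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example: reset the Windows Update download cache without deleting anything.
# Assumption: run from an elevated (administrator) PowerShell prompt.
$download = 'C:\Windows\SoftwareDistribution\Download'
$newName  = "Download.old_$(Get-Date -Format 'yyyyMMdd_HHmmss')"

# The Windows Update service (wuauserv) holds the folder open, so stop it first.
Stop-Service -Name wuauserv -Force

# Rename rather than delete: if the update still fails, rename it back.
if (Test-Path $download) {
    Rename-Item -Path $download -NewName $newName
}

# On restart the service recreates an empty Download folder on the next update check.
Start-Service -Name wuauserv
Write-Host "Download cache moved to $newName; re-run Windows Update to check for updates."
```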

By pure coincidence, I found that the action centre in Windows 8.1 (and maybe 8, I don't know) has a Troubleshooting section which specifically says: "Fix problems with Windows Update". It's almost as if they know you will have problems, isn't it? :-) Well I ran the troubleshooter and it did confirm that the CBS Manifest was corrupt. By now, I'd spent 1-2 hours reading and working on it - I was getting pretty bored. The troubleshooter said it had fixed the issue, but the problem remained: I couldn't download updates.

There is an option in Windows 8.1 under the Restore settings called "Refresh your PC without affecting your files". It was a last resort, but from what I could gather, I had exhausted most options I had. I opted for the refresh and after about 30 mins, I was faced with a brand new installation of Windows 8. Automatic updates finally worked and at the time of writing, I am using Windows 8.1 with all the latest updates.

TLDR: Windows update was broken due to an error involving the CBS Manifest file. After many attempts to fix it, the only thing that ended up working was a 'refresh' (re-install) of Windows 8. Updates now download fine.

So, that was Friday night for me. I hope yours went better than mine did.

Sunday, 2 March 2014

Future Projects...


Windows Phone 8 Forensics



Having spent the last 6-12 months developing forensic software in Python, I'm due to present the near-completed product in the coming months and after graduation, I will be looking to take on a new project. I wanted to do something that nobody has really looked at yet, or at least something that few people have looked at.

With smartphones becoming the 'must-have' item of recent years, I wanted to look at mobile phone forensics, the obvious choice being an Android or iOS device. The problem with Android and iOS is that they have been out for a long time, people have researched them and people have released books about them.

But what about Windows Phone 8? The market share isn't as good as Android or iOS devices, but it won't be, it's a relatively new mobile OS and it's based on Windows 8, so in theory, it should be similar to analysing a Windows desktop OS. I'm pretty certain that Windows Phone 8 must have been analysed by somebody, so in order to make the research more obscure, what about if the phone was wiped remotely before a forensic examination was performed?

Like Android and iOS, Windows Phone has the ability to remotely wipe the device, lock the device and ring the device. What I want to know is: how secure is the wipe? Would someone determined be able to recover any data? What data remains on the device, if any? There are quite a few questions I have before attempting the project and I'm sure more questions would arise as the project begins.

If you can think of any projects, or questions you have about Windows Phone forensics, let me know in the comment section below.

Thanks for reading.