Thursday, 29 May 2014

How To Use SOPIA Suite



DuFF - Duplicate File Finder

FiBS - File Investigation Bite-size

SHIFT - Simon's Hash Info Finder Tool

SPIES - Simon's Portable iPhone Exif-extraction Software

SOPIA Suite Overview

An overview of SOPIA Suite

You can download/contribute to SOPIA Suite here

Wednesday, 28 May 2014

iPhone Backup Forensics - Manifest.mbdb



When I think of iPhones, I remember my own iPhone 3G, 3GS and 4, and whilst I didn't own a 5C or 5S, my girlfriend and my sister owned them respectively, so I have used them. I've used iPads and MacBooks and I understand why people love iPhones - so do I. I think they're much better phones than Androids; however, when you need to do forensics on an iPhone backup, it's slightly time consuming.

As ever, I like to speed up processes. I like scripting, I like automation, and iPhone backup forensics is crying out for some sort of automation. But fear not! It exists! First, though, let me tell you why it's needed. An iPhone backup is stored in the following locations:


  • Windows XP: %HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\{UDID}
  • Windows Vista/7/8: %HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\{UDID} or %APPDATA%\Apple Computer\MobileSync\Backup\{UDID} 
  • OS X: ~/Library/Application Support/MobileSync/Backup/{UDID}


The UDID is the handset's 'Unique Device Identifier'. Having worked as an app tester, I know a developer can provide you with an app they're developing that will only run on a device with your UDID - the important thing to take away is that it's unique to the device. Looking inside an iPhone backup, you'll see that it is full of files with funny-looking names. These names are SHA-1 hashes of each file's backup domain and path, and they don't make much sense on their own; however, included in the backup are four important files with readable names:


  • Info.plist 
  • Manifest.mbdb
  • Manifest.plist
  • Status.plist


The Manifest.mbdb file is of great importance. Essentially, this file lists every file included in the backup, with each entry's domain and path stored as plain strings. The downside is that to find the corresponding file on disk you have to convert each 'Domain-path' string to its SHA-1 hash yourself. For example: HomeDomain-Library/Safari/Bookmarks.db would become F0EC7DF5C552FCA6871EDA5621AB225CB5EFEDA4 as a SHA-1 hash. Then we'd have to look through the files, but do you see how that would get annoying? Having to take a string and SHA-1 hash it, over and over? I created a Python script with a batch file to quickly turn a string into a SHA-1 hash, which works, but I still wanted the process to be faster. You can download my script from https://github.com/smc13/otherTools (look for shaConverter).

As I mentioned, I wanted a quicker, more efficient way of getting all the strings converted to SHA-1 hashes. As mentioned above, the Manifest.mbdb lists all the files in the backup. After a quick search, I found the following tool: 'iPhone Backup Browser'. This tool can be found here and is created by a guy called Rene. What we're interested in is the mbdbdump.exe file.

Once you export the Manifest.mbdb file into the same directory as mbdbdump.exe, all you need to do is run this simple command: mbdbdump.exe > mbdbDump.txt (the output is plain text, so the extension you give the file is up to you). Once this is done, you'll see data in the following format:

record 7 (mbdb offset 6)
  key    25f31bdb3de9bdead048a0090097d5c1091296d2
  domain CameraRollDomain
  path   Media/DCIM
  mode   dir (488)
  time   28/02/2013 10:04:26
  data   41E8 00000000 0000003F 000001F5 000001F5 512F2BAA 512F2BAA 50CE9157 0000000000000000 04 00

We can verify the key if we want by taking the domain (CameraRollDomain), adding a '-' and appending the path Media/DCIM, so it looks like this: CameraRollDomain-Media/DCIM. Hash that string with SHA-1 and, you guessed it, we get the same value as the key field above (see picture below).


(The software being used in picture is called 'Text Checksum' by Benoit Ferace and can be downloaded from the Windows Store)
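Rather than hashing one string at a time, the whole manifest can be mapped to the hashed filenames in a single pass. The Python below is an added example, not the shaConverter script linked above and not part of Rene's mbdbdump. It reads the Manifest.mbdb record layout directly (the raw 'data' bytes mbdbdump prints: mode, inode, uid, gid, three timestamps, length, flag and property count, all big-endian) and derives each record's key as SHA-1 of 'Domain-path'. The sample manifest is constructed inline: record 1 is rebuilt from the record bytes shown above, record 2 is an invented sms.db entry with a made-up size; the label 'unknown' for the fifth string field is this example's own, not Apple's.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Added example parser for Manifest.mbdb (not shaConverter, not mbdbdump).
MAGIC = b"mbdb\x05\x00"          # 6-byte header at the start of the file

# Fixed-size tail of every record, big-endian, matching the 'data' line that
# mbdbdump prints: mode(u16) inode(u64) uid(u32) gid(u32) mtime atime ctime
# (u32 each) length(u64) flag(u8) property-count(u8) = 40 bytes.
FIXED = struct.Struct(">HQIIIIIQBB")

def backup_key(domain, path):
    """Filename of the backed-up file inside the backup folder: SHA-1('Domain-path')."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()

def _read_string(buf, off):
    """mbdb string: u16 big-endian length, then that many bytes; 0xFFFF = absent."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0xFFFF:
        return None, off
    return bytes(buf[off:off + n]), off + n

def _text(raw):
    return "" if raw is None else raw.decode("utf-8", "replace")

def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def parse_mbdb(buf):
    """Return one dict per record, in file order, with the derived SHA-1 key."""
    if buf[:len(MAGIC)] != MAGIC:
        raise ValueError("not a Manifest.mbdb: bad header %r" % bytes(buf[:6]))
    off, records = len(MAGIC), []
    while off < len(buf):
        rec = {"offset": off}
        domain, off = _read_string(buf, off)
        path, off = _read_string(buf, off)
        link, off = _read_string(buf, off)
        rec["data_hash"], off = _read_string(buf, off)    # SHA-1 of content, or None
        rec["unknown"], off = _read_string(buf, off)      # fifth string; label is ours
        (mode, inode, uid, gid, mtime, atime, ctime,
         length, flag, nprops) = FIXED.unpack_from(buf, off)
        off += FIXED.size
        props = {}
        for _ in range(nprops):                          # extended attributes
            name, off = _read_string(buf, off)
            value, off = _read_string(buf, off)
            props[_text(name)] = value
        rec["domain"], rec["path"] = _text(domain), _text(path)
        rec["link_target"] = _text(link) if link is not None else None
        rec["type"] = {0x4000: "dir", 0x8000: "file", 0xA000: "symlink"}.get(mode & 0xF000, "other")
        rec["perm"] = mode & 0o7777                       # 0x41E8 -> 488 (0750), as mbdbdump shows
        rec["inode"], rec["uid"], rec["gid"] = inode, uid, gid
        rec["mtime"], rec["atime"], rec["ctime"] = _utc(mtime), _utc(atime), _utc(ctime)
        rec["length"], rec["flag"], rec["props"] = length, flag, props
        rec["key"] = backup_key(rec["domain"], rec["path"])
        records.append(rec)
    return records

# --- constructed sample so the script runs offline ---------------------------
def _string(s):
    if s is None:
        return b"\xff\xff"
    s = s.encode("utf-8") if isinstance(s, str) else s
    return struct.pack(">H", len(s)) + s

def _record(domain, path, mode, inode, uid, gid, mtime, atime, ctime, length, flag=4, props=()):
    out = _string(domain) + _string(path) + _string(None) + _string(None) + _string(None)
    out += FIXED.pack(mode, inode, uid, gid, mtime, atime, ctime, length, flag, len(props))
    for name, value in props:
        out += _string(name) + _string(value)
    return out

# Record 1 rebuilds the bytes mbdbdump printed above for CameraRollDomain-Media/DCIM
# ("41E8 00000000 0000003F 000001F5 000001F5 512F2BAA 512F2BAA 50CE9157 00..00 04 00");
# record 2 is an invented sms.db entry (0x81A4 = regular file 0644, size made up).
SAMPLE_MBDB = MAGIC + b"".join([
    _record("CameraRollDomain", "Media/DCIM", 0x41E8, 0x3F, 501, 501,
            0x512F2BAA, 0x512F2BAA, 0x50CE9157, 0),
    _record("HomeDomain", "Library/SMS/sms.db", 0x81A4, 0x1234, 501, 501,
            0x512F2BAA, 0x512F2BAA, 0x512F2BAA, 24576),
])

def dump(buf):
    """Render records in the same spirit as mbdbdump's text output."""
    lines = []
    for i, r in enumerate(parse_mbdb(buf)):
        lines += [f"record {i} (mbdb offset {r['offset']})",
                  f"  key    {r['key']}",
                  f"  domain {r['domain']}",
                  f"  path   {r['path']}",
                  f"  mode   {r['type']} ({r['perm']})",
                  f"  time   {r['mtime']} UTC   size {r['length']}"]
    return "\n".join(lines)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MBDB
    print(dump(data))
```

Run it with the path to an exported Manifest.mbdb as the only argument, or with no arguments to dump the constructed sample. The first sample record decodes to the same mode (dir, 488) and mtime (28/02/2013 10:04:26, in UTC) that mbdbdump printed above, which is a quick sanity check that the 40-byte layout is being read correctly; the key column is what you then look for in the backup folder.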


So there we have it. There's no need to look in the Manifest.mbdb file and manually convert every string, just export the file and dump its contents. Happy investigating!



Tuesday, 20 May 2014

Domain Extension + The 28th



Domain Extension!

As my 3 year University course finishes, I decided to take a quick look at where this blog started. At the time of writing, it has been 9 months since the blog started. I was debating whether to revert to hackingtheperimeter.blogspot.com or whether to extend the domain name for another year.

Whilst the cost of this site is very low, the domain name and whois charges cost approx $15 per year. Statistics seem to show that I get hits from the USA and UK mainly and, if I was to hazard a guess, I'd say I have 100+ regular readers. If those 100 readers clubbed together $0.15 each, that would be another year's domain costs paid.

Now, this isn't a post to beg you for your cash - I've just paid for a years renewal, because when I started this blog, I wasn't expecting 1 regular reader. To have at least 100 is amazing and I was more than happy to pay for another year of Hacking The Perimeter.

28th Day

One or two readers have let me know that they would much prefer me to post on a specific date rather than whenever I feel like it. I know some of my readers use RSS feed, but some don't. Therefore, I am now going to post once a month, on the 28th day of that month.

So....you're telling us there's only going to be 12 posts a year?!? ......Yes.....from me. That's where YOU come in. I will be asking YOU to write a mid-month article on anything IT-related. It could be cloud-computing, green energy reducing IT equipment, forensics, security, hacking - whatever. Each month there will be an opportunity for a reader to make a post. That means each month there *could* be two posts.

Quality over quantity, folks, quality over quantity!

Thanks for reading. Here's to another year of HackingThePerimeter!




Saturday, 17 May 2014

Old Doesn't Mean Useless (Priv Escalation)

I have what you could describe as 'geeky' friends - so geeky that one of them set me a challenge. I'm in the process of relocating and, as I'm without internet access, my friend offered me his - but only if I could beat his challenge. After making my way to his house, I was greeted at the door by a grin and a laptop. The laptop was running Windows 7 64-bit. My mission, should I choose to accept it, was to gain root access.

All I had was a standard user account called 'local' and an Administrator account called 'Simon' - but I didn't know the password for this (see screenshot below).



I checked the machine for any signs of Windows updates - and it looked as if the system had been installed and no updates had been downloaded, though the Administrator had installed AVG Anti-Virus 2014 - which I thought would destroy any hopes of downloading code and executing it on the machine - or would it? Now I'd posed the question, I wanted to test my theory. For those of you who have a better memory than me, you'll remember CVE-2010-3888 - which was a 0-day exploit. Apparently the Stuxnet worm was using this to elevate privileges.

I, however, didn't remember it, but after a few minutes of Google searching, I figured it would be worth a shot. My main worry was that AVG 2014 would detect it and my friend would laugh at my feeble attempt. So, I proceeded to download the code and take some screenshots along the way.

To my amazement, AVG 2014 didn't flag the file once it had downloaded onto the desktop. As you can see in the screenshot below, I used 'cscript <script>' to run the file and it ran through with no errors.


I then checked to see whether an administrator account had been created and it had.


More proof:


I scanned the file with AVG 2014 and it wasn't detected!


Now, this exploit is 4 years old at the time of writing - in the real world, most, if not all, machines will be patched, but it brings up an important thing to note: having an anti-virus DOESN'T mean you're protected, even if the exploit is old. I personally use Vipre Anti-virus when I'm using a Windows machine and I did check: Vipre does pick up this code. This isn't to say AVG 2014 is bad; lots of anti-virus products don't pick up this particular script (according to the results from VirusTotal, just 17/52 AVs flagged this malicious code!).


Until next time...





Tuesday, 13 May 2014

Presentation Tips

Presentations can be tough, especially if you don't know your audience, haven't prepared, or are simply nervous. This post has come about because whilst I've been at University, I have taken part in several presentations and have picked up a fair amount of valuable information which I want to share, so that you can have 3 years' worth of experience handed over to you in a page's worth of text.

The 3 P's: Prepare, prepare, prepare. It's no good thinking you can 'wing it'. A presentation requires you to know your subject and to articulate your thoughts into understandable sentences which capture the imagination of the audience and don't send them to sleep. Preparation doesn't stop there, though; in fact, preparation includes knowing your environment and audience.

At the time of writing, I have not long come out of a presentation which could have landed me with a job - so yes, this was an important presentation. I made a mistake by not knowing the environment I was presenting in. My laptop was set up with a powerpoint and two virtual machines - which I would be using for a live demonstration. Unbeknownst to me, the environment didn't support HDMI and I ended up having to remotely log into my laptop, which completely threw me off track and despite trying to regain composure, I didn't feel as if it worked. All this could have been avoided by knowing the environment and testing it prior to the presentation.

Know your audience. Is your audience technical? Non-technical? It's important to gauge how well your audience understands the subject area, as this lets you know how technical you can afford to be. Now for some brief points you should think about before you go and do your presentation:

  • Have Eye Contact - Too many people avoid looking at the audience. I too have been guilty of it in the past. Whilst it may not be appropriate to glare at one of your guests all the way through, look at them, talk to them; it helps to invite them into your conversation.
  • Slow down! - I found that a lot of people tend to talk fast, which may be due to nerves, but it's quite important to go at a slow and steady pace, rather than quick and risk losing your audience.
  • Know Your Speech - I always try my best to know what I'm going to say. I know lots of friends who use notes or write notes under their presentations - I've got nothing against it, but I don't like to try and memorise a set of notes too closely, or the presentation risks looking a little unnatural and becoming robot-like. Have an idea what to say, but don't stick to the script TOO much.
  • Have A Backup Plan! - After tonight's experience, I will never again go to a presentation without a solid backup plan. If something goes wrong, you need to have a plan. This could be having your PowerPoint on 2x USB sticks, just in case one is lost, corrupt etc. In my case, I needed a pre-recorded video of my 'live demo' so that I could have shown the audience my software if any technical issues meant that I couldn't hook up my laptop.

I don't proclaim to be perfect at presentations - far from it. I like doing presentations because I feel like there's a lot to learn from each one. Each presentation offers a slightly new scenario and new challenges. These tips are just as much for you as they are for me. I will most certainly use these myself whenever I have a presentation in the future.

Remember one thing you should always do, without fail....enjoy your presentation!

Thanks for reading.

Thursday, 8 May 2014

The Art of Doxing



Doxing (or doxxing) comes from 'dox', short for 'documents': compiling the documents and records that identify a person. Tracing those documents can be part of a penetration test, as you need to find out information about a target. Now, we're going to look at elements of doxing and how you can help yourself stay safe. Doxing usually begins with something small, such as an email address, a forum username or a name.

From here, doxers (is that a word? It is now!) can search for information about that person. Doxing differs slightly from information gathering, because information gathering usually targets a server or computer, whereas doxing tends to rely on freely available information about a person for the most part. So, for the purpose of this post, I went onto Twitter and looked at one of the first names that I came across. I won't publish any private information about the person(s) involved, such as their real name.

So, Twitter allows a username in the format @UsernameHere as well as your name. Now, this person had used her real name as well as a username. So already, I had a username and real name to go on. A quick search on Pipl.com showed that Twitter-mining websites had collected previous posts by the lady; let's call her 'Helen'. Helen had posted a photograph which, unbeknownst to her, contained a piece of paper in the lower left of the image with her address on - although on her real Twitter, it had been deleted. So, normally, that's about as far as you'd need to go with doxing; however, that was too easy, so I continued to dig a little deeper. The photographs posted by the woman showed the following:

  • A pet Labrador
  • Her at a Chelsea football match
  • Her at a Michael Mcintyre gig
  • Her at University (I won't mention which one)
  • Her at a Drake concert

Underneath the photograph of the pet Labrador was the name of the dog. The text underneath the Chelsea football match had the date she went to the game, and so on... The one that struck gold was a tweet saying what her favourite chocolate was. This was almost certainly going to be the secret word/phrase for her email account. And if not, I could have used the brute-force technique in one of my previous posts to attempt to gain access.

At this point - I'll admit, I was thrown off the trail. I almost gave in because I couldn't find any more information about this person.....until I found peekyou.com. Peekyou.com is similar to Pipl.com in the way it harvests information - and it's very scary from a security point of view.

Typing in the lady's twitter name brought up her profile from whenever she'd created her twitter, which told me what school she went to. From there, I could look on Facebook and filter by education - found her! (She wasn't showing up on any searches until I got her previous-education history.)

Helen's Facebook URL had been set to a custom name - different from her Twitter. Appending @gmail.com to her custom Facebook URL gave her email address. From here, it was a case of going to Gmail.com and clicking 'forgot password' to confirm that the email address DID exist. Someone with different motives than me could have attempted to gain access to her account by simply going back to the login screen and attempting to brute-force the account, OR attempting to reset the password using the 'forgotten password' method.

Or, what about phishing? Now a potential attacker has a known email address to target...the options are almost endless. At this point, I told her how to secure her account and insisted she use two-factor auth; we've since had a laugh about it.

Conclusion


So, what can we learn from this? Whatever you put on the internet can reveal all sorts of things about you, which can be used in a social-engineering attack. Ensure you use complex passwords that aren't your pet's name, favourite football club etc., and make sure your account-recovery questions don't lean on the same publicly visible facts. Your password should not be found in a dictionary either.

Be extremely careful when naming your twitter or facebook profile and be careful what you upload. Uploading pictures and tweeting paints a picture of YOU. It allows a 'bad guy' to profile you. In this case, I was able to profile the lady and *probably* would have had some success in stealing her account if I was that way inclined. I would be inclined to hide your Facebook profile from public search and protect tweets so only selected followers can see them.

And finally - implement two-factor authentication. Many websites now allow you to add your mobile phone number to your account, so whenever you log in you get a text message with a code on it; you simply type that code into the box on the website and you're logged in. This means a third party who has guessed or reset your password still can't get into your account without your phone. SMS codes can still be phished or intercepted, so where a site offers an authenticator app, prefer that, but either is far better than a password alone.


Stay safe online. Until next time!

Sunday, 4 May 2014

Ubuntu 14.04 - Booting up to a black screen




This post isn't the security post i'd promised - that will be this coming week. No, this issue is Ubuntu 14.04 LTS - again. It seems that every step Ubuntu takes forward, it takes several back. At the time of writing, the Ubuntu forums are filled with people having sound issues and graphics issues. I daren't check the networking forum, because I know how many wi-fi issues I was having with Ubuntu 14.04 LTS last week.

Today's issue was different. Ubuntu 14.04 LTS booted up to a black screen. At first, I pressed my brightness function key, because HP laptops are known for booting with low brightness, but that didn't fix it. At this point, I began to panic a little bit, because I knew I was looking at a possible re-install of Ubuntu.

I dropped to a shell and ran 'ls', which showed my files were all there, and 'cat' showed that they were still intact. This seemed to be a driver issue. Now, I hadn't done any fiddling with drivers, so there's absolutely no reason this should have happened. I looked around on the web and people were talking about re-installations, until I found one guy who said he dropped into the command line, removed lightdm and installed gdm.

Before I tell you how to do that, what is LightDM? "The most user-visible aspect of the display manager is the login screen; however, it also manages the X servers and facilitates remote logins using the XDMCP protocol. LightDM was added as the default display manager in Ubuntu 11.10 (Oneiric), replacing GDM, which had been the display manager since the beginning." (Source - Wiki Ubuntu).

So essentially, GDM was replaced by LightDM. I followed the guy's suggestions:


  • Boot into recovery mode (or you can actually just hit ctrl + alt + f1 to drop into a shell from your black screen, which is what I did)
  • type in: sudo apt-get remove lightdm
  • sudo apt-get install gdm
  • sudo shutdown -r 0
Your machine should now boot up with a different (and IMHO better) login screen. You should now be able to log in without seeing a black screen. I know what you're thinking: wouldn't it be better to boot into recovery, uninstall lightdm... and reinstall it? Yes - it probably would. But this is what was suggested and this is what worked for me.

Hope it helps someone out there.