Covert Post-Exploitation Forensics With Metasploit: Tools and Examples

Video in TIB AV-Portal: Covert Post-Exploitation Forensics With Metasploit: Tools and Examples

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Abstract

In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). These scenarios imply that the "subject" (the one in possession of the media) is aware of the fact that their data has been seized or subject to remote access. While penetration testing tools allow for surface-level access to the target filesystem, there is a lot of potential data that is being missed in unallocated space that could be accessed by file system forensic tools such as The Sleuth Kit. In this presentation, Wesley will present a new set of tools that will allow forensic examiners and pentesters alike to image remote filesystems of compromised systems, or perform examinations directly on remote filesystems with forensic tools on the attacking machine by mapping remote drives to local block devices. This is the integration of Metasploit with a large body of existing digital forensic tools.

Wesley McGrew is currently a lecturer and researcher at the National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. He has interests in both penetration testing and digital forensics, resulting in some interesting combinations of the two. He has written tools useful to both fields (NBNSpoof, msramdmp, GooSweep), and tries to stay involved and interactive with the online infosec community. Twitter: @mcgrewsecurity
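The abstract's point is that file-system forensic tools recover data from unallocated space that a shell's file listing never shows; the talk calls the simplest form of this data carving, scanning every 512-byte sector of an image for known file headers. The following is an added illustration of that technique, not code from the talk or its Metasploit modules: a minimal Python carver run over a constructed image with no file system at all, so nothing points at the files it finds. The signature table (JPEG and GIF headers and footers) and the sample image layout are this example's own assumptions.

```python
"""Minimal signature-based ("data carving") recovery over a raw image.

Added example, not part of the talk or its Metasploit modules. It walks a
disk image one 512-byte sector at a time looking for known file headers, so
files that no file-system record points to any more can still be recovered.
The image below is constructed here: no file system, just zeroed
"unallocated" space with a few files dropped in by hand.
"""

SECTOR = 512

# header -> (type, footer, maximum bytes to carve after the header).
# Footer matching is naive: the footer pattern can also occur inside
# unrelated data, so real carvers validate file structure; the cap bounds
# the damage done by a false or missing footer.
SIGNATURES = {
    b"\xff\xd8\xff": ("jpeg", b"\xff\xd9", 8 * 1024 * 1024),
    b"GIF87a": ("gif", b"\x3b", 4 * 1024 * 1024),
    b"GIF89a": ("gif", b"\x3b", 4 * 1024 * 1024),
}


def carve(image: bytes, step: int = SECTOR) -> list:
    """Return [(offset, kind, data)] for every header found at a multiple of step.

    step=512 is the sector-aligned scan the talk describes; step=1 is a
    byte-granular scan that also finds files not starting on a sector boundary
    (slower, and more prone to false hits on real data).
    """
    found = []
    off = 0
    while off < len(image):
        hit = None
        for header, (kind, footer, max_len) in SIGNATURES.items():
            if not image.startswith(header, off):
                continue
            window = image[off:off + max_len]
            end = window.find(footer, len(header))
            if end == -1:
                # Header but no footer within the cap: report what is there so
                # the examiner knows a file started here, and keep scanning.
                hit = (off, kind + "-partial", window)
            else:
                hit = (off, kind, window[:end + len(footer)])
            break
        if hit is None:
            off += step
        elif hit[1].endswith("-partial"):
            found.append(hit)
            off += step
        else:
            found.append(hit)
            # Skip past a complete file, realigned to the scan step, so the
            # inside of an already carved file is not scanned again.
            nxt = off + len(hit[2])
            off = -(-nxt // step) * step
    return found


def build_sample_image() -> bytes:
    """Constructed 16-sector image: zero-filled, with four files placed by hand."""
    img = bytearray(16 * SECTOR)

    def place(offset: int, data: bytes) -> None:
        img[offset:offset + len(data)] = data

    # Complete JPEG starting exactly on sector 2, spanning into sector 3.
    place(2 * SECTOR, b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 700 + b"\xff\xd9")
    # Complete GIF on sector 5; its body holds no 0x3b, so the trailer is unambiguous.
    place(5 * SECTOR, b"GIF89a" + b"\x22" * 100 + b"\x3b")
    # A JPEG that does not start on a sector boundary (offset 3500, mid-sector 6):
    # the sector-aligned scan walks straight past it.
    place(3500, b"\xff\xd8\xff\xe1" + b"\x44" * 90 + b"\xff\xd9")
    # A JPEG header on sector 9 whose tail was overwritten: carved as partial.
    place(9 * SECTOR, b"\xff\xd8\xff\xe0" + b"\x33" * 300)
    return bytes(img)


def summarize(hits: list) -> list:
    """(offset, kind, length) view of carve() results, for reporting."""
    return [(off, kind, len(data)) for off, kind, data in hits]


if __name__ == "__main__":
    image = build_sample_image()
    for off, kind, length in summarize(carve(image)):
        print(f"sector {off // SECTOR:>3} offset {off:>5}: {kind} ({length} bytes)")
```

Against a real image the same loop would be pointed at the block device mapped locally, and each carved `data` written out to a file for the usual tools; the sector-aligned scan is the fast first pass, the byte-granular scan the slow one for anything it missed.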

So my name is Wesley McGrew, and to give you a little bit of background on why I might be giving this talk, I'm going to tell you a little bit about the different hats that I wear. My day job currently is at Mississippi State University, where I've been for some time now, where I teach at the National Forensics Training Center. We develop course material and provide free training to anyone affiliated with law enforcement, also wounded veterans that are coming back from Iraq and Afghanistan, to give them the skills that are needed to join the workforce in processing digital evidence and computer crime and child pornography and things like that. So in that aspect of my job I write about forensics, I teach forensics, we experiment with forensics in our lab; we have a very nice lab in Starkville, Mississippi for this. But then after hours, whenever I go home and kick up my feet in the home office, I break things. I operate mcgrewsecurity.com, I'm @mcgrewsecurity on Twitter, and one of my favorite things to do is to find vulnerabilities in things, break things, penetration testing, that sort of thing. So with this talk I'm sort of being informed by both sides of those things, and wanted to provide something for both the forensics geeks and the penetration testing geeks that are in here.

So what inspired this talk was actually straight out of the DEF CON 19 call for papers. One of the first ones on the kind of talks they were looking for is James Bond, Man from U.N.C.L.E. type spy stuff, which is right up my alley. I love any kind of spy movie, I love any kind of heist movie, basically anything where somebody steals something I'm completely cool with; that's very entertaining stuff. So that really called out to me, and I'm really happy to see that there's a really huge Spy vs. Spy theme to this conference; it's a lot of fun. So with that I figured, okay, let's get sneaky with forensics and penetration testing, and that's what we're going to do right here in this talk.

So to break it down, when we talk about covert post-exploitation forensics, by covert we mean without the suspect's knowledge, the subject's knowledge, whoever the target of this forensics is. We want them to be able to just go about their business as normal without really knowing that we're going after them. As we'll talk about here in a little bit, the whole idea with traditional forensics is somebody comes and takes your stuff: they kick down your door, they haul you off and they take your stuff. With that, you know you're not going to continue your activities, you're not going to continue to steal things and SQL inject folks and stuff like that. So we want to be able to have the capability of performing forensics without the suspect knowing about it, and that brings up some interesting issues which I'll discuss. By post-exploitation we mean that, to accomplish this covert goal, we want to do this after we've compromised the system remotely or by some local backdoor; any way we can get a Meterpreter shell up and going works for this. And by forensics, for the folks who are not the forensics geeks in the audience, we are reconstructing data above and beyond what the subject anticipates. So the subject may be anybody from a standard, barely computer literate user who's downloading and trading child pornography over peer-to-peer sites, all the way up to your leet hackers and stuff that take lots of operational security into account. But on the scale from the lowest to the highest skill there are essentially misunderstandings as to how data is stored, what's recoverable, what's really deleted and what's really gone, and what can be reconstructed after the fact by a good examiner. It's all about layers of abstraction. Most computer users see files on their desktop, files in their documents, files in their downloads; they know that when they put something into the Recycle Bin they can probably still go and get that back until they empty out their Recycle Bin. But that's the level of abstraction that they're looking at for their system; they're not shown anything else underneath that to reveal how this all really works and how it's all really implemented, and why it's so darn fast to delete a one gig file. So as you get more skilled with this stuff, and especially if you're into forensics and follow it or practice it, you begin to realize that the way file systems are implemented is perhaps a bit different than how you see it and interact with it on a daily basis. So when you delete files they may not necessarily be gone; when you format a file system that data still might be there. So basically, by taking advantage of the subject's lack of knowledge of how everything works underneath there, we can pull back things that they thought they had already gotten rid of.

So with that, we've got the peanut butter and jelly sandwich here of forensics and penetration testing, and this is supposed to be something for both sides. For the forensic side we're introducing the aspect of being able to do this remotely and covertly, without having to be on scene or having to make the subject aware. For the penetration testing side of things, we want to make this a tactic, a rigorous post-exploitation skill that can be leveraged to gather more information out of every system. So for every system that we break into at a company, we want to be able to extract more data out of it: more personally identifiable information that may have previously been deleted, more information, old emails and things like that that may get us into other systems.

So for the forensics geeks, the implications of this are that we may run into a situation where it's "no subject location, no problem." So for the guys that you see running around here with the Guy Fawkes masks on and things like that, they're like "good luck, I'm behind 7 proxies." Well, perhaps you might want to be very careful about the things that you run from here on out, because something like this may give you away; it may allow people to do forensics on your drives without you knowing about it. This allows for surreptitious acquisition and analysis, and so the obvious question here is privacy concerns and the legal ability for our government, federal agents and local agents and state agents and things like that, to perform this kind of analysis. The way it stands right now is there exist surreptitious entry warrants in some situations, so federal investigators can go in surreptitiously and examine things or place things. It's been used at least once that I know of to place keystroke recorders on a computer; I believe it was Scarfo or something, that's a mafia, organized crime case. So the legal framework may be there. I'm not a lawyer; I'm barely what you might even consider a fed, federally funded, so I don't know all the details of how to do that, but it's sort of a solution looking for the problem there. But the main thing for the forensics geeks, for being able to perform forensics on these remote systems like this, is that we can use these familiar tools. People go to long training events for things like FTK and EnCase and things like that, or else they're very familiar with Brian Carrier's work and they'll use Sleuth Kit, and there's no point in having a new set of modules for doing post-exploitation forensics that doesn't work anything like the old ones. It's best if we can just leverage all that old training, so we can use those familiar tools.

Sleuth Kit, the commercial tools like FTK and EnCase; there's a really good free tool that AccessData, who puts out Forensic Toolkit, publishes, called FTK Imager. As originally intended, it's just a way to have a license-free program on a USB drive that can image drives for you, so that you can take it out in the field or use it on as many computers as you want, and you don't have to worry about having your USB dongle for FTK with it. Well, it's actually kind of grown in capability; it turns out you can do some pretty cool stuff with just FTK Imager, and it's available free from their website, accessdata.com.

On the other side of things, if you're a penetration testing geek, if you like to break things, or hey, maybe even if you're a criminal, who knows, we'll call it penetration testing for this side of things. You might get more value out of the systems that you break into; you may be able to get more important data out of every compromised system that you break into by using tactics like this. If you suspect that might be the case, there's always a situation for companies and organizations and individual systems that process sensitive data: they may need it for a short period of time to verify something, or to log it and send it off to some other location, to encrypt it and back it up and everything like that. But there's always the statement there that "we don't keep that kind of data, we don't keep sensitive data on this particular system," or "we don't keep this part of the data, we throw it out, and we save the stuff that's not sensitive," or "we encrypt that and then back it up over here." So what this will allow you to do is we can take advantage of weaknesses in how they go about that process in order to recover remnants of that sensitive data that didn't get deleted quite as well as they thought it would. We may be able to find multiple revisions of files, old data, that sort of thing, any kind of remnants of old source code or anything like that. Say if you built a program on a system, installed it and then removed the source code from it, well, maybe we can go back and pull that back. A big thing that we cover in our forensics training center classes is the concept of data carving. If all else is lost, if a file has been deleted and all the filesystem metadata that points to it is gone, there's still a good chance that there are portions or even whole files out there that aren't even pointed to by the operating system. So by doing signature analysis with the headers, basically we know what sequence of bytes a JPEG header starts with, GIF images, Word documents, things like that; if we know that, then we can set up a tool to go through every 512-byte sector of that image file or disk and look for those old files that aren't being pointed to anymore. One nice thing about the tools that I'm going to discuss here is, since we're developing tools where essentially we map the victim's block devices to our local block devices, since we have the capability of doing that, in addition to running off-the-shelf commercial or open source forensics tools, we can also just write our own scripts to manage things. So if you have a script that will go through a file system looking for personally identifiable information with regular expressions for Social Security numbers or credit card numbers or anything like that, then you can take those scripts that you would run on your local file system and just run it directly against the file system that you've mounted off of a victim system. And all this is relatively stealthy, with some caveats that we'll discuss, but overall, unless the victim is sharp, it's going to go about pretty smoothly.

So the typical forensic examination scenarios that you have right now are hardware seizure: you get a warrant and you go out and you take their stuff, basically. In commercial environments, in enterprise environments, you may have a situation where you have authorised software agents on the endpoint computer. So if I'm a forensic examiner or forensic investigator for a large company that has hundreds of machines or thousands of machines, each of those machines may have an EnCase agent or an F-Response agent on it that allows me to connect to it remotely from my examiner workstation and do some of the same things that we're talking about here, where we're able to look at the block devices directly, recover files, basically perform examinations remotely. The difference in this is that we don't have to have that agent anymore: remote forensics without having to have the agent, without having to have the click-through or sign-on user agreement saying "yes, I agree that I may be investigated at any point." Most forensic examinations, if they're not done by taking your stuff, then they're done on-site. There are tools for forensic previews; drives can be quickly hooked up via write blockers to allow the examiner on site to see if there's enough evidence there to warrant taking it with you and going further with it. Sometimes consent is given by the subject, and law enforcement are really good about convincing people to give consent, so a lot of people consent to being searched on their digital evidence and it can quickly be looked at there. But in all these cases the suspect or the subject is aware that they're being investigated. So here we have a situation where that may not necessarily be the case, and take that as you will, as being informed.

So with the covert remote forensics we have an unaware subject. As long as there's a vulnerability in Metasploit, or something that you can write a Metasploit module for, to exploit this system, and it doesn't do crazy things on their desktop while it's doing it, which is the case with most of the stuff, it all works just perfectly fine. You're in, you get the Meterpreter shell; the Meterpreter shell itself has a very low footprint on the system, and I'm not sure that it touches any files at all. It has a small memory footprint; it probably depends on the actual vulnerability being used as to the footprint. But in this case, if there's no known physical location it's not a deal killer anymore. Usually if you're going to get a warrant, if you want to perform an investigation, a search and seizure, then you need to be able to say where that person is. But there may be situations where people are good at anonymizing themselves, or coming in over borrowed wireless and things like that, where you may not necessarily know where they physically are. If you can make the case that they're there at this IP address and we can get them with this, then we can figure out their location once we get on through their system and start looking at the data that they have on that system. So in that case you may have some sort of remote exploit if you have an IP address, or you may do some sort of client-side thing, and then whenever it phones home to you it's like, "oh, there's the IP address right now," once it calls back to you. So that gets you around all seven of those firewalls or proxies. We can have remote imaging. So the capabilities that these tools will allow you to have now are broken up into a few different things. We have three different tools: one's just for enumerating; one is simply just a remote imaging solution, just the same thing as you would have for a handheld imager or an imaging program like dd on a local computer, which allows you to do essentially the dd process over the network through Meterpreter; but what's really cool is we have remote block device access. So remote physical drives and remote volumes on the victim Windows computers, right now just Windows, remote devices on those computers, we can map those to local devices that we can run any tool we want to on.

So this is good for folks who are in intelligence and don't really have to worry about the whole warrant thing; if the NSA wants to talk to me later they can feel free, they're here hiring. There's penetration testers that are trying to up their post-exploitation game, so if you're a penetration tester and you want to be able to branch out from your systems more, you want to be able to say in your report "we pulled out more data than you normally pull out," this can help you out here. As far as compliance goes, it could be that, and I'm not very familiar with PCI and HIPAA and things like that, but if those standards, and other compliance standards, require the secure deletion of data, then these techniques will help you verify that. Because if you're simply looking at the file system through the normal Meterpreter ls and getting files and things like that, you're looking at that very high level of abstraction that keeps you from seeing whether or not something was securely deleted. So we can verify if things have been wiped or not. And finally, criminals can use this, much like anything that's presented here; if crime is your thing then that's the case, and if you don't want crime being done against you then this will inform you that maybe people might use it against you.

So for the forensic side of things here, for the penetration testers: at Mississippi State University we have semester-long classes in digital forensics. We teach them all about file system forensic analysis; we use Brian Carrier's File System Forensic Analysis book as the textbook, and we cover with them all the technical details of forensics. We talk to them about imaging and some of the legal aspects and things; we get law professors from Ole Miss to come help out with that. It's a semester-long class; they have a project where they create mock cases based on a set of parameters we give them, and midway through the class they swap up and investigate those cases, and we usually have a mock trial at the end with real judges and attorneys, and we put them on the stand through cross-examination and all that. It's a lot of fun. That's forensics on the long end of the scale of things, a semester-long class. For law enforcement and veterans we have more intense week-long classes that try to get them up to speed for doing simple examinations and giving them some information so that they can branch out from there or take some of our more advanced courses, like the network forensics and some of the workshops that we're holding on commercial and open source tools; we break those up into week-long chunks. Now, for here at DEF CON, for penetration testers, we have one hour, less than one hour actually, so to teach all about forensics is a little bit different. Now, I would say that most of our law enforcement and veterans are a little bit more motivated to learn than most of our undergraduate students, so I would like to think that the penetration testers who want to make more money off of their penetration tests and want to have better results would be very attentive and willing to do some personal research to get caught up on this.

So with file system forensic analysis we have a whole set of capabilities that are added on that aren't necessarily there with normal tools for looking at file systems, like the ls and get and things like that that are built into most exploitation tools. Of course we can get out allocated files, and really that's where it stops with most post-exploitation tools: we can grab allocated files and we can do things like forensics on their cookies and their browser history, and grab a copy of their Documents folder and things like that. But there's a lot more out there. There's deleted files: if we delete a file on a file system, then typically on NTFS that file record is simply marked as bad; all the information in the file record is still there, all the data that's out on the disk is still there. If we delete a file on the FAT32 file systems, nowadays mostly used on USB drives and things like that, if we do that then it simply changes the first character of the file name to mark it as being deleted, but all the information about where that is on the disk is still out there. There's a really interesting concept of slack space, where we can essentially grab little bits and pieces of old files that are kind of sealed in time, sort of like the mosquitoes in amber from Jurassic Park; we can grab out some data on that, and I'm going to talk in a little bit more detail about that on the next slide. There's completely unallocated space: eventually Windows may reuse one of those file records that was marked as deleted, as it will tend to do after some time, a surprisingly long time usually, but once that file record is reused, or the disk is reformatted, or there's a partial wipe or something like that, then the data of the file is perhaps still out there on the clusters and the sectors of the disk and simply nothing's pointing to it. So we're down to data carving; we look for it by signatures, frequency analysis, that sort of thing. Most people have a misunderstanding about the differences between deleting and formatting and wiping. Essentially, if it didn't take very long for you to do it, then it didn't do it very securely. It takes time to wipe a file; it takes time to reformat a disk with full wiping, and it can take the better part of a day usually, and most file systems don't do this by default. They don't do it by default because, one, it's very slow and it puts wear and tear on the drives and things like that, and Microsoft takes enough flak for Windows being slow already; they're not going to introduce more slowness by forcing the users to sit there and wait while every file that's deleted is being wiped off the disk, overwritten with zeros and ones and things. Then finally we can add the concept of imaging there, so getting a one-for-one copy of the target drive. With the tools that we're going to show off here we have the ability to image a remote drive, and if we can do it while the system is relatively calm, if we can get the system in a fairly stable state, heck, we could just take that image and boot it back up in VMware and have our very own local copy of the system to work with. Cool.

So for slack space: typically when we have a file it's allocated a set of clusters, and clusters are essentially the way the operating system divides up the sectors of the disk. Every normal hard drive has 512 bytes per sector, and that's the smallest addressable unit of data that you can pull off at a time; you access data in sectors or groups of sectors at a time. The operating system will go one further on that and gather those sectors up into clusters, and it does that so it can keep a bitmap of which clusters are allocated and which clusters aren't, and it can keep logical pointers to those clusters that it uses to say, okay, this file's in this series of clusters, this series of clusters, and so on and so forth. Well, with this type of system there is some space wasted at the end of files: if you have a file that does not end on a cluster boundary, then the rest of that cluster is wasted, essentially. It's sitting there; it can't be used by the operating system to give it to another file or anything like that, it's just simply out there. So we have what's called slack space there, and that slack space will contain whatever data was in those sectors of that cluster before that file was allocated to it: so old files that have been deleted and then brought back, files that have been resized. You'll see this quite frequently with, like, INFO2 files in Recycle Bins; those INFO2 files that mark what files have been deleted will grow and shrink, and so you'll see the old contents of an INFO2 in the slack space of the current one. In this case we have two different kinds of slack here. There's the RAM slack, which is the remainder of data up until the next sector boundary, which is probably zeroed out; if you're looking at any Windows system past Windows 95B, that's going to be zeroed out, because that historically was containing data from RAM, so there would be a 512-byte buffer in RAM that would get written out to disk, and if you're only writing 20 bytes
out you could only put 20 bytes in there then who knows what's in that rest of that 512 byte buffer passwords and crazy stuff from programs in memory that being a serious privacy concern Microsoft and most of other modern operating systems have it rigged up to 20 that out the remaining sectors in that cluster have the potential goodies that's that's old contents of files that are in there either either contents of another version of this file or contents from some other file that was on the disk before so the question is is can't we do
all this on exploited systems already and it's true you can but it may require loading your forensics tools onto the victim system which would probably work but there's a problem here is any time we mess with the file system any time we load our forensics tools on to these things we impact it we may be overriding deleted data we're not that stealthy at that point we're have a huge footprint on disk and it's a little less elegant than what I'm proposing here so with
metasploit with meterpreter the the shell that you get whenever you're or if you use the meterpreter payloads the show that you get with meterpreter there's a function or some functionality built in term interpreter called railgun which really makes this stuff very easy railguns by a guy who goes by the name patrick heve dropping trying to drop docks on them and anything I can't find anything else about them i don't know i guess i could send them an email and tell them thanks but it's if any of you know patrick hve and anybody here Patrick hp5 hands okay so so if you're out there massive thanks for making this dead easy so Patrick HP has an extension from interpreter Ruby and basically on your local attacker post exploitation scripts or post modules you can make Windows API calls to the victims host and get your data right back in your the return values right back in your in your in your local Ruby script so basically we can make all sorts of arbitrary windows API calls locally and just have the results just piped right back to us so it's awesome for this if we can call
the windows api remotely we can access the disks like windows does we can access physical and logical logical block devices directly as long as we have permissions to do so which means we can read arbitrary sectors from the disk and literally that from that point on that's all you need to do forensics if we can say i want that sector i want that sector then then we're good we can start traversing out the master file tables and things like that and get at it so why not make this really dead easy and map those remote block devices to local ones so we have three tools for
that enum drives which simply lists out the physical drives and volume so you know what you're playing with there's an imager that does bite for bite imaging hashing split images also sorts of things that you would expect out of a normal forensics tools for imaging DD image masters and in n talons and things like that all of your handheld amateurs it can do all this sort of stuff but the coolest part of this is NBD server RB
now all of this stuff should be in the medicine svn right now it was supposed to be in there a couple days ago for my black cat talk I've been kind of avoiding the internet around here so so somebody else can verify this for me but if you do an svn update along with all the back doors that the guys here injecting you might get these tools as well if not then i'll make sure that they're available with NBD server you can run your forensics tools locally on local block devices they're mapped to remote block devices the way we do this is through a dirty dirty hack I didn't feel like implementing my own block device drivers or anything like that but there's a protocol in Linux called NBD which is a really dead easy protocol all to get programmatic blog devices so you can implement your own block device in code and just have it listening over TCP be locally or remotely or whatever you want to do really so of NBD we can we can map these things to local block devices that we can then do reading with and the way this code works the way it works has distributed there's only read only act there's only read only access so essentially we're right blocking too so we don't we have a minimal impact on the host so now we can have direct access with open so open source tools and Linux
So this is essentially a diagram of how it all works out. We have the disk; Meterpreter talks to it through the Win API; Metasploit talks to Meterpreter, and locally we have Railgun making those Railgun calls through the Windows API. We map /dev/nbd0 through NBD to that disk on the target, and we run our forensics tools on this. This works good for Linux tools, because NBD is supported in Linux, and so this is good for Sleuth Kit. Now, for Windows, I was a bit stumped. I was like, well, I'm going to have to write a Windows block device driver or something like that to get this working in there, and a couple of weeks ago, preparing my slides for this talk, I came up with a good stupid protocol trick to get this working in Windows very well. And that stupid protocol trick is to use iSCSI. So iSCSI is a little bit more complex of a protocol for block devices, but as it turns out, if I get an NBD block device in Linux, I can then map that as an iSCSI target in Linux and then have a Windows machine connect to that and treat it as a block device. So we have this stupid protocol trick: we're going over iSCSI, NBD, Meterpreter, Windows API, and straight back from there to the disk.

So the problems here: you're going over a network, so your mileage may vary. If it's around the world and over, you know, a phone line or something like that, then it's going to be slow. And on the other hand, if it's a very fast network that you're doing this over, you may be able to get a lot of response out of it, but you may not be so stealthy at that point, because you're, you know, pushing gigs of traffic over this thing. You may actually want to modify the code of this to try to throttle it, if that's a problem. It's possible there's a good cleaner cross-platform implementation to this: maybe instead of using NBD directly in Ruby we make our own Ruby iSCSI target that we can use. How hard could it be? For the conclusions for this: if you're a pen tester, go out there and wring some more data out of the systems that you break into. If you're a criminal, you know, get caught. But from this we can build capability for forensic examiners and penetration testers, and we can encourage people to use more secure wiping for their data.
And from that, now we're going to roll into our demos real quick, right here. We're going to see how much of this we can get through; we're going to see if all three of my VMs will behave. If not, then I'll just go back to the ferret. All right, you'll have to forgive me, I have some notes here on exactly how my demo goes. To introduce you to the actors in this demo: we have our victim over here running unpatched Windows XP Service Pack 3. I'm not on the wireless network right now, so don't even try. The thing is vulnerable to, probably, who knows how many things in Metasploit. We have our attacker here (get out of my way, forensics machine); we have our attacker here running Metasploit, which we're going to point at this thing. Metasploit here was updated 18 days ago; Metasploit 4 is out, I didn't want to update on here for fear of breaking my demo. And over here we have a forensics machine running Windows 7; we have AccessData FTK Imager and so on. So the first thing I'm going to do is make sure my victim didn't hop IP addresses on me, and we should be good. Yep, still sitting there right where I left it; thankfully no little suck images up on it or anything, that's good.
All right, so we're going to use, you know, one of my favorite exploits of all time. You ever have a favorite exploit that you know just always works? MS08-067, that's one right there. All right, and we're going to set our payload, let's zoom in a bit here: windows/meterpreter/bind_tcp. The tab completion sometimes takes a little while. All right, so we've set our payload. We're going to set our remote host, oops, 93.155, right where I left it, and we're going to hit it, and, big surprise, not quite zero-day, and we have success. All right, so we're in now. Any vulnerability would work for this, any exploit; you got some zero-day to drop into Metasploit, feel free to substitute as necessary. I'm keeping all my zero-days. So for this we're going to run some of these post modules here. We're going to run post/windows/gather/enum_drives, and that's going to list out the one physical drive that's on that VM, a 40 gig physical drive, as well as the logical drives that are there, so if that drive is partitioned out into multiple drive letters then it tells us about it. It also tells us the discs that are inserted; that's actually, I think, the DEF CON CD that's in the DVD drive there.

And now we map it to a block device, so we run the NBD server and we tell it we want the C drive. So now, for this, we have the backslashes Windows-style; you can do that in the Meterpreter shell, but you have to escape them. The forward slashes work just as well and you don't have to escape them, so much easier to do that. So now we have an NBD server listening, and over here we can take a look, we can connect to that NBD server. So we run nbd-client localhost, running on port 10005, and we want to map it to /dev/nbd0. So we've got that mapped, and now we can just take a look at it very quickly and verify that we are indeed looking at an NTFS disk here. So there's your partition boot record, and now for my next trick, we're going to mount that device directly. So now we can mount read-only that device to a little mount point that I have here for my victim, and it takes it a moment to do that. So a lot of the stuff that you're doing with remote forensics like this isn't the fastest stuff in the world; it's not nearly as responsive as working over a normal SATA cable. Some things take longer than others; this mount command took a while and tried to embarrass me during my Black Hat talk. But with that we can go into our victim and go into his Documents and Settings. "victim" is his username; even he wasn't holding out very high hopes. We can go to his Desktop folder, and there is a document full of personally identifiable information. We can, how do I know that, there you go. And if you're, you know, going to take cell phone pictures and stuff, don't bother, it's all from fakenamegenerator.com.

All right, so now we can run tools on this device as well. So we can unmount that; now we can run forensic tools like ntfsundelete, which is, you know, normally you'd want to use something like Sleuth Kit for this, but this is kind of built-in and quick and easy. So we can undelete any, let's delete something first, see if it works, actually let's just try undeleting CSVs. I did delete a CSV that was on here and we'll see if it finds it, and if it doesn't we'll just move on. While that's working, because that's going to take a moment, we're going to start up a new tab here and start showing you the iSCSI capabilities here. So with iSCSI we have /etc/iet/ietd.conf, and we have a, oops, "sudo make me a sandwich", attacker. So here we have this block device mapped to an iSCSI target on the Windows side of things. Okay, so it didn't find any deleted files there, so that's fine, we'll move on.

On the Windows side of things we can load up the iSCSI initiator, which is a buggy piece of crap, but it does work. I would hate to use this for anything other than leet hacks, because relying on this for enterprise stuff would probably really suck. Let's see, 93.163 is my attacker, so quick connect to that, and cross your fingers, guys, and hit this, this works. Oh, I need to start the iSCSI service, that would help. iSCSI start. All right, now we should be cooking with gas. 168.93.163, come on, connection failed. Let's start that up again; we'll give it one more chance here and then we'll call it a wash. Make sure my IP address hasn't hopped over here. Oh, 164, you little bastard, sneaky, just a moving target there. So here we are, we're connected, so now we have a block device that we can use in FTK Imager or any of your favorite forensics tools at this point. File, Add Evidence Item, and you can image these things; you can mount the images and use them in virtual machines, that sort of stuff. So we'll do it as a physical drive and point it to PhysicalDrive1, which is the virtual disk over iSCSI, moving over Meterpreter, moving over a million other protocols, and it takes its dandy time loading up, but it's a miracle it even works. And so speed improvements on this would be beneficial; we might implement some, not chaining iSCSI and NBD would probably help matters. Oh good, FTK's not responding now. Oh, here it comes back, just had to take its time. So now we have the physical drive here; we can navigate around this thing, we can look at unallocated space, we can run various and sundry undelete tools and any kind of scripts you have and get all the nice emails that they deleted. So with that, that basically concludes my talk. We're going to be moving over to the question-and-answer room, which is approximately four or five miles around this whole thing, and I'll answer any questions there. Thank you.
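As an added example (my code, not the talk's nbd_server.rb or anything from Metasploit), here is the server half of a read-only NBD export using the old-style NBD handshake, the mechanism the talk uses to map the remote disk to /dev/nbd0 on Linux. It is driven from plain IO objects so it runs offline; read_sectors slices a constructed eight-sector image and stands in for the Railgun-driven sector reads against the remote drive, and every request that is not a read is refused with EPERM, which is the write-blocking the talk describes.

```ruby
NBD_INIT_PASSWD, NBD_CLISERV_MAGIC = 'NBDMAGIC'.b, 0x00420281861253
NBD_REQUEST_MAGIC, NBD_REPLY_MAGIC = 0x25609513, 0x67446698
NBD_CMD_READ, NBD_CMD_WRITE, NBD_CMD_DISC = 0, 1, 2
NBD_FLAG_HAS_FLAGS, NBD_FLAG_READ_ONLY = 1, 2
EPERM, EIO, SECTOR = 1, 5, 512

# Constructed stand-in for the victim disk: 8 sectors, the first carrying an
# NTFS OEM ID so a client can recognise the partition boot record as in the demo.
def constructed_disk
  boot = "\xEB\x52\x90NTFS    ".b.ljust(SECTOR, "\x00".b)
  boot + (1..7).map { |i| i.chr.b * SECTOR }.join
end

# Stand-in for the remote sector read (a Railgun ReadFile call in the real tool).
def read_sectors(disk, offset, length)
  return nil if offset + length > disk.bytesize
  disk.byteslice(offset, length)
end

# Old-style greeting: passwd, magic, export size, flags, 124 bytes of padding.
# READ_ONLY tells the kernel client up front that the export is write-blocked.
def handshake(size)
  NBD_INIT_PASSWD + [NBD_CLISERV_MAGIC, size].pack('Q>Q>') +
    [NBD_FLAG_HAS_FLAGS | NBD_FLAG_READ_ONLY].pack('N') + ("\x00" * 124).b
end

# Client-side request encoding (28 bytes): magic, type, handle, offset, length.
def request(type, handle, from, length)
  [NBD_REQUEST_MAGIC, type, handle, from, length].pack('NNa8Q>N')
end
def reply(error, handle, data = ''.b)
  [NBD_REPLY_MAGIC, error].pack('NN') + handle + data
end

# Serve one request; returns its command type, or nil on EOF or bad magic.
def handle_request(disk, input, output)
  hdr = input.read(28)
  return nil if hdr.nil? || hdr.bytesize < 28
  magic, type, handle, from, len = hdr.unpack('NNa8Q>N')
  return nil unless magic == NBD_REQUEST_MAGIC
  return type if type == NBD_CMD_DISC
  if type == NBD_CMD_READ
    data = read_sectors(disk, from, len)
    output.write(data ? reply(0, handle, data) : reply(EIO, handle))
  else
    input.read(len) if type == NBD_CMD_WRITE  # drain payload, never touch the disk
    output.write(reply(EPERM, handle))        # write-blocking: refuse everything else
  end
  type
end

# Greet, then serve requests until the client disconnects.
def serve(disk, input, output)
  output.write(handshake(disk.bytesize))
  loop { t = handle_request(disk, input, output); break if t.nil? || t == NBD_CMD_DISC }
end
```

Fed a TCP socket instead of the IO objects, the same functions would let nbd-client attach the export to /dev/nbd0, with the READ_ONLY flag telling the kernel up front not to issue writes.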