Introduction to analysing full disk encryption solutions

I’ve written a couple of times on the subject of boot loaders and full disk encryption, but I haven’t really explored it in more detail. With this blog post I hope to dive a bit deeper into how to actually start performing this type of analysis and why it is useful to perform. I’ll start with the usefulness first and then go into the part on how to do it, but will not be fully reversing a disk encryption boot loader. I won’t be doing a lot of hard-core reversing like finding vulnerabilities within the cryptographic operations or reversing custom filesystem implementations, but will hopefully provide enough information to get started in the area of reversing unknown boot loaders.

The approaches and techniques described in this blog post are most useful when applied to full disk encryption (FDE) solutions that are configured to not require pre-boot authentication. The reason being that you could then potentially obtain the disk decryption key. If the solution requires pre-boot authentication, the information that you can obtain might be reduced to meta-data or ‘deleted’ files. Which brings us to the question: why is this type of analysis useful?

I didn’t fully realise why this is useful until a couple of years ago, when a colleague introduced me to the wonders of all the (hidden) information that FDE solutions may contain. Let’s look at the type of information that you may encounter while investigating these solutions:

  • (encrypted) Hidden file systems
  • (obfuscated) Encryption keys
  • Usernames
  • (hashed/encrypted) Passwords
  • Windows domain credentials
  • Configuration information of the FDE solution
  • Files marked for deletion
  • Finding 0days and bypassing encryption

Based on the above list of items we can pretty much conclude that analysing FDE solutions is useful from an offensive as well as from a defensive point of view. It can either help us to breach a target network or obtain sensitive information as well as collect forensic evidence or aid us in understanding the specific cryptographic implementation to enable us to decrypt the disk and analyse it. The helper tools I’ve used in this blog post can be found here. Keep on reading if you want to know the rest of all the details and the process I usually follow. I’ll try to describe the following steps:

  • Creating a (partial) copy of the disk
  • Analysing the disk
  • Static & dynamic boot analysis

Since I don’t have easy access to disk encryption software with the exact features I’d like to analyse I’ll be using DiskCryptor as an example product.

For some reason it seems that the products with the most interesting features to reverse engineer have a horrendous ‘request trial’ process as well as not providing trials to a random researcher on the internet :( sad panda :(

The other reason to use DiskCryptor is the fact that it is open source, thus enabling people that want to get started with this type of stuff to more easily understand difficult snippets of assembly. My personal approach to a lot of reversing challenges usually revolves around finding a similar open source variant first or finding the open source components used in the proprietary solution if applicable. Reason being that it makes your life a lot easier to understand not only general concepts, but also specific code quirks. A very nice explanation on finding as much information as possible before you start reversing is given by Alex Ionescu in his OffensiveCon keynote ‘Reversing without reversing’.

Oh and there is no specific goal, besides just explaining my general thought process. As a side note I am no reverse engineering expert, so feel free to correct me :-)


Remote NTLM relaying through meterpreter on Windows port 445

The hijacking of port 445 to perform relay attacks or hash capturing attacks has been a recurring topic for a while now. When you infect a target with meterpreter, how do you listen on port 445? A few weeks ago this topic resurfaced again in part due to Dirk-jan (@_dirkjan), who saw this question flying by in the #bloodhoundgang Slack channel and asked me to look into it. This sounded like fun to figure out and he promised that if it worked, he’d document a working setup that would be able to perform SMB relay attacks through meterpreter. Turns out, this is an already solved problem with readily available tools out there, but not a lot of people are aware of the solution.

We will explain how you can leverage these tools to perform relay attacks on a target on which you have a meterpreter session. The added benefit of this approach is the fact that you don’t need python2exe or a whole python stack on the infected host, just a simple driver and a meterpreter infection will do the trick.

The first part of this blog will focus on the thought process of being able to hijack port 445 and the second part of this entry will focus on making it usable for relay attacks. If you want to skip the thought process and relay setup you can also skip directly to the already available solution:

The rest of this entry is divided into the following sections:

  • Who is the owner of port 445?
  • Hijacking and redirecting port 445
  • The full SMB relay setup through meterpreter

Please note that we took the easy route while writing this blog post and just put all the files on the disk. If you want to avoid that we suggest that you use a ram disk solution or expand the current meterpreter in-memory execution functionality to support something similar to this.

In addition there is a high probability that you either have to recompile the source of the solution statically to ensure you won’t be needing additional DLL files or you’ll have to bundle those DLL files. All this is however left as an exercise to the reader ;)

Creating a ram disk through meterpreter

The magical ‘in memory execution’ option of meterpreter is of course one of the better options that we as attackers love to use. However if you want to store ‘random files’ in memory or need to execute more complex applications which contain dependencies on other files, there is no ‘in memory’ option for that as far as I know. To be more specific, on Linux you can do it with built-in commands, on Windows you need to install third party software (list of ram drive software). I decided to dig into it and see if I could achieve this through a meterpreter session. The reasons for wanting a ram disk are multiple, if you are still wondering:

  • store stolen data in memory only, until you can move it
  • execute applications which require multiple files
  • running multiple legitimate files from memory

You might be asking, why not use it to bypass AV? This is of course possible, but you would need to modify the driver for this to work and ask Microsoft to sign it. To bypass AV there are enough methods available in my opinion, I sometimes just want to be able to store multiple files in memory.

Where to start? I decided to start with the ImDisk utility for two reasons:

  • It is open source
  • It has a signed driver

The first reason allows me to better understand the under the hood stuff, the second reason allows me to use it on Windows versions that require a signed driver. First thing I tried is to use the bundled tools, but it seems that the command line interface has a dependency on the control panel dll file. I tried a quick recompile, but then I thought, why not code my own version? The original version includes, amongst other things, the ability to load and save the ram disk as an image file and for the moment I won’t be needing that functionality. So I decided to code my own reduced functionality version of the original client. It would have been easier to just use the original client, but this was more fun and taught me a thing or two about driver communication.

The original source code was very very clear, which made it a breeze to hack together some code to talk to the driver. I still need to add way more error handling, but for now it does the job and you can use it through meterpreter. Be aware of the fact that it still leaves traces on the regular hard disk, as explained in this blog. A short overview of the traces left behind:

  • The dropped driver
  • The registry modifications to load the driver
    • The driver loading does not use a service, thus there is no evidence of a service creation
  • The mounted ram disk
  • Traces of files executed or placed on the ram disk

For me the benefits of having an easy way to execute multiple files from memory outweigh the above mentioned forensic artefacts. In addition it becomes more difficult to retrieve the original files, unless the incident response team creates a memory image or has access to a pre-installed host agent which retrieves the files from the ram disk. Let’s get practical, here is how to use it through a meterpreter session (I won’t go into details on how to obtain the meterpreter session):


MySQL UDF Shells

Nostalgic feelings all over the place. Just found this baby :) ugly code but when I needed it it sure did its job. I even seem to have implemented some kind of rudimentary “social engineering”. When the wrong password is supplied to the bind shell it will respond with “FTP ACCESS DENIED”. Intention was to have people think it was some kind of FTP daemon, so if they attempted a brute force it would be wrong from the beginning.

The command execution shell

http://pastebin.com/f22735864

The bind shell

http://pastebin.com/f611f0ba2

The reverse shell

http://pastebin.com/f5e167b65

SniffDoor

Some sources from the old KD-Team website. This time it’s a connect back shell which gets activated when a certain keyword is seen in passing traffic. The advantage of this is that you can activate your shell without raising too much suspicion. One thing though… it’s buggy. I made this back in the day and never bothered to fix some things. AFAIK it works under Windows XP SP2; if it doesn’t, well… try and fix it. I haven’t tested it in a long while.

here

[POC] RFI Scanner

Well it certainly is true, why not? That question never has a correct answer imo. It is the same question I asked myself yesterday. I was thinking about what to write on my blog (I was bored and thought that blog writing could help); after a while I just gave up (so lesson learned: only write when you actually have something to write). So today I fired up my browser (for the ones wondering, this is a personal opinion, I use: Opera {FTW!}, IE {nice}, FF {sucks}, I use them depending on what I need) and the first thing I saw was this. Which is funny since it’s just a couple of days ago that I posted about python and now I see a nice and small python script to do funky stuff.


Old Rootkit Detection

Well, in my quest to move my old kd-team.com tools and papers to my new blog, here is another one from the old website. Two ways to detect rootkits: one of them doesn’t work anymore (assuming all rootkits hook the function used back then), the other one I don’t know, haven’t tested it lately. Here are the readmes and the source code.
