An Overview of Real World Account Hacking Strategies

<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC99n6Ei2bimNgq8igV3oQ89haDa4oa8mZbP6dxN9rzUf9xJ5392rkHE4K53EDJfCWyNBnDm8Z-tQjV0zQLKl3i1iz2FDsVyLfS8ktInF1EKkkeI4GBJRxSYiyTE7_jFq5JGBZcUYonLI/s1600/hacked.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC99n6Ei2bimNgq8igV3oQ89haDa4oa8mZbP6dxN9rzUf9xJ5392rkHE4K53EDJfCWyNBnDm8Z-tQjV0zQLKl3i1iz2FDsVyLfS8ktInF1EKkkeI4GBJRxSYiyTE7_jFq5JGBZcUYonLI/s320/hacked.jpg" width="320" /></a></div><br />I often get sick and tired of reading comments underneath a white-hat hacking tutorial, asking “<a href="http://www.rafayhackingarticles.net/2009/08/how-to-hack-gmail.html"><b>how do I hack a Gmail</b></a>”, “<a href="http://www.rafayhackingarticles.net/2009/07/how-to-hack-facebook-account.html"><b>How to hack Facebook account</b></a>”, etc by people that don't really understand the fundamentals of what they are asking. Then there are the RATters, bot masters, and others spreading Trojans with their back-doored, fake Facebook-Hacking programs, that prey on the ignorant people who downloads them.<br /><br />While the “Master Hack” would be to find some insane Zero Day in the web application front end of the website's own servers, attacking them directly and pwning their massive database. That's just not going to happen. Surely not by anyone who has to ask “<b>how to</b>”. I'll tell you why. Google, Yahoo, Facebook (ANY of the big wheels in the cyber world) have entire teams of security specialists, constantly upgrading, monitoring, and researching their entire internal network infrastructure. Nothing connected to a network is ever 100% Secure, though, so I guess if you're a noob you may still have something like a 0.00000001% chance of accidentally finding a way in, before it is found and patched. They also have all the money in the world to ensure they are not running outdated or unsafe SQL versions or rules. Then we come to brute-forcing.. A semi direct attack. Anyone who has (in the last SEVERAL Years) tried guessing a password to an account on any of the big sites more than a few times and locked down the account after so many wrong guesses can quickly ascertain why it wouldn't be wise to throw 50 wrong guesses per second at one.<br /><br /><a name='more'></a><br />I could go on and on about impractical theories and misconceptions, but let's get to the fun part. I will go over how accounts are actually getting hacked into in the real world. This isn't a tutorial. Just an overview of various real world strategies, that don't take much technical know-how. It is more of a cleverness skill-set than a programing one, most of the time.<br /><br />The majority of hacked accounts happen via simply stealing passwords to accounts. Once the attacker has the credentials, there are still often hurdles to overcome, in today's world. Most having to do with the security settings of the website and account, itself.. The attacker may be in a different country, and then the account may automatically lock down and require verification (via SMS, alternate email, etc). Not always, but I promise it does happen quite often. In this case he would have to be careful to use a proxy or vpn that matches the same location as the victim, or perhaps find a tor exit node via AdvOR that is of the same location. But the problem with using freely available proxies, vpns, and exit nodes are that they quickly become blacklisted by spammer usage and get flagged by the website. Also, many of the free proxies have very limited bandwith or restrictions. Most of this can be worked around for a few bucks, though.<br /><br />The methods for stealing creds are far and wide, local and remote, and ever evolving in a war with the ever evolving security industry. The same industry that funds research into hacking their own systems and teaching the world how to break into them, in order to funnel more importance and money into their cause. But the economics and politics are a whole other subject.<br /><h4>PHISHING</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjU6H0U9QEOlsGiK-UxS6ovlCg7rAodpEmjpyXfLGBCZoNU1J6GDVhIfgdrKEyFPu47Jg5fCk5nmQF95OW63VbUD-ZXC84DeDoWcHNVEmPzEiEq0zhUydxYqT4EEhYRvH6KVIp0CjTmpE/s1600/phishing.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjU6H0U9QEOlsGiK-UxS6ovlCg7rAodpEmjpyXfLGBCZoNU1J6GDVhIfgdrKEyFPu47Jg5fCk5nmQF95OW63VbUD-ZXC84DeDoWcHNVEmPzEiEq0zhUydxYqT4EEhYRvH6KVIp0CjTmpE/s320/phishing.jpg" width="320" /></a></div><div><br /></div>In this method, the attacker attempts to direct unwary users to a fake login page, usually by spamming the url. Spam urls used to be most prevalently done via massive email lists, but is quickly being replaced by fake accounts on social media sites. Anyone can make a fake account of a pretty girl and get circles of thousands of friends very quickly. Sometimes the victim has malware or a network intrusion that is redirecting them to the malicious page. But either way, the point is, the victim is tricked into visiting a fake page that looks like the real one and if the victim fills out the username and password fields, a php script writes the values to a log on the attacker's server.<br /><br />The usual step-by-step for this technique is by uploading the fake, modified webpage, the script, and log to a web-hosting provider. But they are on the watch for that, these days and most phishing pages are actually being run on an apache server on the attacker's own box, with port 80 forwarded to it from the router and the obfuscated url actually pointing straight to their external ip (I know. Sad but true.), there are others hosted from a paid bullet-proof hosting service.<br /><h4>RATs, Keyloggers, Botnets, Stealers, and Other Trojans</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSr3dsR_GcLR3xTehSPULEO8TZ47r1PaOe6ro40fUevxrNrJsXEnulXPkAd5N-J63IVkxgCZMrqS6Z4qPnrpYiQxRwX8DyMMcKtJf6JM4mbKt9l44MiPf_RJ-mAG8-okKMLhYJeOPkdAI/s1600/How-to-Remove-TrojanWin32BeeVry.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSr3dsR_GcLR3xTehSPULEO8TZ47r1PaOe6ro40fUevxrNrJsXEnulXPkAd5N-J63IVkxgCZMrqS6Z4qPnrpYiQxRwX8DyMMcKtJf6JM4mbKt9l44MiPf_RJ-mAG8-okKMLhYJeOPkdAI/s320/How-to-Remove-TrojanWin32BeeVry.jpg" width="320" /></a></div><div><br /></div>These days, trojans come far and wide with easy to use client interfaces. Most, such as RATs, Consist of a client and a server builder. The server is the malicious exe that will report back to the client via reverse tcp (usually), through the port specified. The server exe can be crypted, have icons, various install options, as well as persistence, process and default browser injection... In other words they can be hard to get rid of for the average user. Once crypted and tested, the server exe is usually binded to some software or the file extension is spoofed with charmap to reverse the characters to make it look like a jpg, then a real jpg is converted to a .ico and used as the icon. They are spread in warez, malicious urls hosting a jdb (Java Drive-By) that tries to execute the code through the browser, and sometimes via a direct client-side attack with an exploit kit or metasploit that attempts to execute the malicious exe via a vulnerability in a program on the victim's box.<br /><br />Once an attacker has r00t, or even user privilege on the victim's machine, the server will report to the client what functions it was designed to do, this can (AND WILL) include keystrokes, screenshots, control of processes on the victim computer, remote desktop, and spy features, such as webcam and mic control (He can watch you and listen to you and save all of it!!!!).<br /><br />Keyloggers, file-stealers, and password-stealers are pretty self explanatory. Usually the malicious exe is built to deliver to an ftp. Sometimes smtp. Botnets are usually specified for only specific functions and are geared more toward mass infection. The client side of a botnet is a builder executable and a control panel run on a local (or remote hosted) server and accessed via a web interface with a common browser.<br /><h4>MITM (Man in the Middle) Attack</h4><div class="separator" style="clear: both; text-align: center;"></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4M-e_ewb9OZKY0c3FzkzFj9EIYZzv54L1IUooRyWpcaKUoKIk7zS72DsbtcK7fyat-TBTszrLgf5lh0h7MyxalDnQyVpZvQ2dIJVCGikVfukxFeClRDRs_8gVJSnFkhEgG7ffULdIt54/s1600/maninthemiddleattack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4M-e_ewb9OZKY0c3FzkzFj9EIYZzv54L1IUooRyWpcaKUoKIk7zS72DsbtcK7fyat-TBTszrLgf5lh0h7MyxalDnQyVpZvQ2dIJVCGikVfukxFeClRDRs_8gVJSnFkhEgG7ffULdIt54/s1600/maninthemiddleattack.jpg" /></a></div><div><br /></div>These attacks are not really geared toward mass-victim hacks... But that is what makes it more scary. I would much rather an attacker have my creds buried among 100,000 others that he has, than someone sitting across the room spending hours reading packets to have me and 3 others' credentials. It is usually more focused on the victim and specified. This is not a rule. It is just how it usually occurs in the real world.<br /><br />In a MITM attack, the attacker is usually running an automated script  that spoofs his MAC address, blocks usage of SSL encryption (via sslstrip, etc), and captures packets between machines. The attacker machine will basically tell the victim machine that he is the router and tell the router that he is the victim machine, and it will then pass along the packets to the destination device, like he was never there. SSL is usually blocked by a script that enforces http only, thus leaving creds passed along the network in plain text. Sometimes a favicon is even added that looks like a lock, so that it gives the impression of a safe, encrypted network protocol. <br /><br />There are many variations to local network attacks. Some try to inject malicious iframes into the victim's browser or other client side attacks. Some don't capture creds or block SSL, but just capture the session cookie, losing access as soon as the victim logs out or it expires. Some even broadcast a fake access point. Most are done in public wifi networks. Some are corporate espionage type attacks, but by far, most are coffee shop/parking lot attacks by bored teenagers running automated scripts on a backtrack or kali linux machine.<br /><h4>The Local Attack </h4>These are typically done by stalkers or nosy friends that find portable, easy to use forensic programs online, put them on a USB stick and play with someone's computer. They look for lots of things, including deleted files. But for this discussion, they look for account passwords saved by the browser of a naive user who doesn't clear his  history, saved form data, passwords, etc.<br /><h4>Guessing</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVKMGbqWKION34ts5Ht1JkIUl6KPNwEa1NTKLScV8akNRsw22otNI8tmZsQ45m59Pfq-8Z-5rJbiIArc8dSG7PQZ5WvsnbjRFZd_fUg2UqmaHkO7m3Vw4w_3k-8UyGBImzAppBtFdvrxo/s1600/300_231539.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVKMGbqWKION34ts5Ht1JkIUl6KPNwEa1NTKLScV8akNRsw22otNI8tmZsQ45m59Pfq-8Z-5rJbiIArc8dSG7PQZ5WvsnbjRFZd_fUg2UqmaHkO7m3Vw4w_3k-8UyGBImzAppBtFdvrxo/s1600/300_231539.jpg" /></a></div><div><br /></div>Hey I know it sounds crazy, but many a social engineer has found answers to security questions in someone's email on social networks, or just asked them in conversations or knew them already, and then reset the passwords to their accounts. Never know.<br /><br />I didn't get into <a href="http://www.rafayhackingarticles.net/search/label/sql%20injection">SQL injection</a> or other hacking on smaller sites and trying the same Creds you find there, onto the big sites, but it happens, too.<br /><br />That concludes my overview of attack strategies that are common-place in the real world. Yes, there are many ways to get into things and many more will evolve. Some of these may be obsolete, in the future. But for the purposes of this discussion, this is how it is actually being done.<br /><br />GJL</div><h4>About the Author</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN9r95rgc1OEDmb1CLZh5KzU6G0cvYKxdquI2w1FtylyLNgYRjOR0SKXce9rVXiw2MQAqgC1ORiUR28yCe-H_WmNCCC8leVkV1RdruCdI6LiwPoSeKVb5n-apTw2ZbwepoIlt5xpgHTeE/s1600/954433_240088456157351_1866033370_n.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN9r95rgc1OEDmb1CLZh5KzU6G0cvYKxdquI2w1FtylyLNgYRjOR0SKXce9rVXiw2MQAqgC1ORiUR28yCe-H_WmNCCC8leVkV1RdruCdI6LiwPoSeKVb5n-apTw2ZbwepoIlt5xpgHTeE/s320/954433_240088456157351_1866033370_n.jpg" width="226" /></a></div>I'm Gary. Though I have many names in many places, this is my true one. I am honored to have been invited by the <b>RHA</b> InfoSec to create content. I can't really go all the way into my experience, suffice to say my greatest teachers have been hours upon hours of trial, effort, information and second opinions.<br /><br />My skill-set is wide and varied and I am more a "Jack of all trades", rather than a specialist in any one category. I stay pretty busy with various projects (not all is computer related), but I will do my best to lend my time, effort, and knowledge. If I am busy or unable to answer any of your inquiries or handle your requests, for whatever reason, then I am sure Rafay, or Preston or any of the others can when they are able. Last but not least. I (PERSONALLY) do not want your likes, recognition, attention, traffic, or friends. Please save all of that for Rafay and the <a href="http://facebook.com/rafayhackingarticles" rel="nofollow" target="_blank">RHA Page</a>. These guys have put this together, for you and deserve all recognition for it. Thank you.</div>

An Overview of Real World Account Hacking Strategies

I often get sick and tired of reading comments underneath a white-hat hacking tutorial, asking “ how do I hack a Gmail ”, “ How to hack Face...

+ Read more »

phpThumb Server Side Request Forgery

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiei_lPFPhk43RcLJl08e_gbCbrg4hJ2XHZuQSFabJbkoad0GYYruzQWM9UJrnm40J_wx46gwyKEfMldUnQGGT2FXsk_MkKHeWiHl1havuJ0DWcDgJdWbxpgeR7d78CFqbwOy6Wjg0tIaM/s1600/blackhat_hackers.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiei_lPFPhk43RcLJl08e_gbCbrg4hJ2XHZuQSFabJbkoad0GYYruzQWM9UJrnm40J_wx46gwyKEfMldUnQGGT2FXsk_MkKHeWiHl1havuJ0DWcDgJdWbxpgeR7d78CFqbwOy6Wjg0tIaM/s1600/blackhat_hackers.jpg" /></a></div><br />Recently me along with my friend "<b>Deepankar Arora</b>" discovered a server side request forgery vulnerability inside of the phpThumb's latest version. The vulnerability is not inside the script itself, bit it occurs due to the fact that the webmasters do not configure phpThumb properly and also due to the fact that the high security settings were not turned on by default until now, before we talk about the details, let us briefly introduce the readers to SSRF vulnerability.<br /><a name='more'></a><br /><h4>What is a Server Side Request Forgery?</h4>A server side request forgery is not a single vulnerability, however it represents different classes of vulnerability which includes attacks such as XXE, http response splitting etc. In a server side request forgery an attacker creates forged packets to communicate with the intra/internet by using the vulnerable server as a pivot point. Several other different attacks can be performed, however we will keep it at a basic level so that they can be understood easily.<br /><h4>Explanation</h4><br />The debug mode in phpThumb was introduced for trouble shooting purposes, however the debug mode when turned can result in a server side request forgery. By exploiting it a SSRF vulnerability an attacker may be able to scan local or remote ports, fingerprint services etc.<br /><br />Let's take a look at the piece of code responsible for fetching an external image:<br /><blockquote class="tr_bq">if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error, $phpThumb->config_http_fopen_timeout,<br />$phpThumb->config_http_follow_redirect)) {<br />        $phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.') succeeded'.($error ? ' with messsages: "'.$error.'"' :<br />''), __FILE__, __LINE__);<br />        $phpThumb->DebugMessage('Setting source data from URL "'.$phpThumb->src.'"', __FILE__, __LINE__);<br />        $phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));<br />    } else {<br />        $phpThumb->ErrorImage($error);<br />    }<br />}<br /> if ($rawImageData = phpthumb_functions::SafeURLread($_GET['<b>src'</b>], $error, $phpThumb->config_http_fopen_timeout,<br />$phpThumb->config_http_follow_redirect)) {<br />            $md5s = md5($rawImageData);<br />        }</blockquote><br />The above code is responsible for fetching an external image file with the "src" parameter. The code doesn't checks if the image retrieved is actually a valid image i.e. .jpg, .png, .gif etc. Therefore, under debug mode set to "<b>True</b>" it would display the error message received from the lower layer network sockets which would enable an attacker to launch a server side request forgery attack.<br /><br />Furthermore, I noticed that there was a validation being performed for protocols such as <b>file://</b>.<br /><br /><b>if (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {</b><br /><br />However, this doesn't prevent this attack completely, as an attacker may be able to leverage other protocols such as gopher://, dict:// etc in order to exploit this vulnerability.<br /><div><br /></div>Scanme.nmap.org has known ports 22, 80 and 25 open, In case where the server errors are turned on, there would be a distinct response by probing open ports vs closed ports.<br /><br /><h4>Proof of Concept</h4><br /><b>http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=<span style="color: red;">http://scanme.nmap.org:22</span>&phpThumbDebug=9 </b>// Open Port  <br /><br /><b>http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=<span style="color: red;">http://scanme.nmap.org:80</span>&phpThumbDebug=9</b> // Open port  <br /><br /><b>http://site.com/phpthumb/phpThumb.php?</b><br /><b>h=32&w=32&src=<span style="color: red;">http://scanme.nmap.org:1337</span>&phpThumbDebug=9 </b>// Closed port<br /><br /><b><u>Probing For Open-Port 80</u></b><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhUGOULWpFoBCGxLZarHdM2BMVkmj0EYJCz_lWMBGrwAsh-NSrw9EMZpo5ns3kJo_YHugzmatt-XKKQcH00OpVFJCvOotM4m94rCupIh8bgj8vXIj-oxLJhpMFomTPirS2vzoPZml59aw/s1600/openport2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhUGOULWpFoBCGxLZarHdM2BMVkmj0EYJCz_lWMBGrwAsh-NSrw9EMZpo5ns3kJo_YHugzmatt-XKKQcH00OpVFJCvOotM4m94rCupIh8bgj8vXIj-oxLJhpMFomTPirS2vzoPZml59aw/s640/openport2.png" width="577" /></a><b><u></u></b><br /><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u>Probing For An Open-Port 22</u></b>  <br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHxz1x3XLPIW-CzOzF9P6krdtY9CqpGmsfDIX4JgWNegHXIdNNRofd80keqCvD4j-g1VWObX9ulopOuen0pUd_7z3LCmuxml2pS2qNtto6eLa6aZY24PpolyuetNEHQyb5ynPnUZ6zsOQ/s1600/openport.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHxz1x3XLPIW-CzOzF9P6krdtY9CqpGmsfDIX4JgWNegHXIdNNRofd80keqCvD4j-g1VWObX9ulopOuen0pUd_7z3LCmuxml2pS2qNtto6eLa6aZY24PpolyuetNEHQyb5ynPnUZ6zsOQ/s640/openport.png" width="577" /></a><br /><br /><br /><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><u>Probing For a Closed-Port 1337</u></b><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8AfaeeAivWQZJ41VtrmLs_ZA99cwGa3XcYrjnYQLH3cPobZ7-LWRGJz59ciJbl7eBz7vPGzYqqqbLXiWkg3Hbt-A13qPvN6JqxM8q6TNOgF3XYPqBM5nJKzokll5hhH-lPn1213k8FPk/s1600/closedport.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8AfaeeAivWQZJ41VtrmLs_ZA99cwGa3XcYrjnYQLH3cPobZ7-LWRGJz59ciJbl7eBz7vPGzYqqqbLXiWkg3Hbt-A13qPvN6JqxM8q6TNOgF3XYPqBM5nJKzokll5hhH-lPn1213k8FPk/s640/closedport.png" width="577" /></a><br /><b>SSRF Inside-Out</b><br /><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">In the similar manner an attacker may be able to leverage this attack to scan ports for the intranet. Following are the most common hosts found on the intranet that is worth looking for. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>1)</b> intranet</div><div class="separator" style="clear: both; text-align: left;"><b>2) </b>webmail</div><div class="separator" style="clear: both; text-align: left;"><b>3)</b> jira</div><div class="separator" style="clear: both; text-align: left;"><b>4)</b> helpdesk</div><div class="separator" style="clear: both; text-align: left;"><b>5)</b> bugzilla</div><div class="separator" style="clear: both; text-align: left;"><b>6)</b> localhost</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">In case where the debug mode is disabled, the attacker would receive the following error message:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbQAmlRYCgSwOhVOFfGY92qTGONQykuYlXtE1V7W4QyVDW9NWzy3v91tFHD0KrXmph8CphZTsZDgVZqX7IHcB9NVpAtCSShzdR2otpR6BRAiTIwD3h7JW4K39gbauLr-qKUf8wf3D5T2w/s1600/phpThumb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbQAmlRYCgSwOhVOFfGY92qTGONQykuYlXtE1V7W4QyVDW9NWzy3v91tFHD0KrXmph8CphZTsZDgVZqX7IHcB9NVpAtCSShzdR2otpR6BRAiTIwD3h7JW4K39gbauLr-qKUf8wf3D5T2w/s640/phpThumb.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>Recommendations</b></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both;">It is recommended to turn off the "debug" mode. The debug mode can be modifying by changing the following lines inside the PHP code. </div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><b>"$PHPTHUMB_CONFIG['disable_debug']= <span style="color: red;">false</span>;" </b></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">With: </div><div class="separator" style="clear: both;"><b><br /></b></div><div class="separator" style="clear: both;"><b>"$PHPTHUMB_CONFIG['disable_debug']= <span style="color: red;">true</span>;".</b></div><div class="separator" style="clear: both;"><b><br /></b></div><div class="separator" style="clear: both;"></div><h4>Fix</h4><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><b>1)</b> The authors explicitly disabled all other protocols then http/https/ftp protocols. This minimizes few of the attack vectors.</div><div class="separator" style="clear: both;"><b><br /></b></div><div class="separator" style="clear: both;"><b>https://github.com/JamesHeinrich/phpThumb/commit/457a37d4a22ac9cdbbfe19577376622e58df81b0</b></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"></div><div class="separator" style="clear: both;"><b>2) </b>The debug_mode has been disabled and the "High Security Mode" has been enabled by default in version phpThumb 1.7.12. Take a look at the author's note:</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5rC533MtAQYQiwLNF6sehjTiiU0RssgZTZh5S4MWz1msi4sgQfMR2eG4wbTRgiR5ViDVMlNsGpMvaiTtdZlcyAdLRqEEpP3oBQbamSUpDSjJkd4IjHGrF2TMdCxzXEd5f1av8xwCzLGY/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5rC533MtAQYQiwLNF6sehjTiiU0RssgZTZh5S4MWz1msi4sgQfMR2eG4wbTRgiR5ViDVMlNsGpMvaiTtdZlcyAdLRqEEpP3oBQbamSUpDSjJkd4IjHGrF2TMdCxzXEd5f1av8xwCzLGY/s640/1.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHeS9c8YSXggfMvaO-CGGJYXMzLGDl-k_sUeU2FDRqfZKdi5lprjQKJ066LPoFtZcrAxVS_Dx5UfMbY5wMMvwBw744i_GwEFl0Io2lxcPEu9uloGwSfvCk9XHCFTSqpmcLvBvL0gaME8M/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHeS9c8YSXggfMvaO-CGGJYXMzLGDl-k_sUeU2FDRqfZKdi5lprjQKJ066LPoFtZcrAxVS_Dx5UfMbY5wMMvwBw744i_GwEFl0Io2lxcPEu9uloGwSfvCk9XHCFTSqpmcLvBvL0gaME8M/s1600/2.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both;"><b>3)</b> Further security improvements are to be done in the future versions.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">Special thanks to "<b>David Vieira-Kurz</b>" from Majorsecurity for his advice on this issue. </div></div>

phpThumb Server Side Request Forgery

Recently me along with my friend " Deepankar Arora " discovered a server side request forgery vulnerability inside of the phpThumb...

+ Read more »

XPATH Injection Tutorial

<div dir="ltr" style="text-align: left;" trbidi="on"><div style="text-align: left;">XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.<br /><br />We are gonna learn using simple example. Download code from <a href="http://www.4shared.com/zip/SleYPtv8/xpath.html" target="_blank">here</a> & put it in your local server directory.(Code is created by <a href="https://twitter.com/amolnaik4" target="_blank">Amol Naik </a>)<br /><br />Sample XML Document which we gonna use:-<br /><br /><Employees> <br /><!-- Employees Database --> <br />  <Employee ID="1"> <br />    <FirstName>Johnny</FirstName> <br />    <LastName>Bravo</LastName> <br />    <UserName>jbravo</UserName> <br />    <Password>test123</Password> <br />    <Type>Admin</Type> <br />  </Employee> <br />  <Employee ID="2"> <br />    <FirstName>Mark</FirstName> <br />    <LastName>Brown</LastName> <br />    <UserName>mbrown</UserName> <br />    <Password>demopass</Password> <br />    <Type>User</Type> <br />  </Employee> <br />  <Employee ID="3"> <br />    <FirstName>William</FirstName> <br />    <LastName>Gates</LastName> <br />    <UserName>wgates</UserName> <br />    <Password>MSRocks!</Password> <br />    <Type>User</Type> <br />  </Employee> <br />  <Employee ID="4"> <br />    <FirstName>Chris</FirstName> <br />    <LastName>Dawes</LastName> <br />    <UserName>cdawes</UserName> <br />    <Password>letmein</Password> <br />    <Type>User</Type> <br />  </Employee> <br /></Employees> <br /><br /></div><h3 style="text-align: left;">Bypass Authentication:-</h3><div style="text-align: left;"><br />Browse to the login.php page; here we can see simple login form.</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB8sxBj2S55WlPZ4mVuBs-Diw_um4SRfFKyWrsXO801LcrukgFkMt1RDQTKWD2vu0R-8p1kRSJ669oOdj-Dp62NlCEVtyAFcwQ8KMn34zUAHHlcHbG1tyJABLHOHEjDkY_B_-o63SiTesx/s1600/login.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypass Authentication" border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB8sxBj2S55WlPZ4mVuBs-Diw_um4SRfFKyWrsXO801LcrukgFkMt1RDQTKWD2vu0R-8p1kRSJ669oOdj-Dp62NlCEVtyAFcwQ8KMn34zUAHHlcHbG1tyJABLHOHEjDkY_B_-o63SiTesx/s320/login.PNG" title="Bypass Authentication" width="320" /></a></div><br />If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:<br /><br />Username: ' or '1' = '1<br />Password:  ' or '1' = '1<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxxz-G_O96__WMxFJnBetfZYT93ojXfkljZpKTd6OfGWXYuTleCilK8fsBqadrEGriYo7o84GPVMe6KdxfIG7s7EisWvygsiTZZSJey-Mcwhj6M3fFxBjMRiwC4Bc7qNVm2_7nnhkYCoe3/s1600/Bypass-Login.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypass Authentication using XPATH injection" border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxxz-G_O96__WMxFJnBetfZYT93ojXfkljZpKTd6OfGWXYuTleCilK8fsBqadrEGriYo7o84GPVMe6KdxfIG7s7EisWvygsiTZZSJey-Mcwhj6M3fFxBjMRiwC4Bc7qNVm2_7nnhkYCoe3/s320/Bypass-Login.PNG" title="Bypass Authentication using XPATH injection" width="320" /></a></div><div style="text-align: left;"></div><a name='more'></a>Looks quite familiar, doesn't it? Using these parameters, the query becomes:<br /><br />string(//Employee[uname/text()='' or '1' = '1' and passwd/text()='' or '1' = '1']/account/text())<br /><br />As in a common SQL Injection attack, we have created a query that is always evaluated as true, which means that the application will authenticate the user even if a username or a password have not been provided.<br /><br /><br /><h3 style="text-align: left;">Blind Xpath Injection:-</h3><div style="text-align: left;"><br />If there is no knowledge about the XML data internal details and if the application does not provide useful error messages that help us reconstruct its internal logic, it is possible to perform a Blind XPath Injection attack whose goal is to reconstruct the whole data structure.<br /><br />Browse to the search.php page. Enter any number, When you provide number it will display FirstName related to their ID.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimUmUyiKaedrIwmbWspYIh8BCJ6VQNKIt4Io9Zsic6cj5xXIMtH-OcMt3chI_7hOdMV8Ib-XM2M6zlrxdfVE7diYG2nnERc4yEx_HHNdoCI729mMuaLkQZ-UnICAF3an4A7WKiVZh2rl4k/s1600/search-first-name.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Blind XPATH Injection" border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimUmUyiKaedrIwmbWspYIh8BCJ6VQNKIt4Io9Zsic6cj5xXIMtH-OcMt3chI_7hOdMV8Ib-XM2M6zlrxdfVE7diYG2nnERc4yEx_HHNdoCI729mMuaLkQZ-UnICAF3an4A7WKiVZh2rl4k/s320/search-first-name.PNG" title="Blind XPATH Injection" width="320" /></a></div><div style="text-align: left;">Enter ' or '1' = '1 in search , & you will get all FirstName regardless of any ID(Number).</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjibHQDQ9IrJHS_97o_3mScbNjlwBSFMZu7LeeYkH_O_TgzgFv570vGE-42IPvXkXzTP0v5k2nXdxdQBFswSL3uUBmWK_u-C74djb6ckoV0wmxavA9HjIKi7_QlWpBjzFZ2cVtlzoC7GMBL/s1600/Bypass.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Blind XPATH Injection" border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjibHQDQ9IrJHS_97o_3mScbNjlwBSFMZu7LeeYkH_O_TgzgFv570vGE-42IPvXkXzTP0v5k2nXdxdQBFswSL3uUBmWK_u-C74djb6ckoV0wmxavA9HjIKi7_QlWpBjzFZ2cVtlzoC7GMBL/s320/Bypass.PNG" title="Blind XPATH Injection" width="320" /></a></div><div style="text-align: left;">In blind Xpath injection we have to provide special crafted query to application, if query is true we will get result otherwise we will not get any result.Till now We don`t know about any parent or child node of XML document.</div><h3 style="text-align: left;">Guessing of parent node:-</h3><div style="text-align: left;"><br />Supply following query to application & observe result.<br /><br />' or substring(name(parent::*[position()=1]),1,1)='a<br /><br />Nothing append , we don`t get FirstName of users.<b>It means first letter of parent node is not "a"</b>. Now supply following query<br /><br />' or substring(name(parent::*[position()=1]),1,1)='E</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgag6vkFjcDMjaQ_o5TPXoulIoDCenU0gMFP4DkrXRu5vRdRUVSe5yf3ZyVl7bKfCbLUHkOuTnugAXuSD0-65jMrJsIHH7l7XveyvT2PtZYsE3obILgNIFSYRMJrc9L9CEPbcsIzeMEqs6P/s1600/Blind-xpath.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Blind XPATH Injection" border="0" height="119" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgag6vkFjcDMjaQ_o5TPXoulIoDCenU0gMFP4DkrXRu5vRdRUVSe5yf3ZyVl7bKfCbLUHkOuTnugAXuSD0-65jMrJsIHH7l7XveyvT2PtZYsE3obILgNIFSYRMJrc9L9CEPbcsIzeMEqs6P/s320/Blind-xpath.PNG" title="Blind XPATH Injection" width="320" /></a></div><div style="text-align: left;">You get result , <b>It means first letter of parent node is "E"</b></div><div style="text-align: left;"><br />To guess second letter of parent node supply following query<br /><br />' or substring(name(parent::*[position()=1]),2,1)='m<br /><br />Following the same procedure, we can extract the full name of the parent node, which was found to be '<b>Employee</b>'. </div><div style="text-align: left;"><br />We can also get child node. Browse to the xpath.php page & enter following query.<br /><br />//Employee[position()=3]/child::node()[position()=4]/text()</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJEM1ahTwbtTKf2aitReGTfnS1fW2dUCo9JeuUVlTpFNNhcvMHt0gt5NRhv4wAEgiZTRk8XwP7yTc5s4YQWqiRfpNMHYG4PxtT0DWA8WAERahFgXMrXW1Bo-oZq-mB3unaB3f9GDGyUmF6/s1600/Retriev+DATA.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="get-child-node" border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJEM1ahTwbtTKf2aitReGTfnS1fW2dUCo9JeuUVlTpFNNhcvMHt0gt5NRhv4wAEgiZTRk8XwP7yTc5s4YQWqiRfpNMHYG4PxtT0DWA8WAERahFgXMrXW1Bo-oZq-mB3unaB3f9GDGyUmF6/s320/Retriev+DATA.PNG" title="get-child-node" width="320" /></a></div><div style="text-align: left;">You got output from parent node Employee id 3 & child node whose position is 2.</div><div style="text-align: left;"><br />To get whole document put following query.<br /><br />//Employee</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRqdtsM7sW2Z9HaUofBPk_OgzmP8zYFcJY85ZZPw7Clq_wOjpnjlWmlxg8eHYjh0Vq6z-ZHeKI-D5eMJ05__JV-Z1SCai3MWpIRAWKWO5DsF4M1tVMlimb1joVYKqirK1HKI_09o0mmX2S/s1600/GET-DATA.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Blind Xpath injection" border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRqdtsM7sW2Z9HaUofBPk_OgzmP8zYFcJY85ZZPw7Clq_wOjpnjlWmlxg8eHYjh0Vq6z-ZHeKI-D5eMJ05__JV-Z1SCai3MWpIRAWKWO5DsF4M1tVMlimb1joVYKqirK1HKI_09o0mmX2S/s320/GET-DATA.PNG" title="Blind Xpath injection" width="320" /></a></div><div style="text-align: left;">It`s just concept how to retrieve data from XML document using XPATH injection.XPath contains two useful functions that can help you automate the preceding attack and quickly iterate through all nodes and data in the XML document:</div><div style="text-align: left;"><br /></div><ul style="text-align: left;"><li>count() returns the number of child nodes of a given element, which can be used to determine the range of position() values to iterate over.</li><li> string-length() returns the length of a supplied string, which can be used to determine the range of substring() values to iterate over.</li></ul><div style="text-align: left;">I used recon-ng xpath bruteforcer for xpath injection attack & we will get back end XML file.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvUDKa1rQBEt5SE5OtaoR6kNmq1y07Gw99jMMI3FnfMmEF_oMjN8446O6UOMC3tq5ciXoiRdX3NtZ4e8A3z_srd4GElAEu1KzxtpMsU49JZkAhOwkUHKKSSPnjYAbiY_0DlGIwoAXydo2_/s1600/Screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="xapth-bruteforcer" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvUDKa1rQBEt5SE5OtaoR6kNmq1y07Gw99jMMI3FnfMmEF_oMjN8446O6UOMC3tq5ciXoiRdX3NtZ4e8A3z_srd4GElAEu1KzxtpMsU49JZkAhOwkUHKKSSPnjYAbiY_0DlGIwoAXydo2_/s320/Screenshot.png" title="xapth-bruteforcer" width="320" /></a></div><br />Useful Links & Blind XPATH injection Tools:-<br /><br /><a href="https://www.owasp.org/index.php/XPATH_Injection">https://www.owasp.org/index.php/XPATH_Injection</a><br /><a href="http://www.blogger.com/goog_913170007"><br /></a><a href="https://www.owasp.org/index.php/Blind_XPath_Injection">https://www.owasp.org/index.php/Blind_XPath_Injection</a><br /><br />XPATH BLIND EXPLORER:-  <a href="http://code.google.com/p/xpath-blind-explorer/downloads/list">http://code.google.com/p/xpath-blind-explorer/downloads/list</a><br /><br />XCAT:-  <a href="https://github.com/orf/xcat">https://github.com/orf/xcat</a></div></div>

XPATH Injection Tutorial

XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attack...

+ Read more »

eLearnSecurity Web Application Penetration Testing (WAPT) - Course Review

<div dir="ltr" style="text-align: left;" trbidi="on"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpyzCsXCguA3n7ExZf2_RJWWz7Nqw0_8EjxNx0cNjrO4jzGaVnSitk2IPKMUz8rB8k5Sl-HAAJceRQPnsVTmcWY6htfCyQkZ8HrBsaO27-qTWQiOcXc8ta6kFVPl5ySdXtDGLI9fliAas/s1600/WAPT_sm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpyzCsXCguA3n7ExZf2_RJWWz7Nqw0_8EjxNx0cNjrO4jzGaVnSitk2IPKMUz8rB8k5Sl-HAAJceRQPnsVTmcWY6htfCyQkZ8HrBsaO27-qTWQiOcXc8ta6kFVPl5ySdXtDGLI9fliAas/s1600/WAPT_sm.png" /></a>As years passed by, we have seen an upward progression in the layer of insecurity starting from the physical layer attacks (Layer 1)  towards Application layer attacks (Layer 7) inside of the OSI model. Application layer attacks are where we are at right now, and frankly speaking from my experience i find application layer attacks more easy to learn and exploit as compared with network layer attacks. The defenses are more easy to break and there are lots of attack vectors involved. All you need is right tools to be able to automatically scan and exploit application layer vulnerabilities, talking about bug bounty programs for an instance this is exactly the same what's happening, i have literally seen people with absolutely zero security knowledge finding/reporting bugs and getting listed in hall of fames and making money. The question arises, If it's that easy to exploit applications, what if they could use the knowledge for a negative cause. However, That's a different story which we are not gonna talk about today.<br /><br />It's super easy to download a vulnerability scanner such as netsparker, acunetix, netstalker and start scanning websites and reporting vulnerabilities, however what separates an actual penetration tester from some one who takes on bug bounty program as a hobby is the ability to understand the underlying technologies, and frankly speaking, it's what is the fundamental of all the penetration testing, the more better you understand the application and it's underlying technology, the more chances are that you would find critical bugs within it. With that being said there are certain restrictions to what a scanner can do and cannot, for example A scanner cannot find logical bugs, second order sql injections etc since it doesn't knows the context, therefore i only use for them  for quality assurance or for pointing out an interesting part of the webapplication, which i could look furthur.<br /><a name='more'></a><br />To keep up with the knowlege and the trend, i regularly take new courses on penetration testing. Recently i got a chance to  take the elearnsecurity's "<b>Web Application Penetration Testing course</b>" and it turned out to be an amazing experience.<br /><h4>Introduction</h4>The elearnsecurity's WAPT was specifically designed for beginners who have just came into the field of web application penetration testing and security and want to take their knowledge to the next level. The authors of this course have done a great job of putting all covering most of the aspects of web application penetration testing.<br /><h4>Course Contents</h4>The course is divided into several modules and personally i feel that every module is covered in extensive depth and does it's job of being clear and self-explanatory to the readers. Following are modules that you would come up, i would talk briefly about what's inside of them.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNmeU9nH49DT8k9HqHLGXSmw03DK65mSpr00liCQPwanVOajdH9k7jf-rYtwxfPcsCnnD3bOfjLMYPEevmtDr3t_3UX7Ab4dwVQ5hS9Yuww2Kivai-SyjKfnVqfzix4MutJ318gDgJqL0/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="414" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNmeU9nH49DT8k9HqHLGXSmw03DK65mSpr00liCQPwanVOajdH9k7jf-rYtwxfPcsCnnD3bOfjLMYPEevmtDr3t_3UX7Ab4dwVQ5hS9Yuww2Kivai-SyjKfnVqfzix4MutJ318gDgJqL0/s640/2.png" width="577" /></a></div><br /><br /><b>Introduction</b><br /><br />This module introduces the readers to the fundamentals of web security, it talks about some of the important concepts in security such as same origin policy and other stuff necessary for understanding the rest of the course.<br /><b><br /></b><b>Penetration </b><br /><b><br /></b>This particular module is what i find it missing inside most of the courses of web application security, penetration testing is not only about finding the vulnerabilities and exploiting them, it's about learning the art of the reporting which turns out to the most important step of a penetration test, if your report such, you suck. You might argue by saying that "<b>Did they hire a web designer or a penetration tester to do the job?</b>", however it's true that clients do take your reports seriously and this is what this chapter aims at explaining, the art of of reporting. I would have liked this module more, if they had given up a sample penetration testing report to the readers so that they can exactly figure out how the actual report looks.<br /><b><br /></b><b>Testing Information Gathering </b><br /><br />This particular module talks about enumerating web applications, things such as subdomains, backend services, backend databases etc. Once again the author do a great job of explaining things in a very simple manner.<br /><br /><b>Cross-Site Scripting </b><br /><br />This module talks about various types of cross site scripting attacks and how to end up detecting them inside of real application, for me this module was a bit basic as i was expecting an extensive coverage of things such as DOM XSS and WAF Byapss. Nevertheless, the module is perfect from a beginners perspective.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid1zio7OkggRjbsD26qKjl2uVLUUFPtzc6zjEpBI0QFGCVMePL6zmwlHrm1GV_vr_000i1EjNnIoG5y6RZA2-3EGxGrm166fxsA4uRveHdaGI4pKwS_p44Afz_jlDNck4owTBxWPRhlHI/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="468" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid1zio7OkggRjbsD26qKjl2uVLUUFPtzc6zjEpBI0QFGCVMePL6zmwlHrm1GV_vr_000i1EjNnIoG5y6RZA2-3EGxGrm166fxsA4uRveHdaGI4pKwS_p44Afz_jlDNck4owTBxWPRhlHI/s640/1.png" width="577" /></a></div><br /><br /><b>SQL Injections </b><br /><b><br /></b>I personally really liked this module, since it talks about most of the types of sql injection attacks. The best part of this module is that it talks about the concepts and how things are done manually, instead of talking about tools such as havij, sqlmap to exploit the vulnerabilities in an automated fashion.<br /><br /><b>Session </b><b>Security </b><br /><br />This module talks about wide variety of session attacks such as session id prediction, session fixation etc, to quote them "<b>Session related vulnerabilities will be the subject of this module with extensive coverage of the most common attacking patterns. Code samples on how to prevent session attacks are provided in PHP, Java and .NET At the end of the module the student will master offensive as well as defensive procedures related to session management within web applications</b>".<br /><br /><b>Flash Security and Attacks </b><br /><br />Flash although has been taken over by HTML 5, it is still present on lots of websites and it's not going away anytime soon. This module first talks about flash security models and then talks about how to go about attacking flash based files, which in my opinion is a great approach.<br /><br /><b>Authentication </b><br /><b><br /></b>This module talks about wide variety of authentication based attacks, to quote them "<b>During this module the student will learn the most common authentication mechanisms, their weaknesses and the related attacks. From Inadequate password policies to weaknesses in the implementation of common features</b>".<br /><b><br /></b><b>HTML5 and New Frontiers </b><br /><br />This module is the main essence of the course, with the arrival of html 5 and things such as local storage, web storage etc lots of new attack vectors have been introduced, this module talks about wide variety of html 5 based attack vectors in detail.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglvsDnA5kC7SmCD8s9ZkdB7KgtVhcDGAYGs5KT71SmLDhYfQ_VNLoGscVv6c59Jm3BcjqBNfWyx4aItPBa_TGuQqwAcuvtrWyzGkQgGpTInSJtKUTn7Jo1GfYzvlQ-vb6kwPx7a-K-cRA/s1600/123.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglvsDnA5kC7SmCD8s9ZkdB7KgtVhcDGAYGs5KT71SmLDhYfQ_VNLoGscVv6c59Jm3BcjqBNfWyx4aItPBa_TGuQqwAcuvtrWyzGkQgGpTInSJtKUTn7Jo1GfYzvlQ-vb6kwPx7a-K-cRA/s640/123.png" width="577" /></a></div><br /><br /><b>Common Vulnerabilities </b><br /><br />This module talks about less publicized vulnerabilities such as clickjacking, RFI, LFI, http response splitting etc.<br /><br /><b>Web Services </b><br /><br />This module talks about pentesting webservices such as webservices, rest api etc. As their growing popularity has brought us new attack vectors.<br /><br /><b>XPath Injection</b><br /><b><br /></b>I don't really know why they needed a different module to cover xpath injection, they might had created a module called "Injection Attacks" and would had included all the types of injection attacks under that module. Anyways, this module talks about xml structure first and then talks about xml injection and how to go about exploiting it.<br /><br /><b> VA and Exploitation Tools</b><br /><b><br /></b>This module talks about popularly used vulnerability assessment tools such as acunetix, netsparker etc to effectively scan for vulnerabilities, this module also talks about using these tools to actually exploit some of the vulnerabilities.<br /><h4>Coliseum Lab</h4>The course comes up with coliseum lab, which itself is divided into two types of labs, guided labs and unguided labs which are actual challenges. The labs are built into the cloud and destroyed after a certain time by default. The labs allow you to practice what you learned through out the course.<br /><h4>Examination</h4>After you have completed the course, you can schedule the examination. You would be provided a web application and your objective would be to gain administrative access to the web application and document all high risk vulnerabilities. The total time frame for the exam is 7 days and after that you would given given more 7 days to document the report and submit your findings. It was a fun and a challenging exam, it took me 2 days to complete the challenge, it might have been even faster if it were not for my slow internet connection.<br /><h4>Areas for Improvement</h4>The overall course is good, but it certainly has some areas it should be worked on:<br /><ul style="text-align: left;"><li>Recently due to the increase in the use of client side javascripts, we have seen rise in security issues such as DOM based XSS. I didn't see any in-depth coverage of this attack, it was taught at a very basic level. </li><li>Web Application firewalls are very common now a days, the course didn't cover the art of bypassing web application firewalls or common techniques that could be use to evade them. </li></ul><div><br /></div><div>Overall,  i would rate the course <b>8/10</b> as from a beginners perspective it's a must to do course, the best is that they don't only teach you how to find vulnerabilities, but they also teach you how to document them.<br /><b><br /></b><b>For more information, please visit the official website - <a href="http://www.elearnsecurity.com/course/web_application_penetration_testing/enroll.php" rel="nofollow" target="_blank">elearnsecurity.com/</a></b></div></div>

eLearnSecurity Web Application Penetration Testing (WAPT) - Course Review

As years passed by, we have seen an upward progression in the layer of insecurity starting from the physical layer attacks (Layer 1)  toward...

+ Read more »

Memory Forensics, Analysis And Techniques PART 2

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn6MQcyKUeGDUL3Jp-BUWLJurOELGnR67uBsvSn19rxtaUbB-Ja0BCIugYsOUPZ3QJtCurp-DAuTVtJlLgyJxxTdopGG61hXQcS3O2AG8yCHHpSZnVvsmXt-TPGxEnfnvW3TdlBWHuCbg/s1600/home_forensics.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn6MQcyKUeGDUL3Jp-BUWLJurOELGnR67uBsvSn19rxtaUbB-Ja0BCIugYsOUPZ3QJtCurp-DAuTVtJlLgyJxxTdopGG61hXQcS3O2AG8yCHHpSZnVvsmXt-TPGxEnfnvW3TdlBWHuCbg/s640/home_forensics.jpg" width="577" /></a></div><h3>INTRODUCTION</h3>Volatility is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of samples of digital artifacts from volatile memory (RAM).<br /><a name='more'></a><b><br /></b><b>Note: Before reading this post, i'd recommend you to go ahead and read the part 1 - <a href="http://www.rafayhackingarticles.net/2013/11/Memory-Forensics-Analysis-And-Techniques-Part-1.html">Memory Forensics, Analysis And Techniques PART 1</a></b><br /><h4>STEP TO STEP</h4>The tool supports a variety of formats "dump", performs some automatic conversion between formats and can be used on any platform that supports Python. Installation and use are simple, simply unzip the package supplied by Systems Volatility in a system where Python already installed.<br />C:\Volatility>python volatility<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiJEEuidxN-zrwucpWktoaEW-qJorhHwYwhTdRtF0dXxVwPfhvAaIi638mJdzq7_6_Dux-_-6JraOsdBm1v7HMU67XrlErVML4rNYu8Gn_KtjJde-kcIsyoBwQudP2UvGkClENU3VrvYLr/s1600/untitled1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiJEEuidxN-zrwucpWktoaEW-qJorhHwYwhTdRtF0dXxVwPfhvAaIi638mJdzq7_6_Dux-_-6JraOsdBm1v7HMU67XrlErVML4rNYu8Gn_KtjJde-kcIsyoBwQudP2UvGkClENU3VrvYLr/s1600/untitled1.JPG" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Figure 1)</b> Supported Internel Comands.<br /><br /><b>Example:</b> volatility pslist -f /path/to/my/file<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCPrVEZlt7qQ8UIB9u2F8FXnsvl7M59GtMjwFkYeWQH-018pZ-FCWKOUD3ORrlC_JVQIEThvM3yXZr7gV9rhPtvnEq9-KuAPr5zIoSu1kcCvtMvRgqYfuRzxhAjvR9xJQ_jH94qY4LMpfk/s1600/untitled2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCPrVEZlt7qQ8UIB9u2F8FXnsvl7M59GtMjwFkYeWQH-018pZ-FCWKOUD3ORrlC_JVQIEThvM3yXZr7gV9rhPtvnEq9-KuAPr5zIoSu1kcCvtMvRgqYfuRzxhAjvR9xJQ_jH94qY4LMpfk/s1600/untitled2.JPG" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Figure 2)</b> Use the command volatility<br /><br />The image 3 shows the use of the command "ident", which can be used to identify the date and time the image was collected, as well as providing information about the operating system on which the dump was generated:<br /><br /><b>C:\Volatility>python volatility ident –f C:\memorytest_rafael_fontes.dmp</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbAKYcht1NCsm7sXV5mV71V8nGnpo6M4S-Ny6S0Ku1jsbUn5xZFy8KYVvnWec_-4_XzdF3E5T07Km6isnmOA2EfqcC-YTlkfaAWRALI6qzFTZOQaksI0zyP0v4tqinCG5B3IHmHRcebTOy/s1600/untitled3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbAKYcht1NCsm7sXV5mV71V8nGnpo6M4S-Ny6S0Ku1jsbUn5xZFy8KYVvnWec_-4_XzdF3E5T07Km6isnmOA2EfqcC-YTlkfaAWRALI6qzFTZOQaksI0zyP0v4tqinCG5B3IHmHRcebTOy/s1600/untitled3.JPG" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Figure 3)</b> Command ident.<br />You can use the --help option with any command to get help:<br /><br /><b>C:\Volatility>python volatility ident –-help</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBSKuG85KFT8NxqQkGHttQHjNI_LTC1mTExkhN9NOZQA__gP8ayd1fVyYH4gZlXDbpP51XuJuiCImclF5P_uBx-I2I2CI-zrdHG9gPh4qQMtEWrLcmAuhXzRiEafTSKfCtH23D2z7TMFC0/s1600/untitled4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBSKuG85KFT8NxqQkGHttQHjNI_LTC1mTExkhN9NOZQA__gP8ayd1fVyYH4gZlXDbpP51XuJuiCImclF5P_uBx-I2I2CI-zrdHG9gPh4qQMtEWrLcmAuhXzRiEafTSKfCtH23D2z7TMFC0/s1600/untitled4.JPG" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Figure 4)</b> Option Volatility help tool.<br /><br />To list the processes that were running at the time it was generated dump can use the "pslist." As can be seen below, the output will contain the name of the process, its identifier (Pid) and father process ID (PPID) beyond the time when it was started and other useful information.<br /><br /><b>C:\Volatility>python volatility pslist –f C:\memorytest_rafael_fontes.dmp</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitGA7kTlTPtkBmAc4Ya_BMdb6Oyiqx5tQy-R2sn_rfTNyKXkZDUWaYFaOAZUj7k_g1y3lnaVU8gHBwYvkVThNm2yGvAuoViizdMPfUI5DMmH74I0OsS5h4Pjlg12VHYr-QTp24psjlz0pw/s1600/untitled5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitGA7kTlTPtkBmAc4Ya_BMdb6Oyiqx5tQy-R2sn_rfTNyKXkZDUWaYFaOAZUj7k_g1y3lnaVU8gHBwYvkVThNm2yGvAuoViizdMPfUI5DMmH74I0OsS5h4Pjlg12VHYr-QTp24psjlz0pw/s1600/untitled5.JPG" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Figure 5)</b> Use the command pslist.<br /><br />The "<b>connscan</b>" provides information about the network connections that were active at the time the data were collected memory. Already the "sockets" displays the open sockets at the time the dump was generated. The command "files" displays open files for each process. You can specify the case number on the command line to display only those files opened by a particular process.<br />C:\Volatility>python volatility files –p 1740 –f C:\ memorytest_rafael_fontes.dmp<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigJap7c41D6Blf_xKdODYnBfbh-3kg5lPganXOK9ywrx7LffaammuCVe0oeeSFiy4MMjcGjn6sU5Xuvg7AtpFJj_-Y1-R2Y9_uVAcMm8LdZg0wCL2OVUl9azFBNhmN8hSIf22yBmjbd92C/s1600/untitled6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigJap7c41D6Blf_xKdODYnBfbh-3kg5lPganXOK9ywrx7LffaammuCVe0oeeSFiy4MMjcGjn6sU5Xuvg7AtpFJj_-Y1-R2Y9_uVAcMm8LdZg0wCL2OVUl9azFBNhmN8hSIf22yBmjbd92C/s1600/untitled6.JPG" /></a></div><b>Figure 6)</b> Use the command files.<br /><br />The command "dlllist" displays a list of DLLs loaded for each process, and the command "regobjkeys" displays a list of registry keys opened by each process.<br />C:\Volatility>python volatility dlllist –p 1740 –f C:\memorytest_rafael_fontes.dmp<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnAxMDdg5yMDqXBCxn1UGFPrgO3wtwwghhoBfw6s7hHzZba50lWxLo10cRbyLaZeJsjnanVFRbl2nl1XQD3y8mj_wXfD30rqaBhgHUdN4SpXxsu3QCyz57Rw-2HUtx-d0Gn9NSqTIX8rkZ/s1600/untitled7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnAxMDdg5yMDqXBCxn1UGFPrgO3wtwwghhoBfw6s7hHzZba50lWxLo10cRbyLaZeJsjnanVFRbl2nl1XQD3y8mj_wXfD30rqaBhgHUdN4SpXxsu3QCyz57Rw-2HUtx-d0Gn9NSqTIX8rkZ/s1600/untitled7.JPG" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Figure 7)</b> Use the command dlllist<br />C:\Volatility>python volatility regobjkeys –p 1740 –f C:\memorytest_rafael_fontes.dmp<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_pCzO2ccAp8pb_x5d8AdM-tXtEDHxGf5h15Ei-ZT0IbIV7vT9pgyKRt3e2N_W9f8D5XMIL8MFPXEBlxkygSQXOirPStt_czhct-5zsBKFSHZhbauiZ3auJH0r-WDXsG9pT6uh4h6_qJdE/s1600/untitled8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_pCzO2ccAp8pb_x5d8AdM-tXtEDHxGf5h15Ei-ZT0IbIV7vT9pgyKRt3e2N_W9f8D5XMIL8MFPXEBlxkygSQXOirPStt_czhct-5zsBKFSHZhbauiZ3auJH0r-WDXsG9pT6uh4h6_qJdE/s1600/untitled8.JPG" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Figure 8)</b> Use the command regobjkeys.<br /><br />It is possible, through command "procdump" extracting executable from the dump of memory, allowing access to the code that was running on the machine, and thus better understand their behavior.<br />C:\Volatility>python volatility procdump –p 1740 –f C:\ memorytest_rafael_fontes.dmp<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuxRNy1_Wgk7oViyUgi8cHtXBPtC-_v8KiETXS5wxmA6bMS0rqvzJp9Juv7Rs58ikANzqY199upy7C3z3PZiMRw5xzYOLrB6al8QYXpRGimbsczwyXdUtx9xOhFmo2PAW4T-FYHOeQ68ow/s1600/untitled9.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuxRNy1_Wgk7oViyUgi8cHtXBPtC-_v8KiETXS5wxmA6bMS0rqvzJp9Juv7Rs58ikANzqY199upy7C3z3PZiMRw5xzYOLrB6al8QYXpRGimbsczwyXdUtx9xOhFmo2PAW4T-FYHOeQ68ow/s640/untitled9.JPG" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Figure 9)</b> Use the command procdump.<br /><br />It was possible to observe the generation of executable "<b>executable.1740.exe</b>" and the occurrence of informational messages like "<b>Memory Not Accessible</b>" after using the command "<b>ProcDump</b>". This is because not all the virtual memory addresses are accessible on the image because it may have been, for example, paged to disk. Thus, these messages provide an audit log so that you can determine which parts of the executable generated were successfully retrieved.<br /><br />Practical examples,to determine the date and time of the image, for example, one can use the following command:<br /><br /><b>>>> Python volatility datetime -f target-2013-10-10.img</b><br /><b><br /></b>    Image Local date and time: Mon Oct 10 16:20:12 2013<br />The command pslist, in turn, determines the procedures that were running at the time the image was captured:<br /><b><br /></b><b> >>> Python volatility pslist -f target-2013-10-10.img</b><br /><br /><b>Name Pid PPID THDs HNDs Time</b><br />lsass.exe 536 480 20 369 Mon Oct 10 16:22:18 2013<br /> To determine which system ports were open, one can employ the command "socks". For the system under analysis, it is possible to detect, for example, the process LSASS.exe listening on port 4500.<br /><br /><b>>>> Python volatility sockets -f target-2013-10-10.img</b><br /><br /><h3>Forensic Memory for Linux distributions:        </h3><h4>S.M.A.R.T Linux  <a href="http://smartlinux.sourceforge.net/" rel="nofollow" target="_blank">http://smartlinux.sourceforge.net/</a>                                                                                      </h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgledSETiH-Ea2AgzGcahyphenhyphenv1xT5ShI-06CG0n3VgYEJ6nO76omBJs45wA1d45uVkKx4GZv2gSWZPeOKJZYXZVXYhYj_IF3lVOKr1CW3-F7grF50f2bNEdS9tERh0W_2_60hw56Tu0hOLw90/s1600/untitled1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgledSETiH-Ea2AgzGcahyphenhyphenv1xT5ShI-06CG0n3VgYEJ6nO76omBJs45wA1d45uVkKx4GZv2gSWZPeOKJZYXZVXYhYj_IF3lVOKr1CW3-F7grF50f2bNEdS9tERh0W_2_60hw56Tu0hOLw90/s1600/untitled1.JPG" /></a></div>  <br /><b>Figure 1)</b> S.M.AR.T. Linux.<br />S.M.A.R.T. Linux is a bootable floppy distribution containing tool (smartmontools) for monitoring IDE/SCSI hard disks (using <a href="http://smartlinux.sourceforge.net/smart/" rel="nofollow" target="_blank">Self-Monitoring, Analysis and Reporting Technology</a>). Why floppy? Probably because all other distributions containing this useful utility are CD versions [and not everybody has a CD-ROM ;)]. It's going to be free, small, helpful and easy to use. Current version is based on <a href="http://smartlinux.sourceforge.net/kernel.config" rel="nofollow" target="_blank">Kernel 2.4.26</a>, uClibc 0.9.24 and <a href="http://smartlinux.sourceforge.net/busybox.config" rel="nofollow" target="_blank">BusyBox 1.00 official release</a>. Built on <a href="http://www.slackware.com/" rel="nofollow" target="_blank">Slackware 10.0</a>.<br />The Sleuth Kit and Autopsy <a href="http://www.sleuthkit.org/" rel="nofollow" target="_blank">http://www.sleuthkit.org/</a><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfKjk2XuS014GT2V77zD26QOQN6pQMYzX4UBvHAff5YsW5zQ5y2NLo5ZfIQBdqV5ibGqWuqfmmg-w2DLsxjmLRuAxfgDloCsAWg62b8NSPTLMFeUly4NZ47r4pUoXZ2YF_dOnE9bhV1XN8/s1600/untitled2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfKjk2XuS014GT2V77zD26QOQN6pQMYzX4UBvHAff5YsW5zQ5y2NLo5ZfIQBdqV5ibGqWuqfmmg-w2DLsxjmLRuAxfgDloCsAWg62b8NSPTLMFeUly4NZ47r4pUoXZ2YF_dOnE9bhV1XN8/s400/untitled2.JPG" width="400" /></a></div><b>Figure 2)</b> Autopsy.                                                                                     <br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_m1Kg1X05B5Wd4HCZUMiesaRCp33w8VwOVhzzE_7odN1O26UvTQKpoQF5gyYEzYtgigiV0grnLkbAE6yK5sTjSeIPhHSgV3-780dW45UI3gFRMrHuEEA8n0H3tBFnp_CW2r9AuHEUTU0U/s1600/untitled3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="367" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_m1Kg1X05B5Wd4HCZUMiesaRCp33w8VwOVhzzE_7odN1O26UvTQKpoQF5gyYEzYtgigiV0grnLkbAE6yK5sTjSeIPhHSgV3-780dW45UI3gFRMrHuEEA8n0H3tBFnp_CW2r9AuHEUTU0U/s400/untitled3.JPG" width="400" /></a></div><br /><b>Figure 3)</b> The Sleuth Kit.<br /><br /><a href="http://www.sleuthkit.org/autopsy/" rel="nofollow" target="_blank">Autopsy™</a> and <a href="http://www.sleuthkit.org/sleuthkit/" rel="nofollow" target="_blank">The Sleuth Kit™</a> are open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows, Linux, OS X, and other Unix systems. They can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types.<br />CAINE (Computer Aided Investigative Environment)  http://www.caine-live.net/<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj013VDsLJZcSsTBs56uHURhxbZQbJ2DPk__J1izj5dX7MeLVvY93nltUaQhTmf-LIUjg4X_ppFlqE1jrb0arCIsb04xxH-DNw9JNW-PvrxvGoFF10uAQIPw_z6rjlLVqJWtAc9JAqzdPRP/s1600/untitled4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj013VDsLJZcSsTBs56uHURhxbZQbJ2DPk__J1izj5dX7MeLVvY93nltUaQhTmf-LIUjg4X_ppFlqE1jrb0arCIsb04xxH-DNw9JNW-PvrxvGoFF10uAQIPw_z6rjlLVqJWtAc9JAqzdPRP/s1600/untitled4.JPG" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Figure 4)</b> C.A.I.N.E.<br /><br />CAINE(Italian GNU/Linux live distribution created as a project of Digital Forensics) offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.<br />The main design objectives that CAINE aims to guarantee are the following:<br />• An interoperable environment that supports the digital investigator during the four phases of the digital investigation.<br />• A user friendly graphical interface.<br />• A semi-automated compilation of the final report.<br /><br /><h3>For MAC OS X</h3>Below are some tools that can be used for forensic analysis on computers with <b>Mac OS X</b>.<br /><h4><u>Mac OS X Forensics Imager:</u> http://www.appleexaminer.com/Utils/Downloads.html</h4><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSBntF-6XWzDm5v-Opc4pIaRH1mJqEiQBnd7tcvfFCzdVCeD11tKM48yfiMUekgEFLXxUlvtSIUpD_vSU1k3quC3r-dLj4oLsJVTO2pJpfthkIepDZmT4WJzKuoelEWckdvN04wHFOb-TK/s1600/untitled1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSBntF-6XWzDm5v-Opc4pIaRH1mJqEiQBnd7tcvfFCzdVCeD11tKM48yfiMUekgEFLXxUlvtSIUpD_vSU1k3quC3r-dLj4oLsJVTO2pJpfthkIepDZmT4WJzKuoelEWckdvN04wHFOb-TK/s1600/untitled1.JPG" /></a></div><b>Figure 1)</b> Mac OS X Forensics Imager.<br /><br />Tool for imaging disk byte by byte format Encase or FTK for later forensic analysis in these tools.<br /><br />Metadata Extractor<br />Application to extract meta-data files for a specific folder in Mac Displays location on google maps in case there are geo-location information in the file.<br /><br /><b>File Juicer:</b> http://echoone.com/filejuicer/<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5j4ELZ5qjnhNUrNYyqlUVky1JUIBaqAoC-0mTn87eyl-KYdzmaWIyGdYWHu9HnK7ElnwzDPo0-yCPTYOYtLshusXmxU6t3mWvw_LbOsGwfrkpHC01mTcXRT7ADZBl74B6j_Thlavw3Yye/s1600/untitled2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5j4ELZ5qjnhNUrNYyqlUVky1JUIBaqAoC-0mTn87eyl-KYdzmaWIyGdYWHu9HnK7ElnwzDPo0-yCPTYOYtLshusXmxU6t3mWvw_LbOsGwfrkpHC01mTcXRT7ADZBl74B6j_Thlavw3Yye/s400/untitled2.JPG" width="400" /></a></div><b>Figure 2)</b> File Juicer 1.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY9vdf3PjVvMDST08MeN8Ur9t3MEuxcee4ZtBnrtZ-kgP-lHB6PfdFnN_94n66sbTIAMYstKnZ4l1-0A9pHxX5MVrElOfmj7b7jZkzmhc8tWfmkHIvXBr7XhpyL-xdKa4XyP7ftrNJ69vH/s1600/untitled3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY9vdf3PjVvMDST08MeN8Ur9t3MEuxcee4ZtBnrtZ-kgP-lHB6PfdFnN_94n66sbTIAMYstKnZ4l1-0A9pHxX5MVrElOfmj7b7jZkzmhc8tWfmkHIvXBr7XhpyL-xdKa4XyP7ftrNJ69vH/s400/untitled3.JPG" width="400" /></a></div><br /><b>Figure 3)</b> File Juicer 2.<br /><br />Commercial software that enables the extraction of images and texts from any file. Ignores format, and scans files byte by byte for identifying the data supported. Among other features, there are the following, which find application in forensic analysis:<br /><br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Extract images from PowerPoint presentations and PDFs<br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Recover deleted pictures and videos from memory cards<br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Recover text from corrupt<br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Extract images and html files from the cache of Safari<br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Extract attachments from email archives<br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Generate Word document from simple PDFs<br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Recover photos from iPods in TIFF<br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Convert ZIP files which are in. EXE<br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Extract JPEG images in RAW format (Canon & Nikon)<br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Extracting data from different types of cache file<br />·<span class="Apple-tab-span" style="white-space: pre;"> </span>Find and extract file in general data in JPEG, JP2, PNG, GIF, PDF, BMP, WMF, EMF, PICT, TIFF, Flash, Zip, HTML, WAV, MP3, AVI, MOV, MPG, WMV, MP4, AU, AIFF or text.<br /><h4>CONCLUSION</h4>There are several trends that are revolutionizing the Forensic Memory. The process to do the analysis in memory forensics also walks for a better solution and refinement of the technique, it is an approach increasingly relevant in the context of Computer Forensics. In certain cases the popularity and use of tools for encrypting volumes as TrueCrypt, or creating malware residing only in volatile memory, raise the difficulty of analyzing the data stored in these devices.<br /><br />However, it is interesting to note that the Forensic Memory is best seen as a complement to other approaches. An example of this is the procedure in which an investigation after the image capture of volatile memory, it uses the "Analysis of Living Systems" as a way to determine the next step in solving the case. Later, in the laboratory, we use the "Memory Forensics" as a complement to traditional forensics, giving greater agility and precision to the process.<br /><br />I hope my article has helped computational experts and specialists in information security.<br /><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW20uw8T8ysccUKPby8pUltzOvGP9SFROKU-o2mqHEuxLw9FUwB3OsaAAr535b818hL9f3KxihgWtIlfaPNaruznzRxx3X9NVNlCf8tFj19pIEDs2NMnIO2nT2U4oBsNSY23ZIVvbJfVZo/s1600/desouze.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW20uw8T8ysccUKPby8pUltzOvGP9SFROKU-o2mqHEuxLw9FUwB3OsaAAr535b818hL9f3KxihgWtIlfaPNaruznzRxx3X9NVNlCf8tFj19pIEDs2NMnIO2nT2U4oBsNSY23ZIVvbJfVZo/s200/desouze.jpg" width="188" /></a>This is a guest post written by , <b>RAFAEL FONTES SOUZA</b>. He is the maintainer of the “<b>Project Backtrack Team Brazilian</b>”, He works at <a href="http://services.rafayhackingarticles.net/" target="_blank">RHAinfosec </a>as a senior penetration tester. He is also the Founder of the "Wikileaks and Intelligence, Cypherpunks". Good communication in groups and the general public, attended college projects with a focus on business organization, he currently seeks work experience outside of brazil”. He frequently contributes at RHA and talks about various topics related to internet security. </div></div>

Memory Forensics, Analysis And Techniques PART 2

INTRODUCTION Volatility is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extrac...

+ Read more »

Memory Forensics, Analysis And Techniques Part 1

<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><u><strike></strike></u><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrDyY2uOPl-S89971n-GuzmPx83oABzsp2fBOl8w9m23w1qGorFlt_k2INQNw8yD_oL5ZkcFXTxc2KwUZf6nlUwQsK4-R9MAkeLmr0iCKHzTERuMTk1b_k2ifVDspW79OjSVdGTz8pXHg/s1600/logo_forensics.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><strike><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrDyY2uOPl-S89971n-GuzmPx83oABzsp2fBOl8w9m23w1qGorFlt_k2INQNw8yD_oL5ZkcFXTxc2KwUZf6nlUwQsK4-R9MAkeLmr0iCKHzTERuMTk1b_k2ifVDspW79OjSVdGTz8pXHg/s400/logo_forensics.jpg" width="400" /></strike></a></div><h4 style="text-align: left;">ABSTRACT</h4>Due to the increased number of cases of cyber-crimes and intrusions, along with the storage capacity of hard disks and devices, it was necessary to extend the techniques of computer forensics, currently works consist in collection and analysis of static data stored hard drives, seeking to acquire evidence related to the occurrence of malicious activities in computer systems after its occurrence.<br />With the evolution of technological resources and the popularity of the Internet, it has become impractical to maintain only the traditional approach, due to the large volume of information to be analyzed and the growth of digital attacks. In this context, the analysis of data stored in volatile memory comes up with new techniques, it is necessary to check the processes that were running, established connections, or even access keys encrypted volumes, without causing the loss of sensitive information to the investigation, thus allowing the recovery of important data to the computer forensics.<br /><a name='more'></a><br /><h4 style="text-align: left;">CONCEPT</h4>Memory forensics is a promising technique that involves the process of capturing and analyzing data stored in volatile memory. Since, by volatile memory, which means that data can be lost on system shutdown, or can be rewritten in the normal functioning of the same. This characteristic of constant flux, the data in memory are usually less structured and predictable.<br /><h4 style="text-align: left;">DATA CONTAINED IN THE MEMORY</h4>The overview of the information stored in memory, everything is running on a computer is stored temporarily in memory, either in volatile memory, the paging file is related to virtual memory. By extracting an image of memory known as 'dump' memory is possible to identify the relationship of the running processes, it is possible to establish a relationship between the processes in order to identify which processes have started other processes, likewise, is feasible to identify which files, libraries, registry keys and sockets that were in use by each process. In summary, it is possible to map how the system was being used when generating the 'dump' memory and also recover executable programs stored in memory.<br /><h4 style="text-align: left;">MORE INFORMATION ABOUT “DUMPS”</h4>This is the method currently used by the experts in computer forensics to acquire the contents of RAM.<br />There are several programs that help the image acquisition memory system, this work. These tools make reading memory bit-by-bit and copy its contents to a file, the "dump" of memory. This file will have the same physical memory size of the system.<br /><br />What should be taken into account, regardless of the tool being used, is that, as shown by the "Locard Exchange Principle", when an acquisition program dump is executed, it must be loaded into memory, meaning it will traces, and that some of the memory space that could contain valuable information will be used, and can even lead to changes in the area occupied by processes to paging files. Furthermore, while the tool is reading the contents of the memory, the status of the system is not frozen, which means that while some pages are being copied, and others may be changed if the process is that use is still running, for example. What will define the time spent to collect the image are factors such as processor speed, bus fees and operations in and out of the disc.<br /><h3 style="text-align: left;">CREATING "Forensic Image" WITH FTK IMAGER</h3><h4 style="text-align: left;">INTRODUCTION</h4>FTK Imager is a free tool provided by Access to Data acquiring forensic images. The tool allows you to create, mainly disk images…Besides creating forensic disk images, we can perform memory dumps and even perform a forensic analysis on the small image created. There are many other fucionalidades you will discover when you are working with it. The FTK Imager was created by the company AccessData and is free.<br /><h4 style="text-align: left;">STEP TO STEP</h4>Well, I'm looking for a simple and practical way to demonstrate these concepts. Let's click on the "File" menu and click the "Create Disk Image" and choose which disk or partition, or we will make the image. To choose the option to perform a forensic image of the disc, we will on the "Physical Drive”, if we want to make the image of a partition, let the option "Logical Drive". Look the pictures below:<br /><br /><b>Figure 1)</b> FTK Imager.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkpMJk2d8D7kyrds9g8kVv_By3EEqt-xuF8azk3oU-sGMm62AcOBtGYxlfBc1_yBA5vAg6jG05HQFCoP_lX-cbywzvNC0Z0g-yYChkA1wbYBmflnjx3r3JDN75jEaOahTjBDZW_cLogP0h/s1600/untitled1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkpMJk2d8D7kyrds9g8kVv_By3EEqt-xuF8azk3oU-sGMm62AcOBtGYxlfBc1_yBA5vAg6jG05HQFCoP_lX-cbywzvNC0Z0g-yYChkA1wbYBmflnjx3r3JDN75jEaOahTjBDZW_cLogP0h/s400/untitled1.JPG" width="400" /></a></div><br /><b>Figure 2)</b> Logical Drive.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSBKvR1Bf_yHQ2OwY6XPBwd0uSvY7wywMnEpq1eWommfP0F1fOTET9DxolQZSeQp-NJk9Exh4sA9RDl4PCuIzWaBRTCGEPKdbITKR1-ZS0vOLHMJdsph16xxFcpfoGpLKpp9zfhH27jvXX/s1600/untitled2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSBKvR1Bf_yHQ2OwY6XPBwd0uSvY7wywMnEpq1eWommfP0F1fOTET9DxolQZSeQp-NJk9Exh4sA9RDl4PCuIzWaBRTCGEPKdbITKR1-ZS0vOLHMJdsph16xxFcpfoGpLKpp9zfhH27jvXX/s400/untitled2.JPG" width="400" /></a></div><br /><b>Figure 3)</b> Physical Drive.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhQsuIVeYV8fC9riMsWsEogqeaj4QuGqW3SChyphenhyphennR566S5Lhm5vS4y8V_ywY7xhZ6sd15_N25Ezh1lCCCZRuatGQONqqzAEK1qvrxWKbJLDKQk1q4CEMimJ3_zvbDFpOiMyAU4UrlGEGe7e/s1600/untitled3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhQsuIVeYV8fC9riMsWsEogqeaj4QuGqW3SChyphenhyphennR566S5Lhm5vS4y8V_ywY7xhZ6sd15_N25Ezh1lCCCZRuatGQONqqzAEK1qvrxWKbJLDKQk1q4CEMimJ3_zvbDFpOiMyAU4UrlGEGe7e/s400/untitled3.JPG" width="400" /></a></div><br />Then I'll do the forensic image of a USB stick plugged into my machine, and also choose the option "Physical Drive ". Can I choose which device I want to make the image and then I click on the "Finish" button.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx29zD5IZ0XsqYXNzzlr9Vl_ERtc_FXNaIkjNKOMIzkLoa2LZCplLYW1qPuGFSAGcHoGzWH26_lDTOzm90LOWuc0HGS6_A5arG_dpQXoCkjvdnrP5q2bNlDDiEB3qASDMRY-mJsqIwdROR/s1600/untitled4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx29zD5IZ0XsqYXNzzlr9Vl_ERtc_FXNaIkjNKOMIzkLoa2LZCplLYW1qPuGFSAGcHoGzWH26_lDTOzm90LOWuc0HGS6_A5arG_dpQXoCkjvdnrP5q2bNlDDiEB3qASDMRY-mJsqIwdROR/s400/untitled4.JPG" width="400" /></a><span style="text-align: left;"> </span></div><b>Figure 4)</b> Select Drive.<br /><br />Now click on "checkbox Verify images after area They created". With this option selected, the tool will calculate the "hash" MD5 and SHA1 image created after that, click the "ADD" button.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpiKNsVhZHyQFVuOx4RfG9lfeC8hrehSSYi8GxzsoA8JCRay49uBmIVKdl1_dvu76T-h5u3d-36B7hklZWqoR04UJB393Q0BmwOUPz4rshV_bgqiAxO17TiS6WbGs7tCmIV8NWeCjgrCkt/s1600/untitled5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpiKNsVhZHyQFVuOx4RfG9lfeC8hrehSSYi8GxzsoA8JCRay49uBmIVKdl1_dvu76T-h5u3d-36B7hklZWqoR04UJB393Q0BmwOUPz4rshV_bgqiAxO17TiS6WbGs7tCmIV8NWeCjgrCkt/s400/untitled5.JPG" width="400" /></a></div><b>Figure 5)</b> Create Image.<br /><br />Let's select "RAW", to perform forensic image format which is the tool of "DD" and click "Next".<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW3-eriPI0OKa8aSECVcjxvGOrVmHYUVGaIE8ik5CZ9WhO-_rZnq-qcUs1QsmSHWujnDec_OgqU5IGRSiHCPqdoNIJOYeLntJo6RW9NYaXhXXALe8-z0NOpoPePAb4Fa-gK_EecX1zdLaw/s1600/untitled6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW3-eriPI0OKa8aSECVcjxvGOrVmHYUVGaIE8ik5CZ9WhO-_rZnq-qcUs1QsmSHWujnDec_OgqU5IGRSiHCPqdoNIJOYeLntJo6RW9NYaXhXXALe8-z0NOpoPePAb4Fa-gK_EecX1zdLaw/s400/untitled6.JPG" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><b>Figure 6)</b> Select RAW.<br /><br />Will request some information on evidência. We can fill these information . After that, click on "Next".<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheEXRS_86StNLhHTcRnxQbYaSof_05kKRnQYF__V3T7npzHDPXHVrogmfueQdU-PKjSCtcjxE2SL5fVKqBxG_7x9iUMeKVf-uEyuxVOPComFG7sOSMvDUUgtPxvKnu-XkVT-HhyQOyEAu4/s1600/untitled7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheEXRS_86StNLhHTcRnxQbYaSof_05kKRnQYF__V3T7npzHDPXHVrogmfueQdU-PKjSCtcjxE2SL5fVKqBxG_7x9iUMeKVf-uEyuxVOPComFG7sOSMvDUUgtPxvKnu-XkVT-HhyQOyEAu4/s400/untitled7.JPG" width="400" /></a></div><b>Figure 7)</b> Evidence Item Information.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT-onVdExOwKxJIQrmkTLHdMewzdhyphenhyphenrRwkyMAfRyLBMWHpUmrfhhAShnsqf0ROAuGywlLtibWrFWykFSQMgBAVScEdNvHRYajZyYNa3_3bsdVCQSh3k91MzlxjlgpcVIvb05pdkn9NqUK7/s1600/untitled8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT-onVdExOwKxJIQrmkTLHdMewzdhyphenhyphenrRwkyMAfRyLBMWHpUmrfhhAShnsqf0ROAuGywlLtibWrFWykFSQMgBAVScEdNvHRYajZyYNa3_3bsdVCQSh3k91MzlxjlgpcVIvb05pdkn9NqUK7/s400/untitled8.JPG" width="400" /></a></div><b>Figure 8)</b> Select Image Destination.<br /><br />We will choose the output directory (where the forensic image is saved). "Image Filename" is where you must enter the filename of my image. In the "Image Fragment Size" I can put zero because I do not want my fragmented image. If I wanted to break into pieces, I put this field size in MB that every piece of my image would have. After that , just click on the "Finish" button.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTHsIqI3JoReT6XtXdCRC7WRCJtoaHA2Sjetl4unqkdkyxmdLJcg5MC43JzLrx6CtG4Ai2C2O-QqJxlD986j6vjBXV007omxy6YEtMqWnsr1z7zejiy8sBnuaWOEjxRzzVNJqN-uVMOpIX/s1600/untitled9.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTHsIqI3JoReT6XtXdCRC7WRCJtoaHA2Sjetl4unqkdkyxmdLJcg5MC43JzLrx6CtG4Ai2C2O-QqJxlD986j6vjBXV007omxy6YEtMqWnsr1z7zejiy8sBnuaWOEjxRzzVNJqN-uVMOpIX/s400/untitled9.JPG" width="400" /></a></div><b>Figure 9)</b> The output directory.<br /><br />Just click on the "Start" button.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEillAxzM2rRdmPpu9EFd3IEdxsVAzHqf99s8abr7JTe0AYRzsW_Eiuhyr13z9YW3XQp8qBk2DnphiSd2go16vnCFBhN-bFOa1inDLcJEzWJNQFyaH_eaXUop9gFsoK8yBmJ4XYJ-CUFG2eG/s1600/untitled10.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEillAxzM2rRdmPpu9EFd3IEdxsVAzHqf99s8abr7JTe0AYRzsW_Eiuhyr13z9YW3XQp8qBk2DnphiSd2go16vnCFBhN-bFOa1inDLcJEzWJNQFyaH_eaXUop9gFsoK8yBmJ4XYJ-CUFG2eG/s400/untitled10.JPG" width="400" /></a></div><b>Figure 10)</b> Create Image.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1WQwPJ2ybWkkaOu1LrmJpNSDIRusq7gUTH8Yvj_nawPsOFg9xu0lFytyiHH9_ydXvhnrsMDz_-yUQ4JGhvYcYz_EjXnUvYfXc8BrsrTNw2xtiB7dafSatQFT25wFyFqPzyMsl_qFZREm2/s1600/untitled11.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1WQwPJ2ybWkkaOu1LrmJpNSDIRusq7gUTH8Yvj_nawPsOFg9xu0lFytyiHH9_ydXvhnrsMDz_-yUQ4JGhvYcYz_EjXnUvYfXc8BrsrTNw2xtiB7dafSatQFT25wFyFqPzyMsl_qFZREm2/s400/untitled11.JPG" width="400" /></a></div><b>Figure 11)</b> Image Summary.<br /><br /><br />When the process of image acquisition forensics has finished , we can display a summary with various information.In the same directory where the image was stored was created a “txt”, which is like a log , which has the same summary information.<br /><br />In the part 2, we will take a look at some more techniques for memory forensics, Stay Tuned!<br /><br /><b>Update: Part 2 has been published - <a href="http://www.rafayhackingarticles.net/2013/11/Memory-Forensics-Analysis-And-Techniques-PART-2.html" target="_blank">Memory Forensics, Analysis And Techniques Part 2</a></b><br /><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW20uw8T8ysccUKPby8pUltzOvGP9SFROKU-o2mqHEuxLw9FUwB3OsaAAr535b818hL9f3KxihgWtIlfaPNaruznzRxx3X9NVNlCf8tFj19pIEDs2NMnIO2nT2U4oBsNSY23ZIVvbJfVZo/s1600/desouze.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW20uw8T8ysccUKPby8pUltzOvGP9SFROKU-o2mqHEuxLw9FUwB3OsaAAr535b818hL9f3KxihgWtIlfaPNaruznzRxx3X9NVNlCf8tFj19pIEDs2NMnIO2nT2U4oBsNSY23ZIVvbJfVZo/s200/desouze.jpg" width="188" /></a>This is a guest post written by , <b>RAFAEL FONTES SOUZA</b>. He is the maintainer of the “<b>Project Backtrack Team Brazilian</b>”, He works at <a href="http://services.rafayhackingarticles.net/" target="_blank">RHAinfosec </a>as a senior penetration tester. He is also the Founder of the "Wikileaks and Intelligence, Cypherpunks". Good communication in groups and the general public, attended college projects with a focus on business organization, he currently seeks work experience outside of brazil”. He frequently contributes at RHA and talks about various topics related to internet security. </div></div>

Memory Forensics, Analysis And Techniques Part 1

ABSTRACT Due to the increased number of cases of cyber-crimes and intrusions, along with the storage capacity of hard disks and devices, it ...

+ Read more »