Friday, April 30, 2010

Honeynet Forensics Contest

Challenge 3 of the Forensic Challenge 2010 - Banking Troubles

Synopsis:





The Challenge:


"Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an email from a fellow co-worker that pointed to a PDF file. Upon opening, the employee did not seem to notice anything, however recently they have had unusual activity in their bank account. Company X was able to obtain a memory image of the employee’s virtual machine upon suspected infection. Company X wishes you to analyze the virtual memory and report on any suspected activities found. Questions can be found below to help in the formal report for the investigation."


[source: https://www.honeynet.org/challenges/2010_3_banking_troubles]

1.  List the processes that were running on the victim’s machine. Which process was most likely responsible for the initial exploit? (2pts)

Listing the processes with the Volatility plugin pslist, either firefox.exe (Pid 888) or AcroRd32.exe (Pid 1752) is the probable attack vector.  Note that Pid 888 (Firefox) is the parent of Acrobat Reader, Pid 1752.  Two further Pids, 644 (winlogon.exe) and 880 (svchost.exe), will be discussed later.

$ python volatility pslist -f Bob.vmem

Name                 Pid    PPid   Thds   Hnds   Time  
System               4      0      58     573    Thu Jan 01 00:00:00 1970  
smss.exe             548    4      3      21     Fri Feb 26 03:34:02 2010  
csrss.exe            612    548    12     423    Fri Feb 26 03:34:04 2010  
winlogon.exe         644    548    21     521    Fri Feb 26 03:34:04 2010  
services.exe         688    644    16     293    Fri Feb 26 03:34:05 2010  
lsass.exe            700    644    22     416    Fri Feb 26 03:34:06 2010  
vmacthlp.exe         852    688    1      35     Fri Feb 26 03:34:06 2010  
svchost.exe          880    688    28     340    Fri Feb 26 03:34:07 2010  
svchost.exe          948    688    10     276    Fri Feb 26 03:34:07 2010  
svchost.exe          1040   688    83     1515   Fri Feb 26 03:34:07 2010  
svchost.exe          1100   688    6      96     Fri Feb 26 03:34:07 2010  
svchost.exe          1244   688    19     239    Fri Feb 26 03:34:08 2010  
spoolsv.exe          1460   688    11     129    Fri Feb 26 03:34:10 2010  
vmtoolsd.exe         1628   688    5      220    Fri Feb 26 03:34:25 2010  
VMUpgradeHelper      1836   688    4      108    Fri Feb 26 03:34:34 2010  
alg.exe              2024   688    7      130    Fri Feb 26 03:34:35 2010  
explorer.exe         1756   1660   14     345    Fri Feb 26 03:34:38 2010  
VMwareTray.exe       1108   1756   1      59     Fri Feb 26 03:34:39 2010  
VMwareUser.exe       1116   1756   4      179    Fri Feb 26 03:34:39 2010  
wscntfy.exe          1132   1040   1      38     Fri Feb 26 03:34:40 2010  
msiexec.exe          244    688    5      181    Fri Feb 26 03:46:06 2010  
msiexec.exe          452    244    0      -1     Fri Feb 26 03:46:07 2010  
wuauclt.exe          440    1040   8      188    Sat Feb 27 19:48:49 2010  
wuauclt.exe          232    1040   4      136    Sat Feb 27 19:49:11 2010  
firefox.exe          888    1756   9      172    Sat Feb 27 20:11:53 2010  
AcroRd32.exe         1752   888    8      184    Sat Feb 27 20:12:23 2010  
svchost.exe          1384   688    9      101    Sat Feb 27 20:12:36 2010 

Using the 'dot' output option of the psscan2 plugin it is possible to generate a visual tree view of the process relationships:

$ python volatility psscan2 -d -f Bob.vmem > output.dot
$ dot -Tpng:cairo:gd output.dot -o example.png



2. List the sockets that were open on the victim’s machine during infection. Are there any suspicious processes that have sockets open? (4pts)

$ python volatility sockets -f Bob.vmem

Pid    Port   Proto  Create Time               
4      0      47     Fri Feb 26 03:35:00 2010  
1040   68     17     Sat Feb 27 20:12:35 2010  
880    1185   6      Sat Feb 27 20:12:36 2010  
4      1030   6      Fri Feb 26 03:35:00 2010  
700    500    17     Fri Feb 26 03:34:26 2010  
4      138    17     Sat Feb 27 19:48:57 2010  
1244   1189   6      Sat Feb 27 20:12:37 2010  
1040   1181   17     Sat Feb 27 20:12:35 2010  
1100   1047   17     Fri Feb 26 03:43:12 2010  
880    30301  6      Sat Feb 27 20:12:36 2010  
4      445    6      Fri Feb 26 03:34:02 2010  
1040   123    17     Sat Feb 27 19:48:57 2010  
948    135    6      Fri Feb 26 03:34:07 2010  
1752   1178   6      Sat Feb 27 20:12:32 2010  
888    1168   6      Sat Feb 27 20:11:53 2010  
1752   1177   17     Sat Feb 27 20:12:32 2010  
1244   2869   6      Sat Feb 27 20:12:37 2010  
1040   123    17     Sat Feb 27 19:48:57 2010  
888    1171   6      Sat Feb 27 20:11:53 2010  
700    0      255    Fri Feb 26 03:34:26 2010  
1100   1025   17     Fri Feb 26 03:34:34 2010  
1244   1900   17     Sat Feb 27 19:48:57 2010  
1040   1182   17     Sat Feb 27 20:12:35 2010  
4      139    6      Sat Feb 27 19:48:57 2010  
1040   1186   17     Sat Feb 27 20:12:36 2010  
2024   1026   6      Fri Feb 26 03:34:35 2010  
888    1172   6      Sat Feb 27 20:11:53 2010  
888    1176   6      Sat Feb 27 20:12:28 2010  
1244   1900   17     Sat Feb 27 19:48:57 2010  
880    1184   6      Sat Feb 27 20:12:36 2010  
700    4500   17     Fri Feb 26 03:34:26 2010  
4      137    17     Sat Feb 27 19:48:57 2010  
4      445    17     Fri Feb 26 03:34:02 2010  
888    1169   6      Sat Feb 27 20:11:53 2010  


How about filtering by the suspicious Pids?

$ python volatility sockets -f Bob.vmem > sockets.txt


Create a text file 'pids' listing 880, 888, 640, and 1752

$ grep -f pids sockets.txt

Pid    Port   Proto  Create Time
880    1185   6      Sat Feb 27 20:12:36 2010  
880    30301  6      Sat Feb 27 20:12:36 2010  
1752   1178   6      Sat Feb 27 20:12:32 2010  
888    1168   6      Sat Feb 27 20:11:53 2010  
1752   1177   17     Sat Feb 27 20:12:32 2010  
888    1171   6      Sat Feb 27 20:11:53 2010  
888    1172   6      Sat Feb 27 20:11:53 2010  
888    1176   6      Sat Feb 27 20:12:28 2010  
880    1184   6      Sat Feb 27 20:12:36 2010  
888    1169   6      Sat Feb 27 20:11:53 2010  

Reorder by date/time:

Pid    Port   Proto  Create Time
888    1168   6      Sat Feb 27 20:11:53 2010
888    1171   6      Sat Feb 27 20:11:53 2010  
888    1172   6      Sat Feb 27 20:11:53 2010  
888    1169   6      Sat Feb 27 20:11:53 2010
888    1176   6      Sat Feb 27 20:12:28 2010

1752   1178   6      Sat Feb 27 20:12:32 2010 
1752   1177   17     Sat Feb 27 20:12:32 2010 
880    1185   6      Sat Feb 27 20:12:36 2010  

880    30301  6      Sat Feb 27 20:12:36 2010  
880    1184   6      Sat Feb 27 20:12:36 2010

$ python volatility connections -f Bob.vmem

Local Address             Remote Address            Pid   
192.168.0.176:1176        212.150.164.203:80        888   
192.168.0.176:1184        193.104.22.71:80          880   
127.0.0.1:1168            127.0.0.1:1169            888   
127.0.0.1:1169            127.0.0.1:1168            888   
192.168.0.176:2869        192.168.0.1:30379         1244  
192.168.0.176:1178        212.150.164.203:80        1752  
192.168.0.176:1185        193.104.22.71:80          880   
192.168.0.176:1171        66.249.90.104:80          888   
192.168.0.176:2869        192.168.0.1:30380         4     
192.168.0.176:1189        192.168.0.1:9393          1244  
192.168.0.176:1172        66.249.91.104:80          888

Here is the condensed series of events:
  1. Firefox is running under Pid 888
  2. Adobe Reader opens a socket under Pid 1752
  3. Svchost.exe opens a socket under Pid 880
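As an added example (not the post's own code), the same correlation can be done in a short Python script that parses the pslist, sockets and connections output above, joins them on the Pid and sorts by socket creation time. Matching on the parsed Pid field avoids the substring false positives that grep -f pids can give (a pattern such as 880 also matches a port number containing those digits). The three excerpts embedded in the script are constructed from the post's output and kept in the same column layout.

```python
"""Join Volatility pslist / sockets / connections output on the Pid and build a
socket timeline for the processes of interest.

Added example, not code from the original post. The three excerpts below are
constructed from the post's own output, kept in the same column layout.
"""
from datetime import datetime

TIME_FMT = "%a %b %d %H:%M:%S %Y"
PROTO_NAMES = {6: "tcp", 17: "udp"}

PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
winlogon.exe         644    548    21     521    Fri Feb 26 03:34:04 2010
svchost.exe          880    688    28     340    Fri Feb 26 03:34:07 2010
explorer.exe         1756   1660   14     345    Fri Feb 26 03:34:38 2010
firefox.exe          888    1756   9      172    Sat Feb 27 20:11:53 2010
AcroRd32.exe         1752   888    8      184    Sat Feb 27 20:12:23 2010
"""

SOCKETS = """\
Pid    Port   Proto  Create Time
880    1185   6      Sat Feb 27 20:12:36 2010
1040   1181   17     Sat Feb 27 20:12:35 2010
880    30301  6      Sat Feb 27 20:12:36 2010
1752   1178   6      Sat Feb 27 20:12:32 2010
888    1168   6      Sat Feb 27 20:11:53 2010
1752   1177   17     Sat Feb 27 20:12:32 2010
888    1176   6      Sat Feb 27 20:12:28 2010
880    1184   6      Sat Feb 27 20:12:36 2010
"""

CONNECTIONS = """\
Local Address             Remote Address            Pid
192.168.0.176:1176        212.150.164.203:80        888
192.168.0.176:1184        193.104.22.71:80          880
127.0.0.1:1168            127.0.0.1:1169            888
192.168.0.176:1178        212.150.164.203:80        1752
192.168.0.176:1185        193.104.22.71:80          880
"""


def parse_pslist(text):
    """{pid: (name, ppid, start)}; the Time column contains spaces, so split at most 5 times."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[1].isdigit():
            name, pid, ppid, _thds, _hnds, when = parts
            procs[int(pid)] = (name, int(ppid), datetime.strptime(when.strip(), TIME_FMT))
    return procs


def parse_sockets(text):
    """[(pid, port, proto, created)] for every data row; the header is skipped."""
    socks = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            pid, port, proto, when = parts
            socks.append((int(pid), int(port), int(proto), datetime.strptime(when.strip(), TIME_FMT)))
    return socks


def parse_connections(text):
    """{(pid, local_port): remote_address} for every data row."""
    conns = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            local, remote, pid = parts
            conns[(int(pid), int(local.rsplit(":", 1)[1]))] = remote
    return conns


def socket_timeline(pids_of_interest, pslist=PSLIST, sockets=SOCKETS, connections=CONNECTIONS):
    """Chronological (created, pid, name, port, proto, remote) rows for exactly the given
    Pids: the Pid is compared as a parsed integer, so 880 never matches port 1880."""
    procs = parse_pslist(pslist)
    conns = parse_connections(connections)
    wanted = set(pids_of_interest)
    rows = []
    for pid, port, proto, created in parse_sockets(sockets):
        if pid in wanted:
            name = procs[pid][0] if pid in procs else "<not in pslist>"
            remote = conns.get((pid, port), "-")  # "-" for listening / unconnected sockets
            rows.append((created, pid, name, port, PROTO_NAMES.get(proto, str(proto)), remote))
    rows.sort()
    return rows


if __name__ == "__main__":
    for created, pid, name, port, proto, remote in socket_timeline([880, 888, 1752]):
        print(f"{created:%b %d %H:%M:%S}  {name:<12} pid={pid:<5} {proto}/{port:<5} -> {remote}")
```

To run it against the real output, read sockets.txt and the pslist/connections captures into the three string arguments instead of the embedded excerpts.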

3. List any suspicious URLs that may be in the suspected process’s memory. (2pts)

Volatility includes a perfect plugin, "strings", to answer this; however, the input required is a list of strings paired with the hexadecimal offset.  Using strings on my *nix machine failed to produce the input that Volatility desired.  Using strings.exe from Sysinternals, as suggested in the Volatility README.txt, worked as expected.

Generate strings output:

c:\strings.exe -a -o -n 5 Bob.vmem > Bob.vmem.strings

Use the Volatility plugin strings to associate particular URLs with a Pid:

$ python volatility strings -s Bob.vmem.strings -f Bob.vmem > output.strings
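The strings plugin wants one line per string: the file offset, a colon and the string, which is the layout strings.exe -o produces. The following added script (mine, not part of the original post; that the plugin accepts a decimal offset in this form is my assumption) generates such a list directly from the image in Python, ASCII and UTF-16LE strings alike, so the Windows binary is not needed on a *nix analysis box. The SAMPLE buffer is constructed.

```python
"""Produce the 'offset:string' list the Volatility strings plugin consumes
from a raw memory image, without relying on a particular strings binary.

Added example, not from the original post. It assumes the plugin wants one
line per string in the form <decimal file offset>:<string>, the layout that
Sysinternals strings.exe -o emits; the sample buffer below is constructed.
"""
import mmap
import re

MIN_LEN = 5  # same floor as the post's strings.exe -n 5

# Constructed sample: some short junk, a URL, a UTF-16LE file name.
SAMPLE = (b"\x00\x01xyz\x00"
          + b"http://193.104.22.71/~produkt/9j856f_4m9y8urb.php" + b"\x00\x00"
          + "sdra64.exe".encode("utf-16-le") + b"\x00\xff" + b"ab\x00")


def extract_strings(data, min_len=MIN_LEN, include_unicode=True):
    """Return (offset, text) pairs, sorted by offset, for every printable run.

    ASCII runs are bytes 0x20-0x7e; UTF-16LE runs are such bytes each followed
    by NUL (strings.exe reports both kinds by default). `data` may be bytes or
    an mmap, so a multi-gigabyte image need not be read into memory.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    if include_unicode:
        found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_run.finditer(data)]
    found.sort()
    return found


def format_lines(pairs):
    """'offset:string' lines with a decimal, unpadded offset."""
    return ["%d:%s" % (off, text) for off, text in pairs]


def write_strings_file(image_path, out_path, min_len=MIN_LEN):
    """Scan a whole image through mmap and write the list; returns the line count."""
    with open(image_path, "rb") as img, open(out_path, "w") as out:
        mm = mmap.mmap(img.fileno(), 0, access=mmap.ACCESS_READ)
        try:
            lines = format_lines(extract_strings(mm, min_len))
        finally:
            mm.close()
        out.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(write_strings_file(sys.argv[1], sys.argv[2]), "strings written")
    else:
        print("\n".join(format_lines(extract_strings(SAMPLE))))
```

Run as `python mkstrings.py Bob.vmem Bob.vmem.strings` (script name assumed) and hand the result to `volatility strings -s`; without arguments it prints the two strings in the constructed sample.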

Pid 880 / svchost.exe / URLs:

/~produkt/983745213424/34650798253 HTTP/1.1
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php
POST /~produkt/9j856f_4m9y8urb.php HTTP/1.1
http://193.104.22.71/~produkt/69825439870/73846525#N
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php&N
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php

Pid 888 / firefox.exe / URLs (duplicates removed):

http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
GET /cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/favicon.ico

Pid 1752 / AcroRd32.exe / URLs:

http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=1
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=3
http://search-network-plus.com/load.php?a=a&st=Internet%20Explorer%206.0&e=2
http://www.oldversion.com/download/firefox1502.exe
Path: kontera.com/

Other suspect URLs found in the memory dump:

[kernel:8047dae8 ] http://kona.kontera.com/javascript/lib/KonaLibInline.js
[kernel:8047dde8 ] http://kona.kontera.com/javascript/lib/2010_02_24_2/KonaBase.js
[kernel:8047df68 ] http://kona5.kontera.com/KonaGet.js?u=1267155818664&p=116534&k=http%3A//www.oldversion.com/Acrobat-Reader.htmlIE&al=1&l=http%3A//www.oldversion.com/Acro
[1756:1265568 ] Visited: Administrator@http://www.oldversion.com/download/acrobat60.exe

Domain Reputation

Not all of the URLs found in the memory dump were malicious.  Searching various IP reputation sources provided useful clues to identify the malware.  Some sites yielded no results for a given domain/address while others identified malicious sites.  My research of each found that for reliable results at least three different sources should be used when checking a domain or IP address reputation.


A few recommended sites are...
  • http://google.com
  • http://www.trustedsource.org/query/
  • http://www.malwaredomainlist.com/mdl.php
  • http://www.mywot.com/
  • http://www.malwareurl.com/index.php
  • http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=microsoft.com

Domain: search-network-plus.com
Status: Confirmed Malicious - documented ZeuS botnet and PDF exploits


Domain/IP:  193.104.22.71
Status: Confirmed Malicious - documented ZeuS botnet


Domain: www.oldversion.com
Status: Reports of Malicious Content


Although the domain receives a respectable rating (somewhat questionable in itself) it is not without warning!



Domain: kona.kontera.com
Status: Confirmed Malicious

4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts)

At this point it is clear that some processes are initiating connections to ZeuS botnet C&C servers.  With the confirmation that this is a bot produced by the ZeuS malware toolkit, looking at Pid 644 (winlogon.exe) shows that this banking-related URL is present:

$ grep -i bank pid.644.strings
360893288  [644:1312b68 ] Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome

5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (6pts)

Volatility again provides a plugin, files, to show open files; it lists a large amount of information, so some data reduction is needed.  Redirect the output to a file, then search that file ('files') for keywords from a 'dirtywords' list of known bad file names associated with ZeuS bots.

File dirtywords contains:

local.ds
user.ds
ntos.exe
oembios.exe
sdra64.exe
sysproc32.sys
sysproc86.sys
local.ds
user.ds
twext.exe
audio.dll
video.dll

Dump process files to a file:

$ volatility files -f Bob.vmem > files

Next step, grep for any of the dirtywords in the process file output.

$ grep -nif dirtywords files
41:File   \WINDOWS\system32\sdra64.exe            
44:File   \WINDOWS\system32\lowsec\user.ds        
177:File   \WINDOWS\system32\lowsec\local.ds       
267:File   \WINDOWS\system32\lowsec\user.ds.lll    

Positive hits... we are on the right track.

  • sdra64.exe (malicious executable, child of winlogon.exe Pid 644)
  • user.ds  (stolen information stored here, child of winlogon.exe Pid 644)
  • local.ds (encrypted config, child of winlogon.exe Pid 644)
  • user.ds.lll (child of svchost.exe Pid 880)

Previously the banking URL was found in Pid 644 (winlogon.exe).  The malicious files associated with Pid 644 are new to this analysis; so far only Pids 888, 880 and 1752 had been examined.

6. If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts)

The initial process, AcroRd32.exe (Pid 1752), was exploited by a malicious PDF document.  To identify the technique used to exploit the host the document must be analyzed.  The PDF can be extracted manually or carved using foremost.  The latter approach was applied and produced 63 potential PDF documents.

Configure foremost.conf to search for and extract only the PDF header/footer pair (%PDF- and %EOF):

./foremost -i Bob.vmem -c foremost.conf

foremost extracts 63 PDF documents to analyze.  Thankfully, a set of PDF parsing tools from Didier Stevens makes this an easy task.  The tool pdf-parser.py can search for terms embedded in the document.  Looking for keywords such as "javascript" is a good first step.

Using a for loop to search through the directory of PDFs generated by foremost shows some interesting output: a run of x86 NOPs filled the terminal, which is a good indication that bad stuff is to follow.

for i in ./output/pdf/*.pdf; do echo "File $i"; pdf-parser.py --search javascript "$i"; done


The PDF 00769000.pdf (MD5 32faa35102a6d56a86260b5535ba14d6) was found to contain this run of NOPs.  Uploading it to VirusTotal shows that only Avast detects the presence of Zbot.



Looking for the shell code:

Browsing the binary PDF with xxd, the start of a PE executable is visible.


Other fragments:


pdfid shows the following objects contained within this PDF.  There is no low-hanging fruit such as JavaScript or JBIG2Decode.

$ pdfid.py 00769000.pdf
PDFiD 0.0.10 00769000.pdf
 PDF Header: %PDF-1.4
 obj                   77
 endobj                75
 stream                21
 endstream             21
 xref                   1
 trailer                1
 startxref              1
 /Page                  3
 /Encrypt               0
 /ObjStm                3
 /JS                    0
 /JavaScript            0
 /AA                    0
 /OpenAction            0
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Colors > 2^24         0

After hours of attempts, inflating the object streams proved fruitless.  Ideally, one of the object streams of type "file" would contain one or more payloads, which may be further obfuscated.
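The carve-and-triage steps above (foremost, then pdfid-style keyword counts) can be reproduced in a few dozen lines of Python. The script below is an added example, not foremost or Didier Stevens' tools: it uses the same %PDF-/%EOF header and footer pair, stops at the first footer like foremost's default pdf rule, and normalises #xx escapes in names so an obfuscated /J#61vaScript is still counted as /JavaScript. The image it scans is a constructed byte string, not Bob.vmem.

```python
"""Carve PDF candidates from a raw image and triage them pdfid-style.

Added example, not the post's foremost/pdfid output. The image below is a
constructed byte string holding one benign PDF, one with /OpenAction and
JavaScript (an escaped name, /J#61vaScript, to show why names must be
normalised), and one orphan header with no trailer.
"""
import hashlib
import re

PDF_HEADER = b"%PDF-"
PDF_FOOTER = b"%EOF"   # the footer foremost.conf uses; also the tail of "%%EOF"
MAX_PDF = 5_000_000    # per-candidate size cap, as in foremost's default pdf rule
KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"/ObjStm", b"/JS",
            b"/JavaScript", b"/AA", b"/OpenAction", b"/JBIG2Decode", b"/RichMedia"]
# Indicators whose presence alone warrants a closer look.
ACTIVE = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/JBIG2Decode", "/RichMedia")

BENIGN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Count 0 >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
SUSPECT = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
           b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert('hello')) >>\nendobj\n"
           b"4 0 obj\n<< /Type /ObjStm /N 2 >>\nstream\n...\nendstream\nendobj\n%%EOF\n")
IMAGE = (b"\x00" * 64 + BENIGN + b"\xff" * 32 + SUSPECT
         + b"%PDF-1.7 no trailer follows" + b"\x00" * 16)


def carve_pdfs(data, max_len=MAX_PDF):
    """Return (offset, pdf_bytes) for each header with a footer within max_len.
    Like foremost's default rule this stops at the first footer, so a file with
    incremental updates (several %%EOF) is truncated at its first one."""
    found, pos = [], 0
    while True:
        start = data.find(PDF_HEADER, pos)
        if start < 0:
            break
        end = data.find(PDF_FOOTER, start, start + max_len)
        if end < 0:                       # header without a reachable trailer: skip it
            pos = start + len(PDF_HEADER)
            continue
        end += len(PDF_FOOTER)
        found.append((start, bytes(data[start:end])))
        pos = end
    return found


def normalise_names(pdf):
    """Undo #xx escapes inside names so /J#61vaScript is counted as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), pdf)


def count_keywords(pdf):
    """Whole-token counts of the indicators pdfid reports."""
    text = normalise_names(pdf)
    counts = {}
    for kw in KEYWORDS:
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9])"
        if not kw.startswith(b"/"):       # 'obj' must not match inside 'endobj'
            pattern = rb"(?<![A-Za-z0-9])" + pattern
        counts[kw.decode()] = len(re.findall(pattern, text))
    return counts


def triage(data):
    """One record per carved PDF: where it was, its hash, the counts and a verdict."""
    rows = []
    for offset, pdf in carve_pdfs(data):
        counts = count_keywords(pdf)
        rows.append({
            "offset": offset,
            "size": len(pdf),
            "md5": hashlib.md5(pdf).hexdigest(),
            "counts": counts,
            "suspicious": any(counts[k] for k in ACTIVE),
        })
    return rows


if __name__ == "__main__":
    for row in triage(IMAGE):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"offset {row['offset']:>8}  {row['size']:>6} bytes  md5 {row['md5']}  {flag}")
```

For a real image, pass the contents of Bob.vmem (an mmap works as well as bytes) to triage() and write each carved candidate to disk by its offset, which is what foremost's numbered file names encode.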

7. List suspicious files that were loaded by any processes on the victim’s machine. From this information, what was a possible payload of the initial exploit be that would be affecting the victim’s bank account? (2pts)

From answer to question 5...

  • sdra64.exe (malicious executable, child of winlogon.exe Pid 644)
  • user.ds  (stolen information stored here, child of winlogon.exe Pid 644)
  • local.ds (encrypted config, child of winlogon.exe Pid 644)
  • user.ds.lll (child of svchost.exe Pid 880)

An additional payload would include a banker/trojan malware which steals banking login information.

8. If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts)

To complete this section the additional plugin malfind2 was installed along with its dependencies.

Sample 1: The extracted binary malfind.644.a10000-a2cfff.dmp from process 644 is detected as Zbot:

$ volatility malfind2 -p 644 -d malware -f Bob.vmem



Sample 2: The extracted binary malfind.880.720000-73cfff.dmp from process 880 is detected as Zbot:

$ volatility malfind2 -p 880 -d malware -f Bob.vmem


The majority of AV scanners detect this malware.

9. Are there any related registry entries associated with the payload? (4pts)

This is a three-step process.  First, use hivescan to enumerate all the memory offsets where registry hives can be found:

$ python volatility hivescan -f Bob.vmem

Offset          (hex)          
44658696        0x2a97008      
44686176        0x2a9db60      
48529416        0x2e48008      
55269896        0x34b5a08      
57399112        0x36bd748      
59082008        0x3858518      
70588752        0x4351950      
111029088       0x69e2b60      
114539360       0x6d3bb60      
121604960       0x73f8b60      
180321120       0xabf7b60      
191408992       0xb68ab60      
244959264       0xe99c820   
 

Volatility plugin hivelist will show the offsets needed for the SOFTWARE registry hive.  To quickly parse through all the offsets listed in the output above, save the hex offset values into a file (hive.offsets) and loop through them with the hivelist plugin.

$ for i in $(cat hive.offsets); do python volatility hivelist -f Bob.vmem -o "$i"; done

(output omitted for brevity)


$ python volatility hivelist -f Bob.vmem -o 0x36bd748

Address      Name
0xe151ea08   \WINDOWS\system32\config\SAM
0xe153e518   \WINDOWS\system32\config\SECURITY
0xe139d008   [no name]
0xe1035b60   \WINDOWS\system32\config\system
0xe102e008   [no name]
0xe1d6cb60   \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1de0b60   \Documents and Settings\Administrator\NTUSER.DAT
0xe1769b60   \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17deb60   \Documents and Settings\LocalService\NTUSER.DAT
0xe1797b60   \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17a3820   \Documents and Settings\NetworkService\NTUSER.DAT
0xe1526748   \WINDOWS\system32\config\software
0xe15a3950   \WINDOWS\system32\config\default

Display the values for key Winlogon:

$ python volatility printkey -o 0xe1526748 -f Bob.vmem "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"

Key name: Winlogon (Stable)
Last updated: Sat Feb 27 12:12:34 2010

Subkeys:
   GPExtensions (Stable)
   Notify (Stable)
   SpecialAccounts (Stable)
   GPExtensions (Stable)
   Notify (Stable)
   SpecialAccounts (Stable)

Values:
REG_DWORD AutoRestartShell : 1 (Stable)
REG_SZ    DefaultDomainName : BOB-DCADFEDC55C (Stable)
REG_SZ    DefaultUserName : Administrator (Stable)
REG_SZ    LegalNoticeCaption :  (Stable)
REG_SZ    LegalNoticeText :  (Stable)
REG_SZ    PowerdownAfterShutdown : 0 (Stable)
REG_SZ    ReportBootOk : 1 (Stable)
REG_SZ    Shell      : Explorer.exe (Stable)
REG_SZ    ShutdownWithoutLogon : 0 (Stable)
REG_SZ    System     :  (Stable)
REG_SZ    Userinit   : C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, (Stable)
REG_SZ    VmApplet   : rundll32 shell32,Control_RunDLL "sysdm.cpl" (Stable)
REG_DWORD SfcQuota   : 4294967295 (Stable)
REG_SZ    allocatecdroms : 0 (Stable)
REG_SZ    allocatedasd : 0 (Stable)
REG_SZ    allocatefloppies : 0 (Stable)
REG_SZ    cachedlogonscount : 10 (Stable)
REG_DWORD forceunlocklogon : 0 (Stable)
REG_DWORD passwordexpirywarning : 14 (Stable)
REG_SZ    scremoveoption : 0 (Stable)
REG_DWORD AllowMultipleTSSessions : 1 (Stable)
REG_EXPAND_SZ UIHost     : logonui.exe (Stable)
REG_DWORD LogonType  : 1 (Stable)
REG_SZ    Background : 0 0 0 (Stable)
REG_SZ    AutoAdminLogon : 0 (Stable)
REG_SZ    DebugServerCommand : no (Stable)
REG_DWORD SFCDisable : 0 (Stable)
REG_SZ    WinStationsDisabled : 0 (Stable)
REG_DWORD HibernationPreviouslyEnabled : 1 (Stable)
REG_DWORD ShowLogonOptions : 0 (Stable)
REG_SZ    AltDefaultUserName : Administrator (Stable)
REG_SZ    AltDefaultDomainName : BOB-DCADFEDC55C (Stable)

The malware persistence mechanism is the Userinit value above: C:\WINDOWS\system32\sdra64.exe has been appended to the legitimate C:\WINDOWS\system32\userinit.exe, so the bot is launched at every logon.
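A check for exactly this kind of Winlogon tampering, as an added example that is not part of the original post: it parses printkey output of the layout shown above, splits the comma-separated Userinit/Shell/UIHost values and reports every entry missing from a clean-host baseline. The baseline is an assumption for a default Windows XP installation, and the excerpt is constructed with the Userinit value from the post.

```python
"""Flag tampering with the Winlogon values that Volatility printkey prints.

Added example, not from the original post. The clean-host baseline below is
an assumption for a default Windows XP install; the excerpt is constructed in
the layout of the post's printkey output, with the Userinit entry from the post.
"""
import re
from datetime import datetime

PRINTKEY_OUTPUT = """\
Key name: Winlogon (Stable)
Last updated: Sat Feb 27 12:12:34 2010

Values:
REG_DWORD AutoRestartShell : 1 (Stable)
REG_SZ    Shell      : Explorer.exe (Stable)
REG_SZ    Userinit   : C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe, (Stable)
REG_EXPAND_SZ UIHost     : logonui.exe (Stable)
"""

# "REG_SZ    Userinit   : <value> (Stable)"  ->  type, name, value
VALUE_LINE = re.compile(r"^(REG_\w+)\s+(\S+)\s*:\s*(.*?)\s*\((?:Stable|Volatile)\)\s*$")

# What these list-valued Winlogon entries hold on a clean host (assumed baseline).
BASELINE = {
    "Userinit": ["c:\\windows\\system32\\userinit.exe"],
    "Shell": ["explorer.exe"],
    "UIHost": ["logonui.exe"],
}


def parse_values(text):
    """Map value name -> raw value string for every REG_* line in the output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(2)] = m.group(3)
    return values


def last_updated(text):
    """Key timestamp as a naive datetime (the post notes these are recorded in UTC)."""
    m = re.search(r"^Last updated:\s*(.+?)\s*$", text, re.M)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y") if m else None


def split_list(value):
    """Winlogon values are comma-separated; drop the empty item a trailing comma leaves."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def find_persistence(text, baseline=BASELINE):
    """Return {value_name: [entries not in the baseline]} for each value that deviates;
    a value that is missing altogether is reported with an empty list."""
    values = parse_values(text)
    findings = {}
    for name, expected in baseline.items():
        actual = split_list(values.get(name, ""))
        extra = [entry for entry in actual if entry not in expected]
        if extra or not actual:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    print("key last updated:", last_updated(PRINTKEY_OUTPUT))
    for name, extra in find_persistence(PRINTKEY_OUTPUT).items():
        print(f"{name}: unexpected entries {extra}")
```

Feed it the saved output of `volatility printkey` for the Winlogon key; the returned timestamp can then be placed on the same timeline as the socket creation times once the UTC offset noted later in the post is applied.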

10. What technique was used in the initial exploit to inject code in to the other processes? (6pts)

  1. The user is logged in as Administrator, permitting all sorts of promiscuous behaviour
  2. JavaScript shellcode is served to the browser as a PDF, which is handled by Acrobat Reader
  3. There is evidence of the kernel interacting with JavaScript from the domain kontera.com
  4. The shellcode is successful in exploiting the Acrobat Reader flaw; a trojan downloader retrieves the bot and executes it
  5. Once the bot is executed it unpacks and decrypts itself into winlogon.exe, sets up its persistence mechanism and spawns a process via services.exe -> svchost.exe to begin communicating with the C&C servers.

User searches for old versions of software, finds Acrobat Reader 6.0
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.google.com/search?hl=en&source=hp&q=old+programs&aq=f&aqi=g10&aql=&oq=
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.msn.com
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/Acrobat-Reader.html
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download/acrobat60.exe
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download_Acrobat_Reader_6.0.html

Feb 26 03:34:04 2010, Source: Processes, Name: winlogon.exe ,Pid: 644 ,PPid: 548
Feb 26 03:34:05 2010, Source: Processes, Name: services.exe ,Pid: 688 ,PPid: 644

User again searches for old software, this time it's Firefox 1.5.0.2
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.google.com/search?hl=en&source=hp&q=oldarchives&aq=f&aqi=g-sx5g-s1&aql=&oq=
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/Mozilla-Firefox.html
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download/firefox1502.exe
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download_Mozilla_Firefox_1.5.0.2.html

Firefox started
Feb 27 20:11:53 2010, Source: Processes, Name: firefox.exe ,Pid: 888 ,PPid: 1756

Acrobat Reader started and is exploited
Feb 27 20:12:23 2010, Source: Processes, Name: AcroRd32.exe ,Pid: 1752 ,PPid: 888
Feb 27 20:12:28 2010, Source: Socket, PID: 888,Port: 1176, Protocol: 6
Feb 27 20:12:32 2010, Source: Socket, PID: 1752,Port: 1177, Protocol: 17
Feb 27 20:12:32 2010, Source: Socket, PID: 1752,Port: 1178, Protocol: 6

Feb 27 12:12:34 2010, Winlogon Registry Key Last Update Time (Note: Hour is off by -8, but the minutes and seconds are right in line with the chain of events.  The registry is recorded in UTC, the TimeZoneInformation registry value indicates EST.)

Svchost.exe opens three sockets and connects to C&C server
Feb 27 20:12:36 2010, Source: Socket, PID: 880,Port: 1184, Protocol: 6
Feb 27 20:12:36 2010, Source: Socket, PID: 880,Port: 1185, Protocol: 6
Feb 27 20:12:36 2010, Source: Socket, PID: 880,Port: 30301, Protocol: 6


Resources

Contest URL: https://www.honeynet.org/challenges/2010_3_banking_troubles
https://zeustracker.abuse.ch/faq.php
http://www.fortiguard.com/analysis/zeusanalysis.html

Disclaimer
These are my answers which have not been validated against the official results.  Updates/corrections will be made if necessary once the results are published.  Feedback and comments are always welcome.



Other interesting bits...

User appears to own a D-Link home router/firewall at 192.168.0.1 and a client at 192.168.0.176

Typed the search term "old software" into Google:

http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20sof&cp=7
http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20soft&cp=8
http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20software&cp=12
http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20software&cp=12
http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=

Time stamps found in the memdump:

:2010022720100228: Administrator@http://www.msn.com
:2010022720100228: Administrator@http://www.google.com
:2010022720100228: Administrator@http://www.google.com/search?hl=en&source=hp&q=oldarchives&aq=f&aqi=g-sx5g-s1&aql=&oq=
:2010022720100228: Administrator@http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
:2010022720100228: Administrator@http://www.oldversion.com
:2010022720100228: Administrator@http://www.oldversion.com/Mozilla-Firefox.html
:2010022720100228: Administrator@http://www.oldversion.com/download_Mozilla_Firefox_1.5.0.2.html
:2010022720100228: Administrator@http://www.oldversion.com/download/firefox1502.exe

:2010022520100226: Administrator@http://www.msn.com
:2010022520100226: Administrator@http://www.google.com
:2010022520100226: Administrator@http://www.google.com/search?hl=en&source=hp&q=old+programs&aq=f&aqi=g10&aql=&oq=
:2010022520100226: Administrator@http://www.oldversion.com
:2010022520100226: Administrator@http://www.oldversion.com/Acrobat-Reader.html
:2010022520100226: Administrator@http://www.oldversion.com/download_Acrobat_Reader_6.0.html
:2010022520100226: Administrator@http://www.oldversion.com/download/acrobat60.exe

Visited: Administrator@http://www.google.com
Visited: Administrator@http://www.msn.com
Visited: Administrator@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Visited: Administrator@http://www.oldversion.com/download/acrobat60.exe
Visited: Administrator@http://www.google.com/search?hl=en&source=hp&q=old+programs&aq=f&aqi=g10&aql=&oq=
Visited: Administrator@http://www.oldversion.com
Visited: Administrator@http://www.oldversion.com/Acrobat-Reader.html
Visited: Administrator@http://www.oldversion.com/download_Acrobat_Reader_6.0.html
Visited: Administrator@http://home.microsoft.com
Visited: Administrator@http://www.google.com/search?hl=en&source=hp&q=oldarchives&aq=f&aqi=g-sx5g-s1&aql=&oq=
Visited: Administrator@http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=

Visited: Administrator@http://www.oldversion.com/Mozilla-Firefox.html
Visited: Administrator@http://www.oldversion.com/download_Mozilla_Firefox_1.5.0.2.html
Visited: Administrator@http://www.oldversion.com/download/firefox1502.exe

The user appears to have been presented with some HTML snippets from ads or email containing the malicious URL:

The user seems to have been redirected to a kontera domain from oldversion.com:

http://te.kontera.com/ContentLink/ContentLink?publisherId=116534&layout=adlinks&sId=142&cb=1267300209&creative=L&cn=us&pRfr=http%3A//www.oldversion.com/Mozilla-Firefox.html&pRfr=&keys=Mozilla%20Firefox;browser;Application;development&kids=45239;682919;461663;595008&iit=1;1;1;1&index=0&cbl=0&ab=1&onf=1&omk=1&resultNum=1&time=5500&dc_aff_id=&bt=1&mod=27&rId=116534_1267300209255_05828260058095254&prev_page=http%3A//www.oldversion.com/&ptv=&ur=1&sids=5544;7753;19447;-0-0-7753;6497;&tag=0



Friday, April 9, 2010

SANS Network Forensic Puzzle #4

Okay, it's overdue and I'm getting further and further behind my usual walk through of the SANS forensics puzzles (This may be the last as I'm losing interest.).  So here it is!  Please feel free to contact me if you have any questions or corrections.

1. What was the IP address of Mr. X’s scanner?

Using Wireshark, navigate to Statistics and select IP Addresses...; ignore the Filter dialog and just click Create Stat.


In this sample we can easily identify the top talker...


Judging by the high count of packets being generated by 10.42.42.253 it is very likely the source of the scanning activity in this PCAP.

2. For the FIRST port scan that Mr. X conducted, what type of port scan was it?

(Note: the scan consisted of many thousands of packets.) Pick one:

* TCP SYN
* TCP ACK
* UDP
* TCP Connect
* TCP XMAS
* TCP RST


This is where (in my humble opinion) a command line tool excels: to confirm what type of scan it is we need to systematically run through the possibilities.

If you are unfamiliar with Wireshark/Tshark display filter syntax, a 1 indicates that the bit is set (true) and a 0 indicates that it is not set (false).  See the reference links at the end of this article to brush up on TCP flags and their values.

TCP SYN (0x02) - Search for segments containing only the SYN flag from the scanner

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags.cwr == 0 && tcp.flags.ecn == 0 && tcp.flags.urg == 0 && tcp.flags.ack == 0 && tcp.flags.push == 0 && tcp.flags.reset == 0 &&  tcp.flags.syn == 1 && tcp.flags.fin == 0" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

...that's a mess.  You could try something more straightforward using the hexadecimal value for the SYN bit:

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x02" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 7414 matches - not bad; it seems like this could be a SYN scan.


TCP ACK (0x10) - Search for segments containing only the ACK flag from the scanner

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x10" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 11 matches - Compared to the previous result this is not likely the scan we are looking for.


UDP - Search for a large number of UDP packets from the scanner

$ tshark -R "ip.src == 10.42.42.253 && udp" -Tfields -e frame -e ip.src -e ip.dst -e udp.dstport -r evidence04.pcap

Result: 8 matches - that's fewer than TCP ACK, so the odds are not good that this is a UDP scan


TCP Connect (0x10) - The attributes of a TCP Connect scan are similar to those of a SYN scan, so we cannot simply look for the SYN packets.  Unlike the SYN scan, the TCP Connect scan completes the TCP three-way handshake by sending the ACK packet back to the target if it receives a SYN/ACK.  Searching for segments with the ACK flag sent from the scanner could be misleading if there were an ACK scan in progress.  We need more data!  Inspecting the previous packet in the sequence (note the addition of tcp.stream to the tshark fields list) makes it possible to associate it with a SYN/ACK from the target, thus confirming the presence of a TCP Connect scan.

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x10" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.stream -r evidence04.pcap


Output:

Frame 791     10.42.42.253    10.42.42.50    139    0x10    390
Frame 4389     10.42.42.253    10.42.42.50    135    0x10    2235
Frame 13531     10.42.42.253    10.42.42.50    135    0x10    7413
Frame 13532     10.42.42.253    10.42.42.50    139    0x10    7414
Frame 13543     10.42.42.253    10.42.42.50    135    0x10    7415
Frame 13547     10.42.42.253    10.42.42.50    135    0x10    7415
Frame 13593     10.42.42.253    10.42.42.56    1    0x10    7425
Frame 13594     10.42.42.253    10.42.42.25    1    0x10    7426
Frame 13606     10.42.42.253    10.42.42.50    135    0x10    7431
Frame 13610     10.42.42.253    10.42.42.50    1    0x10    7433
Frame 13622     10.42.42.253    10.42.42.56    1    0x10    7425

(Note: I like to include the frame number for ease of locating the packet in Wireshark.)



Result: 11 matches - not too many - if this were an ACK scan there would be hundreds or thousands of ACK packets coming from the scanner.  In the output above, let's look at the first TCP stream identified as 390:

$ tshark -R "tcp.stream eq 390" -Tfields  -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.stream -r evidence04.pcap

Frame 779     10.42.42.253    10.42.42.50    139    0x02    390
Frame 786     10.42.42.50    10.42.42.253    56257    0x12    390
Frame 791     10.42.42.253    10.42.42.50    139    0x10    390
Frame 821     10.42.42.253    10.42.42.50    139    0x14    390

The sequence above confirms that this is *not* a SYN scan: the scanner answered the target's SYN/ACK (flags 0x12) with an ACK (flags 0x10) and only then tore the connection down with a RST/ACK (0x14). Nor is it an ACK scan, since only eleven bare ACKs left the scanner in the whole capture. Given the evidence above, this first scan is a TCP Connect scan.

To be thorough the XMAS and RST scans are examined next.

TCP XMAS
(0x29) - Search for segments from the scanner with FIN, PSH and URG set. Those bits are 0x01, 0x08 and 0x20, so the combined value is 0x29 (0x31 would be FIN+ACK+URG, a combination no scan uses).

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x29" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 4 matches (the 0x29 entries in the flag-frequency table further down). A handful of probes is not a port scan; together with the single 0x2b, 0xc2 and 0x00 segments in that table they look like the unusual flag combinations nmap sends during OS detection rather than an XMAS sweep of the hosts.


TCP RST
(0x04) - Search for bare RST segments sent from the scanner

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x04" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 10 matches - all with the same destination IP, so this is not a host-enumeration scan.


Side Note: Here is a little exercise that extracts the TCP flag values and counts how often each value occurs.

Step 1: Extract SRC IP, DST IP, DST Port and TCP Flags field and save it to a CSV file:

$ tshark -R "ip.src == 10.42.42.253" -Tfields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -E separator=, -r evidence04.pcap > output.txt

Although you could extract only the flags field, I pulled the additional fields so the same file can be reused to analyze ports and target IPs.

Next, pluck the distinct TCP flag values out of output.txt (the fourth field; non-TCP rows leave it empty):

$ awk -F, '{print $4}' output.txt | sort -u > list.txt

Should look something like this:

$ cat  list.txt 

0x00
0x02
0x04
0x10
0x11
0x14
0x18
0x29
0x2b
0xc2

Step 2.  That gives you a distinct list of all the TCP flag values in hexadecimal.  Now count each one with this Bash loop (grep -c matches the string anywhere on the line, which is safe here because the other fields, IP addresses and decimal ports, never contain "0x"):

$ for i in `cat list.txt`; do echo -n "TCP Flag: $i, Count: " ; grep -c $i output.txt; done
TCP Flag: 0x00, Count: 1
TCP Flag: 0x02, Count: 7414
TCP Flag: 0x04, Count: 10
TCP Flag: 0x10, Count: 11
TCP Flag: 0x11, Count: 3
TCP Flag: 0x14, Count: 2
TCP Flag: 0x18, Count: 3
TCP Flag: 0x29, Count: 4
TCP Flag: 0x2b, Count: 1
TCP Flag: 0xc2, Count: 1

Flag counts alone would give an inaccurate answer: the 7414 SYN segments look the same whether they come from a SYN scan or a TCP Connect scan, and only following a stream, as done above with stream 390, shows which one it is.
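
The stream check above and the flag-count exercise can be folded into one script. What follows is an added example written for this page, not code from the original write-up: it reads the same comma-separated tshark field output as output.txt with tcp.stream added as a fifth field, builds the flag histogram, flags any combinations that no normal TCP stack sends, and then classifies each stream by what the scanner did after the target's SYN/ACK (an ACK means a Connect scan, a RST means a SYN scan). The input lines are constructed; only stream 390 mirrors the capture, the other streams are placeholders that exercise the remaining outcomes.

```python
"""Classify TCP scan type per stream from tshark field output.

Added example, not from the original post.  Input is the comma-separated
form produced by:
  tshark -R "ip.src == SCANNER || ip.dst == SCANNER" -Tfields \
    -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.stream \
    -E separator=, -r evidence04.pcap
The SAMPLE lines are constructed; stream 390 mirrors the post, the rest
are placeholders that exercise the other outcomes.
"""
from collections import Counter, defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SYN_ACK = SYN | ACK

SCANNER = "10.42.42.253"

SAMPLE = """\
10.42.42.253,10.42.42.50,139,0x02,390
10.42.42.50,10.42.42.253,56257,0x12,390
10.42.42.253,10.42.42.50,139,0x10,390
10.42.42.253,10.42.42.50,139,0x14,390
10.42.42.253,10.42.42.50,135,0x02,391
10.42.42.50,10.42.42.253,56258,0x12,391
10.42.42.253,10.42.42.50,135,0x04,391
10.42.42.253,10.42.42.50,445,0x02,392
10.42.42.50,10.42.42.253,56259,0x14,392
10.42.42.253,10.42.42.56,22,0x02,393
10.42.42.253,10.42.42.50,22,0x29,394
"""


def parse_rows(text):
    """(src, dst, dport, flags, stream) tuples; non-TCP rows (empty fields) are skipped."""
    rows = []
    for line in text.splitlines():
        src, dst, dport, flags, stream = line.split(",")
        if not flags:
            continue
        rows.append((src, dst, int(dport), int(flags, 16), int(stream)))
    return rows


def flag_histogram(rows, scanner=SCANNER):
    """Same result as the bash grep -c loop, keyed by the hex flag string."""
    return Counter(f"0x{flags:02x}" for src, _, _, flags, _ in rows if src == scanner)


def classify_stream(packets, scanner=SCANNER):
    """packets: [(src, flags), ...] for one tcp.stream in capture order."""
    saw_syn_ack = False
    for src, flags in packets:
        if src != scanner and flags & SYN_ACK == SYN_ACK:
            saw_syn_ack = True            # target says the port is open
        elif src == scanner and saw_syn_ack:
            if flags & RST:
                return "syn"              # half-open: scanner RSTs right after SYN/ACK
            if flags & ACK:
                return "connect"          # scanner completed the handshake
    return "open-unconfirmed" if saw_syn_ack else "closed-or-filtered"


def classify_scan(rows, scanner=SCANNER):
    """Per-stream verdicts; the dominant one tells you the scan type."""
    streams = defaultdict(list)
    for src, dst, dport, flags, stream in rows:
        streams[stream].append((src, flags))
    return Counter(classify_stream(pkts, scanner) for pkts in streams.values())


def odd_flag_values(hist):
    """Flag combinations no normal stack emits (XMAS, NULL, SYN+ECN, ...)."""
    normal = {SYN, SYN_ACK, ACK, RST, RST | ACK, FIN | ACK, PSH | ACK, FIN | PSH | ACK}
    return sorted(f for f in hist if int(f, 16) not in normal)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print("flag histogram:", dict(flag_histogram(rows)))
    print("stream verdicts:", dict(classify_scan(rows)))
    print("odd flag values:", odd_flag_values(flag_histogram(rows)))
```

Run it as-is to see the verdict counts for the sample; against a real capture, replace SAMPLE with the tshark output and keep the scanner address in SCANNER. The dominant verdict is the scan type. A stream that never sees a SYN/ACK is counted as closed or filtered, which is also what a SYN scan of closed ports looks like, so the classification only carries weight on streams where the target answered.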

3. What were the IP addresses of the targets Mr. X discovered?

With this command you can quickly produce a distinct list of targets (destination IPs):

$ tshark -R "ip.dst" -Tfields -e ip.dst -r evidence04.pcap | sort -u
10.255.255.255
10.42.42.25
10.42.42.253
10.42.42.50
10.42.42.56

So, throwing out the broadcast address and the known source (the scanner), the targets are 10.42.42.25, 10.42.42.50, and 10.42.42.56.

4. What was the MAC address of the Apple system he found?

Borrowing the command-line foo from Puzzle #3, the OUI vendor of each MAC address (the first three octets) can be looked up like this:

$ for i in `tshark -R eth.src -Tfields -e eth.src -r evidence04.pcap  | sort -u`; do echo -n "$i OUI Vendor: "; VALUE=`echo $i | awk -F":" '{print $1 ":" $2 ":"  $3}'`; grep -i $VALUE oui.txt | awk '{print $2}';done
00:16:cb:92:6e:dc OUI Vendor: AppleCompu
00:23:8b:82:1f:4a OUI Vendor: QuantaComp
00:26:22:cb:1e:79 OUI Vendor: CompalInfo
70:5a:b6:51:d7:b2 OUI Vendor: CompalInfo

Answer: 00:16:cb:92:6e:dc (the only address with an Apple OUI)

5. What was the IP address of the Windows system he found?

By elimination, known IP addresses are:

10.255.255.255 - Broadcast
10.42.42.25 - Apple Macintosh
10.42.42.253 - Scanning System
10.42.42.50 - ?
10.42.42.56 - ?

Do either of these unidentified hosts respond to the SYN probes?  A Wireshark display filter for SYN/ACK from a specific source IP reveals which services answered, and well-known Microsoft-specific services indicate that a Windows machine is responding to the probe.

Try either the .50 or the .56 host in the ip.src== filter below:

ip.src == 10.42.42.50 && tcp.flags.ack ==1 && tcp.flags.syn == 1

Only .50 replies with both SYN and ACK set, which means the port is open and something acknowledged the SYN - presumably a Windows service on this well-known port (the MS-RPC endpoint mapper on TCP/135).

Curiously, .50 is also talking to the Apple system on TCP/139 (NetBIOS session service, used for SMB file and printer sharing), a port the attacker also probed.



Answer: 10.42.42.50

6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.)


TCP/135
TCP/139


X-TRA CREDIT (You don’t have to answer this, but you get super bonus points if you do): What was the name of the tool Mr. X used to port scan? How can you tell? Can you reconstruct the output from the tool, roughly the way Mr. X would have seen it?

It's everyone's favorite scanner nmap of course! To do this answer justice it would be another week before I finish, so I will just recommend reading this article (http://www.aldeid.com/index.php/Network-forensics/Puzzle4#Tools), which is extremely informative on the topic.


References:

0. Wikipedia http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
1. http://danielmiessler.com/study/tcpflags/
2. http://www.wireshark.org/docs/dfref/t/tcp.html
3. http://www.parkenet.com/apl/HexDecConverter.html

Monday, March 1, 2010

Netenum (dot sh)

This little script started with a need to generate a list of target networks belonging to a particular registrant.  I wanted to be able to search by organization name and generate a list of CIDR networks that can be fed into nmap or nessus.  The script is somewhat trivial, but here is what is going on under the hood:

0. Args are "search term" and "output file" containing the networks

1. The work begins with a whois -h whois.arin.net "n [NAME]" query, from which the NET handles are extracted with some sed syntax

2. For each NET handle another whois query is performed, and its output contains the information I am after: the network in CIDR notation

3. This output is appended to $OUTPUT and we're done!

4. Display some suggested nmap syntax



Example (No, I don't work for Starbucks):

mac$ netenum.sh "starbucks coffee*" networks.txt
64.14.140.192/26
64.14.141.80/28
65.102.167.24/29
199.233.178.0/23
204.238.150.0/24
63.226.236.24/29
12.144.131.0/25
12.17.135.0/24
12.104.77.120/29
12.104.80.32/29
12.104.90.0/26
98.96.0.0/14
12.18.140.16/28
12.18.169.88/29
12.18.141.0/25
12.18.169.64/29
12.22.22.192/29
12.40.197.248/29
12.162.215.160/29
12.104.137.16/29
12.158.165.144/29
12.29.122.208/29
12.232.230.224/27
12.19.194.200/29
12.19.194.192/29
12.238.255.240/29
12.163.246.64/29
12.165.41.160/29
12.181.208.96/29
12.173.177.168/29
12.191.157.56/29
99.145.144.32/29
99.182.106.176/29
63.241.138.184/29
63.241.138.96/28
63.241.135.88/29
63.241.155.128/29
76.210.220.232/29
69.229.78.32/29
99.140.26.112/29
99.15.108.40/29
Done searching WHOIS for records matching starbucks coffee*
If you don't like what you see run the command manually: whois -h whois.arin.net "n starbucks coffee*"
sudo nmap -sP -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10000 -T4 --source-port 53 -iL networks.txt -oA SCAN_REPORT

For this example the file networks.txt is generated containing all the networks printed to STDOUT while the script runs.  The -iL option in the nmap command above reads this file as the target list.

Get it here: https://docs.google.com/leaf?id=0B3oC9uB5ETAbNTU0MDRlYmMtMzE2YS00Yzg0LWJlN2QtZjcxMzFhNWU5ZmNl&hl=en
May need to run through dos2unix after downloading from Google docs
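
Here is an added example, separate from netenum.sh (which is not reproduced here), that walks the same two whois steps in Python without touching the network: the name-search reply and the per-NET records are constructed samples laid out like ARIN's text output (NetRange, CIDR and NetHandle are real field names; the organization, handles and addresses are placeholders from documentation ranges), and a lookup function stands in for the second whois call. It also goes one step beyond the script by deriving CIDR blocks from NetRange when a record carries no CIDR line, which handles ranges that are not a single aligned block.

```python
"""Turn ARIN whois output into a CIDR target list.

Added example; netenum.sh itself is not reproduced.  Step 1 is the name
search ("n <term>"), which yields NET handles; step 2 looks each handle up
and reads the block.  Both replies below are constructed samples in the
shape of ARIN's text output, and lookup() replaces the network call.
"""
import ipaddress
import re

# Constructed reply to: whois -h whois.arin.net "n example coffee*"
SEARCH_REPLY = """\
Example Coffee Company EXAMPLE-COFFEE-1 (NET-203-0-113-0-1) 203.0.113.0 - 203.0.113.63
Example Coffee Company EXAMPLE-COFFEE-2 (NET-198-51-100-16-1) 198.51.100.16 - 198.51.100.47
Example Coffee Company EXAMPLE-COFFEE-1 (NET-203-0-113-0-1) 203.0.113.0 - 203.0.113.63
"""

# Constructed replies to: whois -h whois.arin.net <NET handle>
NET_REPLIES = {
    "NET-203-0-113-0-1": """\
NetRange:       203.0.113.0 - 203.0.113.63
CIDR:           203.0.113.0/26
NetName:        EXAMPLE-COFFEE-1
NetHandle:      NET-203-0-113-0-1
""",
    # no CIDR line, and the range is not a single aligned block
    "NET-198-51-100-16-1": """\
NetRange:       198.51.100.16 - 198.51.100.47
NetName:        EXAMPLE-COFFEE-2
NetHandle:      NET-198-51-100-16-1
""",
}

NET_HANDLE_RE = re.compile(r"\((NET6?-[0-9A-Z-]+)\)")
FIELD_RE = re.compile(r"^(\w+):[ \t]+(.+?)[ \t]*$", re.M)


def net_handles(search_reply):
    """Step 1: NET handles from the name search, in order, de-duplicated."""
    seen = []
    for handle in NET_HANDLE_RE.findall(search_reply):
        if handle not in seen:
            seen.append(handle)
    return seen


def cidrs_from_record(record):
    """Step 2: prefer the CIDR line(s); otherwise derive them from NetRange."""
    fields = dict(FIELD_RE.findall(record))
    if "CIDR" in fields:
        return [c.strip() for c in fields["CIDR"].split(",")]
    first, last = (ipaddress.ip_address(p.strip()) for p in fields["NetRange"].split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def enumerate_networks(search_reply, lookup):
    """Full pipeline: search reply + per-handle lookup -> unique CIDR list."""
    nets = []
    for handle in net_handles(search_reply):
        for cidr in cidrs_from_record(lookup(handle)):
            if cidr not in nets:
                nets.append(cidr)
    return nets


if __name__ == "__main__":
    for net in enumerate_networks(SEARCH_REPLY, NET_REPLIES.get):
        print(net)
```

To use it for real, replace NET_REPLIES.get with a function that runs whois for the handle and returns its text, and write the result to the file handed to nmap -iL. Deriving blocks from NetRange matters because a registrant's range is not always a single CIDR; the 198.51.100.16-47 sample becomes two /28s, which a naive CIDR-only parser would silently skip.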

Sunday, February 28, 2010

SANS Forensics Puzzle #3 - Ann’s AppleTV

SANS Network Forensic Puzzle #3

The contest encourages participants to create new tools to solve the challenge.  Rather than create yet another specialized tool, I took this as an opportunity to hone my tshark skills.  Never heard of tshark?  It's the terminal (i.e. command line) companion of Wireshark.  As a side note, this article contains some crazy awking and bash foo... just how I like it.  In the end, I searched high and low for something simple to extract PLIST key/values with and faced the question of learning Python or just giving in to manually extracting the value from the "XML".  I chose the latter.

1. What is the MAC address of Ann’s AppleTV?


$ tshark -R eth.src -Tfields -e eth.src -r evidence03.pcap  | sort -u
$ for i in `tshark -R eth.src -Tfields -e eth.src -r evidence03.pcap  | sort -u`; do echo -n "$i OUI Vendor: "; VALUE=`echo $i | awk -F":" '{print $1 ":" $2 ":"  $3}'`; grep -i $VALUE oui.txt | awk '{print $2}';done

Output:
-------
00:23:69:ad:57:7b OUI Vendor: Cisco-Link
00:25:00:fe:07:c4 OUI Vendor: Apple

What's going on here?  If you are new to tshark, I recommend spending time with the man page.  In the command above the read filter (-R eth.src) selects frames that carry an Ethernet source address, and -Tfields -e eth.src prints that field from evidence03.pcap.

The output is then sorted and de-duplicated, and the first three octets of each address (the OUI) are matched against a reference text file (wget standards.ieee.org/regauth/oui/oui.txt) listing all registered manufacturers.  One caveat: the IEEE file writes prefixes as 00-16-CB with hyphens, so a colon-separated prefix has to be converted (tr ':' '-' and upper-cased) before it will match; Wireshark's own manuf file, which uses colons and short vendor names such as Cisco-Link, works with the loop as written.

The output shows the manufacturer of all the devices on the network - not just the AppleTV.
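
The same lookup, done as an added example for this page rather than the loop above (it serves both this post and the Puzzle #4 MAC question earlier on the page): both the address and the table prefix are normalized to bare hex before matching, so it works against the hyphenated IEEE file as well as colon or Cisco dotted notation, and it checks the locally-administered bit first, since a randomized or hand-assigned address carries no vendor information at all. OUI_TXT is a constructed excerpt in the IEEE layout that deliberately omits 70-5A-B6 so the unknown path is exercised; the sample addresses are the ones seen in the Puzzle #4 capture.

```python
"""Map MAC addresses to vendors using an IEEE-format OUI table.

Added example; the post's bash loop is not reproduced.  The IEEE oui.txt
writes each prefix as 00-16-CB (hyphens, upper case) while tshark prints
00:16:cb, so both sides are normalized to bare hex before the lookup.
OUI_TXT is a constructed excerpt in the IEEE layout; SAMPLE_MACS are the
addresses from the Puzzle #4 capture.
"""
import re

OUI_TXT = """\
00-16-CB   (hex)\t\tApple Computer
0016CB     (base 16)\t\tApple Computer
00-23-69   (hex)\t\tCisco-Linksys, LLC
002369     (base 16)\t\tCisco-Linksys, LLC
00-23-8B   (hex)\t\tQuanta Computer Inc.
00238B     (base 16)\t\tQuanta Computer Inc.
00-26-22   (hex)\t\tCOMPAL INFORMATION (KUNSHAN) CO., LTD.
002622     (base 16)\t\tCOMPAL INFORMATION (KUNSHAN) CO., LTD.
"""

SAMPLE_MACS = ["00:16:cb:92:6e:dc", "00:23:8b:82:1f:4a",
               "00:26:22:cb:1e:79", "70:5a:b6:51:d7:b2"]

HEX_LINE = re.compile(r"^\s*([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def normalize_mac(mac):
    """Strip separators; accepts 00:16:cb.., 00-16-CB.., 0016.cb92.., or bare hex."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def load_oui(text):
    """Index the '(hex)' lines of an IEEE oui.txt by their 6-digit prefix."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            table["".join(m.group(1, 2, 3))] = m.group(4)
    return table


def is_locally_administered(mac):
    """U/L bit (0x02 of the first octet) set: randomized or admin-assigned address."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def vendor_for(mac, table):
    if is_locally_administered(mac):
        return "locally administered (no vendor)"
    return table.get(normalize_mac(mac)[:6], "unknown")


def vendors_for(macs, table):
    """{mac: vendor} for a de-duplicated, sorted list of addresses."""
    return {mac: vendor_for(mac, table) for mac in sorted(set(macs))}


if __name__ == "__main__":
    oui = load_oui(OUI_TXT)
    for mac, vendor in vendors_for(SAMPLE_MACS, oui).items():
        print(f"{mac} OUI Vendor: {vendor}")
```

Feed load_oui() the real oui.txt and the tshark output to vendors_for() to reproduce the loop's result; an "unknown" means the prefix is missing from your copy of the table, which is worth refreshing before concluding anything about the device.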

2. What User-Agent string did Ann’s AppleTV use in HTTP requests?


$ tshark -R http.user_agent -Tfields -e http.user_agent  -r evidence03.pcap  | sort -u

Output:
-------
AppleTV/2.4

3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?


$ tshark -R "http.request.uri contains search" -Tfields -e http.request.uri  -r evidence03.pcap | awk -F"=" '{print $NF}'

Output:
-------
h
ha
hac
hack
s
sn
sne
sneb
snea
sneak
i
ik
ikn
ikno
iknow
iknowy
iknowyo
iknowyou
iknowyour
iknowyoure
iknowyourew
iknowyourewa
iknowyourewat
iknowyourewatc
iknowyourewatch
iknowyourewatchi
iknowyourewatchin
iknowyourewatching
iknowyourewatchingm
iknowyourewatchingme

Wow... that was neat.  The tshark command goes well beyond the first four search terms, but what is going on here?  It looks like the AppleTV sends each keystroke across the wire to the iTunes Store so it can search in real time.  Reminds me of a keystroke logger.

4. What was the title of the first movie Ann clicked on?


$ tshark -R "http.request.uri contains viewMovie" -Tfields -e http.request.uri  -r evidence03.pcap

/WebObjects/MZStore.woa/wa/viewMovie?id=333441649&s=143441
/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Hackers-Iain%20Softley-333441649&pccr=true&h5=appleitmsnatv%2Cappleitmsustv&ch=Movie%20Page&g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D333441649%26s%3D143441
/WebObjects/MZStore.woa/wa/viewMovie?id=283963264&s=143441
/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Sneakers-Phil%20Alden%20Robinson-283963264&pccr=true&h5=appleitmsnatv%2Cappleitmsustv&ch=Movie%20Page&g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D283963264%26s%3D143441

This tshark filter displays four URIs from the sample PCAP.  The first two relate to the first movie that Ann clicked on (Hackers); the second two relate to the second movie (Sneakers).

5. What was the full URL to the movie trailer (defined by “preview-url”)?


The filter "xml.cdata contains preview-url" points to frame 312, which contains segments reassembled from frames 309, 310, and 312.

Preview URL: http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v




6. What was the title of the second movie Ann clicked on?


(See answer to question 4.) Sneakers...

7. What was the price to buy it (defined by “price-display”)?


Wireshark lacks the ability to parse PLIST files programmatically, so I had to cheat on this answer and use the display filter "xml.cdata contains price-display" to find the two instances, one for each of the two movies.

Answer: $9.99






8. What was the last full term Ann searched for?

This is found in the answer to question 3. (iknowyourewatchingme)


Tuesday, January 5, 2010

SANS Network Forensic Puzzle #1 Howto

SANS Network Forensic Puzzle #1 Howto from pstutz on Vimeo. This is a quick demonstration of how I approached the first SANS Network Forensic Challenge. Tools used were Wireshark, Frhed, md5sum, Word 2007 Viewer, and Vim32. (Please play this demonstration in full screen mode for optimal viewing.)

Monday, January 4, 2010

NIST Forensic Challenge

A RegistryRipper Walk through...

This article illustrates how to use Harlan Carvey's powerful RegistryRipper tool set to answer the questions in the NIST sample Hacking Case (Ref. http://www.cfreds.nist.gov/Hacking_Case.html). Being a long time Linux user and now a Mac user I thought that this would be a great learning exercise to introduce some basic command line foo and forensic investigation by answering the questions presented by this challenge. These are my notes... I hope you can learn something from them.

Getting Started

Acquire the images and hash each part as well as the assembled image. To download the images I ran a for loop, which took several hours to complete:
$ for i in {1..8}; do curl http://www.cfreds.nist.gov/images/hacking-dd/SCHARDT.00$i -o SCHARDT.00$i; done
Append the image parts, in order, into one large image for analysis:
$ cat SCHARDT.00{1..8} > SCHARDT.img
Generate MD5 checksums of all the disk images:
$ for i in SCHARDT.00{1..8} SCHARDT.img; do md5 "$i" > "$i.md5"; done
At this point I have a working copy of the forensic image. To get started with RegistryRipper on OS X there are a few tweaks that I have implemented to make life easier.

Tweaks and Prerequisites

In the next series of steps a few prerequisite changes are made, and then I describe how I used rip.pl in batch mode to process all the registry hives with their respective plugins. The output from each "rip" is appended to a single report from which most of the questions in this challenge can be answered.

Change the Perl interpreter path on the first line of rip.pl to /usr/bin/perl (the tool was developed on Windows, so Mr. Carvey's defaults are Windows-centric), then install the required Win32Registry module from CPAN:
cpan> install Parse::Win32Registry
Generate a CSV of all the available plugins - take a few minutes to browse these and become familiar with their descriptions:
rip.pl -l -c > plugins.csv
Then generate a list of plugins by hive type, e.g. SECURITY, SYSTEM, SOFTWARE (the third CSV column is the hive, the first is the plugin name):
awk -F, '{print $3, $1}' < plugins.csv | sort > plugins.sorted.txt
Generate a distinct list of plugin hive types (this is the file 'list' read by the loop below):
awk '{print $1}' < plugins.sorted.txt | uniq | tee list
All
NTUSER.DAT
SAM
Security
Software
System
Generate a listing of plugins by type so that one can automate/script rip.pl plugins by hive type:
for i in `cat list`; do grep ^$i plugins.sorted.txt | awk '{print $2}' >> hive.plugin.$i; done
This results in the following files being created:
$ wc -l hive.plugin.*
1 hive.plugin.All
40 hive.plugin.NTUSER.DAT
1 hive.plugin.SAM
1 hive.plugin.Security
30 hive.plugin.Software
31 hive.plugin.System

Registry Parsing

On my MacBook Pro I inspect and then mount the image read-only with hdiutil, which places the volume under "/Volumes/Untitled\ 1":
hdiutil imageinfo SCHARDT.img
hdiutil attach -readonly SCHARDT.img
Copy all the registry hives from the image to the current working directory:
$ cp /Volumes/Untitled\ 1/WINDOWS/system32/config/software .
$ cp /Volumes/Untitled\ 1/WINDOWS/system32/config/SECURITY .
$ cp /Volumes/Untitled\ 1/WINDOWS/system32/config/SAM .
$ cp /Volumes/Untitled\ 1/WINDOWS/system32/config/system .
$ cp /Volumes/Untitled\ 1/Documents\ and\ Settings/Mr.\ Evil/NTUSER.DAT .
Generate a massive report by concatenating rip.pl output for each hive. Here is a wrapper script that runs a 'for' loop over each plugin group (the hive paths assume the copies were placed under evidence/registry/):
$ cat run.rip.sh
 
#!/bin/bash
for i in `cat hive.plugin.Software`; do echo plugin $i >> report.regripper.txt; rip.pl -r evidence/registry/software -p $i>> report.regripper.txt;done

for i in `cat hive.plugin.Security`; do echo plugin $i >> report.regripper.txt; rip.pl -r evidence/registry/SECURITY -p $i>> report.regripper.txt;done

for i in `cat hive.plugin.System`; do echo plugin $i >> report.regripper.txt; rip.pl -r evidence/registry/system -p $i>> report.regripper.txt;done

for i in `cat hive.plugin.NTUSER.DAT`; do echo plugin $i >> report.regripper.txt; rip.pl -r evidence/registry/NTUSER.DAT -p $i>> report.regripper.txt;done
The result is a file with over 3800 lines of rip.pl plugin output.

Questions and Answers

1. What is the image hash? Does the acquisition and verification hash match?

Concatenating all the parts results in one image whose MD5 hash is:
MD5 (SCHARDT.img) = aee4fcd9301c03b3b054623ca261959a
2. What operating system was used on the computer?

By visual inspection of the file system it appears to be Windows XP, but what version? RegRipper helps out here:
$ ./rip.pl -r /Volumes/Untitled/WINDOWS/system32/config/software -p winver
  Launching winver v.20081210
  ProductName = Microsoft Windows XP
  InstallDate = Thu Aug 19 22:48:27 2004
3. When was the install date?

Searching the report generated by run.rip.sh for the keyword "install", or knowing from experience that this value lives in the winnt_cv plugin output, gives the install date:
InstallDate = Thu Aug 19 22:48:27 2004
That timestamp is UTC; in the machine's local time (Central Daylight Time, UTC-5, see question 4) it is Thu Aug 19 17:48:27 2004.

4. What is the timezone settings?
$ ./rip.pl -r /Volumes/Untitled/WINDOWS/system32/config/system -p timezone
   Launching timezone v.20080324
   TimeZoneInformation key
   ControlSet001\Control\TimeZoneInformation
   LastWrite Time Thu Aug 19 17:20:02 2004 (UTC)
     DaylightName   -> Central Daylight Time
     StandardName   -> Central Standard Time
     Bias           -> 300 (5 hours)
     ActiveTimeBias -> 360 (6 hours)
5. Who is the registered owner?

The registry keys are:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
HKLM\Software\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
The output from winnt_cv shows the name "Greg Schardt" as the registered owner.

6. What is the computer account name?

Output from plugin compname reveals this:
ComputerName = N-1A9ODN6ZXK4LQ
7. What is the primary domain name?

Note, the answer I found differs from the answer published by NIST.
DefaultDomainName = N-1A9ODN6ZXK4LQ
8. When was the last recorded computer shutdown date/time?
ShutdownTime = Fri Aug 27 15:46:33 2004 (UTC), Fri Aug 27 10:46:33 (CDT, UTC-5)
9. How many accounts are recorded (total number)?
$ rip.pl -r evidence/registry/SAM -p samparse | grep Username
   Launching samparse v.20080415
   Username        : Administrator [500]
   Username        : Guest [501]
   Username        : HelpAssistant [1000]
   Username        : SUPPORT_388945a0 [1002]
   Username        : Mr. Evil [1003]
So that would be 5 total.

10. What is the account name of the user who mostly uses the computer?

Mr. Evil

11. Who was the last user to logon to the computer?
The profilelist plugin (SOFTWARE hive) shows the profile with the most recent LoadTime, which belongs to Mr. Evil:
Path      : %SystemDrive%\Documents and Settings\Mr. Evil
SID       : S-1-5-21-2000478354-688789844-1708537768-1003
LastWrite : Fri Aug 27 15:46:23 2004 (UTC)
LoadTime  : Fri Aug 27 15:08:24 2004 (UTC)

12. A search for the name of “Greg Schardt” reveals multiple hits. One of these proves that Greg Schardt is Mr. Evil and is also the administrator of this computer. What file is it? What software program does this file relate to?

Looking at the mounted file system simply grepping for the name yields some results:
$ grep -ir "Greg Schardt" *
Program Files/Look@LAN/irunin.ini:%REGOWNER%=Greg Schardt
Program Files/Look@LAN/irunin.ini:%USERNAME%=Greg Schardt
WINDOWS/Look@LAN Setup Log.txt:Value data = Greg Schardt
Grepping for "Greg Schardt" shows that irunin.ini matches twice: the name was entered as the registered owner and the username when the Look@LAN software was installed.

13. List the network cards used by this computer
plugin networkcards
NetworkCards
Microsoft\Windows NT\CurrentVersion\NetworkCards
 
Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface)  [Thu Aug 19 17:07:19 2004]
Compaq WL110 Wireless LAN PC Card  [Fri Aug 27 15:31:44 2004]
14. This same file reports the IP address and MAC address of the computer. What are they?
%LANIP%=192.168.1.111 
%LANNIC%=0010a4933e09
15. An internet search for vendor name/model of NIC cards by MAC address can be used to find out which network interface was used. In the above answer, the first 3 hex characters of the MAC address report the vendor of the card. Which NIC card was used during the installation and set-up for LOOK@LAN?

http://www.wireshark.org/tools/oui-lookup.html shows that the OUI 00:10:A4 is registered to Xircom, so the Xircom CardBus card was the interface in use.

16. Find 6 installed programs that may be used for hacking.

Looking at the contents of "Program Files" provides some insight:
1. Look@LAN
2. Cain
3. Network Stumbler
4. mIRC
5. Ethereal/Wireshark
6. 123WASP

17. What is the SMTP email address for Mr. Evil?
/Volumes/Untitled 1/Program Files/Agent/Data/AGENT.INI:SMTPUserName="whoknowsme@sbcglobal.net"
18. What are the NNTP (news server) settings for Mr. Evil?
NewsServer="news.dallas.sbcglobal.net"
Found using grep:
$ grep --color=auto -ir "News.dallas.sbcglobal.net" *
  
Binary file Documents and Settings/Mr. Evil/Local Settings/Application Data/Identities/{EF086998-1115-4ECD-9B13-9ADC067B4929}/Microsoft/Outlook Express/Folders.dbx matches
   Program Files/Agent/Data/AGENT.INI:NewsServer="news.dallas.sbcglobal.net"
19. What two installed programs show this information?

Forte Agent 1.9 Release
Outlook Express

20. List 5 newsgroups that Mr. Evil has subscribed to?

In the OE data folder for Mr. Evil we find:
/Volumes/Untitled/Documents and Settings/Mr. Evil/Local Settings/Application Data/Identities/{EF086998-1115-4ECD-9B13-9ADC067B4929}/Microsoft/Outlook Express

$ ls -al *.dbx | awk '{print $NF}'
Items.dbx
Folders.dbx
Inbox.dbx
Offline.dbx
Outbox.dbx
alt.2600.cardz.dbx
alt.2600.codez.dbx
alt.2600.crackz.dbx
alt.2600.dbx
alt.2600.hackerz.dbx
alt.2600.moderated.dbx
alt.2600.phreakz.dbx
alt.2600.programz.dbx
alt.binaries.hacking.beginner.dbx
alt.binaries.hacking.computers.dbx
alt.binaries.hacking.utilities.dbx
alt.binaries.hacking.websites.dbx
alt.dss.hack.dbx
alt.hacking.dbx
alt.nl.binaries.hack.dbx
alt.stupidity.hackers.malicious.dbx
free.binaries.hackers.malicious.dbx
free.binaries.hacking.beginner.dbx
free.binaries.hacking.computers.dbx
free.binaries.hacking.talentless.troll-haven.dbx
free.binaries.hacking.talentless.troll_haven.dbx
free.binaries.hacking.utilities.dbx
free.binaries.hacking.websites.dbx
This gives a concise list of dbx files. Items, Folders, Inbox, Offline, and Outbox are obviously not newsgroup files; the remaining *.dbx files are plainly recognizable as newsgroups.

21. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are the user settings that was shown when the user was online and in a chat channel?

The [mirc] section of mirc.ini holds the following descriptive information, created when mIRC is installed (line numbers added for reference):
166 [mirc]
167 user=Mini Me
168 email=none@of.ya
169 nick=Mr
170 anick=mrevilrulez
171 host=Undernet: US, CA, LosAngelesSERVER:losangeles.ca.us.undernet.org:6660GROUP:Undernet
22. This IRC program has the capability to log chat sessions. List 3 IRC channels that the user of this computer accessed.

IRC chat logs are stored under the 'logs' directory by default; the log files found on this image are:
#Chataholics.UnderNet.log
#CyberCafe.UnderNet.log
#Elite.Hackers.UnderNet.log
#ISO-WAREZ.EFnet.log
#LuxShell.UnderNet.log
#evilfork.EFnet.log
#funny.UnderNet.log
#houston.UnderNet.log
#mp3xserv.UnderNet.log
#thedarktower.AfterNET.log
#ushells.UnderNet.log
m5tar.UnderNet.log
23. Ethereal, a popular “sniffing” program that can be used to intercept wired and wireless internet packets was also found to be installed. When TCP packets are collected and re-assembled, the default save directory is that users \My Documents directory. What is the name of the file that contains the intercepted data?
Location: /Volumes/Untitled 1/Documents and Settings/Mr. Evil
File: interception (file(1) reports: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535))
24. Viewing the file in a text format reveals much information about who and what was intercepted. What type of wireless computer was the victim (person who had his internet surfing recorded) using?

From the command line tshark shows the following:
$ tshark -R http.user_agent -Tfields -e http.user_agent -r evidence/interception

Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)
...(truncated list)...
Viewing the HTTP headers in Wireshark shows the version number of Pocket PC:
UA-OS: Windows CE (Pocket PC) - Version 4.20
25. What websites was the victim accessing?

The following produces a sorted/unique list of sites visited in the pcap:
$ tshark -R http.host -Tfields -e http.host -r interception | sort -u

login.passport.com
login.passport.net
mobile.msn.com
www.passportimages.com
26. Search for the main user's web based email address. What is it?

The following reads the pcap and pipes the ASCII output to egrep looking for a pattern matching an email address (note that the pattern's ([._-]\w)* allows only a single character after each separator and \.\w{2,4} stops at the first dotted label, so addresses with longer segments come out truncated):
$ tcpdump -r evidence/interception -A | egrep --color=auto "\w+([._-]\w)*@\w+([._-]\w)*\.\w{2,4}"

findme69@hotmail.com
However this turns out to be the incorrect answer when compared to the official solution... searching the file system in a similar manner yields the correct answer:
$ egrep -rohI "\w+([._-]\w)*@\w+([._-]\w)*\.\w{2,4}" * > email.found.txt

$ wc -l email.found.txt
  81 email.found.txt
Create a distinct, sorted list of email addresses in list.txt:
$ sort -u email.found.txt > list.txt
Loop through the distinct list and count the matches for each address in email.found.txt. The resulting file has one line per address with the number of times it was found (grep -i is used, so case variants such as drudge@drudgereport.com and DRUDGE@DRUDGEREPORT.COM are each credited with their combined count, and the unescaped dots match any character):
$ for i in `cat list.txt`; do echo -n $i: >> email.counts.txt;  grep -ic $i email.found.txt >> email.counts.txt; done
Sort email.counts.txt in reverse general-numeric order on the second ':'-delimited field, the count, to list every address in descending order of frequency:
$ sort -t: -k2 -rg email.counts.txt
mrevilrulez@yahoo.com:12
info@mosnews.com:6
jim@mcmahon.cc:4
webmaster@2600.com:3
fred@wardriving.com:3
PASSCODE@HOTMAIL.COM:3
PASSADMINBOT@HOTMAIL.COM:3
HERE@HOTMAIL.COM:3
suckme@oyea.lick:2
slim532@hotmail.com:2
drudge@drudgereport.com:2
a30aac9@posting.goog:2
Rating@Mail.ru:2
DRUDGE@DRUDGEREPORT.COM:2
tmt3i0tnq18gm819ecv27r73vm6hnoddcn@4ax.com:1
teandson@aol.com:1
seabach@shaw.ca:1
president@whitehouse.gov:1
nightwolf@confine.com:1
mauddib@dune.com:1
mailbot@yahoo.com:1
logaritmo50@yahoo.com:1
logaritmo50@hotmail.com:1
jfoster3@ec.rr:1
img4i0lqhsh6n7hlqth96lfd5jd1acjrh9@4ax.com:1
hp01@mailadded.com:1
heyjude18@hotmail.com:1
hacked@2600.com:1
frisco@blackant.net:1
dqbug010mo29ufsbo4dq491vvihucqfh69@4ax.com:1
corenode01a@yahoo.remo:1
chris@splitinfinity.com:1
chillen@hoo.com:1
cathomas@msn.com:1
beatnik@mail.gr:1
T50admin@usa.net:1
LmT@marijuana.com:1
9a64i0p9vk73bpmnq4s40iq6asem5k80er@4ax.com:1
5_@_Warez.com_:1
123@123.com:1
10237466@twister.sout:1
mrevilrulez@yahoo.com appears 12 times... more than any of the other addresses found.
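
For comparison, here is an added example (not part of the original walkthrough) that does the extraction and ranking in Python over a constructed text sample: its pattern allows full labels on both sides of the @, so an address like jfoster3@ec.rr.com is no longer cut short, and it folds case before counting so DRUDGE@... and drudge@... share one bucket instead of inflating each other.

```python
"""Harvest and rank e-mail addresses from text.

Added example, not the post's egrep/sort pipeline.  The pattern in the post
allows one character after each separator and stops after the first dotted
label of the domain; this one accepts full labels on both sides of the @.
Counting is case-insensitive.  SAMPLE_TEXT is constructed for the example.
"""
import re
from collections import Counter

EMAIL_RE = re.compile(
    r"\b[A-Za-z0-9][A-Za-z0-9._%+-]*"        # local part
    r"@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b"   # one or more labels, then the TLD
)

SAMPLE_TEXT = """\
From: Mr Evil <mrevilrulez@yahoo.com>
To: DRUDGE@DRUDGEREPORT.COM
Reply-To: drudge@drudgereport.com
X-Note: jfoster3@ec.rr.com wrote to first.last@mail.example.co.uk
bogus@localhost and @nobody are not addresses; mrevilrulez@yahoo.com again
"""


def extract_emails(text):
    """All matches, in order of appearance, original case kept."""
    return EMAIL_RE.findall(text)


def rank_emails(text):
    """[(address, count), ...] most frequent first, case folded."""
    return Counter(addr.lower() for addr in extract_emails(text)).most_common()


if __name__ == "__main__":
    for addr, n in rank_emails(SAMPLE_TEXT):
        print(f"{addr}:{n}")
```

Point rank_emails() at the output of tcpdump -A or at a concatenation of the files on the image to get the same descending list the shell pipeline produces. The pattern still matches only what looks like an address, so values such as 5_@_Warez.com_ from the grep run above would be rejected rather than counted.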

27. Yahoo mail, a popular web based email service, saves copies of the email under what file name?
launch[1].htm
28. How many executable files are in the recycle bin?
Four. file(1) identifies each Dc*.exe under RECYCLER\<SID>\ as a PE32 executable:
Dc1.exe:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Dc2.exe:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Dc3.exe:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Dc4.exe:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
29. Are these files really deleted?

No. Sending a file to the Recycle Bin only moves it under RECYCLER\<SID>\ with a Dc<n> name and records its original path in the INFO2 index; the data stays on disk until the bin is emptied.

30. How many files are actually reported to be deleted by the file system?
$ ./recbin.pl /Volumes/Untitled\ 1/RECYCLER/S-1-5-21-2000478354-688789844-1708537768-1003/INFO2
   1    Wed Aug 25 16:18:25 2004     C:\Documents and Settings\Mr. Evil\Desktop\lalsetup250.exe
   2    Fri Aug 27 15:12:30 2004     C:\Documents and Settings\Mr. Evil\Desktop\netstumblerinstaller_0_4_0.exe
   3    Fri Aug 27 15:15:26 2004     C:\Documents and Settings\Mr. Evil\Desktop\WinPcap_3_01_a.exe
   4    Fri Aug 27 15:29:58 2004     C:\Documents and Settings\Mr. Evil\Desktop\ethereal-setup-0.10.6.exe
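
The INFO2 index that recbin.pl reads above has a simple fixed layout, and parsing it by hand makes the link between the Dc1.exe..Dc4.exe names in question 28 and the original paths explicit. The following is an added example written for this page, not recbin.pl or any of Mr. Carvey's code; it assumes the Windows 2000/XP layout (a 16-byte header whose last field is the record size, then 800-byte records holding an ANSI path, index, drive number, FILETIME, size and Unicode path) and builds a constructed INFO2 image inline so it runs without the evidence disk. It also flags records whose first ANSI byte has been zeroed, which is how Windows marks an entry that was restored or purged from the bin.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index.

Added example for this page; it is not recbin.pl.  Layout assumed (XP):
  header : 4 x uint32, the last one is the record size (0x320 = 800)
  record : 260-byte ANSI path, uint32 index, uint32 drive (0=A, 2=C),
           8-byte FILETIME of deletion, uint32 size, 520-byte UTF-16 path
The INFO2 bytes are constructed here from SAMPLE_RECORDS, whose paths and
times mirror the post's listing; the sizes are made up.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<IIII"            # version, unknown, unknown, record size
RECORD_FMT = "<260sIIQI520s"    # ansi path, index, drive, FILETIME, size, unicode path
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Integer arithmetic so the round trip is exact."""
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def bin_name(drive, index, original_path):
    """Name the file gets inside RECYCLER\\<SID>\\, e.g. Dc1.exe for C:\\...\\x.exe."""
    base = original_path.rsplit("\\", 1)[-1]
    stem = f"D{chr(ord('a') + drive)}{index}"
    return f"{stem}.{base.rsplit('.', 1)[1]}" if "." in base else stem


def parse_info2(data):
    version, _, _, rec_size = struct.unpack_from(HEADER_FMT, data, 0)
    if rec_size != struct.calcsize(RECORD_FMT):
        raise ValueError(f"unsupported INFO2 record size {rec_size} (version {version})")
    entries = []
    for off in range(16, len(data) - rec_size + 1, rec_size):
        ansi, index, drive, ft, size, uni = struct.unpack_from(RECORD_FMT, data, off)
        path = uni.decode("utf-16-le", "replace").split("\x00", 1)[0]
        entries.append({
            "index": index,
            "drive": drive,
            "deleted_utc": filetime_to_datetime(ft),
            "size": size,
            "path": path,
            "bin_name": bin_name(drive, index, path),
            # Windows zeroes the first byte of the ANSI path when an entry is
            # restored or the bin is emptied; the rest of the record lingers.
            "pur" "ged_or_restored": ansi[0] == 0,
        })
    return entries


def build_info2(records):
    """Construct an INFO2 image (test input only; not from the evidence disk)."""
    out = bytearray(struct.pack(HEADER_FMT, 5, 0, 0, struct.calcsize(RECORD_FMT)))
    for index, drive, path, when, size, ghost in records:
        ansi = path.encode("cp1252")
        if ghost:
            ansi = b"\x00" + ansi[1:]
        out += struct.pack(RECORD_FMT, ansi, index, drive,
                           datetime_to_filetime(when), size, path.encode("utf-16-le"))
    return bytes(out)


SAMPLE_RECORDS = [
    (1, 2, r"C:\Documents and Settings\Mr. Evil\Desktop\lalsetup250.exe",
     datetime(2004, 8, 25, 16, 18, 25, tzinfo=timezone.utc), 1_265_000, False),
    (2, 2, r"C:\Documents and Settings\Mr. Evil\Desktop\netstumblerinstaller_0_4_0.exe",
     datetime(2004, 8, 27, 15, 12, 30, tzinfo=timezone.utc), 1_400_000, False),
    (3, 2, r"C:\Documents and Settings\Mr. Evil\Desktop\restored.txt",
     datetime(2004, 8, 27, 15, 15, 0, tzinfo=timezone.utc), 10, True),
]

if __name__ == "__main__":
    for e in parse_info2(build_info2(SAMPLE_RECORDS)):
        flag = " (restored or purged)" if e["purged_or_restored"] else ""
        print(f"{e['index']:<3} {e['deleted_utc']:%Y-%m-%d %H:%M:%S} {e['bin_name']:<8} {e['path']}{flag}")
```

Against the real disk, read RECYCLER\<SID>\INFO2 into bytes and hand it to parse_info2(); the deletion times come out in UTC, so convert with the time zone from question 4 before comparing them with the user's activity. Ghost records are worth keeping in the report because they show what was in the bin even after the user emptied it.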
31. Perform an anti-virus check. Are there any viruses on the computer?
I cheated and ran ClamAV from another Windows VM against the mounted file system (before I discovered http://www.clamxav.com/). Several nasty items found!
ClamAV reports:

   Scan Started Thu Oct 01 18:21:05 2009
   -------------------------------------------------------------------------------


   Y:\My Documents\COMMANDS\enum.exe: Hacktool.EnumPlus FOUND
   Y:\My Documents\COMMANDS\snitch.exe: Trojan.PSW.Snitch.11 FOUND
   Y:\My Documents\ENUMERATION\NT\enum\enum.tar.gz: Hacktool.EnumPlus FOUND
   Y:\My Documents\ENUMERATION\NT\enum\files\enum.exe: Hacktool.EnumPlus FOUND
   Y:\My Documents\ENUMERATION\NT\ntreskit.zip: W32.Nemo FOUND
   Y:\My Documents\EXPLOITATION\NT\Brutus\BrutusA2.exe: Virtool.Brutus FOUND
   Y:\My Documents\EXPLOITATION\NT\brutus.zip: Virtool.Brutus FOUND
   Y:\My Documents\EXPLOITATION\NT\Get Admin\GetAdmin.exe: Exploit.WinNT.GetAdmin.B FOUND
   Y:\My Documents\EXPLOITATION\NT\netbus\NetBus170.zip: Trojan.Netbus.KeyHook170 FOUND
   Y:\My Documents\EXPLOITATION\NT\sechole\SECHOLE.EXE: Trojan.W32.Sehole.A FOUND
   Y:\My Documents\EXPLOITATION\NT\sechole\sechole3.zip: Trojan.W32.Sehole.A FOUND
   ----------- SCAN SUMMARY -----------
   Known viruses: 625565
   Engine version: 0.95.2
   Scanned directories: 766
   Scanned files: 10879
   Infected files: 11

   Data scanned: 2240.21 MB
   Data read: 1710.52 MB (ratio 1.31:1)
   Time: 778.843 sec (12 m 58 s)
   --------------------------------------
   Completed
   --------------------------------------

Conclusion

What started out as an exercise in RegistryRipper (rip.pl) turns out to be a mixture of BASH command line foo and host/network forensics. The RegistryRipper tools and related plugins are very powerful utilities which enable the analyst to assess a registry hive on almost any platform. I hope this tutorial/how-to has been of some use... please feel free to contact me with any corrections or suggestions.