Backtrack Manual Part4


Page 1: Backtrack Manual Part4

Project Report

on

Project by - Nutan Kumar Panda

Technology Evangelist ISEH

R&D - ATL Guwahati

Project By: Nutan Kumar Panda

Page 2: Backtrack Manual Part4

AIR - Automated Image and Restore

AIR (Automated Image and Restore) is a GUI front-end to dd/dc3dd designed for easily creating forensic images.

Features:

- auto-detection of IDE and SCSI drives, CD-ROMs, and tape drives
- choice of using either dd or dc3dd
- image verification between source and copy via MD5 or SHA1/256/384/512
- image compression/decompression via gzip/bzip2
- image over a TCP/IP network via netcat/cryptcat
- supports SCSI tape drives
- wiping (zeroing) drives or partitions
- splitting images into multiple segments
- detailed logging with date/times and complete command-line used



Page 4: Backtrack Manual Part4

What is Automated Image & Restore

Automated Image & Restore (AIR) is an open source application that provides a GUI front end to the dd/dcfldd (Dataset Definition (dd)) command. AIR is designed to easily create forensic disk/partition images. It supports MD5/SHAx hashes, SCSI tape drives, imaging over a TCP/IP network, splitting images, and detailed session logging. To date, the AIR utility has only been developed for use on Linux distributions. In its simplest form, AIR provides a convenient interface to execute the dd set of commands. It eliminates the risk of "fat fingering" an error in the shell terminal and ultimately makes using the dd command more user-friendly for those who are not as experienced. Please note that using the AIR front end still requires some basic knowledge of how the dd (or dcfldd) commands work.

The dd command has been around for quite a while. It is well known throughout the Unix/Linux community, well documented, and, as I can only imagine, extensively used. A dd image is a bit-by-bit image of a source device or file. The uses for dd range from creating and maintaining system backups and restore images to the forensic application of imaging evidence that will be returned to the lab and examined.

This tutorial is not designed to teach the use of the dd command; this is well documented and a simple internet search will yield a plethora of results. Instead, the intent of this mini "how-to" is to introduce users to the AIR front end application, increase overall awareness of the utility, and provide a brief example of creating a dd image using this tool.

Setting up AIR

The first thing you will want to do is download and install the latest version of the AIR application. The AIR application is available for download at www.sourceforge.net/projects/air-imager.

Once you have downloaded the files to your system, decompress, extract, and install the application. [In this example, I have downloaded the .tar.gz package and will display the commands related to this particular file type]


Page 5: Backtrack Manual Part4

-- Make sure you are in a root shell
sudo -s

-- Check your current directory to make sure you are in the right location to access the package you downloaded
pwd

-- Decompress and extract ("untar") the AIR files
tar -zxvf /path/air-1.2.8.tar.gz

-- If you desire, this is a good time to read the README.txt file

-- Switch to your AIR directory
cd /path/air-1.2.8

-- Run the install script
./install-air-1.2.8

The AIR GUI

Note that AIR does not work on all Linux distributions. Refer to the project information on sourceforge.net and the README.txt file for a list of known supported distributions - I am using Ubuntu which is not among the list. Ubuntu can still run AIR; however, some functionality is unavailable. Now that you have successfully downloaded and installed the application, run AIR in a root shell by typing "air" in the terminal. AIR will run through a series of checks and the GUI will launch automatically.


Page 6: Backtrack Manual Part4

Take a moment to familiarize yourself with the AIR GUI. Note how the buttons and options relate to various dd commands that can be used in the terminal.

Creating a dd Image Using AIR

For this exercise, we will create a dd image of a .jpg in the root folder and copy it to a CD-ROM. AIR will run the commands behind the scenes that will create the image and copy it to the CD-ROM. (In a real scenario, this .jpg could very easily represent a compromised hard drive or other piece of evidence).
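The steps AIR drives dd through for an exercise like this one (block-by-block copy, hash verification of source against image, splitting into segments, and a dated session log that records the command line) written out as a Python script that runs on a constructed sample file. This is an added example, not AIR's own code or a dd wrapper; the file names, the 10000-byte "evidence" file and the dd command string written to the log are assumptions made for the demonstration.

```python
"""Added example: the acquisition steps AIR automates (block copy, hash
verification, segment splitting, session log), run on a constructed file.
Not AIR's code; the dd command string logged below is illustrative only."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # plays the role of dd's bs= argument


def hash_file(path, algorithm="sha256"):
    """Hash a file in BLOCK_SIZE chunks (AIR's MD5/SHAx verification step)."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_block_copy(src, dst):
    """Bit-for-bit copy of src into dst, one block at a time (dd if=src of=dst)."""
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(BLOCK_SIZE), b""):
            fout.write(block)
            copied += len(block)
    return copied


def split_image(image_path, segment_bytes):
    """Write image_path out as numbered segments of at most segment_bytes each."""
    segments = []
    with open(image_path, "rb") as fh:
        for index, chunk in enumerate(iter(lambda: fh.read(segment_bytes), b"")):
            segment = f"{image_path}.{index:03d}"
            with open(segment, "wb") as out:
                out.write(chunk)
            segments.append(segment)
    return segments


def acquire(src, dst, log_path, segment_bytes=None, algorithm="sha256"):
    """Image src to dst, verify, optionally split, and append a session log entry."""
    started = datetime.now(timezone.utc).isoformat()
    command = f"dd if={src} of={dst} bs={BLOCK_SIZE}"  # illustrative equivalent command line
    copied = image_block_copy(src, dst)
    source_hash = hash_file(src, algorithm)
    image_hash = hash_file(dst, algorithm)
    segments = split_image(dst, segment_bytes) if segment_bytes else []
    result = {"bytes": copied, "source_hash": source_hash, "image_hash": image_hash,
              "verified": source_hash == image_hash, "segments": segments}
    with open(log_path, "a") as log:
        log.write(f"{started} START {command}\n")
        log.write(f"{datetime.now(timezone.utc).isoformat()} END bytes={copied} "
                  f"{algorithm}(source)={source_hash} {algorithm}(image)={image_hash} "
                  f"verified={result['verified']} segments={len(segments)}\n")
    return result


def demo():
    """Acquire a constructed 10000-byte file, reassemble the segments, and show
    that a single flipped byte in a copy of the image fails verification."""
    workdir = tempfile.mkdtemp(prefix="air-demo-")
    try:
        evidence = os.path.join(workdir, "evidence.jpg")  # constructed bytes, not a real JPEG
        image = os.path.join(workdir, "evidence.dd")
        log_path = os.path.join(workdir, "session.log")
        with open(evidence, "wb") as fh:
            fh.write(bytes(range(256)) * 39 + b"\x00" * 16)  # 256*39 + 16 = 10000 bytes
        result = acquire(evidence, image, log_path, segment_bytes=BLOCK_SIZE)

        reassembled = hashlib.sha256()  # concatenated segments must equal the image
        for segment in result["segments"]:
            with open(segment, "rb") as fh:
                reassembled.update(fh.read())
        result["reassembled_hash"] = reassembled.hexdigest()

        tampered = image + ".tampered"  # one flipped byte: verification must fail
        shutil.copyfile(image, tampered)
        with open(tampered, "r+b") as fh:
            fh.seek(5000)
            original = fh.read(1)
            fh.seek(5000)
            fh.write(bytes([original[0] ^ 0xFF]))
        result["tampered_verified"] = hash_file(tampered) == result["source_hash"]

        with open(log_path) as fh:
            result["log_lines"] = fh.read().splitlines()
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash of the source is taken after the copy, so a device that changed under the imager during acquisition would surface as a mismatch rather than being silently accepted; that is why the log records both digests and not just a verified flag.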


Page 7: Backtrack Manual Part4

The OllyDbg debugger is a machine level debugger created by Oleh Yuschuk for the 80x86. This machine-level debugger works with a variety of different assemblers including HLA, MASM, TASM, FASM, and NASM.


Page 8: Backtrack Manual Part4

VoIPER is a VoIP security testing toolkit incorporating several VoIP fuzzers and auxiliary tools to assist the auditor. It can currently generate over 200,000 SIP tests, and H.323/IAX modules are in development. The primary goal of VoIPER is to create a toolkit with all required testing functionality built in and to minimise the amount of effort an auditor has to put into testing the security of a VoIP code base.

Run `python fuzzer.py -h` to get an explanation of any of the command line options. To get a list of valid fuzzer names run `python fuzzer.py -l`, and for information on what a particular fuzzer does run `python fuzzer.py -l FUZZERNAME`.


Page 9: Backtrack Manual Part4

Versions 0.06 and under have an issue with protocol based crash detection (-c 1 or -c 2). As a result you have the following options if you don't want to be plagued with false positives:

- Use level 0, (-c 0). This turns off crash detection and leaves it up to you to check what request killed the device if a crash occurs.

- Use level 1, (-c 1). This uses the same type of inband, protocol based crash detection as level 2 but instead of pausing the fuzzer it just logs the crash details when a crash occurs and keeps fuzzing. This avoids you having to restart the fuzzer when a false positive occurs but it also means the fuzzer won't be paused when an actual crash occurs. This will result in every request that is sent to a dead target being logged (so basically thousands of crash log files). You can discern which caused the actual crash as it will be the earliest request logged in the continuous linear sequence of crash log files.

- Use level 3, (-c 3). This is what I always use if possible. It uses out of band, process based crash detection and is not susceptible to false positives. On the down side it requires you to set up a crash detection script running on the target computer, but that is just a case of running a single command and passing a few extra parameters to VoIPER.

This issue is resolved in version 0.07, but some VoIP applications have an annoying habit of not responding as they should while being fuzzed. As a result, it is recommended to use process based crash detection (-c 3) when at all possible.

Macchanger - MAC Changer

Synopsis
macchanger [options] device

Description
macchanger is a Linux utility for viewing/manipulating the MAC address for network interfaces.

Options
macchanger accepts the following options:

-h, --help                    Show summary of options.
-V, --version                 Show version of program.
-e, --ending                  Don't change the vendor bytes.
-a, --another                 Set random vendor MAC of the same kind.
-A                            Set random vendor MAC of any kind.
-r, --random                  Set fully random MAC.
-l, --list[=keyword]          Print known vendors (with keyword in the vendor's description string).
-m, --mac XX:XX:XX:XX:XX:XX   Set the MAC XX:XX:XX:XX:XX:XX.

Example
macchanger -A eth1

Wireshark

Wireshark is the network analyzer. This very powerful tool provides network and upper layer protocol information about data captured in a network. Like a lot of other network programs, Wireshark uses the pcap network library to capture packets.

The Wireshark strength comes from:
- its ease of installation.
- the simplicity of use of its GUI interface.
- the very high number of functionalities available.

Wireshark was called Ethereal until 2006, when the main developer decided to change its name because of copyright reasons with the Ethereal name, which was registered by the company he decided to leave in 2006. Install everything that it comes with. WinPcap is a driver that Wireshark needs in order to run. It will be automatically installed when you install Wireshark. You can find more information about WinPcap at winpcap.polito.it.

Now that we have Wireshark installed, let's open it up so I can show you how to use it. Wireshark should have made a folder somewhere in your start menu called Wireshark. Go ahead and run Wireshark.


Page 11: Backtrack Manual Part4

Wireshark lets you "see" the data that is traveling across your network. You can "see" what ports a program is using. You can basically see all the traffic on your network. You can see what comes in and what is going out of your router.

You can see so much that it becomes a problem. You end up getting too much data. To fix this Wireshark comes with two very useful filters that we will go over here. The filters allow you to sort the traffic that you have captured, making it much easier to read. Well, let's start by clicking the Capture link at the top of your screen. Then click Options in the menu that drops down.


Page 12: Backtrack Manual Part4

This is the window that allows you to define how to start capturing data with Wireshark. You can use the Interface drop-down box to select which network card to capture data from. There will only be one option here if you only have one Ethernet card. Later on we will modify this page a bit. Now we need to tell Wireshark what to capture. Click on the Capture Filter button.


Page 13: Backtrack Manual Part4

Put First Capture Filter into the Filter Name box. I want you to enter host followed by your IP address into the Filter String box. If your IP address is 192.168.1.2, the Filter String box would contain the following:

host 192.168.1.2

We are telling Wireshark to capture everything coming from and going to your ip address. So we will get a log of all the traffic that is coming from or going to your computer. When you have finished those two changes click the Ok button at the bottom of this page.


Page 14: Backtrack Manual Part4

You should now be back at the Capture Options window. Then click the Start button at the bottom of the screen.


Page 15: Backtrack Manual Part4

You should now see packets as they are being sent to and from your computer. You might see a lot of traffic or just a little traffic depending upon how much is going on on your network. If you do not see any packets, try opening up a web page. If you still do not see captured data, then you probably have the wrong Interface selected on the Capture Options window. When you have a couple of packets, click the Capture option at the top of the screen and then the Stop option in the menu that drops down.

Wireshark has captured some data as you can see on your screen. There are three frames here. I have labeled them as Frame 1, Frame 2, and Frame 3 in the picture above. Frame 1 shows you an overview of what packets came in and went out of your network. Frame 2 shows more detailed information about a selected packet. Frame 3 shows the hex data of the packet. We only really care about Frame 1.

The source column tells us where the data was coming from and the destination column tells us where the data was going to. Both of these columns will always have IP addresses in them. The protocol column tells us what protocol that packet was sent with, which is useful when trying to figure out what ports/protocols a program uses. The info box contains the information that we really need. The info box lists specific requests made over the network. It also lists what ports the data traveled on.


Page 16: Backtrack Manual Part4

Notice that every time a port is listed it is listed as a pair of ports. Data always travels on ports. It is sent out of the source IP address on a port, and then received on the destination IP address on a port. These ports are rarely the same. Keeping that in mind, it is easy to see why there are two ports listed in the info box. The first port is the source port. Notice the > which you can think of as the word "to": from the first port > to the second port.

I hope that I have explained enough to give you a general feel for the program. Check out the help section of the program for more capture filter options. Notice that there is also a filter box above the data you have captured. This is the display filter. It works like the capture filter, but allows you to filter data that has already been captured. Click the help button in the display filter window for examples of how to use it.
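The columns described above (source, destination, protocol, and the "source port > destination port" info text) recovered from the raw frame bytes that Wireshark shows as hex in Frame 3, with the `host` capture filter applied on top so the effect of `host 192.168.1.2` can be seen on a small set of frames. This is an added example, not Wireshark's code; the three frames, the MAC addresses and the 203.0.113.10 web server address are constructed for the demonstration, and the IP/TCP/UDP checksums are left at zero because nothing here validates them.

```python
"""Added example: decode Ethernet II / IPv4 / TCP|UDP headers into the summary
columns Wireshark displays, and apply a 'host' style filter. The frames are
constructed for the demo (checksums zero). Not Wireshark's own code."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def summarize(frame):
    """Return the Source, Destination, Protocol and Info columns for one frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return {"src": src_mac.hex(":"), "dst": dst_mac.hex(":"),
                "protocol": f"0x{ethertype:04x}", "info": "non-IPv4 frame"}
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes (options included)
    (_, _, _, _, _, _, proto, _, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    transport = frame[14 + ihl:]
    summary = {"src": socket.inet_ntoa(src_ip), "dst": socket.inet_ntoa(dst_ip)}
    if proto == IP_PROTO_TCP:
        sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", transport[:20])
        names = [name for name, bit in TCP_FLAGS if flags & bit]
        summary["protocol"] = "TCP"
        summary["info"] = f"{sport} > {dport} [{', '.join(names)}]"  # source port > destination port
    elif proto == IP_PROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", transport[:8])
        summary["protocol"] = "UDP"
        summary["info"] = f"{sport} > {dport}"
    else:
        summary["protocol"] = str(proto)
        summary["info"] = "unparsed transport protocol"
    return summary


def host_filter(frames, ip):
    """Keep frames whose source or destination is ip, like the capture filter 'host ip'."""
    return [f for f in frames if ip in (summarize(f)["src"], summarize(f)["dst"])]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, transport):
    """Demo helper: wrap a transport header in IPv4 (no options) and Ethernet II."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0x1234, 0x4000,
                            64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_header + transport


def tcp_header(sport, dport, flags):
    """Demo helper: 20-byte TCP header, data offset 5, window 65535, checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


PC_MAC = bytes.fromhex("001122334455")      # constructed
ROUTER_MAC = bytes.fromhex("66778899aabb")  # constructed
OTHER_MAC = bytes.fromhex("ccddeeff0011")   # constructed
PC_IP, WEB_IP, DNS_IP, OTHER_IP = "192.168.1.2", "203.0.113.10", "192.168.1.1", "192.168.1.5"

# Constructed capture: a SYN from this PC, the SYN/ACK reply, and a DNS query from another host.
FRAMES = [
    build_frame(PC_MAC, ROUTER_MAC, PC_IP, WEB_IP, IP_PROTO_TCP, tcp_header(49152, 80, 0x02)),
    build_frame(ROUTER_MAC, PC_MAC, WEB_IP, PC_IP, IP_PROTO_TCP, tcp_header(80, 49152, 0x12)),
    build_frame(OTHER_MAC, ROUTER_MAC, OTHER_IP, DNS_IP, IP_PROTO_UDP,
                struct.pack("!HHHH", 53123, 53, 8, 0)),
]

if __name__ == "__main__":
    for label, frames in (("All frames:", FRAMES), (f"After 'host {PC_IP}':", host_filter(FRAMES, PC_IP))):
        print(label)
        for frame in frames:
            s = summarize(frame)
            print(f"  {s['src']:>15} -> {s['dst']:<15} {s['protocol']:<4} {s['info']}")
```

The reply frame has the ports reversed (80 > 49152), which is the pair-of-ports behaviour the text describes: the filter keeps both directions because `host` matches either address, while the DNS query from 192.168.1.5 is dropped.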

Snort (IDS/IPS)

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) capable of performing packet logging and real-time traffic analysis on IP networks. Snort was written by Martin Roesch and is now developed by Sourcefire, of which Roesch is the founder and CTO. Integrated enterprise versions with purpose-built hardware and commercial support services are sold by Sourcefire.

Snort performs protocol analysis, content searching/matching, and is commonly used to actively block or passively detect a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts, amongst other features. The software is mostly used for intrusion prevention purposes, by dropping attacks as they are taking place. Snort can be combined with other free software such as sguil, OSSIM, and the Basic Analysis and Security Engine (BASE) to provide a visual representation of intrusion data.


Page 19: Backtrack Manual Part4

Konqueror is a web browser and file manager that provides file-viewer functionality to a wide variety of things: local files, files on a remote ftp server and files in a disk image. It is designed as a core part of the KDE desktop environment. It is developed by volunteers and can run on most Unix-like operating systems and on Windows systems, too. Konqueror, along with the rest of the components in the KDEBase package, is licensed and distributed under the GNU General Public License version 2.

The name "Konqueror" is a reference to the two primary competitors at the time of the browser's first release: "first comes the Navigator, then Explorer, and then the Konqueror". It also follows the KDE naming convention: the names of most KDE programs begin with the letter K.


Page 20: Backtrack Manual Part4

Konqueror came with the version 2 of KDE, released on October 23, 2000. It replaces its predecessor, KFM (KDE file manager).

Konqueror uses a very capable HTML rendering engine called KHTML. This engine is implemented as a KPart and as such, it can be easily used by other KDE programs. KHTML is also used by the Apple browser Safari.

Features of the HTML rendering component in KDE 3.4:

1. HTML 4.01 compliance.
2. ECMAscript 262 support (JavaScript). Notice that ECMAscript can still give problems because websites can detect browsers and choose to ignore Konqueror. Spoofing as another browser will often make sites work anyway.
3. Ability to house Java applets.
4. Cascading Style Sheets:
   o CSS 1: supported
   o CSS 2.1: supported (paged media only partially supported)
   o CSS 3 Selectors: supported
   o CSS 3 (other): Details about the visual media support can be found here.
5. DOM1, DOM2 and partially DOM3 support in ECMAScript and native C++ bindings.
6. Full support for bidirectional scripts (Arabic and Hebrew).
7. SSL support (requires OpenSSL).

Konqueror provides all the functionalities one will expect from a modern file manager, including navigation of the filesystem, file/folder copying, renaming, deletion and creation and application launching.

It is also able to display graphic image files and generate an image gallery web page from them. In addition, Konqueror is a standards-compliant web browser and is perfectly capable of browsing the WWW on the Internet - just enter the website to go to in the Konqueror location bar.

The most obvious advantage of Konqueror (for people using KDE) is the great integration with the rest of KDE.

And the article you mentioned isn't really that convincing. Of course, KHTML does support XHTML. And the rant about Konqueror being not only a browser but "a file manager, a web browser, a universal document viewer and a fully customizable application" is pretty flawed as the first comment points out. Konqueror is actually just a shell for various KParts (comparable to plugins). Those KParts have specific tasks (e.g. there's the KHTML part which renders HTML, there's the file manager part, there are multiple document viewer parts, etc.) and this makes Konqueror a lightweight but still very versatile application.
