Executables and Shared Libraries
So i’ve known about Windows DLL’s and shared objects in Linux/Unix but hadn’t realized that the concept exists in MacOS also. I haven’t owned any Apple products, so clearly i have poor insight into the OS
Terminology:
- Windows -> DLL’s (Dynamic Link Libraries)
- Linux -> .so files (Shared Objects)
- MacOS -> Dylib’s (Dynamic libraries) and Frameworks
They seem to serve the same purpose in general, but I suppose each has their own particular intricacies tied to the way the OS uses executables.
On DLL Hijacking:
Unexpected loading DLL’s from expected/ unexpected locations
- Using web locations
- Hijacking DLL loading order
- Hijacking paths
If you control the binary, you can control the DLL’s.
You can still control the DLL’s, even if you don’t control the binary, if the binary does not enforce / check the paths or the signatures of the DLL’s.
Current solutions:
- DLL signing
- Binary/Executable Signing
References:
https://superuser.com/questions/228309/macos-dll-equivalent
https://stackoverflow.com/questions/1212477/creating-a-dll-on-a-mac-dylib-or-framework
https://attack.mitre.org/techniques/T1038/
https://attack.mitre.org/techniques/T1157/
Windows Common Processes
Conhost.exe – Console Window Host process (Remember: Not ‘connection’)
Taskhost.exe – Task Host (Host for DLL based services)
svchost.exe – Services Host Process
ceip.exe – Customer Experience Improvement Program
RuntimeBroker.exe – Runtime Service Broker
Werfault.exe – Windows Error Reporting
wmic.exe – Windows Management Instrumentation Command-line-utility
Sources:
https://www.howtogeek.com/howto/4996/what-is-conhost.exe-and-why-is-it-running/
https://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/
https://www.howtogeek.com/268240/what-is-runtime-broker-and-why-is-it-running-on-my-pc/
https://www.groovypost.com/howto/groovytip/what-is-taskhost-exe-and-should-it-be-running/
https://support.microsoft.com/en-gb/help/290216/a-description-of-the-windows-management-instrumentation-wmi-command-li
Windows CMD / Powershell / DOS command -fu
Operating System related Information
- View OS / System information:
CMD:
systeminfo wmic qfe
- Is there anything interesting in the Environment Variables:
CMD:
set
Powershell:
Get-ChildItem Env: | ft Key,Value
- Are there any connected drives (Network or Local):
CMD:
net use wmic logicaldisk get caption,description,providername
Powershell:
Lots of other DOS/Powershell wmic.exe related commands:
Get Manufacturer
wmic baseboard get product,manufacturer
Get Bios and Version
wmic bios get name
Get software, services, process information
wmic product list brief
wmic service list brief
wmic process list brief
wmic startup list brief
Put services in a HTML document
wmic service get /format:hform > c:\folder\services.html
Uninstall:
wmic product get name
wmic product where name=”Product name exactly as appears in above command” call uninstall
Kill a process:
wmic process where name=”iexplore.exe” call terminate
Change a process’s priority:
wmic process where name=”notepad.exe” call setpriority 64
Run commands on a remote node:
wmic /node:steve-pc service list brief
References:
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Windows Command line – CMD – fu : Notes
So i haven’t used the Windows Command (DOS) Prompt for many things until I realized that Android / Android Studio / Android SDK and the emulator (with the HAXM driver) work pretty well on Windows.
Long story short, there seems to be a lot of powerful things in this “predecessor” to Powershell.
Viewing and Saving Command History:
One of the things i wanted to do was to view my command line history. This can be easily done by pressing F7 and lo and behold a smaller dialog within the cmd
window will appear with the command history.
Now, the F7
trick doesn’t really allow you to save the history, nor to copy-paste it, so i needed another solution. The command below provides this solution.
doskey /history > history.txt
Essentially, this copies (redirects) the cmd
history of only the current session into a text file named history.txt
or whatever you’d like to name your text file .
Sources:
[1]. http://www.computerhope.com/tips/tip189.htm
[2]. http://serverfault.com/questions/95404/is-there-a-global-persistent-cmd-history
[3]. http://www.howtogeek.com/119386/5-windows-command-prompt-tricks-you-probably-dont-know/
Android Process Memory Dumps with memfetch – Android 4.4.2 (on Ubuntu 16.04)
I used 2 different C code scripts to achieve the same goal of achieving the process memory dump. The specific code scripts are referred to as Memfetch (by Michal Zalewski – found on his blog) and Memdump (by Tal Aloni – found on StackExchange)
Update [2017-01-16]: I’m not sure whether this will work for Android on both x86 and ARM architectures. I tested it on an ARM architecture (physical device), and it worked. I’m yet to test it on an x86 architecture. Will update after testing.
Memfetch:
Find the code from the author’s webpage here – http://lcamtuf.coredump.cx/soft/memfetch.tgz
Unzip/Extract the code from the TarGZ archive
tar -xvf memfetch.tgz
Get into the directory:
cd memfetch
Use the ls
command to list the files. The files should be listed as below:
COPYING Makefile memfetch.c mffind.pl README
Now install the gcc compiler for Android on ARM (not sure if this is what it’s described as):
sudo apt-get install gcc-arm-linux-android-eabi
(some instructions say use the gcc-arm-linux-gnueabi
but this didn’t work for me )
Edit the Makefile
Normally at this point you should be able to run the make
command and compiling should work, however in Ubuntu the Canonical developers seem to have moved some key .h
source files around causing problems. The first file that might cause problems if you run the make
command will probably be this is because Ubuntu has moved them from the original location of
/usr/include/asm
to be in the kernel source files /usr/src/linux-headers-[your-specific-kernel]/include/asm-generic
Make sure you’ve installed build-essential
for this path to be existent
sudo apt-get install build-essential
You can get to the correct path with:
cd /usr/src/linux-headers-$(uname -r)/include/asm-generic
Once you locate the asm-generic
folder check that the page.h
file is present.
Now the best way to solve this problem is to create a symbolic link (symlink) in /usr/include/
called asm
that links to /usr/src/linux-headers-[your-specific-kernel]/include/asm-generic/
. This is done with the following command:
sudo ln -s /usr/src/linux-headers-$(uname -r)/include/asm-generic /usr/include/asm
Even with this, there will still be some problems because there are some .h
files in asm-generic
that will be looking for asm-generic
in /usr/include/
where the folder doesn’t actually have those header files. So an extra include (-I
) directive will need to be added in the Makefile
The beginning of your make file should look like this:
FILE = memfetch CFLAGS = -Wall -O9 -static CC = arm-linux-androideabi-gcc
NB: its a capital ‘O’ not a zero, and it’s a 9 (nine), not a ‘g’. The “O” “9” directive is some optimization thing (i don’t know if it’s necessary or not)
Run make
at this point. If it works, then great, you should get a memfetch
executable file in your memfetch
directory if not, follow on.
If you run make
and you still get errors of missing .h
files, what i did was to just copy the files from /usr/src/linux-headers-$(uname -r)/include/asm-generic
to /usr/include/
e.g:
sudo cp /usr/src/linux-headers-$(uname -r)/include/asm-generic/memory_model.h /usr/include/asm-generic/memory_model.h
The following files were missing …
getorder.h
/linux/compiler.h
/linux/log2.h
/linux/bitops.h
/linux/irqflags.h
/linux/typecheck.h
At this point i got more files in /bitops that were missing, so i decided to copy the entire directory :
cd /usr/include/asm-generic
sudo mkdir bitops
sudo cp /usr/src/linux-headers-$(uname -r)/include/asm-generic/bitops/* /usr/include/asm-generic/bitops/
At this point i finally ran the make
command in the the memfetch
directory and an executable was created. There were a couple of warnings, but no errors and the executable worked when I pushed into onto the Android device.
Pushing to the Android Device and Executing “Memfetch”:
NB: We are assuming that the device is properly rooted, and the setting for giving adb shell
root permissions has been set in your “Super User” management app.
Go to the adb
executable location, which might be /home/Android/Sdk/platform-tools
it could also be elsewhere … depending on where you installed it
cd /home/Android/Sdk/platform-tools
The best location to push the executable is /data/local/tmp
. Let’s create a directory in this location and use the adb push
command to push the executable here
./adb shell su root cd /data/local/tmp mkdir mem_dump_tools exit exit
We exited first all the way out so that we can run the ./adb push
command
./adb push ~/Desktop/memfetch/memfetch /data/local/tmp/mem_dump_tools/
Verify that the memfetch
executable has been pushed to the right location:
./adb shell su root cd /data/local/tmp/mem_dump_tools ls -al
The memfetch
executable should be in place however it cannot be executed because it does not have execute permissions. We can give it execute permissions with the following command (assuming we are still the root
user)
chmod 755 memfetch
(As a side note: chmod u+x memfetch
should also work.)
Verify that the Execute permissions have been applied
ls -al
You should see rwx
against the name of the memfetch executable. (The x
being the important thing)
Now if we run a particular app and search this process’ ID we can dump the process memory. Pick an app e.g. Google Chrome and fire it. Browse to some page
On the adb shell:
ps | grep chrome
You should get 1-3 processes with Chrome (one with sandboxed
and another with privileged
attached to the process name). Pick the process ID of the process that is plain com.android.chrome
Now we can run memfetch
./memfetch
e.g: ./memfetch 2314
if the process id is “2314”
You should now get some output to screen showing that the memory-mapped regions are being copied. The result is that for each address range (block) from the /proc//mem
folder there is a sub folder called map
that contains the mappings. These mappings result in an individual “region dump” per file (with a .bin
extension) and each region dump filename is appended into a single file with a /lst
extension containing all the filenames of all the regions dumped. So the end result is a lot of .bin
files and a single .lst
file.
NB: If at this point when you try to run memfetch
and all you get is a listing of the available options/directives, and nothing else, then you need to comment out some section of the code in memfetch.c
and recompile. I don’t know why this is the case, but someone on StackExchange [2] figured this out and it also worked for me.
The lines to comment out are:
while ((opt=getopt(argc,(void*)argv, "+samwS:h"))!=EOF) switch(opt) case 's': waitsig=1; break; case 'a': skipmap=1; break; case 'w': textout=1; break; case 'm': avoid_mmap=1; break; case 'S': if (sscanf(optarg,"%x",&onlyseg)!=1) fatal("Incorrect -S syntax (hex address expected).\n"); break; default: usage(argv[0]); }
With that, everything should work.
This blog post has become too long, so i’ll do memdump
in the next one …
Sources:
[1]. http://lcamtuf.coredump.cx/memfetch.tgz
[2]. http://stackoverflow.com/questions/18372120/memfetch-with-android-samsung-galaxy-nexus
Android FileSystem – Notes
App Locations:
/system/apps
– Pre-installed bloatware apps/system/priv-apps
– Privileged apps (mounted read-only to prevent changes)/data/app
– Normal apps in internal memory/mnt/sdcard/.android_secure
– Apps stored on external memory go into an encrypted container/mnt/asec
– These apps need to be decrypted to run, so during runtime they are found as a decrypted copy on atmpfs
here- This
.android_secure
container cannot be opened directly from the Android device, however if you plug the SD Card into another computer through a card reader, the.apk
files now have the extension.asec
connected to the same files on/mnt/asec
- Nxt
App Data:
/data/data/<package_name>
– Default location for application data on internal storage./mnt/sdcard/Android/data/<package_name>
– Default location for application data on external storage (if the developer sticks to the rules outlined on the Android Developer Documentation here)
Binary Executable Test Locations:
/data/local/tmp
– Location where you can put executables (NDK compiled / Linux ARM built)
Accessing the SDCard on the Emulator:
First make sure you’ve indicated that you want an SD Card for your Android Virtual Device in the AVD Manager while creating
- You can find the path of your sd card with
cat /proc/mounts
anddf -h
- It should be at
/mnt/media_rw/<8-Character-Serial-Number>
- e.g.
/mnt/media_rw/1CEF-2AB1
- e.g.
Sources:
[1]. http://android.stackexchange.com/questions/3002/where-in-the-file-system-are-applications-installed
DNS Tunneling Dataset (Notes)
A: Tunneled Traffic over DNS:
Total Samples size:
- HTTP:
- Static: 50 Samples
- Websites that seem to maintain the same appearance (images, text) over a few hours and more
- Dynamic: 50 Samples
- Websites who’s visual contents (images. text, ads) seem to change within the hour, or even randomly
- Static: 50 Samples
- FTP:
- FTP Downloads: 50 Samples
- FTP Uploads: 50 Samples
- HTTPS:
- Static: 50 Samples
- Websites that seem to maintain the same appearance (images, text) over a few hours and more
- Dynamic: 50 Samples
- Websites who’s visual contents (images. text, ads) seem to change within the hour, or even randomly
- Static: 50 Samples
- POP3:
- Email Downloads: 50 Samples
B: Plain Traffic (Not tunneled over DNS):
(… not yet documented)
Using wget in interesting ways
Make a web request for a web-page and all its resources in order to display correctly, but delete everything immediately after being downloaded:
wget -H -p -e robots=off --delete-after http://www.google.com
-
-H [or] --span-hosts
-
-p [or] --page-requisites
-
-e robots=off [or] --execute
-
--delete-after
Other useful options
-
--no-dns-cache [...Turn off caching of DNS lookups]
-
--no-cache [...to disable server-side cache so as to always get the latest page]
If you want to store the pages then the -E and -K directives may be of use
wget -E -H -K -p -e robots=off http://www.google.com
-
-E [or] --adjust-extension
-
-K [or] --backup-converted
If the web-server that you are fetching pages from blocks automated web-requests based on the user-agent, you can fool it with the following directive:
-
-U [or] --user-agent=""
If you don’t want to use the –user-agent option you can create a .wgetrc file in the home directory such that wget will always use the pre-configured user-agent
Example ./wgetrc
### Sample Wget initialization file .wgetrc by http://www.askapache.com ## Local settings (for a user to set in his $HOME/.wgetrc). It is ## *highly* undesirable to put these settings in the global file, since ## they are potentially dangerous to &amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot;normal&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;quot; users. ## ## Even when setting up your own ~/.wgetrc, you should know what you ## are doing before doing so. header = Accept-Language: en-us,en;q=0.5 header = Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 header = Connection: keep-alive user_agent = Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36 referer = / robots = off&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;lt;/pre&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;gt;
References:
- http://superuser.com/questions/55040/save-a-single-web-page-with-background-images-with-wget
- http://www.askapache.com/linux/wget-header-trick.html
- http://stackoverflow.com/questions/17182553/sites-not-accepting-wget-user-agent-header
- http://www.delorie.com/gnu/docs/wget/wget_9.html
- http://serverfault.com/questions/73163/making-wget-not-save-the-page
- http://manpages.ubuntu.com/manpages/wily/en/man1/wget.1.html
- https://www.gnu.org/software/wget/manual/wget.html
- https://www.gnu.org/software/wget/manual/html_node/Advanced-Usage.html#Advanced-Usage
- https://www.gnu.org/software/wget/manual/html_node/HTTP-Options.html
- http://www.labnol.org/software/wget-command-examples/28750/
- http://serverfault.com/questions/25779/how-do-i-pipe-a-downloaded-file-to-standard-output-in-bash
- https://curl.haxx.se/docs/httpscripting.html
- https://daniel.haxx.se/docs/curl-vs-wget.html
Installing devstack (Openstack for developers) on Ubuntu 14.04
Step 1: Install git
sudo apt-get install git
Step 2: Clone the latest devstack repository (Grizzly, Icehouse, Juno, Kilo, etc …)
For Icehouse
git clone -b stable/icehouse https://github.com/openstack-dev/devstack.git
or, for Grizzly
git clone -b stable/grizzly https://github.com/openstack-dev/devstack.git
A folder in your home directory with the name devstack should have been created
Step 3: Change directory to the devstack directory
cd /devstack/userDir/devstack
Step 4: Install devstack using the stack.sh installation script
./stack.sh
You will first be presented with at least 5 dialogs asking for passwords for various services. The norm is to use the same password – for easy use while doing development and testing(Great security, right? not really, but it’s for convenience – i.e “Principle of Psychological acceptability”). Read the dialogs carefully and if you chose to put in more secure passwords (longer than 8 characters, alphanumeric, special characters) perhaps note them down somewhere – it may save you a great big headache later.
After these dialogs, the script will run and download stuff from the internet to install (Make sure your internet connection is working). The script runs for at least 20min, if it goes through the entire procedure and works.
At the end of the installation script (which may take at least 20min, so get a coffee, or do something else) you will be presented with the URL where the Openstack dashboard (horizon) can be found, as well as the username and password to log into the dashboard. The default usernames are “admin” and “demo”. The password will be what you set among the dialogs at the beginning, or if you just pressed enter to skip the dialogs, then devstack will choose a random long password for you (which it will show you at this point)
Generally if something went wrong and you want to stop the devstack platform as a whole, i.e. stopping all the services running you can use:
./unstack.sh
If you want to remove everything (well almost everything) that devstack installed on the machine:
./clean.sh
(NB: i’ve had varying success in ensuring that it removes everything. Sometimes you might have to run extra commands like apt-get remove –purge , apt-get autoremove and/or apt-get autoclean among others in order to clean out the devstack installation)
Step by step Guide to using LiME – The Linux Memory Extractor
I’m no expert on dumping RAM memory from Linux machines, i’m just trying to explain the steps that i used to get it working – because it was not as intuitive for a n00b like me )
Note: The best way (and possibly the most forensically sound way) is to have the LiME source compiled (?) earlier on another Linux machine, then you transfer the resulting files (in this case a “.ko” file ) onto a USB drive that you will use to plug into the “suspect” Linux machine and dump the memory onto the USB disk (Make sure you have a large enough USB disk to dump the memory).
- Download the LiME source code from the Google Code repository ( https://code.google.com/p/lime-forensics/ )
- Compile it using the Linux “make” command. It looked something like this for me:
user1@UbuntuMachine: /media/USBDriveName/lime-forensics-1.1-r17/src$ make
- The result was that it created a “.ko” file in the current directory:
lime-3.2.0-59-generic.ko
- Now move the USB to the suspect machine. In this case an Ubuntu 32-bit machine. Plug the USB extraction drive into the machine (assuming that it mounts successfully, otherwise you have to mount it yourself. This isn’t very forensically sound, but there’s not much choice here).
- Run the command:
suspect@UbuntuSuspectMachine: /media/USBDriveName/lime-forensics-1.1-r17/src$ sudo insmod lime-3.2.0-59-generic.ko "path=/media/USBDriveName/myRAMDump.lime format=raw"
It is important that you put both the path parameter and the format parameter in the command, otherwise you’ll get the “-1 invalid parameters” error. The documentation also says that for Ubuntu you’ll need the quotes around the path and format parameters, while in other distributions like CentOS and RedHat you won’t need them.
NB: I compiled it directly on a USB drive and used it as is on the same USB
More about the LiME Linux Memory Extractor can be found in their documentation at the Google Code repository. There’s a PDF with the documentation that you can download (https://code.google.com/p/lime-forensics/downloads/list)