Aurora vulnerability or how to exploit knowledge of physical processes

Trying to raise awareness of cybersecurity issues among my fellow process and control engineers is a challenging task. We have talked about it before, making it clear how the lack of basic notions about ICT environments and procedures makes the risks and mechanisms of attack almost inconceivable for these engineers. I mean ‘inconceivable’ sensu stricto: not something with a very low assigned probability, but something you cannot even think about, because you lack the cultural background and experience to do so.

The most common response is denial, built on several fallacies that often explain this sense of security. One is the confidence in the mechanisms laid down to provide physical protection of equipment, i.e. safety interlocks implemented by mechanical or electrical devices that operate autonomously, without processing or communication capabilities, and are therefore regarded as cyberattack-proof. Somehow, in a control engineer's state of mind (myself included), these systems are regarded as the last line of defense: absolutely isolated and independent of any malfunction of processor-based systems (even when those processors are human), and laid down to avoid damage to physical equipment caused by improper process operation.

In my own experience, design of control systems has always relied on a two-fold strategy:

  • Deployment of a higher control level based on electronic instrumentation and processing algorithms which, by their very nature, allow for a finer tuning and higher efficiency. This is a processor-based level.
  • Deployment of a lower level based on relays and electrical and mechanical actuators that keeps the system operating in case of a control system crash or severe malfunction. This level is not processor-based and, as stated above, prevents the physical system from operating under improper conditions. It relies on built-in and hard-wired electromechanical equipment.

This second level supports the claims for the virtual impossibility of physical equipment suffering severe damage, even if a malicious individual or organization takes control of the system. However, there are two facts that undermine this security paradigm:

  • I have noticed that in many brand-new control systems safety interlocks are implemented through digital instrumentation readings, communication networks and control network PLCs. The aim is twofold: first, to lower the cost of wiring and of devices regarded as redundant, and second, to leverage the greater accuracy and adaptability of digital systems. I know of some epic failures, costing tens to hundreds of thousands of euros, caused by this practice.
  • Interlocks and protection systems are designed to prevent damage if the process runs beyond the allowable operating conditions. But since physical systems cannot be described in terms of ones and zeros (there is a continuum of intermediate states), one should always allow a regulation deadband to prevent annoying tripping of protection devices and to account for normal measurement variability. This is achieved by setting deadband controls, hysteresis loops, tripping delays, etc.

In the first case physical protection devices are seriously compromised by being software and network dependent. But even in the second case it is possible, in principle, to conduct an attack that takes advantage of this design logic to force working conditions that result in damage to physical systems. Too complicated? Vain speculation? Not really. There is at least one documented case in which this strategy was used with spectacular results: the so-called Aurora vulnerability.

This was an experiment conducted at the INL (Idaho National Laboratory) in 2007 and, as far as I can see, it has fallen into the limbo that lies between the professionals involved in control systems and those engaged in information and communication technology security: after all, to fully understand the attack one must have, so to speak, a foot in each half of the field. This could explain why news of the experiment went almost unnoticed (beyond a video broadcast by CNN that, possibly because of its spectacular nature, triggered the typical denial reaction in those who may be directly concerned). Even the veracity of the facts shown has been intensely questioned, with suggestions that pyrotechnic devices were used to enhance the visual effect!

What is Aurora all about? To put it simply: Aurora is an attack designed specifically to cause damage to an electric power generator. It goes like this: all generator units are (or should be) protected against out-of-synchronism connection to a power grid. This is achieved by checking the waveform being generated to assess that it matches that of the power grid (within certain limits). To do that, voltage, frequency and phase are monitored. Why? Because connecting to a power grid in an out-of-synchronism condition will cause the generator to synchronize almost instantaneously, resulting in an extraordinary mechanical torque at the shaft of the generator, a stress this device is not designed to bear. Repetition of this anomalous operating condition will cause the equipment to fail. Imagine someone willing to jump onboard a moving train: we can see him running along the tracks, trying to match the train's speed, and then jumping inside. If he is lucky enough he will get a soft landing on the wagon's floor. An alternative but not advisable method is to stand beside the tracks and grab the ladder handrail as it passes right in front of you. It is easy to see that the resulting pull is something you don't want to experience.

However, the protective relays allow for a certain delay between recognition of the out-of-synchronism condition and the action of the protection devices, a delay set to avoid nuisance tripping. This offers a window of opportunity to force undesirable mechanical stress on the generator without disconnection from the power grid. You can find a detailed technical analysis of the attack and possible mitigating measures.
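To make the timing argument concrete, here is an added toy model (not code from the original post or from the INL experiment) of a sync-check relay whose trip delay lets brief out-of-band excursions pass, beside a supervisory check a defender could add to count those excursions, so that operators see what the relay alone will never report. The band, delay and window values are assumptions chosen for the example, not the settings of any real relay.

```python
"""Toy sync-check relay with a trip delay, plus a supervisory excursion counter."""
from dataclasses import dataclass, field


@dataclass
class SyncCheckRelay:
    """Trips only when |phase error| stays outside the band for trip_delay_samples in a row."""
    band_deg: float = 10.0         # assumed acceptance band around zero phase error
    trip_delay_samples: int = 5    # assumed intentional delay (in samples) against nuisance trips
    _out_count: int = 0
    tripped: bool = False

    def step(self, phase_err_deg: float) -> bool:
        """Feed one sample; return the relay state after it."""
        if self.tripped:
            return True
        if abs(phase_err_deg) > self.band_deg:
            self._out_count += 1
            if self._out_count >= self.trip_delay_samples:
                self.tripped = True
        else:
            self._out_count = 0    # the timer resets as soon as the signal is back in band
        return self.tripped


@dataclass
class ExcursionMonitor:
    """Supervisory check: alarms on repeated short excursions that never reach the trip delay."""
    band_deg: float = 10.0
    window_samples: int = 200      # assumed look-back window
    max_excursions: int = 2        # assumed tolerance before alarming
    _t: int = 0
    _in_excursion: bool = False
    _starts: list = field(default_factory=list)
    alarm: bool = False

    def step(self, phase_err_deg: float) -> bool:
        """Feed one sample; record the start of each excursion and alarm when too many are recent."""
        self._t += 1
        out = abs(phase_err_deg) > self.band_deg
        if out and not self._in_excursion:
            self._starts.append(self._t)
        self._in_excursion = out
        self._starts = [s for s in self._starts if self._t - s < self.window_samples]
        if len(self._starts) > self.max_excursions:
            self.alarm = True
        return self.alarm


def run(samples):
    """Feed a sample sequence to both; return (relay_tripped, monitor_alarm, excursions_seen)."""
    relay, monitor = SyncCheckRelay(), ExcursionMonitor()
    for s in samples:
        relay.step(s)
        monitor.step(s)
    return relay.tripped, monitor.alarm, len(monitor._starts)


# Constructed scenarios: phase error in degrees, one value per sample.
SUSTAINED_FAULT = [0.0] * 10 + [40.0] * 8 + [0.0] * 10          # one long excursion
REPEATED_SHORT = ([0.0] * 10 + [40.0] * 3) * 3 + [0.0] * 10      # three 3-sample excursions

if __name__ == "__main__":
    print("sustained fault:", run(SUSTAINED_FAULT))   # relay trips, as designed
    print("repeated short: ", run(REPEATED_SHORT))    # relay stays silent, monitor alarms
```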

True, for an attack of this kind to be successful a number of pre-conditions must be met: physical system knowledge, remote access to a series of devices, certain operating conditions of the electrical system, knowledge of existing protections and their settings … These are the arguments that will arise in the denial phase. But that’s not the point.

The point is: given the degree of exposure of industrial control systems to cyber attacks (owing to several reasons: historical, cultural, organizational and technical issues), the only thing needed to wreak havoc upon them is knowledge of physical systems and their control devices. Aurora Vulnerability is a very specific case. But it should be enough to show that confidence in physical protection of equipment has its limits, limits waiting to be discovered. Regarding them as our only line of defense is a risk that no one can afford.

Can we?

By the way, the original Aurora vulnerability video can be seen below:

VLAN Management Policy Server

Usually, when we have to segment a network using VLANs, we create the necessary networks either manually or automatically using protocols like Cisco VTP (VLAN Trunking Protocol), and then assign each network device to one of the VLANs defined. This means that if tomorrow I move and plug my laptop into a different network connection point, that new connection point will have to be reconfigured so that it belongs to the VLAN I originally had.

One solution to this problem is the use of the VTP protocol together with the Cisco VMPS (VLAN Management Policy Server) service, which provides a first approximation to the network access control solutions offered by manufacturers today. Among other features, VMPS allows devices to be associated with VLANs dynamically based on their MAC address (with the security issues this involves). This way, I can connect my laptop to any network point in the office and it will always belong to the same, correct VLAN.

Any midrange Cisco switch supports VMPS as a client. However, only the upper range (4000 series and higher) supports server mode. Despite this, it is not necessary to have one of these devices to implement this solution, because there are many tools, both free (some outdated) and commercial, that provide the VMPS server functionality we need. Among all of them, we have selected vmpsd, a little daemon for GNU/Linux that provides a VMPS server, with a simple file as its management database, without installing too much software. To configure VMPS on our switch (a Cisco 2960 is the chosen device), we have to perform the following steps:

1) Configure VTP

Switch(config)#vtp  mode  server 
Switch(config)#vtp  domain s2

Switch#show  vtp  status 
          : running VTP2
Configuration Revision          : 1
Maximum VLANs supported locally : 255
Number of existing VLANs        : 14
VTP Operating Mode              : Server
VTP Domain Name                 : s2
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC4 0xE8 0xDB 0x1A 0xF2 0x6B 0xC2 0x79 

2) Configure the switch device as a VMPS client

To perform this configuration, we use the IP address of the main VMPS server (we can have several).

Switch(config)# vmps retry 3
Switch(config)# vmps reconfirm 1
Switch(config)# vmps server primary
Switch#show  vmps 
VQP Client Status:
VMPS VQP Version:   1
Reconfirm Interval: 1 min
Server Retry Count: 3
VMPS domain server: (primary, current)
Reconfirmation status
VMPS Action:         No Dynamic Port

3) Create the VLANs

Switch(config)#vlan 21
Switch(config-vlan)#name MANAGMT
Switch(config)#vlan 22
Switch(config-vlan)#name USUARIOS
Switch(config)#vlan 23
Switch(config-vlan)#name GUESTS
Switch#show  vlan 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    
22   USUARIOS                         active    
23   GUESTS                           active   

4) Mark the interfaces that use VMPS

Switch(config)#interface  range  fastEthernet 0/10-20 
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan dynamic

Switch#show  interface fastEthernet 0/10 switchport 
Name: Fa0/10
Switchport: Enabled
Administrative Mode: dynamic access  ******
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: unassigned  *******
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

5) Configure the VMPS server (vlan.db)

vmps domain s2
vmps mode open
vmps fallback GUESTS
vmps no-domain-req deny

address 0023.8bd7.c2b3 vlan-name MANAGMT

The configuration must take the following into account:

  • The domain must coincide with the one configured in VTP.
  • The “GUESTS” VLAN receives the MACs that are not authorized by the policy, because we have configured open mode. If we used secure mode, the interface would be disabled instead.
  • We assign the MAC address of my laptop to the VLAN “MANAGMT”.
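As an added example (not vmpsd's own code), the following evaluator parses this vlan.db and answers queries the way the tests further down show: a known MAC gets its VLAN, an unknown MAC goes to the fallback VLAN in open mode, and in secure mode without a fallback the port is shut down. The '!' comment syntax, the handling of a fallback in secure mode and the WRONG_DOMAIN result are assumptions; note that the only identity the policy ever sees is the MAC address, which is the weakness the post alludes to.

```python
"""Minimal evaluator for a vmpsd-style vlan.db policy (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ALLOW, DENY, SHUTDOWN, WRONG_DOMAIN = "ALLOW", "DENY", "SHUTDOWN", "WRONG_DOMAIN"


def normalize_mac(mac: str) -> str:
    """Accept 0023.8bd7.c2b3, 00:23:8b:d7:c2:b3 or 00238bd7c2b3; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass
class VmpsPolicy:
    domain: str = ""
    mode: str = "open"
    fallback: Optional[str] = None
    deny_no_domain: bool = False
    table: Dict[str, str] = field(default_factory=dict)   # normalized MAC -> VLAN name

    @classmethod
    def parse(cls, text: str) -> "VmpsPolicy":
        """Parse the directives used in the post; anything else is rejected loudly."""
        pol = cls()
        for raw in text.splitlines():
            line = raw.split("!", 1)[0].strip()   # assumption: '!' starts a comment
            if not line:
                continue
            w = line.split()
            if w[:2] == ["vmps", "domain"] and len(w) == 3:
                pol.domain = w[2]
            elif w[:2] == ["vmps", "mode"] and len(w) == 3 and w[2] in ("open", "secure"):
                pol.mode = w[2]
            elif w[:2] == ["vmps", "fallback"] and len(w) == 3:
                pol.fallback = w[2]
            elif w[:2] == ["vmps", "no-domain-req"] and len(w) == 3:
                pol.deny_no_domain = (w[2] == "deny")
            elif w[0] == "address" and len(w) == 4 and w[2] == "vlan-name":
                pol.table[normalize_mac(w[1])] = w[3]
            else:
                raise ValueError(f"unrecognised line: {raw!r}")
        return pol

    def query(self, mac: str, domain: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Evaluate one request from a switch; return (status, vlan_name)."""
        if domain is None:
            if self.deny_no_domain:
                return DENY, None
        elif domain != self.domain:
            return WRONG_DOMAIN, None
        vlan = self.table.get(normalize_mac(mac))
        if vlan is not None:
            return ALLOW, vlan                 # the MAC is the whole identity check
        if self.fallback is not None:
            return ALLOW, self.fallback        # assumption: fallback applies in both modes
        if self.mode == "secure":
            return SHUTDOWN, None              # the switch puts the port in err-disable
        return DENY, None                      # open mode, no fallback: port stays unassigned


# The post's vlan.db, reproduced here as a constructed string.
VLAN_DB = """\
vmps domain s2
vmps mode open
vmps fallback GUESTS
vmps no-domain-req deny

address 0023.8bd7.c2b3 vlan-name MANAGMT
"""
# Variant matching the post's last test: secure mode, no fallback VLAN.
SECURE_DB = VLAN_DB.replace("vmps mode open", "vmps mode secure").replace("vmps fallback GUESTS\n", "")

if __name__ == "__main__":
    open_policy, secure_policy = VmpsPolicy.parse(VLAN_DB), VmpsPolicy.parse(SECURE_DB)
    print("laptop, open:   ", open_policy.query("0023.8bd7.c2b3", "s2"))
    print("other PC, open: ", open_policy.query("0005.1b00.3f81", "s2"))
    print("other PC, secure:", secure_policy.query("0005.1b00.3f81", "s2"))
```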

At this point, we start the daemon and launch a test query (using the server IP address, the VTP domain and the MAC address):

perl  -s -v s2  -m 0023.8bd7.c2b3
MAC Address: 00238bd7c2b3 
Status: ALLOW

As we can see, the MAC address is authorized and gets the VLAN “MANAGMT”. Now we just have to connect to the switch (with debug mode enabled using the command debug vqpc all) and run several tests:

Connect the laptop to one of the network connection points defined to use VMPS (fa0/13).

*Mar  1 02:23:09.070: VQPC EVENT: -pm_port_vqp_start: port Fa0/13
*Mar  1 02:23:11.075: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar  1 02:23:12.081: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed 
                      state to up
*Mar  1 02:23:13.986: VQPC LEARN: 
*Mar  1 02:23:13.986: VQPC LEARN: -learning mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13
*Mar  1 02:23:13.986: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13, type = 0x0021
*Mar  1 02:23:13.986: VQPC: allocating transID 0x00000471
*Mar  1 02:23:13.986: VQPC PAK: xmt transaction ID = 0x00000471
*Mar  1 02:23:13.986: VQPC PAK: sending query to VMPS
*Mar  1 02:23:13.986: VQPC PAK:  
*Mar  1 02:23:13.986: VQPC PAK: rcvd packet from VMPS
*Mar  1 02:23:13.994: VQPC PAK: transaction ID = 0x00000471
*Mar  1 02:23:13.994: VQPC: rcvd response, transID = 0x00000471
*Mar  1 02:23:13.994: VQPC PAK: VLAN name TLV, vlanName = MANAGMT
*Mar  1 02:23:13.994: VQPC PAK: Cookie TLV, cookie = 0023.8bd7.c2b3, length = 6
*Mar  1 02:23:13.994: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 21, mac: 0023.8bd7.c2b3
*Mar  1 02:23:13.994: VQPC EVENT: saving 0023.8bd7.c2b3 from old vlan 0
*Mar  1 02:23:13.994: VQPC EVENT: changing Fa0/13 to vlan 21
*Mar  1 02:23:13.994: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 21, port Fa0/13, type = 0x0001
*Mar  1 02:23:13.994: VQPC LEARN: deleting mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13
*Mar  1 02:23:13.994: VQPC LEARN: changing mac 0023.8bd7.c2b3 on vlan 21, port Fa0/13 to FORWARDING

As we can see, it assigns to the MAC address the VLAN 21 (“MANAGMT”):

Switch#show  vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    Fa0/13
22   USUARIOS                         active   
23   GUESTS                           active    

Switch#show  interface fastEthernet  0/13 switchport 
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic access
Operational Mode: dynamic access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 21 (MANAGMT)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

Now we disconnect it and connect it to another switch port (fa0/17):

*Mar  1 02:24:42.938: VQPC EVENT: -pm_port_vqp_start: port Fa0/17
*Mar  1 02:24:44.650: VQPC LEARN: 
*Mar  1 02:24:44.650: VQPC LEARN: -learning mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17
*Mar  1 02:24:44.650: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17, type = 0x0021
*Mar  1 02:24:44.650: VQPC: allocating transID 0x00000491
*Mar  1 02:24:44.650: VQPC PAK: xmt transaction ID = 0x00000491
*Mar  1 02:24:44.650: VQPC PAK: sending query to VMPS
*Mar  1 02:24:44.650: VQPC PAK:  
*Mar  1 02:24:44.650: VQPC PAK: rcvd packet from VMPS
*Mar  1 02:24:44.650: VQPC PAK: transaction ID = 0x00000491
*Mar  1 02:24:44.650: VQPC: rcvd response, transID = 0x00000491
*Mar  1 02:24:44.650: VQPC PAK: VLAN name TLV, vlanName = MANAGMT
*Mar  1 02:24:44.650: VQPC PAK: Cookie TLV, cookie = 0023.8bd7.c2b3, length = 6
*Mar  1 02:24:44.650: VQPC EVENT: -set_hwidb_vlanid: port Fa0/17 to vlan 21, mac: 0023.8bd7.c2b3
*Mar  1 02:24:44.650: VQPC EVENT: saving 0023.8bd7.c2b3 from old vlan 0
*Mar  1 02:24:44.650: VQPC EVENT: changing Fa0/17 to vlan 21
*Mar  1 02:24:44.658: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 21, port Fa0/17, type = 0x0001
*Mar  1 02:24:44.658: VQPC LEARN: deleting mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17
*Mar  1 02:24:44.658: VQPC LEARN: changing mac 0023.8bd7.c2b3 on vlan 21, port Fa0/17 to FORWARDING
*Mar  1 02:24:44.943: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
*Mar  1 02:24:45.950: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/17, 
                      changed state to up

Switch#sh mac-address-table | inc DYNAMIC
  21    0023.8bd7.c2b3    DYNAMIC     Fa0/17

Switch#show  vlan                                    

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    Fa0/13, Fa0/17
22   USUARIOS                         active   
23   GUESTS                           active    

We see that the Fa0/13 interface is still assigned to the VLAN “MANAGMT”, so we connect another computer to that port:

*Mar  1 00:03:35.016: VQPC EVENT: -pm_port_vqp_start: port Fa0/13
*Mar  1 00:03:36.887: VQPC LEARN: 
*Mar  1 00:03:36.887: VQPC LEARN: -learning mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar  1 00:03:36.887: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 0, port Fa0/13, type = 0x0021
*Mar  1 00:03:36.887: VQPC: allocating transID 0x00000061
*Mar  1 00:03:36.887: VQPC PAK: xmt transaction ID = 0x00000061
*Mar  1 00:03:36.887: VQPC PAK: sending query to VMPS
*Mar  1 00:03:36.887: VQPC PAK:  
*Mar  1 00:03:36.887: VQPC PAK: rcvd packet from VMPS
*Mar  1 00:03:36.887: VQPC PAK: transaction ID = 0x00000061
*Mar  1 00:03:36.887: VQPC: rcvd response, transID = 0x00000061
*Mar  1 00:03:36.887: VQPC PAK: VLAN name TLV, vlanName = GUESTS
*Mar  1 00:03:36.887: VQPC PAK: Cookie TLV, cookie = 0005.1b00.3f81, length = 6
*Mar  1 00:03:36.887: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 23, mac: 0005.1b00.3f81
*Mar  1 00:03:36.887: VQPC EVENT: saving 0005.1b00.3f81 from old vlan 0
*Mar  1 00:03:36.887: VQPC EVENT: changing Fa0/13 to vlan 23
*Mar  1 00:03:36.895: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 23, port Fa0/13, type = 0x0001
*Mar  1 00:03:36.895: VQPC LEARN: deleting mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar  1 00:03:36.895: VQPC LEARN: changing mac 0005.1b00.3f81 on vlan 23, port Fa0/13 to FORWARDING
*Mar  1 00:03:37.021: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar  1 00:03:38.028: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, 
                      changed state to up

As the MAC address is not authorized by the defined policy, it is dynamically assigned the VLAN “GUESTS”.

Switch#show  vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    Fa0/17
22   USUARIOS                         active    Fa0/24
23   GUESTS                           active    Fa0/13

If we now change the policy to secure mode, without a fallback VLAN, and connect the same PC:

*Mar  1 00:12:57.019: VQPC LEARN: 
*Mar  1 00:12:57.019: VQPC LEARN: -learning mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar  1 00:12:57.019: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 0, port Fa0/13, type = 0x0021
*Mar  1 00:12:57.019: VQPC: allocating transID 0x00000151
*Mar  1 00:12:57.019: VQPC PAK: xmt transaction ID = 0x00000151
*Mar  1 00:12:57.019: VQPC PAK: sending query to VMPS
*Mar  1 00:12:57.019: VQPC PAK:  
*Mar  1 00:12:57.019: VQPC PAK: rcvd packet from VMPS
*Mar  1 00:12:57.019: VQPC PAK: transaction ID = 0x00000151
*Mar  1 00:12:57.019: VQPC: rcvd response, transID = 0x00000151
*Mar  1 00:12:57.019: %VQPCLIENT-2-SHUTDOWN: Interface Fa0/13 shutdown by VMPS
*Mar  1 00:12:57.019: %PM-4-ERR_DISABLE: vmps error detected on Fa0/13, putting Fa0/13 in 
                      err-disable state
*Mar  1 00:12:57.019: VQPC EVENT: -pm_port_vqp_stop: port Fa0/13
*Mar  1 00:12:57.019: VQPC EVENT: port Fa0/13, REMOVE dynamic access config
*Mar  1 00:12:57.019: VQPC EVENT: deleting all addresses on vlan 0,t Fa0/13
*Mar  1 00:12:57.019: VQPC EVENT: Deleted TCAM catch-all for port Fa0/13
*Mar  1 00:12:57.019: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 0, mac: NULL
*Mar  1 00:12:57.019: VQPC EVENT: changing Fa0/13 to vlan 0
*Mar  1 00:12:58.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, 
                      changed state to down
*Mar  1 00:12:59.024: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down

Switch#show interfaces fas 0/13 status 

Port      Name     Status       Vlan        Duplex  Speed Type
Fa0/13             err-disabled unassigned  auto    auto 10/100BaseTX

We can see that it has disconnected the interface from the switch, and this also shows in the VMPS protocol statistics:

Switch#show  vmps statistics
VMPS Client Statistics
VQP  Queries:               53
VQP  Responses:             20
VMPS Changes:               0
VQP  Shutdowns:             5
VQP  Denied:                0
VQP  Wrong Domain:          0
VQP  Wrong Version:         0
VQP  Insufficient Resource: 0

As shown, this solution provides more security than the usual approach while improving mobility in our network. However, it has other security problems that we will look at in future posts.

New MFTParser plugin in the alpha version of Volatility

Last week, while playing with a forensics challenge posted by Jack Crook (@jackcr) in the GCIH LinkedIn group, I upgraded Volatility to version 2.3_alpha. In this challenge, the author had included the RAM dump and the disk timeline of each of the affected computers, plus a capture file of the network traffic. Reviewing the novelties included in this alpha version, I found a couple of them quite interesting: mbrparser and mftparser.

Mftparser, as the Volatility webpage indicates, scans and analyzes entries in the Master File Table (MFT): the plugin scans the memory dump for possible MFT entries and prints out information for certain attributes. For more information see OMFW 2012: Reconstructing the MBR and MFT from Memory.

Despite having the timeline, I decided to try the new plugin and compare its output with the one we had been provided. The output can be displayed in a tabular format or, and here is where it gets powerful, in the Sleuthkit body format (with the option --output=body).

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/ --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin mftparser --output=body
Volatile Systems Volatility Framework 2.3_alpha

Scanning for MFT entries and building directory, this can take a while
(FN) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|
(SI) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|
(FN) 0x12d588|WINDOWS\Prefetch\|11727|---a-------I---|0|0|424|1353971273|
(FN) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|
(SI) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|
(FN) 0x2bbee0|(Null)|11728|---------------|0|0|432|0|0|0|0
(FN) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353971306|1353971306|
(SI) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353980005|1353980005|
(FN) 0x311000|WINDOWS\Prefetch\|11728|---a-------I---|0|0|480|1353971306|13
(FN) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971435|1353971435|
(SI) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971493|1353971493|

Then you just have to run mactime (included in Sleuthkit) on this file and you get a system timeline from the RAM dump.

mbelda@audit:~/Forensics/jackcr-challenge$ mactime -b  ENG-USTXHOU-148/body.txt >  
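As an added example (not Sleuthkit's or Volatility's own code), the following script re-implements the core of what mactime does with such a body file: one event per distinct timestamp of each record, flagged with the m/a/c/b letters seen in the timeline further down. The sample lines are constructed in the shape mftparser emits, with the attribute type and offset in the MD5 column, and zero timestamps are skipped on the assumption that they mark an unused entry.

```python
"""mactime-style timeline from Sleuthkit body-format lines (added example)."""
from datetime import datetime, timezone

# Sleuthkit 3 body format, as emitted by mftparser --output=body:
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# Letter of the macb column and the timestamp it stands for, in output order.
FLAGS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_body_line(line):
    """Split one body line into a dict; size and the four timestamps become ints."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("size", "atime", "mtime", "ctime", "crtime"):
        rec[key] = int(rec[key])
    return rec


def macb_flags(rec, ts):
    """Four-character column: the letter where that timestamp equals ts, '.' elsewhere."""
    return "".join(letter if rec[key] == ts else "." for letter, key in FLAGS)


def build_timeline(lines):
    """One (timestamp, macb, record) event per distinct non-zero timestamp of each record."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_body_line(line)
        for ts in sorted({rec[key] for _, key in FLAGS}):
            if ts == 0:        # assumption: 0 means "no time" (e.g. an unused MFT entry)
                continue
            events.append((ts, macb_flags(rec, ts), rec))
    # Sort by time, then path, then attribute type so the output is deterministic.
    events.sort(key=lambda e: (e[0], e[2]["name"], e[2]["md5"]))
    return events


def format_timeline(events):
    """Render like mactime: the date column is printed only when the timestamp changes."""
    rows, last_ts = [], None
    for ts, macb, rec in events:
        when = "" if ts == last_ts else datetime.fromtimestamp(
            ts, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        rows.append(f"{when:<24} {rec['size']:>6} {macb} {rec['mode']} "
                    f"{rec['uid']:>2} {rec['gid']:>2} {rec['inode']:<8} {rec['name']}")
        last_ts = ts
    return rows


# Constructed sample: two attributes of the same MFT entry (SI and FN), one more
# entry, and an unused entry whose timestamps are all zero.
SAMPLE_BODY = [
    "(SI) 0x3aa000|WINDOWS\\ps.exe|11710|---a-----------|0|0|504|1353971194|1353971195|1353971195|1353971194",
    "(FN) 0x3aa000|WINDOWS\\ps.exe|11710|---a-----------|0|0|504|1353971194|1353971194|1353971194|1353971194",
    "(SI) 0x3ab000|WINDOWS\\webui\\gs.exe|11719|---a-----------|0|0|416|1353971208|1353971208|1353971208|1353971207",
    "(FN) 0x2bbee0|(Null)|11728|---------------|0|0|432|0|0|0|0",
]

if __name__ == "__main__":
    for row in format_timeline(build_timeline(SAMPLE_BODY)):
        print(row)
```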

I find this especially useful when, for reasons of size or availability, we cannot get a disk image from which to obtain the creation or access times of certain files.

Here’s an example. By searching for strings (the strings command, with the IP address shown by the connscan command) directly in the RAM dump, we find a mail received by the user that contains a link to a suspicious executable file:

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/ --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin connscan

Volatile Systems Volatility Framework 2.3_alpha
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850                        36569092
0x01ffa850          1024
0x0201f850         4
0x02084e68         628
0x020f8988         696
0x02201008         628
0x18615850         4
0x189e8850          1024
0x18a97008         628
0x18b8e850                        36569092
0x18dce988         696

mbelda@audit:~/Forensics/jackcr-challenge$ strings ENG-USTXHOU-148/memdump.bin > 
mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/strings.txt


Received: from d0793h ( [])
        by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
        Mon, 26 Nov 2012 15:00:07 -0500
Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
From: "Security Department" <>
To: <>, <>,
Subject: Immediate Action
Date: Mon, 26 Nov 2012 14:59:38 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
This is a multi-part message in MIME format.
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus.  This is critical and must be done ASAP!  Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions.  Failure =
to install this anti-virus may result in loosing your job!
Please donwload at
The IS Department
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META content=3D"text/html; charset=3Diso-8859-1" =
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.18702">

Running the iehistory plugin (also new in this version 2.3 of Volatility) we could confirm that the user clicked the link:

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/ --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin iehistory

Volatile Systems Volatility Framework 2.3_alpha
Process: 284 explorer.exe
Cache type "URL " at 0x2895000
Record length: 0x100
Location: Visited: callb@
Last modified: 2012-11-26 23:01:53 
Last accessed: 2012-11-26 23:01:53 
File Offset: 0x100, Data Offset: 0x0, Data Length: 0xa8

But it is thanks to the timeline created by the mftparser plugin that we could confirm not only that he clicked the link, but also that the file was downloaded and executed, and thus that the system was compromised.

mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/body_mactime.txt
Mon Nov 26 2012 23:01:54      472 mac. --------------- 0  0  10117    Documents and Settings\
                                                                       callb\Local Settings\Temp
                              352 macb ---a-------I--- 0  0  11721    System Volume Information\
                              504 macb ---a-------I--- 0  0  11722    WINDOWS\Prefetch\
                              504 macb ---a-------I--- 0  0  11722    WINDOWS\Prefetch\SYMANT~1.PF
                              584 mac. --------------- 0  0  3420     WINDOWS\system32\CatRoot2
                              824 .a.. --------------- 0  0  3432     WINDOWS\system32\CatRoot2\
                              344 mac. ---a----------- 0  0  6996     WINDOWS\system32\CatRoot2\
                              352 .a.. ---a----------- 0  0  8499     WINDOWS\system32\CatRoot2\
                              344 .ac. -h------------- 0  0  8610     WINDOWS\system32\6to4ex.dll
                              336 mac. ---a----------- 0  0  8611     WINDOWS\system32\CatRoot2\
                              472 mac. -----------I--- 0  0  8823     System Volume Information\
Mon Nov 26 2012 23:01:55      352 m.c. ---a-----c----- 0  0  10219    WINDOWS\system32\dllcache\
                              344 mac. ---a----------- 0  0  206      WINDOWS\system32\drivers\
                              416 .a.. ---a----------- 0  0  3438     WINDOWS\system32\CatRoot2\
                              416 .a.. ---a----------- 0  0  3439     WINDOWS\system32\CatRoot\
                              576 .a.. -h------------- 0  0  45       WINDOWS\inf
                              344 mac. ---a----------- 0  0  7161     WINDOWS\system32\wbem\Logs\
                              352 .a.. ---a----------- 0  0  8071     WINDOWS\inf\syssetup.inf
                              568 ..c. -hs--------I--- 0  0  8835     Documents and Settings\callb\
                              344 m.c. -hsa-------I--- 0  0  8836     Documents and Settings\callb\
                              344 .a.. --s------------ 0  0  9481     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                              344 .a.. --s------------ 0  0  9482     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                              472 .a.. --s------------ 0  0  9483     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
Mon Nov 26 2012 23:01:56      352 macb ---a-------I--- 0  0  10216    System Volume Information\
                              360 mac. ---a----------- 0  0  3355     WINDOWS\inf\syssetup.PNF
Mon Nov 26 2012 23:01:59      352 .ac. ---a-----c----- 0  0  10219    WINDOWS\system32\dllcache\
                              352 macb ---a-------I--- 0  0  11705    System Volume Information\
                              936 mac. rhs------c----- 0  0  71       WINDOWS\system32\dllcache
Mon Nov 26 2012 23:02:07      352 .a.. ---a----------- 0  0  23813    WINDOWS\system32\racpldlg.dll
Mon Nov 26 2012 23:03:10      472 macb --------------- 0  0  7556     WINDOWS\webui
Mon Nov 26 2012 23:03:21      488 macb ---a-------I--- 0  0  11706    WINDOWS\Prefetch\
                              488 macb ---a-------I--- 0  0  11706    WINDOWS\Prefetch\IPCONF~1.PF
                              352 .a.. ---a----------- 0  0  24145    WINDOWS\system32\ipconfig.exe
Mon Nov 26 2012 23:03:55      376 mac. ---a----------- 0  0  3436     WINDOWS\system32\CatRoot2\
Mon Nov 26 2012 23:04:14      352 .a.. ---a----------- 0  0  23351    WINDOWS\system32\drivers\
Mon Nov 26 2012 23:04:24      336 mac. ---a----------- 0  0  9790     WINDOWS\system32\CatRoot2\
Mon Nov 26 2012 23:06:34      504 macb ---a----------- 0  0  11710    WINDOWS\ps.exe
                              472 m.c. --------------- 0  0  28       WINDOWS
Mon Nov 26 2012 23:06:35      504 m.c. ---a----------- 0  0  11710    WINDOWS\ps.exe
Mon Nov 26 2012 23:06:47      416 macb ---a----------- 0  0  11719    WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:48      416 mac. ---a----------- 0  0  11719    WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:52      440 macb ---a----------- 0  0  11723    WINDOWS\webui\ra.exe
Mon Nov 26 2012 23:06:56      344 macb ---a----------- 0  0  11724    WINDOWS\webui\sl.exe
Mon Nov 26 2012 23:06:59      368 macb ---a----------- 0  0  11725    WINDOWS\webui\wc.exe
                              288 m... ---a----------- 0  0  11739    WINDOWS\system32\wc.exe
Mon Nov 26 2012 23:07:31      352 .a.. --------------- 0  0  11470    WINDOWS\system32\iertutil.dll
                              344 .a.. ---a----------- 0  0  11498    WINDOWS\system32\urlmon.dll
                              344 .a.. ---a----------- 0  0  11502    WINDOWS\system32\wininet.dll
                              488 mac. ---a-------I--- 0  0  11706    WINDOWS\Prefetch\IPCONF~1.PF
                              352 macb ---a----------- 0  0  11726    WINDOWS\webui\netuse.dll

The other highlighted files are those that the dropper creates when executed in order to compromise the PC. If anyone wants to see the final report of the challenge, follow the link below, provided by Bryan Nolen (@BryanNolen) on the Volatility page.

@Jackcr Forensics Challenge.
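As an added example (not part of the original write-up), here is a small Python parser for the mactime timeline format shown above: it carries the timestamp forward onto the blank-date lines, glues wrapped paths back together, and groups the 'b' (created) entries into bursts, which is how the cluster of new files under WINDOWS\webui stands out. The sample lines are constructed in the same layout as the timeline; the 60-second window and the 3-file threshold are arbitrary choices.

```python
"""Parse Sleuth Kit mactime output and group file creations that happen in a burst."""
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "ts size macb perms uid gid meta path")

DATE_WIDTH = 24  # "Mon Nov 26 2012 23:06:47" fills the first 24 columns of every line


def parse_mactime(text):
    """Return a list of Entry objects from mactime text output.

    A line with a blank date column shares the timestamp of the line above it,
    and a line with fewer than seven fields is a long path that mactime wrapped
    onto its own line, so it is appended to the previous entry's path.
    """
    entries, current_ts = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        date_part, rest = raw[:DATE_WIDTH].strip(), raw[DATE_WIDTH:]
        if date_part:
            current_ts = datetime.strptime(date_part, "%a %b %d %Y %H:%M:%S")
        fields = rest.split(None, 6)  # size macb perms uid gid meta path
        if len(fields) < 7:
            if entries:  # wrapped path continuation
                entries[-1] = entries[-1]._replace(path=entries[-1].path + rest.strip())
            continue
        size, macb, perms, uid, gid, meta, path = fields
        entries.append(Entry(current_ts, int(size), macb, perms, int(uid), int(gid), meta, path.strip()))
    return entries


def creation_bursts(entries, window=timedelta(seconds=60), min_files=3):
    """Group 'b' (born/created) events that fall within `window` of the previous
    one; return only bursts holding at least `min_files` new files, oldest first."""
    births = sorted((e for e in entries if "b" in e.macb), key=lambda e: e.ts)
    bursts, current = [], []
    for e in births:
        if current and e.ts - current[-1].ts > window:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


# Constructed sample in the same layout as the timeline above (not a real export).
SAMPLE = (
    "Mon Nov 26 2012 23:03:21      488 macb ---a-------I--- 0  0  11706    WINDOWS\\Prefetch\\\n"
    "                              488 macb ---a-------I--- 0  0  11706    WINDOWS\\Prefetch\\IPCONF~1.PF\n"
    "                              352 .a.. ---a----------- 0  0  24145    WINDOWS\\system32\\ipconfig.exe\n"
    "Mon Nov 26 2012 23:06:34      504 macb ---a----------- 0  0  11710    WINDOWS\\ps.exe\n"
    "                              472 m.c. --------------- 0  0  28       WINDOWS\n"
    "Mon Nov 26 2012 23:06:47      416 macb ---a----------- 0  0  11719    WINDOWS\\webui\\gs.exe\n"
    "Mon Nov 26 2012 23:06:52      440 macb ---a----------- 0  0  11723    WINDOWS\\webui\\ra.exe\n"
    "Mon Nov 26 2012 23:06:56      344 macb ---a----------- 0  0  11724    WINDOWS\\webui\\sl.exe\n"
    "Mon Nov 26 2012 23:06:59      368 macb ---a----------- 0  0  11725    WINDOWS\\webui\\wc.exe\n"
    "Mon Nov 26 2012 23:07:31      352 .a.. --------------- 0  0  11470    WINDOWS\\system32\\iertutil.dll\n"
    "                              352 macb ---a----------- 0  0  11726    WINDOWS\\webui\\netuse.dll\n"
    "                              472 .a.. --s------------ 0  0  9483     WINDOWS\\system32\\config\\\n"
    "                                                                       systemprofile\\Application Data\\\n"
)

if __name__ == "__main__":
    for burst in creation_bursts(parse_mactime(SAMPLE)):
        print("%d files created starting %s:" % (len(burst), burst[0].ts))
        for e in burst:
            print("   ", e.ts.strftime("%H:%M:%S"), e.path)
```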

Introduction to PCI DSS: Payment Card Industry Data Security Standard

A month ago a new edition of the seminar "Recent developments in Payment Systems" took place in Madrid. The seminar was organized by "Athena Interactive" and discussed some of the most important aspects of the payment systems currently in operation.

One of the issues that raised the most comments was the difficulty of obtaining the lists of companies audited under PCI DSS, and this seemed interesting enough to write an entry about the function of this organization and its most relevant characteristics.

According to its own website, "PCI Security Standards Council is an open global forum established in 2006", whose mission is to increase the security of the payment card industry, protect users and reduce credit card fraud.

[Read more…]

Cybersecurity. The European Parliament is worried.

Anyone who carefully reads report A7-0167/2012 of 16 May 2012 on the protection of critical information infrastructure of the European Commission will notice that the authors of the report, members of the Committee on Industry, Research and Energy, are very worried. We can also analyze the opinion of the EU Committee on Civil Liberties, Justice and Home Affairs on this report and see, without needing to read between the lines, that not only those directly related to the issue are concerned, but also committees that are not apparently directly affected by issues related to the cybersecurity of critical infrastructures.

If you also have the patience to study the recent report on cybersecurity and cyberdefense 2012/2096 (INI) of the Committee on Foreign Affairs, dated October 17th, 2012, you will realize that the concerns sometimes turn into "fear", urging everyone to get to work and enumerating countless reasons why we should do so (the "considerations" are impressive…).

The outlook is bleak because the "considerations" show many points that we should be working on and, even though there is work done, it is not functional for many reasons, all of them logical. The fact is that everything that has to do with cyberthreats is moving very fast, too fast, and the European institutions very slowly, too slowly. As a society we should be prepared to take control of the situation but, unfortunately, this is one of those cases where I get the impression that the regulator is ahead of civil society, because society is not aware of the magnitude of the threat.

This report on cybersecurity and cyberdefense literally says, "the danger posed by cyber-threats and cyber-attacks against government, administrative, military and international agencies is growing rapidly, both in the EU and in the world, and there are important concerns that state and non-state actors, especially terrorists and criminal organizations, can attack critical infrastructures of information and communication institutions and members of the EU, with the chance of causing significant damages including kinetic effects", taking into account that most cyber incidents, as stated in the report, in both the public and private sectors go unreported, urging the authorities to assess the possibility that an EU member state may suffer a cyberattack and discussing the possible invocation of the mutual defense clause (Article 42, paragraph 7 of the EU Treaty) without prejudice to the principle of proportionality. In this sense, could a state-backed cyberattack be considered a casus belli (1)?

We leave the question open, but in case the answer to the above question is yes, there are still other troubling statements in that report: it "notes that recent cyberattacks against European information networks and state information systems have caused extensive damage from the economic and security viewpoints, whose scope has not been adequately evaluated".

Clearly cyber defense should be part of the Common Security and Defence Policy (CSDP) in order, among other things, to protect and preserve people's lives, digital freedoms and respect for human rights online. However, as of June 2012 only 10 Member States had adopted a cybersecurity strategy, the first step to getting to work. In Spain it is under development.

In any case, both reports urge the development of cybersecurity strategies and emergency plans for their own systems, explicitly asking all institutions and agencies to address the consequences of a cyber crisis in their risk analyses and emphasizing the importance of awareness. Member states are encouraged to increase their investment in defense R&D to 2% to make it one of the principal pillars of cybersecurity and cyberdefense (2).

This is all right, but these are nothing more than petitions made by the EU Commission to the European Parliament through its reports and draft reports, but… what happens in the meantime in the real world? Are we really doing our homework in this matter? Are we aware of the danger as a society? Are the politicians who run our country aware of these risks? Yes? To what degree?

I have my own opinion. We see it in the work we do every day. And we will have to make an enormous effort to make society aware that this is a very important problem for all of us…

(1) Casus belli refers to a fact that is considered a cause or pretext for military action. The term appears in the context of international law of the late nineteenth century as a result of the ius in bello political doctrine. The casus belli, as part of the ius in bello or "law of war", seeks to regulate the military actions of different countries, so a priori it prohibits the use of armed force to resolve conflicts, but allows military power against another country under the principle of ultima ratio, i.e. as a last resort.

(2) In 2010 only one European member state had reached 2% in defense research and development, and that year five countries had invested nothing.

Buster Sandbox Analyzer

(Today we have an interesting collaboration from Pedro Lopez, who describes the Buster Sandbox Analyzer tool for those who do not already know it and invites anyone interested to collaborate on its development.)

Buster Sandbox Analyzer is a tool designed to analyze the suspicious behavior of applications, i.e. those actions typically carried out by malware. Some examples of typical actions performed by malware are making a copy of itself elsewhere on the hard drive, modifying registry keys or adding files to the Windows installation directory, among others.

However, when identifying an action as "dangerous", the problem is that some of the actions considered suspicious are also usually performed by legitimate applications. It is thus very important to consider the overall context of the analyzed application: is it reasonable for the application we are testing to perform these actions?

[Read more…]

Memories of an Incident Handler: “email Man in the Middle”

Some time ago I had the chance to manage a fraud security incident using a technique based on the classic Man in the Middle, but the unusual thing is that the attack was not carried out at the network or transport layers but at the application layer, more specifically by email. The case was as follows…

Company "A" used to make major purchases of raw materials from suppliers established in other countries. To begin the transaction, company "A" was asked for a first payment and, when the order was entirely at their facilities, before delivery, company "A" proceeded to pay the remaining amount.

All these transactions and arrangements were made by email, in which both parties discussed the quantities requested, shipping status, prices and the bank accounts for the transfers. Notably, the staff of company "A" were used to working in this way and managed dozens of orders with suppliers from various countries of the world.

In one of the email exchanges with one of the Asian suppliers, right in the middle of a thread of replies (the typical n+1 "Re:" subject email), the employee of company "A" received an email from an address with the same user name as the one he was used to emailing, but with a domain belonging to Yahoo! This address corresponded with That is:

The body of the mail addressed to the employee of "A" from contained the whole content of the previous email conversation, and urged him (the company "A" employee) to change the contact email from to The attacker alleged that s/he had problems with corporate email and was forced to use his/her personal account.

This request did not raise any alarm, as he could see the whole previous conversation in the email, and the person knew details of the activities and the management carried out. Then the attacker requested a change of the bank account to which company "A" had to make the transfer. The employee was initially suspicious, but finally accepted and proceeded to transfer the remaining amount for the operation. This transfer was necessary in order to pick up the remaining material. When the company "A" employee asked the attacker for the paperwork required to collect the material, s/he not only agreed, but also asked for the advance payment of another order.

Shocked, the company "A" employee phoned the supplier and discovered that they knew nothing of the e-mail from Yahoo!, or even that they had received any payments. Moreover, the supplier showed him several emails sent from an address "", which of course the employee of "A" had not written. These emails showed that the supplier had also been misled with the same trap: he had been told to use a new mail contact, thus completing a perfect man in the middle via email.

The attacker, who had access to the outsourced email server of company "A", looked through mailboxes until s/he found one with some responsibility in purchasing matters. At that point s/he just had to get in the way of the communication by telling the employee of "A" to use a new email address controlled by him/her, and the same to the supplier. In this way, all emails that were not important to the attacker were just forwarded, waiting to reach the billing and transfer phase, when he got in the middle, introducing his/her own bank account.

During the investigation it was found that the scammers used a TOR-like network located in Nigeria to access the webmail of the Yahoo! accounts they had created. We identified over 100 different IPs, all geolocated in Lagos (Nigeria). Here is a little sample in case you find them in your logs. I hope you don't…

We are aware that these scams are being carried out against other companies, so watch your mail server closely, especially if you have it outsourced to large service providers that offer incredibly cheap prices but do not take the security of customer data seriously.
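To show how the switch described in this incident can be caught on the receiving side, here is an added Python example (not part of the original post) that walks a mail thread oldest-first and flags a From address that reuses a known mailbox name under a domain the thread has never seen for it, as well as a Reply-To that diverges from From. The thread and all domains are constructed; the helper build() exists only to assemble the sample messages.

```python
"""Flag a mid-thread sender switch: same mailbox name, different domain."""
import email
from email import policy
from email.utils import getaddresses, parseaddr


def split_addr(addr):
    """Return (local_part, domain), lower-cased, from 'Name <user@dom>' or 'user@dom'."""
    _, bare = parseaddr(str(addr))
    local, _, domain = bare.lower().partition("@")
    return local, domain


def thread_alerts(raw_messages):
    """Walk one conversation oldest-first and return a list of (index, reason).

    Every address seen in From/To/Cc becomes a known participant. A later From
    that reuses a known local part under a domain never seen for it is flagged,
    and so is a Reply-To that points somewhere other than the From address.
    A shared generic mailbox name (e.g. info@) across two suppliers would also
    trigger it, so treat the output as a review queue, not a verdict.
    """
    known = {}   # local part -> set of domains it has been seen with
    alerts = []
    for idx, raw in enumerate(raw_messages):
        msg = email.message_from_string(raw, policy=policy.default)
        from_local, from_domain = split_addr(msg.get("From", ""))
        seen = known.get(from_local, set())
        if seen and from_domain not in seen:
            alerts.append((idx, "From switched to %s@%s, previously %s"
                           % (from_local, from_domain, ", ".join(sorted(seen)))))
        reply_to = msg.get("Reply-To")
        if reply_to and split_addr(reply_to) != (from_local, from_domain):
            alerts.append((idx, "Reply-To %s differs from From" % str(reply_to).strip()))
        # Record participants after the checks so the first sighting sets the baseline.
        headers = [str(h) for h in [msg.get("From", "")] + msg.get_all("To", []) + msg.get_all("Cc", [])]
        for _, bare in getaddresses(headers):
            local, domain = split_addr(bare)
            if local:
                known.setdefault(local, set()).add(domain)
    return alerts


def build(from_, to, subject, body, reply_to=None):
    """Assemble a minimal RFC 5322 message; used only to construct sample input."""
    lines = ["From: " + from_, "To: " + to, "Subject: " + subject]
    if reply_to:
        lines.append("Reply-To: " + reply_to)
    return "\n".join(lines) + "\n\n" + body + "\n"


# Constructed thread modelled on the incident above (all domains are fictitious).
THREAD = [
    build("Purchasing <purchasing@company-a.example>", "Sales <sales@supplier.example>",
          "Order 4711", "Please confirm price and shipping date."),
    build("Sales <sales@supplier.example>", "purchasing@company-a.example",
          "Re: Order 4711", "Confirmed. Balance is due before delivery."),
    build("Sales <sales@freemail.example>", "purchasing@company-a.example",
          "Re: Re: Order 4711",
          "Our corporate mail has problems, please use this address from now on.\n"
          "Note the new bank account for the balance payment."),
]

if __name__ == "__main__":
    for idx, reason in thread_alerts(THREAD):
        print("message %d: %s" % (idx, reason))
```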

Industrial Control Technologies Cybersecurity. Time to wake up.

Sometimes one has to make an effort to balance opposing feelings. This has been the case since I started working on cybersecurity issues. I have devoted much of my career to the design and construction of public infrastructures, mainly water treatment plants. As an engineer I was in charge of the design of industrial processes and their associated control systems: physical processes, electrical system wiring diagrams (power and control), network architectures and control components, etc. In short, the process and the associated SCADA systems. I'd like to think I did a good job.

I have witnessed the evolution undergone by those systems in recent years, which could be exemplified by something iconic: the end of traditional control panels with their red and green lights and analog gauges. I remember when I saw, for the first time, one of those old-fashioned panels replaced by a 42" screen, nearly as big as they came in those days: an amazing thing to see, for sure. Now, surrounded by computer engineers, it feels like swallowing the celebrated 'The Matrix' red pill. From my new assignment, I can see in a new light those times in which we engineers adopted all that computer technology with a kind of 'Victorian era' faith in progress. It's hard to explain how it feels as I realize that, in most cases, we've been building castles on sand foundations. I'm becoming aware of the situation as we find more and more equipment and control systems exposed to the Internet without minimal security measures. I'm not kidding you. I've seen them. It's a kind of terrifying moment when you fully understand that you have in your hands the power to completely stop a factory's manufacturing process from your very desk (real case). But who can be blamed for not stopping at a red light when one has never seen a traffic light?

Now it is time to wake up. The threat looming over thousands of systems is just too real and no excuses are allowed. Nevertheless, in most cases, the first reaction is denial or disbelief. It is easy to understand, since attack mechanisms are, in most cases, almost unthinkable for those in charge of these facilities. So, where to start? Here are some tips for my fellow engineers working in the field. They may be repeated like a mantra every morning:

1. The risk is real. Yes, also for me.
2. Maybe I can't think of any reason for an attacker to aim at us. Never mind. It's not my reasons that matter, but his.
3. The size of my organization or system won't help me, and even less when compared to others. If my system is attacked I will sustain 100% damage, irrespective of my size.
4. In these cases it is worth remembering the joke about the two guys running away from an angry bear. One of them puts on his footwear in order to run faster. The other guy regards it as useless, deeming it impossible to outrun the animal. Then the first guy states: "I do not want to outrun the bear, but to outrun you." Our first goal is not to be the easiest target on the shooting range.
5. Asking questions is a good first step. Start with this: What is the current status of my system?
6. Finally, remember: we are all responsible, in varying degrees, for the cybersecurity of the systems we work on. Think of what you do, but also of what you don't.

Don't keep waiting for the first blow to come. In the words of Bob Marley: 'Wake up, stand up…'

Cybersecurity policy for digital homes

It sounds like something belonging to companies and executives, but no, not this time. This time we talk about the computer systems and technology that are growing in many of our homes. We are making some progress. Spain and European countries in general have a very high level of ICT penetration, while many Latin American countries, such as Colombia, Mexico, Chile or Perú, among others, are advancing a lot.

Increasingly we have more sophisticated equipment at home, with dozens of IP devices (TVs, game consoles, computers, routers, tablets, smartphones, etc.) that take a lot of time to maintain, protecting the assets of our homes that hold our information, our life. I have to take into account: my daughters' Tuenti (note: the Spanish social network most used among youngsters), my wife's Facebook, my bank accounts, the digital photos taken with my great reflex camera which, now that they no longer have to be taken to a photo shop to be developed, can have any kind of content, my daughter's list of friends, even with geotagged photos, access to that little IP camera I installed to keep watch when I'm not at home, and a long list of additional systems that for us and our families are confidential personal information and even family critical infrastructures…

If we go further, in a few years we will see video entry systems with advanced functions that integrate home automation and can, for example, turn off the lights remotely and even open the door without us being physically at home.

Given this, the truth is that we parents have little help when protecting our homes against voyeurs, evildoers or evil people in general.

We find some partial recommendations: get an antivirus and keep it updated, do not use cracked programs, be careful with P2P, and set WPA encryption on your WiFi. WPwhat? All of this can become hell for ordinary mortals. It is for me, and I have worked in ICT for many years…

In short, a clearly worrying situation that not only affects home systems but also, directly or indirectly, jeopardizes corporate networks, because nowadays it is very difficult, if not impossible, to separate professional and personal technological environments. Thus, technological threats at home can become security threats to the corporate environment, so we must be ready to build a really safe digital society, because otherwise I fear that even with all the technology in the world protecting our corporate networks, it will be very complicated.

We return to the same problem over and over again. One of the most effective investments in the field of cybersecurity is training and awareness, but the kind that works: practice. It is not the only thing we have to do, but at this point I think it should be the first thing we must do, because people don't have a clear perception of risk. They do with physical risk, and hire security company services with monthly payments, but they do not have the same perception of risk in the virtual world.

I have no idea if someday those of us who dedicate ourselves to security (such as me) will be able to educate our fellows about digital risks, or even if we will be able to have a sufficiently attractive offer to make people contract digital security services as they do with physical guards.

Certainly, I don't know. However, we are obliged to propose that you apply a basic cybersecurity policy for digital homes, which we will try to develop in the following Decalogue, progressively over time, and make as simple as possible. Take into account that applying these rules does not absolutely guarantee anything; it simply mitigates the risk partially, directly reducing the likelihood of a digital incident.

If you need professional help, contact private specialized digital security centers or public centers devoted to security incident response, such as CERTs.

And now, let's see some of these basic rules of the cybersecurity policy for digital homes:

  • Always change the router password. Never leave the default user or password. The "evil ones" know them.
  • Passwords should not be shared. Each member of the family must have their own user and password, with privileges appropriate to each person by age and knowledge.
  • A password must be a real password. Potato is a tuber. JM are the initials of my name. "S2" is the company where I work. None of them are passwords.
  • The administrator password of shared computers on the family network should be known by the mother, the father or the head of the family and no one else.
  • All computers must have an updated antivirus. Some that are free for personal use are great, such as AVG.
  • All computers must be updated. Updates are not an annoying task that takes a long time. They are activities of software manufacturers that are absolutely necessary for our security.
  • Access to the home WiFi network must be protected with the MAC filter if possible. This is not hard to do. It is part of the minimum knowledge we must have to manage the security of our home.
  • The WiFi key should not be related in any sense to our usual passwords, especially if I'm going to let friends connect to it (and thus give them the WiFi key).
  • I don't give my friends my computer's password. If they need to access it, I type the password without them looking. And the same goes for email, social networks, etc.
  • When a file is deleted with the delete key, the file is not really erased. It can be recovered. If you need a file to really disappear from a storage device you must use a secure erase tool (Eraser, for example).
  • If I have to access the corporate computer from home I always have to ask the IT department in order to do it safely.
  • Installing P2P programs such as eMule, Ares, torrent clients or similar at home involves many risks. Be very careful with this type of program.
  • Hacking devices that connect to the network to play online or to download programs of any type introduces a very high risk. Do not break the protections of this type of system and, above all, do not let our children surf with hacked devices.
  • We do not disable the Windows firewall just because it is annoying. Try to find out the reason that prevents a program from operating. There are always ways to keep the firewall working while the programs work correctly.
  • And above all, use common sense. Most network risks can be controlled with a good dose of common sense and a bit of distrust.

Surely many of you have recommendations of this type that we could use to extend the list above. Help us make this list more useful through your comments. We commit ourselves to analyze them and to incorporate them into a set of universal security measures for our homes and our families, and to publish it in HD (, only in Spanish) and SAW ( so everybody can use it. They must be simple recommendations that can be applied by non-technical people who need to implement certain standards at home. They can simply be resources on the network or small useful applications.

Please note that this is a post we publish in both HD ( and SAW ( In the first case, we have included it because we have many readers, parents, who are concerned about the safety of their children and their homes in general. In the latter because I firmly believe that to improve the security of our corporations and businesses of all types and colors we have no choice but to promote training and security awareness among the people who are part of them and their common technological environments, including of course their homes. Let's therefore get to work. Let's work for a safer Digital Society for our businesses, our homes and our families.

Rcapd start meterpreter module

During the post-exploitation phase of an intrusion, after getting a shell on a computer, one of the steps to gain access to other computers or networking devices is through traffic sniffing. Just listening to the traffic passing through the machine, even in a switched environment, can provide us with very useful information about the network topology or the potential vulnerabilities that can be exploited later: NetBIOS names, users/passwords in the clear, ARP, CDP, DHCP, HSRP, VRRP, etc.

To listen to the traffic from a shell, however, we must make use of external tools that we need to download and run on the compromised computer. A good choice is RawCap, which allows packet capturing without relying on packet capture drivers such as WinPcap (the libpcap library for Windows used by many traffic analysis tools).

Another option is to use Meterpreter, from which we can rely on capture modules without touching the compromised machine's hard disk. To do so, Meterpreter has the sniffer extension or the packetrecorder module by @Carlos_Perez aka Darkoperator. Both can be used to generate and save the pcap file locally with the captured traffic.

As an alternative to these two options, I have created a small module (rpcapd_start) that activates the rpcapd service in order to capture traffic remotely. It is not uncommon to find user computers, and even Windows servers, with WinPcap installed. So, what better way to get traffic than using this service remotely? As an additional benefit we won't depend on the Meterpreter session, because once activated, we can capture traffic with any software that supports rpcap.

The WinPcap installation creates a new service called rpcapd, disabled by default.

The module just activates rpcapd, specifying the port and the operating mode (active or passive). We may also choose whether or not we want authentication.

Since it is likely that the computer will be NATed behind a router or firewall, in practice the most useful will be the active mode, where the compromised machine is the one connecting to us.

After starting the service, and in the case of using a passive connection (as in the example), a new rule will be added to the Windows Firewall under the name "Windows Service" to allow incoming traffic.

Then we can connect to the machine from any tool that supports rpcap and start capturing traffic.

The module is already included in Metasploit, so you just need to update it, or simply download it.
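From the defender's side, the sequence this module produces leaves traces in the Windows event logs: a Service Control Manager start-type change (event 7040) and service start (7036) for rpcapd, plus, in passive mode, a firewall rule addition (event 4946, which assumes the host audits firewall rule changes) carrying the generic name "Windows Service". The following added Python example (not part of the module or of Metasploit) correlates those per host within a time window; the record dicts are a constructed, simplified rendering of the events' fields, not a real log export.

```python
"""Correlate Windows event records that, together, indicate rpcapd was switched on."""
from datetime import datetime, timedelta

# Real Windows event IDs; the record dicts below are a constructed, simplified
# rendering of their message fields, not an export from a real log.
EVT_START_TYPE_CHANGED = 7040   # System: "The start type of the <svc> service was changed from X to Y"
EVT_SERVICE_RUNNING = 7036      # System: "The <svc> service entered the running state"
EVT_FIREWALL_RULE_ADDED = 4946  # Security: "A rule was added to the Windows Firewall exception list"

WATCHED_SERVICE = "rpcapd"
GENERIC_RULE_NAMES = {"windows service"}  # rule name the post says the module creates


def classify(rec):
    """Map one record to (evidence tag, description), or None if not of interest."""
    ev, svc = rec["event_id"], rec.get("service", "").lower()
    if ev == EVT_START_TYPE_CHANGED and svc == WATCHED_SERVICE and rec.get("old") == "disabled":
        return ("enabled", "rpcapd start type changed from disabled to %s" % rec.get("new", "?"))
    if ev == EVT_SERVICE_RUNNING and svc == WATCHED_SERVICE:
        return ("running", "rpcapd entered the running state")
    if ev == EVT_FIREWALL_RULE_ADDED and rec.get("rule_name", "").lower() in GENERIC_RULE_NAMES:
        return ("firewall", "firewall rule '%s' added" % rec["rule_name"])
    return None


def rpcapd_findings(records, window=timedelta(minutes=5)):
    """Return {host: {"score": n, "evidence": [...]}} where score counts the distinct
    evidence tags seen on that host within `window` of the newest one.

    Three is the passive-mode pattern (service enabled, started, firewall opened).
    In active mode no inbound rule is needed, so a score of two on a workstation
    that should never run rpcapd already deserves a look.
    """
    by_host = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        hit = classify(rec)
        if hit is None:
            continue
        evidence = by_host.setdefault(rec["host"], [])
        # Forget evidence older than the window relative to this record.
        evidence[:] = [(tag, desc, ts) for tag, desc, ts in evidence if rec["ts"] - ts <= window]
        evidence.append((hit[0], hit[1], rec["ts"]))
    return {
        host: {"score": len({tag for tag, _, _ in ev}), "evidence": [desc for _, desc, _ in ev]}
        for host, ev in by_host.items()
    }


T0 = datetime(2012, 11, 26, 23, 10, 0)  # constructed timestamp
SAMPLE_EVENTS = [  # constructed records; hostnames are fictitious
    {"ts": T0, "host": "ws-17", "event_id": 7040, "service": "rpcapd", "old": "disabled", "new": "demand start"},
    {"ts": T0 + timedelta(seconds=2), "host": "ws-17", "event_id": 7036, "service": "rpcapd"},
    {"ts": T0 + timedelta(seconds=3), "host": "ws-17", "event_id": 4946, "rule_name": "Windows Service"},
    {"ts": T0 + timedelta(minutes=1), "host": "ws-17", "event_id": 7036, "service": "Spooler"},   # noise
    {"ts": T0 + timedelta(minutes=2), "host": "srv-02", "event_id": 7036, "service": "rpcapd"},   # partial
]

if __name__ == "__main__":
    for host, finding in rpcapd_findings(SAMPLE_EVENTS).items():
        print(host, "score", finding["score"], "->", "; ".join(finding["evidence"]))
```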