Tuesday, May 5, 2015

LiME and Volatility

I have gotten to take a small break from pentesting and return to some forensics. The question of the week: did someone drop malware on a system? This of course required a return to one of my favorite tools, Volatility!

As part of this task, I wanted to pull memory from a production RHEL web server without rebooting and affecting normal operation of the system. In steps LiME. I had heard of LiME before, but haven't had much of a chance to really use it. Linux Memory Extractor (LiME) is a Loadable Kernel Module (LKM) that allows you to make a copy of the running memory of a Linux system in a format that Volatility understands.

LiME is very simple to get running. Download the source code from the github link above. Copy the source to the system you want to pull memory from, in my case a RHEL 6.5 VM. Run "make" from the source directory. Now you have the kernel module built and ready to use. It should be the ".ko" file in your source folder. In order to run LiME you need to load the module with a few parameters - the name of the file/where to dump memory and the format. You do this using "insmod".

insmod lime-2.6.32-431.el6.x86_64.ko "path=mem.lime format=lime"

This will dump all the current running memory to the file mem.lime in the "lime" format. You could also create a raw dump; however, what is nice about the lime format is that Volatility already understands how to handle it with no modifications. Another cool feature of LiME is that it allows you to dump the memory to a network socket and therefore copy the memory directly off the box. To accomplish this, first tell LiME to send the memory to a port.

insmod lime-2.6.32-431.el6.x86_64.ko "path=tcp:8080 format=lime"

Then connect to that port from your receiving machine using netcat and save the output to a file.

nc limeMachineIP 8080 > mem.lime

This sends all the memory over port 8080 to the receiving box, where it lands in the file mem.lime. Now all you need is to build a profile for Volatility and you can analyze your new memory image. I covered how to do this in an earlier post, so I won't go through it all again; however, I will mention that doing this on RHEL took me a few tries to find the right "elf" package needed to compile "dwarfdump." For anyone who needs it: I had to install "elfutils-devel.x86_64" in order to get "dwarfdump" to compile. With my profile built I was able to use all the Volatility plugins smoothly by using the syntax below.

./volatility_2.4_x64 --plugins=profiles/ --profile=LinuxRHEL-6_5_x86_64x64 linux_pslist -f test.lime

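To make concrete what the lime format adds over a raw dump, here is an added example (my own code, not from the LiME or Volatility projects) that walks the 32-byte range headers Volatility reads from a lime image and flattens the captured ranges into a raw physical image, zero-filling the holes between them. The sample image is constructed inline, and make_range is a test helper for building it, not a LiME function.

```python
import struct

# LiME range header (32 bytes, packed, little-endian), one per captured
# "System RAM" range: u32 magic 0x4C694D45 ("LiME"), u32 version (1),
# u64 s_addr, u64 e_addr (inclusive), u8 reserved[8]. Range bytes follow.
LIME_HEADER = struct.Struct("<IIQQ8s")
LIME_MAGIC = 0x4C694D45
LIME_VERSION = 1

def parse_lime(data: bytes) -> list:
    """Walk a LiME image and return (s_addr, e_addr, payload) for each range."""
    ranges, offset = [], 0
    while offset < len(data):
        if len(data) - offset < LIME_HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {offset}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"invalid range 0x{s_addr:x}-0x{e_addr:x}")
        offset += LIME_HEADER.size
        length = e_addr - s_addr + 1
        if len(data) - offset < length:
            raise ValueError(f"range at 0x{s_addr:x} truncated (capture cut short?)")
        ranges.append((s_addr, e_addr, data[offset:offset + length]))
        offset += length
    return ranges

def lime_to_raw(data: bytes) -> bytes:
    """Flatten the ranges into a raw physical image, zero-filling the holes
    between them (reserved/MMIO regions that LiME does not capture)."""
    out = bytearray()
    for s_addr, _, payload in parse_lime(data):
        if s_addr < len(out):
            raise ValueError("overlapping or out-of-order ranges")
        out.extend(b"\x00" * (s_addr - len(out)))
        out.extend(payload)
    return bytes(out)

def make_range(s_addr: int, payload: bytes) -> bytes:
    """Constructed helper (not part of LiME): build one range for test data."""
    e_addr = s_addr + len(payload) - 1
    return LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, s_addr, e_addr, bytes(8)) + payload

# Constructed sample image: two ranges with a hole at 0x10-0x3F between them.
SAMPLE_IMAGE = make_range(0x00, b"A" * 16) + make_range(0x40, b"B" * 8)
```

A truncated network transfer shows up as a ValueError on the last range rather than as a silently short image, which is the first thing to check when Volatility cannot find the kernel structures in a dump.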
Hope this was helpful, feel free to comment or contact me with any questions. I will do my best to respond.

Tuesday, February 24, 2015

Veil Evasion

This was a post I have been intending to write for several months now, however a fellow hacker recently asked me for advice on this topic. So I decided why not share.

Anti-Virus can be a real pain to a pentester. However like everything else in the computer security world, for every defensive measure, there is a more impressive hack. In steps the Veil Framework. Veil as a whole is a very awesome framework, but for our purposes, we will focus on one component, called Veil Evasion. This tool is developed solely with the purpose of bypassing your favorite AV software. I will pick on McAfee, but make no mistake, this is not a flaw in McAfee. This will work on most AVs.

Veil can be installed from the github link above. If you are using Kali, it is very simple, just run the setup.sh script and you shouldn't have any major issues. Veil provides a very simple to use command line interface. From the first screen, you can use the "list" command to see the payloads that Veil offers. Currently there are 33 payloads to choose from.
Most of my experience has been utilizing payloads 17 and 24. For this discussion I will be using 24. I have found the need for an executable greater than any other type during my testing. From this screen you can type "use 24" to select the python meterpreter reverse https payload. Depending on your use case, it is worth noting this is not a staged payload. The following screen will have a Metasploit feel to it and is just as simple to use. Use "set" to configure your LHOST and LPORT options. Since we want to create an exe, we will leave the "compile_to_exe" option set to "Y". If you change this to "no" it will produce python scripts, which is useful for some use cases. Also take note of the "use_pyherion" option. This option will encrypt your payload. For the first run, let's leave this set to "N". We will come back to this later. The following screen wants you to name the payload. Once you do, you will be presented with 3 other options on how to compile the payload, as shown below.

These options are very important. In a lot of cases the first option will work very well, hence the default. Let's try option 1 with McAfee. Once you make your selection, Veil will compile your payload. Your payload will be dropped in your home directory under a "veil-output" folder. You will also notice it creates a Metasploit resource file, which is really nice for making sure you set up the correct handler for your payload. With AV there are two types of testing which need to be bypassed, static and run time. I have a Windows 7 64-bit VM configured with the latest version of McAfee Enterprise. To test static detection I will drop the binary on the system and tell McAfee to scan the file.

Before I can even tell McAfee to scan the file, my payload is detected and deleted. Epic fail. McAfee was even aware that Veil was used to create this payload. Don't worry, not all hope is lost. Remember the two other options I made note of? First is pyherion, which will encrypt your payload. If you rebuild your binary with this option, you will be pleased to know you will be able to statically scan your payload without detection. Victory, right!? Don't forget the second test. Even though your payload will pass static detection in this case, as soon as you run it McAfee will throw a fit and remove it. Great, McAfee 2 - Redbutt 0. Let's look at the other compile option, labeled "Pwnstaller (obfuscated Pyinstaller loader)", or option 2. This option will also obfuscate the run time loader used to run your payload. Let's see how McAfee likes this option. Static test?

Sweet, first test passed! Now let's try and run it.

No alarms! Did we get a meterpreter session?

Success! What is even better about this option is that you do not need to use pyherion as well. This compile option will take care of both static and run time detection IN THIS INSTANCE. It is important to note that this does not mean it will work for every version of AV. Each AV should be tested independently. You can also add your Veil payload to Metasploit using the "set EXE::Custom \path\to\veil.exe" option. That's Veil Evasion in a nutshell with a basic scenario. Feel free to comment or message me with questions or other experiences.

Sunday, February 15, 2015

OSCP Review

The last several months have been extremely busy, mainly thanks to me taking the OSCP Certification. Good news, I have passed! Many people have asked me about the course and whether I would recommend it. I decided I would put my thoughts here.
TL;DR - Awesome Course, take it, you won't be upset.

To understand my point of view you first need to know I have a degree in Computer Security and have been working in pentesting for about 5 years. I signed up for the 90 days of lab time with the exam. You are provided a book, video lessons, and VPN access to a virtual lab with somewhere near 65 different machines on 3 different networks. My approach was to go through the book with the videos, complete all the exercises and then move on to the labs. This is Offsec's recommended approach.

At first I was actually disappointed. I kept hoping the book would go into more detail; however, I found it extremely basic and the exercises not very challenging. The book and videos do a good job of showing you the basics of the concepts and giving you an introduction to a lot of different areas, however someone with my experience level did not gain very much from this material.

Due to life and lack of motivation it took me about 60 days to complete the book and all the exercises, which left me about 30 days for the labs. In retrospect this was a mistake. The labs were awesome and I regret not leaving more time for them. The labs provided a great challenge for all levels and truly tested not only your skills, but your motivation to keep trying. This is where I learned a great deal and was able to improve my skills. For anyone who has done the Kioptrix challenges, the labs are like a bunch of Kioptrix challenges that are connected. In 30 days, I was able to get root on 22 of the systems, working an average of 3-6 hrs a day on the challenges.

Several people have asked me, "How do you know when you're ready for the Exam? Should you get root on all the boxes first?"

It's hard to say when you're ready for the exam. My advice would be to make sure you have a firm understanding of all the concepts in the book and how to perform all of the attacks. You don't need to get every single box; however, I would suggest getting a variety of boxes. If you only went after the MS08-067 boxes in the lab, you will not be prepared. If you only worked on the Web boxes, you will not be prepared. Offsec does a good job of providing boxes for every area of pentesting. If you are comfortable performing each area MANUALLY, you will be fine.

The exam is all about preparation and time management. Offsec imposes many restrictions on what tools are allowed. Most automated tools, such as vulnerability scanners, and most Metasploit functionality are not allowed. I took the time to precompile a wide variety of Windows exploits for both remote and local attacks. I also created python scripts to help automate my recon. I organized my notes of things I found useful from the labs, and included reference links. I found all of these very useful during the exam. In the end, it took me 8 hrs to obtain the required 70 points to pass. I enjoyed taking the Offensive Security course, and plan to take some of their other courses in the future.