Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Tue May 11, 2010 12:30 pm

Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

Timestomp - First ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.

http://metasploit.com/projects/antiforensics/timestomp.exe

Slacker - First ever tool that allows you to hide files within the slack space of the NTFS file system.

http://metasploit.com/projects/antiforensics/slacker.exe

Sam Juicer - A Meterpreter module that dumps the hashes from the SAM, but does it without ever hitting disk.

http://metasploit.com/projects/antiforensics/SamJuicer.zip

Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
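An added example, not part of the post above and not code from the Metasploit project: a small Python model of the file slack that Slacker writes into. The cluster size, the volume layout (one contiguous run per file, no MFT, no resident data) and the file contents are all constructed for the illustration. It shows the three things worth knowing: the carrier file's own bytes and hash are unchanged, the hidden data lives between end-of-file and end-of-cluster, and a scan of exactly that range finds it.

```python
"""Model of NTFS file slack: what a tool like Slacker exploits and what an
examiner looks for.

Added example for this thread; it is not code from the Metasploit project
or from the post above.  The volume is a bytearray split into fixed-size
clusters and allocation is simplified (one contiguous run per file, no MFT,
no resident data); cluster size and file contents are constructed.
"""
from typing import Dict, Tuple

CLUSTER = 512  # constructed: real NTFS volumes usually use 4096-byte clusters


def clusters_for(size: int) -> int:
    """Clusters allocated for a file of `size` bytes (always at least one)."""
    return max(1, -(-size // CLUSTER))  # ceiling division


class Volume:
    def __init__(self, cluster_count: int) -> None:
        self.data = bytearray(CLUSTER * cluster_count)
        self.files: Dict[str, Tuple[int, int]] = {}  # name -> (first cluster, logical size)
        self.next_free = 0

    def write_file(self, name: str, content: bytes) -> None:
        """Allocate a run of clusters and store `content` at its start."""
        needed = clusters_for(len(content))
        if self.next_free + needed > len(self.data) // CLUSTER:
            raise OSError("volume full")
        start = self.next_free
        offset = start * CLUSTER
        self.data[offset:offset + len(content)] = content
        self.files[name] = (start, len(content))
        self.next_free += needed

    def read_file(self, name: str) -> bytes:
        """What every normal API (and every file hash) sees: only the logical size."""
        start, size = self.files[name]
        offset = start * CLUSTER
        return bytes(self.data[offset:offset + size])

    def slack_range(self, name: str) -> Tuple[int, int]:
        """Byte range from logical end-of-file to the end of the file's last cluster."""
        start, size = self.files[name]
        end = start * CLUSTER + size
        allocated_end = (start + clusters_for(size)) * CLUSTER
        return end, allocated_end


def hide_in_slack(vol: Volume, carrier: str, payload: bytes) -> bool:
    """Slacker-style hide: write payload past EOF of `carrier`, inside its last cluster.

    Anything that grows the carrier later overwrites these bytes, so a carrier
    that never changes is what the hider needs.
    """
    end, allocated_end = vol.slack_range(carrier)
    if len(payload) > allocated_end - end:
        return False  # does not fit in one file's slack
    vol.data[end:end + len(payload)] = payload
    return True


def recover_from_slack(vol: Volume, carrier: str) -> bytes:
    end, allocated_end = vol.slack_range(carrier)
    return bytes(vol.data[end:allocated_end]).rstrip(b"\x00")


def scan_slack(vol: Volume) -> Dict[str, int]:
    """Examiner's check: which files carry non-zero bytes in their slack, and how many.

    On a real volume slack often holds remnants of deleted files, so a hit is
    something to carve and inspect, not proof of deliberate hiding.
    """
    hits = {}
    for name in vol.files:
        end, allocated_end = vol.slack_range(name)
        nonzero = sum(1 for b in vol.data[end:allocated_end] if b != 0)
        if nonzero:
            hits[name] = nonzero
    return hits


def demo() -> Dict[str, object]:
    """Hide a constructed payload in one file's slack and show what each side sees."""
    vol = Volume(cluster_count=16)
    carrier_bytes = b"[boot loader]\r\ntimeout=30\r\n" * 3            # constructed carrier
    vol.write_file("boot.ini", carrier_bytes)
    vol.write_file("readme.txt", b"nothing hidden here\r\n")
    payload = b"user=backdoor;pass=constructed"                        # constructed secret

    hidden = hide_in_slack(vol, "boot.ini", payload)
    return {
        "hidden": hidden,
        "carrier_unchanged": vol.read_file("boot.ini") == carrier_bytes,
        "recovered": recover_from_slack(vol, "boot.ini"),
        "slack_hits": scan_slack(vol),
    }


if __name__ == "__main__":
    print(demo())
```

The carrier reads back byte-for-byte unchanged, so a hash of the file would not notice; only a read of the bytes past EOF within the allocated cluster does. Non-zero slack is an indicator rather than proof, because slack on a live volume frequently contains remnants of earlier, deleted files.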

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue May 11, 2010 1:51 pm

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

That's nothing that Samhain or any other HIDS can't protect against. As for anti-forensics on *nix, you don't need to introduce foreign programs which can trigger alarms, you can simply use the touch command to modify access, modification times. The issue with most antiforensic software is the cost increases as the analysis takes longer. However, antiforensics also conveys the sense that someone didn't quite know how to get in and out undetected so they instead tried to sabotage the entire system. "Evidence becomes so circumstantial, so difficult to have confidence in, that it's useless." (http://tinyurl.com/CSOAntiForensics)

Countering with say Aide, Samhain, etc. with logs being written to another machine makes antiforensics useless as one can go back and recreate what's what. I started writing a program years back to counter a lot of this including the potential of hash collisions: http://www.infiltrated.net/scripts/saki.html I quickly got bored with the concept when I at the same time - wrote a heuristic based backdoor for Linux to counter myself and all of my hashing based on poisoning.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue May 11, 2010 10:45 pm

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

I can tell you that modifying timestamps definitely affects a forensics investigation.  Much of what goes on is based on assembling a trail of activities.  This often relies on the MACE times of files and folders.  Forensics investigators find tampered times very annoying.  It's definitely not a game killer though.
~~~~~~~~~~~~~~
Ketchup
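Timestomp as described in the opening post, and the MACE trail Ketchup refers to, can be checked from the MFT side. The following is an added example, not code from Metasploit or from either post, and it rests on two assumptions not stated in the thread: that Timestomp writes the $STANDARD_INFORMATION timestamps through an API with whole-second resolution, and that the $FILE_NAME timestamps are left as the kernel set them. The MFT records are constructed by hand rather than parsed from a real volume.

```python
"""Heuristics for spotting Timestomp-style changes to NTFS timestamps.

Added example for this thread; not code from Metasploit or from the posts.
Two assumptions, not stated on the page: (1) Timestomp rewrites the
$STANDARD_INFORMATION (SI) timestamps through the SetFileTime API, which
takes whole seconds, so the 100-ns fraction ends up zero; (2) that API does
not touch the $FILE_NAME (FN) timestamps, so FN keeps what the kernel wrote
when the file was created, renamed or moved.  The records below are
constructed by hand, not parsed from a real MFT.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100-ns ticks since 1601-01-01 UTC
MACE = ("modified", "accessed", "created", "entry_modified")


def to_filetime(dt: datetime, ticks: int = 0) -> int:
    """Build a FILETIME from a whole-second datetime plus a sub-second tick count."""
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND + ticks


def from_filetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def describe(ft: int) -> str:
    """Render a FILETIME with its 100-ns fraction, the digits that give Timestomp away."""
    return "%s.%07d" % (from_filetime(ft).strftime("%Y-%m-%d %H:%M:%S"), ft % TICKS_PER_SECOND)


@dataclass
class MftRecord:
    path: str
    si: Dict[str, int]   # $STANDARD_INFORMATION M/A/C/E as FILETIME
    fn: Dict[str, int]   # $FILE_NAME M/A/C/E as FILETIME


def check_record(rec: MftRecord) -> List[str]:
    """Return the indicators that fire on one record (empty list means nothing odd)."""
    findings = []
    # (1) All four SI values land exactly on a second boundary. Ordinary file
    #     activity leaves a non-zero 100-ns fraction; a whole-second API call does not.
    if all(rec.si[k] % TICKS_PER_SECOND == 0 for k in MACE):
        findings.append("all SI timestamps have zero sub-second ticks")
    # (2) SI says the file was created before FN says it was. FN is written by
    #     the kernel at create/rename/move and is not changed by SetFileTime, so a
    #     back-dated SI creation time ends up earlier than FN. This also fires on
    #     files copied with preserved timestamps or unpacked from an archive.
    if rec.si["created"] < rec.fn["created"]:
        findings.append("SI created precedes FN created")
    return findings


def scan(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Map each flagged path to its findings; clean records are omitted."""
    flagged = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            flagged[rec.path] = findings
    return flagged


def _ft(y, mo, d, h, mi, s, ticks):
    return to_filetime(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc), ticks)


# Constructed records. The first looks like an ordinary system file; the
# second has had its SI times set back to match the first, while FN still
# records when it really appeared.
SAMPLE_RECORDS = [
    MftRecord(
        path=r"C:\Windows\System32\drivers\etc\hosts",
        si={"modified": _ft(2010, 3, 2, 14, 7, 21, 4_812_345),
            "accessed": _ft(2010, 5, 11, 9, 0, 3, 1_230_009),
            "created": _ft(2009, 7, 14, 2, 20, 18, 9_999_990),
            "entry_modified": _ft(2010, 3, 2, 14, 7, 21, 4_812_345)},
        fn={k: _ft(2009, 7, 14, 2, 20, 18, 9_999_990) for k in MACE},
    ),
    MftRecord(
        path=r"C:\Windows\System32\wuaucIt.exe",   # constructed look-alike name
        si={k: _ft(2009, 7, 14, 2, 20, 18, 0) for k in MACE},
        fn={k: _ft(2010, 5, 11, 12, 30, 0, 7_654_321) for k in MACE},
    ),
]


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS).items():
        rec = next(r for r in SAMPLE_RECORDS if r.path == path)
        print(path)
        print("  SI created", describe(rec.si["created"]), " FN created", describe(rec.fn["created"]))
        for f in findings:
            print("  -", f)
```

Both indicators are heuristics. The second also fires on files copied with their timestamps preserved or unpacked from an archive, and the first on anything written by software that sets times in whole seconds, so a hit is a reason to pull the $LogFile, the USN journal and any prefetch entry for that file, not a verdict on its own.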

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Tue May 11, 2010 11:36 pm

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

These tools are really for an insider threat or an attacker that has been on your system for a while and wants to make life a real mess. I don't see a normal attacker deploying these tools. Why would they bother?

I've reported dozens of infected and attack jump points to the correct authorities and most times there's no response. In the end, we black list their IP address ranges. The site just moves on to attack others.

If you read the recent Apache attack, the bad guys never had time to even clean up their attack paths before being discovered. Similar stories of attackers messing up systems, from honey pot projects, display a willfulness to break stuff, somewhat like a dis-affected teen having a hissy fit ;-)

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed May 12, 2010 3:51 am

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

I see your point, but part of "owning the box" is, after infecting it, cleaning up. So it is a part of the process, even though often overlooked due to various factors (time is one of them). Thanks for sharing!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed May 12, 2010 7:22 am

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

What90, what's a normal attacker?  The entire point here is secrecy, and not getting caught.  Proficient hackers will definitely take measures to hide their presence on your system.  For every attacker that gets caught, I would assume that there is one that doesn't. 
~~~~~~~~~~~~~~
Ketchup

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed May 12, 2010 8:29 am

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

Ketchup wrote: For every attacker that gets caught, I would assume that there is one that doesn't.

I agree with Ketchup, except that I'd bet the ratio is even higher... For instance, on any given day, if I put my linux box in the DMZ, and watch my log files, the amount of login attempts, alone, is high, from various different services, IP's etc. It's never as quiet as it seems... If your box is vulnerable, there's a high probability that a large number of attackers have 'touched' it, and cleared traces of themselves already.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed May 12, 2010 10:25 am

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

What90 wrote: These tools are really for an insider threat or an attacker that has been on your system for a while and want to make life a real mess. I don't see a normal attacker deploying these tools. Why would they bother?

I don't know how you interpret these tools to be for an insider or an attacker that has been around for a while. Quite the contrary if someone has been on your machine for some time. They DON'T want to sound off alarms or raise any red flags so the chances of them "stooping this low" would be viewed in my opinion as amateur.

Borrowing from the overhyped Google (APT), Aurora attacks... The attackers took very cautious steps and remained inside of systems (supposedly) for quite some time undetected. I can assure you they didn't run around changing any time stamps.

As Ketchup stated, changing the time stamps in fact in my opinion leads an investigator to stop relying solely on automated tools (EnCase, FTK, etc.) and actually perform more in-depth tasks to determine what occurred. There is a little known slash little talked about portion of many investigators who've often solely relied on the output from their automated tools only to come back getting burned because they overlooked something. Checksumming is key here and for those who haven't done any form of HIDS, I suggest getting familiar with doing so with writing output to an extremely protected box. It makes things *THAT* much simpler to recreate.

Now from my POV... The part that would cripple any forensics investigation would be the use of crypto. Sure one can try the bruteforce approach but in the recent case of an attacker who encrypted data and held it for ransom (http://www.healthleadersmedia.com/conte ... ansom.html) this poses a huge dent for anyone doing incident response, forensics, etc. There is little to be done other than hope you have as recent as possible a backup. Outside of rubber hose crypto (http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis) you're hit.
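sil's two points, in his first post and again above, that touch is enough to reset access and modification times on *nix and that checksums kept on a separate, protected box make that pointless, as an added example. This is not code from the posts, AIDE or Samhain. It builds a baseline of a temporary directory in memory to stand in for the database a HIDS ships off-box, replays the edit-then-touch trick, and diffs the two. File names and contents are constructed and nothing outside the temporary directory is read.

```python
"""Why touch-style time fixing does not defeat an AIDE/Samhain-style baseline.

Added example for this thread; not code from the posts, AIDE or Samhain.
It takes a baseline of a temporary directory (hash, size, mtime, ctime per
file), standing in for the database a HIDS ships to a separate log host,
then replays the trick sil describes: edit a file and put its access and
modification times back with the equivalent of `touch -r`.  The files and
their contents are constructed; nothing outside the temp directory is read.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List

# On POSIX st_ctime is the inode change time, which utime() cannot set; on
# Windows it is the creation time, so the ctime check only means something on POSIX.
CTIME_IS_CHANGE_TIME = os.name == "posix"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> Dict[str, Dict[str, object]]:
    """Record hash, size, mtime and ctime of every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p), "size": st.st_size,
                "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns,
            }
    return snap


def compare(root: Path, snap: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Diff the live tree against the stored baseline: {relpath: [changed fields]}."""
    changes = {}
    for rel, old in snap.items():
        p = root / rel
        if not p.is_file():
            changes[rel] = ["missing"]
            continue
        st = p.stat()
        diffs = []
        if sha256_file(p) != old["sha256"]:
            diffs.append("content")
        if st.st_size != old["size"]:
            diffs.append("size")
        if st.st_mtime_ns != old["mtime_ns"]:
            diffs.append("mtime")
        if st.st_ctime_ns != old["ctime_ns"]:
            diffs.append("ctime")
        if diffs:
            changes[rel] = diffs
    return changes


def touch_reference(path: Path, reference: os.stat_result) -> None:
    """`touch -r reference path`: atime and mtime are the only times utime() can set."""
    os.utime(path, ns=(reference.st_atime_ns, reference.st_mtime_ns))


def demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "etc" / "passwd"          # constructed copy, not the real file
        target.parent.mkdir()
        target.write_bytes(b"root:x:0:0:root:/root:/bin/bash\n")
        (root / "motd").write_bytes(b"authorised users only\n")

        snap = take_baseline(root)                # shipped off-box in a real deployment
        original = target.stat()

        time.sleep(1.1)   # so even a filesystem with 1-second timestamps sees a new ctime
        # Same-length edit, so neither size nor mtime gives it away once the times are reset
        target.write_bytes(target.read_bytes().replace(b"/bin/bash", b"/bin/dash"))
        touch_reference(target, original)

        return compare(root, snap)


if __name__ == "__main__":
    print(demo())   # on POSIX: {'etc/passwd': ['content', 'ctime']}
```

The mtime comparison stays silent, which is exactly what the attacker wanted, but the hash differs and on POSIX the ctime has moved because utime() cannot set it. Keeping the baseline on another host is the part that matters: an attacker with root on the box can just as easily rewrite a baseline stored beside the files it describes.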

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed May 12, 2010 11:10 am

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

Crypto is definitely an issue.  EnCase now has a module that can decrypt some of the common encryption methods, but you still need the key.  One of the coolest anti-forensics tricks is an encrypted partition inside an encrypted partition. 
~~~~~~~~~~~~~~
Ketchup

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Wed May 12, 2010 6:01 pm

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

All - most of the attacks/intrusions I'm able to detect fit into the 80% of using tools or techniques which have been written by smarter folk, not the current user. That's what I'm basing my "normal" attacker profile on, the lower end of the scale.

I was attempting to say these tools would mainly be used by attackers looking to make a mess of systems to thwart the non-forensics IT pro or just make it hell in the clean up. Guess that didn't come across too clearly ;-)

To qualify my comment about the insider, I've seen two recent incidents where internal staff attempted to cover their tracks by Googling how to do this. In both cases they actually brought attention on to themselves by running these tools and causing a real, very obvious mess.

Above average attackers probably have more skills and practice, tread much more lightly, avoid many alerts and don't raise as many of the warning flags.

I happily bow to others' knowledge and skills in forensics, but respectfully disagree with hayabusa's comment that most attackers clean up after themselves. I tend to find quite a bit of obvious tell-tale signs of an attacker's progress, especially if you have a defense in depth approach. Sure you may compromise the web server, but what about the log shipping, IDS, firewall and other monitoring systems? These give a wealth of info about what actually happened and when.

I hope to take Rob Lee's SANS 508 class sometime in the next year or so to get a better and more rounded knowledge on this area. So much to learn and so little time!

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed May 12, 2010 7:55 pm

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

@What90 - I'm not suggesting that ALL hackers cleanup after themselves.  In fact, the ones who are in a hurry, and really don't care, probably don't even think about covering their tracks.  If they just want quickie data extraction / gathering, they may not care. 

However, the point I was making is that, more often than not, if you truly have vulnerable systems, then yes, you have the ones that don't cover their tracks, but in all honesty, there's a high probability that you've had more than enough visits by those who have covered them.  I'd argue, and I'm certain others here would agree, that if you have data of any value, the really good hackers, who have successfully gotten your data, once, are going to want to be able to do it again, and therefore, will hide traces of their activity, so they can return, and harvest more of your data, later on.

Even IF that isn't the case on your network, or with your data, it should be the mindset you should have, regardless, so as to better protect and monitor your systems, in the end.  That is why, at least in every class I've taken for pentesting / offensive security, etc, they specifically teach you to cover your tracks, because it IS intended to be a realistic evaluation of what a hacker can / will do!  It's fact.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed May 12, 2010 8:26 pm

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

I think that what we are seeing in the logs is activity from ones that aren't skilled or don't care.  How would you know if you were hacked by someone if they completely hid their tracks?  I have always thought that the really skilled and impressive attacks are the ones you will never know about.  As far as the statistics on this, I don't know how we would ever be able to compile them.
~~~~~~~~~~~~~~
Ketchup

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed May 12, 2010 8:34 pm

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

Agreed, Ketchup.  You'll never truly have the stats, because the good ones won't leave anything obvious enough, behind, to yield a stat...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Wed May 12, 2010 11:54 pm

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

These are the conversations I really enjoy as they make me think about defenses and mindsets.

@Ketchup
In my mind the main reason you'll never see stats on hacks comes down to businesses refusing to report them for fear of the effect it will have on their share prices. However, having looked over a number of the major court cases in the stats where convictions have been handed out, even the very smart bad guys have been caught out eventually. I know these folks covered their tracks, but they have been caught and are now serving jail time. With the US slowly changing their approach to disclosure I think we'll start to see more and more of what the smart attackers are really up to and can do.

@hayabusa
I completely agree that a sensible, well-trained attacker would hide their tracks, but tampering with logs, accounts, creating backdoors and file timestamps is the easiest way to get caught. If you have good security practices in place and staff skilled in understanding what they are seeing, making changes to production boxes is a red flag.

I just don't believe there are that many ninjas out there. Plenty of people dressing as one, but the real ones are few and far between. If you leave a commonly exploitable box open to the public, then you'd need your head examined. That's just asking for a good kicking!

From the 300-400 registered attacks per second I see on our logs, 95% of them are bots, scripts, loonies or the very seriously confused. Yes, I do get to see some serious probes, but they are 1-2% of the total. The ones I'm most concerned about are the ones that don't register on the logs. Catch 22 applies here ;-)

The hope is that other measures and procedures will detect anomalies and give me time to react. Again to cite the recent Apache attack, the attackers were smart, skilled and well motivated but got caught out. They didn't have the time or get far enough to start hiding their tracks.

Back to the point I've failed to make clearly (twice now :-)): the tools from Metasploit make it easy for anyone with little skill to change details and hide files, but all of that makes noise - that noise increases the chances of me knowing and bringing in help to track down what's happened.

The unskilled, malicious or those with little understanding who use these tools with default settings are the majority. We see enough requests here on "how do I break in to x, to get revenge for x" to know that good security practices will keep the majority of my systems safe from ankle biters.

The "but" is I have to keep up to date and avoid resting on my laurels, thinking that I'm fine.

Slap me around if you don't think that's the case :D

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu May 13, 2010 7:11 am

Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

@What90 - I think that, in general, we agree (as does Ketchup). The logs you refer to, with regards to bots, etc, are exactly that, logs referring to bots and attempts. The ones I concern myself with are NOT the bots, but rather, the attacks that not only got past the perimeter, but got to data.

Overall, I do understand your thoughts, and agree with them. Just that IMHO, with regards to those that actually 'get in,' those who left tracks after getting in are likely a much lower percentage of the overall attack count than you might believe.

Simply stated, I understand your points, and am not disputing the validity, thereof.  Just stating that, if you truly are concerned with data security, making a broad statement that there are few who actually 'practice pentesting ninjutsu,' isn't as accurate, as some might believe, and that process leaves you very open to the MANY who do, and have likely been on your boxes, already, if you're vulnerable.  (And I completely agree that, if you're sitting on vulnerable boxes, and don't do your best to remedy as much as you can, then yes, you should be kicked.)

I agree with you, with regards to the noise from Metasploit, etc.  It's for that very reason that I don't think the REAL hackers are using it to get to your boxes, and rather, are using either their own attack vectors, or some other means.  Not saying the script kiddies that get a hold of it, aren't using it, and being VERY noisy with it, just as they probably are very noisy with their nmap scans, etc.  Just that, a general statement that 'tools from Metasploit make it easy for anyone with little skill to change details and hide files, but all of that makes noise - that noise increases the chances of me knowing and bring in help to track down what's happened.'  I agree with it, for the unskilled hackers.  But the unskilled hackers are NOT the ones I'm ultimately as worried about, for that very reason.  I can see what they are doing.  I'm more concerned with those whom I cannot see.

This is why I truly try to follow the thinking of Sun Tzu, as stated in my signature.  If you KNOW your enemy, it's easy to fight against them.  If you don't, well, you're likely to lose.  You can know your own systems like the back of your hand, but if you don't anticipate and understand the 'real' attackers, then if you don't catch them with your logs, you're a sitting duck.

But again, I agree with you, about 99%, with regards to these posts.  Just not on the statistical pieces.  The ones you see in those logs from bots, etc, are usually 'attempts.'  They don't adequately reflect the 'successes,' nor can they, if any percentage of the successes are from anyone with skills.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH