This shows you the differences between two versions of the page.
isc:labs:10 [2019/04/25 08:54] mihai.chiroiu [02. TOR] |
isc:labs:10 [2024/05/14 12:30] (current) florin.stancu [04. Audio Visualization] |
Line 1: | Line 1: | ||
- | ====== Lab 10 - Privacy Technologies====== | + | ====== Lab 10 - Forensics ====== |
===== Overview ===== | ===== Overview ===== | ||
- | Privacy is a usually included in the larger security landscape, but it deals with aspects that concern people more that technologies and tries to answer a very tough question: "How to access/compute data without the owner know who you are?". While, like everything, is a sword with two blades, it tries to allow people own their data in the digital world and to provide anonymity while browsing the Internet. | + | Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information. |
+ | <hidden> | ||
===== [BONUS] Completare formular de feedback ===== | ===== [BONUS] Completare formular de feedback ===== | ||
- | Vă invităm să evaluați activitatea echipei de ISC și să precizați punctele tari, punctele slabe și sugestiile voastre de îmbunătățire a materiei. Feedback-ul vostru este foarte important pentru noi să creștem calitatea materiei în anii următori și să îmbunătățim materiile pe care le veți face în continuare. | + | Vă invităm de asemenea să evaluați, dacă este posibil, activitatea echipei de ISC și să precizați punctele tari, punctele slabe și sugestiile voastre de îmbunătățire a materiei. Feedback-ul vostru este foarte important pentru noi să creștem calitatea materiei în anii următori și să îmbunătățim materiile pe care le veți face în continuare. |
- | [[https://acs.curs.pub.ro/2018/mod/feedback/view.php?id=2010|Găsiți formularul de feedback aici]]. | + | [[https://curs.upb.ro/mod/feedbackadm/view.php?id=26590|Găsiți formularul de feedback aici]]. |
Vă mulțumim! | Vă mulțumim! | ||
+ | |||
-------- | -------- | ||
\\ | \\ | ||
+ | </hidden> | ||
===== Exercises ===== | ===== Exercises ===== | ||
- | ==== 00 [0p]. Users ==== | + | You are a private investigator and you have 2h to solve 9 crimes. At the end of every crime you will find a flag that looks like **ISC{...}**. \\ |
+ | Are you up to the task? \\ \\ | ||
+ | {{:isc:labs:ISC-lab09.zip|Here}} is your data.\\ \\ | ||
+ | All exercises can be solved on the local Linux machine. | ||
- | Create the following users: **//red//**, **//green//** and **//blue//**. | + | ==== 00. Capture 1 ==== |
- | <hidden> | + | This is traffic capture of a suspect that we've been following for a long time. Can you find anything interesting like login credentials? |
- | <code> | + | <spoiler Hint1> |
- | sudo adduser red | + | Use wireshark to analyse the pcap. |
- | sudo adduser green | + | </spoiler> |
- | sudo adduser blue | + | <spoiler Hint2> |
- | </code> | + | Check the ports at statistics/conversations/tcp. |
- | </hidden> | + | </spoiler> |
+ | \\ | ||
+ | ==== 01. Unknown File Type ==== | ||
- | ==== 01 [50p]. Pretty Good Privacy==== | + | We've found this file on a confiscated machine, but we can't figure what it is. Can you help us? |
+ | <spoiler Hint1> | ||
+ | Today is not your lucky day. No hints for you. | ||
+ | </spoiler> | ||
+ | \\ | ||
+ | ==== 02. Hidden Flag ==== | ||
- | Pretty Good Privacy (PGP) is an encryption standard that can be used to authenticate in a distributed manner. GNU Privacy Guard (GPG) is an open-source implementation of the PGP standards. In this exercise you are required to send one file encrypted from one user to the other. | + | There is something uncanny about this image. Is it trying to give us a hint? |
- | * Generate a private/public key using the gpg tool for each of the three users previously created. Don't forget to list all the keys and save their IDs. | + | \\ |
- | <note> The description of fields is available [[https://github.com/gpg/gnupg/blob/master/doc/DETAILS#field-1---type-of-record|here]]. </note> | + | ==== 03. Corrupted File ==== |
- | <hidden> | + | |
- | <code> | + | |
- | su - blue | + | |
- | gpg --gen-key | + | |
- | su - red | + | |
- | gpg --gen-key | + | |
- | su - green | + | |
- | gpg --gen-key | + | |
- | </code> | + | |
- | </hidden> | + | |
- | * First, we are going to send **//red//**'s public key to **//green//**. Export it into an ASCII file format and import it into **//green//**'s account. | + | |
- | <note> After importing the key you should list it and double check that it was stored in the public ring. At this moment the key is not trusted yet, we will do this in a future step. </note> | + | |
- | <hidden> | + | |
- | <code> | + | |
- | student@isc:~$sudo cp /home/red/pub_red.asc /home/green/. | + | |
- | [sudo] password for student: | + | |
- | student@isc:~$ sudo chown green:green /home/green/pub_red.asc | + | |
- | green@isc:~$ gpg --list-keys | + | |
- | /home/green/.gnupg/pubring.gpg | + | |
- | ------------------------------ | + | |
- | pub 2048R/13C73580 2019-04-23 | + | |
- | uid green <green@cs.pub.ro> | + | |
- | sub 2048R/F1C1FF9A 2019-04-23 | + | |
- | pub 2048R/860244A1 2019-04-23 | + | During a transmission, one of our files got corrupted. Take a look and see if you can do something about it. |
- | uid red-student <red@cs.pub.ro> | + | <spoiler Hint1> |
- | sub 2048R/E7626ADD 2019-04-23 | + | Maybe there is something wrong with the header. |
- | </code> | + | </spoiler> |
- | </hidden> | + | \\ |
- | * Now, **//green//** can use **//red//**'s public key to authenticate him and send an encrypted file. Create a file containing a secret message, encrypt it and send it to the other party. | + | ==== 04. Audio Visualization ==== |
- | <hidden> | + | |
- | <code> | + | |
- | green@isc:~$ echo "this is a secret message" > secret_file.txt | + | |
- | green@isc:~$ gpg --encrypt --recipient red@cs.pub.ro secret_file.txt | + | |
- | gpg: E7626ADD: There is no assurance this key belongs to the named user | + | |
- | pub 2048R/E7626ADD 2019-04-23 red-student <red@cs.pub.ro> | + | We have intercepted an alien transmission, but there is no way to understand what is it saying. Maybe we should look at it. |
- | Primary key fingerprint: 950D 2356 F2DB B4D7 F4FC 9BB2 EB86 5C35 8602 44A1 | + | <spoiler Hint1> |
- | Subkey fingerprint: F07B EFBB 284A 99F3 10BF D964 517A 10DE E762 6ADD | + | FFT! Can you SEE it? |
+ | Check Audacity. | ||
+ | </spoiler> | ||
+ | \\ | ||
+ | ==== 05. Hidden File ==== | ||
- | It is NOT certain that the key belongs to the person named | + | There is something wrong with the size of this image. Is there anything else there? |
- | in the user ID. If you *really* know what you are doing, | + | <spoiler Hint1> |
- | you may answer the next question with yes. | + | Use Binwalk. "-e" option is buggy sometimes. |
+ | </spoiler> | ||
+ | \\ | ||
+ | ==== 06. Censored ==== | ||
- | Use this key anyway? (y/N) y | + | We've found a letter in the trash can of a suspect, but some of the info is censored. Do some magic and find what is underneath the black box. |
- | green@isc:~$ ls | + | <spoiler Hint1> |
- | pub_red.asc secret_file.txt secret_file.txt.gpg | + | Use Google. |
- | </code> | + | </spoiler> |
- | </hidden> | + | \\ |
- | * Send the encrypted file back to **//red//** and decrypt it. | + | ==== 07. Waiting for eternity ==== |
- | <hidden> | + | |
- | <code> | + | |
- | student@isc:~$ sudo cp /home/green/secret_file.txt.gpg /home/red/. | + | |
- | student@isc:~$ sudo chown red:red /home/red/secret_file.txt.gpg | + | |
- | student@isc:~$ su - red | + | |
- | Password: | + | |
- | red@isc:~$ ls | + | |
- | pub_red.asc secret_file.txt.gpg | + | |
- | red@isc:~$ gpg --decrypt secret_file.txt.gpg | + | |
- | gpg: encrypted with 2048-bit RSA key, ID E7626ADD, created 2019-04-23 | + | |
- | "red-student <red@cs.pub.ro>" | + | |
- | this is a secret message | + | |
- | </code> | + | |
- | </hidden> | + | |
- | * The next step is to create a trust channel between **//blue//** and **//red//** using **//green//** as a trusted party. To do so, **//green//** must firstly sign **//red//**'s key and export both his key and **//red//**'s to **//blue//**. Move the exported files into **//blue//**'s directory and import them. After the import was done, list the keys available to **//blue//**. | + | |
- | <note> The signing process typically involves manually verifying the fingerprint of the key </note> | + | |
- | <hidden> | + | |
- | <code> | + | |
- | green@isc:~$ gpg --sign-key red@cs.pub.ro | + | |
- | green@isc:~$ gpg --export -a green@cs.pub.ro > pub_green.asc | + | |
- | green@isc:~$ gpg --export -a red@cs.pub.ro > pub_red_signed_by_green.asc | + | |
- | green@isc:~$ exit | + | |
- | logout | + | |
- | student@isc:~$ sudo cp /home/green/pub_green.asc /home/blue/ | + | |
- | student@isc:~$ sudo cp /home/green/pub_red_signed_by_green.asc /home/blue/ | + | |
- | student@isc:~$ su - blue | + | |
- | blue@isc:~$ gpg --import pub_green.asc | + | |
- | blue@isc:~$ gpg --import pub_red_signed_by_green.asc | + | |
- | blue@isc:~$ gpg --list-key | + | |
- | /home/blue/.gnupg/pubring.gpg | + | |
- | ----------------------------- | + | |
- | pub 2048R/C1CD918F 2019-04-23 | + | |
- | uid blue-student <blue@cs.pub.ro> | + | |
- | sub 2048R/0F45CB72 2019-04-23 | + | |
- | pub 2048R/13C73580 2019-04-23 | + | We stared at this gif for the last hour but nothing is happening. Would you like to join us and stare at it for the next hour? |
- | uid green <green@cs.pub.ro> | + | \\ |
- | sub 2048R/F1C1FF9A 2019-04-23 | + | ==== 08. Capture 2 ==== |
+ | |||
+ | This is an USB capture of a device connected to a suspect's machine. Can you find what he's been typing? | ||
+ | <spoiler Hint1> | ||
+ | [[https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf|USB Documentation]] | ||
+ | </spoiler> | ||
+ | \\ | ||
+ | ===== Resources ===== | ||
+ | * Hex Editor | ||
+ | * Wireshark | ||
+ | * Binwalk | ||
+ | * Audacity | ||
+ | * Image extractor | ||
+ | * USB documentation | ||
- | pub 2048R/860244A1 2019-04-23 | ||
- | uid red-student <red@cs.pub.ro> | ||
- | sub 2048R/E7626ADD 2019-04-23 | ||
- | </code> | ||
- | </hidden> | ||
- | * Now, **//blue//** should mark **//green//**'s key as trusted (by signing it). After this, as the **//red//** user, create a file with an important message and sign it (do not encrypt it for this step). Transfer the file to **//blue//**, read the file and verify the signature. | ||
- | <hidden> | ||
- | <code> | ||
- | red@isc:~$ echo "this is an important message" > important_file.txt | ||
- | red@isc:~$ gpg --sign important_file.txt | ||
- | red@isc:~$ exit | ||
- | student@isc:~$ sudo cp /home/red/important_file.txt.gpg /home/blue/ | ||
- | student@isc:~$ sudo chown blue:blue /home/blue/important_file.txt.gpg | ||
- | student@isc:~$ su - blue | ||
- | Password: | ||
- | blue@isc:~$ ls | ||
- | important_file.txt.gpg pub_green.asc pub_red_signed_by_green.asc | ||
- | blue@mihai-isc:~$ gpg important_file.txt.gpg | ||
- | gpg: Signature made Tue 23 Apr 2019 02:25:50 PM UTC using RSA key ID 860244A1 | ||
- | gpg: Good signature from "red-student <red@cs.pub.ro>" | ||
- | gpg: WARNING: This key is not certified with a trusted signature! | ||
- | gpg: There is no indication that the signature belongs to the owner. | ||
- | Primary key fingerprint: 950D 2356 F2DB B4D7 F4FC 9BB2 EB86 5C35 8602 44A1 | ||
- | blue@isc:~$ cat important_file.txt | ||
- | this is an important message | ||
- | </code> | ||
- | </hidden> | ||
- | * In the default setup mode, the last step should have given a warning stating that the key is not trusted while still being valid ("Good signature"). This is because GPG uses a more complex trusted model. As a last step, login as the **//blue//** user and change the trust level for **//green//**'s key to "I trust ultimately". After this verify the previous file signature again. | ||
- | <note> The web of trust allows a more elaborate algorithm to be used to validate a key. A more flexible algorithm can now be used: a key K is considered valid if it meets two conditions: \\ 1. it is signed by enough valid keys, meaning \\ a. you have signed it personally, \\ b. it has been signed by one fully trusted key, or \\ c. it has been signed by three marginally trusted keys; and \\ 2. the path of signed keys leading from K back to your own key is five steps or shorter. [[https://www.gnupg.org/gph/en/manual.html#AEN335|ref]]</note> | ||
<hidden> | <hidden> | ||
- | <code> | ||
- | blue@isc:~$ gpg --edit-key green@cs.pub.ro | ||
- | gpg> trust | ||
- | Please decide how far you trust this user to correctly verify other users' keys | + | ====== STUFF FROM SUMMER 2016 ====== |
- | (by looking at passports, checking fingerprints from different sources, etc.) | + | |
- | 1 = I don't know or won't say | ||
- | 2 = I do NOT trust | ||
- | 3 = I trust marginally | ||
- | 4 = I trust fully | ||
- | 5 = I trust ultimately | ||
- | m = back to the main menu | ||
- | Your decision? 5 | ||
- | Do you really want to set this key to ultimate trust? (y/N) y | ||
- | gpg> quit | + | TODO!!!! |
- | blue@isc:~$ gpg -v --verify-files important_file.txt.gpg | + | SCHIMBAT IP MASINA VIRTUALA SI MODIFICAT IN DOCUMENT |
- | gpg: original file name='important_file.txt' | + | |
- | gpg: Signature made Tue 23 Apr 2019 02:44:00 PM UTC using RSA key ID 860244A1 | + | |
- | gpg: using PGP trust model | + | |
- | gpg: checking the trustdb | + | |
- | gpg: 3 keys cached (8 signatures) | + | |
- | gpg: 3 keys processed (3 validity counts cleared) | + | |
- | gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model | + | |
- | gpg: depth: 0 valid: 2 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 2u | + | |
- | gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u | + | |
- | gpg: Good signature from "red-student <red@cs.pub.ro>" | + | |
- | gpg: binary signature, digest algorithm SHA1 | + | |
- | </code> | + | |
- | </hidden> | + | |
+ | Sa caute ultimul fisier modificat din filesystem | ||
+ | locatie in QR | ||
+ | | ||
+ | Adaugat ceva de mobile?? | ||
+ | | ||
- | ==== 02. TOR ==== | + | |
+ | ===== Resources ===== | ||
+ | |||
+ | *[[http://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf|Volatility Cheatsheet]] | ||
+ | |||
+ | |||
+ | ===== Overview ===== | ||
+ | |||
+ | *You are a forensic detective hired to investigate the recent attack on our database server. Fortunately, the security team detected the intrusion in time and the hacker had to run quickly, leaving his laptop in the server room. Using a cold boot attack, we managed to obtain a dump of his ram. Your job is to gather as much intel as you can. | ||
+ | |||
+ | |||
+ | <note> | ||
+ | Volatility usage: | ||
+ | |||
+ | volatility-2.5.standalone.exe -f <dump> imageinfo; Look at the suggested profile | ||
+ | |||
+ | volatility-2.5.standalone.exe -f <dump> --profile=<profile> kdbgscan; Look at the Offset (V) | ||
+ | |||
+ | volatility-2.5.standalone.exe -f <dump> --profile=<profile> --kdbg=<offset> COMMAND | ||
+ | </note> | ||
+ | |||
+ | |||
+ | <note tip>You should look for processes, commands, files, history, connections and network traffic.</note> | ||
+ | |||
+ | |||
+ | |||
+ | ==== Solution: ==== | ||
+ | |||
+ | volatility-2.5.standalone.exe -f memory.dmp imageinfo | ||
+ | |||
+ | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 kdbgscan | ||
+ | |||
+ | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 pslist > ps.txt | ||
+ | |||
+ | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 cmdline | ||
+ | |||
+ | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 consoles | ||
+ | |||
+ | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 dumpfiles -D file > dump.txt | ||
+ | |||
+ | file: file.3640.0x86a44318 | ||
+ | |||
+ | find: "search" | ||
+ | |||
+ | http://www.bing.com/search?q=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1KAHXjGIT_8EX0gA5NGZSZ0A-PzcVbzIxm1NKtQClvME%2Fedit%3Fusp%3Dsharing&qs=n&form=QBLH&pq=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1kahxjgit_8ex0ga5ngzsz0a-pzcvbzixm1nktqclvme%2Fedit%3Fusp%3Dsharing&sc=0-96&sp=-1&sk=&cvid=32A3046F740B479DA10E524ABD27DB70 | ||
+ | |||
+ | https://docs.google.com/document/d/1KAHXjGIT_8EX0gA5NGZSZ0A-PzcVbzIxm1NKtQClvME/edit | ||
+ | |||
+ | user besthacker | ||
+ | |||
+ | WW91ciBwYXNzd2QgaXM6IENGVFVJQkRMRlM= BASE64decode | ||
+ | |||
+ | Your passwd is: CFTUIBDLFS | ||
+ | |||
+ | ssh besthacker@..... | ||
- | The Tor (The Onion Routing) project is an implementation of the more generic "onion routing" idea that allows a user to gain network anonymity while surfing the Internet. The mechanism that allows for a private surfing is based on re-encryption and "randomly" routing of the packet at the level of each router within the network, allowing each router to only know the previous and the next router in the route (not the source/destination of the packet) [[https://www.torproject.org/about/history/|ref]]. Accessing the Tor network can be done either through a local proxy of via a Browser pre-configured with the proxy server. | ||
- | * The Tor proxy has already been deployed and configured (line 18 & 28 from /etc/tor/torrc) on the virtual machine. Verify that it is listening on an IPv4 port and write it down. | ||
- | <note> Tor only supports TCP traffic, some make sure your DNS queries are done over TCP.</note> | ||
- | <hidden> | ||
- | <code> | ||
- | root@isc:/etc/tor# netstat -nltp | ||
- | Active Internet connections (only servers) | ||
- | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | ||
- | tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1276/mysqld | ||
- | tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 25926/sshd | ||
- | tcp 0 0 0.0.0.0:9050 0.0.0.0:* LISTEN 1414/tor | ||
- | tcp6 0 0 :::80 :::* LISTEN 3280/apache2 | ||
- | tcp6 0 0 :::22 :::* LISTEN 25926/sshd | ||
- | </code> | ||
- | </hidden> | ||
- | * //torsocks// is a tool that forces any opened program to use the Tor network for connectivity. Open a shell and find out your real IP address. Now, open a shell using //torsocks// and find out the IP address via the Tor network. Restart the **tor** service and discovery your newly allocated IP address. | ||
- | <note tip><code>dig TXT +tcp +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'</code></note> | ||
- | <hidden> | ||
- | <code> | ||
- | root@isc:/etc/tor# torsocks --shell | ||
- | /usr/bin/torsocks: New torified shell coming right up... | ||
- | root@isc:/etc/tor# dig TXT +tcp +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}' | ||
- | 199.249.230.72 | ||
- | root@isc:/etc/tor# exit | ||
- | exit | ||
- | root@isc:/etc/tor# dig TXT +tcp +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}' | ||
- | 141.85.241.165 | ||
- | </code> | ||
- | </hidden> | ||
- | * You are going to configure your local Firefox browser to use the Tor proxy on the VM. First, edit the "Security Group Rules" from OpenStack and make sure that connections to Tor port (via TCP) are allowed. Next, change the **Firefox** Network Settings to use Socks5 proxy using the IP address and port from your VM. You can verify that your browser is using Tor by accessing the following [[https://check.torproject.org/|website]]. | ||
- | <hidden> | ||
- | [[https://1.bp.blogspot.com/-b-MahPstRzA/WvgwatvGq5I/AAAAAAAAQiA/e1rJp8RGKU08O-tV5W0oUA9kDGY5tEq5gCLcBGAs/s1600/proxy.png|Firefox Settings]] | ||
</hidden> | </hidden> | ||
- | * | + | ==== 11. [10p] Feedback ==== |
- | ==== 02. Bitcoin==== | + | |
+ | Please take a minute to fill in the [[https://forms.gle/5Lu1mFa63zptk2ox9|feedback form]] for this lab. | ||
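Review bot: the `<hidden>` block that now wraps the "STUFF FROM SUMMER 2016" draft publishes a complete Volatility walkthrough, a Google Docs link, the `besthacker` username and its base64-decoded password on a page that students read; `<hidden>` is a display toggle, not an access control, so all of it is readable by anyone who opens the page or its source. Move that draft, together with the Romanian TODO notes (e.g. `SCHIMBAT IP MASINA VIRTUALA SI MODIFICAT IN DOCUMENT`), to a staff-only namespace or delete it before publishing. Smaller points in the new text: the data archive is linked as `ISC-lab09.zip` on a page now titled Lab 10, which looks like the wrong file; the exercises stop at `==== 08. Capture 2 ====` while the feedback section is `==== 11. [10p] Feedback ====`, so the numbering jumps; and "This is an USB capture" should read "a USB capture".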