Category Archives: Windows

A taste of memory forensics

As hacking techniques evolve, more and more intrusions are carried out without the malicious program ever touching the hard drive; everything runs inside the memory of the victim computer. When that happens memory forensics becomes necessary. In this post I’m going to show a few of the Volatility modules that can be used to find running processes, unknown network connections, and the DLLs loaded by each process, all from an image of the computer’s memory.

First I’m going to make sure I’m in the directory that has my memory images.

I navigated to the directory where I have my memory images and I used the ls command to list them.

Once I know I have the right images to analyze I use the Volatility framework to analyze the memory files. Volatility is a free, open source suite for advanced memory forensics, supported by the Volatility Foundation. The foundation’s website is: http://www.volatilityfoundation.org/

First I’m going to check for open network connections.

This is the command used to see the open network connections at the time the memory image was taken. The timeliner module is used here, and grep narrows the output down to just the connections that are active or “established”. Volatility also has modules dedicated to this: connections and connscan for Windows XP and 2003 images, and netscan for Vista and later, which list each connection’s local and remote endpoints, its state and the PID that owns it.

This is odd because this computer should not have any active network connections at all, so this is the first indication that something is wrong.

Next I dig a little deeper and use Volatility to display a list of all the running processes. The pslist module is used to do this. pslist walks the kernel’s linked list of processes; its sibling psscan instead carves process structures out of memory, so it also shows processes that a rootkit has unlinked from that list (and processes that have already exited). Comparing the two is a standard check.

The command for viewing the running processes.
Notice the FTKimager.exe process. This is the imaging software I used to capture the memory image, so it is expected to be there.

In Windows each executable (.exe) loads dynamic link libraries (DLLs): shared code that lives in separate .dll files on disk (ntdll.dll, kernel32.dll and so on) and is mapped into the process’s address space when the program starts or when it calls LoadLibrary. Volatility can list every DLL mapped into each process. The dlllist module is used for this task.

The command to get the DLLs loaded by each executable.
The dlllist module lists all of the DLLs associated with each process. The module also lists the command line that was used to start each executable, and the process ID of each one.

I found an interesting DLL in one of the processes. I decided to Google it to see if it was something odd.

After searching Google I found out that this DLL is the Microsoft Visual C Run Time Library. It is a normal library that Windows programs load, not a process of its own.
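As an added example (not code from the post, and not a Volatility module), here is a small Python script that performs the cross-checks the steps above suggest on Volatility 2 text output: it parses pslist and psscan tables to find processes that psscan carved out of memory but the linked list does not show, flags process names that imitate core Windows binaries, and parses dlllist to report modules loaded from outside the Windows and Program Files directories. The three samples embedded in it are constructed to look like vol.py output; every PID, path and timestamp is made up, and the svch0st.exe process and Temp\x.dll module are planted findings, not something from the post’s images.

```python
"""Triage checks over Volatility 2 text output.

Added example, not code from the post. The three samples below are
constructed to look like `vol.py pslist`, `vol.py psscan` and `vol.py
dlllist` output; every PID, path and timestamp in them is made up.
"""
import re

PSLIST_SAMPLE = r"""
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84b2e8f8 System                    4      0     84      521 ------      0 2015-02-03 22:10:01 UTC+0000
0x85c0d030 explorer.exe           1572   1544     29      812      1      0 2015-02-03 22:11:04 UTC+0000
0x85d1a7a0 calc.exe               1640   1572      4      112      1      0 2015-02-03 22:15:40 UTC+0000
0x85e32c48 FTKImager.exe          2208   1572      9      300      1      0 2015-02-03 22:20:11 UTC+0000
"""

PSSCAN_SAMPLE = r"""
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e2e8f80 System                4      0 0x00185000 2015-02-03 22:10:01 UTC+0000
0x000000003fc0d030 explorer.exe       1572   1544 0x3f0c2380 2015-02-03 22:11:04 UTC+0000
0x000000003fd1a7a0 calc.exe           1640   1572 0x3f0c23c0 2015-02-03 22:15:40 UTC+0000
0x000000003fe32c48 FTKImager.exe      2208   1572 0x3f0c2400 2015-02-03 22:20:11 UTC+0000
0x000000003f9b0a10 notepad.exe        2816   1572 0x3f0c2480 2015-02-03 22:12:00 UTC+0000   2015-02-03 22:13:30 UTC+0000
0x000000003fa91d40 svch0st.exe        3012   1640 0x3f0c2440 2015-02-03 22:17:06 UTC+0000
"""

DLLLIST_SAMPLE = r"""
************************************************************************
calc.exe pid:   1640
Command line : "C:\Windows\system32\calc.exe"
Service Pack 1

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x00000000ff8c0000            0xd0000             0xffff C:\Windows\system32\calc.exe
0x0000000077ac0000           0x1a9000             0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000075b10000            0x7e000             0xffff C:\Windows\system32\msvcrt.dll
0x0000000010000000            0x35000                0x1 C:\Users\bob\AppData\Local\Temp\x.dll
"""

DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
PID_LINE = re.compile(r"^(\S+) pid:\s+(\d+)")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
KNOWN_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "services.exe",
               "winlogon.exe", "explorer.exe"}


def parse_process_table(text):
    """Parse a pslist/psscan table into {pid: {"name", "ppid", "exited"}}.

    Both tables start each row with a hex offset, then name, PID, PPID. A row
    carrying two timestamps (start and exit) describes a process that has
    already terminated; psscan still reports it because the structure is
    still lying around in memory.
    """
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue  # header, separator or blank line
        stamps = sum(1 for p in parts if DATE.match(p))
        procs[int(parts[2])] = {"name": parts[1], "ppid": int(parts[3]),
                                "exited": stamps >= 2}
    return procs


def hidden_processes(pslist_text, psscan_text):
    """PIDs psscan carved from memory that pslist's linked list does not show.

    Terminated processes are excluded because they are expected to be absent
    from the live list. Whatever remains was either unlinked to hide it or
    started between the two listings; either way it deserves a look.
    """
    linked = parse_process_table(pslist_text)
    carved = parse_process_table(psscan_text)
    return {pid: info["name"] for pid, info in carved.items()
            if pid not in linked and not info["exited"]}


def lookalike_names(procs):
    """Names that match a core Windows binary only after swapping digits for
    the letters they imitate (svch0st.exe, exp1orer.exe ...)."""
    out = {}
    for pid, info in procs.items():
        name = info["name"].lower()
        normalised = name.replace("0", "o").replace("1", "l")
        if name not in KNOWN_NAMES and normalised in KNOWN_NAMES:
            out[pid] = info["name"]
    return out


def parse_dlllist(text):
    """Parse dlllist output into {pid: (process name, [module paths])}."""
    modules, current = {}, None
    for line in text.splitlines():
        header = PID_LINE.match(line)
        if header:
            current = int(header.group(2))
            modules[current] = (header.group(1), [])
            continue
        parts = line.split(None, 3)  # base, size, loadcount, path (path may contain spaces)
        if current is not None and len(parts) == 4 and parts[0].startswith("0x"):
            modules[current][1].append(parts[3])
    return modules


def untrusted_modules(dlllist_text):
    """Modules mapped from outside the Windows and Program Files trees."""
    findings = []
    for pid, (name, paths) in parse_dlllist(dlllist_text).items():
        for path in paths:
            if not path.lower().startswith(TRUSTED_DIRS):
                findings.append((pid, name, path))
    return findings


if __name__ == "__main__":
    print("hidden:", hidden_processes(PSLIST_SAMPLE, PSSCAN_SAMPLE))
    print("lookalikes:", lookalike_names(parse_process_table(PSSCAN_SAMPLE)))
    print("untrusted modules:", untrusted_modules(DLLLIST_SAMPLE))
```

The path check is deliberately crude: a module under C:\Windows is not automatically clean, and reflectively injected code (the kind a migrated Meterpreter uses) never appears in dlllist at all, which is why Volatility’s malfind module belongs in the same triage pass. Run the real thing with `vol.py -f image.raw --profile=... pslist > pslist.txt` and friends, then feed the files to these functions.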

This is a small taste of what memory forensics is. It is a growing field, and the more complex attacks get, the more rogue processes will exist only in memory. Thanks for reading!

A few ways to find out if you’re compromised

In computing many programs and processes run in the background. Unless you’re a savvy computer user you may not be aware of these processes, and attackers sometimes use them to hide themselves inside victim computers.

In this post I’ll be using two of my virtual machines to demonstrate how a hack happens, one way a hacker can hide in a system, and how it can be found on the victim.

NOTE: These two machines are both on a host-only network, meaning that the hacking attempts shown in this demo cannot get out onto the open internet. Even though this demo involves hacking I do not in any way support the illegal hacking of any computing device.

First I start off by setting my two virtual machines up on a host-only network, sandboxed within my host system.

I had to make sure on both machines that they were set on VMnet1. This virtual network is configured as host only, so any communication that happens between these two machines will not get out onto the open internet. Therefore I can safely hack the victim.

After confirming that the two VMs are configured correctly I boot them and disable any firewalls, AV software, and other programs that would detect the hack on the victim. The purpose of this test is not to bypass all of those programs but to get a piece of malicious software onto the machine and to show some ways that it can be found.

After the two computers are connected I have the VMs ping each other to make sure they can communicate. After that I use Zenmap, the graphical front end for Nmap, on my hacking platform to scan for open ports on the victim VM.

This program sends network packets to ports on the target computer and reports which of them are open. An “open” port is a service listening for a connection from another computer, and every listening service is a potential gateway into the machine.

I already know which attack vector I want to use on the victim. It requires port 445 (SMB) to be open. After checking the Zenmap report I found that port 445 is open. From there I start Metasploit and configure it to attack the victim.

Before hacking the victim I start a calculator on the victim and run the tasklist command at the command line. This command shows all of the currently running processes on the computer and how much memory each process is using.

A normally running calc.exe process. Notice how much memory calc.exe (the calculator) is using: 9,752 KB.

After Metasploit is configured I run the exploit with the Meterpreter payload. This gives me a shell (a text user interface) for interacting with the victim computer. Using this shell I can gather information on the victim: password hashes, OS version, user account names, and the processes that are running on it, for example.

This shows that Metasploit was successful in exploiting, or hacking, the target.

Right now the rogue program is sitting in memory as a process of its own, where a savvy system administrator can find it pretty easily. Next I take the rogue process and hide it inside a process that is already running on the victim.

On the hacking platform I used Meterpreter to migrate the rogue program into the calculator that is currently running on the victim. After the migration I ran tasklist on the victim to see how much memory the calc.exe process was using. It shot up by 3,816 KB, because extra memory was needed to hold the injected malicious code.

If the system admin knows roughly how much memory each process takes when it runs, then this should raise a red flag. This is one way to see whether a computer has been compromised, but more evidence is needed in order to make a clear determination that it was hacked.

Now that I know something is amiss I check which connections are currently open or “Established”. I used the netstat command on the command line to do this.

I used the -n, -a, and -o options with netstat.
The -n option shows addresses and port numbers in numeric form instead of trying to resolve names.
The -a option shows all connections and listening ports, TCP and UDP.
The -o option shows the process ID (PID) that owns each connection, which is what lets you tie a connection back to a process in the tasklist output.
I filtered netstat’s output through the find command, looking only for “EST”, i.e. established connections. From here I found one connection that is strange: I should not have a connection to a computer with this IP address. Again this requires further investigation. Know thy system. The only way to know if you’re compromised is to know what processes and network connections are supposed to exist on your system.
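As an added example (not code from the post), the two checks above, a memory jump against a known-good baseline and an unexpected established connection, can be scripted so the netstat and tasklist outputs are joined on PID rather than matched by eye. The script below is Python that parses the text output of `netstat -nao` and `tasklist`; both samples are constructed, and the addresses, PIDs and remote port are made up, except that calc.exe’s baseline (9,752 KB) and its growth to 13,568 KB mirror the numbers quoted in the post. The allow-list of expected remote hosts is an assumption you have to fill in for your own system.

```python
"""Join `netstat -nao` to `tasklist` and compare memory against a baseline.

Added example, not code from the post. Both samples are constructed to look
like the two commands' output; the addresses, PIDs and sizes are made up,
except that calc.exe's baseline (9,752 KB) and growth (+3,816 KB) mirror the
numbers quoted in the post.
"""
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.87.130:49160   192.168.87.1:3389      ESTABLISHED     1120
  TCP    192.168.87.130:49158   192.168.87.128:4444    ESTABLISHED     1640
  UDP    0.0.0.0:500            *:*                                    836
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
svchost.exe                   1120 Services                   0     17,400 K
calc.exe                      1640 Console                    1     13,568 K
cmd.exe                       2360 Console                    1      2,104 K
"""

# image name (may contain spaces), PID, session name, session number, "1,234 K"
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K\s*$")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) rows; UDP rows carry no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if parts[0] == "TCP" and len(parts) == 5:
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        elif parts[0] == "UDP" and len(parts) == 4:
            rows.append((parts[0], parts[1], parts[2], "", int(parts[3])))
    return rows


def parse_tasklist(text):
    """Return {pid: (image name, memory in KB)} from tasklist's table output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1).strip(), int(m.group(5).replace(",", "")))
    return procs


def suspicious_connections(netstat_text, tasklist_text, allowed_remote=()):
    """ESTABLISHED connections to hosts outside the allow-list, with the owning process.

    `allowed_remote` is the set of remote IPs this machine is expected to talk
    to; it is an assumption of this example and must come from knowing your
    own system, not from a default.
    """
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED":
            continue
        host = remote.rsplit(":", 1)[0]  # works for IPv6 "[::1]:445" too
        if host in allowed_remote:
            continue
        name = procs.get(pid, ("<not in tasklist>", 0))[0]
        findings.append((pid, name, local, remote))
    return findings


def memory_anomalies(tasklist_text, baseline_kb, tolerance=0.25):
    """Processes whose memory exceeds the recorded baseline by more than
    `tolerance` (25 % by default). `baseline_kb` is {image name: KB} captured
    on a known-good day; calc.exe going from 9,752 to 13,568 KB is what this
    catches."""
    findings = []
    for pid, (name, mem) in parse_tasklist(tasklist_text).items():
        expected = baseline_kb.get(name)
        if expected is not None and mem > expected * (1 + tolerance):
            findings.append((name, pid, expected, mem))
    return findings


if __name__ == "__main__":
    print(suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE, allowed_remote={"192.168.87.1"}))
    print(memory_anomalies(TASKLIST_SAMPLE, {"calc.exe": 9752, "svchost.exe": 17000}))
```

On a live machine replace the two samples with `subprocess.run(["netstat", "-nao"], capture_output=True, text=True).stdout` and the same for `tasklist`. A connection owned by a process that has no business talking to the network (a calculator, Notepad) is the strongest single line this produces; the memory check on its own only tells you that something changed.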

After I found the strange connection I decided to check the event logs. First I checked the security logs.

I found a special logon in the Security log (Event ID 4672, “Special privileges assigned to new logon”). This should not have happened, so it is shaping up that this computer has been compromised. Note the time: it is the exact time the exploit hit the victim computer. Event Viewer shows the time in the local time zone of the computer you are viewing the log on, so if you read the log on a machine in another time zone the times shift accordingly. This event happened on 2/3/15 at 5:17:06 PM system time.

After finding that event in the Security log I check the System log to see if anything was installed on the computer. I use the time of the first event to search the System log.

I discovered that a service was installed on the system on 2/3/15 at 5:17:07 PM, only one second after the unauthorized logon (on Windows Vista and later this is recorded as Event ID 7045, “A service was installed in the system”, from Service Control Manager). Upon further examination of the log entry I found that the name of the service is a random character string. This is very odd; legitimate services have recognisable names. From this point I would say that this computer is compromised and steps would have to be taken to isolate this machine and eliminate the infection.
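The timing relationship above, a special-privilege logon followed within a second by a service install with a random name, is exactly the kind of thing worth encoding as a rule rather than re-discovering by scrolling. As an added example (not code from the post), the Python below correlates 4672 events from the Security log with 7045 events from the System log inside a short window and reports whether the service name looks machine-generated. The events are constructed in-line; the timestamps reproduce the post’s one-second gap, and the account names, service names and image paths are made up. Event ID 4672 (“Special privileges assigned to new logon”) and 7045 (“A service was installed in the system”) are real Windows event IDs; the post itself names only 4672.

```python
r"""Correlate a special-privilege logon with a service install that follows it.

Added example, not code from the post. The events below are constructed; the
fields mirror what the Security and System logs record, and the timestamps
reproduce the one-second gap the post observed (5:17:06 PM logon, 5:17:07 PM
service install). 4672 = "Special privileges assigned to new logon"
(Security); 7045 = "A service was installed in the system" (System,
Service Control Manager, Windows Vista and later).
"""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # (log, event id, local time, details)  -- all constructed
    ("System",   7036, "2015-02-03 17:10:02", {"service": "Windows Update", "state": "running"}),
    ("Security", 4624, "2015-02-03 17:12:40", {"account": "bob", "logon_type": 2}),
    ("Security", 4672, "2015-02-03 17:17:06", {"account": "Administrator"}),
    ("System",   7045, "2015-02-03 17:17:07", {"service": "MzXqKpWvLd",
                                              "image": "%SystemRoot%\\MzXqKpWvLd.exe"}),
    ("System",   7045, "2015-02-03 17:30:00", {"service": "AcmeBackupAgent",
                                              "image": "C:\\Program Files\\Acme\\agent.exe"}),
]

VOWELS = set("aeiouAEIOU")


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def looks_random(name):
    """Crude test for generated service names: at least eight alphanumeric
    characters with almost no vowels. Real names (Spooler, wuauserv,
    TrustedInstaller) keep an ordinary vowel ratio; a keyboard-mash like
    MzXqKpWvLd does not."""
    if len(name) < 8 or not name.isalnum():
        return False
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return True
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def correlate(events, window=timedelta(seconds=10)):
    """Pair each 4672 logon with every 7045 install inside `window` after it.

    The timing is the signal and the name check is corroboration, so a
    legitimate install that happens to land in the window is still reported,
    just with random_name=False; the analyst decides, not the rule.
    """
    logons = [(parse_time(t), d) for log, eid, t, d in events
              if log == "Security" and eid == 4672]
    alerts = []
    for log, eid, t, d in events:
        if log != "System" or eid != 7045:
            continue
        when = parse_time(t)
        for logon_time, logon in logons:
            gap = when - logon_time
            if timedelta(0) <= gap <= window:
                alerts.append({
                    "logon_time": logon_time,
                    "logon_account": logon.get("account"),
                    "install_time": when,
                    "gap_seconds": gap.total_seconds(),
                    "service": d["service"],
                    "image": d.get("image"),
                    "random_name": looks_random(d["service"]),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

To feed it real logs, export both with `wevtutil qe Security /q:"*[System[EventID=4672]]" /f:text` (and the same for System/7045) or read them from a CSV export, and build the same (log, id, time, details) tuples. The window is deliberately short: a service install seconds after a privileged network logon is the footprint of the SMB-based exploit path used in this post, and widening the window mostly adds noise from legitimate installs.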

In this demo I have used the netstat command, the memory usage of running processes, and the Security and System event logs to discover that something odd was happening on this system. These are just a few of the ways to find out whether a computer was compromised. The most important point is that you have to know what is running on your system; if you don’t, you have no reference point for telling that something is wrong. I hope you enjoyed this post. In the next post I’ll be running memory analysis to show what processes are running on a computer. Thanks for reading!

Windows User Accounts: How to build your first line of defense against hacking

Imagine yourself at a Best Buy or other electronics store: you’re looking at a brand new computer tower that has Windows on it and your heart is set on buying it. After you get it home you go through the setup of the machine and the user account(s). After a few months of using the computer, BAM!!!! Everything starts acting odd and you do not know why. All you did was browse the web and install a program on the computer. In the background, without you knowing it, the program you installed downloaded and installed additional programs on the computer. How did it do this without you knowing?

Every day many people use their home computers for many things: email, homework, writing, blog posts, and banking or other sensitive activities. Your files have to be protected from unauthorized access, and the first step is to not let a malicious person or program get hold of an administrator account. Well, the new computer you set up in the story had you create an administrator account as the one you use for everyday work.

What is an administrator account? First I have to talk about the concept of privileges. Windows has different types of user accounts; the important ones are standard user and administrator. An administrator account has the ability, or “privileges”, to make changes to the system. Some of these changes include: installing and uninstalling programs, deleting files that belong to Windows or to other users, changing security settings, and modifying the network settings. Standard user accounts do not have the privileges that administrator accounts have. This type of account can create files like documents and spreadsheets, and it can delete the files it creates. However these accounts cannot make changes to the system or modify files that belong to other users or to Windows. When a user logged into a standard user account tries to make a system change, Windows prompts for an administrator’s password (if one is set). Unless this password is entered correctly the system change does not take place. This feature is called User Account Control (UAC) and its primary purpose is to make sure unwanted system changes do not take place.

For regular computer usage an administrator account should not be used, because you don’t want changes to be made to the computer by mistake, and because if a hacker gains control of your user account and it’s an administrator account then the hacker has complete control of your computer. The separation matters most when something malicious runs. A program launched from an administrator account can install itself system-wide, tamper with security software and change settings for every user, and at the default UAC level much of that goes through with at most a single consent click. The same program run from a standard user account can still do damage within that user’s own files, but any system-wide change has to go through a UAC prompt for an administrator password, which both alerts you and gives you the chance to refuse. This is one way to stop programs from installing themselves without you wanting them to.

For more information on how user account control works check out the Microsoft page that describes the User account control technology: http://windows.microsoft.com/en-us/windows7/products/features/user-account-control

Some of you may think that it’s inconvenient to have to type in a password every time you want to install a program on your computer. Think of it this way: you’re trading a little convenience for security. With airports getting to the gates can take a while because of airport security. Computer security is the same way; if you can put up with inputting a password every time you want to make a system change then you will have a layer of defense not only against attackers but also against user error and programs installing themselves without you knowing about it.

Setting up separate user and admin accounts can sound hard, but it is not. It can be done in one of two ways: the Windows GUI (Graphical User Interface) or the CLI (Command Line Interface). Personally I prefer the command line for its simplicity and speed, but with the command line you need to know certain commands and syntax in order to create the accounts. I’ll cover the GUI first:

  1. Start off by making sure the account you are using is an administrator account
    1. This is required because the admins are the only accounts that can make changes to a system. This includes creating user accounts.
    2. Click start -> control panel -> user accounts and family safety -> User accounts
Click on the start menu then click control panel
Click on user accounts and family safety
Click on User accounts
User account screen. On the top right hand corner of the Window you will see your account picture, account type, and if the account is password protected. Make sure your account type says “Administrator”

After you confirm that the account you are logged into is an administrator account the next step is to create a second administrator account that you know the username and password to. This account will take over the administrator privileges that your daily usage account will no longer have.

Click start -> control panel -> User Accounts and family safety -> click add or remove user accounts

Click add or remove user accounts
Click create new account
Select a username for the new account and make sure to click administrator, then click create account
Your newly created account will then show up on the manage accounts screen. Next you need to set a password for this new account. Click on the new account’s icon.
Then click create a password.
Select a password for the new administrator account. Make sure it is strong. You can also add a password hint if you wish, but remember that the hint is shown to anyone at the logon screen, so it must not give the password away.

After the setup of the new admin account is complete you can proceed to downgrade your regular usage account to a standard user account.

Close the currently open windows and click start -> control panel -> User accounts and family safety -> User accounts

Click change your account type; UAC will not trigger because you are already an admin. Click standard user, then change account type. After this the User Accounts window should say “Standard user”.

Log out of the changed account then log back in for the changes to take place.

As an additional measure I change my User Account Control settings to make UAC more sensitive.

Click on change User Account Control settings
This screen will pop up. These are the default settings for UAC. Personally I don’t like that, at the default level, Windows does not ask me when I change system settings myself. I make mistakes and I would like Windows to double check that I really want to make the change.
This is the UAC setting I recommend: “Always notify”. It may be annoying that UAC will always trigger, but I prefer it. It stops software from making system-wide changes in the background without asking you first. Note that a program which only writes to your own user profile still will not trigger a prompt, so UAC is a layer of defense, not a complete barrier.

For the more advanced user the command line can be used to change user account types. Each account in Windows belongs to one or more local groups; the ones that matter here are the Users group and the Administrators group. An account is an administrator simply because it is a member of the Administrators group, so downgrading it means removing it from that group.

  1. Open an administrator command prompt. Click start -> type cmd -> right click on the cmd icon -> click run as administrator
Click start -> then type cmd into the search box -> then right click the command prompt icon and click run as administrator. Click yes on the UAC prompt and this window should show up. Make sure the title bar reads “Administrator: Command Prompt”. Another indicator that the prompt is elevated is that the working directory starts at C:\Windows\System32 rather than in your user profile.
  1. Confirm that the account you want to downgrade is an administrator by listing the accounts that have administrator level access
    1. Syntax: net localgroup administrators
Typing the command net localgroup administrators shows which user accounts are members of the Administrators group on the system. Make sure the account you want to downgrade is in this list. If it is not, your work is already done.
Type the command net localgroup administrators (accountName) /delete, where accountName is the name of the account you want to downgrade to a standard user. This command does not delete the user or the Administrators group; it only removes the selected account from the group, which makes it a standard account. Run it from the second administrator account you created above, or at least after confirming that another enabled administrator remains in the list, so you do not lock yourself out of administering the machine.
Type the command net localgroup administrators again and check that the account you wanted to downgrade has been removed from the group. If it has, your work is done. Congratulations, you have successfully downgraded an account from administrator to a standard user using the command line.

Log out of the account and log back in to have the changes take place
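As an added example (not code from the post), the command-line procedure above, list the group, remove the account, list again, can be wrapped in a script that refuses to run when the removal would leave no usable administrator, and the same script can read the three registry values behind the UAC slider so you can confirm the “Always notify” setting without opening Control Panel. The Python below shells out to the same `net localgroup` command the post uses; the `net localgroup administrators` output embedded in it is constructed, and Administrator, alice and bob are made-up accounts. The registry key and value names are the documented UAC settings; the mapping to slider positions is for Windows 7.

```python
r"""Demote an account from Administrators safely, and read the UAC level.

Added example, not code from the post. The `net localgroup` output below is
constructed; Administrator, alice and bob are made-up accounts. The registry
values are the documented UAC settings under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
"""
import subprocess
import sys

NET_LOCALGROUP_SAMPLE = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alice
bob
The command completed successfully.
"""

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def parse_members(net_output):
    """Member names from `net localgroup administrators` output: the lines
    between the dashed separator and the closing status line."""
    members, in_table = [], False
    for line in net_output.splitlines():
        if line.startswith("-----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            members.append(line.strip())
    return members


def demotion_plan(account, members):
    """Return the `net` command that removes `account` from Administrators.

    Refuses when the removal would leave no usable administrator. The built-in
    Administrator account is disabled by default on Windows Vista and later,
    so it is not counted as a fallback.
    """
    lower = {m.lower(): m for m in members}
    if account.lower() not in lower:
        raise ValueError(f"{account} is not in Administrators; nothing to do")
    remaining = [m for m in members
                 if m.lower() not in (account.lower(), "administrator")]
    if not remaining:
        raise ValueError("refusing: no other enabled administrator would remain")
    return ["net", "localgroup", "Administrators", lower[account.lower()], "/delete"]


def list_administrators():
    """Run the real command (Windows only) and return the member names."""
    out = subprocess.run(["net", "localgroup", "administrators"],
                         capture_output=True, text=True, check=True).stdout
    return parse_members(out)


def run_demotion(account):
    """List, check the plan, remove, then list again so the caller sees the result."""
    plan = demotion_plan(account, list_administrators())
    subprocess.run(plan, check=True)
    return list_administrators()


def uac_level(enable_lua, consent_prompt_admin, secure_desktop):
    """Map the three registry values to the Windows 7 UAC slider positions."""
    if not enable_lua:
        return "off"
    if consent_prompt_admin == 2 and secure_desktop:
        return "always notify"
    if consent_prompt_admin == 5 and secure_desktop:
        return "default: notify only when programs try to make changes"
    if consent_prompt_admin == 5:
        return "notify, without dimming the desktop"
    if consent_prompt_admin == 0:
        return "never notify"
    return "custom"


def read_uac_level():
    """Read the live values (Windows only; winreg does not exist elsewhere)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        values = [winreg.QueryValueEx(key, name)[0] for name in
                  ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")]
    return uac_level(*values)


if __name__ == "__main__":
    if sys.platform != "win32":
        print("dry run:", demotion_plan("bob", parse_members(NET_LOCALGROUP_SAMPLE)))
    else:
        print("admins now:", run_demotion(sys.argv[1]))
        print("UAC:", read_uac_level())
```

Run it from the elevated prompt described above as `python demote.py bob`; the account being removed should not be the one you are logged in with, and the change takes effect for that user at the next logon, exactly as with the manual command.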

After separating these accounts, make sure they are both protected with strong passwords. A strong password should be long and contain a mix of letters, digits and special characters. In a later post I will cover how quickly common passwords can be broken, tools that can generate and store passwords, passphrases, and how to make a strong password that is easy to remember.

I hope you have enjoyed and learned from this post. If you have any comments or concerns please feel free to use the comment box below.