As attack techniques evolve, more and more intrusions are carried out without the malicious program ever touching the hard drive: everything the attacker runs resides in the memory of the victim computer. When this happens memory forensics becomes necessary. In this post I’m going to show a few of the Volatility modules that can be used to find running processes, unknown network connections, and the DLLs associated with each process, all recovered from a memory image.
First I’m going to make sure I’m in the directory that has my memory images.
Once I know I have the right images to analyze I use the Volatility framework to analyze the memory files. Volatility is a free, open-source suite of software used for advanced memory forensics. It is supported by the Volatility Foundation, whose website can be found at http://www.volatilityfoundation.org/
First I’m going to check for open network connections.
This is odd because this computer should not have any active network connections at all. So this is the first indication that something is wrong.
Next I dig a little deeper and use Volatility to display a list of all the running processes. The pslist module does this.
In Windows each executable (.exe) has dynamic link libraries (DLLs) associated with it, which are loaded into the process when it runs. Volatility can be used to see each DLL that a running executable has loaded. The dlllist module is used for this task.
I found an interesting DLL in one of the executables. I decided to Google it to see if it was something odd.
This is a small taste of what memory forensics is. It is a growing field, and the more complex hacking attacks get, the more rogue processes may be located only in memory. Thanks for reading!
On any computer many programs and processes run in the background. Unless you’re a savvy computer user you may not be aware of these processes. Hackers sometimes use these processes to hide themselves inside victim computers.
In this post I’ll be using two of my virtual machines to demonstrate how a hack happens, one way a hacker can hide in a system, and how it can be found on the victim.
NOTE: These two machines are both on a host-only network, meaning that the hacking attempts shown in this demo cannot get out onto the open internet. Even though this demo involves hacking I do not in any way support the illegal hacking of any computing device.
First I start off by setting up my two virtual machines in a host-only network sandboxed within my host system.
After confirming that the two VMs are configured correctly I boot them and disable any firewalls, AV software, and other programs that would detect the hack on the victim. The purpose of this test is not to bypass all of these programs but to get a piece of malicious software onto the machine and to show some ways that it can be found.
After the two computers are connected I have the VMs ping each other to make sure they can communicate. After that I use Zenmap on my hacking platform to scan for open ports on the victim VM.
I already know which attack vector I want to use on the victim. It requires port 445 to be open. After checking the Zenmap report I found that port 445 is open. From there I start Metasploit and configure it to attack the victim.
Before hacking the victim I start a calculator on the victim and run the tasklist command in the command line. This command shows all of the currently running processes on the computer and how much memory each process is using.
After the configuring of Metasploit is finished I run the exploit with the Meterpreter payload. This gives me a shell (a text user interface) to interact with the victim computer. Using this shell I can gather information on the victim computer, for example password hashes, OS version, user account names, and processes that are running on the victim.
Right now the rogue program should be sitting in memory as its own process. This can be found pretty easily by a savvy system administrator. Next I take the rogue process and hide it inside a process that is already running on the victim.
If the system admin knows roughly how much memory each process takes when it runs then this should raise a red flag. This is one way to see if a computer has been compromised, but more evidence is needed in order to make a clear determination that the computer was hacked.
Now that I know something is amiss I check which connections are currently open or “Established”. I use the netstat command on the command line to do this.
After I find the strange connection I decide to check the event logs. First I check the security logs.
After finding that event in the security logs I check the system logs to see if anything was installed on the computer. I use the time of the first event to search the system logs.
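The two command-line checks used above, comparing tasklist memory usage against a known baseline and attributing ESTABLISHED netstat rows to a process, written up as an added Python example (not the post’s own code). The tasklist and netstat text below is constructed sample output, and the 10,000 KB growth threshold is an assumption.

```python
# Baseline-vs-current triage of `tasklist` and `netstat -ano` output.
# Added example, not from the post; all sample output below is constructed.
import re

BASELINE = """Image Name                     PID Session Name        Session#    Mem Usage
explorer.exe                  1096 Console                    1     34,512 K
"""
CURRENT = """Image Name                     PID Session Name        Session#    Mem Usage
explorer.exe                  1096 Console                    1     58,900 K
calc.exe                      1820 Console                    1     12,004 K
"""
NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    192.168.56.101:49160   192.168.56.1:4444      ESTABLISHED     1096
"""
ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+([\d,]+) K$")

def parse_tasklist(text):
    """Map PID -> (image name, memory in KB); image names may contain spaces."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3).replace(",", "")))
    return procs

def compare_snapshots(baseline_text, current_text, growth_kb=10_000):
    """Flag processes missing from the baseline and processes whose memory grew
    by more than growth_kb (the threshold is an assumption; tune it per host)."""
    base, cur = parse_tasklist(baseline_text), parse_tasklist(current_text)
    findings = []
    for pid, (name, kb) in cur.items():
        if pid not in base:
            findings.append(f"new process {name} (pid {pid})")
        elif kb - base[pid][1] > growth_kb:
            findings.append(f"{name} (pid {pid}) grew {base[pid][1]} -> {kb} KB")
    return findings

def established(netstat_text, tasklist_text):
    """Return (pid, image name, foreign address) for each ESTABLISHED row."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for parts in (line.split() for line in netstat_text.splitlines()):
        if len(parts) == 5 and parts[3] == "ESTABLISHED":
            pid = int(parts[4])
            rows.append((pid, procs.get(pid, ("<unknown>",))[0], parts[2]))
    return rows

if __name__ == "__main__":
    print(*compare_snapshots(BASELINE, CURRENT), sep="\n")
    print(*established(NETSTAT, CURRENT), sep="\n")
```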
In this demo I have used the netstat command on the command line, the memory usage of running processes, and the security and system event logs to discover that something odd was happening on this system. These are just a few of the ways to find out if a computer was compromised. The most important fact to note is that you have to know what is running on your system. If you don’t then you do not have a reference point to find out if something is wrong. I hope you enjoyed this post. For the next post I’ll be running memory analysis to show what processes are running on a computer. Thanks for reading!
Imagine yourself at a Best Buy or other electronics store. You’re looking at a brand new computer tower that has Windows on it and your heart is set on buying it. After you get it home you go through the setup of the machine and the user account(s). After a few months of using the computer, BAM!!!! Everything starts acting odd and you do not know why. All you did was browse the web and install a program on the computer. In the background, without you knowing it, the program you installed downloaded and installed additional programs on the computer. How did it do this without you knowing it?
Every day many people use their home computers for many things: email, homework, writing, blog posts, and banking or other sensitive activities. Your files have to be protected from unauthorized access, and the first step is to not allow a malicious person to have access to an administrator account. Well, the new computer in the story had you set up an administrator account as the one you use for regular, everyday tasks.
What is an administrator account? First I have to talk about the concept of privileges. With Windows there are different types of user accounts. The important types are: standard user and administrator. An administrator account has the ability or “privileges” to make changes to the system. Some of these changes include: installing and uninstalling programs, deleting certain files, changing security settings, and modifying the network settings. Standard user accounts do not have the privileges that administrator accounts have. This type of account can create files like documents and spreadsheets; they can also delete the files they create. However these accounts cannot make any changes to the system or access any file that does not belong to them. When a user logged into a standard user account tries to make system changes Windows will prompt the user for the administrator’s password (if there is one). Unless this password is put in correctly the system change will not take place. This feature is called user account control (UAC) and its primary purpose is to make sure unwanted system changes do not take place.
For regular computer usage an administrator account should never be used because you don’t want changes to be made to the computer by mistake. Also if a hacker gains control of your user account and it’s an administrator account then the hacker has complete control of your computer. Another reason to separate the user and administrator accounts is because if a user is logged into an administrator account and they click on a link that contains a malicious program then the program will install itself without the user realizing it. But if the same thing was done by a standard user account then the user account control will be triggered alerting the user that a program is trying to install itself. This is one way to stop programs from installing without you wanting them to.
Some of you may think that it’s inconvenient to have to type in a password every time you want to install a program on your computer. Think of it this way: you’re trading a little convenience for security. With airports getting to the gates can take a while because of airport security. Computer security is the same way; if you can put up with inputting a password every time you want to make a system change then you will have a layer of defense not only against attackers but also against user error and programs installing themselves without you knowing about it.
Setting up separate user and admin accounts can sound like it’s hard, but it is not. This can be done in one of two ways: the Windows GUI (Graphical User Interface) or the CLI (Command Line Interface). Personally I prefer the command line due to its simplicity and speed, but with the command line you need to know certain commands and syntax in order to create the accounts. I’ll cover the GUI first:
Start off by making sure the account you are using is an administrator account.
This is required because administrator accounts are the only ones that can make changes to a system, including creating user accounts.
Click start -> control panel -> user accounts and family safety -> User accounts
After you confirm that the account you are logged into is an administrator account the next step is to create a second administrator account that you know the username and password to. This account will take over the administrator privileges that your daily usage account will no longer have.
Click start -> control panel -> User Accounts and family safety -> click add or remove user accounts
After the setup of the new admin account is complete you can proceed to downgrade your regular usage account to a standard user account.
Close the currently open windows and click start -> control panel -> User accounts and family safety -> User accounts
Log out of the changed account then log back in for the changes to take place.
As an additional measure I alter my User account control settings. I make it more sensitive.
For the more advanced user the command line can be used to change user account types. Each account in Windows belongs to a group. Examples of groups are the Users group and the Administrators group.
Open an administrator command line prompt. Click start -> type cmd -> right click on the cmd icon -> click run as administrator
Confirm that the account you want to remove is an administrator by listing the accounts that have administrator-level access.
Syntax: net localgroup administrators
Log out of the account and log back in to have the changes take place.
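A pre-flight check for the command-line downgrade, as an added Python example that is not part of the post: it parses the `net localgroup administrators` listing (the constructed SAMPLE below, with made-up account names), refuses to proceed unless another administrator you created remains, and returns the `net localgroup ... /delete` command to run. Not counting the built-in Administrator account as a fallback is an assumption made here because that account is disabled by default on modern Windows.

```python
# Pre-flight check before demoting a daily-use account (added example, not from
# the post). SAMPLE is constructed `net localgroup administrators` output with
# made-up account names.
SAMPLE = """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alice
alice-admin
The command completed successfully.
"""

def parse_net_localgroup(text):
    """Return member names: the lines between the dashed rule and the trailer."""
    members, in_list = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line.strip():
            members.append(line.strip())
    return members

def plan_downgrade(output, daily_account):
    """Return (ok, reason, commands). Refuses when daily_account is not an admin
    or when no admin you created would remain; the built-in Administrator is
    not counted because it is disabled by default (assumption for this check).
    Names compare case-insensitively, as Windows does."""
    members = {m.lower() for m in parse_net_localgroup(output)}
    acct = daily_account.lower()
    if acct not in members:
        return False, f"{daily_account} is already a standard user", []
    others = members - {acct, "administrator"}
    if not others:
        return False, "no other administrator exists; create one first", []
    cmd = f"net localgroup administrators {daily_account} /delete"
    return True, f"{len(others)} other admin(s) remain: {', '.join(sorted(others))}", [cmd]

if __name__ == "__main__":
    ok, reason, cmds = plan_downgrade(SAMPLE, "alice")
    print(ok, reason, *cmds, sep="\n")
```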
After separating these accounts make sure they are both protected with strong passwords. A strong password should be long and contain several different types of alphanumeric and special characters. In a later post I will be covering how quickly common passwords can be broken, tools that can make and store passwords, passphrases, and how to make a strong password that is easy to remember.
I hope you have enjoyed and learned from this post. If you have any comments or concerns please feel free to use the comment box below.