BackTrack Forensics

BackTrack 5 Cookbook

by David De Smet and Willie L. Pritchett | March 2013

Computer forensics involves using various means to analyze, report, and recover information from computers or digital storage media, generally for legal purposes. The outcome in general is to present the information gathered in a way that is useful to the person requesting it. This includes recovering passwords, analyzing computer break-ins or attempted break-ins, recovering data from a hard drive after it has been "erased", and so on. In this article by Willie Pritchett and David De Smet, authors of BackTrack 5 Cookbook, we will examine how BackTrack can be utilized for forensic purposes.

In this article, we will cover:

  • Intrusion detection and log analysis

  • Recursive directory encryption/decryption

  • Scanning for signs of rootkits

  • Recovering data from a problematic source

  • Retrieving a Windows password

  • Resetting a Windows password

  • Looking at the Windows registry entries


Intrusion detection and log analysis

Intrusion detection is a method used to monitor malicious activity on a computer network or system. It's generally referred to as an intrusion detection system (IDS) because it's the system that actually performs the task of monitoring activity based upon a set of predefined rules. An IDS adds an additional layer of security to a network by analyzing information from various points and determining if an actual or possible security breach has occurred, or to locate if a vulnerability is present that will allow for a possible breach.

In this recipe, we will examine the Snort tool for the purposes of intrusion detection and log analysis. Snort was developed by Sourcefire, and is an open source tool that has the capabilities of acting as both an intrusion detection system and an intrusion prevention system. One of the advantages of Snort is that it allows you to analyze network traffic in real time, and make faster responses should security breaches occur.

Remember, running Snort on our network and utilizing it for intrusion detection does not stop exploits from occurring. It just gives us the ability to see what is going on in our network.

Getting ready

A connection to the Internet or intranet is required to complete this task.

It is assumed that you have visited http://snort.org/start/rules and downloaded the Sourcefire Vulnerability Research Team (VRT) Certified Rules. A valid ruleset must be maintained in order to use Snort for detection. If you do not have an account already, you may sign up at https://www.snort.org/signup.

How to do it...

Let's begin by starting Snort:

  1. Start the Snort service:

  2. Now that the Snort service has been initiated, we will start the application from a terminal window. We are going to pass a few options that are described as follows:

    • -q: This option tells Snort to run in inline mode.

    • -v: This command allows us to view a printout of TCP/IP headers on the screen. This is also called the "sniffer mode" setting.

    • -c: This option allows us to select our configuration file. In this case, its location is /etc/snort/snort.conf.

    • -i: This option allows you to specify your interface.

    Using these options, let's execute the following command:

    snort -q -v -i eth1 -c /etc/snort/snort.conf

  3. To stop Snort from monitoring, press Ctrl + X.

How it works...

In this recipe, we started the Snort service and launched Snort in order to view the log data.

There's more…

Before we can adequately use Snort for our purposes, we need to make alterations to its configuration file.

  1. Open a terminal window and locate the Snort configuration file:

    locate snort.conf

  2. Now we will edit the configuration file using nano:

    nano /etc/snort/snort.conf

  3. Look for the line that reads var HOME_NET any. We would like to change this to our internal network (the devices we would like to have monitored). Each situation is going to be unique. You may want to only monitor one device and you can do so simply by entering its IP address (var HOME_NET 192.168.10.10). You may also want to monitor an IP range (var HOME_NET 192.168.10.0/24), or you may want to specify multiple ranges (var HOME_NET 192.168.10.0/24,10.0.2.0/24). In our case, we will look at just our local network:

    var HOME_NET 192.168.10.0/24

  4. Likewise, we need to specify what is considered the external network. For most purposes, we want any IP address that is not a part of our specified home network to be considered as external. So we will place a comment on the line that reads var EXTERNAL_NET any and uncomment the line that says var EXTERNAL_NET !$HOME_NET:

    #var EXTERNAL_NET any
    var EXTERNAL_NET !$HOME_NET

    The screenshot represents the two lines that you need to alter to match the changes mentioned in this step.

  5. To view an extended list of Snort commands, please visit the Snort Users Manual at http://www.snort.org/assets/166/snort_manual.pdf.
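The HOME_NET and EXTERNAL_NET edit described in the steps above can be applied and checked programmatically rather than by hand in nano, which matters when the same change has to be made on several sensors. The following Python script is an added example, not code from the book or from the Snort project: SAMPLE_SNORT_CONF is a constructed fragment modelled on the lines the recipe edits, and configure_networks, validate_home_net and active_setting are this example's own names. It also accepts the ipvar keyword that newer snort.conf files use for these variables, which the recipe does not mention.

```python
import ipaddress
import re

# Constructed fragment of a snort.conf, modelled on the lines the recipe edits.
SAMPLE_SNORT_CONF = """\
# Setup the network addresses you are protecting
var HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
var EXTERNAL_NET any
#var EXTERNAL_NET !$HOME_NET

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
"""

VAR_KEYWORDS = r"(ipvar|var)"   # 'var' as in the recipe; 'ipvar' in newer snort.conf files

def validate_home_net(spec):
    """Reject anything that is not a comma-separated list of IP addresses or CIDR blocks.
    A leading '!' (Snort's negation) is allowed on an entry and stripped before checking."""
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty HOME_NET entry")
        # ip_network raises ValueError on a bad address or an invalid prefix length.
        ipaddress.ip_network(entry.lstrip("!"), strict=False)
    return True

def configure_networks(conf_text, home_net):
    """Return conf_text with HOME_NET set to home_net, 'EXTERNAL_NET any' commented out
    and 'EXTERNAL_NET !$HOME_NET' uncommented, exactly as the recipe does in nano."""
    validate_home_net(home_net)
    out = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        m = re.match(rf"^{VAR_KEYWORDS}\s+HOME_NET\s+", stripped)
        if m:
            out.append(f"{m.group(1)} HOME_NET {home_net}")
        elif re.match(rf"^{VAR_KEYWORDS}\s+EXTERNAL_NET\s+any\s*$", stripped):
            out.append("#" + stripped)
        elif re.match(rf"^#\s*{VAR_KEYWORDS}\s+EXTERNAL_NET\s+!\$HOME_NET\s*$", stripped):
            out.append(stripped.lstrip("#").strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def active_setting(conf_text, name):
    """Value of the first uncommented var/ipvar line for `name`, or None if unset."""
    for line in conf_text.splitlines():
        m = re.match(rf"^\s*{VAR_KEYWORDS}\s+{name}\s+(.+?)\s*$", line)
        if m:
            return m.group(2)
    return None

if __name__ == "__main__":
    print(configure_networks(SAMPLE_SNORT_CONF, "192.168.10.0/24"))
```

The validation step is the part worth keeping: a typo such as a prefix length of /33 would otherwise only surface when Snort refuses to start, and a HOME_NET that is too wide quietly turns most of the EXTERNAL_NET rules off.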

Recursive directory encryption/decryption

Encryption is a method of transforming data into a format that cannot be read by other users. Decryption is the method of transforming data back into a format that is readable. The benefit of encrypting your data is that even if the data is stolen, without the correct decryptor, it's unusable by the stealing party. You have the ability, depending on the program that you use, to encrypt individual files, folders, or entire hard drives.

In this recipe, we will use gpgdir to perform recursive directory encryption and decryption. An advantage of using gpgdir is that it has the ability to not only encrypt a folder, but also all subfolders and files contained within our main folder. This will save you a lot of time and effort!

Getting ready

To complete this recipe, you must have gpgdir installed on your BackTrack version.

How to do it...

In order to use gpgdir, you must have it installed. If you have not installed it before, use the following instructions to install it:

  1. Open a terminal window and make a new directory under the root filesystem:

    mkdir /sourcecode

  2. Change your directory to the sourcecode directory:

    cd /sourcecode

  3. Next, we will use Wget to download the gpgdir application:

    wget http://cipherdyne.org/gpgdir/download/gpgdir-1.9.5.tar.bz2

  4. Next we download the signature file:

    wget http://cipherdyne.org/gpgdir/download/gpgdir-1.9.5.tar.bz2.asc

  5. Next we download the public key file:

  6. Now we need to verify the package:

    gpg --import public_key
    gpg --verify gpgdir-1.9.5.tar.bz2.asc

  7. Next we untar gpgdir, switch to its directory, and complete the installation:

    tar xfj gpgdir-1.9.5.tar.bz2
    cd gpgdir-1.9.5
    ./install.pl

  8. The first time you run gpgdir, a new file will be created in your home directory (assuming root is the user you are using under BackTrack). The file is called .gpgdirrc. To start the creation of the file, type the following command:

    gpgdir

  9. Finally, we need to edit the gpgdirrc file and remove the comments from the default_key variable:

    vi /root/.gpgdirrc

Now that you have gpgdir installed, let's use it to perform recursive directory encryption and decryption:

  1. Open a terminal window and create a directory for us to encrypt:

    mkdir /encrypted_directory

  2. Add files to the directory. You can add as many files as you would like using the Linux copy command cp.

  3. Now, we will use gpgdir to encrypt the directory:

    gpgdir -e /encrypted_directory

  4. At the prompt, enter your password. This is the password associated with your key file.

  5. To decrypt the directory with gpgdir, type the following command:

    gpgdir -d /encrypted_directory

How it works…

In this recipe, we used gpgdir to recursively encrypt a directory and to subsequently decrypt it. We began the recipe by installing gpgdir and editing its configuration file. Once gpgdir has been installed, we have the ability to encrypt and decrypt directories.

For more information on gpgdir, please visit its documentation website at http://cipherdyne.org/gpgdir/docs/.

Scanning for signs of rootkits

A rootkit is a malicious program designed to hide suspicious processes from detection and allow continued, often remote, access to a computer system. Rootkits can be installed using various methods including hiding executable code within web page links, downloaded software programs, or on media files and documents. In this recipe, we will utilize chkrootkit to search for rootkits on our Windows or Linux system.

Getting ready

In order to scan for a rootkit, you can either use your BackTrack installation, log in to a compromised virtual machine remotely, or mount the BackTrack 5 R3 DVD on a computer system to which you have physical access.

How to do it...

Let's begin exploring chkrootkit by navigating to it from the BackTrack menu:

  1. Navigate to Applications | BackTrack | Forensics | Anti-Virus Forensics Tools | chkrootkit:

  2. Alternatively, you can enter the following commands to run chkrootkit:

    cd /pentest/forensics/chkrootkit
    ./chkrootkit

    chkrootkit will begin execution immediately, and you will be provided with an output on your screen as the checks are processed:

How it works…

In this recipe, we used chkrootkit to check for malware, Trojans, and rootkits on our localhost. chkrookit is a very effective scanner that can be used to determine if our system has been attacked. It's also useful when BackTrack is loaded as a live DVD and used to scan a computer you think is infected by rootkits.

There's more...

Alternatively, you can run Rootkit Hunter (rkhunter) to find rootkits on your system:

  1. Open a terminal window and run the following command to launch rkhunter:

    rkhunter --check

  2. At the end of the process, you will receive a summary listing the checks performed and their statistics:

Useful alternative command options for chkrootkit

The following is a list of useful commands to select when running chkrootkit:

  • -h: Displays the help file

  • -V: Displays the current running version of chkrootkit

  • -l: Displays a list of available tests

Useful alternative command options for rkhunter

The following is a list of useful commands to select when running rkhunter:

  • --update: Allows you to update the rkhunter database

    rkhunter --update

  • --list: Displays a list of Perl modules, rootkits available for checking, and tests that will be performed

    rkhunter --list

  • --sk: Allows you to skip pressing the Enter key after each test runs

    rkhunter --check --sk

  • Entering rkhunter at a terminal window will display the help file:

    rkhunter
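Both scanners print a long transcript, and what a defender actually needs from them is the short list of checks that did not come back clean. The Python below is an added example, not code from the book or from either tool: SAMPLE_CHKROOTKIT and SAMPLE_RKHUNTER are constructed samples modelled on the output format of chkrootkit and on rkhunter's timestamped log lines and summary block, and parse_chkrootkit, parse_rkhunter and triage are this example's own function names.

```python
import re

# Constructed sample, modelled on chkrootkit's "Checking `name'... status" output lines.
SAMPLE_CHKROOTKIT = """\
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `chfn'... INFECTED
Checking `ifconfig'... not infected
Searching for suspicious files and dirs, it may take a while... nothing found
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
Checking `lkm'... chkproc: nothing detected
"""

# Constructed sample, modelled on rkhunter's timestamped log lines and its summary block.
SAMPLE_RKHUNTER = """\
[10:02:11] Checking for rootkit 'Adore Rootkit'            [ Not found ]
[10:02:12] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[10:02:12]   /bin/ls                                         [ OK ]
[10:02:13] Warning: Hidden directory found: /dev/.udev
[10:02:14] Checking for hidden ports                         [ None found ]

System checks summary
=====================

File properties checks...
    Files checked: 131
    Suspect files: 1

Rootkit checks...
    Rootkits checked : 254
    Possible rootkits: 0
"""

CLEAN_STATUSES = ("not infected", "not found", "nothing found", "nothing detected")
CHK_LINE = re.compile(r"^Checking `([^']+)'\.\.\. (.*)$")
RK_WARNING = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+Warning:\s*(.*)$")
RK_COUNTER = re.compile(r"^\s*(Files checked|Suspect files|Rootkits checked|Possible rootkits)\s*:\s*(\d+)\s*$")

def parse_chkrootkit(output):
    """One dict per chkrootkit check whose status is not one of the clean phrases."""
    findings = []
    for line in output.splitlines():
        m = CHK_LINE.match(line)
        if not m:
            continue
        name, status = m.group(1), m.group(2).strip()
        if not any(phrase in status.lower() for phrase in CLEAN_STATUSES):
            findings.append({"check": name, "status": status})
    return findings

def parse_rkhunter(output):
    """(warning texts, summary counters) from an rkhunter log or --check transcript."""
    warnings, summary = [], {}
    for line in output.splitlines():
        m = RK_WARNING.match(line)
        if m:
            warnings.append(m.group(1))
            continue
        m = RK_COUNTER.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
    return warnings, summary

def triage(chk_output, rk_output):
    """Single verdict over both scanners: 'clean' only when chkrootkit has no non-clean
    checks and rkhunter reports no warnings, no suspect files and no possible rootkits."""
    chk = parse_chkrootkit(chk_output)
    warnings, summary = parse_rkhunter(rk_output)
    suspicious = (bool(chk) or bool(warnings)
                  or summary.get("Suspect files", 0) > 0
                  or summary.get("Possible rootkits", 0) > 0)
    return {"verdict": "review" if suspicious else "clean", "chkrootkit": chk,
            "rkhunter_warnings": warnings, "rkhunter_summary": summary}

if __name__ == "__main__":
    result = triage(SAMPLE_CHKROOTKIT, SAMPLE_RKHUNTER)
    print(result["verdict"])
    for f in result["chkrootkit"]:
        print("chkrootkit:", f["check"], "->", f["status"])
    for w in result["rkhunter_warnings"]:
        print("rkhunter:", w)
```

A non-clean line is a pointer for review rather than a verdict. In the constructed sample the PACKET SNIFFER entry names a DHCP client: chkrootkit reports any process holding a packet socket, and DHCP clients do, so that is the kind of finding you confirm against the host's expected configuration before treating it as a compromise. The INFECTED result on a binary, by contrast, should be followed up by comparing the file against a known-good copy or package checksum from a trusted source, not from the suspect host.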


Recovering data from a problematic source

In this recipe we will use Fatback to recover files from a problematic source. Fatback is a forensic security tool that is used for file carving purposes. File carving involves searching for data on a drive based upon content. It's an excellent source for recovering data from a damaged USB or hard drive.

Getting ready

To complete this recipe, access to a drive that contains files that you would like to recover is required.

How to do it...

Let's begin the process of recovering data from a problematic source by running fdisk from a terminal window:

  1. Run fdisk to locate the drive we would like to access. We use the -l option in order to list all of our available drives:

    fdisk -l

  2. In the list, we locate the drive we would like to access. In this case, we choose the flash drive at /dev/sdb1:

  3. Next, we need to create a directory to store our recovered files. We will create a directory called /fatback/thumbdrivefiles:

    mkdir /fatback
    mkdir /fatback/thumbdrivefiles

  4. When Fatback runs, it will create a log file. Because of this, we will switch our directory to the fatback folder and store the actual files inside the thumbdrivefiles folder:

    cd /fatback

  5. Now we need to launch Fatback. Navigate to Applications | BackTrack | Forensics | Forensic Carving Tools | fatback:

  6. Fatback will launch its help file:

  7. We now execute Fatback using the following variables:

    • -a: This option allows Fatback to run in automatic mode.

    • -o: This option allows us to specify our output file location. In this case we choose /fatback/thumbdrivefiles.

    We also set the location where the files that need to be recovered reside. In this case we choose /dev/sdb1:

    fatback /dev/sdb1 -o /fatback/thumbdrivefiles -a

  8. Fatback will run and recover all deleted files and place them in our target location. We will first list the files in the directory using the ls command to see that there is a log file placed in our fatback directory. When we go into our thumbdrivefiles directory, we see a list of files that were recovered.

    ls
    cd thumbdrivefiles
    ls

How it works...

In this recipe, we used Fatback to recover files deleted from a USB drive. We began the recipe by executing Fatback and running it against our target drive, a USB stick. Fatback was able to recover the files and output them to our target location. Fatback is highly effective in recovering information off a drive from which the user thought they had deleted files. In many cases, when a file is deleted from a drive, the file is only "flagged" for deletion by the operating system. This means that the sectors in which the file is located could be overwritten if the operating system needs the space. Fatback locates those "flagged" files and recovers them for use.
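The "flagged for deletion" behaviour described above is what makes this recovery possible on FAT volumes, which is what Fatback targets and what most USB sticks use. The Python below is an added example, not code from the book or from Fatback: it builds constructed 32-byte FAT directory entries in memory, shows that deleting a file only overwrites the first byte of its name with 0xE5 while the first cluster and size stay in place, and walks the directory region to list what a carver could still recover. make_entry, mark_deleted, parse_entry, deleted_entries and recovery_extent are this example's own names.

```python
import struct

ENTRY_SIZE = 32
# name, attr, NT reserved, create-time tenths, then 7 x 16-bit fields, then 32-bit size
ENTRY_FORMAT = "<11sBBBHHHHHHHI"
ATTR_LONG_NAME = 0x0F
DELETED_MARKER = 0xE5

def make_entry(name83, attr, first_cluster, size):
    """Construct a 32-byte FAT directory entry (timestamps left zero for the demo)."""
    if len(name83) != 11:
        raise ValueError("FAT short name must be exactly 11 characters (8 + 3)")
    hi, lo = first_cluster >> 16, first_cluster & 0xFFFF
    # Field order after the name: attr, ntres, crt_tenth, crt_time, crt_date,
    # last_access, first_cluster_hi, write_time, write_date, first_cluster_lo, size
    return struct.pack(ENTRY_FORMAT, name83.encode("ascii"), attr, 0, 0,
                       0, 0, 0, hi, 0, 0, lo, size)

def mark_deleted(entry):
    """What the filesystem does on delete: only the first name byte becomes 0xE5.
    Cluster number and size are left in place, and the data clusters are not wiped."""
    return bytes([DELETED_MARKER]) + entry[1:]

def parse_entry(entry):
    name, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FORMAT, entry)
    deleted = name[0] == DELETED_MARKER
    # The overwritten first character cannot be recovered from the entry itself.
    lead = "?" if deleted else chr(name[0])
    base = lead + name[1:8].decode("ascii", "replace").rstrip()
    ext = name[8:11].decode("ascii", "replace").rstrip()
    return {"name": base + ("." + ext if ext else ""), "deleted": deleted, "attr": attr,
            "first_cluster": (hi << 16) | lo, "size": size}

def deleted_entries(directory):
    """Walk a raw directory region and return the entries still flagged as deleted,
    skipping long-name entries and stopping at the end-of-directory marker (0x00)."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:
            break
        if entry[11] == ATTR_LONG_NAME:
            continue
        parsed = parse_entry(entry)
        if parsed["deleted"]:
            found.append(parsed)
    return found

def recovery_extent(parsed, bytes_per_cluster):
    """Clusters a carver must read from first_cluster to get the file back, assuming the
    clusters are still contiguous and have not been reused since deletion."""
    return (parsed["size"] + bytes_per_cluster - 1) // bytes_per_cluster

# Constructed directory region: a live file, a stand-in long-name entry, a deleted file, end marker.
SAMPLE_DIRECTORY = (
    make_entry("REPORT  TXT", 0x20, 0x00000008, 1234)
    + make_entry("Aphoto.jpg ", ATTR_LONG_NAME, 0, 0)
    + mark_deleted(make_entry("PHOTO   JPG", 0x20, 0x0001000A, 150000))
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for item in deleted_entries(SAMPLE_DIRECTORY):
        print(item, "clusters to read:", recovery_extent(item, 4096))
```

The two assumptions in recovery_extent are exactly the ones that make recovery time-sensitive: once the operating system reuses any of those clusters, or the file was fragmented, a simple read from the first cluster returns partial or wrong data, which is why a carver is run against a drive before anything else writes to it.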

There's more...

Fatback can also recover files from a hard drive. If your hard drive has more than one partition, you must run Fatback against each partition individually.

For information on file carving, go to http://www.forensicswiki.org/wiki/File_Carving.

Retrieving a Windows password

In this recipe, we will explore a process to retrieve a Windows password using Ophcrack. Ophcrack is one of the best tools available to recover lost Windows passwords. The program uses rainbow tables to apply brute force to Windows 7, Vista, and XP passwords.

Getting ready

The following requirements need to be fulfilled:

  • A Windows computer to which you have physical access

  • BackTrack 5 loaded on a USB drive or a CD/DVD

  • An additional USB drive to use as an extra hard drive

How to do it...

Let's begin by downloading a rainbow table from the Ophcrack website to use:

  1. Open your web browser and navigate to http://ophcrack.sourceforge.net/tables.php.

  2. Select your desired file and download it. It is a good idea, if you have the space, to download each of them now because you will never know when you will need them. Once downloaded, unzip the files and place them in the folder of your choice.

  3. Once the file has been downloaded, open Ophcrack and click on Tables from the main menu:

  4. Click on the Install button.

  5. Navigate to your file folder (do not click inside the folder) and click on OK. Your rainbow table is now installed.

  6. From the Start menu select Applications | BackTrack | Privilege Escalation | Password Attacks | Offline Attacks | Ophcrack-GUI.

  7. Next we need to select a rainbow table to try and recover the Windows password. If this is your first time using Ophcrack or if you want to use a table that you have not previously installed, you will need to install it (refer to steps 3 to 5 of this recipe).

  8. Next, we need to load our SAM file. Click on the Load button and then search your filesystem for the encrypted SAM file:

  9. Finally, we begin the crack. Click on the Crack button:

How it works...

In this recipe, we used Ophcrack and its rainbow table to crack a Windows password. Rainbow tables work by brute forcing password hashes in order to find the correct password.


Resetting a Windows password

For this recipe, we will utilize the chntpw program to reset the Windows password. By default, Windows protects its SAM and SYSTEM files located in the C:\Windows\System32\Config directory by locking them and keeping them from being accessed when Windows starts. To get around these security features, we will reset the password by having physical access to the Windows computer. If you cannot obtain physical access to the PC, then obtaining access by exploiting security holes in the system will allow you to follow along with the steps performed in this recipe.

Getting ready

You will need access to a SAM file. For this recipe, we will assume that you have gained access to a Windows host machine.

How to do it...

Let's begin the process of resetting a Windows password from an open terminal window:

  1. Check for the hard drive you wish to mount:

    fdisk -l

  2. Mount the hard drive and set target as its mount point:

    mount /dev/sda1 /target/

  3. Change directories to the location of the Windows SAM file:

    cd /target/windows/system32/config

  4. List all the contents of the directory:

    ls -al

  5. Change directories to the location of chntpw:

    cd /pentest/passwords/chntpw

  6. Run chntpw in interactive mode:

    ./chntpw -i /target/windows/system32/config/SAM

  7. In the What to Do? area, choose option 1 to edit user passwords:

    1

  8. In resetting a password, we generally want to utilize an account with the highest set of privileges. So in this case we will choose the administrator account:

    1

  9. The final step asks us what we would like to do next. In this case, we choose to make the password blank. This will allow us to make changes to it later.

    1

Looking at the Windows registry entries

There are several reasons we might want to view registry entries using BackTrack. There are times when issues with the Windows registry will cause Windows not to start, or a virus may have written itself to the registry. Whatever your reason may be, BackTrack has a good set of tools to view registry entries. In this recipe, we will use BackTrack to view the Windows registry with chntpw.

Getting ready

The following requirements need to be fulfilled:

  • A Windows machine to which we have physical access

  • BackTrack 5 running on either a USB key or CD/DVD

How to do it...

Let's begin the process of looking at the Windows registry from an open terminal window:

  1. Check for the hard drive you wish to mount:

    fdisk -l

  2. Mount the hard drive and set target as its mount point:

    mount /dev/sda1 /target/

  3. Change directories to the location of the Windows SAM file:

    cd /target/windows/system32/config

  4. List all the contents of the directory:

    ls -al

  5. Change directories to the location of chntpw:

    cd /pentest/passwords/chntpw

  6. Run chntpw in interactive mode. In this case, you would want to choose which type of registry you would like to edit:

    ./chntpw -i /target/windows/system32/config

  7. In the What to Do? area, choose option 9 to edit user passwords:

    9

  8. Now that we have access to the Windows registry, we can look around it by using the ls command to list its contents and the cd command to change directories:

    ls
    cd

How it works...

In this recipe, we used chntpw's registry editor to view the Windows registry. chntpw is extremely useful for recovering Windows passwords from a SAM file and also, as in this case, editing the Windows registry. This tool comes in handy if you have a registry error and are unable to load your Windows operating system.
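Before trusting a hive copied off a mounted disk, or before handing it to chntpw, it is worth checking that the file is an intact registry hive and was cleanly written. The Python below is an added example, not code from the book or from chntpw: it parses the 512-byte regf base block according to the documented Windows registry hive format (signature, primary and secondary sequence numbers, last-written FILETIME, root key offset and header checksum). The sample headers are constructed by build_header inside the script; build_header, parse_regf_header, regf_checksum and filetime_to_datetime are this example's own names.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_SIGNATURE = b"regf"
HEADER_SIZE = 512       # size of the hive base block
CHECKSUM_OFFSET = 508   # last DWORD of the base block

def regf_checksum(header):
    """XOR of the 127 little-endian DWORDs before the checksum field, with the two
    special cases the format defines (a result of 0 is stored as 1, 0xFFFFFFFF as 0xFFFFFFFE)."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFFSET]):
        acc ^= dword
    if acc == 0:
        return 1
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_regf_header(header):
    """Parse the base block and flag the two things that matter before using the hive:
    a checksum mismatch (damaged copy) and unequal sequence numbers (not cleanly written)."""
    if len(header) < HEADER_SIZE:
        raise ValueError("hive header is truncated")
    if header[:4] != REGF_SIGNATURE:
        raise ValueError("not a registry hive: bad signature")
    (seq1, seq2, last_written, major, minor, _file_type, _file_format,
     root_offset, hbins_size) = struct.unpack_from("<IIQIIIIII", header, 4)
    # Offset 48 holds the hive name as UTF-16LE in a 64-byte field.
    name = header[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", header, CHECKSUM_OFFSET)[0]
    return {
        "name": name,
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "dirty": seq1 != seq2,
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        # The root key offset is relative to the first hive bin, which starts at 0x1000.
        "root_key_offset": 0x1000 + root_offset,
        "hbins_size": hbins_size,
        "checksum_ok": stored == regf_checksum(header),
    }

def build_header(name, seq1, seq2, last_written_ft, corrupt_checksum=False):
    """Construct a 512-byte base block for demonstration only (not a real hive)."""
    buf = bytearray(HEADER_SIZE)
    buf[0:4] = REGF_SIGNATURE
    # seq1, seq2, FILETIME, major 1, minor 5, type 0 (primary), format 1,
    # root key offset 0x20, hive bins size 0x1000, clustering factor 1
    struct.pack_into("<IIQIIIIIII", buf, 4, seq1, seq2, last_written_ft, 1, 5, 0, 1, 0x20, 0x1000, 1)
    buf[48:112] = name.encode("utf-16-le").ljust(64, b"\x00")
    checksum = regf_checksum(bytes(buf))
    if corrupt_checksum:
        checksum ^= 0x1
    struct.pack_into("<I", buf, CHECKSUM_OFFSET, checksum)
    return bytes(buf)

# Constructed timestamp: 2013-03-01 00:00:00 UTC expressed as a FILETIME.
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FT_2013_03_01 = int((datetime(2013, 3, 1, tzinfo=timezone.utc) - _EPOCH).total_seconds()) * 10_000_000

SAMPLE_CLEAN = build_header("SAM", 7, 7, FT_2013_03_01)
SAMPLE_DIRTY = build_header("SYSTEM", 12, 11, FT_2013_03_01)
SAMPLE_BAD_CHECKSUM = build_header("SAM", 7, 7, FT_2013_03_01, corrupt_checksum=True)

if __name__ == "__main__":
    for label, hdr in (("clean", SAMPLE_CLEAN), ("dirty", SAMPLE_DIRTY), ("bad checksum", SAMPLE_BAD_CHECKSUM)):
        print(label, parse_regf_header(hdr))
```

Unequal sequence numbers mean the hive was not flushed cleanly, so its transaction log may hold changes the on-disk file does not; that is the state a machine that will not boot is often in, and it is worth knowing before editing the file in place. When the goal is examination rather than repair, mount the Windows partition read-only and work on a copy of the hive so the evidence is not altered.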

Summary

This article examined BackTrack tools for intrusion detection and log analysis, recursive directory encryption, rootkit scanning, recovering data from a damaged drive, retrieving or resetting Windows passwords, and viewing the Windows registry.

About the Authors:


David De Smet

David De Smet has worked in the software industry since 2007 and is the founder and CEO of iSoftDev Co., where he is responsible for many varying tasks, including but not limited to consultant, customer requirements specification analysis, software design, software implementation, software testing, software maintenance, database development, and web design. He is so passionate about what he does that he spends inordinate amounts of time in the software development area. He also has a keen interest in the hacking and network security field and provides network security assessments to several companies.

Willie L. Pritchett

Willie L. Pritchett has a Master's in Business Administration. He is a seasoned developer and security enthusiast who has over 20 years of experience in the IT field. He is currently the Chief Executive at Mega Input Data Services, Inc., a full service database management firm specializing in secure, data-driven, application development, and staffing services. He has worked with state and local government agencies as well as helping many small businesses reach their goals through technology. Willie has several industry certifications and currently trains students on various topics including ethical hacking and penetration testing.
