Hide and seek - interesting uses of forensics and covert channels.

Notes:	Hide Notes

Slide 1: Hide and Seek – Interesting uses of forensics and covert channels Tonimir Kišasondi, mag.inf., EUCIP Slide 2: $ whois tkisason Junior researcher @ foi.hr Likes:       Security Crypto Gnu/Linux Interesting security problems  e-mail: tonimir.kisasondi@foi.hr skype: tkisason  Slide 3: $ topic of this talk A quick overview of some interesting:  Forensics methods  Memory imaging  Memory carving  Covert channels  Detecting conventional channels  Creating useful covert channels  Slide 4: $ forensics for non law enforcement uses? Useful for data recovery You can protect your files, but you can't protect your RAM   1. Dig deep 2. Find interesting problems 3. ??? 4. Profit! Slide 5: $ memory imaging /dev/mem is restricted on newer versions of the Linux kernel      Alternatives: Reboot the system with a imager PCI imagers Insert a kernel module that can access the address space  /dev/fmem: http://hysteria.sk/~niekt0/foriana/fmem_current.tgz Simply dd /dev/fmem or grep -a  Slide 6: $ memory secrets leakage Pidgin's passwords stored in 5 places  00 00 1E 00 00 00 00 00 00 00  Plaintexted in ~/.pidgin also  • • • Various pieces of plaintext / passwords can be obtained from memory ASLR - YMMW Cryptographic algorithms can be identified  S-boxes and P-boxes, seeds, structures  Initialization vectors  https://github.com/fwhacking/bfcrypt Slide 7: $ memory carving tony@blackbox:~/0drive$ sudo photorec /d recovery bbox-memory.img [sudo] password for tony: PhotoRec 6.11, Data Recovery Utility, April 2009 tony@blackbox:~/0drive$ ls recovery* \| wc -l 620 Slide 8: $ file/mem carving Use scalpel:  http://www.digitalforensicssolutions.com/Scalpel/  /etc/scalpel/scalpel.conf is frugal at start Uncomment file headers Good thing is we can add aditional signatures...   Slide 9: $ memory carving tony@blackbox:~/0drive$ sudo scalpel -o recovery/ blackbox-mem.img Scalpel version 1.60 Written by Golden G. Richard III, based on Foremost 0.69. Opening target "/home/tony/0drive/blackbox-mem.img" Image file pass 1/2. blackbox-mem.img: 100.0% \| ******************************************************************************************* ************\| 3.2 GB 00:00 ETA Allocating work queues... Work queues allocation complete. Building carve lists... Carve lists built. Workload: ... gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 855 files jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 2459 files png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 3176 files ... Carving files from image. Image file pass 2/2. Slide 10: $ memory carving tony@blackbox:~/0drive$ sudo scalpel -o recovery/ blackbox-mem.img Scalpel version 1.60 Written by Golden G. Richard III, based on Foremost 0.69. Opening target "/home/tony/0drive/blackbox-mem.img" Image file pass 1/2. blackbox-mem.img: 100.0% \| ***************************************************************************************** ************\| 3.2 GB 00:00 ETA Allocating work queues... Work queues allocation complete. Building carve lists... Carve lists built. Workload: ... gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 855 files jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 2459 files png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 3176 files ... Carving files from image. Image file pass 2/2. Slide 11: $ memory carving tony@blackbox:~/0drive$ sudo scalpel -o recovery/ blackbox-mem.img Scalpel version 1.60 Written by Golden G. Richard III, based on Foremost 0.69. Opening target "/home/tony/0drive/blackbox-mem.img" Image file pass 1/2. blackbox-mem.img: 100.0% \| ***************************************************************************************** ************\| 3.2 GB 00:00 ETA Allocating work queues... Work queues allocation complete. Building carve lists... Carve lists built. Workload: ... gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 855 files jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 2459 files png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 3176 files ... Carving files from image. Image file pass 2/2. Slide 12: $ memory carving tony@blackbox:~/0drive$ sudo scalpel -o recovery/ blackbox-mem.img Scalpel version 1.60 Written by Golden G. Richard III, based on Foremost 0.69. Opening target "/home/tony/0drive/blackbox-mem.img" Image file pass 1/2. blackbox-mem.img: 100.0% \| ***************************************************************************************** ************\| 3.2 GB 00:00 ETA Allocating work queues... Work queues allocation complete. Building carve lists... Carve lists built. Workload: ... gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 855 files jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 2459 files png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 3176 files ... Carving files from image. Image file pass 2/2. Slide 13: $ runtime extraction of RSA/DSA keys tony@blackbox:~$ sudo ./passe-partout 729 Target has pid 729 => 0x7f8e0ba5c000 0x7f8e0ba68000 r-xp 00000000 08:01 3416607 => 0x7f8e0ba68000 0x7f8e0bc67000 ---p 0000c000 08:01 3416607 ... found RSA key @ 0x7f8e0fad7e20 [X] Key saved to file id_rsa-1.key done for pid 729 apache, openssh, openvpn Slide 14: $ grep is your friend grep -a is really useful. Try some of the following: -----BEGIN RSA -----BEGIN PGP -----BEGIN OpenVPN Static ssh-rsa ssh-dsa usernames Slide 15: $ grep is your friend grep -a is really useful. Try some of the following: -----BEGIN RSA -----BEGIN PGP -----BEGIN OpenVPN Static ssh-rsa ssh-dsa usernames Slide 16: $ covert channels? Opposite from forensics :) Data hiding: Files, protocols "A adversary can always transmit one bit at a time" Tony's rule 183: Any structure in a covert channel destroys it's covertness.      Some interesting covert channels: TCSteg OutGuess   Slide 17: $ TCSteg -> http://keyj.s2000.at/?p=458 Slide 18: $ Truecryptish problems  File mod 256 == 0 Filesize > 16Kb H(File) ~ 7.5 Header != /usr/share/misc/magic     Yes, a filesystem in a encrypted volume CAN be carved :) TC = relatively OK LUKS leaks... = LUKS\xba\xbe File in file embedding leaks magic bytes Outguess and similar known stego tools can be easily detected     Slide 19: $ interesting channels Most formats that have strict footers can be "injected" – bmp for one example   Injecting data in FLV? - why not! In short: Any structure leaks possible data. Perfect randomness "leaks" encryption.   Slide 20: $ interesting channels A typical flv/video file is highly random:  In [27]: entropy(cat) Out[27]: 7.8086139822740126  Always map data into same character range. Avoid distrupting changes that increase entropy Avoid magic bytes and known patterns Youtube/You is so common, that you simply hide the data in the mass traffic.    Slide 21: $ interesting channels Filesystem fragmentation – No structure • http://goo.gl/dfhfR   Distributed covert channels? – On my github soon :) Slide 22: $ :) Slide 23: $ :) Slide 24: $ :) Slide 25: $ :) Slide 26: $ Knowledge is power with biliteral cipher Slide 27: $ questions? Slide 28**: $ Thank you You can find the most updated version of this slides on my slideshare (tkisason).