Showing posts with label Forensics. Show all posts

Saturday 18 April 2020

Steagnography

(Steganography: Lesson 1)

{ Using Quick Stego to Embed Secret Messages Into Pictures }

Section 0: Background Information

What is the story?
- Have you ever heard those sci-fi stories where spies or whomever hide secret messages inside of pictures? Well, this lesson actually illustrates how easy it is to actually hide secret messages inside of a picture.
What is Steganography
- Steganography is the science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message.
What is QuickStego
- QuickStego lets you hide text in pictures so that only other users of QuickStego can retrieve and read the hidden secret messages. Once text is hidden in an image the saved picture is still a 'picture', it will load just like any other image and appear as it did before. The image can be saved, emailed, uploaded to the web (, the only difference will be that it contains hidden text.
- http://quickcrypto.com/free-steganography-software.html
What is MD5SUMS?
- MD5sums calculates the MD5 message digest for one or more files (includes a percent done display for large files). By comparing the MD5 digest of a file to a value supplied by the original sender, you can make sure that files you download are free from damage and tampering.
- http://www.pc-tools.net/win32/md5sums/
Pre-Requisite
- Damn Vulnerable Windows XP: Lesson 1: How to create a Damn Vulnerable Windows XP Machine
Lab Notes
- In this lab we will do the following:
  1. Power on Damn Vulnerable WXP-SP2
  2. Install Quick Stego
  3. Install MD5SUMS
  4. Hide Message
  5. View Byte Size of files
  6. View MD5 checksum of the files
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2013 No content replication of any kind is allowed without express written permission.

Section 1: Log into Damn Vulnerable WXP-SP2

Open VMware Player on your windows machine.
- Instructions:
  1. Click the Start Button
  2. Type "vmware player" in the search box
  3. Click on VMware Player
Edit Virtual Machine Settings
- Instructions:
  1. Click on Damn Vulnerable WXP-SP2
  2. Edit Virtual Machine Settings
- Note:
  - Before beginning a lesson it is necessary to check the following VM settings.
Set Network Adapter
- Instructions:
  1. Click on Network Adapter
  2. Click on the radio button "Bridged: Connected directly to the physical network".
  3. Click the OK Button
Start Up Damn Vulnerable WXP-SP2.
- Instructions:
  1. Start Up your VMware Player
  2. Play virtual machine
Logging into Damn Vulnerable WXP-SP2.
- Instructions:
  1. Click on Administrator
  2. Password: Supply Password
    - (See Note)
  3. Press <Enter> or Click the Arrow
- Note(FYI):
  1. Password was created in (Lab 1, Section 1, Step 8)
Open the Command Prompt
- Instructions:
  1. Click the Start Button
  2. All Programs --> Accessories --> Command Prompt
Obtain Damn Vulnerable WXP-SP2's IP Address
- Instructions:
  1. ipconfig
  2. Record Your IP Address
- Note(FYI):
  - In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.

Section 2: Download Quick Stego

Open Firefox
- Instructions:
  1. Click the Start Button
  2. All Programs --> Mozilla Firefox
Download Stego
- Instructions:
  1. Place the following address in your Firefox browser.
    - http://quickcrypto.com/products/QS12Setup.zip
    - Click here if link is dead.
  2. Select the Save File radio button
  3. Click the OK button
Select Download Directory
- Instructions:
  1. Navigate to the below directory
    - Desktop --> My Documents --> Downloads
    - Click here if link is dead.
  2. Click the Save button

Section 3: Install Quick Stego

Open Containing Folder
- Instructions:
  1. Tools --> Downloads
  2. Right Click on QS12Setup.zip
  3. Click on Open Containing Folder
Open Stego Zip File
- Instructions:
  1. Right Click on QS12Setup.zip
  2. Click on Open
Open Stego Executable
- Instructions:
  1. Right Click on QS12Setup.exe
  2. Click on Open
File Download - Security Warning
- Instructions:
  1. Click the Run Button
Setup - Quick Stego
- Instructions:
  1. Click on the Next button
License Agreement
- Instructions:
  1. Select I accept the agreement radio button
  2. Click on the Next button
Select a Destination
- Instructions:
  1. Accept the Default Destination Location
  2. Click on the Next button
Select Additional Tasks
- Instructions:
  1. Check the Create a Desktop Icon checkbox
  2. Check the Create a Quick Launch Icon checkbox
  3. Click on the Next Button
Ready to Install
- Instructions:
  1. Click the Install Button
Complete Installation
- Instructions:
  1. Click the Finish Button

Section 4: Create STEGO Directory

Open the Command Prompt
- Instructions:
  1. Click the Start Button
  2. All Programs --> Accessories --> Command Prompt
Create STEGO Directory
- Instructions:
  1. mkdir "C:\STEGO"
  2. dir "C:\" | findstr STEGO
- Note(FYI):
  1. mkdir, make a directory. In this case, create a STEGO directory directly under the C Drive.
  2. dir "C:\", list all the directories and files directly under the C Drive. Then use findstr to list only files and/or directories that contain the string STEGO.

Section 5: Download MD5SUMS-1.2

Download md5sums-1.2
- Instructions:
  1. Navigate to the following URL.
    - http://www.pc-tools.net/files/win32/freeware/md5sums-1.2.zip
  2. Click the Save File Radio Button
  3. Click the OK Button
Choose Destination Location
- Instructions:
  1. Navigate to the the following destination directory
    - C:\STEGO
  2. Click the Save Button
Open Containing Folder
- Instructions:
  1. Tools --> Download
  2. Right Click on md5sums-1.2.zip
  3. Click on Open Containing Folder
Extract md5sums-1.2.zip
- Instructions:
  1. Right Click on md5sums-1.2.zip
  2. Select 7-Zip --> Extract Here
View Results
- Instructions:
  1. You should see md5sums.exe in the C:\STEGO directory
- Note(FYI):
  1. We will use md5sums.exe later on in the lesson to compare two images that are exactly alike, except one of the images will have a hidden message.

Section 6: Download Picture

Download Trojan Horse Picture
- Instructions:
  1. Place the following address in your Firefox browser
    - http://www.computersecuritystudent.com/FORENSICS/Steganography/lesson1/index.44.jpg
  2. Right Click on the picture
  3. Select Save Image As...
Save As horse.jpg
- Instructions:
  1. Navigate to the following directory
    - C:\STEGO
  2. Name the file "horse.jpg"
    - Make sure you add the .jpg extension.
  3. Click the Save button.

Section 7: Run Quick Stego

Run Quick Stego
- Instructions:
  1. Click the Start Button
  2. All Programs --> Quick Stego
Open Image
- Instructions:
  1. Click on the Open Image button
Open Horse Image
- Instructions:
  1. Navigate to the C:\STEGO Directory
  2. Select the horse.jpg image
  3. Click the Open button
Hide Text
- Instructions:
  1. Supply your Hidden Message. My hidden message is below. (See Picture)
    - Will the Houston Texans ever play in a SuperBowl?
  2. Click the Hide Text Button
  3. Notice the message stating "The text message is now hidden in the image".
Save Image
- Instructions:
  1. Click the Save Image button
  2. Navigate to the C:\STEGO directory
  3. File name: horse_secret.jpg
    - Make sure you include the .jpg extension.
  4. Click the Save button

Section 8: Proof of Lab

Open the Command Prompt
- Instructions:
  1. Click the Start Button
  2. All Programs --> Accessories --> Command Prompt
Proof of Lab
- Instructions:
  1. cd C:\STEGO
  2. dir *.jpg
    - Notice that horse_secret.jpg is 800,000+ bytes larger than horse.jpg.
  3. md5sums.exe *.jpg
    - Notice that the picture look the exact same, their MD5 hashes are different.
  4. date /t
  5. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Proof of Lab Instructions
  1. Press the <Ctrl> and <Alt> key at the same time.
  2. Press the <PrtScn> key.
  3. Paste into a word document
  4. Upload to Moodle

PE

(ProcExp: Process Explorer)

{ Viewing Parent and Child Processes }

0. Background Information

http://technet.microsoft.com/en-us/sysinternals/bb896653
- The Process Explorer display consists of two sub-windows.
- The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.
- Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
- The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

1. Prerequisite

Login to your Instructor VM, as username Administrator
- For those of you that are not part of this class, this is a Windows XP machines.
From your Instructor VM, open your Windows Explorer Web Browser.
- Paste in the below link into your web browser.
- http://download.sysinternals.com/Files/ProcessExplorer.zip
Click Save
Save to C:\tools\ProcExp
Select Open Folder
Right Click on ProcessExplorer, Extract All
Click Next
Click Next
Click Finished

2. Running ProcessExplorer

Navigate to C:\tools\ProcExp\ProcessExplorer
- Double Click on procexp.exe
Click Run
Click Agree
Next you will see a screen that looks very similar to the below.
Notice the Parent / Child Process Tree Structure

3. Viewing Process Properties

Scroll Down to lsass.exe
- Right click on lsass.exe
- Click on Properties
As you can see lsass.exe is responsible for Net Login
- From the Services tab, you have the ability to:
  - Stop, Restart and Pause the Process
  - Also you can see who has Permission to Full Control, Read, and Write.
- Click on Permissions Button.
For each user
- Make sure only the Administrator User have Full Control, Read, and Write Permission.
- All other user should only have Read Access, and perhaps special permissions.
- Goal: We are verifying that only the administrator users have Full Control.

5. Creating a dump

Highlight lsass.exe
- Right Click on lsass.exe --> Create Dump --> Create Full Dump
Navigate to C:\tools\ProcExp\ProcessExplorer (See Below)
- Save File as lsass-YYYYMMDD.dmp, where YYYYMMDD is a date field.
Using Windows Explorer, Navigate to C:\tools\ProcExp\ProcessExplorer
- Proof of Lab: Highlight lsass-YYYYMMDD.dmp, Do a screen print, Paste into word doc, Upload to Moodle.
Special Note (Not required for this lab), for dumping all memory processes.
- You would highlight System --> Create Dump --> Create Full Dump
- From a forensics point of view, you would want to capture everything.