PE

(ProcExp: Process Explorer)

{ Viewing Parent and Child Processes }

---

0. Background Information

1. http://technet.microsoft.com/en-us/sysinternals/bb896653
   • The Process Explorer display consists of two sub-windows.
   
   
   • The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.
   
   
   • Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
   
   
   • The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work. 

1. Prerequisite

1. Login to your Instructor VM, as username Administrator
   • For those of you that are not part of this class, this is a Windows XP machines.
2. From your Instructor VM, open your Windows Explorer Web Browser.
   • Paste in the below link into your web browser.
   • http://download.sysinternals.com/Files/ProcessExplorer.zip
3. Click Save
   • 
4. Save to C:\tools\ProcExp
   • 
5. Select Open Folder
   • 
6. Right Click on ProcessExplorer, Extract All
   • 
7. Click Next
   • 
8. Click Next
   • 
9. Click Finished
   • 

2. Running ProcessExplorer

1. Navigate to C:\tools\ProcExp\ProcessExplorer
   • Double Click on procexp.exe
   • 
2. Click Run
   • 
3. Click Agree
   • 
4. Next you will see a screen that looks very similar to the below.
   • 
5. Notice the Parent / Child Process Tree Structure
   • 

3. Viewing Process Properties

1. Scroll Down to lsass.exe
   • Right click on lsass.exe
   • Click on Properties
   • 
2. As you can see lsass.exe is responsible for Net Login
   • From the Services tab, you have the ability to:
     • Stop, Restart and Pause the Process
     • Also you can see who has Permission to Full Control, Read, and Write.
   • Click on Permissions Button.
   • 
3. For each user
   • Make sure only the Administrator User have Full Control, Read, and Write Permission.
   • All other user should only have Read Access, and perhaps special permissions.
   • Goal: We are verifying that only the administrator users have Full Control.
   • 

5. Creating a dump

1. Highlight lsass.exe
   • Right Click on lsass.exe --> Create Dump --> Create Full Dump
   • 
2. Navigate to C:\tools\ProcExp\ProcessExplorer (See Below)
   • Save File as lsass-YYYYMMDD.dmp, where YYYYMMDD is a date field.
   • 
3. Using Windows Explorer, Navigate to C:\tools\ProcExp\ProcessExplorer
   • Proof of Lab: Highlight lsass-YYYYMMDD.dmp, Do a screen print, Paste into word doc, Upload to Moodle.
   • 
4. Special Note (Not required for this lab), for dumping all memory processes.
   • You would highlight System --> Create Dump --> Create Full Dump
   • From a forensics point of view, you would want to capture everything.
   • 

Proof of Lab

1. Cut and Paste a screen shot that looks similar to Step #3 in Section 5 into a word document and upload to Moodle.

(Knoppix) { Getting Started } Section 0. Background Information Knoppix is a GNU/Linux distribution that boots and runs completely from CD or DVD and can be used to read and write Windows and other partitions (among other clever tricks) The Knoppix CD and DVD include recent Linux software and desktop environments. The DVD includes programs such as OpenOffice.org, Abiword, The Gimp, Konqueror, Mozilla, Apache, PHP, MySQL and hundreds of other quality open source programs. Section 1. Downloading Knoppix Go To http://archive.cs.stedwards.edu/knoppix/ If this website is dead then go to http://www.knoppix.net Select a file that ends with ".iso" Note: EN stands for English Saving the ISO Command:  Click Save Saving ISO to a location Instruction: It's up to you were you want to save the file.  In my case, I will save the ISO to H:\BOOT ISO Section 2. Configure the Windows Virtual Machine to boot up knoppix Edit the WindowsVulnerable01 virtual machine. (See Below) Note: For those of you that don't have access to class material, this can be Windows XP, 2000, 2003 and 7. Configure Windows to boot off Knoppix Instructions:  Select CD/DVD (IDE) Select the Use ISO image file Browse to where you saved the knoppix iso. Note:  In my case, I save it in the following location: H:\BOOT ISO\KNOPPIX_V6.4.4CD-2011-01-30-EN.iso Configure Knoppix to use Linux VMware setting. Instructions:  Select the Options tab Select Linux for the Guest operating system Select Ubuntu for the Guest operating system version. Select OK. Play the Virtual Machine Select Play Virtual Machine Section 3. Start Up Knoppix Knoppix Start Instructions:  Let knoppix boot it, it will takes 30 seconds to 1 minute. Click on the KNOPPIX Folder Mounting your hard drive Instructions: Click on sda1 (This is your hard drive) Click on Documents and Settings Navigate to Favorites Instructions: Click on Administrator Click on Favorite Section 4. Start Up Terminal Window Start up a Terminal Windows Command:  Click on the Black Terminal Window (See Below) View the file system structure using Knoppix Command:  df -k (See Below) Note: /dev/sda1 is your hard drive /media/sda1 is the mount point of your hard drive. Navigate to your hard drive Command:  cd /media/sda (See Below) Command:  ls Navigate to Favorites Instructions: cd Documents\ and\ Settings Press the TAB key after typing "D" cd Administrator Press the TAB key after typing "A" cd Favorites Press the TAB key after typing "A" ls -l date Proof of Lab: Do a screen print, cut in paste into a word document, and upload to Moodle. Section: Proof of Lab5 Cut and Paste a screen shot found in Section 4, Step 4 in a word and upload to Moodle.

Data Hiding

(Data Hiding: Lesson 1) { Hiding Data in Slack Space using bmap } Section 0. Background Information What is the scenario? Have you ever heard of Cyber Espionage where a spy was able to hide data and go virtually un-noticed?  The following lesson demonstrates how easy it is for a person to hide data in a file's slack space. bmap  Bmap is a data hiding tool that can utilize slack space in blocks to hide data. It can perform lots of functions interesting to the computer forensics community and the computer security community. Slack Space Blocks are specific sized containers used by file system to store data. Blocks can also be defined as the smallest pieces of data that a file system can use to store information. Files can consist of a single or multiple blocks/clusters in order to fulfill the size requirements of the file. When data is stored in these blocks two mutually exclusive conditions can occur; The block is completely full, or the block is partially full. If the block is completely full then the most optimal situation for the file system has occurred. If the block is only partially full then the area between the end of the file the end of the container is referred to as slack space. Lab Notes In this lab we will do the following: Download bmap Compile bmap Hide a secret message into a file that contains slack space Legal Disclaimer As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices. In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability." In addition, this is a teaching website that does not condone malicious behavior of any kind. You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law. © 2013 No content replication of any kind is allowed without express written permission. Section 1: Start Up the BackTrack5R1 VM Start Up VMWare Player Instructions: Click the Start Button Type Vmplayer in the search box Click on Vmplayer Open a Virtual Machine Instructions: Click on Open a Virtual Machine Open the BackTrack5R1 VM Instructions: Navigate to where the BackTrack5R1 VM is located Click on on the BackTrack5R1 VM Click on the Open Button Edit the BackTrack5R1 VM Instructions: Select BackTrack5R1 VM Click Edit virtual machine settings Edit Virtual Machine Settings Instructions: Click on Network Adapter Click on the Bridged Radio button Click on the OK Button Play the BackTrack5R1 VM Instructions: Click on the BackTrack5R1 VM Click on Play virtual machine Login to BackTrack Instructions: Login: root Password: toor or <whatever you changed it to>. Bring up the GNOME Instructions: Type startx Start up a terminal window Instructions: Click on the Terminal Window Obtain the IP Address Instructions: ifconfig -a Record your IP Address (See Picture) Note(FYI): My IP address 192.168.1.139. In your case, it will probably be different. This is the machine that will be use to attack the victim machine (Metasploitable). Section 2: Download bmap Create bmp folder Instructions: cd /opt mkdir bmap cd bmap Open Firefox Web Browser Instructions: Applications --> Internet --> Firefox Web Browser Navigate to bmap Instructions: In your Firefox browser navigate to the following address http://dl.packetstormsecurity.net/linux/security/bmap-1.0.17.tar.gz Select the Save File Radio Button Click the OK Button Save bmap Instructions: Click on File System Navigate to /opt/bmap Click Save Unzip and Untar bmap Instructions: cd /opt/bmap ls -l gunzip bmap-1.0.17.tar.gz tar xovf bmap-1.0.17.tar make bmap Instructions: cd /opt/bmap/bmap-1.0.17 make The purpose of the make utility is to determine automatically which pieces of a large program need to be recompiled, and issue the commands to recompile them. Note(FYI): You will see a lot of warnings.  However, make will compile bmap. make bmap Instructions: ln -s /opt/bmap/bmap-1.0.17/bmap /sbin/bmap "ln -s", makes a link to the bmap command in the /sbin. /sbin is typically a default directory found in the $PATH variable. which bmap bmap -help Section 3: Create Test File Create Test File Instructions: cd /var/tmp echo "This is a test file" > test.txt cat test.txt Section 4: Using bmap to hide text in slack space Show Slack Space Instructions: bmap --mode slack test.txt ls -l test.txt Note(FYI): The test.txt file is using 20 bytes of disk space. The test.txt file has 4076 bytes of "unused" slack space. Hide Data in Slack Space Instructions: echo "Top Secret Data Goes Here" | bmap --mode putslack test.txt ls -l test Notice the 20 byte size did not change after test was added to its slack space. cat test.txt Notice the secret message is not present. strings test.txt Not even strings can reach into the slack space of test.txt. Section 5: Proof of Lab Proof of Lab Note(FYI): The following commands will be placed in the lower terminal window. Instructions rm test.txt ls -l test.txt echo "This is a test file" > test.txt bmap --mode slack test.txt Notice the secret message was still present after the file was deleted and re-created. echo "Your Name" Replace the string "Your Name" with your actual name. e.g., echo "John Gray" Proof Of Lab Instructions: Do a PrtScn of the below commands Paste into a word document Upload to Moodle