ProtonMail Artifacts from Memory Dump

August 28, 2016

“Physical Access = Total Access”. In this post we will take a quick look at pulling ProtonMail artifacts from a Windows 10 process memory dump.

It’s been a very long time since I have posted on my blog. I have been very busy with a couple of new book writing projects, but I have missed doing regular blog posts. I ran into this today and thought it would be a good post to hopefully get back on the blogging horse. Let me say before we get started that I am a big ProtonMail fan, and highly recommend it. I am not breaking their encryption or anything fancy like that, just simply pulling artifacts that belong to a ProtonMail session out of the computer’s memory.

Last year I covered how to pull Word documents out of Windows memory using a remote Kali Linux shell. Using the same techniques and tools covered in that article you can do the same to recover ProtonMail artifacts.

As a test I crafted an e-mail using text from the Boba Fett Wikipedia entry. I figured the word “Boba” would make a good canary, a word that would be easily found in the memory dump.

The test e-mail looked like this in ProtonMail:

Bobba Fett Test 1

I then performed a memory dump on the Firefox process:

  • The “tasklist” command returned the Firefox process ID
  • Then, “procdump64 -ma [Process ID, or you can just use ‘firefox.exe’] mem_dump_filename”
  • And then, “strings64 mem_dump_filename.dmp > Protonmail.txt”

The procdump command copies memory in use by the Firefox process to a file. The resultant file is very large, so the strings command is used to pull text strings out of the dump and save them to a much smaller file called “Protonmail.txt”.
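The strings pass and the manual search can be scripted so the same check is repeatable on any dump. The following is an added example written for this post, not a tool from the original article: it emulates what “strings” does over a raw buffer, but also recovers UTF-16LE runs (which the plain “strings” invocation above misses, and which a Windows browser process holds plenty of), then greps the result for a canary word and for ProtonMail addresses. The sample dump bytes, the sender address and the canary patterns are constructed for the example.

```python
import re
import sys
from typing import List, Tuple

# Constructed stand-in for a process memory dump: non-printable filler with an
# ASCII fragment and a UTF-16LE fragment embedded, as a browser process on
# Windows commonly holds both encodings of the same kind of data.
SAMPLE_DUMP = (
    b"\x00\x01\x02\xff" * 8
    + b"From: sender@protonmail.com\r\nSubject: Boba Fett Test\r\n"
    + b"\x00\x7f\x13" * 5
    + "Boba Fett is a fictional character".encode("utf-16-le")
    + b"\x00" * 16
    + b"a\x00b\x00"  # only two characters: too short to count as a string
)

StringHit = Tuple[int, str, str]  # (offset in dump, encoding, text)


def extract_strings(data: bytes, min_len: int = 4) -> List[StringHit]:
    """Emulate `strings` over a buffer, returning (offset, encoding, text).

    Finds runs of at least min_len printable characters, both as plain ASCII
    and as UTF-16LE (each printable byte followed by 0x00), sorted by offset.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[StringHit] = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_artifacts(strings: List[StringHit], patterns: List[str]) -> List[StringHit]:
    """Return the extracted strings matching any of the regex patterns
    (case-insensitive): the scripted version of searching Protonmail.txt."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [hit for hit in strings if any(c.search(hit[2]) for c in compiled)]


# Canary word plus a ProtonMail address pattern; extend with subject lines etc.
DEFAULT_PATTERNS = [r"\bboba\b", r"[\w.+-]+@protonmail\.com"]


if __name__ == "__main__":
    # Usage: python find_artifacts.py mem_dump_filename.dmp  (defaults to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for offset, encoding, text in find_artifacts(extract_strings(data), DEFAULT_PATTERNS):
        print(f"0x{offset:08x} [{encoding}] {text}")
```

Reading a multi-gigabyte dump into memory at once is fine for a quick triage box but not for every machine; for large dumps, process the file in overlapping chunks so a string spanning a chunk boundary is not split.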

I then manually searched through the resultant .txt file for artifacts.

I found the source e-mail address, and the e-mail subject. A little farther down I found the entire e-mail text as seen below:

Bobba Fett Test 2

Comparing the two images you can see that the entire e-mail text was recovered from the memory dump. I was also able to view the contents of every e-mail that was opened during the session (not shown) and most, if not all, e-mail contacts that I have in ProtonMail.

This shows that if you have physical access to a system, you could recover ProtonMail artifacts including entire messages from a memory dump. The moral of this story, as a Linux guru once told me – “physical access equals total access”. If you have physical access (including remote access) to a system, you can recover many interesting things from system memory. That is why it is important to secure physical access to your systems.

If you enjoyed this article, check out my book, “Intermediate Security Testing with Kali Linux 2” which has an entire section on performing Forensics with Kali Linux.

DNS Spoofing with Nethunter, cSploit & Kali Linux

May 28, 2016

Kali Nethunter cSploit 1

How cool would it be as a pentester to walk around a target company with only your smartphone, and divert individual systems surfing the web to an outside Kali Linux system you have set up that is just waiting for incoming connections? With Kali Nethunter you could!

Using Kali Nethunter & cSploit on your Android phone, you can fairly easily perform a Man-in-the-Middle attack on target systems. Of course you can do all the normal MitM type attacks but what is nice is that you can also do DNS spoofing. This would allow you to divert a system surfing the web (without ever physically touching the target) to a different website.

Well, what if that different website was a Kali Linux system running Social Engineering attacks?

Introduction

If you haven’t played with Nethunter yet, it is one of the coolest things since sliced bread. Nethunter is an adaptation of the most excellent Kali Linux penetration testing platform re-invented for use on smartphones.

As always, it is illegal to attempt to access or modify a system that you do not have express written permission to do so. Doing so could get you into serious legal trouble and you could end up in jail.

Though DNS spoofing attacks are not new, it is just so easy to do them with Nethunter. And as this could be easily misused, I will not show all the steps in this process, only show how the attack could be set up.

Also, I will not show how Nethunter is installed. If you install Nethunter on your phone, you do so at your own risk. Installing Nethunter involves wiping your phone, installing new and custom firmware and rooting it. As with modifying any smartphone, there is a possibility that the phone could be bricked in the process, turning your favorite phone into an expensive drink coaster.

Three systems will be used in this article – The smartphone running Nethunter, a test target system running Windows 7 and a third computer running Kali Linux.

Kali Nethunter cSploit 2

All right, enough talk, let’s get to it!

Using Nethunter

When Nethunter boots up it looks like any other Android phone, other than the epic Kali booting screen that is. Kali Nethunter installs multiple tools found in a regular Kali Linux install and presents you with a nice menu system under the “Nethunter” icon:

Kali Nethunter cSploit 3

There are some great tools here like “HID attacks”. This allows you to turn your phone into an evil USB keyboard that actually types commands on the target system when your phone is connected. There is also the MITM Framework which allows you to do more advanced MITM attacks than we will cover today. Of course you can also run Nmap scans, start Kali Services and several other things.

Don’t forget as well, that you have many of the Kali tools installed in the file system itself, so you can open a terminal and run them just as you would on a regular Kali system.

MitM DNS Spoofing with cSploit

Along with the Kali tools, Nethunter also installs several additional tools that are very helpful to a penetration tester including cSploit. cSploit is probably the fastest way on the phone to scan a connected network and perform basic attacks, including MitM.

Just tap the cSploit icon to start the application. It will immediately perform an extremely quick scan of all systems connected to the network. You will then be shown a list of all the network devices along with their name, MAC and IP addresses, and how many open ports were detected on each device.

Clicking an individual target will give you a list of scans and attacks that can be run against the target:

Nethunter Csploit

Trace and port scanner are self-explanatory. Service inspector runs an in-depth scan with service detection. Once this is done, you can click the “Exploit Finder” button to try to find exploits for any vulnerabilities found during the service inspection.

Let’s take a look at the MITM attacks:

Nethunter Csploit 2

We can use the DNS spoofing button to redirect the target system to a system we control. Once you click the “DNS Spoofing” button you will be presented with an Ettercap config screen. Simply map the domain name you want to spoof to the IP address that you want it to actually point to.

For example, if we want the target to go to our separate Kali Linux system, we would just put in its IP address. As “microsoft.com” is already added in the config file as an example, we just need to modify the IP address. So if our Kali Linux system was running at 192.168.1.39 then we would modify the Ettercap config screen to look something like this:

Ettercap DNS config 1

When finished:

  • Just click “SAVE”
  • And then click “START”

And that is it. cSploit will start the MITM attack and set the Microsoft DNS entry on that target system to point to our Kali Linux box.

On the Kali Linux system, start the Social Engineering Toolkit, and then step through the web attack menu having it clone the Microsoft website.

And then when the target system opens their internet browser and types in “microsoft.com”, they will indeed see this:

Microsoft webpage

But they will actually be connected to the Kali Linux system and be shown the cloned Microsoft website from the Social Engineering Toolkit.

If they click on any links they will get errors as SET does not clone the entire website. But the gist here is that we used our phone to redirect a user to a third system that could be hypothetically anywhere running a program that, when set up properly, could grab any text or credentials entered.

Conclusion

DNS spoofing will not work on all websites, and MitM attacks do not work at every location. But this could work out very well for a penetration tester in some circumstances. They could set up a cloned copy of a website (maybe the target system’s corporate website) on an offsite computer. Then just take their phone into the building, connect to an open network port or the corporate Wi-Fi, and redirect individual systems to the outside box for the win.

The best defense against Man-in-the-Middle attacks is to protect your physical network. Use complex passwords for your wireless networks, disable or protect open and unused network ports, and segment your network when possible. DNS spoofing attacks will usually not work against websites using SSL (HTTPS), and they also do not work well against websites hosted on a server that hosts multiple websites.
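On the detection side, the redirect described above has a simple signature: a public hostname such as microsoft.com suddenly resolving to an address on the local LAN (192.168.1.39 in the walkthrough). The following is an added example, written for this post rather than taken from cSploit or Ettercap, that parses a raw DNS answer and flags exactly that. The sample answer is constructed in the block so it runs offline; the list of “local” name suffixes that are allowed to resolve to private addresses is my own assumption and should be adjusted for a real network. A defender would feed it answers captured from the resolver port on a monitored host.

```python
import ipaddress
import struct
from typing import List, Tuple

Record = Tuple[str, str, int]  # (name, ipv4 address, ttl)


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name: length-prefixed labels, terminated by 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(qname: str, ip: str, txid: int = 0x1234, ttl: int = 60) -> bytes:
    """Constructed sample answer in the shape any resolver returns for an A
    query: 12-byte header, echoed question, one A record. Used as test input."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    # 0xC00C is a compression pointer back to the name at offset 12 (the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset just after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes) -> List[Record]:
    """Return (name, ipv4, ttl) for every A record in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):          # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                 # QTYPE + QCLASS
    records: List[Record] = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return records


# Assumption: only names under these suffixes legitimately resolve to LAN addresses.
LOCAL_SUFFIXES = (".local", ".lan", ".internal")


def flag_spoofed(records: List[Record], local_suffixes=LOCAL_SUFFIXES) -> List[Record]:
    """A public hostname answered with a private or link-local address is the
    signature of the LAN-side redirect; return the offending records."""
    hits = []
    for name, ip, ttl in records:
        addr = ipaddress.IPv4Address(ip)
        if (addr.is_private or addr.is_link_local) and not name.endswith(local_suffixes):
            hits.append((name, ip, ttl))
    return hits


if __name__ == "__main__":
    sample = build_a_response("microsoft.com", "192.168.1.39")
    for name, ip, ttl in flag_spoofed(parse_a_records(sample)):
        print(f"suspicious answer: {name} -> {ip} (ttl {ttl})")
```

The check is deliberately narrow: it catches the case in this post, where the attacker's landing box sits on the same LAN, and says nothing about a spoofed answer pointing to a public address. For that, compare answers against a second resolver reached over an authenticated channel, and remember that a low TTL on a normally long-lived record is another hint worth logging.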

If you want to learn more about Kali Linux and Social Engineering attacks, check out my Kali Tutorial books on Amazon.com.

Shodan Search Reveals Open Cloud Control Panels

April 24, 2016

While researching web server frameworks, I ran across something that seemed very odd. I found what appeared to be unsecured Cloud Cluster controls. And using Shodan I could tell the difference between the ones that were using account login control and those that were surprisingly completely open to the public.

Twisted Web is a Python based web server used in many network applications. Over the years I have noticed that specific versions seem to be used for different tasks. I ran into one the other day that I do not remember seeing before.

An internet search using Shodan (the “search engine for Internet-connected devices”) for Twisted Web servers returned some odd results that I did not recognize. A specific version (10.2.0) returned what appeared to be some sort of cloud control interface on the internet.

If you go to the “Shodan.io” website and search for “twistedweb/10.2.0” it will list all of the systems in question, as seen below:

Shodan Cloud Security 1

There seem to be password protected ones and what appear to be completely unprotected ones. The difference is that the password protected ones contain a login.html file in the Shodan return, while the completely open ones point to index.html.

So to have Shodan find all of the ones that appear completely open to the public, just search for “twistedweb/10.2.0 index.html” as seen below:

Shodan Cloud Security 2

As you can see there are more than 700 of them. They appear to be DataStax Enterprise Cluster Storage controls as seen in this picture from a DataStax YouTube demo:

Shodan Cloud Security 3

The DataStax YouTube video explains that you can completely control and monitor the cluster storage from this interface. I was thinking this was something that really shouldn’t be completely open to the public on the internet. There must be a “require login” setting that people are just not using to secure them. As I wasn’t sure, I ran the information by my friends at Evident.io.

“What you are seeing here is the failure to implement proper security controls around administrative interfaces of, in this case, Enterprise Cassandra NoSQL clusters. The unprotected administrative interface gives remote attackers the ability to connect to the cluster and perform administrative functions without authentication or resistance. This is often the result of business pressure to deploy technology to solve complex problems, but failure by the business to invest in time and resources to help those product teams protect the infrastructure and services themselves. A simple verification of security control deployment around this kind of technology would prevent this security incident from happening in the first place, and guarantee continued protection against mistakes that create unnecessary risk for the company,” said Tim Prendergast, co-founder and CEO of Evident.io.

There must be some way to protect these systems, or to notify cloud users of these issues. Well, according to Prendergast, there is:

“Tools like the Evident Security Platform (ESP) help prevent these kinds of issues from being exploited by attackers by providing comprehensive visibility into the security controls deployed in your cloud, or alternatively you could build your own set of custom security controls through the custom signatures feature. Either way, nobody should operate their cloud environment without fast, accurate, and actionable information on these types of risks. The only way to protect your organization from suffering due to unprotected attack surfaces is to create a continuous, enforceable security practice around your cloud.”

As we have seen here, some improperly protected cloud controls across the world were found very easily using Shodan. We could also easily differentiate between systems that had account login controls (I hope they used strong passwords) and those that didn’t. The advantages of using the cloud are obvious, but like any computing resource they must be protected properly from online threats.
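The login.html versus index.html distinction used above can be applied mechanically to a set of banners, which is the useful direction for a defender: export the Shodan results for your own address ranges and sort them into “has a login” and “wide open” before anyone else does. The following is an added example written for this post, not Shodan’s or DataStax’s code. The banners are constructed in the shape Shodan displays for HTTP services (status line, headers, optional body snippet) and are not real hosts. It goes one step beyond the post’s heuristic by also counting an HTTP 401 challenge as protected.

```python
from typing import Dict, List

# Constructed banners, not real Shodan results. The first two mirror the two
# shapes described in the post (redirect to login.html vs. a page pointing at
# index.html); the others show a different version and a Basic-auth challenge.
SAMPLE_BANNERS = [
    "HTTP/1.1 302 Found\r\nServer: TwistedWeb/10.2.0\r\nLocation: /login.html\r\n"
    "Content-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: TwistedWeb/10.2.0\r\nContent-Type: text/html\r\n\r\n"
    '<html><head><meta http-equiv="refresh" content="0; url=index.html"></head></html>',
    "HTTP/1.1 200 OK\r\nServer: TwistedWeb/12.3.0\r\nContent-Type: text/html\r\n\r\n"
    "<html>some other application</html>",
    'HTTP/1.1 401 Unauthorized\r\nServer: TwistedWeb/10.2.0\r\n'
    'WWW-Authenticate: Basic realm="ops"\r\n\r\n',
]


def parse_banner(raw: str) -> Dict[str, str]:
    """Split an HTTP banner into status line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields = {"status": lines[0], "body": body}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def classify(raw: str, version: str = "twistedweb/10.2.0") -> str:
    """Apply the post's heuristic to one banner.

    Only banners whose Server header matches the version of interest are
    judged; a login.html reference or a 401 challenge means a login is in
    front of the interface, an index.html reference means it is open.
    """
    banner = parse_banner(raw)
    if banner.get("server", "").lower() != version:
        return "out-of-scope"
    status_code = banner["status"].split()[1] if len(banner["status"].split()) > 1 else ""
    hints = (banner.get("location", "") + " " + banner["body"]).lower()
    if "login.html" in hints or status_code == "401":
        return "login-protected"
    if "index.html" in hints:
        return "open"
    return "unknown"


def triage(banners: List[str]) -> Dict[str, int]:
    """Count banners per class, the summary you want before notifying owners."""
    counts: Dict[str, int] = {}
    for raw in banners:
        label = classify(raw)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_BANNERS:
        print(f"{classify(raw):16s} {parse_banner(raw)['status']}")
    print(triage(SAMPLE_BANNERS))
```

Treat “open” as a lead, not a verdict: a banner is a single unauthenticated response, and a front-end proxy or IP allow-list that Shodan never saw may still be protecting the host. Confirming exposure means a controlled request from an authorized position, not a broader scan.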

About the Author

Daniel W. Dieterle is an internationally published author and computer security researcher with over 20 years’ experience in the IT field. His technical “How-To” articles have been featured in numerous computer magazines, and referenced by both industry websites and the media. He has also written three Ethical Hacking Security books based on Kali Linux, including his latest book, “Basic Security Testing with Kali Linux 2”, which contains a chapter on using Shodan.

How to install Bitdefender’s free Ransomware Protection Tool

March 29, 2016

Bitdefender has just released a free tool that can protect against ransomware viruses. Here is how to install it.

Hackers have been hitting everything from hospitals to police stations with ransomware viruses. Bitdefender has released a tool that could help fight it:

“Bitdefender anti-malware researchers have released a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families.

“The new tool is an outgrowth of the Cryptowall vaccine program, in a way.” Chief Security Strategist Catalin Cosoi explained. “We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea.”

Installation could not be easier

  1. Download the file:

https://labs.bitdefender.com/2016/03/combination-crypto-ransomware-vaccine-released/

  2. Run it:

Ransomeware Protection 1

  3. Click Next, and then install:

Ransomeware Protection 2

  4. And then Finish

Ransomeware Protection 3

And that is it!

Ransomeware Protection 4

How easy was that?

If you want you can change the settings for the program. You may want to set it to “minimize on startup” and “minimize to tray on close”:

Ransomeware Protection 5

But it is pretty much an install and forget about it type app, no fuss, no muss.

Bitdefender has always been one of my favorite anti-virus programs, and this is a handy tool to have.

Check it out!