Windows 8 Open Source Memory Analysis Fail

Wow, spent a lot of time yesterday trying to do some memory analysis on Windows 8 with a couple open source tools…

And completely failed.

I wanted to analyze a suspended Win8 virtual machine’s memory and see what information could be pulled from it. I know VMware has a “vmss2core” utility that will do the trick. Of course I had Windows 8 in a VirtualBox VM. No problem, I exported and imported to VMware Workstation with no problems. Okay, it hung up on first boot in VMware, but a hard reset and everything was right as rain on the next boot.

Next I suspended the VM, grabbed the .vmem and the .vmss suspension files and tried to run it through vmss2core:

C:\VM>vmss2core.exe -W windows8.vmem windows8.vmss
vmss2core version 812388 Copyright (C) 1998-2012 VMware, Inc. All rights reserved.

Unrecognized .vmss file (magic f000ff53).

Unrecognized .vmss file… Okay, not to be deterred, I rebooted the Windows 8 VM and took a snapshot. Vmss2core also works with snapshots!

Same error.

I actually read the help features for vmss2core and realized that it has a “-W8” command for Windows 8! Doh!

Used that… Same error…
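One thing worth checking before blaming the tool is what kind of file the converter was actually handed. The following is an added example (mine, not code from the post, from VMware or from Volatility) that reads the first four bytes of a candidate file and says whether they look like a VMware suspend/snapshot header or like raw physical memory. The VMware magic values are the ones I know from Volatility’s VMware address space support and are an assumption to verify against your tool version. For what it is worth, the magic f000ff53 in the error above, read as little-endian bytes, is 53 ff 00 f0, which is what interrupt vector 0 of a raw memory image normally holds (the BIOS dummy IRET at F000:FF53), so that message is consistent with the .vmem having been read where a .vmss header was expected; in the vmss2core usage I know, the .vmss/.vmsn file comes first and the .vmem second. The sample byte strings are constructed.

```python
"""Triage the first bytes of a VMware memory artifact before handing it to a
converter such as vmss2core or to Volatility.

Added example, not code from the original post, VMware or Volatility.
Assumptions are marked in the comments.
"""
import struct

# VMware suspend/snapshot header magics, read as little-endian 32-bit values.
# Assumption: these are the values Volatility's VMware address space accepts;
# verify against the tool version you use.
VMWARE_MAGICS = {
    0xBED2BED0: "VMware suspend state (.vmss, legacy header)",
    0xBAD1BAD1: "VMware snapshot (.vmsn)",
    0xBED2BED2: "VMware suspend state (.vmss)",
    0xBED3BED3: "VMware suspend/snapshot (.vmss/.vmsn, newer header)",
}


def classify_header(first_bytes: bytes) -> str:
    """Return a human-readable guess at what kind of file these leading bytes belong to."""
    if len(first_bytes) < 4:
        return "too short to classify"
    (magic,) = struct.unpack("<I", first_bytes[:4])
    if magic in VMWARE_MAGICS:
        return VMWARE_MAGICS[magic]
    # A raw physical memory image (.vmem) begins with the real-mode interrupt
    # vector table. Each vector is stored as offset then segment, and BIOSes
    # classically point vector 0 at the dummy IRET handler at F000:FF53, so
    # the bytes 53 FF 00 F0 read as one little-endian dword are 0xF000FF53.
    offset, segment = struct.unpack("<HH", first_bytes[:4])
    if segment == 0xF000:
        return (f"raw physical memory image (IVT vector 0 = {segment:04X}:{offset:04X}, "
                f"read as a header magic this is 0x{magic:08x})")
    return f"unknown header (magic 0x{magic:08x})"


def classify_file(path: str) -> str:
    """Same check against a file on disk; reads only the first four bytes."""
    with open(path, "rb") as fh:
        return classify_header(fh.read(4))


if __name__ == "__main__":
    # Constructed samples, not bytes taken from the post's files.
    samples = {
        "windows8.vmem (constructed)": bytes.fromhex("53ff00f0"),
        "windows8.vmss (constructed)": bytes.fromhex("d2bed2be"),
        "random.bin (constructed)": bytes.fromhex("deadbeef"),
    }
    for name, head in samples.items():
        print(f"{name}: {classify_header(head)}")
```

Run `classify_file("windows8.vmss")` against each of the two files before the conversion; if the one you are passing as the suspend state comes back as a raw memory image, the arguments are swapped rather than the format unsupported.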

Okay, bothered now, but still undeterred, I figured I would just boot the system up and run MoonSols DumpIt command to get a copy of the active RAM. Then I can use the memory dump output and feed it into Volatility!

Or so I thought…

DumpIt works great for grabbing a full copy of your active RAM so you can analyze it for artifacts. Simply download the file and place it where you want it – USB drive, hard drive, etc. Then just run the command, and the full active memory of the system will be saved in the same directory.

I ran DumpIt in Windows 8 and it worked flawlessly:

Yeah! Now all I need to do is take the .raw memory dump file and feed it into the memory analysis program Volatility. And I should be able to see tons of information and artifacts including network connections, users, services and other goodies!  🙂

I started out by using the imageinfo command. This command returns the exact operating system level to Volatility so that it correctly maps memory locations with services when you use the more advanced commands.

(I created a whole series on using Volatility to perform analysis on Windows 7 last year.)

When I ran Volatility, it was unable to determine the OS level. I was using the latest version that just came out this month. A quick search on their website and it looks like Windows 8 functionality will not be out for several more months…

Well, that was the final brick wall for me. I had other things to do and had to walk away from it at that point.

Anyone have any ideas or know of any other open source memory analysis tools like Volatility that will work with Windows 8?

Israel creating Digital “Iron Dome” to Combat Constant Cyber Assault


Israel is facing daily electronic attacks against critical systems, and the attacks are on the increase. To counter the rising cyber storm, they are in the process of creating a digital “Iron Dome” which, according to Prime Minister Benjamin Netanyahu, will help block the attacks and “protect Israel from cyber terror”.

Israel has been in a battle to survive ever since the nation was re-formed. They have been under constant threat by Islamic nations that simply do not want the country to exist. Now, along with the possibility of physical and even nuclear attack, electronic attacks have been rapidly on the rise. Altogether, Netanyahu recently said that these are “the greatest security-related challenges Israel has faced since its inception”.

Israel has not been sedentary in preparing for these threats. They have put their best and brightest minds at work creating defenses against the unique threats that they face, sometimes on a daily basis. For example, the Trophy Active Protection System by Rafael was created in response to militant RPG attacks against their military vehicles:

(It is interesting to note that the US looked into using the same technology on its deployed tanks, but it was turned down due to the possibility of collateral damage.)

The “Iron Dome” system was also created to help protect whole cities against militant rocket launches. Also created by Rafael, Iron Dome is an integrated mobile air defense system that detects, tracks and intercepts incoming short-range rockets and artillery shells. Since it has been deployed, it has shot down 90% of the rockets launched from Gaza (over 90!).

Now that Iran has created a 100-man cyber team, ostensibly to attack US and Israeli systems, it sounds like Israel is looking to use the same concept and create a “digital Iron Dome”:

“Just as we have an Iron Dome missile interceptor to protect against missiles, and a border fence to prevent infiltrators and terrorists from entering, we will also have a similar defense against cyberattacks.

For this purpose, I established the National Cyber Directorate a year ago and it has been working to block these attempts by developing what I would call a ‘digital Iron Dome’ to protect Israel from cyberwarfare,” Netanyahu said Sunday at a weekly cabinet meeting.

Though the system is classified and no details have been publicly released, it could not come at a better time.

Windows 8 Security in Action: Part 3

(This is the third and final part of my Windows 8 Security in Action article featured in last month’s Hakin9 magazine. Part One was a general introduction to the new look of Windows 8. In Part Two we looked at some of the new security features, and saw how it responds to basic Java attacks. In this last section we continue to analyze how Windows 8 responds to online and local attacks.)

SET PowerShell Attack

I next tried the SET PowerShell attack [2]. This attack has worked in all previous versions of Windows that I have tested, including Windows 7. SET creates a PowerShell command that includes an encrypted shell. Once the script is executed in PowerShell on the target system, it connects out to the remote system.

I ran the program creating the PowerShell script, and started the listener service on the Backtrack system. I then ran the script and… Nothing!

The Backtrack system did not detect any connection attempts and the Windows 8 PowerShell threw out a “Program has stopped running” error and closed. The PowerShell script that SET creates runs in a hidden window so you can’t see what it is doing. When I ran the shell again with the hidden feature turned off, I got this screen of errors in PowerShell (Figure 15):

Figure 15 – PowerShell remote Shell attack stopped by Windows 8

“Arithmetic operation resulted in an overflow.” – Windows 8 did not allow the malicious code to connect out to the attacker system completely thwarting the attack.

So far, Windows 8 is batting a thousand; none of the attacks have been successful!

Windows 8 against the latest Flash Threats

Recently a Computerworld article [3] stated that Windows 8 was vulnerable to a new Flash exploit that was just discovered, and apparently will not be patched until October due to the way that Flash is integrated into the new Internet Explorer.

Just today (September 12th) Computerworld announced that Microsoft changed their minds and will release a security patch right away [4]:

“In light of Adobe’s recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers,” Yunsun Wee, director of the company’s Trustworthy Computing Group, said in a Tuesday statement. “This update will be available shortly.”

I actually tried a couple of the earlier Flash attacks against Windows 8. Not the one mentioned in the Computerworld article, but one that was only a few weeks old (Mid-August). Windows Defender caught it and stopped it. (Figure 16)

Figure 16 – Windows Defender showing attacks that were stopped

Overall the new Windows seems very good at standing up to common online script based attacks.

Credential Harvesting Attacks

Next I ran credential harvesting attacks against the Windows 8 machine. This creates a bogus website that looks like a regular webpage, like Gmail or Facebook. Then when someone tries to enter their credentials it takes and stores the user’s login information and forwards them to the real page.

Windows 8 was able to block all of the Java based harvesters that I tried.

But on a harvesting page that did not use Java, it worked flawlessly and I was able to recover any credentials that were typed into the bogus webpage.

This is not really a security fault of Windows 8 (the user is entering their credentials on a bogus webpage), but with the tight integration of Windows 8 with Microsoft Account numbers and Live e-mail, this could be an issue.

Man-in-the-Middle Attacks

I tried running a Man-in-the-Middle (MitM) attack against the system. A MitM attack goes after the underlying TCP/IP communication stack and modifies the target’s ARP table. The Address Resolution Protocol table simply maps IP addresses to network card physical MAC addresses. A system running the MitM attack inserts itself into the communication path between a system and the gateway/router by telling the target system that it is the gateway and the gateway that it is the target system. Any information transferred in or out of the system can be monitored and stored.

Surprisingly the MitM attack I attempted worked flawlessly. I was able to watch what websites the Windows 8 system went to from my attacking system and was able to view communication data.

I thought this type of attack would be addressed in Windows 8, but as in Windows 7 and previous versions, this still seems to work.
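Since the ARP poisoning described above still works, the practical answer is to detect it on the wire (or pin the gateway binding with a static ARP entry, or enable Dynamic ARP Inspection on managed switches). The following is an added example, mine and not code from the article, that takes ARP replies already parsed into fields (assumption: you would feed them from a capture tool or a switch’s ARP log) and flags the three signs of the attack the text describes: a reply that contradicts a pinned gateway MAC, one IP announced by more than one MAC, and one MAC claiming both the gateway and a host. The sample replies and addresses are constructed.

```python
"""Flag the ARP cache poisoning pattern behind the MitM attack described above.

Added example, not code from the original article. Input is a list of ARP
replies already parsed into fields (assumption: you feed it from a capture
tool or a switch's ARP log); the sample replies below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


# Pinned IP-to-MAC bindings you trust (assumption: the gateway MAC was
# recorded as a baseline when the network was known to be clean).
PINNED = {"192.168.1.1": "00:50:56:aa:bb:01"}


def detect_arp_poisoning(replies, pinned=PINNED, gateway_ip="192.168.1.1"):
    """Return a list of (kind, message) alerts; an empty list means nothing suspicious."""
    alerts = []
    claims = defaultdict(set)      # ip  -> MACs that claimed it
    claimed_by = defaultdict(set)  # mac -> IPs it claimed
    for r in replies:
        mac = r.sender_mac.lower()
        claims[r.sender_ip].add(mac)
        claimed_by[mac].add(r.sender_ip)
        # 1. A reply contradicting a pinned binding (the "I am the gateway" lie).
        expected = pinned.get(r.sender_ip)
        if expected and expected.lower() != mac:
            alerts.append(("pinned_mismatch",
                           f"{r.sender_ip} claimed by {mac}, pinned MAC is {expected}"))
    # 2. The same IP announced with more than one MAC inside the window.
    for ip, macs in claims.items():
        if len(macs) > 1:
            alerts.append(("multiple_macs", f"{ip} claimed by {sorted(macs)}"))
    # 3. One MAC claiming both the gateway and another host: the two-sided
    #    poisoning the article describes, where the attacker impersonates
    #    each side to the other.
    for mac, ips in claimed_by.items():
        if gateway_ip in ips and len(ips) > 1:
            others = sorted(ips - {gateway_ip})
            alerts.append(("relay_pattern",
                           f"{mac} claims gateway {gateway_ip} and {others}"))
    return alerts


SAMPLE_REPLIES = [  # constructed, not from the article's test network
    # legitimate gateway reply to the victim
    ArpReply("192.168.1.1", "00:50:56:aa:bb:01", "192.168.1.50", "00:0c:29:11:22:33"),
    # poisoner tells the victim that it is the gateway
    ArpReply("192.168.1.1", "00:0c:29:de:ad:01", "192.168.1.50", "00:0c:29:11:22:33"),
    # poisoner tells the gateway that it is the victim
    ArpReply("192.168.1.50", "00:0c:29:de:ad:01", "192.168.1.1", "00:50:56:aa:bb:01"),
]

if __name__ == "__main__":
    for kind, msg in detect_arp_poisoning(SAMPLE_REPLIES):
        print(f"[{kind}] {msg}")
```

Run over a sliding window of recent replies; the `pinned_mismatch` check alone is enough for the gateway if you maintain the baseline, while `multiple_macs` also catches poisoning of hosts you have not pinned.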

Physical Attacks

As mentioned earlier, Windows 8 now comes with a new boot method, called Unified Extensible Firmware Interface (UEFI). This helps protect against malware boot attacks and rootkits, and some other common attempts at modifying the boot process. This is a huge improvement over previous versions of Windows.

But it is not perfect; let me explain.

Even Windows 7 included a feature that recovers system files that are changed while the computer is running. So if you tried to change certain system files, it would revert back the next time the system rebooted.

But there is a file modification process that has been around a very long time that attacks the system files by booting from another OS, like Linux. This file modification attack allows a System level command prompt that can be opened at the login screen. The System level credential is the highest level of authority on a Windows box. It is higher than the “Administrator” user and is similar to Root access on a Unix/Linux box.

And this system level terminal runs without anyone physically logged onto the machine! This entire process was actually explained on a Microsoft TechNet Forum on Windows Server back in 2009 as a way to get into your server if you lost the Admin login credentials:

http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/11facbbf-d7c5-4507-89ae-d828d11eaa73

But what has been allowed to remain in Windows (it works in all versions of Windows including Desktops), could also be used by a bad guy in a physical attack.

It only takes a few seconds to perform this attack using a Linux boot disk. Basically you boot the Windows box with a Linux Boot disk, modify a couple executable files in the system32 directory and reboot. Then on reboot, at the main login screen, you hit a key combination and up pops a System level command prompt!

Figure 17 – System level Command Prompt at Login Screen

At this point you can run any system commands, including adding users or whatever you want to do. In the image below I just created a user named “Fred” with the ultra-secure password of “fred” (no one would ever guess that!).

Figure 18 – Adding a new User at Login Screen

I then reboot and we now have two users on this system:

Figure 19 – User added from Login Command Prompt Shows up in Login Screen

And of course I can now login to the system with our new user Fred.

Don’t get me wrong, this isn’t some high level hack. It is a valid way to legitimately get access to a system where someone has forgotten the password.

We have used it in a corporate environment before where users have left and did not leave their current password. The systems were not network attached and unfortunately an administrator did not create an account on them. And of course the systems had data on them so the machines could not be wiped.

But as I mentioned before, malicious users could also use the same tactic if they have physical access to the machine.
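The offline file modification itself is what full-disk encryption such as BitLocker is meant to prevent; after the fact, the trace left by an account added from that prompt is a user-creation audit event raised by the SYSTEM session rather than by a logged-on user. The following is an added example, mine and not code from the article, that hunts for exactly that in Security log records already exported to dicts. It assumes the field names of event ID 4720 (“A user account was created”, which needs User Account Management auditing enabled), that LocalSystem appears as SID S-1-5-18 with logon ID 0x3e7, and that the sample records are constructed, not real logs.

```python
"""Hunt for local accounts created from a SYSTEM-level session, the trace the
login-screen command prompt trick above leaves behind.

Added example, not code from the original article. It works on Windows
Security log records already exported to dicts (assumption: fields named as
in the event XML of event ID 4720, "A user account was created"); the sample
records are constructed, not real log data.
"""
LOCAL_SYSTEM_SID = "S-1-5-18"   # well-known SID for LocalSystem
SYSTEM_LOGON_ID = "0x3e7"       # logon session 999, the SYSTEM session


def flag_system_created_accounts(events):
    """Return the names of accounts whose 4720 event was raised by the SYSTEM session.

    A SYSTEM-created account is not proof of abuse (installers and management
    agents can legitimately do it), so treat hits as leads to investigate.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4720:
            continue
        from_system = (ev.get("SubjectUserSid") == LOCAL_SYSTEM_SID
                       or str(ev.get("SubjectLogonId", "")).lower() == SYSTEM_LOGON_ID)
        if from_system:
            hits.append(ev["TargetUserName"])
    return hits


SAMPLE_EVENTS = [  # constructed records, not real log data
    # an administrator creating a service account from a normal session
    {"EventID": 4720, "TimeCreated": "2012-09-10T14:02:11",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "SubjectUserName": "alice",
     "SubjectLogonId": "0x1f3c2", "TargetUserName": "svc_backup"},
    # an ordinary logon event, ignored because it is not a 4720
    {"EventID": 4624, "TimeCreated": "2012-09-10T21:40:05",
     "SubjectUserSid": "S-1-5-18", "SubjectUserName": "WIN8-TEST$",
     "SubjectLogonId": "0x3e7", "TargetUserName": "alice"},
    # "Fred" created by the SYSTEM session with nobody logged on
    {"EventID": 4720, "TimeCreated": "2012-09-10T21:41:30",
     "SubjectUserSid": "S-1-5-18", "SubjectUserName": "WIN8-TEST$",
     "SubjectLogonId": "0x3e7", "TargetUserName": "Fred"},
]

if __name__ == "__main__":
    for name in flag_system_created_accounts(SAMPLE_EVENTS):
        print(f"account created from SYSTEM session: {name}")
```

On the machine itself the same records can be pulled with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720}` and exported before running the check; correlating a hit with the absence of any interactive logon in the minutes before it makes the lead much stronger.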

Conclusion

Again, I just used standard testing tools in the creation of this article. There are several ways to bypass anti-virus on older versions of Windows by modifying the payloads in Metasploit. I did not do this; I just wanted to test it using some of the most common security techniques that are in use today.

My intent on writing this article was not to show how to bypass Windows 8 security, but how the out-of-the-box features stood up to average internet attacks, which it did extremely well.

I was able to get an initial remote shell with the Alphanumeric shell attack. And though it was not completely functional, a version could possibly be made in the future to bypass Windows 8 security features. Flash vulnerabilities still seem to be a concern according to the Computerworld article. One credential harvesting attack also worked, and so did the physical login prompt trick.

Hopefully this article demonstrates to you that Windows 8 security is indeed better than Windows 7. But user training about online threats and phishing defense needs to remain in place. The standard advice of not running unknown or unsolicited attachments, or visiting suspicious websites, and all the normal Social Engineering defense training remains the same.

Running a script blocker program like FireFox’s “NoScript” is still highly recommended to stop scripts from automatically running.

Also physical security of systems is still very important. Keep important servers and workstations in a secured area. Do not allow other people to access your system. Always verify the identity of service personnel who want to perform maintenance on your system.

Will Windows 8 sweep the enterprise world by storm? I am not sure. The security features (especially the increased memory protection) are a big boost and are needed. But the switch to the new interface may be a turn off to many overtaxed IT departments that do not have the time to help users through the learning curve of a new desktop.

Many corporate users still are using Windows XP believe it or not. Will they switch to Windows 7 or jump to the more secure Windows 8?

Only time will tell.

References

1 – Microsoft’s Secure Password FAQ – http://www.microsoft.com/security/online-privacy/passwords-create.aspx

2 – PowerShell Attack – https://cyberarms.wordpress.com/2012/08/02/social-engineering-toolkit-bypassing-anti-virus-using-powershell/

3 – “Adobe confirms Windows 8 users vulnerable to active Flash exploits” – http://www.computerworld.com/s/article/9231076/Adobe_confirms_Windows_8_users_vulnerable_to_active_Flash_exploits

4 – “Microsoft backpedals, promises to patch Windows 8’s Flash ‘shortly’” – http://www.computerworld.com/s/article/9231185/Microsoft_backpedals_promises_to_patch_Windows_8_s_Flash_shortly_

Did Israel Hack Unmanned Helicopter that Entered their Airspace?

Several news agencies have been giving Israel some grief over the interception of an Unmanned Aerial Vehicle or UAV that penetrated its airspace on October 6th. Many are wondering why the UAV was not intercepted as it crossed the Mediterranean Sea, but instead was allowed to linger for an additional half hour before the Israeli Air Force shot it down. One possible explanation is that Israel had hacked into the UAV and had partial control.

Israel was one of the first countries to use drones. Early models were simple R/C planes with cameras attached. The technology has jumped leaps and bounds since then, with the US even using stealth drones like the RQ-170. An RQ-170 made headline news when one crashed in Iran from mechanical failure, even though Iran claimed that it was downed via cyber attack.

According to reports an Iranian-made unmanned helicopter took off from Lebanon and flew what appeared to be a reconnaissance mission over Israel:

“The drone was apparently launched by Iran or one of its allies to test the IDF’s detection and interception capabilities, and perhaps even to search for specific targets in south Israel. The drone apparently began its flight in Lebanon and then headed in the direction of Gaza’s coastline after flying over the Mediterranean Sea. This route was chosen not only because it utilized the depth of the sea’s airspace, but also because Israeli UAVs regularly hover above Gaza.”

The UAV was tracked and then downed when it was over a forest (in case it contained explosives) by a pair of Israel F-16 fighter jets using Israeli made Python air-to-air missiles.

So as it would seem an Iranian UAV, possibly Hezbollah-backed, flew into Israeli airspace and was shot down. But this may not be the whole story. According to Debkafile an Israeli cyber warfare unit wrestled with foreign operators over control of the drone:

“Debkafile’s military sources report exclusively that for 30 minutes, as the helicopter flew over southern Israel, control swung back and forth between Israeli cyber operators and unknown agents.

The battle was finally resolved by an Israeli decision to scramble four F-16 fighters to shoot the trespasser down, while Israeli cyber experts tried to identify its satellite controller.”

Very interesting indeed. If they could gain partial control, then maybe they could also intercept and track the controlling signal. And if Israel’s recent military maneuvers over South Lebanon are any indication, it would seem that the drone did in fact come from Lebanon.