Wednesday, May 23, 2012

Update to MESMER.py

MESMER.py (MEmoryze String MappER) is a tool I wrote a few weeks ago. Since then I've used it in every forensic investigation that involved memory analysis.  When I first wrote the tool, I was still learning the SQLite database schema that Memoryze creates, which is why I included a disclaimer.  I am now confident that my process returns exactly the same data you would get by going through the results in the Audit Viewer GUI.

Anyhow, using this tool so often, I started to get frustrated and wanted more information on the PID itself. I just updated the code on GitHub (https://github.com/JC-SoCal/MESMER) to offer more details on the PID.

Below is a screenshot from a case I'm working on with the new version.  Let me know what you think and whether there is a feature you want me to add.  I think I'm going to add a flag for IP addresses next.

MESMER.py searching av.db for "devil1"

Friday, May 11, 2012

Inline passive network tapping on a budget.

Recently I've had a need to actually sit between a host and its network connection to watch its traffic, because I wasn't able to interfere with the host.  I had quite a few challenges in doing this and was surprised that a lot of people who used taps didn't actually understand how to use them.

For the most part there are two types of taps, active and passive.  With an active tap you have the ability to alter traffic in real time, which is what makes it great for MITM (Man in the Middle).  A passive tap gives you only a copy of the data; you cannot modify anything.  Vendors also use a bunch of other names, like breakout, aggregating, etc.  I will only be discussing passive taps, not active ones.

Things you will need:
  • A Physical network tap.
  • A Linux computer (I used Debian 6.0.4 i386)
  • At LEAST 2 network cards (3 if you want a management network)

For passive taps there are a lot of options.  However, the thing that determines how much you will pay is whether you want 10/100 or gigabit.

Gigabit taps require power, and the devices will run around the $1,000 mark, like this one by Black Box: http://www.blackbox.com/Store/Detail.aspx/10-100-1000-Copper-Tap/TS250A

If you don’t mind dropping the connection down to 10/100, Michael Ossmann (@michaelossmann) created the Throwing Star LAN Tap, which you can buy for $14.99 from the awesome folks at Hak5: http://hakshop.myshopify.com/products/throwing-star-lan-tap

He has also recently created the PRO version, which at $39.99 adds a more professional finish and durability but is essentially the same: http://hakshop.myshopify.com/products/throwing-star-lan-tap-pro

It is important to note that Mike has installed two capacitors on his taps that force the hosts to negotiate down to 10/100.  This isn’t a horrible thing unless you’re trying to monitor high-speed traffic that requires gigabit throughput.

No matter which tap you bought, the tap has 4 ports. Looking at the graphic below, you'll see that two ports are used to connect the source host to the target host.  The other two go into the Linux box, one carrying the transmit side of the link and the other the receive side.

Basic Wiring of a Passive Network Tap
Image from: http://www.altsec.info/pnt-sensor-data.html

This is a problem because each monitor port only gives us one side of the story.  This is where our Linux box comes in.  It is going to aggregate the two interfaces (this is the reason for two open NICs) into what’s called a bonded interface, so that a single capture sees both directions.

To set up our Debian Linux box, I used the stock distro and added the following:

    sudo apt-get install ifenslave

I then wrote a bash script to do the following for me, but you can also just type the commands in one at a time:

    # load the bonding driver (this creates bond0)
    sudo modprobe bonding
    # bring both tap-facing NICs up in promiscuous mode so they accept every frame
    sudo ifconfig eth0 promisc up
    sudo ifconfig eth1 promisc up
    # bring up the bond itself, also promiscuous
    sudo ifconfig bond0 promisc up
    # enslave both NICs to bond0 so one capture interface sees both directions
    sudo ifenslave bond0 eth0 eth1

That’s it!  Fire up Wireshark and use bond0 as the interface to listen on.

To test that both the transmit and receive ports of your tap are working, ping something from either the host machine or another machine on the network.  You should see both the requests and the replies inside Wireshark (ensure that ICMP is allowed, or else your results will be misleading).
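As an added example (not the post's own script), here is a small POSIX shell helper that prints the bonding commands for review and automates the two checks you want after wiring the tap: that both slaves are up in /proc/net/bonding/bond0, and that a ping shows both directions on bond0. The interface names follow the post; the sample bonding status and tcpdump text are constructed.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumes the post's setup:
# Debian with ifenslave, interfaces eth0/eth1 slaved into bond0.

# Print the post's command sequence for a given pair of NICs without running
# anything, so it can be reviewed before being executed with sudo.
bond_commands() {
    a="$1"; b="$2"; bond="${3:-bond0}"
    printf '%s\n' "modprobe bonding" \
        "ifconfig $a promisc up" "ifconfig $b promisc up" \
        "ifconfig $bond promisc up" "ifenslave $bond $a $b"
}

# Count slaves reported as link-up in /proc/net/bonding/<bond> (read on stdin).
# The bond's own "MII Status" line comes before any "Slave Interface" and is
# skipped; each slave's status line follows its "Slave Interface" line.
slaves_up() {
    awk '/^Slave Interface:/ { s = $3 }
         /^MII Status:/ && s != "" { if ($3 == "up") n++; s = "" }
         END { print n + 0 }'
}

# Read "tcpdump -nn -i bond0 icmp" output on stdin and report which directions
# of a ping were seen. Each tap leg carries one direction, so "request-only"
# or "reply-only" on bond0 means one leg is not reaching the Linux box.
icmp_directions() {
    awk '/ICMP echo request/ { q = 1 } /ICMP echo reply/ { r = 1 }
         END { if (q && r) print "both"; else if (q) print "request-only";
               else if (r) print "reply-only"; else print "none" }'
}

# Constructed sample inputs standing in for live output.
SAMPLE_BOND_STATUS='Bonding Mode: load balancing (round-robin)
MII Status: up

Slave Interface: eth0
MII Status: up

Slave Interface: eth1
MII Status: down'

SAMPLE_TCPDUMP='12:00:01.000001 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 1234, seq 1, length 64
12:00:01.000900 IP 192.168.1.1 > 192.168.1.10: ICMP echo reply, id 1234, seq 1, length 64'

# Live use: cat /proc/net/bonding/bond0 | slaves_up
#           sudo tcpdump -nn -l -c 20 -i bond0 icmp | icmp_directions
echo "slaves up: $(printf '%s\n' "$SAMPLE_BOND_STATUS" | slaves_up)"      # 1
echo "ping seen: $(printf '%s\n' "$SAMPLE_TCPDUMP" | icmp_directions)"     # both
```

Running the live tcpdump check against eth0 and eth1 individually instead of bond0 tells you which leg of the tap is the dead one.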