Tag: REMnux

Designing Internet Access for Compromised Systems

DFIR, DIY, Malware, USB

Virtual machines are a godsend when it comes to malware analysis. Granted there a many malware samples that may have capabilities to detect if they are operating in a virtualized environment and thus respond differently. Many, though not all of these, can be mitigated by patching the malware binary, or tricking it into a false result before needing to look at the sample on a bare-metal system.

When I’m looking at a piece of malware, I’ll run it through a number of environments, gradually permitting external access once I have an idea of what the malware’s capabilities look like. Initially when detonating samples, I’ll have the target endpoint and a REMnux virtual machine running inetsim operating on an isolated network. Rather than re-invent the wheel, here’s a solid article on setting up an isolated network on VMware ESXi.

At some point I want to enable access to the internet to observe command and control (C2) and any dropper activity. I don’t want there to be an avenue for the malware to be able to interact with any other assets whether on my lab network, or outside it. One way to solve this would be networking and introducing a router to broker the network access. It’s been a while since I had my CCNA and I had some hesitations about getting it right without impacting other services in a very internet dependent household. What I wound up going with instead is a completely separate internet connection for the malware network utilizing a LTE hot-spot.

I run my lab environment on ESXi environment using an Intel NUC. The model I have only has one onboard NIC. The easiest way to add another physical adapter was with a USB Gigabit Ethernet adapter for a measly $13 on amazon. ESXi will not detect this adapter out of the box. Follow the process on this article to configure the USB network adapter for ESXi. You will need to download the USB Network Native Driver for ESXi. Be sure to select the appropriate version to match the version of ESXi you’re running. I’m sure there’s an interesting story on why VMWare calls these ‘Flings’ but that knowledge escapes me.

If all goes as it should, and doesn’t it always, you should see second physical adapter (vusb0) in the ESXi console.

USB network adapter shown as vusb0

For the secondary internet access, I wound up going with a Netgear LM1200 LTE Hotspot. I like this device because you can configure it to use an LTE connection as a backup if your primary wired internet service is down. I may utilize that in the future but for now it’s only used on the malware network without any connection to the primary LAN. Based on my current cellular plan I was able to add the minimum hotspot plan for $10/mo. A worthy investment for me for the peace of mind that I’m (less likely) to compromise the rest of my network when experimenting with live malware. It will also (one would hope) keep my home IP off any watchlists for malware beacons, or anyone else tracking where different samples are detonated from. As Mr. Heller sagely said, “Just because you’re paranoid doesn’t mean they aren’t after you.”

The same setup could be very useful for responding to compromises in isolated enterprise or manufacturing environments. If you need to have the device access the internet (maybe to upload evidence to you Forensics Service Provider (FSP)), but don’t want to maintain a connection to the corporate LAN due to suspected compromise, this solution would work for that.

Once I had the hotspot up and running, the LAN connection on the hotpot gets connected to the USB ethernet adapter. Then go back to ESXi to the isolated network you created before, the one that you were warned “NO UPLINK”, and use the ‘Add uplink’ function and add the vusb0 device. You can adjust the settings on the LTE hotspot for DHCP if needed as long as the device is in Router (not Bridged) mode.

Malware network with external internet access

That’s it. Now when the infected computer needs to get to the internet, all traffic will go through the LTE connection and the infected systems remain isolated from the primary network.

Release the hounds and observe

If I’m in a situation where I absolutely need to run the malware on a bare-metal system I can connect using the LTE modem without threat to any of the other physical systems.

Adding SIFT and REMnux to your Windows Forensics environment

DFIR

I’ve been a fan of the SIFT Linux distribution from my very first SANS class. I think back then Ed Skoudis was teaching Nmap subnetting on an abacus, but still it’s been a loyal companion ever since. I’ve got an archive of all the distributions (with their class specific tweaks) from all the courses I’ve taken throughout my career. Recently, I’ve been using REMnux, another SANS Linux distribution, specifically for Volatility 3 for memory analysis and some of the other tools for malicious document examinations.

Through all these years of use, it was almost all leveraging virtual machine (VM) images. Often there was at least one machine in my home lab that had SIFT running as the native OS – for when I had something processor or memory intensive to run. The challenge with VM’s is that they’re competing with the host system for resources. As Moore’s Law has advanced so have the clock cycles at my disposal – but there’s still always going to be a trade-off, so scale your systems appropriately.

A little over a year ago, I started using the “packages only” or “server mode” of the SIFT distribution, running under Windows Subsystem for Linux (WSL) on a Windows 10 machine. The installation wasn’t always smooth but once it was running – good times. I now had all my favorite Linux forensics tools running side by side on my Windows system.

The SIFT distribution was recently updated with full support for the latest LTS version of Ubuntu (20.04). REMnux as a standalone has been on 20.04 for a while. What I’m going to walk you through here is how to install both SIFT and REMnux within WSL, and how to backup and share your customized install.

Prerequisite 1: Up to date Windows 10 system.

Prerequisite 2: Install Windows Subsystem for Linux (WSL) https://docs.microsoft.com/en-us/windows/wsl/install-win10

Once WSL is enabled and you’ve done the reboot if required, go the the Microsoft Store and install the latest version of Ubuntu. https://www.microsoft.com/en-us/p/ubuntu/9nblggh4msv6?activetab=pivot:overviewtab

Installing SIFT on WSL

On the first boot, Ubuntu will have you specify a username and password. Forensicator works for me and doesn’t present any OpSec issues if I have to include screenshots in reports (or intriguing blog posts).

Before installing SIFT, ensure the OS is up to date by running sudo apt update && sudo apt upgrade

Elevate to root to for the installation, otherwise there may be permissions issues during the install. sudo su

Follow the instructions here to install the SIFT CLI (Command Line Interface): https://github.com/teamdfir/sift-cli#installation

Install SIFT within WSL using the syntax sift install –mode=server

The process could take a while depending on both your hardware resources and internet speeds. Feel free to browse other posts here at Baker Street while you wait. Just make sure you come back as there’s more to do.

Adding REMnux to SIFT

Once the SIFT distribution is installed, we’re going to add the REMnux distribution over the top. Doing so will provide you the full toolset of both distributions, all running in one WSL instance.

We’ll use the process here to Add [REMnux] to an Existing System https://docs.remnux.org/install-distro/add-to-existing-system

Note: After the install, REMnux will suggest you reboot the pc. How do you reboot an Ubuntu instance in WSL? Open a PowerShell window as Administrator and type Get-Service LxssManager | Restart-Service

**update – If you’re running WSL 2, the command to ‘reboot’ WSL is 

wsl --shutdown

When you launch the instance the next time wsl will start.

Great! Now we’ve got the full tool stack from both – running within our Windows environment. I prefer using WSL over a VM when I have the opportunity as the overhead resources used to run the 2nd OS (Ubuntu) in WSL is less intensive than booting up a full VM.

Just one more step and we’ll be able to backup, copy and reload the customized build.

Exporting your SIFT-REMnux Distro

Exporting your build will enable a number of things. If your environment gets corrupted for any reason you can reload the build from a known good state. You can also use this format to share the installation with members of your team so you’re all working from the same toolset. This also works well to add this customized build to a system that may have restricted or limited internet access and cannot access all the necessary repositories to pull down the tools.

In a PowerShell window as Administrator, wsl -l will list the installed WSL distributions. In this case the only installation is the Ubuntu installation we just customized.

In this example I’m exporting the instance to a location on a D:\ drive with the filename of SIFT-REMnux.tar. The syntax is wsl –export [name of WSL instance] [export file path and file name]. Tar is the required format for backing up and restoring WSL instances.

Voila! You’ve now got a backup of your SIFT and REMnux WSL installation. On the last step I’ll show you have you can import the customized distro to another Windows 10 system.

Importing your SIFT-REMnux Distro

Note: the new system will need to have WSL enabled as discussed in the beginning of the post. The Ubuntu distro does NOT need to be installed.

To import the distro use the syntax wsl –import [desired name for distro] [file path where distro will live] [tar file being imported]. In this case I have the .tar file in C:\WSL and will be installing to C:\WSL\SIFT-Linux folder. Once again you want to use an elevated PowerShell session to perform the import.

That’s it. You’ve now added the customized SIFT-REMnux WSL instance to your system.

Once the process completes you can verify the distro was loaded using the wsl -l command

In this case I had a previous Ubuntu 18.04 instance, and now the new SIFT-REMnux instance is visible as well.

To invoke your SIFT-REMnux instance wsl –distribution SIFT-REMnux

To validate the running version numbers for SIFT and REMnux use sift -v and remnux -v respectively.

CHEERS!

Magnet Weekly CTF, Week 12 Solution Walk Through

CTF, DFIR

The final challenge (#12) – Part 1:

What is the PID of the application where you might learn “how hackers hack, and how to stop them”?

Format: #### Warning: Only 1 attempt allowed!

The first thing I did was open the memdump file in HxD Hex Editor. A quick search found several hits.

I considered mapping the Offset back to the process memory but before going down that road (anticipating it to be math heavy) I decided to drop the individual process memory instead. Looking at the text surrounding “How Hackers Hack…” it appears to be html code. Looking even closer I’d say that it was in response to a search request for “how to stop getting hacked over and over.” Based on that I knew I’d be looking for a browser process.

Running pslist in Volatility we see that there’s multiple browser processes running for both Chrome and Internet Explorer.

I decided to focus on the iexplore.exe processes for Internet Explorer first – for 2 reasons. 1 – there were less running than Chrome so it was a smaller set to work through first. 2 – I did happen to find a Parsed Search Query in Axiom for “how to stop getting hacked over and over.”

The URL indicates a search from Bing.com. Only a sociopath would use Bing to search within Chrome so Internet Explorer it is.

I used the memdump Volatility plugin to dump the process memory for both IE processes.

Next I ran strings against each dump file to see if there was a hit.

We see that in the second file 4480.dmp (associated with PID 4480) contains the content we’re looking for. What is the PID of the application where you might learn “how hackers hack, and how to stop them”? 4480 [Flag 1]

The final challenge (#12) – Part 2:

What is the product version of the application from Part 1?

Format: XX.XX.XXXX.XXXXX

OK, so we need to know what version of Internet Explorer was used for the Bing search. Off to the Google to find that the IE version information is stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer in the svcVersion value.

From here I mount the full memory image using MemprocFS.

Using the file structure to navigate to the registry key I open svcVersion.txt and verify that the IE version running is 11.0.9600.18860. Back to the scoreboard to submit the bittersweet ending to a very fun challenge and ….. WRONG.

Hmm, so everything I knew (which was limited to be honest) told me that I had the version right, but that wasn’t the right answer. Over on the Discord channel I saw I wasn’t the only one to have the same quandry.

I waited and lurked, waited and lurked – but wasn’t seeing any update to the question. The following day while meditating on the matter in the shower I was thinking about what other means existed to identify details like this.

I used the procdump Volatility plugin to dump the process executable for PID 4480.

Once I had executable.4480.exe I uploaded the file to Virus Total.

Scrolling down on the details tab we see that the exe is correctly identified as Internet Explorer and shows a File Version of 11.00.9600.18858. This is very similar to what we identified earlier (…58 vs …60).

Answer: 11.00.9600.18858 [Flag 2] CORRECT!

I’ll be very interested to learn how others who got the flag identified the correct version information. I suspect there’s additional artifacts that I didn’t explore that hold those clues but for the time being – it’s a mystery to me.

Who am I kidding? It’s gonna be killing me til I know the answer.