SANS SEC575 Mobile Device Security and Ethical Hacking Review

IMG_1654I recently attended the SANS SEC575 Mobile Device Security and Ethical Hacking class in Las Vegas and I wanted to post some of my thoughts on the course.

Day One: Architecture and Management

Day one started off with a quick overview of mobile device issues that would be addressed in the course and a lab which has the students extract sensitive data from a network capture file with mobile device traffic. After that there are four “what you need to know” sections about iOS, Android, Blackberry and Windows Phone devices. The sections cover technical specifications, key points, protection mechanisms etc. These sections are well done and provide a solid foundation for the rest of the class.

The next section in the book covers building your own lab using devices, emulators and simulators. There are two exercises where you configure an Android emulator and interact with it using ADB commands. The labs throughout the entire course were very well done and helped reinforce the topics being taught.

The next portion of the book discussed Mobile Device Management (MDM) systems used for enforcing device policy settings. This section included an exercise that had you take a policy for a company and create a profile enforcing the rules of that policy using the iPhone Configuration Utility.

Mobile Malware was next up and we started off covering some basics, progressed to examining specific historical malware attacks and finished by discussing preventative measures to protect your devices. That concluded the class portion of day one but the day one book also has an Appendix on policies and practices as well as a section on miscellaneous topics.

Day Two: Security Controls and Platform Access

Day two begins with a lengthy section on mitigating the threat from stolen devices and includes an exercise where the students recover the swipe pattern from a locked Android. Backups, fingerprints and passcodes were all discussed as well.

Next up was a section on unlocking, rooting and jailbreaking iOS and Android devices. The section started off with general topics and then covered a specific iOS jailbreak and a root for an Android Nexus 7.

The next section was small but packed with great information on data storage and filesystems. Plist, SQLite and XML were all covered as were locations within the filesystem which could contain sensitive data. This section concluded with a lab where the students searched an iPhone backup to look for key pieces of information.

Most of the remainder of day two was spent covering capturing and analyzing mobile application network activity using tools such as Burp Suite, NetworkMiner and Wireshark. There were two well-done exercises in the afternoon which gave the students a chance to utilize these tools.

Tacked on to the end of the day two book was a section on Blackberry classic PIN cracking and backup access as well as a few other miscellaneous topics.

Day Three: Application Analysis

Day three brought 280 pages of hardcore application analysis and I loved every minute of it. Before I give an overview of the day’s content I would like to state that a majority of the class had little to no programming experience and still got a lot out of this section. You don’t need to be a programmer to go through the exercises you just need to understand the concepts taught and use analytical thinking.

The first section is on static application analysis (Android and iOS) and ends with an exercise analyzing an Android application.

The next section is on automating app analysis and has a lab where the student analyzes a piece of Android malware and then another where the student finds a vulnerability in an Android application that can be exploited.

Next up was a lengthy section on manipulating an application’s behavior which includes a lab on modifying Android applications.

The day ends with a short but awesome “App Analysis Walkthrough” where the author goes through the steps he took each day on a near real world analysis of an iOS application and a small section on filesystem monitoring.

By the end of the day your brain is cooked but you’ve learned quite a bit about analyzing mobile device applications in different ways.

Day Four: Penetration Testing Mobile – Part 1

Day’s four and five of this course are really interesting. Day’s one through three covered topics that were largely mobile device related but there is obviously a lot of crossover between mobile device hacking and traditional hacking and that is where day’s 4 and 5 come in.

Day four is a one day mini primer on Wireless hacking and it is FANTASTIC. It starts off with a section on wireless network scanning where it discusses topics like using monitor mode on Linux, Windows and OS X and intros a few basic tools. The first section ends with a lab where students use Kismet to figure out the SSID of a network which is hiding it.

Next up is a short but sweet section on mapping probe requests which includes a lab where the students generate a visual graph of client probe requests.

The next few sections progress through the different levels of encryption.

• On an open network with a captive portal? You’ll cover ways around it.
• On a WEP encrypted network? You’ll crack it in a lab.
• On a WPA-PSK encrypted network? You’ll discusses your options and you’ll crack one in a lab.
• Facing a WPA Enterprise network? You’ll discuss setting up your own modified RADIUS server to grab login credentials.

The day ends with a section and lab on mobile device fingerprinting.

I seriously couldn’t imagine a better one day walkthrough of wireless topics. For the small number of students who had attended the SANS SEC617 wireless or other in depth wireless courses it was a nice refresher but for everyone else it was a fantastic mini wireless course hidden within a course on Mobile Device Security.

Day Five: Penetration Testing Mobile – Part 2

What day four was to wireless day five was to web application type attacks. Day five covers network manipulation attacks like ARP spoofing, sidejacking attacks, SSL/TLS attacks, client side injection attacks, HTTP parameter tampering, XSS attacks and SQL injection.

While the tools the students use are web application testing standards like Burp Suite and SQLmap the labs have you attacking the transactions and infrastructure for mobile device applications you’re running in emulators.

Just like day four they did a fantastic job of boiling down what would have been a week’s worth of content into a day worth great overviews and hands on experience.

Day Six: Hand-on Mobile Security Event (Capture The Flag)

The CTF for day 6 of the 575 course uses the Netwars scoring engine and is very well done. Every student in class got a chance to practice the skills they had been exposed to over the past five days and it really seemed to help add to the learning process. There were the moments of frustration found in any CTF but everyone seemed to really enjoy the day.

Summary

The 575 was a very enjoyable class. There were some topics which I was already a little bit familiar with but now have a much better understanding of after a week of hands on learning and instruction from a world class expert.

The class was taught by Chris Crowley who did a great job teaching and entertaining. He seemed sincerely interested in helping students get what they wanted out of the class, had many sidebar conversations with students at break and after hours and spent the better part of one lunch period going over the previous day’s labs for a few students who wanted to see a walk through. I would take a class from Chris again in a heartbeat.

Giveway #2 Winner and Upcoming SANS course review

netwars-logoCongratulations to James Lieu for winning the paperback copy of “Hacking Exposed 7: Network Security Secrets & Solutions“.

Last week I attended the SANS SEC575 Mobile Device Security and Ethical Hacking course at Network Security 2014 in Las Vegas. It was an enjoyable class and I just finished the first draft of my index (the book for day #3 is close to 300 pages!). I plan on writing up a review of the course in the next few days.

In addition to the class I was able to spend time with some great people and participate in both nights of Core Netwars. Netwars would be fun no matter what but it was made even better by sitting with friendly and knowledgeable people. I ended up getting about half a dozen questions into level 3 and finished 14th on the alumni scoreboard. While I always feel like I could have done better Netwars is a great way to see the progress that I’ve made from year to year and I felt a lot more comfortable than I have in previous years.

Book Giveaway #2

hackingExposed7Congratulations to book giveaway #1 winner Matt Williams (@mattwilliams31) who won a paperback copy of Richard Bejtlich’s “The Practice of Network Security Monitoring: Understanding Incident Detection and Response“.

Book Giveaway #2 is for a paperback copy of “Hacking Exposed 7: Network Security Secrets & Solutions“.

Once again I’m limiting the book giveaways to U.S. residents only to keep the shipping costs down but I will do a giveaway later this year that will be open to everyone.

The drawing is open until 10/26/2014 so good luck!

a Rafflecopter giveaway

Book Review: Blue Team Handbook: Incident Response Edition

blueTeamHandbookEarlier this year I wrote an extremely short post discussing the Red Team Field Manual (RTFM) book. I’m currently on my third copy of the book (I’ve given the first two away) and I have a copy in my backpack at all times. I recently saw some traffic on a SANS mailing list about similar book geared towards blue teamers and had to check it out.

Like the RTFM, “Blue Team Handbook: Incident Response Edition” is small, affordable and is more of a collection of steps and command examples than a traditional book meant to be read from start to finish. The Blue Team Handbook covers topics such as Windows and Linux volatile data system investigation, network traffic analysis techniques, suspicious network traffic patterns and Snort configuration and usage. Amazon now lists an updated version 2.0 of the book with 20 new pages including information on database incident response.

The book is currently listed for under $14 on amazon and is perfect to keep with the RTFM in my backpack. If having a printed collection of incident response methodology and commands is something you’d like to have the Blue Team Handbook is worth checking out. When I inevitably give my current copy away I’ll have an excuse to get the new version with the database coverage 🙂

Blackhat and Defcon Article Posted on EthicalHacker.net and Book Giveaway #1

pnsm_cover_WEBMy “A First-Timer’s Experience at Black Hat and DEFCON” article I talked about in my last post is now live on the front page of ethicalhacker.net along with a picture of Kevin Mitnick and I. When the article went live earlier this week I couldn’t help inserting a mental caption of “A hacker & a hack” when I saw the picture 🙂

Even though it wasn’t a technical article I’m still quite honored to have an article on the front page of ethicalhacker.net and it’s a nice reminder of the progress I’ve made over the past two and a half years. To spread around a little of the good fortune I’m going to give away some books that I already had copies of but got additional copies of at Blackhat.

I’m limiting the book giveaways to U.S. residents only to keep the shipping costs down but after all the book’s are given away I’ll think of a small giveaway that I’ll open up for everyone.

Giveaway #1 is for one paperback copy of “The Practice of Network Security Monitoring” by Richard Bejtlich. It’s a phenomenal book that I’m sure the winner will enjoy. I’ve set this giveaway up to run between 9/21 and 10/11 so good luck to all.

a Rafflecopter giveaway

Pentesteracademy.com x86 Assembly Language and Shellcoding on Linux Course Review

Most people interested in information security have likely visited SecurityTube.net before but for those who haven’t it’s a great aggregator for videos of tutorials, demonstrations and conferences. The site’s owner Vivek Ramachandran has produced a ton of free content and a few paid courses. Late last year he transitioned all of his premium courses to a new site at pentesteracademy.com where you can access all of his courses for a monthly $39 fee.

I recently finished going through his “x86 Assembly Language and Shellcoding on Linux” course and wanted to share my thoughts on it. Before watching his videos I knew almost nothing about Assembly language or shellcode but I did know that I needed to have a good understanding of both in order to be any good at reverse engineering and exploit development.

The first seven or so videos cover a lot of system architecture and explain what the different registers are and how they’re used. This is a very tricky section because he’s explaining things that you’ll need to know for the rest of the course but they’re hard to visualize since he hasn’t started the demonstrations yet. I never felt lost during his explanations but once the demonstrations started in videos eight and nine you start applying the information from the first section of slides and it all falls into place.

Videos 8 through 21 walk the student through assembly language concepts like understanding and using the stack, loops, math, strings etc. At the end of those videos I wouldn’t say I was “good” at assembly language but I was at least getting comfortable with it. Before I started I would have looked at assembly language and had no clue what I was looking at. Now I can look at it and while I may not understand what the code is accomplishing I understand each of the little pieces and what they’re doing. Now when I look at the reverse engineering book I’m getting ready to read I don’t feel like I’m reading Klingon.

There is plenty of assembly in videos 22 through 37 but the main focus is on shellcode. Vivek explains what shellcode is, what changes you need to make in your assembly in order for your shellcode to work and writes some hello world shellcode using different techniques like JMP-CALL-POP. Once again I didn’t feel like an expert but I sure understand a lot more. Vivek then covers InfoSec specific content like encoders (both using others and making your own) and polymorphism. The series ends with a look at analyzing other’s shellcode and writing custom crypters.

I’ve gone through several of Vivek’s other videos but this is the first time I’ve gone through one of his courses start to finish. The course is exactly what I needed and I’ve already recommended to a friend who is working on learning reverse engineering but would like a better understanding of assembly. If you’re like me and hitting a point in your InfoSec studies where you realize that you need to understand some of the low level material in order to learn advanced topics this is a great resource. He really does start from square one so no prior knowledge is expected.

One of the reasons I initially signed up for pentesteracademy.com was that I was a big fan of Vivek’s word on securitytube and wanted to support his efforts. I also seem to learn a lot better from video explanations and demonstrations that I do from books. I paid $99 for the first month and $39 a month after that but he occasionally runs specials where the first month is $39. He’s been adding a lot of new content to ongoing courses and coming up with new courses so I don’t think it’s possible to go through everything unless watching videos is your full time job. I think his web app hacking course alone is up to almost 70 videos and still going.

While I was in the arsenal room at Blackhat last month I looked over and saw Vivek checking things out. I went over to him and introduced myself, thanked him for everything he taught me and had a nice conversation with him. He was incredibly friendly, gracious and humble and thanked me for my support. I saw him again at Defcon and he approached me, said “Hi Matt” and asked how I was enjoying the conference. He is a genuinely nice guy.

Even with no bonus points for being a nice guy his site is an amazing training value. He has several free videos in each series so you can get a feel for his teaching style. He just started a free “Make Your Own Hacker Gadget” series that I’m going to follow along with.

If you like video instructionals and have things like “Learn assembly”, “Learn to write exploits” and “Improve my Python” on your to-do list then pentesteracademy.com is well worth your time to check out.

On a completely unrelated topic, I had an absolute blast at Blackhat and Defcon and have already reserved a room at the Defcon site for next year. I did a write up on my experiences as a first timer which should appear on ethicalhacker.net soon. I also grabbed several signed books there which I had already purchased copies of so I’ll probably do a giveaway here for my unsigned copies of those once the article hits.

Vegas Here I Come!

In a serious contender for the  “my favorite email of the year” award I was recently contacted by Don from ethicalhacker.net and asked if I was interested in a free briefings pass for Black Hat this year. I’ve never been to Black Hat or Defcon so I jumped at the chance.

I’ll be attending Black Hat and Defcon so if anyone has any tips for a first-timer please let me know. The only thing I’m sure of so far is that I’ll keep my Wi-Fi off the entire time 🙂

I haven’t had a ton of time to study recently but what time I have had I’ve used on C and assembly language. I went through a small book on C programming to get more familiar with the language and am currently watching SecurityTube’s “x86 Assembly Language and Shellcoding on Linux” course.

I’m halfway through the course and Vivek has done an outstanding job of explaining and demonstrating the concepts of assembly language in a way that has made it easy for me to learn. I’ll probably do a more in depth review after I’ve watched more videos but I can say that at $39 a month pentesteracademy.com is a great value for learning resources.

My Reluctant New Hobby of Bitcoin Mining

As I discussed in my previous post I recently started playing with GPU password cracking. After some modifications to my desktop system my machine was cracking passwords at a rate I was quite pleased with. After I put it through its paces on a few passwords I wondered how it would perform mining crypto-currency. I had zero experience in that area so I did some internet research to help me get started.

One of the first themes I started seeing was that if your main motivation for mining crypto-currency was profit than you should likely run away. The consensus was that if you were interested in crypto, alternative currencies or other similar topics then this maybe a nice hobby for you but if your main interest in crypto-currency was money then you would be better off spending your money buying them directly rather than mining them.

One of the next things I found out was that I was not going to be able to mine for Bitcoins using my new graphics card. When bitcoin mining was just starting people were using their computer’s CPUs for mining. The next step in the evolution was bitcoin mining using graphics cards. Just like with password cracking GPUs offer a huge speed advantaged compared to CPUs. Unfortunately for GPU miners there was one more evolution: the transition to application-specific integrated circuit, or ASICs. ASICs are specially made devices that can crack a specific algorithm at a much higher rate than a GPU and usually with much lower power consumption. The downside is that when the ASICs are no longer cost efficient to use for mining purposes they have none of the other uses that a video card has.

When I started doing research into this area I almost bought a Bitmain AntMiner S1 Asic which mines SHA256 (the algorithm used by Bitcoins) at a rate of 180 GHs which is FAR faster than even multiple GPUs can mine. When I crunched the numbers a month and a half ago the price was $240 and they would mine about $5 worth of bitcoin a day. I just checked at the price hasn’t come down but due to crypto currency’s getting harder to mine as they age (by design) the devices now mine about $3.20 worth of bitcoin each day. After you account for the cost of power it’s going to be a while before the cost is recouped.

While Bitcoin is by far the biggest of the crypto-currencies there are other currencies which are often referred to as “alt-coins”. Most of these coins use algorithms other than SHA256. Some of the most common are:

Scrypt (Used by popular alt-coins such as Litecoin and Dogecoin): Within the past two months Scrypt ASICs have been released which makes GPU mining for Scrypt based crypto-currencies inefficient.

N-Scrypt (Used by Vertcoin and a few other alt-coins): There are currently no ASICs for the N-Scrypt algorithm and the developers say that if any N-Scrypt ASICs are ever developed they will fork the algorithm to render them useless.

X-11, X-13 & X-15 (Used by a larger number of alt-coins including Darkcoin and Cryptocoin): X-11 and X-13 are very GPU friendly (low temperature and high efficiency) algorithms used by a larger number of recent alt-coins. As I type this a new algorithm (X-15) is just emerging.

Since I already had a good graphics card and wanted Bitcoins the logical choice seemed to be using my GPU to mine other crypto currencies and trade those for Bitcoins. With a full time job and other obligations I don’t have a lot of time to track trends, trade currencies etc. so my best option was to join a multi-pool where a large number of individuals work together to mine crypto-currencies which are automatically exchanged for bitcoins. I found exactly what I was looking for at trademybit.com. The owner of the pool charges .05% to mine there but the pool automatically switches between whatever currency offers the best effort/value ratio for your algorithm of choice. For an extra 2% the pool will also automatically exchange all of the alt-coins you mine into bitcoins. I personally find the fees well worth the cost. The amount I earn every day can vary greatly and it’s definitely been slow lately but in the past month and a half I’ve earned around $40 worth of bitcoins. I’m not sure how much additional power I’m using by having the computer on when I otherwise wouldn’t but since I already had the equipment and I find the whole field interesting I’m more than happy with my results so far.

 

Getting started with GPU Password Cracking

Last year I decided to buy a desktop computer to keep in my home office to run VMs and eventually set up to crack passwords. I didn’t want to spend too much but I was able to find a new dell XPS on eBay with an i7 processor, 16GB of ram and 2TB of hard drive space for $700. I had used john the ripper to crack password hashes quite a few times but hadn’t messed with using a GPU to crack passwords.

A few weeks ago I decided to finally get the machine setup to use the GPU to crack passwords. I knew that ATI graphics cards tended to perform better than NVIDA cards but I had hoped that since the machine was a XPS the NVIDA graphics card in it would at least do a passable job. As I started doing some research I quickly realized that the NVIDA GX 620 currently in the machine wasn’t going to be able to crack passwords at a rate anywhere near that found in higher end cards so an upgrade was in order.

I did a little bit of reading and the ATI 7950 ($230 with a $20 rebate at newegg.com) seemed like a good option for the price. Unfortunately I knew the card would be quite a bit larger and need more power than the stock card so a new case and power supply were in order as well. I ended up grabbing an Azza 9000 case and 600 watt Corsair power supply. The total cost for the graphics card, case and power supply were just under $500 and hopefully I get back the $50 in rebates I sent off.

When the video card arrived it was instantly obvious that I made the right call by getting the bigger case as the 7950 dwarfed the gx 620.

gpu_pics

If I thought the video card was a big increase in size that was nothing compared to the monster that was the Azza 9000 case that arrived the next day. I wasn’t sure if that thing would fit through the door. I spent a few hours transferring the motherboard and installing all of the components into the new case but the process was relatively painless. When everything was said and done this is how it looked.

new_case

Once it was up and running I updated the video card drivers and installed the latest version of the password cracking program hashcat. I ran hashcat in benchmark mode to see what speeds I could expect for different password hash formats and was quite pleased with the results. AES and RIPEMD-160 TrueCrypt passwords were just under 78,000 guess a second and WPA/WPA2 handshake captures were cracked at a rate of 111,000 guesses a second. I tested a few different files and the real world results were very close to the listed benchmarks.

hashcat_speed

I’ll probably do a more in depth post on hashcat usage in the near future but right now I’m using the 15GB wordlist from crackstation (https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm). Hashcat also has some brute force and hybrid options.

If I had to do it all over again the only change I would make is getting a bigger power supply. The one I have now is perfect for the setup I have but if I ever decide to expand to a multi GPU motherboard in the future I’ll need more then 600 watts.

One unexpected side effect to this upgrade was that I backdoored myself into a new hobby. As soon as I was done testing the password cracking capabilities and the machine was sitting idle I wondered how it would perform mining crypto currencies. I’ve had a lot of fun researching the topic and trying different things and will probably write about that in my next post.

Some Basic Options When Dealing with TrueCrypt (aka Finally a Forensics Post)

I’ve recently been working on a presentation I’ll be giving in a few weeks on the topic of memory forensics. I’ve learned a ton while working on it and the old adage of “The best way to understand something is to teach in to others” has proven extremely beneficial to me.

One of the topics that required me to do some digging was on the subject of memory analysis as it relates to TrueCrypt. A few years ago I was asked to examine a system within an extremely short time frame. I looked at the software installed on the system and saw TrueCrypt. I didn’t know a ton back then but I knew enough to know that there was nothing quick about dealing with TrueCrypt.

I’m writing the post that I wish I would have had on that day a few years back. If you see TrueCrypt installed on a system and aren’t quite sure what to do with that bit of information, hopefully this quick overview and some of the resources I’ll mention help. I’m not going to cover using artifacts like prefetch files to determine if TrueCrypt is installed and how frequently it’s been used, we’ll just cover hunting for and dealing with the containers.

Locating TrueCrypt:

One of the things that makes locating TrueCrypt files difficult is their lack of a standard file signature that one would normally use to locate all of a particular file format. There is a free tool called “TCHunt” that will scan a drive or directory and look for files that may be TrueCrypt containers. TCHunt looks for miles that meet specific size requirements (file size divisible by 512 and at least a minimum size), doesn’t have the file header of a known common type and appears to contain a higher than average randomness of data which is a key indicator that the contents may be encrypted.

tchunt

 

 

 

For everything that TCHunt does it’s also amazingly quick. I ran it against a 750GB Hard drive which had over 500GB of data and the complete scan took around three minutes. The tool correctly identified all four TrueCrypt containers on the drive.

Cracking TrueCrypt:

Using Memory:

Ideally you have a memory dump which was acquired while the TrueCrypt container was mounted. In lieu of that the hiberfil.sys may have been written while the container was mounted. TrueCrypt no longer stores it’s password in memory but it does store encryption keys in memory while the container is mounted so the password doesn’t need to be re-entered every time a file is accessed. These keys can be located using tools like bulk extractor and are the key to unlocking the container.

Michael Hale Ligh wrote a great blog post on Volatility Labs earlier this year discussing identifying and acquiring these keys. In the post he references a 2011 blog post by Michael Weissbacher  where he outlines patching TrueCrypt to allow an examiner to use acquired AES keys to mount a TrueCrypt container without knowing the password. There are commercial tools such as passware and elcomsoft which will also allow an examiner to access a TrueCrypt container using keys acquired from a memory dump.

Without Memory:

If no useable memory dump is available and you still want to access a locked TrueCrypt container you’re hoping for quite a few things.

• The user used a short password
• The user stuck to the default settings (RIPEMD-160 and AES) when creating the TrueCrypt container
• You have access to a system with a powerful graphics card

Modern graphics cards (GPUs) can crack passwords at a MUCH faster rate than a computer processor (CPU) can. I recently upgraded to an ATI 7950 3GB model ($230 at Newegg) and I’m able to crack passwords on a TrueCrypt container created with default settings at a rate of 77,000 guesses per second. That sounds like a lot and it’s great for wordlists (I can go through the entire 14,000,000 word rockyou list in under three minutes) but when you start crunching the numbers on a brute forcing attempt you’ll quickly become discouraged.

If standard wordlists don’t crack the password there could be multiple causes. The user could have changed the default settings when creating the container or could have used a password not in your word lists. You could try generating custom wordlists or using your wordlists with different encryption options.

I threw one of the TrueCrypt containers TCHunt found at oclHashcat to try to crack the password. oclHashcat has multiple TrueCrypt encryption options but I tried the default RipeMD160 and AES option first.

hashcat1

It turns out that the password (123mango) was in the rockyou wordlist I was using so the password was cracked in under a minute.

hashcat2

 

 

 

 

 

 

I can’t overstate the value of having some good wordlists for times like these. Brute forcing a password 8 characters or longer is a road nobody wants to go down.

I’ve been using john the ripper for a few years but am just now starting to seriously delve into GPU password cracking so I’d love to hear any tips, techniques or stories you have on these topics.