Hide and Seek – Interesting uses of forensics and covert channels Tonimir Kišasondi, mag.inf., EUCIP
Nov 01, 2014
$ whois tkisason
Junior researcher @ foi.hr
Likes: security, crypto, GNU/Linux, interesting security problems
e-mail: [email protected]
skype: tkisason
$ topic of this talk
A quick overview of some interesting:
• Forensics methods
  • Memory imaging
  • Memory carving
• Covert channels
  • Detecting conventional channels
  • Creating useful covert channels
$ forensics for non-law-enforcement uses?
Useful for data recovery
You can protect your files, but you can't protect your RAM
1. Dig deep
2. Find interesting problems
3. ???
4. Profit!
$ memory imaging
/dev/mem is restricted on newer versions of the Linux kernel
Alternatives:
• Reboot the system with an imager
• PCI imagers
• Insert a kernel module that can access the address space
/dev/fmem: http://hysteria.sk/~niekt0/foriana/fmem_current.tgz
Simply dd /dev/fmem or grep -a
$ memory secrets leakage
Pidgin's passwords are stored in 5 places in memory (hexdump shown on slide); they are also kept in plaintext in ~/.pidgin
• Various pieces of plaintext / passwords can be obtained from memory
• ASLR - YMMV
• Cryptographic algorithms can be identified
  • S-boxes and P-boxes, seeds, structures
  • Initialization vectors
  • https://github.com/fwhacking/bfcrypt
$ memory carving
tony@blackbox:~/0drive$ sudo photorec /d recovery bbox-memory.img
[sudo] password for tony:
PhotoRec 6.11, Data Recovery Utility, April 2009
tony@blackbox:~/0drive$ ls recovery* | wc -l
620
$ file/mem carving
Use scalpel:
http://www.digitalforensicssolutions.com/Scalpel/
/etc/scalpel/scalpel.conf is frugal at start: uncomment the file headers you need
Good thing is we can add additional signatures...
$ memory carving
tony@blackbox:~/0drive$ sudo scalpel -o recovery/ blackbox-mem.img
Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.
Opening target "/home/tony/0drive/blackbox-mem.img"
Image file pass 1/2.
blackbox-mem.img: 100.0% |*************************************************************************************************************| 3.2 GB 00:00 ETA
Allocating work queues...
Work queues allocation complete. Building carve lists...
Carve lists built. Workload:
...
gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 855 files
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 2459 files
png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 3176 files
...
Carving files from image.
Image file pass 2/2.
$ runtime extraction of RSA/DSA keys
tony@blackbox:~$ sudo ./passe-partout 729
Target has pid 729
=> 0x7f8e0ba5c000 0x7f8e0ba68000 r-xp 00000000 08:01 3416607
=> 0x7f8e0ba68000 0x7f8e0bc67000 ---p 0000c000 08:01 3416607
...
found RSA key @ 0x7f8e0fad7e20
[X] Key saved to file id_rsa-1.key
done for pid 729
Targets: apache, openssh, openvpn
$ grep is your friend
grep -a is really useful. Try some of the following:
-----BEGIN RSA
-----BEGIN PGP
-----BEGIN OpenVPN Static
ssh-rsa
ssh-dsa
usernames
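The two recovery techniques on the carving and grep slides are the same idea at different granularity: find a known header in a raw image, then either cut up to a known footer (scalpel) or just report the offset (grep -a). The following is an added example written for this page, not code from the talk or from scalpel. The gif/jpg signatures are the ones scalpel printed above; the PEM signature, the marker list and the sample "memory image" are constructed here, and the PEM block in it is a placeholder, not a real key.

```python
"""Header/footer carving over a raw memory image, the way scalpel does it
(added example, not code from the talk). Signature tuples are
(name, header, footer, max_length)."""

# gif/jpg signatures are the ones scalpel printed on the slide; the PEM
# entry is an assumption of a signature you would add to scalpel.conf so
# the keys that `grep -a "-----BEGIN RSA"` finds get carved as whole blocks.
SIGNATURES = [
    ("gif", b"\x47\x49\x46\x38\x39\x61", b"\x00\x3b", 5_000_000),
    ("jpg", b"\xff\xd8\xff\xe0\x00\x10", b"\xff\xd9", 20_000_000),
    ("rsa-key", b"-----BEGIN RSA PRIVATE KEY-----",
     b"-----END RSA PRIVATE KEY-----", 16_384),
]

# Markers from the "grep is your friend" slide.
GREP_MARKERS = [b"-----BEGIN RSA", b"-----BEGIN PGP",
                b"-----BEGIN OpenVPN Static", b"ssh-rsa", b"ssh-dsa"]


def carve(image, signatures=SIGNATURES):
    """Return [(name, offset, blob), ...] sorted by offset. A header whose
    footer does not appear within max_length bytes is skipped, and the
    footer is kept as part of the carved blob (scalpel's default)."""
    found = []
    for name, header, footer, max_len in signatures:
        pos = 0
        while True:
            h = image.find(header, pos)
            if h == -1:
                break
            f = image.find(footer, h + len(header), min(len(image), h + max_len))
            if f == -1:
                pos = h + 1          # orphan header: no footer in range
                continue
            end = f + len(footer)
            found.append((name, h, image[h:end]))
            pos = end                # do not look for headers inside this object
    found.sort(key=lambda item: item[1])
    return found


def find_markers(image, markers=GREP_MARKERS):
    """grep -a equivalent: every offset at which each marker occurs."""
    hits = {}
    for marker in markers:
        offsets = []
        pos = image.find(marker)
        while pos != -1:
            offsets.append(pos)
            pos = image.find(marker, pos + 1)
        hits[marker] = offsets
    return hits


def summarize(found):
    """Per-type counts, like scalpel's '--> N files' lines."""
    counts = {}
    for name, _, _ in found:
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_sample_image():
    """Constructed stand-in for a memory dump (not a real capture): a tiny
    GIF, a fake JPEG, a placeholder PEM block and an orphan JPEG header,
    separated by deterministic filler that contains none of the signatures."""
    filler = lambda n: bytes((i * 37 + 11) & 0xFF for i in range(n))
    gif = b"\x47\x49\x46\x38\x39\x61" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x3b"
    jpg = b"\xff\xd8\xff\xe0\x00\x10" + b"JFIF\x00" + bytes(range(64)) + b"\xff\xd9"
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           b"MIIE...constructed placeholder, not a real key...\n"
           b"-----END RSA PRIVATE KEY-----\n")
    orphan = b"\xff\xd8\xff\xe0\x00\x10" + b"\x11" * 32   # header, never closed
    return (filler(500) + gif + filler(300) + jpg + filler(700) + pem
            + filler(400) + orphan + filler(200))


if __name__ == "__main__":
    image = build_sample_image()
    for name, offset, blob in carve(image):
        print(f"{name:8s} @ 0x{offset:08x} ({len(blob)} bytes)")
    print(summarize(carve(image)))
    print({m.decode(): offs for m, offs in find_markers(image).items() if offs})
```

The orphan JPEG header shows the caveat behind scalpel's file counts: a header with no footer in range is silently skipped, and a footer that belongs to a later object would be claimed by the first header before it, so carved counts are an upper bound on real files and a lower bound on headers present.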
$ covert channels?
Opposite from forensics :)
Data hiding: Files, protocols
"An adversary can always transmit one bit at a time"
Tony's rule 183: Any structure in a covert channel destroys its covertness.
Some interesting covert channels:
TCSteg
OutGuess
$ TCSteg -> http://keyj.s2000.at/?p=458
$ Truecryptish problems
File mod 256 == 0
Filesize > 16Kb
H(File) ~ 7.5
Header != /usr/share/misc/magic
Yes, a filesystem in an encrypted volume CAN be carved :)
TC = relatively OK
LUKS leaks... = LUKS\xba\xbe
File in file embedding leaks magic bytes
Outguess and similar known stego tools can be easily detected
$ interesting channels
Most formats that have strict footers can be "injected" – bmp for one example
Injecting data in FLV? - why not!
In short: Any structure leaks possible data.
Perfect randomness "leaks" encryption.
$ interesting channels
A typical flv/video file is highly random:
In [27]: entropy(cat)
Out[27]: 7.8086139822740126
Always map data into same character range.
Avoid disrupting changes that increase entropy
Avoid magic bytes and known patterns
Youtube/You**** is so common that you can simply hide the data in the mass traffic.
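The detection side of the "Truecryptish problems" and "interesting channels" slides, as an added example that is not code from the talk: the size/entropy/magic heuristics for spotting an encrypted container, the LUKS magic leak, an entropy function on the same bits-per-byte scale as the entropy(cat) value above, and a check for data injected behind a BMP's declared size. The magic table, the 7.5 bits/byte cut-off (the slide's "H(File) ~ 7.5" read as a threshold), the SHA-256 counter-mode filler standing in for ciphertext and the sample BMP are all assumptions made for this example.

```python
"""Detection side of the two slides above (added example, not code from the
talk): the TrueCrypt-ish heuristics for spotting an encrypted container,
the LUKS magic leak, and data injected behind a BMP's declared size."""
import hashlib
import math
import struct

# Tiny stand-in for /usr/share/misc/magic. The LUKS bytes are the ones the
# slide quotes; the others are standard file signatures.
KNOWN_MAGIC = {
    b"LUKS\xba\xbe": "luks",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"BM": "bmp",
    b"%PDF": "pdf",
}
ENTROPY_THRESHOLD = 7.5   # assumption: the slide's "H(File) ~ 7.5" read as a cut-off


def entropy(data):
    """Shannon entropy in bits per byte, 0.0..8.0 (the scale of the
    entropy(cat) value on the flv slide)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify_magic(data):
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def container_verdict(data):
    """Apply the slide's heuristics: size % 256 == 0, size > 16 KB,
    high entropy, no known header. A LUKS header short-circuits because
    it identifies the volume outright."""
    size, h, magic = len(data), entropy(data), identify_magic(data)
    checks = {
        "size_mod_256": size % 256 == 0,
        "size_gt_16k": size > 16 * 1024,
        "high_entropy": h >= ENTROPY_THRESHOLD,
        "no_known_magic": magic is None,
    }
    if magic == "luks":
        verdict = "luks"
    elif all(checks.values()):
        verdict = "possible-encrypted-container"
    else:
        verdict = "ordinary"
    return {"size": size, "entropy": round(h, 3), "magic": magic,
            "checks": checks, "verdict": verdict}


def bmp_trailer(data):
    """A BMP carries its own total size at offset 2 (little-endian uint32),
    so any bytes past that are appended or injected. Returns the trailer."""
    if len(data) < 14 or not data.startswith(b"BM"):
        raise ValueError("not a BMP")
    declared = struct.unpack_from("<I", data, 2)[0]
    return data[declared:]


def make_bmp(width=4, height=4):
    """Minimal valid 24-bit BMP, constructed for the demo."""
    row = width * 3
    pad = (4 - row % 4) % 4
    pixels = (b"\x00\x80\xff" * width + b"\x00" * pad) * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    total = 14 + len(dib) + len(pixels)
    return b"BM" + struct.pack("<IHHI", total, 0, 0, 14 + len(dib)) + dib + pixels


def pseudo_random(n, seed=b"demo"):
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing
    in for ciphertext, so the demo behaves the same on every run."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:n])


if __name__ == "__main__":
    samples = [("random-32k", pseudo_random(32 * 1024)),
               ("luks-32k", b"LUKS\xba\xbe" + pseudo_random(32 * 1024 - 6, b"luks")),
               ("bmp", make_bmp())]
    for label, blob in samples:
        print(label, container_verdict(blob))
    stuffed = make_bmp() + pseudo_random(4096, b"payload")
    trailer = bmp_trailer(stuffed)
    print("bmp trailer:", len(trailer), "bytes, entropy", round(entropy(trailer), 3))
```

Two of the slide's points fall out of the output: the LUKS sample is identified by its magic alone, no statistics needed, and the stuffed BMP is caught not by entropy of the whole file but by the structural mismatch between the declared size and the real one, with the entropy of the trailer then telling you whether what was appended looks encrypted.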
$ interesting channels
Filesystem fragmentation – no structure
• http://goo.gl/dfhfR
Distributed covert channels? – On my github soon :)
$ :)
$ Knowledge is power with biliteral cipher
$ questions?
$ Thank you
You can find the most updated version of these slides on my slideshare (tkisason).