Saturday, May 29, 2010

Some more stuff...

Registry
I've been working on a book on forensic analysis of the Windows Registry, and I was adding something to my outline the other day when I ran across Chris's blog post on how to crack passwords using files from an acquired image. Nothing quite like freeware to get the job done, eh? I guess one of the issues is that there's a "cost" associated with everything...you either pay a lot of $$ for a commercial package, or you "pay" by having to learn something that doesn't include pushing the "find all evidence" button. Kind of makes me wish for Forensicator Pro! ;-)

This is pretty cool stuff, particularly when you use it in conjunction with the samparse plugin, and this information about User Account Analysis. I know I keep referring back to that post, but hey...there are a LOT of analysts out there who think that the "Password Not Required" flag in the SAM means that the account doesn't have a password, and that's not the case at all.

Two things about this: first, some things (like this) bear repeating...again and again. Second, this is why we need to engage and be part of the larger community. Sitting in an office somewhere with no interaction with others in the community leads to misconceptions and bad assumptions.

Contacts and Sharing
Speaking of communities and sharing, Grayson had an interesting post that caught my eye, with respect to sharing. Evidently, he recently found out about a group that meets in Helena to discuss security, hacking, etc. This is a great way to network professionally, share information...and apparently, to just get out and have a sandwich!

Speaking Engagements
I've blogged recently about some upcoming speaking engagements, conferences where I and others will be speaking or presenting. My next two presentations (TSK/Open Source and the SANS Forensic Summit) will cover creating timelines, and using them for forensic analysis. The content of these presentations will be slightly different, due to time available, audience, etc. However, they both address timelines in forensic analysis because I really feel that they're important, and I'm just not seeing them being used often enough, particularly where it's glaringly obvious that a timeline would be an immensely powerful solution.

Yes, I know of folks who are using SIFT and log2timeline...I've seen a number of comments over in the Win4n6 Yahoo group. That's some real awesome sauce. I've written articles for Hakin9, including this one, which walks the reader through using my tools to create a timeline. I've done analysis of SQL injection attacks where a timeline consisting of the web server logs and the file system metadata basically gave me a .bash_history file with time stamps. I've created and used timelines to map activity across multiple systems and time zones, and found answers to questions that could only be seen in a timeline.

So, at this point, for those of you who are not creating timelines regularly, what is the biggest impediment or obstacle for you? Is it lack of knowledge, lack of access to tools...what?

Podcasts
Speaking of speaking engagements...I'm scheduled to be on with the guys from the Securabit podcast on 2 June. I'm a big fan of Ovie and Bret's CyberSpeak podcast and these kinds of things are always interesting. Most recently, I listened to the interview that included Dr. Eric Cole...whom I once worked with when he was at Teligent (I was with a consulting firm), albeit only for a couple of weeks.

I've also been on Lee Whitfield's Forensic4Cast podcast. Lee and Simon are swinging the Forensic4Cast Awards 2010, which they started last year...if you're planning to be at the SANS Forensic Summit this July (and even if you're not), be sure to enter a nomination and vote. You can view the 2009 awards here.

CaseNotes
There's an updated version of CaseNotes available...you do keep case notes, right? Chris blogged on it, as well as the importance of keeping case notes.

2 comments:

Jimmy_Weg said...

>Nothing quite like freeware to
>get the job done, eh?
ophcrack does indeed work very well and provides a couple of free tables. They often work within a minute. However, the complete set of ophcrack tables is about $1,000. I've had about a 20% success rate with the free set.

Concerning the other blog, ophcrack accepts a hash set as LM:NTLM, so I suspect that's what Chris meant in his description when he referred to his NTLM hash. The NTLM hash actually is the second hash, which follows the colon. In Vista+, the LM is not used.

One also can generate his or her own tables, using a free tool like Winrtgen. http://www.oxid.it/projects.html

Tables aside, there are some incredible (free) tools that mount a brute force attack with amazing speeds. I use these after a table attack fails and often achieve results, albeit over several hours or a couple of days. Sometimes it's a matter of minutes. Most of these tools run on GPUs on NVIDIA CUDA or ATI cards. Some employ CPUs in additon or alone. I can usually run 100 to 500 million P/S, and a high end card ($350 - $650) can hit >1 billion on at least certain hash types. I suspect that you'll crack the average dictionary-crackable password faster than a well known name brand tool that's $$$. Moreover, you'll readily crack certain passwords that the $$$ tool likely will not crack within a reasonable time frame, if ever.

Jimmy_Weg said...

>there are a LOT of analysts out
>there who think that
>the "Password Not Required" flag >in the SAM means that the account
>doesn't have a password . .

Oops, forgot to comment. This is a widely held misconception, but the wording used by the tools to describe the output could stand a little adjustment. I'm also unsure of exactly what the MS explanation means. For example, I have an account that has a password, which must be entered to log on to Win 7. No minimum length is set (0), and complexity is not enabled. Registry Viewer reports "Password required=true," and RR does not report the "Password not required" remark.

Maybe some testing is in order using different systems. Would it be better to phrase the output as "Password policy (not) in effect"? I also would assume that one could set a minimum length without complexity, but not the converse.