
Tuesday, 27 December 2011

Using SIFT to Crack a Windows (XP) Password from a Forensic Image

In the previous post, we focused on retrieving Windows login passwords from a memory dump using Volatility.

But what happens if you don't have a memory dump / only have a forensic image of the hard drive?

Well, Rob Lee has kindly provided the tools in the SANS SIFT (V2.12) workstation and Irongeek has previously posted a how-to-guide. Additional information is also available in "Windows Registry Forensics" by Harlan Carvey (p 95) which describes other tools that can be used to crack Windows passwords (eg pwdump7, Cain, ophcrack).

For this exercise, we will be using the M57 Jean image (mounted as before) and seeing if we can extract any Windows passwords.
Windows (XP) uses a "bootkey" to encrypt the SAM password hashes so we need to determine this (using bkhive) first. We can then retrieve the unencrypted password hashes (using samdump2) and crack them using John The Ripper.

Note: With this knowledge comes great responsibility - seriously, please don't abuse it.

At a terminal command prompt:
1. Type "bkhive /mnt/m57jean/WINDOWS/system32/config/system saved-system-key.txt"

which should give the following output:

bkhive 1.1.1 by Objectif Securite
original author:

Root Key : $$$PROTO.HIV
Default ControlSet: 001
Bootkey: 02d709efb8514a2fc7474b28a30e0180

The "saved-system-key.txt" file now contains the bootkey.

2. Type "samdump2 /mnt/m57jean/WINDOWS/system32/config/SAM saved-system-key.txt > jean-passwords.txt" to extract the hashes and store them in "jean-passwords.txt".

The screen output looks something like:

samdump2 1.1.1 by Objectif Securite
original author:

Root Key : SAM

And we can view the contents of "jean-passwords.txt" by typing "more jean-passwords.txt":


Note: looking at the first hash group ("aad3b435b51404eeaad3b435b51404ee") for each login suggests that they all have the same password except for "HelpAssistant".
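Before handing a dump to john it is worth checking it for accounts whose stored hashes are the well-known hashes of an empty password: the LM value is "aad3b435b51404eeaad3b435b51404ee" and the NT value is "31d6cfe0d16ae931b73c59d7e0c089c0". The shell script below is an added example (not part of the original post and not one of the SIFT tools); its sample dump lines are constructed, and the non-empty hash values in them are invented placeholders rather than hashes from any real image. It also splits an LM hash into its two 16-hex-character halves, since LM hashes each 7-character half of the password separately, which is why john reports a long LM password as two separate halves.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a samdump2/pwdump
# style dump before cracking it. Each line has the form
#   user:rid:lmhash:nthash:::
# These two constants are the well-known hashes of an EMPTY password:
EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"   # LM hash of ""
EMPTY_NT="31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of ""

# Constructed sample dump. The HelpAssistant hash values are made-up
# placeholders, not real hashes from any image.
SAMPLE_DUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
jean:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'

# Read dump lines on stdin and print "user rid status", where status is:
#   blank   - both hashes are the empty-password hashes (no password set)
#   lm-set  - an LM hash is stored (weak: each 7-char half cracks separately)
#   nt-only - LM value is the empty one but the NT hash is set (LM storage
#             disabled, so an empty LM value alone does NOT prove a blank password)
classify_dump() {
  awk -F: -v lm="$EMPTY_LM" -v nt="$EMPTY_NT" '
    NF >= 4 && $3 != "" {
      if ($3 == lm && $4 == nt)  status = "blank"
      else if ($3 != lm)         status = "lm-set"
      else                       status = "nt-only"
      print $1, $2, status
    }'
}

# Number of blank-password accounts in a dump read from stdin.
count_blank() { classify_dump | awk '$3 == "blank" { n++ } END { print n + 0 }'; }

# Names of accounts that still have an LM hash stored, one per line.
lm_accounts() { classify_dump | awk '$3 == "lm-set" { print $1 }'; }

# LM hashes each 7-character half of the password independently. If the second
# 16-hex-char half equals the empty half, the password is 7 characters or fewer.
lm_second_half_empty() {
  [ "$(printf '%s' "$1" | cut -c17-32)" = "aad3b435b51404ee" ]
}

# Stand-alone run: classify the constructed sample dump.
printf '%s\n' "$SAMPLE_DUMP" | classify_dump
```

Run it against a real dump with `classify_dump < jean-passwords.txt` after sourcing the script. The "nt-only" case is the caveat to remember: on systems where LM hash storage has been disabled, every account shows the empty LM value whether or not it has a password, so the NT hash must be checked before concluding that a login had no password.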

3. Type "john jean-passwords.txt" to brute force the password hashes. You might need to copy the "john.conf" to the local directory if you haven't already done this (see the previous post exercise's step 8).

The output should be something similar to:

Loaded 2 password hashes with no different salts (LM DES [128/128 BS SSE2])
guesses: 0  time: 0:00:00:35 (3)  c/s: 9522K  trying: JD43877 - JD43804
guesses: 0  time: 0:00:01:36 (3)  c/s: 12533K  trying: MDLIDL - MDLA39
guesses: 0  time: 0:00:01:48 (3)  c/s: 12610K  trying: H2OUB1$ - H2OUGY!
guesses: 0  time: 0:00:13:20 (3)  c/s: 15198K  trying: EL3CFR9 - EL3CFSU
guesses: 0  time: 0:00:19:48 (3)  c/s: 15325K  trying: VWATIBN - VWATLA.
guesses: 0  time: 0:00:27:03 (3)  c/s: 15364K  trying: 4VA1RWW - 4VA1TA4
guesses: 0  time: 0:00:27:09 (3)  c/s: 15367K  trying: R318IP8 - R318I2T
guesses: 0  time: 0:00:37:19 (3)  c/s: 15617K  trying: 3LP7VNZ - 3LP7V40
2KPLRCM          (HelpAssistant:2)
guesses: 1  time: 0:00:39:55 (3)  c/s: 15300K  trying: KMX1MP1 - KMX1MCS
guesses: 1  time: 0:00:48:17 (3)  c/s: 14007K  trying: GMEL-1D - GMEN315
guesses: 1  time: 0:01:00:39 (3)  c/s: 12784K  trying: IEH;G F - IEHKIQN
guesses: 1  time: 0:01:07:02 (3)  c/s: 12274K  trying: HX0RW8F - HX0RJE0
guesses: 1  time: 0:01:16:48 (3)  c/s: 11733K  trying: J SJF5Y - J SJFP5
guesses: 1  time: 0:01:26:37 (3)  c/s: 11303K  trying: LL*MKH0 - LL*MKT2
guesses: 1  time: 0:01:30:49 (3)  c/s: 11166K  trying: MKGU97X - MKGU90L
guesses: 1  time: 0:02:03:45 (3)  c/s: 10335K  trying: LT8HFGI - LT8HFMG
guesses: 1  time: 0:02:21:02 (3)  c/s: 10011K  trying: K_)LILG - K_)LLS&
guesses: 1  time: 0:02:22:42 (3)  c/s: 9970K  trying: ZW6RCD@ - ZW6RB5Z

and if you keep waiting .... eventually (several hours later on my VM)

LL@1WI8          (HelpAssistant:1)

4. Typing "john -show jean-passwords.txt" will show the results in full:


11 password hashes cracked, 0 left

So we can conclude that there was only one password set ("LL@1WI82KPLRCM" for "HelpAssistant"). It appears that all other logins did not use a password - Oh The Horror!
We can then infer that access to the Windows system is/was effectively uncontrolled and anyone could have used it. This plants some seeds of doubt when trying to attribute a user's activities to a particular person.

A quicker password cracking method would be to use ophcrack (also provided on SIFT) and download the XP rainbow table(s). The rainbow table contains pre-calculated results to compare the hashes to so the process should run much quicker.
Looking at the ophcrack tables info page shows that we would need to use the XP Special (7.5 Gb) table to handle the special "@" character in the "HelpAssistant" password.
This table is not free so that's where I'll choose to end this exercise (cheap b@stard!). The smaller free tables only handle upper and lower case letters and numbers - no special characters. Just for completeness, I'll probably do a future post about ophcrack using the hashed SAM passwords from the Volatility post - none of those passwords use special characters.

Saturday, 19 November 2011

Practice Investigation (Pt 3 - Final)


Welcome to the M57 entry where I present what I learnt during this investigation. Due to its ongoing use, I have removed my results/analysis section. I have also removed any comments mentioning any tools/strategies.

Learning Outcomes:

I spent several days on this - the briefing PDF mentions spending "until lunch" using EnCase (LOL!).
This investigation took a lot longer than I estimated - part of it was learning about/setting up the tools, part of it was discovering Windows places of interest (eg Registry artefacts), part of it was the snoopy factor ("What has this user been up to?") and part of it was just repeating commands so I could document the results more comprehensively. I am still not 100% sure that someone from the company was NOT involved with the bogus email but I can't seem to find anything to support it.

In the future, I should pay more attention to documenting my progress as I investigate. I was using an old-fashioned notebook and pen - maybe I should be using a text file / word document? It would certainly make capturing the command lines / paths much easier.
By learning on the fly/diving in and not having a set process to follow, I don't think I was maximising my efficiency either. Still, I guess you have to walk before you run etc.
Also, all details from the client brief should be confirmed/verified before starting - I spent quite some time searching for a .xlsx file as stated in the PDF brief only to find it was a .xls file.

'Nother practice scenario which might interest y'all (see, I can speak like a Southerner too!) is:
In this scenario, possessing more than 9 Rhino pictures has been declared illegal in New Orleans (those dirty Rhinos!). You've been tasked to find as much evidence as you can from 3 tcpdumps and a 256 Mb USB key dd image. This is good for gaining experience using the WireShark network analyser (also included on SANS SIFT) and "foremost". And they have kindly supplied the answers too!

Monday, 14 November 2011

Practice Investigation


The first image my study partner and I decided on is located here:

It's an investigation into how a spreadsheet was exfiltrated from a laptop. The laptop image is contained in 2 EnCase files (.E01 & .E02, 3 Gb total) which you can look at using a methodology similar to what's listed in "Digital Forensics with Open Source Tools" by Altheide & Carvey (the "Simon and Simon" of Computer Forensics, if I might be so bold / old).

Note: the case briefing pdf lists a different filename / filetype for the spreadsheet. I tried doing a "m57plan.xlsx" keyword search but didn't find it - using FTK Imager I found it as "m57plan.xls". Double-DOH! Live and learn ... take client briefings with a grain of salt?

We have both installed VMware Player 3 thru which we use the SANS SIFT Ubuntu virtual workstation (1.8 Gb download).
The SIFT workstation already contains several of the tools mentioned in Altheide & Carvey plus more. There's unallocated file carving, email extraction from PST files, RegRipper, FTK Imager just to name a few and all for FREE!
Be sure to download the VM "Distro version" ZIP file and not the bootable ISO image. SANS have set it up so you can unzip that file and then use VMWare Player 3 to open the "SIFT Workstation 2.1.vmx" file (via File, Open a New VM and then select the .vmx file). Keep the ZIP file after extracting it so that after each case you can delete the SIFT VM in VMWare player and start again fresh. Anyhow, once you've told VMWare Player where to find the .vmx file you just "play it" by double clicking on it. Everything should be automatic from then on and hopefully you get the login window.

Ubuntu will probably run a bit slower via VMware than if installed separately but I found it OK using a circa 2003 single core Athlon64 with 2 Gb RAM running WinXP. And this way, I didn't need to spend time reformatting or dual booting the sucker and/or if I stuff up the SIFT, I can easily reset to a known good state. There's a pretty helpful forum if you have Ubuntu issues.

Tools Used:

VMWare Player 3.1.5 - you might have to sign up first (for free)
SANS SIFT Workstation - requires a SANS login (free)
Forensic Corpora Jean Encase Image


To find out:
- When did Jean create this spreadsheet?
- How did it get from her computer?
- Who else from the company is involved?

Setup Method:

A. Install SANS SIFT Virtual machine under VMWare Player 3 (as described earlier).

B. Download/Copy Jean's Encase files (.E01 & .E02) to the SANS SIFT VM "/cases" directory.
I used Windows File Explorer to copy the 2 EnCase files to the "cases" folder on the SIFTWorkstation in the SANS workgroup but you could also download it directly to the SIFT using the SIFT Firefox browser.

C. Mount the EnCase image read-only so that its contents can be seen from the Ubuntu OS.
This blog describes how to do it (more or less):

The SIFT 2.1 VM has most of the software/tools mentioned in the blog already installed / configured.
And pp 20-22 of "Digital Forensics with Open Source Tools" (Altheide & Carvey) details a similar process.
But there is one complication - the SIFT VM doesn't seem to recognise the HPFS (High Performance File System) / NTFS filesystem of the given EnCase files. The blog example doesn't mention this as a problem but I couldn't follow the blog/book procedures without getting errors.
I ended up using the Ubuntu Synaptic Manager (from the System, Control Center, Synaptic Package Manager menu) to install the "ntfs-config" package/software and Ubuntu then recognised/mounted the image. Not 100% sure why, but it seems to work ...
The Synaptic Package Manager is a GUI for installing Ubuntu software packages. It's kinda like the App Store for iPhones. However, unlike iPhones you can also download source code separately and compile/build it on your Ubuntu system, e.g. if it's not available as a package.

So here's the full procedure I ended up performing:
  1. Boot up SIFT VM and login as sansforensics (password is "forensics" ... shhh! )
  2. At a terminal window, use the command "sudo su -" to login as root so we can issue commands with the appropriate privileges i.e. make data accessible/mount stuff.
  3. Use the command " /cases/nps-2008-jean.E* /mnt/ewf/" to combine the two evidence files into a single Unix style image file called "/mnt/ewf/nps-2008-jean" (note: we use the "nps-2008-jean.E*" argument so it picks up all EnCase parts). Afterwards, there will also be a text file containing the MD5 hash as originally calculated by EnCase. You can then use the command "md5sum /mnt/ewf/nps-2008-jean" to calculate a local MD5 hash for comparison with EnCase but it took a few minutes on my VM.
  4. Install the "ntfs-config" package using the Synaptic Manager.
  5. Use "losetup -o32256 -r /dev/loop0 /mnt/ewf/nps-2008-jean" to map the image file to a loop device (ensuring you specify the offset 32256 so the loop device is mapped to the Filesystem and not the beginning of the disk image. Blog/book has more info).
  6. Use "mkdir /mnt/m57jean" to create a mountpoint directory that we can use later.
  7. Use "mount /dev/loop0 /mnt/m57jean/ -o loop,ro" so we can map the loop device to a read only directory.
  8. As a test, use "ls -al /mnt/m57jean" to list the contents of the filesystem. You should see your typical Windows XP folder structure eg Documents and Settings, Program Files etc.
So to summarise, we've combined the 2 EnCase image files into one large image file and then mapped it to a read only directory called "/mnt/m57jean".

This article also has more information on read-only mounts for SIFT:

Some other potentially useful information:
Between steps 4-7 above, you can also use "fdisk -lu /mnt/ewf/nps-2008-jean" to show the partition table and filesystem type info. Note that fdisk labels NTFS partitions as "HPFS/NTFS" because both filesystems share partition type id 0x07; the start sector it lists is also where the byte offset used in step 5 comes from.
If you need to unmount a directory, use "umount /mnt/m57jean" for example.
If you need to reset the loopback device, you can use the "losetup -d /dev/loop0" command.
If you restart the SIFT, it will lose all the mounting stuff and you'll have to do it all over. This can be helpful if you make a mistake and can't figure out how to recover.
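As an added example (not the post's own commands and not a SIFT tool), here are steps 3 and 5-7 plus the umount/losetup cleanup wrapped into shell functions, with the two checks a practitioner would want: the image hash is verified before anything is mounted, and both the loop device and the mount are read-only. The script name mount_image.sh, the function names and the expected-hash argument are assumptions; the paths are the ones used in the post. The 32256 offset from step 5 is 63 sectors * 512 bytes, which is where the first partition of a classic XP disk begins, so the script derives it rather than hard-coding it.

```shell
#!/bin/sh
# Added example (not from the original post): helper functions wrapping
# steps 3 and 5-7 plus the umount/losetup cleanup. Paths are the ones used
# in the post; the script/function names and arguments are assumptions.

# Byte offset of a partition from its start sector and the sector size.
# The post's 32256 is 63 sectors * 512 bytes, where the first partition of a
# classic XP disk begins.
partition_offset_bytes() {
  echo $(( $1 * $2 ))
}

# Compare the MD5 of an image file with an expected value (e.g. the hash
# EnCase recorded at acquisition). Returns 0 on match, 1 on mismatch.
verify_md5() {
  actual=$(md5sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$2" ]
}

# Attach the image read-only to the first free loop device at the given byte
# offset and mount it read-only. Needs root; prints the loop device used.
mount_image_ro() {
  image=$1; offset=$2; mountpoint=$3
  loopdev=$(losetup -f)                         # first free loop device
  losetup -o "$offset" -r "$loopdev" "$image"    # -r: read-only mapping
  mkdir -p "$mountpoint"
  mount -o ro,noexec "$loopdev" "$mountpoint"    # ro: never write to evidence
  echo "$loopdev"
}

# Reverse of mount_image_ro: unmount the directory and detach the loop device.
unmount_image() {
  umount "$1"
  losetup -d "$2"
}

# Stand-alone use (as root), e.g.:
#   sh mount_image.sh /mnt/ewf/nps-2008-jean <expected-md5> /mnt/m57jean
# (<expected-md5> is a placeholder for the hash recorded by EnCase)
if [ "$#" -eq 3 ]; then
  verify_md5 "$1" "$2" || { echo "MD5 mismatch: image may be damaged" >&2; exit 1; }
  mount_image_ro "$1" "$(partition_offset_bytes 63 512)" "$3"
fi
```

Running verify_md5 again after the examination, on the same image file, gives a simple demonstration that the read-only mount did not alter the evidence; the start sector for partition_offset_bytes can be read from the "fdisk -lu" output mentioned above rather than assumed to be 63.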

You can also load up FTK Imager to preview the .E01 file directly from "/cases" but while you can browse the files thru FTK Imager, the other SIFT tools won't be able to read the EnCase format.
You can also browse the "/mnt/m57jean" folder using the Ubuntu file explorer - just double click on one of the folders on the left hand side of the desktop and navigate to "/mnt/m57jean" (after completing steps 1-7).

I'll stop here and post my method(s) of investigation in the next post - just in case you want to figure out the next part yourself...