Three lesser known security tools for your arsenal

Roadkil’s DHCP Find

A small and efficient Windows-based app for finding rogue DHCP servers. It works by simply sending out DHCP requests and logging every server that replies. Not much to it, but when you are tracking down DHCP servers this will be extremely valuable. (DHCP Find 1.2)
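To make concrete what a tool like this has to do once the replies come in, here is an added example that is not part of the original post or of Roadkil's tool: it builds a few constructed DHCP reply packets, parses the options area to pull out the server identifier (option 54), and flags any responder that is not on an allowlist of known DHCP servers. The addresses and the allowlist are made up for the example; capturing real replies would need a raw socket on the LAN and is not shown.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
DHCP_OFFER = 2
DHCP_ACK = 5


def build_dhcp(msg_type, server_ip, client_ip, xid=0x1234ABCD):
    """Construct a minimal DHCP reply (BOOTP header + options) for the example.

    op=2 (BOOTREPLY), htype=1 (Ethernet), hlen=6; ciaddr, giaddr, chaddr,
    sname and file are left zeroed since the parser does not look at them.
    """
    yiaddr = ipaddress.IPv4Address(client_ip).packed
    siaddr = ipaddress.IPv4Address(server_ip).packed
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, yiaddr, siaddr, b"\0" * 4,
        b"\0" * 16, b"\0" * 64, b"\0" * 128,
    )
    options = (
        MAGIC_COOKIE
        + bytes([OPT_MESSAGE_TYPE, 1, msg_type])
        + bytes([OPT_SERVER_ID, 4]) + siaddr
        + bytes([OPT_END])
    )
    return header + options


def parse_options(packet):
    """Return {option_code: raw_value} for a DHCP packet; raise on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:            # pad byte: no length field follows
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def offer_server(packet):
    """Server identifier of a DHCPOFFER as a dotted string, or None if not an offer."""
    try:
        options = parse_options(packet)
    except ValueError:
        return None
    if options.get(OPT_MESSAGE_TYPE) != bytes([DHCP_OFFER]):
        return None
    server_id = options.get(OPT_SERVER_ID)
    if server_id is None or len(server_id) != 4:
        return None
    return str(ipaddress.IPv4Address(server_id))


def find_rogue_servers(packets, allowed):
    """Distinct DHCPOFFER senders that are not in the allowlist, sorted."""
    seen = {offer_server(p) for p in packets}
    seen.discard(None)
    return sorted(s for s in seen if s not in allowed)


# Constructed sample traffic: a legitimate offer, a rogue offer, an ACK and junk.
ALLOWED_SERVERS = {"192.168.1.1"}
SAMPLE_PACKETS = [
    build_dhcp(DHCP_OFFER, "192.168.1.1", "192.168.1.50"),
    build_dhcp(DHCP_OFFER, "192.168.1.66", "192.168.1.50"),
    build_dhcp(DHCP_ACK, "192.168.1.1", "192.168.1.50"),
    b"\x00" * 100,
]

if __name__ == "__main__":
    for rogue in find_rogue_servers(SAMPLE_PACKETS, ALLOWED_SERVERS):
        print("rogue DHCP server:", rogue)
```

Only OFFER messages are counted, so ACKs and relayed chatter from the legitimate server do not inflate the list, and a truncated or non-DHCP packet is dropped rather than crashing the scan.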

Nast

Let’s face it, tools like tcpdump and nmap are unbelievably powerful, but without a lot of patience and a lot of experience they can both be overwhelming. Enter “nast”. Nast is like the Swiss army knife you keep in your pocket. It’s a handy set of very useful tools for network troubleshooting (and mischief) all wrapped into one program. It has increasingly become my “go to” tool when I just want to get a job done. Here is a sampling of its features:

  • Sniffing/Dumping packets in ascii, ascii hex, and tcpdump formats

  • Remote promiscuous mode checking - Who else is monitoring the network?

  • Host listing - build a quick list of available hosts using arp

  • Gateway discovery - Are there multiple ways out of your network?

  • Reset connection - Destroy a connection in progress.  This could be fun!

  • Port scanning -  A quick, half-open scan, noting possible firewall rules.  Again, this seems really speedy

See the nast homepage (mirror; the old homepage is defunct) for source code, the full man page and contact information.

SSLStrip

Curious about what is actually being sent back and forth in your https session? Take a little peek with sslstrip. Unlike the previous tools, sslstrip requires a little upfront work to get going. You will need a Linux box to do the work on.

  • Turn on forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward

  • Set iptables to redirect to whatever port you want sslstrip to listen on: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port

  • Start sslstrip: sslstrip -w -l

  • In another screen: tail -f output.log (if you want)

  • Now your box is ready to snoop on any forwarded ssl connections, so let’s send them our way. In another screen use the command arpspoof -i -t

With everything running, test out a few https webpages. You should see the contents of your HTTP POST appear in the logfile. Check the options of sslstrip for more detailed logging and other features.

Sslstrip can be found at http://www.thoughtcrime.org/software/sslstrip/. Arpspoof is part of the dsniff suite.

How dd, nc and fdisk saved my bacon

How do I get data off this thing?

Here’s the situation. I’m trying to recover data for a client. Their laptop will not boot into Windows and they need to get data off of it. To add to the fun, I don’t have an IDE adaptor handy for the laptop hard drive, and the laptop is a little crashy (motherboard shorting out?).

I could wait around until I can get my hands on an adaptor, but what fun would that be?

First things first, we need to get the data off of the drive. Being a minimalist, I first thought of just doing a file copy. Since I don’t know whether the filesystem is any good, that probably isn’t a good idea. In any forensics situation you always want to clone your source and then work with the clone. I will be taking the same approach, treating the source as “read only” and only modifying the copies I make. If it turns out the filesystem is corrupt I can always clone to a known-good drive and use tools like “chkdsk” (for filesystem corruption) or “partimage” (if things are really nasty).

So I have the “donor” machine booted up on a recent Knoppix CD, connected via crossover cable to our tech station. I have set IP addresses and tested connectivity between the machines. Now it’s time for the magic to start.

Using the instructions found here I set my tech station as a netcat “server” and the dead laptop as a netcat “client”.  Score one for the simplicity of pipes, because dd will happily pipe bit for bit data across our netcat tunnel!

“Server”

nc -l -p 9000 | dd of=HarddriveImage.img

“Client”

dd if=/dev/sda | nc 192.168.1.220 9000

I also set up a terminal on the tech station running “watch” to keep an eye on the disk image size:

watch -n 1 "du -hca *.img"

Now we wait… in my case 19 gigs took about one hour.

We have the image, now what?

Next, I found a handy guide (Wayback cache) on what to actually do with the image once I had it. I am familiar with loopback mounting ISO images, but never before had I tried to loopback mount an entire hard drive image.

So first things first, we need one more important piece of information off the dying computer.  We need to know how many cylinders the hard drive has.  This will come into play, later, in our calculations.

fdisk -l /dev/sda

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00050229

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          12       96358+  83  Linux
/dev/sda2              13         136      996030    5  Extended
/dev/sda3             137        1109     7815622+  83  Linux
/dev/sda4            1110       19457   147380310   83  Linux
/dev/sda5              13         136      995998+  82  Linux swap / Solaris

The fdisk output above is from a different hard drive, so its cylinder count will not match the one below. The cylinder count for the disk we are imaging is 2432.

Now that we know the cylinder count we can try to get fdisk to read the image we cloned and see if it is intact:

$ fdisk -C 2432 DiskImage.img

The number of cylinders for this disk is set to 2432.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk DiskImage.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 2432 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x9dc96e9e

Device Boot      Start         End      Blocks   Id  System
DiskImage.img1               1           5       40131   de  Dell Utility
DiskImage.img2   *           6        2431    19486845    7  HPFS/NTFS

Well, everything looks good! If you have trouble at this point, keep in mind that the disk may be beyond saving. Try something like SpinRite and attempt this again.

We know that we want to mount partition 2, “DiskImage.img2”, but we need to get the correct start and end sectors.

$ fdisk -l -u -C 2432 DiskImage.img

Disk DiskImage.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 2432 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x9dc96e9e

Device Boot      Start         End      Blocks   Id  System
DiskImage.img1              63       80324       40131   de  Dell Utility
DiskImage.img2   *       80325    39054014    19486845    7  HPFS/NTFS

Now all that is left is to calculate the offset so we can tell mount where the partition begins inside the loopback image.

Offset = StartSector * 512

So we have 80325 * 512 = 41126400

Now we issue the mount command as follows:

$ sudo mount -o loop,offset=41126400 -t ntfs DiskImage.img /mnt/
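The offset arithmetic above, carried through as an added example that is not from the original post or the guide it links: rather than feeding fdisk a cylinder count, it reads the 64-byte partition table from the first sector of the image directly, since each MBR entry stores its LBA start sector and sector count (the geometry is only needed to make fdisk display the table). It rebuilds the post's two-partition layout as a constructed MBR, recomputes the same start/end/blocks figures fdisk printed, and derives the mount offset of 41126400 for partition 2. The read_mbr helper and the partition-type-to-filesystem map are assumptions for the example, and the generated mount command adds ro to match the post's own read-only policy for the source.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
# Assumed map from MBR partition type to a mount -t value; anything else is left to "auto".
FS_FOR_TYPE = {0x07: "ntfs"}


def build_mbr(entries):
    """Construct a 512-byte MBR (zeroed boot code) from (bootable, type, lba_start, n_sectors) tuples."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    table = b""
    for bootable, ptype, start, count in entries:
        # CHS fields are left zero: only the LBA start and sector count matter here.
        table += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                             b"\0\0\0", ptype, b"\0\0\0", start, count)
    table += b"\0" * (16 * (4 - len(entries)))
    return b"\0" * 446 + table + MBR_SIGNATURE


def parse_mbr(sector):
    """Return the populated primary entries with fdisk-style start/end/blocks and the byte offset."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature in sector 0; image may be damaged or not MBR-partitioned")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        flags, _, ptype, _, start, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0 or count == 0:          # unused slot
            continue
        parts.append({
            "index": i + 1,
            "bootable": flags == 0x80,
            "type": ptype,
            "start": start,                   # first sector, as fdisk -u prints it
            "end": start + count - 1,         # last sector, as fdisk -u prints it
            "blocks": count // 2,             # fdisk's 1K "Blocks" column
            "offset": start * SECTOR_SIZE,    # what mount -o offset= needs
        })
    return parts


def mount_offset(sector, index):
    """Byte offset of partition `index` (1-based, as in DiskImage.img2)."""
    for p in parse_mbr(sector):
        if p["index"] == index:
            return p["offset"]
    raise KeyError(f"partition {index} not present in table")


def mount_command(sector, index, image, mountpoint):
    """Loopback mount command for one partition; ro keeps the clone untouched."""
    for p in parse_mbr(sector):
        if p["index"] == index:
            fstype = FS_FOR_TYPE.get(p["type"], "auto")
            return f"mount -o loop,ro,offset={p['offset']} -t {fstype} {image} {mountpoint}"
    raise KeyError(f"partition {index} not present in table")


def read_mbr(image_path):
    """Read sector 0 of a raw dd image (assumed helper for running against a real file)."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed MBR with the same layout as the post's `fdisk -l -u` listing.
SAMPLE_MBR = build_mbr([
    (False, 0xDE, 63, 80262),        # DiskImage.img1: Dell Utility, sectors 63..80324
    (True, 0x07, 80325, 38973690),   # DiskImage.img2: NTFS, sectors 80325..39054014
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
    print(mount_command(SAMPLE_MBR, 2, "DiskImage.img", "/mnt/"))
```

Run against a real image with parse_mbr(read_mbr("DiskImage.img")); a missing 0x55AA signature is the quick sign that sector 0 of the clone did not come across intact, which is the same failure the post's fdisk step would surface.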

That’s all she wrote

Well, we’ve been on a whirlwind tale of data recovery, but I am sure we have just scratched the surface of the different techniques that are out there.  So, what tricks have you used for data recovery before?  Any tips or tools you care to share?

Coming Soon...

Posts have been a little few and far between lately, so I wanted to give everyone a taste of what is coming up.

Using Git as a “Poor Man’s” Time Machine - Part Two

Part two of our practical introduction of Git to those new to revision control

A Little Hacky System to Monitor Your Cron Jobs

We will get into a little Python / PHP action to create a very simple “dashboard” for your cronjobs

Erlang Weather Tracker

We are going to build a weather tracking node to nab data from NOAA as a gentle introduction to Erlang and functional programming

A Brief Description of a ZFS Based Backup System

I’m going to break down the different parts of the Helpful Hackers’ current backup system/scheme: what’s good, along with what can be improved.