This year's Holiday Hack Challenge was just as invigorating and challenging event as usual. Santa and the Elves decided that due to all the cyber shenanigans which have occurred over the years that holding a hacking conference would be a great way to keep everyone safe. The name of this conference is KringleCon and it involved an entire virtual world, complete with a virtual character who can move around and interact with CranberryPi terminals, as well as ventilation shafts, kiosks and door code panels (Figure 1). This challenge was tough as it required knowledge of a vast spectrum of knowledge in computer administration, web services, code cracking, and web servers. Additionally, skills in programming and debugging in languages such as JavaScript, PowerShell, Python, shell scripting, and data analysis. While I have decent amount of knowledge with many of these skills, I wasn't going to be able to complete the challenge in time to submit a report to the Counter Hack team by January 14, 2019 due to a later start than last year. So I recruited a good friend of mine whom I've worked with in the past, who is probably one of the most skilled computer experts and programmers I know. My friend and I worked over the last few days to finish the last four challenges/objectives to submit a report before the deadline. The result is approximately 81 pages (a few typos and errors but nothing serious) for our report describing how to finish the 2018 SANS Holiday Hack Challenge. Below is our report embedded for review. Overall, I found the competition very different from the 2017 version and as it was more of an open-world one the flow of the contest was a bit confusing until I spent a good chunk of time (about an hour) of really exploring and understanding the world, and how we could really navigate around and interact in any order a competitor chooses. This proved to be a really fantastic choice by the Counter Hack team, and upon completing the competition with a solid tying together, I'm pleased to say this was an even better experience than last year. I'm continuously humbled by the organization, skills, and efforts of Ed Skoudis and his team. As usual it was a fun experience and the team did a phenomenal job. I'd like to extend a personal acknowledgement to Jevan Gray for his ability to quickly understand and dissect code and assemble solutions. I doubt I could have accomplished this before the deadline without his knowledge and expertise. Thank you again Jevan!
0 Comments
In my own words, Computer Forensics is the scientific method of obtaining digital evidence from computing devices while maintaining their integrity and authenticity to ensure digital evidence may be accepted in a court of law. I recently completed a Masters course in Computer Forensics at the University of San Diego after having performed previous computer forensic mentor work with high school students for the Air Force Association's CyberPatriot program and Cal Poly's 2018 California Cyber Innovation Challenge. This field is vast, constantly changing, and much more tedious than any movie or television program portrays. However, working as a computer forensic analyst and discovering a clear and consistent timeline of activities or artifacts which tell a story, makes a lot of the labor worthwhile. This is the exciting part.
Computers and the Internet are tools. Tools can be used as they are intended, or they can be abused. Unfortunately, there's a lot of abuse which occurs which is aided by the use of computers and the Internet. Child exploitation, human traffic, terrorism, financial crimes, or even just plain human rights violations leading to murder, prison or torture. The field of Computer Forensics attempts to aide companies and Governments to provide evidence of these serious crimes by analyzing those systems involved. Some wonderful resources I have found for computer forensics include the following in no particular order:
In 2008 Flo Rida had a song "Low" featuring T-Pain with a line "Boots with da fur" which my family loved belting out whenever we heard this song on the radio. This blog article has nothing to do with getting your club on. Rather, DFIR (Digital Forensics and Incident Response) pronounced Dee-FUR just reminded me of it. DFIR has a significant place in competitions for cybersecurity. Many of the California and National competitions are composed of a large portion of digital forensics, so having the right tools for the job makes all the difference. Some bright students I've been mentoring have asked, "What OS do you recommend for DFIR?" My default response is typically Kali Linux, but I wanted to take a deeper look into SANS' SIFT workstation.
If you found yourself accidentally, or intentionally, reading my earlier blog postings, you'll note that many of these high school and middle school competitions require that the competitors use Open Source and freely available software. This was another reason why this was a great opportunity to revisit and try out SANS' SIFT Workstation. This Ubuntu distribution based on Debian Linux was developed, and is maintained, by a formidable training group, SANS,' very own Rob T Lee. It features automatic updates, and a plethora of free and often updated tools one can use for Digital Forensics and Incident Response. Learning to use these tools is for other blog postings, this blog discusses getting the most recent version of a great DFIR tool installed and working on this OS build. There are a lot of DFIR tools and Operating Systems available for use A small sampling of them includes Linux
Get your SIFTv3 workstation image/installation and update/upgrade it I'll assume you're familiar with obtaining a virtual image of SIFT and getting it installed. I'll use VirtualBox for my blog, as it's free and feature-rich. You can download a pre-configured SIFT workstation as a Virtual Machine in OVA format at https://digital-forensics.sans.org/community/downloads under the section "Download SIFT Workstation VM Appliance". After you get your workstation up and running (there are other tutorials for that) then update it through it's built in update or open a shell/terminal window and type sudo apt-get update && upgrade to get the build to update. After this, there are only a few other steps to install the required Java version to support TSK and Autopsy 4+. Installing testdisk for photorec functionality Note that I did not find this necessary for versions 4.6 or 4.7 of autopsy, however, it can't hurt for you to test. Enter into a shell the command: sudo apt-get install testdisk Installing Java to support TSK/Autopsy 4+ After you've updated the Operating System and verified that you have installed testdisk, check to see if Java's version is 1.8 or higher by typing in the shell/terminal: javac -version Your output should show something like javac 1.8.0_171 . Ensure it starts with at least version 1.8.0. If not, then add Java's repository to update sources by typing the command: sudo add-apt-repository ppa:webupd8team/java then update your local repository with command: sudo apt-get update and finally install the Java 8 installer with the command: sudo apt-get install oracle-java8-installer When installation completes (it may take one-five minutes or more) then check your Java version again with command and copy the installation path that appears next to Java version 1.8. javac -version Often times you'll have more than one version of Java installed, so another command is required to check which version is the primary one and also show us the file path where it is located. Check this with the command sudo update-alternatives --config java to show a list of Java installations on the system. Check that 1.8 shows the default/primary version with an * in it's row and copy down the path to Java 1.8 as you'll need to add that path to your environmental variables. Type the command sudo nano /etc/environment to open up the nano text editor, and add the JAVA_HOME line below (with your path) as a new line in the /etc/environment file. *Note that you only need to include the path up to /java-8/oracle. JAVA_HOME="/usr/lib/jvm/java-8-oracle" Press CTRL+X to exit, and when asked save the changes. Reload your environmental variables with command source /etc/environment then verify the variable shows the correct path by running the command echo $JAVA_HOME. *Note: These installation instructions comes from the article https://medium.com/coderscorner/installing-oracle-java-8-in-ubuntu-16-10-845507b13343 which you can visit for more details. Getting and Installing the latest version of The Sleuth Kit and Autopsy Visit https://github.com/sleuthkit/sleuthkit/releases and download the latest version of the .deb package, typically named something like sleuthkit-java_4.6.1-1_amd64.deb. Then install this Debian package of sleuth kit by running the command sudo apt install ./sleuthkit-java_4.6.1-1_amd64.deb. Now that we have the latest version of The Sleuth Kit, go download the latest version of Autopsy. It will typically be released in a zip file at https://github.com/sleuthkit/autopsy/releases and be named something like autopsy-4.7.0.zip. Create a directory for Autopsy wherever you prefer mkdir autopsy-4.7.0 and then unzip the file you downloaded there unzip autopsy-4.7.0.zip Finally, run the setup script in that directory sudo sh unix_setup.sh If everything is in order, you'll have a working version of Autopsy and The Sleuth Kit. You may run Autopsy by changing to the ‘bin’ directory in the autopsy folder you created and then typing the command ./autopsy Summary With a recent working version of The Sleuth Kit and Autopsy on SIFTv3 you have many of the tools competitions require for DFIR tasks. There are many things you won't be able to do without additional work, for example extracting specific registry keys and values from forensic images or other tasks. Fortunately Autopsy includes a modular framework which supports both Java and Python, and the community has created many of these tools for us check these out at https://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules Today's digital forensic investigators benefit greatly by the ease with which the tools and maintenance of them can be done by an opearting system such as SANS' SIFT Workstation. Combined with great open source tools like The Sleuth Kit and Autopsy the hardest part is now learning how to investigate. For example discovering where you need to look, and what information you need to look for as well as how to get it. I found one great resource shared by a student at Cal Poly's California Cyber Innovation Challenge website which discusses analyzing Windows 7-10 and Android operating systems. The papers here contain great tutorials and basic training. Visit the Cal Poly California Cyber Innovation Challenge site and review their awesome site and the downloadable material at https://cci.calpoly.edu/events/ccichttps://cci.calpoly.edu/events/ccic/2018-df-downloads Happy hunting and many thanks to Cal Poly, The Sleuth Kit and Autopsy developers and SANS Digital Forensics! Introduction
Recently I volunteered and became a CyberPatriot mentor. In this program I work with local area high school students interested in cyber security who compete in cyber security competitions. Side note: If you work in cyber security, please consider being a mentor; there are perks and we need more STEM/cyber interest, especially from young women. One of the more challenging aspects of competitions for these groups, and most administrators, is discovering how a system you are given may be incorrectly configured. Some examples include discovering if telnet is running, no firewall enabled, a blank password on an administrator account, or a root/root username/password on Linux. In most cases, the competitions use a plethora of operating systems very much like most organizations (e.g. Windows 7, Windows 10, Ubuntu 14, Ubuntu 16, OSX) The Challenge In my previous experience, there are a lot of programs out there that automate this process. I began researching products I use, or know of and have used before to share and demonstrate. This is when I learned, that over the past 5 years the automated vulnerability configuration landscape has drastically changed from an open and free one, to a cloud-based, payed one. This proved to be more of a challenge than I anticipated requiring much more time than I allotted. I had to adjust my requirements for products which are here:
I scoured NIST's Computer Resource Security Center (CRSC) website to find products which were Security Content Automation Protocol (SCAP) compliant. SCAP is a method for using standards to automate system configuration checks/compliance. Cyber security software providers want to be SCAP compliant for Government compliance. It also helps in the private sector too. SCAP compliance uses the former OVAL-based standards or the newer XCCDF checklist format to assess system configurations. A tool that is SCAP compliant is going to be easier for students to learn how to use. Unfortunately, as you'll see, I didn't find a single tool. Tools, not a tool In this case, students take a recommended configuration checklist using XML-based evaluation standards (OVAL, XCCDF) and use the file/list with an evaluation tool/program which outputs results showing the difference. The problem is a lot of the tools out there are either no longer free, or, they only work for specific operating systems. This means now having to use not one tool, but two. Note: OpenVAS is a good tool for this, but it is complicated and difficult to learn and use as it has many more features outside of configuration analysis. The Tools I ended up choosing were
As the tools above show, I did find some tools. But there is not one tool. I ended up discovering there were many available but that there wasn't a single inexpensive, or free tool which could help these students assessments during cyber security competitions. I think as young persons learning cyber security, the industry is doing a disservice by not providing readily available tools for them to practice with and to learn to use. Cyber security is tough. There is a lot of overwhelming content, vulnerabilities, system specific caveats, configuration data, network knowledge, and programming information a person has to learn while also trying to do it easily. I hoped there would be an easy way for these students learn I have is that an automated way to review hundreds or thousands of configuration settings Here I present the top 30 passwords taken from Troy Hunts haveibeenpwned.com/passwords website where he provides a great tool and resource to verify if your password is in a breach disclosed to Have I Been Pwned. He also released the SHA-1 hashes of over half a billion disclosed passwords to be downloaded for our own pleasure. From this I did a quick analysis.
Note, Troy did not release the plaintext passwords as some had sensitive materials; thus there was a little searching to convert these, but fortunately for us, or unfortunately depending on how you look at it, these were easy to Google/convert (e.g. put the hash into Google and find a match). It's no surprise that number sequences and keyboard patterns make up the bulk of the list. One outlier was "myspace1" which was identified 707,334 times in breach disclosures. This is likely due to the breach of passwords from the website myspace.com and users using "myspace1" to meet minimum password requirements. The infamous "password", "password1", "iloveyou", "monkey", and "dragon" appear in the top 30. People love password monkey dragons! Enjoy! In this document I analyze the Windows NT Architecture and it's implementation of the Security Reference Monitor model. It identifies gaps and strengths in the implementation from Windows 2000 through Windows 10 and Windows Server 2012R2. The bottom line is, Windows NT is a complex, flexible, robust system, however, it also supports so many capabilities that a simple security model and implementing basic security reference model principles hinder true secure operations. The Operating System can, of course, be hardened, however, the basic structure presents challenges which would need many other systems to provide compensating security controls as well as mitigations and detective controls. I'll still use Windows, however, a complete redesign of their security reference monitor implementation may be required to provide a secure, auditable, and tamper-resistant operating system. This document was created for an assignment in my Cyber Security Operations and Leadership program at the University of San Diego. Below I present my report on the 2017 Holiday Hack Challenge. It's in PDF, because, well I put a lot of effort into the report to make it pretty and readable for the SANS folks. The challenge was a lot of fun, and I highly encourage anyone even remotely interested to give it a crack, it will always keep you learning. Happy Hacking and best wishes! What could be better than hacking on the holidays, legally! Not much if you're an aspiring cyber security junkie. SANS's Holiday Hack Challenge is a newer tradition in the hacker circles where we get to learn, play, and practice our trade in a safe, legal, and entertaining way. SANS is known for quality cyber security training, academic work, certifications (GIAC, etc.), and much more. Led by an instructor of penetration testing and hacker extraordinaire Ed Skoudis and a team of dedicated writers, administrators, and skilled technicians, they create a holiday themed story line, websites, twitter accounts, custom games, and systems all for our learning entertainment. They also give out prizes to categories of participants, so get in there!
A few years ago working in a Security Operations role, a good friend of mine, Jevan, asked me if I was doing the Holiday Hack Challenge. I had no idea what it was but I watched him play it during his free time, and I was intrigued and intimidated. Fear, kept me from participating in 2015/2016, in what has become a truly enjoyable sport of hacking and Linux administration in 2017. This year I took the plunged, registered, logged in, and began practicing. Despite my rusty penetration testing skills (after sloughing through thousands of pages of cyber security policy, performing incident response and log management, and reviewing code for bugs over the last few years) I've made pretty decent progress in this years challenge. Fortunately, there is plenty of help as these are not supposed to be impossible, they're learning experiences. The creators and other fellow participants won't outright give you the solution (frowny face on that), but they are more than willing to nudge, bump, and prod you toward a blog, website, or other resource where you can learn how to solve a particular challenge. I would not recommend you dive into this if you have beginner level system administration or Linux skills, although with enough reading and practice you also can still learn something new. Lucky for me, there are dozens of hints (in the game, game chat, Twitter, Instagram, and on SANS blogs from the team who created the challenge). So whether you're kinda new to the cyber security realm, or you're trying to polish your skills, or you just want to teach new people by sharing your process in a blog (after the challenge ends, of course), then come join this years SANS's Holiday Hack Challenge! Again you can find the challenge here: https://holidayhackchallenge.com/2017/ and happy hacking! Also, thank you to the SANS team and SANS for their dedication and resources they provide to the hacking community to improve our security posture. Keep up the good work! |
AuthorI am a Doctoral Scholar at Colorado Technical University and a graduate of the Cyber Security Operations and Leadership program from the University of San Diego. I work in cybersecurity, and have accumulated twenty years in the IT industry. There are few IT roles I have not performed, which gives me great insights into making sense of all the IT confusion. Archives
February 2022
Categories
All
|