If there is suspicion of activity, install a wiretap. Since you are protecting your network, there is legal precedent to use a wiretap. There must be "probable cause."
Law enforcement, however, must have a subpoena.
Hackers will start out doing a whois lookup, which gives information about the primary network, mail exchange (leading to internet cache), newsgroups, and administrators asking questions (leading to OS type, firewalls, etc.).
Packet 1776 has the ftp data string. Filter on that.
tcp port == 24 shows putty.
Set up the forensics workstation to receive data via netcat:
cd /images/unixforensics
nc -l -p 31337 > vmware_memory_dump
Use the programs from the cd. Memdump output should be sent via netcat (nc).
mount /dev/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
./memdump | ./nc -vv 192.168.2.1 31337
Output can be sent via netcat (nc); just set up a listener on the forensics workstation.
./uptime
./uname -a
./date
./fdisk -l
./mount
./netstat -anp
./lsof -n
./ls -lit
on forensics workstation:
cd /images/unixforensics
nc -vv -l -p 31337 > vmware_bodyfile.mac
on hacked machine:
mount /dev/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
./mac-robber / | ./nc -vv 192.168.2.2 31337
on forensics workstation:
cd /images/unixforensics
mactime -b vmware_bodyfile.mac > timeline-vmware.txt
less timeline-vmware.txt
commands hacker initially used:
w
last
add user jack, changed password to jack (checks password)
sc (secure copy) rootkit
netstat
top
ps
creates /usr/sbin/mkxfs
creates /dev/ida/.. /sl2 /dev/ida/.drag-on
commonly trojanized files
These files look odd because only the c time is modified:
ifconfig ps netstat top
Files with just an a time have been accessed or executed:
logclear linsniffer .drag-on ..(space)
The modification times indicate that the inodes themselves were changed (likely indicating that the files were decompressed). The c time shows that the files themselves were modified, which typically happens during installation.
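The body-file and timeline steps above, as an added example that is not part of these notes and not mac-robber's or mactime's own code: it walks a directory the way mac-robber does, writes body lines in the TSK 3.x format mac-robber uses, builds a mactime-style timeline with the m/a/c flag column, and then pulls out the "c time newer than m time" pattern the notes flag for installed binaries. The sample tree, file names and timestamps are constructed here for the demonstration.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone


def build_bodyfile(root):
    """Walk `root` and emit one mac-robber style body line per object.
    Body format (TSK 3.x): MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
    mac-robber writes 0 for MD5 and crtime; this does the same."""
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks, like mac-robber
            lines.append("0|%s|%d|%s|%d|%d|%d|%d|%d|%d|0" % (
                path, st.st_ino, stat.filemode(st.st_mode), st.st_uid, st.st_gid,
                st.st_size, int(st.st_atime), int(st.st_mtime), int(st.st_ctime)))
    return lines


def parse_body_line(line):
    f = line.rstrip("\n").split("|")
    return {"name": f[1], "inode": int(f[2]), "mode": f[3], "uid": int(f[4]),
            "gid": int(f[5]), "size": int(f[6]),
            "atime": int(f[7]), "mtime": int(f[8]), "ctime": int(f[9])}


def build_timeline(body_lines):
    """mactime-like timeline: one row per distinct timestamp per file, sorted by time.
    The flag column is 'macb' with '.' for timestamps that differ from the row's time
    (b = birth time, which ext2 does not record, so it is always '.')."""
    rows = []
    for line in body_lines:
        e = parse_body_line(line)
        by_time = {}
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime")):
            by_time.setdefault(e[key], set()).add(flag)
        for t, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append((t, macb, e["mode"], e["uid"], e["gid"], e["size"], e["inode"], e["name"]))
    rows.sort()
    return rows


def format_timeline(rows):
    out = []
    for t, macb, mode, uid, gid, size, inode, name in rows:
        when = datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append("%s %s %s %d %d %d %d %s" % (when, macb, mode, uid, gid, size, inode, name))
    return "\n".join(out)


def ctime_newer_than_mtime(body_lines):
    """Objects whose inode change time is later than their content modification time:
    the content was written earlier (or its mtime was preserved by tar / cp -p) and the
    inode was touched afterwards (chmod, chown, mv), the 'only the c time changed'
    pattern the notes describe for binaries dropped by a rootkit install."""
    return [e["name"] for e in map(parse_body_line, body_lines) if e["ctime"] > e["mtime"]]


def demo_tree():
    """Constructed sample: a freshly written binary and one 'installed' with an old mtime preserved."""
    root = tempfile.mkdtemp(prefix="unixforensics_")
    os.mkdir(os.path.join(root, "bin"))
    for name in ("ls", "ps"):
        with open(os.path.join(root, "bin", name), "wb") as fh:
            fh.write(b"\x7fELF constructed sample\n")
    old = 1_000_000_000  # 2001-09-09, stands in for a preserved build-time mtime
    os.utime(os.path.join(root, "bin", "ps"), (old, old))  # sets a/m times; ctime becomes now
    return build_bodyfile(root)


if __name__ == "__main__":
    body = demo_tree()
    print(format_timeline(build_timeline(body)))
    print("ctime newer than mtime:", ctime_newer_than_mtime(body))
```

In the output the preserved-mtime file shows up twice: an old "ma.." row and a current "..c." row, which is exactly the split the notes describe between the m time of the inode contents and the c time of the install.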
lsof and netstat
set up nc listener
./lsof -n | ./nc 192.168.2.2 31337
./netstat -nap | ./nc 192.168.2.2 31337
lsof is a process list of open files on the system, listing even deleted files that are still in use.
mkxfs is probably a trojanized ssh.
Inodes are sequential on a newly installed system.
./ls -lit /usr/bin | ./sort | ./less
Directories to look at are /usr/bin, /usr/sbin, /sbin.
To look at all files:
./ls -litR
If files are modified, they will have sequential inode allocations also. Look for very high or very low numbers.
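The inode check above, as an added example that is not from the notes: it parses `ls -li` output, groups the inode numbers into runs of nearby values, and reports everything outside the largest run, which on a freshly installed system is the distribution's own files. The listing below is constructed for the demonstration (the replaced ps/netstat/ifconfig entries carry inode numbers far above and below the install's run, and ps and netstat are themselves sequential because they were written together); the gap size of 1000 is an assumption to tune per system.

```python
# Constructed `ls -li` sample: ten original binaries with sequential inodes,
# plus three replaced later whose inodes are far outside that run.
SAMPLE_LS = """\
 32104 -rwxr-xr-x 1 root root  60808 Mar  2  2002 ls
 32105 -rwxr-xr-x 1 root root  18452 Mar  2  2002 cat
 32106 -rwxr-xr-x 1 root root  32356 Mar  2  2002 chmod
 32107 -rwxr-xr-x 1 root root  35512 Mar  2  2002 chown
 32108 lrwxrwxrwx 1 root root      4 Mar  2  2002 sh -> bash
 32109 -rwxr-xr-x 1 root root 512540 Mar  2  2002 bash
 32110 -rwxr-xr-x 1 root root  28900 Mar  2  2002 login
 32111 -rwxr-xr-x 1 root root  19440 Mar  2  2002 mount
 32112 -rwxr-xr-x 1 root root  14800 Mar  2  2002 umount
 32113 -rwxr-xr-x 1 root root  41234 Mar  2  2002 su
523441 -rwxr-xr-x 1 root root  32768 Apr 17 03:12 ps
523442 -rwxr-xr-x 1 root root  61440 Apr 17 03:12 netstat
    17 -rwxr-xr-x 1 root root  40960 Apr 17 03:12 ifconfig
"""


def parse_ls_li(text):
    """Parse `ls -li` / `ls -lit` output into (inode, mode, name) tuples.
    Fields: inode mode links owner group size month day time|year name...
    Symlink targets ('name -> target') are dropped; 'total N' lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        name = " ".join(parts[9:]).split(" -> ")[0]
        entries.append((int(parts[0]), parts[1], name))
    return entries


def cluster_inodes(entries, max_gap=1000):
    """Group entries into runs of nearby inode numbers (sorted, split wherever the
    jump to the next inode exceeds max_gap). A fresh install produces one big run;
    files added later land in separate runs, often with very high or very low numbers."""
    clusters = []
    for e in sorted(entries):
        if clusters and e[0] - clusters[-1][-1][0] <= max_gap:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def suspicious_entries(entries, max_gap=1000):
    """Everything outside the largest run: candidates for files added after install.
    Sequential inodes inside a small run suggest those files were written together."""
    clusters = cluster_inodes(entries, max_gap)
    base = max(clusters, key=len)
    return [e for c in clusters if c is not base for e in c]


if __name__ == "__main__":
    for inode, mode, name in suspicious_entries(parse_ls_li(SAMPLE_LS)):
        print("%8d %s %s" % (inode, mode, name))
```

To run it against a real listing, pipe the static `./ls -li /usr/bin` output through nc to the workstation as in the notes and feed the saved file to parse_ls_li; the three suspicious names above are what this sample flags.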
md5sum
./md5deep -r / | ./nc 192.168.2.2 31337 -w 3
dd if=INFILE of=OUTFILE
bs=N block size
count=N number of blocks to copy
skip=N number of blocks to skip at the start of the input
conv=noerror,sync continue past read errors and pad the bad block so offsets stay aligned
dcfldd if=INFILE of=OUTFILE
hashwindow=0 (entire machine hashed as one window)
hashlog=drive.md5.txt
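What conv=noerror,sync and hashwindow actually do to the image, as an added example that is not from the notes and not dd's or dcfldd's code: a small copy loop in Python with the same semantics, run against a constructed "device" that fails on one block. The FlakyDevice class, SAMPLE_DATA and the 512-byte block geometry are constructed for the demonstration; it assumes hashwindow is a multiple of the block size, as it is in practice.

```python
import hashlib


class FlakyDevice:
    """Constructed stand-in for a disk with one unreadable block: any read that
    overlaps block `bad_block` raises OSError, as a real device read would."""

    def __init__(self, data, bs, bad_block):
        self.data, self.bs, self.bad_block = data, bs, bad_block

    def read_at(self, offset, n):
        first, last = offset // self.bs, (offset + n + self.bs - 1) // self.bs
        if first <= self.bad_block < last:
            raise OSError("Input/output error")
        return self.data[offset:offset + n]


def md5_hex(b):
    return hashlib.md5(b).hexdigest()


def image_device(dev, size, bs=512, hashwindow=0, skip=0, count=None):
    """dd-style block copy with conv=noerror,sync and a dcfldd-style hashwindow.
    noerror: a failed read is recorded, not fatal.
    sync: the failed (or short) block is zero-padded to bs bytes, so every later byte
          keeps its original offset; without it the image shrinks and partition
          offsets no longer line up with the partition table.
    hashwindow=N: hash every N-byte window separately (0 = whole image only), so a
          later re-read can show which region changed instead of just 'hash differs'.
    Returns (image, [(start, end, md5)], total_md5, [bad block numbers])."""
    out, windows, bad = bytearray(), [], []
    total, win, win_start = hashlib.md5(), hashlib.md5(), 0
    n_blocks = max(0, (size - skip * bs + bs - 1) // bs)
    if count is not None:
        n_blocks = min(n_blocks, count)
    for i in range(n_blocks):
        block = skip + i
        try:
            chunk = dev.read_at(block * bs, bs)
        except OSError:
            bad.append(block)           # noerror: log and keep going
            chunk = b""
        chunk = chunk.ljust(bs, b"\0")  # sync: pad to a full block
        out += chunk
        total.update(chunk)
        if hashwindow:
            win.update(chunk)
            if len(out) - win_start >= hashwindow:
                windows.append((win_start, len(out), win.hexdigest()))
                win, win_start = hashlib.md5(), len(out)
    if hashwindow and len(out) > win_start:
        windows.append((win_start, len(out), win.hexdigest()))
    return bytes(out), windows, total.hexdigest(), bad


SAMPLE_DATA = bytes(range(256)) * 8   # constructed 2048-byte "disk": four 512-byte blocks


if __name__ == "__main__":
    img, windows, total, bad = image_device(FlakyDevice(SAMPLE_DATA, 512, 2),
                                            len(SAMPLE_DATA), hashwindow=1024)
    print("bad blocks:", bad, "image size:", len(img))
    for start, end, h in windows:
        print("%d - %d: %s" % (start, end, h))
    print("Total:", total)
```

The bad block comes out as 512 zero bytes in place, the image is the same size as the device, and the hash log lists one line per window plus the total, which is the layout dcfldd writes to its hashlog file.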
Host Protected Area
disk_stat /dev/hdb
removal (temporary):
disk_reset /dev/hdb
Before imaging, nc the output of these commands:
mount
fdisk -l
On forensics workstation:
cd /images/unixforensics
nc -l -p 31337 > vmware_dev_sda.img
md5sum vmware_dev_sda.img
On hacked machine:
mount /dev/cdrom /mnt/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
fdisk -l
mount
./dcfldd if=/dev/sda hashwindow=0 | ./nc 192.168.2.2 31337
mmls disk1.dd
If mmls cannot determine the type, try:
mmls -t dos disk1.dd
dd if=disk1.dd bs=512 skip=62 count=1028097 of=part1.dd
The first logical partition inside the extended partition is numbered 5, and numbering continues from there.
Do not normally extract extended partitions; they are just boundaries.
The first 512 bytes contain the MBR. At byte 446 is the start of the partition table. Each entry is 16 bytes long. The last 8 bytes are useful: the last four are the length of the partition (in sectors) and the four before that are the offset (starting sector). Don't forget to add 63 for the partition boundary(?).
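The partition table layout above, worked through as an added example that is not from the notes and not mmls's code: it parses the 16-byte entries at byte 446 of the MBR, follows the extended partition's EBR chain so that logicals are numbered from 5 and extended entries are listed but never extracted, and turns each remaining entry into the dd skip/count line the notes use. The sample image, its partition numbers and its sizes are constructed for the demonstration; the image is small so it builds in memory, but the parser works unchanged on the bytes of a real disk1.dd.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # partition table starts at byte 446 of the MBR / EBR
ENTRY_SIZE = 16
EXTENDED_TYPES = {0x05, 0x0F, 0x85}


def parse_table(sector):
    """Return the four (type, start_lba, length_in_sectors) entries of a 512-byte
    MBR/EBR sector. In each 16-byte entry, byte 4 is the type, bytes 8-11 the
    starting LBA and bytes 12-15 the sector count (both little-endian); the
    CHS fields in bytes 1-3 and 5-7 are ignored, as modern tools ignore them."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not a partition table sector")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        entry = sector[off:off + ENTRY_SIZE]
        start, length = struct.unpack("<II", entry[8:16])
        entries.append((entry[4], start, length))
    return entries


def sector_at(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def list_partitions(image):
    """mmls-style listing: primaries numbered 1-4 by slot, logicals from 5 in chain order.
    A logical partition's start is relative to its own EBR; the 'next EBR' link in
    slot 2 of each EBR is relative to the start of the extended partition."""
    parts, ext_base = [], None
    for n, (ptype, start, length) in enumerate(parse_table(sector_at(image, 0)), start=1):
        if ptype == 0:
            continue
        parts.append((n, ptype, start, length))
        if ptype in EXTENDED_TYPES and ext_base is None:
            ext_base = start
    if ext_base is None:
        return parts
    n, ebr_lba, seen = 5, ext_base, set()
    while ebr_lba not in seen:          # guard against a corrupt, looping EBR chain
        seen.add(ebr_lba)
        entries = parse_table(sector_at(image, ebr_lba))
        ptype, rel_start, length = entries[0]
        if ptype != 0:
            parts.append((n, ptype, ebr_lba + rel_start, length))
            n += 1
        next_type, next_rel, _ = entries[1]
        if next_type == 0:
            break
        ebr_lba = ext_base + next_rel
    return parts


def dd_commands(image, image_name="disk1.dd"):
    """One dd line per non-extended partition; extended entries are only containers."""
    cmds = []
    for n, ptype, start, length in list_partitions(image):
        if ptype in EXTENDED_TYPES:
            continue
        cmds.append("dd if=%s bs=%d skip=%d count=%d of=part%d.dd"
                    % (image_name, SECTOR, start, length, n))
    return cmds


def _entry(ptype, start, length):
    # boot flag, CHS start, type, CHS end, LBA start, sector count (CHS fields zeroed)
    return struct.pack("<B3sB3sII", 0, b"\0\0\0", ptype, b"\0\0\0", start, length)


def _table_sector(entries):
    sec = bytearray(SECTOR)
    for i, e in enumerate(entries):
        sec[TABLE_OFFSET + i * ENTRY_SIZE:TABLE_OFFSET + (i + 1) * ENTRY_SIZE] = e
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def build_sample_image():
    """Constructed 4063-sector image: one primary, one extended holding two logicals."""
    img = bytearray(4063 * SECTOR)
    img[0:SECTOR] = _table_sector([_entry(0x83, 63, 1000), _entry(0x05, 1063, 3000)])
    # EBR at 1063: its logical starts 63 sectors after the EBR; next EBR is 1000 sectors into the extended
    img[1063 * SECTOR:1064 * SECTOR] = _table_sector([_entry(0x83, 63, 937), _entry(0x05, 1000, 2000)])
    img[2063 * SECTOR:2064 * SECTOR] = _table_sector([_entry(0x83, 63, 1937)])  # last EBR: no link
    return bytes(img)


if __name__ == "__main__":
    for n, ptype, start, length in list_partitions(build_sample_image()):
        print("%02d  type 0x%02x  start %7d  length %7d" % (n, ptype, start, length))
    for cmd in dd_commands(build_sample_image()):
        print(cmd)
```

The 63-sector offset the notes mention shows up twice here: the first primary starts at sector 63 after the MBR track, and each logical starts 63 sectors after its own EBR, which is why the logical's absolute start is EBR position plus 63, not the extended partition's start plus 63.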
Mount root first, then mount the other partitions inside it:
mount -t ext2 -o ro,loop,noexec vmware_dev_sda6.img /mnt/hack/unixforensics_mount
mount -t ext2 -o ro,loop,noexec vmware_dev_sda1.img /mnt/hack/unixforensics_mount/boot