Paul Cimino - https://paulcimino.com - My story behind the scenes in IT

Customizing Wireshark for malware analysis
https://paulcimino.com/customizing-wireshark-for-malware-analysis/
Sun, 18 Oct 2020 16:34:35 +0000

I recently watched a series of really good videos from Brad Duncan, the man behind malware-traffic-analysis.net, and my main takeaway was that setting up Wireshark properly leads to a much better experience and far more success when hunting for malware traffic. In this post I cover the most useful settings I discovered and how I set up Wireshark. Many of these settings can be found on his website as well.

  1. Creating a custom profile
  2. Column settings
  3. Exporting a profile
  4. Saving filters

Create a custom profile

Since we are going to make several customizations to the packet list window, we can create a new profile to hold them so the default view remains intact. This step is optional: most people work with a single profile, and editing Default is perfectly fine. If you want separate profiles (for example one for malware traffic analysis and one for general troubleshooting), these are the steps. If you choose not to do this, skip ahead to the Column Settings section.

To get started, click on Edit > Configuration Profiles (Ctrl+Shift+A).

Wireshark configuration profile

We want to make a copy of the Default profile and give it a meaningful name. Highlight Default and then click the button on the right that shows two small squares; this is the copy button. Rename the copy and click OK when done.

Wireshark copy profile

You will notice in the bottom right corner of the window, it has changed the profile name to the new one you just created. If you click on this you can change profiles easily, but for now, leave it set to the new one you just created.

Wireshark view current profile

Column Settings

The default columns in Wireshark are great to get you started, but you will find they are lacking useful information rather quickly. To solve this I removed several columns and added some that I needed. Here is what we are starting from:

Wireshark default columns

I remove the No., Protocol, and Length columns and hide the Source column. I hide Source rather than removing it because I am typically analyzing traffic from a single infected host, so I already know the source; if it is ever needed I can unhide it. To do this, right click on a column heading and either select Remove Column, or uncheck the column name to hide it.

Wireshark hide and remove columns

Now we need to fix the Time column, because seconds since the start of the capture is not very helpful when you need to line packets up with logs and alerts. In forensics everything is kept in UTC, so I use that as my default. Go to View > Time Display Format and select UTC Date and Time of Day. While you are there, change the precision from Automatic to Seconds; otherwise it shows fractions of a second to as many as nine decimal places, which is not useful here and takes up space we will need later.

Wireshark change time format

Next, let’s add the destination port number. I don’t need Wireshark to tell me the protocol; I would rather see the port being used, since malware frequently runs one protocol over another protocol’s port. Right click on any column heading and select Column Preferences. Click the + symbol at the bottom left to add a column. Double click on the Title field and enter Dest Port, then double click on the Type field, open the drop-down, and select Dest port (unresolved) so we see the port number rather than a resolved service name. To put the columns in the right order, drag the new Dest Port column and drop it under the Destination column. Click OK.

Wireshark add column

It looks better, but the port number is right justified and everything else is left. Let’s fix that. Right click the column heading again and select Align Left at the top. Your column layout should look like this now.

Custom layout view

Now for the most challenging part. I want to add the HTTP host name and the HTTPS server name (the TLS Server Name Indication), but any single packet will only ever carry one or the other, so I want both in the same column. One great thing about Wireshark is that you can right click any field in the Packet Details pane and add it as a column, which is what we are going to do. First, apply the filter http.request. Select an HTTP request packet and, in the Packet Details pane, expand Hypertext Transfer Protocol and find the Host line. Right click on it and select Apply as Column.

Wireshark apply as column

Next, change your filter to tls.handshake.type == 1, which matches TLS Client Hello messages, and select any packet; most will have a destination port of 443, but the filter matches Client Hellos on any port, which is exactly what you want when looking for malware. Expand Transport Layer Security > Handshake Protocol: Client Hello > Extension: server_name > Server Name Indication extension, right click on Server Name, and select Apply as Column again.

Wireshark add HTTPS server name

Now let’s combine those two into a single column. Right click a column heading again and select Column Preferences. You can now see the two new columns we added; they have a type of Custom, with the field name in the Fields column (http.host for the Host column, tls.handshake.extensions_server_name for the Server Name column). We want to combine those two fields with ||, which in a custom column means “show whichever of these fields is present in the packet”, and then hide the other column. Double click on the Fields entry for Server Name and copy that text. Now double click on the Fields entry for Host and change it to http.host || tls.handshake.extensions_server_name. Finally, uncheck the box next to Server Name so it is no longer displayed.

Update: I have since changed this to also include the DNS query name. I know it appears in the Info column, but I like seeing all of my host names in one place, so the field is now: http.host || tls.handshake.extensions_server_name || dns.qry.name

Wireshark custom column fields

Almost done. One final field I like to add and keep hidden, since it is not always needed, is kerberos.CNameString, which holds the client principal name from Kerberos traffic and is the quickest way to tie a Windows host’s traffic back to a user account or computer name. Using the steps above, add it as a hidden column. If you run into problems, feel free to reach out and I can help. You can also add Src port (unresolved) as another hidden column if you think you will use it.

Exporting a Profile

Now that we have customized our profile, let’s export it so we can use it elsewhere and so we have a backup. This is a quick and easy process. Go to Edit > Configuration Profiles to open the profiles window. At the bottom, select Export > all personal profiles. This saves the configuration into a zip file. To import it on another machine, do the same steps and select Import > from zip file. Profiles are just directories under your personal configuration folder (Help > About Wireshark > Folders shows the path), so you can also copy that directory by hand.

Wireshark export profile
Wireshark import profile

Saving filters

Our last section is going to show how to create some custom filters and save them so they are quickly accessible. You can do this with any filters that you find yourself applying repeatedly or that you use frequently.

The first filter we will save is a basic HTTP and HTTPS filter that also ignores SSDP (Simple Service Discovery Protocol) traffic. Wireshark’s SSDP dissector is built on the HTTP dissector, so the noisy M-SEARCH and NOTIFY messages from printers, media players and routers match http.request; we need to exclude them explicitly. A couple of things before we get started. We need AND, OR, and NOT in these filters, and each can be written more than one way. How you do this is personal preference; I’ll show my way, but feel free to write them however you wish.

  • AND: and, or &&
  • OR: or, or ||
  • NOT: not, or !(xxx)
  • Don’t forget parentheses to group the OR terms together, otherwise the NOT only applies to the last term

The filter looks like this: (http.request or tls.handshake.type == 1) and !(ssdp). Once that is entered, click the plus symbol at the right end of the filter bar, enter Basic as the label, and click OK. It should now appear as a button on the far right of your filter bar.

Wireshark save filter

Now let’s build on this basic filter and include TCP SYN packets, so that connection attempts show up even when the server never answers or the protocol is not HTTP or TLS. A bare SYN has a TCP flags value of 0x0002 (SYN set and nothing else), so this does not match SYN-ACK replies (0x0012). Add that as another OR term: (http.request or tls.handshake.type == 1 or tcp.flags == 0x0002) and !(ssdp). Save that as Basic+.

Building on this further, let’s add DNS traffic, which is where you will often see the first sign of a lookup for a malicious domain: (http.request or tls.handshake.type == 1 or tcp.flags == 0x0002 or dns) and !(ssdp). Save this one as Basic+DNS.

A couple more I use are:

  • TLS Cert – tls.handshake.type == 11 (the Certificate message; note that in TLS 1.3 the certificate is sent encrypted, so this only finds certificates in TLS 1.2 and earlier handshakes)
  • FTP – ftp.request.command or ftp-data
  • SMTP – smtp

You can see these are now quickly accessible and can easily be customized to how you use Wireshark.

Wireshark custom configuration
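The same column layout and saved filters are just as useful from the command line, for example when a capture is too large for the GUI or the analysis runs on a headless box. The script below is an added example, not part of the original post or of Brad Duncan’s material: it builds the tshark invocation that reproduces the profile (unresolved ports, the three saved filters, and the fields behind the combined host name column) and then merges the exported fields the way the `||` custom column does. It assumes tshark is on the PATH; the parsing helpers are exercised against constructed sample output, so nothing here needs a capture file or a network.

```python
"""tshark counterpart of the custom Wireshark profile built above.

Added example, not from the original post. Assumes tshark is installed and
that you pass it a capture file; the parsing helpers run against constructed
sample output and need neither tshark nor a network.
"""
import subprocess
from datetime import datetime, timezone

# Saved filters from the post. tshark's -Y takes the same display filter
# syntax as the Wireshark filter bar.
SAVED_FILTERS = {
    "Basic": "(http.request or tls.handshake.type == 1) and !(ssdp)",
    "Basic+": "(http.request or tls.handshake.type == 1 or tcp.flags == 0x0002) and !(ssdp)",
    "Basic+DNS": "(http.request or tls.handshake.type == 1 or tcp.flags == 0x0002 or dns) and !(ssdp)",
    "TLS Cert": "tls.handshake.type == 11",
}

# The combined host name column is exported as three separate fields and merged
# afterwards by merge_hostname(): first present field wins, which is what "||"
# does in a Wireshark custom column.
HOSTNAME_FIELDS = ("http.host", "tls.handshake.extensions_server_name", "dns.qry.name")
FIELDS = ["frame.time_epoch", "ip.dst", "tcp.dstport", "udp.dstport", *HOSTNAME_FIELDS, "kerberos.CNameString"]


def build_tshark_cmd(pcap, filter_name="Basic+DNS"):
    """argv that reproduces the profile: unresolved ports, one tab-separated row per packet."""
    cmd = [
        "tshark", "-r", pcap,
        "-n",                              # no name resolution, i.e. the "(unresolved)" columns
        "-Y", SAVED_FILTERS[filter_name],  # the saved display filter
        "-T", "fields", "-E", "header=y", "-E", "separator=/t", "-E", "occurrence=f",
    ]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text):
    """Turn tshark -T fields output (header line plus tab-separated rows) into dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        values = line.split("\t")
        values += [""] * (len(header) - len(values))  # pad short rows defensively
        rows.append(dict(zip(header, values)))
    return rows


def utc_time(row):
    """Epoch seconds to 'UTC Date and Time of Day' with seconds precision, like the Time column."""
    return datetime.fromtimestamp(float(row["frame.time_epoch"]), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def merge_hostname(row):
    """First non-empty of http.host, TLS SNI and DNS query name (the '||' column)."""
    for field in HOSTNAME_FIELDS:
        if row.get(field):
            return row[field]
    return ""


def dest_port(row):
    """Destination port regardless of transport, like the Dest Port column."""
    return row.get("tcp.dstport") or row.get("udp.dstport") or ""


def format_rows(rows):
    """Render rows the way the customized packet list reads: time, destination, port, host name."""
    return [f"{utc_time(r)}  {r['ip.dst']:<15}  {dest_port(r):>5}  {merge_hostname(r)}" for r in rows]


def run_tshark(pcap, filter_name="Basic+DNS"):
    """Run tshark for real and return parsed rows (requires tshark on the PATH)."""
    proc = subprocess.run(build_tshark_cmd(pcap, filter_name), capture_output=True, text=True, check=True)
    return parse_fields_output(proc.stdout)


# Constructed sample of what tshark prints for FIELDS above; not real capture data.
SAMPLE_OUTPUT = "\n".join([
    "\t".join(FIELDS),
    "1603038875.000000000\t10.0.0.53\t\t53\t\t\texample.com\t",        # DNS query
    "1603038876.250000000\t93.184.216.34\t443\t\t\texample.com\t\t",   # TLS Client Hello with SNI
    "1603038877.000000000\t93.184.216.34\t80\t\texample.com\t\t\t",    # HTTP request with Host header
    "1603038878.000000000\t10.0.0.20\t445\t\t\t\t\t",                  # bare SYN, no host name
    "1603038879.000000000\t10.0.0.10\t88\t\t\t\t\tjsmith",             # Kerberos AS-REQ, CNameString
])

if __name__ == "__main__":
    print(" ".join(build_tshark_cmd("capture.pcap")))
    for line in format_rows(parse_fields_output(SAMPLE_OUTPUT)):
        print(line)
```

Run it with no arguments to see the command line and the rendered sample rows; call run_tshark("capture.pcap", "Basic+") against a real capture. Exporting frame.time_epoch and formatting it in Python keeps the timestamps in UTC regardless of the analysis machine’s time zone, which is the same reason the post switches the GUI to UTC Date and Time of Day.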

Conclusion

Setting up Wireshark this way has been a game changer for me and has really sped up my processes. I couldn’t have done this without Brad’s help and I have liberally applied his ideas throughout this post. I hope this helps you as much as it has helped me. Reach out to me on Twitter and let me know if you have any customizations that you have added.

2020 Trace Labs OSINT CTF for missing persons
https://paulcimino.com/2020-trace-labs-osint-ctf-for-missing-persons/
Thu, 16 Apr 2020 17:00:00 +0000

Every 40 seconds, a child goes missing in the United States of America.

https://www.factretriever.com/missing-people-facts

I need to start off by thanking @TraceLabs, all of their volunteers, and the judges for creating and running this event. Up until a month ago I had never heard of them or this CTF and feel they need to get more exposure for the great things they do. Go check out their website and support them. #OSINTforGood

About Trace Labs

This global capture the flag event took place on April 11, 2020 and is a bunch of hackers using their unique skills to find information and leads on missing persons around the world. Teams of up to four people compete against each other and the clock for points with the top three teams winning some pretty sweet prizes. All of the information collected is then compiled and turned over to law enforcement.

The Event

This year had 174 teams and over 550 people participating in the six hour event. My team, Super Sleuthers, was comprised of me, @KH, @edm0nd, and @loopbandit. My mindset going into this was primarily to help law enforcement. Having fun and learning a few things was second. Getting points and winning was a distant third. With so many teams signed up, I didn’t have high expectations on how we would place anyway, plus three of us were new to this. We had a variety of backgrounds and experience levels, so at least we had that going for us.

Points are achieved based on the category of the information we found. We had to give the URL to the data, what it was, why we felt it was relevant, and other optional things like screenshots, pictures, or files. Points were valued starting at 10 for friends up to 5000 for information on their current location.

Categories for the CTF

We had no idea who our subjects would be until the event started, with one exception this year. With the popularity of the Tiger King documentary, they included Carole Baskin’s husband Don Lewis, who has been missing for almost 23 years. The event started right on time, we logged into the CTF website, and we were able to see the 15 subjects selected for the event. I scanned the list and, surprisingly, they were all from the US this year. I was happy about that because doing OSINT on people outside the US is exponentially more difficult.

The Process

We had decided ahead of time to use a Slack channel to share resources and communicate during the event. Our plan was to pick a subject, work on it for an hour, and then switch to another subject. This way we could cover everyone, and if we got stuck we knew someone else could pick up where we left off and maybe find a new lead. That is where the mind map software coggle.it came into play. I created a base diagram and we filled in information as we found it. When we switched, we could see what had already been found, links to that info, and what still needed to be researched.

All four of us dove in and it was pretty quiet for about the first 45 minutes. Once everyone found their groove we started chatting more, asking questions, and offering help. I think we came together as a team within that first hour. Time was going by very quickly. So fast that I didn’t switch to a new subject after an hour because the one I picked had so many good leads. I had already submitted eight flags and all but one had been accepted.

The Unexpected

After about 3 hours I needed a break just to decompress a bit. This is a good time to bring up one important thing that I was not prepared for, and that is the emotional aspect of this. We hear about missing people all the time in the news, online, and in social media. Probably to the point that a lot of us are desensitized to it. Spending hours on end digging through the social media posts of a devastated family that has lost a child or a close family member takes its toll on you. One of my subjects was a 15 year old girl that had taken her phone and laptop, walked out the door, and was never seen or heard from again. That was 3 years ago. Her phone was never turned on, her laptop had never connected to the Internet, she just vanished. A ghost. From what I could tell, law enforcement had no leads. I found her mother’s Facebook account and it consisted of non-stop posts looking for her daughter. I read through every comment, looked at every picture, and watched every video looking for clues and it was gut wrenching. You could feel the desperation in her posts as time went by, just begging and pleading for her to come home. The county sheriff had several posts and videos asking her to come home, come to the sheriff’s office, reach out to anyone and let them know she was ok. That was tough.

The Struggle

After a short break to clear my head and refocus I got back into it. We had periodically checked the main scoreboard to see how we were doing as a team. Surprisingly we had peaked as high as 20th place during the first half, but we were slipping back now. It didn’t take long for the frustration to return. I felt like I kept hitting dead ends, I couldn’t find new leads, my lack of experience was showing, and I kept getting stuck. I would stare at the screen not knowing what to do, what to try, how to proceed. I kept telling myself this was just caused by inexperience. Go back to the basics. What did I miss? What did I learn in the OSINT class that I hadn’t tried yet? I switched to a new subject to mix it up and started finding clues and submitting flags. I got my groove back.

The Finish

The event only lasted six hours and it was flying by. It was close to midnight and I couldn’t believe we had been at this for almost six straight hours already. We were cheering each other on, helping each other, and submitting everything we could find right up until the last second.

Wow, that was exhilarating. We chatted in the Slack channel while we watched the scoreboard jump around. Wow, we are in 15th place. How the hell did that happen? Then we dropped to 16th….then 17th… An hour after the event ended, I was beat and told my team I was signing off. I didn’t know how long it would be before the final results were in, so I went to bed exhausted.

The Results

I woke up about five hours later. My eyes felt like I had sand in them from lack of sleep, but I had to know. I jumped on my laptop to see if the final results were posted. I rubbed my eyes as I focused on the scoreboard. Is that right? That can’t be right. Holy shit, that is right!

12th place. Made the top 20 the first time, less than 200 points from making the top 10. Wow, total disbelief. But more than that, the four of us had managed 116 submissions that had been accepted by the judges that were going to hopefully benefit some of these families. Not bad for a bunch of newbs.

The Conclusion

This was a really fun event and pushed me well outside my comfort zone. I am so glad I made the choice to do this and would do it again in a heartbeat. Trace Labs has ongoing monthly challenges on their Trello board where you can continue searching for information on newly selected subjects, honing those skills. They also have an active Slack channel to hang out with other OSINT hackers. As you can see from the image above, there is a ton of information that will be delivered to law enforcement. I hope it does some good and returns a loved one.

Next year team Super Sleuthers will be back, and this time we’re going to make the top 10. Just watch us.

Security Blue Team Intro to OSINT Review
https://paulcimino.com/security-blue-team-intro-to-osint-review/
Sun, 05 Apr 2020 15:36:00 +0000

I recently completed the Security Blue Team course An Introduction to Open-Source Intelligence. If you read my previous post, Review of the Intro to People OSINT Course, you might be wondering why I took two introductory courses. They might be similar in title, but they were very different courses. To be honest, I was on an OSINT kick and took both of the courses within a 5 day period. But I do things like that sometimes (ok, a lot), just jump in with both feet and learn as much as I can.

Who reads code like this? Photo by Markus Spiske on Unsplash

The course looked interesting and the price was right, only £20, which at the time was about $26US. The outline of the course topics was varied and interesting and it ended with a challenge. Cool, and not bad for the very affordable price. I found Security Blue Team on Twitter a few months ago when they started promoting their Threat Hunting course and I signed up to be notified when their Blue Team Level 1 Certification launched. They had just announced the OSINT course so I thought this would be an inexpensive way of taking one of their courses to see if I liked their style before spending a lot more on the full certification course.

Purchasing the course was as easy as using the PayPal checkout and creating my account. I received 3 emails as soon as I paid. The odd thing was, there wasn’t a link to the course in any of them. Just an order placed, order paid, and PayPal’s receipt. Hmm, guess I just go to the site and sign in with the credentials I created.

Once I logged in and found my way to the course it was time to get started. I knew going into this that there weren’t any videos; it was all reading content on their website, and I was fine with that. Each lesson covered a single tool or topic, like theHarvester, Google dorks, Maltego, the OSINT Framework, etc. I read through each one, practiced the exercises on my own, read any and all links they provided, and at the end there was a quiz with several questions to answer, some multiple choice, but a lot were text fields where you entered the command to get the desired response. You can take the quizzes as many times as you like, but you have to get 70% to pass to the next section. This was one thing that became frustrating: I would enter the command that had just worked in the real tool or website, but it was marked as wrong on the quiz. I learned that the format is very important to be marked correct. Apparently there is some string matching going on when grading the answers =) I got the hang of it, it was just frustrating because, as we all know in IT, there are 100 different ways to do anything.

Note: As of this writing the Maltego section is not completed (they said soon so I’m really looking forward to it) and wasn’t available. This was disappointing because the course was already launched and being advertised. Once it has been released I’ll update this post.

Damn, getting their mileage out of this picture! Photo by National Cancer Institute on Unsplash

The course wraps up with a challenge. I took a break before starting this because I was hoping it wasn’t going to be another exercise in fighting the quiz grading process. I jumped on their Discord server, which is great btw, and read through the OSINT channel to see if I was the only one fighting the quizzes. I wasn’t, but the admins were very helpful and guided us in the right direction. They are extremely responsive on there, so kudos to them for constantly monitoring it. That made up for the quizzes.

I’m not going to cover anything about the challenge, I will just say that it was the best part and was so much fun! They spent some time creating this part and it showed. I had to take a break in the middle because I got stuck and was going down too many rabbit holes. If there is one thing I have learned in IT over the years, it’s to walk away if you get stuck and come back to it. That has always worked for me. I grabbed something to eat and went for a walk. It must have cleared my head because I was able to fly through the rest of the tasks when I got back. It really was fun and challenging.

For this final part, you need an 80% to pass. Once I submitted my answers and passed, I was done. The next day I had my certificate waiting for me in an email.

Certificate of completion. Photo by Mitchell Luo on Unsplash

Overall, this was a really good course. Even though there were a couple of things they could do better, the content was thorough and well written. It’s not easy, but that’s the best way to learn. Push outside your comfort zone. The challenge at the end? Well take the course and experience it for yourself. You won’t be disappointed.

Review of the Intro to People OSINT course
https://paulcimino.com/review-of-the-intro-to-people-osint-course/
Fri, 03 Apr 2020 23:40:53 +0000

OSINT Course
Not my hands. Photo by Thomas Lefebvre on Unsplash

I just took the course Intro to People OSINT/Missing People OSINT from Joe Gray and this is my impression of the course and the value I took from it.

Prior to taking this course I had completed the short Intro to OSINT course from Security Blue Team, so I didn’t go into this course with zero experience. I had some familiarity with several tools as well as knowledge of Google dorks and since I’ve been in IT for 25 years, I feel my Google fu is pretty good (more on that later). Even with that knowledge going into this course I still learned a lot, and you absolutely do not need to know any of that before taking it.

The reason I signed up for this course was two-fold. First, OSINT is very interesting to me and I wanted to learn more about it from people that actually know what they are talking about. I saw Joe a few years ago at DerbyCon when he won the inaugural SECTF, so I knew that he knew his $hit. The second reason I took it was I wanted to do another CTF and someone told me about the Trace Labs Global Missing People CTF that was coming up quickly. The final challenge in the SBT course was a ton of fun and I was hooked. I wanted more. I wanted to push myself to learn. Why not do it for a good cause? Reading up on the CTF it mentioned that Joe had a course that would help prepare you for it. I was sold and bought the course, signing up for the one taking place just 2 days later.

Signing up was of course very easy. I used the discount code you can find all over the place, got the meeting invitation from GoToTraining right away, and I was all set. Looking for the code? Some basic OSINT skills will point you to it. Good luck!

infosec training
Not Joe teaching. Photo by NeONBRAND on Unsplash

The day arrived and I joined the meeting and was greeted by everyone. Joe had obviously done this before and got everyone situated and jumped right into it after a quick intro. The course is broken down into two parts. The first is slides and discussion that lasted about 2 hours, we took a break, and then came back for part two that was a live demo of some of the tools and then we all joined him in doing a search for a missing person from Georgia.

The discussion and slide part was interactive with Joe asking us questions as he went along to keep us engaged and a lot of info was given out in what felt like a short period of time. It went by really fast! Some of the tools I had seen and used before, but like every good infosec person you can always pick up something new. So pay attention and ask questions. A lot of this is geared towards the CTF so there is a ton of content about how it works, how to submit flags, and how to get into that “investigative mindset”. To me, that was a key takeaway. How to get into that mindset of tracking down all of your leads and seeing where they take you. But also, how to not get lost down a rabbit hole and waste time. In fact, I asked Joe that exact question, how do you not end up down a path that will lead nowhere? How do you know when enough is enough, you’ve exhausted that lead, move on to something else. He had a great answer for it and I won’t give it away here. You’ll have to take the course.

OSINT investigation
Not me struggling to….read stock prices? Photo by Adam Nowakowski on Unsplash

Part two was the best part for me. I’m a visual learner so I tend to watch a lot of training videos or do in-person training almost exclusively. I have a hard time reading a book and getting anything out of it. Joe demonstrated a few of the tools, how they are used, and what to use them for. Most of those demos went well, so he must have paid the demo gods before the class.

From there he showed us the missing person who would be our subject for the next hour or so. We dove into Google searches, social media searches, and many websites we could use to gather specific information about our subject. I was furiously taking notes during this part and doing my own searches on the side to help find other information. It is difficult to do both and not get lost though. I would probably just stick with what Joe is doing on screen and help with that rather than jumping back and forth. I feel you would miss things that way.

After finding a ton of info on our subject we had come to the end of our time and Joe opened it up to questions. I and several others were posting them in the chat and he got to every one of them. We wrapped it up with a quick view of new things Joe is currently working on and then we were done.

Overall, this was a very good course that got me motivated and prepared for the CTF coming up in a week. Joe is a great instructor who took the time to answer everyone’s questions and would ask us questions if our engagement started dropping. To me, that’s the sign of someone who has experience teaching. A lot of people say those that teach cannot do, but in this case Joe can do both. If I had to pick something that could be better, I would say maybe providing us a list of the websites he used during the demo. I think I wrote them all down during the demos, but I’m not 100% sure.

If you are looking for OSINT training and want to take part in the Trace Labs CTF, I highly recommend Joe’s course.

How to disassemble a Word document with embedded macros
https://paulcimino.com/how-to-disassemble-a-word-document-with-embedded-macros/
Sat, 24 Mar 2018 02:37:25 +0000

In this how-to we will go through the steps to create a macro-embedded Word document, extract the files that make it up, and then analyze them for malicious content. In the wild, this is a common way to distribute malware: the document is the delivery vehicle and the macro is the downloader.

To start we will create an embedded macro that will run when the document is opened and download an image from the Internet.

1. Create a new Word document.

2. Press Alt + F11 to open the VBA editor, and open ThisDocument under Microsoft Word Objects in the Project pane; Document_Open only fires from that module.

3. Copy and paste the code below, substituting the URL of your image or file and your local path.

Sub Document_Open()
    ' Runs automatically when the document is opened (an auto-exec entry point)

    Dim myURL As String
    myURL = "<Full URL to your image or file>"

    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", myURL, False   ' False = synchronous, so .Status is valid after .send
    WinHttpReq.send

    If WinHttpReq.Status = 200 Then
        Dim oStream As Object
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1                  ' 1 = adTypeBinary
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile "C:\<Complete path>\logo.png", 2   ' 1 = no overwrite, 2 = overwrite
        oStream.Close
    End If

End Sub

Save the file as a macro enabled document (.docm)

A .docm is an Office Open XML package, which is just a zip archive. To extract the individual files that make it up, like the XML and bin parts, simply rename the file extension to .zip and extract it with your favorite archive utility. Do this on a copy, inside your analysis VM, never on your day-to-day machine.

You should see something similar to this:

The docProps folder has some interesting files that contain valuable information when analyzing potentially harmful documents, especially app.xml. It records things such as the total editing time, pages, words, characters, and the application that produced the file. A large file with very little actual content, or a document with no recorded editing time, should be examined carefully; the bulk is probably not the document text.

We are after the vbaProject.bin file, located in the word folder. This is an OLE2 compound file containing the VBA project, i.e. our macro, in compressed form, so you cannot simply read it in a text editor. To view and analyze its contents we need a tool such as olevba, which is part of oletools.

I am using REMnux in a locked-down VM to analyze the file. Running olevba.py -c vbaProject.bin (the -c option shows only the decompressed VBA source), you can see that olevba easily extracted and displayed the embedded VBA code.

Further analysis with olevba.py -a vbaProject.bin (analysis only) shows that it correctly identified the suspicious content: Document_Open as an auto-executing entry point, and keywords such as CreateObject, Microsoft.XMLHTTP, ADODB.Stream and SaveToFile that indicate the macro downloads something and writes it to disk. You can also run olevba directly against the .docm without unzipping it first.
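Before reaching for olevba it is useful to have a quick, dependency-free triage step that answers the questions above (is it really an OOXML zip, is it macro-enabled, is vbaProject.bin present, what does app.xml say) without opening the document in Word. The script below is an added example, not part of the original post or of oletools: it uses only the Python standard library, builds a constructed minimal .docm-shaped zip for offline testing, and writes vbaProject.bin out so it can be handed to olevba. The size and word-count thresholds in the indicators are assumptions for illustration.

```python
"""Static triage of a macro-enabled Office document using only the standard library.

Added example, not from the original post. A .docm is an OOXML zip, so we list
its parts, read the docProps/app.xml statistics discussed above, check
[Content_Types].xml for the macro-enabled content type, and report whether
word/vbaProject.bin (the OLE2 container holding the VBA) is present. It does
not parse the VBA itself; hand the extracted vbaProject.bin to olevba.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PART = "word/vbaProject.bin"
CT_PART = "[Content_Types].xml"
APP_PART = "docProps/app.xml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # every vbaProject.bin is an OLE2 compound file


def triage_document(data):
    """Return triage facts for a .docx/.docm given as bytes (never opens it in Word)."""
    result = {"size": len(data), "is_zip": zipfile.is_zipfile(io.BytesIO(data))}
    if not result["is_zip"]:
        result["indicators"] = ["not an OOXML zip: legacy .doc (OLE2) or a renamed payload, check with oleid"]
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["parts"] = names
        result["macro_content_type"] = (CT_PART in names
                                        and MACRO_CONTENT_TYPE in z.read(CT_PART).decode("utf-8", "replace"))
        result["has_vba_project"] = VBA_PART in names
        if result["has_vba_project"]:
            blob = z.read(VBA_PART)
            result["vba_project_size"] = len(blob)
            result["vba_project_is_ole"] = blob.startswith(OLE_MAGIC)
        result["app_props"] = read_app_props(z.read(APP_PART)) if APP_PART in names else {}
    result["indicators"] = indicators(result)
    return result


def read_app_props(xml_bytes):
    """Pull the editing statistics Word records in docProps/app.xml."""
    root = ET.fromstring(xml_bytes)
    props = {}
    for tag in ("Application", "TotalTime", "Pages", "Words", "Characters"):
        el = root.find(f"{{{APP_NS}}}{tag}")
        if el is not None and el.text:
            props[tag] = el.text
    return props


def indicators(result):
    """Turn raw facts into review notes. The size/word thresholds are assumptions for illustration."""
    notes = []
    if result.get("macro_content_type"):
        notes.append("content type is macro-enabled (.docm)")
    if result.get("has_vba_project"):
        kind = "OLE2" if result.get("vba_project_is_ole") else "NOT OLE2, malformed?"
        notes.append(f"{VBA_PART} present, {result['vba_project_size']} bytes, {kind}: run olevba on it")
    props = result.get("app_props", {})
    words = int(props.get("Words", "0") or 0)
    if result["size"] > 100 * 1024 and words < 50:          # large file, almost no text
        notes.append(f"{result['size']} bytes but only {words} words: the bulk is not document text")
    if props.get("TotalTime") == "0":
        notes.append("TotalTime is 0: no recorded editing time, consistent with a generated document")
    return notes


def extract_vba_project(data, out_path):
    """Write vbaProject.bin to disk for olevba; returns the number of bytes written."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        blob = z.read(VBA_PART)
    with open(out_path, "wb") as fh:
        fh.write(blob)
    return len(blob)


def build_sample_docm(words="3", total_time="0", vba=OLE_MAGIC + b"\x00" * 4096):
    """Constructed minimal .docm-shaped zip for offline testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(CT_PART, '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                            f'<Override PartName="/word/document.xml" ContentType="{MACRO_CONTENT_TYPE}"/></Types>')
        z.writestr(APP_PART, f'<Properties xmlns="{APP_NS}"><Application>Microsoft Office Word</Application>'
                             f'<TotalTime>{total_time}</TotalTime><Pages>1</Pages><Words>{words}</Words>'
                             '<Characters>20</Characters></Properties>')
        z.writestr("word/document.xml", "<w:document/>")
        if vba is not None:
            z.writestr(VBA_PART, vba)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docm()
    for note in triage_document(data)["indicators"]:
        print("-", note)
```

Run it as python triage.py suspicious.docm to get the indicator list, or with no argument to see it run against the constructed sample. Because the zip is read entirely in memory and the VBA is never executed or decompressed, this is safe to run on a sample before it goes into the sandbox VM where olevba does the real work.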

Typically the macro code in real samples is heavily obfuscated (string concatenation, Chr() calls, reversed strings, decoy variables) and must be deobfuscated and analyzed further to determine the full extent of what it does. olevba’s --deobf and --decode options help with the common cases; the rest is manual work.

Hopefully this quick intro to extracting and analyzing embedded Word macros with oletools helped.  If you have any questions or comments please ask.
