How to apply additional security measures besides PCI DSS?

What do I need to know about PCI DSS?

  • PCI DSS and PCI SSC:

To minimize the risk to payment-card data, there exists the Payment Card Industry Data Security Standard (PCI DSS). It is designed and maintained by the PCI Security Standards Council (PCI SSC). In a nutshell, it aims to make online card transactions substantially more secure.

The card brands enforce these standards themselves. The standard obliges every merchant that accepts any form of online payment to comply with a long checklist, so that transactions take place in a properly secured environment. The checklist mainly strives to keep data and networks highly secure.

  • Spear phishing:

Spear phishing is a type of attack built on social engineering. In this form of phishing, a small number of end users receive customized emails that attempt to obtain their private information fraudulently.

A natural question follows: if spear phishing is the behaviour just described, what then distinguishes it from ordinary phishing?

Ordinary phishing sends emails to a large group of people with no prior research, expecting that only a small number will respond. Spear phishing instead targets a specific group of people with customized emails, prepared after focused research on that group, so that the recipients get exactly the message they are likely to respond to, and are tricked as a result.

Phishing attacks reach a large number of people, but only a very small fraction of the recipients click the links. Spear phishing attacks reach far fewer targets, yet around half of that group click the sent links or open the attachments.

  • Tokenization

Whenever sensitive data is handled, tokenization deserves mention as a way of keeping that data well protected. Fundamentally, the valuable information is replaced by a token, a value that is useless for anything other than this process. A token means nothing to an attacker, or even to the system that uses it; it can only be mapped back to the specific piece of sensitive information it stands for.

This requires a tokenization system, through which tokens can be requested, generated, and detokenized back into the original data. With this approach the data itself is protected to the greatest possible degree. One aspect still needs care: the security of the tokenization system itself. It has to be secured according to best practice, including the standards for sensitive-data protection, secure storage, auditing, authentication, and authorization.
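The following is an added example, not code from the original article, of the minimal pieces a tokenization system needs: a card number is replaced by a random token that keeps only the last four digits, the same card always maps to the same token, detokenization is gated on an authorized role, and every request is written to an audit log. The in-memory dictionaries, the Luhn check, and the role name "settlement-service" are assumptions made for the demonstration; a real vault would keep the mapping in a hardened, access-controlled store.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Assumption for the demo: only this role may ever see a real card number.
AUTHORIZED_ROLES = {"settlement-service"}


def luhn_valid(number: str) -> bool:
    """Standard Luhn check; used to reject junk input and to make sure a token
    never looks like a valid card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) != len(number) or len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal tokenization service: PAN -> token, token -> PAN with authz + audit."""

    def __init__(self, index_key: bytes):
        self._by_token = {}      # token -> PAN: the sensitive mapping (constructed, in memory)
        self._by_pan_mac = {}    # HMAC(PAN) -> token, so a repeated PAN reuses its token
        self._index_key = index_key
        self.audit_log = []

    def _audit(self, event: str, **fields):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, **fields})

    def tokenize(self, pan: str, caller: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Keyed hash as the lookup index, so the vault never indexes on the raw PAN.
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        tok = self._by_pan_mac.get(idx)
        if tok is None:
            # Keep length and last four digits for display; everything else is random,
            # so the token carries no information about the real PAN.
            while True:
                tok = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
                if tok not in self._by_token and not luhn_valid(tok):
                    break
            self._by_token[tok] = pan
            self._by_pan_mac[idx] = tok
        self._audit("tokenize", caller=caller, token=tok)
        return tok

    def detokenize(self, token: str, caller: str, role: str) -> str:
        if role not in AUTHORIZED_ROLES:
            self._audit("detokenize_denied", caller=caller, role=role, token=token)
            raise PermissionError(f"{caller} ({role}) may not detokenize")
        pan = self._by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        self._audit("detokenize", caller=caller, role=role, token=token)
        return pan


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    t = vault.tokenize("4111111111111111", caller="checkout")   # constructed test PAN
    print("token:", t)
    print("settlement sees:", vault.detokenize(t, caller="settle", role="settlement-service"))
```

Because the checkout path only ever receives the token, a compromise of the web tier yields nothing a fraudster can use; the detokenize call is the one place to concentrate access control and monitoring, which is exactly the "secure the tokenization system first" point above.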

  • Jump Server

When discussing networks, security, and securing the data that flows through them, it is essential to understand the concept of a jump server. Devices in a separate security zone can be managed through such a server. The most common example is the demilitarized zone (DMZ), which trusted networks or computers can manage through a jump server.

A jump server has specific administrators who hold authorized credentials on it, for instance to gain access to the DMZ. Every other access attempt from a non-authorized user has to be logged for later audit. The server can thus act as a single audit point for traffic, protecting the data inside the DMZ to the maximum.
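As an added example (not from the original article) of using the jump server as a single audit point, the script below parses a handful of constructed sshd-style authentication lines from a jump host and flags what an auditor would want to see: logins by accounts that are not on the administrator roster, administrators connecting from outside the management network, password logins where keys are expected, and repeated failures from one source. The log lines, the admin roster, the 10.20.0.0/24 management network, and the failure threshold are all assumptions for the demo.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sshd auth-log lines from a jump host (not a real capture).
SAMPLE_LOG = """\
Mar  3 09:01:12 jump sshd[1201]: Accepted publickey for alice from 10.20.0.15 port 51022 ssh2
Mar  3 09:04:55 jump sshd[1210]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Mar  3 09:04:58 jump sshd[1210]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Mar  3 09:05:01 jump sshd[1210]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Mar  3 09:07:30 jump sshd[1222]: Accepted password for bob from 10.20.0.40 port 51100 ssh2
Mar  3 09:09:02 jump sshd[1230]: Failed publickey for carol from 10.20.0.77 port 52000 ssh2
Mar  3 09:09:10 jump sshd[1230]: Accepted publickey for carol from 10.20.0.77 port 52000 ssh2
"""

AUTHORIZED_ADMINS = {"alice", "carol"}                 # assumption: the jump host's admin roster
ADMIN_NETWORK = ipaddress.ip_network("10.20.0.0/24")   # assumption: management network
FAILURE_THRESHOLD = 3                                  # assumption: failures per source to report

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port")


def parse_auth_log(text: str) -> list:
    """Turn raw sshd lines into small event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            result, method, user, src = m.groups()
            events.append({"ok": result == "Accepted", "method": method,
                           "user": user, "src": src})
    return events


def audit_jump_host(events: list) -> list:
    """Return human-readable findings for the audit review."""
    findings = []
    failures = Counter()
    for e in events:
        src = ipaddress.ip_address(e["src"])
        if e["ok"]:
            if e["user"] not in AUTHORIZED_ADMINS:
                findings.append(f"login by non-admin account '{e['user']}' from {e['src']}")
            if src not in ADMIN_NETWORK:
                findings.append(f"admin '{e['user']}' logged in from outside the admin network: {e['src']}")
            if e["method"] != "publickey":
                findings.append(f"'{e['user']}' authenticated with {e['method']} instead of a key")
        else:
            failures[e["src"]] += 1
    for src, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(f"{n} failed logins from {src}")
    return findings


if __name__ == "__main__":
    for f in audit_jump_host(parse_auth_log(SAMPLE_LOG)):
        print("FINDING:", f)
```

The same parser can be pointed at the real log file of the jump host; the value of the design is that there is exactly one such file to review, because every path into the protected zone goes through this server.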

How to apply additional security measures besides PCI DSS?

  1. An organization’s management should first of all recognize that it can be breached at any moment. Security standards can be set very high and followed very strictly, and a security incident can still occur. What, then, is the benefit of security controls? They are meant to keep the number of such events as low as possible, and they make the probability that sensitive data is obtained very low. How? If an organization is breached, these restrictions play a significant role in identifying the risk or the attack before the attacker gets the information he wants out of the network.
  2. Highly sensitive data should no longer be saved or stored in the system at all. As long as it is there, there is always a vulnerability in the system that could be exploited to obtain it. If an organization or merchant is nevertheless obliged to keep such data, tokenization is the perfect solution, because the data itself is no longer stored on the system.
  3. Isolate any sensitive data inside the network or the organization’s system. Approaches such as Forrester’s “Zero Trust” model or McGladrey Ultra Secure can be followed here, to ensure a very high level of protection for sensitive data.
  4. Another attractive solution is to minimize the number of people authorized to access sensitive data. Then, whenever an incident occurs, the security staff have only a small group of people to focus on when examining whether social engineering was involved.
  5. A “jump box” or “jump server” should be used, so that users must log into that server first before getting any access to sensitive data. The cardholder data environment is then restricted to those who can log into the jump box correctly. This can be strengthened further by requiring different credentials to access the data itself. All activity on the jump box can also be captured by fully instrumenting it, after which the jump box can be monitored for suspicious access.
  6. Internet Protocol (IP) addresses should be limited to the people inside the organization. All the HTTP and HTTPS traffic the business needs should still be allowed, but it cannot be left unrestricted to reach any IP address or URL. The solution is a proper whitelist or blacklist of IP addresses, so that an attacker cannot simply operate from any IP address or URL to play around with the network.
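As an added example, not code from the original article, the following Python implements the last point with both directions of the rule: inbound sources are checked against an allow list where a block list takes precedence, and outbound HTTP/HTTPS requests are permitted only to approved hostnames or approved IP literals, with every decision carrying a reason that can be logged. The address ranges, the blocked guest subnet, and the hostnames are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy (assumptions, not from the article).
INBOUND_ALLOW = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
INBOUND_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.99.0/24",)]   # e.g. guest Wi-Fi
EGRESS_HOSTS = {"payments.example.com", "api.example.com"}            # business needs only
EGRESS_ALLOW = [ipaddress.ip_network("192.0.2.0/24")]                  # for URLs with IP literals


def inbound_decision(src_ip: str):
    """Block list wins over allow list; anything unlisted is denied (default deny)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, "unparseable source address"
    if any(addr in n for n in INBOUND_BLOCK):
        return False, "source in block list"
    if any(addr in n for n in INBOUND_ALLOW):
        return True, "source in allow list"
    return False, "source not in allow list"


def egress_decision(url: str):
    """HTTP/HTTPS stays open, but only towards approved hosts or approved IP literals."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addr = ipaddress.ip_address(host)       # URL written with a literal IP
    except ValueError:
        if host.lower() in EGRESS_HOSTS:
            return True, "host in egress allow list"
        return False, "host not in egress allow list"
    if any(addr in n for n in EGRESS_ALLOW):
        return True, "IP literal in egress allow list"
    return False, "IP literal not in egress allow list"


def inbound_allowed(src_ip: str) -> bool:
    return inbound_decision(src_ip)[0]


def egress_allowed(url: str) -> bool:
    return egress_decision(url)[0]


if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.0.99.5", "203.0.113.9"):
        print("inbound", ip, inbound_decision(ip))
    for u in ("https://payments.example.com/charge", "http://198.51.100.7/", "ftp://payments.example.com/"):
        print("egress", u, egress_decision(u))
```

Checking IP literals separately matters because a hostname allow list alone is bypassed by writing the address directly in the URL; the reason string is what the firewall or proxy should log so that denied attempts are visible to the audit described earlier.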


How does Amazon AWS deal with data encryption?

What is PCI DSS?

To begin with, the Payment Card Industry Data Security Standard (PCI DSS) provides a checklist that organizations handling online credit-card payments have to comply with. The list ensures that organizations follow the appropriate security standards to prevent breaches from occurring. Merchants that refuse to comply face heavy financial penalties.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is legislation concerned with keeping medical information as safe as possible, through data-privacy and other security provisions.

Cyber attacks and ransomware attacks are aimed at health-insurance data, held by both insurers and providers of the service. Such attacks are of great concern under HIPAA, which aims to protect this sensitive data from breaches through compromised systems.

Why Data Encryption at Rest?

An essential requirement that both PCI DSS and HIPAA impose on an organization’s systems is that the sensitive data, cardholder data and health-insurance data respectively, be held in encrypted form.

Before going further, let us look more closely at the notion of data encryption. Encrypting data means transforming it into another form, or code, such that access to the decryption key is required to make sense of the stored data.

Almost all organizations rely on this technique, since it is extremely popular and effective in securing data. In more detail, two kinds of encryption are in common use around the world: asymmetric encryption, also called public-key encryption, and symmetric encryption.

Symmetric encryption has the advantage of speed over asymmetric encryption. In the process, the encryption key is exchanged between sender and recipient before the data can be decrypted.

Consequently, companies have to distribute and manage huge numbers of keys to be able to use this method. It has therefore become usual for companies to encrypt the data with a symmetric algorithm, and then use an asymmetric algorithm to exchange the secret key.

Asymmetric encryption, or public-key cryptography, on the other hand uses two different keys: one public and one private. While the public key is known and can be shared with everyone, the private key is kept strictly protected.

One of the most widely used encryption algorithms is the Rivest-Shamir-Adleman (RSA) algorithm. Sensitive data can be secured with this algorithm, which relies on public-key cryptography. An insecure network such as the internet is exactly the place to make use of it.

The confidentiality, integrity, authenticity, and non-repudiation of electronic communications and data are assured by the use of this algorithm, which encrypts data using both the public and private keys before it is sent over an insecure network. Digital signatures are used in this process as well.
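The following added example (not from the original article) shows the hybrid construction the text describes, in standard-library Python: a fresh symmetric session key encrypts the data, the recipient's public key wraps that session key, and the recipient unwraps the key with the private key before decrypting. To stay runnable without third-party libraries, the symmetric part is a toy HMAC-SHA256 counter-mode stream with an HMAC tag standing in for AES, and the asymmetric part is textbook RSA (no padding) over two small constructed Mersenne primes; neither is a production cipher, and real systems use AES-GCM and RSA-OAEP or a key-agreement scheme. The key sizes, primes, and message are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA parameters: two Mersenne primes, far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def rsa_keypair(p=P, q=Q, e=E):
    """Textbook RSA key generation; d is the modular inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt_int(m: int, pub) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message too large for the modulus")
    return pow(m, e, n)


def rsa_decrypt_int(c: int, priv) -> int:
    n, d = priv
    return pow(c, d, n)


def _subkeys(key: bytes):
    # Separate keys for encryption and authentication, derived from the session key.
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter). Stands in for AES."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def sym_encrypt(key: bytes, plaintext: bytes):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # integrity check
    return nonce, ct, tag


def sym_decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def seal(plaintext: bytes, recipient_pub) -> dict:
    """Hybrid envelope: symmetric cipher for the data, public key for the session key."""
    session_key = secrets.token_bytes(16)                      # 128-bit, fresh per message
    wrapped = rsa_encrypt_int(int.from_bytes(session_key, "big"), recipient_pub)
    nonce, ct, tag = sym_encrypt(session_key, plaintext)
    return {"wrapped_key": wrapped, "nonce": nonce, "ct": ct, "tag": tag}


def open_envelope(env: dict, recipient_priv) -> bytes:
    session_key = rsa_decrypt_int(env["wrapped_key"], recipient_priv).to_bytes(16, "big")
    return sym_decrypt(session_key, env["nonce"], env["ct"], env["tag"])


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    env = seal(b"constructed cardholder record", pub)
    print(open_envelope(env, priv))
```

The point the paragraph makes is visible in the sizes: only 16 bytes pass through the slow public-key operation, however large the data is, and the recipient's private key never has to be distributed.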

What is AES?

The Advanced Encryption Standard (AES), also known as Rijndael, is a means of encrypting data. The U.S. National Institute of Standards and Technology established the specification in 2001.

With the arrival of this standard, the Data Encryption Standard (DES) was superseded and is no longer used for any advanced encryption purpose in organizations that require a high level of security. The US government also adopted AES for data encryption.

The standard is a symmetric-key encryption algorithm, which means that encrypting and decrypting the data use exactly the same key.

What does Amazon S3 offer in this regard?

Amazon Simple Storage Service (Amazon S3) is a service in which collecting, storing, and analyzing data of different formats and sizes is possible and easy. Through Amazon Web Services (AWS), one can store data and retrieve it again.

The sources of such data range from websites and mobile apps to corporate applications, and data from sensors or Internet of Things (IoT) devices. Media storage and distribution can depend on Amazon S3, as can the “data lake” for big-data analytics. Even serverless computing applications can make use of Amazon S3.

Photos, videos, and other data captured on mobile devices, backups of mobile and other devices, machine backups, machine-generated log files, streams produced by IoT sensors, and high-resolution images can all make efficient use of Amazon S3.

Amazon S3 buckets can then be configured for server-side encryption (SSE) using AES-256.
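Configuring a bucket for SSE is only half of the control; the other half is making sure nothing can be uploaded without it. The added example below (not from the original article) builds the bucket policy AWS documents for this purpose, which denies any PutObject that lacks the `x-amz-server-side-encryption` header or sets it to something other than `AES256`, and includes a small evaluator that applies those two Deny statements to a request's headers. The bucket name is a constructed placeholder, and the evaluator covers only these statements, not the full IAM evaluation logic.

```python
import json

SSE_KEY = "s3:x-amz-server-side-encryption"


def sse_bucket_policy(bucket: str) -> dict:
    """Bucket policy that rejects unencrypted or non-AES256 uploads (AWS-documented pattern)."""
    arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"StringNotEquals": {SSE_KEY: "AES256"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"Null": {SSE_KEY: "true"}},
            },
        ],
    }


def put_allowed_by_policy(policy: dict, request_headers: dict) -> bool:
    """Apply only the two Deny statements above to a PutObject request.

    Mirrors IAM semantics for these operators: StringNotEquals matches (and so denies)
    when the key is absent or differs; Null/true matches when the key is absent.
    """
    value = request_headers.get("x-amz-server-side-encryption")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        cond = stmt["Condition"]
        if "StringNotEquals" in cond:
            expected = cond["StringNotEquals"][SSE_KEY]
            if value is None or value != expected:
                return False
        if "Null" in cond and cond["Null"].get(SSE_KEY) == "true" and value is None:
            return False
    return True


if __name__ == "__main__":
    policy = sse_bucket_policy("cardholder-data-bucket")   # constructed bucket name
    print(json.dumps(policy, indent=2))
    # A compliant upload with boto3 sets the header through this parameter:
    #   s3.put_object(Bucket=..., Key=..., Body=..., ServerSideEncryption="AES256")
    print(put_allowed_by_policy(policy, {"x-amz-server-side-encryption": "AES256"}))
```

Note that this strict form also rejects `aws:kms` uploads; a bucket that should accept KMS-managed keys needs the StringNotEquals value changed accordingly.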

What can Amazon EC2 offer for decryption?

Instance storage can be used on Amazon EC2. It holds data for a temporary period of time. Information that changes frequently, such as buffers, caches, and scratch data, is what is mostly kept on instance storage, but in unencrypted form.

Linux dm-crypt can be used in this process. It is a Linux kernel-level encryption mechanism: an encrypted file system can be mounted and made available to the operating system, after which applications can work with all the files in the file system without any further interaction.

dm-crypt sits between the physical disk and the file system. Data is encrypted as the operating system writes it to the disk, as shown in the following figure.

Finally, it is important to note that an application never knows anything about this encryption, because applications use a specific mount point to store and retrieve files, while the encryption happens as the data is stored on the disk. Therefore the data is of no use if the hard disk is stolen or lost.

How to Perform Physical Acquisition in Android Forensics?

Things you need to understand first:

  • Logical Storage:

We first need to grasp the idea of a logical disk; let me explain the notion in a nutshell. A logical disk is often referred to as a virtual disk as well. A virtual disk is a storage capacity that can draw on the storage of several physical disk drives.

With this concept of logical storage, the user is presented with a contiguous storage area. It is not, of course, a physical storage unit, because it does not rely on a single disk and claim that disk’s capacity as its own; it can keep files on multiple physical units. Most modern operating systems offer logical volume management.

  • System partition & Data partition:

The system partition is where the system root resides; in other words, the operating system folder is contained in the system partition. On Linux platforms, for instance, the root directory (/) holds all the operating system files.

The data partition is the disk partition that contains all the data the user stores on the hard disk. It has nothing to do with the operating system, since it relates to the user in the first place.

There is another partition, called the boot partition. It holds the bootloader, which makes the operating system capable of booting. For instance, the /boot/ directory holds the boot files (such as the kernel, the initrd, and the GRand Unified Bootloader (GRUB)).

  • Data Acquisition Methods:

Data acquisition is an interesting topic in the domain of mobile forensics. Why is it important to know about it in the first place? Since a logical image is needed to investigate a system, the process of extracting that data is what we call data acquisition. There are in fact three main categories of data acquisition, which we analyze in detail below.

  1. Manual acquisition:
    • The investigation relies on the mobile device’s user interface.
    • The examiner captures an image of each screen while browsing the device. Although no tools are involved, manual acquisition has a great pitfall: in addition to being time-consuming, not all data can be viewed by the user, and therefore not all data can be recovered by this method.
  2. Physical acquisition:
    • A bit-by-bit copy of the whole file system is created.
    • This is very similar to the physical acquisition process in standard digital forensics.
    • The data residing on the device, plus unallocated space and even deleted data, are all copied by this demanding method.
  3. Logical acquisition:
    • This process relies on the equipment manufacturer’s application programming interface.
    • The phone’s contents are synchronized with a personal computer through this original interface.
    • Plenty of free software tools are available for this method.
    • Neither deleted data nor unallocated space is recovered by this method, which fundamentally extracts the data accessible to the device’s users.

How to image the Android file system using dd?

There are in fact plenty of free and commercial tools available for taking an image of a specific partition. However, all of them require root access on the device or the emulator. Even when commercial tools are used, the device is rooted temporarily before an image of a partition is taken by acquiring a physical dump.

The tool used here is “dd”, which can take an image of a rooted device.

  1. Root the device, whether a real device is connected or the emulator is used.
  2. Note that the “dd” tool is located in the directory “/system/bin” by default on an Android system.
  3. Use the “mount” command, which shows the locations of the partitions on the device, so that we can find the partition we want.
  4. Analyzing the results of the previous step (shown in the original article’s image), the system partition has the following entry:
    /dev/block/mtdblock0
  5. The data partition, on the other hand, has the following entry:
    /dev/block/mtdblock1
  6. The SD card partition has the following entry:
    /dev/block/vold/179:0
  7. It is essential to understand that taking an image of any of these partitions follows the same steps and methodology. However, the data partition is the one of concern for this article.
  8. The data partition can be extracted with the following command, which relies on the “dd” tool:
    dd if=/dev/block/mtdblock1 of=/mnt/sdcard/output.img
  9. Let us understand this command: “if” means input file and “of” refers to the output file. The image is written to the SD card under the name “output.img”.
  10. The block size can also be customized with the “bs” option of “dd”.
  11. Pulling the file afterwards is straightforward with the “adb pull” command. The following command pulls the image file to our workstation:
    adb pull /mnt/sdcard/output.img
  12. Take care with the output destination of the dd command: it must be a separate location (the SD card); otherwise the image file would be written over the very partition of the device that is being imaged.
  13. The image should now exist on the local machine for investigation. The only pitfall of this method is that an SD card is required; without one we could not have proceeded.
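The added example below, which is not code from the original article, automates the bookkeeping around the procedure above: it parses `mount` output to find which block device backs a mount point, builds the `dd` command with an explicit block size, refuses an output path that lands on the partition being imaged (the pitfall in step 12), and verifies after `adb pull` that the local copy hashes to the same SHA-256 as the image on the device. The mount output is a constructed sample modelled on the devices named in the article; the device-side hash is assumed to come from a tool such as `sha256sum` where the device provides one.

```python
import hashlib
import os
import shlex
import tempfile

# Constructed sample of `mount` output from an Android emulator (not a capture from the article).
MOUNT_OUTPUT = """\
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,nosuid,mode=755 0 0
/dev/block/mtdblock0 /system yaffs2 ro 0 0
/dev/block/mtdblock1 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/vold/179:0 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec 0 0
"""


def parse_mount(text: str) -> dict:
    """Return {mount_point: (device, fstype)} from `mount` output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            device, mount_point, fstype = parts[:3]
            table[mount_point] = (device, fstype)
    return table


def dd_command(device: str, out_path: str, bs: str = "4096") -> str:
    # Quote every argument so an unusual device path cannot break the shell command.
    return shlex.join(["dd", f"if={device}", f"of={out_path}", f"bs={bs}"])


def image_partition(mount_table: dict, mount_point: str, out_path: str) -> str:
    """Build the dd command for a mount point, rejecting an output on that same partition."""
    device, _fstype = mount_table[mount_point]
    if out_path == mount_point or out_path.startswith(mount_point.rstrip("/") + "/"):
        raise ValueError("output must not be written onto the partition being imaged")
    return dd_command(device, out_path)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pull(device_side_hash: str, local_path: str) -> bool:
    """True when the pulled image matches the hash computed on the device."""
    return device_side_hash == sha256_file(local_path)


def demo_verify():
    """Simulate a pull with constructed image bytes; returns (intact, after_corruption)."""
    data = b"\x00" * 4096 + b"constructed-partition-bytes" * 100
    device_hash = hashlib.sha256(data).hexdigest()    # what the device-side hash would be
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    intact = verify_pull(device_hash, path)
    with open(path, "ab") as f:                       # a truncated or altered transfer
        f.write(b"x")
    corrupted = verify_pull(device_hash, path)
    os.unlink(path)
    return intact, corrupted


if __name__ == "__main__":
    table = parse_mount(MOUNT_OUTPUT)
    print(image_partition(table, "/data", "/mnt/sdcard/output.img"))
    print(demo_verify())
```

Recording both hashes alongside the dd command used is what lets an examiner show later that the analyzed image is the one taken from the device.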

How to perform a logical acquisition with Santoku Linux and adb?

Things you need to know first

  • Adb:

To master the field of Android forensics, some essential tools have to be understood very clearly. Among them is the Android Debug Bridge (adb).

The Android SDK ships this tool pre-installed, in its “platform-tools” directory. No setup is needed when using Santoku, because it is already installed in “/usr/bin”.

How to perform a logical acquisition with Santoku Linux and adb?

(Extracting the entire filesystem)

  1. First, open a terminal window inside Santoku.
  2. Type “adb shell” in the terminal to open a remote shell on the emulated device, so that the following commands run on the device.
  3. Then type “mount” as the next command to see how the device’s file systems are attached to the file tree.
  4. You can simply see that /dev/block/mtdblock1 is where the /data partition is located.
  5. The “df” command can be used at this point to show the disk space on the partition: the total space, the used space, and the available space.
  6. Type “exit” to leave the adb shell.
  7. The pull command offered by adb is used to extract the file system to the examiner’s computer. Opening the files in the file browser afterwards is a logical acquisition.
  8. The command used is “adb pull” followed by the path to pull and then the destination. Here all user data is assumed to reside in the /data partition. Accordingly, typing “adb pull /data /path/to/store/files” in a new terminal window extracts the entire user data partition.
  9. Now you can double-check the extracted files with the “ls /data” command.
  10. The operating system’s file explorer can be used at this point to browse the pulled folders.
  11. Inside the folder called “data” there is another folder called “data”, which holds all the installed applications.
  12. A single application could instead have been extracted on its own by typing “adb pull” followed by “/data/data/”, then the name of that package, then the destination path, and finally the package name again.
  13. It is a good idea to have a list of all installed packages. One way is to type “ls /data/data” after first entering “adb shell”. This displays the list of installed packages, as shown in the following image.
  14. Type “exit” again to leave the adb shell.

(Extracting certain files)

  1. Suppose now we need to extract only the SMS messages. We need to extract the package named “com.android.providers.telephony” and no other. The following command does exactly that: “adb pull /data/data/com.android.providers.telephony /path/Telephony/”. Note that “/path/Telephony” is the new location of the extracted data; this exact path is not required and could be changed to “/home/infosec/Telephony”, for instance.
  2. The pulled files and their directories can now be explored with the utilities that come with Santoku.
  3. To reach the directory just extracted, click the icon of the file manager PCManFM, then open the folder named “Telephony” with a double click.
  4. Inside the “databases” folder there is a file named “mmssms.db”, which can be opened with the utility “Sqliteman” by right-clicking the file and selecting that utility. It contains all the details of SMS/MMS messages, as suggested by the table names.
  5. The SMS table can be queried and displayed with a double click on the table. It holds all SMS messages, which can be further correlated with IDs through other tables and columns. A sample of the SMS table is shown in the following image.
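As an added example (not from the original article), the Python below does with the standard `sqlite3` module what steps 4 and 5 do in Sqliteman: it opens an mmssms.db, queries the `sms` table ordered by time, and decodes the columns an examiner needs, converting the millisecond epoch `date` to UTC and the numeric `type` to inbox/sent/draft and so on using the values Android documents in `Telephony.Sms`. Since no evidence file ships with this page, the database is constructed in memory with a subset of the real table's columns and three made-up messages; `open_readonly` shows how to open a pulled file without modifying it.

```python
import sqlite3
from datetime import datetime, timezone

# Android's Telephony.Sms message type codes.
SMS_TYPES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def build_sample_mmssms(path: str = ":memory:") -> sqlite3.Connection:
    """Create a constructed mmssms.db containing the subset of sms columns we query."""
    con = sqlite3.connect(path)
    con.execute("""CREATE TABLE sms (
        _id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
        date INTEGER, type INTEGER, read INTEGER, body TEXT)""")
    rows = [   # constructed messages; dates are milliseconds since the Unix epoch
        (1, 1, "+15555550100", 1496326800000, 1, 1, "Your OTP is 482913"),
        (2, 1, "+15555550100", 1496326860000, 2, 1, "thanks"),
        (3, 2, "+15555550199", 1496413200000, 1, 0, "Meet at 7?"),
    ]
    con.executemany("INSERT INTO sms VALUES (?,?,?,?,?,?,?)", rows)
    con.commit()
    return con


def open_readonly(path: str) -> sqlite3.Connection:
    """Open a pulled database read-only so the evidence file is never written to."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def export_sms(con: sqlite3.Connection) -> list:
    """Query the sms table the way an examiner would in Sqliteman, returning plain dicts."""
    cur = con.execute(
        "SELECT _id, thread_id, address, date, type, read, body FROM sms ORDER BY date")
    out = []
    for _id, thread_id, address, date_ms, typ, read, body in cur:
        out.append({
            "id": _id,
            "thread": thread_id,
            "address": address,
            "time_utc": datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc).isoformat(),
            "direction": SMS_TYPES.get(typ, f"unknown({typ})"),
            "read": bool(read),
            "body": body,
        })
    return out


if __name__ == "__main__":
    for m in export_sms(build_sample_mmssms()):
        print(m["time_utc"], m["direction"], m["address"], repr(m["body"]))
```

The `thread_id` column is the key for correlating messages into conversations, which is the correlation with IDs mentioned in step 5.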

How to emulate “user data” taken from a real device?

Things you need to know first

  • Android Emulator:

Here we come to an exciting topic: the Android emulator. What is meant by an emulator in the first place? The term describes a computer system that behaves like another computer system. The first is called the host and the second the guest. In other words, software or peripheral devices designed for the guest system can be run or used by the host system.

To elaborate, emulation means running a computer program on an electronic device that mimics a different electronic device or program.

The benefit lies in the fact that emulation facilitates the development of new systems. Not only does it provide a place to run the software; it also provides an excellent means to detect, reproduce, and repair flaws in the software before it is built for real. Design decisions are validated this way, so the software is made sure to be fully correct before it is even implemented on hardware.

  • Santoku Linux:

Let us now look at Santoku Linux in more detail. It is an open-source platform used for mobile forensics, and it can also be used to analyze and secure mobile devices.

It is based on a bootable Linux environment in which it is easy and simple to work with the various tools. Software development kits (SDKs) are configured in this environment, and drivers and utilities are pre-installed in the operating system. A graphical user interface (GUI) gives the user a friendly experience, and newly connected mobile devices are automatically recognized and set up.

Data can be collected and analyzed correctly in several ways. Firmware flashing tools from multiple manufacturers are included in Santoku Linux, and free versions of some commercial forensics tools are offered as well. Plenty of useful scripts and utilities designed for mobile forensics are included for this purpose.

Mobile malware can be examined through mobile device emulators. Dynamic analysis is possible by simulating network services with several utilities, and malware databases can be accessed through Santoku’s utilities.

Mobile applications can be tested and assessed for their security with tools that disassemble or decompile them. Specific scripts can quickly discover common issues in a mobile application, and other scripts decrypt binaries, deploy apps, and enumerate app details.

  • AVD

If you are still new to the field, you have most probably come across this term before, or used it without really knowing much about it. An essential term in Android forensics is the Android Virtual Device (AVD).

Basically, when you create an Android emulator, you specify the desired features and specifications of the simulated Android phone, tablet, Android Wear, or Android TV device.

Inside the AVD Manager, an AVD consists of a hardware profile, a system image, a storage area, a skin that defines the appearance of the device, and other properties.

How to emulate “user data” taken from a real device:

  1. Suppose we have created an emulator in Santoku; first we need to find its location. The directories of all existing AVDs can be listed as follows:
    cd .android/avd
    ls
    The following will be shown:
    suspect_device.avd
    suspect_device.ini
  2. The folder “suspect_device.avd” is the one we want. The files inside it can be displayed with the “ls” command:
    cd suspect_device.avd/
    ls
    The following will be shown:
    config.ini    userdata.img
  3. The file “userdata.img” is created at the moment a new emulator is created, in the directory listed above.
  4. Use the “rm” command to remove “userdata.img”:
    rm userdata.img
    ls
    Only the following will now be shown:
    config.ini
  5. Copy the real device’s image, taken from its data partition, into the same location where the removed dummy file used to be, using the “cp” command. The file is named “image.img” and is located in the directory “~/Desktop/files/”:
    cp ~/Desktop/files/image.img /home/infosec/.android/avd/suspect_device.avd/userdata.img
  6. Copying the image takes some time because it is large. When the process is done, the screen shows just the completed command from the previous step.
  7. It is very important that “image.img” ends up at the same location that “userdata.img” occupied before, and that its name is now “userdata.img”. Navigate to the directory and list its files to be sure:
    ls
    The following will appear:
    config.ini    userdata.img
  8. Now open the “Android Virtual Device Manager”, select the modified emulator “suspect_device” and press “Start”, then click “Launch” to actually launch the virtual device.
  9. While the last step may take some time, we need to make sure that the data partition has been mounted, without waiting for the Android home screen to appear:
    1. First, use the command “adb devices”, which shows that the device is up and attached to adb. The following output shows the emulator attached to adb, which recognizes it:
      adb devices
      Then it will display:
      List of devices attached
      emulator-5554 device
    2. On the emulator, navigate to the directory /data/data to check whether the data partition is mounted, and list its folders. From the listing, go through the application names and make sure that they belong to the real device, not to the dummy device that was created. This confirms that the image was mounted correctly.

How to use Santoku in Android Forensics?

Things you need to know first 

  • Android Platforms:

It comes as no surprise that almost everyone is familiar with the word Android and knows that it is, first of all, an operating system for mobile devices.

However, what we are more interested in is finding out the fundamentals of this operating system: where does it come from, and from which operating system did it originate? In fact, it all started from the Linux kernel, for the sake of reaching a dependable operating system that works well on mobile devices and tablets.

It has now become a very common and effective operating system. There is the Android Open Source Project (AOSP), which is an open project where many developers and enthusiasts cooperate to develop new features.

  • Digital Forensics:

Maybe you have heard of forensics in some field of science, even if you are pretty new to the field of computer security. In concept it is no different: it is the investigation and recovery of the material found in digital devices. In fact, it covers all devices that store or process digital data.

Although the notion of forensics is often mentioned when talking about a crime or a similar incident, it is essential for corporations, whether private or public organizations. During the forensic process, data are captured and then analyzed in order to produce a report summarizing any detected attack or discovered evidence.

There are plenty of sub-domains within digital forensics. Depending on the type of devices to be investigated, the specialized sort of digital forensics varies as well. These types are called computer forensics, network forensics, forensic data analysis and mobile device forensics. In this article, our main focus will be on mobile forensics.

How to use Android Emulator in Santoku?

  1. Log in to your machine running Santoku.
  2. Choose “Santoku” from the displayed menu.
  3. Inside it, choose “Development Tools”, then select “Android SDK Manager”.
  4. Select “Tools” afterward, then “Manage AVDs”.
  5. After pressing “Create”, type a name for the Android Virtual Device. For instance, the name could be “AVD_Forensics” as shown in the screenshots.
  6. Select the preferred device next to the label “Device” and its operating system next to the label “Target”. In our case, the device was “Nexus One” and the operating system was “Android 2.2 – API Level 8”.
  7. Choose a suitable Random Access Memory (RAM) size, internal storage size, and external or Secure Digital (SD) card size. We chose 512 MiB, 300 MiB, and 300 MiB respectively, as illustrated in the following image. Now press “OK”.
  8. Choose this newly created emulator to run from the AVD manager. Afterward, click “Start”.
  9. When the next screen appears, choose the applicable options and press “Launch”.
  10. Now the virtual device is ready for use and for any desired processing.

How could SMS/GSM Calls be simulated?

  1. “Telnet” is used to simulate calls or Short Message Service (SMS) messages, which are the two features the emulator lacks.
  2. Open a terminal window. This can be done with the shortcut CTRL+ALT+T.
  3. Type the following command inside the terminal in order to connect to the emulator console: “telnet localhost 5554”. This connects to port 5554, which the emulator has opened.
    telnet localhost 5554
    The output is:
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Android Console: type 'help' for a list of commands
    OK
  4. The connection should now be established. In order to send an SMS, we use a command of the format “sms send” followed by any desired phone number for the sender (in fact, any number is acceptable), followed by the text message itself.
    sms send 00212668559975 This is a test SMS for Android Acquisition
    OK
  5. We can also play around with this incoming SMS and reply to it if we want. We have simulated a device as if it were real. Well, it has really become real 😊
  6. Global System for Mobile Communications (GSM) calls can be simulated as well. How? Inside the console, we type a command of the format “gsm call” followed by the caller’s phone number. Any number is acceptable in this case too.
  7. The interface of an actual incoming call being handled on an Android phone will be displayed.
    gsm call 00212668559975
    OK
  8. Now we are left with three options when receiving such a call:
    1. Either we accept the call and answer it: type “gsm accept” followed by the phone number displayed.
    2. Or we close the call to that phone number: type “gsm busy” followed by the phone number displayed. This switches the call’s state to “busy”.
    3. Or finally, we terminate an inbound or outbound phone call from or towards that phone number: type “gsm cancel” followed by the phone number displayed.
  9. In our case, we decided to take the call, so we chose “accept” as our option in the command. A hang-up interface will then be displayed in place of the incoming-call interface.
    gsm accept 00212668559975
    OK
  10. Canceling a call, on the other hand, will make it listed as a missed call in the displayed interface.
    gsm call 00212668559975
    OK
    gsm cancel 00212668559975
    OK

How to Create a Phone Book Entry?

  1. To create a contact on this device, simply navigate to “Contacts” from the menu.
  2. The emulator will have an empty phone book, since it was created seconds ago.
  3. From the simulated keyboard, choose “Menu”. Afterward, click “New Contact”. Now fill in the boxes with the information needed to complete the contact. When you are done, simply press “Done”.

How to use Netcat to transfer Android file system image directly into a local machine?

Things you need to understand first about Netcat:

  • Netcat: Reading from and writing to a network connection through protocols like Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) is a fundamental capability for both a security administrator and an attacker, although each of them uses whatever data they obtain for a completely different purpose.

Netcat provides an efficient means of investigating a network from the back-end (server) side and of establishing new connections inside networks using the aforementioned protocols. It can be run on its own or driven by scripts or other programs.

Some of Netcat’s features are as follows:

  1. Establish or read any connection going through any port, as long as it is TCP or UDP.
  2. Connections can be established by other programs.
  3. Any range of ports can be scanned, in a randomized order, to find which are open.
  4. Any local source port can be used for any purpose.
  5. A user has the ability to define a network tunneling mode and specify all the used/listening ports, the source, and the remote host.
  6. Perform Domain Name System (DNS) forward and reverse lookups, with warnings shown afterward.
  7. Even a source address configured inside a local network can be used.
  8. A Telnet options responder can be chosen as an option.
  9. There is another built-in feature which allows loose source routing.
  10. Standard input is recognized through command line arguments.
  11. There is another feature which specifies the number of lines sent per second. It is called slow-send mode.
  12. Transmitted and received data are displayed in hexadecimal via a feature called hex dump.
  • Adb:

In order to master the field of Android forensics, there are some essential tools which have to be understood very clearly. Among these tools is what is referred to as the Android Debug Bridge (adb).

The Android SDK has this tool pre-installed; it is located in the “platform-tools” directory. There is no need to set the tool up when using Santoku, since it is already added to “/usr/bin”.

How to use Netcat for transferring Android file system image directly into a local machine?

There are in fact several methods of taking an image of the Android system (or one partition of it), yet this method is one of the most efficient, since it can transfer the image file directly to the machine. Other methods usually depend on first extracting the image of a specific partition by mounting the SD card, for instance. The following are the steps to follow, relying on the Netcat security tool.

  1. Log in to the device, whether a real device is connected or an emulator is used.
  2. Note that the Netcat tool is located in the directory “~/Desktop/files/binaries” by default on the Santoku operating system.
  3. In case a real device is used, the directory “/system/bin” should be checked first to make sure that the Netcat binary exists there; otherwise, it has to be downloaded.
    cd Desktop/files/binaries/
    ls nc
    The following will appear:
    nc
  4. We have to note the advantage of using Netcat before proceeding with this method. While most other tools require the SD card to be used, so that the image is first written to it and then pulled to the local machine, Netcat provides a means of copying the image to the local machine directly.
  5. At this stage, the Netcat binary has to be pushed into the directory “/data/local/tmp” which exists on the device. The “adb push” command works best for this task, as illustrated by the next code.
    adb push nc /data/local/tmp
  6. In order to make sure that the binary was really pushed, open a shell now. In addition, the Netcat binary has to have executable permissions; this has to be ascertained as well.
    adb shell
    cd data/local/tmp
    ls -l nc
    The following will appear:
    -rwxrwxrwx root    root      1120360 2017-07-29 07:41 nc
  7. Use the “mount” command, which will show us the locations of the partitions on the device, from which we can find our desired partition’s location.
    mount
    Analyzing the results we got in the last image, it is apparent that the system partition has the following entry:
    /dev/block/mtdblock0
    On the other hand, the data partition has the following entry:
    /dev/block/mtdblock1
    It is also obvious that the SD card partition has the following entry:
    /dev/block/vold/179:0
  8. It is very essential to understand that taking an image of any of the aforementioned partitions follows the same steps and methodology. However, the SD card partition will be our concern for this article.
  9. Local port 8888 has to be forwarded to remote port 8888 using the command “adb forward tcp:8888 tcp:8888”, as shown in the following image. The actual meaning of this command is that when a connection is established on port 8888 on the local machine, port 8888 on the Android device will receive the same connection, redirected from the local machine’s port.
    adb forward tcp:8888 tcp:8888
  10. Extracting the partition (here the SD card partition) can be performed using the following command, which relies on the “dd” tool along with the Netcat tool. This is illustrated in the following code.
    dd if=/dev/block/vold/179:0 | /data/local/tmp/nc -l -p 8888
  11. The previous command means that the input file (if) is taken from the SD card partition, defined by its entry. Its output is then piped into Netcat, which listens on port 8888.
  12. Now the output of the “dd” command has to be read on the local machine and stored as “sdcard.img”. This can be accomplished using the command in the next code.
    nc 127.0.0.1 8888 > sdcard.img
  13. This process will take a long time, and the screen will look like the following screenshot until the reading and storing is done.
    dd if=/dev/block/vold/179:0 | /data/local/tmp/nc -l -p 8888
    nc 127.0.0.1 8888 > sdcard.img
  14. The output shown in the following image should be the output obtained when the previous process finishes. Also, the created file named “sdcard.img” should now exist in the current working directory of the local machine.
    1951744+0 records in
    1951744+0 records out
    999292928 bytes transferred in 1849.559 secs (527454 bytes/sec)
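As an added example (not code from the original article), the following bash script wraps the dd/Netcat acquisition steps above and adds the check a practitioner wants afterward: the received image size is compared with the record count dd reports, and the image is hashed for the acquisition log. It assumes adb and nc are on the PATH and that the caller supplies the device block path (such as /dev/block/vold/179:0 from the mount listing), the output file name and, optionally, the forwarded port.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Wraps the dd | nc
# acquisition and verifies the received image afterward.
# Assumptions: adb and nc are on PATH; the caller supplies the device
# block path, the output file name and, optionally, the forwarded port.
set -eu

# Parse dd's "N+M records out" line and print the byte count it implies.
# dd's default block size is 512 bytes. A non-zero partial-record count
# ("+1") means the last read was short, so we refuse to guess and return 3;
# a missing summary line returns 2.
dd_expected_bytes() {
    local summary="$1" full partial
    full=$(printf '%s\n' "$summary" | sed -n 's/^\([0-9]*\)+\([0-9]*\) records out.*/\1/p')
    partial=$(printf '%s\n' "$summary" | sed -n 's/^\([0-9]*\)+\([0-9]*\) records out.*/\2/p')
    [ -n "$full" ] || { echo "no 'records out' line in dd summary" >&2; return 2; }
    [ "$partial" = "0" ] || { echo "partial record reported; verify by hand" >&2; return 3; }
    echo $((full * 512))
}

# Compare the local image size with what dd reported on the device, then
# print the SHA-256 of the image for the acquisition log.
# Returns 0 on match, 1 on a size mismatch (truncated or padded transfer).
verify_image() {
    local image="$1" summary="$2" expected actual
    expected=$(dd_expected_bytes "$summary") || return $?
    actual=$(wc -c < "$image" | tr -d ' ')
    if [ "$actual" -ne "$expected" ]; then
        echo "size mismatch: dd reported $expected bytes, file has $actual" >&2
        return 1
    fi
    sha256sum "$image"
}

# Full acquisition: forward the port, start "dd | nc -l" on the device in the
# background, read the stream locally, then verify. dd writes its summary to
# stderr, which adb shell relays to us, so it is captured in a log file.
acquire_partition() {
    local block_dev="$1" out="$2" port="${3:-8888}" log="$2.dd.log"
    adb forward "tcp:${port}" "tcp:${port}"
    adb shell "dd if=${block_dev} | /data/local/tmp/nc -l -p ${port}" > "$log" 2>&1 &
    sleep 2   # give the device-side listener time to bind before we connect
    nc 127.0.0.1 "$port" > "$out"
    wait
    verify_image "$out" "$(cat "$log")"
}
```

Run it as `acquire_partition /dev/block/vold/179:0 sdcard.img`; a non-zero exit means the image should not be trusted as a complete copy.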

How to master Android Forensics?

How to perform a logical acquisition using Santoku Linux using AFLogical?

AFLogical is another method that extracts Android devices’ data besides adb. Content providers are used in this process, saving the extracted data into the device’s SD card. Such data contains contacts, call logs, SMS, Multimedia Messaging Service (MMS), MMS parts, and device info.

  1. Open the terminal window inside Santoku. Then type the command “aflogical-ose”, where “OSE” abbreviates Open Source Edition.
  2. Next, type the root password. If the password is correct, pressing Enter on your computer’s keyboard will pull /sdcard/forensics into ~/aflogical-data/
    Pull /sdcard/forensics into ~/aflogical-data/
  3. Select the desired data for extraction before eventually pressing “Capture”, then “OK” to confirm the completion of data extraction.
  4. In order to continue, press Enter on your computer’s keyboard.
  5. Now the location ~/aflogical-data has the data pulled from the SD card. All the recovered data will be saved into that location from the emulator.
  6. In order to confirm the above, open a terminal window and type “cd ~/aflogical-data/” to change the working directory to that location. The next step is to type “ls” in order to view what was created.
    cd ~/aflogical-data/
    ls
    The following will be displayed:
    20160213.0649
  7. One can now simply browse any extracted images, files or data. All the files containing contacts, call logs, MMS/SMS, and device info will have the extension .csv
  8. One can easily view the aforementioned SMS table, showing all SMS messages.
  9. Note that SQLite databases are the most common means of storing such valuable information. In the following lines, I will mention the file name and the path that stores some evidence.
    a. /data/data/com.android.providers.contacts/databases/contacts2.db is where the phone book mainly resides

    1. We can easily extract this database, for example by using the “adb pull” command.
      adb pull /data/data/com.android.providers.contacts/databases/contacts2.db /home/infosec/ContactDB/contacts.db
    2. In general, one can browse SQLite databases by using the Sqliteman utility: the command “sqliteman” followed by the path where the database resides and then the database file name.
      sqliteman /home/infosec/ContactDB/contacts.db
    3. There are 20 tables inside this database, such as _sync_state and calls.
    4. Call history, or any other valuable data, can simply be obtained by querying a specific table in the database. One can accomplish this with a command such as “select * from calls;”.

b. /data/data/com.android.providers.telephony/databases/mmssms.db is where the SMS and MMS messages exist

c. /data/com.android.providers.calendar/databases/calendar.db is where the calendar lies.

d. /data/com.sec.android.provider.logsprovider/databases/logs.db is where the log exists.

e. /data/system/users/accounts.db is the location of the user’s data

f. Web browser data is essentially located in /data/data/com.android.browser/databases/browser2.db

g. /data/user/com.android.providers.userdictionary/databases/user_dict.db is where the dictionary resides.

How to make sure that devices are connected?

  1. Open the terminal window and use the command “adb devices”.
  2. This lists all of the connected devices; any created emulator that is running is considered an attached device.
  3. In case you cannot see the real device you attached to the workstation (if you actually did so), make sure that the phone has USB debugging enabled. If it is not enabled, you should enable it in order to see the device there.
    adb devices
    Then the output would be:
    List of devices attached
    emulator-5554 device

How to get a shell using adb?

  1. Getting a shell is also pretty straightforward. Simply open the terminal and type the command “adb shell”. The shell should open thereafter.
  2. If both an emulator and a real device are connected, then opening a shell on the emulator requires the command “adb -e shell” instead.
  3. While both an emulator and a real device are connected, opening a shell on the real device requires the command “adb -d shell” instead.
  4. If several emulators and/or real devices are connected together, then opening a shell on a specific target requires the command “adb -s” followed by the device’s name as listed by “adb devices”.

How to list the packages?

  1. Open the terminal and start a shell as shown in the last point of this article, using “adb shell”.
  2. Use the “pm” tool, which can display all the installed packages on the screen. For your information, pm stands for package manager. The command needed for this task is “pm list packages”.
    adb shell pm list packages

How to push files onto the device?

  1. Open the terminal, then type a command of the following format: “adb push” followed by the name of the file on the local machine and then the destination location of that file on the device.
  2. In order to illustrate this point more clearly, create a text file inside the current working directory with sample content, as in the following code.
    echo "sample file" > test.txt
    cat test.txt
    Then the output is:
    sample file
  3. Move the file to the emulator using the push command “adb push test.txt /data/local/tmp”, where that directory is writable on Android.
    adb push test.txt /data/local/tmp

How to pull files from the device?

  1. Open the terminal and use the command “adb pull” followed by the name of the file on the device.
  2. Delete the newly created test.txt from the current working directory.
    rm test.txt
    cat test.txt
    The output is as follows:
    cat: test.txt: No such file or directory
  3. Finally, pull the file from the “/data/local/tmp” directory using the command “adb pull /data/local/tmp/test.txt”. Now the file is pulled back to the current working directory.
    adb pull /data/local/tmp/test.txt
    cat test.txt
    The output is:
    sample file

How to troubleshoot an adb connection?

  1. One can face problems at any time while working with adb. Therefore, the ability to deal with such problems is a must.
  2. An example of such a problem is an emulator not being recognized or discovered by adb while it is up and running.
  3. One can use the command “adb kill-server” so that adb recognizes the devices again.
  4. Finally, try to list all the devices again using “adb devices”.
    adb kill-server
    adb devices
    The output:
    List of devices attached
    * daemon not running. Starting it now on port 5037 *
    * daemon started successfully *
    emulator-5554 device

How to Bypass PIN and Password Locks in Android?

What do I need to know?

  • Santoku Linux:

First, let’s get into more detail about Santoku Linux. It is an open source platform which is used for the purpose of mobile forensics. Santoku Linux can also be used for analyzing and securing such devices thereafter.

It is based on a bootable Linux environment where it is easy and simple to work with the various tools. Software development kits (SDKs) are configured in this environment. Drivers and utilities are also pre-installed in the operating system. In addition, graphical user interfaces (GUIs) are supported by the operating system in order to enable a user-friendly experience. Any newly connected mobile device is automatically recognized and set up.

Data can be collected and analyzed through several methods. Firmware flashing tools from multiple manufacturers are included in Santoku Linux. Free versions of some commercial forensics tools are offered as well. Plenty of valuable scripts and utilities are also designed for mobile forensics and used for this purpose.

Mobile malware can be examined through mobile device emulators. Moreover, dynamic analysis can be achieved by simulating network services, relying on several utilities for this purpose. Databases of such malware can be accessed through Santoku’s different utilities.

Mobile applications can be tested for their security and assessed via tools which are able to disassemble or decompile them. Common issues in a mobile application can be easily discovered by certain scripts. Different scripts have the capability to decrypt the binaries, deploy the apps, and also enumerate the app details.

  • Types of screen locks:

In fact, there are plenty of screen lock types available on an Android device. Five main categories exist:

  1. None: this means that there is no screen lock on this device.
  2. Slide: this means that the device can simply be unlocked by moving the slider.
  3. Pattern: this means that the device can be unlocked by connecting the dots to form the right pattern.
  4. PIN: this means that the device can be unlocked by entering the correct number.
  5. Password: this means that the device can be unlocked by entering the correct characters forming the password.

How to set up a PIN/Password lock?

The following are the steps for setting up a PIN on an Android emulator. For a password, the steps are pretty similar.

  1. On the created Android emulator, “Settings” should be visited first of all. From there get into “Security”, where the option “Screen lock” has to be chosen.
  2. A PIN can also be created by simply choosing “PIN” instead of “Pattern”.
  3. Choose the new PIN and type it now.
  4. This PIN has to be confirmed by entering the same PIN again, to make sure of the number.
  5. “OK” should be pressed now; then exit the wizard through the back button on the emulator.
  6. The power key of the emulator has to be pressed in order to lock the device now.

How to get a password/PIN lock bypassed using adb?

  1. Log in to the emulator as root.
  2. Make sure that the real device has USB debugging enabled before starting the process.
  3. We need to obtain two files named “password.key” and “locksettings.db” and work with them in order to crack the password or the PIN code.
  4. First of all, the hashed password is located inside “/data/system”, and the file containing the hash is called “password.key”.
  5. In the same location, “/data/system”, there is another file named “locksettings.db” where a randomly generated salt is stored. Both the hash and the salt have to be used when attempting the brute force cracking method against the PIN code.
  6. First of all, we need to pull the two files onto the local machine. For this purpose we go through three main steps:
    1. Change the working directory to /data/system on the emulator, where the two files reside:
       /data/system/password.key
      
       /data/system/locksettings.db
    2. Copy the two files onto the SD card using the following commands:
       # cp /data/system/password.key /mnt/sdcard/
      
       # cp /data/system/locksettings.db /mnt/sdcard/
    3. Then pull the files from the SD card onto the local machine using the following commands:
       $ adb pull /mnt/sdcard/password.key
      
       $ adb pull /mnt/sdcard/locksettings.db
  7. Let’s have a look at the hash stored in the file “password.key”. This can be accomplished with the following command:
    cat password.key
  8. The file “locksettings.db” can be opened as well, but with another command this time, since it is in SQLite database format. The command for this is as follows:
    sqlite3 locksettings.db

The salt is obtained this way.

  9. It is apparent that “locksettings” is the table where the salt is contained. The following image shows how to query this specific table of the database using the command
    select * from locksettings;
  10. Inside this table, the entry named “lockscreen.password_salt” is the one which holds the salt.

12|lockscreen.password_salt|0|6305598215633793568

  11. After we have obtained the hash and salt, one of Santoku’s tools has to be used now. It is called
     “recover-android-pin.zip”.
  12. This compressed folder can be found in the following location:
    “~/Desktop/files/screenlock bypass/Password&Pin/”
  13. Now we have to change the current directory to that directory and uncompress the folder using the “unzip” utility available in Santoku.
    ls -l recover-android-pin.zip
  14. Inside it, there is a Python script which cracks the PIN using the brute force method. The following command takes care of this:
    python BruteForceAndroidPin.py
    after which our hash should be typed, then the salt which we extracted, and finally the maximum length of a user PIN.
  15. We should now see the PIN displayed on the screen.
  16. One last note is that this process may take some time depending on how complex the used PIN actually is.

How to Bypass Pattern Locks in Android?

A very important concept to understand, and to know how to do, is bypassing an Android pattern screen lock. Not only is it important for those interested in Android forensics, it is also essential for those who intend to hack an Android system and get access to valuable data on it.

What do I need to know?

Definitely one has to be familiar with some topics or platforms before even starting our discussion of the topic. Among these topics are:

  • Android Emulator:

Here we have come to an exciting topic, which is the Android Emulator. What is meant by an emulator in the first place? Basically, the term is used when talking about a computer system which acts the same as another computer system. The first one is called the host, while the latter is the guest. In other words, if the guest system has any sort of software or peripheral devices designed for it, the host system can run or use them accordingly.

To elaborate more, emulation is having a computer program run on an electronic device while mimicking a different electronic device or program.

The benefit behind it all lies in the fact that emulation facilitates the development of any new system. Not only does it offer a place to run the software, it also offers a great means to detect, recreate and repair any flaws found in that software before building it for real. Design decisions are validated in this manner, so that software is made sure to be one hundred percent accurate before even starting to implement it on hardware.

  • Types of screen locks:

In fact, there are plenty of screen lock types available on an Android device. Five main categories exist:

  1. None: this means that there is no screen lock on this device.
  2. Slide: this means that the device can simply be unlocked by moving the slider.
  3. Pattern: this means that the device can be unlocked by connecting the dots to form the right pattern.
  4. PIN: this means that the device can be unlocked by entering the correct number.
  5. Password: this means that the device can be unlocked by entering the correct characters forming the password.

How to set up a pattern lock?

  1. On the created Android emulator, “Settings” should be visited first of all. From there get into “Security”, where the option “Screen lock” has to be chosen. The previously shown image should appear at this point.
  2. Create a pattern lock by pressing “Pattern”.
  3. The next image should appear on the emulator. On that screen, enter the desired pattern to be set up.
  4. This pattern has to be confirmed by entering the same pattern again, to make sure of it.
  5. “Confirm” should be pressed now; then exit the wizard through the back button on the emulator.
  6. The power key of the emulator has to be pressed in order to lock the device now.

How to bypass a pattern lock using adb?

    1. Log in to the emulator as root.
    2. On a real device, make sure USB debugging is enabled before starting the process.
    3. The following image shows how a pattern is formed out of the displayed dots.

    [screenshot]

  4. Such dots can be thought of as actual numbers. The following image illustrates this point.

    Android pattern lock

  5. Hence, if you think of it this way, the shown pattern becomes 14789 when expressed as numbers.
  6. It is very interesting to know that the Android system stores this pattern as a hash. The hashed value is stored inside “/data/system” in a file named “gesture.key”. Since this file is accessible only by root, root privileges are a must from the very beginning, as mentioned above.
  7. Two methods can be adopted here in order to bypass such a pattern.

a. Removing the file called “gesture.key”

  1. Simply open the terminal window.
  2. Change the current directory to /data/system first of all.
  3. Use the following command to remove the file: “rm gesture.key”.
     ls gesture.key

     The result is:
     gesture.key

     rm gesture.key
     ls gesture.key

     The output is:
     gesture.key: No such file or directory
  4. The device should now be accessible with no pattern lock applied.

b. Pull the “gesture.key” file and crack its SHA-1 hash:

  1. The pattern is stored hashed inside this file. If we can obtain the file and crack its hash, we have effectively bypassed the pattern lock.
  2. Get into the adb shell and become root with the following two commands:
     $ adb shell

     $ su
  3. Copy the “gesture.key” file onto the SD card with this command:
     # cp /data/system/gesture.key /mnt/sdcard
  4. The file can now be pulled to the local machine with this command:
     $ adb pull /mnt/sdcard/gesture.key
  5. Then locate the pulled gesture.key on the Santoku machine.
  6. Now the stored SHA-1 hash of the pattern has to be compared with all possible hashes stored in a dictionary. If the dictionary contains the same hash, we are done.
  7. To crack the hash, rely on the following command:
     $ grep -i `xxd -p gesture.key` AndroidGestureSHA1.txt

     The output shows the cracked pattern; it can be seen that “14789” is the pattern that was originally set.

  8. Let us look more closely at what this command does. xxd -p prints the raw bytes of “gesture.key” as a hex string, and grep -i searches for that string in “AndroidGestureSHA1.txt”, where all possible hashes are stored. The matching line is printed on the screen.
  9. The same command can be wrapped in a small shell script:
     $ cat findpattern.sh

       grep -i `xxd -p gesture.key` AndroidGestureSHA1.txt
  10. Place both “gesture.key” and “AndroidGestureSHA1.txt” next to the script and run it. The following command yields exactly the same result as before:
     $ sh findpattern.sh

       14789;00 03 06 07 08;C8C0B24A15DC8BBFD411427973574695230458F0
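
The lookup above works because gesture.key is an unsalted SHA-1 over a very small key space. As an added example (not part of the lab or the page), this Python script reproduces the dot-to-byte mapping shown in the output line, builds the whole dictionary and looks up a constructed gesture.key; it assumes the 1..9 dot numbering used above and ignores Android's adjacency rules, so the table size is an upper bound.

```python
import hashlib
from itertools import permutations

# Dot numbering used on the page: the 3x3 grid is read as 1..9 and the stored
# form is each dot minus one, so pattern "14789" -> bytes 00 03 06 07 08.


def pattern_to_bytes(pattern: str) -> bytes:
    """Convert a pattern such as '14789' to the byte form hashed into gesture.key."""
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        raise ValueError("Android patterns use 4 to 9 distinct dots")
    return bytes(int(d) - 1 for d in pattern)


def gesture_hash(pattern: str) -> str:
    """Unsalted SHA-1 of the dot bytes, upper-case hex (what gesture.key holds)."""
    return hashlib.sha1(pattern_to_bytes(pattern)).hexdigest().upper()


def build_table(max_len: int = 9) -> dict:
    """Map every SHA-1 (hex) to its pattern for all lengths 4..max_len.

    Android additionally requires consecutive dots to be adjacent unless the
    dot in between was already used; that rule is ignored here, so the table is
    an upper bound on the real key space: 985,824 entries for max_len=9.
    Any space this small makes an unsalted hash equivalent to a plaintext.
    """
    table = {}
    for length in range(4, max_len + 1):
        for dots in permutations("123456789", length):
            pattern = "".join(dots)
            table[gesture_hash(pattern)] = pattern
    return table


def lookup(gesture_key: bytes, table: dict):
    """Emulate 'grep -i `xxd -p gesture.key` AndroidGestureSHA1.txt' in memory."""
    return table.get(gesture_key.hex().upper())


if __name__ == "__main__":
    # Constructed sample: the 20-byte content gesture.key holds for pattern 14789.
    sample_key = hashlib.sha1(bytes([0, 3, 6, 7, 8])).digest()
    table = build_table(9)
    print(f"key space upper bound: {len(table)} patterns")
    print("recovered pattern:", lookup(sample_key, table))
```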

References

http://resources.infosecinstitute.com/android-forensics-labs/

 

How to Exploit File Upload Vulnerability (Double Extension)?

(Double Extension, Content Type, Null Byte Injection)

What do I Need to Know?

  • To begin with, what is File Upload Vulnerability?
    • Examples of web applications attacks:

These examples give an insight into the types of files involved and show how different they can be:

  • A file with a .jsp extension could be uploaded into the web tree. It is then executed as the web user.
  • A file with a .gif extension could be uploaded and then resized. The exploit in this case targets a flaw in the image library.
  • A .rar file could be uploaded; when an antivirus scans it, execution occurs on the server running that antivirus.
  • Huge files could be uploaded, leading to a denial of service.
  • A malicious name or path could be used for an uploaded file, resulting in a critical file being overwritten.
  • Personal data could be uploaded as a text file accessible to all users, which raises another security issue.
  • A file could contain “tags” and then be uploaded. Execution occurs when the file is “included” in a web page.
  • Kali Linux
    • What is the Burp Suite?
      • It is basically an integrated platform designed for the sake of performing security testing of web applications
      • It depends on its tools to perform an entire testing procedure from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

 

How to Perform a Double Extension File Upload?

Some web applications only allow certain extensions to be uploaded. In web applications with a medium security level, only files with the .jpeg and .png extensions are allowed. In other words, uploads are restricted to these extensions; files with other extensions cannot be uploaded to the web server. Getting a malicious file past this check needs a bit of a trick.

In this case, multiple extensions are inserted into the file name in order to deceive the security check. “img1.php.png” looks like a .png file holding some data, but the server will execute it as a .php file, giving code execution inside the application.

  1. Set the security level of the website to low under DVWA Security.
     [screenshot]
  2. Open Kali Linux and create a PHP backdoor with the following command.
     [screenshot]
  3. In Leafpad, an open source text editor for Linux, copy and paste the highlighted code and save it on the desktop with both a PHP and a PNG extension, as img1.php.png.
     [screenshot]
  4. Type msfconsole to load the Metasploit Framework, then start the multi handler.
  5. Visit the vulnerability menu inside the DVWA lab and select “File Upload”.
  6. Press “Browse” and choose img1.php.png to be uploaded to the web server.
     [screenshot]
  7. Now open Burp Suite. Under the “Proxy” tab, turn intercept on.
  8. Set the manual proxy of the browser. Press “Upload” to upload the file.
  9. The intercept will capture the POST request of the upload. In the captured data, change img1.php.png to img1.php.
     [screenshots]
  10. Press “Forward” so that the .php file is uploaded into the directory.
  11. After the upload succeeds, the directory path of the uploaded file is shown. This path is the actual location of the uploaded file; simply copying and pasting the highlighted part of the URL in the following image executes the file.
     [screenshot]
  12. In Metasploit, the following command then shows Meterpreter session 2 of the victim PC.
     [screenshot]
     [screenshot]

How to Perform a Content Type File Upload?

For this kind of restriction, the media type of the message content is checked through the “Content-Type” entity in the request header. Some web applications only allow a “Content-Type” of “text/plain”. Getting a malicious file past this check then requires editing this entity through a web proxy.

  1. Open Kali Linux and create a PHP backdoor with the following command.
     [screenshot]
  2. In Leafpad, an open source text editor for Linux, copy and paste the highlighted code and save it on the desktop with a PHP extension, as img2.php.
     [screenshot]
  3. Type msfconsole to load the Metasploit Framework, then start the multi handler.
  4. Visit the vulnerability menu inside the DVWA lab and select “File Upload”.
  5. Press “Browse” and choose img2.php to be uploaded to the web server.
     [screenshot]
  6. Now open Burp Suite. Under the “Proxy” tab, turn intercept on.
  7. Set the manual proxy of the browser. Press “Upload” to upload the file.
  8. The intercept will capture the POST request of the upload. In the captured data, change the Content-Type of img2.php from “application/x-php” to “image/png”.
     [screenshots]
  9. Press “Forward” so that the .php file is uploaded into the directory.
  10. After the upload succeeds, the directory path of the uploaded file is shown. This path is the actual location of the uploaded file; simply copying and pasting the highlighted part of the URL in the following image executes the file.
     [screenshot]
  11. In Metasploit, the following command then shows Meterpreter session 3 of the victim PC.
     [screenshot]
     [screenshot]

How to Perform a Null Byte Injection?

A smart way to upload malicious files is to make use of URL-encoded null byte characters (i.e. %00, or 0x00 in hex). Injecting a null byte, which shows up as a blank in the ASCII translation, can yield unauthorized access to system files.

If the web application uses C/C++ libraries to check the file name or its content, an inserted null byte deceives them: it is treated as the end of the string, so the check stops reading at that point.

  1. Open Kali Linux and create a PHP backdoor with the following command.
     [screenshot]
  2. In Leafpad, an open source text editor for Linux, copy and paste the highlighted code and save it on the desktop with both a PHP and a JPG extension, as img3.php.jpg.
     [screenshot]
  3. Type msfconsole to load the Metasploit Framework, then start the multi handler.
  4. Visit the vulnerability menu inside the DVWA lab and select “File Upload”.
  5. Press “Browse” and choose img3.php.jpg to be uploaded to the web server.
     [screenshot]
  6. Now open Burp Suite. Under the “Proxy” tab, turn intercept on.
  7. Set the manual proxy of the browser. Press “Upload” to upload the file.
     [screenshot]
  8. The intercept will capture the POST request of the upload.
     In the captured data, change img3.php.jpg to img3.phpD.jpg, for example; any other character works as well.
     [screenshot]
  9. Now look at the inserted character in hex. The “D” we used translates to 0x44.
     [screenshot]
  10. Under the “Intercept” tab, press “Hex”. Look for the 44 of the D and replace it with 00.
     [screenshots]
  11. When viewing the captured data again, the D will have changed into a null byte.
     [screenshot]
  12. Press “Forward” so that the file is uploaded into the directory.
  13. After the upload succeeds, the directory path of the uploaded file is shown. This path is the actual location of the uploaded file; simply copying and pasting the highlighted part of the URL in the following image executes the file.
     [screenshot]
  14. Requesting the path results in a reverse connection to Metasploit, which opens Meterpreter session 4.
     [screenshot]
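
The three bypasses above all succeed because the upload check trusts something the client controls. As an added example (not from the page or from DVWA), the Python below models the weak check next to a hardened server-side one: the weak check trusts the client's Content-Type and keeps the client's file name (cutting it at a NUL the way a C string API does), while the hardened check ignores both and verifies the file's magic bytes. The sample uploads, the would_execute rule for Apache-style multi-extension handling, and the function names are assumptions.

```python
import os
import secrets

# Constructed sample uploads modelled on the three bypasses above:
# (client file name, client Content-Type header, first bytes of the body).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPG_MAGIC = b"\xff\xd8\xff"
SAMPLES = {
    "double_extension": ("img1.php.png", "image/png", b"<?php /* constructed */ ?>"),
    "content_type": ("img2.php", "image/png", b"<?php /* constructed */ ?>"),
    "null_byte": ("img3.php\x00.jpg", "image/jpeg", b"<?php /* constructed */ ?>"),
    "legitimate": ("holiday.png", "image/png", PNG_MAGIC + b"constructed image data"),
}
ALLOWED = {".png": PNG_MAGIC, ".jpg": JPG_MAGIC, ".jpeg": JPG_MAGIC}


def weak_store(filename, content_type, body):
    """Medium-style check: trusts the client's Content-Type and keeps the client's name.

    Returns the name the file system would see, or None if rejected. A NUL in the
    name is cut off the way a C string API would cut it, so 'img3.php\\x00.jpg'
    is written to disk as 'img3.php'.
    """
    if content_type not in ("image/png", "image/jpeg"):
        return None
    return filename.split("\x00", 1)[0]


def would_execute(stored_name):
    """True if a PHP-enabled web server would run this file: any '.php' segment
    counts, because Apache's AddHandler-style mapping looks at every extension."""
    return any(part.lower() == "php" for part in stored_name.split(".")[1:])


def hardened_store(filename, content_type, body):
    """Server-side check that ignores the client's Content-Type and file name.

    Returns a server-chosen name with an allow-listed extension, or None.
    """
    # Reject control characters and any path component in the name.
    if "\x00" in filename or filename != os.path.basename(filename):
        return None
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    # Exactly one extension, and it must be on the allow list (rejects img1.php.png).
    if ext not in ALLOWED or "." in stem or not stem:
        return None
    # The body must really be that image type, whatever the header claimed.
    if not body.startswith(ALLOWED[ext]):
        return None
    # Never reuse the client's name on disk; the extension comes from the allow list.
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    for label, (name, ctype, body) in SAMPLES.items():
        weak = weak_store(name, ctype, body)
        hard = hardened_store(name, ctype, body)
        runs = weak is not None and would_execute(weak)
        print(f"{label:17} weak -> {weak!r} (executes: {runs})  hardened -> {hard!r}")
```

The stored file should additionally live outside the web root and be served only through a handler that sets its own Content-Type.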

References

http://www.hackingarticles.in/5-ways-file-upload-vulnerability-exploitation/

https://en.wikipedia.org/wiki/Kali_Linux

https://www.kali.org/

https://tools.kali.org/web-applications/burpsuite

Finally, here’s another of my articles on How to Inspect Process Hollowing.


How to Exploit File Upload Vulnerability?

(Basic File Upload)

What do I Need to Know First of All?

  • What is File Upload Vulnerability?
    • Description:

Let’s understand the file upload vulnerability. One of the major risks faced by web applications is receiving malware or malicious code through uploaded files.

The ultimate goal of an attacker is to get some code into the website they want to attack and have that malicious code executed inside the website.

  • Results:

Attacking a website or a web application by uploading a file which contains malicious code may result in plenty of problems for the website itself, among which are:

  • System takeover could happen entirely
  • Overloading of a database or a file system could occur
  • Back-end systems could even become attacked by such malicious code
  • Attacks against clients are also possible
  • Simple defacement could be the result as well
  • In fact, the effect and its hazardous aspects fundamentally vary according to the application’s reaction towards the file and the place where it stores the file essentially
  • Where does the problem actually lie?

There are two main types of problems:

  • Metadata, a term that describes the name and the path of an uploaded file. How does such data reach the website or the application? HTTP multipart encoding, a transport mechanism, supplies the metadata to the application. What could happen as a result? Either a very important file gets overwritten, or the file is stored in an adverse location; both are severe outcomes. Therefore it is important to validate and check the metadata before using it.
  • The size of the file or its content, on which the effect and its severity mainly depend. Hence all interactions between an application and an uploaded file have to be analyzed carefully to understand which processing and interpreters are involved.
  • DVWA Security:

It is important to know what Damn Vulnerable Web Application (DVWA) means.

  • It is a deliberately vulnerable PHP/MySQL web application.
  • It aims in the first place to give security professionals an efficient means of testing web security tools, which requires a target with plenty of vulnerabilities.
  • Securing web applications, and teaching or learning its concepts by teachers or students respectively, are two further essential benefits one can get out of DVWA.
  • Kali Linux

One of the most important security tools to understand and work on very well is, in fact, Kali Linux. But let’s discuss its benefits in a nutshell.

  • Penetration testing and digital forensics always consider such tool as an essential one for their purposes.
  • It provides its user with a variety of tools and functions which fall into thirteen categories:
    1. Information Gathering, such as DMitry
    2. Vulnerability Analysis, like Inguma
    3. Exploitation tools, such as the Metasploit Framework
    4. Wireless Attacks, like WIFI Honey
    5. Forensics, such as Binwalk
    6. Web Applications, like Skipfish
    7. Stress testing, like FunkLoad
    8. Sniffing and Spoofing, such as Wireshark
    9. Password attacks, like those done by TrueCrack
    10. Maintaining Access, such as Intersect
    11. Hardware hacking, performed by dex2jar for instance
    12. Reverse Engineering, for which Apktool, for example, can be used
    13. Reporting tools, such as MagicTree
  • Backdoor Shell

    • Whenever an attacker pushes malicious code onto a website to gain access to the website or to a file on it, this piece of code is known as a backdoor shell.
    • Such code can be implemented in various programming languages such as PHP, Ruby, or even Python.
    • Once this code has been uploaded to the website, editing, deleting, or downloading any other files on the website becomes possible. Uploading self-created files is another option available to attackers for the same purpose.
  • Metasploit
    • What is Metasploit Framework?
      • It is actually the most common exploit development framework in the world.
      • The Metasploit Framework is an open-source framework which accepts contributions from developers through GitHub.
      • Such contributions are mainly exploits and scanners.
      • A team of Rapid7 employees and senior external contributors then reviews them.
      • The main developers of the framework are Moore, Matt Miller and spoonm.
    • Meterpreter
      • It is a payload type that sits after the stager payload modules inside Metasploit and is delivered through in-memory Dynamic-link library (DLL) injection stagers.
      • It is an advanced and dynamically extensible payload.
      • It can also be extended over the network at runtime.

How to Perform a Basic File Upload?

We need to upload a PHP file to the web server, assuming that the server does not impose any restrictions. Such restrictions would specify the required extension(s) of an uploaded file or its content type. A web server that allows text or image files with no such restrictions will also let an uploaded malicious PHP file through and execute it as part of the web application without any problem.

  1. Set the security level of the website to low under DVWA Security.
  2. Open Kali Linux and create a PHP backdoor with the following command.
     [screenshot]
  3. In Leafpad, an open source text editor for Linux, copy and paste the highlighted code and save it on the desktop with a PHP extension, as img.php.
  4. Type msfconsole to load the Metasploit Framework, then start the multi handler.
     [screenshot]
  5. Visit the vulnerability menu inside the DVWA lab and select “File Upload”.
  6. Press “Browse”, choose the file, then press “Upload” to upload img.php to the web server.
     [screenshot]
  7. After the upload succeeds, the directory path of the uploaded file is shown. This path is the actual location of the uploaded file; simply copying and pasting the highlighted part of the URL in the following image executes the file.
     [screenshot]
  8. In Metasploit, the following commands then open Meterpreter session 1 of the victim PC.
     [screenshot]

References

http://www.hackingarticles.in/5-ways-file-upload-vulnerability-exploitation/

https://www.owasp.org/index.php/Unrestricted_File_Upload

http://www.dvwa.co.uk/

https://wiki.alpinelinux.org/wiki/Damn_Vulnerable_Web_Application_(DVWA)

https://en.wikipedia.org/wiki/Kali_Linux

https://www.kali.org/

https://en.wikipedia.org/wiki/Backdoor_Shell