Creating a simple resource script to be used with Metasploit.

Whether you are a penetration tester or just performing a simple or routine scan, we all know that the tasks can become repetitive (for example, when you are pentesting a streamlined environment). Typing the same Metasploit commands again and again and making minor changes to run a module against the target gets tiresome. This is where resource scripts are useful: they let Metasploit automate the repetitive tasks at hand.

They are essentially batch scripts that contain a set of commands which are executed automatically and in sequence when you load the resource script in Metasploit. A resource script is created by chaining together a series of Metasploit console commands, most often for scanning, and you can even embed Ruby directly to call APIs, interact with objects in the database, and iterate actions.

As an example, we are going to create a simple resource script that automates the auxiliary scan of an FTP service and tells us which version of the FTP service the target is currently running.

The commands are the same ones you are used to typing in Metasploit; the script simply adds the automation.

You can create the script in any text editor you feel comfortable with.

We’ll create the script by typing Metasploit commands (the command structure is the same), and they will be executed one after another.

The first command we’ll use is the following:

msfconsole
use auxiliary/scanner/ftp/ftp_version

This loads the scanner that, as we said before, will tell us which FTP version is running on the target.

The next command is to “see” which options the module offers, so you can decide what to set for the pentest in the script you’ll be creating.

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > options

As a result, you will see the options available for the FTP scanner. For this example, the important ones are RHOSTS, which selects the target host or range of machines, and THREADS.

So for the script, we can do the following:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.100.4 [target host]
set THREADS 10 [number of threads]

The number of threads depends on the size of the network: if you are scanning a large network, increase the number of threads you want to use.

One thing to consider is that you can change these values “on the fly”: you don’t have to retype the commands in the Metasploit console every time you want to change an option, you just change it in the script and execute the script again.

Now we just add the command that runs the module: run (or exploit, if you are using an exploit module). As this is a simple scanner resource script, we can do the following:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.1.103
set THREADS 10
run

We save this text file as ftp_scanner.rc. With vim, for example:

vim ftp_scanner.rc

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.100.4
set THREADS 10
run

Then press Esc and type :w to save the file.


The .rc extension stands for resource script. Now we go to the directory where the script is so that Metasploit can run it. There you type:

cd (location of the script you just created)

Make sure that your Metasploit PostgreSQL database is built and already running. Now we can perform the pentest of the FTP service by running this script against the target set in RHOSTS with the configured number of threads.

In Metasploit we type

msfconsole -r ftp_scanner.rc


This will start the Metasploit Framework and launch the created resource script.

Advantages of the Resource Scripts

The interesting thing about this procedure is that, after performing the scan and getting the results sorted and ready for you to assess, if you want to change the IP or increase the threads you just have to edit the script and run it again.

The versatility of resource scripts lies in their ability to take advantage of many of the capabilities available in Metasploit and Ruby, whether you use them from the Metasploit console or from the Metasploit web interface.

The Metasploit Framework community has made many resource scripts available, so if you are a framework user, you can go to.

Here at Infosec Addicts, in our courses Pentesting Candidate program and Ultimate Hacklab, you can get more information about creating these useful tools to facilitate any audit procedure or pentest using Metasploit. We sincerely hope that you will join us in this quest of finding the best and most reliable solutions for performing a pentest in a thorough and reliable way.


Free Advanced Network Penetration Testing webinar

In this FREE webinar Joe McCray will cover the fundamentals of network penetration testing and how to perform basic penetration testing tasks. This webinar is designed for people with little to no network penetration testing experience.

About Joe McCray:

Joe McCray has been teaching IT security since 2005, and it finally hit him: while he was helping students with hands-on labs and no death by PowerPoint in his classes, he realized that to be a good teacher he needed a more compact and complete training program.

This webinar will be held on the 1st of February at 1pm EST

Click the link below to sign up for this webinar:

https://attendee.gotowebinar.com/register/6831470640505615106


Try Certified Ethical Hacker for FREE!!! https://infosecaddicts.com/course/certified-ethical-hacker-v10/

Novice
$0
Join the infosec family! Your journey starts here. The free tier gives you limited access to our training materials.  
Regular use
$49
This is the second tier that includes limited access to our training materials and to our exclusive lab.    
Risky use
$69
This third tier gives you all the luxuries of the Free use and more. You have access to self-paced classes.  
Monthly use
$89
This last tier gives you the Free, Social and Problem use for just $89 a month. Plus you will save $29!!!

Extraction of Cookies in iOS Forensics

  • Why is it essential for an examiner to get some files of interest from an iOS device?

All of the activities of an iOS device user are stored on the device, in different formats and for various purposes. This evidence is ostensibly collected in the first place to serve the user. That is not the whole story, however: the evidence that is stored, cookies included, goes far beyond what the user would ever ask for or need.

Information such as locations, messages, contacts, web browsing habits, notes, pictures and more is available on the storage media of iOS devices, and much of it is time-stamped.

From a forensic point of view, such data becomes more and more valuable as businesses increasingly rely on iOS devices. This obliges examiners to keep up with any new technology or software release, since each may affect the forensic procedure and the smooth extraction and acquisition of data.

  • Browser cookies inside /private/var/mobile/Library

  • What is meant by cookies in the first place?

Cookies are often used by a web page to provide the user with highly customized pages. Users are identified in this way and receive personalized results and a personalized experience.

A user may be asked to fill in some information when browsing a web page that uses cookies; names and interests are the sort of information a cookie-dependent website asks for. The user’s browser is responsible for storing this data on the device for later use by the site. The browser originally receives such cookies from the site’s server.

From the website’s perspective, it is important to have cookies stored on the computer, because they are sent to the server hosting the site whenever the site is visited, and the server returns custom pages based on them.

Have you ever visited a website that welcomes you by name or shows you when you last visited? That website is using cookies to give you a customized experience.

Let’s talk more about the interesting part, the cookie file itself. What can be found inside it? Basically, the file must contain information about the website. Some personal information may also be stored along with it, generally only when the user has provided the site with that information; otherwise it will not be included.

Most of this information is ultimately in text form. Nonetheless, security-conscious websites send cookie data to the browser in an encrypted form: they want to protect the data, so that it will not make sense even if it is extracted and acquired in some way.

From the perspective of an examiner performing a forensic investigation, this data is crucial, because it represents the user’s preferences along with data such as their name and interests. It helps an investigator obtain data of interest from such cookies.

Several important parameters are carried in a cookie for identification and the other purposes cookies serve. Typically the parameters are the following:

  • The name of the cookie.
  • The value of the cookie.
  • The expiration date of the cookie: this determines how long the cookie remains active in the user’s browser.
  • The path for which the cookie is valid. Web pages outside that path cannot use the cookie.
  • The domain for which the cookie is valid. It makes the cookie accessible to pages on any of the servers in that domain.
  • The need for a secure connection: this indicates that the cookie can only be used over a secure connection to the server.

  • How to perform such extraction of cookies?

When it comes to forensic investigations, data extracted from browser cookies is considered a significant source of evidence. The cookies discussed here belong to the very popular Safari browser. The file that contains them is named cookies.binarycookies.

The main difference between other common browsers and Safari lies in how cookies are stored. Browsers such as Internet Explorer store their cookie data in a plain text file or in an SQLite database inside the history folder. Safari, on the other hand, stores its cookies in a binary file.

Opening such a binary file therefore requires specific software. Tools such as iPhone Extractor or any hex editor can be used to see what is inside the files of interest.

We have opened such files to go through what is inside. Doing so, we found that the file begins with a header, followed by one or more pages, and each page contains one or more cookies.

It is also essential to understand the sizes of the fields that make up this file. The signature field occupies 4 bytes and holds the COOK header. The Number of pages field is 4 bytes and holds a Little Endian integer. Another field, Page Size, uses 4 bytes for another Little Endian integer. The Page area varies in size according to the cookies it holds. Finally, the tail field is 8 bytes and possibly stores a hash used as a checksum.
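As an added example (not part of the original post, and not a tool from any vendor named here), the following Python parser walks the header, page table, pages and cookie records of a cookies.binarycookies file and decodes each cookie’s domain, name, path, value, Secure/HttpOnly flags and Apple-epoch timestamps; it reads the file-level page count and page sizes as big-endian, as the widely used BinaryCookieReader-style parsers do, and the fields inside each page as little-endian. The cookie record layout (32-byte fixed header, 8 zero bytes, two doubles, then NUL-terminated strings) and the sample file are constructed here for the example, not taken from the post.

```python
import struct
from datetime import datetime, timezone

MAC_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 UTC (Apple absolute time)

def parse_binarycookies(data: bytes) -> list:
    """Walk a cookies.binarycookies blob: 'cook' signature, page table, pages, 8-byte tail."""
    if data[:4] != b"cook":
        raise ValueError("missing 'cook' signature")
    # Layout assumed here: file-level page count and sizes big-endian, in-page fields little-endian
    (num_pages,) = struct.unpack(">I", data[4:8])
    sizes = struct.unpack(">%dI" % num_pages, data[8:8 + 4 * num_pages])
    pos, cookies = 8 + 4 * num_pages, []
    for size in sizes:
        page, pos = data[pos:pos + size], pos + size
        if page[:4] != b"\x00\x00\x01\x00":
            raise ValueError("bad page header at offset %d" % (pos - size))
        (count,) = struct.unpack("<I", page[4:8])
        for off in struct.unpack("<%dI" % count, page[8:8 + 4 * count]):
            cookies.append(_parse_cookie(page, off))
    return cookies  # the 8-byte tail after the last page is not verified here

def _parse_cookie(page: bytes, off: int) -> dict:
    # 32-byte fixed header: size, version, flags, reserved, then url/name/path/value offsets
    _size, _ver, flags, _res, url_o, name_o, path_o, val_o = struct.unpack("<8I", page[off:off + 32])
    expiry, created = struct.unpack("<dd", page[off + 40:off + 56])  # doubles, Apple epoch
    def cstr(rel: int) -> str:  # NUL-terminated string at a cookie-relative offset
        return page[off + rel:page.index(b"\x00", off + rel)].decode("utf-8")
    return {"domain": cstr(url_o), "name": cstr(name_o), "path": cstr(path_o), "value": cstr(val_o),
            "secure": bool(flags & 1), "httponly": bool(flags & 4),  # flag bits 0 and 2
            "expires": datetime.fromtimestamp(expiry + MAC_EPOCH_OFFSET, timezone.utc),
            "created": datetime.fromtimestamp(created + MAC_EPOCH_OFFSET, timezone.utc)}

def build_sample_file(cookies: list) -> bytes:
    """Constructed input: pack (domain, name, path, value, flags, expires, created) tuples into one page."""
    records = []
    for domain, name, path, value, flags, exp, cre in cookies:
        strings = [s.encode("utf-8") + b"\x00" for s in (domain, name, path, value)]
        offs = [56 + sum(map(len, strings[:i])) for i in range(4)]  # strings follow the 56-byte header
        records.append(struct.pack("<8I", 56 + sum(map(len, strings)), 0, flags, 0, *offs)
                       + b"\x00" * 8 + struct.pack("<dd", exp - MAC_EPOCH_OFFSET, cre - MAC_EPOCH_OFFSET)
                       + b"".join(strings))
    n, head = len(records), 8 + 4 * len(records) + 4  # page header + count + offset table + footer
    offsets = [head + sum(map(len, records[:i])) for i in range(n)]
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", n) + struct.pack("<%dI" % n, *offsets)
            + b"\x00" * 4 + b"".join(records))
    return b"cook" + struct.pack(">II", 1, len(page)) + page + b"\x00" * 8  # single page + tail

# Constructed sample, not from a real device: a Secure+HttpOnly session cookie and a plain one
SAMPLE = build_sample_file([
    ("example.test", "session", "/", "abc123", 5, 1700000000.0, 1690000000.0),
    (".example.test", "prefs", "/account", "lang=en", 0, 1800000000.0, 1690000000.0),
])
```

On a real acquisition, replace SAMPLE with the bytes of the extracted cookies.binarycookies file; a signature or page-header mismatch is the first sign of a truncated or mis-identified file.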


Resources

https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092

http://resources.infosecinstitute.com/ios-forensics/


Extraction of applications, photos, passwords – iOS forensics

  • What are the files of interest in the first place?

There are several directories inside an iOS device that one can examine for investigation purposes, regardless of the device model. The directory structure is common to all iOS devices and follows a UNIX layout. It is important to mention that different file formats exist: some files are XML, some binary data, and some SQL databases.

So how are we going to examine such files without knowing their actual location on the device? Data for the default applications is stored under private/var/mobile/Library; that is, the data of apps like Address Book, Mail, Calendar, Maps, Notes, YouTube, Safari, Texting, Weather and Voicemail. Other apps, like NFL 2012, Shazam or AroundMe, which are downloaded from iTunes, have their data stored under private/var/mobile/Applications.

  • Downloaded applications from iTunes in private/var/mobile/Applications

The Mobile/Applications folder is always changing, especially whenever a new application is downloaded from iTunes. When that happens, a new directory is created automatically inside this folder. It contains all the files that the application ships with and needs, and it is named with a unique 32-character alphanumeric identifier. From then on, any iOS device produced by Apple uses this identifier for the application.

An example of such an identifier is “GA07A3WW-0E39-33OJ-B947-9CAA16688G22”. iOS devices treat it as a consistent ID for the application. By default, an application has the following subfolders:

  • Documents folder: all the files relevant to the application.
  • Temp folder: runtime and temporary files.
  • Library folder: cached data and preferences.

Some other files are also commonly found in an application folder on an iOS device, such as info.plist, resourcerules.plist and applestores.db. Configuration files, plist files and XML data, however, vary from application to application. Data of vital importance to an investigation may also be found inside such folders, including cookies, usernames and passwords.

  • Photos inside private/var/mobile/media/DCIM

All photos can be found in the media/DCIM folder, whether taken with the phone itself or synced from another device. All images carry timestamp metadata. A picture taken with the device’s own camera resides in a folder named 100APPLE and has a sequentially ordered name that reflects when the photo was taken relative to the others.

To elaborate, the photo names begin with “IMG_0001” and the number is incremented by one each time a new picture is taken, no matter how many images were removed along the way. Consequently, any missing number within the used range indicates that the associated photo was deleted for some reason.
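The numbering rule above can be checked mechanically over a directory listing. This is an added example, not code from the original post: it groups the IMG_ numbers per DCIM subfolder, treats the number (not the file name) as the unit so that a Live Photo’s paired .JPG and .MOV do not hide a gap, and reports every number missing between the lowest and highest seen. The SAMPLE_DCIM listing is constructed for the example.

```python
import re

# Camera files in DCIM/<nnn>APPLE are named IMG_<4 digits>.<ext>; the number is the unit of the
# sequence (a Live Photo yields IMG_0002.JPG and IMG_0002.MOV carrying the same number)
IMG_RE = re.compile(r"^IMG_(\d{4})\.[A-Za-z0-9]+$")

def find_sequence_gaps(listing: dict) -> dict:
    """listing maps a DCIM subfolder name to its file names (constructed here, or read from an image).
    Returns, per folder, the IMG_ numbers missing between the lowest and highest number present;
    each gap is a candidate deleted photo under the numbering rule described in the post."""
    gaps = {}
    for folder, names in listing.items():
        seen = {int(m.group(1)) for m in map(IMG_RE.match, names) if m}
        if not seen:
            continue  # folder holds no camera-numbered files (e.g. only metadata files)
        gaps[folder] = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    return gaps

# Constructed sample listing, not from a real device
SAMPLE_DCIM = {
    "100APPLE": ["IMG_0001.JPG", "IMG_0002.JPG", "IMG_0002.MOV", "IMG_0005.JPG", "IMG_0006.HEIC", ".DS_Store"],
    "101APPLE": ["IMG_1001.JPG", "IMG_1003.JPG"],
    "999APPLE": ["IMG_0001.PNG", "IMG_0002.PNG"],
}
```

A gap only marks a candidate for deletion; the corresponding timestamps of the neighbouring images narrow down when the missing photo was taken.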

Sometimes it is essential, and most of all interesting, to find out which programs or applications were installed on the device before it reached its state at the time of the forensic examination. This can be identified through the DCIM/999APPLE folder, where all screenshots are stored, which helps the investigation. Browsing these photos shows whether a banned application suspected of having run on the device was installed or not.

  • Keystrokes inside /private/var/mobile/Library/Keyboard

A text file named dynamic-text.dat serves as the dynamic dictionary of an iOS device. It is one of the most important files to examine, because every word the user types is stored in this dictionary at the time it is typed. Words typed in applications like Notes, Safari, Messages or Facebook are entered into this dynamic dictionary; in fact, any application that accepts text input has its text stored there.

The rationale behind this dictionary is to aid the user while typing. On the other hand, it is a source of precious information for an examiner, because commonly used words become known and can serve as search keywords.

The downside of this dictionary is that it does not include timestamp metadata for its stored words, so the time at which a word was typed cannot be determined from it.

There is also an SQLite database named UserDictionary.sqlite in which all manual auto-correction entries are stored. Its importance for an examiner is that it reveals keywords, whether technical terms, special words, standard English words or acronyms, all of which can be of great value to the investigation.

  • Passwords inside /private/var/Keychains

Apple’s keychain password manager is what iOS applications mostly use for their passwords. A database file called keychain-2.db holds the various accounts and passwords that have been used on the device. Several tables are used to store this information: cert, genp, inet, keys, sqlite_sequence and tversion.

A great deal of valuable data can be found in this database, such as voicemail passwords, wireless access point passphrases and device login passcodes. While some of these passwords are stored encrypted, others are found in readable form. For the encrypted ones, a password-cracking utility can be used; for instance, an examiner may rely on Elcomsoft’s iPhone Password Breaker, to which the extracted keychain file is supplied in order to decrypt it.
