WannaCrack! A Mix of Digital Forensics + Python Cracking

June 14, 2017


~$ whoami

I am Aslam Admani, and this is an interactive article that is most useful if you follow along in practice.

~$ Setting_The_Scene

You are a digital forensic analyst. Your boss has given you a USB flash drive recovered from a suspect’s home. The suspect is believed to be a fraudster involved in credit card scams.

Inside the USB are the following files (which you must set up yourself):

  1. An image. Download any JPEG and rename it BlvckAr7.jpg.
    • This is an ordinary image; later we will hide a secret file inside it using steganography.
    • Right-click the image and select “Save as” or “Save image as” to save it to your computer.

  2. A zip file, which appears to be password protected. We’ll come to this later.

~$ The_setup_1

  • Kali Linux OS (on any environment)
    • If you do not have a Kali box, there are plenty of step-by-step tutorials on installing and configuring one properly. NOTE: it is not worth installing and configuring a Kali machine SPECIFICALLY for this article, but I would suggest it if you’re interested in hacking and forensics in general. I’ll leave links to installation tutorials and guides towards the end of this article.
  • A USB flash drive (to set the scene, this isn’t a necessity though)

Assuming you have these two requirements, let’s move on to the next stage.

~$ The_setup_2

  • sudo apt-get upgrade (if your machine requires upgrading)
  • sudo apt-get install steghide

Now that we have the tool required, let’s create our secret file.

You can use any text editor. Name this file S3CR37Z.txt, and lay it out something like this:

FORENAME SURNAME:   ACCOUNT NUMBER
TYPE:               VISA
EXPIRATION:         DATE

Create multiple entries, and try to make them look as real as possible.

Once you’ve completed this task, let’s hide this file inside the image we downloaded earlier. For this we use steghide. In the terminal enter the following:

  • steghide embed -cf BlvckAr7.jpg -ef S3CR37Z.txt
    • Next, it will ask you for a passphrase (twice). For this we will use qwerty123 (of course this is significantly insecure; the criminal is relying on nobody knowing that a file is hidden inside the image at all). Note that steghide does not merely hide the file: by default it compresses the payload and encrypts it with that passphrase before embedding it, so the payload cannot be read without the passphrase, short of guessing it, which is exactly what we will do later.
  • Once this has completed successfully we can delete S3CR37Z.txt
    • Type rm S3CR37Z.txt (to remove the text file with the secret contents).

Subsequently we create a zip file named cats.zip. This zip will also be password protected and contain the image BlvckAr7.jpg:

  • zip -e cats.zip BlvckAr7.jpg
    • Again, it will ask you for a password (twice); we will set it to scarface23 (this password is stronger than the last, but is it really strong?). -e uses zip’s traditional ZipCrypto encryption, which matters later: it is the scheme Python’s zipfile module knows how to decrypt.

— At this point you should have a zip file named cats.zip; inside the zip is an image, and inside the image is a secret file, none of which we can access without the passwords —

If you’ve reached this point, great! Now it’s time to store this zip file on a USB stick, which plays the part of the USB we recovered from the crime scene. So put the content on it and let’s begin with the forensics!

~$ Setting_the_scene – Forensic_Analyst

Okay so, we receive a USB stick. The first thing we should do as a forensic analyst is create a bit-by-bit image of it and verify the image’s integrity; from then on we work only with the image, so the original is never altered. In a real case the stick would be attached through a hardware write blocker for the same reason; at the very least, never write to it. Before we proceed, we create a folder called ‘Secure_Store’.

Within this, we will have a few more folders.

  • mkdir Secure_Store
  • cd Secure_Store; mkdir image logical physical analysis

For this assignment we will be using image, physical and analysis:

  • image will contain the bit-by-bit copied image
  • physical will be the mount point for that image, i.e. the contents of the USB
  • analysis will hold our analysis of the USB, i.e. our findings

Once we have created these directories we must unmount the flash drive from the main file system so that we can image it, and later mount the image inside our secure evidence directory (Secure_Store).

We do this by entering:

  • df -hl (this will list the mounted filesystems on your machine)
    • Look for the flash drive. If you have difficulty finding it, unplug it, run the same command again and compare the two results.

Filesystem   Size   Used   Avail   Use%   Mounted on

Those are the columns the command returns. Once you have identified the USB drive, note two entries from its row: Filesystem (the device node, for example /dev/sdb1) and Mounted on (where it is currently mounted).

The mount point may look something like /media/root/Name_of_USB (this differs depending on your user name, the USB label and so on).

Next, type in the following command to remove it from the main filesystem:

  • umount /media/root/Name_of_USB
    • now type the df command again to see if it has been removed from the list.

Next we create a bit-by-bit image from the device node we noted. We could use dd, or one of its forensic variants such as dcfldd or dc3dd (which hash the data as they copy it); either is an excellent choice. This may take a while, so be patient.

  • dd if=/dev/sdb1   of=~/Desktop/Secure_Store/image/USB_image.dd
    • Where this example says /dev/sdb1, substitute the device node from your own df -hl output.
    • /dev/sdb1 images only the partition; imaging /dev/sdb (the whole stick) also captures the partition table and any unallocated space, which is usually preferable, at the cost of needing an offset when the image is mounted later. For the single-partition stick in this exercise /dev/sdb1 is enough.
    • ***NOTE BE VERY CAUTIOUS*** if= is the source and of= is the destination. Swapping them, or pointing of= at the wrong device, overwrites your evidence (or your own disk) with no warning. Adding conv=noerror,sync keeps going past unreadable sectors and pads them with zeros so the rest of the image keeps its offsets.

Once this task is complete, we verify the bit-by-bit copy by hashing both the device and the image with the MD5 algorithm and comparing the results:

  • md5sum /dev/sdb1
  • md5sum ~/Desktop/Secure_Store/image/USB_image.dd
    • If these produce exactly the same digest, we’re good to go!
    • Record them, ideally in a text file together with a SHA-256 digest from sha256sum (MD5 collisions are practical today and a second algorithm costs nothing), for the final report. (We won’t be going over the report as part of this article.)

Subsequently we can mount the image (not the USB stick itself) read-only inside the Secure_Store/physical directory:

  • mount -o ro,loop ~/Desktop/Secure_Store/image/USB_image.dd ~/Desktop/Secure_Store/physical
    • -o ro is essential: mounting read-write lets the kernel write to the image (access timestamps, journal replay on journaled filesystems) and breaks the hash we just recorded. Neither the evidence nor the verified copy of it is ever mounted writable.
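The acquisition procedure above (bit-by-bit copy, hash the source and the image, compare, keep a record), as one added example in Python that is not part of the original article. It stands in for dd plus md5sum/sha256sum: it copies a device block by block, replaces an unreadable block with zeros so everything after it keeps its offset (what dd’s conv=noerror,sync does), hashes the source while copying (as dcfldd and dc3dd do), and then independently re-hashes the image. The device path and the 1 MiB sample ‘device’ that demo() builds are assumptions for the example; mounting the image read-only is left to mount -o ro,loop.

```python
"""Forensic acquisition with hash-on-the-fly and independent verification.

Added example, not the article's code. Stands in for dd + md5sum: an unreadable
block is replaced with zeros so later bytes keep their offsets (dd conv=noerror,sync),
the source is hashed while it is copied (as dcfldd/dc3dd do), and the image is then
re-hashed independently. Device paths and the sample 'device' are assumptions.
"""
import hashlib
import os
import tempfile

SECTOR = 512  # block devices are whole sectors, so no padding is ever appended at the end


def acquire(src_path, dst_path, block=SECTOR):
    """Copy src_path to dst_path block by block.

    Returns (md5, sha256, bytes_copied, bad_blocks) for the data as it was read.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    total = bad = 0
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(block)
            except OSError:
                # Unreadable sector: write zeros in its place and skip past it so the
                # rest of the image stays aligned, which is what conv=noerror,sync does.
                chunk = b"\x00" * block
                bad += 1
                src.seek(total + block)
            if not chunk:
                break
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    return md5.hexdigest(), sha.hexdigest(), total, bad


def hash_file(path, block=1 << 20):
    """Independent (md5, sha256) of a file, as md5sum and sha256sum would report."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def verify_image(img_path, acquisition_hashes):
    """True only if BOTH digests of the image equal the digests taken during acquisition."""
    return hash_file(img_path) == tuple(acquisition_hashes)


def write_log(log_path, device, image, hashes, size, bad):
    """Record the digests for the report in the 'digest  path' form the md5sum family prints."""
    with open(log_path, "w") as log:
        log.write("md5     %s  %s\n" % (hashes[0], device))
        log.write("sha256  %s  %s\n" % (hashes[1], device))
        log.write("image   %s\nbytes   %d\nbad_blocks  %d\n" % (image, size, bad))


def demo(tamper=False):
    """Constructed sample: a 1 MiB random 'device' file is imaged, logged and verified.

    With tamper=True one byte of the image is flipped afterwards; verification must then fail.
    """
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "sdb1")  # stands in for /dev/sdb1
    image = os.path.join(workdir, "USB_image.dd")
    with open(device, "wb") as f:
        f.write(os.urandom(1 << 20))
    md5, sha, size, bad = acquire(device, image)
    if tamper:
        with open(image, "r+b") as f:
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
    write_log(os.path.join(workdir, "hashes.txt"), device, image, (md5, sha), size, bad)
    return {"size": size, "bad_blocks": bad, "md5": md5, "sha256": sha,
            "verified": verify_image(image, (md5, sha))}


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

Run it as root against a real device node (acquire('/dev/sdb1', ...)) after unmounting, exactly as with dd. demo() exercises the same code path on a throwaway file and, with tamper=True, shows that a single flipped byte anywhere in the image is caught by the verification step.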

Now if we go into the physical directory we should see a zip file named cats.zip. Copy it to the analysis directory and do all further work there, so the mounted evidence is never touched. Opening the copy, we can see it has a password. How do we get around this?

Let’s create a small password-cracking script in Python. The wordlist we will use is rockyou.txt, which can be found online; it contains some 14 million unique real-user passwords leaked in the 2009 breach of the RockYou website, and so is a good first list to try against any password chosen by a person.

Go to https://wiki.skullsecurity.org/Passwords, click on rockyou.txt.bz2, and give it some time to download.

Once it has downloaded, extract the file onto your Desktop. (On Kali the same list is already installed, compressed, as /usr/share/wordlists/rockyou.txt.gz; gunzip it instead of downloading.)

Now let’s make the script.

This script loops through every line of rockyou.txt and tries to extract the files from the cats.zip archive using that line as the password. It relies on Python’s zipfile module, which understands the traditional ZipCrypto scheme that zip -e uses; it cannot open archives encrypted with AES (the WinZip/7-Zip AES option), for which a dedicated cracker such as John the Ripper or hashcat is needed.

Open a text editor; we’ll just use gedit. Enter gedit zipCracker.py

###############################################
#  Created by Aslam Admani for Cybrary WannaCrack blog #
###############################################

import os
import zipfile

WORDLIST = os.path.expanduser('~/Desktop/rockyou.txt')                     # open() does not expand '~' on its own
ARCHIVE  = os.path.expanduser('~/Desktop/Secure_Store/analysis/cats.zip')  # the copy in analysis/, never the evidence mount
OUTDIR   = os.path.dirname(ARCHIVE)

def Main():
    zfile = zipfile.ZipFile(ARCHIVE)           # open the archive once, not once per candidate
    f = open(WORDLIST, 'rb')                   # binary mode: rockyou.txt is not valid UTF-8 throughout
    for line in f:                             # one line at a time rather than readlines() on 14 million lines
        pw = line.rstrip(b'\r\n')              # strip the newline, which is not part of the password
        try:
            zfile.extractall(OUTDIR, pwd=pw)   # attempt to extract everything with the current password
            print('password found: %s' % pw.decode('latin-1'))  # if this works, print the password
            break                              # stop at the first hit instead of trying the rest of the list
        except Exception:                      # a wrong password raises RuntimeError; 1 in 256 wrong passwords
            pass                               # passes the ZipCrypto check byte and fails later on the CRC instead
    f.close()
    zfile.close()

if __name__ == '__main__':
    Main()

The python script looks good, run it in the terminal:

  • python zipCracker.py

This may take a while depending on how deep the passwords we made are within the rockyou.txt file.
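Python’s zipfile module cannot create encrypted archives, so this added example (not code from the original article) builds a ZipCrypto-encrypted cats.zip itself, implementing the traditional PKWARE cipher from the APPNOTE, and then cracks it the way zipCracker.py does, over a short candidate list rather than rockyou.txt. The entry name, payload and candidate passwords are constructed for the example. It also checks two things the script above silently assumes: that the entry is actually encrypted, and that it is ZipCrypto rather than WinZip AES (compression method 99), which zipfile cannot decrypt.

```python
"""Build a ZipCrypto-encrypted ZIP in pure Python, then crack it as zipCracker.py does.

Added example, not the article's code. zipfile can READ the traditional PKWARE
("ZipCrypto") scheme that `zip -e` produces but cannot write it, so the encryptor here
follows the PKWARE APPNOTE to build a test archive offline. Names and payload are constructed.
"""
import os
import struct
import tempfile
import zipfile
import zlib

# CRC-32 table (reflected polynomial 0xEDB88320): used by the cipher's key schedule.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc, byte):
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCryptoEncryptor:
    """PKWARE traditional encryption: three 32-bit keys seeded from the password bytes."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for byte in password:
            self._update(byte)

    def _update(self, byte):
        self.k0 = _crc32_byte(self.k0, byte)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for byte in data:
            temp = (self.k2 | 2) & 0xFFFF
            out.append(byte ^ (((temp * (temp ^ 1)) >> 8) & 0xFF))
            self._update(byte)  # the key schedule advances on the PLAINTEXT byte
        return bytes(out)


def make_encrypted_zip(name, plaintext, password):
    """Bytes of a one-entry ZIP: stored (method 0), flag bit 0 set, ZipCrypto-encrypted."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes + the high byte of the CRC. That byte is
    # the only cheap check a decryptor has, so 1 wrong password in 256 passes it and is
    # only rejected by the full CRC of the decrypted data afterwards.
    header = os.urandom(11) + bytes([crc >> 24])
    body = ZipCryptoEncryptor(password).encrypt(header + plaintext)
    flags, method, mtime, mdate = 0x0001, 0, 0, 0x21  # encrypted; 1980-01-01 00:00
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(body), len(plaintext), len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          mtime, mdate, crc, len(body), len(plaintext), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def crack_zip(path, candidates):
    """Return the first candidate (bytes) that decrypts the first entry, or None."""
    with zipfile.ZipFile(path) as zf:
        info = zf.infolist()[0]
        if not info.flag_bits & 0x1:
            return b""  # not encrypted at all: nothing to crack
        if info.compress_type == 99:  # WinZip AES: zipfile cannot decrypt it
            raise NotImplementedError("AES-encrypted entry: use a dedicated cracker")
        for pw in candidates:
            try:
                zf.read(info.filename, pwd=pw)
                return pw
            except RuntimeError:  # check byte mismatch: wrong password
                continue
            except (zipfile.BadZipFile, zlib.error):  # check byte matched by chance, CRC did not
                continue
    return None


def write_sample_archive(password=b"scarface23"):
    """Constructed cats.zip (one stored entry) in a temp dir; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "cats.zip")
    with open(path, "wb") as f:
        f.write(make_encrypted_zip(b"BlvckAr7.jpg", b"constructed sample payload", password))
    return path


def read_entry(path, password):
    with zipfile.ZipFile(path) as zf:
        return zf.read(zf.namelist()[0], pwd=password)


if __name__ == "__main__":
    archive = write_sample_archive()
    print(crack_zip(archive, [b"qwerty123", b"123456", b"scarface23"]))
```

Against a real archive, feed crack_zip a generator over the wordlist, e.g. (l.rstrip(b'\r\n') for l in open(path, 'rb')), so the 14 million lines are never held in memory at once. As for the question from the setup, “is it really strong?”: ZipCrypto is weak independently of the password. A known-plaintext attack (Biham and Kocher, 1994, implemented by pkcrack) recovers the cipher’s internal keys from a small amount of known plaintext, which the standard header of a file type such as JPEG can supply, so an archive like cats.zip can be opened without ever guessing scarface23.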

If this has run successfully, which it should, your next objective is to analyse the image we see…

We have an image named BlvckAr7.jpg, it appears to look like a normal jpeg file. However the eyes can deceive, we must dig further.

Let’s start with ExifTool.

ExifTool reads (and writes) metadata in a wide range of file formats; among other things it reports a file’s real type from its content, whatever its extension says.

  • exiftool BlvckAr7.jpg
    • if the command is not found, install it with sudo apt-get install exiftool (on Debian-based systems the package may be called libimage-exiftool-perl).

With this JPEG we should not see anything particularly suspicious. Steghide hides its payload in the JPEG’s DCT coefficients rather than in the metadata, so ExifTool has nothing to flag.

However, let’s put our forensics caps on and think outside the box. We have an image that says ‘nothing to see here’; let’s search for it online and see whether the same image, with the same extension, exists elsewhere. If so, we can download the copies we find and compare sizes, which may give us a lead.

So we download the matching images and compare the sizes with exiftool. Notice the difference? One is bigger than the other.

Let’s also check the integrity of both files using md5sum.

The hashes differ. On its own that proves only that the two files are not identical: a copy found online may simply have been re-encoded or had its metadata stripped. It is enough to raise our suspicions, though, so let’s assume another file is hidden inside BlvckAr7.jpg and use steghide to extract whatever may be in there.

  • steghide extract -sf BlvckAr7.jpg
    • it’s asking us for a passphrase, what do we do here!

Let’s create a python file called StegCrack.py

##############################################
# Created by Aslam Admani for Cybrary WannaCrack blog#
##############################################

import os
import pexpect

WORDLIST = os.path.expanduser('~/Desktop/rockyou.txt')   # open() does not expand '~' on its own

def Main():
    f = open(WORDLIST, 'rb')                              # binary mode: rockyou.txt is not valid UTF-8 throughout
    for line in f:                                        # one line at a time rather than readlines() on 14 million lines
        pw = line.rstrip(b'\r\n')                         # strip the newline, which is not part of the passphrase
        try:
            # -f overwrites an existing output file, so steghide never stops at an "overwrite?" prompt
            child = pexpect.spawn('steghide extract -sf BlvckAr7.jpg -f')
            child.expect(['passphrase: ', 'Passphrase: ', 'password: '], timeout=10)
            child.sendline(pw)
            child.expect(pexpect.EOF)                     # steghide exits after one attempt; wait for it
            child.close()
            if child.exitstatus == 0:                     # 0 means data was extracted; anything else means "could not extract any data with that passphrase!"
                print('passphrase found: %s' % pw.decode('latin-1'))
                break                                     # stop at the first hit instead of spawning steghide for the rest of the list
        except (pexpect.TIMEOUT, pexpect.EOF):
            pass                                          # prompt never appeared or steghide died early; try the next candidate
    f.close()

if __name__ == '__main__':
    Main()

When the right passphrase comes up, steghide writes the hidden file into the current directory, the script prints the passphrase and stops, and we should see a file called S3CR37Z.txt. Checking steghide’s exit status is what tells the script which attempt succeeded. Expect this to be slow, since a new steghide process is spawned for every candidate; steghide also accepts the passphrase on the command line with -p, which avoids the interactive prompt altogether. You can check out my github for any updates to these scripts: https://github.com/c0d14k

If you’re interested or need help, here’s a video to show how to download and install Kali Linux on VMWare Player: https://www.youtube.com/watch?v=k5mNnkG0FVk

Congratulations if you have completed this article, followed along and were successful!

Comments and tips would be highly appreciated.

  1. Good article. BTW, that rockyou wordlist is already on Kali under /usr/share/wordlists, so if you or others are using Kali, you can save yourself a lot of time by using what Kali already has in that directory. There’s also lots of good lists for directory traversal, fuzzing for XSS, etc. there.
