0P3N Blog Blog Post
Ready to Start Your Career?
Create Free Account
By: jumb01
June 14, 2017

WannaCrack! A Mix of Digital Forensics + Python Cracking

By: jumb01
June 14, 2017
By: jumb01
June 14, 2017
~$ whoamiI am Aslam Admani, and this is an interactive article that's most beneficial if you can practically follow along.~$ Setting_The_SceneYou are a digital forensic analyst. Your boss has given you a USB flash drive which was recovered from a suspect's home. He is suspected to be a fraud who is involved in credit card scams.Inside the USB is the following files (which you must set-up):
  1. Let's download an image and rename it: BlvckAr7.jpg.
    • This is a basic image, within this we'll place a secret file i.e. use stenography, which we'll come to a little later.
    • [caption id="attachment_94456" align="aligncenter" width="281"] Right click image, then select "save as" or "save image as" to save this file to your computer.[/caption]
  2.  A zip file, which appears to be password protected... We'll come to this later.
~$ The_setup_1
  • Kali Linux OS (on any environment)
    • If you do not have a Kali box, there are plenty of tutorials out there which go through, a step-by-step process in order to install and configure it properly. NOTE, it would be worthless installing and configuring a Kali machine SPECIFICALLY for this article. However, I would suggest it if you're interested in hacking and forensics in general. I'll leave links towards the end of this article for tutorials and guides on the installation process.
  • A USB flash drive (to set the scene, this isn't a necessity though)
Assuming you have these two requirements, let's move on to the next stage.~$ The_setup_2
  • sudo apt-get upgrade (if your machine requires upgrading)
  • sudo apt-get install steghide
Now that we have the tool required, let's create our secret file.You can use any text editor. Name this file S3CR37Z.txt, and the layout should look something like this:FORENAME SURNAME:    ACCOUNT NUMBERTYPE:                                          VISAEXPIRATION:                         DATECreate multiple entries, and try to make it seem as real as possible.Once you've completed this task, let's hide this file into the image file we downloaded earlier. In order to do this, we use steghide. On the terminal enter the following:
  • steghide embed -cf BlvckAr7.jpg -ef S3CR37Z.txt
    • Next, it will ask you for a password. For this, we will use qwerty123 (Of course this is significantly insecure, however, the criminal assumes nobody would know that the file is hidden inside of the image).
  • Once we have completed this successfully we can delete S3CR37Z.txt
    • Type in rm S3CR37Z.txt (to remove the text file with the secret contents).
Subsequently we create a zip file which is named cats.zip. This zip will also be password protected and contain the image BlvckAr7.jpg
  • zip -e cats.zip BlvckAr7.jpg
    • Again, it will ask you for a password, which we will set as scarface23 (this password is more secure than the last, however is it really strong?)
--- At this point you should have a zip file named cats.zip, inside of this zip, is an image, within the image is a secret file, which we have no access to ---If you've reached this point, great! Now it's time to store this zipfile into a USB, which is the hypothetical USB we've recovered from the crime scene. So place the content inside of it and let's begin with the forensics!~$ Setting_the_scene  --Forensic_AnalystOkay so, we receive a USB stick, the first thing we should do as a forensic analyst is to create a bit-by-bit image of it, and verify the integrity of it, however before we proceed with this, we should create a folder called 'Secure_Store'.Within this, we will have a few more folders.
  • mkdir Secure_Store
  • cd Secure_Store; mkdir image logical physical analysis
For this assignment we will be using image, physical and analysis.
  • Image will contain the bit-by-bit copied image
  • physical will contain the contents of the USB
  • and analysis will have our analysis of the USB, i.e. our findings.
Once we have created these directories we must unmount the flash drive from the main file system, so that we could image it, and mount it within our Secure evidence directory (Secure_Store)We do this by entering:
  • df -hl (this will list the drives withing your machine)
    • You should look for the flash drive, if you're finding difficulties in doing so, you could unplug it, run the same command and find the differences between the result.
Filesystem           size           used           avail           use%               mounted onThe above should be the columns that the command returns, once we have identified the USB drive, locate where it is mounted.From this we should note the filesystem entry of the USB and the mounted on entry.It may look something like: /media/root/Name_of_USB in the mount entry column. (This would differ depending on your user name, USB name etc.)So we can copy that row (/media/root/Name_of_USB)Next, type in the following command to remove it from the main filesystem:
  • umount /media/root/Name_of_USB
    • now type the df command again to see if it has been removed from the list.
Next we create a bit-by-bit image by using the name of the USB filesystem. We could use dd, or dd_secure, either one would be an excellent choice. This may take a while, so be patient.
  • dd if=/dev/sdb1   of=~/Desktop/Secure_Store/image/USB_image.dd
    • Where it says /dev/sdb1 on this example, you may need to change it depending on the results from the output of your df -lh command.
    • ***NOTE BE VERY CAUTIOUS***
Once this task is complete, we can verify the bit-by-bit copy by using the md5 hashing algorithm.
  • md5sum /dev/sdb1
  • mdf5sum ~/Desktop/Secure_Store/image/USB_image.dd
    • if these provide the exact same result, we're good to go!
    • It may be best to note these down, or store them in a text file, for the final report (We won't be going over the report as part of this article)
Subsequently we can mount the USB inside of the Secure_Store/physical directory
  • mount ~/Desktop/Secure_Store/image/USB_image.dd ~/Desktop/Secure_Store/physical
Now if we go into the physical directory we should see a zip file named cats.zip... copy it to the analysis directory, begin working inside of the analysis directory. Now we can see, it has a password? How do we get around this?Let's create a small password cracking script with python. The password file we will use is called rockyou.txt. This file could be found online, it contains millions of real-user passwords, which were found on vulnerable website databases.Go to this website, https://wiki.skullsecurity.org/Passwords, and click on rockyou.txt.bz2, give it some time to download.Once we have it downloaded, extract the file into your Desktop.Now let's make the script.This script will loop through every line within the rockyou.txt file, attempting to extract the files from the cats.zip folder passing the line as a password.Open a text editor, we'll just use gedit, enter gedit zipCracker.py################################################  Created by Aslam Admani for Cybrary WannaCrack blog################################################import zipfiledef Main()    f = open('~/Desktop/rockyou.txt', 'r')#open the rockyou.txt file in read mode    for line in f.readlines():#iterate through each line of the password file         pw = line.strip('n')#remove default newline keys at the end of each password         try:             zfile = zipfile.ZipFile('/root/Desktop/Secure_Store/physical/cats.zip')#declare the zip file you want to use, the path I'm using is /root/Desktop/ Because I'm using the root user, find the current working directory in which your zip file lies.             zfile.extractall(/root/Desktop/Secure_Store/physical ,pwd=pw)#attempt to extract all from the zip file, with the current password             print 'password found: %s' % pw  #if this works, print the password to the screen        except:             pass#otherwise pass until we have our passwordif __name__ == '__main__':    Main()The python script looks good, run it in the terminal:
  • python zipCracker.py
This may take a while depending on how deep the passwords we made are within the rockyou.txt file.If this has run successfully, which it should, your next objective is to analyse the image we see...We have an image named BlvckAr7.jpg, it appears to look like a normal jpeg file. However the eyes can deceive, we must dig further.Let's start, using EXIFTOOL.Exiftool is an analysis tool, which can analyse many file extensions, find original extensions plus more.
  • exiftool BlvckAr7.jpg
    • if this command doesn't work, use sudo apt-get install exiftool to install it.
With this jpg file we shouldn't see anything particularly suspicious?However let's put our forensics caps on and think outside the box, we have an image which states 'nothing to see here', let's google this and see if we have the same image, with the same extension, if so, we could download all similar files and compare the sizes. Maybe that could give us a lead?So we download the exact same images we find, and we compare the sizes, using exiftool, notice the difference? One is bigger than the other right?Let's check the integrity of both files, using md5sum,We can see there's a difference. Maybe it could be that this image was taken from another source, or something of the sort, regardless we have our suspicions. Let's assume there's another file inside of the S3CR37Z.jpg file, so let's now use steghide to extract what we may have in there.
  • steghide extract -sf BlvckAr7.jpg
    • it's asking us for a passphrase, what do we do here!
Let's create a python file called StegCrack.py ############################################### Created by Aslam Admani for Cybrary WannaCrack blog###############################################import pexpectimport osdef Main():    PROMPT = ['$ ',  '# ', '> ', '>> ']    f=open('~/Desktop/rockyou.txt', 'r')    for line in f.readlines():        pw = line.strip('n')        try:            child = pexpect.spawn('steghide extract -sf S3CR37Z.jpg')            child.expect([pexpect.TIMEOUT, 'passphrase: ', 'Passphrase: ', 'password: '])            child.sendline(pw)             child.expect(PROMPT)         except:             passif __name__ == '__main__':    Main()This should release the hidden file into the current directory, and now we should see a file called: S3CR37Z.txtUnfortunately this script doesn't display the password to the output, however you can check out my github to see if there are any updates to these scripts. https://github.com/c0d14kIf you're interested or need help, here's a video to show how to download and install Kali Linux on VMWare Player: https://www.youtube.com/watch?v=k5mNnkG0FVkCongratulations if you have completed this article, followed along and were sucessful!Comments and tips would be highly appreciated.

Join over 2 million IT and cyber professionals advancing their careers

OR REGISTER WITH

Google

Already have an account? Sign In »

Ready to Share Your Original Content?

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry