Simulating EternalBlue Exploit Used by WannaCry Attack
05/17/2017
On May 12 2017, a ransomware called WannaCry attacked the Internet across multiple countries, causing serious damages to some companies, hospitals, and government agencies.
The WannaCry used a vulnerability in Windows operating system to infect target machines. The attack method that exploits vulnerability was disclosed in April and named as “EternalBlue”. The vulnerability was discovered in Microsoft’s Server Message Block(SMB) running on port 445, normally used for file sharing between machines in the network.
Although Microsoft found the vulnerability earlier and release a security patch to fix the problem in security bulletin MS17-010 in March, 2017, there were still a lot of machines not patched till May. This gave the WannaCry an excellent opportunity to infect machines worldwide.
In this post, I am going to simulate an EternalBlue exploitation against a vulnerable Windows 7 virtual machine using Kali Linux and Metasploit Framework.
First, create a virtual machine running Windows 7. DO NOT INSTALL NEW WINDOWS UPDATES.
(No new updates installed)
Then, share a folder. The Windows Firewall will enable the rule to allow inbound communication through port 445.
...Read moreFixing No Disk Space Problem Caused by Snapshots in OpenSUSE
01/16/2017
Problem
There was an issue about my OpenSUSE Leap 42.1 today. When I started the system,
OpenSUSE could not enter the desktop and left a message “No space left on
device”. Luckily, I was still able to operate the system through terminal. By
running the df -h command, the current disk usage was revealed:
Filesystem Size Used Avail Use% Mounted on
devtmpfs 3.9G 4.0K 3.9G 1% /dev
tmpfs 3.9G 0 3.9G 0% /dev/shm
tmpfs 3.9G 11M 3.9G 1% /run
tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup
/dev/sda9 21G 20G 0 100% /
/dev/sda9 21G 20G 0 100% /var/tmp
/dev/sda9 21G 20G 0 100% /var/spool
/dev/sda9 21G 20G 0 100% /var/opt
/dev/sda9 21G 20G 0 100% /var/lib/pgsql
/dev/sda9 21G 20G 0 100% /var/lib/mailman
/dev/sda9 21G 20G 0 100% /var/lib/named
/dev/sda2 256M 39M 218M 15% /boot/efi
/dev/sda9 21G 20G 0 100% /var/lib/mysql
/dev/sda9 21G 20G 0 100% /var/lib/mariadb
/dev/sda10 30G 8.3G 22G 29% /home
/dev/sda9 21G 20G 0 100% /var/lib/libvirt/images
/dev/sda9 21G 20G 0 100% /var/crash
/dev/sda9 21G 20G 0 100% /tmp
/dev/sda9 21G 20G 0 100% /srv
/dev/sda9 21G 20G 0 100% /opt
/dev/sda9 21G 20G 0 100% /boot/grub2/x86_64-efi
/dev/sda9 21G 20G 0 100% /boot/grub2/i386-pc
/dev/sda9 21G 20G 0 100% /usr/local
/dev/sda9 21G 20G 0 100% /var/log
/dev/sda9 21G 20G 0 100% /.snapshots
Among the output, /dev/sda9 is a Btrfs volume with many subvolumes. As the result showed, disk space in this volume had been exhausted. How did this happen?
(Note: If you just want to find the solution, please go to “Summary” part near the end of this article.)
...Read moreGet Partition Type GUIDs from GPT
02/19/2016
GUID Partition Table (GPT) is a new disk partition system designed to replace classical DOS (a.k.a MBR) partition system. It is supported by most modern operating systems.
A GPT system starts with a legacy Master Boot Record (MBR) sector. The next sector is GPT header, followed by 32 sectors containing GPT partitiion entries. Each entry occupies 128 bytes and describes one single partition on the disk. Since a sector’s size is 512 bytes, each one can store 4 entries. Thus, the whole partition table can store at most 32 * 4 = 128 partition entries.
(By The original uploader was Kbolino at English Wikipedia [CC BY-SA 2.5 (http://creativecommons.org/licenses/by-sa/2.5)], via Wikimedia Commons)
Each partition entry starts with a 16-byte long partition type globally unique identifier (GUID). It is used to describe the type and general purpose of the partition. This can provide useful information to digital forensic examiners.
Unfortunately, the current version of the Sleuth Kit (4.1.3) does not display partition type GUIDs when processing a GPT system directly. But with a little help of other tools, it won’t be difficult to obtain such information from a disk image.
...Read moreInside Sleuth Kit 01 - Source Code Structure
02/02/2016
Since the Sleuth Kit is an open source software, we can obtain TSK’s source codes easily. Studying the source codes can help us understand more concepts in file system analysis. It will be a great experience to study inside the Sleuth Kit.
The source codes of TSK can be downloaded here.
Note the release version of TSK is in the “master” branch. The current version of TSK being developed is in the “develop” branch. I will use the master branch to explain my discovery over TSK source codes.
The tools folder stores compiled programs once you follow the instruction manual
in “INSTALL.txt” at root folder. These programs are categorized into different folders
such as fstools, vstools, hashtools. The corresponding *.cpp files are also
in these folders. These files contain the main function of each program, making
them good starting point to study the codes.
Using Sleuth Kit 05 - File listing tool
01/30/2015
Digital forensic examiners extract useful information from files. The Sleuth
Kit provides powerful tool to list files contained in a partition. This tool
is fls.
The basic format of fls is: fls [partition_image] [[inode]].
The inode value is optional.
As a simple example, suppose we want to list files in the root folder of partition image “logicalUSBraw.001”. Simply use:
$ fls logicalUSBraw.001
What if what we have is a whole disk image? Of course we can use mmcat to
extract the target partition to a new image file and proceed with fls. But an
easier method will be using the offset value of the target partition given by
the mmls tool and combining it with -o argument.