Bruteforce: Password Spray - Create List of Possible Usernames from CSV

 I am teaching a class that introduces password spraying to students.  I introduce to them a website that we have in a lab where we collect the first name and last name of people on the page, then develop a username list to conduct a bruteforce password spray based on the sub-technique in the MITRE Att&ck Framework https://attack.mitre.org/techniques/T1110/003/.

The below python script takes a csv file as shown below and creates different username formats based on the list.

CSV File example:

james,carver
julio,deguilio
robin,freid
ted,montrose
trey,montoya

Python3 Script example:

 

#!/usr/bin/python3

import sys
import getopt
import csv

def main():
    inputfile = ''
    # Read the argument for the userlist file
    if len(sys.argv) < 2:
        print("./createUserList.py -i --userlist--")
        exit(1)
    else:
        opts, argv = getopt.getopt(sys.argv[1:],"i:")
        for opt, arg in opts:
            if opt in ['-i']:
                inputfile = arg
        # Read in the columns for first and last name...
        # This is not built to have column header names...
        with open(inputfile) as csv_file:
            csv_reader = csv.reader(csv_file, delimiter=",")
            for row in csv_reader:
                firstname = row[0]
                lastname = row[1]
                # first.last
                print(firstname + "." + lastname)
                # first_last
                print(firstname + "_" + lastname)
                # f.last
                print(firstname[0:1] + "." + lastname)
                # first.l
                print(firstname + "." + lastname[0:1])




if __name__=="__main__":
    main()  

Volatility 3 Quick Setup on Remnux 7

 As I mentioned in the post last week I downloaded remnux to run volatility 2 or 3 for the memory image provided at BSides Idaho Falls.

After executing volatility the first time it will state that the symbol files need to be installed.  If you go to https://docs.remnux.org/discover-the-tools/perform+memory+forensics it talks about where to download the symbol files.  However the installation path is incorrect for remnux 7 that is listed.

If you execute the command "vol3 -vvv -f <mem image file> windows.info.Info", the path where it is looking for the symbol files will show as /usr/local/lib/python3.8/dist-packages/volatility3/framework/symbols or /usr/local/lib/python3.8/dist-packages/volatility3/symbols.  I observed that the 2nd directory does not exist and did not work when I created it...  I did not look into why...

 

My initial file that I downloaded was dfrws2005-physical-memory1.dmp.  As I loaded it with vol3 it kept returning that I did not have the symbols loaded.  I was becoming a little frustrated then I tried a memory image from the Malware Analysts Handbook and it worked.  I observed that it will attempt to find a symbol file but depending on the memory image vol3 did not work so I fell back to vol2.py.

Then I was able to run the variety of plugins available.  You can see the plugins available by default by executing:

vol3 -f <mem image file> -h

Here is a list of memory images available: https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples

Symbols File Updates: https://github.com/volatilityfoundation/volatility3#symbol-tables

BSIDES Idaho Falls - Cloud Forensics Challenge - Expectations and Takeaways

BSIDES Idaho Falls offered a workshop called Cloud Forensics with an accompanying CTF.  I left early Friday to make the 3 hour drive for the workshop because I see the need in my career to learn more about the Cloud especially as it applies to Forensics.

My expectations had to change for this workshop.  I was expecting it to use the awscli to explore intrusions, cloud trail logs, and other tools.  Knowing that the instructor, Kerry Hazelton had 23 years of experience and was experienced in this realm I listened and undertook the CTF challenge that followed.

The new expectations that I built for the course:

1st - The workshop could have been named "Using an Amazon Instance in the Cloud to Conduct Forensics" (The instance was of a Windows 10 OS)

2nd - How to mirror traffic from 1 instance into the instance built for forensics

3rd - Use tools like Autopsy, ExifTool, and others to explore the artifacts.

Additional notes and takeaways:

I was unaware of the Autospy GUI that you could install in windows.  I explored version 4.9.1 and was impressed.  I observed as I tried to import the given images provided by the instructor that a VM with 2 CPUs and 8GB RAM struggled with digesting the 4 images provided in < 3 hours of time.  I could see how an Amazon Instance with the necessary resources (being temporary) could speed the process of forensics.  Especially if you are short on time and current resources as was the case in the CTF that lasted for 3 hours.  (The images were provided by an email caught in my spam folder the night before...)

Autopsy, the web server provided on a linux platform I have used in the past.  When I used the GUI I was impressed how it would digest the information, still a little slow.  You do need to make a choice as you import images that you have taken whether you enable or disable windows defender.  Windows Defender from what I experienced helped to identify malware that was carved from images, but also caused an interruption in the operation of the import process in Autopsy.

Mirroring traffic from 1 instance in Amazon to another instance through configuration of the ENI's I need to spend some more time in troubleshooting how this works.  A great take away!

One of the challenges involved looking at a memory image to solve what had occurred.  I initially loaded Volatility 3 into my linux VM and ran into issues with missing dependencies.  This is a plague of using Volatility 2.6 or 3.  To avoid this plague you can download the VM called "Remnux".  This has volatility 3 and autopsy pre-installed.  Volatility and how it works is different than Volatility 2.6 which I am most familiar with.

Then, I was not sure about the wireless provided so I used my phones hot spot.  I was not in a position to download "Remnux" during the challenge.  I then reverted to using the pre-compiled binary of Volatility 2.6 on Windows 10.  This worked until I found that I needed to extend the functionality to a plugin for exploring the browsing history of firefox.

In Summary

The workshop was thin on direction and content and very broad in expectations for the CTF Challenge.  I would recommend next year try and be more lean in the expectations of the CTF Challenge.  Then I would provide a better introductory email to introduce the workshop, content necessary to be successful in understanding the topics explored, and better introduce what is expected to be submitted in the CTF Challenge at least 3 days in advance.

The instructor, Kerry met my expectations of providing a challenge that was difficult.  Introduced us to new tools and how to use those tools to be successful.  

Thank you BSIDES Idaho Falls, I will look forward to participating next year!!