Showing posts with label Pentest.

Sunday, March 25, 2012

W3AF Tutorial (Part 2)

Overview
In the previous article we started a basic audit with w3af. In this article we cover writing scripts that set up and start an audit, then look at some of the handy tools bundled with w3af. The next article will hopefully be about writing plugins, so stay tuned for that. A new version of w3af was released on Oct 18th; this article was written against the previous version, but none of the topics discussed here have changed.

Writing StartUp scripts
If you have an audit configuration that you use over and over, scripts are a necessity. It is a pain to set the same output, audit and discovery options every time when all that changes is the target. We will start with a script that you can adapt to your own needs.

Create a file with any name; I will call mine basic.w3af. You write the script exactly the way you would navigate through w3af interactively: one command per line, the same menus, the same back commands. The script below enables all of our audit, discovery and output plugins so that nothing has to be set up by hand after w3af starts.

# Basic startup script
plugins
output console,htmlFile
output
output config htmlFile
set verbosity 10
back
output config console
set verbosity 5
back
# could change this to audit all but just doing Cross Site Scripting Now
audit xss
audit

discovery webSpider,pykto,hmap,allowedMethods
discovery
back

target
set target http://localhost:8081
back


You can also add start as the last line of the file and the audit will begin automatically when the script is run. To run it, just type:
$ ./w3af -s basic.w3af

The session then looks like this:
$ ./w3af -s basic.w3af
w3af>>> plugins
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> output
Enabled output plugins:
htmlFile
console
w3af/plugins>>> output config htmlFile
w3af/plugin/htmlFile>>> set verbosity 10
w3af/plugin/htmlFile>>> back
w3af/plugins>>> output config console
w3af/plugin/console>>> set verbosity 5
w3af/plugin/console>>> back
w3af/plugins>>> audit xss
w3af/plugins>>> audit
Enabled audit plugins:
xss
w3af/plugins>>> discovery webSpider,pykto,hmap,allowedMethods
w3af/plugins>>> discovery
Enabled discovery plugins:
allowedMethods
webSpider
hmap
pykto
w3af/plugins>>> back
w3af>>> target
w3af/target>>> set target http://localhost:8081
w3af/target>>> back
w3af>>>




Now just type start and your audit will begin.


Tools included in w3af
There are a few really useful tools in w3af. Move to the tools menu and list them:

w3af/tools>>> list
base64decode
base64encode
gencc
md5hash
sha1hash
urldecode
urlencode
w3af/tools>>>


With w3af you can generate test credit card numbers and hashes. Open w3af and navigate to the tools menu. The gencc command generates card numbers that pass the Luhn (mod 10) check digit test, which is what most payment forms validate against, so you can exercise checkout and card-validation logic without touching a real card. It will generate the following card types:
- mastercard
- visa16
- visa13
- amex
- discover
- diners
- enRoute
- jcb15
- jcb16
- voyager

Run the following command to create a 16-digit Visa number:

w3af/tools>>> run gencc -t visa16
Generated VISA 16 digit card:
4916740510259019
w3af/tools>>>
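The check that gencc's output satisfies is the Luhn formula, which is also what makes these numbers useful as test data. The generator and validator below are an added example, not the code of w3af's gencc tool; the prefix and length table is this example's own assumption for a few of the card types listed above, and only the Luhn rule is the real constraint. The numbers it produces are syntactically valid and belong to no account.

```python
"""Generate and check Luhn-valid test card numbers, as gencc does.

Added example, not w3af's gencc. CARD_TYPES is an assumed mapping for this
example; only the Luhn check-digit rule is the real-world constraint.
"""
import random

# Assumed issuer prefixes and lengths for this example (not gencc's table).
CARD_TYPES = {
    "visa16":     (["4"], 16),
    "visa13":     (["4"], 13),
    "mastercard": (["51", "52", "53", "54", "55"], 16),
    "amex":       (["34", "37"], 15),
    "discover":   (["6011"], 16),
}


def luhn_checksum(digits):
    """Luhn sum of a digit string: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number):
    """True if `number` (non-digits such as dashes are ignored) has a correct Luhn check digit."""
    number = "".join(ch for ch in number if ch.isdigit())
    return len(number) > 1 and luhn_checksum(number) % 10 == 0


def gencc(card_type, seed=None):
    """Generate one Luhn-valid number of the given type (e.g. 'visa16'); a seed makes it repeatable."""
    rng = random.Random(seed)
    prefixes, length = CARD_TYPES[card_type]
    body = rng.choice(prefixes)
    while len(body) < length - 1:
        body += str(rng.randrange(10))
    # The check digit is whatever makes the whole number's Luhn sum a multiple of 10.
    check = (10 - luhn_checksum(body + "0") % 10) % 10
    return body + str(check)


if __name__ == "__main__":
    for card_type in CARD_TYPES:
        number = gencc(card_type)
        print("%-10s %s valid=%s" % (card_type, number, luhn_valid(number)))
```

luhn_valid("4916740510259019") is true for the number gencc produced above, and changing any single digit breaks it; a form that rejects gencc output while accepting the real card is doing more than a Luhn check.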


Create a SHA1 hash as follows:
w3af/tools>>> run sha1hash -e 49167405102590194916740510259019
4b52f4ce218c72a18e644f40550b2966767137c9
w3af/tools>>>


It also has tools for URL encoding and decoding, which come in handy when crafting test requests by hand. These commands are simple enough:
w3af/tools>>> run urlencode
w3af - urlencoder

Options:
-h Print this help message.
-s Characters that should not be encoded, default is / .
-e String to be encoded.

Example: urlencode -s &% -e encodeMeNow


w3af/tools>>> run urldecode
w3af - urldecoder

Options:
-h Print this help message.
-d String to be decoded.

Example: urldecode -d decodeMeNow
w3af/tools>>>



That's all I have so far. I am currently working on w3af plugins and should have something ready to show soon. Please add a comment if you have something to contribute or find any inaccuracies.

W3AF Tutorial (Part 1)

Overview
w3af stands for Web Application Attack and Audit Framework. I have heard some say that it is the Metasploit for web applications. w3af is basically a free, open source web application scanner. It has many plugins, divided into attack, audit, exploit, discovery, evasion, bruteforce, mangle and a few other categories. The code is well commented and written in Python, so writing your own exploits and plugins should be straightforward, but I cannot say for sure since I have not tried it yet. I will spend more time on this in later articles. This will be the first of many w3af tutorials.

Getting started
I have installed it on both Ubuntu Feisty and Cygwin on Windows. Both installs are relatively painless; just follow the instructions in the w3af Users Guide and you will be fine.

Once you have all the prerequisites then you can start w3af as follows:

$ ./w3af
w3af>>>

Typing help gives you a list of commands.
w3af>>> help
The following commands are available:
help You are here. help [command] prints more specific help.
url-settings Configure the URL opener.
misc-settings Configure w3af misc settings.
session Load and save sessions.
plugins Enable, disable and configure plugins.
start Start site analysis.
exploit Exploit a vulnerability.
tools Enter the tools section.
target Set the target URL.
exit Exit w3af.
w3af>>>


First we need to talk about how the w3af interface is laid out. You enter a menu by typing its name and leave it by typing back. Type view to see the configurable options of the current menu and use set to change them. Below we set the target, the URL that we will be auditing.

Configuration:
w3af>>> target
w3af/target>>> help
The following commands are available:
help You are here. help [command|parameter] prints more specific help.
set Set a parameter value.
view List all configuration parameters and current values.
back Return to previous menu.
w3af/target>>> view
Parameter  Value  Description
=========  =====  ===========
target            A comma separated list of URLs
w3af/target>>> set target http://localhost:8080
w3af/target>>> view


Now lets configure our plugins.
w3af/target>>> back
w3af>>> plugins
w3af/plugins>>> help
The following commands are available:
help You are here. help [command] prints more specific help.
list List all available plugins.
audit Enable and configure audit plugins.
bruteforce Enable and configure bruteforce plugins.
discovery Enable and configure discovery plugins.
evasion Enable and configure evasion plugins.
grep Enable and configure grep plugins.
mangle Enable and configure mangle plugins.
output Enable and configure output plugins.
back Return to previous menu.


To audit a web application we need at least three kinds of plugins configured: audit, discovery and output. Typing list followed by a plugin type shows all available plugins of that type. list audit shows all the audit plugins, such as xss, xsrf, sqli (SQL injection), LDAP injection and so on; list discovery shows the discovery plugins.
Typing the plugin type on its own (e.g. audit) shows which plugins are currently enabled. By default none are enabled for any type, so you have to add them. Some examples:
w3af/plugins>>> audit xss,xsrf,sqli
to enable a few plugins, or
w3af/plugins>>> audit all
to enable all of them.


I am going to configure our audit to test for cross-site scripting and for typical web server vulnerabilities, and to spider (crawl) the entire site. We also want the results saved as an HTML report. To do this we run the following commands:

w3af/plugins>>> audit xss
w3af/plugins>>> audit
Enabled audit plugins:
xss
w3af/plugins>>> discovery webSpider,pykto,hmap
w3af/plugins>>> discovery
Enabled discovery plugins:
webSpider
pykto
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> output
Enabled output plugins:
htmlFile
console
w3af/plugins>>> output config htmlFile
w3af/plugin/htmlFile>>> view
Parameter     Value            Description
=========     =====            ===========
verbosity     0                Verbosity level for this plugin.
httpFileName  output-http.txt  File name where this plugin will write HTTP requests and responses
reportDebug   False            True if debug information will be appended to the report.
fileName      report.html      File name where this plugin will write to


I have just configured a basic audit with w3af to test for XSS. We set the target earlier, so it will scan my local Apache server. pykto is a Python port of nikto (the original is written in Perl); it checks the server for known vulnerable and misconfigured paths. The webSpider plugin does the URL crawling and builds the list of URLs to audit. hmap fingerprints the web server. The output plugins write the results to the console and to an HTML file called report.html in your w3af folder; the HTML report is not written until the audit completes. output-http.txt records the raw HTTP requests and responses, which is what you will want to keep when a finding has to be reproduced later.

Start the audit as follows:
w3af/plugin/htmlFile>>> back
w3af/plugins>>> back
w3af>>> start


Be prepared to wait a while for the audit to complete.
w3af>>> start
Auto-enabling plugin: discovery.allowedMethods
Auto-enabling plugin: discovery.error404page
Auto-enabling plugin: discovery.serverHeader
The Server header for this HTTP server is: Apache/2.2.3 (Ubuntu) PHP/5.2.1
Hmap plugin is starting. Fingerprinting may take a while.
The most accurate fingerprint for this HTTP server is: Apache/2.0.55 (Ubuntu) PHP/5.1.2
pykto plugin is using "Apache/2.0.55 (Ubuntu) PHP/5.1.2" as the remote server type. This information was obtained by hmap plugin.
pykto plugin found a vulnerability at URL: http://localhost/icons/ . Vulnerability description: Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used, the /icons directory should be removed. The vulnerability was found in the request with id 128.
pykto plugin found a vulnerability at URL: http://localhost/doc/ . Vulnerability description: The /doc directory is browsable. This may be /usr/doc. The vulnerability was found in the request with id 1865.
pykto plugin found a vulnerability at URL: http://localhost/\> . Vulnerability description: The IBM Web Traffic Express Caching Proxy is vulnerable to Cross Site Scripting (XSS). CA-2000-02. The vulnerability was found in the request with id 3385.
New URL found by discovery: http://localhost/
New URL found by discovery: http://localhost/test2.html
New URL found by discovery: http://localhost/xst2.html
New URL found by discovery: http://localhost/xst.html
New URL found by discovery: http://localhost/test.html


Here is an example of the report.html that the htmlFile plugin writes.

Tuesday, March 6, 2012

RAM Forensics Tools -Backtrack

pdfbook.py

pdfbook.py is a utility that gathers Facebook-related information from a process dump. On a Windows system, run “pd -p [pid] > file.dump”, where [pid] is the process ID of the browser; then on a Linux system run “strings -el file.dump > fbookstrings” (-e l pulls out 16-bit little-endian strings, the encoding Windows applications keep most text in; a plain strings pass picks up the ASCII leftovers). Finally, run pdfbook.py on the fbookstrings file produced by strings.
Example Usage:pdfbook.py -f fbookstrings

pdgmail

pdgmail.py is a utility similar to pdfbook.py, but instead of gathering Facebook information from process dumps, it gathers Gmail information. On a Windows system, run “pd -p [pid] > file.dump” where [pid] is the process ID of a browser, then on a Linux system run “strings -el file.dump > gmailstrings”. Finally, we use pdgmail.py on the gmailstrings file resulting from the strings command.

Example Usage:pdgmail.py -f gmailstrings

PTK

PTK is a forensics toolkit, similar to the Sleuthkit toolkit. It contains built in modules in order to analyze nearly any type of media or filetype that may be encountered in a forensics investigation. It is browser based, and first needs to have a MySQL database configured. Leave all fields as default, and use the password “toor” for the root user in MySQL. It should setup successfully, at which point you need to register for the free version. Copy the license file you received into the config directory for PTK located at /var/www/ptk/config.
Next, log in as either admin or investigator, and open a new case. Fill out the necessary information, then add an image file to begin. It can even be a RAM dump. From here, the built in tools will help you pull information from the image(s).

Volatility

Volatility is a framework written in Python that specializes in RAM analysis. It can analyze volatile memory dumps from a range of systems and give a deep insight into the state of the system while it was running. The framework itself has been tested on Windows, OS X, Linux and even Cygwin. In the example below we use Volatility to list the processes that were running when the RAM image ram.img was taken (the plugin is pslist; Volatility 2.x additionally needs --profile set to the OS the image came from).

Example Usage: volatility pslist -f ram.img

PDF Forensic Tools -Backtrack

pdfid

pdfid is a utility that extracts triage information from a PDF file without rendering it. Specifically, pdfid counts the occurrences of structural keywords such as obj, endobj and stream, and of the ones that matter for malware such as /JS, /JavaScript, /OpenAction, /AA and /Launch. Malicious PDFs usually need JavaScript or an automatic action to trigger, so non-zero counts for those keywords, or obj/endobj counts that do not match, are a quick signal that the file deserves a closer look. In this example we simply gather information from a PDF file called file.pdf.
Example Usage: pdfid.py file.pdf

pdf-parser

pdf-parser is a program used to display detailed information about a PDF file. A very useful feature is the ability to run a stream of data through a filter such as FlateDecode or ASCIIHexDecode. These filters are routinely used to hide code inside PDF files, so decoding the streams is what exposes an exploit attempt that a plain keyword count misses. In addition, pdf-parser can display individual objects and data streams, as well as provide statistics for the document. In the example below, we use pdf-parser to provide an overview of file.pdf using the --stats option.

Example Usage: pdf-parser.py --stats file.pdf

peepdf

peepdf is a very thorough utility that is used to analyze and edit PDF documents on the byte level. It offers the basic command line usage, but also offers an in depth interactive console. The command line usage provides a more basic overview of the PDF file, while the interactive console provides more powerful functions. In the first example, we use peepdf to provide an overview of file.pdf, while the second one shows how to enter interactive mode using file.pdf.

Example Usage:peepdf.py file.pdf
Example Usage:peepdf.py -i file.pdf
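The two steps pdfid and pdf-parser cover, a raw keyword count followed by a look inside the compressed streams, are short enough to show in full. The script below is an added example and is not the code of pdfid, pdf-parser or peepdf; the sample PDF it scans is constructed inline, with the JavaScript deliberately placed inside a FlateDecode stream so that the raw count reports no /JS at all and only inflating the stream reveals it.

```python
"""Triage a PDF the way pdfid and pdf-parser do: count keywords, then decode streams.

Added example, not the code of pdfid, pdf-parser or peepdf. build_sample_pdf()
returns a constructed minimal document whose JavaScript action is hidden in a
FlateDecode-compressed stream; /OpenAction in object 1 is what makes it run on open.
"""
import re
import zlib

# Keywords pdfid counts; /JS, /JavaScript, /AA, /OpenAction and /Launch are the ones to look at first.
KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream",
            b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch"]
STREAM_START = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")


def count_keywords(data):
    """Raw keyword counts over the bytes, without decoding anything (pdfid style).
    Letters are excluded on both sides so 'endobj' is not also counted as 'obj'."""
    return {k.decode(): len(re.findall(rb"(?<![A-Za-z])" + re.escape(k) + rb"(?![A-Za-z])", data))
            for k in KEYWORDS}


def decode_streams(data):
    """Yield (stream dictionary, body) for each stream; FlateDecode bodies are inflated.
    The body is sliced by /Length when present, because compressed data can contain anything."""
    for m in STREAM_START.finditer(data):
        dictionary, start = m.group(1), m.end()
        length = re.search(rb"/Length\s+(\d+)", dictionary)
        if length:
            body = data[start:start + int(length.group(1))]
        else:
            end = data.find(b"endstream", start)
            body = data[start:end if end >= 0 else len(data)]
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass                      # corrupt or deliberately mangled stream: keep raw bytes
        yield dictionary, body


def scan_pdf(data):
    """Return (raw counts, counts including decoded stream contents, decoded stream bodies)."""
    raw = count_keywords(data)
    bodies = [body for _, body in decode_streams(data)]
    return raw, count_keywords(data + b"\n" + b"\n".join(bodies)), bodies


def build_sample_pdf(js=b"app.alert('constructed sample');"):
    """Constructed minimal PDF: /OpenAction points at a JavaScript action inside a compressed stream."""
    payload = zlib.compress(b"<< /S /JavaScript /JS (" + js + b") >>")
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj",
        b"3 0 obj\n<< /Length " + str(len(payload)).encode() + b" /Filter /FlateDecode >>\nstream\n"
        + payload + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    raw, decoded, bodies = scan_pdf(build_sample_pdf())
    for key in KEYWORDS:
        name = key.decode()
        print("%-12s raw=%d decoded=%d" % (name, raw[name], decoded[name]))
    for body in bodies:
        print("stream:", body)
```

On the constructed file the raw pass shows /OpenAction but zero /JS, which is exactly the situation pdfid warns about in its own output: an OpenAction with no visible script means the action lives in a stream you have not decoded yet.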

Password Forensics Tools -Backtrack

CmosPwd

CmosPwd is a BIOS password recovery tool. It supports many BIOS vendors and uses a different recovery method for each. Since a BIOS password stops you booting the machine normally, using it requires some physical manipulation (booting from other media or moving the drive). Once the hardware side is out of the way, usage is very easy. In the following example we wipe the CMOS contents altogether, which clears the password but also resets every other BIOS setting, so note the settings first if they matter to the investigation.

Example Usage: cmospwd /k

fcrackzip

fcrackzip is a utility used to crack Zip file password protection. There are many Zip crackers out there, but fcrackzip excels in speed and features, especially the brute force option. It is very easy to use; in the examples below we crack crack.zip with a brute force attack and with a dictionary attack taking passwords from passwords.txt. Add -u so that each candidate is verified by actually unzipping the first file; without it fcrackzip only checks the header verifier bytes and reports a large number of false positives.

Example Usage: fcrackzip -b -u crack.zip
Example Usage: fcrackzip -D -u -p passwords.txt crack.zip

samdump

Samdump (samdump2 on current Backtrack releases) is a utility that extracts password hashes from a SAM hive. The SAM hive on Windows systems holds the password hashes of the local users. With samdump you can retrieve the hashes and then feed them to a cracker such as John the Ripper. Note that the hashes in the SAM are encrypted with a key (the bootkey) kept in the SYSTEM hive, so samdump2 needs both hives, exported from the same machine. In this example we retrieve hashes from an exported SAM file named sam.file.

Example Usage: samdump sam.file
Example Usage: samdump2 SYSTEM SAM

Network Forensics

driftnet

Driftnet is a network utility that sniffs traffic for images and other media and displays them in an X window. This is useful during investigations where a user's Internet habits are being monitored. Rather than sniffing all traffic with a utility like Wireshark, Driftnet makes it easier by automatically picking out images and media and displaying them to the user. In the example below, we capture on the wireless interface wlan0 in promiscuous mode and instruct driftnet to be verbose in its output.

Example Usage: driftnet -i wlan0 -v

p0f

p0f is a passive host identifier. p0f uses a fingerprinting technique that looks at the structure of the TCP/IP packets a host sends (initial TTL, window size, the order of TCP options, and so on) to guess its operating system and other properties. What sets p0f apart from other host analyzers is that it is completely passive: the host only has to connect to the same network or be contacted by another host on it, and the packets exchanged give p0f enough data to make a guess. Note that you need a file containing fingerprints in order to identify hosts. In this example we read fingerprints from /etc/p0f/p0f.fp and listen on wlan0 via libpcap.

Example Usage:p0f -f /etc/p0f/p0f.fp -i wlan0
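What "looking at the structure of the packets" means in practice is easiest to see on one SYN. The script below is an added example, not p0f's code, and its three-entry signature table is illustrative, not p0f.fp: it parses a raw IPv4+TCP SYN, pulls out the fields p0f keys on (initial TTL, the DF bit, window size, TCP option order, MSS and window scale) and matches them against the table. The sample packets are constructed inline with build_syn(); nothing is captured from a network.

```python
"""Passive TCP/IP fingerprinting of a SYN, the idea behind p0f.

Added example, not p0f's code. SIGNATURES is an assumed, illustrative table for
this example (not p0f.fp). build_syn() constructs sample packets with zeroed checksums.
"""
import struct

# Illustrative signatures (assumed for this example): 'ttl' is the *initial* TTL,
# 'options' is the order of TCP options in the SYN.
SIGNATURES = [
    {"label": "Linux 2.6.x", "ttl": 64,  "df": True, "window": 5840,
     "options": ["mss", "sackOK", "ts", "nop", "ws"]},
    {"label": "Windows XP",  "ttl": 128, "df": True, "window": 65535,
     "options": ["mss", "nop", "nop", "sackOK"]},
    {"label": "Windows 7",   "ttl": 128, "df": True, "window": 8192,
     "options": ["mss", "nop", "ws", "nop", "nop", "sackOK"]},
]
OPTION_NAMES = {2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}

# Option byte strings for the constructed sample packets: MSS 1460, SACK permitted,
# timestamps, NOP, window scale 7 (Linux); MSS 1460, NOP, NOP, SACK permitted (XP).
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
XP_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"


def parse_syn(packet):
    """Extract fingerprint fields from a raw IPv4 + TCP SYN (no link-layer header)."""
    ver_ihl, _tos, _tlen, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x1FF
    if not flags & 0x02 or flags & 0x10:          # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    opts = tcp[20:(off_flags >> 12) * 4]
    options, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP carries no length byte
            options.append("nop"); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                                 # malformed option: stop rather than loop forever
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        options.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        i += length
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "window": window,
            "options": options, "mss": mss, "wscale": wscale}


def guess_initial_ttl(ttl):
    """Observed TTL rounded up to the nearest common initial value (32/64/128/255)."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)


def fingerprint(packet, signatures=SIGNATURES):
    """Parse the SYN and return the matching labels plus the estimated hop distance."""
    f = parse_syn(packet)
    initial = guess_initial_ttl(f["ttl"])
    f["distance"] = initial - f["ttl"]
    f["matches"] = [s["label"] for s in signatures
                    if (s["ttl"], s["df"], s["window"], s["options"])
                    == (initial, f["df"], f["window"], f["options"])]
    return f


def build_syn(ttl, df, window, options, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed IPv4+TCP SYN with the given fingerprint fields (checksums left zero)."""
    options += b"\x00" * (-len(options) % 4)     # pad the option list to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_offset << 12) | 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0, ttl, 6, 0, src, dst)
    return ip + tcp


if __name__ == "__main__":
    for name, pkt in (("linux", build_syn(58, True, 5840, LINUX_OPTS)),
                      ("xp", build_syn(127, True, 65535, XP_OPTS))):
        print(name, fingerprint(pkt))
```

The TTL handling is the part people get wrong when writing their own: the observed TTL is rounded up to the nearest common initial value, and the difference is the hop count, so a Linux box six hops away (TTL 58) still matches the TTL 64 signature.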

tcpreplay

tcpreplay is a suite of network utilities that can take previously sniffed traffic and replay the packets onto the live network. This is often used for testing devices on the network, such as firewalls or Intrusion Prevention/Detection Systems (IPS/IDS). The suite itself consists of tcpprep, tcprewrite, tcpreplay, tcpreplay-edit, tcpbridge, and tcpcapinfo.

tcpprep: analyze packet capture files to determine client/server and create caches for use by tcpreplay and tcprewrite
tcprewrite: rewrite the Layer 2 through Layer 4 headers (MAC and IP addresses, ports, VLAN tags) of packets in a capture file, typically to retarget a pcap at the device under test
tcpreplay: inject packet capture files back into the live network
tcpreplay-edit: replay and edit files into the network
tcpbridge: bridge two sections of a network together using tcprewrite
tcpcapinfo: decode raw packet capture files and debug them

Wireshark

Wireshark is the famous packet capture and analysis program used by thousands of professionals and amateurs alike. It listens on a network interface via libpcap and logs the traffic sniffed. Beyond capturing the data, Wireshark provides an easy, graphical way to filter and analyze the traffic: following TCP streams, filtering out ARP or broadcast packets, and virtually any other filter you can imagine.

Xplico

Xplico is a Network Forensic Analysis Tool (NFAT) that specializes in extracting application data from packet capture files. Although it includes a live capture feature, it is best suited to pcap analysis. Xplico can extract email, HTTP, VoIP, FTP and other data directly from the pcap file and presents it to the user as the original application data; for example, it can reconstruct an image sent via FTP from the capture of the FTP session. In the example below we use Xplico to decode the information in capture.pcap.

Example Usage: xplico -m pcap -f capture.pcap

Forensic Suites -Backtrack

ptk

PTK is described above under RAM Forensics Tools.

setup autopsy

Autopsy is a GUI (uses web interface) to tools found in the Sleuthkit forensics toolkit. Autopsy specializes in analyzing disk images, and can retrieve information from them using search or browse functions. For a tutorial on retrieving “deleted” information from a disk, take a look at this Autopsy Tutorial.

sleuthkit

Sleuthkit is a forensic toolkit containing many utilities that can be used in a digital forensics investigation. Sleuthkit is the official successor of The Coroner's Toolkit (TCT). Sleuthkit itself is not a single program; it is the name given to a collection of programs, including ils, blkls, fls, fsstat, ffind, mactime and disk_stat. mactime does not walk a filesystem itself: it builds a timeline from a body file produced by fls -m (or ils -m). The example below lists every file in image.dd recursively, with its timestamps, into a body file and then prints the timeline of activity since 1 January 2011:

Example usage: fls -r -m / image.dd > body.txt
Example usage: mactime -b body.txt -d -y 2011-01-01

Forensic Imaging Tools

air

AIR, or Automated Image and Restore, is a utility used to create forensics-grade disk images from drives. AIR itself is a GUI front end for dd/dc3dd, which is the program actually used to create the image. On Backtrack, when you first select air, it will download and compile the components it needs. From there the GUI is easy to use.

dc3dd

dc3dd is a patched version of dd, the utility used for low-level disk copying. dc3dd adds several features that are of great use to forensic investigators, including on-the-fly hashing and error handling that help prove the copy matches the original. The example below splits a large disk image into smaller pieces, which is extremely useful when the image is too large to be moved around easily. It takes /dev/sda as the input, calculates MD5 and SHA1 hashes of each 2 GB window and of the whole input, splits the output into 2 GB pieces with a numeric “000” suffix in the file name, logs everything to /root/Desktop/log.txt, and writes the pieces to /root/Desktop/images. conv=noerror,sync keeps going past unreadable sectors and pads them so later data stays at its correct offset.
Example usage: dc3dd if=/dev/sda progress=on hashconv=after hash=md5,sha1 hashwindow=2GB splitformat=000 split=2GB log=/root/Desktop/log.txt bs=512 iflag=direct conv=noerror,sync of=/root/Desktop/images

ddrescue

ddrescue is a tool used to copy data from one file or device to another. In the case of a damaged device it attempts to recover the damaged areas on later passes, unlike dd, which simply fills them with zeros (or stops). ddrescue can also merge several damaged copies of a file into a single copy with (hopefully) no damage. Here is an example of ddrescue being used, as found on its website. Together, these commands rescue a disk containing three ext2 partitions, using a logfile so that the second pass (-r3, three retries on the bad areas) only revisits what the first pass (-n, no scraping of bad areas) could not read, and then check the filesystems with e2fsck.

Example usage: ddrescue -f -n /dev/hda /dev/hdb logfile
Example usage: ddrescue -d -f -r3 /dev/hda /dev/hdb logfile
Example usage: fdisk /dev/hdb
Example usage: e2fsck -v -f /dev/hdb1
Example usage: e2fsck -v -f /dev/hdb2

ewfacquire

ewfacquire is a tool used to create disk images in the EWF format. EWF images are used by several forensic toolkits, including EnCase and FTK (Forensic Toolkit). ewfacquire computes an MD5 digest while acquiring and can add others (SHA1, SHA256) with -d. The example below shows ewfacquire creating an image from /dev/sdb1, adding a SHA1 digest, and logging to /root/Desktop/log.txt

Example usage: ewfacquire -d sha1 -l /root/Desktop/log.txt /dev/sdb1

Forensic Hashing Tools

hashdeep

Hashdeep is a utility that computes hashes for many files, descending recursively through directories and hashing each file found. It also has modes to compare against and audit a saved list of digests. By default it computes the MD5 and SHA256 hash of each file, although other types can be specified; the available hash types are MD5, SHA1, SHA256, Tiger and Whirlpool. The example below computes MD5 and SHA256 hashes (the default, so -c could be omitted) for every file under /root/Desktop/files/; -r is what makes hashdeep descend into subdirectories.

Example usage: hashdeep -r -c md5,sha256 /root/Desktop/files/

md5deep

md5deep is a tool used to compute and compare MD5 message digests. The example below recursively (-r) computes MD5 digests of the files found under /root/Desktop/
Example usage: md5deep -r /root/Desktop/

sha1deep

Like md5deep, sha1deep is used to compute and compare message digests; sha1deep deals with SHA1 digests. The usage is the same as md5deep, and the example below creates SHA1 digests of the files found in /root/Desktop/
Example usage: sha1deep /root/Desktop/*

sha256deep

Like md5deep, sha256deep is used to compute and compare message digests; sha256deep deals with SHA256 digests. The usage is the same as md5deep, and the example below creates SHA256 digests of the files found in /root/Desktop/

Example usage: sha256deep /root/Desktop/*

tigerdeep

Like md5deep, tigerdeep is used to compute and compare message digests; tigerdeep deals with Tiger digests. The usage is the same as md5deep, and the example below creates Tiger digests of the files found in /root/Desktop/

Example usage: tigerdeep /root/Desktop/*

whirlpooldeep

Like md5deep, whirlpooldeep is used to compute and compare message digests; whirlpooldeep deals with Whirlpool digests. The usage is the same as md5deep, and the example below creates Whirlpool digests of the files found in /root/Desktop/

Example usage: whirlpooldeep /root/Desktop/*
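The hashdeep family above all do the same two jobs: walk a tree producing one digest line per file, and later audit the tree against that list. The script below is an added example, not the code of hashdeep or the *deep tools, that does both with a single read of each file (several digests per pass, as hashdeep does) and reports what changed, vanished or appeared. The sample tree it hashes is constructed in a temporary directory; the two files in it are the standard test vectors for an empty input and for "abc".

```python
"""Recursive multi-hash manifest and audit, in the spirit of hashdeep -r -c md5,sha256.

Added example, not the code of hashdeep/md5deep. run_demo() builds a constructed
sample tree in a temp directory, hashes it, tampers with it and audits it.
"""
import hashlib
import os
import shutil
import tempfile

ALGOS = ("md5", "sha256")


def hash_file(path, algos=ALGOS, chunk=1 << 20):
    """Hash one file with several algorithms in a single pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_tree(root, algos=ALGOS):
    """Return {relative path: {'size': n, 'md5': ..., 'sha256': ...}} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            entry = {"size": os.path.getsize(full)}
            entry.update(hash_file(full, algos))
            manifest[os.path.relpath(full, root)] = entry
    return manifest


def audit_tree(root, known, algos=ALGOS):
    """Compare the live tree with a saved manifest (what hashdeep's audit mode reports)."""
    current = hash_tree(root, algos)
    return {
        "changed": sorted(p for p in current if p in known and current[p] != known[p]),
        "missing": sorted(set(known) - set(current)),
        "new": sorted(set(current) - set(known)),
    }


def run_demo():
    """Build a small constructed tree, hash it, tamper with it, and return (baseline, audit result)."""
    root = tempfile.mkdtemp(prefix="hashdemo_")
    try:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "empty.bin"), "wb"):
            pass                                     # constructed: empty file
        with open(os.path.join(root, "sub", "abc.txt"), "wb") as fh:
            fh.write(b"abc")                         # constructed: the classic "abc" test vector
        baseline = hash_tree(root)
        with open(os.path.join(root, "sub", "abc.txt"), "ab") as fh:
            fh.write(b"d")                           # tamper: append one byte
        os.remove(os.path.join(root, "empty.bin"))   # delete a file
        with open(os.path.join(root, "new.log"), "wb") as fh:
            fh.write(b"x")                           # add a file
        return baseline, audit_tree(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    baseline, result = run_demo()
    for path, entry in baseline.items():             # same field order as hashdeep output
        print("%d,%s,%s,%s" % (entry["size"], entry["md5"], entry["sha256"], path))
    print(result)
```

Hashing every algorithm in one pass matters on evidence drives: reading a 2 TB image twice to get MD5 and SHA256 separately doubles the time for no extra assurance.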

Forensic Carving Tools -Backtrack

fatback

Fatback is a tool used to recover deleted files from FAT filesystems. Fatback reads an image of a FAT filesystem and writes all deleted files into a directory chosen by the user. This is useful in investigations involving Windows machines, since many older Windows installs use some form of FAT (FAT16, FAT32), and most USB flash drives still do. The example below takes a FAT filesystem image, writes fatback's log to a file chosen by the user, prints verbosely to the terminal, outputs deleted files to a directory chosen by the user, and automatically recovers all files that have been deleted.
Example usage: fatback [image] -l [logfile to output] -v -o [output directory] -a

foremost

Foremost is a well known utility that specializes in file carving. It takes image files, such as those created by dd, and will search for file headers in order to recover files. It returns information to the user by outputting files found to a predetermined directory set by the user. The example below outputs JPEG images found in image.img (an image file created by dd) and outputs everything found in /root/Desktop/output/.
Example usage: foremost -v -t jpeg -o /root/Desktop/output/ -i image.img

magicrescue

Magic Rescue is a program that searches a filesystem image for “magic number” bytes, and attempts to recover the files that these magic numbers belong to. Magic numbers are basically several bytes of data that act as a file identifier, giving basic information such as file type. The below example usage uses the jpeg-jfif “recipe” (others are found in /usr/local/share/magicrescue/recipes), meaning it looks for JPEG files based on the JFIF header. The output directory is /root/Desktop/output/, and the image being analyzed in /dev/sdb1, although it can be any filesystem or image file.
Example usage: magicrescue -r jpeg-jfif -d /root/Desktop/output/ /dev/sdb1

recoverjpeg

RecoverJPEG is another utility to recover JPEG images from a filesystem. RecoverJPEG can take input either as a partition (like /dev/sda1) or an image file, like those produced by dd. The below example will recover JPEG images found in the image.img file.
Example usage: recoverjpeg image.img

safecopy

Safecopy is a program used to recover as much data as possible from a damaged device, such as a hard drive or USB stick. Unlike dd, cat or cp, safecopy is built for damaged media: those programs give up when they hit an unreadable area, while safecopy identifies the bad areas, skips around them and keeps reading to the point designated by the user. Work on the unmounted device, ideally behind a write blocker, so that nothing on the failing drive is changed while you read it. This example recovers data from /dev/sdb1, a device that cp or dd fail on, and writes everything it could read to a single image file, /root/Desktop/rescued_files:

Example usage: safecopy /dev/sdb1 /root/Desktop/rescued_files
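The difference between a plain dd read loop and what dc3dd conv=noerror,sync, ddrescue and safecopy do is small in code but decisive on a failing drive. The script below is an added example, not code from any of those tools: naive_copy() stops at the first unreadable block, while rescue_copy() narrows a failed block down to individual sectors, zero-fills only the ones that still fail so every later byte keeps its offset, and returns the list of bad sectors, which is the information a ddrescue logfile/mapfile keeps for a later retry pass. FlakyDevice is a constructed in-memory stand-in for a damaged drive.

```python
"""Block copy that survives read errors, as dc3dd conv=noerror,sync, ddrescue and safecopy do.

Added example, not code from those tools. FlakyDevice is a constructed stand-in
for a damaged drive: any read touching one of its bad sectors raises IOError.
"""
import io

SECTOR = 512


class FlakyDevice:
    """Constructed in-memory 'drive' with unreadable sectors."""

    def __init__(self, data, bad_sectors):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        first, last = self.pos // SECTOR, (self.pos + n - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise IOError("Input/output error reading sector %d" % first)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def naive_copy(dev, size, out, block=64 * 1024):
    """dd without conv=noerror: copy until the first failed read; return bytes copied."""
    offset = 0
    while offset < size:
        n = min(block, size - offset)
        dev.seek(offset)
        try:
            chunk = dev.read(n)
        except IOError:
            break
        out.write(chunk)
        offset += n
    return offset


def rescue_copy(dev, size, out, block=64 * 1024):
    """Copy `size` bytes in large blocks; on error retry sector by sector and zero-fill what still fails.
    Returns the sorted list of sector numbers that could not be read (the retry list for a later pass)."""
    bad, offset = [], 0
    while offset < size:
        n = min(block, size - offset)
        dev.seek(offset)
        try:
            out.write(dev.read(n))
        except IOError:
            for sec_off in range(offset, offset + n, SECTOR):   # narrow the loss to single sectors
                m = min(SECTOR, offset + n - sec_off)
                dev.seek(sec_off)
                try:
                    out.write(dev.read(m))
                except IOError:
                    out.write(b"\x00" * m)       # keep alignment, as conv=noerror,sync does
                    bad.append(sec_off // SECTOR)
        offset += n
    return sorted(bad)


def run_demo():
    """Copy a constructed 300-sector drive with three bad sectors both ways and report the outcome."""
    data = bytes((i * 31 + 1) % 256 for i in range(SECTOR * 300))   # constructed; no sector is all zeros
    bad = {5, 6, 200}
    naive_bytes = naive_copy(FlakyDevice(data, bad), len(data), io.BytesIO())
    out = io.BytesIO()
    bad_found = rescue_copy(FlakyDevice(data, bad), len(data), out)
    image = out.getvalue()
    sector = lambda buf, s: buf[s * SECTOR:(s + 1) * SECTOR]
    return {
        "naive_bytes": naive_bytes,
        "bad_sectors": bad_found,
        "size_ok": len(image) == len(data),
        "intact": all(sector(image, s) == sector(data, s) for s in range(300) if s not in bad),
        "zeroed": all(sector(image, s) == b"\x00" * SECTOR for s in bad),
    }


if __name__ == "__main__":
    print(run_demo())
```

On the constructed drive the naive loop copies nothing, because the very first 64 KiB block contains a bad sector, while the rescue loop loses exactly three sectors and records which ones; that record is what lets ddrescue's second pass (-r3 above) go back for only the bad areas instead of rereading the whole drive.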

scalpel

Scalpel is a well known file carving utility that uses a database of known file header and footer signatures to carve files out of a disk image. To begin using Scalpel, the scalpel.conf file needs to be edited to tell Scalpel which file types you are looking for; just uncomment the lines for each type you want. Example config files can be found here. This example uses a configuration file named scalpel.conf, searches the disk image image.img, and writes all carved files to /root/Desktop/scalpel_results/

Example usage: scalpel -c scalpel.conf image.img -o /root/Desktop/scalpel_results/
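foremost, scalpel, magicrescue and recoverjpeg all rest on the same idea: ignore the filesystem, scan the raw bytes for a known header, and carve up to the matching footer or a size cap. The carver below is an added example (not code from any of those tools) for JPEGs, the type every one of them handles; the disk image it scans and the JPEG-like blobs inside it are constructed inline, carrying real SOI/EOI markers but not decodable pictures.

```python
"""Header/footer carving for JPEGs, the technique behind foremost, scalpel, magicrescue and recoverjpeg.

Added example, not code from those tools. build_sample_image() returns a
constructed disk image: filler, two complete JPEG-like blobs, and one whose
tail has been overwritten so its footer is gone.
"""
import os

JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
MAX_JPEG = 20 * 1024 * 1024          # cap a carve whose footer is missing (scalpel's size column)


def carve_jpegs(image, max_size=MAX_JPEG):
    """Return [(offset, bytes)] for every JPEG-looking run in `image`."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start < 0:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end < 0 or end + len(JPEG_FOOTER) - start > max_size:
            # No footer within the cap: the tail was overwritten. Keep the fragment up to the cap.
            stop = min(start + max_size, len(image))
        else:
            stop = end + len(JPEG_FOOTER)
        found.append((start, image[start:stop]))
        pos = stop       # resume after the carve; an embedded EXIF thumbnail's EOI would end a carve early
    return found


def write_carved(found, outdir):
    """Write each carve as <offset>.jpg into outdir, the way foremost/scalpel name their output."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for offset, blob in found:
        path = os.path.join(outdir, "%012d.jpg" % offset)
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


def fake_jpeg(payload):
    """Constructed JPEG-like blob: real SOI/APP0/EOI markers around filler bytes."""
    return JPEG_HEADER + b"\xe0" + payload + JPEG_FOOTER


def build_sample_image():
    """Constructed disk image; returns (image bytes, the blobs a correct carver should recover)."""
    def filler(n, k):
        return bytes((i * k) % 255 for i in range(n))     # never 0xFF, so no accidental markers
    a = fake_jpeg(filler(300, 37))
    b = fake_jpeg(filler(500, 91))
    truncated = JPEG_HEADER + b"\xe0" + filler(100, 13)   # header present, footer overwritten
    image = filler(4096, 7) + a + filler(1000, 11) + b + filler(2048, 5) + truncated
    return image, [a, b, truncated]


if __name__ == "__main__":
    image, _ = build_sample_image()
    for offset, blob in carve_jpegs(image):
        note = "" if blob.endswith(JPEG_FOOTER) else " (truncated)"
        print("JPEG at offset %d, %d bytes%s" % (offset, len(blob), note))
```

The size cap is the part worth copying into your own carvers: without it, a header whose footer has been overwritten makes the carver swallow the rest of the image, which is exactly why scalpel.conf carries a maximum size per file type.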

scrounge-ntfs

Scrounge-NTFS is a utility that can be used to recover information from an NTFS partition. Scrounge-NTFS uses information provided by the user to rebuild the filesystem tree, which it writes out to a directory on another disk. The program requires you to know the start and end sector of the filesystem and its cluster size; scrounge-ntfs -l lists the partition table of a drive to help you find these values. The example below uses a cluster size of 8 sectors (4 KiB, the most common; it is always a power of 2), sets the output directory to /root/Desktop/output/, reads data from /dev/sdb1, and starts at sector 63 and ends at sector 81920000, meaning the filesystem spans roughly 40 GB.

Example usage: scrounge -c 8 -o /root/Desktop/output/ /dev/sdb1 63 81920000

testdisk

TestDisk is a program that specializes in recovering lost disk partitions, and making disks bootable. It has the ability to rebuild partition tables, rebuild boot sectors, fix the Master File Table (MFT), recover files, and more. The program contains many features, so rather than post a small example usage here, I would suggest looking at their very thorough Step by Step Guide.

Forensic Analysis Tools -Backtrack

bulk_extractor

bulk_extractor is a utility that scans disk images, files or directories and extracts the features it finds in them. What separates bulk_extractor from similar tools is speed: it does not parse the filesystem structures of its input at all, it just scans the raw bytes, so it is fast and also finds data in unallocated space and slack. It writes what it finds to feature files such as ccn.txt (credit card numbers, validated with the Luhn check), email.txt (email addresses), exif.txt (EXIF data from media files), url.txt (URLs) and more.
Example usage: bulk_extractor -o [output directory] input
Note that the output directory must not already exist.

evtparse.pl

This utility takes .evt files, which contain log information for use by the event manager, and parses them into something useful for investigators. Specifically, it dumps the events as a timeline.
Example usage: evtparse.pl -e [event_log]

exiftool

exiftool lets you read and write metadata (such as EXIF) in image, video and audio files. Here are a few examples from the exiftool manpage: the first prints all tags, including unknown ones, grouped by location in the file; the second writes a comment tag.
Example usage: exiftool -a -u -g1 [image_file]
Example usage: exiftool -Comment='Enter a comment in quotes here' [image_file]

missidentify

The missidentify tool finds Win32 executable files by their structure rather than their extension, so it still finds binaries that have been renamed to hide them. It can search recursively through folders and then lists the results.
Standard usage would usually include searching recursively (-r options).

Example usage: missidentify -r [location]

mork.pl

A Perl script that extracts information from a Mork database file. Mork files were previously used by Mozilla programs to store information such as Firefox browsing history and Thunderbird contacts. Newer Firefox versions use SQLite database files instead, but Thunderbird continues to use Mork files. The following example uses mork.pl to create an HTML file with the information from a Mork file.
Example usage: mork.pl --html [Mork_file]

pref.pl

This Perl script parses the content of Windows XP and Windows Vista prefetch files and directories. The output can be set to comma-separated values (.csv) for easier viewing. In the following example, pref.pl is used to parse data from a folder containing prefetch files from Vista (the default is XP) and output it as a CSV file.
Example usage: pref.pl -v -f [prefetch_file] -c

ptk

PTK is a forensics toolkit, similar to the Sleuth Kit. It contains built-in modules to analyze nearly any type of media or file type that may be encountered in a forensics investigation. It is browser based, and first needs to have a MySQL database configured. Leave all fields at their defaults, and use the password "toor" for the root user in MySQL. It should set up successfully, at which point you need to register for the free version. Copy the license file you received into the config directory for PTK located at /var/www/ptk/config.
Next, log in as either admin or investigator, and open a new case. Fill out the necessary information, then add an image file to begin. It can even be a RAM dump. From here, the built-in tools will help you pull information from the image(s).

readpst

readpst is a command line utility that takes Microsoft Outlook PST files and converts them into mbox format files. Mbox files are easier to read and manipulate than PST files, so this allows investigators to view the mail contained in the PST files. In the example below, the mail contained in mail.pst is converted to mbox format and placed on the root user's desktop.

Example usage: readpst -o /home/root/Desktop/ mail.pst

reglookup

RegLookup is a utility that will output the contents of registry hives from Windows NT-based systems. It outputs the information in a format that is easily readable, which makes lookups easier, and includes several filtering options to make the output even more useful. The example below will output all registry contents found in the [registry-file] hive.

Example usage: reglookup -v [registry-file]

stegdetect

Stegdetect is a program which will attempt to detect steganographic messages embedded in media. It accepts JPEG images and looks for the signatures of several well-known steganography embedding programs in order to alert the user that data may be embedded in the file. The example below runs stegdetect on [file.jpg] and reports whether or not data may be hidden in the image.

Example usage: stegdetect -t jopi [file.jpg]

vinetto

Vinetto is a tool used to analyze Thumbs.db files. Thumbs.db files contain thumbnail images and metadata for images stored on a filesystem, and they often remain after the original image has been deleted. Vinetto is able to take these Thumbs.db files and extract information from them about images that were on the system.
Vinetto has several modes; the two most useful are elementary mode and filesystem mode. Elementary mode takes individual Thumbs.db files and analyzes them, while filesystem mode takes an entire filesystem image and searches for and analyzes the Thumbs.db files contained in the image. The first example below shows basic elementary mode, while the second shows elementary mode with an HTML report and the thumbnails written to a directory of your choice.

Example usage: vinetto [thumbs.db file]
Example usage: vinetto -H [directory to write HTML] -o [directory to write thumbnails] [thumbs.db file]

Digital Anti Forensics

Install TrueCrypt

This script is used to install TrueCrypt, software that creates encrypted volumes using various encryption ciphers. It offers features such as hidden volumes inside the encrypted container, as well as the ability to use key files in addition to text passwords to unlock the volume.

Digital Forensics

hexedit

hexedit is a program that gives the user the ability to view a file in hexadecimal and ASCII side by side. It can also open a block device as if it were a file. It includes built-in key shortcuts to make it fast and easy to edit and analyze files, including jumping to a specific offset, cutting and pasting, and changing views and modes, with key bindings similar to those of emacs.

Example usage: hexedit [filename]

Anti Virus Forensic Tools -BackTrack

chkrootkit

chkrootkit is a utility that will check for signs that a device is infected with a rootkit. It runs on Linux, FreeBSD, and OS X. It uses standard utilities such as awk, grep, netstat, cut, echo, and more in order to detect signatures that suggest rootkits.
Standard use of chkrootkit should include an alternate path to trusted binaries (don't trust the binaries on a machine you are scanning), along with the path to the root directory to be scanned.

Example usage: chkrootkit -p [path-to-trusted-binaries] -r [root-path-to-scan]

rkhunter

rkhunter is another utility used to check for signs of rootkits on Unix-based systems. Usually, you will want to run the scan against a mounted filesystem, using a trusted set of binaries. In the example below, the --sk option means a keypress isn't required after each test runs.

Example usage: rkhunter -c --sk

Saturday, February 25, 2012

How to Install BlackBuntu inside VirtualBox ~ PenTesting Tutorials

This tutorial will guide you through installing BlackBuntu (a penetration testing distribution) inside VirtualBox.

First of all, download and install VirtualBox.


After installation, you can start VirtualBox as follows:

On a Windows host, in the standard "Programs" menu, click on the item in the "VirtualBox" group. On Vista or Windows 7, you can also type "VirtualBox" in the search box of the "Start" menu.



On a Mac OS X host, in the Finder, double-click on the "VirtualBox" item in the "Applications" folder. (You may want to drag this item onto your Dock.)

On a Linux or Solaris host, depending on your desktop environment, a "VirtualBox" item may have been placed in either the "System" or "System Tools" group of your "Applications" menu. Alternatively, you can type VirtualBox in a terminal.

When you start VirtualBox for the first time, a window like the following should come up:


This window is called the "VirtualBox Manager". On the left, you can see a pane that will later list all your virtual machines. Since you have not created any, the list is empty. A row of buttons above it allows you to create new VMs and work on existing VMs, once you have some. The pane on the right displays the properties of the virtual machine currently selected, if any. Again, since you don't have any machines yet, the pane displays a welcome message.

To give you an idea what VirtualBox might look like later, after you have created many machines, here's another example:



Click on the "New" button at the top of the VirtualBox Manager window. A wizard will pop up to guide you through setting up a new virtual machine (VM):



On the following pages, the wizard will ask you for the bare minimum of information that is needed to create a VM, in particular:

The VM name will later be shown in the VM list of the VirtualBox Manager window, and it will be used for the VM's files on disk. Even though any name could be used, keep in mind that once you have created a few VMs, you will appreciate having given your VMs rather informative names; "My VM" would thus be less useful than "Windows XP SP2 with OpenOffice".

For "Operating System Type", select the operating system that you want to install later. The supported operating systems are grouped; if you want to install something very unusual that is not listed, select "Other". Depending on your selection, VirtualBox will enable or disable certain VM settings that your guest operating system may require. This is particularly important for 64-bit guests (see the section called “64-bit guests”). It is therefore recommended to always set it to the correct value.

On the next page, select the memory (RAM) that VirtualBox should allocate every time the virtual machine is started. The amount of memory given here will be taken away from your host machine and presented to the guest operating system, which will report this size as the (virtual) computer's installed RAM.

Note (read this carefully):
Choose this setting carefully! The memory you give to the VM will not be available to your host OS while the VM is running, so do not specify more than you can spare. For example, if your host machine has 1 GB of RAM and you enter 512 MB as the amount of RAM for a particular virtual machine, while that VM is running, you will only have 512 MB left for all the other software on your host. If you run two VMs at the same time, even more memory will be allocated for the second VM (which may not even be able to start if that memory is not available). On the other hand, you should specify as much as your guest OS (and your applications) will require to run properly.

A Windows XP guest will require at least a few hundred MB RAM to run properly, and Windows Vista will even refuse to install with less than 512 MB. Of course, if you want to run graphics-intensive applications in your VM, you may require even more RAM.

So, as a rule of thumb, if you have 1 GB of RAM or more in your host computer, it is usually safe to allocate 512 MB to each VM. But, in any case, make sure you always have at least 256 to 512 MB of RAM left on your host operating system. Otherwise you may cause your host OS to excessively swap out memory to your hard disk, effectively bringing your host system to a standstill.

As with the other settings, you can change this setting later, after you have created the VM.

Next, you must specify a virtual hard disk for your VM.

There are many and potentially complicated ways in which VirtualBox can provide hard disk space to a VM (see Chapter Virtual storage for details), but the most common way is to use a large image file on your "real" hard disk, whose contents VirtualBox presents to your VM as if it were a complete hard disk. This file represents an entire hard disk then, so you can even copy it to another host and use it with another VirtualBox installation.

The wizard shows you the following window:

Here you have the following options:

To create a new, empty virtual hard disk, press the "New" button.

You can pick an existing disk image file.

The drop-down list presented in the window contains all disk images which are currently remembered by VirtualBox, probably because they are currently attached to a virtual machine (or have been in the past).

Alternatively, you can click on the small folder button next to the drop-down list to bring up a standard file dialog, which allows you to pick any disk image file on your host disk.

Most probably, if you are using VirtualBox for the first time, you will want to create a new disk image. Hence, press the "New" button.

This brings up another window, the "Create New Virtual Disk Wizard", which helps you create a new disk image file in the new virtual machine's folder.

VirtualBox supports two types of image files:

A dynamically allocated file will only grow in size when the guest actually stores data on its virtual hard disk. It will therefore initially be small on the host hard drive and only later grow to the size specified as it is filled with data.

A fixed-size file will immediately occupy the file specified, even if only a fraction of the virtual hard disk space is actually in use. While occupying much more space, a fixed-size file incurs less overhead and is therefore slightly faster than a dynamically allocated file.

For details about the differences, please refer to the section called “Disk image files (VDI, VMDK, VHD, HDD)”.

To prevent your physical hard disk from running full, VirtualBox limits the size of the image file. Still, it needs to be large enough to hold the contents of your operating system and the applications you want to install; for a modern Windows or Linux guest, you will probably need several gigabytes for any serious use.




When you select a virtual machine from the list in the Manager window, you will see a summary of that machine's settings on the right.

Clicking on the "Settings" button in the toolbar at the top brings up a detailed window where you can configure many of the properties of the selected VM. But be careful: even though it is possible to change all VM settings after installing a guest operating system, certain changes might prevent a guest operating system from functioning correctly if done after installation.
Note

The "Settings" button is disabled while a VM is either in the "running" or "saved" state. This is simply because the settings dialog allows you to change fundamental characteristics of the virtual computer that is created for your guest operating system, and this operating system may not take it well when, for example, half of its memory is taken away from under its feet. As a result, if the "Settings" button is disabled, shut down the current VM first.

VirtualBox provides a plethora of parameters that can be changed for a virtual machine. All of the settings that can be changed are grouped in the "Settings" window.

======BlackBuntu Install=======

When a VM gets started for the first time, another wizard -- the "First Start Wizard" -- will pop up to help you select an installation medium. Since the VM is created empty, it would otherwise behave just like a real computer with no operating system installed: it will do nothing and display an error message that no bootable operating system was found.

For this reason, the wizard helps you select a medium to install an operating system from.

If you have physical CD or DVD media from which you want to install your guest operating system (e.g. in the case of a Windows installation CD or DVD), put the media into your host's CD or DVD drive.

Then, in the wizard's drop-down list of installation media, select "Host drive" with the correct drive letter (or, in the case of a Linux host, device file). This will allow your VM to access the media in your host drive, and you can proceed to install from there.

If you have downloaded installation media from the Internet in the form of an ISO image file (most probably in the case of a Linux distribution), you would normally burn this file to an empty CD or DVD and proceed as just described. With VirtualBox however, you can skip this step and mount the ISO file directly. VirtualBox will then present this file as a CD or DVD-ROM drive to the virtual machine, much like it does with virtual hard disk images.

For this case, the wizard's drop-down list contains a list of installation media that were previously used with VirtualBox.

If your medium is not in the list (especially if you are using VirtualBox for the first time), select the small folder icon next to the drop-down list to bring up a standard file dialog, with which you can pick the image file on your host disks.

In both cases, after making the choices in the wizard, you will be able to install your operating system.