segmentation fault Kali Linux 2.0 [solved]

Kali Linux 2.0,the well known Penetration testing distro contains a plethora for digital forensics tools and is widely used by ethical hacker community across the globe.It comes with over 650 tools pre-installed that help  perform tasks like network analysis, ethical hacking, load & crash testing etc. It is powered by Linux kernel 4.0 and has enhanced support for different graphics cards and desktop environments.However ,a small bug as I noticed running two regular commands as apt-get update and msfupdate. Used to get the segmentation fault error as seen below in the screen shot :

Resolved by running the following commands at terminal to open sources.list  file

root@kali:~# leafpad /etc/apt/sources.list

As the file opens, simply select all the existing content in the file and delete it.Further to it cut and paste the following lines in the file and save :  

# Regular repositories

deb http://http.kali.org/kali sana main non-free contrib

deb http://security.kali.org/kali-security sana/updates main contrib non-free

# Source repositories

deb-src http://http.kali.org/kali sana main non-free contrib

deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

and now it should work just as it worked in my case as seen below :

Burp Suite : Configuring the browser and redirecting traffic

1.   Vide my last post about installing Burp Suite here ,now I move ahead to configure your browser in order to redirect all HTTP/S requests through Burp Proxy, instead of the actual target website. In my case here I am configuring a Mozilla Browser with proxy host address to 127.0.0.1 and the proxy port to 8080 , for both HTTP and HTTPS.The typical configuring of browsers is more or less common with major browsers with minor differences in interfaces.Here next I place you screen shots as I surfed a redirected traffic both for http and https via Burp Suite.First steps to configure Mozilla followed by screen shots :

Configuring Mozilla Firefox

- Click Firefox menu and then Preferences.
- In the Advanced options, under the Network tab, click on connection Settings.
- Select Manual proxy configuration.
- Enter the proxy host address as 127.0.0.1 and the proxy port as 8080.
- Select Use this proxy server for all protocols.
- Make sure to remove all exceptions from the No Proxy for field.
- Click OK and close.

2.   So now you have a working installation of Burp Suite and your browser is properly configured to intercept all requests.Now to test go to the browser, enter any http://www.****** site in the address bar and press Enter . If all is well, Burp Proxy should intercept this request. In Burp Suite,go to the Proxy and Intercept tab and verify that the web request is waiting for your approval.Ensure tha the Intercept on button is enabled; click on it and allow the request to transit through Burp by pressing Forward in Burp Suite Interface. Now in the browser, you should see the http page you entered in address bar.

Now try a https site and you are bound to see this warning as seen below in the screenshot.You will be presented with a This Connection is Untrusted page.In such a case, you are required to manually approve the connection by clicking on I Understand The Risks, then Add Exceptions... and Confirm Security Exception. To make sure that Burp Proxy is actually causing the warning, you click on the certificate status View... and see that the certificate belongs to PortSwigger CA as seen below in one screenshot.

 PortSwigger CA certificate

This setup means that Burp Suite is now ready for use as the traffic is being redirected as desired as per configuration....

Volatility Framework Command : Using pslist - pstree - psscan to identify process details from mem dump

This post will share an example to run the three volatility terminal commands including pslist, pstree and psscan

Before I proceed ahead,I would assume that you have installed volatility in your Linux system(in my case I am using UBUNTU,Installation explained at my earlier post at http://anupriti.blogspot.in/2015/09/volatility-advanced-memory-forensics.html) and you have a RAM dump of the OS u desire to analyse.In my case here I have taken the RAM dump of a Windows 7 OS as explained here at http://anupriti.blogspot.in/2015/09/volatility-command-using-imageinfo-to.html

Usage as follows :

pslist

The command pslist will be useful for any forensic prelim inquiry to find out the processes being run on the pc at the likely time of incident.The pslist command is used to list the processes of a system and it does not detect hidden or unlinked processes."pslist" module utilizes the same algorithm as the tasklist command that would be executed on the live computer. And also, Windows Task Manager uses the same approach as well.The command "pslist" traverses the list of active process structures that the Windows kernel maintains.The screen shot below shows a task manager activity of a windows PC i am using for test.Subsequently I have taken a fresh dump at this time and then analysed this dump with volatility on UBUNTU to find the process details which actually come out as the same as seen in the screenshots below :

Windows TASK MANAGER as seen in Windows OS
(CLICK TO ENLARGE)

The command usage at terminal syntax goes like this :

vol.py --profile=Win7SP0x86 -f windows_memory.raw pslist

Click on image to ENLARGE

Click on image to ENLARGE

 [TRIM]

Click on image to ENLARGE

 [TRIM]

The columns display the offset, process name, process ID, the parent process ID, number of threads, number of handles, and date/time when the process started. The offset is a virtual address by default, but the physical offset can be obtained with the -P switch as seen in the command below with screenshot.

vol.py --profile=Win7SP0x86 -f windows_memory.raw pslist -P

(Output with -P Switch)
Click on image to ENLARGE

pstree

pstree command is used to view the process listing in tree form and enumerates processes using the same technique as pslist, so it will also not show hidden or unlinked processes. Child process are indicated using indention and periods.SCreen shot of output and syntax as below :

vol.py --profile=Win7SP0x86 -f windows_memory.raw pstree

Click on image to ENLARGE

 psscan

psscan is used to enumerate processes by pool tag scanning and can find processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit. Syntax and screenshot of output as follows:

vol.py --profile=Win7SP0x86 -f win7.dmp psscan

Click on image to ENLARGE

Volatility Command : Using kdbgscan/kprcscan to scan for potential KDBG/KPCR structures

This post will share an example to run the two volatility terminal commands including kdbgscan and kprcscan.

Before I proceed ahead,I would assume that you have installed volatility in your Linux system(in my case I am using UBUNTU) (Installation explained at my earlier post at http://anupriti.blogspot.in/2015/09/volatility-advanced-memory-forensics.html) and you have a RAM dump of the OS u desire to analyse.In my case here I have taken the RAM dump of a Windows 7 OS as explained here at http://anupriti.blogspot.in/2015/09/volatility-command-using-imageinfo-to.html

Basic intro about these two commands :

kdbgscan

This command is used to scan for potential KDBG structures and is meant to positively identify the correct profile of the system and the correct KDBG (kernel debugger block) address. It simply scans for KDBG header signatures linked to the profiles in Volatility.

Usage : 

python vol.py --profile=Win7SP0x86 -f filename.raw kdbgscan

Screen shot executing the above command shown below :

(CLICK TO ENLARGE)

kpcrscan

This command is used to scan for potential KPCR(Kernel Processor Control Region) structures. A KPCR is a data structure used by the kernel to store the processor-specific data. Kpcrscan searches for and dumps potential KPCR values. On a multi-core system, each processor has its own KPCR. Therefore, ideally  one should see at least as many KPCR addresses as there are processors on the machine from which the memory dump was acquired.Usage as follows :

python vol.py --profile=Win7SP0x86 -f win_image.raw kpcrscan

Screen shot with output as below :

(CLICK ON IMAGE TO ENLARGE)

Volatility-Advanced Memory Forensics Framework : Installation@Ubuntu

1.   The Volatility Framework is a completely open collection of tools, implemented in Python for the extraction of digital artifacts from volatile memory (RAM) samples. Volatility is a memory forensics framework, to analyse ram memory dumps for Windows, Linux, and Mac. In order to analyse a operating system’s RAM memory in Volatility, you need to build the corresponding operating system’s profile.The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.Vide this post, I am sharing how to install volatility in Ubuntu 12.04 in a step wise manner.The post includes screen-shots and ready to shoot terminal commands for installing other dependent libraries.

Firstly : Installing Dependencies

sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y

Secondly : Installing PyCrypto

First download PyCRypto from https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz

Go to ~/..../Downloads/

tar -zxvf pycrypto-2.6.1.tar.gz

cd pycrypto-2.6.1

python setup.py build

sudo python setup.py build install

Thirdly: Installing Distrom
Distrom ,a disassemble library for x86/AMD64 can be downloaded from https://github.com/gdabah/distorm

Goto downloads where the file is likely downloaded :

unzip distorm3.zip

cd distorm3/

python setup.py build

python setup.py build install

Fourthly: Installing Yara 

Volatility needs another important dependency known as Yara,that can be installed as follows:

wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz

tar -zxvf yara-1.4.tar.gz

cd yara-1.4/

sudo ./configure

sudo make

sudo make install

Fifthly : Installing Yara-Python





Download the tar.gz from https://yara-project.googlecode.com/files/yara-python-1.4a.tar.gz

tar -zxvf yara-python-1.4a.tar.gz

cd yara-python-1.4a/

python setup.py build

python setup.py build install

sudo echo “/usr/local/lib” >> /etc/ld.so.conf

sudo ldconfig

Now through with the installation of dependencies,we go ahead to install Volatility after we download the tar ball from https://code.google.com/p/volatility/downloads/detail?name=volatility-2.3.1.tar.gz&can=2&q=

~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build

~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build install

The installation is complete now and you should get a similar screen as seen below on running the command python vol.py -h

Kali Linux 2.0 : The new release has arrived

Kali Linux ,is a well known Penetration testing distro and also contains a plethora for digital forensics, is widely used by ethical hacker community across the globe and is maintained and developed by the organization known as “Offensive Security”. It comes with over 650 tools pre-installed that help  perform tasks like network analysis, ethical hacking, load & crash testing etc. It is powered by Linux kernel 4.0 and has enhanced support for different graphics cards and desktop environments.The most recent version of Kali has just been released few days back and here I bring you the installation step by step screen shot being installed in Virtual Box.

 Choose Install above

The desktop boots to the following screen...thats it... You are ready to go....