Tag Archives: infosec

KRACK WPA2 Wi-Fi Vulnerability

A serious security vulnerability in wireless (Wi-Fi) protocol has been identified: KRACK, short for Key Reinstallation Attack. Comprehensive details on the vulnerability and proof-of-concept exploitation video can be found on vulnerability’s official website:  https://www.krackattacks.com/

Great vulnerability summary and what to do:

Monitor & Remediate: 

Assigned CVEs:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the four-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the four-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: reinstallation of the group key (GTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.

List of Affected Vendors:

*Nix Distributions:

Additional References:

 

Advertisements
Tagged , ,

VMware and Digital Forensic Process

Recently, I have started performing digital forensics on virtual images and wanted to briefly share the process that I am following and the challenges that I am facing:

The Process:

  • Originally, the machines in the environment are virtualized via VMware ESX.
  • To take the forensic image at a given point, the virtual machine is suspended and copied to a forensic workstation.
  • Following the second step, retains the memory in the vmem file and allows for memory analysis.
  • The suspended machines is resumed on the forensic workstation via VMware Workstation.

The Challenge:

  • Usually, the machine coming from the ESX has large resource allocations that are not available on the forensic workstation. For example, the machine in ESX can be allocated 12GB of RAM and 4 processors – however, this cannot be met with what is available on the forensic workstation. This results in machine being non-responsive when resumed on the VMware Workstation.
  • When you are able to resume the machine in VMware Workstation you are not able to transfer any tools over without first installing the VMmware tools – sometimes this requires a restart.
  • If the machine was originally part of a domain and the machine was suspended without someone already logged-in; you do not have a way to get into the system other than resetting the password via some live disk. The other option is to retrieve password from the memory.
  • If the machine itself does not have enough disk space for you to save output from all your tools then you have to enable Folder Sharing feature on the VMworktation.

These are some of my immediate experience from performing forensic on virtual images. The reason for this post is to get feedback from the forensic community on how I can improve my process and make sure I minimize the changes made to the evidence.

Tagged , , ,