Road to OSCP Part 3: Using a LAN Turtle to conduct network forensics (white hat)


I think everyone knows what a LAN turtle is. It’s quite possibly the most dangerous damned USB-ethernet-dongle-looking device that can be conceived. It can…

  • 1. Operate as its own functional Linux box, much like a Raspberry Pi
  • 2. Deploy malware, run remote nmap scans
  • 3. Sniff, alter, redirect, and spoof traffic on the network
  • 4. Exfiltrate important data using techniques such as DNS tunneling, HTTP tunneling, SSH tunneling, and even tunneling through TOR

But a lesser-known ability of the LAN turtle, and its sister Hak5 product, the Packet Squirrel, is its usefulness to Computer Hacking Forensic Investigators and Incident Responders.

It allows you to…

  • 1. Remotely capture packets (frames actually) into a local file
  • 2. Sweep potentially compromised networks for intruders
  • 3. Remotely detect breach incidents such as arpspoofing (if arpalert is installed)

In this chapter, we will turn a common $50 penetration testing tool, commonly known as a “LAN Tap”, into a forensics tool for Incident Responders. Recently I received a $50/hr gig to perform an investigation on a possibly compromised Massage Parlor chain and badly needed a way to remotely administer and monitor networks for signs of intrusion, lateral movement, and unwarranted data exfiltration. Should I confirm the presence of malicious traffic, I would immediately ask my client to authorize me to create a forensic image of the compromised machine(s).

We are assuming that you have already followed the initial LAN Turtle startup guide, so your LAN turtle is ready for configuration.

We are also assuming that you have read my previous article on how to configure a remote VPS Jumpbox using Amazon AWS, DigitalOcean, Linode, Rackspace, or Vultr, and therefore you have a publicly reachable IP address in the cloud.

Now it’s time to convert a LAN turtle into a forensic packet sniffer that saves to a local disk from a remote location!

1. Properly configure your LAN turtle to connect to your remote VPS with a public IP via AutoSSH

The LAN Turtle exclusively uses public key authentication, and therefore you need to generate a key pair.

CTRL+Z out of the menu into the LAN turtle console.

Since the LAN turtle is effectively a pocket-held Linux distribution much like a Raspberry Pi, you can use standard Linux commands to connect to your remote, publicly reachable IPv4 JumpBox

First generate the keys


Then from the console of the LAN turtle, remotely install the keys to your jumpbox

ssh-copy-id root@<jumpboxIP>

Since it’s using a default SSH key, the KeyManager module in LAN turtle is not required to be enabled or activated.

Now type “fg” and enter to bring the menu back to the foreground and configure autoSSH

Submit, activate and enable this service and verify that autoSSH has opened a tunnel by logging into your jumpbox via SSH

At this point, you may log in to your LAN turtle remotely by typing the following from the jumpbox, which throws you back to the interactive menu.

ssh root@localhost -p 8443

In this state, the remainder of the guide can be administered REMOTELY.

2. Enable remote SSH file systems on the LAN turtle

On your jumpbox, make a directory to store the SSH Filesystem

mkdir /root/lanturtle

Back in the main menu on your LAN turtle, select the SSHFS configuration and point it at the jumpbox directory you just created.

Then select submit and enable and activate the service.

3. Test tcpdump

Ctrl+Z out of the menu again and run tcpdump

tcpdump -i any -U -w /sshfs/capture.pcap

On your jumpbox, check that the pcap file is properly being written to

4. Add a CRON daemon cronjob that automatically starts a tcpdump packet capture and forwards it to your remote SSH file system

The capture will start whenever the LAN turtle boots or reboots, that is, as soon as you plug it into a suspect workstation.

Type “fg” to go back to the menu, then select the crontab module (the EZ-Mode crontab creator).

Add the line to the bottom of the text. All hash-marked lines are ignored and only serve as examples

@reboot /bin/sh -c 'tcpdump -i any -U -w /sshfs/capture.pcap'

Now select OK and enable and activate it.

If at any time this module is failing, you can manually create the crontab by CTRL+Zing out of the menu and then manually edit crontabs with ‘crontab -e’

5. Forensic Analysis of Packet Captures

Now that we have managed to remotely capture packets through the LAN turtle, which in turn is writing the file to a VPS that we control, we can analyze the network traffic for any suspicious activity.

If you prefer using a console, you can use tshark

tshark -q -r capture.pcap -z expert

Otherwise, you may just download the capture file locally and then run wireshark on it.

Furthermore, common IDPS systems (Intrusion Detection/Prevention Systems) can read the pcap file and match their malware signatures against the capture. For suricata it is

suricata -r capture.pcap

Same for snort

snort -r capture.pcap

If you are using Kali Linux, you also have the option of using pcredz to extract credentials, or tcpxtract to extract downloaded files, key exchanges and downloaded pages.

pcredz -f capture.pcap


For tcpxtract it is

tcpxtract -f capture.pcap -o /dumpdirectory
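
An IP address that more than one MAC address answers for is the usual trace of the arpspoofing mentioned earlier, and it is worth checking for in the capture itself. The following is an added example, not part of the original post: a minimal Python check that reads the pcap directly and handles the Linux cooked (SLL) header that captures on the "any" pseudo-interface carry, as well as a final record that is still being written. The function names and the sample bytes are constructed for illustration.

```python
import struct
from collections import defaultdict

# link type -> (offset of the EtherType field, offset of the payload)
LAYOUT = {1: (12, 14),     # Ethernet
          113: (14, 16)}   # Linux cooked capture (SLL), used for "-i any"

def arp_claims(pcap):
    """Yield (sender_ip, sender_mac) for every ARP packet in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype not in LAYOUT:
        raise ValueError(f"unsupported link type {linktype}")
    proto_off, payload_off = LAYOUT[linktype]
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            break  # last record still being written by the live capture
        pos += 16 + incl_len
        arp = frame[payload_off:payload_off + 28]
        if frame[proto_off:proto_off + 2] == b"\x08\x06" and len(arp) == 28:
            yield ".".join(map(str, arp[14:18])), arp[8:14].hex(":")

def find_arp_conflicts(pcap):
    """Return {ip: [macs]} for each IP that more than one MAC claimed."""
    seen = defaultdict(set)
    for ip, mac in arp_claims(pcap):
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def _record(mac, ip):
    """Constructed sample record: an ARP reply behind an SLL header."""
    sll = struct.pack(">HHH8sH", 0, 1, 6, mac, 0x0806)
    arp = struct.pack(">HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, mac, ip, bytes(6), bytes(4))
    return struct.pack("<IIII", 0, 0, 44, 44) + sll + arp

# Constructed capture: 192.0.2.1 is claimed by two different MAC addresses.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
          + _record(bytes.fromhex("020000000001"), bytes([192, 0, 2, 1]))
          + _record(bytes.fromhex("020000000002"), bytes([192, 0, 2, 1]))
          + _record(bytes.fromhex("020000000003"), bytes([192, 0, 2, 7])))

if __name__ == "__main__":
    print(find_arp_conflicts(SAMPLE))
```

To run it against the real capture, pass the file contents, for example open("capture.pcap", "rb").read(), to find_arp_conflicts. A conflict can also come from a legitimate failover or a replaced network card, so treat a hit as a lead to investigate.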

Thank you, and know that a LAN Turtle or Packet Squirrel can be used as a forensics and incident response tool, and not just something for pentesters!
