Difference between pages "Tools:Network Forensics" and "JTAG LG P930 (Nitro HD)"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Network Forensics Packages and Appliances)
 
 
Line 1: Line 1:
=Network Forensics Packages and Appliances=
+
== JTAG LG P930 (Nitro HD) ==
; [[E-Detective]]
+
: http://www.edecision4u.com/
+
: http://www.digi-forensics.com/home.html
+
  
; [[Burst]]
+
The LG P930 (Nitro HD) is an Android based smartphone. At the time of this writing (2013FEB07), I am unaware of any method to bypass the PIN, password, or pattern locks on a LG P930 that is not rooted and does not have ADB enabled. JTAG to the rescue! Using JTAG, a copy of the NAND can be extracted, and the pin or pattern lock decoded from it.
: http://www.burstmedia.com/release/advertisers/geo_faq.htm
+
: Expensive [[IP geolocation]] service.
+
  
; [[chkrootkit]]
+
For the purpose of this document, a LG P930 with a gesture pattern lock was disassembled, read via JTAG, reassembled, and the pattern lock removed.
: http://www.chkrootkit.org
+
  
; [[cryptcat]]
+
=== Getting Started ===
: http://farm9.org/Cryptcat/
+
  
; [[Enterasys Dragon]]
+
What you need to extract the lock from the device:
: http://www.enterasys.com/products/advanced-security-apps/index.aspx
+
: Instrusion Detection System, includes session reconstruction.
+
  
 +
# A Octoplus JTAG Box with the latest Octoplus JTAG Manager software. The Octoplus JTAG Box used for this was purchased from GSM Server on eBay. Update: This device is now supported by the RIFF Box as well.
 +
# Soldering skills and ultra-fine tip soldering iron (a JTAG jig may be available).
 +
# A DC Power supply capable of supplying 3.8V/1.83A output. The power supply used for this was an Agilent U8002A DC Power Supply.
 +
# PatternLockScripts from CCL Forensics ('GenerateAndroidGestureRainbowTable.py' and 'Android_GestureFinder.py').
  
; [[ipfix]]/[[netflow v5/9]]
+
=== NAND Dump Procedure ===
: http://www.mantaro.com/products/MNIS/collector.htm
+
: MNIS Collector is an IPFIX collector which also supports legacy Netflow.  It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX.
+
  
 +
# Disassemble the phone down to the PCB.
 +
# Connect the Octoplus JTAG Box to the PC via USB.
 +
# Connect the Octoplus JTAG Box to the PCB via the JTAG pins.
 +
# Connect the PCB to the DC power supply.
 +
# Start the "Octoplus JTAG" software.
 +
# Power the PCB.
 +
# Dump the NAND.
  
; [[Mantaro Network Intelligence Solutions (MNIS)]]
+
Instructions for disassembly can be found on Internet but it can be summarised as follows:
: http://www.mantaro.com/products/MNIS/index.htm
+
: MNIS  is a comprehensive and scalable network intelligence platform for network forensics and various other applications.  It is built on high speed Deep Packet Inspection and metadata alerting.  It can be used to understand network events before and after an event. It scales from LAN environments to 20 Gbps service provider networks.
+
: http://www.mantaro.com/products/MNIS/network_intelligence_applications.htm#network_forensics
+
  
 +
# Remove the rear cover and battery.
 +
# Remove the 9 x Phillips screws.
 +
# Split the phone case using a case opening tool (guitar pick).
  
; [[MaxMind]]
+
{| border="1" cellpadding="2"
: http://www.maxmind.com
+
|-
: [[IP geolocation]] services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.
+
| [[ File:lg-p930-nitro-hd-front.png | 400px ]]
 +
| [[ File:lg-p930-nitro-hd-back.png | 400px ]]
 +
|-
 +
|}
  
; [[netcat]]
+
Once the phone has been disassembled, you can see the JTAG connection port near the microUSB header. The connector used on the PCB is a microminiature board-to-board Molex connectors. Molex sells the mating heading under the brand name "SlimStack" however sourcing these headers in small quantities can be difficult. In some cases, JTAG adapter jigs can be purchased from companies such as multi-com.pl however based on the cost and amount of time it takes to receive said items, it can be faster to solder lead wires off this header. Note: A decent microscope is mandatory for this step as soldering these connections without one is extremely difficult.
: http://netcat.sourceforge.net/
+
  
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:lg-p930-nitro-hd-disassembled-1.png | 350px ]]
 +
| [[ File:lg-p930-nitro-hd-disassembled-2.png | 350px ]]
 +
| [[ File:lg-p930-nitro-hd-disassembled-3.png | 350px ]]
 +
|-
 +
|}
  
; [[netflow]]/[[flowtools]]
+
With the phone now disassembled you can solder on your 0.040 gauge lead wires to the JTAG test points. Also, connect the PCB battery terminal connections to the DC power supply. The negative (-) connection is the innermost pin and the positive (+) pin is the outside pin. You can configure your power supply to match the battery specifications which in this case is 3.8V and 1.830A but do not apply power at this time.
: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
+
: http://www.splintered.net/sw/flow-tools/
+
: http://silktools.sourceforge.net/
+
: http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (VMWare)
+
  
; NetDetector
 
: http://www.niksun.com/product.php?id=4
 
: NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics and forensics. It complements existing network security tools, such as firewalls, intrusion detection/prevention systems and switches/routers, to help provide comprehensive defense of hosted intellectual property, mission-critical network services and infrastructure
 
  
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:lg-p930-nitro-hd-connected-via-jtag-1.png | 350px ]]
 +
| [[ File:lg-p930-nitro-hd-connected-via-jtag-2.png | 350px ]]
 +
| [[ File:lg-p930-nitro-hd-connected-via-jtag-3.png | 350px ]]
 +
|-
 +
|}
  
; NetIntercept
+
Now we can start the Octoplus JTAG software and configure it. See the picture for more detail.
: http://www.sandstorm.net/products/netintercept
+
: NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
+
  
; NetVCR
 
: http://www.niksun.com/product.php?id=3
 
: NetVCR delivers comprehensive real-time network, service and application performance management. It is an integrated, single-point solution that decisively replaces multiple network performance monitoring and troubleshooting systems. NetVCR’s scalable architecture easily adapts to data centers, core networks, remote branches or central offices for LAN and WAN requirements
 
  
;NIKSUN Full Function Appliance
+
{| border="1" cellpadding="2"
: http://www.niksun.com/product.php?id=11
+
|-
: NIKSUN’s Full-Function Appliance combines the value of both NetDetector and NetVCR for complete network performance and security surveillance. This plug-and-play appliance offers customers a complete range of network security and performance monitoring solutions that identify, capture and analyze the root-cause of any security or network incident the first time! The unique enterprise-wide network visibility provided by this product is extremely attractive to large enterprises requiring an integrated and proactive solution to combat the constant barrage of security and network incidents such as worms, viruses, Trojan-horse attacks, Denial of Service (DoS) attacks, outages, overload and service slowdown, etc.
+
| [[ File:octoplus-settings.png | 600px ]]
 +
|-
 +
|}
  
; NetOmni
+
Apply power to the DC power supply and turn the phone on using the button on the side of the PCB (you will feel the phone vibrate after 3-5 seconds of holding the button). After powering the phone on, connect via JTAG to the phone by hitting the "Connect" button in the Octoplus JTAG software, you should receive a "Connect Successful" message in the bottom pane. Now click on the "Read" button to start the read and name the output file accordingly. In this case I named the file "lg-p930-jtag-x0000000_x06BC000.bin" to reflect the memory range I am extracting.
: http://www.niksun.com/product.php?id=1
+
: NetOmni provides global visibility across the network so IT professionals can manage multiple products and vendors from one central location. NetOmni streamlines the network management process in a manner conducive to a “best-practices” model that ensures Service Level Agreements (SLA), Quality of Services (QoS) and maximum revenue opportunities.
+
  
; NISUN Puma Portable
+
If you receive errors that the PCB could not be connected to, try the following:
: http://www.niksun.com/product.php?id=15
+
: NIKSUN's Puma, a portable network monitoring appliance, allows customers to leverage the state-of-the-art network performance, security and compliance monitoring technology as a robust luggable appliance that can be conveniently used in the field. Deployed in a few short steps, Puma offers with exceptional functionality of NIKSUN's renowned performance and security monitoring technology within minutes to field personnel. Puma, is now capable of monitoring networks at 10G speeds. The incorporation of real-time 10G monitoring to the Puma feature-set enhances the already excellent value that Puma provides to customers, making it the go-to portable monitoring and forensics tool for network professionals
+
  
 +
* Confirm that the PCB is receiving power from the DC power supply.  If you can measure current draw of the PCB, you should see that the PCB is pulling about 0.04A.  If the PCB is pulling more current, it is likely already booted and the read may fail.
 +
* Power off the PCB, power it back on, and immediately connect then start the JTAG read.
 +
* Check all of your PCB to JTAG connections under a microscope.  Inspect for shorts or incorrect connections.
 +
* Upon receiving a successful JTAG dump you can process the file with the CCL Forensics Android scripts to extract the gesture or pin lock.
  
; [[ipfix]]/[[netflow v5/9]]
+
==== Notes ====
: http://www.mantaro.com/products/MNIS/collector.htm
+
: MNIS Collector is an IPFIX collector which also supports legacy Netflow.  It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX.
+
  
 +
This exhibit gave us some issue when reading ~100MB mark and the read kept disconnecting around that memory range.  We opted to read the device with multiple reads by reading from 0MB-96MB, skipping over data, then reading from 192MB-EOF.  This captured enough data to acquire the password hash which was located around the 1.3GB range on this particular phone.
  
 +
== References ==
  
; [[NetworkMiner]]
+
* http://android-forensics.com/android-forensics-study-of-password-and-pattern-lock-protection/143
: http://sourceforge.net/projects/networkminer/
+
* http://forensics.spreitzenbarth.de/2012/02/
: http://www.netresec.com/?page=NetworkMiner
+
* http://www.ccl-forensics.com/Software/other-software-a-scripts.html
: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames). NetworkMiner has, since the first release in 2007, become popular tool among incident responce teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.
+
: NetworkMiner is available both as a [http://sourceforge.net/projects/networkminer/ free open source tool] and as a [http://www.netresec.com/?page=NetworkMiner commercial network forensics tool].
+
 
+
; [[rkhunter]]
+
: http://rkhunter.sourceforge.net/
+
 
+
; [[ngrep]]
+
: http://ngrep.sourceforge.net/
+
 
+
; [[nslookup]]
+
: http://en.wikipedia.org/wiki/Nslookup
+
: Name Server Lookup command line tool used to find IP address from domain name.
+
 
+
; [[Sguil]]
+
: http://sguil.sourceforge.net/
+
 
+
; [[Snort]]
+
: http://www.snort.org/
+
 
+
; [[ssldump]]
+
: http://ssldump.sourceforge.net/
+
 
+
; [[tcpdump]]
+
: http://www.tcpdump.org
+
 
+
; [[tcpxtract]]
+
: http://tcpxtract.sourceforge.net/
+
 
+
; [[tcpflow]]
+
: http://www.circlemud.org/~jelson/software/tcpflow/
+
 
+
; [[truewitness]]
+
: http://www.nature-soft.com/forensic.html
+
: Linux/open-source. Based in India.
+
 
+
; [[OmniPeek]] by [[WildPackets]]
+
: http://www.wildpackets.com/solutions/network_forensics
+
: http://www.wildpackets.com/products/network_analysis/omnipeek_network_analyzer/forensics_search
+
: OmniPeek is a network forensics tool used to capture, store, and analyze historical network traffic.
+
 
+
; [[Whois]]
+
: http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.
+
: http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
+
 
+
; [[IP Regional Registries]]
+
: http://www.arin.net/community/rirs.html
+
: http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
+
: http://www.afrinic.net/ African Network Information Center (AfriNIC)
+
: http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
+
: http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
+
: http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
+
 
+
; [[Wireshark]] / Ethereal
+
: http://www.wireshark.org/
+
: Open Source protocol analyzer previously known as ethereal.
+
 
+
; [[Kismet]]
+
: http://www.kismetwireless.net/
+
: Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
+
 
+
; [[Xplico]]
+
: http://www.xplico.org/
+
: Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: [http://www.xplico.org/status HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]
+
 
+
=Command-line tools=
+
 
+
[[arp]] - view the contents of your ARP cache
+
 
+
[[ifconfig]] - view your mac and IP address
+
 
+
[[ping]] - send packets to probe remote machines
+
 
+
[[SplitCap]] http://splitcap.sourceforge.net/ - SplitCap is a free open source pcap file splitter.
+
 
+
[[tcpdump]] - capture packets
+
 
+
[[snoop]] - captures packets from the network and displays their contents ([[Solaris]])
+
 
+
[[nemesis]] - create arbitrary packets
+
 
+
[[tcpreplay]] - replay captured packets
+
 
+
[[traceroute]] - view a network path
+
 
+
[[gnetcast]] - GNU rewrite of netcat
+
 
+
[[packit]] - packet generator
+
 
+
[[nmap]] - utility for network exploration and security auditing
+
 
+
[[Xplico]] Open Source Network Forensic Analysis Tool (NFAT)
+
 
+
==ARP and Ethernet MAC Tools==
+
 
+
[[arping]] - transmit ARP traffic
+
 
+
[[arpdig]] - probe LAN for MAC addresses
+
 
+
[[arpwatch]] - watch ARP changes
+
 
+
[[arp-sk]] - perform denial of service attacks
+
 
+
[[macof]] - CAM table attacks
+
 
+
[[ettercap]] - performs various low-level Ethernet network attacks
+
 
+
==CISCO Discovery Protocol Tools==
+
[[cdpd]] - transmit and receive CDP announcements; provides forgery capabilities
+
 
+
==ICMP Layer Tests and Attacks==
+
[[icmp-reset]]
+
 
+
[[icmp-quench]]
+
 
+
[[icmp-mtu]]
+
 
+
[[ish]] - ICMP shell (like SSH, but uses ICMP)
+
 
+
[[isnprober]]
+
 
+
==IP Layer Tests==
+
[[iperf]] - IP multicast test
+
 
+
[[fragtest]] - IP fragment reassembly test
+
 
+
==UDP Layer Tests==
+
 
+
[[udpcast]] - includes UDP-receiver and UDP-sender
+
 
+
==TCP Layer==
+
 
+
[[lft]] http://pwhois.org/lft - TCP tracing
+
 
+
[[etrace]] http://www.bindshell.net/tools/etrace
+
 
+
[[firewalk]] http://www.packetfactory.net
+

Latest revision as of 09:32, 18 August 2013

JTAG LG P930 (Nitro HD)

The LG P930 (Nitro HD) is an Android based smartphone. At the time of this writing (2013FEB07), I am unaware of any method to bypass the PIN, password, or pattern locks on a LG P930 that is not rooted and does not have ADB enabled. JTAG to the rescue! Using JTAG, a copy of the NAND can be extracted, and the pin or pattern lock decoded from it.

For the purpose of this document, a LG P930 with a gesture pattern lock was disassembled, read via JTAG, reassembled, and the pattern lock removed.

Getting Started

What you need to extract the lock from the device:

  1. A Octoplus JTAG Box with the latest Octoplus JTAG Manager software. The Octoplus JTAG Box used for this was purchased from GSM Server on eBay. Update: This device is now supported by the RIFF Box as well.
  2. Soldering skills and ultra-fine tip soldering iron (a JTAG jig may be available).
  3. A DC Power supply capable of supplying 3.8V/1.83A output. The power supply used for this was an Agilent U8002A DC Power Supply.
  4. PatternLockScripts from CCL Forensics ('GenerateAndroidGestureRainbowTable.py' and 'Android_GestureFinder.py').

NAND Dump Procedure

  1. Disassemble the phone down to the PCB.
  2. Connect the Octoplus JTAG Box to the PC via USB.
  3. Connect the Octoplus JTAG Box to the PCB via the JTAG pins.
  4. Connect the PCB to the DC power supply.
  5. Start the "Octoplus JTAG" software.
  6. Power the PCB.
  7. Dump the NAND.

Instructions for disassembly can be found on Internet but it can be summarised as follows:

  1. Remove the rear cover and battery.
  2. Remove the 9 x Phillips screws.
  3. Split the phone case using a case opening tool (guitar pick).
Lg-p930-nitro-hd-front.png Lg-p930-nitro-hd-back.png

Once the phone has been disassembled, you can see the JTAG connection port near the microUSB header. The connector used on the PCB is a microminiature board-to-board Molex connectors. Molex sells the mating heading under the brand name "SlimStack" however sourcing these headers in small quantities can be difficult. In some cases, JTAG adapter jigs can be purchased from companies such as multi-com.pl however based on the cost and amount of time it takes to receive said items, it can be faster to solder lead wires off this header. Note: A decent microscope is mandatory for this step as soldering these connections without one is extremely difficult.

Lg-p930-nitro-hd-disassembled-1.png Lg-p930-nitro-hd-disassembled-2.png Lg-p930-nitro-hd-disassembled-3.png

With the phone now disassembled you can solder on your 0.040 gauge lead wires to the JTAG test points. Also, connect the PCB battery terminal connections to the DC power supply. The negative (-) connection is the innermost pin and the positive (+) pin is the outside pin. You can configure your power supply to match the battery specifications which in this case is 3.8V and 1.830A but do not apply power at this time.


Lg-p930-nitro-hd-connected-via-jtag-1.png Lg-p930-nitro-hd-connected-via-jtag-2.png Lg-p930-nitro-hd-connected-via-jtag-3.png

Now we can start the Octoplus JTAG software and configure it. See the picture for more detail.


Octoplus-settings.png

Apply power to the DC power supply and turn the phone on using the button on the side of the PCB (you will feel the phone vibrate after 3-5 seconds of holding the button). After powering the phone on, connect via JTAG to the phone by hitting the "Connect" button in the Octoplus JTAG software, you should receive a "Connect Successful" message in the bottom pane. Now click on the "Read" button to start the read and name the output file accordingly. In this case I named the file "lg-p930-jtag-x0000000_x06BC000.bin" to reflect the memory range I am extracting.

If you receive errors that the PCB could not be connected to, try the following:

  • Confirm that the PCB is receiving power from the DC power supply. If you can measure current draw of the PCB, you should see that the PCB is pulling about 0.04A. If the PCB is pulling more current, it is likely already booted and the read may fail.
  • Power off the PCB, power it back on, and immediately connect then start the JTAG read.
  • Check all of your PCB to JTAG connections under a microscope. Inspect for shorts or incorrect connections.
  • Upon receiving a successful JTAG dump you can process the file with the CCL Forensics Android scripts to extract the gesture or pin lock.

Notes

This exhibit gave us some issue when reading ~100MB mark and the read kept disconnecting around that memory range. We opted to read the device with multiple reads by reading from 0MB-96MB, skipping over data, then reading from 192MB-EOF. This captured enough data to acquire the password hash which was located around the 1.3GB range on this particular phone.

References