Anticuckoo – A tool to detect and crash Cuckoo Sandbox.

Tested with the official Cuckoo Sandbox and Accuvant’s Cuckoo version.

Reddit / netsec discussion about anticuckoo.

Features

  • Detection:
    • Cuckoo hook detection (all kinds of Cuckoo hooks).
    • Suspicious data in its own memory (without APIs, page-by-page scanning).
  • Crash (execute with arguments; outside a sandbox these arguments do not crash the program):
    • -c1: Modify the RET N instruction of a hooked API to a higher value, so that the next call to the API removes more arguments from the stack when it returns. If the hooked API is called from Cuckoo’s HookHandler, the program crashes because the handler only pushes the real API arguments, so the modified RET N instruction corrupts the HookHandler’s stack.

The overkill methods can be useful. For example, with the overkill methods you get two features in one: detection/crash and “a kind of Sleep” (Cuckoomon bypasses long Sleep calls).

Cuckoo Detection

Submit Release/anticuckoo.exe for analysis in Cuckoo Sandbox. Check the screenshots (console output). You can also check Accessed Files in the Summary:

[Screenshot: console output]

[Screenshot: Accessed Files in Summary (Django web)]

Cuckoo Crash

Specify the crash argument in the submit options, e.g. -c1 (via the Django web interface):

[Screenshot: crash argument in the submit options]

Then check the screenshots, or connect via RDP/whatson connection, to verify the crash. Example: -c1 via RDP:

[Screenshot: -c1 crash seen via RDP]

TODO

  • Python process & agent.py detection – 70% DONE
  • Improve hook detection by checking for the correct bytes in well-known places (e.g. native APIs always have the same signatures).
  • Cuckoo’s TLS entry detection.

New ideas & PRs are welcome.

Hijacking SSH to Inject Port Forwards

During red team post exploitation I sometimes run into jump boxes leading to test environments, production servers, DMZs, or other organizational branches. As these systems are designed to act as couriers of outbound traffic, hijacking SSH sessions belonging to other users can be useful. So what do you do when you have full control over a jump box and want to leverage another user’s outbound SSH access to tunnel into another segment? What if you don’t have passwords or keys, shouldn’t drop binaries, and SSH is protected by two-factor authentication? Roll up your sleeves and trust your command line Kung Fu!

This post will cover two approaches to hijacking SSH sessions, without credentials, with the goal of inserting dynamic port forwards on the fly. The two stages at which I’ll approach hijacking sessions are: (1) upon session creation, and (2) when a live SSH session exists inside of screen (more common than you’d think). In each case our final goal is to create a tunnel inside another user’s active session in order to gain access to outbound routes on the terminating SSHD host.

Hijacking SSH on Creation:

To hijack newly created SSH sessions we can leverage a feature known as SSH multiplexing. This feature allows for the creation of control sockets that enable an attacker to create their own sessions inside the original user’s socket, without re-authentication. The ControlMaster feature was introduced in OpenSSH 4, and was previously referenced in H D Moore and Val Smith’s Tactical Exploitation presentation. I also demonstrated the attack in a talk/class of mine entitled The Poor Man’s Rootkit. In this post I will show two means to force the creation of master sockets, and then how to inject port forwards into them.

ControlMaster via SSH Client Config:

The most common way to deploy ControlMaster sockets is by altering the system wide SSH client config.

[Screenshot: inserting ControlMaster options into ssh_config on hop_1]

These settings will cause all new SSH sessions to create a persistent brokering master socket. I’ve used %h in the control socket commands to represent the target host; %h can be any character(s).

[Screenshot: master socket created in ControlPath]

Connecting to the socket:

This socket can be used to create further sessions, without credentials, even after the original user exits their session.

[Screenshot: creating a session using a master socket]

Adding a dynamic tunnel:

Remember, our end goal is to pivot into other network segments. The following command will create a dynamic tunnel inside an existing master socket.

[Screenshot: dynamic port forward added to a live socket]

Removing the socket:

Simply exiting the multiplexed sessions will not close the master socket. To close the socket you must explicitly send an exit request.

[Screenshot: shutting down the master socket]

SSH ControlMaster via Shell Functions:

Another way to leverage this hijacking technique, which I haven’t seen shared before, is to abuse the fact that master sockets may be created through SSH client option flags. As such, we can use a shell function to intercept a user’s SSH client commands and inject our own ControlMaster arguments.

ssh ()
{
    # Wrapper that shadows /usr/bin/ssh and silently adds the ControlMaster options
    /usr/bin/ssh -o "ControlMaster=auto" -o "ControlPath=/tmp/%r@%h:%p" -o "ControlPersist=yes" "$@";
}

A simple ControlMaster-injecting wrapper function.

This intercepting wrapper function will create sockets identical to those we created using ssh_config.
[Screenshot: successfully injecting ControlMaster options into an SSH client command]

[Diagram: flow of traffic in this attack]

Using SSH ControlMaster sockets and socket options we can now hijack SSH sessions and inject port forwards, all without authentication.
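The two injection points just described, a ControlMaster block in the system-wide ssh_config and a shell function shadowing ssh, are also exactly what a defender should audit for on a jump box. The Python below is an added example, not code from the original post: it parses ssh_config text for Control* directives, flags an ssh function or alias in a shell rc file, and lists UNIX sockets under a ControlPath directory; the sample config and rc contents are constructed.

```python
"""Audit helpers for the two ControlMaster injection paths described above.

Added defensive example, not from the original post: it checks ssh_config text
for Control* directives, shell rc text for a function or alias that shadows the
ssh command, and a directory for UNIX sockets created by a ControlPath setting.
The sample config and rc contents are constructed.
"""
from __future__ import annotations

import os
import re
import stat

# Directives that make an OpenSSH client create or keep a multiplexing master socket.
CONTROL_KEYS = {"controlmaster", "controlpath", "controlpersist"}

# Ways a shell rc file can redefine `ssh` so that every call goes through a wrapper.
WRAPPER_PATTERNS = (
    re.compile(r"^\s*(function\s+)?ssh\s*\(\s*\)"),  # ssh () { ... }
    re.compile(r"^\s*function\s+ssh\b"),              # function ssh { ... }
    re.compile(r"^\s*alias\s+ssh="),                  # alias ssh='... -o ControlMaster=...'
)


def audit_ssh_config(text: str) -> list[dict]:
    """Return every Control* directive in ssh_config-style text with the Host block it applies to."""
    findings = []
    host = "*"  # directives before the first Host/Match line apply to all hosts
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # ssh_config accepts both "Key value" and "Key=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            host = value
        elif key in CONTROL_KEYS:
            findings.append({"line": lineno, "host": host, "key": key, "value": value})
    return findings


def audit_shell_rc(text: str) -> list[dict]:
    """Flag lines that redefine ssh and note whether the nearby body passes Control* options."""
    findings = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if any(p.search(line) for p in WRAPPER_PATTERNS):
            body = "\n".join(lines[idx:idx + 6]).lower()  # wrapper bodies are short
            findings.append({
                "line": idx + 1,
                "definition": line.strip(),
                "injects_controlmaster": any(k in body for k in CONTROL_KEYS),
            })
    return findings


def find_unix_sockets(directory: str) -> list[str]:
    """List UNIX sockets directly under directory; ControlPath /tmp/%r@%h:%p leaves one per session."""
    found = []
    try:
        with os.scandir(directory) as entries:
            for entry in entries:
                try:
                    if stat.S_ISSOCK(entry.stat(follow_symlinks=False).st_mode):
                        found.append(entry.path)
                except OSError:
                    continue
    except OSError:
        pass  # directory missing or unreadable: report nothing rather than fail
    return sorted(found)


# Constructed samples mirroring the two techniques in the post.
SAMPLE_SSH_CONFIG = """\
# constructed sample: a tampered /etc/ssh/ssh_config
Host *
    ForwardAgent no
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
    ControlPersist yes
"""

SAMPLE_BASHRC = """\
# constructed sample: a tampered ~/.bashrc
alias ll='ls -la'
ssh ()
{
    /usr/bin/ssh -o "ControlMaster=auto" -o "ControlPath=/tmp/%r@%h:%p" -o "ControlPersist=yes" "$@";
}
"""

if __name__ == "__main__":
    for f in audit_ssh_config(SAMPLE_SSH_CONFIG):
        print(f"ssh_config line {f['line']} (Host {f['host']}): {f['key']} {f['value']}")
    for f in audit_shell_rc(SAMPLE_BASHRC):
        print(f"rc line {f['line']}: {f['definition']!r} injects ControlMaster: {f['injects_controlmaster']}")
    print("control sockets in /tmp:", find_unix_sockets("/tmp"))
```

On a live host, `type -a ssh` also reveals a function or alias shadowing /usr/bin/ssh, and a stray master socket can be shut down with `ssh -S <socket> -O exit <host>`.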
Now to tackle sessions in progress…

Hijacking Active SSH Sessions:

It is not uncommon for users to create screen sessions to house SSH connections to other boxes they are working on. What most users do not realize is that these sessions can be hijacked and have port forwards injected into them on the fly.

Hunting for screen sessions:

One way to find screen sessions is to look under /var/run/screen. Or you can enumerate a single user by issuing an incomplete screen -r command.

[Screenshot: hunting for screen sessions]

Bypassing screen pts/tty restrictions:

Accessing the screen sessions of another user is not as straightforward as su’ing and viewing; this is where many attackers give up. su to a user to interact with their screen session and you will find yourself staring at one of the following errors: “Cannot open your terminal ‘/dev/pts/#’ – please check.” or “Must be connected to a terminal.”

[Screenshot: error when trying to access another user’s screen session]

One way to bypass this restriction is to use the script binary to wrap the su’d user session.

[Screenshot: using script to bypass screen pts/tty restrictions]

Adding a tunnel on the fly:

A rarely used feature of SSH is the escape sub-shell. If you are using a means other than SSH to control your access to the jump box, you can leverage escape sequences to add port forwards into another user’s established session. Use ~C to drop into the SSH sub-shell, then -D:<port> to add a dynamic forward on the fly. To remove the forward, use ~C followed by -KD:<port>.

[Screenshot: adding port forwards with SSH escape commands]

If you are using SSH for your primary shell, the above example will not work from inside screen. This is because your own outermost SSH client will catch the escape characters. Not to worry, I’ll show you a way around that!

Creating tunnels with screen stuffing:

Screen has a feature that allows you to “stuff” the contents of a buffer into its input queue. The stuffed text is parsed as if it had been typed from inside screen, allowing us to bypass escape characters being caught by outer SSH sessions.

[Screenshot: stuffing screen to create a port forward]

[Screenshot: stuffing screen to shut down a port forward]

A note on stealthy stuffing: stuffed text is visible inside a screen session’s scrollback. You can prevent this by altering the scrollback length on the fly: set the scrollback to 0 lines before your command, clear the screen, then set it back.

screen -S my_ssh_session -X scrollback 0                   # disable scrollback so the stuffed text is not kept
screen -S my_ssh_session -p 0 -X stuff $'~C'               # open the SSH escape command line in window 0
screen -S my_ssh_session -p 0 -X stuff $'-D:9090\nclear\n' # add the dynamic forward, then clear the screen
screen -S my_ssh_session -X scrollback 15000               # restore the scrollback length

[Diagram: flow of traffic in the screen hijack attack]

Thanks to SSH escapes and screen stuffing we now have a means to hijack established sessions and inject tunnels on the fly!

Tunneling into Remote Segments:

The final step is to bind a local port on our machine that connects us to the tunnel we injected on hop_1. We now have a full dynamic tunnel into the remote segment, without authentication.

[Screenshot: local port forward on the attacker machine via SSH escapes]

Credit: 0xthem

MongoDB phpMoAdmin GUI Tool Zero-day Vulnerability Puts Websites at Risk

About two weeks back, over 40,000 organizations running MongoDB were found unprotected and vulnerable to hackers. Now, once again, users of the MongoDB database are at risk because of a critical zero-day vulnerability making the rounds on the underground market.

MongoDB, one of the leading NoSQL databases, is an open-source database used by companies of all sizes, across all industries for a wide variety of applications. By leveraging in-memory computing, MongoDB provides high performance for both reads and writes.

‘phpMoAdmin’ ZERO-DAY VULNERABILITY

A hacker known by the online moniker “sp1nlock” has found a zero-day vulnerability in phpMoAdmin, a free, open-source, AJAX-based MongoDB GUI (graphical user interface) administration tool written in PHP that lets you easily manage the NoSQL database MongoDB.

According to multiple posts on the exploit-selling underground forums, phpMoAdmin is vulnerable to a zero-day remote code execution flaw that allows an unauthorized remote user to hijack websites running the phpMoAdmin tool.

0-DAY EXPLOIT AVAILABLE AND IT WORKS

At the time of writing, we do not know whether the phpMoAdmin developers are aware of this zero-day vulnerability, but the exploit is already for sale on underground exploit forums and has already been verified by the market administrators as working.

It is possible that a number of buyers and hackers already have access to the phpMoAdmin zero-day exploit and, unfortunately, there is no patch yet available for the thousands of vulnerable websites.

HOW TO PROTECT A MONGO DATABASE?

To protect yourself, users of the MongoDB database are advised to avoid using phpMoAdmin until the developer team releases a patch for the zero-day remote code execution vulnerability.

As an alternative to phpMoAdmin, you can make use of other free MongoDB GUI tools, such as:
  • RockMongo – A powerful MongoDB GUI tool
  • MongoVUE – A desktop-based MongoDB GUI tool
  • Mongo-Express – A well-featured MongoDB GUI tool
  • UMongo – A decent MongoDB GUI tool
  • Genghis – A lightweight MongoDB GUI tool

However, if you don’t want to replace your phpMoAdmin file, the simplest approach is to restrict unauthorized access with an .htaccess password, i.e. create .htpasswd authentication for the folder containing the moadmin.php file.

Credit: thn

AppUse – Android Pentest Platform Unified Standalone Environment

The AppUse Virtual Machine, developed by AppSec Labs, is a unique (and free) system: a platform for mobile application security testing in the Android environment, and it includes unique custom-made tools.

Faster & More Powerful

The system is a blessing for security teams, who can now easily perform security tests on Android applications. It was created as a virtual machine targeted at penetration testing teams who want a convenient, personalized platform for Android application security testing, for catching security problems and analyzing the application’s traffic.

Now, to test Android applications, all you need is to download the AppUse Virtual Machine, activate it, load your application and test it.

Easy to Use

There is no need to install simulators and testing tools, and no need for SSL certificates for the proxy software; everything comes straight out of the box, pre-installed and configured for an ideal user experience.

Security experts who have seen the machine were very excited, calling it the next ‘BackTrack’ (a famous system for testing security problems), specifically adjusted for Android application security testing.

AppUse VM closes gaps in the world of security: there is now a special and customized testing environment for Android applications. An environment like this has not been available until today, certainly not in the rich form offered by AppUse VM.

This machine is intended for the daily use of security testers of Android applications everywhere, and is a must-have tool for any security person.

We at AppSec Labs do not stand still; especially at a time in which so many cyber attacks take place, we consider it our duty to assist the public and enable quick and effective security testing.

As a part of AppSec Labs’ policy to promote application security in general, and specifically mobile application security, AppUse is offered as a free download on our website, in order to share the knowledge, experience and investment with the data security community.

Features

  • New Application Data section:
    • Tree-view of the application’s folder/file structure
    • Ability to pull files
    • Ability to view files
    • Ability to edit files
    • Ability to extract databases
  • Dynamic proxy managed via the Dashboard
  • New application-reversing features
  • Updated ReFrameworker tool
  • Dynamic indicator for Android device status
  • Bug and functionality fixes

Credit:  kitploit

DroidStealth | Android Encryption Tool with Stealth Capabilities

We all have Internet-connected smartphones in our pockets, but it’s very hard to find a place on the Internet where we can feel secure and private. No doubt there is data encryption on cell phones, but what use is it if it is cracked by hackers or law enforcement?

What if the encrypted files don’t exist in the first place for law enforcement to decrypt? That’s the motive behind DroidStealth, a new Android encryption tool that not only protects sensitive data with obfuscation, but also hides its existence on your phone as if it has nothing to hide.

DroidStealth Android app has been developed by security researchers from Delft University of Technology in the Netherlands and would come as a windfall to both the privacy lovers and the cyber criminals.

STEALTH LOGIN MECHANISM

The DroidStealth Android encryption tool creates a hidden folder on your phone in which it stores all your encrypted files. The app itself can be opened simply by dialing a phone number of any length, which is actually a PIN, or by tapping an invisible widget on your phone’s home screen five times.

The application is designed to hide the existence of any protection mechanism, which usually hints to casual inspectors that they need to do some tampering to gain access to the user’s encrypted data.

According to developer quartet Olivier Hokke, Alex Kolpa, Joris van den Oever and Alex Walterbos of Delft University of Technology, several other disguise techniques, such as hiding the app within a flashlight program, are used to hide your private data.

“Since simply encrypting the data is not enough, our approach provides an added step of obfuscation that increases security of the data: DroidStealth hides itself,” the group wrote in the paper titled ‘A Self-Compiling Android Data Obfuscation Tool’, co-authored with supervisor Johan Pouwelse.

Instead of actually calling the number, the application launches, requesting the pin code. Furthermore, DroidStealth fully intercepts the call, making sure the number never gets added to the call log.

FEATURES OF DROIDSTEALTH

Some DroidStealth Android encryption tool features are listed below:

  • The app is stored in a secretive mode, and can be renamed to appear as a benign app to “hide in plain sight”.
  • The app doesn’t appear under the normal downloaded app list.
  • The app notifies the user if any of the secret files are left unlocked.
  • The app can be kept out of the running process list when not in use.
  • The app does not pop up in the recently visited list.

LIMITATIONS OF DROIDSTEALTH

In a centralized store the DroidStealth Android encryption tool would pose a possible exposure threat, so it was distributed “nomadically” as an untrusted Android application rather than from the Google Play Store, which would show it in a user’s list of installed apps.

Secret data files would be encrypted using Facebook’s Conceal API and could not be accessed from other apps or from their original location.

DRAWBACKS OF DROIDSTEALTH

This may be one of the major drawbacks of the DroidStealth app; others are listed below:
  • The data is encrypted and decrypted within the app.
  • Uninstalling the app may lead to deletion of all the data.
  • Low phone memory might cause the application to be force-quit, which might lead to loss of the data.
  • If a user’s phone falls into the hands of investigators while the app is in decode mode, it would be difficult to keep the data from officials.

GET DROIDSTEALTH NOW

The developers said that the DroidStealth Android encryption tool’s user interface (UI) was made black “in order to give users the feeling that they are indeed working in secret”.

The DroidStealth app is not released on Google Play, but users can get it as an untrusted APK version of the app. The APK is available as an unaligned version, while the nomadic versions of the app are available throughout the Internet.
Credit: 

Exploit Pack – Open Source Security Project for Penetration Testing and Exploit Development

Exploit Pack is an open-source GPLv3 security tool, which means it is fully free and you can use it without any kind of restriction. Other security tools like Metasploit, Immunity Canvas, or Core Impact are ready to use as well, but you will need an expensive license to get access to all the features, for example automatic exploit launching, full reporting capabilities, reverse shell agent customization, etc.

Exploit Pack is fully free, open source and GPLv3. Because this is an open-source project you can always modify it, add or replace features and get involved in the next project decisions; everyone is more than welcome to participate. We developed this tool as pentesters, for pentesters. As security professionals we use Exploit Pack on a daily basis to run real-environment attacks against real corporate clients.

Video demonstration of the latest Exploit Pack release:

More than 300 exploits

Military-grade professional security tool

Exploit Pack comes into the scene when you need to execute a pentest in a real environment; it will provide you with all the tools needed to gain access and persist through the use of remote reverse agents.

Remote Persistent Agents
Reverse a shell and escalate privileges
Exploit Pack will provide you with a complete set of features to create your own custom agents, you can include exploits or deploy your own personalized shell-codes directly into the agent.

Write your own Exploits

Use Exploit Pack as a learning platform

Quick exploit development: extend your capabilities and code your own custom exploits using the Exploit Wizard and the built-in Python editor, modified to fulfil the needs of an exploit writer.

Appie – Android Pen-testing Portable Integrated Environment

Appie is a software package that has been pre-configured to function as an Android pentesting environment. It is completely portable and can be carried on a USB stick. This is a one-stop answer for all the tools needed in an Android application security assessment.

Difference between Appie and existing environments?
  • Tools contained in Appie run on the host machine instead of in a virtual machine.
  • Less space needed (only 600MB compared to at least 8GB for a virtual machine).
  • As the name suggests it is completely portable, i.e. it can be carried on a USB stick or on your own smartphone, and your pentesting environment will go wherever you go without any differences.
  • Awesome interface

Which tools are included in Appie?

Download Appie

Credit: blackploit

BlueMaho Project – Bluetooth Security Testing Suite

BlueMaho is a GUI shell (interface) for a suite of tools best used for Bluetooth security testing. It is freeware, open source, written in Python, and uses wxPython. It can be used to test BT devices for known vulnerabilities and, the main thing, to find unknown vulns. It can also produce nice statistics.

I did get interested in Bluetooth for a while, and in the security implications of a personal area network protocol that includes discovery/broadcast etc. I ended up only posting one article at the time, though, which was about Haraldscan – BlueTooth Discovery Scanner.

I have a bunch more Bluetooth related resources to share though, so I’ll be putting them out from time to time. Some (like this) aren’t particularly up to date, but give you a great base to start with and play around.

Features

  • Scan for devices, show advanced info, SDP records, vendor etc.
  • Track devices – show where and how many times a device was seen, and its name changes
  • Loop scan – it can scan all the time, showing you online devices
  • Alerts with sound if a new device is found
  • on_new_device – you can specify what command it should run when it finds a new device
  • It can use separate dongles – one for scanning (loop scan) and one for running tools or exploits
  • Send files
  • Change name, class, mode, BD_ADDR of local HCI devices
  • Save results in a database
  • Form nice statistics (unique devices by day/hour, vendors, services etc.)
  • Test a remote device for known vulnerabilities (see exploits for more details)
  • Test a remote device for unknown vulnerabilities (see tools for more details)
  • Themes! You can customize it

Requirements

The main requirements are:

  • OS (tested with Debian 4.0 Etch / 2.6.18)
  • Python 2.4
  • wxPython
  • BlueZ

You can download BlueMaho here:

bluemaho_v090417.tgz

Or read more here.

Credit: darknet

SIM Card Forensics

The SIM (subscriber identity module) is a fundamental component of cellular phones. It is also known as an integrated circuit card (ICC), a microcontroller-based access module. It is a physical entity and can be either a subscriber identity module (SIM) or a universal integrated circuit card (UICC). A SIM can be removed from a cellular handset and inserted into another; it allows users to port identity, personal information, and service between devices. All cell phones are expected to incorporate some type of identity module eventually, in part because of this useful property. Basically, the ICC deployed for 2G networks was called a SIM, while the UICC is the smart card running the universal subscriber identity module (USIM) application. The UICC card accepts only 3G universal mobile telecommunications service (UMTS) commands. USIMs are enhanced versions of present-day SIMs, containing backward-compatible information. A USIM has the unique feature of allowing one phone to have multiple numbers. If the SIM and USIM applications are running on the same UICC, they cannot work simultaneously.

The first SIM card was about the size of a credit card. As technology developed, the cell phone began to shrink in size and so did the SIM card. The mini-SIM card is about one-third the size of a credit card, but today we are using smartphones that use the micro-SIM, which is smaller than the mini-SIM. These SIM cards vary in size, but all provide both identification and authentication of the subscriber’s phone to its network, all contain storage for phone numbers, SMS, and other information, and all allow for the creation of applications on the card itself.

SIM Structure and File Systems

A SIM card contains a processor and operating system with between 16 and 256 KB of persistent, electronically erasable, programmable read-only memory (EEPROM). It also contains RAM (random access memory) and ROM (read-only memory). RAM controls the program execution flow and the ROM controls the operating system work flow, user authentication, data encryption algorithm, and other applications. The hierarchically organized file system of a SIM resides in persistent memory and stores data as names and phone number entries, text messages, and network service settings. Depending on the phone used, some information on the SIM may coexist in the memory of the phone. Alternatively, information may reside entirely in the memory of the phone instead of available memory on the SIM.

The hierarchical file system resides in EEPROM. The file system consists of three types of files: master file (MF), dedicated files, and elementary files. The master file is the root of the file system. Dedicated files are the subordinate directories of master files. Elementary files contain various types of data, structured as either a sequence of data bytes, a sequence of fixed-size records, or a fixed set of fixed-size records used cyclically.

[Figure: SIM file system hierarchy (MF, DFs, EFs)]

As can be seen in the above figure, dedicated files are subordinate directories under the MF, their contents and functions being defined by the GSM11.11 standards. Three are usually present: DF (DCS1800), DF (GSM), and DF (Telecom). Also present under the MF are EFs (ICCID). Subordinate to each of the DFs are supporting EFs, which contain the actual data. The EFs under DF (DCS1800) and DF (GSM) contain network-related information and the EFs under DF (Telecom) contain the service-related information.

All the files have headers, but only EFs contain data. The first byte of every header identifies the file type and the header contains the information related to the structure of the files. The body of an EF contains information related to the application. Files can be either administrative- or application-specific and access to stored data is controlled by the operating system.

Security in SIM

SIM cards have built-in security features. The three file types, MF, DF, and EF, contain the security attributes. These security features filter every execution and allow only those with proper authorization to access the requested functionality. There are different levels of access conditions in DF and EF files. They are:

  • Always—This condition allows access to files without any restrictions.
  • Card holder verification 1 (CHV1)—This condition allows access to files after successful verification of the user’s PIN, or if PIN verification is disabled.
  • Card holder verification 2 (CHV2)—This condition allows access to files after successful verification of the user’s PIN2, or if PIN2 verification is disabled.
  • Administrative (ADM)—The card issuer who provides the SIM to the subscriber can access the file only after the prescribed requirements for administrative access are fulfilled.
  • Never (NEV)—Access to the file over the SIM/ME interface is forbidden.

The SIM operating system controls access to an element of the file system based on its access condition and the type of action being attempted. The operating system allows only a limited number of attempts, usually three, to enter the correct CHV before further attempts are blocked. Unblocking requires a PUK code, the PIN unblocking key, which resets the CHV and the attempt counter. If the subscriber is known, the unblock CHV1/CHV2 can easily be provided by the service provider.

Sensitive Data in SIM

The SIM card contains sensitive information about the subscriber. Data such as contact lists and messages can be stored in SIM. SIM cards themselves contain a repository of data and information, some of which is listed below:

  • Integrated circuit card identifier (ICCID)
  • International mobile subscriber identity (IMSI)
  • Service provider name (SPN)
  • Mobile country code (MCC)
  • Mobile network code (MNC)
  • Mobile subscriber identification number (MSIN)
  • Mobile station international subscriber directory number (MSISDN)
  • Abbreviated dialing numbers (ADN)
  • Last dialed numbers (LDN)
  • Short message service (SMS)
  • Language preference (LP)
  • Card holder verification (CHV1 and CHV2)
  • Ciphering key (Kc)
  • Ciphering key sequence number
  • Emergency call code
  • Fixed dialing numbers (FDN)
  • Local area identity (LAI)
  • Own dialing number
  • Temporary mobile subscriber identity (TMSI)
  • Routing area identifier (RAI) network code
  • Service dialing numbers (SDNs)

These data have forensic value and can be gathered from the EF files. Some of these data are discussed below.

A. Service Related Information

ICCID: The integrated circuit card identification is a unique numeric identifier for the SIM that can be up to 20 digits long. It consists of an industry identifier prefix (89 for telecommunications), followed by a country code, an issuer identifier number, and an individual account identification number. Twenty-digit ICCIDs have an additional “checksum” digit. One example of the interpretation of a hypothetical nineteen digit ICCID (89 310 410 10 654378930 1) is shown below.

  • Issuer identification number (IIN), variable in length up to a maximum of seven digits:
    • The first two digits are fixed and make up the industry identifier; “89” refers to the telecommunications industry.
    • The next two or three digits are the mobile country code (MCC) as defined by ITU-T recommendation E.164; “310” refers to the United States.
    • The next one to four digits are the mobile network code (MNC). This is a fixed number for a country or world zone; “410” refers to the operator AT&T Mobility.
    • The next two digits, “10,” pertain to the home location register.
  • Individual account information, variable in length:
    • The next nine digits, “654378930,” represent the individual account identification number. Every number under one IIN has the same number of digits.
  • Check digit—the last digit, “1,” is computed from the other 18 digits using the Luhn algorithm.

IMSI: The international mobile subscriber identity is a unique 15-digit number provided to the subscriber. It has a structure similar to the ICCID and consists of the MCC, MNC, and MSIN. An example of interpreting a hypothetical 15-digit IMSI (302 720 123456789) is shown below:

  • MCC—The first three digits identify the country. “302” refers to Canada.
  • MNC—The next two (European standard) or three digits (North American standard) identify the operator. “720” refers to Rogers Communications.
  • MSIN—The next nine digits, “123456789,” identify the mobile unit within a carrier’s GSM network.

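As an added example (not from the original article), the Python below splits the hypothetical ICCID and IMSI above into the fields described and implements the Luhn check digit; the MCC and MNC widths are passed in by the caller because, as the article notes, they vary by country. Note that the hypothetical ICCID as printed, 89 310 410 10 654378930 1, is 20 digits and does not pass the Luhn check (its payload would need a check digit of 5), so treat it as a layout illustration only.

```python
"""Field splitting and Luhn check-digit handling for ICCID and IMSI values.

Added example, not from the original article. The layout follows the article's
description: '89' + MCC + MNC + 2 HLR digits + account number + check digit for
an ICCID, and MCC (3) + MNC (2 or 3) + MSIN for an IMSI. MCC and MNC widths
vary by country, so the caller supplies them.
"""
from __future__ import annotations


def luhn_sum(number: str) -> int:
    """Luhn weighted digit sum; the rightmost digit is position 1, the check position."""
    total = 0
    for pos, ch in enumerate(reversed(number), start=1):
        d = int(ch)
        if pos % 2 == 0:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the full number (payload plus check digit) passes the Luhn check."""
    return number.isdigit() and luhn_sum(number) % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """Check digit that must be appended to payload to make it Luhn-valid."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    # A placeholder 0 in the check position puts every payload digit where it will end up.
    return (10 - luhn_sum(payload + "0") % 10) % 10


def split_iccid(iccid: str, mcc_digits: int, mnc_digits: int) -> dict:
    """Split a 19- or 20-digit ICCID into its fields and report whether it is Luhn-valid."""
    digits = iccid.replace(" ", "")
    if not digits.isdigit() or len(digits) not in (19, 20):
        raise ValueError("ICCID must be 19 or 20 decimal digits")
    fields, pos = {}, 0
    for name, width in (("industry", 2), ("mcc", mcc_digits), ("mnc", mnc_digits), ("hlr", 2)):
        fields[name] = digits[pos:pos + width]
        pos += width
    fields["account"] = digits[pos:-1]  # variable-length individual account number
    fields["check"] = digits[-1]
    fields["luhn_valid"] = luhn_valid(digits)
    fields["expected_check"] = luhn_check_digit(digits[:-1])
    return fields


def split_imsi(imsi: str, mnc_digits: int) -> dict:
    """Split a 15-digit IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN."""
    digits = imsi.replace(" ", "")
    if not digits.isdigit() or len(digits) != 15:
        raise ValueError("IMSI must be 15 decimal digits")
    if mnc_digits not in (2, 3):
        raise ValueError("MNC is 2 (European) or 3 (North American) digits")
    return {"mcc": digits[:3], "mnc": digits[3:3 + mnc_digits], "msin": digits[3 + mnc_digits:]}


if __name__ == "__main__":
    # The article's hypothetical values, with the field widths it describes.
    print(split_iccid("89 310 410 10 654378930 1", mcc_digits=3, mnc_digits=3))
    print(split_imsi("302 720 123456789", mnc_digits=3))
```
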
MSISDN—The Mobile Station International Subscriber Directory Number is intended to convey the telephone number assigned to the subscriber for receiving calls on the phone. An example of the MSISDN format (CC + NDC + SN) is shown below:

  • CC (country code) can be up to 3 digits.
  • NDC (national destination code) is usually 2 or 3 digits.
  • SN (subscriber number) can be up to a maximum of 10 digits.

B. Phonebook and Call Information

1. Abbreviated dialing numbers (ADN)—Any number and name dialed by the subscriber is saved in the ADN EF. The type of number and the numbering plan identification are also maintained here. This function works on the subscriber’s commonly dialed numbers. The ADN cannot be changed by the service provider, and its entries can be attributed to the user of the phone. Most SIMs provide 100 slots for ADN entries.

2. Fixed dialing numbers (FDN)—The FDN EF works similarly to the ADN because it involves contact numbers and names. With this function, the user doesn’t have to dial numbers; by pressing a number key on the phone, he can access the contact number.

3. Last number dialed (LND)—The LND EF contains the number most recently dialed by the subscriber. The number and the name associated with it are stored in this entry. Depending upon the phone, it is also conceivable that the information may be stored in the handset and not on the SIM. Any numbers that may be present can provide valuable information to an investigator.

[Figure: XML phonebook entry]

C. Messaging Information—Messaging is a communication medium by which text is entered on one cell phone and delivered via the mobile phone network. The short message service contains texts and associated parameters for the message. SMS entries contain other information besides the text itself, such as the time an incoming message was sent, as recorded by the mobile phone network, the sender’s phone number, the SMS center address, and the status of the entry. An SMS is limited to either 160 characters (Latin alphabet) or 70 characters (for other alphabets). Longer messages are broken down by the sending phone and reassembled by the receiving phone.

Tools for SIM Forensics

To perform a forensic investigation on a SIM card, it has to be removed from the cell phone and connected to a SIM card reader. The original data of the SIM card is preserved by eliminating write requests to the SIM during its analysis. Then we calculate the hash value of the data; hashing is used to check the integrity of the data, that is, whether it has changed or not. Many forensic tools are available, but not all of them can extract data from every type of cell phone and SIM card. Some well-known tools are discussed below:

Encase Smartphone Examiner: This tool is specifically designed for gathering data from smartphones and tablets such as iPhone, iPad, etc. It can capture evidence from devices that use the Apple iOS, HP Palm OS, Windows Mobile OS, Google Android OS, or RIM Blackberry OS. It can acquire data from Blackberry and iTunes backup files as well as a multitude of SD cards. The evidence can be seamlessly integrated into EnCase Forensic.

MOBILedit! Forensic: This tool can analyze phones via Bluetooth, IrDA, or cable connection; it analyzes SIMs through SIM readers and can read deleted messages from the SIM card.

pySIM: A SIM card management tool capable of creating, editing, deleting, and performing backup and restore operations on the SIM phonebook and SMS records.

AccessData Mobile Phone Examiner (MPE) Plus: This tool supports more than 7000 phones, including iOS, Android, Blackberry, Windows Mobile, and Chinese devices, and can be purchased as hardware with a SIM card reader and data cables. File systems are immediately viewable and can be parsed in MPE+ to locate the lock code, EXIF data, and any data contained in the mobile phone’s file system.

SIMpull: SIMpull is a powerful SIM card acquisition application that allows you to acquire the entire contents of a SIM card. This includes the retrieval of deleted SMS messages, a feature not available in many other commercial SIM card acquisition programs. SIMpull first determines whether the card is a GSM SIM or a 3G USIM, then performs a logical acquisition of all files defined in either the ETSI TS 151.011 (GSM) or ETSI TS 131.102 (USIM) standard.

[Screenshot: SIMpull SMS record view]

As can be seen in the above figure, using the SIMpull application we can see SMS information such as the SMS text and its length, the sender’s number, service center information, etc.

CREDIT:  Rohit Shaw – eforensicsmag