Acquire, triage and investigate remote evidence via portable iSCSI readonly access
Table of Contents
- About The Project
-
Usage
- Command Line Options
- List devices of the endpoint
- Share a disk or volume as an iSCSI target
- Connect to a SPECTR3 iSCSI target with Windows
- Connect to a SPECTR3 iSCSI target with Linux
- Connect to a SPECTR3 iSCSI target with OSx
- Improved security through IP ACLs
- Encrypt connection over reverse SSH
- SPECTR3 for Linux
- Video Examples
- Roadmap
- Acknowledgments
- Scenarios
This project is based on the great work done by TalAloni with iSCSI Console (windows version) and Fujita with TGT project (linux version) but with a forensic objective more similar to F-Response in its approach to remote acquisition, analysis and triage.
The goal is to make available to the community a command line, open source and easy to use tool for scenarios where a complete forensic acquisition or a fast remote analysis is needed.
And of course... just for fun!
Copy portable executable of SPECTR3 to the endpoint where you want to perform remote acquisition, triage or forensic analysis, remember that you will need administrator permissions to access the block devices.
SPECTR3 v0.7 - Remote acquisition and forensic tool by Alpine Security
Usage: SPECTR3.exe [options]
Options:
-l, --list
List available volumes and disks.
-p, --port
Set the port number to listen on.
-i, --permitip
Set the permited ip client to connect.
-b, --bindip
Set the bind ip where server will listen.
-v, --volume
Set the volume to share.
-d, --disk
Set the disk to share.
-a, --shareall
Share all disks.
-t, --timeout
Stop the service if the configured number of MINUTES without activity elapses. Ex. -t 60 (60 min)
-h, --help
Print this help message.
--sshuser
Set the ssh user to connect.
--sshpass
Set the ssh password to connect in BASE64. NOTE: if the password is empty, the prompt will ask for the password, in this case it does not need to be entered in BASE64.
--sshhost
Set the ssh host to connect.
--sshport
Set the ssh port to connect. Default: 22
--daemon
Run SPECTR3 as background unattended process. NOTE: Manually kill by PID needed.
C:\Users\dev\Desktop>SPECTR3.exe -l
- List Physical Disks:
+ Dsk 0: Msft Virtual Disk 60GB
- List Volumes:
+ Vol 0: EFI system partition Partition 100MB Healthy
+ Vol 1: Microsoft reserved partition Partition 16MB Healthy
+ Vol 2: Basic data partition Partition 59.4GB Healthy
+ Vol 3: Noname Partition 530MB Healthy
Use -d if you want share a full disk or -v if only you want to share a volume. Use the index of de volume or disk in -l list. (Allow Access in firewall if popup)
C:\Users\dev\Desktop>SPECTR3.exe -d 0
- SPECTR3 Server running at 172.29.10.42:3262
+ Target IQN: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
+ Access Permited from: 0.0.0.0
- Press ENTER key to stop sharing and close server ...
Press ENTER for sharing termination
In Windows Investigator machines you can use the windows native tool iSCSI Initiator:
- Discover targets with "Discover Portal" in "Discovery Tab":
- Use Spectr3 server IP and Port:
- Connect to target in "Targets" tab:
- Acquire or analyze with your favorite tool:
C:\kape> .\kape.exe --tsource G: --tdest C:\Triages\RegistryFiles --target RegistryHives
KAPE version 1.3.0.2, Author: Eric Zimmerman, Contact: https://www.kroll.com/kape (kape@kroll.com)
KAPE directory: C:\kape
Command line: --tsource G: --tdest RegistryFiles --target RegistryHives
System info: Machine name: STARK, 64-bit: True, User: KERO99 OS: Windows10 (10.0.22621)
Using Target operations
Creating target destination directory C:\Triages\RegistryFiles
Found 2 targets. Expanding targets to file list...
Found 30 files in 0.173 seconds. Beginning copy...
Copied 30 out of 30 files in 6.5936 seconds. See C:\Triages\RegistryFiles\2023-05-09T15_06_21_5242679_CopyLog.csv for copy details
Total execution time: 6.5953 seconds
NOTE: if you simply want to do a quick view without the annoying permissions inherited from NTFS, you can use Double Commander (https://github.com/doublecmd/doublecmd) or Powershell as administrator for example
- Disconnect when finish
In linux distros install open-iscsi with apt or yum.
- Discover targets:
admuser@lindev:~$ sudo iscsiadm -m discovery -t sendtargets -p 172.29.10.42:3262
172.29.10.42:3262,-1 iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
- Connect targets:
admuser@lindev:~$ sudo iscsiadm -m node -l
Logging in to [iface: default, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262]
Login to [iface: default, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262] successful.
- Acquire or analyze with your favorite tool:
admuser@lindev:/tmp$ sudo ewfacquire -u -S 5GiB -t /tmp/windev/windev /dev/sdb
- Disconnect when finish:
admuser@lindev:/tmp$ sudo iscsiadm -m node -u
Logging out of session [sid: 1, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262]
Logout of [sid: 1, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262] successful.
- (Optional) Remove Target from cache. Example:
admuser@lindev:~$ sudo iscsiadm -m node -o delete -T iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
In OSx install KernSafe ISCSI Initiator X.
https://www.kernsafe.com/product/macos-iscsi-initiator.aspx
- Discover targets with "Discover" and Discover Menu:
- Use Spectr3 server IP and Port:
- Connect to target:
- Acquire or analyze with your favorite tool:
- Disconnect when finish:
Use -i option to improve de security via IP ACL. Only the permited IP will access to target
C:\Users\dev\Desktop>SPECTR3.exe -d 0 -i 10.10.10.2
- SPECTR3 Server running at 172.20.118.42:3262
+ Access Permited from: 10.10.10.2
- Press any key to stop sharing and close server ...
- Use --sshhost options. Optionally you can add sshuser, sshpass and sshport via arguments. If you want set password via argument, you need convert it to base64 (perfect for remote execution of SPECTR3):
C:\Users\dev\Desktop>SPECTR3.exe -d 0 --sshhost 172.29.10.41
- SSH Username: admuser
- SSH Password: *************
- SPECTR3 Server running at 127.0.0.1:3262
+ Target IQN: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
+ Access Permited from: 127.0.0.1
- Press ENTER key to stop sharing and close server ...
- Connecting to SSH server ...
+ SSH tunnel successfully connected to 172.29.10.41:22
+ SSH connection state: Connected
- You can see the remote login and the iSCSI port in the remote machine:
May 22 08:31:04 lindev sshd[1131]: Accepted password for admuser from 172.29.10.42 port 49928 ssh2
May 22 08:31:04 lindev sshd[1131]: pam_unix(sshd:session): session opened for user admuser(uid=1000) by (uid=0)
May 22 08:31:04 lindev systemd-logind[692]: New session 4 of user admuser.
admuser@lindev:~$ netstat -tulpna | grep 3262
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:3262 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:3262 :::* LISTEN -
- Show target in localhost and exported port:
admuser@lindev:~$ sudo iscsiadm -m discovery -t sendtargets -p localhost:3262
[sudo] password for admuser:
[localhost]:3262,-1 iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
- Connect target as usual.
SPECTR3 for linux works as a wrapper for the https://github.com/fujita/tgt project and uses the tgtd and tgtadmin binaries. Both binaries are embedded in the portable version.
usage: spectr3 [-h] [-V] [-l] [-p PORT] [-i PERMITIP] [-b BINDIP] [-d DEVICE] [-a]
[--chapuser CHAPUSER] [--chappass CHAPPASS] [--daemon]
SPECTR3 Linux v0.3 - Remote acquisition and forensic tool by Alpine Security
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
-l, --list List available volumes and disks.
-p PORT, --port PORT Set port to listen on.
-i PERMITIP, --permitip PERMITIP
Set the permited ip client to connect.
-b BINDIP, --bindip BINDIP
Set the bind ip to listen.
-d DEVICE, --device DEVICE
Set device to share. Ex: -d sda1 (without /dev/)
-a, --shareall Share all block devices
--chapuser CHAPUSER Set CHAP username. Ex: --chapuser admin
--chappass CHAPPASS Set CHAP password in BASE64 with minimal password size of 12. Ex: --chappass
QWxwaW5lU2VjdXJpdHk=
--daemon Run SPECTR3 as background unattended process. NOTE: Manually kill by PID
needed.
NOTE: In Centos7/RHEL remember open allow port. Ex: sudo firewall-cmd --zone=public --add-port=3262/tcp
Execution Example:
admuser@lintest:~$ sudo ./spectr3 -l
- List Physical Disks:
+ sda: VMware, VMware Virtual S 20.0GiB
+ sr0: NECVMWar VMware Virtual SATA CDRW Drive 1.8GiB
- List Volumes:
+ sda1: 1.0MiB
+ sda2: ext4 /boot 1.8GiB
+ sda3: 18.2GiB
- List LVM Volumes:
+ ubuntu-lv: ext4 / 10.0GiB
admuser@lintest:~$ sudo ./spectr3 -d sda2
- Starting TGTD...
+ TGTD PID: 38675
+ TGTD started successfully.
- Creating target...
+ Adding device to target...
+ Setting target ACL...
+ Setting target readonly...
- SPECTR3 Server running at 192.168.202.180:3262
+ Target IQN: iqn.2023-05.io.alpine.lintest:sda2
+ Target ACL: ALL
Compile linux portable
cd SPECTR3_LIN
make
sudo pip3 install -r requirements.txt
pyinstaller --onefile spectr3.py --add-binary tgtd:. --add-binary tgtadm:.
- Add option to share all drives in different targets
- Add option to install as a service
- Add option to run as daemon in background
- Tunnelized and encrypted connections
- Linux Version
- Multiplatform easy client
- Others cool things...