Skip to content

Forensic tool for acquisition, triage and analysis of remote block devices via iSCSI protocol.

License

Notifications You must be signed in to change notification settings

alpine-sec/SPECTR3

Repository files navigation


Spectr3_2

SPECTR3: Remote Acquisition Tool

Acquire, triage and investigate remote evidence via portable iSCSI readonly access

Table of Contents
  1. About The Project
  2. Usage
  3. Video Examples
  4. Roadmap
  5. Acknowledgments
  6. Scenarios

About The Project

This project is based on the great work done by TalAloni with iSCSI Console (windows version) and Fujita with TGT project (linux version) but with a forensic objective more similar to F-Response in its approach to remote acquisition, analysis and triage.

The goal is to make available to the community a command line, open source and easy to use tool for scenarios where a complete forensic acquisition or a fast remote analysis is needed.

And of course... just for fun!

Usage

DOWNLOAD EXECUTABLE

Copy portable executable of SPECTR3 to the endpoint where you want to perform remote acquisition, triage or forensic analysis, remember that you will need administrator permissions to access the block devices.

Command Line Options

SPECTR3 v0.7.5 - Remote acquisition and forensic tool by Alpine Security
Usage: SPECTR3.exe [options]
Options:
  -l, --list
    List available volumes and disks.
  -p, --port
    Set the port number to listen on.
  -i, --permitip
    Set the permited ip client to connect.
  -b, --bindip
    Set the bind ip where server will listen.
  -v, --volume
    Set the volume to share.
  -d, --disk
    Set the disk to share.
  -a, --shareall
    Share all disks.
  -t, --timeout
    Stop the service if the configured number of MINUTES without activity elapses. Ex. -t 60 (60 min)
  -h, --help
    Print this help message.
  --sshuser
    Set the ssh user to connect.
  --sshpass
    Set the ssh password to connect in BASE64. NOTE: if the password is empty, the prompt will ask for the password, in this case it does not need to be entered in BASE64.
  --sshhost
    Set the ssh host to connect.
  --sshport
    Set the ssh port to connect. Default: 22
  --daemon
    Run SPECTR3 as background unattended process. NOTE: Manually kill by PID needed.

List devices of the endpoint

C:\Users\dev\Desktop>SPECTR3.exe -l
- List Physical Disks:
    + Dsk 0:  Msft Virtual Disk    60GB
- List Volumes:
    + Vol 0:  EFI system partition Partition 100MB Healthy
    + Vol 1:  Microsoft reserved partition Partition 16MB Healthy
    + Vol 2:  Basic data partition Partition 59.4GB Healthy
    + Vol 3:  Noname Partition 530MB Healthy

Share a disk or volume as an iSCSI target

Use -d if you want share a full disk or -v if only you want to share a volume. Use the index of de volume or disk in -l list. (Allow Access in firewall if popup)

C:\Users\dev\Desktop>SPECTR3.exe -d 0

  - SPECTR3 Server running at 172.29.10.42:3262
    + Target IQN: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
    + Access Permited from: 0.0.0.0
  - Press ENTER key to stop sharing and close server ...

Press ENTER for sharing termination


Connect to a SPECTR3 iSCSI target with Windows

In Windows Investigator machines you can use the windows native tool iSCSI Initiator:

  1. Discover targets with "Discover Portal" in "Discovery Tab":

win01

  1. Use Spectr3 server IP and Port:

win02

  1. Connect to target in "Targets" tab:

win03

win04

  1. Acquire or analyze with your favorite tool:

win05

win06

C:\kape> .\kape.exe --tsource G: --tdest C:\Triages\RegistryFiles --target RegistryHives
KAPE version 1.3.0.2, Author: Eric Zimmerman, Contact: https://www.kroll.com/kape (kape@kroll.com)

KAPE directory: C:\kape
Command line:   --tsource G: --tdest RegistryFiles --target RegistryHives

System info: Machine name: STARK, 64-bit: True, User: KERO99 OS: Windows10 (10.0.22621)

Using Target operations
  Creating target destination directory C:\Triages\RegistryFiles
Found 2 targets. Expanding targets to file list...
Found 30 files in 0.173 seconds. Beginning copy...

Copied 30 out of 30 files in 6.5936 seconds. See C:\Triages\RegistryFiles\2023-05-09T15_06_21_5242679_CopyLog.csv for copy details

Total execution time: 6.5953 seconds

NOTE: if you simply want to do a quick view without the annoying permissions inherited from NTFS, you can use Double Commander (https://github.com/doublecmd/doublecmd) or Powershell as administrator for example

  1. Disconnect when finish

Connect to a SPECTR3 iSCSI target with Linux

In linux distros install open-iscsi with apt or yum.

  1. Discover targets:
admuser@lindev:~$ sudo iscsiadm -m discovery -t sendtargets -p 172.29.10.42:3262
172.29.10.42:3262,-1 iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
  1. Connect targets:
admuser@lindev:~$ sudo iscsiadm -m node -l
Logging in to [iface: default, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262]
Login to [iface: default, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262] successful.

image

  1. Acquire or analyze with your favorite tool:
admuser@lindev:/tmp$ sudo ewfacquire -u -S 5GiB -t /tmp/windev/windev /dev/sdb

image

  1. Disconnect when finish:
admuser@lindev:/tmp$ sudo iscsiadm -m node -u
Logging out of session [sid: 1, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262]
Logout of [sid: 1, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262] successful.
  1. (Optional) Remove Target from cache. Example:
admuser@lindev:~$ sudo iscsiadm -m node -o delete -T iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0

Connect to a SPECTR3 iSCSI target with OSx

In OSx install KernSafe ISCSI Initiator X.

https://www.kernsafe.com/product/macos-iscsi-initiator.aspx

  1. Discover targets with "Discover" and Discover Menu:

osx01

osx02

  1. Use Spectr3 server IP and Port:

osx03

osx04

  1. Connect to target:

osx06

osx07

  1. Acquire or analyze with your favorite tool:

osx08

  1. Disconnect when finish:

⚠️ Remember to disconnect your ISCSI drives before shutdown ⚠️


Improved security through IP ACLs

Use -i option to improve de security via IP ACL. Only the permited IP will access to target

C:\Users\dev\Desktop>SPECTR3.exe -d 0 -i 10.10.10.2
  - SPECTR3 Server running at 172.20.118.42:3262
    + Access Permited from: 10.10.10.2
  - Press any key to stop sharing and close server ...

Encrypt connection over reverse SSH

  1. Use --sshhost options. Optionally you can add sshuser, sshpass and sshport via arguments. If you want set password via argument, you need convert it to base64 (perfect for remote execution of SPECTR3):
C:\Users\dev\Desktop>SPECTR3.exe -d 0 --sshhost 172.29.10.41
  - SSH Username: admuser
  - SSH Password: *************
  - SPECTR3 Server running at 127.0.0.1:3262
    + Target IQN: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
    + Access Permited from: 127.0.0.1
  - Press ENTER key to stop sharing and close server ...
  - Connecting to SSH server ...
    + SSH tunnel successfully connected to 172.29.10.41:22
    + SSH connection state: Connected
  1. You can see the remote login and the iSCSI port in the remote machine:
May 22 08:31:04 lindev sshd[1131]: Accepted password for admuser from 172.29.10.42 port 49928 ssh2
May 22 08:31:04 lindev sshd[1131]: pam_unix(sshd:session): session opened for user admuser(uid=1000) by (uid=0)
May 22 08:31:04 lindev systemd-logind[692]: New session 4 of user admuser.
admuser@lindev:~$ netstat -tulpna | grep 3262
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:3262          0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:3262                :::*                    LISTEN      -
  1. Show target in localhost and exported port:
admuser@lindev:~$ sudo iscsiadm -m discovery -t sendtargets -p localhost:3262
[sudo] password for admuser:
[localhost]:3262,-1 iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
  1. Connect target as usual.

SPECTR3 for Linux

SPECTR3 for linux works as a wrapper for the https://github.com/fujita/tgt project and uses the tgtd and tgtadmin binaries. Both binaries are embedded in the portable version.

usage: spectr3 [-h] [-V] [-l] [-p PORT] [-i PERMITIP] [-b BINDIP] [-d DEVICE] [-a]
               [--chapuser CHAPUSER] [--chappass CHAPPASS] [--daemon]

SPECTR3 Linux v0.3 - Remote acquisition and forensic tool by Alpine Security

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -l, --list            List available volumes and disks.
  -p PORT, --port PORT  Set port to listen on.
  -i PERMITIP, --permitip PERMITIP
                        Set the permited ip client to connect.
  -b BINDIP, --bindip BINDIP
                        Set the bind ip to listen.
  -d DEVICE, --device DEVICE
                        Set device to share. Ex: -d sda1 (without /dev/)
  -a, --shareall        Share all block devices
  --chapuser CHAPUSER   Set CHAP username. Ex: --chapuser admin
  --chappass CHAPPASS   Set CHAP password in BASE64 with minimal password size of 12. Ex: --chappass
                        QWxwaW5lU2VjdXJpdHk=
  --daemon              Run SPECTR3 as background unattended process. NOTE: Manually kill by PID
                        needed.

NOTE: In Centos7/RHEL remember open allow port. Ex: sudo firewall-cmd --zone=public --add-port=3262/tcp

Execution Example:

admuser@lintest:~$ sudo ./spectr3 -l
- List Physical Disks:
    + sda:  VMware, VMware Virtual S    20.0GiB
    + sr0:  NECVMWar VMware Virtual SATA CDRW Drive    1.8GiB
- List Volumes:
    + sda1:                     1.0MiB
    + sda2:     ext4    /boot   1.8GiB
    + sda3:                     18.2GiB
- List LVM Volumes:
    + ubuntu-lv:        ext4    /       10.0GiB
admuser@lintest:~$ sudo ./spectr3 -d sda2
  - Starting TGTD...
    + TGTD PID: 38675
    + TGTD started successfully.

  - Creating target...
    + Adding device to target...
    + Setting target ACL...
    + Setting target readonly...

  - SPECTR3 Server running at 192.168.202.180:3262
    + Target IQN: iqn.2023-05.io.alpine.lintest:sda2
    + Target ACL: ALL

Compile linux portable

cd SPECTR3_LIN
make
sudo pip3 install -r requirements.txt
pyinstaller --onefile spectr3.py --add-binary tgtd:. --add-binary tgtadm:.

Examples

Fast EVTX triage with SPECTR3, Hayabusa and Timesketch

Watch the video

Remote Acquisition of Windows Server Core with SPECTR3

Watch the video

Scenarios

SPECTR3-Basic

Roadmap

  • Add option to share all drives in different targets
  • Add option to install as a service
  • Add option to run as daemon in background
  • Tunnelized and encrypted connections
  • Linux Version
  • Multiplatform easy client
  • Others cool things...

Acknowledgments

(back to top)