Table of Contents
- About The Project
-
Usage
- Command Line Options
- List devices of the endpoint
- Share a disk or volume as an iSCSI target
- Connect to a SPECTR3 iSCSI target with Windows
- Connect to a SPECTR3 iSCSI target with Linux
- Connect to a SPECTR3 iSCSI target with OSx
- Improved security through IP ACLs
- Encrypt connection over reverse SSH
- SPECTR3 for Linux
- Roadmap
- Acknowledgments
- Scenarios
This project is based on the great work done by TalAloni with iSCSI Console but with a forensic objective more similar to F-Response in its approach to remote acquisition, analysis and triage.
The goal is to make available to the community a command line, open source and easy to use tool for scenarios where a complete forensic acquisition or a fast remote analysis is needed.
And of course... just for fun!
Copy portable executable of SPECTR3 to the endpoint where you want to perform remote acquisition, triage or forensic analysis, remember that you will need administrator permissions to access the block devices.
SPECTR3 v0.6 - Remote acquisition and forensic tool by Alpine Security
Usage: SPECTR3.exe [options]
Options:
-l, --list
List available volumes and disks.
-p, --port
Set the port number to listen on.
-i, --permitip
Set the permited ip client to connect.
-b, --bindip
Set the bind ip where server will listen.
-v, --volume
Set the volume to share.
-d, --disk
Set the disk to share.
-t, --timeout
Stop the service if the configured number of MINUTES without activity elapses. Ex. -t 60 (60 min)
-h, --help
Print this help message.
--sshuser
Set the ssh user to connect.
--sshpass
Set the ssh password to connect in BASE64. NOTE: if the password is empty, the prompt will ask for the password, in this case it does not need to be entered in BASE64.
--sshhost
Set the ssh host to connect.
--sshport
Set the ssh port to connect. Default: 22
--daemon
Run SPECTR3 as background unattended process. NOTE: Manually kill by PID needed.
C:\Users\dev\Desktop>SPECTR3.exe -l
- List Physical Disks:
+ Dsk 0: Msft Virtual Disk 60GB
- List Volumes:
+ Vol 0: EFI system partition Partition 100MB Healthy
+ Vol 1: Microsoft reserved partition Partition 16MB Healthy
+ Vol 2: Basic data partition Partition 59.4GB Healthy
+ Vol 3: Noname Partition 530MB Healthy
Use -d if you want share a full disk or -v if only you want to share a volume. Use the index of de volume or disk in -l list. (Allow Access in firewall if popup)
C:\Users\dev\Desktop>SPECTR3.exe -d 0
- SPECTR3 Server running at 172.29.10.42:3262
+ Target IQN: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
+ Access Permited from: 0.0.0.0
- Press ENTER key to stop sharing and close server ...
Press ENTER for sharing termination
In Windows Investigator machines you can use the windows native tool iSCSI Initiator:
- Discover targets with "Discover Portal" in "Discovery Tab":
- Use Spectr3 server IP and Port:
- Connect to target in "Targets" tab:
- Acquire or analyze with your favorite tool:
C:\kape> .\kape.exe --tsource G: --tdest C:\Triages\RegistryFiles --target RegistryHives
KAPE version 1.3.0.2, Author: Eric Zimmerman, Contact: https://www.kroll.com/kape ([email protected])
KAPE directory: C:\kape
Command line: --tsource G: --tdest RegistryFiles --target RegistryHives
System info: Machine name: STARK, 64-bit: True, User: KERO99 OS: Windows10 (10.0.22621)
Using Target operations
Creating target destination directory C:\Triages\RegistryFiles
Found 2 targets. Expanding targets to file list...
Found 30 files in 0.173 seconds. Beginning copy...
Copied 30 out of 30 files in 6.5936 seconds. See C:\Triages\RegistryFiles\2023-05-09T15_06_21_5242679_CopyLog.csv for copy details
Total execution time: 6.5953 seconds
NOTE: if you simply want to do a quick view without the annoying permissions inherited from NTFS, you can use Double Commander (https://github.com/doublecmd/doublecmd) or Powershell as administrator for example
- Disconnect when finish
In linux distros install open-iscsi with apt or yum.
- Discover targets:
admuser@lindev:~$ sudo iscsiadm -m discovery -t sendtargets -p 172.29.10.42:3262
172.29.10.42:3262,-1 iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
- Connect targets:
admuser@lindev:~$ sudo iscsiadm -m node -l
Logging in to [iface: default, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262]
Login to [iface: default, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262] successful.
- Acquire or analyze with your favorite tool:
admuser@lindev:/tmp$ sudo ewfacquire -u -S 5GiB -t /tmp/windev/windev /dev/sdb
- Disconnect when finish:
admuser@lindev:/tmp$ sudo iscsiadm -m node -u
Logging out of session [sid: 1, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262]
Logout of [sid: 1, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262] successful.
- (Optional) Remove Target from cache. Example:
admuser@lindev:~$ sudo iscsiadm -m node -o delete -T iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
In OSx install KernSafe ISCSI Initiator X.
https://www.kernsafe.com/product/macos-iscsi-initiator.aspx
- Discover targets with "Discover" and Discover Menu:
- Use Spectr3 server IP and Port:
- Connect to target:
- Acquire or analyze with your favorite tool:
- Disconnect when finish:
Use -i option to improve de security via IP ACL. Only the permited IP will access to target
C:\Users\dev\Desktop>SPECTR3.exe -d 0 -i 10.10.10.2
- SPECTR3 Server running at 172.20.118.42:3262
+ Access Permited from: 10.10.10.2
- Press any key to stop sharing and close server ...
- Use --sshhost options. Optionally you can add sshuser, sshpass and sshport via arguments. If you want set password via argument, you need convert it to base64 (perfect for remote execution of SPECTR3):
C:\Users\dev\Desktop>SPECTR3.exe -d 0 --sshhost 172.29.10.41
- SSH Username: admuser
- SSH Password: *************
- SPECTR3 Server running at 127.0.0.1:3262
+ Target IQN: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
+ Access Permited from: 127.0.0.1
- Press ENTER key to stop sharing and close server ...
- Connecting to SSH server ...
+ SSH tunnel successfully connected to 172.29.10.41:22
+ SSH connection state: Connected
- You can see the remote login and the iSCSI port in the remote machine:
May 22 08:31:04 lindev sshd[1131]: Accepted password for admuser from 172.29.10.42 port 49928 ssh2
May 22 08:31:04 lindev sshd[1131]: pam_unix(sshd:session): session opened for user admuser(uid=1000) by (uid=0)
May 22 08:31:04 lindev systemd-logind[692]: New session 4 of user admuser.
admuser@lindev:~$ netstat -tulpna | grep 3262
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:3262 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:3262 :::* LISTEN -
- Show target in localhost and exported port:
admuser@lindev:~$ sudo iscsiadm -m discovery -t sendtargets -p localhost:3262
[sudo] password for admuser:
[localhost]:3262,-1 iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0
- Connect target as usual.
SPECTR3 for linux works as a wrapper for the https://github.com/fujita/tgt project and uses the tgtd and tgtadmin binaries. Both binaries are embedded in the portable version. ''' usage: spectr3 [-h] [-V] [-l] [-p PORT] [-i PERMITIP] [-b BINDIP] [-d DEVICE] [--daemon]
SPECTR3 v0.1 Linux - Remote acquisition and forensic tool by Alpine Security
options: -h, --help show this help message and exit -V, --version show program's version number and exit -l, --list List available volumes and disks. -p PORT, --port PORT Set port to listen on. -i PERMITIP, --permitip PERMITIP Set the permited ip client to connect. -b BINDIP, --bindip BINDIP Set the bind ip to listen. -d DEVICE, --device DEVICE Set device to share. --daemon Run SPECTR3 as background unattended process. '''
- Add option to share all drives in different targets
- Add option to install as a service
- Add option to run as daemon in background
- Tunnelized and encrypted connections
- Linux Version
- Multiplatform easy client
- Others cool things...