
satori's Introduction

Satori (悟り)

A 'forensic oriented' filesystem image suite!


The project is being rewritten and is under heavy development: https://github.com/satori-ng/


Full Blog Post: https://securosophy.com/2016/08/10/the-satori-suite/

   ▄████████    ▄████████     ███      ▄██████▄     ▄████████  ▄█  
  ███    ███   ███    ███ ▀█████████▄ ███    ███   ███    ███ ███  
  ███    █▀    ███    ███    ▀███▀▀██ ███    ███   ███    ███ ███▌ 
  ███          ███    ███     ███   ▀ ███    ███  ▄███▄▄▄▄██▀ ███▌ 
▀███████████ ▀███████████     ███     ███    ███ ▀▀███▀▀▀▀▀   ███▌ 
         ███   ███    ███     ███     ███    ███ ▀███████████ ███  
   ▄█    ███   ███    ███     ███     ███    ███   ███    ███ ███  
 ▄████████▀    ███    █▀     ▄████▀    ▀██████▀    ███    ███ █▀   
                                                   ███    ███ 

"Satori" is a Japanese Buddhist term for awakening, "comprehension; understanding" [...] enlightenment. en.wikipedia.org/wiki/Satori

It is named after the spontaneous feeling of absolute knowledge that an analyst feels when he/she finally understands what exactly is happening in a system or network!

The idea (and inspiration) for the development of this tool came from Mr. Vivek Ramachandran, founder of Securitytube.net, as the main project for Module 8 of the 'SecurityTube Python Scripting Expert (SPSE)' course. I thank him from the bottom of my heart for his contribution to the security community (and to my personal development)!

Suite Description

Satori has 3 basic tools (and 1 not that basic):

satori-imager

Satori Imager creates images of a file system, saving key elements for each file such as: filename (duh!), privileges, size, type, text content and hash (if chosen), while maintaining the file system's tree-like structure. The images are saved as (gzipped) JSON files or Python pickles and also contain metadata about the system, such as the user that did the image dump, the date of the image dump, the system's 'uname' and more.

usage: satori-imager.py [-h] [--type {pickle,json,sqlite}] [--no-gzip]
                        [--verbose | --debug | --quiet] [--filetypes | --text]
                        [--hash] [--threads THREADS]
                        [image]

Crawls the whole filesystem and creates an image of it to a file.
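The following is an added example, not code from the satori project: a minimal imager in the spirit of satori-imager that walks a directory tree, records for every entry the key elements listed above (filename, privileges, size, owner/group, type), keeps the tree structure, and attaches image metadata (user, date, uname) before writing the result as gzipped JSON. Hash and text capture are implemented as per-file hooks, which also mirrors the "Satori Extensions" hook model proposed in the restructure issue further down this page. The image layout (a "root" node whose "children" map names to nodes), the 64 KiB text limit and the function names are assumptions made for this example.

```python
"""Minimal filesystem imager in the spirit of satori-imager (added example, not project code).

Walks a directory tree and records, for every entry, filename, privileges, size,
owner/group and type, keeps the tree structure, and adds image metadata (user,
date, uname). Hash and text capture are per-file hooks so that further
"extensions" can be plugged in the same way.
"""
import gzip
import hashlib
import json
import os
import platform
import stat
import sys
from datetime import datetime, timezone

TEXT_LIMIT = 64 * 1024  # assumption: only embed text of files up to 64 KiB


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_extension(path, st, node):
    """--hash: store the SHA-256 of regular files."""
    if node["type"] == "file":
        node["sha256"] = sha256_of(path)


def text_extension(path, st, node):
    """--text: store the content of small regular files that decode as UTF-8."""
    if node["type"] == "file" and st.st_size <= TEXT_LIMIT:
        try:
            with open(path, "r", encoding="utf-8") as fh:
                node["text"] = fh.read()
        except UnicodeDecodeError:
            node["text"] = None  # binary content is not embedded


EXTENSIONS = {"hash": hash_extension, "text": text_extension}  # hypothetical registry


def entry_type(mode):
    if stat.S_ISLNK(mode):
        return "link"
    if stat.S_ISDIR(mode):
        return "dir"
    return "file" if stat.S_ISREG(mode) else "other"


def describe_entry(path, hooks):
    st = os.lstat(path)  # lstat: a symlink is recorded as a link and never followed
    node = {
        "filename": os.path.basename(path) or path,
        "privileges": "%07o" % st.st_mode,  # e.g. 0100644, as satori-browser prints it
        "owner": st.st_uid,
        "group": st.st_gid,
        "size": st.st_size,
        "type": entry_type(st.st_mode),
    }
    for hook in hooks:
        hook(path, st, node)
    return node


def image_tree(path, hooks):
    node = describe_entry(path, hooks)
    if node["type"] == "dir":
        node["children"] = {}
        for name in sorted(os.listdir(path)):
            try:
                node["children"][name] = image_tree(os.path.join(path, name), hooks)
            except OSError as exc:  # unreadable entry: record the error, keep crawling
                node["children"][name] = {"filename": name, "error": str(exc)}
    return node


def build_image(root, extensions=()):
    hooks = [EXTENSIONS[name] for name in extensions]
    return {
        "metadata": {
            "user": os.environ.get("USER") or os.environ.get("USERNAME") or "unknown",
            "date": datetime.now(timezone.utc).isoformat(),
            "uname": {"system": platform.system(), "node": platform.node(),
                      "release": platform.release(), "machine": platform.machine()},
            "root": os.path.abspath(root),
            "extensions": list(extensions),
        },
        "root": image_tree(root, hooks),
    }


def save_image(image, path, use_gzip=True):
    data = json.dumps(image, indent=1).encode("utf-8")
    with (gzip.open(path, "wb") if use_gzip else open(path, "wb")) as fh:
        fh.write(data)
    return path


def load_image(path):
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        return json.loads(fh.read().decode("utf-8"))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print("image written to", save_image(build_image(target, ("hash", "text")), "image.jsn.gz"))
```

Run it as `python imager.py /` to image a whole file system, or point it at a single directory to try it out. Unreadable entries are recorded with their error rather than aborting the crawl, so an image taken by an unprivileged user still covers everything that user could see.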

satori-remoter

Now imagine the Satori Imager, all via SSH. This is Satori Remoter.

$ ./satori-remote.py [email protected] -v --argument '--threads 4 -v'
Password: 

Remote directory is '/tmp/'
Satori will be copied from '/root/satori'
Attempting SSH connection to '10.0.2.15' as user 'user'
Connection Established!
SFTP channel opened!
Satori folder copied at remote location '/tmp/'
The command to run in remote host is:
'chmod 775 /tmp//satori; cd /tmp//satori; ./satori-imager.py --threads 4 -v '
Executing... 
Getting remote file '/tmp//satori/Linux-4.6.0-kali1-amd64-x86_64-with-Kali-kali-rolling-kali-rolling.jsn.gz'
Done!
Satori image is located at '/root/satori/Linux-4.6.0-kali1-amd64-x86_64-with-Kali-kali-rolling-kali-rolling.jsn.gz'
Remote copied files purged!
SSH session closed!

It gets the image via SFTP and optionally purges the Satori executables from the target machine.

satori-browser

Satori Browser is a tool that loads those image files and spawns a custom UNIX-like shell over the underlying file system. The user can freely ls, cd and stat all files in the file system image. The shell's capabilities depend on the choices made when creating the image; for example, if Satori Imager was configured to dump the text content of files, then a 'cat' command is also available.

{Satori} n0p_sl3d@kali-laptop / $ ls 
0               dev             initrd.img      lib32           live-build      opt             run             sys             var
bin             etc             initrd.img.old  lib64           lost+found      proc            sbin            tmp             vmlinuz
boot            home            lib             libx32          media           root            srv             usr             vmlinuz.old
{Satori} n0p_sl3d@kali-laptop / $ cd etc
{Satori} n0p_sl3d@kali-laptop /etc $ stat passwd
	SHA2 : N/A
	group : 0
	privileges : 0100644
	filename : passwd
	owner : 0
	path : /etc
	type : N/A
	size : 2825
{Satori} n0p_sl3d@kali-laptop /etc $ 
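The following is an added example, not code from the satori project: a small browser in the spirit of satori-browser that resolves paths inside a loaded image and offers ls, cd and stat, plus cat only when the image carries text content. The image layout (a "root" node whose "children" map names to nodes, plus a "metadata" flag recording whether text was dumped) and the sample image embedded below are constructed for this example.

```python
"""Minimal image browser in the spirit of satori-browser (added example, not project code).

Loads a Satori-style image in the nested-tree layout assumed here and offers a
tiny shell: ls, cd, stat and, only when the image stores text content, cat.
"""
import cmd
import posixpath

# Constructed sample image: two directories and two files, one carrying text.
SAMPLE_IMAGE = {
    "metadata": {"text": True},
    "root": {"filename": "/", "type": "dir", "children": {
        "etc": {"filename": "etc", "type": "dir", "privileges": "0040755", "owner": 0,
                "group": 0, "size": 4096, "children": {
            "passwd": {"filename": "passwd", "type": "file", "privileges": "0100644",
                       "owner": 0, "group": 0, "size": 2825, "sha256": None,
                       "text": "root:x:0:0:root:/root:/bin/bash\n"}}},
        "bin": {"filename": "bin", "type": "dir", "privileges": "0040755", "owner": 0,
                "group": 0, "size": 4096, "children": {
            "ls": {"filename": "ls", "type": "file", "privileges": "0100755", "owner": 0,
                   "group": 0, "size": 138208, "sha256": None, "text": None}}},
    }},
}


def resolve(image, cwd, target="."):
    """Return (absolute_path, node) for target relative to cwd; KeyError if absent."""
    path = posixpath.normpath(posixpath.join(cwd, target))
    node = image["root"]
    for part in [p for p in path.split("/") if p]:
        if node.get("type") != "dir":
            raise KeyError(path)
        node = node["children"][part]  # KeyError: entry not present in the image
    return path, node


def ls(image, cwd, target="."):
    _, node = resolve(image, cwd, target)
    return sorted(node["children"]) if node.get("type") == "dir" else [node["filename"]]


def cd(image, cwd, target):
    path, node = resolve(image, cwd, target)
    if node.get("type") != "dir":
        raise NotADirectoryError(path)
    return path


def stat(image, cwd, target):
    """The fields satori-browser prints for 'stat'; missing ones show as N/A."""
    path, node = resolve(image, cwd, target)
    fields = ("filename", "type", "privileges", "owner", "group", "size", "sha256")
    return {"path": posixpath.dirname(path), **{k: node.get(k, "N/A") for k in fields}}


class SatoriShell(cmd.Cmd):
    def __init__(self, image, user="analyst", host="image"):
        super().__init__()
        self.image, self.cwd, self.user, self.host = image, "/", user, host
        self.update_prompt()

    def update_prompt(self):
        self.prompt = "{Satori} %s@%s %s $ " % (self.user, self.host, self.cwd)

    def do_ls(self, arg):
        try:
            print("  ".join(ls(self.image, self.cwd, arg or ".")))
        except KeyError as e:
            print("ls: no such entry in image:", e)

    def do_cd(self, arg):
        try:
            self.cwd = cd(self.image, self.cwd, arg or "/")
            self.update_prompt()
        except (KeyError, NotADirectoryError) as e:
            print("cd:", e)

    def do_stat(self, arg):
        try:
            for k, v in stat(self.image, self.cwd, arg).items():
                print("\t%s : %s" % (k, v))
        except KeyError as e:
            print("stat: no such entry in image:", e)

    def do_cat(self, arg):
        if not self.image["metadata"].get("text"):  # capability depends on how the image was taken
            print("cat: image was taken without text content")
            return
        try:
            _, node = resolve(self.image, self.cwd, arg)
            print(node["text"] if node.get("text") is not None else "cat: binary or unreadable content")
        except KeyError as e:
            print("cat: no such entry in image:", e)

    def do_exit(self, arg):
        return True

    do_EOF = do_exit


if __name__ == "__main__":
    SatoriShell(SAMPLE_IMAGE).cmdloop()
```

Every lookup goes through the image tree only, so the shell never touches the live file system of the analyst's machine; a path that does not exist in the image is reported rather than silently falling back to the host.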

satori-differ

usage: satori-differ.py [-h] [--type {pickle,json,sqlite}] [--no-gzip]
                        [-v | --debug | --quiet]
                        original subject

Deeply diffs 2 satori Images

Satori Differ is the real magic! Here is how it works:

  • Let's say you get your hands on a file system where something has gone wrong: either you know it is 'rootable' (maybe a vulnhub VM?) or it has been under attack and there may be a backdoor in it. Running the Satori Imager on it, you acquire an image of it.
  • Given it is a Linux distro, you can find its clean form online. So by downloading it, checking the hash and installing it in a VM, you can run the Satori Imager again and get the clean image of the very same distribution.
  • Now, by running the Satori Differ on the 2 images (let's call them 'original' and 'dirty') you get every kind of difference between them: privilege alteration, different size for crucial files, missing or renamed files, 'chowned' files, etc.

There are even features for hash comparison of binaries (backdoored /bin/ files) and text-file 'diffing' for configuration files (you don't remember allowing 'root login' in /etc/ssh/sshd_config? ...well, maybe you didn't!)

Well, while Satori doesn't reveal vulnerabilities or misconfigurations, it gives you a place to start by showing you all the "deviations" from the normal. And deviation is the magic word in forensics!
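The following is an added example, not code from the satori project: a deep diff of two Satori-style images that reports the deviations described above (missing or added entries, privilege, owner, group and size changes, hash mismatches of binaries, and a unified text diff of stored configuration files). Both images are constructed inline for this example in the nested-tree layout assumed here; the file contents, sizes and hashes are made up, and the PermitRootLogin line just illustrates the sshd_config case mentioned above.

```python
"""Deep diff of two Satori-style images (added example, not project code).

Both images are constructed inline in the nested-tree layout assumed here (a
"root" directory node whose "children" maps names to nodes). The differ flattens
each tree to {path: node} and reports every kind of deviation the README lists.
"""
import difflib
import hashlib

TRACKED = ("privileges", "owner", "group", "size")  # per-entry fields compared directly


def node(name, privileges="0100644", owner=0, group=0, size=None, sha256=None, text=None, children=None):
    """Build one image node; a node with children is a directory."""
    n = {"filename": name, "privileges": privileges, "owner": owner, "group": group,
         "size": len(text.encode()) if size is None and text else (size or 0),
         "sha256": sha256, "text": text, "type": "file" if children is None else "dir"}
    if children is not None:
        n["children"] = children
    return n


def h(data):
    """Digest of constructed content, standing in for a real binary's hash."""
    return hashlib.sha256(data).hexdigest()


# Constructed "clean" image, as taken from a fresh install of the same distribution.
ORIGINAL = {"metadata": {"hashed": True, "text": True}, "root": node("/", "0040755", children={
    "bin": node("bin", "0040755", children={
        "ls": node("ls", "0100755", size=138208, sha256=h(b"constructed clean ls"))}),
    "etc": node("etc", "0040755", children={
        "passwd": node("passwd", text="root:x:0:0:root:/root:/bin/bash\n"),
        "ssh": node("ssh", "0040755", children={
            "sshd_config": node("sshd_config", text="PermitRootLogin no\nPasswordAuthentication yes\n")})}),
    "var": node("var", "0040755", children={"log": node("log", "0040755", children={
        "auth.log": node("auth.log", "0100640", group=4, size=51200)})}),
})}

# Constructed "dirty" image of the system after something went wrong.
SUBJECT = {"metadata": {"hashed": True, "text": True}, "root": node("/", "0040755", children={
    "bin": node("bin", "0040755", children={
        "ls": node("ls", "0100755", size=138208, sha256=h(b"constructed modified ls")),
        "helper": node("helper", "0104755", size=9120, sha256=h(b"constructed helper"))}),
    "etc": node("etc", "0040755", children={
        "passwd": node("passwd", owner=1000,
                       text="root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/bash\n"),
        "ssh": node("ssh", "0040755", children={
            "sshd_config": node("sshd_config", text="PermitRootLogin yes\nPasswordAuthentication yes\n")})}),
    "var": node("var", "0040755", children={"log": node("log", "0040755", children={})}),
})}


def flatten(image):
    """Map every absolute path in the tree to its node."""
    flat = {}

    def walk(n, prefix):
        for name, child in n.get("children", {}).items():
            flat[prefix + name] = child
            walk(child, prefix + name + "/")

    walk(image["root"], "/")
    return flat


def diff_images(original, subject):
    """Return (kind, path, detail) tuples for every deviation between the images."""
    a, b = flatten(original), flatten(subject)
    findings = [("missing", p, None) for p in sorted(set(a) - set(b))]
    findings += [("added", p, None) for p in sorted(set(b) - set(a))]
    for path in sorted(set(a) & set(b)):
        old, new = a[path], b[path]
        for key in TRACKED:
            if old.get(key) != new.get(key):
                findings.append((key, path, (old.get(key), new.get(key))))
        # Hashes are only comparable when both images were taken with --hash.
        if old.get("sha256") and new.get("sha256") and old["sha256"] != new["sha256"]:
            findings.append(("hash", path, (old["sha256"], new["sha256"])))
        # Text content is only comparable when both images stored it.
        if old.get("text") is not None and new.get("text") is not None and old["text"] != new["text"]:
            delta = difflib.unified_diff(old["text"].splitlines(), new["text"].splitlines(),
                                         "original:" + path, "subject:" + path, lineterm="")
            findings.append(("text", path, list(delta)))
    return findings


def report(findings):
    """One line per deviation; text diffs are expanded underneath their entry."""
    out = []
    for kind, path, detail in findings:
        if kind == "text":
            out.append("[text] %s" % path)
            out.extend("    " + line for line in detail)
        elif detail is None:
            out.append("[%s] %s" % (kind, path))
        else:
            out.append("[%s] %s: %s -> %s" % (kind, path, detail[0], detail[1]))
    return out


if __name__ == "__main__":
    print("\n".join(report(diff_images(ORIGINAL, SUBJECT))))
```

Hashes and text are compared only when both images carry them, so diffing an image taken with --hash against one taken without it does not drown the real deviations in false mismatches. Note that the differ, like Satori itself, only surfaces deviations: whether the new /bin/helper or the changed PermitRootLogin line is legitimate is still the analyst's call.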

Satori is in the public domain. Use it and/or change it freely.


satori's Issues

[!] Project Restructure

This project can be restructured [/rewritten] in a more comprehensive and modular form, to achieve several goals like performance, extendability and maintainability.

For this reason, a new structure is proposed, closely resembling the old one, but with increased abstraction and modularity:

Proposition

Structure

The whole project will be divided in 5 modules/parts:

  • core part, which will handle the file format of the created images and the way they are represented in memory in their Object Oriented form. Hence, it is gonna have 2 sub-parts:

    • io which will implement ways to store and retrieve the Satori images (json, pickle, sqlite, etc)
    • api which will define the Object of the Satori image
  • imager part, that will run, given several parameters, on a host and produce the Satori Image.

  • differ, that will compare 2 Satori Images and produce a Satori Diff Result object.

  • browser will be the module that presents a Satori Image in CLI. Standard bash commands should be available with output resembling the traditional output. find, locate and ls are some sample commands that should be implemented.

  • remoter part will reuse the imager code to create a Satori Image from a remote machine through [S]FTP/SSH[/SMB].

  • [?] viewer would be a module that presents a Satori Image in a Web interface.

Extendability

The Worker/Consumer model of the imager can be overloaded with more functionalities than using stat on files. It can be modified in a way that a hook can be applied when any file gets processed and additional information can be retrieved. The current --hash and --filetype options can be restructured as Satori Extensions.

If additional information is stored in a Satori Image due to an Extension, the differ and browser modules (and viewer as well) also have to have a way to interpret (diff and browse) this new kind of data. Hence, the Extensions will need to have a differ and browser functionality overloading.

Portability Requirements

  • The project should be usable under both Windows and Linux.
  • All modules needed to produce a Satori Image (core and imager) must be dependency-free

Distribution

  • All modules should be distributed separately (respecting cross dependencies). For example: installing the imager component should only install the core component as a dependency.
  • The project shall be rewritten in Python3
  • The project and project components should be available in PyPI and available with a pip install command.

New Features/Enhancements

  • It is possible that some functionality of GatherOS can be augmented in the new project. This will serve better for maintaining crucial information in a Satori Image.
  • Colored logs from the differ can help identify misconfigurations.
