Didier Stevens

Monday 20 February 2012

Peeking at NAFT

Filed under: My Software,Networking — Didier Stevens @ 20:02

Here are DNS queries issued by a Windows XP machine:

And here is a command history of a Cisco router:

What do these results have in common?

Both were produced by analyzing RAM dumps with a new forensic toolkit I’m developing, the Network Appliance Forensic Toolkit, or NAFT.

More to be published soon.

But if you want a beta version now, provide me a Cisco core dump in exchange 😉


  1. I have Cisco ASA 5055. In what way I can create core dump for you or does the system need to crash?

    Comment by Henri Salo — Tuesday 21 February 2012 @ 5:48

  2. Impressive 🙂

    Comment by c3ret — Tuesday 21 February 2012 @ 9:38

  3. @Henri I can have access to a 5505 too. On IOS, you use ‘write core’ or ‘test crash’. Have to check out what to use on ASA.

    Comment by Didier Stevens — Wednesday 22 February 2012 @ 8:30

  4. @Henri Go to config mode and issue command ‘coredump enable’. If you don’t have enough flash memory to write the code dump to, you’ll get an error message.
    Then issue ‘crashinfo force’.

    Comment by Didier Stevens — Wednesday 22 February 2012 @ 11:06

  5. Hi Didier,

    The “NiStTeSt” stuff is interesting. It almost certainly varies with IOS version, but if you’ve got command logging turned on on a router with an otherwise “blank” config, you’ll see this when the router reloads:

    *Apr 13 09:30:49.383: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host host
    *Apr 13 09:30:49.387: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
    *Apr 13 09:30:49.387: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:match address 199
    *Apr 13 09:30:49.387: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:set peer
    *Apr 13 09:30:49.387: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:exit
    *Apr 13 09:30:49.403: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no access-list 199
    *Apr 13 09:30:49.407: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1

    It’s odd that the config should be modified (albeit benignly, eventually) in this way during reload. I opened a TAC case at the time, but was met with the blank stares you sometimes encounter there.

    It also makes me wonder if whatever bit of IOS it is that is doing this could somehow be subverted to issue arbitrary commands every time the router reloads….


    Comment by Alec Waters — Wednesday 22 February 2012 @ 11:44

  6. […] can find a first release of my Network Appliance Forensic Toolkit here. This first release contains a tool for generic network appliances, but also works on memory […]

    Pingback by NAFT Release « Didier Stevens — Monday 12 March 2012 @ 19:42

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.