Archives/2013

From aldeid
Fake Apple email campaign

Wed, 13 Nov 2013 17:25:00 +0100

Analysis of a fake Apple email campaign (support.apple.com.fr.retail.ipad.verification2013.personalsetup.dalatgap.com).

Extract information from pcap files with Honeysnap

Sun, 27 Sep 2013 14:30:00 +0100

Honeysnap is a tool used for extracting and analyzing data from pcap files, including IRC communications. It is developed and maintained by Arthur Clune of the UK Chapter.

Highlight system modifications with CaptureBAT

Sun, 27 Sep 2013 14:30:00 +0100

Capture client is a high interaction client honeypot which monitors the state of a system. It monitors processes, files and the registry, and classifies an event as malicious by checking exclusion lists. These exclusion lists are regular expressions which can either allow or deny a particular event from a process in the system. Because it uses regular expressions, creating these lists can be very simple but can also provide very fine-grained exclusions if needed. The client can also copy all modified and deleted files to a temporary directory, as well as capture all incoming and outgoing packets on the network adapters.

Find ASCII, Unicode and Resource strings in a file with BinText

Sun, 27 Sep 2013 14:30:00 +0100

A small, very fast and powerful text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional "advanced" view mode. Its comprehensive filtering helps prevent unwanted text from being listed. The gathered list can be searched and saved to a separate file, either as a plain text file or in an informative tabular format.

Dissect McAfee Quarantined files with Unbup

Thu, 19 Sep 2013 15:39:00 +0200

Unbup is a toolkit useful for dissecting a McAfee quarantined file (BUP). It is composed of the following 3 files: UnBup.pl (McAfee UnBup tool written in Perl because it was faster than the bash script also included), UnBup.sh (McAfee UnBup tool written in Bash because it was fast to prototype) and xor.pl (simple bitwise XOR script written in Perl).

HitmanPro, second opinion scanner

Tue, 02 July 2013 11:23:00 +0200

HitmanPro is a malware detection application developed by Surfright. HitmanPro is described as a second opinion scanner, designed to rescue your computer from malware (viruses, trojans, rootkits, etc.) that has infected your computer despite all the security measures you have taken (such as antivirus software, firewalls, etc.). Three excellent characteristics you may appreciate: it does not need to be installed (it can be run as a standalone executable), it supports the command line (CLI) and it is fast.

UPX (Ultimate Packer for eXecutables)

Sun, 23 June 2013 22:45:00 +0200

UPX (Ultimate Packer for eXecutables) is one of the most famous packers for executables. Many malware samples are packed with UPX.

WMIC for Linux

Sun, 09 June 2013 16:45:00 +0100

Windows Management Instrumentation Command-line (WMIC) uses Windows Management Instrumentation (WMI) to enable system management from the command line. This post explains how to install a wmic client on a Linux machine. The installation procedure has been tested on an Ubuntu 12.04 LTS 32-bit host. The client for Linux is not as powerful as the one for Windows because it is limited to "select" requests (i.e. it is not possible to request something like "process list brief"), but it will be helpful if you don't want to start your Windows virtual machine.

GetSusp can identify unknown malware

Thu, 06 June 2013 20:54:00 +0100

McAfee GetSusp is intended for users who suspect undetected malware on their computer. GetSusp eliminates the need for deep technical knowledge of computer systems to isolate undetected malware. It does this by using a combination of heuristics and querying the McAfee Global Threat Intelligence (GTI) file reputation database to gather suspicious files.

rifiuti2 analyzes the INFO2 file in the Windows Recycle Bin

Wed, 05 June 2013 14:47:00 +0100

Rifiuti2 is a rewrite of rifiuti, a tool that analyzes the Windows Recycle Bin INFO2 file. Some of the features provided by rifiuti2: supports Windows file names in any language; supports Vista and Windows 2008 (which no longer use the INFO2 file); enables localization (i.e. translatable output) using glib; more rigorous error checking; supports output in XML format.

SpiderFoot gathers a lot of information from a domain

Sat, 25 May 2013 09:49:00 +0100

SpiderFoot is an open source footprinting tool, available for Windows and Linux. It is written in Python and provides an easy-to-use GUI. SpiderFoot obtains a wide range of information about a target, such as web servers, netblocks, e-mail addresses and more.

Decrypting UserAssist registry keys

Sun, 07 April 2013 14:18:00 +0200

Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that have been executed. The number of executions and the last execution date and time are available in these keys. The information within the binary UserAssist values contains only statistical data on the applications launched by the user via Windows Explorer. Programs launched via the command line (cmd.exe) do not appear in these registry keys. From a forensics perspective, being able to decode this information can be very useful.

WinPrefetchView reads information contained in Windows prefetch files

Tue, 02 April 2013 22:22:00 +0200

Each time an application is run on a Windows based system, registry keys and a prefetch file (%windir%\*.pf), which contains information about the files loaded by the application, are created. The information in the prefetch files is used to optimize the loading time of the application the next time it is run. WinPrefetchView is a small utility that reads the prefetch files and displays the information stored in them (files used, files loaded at Windows boot).

Jsunpack-n, the CLI version of Jsunpack

Sat, 09 Mar 2013 09:20:00 +0100

Jsunpack-n is a command-line JavaScript unpacker that has more or less the same features as the Web version of Jsunpack.

pescanner.py, a PE analyzer

Sun, 03 Mar 2013 15:26:00 +0100

pescanner.py is a PE analyzer written in Python by the authors of the Malware Analyst's Cookbook. It is available on the companion DVD shipped with the book but is also freely distributed on Google Code. The script has the ability to detect files with TLS entries, files with resource directories, suspicious IAT entries, suspicious entry point sections, sections with zero-length raw sizes, sections with extremely low or high entropy, invalid timestamps and file version information. Among other things, this script helps to understand the behavior of an executable and to classify malware (UPX packed, trojan downloader, trojan dropper, ...).

From AlienVault SIEM alarms to identification of infected files on the compromised machine

Mon, 25 Feb 2013 13:31:00 +0100

This article shows how to dig into a memory dump using Volatility to identify malware found on a Windows XP machine, initially detected with the AlienVault SIEM.

Volatility framework explained

Sun, 24 Feb 2013 08:26:00 +0100

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work into this exciting area of research.

Yara to analyze malware

Sun, 17 Feb 2013 18:18:00 +0100

Yara is a very powerful tool aimed at helping malware researchers to identify and classify malware samples. It is based on signature files that offer great flexibility: hex, strings, regular expressions, ... Yara is available as a standalone application, or as a Python port that you can use for your own developments. Yara is also included as an available plugin in Volatility.

File Transfer Via DNS

Sat, 16 Feb 2013 14:51:00 +0100

You guys already know DNS encapsulation (e.g. dns2tcp) to transfer data over DNS, but I've found a very interesting post from Johannes Ullrich who introduces a relatively stealthy concept to transfer data via DNS requests. It consists of sending hex chunks of a file as part of DNS requests on one side, and capturing and reassembling these DNS requests on the other side. No specific tool is required other than tcpdump and xxd.

Decrypt XOR encrypted files with xortool.py

Sat, 16 Feb 2013 10:10:00 +0100

Xortool.py is a Python-based script that performs some XOR analysis: guess the key length (based on the count of equal chars), guess the key (based on knowledge of the most probable char) and decrypt an XOR encrypted file.

Write AlienVault Plugins

Thu, 14 Feb 2013 18:18:00 +0100

This document explains how to write a plugin for AlienVault in order to integrate logs from an external device (for which a plugin does not exist yet) to generate SIEM events, and how to write correlation directives that generate alarms based on these events. The current example integrates logs from a 3Com ADSL 11g WiFi router and writes a correlation directive to track authentication brute-force attempts.

EDF fake emails

Sun, 07 Oct 2012 14:30:00 +0200

Several types of emails have been sent to people in France by people pretending to be *EDF*, a leading energy player in France. They try to convince users to click on malicious links. This article analyzes these emails and gives advice about how to detect that they are fake and dangerous emails.

Sshkeydata estimates keystrokes from SSH sessions

Sun, 12 August 2012 19:10:00 +0200

Sshkeydata is a command line SSH content analysis tool. This program analyzes keydata files created by chaosreader, and can estimate the original commands typed during SSH sessions.

GCrack cracks hashes with Google

Sun, 12 August 2012 10:30:00 +0200

GCrack is a hash cracker (it supports the following hashes: MD5, SHA1, SHA224, SHA256, SHA384, SHA512, NTLM) based on Google results. It is inspired by BozoCrack, which cracks MD5 hashes by googling for hashes and using the resulting query as a wordlist, but has a few improvements.

sshow, SSH traffic analyzer

Fri, 10 August 2012 11:30:00 +0200

sshow analyzes encrypted SSH-1 and SSH-2 traffic, identifying authentication attempts, the lengths of passwords entered in interactive sessions, and command line lengths. The following advisory describes the attacks implemented by sshow in detail: http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt.

Winexe

Fri, 3 August 2012 10:40:00 +0200

winexe remotely executes commands on Windows NT/2000/XP/2003 systems from GNU/Linux (probably also from other Unices capable of compiling Samba4).

PsTools from SysInternals

Fri, 13 July 2012 18:50:00 +0200

PsTools is a set of tools developed by Sysinternals for Microsoft Windows systems and is composed of PsExec (remotely execute commands), PsFile (remotely display open files), PsGetSid (display a computer or user SID), PsInfo (show information about a system), PsKill (stop processes by name or ID), PsList (show details about processes), PsLoggedOn (show users logged on locally and via resource shares), PsLogList (list and remove event log entries), PsPasswd (change passwords), PsService (display and manage services), PsShutdown (shut down and restart a computer) and PsSuspend (suspend processes).

Securely delete files

Thu, 05 July 2012 21:10:00 +0200

When files are deleted, the data still resides on the hard drive (only the reference to the file is removed). Even if the data is overwritten by other files, it's still possible to restore the old files (there are tools for it). The post lists tools for Mac OS, Windows and Linux to securely remove files.

Cymothoa backdoor

Sun, 17 June 2012 22:17:00 +0200

Cymothoa is a stealth backdooring tool that injects backdoor shellcode into an existing process. It supports timing options (scheduler) for better stealth. The latest version also supports the creation of a new process.

CODENAME: Samurai Skills Course, Review

Thu, 7 June 2012 18:00:00 +0200

This course is a fascinating adventure in real world penetration. The instructor has excellent knowledge and the examples are really well chosen. At the end of some of the modules, I was just like “wow, so good, I’m going to watch it again”. I highly recommend this training to anyone, whether a beginner in penetration testing willing to improve their skills or someone already aware of penetration testing techniques and willing to consolidate their skills (e.g. with the objective of a certification). Congratulations to Mohamed for this excellent job.

RitX, discovery of all domains hosted on the same server as a given IP/domain

Thu, 17 May 2012 22:00:00 +0200

RitX is a Perl-based script that automates the discovery of domains hosted on the same server as a given IP or domain. It queries the following services: Ewhois.com, Viewdns.info, Yougetsignal.com, Myiptest.com, Ip-adress.com, DNStrails.com, My-ip-neighbors.com, Domainsbyip.com, Bing.com, Whois.WebHosting.info, Robtex.com, Tools.web-max.ca, Sameip.org.
