From aldeid
Jump to: navigation, search

Fake Apple email campaign

Wed, 13 Nov 2013 17:25:00 +0100

Analysis of a fake Apple email campaign (

Read more


Extract information from pcap files with Honeysnap

Sun, 27 Sep 2013 14:30:00 +0100

Honeysnap is a tool used for extracting and analyzing data from pcap files, including IRC communications. It is developed and maintained by Arthur Clune of the UK Chapter.

Read more


Highlight system modifications with CaptureBAT

Sun, 27 Sep 2013 14:30:00 +0100

Capture client is a high interaction client honeypot which monitors the state of a system. It monitors processes, files, as well as the registry and classifies an event as being malicious by checking exclusion lists. These exclusion lists are regular expressions which can either allow or deny a particular event from a process in the system. Because of the fact that it uses regular expressions, creating these lists can be very simple but can also provide very fine grained exclusions if needed. The client can also copy all modified and deleted files to a temporary directory as well as capture all incoming and outgoing packets on the network adapters.

Read more


Finds Ascii, Unicode and Resource strings in a file with BinText

Sun, 27 Sep 2013 14:30:00 +0100

A small, very fast and powerful text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional "advanced" view mode. Its comprehensive filtering helps prevent unwanted text being listed. The gathered list can be searched and saved to a separate file as either a plain text file or in informative tabular format.

Read more


Dissect McAfee Quarantined files with Unbup

Thu, 19 Sep 2013 15:39:00 +0200

Unbup is a toolkit useful for dissecting a McAfee quarantined file (BUP). It is composed of the 3 following files: (McAfee UnBup tool written in Perl because it was faster than the bash script also included), (McAfee UnBup tool written in Bash script because it was fast to prototype, (Simple bitwise xor script written in Perl)

Read more


HitmanPro, second opinion scanner

Tue, 02 July 2013 11:23:00 +0200

HitmanPro is a malware detection application developped by Surfright. HitmanPro is described as a second opinion scanner, designed to rescue your computer from malware (viruses, trojans, rootkits, etc.) that have infected your computer despite all the security measures you have taken (such as anti virus software, firewalls, etc.). Three excellent characteristics you may appreciate: it does not need to be installed (can be run as a standalone executable), it supports the command line (CLI) and it is fast.

Read more


UPX (Ultimate Packer for eXecutables)

Sun, 23 June 2013 22:45:00 +0200

UPX (Ultimate Packer for eXecutables) is one of the most famous packers for executables. Many malwares are packed using UPX.

Read more


WMIC for Linux

Sun, 09 June 2013 16:45:00 +0100

Windows Management Instrumentation Command-line (WMIC) uses Windows Management Instrumentation (WMI) to enable system management from the command line. This post explains how to install a wmic client on a Linux machine. The above installation procedure has been tested on a Ubuntu 12.04 LTS 32 bits host. The client for Linux is not as powerful as the one for Windows because it is limited to "select" requests (i.e. not possible to request something like "process list brief") but will be helpful if you don't want to start your Windows virtual machine.

Read more


GetSusp can identify unknown malwares

Thu, 06 June 2013 20:54:00 +0100

McAfee GetSusp is intended for users who suspect undetected malware on their computer. GetSusp eliminates the need for deep technical knowledge of computer systems to isolate undetected malware. It does this by using a combination of heuristics and querying the McAfee Global Threat Intelligence (GTI) file reputation database to gather suspicious files.

Read more


rifiuti2 analyzes INFO2 file in the Windows recycle bin

Wed, 05 June 2013 14:47:00 +0100

Rifiuti2 is a rewrite of rifiuti, a tool that analyzes Windows Recycle Bin INFO2 file. Some of the features provided by rifiuti2: Supports Windows file names in any languages; Supports Vista and Windows 2008 (no more uses INFO2 file); Enables localization (that is, translatable) by using glib; More rigorous error checking; Supports output in XML format.

Read more


SpiderFoot gathers a lot of information from a domain

Sat, 25 May 2013 09:49:00 +0100

SpiderFoot is an open source footprinting tool, available for Windows and Linux. It is written in Python and provides an easy-to-use GUI. SpiderFoot obtains a wide range of information about a target, such as web servers, netblocks, e-mail addresses and more.

Read more


Decrypting UserAssist registry keys

Sun, 07 April 2013 14:18:00 +0200

Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that executed. The number of executions and last execution date and time are available in these keys. The information within the binary UserAssist values contains only statistical data on the applications launched by the user via Windows Explorer. Programs launched via the command­line (cmd.exe) do not appear in these registry keys. From a forensics perspective, being able to decode this information can be very useful.

Read more


WinPrefetchView reads information contained in Windows prefetch files

Tue, 02 April 2013 22:22:00 +0200

Each time an application is run in a Windows based system, registry keys and a prefetch file (%windir%\*.pf) which contains information about the files loaded by the application are created. The information in the prefetch files are used for optimizing the loading time of the application for the next times it will be run. WinPrefetchView is a small utility that reads the prefetch files and displays the information stored in them (files used, files loaded on Windows boot).

Read more


Jsunpack-n, the CLI version of Jsunpack

Sat, 09 Mar 2013 09:20:00 +0100

Jsunpack-n is a command-line Javascript unpacker that has more or less the same features as the Web version of Jsunpack

Read more

Pescanner.png, a PE analyzer

Sun, 03 Mar 2013 15:26:00 +0100 is a PE analyzer written in python by the authors of the Malware Analysts Cookbook. It is available in the companion DVD shipped by the book but is also freely distributed on Google code. The script has the ability to detect files with TLS entries, files with resource directories, suspicious IAT entries, suspicious entry point sections, sections with zero-length raw sizes, sections with extremely low or high entropy, invalid timestamps and file version information. Among other things, this script is helpful to understand the behavior of an executable and classify malwares (UPX packed, trojan downloader, trojan dropper, ...).

Read more


From AlienVault SIEM alarms to identification of infected files on the compromised machine

Mon, 25 Feb 2013 13:31:00 +0100

This article shows how to dig into the memory dump using volatility to identify malwares found on a Windows XP machine, initially detected with the AlienVault SIEM.

Read more


Volatility framework explained

Sun, 24 Feb 2013 08:26:00 +0100

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibiltiy into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Read more


Yara to analyze malwares

Sun, 17 Feb 2013 18:18:00 +0100

Yara is a very powerful tool aimed at helping malware researchers to identify and classify malware samples. It is based on signatures files that offer a great flexibility: hex, string, regular expressions, ... Yara is available as a standalone application, or a python port that you can use for your own developments. Yara is also included as an available plugin in volatility.

Read more


File Transfer Via DNS

Sat, 16 Feb 2013 14:51:00 +0100

You guys already know DNS encapsulation (e.g. dns2tcp) to transfer data over DNS but I've found a very interesting post from Johannes Ullrich who introduces a relatively stealthy concept to transfer data via DNS requests. It consists of sending hex parts of a file as part of DNS requests on one side and to capture and split these DNS requests on the other side. No specific tool is required but tcpdump and xxd.

Read more


Decrypt XOR encrypted files with

Sat, 16 Feb 2013 10:10:00 +0100 is a python based script that performs some XOR analysis: guess the key length (based on count of equal chars), guess the key (based on knowledge of most probable char) and decrypt a XOR encrypted file.

Read more


Write AlienVault Plugins

Thu, 14 Feb 2013 18:18:00 +0100

This document explains how to write a plugin for AlienVault in order to integrate logs from an external device (and for which a plugin does not exist yet) to generate SIEM events, and make correlation to generate alarms based on these events. The current example is to integrate logs from a 3Com ADSL 11g WiFi router and write a correlation directive to track authentication bruteforce attempts.

Read more


EDF fake emails

Sun, 07 Oct 2012 14:30:00 +0200

Several types of emails have been sent to people in France from people pretending to be *EDF*, a leading energy player in France. They try to convince users to click on malicious links. This article analyzes these emails and give advice about how to detect they are fake and dangerous emails.

Read more


Sshkeydata estimates keystrokes from SSH sessions

Sun, 12 August 2012 19:10:00 +0200

Sshkeydata is a command line SSH content analysis tool. This program analyzes keydata files created by chaosreader, and can estimate the original commands typed during SSH sessions.

Read more


GCrack cracks hashes with Google

Sun, 12 August 2012 10:30:00 +0200

Crack is a hash cracker (supports following hashes: MD5, SHA1, SHA224, SHA256, SHA384, SHA512, NTLM) based on Google results. It is inspired by BozoCrack that cracks MD5 hashes by googling for hashes and using the resultant query as a wordlist, but has a few improvements.

Read more


sshow, SSH traffic analyzer

Fri, 10 August 2012 11:30:00 +0200

sshow analyzes encrypted SSH-1 and SSH-2 traffic, identifying authentication attempts, the lengths of passwords entered in interactive sessions, and command line lengths. The following advisory describes the attacks implemented by sshow in detail:

Read more



Fri, 3 August 2012 10:40:00 +0200

winexe remotely executes commands on WindowsNT/2000/XP/2003 systems from GNU/Linux (probably also other Unices capable to compile Samba4).

Read more


PsTools from SysInternals

Fri, 13 July 2012 18:50:00 +0200

PsTools is a set of tools developed by Sysinternals for Microsoft Windows systems and is composed of PsExec (remotely execute commands), PsFile (remotely display open files), PsGetSid (display a computer or a user SID), PsInfo (show information about a system), PsKill (stop processes by name or ID), PsList (show details about processes), PsLoggedOn (show logged on users on locally and via resource shares), PsLogList (list and remove events logs entries), PsPasswd (change passwords), PsService (display and manage services), PsShutdown (stop and restart a computer) and PsSuspend (stop processes).

Read more


Securely delete files

Thu, 05 July 2012 21:10:00 +0200

When files are deleted, data still resides on the hard drive (though the reference to the file is removed). Even if the data is over-written by other files, it's still possible to restore the old files (there are tools for it). You will find below a list of tools for Mac OS, Windows and Linux to securely remove files.

Read more


Cymothoa backdoor

Sun, 17 June 2012 22:17:00 +0200

Cymothoa is a stealth backdooring tool, that inject backdoor's shellcode into an existing process. It supports timing options (scheduler) for a better stealthiness. The last version also supports the creation of a new process.

Read more


CODENAME: Samurai Skills Course, Review

Thu, 7 June 2012 18:00:00 +0200

This course is a fascinating adventure in real world penetration. The instructor has excellent knowledges and the examples are really well chosen. At the end of some of the modules, I was just like “wow, so good, I’m going to watch it again”. I highly recommend this training to any one, being beginner in penetration testing and willing to improve its skills or already being aware of penetration testing techniques and willing to consolidate its skills (e.g. in the objective of a certification). Congratulations to Mohamed for this excellent job.

Read more


RitX, discovery of all domains hosted on the same server as a given IP/domain

Thu, 17 May 2012 22:00:00 +0200

RitX is a Perl-based script that automatizes the discovery of domains hosted on the same server as a given IP or domain. It requests following services:,,,,,,,,,,,,

Read more

Older entries »