Posts

Showing posts from April, 2013

Java IDX Notes from BSidesSLC

Java's deployment cache leaves its files under \\comp\c$\Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 (the exact path varies with the Java version and the user profile).

Each numbered subfolder holds an IDX file next to the cached content (JAR, class file or other download) that it describes.

Running https://github.com/Rurik/Java_IDX_Parser/blob/master/idx_parser.py against the IDX file shows the source URL, the server IP, the timestamps and the HTTP headers recorded for that download, which is usually enough to judge whether the cached content could be malicious.
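As an added example (this is not the linked parser and not part of the original post), the following script reads the two sections the IDX format is made of and then applies a few triage rules to what it finds. The field offsets follow the cache-version 603-605 layout that the linked parser documents and are an assumption here; the sample IDX image is constructed in code, not taken from a real cache, and the triage rules (IP-literal host, JAR content, not known to be signed, incomplete download) are this example's own heuristics, not the parser's output.

```python
#!/usr/bin/env python3
"""Parse Java deployment-cache .idx files and flag entries worth a closer look."""
import ipaddress
import struct
from datetime import datetime, timezone
from urllib.parse import urlsplit

SECTION1_LEN = 128  # section 1 is a fixed 128-byte header; section 2 (strings) starts right after


def read_jstr(buf, off):
    """Read a Java writeUTF() string: 2-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n


def java_ms(ms):
    """Java millisecond timestamp -> readable UTC string (None when the field is 0)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S") if ms else None


def parse_idx(data):
    """Decode section 1 (fixed fields) and section 2 (URL, codebase IP, HTTP headers).
    Offsets assume the cache-version 603-605 layout documented by the linked parser."""
    busy, incomplete, version = struct.unpack_from(">BBi", data, 0)
    if version not in (603, 604, 605):
        raise ValueError(f"unsupported cache version {version}")
    content_len, last_mod, expires, validated = struct.unpack_from(">iqqq", data, 7)
    rec = {
        "busy": bool(busy), "incomplete": bool(incomplete), "cache_version": version,
        "content_length": content_len, "last_modified": java_ms(last_mod),
        "expires": java_ms(expires), "validated": java_ms(validated),
        "known_to_be_signed": bool(data[35]),
    }
    off = SECTION1_LEN
    rec["version"], off = read_jstr(data, off)
    rec["url"], off = read_jstr(data, off)
    rec["namespace"], off = read_jstr(data, off)
    rec["codebase_ip"], off = read_jstr(data, off)
    (nhdr,) = struct.unpack_from(">i", data, off)
    off += 4
    headers = {}
    for _ in range(nhdr):
        key, off = read_jstr(data, off)
        val, off = read_jstr(data, off)
        headers[key.lower()] = val
    rec["headers"] = headers
    return rec


def triage(rec):
    """Return the reasons an entry deserves a closer look (empty list = nothing obvious)."""
    flags = []
    host = urlsplit(rec["url"]).hostname or ""
    try:
        ipaddress.ip_address(host)
        flags.append("host is an IP literal, not a domain")
    except ValueError:
        pass
    ctype = rec["headers"].get("content-type", "")
    if "java-archive" in ctype or rec["url"].lower().endswith(".jar"):
        flags.append("entry is a JAR")
    if not rec["known_to_be_signed"]:
        flags.append("not known to be signed")
    if rec["incomplete"]:
        flags.append("download marked incomplete")
    return flags


def build_idx(url, codebase_ip, headers, content_len, last_mod_ms, signed):
    """Construct a version-605 .idx image for testing; sample data only, not a real cache file."""
    def jstr(s):
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    sec2 = jstr("1.0") + jstr(url) + jstr("") + jstr(codebase_ip) + struct.pack(">i", len(headers))
    for k, v in headers.items():
        sec2 += jstr(k) + jstr(v)
    sec1 = struct.pack(">BBiBiqqqBiiii", 0, 0, 605, 0, content_len, last_mod_ms, 0, 0,
                       1 if signed else 0, len(sec2), 0, 0, 0)
    return sec1.ljust(SECTION1_LEN, b"\0") + sec2


# Constructed sample: an unsigned JAR fetched from a bare IP address in the TEST-NET range.
SAMPLE_IDX = build_idx(
    url="http://192.0.2.10/update/app.jar", codebase_ip="192.0.2.10",
    headers={"<null>": "HTTP/1.1 200 OK", "content-type": "application/java-archive",
             "content-length": "12345"},
    content_len=12345, last_mod_ms=1365405330000, signed=False)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IDX
    rec = parse_idx(data)
    for k, v in rec.items():
        print(f"{k:>20}: {v}")
    for f in triage(rec):
        print("FLAG:", f)
```

Run it with a path to a real IDX file to parse that file, or with no argument to see the constructed sample; the timestamps are printed in UTC because the cache stores Java millisecond epochs.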

Lifehacker - Supercharge your Command Line

To search your shell history forward and backward by keyword, create a ~/.inputrc file with the following contents:

"\e[A": history-search-backward
"\e[B": history-search-forward
set show-all-if-ambiguous on
set completion-ignore-case on

Then, at the command line, type the first letters of a command and press Up or Down to step through only the history entries that start with them (open a new shell or run `bind -f ~/.inputrc` to load the file first).

Sweet!

Twitter with OAuth - Download Tweets and Email

I have found that I receive security advisories on Twitter faster than by checking news sites, so I started building a Python app that authenticates, downloads the last 20 tweets and emails any tweet that matches a keyword.

To set up Python for this:
apt-get install python-pip
pip install tweepy
pip install oauth
pip install oauth-python-twitter

I also had to log into Twitter's developer site, create an application and authorise it in order to get the consumer key/secret and access token/secret.  Then the following Python script came about:

#!/usr/bin/env python

import sys
import string
import tweepy
import smtplib

# Twitter account information
CONSUMER_KEY = 'xxxxx'
CONSUMER_SECRET = 'xxxxx'
ACCESS_KEY = 'xxxxx'
ACCESS_SECRET = 'xxxxx'

# Gmail access for sending the email (the credentials are hard-coded here for brevity;
# in practice read them from the environment or a file with restricted permissions)
server = smtplib.SMTP("smtp.gmail.com", 587)
server.starttls()
server.login('email@address.com', 'password')

auth = tweepy.OAut…
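The script above is cut off on this archive page. As an added example, not the post's own code, here is the keyword-matching and emailing half done in a way that survives reruns: matches are whole-word and case-insensitive, tweet ids already alerted on are skipped, and the SMTP password and OAuth keys come from environment variables instead of the script. The tweets, keywords and addresses are constructed sample data; the `fetch_home_timeline` helper uses the same tweepy calls as the post's script (`OAuthHandler`, `set_access_token`, `API.home_timeline`) and is an assumption to check against the tweepy version you have installed, which is why it is not exercised by the sample run.

```python
#!/usr/bin/env python3
"""Match recent tweets against advisory keywords and build the alert e-mail."""
import os
import re
import smtplib
from email.message import EmailMessage


def match_tweets(tweets, keywords, seen_ids=None):
    """Return tweets whose text contains any keyword as a whole word (case-insensitive),
    skipping ids already alerted on; seen_ids is updated in place so reruns stay quiet."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, keywords)) + r")\b", re.IGNORECASE)
    seen_ids = seen_ids if seen_ids is not None else set()
    hits = []
    for t in tweets:
        if t["id"] in seen_ids:
            continue
        m = pattern.search(t["text"])
        if m:
            seen_ids.add(t["id"])
            hits.append({**t, "keyword": m.group(1)})
    return hits


def build_alert(sender, recipient, hits):
    """One e-mail per run listing every matching tweet with its source account."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[twitter-watch] {len(hits)} matching tweet(s)"
    lines = [f"[{h['keyword']}] @{h['user']}: {h['text']}" for h in hits]
    msg.set_content("\n\n".join(lines) if lines else "no matches")
    return msg


def send_alert(msg, password=None):
    """Send via Gmail over STARTTLS; the password comes from the environment, never the script."""
    password = password or os.environ["TWITTER_WATCH_SMTP_PASSWORD"]
    with smtplib.SMTP("smtp.gmail.com", 587) as server:
        server.starttls()
        server.login(msg["From"], password)
        server.send_message(msg)


def fetch_home_timeline(count=20):
    """Last `count` tweets from the authenticated account's home timeline via tweepy,
    with the OAuth keys read from the environment. Network call; assumed tweepy API,
    not exercised by the sample run below."""
    import tweepy  # imported here so the matching logic runs without tweepy installed
    auth = tweepy.OAuthHandler(os.environ["TW_CONSUMER_KEY"], os.environ["TW_CONSUMER_SECRET"])
    auth.set_access_token(os.environ["TW_ACCESS_KEY"], os.environ["TW_ACCESS_SECRET"])
    api = tweepy.API(auth)
    return [{"id": s.id, "user": s.user.screen_name, "text": s.text}
            for s in api.home_timeline(count=count)]


# Constructed sample tweets, not real posts.
SAMPLE_TWEETS = [
    {"id": 1, "user": "vendor_psirt", "text": "Security advisory published for product X, update now"},
    {"id": 2, "user": "someone", "text": "Great coffee this morning"},
    {"id": 3, "user": "researcher", "text": "New CVE assigned for the parser bug, details to follow"},
]
KEYWORDS = ["advisory", "CVE", "0day"]

if __name__ == "__main__":
    hits = match_tweets(SAMPLE_TWEETS, KEYWORDS)
    print(build_alert("me@example.com", "me@example.com", hits))
```

Persist the `seen_ids` set between runs (a small text file is enough) so a cron job only mails each advisory once.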

De-obfuscating Malware (Subtracting Hex)

Recently I came across some web pages that were referring to the Redkit exploit kit.  The page I was directed to contained JavaScript like the following:

!40!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72
!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e
!4e!69!2d!2c!76

Looking at the JavaScript, I noticed that it split the string on "!", converted each token from hex to a number, subtracted 5 and turned the result back into a character.

So I wrote this quick Python script, which reads one hex token per line from a file named temp, converts it to decimal, subtracts 5 and prints it as hex again.  (Another page variant subtracted 7 instead.)

#!/usr/bin/env python

# "temp" holds one hex token per line (the "!hh" values with the "!" removed)
with open("temp", "r") as ins:
    for line in ins:
        line = line.strip()
        if not line:
            continue
        # hex -> int, subtract the offset the JavaScript used (5 here, 7 in the other variant), back to hex
        print(hex(int(line, 16) - 5))

Then I ran the output through a hex-to-ASCII converter to pull out the web sites that were being obfuscated.
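As an added example (not the post's script), the same transform in one step, going straight from the "!hh" string to text, plus a generalisation the post hints at with its 5-versus-7 remark: when the offset is unknown, try each candidate and keep the one whose output is most printable. The sample string is the three lines quoted above joined back together; the scoring heuristic and the candidate range are this example's own choices.

```python
#!/usr/bin/env python3
"""Decode '!hh!hh...' strings by subtracting a per-page offset, and guess the offset."""
import string

PRINTABLE = set(string.printable)  # letters, digits, punctuation and ordinary whitespace


def decode(blob, offset):
    """Split on '!', parse each token as hex, subtract offset and map to a character.
    Returns None when any value falls outside 0..255 (the offset is clearly wrong)."""
    out = []
    for tok in blob.split("!"):
        tok = tok.strip()
        if not tok:
            continue
        value = int(tok, 16) - offset
        if not 0 <= value <= 0xFF:
            return None
        out.append(chr(value))
    return "".join(out)


def guess_offset(blob, candidates=range(0, 16)):
    """Try each candidate offset and keep the one whose output is most printable.
    Returns (offset, decoded_text)."""
    best = None
    for offset in candidates:
        text = decode(blob, offset)
        if not text:
            continue
        score = sum(c in PRINTABLE for c in text) / len(text)
        if best is None or score > best[0]:
            best = (score, offset, text)
    if best is None:
        raise ValueError("no candidate offset decodes to bytes")
    return best[1], best[2]


# The three lines quoted above, joined back into one string.
SAMPLE = ("!40!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72"
          "!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e"
          "!4e!69!2d!2c!76")

if __name__ == "__main__":
    offset, text = guess_offset(SAMPLE)
    print(f"offset {offset}: {text!r}")
```

With offset 5 the sample decodes to a semicolon, a CRLF, eight spaces and the start of `document.getElementById('q`, which is why a printability score picks 5 over every other candidate for this string.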


Scapy is Awesome

Created two scripts using Scapy to analyse some packet captures.  Just wanted to preserve what took some time to design.

This first script reads a packet capture and displays each packet's destination, source, payload and time.  The challenge was displaying the time in a readable format, since Scapy stores it as seconds since the epoch (UTC).

#!/usr/bin/env python


from scapy.all import *
import time

packets = rdpcap("file.pcap")
totalPackets = 0
totalDataSize = 0

for pkt in packets:
        pktSrc = pkt.sprintf("%IP.src%")      # "??" when the packet has no IP layer
        pktDst = pkt.sprintf("%IP.dst%")
        # pkt.time is seconds since the epoch in UTC; float() so gmtime accepts it
        utc = time.gmtime(float(pkt.time))
        pktTime = time.strftime("%d %b %Y %H:%M:%S", utc)
        pktHour = str(utc.tm_hour)            # unpadded ("7", not "07") so the comparison below matches
        pktMinute = str(utc.tm_min)
        pktData = pkt.sprintf("%Raw.load%")   # "??" when there is no payload
        pktDataLength = len(pktData)
        if pktHour == "7" and int(pktMin…
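The script above is cut off on this archive page. As an added example, not the post's code, the following does the same job (readable UTC time, source, destination, payload, and a filter on a UTC hour and minute range) without Scapy, by reading the classic libpcap format directly: a 24-byte global header, then a 16-byte record header (seconds, microseconds, captured length, original length) before each frame. The Ethernet/IPv4/TCP/UDP decoding is this example's own, the capture is constructed in code from two made-up packets, and pcapng files are deliberately rejected.

```python
#!/usr/bin/env python3
"""Read a classic libpcap file without scapy: per packet, UTC time, IPv4 src/dst, ports, payload."""
import socket
import struct
import time

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def decode_frame(frame):
    """Ethernet -> IPv4 -> TCP/UDP. Non-IPv4 frames come back with src/dst None."""
    rec = {"src": None, "dst": None, "proto": None, "sport": None, "dport": None, "payload": b""}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        return rec
    ihl = (frame[14] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", frame, 16)
    proto = frame[23]
    rec["src"] = socket.inet_ntoa(frame[26:30])
    rec["dst"] = socket.inet_ntoa(frame[30:34])
    rec["proto"] = proto
    l4 = 14 + ihl
    end = 14 + total_len
    if proto == 6:  # TCP: data offset lives in the high nibble of header byte 12
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, l4)
        rec["payload"] = frame[l4 + (frame[l4 + 12] >> 4) * 4:end]
    elif proto == 17:  # UDP: fixed 8-byte header
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, l4)
        rec["payload"] = frame[l4 + 8:end]
    else:
        rec["payload"] = frame[l4:end]
    return rec


def parse_pcap(data):
    """Yield one dict per packet with a readable UTC timestamp; pcapng is not handled."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        rec = decode_frame(data[off:off + incl_len])
        off += incl_len
        rec["epoch"] = sec + usec / 1_000_000
        rec["utc"] = time.gmtime(sec)  # pcap timestamps are UTC, not local time
        rec["time"] = time.strftime("%d %b %Y %H:%M:%S", rec["utc"]) + f".{usec:06d} UTC"
        yield rec


def in_utc_window(rec, hour, minute_from=0, minute_to=59):
    """True when the packet's UTC time falls within hour:minute_from .. hour:minute_to."""
    return rec["utc"].tm_hour == hour and minute_from <= rec["utc"].tm_min <= minute_to


def build_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame for the constructed sample (checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Write a little-endian, microsecond pcap from (epoch_seconds, frame) pairs; sample data only."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1_000_000)), len(frame), len(frame))
        out += frame
    return bytes(out)


# Constructed capture: one request at 07:15:30 UTC and one at 08:02:00 UTC on 8 Apr 2013.
SAMPLE_PCAP = build_pcap([
    (1365405330.25, build_frame("10.0.0.5", "93.184.216.34", 49152, 80, b"GET /index.html HTTP/1.1\r\n\r\n")),
    (1365408120.0, build_frame("10.0.0.5", "198.51.100.7", 49153, 443, b"\x16\x03\x01")),
])

if __name__ == "__main__":
    for rec in parse_pcap(SAMPLE_PCAP):
        if in_utc_window(rec, 7):
            print(rec["time"], rec["src"], "->", rec["dst"], rec["dport"], rec["payload"][:20])
```

Point `parse_pcap` at `open("file.pcap", "rb").read()` for a real capture; `in_utc_window(rec, 7, 10, 20)` is the equivalent of the hour-and-minute comparison the Scapy script was building up to, done on the `struct_time` fields rather than on zero-padded strings.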