Wednesday, April 24, 2013

Java IDX Notes from BSidesSLC

To find the files that are left behind by Java go to \\comp\c$\Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\6.0  The path may vary.

In each numbered folder it will contain an IDX file and the actual file.

By utilizing https://github.com/Rurik/Java_IDX_Parser/blob/master/idx_parser.py you can evaluate the IDX file to see if the information contained could be malicious.

Tuesday, April 23, 2013

Lifehacker - Supercharge your Command Line

To be able to search forward and backward based on keyword create a .inputrc file with the following contents:

"\e[A": history-search-backward
"\e[B": history-search-forward
set show-all-if-ambiguous on
set completion-ignore-case on

Then from the command line $ (keyword or letters) up or down to navigate!

Sweet!

Sunday, April 21, 2013

Twitter with OAuth - Download Tweets and Email

I have found that I can receive alerts of security advisories on Twitter quicker than going to news sites.  So I started looking into building a python app to authenticate, download the last 20 tweets, and then send through an email the tweet based on the keyword identified.

To setup python for this:
apt-get install python-pip
pip install tweepy
pip install oauth
pip install oauth-python-twitter

I also had to log into the development side of Twitter and create an application and approve it for authentication to get the keys and secrets.  Then the following python script came about:

#!/usr/bin/env python

import sys
import string
import tweepy
import smtplib

# Twitter account information
CONSUMER_KEY = 'xxxxx'
CONSUMER_SECRET = 'xxxxx'
ACCESS_KEY = 'xxxxx'
ACCESS_SECRET = 'xxxxx'

# Gmail Access for the sending of an email
server = smtplib.SMTP("smtp.gmail.com", 587)
server.starttls()
server.login('email@address.com', 'password')

auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)
auth.set_access_token(ACCESS_KEY, ACCESS_SECRET)
api = tweepy.API(auth)

info = api.home_timeline()
for i in info:
    if "keyword" in i.text:

                infoString = i.text
                server.sendmail("fromemail", "toemail", infoString)

De-obfuscating Malware (Subtracting Hex)

Recently I came across some webpages that were referring to the Redkit malware.  The page that I was directed to contained some javascript like the following:

!40!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72
!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e
!4e!69!2d!2c!76

Then I noticed in the javascript that it was subtracting 5 from the hex values after the !40 was converted to a hex value.

So I built this quick python script to convert the hex to decimal subtract 5 and then back to hex. (I also noticed another webpage variation that would subtract 7)

#!/usr/bin/env python

ins = open("temp", "r")
array = []
for line in ins:
    print hex(int(line, 16) - 5)


Then I used the hex to ASCII converter to pull the websites out that I was interested in seeing that were being obfuscated.


Tuesday, April 9, 2013

Scapy is Awesome

Created 2 scripts using scapy to analyze some packet captures.  Just wanted to preserve what took some time to design.

This first capture takes a packet capture and displays the Destination, Source, data in the packet, and the time.  A challenge was to identify a way to display the time in a readable format.

#!/usr/bin/env python


from scapy.all import *
import time

packets = rdpcap("file.pcap")
totalPackets = 0
totalDataSize = 0

for pkt in packets:
        pktSrc = pkt.sprintf("%IP.src%")
        pktDst = pkt.sprintf("%IP.dst%")
        # Remember that the time is in UTC format
        pktTime = time.strftime("%d %b %Y %H:%M:%S", time.gmtime(pkt.time))
        pktHour = time.strftime("%H", time.gmtime(pkt.time))
        pktMinute = time.strftime("%M", time.gmtime(pkt.time))
        pktData = pkt.sprintf("%Raw.load%")
        pktDataLength = len(pkt.sprintf("%Raw.load%"))
        if pktHour == "7" and int(pktMinute) == 4:
                totalPackets+=1
                totalDataSize+=pktDataLength
                print "Destination: %s" % pktDst
                print "Source: %s" % pktSrc
                print "Data Length: %s" % pktDataLength
                print "Packet Time: %s" % pktTime
                print pktData
                print "\n"

print "Total number of packets analyzed: %s" % totalPackets
averageDataSize=totalDataSize/totalPackets
print "Average size of packets: %s" % averageDataSize


This second script was designed to look at packets from 2 different sources and compare minute to minute how many they sent to each other over a period of time.  We broke it down minute to minute to determine if the 1:1 ratio of sent to received packets was being maintained.

#!/usr/bin/env python


from scapy.all import *
import time

packets = rdpcap("file.pcap")
totalPacketsSource1 = 0
totalPacketsSource2 = 0
startHour = 0
startMinute = 0
loopCount = 0

for pkt in packets:
        pktSrc = pkt.sprintf("%IP.src%")
        pktDst = pkt.sprintf("%IP.dst%")
        # Remember that the time is in UTC format 

        pktTime = time.strftime("%d %b %Y", time.gmtime(pkt.time))
        pktHour = time.strftime("%H", time.gmtime(pkt.time))
        pktTimeZoneHour = int(pktHour)-2

        pktMinute = time.strftime("%M", time.gmtime(pkt.time))
        if loopCount == 0:
                startHour = pktHour
                startMinute = pktMinute
        if pktHour == startHour and pktMinute == startMinute and pktSrc == "1.1.1.1":
                totalPacketsSource1+=1
        elif pktHour == startHour and pktMinute == startMinute and pktSrc == "2.2.2.2":
                totalPacketsSource2+=1
        elif pktHour == startHour and pktMinute != startMinute:
                print "%s %s:%s Source1 Packets: %s   Source2 Packets: %s" % (pktTime, str(pktTimeZoneHour), pktMinute, totalPacketsSource1, totalPacketsSource2)
                startMinute = pktMinute
                if pktSrc == "1.1.1.1":
                        totalPacketsSource1=1
                        totalPacketsSource2=0
                else:
                        totalPacketsSource1=0
                        totalPacketsSource2=1
        elif pktHour != startHour and pktMinute != startMinute:
                print "%s %s:%s Source1 Packets: %s   Source2 Packets: %s" % (pktTime, str(pktTimeZoneHour), pktMinute, totalPacketsSource1, totalPacketsSource2)
                startMinute = pktMinute
                startHour = pktHour
                if pktSrc == "1.1.1.1":
                        totalPacketsSource1=1
                        totalPacketsSource2=0
                else:
                        totalPacketsSource1=0
                        totalPacketsSource2=1
        loopCount+=1



Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...