Monday, May 26, 2014

Python: Cipher and Base64 Encoding / Decoding

Below is part of a challenge that I came up with: first create a Caesar- or rot13-style substitution cipher, then use base64 to encode a URL. Below is the Python code to accomplish this:

#!/usr/bin/python
# Python 2: string.maketrans builds a 256-byte translation table and
# base64.b64encode accepts a plain str.

import string
import base64

url = "http://i1.ytimg.com/vi/jp4nzjap6I8/movieposter.jpg?v=4f16e5dc"
# Each character of my_base64chars is replaced by the character at the same
# position in std_base64chars. Characters that are in neither string
# (':', '/', '.', '?', '=') pass through unchanged.
my_base64chars  = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
std_base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

s = url.translate(string.maketrans(my_base64chars, std_base64chars))  # substitution step
data = base64.b64encode(s)                                             # then base64
print data

Below is how to decode the same information:

#!/usr/bin/python
# Python 2: reverses the two steps above (base64 first, then the substitution).

import string
import base64

code = "cjMzejovL3NCLjgzc3dxLm15dy81cy90ekV4OXRrekdTSS93eTVzb3p5MjNvMS50enE/NT1FcEJHb0ZubQ=="
output = base64.b64decode(code)  # still the substituted text at this point
print output

my_base64chars  = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
std_base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Same table as the encoder, but with the alphabets swapped, so the
# substitution is undone and the original URL comes back.
s = output.translate(string.maketrans(std_base64chars, my_base64chars))
print s
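As an added example (not the post's own code), the same scheme written for Python 3, where the table comes from str.maketrans and base64 works on bytes rather than str; it encodes and decodes the post's URL and the post's base64 string with the same two alphabets:

```python
#!/usr/bin/env python3
"""Python 3 version of the substitution-then-base64 scheme from the post."""
import base64

# Same two alphabets as the post: each character of MY_CHARS maps to the
# character at the same index in STD_CHARS (and back again for decoding).
MY_CHARS  = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
STD_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# str.maketrans returns a dict usable by str.translate (no string module needed).
ENCODE_TABLE = str.maketrans(MY_CHARS, STD_CHARS)
DECODE_TABLE = str.maketrans(STD_CHARS, MY_CHARS)


def substitute(text: str, table: dict) -> str:
    """Apply the fixed substitution. Characters outside the alphabet
    (':', '/', '.', '?', '=') pass through unchanged, exactly as in the
    post, so the URL's structure is still visible after the 'cipher'."""
    return text.translate(table)


def encode_url(url: str) -> str:
    """Substitute, then base64-encode; returns the base64 as ASCII text."""
    substituted = substitute(url, ENCODE_TABLE)
    # b64encode needs bytes in Python 3, and returns bytes.
    return base64.b64encode(substituted.encode("ascii")).decode("ascii")


def decode_url(code: str) -> str:
    """Reverse of encode_url: base64-decode, then undo the substitution."""
    # validate=True rejects characters outside the base64 alphabet instead
    # of silently discarding them.
    substituted = base64.b64decode(code, validate=True).decode("ascii")
    return substitute(substituted, DECODE_TABLE)


if __name__ == "__main__":
    url = "http://i1.ytimg.com/vi/jp4nzjap6I8/movieposter.jpg?v=4f16e5dc"
    code = encode_url(url)
    print(code)              # the same base64 string the post decodes
    print(decode_url(code))  # round-trips to the original URL
```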

Thursday, May 8, 2014

Malware Analysis with twistd

Kali Linux ships an application called "twistd". I utilized this program to spin up a quick FTP server and then an SMTP server to analyze some malware.

To spin up the FTP server the following command was used:
twistd -n ftp -p 21
This allowed the malware to connect and let me pull the FTP username and FTP password that were being utilized. I was also able to gather the SMTP information that I needed. The DNS and other information was gathered with dnsspoof and other utilities.

To spin up the SMTP server I needed to allow for some sort of AUTH. I utilized the following command:

twistd -n mail --smtp=25 --maildirdbmdomain='test.com=test' --user='test@test.com=password' --auth=anonymous -E --hostname=test.com
This tool was a quick and efficient way to gather the information I needed. From the malware I was able to identify the following indicators of compromise:

Email with Subject: Fw: CREDIT PAYMENT ALERT!($14,700.00)
Link in email downloads: bank payment slip.zip

Drops the following files after installation:
Console.exe - Virustotal Results (0/52) (hxxps://www.virustotal.com/en/file/30f083a7dc2cb9f3d242cb59bd935f5654dc7144f8b258c2b0da32504777b555/analysis/)

conf.ini - This contains the settings for Console.exe

core.dll - Virustotal Results (0/51) (hxxps://www.virustotal.com/en/file/8e1105aace5b1cb3a38bad511ef69361b41960bb62b2bb9de6131ec776825b41/analysis/)

runasservice.exe
service.ini
Other indicators:
Sends an email outbound every 4 hours with the keystrokes, screenshots and other information that is dropped.
Sends outbound an SMTP message with subject "Money !!! OH MONEY !!!"
SMTP Account used to auth and relay the message is sholm3000@163.com
SMTP Server is smtp.163.com
Send to account: sholm3000@yahoo.com

Another way to send the files captured is by FTP:
FTP Server: sholm1000.bplaced.net
FTP Username: sholm1000
FTP Password: slowdown1234

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will find that we need to discover a vulnerable user account. The following python3 script uses the pex...