Posts

Showing posts from August, 2015

Python - Built a Maze Creator and a Server to Allow Clients to Connect and Navigate the Maze

Over 2 years ago I participated in a CTF where one of the challenges presented you with an IP address and a port to connect to. Upon connecting to the port you were shown some navigational information and given 3-5 seconds to decide where to go inside a maze.

I was impressed by the challenge and decided a couple of days ago that I would build it in Python. First I wrote the code to build, save, load, and modify mazes. The create.py file contains the ability to initialize a maze if you have not done so already.

From a non-privileged account run ./create.py. You will be presented with a greeting, then prompted whether you would like to load a maze from a file. Next you are prompted for the number of columns and rows you would like. The map is then drawn using '#' as the character symbolizing a wall that cannot be passed through.

Then you can proceed by creating the maze through typing in 'n', 's', 'w'…

Cryptowall 3.0 downloaded and executed from "William_Isabella_resume.doc"

Recently I was provided a phishing email with an attachment called "William_Isabella_resume.doc". As I had done in the previous post, I used "./oledump William_Isabella_resume.doc" to examine the contents for a malicious macro. Below is the output of that command.

./oledump.py William_Isabella_resume.doc
 A: word/vbaProject.bin
 A1:       375 'PROJECT'
 A2:        41 'PROJECTwm'
 A3: M   40002 'VBA/ThisDocument'
 A4:      8271 'VBA/_VBA_PROJECT'
 A5:       514 'VBA/dir'

As you can see, item A3 is flagged with an M, indicating it contains a macro. By selecting A3, I output the macro to a text file.
./oledump.py -s A3 -v William_Isabella_resume.doc > macro.txt
I immediately started looking at the macro and noticed a repeated pattern of lines that used variable names of varying length but shared a similar structure. Two examples of the pattern are below:
Dim ACIZjEo8pvcIr As Long, I3wVba3qWHhnCuC As Long ACIZjEo8pvcIr = 80 I3wVba3qWHhnCuC = 19 If ACIZjEo8pvcIr +…

Using oledump.py to pull Malicious Macros out of a Microsoft Word Doc

For the last few months I have been bombarded with Microsoft Word documents that contain malicious macros. I wanted to take a couple of minutes and document the use of oledump.py to pull out the malicious macro. I mainly tear these apart to identify the various indicators of compromise that can be harvested.

Filename: 7ZJ7.doc
File Size: 204,800
SHA1: 086ef96c939968e9b149dab81350a2732b2fdb8f
MD5: 55687ddebba3665dd44eb7be08dc0c7b
VirusTotal Detection Ratio: 19/54
The tool oledump.py was created by Didier Stevens, and he has maintained the tool as this type of malware has evolved. To read about the available command-line options you can run ./oledump.py -h. To begin analyzing the doc file, run "./oledump.py 7ZJ7.doc".

We can see from the output that there are a total of 17 objects that can be selected. I am going to hone in on objects 8-10.
I am going to select object 8 and because it is compressed I am going to use another option to deco…

Python script to combine psscan and pslist Output

I was utilizing Volatility the other day and using some command-line kung-fu to sort and organize the output from the psscan module. That is where this script came about. Below are the objectives of the script, and below the posted script are some examples of how I used it.

# Objective of the script:
# - Create a sorted view for psscan output
# - Identify the processes that are currently located in pslist
# - Number the processes in the order they appear in psscan
# - Sort by PIDs in the psscan output

After you generate the psscan and pslist -P output, modify the file names in the script below accordingly.

#!/usr/bin/python
# Objective of the script:
# - Create a sorted view for psscan output
# - Identify the processes that are currently located in pslist
# - Number the processes in the order they appear in psscan
# - Sort by PIDs in the psscan output
# Modify the below files for the output that you recei…