To find the files that Java leaves behind, go to \\comp\c$\Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 (the path may vary).
Each numbered folder contains an IDX file and the actual cached file it describes.
With https://github.com/Rurik/Java_IDX_Parser/blob/master/idx_parser.py you can parse the IDX file and judge whether the information it records looks malicious.
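As an added example (not the blog's script and not part of idx_parser.py), here is a small triage walker for that cache layout: it pairs each .idx file in the numbered folders with its content file and hashes the content so the hash can be checked against a malware database. It assumes the content file carries the same name as the .idx file without the extension, and builds a constructed cache tree for the demo rather than reading a real one.

```python
import hashlib
import os
import tempfile


def pair_cache_entries(cache_root):
    """Walk the numbered folders under cache_root (the .../cache/6.0 directory),
    pair each .idx file with its companion content file and hash that content.
    Assumption: the content file is named like the .idx file minus the extension."""
    entries = []
    for folder in sorted(os.listdir(cache_root)):
        fdir = os.path.join(cache_root, folder)
        if not os.path.isdir(fdir):
            continue
        for name in sorted(os.listdir(fdir)):
            if not name.lower().endswith(".idx"):
                continue
            content = os.path.join(fdir, name[:-4])
            entry = {"folder": folder, "idx": os.path.join(fdir, name),
                     "content": None, "size": None, "sha256": None}
            if os.path.isfile(content):
                h = hashlib.sha256()
                with open(content, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                entry.update(content=content, size=os.path.getsize(content),
                             sha256=h.hexdigest())
            entries.append(entry)   # an .idx with no content file is still reported
    return entries


def demo():
    """Build a constructed cache tree (placeholder data, not a real Java cache) and pair it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "12"))
    os.makedirs(os.path.join(root, "3"))
    with open(os.path.join(root, "12", "1a2b3c4d-5e6f7a8b.idx"), "wb") as f:
        f.write(b"constructed idx placeholder")
    with open(os.path.join(root, "12", "1a2b3c4d-5e6f7a8b"), "wb") as f:
        f.write(b"abc")   # stands in for the cached jar/class content
    with open(os.path.join(root, "3", "orphan.idx"), "wb") as f:
        f.write(b"idx whose content file is missing")
    return pair_cache_entries(root)


if __name__ == "__main__":
    for e in demo():
        print(e["folder"], os.path.basename(e["idx"]), e["size"], e["sha256"])
```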
Twitter: @lokut
This blog is for educational purposes only. The opinions expressed in this blog are my own and do not reflect the views of my employers.
Wednesday, April 24, 2013
Tuesday, April 23, 2013
Lifehacker - Supercharge your Command Line
To search your command history forward and backward by keyword, create a .inputrc file with the following contents:
"\e[A": history-search-backward
"\e[B": history-search-forward
set show-all-if-ambiguous on
set completion-ignore-case on
Then at the command line, type a keyword or a few letters and press the up or down arrow to step through the matching history entries.
Sweet!
Sunday, April 21, 2013
Twitter with OAuth - Download Tweets and Email
I have found that I receive alerts of security advisories on Twitter faster than by going to news sites. So I started looking into building a Python app to authenticate, download the last 20 tweets, and then email any tweet that contains a chosen keyword.
To setup python for this:
apt-get install python-pip
pip install tweepy
pip install oauth
pip install oauth-python-twitter
I also had to log into the development side of Twitter and create an application and approve it for authentication to get the keys and secrets. Then the following python script came about:
#!/usr/bin/env python
import tweepy
import smtplib

# Twitter application credentials (created on the Twitter developer site)
CONSUMER_KEY = 'xxxxx'
CONSUMER_SECRET = 'xxxxx'
ACCESS_KEY = 'xxxxx'
ACCESS_SECRET = 'xxxxx'

# Gmail access for sending the alert email
server = smtplib.SMTP("smtp.gmail.com", 587)
server.starttls()
server.login('email@address.com', 'password')

# OAuth authentication against the Twitter API
auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)
auth.set_access_token(ACCESS_KEY, ACCESS_SECRET)
api = tweepy.API(auth)

# home_timeline() returns the most recent tweets (20 by default)
info = api.home_timeline()
for i in info:
    if "keyword" in i.text:
        infoString = i.text
        server.sendmail("fromemail", "toemail", infoString)
server.quit()
De-obfuscating Malware (Subtracting Hex)
Recently I came across some web pages that were referring to the Redkit malware. The page I was directed to contained some JavaScript like the following:
!40!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72
!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e
!4e!69!2d!2c!76
Then I noticed in the JavaScript that it was subtracting 5 from the hex values after the !40 was converted to a hex value.
So I built this quick Python script to convert each hex value to decimal, subtract 5, and convert it back to hex. (I also noticed another web page variation that would subtract 7.)
#!/usr/bin/env python
# "temp" holds one hex value per line (the values between the "!" separators)
ins = open("temp", "r")
for line in ins:
    line = line.strip()
    if not line:
        continue
    # hex -> decimal, subtract 5 (7 for the other variant), -> hex
    print(hex(int(line, 16) - 5))
ins.close()
Then I used a hex-to-ASCII converter to pull out the obfuscated website addresses I was interested in seeing.
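As an added example (not the blog's own script), here is the same hex-subtraction decoding done in one pass with the subtraction key as a parameter, plus a key-guessing pass that covers the subtract-7 variant the post mentions. The input is the page's own Redkit sample, joined into one string; the scoring heuristic (printable ratio, then a few JavaScript keywords) is my own assumption about what a correct decode looks like.

```python
import re
import string

# The three-line sample from the page, joined into one string.
SAMPLE = ("!40!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72"
          "!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e"
          "!4e!69!2d!2c!76")

TOKEN = re.compile(r"!([0-9a-fA-F]+)")
PRINTABLE = set(string.printable)
JS_HINTS = ("document", "function", "var ", "eval", "http")


def decode(blob, key):
    """Turn '!hh!hh...' into text by subtracting `key` from every hex value."""
    out = []
    for hexval in TOKEN.findall(blob):
        code = int(hexval, 16) - key
        if code < 0:
            raise ValueError("key %d drives a value below zero" % key)
        out.append(chr(code))
    return "".join(out)


def guess_key(blob, max_key=32):
    """Try each subtraction key and return the one whose output looks most like
    JavaScript: highest share of printable characters, ties broken by JS keywords."""
    best = None
    for key in range(0, max_key + 1):
        try:
            text = decode(blob, key)
        except ValueError:
            continue
        if not text:
            return None
        printable = sum(1 for c in text if c in PRINTABLE) / float(len(text))
        hints = sum(text.count(w) for w in JS_HINTS)
        score = (printable, hints)
        if best is None or score > best[0]:
            best = (score, key)
    return best[1] if best else None


if __name__ == "__main__":
    k = guess_key(SAMPLE)
    print("guessed key:", k)
    print(repr(decode(SAMPLE, k)))
```

With key 5 the sample decodes to a semicolon, a line break, indentation, and the start of a `document.getElementById('q` call, which is the kind of fragment the hex-to-ASCII step in the post recovers.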
Tuesday, April 9, 2013
Scapy is Awesome
Created 2 scripts using scapy to analyze some packet captures. Just wanted to preserve what took some time to design.
This first script reads a packet capture and displays the destination, source, data in the packet, and the time. A challenge was to find a way to display the time in a readable format.
#!/usr/bin/env python
from scapy.all import *
import time

packets = rdpcap("file.pcap")
totalPackets = 0
totalDataSize = 0
for pkt in packets:
    pktSrc = pkt.sprintf("%IP.src%")
    pktDst = pkt.sprintf("%IP.dst%")
    # Remember that the time is in UTC format (float() in case scapy returns a Decimal)
    pktEpoch = float(pkt.time)
    pktTime = time.strftime("%d %b %Y %H:%M:%S", time.gmtime(pktEpoch))
    pktHour = time.strftime("%H", time.gmtime(pktEpoch))
    pktMinute = time.strftime("%M", time.gmtime(pktEpoch))
    pktData = pkt.sprintf("%Raw.load%")
    pktDataLength = len(pktData)
    # %H is zero-padded ("07"), so compare as integers rather than against "7"
    if int(pktHour) == 7 and int(pktMinute) == 4:
        totalPackets += 1
        totalDataSize += pktDataLength
        print("Destination: %s" % pktDst)
        print("Source: %s" % pktSrc)
        print("Data Length: %s" % pktDataLength)
        print("Packet Time: %s" % pktTime)
        print(pktData)
        print("\n")

print("Total number of packets analyzed: %s" % totalPackets)
if totalPackets:   # avoid dividing by zero when nothing matched the time window
    averageDataSize = totalDataSize / totalPackets
    print("Average size of packets: %s" % averageDataSize)
This second script was designed to look at packets from 2 different sources and compare minute to minute how many they sent to each other over a period of time. We broke it down minute to minute to determine if the 1:1 ratio of sent to received packets was being maintained.
#!/usr/bin/env python
from scapy.all import *
import time

packets = rdpcap("file.pcap")
totalPacketsSource1 = 0
totalPacketsSource2 = 0
startDate = ""
startHour = 0
startMinute = 0
loopCount = 0


def report(date, hour, minute, count1, count2):
    # hour is UTC; the capture's local zone is UTC-2, hence the -2 shift
    print("%s %s:%s Source1 Packets: %s Source2 Packets: %s"
          % (date, str(int(hour) - 2), minute, count1, count2))


for pkt in packets:
    pktSrc = pkt.sprintf("%IP.src%")
    pktDst = pkt.sprintf("%IP.dst%")
    # Remember that the time is in UTC format (float() in case scapy returns a Decimal)
    pktEpoch = float(pkt.time)
    pktTime = time.strftime("%d %b %Y", time.gmtime(pktEpoch))
    pktHour = time.strftime("%H", time.gmtime(pktEpoch))
    pktMinute = time.strftime("%M", time.gmtime(pktEpoch))
    if loopCount == 0:
        startDate = pktTime
        startHour = pktHour
        startMinute = pktMinute
    if pktHour == startHour and pktMinute == startMinute:
        # still inside the current minute: count packets per source
        if pktSrc == "1.1.1.1":
            totalPacketsSource1 += 1
        elif pktSrc == "2.2.2.2":
            totalPacketsSource2 += 1
    else:
        # the minute (or the hour) rolled over: report the finished minute, then
        # start a new one seeded with this packet
        report(startDate, startHour, startMinute, totalPacketsSource1, totalPacketsSource2)
        startDate = pktTime
        startHour = pktHour
        startMinute = pktMinute
        totalPacketsSource1 = 1 if pktSrc == "1.1.1.1" else 0
        totalPacketsSource2 = 1 if pktSrc == "2.2.2.2" else 0
    loopCount += 1

# the last minute never sees a rollover, so report it explicitly
if loopCount:
    report(startDate, startHour, startMinute, totalPacketsSource1, totalPacketsSource2)