Monday, May 26, 2014

Python: Cipher and Base64 Encoding / Decoding

Below is part of a challenge that I came up with: first apply a simple substitution cipher in the spirit of a Caesar or ROT13 cipher, then use base64 to encode a URL.  Below is the Python code to accomplish this:


import string
import base64

url = ""  # the URL to encode goes here
# Custom alphabet (digits first) versus the standard base64 alphabet; mapping
# position i of one onto position i of the other is a fixed substitution.
my_base64chars  = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
std_base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Python 2: string.maketrans builds the translation table. Substitute first, then base64-encode.
s = url.translate(string.maketrans(my_base64chars, std_base64chars))
data = base64.b64encode(s)
print data

Below is how to decode the same information:


import string
import base64

# Base64-decode first, which yields the substituted text.
code = "cjMzejovL3NCLjgzc3dxLm15dy81cy90ekV4OXRrekdTSS93eTVzb3p5MjNvMS50enE/NT1FcEJHb0ZubQ=="
output = base64.b64decode(code)
print output

my_base64chars  = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
std_base64chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Then apply the substitution in the opposite direction (standard -> custom) to recover the URL.
s = output.translate(string.maketrans(std_base64chars, my_base64chars))
print s
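The same scheme in Python 3, as an added example rather than the post's own code: `string.maketrans` no longer exists there, so the tables come from `str.maketrans`, and base64 operates on bytes. The sample URL is constructed. What the code makes visible is that the "cipher" is only a fixed 64-character substitution, so anyone holding the two alphabets reverses it in one call; it is obfuscation, not encryption.

```python
import base64

# Alphabets from the post: the custom ordering (digits first) and the standard
# base64 ordering. Mapping position i of one onto position i of the other gives
# a fixed monoalphabetic substitution over those 64 characters.
MY_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
STD_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Python 3 moved maketrans from the string module to str; tables are reusable.
ENCODE_TABLE = str.maketrans(MY_CHARS, STD_CHARS)
DECODE_TABLE = str.maketrans(STD_CHARS, MY_CHARS)


def encode_url(url: str) -> str:
    """Substitute, then base64-encode; returns the ASCII token."""
    substituted = url.translate(ENCODE_TABLE)  # ':' '/' '.' '?' pass through
    return base64.b64encode(substituted.encode("ascii")).decode("ascii")


def decode_url(token: str) -> str:
    """Reverse of encode_url; validate=True rejects characters outside base64."""
    substituted = base64.b64decode(token, validate=True).decode("ascii")
    return substituted.translate(DECODE_TABLE)


def substitution_key() -> dict:
    """The whole secret of the scheme: 64 (plain -> cipher) character pairs."""
    return dict(zip(MY_CHARS, STD_CHARS))


if __name__ == "__main__":
    sample = "http://example.test/path?id=42"  # constructed sample, not the post's URL
    token = encode_url(sample)
    print(token)
    assert decode_url(token) == sample
```

Because `+` and `/` map to themselves and the remaining 62 characters are permuted, the output of the substitution step is still valid base64 alphabet text, which is why the author's second step can be plain `b64encode`.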

Thursday, May 8, 2014

Malware Analysis with twistd

Kali Linux includes an application called "twistd".  I used this program to spin up a quick FTP server and then an SMTP server to analyze some malware.

To spin up the FTP server the following command was used:
twistd -n ftp -p 21
This allowed the malware to connect and let me pull the FTP username and password it was using.  I was also able to gather the SMTP information that I needed.  The DNS and other information was gathered with dnsspoof and other utilities.

To spin up the SMTP server I needed to allow for some sort of AUTH.  I used the following command:

twistd -n mail --smtp=25 --maildirdbmdomain='' --user='' --auth=anonymous -E
This tool was a quick and efficient way to gather the information I needed.  From the malware I was able to identify the following indicators of compromise:

Email with Subject: Fw: CREDIT PAYMENT ALERT!($14,700.00) 
Link in email downloads: bank payment 

Drops the following files after installation:
Console.exe - Virustotal Results (0/52) (hxxps://

conf.ini - This contains the settings for Console.ex

core.dll - Virustotal Results (0/51) (hxxps://

Other indicators: 
Sends an outbound email every 4 hours with the keystrokes, screenshots and other information it has dropped.
Sends an outbound SMTP message with subject "Money !!! OH MONEY !!!"
SMTP Account used to auth and relay the message is
SMTP Server is
Send to account:

Another way to send the files captured is by FTP:
FTP Server:
FTP Username: sholm1000
FTP Password: slowdown1234
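The twistd services above are Twisted's own. As an added example that is not from the post, here is a dependency-free Python 3 stand-in for the same analysis setup: it answers the FTP and SMTP handshakes, accepts whatever login the sample presents, and records the username, password and any SMTP message body so they can be compared with the indicators listed above. The reply strings, the "sandbox" banner name and the port numbers are assumptions; it is meant to listen only on an isolated analysis network.

```python
import base64
import socketserver

def parse_command(line):
    """Split one FTP/SMTP command line into (VERB, argument)."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg.strip()

def b64_text(token):
    """Decode a base64 SASL token; fall back to the raw text if malformed."""
    try:
        return base64.b64decode(token.strip()).decode("utf-8", "replace")
    except ValueError:
        return token.strip()

class FTPCreds:
    """Tiny FTP responder: any USER/PASS pair is accepted and recorded."""
    greeting = "220 sandbox ftp ready"  # assumed banner

    def __init__(self):
        self.user, self.captured = None, []  # captured: (proto, user, password)

    def respond(self, line):
        verb, arg = parse_command(line)
        if verb == "USER":
            self.user = arg
            return "331 password please"
        if verb == "PASS":
            self.captured.append(("ftp", self.user, arg))
            return "230 logged in"
        return "221 bye" if verb == "QUIT" else "200 ok"  # keep the sample talking

class SMTPCreds:
    """Tiny ESMTP responder: advertises AUTH PLAIN/LOGIN, keeps message bodies."""
    greeting = "220 sandbox smtp ready"  # assumed banner

    def __init__(self):
        self.captured, self.messages, self.body = [], [], []
        self.user, self.login_step, self.in_data = None, None, False

    def respond(self, line):
        if self.in_data:  # message body continues until the lone "." line
            if line.rstrip("\r\n") != ".":
                self.body.append(line)
                return None  # body lines get no reply
            self.messages.append("".join(self.body))
            self.body, self.in_data = [], False
            return "250 queued"
        if self.login_step == "user":  # AUTH LOGIN, username step
            self.user, self.login_step = b64_text(line), "pass"
            return "334 " + base64.b64encode(b"Password:").decode()
        if self.login_step == "pass":  # AUTH LOGIN, password step
            self.captured.append(("smtp", self.user, b64_text(line)))
            self.login_step = None
            return "235 authenticated"
        verb, arg = parse_command(line)
        if verb in ("EHLO", "HELO"):
            return "250-sandbox\r\n250 AUTH PLAIN LOGIN"
        if verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() == "PLAIN" and initial:
                parts = b64_text(initial).split("\0")  # authzid\0authcid\0password
                if len(parts) == 3:
                    self.captured.append(("smtp", parts[1], parts[2]))
                return "235 authenticated"
            if mech.upper() == "LOGIN":
                self.login_step = "user"
                return "334 " + base64.b64encode(b"Username:").decode()
            return "504 mechanism not supported"
        if verb == "DATA":
            self.in_data = True
            return "354 end data with <CRLF>.<CRLF>"
        return "221 bye" if verb == "QUIT" else "250 ok"

class SessionHandler(socketserver.StreamRequestHandler):
    """Drive one responder over a TCP connection and print what it captured."""
    responder = FTPCreds  # serve() swaps in SMTPCreds for the mail port

    def handle(self):
        state = self.responder()
        self.wfile.write((state.greeting + "\r\n").encode())
        for raw in self.rfile:
            reply = state.respond(raw.decode("latin-1"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break
        print("captured", self.client_address[0], state.captured,
              getattr(state, "messages", []))

def serve(port, responder, host="0.0.0.0"):
    """Listen on the analysis host so the sample in the lab VM can reach it."""
    handler = type("Handler", (SessionHandler,), {"responder": responder})
    with socketserver.ThreadingTCPServer((host, port), handler) as srv:
        srv.serve_forever()

if __name__ == "__main__":
    serve(2121, FTPCreds)  # or serve(2525, SMTPCreds); ports below 1024 need root
```

The protocol logic lives in plain classes with a `respond(line)` method so it can be exercised without sockets; the handler only shuttles lines. As with the twistd setup, pair it with DNS redirection (the post uses dnsspoof) so the sample's hard-coded server names resolve to the analysis host.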

Prepare, Bait, Hook, Execute and Control - Buffer Overflows

This post is the third of four that I am planning to write about social engineering specifically about phishing.  The form of phishing that...