May 27, 2015

Tools: Zarp - Network Attack Tool

Zarp is a network attack tool centered around the exploitation of local networks. This does not include system exploitation, but rather abusing networking protocols and stacks to take over, infiltrate, and knock out. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly. Various sniffers are included to automatically parse usernames and passwords from various protocols, as well as view HTTP traffic and more. DoS attacks are included to knock out various systems and applications. These tools open up the possibility for very complex attack scenarios on live networks quickly, cleanly, and quietly.
The long-term goal of zarp is to become the master command center of a network; to provide a modular, well-defined framework that provides a powerful overview and in-depth analysis of an entire network. This will come to light with the future inclusion of a web application front-end, which acts as the television screen, whereas the CLI interface will be the remote. This will provide network topology reports, host relationships, and more. zarp aims to be your window into the potential exploitability of a network and its hosts, not an exploitation platform itself; it is the manipulation of relationships and trust felt within local intranets. Look for zeb, the web-app frontend to zarp, sometime in the future.

Source:: https://github.com/hatRiot/zarp

Tools: yaraQA - Performing automated Yara Q&A with Cuckoo

It is not strictly necessary to have pygal installed. However, YaraQA will not be able to generate plots showing Yara accuracy results without it.

    Install Pygal:
        $ pip install pygal


It is assumed that Cuckoo Sandbox and Yara are both installed.

As is well known, Cuckoo Sandbox is a malware analysis system that lets us customize both the processing and the reporting stages. In this context, we can feed Cuckoo with Yara rules based not only on the content of malware, but also on its behavior.
One of the most prominent issues when working with Yara rules is knowing how accurate they are. Unfortunately, Cuckoo Sandbox doesn't include a feature for this. For this reason, we developed yaraqa.py, a Python script that lets you test your own Yara rulesets in a flexible and customizable way.
YaraQA
yaraqa.py applies your Yara ruleset to a malware repository, a goodware repository, or both. It checks whether each file matches a rule when it should (and does not match when it should not), keeping internal counters so that it can finally print a statistical summary showing the accuracy of the ruleset. The script can handle these options:
In order to launch yaraqa.py successfully, you need to fill in its configuration file, yaraqa.conf. In this file you specify where to find your goodware and malware repositories, the static and memory Yara rules, and the parameters Cuckoo needs. Further information about the directory layout and filename directives that yaraqa.py requires is in the README file.

Source:: https://www.blueliv.com/research/performing-automated-yara-qa-with-cuckoo/

Tools: IDAREF - IDA Pro Instruction Reference Plugin

IDA Pro Full Instruction Reference Plugin - It's like auto-comments but useful.
I'm generally pretty good at figuring out what various Intel instructions do. But, once in a while I need to either know some precise detail (i.e. exact side effects of SUB) or come across a rare instruction. Then I break my train of thought and have to dig out the reference manual. Which got me thinking: Why can't IDA just give me the full documentation?


Source:: https://github.com/nologic/idaref

May 26, 2015

Howto: Collect data for Digital Forensics

1. Wipe the target hdd
# sudo shred -v -n 0 -z /dev/sdc

2. Check that every byte on the target hard disk has been replaced with 0
# sudo xxd -a /dev/sdc

3. MD5 sum of the source (evidence)
# sudo md5sum /dev/sdb

4. Copy from the evidence (/dev/sdb) to the hdd (/dev/sdc), then hash the copied sectors and compare with the hash from step 3
# sudo dd if=/dev/sdb of=/dev/sdc bs=512
# sudo dd if=/dev/sdc bs=512 count=499712 | md5sum
or create an image from the source
# dcfldd if=/dev/sdb hash=md5 of=/media/diskimage.dd bs=512 conv=noerror
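The same wipe / check / copy / verify flow as an added example (not part of the original howto), written against regular files that stand in for /dev/sdb (evidence) and /dev/sdc (target) so it can be exercised without real disks; the file paths are the caller's arguments and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the howto's steps applied to
# plain files standing in for the evidence and target devices.

# Step 2 as a test instead of eyeballing xxd: succeed only if every byte is 0x00.
all_zero() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Step 1: overwrite the target with zeros (what shred -n 0 -z does on a device).
wipe_target() {
    size=$(wc -c < "$1" | tr -d ' ')
    dd if=/dev/zero of="$1" bs=512 count=$(( (size + 511) / 512 )) 2>/dev/null
}

# Steps 3/4: MD5 of the first N 512-byte sectors, the way the howto hashes
# the copied region with dd ... | md5sum.
hash_sectors() {
    dd if="$1" bs=512 count="$2" 2>/dev/null | md5sum | cut -d' ' -f1
}

# Compare source and copy over the source's sector count; 0 means they agree.
# (Sector count comes from the file size; on a real device use its sector count.)
verify_copy() {
    sectors=$(( ( $(wc -c < "$1" | tr -d ' ') + 511 ) / 512 ))
    [ "$(hash_sectors "$1" "$sectors")" = "$(hash_sectors "$2" "$sectors")" ]
}

# Whole procedure: wipe target, confirm it is zeroed, copy sector by sector, verify.
# Returns 2 if the wipe check fails, 1 if the hashes differ, 0 on success.
image_and_verify() {
    wipe_target "$2"
    all_zero "$2" || return 2
    dd if="$1" of="$2" bs=512 conv=notrunc 2>/dev/null
    verify_copy "$1" "$2"
}
```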

Tools: Loki - Simple IOC Scanner

Run

  • Download the program archive via the button "Download ZIP" on the right sidebar
  • Unpack LOKI locally
  • Provide the folder to a target system that should be scanned: removable media, network share, folder on target system
  • Right-click on loki.exe and select "Run as Administrator" or open a command line "cmd.exe" as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)

Reports

  • The resulting report will show a GREEN, YELLOW or RED result line.
  • Please analyse the findings yourself by:
    1. Upload non-confidential samples to Virustotal.com
    2. Search the web for the filename
    3. Search the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for "Equation Group")
    4. Search the web for the MD5 hash of the sample
  • Please report back false positives via the "Issues" section, which is accessible via the right sidebar (mention the false positive indicator like a hash and/or filename and the rule name that triggered)

Source:: https://github.com/Neo23x0/Loki

Tools: vmware-snapcompare - VMware Snapshot Forensic Comparison Scripts

These scripts are derived from the contents of the May 2011 paper "Forensic Analysis of VMware Hard Disks" by Manish Hirwani. The paper was retrieved in March, 2013 from https://ritdml.rit.edu/bitstream/handle/1850/13818/MHirwaniThesis5-4-2011.pdf, and a copy is included in this repository.
The files in the "bash.original" directory reflect the closest functional version of the scripts in the PDF. Future feature additions will be made to files in the "bash.new" directory, and possibly others.
These scripts are not only used for VMware image comparisons, but could help in analysis of any "changed" system images.

Initial Modifications

The originals were modified to function within the SANS SIFT Ubuntu VMware distribution. (See http://computer-forensics.sans.org/community/downloads for details and download.) Modifications between the paper and initial commit included:
  • Handling special characters in filenames
  • Use sleep(1) instead of usleep for better portability
  • Move common function and variable definitions to a separate file, sourced as needed
  • Syntax corrections
  • Use mmls(1) from TSK instead of fdisk(8)
  • Paths to binaries to sync with SIFT paths
  • Other minor changes to enable functionality within SIFT environment

Source:: https://github.com/philhagen/vmware-snapcompare

Tools: SYWorks - Wireless Auditing, Intrusion Detection & Prevention System

Wireless Auditing, Intrusion Detection & Prevention System
Depends on PyCrypto; run pip install pycrypto to install it. (The encryption feature that required it has since been removed.)
Youtube Video Playlist - https://www.youtube.com/watch?v=aGTQAWoeujA&index=1&list=PLrekpjW7JwW-T0CeXP8GwudtJmTJ6KZ8O
Blog - http://syworks.blogspot.com/2014/04/waidps-wireless-auditing-intrusion.html
Fan Page - https://www.facebook.com/syworks

Source:: https://github.com/SYWorks/waidps

Tools: SSHAttackFinder - A simple Python script that scans the logfile for attackers failing passwords on your system.

The script automatically saves the "IPs" file to the current working directory (os.getcwd()), but why not edit this line and make the script write to your website's directory? Add the script to a cronjob, and you have a dynamically updating list of possible attackers!
Example line: IPsf = open("/var/www/site/IPs", "w+")
Example Cron Line (crontab -e): 0 0 * * * python3 /home/foobar/SSHAttackFinder.py

However, the user running the script must have write access to that directory!
This script only runs on Linux. It may not work out of the box on distros that don't use /var/log/auth.log; in that case change the "auth" line to the applicable logfile and it should run.
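The core of what the script does, as an added example that is not the SSHAttackFinder code itself: pull the source IPs of failed SSH logins out of an auth.log-style file. The log path is the caller's argument; the sample log written by write_sample_log is constructed here and is not real data, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the SSHAttackFinder script: extract the addresses behind
# sshd "Failed password" lines from an auth.log-style file.

# Print every IP that appears in an sshd "Failed password" line, most frequent
# first, with its count (covers both valid-user and "invalid user" failures).
failed_ip_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { print $(i + 1); break }
         }' "$1" | sort | uniq -c | sort -rn
}

# The deduplicated list alone, one IP per line, as the script writes to its "IPs" file.
unique_failed_ips() {
    failed_ip_counts "$1" | awk '{ print $2 }' | sort
}

# Constructed sample log: three failures from two addresses plus one accepted
# login that must be ignored. Addresses are documentation ranges, not real hosts.
write_sample_log() {
    cat > "$1" <<'EOF'
May 26 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 50212 ssh2
May 26 10:00:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 50214 ssh2
May 26 10:00:09 host sshd[1236]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
May 26 10:00:12 host sshd[1237]: Failed password for alice from 198.51.100.7 port 40002 ssh2
EOF
}
```

Point failed_ip_counts at /var/log/auth.log (or your distro's equivalent) to run it over a real log.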

Source:: https://github.com/toma678/SSHAttackFinder