Didier Stevens

Tuesday 28 February 2017

Password History Analysis

Filed under: Encryption,My Software — Didier Stevens @ 0:00

When cracking Active Directory passwords as I explained in this series of blog posts, you can also crack the password history.

The program I’m releasing now will make a report of users who “recycle” their previous passwords by using a common string.


The man page:

Usage: password-history-analysis.py [options] [[@]file ...]
Program to analyze password history

Arguments:
@file: process each file listed in the text file specified
wildcards are supported

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -s SEPARATOR, --separator=SEPARATOR
                        Separator used in the password files (default :)
  -l, --lowercase       Convert usernames to lowercase
  -n, --nonmatching     Print lines that do not match a password entry
  -L LENGTH, --length=LENGTH
                        Minimum length common string

Manual:

This program analyzes files with password history, and reports
statistics on common strings (prefix, suffix, infix) of passwords per
user.
The minimum length of a common string is 3 characters by default. Use
option -L to change the minimum length of the common string.


Example of input file (passwords.txt):
user01:HASH:azerty-
user01_history0:HASH:azerty0
user01_history1:HASH:azerty1
user01_history2:HASH:azerty2
user01_history3:HASH:azerty3
user01_history4:HASH:azerty4
user01_history5:HASH:azerty5
user01_history6:HASH:azerty6
user01_history7:HASH:azerty7
user01_history8:HASH:azerty8
user01_history9:HASH:azerty9
user01_history10:HASH:azerty10
user01_history11:HASH:azerty11
user01_history12:HASH:azerty12
user01_history13:HASH:azerty13
user01_history14:HASH:azerty14
user01_history15:HASH:azerty15
user01_history16:HASH:azerty16
user01_history17:HASH:azerty17
user01_history18:HASH:azerty18
user01_history19:HASH:azerty19
user01_history20:HASH:azerty20
user01_history21:HASH:azerty21
user01_history22:HASH:azerty22
user02:HASH:99Monkey
user02_history0:HASH:00Monkey
user02_history1:HASH:01Monkey
user02_history2:HASH:02Monkey
user02_history3:HASH:03Monkey
user02_history4:HASH:04Monkey
user02_history5:HASH:05Monkey
user02_history6:HASH:06Monkey
user02_history7:HASH:07Monkey
user02_history8:HASH:08Monkey
user02_history9:HASH:09Monkey
user02_history10:HASH:10Monkey
user02_history11:HASH:11Monkey
user02_history12:HASH:12Monkey
user02_history13:HASH:13Monkey
user02_history14:HASH:14Monkey
user02_history15:HASH:15Monkey
user02_history16:HASH:16Monkey
user02_history17:HASH:17Monkey
user02_history18:HASH:18Monkey
user02_history19:HASH:19Monkey
user02_history20:HASH:20Monkey
user02_history21:HASH:21Monkey
user02_history22:HASH:22Monkey
user03:HASH:SomethingElse
user03_history0:HASH:Password0
user03_history1:HASH:Password1
user03_history2:HASH:Password2
user03_history3:HASH:Password3
user03_history4:HASH:Password4
user03_history5:HASH:Password5
user03_history6:HASH:Password6
user03_history7:HASH:Password7
user03_history8:HASH:Password8
user03_history9:HASH:Password9
user03_history10:HASH:Password10
user03_history11:HASH:Azerty$1

Usage example:
password-history-analysis.py passwords.txt

Output:
user01:24:24:100.00:azerty
user02:24:24:100.00:Monkey
user03:13:11:84.62:Password

The first field is the username.
The second field is the number of passwords for the given username.
The third field is the largest number of passwords for the given
username with the same prefix or suffix.
The fourth field is the percentage of third and second field.
The fifth field is the password's common string.

The report can be written to file with option -o.
Use option -l to convert usernames to lowercase.

Option -n will not produce a report, but output all lines that do not
match a password entry. Use this to detect entries not handled by this
program.

The separator (for input and output) is :, and can be changed with
option -s.
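
The analysis the manual describes can be reproduced along the following lines. This is an added example, not the source of password-history-analysis.py: it counts any shared substring (which covers prefix, suffix and infix), and the names load, common_string and report, the tie-breaking rule and the alice/bob sample are assumptions made here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the page's user[_historyN]:HASH:password layout.
SAMPLE = """\
alice:HASH:Winter2017!
alice_history0:HASH:Winter2016!
alice_history1:HASH:Winter2015!
alice_history2:HASH:Tr0ub4dor
bob:HASH:x9$Lq
bob_history0:HASH:correcthorse
"""

HISTORY_SUFFIX = re.compile(r"_history\d+$")

def load(lines, separator=":", lowercase=False):
    """Group passwords per account; return (passwords, nonmatching lines)."""
    passwords, nonmatching = defaultdict(list), []
    for line in lines:
        line = line.rstrip("\r\n")
        fields = line.split(separator, 2)  # the password may contain the separator
        if len(fields) == 3 and fields[0]:
            user = HISTORY_SUFFIX.sub("", fields[0])
            passwords[user.lower() if lowercase else user].append(fields[2])
        elif line:
            nonmatching.append(line)
    return passwords, nonmatching

def common_string(pwds, minlen=3):
    """Return (count, string); a set lets each password vote once per substring."""
    seen = Counter()
    for p in pwds:
        seen.update({p[i:j] for i in range(len(p)) for j in range(i + minlen, len(p) + 1)})
    shared = [(s, n) for s, n in seen.items() if n >= 2]
    if not shared:
        return 0, ""  # nothing is reused across two or more passwords
    # Most passwords first, then the longest string, then alphabetical.
    s, n = min(shared, key=lambda sn: (-sn[1], -len(sn[0]), sn[0]))
    return n, s

def report(lines, minlen=3):
    rows = []
    for user, pwds in sorted(load(lines)[0].items()):
        n, s = common_string(pwds, minlen)
        rows.append(f"{user}:{len(pwds)}:{n}:{100.0 * n / len(pwds):.2f}:{s}")
    return rows

if __name__ == "__main__":
    print("\n".join(report(SAMPLE.splitlines())))
```

Run over the passwords.txt listing above, report() returns the same three lines as the manual's output.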


password-history-analysis_v0_0_1.zip (https)
MD5: 2ED7FB5E6968B25AEBF623754E5513B0
SHA256: DA75A8E2C92DCD31FB3C05732C660C3996EAEBADFA198535C051DC02AE94805B

Sunday 26 February 2017

Update: translate.py Version 2.4.0

Filed under: My Software,Update — Didier Stevens @ 9:19

I added a feature similar to “here files” to translate.py. It’s something I already did in xor-kpa.py.

Instead of using an input filename, the content can also be passed in the argument. To achieve this, precede the text with the character #.
If the text to pass via the argument contains control characters or non-printable characters, hexadecimal (#h#) or base64 (#b#) can be used.

Example:
translate.py #h#89B5B4AEFDB4AEFDBCFDAEB8BEAFB8A9FC "byte ^0xDD"
Output:
This is a secret!
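
The three argument forms and the example above can be checked as follows. This is an added example, not code from translate.py: here_argument and xor_each_byte are hypothetical names, the XOR stands in for the "byte ^0xDD" expression, and treating plain # text as Latin-1 is an assumption.

```python
import base64
import binascii

def here_argument(arg):
    """Return the inline bytes of a '#' argument, or None when arg is a filename."""
    # The longer prefixes must be tested before the bare '#'.
    if arg.startswith("#h#"):
        return binascii.unhexlify(arg[3:])               # binascii.Error on bad hex
    if arg.startswith("#b#"):
        return base64.b64decode(arg[3:], validate=True)  # binascii.Error on bad base64
    if arg.startswith("#"):
        return arg[1:].encode("latin-1")                 # assumption: one byte per character
    return None

def xor_each_byte(data, key):
    """Apply the equivalent of the expression "byte ^ key" to every byte."""
    return bytes(b ^ key for b in data)

# Argument taken from the post's example.
PAGE_ARGUMENT = "#h#89B5B4AEFDB4AEFDBCFDAEB8BEAFB8A9FC"

def decode_page_example():
    return xor_each_byte(here_argument(PAGE_ARGUMENT), 0xDD).decode("ascii")

if __name__ == "__main__":
    print(decode_page_example())
```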

translate_v2_4_0.zip (https)
MD5: B33830C68D8A8A7534AF178243658E70
SHA256: A01AB10FCE42664869C4E31DB1AB2E1E0237172D0AE9685549A09BF866D7F885

Saturday 25 February 2017

Update: rtfdump.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 10:28

This new version of rtfdump.py adds object extraction (-E) and can also handle objects obfuscated with \dde0000…

rtfdump_V0_0_5.zip (https)
MD5: 14475C70D992FB72306D5F83815DDE19
SHA256: A26A60536509BA7CF55FF1876E8BC3A6DBA43F1EF8841F159D55411FD11B5078

Wednesday 22 February 2017

Update: base64dump.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

After searching with base64dump for encoded strings in this maldoc sample, I decided to add an option to base64dump to check all encodings automatically.

Use option -e with value all to try out all encodings, and report all found strings ordered by increasing length. And with option -u, you can limit the output to unique decoded strings.

zipdump.py -s 5 -d output.docx.vir.zip | base64dump.py -e all -u

base64dump_V0_0_6.zip (https)
MD5: CDC956FAFD7AC2A86C9CD40EC188C7FC
SHA256: BFBCFA51DDC47793C8CA397B261E036701543610F637CE8813BC5870FC4B2C2F

Wednesday 15 February 2017

Quickpost: ClamAV and ZIP File Decryption

Filed under: Malware,Quickpost — Didier Stevens @ 0:00

While reading up on ClamAV and YARA, I came across something I had wanted to try for some time: have ClamAV decrypt and scan a password-protected ZIP file.

It can be done by creating a .pwdb password signature file, as explained in section 3.12 of Creating signatures for ClamAV.

I created one signature for password “infected”:

ZipPasswordInfected;Engine:81-255;0;infected

ZipPasswordInfected is the name I gave to the signature.

Engine:81-255 defines the required functionality level of the ClamAV engine. If I’m not mistaken, 81 is version 0.99.

0 indicates that the password is in ASCII.

infected is the password to attempt ZIP decryption.

And then I can pass the password signature file to clamscan with option -d. Or I can put the password signature file in the database directory.

In this example, notepad.exe is stored in a password-protected ZIP file (password infected), and is_pe_file.yara is a YARA rule to detect PE files.

clamscan.exe -d is_pe_file.yara -d passwords.pwdb notepad.exe.zip
notepad.exe.zip: YARA.is_PE_File.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.21 MB
Data read: 0.14 MB (ratio 1.50:1)
Time: 0.063 sec (0 m 0 s)

Tuesday 14 February 2017

Overview of Content Published In January

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in January:

Blog posts:

SANS ISC Diary entries:

NVISO Labs blog posts:
