In this new version of pdfid.py, a new option was added: -n.
With this option, you can suppress output for names with a count of zero:
pdfid_v0_2_3.zip (https)
MD5: 65966E8BBF932D3C0830B755FDE094FE
SHA256: 9482176D173EFA6F2F33EE409B091BFA45685FC285B87F7219A4E9418B47F739
pcap-rename.py is a program to rename pcap files with the timestamp of the first packet in the pcap file.
This new version supports big-endian pcap files.
pcap-rename_V0_0_2.zip (https)
MD5: 6EFFA5313946DEAF3363835B1D3C684E
SHA256: 3BA23CC936B49AF83306E486B0BFC9ABAF5BD0B5E3DEF81D8564BCC3810C06B9
I observed WebDAV traffic to malicious sites in the past (in proxy logs), and recently I took some time to take a closer look.
TL;DR: when files are retrieved remotely with the file:// URI scheme on Windows, Windows will fallback to WebDAV when SMB connections can not be established.
I did my tests with 2 Windows 7 VMs on the same subnet, one Windows 7 machine with IIS/WebDAV, and the other Windows 7 machine with Word 2016 and a .docx document with a remote template (template.dotx) (using the file:// URI scheme). The Windows firewall on the IIS machine was configured to block ports 139 and 445.
When the .docx document is opened, Word will retrieve the template:
Here is the URI:
First we see attempts to connect on ports 445 and 139 on the IIS machine (SYN packets):
These come from the “System process”:
There are no packets coming back from the IIS machine (I blocked port 139 and 445), and after almost 30 seconds we see an HTTP request to port 80 on the IIS machine:
This is a WebDAV request, notice the User Agent string “DavClnt”:
This TCP connection originates from the Word process:
And about 3 seconds after this request, we get another WebDAV request:
For this request, the User Agent string is “Microsoft-WebDAV-MiniRedir/6.1.7601”.
This TCP connection originates from the WebClient service:
This service was not started:
The svchost service host process will load and start the WebClient service:
WebClient (WebClnt.dll) is the WebDAV service:
To summarize, when the file:// URI scheme is used in a Word document and SMB connections can not be established, we will see WebDAV requests from:
I’ve observed the same behavior with Windows 10 (with a different version number for the WebClient User Agent string).
When the document is opened a second time, there is no WebDAV request from Word (1), only requests from the WebClient service (2).
When I stop the WebClient service and reopen the document, there is first a WebDAV request from Word (1) followed by requests from the WebClient service (2).
When I disable the WebClient service and reopen the document, there are no more WebDAV requests at all.
This version has a man page now.
I use this tool to decode obfuscated strings in malicious scripts:
Usage: numbers-to-string.py [options] [expression [[@]file ...]]
Program to convert numbers into a string
Arguments:
@file: process each file listed in the text file specified
wildcards are supported
Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-m, --man Print manual
-o OUTPUT, --output=OUTPUT
Output to file
-e, --error Generate error when error occurs in Python expression
-i, --ignore Ignore numbers greater than 255
-n NUMBER, --number=NUMBER
Minimum number of numbers (3 by default)
-j, --join Join output
Manual:
numbers-to-string.py is a Python program that reads texts files (as
arguments on the commandline, @here files or stdin), extract numbers
from these files and converts these to strings.
The first argument of numbers-to-string.py is a Python expression.
This Python expression can use variable n that represents each
extracted number.
Here is an example, with a script file (test.js) containing a list of
numbers:
C:\Demo>type test.js
a = (68, 105, 100, 105, 101, 114)
Running this script file through numbers-to-string.py with an empty
expression ("") converts the numbers to a string:
C:\Demo>numbers-to-string.py "" test.js
Didier
68 is the ASCII number of letter D, 105 is the ASCII number of letter
i, ...
numbers-to-string.py converts each number it extracts to a character,
and concatenates them into one string per line.
The same result can be obtained by using Python expression n, where n
represents the extracted numbers:
C:\Demo>numbers-to-string.py n test.js
Didier
The advantage of using a Python expression becomes obvious when the
numbers have been altered to obfuscate their meaning.
In the next example, 1 has been added to each number, making
straightforward conversion generate an unintelligible string:
a = (105, 117, 117, 113, 116, 59, 48, 48, 69, 106, 101, 106, 102, 115,
84, 117, 102, 119, 102, 111, 116, 47, 100, 112, 110)
C:\Demo>numbers-to-string.py n test.js
iuuqt;00EjejfsTufwfot/dpn
If we use the Python expression to substract 1 from each number (n -
1), then we can decode the string:
C:\Demo>numbers-to-string.py "n - 1" test.js
https://DidierStevens.com
For more complex operations, a lambda expression can be used. The
argument of the lambda expression is the list of numbers.
Here is an example from a real malicious document:
C:\Demo>numbers-to-string.py "lambda l: [b - 40 + i*2 for i, b in
enumerate(l)]" test.js
http://pmspotter.wz.cz/656465/d5678h9.exe
numbers-to-string.py will work line per line, as illustrated with this
example:
C:\Demo>type test.js
a = (68, 105, 100, 105, 101, 114)
b = (83, 116, 101, 118, 101, 110, 115)
C:\Demo>numbers-to-string.py n test.js
Didier
Stevens
With option -j, the output strings can be concatenated:
C:\Demo>numbers-to-string.py -j n test.js
DidierStevens
Output can be written to a file using option -o.
numbers-to-string.py needs at least 3 numbers per line to start
extracting. Lines with less than 3 numbers are ignored. 3 numbers is
the default minimum value, and can be changed using option -n.
Errors that occur when evaluating the Python expression will be
silently ignored. To have the tool raise these errors, use option -e.
If the resulting value of the expression is more than 255, an error
will be generated, unless option -i is used to ignore these errors.
numbers-to-string_v0_0_3.zip (https)
MD5: 6FD49062058E6A03A4A7BF3A3D26408A
SHA256: 9457AFA699B61DA52F07921D3F7AB486585036654D64AD126B933345E71BC07F
This new version of oledump.py detects and analyses orphaned streams. More info on orphaned streams can be found in this blogpost.
oledump_V0_0_30.zip (https)
MD5: BBD53C65FC40891E2125B9808F507E4A
SHA256: 78CDC8C8BCD651A3578F567D24FD88300600E02520B2D75F45448E4FB480FEB0
This new version of pecheck.py adds support for option -g to select a section:
pecheck-v0_7_1.zip (https)
MD5: D5907442424C527A9937CFA65377C9BD
SHA256: BF2F162D108F17F350111645B8DFFE5D3641065CB6EE3CE318FCBEC83507917B
This new version of cut-bytes.py brings a small cosmetic change to the way a hex/ASCII dump is displayed:
An extra space is added between the 8th and 9th byte of the hexdump. This was suggested to me by an attendee of the last private training I gave.
cut-bytes_V0_0_6.zip (https)
MD5: 7F726219F6F601018B4BD39E9A407728
SHA256: BFD80EF00455CD938A05A18EAA33551ABEC6B0298A0AEE81052E6F5A12BB86F7
My tool byte-stats.py calculates statistics for the files it analyzes. With option -l (and -p) , it produces a list of values for different parts of the file (buckets), for example a list of entropy values. With this, one can have an idea how the entropy changes inside a file.
But as the saying goes, a picture is worth a thousand words, so I added option -g to produce a very simple graph of these values (just a line, no axis or scale). This does not require any extra Python module, I use Python’s TkInter module, the standard GUI for Python.
byte-stats_V0_0_7.zip (https)
MD5: 9991B5C5BEB3CB7989FE6DC30789EB49
SHA256: 82198195EA9C92832027CC8E2E3ABE161787551A06750E042096CF2DF0AC9384
Metasploit has a module to create Microsoft Word document with macros (.docm): office_word_macro.
Documents generated with this module are not that hard to analyze and detect, because they always use the same VBA code. As I explain in my workshops and trainings, although the “new” Office file format (OOXML) is a ZIP container for XML files, VBA code is still stored inside a binary file (vbaProject.bin) using the “old” file format (Compound File Binary Format, or ole file as I like to call it). This Metasploit module always uses the same vbaProject.bin file (inside the template file), and I explain how to analyze and detect it in this video:
I show YARA rules and ClamAV signatures in this video to detect documents created with this Metasploit module.
Here are the YARA rules:
/*
Version 0.0.1 2017/08/20
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk
History:
2017/08/20: start
*/
import "hash"
rule metasploit_office_word_macro_ID_GUID {
meta:
description = "Detect Metasploit's office_word_macro unique GUID"
strings:
$ID = "ID=\"{BB64F33D-3617-FA44-AFC9-63F65314A8A3}\""
condition:
$ID
}
rule metasploit_office_word_macro_vbaproject_bin_zipped {
meta:
description = "Detect .docm files created with Metasploit's office_word_macro exploit"
strings:
$a = {776F72642F76626150726F6A6563742E62696EED3B0D7853D775E75D3D0959B6B1640C7120908B4CB04C2421C9B22D3B98EADF86D860B0032421C1FA79C222B2A44A4FD8E4A795B1D3928435AC5D33CAD20E42DAA62DEB489AB07EE9BA8976FB42F3B5DF48D3ED4BBA7531C99666FDBE0E4AB32F69B6C43BF7BD275BFE2350BA}
condition:
$a and hash.md5(@a + 19, 5962) == "e5995aba8551f30cc15c87ee49fb834a"
}
The first rule (metasploit_office_word_macro_ID_GUID) detects the vbaProject.bin file used by this Metasploit module based on the unique ID ({BB64F33D-3617-FA44-AFC9-63F65314A8A3}) stored inside stream PROJECTwm of file vbaProject.bin. This rule must be used with a tool that can scan inside ZIP files, like zipdump.py or ClamAV.
If you can’t use such a tool, you can still use the second rule (metasploit_office_word_macro_vbaproject_bin_zipped) with the standard YARA scanner: this rule looks for the datastream of the compressed vbaProject.bin file inside Office files.
Here are the ClamAV signatures:
Signature to be put inside a .ndb file: metasploit_office_word_macro_ID_GUID:0:*:49443D227B42423634463333442D333631372D464134342D414643392D3633463635333134413841337D22 Signature to be put inside a .hdb file: 1788454ae206101fa6febf99005ce03b:15872:metasploit_office_word_macro_vbaproject_bin
The first signature (metasploit_office_word_macro_ID_GUID) detects the unique ID (just like the first YARA rule), and the second signature (metasploit_office_word_macro_vbaproject_bin) detects the vbaProject.bin file based on the MD5 hash (1788454ae206101fa6febf99005ce03b).
ClamAV is able to scan inside OOXML/ZIP files.
Here is an overview of content I published in October:
Blog posts:
SANS ISC Diary entries:
NVISO Blog posts:
Didier Stevens 