Didier Stevens

Friday 31 May 2019

Update: hex-to-bin.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 10:47

This new version comes with option -a to parse ASCII/hexdumps as produced by my tools.

Option -s can be used to select another hexadecimal/ASCII dump than the first one (for example, -s 2 to select the second dump).

Option -l (list) can be used to produce an overview of all hexadecimal/ASCII dumps found in the input, together with an index number to be used with option -s.

hex-to-bin_V0_0_2.zip (https)
MD5: 4F415E4117EC497C52E244A7087E36B9
SHA256: D283C312CC169419BC16D9199F5EC850D5D7565B9FDB272CA5236F97EDAD22C3

Tuesday 28 May 2019

Update: zipdump Version 0.0.15

Filed under: My Software,Update — Didier Stevens @ 0:00

This update is just a small change to the help description, to clarify password dictionary attacking with the build-in password list.

zipdump_v0_0_15.zip (https)
MD5: 148D49FC54477C12EBB620FDCEF61AA2
SHA256: DE6FE35FA281FAD9BBF8C56883212519E60FDF0BCAFB3AFBBF964E5C808CCA2D

Monday 27 May 2019

DSSuite: A Docker Container With My Tools

Filed under: Announcement,My Software — Didier Stevens @ 0:00

I want to thank Xavier Mertens for creating a Docker container with my tools (GitHub): DSSuite.

Details can be found in ISC diary entry “DSSuite – A Docker Container with Didier’s Tools“.

Monday 20 May 2019

WebDAV, NTLM & Responder

Filed under: Encryption,Networking — Didier Stevens @ 0:00

I was trying to create a capture file with NTLM authenticated WebDAV traffic, using Responder: I couldn’t get it to work. There was WebDAV traffic, but no NTLMSSP headers.

Long story short: there’s a bug in Responder version It manifests itself when the WebDAV client sends a request with just headers, and “Content-Length: 0”, like this:

The code in Responder “sees” just “Content-Length” and waits for more packets:

I made a quick & dirty fix: break out of the loop when we see “Content-Length: 0” (servers/HTTP.py):

And now I have NTLMSSP headers:

I just start my modified version of Responder:

Generate WebDAV traffic from a Windows 7 client:

And Responder participates in the challenge:

This can of course be cracked (if the password is not too complex), with John The Ripper for example:

I also have a blog post with more details about WebDAV traffic from Windows clients.

Once I got Responder to work, I searched on Laurent’s Responder repository, and found a pull-request to fix issues with “Content-Length: 0” requests (this PR has not been merged yet). Hence I’m not going to do my own PR.

You can find the capture file here:

webdav-ntlm-responder.zip (https)
MD5: A427DDBDAF090E93BB75B7A8DE696826
SHA256: 2F92CDD7382DD3622AC1F8769CF9D065C60C235DEF764E6709C32E2C4A7554A8

Sunday 19 May 2019

Quickpost: Retrieving an SSL Certificate with nmap

Filed under: Encryption,Networking,Quickpost — Didier Stevens @ 8:28

One of my first quickposts, more than 10 years ago, was an howto: using openssl to retrieve the certificate of a web site.

Since then, nmap has a scripting engine, and there is a script to check a certificate with nmap: ssl-cert.nse.

You just have to scan the site and port for which you want to check the certificate, like this: nmap -p 443 –script ssl-cert didierstevens.com

If you want the certificate too, increase verbosity with option -v:

Checking a certificate will not work if you scan a port that is not known to provide SSL/TLS:

In that case, you have to use service discovery (-sV):


Quickpost info

Overview of Content Published in April

Filed under: Announcement — Didier Stevens @ 7:55

Here is an overview of content I published in April:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Blog at WordPress.com.