This is the Python 3 version of my email file analysis tool (eml).
emldump_V0_0_11.zip (https)
MD5: 09408ED0C2183178BEA71459CE001995
SHA256: 01B3543CCBAE806E1536BF55E62DF7D30885737909DB4322348AC521138660CC
This is a Python 3 update for my disitool.
disitool_v0_4.zip (https)
MD5: 3A41D8805340716913FAECE7C79B10A7
SHA256: 51EBFB0759FEEA69FFFB643659FD74DC5043338719A91CE36E427D175196661A
You’ve probably encountered malicious PowerShell scripts with an encrypted payload (shellcode, a PowerShell script, …).
Here is an example that I created:
Update: this example is on pastebin: https://pastebin.com/QUGiWTHj
There are 2 BASE64 strings in this script. The first one (cfr. variable $cfii) is the encryption key. The second one (cfr. variable $hctqdvb) is the payload.
The script uses AES encryption, with a 256-bit key, CBC mode, PKCS7 padding and an initialization vector (IV) that is stored in the first 16 bytes of the payload (0..15).
And after the payload is decrypted, it has to be decompressed with the Gzip algorithm.
With base64dump.py, I can find the 2 BASE64 strings in the PowerShell script:
I select the second BASE64 string (payload) to pipe into translate.py, using the following small Python script (decrypt.py) to do the decryption:
import binascii
from Crypto.Cipher import AES
from Crypto.Util import Padding

# keybase64 is not defined in this script: it is the BASE64 key passed to translate.py via option -e
def Decrypt(data):
    iv = data[0:16]            # the IV is stored in the first 16 bytes of the payload
    ciphertext = data[16:]     # the rest is the AES-256-CBC ciphertext
    key = binascii.a2b_base64(keybase64)
    oAES = AES.new(key, AES.MODE_CBC, iv)
    return Padding.unpad(oAES.decrypt(ciphertext), 16)   # remove the PKCS7 padding
This small script uses crypto functions from pycryptodome.
I use translate.py in fullread mode (-f --fullread, to “translate” the file in a single step, instead of byte per byte) and use function Decrypt to decrypt the block of data, like this:
I load the script decrypt.py with option -s, and I pass the key as a BASE64 string via option -e.
The output is non-printable bytes, because the decrypted payload is Gzip compressed. I use translate.py again to do the decompression:
And now the “payload” I used is decrypted and decompressed: “This is a test!”
Each stream and storage can have an indicator in oledump.py's output:
You’ll probably know M and m: they are indicators that appear often.
Here is an overview of all possible indicators:
This new version of oledump.py brings extra JSON support and a new indicator.
Existing option -j (--jsonoutput) produces JSON output: a JSON object with the content of each individual stream (BASE64 encoded).
This option (-j) can now be used together with option -v (--vbadecompress) to produce a JSON object with the VBA code (BASE64 encoded) of each VBA module stream.
And there is a new indicator (!) :
This indicator is used for VBA module streams for which oledump is not able to recognize “normal” VBA source code (e.g. source that starts with something other than Attribute statements). Here is an example of a sample that would cause this ! indicator to appear: AV Cleaned Maldoc.
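What option -v does and what the ! indicator tests, written out as an added example (this is not oledump.py's code). vba_decompress implements the MS-OVBA compressed container format that VBA module streams use; indicator_for applies the heuristic described above: source that does not start with Attribute statements gets "!", otherwise "M" (oledump's indicator for a VBA module stream). The sample containers are constructed here: SAMPLE_COPY_TOKEN is hand-built to exercise a copy token, and compress_literals is a helper of mine that builds literal-only containers (single chunk, sources up to 3640 bytes). It assumes the compressed container starts at offset 0 of the bytes you pass in; in a real module stream the source starts at the offset recorded in the dir stream, which oledump resolves for you.

```python
# Constructed MS-OVBA container: "Attribute Attribute" as 8 literal tokens, 2 literal
# tokens and one copy token (offset 10, length 9). Chunk header 0xB00D = compressed, size 16.
SAMPLE_COPY_TOKEN = (bytes([0x01, 0x0D, 0xB0, 0x00]) + b"Attribut"
                     + bytes([0x04]) + b"e " + bytes([0x06, 0x90]))


def compress_literals(source):
    """Constructed helper: a valid container that uses only literal tokens."""
    if not 0 < len(source) <= 3640:
        raise ValueError("helper only handles one chunk of 1..3640 source bytes")
    body = bytearray()
    for i in range(0, len(source), 8):
        body.append(0x00)            # flag byte: all eight tokens are literals
        body += source[i:i + 8]
    header = (len(body) + 2 - 3) | 0x3000 | 0x8000   # size-3, fixed 0b011, compressed
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


def vba_decompress(container):
    """Decompress an MS-OVBA CompressedContainer (the work behind oledump -v)."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 signature byte")
    out = bytearray()
    pos = 1
    while pos + 1 < len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        chunk_end = pos + (header & 0x0FFF) + 3     # size includes the 2 header bytes
        if chunk_end > len(container):
            raise ValueError("chunk size runs past end of container")
        compressed = bool(header & 0x8000)
        pos += 2
        chunk_start = len(out)
        if not compressed:                          # raw chunk: 4096 bytes copied as-is
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):                    # bit i of the flag byte describes token i
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):          # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                # Offset/length bit split depends on how much of this chunk is decoded so far.
                done = len(out) - chunk_start
                bit_count = 4
                while (1 << bit_count) < done:
                    bit_count += 1
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > done:
                    raise ValueError("copy token points before the start of the chunk")
                for _ in range(length):             # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def indicator_for(module_stream):
    """'!' when the decompressed source does not look like normal VBA (no leading
    Attribute statements), else 'M' for a recognized VBA module stream."""
    source = vba_decompress(module_stream)
    return "M" if source.lstrip().startswith(b"Attribute ") else "!"


if __name__ == "__main__":
    print(vba_decompress(SAMPLE_COPY_TOKEN))
    print(indicator_for(SAMPLE_COPY_TOKEN), indicator_for(compress_literals(b"Sub Main()\r\nEnd Sub\r\n")))
```

A module whose source has been stripped of its Attribute lines (the "AV cleaned" case) decompresses fine but fails the heuristic, which is exactly when a closer look at the stream is warranted.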
oledump_V0_0_55.zip (https)
MD5: 499B66DC3BAF86BDA4BC0370E3C18A1A
SHA256: ABEABFF0F1F5AA2239AFCDE73A676D4E8D9BA2F82C03B8663FFAB6F8D3A360E7
This is a Python 3 bug fix version.
translate_v2_5_10.zip (https)
MD5: DB9574D664257263C51FE7C74C7B281E
SHA256: E8993B3F2C25A92A9F4583636E1CEF79D79649B29FFF56EAA9AF8A30FCF9B9A6
I recently learned about the Qwerty effect on a podcast: baby names are more likely to contain characters (percentual) from the right hand on a Qwerty keyboard than characters from the left hand.
This got me wondering: what about passwords?
I wrote a Python program and let it run on the rockyou password list:
There is a qwerty effect in this list: 57% of the passwords have more letters from the right-side, and 43% from the left-side.
To decide if a password is “left” or “right”, I count the letters per password (I ignore all other characters), and if the ratio of “left” letters to the total amount of letters is higher than the ratio of “right” letters to the total amount of letters, then the password is “left”. And vice versa.
Remark that I don’t know if these passwords were created by users with a qwerty keyboard. It could be another layout. But for some layouts, the set of left and right letters doesn’t change, as with azerty for example.
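The left/right decision rule described above, implemented as an added example (not the program the post mentions): only letters count, a password is "left" when the share of left-hand letters exceeds the share of right-hand letters and "right" in the opposite case; passwords with no letters at all, and exact ties, are tallied separately so they do not skew either side. The six-entry password list is constructed for the example; pass a file path as the first argument to run it over a real list such as rockyou.

```python
import sys
from collections import Counter

# Qwerty hand split for the 26 letters (the same split holds for azerty).
LEFT = set("qwertasdfgzxcvb")
RIGHT = set("yuiophjklnm")


def classify(password):
    """Return 'left', 'right', 'tie' or 'none' for one password."""
    letters = [c for c in password.lower() if c in LEFT or c in RIGHT]  # ignore digits, symbols
    if not letters:
        return "none"
    total = len(letters)
    left = sum(1 for c in letters if c in LEFT)
    right = total - left
    if left / total > right / total:
        return "left"
    if right / total > left / total:
        return "right"
    return "tie"


def qwerty_effect(passwords):
    """Tally the classes and express left/right as percentages of decided passwords."""
    counts = Counter(classify(p) for p in passwords)
    decided = counts["left"] + counts["right"]
    result = {k: counts[k] for k in ("left", "right", "tie", "none")}
    result["left_pct"] = 100.0 * counts["left"] / decided if decided else 0.0
    result["right_pct"] = 100.0 * counts["right"] / decided if decided else 0.0
    return result


# Constructed sample list (not rockyou data).
SAMPLE = ["qwerty", "password", "monkey", "123456", "hello", "dragon", "ah"]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Password lists are rarely clean UTF-8; latin-1 never fails to decode.
        with open(sys.argv[1], encoding="latin-1") as f:
            words = [line.rstrip("\r\n") for line in f]
    else:
        words = SAMPLE
    print(qwerty_effect(words))
```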
According to Wikipedia, 1768 Kelvin is the melting point of the metal cobalt.
This tool decodes and dumps the configuration of Cobalt Strike beacons.
You can find a sample beacon here.
1768_v0_0_3.zip (https)
MD5: 73DB2E96EE5B6427AF6CCE2672F91CB2
SHA256: C06850A132B89F5E8C127E43FD5CC42051706CDF058EB2D688BC8BD3043E6E02
I did some tests to generate electricity (230V AC) with a portable 12V battery (well, it’s 10 kg).
I have a 12V VRLA battery with a capacity of 35,000 mAh. That’s 12V times 35 Ah = 420 Wh. Or equivalent to a 116,667 mAh (420,000 mWh / 3.6 V) USB powerbank.
Charging this 12V battery with a 12V battery charger connected to a 230V power outlet takes almost 7 hours (6:57) and requires 0.49 kWh. That is measured with a plug-in electricity meter with 0.01 kWh precision. And I’m working under the assumption that the power requirement of the electricity meter is so small that it can be neglected.
Then I use this fully charged battery to power a 230V 150W halogen lamp via a 12V DC to 230V AC power inverter (modified sine wave).
It runs for 2 hours (2 tests: 2:01 and 2:03) and consumes 0.30 kWh.
Of the 0.49 kWh energy I put into my system, I get 0.30 kWh out of the system. That’s 61%, or a bit better than half of the energy I put into the system.
The main phases where I expect the energy losses to occur are the 230V AC to 12V DC conversion and the electrical to chemical energy conversion (charging), and the chemical to electrical conversion and the 12V DC to 230V AC conversion (discharging). I believe the highest energy loss occurs in the power inverter.
And with energy loss, I mean energy that is converted into forms that are not directly useful to me, like heat.
Remark that the halogen lamp test stopped after 2 hours, because the power inverter stopped converting. The battery voltage was 11.5 V then, and I could still draw 1 A at 11.5 V for an hour (I stopped that test after 1 hour).
Next I’m going to try out a 12V to 5V adapter and power some USB devices.