Didier Stevens

Friday 27 May 2022

PoC: Cobalt Strike mitm Attack

Filed under: Encryption,Hacking,Malware — Didier Stevens @ 0:00

I did this about 6 months ago, but this blog post didn’t get posted back then. I’m posting it now.

I made a small Proof-of-Concept: cs-mitm.py is a mitmproxy script that intercepts Cobalt Strike traffic, decrypts it and injects its own commands.

In this video, a malicious beacon is terminated by sending it a sleep command followed by an exit command. I just included the sleep command to show that it’s possible to do this for more than one command.

I selected this malicious beacon for this PoC because it uses one of the leaked private keys, enabling the script to decrypt the metadata and obtain the necessary AES and HMAC keys.

The PoC does not support malleable C2 data transforms, but the code to do this can be taken from my other cs-* tools.
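
The key derivation and task framing such a script has to reproduce once it holds the private key, as an added example in Go (it is not part of the original post, of cs-mitm.py or of Cobalt Strike's own code): the AES and HMAC keys are the two halves of SHA-256 over the 16-byte raw key the beacon puts in its RSA-encrypted metadata; a task is serialised as id, length, payload; a task frame is timestamp, body length, tasks, AES-128-CBC under the fixed IV abcdefghijklmnop, with a 16-byte truncated HMAC-SHA256 appended. The raw key used here is constructed; the task ids 3 (exit) and 4 (sleep), the sleep payload layout and the zero padding are assumptions flagged in the comments; the mitmproxy glue, the RSA decryption of the metadata and malleable C2 data transforms are left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Beacon sends a random 16-byte raw key in its RSA-encrypted metadata. With the
// private key known, both session keys follow from SHA-256(raw key):
// the first 16 bytes are the AES-128 key, the last 16 the HMAC-SHA256 key.
func DeriveKeys(rawKey []byte) (aesKey, hmacKey []byte) {
	h := sha256.Sum256(rawKey)
	return h[:16], h[16:]
}

// Fixed IV Cobalt Strike uses for CBC encryption of tasks and callbacks.
var cbcIV = []byte("abcdefghijklmnop")

// Task ids are assumptions for this example: verify them against a decrypted
// capture (e.g. cs-parse-traffic.py output) before relying on them.
const taskExit, taskSleep uint32 = 3, 4

// encodeTask: id (4 bytes BE) || payload length (4 bytes BE) || payload.
func encodeTask(id uint32, payload []byte) []byte {
	buf := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint32(buf[0:], id)
	binary.BigEndian.PutUint32(buf[4:], uint32(len(payload)))
	copy(buf[8:], payload)
	return buf
}

// SleepTask payload (assumed layout): sleep time in ms, then jitter percent.
func SleepTask(sleepMs, jitter uint32) []byte {
	p := make([]byte, 8)
	binary.BigEndian.PutUint32(p[0:], sleepMs)
	binary.BigEndian.PutUint32(p[4:], jitter)
	return encodeTask(taskSleep, p)
}

func ExitTask() []byte { return encodeTask(taskExit, nil) }
func TaskID(task []byte) uint32 { return binary.BigEndian.Uint32(task[0:4]) }

// EncryptTasks builds a frame as the team server does: timestamp (4) || body
// length (4) || tasks, padded to the AES block size, AES-128-CBC with the fixed
// IV, then HMAC-SHA256 over the ciphertext, truncated to 16 bytes and appended.
// Beacon stops at the length field, so the padding value does not matter;
// zero bytes are an assumption here, not necessarily what the server sends.
func EncryptTasks(aesKey, hmacKey []byte, timestamp uint32, tasks ...[]byte) ([]byte, error) {
	body := bytes.Join(tasks, nil)
	plain := make([]byte, 8, 8+len(body)+aes.BlockSize)
	binary.BigEndian.PutUint32(plain[0:], timestamp)
	binary.BigEndian.PutUint32(plain[4:], uint32(len(body)))
	plain = append(plain, body...)
	if rem := len(plain) % aes.BlockSize; rem != 0 {
		plain = append(plain, make([]byte, aes.BlockSize-rem)...)
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, cbcIV).CryptBlocks(ct, plain)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(ct)
	return append(ct, mac.Sum(nil)[:16]...), nil
}

// DecryptTasks checks the truncated HMAC before decrypting (a bad tag is how
// Beacon rejects frames built with the wrong keys), then splits the body into tasks.
func DecryptTasks(aesKey, hmacKey, frame []byte) (timestamp uint32, tasks [][]byte, err error) {
	if len(frame) < 16+aes.BlockSize || (len(frame)-16)%aes.BlockSize != 0 {
		return 0, nil, errors.New("bad frame length")
	}
	ct, tag := frame[:len(frame)-16], frame[len(frame)-16:]
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil)[:16], tag) {
		return 0, nil, errors.New("HMAC mismatch")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return 0, nil, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, cbcIV).CryptBlocks(plain, ct)
	timestamp = binary.BigEndian.Uint32(plain[0:4])
	n := int(binary.BigEndian.Uint32(plain[4:8]))
	if n > len(plain)-8 {
		return 0, nil, errors.New("body length exceeds frame")
	}
	for rest := plain[8 : 8+n]; len(rest) >= 8; {
		l := int(binary.BigEndian.Uint32(rest[4:8]))
		if l > len(rest)-8 {
			return 0, nil, errors.New("task length exceeds body")
		}
		tasks = append(tasks, rest[:8+l])
		rest = rest[8+l:]
	}
	return timestamp, tasks, nil
}
```

DecryptTasks is what an interceptor applies to a team server response before rewriting it; to inject, it builds a replacement body with EncryptTasks under the same keys, for instance `EncryptTasks(aesKey, hmacKey, ts, SleepTask(10000, 0), ExitTask())` for the sleep-then-exit sequence shown in the video. The HMAC check is the reason frames built without the right keys are rejected by the beacon, and thus the reason the PoC depends on a leaked private key.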

Thursday 26 May 2022

Update: Python Templates Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 14:56

Some small updates to my Python templates.

python-templates_V0_0_7.zip (http)
MD5: 46EE756206A0A941F7B29C3551FF48FF
SHA256: 5158046371E8E925AB7A158827496BA971F24F5FE0A232AC0FDF0B10427DB98B

Update: 1768.py Version 0.0.14

Filed under: My Software,Update — Didier Stevens @ 10:12

Here is a small update of my tool to analyze Cobalt Strike beacons.

1768_v0_0_14.zip (http)
MD5: 6E8494125F4DDB044556182C8A196DD1
SHA256: D8CFCC735666D90BB160E30C7AD7100B0520FAC2929277E7B1DAD1CFFD0B3EC8

Update: pdf-parser.py Version 0.7.6

Filed under: My Software,Update — Didier Stevens @ 9:56

This new version of pdf-parser fixes a couple of bugs and has a workaround for non-compliant PDFs.

pdf-parser_V0_7_6.zip (http)
MD5: 3B6F837AF147422B1256596BCA69D737
SHA256: 34379A9987B2286706AF4C43AC72C93611AE3E9C0C571DD729EBB09C7A707A0D

Update: re-search.py Version 0.0.20

Filed under: My Software,Update — Didier Stevens @ 9:03

This new version of re-search.py brings input & output encoding to option --encoding (this was input encoding only in prior versions).

re-search_V0_0_20.zip (http)
MD5: AA8091E9F9D7C639CDB3D71C842DE6C3
SHA256: 78290F2D06D29514C2BAF95BFE9EF95AF4DDE9798EA0EE27EB800DCF4D99786A

Update: pecheck.py Version 0.7.15

Filed under: My Software,Update — Didier Stevens @ 8:26

This new version of pecheck.py, my tool to analyze PE files, brings some extra information on overlays.

pecheck-v0_7_15.zip (http)
MD5: 8D85E40E4770D9F29C08CBE3D7BE57F0
SHA256: 596848BC8BD03936604212E4CBE9545A03EE629BE6125D08A4E28068F1952961

Sunday 15 May 2022

Update: base64dump.py Version 0.0.21

Filed under: My Software,Update — Didier Stevens @ 18:37

This new version of base64dump adds decoding of NetBIOS name encoding with lowercase letters.
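
What that decoding involves, as an added example in Go that is not part of base64dump.py: NetBIOS first-level encoding (RFC 1001) splits every byte of the 16-byte name into two nibbles and sends each nibble as 'A' plus its value, so a name is 32 characters in A-P; the lowercase variant uses 'a' plus the nibble. The decoder below picks the alphabet from the first character, rejects mixed-case, odd-length and out-of-range input instead of decoding it to garbage, and splits a decoded 16-byte name into its space-padded name and suffix byte. The sample strings are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// DecodeNetBIOSName reverses NetBIOS first-level name encoding (RFC 1001):
// each byte of the name is split into two nibbles and every nibble is sent
// as 'A'+nibble (A-P); the lowercase variant uses 'a'+nibble (a-p). The
// alphabet is taken from the first character; mixed case, odd length and
// out-of-range characters are rejected.
func DecodeNetBIOSName(encoded string) ([]byte, error) {
	if len(encoded) == 0 || len(encoded)%2 != 0 {
		return nil, errors.New("encoded name must have even, non-zero length")
	}
	var base byte
	switch c := encoded[0]; {
	case c >= 'A' && c <= 'P':
		base = 'A'
	case c >= 'a' && c <= 'p':
		base = 'a'
	default:
		return nil, fmt.Errorf("invalid leading character %q", c)
	}
	out := make([]byte, len(encoded)/2)
	for i := 0; i < len(encoded); i += 2 {
		// byte subtraction wraps, so characters below base also fail the > 15 test
		hi, lo := encoded[i]-base, encoded[i+1]-base
		if hi > 15 || lo > 15 {
			return nil, fmt.Errorf("invalid pair %q at offset %d", encoded[i:i+2], i)
		}
		out[i/2] = hi<<4 | lo
	}
	return out, nil
}

// EncodeNetBIOSName is the forward direction; lower selects the a-p alphabet.
func EncodeNetBIOSName(name []byte, lower bool) string {
	base := byte('A')
	if lower {
		base = 'a'
	}
	buf := make([]byte, 0, 2*len(name))
	for _, b := range name {
		buf = append(buf, base+(b>>4), base+(b&0x0f))
	}
	return string(buf)
}

// SplitNetBIOSName separates a decoded 16-byte name into the space-padded name
// and its 16th-byte suffix (e.g. 0x00 workstation, 0x20 server, 0x1D master browser).
func SplitNetBIOSName(decoded []byte) (name string, suffix byte, ok bool) {
	if len(decoded) != 16 {
		return "", 0, false
	}
	n := 15
	for n > 0 && decoded[n-1] == ' ' {
		n--
	}
	return string(decoded[:n]), decoded[15], true
}

func main() {
	// Constructed samples: "NETBIOS" in the upper and lower alphabets, a full
	// 16-byte "WORKGROUP" name with the 0x1D suffix, and a mixed-case rejection.
	for _, s := range []string{"EOEFFEECEJEPFD", "eoeffeecejepfd", "FHEPFCELEHFCEPFFFACACACACACACABN", "EOEffe"} {
		b, err := DecodeNetBIOSName(s)
		fmt.Printf("%s -> %q err=%v\n", s, b, err)
	}
}
```

Rejecting mixed case matters when this runs as a scanner over arbitrary data: any run of letters in A-P or a-p of even length decodes to something, so the stricter the alphabet check, the fewer false positives a tool like base64dump has to present.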

base64dump_V0_0_21.zip (http)
MD5: 5701B6D9691E366ED5E2EE6D06689012
SHA256: BE939E0225C83319A31A096DA29C1CA9D3C575DCCE9C1795814B335BD0871E92

Saturday 14 May 2022

Update: oledump.py Version 0.0.67

Filed under: My Software,Update — Didier Stevens @ 10:12

This new version of oledump.py brings support for user defined properties and an update to plugin plugin_msg_summary.py.

Office documents with VSTO applications have user defined properties. These properties can be extracted with my plugin plugin_metadata.py, but not with the current version of olefile.
However, the development version of olefile can be used to extract these properties. This new version of oledump checks if the olefile module has a function to extract user defined properties (get_userdefined_properties), and if it does, it calls it when analyzing metadata:

Figure: oledump option -M with olefile supporting get_userdefined_properties
Figure: plugin_metadata

I added URL extracting to my plugin plugin_msg_summary, a plugin to summarize the content of an .msg file (Outlook email).

oledump_V0_0_67b.zip (http)
MD5: D6D1748A98AEA3D922D99415E908C609
SHA256: 092A2EA0FBB67357FC5E4D7B8E266B52EA242C147609FD025616754EAA2532E1

Friday 13 May 2022

Update: zipdump.py Version 0.0.22

Filed under: My Software,Update — Didier Stevens @ 6:44

This is just a bugfix version.

zipdump_v0_0_22.zip (http)
MD5: 68F9F3809E4E1F9ADE4A4C3835CDF475
SHA256: 92ED372579001C826D5AF31615B8334CC798FF2DA4AF8B7C46267BF7D995C757

Sunday 8 May 2022

Update: cs-parse-traffic.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 8:52

In this update for cs-parse-traffic.py, my tool to decrypt & parse Cobalt Strike traffic, I added some error handling.

cs-parse-traffic_V0_0_5.zip (http)
MD5: CFF6D97E816B23065F051D91B0F101A6
SHA256: 69763EB4D3A163824B417A0E23131B318F5E97198F255ECE449A65D4360C6302