Didier Stevens

This new tool, teeplus.py, is an extension of the tee command.

The tools takes (binary) data from stdin, and sends it to stdout, while also writing the data to a file on disk.

While the tee command requires a filename as argument, teeplus.py takes no arguments (only options).

By default, teeplus.py will write the data to a file on disk, with filename equal to the sha256 of the data and extension .vir.

And it will also log this activity in a log file (teeplus.log by default).

Here is an example.

I run curl with a request to ipify to get my current public IPv4 address:

Then I pipe this output to teeplus.py:

This results in the creation of two files inside the current directory:

The first file it the output of the curl command:

The filename is the SHA256 hash of the data with extension .vir:

The second file, teeplus.log, is a log file:

Each line in teeplus.log has 4 fields (comma separated):

1. The ISO timestamp when the activity was logged
2. The length in bytes of the data
3. The SHA256 hash of the data
4. An error message (empty string when no error occured)

A line is created for each invocation of the teeplus.py command:

When the IPv4 address changes:

And the command is executed again, a new .vir file is created (since the received data changed):

And this is reflected in the log file:

This allows you to create a log of your public IPv4 address, for example (by scheduling this command as a recurrent task).

I use it for monitoring websites, and saving a copy of the HTML page I downloaded. I will explain how in an upcoming blog post.

teeplus.py has a couple of options: you can change the extension of the saved file, and the filename of the log file. And you can also us option -n to prevent the data to be piped to stdout (or you could redirect to /dev/null).

This is something I would do when the teeplus.py command is not followed by another command.

teeplus_V0_0_1.zip (http)
MD5: 0A3704CD56BD6B3A1FF2B92FD87476FB
SHA256: 9E3CBE7323D83FFC588FD67F7B762F53189391A43EDF465C64BD0E4D8E7E8990

split-overlap.py is a tool to split a binary file in parts of a given size.

For example: split-overlap.py 1000 test.data

When test.data is a binary file with size 2500 bytes, the above command will create 2 files of 1000 bytes and one file of 500 bytes.

It’s also possible to split a file with some overlap. Like this:

The blue block represents the original file, the yellow blocks are parts of the original file without overlap, and the green blocks represent parts of the original file with some overlap.

A command to achieve this, is, for example: split-overlap.py 100M+1M dump

This will create parts of 101 MB in size, with a overlap of 1 MB.

The main reason I developed this tool, is to be able to handle very large files, like memory dumps, by tools who can not handle such large files.

Splitting up a file in smaller, equal parts is a solution, but then you run the risk (a small risk) that the pattern you are looking for, is just at the “edge”: that the file is split in such a way, that one part contains the beginning of the pattern, and the next part contains the rest of the pattern. Then your tools are unlikely to find the pattern.

I solve this with my tool by using an overlap. You just have to make sure that the size of the overlap, is larger than the pattern you are looking for.

If you want to know more, read the man page: split-overlap.py -m

split-overlap_V0_0_1.zip (http)
MD5: 77CFF0787244B3B940B07D099C26C3F1
SHA256: 3C246F35F612A43B83843F327AB4EA4EE2CADDBCEDEAD9C50540228DAB17025A

This is the release of simple_listener.py, a Python program that can accept TCP and UDP connections and react according to its configuration. It has evolved from my beta program tcp-honeypot.py, that I will no longer maintain.

Everything you could do with tcp-honeypot, can be done with simple_listener.

I use simple_listener now whenever I need a server that listens for incoming TCP and/or UDP connections. For example, I have a configuration that can accept connections from Cobalt Strike beacons using leaked private keys.

simple_listener has a full man page, explaining all configuration items and options.

simple_listener_v0_1_2.zip (http)
MD5: 8F79FCB51EE2C1EB20B0F30F022EAE47
SHA256: F0EED539775AF36FFEB9B91529AF852C833D6A2764A9B9C65998AEA577F08175

sortcanon.py is a tool to sort text files according to some canonicalization function. For example, sorting domains or ipv4 addresses.

This is actually an old tool, that I still had to publish. I just updated it to Python 3.

This is the man page:

Usage: sortcanon.py [options] [files]
Sort with canonicalization function

Arguments:
@file: process each file listed in the text file specified
wildcards are supported

Valid Canonicalization function names:
 domain: lambda x: '.'.join(x.split('.')[::-1])
 ipv4: lambda x: [int(n) for n in x.split('.')]
 length: lambda x: len(x)

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -c CANONICALIZE, --canonicalize=CANONICALIZE
                        Canonicalization function
  -r, --reverse         Reverse sort
  -u, --unique          Make unique list
  -o OUTPUT, --output=OUTPUT
                        Output file

Manual:

sortcanon is a tool to sort the content of text files according to some
canonicalization function.
The tool takes input from stdin or one or more text files provided as argument.
All lines from the different input files are put together and sorted.

If no option is used to select a particular type of sorting, then normal
alphabetical sorting is applied.

Use option -o to write the output to the given file, in stead of stdout.

Use option -r to reverse the sort order.

Use option -u to produce a list of unique lines: remove all doubles before
sorting.

Option -c can be used to select a particular type of sorting.
For the moment, 2 options are provided:

domain: interpret the content of the text files as domain names, and sort them
first by TLD, then domain, then subdomain, and so on ...

length: sort the lines by line length. The longest lines will be printed out
last.

ipv4: sort IPv4 addresses.

You can also provide your own Python lambda function to canonicalize each line
for sorting.
Remark that this involves the use of the Python eval function: do only use this
with trusted input.

sortcanon_V0_0_1.zip (http)
MD5: CC20EA756E3E0796C617830C8F91AFF4
SHA256: 42EDE51EE70A39FD0933A77B8FE119F1CA8C174336C0DA4C079B1F02C1AB33EC