Didier Stevens

Friday 22 October 2021

New Tool: cs-decrypt-metadata.py

Filed under: Announcement,Encryption,My Software,Reverse Engineering — Didier Stevens @ 0:00

cs-decrypt-metadata.py is a new tool, developed to decrypt the metadata of a Cobalt Strike beacon.

An active beacon regularly checks in with its team server, transmitting metadata (like the AES key, the username & machine name, …) that is encrypted with the team server’s private key.

This tool can decrypt this data, provided one of the following applies:

  1. you give it the file containing the private (and public) key, .cobaltstrike.beacon_keys (option -f)
  2. you give it the private key in hexadecimal format (option -p)
  3. the private key is one of the 6 keys in its repository (default behavior)

I will publish blog posts explaining how to use this tool.

Here is a quick example:

cs-decrypt-metadata_V0_0_1.zip (https)
MD5: 31F94659163A6E044A011B0D82623413
SHA256: 50ED1820DC63009B579D7D894D4DD3C5F181CFC000CA83B2134100EE92EEDD9F

Thursday 21 October 2021

“Public” Private Cobalt Strike Keys

Filed under: Encryption,Malware,My Software — Didier Stevens @ 18:05

I found 6 private keys used by malicious Cobalt Strike servers. There’s a significant number of malicious CS servers on the Internet that reuse these keys, thus allowing us to decrypt their C2 traffic. For the details, I recommend reading the following blog post I wrote: “Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1”.

I integrated these keys in the database (1768.json) of my tool 1768.py (starting version 0.0.8).

Whenever you analyze a beacon with 1768.py that uses a public key with a known private key, the report will point this out:

And when you use the verbose option, the private key will be included:

If you want to integrate these 6 keys in your own tools: be my guest. You can find these key pairs in 1768.json.

Monday 11 October 2021

Update: 1768.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version brings an update to the statistics in file 1768.json.

1768_v0_0_8.zip (https)
MD5: C410C38FC2B5F0B2C3104D7FC1D35C58
SHA256: 9374650575E0F15331CE05ACFD2BFA4CD6EBEB1497207B9B6D4B1F7A0214457D

Sunday 3 October 2021

New Tool: onion-connect-service-detection.py

Filed under: My Software,Networking — Didier Stevens @ 0:00

To better understand how nmap does service detection, I implemented a tool in Python that tries to do (more or less) the same. nmap detects what service is listening on a port by sending it probes (particular byte sequences) and matching the replies against expected responses. These probes and expected replies can be found in the file nmap-service-probes.

It allows me to experiment with service detection.

By default onion-connect-service-detection.py connects to service ports over the Tor network.

Here is an example where I use the tool to detect services on the 10 most popular ports (top:10) of example.com, with a time-out of 5 seconds.
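To illustrate the probe/match mechanism described above, here is an added example (not code from onion-connect-service-detection.py or from nmap) that parses a small, constructed excerpt written in the nmap-service-probes syntax and matches a captured reply against its match lines; the probe definitions and banners below are made up for the example and no network connection is made.

```python
import re

# Constructed excerpt in nmap-service-probes syntax (not the real file).
# "Probe" lines define what is sent; "match" lines carry a service name,
# a regex delimited as m/.../ (any delimiter) with optional flags i and s,
# followed by version fields such as p/product/ v/version/ i/info/.
SAMPLE_PROBES = r"""
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m/^220[ -].*FileZilla Server (\d[\d.]+)/ p/FileZilla ftpd/ v/$1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\d.]+)|s p/nginx/ v/$1/
"""

MATCH_RE = re.compile(r'^match (\S+) m(.)(.*?)\2([is]*)(?:\s+(.*))?$')
FIELD_RE = re.compile(r'([pvih])([/|])(.*?)\2')   # p=product v=version i=info h=hostname
FLAGS = {'i': re.IGNORECASE, 's': re.DOTALL}

def parse_probes(text):
    """Return {probe_name: [(service, compiled_bytes_regex, {field: template})]}."""
    probes, current = {}, None
    for line in text.splitlines():
        if line.startswith('Probe '):
            current = line.split()[2]          # "Probe TCP NULL q||" -> "NULL"
            probes[current] = []
        elif line.startswith('match ') and current is not None:
            m = MATCH_RE.match(line)
            if not m:
                continue                       # skip malformed match lines
            service, _, pattern, flags, rest = m.groups()
            flag_bits = 0
            for f in flags:
                flag_bits |= FLAGS[f]
            fields = {k: v for k, _, v in FIELD_RE.findall(rest or '')}
            # Replies are raw bytes, so compile the pattern as a bytes regex.
            probes[current].append((service, re.compile(pattern.encode(), flag_bits), fields))
    return probes

def identify(probes, probe_name, reply):
    """Match a raw reply (bytes) to the match lines of one probe; None if no match."""
    for service, regex, fields in probes.get(probe_name, []):
        m = regex.search(reply)
        if m:
            def expand(template):   # substitute $1, $2, ... with captured groups
                return re.sub(r'\$(\d+)',
                              lambda g: (m.group(int(g.group(1))) or b'').decode('latin-1'),
                              template)
            return {'service': service, **{k: expand(v) for k, v in fields.items()}}
    return None
```

A real run would send the probe's payload to the port, read the reply, and pass it to identify(); the matching logic is the same.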

onion-connect-service-detection_V0_0_1.zip (https)
MD5: 8C6D94E1CEE4747E18807CB95FCB1EE9
SHA256: ADC8D937522F55CC47C91E5DC01B2B7D22372E5726542DAF84134279643F8297

Wednesday 29 September 2021

Update: base64dump.py Version 0.0.17

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of base64dump brings 2 new features:

  • support for ASCII85 encoding: a85
  • selection of the largest result: -s L

base64dump_V0_0_17.zip (https)
MD5: B535A0B9E73D068380078FC5006756E8
SHA256: DDC67BEBC5C3407213673C0228E84796E6816294A029997542BA7DD9AF659C4E

Wednesday 22 September 2021

Update: re-search.py Version 0.0.18

Filed under: My Software,Update — Didier Stevens @ 0:00

This version has some Python3/Linux/MacOS fixes.

re-search_V0_0_18.zip (https)
MD5: 1BCA3B59B719FAFD6016D2F9F32F1A05
SHA256: 9E4807D3CE0EC320028AC760D3915F4FC0CBF6EC6E20FC9B2C91C54E74E6F548

Saturday 21 August 2021

Update: AnalyzePESig Version 0.0.0.8

Filed under: My Software,Update — Didier Stevens @ 11:52

This new version of AnalyzePESig, my tool to analyze the digital signature of PE files, brings some major updates:

  • Support for UNICODE filenames
  • Reintroduction of the capability to verify the signature of non-PE files, like .MSI files

And several bug fixes.

AnalyzePESig_V0_0_0_8.zip (https)
MD5: C14A2C8AA91D34F534B4F76E7014E3A9
SHA256: BCCF90BF6E4C26C33BF16DA20CF220DAE8D748B942224659DC720B35BB8EFE86

Friday 20 August 2021

Update: pdf-parser.py Version 0.7.5

Filed under: My Software,PDF,Uncategorized,Update — Didier Stevens @ 0:00

This is a bug fix version.

pdf-parser_V0_7_5.zip (https)
MD5: D39E98981E6FEA48BF61CA2F78ED0B09
SHA256: 5D970AFAC501A71D4FDDEECBD63060062226BF1D587A6A74702DDA79B5C2D3FB

Update: pdfid.py Version 0.2.8

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This is a bug fix version.

pdfid_v0_2_8.zip (https)
MD5: 9DDE1D9010D860303B03F3317DAF07B4
SHA256: 0D0AA12592FA29BC5E7A9C3CFA0AAEBB711CEF373A0AE0AD523723C64C9D02B4

Tuesday 17 August 2021

Update: oledump.py Version 0.0.62

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version brings a bug fix and an update to plugin_biff’s XOR deobfuscation.

oledump_V0_0_62.zip (https)
MD5: F16DB945970B49A60155443ED82CDE29
SHA256: 4AE5DF2CC8E8F5A395027A8056B1A33B8F05C0AB6FC18D56D46DC151BB4302FB
