This update adds option -t: it directs teeplus.py to use the timestamp as filename for saving the incoming bytes.
teeplus_V0_0_2.zip (http)This is a new tool that I use for IPv4 operations, like generating a list of CIDRs based on ASNs, checking if IPv4 addresses are members of CIDRs, …
Here is the man page:
Usage: myipaddress.py [options] command ...
IP address tool
Arguments:
@file: process each file listed in the text file specified
wildcards are supported
Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-m, --man Print manual
-u, --uniques Remove duplicates
-s, --sort Sort
-q, --quiet Quiet
-o OUTPUT, --output=OUTPUT
Output to file (# supported)
-v, --invert Invert selection
-e, --extra Include extra info
Manual:
4 commands are available: cidr2ip, asn2cidr, ipincidr and aso2cidr.
Command cidr2ip is used to generate IPv4 addresses for the given
CIDRs.
Example: myipaddress.py cidr2ip 192.168.0.0/24 10.10.10.0/30
Option -u (--unique) will remove all duplicates from the generated
list.
Option -s (--sort) will sort the list.
Command asn2cidr is used to generate a list of IPv4 CIDRs for the
given ASNs (autonomous system numbers).
Example: myipaddress.py asn2cidr 100 1234
Output:
100: 12.30.153.0/24 74.123.89.0/24 102.210.158.0/24 192.118.48.0/24
198.180.4.0/22 199.36.118.0/24 199.48.212.0/22 216.225.27.0/24
1234: 132.171.0.0/16 137.96.0.0/16 193.110.32.0/21
Option -q (--quiet) will produce a simple list of CIDRs, nothing more.
Example: myipaddress.py -q asn2cidr 1234
Output:
132.171.0.0/16
137.96.0.0/16
193.110.32.0/21
Option -u (--unique) will remove all duplicates from the generated
list.
This command requires CSV file GeoLite2-ASN-Blocks-IPv4.csv to be
present in the same folder as script myipaddress.py.
See below for more info.
Command ipincidr is used to generate a list of IPv4 addresses for the
text files.
The text files either contain a list of IPv4 addresses or a list of
IPv4 CIDRs (it can actually be a mix of both in the same file).
Then the command will produce a list for the given IPv4 addresses that
are contained in the given CIDRs.
If a line of the text file contains a / character, it is interpreted
as a CIDR, otherwise it is interpreted as a IPv4 address.
CIDRs can also be followed by an ASO with the tab character as
separator.
Example: myipaddress.py ipincidr cidrs.txt ipv4s.txt
Option -v (--inverse) will invert the logic: all given IPv4 addresses
that are NOT contained in the GIVEN CIDRs are listed.
Command aso2cidr is used to generate a list of IPv4 CIDRs for the
given ASOs substrings (autonomous system organisations).
Example: myipaddress.py aso2cidr sans-institute
Output:
SANS-INSTITUTE: 66.35.60.0/24 104.193.44.0/24
Example: myipaddress.py aso2cidr sans-institute amadeus
Output:
SANS-INSTITUTE: 66.35.60.0/24 104.193.44.0/24
Amadeus Data Processing GmbH: 82.150.224.0/21 82.150.248.0/23
168.153.3.0/24 168.153.4.0/22 168.153.8.0/23 168.153.32.0/22
168.153.40.0/22 168.153.64.0/22 168.153.96.0/24 168.153.106.0/24
168.153.109.0/24 168.153.110.0/23 168.153.144.0/22 168.153.160.0/22
171.17.128.0/18 171.17.255.0/24 185.165.8.0/23 193.23.186.0/24
193.24.37.0/24 195.27.162.0/23 213.70.140.0/24
Amadeus Soluciones Tecnologicas S.A.: 94.142.200.0/21
Amadeus is an international computer reservations system. A subsidary
is in Bangalore and t: 168.153.1.0/24
Amadeus India Pvt.Ltd.: 202.0.109.0/24
Amadeus India: 203.89.132.0/24
Option -q (--quiet) will produce a simple list of CIDRs, nothing more.
Example: myipaddress.py -q aso2cidr sans-institute
Output:
66.35.60.0/24
104.193.44.0/24
Option -e (--extra) will add the ASO (with tab character as
separator).
Example: myipaddress.py -q -e aso2cidr sans-institute
Output:
66.35.60.0/24 SANS-INSTITUTE
104.193.44.0/24 SANS-INSTITUTE
Option -u (--unique) will remove all duplicates from the generated
list.
This command requires CSV file GeoLite2-ASN-Blocks-IPv4.csv to be
present in the same folder as script myipaddress.py.
See below for more info.
File GeoLite2-ASN-Blocks-IPv4.csv can be obtained for free by creating
an account on maxmind.com and then download database known as:
GeoLite ASN: CSV Format
It's a ZIP file that contains file GeoLite2-ASN-Blocks-IPv4.csv.
I added a quota feature to virustotal-search.py’s -l (–limitrequests) option.
-l is an option to limit the number of requests: you specify the maximum number of requests to make, and virustotal-search.py will stop once that maximum is reached. Remark that virustotal-search.py does 4 hash lookups per requests, thus if your remaining quota for the day is 1000, you can use -l 250 to perform a maximum of requests without exceeding your total quota (250 = 1000 / 4).
With this new version, you can also instruct virustotal-search.py to calculate (via the API) how much remaining quota you have, and use that to decide how much queries to perform. This is done with keyword quota:. The syntax is: -l quota:groupid,maximum,reserve.
groupid is the group ID your account belongs to. For example sans_isc.
maximum is your daily API quota: how many lookups can you do in one day.
And reserve is the number of lookups you want to save: how many lookups should remain when virustotal-search.py has finished.
Let’s try an example: assume you want virustotal-search.py to do as much queries as possible, but leave a reserve of 100 lookups. Option -l will look like this: -l quota:sans_isc,10000,100.
sans_isc is your group ID, 10000 is the daily API quota, 100 is the reserve.
If you want virustotal-search.py to query your remaining quota, without doing any lookups, use string query as reserve. Like this: l quota:sans_isc,10000,query.
In this example, 3896 lookups have been consumed, and that gives 10000 – 3896 = 6104 remaining lookups. To lookup file hashes, that means there are 6104 / 4 = 1526 remaining queries.
Thus in this case, starting virustotal-search.py with option -l quota:sans_isc,10000,0 would be the same as -l 1526. The difference is that in the first case, you don’t have to calculate the value 1526, virustotal-search does this for you.
You can combine this feature with option –sleep to have virustotal-search.py use the remaining lookups at the end of the day.
For example, virustotal-search.py –sleep 01:45:00 -l quota:sans_isc,10000,10 will have virustotal-search.py wait until it’s 01:45:00 (15 minutes before UTC midnight in CEST), then query the amount of remaining lookups, and do the lookups so as not to exceed the quota and to leave 10 lookups available.
virustotal-search_V0_1_9.zip (http)I added value stdout for option -W.
-W stdout: will write all items to stdout (binary) without any end-of-line.
To include an end-of-line, specify a Python string, like this:
-W stdout:’\n’ this will add a newline to the end of the item
-W stdout:’\r’ this will add a carriage return to the end of the item
-W stdout:’\r\n’ this will add a carriage return and newline to the end of the item
I added option -u (–unique) to remove duplicates to search-for-compressions.py.
This is a bugfix version.
pecheck-v0_7_18.zip (http)This update to pngdump.py adds an index for chunks, and allows for the selection of a chunk via its index.
Although many of my tools have zero or a just a few dependencies (it’s a design decision), I’ve had requests to create a requirements file.
It is available now in Didier Stevens Suite ZIP file and on GitHub.
Some dependencies are only necessary when you actually use the corresponding feature. For example, many of my tools support YARA rules, but it’s not a mandatory requirement. If you don’t use YARA rules with my tools, you don’t need to install module yara-python.
I’ve a feature in some of my tools, that let you choose the hash algorithm.
Many of my tools calculate hashes, and for historical reasons, that is the MD5 hash.
But if you want another hash, you can change this (for some of my tools) by setting environment variable DSS_DEFAULT_HASH_ALGORITHMS.
Like for pdf-parser.py, on Windows, you can set DSS_DEFAULT_HASH_ALGORITHMS=sha256 and then the hashes of the streams will be SHA256 in stead of MD5.
This tool is still beta.
VBA compression is now supported, besides zlib compression. Option -t (–type) was added so that one can choose the compression type to search for. Possible values are zlib (default) or vba.
And shortcut #p# was added to the yara option, to predefine these rules:
rule attribute_vb_name {
strings:
$a = "Attribute VB_Name = "
condition:
$a
}
rule dir {
strings:
$a = { 01 00 04 }
condition:
$a at 0
}I’ll explain in another blog post how these features can be used to analyze MS Access databases with VBA project.
Didier Stevens 