This is a bugfix version.
pdf-parser_V0_6_8.zip (https)
MD5: 7702EEA1C6173CB2E91AB88C5013FAF1
SHA256: 3424E6939E79CB597D32F405E2D75B2E42EF7629750D5DFB39927D5C132446EF
This new version of base64dump adds support for decoding strings such as UNICODE strings (option -t).
base64dump_V0_0_8.zip (https)
MD5: 1B379A08FBC6E7686A89AF099699B076
SHA256: A81AE1AACCB168787CAF6355D582BB5096760893F5CB60E93E408A0475B4FDAC
This new version of oledump adds support for decoding strings such as UNICODE strings (option -t), and can dump strings (option -S).
oledump_V0_0_29.zip (https)
MD5: 7F98DB95E0E9FF645B8411F421387214
SHA256: E00567490A48A7749DF07F0E7ECD8FD24B3C90DC52E18AFE36253E0B37A543C5
This is an update to my Bash Bunny payload Infinite Control: it sends a CONTROL keypress every 10 seconds. I changed the LED colors, and if you uncomment line 27 the BREAK key will be used (function key 15, as some people suggested).
You can find it on HAK5’s GitHub Bash Bunny repository too.
#!/bin/bash
# Title: Infinite Control
# Author: Didier Stevens (https://DidierStevens.com)
# Version: 0.0.2 2017/09/02
# History: 0.0.1 2017/04/08 start
#          0.0.2 2017/09/02 changed LED colors, added BREAK
#
# Hit the CONTROL key every 10 seconds in an infinite loop,
# while blinking the CYAN LED with every keypress.
#
# Can be used to prevent a machine from sleeping or auto-locking.
#
# Some users have suggested to hit F15 (BREAK) instead of CTRL.
# This can be done by uncommenting line #INFINITE_KEY=BREAK.
#
# WARNING: Do not type on the machine's keyboard while this script
#          is running, or your keystrokes might become commands,
#          for example CTRL-Q: Quit
#
# Cyan ..............Hitting CONTROL key
# Yellow Blinking ...Sleeping
# Red Blinking.......Wow! We broke out of the infinite while loop!

ATTACKMODE HID

INFINITE_KEY=CTRL
#INFINITE_KEY=BREAK

# infinite while loop
while true
do
	LED SPECIAL
	QUACK $INFINITE_KEY
	sleep 1
	LED ATTACK
	sleep 9
done

# this code will never be reached
LED FAIL
A new option in this version: -x (--hex) to produce hexadecimal output.
re-search_V0_0_9.zip (https)
MD5: E9BC3AFF3FA3D6ED0F14EC4941955C2D
SHA256: 4AA92E513A478D02DD12110D3759FFCB2996A3E8A5D2D812124922C5023C3B50
This new version of byte-stats.py adds option -r (--ranges). This option prints extra information on the ranges of byte values (contiguous byte value sequences) found in the analyzed files.
Example for BASE64 data:
Number of ranges: 5
Fir. Last Len. Range
0x2b        1: +
0x2f 0x39  11: /0123456789
0x3d        1: =
0x41 0x5a  26: ABCDEFGHIJKLMNOPQRSTUVWXYZ
0x61 0x7a  26: abcdefghijklmnopqrstuvwxyz
In this example, 5 ranges are reported: they can be thought of as a kind of fingerprint for BASE64 data.
Each range is characterized by 4 properties:
Fir. (First) is the first byte value in the range.
Last is the last byte value in the range (this value is not displayed for ranges of a single byte).
Len. (length) is the number of unique byte values in the range.
Range is the printout of the byte values in the range (. is printed if the byte value is not printable).
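The range computation described above, as an added example that is not byte-stats.py's own code: it finds the contiguous byte-value ranges in any bytes object and renders them in the Fir./Last/Len./Range layout, run here on a constructed BASE64 alphabet sample.

```python
# Added example (not byte-stats.py's own code): compute the contiguous
# byte-value ranges that option -r reports, for an arbitrary bytes object.

def byte_ranges(data):
    """Return the contiguous ranges of byte values present in data as a
    list of (first, last) tuples, in ascending order."""
    ranges = []
    for b in sorted(set(data)):
        if ranges and ranges[-1][1] == b - 1:
            ranges[-1][1] = b          # extend the current range
        else:
            ranges.append([b, b])      # start a new range
    return [tuple(r) for r in ranges]

def format_ranges(data):
    """Render the ranges in the Fir./Last/Len./Range layout shown above:
    Last is left blank for single-byte ranges, and '.' stands in for
    non-printable bytes in the Range column."""
    ranges = byte_ranges(data)
    lines = ["Number of ranges: %d" % len(ranges), "Fir. Last Len. Range"]
    for first, last in ranges:
        last_col = "0x%02x" % last if last != first else "    "
        chars = "".join(chr(b) if 0x20 <= b < 0x7f else "."
                        for b in range(first, last + 1))
        lines.append("0x%02x %s %3d: %s" % (first, last_col, last - first + 1, chars))
    return "\n".join(lines)

# Constructed sample: the full BASE64 alphabet plus the '=' padding character,
# which yields the five-range fingerprint described above.
BASE64_SAMPLE = b"+/0123456789=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

if __name__ == "__main__":
    print(format_ranges(BASE64_SAMPLE))
```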
byte-stats_V0_0_6.zip (https)
MD5: CA729FF05E314A9CF5C348CB4A720F13
SHA256: 11E41F51EC9911741D71C8BC3278FA22AADBD865F2BF7BE4E73E82A7736A8FA8
I analyzed a malicious document sent by a reader of the Internet Storm Center, and to decode the payload I wanted to use my tool translate.py.
But an option was lacking: I had to combine 2 byte streams to produce the decoded payload, while translate accepts only one byte stream (file, stdin, …).
I solved my problem with a small custom Python script, but then I updated translate.py to accept a second file/byte stream (option -2).
This is how I use it to decode the payload:
translate_v2_5_0.zip (https)
MD5: 768F895537F977EF858B4D82E0E4387C
SHA256: 5451BF8A58A04547BF1D328FC09EE8B5595C1247518115F439FC720A3436519F
I’ve been tweaking some of my tools to help me analyze large password dumps, like exploit.in. I have also done such analyses with built-in Unix tools (I refer to Unix tools because I started to use Unix in the eighties, before Windows and Linux existed), but I also must be able to do this on Windows machines, where I don’t always have the option to install “Unix-for-Windows” tools like cygwin.
When I started to process the exploit.in files with my CSV tools, I ran into some problems. The data is not very clean: for example, there are lines in the dump so long that Python’s csv module errors on them. Normally the format of a line is “email-address:password”, where a colon (:) is the separator between the email address and the password. But sometimes there is no separator in the line, and sometimes there is more than 1 separator. This happens when a password contains a colon (:), and the problem is that the colon (:) is not properly escaped for a CSV parser.
That’s why I made some updates to my python-per-line.py tool.
With python-per-line’s SBC function (Separator Based Cut), I can extract passwords even if the line is too long for other parsers, if there is no separator (:), or if there is more than one separator. This is the expression I use:
SBC(line,':',2,1,[])
line is a Python variable, ':' is the separator, 2 is the number of fields, 1 is the field that needs to be selected (the index starts from 0, so 1 is the second field, i.e. the password), and [] is the value to return if there is no field with index 1. Returning [] makes python-per-line output no line at all (not even an empty line). SBC splits the line on the : separator, without taking any possible escape characters into account. It also separates the line into at most 2 fields, even if there is more than one : character. This is done from left to right, so the remaining : characters are part of the second field.
The other problem I encountered on Windows is that when I piped the output of python-per-line into count (to count passwords), the process would stop before all files were processed. It turns out that some passwords contain the CTRL-Z character (0x1A), which is the end-of-file marker, so that’s why processing stopped. I solved this problem by escaping the CTRL-Z character with a function I added to python-per-line: RIN (Repr If Needed). This is the expression I use:
RIN(SBC(line,':',2,1,[]),'\x1a')
In this case, RIN escapes its input (the first argument) with Python’s repr function if the input contains the character CTRL-Z (\x1A).
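The SBC and RIN expressions from the two passages above, as an added re-implementation that is not python-per-line's own source; the sample dump lines are constructed, and the handling of a list result (one output line per element, so [] prints nothing) is assumed from the description of [] above.

```python
# Added example: a re-implementation of the SBC and RIN helpers described
# above (not python-per-line's own source), run over constructed dump lines.

def SBC(line, separator, fieldcount, index, default):
    """Separator Based Cut: split line on separator, left to right, into at
    most fieldcount fields without honouring any escape characters, and
    return field `index`; return `default` when that field does not exist."""
    fields = line.split(separator, fieldcount - 1)
    return fields[index] if index < len(fields) else default

def RIN(value, chars):
    """Repr If Needed: return repr(value) if value contains any of chars,
    otherwise return value unchanged (non-string values pass through)."""
    if isinstance(value, str) and any(c in value for c in chars):
        return repr(value)
    return value

# Constructed sample lines mimicking an "email:password" dump, including a
# line without separator, a password with extra colons and one with CTRL-Z.
SAMPLE_LINES = [
    "alice@example.com:hunter2",
    "nocolonhere",
    "bob@example.com:pa:ss:word",
    "carol@example.com:ab\x1acd",
]

def extract_passwords(lines):
    """Apply RIN(SBC(line, ':', 2, 1, []), '\\x1a') to every line the way
    python-per-line is assumed to: a string becomes one output line, a list
    contributes one line per element, so [] produces no output at all."""
    out = []
    for line in lines:
        result = RIN(SBC(line, ':', 2, 1, []), '\x1a')
        out.extend(result if isinstance(result, list) else [result])
    return out

if __name__ == "__main__":
    for password in extract_passwords(SAMPLE_LINES):
        print(password)
```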
python-per-line can also handle gzip compressed text files, so I was able to free up a couple of gigabytes by compressing the exploit.in text files. My count program version 0.1.0 was able to count the passwords, but it required Python 64 bit and took a long time. That’s why I added sqlite3 support to count.py as a counting method.
Here is the command I used to count the passwords and create a database:
Option -c exploit-in-passwords.db instructs count.py to use a sqlite3 database on disk named exploit-in-passwords.db as the counting method instead of a Python dictionary (the default counting method).
Option --ranktop 100 makes count.py output the top 100 most frequent passwords, along with their frequency. -H prints a header, and -t prints totals.
Option -o passwords-top-100.csv makes count.py write its output to file passwords-top-100.csv, and finally, option -b makes its output also go to stdout.
Afterwards, I can use the database to print out other lists, like a top 20:
Option -z makes count.py skip reading input files: it just prints data from the database. Option -d sorts the output in descending order (by default, output is sorted by count in ascending order).
From this output, I can see that 123456 is the password with the highest frequency (a bit more than 5 million times), that there are almost 800 million passwords in total and a bit more than 200 million unique passwords.
count is a simple program: it takes text files as input and counts how many times each line appears.
A couple of years ago, I made a video:
count.py uses a Python dictionary to count items, but that requires a lot of memory to process gigabytes of data.
This new version helps with this problem by providing a count method using a database (sqlite3). By default, a dictionary is still used. But counting with a database can be selected with option -c. With option -c you can provide the name of the database to use: if the name is :memory:, the database will be created in memory. Counting with a sqlite3 database in memory requires less memory than counting with a Python dictionary, but is slower. If the name is a filename, the database will be created on disk. This is of course way slower than in memory, but can process even larger files.
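The sqlite3 counting method explained above, as an added example that is not count.py's own code: lines are counted in a table whose database name is either :memory: or an on-disk file, and the ranked top list and totals are then queried from it. The sample password lines are constructed.

```python
# Added example (not count.py's own code): counting lines in a sqlite3 table
# instead of a Python dict, with ":memory:" or an on-disk file as database
# name, plus the ranked output and totals described above.
import sqlite3

def count_lines(lines, dbname=":memory:"):
    """Count occurrences of each line in table `counts`. dbname ':memory:'
    keeps the table in RAM; any other name is a file on disk, so the counts
    persist and can be queried later without re-reading the input."""
    con = sqlite3.connect(dbname)
    con.execute("CREATE TABLE IF NOT EXISTS counts "
                "(item TEXT PRIMARY KEY, n INTEGER NOT NULL)")
    with con:  # one transaction for the whole batch: far faster than autocommit
        for line in lines:
            item = (line.rstrip("\r\n"),)
            con.execute("INSERT OR IGNORE INTO counts (item, n) VALUES (?, 0)", item)
            con.execute("UPDATE counts SET n = n + 1 WHERE item = ?", item)
    return con

def rank_top(con, top, descending=True):
    """Return the `top` (item, count) pairs, most frequent first by default;
    ties are broken by item so the ordering is deterministic."""
    order = "DESC" if descending else "ASC"
    sql = "SELECT item, n FROM counts ORDER BY n %s, item LIMIT ?" % order
    return con.execute(sql, (top,)).fetchall()

def totals(con):
    """Return (total number of lines counted, number of unique lines)."""
    return con.execute("SELECT COALESCE(SUM(n), 0), COUNT(*) FROM counts").fetchone()

# Constructed sample: a few password lines with repeats.
SAMPLE = ["123456", "password", "123456", "qwerty", "123456", "password", "letmein"]

if __name__ == "__main__":
    con = count_lines(SAMPLE)
    for item, n in rank_top(con, 3):
        print("%d\t%s" % (n, item))
    print("total %d, unique %d" % totals(con))
```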
count_v0_2_0.zip (https)
MD5: ACF1982045ABEF86FCDBA87A84F5F588
SHA256: 373DDA0B2C176624998B5907261477943F677855CCECCDD42D6BEB758F8E7B79
Clip is a useful command. Paste would be a useful command too, but unfortunately Windows has no paste command: paste would do the opposite of clip, read the clipboard and write it to stdout.
So I made my own command a couple of years ago, and yesterday I made it ready for publication.
I don’t use paste as often as clip, but sometimes I copy malware related data from my hex editor and then pipe it into my tools with paste.
Paste_V1_0_0_1.zip (https)
MD5: 2107C78DEA38EA98825BB686DB2291AD
SHA256: 329A0AA96E855219ACB99D7BC35F78CE552645F7829D1B475924F895BA614637