Didier Stevens

Sunday 20 October 2019

New Tool: simple_tcp_stats.py

Filed under: My Software,Networking — Didier Stevens @ 10:25

My new tool simple_tcp_stats.py is a Python program that reads pcap files and produces simple statistics for each TCP connection.

For the moment, it calculates the entropy of the data (without packet reassembling) of each TCP connection (both directions) and reports this with a CSV file:

ConnectionID;head;Size;Entropy;’GET ‘;364;5.42858024035;’GET ‘;426;5.46464090792;’HTTP’;3308;6.06151478505;’HTTP’;493;6.73520107812


simple_tcp_stats_V0_0_1.zip (https)
MD5: 606DB4208BBC5908D9F32A68DDF90AC6
SHA256: 68B275C58736AE450D23BEA82CC1592936E541E00726D8ED95F5CA8ACB02B7CE

Wednesday 2 October 2019

Shark Jack Capture File

Filed under: Hardware,Networking — Didier Stevens @ 0:00

I have a new toy: a “Shark Jack“. It’s a small device sold by Hak5 that performs a nmap scan (-sP) when plugged into a network port (that’s the default “payload”).

In this blog post, I’m sharing the network capture of a scan performed in this “test environment”:

The device (small black box, almost square) between the Shark Jack (SJ) and the router is my “Packet Squirrel”: a simple network capture device.

A couple of observations:

  1. The SJ was tested with its original firmware (1.0.0)
  2. The SJ will randomize its MAC address
  3. The SJ performs 2 full DHCP handshakes prior to the nmap scan
  4. The SJ listens on port 53 (tcp and udp) using dnsmasq (observed while scanning)

Example of different MAC addresses after before and after reboot:

root@shark:~# ifconfig
eth0 Link encap:Ethernet HWaddr 2E:AF:43:F2:3E:22
inet addr: Bcast: Mask:


root@shark:~# ifconfig
eth0 Link encap:Ethernet HWaddr 86:72:96:71:C3:3C
inet addr: Bcast: Mask:


And it can get quite hot while charging, as can be observed in this thermal image:

shark_jack_capture.zip (https)
MD5: 9E5C1187D64A6EC7284C06464E791F01
SHA256: 5153F5C7B559BEC1539B0395F97C5852064D7ED9309B837F11A9381EA6ED4C88

Wednesday 7 August 2019

Downloading Executables Over DNS: Capture Files

Filed under: maldoc,Networking — Didier Stevens @ 0:00

In my BruCON training “Malicious Documents For Red Teams” (October 2019), we will cover downloading of files over DNS. I Tweeted about downloading Mimikatz via DNS-over-HTTPS with an Excel sheet.

I’m not releasing the Python code to serve files via DNS, nor the VBA code to download files over DNS/DoH: this is reserved for the attendees of my training.

But here I am sharing capture files of the downloads via DNS, so that you can understand how traffic looks like, and how to detect it.

Capture files inside the ZIP container (password is infected):

  1. 1-dns-txt.pcap: downloading of files via DNS TXT records, EICAR file (binary, hexadecimal and BASE64 encoded) and Mimikatz.exe (BASE64 encoded)
  2. 2-DoH-txt.pcap: downloading of Mimikatz.exe via DNS TXT records via dns.google.com (Google’s DNS over HTTPS)
  3. 3-DoH-txt-domain-fronting.pcap: same as 2, but with domain fronting (www.google.com)
  4. 4-DoH-txt.pcapng: same as 2, but in a PCAPNG file with decryption keys
  5. 5-DoH-txt.pcapng: same as 4, but with shorter DNS TXT records (to help with decryption)

DNS_TXT_captures.zip (https)
MD5: 5DB5091B9B641E9B8DA0E29CE9870981
SHA256: 49858B8BBA851B86EAB2DB6C5F329C5B587A3B1C7EB1A1E6028BCFBCDF445ECC

Tuesday 30 July 2019

Quickpost: tcp-honeypot.py & Browser Tests

Filed under: My Software,Networking,Quickpost — Didier Stevens @ 0:00

tcp-honeypot.py is a Python program that allows you to define listeners using dictionaries: they listen on a given TCP port and process connections according to their configuration.

It started as a simple TCP honeypot, but now I use it too if I need a small network server.

For my quickpost “Quickpost: Browsers & Content-Disposition“, I needed a simple web server that would serve a page that I could fully control (headers & body).

I did this with tcp-honeypot. Dictionary dListeners (used by tcp-honeypot) defines the listeners: the keys are the TCP port numbers to listen on, and the values are dictionaries with configuration entries.

As I wanted to serve 3 different pages, I resorted to listen on 3 different ports (8080, 8081, 8082), each would serve a different page. Each dictionary for these listeners contains one entry with key THP_REPLY. Because each listener is very simple it listens for a connection and reads incoming data, discards it, and then sends its reply (regardless of input).

Here is the code to do this (file content-disposition-test.py):

#!/usr/bin/env python

__description__ = 'TCP honeypot configuration for Content-Disposition tests'
__author__ = 'Didier Stevens'
__version__ = '0.0.1'
__date__ = '2019/04/03'

Source code put in public domain by Didier Stevens, no Copyright
Use at your own risk

  2019/04/03: start


dListeners = {
    8080:    {THP_REPLY: TW_CRLF(['HTTP/1.1 200 OK', 'Content-Disposition: inline', '', 'Line 1', 'Line 2', 'Line 3'])},
    8081:    {THP_REPLY: TW_CRLF(['HTTP/1.1 200 OK', 'Content-Disposition: attachment', '', 'Line 1', 'Line 2', 'Line 3'])},
    8082:    {THP_REPLY: TW_CRLF(['HTTP/1.1 200 OK', 'Content-Disposition: attachment; filename="test.js"', '', 'Line 1', 'Line 2', 'Line 3'])},

THP_REPLY configures a listener to read incoming data when a TCP connection is established, then send a reply (the value of dictionary entry THP_ENTRY) and then close the connection. This value is a string: the HTTP message (start-line, headers and body) to be send to the browser. In stead of defining one long string with start-line, headers and body, separated with carriage return & newline (CR NL), I use convenience function TW_CRNL. When you call convenience function TW_CRNL (Terminate With CR NL) with a list of strings, it terminates each string with CR NL (\r\n) and concatenates all strings into one string, that is returned by the function.

To start the server with this configuration, I just have to run tcp-honeypot.py with content-disposition-test.py as argument.

There are other methods to do this, for example using a single port. I’ll describe these methods in an upcoming blog post.

Quickpost info

Wednesday 3 July 2019

Quickpost: nslookup Types

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

A reminder to myself, how to set a nslookup type via the command-line:

The label of the root domain is an empty string, hence a FQDN with root domain ends with a dot (.), like google.com. :

Quickpost info

Monday 20 May 2019

WebDAV, NTLM & Responder

Filed under: Encryption,Networking — Didier Stevens @ 0:00

I was trying to create a capture file with NTLM authenticated WebDAV traffic, using Responder: I couldn’t get it to work. There was WebDAV traffic, but no NTLMSSP headers.

Long story short: there’s a bug in Responder version It manifests itself when the WebDAV client sends a request with just headers, and “Content-Length: 0”, like this:

The code in Responder “sees” just “Content-Length” and waits for more packets:

I made a quick & dirty fix: break out of the loop when we see “Content-Length: 0” (servers/HTTP.py):

And now I have NTLMSSP headers:

I just start my modified version of Responder:

Generate WebDAV traffic from a Windows 7 client:

And Responder participates in the challenge:

This can of course be cracked (if the password is not too complex), with John The Ripper for example:

I also have a blog post with more details about WebDAV traffic from Windows clients.

Once I got Responder to work, I searched on Laurent’s Responder repository, and found a pull-request to fix issues with “Content-Length: 0” requests (this PR has not been merged yet). Hence I’m not going to do my own PR.

You can find the capture file here:

webdav-ntlm-responder.zip (https)
MD5: A427DDBDAF090E93BB75B7A8DE696826
SHA256: 2F92CDD7382DD3622AC1F8769CF9D065C60C235DEF764E6709C32E2C4A7554A8

Sunday 19 May 2019

Quickpost: Retrieving an SSL Certificate with nmap

Filed under: Encryption,Networking,Quickpost — Didier Stevens @ 8:28

One of my first quickposts, more than 10 years ago, was an howto: using openssl to retrieve the certificate of a web site.

Since then, nmap has a scripting engine, and there is a script to check a certificate with nmap: ssl-cert.nse.

You just have to scan the site and port for which you want to check the certificate, like this: nmap -p 443 –script ssl-cert didierstevens.com

If you want the certificate too, increase verbosity with option -v:

Checking a certificate will not work if you scan a port that is not known to provide SSL/TLS:

In that case, you have to use service discovery (-sV):


Quickpost info

Wednesday 10 October 2018

KEIHash: Fingerprinting SSH

Filed under: Encryption,My Software,Networking — Didier Stevens @ 0:00

keihash.py is a program to parse pcap files and calculate the KEIHash of SSH connections.

The KEIHash is the MD5 hash of the Key Exchange Init (KEI) data (strings). For obvious reasons, I could not call this an SSH fingerprint. This is inspired by JA3 SSL fingerprinting.

It can be used to profile SSH clients and servers. For example, the hash for the latest version of PuTTY (SSH-2.0-PuTTY_Release_0.70) is 1c5eaa56f3e4569385ae5f82a54715ee.

This is the MD5 hash of:


These are all the strings found in the Key Exchange Init packet, prefixed by their length and concatenated with separator ;.

With this, I’ve been able to identify SSH clients with spoofed banners attempting to connect to my servers.

keihash_V0_0_1.zip (https)
MD5: 674D019A739679D9659D2D512A60BDD8
SHA256: DB7471F1253E3AEA6BFD0BA38C154AF3E1D1967F13980AC3F42BB61BBB750490

Saturday 18 August 2018

Quickpost: Revisiting JA3

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

A year ago I tried out JA3. Time for a new test.

This new version no longer crashes on some packets, it’s more stable. However, there’s a bug when producing json output, which is easy to fix.

The JA3 Python program no longer matches TLS fingerprints: it produces a list of data (including fingerprint) for each client Hello packet.

Running this new version on the same pcap file as a year ago (and extracting the fingerprints) yields exactly the same result: 445 unique fingerprints, 7588 in total.

I have more matches this time when matching with the latest version of ja3fingerprint.json: 75 matches compared to 24 a year ago.

Notice that Shodan is one of the matched fingerprints.

Let’s take a closer look:

I’m looking for connections with fingerprint digest 0b63812a99e66c82a20d30c3b9ba6e06: is indeed Shodan:

Name: sky.census.shodan.io

Quickpost info

Tuesday 3 April 2018

Quickpost: Email Server Simulator

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

I needed an email server simulator to test a script I’m writing (a simple email honeypot), and found GreenMail.

It’s a Java application and can thus run on Windows too:

This is the command I used:

java -Dgreenmail.setup.test.all -Dgreenmail.users=testuser1:P#ssw0rd@example.com,testuser2:P#ssw0rd@example.com -Dgreenmail.verbose -Dgreenmail.auth.disabled -jar greenmail-standalone-1.5.7.jar

This command starts all servers (SMTP, POP3, IMAP) on the default ports + 3000 (3025, 3110, …).

I configured 2 user mailboxes, enabled verbosity and disabled authentication.

To send emails to my script, I used Outlook:

Since everything is running on the same machine using localhost (, I’m using Npcap so that I can capture loopback traffic with Wireshark (WinPcap can not capture loopback traffic).


Quickpost info

Next Page »

Blog at WordPress.com.