Didier Stevens

Tuesday 10 July 2018

Quickpost: Compiling DLLs with MinGW on Kali

Filed under: Quickpost — Didier Stevens @ 0:00

To compile the DLLs from this quickpost with MinGW on Kali, you first have to install MinGW.

Issue this command: apt install mingw-w64

Compile for 64-bit: x86_64-w64-mingw32-gcc -shared -o DemoDll.dll DemoDll.cpp

Compile for 32-bit: i686-w64-mingw32-gcc -shared -o DemoDll-x86.dll DemoDll.cpp

Option -shared is required to produce a DLL in stead of an EXE.


Quickpost info


 

Wednesday 27 June 2018

Quickpost: Decoding Certutil Encoded Files

Filed under: My Software,Quickpost — Didier Stevens @ 0:00

As I showed a colleague, it’s easy to analyze a file encoded with certutil using my base64dump.py tool:

Just use option -w to ignore all whitespace, and base64dump.py will detect and decode the base64 string.

As can be seen in the screenshot, it’s a file starting with MZ: probably a PE file.

We can confirm this with my YARA rule to detect PE files:

Or use pecheck.py:

 


Quickpost info


Wednesday 6 June 2018

Quickpost: John & Dummy Hashes

Filed under: Quickpost — Didier Stevens @ 0:00

I knew you could use dummy hashes with John the Ripper (to test rules, for example), I’ve seen it mentioned in the help. It took me some time however to figure out the exact format of a dummy hash.

It’s like this:

$dummy$48336c6c30

48336c6c30 is the hexadecimal representation of string H3ll0.

The hexadecimal string following $dummy$ has to use lowercase letters. If you use uppercase letters, you’ll get the dreaded “No password hashes loaded (see FAQ)”.

Here is an example using l33t rules:

 


Quickpost info


Monday 28 May 2018

Quickpost: Windows Debugger as Post Mortem Debugger – 32-bit & 64-bit

Filed under: Quickpost,Reverse Engineering — Didier Stevens @ 0:00

I was following Microsoft’s advice to install WinDbg as a post mortem debugger, but didn’t get the expected results.

It turns out that WinDbg x64 version will register itself as the post mortem debugger for 64-bit and 32-bit processes, and not just for 64-bit processes:

Of course, WinDbg x86 version will register itself only for 32-bit processes:

So to make sure that WinDbg x64 version will debug only 64-bit processes and WinDbg x86 version will debug 32-bit processes, run the post mortem registration commands in this order:

"c:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -I
"c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe" -I

And of course, run the commands from an elevated command prompt, as you’ll need to write to the HKLM hive. Otherwise you’ll get a reminder:

 


Quickpost info


Tuesday 3 April 2018

Quickpost: Email Server Simulator

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

I needed an email server simulator to test a script I’m writing (a simple email honeypot), and found GreenMail.

It’s a Java application and can thus run on Windows too:

This is the command I used:

java -Dgreenmail.setup.test.all -Dgreenmail.users=testuser1:P#ssw0rd@example.com,testuser2:P#ssw0rd@example.com -Dgreenmail.verbose -Dgreenmail.auth.disabled -jar greenmail-standalone-1.5.7.jar

This command starts all servers (SMTP, POP3, IMAP) on the default ports + 3000 (3025, 3110, …).

I configured 2 user mailboxes, enabled verbosity and disabled authentication.

To send emails to my script, I used Outlook:

Since everything is running on the same machine using localhost (127.0.0.1), I’m using Npcap so that I can capture loopback traffic with Wireshark (WinPcap can not capture loopback traffic).

 


Quickpost info


Tuesday 27 March 2018

Quickpost: Using Suricata on Windows

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

I like to be able to get work done, regardless of the machine I’m using. That’s why I installed Suricata on Windows to help me develop rules.

Here is the process:

Installing Suricata with default settings:

Now that I installed Suricata in the programs folder, I’m going to create a folder with my configurations, rules and test captures. Let’s say that folder is C:\Suricata.

In that folder, I create folders log, rules and projects.

In folder rules, I copy the content of the rules folder in the Suricata programs directory.

threshold.config is an empty file, and suricata.yaml is a copy of suricata.yaml found inside the Suricata programs directory.

You can find the modifications I make to suricata.yaml on GitHub. Of course, you can make more configuration changes, this is just a minimum.

Then, for each project or test, I create a folder in folder projects. Like this mimikatz folder:

I use the following BAT file to start Suricata with my rules and my capture file:

“C:\Program Files (x86)\Suricata\suricata.exe” -c ..\..\suricata.yaml -S mimikatz.rules -l logs -k none -v -r drsuapi-DsGetNCChanges.pcap
pause

With option -S I use my rule file mimikatz.rules (exclusively, no other rule file will be loaded), option -l logs uses my local logs directory to write the log files, -k none disable checksum checks, -v means verbose and -r .pcap reads my capture file for processing by Suricata.

If you get this error:

you need to install WinPcap. Here is the installation with default options:

Then you will get output like this:

When you use option -s in stead of -S, your rule will be loaded together with the rules configured in the configuration file. This will give you warnings, because the rule files are missing:

You can download rules from Emerging Threats and extract the files from the rules folder to your C:\Suricata\rules folder.

Of course, you can also process your capture file without explicit rule:

Please post a comment if you want to share your own preferred configuration options.

 


Quickpost info


Monday 26 February 2018

Quickpost: Using nmap With Tallow (Tor proxy)

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Here’s how I used nmap with Tallow on Windows, a transparent Tor proxy:

ICMP is not supported by the Tor network (hence -Pn) neither SYN scanning (hence TCP scanning -sT).

Flag “Force web-only” blocks all ports except 80 and 443, hence why port 22 is filtered.

 


Quickpost info


Monday 5 February 2018

Quickpost: Remote Shell On Windows Via Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Creating a Tor onion service (aka hidden service) on a Windows Tor client.

I download the Tor expert bundle (this works with the Tor Browser too).

I create Tor configuration file torrc with these lines:

HiddenServiceDir C:\demo\Tor\service
HiddenServicePort 8662 127.0.0.1:12345

When Tor is started, folder C:\demo\Tor\Service will be created and populated with a couple of files (file hostname contains the .onion address created by Tor for this onion service).

The onion service will be listening on port 8662, and traffic will be forwarded to 127.0.0.1 port 12345.

It is possible to enable client authorization for this service (without client authorization, everybody who knows the .onion address and the port can connect to it). Basic client authorization uses a shared secret, and is configured with this line (torrc):

HiddenServiceAuthorizeClient basic testuser

I choose testuser as name for the client.

I start Tor with configuration file torrc like this: tor.exe -f torrc

The .onion address and client authorization cookie can be found in file hostname in the service folder:

nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g # client: testuser

Keep the authorization cookie secret of course, I show it here for the demo.

Now start the service on the target Windows machine with nc.exe (I downloaded nc.exe years ago, I don’t have the original URL anymore, my version is 1.11 with MD5 ab41b1e2db77cebd9e2779110ee3915d):

nc -e cmd.exe -L -s 127.0.0.1 -p 12345

Tor expert bundle and nc.exe have no extra dependencies (like DLLs), and can be executed as normal user.

Now the target machine is ready.

On another machine, I start Tor with a configuration file containing the authorization cookie:

HidServAuth nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g

And then I run ncat, because ncat.exe supports socks5 proxies (nc.exe doesn’t):

ncat.exe --proxy 127.0.0.1:9050 --proxy-type socks5 nybjuivgocveiyeq.onion 8662

This gives me a remote shell:

Remark that this does not work with version 7.60, apparently because of a regression bug:

libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket.

 


Quickpost info


Saturday 3 February 2018

Quickpost: Code To Connect To Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 20:16

I wanted a program to connect to Tor Onion Services (aka hidden services). It’s written in Python and uses the PySocks module:


import socks

PROXYHOST = 'localhost'
PROXYPORT = 9050

HOST = 'duskgytldkxiuqc6.onion'
PORT = 80

print('[*] Creating socket')
oSocket = socks.socksocket()

print('[*] Setting SOCKS5 proxy %s %s' % (PROXYHOST, PROXYPORT))
oSocket.set_proxy(socks.SOCKS5, PROXYHOST, PROXYPORT)

print('[*] Connecting %s %s' % (HOST, PORT))
oSocket.connect((HOST, PORT))

print('[*] Sending')
data = ['GET / HTTP/1.1', 'Host: %s' % HOST]
data = '\r\n'.join(data) + '\r\n\r\n'
print(data)
oSocket.sendall(data.encode('ascii'))

print('[*] Receiving')
print(oSocket.recv(0x1000))

print('[*] Closing')
oSocket.close()

print('[*] Done')

In line 13 I configure the socksocket to use Tor as a SOCKS5 proxy (Tor needs to be running).

From that line on, the code is the same as for the build-in socket module:


import socket

...
print('[*] Creating socket')
oSocket = socket.socket()

...

In this first example I build an HTTP GET request, that is something that doesn’t have to be done when module requests is used:


import requests

PROXYHOST = 'localhost'
PROXYPORT = 9050

HOST = 'duskgytldkxiuqc6.onion'

url = 'http://' + HOST
print('[*] Requesting %s' % url)
print(requests.get(url, proxies={'http': 'socks5h://%s:%s' % (PROXYHOST, PROXYPORT), 'https': 'socks5h://%s:%s' % (PROXYHOST, PROXYPORT)}).text)

print('[*] Done')


Quickpost info


Sunday 21 January 2018

Quickpost: Retrieving Malware Via Tor On Windows

Filed under: Malware,Quickpost — Didier Stevens @ 22:46

I sometimes retrieve malware over Tor, just as a simple trick to use another IP address than my own. I don’t do anything particular to be anonymous, just use Tor in its default configuration.

On Linux, its easy: I install tor and torsocks packages, then start tor, and use wget or curl with torsocks, like this:

torsocks wget URL

torsocks curl URL

On Windows, its a bit more difficult, because the torsocks trick doesn’t work.

I run Tor (Windows Expert Bundle) without any configuration:

This will give me a Socks listener, that curl can use:

curl --socks5-hostname 127.0.0.1:9050 http://www.didierstevens.com

option –socks5-hostname makes curl use the Socks listener provided by Tor to make connections and perform DNS requests (option –socks5 does not use the Socks listener for DNS request, just for connections).

wget has no option to use a Socks listener, but it can use an HTTP(S) proxy.

Privoxy is a filtering proxy that I can use to help wget to talk to Tor like this.

I make 2 changes to Privoxy’s configuration config.txt:

1) I change line 811 from “toggle 1” to “toggle 0” to configure Privoxy as a normal proxy, without filtering.

2) I add this line 1363: “forward-socks5t / 127.0.0.1:9050 .”, this makes Privoxy use Tor.

Then I launch Privoxy:

And then I can use wget like this:

wget -e use_proxy=yes -e http_proxy=127.0.0.1:8118 -e https_proxy=127.0.0.1:8118 URL

Port 8118 is Privoxy’s port. If you want, you can also put these options in a configuration file.

Often, my wget command will be a bit more complex (I’ll explain this in another blog post, but it’s based on this ISC diary entry):

wget -d -o 01.log -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -e use_proxy=yes -e http_proxy=127.0.0.1:8118 -e https_proxy=127.0.0.1:8118 --no-check-certificate URL

 

I can also use Tor browser in stead of Tor, but then I need to connect to port 9150.


Quickpost info


Next Page »

Blog at WordPress.com.