Didier Stevens

Monday 28 September 2020

Quickpost: USB Passive Load

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

I just received a USB passive load. It’s basically 2 resistors connected to the USB power wires in parallel, each with a switch in series:

It can draw approximately 1, 2 or 3 amps (depending on switch positions) from a 5 volt USB source.

The resistors are rated for 10 Watts, and will become very hot. Ohm's law puts about 5,3 W in the 4,7 ohm resistor and about 11,4 W in the 2,2 ohm resistor at 5 volts, so the 2 amp position alone already runs its resistor above its rating.

The resistor for 1 amp (4,7 ohms, tolerance 5%) maxed out my FLIR One thermal camera (> 150 °C), but I could measure around 220°C (that's close to 451°F) with another thermal imaging camera.

The second resistor (2 amps: 2,2 ohms, tolerance 5%) maxed out that other thermal camera too: this one got hotter than 280°C.

I’m referring to 451°F, because presumably, that’s the temperature to ignite paper. Something I’ll have to test out in safe conditions.

I also measured the resistors, and they are well within tolerance:

Here is a short thermal imaging video of the first resistor heating up:


Quickpost info


Sunday 27 September 2020

Quickpost: Ext2explore

Filed under: Quickpost — Didier Stevens @ 17:17

I was looking for a solution to read my Wifi Pineapple’s recon.db file from the SD card (ext2 formatted) on my Windows 10 machine.

The solution I went with is Ext2explore, a tool that can access ext2 volumes.

 

You have to run it as administrator, otherwise the tool will not be able to get raw access to the ext2 volume:

 

When you run the tool as administrator, you see your volumes. Mine is an SD card:

I can then explore the content and save file recon.db to a folder on my Windows 10 machine:
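Before trusting any third-party ext2 tool with a card, it is worth checking that the volume really is plain ext2 (and not ext3/ext4, which an ext2-only reader can misinterpret). The following is an added example, not code from the post or from Ext2explore: a minimal parser for the ext2 superblock that lives 1024 bytes into the volume. It works on an image file or, from an elevated prompt, on a raw device; the sample superblock is constructed for the example, and the volume name and counts in it are invented.

```python
import struct

EXT2_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024        # the superblock always starts 1 KiB into the volume
FEATURE_COMPAT_HAS_JOURNAL = 0x0004
FEATURE_INCOMPAT_RECOVER = 0x0004
FEATURE_INCOMPAT_EXTENTS = 0x0040


def parse_superblock(sb):
    """Decode the fields an analyst cares about from a 1024-byte ext2 superblock."""
    if len(sb) < 1024:
        raise ValueError("superblock needs 1024 bytes")
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError(f"bad magic {magic:#06x}, not an ext2/3/4 superblock")
    (inodes, blocks, _reserved, free_blocks, free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    blocks_per_group, _frags, inodes_per_group = struct.unpack_from("<3I", sb, 32)
    state = struct.unpack_from("<H", sb, 58)[0]
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    info = {
        "block_size": 1024 << log_block_size,
        "blocks": blocks, "free_blocks": free_blocks,
        "inodes": inodes, "free_inodes": free_inodes,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group, "inodes_per_group": inodes_per_group,
        "clean": (state & 1) == 1,          # EXT2_VALID_FS: cleanly unmounted
        "rev_level": rev_level,
        "inode_size": 128, "volume_name": "", "uuid": None,
        "feature_compat": 0, "feature_incompat": 0, "feature_ro_compat": 0,
    }
    if rev_level >= 1:                      # EXT2_DYNAMIC_REV adds these fields
        info["inode_size"] = struct.unpack_from("<H", sb, 88)[0]
        (info["feature_compat"], info["feature_incompat"],
         info["feature_ro_compat"]) = struct.unpack_from("<3I", sb, 92)
        info["uuid"] = sb[104:120].hex()
        info["volume_name"] = sb[120:136].split(b"\0", 1)[0].decode("utf-8", "replace")
    compat, incompat = info["feature_compat"], info["feature_incompat"]
    # Feature flags tell ext2 apart from its successors sharing the same magic.
    if incompat & FEATURE_INCOMPAT_EXTENTS:
        info["fs_guess"] = "ext4"
    elif compat & FEATURE_COMPAT_HAS_JOURNAL:
        info["fs_guess"] = "ext3"
    else:
        info["fs_guess"] = "ext2"
    info["needs_recovery"] = bool(incompat & FEATURE_INCOMPAT_RECOVER)
    return info


def read_superblock(path):
    r"""Read the superblock from an image file or a raw device such as
    \\.\PhysicalDrive1 on Windows (needs an elevated prompt, just like
    Ext2explore). The 1024-byte offset is relative to the partition start, so
    add the partition offset when reading a whole-disk device."""
    with open(path, "rb") as f:
        f.seek(SUPERBLOCK_OFFSET)
        return f.read(1024)


def build_sample_superblock(volume_name=b"PINEAPPLE", compat=0, incompat=0x0002):
    """Constructed test input: a rev-1 ext2 superblock with plausible, invented values."""
    sb = bytearray(1024)
    struct.pack_into("<7I", sb, 0, 25600, 102400, 5120, 90000, 25000, 0, 2)  # 4 KiB blocks
    struct.pack_into("<3I", sb, 32, 32768, 32768, 8192)
    struct.pack_into("<HH", sb, 56, EXT2_SUPER_MAGIC, 1)      # magic, state = clean
    struct.pack_into("<I", sb, 76, 1)                          # rev_level 1
    struct.pack_into("<IH", sb, 84, 11, 256)                   # first_ino, inode_size
    struct.pack_into("<3I", sb, 92, compat, incompat, 0)
    sb[104:120] = bytes(range(16))
    sb[120:120 + len(volume_name)] = volume_name
    return bytes(sb)


if __name__ == "__main__":
    import sys
    sb = read_superblock(sys.argv[1]) if len(sys.argv) > 1 else build_sample_superblock()
    for key, value in parse_superblock(sb).items():
        print(f"{key:18} {value}")
```

Run it against the SD card image (or the raw device from an administrator prompt) and look at fs_guess and needs_recovery: a journal flag or a pending recovery means the card was written by something newer than ext2, and a plain ext2 reader may show stale data.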


Quickpost info


Thursday 10 September 2020

Quickpost: dig On Windows

Filed under: Quickpost — Didier Stevens @ 12:40

I found out there’s a dig command for Windows.

I group small tools like this inside a bin folder. But dig relies on a set of DLLs that Windows must be able to find, either via the PATH or (checked first) in the same folder as dig.exe, so I put them in the same bin folder.

These are the DLLs dig.exe needs:

  • libbind9.dll
  • libcrypto-1_1-x64.dll
  • libdns.dll
  • libirs.dll
  • libisc.dll
  • libisccfg.dll
  • libuv.dll
  • libxml2.dll

I used procmon on my Win10 machine to figure out which DLLs are needed, as you get no error message (there’s probably a registry setting for that).

I do have a Windows 7 VM, that I can also use to figure out which DLLs are missing because it displays an error message:

And you might also need to install the Visual C++ redistributable that is included with the downloaded ZIP:

And now I can run dig from my bin folder:
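procmon shows the DLLs at load time; the same list can be read statically from the executable's import directory, which is the check I reach for first when a tool silently exits. The following is an added example, not code from the post: a small PE import-table walker written with nothing but the struct module, plus a constructed minimal PE32+ image used as test input (it is not a runnable program, just headers and an import directory). Only direct imports are listed; libbind9.dll and friends have their own imports, so recurse into each DLL if you want everything procmon would show.

```python
import struct
import sys


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def imported_dlls(data):
    """Return the DLL names in the import directory of a PE file given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, opt + ndirs_off)[0] < 2:
        return []
    # Data directory index 1 is the import directory (RVA, size).
    imp_rva = struct.unpack_from("<I", data, opt + dirs_off + 8)[0]
    if imp_rva == 0:
        return []
    sections = []
    sec = opt + opt_size
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dlls = []
    off = _rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
        # ForwarderChain, Name (RVA), FirstThunk; an all-zero entry ends the list.
        desc = struct.unpack_from("<IIIII", data, off)
        if not any(desc):
            break
        name_off = _rva_to_offset(desc[3], sections)
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace"))
        off += 20
    return dlls


def build_minimal_pe(dlls):
    """Constructed test input: a tiny PE32+ image whose only content is an
    import directory naming the given DLLs. Not a runnable program."""
    sec_va, sec_raw = 0x1000, 0x400
    desc_len = 20 * (len(dlls) + 1)
    names, name_rvas = b"", []
    for dll in dlls:
        name_rvas.append(sec_va + desc_len + len(names))
        names += dll.encode("ascii") + b"\0"
    body = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas)
    body += b"\0" * 20 + names
    body += b"\0" * (-len(body) % 0x200)                  # pad to FileAlignment
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)        # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, sec_raw)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, sec_va, desc_len)    # import directory entry
    section = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_va, len(body),
                          sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(sec_raw, b"\0")
    return headers + body


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        for name in imported_dlls(f.read()):
            print(name)
```

Point it at dig.exe and compare the output with what is in the bin folder; anything missing from both the folder and the PATH is what made the tool exit without a message on Windows 10.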


Quickpost info


Wednesday 9 September 2020

Quickpost: Downloading Files With Windows Defender & User Agent String

Filed under: Quickpost — Didier Stevens @ 7:29

@mohammadaskar2 found out you can use Windows Defender to download arbitrary files. Like this:

"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\mpcmdrun.exe" -DownloadFile -url http://didierstevens.com/index.html -path test.html

This command uses MpCommunication as User Agent String:

Update: this download feature has been disabled.
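The LOLBin use above is worth a detection rule even though the feature was later removed. The following is an added example, not code from the post or from @mohammadaskar2: two checks run over constructed JSON-lines telemetry (a process-creation feed and a proxy feed, both invented for the example). The first flags MpCmdRun.exe launched with -DownloadFile and extracts the URL; the second flags the MpCommunication User-Agent string talking to a host outside an assumed allow-list of Microsoft domains, which you should replace with a baseline from your own proxy logs.

```python
import json
import re

# Assumed allow-list of where Defender's own "MpCommunication" traffic legitimately
# goes. This is an assumption for the example; build it from your own proxy baseline.
ALLOWED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")


def _host_allowed(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def check_process(ev):
    """Flag MpCmdRun.exe used as a downloader (-DownloadFile) and pull out the URL."""
    image = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1]
    cmdline = ev.get("cmdline", "")
    if image.lower() == "mpcmdrun.exe" and "-downloadfile" in cmdline.lower():
        m = re.search(r"-url\s+(\S+)", cmdline, re.IGNORECASE)
        return {"rule": "mpcmdrun_downloadfile", "url": m.group(1) if m else None,
                "parent": ev.get("parent")}
    return None


def check_proxy(ev):
    """Flag Defender's User-Agent string talking to a non-Microsoft host."""
    if ev.get("user_agent") == "MpCommunication" and not _host_allowed(ev.get("host", "")):
        return {"rule": "mpcommunication_ua_nonms", "host": ev["host"], "url": ev.get("url")}
    return None


def scan(lines):
    """Run both rules over JSON-lines events; return the list of alerts in order."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        check = {"process_create": check_process, "proxy": check_proxy}.get(ev.get("event"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs): a benign scan, the download trick,
# Defender talking to Microsoft, and the same User-Agent talking somewhere else.
MPCMDRUN = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe"
SAMPLE_LOG = [json.dumps(e) for e in [
    {"event": "process_create", "image": MPCMDRUN, "parent": "svchost.exe",
     "cmdline": f'"{MPCMDRUN}" -Scan -ScanType 1'},
    {"event": "process_create", "image": MPCMDRUN, "parent": "cmd.exe",
     "cmdline": f'"{MPCMDRUN}" -DownloadFile -url http://didierstevens.com/index.html -path test.html'},
    {"event": "proxy", "user_agent": "MpCommunication", "host": "wdcp.microsoft.com",
     "url": "https://wdcp.microsoft.com/"},
    {"event": "proxy", "user_agent": "MpCommunication", "host": "didierstevens.com",
     "url": "http://didierstevens.com/index.html"},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The process rule is the cheap one: the command line carries both the URL and the output path, so it also tells you what to go and retrieve from the host. The proxy rule needs tuning, because Defender genuinely uses that User-Agent for its own cloud traffic.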


Quickpost info


Sunday 12 July 2020

Quickpost: curl

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Since I learned that Windows 10 has curl pre-installed now, I notice I use it more often.

Here are some quick notes, mainly for myself:

 

Using Tor:

curl --socks5-hostname 127.0.0.1:9050 http://didierstevens.com

Option --socks5-hostname uses the SOCKS5 protocol and has the proxy resolve the hostname (instead of looking it up via local DNS). With Tor that is what you want: the target's name never reaches your local resolver, so there is no DNS leak.

 

Removing the User-Agent header:

curl --header "User-Agent:" http://didierstevens.com

Option --header (-H) can also be used to remove a header: provide the header name followed by a colon and no value. (A name followed by a semicolon, like "User-Agent;", does something different: it sends the header with an empty value.)

 

Using a custom User-Agent header (-A, --user-agent):

curl --user-agent "Mozilla/5.0 DidierStevens" http://didierstevens.com

 

Saving received data:

curl --dump-header 01.headers --output 01.bin.vir --trace 01.trace --trace-time http://didierstevens.com

Option --dump-header (-D) saves the response headers, option --output (-o) saves the body, --trace creates a full hex trace of everything sent and received, and --trace-time adds timestamps to the trace file.

 

Option to ignore certificate errors: -k, --insecure. This disables TLS certificate verification completely, so use it only when fetching from endpoints you already consider hostile (a sample download), never for anything where the server's identity matters.

 

Putting it all together:

curl --socks5-hostname 127.0.0.1:9050 --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" --insecure --dump-header 01.headers --output 01.data --trace 01.trace --trace-time https://didierstevens.com

 


Quickpost info


Monday 18 May 2020

Quickpost: curl And SSPI Proxy Authentication

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

curl built with the SSPI feature supports integrated authentication to a proxy: you don't need to provide credentials.

The command is the following:

curl --proxy proxyname:8080 --proxy-ntlm -U : https://www.didierstevens.com/index.html

This curl command uses a proxy (--proxy) and authenticates to the proxy with NTLM (--proxy-ntlm) without providing explicit credentials (-U :, the short form of --proxy-user).

curl will use SSPI to perform integrated authentication to the proxy, with the credentials of the logged-on Windows user. This is explained on curl's man page:

If you use a Windows SSPI-enabled curl binary and do either Negotiate or NTLM authentication then you can tell curl to select the user name and password from your environment by specifying a single colon with this option: “-U :”.

curl’s SSPI feature can also be used to authenticate to an internal IIS server.

Windows' built-in curl version supports SSPI. You can check with curl --version: SSPI is listed on the Features line when your build supports it:

 


Quickpost info


Saturday 9 May 2020

Quickpost: Go: Building For Multiple Operating Systems

Filed under: Quickpost — Didier Stevens @ 11:34

To compile a Go program for multiple operating systems on a single machine, set environment variables GOOS and GOARCH accordingly.

GOOS (Go Operating System):

  • set GOOS=windows
  • set GOOS=linux
  • set GOOS=darwin

GOARCH (Go Architecture):

  • set GOARCH=386
  • set GOARCH=amd64

More values here.

Example program:

package main

import "fmt"

func main() {
	fmt.Printf("hello, world\n")
}

Build command on Windows for Linux 32-bit ELF file:
set GOOS=linux
set GOARCH=386
c:\Go\bin\go.exe build -o program.exe program.go
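As an added example that is not the post's code, the same mechanism driven for a whole matrix of targets from one script: GOOS and GOARCH are passed as environment overrides to go build, CGO_ENABLED=0 is set so the cross-build does not need a cross C toolchain (a choice of mine, not from the post), and Windows outputs get the .exe suffix while the others do not. The -trimpath flag is also my addition; it keeps local paths out of the binary.

```python
import os
import shutil
import subprocess

# Targets to build: the GOOS/GOARCH values from the post, plus darwin/amd64.
TARGETS = [("windows", "386"), ("windows", "amd64"),
           ("linux", "386"), ("linux", "amd64"),
           ("darwin", "amd64")]


def output_name(base, goos, goarch):
    """Per-target file name; only Windows binaries get the .exe suffix."""
    return f"{base}-{goos}-{goarch}" + (".exe" if goos == "windows" else "")


def build_commands(src, base, targets=TARGETS):
    """The (environment overrides, argv) pairs needed to build every target."""
    cmds = []
    for goos, goarch in targets:
        env = {"GOOS": goos, "GOARCH": goarch, "CGO_ENABLED": "0"}
        argv = ["go", "build", "-trimpath", "-o", output_name(base, goos, goarch), src]
        cmds.append((env, argv))
    return cmds


def build_all(src, base, targets=TARGETS):
    """Run go build once per target, merging the overrides into the current environment."""
    if shutil.which("go") is None:
        raise RuntimeError("go toolchain not found in PATH")
    built = []
    for env, argv in build_commands(src, base, targets):
        subprocess.run(argv, env={**os.environ, **env}, check=True)
        built.append(argv[-2])
    return built


if __name__ == "__main__":
    for name in build_all("program.go", "program"):
        print("built", name)
```

Because the overrides are merged into a copy of os.environ for each subprocess, nothing leaks between targets and the caller's shell keeps its own GOOS/GOARCH.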


Quickpost info


Monday 4 May 2020

Quickpost: Empty ZIP File

Filed under: Quickpost — Didier Stevens @ 0:00

As a reminder to myself, here is the hexdump of an empty ZIP file: 50 4B 05 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

And here is the cut-bytes.py command to generate an empty ZIP file:

C:\Demo>cut-bytes.py -a : #e#'PK'+0x0506+repeat(0x12,0x00)
00000000: 50 4B 05 06 00 00 00 00 00 00 00 00 00 00 00 00 PK..............
00000010: 00 00 00 00 00 00                               ......
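Those 22 bytes are the End Of Central Directory record and nothing else. The following is an added example, not code from the post or from cut-bytes.py: it builds the same bytes with struct, verifies that Python's zipfile accepts them as a ZIP with no entries, and locates the EOCD record the way a parser has to, scanning backwards from the end and accepting a signature only when its declared comment length lands exactly on the end of the data. That last check matters because the comment field can itself contain the PK 05 06 bytes, and because anything may precede the record (which is how appended and polyglot ZIPs work).

```python
import io
import struct
import zipfile

EOCD_SIGNATURE = b"PK\x05\x06"          # 50 4B 05 06 on disk
EOCD_FORMAT = "<4sHHHHIIH"              # 22 bytes, little-endian


def build_empty_zip(comment=b""):
    """Smallest valid ZIP: one End Of Central Directory record and no entries."""
    return struct.pack(EOCD_FORMAT, EOCD_SIGNATURE, 0, 0, 0, 0, 0, 0, len(comment)) + comment


def parse_eocd(data):
    """Locate and decode the EOCD record at the end of a ZIP container.

    The record may only be followed by its comment (up to 65535 bytes), so a
    candidate signature is accepted only if record + comment ends exactly at
    the end of the data; a PK 05 06 inside the comment is thereby rejected.
    """
    pos = len(data) - 22
    while pos >= 0:
        if data[pos:pos + 4] == EOCD_SIGNATURE:
            (_, disk, cd_disk, entries_disk, entries_total,
             cd_size, cd_offset, comment_len) = struct.unpack_from(EOCD_FORMAT, data, pos)
            if pos + 22 + comment_len == len(data):
                return {"offset": pos, "disk": disk, "cd_disk": cd_disk,
                        "entries_disk": entries_disk, "entries_total": entries_total,
                        "cd_size": cd_size, "cd_offset": cd_offset,
                        "comment": data[pos + 22:]}
        pos -= 1
    raise ValueError("no End Of Central Directory record found")


def is_empty_zip(data):
    """True when the container parses and its central directory declares zero entries."""
    eocd = parse_eocd(data)
    return eocd["entries_total"] == 0 and eocd["cd_size"] == 0


def names_in(data):
    """Entry names as Python's zipfile sees them (cross-check against the EOCD)."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


if __name__ == "__main__":
    blob = build_empty_zip()
    print(blob.hex(" ").upper())
    print(names_in(blob), parse_eocd(blob))
```

The offset field in the result is the thing to look at when a file "is a ZIP" but does not start with PK: a non-zero EOCD offset with a non-zero cd_offset tells you how much leading data a reader will skip.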


Quickpost info


Sunday 26 April 2020

Quickpost: My SpiderMonkey’s Cheat Sheet

Filed under: My Software,Quickpost — Didier Stevens @ 8:27

I have a modified version of SpiderMonkey, Mozilla’s (old) JavaScript parser, that helps me with JavaScript analysis.

Details here.

js.exe -e "document.output('x');" sample.js
zipdump.py -s 1 -d sample.js.zip | js.exe -e "document.output('a');" -
zipdump.py -s 1 -d sample.js.zip | js.exe -e "document.output('d');" -
zipdump.py -s 1 -d sample.js.zip | js.exe -e "document.output('X');" -
zipdump.py -s 1 -d sample.js.zip | js.exe -e "document.output('A');" -
zipdump.py -s 1 -d sample.js.zip | js.exe -e "document.output('D');" -
zipdump.py -s 1 -d sample.js.zip | js.exe -e "document.output('f');" -
zipdump.py -s 1 -d sample.js.zip | js.exe -

Saturday 28 March 2020

Quickpost: Windows Domain Controllers Have No Local Accounts

Filed under: Quickpost — Didier Stevens @ 0:00

Windows domain controllers have no local accounts. I think I learned this back when I made my “Practice ntds.dit File Overview” series of blog posts.

Today I had to search for a Microsoft document covering this: Built-in and Account Domains.


Quickpost info



Blog at WordPress.com.