Didier Stevens

Saturday 3 February 2018

Quickpost: Code To Connect To Tor Onion Service

Filed under: Networking,Quickpost — Didier Stevens @ 20:16

I wanted a program to connect to Tor Onion Services (aka hidden services). It’s written in Python and uses the PySocks module:

import socks

PROXYHOST = 'localhost'

HOST = 'duskgytldkxiuqc6.onion'
PORT = 80

print('[*] Creating socket')
oSocket = socks.socksocket()

print('[*] Setting SOCKS5 proxy %s %s' % (PROXYHOST, PROXYPORT))
oSocket.set_proxy(socks.SOCKS5, PROXYHOST, PROXYPORT)

print('[*] Connecting %s %s' % (HOST, PORT))
oSocket.connect((HOST, PORT))

print('[*] Sending')
data = ['GET / HTTP/1.1', 'Host: %s' % HOST]
data = '\r\n'.join(data) + '\r\n\r\n'

print('[*] Receiving')

print('[*] Closing')

print('[*] Done')

In line 13 I configure the socksocket to use Tor as a SOCKS5 proxy (Tor needs to be running).

From that line on, the code is the same as for the build-in socket module:

import socket

print('[*] Creating socket')
oSocket = socket.socket()


In this first example I build an HTTP GET request, that is something that doesn’t have to be done when module requests is used:

import requests

PROXYHOST = 'localhost'

HOST = 'duskgytldkxiuqc6.onion'

url = 'http://' + HOST
print('[*] Requesting %s' % url)
print(requests.get(url, proxies={'http': 'socks5h://%s:%s' % (PROXYHOST, PROXYPORT), 'https': 'socks5h://%s:%s' % (PROXYHOST, PROXYPORT)}).text)

print('[*] Done')

Quickpost info

Thursday 1 February 2018

Overview of Content Published In January

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in January:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

NVISO Blog posts:

Wednesday 31 January 2018

Update: rtfdump.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

In this version, I’ve changed the output for “level 0”. Level 0 is actually the remainder, e.g. what comes after the last balanced curly brace. In a normal RTF document, there should be no remainder.

rtfdump_V0_0_7.zip (https)
MD5: 59F86BA57D67CB78B9D863AFEA710709
SHA256: 1A8EDD4F73F020F44B0AAB39FC3A1C313C81BF8A1E031A76D8B8C85E34116DD6

Tuesday 30 January 2018

Update: translate.py Version 2.5.2

Filed under: My Software,Update — Didier Stevens @ 0:00

Yesterday I had to analyze a malicious document, carrying embedded PowerShell scripts with Gzip compression. I use translate.py to do the Gzib decompression as I explained in this blog post.

But it’s still not that practical, copying that onliner from my blog post, so I’m releasing a new version of translate.py where I defined function GzipD as that onliner (and I also defined ZlibD).

Here is how I use build-in function GzipD to decompress the malicious payload:

translate_v2_5_2.zip (https)
MD5: 1499C7D9C03928F2CE90BAA813A982DA
SHA256: 34451966781CA9821CD66AEF54379A3B47576CD4FCE8CBEFD9EFA3DA06E49CE9

Monday 29 January 2018

New Tool: jpegdump.py

Filed under: My Software — Didier Stevens @ 0:00

jpegdump.py is a tool I developed to analyze JPEG images. I have used it for a couple of ISC diary entries: Analyzing JPEG files, It is a resume – Part 3 and A strange JPEG file.

This tool reads binary files and parses the JPEG markers inside them:

It can help with corrupted images, here is an example of a JPEG file that was partially overwritten by ransomware:

The partial image starts from marker 3.

With options -f and -c, one can search through binary files with embedded JPEG images, like this Google Chrome process dump:

For more information, take a look at the man page: jpegdump.py -m


jpegdump_V0_0_3.zip (https)
MD5: 929F3EC096AEBEC642C44C6A6EE2895E
SHA256: C5C1CA151C7E24FB6E305E5116BE7B6BC4C417810217249D3831BE5805BBAA9F

Sunday 21 January 2018

Quickpost: Retrieving Malware Via Tor On Windows

Filed under: Malware,Quickpost — Didier Stevens @ 22:46

I sometimes retrieve malware over Tor, just as a simple trick to use another IP address than my own. I don’t do anything particular to be anonymous, just use Tor in its default configuration.

On Linux, its easy: I install tor and torsocks packages, then start tor, and use wget or curl with torsocks, like this:

torsocks wget URL

torsocks curl URL

On Windows, its a bit more difficult, because the torsocks trick doesn’t work.

I run Tor (Windows Expert Bundle) without any configuration:

This will give me a Socks listener, that curl can use:

curl --socks5-hostname http://www.didierstevens.com

option –socks5-hostname makes curl use the Socks listener provided by Tor to make connections and perform DNS requests (option –socks5 does not use the Socks listener for DNS request, just for connections).

wget has no option to use a Socks listener, but it can use an HTTP(S) proxy.

Privoxy is a filtering proxy that I can use to help wget to talk to Tor like this.

I make 2 changes to Privoxy’s configuration config.txt:

1) I change line 811 from “toggle 1” to “toggle 0” to configure Privoxy as a normal proxy, without filtering.

2) I add this line 1363: “forward-socks5t / .”, this makes Privoxy use Tor.

Then I launch Privoxy:

And then I can use wget like this:

wget -e use_proxy=yes -e http_proxy= -e https_proxy= URL

Port 8118 is Privoxy’s port. If you want, you can also put these options in a configuration file.

Often, my wget command will be a bit more complex (I’ll explain this in another blog post, but it’s based on this ISC diary entry):

wget -d -o 01.log -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -e use_proxy=yes -e http_proxy= -e https_proxy= --no-check-certificate URL


I can also use Tor browser in stead of Tor, but then I need to connect to port 9150.

Quickpost info

Saturday 20 January 2018

Quickpost: Data Exfiltration With Tor Browser And Domain Fronting

Filed under: Quickpost — Didier Stevens @ 23:46

Some notes, mainly for myself.

Installing the Tor Browser on Windows can be done without administrative rights.

Start the Tor Browser and configure it:

Meek is a Tor pluggable transport for domain fronting, I select Amazon for domain fronting:

Tor Browser supports proxies:

Then I can connect to the Tor network with TLS via an Amazon server:

And then go to a web site to exfiltrate data:

In the packet capture, I just see DNS requests for a0.awsstatic.com followed by a TLS connection:


Quickpost info

Friday 19 January 2018

Update: format-bytes.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 21:48

This new version of format-bytes.py display extra information when unpacking strings: string length, first 10 bytes of the string (ASCII and HEX), entropy and MD5 hash.

In this example, a small binary file starts with an integer with the string length (25 bytes), followed by the string (like a Pascal string):

format-bytes_V0_0_4.zip (https)
MD5: EBCF854E9525D470171D7D8E99F836FD

Monday 15 January 2018

Update: xmldump.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of xmldump introduces 2 new commands to extract information from XML files: elementtext and attributes.

The following video shows how to use these commands:


xmldump_V0_0_2.zip (https)
SHA256: 0A8B94EE8C77B404A507F4BEA4C5464146F3745A1FA9017ED3DCE8D7C2D18C15

Tuesday 2 January 2018

Overview of Content Published In December

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in December:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

« Previous PageNext Page »

Blog at WordPress.com.