Sunday 14 December 2014
Thursday 27 November 2014
python - print hex string into binary file
#!/usr/local/bin/python3
import binascii
file = open("xxx.exe", "wb")
with open("xxx.txt", "r") as f:
i = 0
byte = f.read(2)
while byte != "" and len(byte) == 2:
try:
file.write(binascii.unhexlify(byte))
except:
print(byte)
print(i)
print(len(byte))
byte = f.read(2)
byte = byte.rstrip()
i = i + 2
f.close()
file.close()
Wednesday 26 November 2014
py_xxd.py
#!/usr/local/bin/python3
from binascii import hexlify
output = ""
with open("a.exe", "rb") as file:
i = 0
j = 0
k = 0
output_1 = ""
output_2 = ""
a = file.read(1)
while a != b'':
i += 1
j += 1
k += 1
byte = hexlify(a).decode("ascii")
output_1 = output_1 + byte
if k == 2:
output_1 = output_1 + " "
k = 0
dec_value = int(hexlify(a), 16)
if dec_value >= 32 and dec_value <= 126:
asc = a.decode("utf-8")
else:
asc = "."
output_2 += asc
if i == 16:
print("{:07x}: {} {}".format(j - 16, output_1, output_2))
i = 0
output_1 = ""
output_2 = ""
a = file.read(1)
file.close()
Tuesday 25 November 2014
Office
http://malwageddon.blogspot.com.au/2014/05/dissecting-tips-ole-and-office-open-xml.html
https://blog.malwarebytes.org/intelligence/2013/08/ms-office-files/
http://blog.g-sec.lu/2009/07/new-advances-in-officeexcelpowerpoint.html
https://isc.sans.edu/diary/Getting+the+EXE+out+of+the+RTF/6703
https://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner%27s+RTFScan/14092
https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/02/12/triaging-malicious-microsoft-office-documents-cve-2012-0158
https://blog.malwarebytes.org/intelligence/2013/08/ms-office-files/
http://blog.g-sec.lu/2009/07/new-advances-in-officeexcelpowerpoint.html
https://isc.sans.edu/diary/Getting+the+EXE+out+of+the+RTF/6703
https://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner%27s+RTFScan/14092
https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/02/12/triaging-malicious-microsoft-office-documents-cve-2012-0158
Sunday 23 November 2014
$pdfextract filename.pdf
- All of the components will be extracted to filename.dump folder
- Do a "grep javascript" here
PDF Stream Dumper
- "Scan malicious"
http://hiddenillusion.blogspot.co.uk/2012/06/getting-what-you-want-out-of-pdf-with.html
$shellcode2exe
$base64 -d
c:\>convertshellcode.exe
$js-beatify
$js -f filename.js
document = {
write:print
};
$unicode2hex-escaped
- All of the components will be extracted to filename.dump folder
- Do a "grep javascript" here
PDF Stream Dumper
- "Scan malicious"
http://hiddenillusion.blogspot.co.uk/2012/06/getting-what-you-want-out-of-pdf-with.html
$shellcode2exe
$base64 -d
c:\>convertshellcode.exe
$js-beatify
$js -f filename.js
document = {
write:print
};
$unicode2hex-escaped
Tuesday 4 November 2014
PDF malware analysis links
http://resources.infosecinstitute.com/analyzing-malicious-pdf/
http://digital-forensics.sans.org/blog/2009/12/14/pdf-malware-analysis/
https://blog.malwarebytes.org/intelligence/2013/08/the-malware-archives-pdf-files/
http://zeltser.com/reverse-malware/analyzing-malicious-documents.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_rise_of_pdf_malware.pdf
http://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/
https://www.blackhat.com/presentations/bh-europe-08/Filiol/Presentation/bh-eu-08-filiol.pdf
http://blog.spiderlabs.com/2011/09/analyzing-pdf-malware-part-1.html
http://digital-forensics.sans.org/blog/2009/12/14/pdf-malware-analysis/
https://blog.malwarebytes.org/intelligence/2013/08/the-malware-archives-pdf-files/
http://zeltser.com/reverse-malware/analyzing-malicious-documents.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_rise_of_pdf_malware.pdf
http://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/
https://www.blackhat.com/presentations/bh-europe-08/Filiol/Presentation/bh-eu-08-filiol.pdf
http://blog.spiderlabs.com/2011/09/analyzing-pdf-malware-part-1.html
Saturday 1 November 2014
Compare two binary on Linux
% xxd b1 > b1.hex
% xxd b2 > b2.hex
And then
% diff b1.hex b2.hex
% vimdiff b1.hex b2.hex
Saturday 20 September 2014
Issues & features of Nessus
1, Intrusive or Non-Intrusive
- "Safe Mode" (Nessus)
- Qualys will only use non-intrusive
2, "Don't scan fragile devices" - Nessus
- Printers
- NetWare
3, "Do not log in with user accounts not specified in the policy" - Nessus
- To prevent users being locked out if there is locking out policy
4, Scan to internal from outside or inside. (But avoid scan outside from internal if possible - Qualys says)
5, "Enable experimental scripts" - (Nessus: Do not enable this setting while scanning a production network.)
6, Scan options which might cause long time (Nessus):
- Thorough test (slow)
- CGI test
7, "Report paranoia" - Nessus
- This setting determines if "Avoid false alarm"
8, Nessus support communicating with various Vendor products to:
- Gether information of assets
- Scan their policy files to do compliance check (e.g. Cisco IOS, Juniper OS, Huawei)
9, The “HTTP login page” settings provide control over where authenticated testing of a custom web-based application begins - Nessus
10, Nessus checks system hosts files for signs of a compromise
11, The “Malicious Process Detection” menu allows you to specify a list of additional MD5 hashes that Nessus will use to scan a system for known malware, as well as a list of known good hashes to reduce false positives.
12, Scan if not available:
- Scan or not if host not discoverable (enable ping)
- Scan closed ports? ("Ignore closed ports")
13, Plugins might need to provide some information to proceed, e.g.:
+ Login password
- AD, Ldap
- HTTP cookie
- Database login (then it is similar to previous ISS database scanner!)
- Known malicious or benigh file hashes
14, Nessus can leverage credentials for patch management system like WSUS to perform patch auditing on systems for which credentials may not be available to the Nessus scanner
15, The “Ping the remote host” options allow for granular control over Nessus’ ability to ping hosts during discovery scanning. This can be done via ARP ping, TCP ping, ICMP ping, or applicative UDP ping.
16, To scan VMware guest systems, “ping” must disabled. In the scan policy under “Advanced” -> “Ping the remote host”, uncheck TCP, ICMP, and ARP ping. (--why??)
17,Check open TCP ports found by local port enumerators If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus will also verify it is open remotely. This helps determine if some form of access control is being used (e.g., TCP wrappers, firewall).
18, The “Remote web server screenshot” menu enables Nessus to take screenshots to better demonstrate some findings. This includes some services (e.g., VNC, RDP) as well as configuration specific options (e.g., web server directory indexing)
19, Under the “SMB Scope” menu, if the option “Request information about the domain” is set, then domain users will be queried instead of local users.
20, The “SMTP settings” menu specifies options for SMTP (Simple Mail Transport Protocol) tests that run on all devices within the scanned domain that are running SMTP services. E.g. to test relay.
21, "Enable web applications tests"
- "Safe Mode" (Nessus)
- Qualys will only use non-intrusive
2, "Don't scan fragile devices" - Nessus
- Printers
- NetWare
3, "Do not log in with user accounts not specified in the policy" - Nessus
- To prevent users being locked out if there is locking out policy
4, Scan to internal from outside or inside. (But avoid scan outside from internal if possible - Qualys says)
5, "Enable experimental scripts" - (Nessus: Do not enable this setting while scanning a production network.)
6, Scan options which might cause long time (Nessus):
- Thorough test (slow)
- CGI test
7, "Report paranoia" - Nessus
- This setting determines if "Avoid false alarm"
8, Nessus support communicating with various Vendor products to:
- Gether information of assets
- Scan their policy files to do compliance check (e.g. Cisco IOS, Juniper OS, Huawei)
9, The “HTTP login page” settings provide control over where authenticated testing of a custom web-based application begins - Nessus
10, Nessus checks system hosts files for signs of a compromise
11, The “Malicious Process Detection” menu allows you to specify a list of additional MD5 hashes that Nessus will use to scan a system for known malware, as well as a list of known good hashes to reduce false positives.
12, Scan if not available:
- Scan or not if host not discoverable (enable ping)
- Scan closed ports? ("Ignore closed ports")
13, Plugins might need to provide some information to proceed, e.g.:
+ Login password
- AD, Ldap
- HTTP cookie
- Database login (then it is similar to previous ISS database scanner!)
- Known malicious or benigh file hashes
14, Nessus can leverage credentials for patch management system like WSUS to perform patch auditing on systems for which credentials may not be available to the Nessus scanner
15, The “Ping the remote host” options allow for granular control over Nessus’ ability to ping hosts during discovery scanning. This can be done via ARP ping, TCP ping, ICMP ping, or applicative UDP ping.
16, To scan VMware guest systems, “ping” must disabled. In the scan policy under “Advanced” -> “Ping the remote host”, uncheck TCP, ICMP, and ARP ping. (--why??)
17,Check open TCP ports found by local port enumerators If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus will also verify it is open remotely. This helps determine if some form of access control is being used (e.g., TCP wrappers, firewall).
18, The “Remote web server screenshot” menu enables Nessus to take screenshots to better demonstrate some findings. This includes some services (e.g., VNC, RDP) as well as configuration specific options (e.g., web server directory indexing)
19, Under the “SMB Scope” menu, if the option “Request information about the domain” is set, then domain users will be queried instead of local users.
20, The “SMTP settings” menu specifies options for SMTP (Simple Mail Transport Protocol) tests that run on all devices within the scanned domain that are running SMTP services. E.g. to test relay.
21, "Enable web applications tests"
Monday 15 September 2014
Comparison of Vulnerability Scanners
Qualys:
All vulnerability tests performed by QualysGuard are non-intrusive in design, architecture and implementation. Their objective is to assess a target system with no impact on its operation or functions to determine if vulnerabilities exist.
All vulnerability tests performed by QualysGuard are non-intrusive in design, architecture and implementation. Their objective is to assess a target system with no impact on its operation or functions to determine if vulnerabilities exist.
Subscribe to:
Posts (Atom)