
CrypTool 2

CrypTool 2 is the modern successor of CrypTool 1. CrypTool is a free, open-source Windows program for cryptography and cryptanalysis. It is available in 5 languages and is the most widespread e-learning software of its kind. It supports both contemporary teaching methods at schools and universities and awareness training for employees and civil servants.

Originally designed as an internal business application for information security training, CrypTool has since developed into an important open-source project in the field of cryptology and IT security awareness.

CrypTool 2 also provides a variety of cryptanalytical tools to analyze or even break classical and modern ciphers.

Pyew

To get the ball rolling again, let me introduce you to a nice little tool that I found and started playing with while I was traveling around the country.

Pyew is a Python tool similar to radare. Pyew has many useful features for malware analysis. The tool is a work in progress but does show some promise. What I like about it is that I can do some quick static analysis on a file to determine what additional analysis needs to be done. The ability to use the PEiD database within the tool is nice. The integration of tools for PDF analysis is coming along as well.

Here’s a sample of what it looks like:

$ pyew b6bd1640dcbd7b81970f8e4606b215e1
PE Information

Sections:
UPX0 0x1000 0x40000 0
UPX1 0x41000 0x2f000 191488
.rsrc 0x70000 0x2000 7680

Entry Point at 0x2ede0
Virtual Address is 0x46f9e0
Code Analysis ...

0000 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZP.............
0010 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................
0040 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 ........!..L.!..
0050 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 This program mus
0060 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57 t be run under W
0070 69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00 in32..$7........
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 50 45 00 00 4C 01 03 00 EB BF 70 4B 00 00 00 00 PE..L.....pK....
0110 00 00 00 00 E0 00 8F 81 0B 01 02 19 00 F0 02 00 ................
0120 00 20 00 00 00 00 04 00 E0 F9 06 00 00 10 04 00 . ..............
0130 00 00 07 00 00 00 40 00 00 10 00 00 00 02 00 00 ......@.........
0140 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
0150 00 20 07 00 00 10 00 00 00 00 00 00 02 00 00 00 . ..............
0160 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 .....@..........
0170 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
0180 48 1A 07 00 C4 01 00 00 00 00 07 00 48 1A 00 00 H...........H...
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01C0 98 FB 06 00 18 00 00 00 00 00 00 00 00 00 00 00 ................
01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01F0 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 ........UPX0....

Check out pyew here.

Peepdf

I am a huge proponent of Didier Stevens' PDF tools, but I have to say this new tool rocks! Lenny Zeltser did a nice write-up of this tool's capabilities for analyzing malicious PDFs. As a matter of fact, Lenny is so impressed with the tool that he plans to include it in the next release of his REMnux distro.

peepdf is a Python tool to analyze PDF files. The aim of Jose Miguel Esparza, the author of peepdf, is to provide all the necessary components that a security researcher would need in a PDF analysis without using 3 or 4 tools to perform all the tasks.

Project website can be found here.

BackTrack 5 Release – May 10th, 2011

BackTrack 5 will be released in 3 days.

Here are some of the details from the folks over at Offensive Security:

  • Our release will start on May 10th (don’t bug us about the timezone), and will primarily be available for download via torrents. This is to reduce the massive load on our mirrors for the first few hours.
  • As time progresses into the release, we will then allow direct downloads from our mirrors.
  • We will have KDE (4.6) and Gnome (2.6) Desktop environment flavours
  • 32 and 64 bit support
  • A basic ARM BackTrack image which can be chrooted into from android enabled devices. (hopefully released May 10th)
  • The 32 and 64 bit images support “Forensics Mode”, which boots a forensically sound instance of BackTrack and “Stealth mode”, which boots without generating network traffic.
  • All support for Backtrack 4 will end on May 10th, 2011 and BackTrack 4 will not be available for download from our official mirrors from that date onwards.
  • And yes, Metasploit 3.7.0 *was* packaged into BT5.

BackTrack Linux

GnackTrackR6 Has Been Released

GnackTrackR6 is now officially released.

Get it now.

Tools

While I was looking over my tools list, I noticed that I have not included a couple of tools that I use on a daily basis for reverse engineering malware.

The first one is Frank Boldewin’s OfficeMalScanner. OfficeMalScanner is a MS Office forensic tool to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams. It supports disassembly and hexview as well as an easy brute force mode to detect encrypted files.

The second is Didier Stevens' PDF Tools. PDF Tools includes pdf-parser.py, make-pdf-javascript.py, and pdfid.py. Pdf-parser and pdfid are obviously the most popular and most used in the reverse engineering community. Pdf-parser.py will parse a PDF document to identify the fundamental elements used in the analyzed file. Pdfid.py is not a PDF parser, but it will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened.
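The keyword-scanning idea behind pdfid is small enough to show in full. The following is an added example written for this post, not Didier Stevens' code: it counts the action-related PDF names in a constructed PDF fragment and decodes #xx name escapes first, so an obfuscated /Java#53cript is still counted as /JavaScript. The keyword list and the SAMPLE document are assumptions made for the example.

```python
import re

# Names a pdfid-style triage looks for (constructed list for this example).
KEYWORDS = ["/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
            "/ObjStm", "/EmbeddedFile"]
# Names whose presence alone makes a document worth a closer look.
TRIGGERS = ("/OpenAction", "/AA", "/JS", "/JavaScript", "/Launch")

# A PDF name token: '/' followed by name characters, where '#' introduces
# a two-digit hex escape (PDF 1.2+ syntax).
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample document: the catalog's /OpenAction points at a
# JavaScript action whose /S value uses a hex escape to hide "JavaScript".
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /Java#53cript /JS (app.alert(1)) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def normalise_name(raw: bytes) -> bytes:
    """Decode #xx escapes in a PDF name, e.g. b'Java#53cript' -> b'/JavaScript'."""
    decoded = ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return b"/" + decoded


def scan_pdf_keywords(data: bytes) -> dict:
    """Count each keyword in KEYWORDS, matching whole names only.

    Matching whole name tokens (rather than substrings) keeps /AAA from
    being counted as /AA, while the escape decoding keeps obfuscated
    spellings from slipping past the scan.
    """
    counts = {k: 0 for k in KEYWORDS}
    for match in NAME_RE.finditer(data):
        name = normalise_name(match.group(1)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def suspicious_keywords(data: bytes) -> list:
    """Return the trigger keywords present in the document, in TRIGGERS order."""
    counts = scan_pdf_keywords(data)
    return [k for k in TRIGGERS if counts[k] > 0]


if __name__ == "__main__":
    for keyword, count in scan_pdf_keywords(SAMPLE).items():
        print(f"{keyword:14s} {count}")
    print("suspicious:", suspicious_keywords(SAMPLE))
```

Like pdfid, this is a triage step, not a parser: a high count of /ObjStm, for example, can mean the interesting names live inside compressed object streams that a byte scan cannot see, which is where pdf-parser.py takes over.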

And speaking of the PDF Tools, a friend of mine put together an Ubuntu ppa repository to easily add the PDF Tools to your Ubuntu workstation. To add the PDF Tools using his ppa do the following:

sudo apt-add-repository ppa:pi-rho/security
sudo apt-get update
sudo apt-get install pdf-tools

In addition to the PDF Tools, he has included nmap-5.35DC1, kismet-newcore, tshark 1.4.3, and wireshark 1.4.3.

Exposing the Google Password Secrets

Nagareshwar Talekar of Security Xploded just released a complete disclosure on the Google password storage mechanism and the encryption methods used by various Google applications, including GTalk, Picasa, GDesktop, etc., as well as other popular browsers. The write-up is complete with cryptography code examples for decrypting the Google passwords stored by all these applications.

Also released with the write up of his research work is GooglePasswordDecryptor. GooglePasswordDecryptor is a tool used to recover stored Google account passwords by various Google applications as well as popular web browsers.

At the time of this blog, I have not looked into the GooglePasswordDecryptor tool, so I can neither recommend nor reject the use of this tool. But I guarantee you that I will look into it over the next few days and see if it is a viable tool to add to the toolkit.


GnackTrack

GnackTrack is a Live (and installable) Linux distribution designed for Penetration Testing and is based on Ubuntu. Although this sounds like BackTrack, it is most certainly not; it’s very similar but based on the much loved GNOME!

Although the download is slow and they currently suffer from a lack of mirror sites, the distro is a welcome addition for someone like me who has always modified BackTrack to use the GNOME desktop.

GnackTrack

Katana: Portable Multi-Boot Security Suite (Version 2.0 released!)

“Katana is a portable multi-boot security suite which brings together many of today’s best security distributions and portable applications to run off a single Flash Drive. It includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, and Malware Removal. Katana also comes with over 100 portable Windows applications; such as Wireshark, Metasploit, NMAP, Cain & Abel, and many more.”


Firesheep

A lot of talk has come out about the new Firefox extension called Firesheep. Firesheep was released at Toorcon on Oct. 24, 2010 to demonstrate the serious problem with the way websites, such as Facebook and Twitter, handle authenticated session management.

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
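The weakness described above is visible in a site's Set-Cookie headers: a session cookie issued without the Secure attribute will be sent by the browser on every plain-HTTP request, which is exactly what makes it sidejackable on an open network. The following is an added example, not part of the original post and not Firesheep's code: it parses constructed Set-Cookie headers, reports session cookies lacking Secure (and HttpOnly), and shows the hardened header a site should send. The cookie names, values and the session-name heuristic are assumptions made for the example.

```python
# Substrings that suggest a cookie carries session state (heuristic assumed
# for this example; real audits should use the site's known cookie names).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Canonical spellings for the attributes we re-emit.
ATTR_NAMES = {"path": "Path", "domain": "Domain", "expires": "Expires",
              "max-age": "Max-Age", "secure": "Secure", "httponly": "HttpOnly"}

# Constructed Set-Cookie headers as a login response might return them.
RESPONSE_HEADERS = [
    "sessionid=8f3a9c2b; Path=/; Domain=.example.com",   # weak: no Secure/HttpOnly
    "auth_token=4d1e7a; Path=/; Secure; HttpOnly",        # hardened
    "lang=en; Path=/",                                    # not session state
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookies(headers: list) -> list:
    """Report session-looking cookies that a sidejacker could capture or a script could read."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        lowered = cookie["name"].lower()
        if not any(hint in lowered for hint in SESSION_NAME_HINTS):
            continue
        if "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing Secure (sent over plain HTTP)")
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing HttpOnly (readable by page scripts)")
    return findings


def harden_set_cookie(header: str) -> str:
    """Re-emit a Set-Cookie header with Secure and HttpOnly added if absent."""
    cookie = parse_set_cookie(header)
    attrs = dict(cookie["attrs"])
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    out = [f"{cookie['name']}={cookie['value']}"]
    for key, val in attrs.items():
        label = ATTR_NAMES.get(key, key)
        out.append(label if val is True else f"{label}={val}")
    return "; ".join(out)


if __name__ == "__main__":
    for finding in audit_session_cookies(RESPONSE_HEADERS):
        print("FINDING:", finding)
    print("hardened:", harden_set_cookie(RESPONSE_HEADERS[0]))
```

Secure only helps if the whole authenticated session is served over HTTPS; a Secure cookie is withheld from http:// requests, so a site that still serves logged-in pages over plain HTTP will simply break rather than leak. That is the real fix the post is pointing at: encrypt everything after login, not just the login itself.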

Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.