Posts

Showing posts from November, 2022

Tcpxtract – Extract Files from Network Traffic AKA Carving

Last updated: September 9, 2015 | 15,075 views. tcpxtract is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and footers (sometimes called “carving”) is an age-old data recovery technique. Tools like Foremost employ this technique to recover files from arbitrary data streams. tcpxtract uses this technique specifically for the application of intercepting files transmitted across a network. Other tools that fill a similar need are driftnet and EtherPEG. driftnet and EtherPEG are tools for monitoring and extracting graphic files on a network and are commonly used by network administrators to police the internet activity of their users. The major limitation of driftnet and EtherPEG is that they only support three filetypes with no easy way of adding more. The search technique they use is also not scalable and does not search across packet boundaries. tcpxtrac...

Katana v2 (y0jimb0) – Portable Multi-Boot Security Suite

Last updated: September 9, 2015 | 28,389 views. Katana is a portable multi-boot security suite which brings together many of today’s best security distributions and portable applications to run off a single flash drive. It includes distributions which focus on pen-testing, auditing, forensics, system recovery, network analysis, and malware removal. Katana also comes with over 100 portable Windows applications, such as Wireshark, Metasploit, NMAP, Cain & Abel, and many more. New in V2: this version has a bunch of new stuff all around. One major addition to the project is Forge. This tool facilitates a simple point-and-click installation for adding even more distributions to Katana Bootable. This new version also adds the Computer Aided Investigative Environment (CAINE) for a live forensics environment and Kon-Boot for bypassing passwords. Much effort was placed on the installation of additional applications to the Katana Too...

peepdf – Analyze & Modify PDF Files

peepdf is a Python tool to explore PDF files in order to find out whether a file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to perform all the tasks. With peepdf it's possible to see all the objects in the document, showing the suspicious elements; it supports all the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides JavaScript and shellcode analysis wrappers too. Apart from this it's able to create new PDF files and to modify/obfuscate existing ones. The main functionalities of peepdf are the following: Analysis: decodings (hexadecimal, octal, name objects); most used filters; references in objects and where an object is referenced; strings search (including streams); physical structure (offsets); logical tree stru...

Malware Analyser v3.0 – A Static & Dynamic Malware Analysis Tool

Malware Analyser is a freeware tool to perform static and dynamic analysis on malware executables; it can be used to identify potential traces of anti-debug, keyboard hooks, system hooks and DEP setting change calls in the malware. This is a stepping-stone release, since for the first time dynamic analysis has been included for file creations (to be improved for other network/registry indicators soon) along with a process dumping feature. Malware analysis is the process of analysing malware and studying its components and behaviour. This paper uses two methods of malware analysis, static analysis and dynamic analysis. Static analysis is a method of malware analysis which is done without running the malware, while dynamic analysis is a method of malware analysis in which the malware is run in a secure system [7]. Malware analysis is important, since much of today's malware is not ...

Sniffjoke 0.4.1 Released – Anti-sniffing Framework & Tool For Session Scrambling

SniffJoke is an application for Linux that transparently handles your TCP connections, delaying, modifying and injecting fake packets inside your transmission, making them almost impossible to be correctly read by a passive wiretapping technology (IDS or sniffer). An Internet client running SniffJoke injects into the transmission flow some packets able to seriously disturb passive analysis like sniffing, interception and low level information theft. No server support is needed! The internet protocols have been developed to allow two elements to communicate, not for some third party to intercept their communication. This will happen, but the communication system has not been developed with this objective. SniffJoke uses the network protocol in a permitted way, exploiting the implicit difference between the network stack present in an operating system and the sniffer's dissector. How Does It Work? It works only und...

Collar Bomber Gets Owned By Word Metadata & USB Drive

There were other more technical and probably relevant stories to report on today, but for some reason I just found this story very odd and strangely fascinating. Now here is a strange case: a man climbs into a young girl's bedroom in the middle of the night, threatens her with a baseball bat and then chains a bomb to her neck. His ransom instructions include e-mailing a Gmail account, and he leaves a ‘soft copy’ version of the ransom note on a pen-drive with the girl. There are plenty of metadata extraction tools such as Metagoofil and The Revisionist. And well, even without those, after recovering the file you can just open it in Word and view the metadata. I’m guessing this Paul Peters chap wasn’t so familiar with wear levelling and metadata. He should have known better, and well, he was doing this for a ransom... so really he should have just bought a new pen-drive for the job. But as we know well, these people don’t think lik...

NetworkMiner v1.1 Released – Windows Packet Analyzer & Sniffer

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. Is NetworkMiner free? Our most well known product is NetworkMiner, which is available in a professional as well as a free open source version. NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than to...

File Disclosure Browser – Tool To Explore .DS_Store Files

The File Disclosure Browser takes .DS_Store files found on websites and parses through them to find a list of all potential files in the directory. It can then either just display the URLs for the files or, if you give it a proxy, it can browse to the files itself. How do I open .DS_Store files? To open .DS_Store files in Windows, you can right-click on the file, click Open With, then choose an application. Some user-suggested applications are Windows Notepad, WinRAR, Free File Viewer, Adobe Acrobat, Microsoft Office, etc. Also, try dragging the file to a browser to open it. What is a .DS_Store file in Git? It stands for Desktop Services Store and it holds meta information about your folder's thumbnails, settings, etc. .DS_Store files are created any time you navigate to a file or folder from the Finder on a Mac. What is .DS_Store on Google Drive? '.DS_Store' files are automatically generated by macOS' Fin...

Rec Studio 4 – Reverse Engineering Compiler & Decompiler

REC Studio is an interactive decompiler. It reads a Windows, Linux, Mac OS X or raw executable file, and attempts to produce a C-like representation of the code and data used to build the executable file. It has been designed to read files produced for many different targets, and it has been compiled on several host systems. REC Studio 4 is a complete rewrite of the original REC decompiler. It uses more powerful analysis techniques such as partial Single Static Assignment (SSA), allows loading Mac OS X files and supports 32 and 64 bit binaries. Although still under development, it has reached a stage that makes it more useful than the old Rec Studio 2. Although REC can read Win32 executable (aka PE) files produced by Visual C++ or Visual Basic 5, there are limitations on the output produced. REC will try to use whatever information is present in the .EXE symbol table. If the .EXE file was compiled without debugging infor...

The Cryptographic Implementations Analysis Toolkit

The Cryptographic Implementations Analysis Toolkit (CIAT) is a compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable). It is particularly helpful in the forensic analysis and reverse engineering of malware using cryptographic code and encrypted payloads. This was an interesting find because it wasn’t too long ago that I published a post about Mediggo, a Tool To Detect Weak Or Insecure Cryptosystems Using Generic Cryptanalysis Techniques. Requirements: Windows binaries included in this distribution as well as supporting libraries were compiled using gcc, MinGW and MSYS. Linux binaries were compiled using gcc 4.1.2. They were tested from the command line on a machine with Windows Vista Home Premium (32 bit + SP1) and on Linux Gentoo 2008.0 x86 operating systems. They should run without problems on any computer with Windows 2000, XP or Vista 32bit and any Linux x86 with Mesa3-D, bu...

Sysdig – Linux System Troubleshooting Tool

Sysdig is an open source Linux system troubleshooting tool: capture system state and activity from a running Linux instance, then save, filter and analyze. Think of it as strace + tcpdump + lsof + awesome sauce. With a little Lua cherry on top. Sysdig was born from a team’s constant frustration. System level troubleshooting is just way more of a pain than it should be — especially in distributed, virtualized, and cloud-based environments. So they took the lessons they learned while building network monitoring tools like WinPcap and Wireshark and created a new kind of system troubleshooting tool for Linux. What is the Sysdig tool? Sysdig uses a unified platform to deliver security, monitoring, and forensics in a container- and microservices-friendly architecture. Sysdig Monitor is a monitoring, troubleshooting, and alerting suite offering deep, process-level visibility into dynamic, distributed production environments. Sysdig captures system cal...

DAMM – Differential Analysis of Malware in Memory

Differential Analysis of Malware in Memory (DAMM) is a tool built on top of Volatility. Its main objective is as a test bed for some newer techniques in memory analysis, including performance enhancements via persistent SQLite storage of plugin results (optional); comparing in-memory objects across multiple memory samples, for example processes running in an uninfected sample versus those in an infected sample; data reduction via smart filtering (e.g., on a pid across several plugins); and encoding a set of expert domain knowledge to sniff out indicators of malicious activity, like hidden processes and DLLs, or Windows built-in processes running from the wrong directory. An open source memory analysis tool built on top of Volatility, it is meant as a proving ground for interesting new techniques to be made available to the community. These techniques are an attempt to speed up the investigation process through data reduction and c...