Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 164

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 167

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 170

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 173

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 176

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 178

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 180

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 202

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 206

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 224

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 225

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 227

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 321

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 321

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 321

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/includes/class.layout.php on line 321

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/admin/class.options.metapanel.php on line 56

Warning: Creating default object from empty value in /home/ethical/public_html/wp-content/themes/platform/admin/class.options.metapanel.php on line 49
23 | July | 2012 | Certified Ethical Hackers Security Analyst Malware Hacking Information
From the daily archives: Monday, July 23, 2012

/* trimexe.c
*
* A small program for extracting PE files from small chunks
* of raw data. This is designed to fish executables out of the
* reassembled raw data you can get from “follow TCP stream” in
* wireshark, for example.
*
* At the moment it finds the first PE file in the stream and uses
* the PE coff and section header data to compute the file size
* of the executable. Output of various header values and offsets
* is in hex and decimal to save a trip to the calculator.
*
* It then opens a temporary file in . and carves the file out
* of the image based on the offset of MZ and
* the size.
*
* Code is ugly but commented, probably not enough error checking,
* but if fseek fails, you have bigger problems than I.
*
* Written for SANS network forensics puzzle contest #6
* Copyright 2010 Candice Quates, license GPL.
*/

#include <stdio.h>
#include <errno.h>
#include <unistd.h>

int
main(int argc, char *argv[]) {
long mzoffset;
long peoffset;
long filesize;
unsigned int sections;
FILE *source;
FILE *dest;
unsigned int i,j,k,l;
int destfd;
char tmpname[14] = “./pefileXXXXX”;

if (argc==2) {
printf(“filename: %s\n”,argv[1]);
} else {
fprintf(stderr, “usage: %s filename”, argv[0]);
exit (1);
}

// open file
source=fopen(argv[1],”r”);
if (source == NULL) {
fprintf(stderr,”error: %s, %s\n”, argv[0],strerror(errno));
exit(1);
}
// search for MZ
j=0;
while (j!=EOF) {
k=j;
j=fgetc(source);
if (j==’Z’ && k==’M') {
mzoffset=ftell(source);
mzoffset=mzoffset-2;
break;
}
}
if (j==EOF) {
fprintf(stderr,”I cannot find an executable file here.\n”);
exit(1);
}

fprintf(stdout,”MZ located %d %x\n”,mzoffset,mzoffset);
// fseek(source,0x3c,SEEK_CUR); // offset to PEoffset
// I should be chasing offsets here. but this is easier.
// search for PE
while (j!=EOF) {
k=j;
j=fgetc(source);
if (j==’E’ && k==’P') {
peoffset=ftell(source);
peoffset=peoffset-2;
break;
}
}
if (j==EOF) {
fprintf(stderr,”I cannot find an executable file here.\n”);
exit(1);
}
fprintf(stdout,”PE located %d %x\n”,peoffset,peoffset);
// the section count is a few bytes further. +2, but need +2 for 00
fseek(source,4,SEEK_CUR);
sections=fgetc(source);
fprintf(stdout,”Number of sections %d %x\n”,sections,sections);
// optional header size
fseek(source,13,SEEK_CUR);
i=fgetc(source);
fprintf(stdout,”Opt header size %d %x\n”,i,i);
// 2 more bytes in coff header, plus size of optional, should
// put us in the section table.
fseek(source,i+3,SEEK_CUR);
// go down N sections.
fseek(source,40*(sections-1),SEEK_CUR);
// size of last section
fseek(source,16,SEEK_CUR);
j=getw(source);
fprintf(stdout,”Last section raw size %d %x\n”,j,j);
l=getw(source);
fprintf(stdout,”Last section raw offset %d %x\n”,l,l);
// add together. voila.
filesize=l+j;
fprintf(stdout,”Size of file from MZ, %d %x\n”,filesize,filesize);

// now, to carve it, open new temp file
destfd=mkstemp(tmpname);
if (destfd==-1) {
fprintf(stderr,”Error creating temp file %s: %s\n”,
tmpname, strerror(errno));
exit(1);
}
fprintf(stdout,”Output file: %s\n”,tmpname);
dest=fdopen(destfd,”w”);
// go back up to MZ
fseek(source,mzoffset,SEEK_SET);
// this is ugly.
if ((filesize % 2) != 0) filesize–;
for (i=0; i<filesize; i++) {
j=fgetc(source);
fputc(j,dest);
}
fclose(dest);
fclose(source);
return 0;
}

#!/usr/bin/perl
#################################################################################################
# smtpcat
#################################################################################################
# This script reads a PCAP file and prints out all the smtp connections in the file and gives
# the user the option of dumping the payload as an eml file
#
# Author: Amar Yousif
# Version : 1.0
# Date : 10/26/2009
#
# Copyright 2009 Amar Yousif (AmarYousif ( a t ) gmail.com)
#
# Please 1) report bugs and give suggestions when you can, and
# 2) give credit when you use :)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# See <http://www.gnu.org/licenses/> for more info.
#
# If you are missing any of the perl modules needed for this script, install from CPAN
# like so, we’ll use Net::Pcap as an example: “perl -MCPAN -e ‘install Net::Pcap’”.

use strict;
use Getopt::Long;
use Pod::Usage;
use Net::Pcap;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use MIME::Base64;
use FindBin ‘$Bin’;

# other variables
my $file;
my $out;
my $input;
my $print_help;
my $show_version;
my $SANS;
my $version = “1.0″;
my $index = 1;
my $buffer = 7;
my $filter;
my $filter_c;
my ( $ether, $ip, $trans );
my $err;
my $packets;
my $packet;
my $np;
my $srcmac = ‘defined’;
my $from;
my $to;
my $date;
my $subj;
my $pass;
my $show_pass;
my $codepass;
my $old;
my %header;
my $dump_nr;
my $tag = 0;
my $change_port;
my $buffered;
my $klean;
my $dir;
my $srcip;
my $dstip;
my $srcport;
my $dstport;
my $all;
my $counter;
my $y;
my $show_quitters;
my $show_tls;

# read options
GetOptions(
“read:s” => \$file,
“write:s” => \$out,
“dump:s” => \$dump_nr,
“password!” => \$show_pass,
“change:s” => \$change_port,
“version!” => \$show_version,
“buffered!” => \$buffered,
“all!” => \$all,
“quit!” => \$show_quitters,
“tls!” => \$show_tls,
“klean!” => \$klean,
“SANS!” => \$SANS,
“help|?!” => \$print_help
) or pod2usage(2);

# check if we are asking for help
pod2usage( -verbose => 1 ) if $print_help;

# print version information
show_version() if $show_version;
&SAN if $SANS;

# check if we’re changing the smtp port
$change_port = ’587′ if ( !$change_port );

# check if we’re going to clean cache
&clean if $klean;

# check if input file exists
pod2usage(2) unless -e $file;

# handle file names with full path
$_ = $file;
s/\//./g;
$dir = $_;

# now we need to check if we are going to read all packets or dump a certain traffic
if ( defined $dump_nr ) {

# dump a certain traffic

# first check if out file is defined
die(‘Unable to determine output file, use the parameter -w FILE’)
unless defined $out;

# try to open the out file (create a new one)
if ( -e $out ) {
print “Overwriting file: $out\n”;
}
open( OF, ‘>’ . “$out” );
binmode(OF);

# now to dump a certain stream
open( IN, “<$Bin/smtpcatout/$dir/$dump_nr” )
|| die “Can’t open /smtpcatout/$dir/$dump_nr for reading: $!\n”;
while (<IN>) {
if (m/MAIL FROM:.*<(.*)>.*/) { $tag = 1 }
if ( $tag == 1 ) { print OF}
}
close(IN);
close(OF);

}
else {

#start reading the file
$packets = Net::Pcap::open_offline( $file, \$err );
if ( defined $err ) {
die ‘Unable to read the PCAP file ‘ . $err . “\n”;
}
$filter =
“(tcp[13] & 0x3f = 0×02) and (dst port 25 or dst port $change_port)”;

Net::Pcap::compile( $packets, \$filter_c, $filter, 1, undef );
Net::Pcap::setfilter( $packets, $filter_c );

# find the number of packets
$np = 0;
while ( defined $srcmac ) {
$np++;
$packet = Net::Pcap::next( $packets, \%header );
$ether = NetPacket::Ethernet->decode($packet);
$srcmac = $ether->{‘src_mac’};
}
Net::Pcap::close($packets);

# try to open the out DIR (create a new one)
print “Overwriting files in output directory: smtpcatout\n\n”;
`mkdir $Bin/smtpcatout 2>&-`;
`mkdir $Bin/smtpcatout/$dir 2>&-`;

for ( $index = 1 ; $index < $np ; $index++ ) {
if ($buffered) {
if ( $counter == $buffer ) {

# print out a statement
print “Read more packets [Y|n]: “;
$input = <STDIN>;
chomp($input);

if ( lc($input) eq ‘n’ ) {

# we quit
print “Not printing out more packets\n”;
exit 0;
}
else {

# we continue
$counter = 0;

# clear the screen
system $^O eq ‘MSWin32′ ? ‘cls’ : ‘clear’;

}
}
}

$packets = Net::Pcap::open_offline( $file, \$err );
if ( defined $err ) {
die ‘Unable to read the PCAP file ‘ . $err . “\n”;
}

open( OF, ‘>’ . “$Bin/smtpcatout/$dir/$index” )
|| die “can’t open file smtpcatout/$dir/$index”;

binmode(OF);

$y = dump_stream($index);
$counter = $counter + $y;

# close the network file (since we have finished our processing)
Net::Pcap::close($packets);

}
}

#—————————————————————

# dump_stream
sub dump_stream {
my $in = shift;
my %header;
my $packet;
my $x = 0;

# the filter
$filter =
“(tcp[13] & 0x3f = 0×02) and (dst port 25 or dst port $change_port)”;

Net::Pcap::compile( $packets, \$filter_c, $filter, 1, undef );
Net::Pcap::setfilter( $packets, $filter_c );

# find the correct packet
for ( my $i = 0 ; $i < $in ; $i++ ) {
$packet = Net::Pcap::next( $packets, \%header );
}

# strip header information and get the data part
$ether = NetPacket::Ethernet->decode($packet);
$ip = NetPacket::IP->decode( $ether->{‘data’} );
$trans = NetPacket::TCP->decode( $ip->{‘data’} );

$srcip = $ip->{‘src_ip’};
$dstip = $ip->{‘dest_ip’};
$srcport = $trans->{‘src_port’};
$dstport = $trans->{‘dest_port’};

# now I need to read all the data part of the entire conversation
# and dump it into a file
# construct a filter
$filter =
‘tcp and (host ‘
. $ip->{‘src_ip’}
. ‘ and host ‘
. $ip->{‘dest_ip’}
. ‘) and ( dst port ‘
. $trans->{‘dest_port’}
. ‘ and src port ‘
. $trans->{‘src_port’} . ‘)’;
Net::Pcap::compile( $packets, \$filter_c, $filter, 1, undef );
Net::Pcap::setfilter( $packets, $filter_c );

# read all the packets that belong to this particular stream
Net::Pcap::loop( $packets, -1, \&dump_to_file, ” );

close(OF);

$from = ”;
$codepass = ”;
$old = ”;
$to = ”;
$date = ”;
$subj = ”;
my $z = 0;
my $quitter = 0;
my $tlstag = 0;
my $fromtag = 0;
my $totag = 0;
my $datetag = 0;
my $subjtag = 0;

open( IN, “<$Bin/smtpcatout/$dir/$index” )
|| die “Can’t open $Bin/smtpcatout/$dir/$index for reading: $!\n”;
while (<IN>) {
chomp;
if ((m/^MAIL FROM:.*<(.*)>.*/) && ($fromtag == 0)) { $from = ($1) ; $codepass = $old ; $fromtag = 1 }
if ((m/^RCPT TO:.*<(.*)>.*/) && ( $totag == 0 )) { $to = ($1) ; $totag = 1 }
if ((m/^Date:(.*)/) && ( $datetag == 0 )) { $date = ($1) ; $datetag = 1 }
if ((m/^Subject:(.*)/) && ( $subjtag == 0 )) { $subj = ($1) ; $subjtag = 1 }
if ((m/^STARTTLS.*/) && ( $z < 4 )) { $tlstag = 1 }
$old = $_;
$z++;
}
close(IN);

if ( $z < 4 ) { $quitter = 1 }

$pass = decode_base64($codepass);
`cp $Bin/smtpcatout/$dir/$index $Bin/smtpcatout/testyfile`;

if ($all) {
print ‘[', $index, '] ‘;
print $srcip, ‘:’, $srcport, ‘ -> ‘, $dstip, ‘:’, $dstport, “\n”;
print ‘[', $index, '] ‘;
print “$from -> $to $date\n”;
print ‘[', $index, '] ‘;
print “SUBJ:$subj\n”;
print ‘[', $index, '] ‘ if $show_pass;
print “PASS:$pass\n” if $show_pass;
print “\n”;
$x++;
return ($x);
}
if ($show_quitters) {
if ( -s “$Bin/smtpcatout/testyfile” ) {
print ‘[', $index, '] ‘;
print $srcip, ‘:’, $srcport, ‘ -> ‘, $dstip, ‘:’, $dstport, “\n”;
print ‘[', $index, '] ‘;
print “$from -> $to $date\n”;
print ‘[', $index, '] ‘;
print “SUBJ:$subj\n”;
print ‘[', $index, '] ‘ if $show_pass;
print “PASS:$pass\n” if $show_pass;
print “\n”;
$x++;
return ($x);
}
}
if ($show_tls) {
if ( ( -s “$Bin/smtpcatout/testyfile” ) && ( $quitter == 0 ) ) {
print ‘[', $index, '] ‘;
print $srcip, ‘:’, $srcport, ‘ -> ‘, $dstip, ‘:’, $dstport, “\n”;
print ‘[', $index, '] ‘;
print “$from -> $to $date\n”;
print ‘[', $index, '] ‘;
print “SUBJ:$subj\n”;
print ‘[', $index, '] ‘ if $show_pass;
print “PASS:$pass\n” if $show_pass;
print “\n”;
$x++;
return ($x);
}
}
if ( !($all) && !($show_quitters) && !($show_tls) ) {
if ( ( -s “$Bin/smtpcatout/testyfile” )
&& ( $quitter == 0 )
&& ( $tlstag == 0 ) )
{
print ‘[', $index, '] ‘;
print $srcip, ‘:’, $srcport, ‘ -> ‘, $dstip, ‘:’, $dstport, “\n”;
print ‘[', $index, '] ‘;
print “$from -> $to $date\n”;
print ‘[', $index, '] ‘;
print “SUBJ:$subj\n”;
print ‘[', $index, '] ‘ if $show_pass;
print “PASS:$pass\n” if $show_pass;
print “\n”;
$x++;
return ($x);
}
}

}

# dump_to_file
#
sub dump_to_file {
my $user_data = shift;
my $header = shift;
my $pack = shift;

# strip headers
$ether = NetPacket::Ethernet->decode($pack);
$ip = NetPacket::IP->decode( $ether->{‘data’} );
$trans = NetPacket::TCP->decode( $ip->{‘data’} );

# and now to dump the content of the data variable into a file
print OF $trans->{‘data’};

return 1;
}

sub SAN {
my $range = 100;
my $random_number = rand($range);
print “\n”, ‘Sec558 is verii niice. -Borat 2009′, “\n\n” if ($random_number < 70);
print “\n”, ‘Sec558! Respek. -Ali G 2009′, “\n\n” if ($random_number == 70);
print “\n”, ‘Sec558! Wa wa wee wa! -Borat 2009′, “\n\n” if ($random_number > 70);
exit 0;
}

sub show_version {
print “\n\n”, $0, ‘ version ‘, $version, ‘ copyright 2009, Amar Yousif’,
“\n\n”;
exit 0;
}

sub clean {
print
“\n\t\tARE YOU SURE THAT YOU WANT TO DEL EVERYTHING INSDIE $Bin/smtpcatout/ ? [y|n]\n”;
$input = <STDIN>;
chomp($input);
if ( lc($input) eq ‘y’ ) {
`rm -rf $Bin/smtpcatout/*`;
}
exit 0;
}

exit 0;

__END__

=pod

=head1 msg

B<smtpcat> takes a pcap file as an input and prints out information about all smtp conversations in that pcap file. The tool comes with options that allow you to scale and further customize your work, and the ability to dump the content of a specific conversation into an output file.
=head1 NAME

B<smtpcat> – a script to read PCAP file and display info about smtp streams with the option to dump smtp payload content

=head1 SYNOPSIS

B<smtpcat> -r|–read PCAP_FILE [-p|--password] [-c|--change SMTPPORT] [-b|--buffered] [-q|--quit] [-a|--all] [-t|--tls]

B<smtpcat> -w|–write OUTFILE -d|-dump INDEX

B<smtpcat> [-v|--version] [-h|--help|-?] [-k|--klean]

=head1 OPTIONS

=over 8

=item B<-r|-read PCAP_FILE>

The PCAP file that the script should read.

=item B<-p|-password>

The tool will not try to decode the AuthSMTP passwords by default; with this option it will attempt to decode and display smtp passwords.

=item B<-c|-change SMTPPORT>

The tool will assume that smtp runs on TCP ports 25 and 587 by default, but you can change the smtp ports with this option to 25 and SMTPPORT.

=item B<-b|-buffered>

The default mode (if the -b option is not used) is to display output to STDOUT without buffering, so it can be grep-ed. But, if this option is used, the output will be buffered, 7 at a time.

=item B<-q|-quit>

The default mode (if the -q option is not used) is to display only the smtp streams with payload and only those that complete, some smtp scanners will connect via smtp and then quit quickly. The script does not show quitters. If you want to see the quitters use this option.

=item B<-a|-all>

The default mode (if the -a option is not used) is to display only the smtp streams with payload, so it can avoid the noise with SYN scans; if you want to see all connections use the -a option; it is not recommended as it will generate a lot of noise.

=item B<-t|-tls>

The default mode (if the -t option is not used) is to NOT display info about smtp conversations over TLS; as it won’t be helpful for it is encrypted. However if you want to see them anyway, use this option.

=item B<-w|-write OUTFILE>

Use this option to define an output file to dump the content of the smtp msg into. You must use the -d option if this option is used.

=item B<-d|-dump INDEX>

The default behavior (if the -d option is not used) is to dump information about smtp streams found inside the pcap file. In the printout an index number is written. To be able to dump the content of an smtp msg into a file you must first find out the index number and then use the -d INDEX option with that index number to dump that conversation into a file.

=item B<-k|-klean>

The script will use the directory smtpcatout to store session info for all the pcap files that it runs; this can grow big. This option will remove everything inside the said directory.

=item B<-v|-version>

Dump the version number of the script to the screen and quit.

=item B<-h|-help|-?>

Print this help menu.

=back

=head1 DESCRIPTION

B<smtpcat> takes a pcap file as an input and prints out information about all smtp conversations in that pcap file. The tool comes with options that allow you to scale and further customize your work, and the ability to dump the content of a specific conversation into an output file.

=head1 AUTHOR

Amar Yousif <amaryousif AT gmail.com> 2009

=cut

Set your Twitter account name in your settings to use the TwitterBar Section.