The tools I use daily in my research
Tools' description
A tool to parse pcap files in order to find suspicious actions. The parsed data is dumped in JSON format, as shown below (excerpt):

```json
{
  "HTTP": [{
    "Host": "bailXXXX.com",
    "Protocol": "HTTP",
    "IPdst": "209.99.Y.Z",
    "Path": "/Faculdade/Walts.zip",
    "PortDST": 80,
    "IPsrc": "192.168.1.1",
    "PortSRC": 49169,
    "Method": "GET"
  }],
  "DNS": [{"entry": [{
    "Protocol": "DNS",
    "IPdst": "192.168.1.1",
    "PortDST": 53,
    "IPsrc": "192.168.1.1",
    "Type": "QUERY",
    "PortSRC": 55604,
    "Name": "time.windows.com."
  }]}]
}
```
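As an added example (my own code, not the parser's), a small triage pass over a report in the format above: it flags plain-HTTP GETs of archive or executable paths, HTTP on unusual ports and DNS names absent from a baseline; the extension list and the baseline set are constructed assumptions.

```python
import json

# Constructed from the parser output above: the "HTTP" and "DNS" lists wrapped in one object.
SAMPLE_REPORT = """{
  "HTTP": [{"Host": "bailXXXX.com", "Protocol": "HTTP", "IPdst": "209.99.Y.Z", "Path": "/Faculdade/Walts.zip",
            "PortDST": 80, "IPsrc": "192.168.1.1", "PortSRC": 49169, "Method": "GET"}],
  "DNS": [{"entry": [{"Protocol": "DNS", "IPdst": "192.168.1.1", "PortDST": 53, "IPsrc": "192.168.1.1",
                      "Type": "QUERY", "PortSRC": 55604, "Name": "time.windows.com."}]}]
}"""

# Constructed lists: extensions worth a look when fetched over plain HTTP, and names seen in a clean baseline.
PAYLOAD_EXTENSIONS = (".zip", ".rar", ".7z", ".exe", ".dll", ".scr", ".jar", ".ps1", ".vbs")
BASELINE_DNS_NAMES = {"time.windows.com."}

def dns_queries(report):
    """Flatten the DNS -> entry -> [...] nesting into one list of QUERY records."""
    return [q for block in report.get("DNS", []) for q in block.get("entry", []) if q.get("Type") == "QUERY"]

def triage(report_text):
    """(rule, source host, detail) findings over one parser report."""
    report = json.loads(report_text)
    findings = []
    for r in report.get("HTTP", []):
        if r.get("Method") == "GET" and r.get("Path", "").lower().endswith(PAYLOAD_EXTENSIONS):
            findings.append(("http-download", r["IPsrc"], f"{r['Host']}{r['Path']}"))
        if r.get("PortDST") not in (80, 8080):
            findings.append(("http-odd-port", r["IPsrc"], f"{r['Host']}:{r['PortDST']}"))
    for q in dns_queries(report):
        if q["Name"] not in BASELINE_DNS_NAMES:
            findings.append(("dns-new-name", q["IPsrc"], q["Name"]))
    return findings

if __name__ == "__main__":
    for rule, src, detail in triage(SAMPLE_REPORT):
        print(f"{rule:15} {src:15} {detail}")
```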
A tool for scheduling samples for analysis procedures as soon as they are trapped by a honeypot. The tool is inotify based and is intended to run in the background. It can spawn many analysis procedures at a time, as shown below:

```text
[INOTIFY] IN_CLOSE_WRITE called. PATH: /tmp/malware NAME: malware1 PATHNAME: /tmp/malware/malware1
[INOTIFY] IN_CLOSE_WRITE called. PATH: /tmp/malware NAME: malware2 PATHNAME: /tmp/malware/malware2
[Thread 1]: malware1 popped for analysis
[INOTIFY] IN_CLOSE_WRITE called. PATH: /tmp/malware NAME: malware3 PATHNAME: /tmp/malware/malware3
[Thread 2]: malware2 popped for analysis
[INOTIFY] IN_CLOSE_WRITE called. PATH: /tmp/malware NAME: malwareN PATHNAME: /tmp/malware/malwareN
[Thread 3]: malware3 popped for analysis
```
A tool to calculate all hashes of a given binary, so you can check on the internet whether the given threat is already known. An execution example is shown below:

```text
Hashes of /bin/bash
[SSDEEP] : 12288:khRO05dvtF0rztLGcXNnxX3BlJDd1XLsNbb8ckf9PSKMedh50jn58r0mUX:kXR5dvY/tLGcXNB3Bldnobu7MedbSnh
[CRC32] : 0x594e4450
[MD5] : 164ebd6889588da166a52ca0d57b9004
[SHA1] : 8e3aa19fdc42e87659746f6dc8ea3af74ab30362
[SHA224] : ad640f0e92c5f2df008518269196925be0cc0f7679fcd6ce8ddc1dea
[SHA256] : 8c4d49445d0050884e0703571f187338b10c7836b08ed822cc5fc6cf15ac76b0
[SHA384] : 6be640b6fe9fe9e077b2f7bf5f85c446f70aa635ceb88a993e148ee0eee2caad9725a4a12c3eefc50961ea5a0a048769
[SHA512] : cc7cb38021a7604f2fd5a54a3013e15bba3b752f7815c11e64638234b386dd91c5d970a6d1c73d4af9945a2c258048486632d6a69b44f4c8448f7f8d4e
```
Retrieves PE information of a given binary, using pefile, and prints it in JSON format, as shown below (excerpt):

```json
{
  "Imports": [
    {
      "Name ": "Sleep",
      "Address": "0x140003028"
    },
    {
      "Name ": "GetSystemTimeAsFileTime",
      "Address": "0x140003030"
    },
    {
      "Name ": "GetCurrentThreadId",
      "Address": "0x140003038"
    },
    {
      "Name ": "QueryPerformanceCounter",
      "Address": "0x140003040"
    }
  ]
}
```
A privilege elevation tool to perform analysis using higher privileges.
A set of bash functions which help static malware analysis. Currently, the following functions are available:
- is_pe: Determines if the given file is in the Portable Executable (PE) file-format.
- is_pe32: Determines if the given file is a 32-bit PE.
- is_pe64: Determines if the given file is a 64-bit PE.
- is_dll: Determines if the given file has DLL image characteristics.
- is_dotnet: Determines if the given file is a .Net application.
- get_ext: Retrieves the last file extension from the filename.
- get_section: Gets the binary sections from the objdump disassembly of the given file.
You can use the functions by sourcing the file in your bash session: `source MiB.sh`
Usage example. Printing all x64 files in a directory:

```bash
for i in *; do
  if [ "$(is_pe64 "$i")" = "True" ]; then
    echo "$i"
  fi
done
```

The example above is the basis of the available print functions, such as:
- print_is_pe: Prints all PE files on the current directory.
- print_is_pe32: Prints all PE32 files on the current directory.
- print_is_pe64: Prints all PE+ files on the current directory.
- print_is_dll: Prints all DLL files on the current directory.
- print_is_dotnet: Prints all .Net files on the current directory.
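As an added example (my own code, not MiB.sh's and not the pefile-based tool's), the checks behind is_pe, is_pe32, is_pe64, is_dll and is_dotnet, done by reading the PE headers with struct; the header-only sample images come from make_sample, which is constructed for this example, and the .NET check is the usual one on data directory 14 (the CLR runtime header).

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
IMAGE_FILE_DLL = 0x2000           # Characteristics bit set on DLL images
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIR_INDEX = 14                # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

def nt_header_offset(data):
    """e_lfanew if data carries both the MZ and PE signatures, else None."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if off + 26 > len(data) or struct.unpack_from("<I", data, off)[0] != IMAGE_NT_SIGNATURE:
        return None
    return off

def optional_magic(data):
    off = nt_header_offset(data)
    return None if off is None else struct.unpack_from("<H", data, off + 24)[0]

def is_pe(data):   return nt_header_offset(data) is not None
def is_pe32(data): return optional_magic(data) == PE32_MAGIC
def is_pe64(data): return optional_magic(data) == PE32PLUS_MAGIC

def is_dll(data):
    off = nt_header_offset(data)
    return off is not None and bool(struct.unpack_from("<H", data, off + 22)[0] & IMAGE_FILE_DLL)

def is_dotnet(data):
    """.NET when data directory 14 (the CLR runtime header) is non-empty."""
    magic = optional_magic(data)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return False
    dirs = 96 if magic == PE32_MAGIC else 112   # offset of the data directories in the optional header
    pos = nt_header_offset(data) + 24 + dirs + CLR_DIR_INDEX * 8
    if pos + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, pos)
    return rva != 0 and size != 0

def make_sample(machine, characteristics, magic, clr_rva=0, clr_size=0):
    """Constructed, header-only PE image (no sections) for exercising the checks."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    dirs, opt_size = (96, 0xE0) if magic == PE32_MAGIC else (112, 0xF0)
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = struct.pack("<H", magic) + bytes(dirs - 2)                  # fixed part of the optional header, zeroed
    opt += bytes(CLR_DIR_INDEX * 8) + struct.pack("<II", clr_rva, clr_size) + bytes(8)  # 16 data directories
    return dos + coff + opt
```

Scanning a directory as print_is_pe64 does is then a loop over `is_pe64(path.read_bytes())`.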
A script which generates tcpdump filter rules:
Usage:

```text
[TRG] No Interface Supplied
[TRG] python TCPDUMP.rules.generator/trg.py --interface <iface> (required) --options
[TRG] Options: --host <host list> --exclude-host <host_list> --port <port_list> --exclude-port <port_list> --protocol <protocol_list> --exclude-protocol <protocol_list> --out <outfile>
[TRG] Type -h for help
```

Input:

```bash
IFACE='eth0'
HOST='192.168.1.1 192.168.1.2'
EHOST='192.168.1.3 192.168.1.4'
PORT='1 2 3'
EPORT='4 5 6'
PROTO='tcp'
EPROTO='arp'
OUT='mypcap.pcap'
python trg.py --interface "$IFACE" --host "$HOST" --exclude-host "$EHOST" --port "$PORT" --exclude-port "$EPORT" --protocol "$PROTO" --exclude-protocol "$EPROTO" --out "$OUT"
```

Output:

```text
tcpdump -i eth0 host 192.168.1.1 and host 192.168.1.2 and not host 192.168.1.3 and not host 192.168.1.4 and port 1 and port 2 and port 3 and not port 4 and not port 5 and not port 6 and tcp and not arp -w mypcap.pcap
```
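As an added example (my own code, not trg.py), a builder that takes the same host, port and protocol lists, validates every value before it reaches the command line, and returns the tcpdump invocation as an argv list for subprocess rather than a shell string; `build_filter`, `tcpdump_argv` and `EXAMPLE` are names of this example only.

```python
import ipaddress
import re

PROTO_RE = re.compile(r"^[a-z0-9]+$")   # tcp, udp, arp, icmp, ...

def _group(keyword, values, negate=False):
    """'(host A or host B)', 'not (...)' when negate, '' when values is empty."""
    if not values:
        return ""
    terms = " or ".join(f"{keyword} {v}".strip() for v in values)
    return ("not " if negate else "") + f"({terms})"

def build_filter(hosts=(), exclude_hosts=(), ports=(), exclude_ports=(), protos=(), exclude_protos=()):
    """BPF expression; every value is checked so only an address, a port or a protocol name is emitted."""
    for h in (*hosts, *exclude_hosts):
        ipaddress.ip_address(h)            # ValueError on anything that is not an IP, e.g. a literal 'EHOST'
    for p in (*ports, *exclude_ports):
        if not 0 <= int(p) <= 65535:       # int() itself rejects non-numeric ports
            raise ValueError(f"port out of range: {p}")
    for pr in (*protos, *exclude_protos):
        if not PROTO_RE.match(pr):
            raise ValueError(f"bad protocol name: {pr!r}")
    parts = [_group("host", hosts), _group("host", exclude_hosts, negate=True),
             _group("port", ports), _group("port", exclude_ports, negate=True),
             _group("", protos), _group("", exclude_protos, negate=True)]
    return " and ".join(p for p in parts if p)

def tcpdump_argv(iface, outfile, **lists):
    """argv list for subprocess.run(..., shell=False); the whole filter is one argument."""
    if not re.fullmatch(r"[A-Za-z0-9_.:-]+", iface):
        raise ValueError(f"bad interface name: {iface!r}")
    return ["tcpdump", "-i", iface, "-w", outfile, build_filter(**lists)]

# The input of the usage example above, with each list split on whitespace.
EXAMPLE = dict(hosts="192.168.1.1 192.168.1.2".split(), exclude_hosts="192.168.1.3 192.168.1.4".split(),
               ports="1 2 3".split(), exclude_ports="4 5 6".split(), protos=["tcp"], exclude_protos=["arp"])

if __name__ == "__main__":
    print(" ".join(tcpdump_argv("eth0", "mypcap.pcap", **EXAMPLE)))
```

The members of each list are joined with `or` here: joined with `and`, as in the output above, a list of several ports yields `port 1 and port 2 and port 3`, which no single packet can match.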
Generates iptables rules:
Usage:

```text
python irg.py <config_file>
```

Config file:

```ini
[forward]
enabled = Yes
[maskerade]
enabled = Yes
iface = eth0
[ports]
accept=1,tcp,2,tcp,3,udp,4,udp
reject=5,6,7,8
[routing]
route = 10.0.0.1,tcp
```

Output:

```text
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --dport 1 -j ACCEPT
iptables -A FORWARD -p tcp --dport 2 -j ACCEPT
iptables -A FORWARD -p udp --dport 3 -j ACCEPT
iptables -A FORWARD -p udp --dport 4 -j ACCEPT
iptables -A FORWARD -p 6 --dport 5 -j REJECT
iptables -A FORWARD -p 8 --dport 7 -j REJECT
iptables -t nat -A -p tcp -j DNAT --to 10.0.0.1
```
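As an added example (my own code, not irg.py), a reader for the config format above that emits the rules with every port list validated. It assumes the reject list is written as port,proto pairs like the accept list (so a bare `5,6,7,8` is reported as malformed rather than turned into `-p 6`), and that the route is a DNAT appended to the nat PREROUTING chain; `parse_pairs`, `generate_rules` and `SAMPLE_CONFIG` are names of this example only.

```python
import configparser
import ipaddress

VALID_PROTOS = {"tcp", "udp"}

def parse_pairs(spec):
    """'1,tcp,2,tcp' -> [(1, 'tcp'), (2, 'tcp')]; a malformed list raises instead of yielding odd rules."""
    items = [s.strip() for s in spec.split(",") if s.strip()]
    if len(items) % 2:
        raise ValueError(f"expected port,proto pairs: {spec!r}")
    pairs = []
    for port, proto in zip(items[::2], items[1::2]):
        if not 0 < int(port) <= 65535 or proto not in VALID_PROTOS:
            raise ValueError(f"bad entry {port},{proto} in {spec!r}")
        pairs.append((int(port), proto))
    return pairs

def generate_rules(config_text):
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    rules = []
    if cfg.getboolean("forward", "enabled", fallback=False):
        rules.append("iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
    if cfg.getboolean("maskerade", "enabled", fallback=False):
        rules.append(f"iptables -t nat -A POSTROUTING -o {cfg.get('maskerade', 'iface')} -j MASQUERADE")
    for target, option in (("ACCEPT", "accept"), ("REJECT", "reject")):
        for port, proto in parse_pairs(cfg.get("ports", option, fallback="")):
            rules.append(f"iptables -A FORWARD -p {proto} --dport {port} -j {target}")
    if cfg.has_option("routing", "route"):
        addr, proto = (s.strip() for s in cfg.get("routing", "route").split(","))
        ipaddress.ip_address(addr)                       # ValueError on anything that is not an address
        rules.append(f"iptables -t nat -A PREROUTING -p {proto} -j DNAT --to {addr}")
    return rules

# Constructed config in the format above; reject is written as port,proto pairs, like accept.
SAMPLE_CONFIG = """\
[forward]
enabled = Yes
[maskerade]
enabled = Yes
iface = eth0
[ports]
accept=1,tcp,2,tcp,3,udp,4,udp
reject=5,tcp,6,tcp,7,udp,8,udp
[routing]
route = 10.0.0.1,tcp
"""
```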
A tool for helping with pcap stats generation:
Usage:

```text
[TFG] python tfg.py <pcap_file> (required) --options
[TFG] Options: --all <ip> (exclusive) --ip-src --ip-dst --tcp-src --tcp-dst --udp-src --udp-dst
[TFG] Type -h for help
```

Input:

```bash
python tfg.py /tmp/teste.pcap --ip-src --ip-dst --tcp-src --tcp-dst --udp-src --udp-dst
```

Output:

```text
tshark -r /tmp/teste.pcap -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport -T fields
```

Tshark result:

```text
192.168.0.104 200.147.A.B 43880 443
200.147.A.B 192.168.0.104 443 43880
192.168.0.104 255.255.255.255 17500 17500
192.168.0.104 192.168.0.255 17500 17500
192.168.0.104 91.189.A.B 39583 123
```
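As an added example (my own code, not tfg.py), the stats step that follows the generated tshark command: parsing its `-T fields` output, where a packet's missing transport protocol leaves empty tab-separated columns, into per-protocol, per-source, per-conversation and per-destination-port packet counts. The sample lines are constructed from the result above, with the masked A/B octets kept as written.

```python
from collections import Counter

FIELDS = ("ip.src", "ip.dst", "tcp.srcport", "tcp.dstport", "udp.srcport", "udp.dstport")

# Constructed from the tshark result above: with '-T fields' the six -e columns are tab
# separated, and the columns of the transport protocol a packet lacks are empty.
SAMPLE_TSHARK = (
    "192.168.0.104\t200.147.A.B\t43880\t443\t\t\n"
    "200.147.A.B\t192.168.0.104\t443\t43880\t\t\n"
    "192.168.0.104\t255.255.255.255\t\t\t17500\t17500\n"
    "192.168.0.104\t192.168.0.255\t\t\t17500\t17500\n"
    "192.168.0.104\t91.189.A.B\t\t\t39583\t123\n"
)

def parse_fields(text):
    """Yield (src, dst, proto, sport, dport) per line; proto is None when neither TCP nor UDP ports are set."""
    for line in text.splitlines():
        cols = (line.split("\t") + [""] * len(FIELDS))[:len(FIELDS)]   # pad lines tshark printed short
        src, dst, tsp, tdp, usp, udp = cols
        if tsp and tdp:
            yield src, dst, "tcp", int(tsp), int(tdp)
        elif usp and udp:
            yield src, dst, "udp", int(usp), int(udp)
        elif src:
            yield src, dst, None, None, None

def summarize(text):
    """Packet counts per protocol, per source, per unordered conversation and per (proto, dst port)."""
    stats = {k: Counter() for k in ("protocols", "sources", "conversations", "dst_ports")}
    for src, dst, proto, _sport, dport in parse_fields(text):
        stats["protocols"][proto or "other"] += 1
        stats["sources"][src] += 1
        stats["conversations"][frozenset((src, dst))] += 1
        if proto:
            stats["dst_ports"][(proto, dport)] += 1
    return stats

if __name__ == "__main__":
    stats = summarize(SAMPLE_TSHARK)
    for conv, n in stats["conversations"].most_common():
        print(f"{' <-> '.join(sorted(conv))}: {n} packets")
    print("destination ports:", stats["dst_ports"].most_common())
```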
The Virtual Machine Management module:
Virtual machine data in XML format.
XML file:

```xml
<Machines>
  <VM name="VM1">
    <ip>192.168.1.1</ip>
    <port>12345</port>
    <snapshot>Snap1</snapshot>
  </VM>
</Machines>
```
Implemented Functions:
- find_all: Get all VM info.
- find_snap: Get snapshot name.
- find_add: Get IP address.
- find_port: Get VM open port.
- find_name: Find VM name.
Output example:

```text
VM NAME: VM1
VM IP: 192.168.1.1
VM PORT: 12345
VM SNAPSHOT: Snap1
VM NAME: VM2
VM IP: 192.168.1.2
VM PORT: 54321
VM SNAPSHOT: Snap2
```
Given a VM id, restores its snapshot and executes the analysis routine.
Usage:

```text
python snapshot.py <vm_number>
```

VM 1 output:

```text
[VM 1] None - Reverting Snapshot Snap2.
```
Put your code here!
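As an added example (my own code, not the module's), the find_all, find_snap, find_add, find_port and find_name lookups over the XML format above with xml.etree, plus a regeneration of the output example. It assumes the lookups take the XML text and a VM name, that find_name maps the 1-based VM number snapshot.py receives to a name, and the sample XML adds a VM2 with the values shown in the output example.

```python
import xml.etree.ElementTree as ET

# Constructed from the XML format above; VM2's values are those of the output example.
SAMPLE_XML = """<Machines>
  <VM name="VM1"><ip>192.168.1.1</ip><port>12345</port><snapshot>Snap1</snapshot></VM>
  <VM name="VM2"><ip>192.168.1.2</ip><port>54321</port><snapshot>Snap2</snapshot></VM>
</Machines>"""

def find_all(xml_text):
    """Every VM as a dict; an entry missing a field is an error here, not a None that surfaces later."""
    root = ET.fromstring(xml_text)
    if root.tag != "Machines":
        raise ValueError(f"unexpected root element {root.tag!r}")
    vms = []
    for vm in root.findall("VM"):
        name = vm.get("name")
        fields = {f: vm.findtext(f) for f in ("ip", "port", "snapshot")}
        if name is None or None in fields.values():
            raise ValueError(f"incomplete <VM> entry: {name!r}")
        port = int(fields["port"])
        if not 0 < port <= 65535:
            raise ValueError(f"bad port for {name}: {port}")
        vms.append({"name": name, "ip": fields["ip"], "port": port, "snapshot": fields["snapshot"]})
    return vms

def _lookup(xml_text, name):
    for vm in find_all(xml_text):
        if vm["name"] == name:
            return vm
    raise KeyError(name)

def find_snap(xml_text, name): return _lookup(xml_text, name)["snapshot"]
def find_add(xml_text, name):  return _lookup(xml_text, name)["ip"]
def find_port(xml_text, name): return _lookup(xml_text, name)["port"]

def find_name(xml_text, vm_number):
    """Name of the vm_number-th VM (1-based), the number snapshot.py takes on its command line (assumed)."""
    vms = find_all(xml_text)
    if not 1 <= vm_number <= len(vms):
        raise IndexError(f"no VM number {vm_number}; {len(vms)} defined")
    return vms[vm_number - 1]["name"]

def report(xml_text):
    """The output example above, regenerated from the XML."""
    lines = []
    for vm in find_all(xml_text):
        lines += [f"VM NAME: {vm['name']}", f"VM IP: {vm['ip']}",
                  f"VM PORT: {vm['port']}", f"VM SNAPSHOT: {vm['snapshot']}"]
    return "\n".join(lines)
```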