Thursday, April 30, 2015

REMnux Tutorial-4.1: Datagrams, Fragmentation & Anomalies

      REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware

      It is free, lightweight Linux (Ubuntu distribution) toolkit for reverse-engineering malicious files.
   
      REMnux provides the collection of some of the most common and effective tools used for
      reverse engineering malwares in categories like:

      1) Investigate Linux malwares
      2) Statically analyze windows executable file
      3) Examine File properties and contents
      4) Multiple sample processing
      5) Memory Snapshot Examination
      6) Extract and decode artifacts
      7) Examine Documents
      8) Browser Malware Examination
      9) Network utilities

      REMnux Tutorial - 4.1 explains about OSI layer, Internet Protocol(IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) & Internet Control Message Protocol(ICMP). It focuses on Protocol Headers and the interpretation of various header fields.It further describes about how to detect malicious Datagrams, packet filtering systems behaviors & anomalies causing due to fragmentation.       
















Click here to access my PPT slides.
       Video presentation explaining the slides will be posted soon.!
       Thanks for visiting my blog.!

Tuesday, April 28, 2015

Network Forensics using Packet Sniffer : Wireshark

Wireshark is open source network packet analyzer tool available for most of the OS.

It capture network packets and tries to display that packet data as detailed as possible.

Prominent features of Wireshark: 
  • Capture live packet data from a network interface. No Mirror port needed.
  • Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.
  • Import packets from text files containing hex dumps of packet data.
  • Display packets with very detailed protocol information.
  • Save packet data captured.
  • Export some or all packets in a number of capture file formats.
  • Filter packets on many criteria.
  • Search for packets on many criteria.
  • Colorize packet display based on filters.
  • Create various statistics.
What Wireshark does not provide:
  • Wireshark is just a packet analyzer tool and it isn’t an intrusion detection system. So it displays no warnings about the type of traffic passing through.
  • Wireshark will not manipulate things on the network, it will only "measure" things from it.
  • Wireshark doesn’t send packets on the network or do other active things (except for name resolutions, but even that can be disabled).
     Anomalies Detection using Wireshark:
  • Log analytics, their co-relation, and pattern understanding etc. helps a lot in realizing any type of anomalies going across the environment.
  • Wireshark can be used as network forensic software. It can be used to detect various successful/unsuccessful breaches like DOS, DDOS, Data Loss etc.
  • If some malware is communicating with external domain, by analyzing the traffic flowing out of the system, it is possible to realize the action and to detect malicious process/dll associated with that particular process call. After knowing the time when that particular event happened, event logs can be explored to understand which process initiated the communication and by analyzing that, its possible to identify malware.
This presentation describes about how to examine a slew of malicious traffic, customizes Wireshark to detect these problems faster, and extracts relevant information using command-line tools. Presentation also describes about how to detect anomalies just by analyzing the logs using Wireshark packet sniffer.




Courtesy : Laura Chappell

Thursday, April 23, 2015

REMnux Tutorial-3: Investigation on Malicious PDF & Doc documents

       REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware

       It is free, lightweight Linux (Ubuntu distribution) toolkit for reverse-engineering malicious files.
   
       REMnux provides the collection of some of the most common and effective tools used for
       reverse engineering malwares in categories like:

      1) Investigate Linux malwares
      2) Statically analyze windows executable file
      3) Examine File properties and contents
      4) Multiple sample processing
      5) Memory Snapshot Examination
      6) Extract and decode artifacts
      7) Examine Documents
      8) Browser Malware Examination
      9) Network utilities

       REMnux Tutorial - 3 covers about variety of tools to investigate on malicious PDF and Doc documents. Tutorial covers about examining PDF, Doc files, extraction and analysis of Javascript & Shellcode from it and their analysis.

Tools covered: AnalysePDF, pdfextract, pefid, peepdf, origami-extractjs, origami-pdfscan, origami-walker, pdfxray_lite, pdf-parser, pdfobjflow, pdftk, PdfStreamDumper, OfficdeMalScanner, RTLScan, unicode2hex-unescaped, shellcode2exe, unicode2raw, sctest, xxxswf, Swfdump, Extract_swf



       












Click here to access my PPT slides.
     
       Video presentation explaining the slides will be posted soon.!
       Thanks for visiting my blog.!

Tuesday, April 21, 2015

REMnux Tutorial-2: Extraction and decoding of Artifacts

       REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware

       It is free, lightweight Linux (Ubuntu distribution) toolkit for reverse-engineering malicious files.
   
       REMnux provides the collection of some of the most common and effective tools used for
       reverse engineering malwares in categories like:

      1) Investigate Linux malwares
      2) Statically analyze windows executable file
      3) Examine File properties and contents
      4) Multiple sample processing
      5) Memory Snapshot Examination
      6) Extract and decode artifacts
      7) Examine Documents
      8) Browser Malware Examination
      9) Network utilities

      REMnux Tutorial - 2 covers tools and techniques used to extract and decode artifacts.Tutorial also describes about steps to perform investigation on infected drives with forensic discipline.

Tools covered : unXOR, XORSearch, XORStrings, xorBruteForcer, brutexor, xortool, NoMoreXor, Dcfldd, Foremost, Scalpel, Bulk_extractor, hackoir



    




  














       Please click here to access my PPT slides.
     
       Video presentation explaining the slides will be posted soon.!
       Thanks for visiting my blog.!

Thursday, April 16, 2015

REMnux Tutorial-1: Statically Analyse Windows Portable Executable (PE) Files

       REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware

       It is free, lightweight Linux (Ubuntu distribution) toolkit for reverse-engineering malicious files.
   
       REMnux provides the collection of some of the most common and effective tools used for
       reverse engineering malwares in categories like:

      1) Investigate Linux malwares
      2) Statically analyze windows executable file
      3) Examine File properties and contents
      4) Multiple sample processing
      5) Memory Snapshot Examination
      6) Extract and decode artifacts
      7) Examine Documents
      8) Browser Malware Examination
      9) Network utilities

      REMnux Tutorial - 1 covers tools and techniques used to statically analyze Windows Portable Executable (PE) files. It describes how to detect anomalies in PE file, to decide whether it is compressed or not, Investigation and difference between disassemblers, debuggers and decompilers.

Tools covered: UPX, ByteHist, Density Scout, PEScanner, EXEScan, PEFrame, Pev, Pyew, Bokken, 


    




  














       Please click here to access my PPT slides.
     
       Video presentation explaining the slides will be posted soon.!
       Thanks for visiting my blog.!

A walk through Windows Firewall and Netsh commands

A firewall is a network security system that controls incoming and outgoing network traffic based on a set of rules.

Firewall can be hardware based/ software based or it can be the combination of both.

There are different types of firewall functioning at different layes of OSI Model like Packet Firewalls,

Stateful Firewalls, Application layer Firewalls, Proxy Firewall, Next Generation Firewalls etc.

This article explains about setting firewall in windows OS.

Article focuses on enabling firewall logs, understanding rules and its management, understanding firewall logs and finally it ends by describing about Netsh Commands an command line replacement for firewall GUI.

Please click here to access my PPT slides.

Wednesday, April 15, 2015

The power of REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware

REMnux is a free,lightweight Linux (Ubuntu distribution) toolkit for reverse-engineering malicious software.

REMnux provides the collection of some of the most common and effective tools used for reverse engineering malwares in categories like:

1) Investigate Linux malwares
2) Statically analyse windows executable file
3) Examine File properties and contents
4) Multiple sample processing
5) Memory Snapshot Examination
6) Extract and decode artifacts
7) Examine Documents
8) Browser malware Examination
9) Network utilities

Install REMnux in VMware Workstation or Oracle Virtual Box from (https://remnux.org/). Also download different virus sample from : http://remnux.org/remnux-v4-malware.zip (Password to extract zip : fruits)

Suggested Video tutorials:

1) https://www.sans.org/webcast/recording/citrix/98045/18035
2) https://www.youtube.com/watch?v=4LzCr9qf5_Q

Since the tutorial doesn't cover all the tools, I would be posting the videos soon to explore every reverse engineering tools in brief.

I have listed tools for different sections below. 

Note : Some of the described tools are not available in REMnux distribution so if you face any difficulty, feel free to download them.

Tool Name How to Invoke (Basic Command) Category Description
VBinDiff vbindiff Edit and View Files: Binary Compare binary files
wxHexEditor wxHexEditor Edit and View Files: Binary Graphical hex editor
XMind xmind Edit and View Files: Documents Mind-mapping tool for organizing thoughts and data
Xpdf xpdf Edit and View Files: Documents PDF viewer
feh feh Edit and View FIles: Images Image viewer
ImageMagick display Edit and View Files: Images Image viewer
SciTE scite Edit and view files: Text Simple, yet powerful text editor
extract_swf extract_swf.py Examine Browser Malware: Flash Extract Flash object from files
RABCDAsm rabcdasm, abcexport Examine Browser Malware: Flash Examine ActionScript from Flash files
SWF Tools swfdump, swfextract, swfstrings, etc. Examine Browser Malware: Flash A toolkit for examining, creating and modifying Flash files
xxxswf xxxswf.py Examine Browser Malware: Flash Extract Flash objects from other files
Jad jad Examine Browser Malware: Java Java Decompiler
Java Cache IDX Parser idx_parser.py Examine Browser Malware: Java Examine Java IDX files
Java Decompiler jd-gui Examine Browser Malware: Java Decompile Java class files
def.js js -f /usr/local/etc/def.js Examine Browser Malware: JavaScript Library of JavaScript objects commonly defined by a browser or a PDF reader
ExtractScripts extractscripts Examine Browser Malware: JavaScript Extract JavaScript scripts from an HTML file
Firebug firefox, F12 Examine Browser Malware: JavaScript JavaScript debugger for Firefox
JavaScript Deobfuscator firefox, Tools, Web Developer, JavaScript Deobfuscator Examine Browser Malware: JavaScript Observe JavaScript scripts being executed by Firefox
JS Beautifier js-beautify Examine Browser Malware: JavaScript Reformat JavaScript scripts to improve their readability
JSDetox cd /usr/local/jsdetox && ./jsdetox && firefox http://127.0.0.1:3000 Examine Browser Malware: JavaScript Decode obfuscated JavaScript
Rhino Debugger rhino-debugger Examine Browser Malware: JavaScript Standalone JavaScript debugger
SpiderMonkey js Examine Browser Malware: JavaScript JavaScript engine from Mozilla
V8 d8 Examine Browser Malware: JavaScript JavaScript engine from Google
Automater cd /usr/local/Automater && ./Automater.py Examine Browser Malware: Websites Look up URL/Domain, IP and MD5 hash details
Burp Proxy Free Edition burpsuite Examine Browser Malware: Websites Analyze and interact with websites in a controlled manner
curl curl Examine Browser Malware: Websites Command-line tool for retrieving website contents
Firefox firefox Examine Browser Malware: Websites Web browser
Malzilla malzilla Examine Browser Malware: Websites Analyze suspicious websites and decode JavaScript
mitmproxy mitmproxy, mitmdump Examine Browser Malware: Websites Intercept, modify, replay and save HTTP and HTTPS traffic
Network Miner Free Edition NetworkMiner Examine Browser Malware: Websites Examine network traffic and carve PCAP capture files
pdnstool pdnstool Examine Browser Malware: Websites Perform passive DNS lookups
Thug cd /usr/local/thug/src && ./thug.py Examine Browser Malware: Websites Honeyclient for investigating suspicios websites
Tor tor start Examine Browser Malware: Websites Tools for directing network traffic through anonymizing proxies
Wget wget Examine Browser Malware: Websites Command-line tool for retrieving website contents
QuickJava firefox, QJ button Examine Browser Malware: Websites - Firefox Toggle Firefox' support for risky web contents
Tamper Data firefox, Tools, Tamper Data Examine Browser Malware: Websites - Firefox View and modify HTTP/HTTPS headers and post parameters.
OfficeMalScanner OfficeMalScanner Examine Document Files: Microsoft Office Examine suspicious Microsoft Office files
officeparser officeparser.py Examine Document Files: Microsoft Office Extract embedded files and macros from office documents
AnalyzePDF cd /usr/local/AnalyzePDF && ./AnalyzePDF.py Examine Document Files: PDF Examine a malicious PDF file
Origami pdfwalker, pdfextract, pdfcop, etc. Examine Document Files: PDF Framework for examining, creating and modifying PDF files
PDF X-RAY Lite pdfxray_lite Examine Document Files: PDF Examine the PDF document structure and contents
pdfid pdfid Examine Document Files: PDF Locate common suspicious artifacts in a PDF file
Pdfobjflow pdf-parser.py | pdfobjflow.py Examine Document Files: PDF Visualizes the output from pdf-parser
pdf-parser pdf-parser.py Examine Document Files: PDF Examine a suspicious PDF file
PDFtk pdftk Examine Document Files: PDF Edit PDF files
peepdf peepdf Examine Document Files: PDF Analyze suspicious PDF files
dism-this dism-this.py Examine Document Files: Shellcode Analyze disassembled data within file objects
sctest sctest Examine Document Files: Shellcode Emulate shellcode execution
unicode2hex-escaped unicode2hex-escaped Examine Document Files: Shellcode Clean up and convert Unicode to hex
unicode2raw unicode2raw Examine Document Files: Shellcode Clean up and convert Unicode to raw
Autorule cd /usr/local/autorule && ./tester.py Examine FIle Properties and Contents: Define Automatically define Yara signatures for a set of files
IOCextractor IOCextractor Examine FIle Properties and Contents: Define Extract IOCs from a text report file
Yara Editor yara-editor Examine FIle Properties and Contents: Define Create and modify Yara rules
YaraGenerator yaraGenerator.py Examine FIle Properties and Contents: Define Generate Yara rules for designated files
Hash Identifier hash_id Examine File Properties and Contents: Hashes Identify the different types of hashes used to encrypt data and especially passwords
nsrllookup nsrllookup Examine File Properties and Contents: Hashes Look up file hashes on an NSRL database server
ssdeep ssdeep Examine File Properties and Contents: Hashes Define and scan for a "fuzzy" signature of a file
totalhash totalhash.py Examine File Properties and Contents: Hashes Look up a suspicious file hash in the totalhash.com database
ClamAV clamscan Examine File Properties and Contents: Scan Clam antivirus engine
ExifTool exiftool Examine File Properties and Contents: Scan Extract file properties
TrID trid Examine File Properties and Contents: Scan Identify file types
Yara yara Examine File Properties and Contents: Scan Scan files and file system for signatures
AESKeyFinder aeskeyfind Examine Memory Snapshots Locate embedded AES keys
findaes findaes Examine Memory Snapshots Locate embedded AES keys
RSAKeyFinder rsakeyfind Examine Memory Snapshots Locate embedded RSA keys
TotalRecall cd /usr/local/TotalRecall && ./TotalRecall.py Examine Memory Snapshots Run popular Volatility commands and generate a report
Volatility Framework vol Examine Memory Snapshots Memory forensics tool and framework
bulk_extractor bulk_extractor Extract and Decode Artifacts: Carving Scan a disk image, a file, or a directory of files and extracts useful information
Foremost foremost Extract and Decode Artifacts: Carving Carve contents of files
Hachoir hachoir-subfile, hachoir-metadata, hachoir-urwid Extract and Decode Artifacts: Carving View, edit and carve contents of various binary file types
pe-carv.py pe-carv.py Extract and Decode Artifacts: Carving Carve out PE files
Scalpel scalpel Extract and Decode Artifacts: Carving Carve contents of files
Balbuzard /usr/local/balbuzard/balbuzard.py
/usr/local/balbuzard/bbcrack.py
/usr/local/balbuzard/bbharvest.py
/usr/local/balbuzard/bbtrans.py
Extract and Decode Artifacts: Deobfuscate Extract and decode suspicious patterns from malicious files
brutexor/iheartxor brutexor.py Extract and Decode Artifacts: Deobfuscate Bruteforce all possible 1-byte XOR key values and examine the file for strings that might have been encoded with these keys
ex_pe_xor ex_pe_xor.py Extract and Decode Artifacts: Deobfuscate Carve out single-byte XOR encoded executables from files
NoMoreXOR NoMoreXOR.py Extract and Decode Artifacts: Deobfuscate Guess 256-byte XOR keys by using frequency analysis
unXOR unxor.py Extract and Decode Artifacts: Deobfuscate Guess a XOR key via known-plaintext attacks
XORBruteForcer xorBruteForcer.py Extract and Decode Artifacts: Deobfuscate implements a XOR bruteforcing of a given file
XORSearch xorsearch Extract and Decode Artifacts: Deobfuscate Locate and decode strings obfuscated using common techniques
XORStrings xorstrings Extract and Decode Artifacts: Deobfuscate Locate and decode XOR-obfuscated strings
xortool xortool Extract and Decode Artifacts: Deobfuscate Locate and deobuscate contents encoded using a multi-byte XOR cipher
xortools from xortools import rolling_xor Extract and Decode Artifacts: Deobfuscate Library for decoding XOR-obfuscated contents
pestr pestr Extract and Decode Artifacts: Extract Strings Extract strings from a PE file
strdeobj strdeobj Extract and Decode Artifacts: Extract Strings Extract and decode strings defined as arrays
Evan's Debugger (EDBB) edb Investigate Linux Malware: Debug Debug EFL binary files
GDB gdb Investigate Linux Malware: Debug A powerful debugger
Sysdig sysdig Investigate Linux Malware: System Track and examine local system activities on a Linux system
Unhide unhide Investigate Linux Malware: System Find local hidden processes or connections on a Linux system
ltrace ltrace Investigate Linux Malware: Trace Trace library calls
strace strace Investigate Linux Malware: Trace Trace system calls and signals
Androwarn androwarn.py Misc. Android static code analyzer
bashhacks source /usr/local/bashhacks/bashhacks.sh Misc. Useful bash shell functions
ProcDOT procdot Misc. Visualize and examine the output of Process Monitor and network sniffer logs
EPIC IRC Client irc Network: Misc. IRC client
Netcat nc Network: Misc. Flexible network client and server
prettyping.sh pping Network: Misc. Ping a host while looking pretty
set-static-ip set-static-ip Network: Misc. Temporarily assign a static IP
stunnel stunnel Network: Misc. SSL encryption wrapper
FakeDNS fakedns Network: Services Respond to DNS queries with a specified IP address
fakeMail fakemail Network: Services Fake mail server that captures emails messages sent through it without retransmitting them
Honeyd farpd start && honeyd start Network: Services Intercept network traffic and emulate common services
INetSim inetsim Network: Services Emulate common network services
Inspire IRCd ircd start Network: Services IRC server
OpenSSH sshd start Network: Services SSH server
Tiny HTTPd httpd start Network: Services A simple web server that supports HTTP
ngrep ngrep Network: Sniffing Sniff the network while looking for patterns that match the specified regular expressions
TCPDump tcpdump Network: Sniffing Command-line network sniffer
tcpick tcpick Network: Sniffing Sniffer that reassembles TCP streams
Wireshark wireshark Network: Sniffing Network sniffer
Maltrieve maltrieve.py Process Multiple Samples Retrieve malware from malicious sites
MASTIFF mas Process Multiple Samples
Ragpicker cd /usr/local/MalwareCrawler/src && ./ragpicker.py Process Multiple Samples Plugin based malware crawler with pre-analysis and reporting functionalities
Viper viper Process Multiple Samples Store, classify and investigate suspicious binary files
WIPSTER Installer /usr/local/sbin/install-wipster Process Multiple Samples Install web interface for MASTIFF and other tools
Disass from disass.Disass32 import Disass32 Python: Library Binary analysis library for Python
pefile import pefile Python: Library A library for examining PE file contents
PyV8 import PyV8 Python: Library Python wrapper for Google's V8 JavaScript engine
objdump objdump Statically examine PE files: Disassemble

Investigate Linux Malware: Disassemble
Disassemble binary files
Udis86 udcli Statically examine PE files: Disassemble

Investigate Linux Malware: Disassemble
Disassemble binary files
Vivisect vivbin Statically examine PE files: Disassemble

Investigate Linux Malware: Disassemble
Statically examine and emulate binary files
ExeScan exescan.py Statically examine PE files: Find Anomalies Statically examine a PE file and detect suspicious characteristics
Peframe cd /usr/local/peframe && ./peframe.py Statically examine PE files: Find Anomalies Statically examine PE files
pescanner pescanner Statically examine PE files: Find Anomalies Statically examine a PE file
pev pepack, pescan, pestr, pehash, readpe, etc. Statically examine PE files: Find Anomalies PE file analysis toolkit
Signsrch signsrch Statically examine PE files: Find Anomalies Locate common code patterns
RATDecoders cd /usr/local/RATDecoders && ls Statically examine PE files: Investigate Extract and decode configuration details from common RAT samples
Bokken bokken Statically examine PE files: Investigate

Investigate Linux Malware: Investigate
Interactive static malware analysis tool
Pyew pyew Statically examine PE files: Investigate

Investigate Linux Malware: Investigate
Statically examine suspicious files
Radare radare Statically examine PE files: Investigate

Investigate Linux Malware: Investigate

Edit and View Files: Binary
the reverse engineering framework
Radare 2 radare2 Statically examine PE files: Investigate

Investigate Linux Malware: Investigate

Edit and View Files: Binary
Framework for examining binary files
Bytehist bytehist Statically examine PE files: Unpacking Generate byte-usage-histograms for all types of files with a focus PE files
Density Scout densityscout Statically examine PE files: Unpacking Calculates density (like entropy) of files in the specified location, useful for finding packed programs
PackerID packerid Statically examine PE files: Unpacking Help determine which packer was used to protect a PE file
UPX upx Statically examine PE files: Unpacking A popular tool for packing and unpacking executable files

Courtesy: Lenny Zeltser (https://zeltser.com/)
                  REMnux (https://remnux.org/)