Saturday, April 12, 2014

Never enough time ... and an API for Fog

My goal is to blog at LEAST once a month. I missed March and I'm sorry to anyone that tries to get anything useful out of this blog. There is never enough time! I'll try harder.

Anyhow, COMPLETELY unrelated at the moment to security and on the topic of system administration, I am a huge fan of the FOG Project which is a free computer cloning solution. Think of Norton Ghost. However, I personally like this much better!

There is one issue (which is the reason for this blog post) that I have with FOG. They only have a web UI interface. This makes it a pain for automating tasks. So, I started making my first Python API for public consumption. I announced it on the FOG forum here: http://fogproject.org/forum/threads/python-api-for-fog-pyfog.10312/

and the python code is here: https://github.com/JC-SoCal/pyFog

Even though there is not a lot of functionality, I'm doing my best to keep this API professional and clean so that I can continue developing it and it benefits the FOG user community. This is my little way of giving back to their awesome project.

Thanks for reading,
April blog post, check in the box!

Monday, February 10, 2014

The Adobe password breach crossword ...

I thought I would mention here that I revisited the adobe password breach and wrote a blog which was posted at 6Labs. The blog discusses how you can recover the password from the adobe breach data and then if the user was employing password reuse you could access their accounts like email, facebook or possibly even corproate accoutns.  Check it out:

Revisiting the Adobe Password Breach & the Risk to Your Network

Monday, November 18, 2013

ASLR Woes for Malware Analysts using Windows 7

For those of us that have made the move from XP to 7 for their malware analysis, you may have noticed that when trying to use IDA Pro and Olly or another debugger that the virtual addresses are not matching. This is because Windows 7 ships with Address space layout randomization (ASLR) enabled.

We can use Microsoft's Enhanced Mitigation Experience Toolkit to easily toggle ASLR on and off with a reboot. This way you don't have to make any manual registry settings and you can also control DEP, SEHOP and Certificate Trust if you need to.

You can download EMET 4.1 here: http://www.microsoft.com/en-us/download/details.aspx?id=41138


To disable ASLR:

Simply select the drop down next so ASLR and choose disable. You will need to reboot after that.

Sunday, November 3, 2013

Snazzy Windows Context Menu for Malware Analysis

One thing I like to do is save time. I am sure a lot of other people do as well. Malware Analysis is no exception to the rule. With that being said, I have found having my go-to programs in a handy context menu saves a bit of tedious clicking. Below is a screen shot of the menu I made that shows all my tools.


It was a little tricky tweaking the registry to do this, but I feel like I have it down well enough to explain it. So here goes:

Step 0: Warning

Backup your registry, take a snapshot of your VM, or do what ever it is you do in case you break your box doing this. Tweaking the Registry is always dangerous. Also, some words need to be exact. Windows uses conventions over configurations to know what's what in the registry. So don't be lazy or it won't work.

Step 0.5:

Open up the windows registry editor: regedit.exe

Step 1:

To create the cascading Malware Analysis menu navigate to the following key:
[HKEY_CLASSES_ROOT\*\shell\]

Right click on shell and select:
New > Key

For this tutorial we will name it DemoMenu

Right click and select:
New > String Value

Name the new value MUIVerb (this must be exact) and set the value to whatever you want the cascade menu to say, this will be:
Cascade Menu

Warning: Do not edit or modify the one titled (Default)

Right click on DemoMenu and make another String Value. Name this one SubCommands (this must be exact). This is not where we name them, but it is how the menu calls them. Keep the names short and descriptive with no spaces. Use a semicolon to delimit the items. If you would like a divider line put a | (pipe) character in there. Here is a sample for the demo:
DemoNotepad;|;DemoWordPad

If you did it correctly -- yours should look like this:


Step 2:

Step 2 will need to be repeated for each item you put in SubCommands.

Browse to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\

This is where we will create the command for each item.

Right click on shell and select:
New > Key

Name the key the exact same as the first item in our SubCommands data. For this example it is DemoNotepad

Edit the data in the (Default) value. Put whatever you want this command to be called in your menu. For this tutorial we'll just call it Notepad

Right click on the key we made (DemoNotepad) and select:
New > Key

Name this key:
command (this needs to be exact)

Double click on the (Default) value in the command key.

Enter the path of the program we want. For the notepad example we use: "C:\windows\system32\notepad.exe" "%1"
(Mind the quotes and spaces)

We also added a %1 at the end of the command. This is essentially argument 1 but what this will do is reference the file path we are right clicking on so the program knows we want to open that file.

Pro-Tip: If the path to your program contains spaces such as C:\Program Files\blahblah make sure to put the path in double quotes "  ". Since we don't have any clue what we may right click on and if that path has spaces, we put %1 in quotes.

If you did it correctly -- yours should look like this:

Showing the data for DemoNotepad

Showing the data for command


Step 3:

Repeat Step 2 for each item in SubCommands.

I added another for DemoWordpad. Here is a screen shot below:



Step 4: Profit

Now you have an awesome context menu you can save time with:


To save myself time, I turned my context menu registry tweaks into a .reg script. Here is the link to it on github: https://github.com/JC-SoCal/RegistryFun/blob/master/MalwareAnalysisContextMenu.reg

Please feel free to send me questions/comments/concerns or suggestions on here or on twitter @JC_SoCal

Source: http://msdn.microsoft.com/en-us/library/windows/desktop/hh127467(v=vs.85).aspx

Enjoy!

Saturday, October 12, 2013

[Video] Reverse Engineering a 9 year old CrackMe

TL;DR Version: I have always wanted to make a YouTube video to give back to the community demoing something useful, so I recorded myself reversing a 9 year old CrackMe and posted it. Enjoy.


I have learned countless things from YouTube. Including everything from building potato guns to how a nuclear reactor works. So this is my way to give back to the community and try and teach something. 

The CrackMe I reversed is the LaFarge CrackMe #2. I chose this one for two reasons: It had high ratings and it was marked easy. Since I would have to narrate this, I didn't want to have a difficult time with this project. 





Tuesday, May 21, 2013

Update to GIPC

I just published an update to GIPC which brings it to version 1.5.  The fix addresses an issue with the way the MaxMind database stores the value of some country names (with a comma). This was creating an off by one issue with the way the results were displaying and shifting everything to the left. It was a fairly quick fix, but by doing so I removed the comma from the value. 

This update also addressed some error handling. In short, you should now be given a message if there was an error writing an output file for whatever reason. As a result of all this I updated the SourceForge page with some project details.  

Lastly, if this was useful to you please rate it on SourceForge! Also feel free to let me know if you find any bugs or have ideas/features for this or other projects.

Thanks to @sidoyle for finding the CSV bug.

GIPC is available for download here: https://sourceforge.net/projects/jcsocal/

Friday, March 22, 2013

Geographical IP Correlation, a tool!

TL;DR Version: I wrote a tool called GIPC (short for Geographical IP Correlation and pronounced Gypsy) which takes a list of IP address and returns the Geographical information you select based on the MaxMind.com GeoCity Database. Download here (Update, I've moved to SourceForge.com): https://sourceforge.net/projects/jcsocal/files/

Full Version:
As a security analyst, one of the first things I do when confronted with an unknown IP address is attempt to determine its physical location, called GeoLocation or GeoIP. Unfortunately, there is no mathematical calculation to determine the physical location. So, how does this work?

It starts with IANA (Internet Assigned Numbers Authority). IANA is the organization that allocates very large ranges to the RIR (Regional Internet Registries). These registries maintain the allocation of IP addresses for their respective regions. The graphic below shows both name of the registries and the regions they serve.


Source: wikipedia

From here, the RIR assigns blocks of IP addresses to ISPs (Internet Service Providers). The ISPs then assign IP addresses to their customers. It is essentially up to the ISP to provide the location of the demarcation point for that customer. In the even the exact physical location of the end customer is not provided, the ISP's location will be used instead. For the most part the ISP will be within the general vicinity of the actual location usually within 40 kilometers (based on MaxMind's statistics).

GeoLocation database providers typically mine data from WHOIS servers such as ARIN's WHOIS along with their own proprietary methods. Many of these methods are manual. MaxMind.com for instance provides a free database (which is needed for this tool to work) as well as an online demo here: http://www.maxmind.com/en/geoip_demo

With their demo, you can place up to 25 IP addresses in the list and get some decent location information. Below is a sample of the output for the IP 123.123.123.123 a notoriously known bad IP from China.

The above information is awesome, right? It even gives latitude and longitude coordinates to map the location. However, if you try the demo you may notice there is a 25 IP limit. Your may also notice that the data is not given to you in a very usable manner and you will need to copy and paste, as well as fix some formatting if you intended to use this for anything.

The fellows over at MaxMind provided a free copy of their GeoIP City database called GeoLite City which is less accurate. They also offer various APIs to query the information you need based on the IP you provide.  

Now, the lecture ends and the tool begins; enter GIPC (pronounced Gypsy): Geographical IP Correlation

The motivation for this tool was born of necessity. The output from the MaxMind Demo was great, but we don't have time to mess with a 25 IP limit and copy and pasting and then reformatting.

GIPC takes two inputs:
  1. The MaxMind GeoLite City database which you can download here
  2. A text file of IP addresses separated delimited by newlines

You can then toggle the headers on and off as well as the fields you need to display such as:
  • IP Address
  • City
  • Postal Code
  • Region
  • Area Code
  • Metro Code
  • 3 Letter Country Code
  • 2 Letter Country Code
  • Country Name 
  • Latitude
  • Longitude
  • Time Zone Continent
  • DMA Code (Designated Market Area)
Again, the accuracy of the information is dependent on a lot of variables.

The program can then display the results in 3 different ways:
  1. Display the results within the GUI
  2. Export the results to a CSV file
  3. Generate a Google Map html file that displays the aggregate IP count per country in an interactive map using the Google Chart Tool: Geomap Visualization.
Below is an image of the GUI itself:

Below is a sample picture of the google map (not interactive) of what this looks like. Please note that when you run the HTML file, it will connect to Google to fetch the javascript and images.

The GUI was written in Python using Tkinter as part of my personal project to learn how to write GUIs in Python. I compiled this into a Windows 32 bit executable that should run on Windows XP and 7 (I've tested these). I did this to stay in the spirit of the GUI, which with the various libraries that you would need in Python for this to operate smoothly, I could see someone becoming frustrated which isn't the spirit of the GUI; point and click!

Hope this helps,
JC