Wednesday 22 August 2012

Simple Toolbox

While I was doing some malware analysis I had to make my analysis somewhat semi-automated. In order to achieve this I made a few programs with the wonderful language Ruby.
Ruby makes it easy and fast to make tools for your analysis toolbox, which was just what I needed. As one might see from the source code, I am not a well-educated programmer, but as long as my dirty code works and makes it easier for me, I couldn't care less, to be honest. It's like my car: it's not classy and it smells like shit, but it works. ;)
There is nothing spectacular about my programs, as some of them have already been developed, and humble as I am, they might be better ;)
The reason I made those scripts was because I needed to develop my own programming skills in Ruby, and the best way to do that is to learn by doing.

This is just version 0.0.1 of the gem and for now it contains the most important features, although I am likely to upgrade this gem with more modules later on.
For now it made my analysis of a malware specimen I got a lot easier, especially since I am working from the CLI and had to document every finding I made during my school assignment.

Gem Link:

Edit:
Decided to add them to github instead, just for kicks... Find source code here.



Monday 16 July 2012

Ruby and the honeys

While doing some Dionaea honeypot analysis I had to make things simple, that's why I made a
"Simple program to extract information from Dionaea's sqlite3 logfile". The path to sqllog.sqlite must be passed in when creating a new object of this class.
To save space on my blog I pasted the source code on pastie.org. This way I will keep this blog looking like an actual blog.

require 'sqlite3'

# Reads Dionaea's sqlite3 log file
# Queries are stolen from http://carnivore.it/2009/11/06
module MyTools
    class Dionaea
        # log: path to Dionaea's sqlite log file
        def initialize(log)
            @log = log
        end

        # Open the log read-only (it is evidence, never write to it), run the
        # query and close the handle again. BAM!
        def execute_query(sql_query)
            db = SQLite3::Database.new(@log, readonly: true)
            db.execute(sql_query)
        ensure
            db.close if db
        end

        # Files sorted by how many times they were downloaded (one row per MD5)
        def most_downloaded
            query = %q{
            SELECT
                COUNT(download_md5_hash),
                download_md5_hash,
                download_url
            FROM
                downloads
            GROUP BY
                download_md5_hash
            ORDER BY
                COUNT(download_md5_hash) DESC
            }
            execute_query(query)
        end

        # Download locations sorted by how often they were used
        def most_used_dl
            query = %q{
            SELECT
                COUNT(*),
                download_url
            FROM
                downloads
            GROUP BY
                download_url
            ORDER BY
                COUNT(*) DESC
            }
            execute_query(query)
        end

        # Most aggressive attackers: how many times each remote host pushed each file
        def aggressive_attackers
            query = %q{
            SELECT
                COUNT(*),
                download_md5_hash,
                remote_host,
                download_url
            FROM
                connections
            NATURAL JOIN
                downloads
            GROUP BY
                download_md5_hash, remote_host
            ORDER BY
                COUNT(*) DESC
            }
            execute_query(query)
        end

        # Top-level connections per hour of the day (UTC), summed over the whole log.
        # Despite the name this is not limited to the last 24 hours: timestamp modulo
        # 86400 folds every day in the log onto the same hour-of-day buckets.
        def last_24hours
            query = %q{
            SELECT
                ROUND((connection_timestamp%(3600*24))/3600) AS hour,
                COUNT(*)
            FROM
                connections
            WHERE
                connection_parent IS NULL
            GROUP BY
                ROUND((connection_timestamp%(3600*24))/3600)
            }
            execute_query(query)
        end

        # Just the MD5 hashes of the files retrieved, one per (file, attacker) pair
        def get_md5s
            query = %q{
            SELECT
                download_md5_hash,
                download_url,
                remote_host
            FROM
                connections
            NATURAL JOIN
                downloads
            GROUP BY
                download_md5_hash, remote_host
            ORDER BY
                download_url DESC
            }
            execute_query(query).map { |row| row[0] }
        end

        # Count, MD5, download URL and attacker IP in one table
        def get_jiggy_with_it
            query = %q{
            SELECT
                COUNT(*),
                download_md5_hash,
                download_url,
                remote_host
            FROM
                connections
            NATURAL JOIN
                downloads
            GROUP BY
                download_md5_hash, remote_host
            ORDER BY
                download_url DESC
            }
            execute_query(query)
        end
    end
end
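The queries above run against a constructed copy of the log, as an added example that is not part of the original post or of Dionaea itself. It is written in Python rather than Ruby only because the sqlite3 module ships with the standard library, so it runs without installing a gem. The schema is a reduced version of Dionaea's logsql tables that keeps just the columns the post's queries touch plus the `connection` key that NATURAL JOIN matches on; the rows and the reference time NOW are made-up sample data. Besides the "most aggressive attackers" query, it runs the hour-of-day query next to a real 24-hour window, to make visible that the post's last_24hours method counts a connection from two days ago while a time-bounded query does not. The `connections_last_24h` query and the `open_log_readonly` helper are my additions, not queries from the post or from carnivore.it.

```python
"""Dionaea sqlite queries against a constructed in-memory copy of the log.

Added example, not the Ruby class from the post. Reduced schema and all rows
are constructed sample data; NOW is a fixed reference time so the 24-hour
window is reproducible.
"""
import sqlite3

NOW = 1345000000          # constructed "current time" (2012-08-15 03:06:40 UTC)
DAY = 24 * 3600

SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_timestamp INTEGER,
    connection_parent INTEGER,
    remote_host TEXT
);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY,
    connection INTEGER,
    download_url TEXT,
    download_md5_hash TEXT
);
"""

# (connection, connection_timestamp, connection_parent, remote_host); constructed rows
CONNECTIONS = [
    (1, NOW - 2 * DAY, None, "203.0.113.7"),   # two days old, same hour of day as NOW
    (2, NOW - 3600, None, "203.0.113.7"),
    (3, NOW - 1800, None, "198.51.100.9"),
    (4, NOW - 600, 3, "198.51.100.9"),         # child connection (parent = 3)
]
# (download, connection, download_url, download_md5_hash); constructed, hashes are placeholders
DOWNLOADS = [
    (1, 1, "http://203.0.113.7/bot.exe", "a" * 32),
    (2, 2, "http://203.0.113.7/bot.exe", "a" * 32),
    (3, 3, "ftp://198.51.100.9/x.exe", "b" * 32),
]


def open_log_readonly(path):
    """Open a real log file read-only so the evidence can never be modified by a query."""
    return sqlite3.connect("file:" + path + "?mode=ro", uri=True)


def open_sample_db():
    """In-memory database filled with the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?, ?, ?, ?)", CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?, ?, ?, ?)", DOWNLOADS)
    return db


def aggressive_attackers(db):
    """The post's aggressive_attackers query: downloads per (md5, attacker) pair, busiest first."""
    return db.execute("""
        SELECT COUNT(*), download_md5_hash, remote_host, download_url
        FROM connections NATURAL JOIN downloads
        GROUP BY download_md5_hash, remote_host
        ORDER BY COUNT(*) DESC""").fetchall()


def connections_per_hour_of_day(db):
    """The post's last_24hours query (plus ORDER BY for a stable result): every top-level
    connection in the whole log, bucketed by UTC hour of day. With the INTEGER
    timestamps used here the division truncates, so the bucket is the start hour."""
    rows = db.execute("""
        SELECT ROUND((connection_timestamp % (3600 * 24)) / 3600) AS hour, COUNT(*)
        FROM connections
        WHERE connection_parent IS NULL
        GROUP BY hour
        ORDER BY hour""").fetchall()
    return [(int(hour), count) for hour, count in rows]


def connections_last_24h(db, now=NOW):
    """What the name last_24hours promises: top-level connections inside a real
    24-hour window ending at `now` (my variant, not one of the post's queries)."""
    return db.execute("""
        SELECT COUNT(*) FROM connections
        WHERE connection_parent IS NULL
          AND connection_timestamp > ? - 86400""", (now,)).fetchone()[0]


if __name__ == "__main__":
    sample = open_sample_db()
    print("downloads per attacker:", aggressive_attackers(sample))
    print("per hour of day, all days:", connections_per_hour_of_day(sample))
    print("top-level connections in the last 24h:", connections_last_24h(sample))
```

On the sample data the hour-of-day query reports three connections (hours 2 and 3), the windowed query two: the two-day-old connection falls into the same hour bucket as the recent ones and is indistinguishable from them once the timestamp has been reduced modulo 86400. To run the same functions against a real log, replace `open_sample_db()` with `open_log_readonly("/path/to/sqllog.sqlite")`.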

Friday 18 May 2012

A quick android-sdk install guide for Ubuntu (12.04)



Download Oracle Java
 http://www.oracle.com/technetwork/java/javase/downloads

We will extract javaXX.tar.gz into /usr/local/java, so let's create that first.
$ sudo mkdir -p /usr/local/java

Then extract it
$ sudo tar -xzvf javaXX.tar.gz -C /usr/local/java

Then we add the Java path to either /etc/profile or your local .bashrc file. Point JAVA_HOME at the JDK (it contains the JRE as well); assigning it a second time to the JRE directory just overwrites the first value, so tools that read JAVA_HOME would end up with a JRE that has no compiler.

# JAVA PATH
JAVA_HOME=/usr/local/java/jdk1.7.0_04
PATH=$PATH:$HOME/bin:$JAVA_HOME/bin
export JAVA_HOME
export PATH
# END JAVA PATH

Then we tell the alternatives system where java and javac are
$ sudo update-alternatives --install "/usr/bin/java" "java" "/usr/local/java/jdk1.7.0_04/bin/java" 1
$ sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/local/java/jdk1.7.0_04/bin/javac" 1

Check that the right binaries are picked up before going on:
$ java -version
$ javac -version


Download and install android SDK
http://developer.android.com/sdk/index.html

Download and install Eclipse, Helios (3.6) or newer. If you have no clue which package to pick, Eclipse Classic is pretty sexy, I guess...
http://www.eclipse.org/downloads/


Add the paths to both the android-sdk and Eclipse to your .bashrc. Use single quotes so that $PATH is expanded each time a shell starts, instead of baking today's PATH into the file, and adjust the directories to where you unpacked them:
$ echo 'export PATH=$PATH:~/.android-sdk/tools:~/.android-sdk/platform-tools:~/.eclipse' >> ~/.bashrc

Open Eclipse and add a new update site ("repository") to install the ADT plugin:
https://dl-ssl.google.com/android/eclipse/

I am obviously using Ubuntu, so in order to connect to the phone using adb I had to
create a new udev rule (the "99-android.rules" filename might differ between Ubuntu versions).

$ sudo nano -w /etc/udev/rules.d/99-android.rules

SUBSYSTEM=="usb", ATTRS{idVendor}=="XXXX", ATTRS{idProduct}=="XXXX", MODE="0666"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="XXXX", ATTRS{idProduct}=="XXXX"
TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

MODE="0666" lets every local user talk to the phone over USB. On a shared machine use GROUP="plugdev", MODE="0660" instead, and make sure your own user is a member of plugdev.

The rules file only needs to be readable, not executable:
$ sudo chmod a+r /etc/udev/rules.d/99-android.rules

Reload the rules, replug the phone and check that adb sees it (a wrong rule shows up as "no permissions" in this list):
$ sudo udevadm control --reload-rules
$ adb devices

If you wonder what your vendor and product ID are, simply use the tool lsusb
$ lsusb
(OUTPUT blah blah blah)
 Bus 001 Device 005: ID XXX1:XXX2 MOBILE PHONE-THINGY

Where XXX1 is the Vendor ID and XXX2 is the Product ID.

----------------------------

Then you should be ready to start developing apps.

This is a pretty nice series of tutorials found on YouTube:
http://www.youtube.com/watch?v=CxPh1tgiK2g&feature=relmfu

which starts with how to install the environment and goes on from there.


Wednesday 25 April 2012

MySQL cheatsheet

I made yet another casino game at the end of this assignment from school. It's pretty boring, yes indeed. Anyway, I had this pretty stupid function that was supposed to save user stats into a MySQL DB. It might be one of many stupid ideas while programming the casino, but it's a good way to learn... I hope.

Since I forget the commands between each time I use MySQL I created this cheat sheet. Hopefully this will help me remember until the next time I work with MySQL. Oh, this article doesn't describe anything about securing MySQL.

Oh yeah, I forgot to be a gentleman and use capital letters on SQL commands... shame on me. It's easier to read and easier to tell variables from commands etc... bear that in mind.

So, assuming you have a MySQL root account:
Login:
$ mysql -h localhost -u root_acc -p
-p prompts for the password during login. Leave it at that; a password given directly after -p ends up in your shell history and in the process list.
-h is the host to connect to; this is optional when using localhost.

Create a new user:
mysql> create user 'casino'@'localhost' identified by 'secretpassword';
NOTE: If you want remote connections, use @'IP/HOSTNAME' with the host you are connecting from. The host part is part of the account: 'casino'@'localhost' and 'casino'@'10.0.0.5' are two different users with their own grants.


Grant access to the db:
mysql> grant all on casino_db.* to 'casino'@'localhost';
"all" includes create, drop, alter and friends, which a game that only reads and writes player stats never uses. Give the account just what it needs and keep root_acc for the schema changes:
mysql> grant select, insert, update on casino_db.* to 'casino'@'localhost';


So, maybe it's time to create the supposed casino_db as well
mysql> create database casino_db;


Create tables in the DB:
mysql> use casino_db;
mysql> select database();

mysql> create table player
    -> (
    -> name VARCHAR(25) NOT NULL,
    -> played INT UNSIGNED NOT NULL,
    -> PRIMARY KEY (name)
    -> );

Inspect a table (to see the columns, their types and keys):
mysql> describe player;



Insert into a table (name is a string, played is an integer):
mysql> insert into player (name, played) values ('NAME', 0);
When the values come from the game itself (the player's chosen name, say), don't glue them into the SQL string; use the placeholders/prepared statements of whatever client library the program uses, so that a name like ' or '1'='1 stays data instead of becoming part of the query.

Show table content:
mysql> select * from player;

Delete user:
mysql> drop user 'casino'@'localhost';


Delete table:
mysql> drop table player;

Show users (pick the columns; select * would also dump the password hashes onto your screen):
mysql> select user, host from mysql.user;


All of this could be put into a *.sql file and run with the command
$ mysql -u root_acc -p < my_template.sql
(-u casino -p also works for the table part if you granted that user access to the specific database; creating the database itself still needs root_acc)


my_template.sql:


CREATE DATABASE casino_db;
USE casino_db;
SELECT DATABASE();
CREATE TABLE player
(
  name VARCHAR(25) NOT NULL,
  played INT UNSIGNED NOT NULL,
  PRIMARY KEY (name)
);


Remote connections: open /etc/mysql/my.cnf and replace 127.0.0.1 in this line with the server's own IP (the address MySQL should listen on).
bind-address            = 127.0.0.1


And restart the mysql service
$ sudo service mysql restart

Bear in mind that this exposes the server to the network: limit port 3306 with a firewall rule to the hosts that need it, and create the remote users with a specific @'IP/HOSTNAME' rather than @'%'.

Tuesday 24 April 2012

ssh login + no password = ez-mode

At times I find myself typing passwords just too often, which again makes me lose focus on the stuff I wanted to do.
At those times it is kind of convenient not to have to type a password during an ssh login. Other reasons might be... automatically controlling servers, configuration steps... etc.

At the client, type this in a terminal. Give the key a passphrase and let ssh-agent cache it for the session; an unprotected private key on disk is a password that never expires and that any malware on the client can copy.
$ ssh-keygen -t rsa -b 4096

Then copy the .pub file to the remote server
$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@host


NOTE: ssh-copy-id is available on Linux distros, but when doing this on an OpenBSD machine you have to put the public key into authorized_keys yourself. Don't scp it straight onto that file, as that overwrites any keys already in it; append it, and keep the permissions tight, because sshd (StrictModes, the default) ignores authorized_keys if it or ~/.ssh is writable by others:
$ cat ~/.ssh/id_rsa.pub | ssh user@host 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys'

Wednesday 14 March 2012

Vortex level0, while still learning C....

I have been playing around with the first levels of the overthewire.org wargame(s) a few times before. It's a golden opportunity for me now to do them in C.
Although getting over the "C socket hill" was pretty tough, I finally managed it!

The first one I solved was vortex level0.

I did it a few different ways and ended up with tidy code (I think):

vortex_level0.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>

#define HOST "vortex.labs.overthewire.org"
#define PORT "5842"

int connect_host(void);
int handle_uints(int fd);
int get_tze_pass(int fd);

int main(void)
{
    int fd = connect_host();
    if (fd < 0)
        return 1;
    if (handle_uints(fd) < 0 || get_tze_pass(fd) < 0) {
        fprintf(stderr, "protocol error or connection closed early\n");
        close(fd);
        return 1;
    }
    close(fd);
    return 0;
}

/* Read exactly len bytes: one read() on a stream socket may return fewer. */
static int read_all(int fd, void *buf, size_t len)
{
    char *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n <= 0)
            return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Resolve HOST:PORT and return a connected socket, or -1 on failure. */
int connect_host(void)
{
    struct addrinfo hints, *res, *p;
    int fd = -1, rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;

    rc = getaddrinfo(HOST, PORT, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
        return -1;
    }
    /* Try every address returned until one accepts the connection. */
    for (p = res; p != NULL; p = p->ai_next) {
        fd = socket(p->ai_family, p->ai_socktype, p->ai_protocol);
        if (fd < 0)
            continue;
        if (connect(fd, p->ai_addr, p->ai_addrlen) == 0)
            break;
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    if (fd < 0)
        perror("connect");
    return fd;
}

/* Level 0: the server sends four 32-bit unsigned integers in host byte
 * order and expects their sum back. Unsigned arithmetic wraps cleanly;
 * summing them as signed int could overflow, which is undefined behaviour. */
int handle_uints(int fd)
{
    unsigned int uints[4], sum = 0;
    int i;

    if (read_all(fd, uints, sizeof(uints)) < 0)
        return -1;
    for (i = 0; i < 4; i++)
        sum += uints[i];
    if (send(fd, &sum, sizeof(sum), 0) != (ssize_t)sizeof(sum))
        return -1;
    return 0;
}

/* The server answers with the username and the password. NUL-terminate
 * what recv() actually returned before printing it with %s. */
int get_tze_pass(int fd)
{
    char login[64];
    ssize_t n;
    int i;

    for (i = 0; i < 2; i++) {
        n = recv(fd, login, sizeof(login) - 1, 0);
        if (n <= 0)
            return -1;
        login[n] = '\0';
        printf("%s\n", login);
    }
    return 0;
}
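The same exchange as a two-sided, offline demonstration, added here as an example that is not part of the original post: a mock server speaking the level 0 protocol the C client expects (four 32-bit unsigned integers in host byte order, the client answers with their sum, then the server sends the credentials) is run in-process over a socketpair, so the client logic can be tested without the real service. The mock server, the challenge values and the "Username:/Password:" reply text are constructed for the demo and say nothing about the real vortex.labs.overthewire.org service. The server deliberately sends the challenge one byte per call, to show why the client must loop until all 16 bytes have arrived, and one of the values is 0xFFFFFFFF so the 32-bit wrap-around that unsigned arithmetic gives (and a signed int sum does not) is visible. Python is used for all added examples on this page so the stdlib socket and struct modules are all that is needed.

```python
"""Vortex level 0 exchange against an in-process stand-in server.

Added example, separate from the C client above. Everything the mock server
sends (the integers, the byte-at-a-time sends, the reply text) is a
constructed assumption for the demo.
"""
import socket
import struct
import threading

MASK32 = 0xFFFFFFFF


def pack_challenge(values):
    """Four uint32s in host byte order, the wire format the level 0 server uses."""
    return struct.pack("@IIII", *values)


def recv_exactly(sock, n):
    """Read exactly n bytes: a single recv() on a stream socket may return fewer."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf.extend(chunk)
    return bytes(buf)


def level0_sum(payload):
    """Sum four native-order uint32s and wrap at 32 bits, as unsigned C arithmetic does."""
    a, b, c, d = struct.unpack("@IIII", payload)
    return (a + b + c + d) & MASK32


def client(sock):
    """Solve the challenge on a connected socket and return the server's reply text."""
    total = level0_sum(recv_exactly(sock, 16))
    sock.sendall(struct.pack("@I", total))
    reply = b""
    while True:                      # read until the server closes the connection
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    return reply.decode()


def mock_server(sock, values, password):
    """Constructed stand-in for the level 0 service. Dribbles the challenge out one
    byte per send() so a client assuming one read() == one integer would fail."""
    challenge = pack_challenge(values)
    for i in range(len(challenge)):
        sock.sendall(challenge[i:i + 1])
    expected = sum(values) & MASK32
    (answer,) = struct.unpack("@I", recv_exactly(sock, 4))
    if answer == expected:
        sock.sendall(b"Username: demo\nPassword: " + password + b"\n")
    else:
        sock.sendall(b"wrong sum\n")
    sock.close()


def run_exchange(values, password=b"demo-secret"):
    """Run client and mock server over a socketpair; returns what the client received."""
    client_end, server_end = socket.socketpair()
    server = threading.Thread(target=mock_server, args=(server_end, values, password))
    server.start()
    try:
        return client(client_end)
    finally:
        client_end.close()
        server.join()


if __name__ == "__main__":
    # 0xFFFFFFFF + 1 + 2 + 3 wraps to 5; a signed 32-bit int sum would overflow here
    print(run_exchange((0xFFFFFFFF, 1, 2, 3)), end="")
```

The two things the C code had to get right are the two things the mock server is hostile about: fragmented delivery, handled by `recv_exactly`, and a sum that does not fit in 32 bits, handled by masking in `level0_sum`. Against the real service the `client` function is unchanged; only the socket comes from `socket.create_connection((host, port))` instead of a socketpair.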

Thursday 1 March 2012

A game of Craps (Ruby and Java)

This week I have been reading lots about the C language and "programming logic and design". We are supposed to learn C programming and develop a game at the end of this module assignment.

In one example we are writing a game of craps in C... C is just too much typing, and hard to keep control over all the syntax for a newbie, but still learning! :D
Although we are programming in C, I first wrote the program in Ruby, which gave me a much clearer understanding of what to do in C (except for classes and the rest of the easy Ruby syntax).

Even if you don't know much about programming, I guess you should be able to understand what the program does.


class Craps
    def initialize
        puts "A game of craps"
        first_roll
    end

    # Come-out roll: 7 or 11 wins, 2, 3 or 12 loses, anything else becomes the point
    def first_roll
        roll = roll_dice
        case roll
        when 7, 11
            game_won
        when 2, 3, 12
            game_lost
        else
            puts "Your point is: " + roll.to_s
            @my_points = roll
            keep_rolling
        end
    end

    # Two dice, each 1..6
    def roll_dice
        #dice = (1+rand(6)) + (1+rand(6))
        die1 = 1 + rand(6)
        die2 = 1 + rand(6)
        dice = die1 + die2
        puts "You rolled: #{die1} + #{die2} = #{dice}"
        return dice
    end

    def game_won
        puts "You win"
        exit
    end

    def game_lost
        puts "You lose"
        exit
    end

    # Keep rolling until the point comes up again (win) or a 7 shows up (lose)
    def keep_rolling
        loop do
            case roll_dice
            when @my_points
                game_won
            when 7
                game_lost
            end
        end
    end
end

play = Craps.new

# Output:
# A game of craps
# You rolled: 5
# Your point is: 5
# You rolled: 12
# You rolled: 8
# You rolled: 5
# You win

I will not paste the C program here, since it's pretty similar to the example in "C How to Program" by Deitel and Deitel. Boooring! >)

A game of craps (Java)

The Java version is just the same. The Java syntax is pretty easy to learn after studying C the last couple of weeks. Java is the language to learn if I ever want to make an Android app... but... do I? o_O

I seem to love this game... maybe not, but it's an easy way to learn, among other well-written programs.
import java.util.Random;

class Craps {
    private Random randomizeDice = new Random();
    int my_point;
    int roll = 0;

    public void game_won() {
        System.out.println("You win!");
        System.exit(0);
    }

    public void game_lost() {
        System.out.println("You lose!");
        System.exit(0);
    }

    // Two dice, each 1..6
    public int roll_dice() {
        int die1 = 1 + randomizeDice.nextInt(6);
        int die2 = 1 + randomizeDice.nextInt(6);
        int dice = die1 + die2;
        System.out.println("You rolled: " + die1 + " + " + die2 + " = " + dice);
        return dice;
    }

    // Come-out roll: 7 or 11 wins, 2, 3 or 12 loses, anything else becomes the point
    public void first_roll() {
        roll = roll_dice();
        switch (roll) {
        case 7:
        case 11:
            game_won();
            break;
        case 2:
        case 3:
        case 12:
            game_lost();
            break;
        default:
            my_point = roll;
            System.out.println("Your point is: " + my_point);
            keep_rolling();
        }
    }

    // Keep rolling until the point comes up again (win) or a 7 shows up (lose)
    public void keep_rolling() {
        while (true) {
            roll = roll_dice();
            if (roll == my_point) {
                game_won();
            } else if (roll == 7) {
                game_lost();
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("A game of craps");
        new Craps().first_roll();
    }
}