Honeypot: Kippo Pi

I’m sure you are all aware of the awesome RaspberryPI machines and no doubt you’ve thought of a number of fun things to run on these little machines whether it’s a media server, home automation system, web server or a penetration testing drop box. Up until last week I had resisted the urge to buy one just for the sheer fact I couldn’t think of anything “interesting” to do with one, I mean there are only so many installs of Backtrack/Kali you can have (I even have Backtrack on my phone).

With my focus at the moment on network forensics and malware I decided to get a RaspberryPI and see how it works as a HoneyPot. The first one I’ve installed is Kippo and this post is about how to get Kippo running on the RaspberryPI.

Kippo is a low-interaction SSH honeypot that lets you capture SSH-based attacks and see what those evil hackers are up to. I’m not going to bore you with a long explanation of Kippo because, well, it’s early and I’ve not had much coffee; instead you can click HERE and go have a read yourself.

The following instructions aren’t the product of my own mind; rather they have been taken from Leon van der Eijk’s (or @lvdeijk for short) awesome BSides London Kippo Workshop crib sheet.

So to start with you need the following (or close to):

1. RaspberryPI (kinda obvious but..I have the model B)
2. SD Card (I bought a 32GB SanDisk SDHC card, because I want to install other stuff on it)
3. Physical network connection for your RaspberryPI (to download stuff)
4. A home router/firewall that you can do port forwarding on.
5. Coffee (or beverage of your choice)

So first off we need to install some of the dependencies to get Kippo running. SSH onto your RaspberryPI and as the pi user run the following command:

sudo apt-get install subversion python-twisted python-mysqldb mysql-server apache2

The mysql-server and apache2 packages are so we can log Kippo to MySQL and run the kippo-graph website (nice pretty pictures). If you don’t want that functionality just don’t install them (but I would if I were you).

NOTE: Remember the MySQL password you enter during the install as you will need that later.

So now we need to get a copy of Kippo, we are going to use SVN for this:

svn checkout http://kippo.googlecode.com/svn/trunk/ kippo-read-only

Now your choice for installation is your own, by default this command will download Kippo into /home/pi/kippo-read-only.

Now if you installed MySQL as I suggested we need to do some database magic. Basically we are going to create a new database called Kippo and then assign a user and password for Kippo to use. So here we go:

First log into MySQL:

mysql -h localhost -u root -p

You should be prompted to enter your password (now you did remember it didn’t you).

Once logged in you need to create your database:

create database kippo;

And then assign the necessary rights:

GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'Kippo-DB-pass';

NOTE: The password for the kippo user within the kippo database is ‘Kippo-DB-pass’ you can change it if you want.

You can now exit from MySQL using:

exit (tricky I know)

OK still with me? Right now we need to populate the database ‘kippo’, browse to this folder location:

/kippo-read-only/doc/sql

Within this folder you should find a file called mysql.sql now we need to load that into the database:

mysql -u kippo -p
use kippo;
source mysql.sql;

If that worked without errors you should now have a populated database, you can check by typing this within the MySQL prompt:

show tables;

If that returns some tables, one should be called TTY (I think, like I said it’s early) then we are all good and you can type:

exit

To exit out. We now need to create a kippo.cfg file, don’t panic it’s easy. From the root of the /kippo-read-only folder type this:

cp kippo.cfg.dst kippo.cfg

Now we need to edit the kippo.cfg file with the database details. Using your favourite command line editor (nano is installed so I used that). Navigate the file and find the [database_mysql] section (should all be commented out), un-comment all the fields (including the [database_mysql] one) and modify the values so it looks something like this:

[database_mysql]
host = localhost
database = kippo
username = kippo
password = Kippo-DB-pass

So we are nearly there. Now kippo uses port 2222 to run its honeypot on, in order to send evil hackers to that port you need to use your home router (which hopefully can do port forwarding) to send all traffic for port 22 to 2222. I’m not going to explain how to do this because everyone’s router is different. So go ahead and configure that port forwarding ready for when we start kippo.

If by chance you have put your honeypot directly on the internet (no router in front of it to do the port forwarding) you need to do the following additional steps instead, which redirect port 22 to 2222 on the Pi itself:

sudo apt-get install iptables
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
sudo iptables-save > /etc/iptables.rules

Port forwarding all sorted? Good now we need to change the default port for your ssh server to something a little “higher”. Use this command to change the listening port for the sshd to 65534:

sudo sed -i 's:Port 22:Port 65534:g' /etc/ssh/sshd_config

And then restart your ssh service (you will get kicked off):

sudo /etc/init.d/ssh restart

Back with me? Cool, so essentially you now have a working Kippo honeypot (hopefully). You can actually start it up at this point. Again it’s a simple process: from your /kippo-read-only folder run the following command:

sudo ./start.sh

You can check it’s loaded properly by looking in the /kippo-read-only/log/kippo.log file which should show it starting up properly and you can then run this command to check:

sudo netstat -antp | grep 2222

Which should return an entry showing port 2222 in the LISTEN state, owned by a python process.

NOTE: The kippo.log file will also contain all the connection information and any commands that are run. The root password for the Kippo honeypot is ‘123456’; you can change this by editing the /kippo-read-only/data/userdb.txt file and restarting kippo.
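Since kippo.log is where the connection, login and command records end up, here is an added example (my own, not part of the original post and not Kippo’s code) of a small Python 3 script that summarises the log per source IP: connections, failed and successful logins, the credential pairs tried and the commands typed. The line layouts are modelled on Kippo’s twisted-style log lines; the sample lines, addresses, credentials and commands are constructed, so check the regexes against your own kippo.log before relying on them.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Kippo's twisted-style kippo.log;
# timestamps, addresses, session numbers, credentials and commands are all made up.
SAMPLE_LOG = """\
2013-05-10 09:12:34+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:54321 (192.168.1.10:2222) [session: 1]
2013-05-10 09:12:36+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/toor] failed
2013-05-10 09:12:38+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] succeeded
2013-05-10 09:12:40+0100 [HoneyPotProtocol,1,203.0.113.5] CMD: uname -a
2013-05-10 09:12:41+0100 [HoneyPotProtocol,1,203.0.113.5] CMD: cat /proc/cpuinfo
2013-05-10 09:15:02+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:40022 (192.168.1.10:2222) [session: 2]
2013-05-10 09:15:03+0100 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/admin] failed
2013-05-10 09:15:04+0100 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/password] failed
"""

# One regex per record type we care about (assumed line shapes, see lead-in).
NEW_CONN = re.compile(r'New connection: (?P<ip>[\d.]+):(?P<port>\d+) .*\[session: (?P<session>\d+)\]')
LOGIN = re.compile(r'HoneyPotTransport,(?P<session>\d+),(?P<ip>[\d.]+)\] '
                   r'login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)')
CMD = re.compile(r'HoneyPotProtocol,(?P<session>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$')


def new_entry():
    return {'connections': 0, 'failed': 0, 'succeeded': 0, 'credentials': [], 'commands': []}


def summarise(log_text):
    """Fold kippo.log lines into one record per connecting IP."""
    per_ip = defaultdict(new_entry)
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            per_ip[m['ip']]['connections'] += 1
            continue
        m = LOGIN.search(line)
        if m:
            entry = per_ip[m['ip']]
            entry[m['result']] += 1
            entry['credentials'].append((m['user'], m['pw'], m['result']))
            continue
        m = CMD.search(line)
        if m:
            per_ip[m['ip']]['commands'].append(m['cmd'])
    return dict(per_ip)


def accepted_credentials(summary):
    """Credential pairs that got in: these are the ones userdb.txt is handing out."""
    return {(u, p) for entry in summary.values()
            for (u, p, result) in entry['credentials'] if result == 'succeeded'}


def report(summary):
    """One line per IP plus one indented line per command it ran."""
    lines = []
    for ip, e in sorted(summary.items()):
        lines.append('%s: %d connection(s), %d failed / %d successful login(s), %d command(s)'
                     % (ip, e['connections'], e['failed'], e['succeeded'], len(e['commands'])))
        for cmd in e['commands']:
            lines.append('    CMD: ' + cmd)
    return lines


if __name__ == '__main__':
    import sys
    # usage: python kippo_summary.py /home/pi/kippo-read-only/log/kippo.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print('\n'.join(report(summarise(text))))
```

Run it against the real log path on the Pi and the accepted_credentials() set tells you which of the userdb.txt passwords the visitors are actually landing on, which is the first thing to look at if you decide to change the default.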

Now we are going to finish this off by installing the kippo-graph application that gives you lots of pretty pictures.

So lets install the extra bits we need:

sudo apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi php5-mysql php5-gd
sudo /etc/init.d/apache2 restart

That should have hopefully installed all the necessary php components you need to run kippo-graph, now let’s get kippo-graph:

wget http://bruteforce.gr/wp-content/uploads/kippo-graph-0.7.4.tar
sudo mv kippo-graph-0.7.4.tar /var/www
cd /var/www
sudo tar xvf kippo-graph-0.7.4.tar --no-same-permissions
cd kippo-graph
sudo chmod 777 generated-graphs

Before you open the website you need to edit the /var/www/config.php file with your database properties from earlier; I can’t remember where exactly but it’s not a big file. Once you’ve done that you are ready to browse to:

http://<raspberrypi_ipaddress>/kippo-graph/index.php

That should be it, once you have some data you can populate the graphs and “see” what the evil hackers are up to.

So I’m hoping that this has all worked and you now have a small, discreet, energy-efficient honeypot running on your home network. Mine has been running since last night and I’ve had 4 connections to port 22 but no login attempts so far (I thought evil hackers didn’t sleep).

Give me a shout if something doesn’t work and I will try my best to help you out.

Categories: Honeypot, Malware

Code: PDF hunter

So of late I’ve been playing around a lot with Scapy and pcap files, mostly for my sniffMyPackets project but also because it teaches me more about network forensics and python. The other area I’m starting to learn about is Malware Analysis and I’ve been spending some time looking at the Honeynet Project challenges.

One of the challenges to is to find the malicious content within a PDF file that is provided to you in a pcap file. Normally I would just reach for Network Miner and rebuild the file(s) that way but I wanted to see if I could write some code myself.

The goal of my code was simple, parse through a pcap file, identify a PDF and then rebuild the file so that if a tool such as exiftool or file was used that it would correctly be identified as a PDF and that you could open the PDF and view the content (if you wanted to).

I follow a certain process when I’m carving up pcap files, it’s not rocket science really just common sense. First off find the packets you are interested in, I tend to use a mix of Wireshark and Scapy for this and then look for something you can use to filter down to the packets you want before getting into the nitty gritty of carving them up.

For this piece of code I need to find some way of identifying a PDF file in a pcap file and as most PDF files will appear in a pcap file as part of an HTTP conversation, I parse each packet and if the packet has a Raw layer (a raw layer in Scapy is essentially the payload of a packet) then I look for this ‘Content-Type: application/pdf’. If this is matched then I store the TCP ACK number as a variable for use later.

Now once I have the ACK number I then need to find all the packets that relate to this in order to get the whole file. Now it turns out the ACK is the same for all the packets that the PDF download is in (something I didn’t realise until I started this) so it’s a simple case of using the following code to find all the packets I’m after:

for p in pkts:
    # keep the payload of every segment whose ACK (or SEQ) matches the number
    # captured from the 'Content-Type: application/pdf' packet
    if p.haslayer(TCP) and p.haslayer(Raw) and (p.getlayer(TCP).ack == int(ack) or p.getlayer(TCP).seq == int(ack)):
        raw = p.getlayer(Raw).load
        cfile.append(raw)

If either the TCP ACK or SEQ match our stored ACK variable we get the Raw layer and store it into a python list. This means that we now have (hopefully) all the packets that make up the PDF stored nicely away and because it’s a TCP conversation they should all be in the right order.

Now that we have all the packets we write those out to a temporary file, it’s a temporary file because if you were to open it in a text editor you would see all the HTTP headers at the top and the bottom, which means if you ran file against it, then you would get back a file type of “data” and not “PDF” (which is what we are after).

So we then have to do some python magic (well I think it’s magic), to slice the rubbish out. Now this is the part that took me the longest to figure out. If you have ever looked at a PDF file in a text editor (I wouldn’t blame you if you haven’t), you would notice that they start with “%PDF-” and end with “%%EOF” so finding the start of a PDF file is easy, the problem is that a PDF file can have multiple %%EOF towards the end of the file and I kept cutting at the wrong point.

To fix this I came up with a bit of a long-winded way of carving the temporary file up (see the code below):

# Open the temp file, cut the HTTP headers out and then save it again as a PDF
# 'start' and 'end' are declared at the top of the full script (see the explanation
# that follows); 'tmpfile' is the path of the temporary file written from the carved
# packets and 'outfile2' is the already-opened file handle the finished PDF goes to.
start = str('%PDF-')
end = str('%%EOF')

total_lines = ''
firstcut = ''
secondcut = ''
final_cut = ''

f = open(tmpfile, 'r').readlines()

total_lines = len(f)

# line number of the line containing '%PDF-' (the start of the PDF)
for x, line in enumerate(f):
    if start in line:
        firstcut = int(x)

# line number just past the LAST '%%EOF' (each match overwrites the previous one)
for y, line in enumerate(f):
    if end in line:
        secondcut = int(y) + 1

f = f[firstcut:]

# drop whatever trails the final '%%EOF' (the HTTP headers that follow the PDF)
if int(total_lines) - int(secondcut) != 0:
    final_cut = int(total_lines) - int(secondcut)
    f = f[:-final_cut]
    outfile2.writelines(f)
    outfile2.close()
else:
    outfile2.writelines(f)
    outfile2.close()

If you read Python, awesome; if you don’t, here’s what happens.

First off I open the temporary file and count the number of lines. I look for the variable I declared at the start of the code as start (which is this: start = str(‘%PDF-’)); if that’s matched it stores the line number as the variable firstcut.

I then need to find the last cut. I look for the variable end (which is this: end = str(‘%%EOF’)). Now remember I said a PDF can have multiple EOF statements; well, I get round that because Python overwrites the variable secondcut each time it’s matched, so the last line with EOF is always the one used. I also add +1 to the line number because, for the next chunk of code, if I didn’t I would actually cut the final %%EOF out of the file (I know this because I did it, before realising what was happening).

So we now do a simple little IF statement to make sure that there is something at the end of the file to cut (sometimes there isn’t on the pcap files I’ve used/made) and if there is we slice the bad HTTP headers out before saving the file. If there isn’t anything to cut then we just save the file.

Hopefully that makes sense to non-python people (I can but hope).
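Here is an added example (my own, not the PDFHunter code) in Python 3 that does the same job on raw bytes rather than lines. It goes a step beyond the post: instead of relying on the packets arriving in order, it reassembles one direction of the TCP conversation by sequence number and drops retransmitted copies, then strips the HTTP headers and carves from the first %PDF- to the last %%EOF, so an incrementally updated PDF with several %%EOF markers is kept whole. The HTTP response, the tiny PDF-shaped body and the segment list are all constructed inline.

```python
PDF_START = b'%PDF-'
PDF_END = b'%%EOF'


def reassemble_segments(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    Segments are ordered by sequence number; duplicate (retransmitted)
    segments are dropped and overlapping ones are trimmed. Gaps are not
    filled, so a capture with lost packets yields a truncated stream."""
    by_seq = {}
    for seq, payload in segments:
        if seq not in by_seq or len(payload) > len(by_seq[seq]):
            by_seq[seq] = payload
    stream = b''
    next_seq = None
    for seq in sorted(by_seq):
        payload = by_seq[seq]
        if next_seq is not None and seq < next_seq:
            payload = payload[next_seq - seq:]   # drop the already-seen overlap
            seq = next_seq
        stream += payload
        next_seq = seq + len(payload)
    return stream


def strip_http_headers(stream):
    """The body starts after the first blank line of the HTTP response."""
    marker = b'\r\n\r\n'
    idx = stream.find(marker)
    return stream if idx < 0 else stream[idx + len(marker):]


def carve_pdf(stream):
    """Return the bytes from the first '%PDF-' up to and including the LAST
    '%%EOF' (incrementally updated PDFs contain several), or None if the
    stream holds no PDF."""
    body = strip_http_headers(stream)
    first = body.find(PDF_START)
    last = body.rfind(PDF_END)
    if first < 0 or last < first:
        return None
    end = last + len(PDF_END)
    if body[end:end + 2] == b'\r\n':      # keep the line ending after %%EOF
        end += 2
    elif body[end:end + 1] == b'\n':
        end += 1
    return body[first:end]


# Constructed test input: an HTTP response carrying a tiny PDF-shaped body
# (two %%EOF markers, as an incrementally updated file would have).
SAMPLE_BODY = (b'%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n'
               b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'
               b'2 0 obj\n<< /Type /Page >>\nendobj\n%%EOF\n')
SAMPLE_RESPONSE = (b'HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n'
                   b'Content-Length: ' + str(len(SAMPLE_BODY)).encode() + b'\r\n\r\n'
                   + SAMPLE_BODY)


def sample_segments():
    """Chop SAMPLE_RESPONSE into 40-byte segments, duplicate one and reverse
    the order, to stand in for an out-of-order capture with a retransmission."""
    base = 1000
    chunks = [SAMPLE_RESPONSE[i:i + 40] for i in range(0, len(SAMPLE_RESPONSE), 40)]
    segs = [(base + i * 40, c) for i, c in enumerate(chunks)]
    segs.append(segs[1])
    return segs[::-1]


if __name__ == '__main__':
    pdf = carve_pdf(reassemble_segments(sample_segments()))
    print('carved', len(pdf), 'bytes with', pdf.count(PDF_END), 'EOF markers')
```

With Scapy in front of this you would feed reassemble_segments() the (p[TCP].seq, p[Raw].load) pairs of the server-to-client segments you selected with the ACK trick above; the carving itself no longer cares how the bytes were split across packets.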

I’ve tested this on a number of different pcap files that have PDF downloads in them and it works: I can open and view the PDF, and if I run file or exiftool against it then it appears as a normal PDF. I’m sure there are some cases when it won’t work 100%, but if you find something that doesn’t, let me know so I can try to fix it.

The code can be found here: https://github.com/catalyst256/PDFHunter (in my ever-growing GitHub repo). Oh and I’ve added this function into my sniffMyPackets transform pack.

Enjoy!

Categories: General, packets, Python, Scapy

sniffMyPackets: New feature video

Well it’s not really “new” but I haven’t blogged about it (something I’m getting worse at) so I thought I would. Just so I know where to find it if I ever need to..

So this video covers some of the new features I’ve added into sniffMyPackets since its release. The video is a few weeks old so actually I’ve added more since then but..

Anyway enjoy:

Let me know if you have any comments/suggestions etc.

Adam

Categories: sniffMyPackets

sniffMyPackets: Finding Tor

I don’t normally do short random posts but I figure once in a while won’t hurt.

So I’ve been busy working on new transforms for my Maltego pcap analysis package and things are moving along nicely. Part of my process is making notes on things I think would be cool to see and then working my way through the list.

Over the weekend I added “Tor Traffic” to my list, I know most of the traffic is encrypted so wasn’t sure if I could get an end result from it but figure it was worth a look.

Anyway I’ve thrown together some Scapy/Python code (soon to be a transform if it’s right) that I think will highlight Tor traffic in a pcap file. Now this is just a work in progress so let me know if I’m miles off the mark (so to speak).

I created a pcap file by stopping the Tor service on my copy of Backtrack and then starting it again while capturing some packets. I’ve also tested it on another pcap file from the internet with some Tor bot traffic and the results are similar.

Looking through the pcap file I noticed some “strange” entries during the SSL handshake that lead me to my PoC code (no I didn’t Google first to see if it already existed).

During the SSL handshake the “Client Hello” packet includes a Server Name record which in a “normal” handshake might be similar to www.google.com; however with a Tor SSL handshake it’s something like “www.wth7pbtqsw6.com”, which if you ping doesn’t actually exist.

The other thing to note is that the SSL server name doesn’t have a corresponding DNS query, in fact for all the packets in the pcap file there are no DNS queries/responses which is another way to narrow down possible Tor traffic.

The sniffMyPackets transform can be found HERE:

So basically my python code reads a pcap file and looks for any TCP packet with a payload that has www.xxxxxx in it. It then pulls out the key information (src ip, dst ip, sport, dport and the www. value) and just displays it as neat little lines.

The code is below:

#!/usr/bin/env python

import logging, sys, re
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

pcap = sys.argv[1]

pkts = rdpcap(pcap)

for x in pkts:
    # only TCP segments that carry a payload can hold a handshake record
    if x.haslayer(TCP) and x.haslayer(Raw):
        if 'www.' in x.getlayer(Raw).load:
            # pull every www.<label>.<label> string out of the raw packet bytes
            for s in re.finditer(r'www\.\w*\.\w*', str(x)):
                dnsrec = s.group()
                srcip = x.getlayer(IP).src
                dstip = x.getlayer(IP).dst
                sport = x.getlayer(TCP).sport
                dport = x.getlayer(TCP).dport
                print 'src: %s dst: %s sport: %s dport: %s dnsrec: %s' % (srcip, dstip, sport, dport, dnsrec)

If I run this against my pcap file I get these results:

root@bt:~# ./lookfortor.py /root/pcaps/tor-startup.pcap
src: 192.168.1.66 dst: 89.160.29.195 sport: 40651 dport: 9001 dnsrec: http://www.qqsuvxwbs.com
src: 89.160.29.195 dst: 192.168.1.66 sport: 9001 dport: 40651 dnsrec: http://www.vlkkj3kgxh56ibujher.net0
src: 192.168.1.66 dst: 86.59.119.83 sport: 48459 dport: 443 dnsrec: http://www.buukx57zhxo2ujugeevlveb.com
src: 86.59.119.83 dst: 192.168.1.66 sport: 443 dport: 48459 dnsrec: http://www.yhlkhxjmzg3.net0
src: 192.168.1.66 dst: 38.229.70.42 sport: 44829 dport: 443 dnsrec: http://www.wth7pbtqsw6.com
src: 38.229.70.42 dst: 192.168.1.66 sport: 443 dport: 44829 dnsrec: http://www.uvk2wwbbvwpqpkux.net0
root@bt:~#

What you will notice is that the reply packet has a different dnsrec which always has a 0 (zero) on the end..

I’ve tested this on a few pcap files and the results look consistent. Let me know what you think.
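As an added example (my own, not the sniffMyPackets transform), the Python 3 code below implements both observations from the post without Scapy: it parses the server_name extension out of a TLS ClientHello properly rather than regexing the packet bytes, and it flags any TLS flow whose SNI never appeared in a DNS query in the same capture. build_client_hello() exists only to manufacture test input, the event list is constructed, and the names and IPs are taken from the post’s output. The trailing 0 on the reply-side names in that output is consistent with the names being pulled out of a DER-encoded certificate: the byte after a name string is the 0x30 SEQUENCE tag of the next field, which is ASCII ‘0’.

```python
import struct


def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Constructed test input, not a capture."""
    name = server_name.encode()
    sni_entry = b'\x00' + struct.pack('!H', len(name)) + name            # name_type 0 = host_name
    sni_list = struct.pack('!H', len(sni_entry)) + sni_entry
    extension = struct.pack('!HH', 0x0000, len(sni_list)) + sni_list     # extension type 0 = server_name
    extensions = struct.pack('!H', len(extension)) + extension
    body = (b'\x03\x03' + b'\x11' * 32          # client_version, random (fixed for the test)
            + b'\x00'                          # empty session id
            + b'\x00\x02\xc0\x2f'              # one cipher suite
            + b'\x01\x00'                      # null compression only
            + extensions)
    handshake = b'\x01' + struct.pack('!I', len(body))[1:] + body       # type 1 = client_hello, 3-byte length
    return b'\x16\x03\x01' + struct.pack('!H', len(handshake)) + handshake


def extract_sni(payload):
    """Return the host name from a TLS ClientHello payload, or None if the
    payload is not a ClientHello or carries no server_name extension."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
        pos += 1 + payload[pos]                 # session id
        pos += 2 + struct.unpack('!H', payload[pos:pos + 2])[0]   # cipher suites
        pos += 1 + payload[pos]                 # compression methods
        ext_total = struct.unpack('!H', payload[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack('!HH', payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:
                list_len = struct.unpack('!H', payload[pos:pos + 2])[0]
                p = pos + 2
                while p + 3 <= pos + 2 + list_len:
                    name_type = payload[p]
                    name_len = struct.unpack('!H', payload[p + 1:p + 3])[0]
                    if name_type == 0:
                        return payload[p + 3:p + 3 + name_len].decode('ascii', 'replace')
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None
    return None


def tor_candidates(events):
    """events: ('dns', qname) and ('tls', src, dst, dport, payload) tuples in
    capture order. Returns the TLS flows whose SNI was never looked up in DNS,
    which is the second tell described in the post."""
    resolved = {ev[1].lower() for ev in events if ev[0] == 'dns'}
    flagged = []
    for ev in events:
        if ev[0] != 'tls':
            continue
        _, src, dst, dport, payload = ev
        sni = extract_sni(payload)
        if sni and sni.lower() not in resolved:
            flagged.append((src, dst, dport, sni))
    return flagged


# Constructed capture: one ordinary HTTPS flow preceded by its DNS lookup, and two
# flows using the made-up names (and peer IPs/ports) from the post's output.
SAMPLE_EVENTS = [
    ('dns', 'www.google.com'),
    ('tls', '192.168.1.66', '192.0.2.10', 443, build_client_hello('www.google.com')),
    ('tls', '192.168.1.66', '38.229.70.42', 443, build_client_hello('www.wth7pbtqsw6.com')),
    ('tls', '192.168.1.66', '89.160.29.195', 9001, build_client_hello('www.qqsuvxwbs.com')),
]


if __name__ == '__main__':
    for src, dst, dport, sni in tor_candidates(SAMPLE_EVENTS):
        print('src: %s dst: %s dport: %s sni: %s (no DNS lookup seen)' % (src, dst, dport, sni))
```

On a real capture you would feed extract_sni() the first payload of each client-to-server TCP flow and the DNS set from the DNS responses in the same file; a normal browser session produces a lookup for every SNI it sends, so a non-empty result is a short list worth a closer look rather than a verdict on its own.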

Categories: Python, sniffMyPackets

sniffMyPackets (Beta) – Released!!

Hello readers, so I just want to say something before I get into the “meat” of this post…. (bear with me)

I don’t work in InfoSec, I don’t have a full-time job where I poke holes in systems, or look at IDS logs and pcap files all day long (would be nice but..) but what I do have is a passion for InfoSec and a desire to give back to the community. I’ve never met 98% of the people who read this blog, but over the last 15 months a lot of you have inspired me to push myself harder and further than I thought possible so this is my way to pay some of that back..

I give you sniffMyPackets, Maltego transforms (based on the Canari Framework) for analysing pcap files..

I decided to write these transforms after the Cyber Security Challenge published a cipher challenge that centred around a pcap file; that and my interest in packets meant this seemed like a good way to mix the two (no I haven’t cracked the cipher challenge).

Now this is a BETA, and “beta” means different things to different people, so this is my definition:

1. I’m not a developer/coder, I’ve been writing stuff in Python for less than a year. The transforms in this package work and while not perfect they are functioning. I’ve tested them against as many different pcaps as I feel is necessary to make sure they work properly.

2. This is a BETA, so things like error handling are missing from some transforms, I will get around to it but I’m learning as I go so bear with me.

3. This is by no means a finished product, I will continue to add transforms as I go and if you want anything specific let me know and I will add it (or you can add it yourself), but please send me a pcap file if you can.

4. If (more likely when) you find a problem log it as an issue on the github.com site, the same if you think of something that will improve the package.

5. I don’t have a full license of Maltego so I’ve only tested with the community edition within Backtrack (unless someone wants to donate a license..).

6. I’ve only tested this on Backtrack, for 2 reasons: 1) I don’t own a MacBook, 2) Windows doesn’t play nicely with Scapy and, let’s face it, it’s not the best platform for pcap analysis.

I think that’s about it in terms of “BETA”. I’ve written a lot of transforms using Scapy (yes yes I love Scapy) but as people often say, “Use the best tool for the job” so some of them use tshark which has been cool because I’ve learnt a lot more about both tools. Writing python code with Scapy isn’t hard (even for me), but making them “appear” nicely in Maltego has been challenging at times and I’m not 100% happy with the way the entities link, but like I said it’s a BETA… :)

I’ve created a wiki that lists the entities and transforms available and I will update them as I go, you can find the wiki here: https://github.com/catalyst256/sniffMyPackets/wiki

If you want to have a play with the transforms you can go here: https://github.com/catalyst256/sniffMyPackets

I also did a short video about the transforms (some of which have changed now) but you can find it here:

So have a play, let me know what you think (good or bad) and I will let you know about updates (new transforms etc etc) when I write them. I may even create a new twitter account so I don’t annoy people with updates all the time.

Categories: Python, sniffMyPackets

Cyber Security Challenge – The Masterclass

On Friday the 8th of March, the city of Bristol woke up to what they assumed would be a normal Friday in the vibrant city. What they didn’t know was that throughout the day 40 cyber security hopefuls (made up of students, IT professionals, and even an English teacher from Scotland) would be arriving from around the UK to take part in the Cyber Security Challenge Masterclass (the final) hosted at the HP labs in Bristol.

Now before I go any further a special mention needs to go to the Cyber Security Challenge team that organised the weekend and made sure we all got to where we were supposed to be. A massive amount of time and effort went into the event (which was awesome) and I mean imagine trying to organise us lot (the phrase “herding cats” comes to mind).

The Masterclass was to take place on Saturday and was a full on day of Cyber Security goodness, the challenges were put together by HP & Cassidian CyberSecurity UK and you know it’s not going to be easy. Both challenges were team based so each of us had been assigned to a team for the day making 8 teams ready to battle it out (so that’s 5 to a team just in-case you were wondering).

There were 3 main prizes to be won for the event:

1. Cyber Security Challenge Winner
2. Cyber Security Challenge Runner-up
3. Cyber Security Challenge Winning Team

Early on Saturday morning the contestants were photographed so that the assessors could spot the trouble makers easily (and the fact a lot of contestants were called Steve) and then we all hopped onto a bus for the journey to HP labs. On arrival we signed in, surrendered our mobile phones (no Google…) and started the much needed intake of coffee (well in my case anyway).

Now I’m not going to give you a minute by minute account of the day, just the important parts.

We all took a seat in the main auditorium and received our briefing for the day, in the morning 4 teams would take part in the technical challenge put together by Cassidian, and the other 4 teams would take part in a policy challenge created by HP. Then in the afternoon we would swap, sounds straight forward doesn’t it..

Now I would like to mention at this point that when we were sitting in the auditorium, standing behind us was a rather large number of assessors; these were the men and women who would be judging us as a team and as individuals to determine who the winners would be. They came from a range of different companies and government bodies and all gave up their weekends to help out (thank you) on the day and to give us grief during the presentations (in a nice way of course).

My team named “Caterham” (they were all car names) had the technical challenge first, which was a realistic APT (advanced persistent threat) scenario based around a company that sold management systems to Formula 1 teams and they believed they had been compromised. It was our job to determine if they had, to what extent and give a presentation on our findings.

If you want to read a bit more about both challenges, you can find it here: http://www.computerweekly.com/news/2240179290/Aspirant-UK-cyber-security-champions-prepare-for-battle-in-Bristol

Now I suck at Malware/Forensics (but not for much longer, it’s next on my list) so I wasn’t looking forward to it; luckily as a team we worked well together and the skills I was lacking in that area were complemented by others in my team, and I was able to contribute in other areas (no I didn’t fetch tea and coffee for everyone). Needless to say 1 hour 45 minutes to search for a threat on a medium size network isn’t long and we managed to find the stolen data with about 20 seconds left (cutting it close to say the least).

Now the environment we used wasn’t just a bunch of VMs; the techs at Cassidian spent a lot of time and effort building a self-contained environment that they actually infected themselves over a period of time to give us a realistic APT to investigate, and this was alongside their normal day job (big thank you guys).

After some lunch we moved onto the Policy Challenge created by HP, which was more around determining risk based on a given network layout and with a budget of 1.5 million to “solve” the issues we believed existed. Again we had 2 hours to prepare a presentation and then 9 minutes to present to some more assessors who asked us questions, one of which was James Lyne who, if you have ever met him before, you will know that him asking you technical questions isn’t going to be fun (although I still stand by my statement that buying zero day attack protection won’t protect you from zero day attacks because after all they are called zero day for a reason).

That was the end of the day; we all assembled again for the final briefing in the auditorium where the technical lead for Cassidian gave us a run down on how to find the APT (to much groaning and forehead slapping by the contestants). We all then received a certificate to show our attendance and then HP provided a goodie bag on our way out and we hopped back on the bus.

At this point the assessors all got together and plotted our fate, sorry I mean worked out who the winners were, which believe me couldn’t have been easy or fun (unless you like that sort of thing).

Now Saturday evening was an informal dinner, the previous year’s winner gave a brief talk about what to expect if we won, and then the group of 40 contestants with enough hardware and skills to take over a small country’s IT infrastructure were let loose for the evening. Fear not, the hotel wireless network wasn’t abused (I don’t think) but I believe that they attempted a Denial of Service attack on the hotel bar that went on to 06:30 am.

On Sunday the Masterclass lunch and prize ceremony was planned. We all had team feedback sessions booked and I think it’s really important to mention that the Cyber Security Challenge team really do want honest feedback and they take that feedback and use it to help shape the next events on what we tell them is good/bad.

After the feedback session we had a couple of hours to kill before lunch, then at 12 noon we all assembled nervously waiting to find out who the winners would be. A lot of the sponsors were there so it was a good opportunity for people to mingle and network. At 1 pm lunch was called and we all took our seats ready for some food and prizes.

Now they make you wait till the last 15 minutes of the lunch to find out the winners so there were a few nervous faces during the 2 hours. The first winners to be announced were the overall Team Winner, and the name that got called was “Caterham”.. oh wait that’s my team.. needless to say the team were very surprised and pleased and we all got some cool prizes (including a SANS course…).

The Cyber Security Challenge Runner-up was Steve Jarvis (a member on our team) and the overall Cyber Security Challenge Winner was Stephen Miller.

Now one of the things that makes the Cyber Security Challenge truly awesome is that all of the contestants won prizes; the prize pool donated by sponsors was around £90K and is all designed to enable people to progress a career in Cyber Security so no one goes away empty handed.

The highlights for me were:

I had awesome fun and learnt some new stuff
Met some cool people and put some names to faces (by the way English teachers can be evil..)
Won some prizes (which is really just an added bonus)

A special shout out needs to go to Dan Summers (@Dantiumpro), if it wasn’t for him I would have never heard about the Cyber Security Challenges and wouldn’t have made it to the Masterclass and also a big thank you for bigging me up to a certain gentleman on my table (I was going to say pimping me out but..).

The next round of challenges are available soon, so if you want to be at a Masterclass next year, and are looking for a way into Cyber Security then go to https://cybersecuritychallenge.org.uk and sign up TODAY.

Categories: Security Challenges

Canari – Breaking free of the cage

Like the title?? I figured as I haven’t posted for a while I ought to go for something a bit more catchy. So this post has two parts, the first is a bit “fluffy” the second is a bit more interesting.

First an important piece of information (it does relate to this post). There is a saying I like to use:

“Nothing is impossible, you are only limited by your imagination”

Now remember that for later and carry on reading…

So I’ve been a bit quiet so far this year in terms of posts, there is no real reason for this (other than being busy) but I never intended to use this blog as a means for posting “junk” and I know you guys are all busy so don’t want to waste your time.

Last year as you may remember was all about the OSCP and I found myself wondering what to do next, then like a shovel in the face it hit me. I’ve struggled to work out what area of InfoSec I want to “specialise” in, there are loads of awesome coders, pen testers, exploit hunters and malware analysts already providing advice and code for people and I don’t want to replicate work for the sake of trying to make myself look good.

The other important factor for me is that I have to be “interested” in what I’m learning otherwise I get bored and side tracked by other things (look at the monkey over there…). Open Source Intelligence is something that I enjoy and really does interest me, hunting for information that is hidden online just waiting to be found; tie that in with a “hacker” mindset from doing my OSCP and to me that’s a recipe for epic fun (and mischief).

EoF.. (End of Fluffy)

Now where do you start?? So I am going to assume you’ve all used Maltego; if you haven’t, hang your head in shame and go look HERE. Back? Good, so I’ve played around with Maltego before (just the community edition) and it’s cool.. but for me it could be cooler, so I started looking at how to write your own transforms and entities and then I found Sploitego (never heard of it.. seriously..)

So if you’ve not seen Sploitego before, I suggest the following:

Sploitego is written using the Canari Framework (http://www.canariproject.com/) which was created by Nadeem Douba (really nice bloke) and the real reason for this post. Canari is python based (which I’m trying to learn) and is essentially awesome. It lets anyone create local Maltego transforms, and takes all the hassle of learning XML (well at least understanding it) away and just lets you focus on the code.

Yesterday I finished my Canari framework package. It’s a re-work of the Netscaler Cookie Decrypter I wrote last year, now available in Maltego. It’s not perfect (neither is my coding ability) but it works and I will add some more functionality to it soon. I even now have a github.com account which you can find HERE.

So what does all this mean?? Remember the saying from early??

“Nothing is impossible, you are only limited by your imagination”

Combine that with Canari, Maltego and my own personal “out of box” imagination and rest assured there will be a lot more transform packages appearing soon. My goal is to enhance Maltego with OSINT tools, Wifi tools, basically anything I can think that would help build a profile of someone or something within Maltego. There are no limits, no information is irrelevant as long as there is context to it..

Go try Canari (or Sploitego) for yourself, drop by the forums on the site and say “Hi”.

Me I’m off to buy a copy of Maltego and start my new adventure.

Categories: OSint, Python