Archive
Code: Junk Email Downloader
So a while back someone on Twitter (sorry, can’t remember who..) mentioned that when looking for sources of malware to analyse you shouldn’t overlook your junk/spam emails. What a good idea, I thought, let’s write some code to do that for me.
I’ve quickly thrown together my “Junk Email Downloader” python script which can be found HERE.
The idea being that you have a mailbox that is just used for JUNK (I use Hotmail as I get a lot of junk via that account). The script will connect to any POP3 server and download the emails (and delete them afterwards, so you’ve been warned). Once it has downloaded the emails it pulls out the sender IP and a list of any URLs it finds (based on href tags). It does a bit of GeoIP analysis on both (so you need the MaxMind database) and writes it out to a text file (I will look at making more use of that later).
After that it makes an HTTP request to each URL, checking to see if it gets a 200 response back (just to make sure the URLs are still available). For each 200 response it then submits the URL to VirusTotal via their API for analysis (sorry about the multiple requests guys).
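The extraction step described above, as an added example written for this page rather than taken from the Junk Email Downloader script: it parses one constructed junk message with the standard library’s email and html.parser modules, takes the originating IP from the Received chain (checking X-Originating-IP first, which is an assumption about what the provider adds) and collects the http(s) hrefs, deduplicated. The POP3 fetch, GeoIP lookup and VirusTotal submission all need network access and are left out; the sample message, hosts and addresses are made up.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message (headers, hosts and addresses are all made up for this example).
SAMPLE_EMAIL = b"""\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
 by inbox.example.org with ESMTP id abc123; Sun, 13 May 2012 10:35:11 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
 by mx1.example.net with SMTP; Sun, 13 May 2012 10:35:09 +0000
From: "Prize Dept" <prizes@example.com>
To: junk@example.org
Subject: You have won
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="http://claim.example.com/win?id=1">here</a> now!</p>
<a href='http://claim.example.com/win?id=1'>again</a>
<a href="https://track.example.org/open.gif">confirm</a>
<a href="mailto:prizes@example.com">reply</a>
</body></html>
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class HrefCollector(HTMLParser):
    """Collect http(s) href targets from <a> tags; mailto:, javascript: and the like are ignored."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith(("http://", "https://")):
                self.urls.append(value)


def sender_ip(msg):
    """Originating IP: X-Originating-IP if the provider adds one (an assumption about the
    provider), otherwise the bracketed address in the earliest Received header, which is
    the last one in header order because each relay prepends its own."""
    originating = msg.get("X-Originating-IP")
    if originating:
        m = BARE_IP.search(originating)
        if m:
            return m.group(0)
    for received in reversed(msg.get_all("Received", [])):
        m = BRACKETED_IP.search(received)
        if m:
            return m.group(1)
    return None


def extract_urls(msg):
    """Unique http(s) hrefs from every text/html part, in first-seen order."""
    seen, urls = set(), []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = HrefCollector()
        collector.feed(part.get_content())
        for url in collector.urls:
            if url not in seen:
                seen.add(url)
                urls.append(url)
    return urls


def analyse(raw_message):
    """raw_message: the bytes of one message, e.g. b"\\r\\n".join(lines) from poplib's retr()."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {"sender_ip": sender_ip(msg), "urls": extract_urls(msg)}


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

To feed it from a real junk mailbox, poplib.POP3_SSL’s retr() returns the message as a list of byte lines; join them with b"\r\n" and pass the result to analyse(). Using the earliest Received header rather than the topmost matters: the topmost one is your own provider’s relay, not the sender.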
It’s still a work in progress, but at over 100 lines of code it’s the biggest script I’ve ever written, so hopefully you might find it useful. Once I’ve tweaked it a bit I’m going to run it on my Raspberry Pi, the idea being that it will run once an hour or so.
In the future I will add some more VirusTotal API calls, such as IP/Domain lookup, and build in Cuckoo Sandbox API calls so you can submit the URLs to your own sandbox for analysis.
Have fun and let me know what you think.
Code: PDF hunter
So of late I’ve been playing around a lot with Scapy and pcap files, mostly for my sniffMyPackets project but also because it teaches me more about network forensics and python. The other area I’m starting to learn about is Malware Analysis and I’ve been spending some time looking at the Honeynet Project challenges.
One of the challenges is to find the malicious content within a PDF file that is provided to you in a pcap file. Normally I would just reach for NetworkMiner and rebuild the file(s) that way, but I wanted to see if I could write some code myself.
The goal of my code was simple: parse through a pcap file, identify a PDF and then rebuild the file so that if a tool such as exiftool or file was used it would correctly be identified as a PDF, and so that you could open the PDF and view the content (if you wanted to).
I follow a certain process when I’m carving up pcap files; it’s not rocket science, really just common sense. First off, find the packets you are interested in (I tend to use a mix of Wireshark and Scapy for this), then look for something you can use to filter down to the packets you want before getting into the nitty-gritty of carving them up.
For this piece of code I needed some way of identifying a PDF file in a pcap file. As most PDF files will appear in a pcap file as part of an HTTP conversation, I parse each packet and, if the packet has a Raw layer (a Raw layer in Scapy is essentially the payload of a packet), I look for ‘Content-Type: application/pdf’. If this is matched then I store the TCP ACK number in a variable for use later.
Now once I have the ACK number I need to find all the packets that relate to it in order to get the whole file. It turns out the ACK is the same for all the packets the PDF download is in (something I didn’t realise until I started this), so it’s a simple case of using the following code to find all the packets I’m after:
# pkts is the rdpcap() result, ack the stored ACK number and cfile an empty list (all set earlier)
for p in pkts:
    if p.haslayer(TCP) and p.haslayer(Raw) and (p.getlayer(TCP).ack == int(ack) or p.getlayer(TCP).seq == int(ack)):
        raw = p.getlayer(Raw).load
        cfile.append(raw)
If either the TCP ACK or SEQ matches our stored ACK variable, we get the Raw layer and store it in a Python list. This means that we now have (hopefully) all the packets that make up the PDF stored nicely away, and because it’s a TCP conversation they should all be in the right order.
Now that we have all the packets we write them out to a temporary file. It’s a temporary file because if you were to open it in a text editor you would see all the HTTP headers at the top and the bottom, which means if you ran file against it you would get back a file type of “data” and not “PDF” (which is what we are after).
So we then have to do some Python magic (well, I think it’s magic) to slice the rubbish out. This is the part that took me the longest to figure out. If you have ever looked at a PDF file in a text editor (I wouldn’t blame you if you haven’t), you would notice that they start with “%PDF-” and end with “%%EOF”, so finding the start of a PDF file is easy; the problem is that a PDF file can have multiple %%EOF markers towards the end of the file and I kept cutting at the wrong point.
To fix this I came up with a bit of a long-winded way of carving the temporary file up (see the code below):
# Open the temp file, cut the HTTP headers out and then save it again as a PDF
# tmpfile, start ('%PDF-'), end ('%%EOF') and the open output file outfile2 are set earlier
total_lines = ''
firstcut = ''
secondcut = ''
final_cut = ''
f = open(tmpfile, 'r').readlines()
total_lines = len(f)
# line number of the %PDF- header (the last match wins if there are several)
for x, line in enumerate(f):
    if start in line:
        firstcut = int(x)
# line number just after the last %%EOF, so the final marker is kept
for y, line in enumerate(f):
    if end in line:
        secondcut = int(y) + 1
f = f[firstcut:]
if int(total_lines) - int(secondcut) != 0:
    # trailing lines (HTTP headers of the next exchange) to drop from the end
    final_cut = int(total_lines) - int(secondcut)
    f = f[:-final_cut]
    outfile2.writelines(f)
    outfile2.close()
else:
    outfile2.writelines(f)
    outfile2.close()
If you read Python, awesome; if you don’t, here’s what happens.
First off I open the temporary file and count the number of lines. I look for the variable I declared at the start of the code as start (which is this: start = str('%PDF-')); if that’s matched it stores the line number as the variable firstcut.
I then need to find the last cut. I look for the variable end (which is this: end = str('%%EOF')). Now remember I said a PDF can have multiple EOF statements; well, I get round that because Python overwrites the variable secondcut each time it’s matched, so the last line with EOF is always the one used. I also add +1 to the line number because in the next chunk of code, if I didn’t, I would actually cut the final %%EOF out of the file (I know this because I did it, before realising what was happening).
So we now do a simple little IF statement to make sure that there is something at the end of the file to cut (sometimes there isn’t on the pcap files I’ve used/made), and if there is we slice the bad HTTP headers out before saving the file. If there isn’t anything to cut then we just save the file.
Hopefully that makes sense to non-python people (I can but hope).
I’ve tested this on a number of different pcap files that have PDF downloads in them and it works: I can open and view the PDF, and if I run file or exiftool against it then it appears as a normal PDF. I’m sure there are some cases when it won’t work 100%, but if you find something that doesn’t, let me know so I can try to fix it.
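The same cut done on bytes rather than lines, as an added example that is not the PDFHunter code: it drops the HTTP head at the first blank line, keeps everything from the first %PDF- to the last %%EOF (so the incremental-update case with several markers is handled), and, going one step beyond the post, compares the carved size with the Content-Length header as a sanity check. The capture below is constructed: a response head, a small PDF with two %%EOF markers, and the start of the next request on the same connection.

```python
import re

# Constructed PDF body with an incremental update, so it carries two %%EOF markers.
PDF_BODY = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"2 0 obj\n<< /Type /Annot >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

# Constructed capture: the HTTP response head, the PDF, then the start of the next request
# on the same connection (the "headers at the bottom" the post describes).
SAMPLE_CAPTURE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r\n"
    b"Content-Length: %d\r\n\r\n" % len(PDF_BODY)
    + PDF_BODY
    + b"GET /next.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
)

CONTENT_LENGTH = re.compile(rb"(?im)^content-length:\s*(\d+)\s*$")


def carve_pdf(captured):
    """Return the PDF bytes inside a reassembled HTTP response, plus a length check.

    The HTTP head ends at the first blank line; the PDF runs from the first '%PDF-' after
    it to the LAST '%%EOF' (incremental updates add more than one), keeping the line
    ending that follows it. Returns None if either marker is missing.
    """
    head_end = captured.find(b"\r\n\r\n")
    head = captured[:head_end] if head_end != -1 else b""
    body_start = head_end + 4 if head_end != -1 else 0

    start = captured.find(b"%PDF-", body_start)
    if start == -1:
        return None
    end = captured.rfind(b"%%EOF")
    if end < start:          # covers rfind() returning -1 as well
        return None
    end += len(b"%%EOF")
    if captured[end:end + 2] == b"\r\n":
        end += 2
    elif captured[end:end + 1] == b"\n":
        end += 1
    pdf = captured[start:end]

    m = CONTENT_LENGTH.search(head)
    declared = int(m.group(1)) if m else None
    return {
        "pdf": pdf,
        "declared_length": declared,
        # A mismatch usually means a lost segment or a cut in the wrong place.
        "length_ok": declared is None or declared == len(pdf),
    }


if __name__ == "__main__":
    result = carve_pdf(SAMPLE_CAPTURE)
    print(len(result["pdf"]), result["declared_length"], result["length_ok"])
```

Working on bytes also avoids the line-based version’s weak spot: a PDF stream object can legitimately contain binary data with newlines in it, and readlines() splits on those, whereas find()/rfind() don’t care.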
The code can be found here: https://github.com/catalyst256/PDFHunter (in my ever-growing GitHub repo). Oh and I’ve added this function into my sniffMyPackets transform pack.
Enjoy!
sniffMyPackets: Finding Tor
I don’t normally do short random posts but I figure once in a while won’t hurt.
So I’ve been busy working on new transforms for my Maltego pcap analysis package and things are moving along nicely. Part of my process is making notes on things I think would be cool to see and then working my way through the list.
Over the weekend I added “Tor Traffic” to my list, I know most of the traffic is encrypted so wasn’t sure if I could get an end result from it but figure it was worth a look.
Anyway I’ve thrown together some Scapy/Python code (soon to be a transform if it’s right) that I think will highlight Tor traffic in a pcap file. Now this is just a work in progress, so let me know if I’m miles off the mark (so to speak).
I created a pcap file by stopping the Tor service on my copy of Backtrack and then starting it again while capturing some packets. I’ve also tested it on another pcap file from the internet with some Tor bot traffic and the results are similar.
Looking through the pcap file I noticed some “strange” entries during the SSL handshake that led me to my PoC code (no, I didn’t Google first to see if it already existed).
During the SSL handshake the “Client Hello” packet includes a Server Name record which in a “normal” handshake might be something like www.google.com; however, with a Tor SSL handshake it’s something like “www.wth7pbtqsw6.com”, which if you ping doesn’t actually exist.
The other thing to note is that the SSL server name doesn’t have a corresponding DNS query; in fact, for all the packets in the pcap file there are no DNS queries/responses, which is another way to narrow down possible Tor traffic.
The sniffMyPackets transform can be found HERE:
So basically my Python code reads a pcap file and looks for any TCP packet with a payload that has www.xxxxxx in it. It then pulls out the key information (src ip, dst ip, sport, dport and the www. value) and just displays it as neat little lines.
The code is below:
#!/usr/bin/env python
import logging, sys, re
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

pcap = sys.argv[1]
pkts = rdpcap(pcap)

for x in pkts:
    if x.haslayer(TCP) and x.haslayer(Raw):
        # decode to text so the same code works on Python 2 and 3 payloads
        payload = x.getlayer(Raw).load.decode('latin-1')
        if 'www.' in payload:
            # dots are escaped so the pattern matches a real host name, not any character
            for s in re.finditer(r'www\.\w+\.\w+', payload):
                dnsrec = s.group()
                srcip = x.getlayer(IP).src
                dstip = x.getlayer(IP).dst
                sport = x.getlayer(TCP).sport
                dport = x.getlayer(TCP).dport
                ipaddr = srcip, dstip, sport, dport, dnsrec
                print(ipaddr)
If I run this against my pcap file I get these results:
root@bt:~# ./lookfortor.py /root/pcaps/tor-startup.pcap
src: 192.168.1.66 dst: 89.160.29.195 sport: 40651 dport: 9001 dnsrec: http://www.qqsuvxwbs.com
src: 89.160.29.195 dst: 192.168.1.66 sport: 9001 dport: 40651 dnsrec: http://www.vlkkj3kgxh56ibujher.net0
src: 192.168.1.66 dst: 86.59.119.83 sport: 48459 dport: 443 dnsrec: http://www.buukx57zhxo2ujugeevlveb.com
src: 86.59.119.83 dst: 192.168.1.66 sport: 443 dport: 48459 dnsrec: http://www.yhlkhxjmzg3.net0
src: 192.168.1.66 dst: 38.229.70.42 sport: 44829 dport: 443 dnsrec: http://www.wth7pbtqsw6.com
src: 38.229.70.42 dst: 192.168.1.66 sport: 443 dport: 44829 dnsrec: http://www.uvk2wwbbvwpqpkux.net0
root@bt:~#
What you will notice is that the reply packet has a different dnsrec which always has a 0 (zero) on the end..
I’ve tested this on a few pcap files and the results look consistent. Let me know what you think.
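A stricter version of the check in this post, as an added example that is not the sniffMyPackets code: instead of grepping the payload for “www.”, it parses the TLS ClientHello and reads the server_name extension directly, then flags any name that never appeared in a DNS query in the same capture (the post’s second observation). The trailing “0” the post notices on the reply side is the \w* in the regex running into the byte after the name; in the server’s certificate that byte is most likely the DER tag of the next field (0x30, which is ASCII “0”), and parsing the extension avoids that artefact. build_client_hello() is a constructed test fixture standing in for the Raw payload Scapy would hand you; the flows and DNS set below are made up, the first host name is the one quoted in the post.

```python
import struct


def build_client_hello(server_name):
    """Constructed TLS 1.2 ClientHello record carrying one SNI entry (test fixture)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name           # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list            # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                                    # client_version + random
            + b"\x00"                                                    # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                         # one cipher suite
            + b"\x01\x00"                                                # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body         # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload):
    """Walk a TLS record and return the server_name from a ClientHello, else None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:         # handshake record, client_hello
            return None
        pos = 5 + 4 + 2 + 32                                 # record hdr, handshake hdr, version, random
        pos += 1 + payload[pos]                              # session id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
        pos += 1 + payload[pos]                              # compression methods
        ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:
                q = pos + 2                                  # skip server_name_list length
                while q + 3 <= pos + ext_len:
                    name_type = payload[q]
                    name_len = struct.unpack("!H", payload[q + 1:q + 3])[0]
                    if name_type == 0:
                        return payload[q + 3:q + 3 + name_len].decode("ascii", "replace")
                    q += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):                      # truncated or not a ClientHello
        return None
    return None


def unresolved_sni(flows, dns_queries):
    """flows: iterable of (src, dst, sport, dport, payload); dns_queries: lower-case names
    queried in the capture. Returns the flows whose SNI was never looked up via DNS."""
    hits = []
    for src, dst, sport, dport, payload in flows:
        name = extract_sni(payload)
        if name and name.lower() not in dns_queries:
            hits.append((src, dst, sport, dport, name))
    return hits


if __name__ == "__main__":
    # Constructed flows; the first host name is the one quoted in the post.
    flows = [
        ("192.168.1.66", "38.229.70.42", 44829, 443, build_client_hello("www.wth7pbtqsw6.com")),
        ("192.168.1.66", "203.0.113.5", 50000, 443, build_client_hello("www.google.com")),
    ]
    for hit in unresolved_sni(flows, {"www.google.com"}):
        print("src: %s dst: %s sport: %d dport: %d sni: %s" % hit)
```

With Scapy the payload argument is simply x.getlayer(Raw).load for each TCP packet, and the DNS set comes from the qname of every packet with a DNSQR layer. A host name with no DNS lookup behind it is only a lead, not proof: clients with a hosts-file entry or a local resolver cache look the same.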
sniffMyPackets (Beta) – Released!!
Hello readers, so I just want to say something before I get into the “meat” of this post…. (bear with me)
I don’t work in InfoSec, I don’t have a full-time job where I poke holes in systems, or look at IDS logs and pcap files all day long (would be nice but..) but what I do have is a passion for InfoSec and a desire to give back to the community. I’ve never met 98% of the people who read this blog, but over the last 15 months a lot of you have inspired me to push myself harder and further than I thought possible so this is my way to pay some of that back..
I give you sniffMyPackets, Maltego transforms (based on the Canari Framework) for analysing pcap files..
I decided to write these transforms after the Cyber Security Challenge published a cipher challenge that centred around a pcap file; that and my interest in packets meant this seemed like a good way to mix the two (no, I haven’t cracked the cipher challenge).
Now this is a BETA, and “beta” means different things to different people, so this is my definition:
1. I’m not a developer/coder, I’ve been writing stuff in Python for less than a year. The transforms in this package work and while not perfect they are functioning. I’ve tested them against as many different pcaps as I feel is necessary to make sure they work properly.
2. This is a BETA, so things like error handling are missing from some transforms, I will get around to it but I’m learning as I go so bear with me.
3. This is by no means a finished product, I will continue to add transforms as I go and if you want anything specific let me know and I will add it (or you can add it yourself), but please send me a pcap file if you can.
4. If (more likely when) you find a problem log it as an issue on the github.com site, the same if you think of something that will improve the package.
5. I don’t have a full license of Maltego so I’ve only tested with the community edition within Backtrack (unless someone wants to donate a license..).
6. I’ve only tested this on Backtrack, for 2 reasons.. 1) I don’t own a MacBook, 2) Windows doesn’t play nicely with Scapy and let’s face it, it’s not the best platform for pcap analysis.
I think that’s about it in terms of “BETA”. I’ve written a lot of transforms using Scapy (yes yes I love Scapy) but as people often say, “Use the best tool for the job” so some of them use tshark which has been cool because I’ve learnt a lot more about both tools. Writing python code with Scapy isn’t hard (even for me), but making them “appear” nicely in Maltego has been challenging at times and I’m not 100% happy with the way the entities link, but like I said it’s a BETA…
I’ve created a wiki that lists the entities and transforms available and I will update them as I go, you can find the wiki here: https://github.com/catalyst256/sniffMyPackets/wiki
If you want to have a play with the transforms you can go here: https://github.com/catalyst256/sniffMyPackets
I also did a short video about the transforms (some of which have changed now) but you can find it here:
So have a play, let me know what you think (good or bad) and I will let you know about updates (new transforms etc etc) when I write them. I may even create a new twitter account so I don’t annoy people with updates all the time.
Canari – Breaking free of the cage
Like the title?? I figured as I haven’t posted for a while I ought to go for something a bit more catchy. So this post has two parts, the first is a bit “fluffy” the second is a bit more interesting.
First an important piece of information (it does relate to this post). There is a saying I like to use:
“Nothing is impossible, you are only limited by your imagination”
Now remember that for later and carry on reading…
So I’ve been a bit quiet so far this year in terms of posts, there is no real reason for this (other than being busy) but I never intended to use this blog as a means for posting “junk” and I know you guys are all busy so don’t want to waste your time.
Last year as you may remember was all about the OSCP and I found myself wondering what to do next, then like a shovel in the face it hit me. I’ve struggled to work out what area of InfoSec I want to “specialise” in, there are loads of awesome coders, pen testers, exploit hunters and malware analysts already providing advice and code for people and I don’t want to replicate work for the sake of trying to make myself look good.
The other important factor for me is that I have to be “interested” in what I’m learning, otherwise I get bored and sidetracked by other things (look at the monkey over there…). Open Source Intelligence is something that I enjoy and really does interest me, hunting for information that is hidden online just waiting to be found; tie that in with a “hacker” mindset from doing my OSCP and to me that’s a recipe for epic fun (and mischief).
EoF.. (End of Fluffy)
Now where do you start?? So I am going to assume you’ve all used Maltego; if you haven’t, hang your head in shame and go look HERE. Back? Good, so I’ve played around with Maltego before (just the community edition) and it’s cool.. but for me it could be cooler, so I started looking at how to write your own transforms and entities and then I found Sploitego (never heard of it.. seriously..)
So if you’ve not seen Sploitego before, I suggest the following:
Sploitego is written using the Canari Framework (http://www.canariproject.com/) which was created by Nadeem Douba (really nice bloke) and the real reason for this post. Canari is python based (which I’m trying to learn) and is essentially awesome. It lets anyone create local Maltego transforms, and takes all the hassle of learning XML (well at least understanding it) away and just lets you focus on the code.
Yesterday I finished my Canari framework package. It’s a re-work of the Netscaler Cookie Decrypter I wrote last year, now available in Maltego. It’s not perfect (neither is my coding ability) but it works and I will add some more functionality to it soon. I even now have a github.com account which you can find HERE.
So what does all this mean?? Remember the saying from earlier??
“Nothing is impossible, you are only limited by your imagination”
Combine that with Canari, Maltego and my own personal “out of the box” imagination and rest assured there will be a lot more transform packages appearing soon. My goal is to enhance Maltego with OSINT tools, Wifi tools, basically anything I can think of that would help build a profile of someone or something within Maltego. There are no limits; no information is irrelevant as long as there is context to it..
Go try Canari (or Sploitego) for yourself, drop by the forums on the site and say “Hi”.
Me I’m off to buy a copy of Maltego and start my new adventure.
Crazy idea for 2012
Coming soon…
So since I finished my OSCP course I’ve been spending my time attempting to learn how to code in Python and working on my network forensic skills (which suck currently).
To this end I’ve been reading the book “Violent Python” which is actually ideal for me, the examples are both practical and the code works (always a bonus but not always a sure thing). Currently I’m working through the chapter on Network Traffic Analysis which involves lots of work to do with packet captures and Scapy (my two favourite things).
The one issue I’ve come across is the lack of websites where you can download pcap files that contain malware, attacks etc. etc. I know you can download some pcap files from the web or make them yourself, but I’m lazy and would rather have one place to go.
So to that end I’ve created a cunning plan… I’ve decided to build a pcap repository, available for all on the internet. It will be free to use and will eventually allow people to upload pcap files themselves (my web skills suck so it might take a while). I have no idea if this idea will work or not but it’s my way of giving something back to the community.
I’m currently searching for a hosting provider that will allow me plenty of bandwidth and storage space (just in case this idea takes off). All being well I will have a new domain all sorted before Christmas and then the real work will begin.
Long term some of the features that will be available will be:
Ability to upload pcap files
Ability to download pcap files (wouldn’t be much good otherwise)
Search facility
Maybe even the ability to view contents of pcap files on-line
This being a community project I would hope that people out there will help, whether it be suggestions, beta testing, donation of pcap files or some web development work (you don’t have to if you don’t want to though).
Well that’s my crazy idea for the year sorted, let me know what you think and I will post updates as I go.
Environment Disclosure via #shodan
First off, a big thanks to @achillean and his awesome website over at http://www.shodanhq.com; the amount of information that gets collected and stored is mind-blowing. I had a brief email conversation with John when I decided to write this blog and at the time there were over 70 million records stored in ShodanHQ.
So to the point of this blog post, in my current job I work a lot on e-commerce type stuff, mostly because I’m responsible for the load balancers we use (if you’ve read this blog before you might be able to guess what they are..). Part of that work means every now and again I get sent the output of our regular pen tests to answer questions or fix “holes”.
One of the most common “holes” I fix is what the external pen testers call “Environment Disclosure Information”, which in layman’s terms means you are giving out more information than you should to external people when they visit your websites.
This is an example HTTP header extract from a website, which will highlight the sort of stuff I mean:
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, no-transform, private
Content-Length: 43
Content-Type: image/gif
Date: Sun, 13 May 2012 10:35:11 GMT
Etag: "4FAF8E5F-48B6-0D239661"
Expires: Sat, 12 May 2012 10:35:11 GMT
Last-Modified: Mon, 14 May 2012 10:35:11 GMT
Pragma: no-cache
Server: Omniture DC/2.0.0
Vary: *
X-C: ms-4.4.5
p3p: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www4
Now remember I’m no security expert, but to me this amount of “free” information about your web environment is both unnecessary and, well, to be fair a bit sloppy.
Looking at the HTTP header above, an unethical type of person can determine the type of server you are running (Server: Omniture DC/2.0.0) and the version it’s running, which would make it easier when looking for known vulnerabilities, and you can tell that they have at least 4 web servers (xserver: www4) providing this content (which means some sort of load balancing).
This is another HTTP header from a rather “large” software company that like Marmite you either love or hate..
Cache-Control: max-age=0
Connection: close
Content-Length: 12941
Content-Type: text/html; charset=utf-8
Date: Sun, 13 May 2012 10:40:24 GMT
Expires: Sun, 13 May 2012 10:39:24 GMT
PPServer: PPV: 30 H: BAYIDSLGN1H57 V: 0
Server: Microsoft-IIS/7.5
Set-Cookie: MSPRequ=lt=1336905624&co=1&id=64855; path=/;version=1
MSPOK=$uuid-b9356970-ea8a-491c-8c62-f367d9460ca3;
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 0
p3p: CP="DSP CUR OTPi IND OTRi ONL FIN"
Again you will see that the Server: HTTP header is still there, so is this really a security concern? Do pen testers just highlight it as something to put in a report??
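A small audit of exactly the headers discussed above, as an added example that is not from the post or from any pen-test tool: it splits a raw response head into name/value pairs and reports the ones that name the software stack (with or without a version) or an individual node. The sample input is the first header block quoted in the post; the two header sets are my own assumption about what counts as disclosure, with "X-C" and "xserver" taken from that block and the rest being common examples.

```python
import re

# First header block quoted in the post, reused here as the sample input.
SAMPLE_RESPONSE = """\
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, no-transform, private
Content-Length: 43
Content-Type: image/gif
Date: Sun, 13 May 2012 10:35:11 GMT
Etag: "4FAF8E5F-48B6-0D239661"
Expires: Sat, 12 May 2012 10:35:11 GMT
Last-Modified: Mon, 14 May 2012 10:35:11 GMT
Pragma: no-cache
Server: Omniture DC/2.0.0
Vary: *
X-C: ms-4.4.5
p3p: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www4
"""

# Headers that name the software stack; a dotted number in the value means a version leaks too.
SOFTWARE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
# Non-standard headers that name one node or build (assumed set: "x-c" and "xserver" come
# from the post, the others are common examples seen behind load balancers and CDNs).
NODE_HEADERS = {"xserver", "x-c", "ppserver", "x-served-by", "x-backend"}
VERSION_TOKEN = re.compile(r"\d+\.\d+")


def parse_headers(text):
    """Split raw 'Name: value' lines into (name, value) pairs; folded or odd lines are skipped."""
    pairs = []
    for line in text.splitlines():
        if ":" in line and not line[0].isspace():
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_disclosures(text):
    """Return (header, value, what-it-reveals) for each disclosing header, in header order."""
    findings = []
    for name, value in parse_headers(text):
        key = name.lower()
        if key in SOFTWARE_HEADERS:
            how = "software name and version" if VERSION_TOKEN.search(value) else "software name"
            findings.append((name, value, how))
        elif key in NODE_HEADERS:
            findings.append((name, value, "individual node or build identifier"))
    return findings


if __name__ == "__main__":
    for header, value, how in find_disclosures(SAMPLE_RESPONSE):
        print("%-10s %-25s %s" % (header, value, how))
```

On the server side the version part is the easy bit to remove: Apache’s ServerTokens Prod directive reduces the header to "Apache", and nginx’s server_tokens off; drops the version from its Server header. The custom node headers have to be stripped at the load balancer or in the application. Trimming headers hides the banner but does not patch anything, which is the real point of the exploit-db numbers further down this post.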
Now onto the cool stuff (well it’s cool to me), if you have ever used ShodanHQ you will know that there is an API available, and if you pay a small amount of $$ you can get a lot of functionality. I decided to use that API and write a ruby script that would look through the 70 million records and give me the total number of results that matched some of the most popular HTTP server headers.
This is my code (I have compared the numbers against individual searches with the same server header).
#!/usr/bin/env ruby
require 'rubygems'
require 'shodan'

# Set your Shodan API Key
SHODAN_API_KEY = "enteryourapihere"

# Create the API object
api = Shodan::WebAPI.new(SHODAN_API_KEY)

# Define the array of Server headers you want to search for
array = ["Apache/2.4","Apache/2.3","Apache/2.2.21", "Apache/2.2.20", "Apache/2.2.19", "Apache/2.2.18", "Apache/2.2.17", "Apache/2.2.16", "Apache/2.2.15", "Apache/2.2.14", "Apache/2.2.13", "Apache/2.2.12", "Apache/2.2.11", "Apache/2.2.10", "Apache/2.2.9", "Apache/2.2.8", "Apache/2.2.6", "Apache/2.2.5", "Apache/2.2.4", "Apache/2.2.3", "Apache/2.2.2", "Apache/2.2.0", "Microsoft-IIS/7.5", "Microsoft-IIS/7.0", "Microsoft-IIS/6.0", "Microsoft-IIS/5.0", "Microsoft-IIS/4.0", "Microsoft-IIS/3.0", "Microsoft-IIS/2.0", "Microsoft-IIS/1.0", "nginx", "squid", "lighttpd"]

# For each value in array, search through Shodan
array.each do |server|
  d = api.search(server)
  # Print the array value and the total number of matches against the array value
  puts "#{server}: #{d['total']}"
end
I know it’s nothing flash, but it works..
Now the results (drum roll please)…Bear in mind this isn’t all the web server versions, just the ones I could think of or find without spending hours crawling through the internet.
Results:
Apache/2.4: 465
Apache/2.3: 531
Apache/2.2.21: 229250
Apache/2.2.20: 72756
Apache/2.2.19: 72666
Apache/2.2.18: 4048
Apache/2.2.17: 351696
Apache/2.2.16: 444607
Apache/2.2.15: 328945
Apache/2.2.14: 517311
Apache/2.2.13: 141590
Apache/2.2.12: 81345
Apache/2.2.11: 346329
Apache/2.2.10: 89642
Apache/2.2.9: 743891
Apache/2.2.8: 420166
Apache/2.2.6: 97186
Apache/2.2.5: 63
Apache/2.2.4: 131883
Apache/2.2.3: 2854600
Apache/2.2.2: 28955
Apache/2.2.0: 65168
Microsoft-IIS/7.5: 681421
Microsoft-IIS/7.0: 749303
Microsoft-IIS/6.0: 3932895
Microsoft-IIS/5.0: 506169
Microsoft-IIS/4.0: 14731
Microsoft-IIS/3.0: 603
Microsoft-IIS/2.0: 37
Microsoft-IIS/1.0: 31
nginx: 1299084
squid: 192084
lighttpd: 503577
Yes yes I know, surely someone can’t be using IIS/1.0 but I did triple check that result..
To me that’s a lot of people who either don’t care about hiding this information, or like I said earlier it’s not really a big issue.
So let’s take it one step further: ShodanHQ also lets you search the exploitdb using the API. Using the ruby script available from the documentation I ran it against Microsoft IIS/6.0 (the most popular IIS version from my research). Using the script I got 6 “known” exploits back (see below).
Results found: 6
3965: Microsoft IIS 6.0 (/AUX/.aspx) Remote Denial of Service Exploit
8704: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Vulnerability
8754: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)
8765: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php)
8806: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (pl)
15167: Microsoft IIS 6.0 ASP Stack Overflow (Stack Exhaustion) Denial of Service (MS10-065)
Now most of these might not be valid because of patching, but out of the 3,932,895 results there might be one or two that haven’t been patched??
I know that realistically you will never be able to hide everything that might or might not give unethical people an advantage if you become a target, but why make it easy for them??
So is this kind of free information really an issue? If you are pen tester does this kind of information help you when running a test or is it just accepted that it’s out there and available??
Let me know what you think.
Man with a plan – My training plan
I’m not the most organised person, especially when it comes to staying focused on something (sorry, what was I talking about??). If you’ve read this blog before you would have picked up that I’ve decided to expand on my IT Security skills.
To that end I’ve created a 12 month training plan, nothing fancy just a list of technologies/software that I want to learn how to use better. It won’t make me an expert (I’m not that silly), but it will hopefully mean that come BSides London 2013 I might be able to give a track 3 talk.
The training plan includes Ruby (not Python for the time being), Wireshark, the Metasploit Framework, Nmap and a long period for Scapy. I like the idea of being able to write packets so I’ve dedicated a lot of time to this.
Along the way I will blog about my progress and hopefully start getting some more InfoSec related posts up here instead of my ranting about stuff..
Below is the training plan, feel free to pass any comments if you think I’ve missed anything obvious, my goal is to be able to run pen tests (against my own systems), without resorting to “automated” tools.
I’m also looking (still) for a UK-based InfoSec mentor, if any of you lot are feeling generous (I’m not expecting a lot, just answering some questions when I get stuck). If you’re up for it let @infosecmentors know.
Adam
Netscalers: Making sense of the cookie – the finale
So this is the final part to my Netscaler cookie series. If you haven’t read the other two blog posts you may want to just so this makes a bit of sense..
All make sense now?? (probably not but it’s polite to ask)..
Before I get started I just want to clear something up. I am in no way shape or form a programmer.. It’s one of those areas that up until recently has made my head hurt (and not just from banging my head on the desk a lot) but it is an area that I want to improve on and the best way for me to learn is to do.
So how do you end a series of blog posts about Netscaler cookies and how to decrypt them.. well you write a program to do it for you. I decided to use python to write my little decryption program as it will run on both Windows and Linux (I’ve even tested it to make sure) and it seems to be used a lot by InfoSec type people.
Now this is my first ever python program/script/application and in fact it’s the very first time I’ve ever written something like this (unless you count the macro I wrote in Word 7 that did a cypher substitution encryption), so yes while the code might not be perfect and possibly badly written the important thing is that it works.
Now before I get to the part where I give you the link to the script (is script the right word??) here’s how it works (in basic terms).
The script is designed to do 2 things. It accepts a Netscaler cookie from the command line;
python nsccookiedecrypt.py NSC_rfse-gesfe-etsgsvs... (not the complete cookie)
It then runs two re.search functions to separate the cookie name (the Netscaler load balancer vserver name) and the Server IP (the IP address of the server you are persistent to).
Once it has these variables, it performs two decryption actions, the first is the cipher substitution to give you the real Server Name;
Service Name=qerd-fdred-dsrfrur-erdded
It then runs the XOR decryption based on the key that was mentioned in Part 2 of my series to give you the Server IP;
Server IP=63.17.71.92
Currently the script outputs both to the command line, it’s not exactly high end coding but it’s not a bad start for me.
You can find the script HERE. I’ve tested it on over a dozen real-life Netscaler cookies, so I’m 90% happy it will work in all cases; it doesn’t use any fancy imports so you should be good to go with just a standard Python install.
If you find any bugs or want to let me know how to make it better, please drop me a line. Over time once I get better at coding I will probably improve it. I’ve created a new “Page” on my blog with links to the code and hopefully over time I will add to it.
If you want to modify the script for your own uses, please do; however, please let me know so I can keep tabs on how it’s being used and what I can do to improve it.
I would like to thank Alejandro Nolla for inspiring me to write this (check out his load balancer finder) and Daniel Grootveld for helping me with the XOR decryption (and by help I mean stopping me from using an Excel spreadsheet).
Happy decrypting.
Turning to the dark side
No it’s not a reference to Star Wars or anything sinister, let me explain..
For the last 15 years I’ve spent my IT career working on servers, Microsoft operating systems and all the things that come related to that.
The one skill set I’ve never explored is the magical world of programming. Don’t get me wrong, I can write basic scripts and SQL queries and the majority of the time read other people’s code and work my way through it, but I’ve never spent the time to learn how to program. The biggest reason for this is that my brain seems to rebel against learning the structure of a programming language.
In an effort to increase my skill set and give myself a challenge I decided it was about time I learnt how to program; the first obstacle, choosing which language to learn. To be honest this is probably the hardest part for a “new” programmer, as the list of choices and possibilities seems to be endless. Luckily I had a requirements list (more about this later) and some help from a friend who has been programming for the last 20+ years (cheers Brian).
My requirements were the following:
1. Cross platform support – I wanted to learn a language that would run regardless of the OS and in some cases the hardware platform.
2. Network/Database support – I intend to use my new programming skills to eventually build applications that can access networks and databases so I needed a programming language that already had extensive built-in networking and database support.
3. Makes sense – This might seem a bit of an odd requirement but I wanted a programming language that made sense to me, because I’ve always struggled with programming I wanted to feel at ease with what I was learning.
Once I had my requirements, and with the help of Google, I created a shortlist of languages that might fit them. These were the ones I came up with:
1. C
2. Java
3. Ruby
4. Python
5. Perl
6. Microsoft .NET
Based on my requirements I removed the following languages from my list.
Python and Perl were removed because although they will run on Linux and Windows operating systems it’s not “native” for Microsoft Platforms and I was looking for something that would run “out of the box”. Microsoft .NET was removed because to my knowledge it only runs on Windows operating systems.
Ruby was added to the shortlist because I had read that it was used to write a lot of security tools, and as this is an area I am interested in it was added to the list. It was removed because it wasn’t a language that I knew a lot about, nor did I know what the requirements for running it within an operating system were (remember people, these are my reasons, whether they are right or wrong).
That left C and Java on the list. I understand that C is for all intents and purposes the grandfather of programming languages: learn C and everything else is “easy”. The only issue for me is that C is quite complex (especially to new programmers) and although it supports multiple platforms it didn’t quite fit what I’m looking for.
So my final choice was Java. Java appealed to me for several reasons: 1) I already had a “Teach yourself Java..” book, 2) Java is not platform or operating system dependent (according to Java it’s installed on 3 million devices worldwide), 3) it already has an extensive library for network and database connectivity and finally, 4) looking at examples of code on the internet, it makes sense to me.
I’ve been reading through my book for about a week now, the information is slowly sinking in and to be honest I’m actually enjoying it, I’ve got a long way to go but I’m pleased I’ve taken the plunge. I’m already thinking about applications I can write that will help me in my current job, and once I start I will publish anything of interest on the blog for others to review/comment or use.
I will leave you with one final thought, I’ve worked with a lot of programmers over the years and during that time I’ve spent a lot of time and energy proving that the infrastructure isn’t always to blame for an application not working. The one thing I will strive to avoid as I learn Java is to ensure that anything I write works with the infrastructure (no matter if it’s a laptop or a network) so that I can avoid ever saying this.. “The application is awesome in isolation“.
Happy coding,
IT Geek