These are tools and associated files that have been developed as part of my coursework at Dakota State University.
scotty.py - This is a python3 script that converts a binary file into a bash (or similar) script that will reconstitute the original file when exectuted. Each line can be run independently, the output is suitable for being pasted into questionable shells or executed one line at a time via an RCE. Various options are provided to alter the output script depending on the needs of the user.
Syntax: ./scotty.py ifile [perline] [ofile] [nobuiltin]Requirements: The (self imposed) requirements for this project were to create a file-upload utility that would be capable of functioning with a bare minimum of support from the target system. All that is assumed is that the target system's native shell is bash and that the user has some mechanism to execute single line shell commands.
Design: This project is very straight forward. The input file is read byte by byte. These bytes are collated into groups of a fixed size and added as arguments to a series of bash printf commands which appended data to the end of a target file. Some configuration options (to change the size of the lines, etc) are provided to customize the output according to the user's needs.
Download scotty.py
Watch scotty.py Demo Video
readme.txt
youtube
mal2zip.exe - This is a C# command line utilty that downloads files (from https:, http:, ftp: file: URIs) to memory, creates a password protect zip file in memory, then writes that zip file to disk. This allows the "safer" handling of potentially malicious files by never writing the original file to disk.
Requirements: The (self imposed) requirements for this project were to allow the download and safe(er) handling of malware samples by not writing them to disk in their raw form. The desired output was a standard password protected "sample.zip" file with the default password of "infected".
Design: The main function of this utility uses the .NET WebClient class to connect to a remote server using http:, https:, ftp:, or file: URI prefixes. The downloaded bytes are then, within memory, converted into a zip file using the 'ICSharpCode.SharpZipLib' library. This virtual zip file is then written to disk. Various other features are included: the ability to generate md5 hashes, the ability to pipe the downloaded bytes into other functions and an option to send the downloaded bytes directly to virustotal without writing them to disk.
Download mal2zip.exe (and all its DLLs and such)
mal2zip-src.zip
Watch mal2zip.exe Demo Video
README.txt
youtube
file2otp.py - This is a python3 command line utility that uses Python's random functions in conjunction with a preset seed to encrypt a given file. A file signature prefix database is utilized to mask the file as a desired filetype, or bytes can be extracted from a "donor" file in order to provide the desired signature. The goal is to be able to move a file from system to system without tripping any IDS response.
Requirements:I wanted to be able to perform a "good enough" encryption as well as a "good enough" file type spoofing in order to defeat the limited resources that an inline IDS would be able to bring to bear without overcomplicating the tool or depending on encryption libraries. Additionally, it was necessary to provide a "mini" version of the encryptor/decryptor that can be more easily deployed on a remote system.
file2otp.py
file2otp demo video
README.txt
youtube
PCAPlog - This is a two part utility, consisting of a python script and a lua Wireshark plugin. These scripts allow console commands, console output and arbitrary user comments to be embedded in an ongoing packet capture to allow later correlation with the network data. For instance, if you are running many commands during a penetration test of a networked device, this script will allow you to identify exactly which network artifacts were generated in relation to your exact commands.
Requirements:I had years ago written a very basic form of this - just a simple script that would emit arbitrary text to UDP/9 on a given address and get picked up by Ethereal (yes, that long ago). This wasn't super useful - I would never remember to use it and it didn't actually log what I was doing, rather it would log what I said I was doing, which was at best a lazy description of what I had done. With this tool, I wanted to log exactly what I was doing, and what output I received automatically... because if the tool doesn't do it for me I'm never going to do it. I project that this will be a lot more useful for me going forward with this sort of work.
pcaplog.py - this goes somewhere in your path like a normal script
pcaplog.lua - this needs to go in the appropriate Wireshark plugin folder for your use case
pcaplog - console output example
pcaplog - Wireshark view
youtube demo
youtube code walkthrough (optional)
pcaplog2.py - Version 2!
pcaplog2.lua - Version 2!
pcaplog3.py - Version 3!
pcaplog3.lua - Version 3!
AMSIspy - This is a C# command line utility that allows the user to query the Windows 10 AntiMalware Scan Interface to extract the subset of bytes in that file that flag a given sample as malware. In essence, it is an AV signature ripper for arbitrary files.
Requirements:
In short, the requirement is to identify the minimum set of bytes necessary to classify a given sample as malware.
I had wanted to write this for a while, its been in my notes for years. Originally thought I was going to have to go through a process such as… 1) disabling antivirus, 2) writing a subset of bytes to disk, 3) enabling antivirus, 4) determining if those bytes were quarantined or not 5) repeat. This was going to be messy at best. Finding that there was a reasonable API to get the same information was almost cathartic.
Design:
The AMSI API provides a function that allows you to submit an array of bytes and receive a thumbs up or thumbs down from the installed antivirus engine. This is all we need to build a brute force engine to examine any arbitrary set of bytes.
The brute force consists of two phases, which I refer to as “trifurcation” and “refining”.
In the “trifurcation phase”, we divide the sample bytes into three halves. First half, last half, and (of course) the middle half. These overlap by design in the hope of catching any signatures that would otherwise be split over the border. This process is repeated recursively until we’ve found the smallest possible chunk (as subdivided by this process) which is still detected as malware.
In the “refining” phase, we start with that chunk. We then perform an optimized process to remove as many leading and trailing bytes as possible in as few steps as possible. At the point where the malware is no longer detected, we back up by one and that is our final set of bytes.
amsispy.exe - executable
amsispy.png - Screenshot
amsispy.zip - source code
Youtube Demo
# This script will generate a NOP Ladder (NOP Sled) that consists of a specified number # of individual "rungs" At the end of each rung, a JMP command is executed to reach the next rung. # # It is expected that when this ladder is loaded up into memory, it will be divided into sets of 8 bytes # (tweakable via rung_length) and be separated by a predictable amount of unrelated code. # # Specifically, this was written for the case where shellcode is being written into a javascript array. # Each 8 byte rung becomes a single variable within the array and there is a predicitable amount # of space between each. This amount of space is defined by the "jump_geometry" variable
