White Hat Hacker Capital Buon Ma Thuot

Vietnam White Hat Hacker training program in Buon Ma Thuot City, combined with tourism. Arrive as a newbie, leave as a WHITE HAT HACKER!

Hacking and Penetration Testing with Metasploit

Security365's training program on using the Metasploit Framework for penetration testing (hacking).

C50 Computer Forensics Materials

Study materials on Computer Hacking Forensic Investigation (CHFI) compiled by Security365 for training at C50.

Students, Hacking and Information Security

A student hacking competition, with web attack challenges for students built on the Hackademic Challenge platform.

Attack and Defence with BackTrack / Kali Linux

An attack and defence course using the hackers' professional toolkits BackTrack and Kali Linux, based on Offensive Security content.

Pages

Showing posts with label Analysis. Show all posts

SAMHAIN v3.1.2 - File Integrity Checker / Host-Based Intrusion Detection System

The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.

Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host.

Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).


Features

» Centralized monitoring

The client/server architecture allows central logging, central storage of baseline databases and client configurations, and central updates of baseline databases.

» Web-based management console

The web-based Beltane console, available as separate package, allows to monitor server and client activity, view client reports, and update the baseline databases.

» Flexible logging

Samhain supports multiple logging facilities, each of which can be configured individually.

» Tamper resistance

Samhain offers PGP-signed database and configuration files, a stealth mode, and several more features to protect its integrity.
   

Hook Analyser 3.1 - Malware Analysis Tool



Hook Analyser is a freeware application which allows an investigator/analyst to perform static and run-time (dynamic) analysis of suspicious applications, and also to gather, analyse and correlate threat intelligence information from various open sources on the Internet.

Essentially it’s a malware analysis tool that has evolved to add some cyber threat intelligence features & mapping.


Hook Analyser is perhaps the only free software on the market that combines malware analysis and cyber threat intelligence capabilities. The software has been used by major Fortune 500 organisations.

Features/Functionality
  • Spawn and Hook to Application – Enables you to spawn an application, and hook into it
  • Hook to a specific running process – Allows you to hook to a running (active) process
  • Static Malware Analysis – Scans PE/Windows executables to identify potential malware traces
  • Application crash analysis – Allows you to analyse memory content when an application crashes
  • Exe extractor – This module essentially extracts executables from running processes

FS-NyarL - Network Takeover & Forensic Analysis Tool


NyarL is Nyarlathotep, a mythological chaotic deity from the writer H.P. Lovecraft's cosmogony.
It represents the Crawling Chaos, and FS-NyarL is the Crawling Chaos of Cyber Security :-)
A network takeover & forensic analysis tool - useful to advanced PenTest tasks & for fun and profit - but use it at your own risk!
 
  • Interactive Console
  • Real Time Passwords Found
  • Real Time Hosts Enumeration
  • Tuned Injections & Client Side Attacks
  • ARP Poisoning & SSL Hijacking
  • Automated HTTP Report Generator

ATTACKS IMPLEMENTED:
  • MITM (Arp Poisoning)
  • Sniffing (With & Without Arp Poisoning)
  • SSL Hijacking (Full SSL/TLS Control)
  • HTTP Session Hijacking (Take & Use Session Cookies)
  • Client Browser Takeover (with Filter Injection in data stream)
  • Browser AutoPwn (with Filter Injection in data stream)
  • Evil Java Applet (with Filter Injection in data stream)
  • DNS Spoofing
  • Port Scanning


POST ATTACKS DATA OBTAINED:

  • Passwords extracted from data stream
  • Pcap file with whole data stream for deep analysis
  • Session flows extracted from data stream (Xplico & Chaosreader)
  • Files extracted from data stream
  • Hosts enumeration (IP,MAC,OS)
  • URLs extracted from data stream
  • Cookies extracted from data stream
  • Images extracted from data stream
  • List of HTTP files downloaded extracted from URLs


DEPENDENCIES (aka USED TOOLS):

  • Chaosreader (already in bin folder)
  • Xplico
  • Ettercap
  • Arpspoof
  • Arp-scan
  • Mitmproxy
  • Nmap
  • Tcpdump
  • Beef
  • SET
  • Metasploit
  • Dsniff
  • Macchanger
  • Hamster
  • Ferret
  • P0f
  • Foremost
  • SSLStrip
  • SSLSplit

Scout - Download and analyze webpage components to identify infected files


Uses the Pinpoint engine to download and analyze webpage components to identify infected files. Scout has a built-in HTTP Request Simulator that will render user-specified HTML files, catch the resulting HTTP requests, then drop the responses. Scout includes the ability to screenshot the webpage using PhantomJS (download PhantomJS and copy the .exe to the same folder as Scout). Use Scout in a VM since it could potentially cause your computer to become infected.

[CIAT] Crypto Implementations Analysis Toolkit

The Cryptographic Implementations Analysis Toolkit (CIAT) is a compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable).


[WebSploit Framework] Scan and Analyse Remote Systems for Vulnerabilities


WebSploit is an open source project for scanning and analysing remote systems for vulnerabilities.

WebSploit is an open source project for:
[>]Social engineering work
[>]Web scanning, crawling & analysis
[>]Automatic exploitation
[>]Network attack support

[+]Autopwn - Used From Metasploit For Scan and Exploit Target Service
[+]wmap - Scan,Crawler Target Used From Metasploit wmap plugin
[+]format infector - inject reverse & bind payload into file format
[+]phpmyadmin Scanner
[+]LFI Bypasser
[+]Apache Users Scanner
[+]Dir Bruter
[+]admin finder
[+]MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
[+]MITM - Man In The Middle Attack
[+]Java Applet Attack
[+]MFOD Attack Vector
[+]USB Infection Attack
[+]ARP Dos Attack
[+]Web Killer Attack
[+]Fake Update Attack
[+]Fake Access point Attack
[+]Wifi Honeypot
[+]Wifi Jammer
[+]Wifi Dos
[+]Bluetooth POD Attack

[Binwalk] Firmware Analysis Tool


Binwalk is a firmware analysis tool designed to assist in the analysis, extraction, and reverse engineering of firmware images and other binary blobs. It is simple to use, fully scriptable, and can be easily extended via custom signatures, extraction rules, and plugin modules.

Binwalk supports various types of analysis useful for inspecting and reverse engineering firmware, including:
  • Embedded file identification and extraction
  • Executable code identification
  • Type casting
  • Entropy analysis and graphing
  • Heuristic data analysis
  • "Smart" strings analysis
Binwalk's file signatures are (mostly) compatible with the magic signatures used by the Unix file utility, and include customized/improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, kernels, bootloaders, filesystems, etc.


Features

Binwalk is:
  • Fast
  • Flexible
  • Extendable
  • Easy to use
Binwalk can:
  • Find and extract interesting files / data from binary images
  • Find and extract raw compression streams
  • Identify opcodes for a variety of architectures
  • Perform data entropy analysis
  • Heuristically analyze unknown compression / encryption
  • Visualize binary data
  • Diff an arbitrary number of files

[Raft v3.0.1] Response Analysis and Further Testing Tool

Not an inspection proxy

RAFT is a testing tool for the identification of vulnerabilities in web applications. RAFT is a suite of tools that utilize common shared elements to make testing and analysis easier. The tool provides visibility into areas that other tools do not, such as various kinds of client-side storage.

RAFT uses markup to create templates for fuzz testing.

[Hook Analyser 2.5] Application (and Malware) Analysis tool


Application (and Malware) Analysis tool. Hook Analyser is a hooking tool that can be helpful in reversing applications and analysing malware.


Changelog v2.5

This version has five (5) key functionalities:
  1. Spawn and Hook to Application – This feature allows an analyst to spawn an application and hook into it. The module flow is as follows:
    1. PE validation (with XOR bruteforce)
    2. Static malware analysis.
    3. Other options (such as pattern search or dump all)
    4. Type of hooking (Automatic, Smart or manual)
    5. Spawn and hook

Currently, three types of hooking are supported:
  • Automatic – The tool parses the application's import tables and, based on those, hooks the specified APIs
  • Manual – The tool asks the end user, for each API, whether it should be hooked.
  • Smart – Essentially a subset of automatic hooking that excludes uninteresting APIs.

2. Hook to a specific running process – This option allows an analyst to hook to a running (active) process. The program flow is:
  1. List all running processes
  2. Identify the running process executable path.
  3. Perform static malware analysis on executable (fetched from process executable path)
  4. Other options (such as pattern search or dump all)
  5. Type of hooking (Automatic, Smart or manual)
  6. Hook to a specific running process
  7. Hook and continue the process

3. Static Malware Analysis – This module is one of the most interesting and useful modules of Hook Analyser; it scans PE (Windows) executables to identify potential malware traces. The sub-components include the following (this is not the full list):
  1. PE file validation (with XOR bruteforce)
  2. CRC and timestamps validation
  3. PE properties such as Image Base, Entry point, sections, subsystem
  4. TLS entry detection.
  5. Entry point verification (if falls in suspicious section)
  6. Suspicious entry point detection
  7. Packer detection
  8. Signature trace (extended from the Malware Analyser project), such as anti-VM awareness, debugger awareness, keyboard hook awareness etc. This function searches for more than 20 unique malware behaviours (using hundreds of signatures).
  9. Import intel scanning.
  10. Deep search (module): online search of the executable's MD5 on ThreatExpert.
  11. String dump (ASCII)
  12. Executable file information
  13. Hexdump
  14. PEfile info dumping
  15. …and more.

4. Application crash analysis – This module enables exploit researchers and/or application developers to analyse memory content when an application crashes. It essentially displays the data held in the different registers (such as EIP).

5. Exe extractor – This module essentially extracts executables from running processes, which can then be further analysed using Hook Analyser, Malware Analyser or other solutions. This module is potentially useful for incident responders.


[REMnux] A Linux Distribution for Malware Analysis

REMnux incorporates a number of tools for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. This popular toolkit includes programs for analyzing malicious documents, such as PDF files, and utilities for reverse-engineering malware through memory forensics.

REMnux can also be used for emulating network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.

You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking the Reverse-Engineering Malware course that my colleagues and I teach at SANS Institute.

REMnux focuses on the most practical freely-available malware analysis tools that run on Linux. If you are looking for a more full-featured distribution that incorporates a broader range of digital forensic analysis utilities, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Originally released in 2010, REMnux has been updated to version 4 in April 2013.


What’s New in REMnux v4

REMnux is now available as an Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (Here’s how to easily install the REMnux virtual appliance.) A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.

Key updates to existing tools and components:

New tools added to REMnux:

Getting Started With REMnux

The one-page REMnux Usage Tips cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.

The recorded Malware Analysis Essentials Using REMnux webcast provides a good overview and examples of some of the tools for performing static malware analysis.

If you find REMnux useful, take a look at the reverse-engineering malware course. It makes use of REMnux and various other tools.

[Binwalk v1.2] Firmware Analysis Tool

Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility.

Binwalk also includes a custom magic signature file which contains improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, Linux kernels, bootloaders, filesystems, etc.

Changelog v1.2

  • Recursive File Scanning and Extraction: Often files extracted by binwalk need to be further scanned / analyzed.
  • Entropy and Strings Analysis: Binwalk’s signature analysis is great, but how do you know it didn’t miss something? What do you do if binwalk doesn’t find anything at all? Examining a file’s entropy can reveal a lot about its contents.
  • Plugin Support: In addition to a scriptable API, binwalk now supports plugins that are afforded considerable control over binwalk’s scan process. Plugins are particularly useful for extending or modifying binwalk’s analysis where custom signatures fall short. Plugins are easy to write; check out some of the examples on the wiki!
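The entropy analysis the changelog describes (and that the later Binwalk post lists as "Entropy analysis and graphing"), as an added Python example written here rather than Binwalk's own code: it computes Shannon entropy over fixed-size blocks of a constructed firmware-like image and merges the high-entropy blocks into byte ranges, which is the judgement an entropy graph lets you make by eye. The image layout, the 1024-byte block size and the 7.0 bits/byte threshold are assumptions chosen for the demo.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(blob, block=1024):
    """Entropy of each fixed-size block, i.e. the numbers behind an entropy graph."""
    return [(off, shannon_entropy(blob[off:off + block])) for off in range(0, len(blob), block)]


def high_entropy_regions(blob, block=1024, threshold=7.0):
    """Merge consecutive high-entropy blocks into (start, end) byte ranges worth a closer look."""
    regions, start = [], None
    for off, h in entropy_profile(blob, block):
        if h >= threshold and start is None:
            start = off                      # rising edge: payload probably begins here
        elif h < threshold and start is not None:
            regions.append((start, off))     # falling edge: payload ends
            start = None
    if start is not None:
        regions.append((start, len(blob)))
    return regions


def _pseudo_random(n, seed=b"constructed-seed"):
    """Deterministic stand-in for a compressed/encrypted payload (SHA-256 in counter mode)."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def sample_firmware():
    """Constructed image: zero padding, a plaintext config block, an opaque payload, more padding."""
    config = b"hostname=router\nserial=0000\nbootargs=console=ttyS0\n" * 90
    return b"\x00" * 4096 + config[:4096] + _pseudo_random(8192) + b"\x00" * 2048


if __name__ == "__main__":
    img = sample_firmware()
    for off, h in entropy_profile(img):
        print(f"{off:#08x}  {h:5.2f}  {'#' * int(h * 4)}")
    print("probable compressed/encrypted regions:", high_entropy_regions(img))
```

Entropy alone does not tell compressed data from encrypted data; the practical follow-up is to try the known decompressors on the flagged range (as Binwalk's raw-compression-stream search does) and treat a range that none of them accepts as a candidate for encryption.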

Full Changelog: here

[360-FAAR v0.4.1] Firewall Analysis Audit And Repair


360-FAAR (Firewall Analysis Audit and Repair) is an offline, command line, Perl firewall policy manipulation tool to filter, compare to logs, merge, translate and output firewall commands for new policies, in Checkpoint dbedit, Cisco ASA or ScreenOS commands, and it's one file!

Changes: This release adds the 'mergelog' mode to merge binary log entries from one config with another and significantly updates the user interface. All configs can be loaded from the 'load' menu instead of specifying them on the command line. Added 'verbose' switches to 'print' and 'rr' modes so that screen output can be switched off, and all 'end.' key words have been changed to simply '.' to reduce the number of keystrokes needed. Entering '0' now adds all options and '.' chooses the default if available. The Netscreen output stage now uses a default zone if none are specified.
Reads policy and logs for:
  • Checkpoint FW1 (in odumper.csv / logexport format)
  • Netscreen ScreenOS (in get config / syslog format)
  • Cisco ASA (show run / syslog format)

360-FAAR uses both inclusive and exclusive CIDR and text filters, permitting you to split large policies into smaller ones for virtualisation at the same time as removing unused connectivity.

360-FAAR supports policy-to-log association, object translation, rulebase reordering and simplification, rule moves and duplicate matching automatically, allowing you to seamlessly move rules to where you need them.

Download 360-FAAR Firewall Analysis Audit And Repair 0.4.1



[Capsa packet Sniffer] Portable Network Analysis Tool



Capsa is a free portable network analysis tool that lets network administrators monitor, diagnose and troubleshoot problems on their network. The free version of the analyser comes with tons of features and is good enough for home use as well as for small businesses.
With Capsa Sniffer you can monitor and capture the network data of 50 IP addresses.

Capsa features:
  • Traffic details for every host.
  • Bandwidth control (to find the hosts that are watching online videos).
  • Network diagnostics to identify problems on the network.
  • Network activity logging (to record instant messaging and webmail).
  • Network behaviour monitoring.

Download Capsa packet Sniffer

[HoneyProxy] A man-in-the-middle SSL Proxy & Traffic Analyzer



HoneyProxy is a lightweight tool that allows live HTTP(S) traffic inspection and analysis.
It focuses on features that are useful for malware analysis and network forensics.

Features

  • Analyze HTTP(S) traffic on the fly
  • Filter and highlight traffic, regex support included.
  • Report Generation for saved flows, including a live JS editor.
  • Save HTTP conversations for later analysis
  • Make scripted changes with Python, e.g. remove Cache Header.
  • Based on and compatible with mitmproxy.
  • cross-platform (Windows, OSX and Linux)
  • SSL interception certs generated on the fly
Looking for more? Check out our GitHub wiki!

 

Quick Start

Download the latest release or pick a development snapshot.

Install all dependencies: pip install pyOpenSSL pyasn1 Twisted Autobahn
Windows users: Install the binaries for pyOpenSSL and Twisted manually (or compile yourself).
Ubuntu / Debian users: Install twisted as a package (sudo apt-get install python-twisted). If you get errors, check this page.

Start HoneyProxy with python honeyproxy.py or python honeyproxy.py --help.
If you don't use a modern browser, a kitten will die. We support both Firefox and Chrome!
Most command line parameters are documented in the mitmproxy docs.

[Dexter] A Free Tool for Mobile (Android) Malware Analysis


Bluebox Labs just released Dexter, a free tool intended to help information security professionals and malware analysts analyze Android mobile applications in order to find malware and vulnerabilities.


Dexter combines manual and automatic static program analysis to provide a better understanding of an Android application. Since the original application source code is not required, Dexter is useful during third party binary application analyses and malware reverse engineering.


The following core features are provided to the analyst:
  • App statistics and direct access to all program entry points
  • Package graph visualization
  • Class and inheritance diagrams
  • Class decompilation
  • Method bytecode graph visualization
  • A relational query language and text search feature
  • APK file browser
  • Coloring, tagging and commenting on package, class, method and even basic block layer
  • String listing including code cross reference resolution
  • Automated semantic annotation of program elements
  • Integrated multi-user support for collaboration

More info Here.

[Converter v0.7] Analyzing and Deobfuscating Malicious Scripts



Malicious Java applets have been making news for awhile so I thought I would update Converter to include some new features to help with deobfuscating them.


This is a list of changes made to this version:
+ Replaced Binary-to/from-Text with Binary-to/from-Hex to make it more useful
+ Added Filter > “Keep Hex” to only keep hex characters
+ Added Format > “Mixed Octal to Hex” to convert a mixture of text and octal to hex
+ Added Format > “Sort Text” to sort a string
+ Added Format > “Hex Format – CSV” separates hex values with a comma
+ Added Tools > “String Builder” to keep values between quotes
+ Modified “Dec-to-Hex” and “Dec-to-Octal” to handle negative integers
+ Added “copy output to input” option to Secret Decoder Ring
+ Added ability to import first KB (or all) of data to Key Search/Convert
+ Eliminated extra fields in Key Search/Convert screen
+ Made expression capability in Key Search/Convert and Convert Binary File a little more robust (added Extra > “Expressions Help”)


Here’s a look at some of the features in action.

This applet used binary strings to hide its actions. Just paste it in and the Binary-to-Hex feature will split on every eight characters and convert them to hex. You can choose the Output Format using the dropdown at the bottom.

Here we see an applet concatenating several variables together before it deobfuscates it. Using the “String Builder” feature, just paste the section in and Converter will concatenate everything between the quotes together. Make sure the beginning and ending quotes are present.

This applet is using a mix of text and octal characters. The “Mixed Octal to Hex” feature will convert the string (including escaped characters) to hex.

This applet is using an array of positive and negative integers. Converter now converts decimal to hex properly.

This particular applet takes this concatenated string and deobfuscates it by running through a decoder routine three times. The Secret Decoder Ring now allows you to copy the output to the input field so you can decode it any number of times without having to manually copy/paste each time.

Finally, you can see the changes made to the Key Search/Convert screen. I tried to make the expressions as flexible as possible.
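The conversions the walkthrough above performs in Converter's GUI, as an added Python example written here (not Converter's code and not from Kahu Security): binary-string splitting, resolving a text/octal mix, rebuilding a quoted string chain, mapping signed Java byte values back to raw bytes, and feeding a decoder its own output for several rounds. The sample inputs are constructed, and SAMPLE_DECODER is an assumed stand-in for whatever routine a given applet uses.

```python
import re


def binary_to_bytes(s):
    """Binary-to-Hex: keep only 0/1 characters, split into 8-bit groups, decode each group."""
    bits = re.sub(r"[^01]", "", s)
    usable = len(bits) - len(bits) % 8          # drop a trailing partial group
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def _unescape(m):
    esc = m.group(1)
    if esc[:1].isdigit():                      # \101 style octal escape
        return bytes([int(esc, 8) & 0xFF])
    if esc[:1] == b"x":                        # \x41 style hex escape
        return bytes([int(esc[1:], 16)])
    return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)


def mixed_octal_to_bytes(s):
    """Mixed Octal to Hex: resolve \\ooo, \\xhh and simple escapes embedded in plain text."""
    return re.sub(rb"\\([0-7]{1,3}|x[0-9a-fA-F]{2}|.)", _unescape, s.encode("latin-1"))


def string_builder(src):
    """String Builder: concatenate every double-quoted fragment, e.g. the pieces of a long '+' chain."""
    return "".join(re.findall(r'"([^"]*)"', src))


def signed_ints_to_bytes(values):
    """Dec-to-Hex with negatives: Java byte arrays print as -128..127; mask back to raw bytes."""
    return bytes(v & 0xFF for v in values)


def decode_rounds(data, decoder, rounds):
    """Secret Decoder Ring with 'copy output to input': feed the decoder its own output N times."""
    for _ in range(rounds):
        data = decoder(data)
    return data


def to_hex(data, csv=False):
    """Hex Format: plain hex string, or comma-separated values when csv=True."""
    return ",".join(f"{b:02x}" for b in data) if csv else data.hex()


# Constructed decoder standing in for an applet's own routine: subtracts 1 from every byte.
SAMPLE_DECODER = lambda b: bytes((x - 1) & 0xFF for x in b)


if __name__ == "__main__":
    print(binary_to_bytes("01001000 01101001"))                               # b'Hi'
    print(mixed_octal_to_bytes(r"\110el\154o\x21"))                           # b'Hello!'
    print(string_builder('s = "Hel" + "lo " + "wor" + "ld";'))                # Hello world
    print(to_hex(signed_ints_to_bytes([-1, 72, 105]), csv=True))              # ff,48,69
    print(decode_rounds(bytes(x + 3 for x in b"applet"), SAMPLE_DECODER, 3))  # b'applet'
```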

Download Converter v0.7
Official website: http://www.kahusecurity.com/

[Hook Analyser v2.4] Application (and Malware) Analysis tool


Application (and Malware) Analysis tool. Hook Analyser is a hooking tool that can be helpful in reversing applications and analysing malware.


Changelog v2.4
  • Hook Analyser can now analyse DLLs. (Part of the Static Malware Analysis Module)
  • The deep trace functionality has been improved significantly, and now it supports searching (and logging) for traces such as Shellcodes, Filenames, WinSockets, Compiler Traces etc.(Part of the Static Malware Analysis Module)
  • Exe extractor – This is one of the features that is useful for incident handlers; it essentially allows dumping of executables from running processes, which can then be analysed using Hook Analyser, Malware Analyser or other tools for anomaly checks. (New module added)
  • The static malware analysis has been further improved, and new features have been added. I will let you explore this.(Part of the Static Malware Analysis Module)
  • Minor bug fixes.


[Automater 1.2] IP and URL Analysis Tool


Automater is an IP and URL analysis tool we created to help automate the analysis process. You can see a video of Automater in action in TekTip episode 15.




[Zeus] Registry Analysis Using Volatility Framework


How to analyse the registry from memory using the Volatility Framework.

In this video I’m using a Zeus memory image for registry analysis, and I will show the F-Secure top 10 malware registry launchpoints (not all, but some of them).


Most trojans, worms, backdoors, and such make sure they will be run after a reboot by introducing autorun keys and values into the Windows registry. Some of these registry locations are better documented than others and some are more commonly used than others. One of the first steps to take when doing forensic analysis is to check the most obvious places in the registry for modifications.
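The launchpoint review the post describes, as an added Python example written here (not from the video and not part of the Volatility Framework): it takes registry key/value records in the shape a memory-forensics registry dump prints them and flags entries under well-known autorun locations that either run from a user-writable path or change the Winlogon defaults. The key list is a representative selection assumed for the demo, not the F-Secure list the post refers to, and SAMPLE_DUMP is constructed sample data, not real dump output.

```python
import re

# Representative autorun locations (constructed list; not the F-Secure top 10 the post refers to).
# Hive prefixes are stripped before matching, so HKLM and HKCU variants both match.
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\windows nt\currentversion\winlogon",
    r"software\microsoft\windows nt\currentversion\windows",
}

# Winlogon values malware rewrites to chain its own loader, with their content on a stock install.
WINLOGON_DEFAULTS = {
    "userinit": r"c:\windows\system32\userinit.exe,",
    "shell": "explorer.exe",
}

HIVE_PREFIX = re.compile(r"^(hklm|hkcu|hkey_local_machine|hkey_current_user|hkey_users\\[^\\]+)\\", re.I)
USER_WRITABLE = re.compile(r"\\(users|documents and settings|appdata|temp|programdata)\\", re.I)


def normalize_key(key):
    """Lower-case the key path and drop the hive prefix so it can be matched against AUTORUN_KEYS."""
    return HIVE_PREFIX.sub("", key.strip().lower())


def find_suspicious_autoruns(records):
    """records: iterable of (key_path, value_name, data) triples as a registry dump would list them."""
    findings = []
    for key, name, data in records:
        nkey = normalize_key(key)
        if nkey not in AUTORUN_KEYS:
            continue  # not a launchpoint we care about
        reasons = []
        default = WINLOGON_DEFAULTS.get(name.lower()) if nkey.endswith("winlogon") else None
        if default is not None and data.strip().lower() != default:
            reasons.append("winlogon value differs from default")
        if USER_WRITABLE.search(data):
            reasons.append("launches from a user-writable path")
        if reasons:
            findings.append({"key": key, "value": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample records: a benign Run entry, a Run entry pointing into a user profile,
# a Userinit value with an extra executable chained on, a default Shell, and a non-autorun key.
SAMPLE_DUMP = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater",
     r"C:\Users\victim\AppData\Roaming\Fyle\updater.exe"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe,C:\Windows\system32\svchosts.exe"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example", "DisplayName", "Example App"),
]


if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_DUMP):
        print(f"{f['key']}\\{f['value']} = {f['data']}\n    -> {', '.join(f['reasons'])}")
```

The Winlogon comparison is deliberately strict; on a system installed to a different drive or with a legitimate custom shell it will raise a finding that the analyst then clears by hand, which is preferable to missing an appended loader.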

[SAMHAIN 3.0.9] File Integrity Checker / Host-Based Intrusion Detection System


The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.

Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host.

Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).

Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
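The core of what both Samhain posts on this page describe, a file integrity baseline that is itself protected against tampering and that also notices new set-uid executables, as an added Python example written here (not Samhain's code): it records a hash, permission bits, size and set-uid flag for every regular file under a directory, protects the stored baseline with an HMAC (standing in for Samhain's PGP signature; the key is assumed and constructed), and then reports added, removed and modified files. The demo tree and the simulated tampering are constructed inside a temporary directory.

```python
import hashlib
import hmac
import json
import os
import shutil
import stat
import tempfile


def _sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, permission bits, size and set-uid flag for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope for this demo
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": _sha256_file(path),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
                "setuid": bool(st.st_mode & stat.S_ISUID),
            }
    return baseline


def sign_baseline(baseline, key):
    """HMAC-SHA256 over the canonical JSON of the baseline (stand-in for a PGP-signed database)."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"baseline": baseline, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def load_signed_baseline(signed, key):
    """Refuse to use a baseline whose signature no longer matches its content."""
    body = json.dumps(signed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("baseline signature mismatch: database may have been tampered with")
    return signed["baseline"]


def check_integrity(root, baseline):
    """Compare the live tree against the baseline; report adds, removals, changes and new set-uid files."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": [], "new_setuid": []}
    for rel in sorted(set(current) | set(baseline)):
        if rel not in baseline:
            report["added"].append(rel)
            if current[rel]["setuid"]:
                report["new_setuid"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif current[rel] != baseline[rel]:
            report["modified"].append(rel)
            if current[rel]["setuid"] and not baseline[rel]["setuid"]:
                report["new_setuid"].append(rel)
    return report


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-check against the signed baseline."""
    key = b"constructed-demo-key"  # a real deployment keeps the signing key off the monitored host
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        signed = sign_baseline(build_baseline(root), key)

        # Simulated compromise: replaced binary, deleted file, new set-uid dropper.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary\n")
        os.remove(os.path.join(root, "passwd"))
        dropper = os.path.join(root, "bin", "dropper")
        with open(dropper, "wb") as f:
            f.write(b"\x7fELF...")
        os.chmod(dropper, 0o4755)  # would also appear under new_setuid
        return check_integrity(root, load_signed_baseline(signed, key))
    finally:
        shutil.rmtree(root)


def tampered_baseline_is_rejected():
    """Editing the stored baseline without the key is caught on load."""
    key = b"constructed-demo-key"
    entry = {"sha256": "00" * 32, "mode": 0o755, "size": 1, "setuid": False}
    signed = sign_baseline({"bin/ls": entry}, key)
    signed["baseline"]["bin/ls"]["sha256"] = "ff" * 32  # attacker rewrites the hash to hide a change
    try:
        load_signed_baseline(signed, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered baseline rejected:", tampered_baseline_is_rejected())
```

Note that the size of `bin/ls` does not change in the demo; the modification is caught by the hash alone, which is why a checker compares content and not only metadata.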

Changes: Some build errors have been fixed, as well as the 'probe' command for the server (clients could be erroneously omitted under certain conditions). An option has been added to the Windows registry check to ignore changes if only the timestamp has changed, and full scans requested by the inotify module will now only run at times configured for regular full scans.