Tools


I program/script quite a bit. I’m not going to throw everything into this page; more a list of some of the things that I created that I think are kind of cool


8ball

Description: This script will deconstruct a snort/suricata rules file (ET rules are freely available on the internets) and re-craft them in a way that can be sent over a network (that uses IDS) to trigger all of those very rules. This script is a great way to tweak performance of an IDS or just abuse the hell out of it.

This tool has come up in my HOPEX and Defcon 22 talk (check the Talks section of this blog for more information).


tcpunmask

tcpunmask takes a packet as input in ASCII-Hex format. Sanitized nibbles are formatted as ?’s. tcpunmask will attempt every possible data value in place of these unknown nibbles and check to see if the checksum(s) match the ones reported in the packet data. Becuase of this, this script will not function if the checksums are also sanitized.

When finished, tcpmask will report all valid packets based on checksum matches. The report is displayed with values separated by commas; this way you can redirect stdout to a csv file for further filtering. GeoIP correlation can also be done

This tool was the topic of discussion in my Toorcon 2013 talk.


mchecker

The purpose of mchecker is to analyze a binary stream of data and to provide information on the data in the context of executability. This will eventually include a high-level yes/no desicion (executable or not). Executability is decided by many heuristics.

Analysis is done raw; without the use of dissasembly libraries. This is done to maintain that we cannot assume that the data will be aligned for us. Because of the previous non-assumption, we can analyze data in a packet fragment.

This script is written in lua

I have not yet given a talk on this yet, but likely will for CactusCon 2015


m2elf

Converts Machine Code to x86 (32-bit) Linux executable (auto-wrapping with ELF headers)

In other words, you can write hexadecimal (or 1’s and 0’s) into a text file and this script will interpret it as machine code, then add the required ELF headers to make the code actually execute. This effectively allows you to take a step lower-level than assembly.

I should note that I routinely use this script in order to do research for many of my “Assembly Is Too High Level” blog posts.


magicbomb

This anti-forensic script will read in a scalpel.conf file and output a payload that would generate a large amount of false positives if analyzed with scalpel/foremost. The amount of data carved is in a few orders of magnitude larger than the payload.

This tool has come up in many talks, but initially it was brought up in Explosive Steganography


hivsneeze

This script parses the signatures from clamav and generates a batch of files intended to look like malware (although they are not actual malware). This script also has the ability to output Tumors (talked about at CactusCon 2014 and HOPEX/Defcon22).

This tool has come up in many talks, but initially it was brought up in Explosive Steganography


eziplode

This script is my version of a zip-bomb, the largest payload of 10MB would extract out to 256 TB, for a 32-bit .zip format.

This tool has come up in my Explosive Steganography talk.


unimpress

This is my very unimpressive terminal-only presentation/slide software.