RecuperaBit, a tool for Forensic File System Reconstruction

A python script that reconstruct filesystem structures and recover files on NTFS filesystems


RecuperaBit is a python script developed by Andrea Lazzarotto useful for attempting to reconstruct a corrupted NTFS filesystem.

RecuperaBit attempts reconstruction of the directory structure regardless of:

  • missing partition table
  • unknown partition boundaries
  • partially-overwritten metadata
  • quick format

The project and the reconstruction algorithms, are part of Andrea’s MSc thesis:

And below a brief presentation on Slideshare:

Usage

usage: main.py [-h] [-s SAVEFILE] [-w] [-o OUTPUTDIR] path

Reconstruct the directory structure of possibly damaged filesystems.

positional arguments:
path path to the disk image

optional arguments:
-h, --help show this help message and exit
-s SAVEFILE, --savefile SAVEFILE
path of the scan save file
-w, --overwrite force overwrite of the save file
-o OUTPUTDIR, --outputdir OUTPUTDIR
directory for restored contents and output files

RecuperaBit does not modify the disk image, however it does read some parts of it multiple times through the execution. It should also work on real devices, such as /dev/sda but this is not advised.


More info and downloads

https://github.com/Lazza/RecuperaBit

Detect and bypass Web Application Firewalls using Python

“If you are hired as a penetration tester for some company and they forgot to tell you that they are using web application firewall than you might get into a serious mess.”


Interesting article published by Usman Nasir on KaliTutorials: using a python script, we can forge a malicious XSS request that will be identified by a “signature based” WAF (like ModSecurity) as legitimate.

Web application firewalls are usually placed in front of the web server to filter the malicious traffic coming towards server. If you are hired as a penetration tester for some company and they forgot to tell you that they are using web application firewall than you might get into a serious mess.


What is a Web Application Firewall?

web-applicaion-firewall-cyberpersons

OWASP website says:

A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.

WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.


Read the whole article with technical details on KaliTutorials.net:

http://www.kalitutorials.net/2016/12/python-detect-and-bypass-web-application-firewall.html

Streaming media contents from Linux to Chromecast?

It’s simple, with Stream2Chromecast!


Are you searching for an easy way to stream media files from your LinuxBox to a Chromecast?

You can use Stream2chromecast, a simple Python script that makes the task of streaming media files to a Chromecast device ridiculously easy.

Simply clone the project’s GitHub repository with this command

git clone https://github.com/Pat-Carter/stream2chromecast.gi

Now, to stream a media content, start the script with this command line

stream2chromecast.py /path/to/foo.mp4

The utility also supports basic playback controls through -pause, -continue and -stop options.

Subtitles?

Only the WebVTT format is currently supported.

If you have an SRT subtitle file, you can convert it with this online tool:

http://www.webvtt.org/

To cast the subtitles on /path/to/subtitles.vtt use this command:

stream2chromecast.py -subtitles /path/to/subtitles.vtt /path/to/foo.mp4

More info and download

http://www.webvtt.org/

ViperMonkey, VBA parser and emulation engine to analyze malicious macros

An experimental but useful project


ViperMonkey is a toolkit written in Python by Philippe Lagadec, developed to parse VBA macros and emulate their execution.

ViperMonkey acts as a VBA Emulation engine, and tries to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).

Is an experimental project, as says the disclaimer:

– ViperMonkey is a very incomplete and experimental VBA Engine. For now it will NOT handle most real-life macros without errors.

– VBA parsing and emulation is extremely slow for now.

– VBA Emulation is hard and complex, because of all the features of the VBA language, of Microsoft Office applications, and all the DLLs and ActiveX objects that can be called from VBA.

– This open-source project is only developed on my scarce spare time, so do not expect miracles. Any help from you will be very appreciated!

Installation

  • Download the archive from the repository: https://github.com/decalage2/ViperMonkey/archive/master.zip and extract it.
  • (Linux/Mac) Install dependencies by running 
    sudo -H pip install -U -r requirements.txt
  • (Windows) Install dependencies by running
    pip install -U -r requirements.txt
  • Run ViberMonkey with
    python vmonkey.py <file>

For more information and usage examples, refer to this article on Delage.Info:

http://decalage.info/vba_emulation


Links

http://decalage.info/vba_emulation
http://decalage.info/vba_emulation

Matroschka, a steganography tool to hide text in images

Simple and well coded


Матрёшка is a steganography tool written in Python, useful to hide and encrypt images or text in the least significant bits of pixels in an image using HMAC-SHA256 to authenticate the hidden data.

It’s a simple but well coded project, too young to be used in a ‘production environment’:

This is a fun project. Do not use this for serious encryption purposes!

Installation

Simply install Pillow and clone the github repository.

pip install Pillow
git clone [email protected]:fgrimme/Matroschka.git
cd Matroschka

Sample usage

matroschka_medium.png gets hidden and encrypted in matroschka_big.png

python matroschka.py -hide -m foo -k bar resources/matroschka_medium.png resources/matroschka_big.png

Decrypting the image will save the extracted image in resources/secret-image.png

python matroschka.py -open -m foo -k bar resources/matroschka_big.png

More info and downloads on github repository:

https://github.com/fgrimme/Matroschka

BBQSQL, a framework for Blind SQL Injections

Useful for penetration tests


BBQSQL is a blind SQL injection framework written in Python, with also a semi-automatic tool, helpful for create customized SQL injection attacks in penetration testing activities.

Blind SQL injection can be difficult to exploit. When the available automated tools don’t works well, you have to write something custom, and this is time-consuming process: BBQSQL can help you address those issues.

For more information and usage, refer to official documentation on github:

High Level Usage
Similar to other SQL injection tools you provide certain request information.

Must provide the usual information:
– URL
– HTTP Method
– Headers
– Cookies
– Encoding methods
– Redirect behavior
– Files
– HTTP Auth
– Proxies


What is a Blind SQL Injection attack?

https://xkcd.com/327/

From OWASP:

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible. .


Installation

Simple, with pip:

sudo pip install bbqsql

Alternatively, you can install from source:

git clone https://github.com/Neohapsis/bbqsql.git
cd bbsql
python setup.py install

More information and downloads

https://github.com/Neohapsis/bbqsql/


MacroShop , a collection of scripts for embedding malware payloads in Microsoft Office files

A new youth for macro viruses?


Recently, with a colleague were discussing how Office macros are becoming a vehicle widely used by malware distributors.

On this Github repository i have found Macroshop, a collection of python script to aid the embedding process of malware payloads into Office macros:

  1. macro_safe.py
    Generates safe for VB inclusion into an excel spreadsheet. Requires a batch file generated by Veil-Evasion powershell payloads. To include, enable the developer menu in Office, head to Visual Basic tab, double click on This_Workbook and paste the contents of the output file. Syntax is: python macro_safe.py test.bat test.txt
  2. exeinvba.py
    Generates VB code for including and unpacking a portable executable onto a file system for delivery via Office Macro. To include, enable the developer menu in Office, head to Visual Basic tab, double click on This_Workbook and paste the contents of the output file. Requires a PE. Syntax is: python exeinvba.py — exe test.exe — out test.vb — dest “C:UsersPublicDocumentstest.exe” Ensure any backslashes are escaped in the dest variable
  3. macro_safe_old.py
    Same as macro_safe.py, just uses powershell vice VB for architecture detection to call the correct version of powershell.
  4. b64_enc.py
    Watered down version of exeinvba.py that will output both the raw base64 string of the executable and the variable specific section of the VB. May be useful for use with different VB templates or other methods that may require an executable passed as a base64 string somewhere. Automatically stores output into base64_output.txt (raw) and base64_output.vb. Syntax is: python b64_enc.py test.exe

https://github.com/khr0x40sh/MacroShop

Rekall, a framework for memory forensic

An end-to-end solution to incident responders and forensic analysts


Rekall is a collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory samples.

The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system.

Rekall is the most complete Memory Analysis framework. Rekall provides an end-to-end solution to incident responders and forensic analysts. From state of the art acquisition tools, to the most advanced open source memory analysis framework.

Rekall supports investigations of the following 32bit and 64bit memory images:

  • Microsoft Windows XP Service Pack 2 and 3
  • Microsoft Windows 7 Service Pack 0 and 1
  • Microsoft Windows 8 and 8.1
  • Linux Kernels 2.6.24 to 3.10.
  • OSX 10.7–10.10.x.

Installation

On Linux, simply type (you still need to have python and pip installed first):

sudo pip install rekall

You might need to specifically allow pre-release software to be included (until Rekall makes a major stable release):

sudo pip instal--pre rekall

For Windows, Rekall is also available as a self contained installer package from this page

More information and documentation on Official Website and GitHub Page.