Tag Archives: Python

Hunting Pastebin with PasteHunter

      5 Comments on Hunting Pastebin with PasteHunter

From a security analytics and Threat Intelligence perspective Pastebin is a treasure trove of information. All content that is uploaded to pastebin and not explicitly set to private (which requires an account) is listed and can be viewed by anyone. tl;dr Using Yara Rules to find and save interesting data from pastebin https://github.com/kevthehermit/PasteHunter Hackers and script kiddies are quick to… Read more »

Viper – Modules – APK

      No Comments on Viper – Modules – APK

This follows on from the post detailing the basic usage of viper. If you have not read that post I would start there. An index of all the modules can be found here. APK The apk module is designed to extract information from Android Application Packages (APK). I am not going to look at the APK structure im just going to showcase what… Read more »

Viper – First Use

      2 Comments on Viper – First Use

This series is going to take a closer look at using the Viper analysis platform and its associated modules. If you are new to Viper here are a few links for you. http://viper.li – The projects home https://github.com/botherder/viper – the projects GitHub Install Guide – My Install guide. Lets dive straight in and assume you have just finished installing and… Read more »

Decoding Rig Exploit Kit

      No Comments on Decoding Rig Exploit Kit

This is going to be short and too the point. Python script to decode Rig Exploit Kit landing page. Its on my Github Here – https://github.com/kevthehermit/Scripts/blob/master/RigDecoder.py And this is a quick cast to show it in use. As usual Questions Queries Comments below.

Viper in the browser

      3 Comments on Viper in the browser

Merry Christmas, Happy New Year and Seasons greetings to you all. This is my final post of the year. Next year I am hoping to post more content on a regular basis. I’m upgrading the lab at home and rebuilding it from the ground up. I have prepped most of the Virtuals and have documented their build process and usage… Read more »

EnCase And AnalyzeMFT

      2 Comments on EnCase And AnalyzeMFT

I have some familiarity with Windows Forensics having passed my SANS 508 exam, However Chip is my resident Forensics expert so when he pointed me in the direction of  a blog post about running python scripts in EnCase I was immediately interested. I haven’t really played with EnCase and have been looking for a reason, this seems like a good one. In… Read more »

RAT Decoders

      8 Comments on RAT Decoders

I have talked about decoding RATS several times now in previous posts and if you have read them you will know that im creating Static decoders for the most common Remote Access Trojans. In this post ill be releasing a handful of the static decoders i have written so far. I have set up a Repo on GitHub that will… Read more »

I Hear you like Mount Points

      6 Comments on I Hear you like Mount Points

tl;dr Having just finished my SANS 508 Course i want to share a quick script to help mount partitions and disk images acquired as part of a forensic analysis. I Hear You Like Mount Points The SANS 508 is an Advanced Computer Forensics course and the majority of the course is examining Disk Images. The course uses E01 Images of… Read more »

Extracting Configurations From Malware Samples

      1 Comment on Extracting Configurations From Malware Samples

I like RAT’s and i don’t mean the furry creatures that live in cages or sewer lines, I am of course talking about Remote Access Trojans. Used by Script Kiddies, E Crime Rings and APT groups alike. they provide a wide range of tools and capabilities for any one who manages to get one implanted on your network or system…. Read more »

Python Challenge – 2

      No Comments on Python Challenge – 2

WARNING SOLUTIONS HERE URL: http://www.pythonchallenge.com/pc/def/ocr.html This one gives us a clue about looking at the source. Looking at the source code we are presented with a large chunk of random code and another clue <!– %%$@_$^__#)^)&!_+]!*@&^}@[@%]()%+$&[(_@%+%$*^@$^!+]!&_#)_*}{}}!}_]$[%}@[{_@#_^{* @##&{#&{&)*%(]{{([*}@[@&]+!!*{)!}{%+{))])[!^})+)$]#{*+^((@^@}$[**$&^{$!@#$%)!@(& +^!{%_$&@^!}$_${)$_#)!({@!)(^}!*^&!$%_&&}&_#&@{)]{+)%*{&*%*&@%$+]!*__(#!*){%&@++ !_)^$&&%#+)}!@!)&^}**#!_$([$!$}#*^}$+&#[{*{}{((#$]{[$[$$()_#}!@}^@_&%^*!){*^^_$^ ]@}#%[%!^[^_})+@&}{@*!(@$%$^)}[_!}(*}#}#___}!](@_{{(*#%!%%+*)^+#%}$+_]#}%!**#!^_ )@)$%%^{_%!@(&{!}$_$[)*!^&{}*#{!)@})!*{^&[&$#@)*@#@_@^_#*!@_#})+[^&!@*}^){%%{&#@ @{%(&{+(#^{@{)%_$[+}]$]^{^#(*}%)@$@}(#{_&]#%#]{_*({(])$%[!}#@@&_)([*]}$}&${^}@(% (%[@%!}%*$}(*@)}){+@(%@*$&]*^*}*]&$[}*]%]+*}^!}*$^^_()#$^]++@__){&&+((#%+(&+){)$ %&&#($[[+##*%${)_!+{_[})%++)$#))]]]$]@]@($+{&%&%+!!!@]_]+])^*@$(@#${}}#}{%}#+{(@ …Snip With a large block of special characters it seems likly that normal characters are rare…. Read more »