Irregular Expressions


December 16, 2011  12:25 AM

Can you crack it (Part 5)

Dan O'Connor

We now have our unicode.

QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR.78jKLw==

Here is something that should decode it for us.

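#!/usr/bin/perl
use strict;
use warnings;

use MIME::Base64;

# Comment value from cyber.png as exiftool printed it. The "." stands in for
# the line break; decode_base64 ignores characters outside the base64 alphabet.
my $new = "QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR.78jKLw==";

my $test = decode_base64($new);

# Write raw bytes so the redirected file is byte-exact.
binmode STDOUT;
print $test;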

Direct the output from that to a file and take a look in a hex editor.

> decode.pl > out.bin
(Here it is)
42 42 42 42 32 00 00 00 91 D8 FB 5C 08 0E AA D9 E6 82 F1 24 7E F1 D9 83 FF 33 73 2D 00 BE B5 DD ED 15 0E 2A C7 C3 B8 E1 30 DE B9 9C 39 3F ED 12 B1 B1 1C 61 1E FC 8C A2 F0

This does not look like anything specific; there is nothing significant at the start of it like the last set.

I think it’s time to get a debugger up and running.

I am not an expert at debugging compiled exe and reading assembly so this should be fun.

December 13, 2011  4:40 PM

Can you crack it (Part 4)

Dan O'Connor

I tried running the file.exe created, it does not appear to do anything.  It’s important but I don’t know what to do with it just yet.

The thing I find odd is that the hex was given in a PNG; that’s worth checking out.

I have both sets of files on my SIFT Workstation.  I will start with my favorite tools.

strings

strings cyber.png  | less

Take a look in the file, here is something worth looking at.

]iTXtComment
QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR
78jKLw==2

That looks like unicode.  Let’s look at the PNG’s metadata.

exiftool cyber.png

Comment                         : QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR.78jKLw==

Down at the end is what we are looking for in the Comment section.

That definitely is Unicode.  I have a script around to decode that somewhere for part 5.
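
The two steps from Parts 4 and 5 in one script, as an added example that is not the author's code: it walks the PNG chunks to find the Comment text chunk that strings and exiftool surfaced, checks each chunk's CRC, and base64-decodes the value. The sample file is constructed inline and carries only the Comment value shown on this page; the function names are this example's own.

```python
import base64, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def text_chunks(png):
    """Yield (keyword, text) for each tEXt/iTXt chunk; raise on a damaged file."""
    if not png.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:end - 4]
        if zlib.crc32(ctype + data) != struct.unpack(">I", png[end - 4:end])[0]:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        pos = end
        keyword, _, rest = data.partition(b"\x00")
        if ctype == b"tEXt":
            yield keyword.decode("latin-1"), rest.decode("latin-1")
        elif ctype == b"iTXt":
            # Layout after the keyword: flag byte, method byte, language tag\0,
            # translated keyword\0, then the text itself.
            compressed, rest = rest[:1] == b"\x01", rest[2:]
            text = rest.partition(b"\x00")[2].partition(b"\x00")[2]
            if compressed:
                text = zlib.decompress(text)
            yield keyword.decode("latin-1"), text.decode("utf-8")

def decode_comment(text):
    """Base64-decode a comment; drop whitespace and the '.' exiftool prints for a line break."""
    return base64.b64decode("".join(text.split()).replace(".", ""), validate=True)

# Constructed sample: a PNG-shaped file (IHDR, iTXt, IEND; no image data) carrying
# the Comment value shown on this page, split over two lines as strings printed it.
COMMENT = ("QkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR\n"
           "78jKLw==")
SAMPLE = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + chunk(b"iTXt", b"Comment\x00\x00\x00\x00\x00" + COMMENT.encode())
          + chunk(b"IEND", b""))

if __name__ == "__main__":
    for keyword, text in text_chunks(SAMPLE):
        print(keyword, "->", decode_comment(text).hex(" ").upper())
```

To run it against a real file, pass `open("cyber.png", "rb").read()` to `text_chunks` in place of `SAMPLE`.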


December 13, 2011  12:35 PM

Can you crack it (Part 3)

Dan O'Connor

Well it looks like I am late to the party, I went back to the site and it’s closed.

That’s ok, we will keep going.

If you have not figured out what is contained in the image, it’s a….

> file test.exe
test.exe: DOS executable (COM)

I have recognized this from experience, if you want to see where file gets this from you can find it here.

less /usr/share/misc/magic
# DR-DOS STACKER.COM SCREATE.SYS missed
>0      byte            0xeb            DOS executable (COM)

Double-check the file to make sure you have the correct hex entered into the file; I had a mistake in mine.  The file command will still return a DOS exe if the whole file is not correct.  It only checks the first bits.


December 12, 2011  6:08 PM

Can you crack it (Part 2)

Dan O'Connor

First we need some tools.

All of the tools I am thinking I will need you can download and install, but if you go get the SANS SIFT-KIT it should have everything you need.

https://computer-forensics11.sans.org/community/download-sift-kit/2.1

( You might need to register )

You can download the ISO or VM, it does not matter what you do.  The ISO will let you install it, and I think it’s 200 Megs smaller.


December 12, 2011  12:46 AM

Can you crack it (Part 1)

Dan O'Connor

I am going to work on…

http://www.canyoucrackit.co.uk/

I think I know what I am looking for right off the start, I just don’t have anything prepared to work on it with right now (Skyrim).

What I can say is the first few bits of hex will get you started, sadly I know what those are off memory.


December 11, 2011  1:38 AM

CoBiT studying

Dan O'Connor

I found a good xls with some great exam info on it for studying.

http://www.box.com/fnaik-cobit

I thought it was worth sharing.


November 28, 2011  11:49 AM

Blackhole exploit kit

Dan O'Connor

I am pretty sure I have mentioned this kit before, so here is a write up on it.

http://isc.sans.edu/diary.html?storyid=12079

I have it somewhere but have not had the time to try it out, you should be able to locate it on the interwebs if you want to see.


November 28, 2011  11:22 AM

I enjoy vulnerability write ups

Dan O'Connor

This one is really good, everything is written well and well explained.

https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue


November 28, 2011  10:41 AM

Another hacking lab

Dan O'Connor

This one is by OWASP.

https://www.hacking-lab.com/index.html

I have not used it yet, I have been pretty busy for the last bit prepping for the CoBiT exam, and a few other things.  Looks like lots of fun anyway.


November 28, 2011  10:26 AM

Pastebin

Dan O'Connor

For the last while pastebin has been the method of choice to post your evil doings.

So do you want to know if you have had a problem?

A few people have created pastebin searching apps, so you can check to see if your email address or company is listed.

Here is one,

http://www.andrewmohawk.com/pasteLert/

Another good way to watch this is with a custom Google search that will alert you, or you can go right to pastebin and do a search.

