"MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis." read more...
After playing with the applications installed on the Pwn Pad, I found that the most important application (at least for me) was missing from the pre-installed apps. Namely, DSploit. Although DSploit has tons of features, I really liked the multiprotocol password sniffing (same as dsniff) and the session hijacking functionality.
The DSploit APK in the Play Store was not working for me, but the latest nightly on http://dsploit.net worked like a charm.
Most features require that you and your target uses the same WiFi network, and that's it. It can be Open, WEP, WPA/WPA2 Personal. On all of these networks, DSploit will sniff the passwords - because of the active attacks. E.g. a lot of email clients still use IMAP with clear text passwords, or some webmails, etc.
First, DSploit lists the AP and the known devices on the network. In this case, I chose one victim client.
In the following submenu, there are tons of options, but the best features are in the MITM section.
Stealthiness warning: in some cases, I received the following popup on the victim Windows:
This is what we have under the MITM submenu:
Password sniffing
For example, let's start with the Password Sniffer. It is the same as EvilAP and DSniff in my previous post. With the same results for the popular Hungarian webmail with the default secure login checkbox turned off. Don't forget, this is not an Open WiFi network, but one with WPA2 protection!
Session hijack
Now let's assume that the victim is very security-aware and he checks the secure login checkbox. Another cause can be that the victim already logged in, long before we started to attack. The session hijacking function is similar to the Firesheep tool, but it works with every website where the session cookies are sent in clear text, and there is no need for any additional support.
In a session hijacking attack (also called "sidejacking"), after the victim browser sends the authentication cookies in clear text, DSploit copies these cookies into its own browser, and opens the website with the same cookies, which results in successful login most of the time. Let's see session hijacking in action!
Here, we can see that the session cookies have been sniffed from the air:
Let's select that session, and be amazed that we logged into the user's webmail session.
Redirect traffic
This feature can be used both for fun or profit. For fun, you can redirect all the victim traffic to http://www.kittenwar.com/. For-profit, you can redirect your victim to phishing pages.
Replace images, videos
I think this is just for fun here. Endless Rick Rolling possibilities.
Script injection
This is mostly for profit. client-side injection, drive-by-exploits, endless possibilities.
Custom filter
If you are familiar with ettercap, this has similar functionalities (but dumber), with string or regex replacements. E.g. you can replace the news, stock prices, which pizza the victim ordered, etc. If you know more fun stuff here, please leave a comment (only HTTP scenario - e.g. attacking Facebook won't work).
Additional fun (not in DSploit) - SSLStrip
From the MITM section of DSploit, I really miss the SSLStrip functionality. Luckily, it is built into the Pwn Pad. With the help of SSLStrip, we can remove the references to HTTPS links in the clear text HTTP traffic, and replace those with HTTP. So even if the user checks the secure login checkbox at freemail.hu, the password will be sent in clear text - thus it can be sniffed with DSniff.
HTML source on the client-side without SSLstrip:
HTML source on the client-side with SSL strip:
With EvilAP, SSLStrip, and DSniff, the password can be stolen. No hacking skillz needed.
Lessons learned here
If you are a website operator where you allow your users to login, always:
Use HTTPS with a trusted certificate, and redirect all unencrypted traffic to HTTPS ASAP
"DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more." read more...
"Nemesis is a command-line network packet injection utility for UNIX-like and Windows systems. You might think of it as an EZ-bake packet oven or a manually controlled IP stack. With Nemesis, it is possible to generate and transmit packets from the command line or from within a shell script. Nemesis attacks directed through fragrouter could be a most powerful combination for the system auditor to find security problems that could then be reported to the vendor(s)." read more...
Intro: I recently returned from the new Social Engineering training provided by Social-Engineer.org in the beautiful city of Seattle,WA, a state known for sparkly vampires, music and coffee shop culture. As many of you reading this article, i also read the authors definitive book Social Engineering- The art of human hacking and routinely perform SE engagements for my clients. When i heard that the author of the aforementioned book was providing training i immediately signed up to get an in person glance at the content provided in the book. However, i was pleasantly surprised to find the course covered so much more then what was presented in the book.
I wasn't aware that there would be more then one instructor and was extremely happy with the content provided by both instructors. Chris and Robin both have a vast amount of knowledge and experience in the realm of social engineering. Each instructor brought a different angle and use case scenario to the course content. Robin is an FBI agent in charge of behavioral analysis and uses social engineering in his daily life and work to get the results needed to keep our country safe. Chris uses social engineering in his daily work to help keep his clients secure and provides all sorts of free learning material to the information security community through podcasts and online frameworks.
Course Material and Expectation: I originally thought that the material covered in class would be a live reiteration of the material covered in Chris's book. However, I couldn't have been more wrong !! The whole first day was about reading yourself and other people, much of the material was what Robin uses to train FBI agents in eliciting information from possible terrorist threats. Each learning module was based on live demo's, nightly labs, and constant classroom interaction. Each module was in depth and the level of interaction between students was extremely useful and friendly. I would say the instructors had as much fun as the students learning and sharing social techniques and war stories. The class was heavily made up of ways to elicit personal and confidential information in a way that left the individuatial "Happier for having met you". Using language, body posture and social truisms as your weapon to gather information, not intended for your ears, but happily leaving the tongue of your target. Other class activities and materials included an in depth look at micro expressions with labs and free extended learning material going beyond the allotted classroom days. Also break out sessions which focused on creating Phone and Phishing scripts to effectively raise your rate of success. These sessions were invaluable at learning to use proper language techniques on the phone and in email to obtain your objectives.
Nightly Missions/Labs: If you think that you are going to relax at night with a beer. Think again!! You must ensure that your nights are free, as you will be going on missions to gain information from live targets at venues of your choice. Each night you will have a partner and a mission to gain certain information while making that persons day better then it started. The information you are requested to obtain will change each night and if done properly you will notice all of the material in class starting to unfold.. When you get to body language training you will notice which targets are open and when its best to go in for the kill. You will see interactions change based on a persons change in posture and facial expressions. Each day you will take the new techniques you have learned and put them into practice. Each morning you have to report your findings to the class.. During my nightly labs i obtained information such as door codes to secured research facilities, information regarding secret yet to be released projects. On the lighter side of things i obtained much personal information from my targets along with phone numbers and invitations for further hangouts and events. I made many new friends inside and outside of class. There were also labs within the confines of the classroom such as games used to solidify your knowledge and tests to figure out what kind of learner you are. Technical labs on the use of information gathering tools and ways to use phone and phishing techniques to your advantage via linguistically and technologically. Essentially the class was about 60% interaction and labs.
Proof it works: After class i immediately had a phishing and phone based contract at my current employment. I used the email and phone scripts that we created in class with 100% click rate and 100% success in phone elicitation techniques. Gaining full unfettered access to networks through phone and email elicitation and interaction. Although I do generally have a decent SE success rate, my rates on return are now much higher and an understanding of what works and what doesn't, and why are much more refined.
Conclusion and Certification: I paid for this class out of pocket, including all expenses, hotels, rentals cars and planes etc etc. I would say that the class was worth every penny in which i paid for it. Many extras were given including black hat passes, extended training from notable sources and continued interaction from instructors after class ended. I would highly recommend this class to anyone looking for a solid foundation in social engineering or a non technical alternative to training. You will learn a lot, push yourself in new ways and have a blast doing it. However I did not see any sparkly vampires while in seattle.... Twilight lied to me LOL The certification is a 48 hour test in which you will utilize your knowledge gained technologically and socially to breach a company.I am not going to give away to much information about the certification as i haven't taken it yet and I do not want to misspeak on the subject. However I will say that social-engineer.org has done an excellent job at figuring out a way to include Real World Social Engineering into a test with verifiable proof of results. I am going to take my test in a couple weeks and it should be a blast!!!
Thanks and I hope this review is helpful to all those looking for SE training. I had a blast :) :)Continue reading
We found out that many TLS implementations are still vulnerable to different variations of a 19-year old Bleichenbacher's attack. Since Hanno argued to have an attack name, we called it ROBOT: https://robotattack.org
Given the new attack variants, we released a new version of TLS-Attacker 2.2, which covers our vulnerabilities.
Bleichenbacher's attack from 1998
In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 1.5 padding allow an adversary to execute an adaptive-chosen ciphertext attack. This attack also belongs to the category of padding oracle attacks. By performing the attack, the adversary exploits different responses returned by the server that decrypts the requests and validates the PKCS#1 1.5 padding. Given such a server, the attacker can use it as an oracle and decrypt ciphertexts.
We refer to one of our previous blog posts for more details.
OK, so what is new in our research?
In our research we performed scans of several well-known hosts and found out many of them are vulnerable to different forms of the attack. In the original paper, an oracle was constructed from a server that responded with different TLS alert messages. In 2014, further side-channels like timings were exploited. However, all the previous studies have considered mostly open source implementations. Only a few vulnerabilities have been found.
In our scans we could identify more than seven vulnerable products and open source software implementations, including F5, Radware, Cisco, Erlang, Bouncy Castle, or WolfSSL. We identified new side-channels triggered by incomplete protocol flows or TCP socket states.
For example, some F5 products would respond to a malformed ciphertext located in the ClientKeyExchange message with a TLS alert 40 (handshake failure) but allow connections to timeout if the decryption was successful. We could observe this behaviour only when sending incomplete TLS handshakes missing ChangeCipherSpec and Finished messages.
See our paper for more interesting results.
Release of TLS-Attacker 2.2
These new findings motivated us to implement the complete detection of Bleichenbacher attacks in our TLS-Attacker. Before our research, TLS-Attacker had implemented a basic Bleichenbacher attack evaluation with full TLS protocol flows. We extended this evaluation with shortened protocol flows with missing ChangeCipherSpec and Finished messages, and implemented an oracle detection based on TCP timeouts and duplicated TLS alerts. In addition, Robert (@ic0ns) added many fixes and merged features like replay attacks on 0-RTT in TLS 1.3.
In case the server responds with different error messages, it is most likely vulnerable. The following example provides an example of a vulnerable server detection output:
14:12:42 [main] CONSOLE attacks.impl.Attacker - A server is considered vulnerable to this attack if it responds differently to the test vectors. 14:12:42 [main] CONSOLE attacks.impl.Attacker - A server is considered secure if it always responds the same way. 14:12:49 [main] CONSOLE attacks.impl.Attacker - Found a difference in responses in the Complete TLS protocol flow with CCS and Finished messages. 14:12:49 [main] CONSOLE attacks.impl.Attacker - The server seems to respond with different record contents. 14:12:49 [main] INFO attacks.Main - Vulnerable:true
In this case TLS-Attacker identified that sending different PKCS#1 messages results in different server responses (the record contents are different).
A step by step lab based mini course on analyzing your car network
I wanted to learn about hacking cars. As usual I searched around the internet and didn't find any comprehensive resources on how to do this, just bits and pieces of the same info over and over which is frustrating. I am not a car hacking expert, I just like to hack stuff. This mini course will run in a fully simulated lab environment available from open garages, which means in 5 minutes from now you can follow along and hack cars without ever bricking your girlfriends car. Since you obviously wouldn't attack your own Lambo, totally use your girlfriends Prius.
Below are the topics covered in this blogseries so you can decide if you want to read further:
Whats covered in this car hacking mini course:
Setting up Virtual Environments for testing
Sniffing CAN Traffic
Parsing CAN Traffic
Reverse Engineering CAN IDs
Denial of service attacks
Replaying/Injecting Traffic
Coding your own CAN Socket Tools in python
Targeted attacks against your cars components
Transitioning this to attacking a real car with hardware
The first thing we are going to do before we get into any car hacking specifics such as "WTF is CAN?", is get your lab up and running. We are going to run a simple simulated CAN Bus network which controls various features of your simulated car. Its better to learn by doing then sit here and recite a bunch of car network lingo at you and hope you remember it.
I also don't want you to buy a bunch of hardware and jack into your real car right away. Instead there are options that can get you started hacking cars RIGHT NOW by following along with this tutorial. This will also serve to take away the fear of hacking your actual car by understanding what your doing first.
Video Playlist:
Setting up your Lab:
First things first, set yourself up with an Ubuntu VMware install, and load it up. Optionally you could use a Kali Iinux VM, however, that thing drives me nuts with copy paste issues and I think Kayak was giving me install problems. So support is on you if you would like to use Kali. However, I do know Kali will work fine with OpenGarages virtual car.. So feel free to use it for that if you have it handy and want to get started right away.
Install PreReq Libraries:
Once you load this up you are going to want to install CAN utilities and pre-requisite libraries. This is really easy to do with the following Apt-get commands:
Once this is done we can startup the simulator by changing directories to the downloaded repo and running the following 2 commands, which will setup a virtual CAN interface and a simulator GUI Cluster:
Run the setup Script to get the vcan0 interface up:
root@kali:~/ICSim# ./setup_vcan.sh
root@kali:~/ICSim# ./icsim vcan0
On a new terminal tab we will open up our simulators controller with the following command,
root@kali:~/ICSim#./controls vcan0
Note: that the controller must be the in-focus GUI screen to send keyboard commands to the simulator.
How to Use the Simulator:
The simulator has a speedometer with Right and Left turn signals, doors etc. Below are the list of commands to control the simulator when the Control panel is in focus. Give them each a try and note the changes to the simulator.
Up and Down keys control the gauges clusters speedometer
Left and Right keys Control the Blinkers
Right Shift + X, A or B open doors
Left Shift + X, A or be Close doors
Try a few of the above commands for example Right Shift +X and you will see the interface change like so, notice the open door graphic:
Awesome, thanks to OpenGarages you now you have your very own car to hack
Notice in the setup commands above we used a VCan0 interface. Run Ifconfig and you will now see that you indeed have a new network interface that speaks to the CAN network over VCan0.
ficti0n@ubuntu:~/Desktop/ICSim$ ifconfig vcan0
vcan0 Link encap:UNSPECHWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
Car networks run on a variety of protocols most prevalent being CAN. You can think of a CAN Bus like an old school networking hub where everyone can see everyone elses traffic. This is true to some extent although you may not see all of the cars traffic if its not connected to that particular bus your plugged into. You can think of CAN traffic kind of like UDP in that its send and forget, the main difference being parts of the CAN bus network don't actually have addresses and everything runs off arbitration IDs and priorities. Thats enough background to get you doing rather then reading.
With a little knowledge out of the way lets check if we can see our CAN traffic from our virtual car via the CanDump utility, which you installed as part of CanUtils package above. Using the following command on the vcan0 interface our simulator uses you can view a stream of traffic:
ficti0n@ubuntu:~/Desktop/ICSim$ candump vcan0
Above we can see a bunch of CAN frames, and if we perform actions on the vehicle we will see changes to data values in the CanDump output.However this may happen very fast, and we may not be able to see if for example we unlocked our simulators door. This is because things are changing constantly in the cars IDLE state. One single value changing may not stand out enough for us to take notice or may scroll so fast we cant see it.
Capture and Replay CAN Actions:
One option would be to perform an action and replay it, we should see the actions happen again in the replay if the traffic for the action we recorded is on the same bus network our device is plugged into. There are loads of networks within a car and its not guaranteed our network tap for example an OBD2 port plugin is connected to the same network as door we opened.Or the door may not be connected to the network at all depending on your car and its age or how its configured.
Replaying dumps with CanPlayer:
Another useful tool included with CanUtils package is CanPlayer for replaying traffic. If the functionality we are trying to capture is on the same Bus as the adaptor plugged into the car, or in this case our Virtual CAN interface, we can use CanDump to save traffic to a file. We then use CanPlayer to replay the traffic on the network. For example lets run CanDump and open a door and then replay the functionality with CanPlayer.
Lab 1 Steps:
Run CanDump
Right Shift + X to open a door
Cancel CanDump (ctrl+c)
Left Shift + X to close the door
Run can player with the saved dump and it will replay the traffic and open the door
Recording the door opening:(-l for logging)
ficti0n@ubuntu:~/Desktop/ICSim$ candump -l vcan0
Replaying the CanDump file:(use the file your can dump created)
Nice, so if all went well you should see that your door is now open again. If this did not happen when attacking a real car, just try to replay it again. CAN networks are not like TCP/IP, they are more like UDP in that you send out your request and its not expecting a response. So if it gets lost then it gets lost and you have to resend. Perhaps something with higher priority on the network was sending at the time of your replay and your traffic was overshadowed by it.
Interacting with the Can Bus and Reversing Traffic:
So thats cool, but what about actually understanding what is going on with this traffic, CanDump is not very useful for this, is scrolls by to quickly for us to learn much from.Instead we can use CanSniffer with colorized output to show us the bytes within packets that change. Below is an example of CanSniffer Traffic:
You will see 3 fields, Time, IDand Data. Its pretty easy to figure out what these are based on thier name. The most important part for our usage in this blog are the ID and the Data fields.
The ID field is the frame ID which is loosely associated with the device on the network which is effected by the frame being sent. The ID to also determines the priority of the frame on the network.The lower the number of the CAN-ID the higher priority it has on the network and more likely it will be handled first.The data field is the data being sent to change some parameter like unlocking a door or updating output. You will notice that some of the bytes are highlighted RED. The values in red are the values that are changing during the idle state you are currently in.
Determine which ID and Byte controls the throttle:
So with the terminal sniffing window open put the simulator and the controller into the foreground, with the controller being the window you have clicked and selected.Pay attention to the CanSniffer output while hitting the UP ARROW and look for a value that was white but is now Red and increasing in value as the throttle goes up.This might take you a few minutes of paying attention to whats going on to see.
The following 2 pictures show ID 244 in the IDLE state followed by pressing the up button to increase the speed. You will notice a byte has turned red and is increasing in value through a range of HEX values 0-F. It will continue to enumerate through values till it reaches its max speed.
The byte in ID 244 which is changing is the value while the throttle is engaged, so 244 associated in some way with the increasing speed. The throttle speed is a good value to start with as it keeps increasing its value when pressed making it easier to spot while viewing the CanSniffer output.
Singling out Values with Filters:
If you would like to single out the throttle value then click the terminal window and press -000000 followed by the Enter key which will clear out all of the values scrolling. Then press +244 followed by the Enter key which will add back the throttle ID. You can now click the controller again and increase the speed with your Up arrow button without all the noise clouding your view.You will instead as shown below only have ID 244 in your output:
To get back all of the IDs again click the terminal window and input +000000 followed by the Enter key. Now you should see all of the output as before.Essentially 000000 means include everything. But when you put a minus in front of it then it negates everything and clears your terminal window filtering out all values.
Determine Blinker ID:
Now lets figure out another ID for the blinkers. If you hit the left or right arrow with the controls window selected you will notice a whole new ID appears in the list, ID 188 shown in the picture below which is associated with the blinker.
This ID was not listed before as it was not in use within the data output until you pressed the blinker control.Lets single this value out by pressing -000000 followed by +188. Just like in the throttle example your terminal should only show ID 188, initially it will show with 00 byte values.
As you press the left and the right blinker you will see the first Byte change from 00 to 01 or 02. If neither is pressed as in the screenshot above it will be 00. Its kind of hard to have the controller in focus and get a screenshot at the same time but the ID will remain visible as 00 until it times out and disappears from the list when not active. However with it filtered out as above you can get a better view of things and it wont disappear.
Time for YOU to do some Protocol Reversing:
This lab will give you a good idea how to reverse all of the functionality of the car and associate each action with the proper ID and BYTE. This way you can create a map of intended functionality changes you wish to make.Above we have done a few walk throughs with you on how to determine which byte and ID is associated with an action. Now its time to map everything out yourself with all the remaining functionality before moving on to attacking individual components.
Lab Work Suggestion:
Take out a piece of paper and a pencil
Try unlocking and locking doors and write down the ID which controls this action (remember your filters)
Try unlocking each door and write down the BYTES needed for each door to open
Try locking each doors and what Bytes change and what are their values, write them down
Do the same thing for the blinkers left and right (Might be different then what I did above)
What ID is the speedometer using?What byte changes the speed?
Attacking Functionality Directly:
With all of the functionality mapped out we can now try to target various devices in the network directly without interacting with the controllers GUI. Maybe we broke into the car via cellular OnStar connectionor the center console units BLE connection which was connected to the CAN network in some way. After an exploit we have direct access to the CAN network and we would like to perform actions. Or maybe you have installed a wireless device into an OBD2 port under the dashboard you have remote access to the automobile.
Using the data from the CAN network reversing lab above we can call these actions directly with the proper CAN-ID and Byte.Since we are remote to the target we can't just reach over and grab the steering wheel or hit the throttle we will instead send your CAN frame to make the change.
One way we can do this is via the CanSend utility. Lets take our information from our lab above and make the left turn signal flash with the following ID 188 for the turn signal by changing the first byte to 01 indicating the left signal is pressed. CanSend uses the format ID#Data. You will see this below when sending the turn signal via CanSend.
You should have noticed that the left signal flashed. If not pay more attention and give it another try or make sure you used the correct ID and changed the correct byte.So lets do the same thing with the throttle and try to set the speed to something with ID 244 that we determined was the throttle.
My guess is that nothing happened because its so fast the needle is not going to jump to that value. So instead lets try repeating this over and over again with a bash loop which simply says that while True keep sending the throttle value of 11 which equates to about 30mph:
ficti0n@ubuntu:~/Desktop/ICSim$ while true; do cansend vcan0 244#00000011F6;done
Yes thats much better, you may notice the needle jumping back and forth a bit. The reason the needle is bouncing back and forth is because the normal CAN traffic is sent telling the car its actually set to 00 in between your frames saying its 30mph.But it worked and you have now changed the speed the car sees and you have flashed the blinker without using the cars normal blinker controls. Pretty cool right?
Monitor the CAN Bus and react to it:
Another way to handle this issue is to monitor the CAN network and when it sees an ID sent it will automatically send the corresponding ID with a different value.. Lets give that a try to modify our speed output by monitoring for changes. Below we are simply running CanDump and parsing for ID 244 in the log output which is the throttle value that tells the car the speed. When a device in the car reports ID 244 and its value we will immediately resend our own value saying the speed is 30mph with the value 11.See below command and try this out.
ficti0n@ubuntu:~/Desktop/ICSim$ candump vcan0 | grep " 244 " | while read line; do cansend vcan0 244#00000011F6; done
With this running after a few seconds you will see the speed adjust to around 30MPH once it captures a legitimate CAN-ID 244 from the network traffic and sends its own value right after.
Ok cool, so now while the above command is still running click the controller window and start holding down the Up arrow with the controller in focus.. After a few seconds or so when the speed gets above 30MPH you will see the needle fighting for the real higher value and adjusting back to 30MPH as your command keeps sending its on value as a replacement to the real speed.
So thats one way of monitoring the network and reacting to what you see in a very crude manner.Maybe someone stole your car and you want to monitor for an open door and if they try to open the door it immediately locks them in.
Conclusion and whats next:
I am not an expert car hacker but I hope you enjoyed this. Thats about as far as I want to go into this subject today, in the next blog we will get into how to code python to perform actions on the CAN network to manipulate things in a similar way.With your own code you are not limited to the functionality of the tools you are provided and can do whatever you want. This is much more powerful then just using the CanUtils pre defined tools. Later on I will also get into the hardware side of things if you would like to try this on a real car where things are more complicated and things can go wrong.
Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced "rastreador" - hunter- in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute sysinternal, system commands and other 3rd party tools across multiples endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and memory across multiple systems using YARA rules. As a command line tool, rastrea2r can be easily integrated within McAfee ePO, as well as other AV consoles and orchestration tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with 'gusto' and style!
Dependencies
Python 2.7.x
git
bottle
requests
yara-python
Quickstart
Clone the project to your local directory (or download the zip file of the project)
All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.
$make help help - display this makefile's help information venv - create a virtual environment for development clean - clean all files using .gitignore rules scrub - clean all files, even untracked files test - run tests test-verbose - run tests [verbosely] check-coverage - perform test coverage checks check-style - perform pep8 check fix-style - perform check with autopep8 fixes docs - generate project documentation check-docs - quick check docs consistency serve-docs - serve project html documentation dist - create a wheel distribution package dist-test - test a wheel distribution package dist-upload - upload a wheel distribution package
Create a virtual environment with all dependencies
$make venv //Upon successful creation of the virtualenvironment, enter the virtualenvironment as instructed, for ex: $source /Users/ssbhat/.venvs/rastrea2r/bin/activate
Start the rastrea2r server by going to $PROJECT_HOME/src/rastrea2r/server folder
$cd src/rastrea2r/server/ $python rastrea2r_server_v0.3.py Bottle v0.12.13 server starting up (using WSGIRefServer())... Listening on http://0.0.0.0:8080/
Now execute the client program, depending on which platform you are trying to scan choose the target python script appropriately. Currently Windows, Linux and Mac platforms are supported.
Rastrea2r RESTful remote Yara/Triage tool for Incident Responders
positional arguments: {yara-disk,yara-mem,triage}
modes of operation yara-disk Yara scan for file/directory objects on disk yara-mem Yara scan for running processes in memory triage Collect triage information from endpoint
optional arguments: -h, --help show this help message and exit -v, --version show program's version number and exit
Further more, the available options under each command can be viewed by executing the help option. i,e
yara-disk: Yara scan for file/directory objects on disk
yara-mem: Yara scan for running processes in memory
memdump: Acquires a memory dump from the endpoint ** Windows only
triage: Collects triage information from the endpoint ** Windows only
Notes For memdump and triage modules, SMB shares must be set up in this specific way:
Binaries (sysinternals, batch files and others) must be located in a shared folder called TOOLS (read only)
\path-to-share-foldertools
Output is sent to a shared folder called DATA (write only)
\path-to-share-folderdata
For yara-mem and yara-disk scans, the yara rules must be in the same directory where the server is executed from.
The RESTful API server stores data received in a file called results.txt in the same directory.
Contributing to rastrea2r project The Developer Documentation provides complete information on how to contribute to rastrea2r project Demo videos on Youtube
Peruano,Ingeniero UNI Lima 68, diplomado en el CEPE Paris 71, Doctorado en Economia en Grenoble 73, Profesor Principal de la UNI, fue Presidente de la ADUNI 79, Presidente del capitulo de ingenieros industriales y economistas, Secretario general y Decano Nacional del Colegio de Ingenieros del Peru, Regidor Metropolitano de Lima 83-89, Presidente de la empresa de servicios informaticos de Lima (SERMIN), Presidente del Servicio de Catastro Integral de Lima, Director de la empresa inmobiliaria de Lima EMILIMA, Director del Banco Central Reserva del Peru 2001-2006. Representante del Peru en FLAR, CEMLA y la conferencia de NN.UU. sobre Finanzas para el desarrollo. Elegido consejero del Consejo Nacional de la Magistratura, fue su presidente 2011 y dirige la comision de evaluacion y ratificacion de jueces y fiscales. Profesor invitado en Francia, profesor de la escuela de postgrado en la FIIS-UNI es miembro emerito de la Orden de Ingenieria y recibio la distincion de la Antorcha de Habich-UNI
"MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis." read more...
Related articles
"DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more." read more...
Read more
"Nemesis is a command-line network packet injection utility for UNIX-like and Windows systems. You might think of it as an EZ-bake packet oven or a manually controlled IP stack. With Nemesis, it is possible to generate and transmit packets from the command line or from within a shell script. Nemesis attacks directed through fragrouter could be a most powerful combination for the system auditor to find security problems that could then be reported to the vendor(s)." read more...
