Thursday, 19 June 2014

Maltego Local Transform Hello World

Maltego is an open source intelligence and forensics application. It offers timely mining and gathering of information and presents that information as an easy-to-understand graph. Local transforms are pieces of code that run on the same machine as the Maltego client, which launches them directly.

Ref: 
https://www.paterva.com/web6/
http://www.paterva.com/web6/documentation/developer-local.php

Here is a step-by-step beginner's guide to writing our own Local Transform.

Run the Maltego Python code (Ref: https://github.com/Lookingglass/Maltego)
The code is adapted from "Lookingglass" so that we can get started more easily (not all of the code is used in the sample files).

1. Download the zip file. It contains 3 files:
- MaltegoClass.py
- MaltegoTransform.py
- vxicon.png
Put them in the same directory.

2. MaltegoClass.py contains the EntityType, MaltegoEntity and MaltegoTransform, which are the basic classes for the Local Transform in Maltego.
Here we add our own EntityType, my.Input and my.Output, which will be used for creating a new Entity later.


3. MaltegoTransform.py holds our Local Transform functions and renders the output. Here we have helloworld, which takes a "my.Input" entity as input and returns a "my.Output" entity (both types defined in MaltegoClass.py). As a demonstration, we simply "process" the input by prefixing it with "Processed: ".



4. We add the function names to a dict, so that a function can be selected by passing its name as a command-line argument, followed by the input value.


5. We run MaltegoTransform.py from the command line. It prints the result as XML, which is what Maltego reads back from a local transform:
python MaltegoTransform.py helloworld 'Yeah baby!'
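For readers who do not want to download the Lookingglass files, here is a self-contained version of the same idea, added as an example (it is not the Lookingglass code, nor Paterva's library). It keeps the page's layout: small entity/transform classes, a helloworld function, and a dict that dispatches on the first argument. It assumes Maltego appends the selected entity's value after the configured parameters, so that it arrives as argv[2]. Every value is XML-escaped before rendering; without that, an entity value such as '</Value><Entity ...>' typed into the graph would inject extra entities into the response. parse_response is a small helper for checking the output the way a client would.

```python
#!/usr/bin/env python3
"""Added example, not the Lookingglass code from the post: a self-contained
local transform that emits the XML Maltego expects back on stdout.

Assumed calling convention (matches the post's command line): argv[1] is the
function name, argv[2] is the entity value that Maltego appends after the
configured parameters.
"""
import sys
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

OUTPUT_TYPE = "my.Output"   # the custom entity type created in the Maltego GUI


def attr(text):
    """Escape text for use inside a double-quoted XML attribute."""
    return escape(text, {'"': "&quot;"})


class MaltegoEntity:
    """One entity in the response: type, value and optional extra fields."""

    def __init__(self, entity_type, value, weight=100):
        self.entity_type = entity_type
        self.value = value
        self.weight = weight
        self.fields = []          # (name, display_name, value)

    def add_field(self, name, display_name, value):
        self.fields.append((name, display_name, value))

    def to_xml(self):
        # Every piece of user-controlled text is escaped; an entity value such
        # as '</Value><Entity ...>' must not be able to inject extra entities.
        parts = ['<Entity Type="%s">' % attr(self.entity_type),
                 "<Value>%s</Value>" % escape(self.value),
                 "<Weight>%d</Weight>" % self.weight]
        if self.fields:
            parts.append("<AdditionalFields>")
            for name, display, val in self.fields:
                parts.append('<Field Name="%s" DisplayName="%s">%s</Field>'
                             % (attr(name), attr(display), escape(val)))
            parts.append("</AdditionalFields>")
        parts.append("</Entity>")
        return "".join(parts)


class MaltegoTransform:
    """Collects entities and UI messages and renders the response message."""

    def __init__(self):
        self.entities = []
        self.messages = []        # (message_type, text)

    def add_entity(self, entity_type, value):
        entity = MaltegoEntity(entity_type, value)
        self.entities.append(entity)
        return entity

    def add_ui_message(self, text, message_type="Inform"):
        self.messages.append((message_type, text))

    def to_xml(self):
        out = ["<MaltegoMessage><MaltegoTransformResponseMessage><Entities>"]
        out.extend(e.to_xml() for e in self.entities)
        out.append("</Entities><UIMessages>")
        out.extend('<UIMessage MessageType="%s">%s</UIMessage>'
                   % (attr(mtype), escape(text)) for mtype, text in self.messages)
        out.append("</UIMessages></MaltegoTransformResponseMessage></MaltegoMessage>")
        return "".join(out)


def helloworld(value):
    """The transform body: 'process' the input by prefixing it."""
    mt = MaltegoTransform()
    output = mt.add_entity(OUTPUT_TYPE, "Processed: " + value)
    output.add_field("original", "Original input", value)
    mt.add_ui_message("helloworld ran on %r" % value)
    return mt.to_xml()


# Function-name -> function dispatch, selected by the first argument.
TRANSFORMS = {"helloworld": helloworld}


def run_transform(argv):
    """Dispatch on argv[1] and return the XML string to print to stdout."""
    if len(argv) < 3 or argv[1] not in TRANSFORMS:
        raise SystemExit("usage: MaltegoTransform.py <%s> <entity value>"
                         % "|".join(sorted(TRANSFORMS)))
    return TRANSFORMS[argv[1]](argv[2])


def parse_response(xml_text):
    """Parse a response the way a client would; returns [(type, value), ...]."""
    root = ET.fromstring(xml_text)
    return [(e.get("Type"), e.findtext("Value")) for e in root.iter("Entity")]


if __name__ == "__main__":
    print(run_transform(sys.argv))
```

Save it as MaltegoTransform.py in the working directory configured for the transform and keep the Parameters as "MaltegoTransform.py helloworld"; running it by hand as in step 5 prints the XML directly.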


So now we have the MaltegoClass and MaltegoTransform ready, next step is to create the new Entity and Local Transform.

Create a new Entity
1. Choose "New Entity Type"


2. Type the information as below:
Display name: My input, which is shown in the palette
Short description: whatever you like
Unique type name: the unique name (my.Input) that we reference in our Local Transform code
Inheritance: we choose "maltego.Phrase" here, which is a text input
Icon: you may add your own icon by clicking "Manage" and adding the icon to the Custom category

Click "Next >"


3. Create a custom main property and click "Next >"


4. Add to category: we type our own category "My Entity Category" and click "Finish"


5. We repeat the above steps to create "my.Output". Once that is done, clicking "Manage Entities" shows both "My Input" and "My Output".


Create Local Transform
1. Choose "Manage Transforms"


2. Create a new Transform Set: click the "Transform Sets" tab, then "New Set...", and type the set name and description.


3. After creating the new Transform Set, open the "All Transforms" tab and choose "New Local Transform".


4. Type the information as below. Set the Input entity type to "My Input", which we created previously, and the Transform Set to "My Local Transform Set", which we created in step 2. Click "Next >"


5. Type the command that runs the Transform:
Command: python (on Windows you may need the full path to python.exe)
Parameters: MaltegoTransform.py helloworld (Maltego appends the selected entity's value after these parameters)
Working directory: the directory containing the python files

Click "Finish"


6. "My Local Transform" is added to the list.


Create a new graph using our new Local Transform
1. Create a new graph, our new Entities are under "My Entity Category", drag "My Input" to the graph, and type the text you want.


2. Right click the icon and choose "My Local Transform Set" -> "My Local Transform".


3. Maltego runs MaltegoTransform.py and returns the result, "Processed: Yeah baby!!".



Export Configuration
After creating the new Entities, Local Transforms and icon, we can export them as a *.mtz file and hand it out together with the python files (MaltegoClass.py and MaltegoTransform.py) for others to use.

1. Export > Export Configuration


2. Choose "Custom selection"; we only want to export the items we just created.


3. We check "Entities", "Transforms", "Transform Sets" and "Icons".


4. Expand each and check the necessary items, i.e. "My Input", "My Output", "My Local Transform", "My Local Transform Set" and the custom icon.




Choose "Next >"

5. Save the file as "myConfig.mtz". It can be imported into another Maltego installation, after which the python files are copied into the working directory configured for the transform. Note that the .mtz carries the transform's command, parameters and working directory, and Maltego runs that command with the importing user's privileges whenever the transform is invoked, so anyone importing a configuration from someone else should inspect those settings before using it.



Choose "Finish", and that's all.

Summary
The above covers only the basic steps to create new Entities and Transforms and run the hello world function; from here we can develop more complex Transforms and use the power of Maltego for further investigation and analysis.

Wednesday, 21 May 2014

SANS Gold Paper - Website Security for Mobile

Smartphones and tablets are very popular nowadays; besides using apps, most of us use mobile devices to browse web pages. People usually want convenient and quick browsing without paying much attention to security settings such as anti-phishing or anti-XSS filtering. Thus, special attention must be paid to the end user's web security when they use mobile devices (mainly on the iOS and Android platforms). For example, how easily phishing can be done on mobile devices; what is the impact of visiting...

http://www.sans.org/reading-room/whitepapers/pda/website-security-mobile-34190

Tuesday, 20 May 2014

PlaidCTF 2014 For-350 write up

Challenge:

You have traveled back in time, but look, hunting The Plague is tough. You're really just going back to relax for a while without having to worry about all that nonsense. As you walk in the park you stumble across someone's BlackBerry. Wow, people still use BlackBerry phones (time travel gets so confusing)? You figure you should return it to the owner, but you have a hard time getting inside. Figure out what's on the phone, and maybe we'll be able to return it to the rightful owner.

The password is saved as a SHA1 hash located in NVRAM on the device. To find where it is stored, we first set a password of our own: open the simulator and do a factory reset (by entering a wrong password 10 times), so that we can set a known password and search for its hash in memory afterwards.


Let's set the screen lock password to "password", whose SHA1 is 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8.



Let's search the NVRAM dump, 9930-nv.dmp, for "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8".
The offset is 00053020, and the record starts with "3C000000".



Restore the original 9930-nv.dmp and go to the same offset; there we get the hash "3E270F54C6EB3175B4EF8B20080795EF2EE15589".



Googling the hash gives "fuckfuckfuckyouhahaha"...


We go back to the BB and unlock it with that password. Cool, we are in!


Following the hints, we search the contacts and find "Plaid CTF".


Opening it gives the first key, "fuckfuckfucky0uh4h4h4"... but there is another challenge attached, so let's download it.



blackberry.dmp looks like a full device dump. Let's open it in WinHex. To speed things up, we simply search for "3C000000"... The first hit is "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" again, which is "password", but that does not look like the key :-(...


With more patience we find another one: "AC0CFE7BD0AE22B44722F1A01ECB6CE102CA27C5".


Googling it finally gives "BerryGood".
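The two WinHex searches above can be done in one pass. The following is an added example, not part of the write-up: it scans a raw dump for every "3C000000"-prefixed SHA1 record and checks the hashes against a wordlist offline, which is also the right habit when the dump comes from a real device, since pasting its hashes into a search engine hands them to a third party. The record layout (4 marker bytes immediately followed by 40 hex characters) is assumed from the write-up's observation rather than any documented BlackBerry format, and the dump and wordlist are constructed for the demo.

```python
#!/usr/bin/env python3
"""Added example, not part of the write-up: scan a raw dump for the SHA-1
records found by hand in WinHex above and check them against a wordlist
offline instead of pasting hashes into a search engine.

Assumption (from the write-up's observation, not a documented BlackBerry
format): each record is the 4 marker bytes 3C 00 00 00 immediately followed
by the 40-character hex SHA-1 of the lock password.
"""
import hashlib
import re

MARKER = b"\x3c\x00\x00\x00"
RECORD_RE = re.compile(rb"\x3c\x00\x00\x00([0-9A-Fa-f]{40})")


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def find_hash_records(dump):
    """Return [(offset_of_marker, sha1_hex_lowercase), ...] in file order."""
    return [(m.start(), m.group(1).decode("ascii").lower())
            for m in RECORD_RE.finditer(dump)]


def crack(hashes, wordlist):
    """Map each hash that matches a wordlist entry to its plaintext."""
    table = {sha1_hex(word): word for word in wordlist}
    return {h: table[h] for h in hashes if h in table}


def analyze(dump, wordlist):
    """Full pipeline: [(offset, hash, plaintext_or_None), ...]."""
    records = find_hash_records(dump)
    found = crack([h for _, h in records], wordlist)
    return [(off, h, found.get(h)) for off, h in records]


def build_sample_dump():
    """Constructed stand-in for 9930-nv.dmp: filler with two records embedded."""
    filler = bytes(range(256)) * 8          # contains no 3C 00 00 00 sequence
    rec_known = MARKER + sha1_hex("password").encode("ascii")
    rec_other = MARKER + sha1_hex("BerryGood").upper().encode("ascii")
    return filler + rec_known + filler[:100] + rec_other + filler


if __name__ == "__main__":
    # The wordlist is constructed for the demo; a real run would use a proper
    # list or hand the recovered hashes to hashcat/john.
    wordlist = ["123456", "password", "BerryGood"]
    for off, digest, plain in analyze(build_sample_dump(), wordlist):
        print("0x%08x %s %s" % (off, digest, plain or "<not in wordlist>"))
```

To use it on a real image, replace build_sample_dump() with the bytes of the .dmp file; the case-insensitive match handles both the lowercase and uppercase hashes seen above.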



Reference:
http://crackberry.com/security-blackberry-balance
"The personal master key is also randomly generated. The personal master key is stored in NVRAM on the device and is encrypted with the system master key."

http://www.forensicfocus.com/Forums/viewtopic/t=7055/
The password should be stored as SHA1.

ebctf 2013 For-100 write up

Challenge:

After a recent attack, we found this encrypted file. Luckily, we made a memory dump, can you decrypt the file?
Archive password: lcoXse3oa3Uicioc

Files can also be found here: http://ctf.zone/EbCTF-2013-08/Forensics/100/

Download and unzip the memory dump, then check the file type.


Also check the strings; they suggest a 64-bit Linux dump.

Pre-requisites:
We will be using volatility to investigate the memory dump, and we need a suitable Linux profile to read it. In this case, for convenience, we can simply download Ubuntu 12.04 64-bit and run it in a VM:
http://www.ubuntu.com/download/desktop/questions?distro=desktop&bits=64&release=lts
After setting up the Ubuntu VM, we install volatility (subversion is needed beforehand). In the Ubuntu 64-bit terminal, install subversion:
$ sudo apt-get install subversion
Then install volatility:
$ svn checkout http://volatility.googlecode.com/svn/trunk/ volatility
$ cd volatility
$ sudo python setup.py install
*note: the paths in the sample commands may differ in your own environment

To create a Linux profile (Ubuntu1204-64bit) for reading the memory dump
ref: https://code.google.com/p/volatility/wiki/LinuxMemoryForensics

Install dwarfdump and build module.dwarf:
$ sudo apt-get install dwarfdump
$ cd volatility/tools/linux
$ make
$ head module.dwarf

Making the profile:
From the strings above we found "BOOT_IMAGE=/boot/vmlinuz-3.5.0-23-generic", so the profile must be built on Ubuntu 12.04 64-bit running that same kernel, with its System.map-3.5.0-23-generic (module.dwarf only describes the kernel it was compiled against, so a VM on a different kernel version produces a profile that will not parse this dump):
$ sudo zip volatility/volatility/plugins/overlays/linux/Ubuntu1204.zip volatility/tools/linux/module.dwarf /boot/System.map-3.5.0-23-generic
Ubuntu1204.zip is created, and the "LinuxUbuntu1204x64" profile appears in the profile list:
$ python vol.py --info | grep Linux


Everything is ready, so we can analyze the memory dump. There is a python2 process (pid=1317), which we will want to examine further:
$ python  vol.py --profile=LinuxUbuntu1204x64 -f memory.dump linux_pslist


We use linux_bash to check the bash history for clues:
$ python vol.py --profile=LinuxUbuntu1204x64 -f memory.dump linux_bash


Two important findings here:
python2 ctf.py ' i hide my '
kill -s SIGUSR1 1317
The python script was started with the argument " i hide my ", and SIGUSR1 was later sent to the process.

The python code may still be in memory, so we grep the strings:
$ strings memory.dump | grep SIGUSR1


"signal.signal(signal.SIGUSR1, encrypt)" looks like part of the python script: the SIGUSR1 sent above did not kill the process but triggered its encrypt handler.
We save the strings to a text file and search for the rest of the code:
$ strings memory.dump > memory.dump.txt
Searching for "signal.signal(signal.SIGUSR1, encrypt)" in a text editor, we find the surrounding python code.
Now we have key1: 'is this where' and key2: ' i hide my ', and we still need key3 in order to decrypt the "flag" file.


We examine the python process memory for whatever was passed as the argument:
$ python vol.py --profile=LinuxUbuntu1204x64 -f memory.dump linux_proc_maps -p 1317
We see a "[heap]" mapping between the python2 and encrypt entries; it could hold the input string.


We dump the mappings for further analysis:
$ python vol.py --profile=LinuxUbuntu1204x64 -f memory.dump linux_dump_map -p 1317 --dump-dir output/
$ grep -r 'i hide my' output/
Two of the dumped files contain "i hide my", so we search the strings in those two files.
Ha! We got something useful: 'is this where i hide my secrets?', so key3 is "secrets"!
You could also simply search the strings of memory.dump for "is this where i hide my secrets".
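The two "strings | grep" steps (finding the signal.signal line and finding key3 next to the known keys) lose the offset and the rest of the run once the hit is in a text editor. Here they are as an added example in Python, not from the write-up: printable_runs reproduces what strings prints, runs_containing adds the offset, and recover_missing_key takes the already known key1+key2 text and returns the word that follows it in memory. The dump content is constructed for the demo; in practice the functions take the bytes of memory.dump or of the files under output/.

```python
#!/usr/bin/env python3
"""Added example, not from the write-up: the 'strings | grep' steps done in
Python so that the whole printable run around a fragment comes back with its
offset, for both the signal.signal(...) line and the key3 search.

The dump content is constructed for the demo; point the functions at the
real memory.dump or the files under output/ instead.
"""
import re


def printable_runs(data, min_len=4):
    """Yield (offset, text) for each run of >= min_len printable ASCII bytes
    (space..tilde plus tab), close to what `strings` prints by default."""
    pattern = re.compile(rb"[\x09\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def runs_containing(data, needle, min_len=4):
    """`strings dump | grep needle`, but with the offset of each hit."""
    return [(off, text) for off, text in printable_runs(data, min_len)
            if needle in text]


def recover_missing_key(data, known_prefix):
    """Given the concatenation of the keys already known (key1 + key2), find a
    run that continues it and return the next word: the candidate key3."""
    for _, text in runs_containing(data, known_prefix):
        rest = text.split(known_prefix, 1)[1]
        m = re.match(r"\w+", rest)
        if m:
            return m.group()
    return None


def build_sample_dump():
    """Constructed stand-in for a heap region dumped by linux_dump_map."""
    junk = bytes([0x00, 0xff, 0x13, 0x80]) * 64      # nothing printable
    return (junk + b"signal.signal(signal.SIGUSR1, encrypt)\n" + junk
            + b"is this where i hide my secrets?" + junk)


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, text in runs_containing(dump, "SIGUSR1"):
        print("0x%08x %s" % (off, text))
    print("key3 =", recover_missing_key(dump, "is this where i hide my "))
```

Offsets matter when the same fragment appears more than once (the write-up found "password" twice in the BlackBerry image); with them, each hit can be taken back to the mapping it came from.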


Now we modify the python code to decrypt the flag with key1, key2 and key3, and print the result of decrypt.


Finally we got the flag :)
ebctf{55169c1c241aa20412da94b3fcbf8506}