Ethical Hackers Vol. 2

Channel address: @ethicalhackerscommunity2
Categories: Technologies
Language: English
Subscribers: 6.95K
Description from channel

Acquire Content-Rich Courses and Tutorials here For Free.
Strictly for Educational purposes only💯


The latest Messages 2

2022-08-25 16:30:52 With dBmonster you are able to scan for nearby WiFi devices and track them through the signal strength (dBm (https://en.m.wikipedia.org/wiki/DBm)) of their sent packets (https://www.kitploit.com/search/label/Packets) (sniffed with TShark (https://tshark.dev/setup/about/#what-is-tsharkdev)). These dBm values will be plotted to a graph (https://www.kitploit.com/search/label/Graph) with matplotlib (https://matplotlib.org/). It can help you to identify the exact location of nearby WiFi devices (use a directional WiFi antenna (https://simplewifi.com/blogs/news/omni-directional-vs-antennadirectional-antenna) for the best results) or to find out how your self-made antenna (https://www.makeuseof.com/10-diy-long-range-wi-fi-antennas-you-can-make-at-home/) works the best (antenna radiation patterns (https://help.ui.com/hc/en-us/articles/115012664088-UniFi-Introduction-to-Antenna-Radiation-Patterns)).

Features on Linux and MacOS

Feature | Linux | MacOS
- Listing WiFi interfaces
- Track & scan on 2.4GHz
- Track & scan on 5GHz
- Scanning for AP
- Scanning for STA
- Beep when device found

Installation

git clone https://github.com/90N45-d3v/dBmonster
cd dBmonster

# Install required tools (On MacOS without sudo)
sudo python requirements.py

# Start dBmonster
sudo python dBmonster.py

Has been successfully tested on...

Platform | WiFi Adapter
Kali Linux | ALFA AWUS036NHA, DIY Bi-Quad WiFi Antenna (https://www.instructables.com/Bi-Quad-WiFi-Antenna/)
MacOS Monterey | Internal card 802.11 a/b/g/n/ac (MBP 2019)

* should work on any MacOS or Debian (https://www.kitploit.com/search/label/Debian) based system and with every WiFi card that supports monitor-mode

Troubleshooting for MacOS

Normally, you can only enable monitor-mode on the internal wifi card from MacOS with the airport (https://osxdaily.com/2007/01/18/airport-the-little-known-command-line-wireless-utility/) utility from Apple. Somehow, wireshark (https://www.kitploit.com/search/label/Wireshark) (or here TShark) can enable it too on MacOS. Cool, but because of the MacOS system and Wireshark’s workaround, there are many issues running dBmonster on MacOS. After some time, it could freeze and/or you have to stop dBmonster/Tshark manually from the CLI with the ps command. If you want to run it anyway, here are some helpful tips:

Kill dBmonster, if you can't stop it over the GUI

Look if there are any processes, named dBmonster, tshark (https://www.kitploit.com/search/label/Tshark) or python:
sudo ps -U root
Now kill them with the following command:
sudo kill

Stop monitor-mode, if it's enabled after running dBmonster

sudo airport sniff
Press control + c after a few seconds

* Please contact me on twitter (https://twitter.com/90N45), if you have any more problems

Working on...

- Capture signal strength data for offline graphs
- Generate graphs from normal wireshark.pcapng file
- Generate multiple graphs in one coordinate system

Additional information

- If the tracked WiFi device is out of range or doesn't send any packets, the graph stops plotting till there is new data. So don't panic ;)
- dBmonster wasn't tested on all systems... If there are any errors or something is going wrong, contact me.
- If you used dBmonster on a non-listed Platform or WiFi Adapter, please open an issue (with Platform and WiFi Adapter information) and I will add your specification to the README.md

Download dBmonster (https://github.com/90N45-d3v/dBmonster)
372 viewsEH Community Feed, 13:30
2022-08-25 16:30:52 dBmonster - Track WiFi Devices With Their Received Signal Strength
http://www.kitploit.com/2022/08/dbmonster-track-wifi-devices-with-their.html
301 viewsEH Community Feed, 13:30
2022-06-24 15:58:11

Installation

git clone https://github.com/mnrkbys/norimaci.git

Future Work

- YARA scanning
- VirusTotal scanning

Author

Minoru Kobayashi (https://twitter.com/unkn0wnbit)

License

Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)

Download Norimaci (https://github.com/mnrkbys/norimaci)
44 viewsEH Community Feed, 12:58
2022-06-24 15:58:06

  -f FILE, --file FILE  Path to a bsm log file
  -p PROCLIST, --proclist PROCLIST
                        Path to a process list file
  -o OUT, --out OUT     Path to an output file
  -c, --console         Output JSON data to stdout.
  -rp, --use-running-proclist
                        Use current running process list instead of a existing
                        process list file. And, the process list is saved to a
                        file which places in the same directory of '--file' or
                        to a file which specified '--proclist'.
  --with-failure        Output records which has a failure status too.
  --with-failure-socket
                        Output records which has a failure status too (related
                        socket() syscall only).
  --force               Enable to overwrite an existing output file.
  --debug               Enable debug mode.

monitorappconv.py

$ python3 ./monitorappconv.py -h
usage: monitorappconv.py [-h] [-f FILE] [-o OUT] [-c] [--force] [--debug]

Parses data of Fireeye Monitor.app and converts it to JSON format. Please note
that strings in JSON data are saved as UTF-8.

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Path to a saved data of Monitor.app.
  -o OUT, --out OUT     Path to an output file.
  -c, --console         Output JSON data to stdout.
  --force               Enable to overwrite an output file.
  --debug               Enable debug mode.

Demo

Analyze AppleJeus.A on macOS 10.15 Catalina with Norimaci. This demo movie was made for Japan Security Analyst Conference 2020 (JSAC2020)
43 viewsEH Community Feed, 12:58
2022-06-24 15:58:06 # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa,fc,fd,pc,nt,ex <- edit here like this
minfree:5
naflags:lo,aa,fc,fd,pc,nt,ex <- edit here like this
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

Usage

Basic usage with OpenBSM (most standard usage)

1. Run norimaci.py with sudo.
2. Run a sample of malware (You can run any type of malware. For example, DMG, PKG, Mach-O binary, and so on).
3. Wait for a while (until the malware can achieve its goal).
4. Press "Ctrl + C" at the appropriate time in the terminal where Norimaci runs.
5. 2 kinds of reports are generated (Norimaci_dd_Mon_yy__hh_mm_ffffff.txt and Norimaci_dd_Mon_yy__hh_mm_ffffff_timeline.csv).
6. Confirm reports with your favorite tools (e.g. text editors, grep, less, etc).

$ sudo python3 ./norimaci.py -m openbsm -o ./out/
Password:

--===[ Norimaci v0.1.0
--===[ Minoru Kobayashi [@unkn0wnbit]
[*] Launching OpenBSM agent...
[*] When runtime is complete, press CTRL+C to stop logging.
^C
[*] Termination of OpenBSM agent commencing... please wait
[*] Converting OpenBSM data ...
[*] Loading converted macOS activity data ...
[*] Saving report to: /Users/macforensics/tools/norimaci/out/Norimaci_14_Jan_20__15_55_093219.txt
[*] Saving timeline to: /Users/macforensics/tools/norimaci/out/Norimaci_14_Jan_20__15_55_093219_timeline.csv

Basic usage with Monitor.app

Note: Monitor.app can not run on macOS 10.15. But, it works fine on macOS 10.14 or earlier.

1. Run norimaci.py with sudo.
2. Enter a password after Norimaci launches Monitor.app (Monitor.app needs a password to install its kext).
3. Run a sample of malware (You can run any type of malware. For example, DMG, PKG, Mach-O binary, and so on).
4. Wait for a while (until the malware can achieve its goal).
5. Press "Ctrl + C" at the appropriate time in the terminal where Norimaci runs.
6. 2 kinds of reports are generated (Norimaci_dd_Mon_yy__hh_mm_ffffff.txt and Norimaci_dd_Mon_yy__hh_mm_ffffff_timeline.csv).
7. Confirm reports with your favorite tools (e.g. text editors, grep, less, etc).

Help of scripts

norimaci.py

$ python3 ./norimaci.py -h

--===[ Norimaci v0.1.0
--===[ Minoru Kobayashi [@unkn0wnbit]
usage: norimaci.py [-h] [-m MONITOR] [-j JSON] [-bl OPENBSM_LOG] [-p PROCLIST]
[-ml MONITORAPP_LOG] [-o OUTPUT] [--force] [--debug]

Light weight sandbox which works with OpenBSM or Fireeye's Monitor.app

optional arguments:
  -h, --help            show this help message and exit
  -m MONITOR, --monitor MONITOR
                        Specify a program to monitor macOS activity. You can
                        choose 'openbsm' or 'monitorapp'.
  -j JSON, --json JSON  Path to a JSON file which is converted by
                        'openbsmconv.py' or 'monitorappconv.py'.
  -bl OPENBSM_LOG, --openbsm-log OPENBSM_LOG
                        Path to an OpenBSM log file.
  -p PROCLIST, --proclist PROCLIST
                        Path to a process list file to process OpenBSM log
                        file. A file which has ".proclist" extnsion would be
                        used, if this option is not specified.
  -ml MONITORAPP_LOG, --monitorapp-log MONITORAPP_LOG
                        Path to a Monitor.app data file.
  -o OUTPUT, --output OUTPUT
                        Path to an output directory.
  --force               Enable to overwrite output files.
  --debug               Enable debug mode.

openbsmconv.py

$ python3 ./openbsmconv.py -h
usage: openbsmconv.py [-h] [-f FILE] [-p PROCLIST] [-o OUT] [-c] [-rp]
[--with-failure] [--with-failure-socket] [--force]
[--debug]

Converts OpenBSM log file to JSON format.

optional arguments:
-h, --help show this help message and exit
33 viewsEH Community Feed, 12:58
2022-06-24 15:58:06 Norimaci - Simple And Lightweight Malware Analysis Sandbox For macOS
http://www.kitploit.com/2022/06/norimaci-simple-and-lightweight-malware.html
34 viewsEH Community Feed, 12:58