
Eric Hokanson

~ E's little space in cyberspace


Category Archives: Computer Security

The Power of Python

29 Saturday Mar 2014

Posted by Eric Hokanson in Computer Security, Hacking, Pen-testing, Python


Tags

Computer security, Hacking, Key-logger, Pen-testing, Python

I am often asked by CS students interested in a career in pen-testing what programming language they should learn, and whether there is one best suited for pen-testing.  My answer is Python — hands down.  It is a very easy language to learn and it is very powerful.  When a pen-tester in the field needs to whip up an automated tool, it is usually done in Python because it is fairly easy to code up working prototypes on the fly.  I will demonstrate by whipping up a Python key-logger in just a moment.

Another reason you should learn Python is that many pen-testing tools are written in Python.  So if you ever need to take an existing tool and extend its capability, you will have to understand the Python language.  Python is also available on many pen-testing platforms such as BackTrack and Kali Linux.

As I said, learning Python is very easy because it is a well documented programming language.  Almost everything you need to learn the language is available at python.org.  There are also very good tutorials available here and here.  Once you get the basics down, you will be amazed at the tools you can create.  Allow me to demonstrate with a simple Python key-logger:

First, a word of warning.  This key-logger only works on Windows machines and it will log every key stroke a user presses.  Please do not load this key-logger on anybody’s machine but your own.  This key-logger is for educational purposes only.  Besides, it is not very stealthy.

Next, you will need to install Python on your Windows machine.  You can download Python here.  I am using Python 2.7.6 for a Windows 7 64-bit machine.  Python 2.7.6 is pretty stable so I prefer it to versions 3.x.  Be sure you select the proper installer for your Windows machine (i.e. 32-bit or 64-bit).

After installing Python, you will need to install a library called pyHook.  pyHook is a wrapper for global input hooks in Windows; it wraps the Windows SetWindowsHookEx API.  You can get the installer matching your version of Python and your Windows architecture (32-bit or 64-bit) here.  Scroll all the way down until you get to the pyHook section.  For my machine, I installed the pyHook-1.5.1.win-amd64-py2.7.exe version.

After installing pyHook, fire up a command prompt (cmd.exe), cd into the C:\Python27 directory, and type ‘python’ at the prompt (without the quotes).  You should see:

[screenshot: the Python interactive prompt]

The three right angle brackets (>>>) are the Python prompt.  Type ‘import pyHook’ and press Enter.  You should see no errors if pyHook installed correctly:

[screenshot: importing pyHook at the prompt]

You are now good to go.  Fire up your favorite editor.  You could use notepad.exe, but it is much better to use an editor that recognizes Python syntax.  Notepad++ is a good one; my favorite is Vim.

Before coding up the key-logger, I visited the documentation page to learn how to use pyHook.  You should too.  Play with pyHook from the Python command shell to get a feel for what you can do with it; see if you can cobble your own key logger together before looking at my implementation.  If you need further hints, see this pyHook wiki.

Here is my implementation:

[screenshot: the key-logger source code]

That is it!  It only took about 20 lines of code!  That is the power of Python.  To run your key-logger, make sure you are in your Python directory (usually C:\Python27) and type the name of your key-logger (I named mine logger.py):

[screenshot: running logger.py]

Now open up another command prompt and type ‘dir’ and ‘whoami’.

[screenshot: the second command prompt]

Open up notepad and type anything you want:

[screenshot: typing in Notepad]

Once you are done, your logging file should contain every key you typed:

[screenshot: the resulting log file]

With a little reading and some practice, Python can help you become that evil genius you’ve always aspired to be.  That is the power of Python.
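The post notes that this key-logger is not stealthy, and the pattern it relies on (pyHook wrapping SetWindowsHookEx) is easy to spot in source.  As an added example that is not the post's own code, here is a small static scanner from the defender's side that flags Python sources using that input-hook pattern.  The HookManager, HookKeyboard, KeyDown and PumpMessages names are assumed from the public pyHook and pywin32 APIs; the sample sources are constructed for the run.

```python
import re
from typing import Dict

# Indicator patterns.  pyHook and SetWindowsHookEx are named in the post;
# HookManager / HookKeyboard / KeyDown / PumpMessages are assumed from the
# public pyHook and pywin32 APIs.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "pyhook_import": re.compile(r"^\s*(?:import\s+pyHook|from\s+pyHook\s+import)", re.M),
    "hook_manager": re.compile(r"\bHookManager\s*\("),
    "keyboard_hook": re.compile(r"\.HookKeyboard\s*\("),
    "key_handler": re.compile(r"\.KeyDown\s*=\s*\w+"),
    "raw_hook_api": re.compile(r"\bSetWindowsHookEx[AW]?\b"),
    "message_pump": re.compile(r"\bPumpMessages\s*\("),
    "writes_file": re.compile(r"\bopen\s*\([^)]*['\"][aw]b?['\"]"),
}

def find_indicators(source: str) -> Dict[str, bool]:
    """Report which indicators fire for one Python source string."""
    return {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}

def classify(source: str) -> str:
    """Three-level verdict so a bare pyHook import is not a false positive."""
    hits = find_indicators(source)
    installs_hook = (hits["hook_manager"] and hits["keyboard_hook"]) or hits["raw_hook_api"]
    if installs_hook and hits["key_handler"] and hits["writes_file"]:
        return "keylogger-like"   # hooks keys, handles them, persists to disk
    if installs_hook or hits["pyhook_import"]:
        return "uses-input-hook"  # worth a look, e.g. a hotkey utility
    return "clean"

# Constructed sample sources (not real files); handler body deliberately omitted.
SAMPLE_LOGGER = '''import pyHook, pythoncom
def on_key(event):
    ...
hm = pyHook.HookManager()
hm.KeyDown = on_key
hm.HookKeyboard()
out = open("log.txt", "a")
pythoncom.PumpMessages()
'''
SAMPLE_HOTKEY_TOOL = '''import pyHook
hm = pyHook.HookManager()
hm.HookKeyboard()
'''
SAMPLE_CLEAN = '''import os
for name in os.listdir("."):
    print(name)
'''

if __name__ == "__main__":
    for label, src in (("logger", SAMPLE_LOGGER), ("hotkey", SAMPLE_HOTKEY_TOOL), ("clean", SAMPLE_CLEAN)):
        print(label, classify(src), find_indicators(src))
```

Point the scanner at a directory of .py files (for example, everything under C:\Python27 that a user dropped there) to get a quick triage list before opening anything in an editor.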


A Malware Analyst’s Bookshelf

02 Thursday Jan 2014

Posted by Eric Hokanson in Computer Security, Cyber Security Research, Malware RE


Tags

Gary McGraw, Greg Hoglund, Malware, Malware Analysis, Malware Analysis Sources, Microsoft Windows, OllyDbg, Reverse Engineering, Static program analysis

I am often asked by those wishing to pursue a career as a malware analyst what references are useful for learning, and continuing to learn, the art and craft of malware analysis.  Here is a list of resources that I find useful:

1.  The Art of Computer Virus Research and Defense by Peter Szor (TAOCVRD).  This is the book that introduced me to malware research.  It could use some updating, but sadly, the author recently passed away.  On the other hand, with the popularity of Android malware, what is old is new again.  Many Android malware samples are doing what the old Windows malware used to do in the early days.

TAOCVRD covers the different malware types, the armoring and self-protection strategies they employ, and the common detection techniques, and the last chapter is a useful guide to setting up your own malware analysis lab.  Again, it is a bit outdated because many of the tools we use today were not widely available when this book was originally published.  However, many of the analysis techniques are still relevant today.

2.  Practical Malware Analysis by Michael Sikorski and Andrew Honig (PMA).  An introductory tour of malware analysis and reverse engineering techniques.  The hands-on labs reinforce the skills covered in each chapter.  Each lab has a set of “malware”-like samples (download them from the book’s website).  Introductory chapters cover x86 assembly and the common instructions you will encounter, as well as how to use common tools such as OllyDbg and IDA Pro.

3.  One of the most powerful tools for static analysis, which I mentioned in (2), is IDA Pro.  But it has a steep learning curve.  The IDA Pro Book by Chris Eagle is about the only practical user’s guide available.  Whenever I need to learn something new in IDA, or how to write a plugin, I consult this book.

4.  Exploiting Software: How to Break Code by Greg Hoglund and Gary McGraw.  This book shows the common software programming errors and exploitation patterns.  Usually, I will start looking for these patterns in the malware samples I am analyzing to help guide my investigations; knowing these patterns can reveal what the malware may be targeting.

5.  Reversing: Secrets of Reverse Engineering by Eldad Eilam.  This too is a little outdated, but it is the best introduction into the art of RE that I have found so far.  It covers the common tools used, the basics of assembly and x86 architecture, basic Windows internals, and even has a chapter on reversing malware.

This list is by no means exhaustive.  I am sure I am overlooking other good sources and would be happy to hear what other analysts routinely consult.  I am always looking to expand my library.

Related articles
  • How To Get Started with Malware Analysis.
  • An Overview of Becoming a Malware Analyst.

Holy 1984 Batman!

01 Sunday Dec 2013

Posted by Eric Hokanson in Computer Security, Cyber Security Research, Hacking


Tags

George Orwell, Hacking, TV

I warned years ago that hooking everything up to the Internet was a bad idea.  Your TV can now watch you!  Too bad you can’t break for commercials every 10 minutes like your TV does.  Here is another article on the subject.

This is what people can do with the new smart TV you are buying for Christmas.  I shudder to think what can be done to medical devices that talk over wireless networks.  I am not sure what can be done about the problem.  People love the convenience of controlling their home’s thermostat or security system remotely, from the Internet.  And the bad guys love that convenience, too.  “Internet of things” security is a hot and growing research area, so we will be reading a lot more about the problem.

To publish or not to publish

Often, I am confronted by people about publishing vulnerabilities.  “Why would you bring this to the attention of the hackers?”, they say.  The truth is, if someone like me can find the problem, then any reasonably intelligent and curious person can also find the problem.  It is very likely that there are others who are aware of the vulnerabilities, and this would include the hacker community.  More of our appliances contain computer chips that run light-weight versions of the Linux operating system and open source software.  Anybody can get access to the source code, and all code contains bugs and vulnerabilities.  It doesn’t matter who wrote the software, or how smart they are: mistakes get made, and others will find those mistakes and exploit them if they can.

Other scientific professions have suffered from similar dilemmas.  Physicists working on the Manhattan Project, for example, often had to come to terms with the prospect of advancing human knowledge and having that knowledge lead to human destruction.  Wasn’t there a story somewhere about a Buddhist priest who once said: “The good news is: all humans possess the keys to heaven.  The bad news: those same keys also open the gates of hell.”?

I believe it is better to publish the technical vulnerabilities, to be aware of them so that many bright minds can come together and fix the problems.  And it helps alert the defenders to look out for them.  I remember watching the “Super Friends” as a kid.  In one episode, Robin was complaining about the inherent dangers of scientific discoveries and how easy it can be for people like Lex Luthor to use them for evil.  Batman replied: “… Technology is neither good nor evil.  It is the mind behind it that determines its use.”

And they say Batman has no real super powers.  He has a super intellect.  I know.  It’s not as sexy as having a chest you can bounce bullets off of.  Or a new smart TV that you can hook directly up to the Internet.
