Forensic Blogs

An aggregator for digital forensics blogs

December 6, 2020 by Didier Stevens

Quickpost: finger.exe

Windows 10 comes with the finger command, an ancient computer network tool.

You can still use it to look up weather information, for example 🙂

It establishes a TCP connection to the hostname/IP address after the @ character, using destination port 79. It then sends the text before the @ character, ASCII-encoded and terminated with carriage return & line feed (CR LF).

After that, it reads the reply, displays it, and closes the TCP connection.

finger.exe is not proxy-aware.

Port 79 is not hardcoded as an integer in finger.exe: the port is identified by the service name “finger” (UNICODE), which is looked up in the services list (%SystemRoot%\system32\drivers\etc\services). GetAddrInfo performs this lookup.

If you replace “finger” with “http\x00\x00” (UNICODE) in finger.exe (via binary patching, a shim, …), the finger command will connect to port 80 instead. The two NUL characters keep the UTF-16 string the same length as “finger”, so nothing else in the binary has to move.
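The exchange described above, as an added example that is not code from the original post or from finger.exe: a minimal finger client that resolves the port through the OS services database (the same lookup the binary patch hijacks), sends the text before the @ as an ASCII line terminated with CR LF, reads until the server closes, and a one-shot loopback server so the whole thing runs offline. The server, its responses and the user names are constructed for the demo.

```python
"""Added example (not from the original post): a finger client built the way
the post describes finger.exe behaving, plus a constructed loopback server."""
import socket
import threading


def service_port(name, default):
    """Resolve a TCP service name via the OS services database
    (/etc/services on Unix, %SystemRoot%\\system32\\drivers\\etc\\services on
    Windows); this is the lookup finger.exe delegates to GetAddrInfo.
    Falls back to `default` if the database lacks the entry."""
    try:
        return socket.getservbyname(name, "tcp")
    except OSError:
        return default


def split_query(arg):
    """'user@host' -> ('user', 'host'); '@host' -> ('', 'host').
    The LAST '@' selects the host, so 'user@h1@h2' asks h2 about 'user@h1'
    (RFC 1288 query forwarding)."""
    query, sep, host = arg.rpartition("@")
    if not sep:
        raise ValueError("finger argument needs a hostname after '@'")
    return query, host


def build_request(query):
    """The text before '@', ASCII-encoded, terminated by CR LF."""
    return query.encode("ascii") + b"\r\n"


def finger(arg, port=None, timeout=5.0):
    """Connect to host:port, send the request, read the reply until the
    peer closes the connection, then close our side."""
    query, host = split_query(arg)
    if port is None:
        port = service_port("finger", 79)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(query))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


# Constructed sample data: replies keyed by the query line the server receives.
RESPONSES = {
    "": "Login  Name      TTY\r\nalice  Alice A.  pts/0\r\n",
    "alice": "Login: alice\r\nName: Alice A.\r\n",
}


def serve_once(port=0):
    """Start a one-shot finger server on 127.0.0.1; return the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            line = b""
            while not line.endswith(b"\r\n"):      # request ends at CR LF
                chunk = conn.recv(1024)
                if not chunk:
                    break
                line += chunk
            query = line.rstrip(b"\r\n").decode("ascii", errors="replace")
            reply = RESPONSES.get(query, f"{query}: no such user\r\n")
            conn.sendall(reply.encode("ascii"))
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Query the constructed server for 'alice' and return its reply."""
    return finger("alice@127.0.0.1", port=serve_once())


if __name__ == "__main__":
    print(demo())
```

Passing `port=service_port("http", 80)` to `finger()` reproduces the effect of the binary patch: same request, same CR LF, just a different name handed to the services lookup.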

As noted by many, finger.exe can be (ab)used to exchange information and files. Here I had my own go at it with finger.exe & Excel.


Quickpost info

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: Hacking, Networking, Quickpost

July 11, 2020 by Didier Stevens

Quickpost: curl

Since I learned that Windows 10 has curl pre-installed now, I notice I use it more often.

Here are some quick notes, mainly for myself:


Using Tor:

curl --socks5-hostname 127.0.0.1:9050 http://didierstevens.com

Option --socks5-hostname uses the SOCKS5 protocol and hands the hostname to the proxy for resolution (and not local DNS). With plain --socks5, curl resolves the name itself first, so the DNS query leaves the machine outside the Tor circuit.
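What the two SOCKS5 modes put on the wire, as an added example that is not part of the original post and not curl's code: the CONNECT request per RFC 1928 with ATYP 0x01 (client already resolved the name, as with --socks5) beside ATYP 0x03 (hostname sent as-is, as with --socks5-hostname), plus the proxy-side decoder that shows what Tor would see in each case. The resolver, hostname and IP address are constructed; the fake resolver stands in for the local DNS lookup.

```python
"""Added example (not from the original post): RFC 1928 CONNECT requests as
curl --socks5 vs --socks5-hostname would build them, and the proxy-side view."""
import ipaddress
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00


def greeting(methods=(NO_AUTH,)):
    """Client hello: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VER, len(methods), *methods])


def connect_request(dest, port, resolve_locally, resolver=None):
    """Build a SOCKS5 CONNECT request.
    resolve_locally=True  mimics `curl --socks5`: the client resolves `dest`
                          (via `resolver`, a stand-in for local DNS) and sends
                          the literal address (ATYP 0x01 / 0x04).
    resolve_locally=False mimics `curl --socks5-hostname`: the name is sent
                          unresolved (ATYP 0x03) and the proxy resolves it."""
    if resolve_locally:
        if resolver is not None:
            dest = resolver(dest)              # the DNS leak happens here
        addr = ipaddress.ip_address(dest)
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        body = bytes([atyp]) + addr.packed
    else:
        name = dest.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_request(req):
    """Proxy-side decode of VER/CMD/RSV/ATYP/DST.ADDR/DST.PORT.
    Returns (atyp, destination as text, port)."""
    ver, cmd, rsv, atyp = req[:4]
    if ver != SOCKS_VER or cmd != CMD_CONNECT or rsv != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        dest, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        dest, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dest, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("bad length: trailing bytes or short DST.PORT")
    return atyp, dest, struct.unpack("!H", rest)[0]


def dns_leak_demo():
    """Encode one destination both ways; return what the proxy sees for each
    and which names the *client* had to resolve itself."""
    resolved_by_client = []

    def fake_resolver(name):                   # stands in for the local DNS
        resolved_by_client.append(name)
        return "203.0.113.10"                  # constructed (TEST-NET-3)

    socks5 = connect_request("didierstevens.com", 443, True, fake_resolver)
    socks5h = connect_request("didierstevens.com", 443, False)
    return (parse_connect_request(socks5), parse_connect_request(socks5h),
            resolved_by_client)


if __name__ == "__main__":
    for view in dns_leak_demo():
        print(view)
```

Only the --socks5-hostname request carries the name to the proxy; in the --socks5 path the hostname never reaches the proxy at all, because the resolver ran before the request was built.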


Removing the User-Agent header:

curl --header "User-Agent:" http://didierstevens.com

Option --header (-H) can also be used to remove a header: provide the header name followed by a colon and no value. (A name followed by a semicolon, e.g. "X-Custom;", does the opposite: it sends the header with an empty value.)


Using a custom User-Agent header (-A, --user-agent):

curl --user-agent "Mozilla/5.0 DidierStevens" http://didierstevens.com


Saving received data:

curl --dump-header 01.headers --output 01.bin.vir --trace 01.trace --trace-time http://didierstevens.com

Option --dump-header (-D) saves the headers, option --output (-o) saves the body, --trace creates a trace file (full hex dump of everything sent and received) and --trace-time adds timestamps to the trace file.


Option to ignore certificate errors: -k, --insecure. This disables TLS certificate verification entirely, so use it deliberately (e.g. when pulling from infrastructure with a self-signed or mismatched certificate), not as a default.


Putting it all together:

curl --socks5-hostname 127.0.0.1:9050 --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" --insecure --dump-header 01.headers --output 01.data --trace 01.trace --trace-time https://didierstevens.com


Quickpost info

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: Networking, Quickpost

May 30, 2020 by Didier Stevens

New Tool: simple_ip_stats.py

Some time ago, I created a tool to calculate the entropy of TCP data for a colleague. And a bit later, he asked me for a tool for UDP.

I have now merged these 2 tools, and added support for other protocols transported by IPv4 and IPv6. And I will no longer maintain simple_tcp_stats.py and simple_udp_stats.py.

This new tool simple_ip_stats.py is a Python program that reads pcap files and produces simple statistics for each IP connection per protocol.

For the moment, it calculates the entropy of the data (without packet reassembly) of each connection (both directions, reported as separate rows) and writes this to a CSV file:

Protocol;ConnectionID;head;Size;Entropy
TCP;96.126.103.196:80-192.168.10.10:50236;'HTTP';493;6.73520107812
TCP;192.168.10.10:50236-96.126.103.196:80;'GET ';364;5.42858024035
TCP;192.168.10.10:50235-96.126.103.196:80;'GET ';426;5.46464090792
UDP;192.168.10.10:56372-239.255.255.250:1900;'M-SE';173;5.35104059717
TCP;96.126.103.196:80-192.168.10.10:50235;'HTTP';3308;6.06151478505
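The core of what the tool does, as an added example written from scratch (this is not simple_ip_stats.py itself): walk a classic pcap, key every IPv4 TCP/UDP packet by its direction (src:port-dst:port), concatenate the payloads without any reassembly, keep the first four bytes as the head, and print per-direction Shannon entropy in the same CSV layout as above. The capture is constructed in memory from hand-built frames (checksums zeroed), so the addresses and payloads are sample data, not a real trace.

```python
"""Added example (not the simple_ip_stats.py tool): per-direction payload
entropy over a classic pcap, with a constructed in-memory capture."""
import math
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO = {6: "TCP", 17: "UDP"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def iter_pcap(blob):
    """Yield raw frames from a little-endian classic (non-pcapng) pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(blob):
        _, _, incl, _ = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield blob[off:off + incl]
        off += incl


def ip_stats(blob):
    """Aggregate payload bytes and head per (protocol, direction)."""
    flows = defaultdict(lambda: {"head": b"", "data": bytearray()})
    for frame in iter_pcap(blob):
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
        if proto not in PROTO:
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", l4, 0)
        hdr = (l4[12] >> 4) * 4 if proto == 6 else 8     # TCP data offset / UDP fixed
        payload = l4[hdr:]
        if not payload:
            continue                                     # pure ACKs carry no data
        entry = flows[(PROTO[proto], f"{src}:{sport}-{dst}:{dport}")]
        if not entry["head"]:
            entry["head"] = bytes(payload[:4])
        entry["data"] += payload
    return flows


def to_csv(flows):
    lines = ["Protocol;ConnectionID;head;Size;Entropy"]
    for (proto, cid), e in flows.items():
        head = e["head"].decode("latin-1")
        lines.append(f"{proto};{cid};{head!r};{len(e['data'])};{shannon_entropy(e['data']):.11f}")
    return "\n".join(lines)


def make_frame(proto, src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame; checksums left at zero."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap([  # constructed traffic, not a real capture
    make_frame(6, "192.168.10.10", 50236, "96.126.103.196", 80, b"GET / HTTP/1.1\r\n"),
    make_frame(6, "96.126.103.196", 80, "192.168.10.10", 50236, b"HTTP/1.1 200 OK\r\n"),
    make_frame(6, "96.126.103.196", 80, "192.168.10.10", 50236, bytes(range(256))),
    make_frame(17, "192.168.10.10", 56372, "239.255.255.250", 1900, b"M-SEARCH * HTTP/1.1\r\n"),
    make_frame(6, "192.168.10.10", 50237, "96.126.103.196", 80, b""),  # pure ACK
])

if __name__ == "__main__":
    print(to_csv(ip_stats(SAMPLE_PCAP)))
```

Because payloads are concatenated in arrival order without reassembly, retransmitted or out-of-order segments are counted as they appear, which is also how the tool's numbers should be read; high entropy on a port where the head says 'HTTP' or 'GET ' is the kind of mismatch worth a second look.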

simple_ip_stats_V0_0_1.zip (https)
MD5: 0482F3667E4EE6444350D9B0A146F764
SHA256: 480DCF2C82030EF996A6C1C3FEFCAAB77C000EC72DECA91329298C9BCC578BAD

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: My Software, Networking


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)