malicious-attachment-analysis-script to Timesketch with colab jupyter

Malspam Analysis csv to Timesketch

The great cocaman has released a new useful script to check IMAP accounts attachments for MalwareBazaar hits. He wrote about the script on his blog. The script generates a csv with timestamps. So for sure I wanted to check how easy it would be to get that data to Timesketch.

You can find his script on github: https://github.com/cocaman/analysis_scripts

If you edit it with your credentials and run it, you will end up with a csv with the following headers:

Date,Subject,Attachment,MD5 Hash,Malware

The date values however are really weird, so that is going to be fun as the sample file I got from cocaman had various formats, time zones and others in the column.

First step we open the csv in Google Sheets (my fav. csv parser) and do not let it parse any dates etc…

I removed one line where the date was “None” but of course spending a little more time could also solve that.

Download the csv again as csv.

Now lets move to colab for further stuff.

The process is pretty straightforward. Install google-colab and import the csv.

After formatting the date to be parsed and in a Timesketchable format, we can upload the pandas dataframe. The pandas dataframe looks like the following:

The resulting notebook is available on github.

Finally our result in Timesketch looks like the following:

Using INetSim to redirect a particular IP

Having a small set of systems for malware analysis is a must hve of course, I have most of my envirenment in different VMs but sometimes you need to access IPs in the normal office LAN.

Here is a setup-example before:

Notebook eth0 192.168.1.22
- Remnux (watcher)
---- eth0 NAT 10.0.3.3 <--- sitting in the "good network"
---- eth1 VM malnet 192.168.99.99
---- inetsim listening on 192.168.99.99 offering various services

- Windows victim system (malho)
---- eth0 VM malnet 192.168.99.98 default gw 192.168.99.99

That is pretty simple, if malware running on the "malho" system and trying to connect to anything, it get's catched by inetsim and packetsniffers.

But now the interesting aspect: e.g. if you have a system:

SSH server
---- eth0 192.168.1.33

That you want to access from malho (could be any other service as well)

Use the following inetsim settings:


#############################################################
# Redirect
#############################################################

#########################################
# redirect_enabled
#
# Turn connection redirection on or off.
#
# Syntax: redirect_enabled [yes|no]
#
# Default: no
#
redirect_enabled	yes


#########################################
# redirect_unknown_services
#
# Redirect connection attempts to unbound ports
# to dummy service
#
# Syntax: redirect_unknown_services [yes|no]
#
# Default: yes
#
redirect_unknown_services yes	


#########################################
# redirect_external_address
#
# IP address used as source address if INetSim
# acts as a router for redirecting packets to
# external networks.
# This option only takes effect if static rules
# for redirecting packets to external networks
# are defined (see 'redirect_static_rule' below).
#
# Syntax: redirect_external_address 
#
# Default: none
#
redirect_external_address  10.0.3.3

#########################################
# redirect_static_rule
#
# Static mappings for connection redirection.
# Note: Currently only protocols tcp, udp and icmp are supported.
#
# Syntax: redirect_static_rule tcp|udp       
#         redirect_static_rule tcp|udp           
#         redirect_static_rule tcp|udp <:port>                
#         redirect_static_rule tcp|udp <:port>                <:port>
#         redirect_static_rule icmp     
#         redirect_static_rule icmp              
#         redirect_static_rule icmp    <:icmp-type>           
#
# Default: none 
#
# Examples:
#
# WWW caching service
#redirect_static_rule	tcp             :8080			:80
#
# Submission [RFC4409]
#redirect_static_rule	tcp             :587			:25
#
# Echo-Request [RFC792]
#redirect_static_rule	icmp 10.10.10.20:echo-request	10.1.0.25
#
# Redirection based on IP address and/or port:
#redirect_static_rule	tcp	10.10.10.55:88  	 10.10.10.1:80
#redirect_static_rule	tcp	           :99  	192.168.1.1:25
#redirect_static_rule	tcp	10.10.10.20:    	 172.16.1.2:
redirect_static_rule tcp 192.168.1.33: 192.168.1.33:
redirect_static_rule icmp 192.168.1.33:echo-request 192.168.1.33

#########################################
# redirect_change_ttl
#
# Change the time-to-live header field to a random value
# in outgoing IP packets.
#
# Syntax: redirect_change_ttl [yes|no]
#
# Default: no
#
#redirect_change_ttl	yes


#########################################
# redirect_exclude_port
#
# Connections to  on this port
# are not redirected
#
# Syntax: redirect_exclude_port 
#
# Default: none
#
#redirect_exclude_port		tcp:22
#redirect_exclude_port		udp:111


#########################################
# redirect_ignore_bootp
#
# If set to 'yes', BOOTP (DHCP) broadcasts will not be redirected
# (UDP packets with source address 0.0.0.0, port 68 and
# destination address 255.255.255.255, port 67 or vice versa)
#
# Syntax: redirect_ignore_bootp [yes|no]
#
# Default: no
#
#redirect_ignore_bootp		yes


#########################################
# redirect_ignore_netbios
#
# If set to 'yes', NetBIOS broadcasts will not be redirected
# (UDP packets with source/destination port 137/138
# and destination address x.x.x.255 on the local network)
#
# Syntax: redirect_ignore_netbios [yes|no]
#
# Default: no
#
#redirect_ignore_netbios	yes


#########################################
# redirect_icmp_timestamp
#
# If set to 'ms', ICMP Timestamp requests will be answered
# with number of milliseconds since midnight UTC according
# to faketime.
# If set to 'sec', ICMP Timestamp requests will be answered
# with number of seconds since epoch (high order bit of the
# timestamp will be set to indicate non-standard value).
# Setting to 'no' disables manipulation of ICMP Timestamp
# requests.
#
# Syntax: redirect_icmp_timestamp [ms|sec|no]
#
# Default: ms
#
#redirect_icmp_timestamp	sec

--> you can now ping and ssh from malho to 192.168.1.

Another handy thing is you can also hide your local ip:

 redirect_static_rule icmp 1.2.3.4:echo-request 192.168.1.33

--> you can now ping and whatever from malho using 1.2.3.4 and the malho will not get the actual IP.

Upload kippo ssh honeypot files to viper

You want to store all your samples catched by your SSH-Kippo Honeypot to your malware repository operated with viper?

Go that way:
Start Viper API:

foo@bar ~/scripts/viper $ ./api.py -H 0.0.0.0 -p 8080

and upload all your samples to viper:

for i in /home/pi/kippo-read-only/dl/*; do curl -F file=@$i -F tags="honeypot" http://covert:8080/file/add; done 

Result:

{
    "message": "added"
}{
    "message": "added"
}

(you might want to modify the dir to your setup)
Why not automate uploading from kippo to viper?
– The „attacker“ might upload more then just malware / samples. You do not want to waste space in your malware zoo with another copy of netcat…