2012
01.25

I saw this list posted by mubix the other day and figured I would run it through Pipal.

Generating stats, hit CTRL-C to finish early and dump stats on words already processed.
Please wait...
Processing:    100% |oooooooooooooooooooooooooooooooooooooooooo| Time: 04:56:52

Total entries = 2151241
Total unique entries = 2150838

Top 10 passwords
# = 6 (0.0%)
Priscilla = 2 (0.0%)
Pp123456 = 2 (0.0%)
1234567G = 2 (0.0%)
P@$$w0rd = 2 (0.0%)
WWWWWWWWWW = 2 (0.0%)
mark2010 = 2 (0.0%)
Director = 2 (0.0%)
lms123456 = 2 (0.0%)
Skittles = 2 (0.0%)

Top 10 base words
love = 1446 (0.07%)
admin = 1060 (0.05%)
wang = 1043 (0.05%)
zhang = 870 (0.04%)
chen = 777 (0.04%)
abcd = 757 (0.04%)
yang = 605 (0.03%)
alex = 576 (0.03%)
password = 549 (0.03%)
woaini = 471 (0.02%)

Password length (length ordered)
1 = 72 (0.0%)
2 = 793 (0.04%)
3 = 3869 (0.18%)
4 = 20497 (0.95%)
5 = 53054 (2.47%)
6 = 315809 (14.68%)
7 = 266296 (12.38%)
8 = 621915 (28.91%)
9 = 327319 (15.22%)
10 = 270726 (12.58%)
11 = 125482 (5.83%)
12 = 77372 (3.6%)
13 = 30023 (1.4%)
14 = 20539 (0.95%)
15 = 10487 (0.49%)
16 = 4446 (0.21%)
17 = 847 (0.04%)
18 = 599 (0.03%)
19 = 278 (0.01%)
20 = 332 (0.02%)
21 = 107 (0.0%)
22 = 105 (0.0%)
23 = 58 (0.0%)
24 = 74 (0.0%)
25 = 30 (0.0%)
26 = 42 (0.0%)
27 = 32 (0.0%)
28 = 33 (0.0%)
29 = 25 (0.0%)
34 = 2 (0.0%)
36 = 2 (0.0%)
54 = 3 (0.0%)
58 = 2 (0.0%)
73 = 3 (0.0%)
74 = 2 (0.0%)
76 = 2 (0.0%)

Password length (count ordered)
8 = 621915 (28.91%)
9 = 327319 (15.22%)
6 = 315809 (14.68%)
10 = 270726 (12.58%)
7 = 266296 (12.38%)
11 = 125482 (5.83%)
12 = 77372 (3.6%)
5 = 53054 (2.47%)
13 = 30023 (1.4%)
14 = 20539 (0.95%)
4 = 20497 (0.95%)
15 = 10487 (0.49%)
16 = 4446 (0.21%)
3 = 3869 (0.18%)
17 = 847 (0.04%)
2 = 793 (0.04%)
18 = 599 (0.03%)
20 = 332 (0.02%)
19 = 278 (0.01%)
21 = 107 (0.0%)
22 = 105 (0.0%)
24 = 74 (0.0%)
1 = 72 (0.0%)
23 = 58 (0.0%)
26 = 42 (0.0%)
28 = 33 (0.0%)
27 = 32 (0.0%)
25 = 30 (0.0%)
29 = 25 (0.0%)
54 = 3 (0.0%)
73 = 3 (0.0%)
76 = 2 (0.0%)
58 = 2 (0.0%)
74 = 2 (0.0%)
34 = 2 (0.0%)
36 = 2 (0.0%)

        |
        |
        |
        |
        |
        |
        |
      | ||
      | ||
      |||||
      |||||
      |||||
      ||||||
      ||||||
     ||||||||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
000000000011111111112222222222333333333344444444445555555555666666666677
012345678901234567890123456789012345678901234567890123456789012345678901

One to six characters = 394088 (18.32%)
One to eight characters = 1282297 (59.61%)
More than eight characters = 868944 (40.39%)

Only lowercase alpha = 512685 (23.83%)
Only uppercase alpha = 16079 (0.75%)
Only alpha = 528764 (24.58%)
Only numeric = 499600 (23.22%)

First capital last symbol = 3825 (0.18%)
First capital last number = 75962 (3.53%)

Months
january = 69 (0.0%)
february = 28 (0.0%)
march = 261 (0.01%)
april = 406 (0.02%)
may = 1908 (0.09%)
june = 422 (0.02%)
july = 316 (0.01%)
august = 228 (0.01%)
september = 90 (0.0%)
october = 112 (0.01%)
november = 113 (0.01%)
december = 106 (0.0%)

Days
monday = 73 (0.0%)
tuesday = 23 (0.0%)
wednesday = 13 (0.0%)
thursday = 10 (0.0%)
friday = 59 (0.0%)
saturday = 9 (0.0%)
sunday = 64 (0.0%)

Months (Abreviated)
jan = 3762 (0.17%)
feb = 461 (0.02%)
mar = 14583 (0.68%)
apr = 1131 (0.05%)
may = 1908 (0.09%)
jun = 4576 (0.21%)
jul = 2009 (0.09%)
aug = 840 (0.04%)
sept = 302 (0.01%)
oct = 670 (0.03%)
nov = 1444 (0.07%)
dec = 1231 (0.06%)

Days (Abreviated)
mon = 8174 (0.38%)
tues = 33 (0.0%)
wed = 530 (0.02%)
thurs = 23 (0.0%)
fri = 1408 (0.07%)
sat = 1431 (0.07%)
sun = 4396 (0.2%)

Includes years
1975 = 1847 (0.09%)
1976 = 1883 (0.09%)
1977 = 2006 (0.09%)
1978 = 2309 (0.11%)
1979 = 2336 (0.11%)
1980 = 2979 (0.14%)
1981 = 3327 (0.15%)
1982 = 4125 (0.19%)
1983 = 4220 (0.2%)
1984 = 4734 (0.22%)
1985 = 5076 (0.24%)
1986 = 6545 (0.3%)
1987 = 8245 (0.38%)
1988 = 7970 (0.37%)
1989 = 7581 (0.35%)
1990 = 4814 (0.22%)
1991 = 3453 (0.16%)
1992 = 2772 (0.13%)
1993 = 2457 (0.11%)
1994 = 2340 (0.11%)
1995 = 2139 (0.1%)
1996 = 1865 (0.09%)
1997 = 1543 (0.07%)
1998 = 1383 (0.06%)
1999 = 1377 (0.06%)
2000 = 4194 (0.19%)
2001 = 2769 (0.13%)
2002 = 2798 (0.13%)
2003 = 2734 (0.13%)
2004 = 2777 (0.13%)
2005 = 3223 (0.15%)
2006 = 3602 (0.17%)
2007 = 3958 (0.18%)
2008 = 5830 (0.27%)
2009 = 4819 (0.22%)
2010 = 6085 (0.28%)
2011 = 1502 (0.07%)
2012 = 1604 (0.07%)
2013 = 3385 (0.16%)
2014 = 508 (0.02%)
2015 = 589 (0.03%)
2016 = 491 (0.02%)
2017 = 404 (0.02%)
2018 = 448 (0.02%)
2019 = 675 (0.03%)
2020 = 1320 (0.06%)

Years (Top 10)
1987 = 8245 (0.38%)
1988 = 7970 (0.37%)
1989 = 7581 (0.35%)
1986 = 6545 (0.3%)
2010 = 6085 (0.28%)
2008 = 5830 (0.27%)
1985 = 5076 (0.24%)
2009 = 4819 (0.22%)
1990 = 4814 (0.22%)
1984 = 4734 (0.22%)

Single digit on the end = 133740 (6.22%)
Two digits on the end = 203255 (9.45%)
Three digits on the end = 126930 (5.9%)

Last number
0 = 143953 (6.69%)
1 = 181461 (8.44%)
2 = 126631 (5.89%)
3 = 148494 (6.9%)
4 = 108461 (5.04%)
5 = 110222 (5.12%)
6 = 114095 (5.3%)
7 = 108722 (5.05%)
8 = 121007 (5.62%)
9 = 115755 (5.38%)

 |
 |
 | |
|| |
||||
||||  | ||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
0123456789

Last digit
1 = 181461 (8.44%)
3 = 148494 (6.9%)
0 = 143953 (6.69%)
2 = 126631 (5.89%)
8 = 121007 (5.62%)
9 = 115755 (5.38%)
6 = 114095 (5.3%)
5 = 110222 (5.12%)
7 = 108722 (5.05%)
4 = 108461 (5.04%)

Last 2 digits (Top 10)
23 = 50989 (2.37%)
00 = 32443 (1.51%)
11 = 28856 (1.34%)
12 = 28073 (1.3%)
10 = 26135 (1.21%)
21 = 24646 (1.15%)
01 = 23783 (1.11%)
20 = 21820 (1.01%)
88 = 21736 (1.01%)
14 = 19692 (0.92%)

Last 3 digits (Top 10)
123 = 36112 (1.68%)
000 = 10451 (0.49%)
456 = 9204 (0.43%)
234 = 7357 (0.34%)
520 = 7129 (0.33%)
007 = 6616 (0.31%)
314 = 6586 (0.31%)
010 = 6149 (0.29%)
111 = 5621 (0.26%)
321 = 5134 (0.24%)

Last 4 digits (Top 10)
3456 = 6967 (0.32%)
1234 = 6363 (0.3%)
1314 = 5497 (0.26%)
2010 = 4058 (0.19%)
2008 = 3714 (0.17%)
0000 = 3555 (0.17%)
2009 = 3457 (0.16%)
2345 = 3198 (0.15%)
2000 = 2654 (0.12%)
1987 = 2588 (0.12%)

Last 5 digits (Top 10)
23456 = 6748 (0.31%)
12345 = 3003 (0.14%)
01314 = 1900 (0.09%)
56789 = 1339 (0.06%)
00000 = 1218 (0.06%)
23123 = 1003 (0.05%)
11111 = 991 (0.05%)
54321 = 700 (0.03%)
14520 = 643 (0.03%)
88888 = 638 (0.03%)

Character sets
loweralphanum: 880710 (40.94%)
loweralpha: 512685 (23.83%)
numeric: 499600 (23.22%)
mixedalphanum: 112574 (5.23%)
mixedalpha: 33534 (1.56%)
upperalphanum: 29254 (1.36%)
loweralphaspecialnum: 28026 (1.3%)
upperalpha: 16079 (0.75%)
loweralphaspecial: 15719 (0.73%)
mixedalphaspecialnum: 7213 (0.34%)
specialnum: 6552 (0.3%)
mixedalphaspecial: 2572 (0.12%)
upperalphaspecialnum: 2049 (0.1%)
upperalphaspecial: 862 (0.04%)
special: 496 (0.02%)

Character set ordering
stringdigit: 658941 (30.63%)
allstring: 562298 (26.14%)
alldigit: 499600 (23.22%)
othermask: 154449 (7.18%)
digitstring: 108929 (5.06%)
stringdigitstring: 100925 (4.69%)
digitstringdigit: 36324 (1.69%)
stringspecialdigit: 11910 (0.55%)
stringspecialstring: 9290 (0.43%)
stringspecial: 5877 (0.27%)
specialstringspecial: 1177 (0.05%)
specialstring: 1025 (0.05%)
allspecial: 496 (0.02%)

Hashcat masks (Top 10)
?d?d?d?d?d?d?d?d: 137829 (6.41%)
?l?l?l?l?l?l?l?l: 116129 (5.4%)
?d?d?d?d?d?d: 113505 (5.28%)
?l?l?l?l?l?l: 88568 (4.12%)
?l?l?l?l?l?l?l?l?l: 78589 (3.65%)
?l?l?l?l?l?l?l: 74372 (3.46%)
?d?d?d?d?d?d?d: 62111 (2.89%)
?l?l?l?l?l?l?l?l?l?l: 58968 (2.74%)
?l?l?l?l?l?l?d?d: 56796 (2.64%)
?d?d?d?d?d?d?d?d?d?d: 52756 (2.45%)
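For anyone who wants to reproduce a few of the sections above on their own list, here is an added example of how Pipal derives them; it is not Pipal's code and not part of the original post. It reimplements the length split, the "Character sets" and "Character set ordering" labels, the hashcat masks, the year and last-digit counts, and prints them in the same "item = count (percent)" layout. The sample list is constructed for a stand-alone run, not taken from the dump; the year check is simplified to any 19xx/20xx substring rather than Pipal's literal 1975-2020 range.

```python
#!/usr/bin/env python3
"""Pipal-style password statistics (added example; this is not Pipal's code)."""
import re
import string
import sys
from collections import Counter

# Constructed sample list for a stand-alone run; not entries from the dump above.
SAMPLE = [
    "password", "12345678", "Priscilla", "P@$$w0rd", "love1987",
    "admin123", "zhang2010", "WWWWWWWWWW", "abcd1234", "mark2010",
    "qwerty", "woaini1314", "#", "Skittles", "123456", "1qaz!QAZ",
]

# Pipal's "Character set ordering" labels; any other run pattern is "othermask".
ALL_RUNS = {"string": "allstring", "digit": "alldigit", "special": "allspecial"}
KNOWN_ORDERINGS = {
    "stringdigit", "digitstring", "stringdigitstring", "digitstringdigit",
    "stringspecialdigit", "stringspecialstring", "stringspecial",
    "specialstringspecial", "specialstring",
}


def char_class(ch):
    """hashcat charset for one character: ?l lower, ?u upper, ?d digit, ?s anything else."""
    if ch in string.ascii_lowercase:
        return "?l"
    if ch in string.ascii_uppercase:
        return "?u"
    if ch in string.digits:
        return "?d"
    return "?s"


def hashcat_mask(pw):
    """Mask usable with hashcat -a 3, e.g. love1987 -> ?l?l?l?l?d?d?d?d."""
    return "".join(char_class(c) for c in pw)


def charset(pw):
    """Pipal "Character sets" label, e.g. loweralphanum or mixedalphaspecialnum."""
    classes = {char_class(c) for c in pw}
    alpha = classes & {"?l", "?u"}
    if alpha == {"?l"}:
        name = "loweralpha"
    elif alpha == {"?u"}:
        name = "upperalpha"
    else:
        name = "mixedalpha" if alpha else ""
    if "?s" in classes:
        name += "special"
    if "?d" in classes:
        name += "num" if name else "numeric"
    return name


def ordering(pw):
    """Pipal "Character set ordering": the sequence of string/digit/special runs."""
    kinds = {"?l": "string", "?u": "string", "?d": "digit", "?s": "special"}
    runs = []
    for c in pw:
        kind = kinds[char_class(c)]
        if not runs or runs[-1] != kind:
            runs.append(kind)
    pattern = "".join(runs)
    if len(runs) == 1:
        return ALL_RUNS[pattern]
    return pattern if pattern in KNOWN_ORDERINGS else "othermask"


def stats(words):
    """Counts corresponding to the headings in the Pipal report."""
    lengths = Counter(len(w) for w in words)
    return {
        "total": len(words),
        "unique": len(set(words)),
        "lengths": lengths,
        "one_to_six": sum(n for l, n in lengths.items() if l <= 6),
        "one_to_eight": sum(n for l, n in lengths.items() if l <= 8),
        "more_than_eight": sum(n for l, n in lengths.items() if l > 8),
        "charsets": Counter(charset(w) for w in words),
        "orderings": Counter(ordering(w) for w in words),
        "masks": Counter(hashcat_mask(w) for w in words),
        # Simplification: any 19xx/20xx substring counts as a year.
        "years": Counter(y for w in words for y in re.findall(r"(?:19|20)\d\d", w)),
        "last_digit": Counter(w[-1] for w in words if w and w[-1].isdigit()),
    }


def report(words):
    """Render the counts in Pipal's "item = count (percent)" layout."""
    s = stats(words)
    total = s["total"] or 1
    lines = ["Total entries = %d" % s["total"],
             "Total unique entries = %d" % s["unique"], ""]
    for title, counter in (("Password length (count ordered)", s["lengths"]),
                           ("Years (Top 10)", s["years"]),
                           ("Last digit", s["last_digit"]),
                           ("Character sets", s["charsets"]),
                           ("Character set ordering", s["orderings"]),
                           ("Hashcat masks (Top 10)", s["masks"])):
        lines.append(title)
        for item, n in counter.most_common(10):
            lines.append("%s = %d (%.2f%%)" % (item, n, 100.0 * n / total))
        lines.append("")
    lines.append("One to six characters = %d" % s["one_to_six"])
    lines.append("One to eight characters = %d" % s["one_to_eight"])
    lines.append("More than eight characters = %d" % s["more_than_eight"])
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # one password per line; latin-1 never fails to decode
        with open(sys.argv[1], encoding="latin-1") as fh:
            words = [l.rstrip("\r\n") for l in fh if l.strip()]
    else:
        words = SAMPLE
    print(report(words))
```

Run it as `python3 pipalish.py wordlist.txt` to get the same headings as above for your own list; without an argument it reports on the constructed sample.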


Just thought I would share…

2012
01.25

This continues the series of posts on CuckooBox; the setup is more or less the same as in the previous posts.

First install the dependencies:

sudo apt-get install python python-dev python-mako python-dpkt python-magic tcpdump git

wget http://download.virtualbox.org/virtualbox/4.1.8/virtualbox-4.1_4.1.8-75467~Ubuntu~oneiric_i386.deb
wget http://download.virtualbox.org/virtualbox/4.1.8/Oracle_VM_VirtualBox_Extension_Pack-4.1.8-75467.vbox-extpack
sudo dpkg -i virtualbox-4.1_4.1.8-75467~Ubuntu~oneiric_i386.deb
vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.1.8-75467.vbox-extpack

Configure tcpdump to run without root privileges by granting it the raw-socket capabilities directly, so Cuckoo itself does not need to run as root:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

And now to install the latest development version of CuckooBox:

cd /opt/
git clone https://github.com/cuckoobox/cuckoo.git

Create a VM in VirtualBox to detonate the malware in:

VBoxManage createvm --name "CuckooBox_Node_1" --ostype WindowsXP --register

Make sure to:
Install a base operating system (in this case Windows XP)
Install the VirtualBox Guest Additions
Install Python 2.7
Install the Python Imaging Library (PIL), used by Cuckoo to capture screenshots during execution
Install WinAppDbg (used by the Tracer package)
Install distorm3 (used by the Tracer package)
Install any additional software the samples may target (Acrobat, Office, Firefox, etc.)

Turn off the Windows Firewall and Windows Update so neither interferes with the analysis. Then power off the VM and clone it: cloning saves repeating the guest configuration and adds nodes to your CuckooBox analysis pool.


VBoxManage controlvm "CuckooBox_Node_1" poweroff
VBoxManage clonevm "CuckooBox_Node_1" --name "CuckooBox_Node_2" --register
VBoxManage clonevm "CuckooBox_Node_1" --name "CuckooBox_Node_3" --register

Enable NIC tracing on each VM so that CuckooBox captures any network traffic the malware generates during execution; each node writes its own dump.pcap into its share.

VBoxManage modifyvm "CuckooBox_Node_1" --nictrace1 on --nictracefile1 /opt/cuckoo/shares/cuckoo1/dump.pcap
VBoxManage modifyvm "CuckooBox_Node_2" --nictrace1 on --nictracefile1 /opt/cuckoo/shares/cuckoo2/dump.pcap
VBoxManage modifyvm "CuckooBox_Node_3" --nictrace1 on --nictracefile1 /opt/cuckoo/shares/cuckoo3/dump.pcap

Give each node its own share directory (copied from cuckoo1) and attach the shared folders, the setup share read-only and the per-node share writable, so the nodes and the CuckooBox host can exchange files.

cp -R /opt/cuckoo/shares/cuckoo1/ /opt/cuckoo/shares/cuckoo2
cp -R /opt/cuckoo/shares/cuckoo1/ /opt/cuckoo/shares/cuckoo3

VBoxManage sharedfolder add "CuckooBox_Node_1" --name "setup" --hostpath "/opt/cuckoo/shares/setup" --readonly
VBoxManage sharedfolder add "CuckooBox_Node_1" --name "cuckoo1" --hostpath "/opt/cuckoo/shares/cuckoo1"
VBoxManage sharedfolder add "CuckooBox_Node_2" --name "setup" --hostpath "/opt/cuckoo/shares/setup" --readonly
VBoxManage sharedfolder add "CuckooBox_Node_2" --name "cuckoo2" --hostpath "/opt/cuckoo/shares/cuckoo2"
VBoxManage sharedfolder add "CuckooBox_Node_3" --name "setup" --hostpath "/opt/cuckoo/shares/setup" --readonly
VBoxManage sharedfolder add "CuckooBox_Node_3" --name "cuckoo3" --hostpath "/opt/cuckoo/shares/cuckoo3"

Power on and log into each VM. Make any last-minute changes (rename the machine, set a static address or DHCP, etc.), then take a snapshot of each VM; this is the clean state that gets restored before every analysis.


VBoxManage snapshot "CuckooBox_Node_1" take "CuckooBox" --pause
VBoxManage controlvm "CuckooBox_Node_1" poweroff
VBoxManage snapshot "CuckooBox_Node_1" restorecurrent
VBoxManage snapshot "CuckooBox_Node_2" take "CuckooBox" --pause
VBoxManage controlvm "CuckooBox_Node_2" poweroff
VBoxManage snapshot "CuckooBox_Node_2" restorecurrent
VBoxManage snapshot "CuckooBox_Node_3" take "CuckooBox" --pause
VBoxManage controlvm "CuckooBox_Node_3" poweroff
VBoxManage snapshot "CuckooBox_Node_3" restorecurrent

Finally, install ssdeep and pyssdeep for fuzzy hashing.

wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.7/ssdeep-2.7.tar.gz
tar -xvzf ssdeep-2.7.tar.gz
cd ssdeep-2.7
./configure
make
sudo make install
svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
cd pyssdeep
sudo python setup.py build
sudo python setup.py install
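Before starting cuckoo.py, it is worth confirming that every node really ended up in the state the steps above intended. The following is an added example, not Cuckoo's own code or part of the original post: it parses `VBoxManage showvminfo <vm> --machinereadable` for each node and checks NIC tracing into the node's share, the "setup" and "cuckooN" shared folders, and a current "CuckooBox" snapshot with the VM powered off. The paths and names are the ones used in this post; the key names it reads (nictrace1, nictracefile1, SharedFolderNameMachineMapping1, CurrentSnapshotName, VMState) are the ones VirtualBox prints and are assumed here. The two showvminfo excerpts at the bottom are constructed so the check runs offline.

```python
#!/usr/bin/env python3
"""Preflight check for a CuckooBox VirtualBox node pool (added example, not Cuckoo's code)."""
import subprocess

SHARES = "/opt/cuckoo/shares"   # layout used in the post
SNAPSHOT = "CuckooBox"          # snapshot name taken in the post


def parse_machinereadable(text):
    """key="value" lines from showvminfo --machinereadable -> dict (quotes stripped)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip('"')
    return info


def shared_folders(info):
    """Collect SharedFolder{Name,Path}MachineMappingN pairs into {name: hostpath}."""
    folders = {}
    n = 1
    while "SharedFolderNameMachineMapping%d" % n in info:
        folders[info["SharedFolderNameMachineMapping%d" % n]] = \
            info.get("SharedFolderPathMachineMapping%d" % n)
        n += 1
    return folders


def check_node(i, info):
    """Return the problems found for node i; an empty list means it is ready."""
    share = "%s/cuckoo%d" % (SHARES, i)
    folders = shared_folders(info)
    problems = []
    if info.get("nictrace1") != "on":
        problems.append("nictrace1 is not on")
    if info.get("nictracefile1") != share + "/dump.pcap":
        problems.append("nictracefile1 is not %s/dump.pcap" % share)
    if folders.get("setup") != SHARES + "/setup":
        problems.append("shared folder 'setup' missing")
    if folders.get("cuckoo%d" % i) != share:
        problems.append("shared folder 'cuckoo%d' missing" % i)
    if info.get("CurrentSnapshotName") != SNAPSHOT:
        problems.append("current snapshot is not '%s'" % SNAPSHOT)
    if info.get("VMState") != "poweroff":
        problems.append("VM state is %s, expected poweroff" % info.get("VMState", "unknown"))
    return problems


def showvminfo(name):
    """Live query of VirtualBox; used only when no fetch function is supplied."""
    out = subprocess.check_output(["VBoxManage", "showvminfo", name, "--machinereadable"])
    return out.decode("utf-8", "replace")


def preflight(node_count, fetch=showvminfo):
    """Check CuckooBox_Node_1..N; returns {vm name: [problems]}."""
    results = {}
    for i in range(1, node_count + 1):
        name = "CuckooBox_Node_%d" % i
        results[name] = check_node(i, parse_machinereadable(fetch(name)))
    return results


# Constructed showvminfo excerpts for an offline run: node 1 is correct, node 2 is not.
SAMPLE_INFO = {
    "CuckooBox_Node_1": 'name="CuckooBox_Node_1"\nostype="WindowsXP"\nVMState="poweroff"\n'
                        'nic1="nat"\nnictrace1="on"\n'
                        'nictracefile1="/opt/cuckoo/shares/cuckoo1/dump.pcap"\n'
                        'SharedFolderNameMachineMapping1="setup"\n'
                        'SharedFolderPathMachineMapping1="/opt/cuckoo/shares/setup"\n'
                        'SharedFolderNameMachineMapping2="cuckoo1"\n'
                        'SharedFolderPathMachineMapping2="/opt/cuckoo/shares/cuckoo1"\n'
                        'SnapshotName="CuckooBox"\nCurrentSnapshotName="CuckooBox"\n',
    "CuckooBox_Node_2": 'name="CuckooBox_Node_2"\nostype="WindowsXP"\nVMState="running"\n'
                        'nic1="nat"\nnictrace1="off"\n'
                        'SharedFolderNameMachineMapping1="setup"\n'
                        'SharedFolderPathMachineMapping1="/opt/cuckoo/shares/setup"\n',
}

if __name__ == "__main__":
    # Replace fetch=SAMPLE_INFO.__getitem__ with the default to query real VMs.
    for vm, problems in preflight(2, fetch=SAMPLE_INFO.__getitem__).items():
        print(vm, "OK" if not problems else "; ".join(problems))
```

Dropping the `fetch=` argument queries the real VMs through VBoxManage; a node that reports anything other than OK will not give Cuckoo a clean snapshot or a pcap.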

Now that CuckooBox is installed and configured, it is time for execution. Open three tabs in your terminal (or use screen):

cd /opt/cuckoo
python cuckoo.py    (tab 1)
python web.py       (tab 2)

In tab 3, submit samples with submit.py:

Usage: submit.py [options] filepath

Options:
  -h, --help            show this help message and exit
  -t TIMEOUT, --timeout=TIMEOUT
                        Specify analysis execution time limit
  -p PACKAGE, --package=PACKAGE
                        Specify custom analysis package name
  -r PRIORITY, --priority=PRIORITY
                        Specify an analysis priority expressed in integer
  -c CUSTOM, --custom=CUSTOM
                        Specify any custom value to be passed to postprocessing
  -d, --download        Specify if the target is an URL to be downloaded
  -u, --url             Specify if the target is an URL to be analyzed
  -m MACHINE, --machine=MACHINE
                        Specify a virtual machine you want to specifically use for this analysis

Once the malware has finished executing, point your browser to http://localhost:8080. If all went well, the web interface lists the completed analysis and its report.

Thanks again to all the developers at CuckooBox

Happy Hunting

2012
01.03

I wanted to write a quick script to submit files placed in a Dropbox directory to CuckooBox. My main objectives were to:

  1. Write more python
  2. Submit malware from anywhere
  3. Ensure that the malware submitted to CuckooBox was unique


#!/usr/bin/env python
"""cuckooMon: submit new samples dropped into a Dropbox folder to CuckooBox."""

from __future__ import print_function

import hashlib
import os
import shelve
import sys
import time

from cuckoo.core.db import CuckooDatabase

MALWARE_DIR = "/Users/zwned/Dropbox/malware/"
SLEEP_TIME = 60                      # seconds between directory scans
HISTORY_FILE = "cuckooMon_hist"      # shelve mapping md5 -> path already submitted
EXTENSIONS = ("exe", "pdf")          # only these get submitted


class Monitor:

    def process(self):
        newMalware = self.grabNewMalware()
        self.processed = shelve.open(os.path.join(MALWARE_DIR, HISTORY_FILE))
        try:
            for malware in newMalware:
                self.processMalware(malware)
        finally:
            self.processed.close()

    def grabNewMalware(self):
        """Walk MALWARE_DIR and return every .exe/.pdf path, sorted."""
        malware = []
        for dirpath, dirnames, filenames in os.walk(MALWARE_DIR):
            for f in filenames:
                ext = f.lower().split(".")[-1]
                if ext in EXTENSIONS:
                    malware.append(os.path.normpath(os.path.join(dirpath, f)))
        malware.sort()
        return malware

    def processMalware(self, malware):
        """Submit a sample once; a sample whose MD5 is already in the history is deleted."""
        checksum = self.md5Checksum(malware)
        if checksum not in self.processed:
            db = CuckooDatabase()
            print("[-] Processing", malware)
            try:
                db.add_task(malware)
                print("[+] Successful")
                print("[+] Adding malware to history")
                self.processed[checksum] = malware
            except Exception:
                print("[!] FAILURE", str(sys.exc_info()))
        else:
            print("[!] Already in database, removing...")
            os.remove(malware)

    def md5Checksum(self, malware):
        """MD5 of the file, read in 8 KiB chunks so large samples are not loaded at once."""
        m = hashlib.md5()
        with open(malware, "rb") as fh:
            while True:
                data = fh.read(8192)
                if not data:
                    break
                m.update(data)
        return m.hexdigest()

    def monitor(self):
        while True:
            self.process()
            print("[-] Checked last at:", str(time.asctime(time.localtime())))
            time.sleep(SLEEP_TIME)


if __name__ == "__main__":
    malware = Monitor()
    malware.monitor()

The script can be found here.

2011
12.17

A coworker of mine was asking how to get NTFS working for OSX (WTF Apple no native NTFS read/write, really? REALLY?!?). So, I shot him this link. I figured it would be a bit easier to summarize the post below:


$ brew install fuse4x
$ brew install ntfs-3g

$ sudo brew link ntfs-3g

$ sudo cp -rfX /usr/local/Cellar/fuse4x-kext/0.8.13/Library/Extensions/fuse4x.kext /System/Library/Extensions

$ sudo chmod +s /System/Library/Extensions/fuse4x.kext/Support/load_fuse4x

$ sudo mv /sbin/mount_ntfs /sbin/mount_ntfs.orig
$ sudo touch /sbin/mount_ntfs
$ sudo chmod 0755 /sbin/mount_ntfs
$ sudo chown 0:0 /sbin/mount_ntfs

$ cat <<'EOF' | sudo tee /sbin/mount_ntfs
#!/bin/bash
VOLUME_NAME="${@:$#}"
VOLUME_NAME=${VOLUME_NAME#/Volumes/}
USER_ID=501
GROUP_ID=20
TIMEOUT=20
if [ `/usr/bin/stat -f "%u" /dev/console` -eq 0 ]; then
        USERNAME=`/usr/bin/defaults read /library/preferences/com.apple.loginwindow | /usr/bin/grep autoLoginUser | /usr/bin/awk '{ print $3 }' | /usr/bin/sed 's/;//'`
        if [ "$USERNAME" = "" ]; then
                until [ `stat -f "%u" /dev/console` -ne 0 ] || [ $TIMEOUT -eq 0 ]; do
                        sleep 1
                        let TIMEOUT--
                done
                if [ $TIMEOUT -ne 0 ]; then
                        USER_ID=`/usr/bin/stat -f "%u" /dev/console`
                        GROUP_ID=`/usr/bin/stat -f "%g" /dev/console`
                fi
        else
                USER_ID=`/usr/bin/id -u $USERNAME`
                GROUP_ID=`/usr/bin/id -g $USERNAME`
        fi
else
        USER_ID=`/usr/bin/stat -f "%u" /dev/console`
        GROUP_ID=`/usr/bin/stat -f "%g" /dev/console`
fi
/usr/local/bin/ntfs-3g \
        -o volname="${VOLUME_NAME}" \
        -o local \
        -o noappledouble \
        -o negative_vncache \
        -o auto_xattr \
        -o auto_cache \
        -o noatime \
        -o windows_names \
        -o user_xattr \
        -o inherit \
        -o uid=$USER_ID \
        -o gid=$GROUP_ID \
        -o allow_other \
        "$@" &> /var/log/ntfsmnt.log
exit $?;
EOF

Thanks Apples & Rubies!

*NOTE* Here is a copy of the raw file in case the formatting jacked up the ability to copy and paste. Eventually I'll look into styling my gists to match the layout of the blog.

2011
12.01

I stumbled across this a few weeks back and it has been invaluable for setting up an environment. I immediately feel at home and I have all of my dotfiles at my disposal.


$ sudo gem install homesick
$ homesick clone https://github.com/zwned/dotfiles.git
$ homesick symlink dotfiles

Then just source the files you need, or log out and log back in. That's it... sweet! Now I just have to finish migrating my dotfiles to GitHub.

homesick

Thank you Mr Joshua Nichols!