November 26th, 2014

python treemap module – PyTreeMap

As part of a couple different projects I’m working (and *hoping* to release sometime soon), I’ve created/implemented a simple treemap module for python (Code here). There are a few python treemap modules already, but I couldn’t find a simple one with minimal prerequisites and that implements anything other than the “squarified layout”. Since I couldn’t find one when I was looking, I thought it might be worth releasing independently of the other work. Note that the module does not handle the actual graphing, it’s intentionally just the layout calculations (I do have pygame and jython/ test implementations for the graphing, so if you’re interested in those email me).

There are many different layout algorithms for treemap graphs optimized for various features, and they have evolved over the years. This is a good page on the history of treemaps. The algorithm for this module is the “split” layout and was taken from this great paper on treemaps. Chapter 5 covers several different algorithms with their various features and implementation details.

Here’s a sample of how to use the module:

    from PyTreeMap import SimpleTreeMap
    # Arbitrary list of numbers
    # Give the treemap its coordinates and title
    root = SimpleTreeMap(x=0, y=0, w=100, h=100, title="RootNode")
    # Add each of the items giving it a size or weight equivalent to its value
    for i in items:

    # Add a couple children to two different nodes

    print " [*] Setup [%s] top-level items to layout" % len(items)

    # Iterate over treemap nodes and their children nodes
    for i in root:
        print " [*] Coordinates are x [%s] y [%s] w [%s] h [%s]" % i.getCoordinates()
        for j in i:
            print " [*] -- Child Coordinates are x [%s] y [%s] w [%s] h [%s]" % j.getCoordinates()

And this will output the following:

 [*] Setup [19] top-level items to layout
 [*] Laying out now...
 [*] Coordinates are x [0.0] y [0.0] w [1.53579926455] h [14.5017095894]
 [*] Coordinates are x [1.53579926455] y [0.0] w [33.78758382] h [14.5017095894]
 [*] -- Child Coordinates are x [1.53579926455] y [0.0] w [12.9952245462] h [14.5017095894]
 [*] -- Child Coordinates are x [14.5310238107] y [0.0] w [20.7923592739] h [14.5017095894]
 [*] Coordinates are x [0.0] y [14.5017095894] w [31.6438640133] h [30.2644374039]
 [*] -- Child Coordinates are x [0.0] y [14.5017095894] w [12.1707169282] h [30.2644374039]
 [*] -- Child Coordinates are x [12.1707169282] y [14.5017095894] w [19.4731470851] h [30.2644374039]
 [*] Coordinates are x [31.6438640133] y [14.5017095894] w [3.67951907131] h [30.2644374039]
 [*] Coordinates are x [35.3233830846] y [0.0] w [38.8059701493] h [44.7661469933]
 [*] Coordinates are x [74.1293532338] y [0.0] w [9.53129091385] h [4.67338897183]
... (snip)

The previous output shows the x,y,w,h coordinates for each block of the graph including the child nodes. Children can be added arbitrarily deep. You can find the source for the module here.

Just so you can see what a treemap looks like, this is a random screenshot from a small project I’m hoping to release soon (ignore the colors):

Let me know if you have any feedback/improvements/etc.

SEAT Version 0.3 and Backtrack 4

It is with great excitement that we bring you the latest version of SEAT!. SEAT (Search Engine Assessment Tool) is the next generation information digging application geared toward the needs of security professionals. SEAT uses information stored in search engine databases, cache repositories, and other public resources to scan web sites for potential vulnerabilities. Version 0.3 includes the much needed Search Engine XML signature update, several performance enhancements, and the fix for the dreaded GUI “segmentation error”.

You can download the latest version of SEAT here. Detailed documentation is available in documentation.pdf. Also, if you are a big fan of Backtrack like me, you can get SEAT preinstalled with the upcoming final release of Backtrack 4.

SEAT v.0.3

LDAP password audit and general hackery

I have a few smaller tools/scripts I’m going to be posting in the near future on a new hackery page. Some of these are random things that don’t quite deserve a whole project page, but I still wanted to put a general reference together.

The first thing I’m putting up is a small tool that will dump out a unix-like password file given a LDAP database dump in LDIF format. The point of this is so that you can audit your LDAP passwords with something like john the ripper. Here’s an example usage:


usage: ./ <ldif file> <output password file> [<user matchString>]
       example: ./ ldif.out passwd.txt "^ou: MyGroup"
       (matchString default is "objectClass: posixAccount")

 # Dump the initial database with slapcat
 $ slapcat > ldap.out
 $ ./ ldap.out pw.out
 [*] Adding new user [New User, newuser] to results
 [*] Adding new user [A User, auser] to results
 [*] newuser:$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx:::New User
 [*] auser:$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx:::A User
 [*] Wrote [2] password lines to [pw.out]
 [*] Done

$ john pw.out

Anyway, hopefully it’s mildly useful to a couple people. Since the standard PAM modules for password policy enforcement are a little harder to use with LDAP, sometimes it seems like weak LDAP accounts can linger around for a longer than intended. Let me know if you have any problems running it, I know there are several different possible password encoding and hashing types, and posixAccount setup schemas, so YMMV

Look for some more things to be posted to the hackery page in the coming days.

Depant your network

MRL has a new tool we’re releasing that will check your network for services with default passwords. The tool is called depant ((DE)fault (PA)ssword (N)etwork (T)ool). Depant works by downloading a default password list, and then mapping out the local network to see what open services are available. Once it has a list of services, it will test each service for default passwords. Once it’s gone through each of the services, depant will determine the fastest service (as recorded in phase one) and use it to perform an optional second phase of tests with a larger (user-supplied) set of default users/passwords.

By default depant has a list of “safe” services to test. These are tested services that hydra seems to work well with. Currently it’s a small list as depant (and hydra) needs to be tested against more networks to see what are good default services to test for. Alternately a user can specify ‘-A’ to scan all ports that hydra knows services for. You can also specify only certain ports with ‘-o’ (it supports ranges, and comma separated lists). If any errors arise from running with extra services, please try to run depant with the ‘-d’ flag (debug), and send us the output.

User/Password combinations can be entered in one of two ways, either with separate files for usernames and passwords (this will test every combination of username/passwords), or with a “combined” file that has entries formatted like “username:password”. ‘-u’, and ‘-p’ (or ‘-U’, and ‘-P’ for the second phase) specify the individual username/password files, and ‘-c’ (or ‘-C’ for the second phase) specifies a “combined” username:password file. Only one of these methods is intended to be used at one time.

Here is the usage information, along with a couple examples:

usage: depant ( -H <host> | -f <hostList>) ( -c <userPassList> | -u <userList> -p <passList>) <options>
-H <host (or CIDR block) to scan>
-f <host list file> (each ip or CIDR block per line)
-e <exclude hosts list> (each ip or CIDR block per line)
-g <output file for default password list> (Gets list from Phenoelit site)
-c <combined user:password list> (not in conjunction with -u/-p)
-u <username list> (used in conjunction with password list)
-p <password list> (used in conjunction with username list)
-o <port list> (e.g. 21,22,137-139 default is “safe ports”)
-O <output file> (CSV log of any user/passwords we find)
-C <second phase combined user:password list> (not in conjunction with -U/-P)
-U <second phase user list>
-P <second phase password list>
-A (run all ports hydra knows about)
-D (Do a dry run only, map network, and output what things are going to be checked)
-h (help)
-d (debug)

Downloads the default password list into dpl.txt:

./ -g ./dpl.txt

Checks for the user:pass combinations in dpl.txt on all ports for ips in hosts.txt:

./ -f ~/hosts.txt -d -A -c dpl.txt

Checks the network services anywhere in (excluding hosts listed in exclude.txt)
with the users and passwords specified, and if nothing is found, it will check the
larger user and dictionary list against the fastest service:

./ -A -H -e exclude.txt -u users.txt -p passwd.txt -U more-users.txt -P big-dict.txt

And here’s a quick example of it running against a local system. This will check against a combined user/pasword file for the first phase, and then use the separated user and password files for the second phase. You can see that in the second phase it is able to find a username and password:

$ depant -c ./dpl -U ./user.txt -P ./pass.txt -H

-=[[ Depant v0.1a ]]=-
-=[[ Midnight Research Labs ]]=-

[*] Phase 2 scanning enabled
[*] Starting phase 1 nmap scan of [2] host(s)
[*] Adding host [] port [22] to list of services to test
[*] Found [1] thing(s) to check for default passwords
[*] Starting phase 1 hydra scans
[*] Checking for default passwords on host [] port [22]
[*] Fastest service to run second phase on is [] port [22]
[*] We did not find results in phase one… going to second phase
[*] Starting phase 2
[*] Checking for default passwords on host [] port [22]
[!!!] Found user [testuser] with pass [YourPasswordSucks] on [] service/port [22]
[!!!] We found logins on [1] hosts
[*] Total runtime was [34] seconds
[*] Finished.

Thanks to the other resources that make something like this possible. Hydra does the password brute-forcing, and nmap does the actual scanning. Also thanks to Phenoelit for the default password list.

We’re very interested in getting feedback for this or anything else we’re up to. Let us know either way, whether you run into major problems, or if works well for you. You can try running the tool with “-d” (for debug) to get extra information during the run. If you submit any bugs, please include the debug output to help us troubleshoot the issue. You can email me at aaron {@t} if you have any feedback (which is greatly appreciated).

Happy Downloading, :) .

Update: Here’s an updated version that adds a couple extra options to optimize the nmap flags that are run.

New Open Source Forensics GUI

The guys over at Professional Security Testers recently posted about a new open source forensics tool named PTK. It’s an updated front end for sleuth kit, which could possibly replace the current interface, Autopsy, which has been getting pretty stale. Autopsy is pretty good, but I’ve found if you know what you’re looking for that the sleuth kit CLI and a couple scripts to automate case creation is often faster. PTK claims many improvements over autopsy:

* Indexing Engine
 - String Extracion
    o Allocated, Unallocated, Slack Space
    o Live Search
 - File Categorization
    o File signature analysis
        oFile extension mismatch
    - Auto Data Carving
        o Customizable file signature
    - Hash Set Manager

* Advanced Timeline
* Gallery View
* Advance Keyword Search
* Bookmarking Section
* Multi Investigator System
* Incident Response Mode

Looks pretty interesting. It doesn’t mention OSX support, but since TSK is supported on OSX, I’m hoping it will run there as well since it’s just a web interface. We used Autopsy and TSK a bit this weekend during CTF pre-quals, and an update is greatly appreciated. :)

PS — Recon, an entire convention focused on reverse engineering, is next weekend. If you can get to Montreal, you should check it out. It looks like there are a few interesting talks going on.

metasploit 3.1

Greetings from Tahoe. It looks like there is a new release of Metasploit out now. It includes among other things a GUI, full windows support, some new wifi fuzzing modules, a bunch of new exploits, and Scruby, which is a ruby port of an awesome tool, Scapy.

“Metasploit 3.1 consolidates a year of research and development, integrating ideas and code from some of the sharpest and most innovative folks in the security research community” — HD Moore

Get some.

The great fuzz frenzy

Fuzzing is hot these days. I just ran across a neat idea/tool called FuzzMan recently (posted to full-disclosure I think). It takes a man page as input, and will fuzz input parameters based on what options it can parse from the man-page. The examples page shows the tool eliciting several segfaults in a known vulnerable version of sharutils.

There is an article in the latest hackin9 magazine (the print version anyway) about fuzzing, which covers several different fuzzing tools as applied to their relevant layers. You should check out the hackin9 magazine if you haven’t already. It’s a pretty good read, and is much more technical than other security/hacking print publications. It is a little spendy though (probably partially because it’s translated and imported), but I think it’s worth it. This issue they started a hacking challenge which is included (among other things) on a CD.

Yea for google images.

VOIP security tool list

Here is a list of VOIP security tools that I found today whilst scouring my RSS feeds (sorry original poster, I lost the reference). There are different sections for different attacks, including sniffing tools, scanning and enumeration tools, VoIP packet creation and flooding tools, and the attack du jour, fuzzing tools. Looks like fun. :)

metasploit three finally released

The long awaited metasploit 3.0 has been released. Here are some screenshots and demos of the latest version. Everything was rewritten in ruby, and lots of new features were added. Some of the cool things are the meterpreter, irb, db_autopwn (best name ever), the latest wi-fi exploits and threaded attacks. Here is the download packages (the linked are for unix, but win32 is also available).


I guess today is “tools” day at MRL. Here is another tool I ran across recently that I think is useful. Wyd is a modular potential password generator that can generate a wordlist from multiple sources. For example you can dump a website, and use that as input, or just scan a hard-drive in a forensics case to find content for the list. It currently knows about a few different file types (html, .doc, .pdf. .ppt, etc). I created a module for it that will scan jpg images for exif data that can be used as a source. I submitted it to the maintainers, so maybe it will end up in one of the next releases.

Imhotep theme designed by Chris Lin. Proudly powered by Wordpress.
XHTML | CSS | RSS | Comments RSS