My masters class had us writing Yara rules for our project lab. Given that I recently gave a talk at DataWorks MD that took a brief foray into describing the use of Yara rules for static malware analysis – well – I was prepared for and looking forward to this particular lab.

The challenging part of the lab: to help us understand how analysts decide which byte(s) to check for hex strings, the lab had us use the Linux utility hexeditor. As instructed, we were to

  • sudo hexeditor
  • use the keyboard’s arrows to navigate into a particular file
  • press Ctl-W to invoke ‘search’
  • use the arrows to navigate to the hex search option, as opposed to text search
  • type in the appropriate hex string. Note: the hex string could be longer than the editor would show us in its entry window. With a long enough string, we were then working blind with typos
  • if the hex string was found, jot down at what byte position so that we could later use that in our Yara rules

Bleah… Too many opportunities for typos. Too slow, as we needed to iterate across five files. _Really_ too slow when you consider we were doing this in a VM hosted on university infrastructure, using its GUI via NoMachine.

Improvement 1: sudo hexeditor filename at least got me into a particular file, and importantly, let my file history show me what files I had already interacted with.

I then looked for command-line options to target hexeditor with a search string. That would at least let me repeat previous commands and edit the filename or the hexstring. Unfortunately, hexeditor doesn’t support anything of that sort. grep would apparently have gotten me to whether the pattern existed in the file, but not given me the byte location.

Long-ish story short, although the lab itself had no reason to cause me to do this, and it certainly took me longer to work this out than to just hand jam it, I now have scripts to iterate over a set of files and a set of hex strings to determine if the hex string is represented in the files, and if so, where. My geek demon is satisfied this evening, and I’m holding onto the files here to help in CTFs or other future geekish fun. Credit to here for the general approach for finding hex data locations in files, and here for helping work out the problem of iterating over lines that contain spaces.

#!/bin/bash

# test_hex_find.sh
# Examine file for hex value
# Argument 1: file name to check
# Argument 2: hex string to look for, as space-separated byte values (e.g. "4d 5a 90")

# Dump the file as one long line of two-digit hex bytes, each followed by a single
# space, so that every byte occupies exactly three characters of the dump.
# -An drops od's address column (which otherwise survives as a bogus trailing
# token), -v prints every line instead of collapsing duplicate lines into '*'.
# grep -b -o prints the character offset of each match; dividing by three turns
# that into the byte offset within the file. -i lets upper-case input match
# od's lower-case output. Reading the offsets in a loop reports every occurrence
# instead of failing on a multi-line result.
od -An -v -t x1 "$1" | tr '\n' ' ' | tr -s ' ' | sed 's/^ //' \
  | grep -b -i -o "$2" | sed 's/:.*//' \
  | while read -r offset; do
      echo "filename: $1, hex value: $2"
      printf '%06X\n' $(( offset / 3 ))
    done

#!/bin/bash

# find_hex.sh
# Run test_hex_find.sh for every *.exe in the current directory against every
# hex string listed in hex_strings.txt (one quoted string per line).
# xargs -n1 emits one line per quoted entry with the quotes stripped; mapfile
# then stores each whole line, spaces included, as a single array element.
mapfile -t hex_strings < <(xargs -n1 <hex_strings.txt)

# Show what will be searched for
for hex_string in "${hex_strings[@]}"; do
  echo "$hex_string"
done

for file in *.exe; do
  for hex_string in "${hex_strings[@]}"; do
    ./test_hex_find.sh "$file" "$hex_string"
  done
done

hex_strings.txt (one quoted hex string per line; the quotes are stripped by xargs):

"C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73"
"8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF"
"5C EC AB AE 81 3C C9 BC D5 A5 42 F4 54 91 04 28 34 34 79 80 6F 71 D5 52 1E 2A 0D"
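As an added example (not the post's own scripts), here is the same workflow in Python: find where each hex string occurs in a set of files, report every offset, and draft a Yara rule that pins each string to its first offset with an `at` condition, which is what the lab wanted the offsets for. It goes a little beyond the shell scripts in that it accepts Yara's `??` wildcard byte and reports overlapping matches. The sample "executables", the hex strings, and the rule names are constructed here so it runs offline.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def hex_pattern_to_regex(hex_string: str) -> "re.Pattern[bytes]":
    """Compile "8A 04 ?? 8B" into a bytes regex; '??' matches any single byte.

    The body is wrapped in a lookahead so that overlapping occurrences are all
    reported (a plain finditer would skip past each match).
    """
    body = []
    for tok in hex_string.split():
        if tok == "??":
            body.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            body.append(re.escape(bytes.fromhex(tok)))
        else:
            raise ValueError(f"bad hex token: {tok!r}")
    if not body:
        raise ValueError("empty hex string")
    return re.compile(b"(?=" + b"".join(body) + b")", re.DOTALL)


def find_offsets(data: bytes, hex_string: str) -> List[int]:
    """Return every byte offset at which hex_string occurs in data."""
    return [m.start() for m in hex_pattern_to_regex(hex_string).finditer(data)]


def scan_files(paths: Iterable[Path], hex_strings: Iterable[str]) -> Dict[str, Dict[str, List[int]]]:
    """Map each file name to {hex string: [offsets]}, like find_hex.sh's nested loops."""
    hex_strings = list(hex_strings)
    return {p.name: {h: find_offsets(p.read_bytes(), h) for h in hex_strings} for p in paths}


def draft_yara_rule(rule_name: str, hits: Dict[str, List[int]]) -> str:
    """Draft a Yara rule whose condition pins each found string to its first offset."""
    strings, conds = [], []
    for i, (h, offs) in enumerate(hits.items()):
        if offs:
            strings.append(f"        $s{i} = {{ {h} }}")
            conds.append(f"$s{i} at {offs[0]}")
    if not conds:
        return ""
    return (
        f"rule {rule_name}\n{{\n    strings:\n" + "\n".join(strings)
        + "\n    condition:\n        " + " and ".join(conds) + "\n}\n"
    )


def demo() -> Dict[str, Dict[str, List[int]]]:
    """Constructed sample: two fake 'executables' written to a temp dir, then scanned."""
    sample_a = b"MZ\x90\x00" + bytes.fromhex("8A04178BFB34A7") + b"\x00" * 8
    sample_b = b"MZ\x90\x00" + b"\x00" * 6 + bytes.fromhex("C645F474C645F56C")
    hex_strings = ["8A 04 17 8B FB", "C6 45 ?? 74 C6 45"]  # second one uses a wildcard
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, blob in (("a.exe", sample_a), ("b.exe", sample_b)):
            p = Path(d) / name
            p.write_bytes(blob)
            paths.append(p)
        results = scan_files(paths, hex_strings)
    for fname, hits in results.items():
        for h, offs in hits.items():
            for off in offs:
                print(f"filename: {fname}, hex value: {h}")
                print(f"{off:06X}")
        rule = draft_yara_rule(fname.replace(".", "_"), hits)
        if rule:
            print(rule)
    return results


if __name__ == "__main__":
    demo()
```

Point the `scan_files` call at real `*.exe` paths to use it on the lab files; the printed offsets are zero-based, matching what hexeditor displays and what Yara's `at` expects.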

Things I’m in the middle of reading, also known as glimpses into my psyche:

  • Thinking, Fast and Slow, by Daniel Kahneman: we’re reading this for our Women In Technology Group at work. So far, a couple of chapters in, my System 1 brain is convinced the book should progress more quickly
  • The Clown in You, by Caroline Dream: reading this to try to think about my clowning in new ways, to spark my thinking in new paths
  • Hacking, the Art of Exploitation, by Jon Erickson: my cyber masters program is leaving me less than inspired, and more feeling slogged in its various papers. Hoping this book gives me some new angles and inspiration

I’m more geek goddess than domestic diva. That said, tonight’s dinner was GOOD! Crab dip with pita chips, chicken and sausage jambalaya, and cheesy shrimp and grits. Oh, and I have dough rising for an attempt at beignets. The things you can do with a four day weekend… I had a day to shop and prep and have two days (!!) to recover.

I love having a happy family around the dinner table. We’re all in our pajamas – some of us in the Christmas family pajamas we put on last night, and some have changed into sets they got as Christmas presents. Our bellies are full and my heart is very happy.

Yeah, this kind of joke is just my kind. Thank you, Ian Coldwater, for enlivening my day. Thinking about posting it at work, too.

As the leader of our Women In Tech group for work, I particularly appreciate the pun-blaming on MOM! All the better that it’s the capitalized, exclamation-pointed version.

I frequent some Facebook groups related to buying and selling used clown and circus supplies. Last month, a guy posted 3 or 4 pictures of this massive yard sale amount of stuff. Folks kept offering him money for individual items, but he’d say he’d only deal with folks who’d pick up. He ALSO said he’d be willing to take a reasonable offer for the lot. After seeing enough folks make individual offers, I decided, heck, the guy’s in New York, I’ll make him an offer, and if he takes it, I’ll make it back by shipping out just the things folks have offered on.

So, that’s what I did. I made the guy an offer. I came back with a mini-van chock full of things. A full-size Scooby Doo costume. A full-size Easter bunny costume. 6 large Lowes’ boxes filled with costumes and supplies, including a couple of puppets that run usually for $300+. Two boxes of videos. Another full (+!) box of clown magazines. A full bin of various magic tricks. A box of juggling bean bags. All in all, a bonanza of random fun. I spent a weekend building out an inventory spreadsheet and looking things up to figure out their probable retail value. I’ve been putting them up on Facebook, selling them off at a bit at a time.

So, if you know anyone who wants an Easter bunny costume or a set of dove pans, I’m your gal! I’ll be taking at least a representative box or two to the local clown convention next month – see if I can find some willing homes for another thing or two, at least!

When you’re experienced in life…

And you have a 10-15 page paper due for your masters class…

You start with a beer…

And you don’t plug in your laptop, so time is ticking…

And you write a WordPress post…

And then maybe, just maybe, you write your paper.

After another beer.

(Inspired by “When You Give a Mouse a Cookie” and an impending group project deadline.)

While my thoughts are fresh on my latest CTF…

Pluses:

  • Throughout the event, in top 3. Currently in top 2, but closing out for the day to get other things done.
  • Figured out a few things: interrogating VMDKs via extracting them; linking up a shared drive in Kali
  • Had some success with python scripting to interrogate Word documents to find hidden data, as well as to find md5 and sha1 hashes. Sha-1 grep string was: ‘[0-9A-Fa-f]{40}’
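As an added example (not the post's own script), this is the shape the Word-document hash hunt can take in Python: a .docx is a zip of XML parts, so scanning every member rather than just the main body text also catches values tucked into comments, custom XML, or properties. The SHA-1 pattern is the post's `[0-9A-Fa-f]{40}`; the MD5 one is its 32-character twin, with lookarounds so a 40-digit run is not also reported as a 32-digit one. The sample document is constructed in memory and seeds it with the well-known empty-string MD5 and SHA-1 values.

```python
import io
import re
import zipfile
from typing import Dict, List

# Hash-length hex runs; lookarounds stop a longer run from matching a shorter pattern.
HASH_PATTERNS = {
    "md5": re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])"),
    "sha1": re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{40}(?![0-9A-Fa-f])"),
}


def find_hashes_in_docx(docx_bytes: bytes) -> Dict[str, List[str]]:
    """Scan every part of a .docx (a zip of XML) for hash-like hex runs.

    Walking all members, not only word/document.xml, picks up text that is not
    visible in Word's normal view (comments, custom XML, document properties).
    """
    found: Dict[str, List[str]] = {name: [] for name in HASH_PATTERNS}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for member in z.namelist():
            text = z.read(member).decode("utf-8", errors="ignore")
            for kind, pat in HASH_PATTERNS.items():
                for match in pat.findall(text):
                    if match not in found[kind]:   # de-duplicate, keep first-seen order
                        found[kind].append(match)
    return found


def build_sample_docx() -> bytes:
    """Constructed minimal .docx-style zip: a visible paragraph plus a hidden custom XML part."""
    md5_empty = "d41d8cd98f00b204e9800998ecf8427e"       # MD5 of the empty string
    sha1_empty = "da39a3ee5e6b4b0d3255bfef95601890afd80709"  # SHA-1 of the empty string
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", f"<w:t>visible text, md5 {md5_empty}</w:t>")
        z.writestr("customXml/item1.xml", f"<flag>{sha1_empty}</flag>")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, values in find_hashes_in_docx(build_sample_docx()).items():
        print(kind, values)
```

For a real CTF file, read the .docx from disk and pass the bytes to `find_hashes_in_docx`; adding a `sha256` entry with `{64}` to `HASH_PATTERNS` is the natural extension.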

Need to learn:

  • reverse engineering to interrogate malware or other executables
  • faster ways to traverse Wireshark data. Getting protocol statistics is a good starting point – want to get better there
  • executing random files – need VMs stood up for Windows to have them ready to roll…

Hmmm – I thought the CTF was closing out tonight, but it’s not until Sunday night. I need to carefully tread this, for the sake of my health and marriage.

I started a masters program a few weeks ago. Tuesday is the due date for the last project in the first class. We had three weeks to do it, where “it” includes a 10 page lab report on password cracking tools, a 10 page white paper discussing a particular medical organization, its data breach(es!), and what we’d convey to the board for an action plan moving forward. Good bit of work, but spread over 3 weeks and 5 people, presumably not so bad.

The first week mostly went by, and nothing happened. Note: our group, as are the other groups in the class, was randomly assigned by the professor. Further, because it’s an online program, none of us had ever met or interacted with each other before. We had a deliverable due a week in for a communications plan and a project plan. I had vowed to not be the stuckee trying to herd cats, but as the week went by, I eventually caved and setup the group meeting. We “met” and established regular checkpoints on Sunday, roughed in a communications and project plan, with a goal of completing our initial research and building out a rough outline by the following Friday.

Friday came, and the shared outline document had… my contributions. Another team member had added two links with no context as to why we’d use them. Another teammate had been in the document and edited it – to remove a character and replace it. Not looking strong. I asked each team member for commitments, documented them in our outline, and we said we’d meet again on Sunday, that they’d work on the outline building off of what I’d put together.

We met on Sunday. I’d committed to working up the lab report so it was out of the way. That took me a good portion of Saturday, as the assignment guidance required me to interrogate each password separately, and across 16 passwords with two different cracking strategies, there’s a good bit of tending and screen captures. On Saturday, I had a system, worked it through, and then wrote up the paper, which included several discussion questions outside the scope of the lab itself, requiring further research. Answered all but one of the questions, and bounced a question to the professor to help us better tune our lab report response. On Sunday, the team met again, and our outline was… no further. But the team divided the sections we thought needed covered in the whitepaper, each team member took a few segments, and each team member committed to writing their section before this past Friday. The theory was that I had written the lab report, we’d pull in some small sections from that, but that the rest of the team was responsible for the lift on the whitepaper, and I’d help with the smoothing of the paper and the setup of the presentation.

It’s now the final Sunday before things are due. On Friday, most sections of the paper were still empty. I pointed that out Friday morning in our group chat and said I wasn’t bailing folks out. Members of the team collaborated on Saturday morning, though still not in the document itself. We’re now on the final Sunday call, and folks are attempting to arrange the bits of content that they’ve written into something. We’re still missing segments of information and are over page count, grammatically incoherent in some places, and just a mess overall.

Did I mention I hate group projects? My only saving grace is that I can demonstrate my own individual contributions through the completed paper and through version history in Google Docs. Several are now slogging through online. I’ve left the call but said I’ll be on standby once the folks who are still wrestling think they’re in better shape so we can do the pruning of the paper and work the presentation. UURRRRRRGHH!!!

Quarantine, day N… Was at work last week, and now off again.

Early in, I set up a Google Doc in which I listed goals for the quarantine. Projects I could accomplish with the extra time. Some of them are already complete – I got my Grace Hopper application in, built out some challenges for a CTF, planted seeds. Some are in progress – about half of the front yard has had its onion grass removed. I’ve done more running and pushups. Still working towards pullups. Have mostly left the burpee goal alone, though I think that’s on the list today.

What I’ve realized isn’t strongly on the list are household organizing or cleanup projects. I could wash windows. I could dust floorboards. I could… These are the sorts of projects my parents used to give me when I’d done something wrong, though. The sort of work penance aspects to grind a spirit down. I’m not in the mood to punish myself.

What I keep doing is more minor things: clean up a corner. Put away something that’s been in the wrong place for far too long. Work to keep the kitchen quasi-clear with all of the extra food preparation going on. (Somehow kids love making food, but never connect it with the extra cleanup.) Go for more long walks with my hubby. I’m most of the way through a puzzle, which is usually something we only do over Christmas break. Try a new recipe or two once in a while… We had a Monte Cristo casserole the other day that was pretty good!

The weeks without a rhythm are long. Completing big household projects and then seeing them be overrun would be too discouraging. So I’d describe myself as pacing. We’re in a time of unknown length and I’m just trying to make it through.