Doug Metz

Mal-Hash – interacting with Virus Total API via PowerShell

Virus Total started in 2004 as a free service to analyze files and URLs for malicious behavior. In 2012 Virus Total (VT) was acquired by Google. Virus Total can provide a boon of information for the nascent investigator, though OpSec should remain a concern.

It’s rare to be in a security class where Virus Total is mentioned and not be warned about submitting the file hash vs. submitting the file itself. Often the suspect file, (i.e. ‘companyXYZ_invoice.doc) could contain information that has been customized to the target, you or your company. You’d don’t need to be a big-game target. Often these files are distributed like mass marketing. The copy YOU receive may have information that traces back to you. The bad guys use Virus Total too you see – and if they see that companyXYZ_invoice.doc was submitted (or companyABC_invoice.doc, company123… etc.), it could tip them off as to who is on to them.

The preferred method of submission is to use the file hash. This value is unique* (insert debate about MD5 hash collisions) to the file and is safer to use as a reference to search for. Virus Total supports MD5, SHA1 and SHA256 hashes for lookup.

Virus Total has both free and Enterprise plans available. Registration gives you access to an API key that you can use to interact with VT. The free accounts are limited in the number of API queries you can submit. If you’re working on a project at enterprise scale, chances are you’ll need the license to do so to support the number of queries.

Mal-Hash is a PowerShell script that utilizes the Virus Total API to interact with VT from the command-line. Your API key is kept in a file separate from the script. When you invoke the script, you point it to a file to analyze.

You can either type the path in manually or you can drag and drop the file onto the PowerShell window and the path will auto populate.

The script uses the Get-FileHash PowerShell command to get the MD5, SHA1 and SHA256 hash of the file. The script then (referencing your API key for the lookup), submits the MD5 (by default) hash to Virus Total. The results of the query are displayed back to the PowerShell instance and are also recorded to a text file.

You can get Mal-Hash.ps1 from my GitHub here. As always, feel free to fork the project and contribute back to the code. Learning is a constant process.

Lack Rack part III: the Final chapter

DIY

If you caught the last blog installment you’ve seen that I’m a big proponent of the Steve Jobs “one more thing” methodology.

To ‘finish out’ (as if) the rack design I’ve made two more modifications. The first was reversing the switch positioning and doing some OCD-level cable maintenance.

The last, and the piece de resistance in my opinion, was removing one of the original lower shelves and replacing it with a bank that holds 4 Raspberry Pi. (Pies?)

In case your curious the Pi’s are configured for:

Pi-hole (security, DNS, ad-blocking)
HOOBS (home automation)
NEMS (a Nagios instance for monitoring)
Kali (shenanigans and attack emulation)

That should hold me over for a little while. And I’m really pleased with the results.

Lack Rack Updates

Uncategorized

I have a tendency for DIY projects to never be finished. Actually that’s not entirely true. I finish them, but then I continue to build/expand on them. This has been true of many elements of my home office since moving to our home two years ago. A few months back I posted my DIY network rack built from IKEA end tables. A week or so later LED’s were added. I have several automation routines that will change the LED color based on status conditions.

The rack has served me very well so far, but I wanted to make a few improvements. Previously I had laptop (on riser stand) and a portable (15″ usb-C) monitor on the top. The monitor (and wireless keyboard) is connected an Intel NUC inside the rack that dual boots between REMnux and Windows11.

I wanted to make room for a full size monitor on top, but I was running low on real estate. A couple orders later on amazon and I had exactly what I wanted.

First I added a dual-arm stand that could accommodate a full size monitor (24″ fits well here), and a second arm that supports a laptop. I wound up replacing the monitor arm mount with a different mount that kept it closer to the support pole (the screen was a little too ‘in the face’ before that.) Since the composition materials of the Ikea tables are likely MDF, I added a steel panels on the top and bottom of the clamp for extra durability.

Dual arm mount: https://a.co/d/1PaCopm
Monitor mount: https://a.co /d/4N5JofT
Steel reinforcement panels: https://a.co/d/dbIocDr

The height is perfect for a standing workstation. If I need to work on the laptop, there is enough free space to open and operate fully without impacting the monitor.

So here it is, the [updated] “Lack Rack” finished… for now.

Magnet 2022 CTF – iOS15

CTF, DFIR

One of the evidence items during the 2022 Magnet User Summit CTF was a full file system extraction of an iPhone running iOS 15. Recently the CTF creators made the evidence (and corresponding challenge questions) available at CyberDefenders.org. You can register for a free account and then download the evidence. There’s several recommended tools listed in the challenge summary. For me the tools used were:

Magnet Axiom Cyber – [request a free trial]
iLEAPP
Decode
Unfurl
Excel (yup, an old friend returns)

Once you’re registered, process the evidence with Magnet and iLEAPP. The other tools we’ll touch on coming up.

WARNING: SPOILERS AHEAD

Don’t read ahead if you’re still working on the challenges. If you get stuck and want to see how I chose to solve it… then read on friend.

Continue reading →