This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
import sys | |
import re | |
import datetime, time | |
import argparse | |
import nids | |
end_states = (nids.NIDS_CLOSE, nids.NIDS_TIMEOUT, nids.NIDS_RESET) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Verifying that +7h3ram is my Bitcoin username. You can send me #bitcoin here: https://onename.io/7h3ram |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import datetime, re, difflib | |
def k10(stack): | |
if len(stack) <= 1: | |
return | |
checkHashes, checkDuplicates, checkDelta, checkName = True, True, True, True | |
score, dCount, fCount, deltaScore, fnameScore, chainAverage = 65, 0, 0, 0, 0, 0 | |
duplicates, dChain, fChain, features = [], [], [], [ 'valid_filenames' ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
def map_to_lowercase_letter(s): | |
return ord('a') + ((s - ord('a')) % 26) | |
def next_domain(domain): | |
dl = [ord(x) for x in list(domain)] | |
dl[0] = map_to_lowercase_letter(dl[0] + dl[3]) | |
dl[1] = map_to_lowercase_letter(dl[0] + 2*dl[1]) | |
dl[2] = map_to_lowercase_letter(dl[0] + dl[2] - 1) | |
dl[3] = map_to_lowercase_letter(dl[1] + dl[2] + dl[3]) | |
return ''.join([chr(x) for x in dl]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import argparse | |
""" | |
Shiotob DGA | |
Generates domains for the Shiotob malware | |
- top level domains alternate between '.net' and '.com' | |
- domains are between 14 and 19 characters long | |
- domains consist of all letters and digits 123945 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
""" | |
generate domains according to: | |
- https://www.endgame.com/blog/malware-with-a-personal-touch.html | |
- http://www.rsaconference.com/writable/presentations/file_upload/br-r01-end-to-end-analysis-of-a-domain-generating-algorithm-malware-family.pdf | |
requires words1.txt and words2.txt | |
""" | |
import time | |
from datetime import datetime | |
import argparse |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import argparse | |
from datetime import datetime | |
seed_const = 42 | |
days_period = 16 | |
nr_of_domains = 64 | |
third_lvl_min_len = 8 | |
third_lvl_max_len = 15 | |
class Rand: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import argparse | |
def get_domains(nr, how_many): | |
bases = { | |
1: { | |
'length': 7, | |
'tld': 'com', | |
'key': '1676d5775e05c50b46baa5579d4fc7', | |
'base': 0x45AE94B2 | |
}, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import hashlib | |
from datetime import datetime, timedelta | |
import struct | |
import argparse | |
def get_seed(seq_nr, date): | |
key = "\x01\x05\x19\x35" | |
seq_nr = struct.pack('<I', seq_nr) | |
year = struct.pack('<H', date.year) | |
month = struct.pack('<H', date.month) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import argparse | |
class RandInt: | |
def __init__(self, seed): | |
self.seed = seed | |
def rand_int_modulus(self, modulus): | |
ix = self.seed | |
ix = 16807*(ix % 127773) - 2836*(ix / 127773) & 0xFFFFFFFF |
OlderNewer