Before It Bytes!

SecuraTip Episode 3: Noriben

In this episode of SecuraTip, we take a look at Brian Baskin’s portable malware analysis tool Noriben.

Noriben, which acts as an intelligent wrapper for procmon, will monitor process activity for files, services, registry, and network activity. This awesome tool takes things a step further by filtering out noise so that the analyst can focus on the details that matter!

SecuraTip Episode 2: Automater

In this episode of SecuraTip we focus on OSINT analysis of IP Addresses, URLs, and Hashes using Automater.

Automater given a target (-t) or a file (-f) will determine if it is a URL, IP, or hash and will then run the appropriate tool-set against the file giving the user a common output.
To download Automater or get more details on it, visit

SANS Code: Securabit_Tek5
$200 off any SANS Course at

Gathering and Cracking MD5 Hashes

As I mentioned in my post over at TekDefense, the number of data dumps put out has increased heavily, mostly because of the Anonymous #OpIsreal stuff. With that in mind I figured this would be a great time to talk about my process for finding, gathering, and cracking hashes. I should note that I am a hobbyist in this arena, so don’t take my word as gospel here. Test my methods and develop a solution that fits your needs.

Finding Hashes

There are many methods for finding database dumps, here are a few:

  • PasteLert: Created by Andrew Mohawk, PasteLert will index Pastebin and alert you to items that match whatever query you have. I have it alert for anything matching the MD5 for 123456 as this is the most common password.
  • DumpMon: Dumpmon monitors for data dumps and reports them via twitter
  • PastebinDorks: PastebinDorks is another great Twitter account to follow for interesting pastes.

All of these sources are great, just monitor them and watch for the links to the data breaches

Collecting the Hashes

Usually the files or URLs that have hashes in them also contain other data. The following screenshot is an example of the typical format:

4-9-2013 3-24-56 PM

The way this is formatted, we could pull out the MD5s with the cut command in Linux. For others though, the format is so inconsistent that we would not be able to grab the MD5s easily. A tool I created (tekCollect) can grab them with ease. Download tekCollect here. tekCollect can grab specified data types from a file or URL. In this case I will use the URL option:

[email protected]:~/workspace/Automater# ./ -u
aw.php?i=S6wCigZ5 -t MD5

With a -o option on the command, you can have tekCollect output the results out to a file.

Cracking hashes:

My usual process for cracking hashes is to check the hashes against a wordlist, and for those that can’t be found with the wordlist, I attempt to bruteforce them using hashcat masks.

Wordlist option

BackTrack (Kali) comes with a bunch of wordlists. If you need another though I have some available here.

As I am doing my cracking within a VM, and not on a physical machine with hardcore GPUs I use traditional hashcat instead of oclhascat.

When you run hashcat it will hash your wordlist and then compare those hashes to the hashes you want to crack:

hashcat -o crackedhashes.out demohashes.out 1aN0rmusWL.txt

4-9-2013 4-45-58 PM

Using this option in less than 5 seconds we were able to crack 33 of the 413 passwords.

4-9-2013 4-48-49 PM

Now you may be wondering why only 33. The main reason for this is that this was part of #OpIsreal and because of that my dictionary being primarily English will not detect foreign languages. Notice how all the hashes that were found translated to passwords consisting of only numbers.


No matter how good your wordlists are, you are never going to catch all of the passwords. There may come a time where you will want to bruteforce your way in. What this means is that you’ll need to try every possible combination in an attempt to determine the password. Luckily, running tools like Pipal we are able to understand that most passwords follow certain formats. For instance, we understand that most passwords consist solely of lowercase letters. Using hashcat masks, we can tell hashcat the format we want it to look at.

For this attempt I am going to attempt to bruteforce all combinations of 8 digits:

hashcat -a 3 -o crackedhashes2.out demohashes.out ?d?d?d?d?d?d?d?d

4-9-2013 5-09-29 PM

Now, we have captured 46 more hashes. By experimenting with the hashcat masks, you will be able to bruteforce your way into a good number of these.


Like I said in the beginning of the post, I am not an expert in password cracking, but more of a hobbyist. Using my wordlists and hashcat masks, I am usually able to get 60% to 80% of the passwords from a dump. What is your method and how successful is it?


I had the pleasure of attending BsidesROC this past Saturday in Rochester, NY while visiting family.  The only previous experience I’d had with Bsides was in Las Vegas last summer, and I must say out of the many small conferences I have been to over the last couple of years, these guys did a very impressive job!  The conference consisted of two tracks with a total of 15 talks.

Here’s a rundown of the events:

  • The Rochester chapter of TOOOL was kept very busy with a constant flow of lock pickers, both new and veteran, and managed to sell out of the kits they had available.
  • Interlock, the local hackerspace was also there and had a number of great projects to show off.  I always love seeing hackerspaces at conferences!
  • Hacker Battleship, a unique play on the CTF which was really fun for the 24 who participated.  Someone SQL injected the scoreboard too 😉

There were just over 200 attendees and everything flowed very smoothly.  The event had the feeling of something that just happened there every weekend, and there were flying SHARKS! Albeit without laser beams for the safety of all present of course. 😉

Some other misc stats:

  • The 3D badges took approximately 50 hours to print and were awesome!
  • 3129 DHCP leases were handed out throughout the day.
  • 6 flying sharks and fish, including one flying red angry bird.

Looking forward to next year!

Wireshark Export HTTP objects

In the first episode of SecuraTip, I showed viewers how to extract files from pcaps using a very manual method, and using an automated method with NetworkMiner. The purpose of this was to show the drastic difference between the two methods.

As Doug Burks and CIDSecurity mentioned on Twitter and YouTube there is an easier method for pulling out files from pcaps using Wireshark verse the manual process I showed. Though there is a major limitation that I will speak more of at the end.



Wireshark HTTP object export options

1. Open the pcap with Wireshark.

2. Choose File –> Export Objects –> HTTP


*While I chose HTTP for this, you may need to choose a different option like SMB to correspond with the type of traffic you are dealing with.

3. You will now be presented a list of files that you can save out directly from the HTTP sessions.


4. Simply press Save As and you know have the file.

Now as you can tell if you have watched the SecuraTip episode, there are some limitations here. For instance we do not see the files 1.txt and 2.txt that we saw when looking at the PCAP with NetworkMiner. The reason for this is that WireShark is just pulling files from HTTP Sessions. 1.txt and 2.txt were in the same pcap but were transferred via FTP instead of HTTP. As far as I know there is not automated way to pull FTP files transferred directly in Wireshark. Please correct me if I am wrong there. NetworkMiner doesn’t care what protocol or service was used, if the file was transferred in the clear, then it will try to extract it.

As we all know, there are many ways to attack any problem in IT. Do you have a different technique other than what is described here or in the video? Let us know.

SecuraTip Episode 1: NetworkMiner

In the first episode of SecuraTip we learn how to extract files from a pcap using NetworkMiner.

Additionally this episode also shows some of the other features of NetworkMiner, and the manual process of carving files from a pcap using Wireshark.

We’ve included both YouTube and MP4 formats.

Thanks to @TekDefense