Skip to main content


Showing posts from 2013

Andrew makes a blog entry! Also the story of KingPhisher!

Hi Interwebtonians,

It has been absolutely ages since I have written a blog post - and its not from the lack of prodding from Roelof. We have genuinely just been busy!

Predominately I want to show you some of the work we had to do for Blackhat 2013 - my first BH talk ever! My section of the work was what we ended up calling 'KingPhisher' as well as the multi-threaded Python script to crawl websites for some parts of 'Teeth' (Roelof's offensive Maltego transforms).

    Video: [HERE]
    Download: [HERE]

A common Paterva office treat is that if you make a mistake or if the other person can catch you out at anything you have to make tea (the amount of times I make tea is inversely proportional to how long I have been at Paterva!). This included phishing. Many years ago we would try trick each other into clicking on links. Most security people will agree with us when we say that if you have enough context on a person you can craft an email…

Vegas feedback, Tungsten release, Teeth install, KingPhisher etc etc.

After what seems to be a lifetime we're back safe and sound in South Africa. It's been a long trip - after Blackhat/Defcon we traveled a little further north west to conduct (another) four day training course.

Blackhat training
We trained two courses at Blackhat - back to back. In total - 42 students. It was fun. We mostly had skilled students and it's always great to see their 'AHA!' moments - when all the pieces come together and they understand our vision.

A pivotal moment for me personally was when I complained that my feet hurt on day 3 of BH training and the training room cleaner (an elderly man that's been in the war in Sarajevo) told me 'you're getting paid for this yes?'.  He survived a war and was cleaning rooms in a hotel in Las Vegas at minimum wage and I was complaining that my feet hurt. Perspective++.

Blackhat talk
The day after training we had our talk. All the demos worked (a special thanks to the networking guys for those 2x Ethernet…

UK based Magicians / Illusionist

A quick post.

I love to watch Derren Brown's shows. I wondered if he was on social media in a private capacity so started mapping relationships between people he works with. In the process I saw a large cloud forming around UK based illusionists, mentalists and 'magicians' and decided to focus on them.

If you ever seen a closed hyper connected community of people - here is the map:

TRX - Framework for writing Python transforms with the TDS

Hi there people from the Interwebs,

We wrote a 'framework' for writing Python transforms with the Maltego TDS. It's called TRX and it's pretty light, easy to use and very hip. It should see you writing kick ass transforms in no time - a complete transform could look as simple as this:

def trx_DNS2IP(m):
  TRX = MaltegoTransform()
    DNSName = socket.gethostbyname(m.Value)
  except socket.error as msg:
  return TRX.returnOutput() 

The document nicely explains the differences between local transforms and TDS transforms and also includes a complete entity reference guide as well as addressing the confusion between V2 and V3 entities - a must read for any transform developer. The document also takes a look at the future of the TDS.

Here is the index of the document - click to read.

Finally the framework / source code can be found [here]. …

Pretty pictures: Appendix D (Mandiant) in Maltego

Out of pure curiosity and quite per chance we decided to load all the DNS names (FQDNS) from the Mandiant APT1 report (appendix D) into Maltego, resolve them to IPs, extract the domains and so on and so forth.

OK right, we'll come clean - also to do some marketing - with such sensational list of DNS names who can resist! And it was not out of curiosity - someone suggested it. Plus we wish Mandiant had put some Maltego graphs in that report because it would help us sell licenses. And it would make the report look pretty and actually - BTW- it's really useful to see patterns.

And indeed there are some interesting patterns. It seems some of the domains have been scrubbed (or perhaps they were never in use, we would not know without looking at historical DNS and that seems like lots of work) with all of the names now pointing to

Below is a very different section of the graph showing shared infrastructure. Perhaps these were used at the same time, for the same purpose. O…

CCC: China! C300!! Collaboration!!!

It's seems we should call it Cebruary as everything that happens this month seems like it's C-ish.

[C]hina China is in the news with the Mandiant APT paper (I am not going to bother linking it, it's everywhere). An interesting read for sure - kudos to everyone involved. We are never keen to pick sides but found the Bloomberg TV spot (on the same topic) that shows Maltego quite interesting. Here's a screen shot and a link:

Somehow related - the zone leaked a few weeks ago and we thought it would be interesting to see how these DNS names resolve to IP addresses. From the IP addresses we went to netblocks, from there to country. And that's where we stopped. The most interesting points to note were:

1. There were quite a few DNS names that resolved to internal IP addresses (mostly 10.*, but some 172.16s as well). Before you freak out - no - we're not showing the DNS names corresponding to these blocks. You can go do that yourself. And yes, these could be the …