Codetective - find password hashes and CC numbers

codetective_service/DEPENDENCIES

@@ -0,0 +1,7 @@
+The codetective_service is a wrapper using 
+https://github.com/blackthorne/Codetective
+
+Imports include:
+re, sys, argparse, base64, urlparse, encodings, string, math, collections, datetime, io, struct, os
+
+

codetective_service/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015, Adam Polkosnik, <adam.polkosnik@ny.frb.org> || <apolkosnik@gmail.com>. All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

codetective_service/README

@@ -0,0 +1,11 @@
+This CRITs service is utilizing the code from: https://github.com/blackthorne/Codetective (you'll have to obtain a copy and put it in the service's directory so that codetective.py and __init__.py are present in /data/crits_services/codetective_service/Codetective/ folder)
+Please note that the Codetective is licensed under GPL while CRITs services is licensed under MIT.
+
+Codetective
+Sometimes we ran into hashes and other codes and can't figure out where did they came from and how they were built. If you work on pen-testing that might easily happen when you are testing systems from a black box perspective and you are able to grab a password file with hashed contents maybe from an exposed backup file or by dumping memory.. This may also be useful as a part of a fingerprinting process.
+
+
+Installation instructions:
+Copy over codetective.py and __init__.py into /data/crits_services/codetective_service/Codetective/ folder
+Just make sure that you have the imported libs present.
+Done!

codetective_service/__init__.py

@@ -0,0 +1,111 @@
+# (c) 2015, Adam Polkosnik, <adam.polkosnik@ny.frb.org> || <apolkosnik@gmail.com>
+
+import logging
+
+from django.conf import settings
+from django.template.loader import render_to_string
+
+from crits.services.core import Service, ServiceConfigError
+
+from . import forms
+
+logger = logging.getLogger(__name__)
+
+# This will work if there's an __init__.py inside Codetective folder
+from Codetective.codetective import get_type_of, Finding
+
+DEFAULT_END = -1
+DEFAULT_START = 0
+DEFAULT_MODULES = ["win", "web", "crypto", "personal", "unix", "db", "other"]
+
+class CodetectiveService(Service):
+    """
+    A tool to determine the crypto/encoding algorithm used according to traces of its representation
+    """
+
+    name = "codetective"
+    version = '0.0.5'
+    supported_types = ['Sample']
+    description = "Find password hashes and so on"
+
+    @staticmethod
+    def get_config(existing_config):
+        config = {}
+        fields = forms.CodetectiveServiceConfigForm().fields
+        for name, field in fields.iteritems():
+            config[name] = field.initial
+
+        # If there is a config in the database, use values from that.
+        if existing_config:
+            for key, value in existing_config.iteritems():
+                config[key] = value
+        return config
+
+    @staticmethod
+    def parse_config(config):
+        try:
+            from Codetective.codetective import get_type_of, Finding
+            return
+        except:
+            raise ServiceConfigError("Unable to import Codetective/codetective.py!")
+
+    @staticmethod
+    def get_config_details(config):
+        display_config = {}
+
+        # Rename keys so they render nice.
+        fields = forms.CodetectiveServiceConfigForm().fields
+        for name, field in fields.iteritems():
+            display_config[field.label] = config[name]
+        return display_config
+
+    @staticmethod
+    def valid_for(obj):
+        if obj.filedata.grid_id == None:
+            raise ServiceConfigError("Missing filedata.")
+        return
+
+    @classmethod
+    def generate_config_form(self, config):
+        html = render_to_string('services_config_form.html',
+                                {'name': self.name,
+                                 'form': forms.CodetectiveServiceConfigForm(),
+                                 'config_error': None})
+        form = forms.CodetectiveServiceConfigForm
+        return form, html
+
+    @staticmethod
+    def bind_runtime_form(analyst, config):
+        data = {'start_offset': config['start_offset'][0],
+                'end_offset': config['end_offset'][0],
+                'certainty': config['certainty'][0]}
+        return forms.CodetectiveServiceRunForm(data)
+
+    @classmethod
+    def generate_runtime_form(self, analyst, config, crits_type, identifier):
+        return render_to_string('services_run_form.html',
+                                {'name': self.name,
+                                 'form': forms.CodetectiveServiceRunForm(),
+                                 'crits_type': crits_type,
+                                 'identifier': identifier})
+
+    def run(self, obj, config):
+        start_offset = config['start_offset']
+        end_offset = config['end_offset']
+        certainty = config['certainty']
+        filters = config['filters']
+        data = obj.filedata.read()[start_offset:end_offset]
+        if not data:
+            self._error("Codetective received no data.")
+            raise ("Codetective received no data.")
+        else:
+            try:
+                self._info("Codetective filters:%s analyze:%x, certainty:%d" %(filters, analyze, certainty))
+                results = get_type_of(data, filters)
+                results = [finding for finding in results if finding.certainty >= certainty]
+                for finding in results:
+                    self._add_result('Codetective', "%s" % repr(finding.payload), {'Offset': finding.location, 'Type': finding.type, 'Confidence': finding.confidence, 'Certainty': finding.certainty, 'Details':repr(finding.details), 'Datestamp': finding.created_on})
+            except Exception as err:
+                self._info("Codetective failed on: %s: %s" % (str(obj.id), err))
+            self._info("Codetective finished on: %s" % str(obj.id) )
+        return

codetective_service/forms.py

@@ -0,0 +1,34 @@
+from django import forms
+
+class CodetectiveServiceConfigForm(forms.Form):
+    DEFAULT_MODULES = ["win", "web", "crypto", "personal", "unix", "db", "other"]
+    error_css_class = 'error'
+    required_css_class = 'required'
+    filters = forms.CharField(required=False,
+                                 label="Filters",
+                                 widget=forms.TextInput(),
+                                 help_text="Filter by source of your string",
+                                 initial=DEFAULT_MODULES)
+
+    def __init__(self, *args, **kwargs):
+        super(CodetectiveServiceConfigForm, self).__init__(*args, **kwargs)
+
+class CodetectiveServiceRunForm(forms.Form):
+    error_css_class = 'error'
+    required_css_class = 'required'
+    certainty = forms.IntegerField(required=False,
+                                 label="certainty",
+                                 help_text="Certainty: (0-100).",
+                                 initial=45)
+    start_offset = forms.IntegerField(required=False,
+                                 label="Start offset",
+                                 help_text="Start offset of your search.",
+                                 initial=0)
+    end_offset = forms.IntegerField(required=False,
+                                 label="End offset",
+                                 help_text="End offset of your search.",
+                                 initial=-1)
+
+    def __init__(self, *args, **kwargs):
+        super(CodetectiveServiceRunForm, self).__init__(*args, **kwargs)
+