
Add 7z File Support #289

Merged
merged 9 commits into from
Jan 20, 2023

Conversation

ryanohoro
Collaborator

Describe the change

Adds 7z file support with tastes applied to a new scanner ScanSevenZip

Extracts files and metadata

Reuses John the Ripper code to crack encrypted 7z files

Refactors some JTR code into a common scanner library to increase reusability

Depends on 7zz/7zip, JTR, 7z2john

Adds a new dependency: the lzma Perl module

Supports extracting filenames from encrypted 7z archives that do not explicitly encrypt the filenames

Closes #235

Describe testing procedures

./strelka-oneshot -l - -f src/python/strelka/tests/fixtures/test_password.7z

{
    "file": {
        "depth": 0,
        "flavors": {
            "mime": ["application/x-7z-compressed"],
            "yara": ["_7zip_file"]
        },
        "scanners": ["ScanEntropy", "ScanFooter", "ScanHash", "ScanHeader", "ScanSevenZip", "ScanYara"],
        "size": 1776,
        "tree": {
            "node": "798b1c9b-4bac-423e-a0ad-70b79a82bf7e",
            "root": "798b1c9b-4bac-423e-a0ad-70b79a82bf7e"
        }
    },
    "request": {
        "attributes": {
            "filename": "src/python/strelka/tests/fixtures/test_password.7z"
        },
        "client": "go-oneshot",
        "id": "798b1c9b-4bac-423e-a0ad-70b79a82bf7e",
        "source": "ubuntu",
        "time": 1674110004
    },
    "scan": {
        "entropy": {
            "elapsed": 0.000222,
            "entropy": 7.8690872116893065
        },
        "footer": {
            "backslash": "9\\x03*\\x1dv\\x7f\\xd5\\x87j.\\x10\\xe4\\\\w\\xb0\\x17\\x06\\x86\\x00\\x01\\t\\x80\\xad\\x00\\x07\\x0b\\x01\\x00\\x01#\\x03\\x01\\x01\\x05]\\x00\\x10\\x00\\x00\\x0c\\x81R\\n\\x01\\x90\\xf1\\xeb\\x9f\\x00\\x00",
            "elapsed": 0.000024,
            "footer": "9\u0003*\u001dv�Շj.\u0010�\\w�\u0017\u0006�\u0000\u0001\t��\u0000\u0007\u000b\u0001\u0000\u0001#\u0003\u0001\u0001\u0005]\u0000\u0010\u0000\u0000\u000c�R\n\u0001���\u0000\u0000"
        },
        "hash": {
            "elapsed": 0.003196,
            "md5": "f6eb86ae2a9b1ecbea560a4227edeeaf",
            "sha1": "ec4a050c95cdf4d1b7a2a461cfee17a04ef778e1",
            "sha256": "919ea21babf635a40a7862f57a8c9930c7ac8068f54360d26fc63954e352254d",
            "ssdeep": "48:+fx/XemF896evv2ufLW3aC+eskqnKODV/92tzRRfcn331ahK:o9emS9hv2UnerKDUzfcn3FahK",
            "tlsh": "T1AF310BF3AA370D97FC8713B879DBE411C532855AD3981EDE5E547A7B1781D107421640"
        },
        "header": {
            "backslash": "7z\\xbc\\xaf'\\x1c\\x00\\x04\\x8d\\xc5D\\x9a\\xad\\x06\\x00\\x00\\x00\\x00\\x00\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc5]\\xbe\\xd9jA\\x82`\\xde\\xd1\\xbd\\xb1\\xed\\xc5\\xb7\u003cw\\x9a\\xc8O\\xf6\\xa0",
            "elapsed": 0.000024,
            "header": "7z��'\u001c\u0000\u0004��D��\u0006\u0000\u0000\u0000\u0000\u0000\u0000#\u0000\u0000\u0000\u0000\u0000\u0000\u0000�]��jA�`�ѽ��ŷ\u003cw��O��"
        },
        "seven_zip": {
            "cracked_password": "password",
            "elapsed": 0.145188,
            "files": [{
                    "datetime": "2022-12-12 03:12:55",
                    "filename": "hidden/lorem-hidden.txt",
                    "size": "4015"
                }, {
                    "datetime": "2022-12-12 03:12:55",
                    "filename": "hidden/lorem-readonly.txt",
                    "size": "4015"
                }, {
                    "datetime": "2022-12-12 03:12:55",
                    "filename": "hidden/lorem.txt",
                    "size": "4015"
                }, {
                    "datetime": "2022-12-12 03:12:55",
                    "filename": "lorem.txt",
                    "size": "4015"
                }
            ],
            "hidden_dirs": ["hidden"],
            "meta": {
                "7zip_version": "22.01"
            },
            "total": {
                "extracted": 4,
                "files": 4
            }
        },
        "yara": {
            "elapsed": 0.0022,
            "matches": ["test"]
        }
    }
}
============================= test session starts ==============================
platform linux -- Python 3.10.6, pytest-7.2.0, pluggy-1.0.0
rootdir: /strelka
plugins: mock-3.10.0, unordered-0.5.2
collected 100 items
...
tests/test_scan_seven_zip.py .....
...
====================== 100 passed, 26 warnings in 44.58s =======================

Sample output

"seven_zip": {
    "cracked_password": "password",
    "elapsed": 0.145188,
    "files": [{
            "datetime": "2022-12-12 03:12:55",
            "filename": "hidden/lorem-hidden.txt",
            "size": "4015"
        }, {
            "datetime": "2022-12-12 03:12:55",
            "filename": "hidden/lorem-readonly.txt",
            "size": "4015"
        }, {
            "datetime": "2022-12-12 03:12:55",
            "filename": "hidden/lorem.txt",
            "size": "4015"
        }, {
            "datetime": "2022-12-12 03:12:55",
            "filename": "lorem.txt",
            "size": "4015"
        }
    ],
    "hidden_dirs": ["hidden"],
    "meta": {
        "7zip_version": "22.01"
    },
    "total": {
        "extracted": 4,
        "files": 4
    }
},

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of and tested my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
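The sample output above reports each archive member as datetime/filename/size, lists hidden directories, and shows that member names are readable even when the contents are password-protected. The following is an added example (not Strelka's or this PR's code) that turns a `7zz l -slt` technical listing into that layout; the listing text is constructed, and reading the attribute letters as `D` for directory and `H` for hidden is an assumption.

```python
"""Parse `7zz l -slt` output into the file/hidden_dirs/total layout that the
ScanSevenZip sample output above shows. Added example, not Strelka's code; the
attribute-letter reading ('D' directory, 'H' hidden) is an assumption."""

# Constructed listing (not real 7zz output): the archive's entry names are
# readable although the file contents are encrypted (no header encryption).
SAMPLE_LISTING = """\
Listing archive: test_password.7z

----------
Path = hidden
Size = 0
Modified = 2022-12-12 03:12:55
Attributes = D_H drwxr-xr-x
Encrypted = -

Path = hidden/lorem.txt
Size = 4015
Modified = 2022-12-12 03:12:55
Attributes = A_H -rw-r--r--
Encrypted = +

Path = lorem.txt
Size = 4015
Modified = 2022-12-12 03:12:55
Attributes = A_ -rw-r--r--
Encrypted = +
"""


def parse_listing(text: str) -> dict:
    """Return files, hidden_dirs, total and an encrypted flag from a -slt listing."""
    body = text.split("----------", 1)[-1]  # per-entry records follow the dashes
    files, hidden_dirs, encrypted = [], [], False
    for block in body.strip().split("\n\n"):
        fields = dict(line.split(" = ", 1) for line in block.splitlines() if " = " in line)
        if "Path" not in fields:
            continue
        flags = fields.get("Attributes", "").split(" ")[0]  # e.g. "D_H" or "A_"
        if flags.startswith("D"):  # directory entry: record it only if hidden
            if "H" in flags:
                hidden_dirs.append(fields["Path"])
            continue
        encrypted = encrypted or fields.get("Encrypted") == "+"
        files.append({"datetime": fields.get("Modified", "")[:19],
                      "filename": fields["Path"], "size": fields.get("Size", "")})
    return {"files": files, "hidden_dirs": hidden_dirs, "encrypted": encrypted,
            "total": {"files": len(files)}}
```

The `encrypted` flag is an extra field not present in the scanner's output; it records that member contents were protected even though their names were listed without a password.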

@@ -0,0 +1,175 @@
import logging
Contributor


Good call on this file

@phutelmyer phutelmyer merged commit 321284d into target:master Jan 20, 2023
@phutelmyer
Contributor

Closes #288. Merged.

Successfully merging this pull request may close these issues.

[Feature Request] Add scanner support for 7z archives