YARA for pentesters

Posted: December 25, 2017 in general

YARA is a pattern matching swiss army knife often used by malware researchers. The strength of YARA is to quickly and easily identify files based on rules which are mostly aimed at identifying byte patterns. This aides malware researches, threat intelligence and forensic investigators to identify malware samples.

We can of course use the same approach to identify files containing juicy information which like always will hopefully aid us to pwn some network somewhere. Most of the files that we use like ntds.dit/registry hives reside at fixed location or at the bare minimum at configurable locations. This usually causes us to write pretty awesome scripts to retrieve and process these files to get the juicy info. YARA can be a nice tool to account for the unexpected events of system administrators placing these and many other files in unexpected locations.

To start with the end result, let’s see the results of searching for file with passwords (loosely used to also identify hashes) inside a directory:

sudo yara -r -t hashed_passwords juicy_files.txt /etc
shadow_file /etc/shadow
shadow_file /etc/shadow-

and if we do this inside a directory which contains some test files:

yara -r -t hashed_passwords juicy_files.txt files
shadow_file files/shadow
hive_file files/mysecurity
hive_file files/mysam
hive_file files/system
ntds_file files/ntds.dit
hive_file files/mysystem

Like you can imagine you can use this approach to search entire filesystems at once as well as network shares. Since the rules are very powerful and easy to write I think it’s much easier to maintain a repository of rules instead of custom scripts for each juicy file that we encounter during our pwnage. You can find the repository over here, feel free to commit more rules :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.