Initial

emedvedev · emedvedev · commit 1851ce08ade1 · 2015-09-14T01:45:13.000+06:00
diff --git a/LICENSE.md b/LICENSE.md
@@ -0,0 +1 @@
+ZFG license: just do whatever you want with this code.
diff --git a/README.md b/README.md
@@ -1,2 +1,37 @@
-# stackstorm-forensics
-Forensics and CTF automation pack to use with StackStorm. Actions and ChatOps aliases.
+# StackStorm Forensics
+
+## Marceline
+
+An automation pack for [https://github.com/StackStorm|StackStorm]: various actions and ChatOps aliases for file/stream forensics and CTFs challenges.
+
+Although this pack was meant to power Randoms' own CTF helper, Marceline, it can also be reused as a set of independent StackStorm actions or as code somewhere else. Whatever you want, really.
+
+## Commands
+
+So far the list of things Marceline does is really small:
+```
+base64 decode {{ string }} - Do a base64 decode of a string.
+base64 encode {{ string }} - Do a base64 encode of a string.
+crack substitution {{ ciphertext }} - Try to crack a substitution cipher.
+rot13 {{ string }} - Apply rot13 to a string.
+what.s next? - Look for upcoming CTFs.
+when is {{ query }}? - Look for upcoming CTFs.
+```
+
+However, I'm planning to extend it in the nearest future, and you're more than welcome to contribute.
+
+![](http://i.imgur.com/xxnIghW.gifv)
+
+## Todo
+
+* File analysis: `file`, `hachoir-subfile`
+* Metadata extraction: `hachoir-metadata`
+* Output from `strings`
+* Hash lookups
+* Hex/bin/dec/ascii/unicode conversions
+* Basic steganographic analysis
+* Nmap scanning
+
+Suggestions are always appreciated.
+
+— Ed.
diff --git a/actions/base64-decode.yaml b/actions/base64-decode.yaml
@@ -0,0 +1,15 @@
+---
+name: "base64decode"
+runner_type: "local-shell-cmd"
+description: "Do a base64 decode of a string."
+enabled: true
+parameters:
+  string:
+    type: "string"
+    description: "String to decode."
+    required: true
+  cmd:
+    description: "Command to run"
+    type: "string"
+    immutable: true
+    default: "echo \"{{ string }}\" | base64 -d"
diff --git a/actions/base64-encode.yaml b/actions/base64-encode.yaml
@@ -0,0 +1,15 @@
+---
+name: "base64encode"
+runner_type: "local-shell-cmd"
+description: "Do a base64 encode of a string."
+enabled: true
+parameters:
+  string:
+    type: "string"
+    description: "String to encode."
+    required: true
+  cmd:
+    description: "Command to run"
+    type: "string"
+    immutable: true
+    default: "echo \"{{ string }}\" | base64"
diff --git a/actions/ctfsearch.py b/actions/ctfsearch.py
@@ -0,0 +1,31 @@
+#!/usr/bin/python
+
+import ics
+import requests
+import arrow
+import re
+
+from st2actions.runners.pythonrunner import Action
+
+__all__ = [
+    'CTFSearchAction'
+]
+
+
+class CTFSearchAction(Action):
+    def run(self, query):
+        calendar = 'https://www.google.com/calendar/ical/ctftime%40gmail.com/public/basic.ics'
+        contents = requests.get(calendar).text
+        contents = re.sub(r'(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z',
+                          r'\1-\2-\3T\4:\5',
+                          contents)
+        ctfs = ics.Calendar(contents)
+        for event in ctfs.events[arrow.utcnow():]:
+            if not query or (query.lower() in event.name.lower()):
+                url = re.search('URL: (.*?)\n', event.description)
+                return "%s starts %s%s" % (
+                    event.name,
+                    event.begin.humanize(),
+                    " (%s)" % (url.group(1)) if url else "",
+                )
+        return "can't find upcoming CTFs matching \"%s\" :(" % (query)
diff --git a/actions/ctfsearch.yaml b/actions/ctfsearch.yaml
@@ -0,0 +1,11 @@
+---
+name: "ctfsearch"
+runner_type: "python-script"
+description: "Searches CTFTime.org calendar for events."
+enabled: true
+entry_point: "ctfsearch.py"
+parameters:
+  query:
+    type: "string"
+    description: "Query for CTF title."
+    required: false
diff --git a/actions/rot13.py b/actions/rot13.py
@@ -0,0 +1,13 @@
+#!/usr/bin/python
+
+import codecs
+from st2actions.runners.pythonrunner import Action
+
+__all__ = [
+    'Rot13Action'
+]
+
+
+class Rot13Action(Action):
+    def run(self, string):
+        return codecs.encode(string, 'rot_13')
diff --git a/actions/rot13.yaml b/actions/rot13.yaml
@@ -0,0 +1,11 @@
+---
+name: "rot13"
+runner_type: "python-script"
+description: "Shift a string 13 chars."
+enabled: true
+entry_point: "rot13.py"
+parameters:
+  string:
+    type: "string"
+    description: "String to rotate."
+    required: true
diff --git a/actions/substitution.py b/actions/substitution.py
@@ -0,0 +1,22 @@
+#!/usr/bin/python
+
+import requests
+import re
+from st2actions.runners.pythonrunner import Action
+
+__all__ = [
+    'SubstitutionAction'
+]
+
+
+class SubstitutionAction(Action):
+    def run(self, ciphertext):
+        page = requests.post("http://quipqiup.com/index.php", {
+            'mode': '3',
+            'clues': '',
+            'action': 'Solve',
+            'ciphertext': ciphertext
+        })
+        expression = '\<script\>solsum.*?\"(.*?)\"'
+        result = re.search(expression, page.text)
+        return result.group(1)
diff --git a/actions/substitution.yaml b/actions/substitution.yaml
@@ -0,0 +1,11 @@
+---
+name: "substitution"
+runner_type: "python-script"
+description: "Crack a substitution cipher."
+enabled: true
+entry_point: "substitution.py"
+parameters:
+  ciphertext:
+    type: "string"
+    description: "Ciphertext to crack."
+    required: true
diff --git a/aliases/base64-decode.yaml b/aliases/base64-decode.yaml
@@ -0,0 +1,10 @@
+---
+name: "forensics_base64decode"
+action_ref: "forensics.base64decode"
+description: "Do a base64 decode of a string."
+formats:
+    - "base64 decode {{ string }}"
+ack:
+    disabled: true
+execution:
+    output: "{{ result }}"
diff --git a/aliases/base64-encode.yaml b/aliases/base64-encode.yaml
@@ -0,0 +1,10 @@
+---
+name: "forensics_base64encode"
+action_ref: "forensics.base64encode"
+description: "Do a base64 encode of a string."
+formats:
+    - "base64 encode {{ string }}"
+ack:
+    disabled: true
+execution:
+    output: "{{ result }}"
diff --git a/aliases/ctfsearch.yaml b/aliases/ctfsearch.yaml
@@ -0,0 +1,11 @@
+---
+name: "forensics_ctfsearch"
+action_ref: "forensics.ctfsearch"
+description: "Look for upcoming CTFs."
+formats:
+    - "what.s next\\?"
+    - "when is {{ query }}\\?"
+ack:
+    disabled: true
+execution:
+    output: "{{ result }}"
diff --git a/aliases/rot13.yaml b/aliases/rot13.yaml
@@ -0,0 +1,10 @@
+---
+name: "forensics_rot13"
+action_ref: "forensics.rot13"
+description: "Apply rot13 to a string."
+formats:
+    - "rot13 {{ string }}"
+ack:
+    disabled: true
+execution:
+    output: "{{ result }}"
diff --git a/aliases/substitution.yaml b/aliases/substitution.yaml
@@ -0,0 +1,10 @@
+---
+name: "forensics_substitution"
+action_ref: "forensics.substitution"
+description: "Try to crack a substitution cipher."
+formats:
+    - "crack substitution {{ ciphertext }}"
+ack:
+    disabled: true
+execution:
+    output: "here's the best I could come up with: ```{{ result }}``` I used http://quipqiup.com/ by Edwin Olson to crack the cipher, and you should consider buying him a beer or at least visiting the website. :)"
diff --git a/pack.yaml b/pack.yaml
@@ -0,0 +1,10 @@
+---
+name : forensics
+description : st2 action pack for basic forensics and file analysis
+keywords:
+  - cipher
+  - steganography
+  - forensics
+version : 0.1
+author : emedvedev
+email : edward.medvedev@gmail.com
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,7 @@
+requests
+arrow
+ics
+binwalk
+hachoir-core
+hachoir-parser
+hachoir-metadata

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ZFG license: just do whatever you want with this code.`