DanielWidmayer / mail-attac

Cracking encrypted Mail Attachements Passwords
MIT License

additional archive formats #1

Open yoshimo opened 3 years ago

yoshimo commented 3 years ago

https://en.wikipedia.org/wiki/List_of_archive_formats When I look at the compression section and compare it with JTR's various extractors, I think there should be at least support for rar and 7z, which are also quite common.

Rarely I see arj, ace, egg and alz, but so far they are not encrypted just yet, although the format supports it. Support for those in JTR and RspamD is incomplete and depends on work there as well.

JBHRgm commented 3 years ago

Sorry for the late reply, we have been busy with other projects for the last few weeks so we kind of forgot about it. As far as I can understand your issue, you are referring to other archive extensions than just .zip. This should be easy to achieve as we are using magic numbers (aka hex signatures) of the passed datastreams for comparison in our oletools function in the olefy.py file. You could add the magic numbers of your desired format to the if statement at line 96 in regards to this list: https://en.wikipedia.org/wiki/List_of_file_signatures If you want to include 7z archives you could add the following as an or-statement: `stream[:6] == "37 7A BC AF 27 1C"` as this hexcode matches the hex signature for 7z, at least according to the list mentioned before. This is probably not the best solution and can be improved upon, but it was the simplest to get started.

Note: We didn't do a lot of testing with other file extensions than zip, but according to the list zip shares its hex signature with other files like Word or PowerPoint. We don't know how the program will behave if such files are being passed, but we are willing to also look into that and post it as an issue if it's necessary.

Please be aware that this project is not finished yet as we ran into major problems that we couldn't get fixed. We will update this repository with the necessary wiki and probably some code changes in the near future. There is going to be a detailed description of the problem that we ran into if we can't get it fixed.

regards, JB
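Byte-signature detection of the kind described above, as an added example (not the project's olefy.py code and not the commenter's snippet): the stream has to be compared as raw bytes rather than a hex string, and because the zip signature is shared with Office Open XML documents, the example also tells those apart and checks the zip encryption flag bit. The sample archives are constructed in memory; the 7z and rar inputs are signature-only stubs.

```python
import io
import zipfile
from typing import Dict, Optional

# Magic numbers from the file-signature list cited in the thread, as bytes.
# (The hex string "37 7A BC AF 27 1C" would never compare equal to stream[:6].)
SIGNATURES = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),   # RAR 1.5-4.x and RAR 5
}


def detect_archive(stream: bytes) -> Optional[str]:
    """Return the archive family of a datastream by its leading bytes, or None."""
    for fmt, magics in SIGNATURES.items():
        if stream.startswith(magics):        # startswith accepts a tuple of prefixes
            return fmt
    return None


def zip_is_ooxml(stream: bytes) -> bool:
    """docx/pptx/xlsx share the zip magic; they always contain [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(stream)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def zip_has_encrypted_entry(stream: bytes) -> bool:
    """Bit 0 of an entry's general-purpose flag marks it as encrypted (ZipCrypto or AES)."""
    try:
        with zipfile.ZipFile(io.BytesIO(stream)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def _make_zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples. The "encrypted" one is the plain zip with the flag word
# (offset 8 of the central-directory header, right after the two version fields) set to 1.
PLAIN_ZIP = _make_zip({"invoice.txt": b"constructed sample"})
OOXML_ZIP = _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})
_cd = PLAIN_ZIP.index(b"PK\x01\x02")
ENCRYPTED_ZIP = PLAIN_ZIP[:_cd + 8] + b"\x01\x00" + PLAIN_ZIP[_cd + 10:]
SEVENZ_STUB = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26
```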

yoshimo commented 3 years ago

Even if you can, I am sure it will be interesting to see what others struggle with.

yoshimo commented 3 years ago

RspamD seems to have worked on finding the proper mimetype for archives, why would we have to rely on our own matching of filetypes and encryption state via hex strings?

JBHRgm commented 3 years ago

I think I know what you are referring to. Once you configure oletools as an external service of Rspamd you can filter elements by MIME or content type (external_services.conf). We tried it that way before but didn't end up with the result we expected. That is why we just pass everything on to the service and check there. We are aware that this is not the intended way, but as said earlier it was the easiest ^^. We will probably also look into that again with some more testing of Rspamd's type recognition. But if you came up with your own solution in the meantime, we would definitely appreciate you sharing it with us :)

JBHRgm commented 3 years ago

Support for 7zip and rar has been added. It really seems like John would be the limiting factor as (at least for zip, 7z and rar) every archive seems to need its own "2john" function.

yoshimo commented 3 years ago

Eventually you need to handle it in all 3 places: RSpamD for detection and unpacking, so that we can analyse the content in a sandbox or antivirus tool; JTR for cracking the password; and Mail-Attac for connecting both. Requests for all formats are done, samples are in the JTR sample repo.

https://github.com/openwall/john/issues/4569 https://github.com/openwall/john-samples/pull/6 https://github.com/rspamd/rspamd/issues/3403 https://github.com/rspamd/rspamd/issues/2815

Although I forgot arj issues "upstream", as it seems.

For now I think everything that is part of https://github.com/rspamd/rspamd/blob/75d5d020bce87534c3f802e20bbf0bca465705d2/src/libmime/archives.c, is detected as encrypted and has an implemented unpacker should cover most cases.