x41x41x90 / pm_shredder

Coming to a place near you.....

Help, I'm getting this error #1

Open oasec1 opened 9 years ago

oasec1 commented 9 years ago

I got this error while attempting to run the sample:

robert@ubuntu:/opt/pm_shredder$ sudo cat YO\ this\ is\ BAD\ !\ \ \ FW-\ Voice\ Message.eml | ./shredder.py
Traceback (most recent call last):
  File "./shredder.py", line 27, in
    import ssdeep # for fuzzy hashes // TEMPORARILY REMOVED
ImportError: No module named ssdeep

After commenting that line out in the shredder.py file I got this error:

robert@ubuntu:/opt/pm_shredder$ sudo cat YO\ this\ is\ BAD\ !\ \ \ FW-\ Voice\ Message.eml | ./shredder.py
Traceback (most recent call last):
  File "./shredder.py", line 204, in
    parse_the_email(my_email) # Does the magic, calls def parse_the_email(email)
  File "./shredder.py", line 167, in parse_the_email
    tSsdeep = ssdeep.hash(each)#hashlib.sha256(each).hexdigest() #ssdeep.hash(each)
NameError: global name 'ssdeep' is not defined

SSDeep is installed, see here:

robert@ubuntu:/opt$ sudo apt-get install ssdeep
Reading package lists... Done
Building dependency tree
Reading state information... Done
ssdeep is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.
robert@ubuntu:/opt$

I loved your presentation, Enjoyed All Your Metadatas Are Belong To Me: Reverse Engineering Emails on an Enterprise?

Thanks for sharing this concept. Robert

x41x41x90 commented 9 years ago

Hey Robert, hopefully I can lend a hand. :)

It looks like you may have ssdeep installed, however you'll need the python implementation of it. Try this here:

https://pypi.python.org/pypi/ssdeep/2.9-0.3

or just "pip install ssdeep" to see if you can get ssdeep to import.

If that doesn't work and you're not able to get ssdeep working, change this line:

tSsdeep = ssdeep.hash(each)#hashlib.sha256(each).hexdigest() #ssdeep.hash(each)

to this:

tSsdeep = hashlib.sha256(each).hexdigest() #ssdeep.hash(each)

This will save the sha256 hash as ssdeep, but it should be enough to get it working for you. Let me know how it works, and glad you liked the presentation!

Regards,

--Ronnie @iHeartMalware

On Tue, Nov 11, 2014 at 4:56 PM, oasec1 notifications@github.com wrote:

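As an added example (not code from pm_shredder or from Ronnie's reply), this is how the attachment-hashing step can be written so that a missing python-ssdeep binding degrades to sha256 without crashing at import time, while keeping the fuzzy hash and the sha256 in separate fields; a sha256 stored under the ssdeep label cannot be compared for similarity later. The .eml it parses is constructed inline and the function names are my own.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Optional dependency: the python-ssdeep binding the thread is about.
# When it is absent we record that fact instead of failing at import time.
try:
    import ssdeep  # provided by the python-ssdeep package, not the apt "ssdeep" binary
    HAVE_SSDEEP = True
except ImportError:
    ssdeep = None
    HAVE_SSDEEP = False

# Constructed sample attachment bytes (not a real archive, just a fake "PK" header).
ATTACHMENT_BYTES = b"PK\x03\x04" + b"constructed sample attachment body, not a real zip"


def build_sample_eml() -> bytes:
    """Build a small multipart message with one binary attachment (constructed, offline)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "analyst@example.com"
    msg["Subject"] = "FW: Voice Message"
    msg.set_content("You have a new voice message, see attachment.")
    msg.add_attachment(
        ATTACHMENT_BYTES,
        maintype="application",
        subtype="octet-stream",
        filename="VoiceMessage.zip",
    )
    return msg.as_bytes()


def hash_blob(data: bytes) -> dict:
    """Return the sha256 of `data`, plus an ssdeep fuzzy hash when the binding is available.

    The two values live in separate keys on purpose: a sha256 dropped into an
    'ssdeep' field looks like a fuzzy hash but can never score as similar to anything.
    """
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "ssdeep": None,
        "fuzzy_hash_available": HAVE_SSDEEP,
    }
    if HAVE_SSDEEP:
        result["ssdeep"] = ssdeep.hash(data)
    return result


def extract_attachments(raw_eml: bytes) -> list:
    """Parse an RFC 822 message and hash every part marked as an attachment."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        # Skip the multipart container and inline body parts.
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        entry = {
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
        }
        entry.update(hash_blob(payload))
        findings.append(entry)
    return findings


if __name__ == "__main__":
    import sys

    # Read an .eml from a path given on the command line, else use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    else:
        raw = build_sample_eml()
    for attachment in extract_attachments(raw):
        print(attachment)
```

Run it with no arguments to hash the constructed sample, or pass a saved .eml path; when python-ssdeep is not importable the output still carries the sha256 and says fuzzy_hash_available is False.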

oasec1 commented 9 years ago

Changing the file was unsuccessful. The new pip install also threw errors.

robert@ubuntu:/opt$ pip install ssdeep
Downloading/unpacking ssdeep
  Downloading ssdeep-3.1.tar.gz (386kB): 386kB downloaded
  Running setup.py (path:/tmp/pip_build_robert/ssdeep/setup.py) egg_info for package ssdeep
    Traceback (most recent call last):
      File "", line 17, in
      File "/tmp/pip_build_robert/ssdeep/setup.py", line 128, in
        ext_package="ssdeep",
      File "/usr/lib/python2.7/distutils/core.py", line 112, in setup
        _setup_distribution = dist = klass(attrs)
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 221, in init
        self.fetch_build_eggs(attrs.pop('setup_requires'))
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 245, in fetch_build_eggs
        parse_requirements(requires), installer=self.fetch_build_egg
      File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 598, in resolve
        raise VersionConflict(dist,req) # XXX put more info here
    pkg_resources.VersionConflict: (six 1.3.0 (/usr/lib/python2.7/dist-packages), Requirement.parse('six>=1.4.1'))
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "", line 17, in
      File "/tmp/pip_build_robert/ssdeep/setup.py", line 128, in
        ext_package="ssdeep",
      File "/usr/lib/python2.7/distutils/core.py", line 112, in setup
        _setup_distribution = dist = klass(attrs)
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 221, in init
        self.fetch_build_eggs(attrs.pop('setup_requires'))
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 245, in fetch_build_eggs
        parse_requirements(requires), installer=self.fetch_build_egg
      File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 598, in resolve
        raise VersionConflict(dist,req) # XXX put more info here
    pkg_resources.VersionConflict: (six 1.3.0 (/usr/lib/python2.7/dist-packages), Requirement.parse('six>=1.4.1'))
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip_build_robert/ssdeep
Storing debug log for failure in /tmp/tmpt2KBX2

On Tue, Nov 11, 2014 at 7:55 PM, x41x41x90 notifications@github.com wrote:


x41x41x90 commented 9 years ago

How about sudo pip install ssdeep?

On Nov 11, 2014 8:16 PM, "oasec1" notifications@github.com wrote:


oasec1 commented 9 years ago

That caused these errors:

robert@ubuntu:/opt$ pip install ssdeep
Downloading/unpacking ssdeep
  Downloading ssdeep-3.1.tar.gz (386kB): 386kB downloaded
  Running setup.py (path:/tmp/pip_build_robert/ssdeep/setup.py) egg_info for package ssdeep
    Traceback (most recent call last):
      File "", line 17, in
      File "/tmp/pip_build_robert/ssdeep/setup.py", line 128, in
        ext_package="ssdeep",
      File "/usr/lib/python2.7/distutils/core.py", line 112, in setup
        _setup_distribution = dist = klass(attrs)
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 221, in init
        self.fetch_build_eggs(attrs.pop('setup_requires'))
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 245, in fetch_build_eggs
        parse_requirements(requires), installer=self.fetch_build_egg
      File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 598, in resolve
        raise VersionConflict(dist,req) # XXX put more info here
    pkg_resources.VersionConflict: (six 1.3.0 (/usr/lib/python2.7/dist-packages), Requirement.parse('six>=1.4.1'))
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "", line 17, in
      File "/tmp/pip_build_robert/ssdeep/setup.py", line 128, in
        ext_package="ssdeep",
      File "/usr/lib/python2.7/distutils/core.py", line 112, in setup
        _setup_distribution = dist = klass(attrs)
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 221, in init
        self.fetch_build_eggs(attrs.pop('setup_requires'))
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 245, in fetch_build_eggs
        parse_requirements(requires), installer=self.fetch_build_egg
      File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 598, in resolve
        raise VersionConflict(dist,req) # XXX put more info here
    pkg_resources.VersionConflict: (six 1.3.0 (/usr/lib/python2.7/dist-packages), Requirement.parse('six>=1.4.1'))
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip_build_robert/ssdeep
Storing debug log for failure in /tmp/tmpt2KBX2

On Tue, Nov 11, 2014 at 8:17 PM, x41x41x90 notifications@github.com wrote:


oasec1 commented 9 years ago

Here is the output log file:

Downloading/unpacking ssdeep
  Getting page https://pypi.python.org/simple/ssdeep/
  URLs to search for versions for ssdeep:
    Found link https://pypi.python.org/packages/source/s/ssdeep/ssdeep-2.5.tar.gz#md5=fd9e5271c01ca389cc621ae306327ab6 ($
    Found link https://pypi.python.org/packages/source/s/ssdeep/ssdeep-2.9-0.1.zip#md5=58ca7f02f75c4ca90001cdb85045f53d $
    Found link https://pypi.python.org/packages/source/s/ssdeep/ssdeep-2.9-0.2.zip#md5=6cf29a15cca50085f9a83ff1128a87f1 $
    Found link https://pypi.python.org/packages/source/s/ssdeep/ssdeep-2.9-0.3.tar.gz#md5=ba7125cd68c4fcc4a69a3811dc8aa7$
    Found link https://pypi.python.org/packages/source/s/ssdeep/ssdeep-3.0.tar.gz#md5=cabd8d06fe67f7796df193ef15a68859 ($
    Found link https://pypi.python.org/packages/source/s/ssdeep/ssdeep-3.1.tar.gz#md5=645ecb3fecb6c490938ae4b1c5d3e2ea ($
    Skipping link http://ssdeep.sourceforge.net/ (from https://pypi.python.org/simple/ssdeep/); not a file
    Skipping link http://ssdeep.sourceforge.net/changes.txt (from https://pypi.python.org/simple/ssdeep/); unknown archi$
    Skipping link http://www.dinotools.org/ (from https://pypi.python.org/simple/ssdeep/); not a file
    Skipping link https://bitbucket.org/denis/ssdeep (from https://pypi.python.org/simple/ssdeep/); not a file
    Skipping link https://github.com/DinoTools/python-ssdeep (from https://pypi.python.org/simple/ssdeep/); not a file
  Using version 3.1 (newest of versions: 3.1, 3.0, 2.9-0.3, 2.9-0.2, 2.9-0.1, 2.5)

Doesn't show any errors here... Ugh

On Tue, Nov 11, 2014 at 8:27 PM, Rob Ayers oasec1@gmail.com wrote:


x41x41x90 commented 9 years ago

Blah, ssdeep library always gave me problems too. :)

Try to comment out the ssdeep import and use tSsdeep = hashlib.sha256(each).hexdigest(). That should get ya something working.

Regards,

On Nov 11, 2014 8:29 PM, "oasec1" notifications@github.com wrote:

here is the output log file

Downloading/unpacking ssdeep Getting page https://pypi.python.org/simple/ssdeep/ URLs to search for versions for ssdeep:

https://pypi.python.org/packages/source/s/ssdeep/ssdeep-2.5.tar.gz#md5=fd9e5271c01ca389cc621ae306327ab6 ($ Found link

https://pypi.python.org/packages/source/s/ssdeep/ssdeep-2.9-0.1.zip#md5=58ca7f02f75c4ca90001cdb85045f53d $ Found link

https://pypi.python.org/packages/source/s/ssdeep/ssdeep-2.9-0.2.zip#md5=6cf29a15cca50085f9a83ff1128a87f1 $ Found link

https://pypi.python.org/packages/source/s/ssdeep/ssdeep-2.9-0.3.tar.gz#md5=ba7125cd68c4fcc4a69a3811dc8aa7$ Found link

https://pypi.python.org/packages/source/s/ssdeep/ssdeep-3.0.tar.gz#md5=cabd8d06fe67f7796df193ef15a68859 ($ Found link

https://pypi.python.org/packages/source/s/ssdeep/ssdeep-3.1.tar.gz#md5=645ecb3fecb6c490938ae4b1c5d3e2ea ($ Skipping link http://ssdeep.sourceforge.net/ (from https://pypi.python.org/simple/ssdeep/); not a file Skipping link http://ssdeep.sourceforge.net/changes.txt (from https://pypi.python.org/simple/ssdeep/); unknown archi$ Skipping link http://www.dinotools.org/ (from https://pypi.python.org/simple/ssdeep/); not a file Skipping link https://bitbucket.org/denis/ssdeep (from https://pypi.python.org/simple/ssdeep/); not a file Skipping link https://github.com/DinoTools/python-ssdeep (from https://pypi.python.org/simple/ssdeep/); not a file Using version 3.1 (newest of versions: 3.1, 3.0, 2.9-0.3, 2.9-0.2, 2.9-0.1, 2.5)

Doesn't show any errors here... Ugh

On Tue, Nov 11, 2014 at 8:27 PM, Rob Ayers oasec1@gmail.com wrote:

that caused these errors

robert@ubuntu:/opt$ pip install ssdeep Downloading/unpacking ssdeep Downloading ssdeep-3.1.tar.gz (386kB): 386kB downloaded Running setup.py (path:/tmp/pip_build_robert/ssdeep/setup.py) egg_info for package ssdeep Traceback (most recent call last): File "", line 17, in File "/tmp/pip_build_robert/ssdeep/setup.py", line 128, in ext_package="ssdeep", File "/usr/lib/python2.7/distutils/core.py", line 112, in setup _setup_distribution = dist = klass(attrs) File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 221, in init self.fetch_build_eggs(attrs.pop('setup_requires')) File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 245, in fetch_build_eggs parse_requirements(requires), installer=self.fetch_build_egg File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 598, in resolve raise VersionConflict(dist,req) # XXX put more info here pkg_resources.VersionConflict: (six 1.3.0 (/usr/lib/python2.7/dist-packages), Requirement.parse('six>=1.4.1')) Complete output from command python setup.py egg_info: Traceback (most recent call last):

File "", line 17, in

File "/tmp/pip_build_robert/ssdeep/setup.py", line 128, in

ext_package="ssdeep",

File "/usr/lib/python2.7/distutils/core.py", line 112, in setup

_setup_distribution = dist = klass(attrs)

File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 221, in init

self.fetch_build_eggs(attrs.pop('setup_requires'))

File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 245, in fetch_build_eggs

parse_requirements(requires), installer=self.fetch_build_egg

File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 598, in resolve

raise VersionConflict(dist,req) # XXX put more info here

pkg_resources.VersionConflict: (six 1.3.0 (/usr/lib/python2.7/dist-packages), Requirement.parse('six>=1.4.1'))


Cleaning up... Command python setup.py egg_info failed with error code 1 in /tmp/pip_build_robert/ssdeep Storing debug log for failure in /tmp/tmpt2KBX2


oasec1 commented 9 years ago

OK, making that change let me get a bit further; see below.

robert@ubuntu:/opt/pm_shredder$ sudo cat Message\ Filtered\ (Filter\ \ EISO-20140.msg | ./shredder.py
cat: Message Filtered (Filter EISO-20140.msg: No such file or directory
Traceback (most recent call last):
  File "./shredder.py", line 204, in <module>
    parse_the_email(my_email) # Does the magic, calls def parse_the_email(email)
  File "./shredder.py", line 173, in parse_the_email
    my_db.execute("INSERT INTO hash_db VALUES (\'" + my_uuid + "\', \'" + tMd5 + "\', \'" + tSha256 + "\', \'" + tSsdeep + "\')")
sqlite3.OperationalError: attempt to write a readonly database

Any thoughts?

Contents of folder:

robert@ubuntu:/opt/pm_shredder$ ls
clarityData
create_db.py
display_db.py
makePath.py
Message Filtered (Filter EISO-201403) (1).msg
Message Filtered (Filter EISO-201403) (2).msg
Message Filtered (Filter EISO-201403).msg
Message Filtered (Filter EISO-201409).msg
README.md
Rules
shredder.py
shredder.py.org
yara_headers.yar
yara_include.yar
YO this is BAD ! FW- Voice Message.eml


x41x41x90 commented 9 years ago

Alright...hopefully this will be the last piece. :)

Remove the database (rm clarityData) and ./create_db.py. That will re-initialize a database for you, and hopefully get you working.

You may want to do it like cat email.eml | ./shredder.py debug, as that should let you bypass VirusTotal integration if you didn't put in a key. I usually pass "no no", and that's enough for me.

Let me know if that works for ya!

Regards,

--Ronnie @iHeartMalware


oasec1 commented 9 years ago

OK, I was working in Linux yesterday and got that to work. :) Now today I'm in Windows and also got that to work. One question: would it be hard to add code to parse multiple messages matching a specific file extension, i.e. .msg, .eml, etc.?

Thanks for all of your help. :) Robert

> > > > Robert > > > > > > > > — > > > > Reply to this email directly or view it on GitHub > > > > https://github.com/x41x41x90/pm_shredder/issues/1. > > > > > > — > > > Reply to this email directly or view it on GitHub > > > <

https://github.com/x41x41x90/pm_shredder/issues/1#issuecomment-62652520>.

— Reply to this email directly or view it on GitHub <

https://github.com/x41x41x90/pm_shredder/issues/1#issuecomment-62654359>.

— Reply to this email directly or view it on GitHub <

https://github.com/x41x41x90/pm_shredder/issues/1#issuecomment-62654498>

.

— Reply to this email directly or view it on GitHub < https://github.com/x41x41x90/pm_shredder/issues/1#issuecomment-62655428>.

— Reply to this email directly or view it on GitHub < https://github.com/x41x41x90/pm_shredder/issues/1#issuecomment-62656962>.

— Reply to this email directly or view it on GitHub https://github.com/x41x41x90/pm_shredder/issues/1#issuecomment-62669303.

— Reply to this email directly or view it on GitHub https://github.com/x41x41x90/pm_shredder/issues/1#issuecomment-62725253.

x41x41x90 commented 9 years ago

Parsing .msg files gets messy, so that's why I have just the .eml files. This was meant to be able to pull things off the wire, so that's why I stuck with .eml files. :)

Regards,

--Ronnie @iHeartMalware

oasec1 commented 9 years ago

Can it process multiple .eml messages with one command line?

x41x41x90 commented 9 years ago

You'll just need a dispatcher to have it suck in the files. This is by design, as it's meant to be run with postfix for threading.

--Ronnie @iHeartMalware

On Wed, Nov 12, 2014 at 11:35 AM, oasec1 notifications@github.com wrote:

can it process multiple .eml messages with one command line?

On Wed, Nov 12, 2014 at 11:03 AM, x41x41x90 notifications@github.com wrote:

Parsing .msg files gets messy, so that's why I have just the .eml files. This was meant to be able to pull things off the wire, so that's why I stuck with .eml files. :)

Regards,

--Ronnie @iHeartMalware

On Wed, Nov 12, 2014 at 10:44 AM, oasec1 notifications@github.com wrote:

OK I was working in Linux yesterday and got that to work now. :) now today I'm in windows and also got that to work. I question would it be hard to add the code to parse multiple messages matching a specific file extension, IE; msg,eml etc?

Thanks for all of your help. :) Robert

On Wed, Nov 12, 2014 at 9:29 AM, x41x41x90 notifications@github.com wrote:

Alright...hopefully this will be the last piece. :)

Remove the database (rm clarityData) and ./create_db.py. That will re-initialize a database for you, and hopefully get you working.

You may want to do it like cat email.eml | ./shredder.py debug, as that should let you bypass VirusTotal integration if you didn't put in a key. I usually pass "no no", and that's enough for me.

Let me know if that works for ya!

Regards,

--Ronnie @iHeartMalware

On Tue, Nov 11, 2014 at 11:39 PM, oasec1 notifications@github.com wrote:

ok, making that change let me get a bit further, see below.

robert@ubuntu:/opt/pm_shredder$ sudo cat Message\ Filtered\ (Filter\ \ EISO-20140.msg | ./shredder.py cat: Message Filtered (Filter EISO-20140.msg: No such file or directory Traceback (most recent call last): File "./shredder.py", line 204, in parse_the_email(my_email) # Does the magic, calls def parse_the_email(email) File "./shredder.py", line 173, in parse_the_email my_db.execute("INSERT INTO hash_db VALUES (\'" + my_uuid + "\', \'" + tMd5 + "\', \'" + tSha256 + "\', \'" + tSsdeep + "\')") sqlite3.OperationalError: attempt to write a readonly database

Any thoughts?

Contents of folder:

```text
robert@ubuntu:/opt/pm_shredder$ ls
clarityData    Message Filtered (Filter EISO-201403) (1).msg  README.md        yara_headers.yar
create_db.py   Message Filtered (Filter EISO-201403) (2).msg  Rules            yara_include.yar
display_db.py  Message Filtered (Filter EISO-201403).msg      shredder.py      YO this is BAD ! FW- Voice Message.eml
makePath.py    Message Filtered (Filter EISO-201409).msg      shredder.py.org
```

On Tue, Nov 11, 2014 at 8:48 PM, x41x41x90 notifications@github.com wrote:

Blah, ssdeep library always gave me problems too. :)

Try to comment out the ssdeep import and use `tSsdeep = hashlib.sha256(each).hexdigest()`. That should get ya something working.

Regards,

On Nov 11, 2014 8:29 PM, "oasec1" notifications@github.com wrote:

here is the output log file


Doesn't show any errors here... Ugh

On Tue, Nov 11, 2014 at 8:27 PM, Rob Ayers oasec1@gmail.com wrote:

That caused these errors:

```text
robert@ubuntu:/opt$ pip install ssdeep
Downloading/unpacking ssdeep
  Downloading ssdeep-3.1.tar.gz (386kB): 386kB downloaded
  Running setup.py (path:/tmp/pip_build_robert/ssdeep/setup.py) egg_info for package ssdeep
    Traceback (most recent call last):
      File "<string>", line 17, in <module>
      File "/tmp/pip_build_robert/ssdeep/setup.py", line 128, in <module>
        ext_package="ssdeep",
      File "/usr/lib/python2.7/distutils/core.py", line 112, in setup
        _setup_distribution = dist = klass(attrs)
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 221, in __init__
        self.fetch_build_eggs(attrs.pop('setup_requires'))
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 245, in fetch_build_eggs
        parse_requirements(requires), installer=self.fetch_build_egg
      File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 598, in resolve
        raise VersionConflict(dist,req) # XXX put more info here
    pkg_resources.VersionConflict: (six 1.3.0 (/usr/lib/python2.7/dist-packages), Requirement.parse('six>=1.4.1'))
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):

  File "<string>", line 17, in <module>

  File "/tmp/pip_build_robert/ssdeep/setup.py", line 128, in <module>

    ext_package="ssdeep",

  File "/usr/lib/python2.7/distutils/core.py", line 112, in setup

    _setup_distribution = dist = klass(attrs)

  File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 221, in __init__

    self.fetch_build_eggs(attrs.pop('setup_requires'))

  File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 245, in fetch_build_eggs

    parse_requirements(requires), installer=self.fetch_build_egg

  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 598, in resolve

    raise VersionConflict(dist,req) # XXX put more info here

pkg_resources.VersionConflict: (six 1.3.0 (/usr/lib/python2.7/dist-packages), Requirement.parse('six>=1.4.1'))

----------------------------------------
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip_build_robert/ssdeep
Storing debug log for failure in /tmp/tmpt2KBX2
```

On Tue, Nov 11, 2014 at 8:17 PM, x41x41x90 notifications@github.com wrote:

How about sudo pip install ssdeep?

On Nov 11, 2014 8:16 PM, "oasec1" notifications@github.com wrote:

Changing the file was unsuccessful. The new pip install also threw errors.



oasec1 commented 9 years ago

OK, I was able to kludge up a working script file. Now for a few other questions. Your README mentions tying it into a SIEM; we have a SIEM and Splunk, and my preference is to tie it into that. Do you have more information regarding making the connection, or how to do that? I have to tell you this is a great approach to this.

On Wed, Nov 12, 2014 at 1:03 PM, x41x41x90 notifications@github.com wrote:

You'll just need a dispatcher to have it suck in the files. This is by design, as it's meant to be run with postfix for threading.

--Ronnie @iHeartMalware

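The per-file dispatcher Ronnie refers to above, written out as an added example that is not part of pm_shredder: it finds the .eml files in a folder (skipping .msg, which shredder.py does not parse) and pipes each one into the shredder command on stdin, the same way `cat email.eml | ./shredder.py debug` does for a single message. The command list, the timeout and the exit-code bookkeeping are assumptions of this example, not behaviour documented by the project.

```python
"""Feed every .eml in a directory through shredder.py, one message at a time.

Added example, not part of pm_shredder. It assumes shredder.py reads one
RFC 822 message on stdin (as in `cat email.eml | ./shredder.py debug`) and
that a non-zero exit status means the message was not processed.
"""
import subprocess
from pathlib import Path
from typing import Dict, List, Sequence


def find_messages(directory: str, extensions: Sequence[str] = (".eml",)) -> List[Path]:
    """Return message files in `directory`, sorted by name.

    .msg files are left out by default because shredder.py only parses
    .eml input; the suffix match is case-insensitive so 'mail.EML' counts.
    """
    wanted = {ext.lower() for ext in extensions}
    return sorted(
        p for p in Path(directory).iterdir()
        if p.is_file() and p.suffix.lower() in wanted
    )


def dispatch(directory: str, command: Sequence[str], timeout: float = 60.0) -> Dict[str, int]:
    """Run `command` once per message with the file's bytes on stdin.

    Returns {filename: exit_status}. A timeout is recorded as -1 so one
    stuck message does not stop the batch. No shell is involved, so odd
    file names with spaces or '!' (see the ls listing in the thread) need
    no quoting.
    """
    results: Dict[str, int] = {}
    for path in find_messages(directory):
        data = path.read_bytes()
        try:
            proc = subprocess.run(
                list(command), input=data, capture_output=True, timeout=timeout
            )
            results[path.name] = proc.returncode
        except subprocess.TimeoutExpired:
            results[path.name] = -1
    return results


if __name__ == "__main__":
    import sys

    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    # "debug" is the mode from the thread that skips the VirusTotal lookup
    # when no API key has been configured (assumed, per the discussion above).
    for name, status in dispatch(folder, ["./shredder.py", "debug"]).items():
        print(f"{status:>3}  {name}")
```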