
Binary XOR decoder

Handy if you have a few binaries to reverse, and need a quick and dirty way to perform an XOR on them with the given key.


# Usage banner: printed unconditionally before the arguments are examined,
# so a bad invocation still shows the expected command line.
print("[+] XOR binary decoder by Y")
print("[+] Will perform an XOR decode on files given spcified key")
print("[+] contact : If you know me then give me a shout")
print("[+] usage: ./xor_decode.py <FILE_PATH> <key>")
print("[+] example: ./xor_decode.py binary.bin 0xAA,0x00,0xAB")
print("\n")

import sys


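def _parse_key(key):
    """Turn the user-supplied key into a list of byte values (0..255).

    Accepts the command-line text form ``"0xAA,0x00,0xAB"`` (comma-separated
    hex bytes, the ``0x`` prefix optional) or any iterable of ints.  On
    Python 2 a raw byte string is indistinguishable from the text form and is
    parsed as hex text.

    Raises:
        ValueError: on an empty key or a byte outside 0..255.
    """
    if isinstance(key, str):
        parts = [p.strip() for p in key.split(",") if p.strip()]
        key_bytes = [int(p, 16) for p in parts]
    else:
        key_bytes = [int(k) for k in key]
    if not key_bytes:
        raise ValueError("XOR key must contain at least one byte")
    for b in key_bytes:
        if not 0 <= b <= 255:
            raise ValueError("key byte out of range 0..255: %r" % (b,))
    return key_bytes


def decode(xored_file, key, offset=11):
    """XOR-decode *xored_file* with a repeating key and write <file>.decoded.

    Byte i of the output is input byte (offset + i) XORed with
    key[i % len(key)], i.e. the key restarts at the first decoded byte.

    Args:
        xored_file: path of the XOR-encoded input file.
        key: key in the form described by ``_parse_key`` (e.g. "0xAA,0x00,0xAB").
        offset: number of leading input bytes to skip.  Defaults to 11, the
            value hard-coded in the original script -- presumably a fixed
            header size; TODO confirm against the samples this was written for.

    Returns:
        The path of the file written (``xored_file + ".decoded"``).

    Raises:
        ValueError: from ``_parse_key`` on a malformed key.
        IOError/OSError: if the input cannot be read or the output written.
    """
    key_bytes = _parse_key(key)
    n_key = len(key_bytes)

    # bytearray yields ints on both Python 2 and 3, so no ord()/chr() dance.
    with open(xored_file, "rb") as f_in:
        raw = bytearray(f_in.read())

    # Build the whole output in one buffer instead of str concatenation,
    # which is quadratic on a large binary.
    decoded = bytearray(
        raw[i] ^ key_bytes[(i - offset) % n_key]
        for i in range(offset, len(raw))
    )

    out_name = xored_file + ".decoded"
    with open(out_name, "wb") as f_out:
        f_out.write(bytes(decoded))
    return out_name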

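if __name__ == "__main__":
    # Guarded so importing the module does not run the decoder; the
    # argument check turns a bare IndexError into the usage line.
    if len(sys.argv) != 3:
        sys.exit("usage: ./xor_decode.py <FILE_PATH> <key>   (key e.g. 0xAA,0x00,0xAB)")
    xored_file = sys.argv[1]
    key = sys.argv[2]
    decode(xored_file, key)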

IDS/IPS Testing with EICAR

The following script submits the well-known EICAR anti-virus test string over multiple protocols and ports so that an IDS/IPS can alert on it. It can be used to check how well an IDS picks up malware-like content seen on the wire.

# IMPORTS
import socket
import httplib,urllib
import ftplib
import telnetlib

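# The 68-byte EICAR test string. Raw literal: the backslash after "[4" is a
# literal character, and "\P" in a normal string is an invalid escape that
# newer interpreters warn about (and will eventually reject).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
############# CONFIGURATION #############
IP = "127.0.0.1"  # target host; every send* call in start_test aims here
############# END OF CONF #############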


def info():
    """Print the banner: author, supported protocols and the ports exercised."""
    banner = (
        "[+] Multi-Protocol EICAR tester by Y",
        "[+] contact : If you know me then give me a shout",
        "[+] Supports - HTTP, FTP, TELNET, SSL , TCP , UDP , DNS",
        "[+] NOTE: Set NC listener on specific ports between the hosts and DIS and watch IDS alerting on protocols",
        "[+] Following ports are used: 21(TCP),23(TCP),25(TCP),100(UDP),80(TCP),22(TCP),443(TCP),53(UDP)",
    )
    for line in banner:
        print(line)

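def sendHTTP(data, target, port, timeout=4):
    """Send *data* to target:port over plain HTTP with several methods.

    HEAD, GET, PUT and DELETE carry the payload in the request line (as the
    URL); POST carries it form-encoded in the body.  Each method gets its own
    connection and its reply is read: httplib raises CannotSendRequest for a
    second request() on a connection whose response was never consumed, so
    sharing one connection only ever puts the first method on the wire.
    A failing method is reported and the remaining ones are still tried.

    Args:
        data: payload string (start_test passes EICAR).
        target: host name or IP address.
        port: TCP port.
        timeout: socket timeout in seconds for each connection.
    """
    try:
        print("[+] Sending HTTP request")
        body = urllib.urlencode({'eicar': data})
        headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
        for method, url, payload, hdrs in (
            ("HEAD", data, None, None),
            ("GET", data, None, None),
            ("POST", "", body, headers),
            ("PUT", data, None, None),
            ("DELETE", data, None, None),
        ):
            print("\t %s" % method)
            conn = httplib.HTTPConnection(target, port, timeout=timeout)
            try:
                if payload is None:
                    conn.request(method, url)
                else:
                    conn.request(method, url, payload, hdrs)
                # Drain the reply so the exchange is complete on the wire.
                conn.getresponse().read()
            except Exception as e:
                print("\t [-] %s failed: %s" % (method, e))
            finally:
                conn.close()
    except Exception as e:
        print("[-] Unable to send HTTP data due to : %s" % e)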
    
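def sendFTP(data, target, port, timeout=4):
    """Open an FTP control connection to target:port and send *data* as one line.

    No login is attempted: the payload goes out raw on the control channel
    (ftplib's putline appends CRLF).  Errors are printed, not raised.

    Args:
        data: payload string (start_test passes EICAR).
        target: host name or IP address.
        port: TCP port.
        timeout: socket timeout in seconds; connect() blocks reading the
            server banner, so an unresponsive listener would otherwise hang.
    """
    try:
        print("[+] Sending FTP request")
        ftp = ftplib.FTP()
        ftp.connect(target, port, timeout)
        try:
            ftp.putline(data)  # send single EICAR request
        finally:
            ftp.close()
    except Exception as e:
        print("[-] Unable to send FTP data due to : %s" % e)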
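def sendTelnet(data, target, port, timeout=4):
    """Connect to target:port with telnetlib and write *data* once.

    Uses the *data* argument rather than the module-level EICAR so the
    helper behaves like the other send* functions.  telnetlib doubles any
    0xFF (IAC) bytes in the payload; EICAR contains none.

    Args:
        data: payload string.
        target: host name or IP address.
        port: TCP port.
        timeout: connect timeout in seconds.
    """
    try:
        print("[+] Sending TELNET request")
        tn = telnetlib.Telnet(target, port, timeout)
        try:
            tn.write(data)
        finally:
            tn.close()
    except Exception as e:
        print("[-] Unable to send TELNET data due to : %s" % e)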

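def sendSMTP(data, target, port, timeout=4):
    """Write a minimal SMTP dialogue carrying *data* as the message body.

    Commands are written blind (no replies are read); the aim is only a
    well-formed SMTP exchange on the wire for the sensor to parse, so a real
    MTA may well reject it.  Every command is CRLF-terminated and the DATA
    section ends with the "<CRLF>.<CRLF>" terminator -- without those the
    whole dialogue is one unterminated command line and SMTP-aware
    inspection never sees a message.

    Args:
        data: message body (start_test passes EICAR).
        target: host name or IP address.
        port: TCP port.
        timeout: connect timeout in seconds.
    """
    try:
        print("[+] Sending SMTP request")
        tn = telnetlib.Telnet(target, port, timeout)
        try:
            for line in (
                "HELO localhost",
                "MAIL FROM: root@localhost",
                "RCPT TO: root@localhost",
                "DATA",
                data,
                ".",
                "QUIT",
            ):
                tn.write(line + "\r\n")
        finally:
            tn.close()
    except Exception as e:
        print("[-] Unable to send SMTP data due to : %s" % e)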
    
def sendSSH(data,targer,port):
    """Placeholder: SSH delivery is not implemented (see the TODO in start_test).

    Takes the same (data, target, port) arguments as the other send* helpers
    -- note the second parameter is spelled ``targer`` -- and returns None.
    """
    return None

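def sendSSL(data, target, port, timeout=4):
    """Send *data* to target:port over HTTPS with several methods.

    Same method set as sendHTTP (HEAD, GET, PUT, DELETE with the payload in
    the request line; POST with it form-encoded in the body), one connection
    per method with the reply read, because httplib raises CannotSendRequest
    for a second request() on a connection whose response was not consumed.
    On Python 2.7.9+ HTTPSConnection verifies the server certificate unless a
    context is supplied, so a self-signed test listener shows up as a failure
    here rather than as traffic on the wire.

    Args:
        data: payload string (start_test passes EICAR).
        target: host name or IP address.
        port: TCP port.
        timeout: socket timeout in seconds for each connection.
    """
    try:
        print("[+] Sending HTTPS request")
        body = urllib.urlencode({'eicar': data})
        headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
        for method, url, payload, hdrs in (
            ("HEAD", data, None, None),
            ("GET", data, None, None),
            ("POST", "", body, headers),
            ("PUT", data, None, None),
            ("DELETE", data, None, None),
        ):
            print("\t %s" % method)
            conn = httplib.HTTPSConnection(target, port, timeout=timeout)
            try:
                if payload is None:
                    conn.request(method, url)
                else:
                    conn.request(method, url, payload, hdrs)
                # Drain the reply so the exchange is complete on the wire.
                conn.getresponse().read()
            except Exception as e:
                print("\t [-] %s failed: %s" % (method, e))
            finally:
                conn.close()
    except Exception as e:
        print("[-] Unable to send HTTPS data due to : %s" % e)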
    
def sendICMP(data,target):
    """Placeholder: ICMP delivery is not implemented (see the TODO in start_test).

    Unlike the other send* helpers this one takes no port; returns None.
    """
    return None

def sendRCP(data,target,port):
    """Placeholder: not implemented (see the TODO in start_test); returns None."""
    return None

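def sendTCP(data, target, port, timeout=4):
    """Open a TCP connection to target:port, send *data*, close.

    Args:
        data: payload string (start_test passes EICAR).
        target: host name or IP address.
        port: TCP port (int or numeric string).
        timeout: connect/send timeout in seconds.
    """
    try:
        print("[+] Sending TCP data ")
        # Process-wide default retained on purpose: later network calls in
        # this script that pass no timeout of their own inherit it.
        socket.setdefaulttimeout(timeout)
        s = socket.create_connection((target, int(port)), timeout)
        try:
            s.sendall(data)  # send() may stop short of the full payload
        finally:
            s.close()
    except Exception as e:
        print("[-] Unable to send TCP data due to : %s" % e)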

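def sendUDP(data, target, port):
    """Send *data* as a single UDP datagram to target:port.

    Args:
        data: payload string (start_test passes EICAR).
        target: host name or IP address.
        port: UDP port (int or numeric string, matching sendTCP).
    """
    try:
        print("[+] Sending UDP data ")
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.sendto(data, (target, int(port)))
        finally:
            sock.close()  # do not leak the descriptor on each call
    except Exception as e:
        print("[-] Unable to send UDP data due to : %s" % e)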

def sendNETBIOS(data,target,port):
    """Placeholder: not implemented (see the TODO in start_test); returns None."""
    return None

def sendDNS(data,target,port):
    """Send *data* to target:port over UDP -- a raw datagram, not a DNS query.

    Delegates to sendUDP, which reports its own failures; the handler here
    covers anything raised before or around that call.
    """
    try:
        print "[+] Sending DNS request "
        sendUDP(data, target, port)  # dirty trick: plain UDP on the DNS port
    except Exception as e:
        print "[-] Unable to send DNS data due to : ", e


def end():
    """Print the closing hint once every protocol has been exercised."""
    closing = "Done, now review IDS logs for each protocol"
    print(closing)

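def start_test():
    """Run one EICAR delivery per supported protocol against IP, then end().

    Order and ports match the list printed by info().  Each send* helper
    reports its own failure and returns, so one unreachable service does not
    stop the remaining protocols.
    """
    info()

    sendFTP(EICAR, IP, 21)
    sendTelnet(EICAR, IP, 23)
    sendSMTP(EICAR, IP, 25)
    sendUDP(EICAR, IP, 100)
    sendHTTP(EICAR, IP, 80)
    sendTCP(EICAR, IP, 22)
    sendSSL(EICAR, IP, 443)
    # Once is enough: a second identical datagram only duplicates the alert.
    sendDNS(EICAR, IP, 53)

    # TODO: protocol play (HPING2 wrappers) -- sendICMP, sendRCP (445),
    # sendNETBIOS (139) and sendSSH (22) are still stubs and are not called.

    end()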
    
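# Run the test only when executed as a script, so importing the module
# (e.g. to reuse the send* helpers) does not fire traffic at IP.
if __name__ == "__main__":
    start_test()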