Binary XOR decoder
May 1, 2012
Handy if you have a few binaries to reverse and need a quick and dirty way to XOR them with a given key.
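"""Quick-and-dirty XOR decoder for a handful of binaries (tool by Y).

usage:   ./xor_decode.py <FILE_PATH> <key>
example: ./xor_decode.py binary.bin 0xAA,0x00,0xAB

Runs under both Python 2.6+ and Python 3.
"""
import sys


def parse_key(key):
    """Turn a ``"0xAA,0x11,0xAB"``-style key into a list of byte values.

    A list/tuple of ints is accepted unchanged so the decoder can be driven
    programmatically as well as from the command line.  The original script
    wrapped the raw string in a one-element list, which made ``int ^ str``
    fail on the first byte.

    Raises ValueError for an empty key or a value outside 0..255.
    """
    if isinstance(key, (list, tuple, bytearray)):
        key_bytes = [int(k) for k in key]
    else:
        key_bytes = [int(tok.strip(), 16)
                     for tok in str(key).split(",") if tok.strip()]
    if not key_bytes:
        raise ValueError("empty XOR key")
    for k in key_bytes:
        if not 0 <= k <= 255:
            raise ValueError("key byte out of range: %r" % (k,))
    return key_bytes


def decode(xored_file, key, skip=11):
    """XOR-decode *xored_file* with *key* and write ``<xored_file>.decoded``.

    Parameters:
        xored_file: path of the XOR-encoded input file.
        key: key as ``"0xAA,0x11,0xAB"`` (or a sequence of ints 0..255).
        skip: number of leading bytes left out of the output.  The original
              hard-coded 11 (``range(11, len(buf))``) without saying why --
              presumably a header it wanted to drop; pass ``skip=0`` to decode
              the whole file.

    Returns the decoded bytes (the same content that is written to disk).
    Raises ValueError for a bad key; I/O errors propagate from open().
    """
    key_bytes = parse_key(key)
    key_len = len(key_bytes)
    with open(xored_file, "rb") as handle:
        # bytearray yields ints on both Python 2 and 3 (no ord() needed)
        data = bytearray(handle.read())
    # The key is applied cyclically, counting from the first byte after the
    # skip (the original counter started at 0 at index `skip`).
    decoded = bytearray(
        byte ^ key_bytes[i % key_len]
        for i, byte in enumerate(data[skip:])
    )
    out_name = xored_file + ".decoded"
    with open(out_name, "wb") as out:
        # the original wrote `decoded`, the last XORed *int*, instead of the
        # accumulated buffer, so the output file never held the result
        out.write(decoded)
    return bytes(decoded)


def main(argv=None):
    """Command-line entry point: print the banner, validate args, decode."""
    argv = sys.argv[1:] if argv is None else argv
    print("[+] XOR binary decoder by Y")
    print("[+] Will perform an XOR decode on files given spcified key")
    print("[+] contact : If you know me then give me a shout")
    print("[+] usage: ./xor_decode.py <FILE_PATH> <key>")
    print("[+] example: ./xor_decode.py binary.bin 0xAA,0x00,0xAB")
    print("\n")
    if len(argv) != 2:
        # the original died with an IndexError traceback here
        print("[-] expected exactly two arguments: <FILE_PATH> <key>")
        return 1
    xored_file, key = argv
    decode(xored_file, key)
    return 0


if __name__ == "__main__":
    sys.exit(main())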
IDS/IPS Testing with EICAR
January 26, 2012
The following script submits the common EICAR malware test string on multiple ports so that an IDS/IPS can alert on it. It can be used to check how well an IDS picks up malware-like content seen on the wire.
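"""Multi-protocol EICAR tester (tool by Y).

Pushes the EICAR test string over a set of protocols/ports so an inline
IDS/IPS can be checked for alerting on each of them.  The far end is expected
to be a plain listener (the original note says to set an NC listener on the
ports), so nothing here waits for protocol-correct replies.

Runs under Python 2.6+ and Python 3.  telnetlib, which the original used for
TELNET and SMTP, was removed in Python 3.13, so plain sockets are used there.
"""
from __future__ import print_function

# IMPORTS
import socket
import ftplib

try:                                    # Python 2
    import httplib
    from urllib import urlencode
except ImportError:                     # Python 3
    import http.client as httplib
    from urllib.parse import urlencode

# the eicar string to test with (one literal backslash before the P, written
# as \\ so Python 3.12+ does not warn about an invalid escape sequence)
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

############# CONFIGURATION #############
IP = "127.0.0.1"
TIMEOUT = 4  # seconds per connection; the original set this globally in sendTCP only
############# END OF CONF #############


def info():
    """Print the banner and the port/protocol list this tester exercises."""
    print("[+] Multi-Protocol EICAR tester by Y")
    print("[+] contact : If you know me then give me a shout")
    print("[+] Supports - HTTP, FTP, TELNET, SSL , TCP , UDP , DNS")
    print("[+] NOTE: Set NC listener on specific ports between the hosts and DIS and watch IDS alerting on protocols")
    print("[+] Following ports are used: 21(TCP),23(TCP),25(TCP),100(UDP),80(TCP),22(TCP),443(TCP),53(UDP)")


def _as_bytes(data):
    """Return *data* as bytes so it can go straight to a socket on Python 3."""
    if isinstance(data, bytes):
        return data
    return data.encode("latin-1")


def _tcp_send(chunks, target, port, timeout=TIMEOUT):
    """Connect to target:port, send each chunk in order, close.

    Raises whatever socket error occurs; callers report it.  The connection
    timeout is per call rather than socket.setdefaulttimeout(), which the
    original used and which silently changed every socket opened afterwards.
    """
    s = socket.create_connection((target, int(port)), timeout)
    try:
        for chunk in chunks:
            s.sendall(_as_bytes(chunk))
    finally:
        s.close()


def _send_http_methods(make_conn, data, label):
    """Issue HEAD/GET/PUT/DELETE with *data* in the request line and a POST
    carrying it in the body.

    A fresh connection is opened per method.  httplib refuses a second
    request() on a connection whose response was never read
    (CannotSendRequest), which in the original meant only HEAD ever left the
    host while the bare ``except: pass`` hid the error.  Failures of a single
    method are reported and the remaining methods are still attempted.

    make_conn: zero-argument callable returning a new HTTP(S)Connection.
    label: protocol name used in the failure message.
    """
    post_body = urlencode({'eicar': data})
    post_headers = {"Content-type": "application/x-www-form-urlencoded",
                    "Accept": "text/plain"}
    for method in ("HEAD", "GET", "POST", "PUT", "DELETE"):
        print("\t " + method)
        try:
            conn = make_conn()
            try:
                if method == "POST":
                    # the original used "" as the URL, producing a malformed
                    # request line ("POST  HTTP/1.1"); "/" is a valid target
                    conn.request("POST", "/", post_body, post_headers)
                else:
                    conn.request(method, data)
            finally:
                conn.close()
        except Exception as e:
            print("\t [-] %s %s failed: %s" % (label, method, e))


def sendHTTP(data, target, port):
    """Send *data* in the request line/body of several HTTP methods."""
    try:
        print("[+] Sending HTTP request")
        _send_http_methods(
            lambda: httplib.HTTPConnection(target, int(port), timeout=TIMEOUT),
            data, "HTTP")
    except Exception as e:
        print("[-] Unable to send HTTP data due to : ", e)


def sendFTP(data, target, port):
    """Send *data* as one FTP command line.

    NOTE: ftplib's connect() waits for the server's 220 banner, so against a
    bare listener that sends nothing it times out and putline() is never
    reached; use a real FTP service for this check (the original had the
    same limitation, without a timeout).
    """
    try:
        print("[+] Sending FTP request")
        ftp = ftplib.FTP()
        ftp.connect(target, int(port), TIMEOUT)
        try:
            ftp.putline(data)  # send single EICAR request (putline appends CRLF)
        finally:
            ftp.close()
    except Exception as e:
        print("[-] Unable to send FTP data due to : ", e)


def sendTelnet(data, target, port):
    """Send *data* raw to the TELNET port.

    A plain socket replaces telnetlib.Telnet: Telnet.write() only differs by
    doubling 0xFF (IAC) bytes, which the EICAR string does not contain.
    """
    try:
        print("[+] Sending TELNET request")
        _tcp_send([data], target, port)
    except Exception as e:
        print("[-] Unable to send TELNET data due to : ", e)


def sendSMTP(data, target, port):
    """Play a minimal SMTP dialogue that carries *data* as the message body.

    Each command ends in CRLF; the original wrote the commands back to back
    without terminators, so they reached the wire as one unparseable line.
    No replies are read, so this works against a bare listener.
    """
    try:
        print("[+] Sending SMTP request")
        dialogue = [
            "HELO localhost\r\n",
            "MAIL FROM: root@localhost\r\n",
            "RCPT TO: root@localhost\r\n",
            "DATA\r\n",
            _as_bytes(data) + b"\r\n",
            ".\r\n",  # end-of-data marker
            "QUIT\r\n",
        ]
        _tcp_send(dialogue, target, port)
    except Exception as e:
        print("[-] Unable to send SMTP data due to : ", e)


def sendSSH(data, target, port):
    """Not implemented (stub kept from the original)."""
    pass


def sendSSL(data, target, port):
    """Same as sendHTTP but over TLS.

    The default SSL context is used, so on Python 2.7.9+/3.x certificate
    verification stays on and a listener without a valid certificate fails
    the handshake before any data is sent -- that failure is reported.
    """
    try:
        print("[+] Sending HTTPS request")
        _send_http_methods(
            lambda: httplib.HTTPSConnection(target, int(port), timeout=TIMEOUT),
            data, "HTTPS")
    except Exception as e:
        print("[-] Unable to send HTTPS data due to : ", e)


def sendICMP(data, target):
    """Not implemented (stub kept from the original)."""
    pass


def sendRCP(data, target, port):
    """Not implemented (stub kept from the original)."""
    pass


def sendTCP(data, target, port):
    """Send *data* raw over a TCP connection to target:port."""
    try:
        print("[+] Sending TCP data ")
        _tcp_send([data], target, port)
    except Exception as e:
        print("[-] Unable to send TCP data due to : ", e)


def sendUDP(data, target, port):
    """Send *data* as a single UDP datagram to target:port."""
    try:
        print("[+] Sending UDP data ")
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.sendto(_as_bytes(data), (target, int(port)))
        finally:
            sock.close()  # the original never closed this socket
    except Exception as e:
        print("[-] Unable to send UDP data due to : ", e)


def sendNETBIOS(data, target, port):
    """Not implemented (stub kept from the original)."""
    pass


def sendDNS(data, target, port):
    """Send *data* as a UDP datagram to the DNS port.

    This is raw EICAR over UDP/53, not a DNS-formatted query (the original's
    "dirty trick"), so a DNS protocol parser may not decode it.
    """
    try:
        print("[+] Sending DNS request ")
        sendUDP(data, target, port)  # dirty trick
    except Exception as e:
        print("[-] Unable to send DNS data due to : ", e)


def end():
    """Print the closing hint."""
    print("Done, now review IDS logs for each protocol")


def start_test(target=IP):
    """Run every implemented protocol test against *target* (default: IP)."""
    info()
    sendFTP(EICAR, target, 21)
    sendTelnet(EICAR, target, 23)
    sendSMTP(EICAR, target, 25)
    sendUDP(EICAR, target, 100)
    sendHTTP(EICAR, target, 80)
    sendTCP(EICAR, target, 22)
    sendSSL(EICAR, target, 443)
    sendDNS(EICAR, target, 53)  # the original called this a second time after the TODO block
    # TODO:
    # Protocol play ( these are HPING2 wrappers )
    # sendICMP(EICAR, '192.168.2.79')
    # sendRCP(EICAR, '192.168.2.79', 445)
    # sendNETBIOS(EICAR, '192.168.2.79', 139)
    # sendSSH(EICAR, '192.168.2.79', 22)
    end()


if __name__ == "__main__":
    # start the test
    start_test()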