Posts

Showing posts from August, 2014

nmap bash script

I designed this nmap bash script to run several different scans, pull out the information that is relevant, and save each result to its own file. I had also noticed that I kept running similar nmap scans, so I combined them into a script that automates the process.

v0.2 - Fixed the smb-enum-shares NSE script by adding a smbdomain argument
     - Fixed the nmapSwitches variable in the nmap command inside the for loop

#!/bin/bash

location='tallBuilding'
subnet='127.0.0.1'
ipList='results/ipList.txt'

# Create the output and results directories if they do not already exist
mkdir -p output results

# Run a host discovery (ping) scan to see which devices are available in the subnet
# (-sP is the older spelling of -sn; current nmap still accepts it)
typeOfScan='nmap-sP'
nmap -sP $subnet -oA output/$location-$typeOfScan

# From the host discovery put together a list of IP Addresses that can be used in future scans
if [ -f "output/$location-$typeOfScan.nmap" ]; then
    cat output/$locatio…

List of Various CTF Sites

This list of Capture the Flag sites was provided by a friend.

http://ctf365.com/
http://www.enigmagroup.org/
http://captf.com/practice-ctf/
https://www.hacking-lab.com/index.html
https://microcorruption.com/login
https://pentesterlab.com/
http://www.thisislegal.com/
http://captf.com/
http://io.smashthestack.org/
http://www.wechall.net/
http://repo.shell-storm.org/CTF/
http://exploit-exercises.com/
http://overthewire.org/wargames/
http://www.smashthestack.org/
http://www.crackmes.de/
http://amanhardikar.com/mindmaps/Practice.html
http://www.gh0st.net
http://www.root-me.org/?lang=en

Extract VBA code from Office Documents

http://digital-forensics.sans.org/blog/2009/11/23/extracting-vb-macros-from-malicious-documents

Awards Assembly and Closing Comments from USCC Cyber Camp at SJSU

The below items are what I remember from those who spoke to us at the awards assembly at the USCC Cyber Camp at SJSU in 2014.

Jennifer Lesser is the Director of Security Operations at Facebook and the below comments are what I remember from her talking to us:

To change the game in security you need to have empathy.

She quoted Bill Gates as follows: “optimism can fuel innovation and lead to new tools to eliminate suffering,” Gates said. “But if you never really see the people who are suffering, your optimism can’t help them. You will never change their world. … If our optimism doesn’t address the problems that affect so many of our fellow human beings, then our optimism needs more empathy.”

Find the culture [that you want to work in] and then find the company that will meet your culture.

There is a lack of encouragement in the information security field.

Often times people say, I won't be good at it.  Did you know that I have not touched a line of code since some of you wer…

Python HTTP POST Request / Response

#!/usr/bin/python

# Python 2 standard library: urllib builds the form body, urllib2 sends the request
import urllib
import urllib2

url = 'http://127.0.0.1/temp.php'
data = {'parameter1':'value1', 'parameter2':'value2'}

# urlencode turns the dict into 'parameter1=value1&parameter2=value2';
# giving Request a body makes urllib2 send a POST instead of a GET
data = urllib.urlencode(data)
request = urllib2.Request(url, data)
response = urllib2.urlopen(request)
pageReturned = response.read()

print(pageReturned)

Python HTTP GET Request / Response

#!/usr/bin/python

# Python 2 standard library; a Request with no body is sent as a GET
import urllib2

request = urllib2.Request('http://127.0.0.1/temp')

response = urllib2.urlopen(request)
pageReturned = response.read()

print(pageReturned)

Python Parser for Process Monitor CSV Output

Created a quick parser for Process Monitor CSV output files. I designed it to organize the output by PID and Operation, then remove the timestamp and deduplicate the remaining information.

This was built to be a tool that can be used in conjunction with Process Monitor to help identify interesting activity.

#!/usr/bin/python
# Script is designed to parse a Process Monitor CSV export and print the output organized by process and operation
# In my limited testing it took a 29M file down to 5M (at least a little easier to digest)
# It will deduplicate the rows in the output without the timestamp
# This tool is not meant to replace the output of Process Monitor; it is only a tool to assist in finding valuable information

import sys
import os
import csv

csvFile='processMonitor.csv'

file = open(csvFile,'r')
reader = csv.reader(file)
# Gather the PIDs and make a unique list of them
uniqPID = set() # This will store the unique PIDs found in the csv file
uniqOperation = set() # This wi…
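The grouping and deduplication the post describes, as an added example that is not the post's own script: rows are keyed by PID and Operation, the timestamp is dropped before comparing, and duplicates collapse. It assumes Process Monitor's default CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the CSV text is constructed for the demo.

```python
import csv
import io
from collections import OrderedDict

# Constructed sample in Procmon's default CSV export layout (not a real capture)
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","evil.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ, Data: C:\\Users\\me\\upd.exe"
"10:00:01.0000010","evil.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ, Data: C:\\Users\\me\\upd.exe"
"10:00:02.0000000","evil.exe","1234","CreateFile","C:\\Users\\me\\upd.exe","SUCCESS","Desired Access: Generic Write"
"10:00:03.0000000","svchost.exe","800","ReadFile","C:\\Windows\\System32\\ntdll.dll","SUCCESS","Offset: 0, Length: 4,096"
"""

def organize(csv_text):
    """Return {(pid, process, operation): [unique rows without timestamp]}.

    Rows are grouped by PID and Operation; the Time of Day column is discarded
    before comparison, so events that differ only in time collapse into one.
    Insertion order is kept so first-seen order survives in the output.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    groups = OrderedDict()
    seen = set()
    for row in reader:
        key = (row["PID"], row["Process Name"], row["Operation"])
        detail = (row["Path"], row["Result"], row["Detail"])   # timestamp removed
        if (key, detail) in seen:
            continue                                            # duplicate row
        seen.add((key, detail))
        groups.setdefault(key, []).append(detail)
    return groups

def render(groups):
    """Format the groups as text: one header per PID/Operation, rows beneath."""
    out = []
    for (pid, proc, op), rows in groups.items():
        out.append("PID %s (%s) - %s" % (pid, proc, op))
        for path, result, detail in rows:
            out.append("    %s | %s | %s" % (path, result, detail))
    return "\n".join(out)

if __name__ == "__main__":
    print(render(organize(SAMPLE_CSV)))
```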

Python Parser for CaptureBAT logfile v0.2

This is an updated CaptureBAT parser.  If a blank line or an unreadable line is in the logfile it will give you a warning and continue.

Take the logfile output from CaptureBAT and throw it against this script to organize it.

"CaptureBat.exe -n -c -l logFile_output.txt"

#!/usr/bin/python

# Version 0.2: Added if a line in the log file can not be read then it lists a warning but continues
import sys

def parseFile(file, filter, specific):
        duplicate3rdItem=""
        duplicate4thItem=""

        for line in file:
                try:
                        items=line.split(',')
                        if items[1] == filter and items[2] == specific:
                                # Find the duplicates and remove them
                                if items[3] != duplicate3rdItem and items[4] != duplicate4thItem:
                                        print items[0] + " " + items[3] + " " + items[4].rstrip()
                             …

Decode PHP encoded by cha88.cn

Below is a quick bash script that I wrote to decode some PHP web shells encoded by cha88.cn. The decoding loops through base64 decoding and gzinflating 30 times to produce the original PHP code.

#!/bin/bash
workingFile=$1
tempFile="${workingFile}.temp"
tempFile2="${workingFile}.temp2"
# Strip the cha88.cn banner comment, turn eval(...) into an assignment and echo the decoded layer instead of running it
cat "$workingFile" | grep -v -e "/\*" -e "online encode by cha88.cn!" -e "\*/" | sed 's/eval(/$uncompressed = /' | sed 's/?>/echo $uncompressed;\n?>/' | sed 's/)))\;/))\;/' > "$tempFile"
# Each pass peels one layer with php, then rewrites the next eval() the same way
for i in {1..30}; do
    php "$tempFile" | sed 's/?><?php/<?php/' | sed 's/eval(/$uncompressed = /' | sed 's/?><?/echo $uncompressed;\n?>/' | sed 's/)))\;/))\;/' > "$tempFile2"
    mv -f "$tempFile2" "$tempFile"
done
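The same layered eval(gzinflate(base64_decode('...'))) unwrapping done statically in Python, as an added example that is not the post's script: the packed PHP is never handed to an interpreter, only base64-decoded and raw-inflated. The 30-layer sample is constructed in the file from a harmless snippet; wrap_once exists only to build it.

```python
import base64
import re
import zlib

# One packer layer: eval(gzinflate(base64_decode('...'))); with optional whitespace
LAYER_RE = re.compile(
    r"""eval\(\s*gzinflate\(\s*base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)\s*\)\s*;?""")

def wrap_once(php):
    """Apply one layer the way the packer does (used here only to build the sample)."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)      # wbits=-15 -> raw DEFLATE, like gzdeflate()
    raw = co.compress(php.encode()) + co.flush()
    return "<?php\neval(gzinflate(base64_decode('%s')));\n?>" % base64.b64encode(raw).decode()

def unwrap_once(php):
    """Peel one layer statically; return None when no packer call is present."""
    m = LAYER_RE.search(php)
    if m is None:
        return None
    # gzinflate() reads raw DEFLATE, which zlib.decompress() accepts with wbits=-15
    return zlib.decompress(base64.b64decode(m.group(1)), -15).decode()

def decode_all(php, max_layers=30):
    """Keep peeling until the packer call disappears or max_layers is reached.

    Returns (decoded_php, layers_removed). The cap mirrors the 30 passes in
    the bash version and stops runaway loops on unexpected input.
    """
    layers = 0
    while layers < max_layers:
        inner = unwrap_once(php)
        if inner is None:
            break
        php, layers = inner, layers + 1
    return php, layers

# Constructed sample: a harmless snippet wrapped 30 times (not a real cha88.cn shell)
ORIGINAL = "<?php\necho 'innermost layer';\n?>"
SAMPLE = ORIGINAL
for _ in range(30):
    SAMPLE = wrap_once(SAMPLE)

if __name__ == "__main__":
    decoded, depth = decode_all(SAMPLE)
    print("removed %d layers:\n%s" % (depth, decoded))
```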